MyNOG, profile picture
Uploaded byMyNOG
PDF, PPTX1,039 views

Ansible & Salt - Vincent Boon

Salt and Ansible are both popular tools for network orchestration and automation. Salt uses a centralized master-minion architecture where configuration files and templates are stored on the master. Ansible uses an agentless architecture where playbooks are run directly on managed nodes. Both tools support network device configuration through modules like NAPALM that provide a common API. Salt states and Ansible playbooks define the desired configuration through templates that are rendered and installed on devices. The tools detect configuration drift and make necessary changes.

Embed presentation

Download as PDF, PPTX
© Copyright 2018 Opengear, Inc. www.opengear.com 1 Choosing an orchestration tool: Ansible and Salt Vincent Boon Opengear
2 Introduction What is Orchestration, and how is it different from Automation? •  Automation involves codifying tasks like configuring a webserver, or upgrading a software package, so that they can be performed quickly, and without error. •  Orchestration involves codifying processes like deploying an application, where many tasks may need to take place on disparate devices. •  Traditionally been part of the Software and Ops world, but more and more applicable to network devices.
3 Introduction This talk is mostly going to focus on the automation component of Orchestration. The tools discussed are capable of both; my aim today is to give you enough of an introduction that you can set aside some time to spin up a VM and try them out. Each of the tools have their own jargon, but once you get past that, you can understand how they work, and make a choice based on your requirements.
4 Introduction
5 Changes in Network Orchestration In 2018, Ansible gets a lot of airtime for network orchestration, more than Puppet and Chef. Salt is also heavily promoted by companies like Cloudflare This talk will focus on Ansible and Salt: -  What does their architecture look like. -  What comes for free vs what you pay for. -  How they use NAPALM. -  Example of both applying a templated configuration
6 What is NAPALM? Network vendors love automation/orchestration tools -  They build a module for configuring their devices for Puppet/Chef/ Ansible/Salt -  Write a whole bunch of whitepapers demonstrating its use -  Customer writes a whole bunch of configuration using the module -  Customer goes to evaluate another vendor l  The module is different :( -  Enter NAPALM (Network Automation and Programmability Abstraction Layer with Multivendor support).
7 What is NAPALM? NAPALM is a Python library that can provide a unified API to a number of different router vendors. The napalm-ansible module provides a way to call the NAPALM API inside Ansible Playbooks NAPALM itself is integrated inside Salt from version 2016.11.0 (Carbon) (driven by Cloudflare)
8 What is NAPALM? Supported Network Operating Systems are: •  Arista EOS •  Cisco IOS, IOS-XR, NX-OS •  Fortinet FortiOS •  IBM •  Juniper JunOS •  Mikrotik RouterOS •  Palo Alto NOS •  Pluribus NOS •  VyOS
9 What is NAPALM? It isn’t magic: •  In general, you’re still going to be writing configuration templates for your different vendors. •  Template then gets merged into running config, and can be checked for diffs. •  Power comes from the consistent “getters” API. •  Allows “verifiers” to be written to check the bits of config you care about •  Work continues on generalized configuration templates for true cross- platform configuration, as well as Netconf and YANG support.
10 Ansible Developed by Redhat, written in Python Billed as an “masterless and agentless” automation/orchestration tool •  Uses SSH as transport, authentication is generally done using SSH keys •  Ships Python modules to the target device, which are then executed. •  When being used with ansible-napalm, transport will vary based on the device being managed. •  Can log to a variety of log services •  Integrates with Ansible Tower to provide more enterprise features –  Acts a central server for Ansible –  WebUI/REST API/Dashboard
11 Ansible Ansible uses the concept of a playbook to define a series of steps (or “plays”) that map a series of execution steps (or tasks) to a group of hosts. These playbooks are written in YAML. Each task (which calls an Ansible module) should be idempotent – running it many times will give the same result, and the task definition should contain enough detail to allow it to also be used to check that the task has been carried out successfully. Handlers can also be defined for tasks that may need to be called only once after a number of operations. For example, if a number of tasks are concerned with changing webserver configurations, then the webserver only needs to be restarted once at the end.
12 Ansible In Ansible, hosts are defined inside an inventory. The inventory is often a static file, but it can be dynamic when that makes sense (for managing Docker containers, or VMs). The inventory allows administrators to groups hosts based on their role (webservers, load-balancers, border-routers etc), as well as associating variables with individual or groups of host. These variables can be referenced inside the Playbooks to customize the particular task for the host. Variables can also be retrieved at application time from the hosts. These variables are called “Facts”
13 Ansible – Free vs $$ Out of the box, Ansible is designed around the user running Ansible playbooks to push and verify configuration. •  Very basic automation of playbook scheduling is included (ansible-pull + cron) •  For more, this is where Ansible Tower comes in l  Free Tier, then 2 ($$) Tiers that come with more features and support
Ansible – Example --- - name: Apply basic config hosts: cisco-cpe tasks: - name: Generate local configuration for hosts local_action: template dest={{ playbook_dir }}/gen-config/initial-{{ hostname }}.conf src={{ playbook_dir }}/source/initial.j2 - name: Gen .diff file (apply change) napalm_install_config: hostname: "{{ host }}" username: "{{ username }}" password: "{{ password }}" dev_os: "{{ dev_os }}" config_file: gen-config/initial-{{ hostname }}.conf commit_changes: True replace_config: True diff_file: initial-{{ hostname }}.diff optional_args: {'auto_rollback_on_error': False} Config Playbook hosts definition references the inventory. Task 1: “Render” a template based on facts found in the inventory and gathered from the host Task 2: Install that configuration on the host, and retrieve a diff to show what changed Variables come from the inventory or from fact retrieval
Ansible – Example ! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname {{ hostname }} ! boot-start-marker boot-end-marker ! enable secret 5 $1$WBBw$3WDO6jJHSwFtuw4Wk38Zv/ enable password notdefault ! no aaa new-model no ip routing ! ! no ip cef Config Playbook - Template Templated hostname
Ansible – Example # Cisco CPE devices [cisco-cpe] r1 host=192.168.82.76 hostname=r1-cpe.opengear.com r2 host=192.168.82.77 hostname=r2-cpe.opengear.com # Default variables for Cisco devices managed via NAPALM [cisco-cpe:vars] username=admin password=default dev_os=ios ansible_connection=local Inventory hosts definitions, with in-line variable definitions Default variables for this group of hosts
Ansible – Example test@test-srv:~/src/central-orchestration/ansible-napalm-ios$ ansible -playbook config.play -i inventory PLAY [Apply basic config] ****************************************************** TASK [Gathering Facts] ********************************************************* ok: [r1] ok: [r2] TASK [Generate local configuration for hosts] ********************************** ok: [r2 -> localhost] ok: [r1 -> localhost] TASK [Gen .diff file (apply change)] ******************************************* ok: [r1] ok: [r2] PLAY RECAP ********************************************************************* r1 : ok=3 changed=0 unreachable=0 failed=0 r2 : ok=3 changed=0 unreachable=0 failed=0 Execution – test configuration compliance Configuration matches the generated template.
Ansible – Example test@test-srv:~/src/central-orchestration/ansible-napalm-ios$ ssh admin@192.168.82.77 Password: r2-cpe.opengear.com#conf t Enter configuration commands, one per line. End with CNTL/Z. r2-cpe.opengear.com(config)#hostname r2-cpe-modified.opengear.com % Hostname "R2-CPE-MODIFIED. " is not a legal LAT node name, Using "CISCO_CC0008" r2-cpe-modified.open(config)#end r2-cpe-modified.opengear.com#exit Connection to 192.168.82.77 closed. Execution – configuration fixups Configuration on one host is manually changes
Ansible – Example test@test-srv:~/src/central-orchestration/ansible-napalm-ios$ ansible-playbook config.play -i inventory PLAY [Apply basic config] ************************************************************************************************** TASK [Gathering Facts] ***************************************************************************************************** ok: [r1] ok: [r2] TASK [Generate local configuration for hosts] ****************************************************************************** ok: [r1 -> localhost] ok: [r2 -> localhost] TASK [Gen .diff file (apply change)] *************************************************************************************** ok: [r1] changed: [r2] PLAY RECAP ***************************************************************************************************************** r1 : ok=3 changed=0 unreachable=0 failed=0 r2 : ok=3 changed=1 unreachable=0 failed=0 test@test-srv:~/src/central-orchestration/ansible-napalm-ios$ cat initial-r2-cpe.opengear.com.diff +hostname r2-cpe.opengear.com -hostname r2-cpe-modified.opengear.com test@test-srv:~/src/central-orchestration/ansible-napalm-ios$ ssh admin@192.168.82.77 Password: r2-cpe.opengear.com#exit Execution – configuration fixups Configuration change is discovered and fixed Diff shows the change
20 Salt Developed by SaltStack, written in Python The architecture is generally based around a central server (salt-master), with agents called salt- minions running on the devices under management. It can be run in a masterless mode, but this is not how its normally used. •  For devices that can’t run an agent, a “proxy-minion” process can be run on a server, which then communicates with the device using its native protocols. •  Communications between the server and the minions uses the ZeroMQ message bus by default. •  All operations are scheduled and logged by the central server. Minions receive commands from the server, and run these asynchronously. Results are push back to the server via the message bus.
21 Salt Salt has many types of modules, but for our example, we’ll examine two: execution modules, and state modules. Execution modules are used to perform actions State modules use execution modules to make a device conform to the desired state. This allows the user to define a desired state for a particular segment of configuration in a declarative fashion. Execution modules are generally run as once-off commands, while state modules are more like Ansible Playbooks. Execution modules do however return their results as JSON data, so their results can be parsed and used in other workflows
22 Salt Architecture The state module uses state definitions, which are written as SLS (SaLt State) files. They can be written in many languages, but the default is YAML (like an Ansible playbook) These are stored centrally on the master, in a file server that is referred to as the file_roots, while other data (such as variables) are stored in a data store known as the Salt Pillar. The salt-minions retrieve these state file definitions, and other items (like variable definitions) from the Salt Pillar and the file server over the central message bus.
23 Salt Architecture Like Ansible, variables can be defined locally in the state file, and can also be retrieved from the devices under management. Salt calls these variables “grains”. However, best practice with Salt is to keep variables separate from state information, by storing them in the Salt Pillar. This keeps logic (state) separate from data (variables). Rather that specifying the devices that a state or action applies to in the state definition, Salt allows that to be specified during application time, using static data stored inside the pillar, as well as grains that are retrieved from the managed devices.
24 Salt This description barely brushes the surface of what Salt can do. It is more complex than Ansible: •  More moving parts, and options compared to Ansible Playbooks •  Steeper learning curve •  Allows more complex workflows than out-of-the-box Ansible
25 Salt – Free vs $$ SaltStack does have an Enterprise version that adds a number of extra features, but the OSS release allows a more sophisticated Automation and Orchestration setup than Ansible. However, this comes at the cost of the extra effort for setup.
Salt – Example └── salt ├── pillar │ ├── r1.sls │ ├── r2.sls │ └── top.sls └── states ├── config.sls └── router-config.j2 Salt Directory Structure Salt Pillar contains host definitions, and other configuration information for hosts and modules. The States directory contains state definitions. In this example, it also contains a jinja2 template, but this could be stored in the Salt Pillar also. The “top” file is used to define what data each minion can retrieve from the Pillar. Best practice is to only expose what is necessary for each host.
Salt – Example [test@test-srv pillar (master)]$ cat top.sls base: r1: - r1 r2: - r2 [test@test-srv pillar (master)]$ cat r1.sls proxy: proxytype: napalm driver: ios host: 192.168.82.76 username: admin password: default optional_args: auto_rollback_on_error: False #R1 specific variables hostname: r1.cpe.opengear.com [test@test-srv pillar (master)]$ cat r2.sls <same proxy statement as r1.sls> #R2 specific variables hostname: r2.cpe.opengear.com Salt Pillar Restrict r1.sls to host r1, and r2.sls to host r2 NAPALM configuration for R1 (same settings used for R2) Host specific variable for R1
Salt – Example [test@test-srv states (master)]$ cat config.sls full_config: netconfig.managed: - template_name: salt://router-config.j2 - replace: True [test@test-srv states (master)]$ cat router-config.j2 ! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname {{ pillar.hostname }} ! Salt State Defines the template to be applied, and if it should replace the existing config Same templating engine as Ansible “pillar.hostname” instructs Salt to Retrieve variable from the Pillar
Salt - Example test@test-srv:~/src/central-orchestration/salt-napalm-ios$ sudo salt r1 state.sls config r1: ---------- ID: full_config Function: netconfig.managed Result: True Comment: Configuration changed! Started: 17:33:50.636394 Duration: 33202.776 ms Changes: ---------- diff: +hostname r1.cpe.opengear.com -hostname r1-modified.cpe.opengear.com Summary for r1 ------------ Succeeded: 1 (changed=1) Failed: 0 ------------ Total states run: 1 Total run time: 33.203 s Execution – test configuration compliance Executing the “config” state template on host r1 Diff shows the configuration change that was applied
Salt - Example test@test-srv:~/src/central-orchestration/salt-napalm-ios$ sudo salt -G 'os:ios' net.load_template salt://router-config.j2 replace=True r2: ---------- already_configured: False comment: diff: +hostname r2.cpe.opengear.com -hostname r2-cpe.opengear.com loaded_config: result: True r1: ---------- already_configured: False comment: diff: +hostname r1.cpe.opengear.com -hostname r1-cpe.opengear.com loaded_config: result: True Execution – arbitrary commands Running a “load_template” command (same as our config.sls) Selector sets the devices to those running “ios” as their operating system.
Salt - Example test@test-srv:~/src/central-orchestration/salt-napalm-ios$ sudo salt --output=yaml -G 'os:ios' net.arp r2: comment: '' out: - age: 0.0 interface: FastEthernet0/0 ip: 192.168.82.1 mac: 00:E0:4C:97:64:41 - age: 0.0 interface: FastEthernet0/0 ip: 192.168.82.77 mac: CA:01:34:CC:00:08 result: true r1: comment: '' out: - age: 0.0 interface: FastEthernet0/0 ip: 192.168.82.1 mac: 00:E0:4C:97:64:41 - age: 0.0 interface: FastEthernet0/0 ip: 192.168.82.76 mac: CA:00:34:CC:00:08 result: true Retrieving information Calls the net.arp NAPALM module. Retrieves the ARP table of the devices Selector sets the devices to those running “ios” as their operating system. Specifies YAML as the output format. Can be used as ingress for other tools
32 Conclusion I don’t know your requirements, you do. There are good communities around both products. You don’t need to do everything right now Watch some vidoes and try out some examples! Ansible: https://www.youtube.com/watch?v=9TFlc-ekRPk Salt: https://www.youtube.com/watch?v=AqBk5fM7qZ0
33 Further Information Ansible + Napalm: https://pynet.twb-tech.com/blog/automation/napalm-ios.html Salt + Napalm: https://mirceaulinic.net/2016-11-17-network-orchestration-with-salt-and- napalm/

More Related Content

PDF
DIY Netflow Data Analytic with ELK Stack by CL Lee
byMyNOG
 
PPTX
APNIC IPv6 Deployment
byAPNIC
 
PDF
Open Connect Appliances - Jocelyn Ooi
byMyNOG
 
PDF
Tech Talk by Louis Fourie: SFC: technology, trend and implementation
bynvirters
 
PDF
CDN_Netflix_analysis
bySanket Jain
 
PDF
Netflix Open Connect: Delivering Internet TV to the world
byInternet Society
 
PDF
ElasticISP
byKHNOG
 
PDF
Advanced Traffic Engineering (TE++)
byPravin Bhandarkar
 
DIY Netflow Data Analytic with ELK Stack by CL Lee
byMyNOG
 
APNIC IPv6 Deployment
byAPNIC
 
Open Connect Appliances - Jocelyn Ooi
byMyNOG
 
Tech Talk by Louis Fourie: SFC: technology, trend and implementation
bynvirters
 
CDN_Netflix_analysis
bySanket Jain
 
Netflix Open Connect: Delivering Internet TV to the world
byInternet Society
 
ElasticISP
byKHNOG
 
Advanced Traffic Engineering (TE++)
byPravin Bhandarkar
 

What's hot

PPTX
Building a Router
byHannes Gredler
 
PDF
NFD9 - Dinesh Dutt, Data Center Architectures
byCumulus Networks
 
PPTX
IPv6 deployment at APNIC
byAPNIC
 
PDF
Cisco Live! :: Content Delivery Networks (CDN)
byBruno Teixeira
 
PPTX
DEVNET-1175 OpenDaylight Service Function Chaining
byCisco DevNet
 
PPTX
LISP and NSH in Open vSwitch
bymestery
 
PPTX
22 - IDNOG03 - Christopher Lim (Mellanox) - Efficient Virtual Network for Ser...
byIndonesia Network Operators Group
 
PDF
21st Century iBGP Route Reflection by Mark Tinka
byMyNOG
 
PPTX
Cumulus Linux 2.5.3
byCumulus Networks
 
PDF
DPDK Acceleration with Arkville
byShepard Siegel
 
PPTX
Address Scopes OpenStack Summit 2016
bycarlbaldwin
 
PDF
BGP Dynamic Routing and Neutron
byrktidwell
 
PDF
Service Chaining overview (English) 2015/10/05
byKentaro Ebisawa
 
PDF
Dynamic Service Chaining
byTail-f Systems
 
PDF
LINE's Infrastructure Platform: How It Scales Massive Services and Maintains ...
byLINE Corporation
 
PDF
【EPN Seminar Nov.10.2015】 Services Function Chaining Architecture, Standardiz...
byシスコシステムズ合同会社
 
PDF
ONOS-Based VIM Implementation
byOPNFV
 
PDF
VNFs at the Edge using Docker Containers
byOPNFV
 
PPTX
Subnet Pools and Pluggable IPAM
bycarlbaldwin
 
PDF
ONOS-Based VIM Implementation
byOPNFV
 
Building a Router
byHannes Gredler
 
NFD9 - Dinesh Dutt, Data Center Architectures
byCumulus Networks
 
IPv6 deployment at APNIC
byAPNIC
 
Cisco Live! :: Content Delivery Networks (CDN)
byBruno Teixeira
 
DEVNET-1175 OpenDaylight Service Function Chaining
byCisco DevNet
 
LISP and NSH in Open vSwitch
bymestery
 
22 - IDNOG03 - Christopher Lim (Mellanox) - Efficient Virtual Network for Ser...
byIndonesia Network Operators Group
 
21st Century iBGP Route Reflection by Mark Tinka
byMyNOG
 
Cumulus Linux 2.5.3
byCumulus Networks
 
DPDK Acceleration with Arkville
byShepard Siegel
 
Address Scopes OpenStack Summit 2016
bycarlbaldwin
 
BGP Dynamic Routing and Neutron
byrktidwell
 
Service Chaining overview (English) 2015/10/05
byKentaro Ebisawa
 
Dynamic Service Chaining
byTail-f Systems
 
LINE's Infrastructure Platform: How It Scales Massive Services and Maintains ...
byLINE Corporation
 
【EPN Seminar Nov.10.2015】 Services Function Chaining Architecture, Standardiz...
byシスコシステムズ合同会社
 
ONOS-Based VIM Implementation
byOPNFV
 
VNFs at the Edge using Docker Containers
byOPNFV
 
Subnet Pools and Pluggable IPAM
bycarlbaldwin
 
ONOS-Based VIM Implementation
byOPNFV
 

Similar to Ansible & Salt - Vincent Boon

PPTX
Introduction to Ansible
byCoreStack
 
PDF
Ansible Tutorial.pdf
byNigussMehari4
 
PDF
Ansible - Hands on Training
byMehmet Ali Aydın
 
PPTX
Ansible
byAfroz Hussain
 
PDF
ansible_rhel.pdf
byssuser6d347b
 
PPTX
Ansible as configuration management tool for devops
byPuneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
PPTX
Ansible_Presentation and ansible master .pptx
byyvenkateswaracse
 
PPTX
Basics of Ansible - Sahil Davawala
bySahil Davawala
 
PDF
Automation with ansible
byKhizer Naeem
 
PDF
Getting Started with Ansible - Jake.pdf
byssuserd254491
 
PDF
Ansible at work
byBas Meijer
 
PDF
#OktoCampus - Workshop : An introduction to Ansible
byCédric Delgehier
 
PDF
Ansible101
byHideki Saito
 
PDF
Automation with Ansible and Containers
byRodolfo Carvalho
 
PPTX
Go Faster with Ansible (PHP meetup)
byRichard Donkin
 
PPTX
SESSION Ansible how to deploy and push resources
bySaravanan68713
 
PPTX
Intro to-ansible-sep7-meetup
byRamesh Godishela
 
PDF
Ansible nice-pdf-copy-for-pres
byManmohan Singh
 
PDF
Automated Deployment and Configuration Engines. Ansible
byAlberto Molina Coballes
 
PPTX
Ansible: What, Why & How
byAlfonso Cabrera
 
Introduction to Ansible
byCoreStack
 
Ansible Tutorial.pdf
byNigussMehari4
 
Ansible - Hands on Training
byMehmet Ali Aydın
 
Ansible
byAfroz Hussain
 
ansible_rhel.pdf
byssuser6d347b
 
Ansible as configuration management tool for devops
byPuneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
Ansible_Presentation and ansible master .pptx
byyvenkateswaracse
 
Basics of Ansible - Sahil Davawala
bySahil Davawala
 
Automation with ansible
byKhizer Naeem
 
Getting Started with Ansible - Jake.pdf
byssuserd254491
 
Ansible at work
byBas Meijer
 
#OktoCampus - Workshop : An introduction to Ansible
byCédric Delgehier
 
Ansible101
byHideki Saito
 
Automation with Ansible and Containers
byRodolfo Carvalho
 
Go Faster with Ansible (PHP meetup)
byRichard Donkin
 
SESSION Ansible how to deploy and push resources
bySaravanan68713
 
Intro to-ansible-sep7-meetup
byRamesh Godishela
 
Ansible nice-pdf-copy-for-pres
byManmohan Singh
 
Automated Deployment and Configuration Engines. Ansible
byAlberto Molina Coballes
 
Ansible: What, Why & How
byAlfonso Cabrera
 

More from MyNOG

PDF
SRv6: DEPLOYMENT & USECASES by Aditya Kaul
byMyNOG
 
PDF
Embedded CDNs in 2023
byMyNOG
 
PDF
Edge virtualisation for Carrier Networks
byMyNOG
 
PDF
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
byMyNOG
 
PDF
Securing the Onion: 5G Cloud Native Infrastructure
byMyNOG
 
PDF
Load balancing and Service in Kubernetes
byMyNOG
 
PDF
Peering Personal MyNOG-10
byMyNOG
 
PDF
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
byMyNOG
 
PDF
Introducing Peering LAN 2.0 at DE-CIX
byMyNOG
 
PDF
Hierarchical Network Controller
byMyNOG
 
PDF
Cloud SDN: BGP Peering and RPKI
byMyNOG
 
PDF
SHADOWSERVER: INTERNET CRITICAL SECURITY AS A PUBLIC SERVICE
byMyNOG
 
PDF
SDM – A New (Subsea) Cable Paradigm
byMyNOG
 
PDF
Equinix: New Markets, New Frontiers
byMyNOG
 
PDF
Building a Connected Future: The Power of Interconnection
byMyNOG
 
PDF
Cleaning up your RPKI invalids
byMyNOG
 
PDF
COHERENT OPTICAL TRANSCEIVERS – CURRENT CAPABILITIES AND FUTURE POSSIBILITIES
byMyNOG
 
PDF
Malaysia’s Emerging Trends in Data Center: Identifying Tomorrow’s Hotspots
byMyNOG
 
PDF
Strategies for Seamless Recovery in a Dynamic Data Landscape
byMyNOG
 
PDF
MEASURING THE HEALTH AND RESILIENCE OF THE INTERNET: MALAYSIA
byMyNOG
 
SRv6: DEPLOYMENT & USECASES by Aditya Kaul
byMyNOG
 
Embedded CDNs in 2023
byMyNOG
 
Edge virtualisation for Carrier Networks
byMyNOG
 
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
byMyNOG
 
Securing the Onion: 5G Cloud Native Infrastructure
byMyNOG
 
Load balancing and Service in Kubernetes
byMyNOG
 
Peering Personal MyNOG-10
byMyNOG
 
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
byMyNOG
 
Introducing Peering LAN 2.0 at DE-CIX
byMyNOG
 
Hierarchical Network Controller
byMyNOG
 
Cloud SDN: BGP Peering and RPKI
byMyNOG
 
SHADOWSERVER: INTERNET CRITICAL SECURITY AS A PUBLIC SERVICE
byMyNOG
 
SDM – A New (Subsea) Cable Paradigm
byMyNOG
 
Equinix: New Markets, New Frontiers
byMyNOG
 
Building a Connected Future: The Power of Interconnection
byMyNOG
 
Cleaning up your RPKI invalids
byMyNOG
 
COHERENT OPTICAL TRANSCEIVERS – CURRENT CAPABILITIES AND FUTURE POSSIBILITIES
byMyNOG
 
Malaysia’s Emerging Trends in Data Center: Identifying Tomorrow’s Hotspots
byMyNOG
 
Strategies for Seamless Recovery in a Dynamic Data Landscape
byMyNOG
 
MEASURING THE HEALTH AND RESILIENCE OF THE INTERNET: MALAYSIA
byMyNOG
 

Recently uploaded

PDF
BÀI GIẢNG POWERPOINT CHÍNH KHÓA PHIÊN BẢN AI TIẾNG ANH 6 CẢ NĂM, THEO TỪNG BÀ...
byNguyen Thanh Tu Collection
 
PPTX
The Creation Pattern Physical Health.pptx
byTammy Hulse
 
PPTX
Statistical Data Analysis using R Programming.pptx
byVETRISELVIP1
 
PDF
McDowell Technical Community College Early Childhood Program Equitable Workfo...
byEducationNC
 
PDF
Types of Artificial Intelligence: Capabilities and Functionality Explained
byARTHIDEVARANIP
 
PDF
To synthesis and submit Benzamide synthesis.pdf
byPradeep Swarnkar
 
PPTX
How to Create Opening Balance in Odoo 18
byCeline George
 
PPTX
ANTISEPTICS AND DISINFECTANTS CHAPTER NO.05.pptx
byGanu Gavade
 
PPTX
How to Manage Product Types in Odoo 18 Sales
byCeline George
 
PPTX
How to create Article in Odoo 18 Knowledge App
byCeline George
 
PPTX
How to Create SMS Marketing Campaigns in Odoo 18
byCeline George
 
PPTX
VAGINAL IRRIGATION..................pptx
byAneetaSharma15
 
PPTX
Accounting Theory Group Presentation - Why Study Accounting Theory
byAbrahamAtuanor1
 
PPTX
INSTRUCTIONAL MATERIALS IN TEACHING SCIENCE.pptx
byReclaMailyn1
 
PPTX
Ultrasound .pptx by Nagmani ojha (paramedical department)(Radiation technolog...
bynagmaniojha8
 
PPTX
Burnout_among_medical teachers_&_mentoring .pptx
byAhmadUzairQureshi
 
PPTX
NMR Spectroscopy: Principles and Applications
byVanitha Rajakumar
 
PPTX
Introduction of Carbohydrates - Dr.M.Jothimuniyandi
byJothimuniyandi
 
PPTX
OXYGEN ADMINISTRATION/THERAPY ......pptx
byAneetaSharma15
 
PPTX
Nanomaterials and its types - Dr.M.Jothimuniyandi
byJothimuniyandi
 
BÀI GIẢNG POWERPOINT CHÍNH KHÓA PHIÊN BẢN AI TIẾNG ANH 6 CẢ NĂM, THEO TỪNG BÀ...
byNguyen Thanh Tu Collection
 
The Creation Pattern Physical Health.pptx
byTammy Hulse
 
Statistical Data Analysis using R Programming.pptx
byVETRISELVIP1
 
McDowell Technical Community College Early Childhood Program Equitable Workfo...
byEducationNC
 
Types of Artificial Intelligence: Capabilities and Functionality Explained
byARTHIDEVARANIP
 
To synthesis and submit Benzamide synthesis.pdf
byPradeep Swarnkar
 
How to Create Opening Balance in Odoo 18
byCeline George
 
ANTISEPTICS AND DISINFECTANTS CHAPTER NO.05.pptx
byGanu Gavade
 
How to Manage Product Types in Odoo 18 Sales
byCeline George
 
How to create Article in Odoo 18 Knowledge App
byCeline George
 
How to Create SMS Marketing Campaigns in Odoo 18
byCeline George
 
VAGINAL IRRIGATION..................pptx
byAneetaSharma15
 
Accounting Theory Group Presentation - Why Study Accounting Theory
byAbrahamAtuanor1
 
INSTRUCTIONAL MATERIALS IN TEACHING SCIENCE.pptx
byReclaMailyn1
 
Ultrasound .pptx by Nagmani ojha (paramedical department)(Radiation technolog...
bynagmaniojha8
 
Burnout_among_medical teachers_&_mentoring .pptx
byAhmadUzairQureshi
 
NMR Spectroscopy: Principles and Applications
byVanitha Rajakumar
 
Introduction of Carbohydrates - Dr.M.Jothimuniyandi
byJothimuniyandi
 
OXYGEN ADMINISTRATION/THERAPY ......pptx
byAneetaSharma15
 
Nanomaterials and its types - Dr.M.Jothimuniyandi
byJothimuniyandi
 

Ansible & Salt - Vincent Boon

  • 1.
    © Copyright 2018Opengear, Inc. www.opengear.com 1 Choosing an orchestration tool: Ansible and Salt Vincent Boon Opengear
  • 2.
    2 Introduction What is Orchestration,and how is it different from Automation? •  Automation involves codifying tasks like configuring a webserver, or upgrading a software package, so that they can be performed quickly, and without error. •  Orchestration involves codifying processes like deploying an application, where many tasks may need to take place on disparate devices. •  Traditionally been part of the Software and Ops world, but more and more applicable to network devices.
  • 3.
    3 Introduction This talk ismostly going to focus on the automation component of Orchestration. The tools discussed are capable of both; my aim today is to give you enough of an introduction that you can set aside some time to spin up a VM and try them out. Each of the tools have their own jargon, but once you get past that, you can understand how they work, and make a choice based on your requirements.
  • 4.
  • 5.
    5 Changes in NetworkOrchestration In 2018, Ansible gets a lot of airtime for network orchestration, more than Puppet and Chef. Salt is also heavily promoted by companies like Cloudflare This talk will focus on Ansible and Salt: -  What does their architecture look like. -  What comes for free vs what you pay for. -  How they use NAPALM. -  Example of both applying a templated configuration
  • 6.
    6 What is NAPALM? Networkvendors love automation/orchestration tools -  They build a module for configuring their devices for Puppet/Chef/ Ansible/Salt -  Write a whole bunch of whitepapers demonstrating its use -  Customer writes a whole bunch of configuration using the module -  Customer goes to evaluate another vendor l  The module is different :( -  Enter NAPALM (Network Automation and Programmability Abstraction Layer with Multivendor support).
  • 7.
    7 What is NAPALM? NAPALMis a Python library that can provide a unified API to a number of different router vendors. The napalm-ansible module provides a way to call the NAPALM API inside Ansible Playbooks NAPALM itself is integrated inside Salt from version 2016.11.0 (Carbon) (driven by Cloudflare)
  • 8.
    8 What is NAPALM? SupportedNetwork Operating Systems are: •  Arista EOS •  Cisco IOS, IOS-XR, NX-OS •  Fortinet FortiOS •  IBM •  Juniper JunOS •  Mikrotik RouterOS •  Palo Alto NOS •  Pluribus NOS •  VyOS
  • 9.
    9 What is NAPALM? Itisn’t magic: •  In general, you’re still going to be writing configuration templates for your different vendors. •  Template then gets merged into running config, and can be checked for diffs. •  Power comes from the consistent “getters” API. •  Allows “verifiers” to be written to check the bits of config you care about •  Work continues on generalized configuration templates for true cross- platform configuration, as well as Netconf and YANG support.
  • 10.
    10 Ansible Developed by Redhat,written in Python Billed as an “masterless and agentless” automation/orchestration tool •  Uses SSH as transport, authentication is generally done using SSH keys •  Ships Python modules to the target device, which are then executed. •  When being used with ansible-napalm, transport will vary based on the device being managed. •  Can log to a variety of log services •  Integrates with Ansible Tower to provide more enterprise features –  Acts a central server for Ansible –  WebUI/REST API/Dashboard
  • 11.
    11 Ansible Ansible uses theconcept of a playbook to define a series of steps (or “plays”) that map a series of execution steps (or tasks) to a group of hosts. These playbooks are written in YAML. Each task (which calls an Ansible module) should be idempotent – running it many times will give the same result, and the task definition should contain enough detail to allow it to also be used to check that the task has been carried out successfully. Handlers can also be defined for tasks that may need to be called only once after a number of operations. For example, if a number of tasks are concerned with changing webserver configurations, then the webserver only needs to be restarted once at the end.
  • 12.
    12 Ansible In Ansible, hostsare defined inside an inventory. The inventory is often a static file, but it can be dynamic when that makes sense (for managing Docker containers, or VMs). The inventory allows administrators to groups hosts based on their role (webservers, load-balancers, border-routers etc), as well as associating variables with individual or groups of host. These variables can be referenced inside the Playbooks to customize the particular task for the host. Variables can also be retrieved at application time from the hosts. These variables are called “Facts”
  • 13.
    13 Ansible – Freevs $$ Out of the box, Ansible is designed around the user running Ansible playbooks to push and verify configuration. •  Very basic automation of playbook scheduling is included (ansible-pull + cron) •  For more, this is where Ansible Tower comes in l  Free Tier, then 2 ($$) Tiers that come with more features and support
  • 14.
    Ansible – Example --- -name: Apply basic config hosts: cisco-cpe tasks: - name: Generate local configuration for hosts local_action: template dest={{ playbook_dir }}/gen-config/initial-{{ hostname }}.conf src={{ playbook_dir }}/source/initial.j2 - name: Gen .diff file (apply change) napalm_install_config: hostname: "{{ host }}" username: "{{ username }}" password: "{{ password }}" dev_os: "{{ dev_os }}" config_file: gen-config/initial-{{ hostname }}.conf commit_changes: True replace_config: True diff_file: initial-{{ hostname }}.diff optional_args: {'auto_rollback_on_error': False} Config Playbook hosts definition references the inventory. Task 1: “Render” a template based on facts found in the inventory and gathered from the host Task 2: Install that configuration on the host, and retrieve a diff to show what changed Variables come from the inventory or from fact retrieval
  • 15.
    Ansible – Example ! version12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname {{ hostname }} ! boot-start-marker boot-end-marker ! enable secret 5 $1$WBBw$3WDO6jJHSwFtuw4Wk38Zv/ enable password notdefault ! no aaa new-model no ip routing ! ! no ip cef Config Playbook - Template Templated hostname
  • 16.
    Ansible – Example #Cisco CPE devices [cisco-cpe] r1 host=192.168.82.76 hostname=r1-cpe.opengear.com r2 host=192.168.82.77 hostname=r2-cpe.opengear.com # Default variables for Cisco devices managed via NAPALM [cisco-cpe:vars] username=admin password=default dev_os=ios ansible_connection=local Inventory hosts definitions, with in-line variable definitions Default variables for this group of hosts
  • 17.
    Ansible – Example test@test-srv:~/src/central-orchestration/ansible-napalm-ios$ansible -playbook config.play -i inventory PLAY [Apply basic config] ****************************************************** TASK [Gathering Facts] ********************************************************* ok: [r1] ok: [r2] TASK [Generate local configuration for hosts] ********************************** ok: [r2 -> localhost] ok: [r1 -> localhost] TASK [Gen .diff file (apply change)] ******************************************* ok: [r1] ok: [r2] PLAY RECAP ********************************************************************* r1 : ok=3 changed=0 unreachable=0 failed=0 r2 : ok=3 changed=0 unreachable=0 failed=0 Execution – test configuration compliance Configuration matches the generated template.
  • 18.
    Ansible – Example test@test-srv:~/src/central-orchestration/ansible-napalm-ios$ssh admin@192.168.82.77 Password: r2-cpe.opengear.com#conf t Enter configuration commands, one per line. End with CNTL/Z. r2-cpe.opengear.com(config)#hostname r2-cpe-modified.opengear.com % Hostname "R2-CPE-MODIFIED. " is not a legal LAT node name, Using "CISCO_CC0008" r2-cpe-modified.open(config)#end r2-cpe-modified.opengear.com#exit Connection to 192.168.82.77 closed. Execution – configuration fixups Configuration on one host is manually changes
  • 19.
    Ansible – Example test@test-srv:~/src/central-orchestration/ansible-napalm-ios$ansible-playbook config.play -i inventory PLAY [Apply basic config] ************************************************************************************************** TASK [Gathering Facts] ***************************************************************************************************** ok: [r1] ok: [r2] TASK [Generate local configuration for hosts] ****************************************************************************** ok: [r1 -> localhost] ok: [r2 -> localhost] TASK [Gen .diff file (apply change)] *************************************************************************************** ok: [r1] changed: [r2] PLAY RECAP ***************************************************************************************************************** r1 : ok=3 changed=0 unreachable=0 failed=0 r2 : ok=3 changed=1 unreachable=0 failed=0 test@test-srv:~/src/central-orchestration/ansible-napalm-ios$ cat initial-r2-cpe.opengear.com.diff +hostname r2-cpe.opengear.com -hostname r2-cpe-modified.opengear.com test@test-srv:~/src/central-orchestration/ansible-napalm-ios$ ssh admin@192.168.82.77 Password: r2-cpe.opengear.com#exit Execution – configuration fixups Configuration change is discovered and fixed Diff shows the change
  • 20.
    20 Salt Developed by SaltStack,written in Python The architecture is generally based around a central server (salt-master), with agents called salt- minions running on the devices under management. It can be run in a masterless mode, but this is not how its normally used. •  For devices that can’t run an agent, a “proxy-minion” process can be run on a server, which then communicates with the device using its native protocols. •  Communications between the server and the minions uses the ZeroMQ message bus by default. •  All operations are scheduled and logged by the central server. Minions receive commands from the server, and run these asynchronously. Results are push back to the server via the message bus.
  • 21.
    21 Salt Salt has manytypes of modules, but for our example, we’ll examine two: execution modules, and state modules. Execution modules are used to perform actions State modules use execution modules to make a device conform to the desired state. This allows the user to define a desired state for a particular segment of configuration in a declarative fashion. Execution modules are generally run as once-off commands, while state modules are more like Ansible Playbooks. Execution modules do however return their results as JSON data, so their results can be parsed and used in other workflows
  • 22.
    22 Salt Architecture The statemodule uses state definitions, which are written as SLS (SaLt State) files. They can be written in many languages, but the default is YAML (like an Ansible playbook) These are stored centrally on the master, in a file server that is referred to as the file_roots, while other data (such as variables) are stored in a data store known as the Salt Pillar. The salt-minions retrieve these state file definitions, and other items (like variable definitions) from the Salt Pillar and the file server over the central message bus.
  • 23.
    23 Salt Architecture Like Ansible,variables can be defined locally in the state file, and can also be retrieved from the devices under management. Salt calls these variables “grains”. However, best practice with Salt is to keep variables separate from state information, by storing them in the Salt Pillar. This keeps logic (state) separate from data (variables). Rather that specifying the devices that a state or action applies to in the state definition, Salt allows that to be specified during application time, using static data stored inside the pillar, as well as grains that are retrieved from the managed devices.
  • 24.
    24 Salt This description barelybrushes the surface of what Salt can do. It is more complex than Ansible: •  More moving parts, and options compared to Ansible Playbooks •  Steeper learning curve •  Allows more complex workflows than out-of-the-box Ansible
  • 25.
    25 Salt – Freevs $$ SaltStack does have an Enterprise version that adds a number of extra features, but the OSS release allows a more sophisticated Automation and Orchestration setup than Ansible. However, this comes at the cost of the extra effort for setup.
  • 26.
    Salt – Example └──salt ├── pillar │ ├── r1.sls │ ├── r2.sls │ └── top.sls └── states ├── config.sls └── router-config.j2 Salt Directory Structure Salt Pillar contains host definitions, and other configuration information for hosts and modules. The States directory contains state definitions. In this example, it also contains a jinja2 template, but this could be stored in the Salt Pillar also. The “top” file is used to define what data each minion can retrieve from the Pillar. Best practice is to only expose what is necessary for each host.
  • 27.
    Salt – Example [test@test-srvpillar (master)]$ cat top.sls base: r1: - r1 r2: - r2 [test@test-srv pillar (master)]$ cat r1.sls proxy: proxytype: napalm driver: ios host: 192.168.82.76 username: admin password: default optional_args: auto_rollback_on_error: False #R1 specific variables hostname: r1.cpe.opengear.com [test@test-srv pillar (master)]$ cat r2.sls <same proxy statement as r1.sls> #R2 specific variables hostname: r2.cpe.opengear.com Salt Pillar Restrict r1.sls to host r1, and r2.sls to host r2 NAPALM configuration for R1 (same settings used for R2) Host specific variable for R1
  • 28.
    Salt – Example [test@test-srvstates (master)]$ cat config.sls full_config: netconfig.managed: - template_name: salt://router-config.j2 - replace: True [test@test-srv states (master)]$ cat router-config.j2 ! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname {{ pillar.hostname }} ! Salt State Defines the template to be applied, and if it should replace the existing config Same templating engine as Ansible “pillar.hostname” instructs Salt to Retrieve variable from the Pillar
  • 29.
    Salt - Example test@test-srv:~/src/central-orchestration/salt-napalm-ios$sudo salt r1 state.sls config r1: ---------- ID: full_config Function: netconfig.managed Result: True Comment: Configuration changed! Started: 17:33:50.636394 Duration: 33202.776 ms Changes: ---------- diff: +hostname r1.cpe.opengear.com -hostname r1-modified.cpe.opengear.com Summary for r1 ------------ Succeeded: 1 (changed=1) Failed: 0 ------------ Total states run: 1 Total run time: 33.203 s Execution – test configuration compliance Executing the “config” state template on host r1 Diff shows the configuration change that was applied
  • 30.
    Salt - Example test@test-srv:~/src/central-orchestration/salt-napalm-ios$sudo salt -G 'os:ios' net.load_template salt://router-config.j2 replace=True r2: ---------- already_configured: False comment: diff: +hostname r2.cpe.opengear.com -hostname r2-cpe.opengear.com loaded_config: result: True r1: ---------- already_configured: False comment: diff: +hostname r1.cpe.opengear.com -hostname r1-cpe.opengear.com loaded_config: result: True Execution – arbitrary commands Running a “load_template” command (same as our config.sls) Selector sets the devices to those running “ios” as their operating system.
  • 31.
    Salt - Example test@test-srv:~/src/central-orchestration/salt-napalm-ios$sudo salt --output=yaml -G 'os:ios' net.arp r2: comment: '' out: - age: 0.0 interface: FastEthernet0/0 ip: 192.168.82.1 mac: 00:E0:4C:97:64:41 - age: 0.0 interface: FastEthernet0/0 ip: 192.168.82.77 mac: CA:01:34:CC:00:08 result: true r1: comment: '' out: - age: 0.0 interface: FastEthernet0/0 ip: 192.168.82.1 mac: 00:E0:4C:97:64:41 - age: 0.0 interface: FastEthernet0/0 ip: 192.168.82.76 mac: CA:00:34:CC:00:08 result: true Retrieving information Calls the net.arp NAPALM module. Retrieves the ARP table of the devices Selector sets the devices to those running “ios” as their operating system. Specifies YAML as the output format. Can be used as ingress for other tools
  • 32.
    32 Conclusion I don’t knowyour requirements, you do. There are good communities around both products. You don’t need to do everything right now Watch some vidoes and try out some examples! Ansible: https://www.youtube.com/watch?v=9TFlc-ekRPk Salt: https://www.youtube.com/watch?v=AqBk5fM7qZ0
  • 33.
    33 Further Information Ansible +Napalm: https://pynet.twb-tech.com/blog/automation/napalm-ios.html Salt + Napalm: https://mirceaulinic.net/2016-11-17-network-orchestration-with-salt-and- napalm/