| Table of Contents |
|---|
Prerequisites
- Linux management server connected to two distribution switches
- Multiple free /24 networks for IPv4 management addressing
- Somewhere to host git repositories (you need to create three new repositories)
...
mkdir {access,core,devices,dist,fabric,global,groups}
touch {access,core,dist,fabric,global}/{base_system.yml,groups.yml,routing.yml,vxlans.yml}
touch {access,core,dist,fabric}/base_system.yml
touch devices/README
touch groups/READMEEdit global/routing.yml and configure the IP blocks you allocated before:
...
underlay:
infra_link_net: 10.198.0.0/16
infra_lo_net: 10.199.0.0/16
mgmt_lo_net: 10.100.3.0/24
Commit and push
etc repo
Edit global/groups.yml and add the group ALL:
groups:
- group:
name: 'ALL'
regex: '.*'
Commit and push
etc repo
For For etc repository add a directory called dhcpd and then add a file called dhcpd.conf in there based on https://github.com/SUNET/cnaas-nms/blob/develop/docker/dhcpd/dhcpd.conf to dhcpd/dhcpd.conf
mkdir -p dhcpd && touch dhcpd/dhcpd.confIn dhcd.conf replace the last subnet definition with the ZTP network for access switches you want to use for this distribution switch pair. If you have many pairs of distribution switches and ZTP networks you need to copy the subnet definition for each ZTP network.
...
Create a docker-compose.yml file on the server with the following contents:
---
version: '3.7'
services:
cnaas_api:
image: docker.sunet.se/cnaas/api:stable
ports:
- 443:1443
networks:
- cnaas
environment:
- GITREPO_TEMPLATES
- GITREPO_SETTINGS
- GITREPO_ETC
- USERNAME_DHCP_BOOT
- PASSWORD_DHCP_BOOT
- USERNAME_DISCOVERED
- PASSWORD_DISCOVERED
- USERNAME_INIT
- PASSWORD_INIT
- USERNAME_MANAGED
- PASSWORD_MANAGED
- FIRMWARE_URL
- TEMPLATE_SECRET_ADMIN_HASH
- TEMPLATE_SECRET_TRANSCEIVER
- TEMPLATE_SECRET_RADIUS
depends_on:
- "cnaas_postgres"
- "cnaas_redis"
- "cnaas_httpd"
volumes:
- type: volume
source: cnaas-templates
target: /opt/cnaas/templates
- type: volume
source: cnaas-settings
target: /opt/cnaas/settings
- type: volume
source: cnaas-jwtcert
target: /opt/cnaas/jwtcert
- type: volume
source: cnaas-cacert
target: /opt/cnaas/cacert cacert
cnaas_httpd:
image: docker.sunet.se/cnaas/httpd:latest
ports:
- 80:1180
networks:
- cnaas
environment:
- GITREPO_TEMPLATES
networks:
- cnaas
environment:
- GITREPO_TEMPLATES
volumes:
- type: volume
source: cnaas-www-data
target: /opt/cnaas/www/
cnaas_dhcpd:
image: docker.sunet.se/cnaas/dhcpd:latest
ports:
- 67:67/udp
environment:
- GITREPO_TEMPLATES
- GITREPO_SETTINGS
- GITREPO_ETC
- DB_PASSWORD
- DB_HOSTNAME=cnaas_postgres
- JWT_AUTH_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzEwNTk2MTgsIm5iZiI6MTU3MTA1OTYxOCwianRpIjoiNTQ2MDk2YTUtZTNmOS00NzFlLWE2NTctZWFlYTZkNzA4NmVhIiwic3ViIjoiYWRtaW4iLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.Sfffg9oZg_Kmoq7Oe8IoTcbuagpP6nuUXOQzqJpgDfqDq_GM_4zGzt7XxByD4G0q8g4gZGHQnV14TpDer2hJXw"
networks:
- cnaas
cnaas_postgres:
image: docker.sunet.se/cnaas/postgres:latest
volumes:
- cnaas-postgres-data:/var/lib/postgresql/data
environment:
- POSTGRES_USER
- POSTGRES_PASSWORD
- POSTGRES_DB=cnaas
networks:
- cnaas
cnaas_redis:
image: redis:latest
networks:
- cnaas
networks:
cnaas:
driver: bridge
name: cnaas
ipam:
config:
- subnet: 172.30.0.0/24
driver_opts:
com.docker.network.bridge.name: br-cnaas
volumes:
cnaas-templates:
external: true
cnaas-settings:
external: true
cnaas-postgres-data:
external: true
cnaas-postgres-datajwtcert:
external: true
cnaas-jwtcertcacert:
external: true
cnaas-www-cacertdata:
external: true
:latest here should be replaced with specific version or stable once we have a stable release.
...
The API container will also need a rootCA if you want to generate valid certificates for API services on devices, you can create a rootCA via:
docker exec -u root -it docker_cnaas_api_1 /opt/cnaas/createca.sh...
Valid SSL certificates can be copied into the container using docker cp and placed at /etc/nginx/conf.d/cnaas_nakeoil.crt and .key , after you have copied the files reload nginx: docker exec -u root -it cnaas_front_cnaas_front_1 nginx -s reload
...
Once the databases and API are up you can create your first initial dist switches. Start by checking if you can access the API (the JWT token has to be signed by the cert(auth-server) you copied in to the api container earlier. the CNAASURL can very depending on setup):
export JWT_AUTH_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzEwNTk2MTgsIm5iZiI6MTU3MTA1OTYxOCwianRpIjoiNTQ2MDk2YTUtZTNmOS00NzFlLWE2NTctZWFlYTZkNzA4NmVhIiwic3ViIjoiYWRtaW4iLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.Sfffg9oZg_Kmoq7Oe8IoTcbuagpP6nuUXOQzqJpgDfqDq_GM_4zGzt7XxByD4G0q8g4gZGHQnV14TpDer2hJXw"
export CNAASURL="https://localhost"
curl -s -H "Authorization: Bearer ${JWT_AUTH_TOKEN}" https://localhost/ ${CNAASURL}/api/v1.0/system/devicesversion
If you don't have installed valid certificates you will need to add -k to curl to make it accept self signed certificates. This curl command should return a result with status success but no data.
...
curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" https://localhost${CNAASURL}/api/v1.0/repository/templates -d '{"action": "refresh"}' -X PUT -H "Content-Type: application/json"
curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" https://localhost${CNAASURL}/api/v1.0/repository/settings -d '{"action": "refresh"}' -X PUT -H "Content-Type: application/json"
...
curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" ${CNAASURL}/api/v1.0/device -X POST -d '{ "hostname": "eosdist1", "management_ip": "10.100.3.0", "platform": "eos", "state": "MANAGED", "device_type": "DIST"}' -H "Content-Type: application/json"...
curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" https://localhost${CNAASURL}/api/v1.0/repository/templates -d '{"action": "refresh"}' -X PUT -H "Content-Type: application/json"
curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" https://localhost${CNAASURL}/api/v1.0/repository/settings -d '{"action": "refresh"}' -X PUT -H "Content-Type: application/json"
...