Table of Contents |
---|
Prerequisites
- Linux management server connected to two distribution switches
- Multiple free /24 networks for IPv4 management addressing
- Somewhere to host git repositories (you need to create three new repositories)
...
To add some data to your own repository we suggest starting meld ( https://meldmerge.org/ ) and do a directory comparison from the cnaas-nms-templates repo from github and the cnaas-example-templates directory. Copy the files/directories from cnaas-nms-templates to cnaas-example-templates.
For Arista you will need to modify the template eos/dist.j2 and change "ip helper-address" on vlan1 to point to your VM running the CNaaS-NMS docker containers.
Then add/commit/push:
git add .
git commit -a -m "init"
git push
...
mkdir {access,core,devices,dist,fabric,global,groups}
touch {access,core,dist,fabric,global}/{base_system.yml,groups.yml,routing.yml,vxlans.yml}
touch devices/README{access,core,dist,fabric}/base_system.yml
touch devices/README
touch groups/README
Edit global/routing.yml and configure the IP blocks you allocated before:
---
underlay:
infra_link_net: 10.198.0.0/16
infra_lo_net: 10.199.0.0/16
mgmt_lo_net: 10.100.3.0/24
Commit and push
etc repo
Edit global/groups.yml and add the group ALL:
groups:
- group:
name: 'ALL'
regex: '.*'
Commit and push
etc repo
For etc repository add a directory called dhcpd For etc repository add a directory called dhcpd and then add a file called dhcpd.conf in there based on https://github.com/SUNET/cnaas-nms/blob/develop/docker/dhcpd/dhcpd.conf to dhcpd/dhcpd.conf
mkdir -p dhcpd && touch dhcpd/dhcpd.conf
In dhcd.conf replace the last subnet definition with the ZTP network for access switches you want to use for this distribution switch pair. If you have many pairs of distribution switches and ZTP networks you need to copy the subnet definition for each ZTP network.
...
Create a docker-compose.yml file on the server with the following contents:
---
version: '3.7'
services:
cnaas_api:
image: docker.sunet.se/cnaas/api:latest stable
ports:
- 443:1443
networks:
- cnaas
environment:
- GITREPO_TEMPLATES
- GITREPO_SETTINGS
- GITREPO_ETC
- USERNAME_DHCP_BOOT
- PASSWORD_DHCP_BOOT
- USERNAME_DISCOVERED
- PASSWORD_DISCOVERED
- USERNAME_INIT
- PASSWORD_INIT
- USERNAME_MANAGED
- PASSWORD_MANAGED
- FIRMWARE_URL
- TEMPLATE_SECRET_ADMIN_HASH
- TEMPLATE_SECRET_TRANSCEIVER
- TEMPLATE_SECRET_RADIUS
depends_on:
- "cnaas_postgres"
- "cnaas_redis"
- "cnaas_httpd"
volumes:
- type: volume
source: cnaas-templates
target: /opt/cnaas/templates
- type: volume
source: cnaas-settings
target: /opt/cnaas/settings
cnaas_httpd:
image: docker.sunet.se/cnaas/httpd:latest
ports:
- 80:1180
networks:
- cnaas
environment:
- GITREPO_TEMPLATES
- type: volume
source: cnaas-jwtcert
target: /opt/cnaas/jwtcert
- type: volume
source: cnaas-cacert
target: /opt/cnaas/cacert
cnaas_dhcpdhttpd:
image: docker.sunet.se/cnaas/dhcpdhttpd:latest
ports:
- 67:67/udp 80:1180
environmentnetworks:
- GITREPO_TEMPLATEScnaas
- GITREPO_SETTINGS environment:
- GITREPO_ETCTEMPLATES
- DB_PASSWORD
- DB_HOSTNAME=cnaas_postgres
- JWT_AUTH_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzEwNTk2MTgsIm5iZiI6MTU3MTA1OTYxOCwianRpIjoiNTQ2MDk2YTUtZTNmOS00NzFlLWE2NTctZWFlYTZkNzA4NmVhIiwic3ViIjoiYWRtaW4iLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.Sfffg9oZg_Kmoq7Oe8IoTcbuagpP6nuUXOQzqJpgDfqDq_GM_4zGzt7XxByD4G0q8g4gZGHQnV14TpDer2hJXw"
networks:
- cnaas
cnaas_postgres: volumes:
- type: volume
source: cnaas-www-data
target: /opt/cnaas/www/
cnaas_dhcpd:
image: docker.sunet.se/cnaas/postgresdhcpd:latest
volumesports:
- cnaas-postgres-data67:/var/lib/postgresql/data
67/udp
environment:
- GITREPO_TEMPLATES
- GITREPO_SETTINGS
- POSTGRESGITREPO_USERETC
- POSTGRESDB_PASSWORD
- POSTGRESDB_DBHOSTNAME=cnaas_postgres
- JWT_AUTH_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzEwNTk2MTgsIm5iZiI6MTU3MTA1OTYxOCwianRpIjoiNTQ2MDk2YTUtZTNmOS00NzFlLWE2NTctZWFlYTZkNzA4NmVhIiwic3ViIjoiYWRtaW4iLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.Sfffg9oZg_Kmoq7Oe8IoTcbuagpP6nuUXOQzqJpgDfqDq_GM_4zGzt7XxByD4G0q8g4gZGHQnV14TpDer2hJXw"
networks:
- cnaas
cnaas_redispostgres:
image: redisdocker.sunet.se/cnaas/postgres:latest
networksvolumes:
- cnaas
networks:
cnaas:
driver: bridge
name: cnaas
ipam:
config-postgres-data:/var/lib/postgresql/data
environment:
- POSTGRES_USER
- POSTGRES_PASSWORD
- POSTGRES_DB=cnaas
networks:
- subnet: 172.30.0.0/24
driver_optscnaas
cnaas_redis:
com.docker.network.bridge.name: br-cnaas
volumes image: redis:latest
networks:
cnaas-templates: cnaas
networks:
cnaas:
externaldriver: true bridge
cnaas-settingsname: cnaas
externalipam:
true config:
cnaas-postgres-data subnet: 172.30.0.0/24
externaldriver_opts: true
:latest here should be replaced with specific version or stable once we have a stable release.
The environment variable defininitions controls much of how CNaaS NMS is run. You can ether configure the variables right in this file by typing GITREPO_TEMPLATES="https://github.com/..." etc or set the environment variables before running the docker commands to start the docker containers.
Set USERNAME_*/PASSWORD_* to your desired passwords for the switches, if using default dhcp-init.j2 user/pass for dhcp/discovered/init is admin/abc123abc123, for MANAGED you should probably use something more secure. The TEPLATE_SECRET_ADMIN_HASH should be a password hash for the password you set under PASSWORD_MANAGED.
"FIRMWARE_URL" should point to the HTTP container and the path where firmwares are stored. This will most likely be the IP address of the NMS server with the prefix "/firmware". For example "<IP address of your NMS>/firmware/"
Create the three needed persistent docker volumes:
docker volume create cnaas-postgres-data
docker volume create cnaas-templates
docker volume create cnaas-settings
Start docker-compose and check the logs to try and fix any broken environment variables such as git repositories:
docker-compose up -f ./docker-compose.yml
docker ps
docker logs -f docker_cnaas_dhcpd_1
SSL certificates
Valid SSL certificates can be copied into the container using docker cp and placed at /etc/nginx/conf.d/cnaas_nakeoil.crt and .key , after you have copied the files reload nginx: docker exec -it cnaas_front_cnaas_front_1 nginx -s reload
Authentication tokens
JSON Web Tokens (JWT https://jwt.io/ ) are used to authenticate users. Setup howto for CNaaS auth poc server .
Initialize database
Once the databases and API are up you can create your first initial dist switches. Start by checking if you can access the API:
com.docker.network.bridge.name: br-cnaas
volumes:
cnaas-templates:
external: true
cnaas-settings:
external: true
cnaas-postgres-data:
external: true
cnaas-jwtcert:
external: true
cnaas-cacert:
external: true
cnaas-www-data:
external: true
:latest here should be replaced with specific version or stable once we have a stable release.
The environment variable defininitions controls much of how CNaaS NMS is run. You can ether configure the variables right in this file by typing GITREPO_TEMPLATES="https://github.com/..." etc or set the environment variables before running the docker commands to start the docker containers.
Set USERNAME_*/PASSWORD_* to your desired passwords for the switches, if using default dhcp-init.j2 user/pass for dhcp/discovered/init is admin/abc123abc123, for MANAGED you should probably use something more secure. The TEPLATE_SECRET_ADMIN_HASH should be a password hash for the password you set under PASSWORD_MANAGED.
"FIRMWARE_URL" should point to the HTTP container and the path where firmwares are stored. This will most likely be the IP address of the NMS server with the prefix "/firmware". For example "<IP address of your NMS>/firmware/"
Create the three needed persistent docker volumes:
docker volume create cnaas-postgres-data
docker volume create cnaas-templates
docker volume create cnaas-settings
docker volume create cnaas-jwtcert
docker volume create cnaas-cacert
Start docker-compose and check the logs to try and fix any broken environment variables such as git repositories:
docker-compose up -f ./docker-compose.yml
The API container will need the public key for a JWT certificate for authenticating API/JWT tokens to start. You can generate a certificate using the commands described under the "Authentication tokens" section below or just copy in a dummy cert in the meantime:
docker cp /etc/cnaas-nms/public.pem docker_cnaas_api_1:/opt/cnaas/jwtcert/public.pem
The API container will also need a rootCA if you want to generate valid certificates for API services on devices, you can create a rootCA via:
docker exec -u root -it docker_cnaas_api_1 /opt/cnaas/createca.sh
Check everything is up and running:
docker ps
docker logs -f docker_cnaas_dhcpd_1
SSL certificates
Valid SSL certificates can be copied into the container using docker cp and placed at /etc/nginx/conf.d/cnaas_nakeoil.crt and .key , after you have copied the files reload nginx: docker exec -u root -it cnaas_front_cnaas_front_1 nginx -s reload
Authentication tokens
JSON Web Tokens (JWT https://jwt.io/ ) are used to authenticate users. Setup howto for CNaaS auth poc server .
Initialize database
Once the databases and API are up you can create your first initial dist switches. Start by checking if you can access the API (the JWT token has to be signed by the cert(auth-server) you copied in to the api container earlier. the CNAASURL can very depending on setup):
export JWT_AUTH_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzEwNTk2MTgsIm5iZiI6MTU3MTA1OTYxOCwianRpIjoiNTQ2MDk2YTUtZTNmOS00NzFlLWE2NTctZWFlYTZkNzA4NmVhIiwic3ViIjoiYWRtaW4iLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.Sfffg9oZg_Kmoq7Oe8IoTcbuagpP6nuUXOQzqJpgDfqDq_GM_4zGzt7XxByD4G0q8g4gZGHQnV14TpDer2hJXw"
export CNAASURL="https://localhost"
curl -s -H "Authorization: Bearer ${JWT_AUTH_TOKEN}" ${CNAASURL}/api/v1.0/system/version
If you don't have installed valid certificates you will need to add -k to curl to make it accept self signed certificates. This curl command should return a result with status success but no data.
Before adding the dist devices you must make the API pull from the templates and settings repositories:
curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" ${CNAASURL}/api/v1.0/repository/templates -d '{"action": "refresh"}' -X PUT -H "Content-Type: application/jsonexport JWT_AUTH_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzEwNTk2MTgsIm5iZiI6MTU3MTA1OTYxOCwianRpIjoiNTQ2MDk2YTUtZTNmOS00NzFlLWE2NTctZWFlYTZkNzA4NmVhIiwic3ViIjoiYWRtaW4iLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.Sfffg9oZg_Kmoq7Oe8IoTcbuagpP6nuUXOQzqJpgDfqDq_GM_4zGzt7XxByD4G0q8g4gZGHQnV14TpDer2hJXw"
curl -s -H "Authorization: Bearer ${JWT$JWT_AUTH_TOKEN}" https://localhost/api/v1.0/devices" ${CNAASURL}/api/v1.0/repository/settings -d '{"action": "refresh"}' -X PUT -H "Content-Type: application/json"
If there's any syntax files in settings you need to fix them and then run the refresh command againIf you don't have installed valid certificates you will need to add -k to curl to make it accept self signed certificates. This curl command should return a result with status success but no data.
You then need to add your distribution switches with data similar to this:
...
curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" ${CNAASURL}/api/v1.0/device -X POST -d '{ "hostname": "eosdist1", "management_ip": "10.100.3.0", "platform": "eos", "state": "MANAGED", "device_type": "DIST"}' -H "Content-Type: application/json"
...
curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" https://localhost/${CNAASURL}/api/v1.0/repository/templates -d '{"action": "refresh"}' -X PUT -H "Content-Type: application/json"
curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" https://localhost${CNAASURL}/api/v1.0/repository/settings -d '{"action": "refresh"}' -X PUT -H "Content-Type: application/json"
...
curl output is hard to read: Install the command "jq" and pipe output like so: curl https://... | jq