Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Prerequisites

  1. Linux management server connected to two distribution switches
  2. Multiple free /24 networks for IPv4 management addressing
  3. Somewhere to host git repositories (you need to create three new repositories)

...

mkdir {access,core,devices,dist,fabric,global,groups}
touch {access,core,dist,fabric,global}/{base_system.yml,groups.yml,routing.yml,vxlans.yml}
touch {access,core,dist,fabric}/base_system.yml
touch devices/README
touch groups/README

Edit global/routing.yml and configure the IP blocks you allocated before:

...

underlay:
  infra_link_net: 10.198.0.0/16
  infra_lo_net: 10.199.0.0/16
  mgmt_lo_net: 10.100.3.0/24

Commit and push

etc repo

Edit global/groups.yml and add the group ALL:

groups:
  - group:
      name: 'ALL'
      regex: '.*'

Commit and push

etc repo

For For etc repository add a directory called dhcpd and then add a file called dhcpd.conf in there based on https://github.com/SUNET/cnaas-nms/blob/develop/docker/dhcpd/dhcpd.conf to dhcpd/dhcpd.conf

mkdir -p dhcpd && touch dhcpd/dhcpd.conf

In dhcd.conf replace the last subnet definition with the ZTP network for access switches you want to use for this distribution switch pair. If you have many pairs of distribution switches and ZTP networks you need to copy the subnet definition for each ZTP network.

...

Create a docker-compose.yml file on the server with the following contents:

--- 
version: '3.7'
services:
  cnaas_api:
    image: docker.sunet.se/cnaas/api:latest stable
    ports:
      - 443:1443
    networks:
      - cnaas
    environment:
      - GITREPO_TEMPLATES
      - GITREPO_SETTINGS
      - GITREPO_ETC
      - USERNAME_DHCP_BOOT
      - PASSWORD_DHCP_BOOT
      - USERNAME_DISCOVERED
      - PASSWORD_DISCOVERED
      - USERNAME_INIT
      - PASSWORD_INIT
      - USERNAME_MANAGED
      - PASSWORD_MANAGED
      - FIRMWARE_URL
      - TEMPLATE_SECRET_ADMIN_HASH
      - TEMPLATE_SECRET_TRANSCEIVER
      - TEMPLATE_SECRET_RADIUS
    depends_on:
      - "cnaas_postgres"
      - "cnaas_redis"
      - "cnaas_httpd"
    volumes:
      - type: volume
        source: cnaas-templates
        target: /opt/cnaas/templates
      - type: volume
        source: cnaas-settings
        target: /opt/cnaas/settings
      - type: volume
        source: cnaas-jwtcert
        target: /opt/cnaas/jwtcert
- type: volume
source:
 cnaas-cacert
target: /opt/cnaas/cacert

  cnaas_httpd:
    image: docker.sunet.se/cnaas/httpd:latest
    ports:
      - 80:1180
    networks:
      - cnaas
    environment:
      - GITREPO_TEMPLATES
 
volumes:
- type: volume
source: cnaas-www-data
target: /opt/cnaas/www/

  cnaas_dhcpd:
    image: docker.sunet.se/cnaas/dhcpd:latest
    ports:
      - 67:67/udp
    environment:
      - GITREPO_TEMPLATES
      - GITREPO_SETTINGS
      - GITREPO_ETC
      - DB_PASSWORD
      - DB_HOSTNAME=cnaas_postgres
      - JWT_AUTH_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzEwNTk2MTgsIm5iZiI6MTU3MTA1OTYxOCwianRpIjoiNTQ2MDk2YTUtZTNmOS00NzFlLWE2NTctZWFlYTZkNzA4NmVhIiwic3ViIjoiYWRtaW4iLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.Sfffg9oZg_Kmoq7Oe8IoTcbuagpP6nuUXOQzqJpgDfqDq_GM_4zGzt7XxByD4G0q8g4gZGHQnV14TpDer2hJXw"
    networks:
      - cnaas
 
  cnaas_postgres:
    image: docker.sunet.se/cnaas/postgres:latest
    volumes:
      - cnaas-postgres-data:/var/lib/postgresql/data
    environment:
      - POSTGRES_USER
      - POSTGRES_PASSWORD
      - POSTGRES_DB=cnaas
    networks:
      - cnaas
 
  cnaas_redis:
    image: redis:latest
    networks:
      - cnaas

networks:
  cnaas:
    driver: bridge
    name: cnaas
    ipam:
      config:
      - subnet: 172.30.0.0/24
    driver_opts:
      com.docker.network.bridge.name: br-cnaas
 
volumes:
  cnaas-templates:
    external: true
  cnaas-settings:
    external: true
  cnaas-postgres-data:
    external: true
  cnaas-jwtcert:
external: true
cnaas-cacert:
external: true
cnaas-www-data:
external: true


:latest here should be replaced with specific version or stable once we have a stable release.

...

docker volume create cnaas-postgres-data
docker volume create cnaas-templates
docker volume create cnaas-settings
docker volume create cnaas-jwtcert
docker volume create cnaas-cacert

Start docker-compose and check the logs to try and fix any broken environment variables such as git repositories:

...

The API container will need the public key for a JWT certificate for authenticating API/JWT tokens to start. You can generate a certificate using the commands described under the "Authentication tokens" section below or just copy in a dummy cert in the meantime:

docker cp /etc/cnaas-nms/public.pem/public.pem docker_cnaas_api_1:/opt/cnaas/jwtcert/public.pem

The API container will also need a rootCA if you want to generate valid certificates for API services on devices, you can create a rootCA via:

docker exec -u root -it docker_cnaas_api_1: /opt/cnaas/jwtcert/public.pemcreateca.sh

Check everything is up and running:

docker ps
docker logs -f docker_cnaas_dhcpd_1

...

Valid SSL certificates can be copied into the container using docker cp and placed at /etc/nginx/conf.d/cnaas_nakeoil.crt and .key , after you have copied the files reload nginx: docker exec -u root -it cnaas_front_cnaas_front_1 nginx -s reload

...

Once the databases and API are up you can create your first initial dist switches. Start by checking if you can access the API (the JWT token has to be signed by the cert(auth-server) you copied in to the api container earlier. the CNAASURL can very depending on setup):

export JWT_AUTH_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzEwNTk2MTgsIm5iZiI6MTU3MTA1OTYxOCwianRpIjoiNTQ2MDk2YTUtZTNmOS00NzFlLWE2NTctZWFlYTZkNzA4NmVhIiwic3ViIjoiYWRtaW4iLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.Sfffg9oZg_Kmoq7Oe8IoTcbuagpP6nuUXOQzqJpgDfqDq_GM_4zGzt7XxByD4G0q8g4gZGHQnV14TpDer2hJXw"
export CNAASURL="https://localhost"
curl -s -H "Authorization: Bearer ${JWT_AUTH_TOKEN}" https://localhost/ ${CNAASURL}/api/v1.0/system/devicesversion

If you don't have installed valid certificates you will need to add -k to curl to make it accept self signed certificates. This curl command should return a result with status success but no data.

...

curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" https://localhost${CNAASURL}/api/v1.0/repository/templates -d '{"action": "refresh"}' -X PUT -H "Content-Type: application/json"
curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" https://localhost${CNAASURL}/api/v1.0/repository/settings -d '{"action": "refresh"}' -X PUT -H "Content-Type: application/json"

...

curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" ${CNAASURL}/api/v1.0/device -X POST -d '{  "hostname": "eosdist1",  "management_ip": "10.100.3.0",  "platform": "eos",  "state": "MANAGED",  "device_type": "DIST"}' -H "Content-Type: application/json"

...

curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" https://localhost${CNAASURL}/api/v1.0/repository/templates -d '{"action": "refresh"}' -X PUT -H "Content-Type: application/json"
curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" https://localhost${CNAASURL}/api/v1.0/repository/settings -d '{"action": "refresh"}' -X PUT -H "Content-Type: application/json"

...