Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Prerequisites

  1. Linux management server connected to two distribution switches
  2. Multiple free /24 networks for IPv4 management addressing
  3. Somewhere to host git repositories (you need to create three new repositories)

...

To add some data to your own repository we suggest starting meld ( https://meldmerge.org/ ) and do a directory comparison from the cnaas-nms-templates repo from github and the cnaas-example-templates directory. Copy the files/directories from cnaas-nms-templates to cnaas-example-templates.

For Arista you will need to modify the template eos/dist.j2 and change "ip helper-address" on vlan1 to point to your VM running the CNaaS-NMS docker containers.

Then add/commit/push:

git add .
git commit -a -m "init"
git push

...

mkdir {access,core,devices,dist,fabric,global,groups}
touch {access,core,dist,fabric,global}/{base_system.yml,groups.yml,routing.yml,vxlans.yml}
touch devices/README{access,core,dist,fabric}/base_system.yml
touch devices/README
touch groups/README

Edit global/routing.yml and configure the IP blocks you allocated before:

---
underlay:
  infra_link_net: 10.198.0.0/16
  infra_lo_net: 10.199.0.0/16
  mgmt_lo_net: 10.100.3.0/24

Commit and push

etc repo

Edit global/groups.yml and add the group ALL:

groups:
  - group:
      name: 'ALL'
      regex: '.*'

Commit and push

etc repo

For etc repository add a directory called dhcpd For etc repository add a directory called dhcpd and then add a file called dhcpd.conf in there based on https://github.com/SUNET/cnaas-nms/blob/develop/docker/dhcpd/dhcpd.conf to dhcpd/dhcpd.conf

mkdir -p dhcpd && touch dhcpd/dhcpd.conf

In dhcd.conf replace the last subnet definition with the ZTP network for access switches you want to use for this distribution switch pair. If you have many pairs of distribution switches and ZTP networks you need to copy the subnet definition for each ZTP network.

...

Create a docker-compose.yml file on the server with the following contents:

--- 
version: '3.7'
services:
  cnaas_api:
    image: docker.sunet.se/cnaas/api:latest stable
    ports:
      - 443:1443
    networks:
      - cnaas
    environment:
      - GITREPO_TEMPLATES
      - GITREPO_SETTINGS
      - GITREPO_ETC
      - USERNAME_DHCP_BOOT
      - PASSWORD_DHCP_BOOT
      - USERNAME_DISCOVERED
      - PASSWORD_DISCOVERED
      - USERNAME_INIT
      - PASSWORD_INIT
      - USERNAME_MANAGED
      - PASSWORD_MANAGED
      - FIRMWARE_URL
      - TEMPLATE_SECRET_ADMIN_HASH
      - TEMPLATE_SECRET_TRANSCEIVER
      - TEMPLATE_SECRET_RADIUS
    depends_on:
      - "cnaas_postgres"
      - "cnaas_redis"
      - "cnaas_httpd"
    volumes:
      - type: volume
        source: cnaas-templates
        target: /opt/cnaas/templates
      - type: volume
        source: cnaas-settings
        target: /opt/cnaas/settings
 
  cnaas_httpd:
    image: docker.sunet.se/cnaas/httpd:latest
    ports:
      - 80:1180
    networks:
      - cnaas
    environment:
      - GITREPO_TEMPLATES
       - type: volume
        source: cnaas-jwtcert
        target: /opt/cnaas/jwtcert
- type: volume
source: cnaas-cacert
target: /opt/cnaas/cacert

  cnaas_dhcpdhttpd:
    image: docker.sunet.se/cnaas/dhcpdhttpd:latest
    ports:
      - 67:67/udp 80:1180
    environmentnetworks:
      - GITREPO_TEMPLATEScnaas
      - GITREPO_SETTINGS    environment:
      - GITREPO_ETCTEMPLATES
      - DB_PASSWORD
      - DB_HOSTNAME=cnaas_postgres
      - JWT_AUTH_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzEwNTk2MTgsIm5iZiI6MTU3MTA1OTYxOCwianRpIjoiNTQ2MDk2YTUtZTNmOS00NzFlLWE2NTctZWFlYTZkNzA4NmVhIiwic3ViIjoiYWRtaW4iLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.Sfffg9oZg_Kmoq7Oe8IoTcbuagpP6nuUXOQzqJpgDfqDq_GM_4zGzt7XxByD4G0q8g4gZGHQnV14TpDer2hJXw"
    networks:
      - cnaas
 
  cnaas_postgres: volumes:
- type: volume
source: cnaas-www-data
target: /opt/cnaas/www/

  cnaas_dhcpd:
    image: docker.sunet.se/cnaas/postgresdhcpd:latest
    volumesports:
      - cnaas-postgres-data67:/var/lib/postgresql/data
67/udp
    environment:
      - GITREPO_TEMPLATES
      - GITREPO_SETTINGS
      - POSTGRESGITREPO_USERETC
      - POSTGRESDB_PASSWORD
      - POSTGRESDB_DBHOSTNAME=cnaas_postgres
      - JWT_AUTH_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzEwNTk2MTgsIm5iZiI6MTU3MTA1OTYxOCwianRpIjoiNTQ2MDk2YTUtZTNmOS00NzFlLWE2NTctZWFlYTZkNzA4NmVhIiwic3ViIjoiYWRtaW4iLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.Sfffg9oZg_Kmoq7Oe8IoTcbuagpP6nuUXOQzqJpgDfqDq_GM_4zGzt7XxByD4G0q8g4gZGHQnV14TpDer2hJXw"
    networks:
      - cnaas
 
  cnaas_redispostgres:
    image: redisdocker.sunet.se/cnaas/postgres:latest
    networksvolumes:
      - cnaas
networks:
  cnaas:
    driver: bridge
    name: cnaas
    ipam:
      config-postgres-data:/var/lib/postgresql/data
    environment:
      - POSTGRES_USER
      - POSTGRES_PASSWORD
      - POSTGRES_DB=cnaas
    networks:
      - subnet: 172.30.0.0/24
    driver_optscnaas
 
  cnaas_redis:
      com.docker.network.bridge.name: br-cnaas
 
volumes    image: redis:latest
    networks:
       cnaas-templates: cnaas

networks:
  cnaas:
    externaldriver: true bridge
     cnaas-settingsname: cnaas
    externalipam:
      true config:
       cnaas-postgres-data subnet: 172.30.0.0/24
    externaldriver_opts: true

:latest here should be replaced with specific version or stable once we have a stable release.

The environment variable defininitions controls much of how CNaaS NMS is run. You can ether configure the variables right in this file by typing GITREPO_TEMPLATES="https://github.com/..." etc or set the environment variables before running the docker commands to start the docker containers.

Set USERNAME_*/PASSWORD_* to your desired passwords for the switches, if using default dhcp-init.j2 user/pass for dhcp/discovered/init is admin/abc123abc123, for MANAGED you should probably use something more secure. The TEPLATE_SECRET_ADMIN_HASH should be a password hash for the password you set under PASSWORD_MANAGED.

"FIRMWARE_URL" should point to the HTTP container and the path where firmwares are stored. This will most likely be the IP address of the NMS server with the prefix "/firmware". For example "<IP address of your NMS>/firmware/"

Create the three needed persistent docker volumes:

docker volume create cnaas-postgres-data
docker volume create cnaas-templates
docker volume create cnaas-settings

Start docker-compose and check the logs to try and fix any broken environment variables such as git repositories:

docker-compose up -f ./docker-compose.yml
docker ps
docker logs -f docker_cnaas_dhcpd_1

SSL certificates

Valid SSL certificates can be copied into the container using docker cp and placed at /etc/nginx/conf.d/cnaas_nakeoil.crt and .key , after you have copied the files reload nginx: docker exec -it cnaas_front_cnaas_front_1 nginx -s reload

Initialize database

Once the databases and API are up you can create your first initial dist switches. Start by checking if you can access the API:


      com.docker.network.bridge.name: br-cnaas
 
volumes:
  cnaas-templates:
    external: true
  cnaas-settings:
    external: true
  cnaas-postgres-data:
    external: true
  cnaas-jwtcert:
external: true
cnaas-cacert:
external: true
cnaas-www-data:
external: true


:latest here should be replaced with specific version or stable once we have a stable release.

The environment variable defininitions controls much of how CNaaS NMS is run. You can ether configure the variables right in this file by typing GITREPO_TEMPLATES="https://github.com/..." etc or set the environment variables before running the docker commands to start the docker containers.

Set USERNAME_*/PASSWORD_* to your desired passwords for the switches, if using default dhcp-init.j2 user/pass for dhcp/discovered/init is admin/abc123abc123, for MANAGED you should probably use something more secure. The TEPLATE_SECRET_ADMIN_HASH should be a password hash for the password you set under PASSWORD_MANAGED.

"FIRMWARE_URL" should point to the HTTP container and the path where firmwares are stored. This will most likely be the IP address of the NMS server with the prefix "/firmware". For example "<IP address of your NMS>/firmware/"


Create the three needed persistent docker volumes:

docker volume create cnaas-postgres-data
docker volume create cnaas-templates
docker volume create cnaas-settings
docker volume create cnaas-jwtcert
docker volume create cnaas-cacert

Start docker-compose and check the logs to try and fix any broken environment variables such as git repositories:

docker-compose up -f ./docker-compose.yml

The API container will need the public key for a JWT certificate for authenticating API/JWT tokens to start. You can generate a certificate using the commands described under the "Authentication tokens" section below or just copy in a dummy cert in the meantime:

docker cp /etc/cnaas-nms/public.pem docker_cnaas_api_1:/opt/cnaas/jwtcert/public.pem

The API container will also need a rootCA if you want to generate valid certificates for API services on devices, you can create a rootCA via:

docker exec -u root -it docker_cnaas_api_1 /opt/cnaas/createca.sh

Check everything is up and running:

docker ps
docker logs -f docker_cnaas_dhcpd_1

SSL certificates

Valid SSL certificates can be copied into the container using docker cp and placed at /etc/nginx/conf.d/cnaas_nakeoil.crt and .key , after you have copied the files reload nginx: docker exec -u root -it cnaas_front_cnaas_front_1 nginx -s reload

Authentication tokens

JSON Web Tokens (JWT https://jwt.io/ ) are used to authenticate users. Setup howto for CNaaS auth poc server .

Initialize database

Once the databases and API are up you can create your first initial dist switches. Start by checking if you can access the API (the JWT token has to be signed by the cert(auth-server) you copied in to the api container earlier. the CNAASURL can very depending on setup):

export JWT_AUTH_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzEwNTk2MTgsIm5iZiI6MTU3MTA1OTYxOCwianRpIjoiNTQ2MDk2YTUtZTNmOS00NzFlLWE2NTctZWFlYTZkNzA4NmVhIiwic3ViIjoiYWRtaW4iLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.Sfffg9oZg_Kmoq7Oe8IoTcbuagpP6nuUXOQzqJpgDfqDq_GM_4zGzt7XxByD4G0q8g4gZGHQnV14TpDer2hJXw"
export CNAASURL="https://localhost"
curl -s -H "Authorization: Bearer ${JWT_AUTH_TOKEN}" ${CNAASURL}/api/v1.0/system/version

If you don't have installed valid certificates you will need to add -k to curl to make it accept self signed certificates. This curl command should return a result with status success but no data.

Before adding the dist devices you must make the API pull from the templates and settings repositories:

curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" ${CNAASURL}/api/v1.0/repository/templates -d '{"action": "refresh"}' -X PUT -H "Content-Type: application/jsonexport JWT_AUTH_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzEwNTk2MTgsIm5iZiI6MTU3MTA1OTYxOCwianRpIjoiNTQ2MDk2YTUtZTNmOS00NzFlLWE2NTctZWFlYTZkNzA4NmVhIiwic3ViIjoiYWRtaW4iLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.Sfffg9oZg_Kmoq7Oe8IoTcbuagpP6nuUXOQzqJpgDfqDq_GM_4zGzt7XxByD4G0q8g4gZGHQnV14TpDer2hJXw"
curl -s -H "Authorization: Bearer ${JWT$JWT_AUTH_TOKEN}" https://localhost/api/v1.0/devices" ${CNAASURL}/api/v1.0/repository/settings -d '{"action": "refresh"}' -X PUT -H "Content-Type: application/json"

If there's any syntax files in settings you need to fix them and then run the refresh command againIf you don't have installed valid certificates you will need to add -k to curl to make it accept self signed certificates. This curl command should return a result with status success but no data.

You then need to add your distribution switches with data similar to this:

...

curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" ${CNAASURL}/api/v1.0/device -X POST -d '{  "hostname": "eosdist1",  "management_ip": "10.100.3.0",  "platform": "eos",  "state": "MANAGED",  "device_type": "DIST"}' -H "Content-Type: application/json"

...

curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" https://localhost/${CNAASURL}/api/v1.0/repository/templates -d '{"action": "refresh"}' -X PUT -H "Content-Type: application/json"
curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" https://localhost${CNAASURL}/api/v1.0/repository/settings -d '{"action": "refresh"}' -X PUT -H "Content-Type: application/json"

...

curl output is hard to read: Install the command "jq" and pipe output like so: curl https://... | jq

Web UI

Installing CNaaS Front WebUI