Äau Habr!
Nesen Å”eit parÄdÄ«jÄs raksts kur lÄ«dzÄ«ga problÄma tika atrisinÄta, izmantojot fosilos lÄ«dzekļus. Un, lai gan uzdevums ir pilnÄ«gi tipisks, HabrĆ© tajÄ nav nekÄ lÄ«dzÄ«ga. UzdroÅ”inos piedÄvÄt savu velosipÄdu cienÄ«jamai IT sabiedrÄ«bai.
Å is nav pirmais velosipÄds Å”Ädam uzdevumam. PirmÄ iespÄja tika ieviesta pirms vairÄkiem gadiem ansible versija 1.x.x. VelosipÄds bija maz lietots un tÄpÄc pastÄvÄ«gi rÅ«sÄja. TÄdÄ ziÅÄ, ka pats uzdevums nerodas tik bieži, kÄ tiek atjauninÄtas versijas ansible. Un katru reizi, kad vajag braukt, Ä·Äde nokrÄ«t vai ritenis nokrÄ«t. TomÄr pirmÄ daļa, Ä£enerÄjot konfigurÄcijas, vienmÄr, par laimi, darbojas ļoti skaidri jinja2 DzinÄjs ir sen izveidots. Bet otrÄ daļa ā konfigurÄciju izrullÄÅ”ana ā parasti nesa pÄrsteigumus. Un tÄ kÄ man attÄlinÄti ir jÄizvÄrÅ” konfigurÄcija pussimts ierÄ«cÄm, no kurÄm dažas atrodas tÅ«kstoÅ”iem kilometru attÄlumÄ, Ŕī rÄ«ka izmantoÅ”ana bija nedaudz garlaicÄ«ga.
Å eit man jÄatzÄ«st, ka mana nenoteiktÄ«ba, visticamÄk, slÄpjas manÄ neziÅÄ ansiblenekÄ tÄs nepilnÄ«bÄs. Un tas, starp citu, ir svarÄ«gs punkts. ansible ir pilnÄ«gi atseviŔķa, sava zinÄÅ”anu joma ar savu DSL (Domain Specific Language), kas ir jÄuztur pÄrliecinoÅ”Ä lÄ«menÄ«. Nu, tas brÄ«dis, ka ansible Tas attÄ«stÄs diezgan Ätri, un, Ä«paÅ”i neÅemot vÄrÄ atpakaļejoÅ”u saderÄ«bu, tas nedod pÄrliecÄ«bu.
TÄpÄc ne tik sen tika ieviesta otrÄ velosipÄda versija. Å oreiz tÄlÄk pitons, vai drÄ«zÄk uz rÄmja, kas ierakstÄ«ts pitons un par pitons aicinÄja
TÄtad - Nornir ir mikroietvars, kas ierakstÄ«ts pitons un par pitons un paredzÄts automatizÄcijai. Tas pats, kas gadÄ«jumÄ ar ansible, lai Å”eit atrisinÄtu problÄmas, nepiecieÅ”ama kompetenta datu sagatavoÅ”ana, t.i. hostu un to parametru uzskaiti, bet skriptus raksta nevis atseviÅ”Ä·Ä DSL, bet tajÄ paÅ”Ä ne pÄrÄk vecajÄ, bet ļoti labÄ p[i|i]tonÄ.
ApskatÄ«sim, kas tas ir, izmantojot Å”Ädu reÄllaika piemÄru.
Man ir filiÄļu tÄ«kls ar vairÄkiem desmitiem biroju visÄ valstÄ«. KatrÄ birojÄ ir WAN marÅ”rutÄtÄjs, kas pÄrtrauc vairÄkus sakaru kanÄlus no dažÄdiem operatoriem. MarÅ”rutÄÅ”anas protokols ir BGP. WAN marÅ”rutÄtÄji ir divu veidu: Cisco ISG vai Juniper SRX.
Tagad uzdevums: jums ir jÄkonfigurÄ speciÄls apakÅ”tÄ«kls videonovÄroÅ”anai atseviÅ”Ä·Ä portÄ visos filiÄles tÄ«kla WAN marÅ”rutÄtÄjos - reklamÄjiet Å”o apakÅ”tÄ«klu BGP - konfigurÄjiet speciÄlÄ porta Ätruma ierobežojumu.
PirmkÄrt, mums ir jÄsagatavo pÄris veidnes, uz kuru pamata tiks Ä£enerÄtas atseviŔķi Cisco un Juniper konfigurÄcijas. TÄpat ir nepiecieÅ”ams sagatavot datus par katru punktu un savienojuma parametrus, t.i. savÄc to paÅ”u inventÄru
Gatava Cisco veidne:
$ cat templates/ios/base.j2
class-map match-all VIDEO_SURV
match access-group 111
policy-map VIDEO_SURV
class VIDEO_SURV
police 1500000 conform-action transmit exceed-action drop
interface {{ host.task_data.ifname }}
description VIDEOSURV
ip address 10.10.{{ host.task_data.ipsuffix }}.254 255.255.255.0
service-policy input VIDEO_SURV
router bgp {{ host.task_data.asn }}
network 10.40.{{ host.task_data.ipsuffix }}.0 mask 255.255.255.0
access-list 11 permit 10.10.{{ host.task_data.ipsuffix }}.0 0.0.0.255
access-list 111 permit ip 10.10.{{ host.task_data.ipsuffix }}.0 0.0.0.255 anyKadiÄ·a veidne:
$ cat templates/junos/base.j2
set interfaces {{ host.task_data.ifname }} unit 0 description "Video surveillance"
set interfaces {{ host.task_data.ifname }} unit 0 family inet filter input limit-in
set interfaces {{ host.task_data.ifname }} unit 0 family inet address 10.10.{{ host.task_data.ipsuffix }}.254/24
set policy-options policy-statement export2bgp term 1 from route-filter 10.10.{{ host.task_data.ipsuffix }}.0/24 exact
set security zones security-zone WAN interfaces {{ host.task_data.ifname }}
set firewall policer policer-1m if-exceeding bandwidth-limit 1m
set firewall policer policer-1m if-exceeding burst-size-limit 187k
set firewall policer policer-1m then discard
set firewall policer policer-1.5m if-exceeding bandwidth-limit 1500000
set firewall policer policer-1.5m if-exceeding burst-size-limit 280k
set firewall policer policer-1.5m then discard
set firewall filter limit-in term 1 then policer policer-1.5m
set firewall filter limit-in term 1 then count limiterVeidnes, protams, nerodas no zila gaisa. TÄs bÅ«tÄ«bÄ ir atŔķirÄ«bas starp darba konfigurÄcijÄm, kas bija un bija pÄc uzdevuma atrisinÄÅ”anas diviem konkrÄtiem dažÄdu modeļu marÅ”rutÄtÄjiem.
No mÅ«su veidnÄm mÄs redzam, ka, lai atrisinÄtu problÄmu, mums ir nepiecieÅ”ami tikai divi Juniper parametri un 3 parametri Cisco. Å”eit tie ir:
- ifname
- ipsufikss
- asn
Tagad mums ir jÄiestata Å”ie parametri katrai ierÄ«cei, t.i. darÄ«t to paÅ”u inventÄrs.
Par inventÄrs MÄs stingri ievÄrosim dokumentÄciju
tas ir, izveidosim to paŔu faila skeletu:
.
āāā config.yaml
āāā inventory
ā āāā defaults.yaml
ā āāā groups.yaml
ā āāā hosts.yamlFails config.yaml ir standarta nornir konfigurÄcijas fails
$ cat config.yaml
---
core:
num_workers: 10
inventory:
plugin: nornir.plugins.inventory.simple.SimpleInventory
options:
host_file: "inventory/hosts.yaml"
group_file: "inventory/groups.yaml"
defaults_file: "inventory/defaults.yaml"MÄs norÄdÄ«sim galvenos parametrus failÄ hosts.yaml, grupÄ (manÄ gadÄ«jumÄ tie ir logins/paroles) iekÅ”Ä grupas.yamlun noklusÄjuma iestatÄ«jumi.yaml MÄs neko nenorÄdÄ«sim, bet tur jÄievada trÄ«s mÄ«nusi - norÄdot, ka tÄ ir jams tomÄr fails ir tukÅ”s.
LÅ«k, kÄ izskatÄs hosts.yaml:
---
srx-test:
hostname: srx-test
groups:
- juniper
data:
task_data:
ifname: fe-0/0/2
ipsuffix: 111
cisco-test:
hostname: cisco-test
groups:
- cisco
data:
task_data:
ifname: GigabitEthernet0/1/1
ipsuffix: 222
asn: 65111Un Ŕeit ir groups.yaml:
---
cisco:
platform: ios
username: admin1
password: cisco1
juniper:
platform: junos
username: admin2
password: juniper2TÄ tas notika inventÄrs mÅ«su uzdevumam. InicializÄcijas laikÄ parametri no inventarizÄcijas failiem tiek kartÄti uz objekta modeli InventoryElement.
Zem spoilera ir InventoryElement modeļa diagramma
print(json.dumps(InventoryElement.schema(), indent=4))
{
"title": "InventoryElement",
"type": "object",
"properties": {
"hostname": {
"title": "Hostname",
"type": "string"
},
"port": {
"title": "Port",
"type": "integer"
},
"username": {
"title": "Username",
"type": "string"
},
"password": {
"title": "Password",
"type": "string"
},
"platform": {
"title": "Platform",
"type": "string"
},
"groups": {
"title": "Groups",
"default": [],
"type": "array",
"items": {
"type": "string"
}
},
"data": {
"title": "Data",
"default": {},
"type": "object"
},
"connection_options": {
"title": "Connection_Options",
"default": {},
"type": "object",
"additionalProperties": {
"$ref": "#/definitions/ConnectionOptions"
}
}
},
"definitions": {
"ConnectionOptions": {
"title": "ConnectionOptions",
"type": "object",
"properties": {
"hostname": {
"title": "Hostname",
"type": "string"
},
"port": {
"title": "Port",
"type": "integer"
},
"username": {
"title": "Username",
"type": "string"
},
"password": {
"title": "Password",
"type": "string"
},
"platform": {
"title": "Platform",
"type": "string"
},
"extras": {
"title": "Extras",
"type": "object"
}
}
}
}
}Å is modelis var izskatÄ«ties nedaudz mulsinoÅ”i, it Ä«paÅ”i sÄkumÄ. Lai to noskaidrotu, tiek ieslÄgts interaktÄ«vais režīms ipython.
$ ipython3
Python 3.6.9 (default, Nov 7 2019, 10:44:02)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.1.1 -- An enhanced Interactive Python. Type '?' for help.
In [1]: from nornir import InitNornir
In [2]: nr = InitNornir(config_file="config.yaml", dry_run=True)
In [3]: nr.inventory.hosts
Out[3]:
{'srx-test': Host: srx-test, 'cisco-test': Host: cisco-test}
In [4]: nr.inventory.hosts['srx-test'].data
Out[4]: {'task_data': {'ifname': 'fe-0/0/2', 'ipsuffix': 111}}
In [5]: nr.inventory.hosts['srx-test']['task_data']
Out[5]: {'ifname': 'fe-0/0/2', 'ipsuffix': 111}
In [6]: nr.inventory.hosts['srx-test'].platform
Out[6]: 'junos'
Un visbeidzot, pÄriesim pie paÅ”a skripta. Man te nav ar ko Ä«paÅ”i lepoties. Es tikko paÅÄmu gatavu piemÄru no un izmantoja to gandrÄ«z nemainÄ«tÄ veidÄ. Å Ädi izskatÄs gatavais darba skripts:
from nornir import InitNornir
from nornir.plugins.tasks import networking, text
from nornir.plugins.functions.text import print_title, print_result
def config_and_deploy(task):
# Transform inventory data to configuration via a template file
r = task.run(task=text.template_file,
name="Base Configuration",
template="base.j2",
path=f"templates/{task.host.platform}")
# Save the compiled configuration into a host variable
task.host["config"] = r.result
# Save the compiled configuration into a file
with open(f"configs/{task.host.hostname}", "w") as f:
f.write(r.result)
# Deploy that configuration to the device using NAPALM
task.run(task=networking.napalm_configure,
name="Loading Configuration on the device",
replace=False,
configuration=task.host["config"])
nr = InitNornir(config_file="config.yaml", dry_run=True) # set dry_run=False, cross your fingers and run again
# run tasks
result = nr.run(task=config_and_deploy)
print_result(result)PievÄrsiet uzmanÄ«bu parametram dry_run=Tiesa rindÄ objekta inicializÄcija nr.
Å eit tas pats, kas iekÅ”Ä ansible ir ieviesta testa palaiÅ”ana, kurÄ tiek izveidots savienojums ar marÅ”rutÄtÄju, tiek sagatavota jauna modificÄta konfigurÄcija, kuru pÄc tam apstiprina ierÄ«ce (bet tas nav droÅ”i; tas ir atkarÄ«gs no ierÄ«ces atbalsta un draivera ievieÅ”anas NAPALM) , taÄu jaunÄ konfigurÄcija netiek tieÅ”i piemÄrota. Lai izmantotu kaujas, jums ir jÄnoÅem parametrs sausais_skrÄjiens vai mainiet tÄ vÄrtÄ«bu uz Nepatiess.
Kad skripts tiek izpildÄ«ts, Nornir konsolei izvada detalizÄtus žurnÄlus.
Zem spoilera ir divu testa marÅ”rutÄtÄju kaujas rezultÄts:
config_and_deploy***************************************************************
* cisco-test ** changed : True *******************************************
vvvv config_and_deploy ** changed : True vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv INFO
---- Base Configuration ** changed : True ------------------------------------- INFO
class-map match-all VIDEO_SURV
match access-group 111
policy-map VIDEO_SURV
class VIDEO_SURV
police 1500000 conform-action transmit exceed-action drop
interface GigabitEthernet0/1/1
description VIDEOSURV
ip address 10.10.222.254 255.255.255.0
service-policy input VIDEO_SURV
router bgp 65001
network 10.10.222.0 mask 255.255.255.0
access-list 11 permit 10.10.222.0 0.0.0.255
access-list 111 permit ip 10.10.222.0 0.0.0.255 any
---- Loading Configuration on the device ** changed : True --------------------- INFO
+class-map match-all VIDEO_SURV
+ match access-group 111
+policy-map VIDEO_SURV
+ class VIDEO_SURV
+interface GigabitEthernet0/1/1
+ description VIDEOSURV
+ ip address 10.10.222.254 255.255.255.0
+ service-policy input VIDEO_SURV
+router bgp 65001
+ network 10.10.222.0 mask 255.255.255.0
+access-list 11 permit 10.10.222.0 0.0.0.255
+access-list 111 permit ip 10.10.222.0 0.0.0.255 any
^^^^ END config_and_deploy ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* srx-test ** changed : True *******************************************
vvvv config_and_deploy ** changed : True vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv INFO
---- Base Configuration ** changed : True ------------------------------------- INFO
set interfaces fe-0/0/2 unit 0 description "Video surveillance"
set interfaces fe-0/0/2 unit 0 family inet filter input limit-in
set interfaces fe-0/0/2 unit 0 family inet address 10.10.111.254/24
set policy-options policy-statement export2bgp term 1 from route-filter 10.10.111.0/24 exact
set security zones security-zone WAN interfaces fe-0/0/2
set firewall policer policer-1m if-exceeding bandwidth-limit 1m
set firewall policer policer-1m if-exceeding burst-size-limit 187k
set firewall policer policer-1m then discard
set firewall policer policer-1.5m if-exceeding bandwidth-limit 1500000
set firewall policer policer-1.5m if-exceeding burst-size-limit 280k
set firewall policer policer-1.5m then discard
set firewall filter limit-in term 1 then policer policer-1.5m
set firewall filter limit-in term 1 then count limiter
---- Loading Configuration on the device ** changed : True --------------------- INFO
[edit interfaces]
+ fe-0/0/2 {
+ unit 0 {
+ description "Video surveillance";
+ family inet {
+ filter {
+ input limit-in;
+ }
+ address 10.10.111.254/24;
+ }
+ }
+ }
[edit]
+ policy-options {
+ policy-statement export2bgp {
+ term 1 {
+ from {
+ route-filter 10.10.111.0/24 exact;
+ }
+ }
+ }
+ }
[edit security zones]
security-zone test-vpn { ... }
+ security-zone WAN {
+ interfaces {
+ fe-0/0/2.0;
+ }
+ }
[edit]
+ firewall {
+ policer policer-1m {
+ if-exceeding {
+ bandwidth-limit 1m;
+ burst-size-limit 187k;
+ }
+ then discard;
+ }
+ policer policer-1.5m {
+ if-exceeding {
+ bandwidth-limit 1500000;
+ burst-size-limit 280k;
+ }
+ then discard;
+ }
+ filter limit-in {
+ term 1 {
+ then {
+ policer policer-1.5m;
+ count limiter;
+ }
+ }
+ }
+ }
^^^^ END config_and_deploy ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^Paroļu slÄpÅ”ana ansible_vault
Raksta sÄkumÄ es nedaudz pÄrspÄ«lÄju ansible, bet tas nemaz nav tik slikti. Man tie ļoti patÄ«k velvi patÄ«k, kas ir paredzÄts, lai paslÄptu sensitÄ«vu informÄciju no redzesloka. Un droÅ”i vien daudzi ir pamanÄ«juÅ”i, ka mums visi pieteikÅ”anÄs logi/paroles visiem kaujas marÅ”rutÄtÄjiem dzirkstÄ« atvÄrtÄ formÄ failÄ gorups.yaml. Tas, protams, nav skaisti. AizsargÄsim Å”os datus ar velvi.
PÄrsÅ«tÄ«sim parametrus no groups.yaml uz creds.yaml un Å”ifrÄsim to ar AES256 ar 20 ciparu paroli:
$ cd inventory
$ cat creds.yaml
---
cisco:
username: admin1
password: cisco1
juniper:
username: admin2
password: juniper2
$ pwgen 20 -N 1 > vault.passwd
ansible-vault encrypt creds.yaml --vault-password-file vault.passwd
Encryption successful
$ cat creds.yaml
$ANSIBLE_VAULT;1.1;AES256
39656463353437333337356361633737383464383231366233386636333965306662323534626131
3964396534396333363939373539393662623164373539620a346565373439646436356438653965
39643266333639356564663961303535353364383163633232366138643132313530346661316533
6236306435613132610a656163653065633866626639613537326233653765353661613337393839
62376662303061353963383330323164633162386336643832376263343634356230613562643533
30363436343465306638653932366166306562393061323636636163373164613630643965636361
34343936323066393763323633336366366566393236613737326530346234393735306261363239
35663430623934323632616161636330353134393435396632663530373932383532316161353963
31393434653165613432326636616636383665316465623036376631313162646435Tas ir tik vienkÄrÅ”i. Atliek mÄcÄ«t mÅ«su Nornir-skripts, lai izgÅ«tu un lietotu Å”os datus.
Lai to izdarÄ«tu, mÅ«su skriptÄ pÄc inicializÄcijas rindas nr = InitNornir(config_file=ā¦ pievienojiet Å”Ädu kodu:
...
nr = InitNornir(config_file="config.yaml", dry_run=True) # set dry_run=False, cross your fingers and run again
# enrich Inventory with the encrypted vault data
from ansible_vault import Vault
vault_password_file="inventory/vault.passwd"
vault_file="inventory/creds.yaml"
with open(vault_password_file, "r") as fp:
password = fp.readline().strip()
vault = Vault(password)
vaultdata = vault.load(open(vault_file).read())
for a in nr.inventory.hosts.keys():
item = nr.inventory.hosts[a]
item.username = vaultdata[item.groups[0]]['username']
item.password = vaultdata[item.groups[0]]['password']
#print("hostname={}, username={}, password={}n".format(item.hostname, item.username, item.password))
# run tasks
...Protams, vault.passwd nedrÄ«kst atrasties blakus creds.yaml, kÄ manÄ piemÄrÄ. Bet spÄlÄÅ”anai der.
Tas pagaidÄm ir viss. Ir vÄl daži raksti par Cisco + Zabbix, taÄu Å”eit nav runa par automatizÄciju. Un tuvÄkajÄ laikÄ es plÄnoju rakstÄ«t par RESTCONF vietnÄ Cisco.
Avots: www.habr.com