Habari Habr!
Hivi majuzi makala iliibuka hapa ambapo tatizo kama hilo lilitatuliwa kwa kutumia njia za kisukuku. Na ingawa kazi ni ya kawaida kabisa, hakuna kitu kama hicho kwa Habre. Ninathubutu kutoa baiskeli yangu kwa jumuiya inayoheshimiwa ya IT.
Hii sio baiskeli ya kwanza kwa kazi kama hiyo. Chaguo la kwanza lilitekelezwa miaka kadhaa iliyopita nyuma inayohusika toleo la 1.x.x. Baiskeli haikutumiwa sana na kwa hivyo ilikuwa na kutu kila wakati. Kwa maana kwamba kazi yenyewe haitokei mara nyingi matoleo yanaposasishwa inayohusika. Na kila wakati unahitaji kuendesha gari, mnyororo huanguka au gurudumu huanguka. Hata hivyo, sehemu ya kwanza, kuzalisha configs, daima hufanya kazi kwa uwazi sana, kwa bahati nzuri jinja2 Injini imeanzishwa kwa muda mrefu. Lakini sehemu ya pili - kusambaza usanidi - kawaida huleta mshangao. Na kwa kuwa lazima nitoe usanidi kwa mbali kwa vifaa vya nusu mia, ambavyo vingine viko umbali wa maelfu ya kilomita, kutumia zana hii ilikuwa ya kuchosha kidogo.
Hapa lazima nikubali kwamba kutokuwa na hakika kwangu kunawezekana zaidi ni kutojua kwangu inayohusikakuliko katika mapungufu yake. Na hii, kwa njia, ni hatua muhimu. inayohusika ni tofauti kabisa, eneo lake la maarifa na DSL yake (Lugha Maalum ya Kikoa), ambayo lazima idumishwe kwa kiwango cha kujiamini. Naam, wakati huo inayohusika Inakua haraka sana, na bila kuzingatia maalum kwa utangamano wa nyuma, haiongezi imani.
Kwa hiyo, si muda mrefu uliopita toleo la pili la baiskeli lilitekelezwa. Wakati huu python, au tuseme kwenye mfumo ulioandikwa ndani python na kwa python kuitwa
Kwa hivyo - Nornir ni microframework iliyoandikwa ndani python na kwa python na iliyoundwa kwa ajili ya automatisering. Sawa na katika kesi na inayohusika, ili kutatua matatizo hapa, maandalizi ya data yenye uwezo yanahitajika, i.e. hesabu ya majeshi na vigezo vyao, lakini hati zimeandikwa si katika DSL tofauti, lakini katika hiyo si ya zamani sana, lakini nzuri sana p[i|i]tani.
Wacha tuangalie ni nini kwa kutumia mfano wa moja kwa moja ufuatao.
Nina mtandao wa tawi wenye ofisi kadhaa kote nchini. Kila ofisi ina kipanga njia cha WAN ambacho kinasimamisha njia kadhaa za mawasiliano kutoka kwa waendeshaji tofauti. Itifaki ya uelekezaji ni BGP. Vipanga njia vya WAN vinakuja katika aina mbili: Cisco ISG au Juniper SRX.
Sasa kazi: unahitaji kusanidi subnet iliyojitolea kwa Ufuatiliaji wa Video kwenye bandari tofauti kwenye ruta zote za WAN za mtandao wa tawi - tangaza subnet hii katika BGP - usanidi kikomo cha kasi cha bandari iliyojitolea.
Kwanza, tunahitaji kuandaa templeti kadhaa, kwa msingi ambao usanidi utatolewa kando kwa Cisco na Juniper. Pia ni muhimu kuandaa data kwa kila hatua na vigezo vya uunganisho, i.e. kukusanya hesabu sawa
Kiolezo kilicho tayari kwa Cisco:
$ cat templates/ios/base.j2
class-map match-all VIDEO_SURV
match access-group 111
policy-map VIDEO_SURV
class VIDEO_SURV
police 1500000 conform-action transmit exceed-action drop
interface {{ host.task_data.ifname }}
description VIDEOSURV
ip address 10.10.{{ host.task_data.ipsuffix }}.254 255.255.255.0
service-policy input VIDEO_SURV
router bgp {{ host.task_data.asn }}
network 10.40.{{ host.task_data.ipsuffix }}.0 mask 255.255.255.0
access-list 11 permit 10.10.{{ host.task_data.ipsuffix }}.0 0.0.0.255
access-list 111 permit ip 10.10.{{ host.task_data.ipsuffix }}.0 0.0.0.255 anyKiolezo cha Juniper:
$ cat templates/junos/base.j2
set interfaces {{ host.task_data.ifname }} unit 0 description "Video surveillance"
set interfaces {{ host.task_data.ifname }} unit 0 family inet filter input limit-in
set interfaces {{ host.task_data.ifname }} unit 0 family inet address 10.10.{{ host.task_data.ipsuffix }}.254/24
set policy-options policy-statement export2bgp term 1 from route-filter 10.10.{{ host.task_data.ipsuffix }}.0/24 exact
set security zones security-zone WAN interfaces {{ host.task_data.ifname }}
set firewall policer policer-1m if-exceeding bandwidth-limit 1m
set firewall policer policer-1m if-exceeding burst-size-limit 187k
set firewall policer policer-1m then discard
set firewall policer policer-1.5m if-exceeding bandwidth-limit 1500000
set firewall policer policer-1.5m if-exceeding burst-size-limit 280k
set firewall policer policer-1.5m then discard
set firewall filter limit-in term 1 then policer policer-1.5m
set firewall filter limit-in term 1 then count limiterTemplate, bila shaka, haitoke nje ya hewa nyembamba. Hizi kimsingi ni tofauti kati ya usanidi wa kufanya kazi ambao ulikuwa na ulikuwa baada ya kutatua kazi kwenye ruta mbili maalum za mifano tofauti.
Kutoka kwa templates zetu tunaona kwamba ili kutatua tatizo, tunahitaji tu vigezo viwili vya Juniper na vigezo 3 vya Cisco. hizi hapa:
- jina la jina
- kiambishi kiambishi
- asn
Sasa tunahitaji kuweka vigezo hivi kwa kila kifaa, i.e. fanya jambo lile lile hesabu.
Kwa hesabu Tutafuata hati madhubuti
yaani, wacha tuunde mifupa ya faili sawa:
.
βββ config.yaml
βββ inventory
β βββ defaults.yaml
β βββ groups.yaml
β βββ hosts.yamlFaili ya config.yaml ni faili ya kawaida ya usanidi ya nornir
$ cat config.yaml
---
core:
num_workers: 10
inventory:
plugin: nornir.plugins.inventory.simple.SimpleInventory
options:
host_file: "inventory/hosts.yaml"
group_file: "inventory/groups.yaml"
defaults_file: "inventory/defaults.yaml"Tutaonyesha vigezo kuu katika faili mwenyeji.yaml, kikundi (kwa upande wangu hizi ni logi/nenosiri) ndani vikundi.yaml, na ndani defaults.yaml Hatutaonyesha chochote, lakini unahitaji kuingiza minuses tatu hapo - ikionyesha kuwa ni yaml faili ni tupu ingawa.
Hivi ndivyo hosts.yaml inavyoonekana:
---
srx-test:
hostname: srx-test
groups:
- juniper
data:
task_data:
ifname: fe-0/0/2
ipsuffix: 111
cisco-test:
hostname: cisco-test
groups:
- cisco
data:
task_data:
ifname: GigabitEthernet0/1/1
ipsuffix: 222
asn: 65111Na hapa kuna vikundi.yaml:
---
cisco:
platform: ios
username: admin1
password: cisco1
juniper:
platform: junos
username: admin2
password: juniper2Hiki ndicho kilichotokea hesabu kwa kazi yetu. Wakati wa uanzishaji, vigezo kutoka kwa faili za hesabu hupangwa kwa mfano wa kitu Kipengele cha Mali.
Chini ya spoiler ni mchoro wa mfano wa InventoryElement
print(json.dumps(InventoryElement.schema(), indent=4))
{
"title": "InventoryElement",
"type": "object",
"properties": {
"hostname": {
"title": "Hostname",
"type": "string"
},
"port": {
"title": "Port",
"type": "integer"
},
"username": {
"title": "Username",
"type": "string"
},
"password": {
"title": "Password",
"type": "string"
},
"platform": {
"title": "Platform",
"type": "string"
},
"groups": {
"title": "Groups",
"default": [],
"type": "array",
"items": {
"type": "string"
}
},
"data": {
"title": "Data",
"default": {},
"type": "object"
},
"connection_options": {
"title": "Connection_Options",
"default": {},
"type": "object",
"additionalProperties": {
"$ref": "#/definitions/ConnectionOptions"
}
}
},
"definitions": {
"ConnectionOptions": {
"title": "ConnectionOptions",
"type": "object",
"properties": {
"hostname": {
"title": "Hostname",
"type": "string"
},
"port": {
"title": "Port",
"type": "integer"
},
"username": {
"title": "Username",
"type": "string"
},
"password": {
"title": "Password",
"type": "string"
},
"platform": {
"title": "Platform",
"type": "string"
},
"extras": {
"title": "Extras",
"type": "object"
}
}
}
}
}Mfano huu unaweza kuangalia kuchanganyikiwa kidogo, hasa kwa mara ya kwanza. Ili kuibaini, hali ya maingiliano ndani chatu.
$ ipython3
Python 3.6.9 (default, Nov 7 2019, 10:44:02)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.1.1 -- An enhanced Interactive Python. Type '?' for help.
In [1]: from nornir import InitNornir
In [2]: nr = InitNornir(config_file="config.yaml", dry_run=True)
In [3]: nr.inventory.hosts
Out[3]:
{'srx-test': Host: srx-test, 'cisco-test': Host: cisco-test}
In [4]: nr.inventory.hosts['srx-test'].data
Out[4]: {'task_data': {'ifname': 'fe-0/0/2', 'ipsuffix': 111}}
In [5]: nr.inventory.hosts['srx-test']['task_data']
Out[5]: {'ifname': 'fe-0/0/2', 'ipsuffix': 111}
In [6]: nr.inventory.hosts['srx-test'].platform
Out[6]: 'junos'
Na hatimaye, hebu tuendelee kwenye script yenyewe. Sina cha kujivunia hasa hapa. Nilichukua tu mfano uliotengenezwa tayari kutoka na kuitumia karibu bila kubadilika. Hivi ndivyo hati iliyokamilishwa ya kufanya kazi inaonekana kama:
from nornir import InitNornir
from nornir.plugins.tasks import networking, text
from nornir.plugins.functions.text import print_title, print_result
def config_and_deploy(task):
# Transform inventory data to configuration via a template file
r = task.run(task=text.template_file,
name="Base Configuration",
template="base.j2",
path=f"templates/{task.host.platform}")
# Save the compiled configuration into a host variable
task.host["config"] = r.result
# Save the compiled configuration into a file
with open(f"configs/{task.host.hostname}", "w") as f:
f.write(r.result)
# Deploy that configuration to the device using NAPALM
task.run(task=networking.napalm_configure,
name="Loading Configuration on the device",
replace=False,
configuration=task.host["config"])
nr = InitNornir(config_file="config.yaml", dry_run=True) # set dry_run=False, cross your fingers and run again
# run tasks
result = nr.run(task=config_and_deploy)
print_result(result)Makini na parameter dry_run=Kweli katika uanzishaji wa kitu cha mstari nr.
Hapa ni sawa na katika inayohusika jaribio la majaribio limetekelezwa ambalo uunganisho kwenye router hufanywa, usanidi mpya uliobadilishwa umeandaliwa, ambao unathibitishwa na kifaa (lakini hii sio hakika, inategemea usaidizi wa kifaa na utekelezaji wa dereva katika NAPALM) , lakini usanidi mpya hautumiki moja kwa moja. Kwa matumizi ya vita, lazima uondoe parameter kavu_kimbia au kubadilisha thamani yake Uongo.
Hati inapotekelezwa, Nornir hutoa kumbukumbu za kina kwenye kiweko.
Chini ya kiharibu ni matokeo ya pigano kwenye ruta mbili za majaribio:
config_and_deploy***************************************************************
* cisco-test ** changed : True *******************************************
vvvv config_and_deploy ** changed : True vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv INFO
---- Base Configuration ** changed : True ------------------------------------- INFO
class-map match-all VIDEO_SURV
match access-group 111
policy-map VIDEO_SURV
class VIDEO_SURV
police 1500000 conform-action transmit exceed-action drop
interface GigabitEthernet0/1/1
description VIDEOSURV
ip address 10.10.222.254 255.255.255.0
service-policy input VIDEO_SURV
router bgp 65001
network 10.10.222.0 mask 255.255.255.0
access-list 11 permit 10.10.222.0 0.0.0.255
access-list 111 permit ip 10.10.222.0 0.0.0.255 any
---- Loading Configuration on the device ** changed : True --------------------- INFO
+class-map match-all VIDEO_SURV
+ match access-group 111
+policy-map VIDEO_SURV
+ class VIDEO_SURV
+interface GigabitEthernet0/1/1
+ description VIDEOSURV
+ ip address 10.10.222.254 255.255.255.0
+ service-policy input VIDEO_SURV
+router bgp 65001
+ network 10.10.222.0 mask 255.255.255.0
+access-list 11 permit 10.10.222.0 0.0.0.255
+access-list 111 permit ip 10.10.222.0 0.0.0.255 any
^^^^ END config_and_deploy ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* srx-test ** changed : True *******************************************
vvvv config_and_deploy ** changed : True vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv INFO
---- Base Configuration ** changed : True ------------------------------------- INFO
set interfaces fe-0/0/2 unit 0 description "Video surveillance"
set interfaces fe-0/0/2 unit 0 family inet filter input limit-in
set interfaces fe-0/0/2 unit 0 family inet address 10.10.111.254/24
set policy-options policy-statement export2bgp term 1 from route-filter 10.10.111.0/24 exact
set security zones security-zone WAN interfaces fe-0/0/2
set firewall policer policer-1m if-exceeding bandwidth-limit 1m
set firewall policer policer-1m if-exceeding burst-size-limit 187k
set firewall policer policer-1m then discard
set firewall policer policer-1.5m if-exceeding bandwidth-limit 1500000
set firewall policer policer-1.5m if-exceeding burst-size-limit 280k
set firewall policer policer-1.5m then discard
set firewall filter limit-in term 1 then policer policer-1.5m
set firewall filter limit-in term 1 then count limiter
---- Loading Configuration on the device ** changed : True --------------------- INFO
[edit interfaces]
+ fe-0/0/2 {
+ unit 0 {
+ description "Video surveillance";
+ family inet {
+ filter {
+ input limit-in;
+ }
+ address 10.10.111.254/24;
+ }
+ }
+ }
[edit]
+ policy-options {
+ policy-statement export2bgp {
+ term 1 {
+ from {
+ route-filter 10.10.111.0/24 exact;
+ }
+ }
+ }
+ }
[edit security zones]
security-zone test-vpn { ... }
+ security-zone WAN {
+ interfaces {
+ fe-0/0/2.0;
+ }
+ }
[edit]
+ firewall {
+ policer policer-1m {
+ if-exceeding {
+ bandwidth-limit 1m;
+ burst-size-limit 187k;
+ }
+ then discard;
+ }
+ policer policer-1.5m {
+ if-exceeding {
+ bandwidth-limit 1500000;
+ burst-size-limit 280k;
+ }
+ then discard;
+ }
+ filter limit-in {
+ term 1 {
+ then {
+ policer policer-1.5m;
+ count limiter;
+ }
+ }
+ }
+ }
^^^^ END config_and_deploy ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^Kuficha manenosiri kwenye ansible_vault
Mwanzoni mwa makala nilienda juu kidogo inayohusika, lakini sio mbaya sana. Nawapenda sana vault kama, ambayo imeundwa kuficha habari nyeti ili isionekane. Na labda wengi wamegundua kuwa tunayo logi/nenosiri zote za vipanga njia vyote vinavyong'aa kwa fomu wazi kwenye faili. gorups.yaml. Sio nzuri, bila shaka. Hebu tulinde data hii kwa vault.
Hebu tuhamishe vigezo kutoka kwa groups.yaml hadi creds.yaml, na tusimbe kwa njia fiche kwa kutumia AES256 kwa nenosiri lenye tarakimu 20:
$ cd inventory
$ cat creds.yaml
---
cisco:
username: admin1
password: cisco1
juniper:
username: admin2
password: juniper2
$ pwgen 20 -N 1 > vault.passwd
ansible-vault encrypt creds.yaml --vault-password-file vault.passwd
Encryption successful
$ cat creds.yaml
$ANSIBLE_VAULT;1.1;AES256
39656463353437333337356361633737383464383231366233386636333965306662323534626131
3964396534396333363939373539393662623164373539620a346565373439646436356438653965
39643266333639356564663961303535353364383163633232366138643132313530346661316533
6236306435613132610a656163653065633866626639613537326233653765353661613337393839
62376662303061353963383330323164633162386336643832376263343634356230613562643533
30363436343465306638653932366166306562393061323636636163373164613630643965636361
34343936323066393763323633336366366566393236613737326530346234393735306261363239
35663430623934323632616161636330353134393435396632663530373932383532316161353963
31393434653165613432326636616636383665316465623036376631313162646435Ni rahisi hivyo. Inabaki kufundisha yetu Nornir-script kupata na kutumia data hii.
Ili kufanya hivyo, katika hati yetu baada ya mstari wa uanzishaji nr = InitNornir(config_file=... ongeza nambari ifuatayo:
...
nr = InitNornir(config_file="config.yaml", dry_run=True) # set dry_run=False, cross your fingers and run again
# enrich Inventory with the encrypted vault data
from ansible_vault import Vault
vault_password_file="inventory/vault.passwd"
vault_file="inventory/creds.yaml"
with open(vault_password_file, "r") as fp:
password = fp.readline().strip()
vault = Vault(password)
vaultdata = vault.load(open(vault_file).read())
for a in nr.inventory.hosts.keys():
item = nr.inventory.hosts[a]
item.username = vaultdata[item.groups[0]]['username']
item.password = vaultdata[item.groups[0]]['password']
#print("hostname={}, username={}, password={}n".format(item.hostname, item.username, item.password))
# run tasks
...Bila shaka, vault.passwd haipaswi kuwa karibu na creds.yaml kama katika mfano wangu. Lakini ni sawa kwa kucheza.
Ni hayo tu kwa sasa. Kuna nakala kadhaa zaidi kuhusu Cisco + Zabbix zinazokuja, lakini hii sio kidogo juu ya otomatiki. Na katika siku za usoni ninapanga kuandika kuhusu RESTCONF huko Cisco.
Chanzo: mapenzi.com