Hey Xabr!
Yaqinda bu erda bir maqola paydo bo'ldi bu erda shunga o'xshash muammo fotoalbom vositalar yordamida hal qilindi. Va bu vazifa mutlaqo odatiy bo'lsa-da, Habré-da bunga o'xshash narsa yo'q. Men o'z velosipedimni hurmatli IT hamjamiyatiga taklif qilishga jur'at etaman.
Bu bunday vazifa uchun birinchi velosiped emas. Birinchi variant bir necha yil oldin amalga oshirilgan sezilmaydigan 1.x.x versiyasi Velosiped kamdan-kam ishlatilgan va shuning uchun doimo zanglagan. Vazifaning o'zi versiyalar yangilanganidek tez-tez paydo bo'lmaydi degan ma'noda sezilmaydigan. Va har safar haydash kerak bo'lganda, zanjir tushadi yoki g'ildirak tushadi. Biroq, konfiguratsiyalarni yaratadigan birinchi qism, xayriyatki, har doim juda aniq ishlaydi jinja2 Dvigatel uzoq vaqtdan beri ishlab chiqilgan. Ammo ikkinchi qism - konfiguratsiyalarni chiqarish - odatda kutilmagan hodisalar keltirdi. Va men konfiguratsiyani masofadan turib, ba'zilari minglab kilometr uzoqlikda joylashgan yarim yuzta qurilmaga o'tkazishim kerak bo'lganligi sababli, ushbu vositadan foydalanish biroz zerikarli edi.
Bu erda tan olishim kerakki, mening noaniqligim, ehtimol, tanish emasligimdir sezilmaydigankamchiliklariga qaraganda. Va bu, aytmoqchi, muhim nuqta. sezilmaydigan Bu mutlaqo alohida, o'zining DSL (domenga xos til) bilan o'ziga xos bilim sohasi bo'lib, ishonchli darajada saqlanishi kerak. Xo'sh, o'sha daqiqada sezilmaydigan U juda tez rivojlanmoqda va orqaga qarab muvofiqlikka alohida e'tibor bermasdan, ishonchni qo'shmaydi.
Shuning uchun, yaqinda velosipedning ikkinchi versiyasi amalga oshirildi. Bu safar python, yoki to'g'rirog'i yozilgan ramkada python va uchun python nom ostida
Shunday qilib - Nornir da yozilgan mikrofreyvorkdir python va uchun python va avtomatlashtirish uchun mo'ljallangan. Xuddi shu holatda bo'lgani kabi sezilmaydigan, bu erda muammolarni hal qilish uchun vakolatli ma'lumotlarni tayyorlash kerak, ya'ni. xostlar va ularning parametrlarini inventarizatsiya qilish, lekin skriptlar alohida DSLda emas, balki juda eski emas, lekin juda yaxshi p[i|i]tonda yozilgan.
Keling, quyidagi jonli misoldan nima foydalanayotganini ko'rib chiqaylik.
Mening butun mamlakat bo'ylab bir necha o'nlab ofislari bo'lgan filial tarmog'im bor. Har bir ofisda turli operatorlarning bir nechta aloqa kanallarini to'xtatuvchi WAN router mavjud. Marshrutlash protokoli - BGP. WAN routerlari ikki xil bo'ladi: Cisco ISG yoki Juniper SRX.
Endi vazifa: siz filial tarmog'ining barcha WAN routerlarida alohida portda Video kuzatuv uchun ajratilgan pastki tarmoqni sozlashingiz kerak - bu quyi tarmoqni BGPda reklama qiling - ajratilgan portning tezlik chegarasini sozlang.
Birinchidan, biz bir nechta shablonlarni tayyorlashimiz kerak, ular asosida Cisco va Juniper uchun alohida konfiguratsiyalar yaratiladi. Bundan tashqari, har bir nuqta va ulanish parametrlari uchun ma'lumotlarni tayyorlash kerak, ya'ni. bir xil inventarni yig'ing
Cisco uchun tayyor shablon:
$ cat templates/ios/base.j2
class-map match-all VIDEO_SURV
match access-group 111
policy-map VIDEO_SURV
class VIDEO_SURV
police 1500000 conform-action transmit exceed-action drop
interface {{ host.task_data.ifname }}
description VIDEOSURV
ip address 10.10.{{ host.task_data.ipsuffix }}.254 255.255.255.0
service-policy input VIDEO_SURV
router bgp {{ host.task_data.asn }}
network 10.40.{{ host.task_data.ipsuffix }}.0 mask 255.255.255.0
access-list 11 permit 10.10.{{ host.task_data.ipsuffix }}.0 0.0.0.255
access-list 111 permit ip 10.10.{{ host.task_data.ipsuffix }}.0 0.0.0.255 anyJuniper uchun shablon:
$ cat templates/junos/base.j2
set interfaces {{ host.task_data.ifname }} unit 0 description "Video surveillance"
set interfaces {{ host.task_data.ifname }} unit 0 family inet filter input limit-in
set interfaces {{ host.task_data.ifname }} unit 0 family inet address 10.10.{{ host.task_data.ipsuffix }}.254/24
set policy-options policy-statement export2bgp term 1 from route-filter 10.10.{{ host.task_data.ipsuffix }}.0/24 exact
set security zones security-zone WAN interfaces {{ host.task_data.ifname }}
set firewall policer policer-1m if-exceeding bandwidth-limit 1m
set firewall policer policer-1m if-exceeding burst-size-limit 187k
set firewall policer policer-1m then discard
set firewall policer policer-1.5m if-exceeding bandwidth-limit 1500000
set firewall policer policer-1.5m if-exceeding burst-size-limit 280k
set firewall policer policer-1.5m then discard
set firewall filter limit-in term 1 then policer policer-1.5m
set firewall filter limit-in term 1 then count limiterShablonlar, albatta, havodan chiqmaydi. Bular, asosan, turli modellarning ikkita maxsus marshrutizatorida vazifani hal qilgan va keyin bo'lgan ishchi konfiguratsiyalar o'rtasidagi farqdir.
Bizning shablonlarimizdan biz muammoni hal qilish uchun Juniper uchun ikkita parametr va Cisco uchun 3 parametr kerakligini ko'ramiz. mana ular:
- ifname
- ipsuffix
- asn
Endi biz har bir qurilma uchun ushbu parametrlarni o'rnatishimiz kerak, ya'ni. xuddi shunday qiling inventarizatsiya.
uchun inventarizatsiya Biz hujjatlarga qat'iy rioya qilamiz
ya'ni bir xil fayl skeletini yaratamiz:
.
├── config.yaml
├── inventory
│ ├── defaults.yaml
│ ├── groups.yaml
│ └── hosts.yamlconfig.yaml fayli standart nornir konfiguratsiya faylidir
$ cat config.yaml
---
core:
num_workers: 10
inventory:
plugin: nornir.plugins.inventory.simple.SimpleInventory
options:
host_file: "inventory/hosts.yaml"
group_file: "inventory/groups.yaml"
defaults_file: "inventory/defaults.yaml"Biz faylda asosiy parametrlarni ko'rsatamiz hosts.yaml, guruh (mening holimda bu login/parollar) ichida guruhlar.yamlvaqt ichida defaults.yaml Biz hech narsani ko'rsatmaymiz, lekin u erda uchta minusni kiritishingiz kerak - bu borligini ko'rsatadi yaml fayl bo'sh bo'lsa ham.
hosts.yaml shunday ko'rinadi:
---
srx-test:
hostname: srx-test
groups:
- juniper
data:
task_data:
ifname: fe-0/0/2
ipsuffix: 111
cisco-test:
hostname: cisco-test
groups:
- cisco
data:
task_data:
ifname: GigabitEthernet0/1/1
ipsuffix: 222
asn: 65111Mana group.yaml:
---
cisco:
platform: ios
username: admin1
password: cisco1
juniper:
platform: junos
username: admin2
password: juniper2Bu shunday bo'ldi inventarizatsiya bizning vazifamiz uchun. Initsializatsiya paytida inventar fayllaridagi parametrlar ob'ekt modeliga moslashtiriladi InventoryElement.
Spoyler ostida InventoryElement modelining diagrammasi keltirilgan
print(json.dumps(InventoryElement.schema(), indent=4))
{
"title": "InventoryElement",
"type": "object",
"properties": {
"hostname": {
"title": "Hostname",
"type": "string"
},
"port": {
"title": "Port",
"type": "integer"
},
"username": {
"title": "Username",
"type": "string"
},
"password": {
"title": "Password",
"type": "string"
},
"platform": {
"title": "Platform",
"type": "string"
},
"groups": {
"title": "Groups",
"default": [],
"type": "array",
"items": {
"type": "string"
}
},
"data": {
"title": "Data",
"default": {},
"type": "object"
},
"connection_options": {
"title": "Connection_Options",
"default": {},
"type": "object",
"additionalProperties": {
"$ref": "#/definitions/ConnectionOptions"
}
}
},
"definitions": {
"ConnectionOptions": {
"title": "ConnectionOptions",
"type": "object",
"properties": {
"hostname": {
"title": "Hostname",
"type": "string"
},
"port": {
"title": "Port",
"type": "integer"
},
"username": {
"title": "Username",
"type": "string"
},
"password": {
"title": "Password",
"type": "string"
},
"platform": {
"title": "Platform",
"type": "string"
},
"extras": {
"title": "Extras",
"type": "object"
}
}
}
}
}Ushbu model, ayniqsa, birinchi navbatda, biroz chalkash ko'rinishi mumkin. Buni tushunish uchun interaktiv rejim ipython.
$ ipython3
Python 3.6.9 (default, Nov 7 2019, 10:44:02)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.1.1 -- An enhanced Interactive Python. Type '?' for help.
In [1]: from nornir import InitNornir
In [2]: nr = InitNornir(config_file="config.yaml", dry_run=True)
In [3]: nr.inventory.hosts
Out[3]:
{'srx-test': Host: srx-test, 'cisco-test': Host: cisco-test}
In [4]: nr.inventory.hosts['srx-test'].data
Out[4]: {'task_data': {'ifname': 'fe-0/0/2', 'ipsuffix': 111}}
In [5]: nr.inventory.hosts['srx-test']['task_data']
Out[5]: {'ifname': 'fe-0/0/2', 'ipsuffix': 111}
In [6]: nr.inventory.hosts['srx-test'].platform
Out[6]: 'junos'
Va nihoyat, keling, skriptning o'ziga o'taylik. Bu erda menda alohida faxrlanadigan hech narsa yo'q. Men shunchaki tayyor misolni oldim va uni deyarli o'zgarmagan holda ishlatgan. Tayyor ish skripti shunday ko'rinadi:
from nornir import InitNornir
from nornir.plugins.tasks import networking, text
from nornir.plugins.functions.text import print_title, print_result
def config_and_deploy(task):
# Transform inventory data to configuration via a template file
r = task.run(task=text.template_file,
name="Base Configuration",
template="base.j2",
path=f"templates/{task.host.platform}")
# Save the compiled configuration into a host variable
task.host["config"] = r.result
# Save the compiled configuration into a file
with open(f"configs/{task.host.hostname}", "w") as f:
f.write(r.result)
# Deploy that configuration to the device using NAPALM
task.run(task=networking.napalm_configure,
name="Loading Configuration on the device",
replace=False,
configuration=task.host["config"])
nr = InitNornir(config_file="config.yaml", dry_run=True) # set dry_run=False, cross your fingers and run again
# run tasks
result = nr.run(task=config_and_deploy)
print_result(result)Parametrga e'tibor bering dry_run=To‘g‘ri qatordagi obyektni ishga tushirish nr.
Bu erda ham xuddi shunday sezilmaydigan test sinovi amalga oshirildi, unda marshrutizatorga ulanish amalga oshirildi, yangi o'zgartirilgan konfiguratsiya tayyorlanadi, so'ngra qurilma tomonidan tasdiqlanadi (lekin bu aniq emas, bu qurilmani qo'llab-quvvatlashga va NAPALM da drayverni amalga oshirishga bog'liq) , lekin yangi konfiguratsiya to'g'ridan-to'g'ri qo'llanilmaydi. Jangovar foydalanish uchun siz parametrni olib tashlashingiz kerak quruq_run yoki uning qiymatini o'zgartiring yolg'on.
Skript bajarilganda, Nornir batafsil jurnallarni konsolga chiqaradi.
Spoyler ostida ikkita sinov marshrutizatoridagi jangovar chiqish ko'rsatilgan:
config_and_deploy***************************************************************
* cisco-test ** changed : True *******************************************
vvvv config_and_deploy ** changed : True vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv INFO
---- Base Configuration ** changed : True ------------------------------------- INFO
class-map match-all VIDEO_SURV
match access-group 111
policy-map VIDEO_SURV
class VIDEO_SURV
police 1500000 conform-action transmit exceed-action drop
interface GigabitEthernet0/1/1
description VIDEOSURV
ip address 10.10.222.254 255.255.255.0
service-policy input VIDEO_SURV
router bgp 65001
network 10.10.222.0 mask 255.255.255.0
access-list 11 permit 10.10.222.0 0.0.0.255
access-list 111 permit ip 10.10.222.0 0.0.0.255 any
---- Loading Configuration on the device ** changed : True --------------------- INFO
+class-map match-all VIDEO_SURV
+ match access-group 111
+policy-map VIDEO_SURV
+ class VIDEO_SURV
+interface GigabitEthernet0/1/1
+ description VIDEOSURV
+ ip address 10.10.222.254 255.255.255.0
+ service-policy input VIDEO_SURV
+router bgp 65001
+ network 10.10.222.0 mask 255.255.255.0
+access-list 11 permit 10.10.222.0 0.0.0.255
+access-list 111 permit ip 10.10.222.0 0.0.0.255 any
^^^^ END config_and_deploy ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* srx-test ** changed : True *******************************************
vvvv config_and_deploy ** changed : True vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv INFO
---- Base Configuration ** changed : True ------------------------------------- INFO
set interfaces fe-0/0/2 unit 0 description "Video surveillance"
set interfaces fe-0/0/2 unit 0 family inet filter input limit-in
set interfaces fe-0/0/2 unit 0 family inet address 10.10.111.254/24
set policy-options policy-statement export2bgp term 1 from route-filter 10.10.111.0/24 exact
set security zones security-zone WAN interfaces fe-0/0/2
set firewall policer policer-1m if-exceeding bandwidth-limit 1m
set firewall policer policer-1m if-exceeding burst-size-limit 187k
set firewall policer policer-1m then discard
set firewall policer policer-1.5m if-exceeding bandwidth-limit 1500000
set firewall policer policer-1.5m if-exceeding burst-size-limit 280k
set firewall policer policer-1.5m then discard
set firewall filter limit-in term 1 then policer policer-1.5m
set firewall filter limit-in term 1 then count limiter
---- Loading Configuration on the device ** changed : True --------------------- INFO
[edit interfaces]
+ fe-0/0/2 {
+ unit 0 {
+ description "Video surveillance";
+ family inet {
+ filter {
+ input limit-in;
+ }
+ address 10.10.111.254/24;
+ }
+ }
+ }
[edit]
+ policy-options {
+ policy-statement export2bgp {
+ term 1 {
+ from {
+ route-filter 10.10.111.0/24 exact;
+ }
+ }
+ }
+ }
[edit security zones]
security-zone test-vpn { ... }
+ security-zone WAN {
+ interfaces {
+ fe-0/0/2.0;
+ }
+ }
[edit]
+ firewall {
+ policer policer-1m {
+ if-exceeding {
+ bandwidth-limit 1m;
+ burst-size-limit 187k;
+ }
+ then discard;
+ }
+ policer policer-1.5m {
+ if-exceeding {
+ bandwidth-limit 1500000;
+ burst-size-limit 280k;
+ }
+ then discard;
+ }
+ filter limit-in {
+ term 1 {
+ then {
+ policer policer-1.5m;
+ count limiter;
+ }
+ }
+ }
+ }
^^^^ END config_and_deploy ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ansible_vault-da parollarni yashirish
Maqolaning boshida men biroz haddan oshib ketdim sezilmaydigan, lekin hammasi yomon emas. Ular menga juda yoqadi Tovush kabi, bu nozik ma'lumotlarni ko'zdan yashirish uchun mo'ljallangan. Va, ehtimol, ko'pchilik bizda faylda ochiq shaklda porlayotgan barcha jangovar marshrutizatorlar uchun barcha loginlar/parollar mavjudligini payqashdi. gorups.yaml. Bu chiroyli emas, albatta. Keling, ushbu ma'lumotlarni himoya qilaylik Tovush.
Parametrlarni group.yaml dan creds.yaml ga o'tkazamiz va uni AES256 bilan 20 xonali parol bilan shifrlaymiz:
$ cd inventory
$ cat creds.yaml
---
cisco:
username: admin1
password: cisco1
juniper:
username: admin2
password: juniper2
$ pwgen 20 -N 1 > vault.passwd
ansible-vault encrypt creds.yaml --vault-password-file vault.passwd
Encryption successful
$ cat creds.yaml
$ANSIBLE_VAULT;1.1;AES256
39656463353437333337356361633737383464383231366233386636333965306662323534626131
3964396534396333363939373539393662623164373539620a346565373439646436356438653965
39643266333639356564663961303535353364383163633232366138643132313530346661316533
6236306435613132610a656163653065633866626639613537326233653765353661613337393839
62376662303061353963383330323164633162386336643832376263343634356230613562643533
30363436343465306638653932366166306562393061323636636163373164613630643965636361
34343936323066393763323633336366366566393236613737326530346234393735306261363239
35663430623934323632616161636330353134393435396632663530373932383532316161353963
31393434653165613432326636616636383665316465623036376631313162646435Bu juda oddiy. Bizni o'rgatish qoladi Nornir-bu ma'lumotlarni olish va qo'llash uchun skript.
Buning uchun skriptimizda ishga tushirish chizig'idan keyin nr = InitNornir (config_file=… quyidagi kodni qo'shing:
...
nr = InitNornir(config_file="config.yaml", dry_run=True) # set dry_run=False, cross your fingers and run again
# enrich Inventory with the encrypted vault data
from ansible_vault import Vault
vault_password_file="inventory/vault.passwd"
vault_file="inventory/creds.yaml"
with open(vault_password_file, "r") as fp:
password = fp.readline().strip()
vault = Vault(password)
vaultdata = vault.load(open(vault_file).read())
for a in nr.inventory.hosts.keys():
item = nr.inventory.hosts[a]
item.username = vaultdata[item.groups[0]]['username']
item.password = vaultdata[item.groups[0]]['password']
#print("hostname={}, username={}, password={}n".format(item.hostname, item.username, item.password))
# run tasks
...Albatta, vault.passwd mening misolimdagi kabi creds.yaml yonida joylashmasligi kerak. Lekin o'ynash yaxshi.
Hozircha hammasi shu. Cisco + Zabbix kelishi haqida yana bir nechta maqola bor, ammo bu avtomatlashtirish haqida emas. Va yaqin kelajakda men Cisco'da RESTCONF haqida yozishni rejalashtirmoqdaman.
Manba: www.habr.com