Two incredible engineers: Shane Corban from Cisco and Carl Caum from Puppet Labs came together to be our guest experts for this workshop. See the demos in the replay at bit.ly/1lJQm3A
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TechWiseTV Workshop: Open NX-OS and Devops with Puppet Labs
1. TECHNOLOGY YOU CAN USE, FROM GEEKS YOU CAN TRUST!
Robb Boyd @robbboyd techwisetv.com
2. TechWiseTV Workshop -Accelerate
Your IT Tasks with Open NX-OS
Shane Corban Product Manager Cisco
Carl Caum Technical Marketing Puppet
December 10th 2015
3. • Open NX-OS Introduction & Level Set
• Open NX-OS Linux Architecture & Capabilities
• Open NX-OS Devops Tool Integration
• Open NX-OS Programmability Options
Agenda
4. What problem are we trying to solve?
“I can spin up servers in minutes with my Configuration Management
Tool workflows, why does it take orders of magnitude more to spin
up and affect change on my Network Elements?”
IT Organizations adopting DevOps processes and tools deploy 30x
more frequently with 200x shorter lead times; they have 60x fewer
failures and recover 168x faster.
7. • Open NX-OS Introduction & Level Set
• Open NX-OS Linux Architecture & Capabilities
• Open NX-OS Devops Tool Integration
• Open NX-OS Programmability Options
Agenda
8. Off the shelf Applications without modifications
Leverage ability to install third party packages
in Secure Guestshell or natively in NX-OS kernel
• Install all third party applications
(Puppet/Chef, Splunk/Nagios/Ganglia) as RPMs
Daemon managed via standard
Linux interfaces
Built-in support for YUM package
manager
Patching and upgrade using standard
rpm/yum workflows
• NX-OS processes(BGP) can be
upgraded/patched via “yum update”
Open NX-OS Linux Based Architecture
C app with
standard Linux
constructs
Open Embedded
64 bit Build
Environment
RPM
Upload
Linux Daemon
Linux Kernel
Raw Socket
Netdevs
Libpcap
init.d
Monitoring
server
ASIC
Target Switch
Package as RPM
Build Server
Cisco/Local
Repository
RPM Local
Repository
9. Kernel (cgroup, LSM)
NX-OS root file system
Native
Linux
Processes
Native
Linux
Processes
Bash Bash
Native
Linux
Processes
Native
Linux
Processes
Native
Linux
Processes
Guest root file system
Pkg-1.rpm Pkg-2.rpm
Pkg-2.rpm Pkg-3.rpm
Ns=globalNs=global Ns=guestshell Ns=guestshell Ns=guestshellNs=global Ns=guestshell
Native Shell, RPM +
Containers
• Secure common distribution CentOS7 environment in which customer may install their own custom
applications
• Use “guestshell resize” command to restrict CPU/memory/rootfs resources available to Guest
Shell
Open NX-OS: Third Party Application Integration
Secure Guest Shell
Pkg-4.rpm
10. • Open NX-OS Introduction & Level Set
• Open NX-OS Linux Architecture & Capabilities
• Open NX-OS Devops Tool Integration
• Open NX-OS Programmability Options
Agenda
11. https://opennxos.cisco.com
Built on Flexible and Modular Linux
Shipped
Q3CY15
Reduce OPEX and Enable Rapid Application Deployment using DevOps Model
OPEN
NXOS
KEY BENEFITS
Reduced maintenance windows, higher availability
enabled by non-disruptive RPM-based live patching and
process restart
Choice of DevOps automation and monitoring tools,
enabling rapid application deployment and enhanced
visibility
Integrate natively and securely using common DevOps
configuration management tools – Chef/Puppet/Ansible
Enable greater network visibility using industry standard
analytics tools – Splunk/Ganglia/Nagios
Flexibility to integrate off-the-shelf and custom
applications using the Linux SDK
12. Automating Device Operational Lifecycle
Day 0
Install
Day 1
Configure
& Operate
Day 2
Optimize
Day N
Upgrade
GOAL:
Get a device/s into an
operational state?
CHALLENGE:
“I can bring up a server in
5 minutes, but a switch takes
2 days…”
GOAL:
Get the network into an
operational state?
CHALLENGE:
Automation of configuration
for servers and applications
is relatively easy how can my
network be as easy?
GOAL:
Continuously upgrade
features within my network,
incrementally and safely?
CHALLENGE:
I can dynamically patch Linux
with automated tools; why
can’t I do the same with my
network devices?
GOAL:
Add dynamic services, optimize
behavior and trouble shooting?
(Includes information from
applications and the network
correlated).
CHALLENGE:
My compute and application
platforms are open and
extensible why is my network
not?
Ignite &
POAP/PXE
Ansible,
Puppet and Chef
NX-API REST
Ansible
Puppet and Chef
and
Guestshell
Modular NxOS
Patachablity,
ISSU
Puppet/Chef/Ansible
NX-API REST ensure
model compliance
Guestshell,
Splunk/Nagios
13. https://github.com/datacenter/ignite
Enabling Day Zero Provisioning with Open Source Tools
PXE/iPXE
Automate day zero provisioning with open source,
standards-based tools
Provides GUI for topology and configuration
design packaged as an OVA, support for KVM or
VMware
Acts as an image and configuration template store
for POAP
Use python script extensions for third party
application installation and post boot
customizations
Operational Choice: Supported across Nexus 3K
& 9K, bootstrap NX-OS using existing compute
PXE/iPXE servers for switching infrastructure
Shipped
Q3CY15
Simplify Operations, Eliminate Provisioning Errors, Reduce Cost with
OPEN
NXOS
14. Puppet/Chef Master Server
Native Linux Service
/etc/init.d/puppet.d & chef.d
NX-OS
Cisco Puppet/Chef Agent
NX-APICisco Puppet/Chef
Module(Incl Utility
GEMs)
Linux Software
Repository
Server
Yum/RPM install
puppet/chef.rpm
• Support for Puppet, Chef and Ansible
• Cisco Puppet Agent RPM/software package posted
to Puppet forge and Open Sourced to Github
• Install Cisco Puppet Module on Puppet Master
• Yum install Puppet Agent rpm on switches
• Switch Agent periodically will poll Puppet/Chef
Master for updated catalog/cookbooks and attempt
to converge switch to desired state
CM Agent Based Tool Architecture –
Chef/Puppet
15. Type/Provider Roadmap:
VXLAN EVPN – Q1CY16
Virtual Port Channel – Q2CY16
Segment Routing – Q3CY16
Open NX-OS Puppet/Chef
Cisco Chef & Puppet Agent Types/Provider Support
Chef/Puppet Agent Types/Providers
cisco_vtp
cisco_tacacs_server
cisco_tacacs_server_host
cisco_snmp_server
cisco_snmp_community
cisco_snmp_group
cisco_ospf
cisco_ospf_vrf
cisco_vlan
cisco_bgp
cisco_bgp_vrf
cisco_interface
cisco_interface_ospf
cisco_interface_vlan
• Agents RPM installed natively on switch, using agent RPM or
within isolated guestshell environment
• Supported Agent Types/Providers for Camden
• Cisco Network Element Chef/Puppet module code published on
Git and Forge/Supermarket
• Agent is extensible beyond what we support by default by
using the utility classes OR:
• Agent is also extensible by embedding CLI using
cisco_command_config resource construct
18. • Deliver value to business
faster, more reliably
• Meet compliance & audit
requirements
• Adopt & mature DevOps
practices & supporting
technologies
• Adopt new technology while
supporting & sun-setting old
• Too much fire fighting
• Scripting & manual
processes aren’t cutting it
• Provisioning systems & apps
is manual, costly
• Unexpected configuration
changes
• Difficult to keep up with
demands from the business
Common Challenges. Critical Initiatives.
19. Our software
automates the provisioning,
configuration &
ongoing management
of your network & the applications,
services & software running on them.
22. Where To Start
Infrastructure as Code
Version
Control
Configuration
Management
Peer Review
Collaboration IterationFast Feedback Visibility
Continuous
Delivery
Automated
Testing &
Deployments
23. How we help:
• Apply DevOps practices to networking
• Manage the network just like compute
• Unify change insight & management for all
infrastructure at all levels of the application stack
A Unified Platform for Your Infrastructure
Network
Compute
24. • Use Case 1.1: Automatically deploying
configuration based on roles
• Use Case 1.2: Understanding change as it occurs
on the network
Demo 1 – Automating Open NX-OS with Puppet
25. • All CM tools enforce model compliance and eliminate
configuration drift
• All CM tools provide audit logging of change
• All CM tools support concept of no-op runs
Configuration Managements Tools
Agent v/s Agent-less Architecture
• Agent based CM are “pull based”
• Agent on managed device connects
with master for config information
periodically
• Changes made on master are pulled
down and executed
• Operations are Idempotent
• Puppet and Chef are agent based
• Agent-less CM are “push based”
• CM scripts are run on the master
• Scripts connect to the managed
device and execute the tasks
• No timer, control lies with the master
• Operations are Idempotent
• Ansible is agent-less
26. Ansible Enterprise
Automation
Simple. Agentless. Powerful.
Control. Security. Delegation.
/Uses OpenSSH & NX-
API
/No extra code to manage
/Ready for cloud-scale
/Uses YAML for playbooks
/No special coding skills
needed
/Fast learning curve
/Tasks in playbooks executed
in order
/App deployment
/Orchestration
/Configuration
management
/Eliminates Config Drift
/Role-Based Access Control
/Delegation of
credentials/keys
/Audit trail for automation
/Centralized job runs
/Job scheduling
/Automation dashboard
/Push-button job execution
/Portal mode for delegation
/REST API for integration
Ansible
Open Source
Ansible
Tower
Ansible 2.0 Release with
Tower in Q1CY16
includes complete
support for Nexus
platforms
28. Open NX-OS Virtual Nexus 9000
• Use with Beaker/KitchenCI for
ongoing application integration testing
• Test more often and catch errors early
and often prior to live deployment
• Integrated support for Vmware
Fusion, ESX 5.1/5.5 and
KVM(QCOW2), VMDK(Virtual Box)
• Available under controlled availability
– email get-n9kv@cisco.com with
CCO ids for access
• Targeting Public Release CY16 of
v9K, with ViRL integration
• Feature Parity 7.0(3)I2(2)
v9k Test Fabric
CI Tools
29. • Use Case 2.1: Provisioning new tenant workloads
for the network takes an exhorbitant amount of
time manually, use Ansible and Open NX-OS to
reduce this from days to mins
Demo 2 – Open NX-OS Ansible Demo
30. • Open NX-OS Introduction & Level Set
• Open NX-OS Linux Architecture & Capabilities
• Open NX-OS Devops Tool Integration
• Open NX-OS Programmability Options
Agenda
31. https://opennxos.cisco.com
Customized Automation with NX-API REST
Shipped
Q3CY15
Shorten Network Deployment Times, Reduce Human Error, Build Flexible, Responsive
Automation Architecture
OPEN
NXOS
KEY BENEFITS
Model Based – Provides a scalable, object model based
architecture for custom automation tool development
Secure - Access to all network objects is authenticated,
encrypted and authorized with AAA (Tacacs+, Radius)
Change Based Notifications - NX-API REST
applications can subscribe to events from network
objects without redundant polling, providing:
Application performance benefits
Application processing time reduction
NX-API contains a modeled representation of critical NX-
OS features in a tree based hierarchical model
Objects are modified and queried using HTTP REST API
calls
System
Router-ID
PeersEth1/1
Eth1/2..
ARP Entries
Physical BGP
Object Store
• class
• dn: distinguished name(url)
• statistics
• Properties(xml/json)
• object prop1
• object prop2
…
MIT
ARP
Publisher
Subscribe
Any Updates –
BGP Object
Push Notification
– BGP Peer Down!
32. What are we trying to solve with NX-API REST?
Limitation with CLI Modeled Automation:
Screen Scraping:
• With NX-API REST and the object model you send objects in XML/JSON not
CLI’s to the switch, and receive objects back from the switch, removing the need
for manipulation of strings in automation tools.
Centralized Database:
• Direct access to our centralized database(object store), resulting in automation
tool performance improvements, no more need to go through CLI software layers
Sequencing:
• With NX-API REST there is less need to be aware of command sequencing when
configuring something (conf t ; router bgp ; neighbor…)
• Want to remove or update something? Re-do potentially have to redo the whole
CLI sequence with a “no” to the last command and re-configuration, so you need
to build this intelligence into your automation.
33. Referencing an Object in NX-API REST:
Distinguished Name
Globally unique identifier for an object in the database
For example:
Adding a peer address to BGP default domain:
DN: sys/bgp/inst/dom-default/peer-[192.168.0.2]
Viewing a physical ethernet interface’s port capabilities:
DN: sys/phys-[eth1/1]/phys/portcap
Object Definition or naming rule will be posted to http://developer.cisco.com
System
BgpEntity BgpInstance BgpDomain BgpPeer
BgpLocalASN
BgpPeerAf
BgpPeerEntry
L1PhysIf
ethpmPhysIf ethpmPortCap
L1Load
L1StormControl
34. How do I utilize it?
• To configure or update something: push an new object
to the switch via the HTTP POST REST API call
• To check status of something: read the relevant object
using HTTP GET REST API call
• To monitor something:
• Subscribe to an object for events related to that particular object
• The switch will send you a push notification when this object
changes
35. • Use Case 3.1:Automation the provisioning of a BGP based
programmable fabric utilizing our NX-API REST object
model. Reduce time to fabric deployment from days to
mins.
Demo 3 – Open NX-OS NX-API REST Demo
36. Open-NXOS Reference Links
Software Link
Chef Agent (Supermarket)
Chef Cookbook
http://supermarket.chef.io
https://github.com/cisco/cisco-network-chef-cookbook
NX-API REST Model https://opennxos.cisco.com/public/api/nxapi-rest/
Puppet Agent (Puppetforge)
Puppet Module
http://forge.puppetlabs.com
https://github.com/cisco/cisco-network-puppet-module
Native 3rd Party Agent Repository
(Cisco Repository)
http://developer.cisco.com/opennxos
Nexus 3/9K GiT Repository (Scripting
Examples, etc)
http://github.com/datacenter/nexus9000
Ignite Open Source Toolkit
NX Toolkit
https://github.com/datacenter/ignite
https://github.com/datacenter/nxtoolkit
SDK for developing native application
RPMs
www.yocto.org
38. Thank You for Attending
For TechWiseTV episodes, TechWiseTV Workshops, Fundamentals and
Networking 101’s visit http://www.Cisco.com/go/TechWiseTV.com.
https://www.facebook.com/techwise
https://twitter.com/techwisetv
Hinweis der Redaktion
This slide should state the level & Learning Objective the audience should be at:
Today we are here to understand the Messaging, Positioning and gain the ability to Differentiate …
Or
Today we are here to Design, Deploy, Competitively position within product X, (or) Solution X …
Guestshell easier to use, no need to build a distro, yum install from centos repository into your guestshell..
For most part just works, running with less access than the host.
We’re not in same linux network namespace as the host, so we can do monitor stuff with netdevices ports, run ethtool monitor stats, parameters, etc, but we cannot change stuff from within guestshell.
We turned off ability to change interface parameters, mtu, addresses, etc..anything that changing networking within guestshell, no network admin capabilities from a linux networking perspective..do host conf t, eth4/1 shut..system call to nxos essentially.
Run bash or run guestshell…
From guestshell, can’t shut down interfaces…
Lot of stuff you can’t do in Linux that you can do in NXOS..WNL Chef/Puppet native on switch or CentOS distro within guestshell
9504-B# guestshell resize ?
cpu Resize the system CPU share allocated to guest shell
memory Resize the system memory allocated to guest shell
rootfs Resize the guest shell root filesystem to a larger value
Apps within guestshell run in default vrf, if for example you wanted an application ro run in a different vrf, you could run linux chvrf within the guestshell to switch to it to run the application.
User installs & configures the agents on Cisco switches. Our goal is to automate this step using ISV specific tool (Chef Provisioner) or home grown tool (for Puppet).
Download agent RPM from ISV site
Install agent RPM on switch
Configure agent to talk to the proper server/master
User installs the Cisco Cookbook/Puppet Module (along with Cisco utility GEMs) on the Server/Master
User creates a recipe or defines a manifest using the resources available in the cookbook/module.
If agent is configured to run periodically, it will obtain download the cookbook/catalogue and attempt to converge the network element to the desired state.
Sales Presentation Deck – 4Q FY2016 –v7
Puppet Labs exists to reduce the timeline: from the moment you have new technology, to the moment it’s in the hands of your users delivering value. That new technology comes in a few different flavors. First, new applications. Maybe you’re deploying a new application that your team built, tested and is ready to deliver to the business. It might be a new application you bought from a vendor and you’re preparing to roll out to users. Second, new infrastructure. For example, maybe you’re deploying an OpenStack environment or spinning up a new greenfield project in AWS. Third, updates to existing services. Maybe your adding a new set of capabilities to an application the business already relies on. And lastly, configuration updates. Maybe there have been key configuration settings that have drifted from the state they should be in and you need to bring those systems back into compliance. In any case, we help reduce the timeline of getting that update out to your users, and help you do so with the reliability, predictability and repeatability you demand.
What’s interesting though, is that each customer has different timelines at play. When I talk to Wal-Mart, out of the 40+k nodes they manage with Puppet, about 11k of them are on SLES 11, and they are trying to move another 6k from SLES 10 to SLES 11. Puppet helps them reliably reduce that timeline. At a very different looking user like Spotify, the notion of SLES is nearly laughable. We talk to them about how they are managing a sophisticated containerized environment. But as different as the technologies are, the common thread is that both organizations are cycling out older technology and cycling in newer tech and updates – and Puppet helps them do that.
As we work with organizations to accelerate the delivery of value to the business, we see a common set of challenges and critical initiatives organizations use Puppet Enterprise to help address.
[read through key challenges and initiatives that you’ve discovered they are trying to address].
Does this list make sense? Any that shouldn’t be on the list for you? Any that stick out? Any that aren’t on it but should be? [Use this line of questioning to tease out team dynamics and concerns that you should be aware of as you pursue the deal.]
Our software helps you automate the configuration and ongoing management of your machines and the software running on them, so you spend less time fighting fires and more time deploying great software.
We help you make rapid, repeatable changes and automatically enforce the consistency of systems and devices–across physical and virtual machines, on prem or in the cloud.
Key points. [The minimum points that a rep/SE should make. However, this is a good time to dig into details or have the SE lead a whiteboard discussion about our approach if you know this is an area of interest].
Our declarative, model-driven approach where you focus on defining the desired state of infrastructure, services and apps rather than the programmatic steps it takes to get there.
Once you’ve modeled your infrastructure/apps, we make it possible to test your code to see what happens when you deploy that app update, etc.
We also automate the deployment of that desired state to the infrastructure, and continually enforce that your infrastructure matches your desired state. When it doesn’t we let you know so you can remediate ASAP.
This approach is model once, use everywhere. Once you model your infrastructure and your applications, you can deploy those changes to dev, to test, to staging, to production. It’s the same set of Puppet code that defines your desired state and we make that state so across your deployment tiers – there is no need to rewrite a new set of runbooks to programatically account for all the differences across environments.
And all along the way, you get reports, so whether you want full traceability and insight through your environment or you need to meet audit requirements, you have the data you need about the state of your environments at your fingertips.
Key points. [The minimum points that a rep/SE should make. However, this is a good time to dig into details or have the SE lead a whiteboard discussion about our approach if you know this is an area of interest].
Provisioning is too often a slow process filled with manual steps. You should automate more than just the configuration management of your infrastructure or the orchestration of your apps, and extend automation to go across the entire lifecycle: from initial provisioning of infrastructure through decommissioning.
Over the last few releases we added new provisioning capabilities making it easy to provision
Bare metal and the OSs and hypervisors on those servers
Virtualized environments like spinning up VMs with vSphere
Public cloud infrastructure in AWS and Azure
And Docker, both the Docker engine as well as Docker containers.
The best place to start is by managing your infrastructure as code. Our take is that infrastructure as code is a prerequisite for any DevOps or DevOps-like practice. When you treat your infrastructure as code it’s easy to share that code, collaborate around it, put it in a version control system, do peer reviews (rather than the big CAB meetings), unit testing, automate your deployments and more.
After that, automating your configuration management and version control give you the biggest bang for your buck, meaning that you can make substantial gains toward the speed and reliability benefits we talked about earlier.
Since managing your infrastructure as code is such a critical piece of a DevOps practice, let’s spend some time digging into what you should consider as you manage your infrastructure as code.
CI TOOLS: Jenkins, CircleCI, TravisCI
CM TOOLS: Chef/Puppet/Ansible/SALTSTACK – we have a minion in our repo
CL TEST SIMULATION: Beaker, v9k, VIRL, Kitchen CI, Docker, Vagrant, VMWARE, etc
CD Tools: Github, Bitbucket
Platforms: Cloud, Openstack RH Orchectrator, etc..
Vagrant Free runs on your laptop
Devops and Tooling Process Flow for Customer who has enabled devops processes and tools through out their infrastructure
First some terms:
Github – code repository
GitLab is a web-based Git repository manager with wiki and issue tracking features. GitLab offers hosted accounts similar to GitHub, but also allows its software to be used on third-party servers. It is available as an Omnibus package.
Bitbucket is the Git solution for professional teams
Continuous Integration Tools
Jenkins monitors the code repository for changes/notifications or updates, which trigger a build when they are detected.
It calls an integration testing like beaker once build completes like puppet beaker to kick off a test run on the v9k staging fabric
Sequencing, this also effects your productivity and level of complexity you need to build into your automation design as you need to follow specific sequences of commands to execute something on the switch, as CLI needs commands in a specific order or will return an error. Same issue when you need to update something, need to no the specific previous command and redo with new values, very restrictive approach
String Manipulation: With an industry standard based REST API’s if automation and network teams are separate teams, automation teams will understand REST API’s and manipulating REST API’s,
Maintainable from customers perspective as the object definition will not change/
Ops team that does potentially automation within access URL and an object, automation teams may not have networking expertise, but understand automation and programming constructs, makes it easier to teams to co-operate to automate. The automation teams understand industry standard restful based API’s, and will understand how to create, update or delete an object or its attributes using REST.
REST is industry standard for APIs..
HOW DO WE FURTHER ENABLE YOU TO MOVE TO DEVOPS WITH TOOLING INTEGRATION
WHAT PIECES ARE MISSING TO ENABLE YOU TO TRANSITION TO THIS MODEL?