123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634 |
- .. _network-automation:
- ==================
- Network Automation
- ==================
- Network automation is a continuous process of automating the configuration,
- management and operations of a computer network. Although the abstraction
- could be compared with the operations on the server side, there are many particular
- challenges, the most important being that a network device is traditionally
- closed hardware able to run proprietary software only. In other words,
- the user is not able to install the salt-minion package directly on a
- traditional network device. For these reasons, most network devices can be
- controlled only remotely via :ref:`proxy minions <proxy-minion>` or
- using the :ref:`Salt SSH <salt-ssh>`. However, there are also vendors producing
- whitebox equipment (e.g. Arista, Cumulus) or others that have moved the
- operating system in the container (e.g. Cisco NX-OS, Cisco IOS-XR),
- allowing the salt-minion to be installed directly on the platform.
- New in Carbon (2016.11)
- -----------------------
- The methodologies for network automation have been introduced in
- :ref:`2016.11.0 <release-2016-11-0-network-automation-napalm>`. Network
- automation support is based on proxy minions.
- - :mod:`NAPALM proxy <salt.proxy.napalm>`
- - :mod:`Junos proxy<salt.proxy.junos>`
- - :mod:`Cisco NXOS <salt.proxy.nxos>`
- - :mod:`Cisco NOS <salt.proxy.cisconso>`
- NAPALM
- ------
- NAPALM (Network Automation and Programmability Abstraction Layer with
- Multivendor support) is an opensourced Python library that implements a set of
- functions to interact with different router vendor devices using a unified API.
- Being vendor-agnostic simplifies operations, as the configuration and
- interaction with the network device does not rely on a particular vendor.
- .. image:: /_static/napalm_logo.png
- Beginning with 2017.7.0, the NAPALM modules have been transformed so they can
- run in both proxy and regular minions. That means, if the operating system
- allows, the salt-minion package can be installed directly on the network gear.
- The interface between the network operating system and Salt in that case would
- be the corresponding NAPALM sub-package.
- For example, if the user installs the
- salt-minion on a Arista switch, the only requirement is
- `napalm-eos <https://github.com/napalm-automation/napalm-eos>`_.
- The following modules are available in 2017.7.0:
- - :mod:`NAPALM grains <salt.grains.napalm>`
- - :mod:`NET execution module <salt.modules.napalm_network>` - Networking basic
- features
- - :mod:`NTP execution module <salt.modules.napalm_ntp>`
- - :mod:`BGP execution module <salt.modules.napalm_bgp>`
- - :mod:`Routes execution module <salt.modules.napalm_route>`
- - :mod:`SNMP execution module <salt.modules.napalm_snmp>`
- - :mod:`Users execution module <salt.modules.napalm_users>`
- - :mod:`Probes execution module <salt.modules.napalm_probes>`
- - :mod:`NTP peers management state <salt.states.netntp>`
- - :mod:`SNMP configuration management state <salt.states.netsnmp>`
- - :mod:`Users management state <salt.states.netusers>`
- - :mod:`Netconfig state module <salt.states.netconfig>` - Manage the configuration
- of network devices using arbitrary templates and the Salt-specific
- advanced templating methodologies.
- - :mod:`Network ACL execution module <salt.modules.napalm_acl>` - Generate and
- load ACL (firewall) configuration on network devices.
- - :mod:`Network ACL state <salt.states.netacl>` - Manage the firewall
- configuration. It only requires writing the pillar structure correctly!
- - :mod:`NAPALM YANG execution module <salt.modules.napalm_yang_mod>` - Parse,
- generate and load native device configuration in a standard way,
- using the OpenConfig/IETF models. This module contains also helpers for
- the states.
- - :mod:`NAPALM YANG state module <salt.states.netyang>` - Manage the
- network device configuration according to the YANG models (OpenConfig or IETF).
- - :mod:`NET finder <salt.runners.net>` - Runner to find details easily and
- fast. It's smart enough to know what you are looking for. It will search
- in the details of the network interfaces, IP addresses, MAC address tables,
- ARP tables and LLDP neighbors.
- - :mod:`BGP finder <salt.runners.bgp>` - Runner to search BGP neighbors details.
- - :mod:`NAPALM syslog <salt.engines.napalm_syslog>` - Engine to import events
- from the napalm-logs library into the Salt event bus. The events are based
- on the syslog messages from the network devices and structured following
- the OpenConfig/IETF YANG models.
- - :mod:`NAPALM Helpers <salt.modules.napalm>` - Generic helpers for
- NAPALM-related operations. For example, the
- :mod:`Compliance report <salt.modules.napalm.compliance_report>` function
- can be used inside the state modules to compare the expected and the
- existing configuration.
- Getting started
- ###############
- Install NAPALM - follow the notes_ and check the platform-specific dependencies_.
- .. _notes: http://napalm.readthedocs.io/en/latest/installation/index.html
- .. _dependencies: http://napalm.readthedocs.io/en/latest/installation/index.html#dependencies
- Salt's Pillar system is ideally suited for configuring proxy-minions
- (though they can be configured in /etc/salt/proxy as well). Proxies
- can either be designated via a pillar file in :conf_master:`pillar_roots`,
- or through an external pillar.
- External pillars afford the opportunity for interfacing with
- a configuration management system, database, or other knowledgeable system
- that may already contain all the details of proxy targets. To use static files
- in :conf_master:`pillar_roots`, pattern your files after the following examples:
- ``/etc/salt/pillar/top.sls``
- .. code-block:: yaml
- base:
- router1:
- - router1
- router2:
- - router2
- switch1:
- - switch1
- switch2:
- - switch2
- cpe1:
- - cpe1
- ``/etc/salt/pillar/router1.sls``
- .. code-block:: yaml
- proxy:
- proxytype: napalm
- driver: junos
- host: r1.bbone.as1234.net
- username: my_username
- password: my_password
- ``/etc/salt/pillar/router2.sls``
- .. code-block:: yaml
- proxy:
- proxytype: napalm
- driver: iosxr
- host: r2.bbone.as1234.net
- username: my_username
- password: my_password
- optional_args:
- port: 22022
- ``/etc/salt/pillar/switch1.sls``
- .. code-block:: yaml
- proxy:
- proxytype: napalm
- driver: eos
- host: sw1.bbone.as1234.net
- username: my_username
- password: my_password
- optional_args:
- enable_password: my_secret
- ``/etc/salt/pillar/switch2.sls``
- .. code-block:: yaml
- proxy:
- proxytype: napalm
- driver: nxos
- host: sw2.bbone.as1234.net
- username: my_username
- password: my_password
- ``/etc/salt/pillar/cpe1.sls``
- .. code-block:: yaml
- proxy:
- proxytype: napalm
- driver: ios
- host: cpe1.edge.as1234.net
- username: ''
- password: ''
- optional_args:
- use_keys: True
- auto_rollback_on_error: True
- CLI examples
- ############
- Display the complete running configuration on ``router1``:
- .. code-block:: bash
- $ sudo salt 'router1' net.config source='running'
- Retrieve the NTP servers configured on all devices:
- .. code-block:: yaml
- $ sudo salt '*' ntp.servers
- router1:
- ----------
- comment:
- out:
- - 1.2.3.4
- result:
- True
- cpe1:
- ----------
- comment:
- out:
- - 1.2.3.4
- result:
- True
- switch2:
- ----------
- comment:
- out:
- - 1.2.3.4
- result:
- True
- router2:
- ----------
- comment:
- out:
- - 1.2.3.4
- result:
- True
- switch1:
- ----------
- comment:
- out:
- - 1.2.3.4
- result:
- True
- Display the ARP tables on all Cisco devices running IOS-XR 5.3.3:
- .. code-block:: bash
- $ sudo salt -G 'os:iosxr and version:5.3.3' net.arp
- Return operational details for interfaces from Arista switches:
- .. code-block:: bash
- $ sudo salt -C 'sw* and os:eos' net.interfaces
- Execute traceroute from the edge of the network:
- .. code-block:: bash
- $ sudo salt 'router*' net.traceroute 8.8.8.8 vrf='CUSTOMER1-VRF'
- Verbatim display from the CLI of Juniper routers:
- .. code-block:: bash
- $ sudo salt -C 'router* and G@os:junos' net.cli 'show version and haiku'
- Retrieve the results of the RPM probes configured on Juniper MX960 routers:
- .. code-block:: bash
- $ sudo salt -C 'router* and G@os:junos and G@model:MX960' probes.results
- Return the list of configured users on the CPEs:
- .. code-block:: bash
- $ sudo salt 'cpe*' users.config
- Using the :mod:`BGP finder <salt.runners.bgp>`, return the list of BGP neighbors
- that are down:
- .. code-block:: bash
- $ sudo salt-run bgp.neighbors up=False
- Using the :mod:`NET finder <salt.runners.net>`, determine the devices containing
- the pattern "PX-1234-LHR" in their interface description:
- .. code-block:: bash
- $ sudo salt-run net.find PX-1234-LHR
- Cross-platform configuration management example: NTP
- ####################################################
- Assuming that the user adds the following two lines under
- :conf_master:`file_roots`:
- .. code-block:: yaml
- file_roots:
- base:
- - /etc/salt/pillar/
- - /etc/salt/templates/
- - /etc/salt/states/
- Define the list of NTP peers and servers wanted:
- ``/etc/salt/pillar/ntp.sls``
- .. code-block:: yaml
- ntp.servers:
- - 1.2.3.4
- - 5.6.7.8
- ntp.peers:
- - 10.11.12.13
- - 14.15.16.17
- Include the new file: for example, if we want to have the same NTP servers on all
- network devices, we can add the following line inside the ``top.sls`` file:
- .. code-block:: yaml
- '*':
- - ntp
- ``/etc/salt/pillar/top.sls``
- .. code-block:: yaml
- base:
- '*':
- - ntp
- router1:
- - router1
- router2:
- - router2
- switch1:
- - switch1
- switch2:
- - switch2
- cpe1:
- - cpe1
- Or include only where needed:
- ``/etc/salt/pillar/top.sls``
- .. code-block:: yaml
- base:
- router1:
- - router1
- - ntp
- router2:
- - router2
- - ntp
- switch1:
- - switch1
- switch2:
- - switch2
- cpe1:
- - cpe1
- Define the cross-vendor template:
- ``/etc/salt/templates/ntp.jinja``
- .. code-block:: jinja
- {%- if grains.vendor|lower == 'cisco' %}
- no ntp
- {%- for server in servers %}
- ntp server {{ server }}
- {%- endfor %}
- {%- for peer in peers %}
- ntp peer {{ peer }}
- {%- endfor %}
- {%- elif grains.os|lower == 'junos' %}
- system {
- replace:
- ntp {
- {%- for server in servers %}
- server {{ server }};
- {%- endfor %}
- {%- for peer in peers %}
- peer {{ peer }};
- {%- endfor %}
- }
- }
- {%- endif %}
- Define the SLS state file, making use of the
- :mod:`Netconfig state module <salt.states.netconfig>`:
- ``/etc/salt/states/router/ntp.sls``
- .. code-block:: yaml
- ntp_config_example:
- netconfig.managed:
- - template_name: salt://ntp.jinja
- - peers: {{ pillar.get('ntp.peers', []) | json }}
- - servers: {{ pillar.get('ntp.servers', []) | json }}
- Run the state and assure NTP configuration consistency across your
- multi-vendor network:
- .. code-block:: bash
- $ sudo salt 'router*' state.sls router.ntp
- Besides CLI, the state can be scheduled or executed when triggered by a certain
- event.
- JUNOS
- -----
- Juniper has developed a Junos specific proxy infrastructure which allows
- remote execution and configuration management of Junos devices without
- having to install SaltStack on the device. The infrastructure includes:
- - :mod:`Junos proxy <salt.proxy.junos>`
- - :mod:`Junos execution module <salt.modules.junos>`
- - :mod:`Junos state module <salt.states.junos>`
- - :mod:`Junos syslog engine <salt.engines.junos_syslog>`
- The execution and state modules are implemented using junos-eznc (PyEZ).
- Junos PyEZ is a microframework for Python that enables you to remotely manage
- and automate devices running the Junos operating system.
- Getting started
- ###############
- Install PyEZ on the system which will run the Junos proxy minion.
- It is required to run Junos specific modules.
- .. code-block:: shell
- pip install junos-eznc
- Next, set the master of the proxy minions.
- ``/etc/salt/proxy``
- .. code-block:: yaml
- master: <master_ip>
- Add the details of the Junos device. Device details are usually stored in
- salt pillars. If the you do not wish to store credentials in the pillar,
- one can setup passwordless ssh.
- ``/srv/pillar/vmx_details.sls``
- .. code-block:: yaml
- proxy:
- proxytype: junos
- host: <hostip>
- username: user
- passwd: secret123
- Map the pillar file to the proxy minion. This is done in the top file.
- ``/srv/pillar/top.sls``
- .. code-block:: yaml
- base:
- vmx:
- - vmx_details
- .. note::
- Before starting the Junos proxy make sure that netconf is enabled on the
- Junos device. This can be done by adding the following configuration on
- the Junos device.
- .. code-block:: shell
- set system services netconf ssh
- Start the salt master.
- .. code-block:: bash
- salt-master -l debug
- Then start the salt proxy.
- .. code-block:: bash
- salt-proxy --proxyid=vmx -l debug
- Once the master and junos proxy minion have started, we can run execution
- and state modules on the proxy minion. Below are few examples.
- CLI examples
- ############
- For detailed documentation of all the junos execution modules refer:
- :mod:`Junos execution module <salt.modules.junos>`
- Display device facts.
- .. code-block:: bash
- $ sudo salt 'vmx' junos.facts
- Refresh the Junos facts. This function will also refresh the facts which are
- stored in salt grains. (Junos proxy stores Junos facts in the salt grains)
- .. code-block:: bash
- $ sudo salt 'vmx' junos.facts_refresh
- Call an RPC.
- .. code-block:: bash
- $ sudo salt 'vmx' junos.rpc 'get-interface-information' '/var/log/interface-info.txt' terse=True
- Install config on the device.
- .. code-block:: bash
- $ sudo salt 'vmx' junos.install_config 'salt://my_config.set'
- Shutdown the junos device.
- .. code-block:: bash
- $ sudo salt 'vmx' junos.shutdown shutdown=True in_min=10
- State file examples
- ###################
- For detailed documentation of all the junos state modules refer:
- :mod:`Junos state module <salt.states.junos>`
- Executing an RPC on Junos device and storing the output in a file.
- ``/srv/salt/rpc.sls``
- .. code-block:: yaml
- get-interface-information:
- junos:
- - rpc
- - dest: /home/user/rpc.log
- - interface_name: lo0
- Lock the junos device, load the configuration, commit it and unlock
- the device.
- ``/srv/salt/load.sls``
- .. code-block:: yaml
- lock the config:
- junos.lock
- salt://configs/my_config.set:
- junos:
- - install_config
- - timeout: 100
- - diffs_file: 'var/log/diff'
- commit the changes:
- junos:
- - commit
- unlock the config:
- junos.unlock
- According to the device personality install appropriate image on the device.
- ``/srv/salt/image_install.sls``
- .. code-block:: jinja
- {% if grains['junos_facts']['personality'] == MX %}
- salt://images/mx_junos_image.tgz:
- junos:
- - install_os
- - timeout: 100
- - reboot: True
- {% elif grains['junos_facts']['personality'] == EX %}
- salt://images/ex_junos_image.tgz:
- junos:
- - install_os
- - timeout: 150
- {% elif grains['junos_facts']['personality'] == SRX %}
- salt://images/srx_junos_image.tgz:
- junos:
- - install_os
- - timeout: 150
- {% endif %}
- Junos Syslog Engine
- ###################
- :mod:`Junos Syslog Engine <salt.engines.junos_syslog>` is a Salt engine
- which receives data from various Junos devices, extracts event information and
- forwards it on the master/minion event bus. To start the engine on the salt
- master, add the following configuration in the master config file.
- The engine can also run on the salt minion.
- ``/etc/salt/master``
- .. code-block:: yaml
- engines:
- - junos_syslog:
- port: xxx
- For junos_syslog engine to receive events, syslog must be set on the Junos device.
- This can be done via following configuration:
- .. code-block:: shell
- set system syslog host <ip-of-the-salt-device> port xxx any any
- .. toctree::
- :maxdepth: 2
- :glob:
|