============================================================
Cisco Nexus Salt Minion Installation and Configuration Guide
============================================================

This document describes the Salt Minion installation and configuration on Cisco Nexus switches. These instructions detail the process for managing the Nexus switches using a Proxy Minion or Native Minion on platforms that have GuestShell support.

.. contents:: Table of Contents

Pre-Install Tasks
=================

STEP 1: Verify Platform and Software Version Support
----------------------------------------------------

The following platforms and software versions have been certified to work with this version of Salt.

.. table:: Platform / Software Minimum Requirements
   :widths: auto
   :align: center

   ===================  =====================  ================  ===================  =================
   Supported Platforms  Minimum NX-OS Version  SSH Proxy Minion  NX-API Proxy Minion  GuestShell Minion
   ===================  =====================  ================  ===================  =================
   Cisco Nexus N3k      7.0(3)I2(5) and later  Supported         Supported            Supported
   Cisco Nexus N9k      7.0(3)I2(5) and later  Supported         Supported            Supported
   Cisco Nexus N6k      7.3(0)N1(1) and later  Supported         Not Supported        Not Supported
   Cisco Nexus N7k      7.3(0)D1(1) and later  Supported         Supported            Not Supported
   ===================  =====================  ================  ===================  =================

.. table:: Platform Models
   :widths: auto
   :align: center

   ========  ===========
   Platform  Description
   ========  ===========
   N3k       Support includes N30xx, N31xx, N32xx and N35xx models
   N6k       Support includes all N6xxx models
   N7k       Support includes all N7xxx models
   N9k       Support includes all N9xxx models
   ========  ===========

STEP 2: Choose Salt Minion Type
-------------------------------

Using the tables above, select the Salt Minion type.

Choices:

* ``SSH`` Proxy Minion (See `Salt Proxy Minion Configuration`_ Section)
* ``NX-API`` Proxy Minion (See `Salt Proxy Minion Configuration`_ Section)
* ``GuestShell`` Native Minion (See `GuestShell Salt Minion Installation`_ Section)

  * Some platforms support a native minion installed directly on the NX-OS device inside the GuestShell
  * The GuestShell is a secure Linux container environment running CentOS

STEP 3: Network Connectivity
----------------------------

Ensure that IP reachability exists between the NX-OS Salt Minion device and the SaltStack Master.

**Note:** The management interface exists in a separate VRF context and requires additional configuration as shown.

Example: Nexus CLI Configuration for connectivity via management interface

.. code:: bash

    config term
      vrf context management
        ip name-server 10.0.0.202
        ip domain-name mycompany.com
        ip route 0.0.0.0/0 10.0.0.1

      interface mgmt0
        vrf member management
        ip address 10.0.0.99/24

      ntp server 10.0.0.201 use-vrf management
    end

Salt Proxy Minion Configuration
===============================

Here is a sample Proxy Minion directory structure:

.. code:: bash

    saltmaster:/srv/pillar$tree
    .
    ├── n3k-proxy.sls
    ├── n7k-proxy.sls
    └── top.sls

This displays a top sls file and two proxy minion sls files for a Nexus 3k and Nexus 7k device.

Sample contents for the ``top.sls`` file.

.. code:: yaml

    saltmaster:/srv/pillar$cat top.sls
    base:
      n3k-proxy:
        - n3k-proxy
      n7k-proxy:
        - n7k-proxy

Proxy Minion Pillar Data
------------------------

Here is a sample Proxy Minion pillar data file.

All of the data for both ssh and nxapi proxy minion types can be stored in the same pillar data file. To choose ``ssh`` or ``nxapi``, simply set the ``connection:`` parameter accordingly.

.. code:: yaml

    saltmaster:/srv/pillar$cat n7k-proxy.sls
    proxy:
      proxytype: nxos

      # Specify ssh or nxapi connection type (default is ssh)
      #connection: ssh
      connection: nxapi

      # Parameters Common to both SSH and NX-API
      host: n7k.example.com
      username: admin
      password: password

      # SSH Parameters
      prompt_name: n7k
      ssh_args: '-o PubkeyAuthentication=no'
      key_accept: True

      # NX-API Parameters
      transport: https
      port: 443
      verify: False

      # Option to prevent auto-save after each configuration command.
      # Setting this to True will improve performance when using
      # nxos execution module functions to configure the device.
      no_save_config: True

* For the most current nxos proxy minion configuration options, See :mod:`salt.proxy.nxos <salt.proxy.nxos>`
* For the most current list of nxos execution module functions, See :mod:`salt.modules.nxos<salt.modules.nxos>`

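
The sample pillar above keeps both connection types in one file, so a setting such as ``verify: False`` or ``key_accept: True`` can sit unused until ``connection:`` is changed. The following is an added example, not part of the Salt documentation or code base: a Python check over the rendered ``proxy:`` data that reports each lab-grade setting and whether it applies to the connection type in use. The function name, finding labels, placeholder-password list and the hardened values are assumptions made for the illustration.

```python
# Added example: audit rendered nxos proxy pillar data (a dict, as Salt sees it
# after YAML rendering). Finding labels and sample values are constructed.

PLACEHOLDER_PASSWORDS = {"password", "admin", "cisco", "changeme"}  # assumed list


def audit_nxos_proxy(pillar):
    """Return [(finding, active)] for the proxy: block of one pillar dict.

    active is True when the setting belongs to the connection type in use,
    False when it stays dormant until someone flips connection:.
    """
    proxy = pillar.get("proxy") or {}
    if proxy.get("proxytype") != "nxos":
        return []
    conn = proxy.get("connection", "ssh")  # the page: default is ssh
    checks = [
        # (label, connection type it applies to or None for both, hit?)
        ("placeholder-password", None,
         str(proxy.get("password", "")).lower() in PLACEHOLDER_PASSWORDS),
        ("nxapi-cleartext-http", "nxapi", proxy.get("transport") == "http"),
        ("nxapi-tls-verify-off", "nxapi", proxy.get("verify") is False),
        ("ssh-hostkey-auto-accept", "ssh", proxy.get("key_accept") is True),
    ]
    return [(label, scope in (None, conn)) for label, scope, hit in checks if hit]


# Mirrors the n7k-proxy.sls sample on this page.
PAGE_SAMPLE = {"proxy": {
    "proxytype": "nxos", "connection": "nxapi",
    "host": "n7k.example.com", "username": "admin", "password": "password",
    "prompt_name": "n7k", "ssh_args": "-o PubkeyAuthentication=no",
    "key_accept": True, "transport": "https", "port": 443, "verify": False,
    "no_save_config": True,
}}

# Constructed counterpart: the credential string is a placeholder.
HARDENED = {"proxy": dict(
    PAGE_SAMPLE["proxy"], password="<secret-from-encrypted-pillar>",
    verify=True, key_accept=False,
)}

if __name__ == "__main__":
    for name, data in (("page sample", PAGE_SAMPLE), ("hardened", HARDENED)):
        print(name, audit_nxos_proxy(data))
```
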
GuestShell Salt Minion Installation
===================================

This section is only required when running the SaltStack Minion from the ``guestshell``.

STEP 1a: Enable the Guestshell on low footprint N3ks
----------------------------------------------------

**NOTE:** Skip down to **STEP 1b** if the target system is not a low footprint N3k.

Nexus 3xxx switches with 4 GB RAM and 1.6 GB bootflash are advised to use compacted images to reduce the storage resources consumed by the image. As part of the compaction process, the ``guestshell.ova`` is removed from the system image. To make use of the guestshell on these systems, the guestshell.ova may be downloaded and used to install the guestshell.

Guestshell OVA Download Link_

.. _Link: https://software.cisco.com/download/home/283970187/type/282088129/release/9.2%25281%2529?catid=268438038

Starting in release ``9.2(1)`` and onward, the .ova file can be copied to the ``volatile:`` directory which frees up more space on ``bootflash:``.

Copy the ``guestshell.ova`` file to ``volatile:`` if supported, otherwise copy it to ``bootflash:``

.. code:: bash

    n3xxx# copy scp://admin@1.2.3.4/guestshell.ova volatile: vrf management
    guestshell.ova 100% 55MB 10.9MB/s 00:05
    Copy complete, now saving to disk (please wait)...
    Copy complete.

Use the ``guestshell enable`` command to install and enable guestshell.

.. code:: bash

    n3xxx# guestshell enable package volatile:guestshell.ova

STEP 1b: Enable the Guestshell
------------------------------

The ``guestshell`` container environment is enabled by default on most platforms; however, the default disk and memory resources allotted to guestshell are typically too small to support SaltStack Minion requirements. The resource limits may be increased with the NX-OS CLI ``guestshell resize`` commands as shown below.

.. table:: Resource Requirements
   :widths: auto
   :align: center

   ===================  =====================
   Resource             Recommended
   ===================  =====================
   Disk                 **500 MB**
   Memory               **350 MB**
   ===================  =====================

``show guestshell detail`` displays the current resource limits:

.. code:: bash

    n3k# show guestshell detail
    Virtual service guestshell+ detail
      State                 : Activated
    ...
        Resource reservation
        Disk                : 150 MB
        Memory              : 128 MB

``guestshell resize rootfs`` sets disk size limits while ``guestshell resize memory`` sets memory limits. The resize commands do not take effect until after the guestshell container is (re)started by ``guestshell reboot`` or ``guestshell enable``.

**Example.** Allocate resources for guestshell by setting new limits to 500MB disk and 350MB memory.

.. code:: bash

    n3k# guestshell resize rootfs 500
    n3k# guestshell resize memory 350

    n3k# guestshell reboot
    Are you sure you want to reboot the guest shell? (y/n) [n] y

STEP 2: Set Up Guestshell Network
---------------------------------

The ``guestshell`` is an independent CentOS container that does not inherit settings from NX-OS.

* Use ``guestshell`` to enter the guestshell environment, then become root.
* *Optional:* Use ``chvrf`` to specify a vrf namespace; e.g. ``sudo chvrf management``

.. code:: bash

    n3k# guestshell

    [guestshell@guestshell ~]$ sudo su -          # Optional: sudo chvrf management
    [root@guestshell guestshell]#

**OPTIONAL: Add DNS Configuration**

.. code:: bash

    [root@guestshell guestshell]# cat >> /etc/resolv.conf << EOF
    nameserver 10.0.0.202
    domain mycompany.com
    EOF

**OPTIONAL: Define proxy server variables if needed to allow network access to SaltStack package repositories**

.. code:: bash

    export http_proxy=http://proxy.yourdomain.com:<port>
    export https_proxy=https://proxy.yourdomain.com:<port>

STEP 3: Install SaltStack Minion
---------------------------------

**OPTIONAL: Upgrade the pip installer**

``[root@guestshell guestshell]# pip install --upgrade pip``

Install the ``certifi`` python package.

``[root@guestshell guestshell]# pip install certifi``

The most current information on installing the SaltStack Minion in a CentOS 7 environment can be found here_

.. _here: https://repo.saltstack.com/#rhel

Information from the install guide is provided here for convenience.

Run the following commands to install the SaltStack repository and key:

``[root@guestshell guestshell]# yum install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm``

Run the following command to force yum to revalidate the cache for each repository.

``[root@guestshell guestshell]# yum clean expire-cache``

Install the Salt Minion.

``[root@guestshell guestshell]# yum install salt-minion``

STEP 4: Configure SaltStack Minion
----------------------------------

Make the following changes to the ``/etc/salt/minion`` configuration file in the NX-OS GuestShell.

Change the ``master:`` directive to point to the SaltStack Master.

.. code:: diff

    - #master: salt
    + master: saltmaster.example.com

Change the ``id:`` directive to easily identify the minion running in the GuestShell.

Example:

.. code:: diff

    - #id: salt
    + id: n3k-guestshell-minion

Start the Minion in the Guestshell and accept the key on the SaltStack Master.

``[root@guestshell ~]# systemctl start salt-minion``

.. code:: bash

    saltmaster: salt-key -L
    Accepted Keys:
    Denied Keys:
    Unaccepted Keys:
    n3k-guestshell-minion
    Rejected Keys:

.. code:: bash

    saltmaster: salt-key -A
    The following keys are going to be accepted:
    Unaccepted Keys:
    n3k-guestshell-minion
    Proceed? [n/Y] Y
    Key for minion n3k-guestshell-minion accepted.

Ping the SaltStack Minion running in the Guestshell.

.. code:: bash

    saltmaster: salt n3k-guestshell-minion nxos.ping
    n3k-guestshell-minion:
        True

GuestShell Salt Minion Persistence
===================================

This section documents SaltStack Minion persistence in the ``guestshell`` after system restarts and high availability switchovers.

The ``guestshell`` container does not automatically sync filesystem changes from the active processor to the standby processor. This means that SaltStack Minion installation files and related file changes will not be present on the standby until they are manually synced with the following NX-OS exec command:

``guestshell sync``

The ``guestshell`` environment uses **systemd** for service management. The SaltStack Minion provides a generic systemd script when installed, but a slight modification as shown below is needed for nodes that run Salt in the management (or other vrf) namespace:

.. code:: diff

    --- /usr/lib/systemd/system/salt-minion.service.old
    +++ /usr/lib/systemd/system/salt-minion.service
    [Unit]
    Description=The Salt Minion
    Documentation=man:salt-minion(1) file:///usr/share/doc/salt/html/contents.html
    https://docs.saltstack.com/en/latest/contents.html
    After=network.target salt-master.service

    [Service]
    KillMode=process
    Type=notify
    NotifyAccess=all
    LimitNOFILE=8192
    - ExecStart=/usr/bin/salt-minion
    + ExecStart=/bin/nsenter --net=/var/run/netns/management -- /usr/bin/salt-minion

    [Install]
    WantedBy=multi-user.target

Change the ``pidfile:`` directive to point to the ``/run`` ``tmpfs`` location in the GuestShell.

.. code:: diff

    - #pidfile: /var/run/salt-minion.pid
    + pidfile: /run/salt-minion.pid

Next, enable the SaltStack Minion systemd service (the ``enable`` command adds it to systemd for autostarting on the next boot) and optionally start it now:

.. code:: bash

    systemctl enable salt-minion
    systemctl start salt-minion

References
==========

.. table:: Nexus Document References
   :widths: auto
   :align: center

   ===================  =====================
   References           Description
   ===================  =====================
   GuestShell_N9k_      N9k Guestshell Programmability Guide
   GuestShell_N3k_      N3k Guestshell Programmability Guide
   ===================  =====================

.. _Guestshell_N9k: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/9-x/programmability/guide/b_Cisco_Nexus_9000_Series_NX-OS_Programmability_Guide_9x/b_Cisco_Nexus_9000_Series_NX-OS_Programmability_Guide_9x_chapter_0100.html

.. _GuestShell_N3k: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/programmability/9_x/b_Cisco_Nexus_3000_Series_NX-OS_Programmability_Guide_9x/b_Cisco_Nexus_3000_Series_NX-OS_Programmability_Guide_9x_chapter_0101.html