| Table of Contents |
|---|
Prerequisites
- Linux management server connected to two distribution switches
- Multiple free /24 networks for IPv4 management addressing
- Somewhere to host git repositories (you need to create three new repositories)
...
To add some data to your own repository we suggest starting meld ( https://meldmerge.org/ ) and do a directory comparison from the cnaas-nms-templates repo from github and the cnaas-example-templates directory. Copy the files/directories from cnaas-nms-templates to cnaas-example-templates.
For Arista you will need to modify the template eos/dist.j2 and change "ip helper-address" on vlan1 to point to your VM running the CNaaS-NMS docker containers.
Then add/commit/push:
git add .
git commit -a -m "init"
git push
...
mkdir {access,core,devices,dist,fabric,global,groups}
touch {access,core,dist,fabric,global}/{base_system.yml,groups.yml,routing.yml,vxlans.yml}
touch devices/README{access,core,dist,fabric}/base_system.yml
touch devices/README
touch groups/READMEEdit global/routing.yml and configure the IP blocks you allocated before:
---
underlay:
infra_link_net: 10.198.0.0/16
infra_lo_net: 10.199.0.0/16
mgmt_lo_net: 10.100.3.0/24
Commit and push
etc repo
Edit global/groups.yml and add the group ALL:
---
groups:
- group:
name: 'ALL'
regex: '.*'
Commit and push
etc repo
For etc repository add a directory called dhcpd and then add a For etc repository add a directory called dhcpd and then add a file called dhcpd.conf in there based on https://github.com/SUNET/cnaas-nms/blob/develop/docker/dhcpd/dhcpd.conf to dhcpd/dhcpd.conf
...
Create a docker-compose.yml file on the server with the following contents:
---
version: '3.7'
services:
cnaas_api:
image: docker.sunet.se/cnaas/api:latest stable
ports:
- 443:1443
networks:
- cnaas
environment:
- GITREPO_TEMPLATES
- GITREPO_SETTINGS
- GITREPO_ETC
- USERNAME_DHCP_BOOT
- PASSWORD_DHCP_BOOT
- USERNAME_DISCOVERED
- PASSWORD_DISCOVERED
- USERNAME_INIT
- PASSWORD_INIT
- USERNAME_MANAGED
- PASSWORD_MANAGED
- FIRMWARE_URL
- TEMPLATE_SECRET_ADMIN_HASH
- TEMPLATE_SECRET_TRANSCEIVER
- TEMPLATE_SECRET_RADIUS
depends_on:
- "cnaas_postgres"
- "cnaas_redis"
- "cnaas_httpd"
volumes:
- type: volume
source: cnaas-templates
target: /opt/cnaas/templates
- type: volume
source: cnaas-settings
target: /opt/cnaas/settings
- type: volume
source: cnaas-jwtcert
target: /opt/cnaas/jwtcert
- type: volume
source: cnaas-cacert
target: /opt/cnaas/cacert
cnaas_httpd:
image: docker.sunet.se/cnaas/httpd:latest
ports:
- 80:1180
networks:
- cnaas
environment:
- GITREPO_TEMPLATES
cnaas_dhcpd:
image: docker.sunet.se/cnaas/dhcpd:latest
ports:
- 67:67/udp
environment:
- GITREPO_TEMPLATES
- GITREPO_SETTINGS
- GITREPO_ETC
- DB_PASSWORD
- DB_HOSTNAME=cnaas_postgres
- JWT_AUTH_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzEwNTk2MTgsIm5iZiI6MTU3MTA1OTYxOCwianRpIjoiNTQ2MDk2YTUtZTNmOS00NzFlLWE2NTctZWFlYTZkNzA4NmVhIiwic3ViIjoiYWRtaW4iLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.Sfffg9oZg_Kmoq7Oe8IoTcbuagpP6nuUXOQzqJpgDfqDq_GM_4zGzt7XxByD4G0q8g4gZGHQnV14TpDer2hJXw"
networks:
- cnaas
cnaas_postgres: volumes:
- type: volume
source: cnaas-www-data
target: /opt/cnaas/www/
cnaas_dhcpd:
image: docker.sunet.se/cnaas/postgresdhcpd:latest
volumesports:
- cnaas-postgres-data:/var/lib/postgresql/data67:67/udp
environment:
- POSTGRESGITREPO_USERTEMPLATES
- POSTGRESGITREPO_PASSWORDSETTINGS
- POSTGRESGITREPO_DB=cnaasETC
networks:- DB_PASSWORD
- cnaas
cnaas_redis:
image: redis:latest DB_HOSTNAME=cnaas_postgres
- JWT_AUTH_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzEwNTk2MTgsIm5iZiI6MTU3MTA1OTYxOCwianRpIjoiNTQ2MDk2YTUtZTNmOS00NzFlLWE2NTctZWFlYTZkNzA4NmVhIiwic3ViIjoiYWRtaW4iLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.Sfffg9oZg_Kmoq7Oe8IoTcbuagpP6nuUXOQzqJpgDfqDq_GM_4zGzt7XxByD4G0q8g4gZGHQnV14TpDer2hJXw"
networks:
- cnaas
networks:
cnaas_postgres:
driver: bridge
name: cnaas image: docker.sunet.se/cnaas/postgres:latest
ipamvolumes:
config:
- subnet: 172.30.0.0/24
driver_opts:
com.docker.network.bridge.name: br-cnaas
volumes:
cnaas-templates:
external: true
cnaas-settings:
external: true
cnaas-postgres-data:
external: true
cnaas-jwtcert:
external: true
:latest here should be replaced with specific version or stable once we have a stable release.
The environment variable defininitions controls much of how CNaaS NMS is run. You can ether configure the variables right in this file by typing GITREPO_TEMPLATES="https://github.com/..." etc or set the environment variables before running the docker commands to start the docker containers.
Set USERNAME_*/PASSWORD_* to your desired passwords for the switches, if using default dhcp-init.j2 user/pass for dhcp/discovered/init is admin/abc123abc123, for MANAGED you should probably use something more secure. The TEPLATE_SECRET_ADMIN_HASH should be a password hash for the password you set under PASSWORD_MANAGED.
"FIRMWARE_URL" should point to the HTTP container and the path where firmwares are stored. This will most likely be the IP address of the NMS server with the prefix "/firmware". For example "<IP address of your NMS>/firmware/"
Create the three needed persistent docker volumes:
docker volume create cnaas-postgres-data
docker volume create cnaas-templates
docker volume create cnaas-settings
docker volume create cnaas-jwtcert
Start docker-compose and check the logs to try and fix any broken environment variables such as git repositories:
docker-compose up -f ./docker-compose.ymlThe API container will need the public key for a JWT certificate for authenticating API/JWT tokens to start. You can generate a certificate using the commands described under the "Authentication tokens" section below or just copy in a dummy cert in the meantime:
docker cp /etc/cnaas-nms/public.pem docker_cnaas_api_1:/opt/cnaas/jwtcert/public.pemdocker psdocker logs -f docker_cnaas_dhcpd_1SSL certificates
Valid SSL certificates can be copied into the container using docker cp and placed at /etc/nginx/conf.d/cnaas_nakeoil.crt and .key , after you have copied the files reload nginx: docker exec -it cnaas_front_cnaas_front_1 nginx -s reload
Authentication tokens
JSON Web Tokens (JWT https://jwt.io/ ) are used to authenticate users. Setup howto for CNaaS auth poc server .
Initialize database
Once the databases and API are up you can create your first initial dist switches. Start by checking if you can access the API (the JWT token has to be signed by the cert you copied in to the api container earlier):
export JWT_AUTH_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzEwNTk2MTgsIm5iZiI6MTU3MTA1OTYxOCwianRpIjoiNTQ2MDk2YTUtZTNmOS00NzFlLWE2NTctZWFlYTZkNzA4NmVhIiwic3ViIjoiYWRtaW4iLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.Sfffg9oZg_Kmoq7Oe8IoTcbuagpP6nuUXOQzqJpgDfqDq_GM_4zGzt7XxByD4G0q8g4gZGHQnV14TpDer2hJXw"
curl -s -H "Authorization: Bearer ${JWT_AUTH_TOKEN}" https://localhost/api/v1.0/devices
- cnaas-postgres-data:/var/lib/postgresql/data
environment:
- POSTGRES_USER
- POSTGRES_PASSWORD
- POSTGRES_DB=cnaas
networks:
- cnaas
cnaas_redis:
image: redis:latest
networks:
- cnaas
networks:
cnaas:
driver: bridge
name: cnaas
ipam:
config:
- subnet: 172.30.0.0/24
driver_opts:
com.docker.network.bridge.name: br-cnaas
volumes:
cnaas-templates:
external: true
cnaas-settings:
external: true
cnaas-postgres-data:
external: true
cnaas-jwtcert:
external: true
cnaas-cacert:
external: true
cnaas-www-data:
external: true
:latest here should be replaced with specific version or stable once we have a stable release.
The environment variable defininitions controls much of how CNaaS NMS is run. You can ether configure the variables right in this file by typing GITREPO_TEMPLATES="https://github.com/..." etc or set the environment variables before running the docker commands to start the docker containers.
Set USERNAME_*/PASSWORD_* to your desired passwords for the switches, if using default dhcp-init.j2 user/pass for dhcp/discovered/init is admin/abc123abc123, for MANAGED you should probably use something more secure. The TEPLATE_SECRET_ADMIN_HASH should be a password hash for the password you set under PASSWORD_MANAGED.
"FIRMWARE_URL" should point to the HTTP container and the path where firmwares are stored. This will most likely be the IP address of the NMS server with the prefix "/firmware". For example "<IP address of your NMS>/firmware/"
Create the three needed persistent docker volumes:
docker volume create cnaas-postgres-data
docker volume create cnaas-templates
docker volume create cnaas-settings
docker volume create cnaas-jwtcert
docker volume create cnaas-cacert
Start docker-compose and check the logs to try and fix any broken environment variables such as git repositories:
docker-compose up -f ./docker-compose.ymlThe API container will need the public key for a JWT certificate for authenticating API/JWT tokens to start. You can generate a certificate using the commands described under the "Authentication tokens" section below or just copy in a dummy cert in the meantime:
docker cp /etc/cnaas-nms/public.pem docker_cnaas_api_1:/opt/cnaas/jwtcert/public.pemThe API container will also need a rootCA if you want to generate valid certificates for API services on devices, you can create a rootCA via:
docker exec -u root -it docker_cnaas_api_1 /opt/cnaas/createca.shCheck everything is up and running:
docker psdocker logs -f docker_cnaas_dhcpd_1SSL certificates
Valid SSL certificates can be copied into the container using docker cp and placed at /etc/nginx/conf.d/cnaas_nakeoil.crt and .key , after you have copied the files reload nginx: docker exec -u root -it cnaas_front_cnaas_front_1 nginx -s reload
Authentication tokens
JSON Web Tokens (JWT https://jwt.io/ ) are used to authenticate users. Setup howto for CNaaS auth poc server .
Initialize database
Once the databases and API are up you can create your first initial dist switches. Start by checking if you can access the API (the JWT token has to be signed by the cert(auth-server) you copied in to the api container earlier. the CNAASURL can very depending on setup):
export JWT_AUTH_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzEwNTk2MTgsIm5iZiI6MTU3MTA1OTYxOCwianRpIjoiNTQ2MDk2YTUtZTNmOS00NzFlLWE2NTctZWFlYTZkNzA4NmVhIiwic3ViIjoiYWRtaW4iLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.Sfffg9oZg_Kmoq7Oe8IoTcbuagpP6nuUXOQzqJpgDfqDq_GM_4zGzt7XxByD4G0q8g4gZGHQnV14TpDer2hJXw"
export CNAASURL="https://localhost"
curl -s -H "Authorization: Bearer ${JWT_AUTH_TOKEN}" ${CNAASURL}/api/v1.0/system/version
If you don't have installed valid certificates you will need to add -k to curl to make it accept self signed certificates. This curl command should return a result with status success but no data.
Before adding the dist devices you must make the API pull from the templates and settings repositories:
curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" ${CNAASURL}/api/v1.0/repository/templates -d '{"action": "refresh"}' -X PUT -H "Content-Type: application/json"
curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" ${CNAASURL}/api/v1.0/repository/settings -d '{"action": "refresh"}' -X PUT -H "Content-Type: application/json"
If there's any syntax files in settings you need to fix them and then run the refresh command againIf you don't have installed valid certificates you will need to add -k to curl to make it accept self signed certificates. This curl command should return a result with status success but no data.
You then need to add your distribution switches with data similar to this:
...
curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" ${CNAASURL}/api/v1.0/device -X POST -d '{ "hostname": "eosdist1", "management_ip": "10.100.3.0", "platform": "eos", "state": "MANAGED", "device_type": "DIST"}' -H "Content-Type: application/json"...
curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" https://localhost${CNAASURL}/api/v1.0/repository/templates -d '{"action": "refresh"}' -X PUT -H "Content-Type: application/json"
curl -s -H "Authorization: Bearer $JWT_AUTH_TOKEN" https://localhost${CNAASURL}/api/v1.0/repository/settings -d '{"action": "refresh"}' -X PUT -H "Content-Type: application/json"
...