[DOCKER] Network device config management automation verification with oxidized and gitlab
Introduction
<!-Description the beginning and outline-> A personal memo of verification that automates the configuration management of network devices with oxidized and gitlab. It may be useful in the field where many network devices are operated.
In this verification, we will launch vSRX with Vagrant and oxidized and gitlab with docker. The purpose is to automatically get the vSRX config by oxidized and save it in gitlab.
It would be nice if the wasteful work of manually acquiring the config after changing the settings, moving the file to the in-house NW via USB, storing it in a shared folder, and managing the configuration is reduced as much as possible.
If the latest config is not properly managed, it will be difficult to replace the device due to a failure, so it will be automated properly.
environment
- mac OS Catalina 10.15.7
- docker 19.03.13
- docker-compose 1.27.4
- vagrant 2.2.10
table of contents
<!-Edit title and anchor name->
- [Docker preparation](#docker preparation)
- [Preparing for vSRX](Preparing for #vSRX)
- [Prepare for gitlab](Prepare for #gitlab)
- [Preparing for oxidized](Preparing for #oxidized)
- Run
docker ready
Get ready around docker
docker installation
Install docker and docker-compose by referring to this article
Below my environment
# docker -v
Docker version 19.03.13, build 4484c46d9d
$ docker-compose -v
docker-compose version 1.27.4, build 40524192
Raise the memory limit that docker can use
Mac version docker can only use up to 2GB of memory by default, so please refer to this article. Increase it to the feeling. Memory 4G / swap 1G? Consult with machine specs.
If you don't do this, you'll be struck by a 502 error in gitlab for the rest of your life. Note that gitlab uses a lot of memory!
vSRX preparation
This time, we will use Vagrant + vSRX to simulate network equipment.
Install vagrant and virtual box
Install vagrant and virtual box by referring to this article
Below my environment
$ vagrant -v
Vagrant 2.2.10
Install vagrant plugin
Do I need a plugin to run vSRX?
$ vagrant plugin install vagrant-host-shell
$ vagrant plugin install vagrant-junos
Below my environment
$ vagrant plugin list
vagrant-host-shell (0.0.4, global)
vagrant-junos (0.2.1, global)
vSRX launch
Launch the ancient vSRX on vagrant. Use vSRX in packet mode (router). If you make a mistake and use vSRX in flow mode (FireWall), it will be duplicated (DUP) for the rest of your life by pinging and you will be crazy.
#Directory creation
$ mkdir vSRX
#Move to directory
$ cd vSRX
#Create a vSRX Vagrantfile
$ vagrant init juniper/ffp-12.1X47-D15.4-packetmode
#Set the IP of vSRX appropriately. This time 192.168.33.10
$ sed -i '' -e 's/# config.vm.network "private_network", ip: "192.168.33.10"/config.vm.network "private_network", ip: "192.168.33.10"/' Vagrantfile
#Start vSRX Wait patiently It takes a long time
$ vagrant up
#Status check OK if running
$ vagrant status
Current machine states:
default running (virtualbox)
The VM is running. To stop this VM, you can run `vagrant halt` to
shut it down forcefully, or you can run `vagrant suspend` to simply
suspend the virtual machine. In either case, to restart it again,
simply run `vagrant up`.
vSRX user created
Create a user for oxidized for later use. Work in the same directory as the previous item. You will use the user and password later.
#ssh login to vSRX
$ vagrant ssh
--- JUNOS 12.1X47-D15.4 built 2014-11-12 02:13:59 UTC
root@vsrx%
#Shift to vSRX cli mode
root@vsrx% cli
root@vsrx>
#Move to vSRX configure mode
root@vsrx> configure
root@vsrx#
#Added oxidized user
root@vsrx# set system login user oxidized class super-user
root@vsrx# set system login user oxidized authentication plain-text-password
New password:[Enter your favorite password]
Retype new password:[Put it in again and enter]
#Commit settings
root@vsrx# commit
#Exit vSRX by doing exit several times
# ssh [email protected] is also a confirmation that you can ssh with 10 or something
#WARNING at ssh: REMOTE HOST IDENTIFICATION HAS CHANGED!Know when it comes out_192 from hosts.168.33.Try to erase 10
gitlab preparation
I will set up gitlab with docker.
Create docker-compose.yml
Create a docker-compose file for gitlab.
#Directory creation
$ mkdir gitlab
#Move to directory
$ cd gitlab
# docker-compose.yaml file creation
$ touch docker-compose.yaml
Edit docker-compose.yaml below.
gitlab/docker-compose.yaml
version: '3.8'
services:
gitLab:
image: gitlab/gitlab-ce:latest
ports:
- "10080:80"
volumes:
- './config:/etc/gitlab'
- './logs:/var/log/gitlab'
- './data:/var/opt/gitlab'
run gitlab
Execute with docker-compose up
$ docker-compose up -d
docker-compose up itself is fast,
Wait patiently until you can see it on the Prouser. It takes a lot of time.
Until the launch is complete, you will be saddened by an error such as woops! Or 502. let's wait.
gitlab access
Browser access to http : // localhost: 10080
Follow the on-screen instructions to initialize the root password.
gitlab oxidized user created
Create a user for oxidized.
Browser access to http : // localhost: 10080
Create an oxidized user and proceed as shown on the screen.
gitlab repository creation
Create a private repository for use with oxidized. This time with the following name. Project name: config-auto-collector
The repository creation is complete.
Prepared to be oxidized
Prepare around oxidized
Create docker-compose.yml
Create an oxidized docker-compose file.
#Directory creation
$ mkdir oxidized
# oxidized/Move to
$ cd oxidized
# docker-compose.yaml file creation
$ touch docker-compose.yaml
Edit docker-compose.yaml below. I slept for 2 days without knowing the existence of ʻextra_hosts` Convenient because hosts are automatically set in the docker container
oxidized/docker-compose.yaml
oxidized:
restart: always
image: oxidized/oxidized:latest
ports:
- 8888:8888/tcp
environment:
CONFIG_RELOAD_INTERVAL: 600
volumes:
- ./oxidized:/root/.config/oxidized
extra_hosts:
- vSRX:192.168.33.10
oxidized config
We will set the oxidized config.
#Create Moiko directory
$ mkdir oxidized
# oxidized/oxidized/Move to
$ cd oxidized
#Create config file
$ touch config
Edit the config below. I feel that there are unnecessary settings, but I believe and copy and paste. Please enter some IPs and passwords for your environment. Since the acquisition interval (interval) is 10 seconds, tuning is required when putting it in the production environment. (Half day, maybe every day)
oxidized/coxidized/config
---
username: oxidized
password: oxidized
model: junos
resolve_dns: true
interval: 10
use_syslog: false
log: "/root/.config/oxidized/logs/oxidized.log"
debug: false
threads: 30
timeout: 20
retries: 3
prompt: !ruby/regexp /^([\w.@-]+[#>]\s?)$/
rest: 127.0.0.1:8888
next_adds_job: false
vars: {}
groups: {}
models: {}
pid: "/root/.config/oxidized/pid"
crash:
directory: "/root/.config/oxidized/crashes"
hostnames: false
stats:
history_size: 10
input:
default: ssh, telnet
debug: false
ssh:
secure: false
ftp:
passive: true
utf8_encoded: true
output:
default: git
git:
user: oxidized
email: [Email address specified when creating oxidized red with gitlab]
single_repo: true
repo: "/root/.config/oxidized/config-auto-collector"
hooks:
push_to_remote:
type: githubrepo
events: [post_store]
remote_repo: "http://[Real IP of localhost]:10080/oxidized/config-auto-collector.git"
username: oxidized
password: [gitlab password]
source:
default: csv
csv:
file: "/root/.config/oxidized/router.db"
delimiter: !ruby/regexp /:/
map:
name: 0
model: 1
username: 2
password: 3
vars_map:
enable: 4
model_map:
cisco: ios
juniper: junos
oxidized settings (router.db)
We will set router.db of oxidized. It's like setting the network device to be acquired by oxidized.
# oxidized/oxidized/Work under subordinates
# router.db file creation
$ touch router.db
Edit router.db below.
oxidized/coxidized/router.db
vSRX:juniper:oxidized:[vSRX oxidized user password]
Repository preparation
Let's clone the repository you created. Be sure to access with the real IP without using localhost etc. This repository is a file shared with the docker container, so If you set it to localhost, you will not be able to easily access it from the docker container side. (maybe)
# oxidized/oxidized/Work under subordinates
$ git clone http://oxidized@[Real IP of localhost]:10080/oxidized/config-auto-collector.git
Run
Finally oxidized execution. Execute it with gitlab and vSRX running.
oxidized start
# oxidized/Work under subordinates
$ docker-compose up -d
If all goes well, the vSRX config will be automatically added to the repository. Of course, if you change the vSRX config, it will be automatically pushed to the repository. I'm happy.
After that, let's deploy it in the production environment by fine tuning and host registration.
Tips
When vagrant freezes
Let's kill the pid that comes out with ps -ef | grep VBox.
Impression that vSRX hardens well
Enter docker container
I googled about 20,000 times saying "Enter docker". Let's remember
$ docker-compose exec [container name] bash
TODO --I want to do something about the file name becoming the host name --I want to manage that the execution command is not displayed in the output config file. --I want to extend the acquired information with my own model (show int terse, etc.) --Try in a real environment ――I wonder if there is a good way to handle hosts ... When the number of target hosts increases, it is difficult to handle.
Impressions
--Deoxidized is painful with few documents ――If you can go to the Internet, you don't have to set up gitlab locally. ――Once deployed, it seems that you can operate it easily --Since the UI of cvs is not good, I tried using gitlab, but I feel that cvs is easier to see if it is just generation management of config files. ――I feel like I have extra features of gitlab. I wonder if I can do something interesting --It may be better not to use a virtual environment because it uses too much gitlab resources ――Since git is not familiar to network operation members in the first place, it may be better not to use it so much ――Even if you create a user with vSRX and plain-text-password, the config is encrypted. Why? Is that something like that?
end