BRKPRG 1816
Containers for Network Automation and Operations - IOS-XE and NX-OS
Nagendra Kumar Nainar, Principal Engineer, CX
Yogesh Ramdoss, Principal Engineer, CX
BRKPRG-1816
#CLUS
Cisco Webex Teams
Questions?
Use Cisco Webex Teams to chat
with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
#CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Introduction
Motivation
Make you all aware of advanced architecture and capabilities in our
platforms, and how to bring them into your day-to-day tasks
Containers in Cisco Network Devices? Sky is the limit!!
Agenda
• Virtualization and Containers
• Containers in Cisco IOS-XE
• Containers in Cisco NX-OS
• Summary and Take-aways
Reference
What's In It For Me?
Session Abstract
• Refresh virtualization and container concepts
Once upon a time…. Evolution of Virtualization
1960: Minicomputers, time sharing computing
1970: Time sharing service from Compuserve, Tymshare
1980: Client-Server
1990: DISCO from Stanford
2000: Commodity OS Virtualization
2015: Server Consolidation
Motivation for Virtualization
Virtualization
Virtualization and Cloud Computing
Types of Virtualization
• Server Virtualization
• Network Virtualization
Diagram: Virtualization Layer on top of the Physical Hardware
Server Virtualization – Virtual Machines
• Hypervisor allows multiple OS to share the same hardware
• Hypervisor can run on bare metal or on another platform (OpenStack)
• Each Virtual Machine runs its own dedicated Operating System
• Ex: KVM, Hyper-V, VirtualBox etc.
Diagram: Virtual Machine 1 and Virtual Machine 2 (Application, Guest OS, Virtual HW) on the Hypervisor, on the Physical Host (CPU, Memory, NIC, Disk)
KVM Installation – Checking KVM supportability
root@server:~$ kvm-ok
INFO: /dev/kvm exists
KVM acceleration can be used
root@server:~$
Server Virtualization – Containers
• Ex: Linux Containers (LXC), Docker
Diagram: Container 1 and Container 2 on the Physical Host (CPU, Memory, NIC, Disk)
Containers
Container Hosting – BusyBox
Install Linux container manager (LXD):
root@server:~$ sudo apt install lxd
Reading package lists... Done
Building dependency tree
Docker Containers – Architecture
• Docker Client: CLI to interface with Docker
• Dockerfile: Instruction file to build a Docker Image
• Registry: Docker image registry
Docker Containers – Dockerfile
Build docker image: docker build
List the local images: docker images
Start a docker container: docker create <image>
List the containers: docker ps
Dockerfile:
FROM python:alpine3.7
COPY . /app1
WORKDIR /dir
RUN pip install -r requirements.txt
CMD [ "python3", "./app1-server_udp.py" ]
Orchestration and Automation
How can I automate container instantiation?
Kubernetes
• Kubernetes is an open source platform for automating, deploying, scaling, and operating containers
• Kubernetes was created by Google and donated to the Cloud Native Computing Foundation (open source)
• Since Kubernetes is open source there are dozens of projects to enable networking, storage etc.
• Allowing customers to focus on applications instead of infrastructure
Kubernetes Architecture
Master components:
• Kube-controller-manager handles nodes, replication; the Endpoint controller joins Services to Pods
• Cloud-Controller-manager handles nodes, services like Loadbalancers and routes
• Kube-scheduler watches and binds Pod to Node
Kubernetes Workers:
• kube-proxy proxies TCP/UDP services and configures IPTables
Additional components:
• Fluentd – Cluster level logging
• CoreDNS
• Dashboard
• Kube-dns-autoscaler
• Heapster – container performance & monitoring
• Event-exporter (fluentd)
Kubernetes Eco System
Diagram: Visualization (Grafana), APIs, Database, Analytics, SAML, OpenComponent
Motivation: Containers on Network Devices
• Network OS Independence
• Limited Kernel dependency
• System Modularity
• Leverage existing toolsets
• Ability to bring application close to the data
• Isolated Application Eco-system
• Application focused deployment
Cisco Software Architecture
Control Plane
(IOS-XE, IOS-XR, NX-OS)
System Infrastructure
Linux Kernel
Cisco OS Architecture
IOS-XE Architecture
• Linux Kernel based architecture
• IOSd runs as a daemon on the Linux Kernel
• Virtualization Manager: used in some of the legacy platforms
• CAF augments the infrastructure
• "virtual-service" CLI based package install
Diagram: Virtualization Manager and CAF over libvirt on the Host Kernel
csr1000v-2# virtual-service ?
  clear      Clear command
  connect    Connect to an appliance
  install    Install an appliance package
  move       Copy files for an appliance package
  uninstall  Uninstall an appliance package
  upgrade    Upgrade an appliance package
Cisco Application Hosting Framework (CAF)
Diagram: Fog Director (REST), IOx Client (REST) and CLI as interfaces to CAF, which sits on libvirt over the Host Kernel
Cisco Application Hosting Framework (CAF)
• New Framework created for application lifecycle management
• Initially developed to host IoT applications
• Expanded the scope of applicability
Cisco Application Hosting Framework
• Flexible Secure Runtime Environment
• Operating System level Construct
• Virtualization Toolkit
Container Hosting
• Guest Shell
  • Owner: IOx
  • Type: LXC
• IOx APP Hosting
  • Owner: IOx
  • Type: Custom
Diagram: Guest shell and 3rd Party IOx App alongside IOSd, VMAN, CAF and LibVirt on the Linux Kernel
Platform Comparison
Feature Matrix
Containers in Cisco IOS-XE
• IOS-XE Architecture
• IOS-XE Guest Shell Containers
• IOS-XE IOx App Hosting
• IOS-XE Container Network Model
Guest Shell
• Maintain IOS-XE system integrity
  • Isolated User Space
  • Fault Isolation
  • Resource Isolation
• On-box rapid prototyping
  • Device-level API Integration
  • Scripting (Python)
  • Linux Commands
  • Application Hosting
• Integrate into your Linux workflow
• Integrated with IOS-XE
Diagram: Linux applications run in the Guest Shell, which talks to the Network OS through an API
Enabling Guest Shell
Enable IOX Service
Task 1 - Enable IOX Service
Workflow: Enable IOX Service → Guest Shell N/W Config → Enable Guest Shell → Optional NAT
• "iox" command enables the service on IOS-XE.
• The show command lists the summary of services enabled.
C9300#
C9300# show iox-service
IOx Infrastructure Summary:
---------------------------
IOx service (CAF)    : Running
IOx service (HA)     : Running
IOx service (IOxman) : Running
Libvirtd             : Running
C9300#
Enable IOX Service
Task 2 – Guest Shell Network Config
C9300# conf t
C9300(config)# interface VirtualPortGroup 0
C9300(config-if)# ip address 10.1.1.1 255.255.255.0
C9300(config-if)# no shut
C9300(config-if)# end
C9300#
C9300#conf t
C9300(config)# app-hosting appid guestshell
C9300(config-app-hosting)# app-vnic gateway0 virtualportgroup 0 guest-interface 0
C9300(config-app-hosting-gateway0)# guest-ipaddress 10.1.1.2 netmask 255.255.255.0
C9300(config-app-hosting-gateway0)# app-default-gateway 10.1.1.1 guest-interface 0
C9300(config-app-hosting)# end
C9300#
Diagram: Guest Shell container vEth 10.1.1.2/24 attached to VirtualPortGroup 0 (10.1.1.1/24)
Enable IOX Service
Task 3 – Enable Guest Shell
• "guestshell enable" command will start the container
• "guestshell destroy" is used to kill the container
C9300# guestshell enable
Current state is: ACTIVATED
guestshell started successfully
Current state is: RUNNING
Guestshell enabled successfully
C9300#
C9300# show app-hosting list
App id                                   State
-----------------------------------------
guestshell                               RUNNING
C9300#
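A guest shell that comes up RUNNING but cannot reach anything is usually a mismatch between the VirtualPortGroup address and the guest-ipaddress / app-default-gateway lines from Task 2. The following Python is an added example, not part of the session deck or of any Cisco tooling: it parses the VirtualPortGroup and app-hosting stanzas of a running-config excerpt and checks that the guest address is inside the VirtualPortGroup subnet, does not collide with it, and uses the VirtualPortGroup address as its gateway. The sample config is a constructed copy of the Task 2 snippet, and the parser only understands the commands shown on that slide (an assumption; the DHCP-based IOx app model later in the deck would be reported as "no guest-ipaddress").

```python
"""Consistency check for an IOS-XE guest shell / app-hosting network config.

Added example, not from the session deck. It parses 'interface VirtualPortGroup'
and 'app-hosting appid' stanzas and verifies that guest-ipaddress, netmask and
app-default-gateway line up with the VirtualPortGroup the app-vnic attaches to.
Only the commands shown in the deck are understood (assumption).
"""
import ipaddress
import re

# Constructed sample: the Task 2 / dedicated-model configuration from the deck.
SAMPLE_CONFIG = """\
interface VirtualPortGroup0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
app-hosting appid guestshell
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 10.1.1.2 netmask 255.255.255.0
 app-default-gateway 10.1.1.1 guest-interface 0
"""


def parse_config(text):
    """Return (vpgs, apps): VirtualPortGroup number -> IPv4Interface, and
    appid -> {"vnic": {guest_if: {"vpg": n, "ip": IPv4Interface or None}},
              "gateway": {guest_if: IPv4Address}}."""
    vpgs, apps = {}, {}
    vpg = app = guest_if = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface VirtualPortGroup\s*(\d+)$", line)
        if m:
            vpg, app = int(m.group(1)), None
            continue
        m = re.match(r"app-hosting appid (\S+)$", line)
        if m:
            app, vpg = m.group(1), None
            apps[app] = {"vnic": {}, "gateway": {}}
            continue
        if vpg is not None:
            m = re.match(r"ip address (\S+) (\S+)$", line)
            if m:
                vpgs[vpg] = ipaddress.IPv4Interface("{}/{}".format(m.group(1), m.group(2)))
        elif app is not None:
            m = re.match(r"app-vnic \S+ virtualportgroup (\d+) guest-interface (\d+)$", line)
            if m:
                guest_if = int(m.group(2))
                apps[app]["vnic"][guest_if] = {"vpg": int(m.group(1)), "ip": None}
                continue
            m = re.match(r"guest-ipaddress (\S+) netmask (\S+)$", line)
            if m and guest_if is not None:
                apps[app]["vnic"][guest_if]["ip"] = ipaddress.IPv4Interface(
                    "{}/{}".format(m.group(1), m.group(2)))
                continue
            m = re.match(r"app-default-gateway (\S+) guest-interface (\d+)$", line)
            if m:
                apps[app]["gateway"][int(m.group(2))] = ipaddress.IPv4Address(m.group(1))
    return vpgs, apps


def check_app_hosting(text):
    """Return a list of findings; an empty list means the guest networking is consistent."""
    vpgs, apps = parse_config(text)
    findings = []
    for appid, app in apps.items():
        for guest_if, vnic in app["vnic"].items():
            vpg = vpgs.get(vnic["vpg"])
            if vpg is None:
                findings.append("{}: VirtualPortGroup{} has no ip address".format(appid, vnic["vpg"]))
                continue
            guest = vnic["ip"]
            if guest is None:
                findings.append("{}: guest-interface {} has no guest-ipaddress".format(appid, guest_if))
                continue
            if guest.network != vpg.network:
                findings.append("{}: guest {} is outside VirtualPortGroup{} subnet {}".format(
                    appid, guest, vnic["vpg"], vpg.network))
            if guest.ip == vpg.ip:
                findings.append("{}: guest address {} collides with VirtualPortGroup{}".format(
                    appid, guest.ip, vnic["vpg"]))
            gw = app["gateway"].get(guest_if)
            if gw is None:
                findings.append("{}: no app-default-gateway for guest-interface {}".format(appid, guest_if))
            elif gw != vpg.ip:
                findings.append("{}: default gateway {} is not the VirtualPortGroup{} address {}".format(
                    appid, gw, vnic["vpg"], vpg.ip))
    return findings


if __name__ == "__main__":
    for finding in check_app_hosting(SAMPLE_CONFIG) or ["OK: guest networking is consistent"]:
        print(finding)
```

Run it against a `show running-config | section VirtualPortGroup|app-hosting` capture before `guestshell enable`; the checks are deliberately limited to what the deck's snippet expresses, so a NAT or unnumbered setup needs its own rules.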
C9300# show app-hosting detail
Containers in Cisco IOS-XE
• IOS-XE Architecture
• IOS-XE Guest Shell Containers
• IOS-XE IOx App Hosting
• IOS-XE Container Network Model
IOx App Hosting
Steps Involved
1. Get the App Environment
2. Install the Dev tools/libraries
3. Build and prepare VM File system
4. Build IOx package
5. Copy the package to device
6. Install and host the App
IOx App Hosting – Steps 1-3: Get the App Environment, Install the tools/libraries, Build and prepare VM File system
Build the App VM File system
IOx App Hosting – Step 3: Build and prepare VM File system
VMDK to QCOW2 Conversion
IOx App Hosting
IOx Client Installation
IOx App Hosting – Step 4: Build IOx Package
package.yaml:
info:
  name: CiscoLiveApp
  description: "App Hosting Demo for Ciscolive"
app:
  qemu-guest-agent: True
IOx App Hosting – Step 5: Copy Packages
• Copy the package to USB Flash and insert on the platform
• External USB must be used to host the application on Cat9k Platforms
C9300# dir usbflash0:App1xe.tar
Directory of usbflash0:/App1xe.tar
IOx App Hosting
Configure App-Hosting
• Configure VirtualPortGroup Interface
• Configure DHCP on the hosting Platform
• App-Hosting cannot have static IP address
!
interface VirtualPortGroup1
ip address 10.2.2.1 255.255.255.0
!
ip dhcp pool ciscolive
network 10.2.2.0 255.255.255.0
default-router 10.2.2.1
dns-server 8.8.8.8
!
iox
app-hosting appid centos
app-vnic gateway0 virtualportgroup 1 guest-interface 0
IOx App Hosting – Step 6: Install and host the App
IOx App Hosting
Access App
Get Your Hands Dirty
Service Containers – Legacy way of App Hosting
Containers in Cisco IOS-XE
• IOS-XE Architecture
• IOS-XE Guest Shell Containers
• IOS-XE IOx App Hosting
• IOS-XE Container Network Model
Container Network Model
Shared: Applications inside the container appear as applications running natively on the host. Examples: Nexus 3k, 9k, 6k, 7k, NCS xK
Dedicated: Applications inside the container appear as appliances on a subnet reachable from the host. Examples: C9K, ASR 1k, CSR 1kv, ISR4k, ISR 819
Diagram: shared model exposes the host interfaces (eth0, eth1, eth2) inside the container; dedicated model gives the container its own veth0, veth1, veth2
Dedicated model configuration (container vEth 10.1.1.2/24, VirtualPortGroup 10.1.1.1/24, WAN 172.16.1.1/24 on IOS-XE):
!
app-hosting appid guestshell
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 10.1.1.2 netmask 255.255.255.0
 app-default-gateway 10.1.1.1 guest-interface 0
end
Network Model – Unnumbered Model
Container vEth 10.1.1.2/24 behind VirtualPortGroup0, which borrows the address of Gig0/0/0 (10.1.1.1/24) on IOS-XE:
!
interface GigabitEthernet0/0/0
 ip address 10.1.1.1 255.255.255.0
!
interface VirtualPortGroup0
 ip unnumbered GigabitEthernet0/0/0
!
!
app-hosting appid guestshell
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 10.1.1.2 netmask 255.255.255.0
 app-default-gateway 10.1.1.1 guest-interface 0
end
Network Model – Shared-IP Model
Container vEth shares the address of Gig1 (10.1.1.1/24) with IOS-XE:
!
interface GigabitEthernet1
 ip address 10.1.1.1 255.255.255.0
!
virtual-service ciscolive
 ip shared host-interface GigabitEthernet1
!
csr1000v-2#
csr1000v-2# virtual-service install name ciscolive package flash:ciscolive.ova
Note: virtual-service is not supported in Cat9000 platforms
Network Model - Layer 2
Network Model – Layer 2 Model
VLAN Access
Container vEth 10.1.1.2/24 bridged (L2Bridge) to the access port Gig1/1/2 on IOS-XE (10.1.1.1/24):
!
interface GigabitEthernet1/1/2
 switchport access vlan 101
!
Network Model – Layer 2 Model
Trunk Mode
Container vEth 10.1.1.2/24 on an AppGigEthernet trunk, bridged (L2Bridge) to the trunk port Gig1/1/2 on IOS-XE (10.1.1.1/24):
!
interface GigabitEthernet1/1/2
 switchport mode trunk
!
Containers in Cisco NX-OS
Containers in Cisco NX-OS
• Containers for NX-OS (Standalone)
• Open Agent Containers (OAC)
• Docker Container in NX-OS
• NX-OS: Container Orchestration with Kubernetes
• Use-cases
Container for NX-OS Standalone Switches
• Independent application running on a Nexus switch
• Enables users to run any application, including 3rd party applications
• Run applications without compromising security
Containers for Network Elements
• Virtualized environment to host "applications" on a Nexus device
• Application Examples
  • Cisco Virtual Services: Linux shell: Guest shell & OAC (LXC)
Diagram: Customer Apps, ISV* Apps and Cisco Apps (App1 v1.17, App1 v2.13, App 2, App 3) hosted on the device
Front-Panel Ports in OAC
Netstack vs. Kstack – Quick Review
• Not every front-panel port in Nexus7000/Nexus6000 is represented
in OAC container
• A custom Netstack mechanism is used to access VRFs within the
VDC
• OAC still has IP reachability to Management and In-band VRFs but
cannot address individual interfaces
• There is no IP access to VRFs outside the VDC in which OAC is
deployed
• Kstack is not VDC aware as N3K/N9K don’t support VDCs. It runs in
default VDC (VDC 1) and provides access to all front-panel ports.
Containers in Cisco NX-OS
• Containers for NX-OS (Standalone)
• Open Agent Containers (OAC)
• Docker Container in NX-OS
• NX-OS: Container Orchestration with Kubernetes
• Use-cases
Open Agent Container
Installation Steps
• Download oac.ova image from Cisco.com to your Nexus /bootflash
• Decide which VDC you want to install OAC into
• Enable NX-API feature – take advantage of this capability
• Install oac.ova and activate it via virtual-service command (takes 3-5 minutes; be patient)
Nexus-7k# feature nxapi
Nexus-7k# dir bootflash: | grep ova
   66355200    Apr 04 14:42:44 2019  oac.ova
OAC Activation
Troubleshooting Failure
OAC – A Closer Look
Nexus-7k# show virtual-service detail
Virtual service oac detail
State : Activated
Package information
Name : oac.8.1.1.ova
Path : bootflash:/oac.8.1.1.ova
Application
Name : OpenAgentContainer
Installed version : 1.0
Description : Cisco Systems Open Agent Container
Signing
Key type : Cisco release key
Method : SHA1
Licensing
Name : None
Version : None
Resource reservation
Disk : 500 MB
Memory : 384 MB
CPU : 1% system CPU
Attached devices
Type Name Alias
---------------------------------------------
Disk _rootfs
Disk /cisco/core
Serial/shell
Serial/aux
Serial/Syslog serial2
Serial/Trace serial3
OAC Shell
Console Access
• Attaching to the container console; you may login as
Nexus-7k# virtual-service connect name oac console
Connecting to virtual-service. Exit using ^c^c^c
Trying 127.1.1.5...
OAC Shell
Enabling SSH Access
• Shared interface with NX-OS environment
• sshd must listen on a non-standard TCP port, typically 2222 (as port 22 is already taken by the Management interface for NX-OS)
• sshd must also be started in the VRF required to bind to the correct interfaces
• Modify /etc/ssh/sshd_config and start sshd
[root@(none)]# sudo cat /etc/ssh/sshd_config
Port 2222
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::
[root@(none)]# chvrf management /etc/init.d/sshd start
Starting sshd:                                             [  OK  ]
[root@(none)]# vrf2num management
2
• The init script adds config to a pre-set VRF at initialization / startup:
[root@(none)]# more /etc/init.d/sshd | grep DCOS
export DCOS_CONTEXT=2
OAC Shell
Setup Network Access
• DNS: /etc/resolv.conf
nameserver 8.8.8.8
search foo.com
• Proxy? /etc/environment
export http_proxy=http://proxy.foo.com:80
export https_proxy=https://proxy.foo.com:80
• VRF Access (chvrf, getvrf, and vrf2num)
vrf2num <vrf_name>
chvrf vrf_name <cmd>
chvrf vrf_name
Nexus-7k# show ip internal info interface mgmt 0
IP extension for iod 131/mgmt0
  lcache 0x5a86776c, Ext 0x5a86776c, if_private 0xd7b4c2fc,
  maddresses (nil), iod 131
  VRF 2/management admin up 1
  unnumbered if : 0 (null)
  ip_ctxt 0xdf928e34, ip_vaddr (nil) (0),
  directed_broadcast_acl (nil)
Total 'ip forward' configured interface count: 0
[root@(none) ~]$ chvrf management
[root@(none) ~]$ getvrf
Management
[root@(none) ~]$ vrf2num management
2
[root@(none) ~]$
OAC Shell
Running Host CLI
• The dohost command is a Python wrapper script around NX-API
calls using Linux domain sockets back to NX-OS
[root@(none) ~]$ dohost "show clock"
23:03:42.122 UTC Wed May 01 2019
Time source is NTP
[root@(none) ~]$
Package Management
Yum Install
• Install the packages you want, just like any CentOS 6.8 Linux environment
• Ensure you call out the correct VRF to access the Yum repository or have the environment variable set up already
• Also make sure any proxy server and DNS configuration is applied for connectivity
• No default route is needed in Linux as we are using the
[root@(none) ~]$ chvrf management
[root@(none) ~]$ sudo yum install -y vim
Loaded plugins: fastestmirror
base                                          | 3.6 kB  00:00
extras                                        | 3.4 kB  00:00
updates                                       | 3.4 kB  00:00
(1/4): base/7/x86_64/group_gz                 | 166 kB  00:00
(2/4): base/7/x86_64/primary_db               | 6.0 MB  00:03
(3/4): extras/7/x86_64/primary_db             | 188 kB  00:03
(4/4): updates/7/x86_64/primary_db            | 4.2 MB  00:04
Package Management
Python PIP: Install
• Python's package manager is called PIP
• Users can install optional libraries (Py Packages)
• May require specifying a proxy server
• Bootstrap PIP with get_pip.py
https://pip.pypa.io/en/stable/installing/
pip install requests --proxy=proxy.foo.com:80
OAC Persistence
Supervisor Engine Failover/Reload
• Containers on the Standby Supervisor are offline (inactive). Switchover triggers activation in the new Active Supervisor (boot up)
• Agents/Scripts must be scripted to bring up any functionality that must come up on startup of the container
• Run copy run start to ensure container filesystem changes are persisted to flash
• On N7000/N7700 a reload of the VDC containing the OAC container will cause the container to go offline and be re-activated on VDC bring-up
Guest Shell and OAC
• Guest Shell supports the "guestshell sync" command to synchronize the container filesystem to the Standby Supervisor
• Currently OAC does not replicate the container filesystem between supervisors
• Looking at EXT4 capabilities to do real-time replication of container state between Supervisors
• Container on Standby supervisor is non-active - On a switchover event the container will be activated (booted)
Shared Network Interfaces
Interfaces existing in multiple containers or native environment
• It all comes back to Network Namespaces isolating, among other things, sockets and file
Diagram (Shared Network Model): Container 1 – Network namespace: Host; Container 2 – Network namespace: Host
Containers in Cisco NX-OS
• Containers for NX-OS (Standalone)
• Open Agent Containers (OAC)
• Docker Container in NX-OS
• NX-OS: Container Orchestration with Kubernetes
• Use-cases
Docker Container in NX-OS
Prerequisites
1. Enable bash-shell feature
switch# conf t
switch(config)# feature bash-shell
Docker Container in NX-OS
Docker Service
• Start Docker Service as a Superuser in the bash-shell
Load Bash and become superuser:
switch# run bash sudo su -
Start the Docker daemon ("service docker stop" to stop the service):
root@switch# service docker start
• Dockerpart
Once you start the Docker daemon, a dockerpart file will be created in the bootflash: with 2GB memory reserved. Do not delete or tamper with it, as it is critical to the docker functionalities.
switch# dir bootflash:dockerpart
  2000000000    Mar 19 12:50:14 2019  dockerpart
Docker Container in NX-OS
• Shared Kernel
Diagram: containers load a specific volume and share the NX-OS Kernel
Docker Container in NX-OS
Docker Container – Status & Persistence Through Reload/Sup Switchover
Docker containers in action! Starts an Alpine container and configures it to always restart unless it is explicitly stopped or docker is restarted.
root@switch# docker ps
CONTAINER ID   IMAGE    COMMAND     CREATED       STATUS       PORTS   NAMES
47d5c0a2916b   alpine   "/bin/sh"   56 mins ago   Up 56 mins           myalpine
52e7a1e5731a   alpine   "/bin/sh"   31 mins ago   Up 31 mins           myalpine2
root@switch#
• Configure the switch to restart docker service (or not) at each reload
root@switch# chkconfig --add docker
root@switch#
root@switch# chkconfig --list | grep docker
docker    0:off  1:off  2:on  3:on  4:on  5:on  6:off
root@switch#
root@switch# chkconfig --del docker
root@switch# chkconfig --list | grep docker
root@switch#
Container Orchestration
Kubernetes Components
Master: Kube API-Server, etcd, Kube Scheduler, Kube-Controller Manager, Cloud-Controller Manager
Node 1: Kubelet, Kube-Proxy, Container Runtime
Node 2: Kubelet, Kube-Proxy, Container Runtime
Container Orchestration
Kubernetes and NX-OS – What do we have so far?
Diagram (Nexus9000): Supervisor running NX-OS and Bash on the Kernel, a Docker Container reached through the Control-Plane Inband Channel / Inband port; physical interfaces Eth1-1, Eth1-2 ... Eth1-N and Mgmt0
Container Orchestration
Docker & Kubernetes in Master Node
Start etcd component of Kubernetes:
docker run -d \
  --net=host \
  gcr.io/google_containers/etcd:2.2.1 \
  /usr/local/bin/etcd --listen-client-urls=http://10.0.0.6:4001 \
  --advertise-client-urls=http://10.0.0.6:4001 --data-dir=/var/etcd/data
Container Orchestration
Docker & Kubernetes in Master Node (Contd.)
Run kubelet component of Kubernetes:
docker run -d --name=kubs \
  --volume=/:/rootfs:ro --volume=/sys:/sys:ro --volume=/dev:/dev \
  --volume=/var/lib/docker/:/var/lib/docker:rw \
  --volume=/var/lib/kubelet/:/var/lib/kubelet:rw \
  --volume=/var/run:/var/run:rw --net=host --pid=host \
  --privileged=true \
  gcr.io/google_containers/hyperkube:v1.2.2 \
  /hyperkube kubelet --allow-privileged=true \
  --hostname-override="10.0.0.6" \
  --address="10.0.0.6" --api-servers=http://10.0.0.6:8080 \
  --cluster_dns=10.0.0.10 \
  --cluster_domain=cluster.local --config=/etc/kubernetes/manifests-multi
Proxy component of Kubernetes:
/hyperkube proxy --master=http://10.0.0.6:8080 --v=2
Container Orchestration
Kubernetes in Nexus – Kubernetes Worker
Join Nexus9000 to the pod by registering to the Master:
root@switch# docker run -d --name=kubs \
  --net=host --pid=host --privileged=true \
  --volume=/:/rootfs:ro --volume=/sys:/sys:ro --volume=/dev:/dev \
  --volume=/var/lib/docker/:/var/lib/docker:rw \
  --volume=/var/lib/kubelet/:/var/lib/kubelet:rw \
  --volume=/var/run:/var/run:rw \
  gcr.io/google_containers/hyperkube:v1.2.2 \
  /hyperkube kubelet --allow-privileged=true --containerized \
  --enable-server --cluster_dns=10.0.0.10 \
  --cluster_domain=cluster.local \
  --config=/etc/kubernetes/manifests-multi \
  --hostname-override="10.0.0.6" \
  --address=0.0.0.0 --api-servers=http://10.0.0.6:4001
root@switch# docker run -d --name=proxy \
  --net=host --privileged=true \
  gcr.io/google_containers/hyperkube:v1.2.2 \
  /hyperkube proxy --master=http://10.0.0.6:4001 --v=2
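The two docker run commands above hand the kubelet and proxy containers the host's network and PID namespaces, --privileged, and writable mounts of /dev, /var/run, /var/lib/docker and /var/lib/kubelet, which amounts to root on the switch's Linux side; that is what running a Kubernetes worker on a Nexus costs, and it is worth seeing it spelled out before the commands are typed into the bash shell. The following Python is an added example, not part of the deck or of any Cisco tooling: it tokenizes a docker run command line and reports exactly those isolation settings. The command strings are constructed copies of the worker-node commands above, and the option grammar it accepts (--opt=value, --opt value, -v) is an assumption that covers the forms used on the slides.

```python
"""Audit a 'docker run' command line for host-isolation risks.

Added example, not from the deck or Cisco. Option handling (--opt=value,
--opt value, -v) is an assumption that covers the forms used on the slides.
"""
import shlex

# Host paths that should not be bind-mounted writable into a container.
SENSITIVE_HOST_PATHS = {"/", "/dev", "/sys", "/proc", "/etc", "/var/run",
                        "/var/lib/docker", "/var/lib/kubelet"}
# Options that take a separate value when written without '='.
VALUE_OPTS = {"--name", "--net", "--network", "--pid", "--volume", "-v",
              "--user", "-u", "--cap-add", "--device", "-e", "--env"}

# Constructed copies of the worker-node commands shown in the deck.
WORKER_KUBELET_CMD = """docker run -d --name=kubs \\
  --net=host --pid=host --privileged=true \\
  --volume=/:/rootfs:ro --volume=/sys:/sys:ro --volume=/dev:/dev \\
  --volume=/var/lib/docker/:/var/lib/docker:rw \\
  --volume=/var/lib/kubelet/:/var/lib/kubelet:rw \\
  --volume=/var/run:/var/run:rw \\
  gcr.io/google_containers/hyperkube:v1.2.2 \\
  /hyperkube kubelet --allow-privileged=true --containerized"""
WORKER_PROXY_CMD = """docker run -d --name=proxy \\
  --net=host --privileged=true \\
  gcr.io/google_containers/hyperkube:v1.2.2 \\
  /hyperkube proxy --master=http://10.0.0.6:4001 --v=2"""


def parse_docker_run(cmdline):
    """Return ([(option, value), ...], image) for one 'docker run' command line."""
    # Join backslash-newline continuations the way the shell would, then tokenize.
    tokens = shlex.split(cmdline.replace("\\\n", " "))
    if tokens[:2] != ["docker", "run"]:
        raise ValueError("not a 'docker run' command line")
    opts, i = [], 2
    while i < len(tokens) and tokens[i].startswith("-"):
        tok = tokens[i]
        if "=" in tok:
            name, value = tok.split("=", 1)
        elif tok in VALUE_OPTS and i + 1 < len(tokens):
            name, value = tok, tokens[i + 1]
            i += 1
        else:
            name, value = tok, "true"      # boolean flag such as -d
        opts.append((name, value))
        i += 1
    image = tokens[i] if i < len(tokens) else None   # first non-option token
    return opts, image


def audit_docker_run(cmdline):
    """Return the isolation findings for a command line; an empty list means none."""
    opts, image = parse_docker_run(cmdline)
    findings = []
    for name, value in opts:
        if name == "--privileged" and value.lower() == "true":
            findings.append("privileged container: all capabilities and host devices")
        elif name in ("--net", "--network") and value == "host":
            findings.append("shares the host network namespace")
        elif name == "--pid" and value == "host":
            findings.append("shares the host PID namespace")
        elif name in ("--volume", "-v"):
            parts = value.split(":")
            src = parts[0].rstrip("/") or "/"
            mode = parts[2] if len(parts) > 2 else "rw"   # Docker's default is read-write
            if src in SENSITIVE_HOST_PATHS and mode != "ro":
                findings.append("writable bind mount of host path {}".format(src))
    if image and ":" not in image and "@" not in image:
        findings.append("image {} has no tag or digest pinned".format(image))
    return findings


if __name__ == "__main__":
    for cmd in (WORKER_KUBELET_CMD, WORKER_PROXY_CMD):
        print(cmd.splitlines()[0])
        for finding in audit_docker_run(cmd) or ["no findings"]:
            print("  -", finding)
```

The findings are not a verdict that the commands are wrong: a kubelet genuinely needs most of them. The point is that each one is a deliberate, logged decision on a production switch rather than something copied from a slide.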
Container Orchestration
NX-OS and Kubernetes – What do we have so far?
Diagram: Nexus9000 (Control-Plane, myalpine container, Kube-Proxy, Container Runtime, Docker Service, Bash and Kernel over physical interfaces Eth1-1 ... Eth1-N and Mgmt0 10.102.242.131/28; packets sent to the CPU) connected via eth1 to an Ubuntu Server (K8s Master: etcd, Kube Scheduler, NIC 10.0.0.6/24) over the network
Containers in Cisco NX-OS
• Containers for NX-OS (Standalone)
• Open Agent Containers (OAC)
• Docker Container in NX-OS
• NX-OS: Container Orchestration with Kubernetes
• Use-cases
Use-cases
Management & Troubleshooting At Scale
• Agents can be used to monitor each and every switch's parameters, config, packet counters or log events. Reporting can be local via web server running in the container and/or some remote data collection server (Syslog, Splunk, Elastic Search, local Web Server).
• Agents can poll the switch frequently to support a more consistent, less error prone operational environment.
• Distributed agents co-located on switches scale higher than a centralized server, automating hundreds to thousands of switches.
• Ease of managing switches at scale. Original use-case for containers was for Puppet and Chef integration.
Sky is the limit!!
Use-case 1: Develop a custom CLI to track end-host mobility
NXOS Software Development Kit (SDK)
Introduction
• Simple, flexible and powerful tool for custom on-the-box applications (Python, C++)
Diagram: Custom Applications (Python, C++) alongside Native NX-OS Applications
Tracking End-Hosts Mobility
Building Custom Application
NXOS Software Development Kit (SDK)
End-to-End Process Flow
ENXOS SDK Environment
  BASH: Python SDK Environment not needed. Setting up the C++ SDK Environment is optional, but recommended.
  VSH: SDK environment is mandatory. Apps must be built as an RPM package, and installed as a package.
Running the application in Switch
  VSH: Start the application with "nxsdk service-name <app-name>". If App is installed at non-default location, then do "nxsdk service-name <full-path/app-name>"
  BASH: In the switch config, "run bash sudo su", and then "app-full-path &"
Tracking End-Hosts Mobility
1) Building a Python application – CLIs
import json
import nx_sdk_py  # NX-SDK Python bindings; provides the R_JSON output-format constant

def get_mac_from_arp(cli_parser, clicmd, target_ip):
    # Check ARP and get MAC-addr: run "show ip arp <ip>" through the SDK and
    # parse the JSON reply. Returns the MAC string, or None when the host is
    # absent or the reply cannot be parsed.
    exec_cmd = "show ip arp {}".format(target_ip)
    arp_cmd = cli_parser.execShowCmd(exec_cmd, nx_sdk_py.R_JSON)
    if not arp_cmd:
        return None
    try:
        arp_json = json.loads(arp_cmd)
    except ValueError:
        return None
    vrf = arp_json["TABLE_vrf"]["ROW_vrf"]
    count = int(vrf["cnt-total"])
    if not count:
        return None
    rows = vrf["TABLE_adj"]["ROW_adj"]
    if isinstance(rows, dict):   # a single adjacency comes back as a dict, several as a list
        rows = [rows]
    for intf in rows:
        if intf.get("ip-addr-out") == target_ip:
            return intf["mac"]
    return None
Tracking End-Hosts Mobility
2-3) Setting up Docker environment and Building RPM package
2) Install Docker, pull the NX-SDK Docker container and run it
[root@localhost ~]# yum -y install docker
[root@localhost ~]# docker pull dockercisco/nxsdk:v1
[root@localhost ~]# docker run -it dockercisco/nxsdk:v1 /bin/bash
root@b7d33ce8a7b8:/# cd /NX-SDK
root@b7d33ce8a7b8:/NX-SDK# git pull
Tracking End-Hosts Mobility
4-5) Installing RPM in Nexus, Activate and Verify Service
4) Move the RPM to Nexus, install and activate
N93180# copy ftp://<server>/ip_move.1.0-1.5.0.x86_64.rpm bootflash: vrf management
N93180# install add bootflash:ip_move.1.0-1.5.0.x86_64.rpm
N93180# install activate ip_move.1.0-1.5.0.x86_64
Tracking End-Hosts Mobility
6) Using the Service
0010.9400.0002 has been moving between the following interfaces, from most recent to least recent:
Fri Apr 20 12:05:17 2019 - Ethernet1/3 (Current interface)
Fri Apr 20 12:04:13 2019 - Ethernet1/5
Fri Apr 20 12:04:13 2019 - Ethernet1/4
Fri Apr 20 12:03:50 2019 - Ethernet1/5
Fri Apr 20 12:03:50 2019 - Ethernet1/4
Fri Apr 20 12:03:26 2019 - Ethernet1/5
Use-case 2: Running a containerized App – Anomaly Detector
Nexus 9000 – Anomaly Detector
Steps: Building and Running a Containerized-Application
1. Linux Python Integrated Development Environment (IDE) – Develop Python code with the core functions
2. GitHub – Build a Dockerfile to set environment variables, install requirements and execute the Python code.
3. DockerHub – Build a containerized application
4. Nexus9000 – In the Bash shell, under the management namespace, build a docker-compose file (e.g., docker-compose.yml) and execute the App.
Nexus 9000 – Anomaly Detector
Building and Running a Containerized-Application
[Figure: (1) Linux host with a Python Integrated Development Environment; (2) GitHub holding the Floodlight Dockerfile, Python and requirements; (3) DockerHub holding the Floodlight containerized app, fetched with docker pull; (4) Nexus9000: the container is started from Bash in the Management namespace with eth1 on the inband channel, mounting /startup-config, /var/log and /bootflash; packets sent to the CPU arrive over the inband port from the front-panel interfaces Eth1-1, Eth1-2 ... Eth1-N, alongside NX-OS and the Linux kernel on the supervisor.]
Floodlight Application (Dockerfile, Requirements & Python) – step 2
[Figure: application requirements, the Dockerfile, and execution of the Python code]
Reference: Floodlight - GitHub Repository
Floodlight Application (Containerized App) – step 3: DockerHub Repository
Floodlight Application – step 4: Nexus9000 Bash Shell and Docker
Enable the Bash shell, run it, and enter the Management namespace (make sure it has internet connectivity, if DockerHub is used):
N93180(config)# feature bash-shell
N93180(config)# end
N93180# run bash sudo su -
root@N93180#
root@N93180# ip netns exec management bash
root@N93180# cd floodlight/
root@N93180# ls -l
-rw-r--r-- 1 root root 316 Jan 16 14:24 docker-compose.yml
root@N93180# more docker-compose.yml
version: "3"
services:
  floodlight:
    image: chrisjhart/floodlight:latest
    container_name: floodlight
    volumes:
      - /var/sysmgr/startup-cfg/ascii/system.cfg:/startup-config
      - /var/log/:/var/log/
      - /bootflash:/bootflash
    environment:
      - DEBUG=1
      - EXPORT=/bootflash/example_pcap.pcap
    network_mode: "host"
root@N93180#
Notes: the "image" line pulls the latest image from DockerHub; the "volumes" section mounts the required volumes; network_mode "host" means the container runs in “host” mode.
Reference: Installing Docker Compose in NX-OS Bash Shell
Floodlight Application – step 4: That’s your App!!
The CLI executes docker-compose.yml:
root@N93180# docker-compose up
Starting floodlight ... done
Attaching to floodlight
floodlight | INFO [LOG] Debug logging level set!
floodlight | INFO [SETUP] NX-OS startup-config file detected
floodlight | INFO [FILTER] OSPF feature and configuration found!
floodlight | INFO [FILTER] HSRP configuration not found, skipping...
<snip>
floodlight | INFO ==== FILTERS ====
floodlight | {'ip': ['224.0.0.5', '224.0.0.6'],
floodlight |  'ip_protocol_type': ['89'],
<snip>
floodlight |  'protocols': ['OSPF', 'BGP', 'Spanning Tree Protocol', 'SSH', 'CDP', 'LLDP']}
floodlight | INFO [CAPTURE] Beginning packet capture, be back in 60 seconds...
floodlight | INFO [CAPTURE] Packet capture finished! 259 packets in capture
floodlight | INFO [UNEXPECTED] Number of unexpected packets: 138
floodlight | INFO ===== RESULTS =====
floodlight | INFO 14,879 bytes (123 packets) | TCP (TCP )
floodlight |      00:01:02:03:04:05 10.150.53.63:50449 -> 10.150.53.229:2345 00:de:fb:fa:64:c7
<snip>
floodlight | INFO [WRITE-PCAP] Successfully wrote unexpected packets to PCAP at /bootflash/example_pcap.pcap
floodlight exited with code 0
root@N93180#
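Added example, not Floodlight's own code: a simplified model of the FILTER and UNEXPECTED steps in the output above, deriving the expected control-plane traffic from the "feature" lines of the startup-config and flagging punted packets that no enabled feature accounts for. The feature-to-filter mapping, the config excerpt and the packet summaries are constructed assumptions of mine.

```python
import re

# Constructed excerpt of an NX-OS startup-config; not a real device's config.
SAMPLE_STARTUP_CONFIG = """\
feature ospf
feature bgp
feature lldp
router ospf 1
  router-id 10.0.0.1
router bgp 65001
  neighbor 10.150.53.229 remote-as 65002
"""

# Assumed mapping: feature -> traffic the CPU is expected to receive for it.
# OSPF uses the AllSPFRouters/AllDRouters groups and IP protocol 89 (as in the slide).
FEATURE_FILTERS = {
    "ospf": {"ip": {"224.0.0.5", "224.0.0.6"}, "ip_protocol_type": {89}},
    "bgp":  {"tcp_port": {179}},
    "hsrp": {"ip": {"224.0.0.2", "224.0.0.102"}, "udp_port": {1985}},
    "lldp": {"ethertype": {0x88CC}},
}
ALWAYS_EXPECTED = {"tcp_port": {22}}  # management SSH to the switch itself


def build_filters(startup_config):
    """Derive the expected-traffic filters from 'feature X' lines in the config."""
    enabled = set(re.findall(r"^feature\s+(\S+)", startup_config, re.MULTILINE))
    filters = {k: set(v) for k, v in ALWAYS_EXPECTED.items()}
    for feature in enabled & set(FEATURE_FILTERS):
        for key, values in FEATURE_FILTERS[feature].items():
            filters.setdefault(key, set()).update(values)
    return filters


def is_expected(pkt, filters):
    """A packet summary (dict) is expected if any filter dimension matches it."""
    if pkt.get("dst_ip") in filters.get("ip", ()):
        return True
    if pkt.get("ip_proto") in filters.get("ip_protocol_type", ()):
        return True
    if pkt.get("ethertype") in filters.get("ethertype", ()):
        return True
    ports = {pkt.get("src_port"), pkt.get("dst_port")}
    if pkt.get("ip_proto") == 6 and ports & filters.get("tcp_port", set()):
        return True
    if pkt.get("ip_proto") == 17 and ports & filters.get("udp_port", set()):
        return True
    return False


def unexpected_packets(packets, filters):
    """Return the packets punted to the CPU that no enabled feature accounts for."""
    return [p for p in packets if not is_expected(p, filters)]


# Constructed packet summaries standing in for a 60-second capture on eth1.
SAMPLE_CAPTURE = [
    {"dst_ip": "224.0.0.5", "ip_proto": 89},                                         # OSPF hello
    {"dst_ip": "10.150.53.229", "ip_proto": 6, "src_port": 40001, "dst_port": 179},  # BGP session
    {"dst_ip": "10.150.53.229", "ip_proto": 6, "src_port": 50449, "dst_port": 2345}, # unexpected TCP
    {"dst_ip": "224.0.0.2", "ip_proto": 17, "src_port": 1985, "dst_port": 1985},     # HSRP, not enabled
]
```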
Container Use-cases
Operations (Sky is the limit!!)
• Inventory Management
• Hardware Uptime Check
• Scalability Check
• Control-plane Health Check
• Configuration Consistency Check
• Traffic Profiling and Top-Talkers
Summary & Take-Aways
Summary
• Introduction: Motivation behind this session; Topics to discuss; Goals and potential learnings
• Virtualization and Containers: Refresh on virtualization and container concepts; How these are applicable to Cisco’s platforms
• Containers in Cisco IOS-XE: Detailed discussion on different container capabilities in IOS-XE platforms; Procedure to enable container and App hosting in IOS-XE; Discussion on various networking models
• Containers in Cisco NX-OS: Detailed discussion on different container capabilities like Open Agent Container (OAC); Deploying Docker in NX-OS and orchestrating it with Kubernetes; Use-cases: How to bring them to your day-to-day operations
Take-Aways …
Architecture and capabilities of Cisco IOS-XE and NX-OS are innovative to virtualize the infrastructure and host applications
Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.
Continue your education
• Demos in the Cisco campus
• Walk-in Labs
Appendix
Guest Shell and Bash Shell in NX-OS
Guest and Bash Shell
Hosting Environments
Open NX-OS provides two environments for hosting 3rd-party applications or Agents/Clients.
• Guest Shell:
  • Third-party applications built for CentOS 7 can be installed within the secure Guest Shell environment. For additional details please refer to the Guest Shell user guide.
  • An agent installed in this environment provides security against inadvertently damaging the switch OS without sacrificing capabilities.
Guest Shell Applications
Linux Shell Environment
• Maintain NX-OS system integrity
• Isolated User Space
• Fault Isolation
• Resource Isolation
[Figure: Linux applications running inside the Guest Shell]
Enabling Guest Shell
Guest shell is an OVA providing a CentOS 7 environment.
N9K-C93180YC# guestshell enable
2019 May 1 02:10:24 N9K-C93180YC %$ VDC-1 %$ %VMAN-2-INSTALL_STATE: Installing virtual service 'guestshell+'
2019 May 1 02:10:53 N9K-C93180YC %$ VDC-1 %$ %VMAN-2-INSTALL_STATE: Install success virtual service 'guestshell+'; Activating
2019 May 1 02:10:53 N9K-C93180YC %$ VDC-1 %$ %VMAN-2-ACTIVATION_STATE: Activating virtual service 'guestshell+'
2019 May 1 02:11:26 N9K-C93180YC %$ VDC-1 %$ %VMAN-2-ACTIVATION_STATE: Successfully activated virtual service 'guestshell+'
2019 May 1 02:11:26 N9K-C93180YC %$ VDC-1 %$ %VMAN-2-GUESTSHELL_ENABLED: The guest shell has been enabled. The command 'guestshell' may be used to access it, 'guestshell destroy' to remove it.

N9K-C93180YC# show guestshell detail
Virtual service guestshell+ detail
  State                 : Activated
  Package information
    Name                : guestshell.ova
    Path                : /isanboot/bin/guestshell.ova
    Application
      Name              : GuestShell
      Installed version : 2.4(0.0)
      Description       : Cisco Systems Guest Shell
  <snip>
  Resource reservation
    Disk                : 250 MB
    Memory              : 256 MB
    CPU                 : 1% system CPU
  Attached devices
    Type              Name        Alias
    ---------------------------------------------
    Disk              _rootfs
    Disk              /cisco/core
    Serial/shell
    Serial/aux
    Serial/Syslog                 serial2
    Serial/Trace                  serial3
Guest Shell
Resizing the Resources Allocated
• You may want to resize your Guest Shell filesystem to a larger footprint
• For example, to yum install a full Linux development environment (gcc…) you will need to resize the container to a minimum of 1GB:
  chvrf management yum groupinstall "Developer Tools"
• Generally, it’s easier to build an equivalent CentOS virtual machine off box to develop on, and transfer the compiled binaries over
• Also, maybe your script requires more memory or CPU?
Nexus-9k# guestshell resize rootfs 1500
Note: Please disable/enable or reboot the Guest shell for the root filesystem to be resized
Guest Shell
Access Shell and Run Scripts
N9K-C93180YC# guestshell
[admin@guestshell ~]$ pwd
/home/admin
[admin@guestshell ~]$ su - guestshell
Password:
[guestshell@guestshell ~]$ pwd
/home/guestshell
[guestshell@guestshell ~]$ ls
hello.py
[guestshell@guestshell ~]$ cat hello.py
#!/usr/bin/env python
import sys
print "Hello, World!"
list = ['One', 'Two', 'Three']
for item in list:
    print item
[guestshell@guestshell ~]$ python hello.py
Hello, World!
One
Two
Three
[guestshell@guestshell ~]$

Python 2.7.5 is packaged with guest shell:
[guestshell@guestshell ~]$ python
Python 2.7.5 (default, Jun 17 2014, 18:11:42)
[GCC 4.8.2 20140120 (Red Hat 4.8.2-16)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> print "a"
a
>>> [Control + D three times to exit]
[guestshell@guestshell ~]$ exit
N9K-C93180YC# run guestshell sudo python /home/guestshell/hello.py
Hello, World!
One
Two
Three
N9K-C93180YC#
Guest Shell
SSH and Console Access
• By default, the guest shell starts an OpenSSH server upon boot up, listening on port number 4022. No username/password is required.
• The guest shell can also be accessed with the “virtual-service connect name guestshell+ console” command. This is helpful if the SSH server is killed, or its configuration altered (available at /etc/ssh/sshd_config).
• To run the SSH server in a custom VRF and on a custom port: chvrf vrf_name /usr/sbin/sshd -p port_number
• Use the NX-OS CLI “show socket connections” to find a free port to use.
Guest Shell Management VRF
Network Access
[Figure: NX-OS supervisor engine with the inband channel (eth1 on the inband port, packets sent to the CPU) and Mgmt0 towards the Internet; the shell sits above the kernel with a Default VRF and a Mgmt VRF; front-panel interfaces Eth1-1, Eth1-2 ... Eth1-N of the Nexus9000 are in the Default VRF]
N9K-C93180YC# guestshell
[admin@guestshell ~]$ ping 8.8.8.8
connect: Network is unreachable
[admin@guestshell ~]$ ifconfig lo
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.255.0.0
<snip>
[admin@guestshell ~]$ ifconfig veobc
veobc: flags=67<UP,BROADCAST,RUNNING> mtu 1494
        inet 127.1.2.1 netmask 255.255.255.0 broadcast 127.1.2.255
<snip>
[admin@guestshell ~]$ ip netns list
management
default
[admin@guestshell ~]$ chvrf management
[admin@guestshell ~]$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=121 time=7.96 ms
<snip>
[admin@guestshell ~]$ ifconfig eth1
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.102.242.131 netmask 255.255.255.240 broadcast 10.102.242.143
        ether 00:3a:9c:5a:00:60 txqueuelen 1000 (Ethernet)
        RX packets 717307 bytes 57542116 (54.8 MiB)
        TX packets 101602 bytes 10472080 (9.9 MiB)
<snip>
Guest Shell
Networking
• Each front-panel port, VLAN interface and port-channel is represented in the Linux kernel as a net-device using the Cisco kstack implementation
• ARP and routing tables are synchronized between NX-OS and the native Linux kernel via the Netbroker module
• VRFs are represented in the Linux kernel as first-class kernel network namespaces
• This allows a container direct access to network elements, such as running tcpdump on a given front-panel port
Guest Shell
Routes and ARP Synchronization
N9K-C93180YC# show run int mgmt0
<snip>
interface mgmt0
  vrf member management
  ip address 10.102.242.131/28
N9K-C93180YC#
N9K-C93180YC# show ip route vrf management
IP Route Table for VRF "management"
<snip>
0.0.0.0/0, ubest/mbest: 1/0
    *via 10.102.242.129, [1/0], 1w4d, static
10.102.242.128/28, ubest/mbest: 1/0, attached
    *via 10.102.242.131, mgmt0, [0/0], 1w4d, direct
10.102.242.131/32, ubest/mbest: 1/0, attached
    *via 10.102.242.131, mgmt0, [0/0], 1w4d, local
N9K-C93180YC# show ip arp vrf management
Address         Age       MAC Address     Interface  Flags
10.102.242.129  00:02:34  001e.f7be.70c2  mgmt0
Guest Shell
Front-Panel Ports
Guest Shell
Front-Panel Ports – Capturing Traffic and Detailed Counters
Bash Shell
Interface State Control via Linux Kernel
• kstack also synchronizes interface up/down state between Linux and NX-OS
• Provides an option for management of the switch in a more Linux/compute friendly
manner via shell directly or scripting. Must be in bash-shell not Guest Shell.
Nexus-9k# run bash
bash-4.2$ ifconfig Eth1-12
Eth1-12 Link encap:Ethernet HWaddr 58:f3:9c:a3:64:dd
inet addr:1.1.1.1 Bcast:1.1.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:539 errors:0 dropped:0 overruns:0 frame:0
TX packets:10641 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100
RX bytes:24794 (24.2 KiB) TX bytes:2476821 (2.3 MiB)
bash-4.2$ sudo ifconfig Eth1-12 down
Guest Shell
Run Host CLI and EEM Integration
[admin@guestshell ~]$ dohost "show version | inc Chassis"
cisco Nexus9000 C93180YC-FX Chassis
Use-Case with Guest Shell
In-Situ Packet Generator in Guest Shell
Use spare ports as packet generators
• Guest Shell allows raw socket access to front-panel ports. Thanks to kstack!
• An open-source packet generator called PackEthCli for CentOS 7 x64 is available at: http://packeth.sourceforge.net/packeth/Home.html
• The PCAP file must be in tcpdump format for this specific tool to work correctly (PackETH limitation)
• Send arbitrary L2/L3 traffic out any port or port-channel on N3K/N9K
• Simulate traffic flows for monitoring & troubleshooting
[root@guestshell cli]# ./packETHcli -i Eth1-12 -m 2 -d 10 -n 10000 -f /bootflash/mycap.pcap
Sent 1829 packets on Eth1-12; 124 packet length; 1829 packets/s; 1814 kbit/s data rate; 2165 kbit/s link utilization
Sent 10000 packets on Eth1-12
In-Situ Packet Generator using Guest Shell
Compiling the packETH binary
• Ensure the container is sized big enough for the Development Tools and yum installed.
• Or, build the binary on a VM/Host running CentOS 7 64-bit and copy the binary over
[guestshell@guestshell tools]$ sudo tar -xvf packETH-1.8.tar
[guestshell@guestshell tools]$ cd packETH-1.8/cli/
[guestshell@guestshell cli]$ sudo make all
gcc -g -O2 -Wall -Wunused -Wmissing-prototypes -Wmissing-declarations -c cli_send.c
cli_send.c: In function 'two':
cli_send.c:440:42: warning: the omitted middle operand in ?: will always be 'true', suggest explicit middle operand [-Wparentheses]
     for(li = 0; pkt2send == 0 ? : li < pkt2send; li++) {
                                          ^
cli_send.c:476:41: warning: the omitted middle operand in ?: will always be 'true', suggest explicit middle operand [-Wparentheses]
     for(li = 0; pkt2send == 0 ? : li < pkt2send; li++) {
                                         ^
gcc -g -O2 -Wall -Wunused -Wmissing-prototypes -Wmissing-declarations cli_send.o -lm -lpthread -o packETHcli
In-Situ Packet Generator using Guest Shell
Here is the Proof ….
Thank you