pyATS/Genie:踏み台を経由したネットワーク機器への接続

(この記事はネットワーク自動化 Advent Calendar 2019 2日目として書いています)

ネットワーク自動化に関するものなら何でもOKです!

pyATS/Genie では SSH だけでなく、telnet/serial console 経由での接続ができますが、ネットワーク運用下ではよくある踏み台を経由したのネットワークへの接続も簡単に可能です。

今回は pyATS/Genie を使って踏み台サーバまたはデバイスを経由してネットワーク機器へ接続する方法を紹介します。ちょっとだけ testbed.yaml へ変更を加えるだけですので、非常に簡単です。

ネットワーク構成

VIRL Server IP: 172.25.192.134
VIRL Flat Network : 172.16.1.0/24

VIRL Server ---(flat)---(Gi1) csr1000v-1 --- nx-osv-1
            .250          .52
              172.16.1.0/24

今回は上記の簡単なネットワーク構成を使います。csr1000v-1(CSR1Kv) と nx-osv-1(NXOSv) が peer-to-peer で接続されており、csr1000v-1 は Gi1 が flat 接続で VIRL Server と接続されています。

これにより、pyATS/Genie マシン -> VIRL Server -> csr1000v-1 という接続を行います。VIRL Server が踏み台です。

踏み台無しの testbed.yaml

まずは踏み台サーバ無しのコンソール情報のみを書いた testbed.yaml です。

testbed:
  name: example_testbed_flat-ZoV69i

devices:
  csr1000v-1:
    os: iosxe
    platform: iosxe
    type: CSR1000v
    alias: csr1000v-1
    connections:
      console:
        ip: 172.25.192.134
        port: 17034
        protocol: telnet
    credentials:
      default:
        password: cisco
        username: cisco
      enable:
        password: cisco
    custom:
      abstraction:
        order:
        - os
        - platform

  nx-osv-1:
    os: nxos
    platform: nxosv
    type: NX-OSv
    alias: nx-osv-1
    connections:
      cli:
        ip: 172.25.192.134
        port: 17036
        protocol: telnet
    credentials:
      default:
        password: admin
        username: admin
      enable:
        password: admin
    custom:
      abstraction:
        order:
        - os
        - platform

もちろん問題なく接続できますが、これは VIRL Server にポート番号を付けて接続しており、いわゆるコンソール接続です。

>>> dev = testbed.devices['csr1000v-1']
>>> dev.connect(via='console')
[2019-12-01 19:32:06,737] +++ csr1000v-1 logfile /tmp/csr1000v-1-cli-20191201T193206736.log +++
[2019-12-01 19:32:06,738] +++ Unicon plugin iosxe +++
Trying 172.25.192.134...

[2019-12-01 19:32:06,790] +++ connection to spawn: telnet 172.25.192.134 17034, id: 4563153472 +++
[2019-12-01 19:32:06,791] connection to csr1000v-1
Won't send login name and/or authentication information.
Connected to asg-ucs4-virl.cisco.com.
Escape character is '^]'.


csr1000v-1#
csr1000v-1#
[2019-12-01 19:32:08,660] +++ initializing handle +++
[2019-12-01 19:32:08,661] +++ csr1000v-1: executing command 'term length 0' +++

csr1000v-1#
[2019-12-01 19:32:09,037] +++ csr1000v-1: executing command 'term width 0' +++
term length 0
csr1000v-1#
[2019-12-01 19:32:09,540] +++ csr1000v-1: executing command 'show version' +++
term width 0
csr1000v-1#
[2019-12-01 19:32:10,048] +++ csr1000v-1: config +++
show version
Cisco IOS XE Software, Version 16.09.01
Cisco IOS Software [Fuji], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.9.1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Tue 17-Jul-18 16:57 by mcpre

(snip)

cisco CSR1000V (VXE) processor (revision VXE) with 1217428K/3075K bytes of memory.
Processor board ID 9NU0SHAQ63E
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3018864K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102

csr1000v-1#config term
Enter configuration commands, one per line.  End with CNTL/Z.
csr1000v-1(config)#no logging console
csr1000v-1(config)#line console 0
csr1000v-1(config-line)#exec-timeout 0
csr1000v-1(config-line)#end
csr1000v-1#
"Escape character is '^]'.\r\n\r\n\r\ncsr1000v-1#\r\ncsr1000v-1#"

踏み台サーバ有りの testbed.yaml

踏み台サーバの追加

それでは踏み台サーバ有りの testbed.yaml を作成します。まずは踏み台サーバ自体(デバイス名 : jump_host) を testbed.yaml へ追加します。

devices:
(snip)
  jump_host:
    os: linux
    type: linux
    connections:
      ssh:
        ip: 172.25.192.134
        port: 22
        protocol: ssh
    credentials:
      default:
        password: VIRL
        username: virl

踏み台サーバ(jump_host)にも接続できることを確認します。

>>> dev = testbed.devices['jump_host']
>>> dev.connect(via='ssh')
[2019-12-01 19:42:51,144] +++ jump_host logfile /tmp/jump_host-cli-20191201T194251143.log +++
[2019-12-01 19:42:51,145] +++ Unicon plugin linux +++
[2019-12-01 19:42:51,149] +++ connection to spawn: ssh -l virl 172.25.192.134 -p 22, id: 4609495224 +++
[2019-12-01 19:42:51,151] connection to jump_host


virl@172.25.192.134's password:
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic x86_64)

  System information as of Mon Dec  2 00:42:56 GMT 2019

  System load:     10.61               IP address for eth0:    172.25.192.134
  Usage of /:      30.9% of 191.02GB   IP address for br4:     172.16.10.250
  Memory usage:    34%                 IP address for br1:     172.16.1.250
  Swap usage:      1%                  IP address for br2:     172.16.2.250
  Processes:       827                 IP address for br3:     172.16.3.250
  Users logged in: 0                   IP address for docker0: 172.17.0.1

  Graph this data and manage this system at:
    https://landscape.canonical.com/
New release '18.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Mon Dec  2 00:15:45 2019 from 10.65.50.254
virl@asg-ucs4-virl:~$
[2019-12-01 19:42:58,244] +++ initializing handle +++
[2019-12-01 19:42:58,245] +++ jump_host: executing command 'stty cols 200' +++
stty cols 200
virl@asg-ucs4-virl:~$
[2019-12-01 19:42:58,832] +++ jump_host: executing command 'stty rows 200' +++
stty rows 200
virl@asg-ucs4-virl:~$

ネットワーク機器へ踏み台経由でのコネクション情報を追加

踏み台サーバ(jump_host)への接続が確認できれば、次はネットワーク機器へ踏み台サーバを使うコネクション情報を追加します。

実際にはスタンダードなものに proxy に踏み台サーバ(jump_host)を指定するだけ です。

devices:
  csr1000v-1:
    (snip)
    connections:
      ssh:
        ip: 172.16.1.52
        protocol: ssh
        proxy: jump_host
    (snip)

接続する時に踏み台サーバを意識する必要はなく、コネクション ‘ssh’ を指定するだけです。下記のログを見てもらうと、まずは VIRL Server へ SSH 接続し、その後 csr1000v-1 へ接続していることが確認できます。

>>> dev = testbed.devices['csr1000v-1']
>>> dev.connect(via='ssh')
[2019-12-01 19:52:16,621] +++ csr1000v-1 logfile /tmp/csr1000v-1-cli-20191201T195216608.log +++
[2019-12-01 19:52:16,621] +++ Unicon plugin iosxe +++
[2019-12-01 19:52:16,623] connection via proxy jump_host
[2019-12-01 19:52:16,628] +++ connection to spawn: ssh -l virl 172.25.192.134 -p 22, id: 4410651760 +++
[2019-12-01 19:52:16,629] connection to jump_host


virl@172.25.192.134's password:
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic x86_64)

  System information as of Mon Dec  2 00:52:21 GMT 2019

  System load:     9.94                IP address for eth0:    172.25.192.134
  Usage of /:      30.9% of 191.02GB   IP address for br4:     172.16.10.250
  Memory usage:    34%                 IP address for br1:     172.16.1.250
  Swap usage:      1%                  IP address for br2:     172.16.2.250
  Processes:       831                 IP address for br3:     172.16.3.250
  Users logged in: 0                   IP address for docker0: 172.17.0.1

  Graph this data and manage this system at:
    https://landscape.canonical.com/
New release '18.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Mon Dec  2 00:42:57 2019 from 10.65.50.254
virl@asg-ucs4-virl:~$
[2019-12-01 19:52:23,731] +++ initializing handle +++
[2019-12-01 19:52:23,846] connection to csr1000v-1
ssh -l cisco 172.16.1.52
Password:



csr1000v-1>
[2019-12-01 19:52:25,411] +++ initializing handle +++
enable
Password:
csr1000v-1#
[2019-12-01 19:52:26,473] +++ csr1000v-1: executing command 'term length 0' +++
term length 0
csr1000v-1#
[2019-12-01 19:52:27,134] +++ csr1000v-1: executing command 'term width 0' +++
term width 0
csr1000v-1#
[2019-12-01 19:52:27,793] +++ csr1000v-1: executing command 'show version' +++
show version
Cisco IOS XE Software, Version 16.09.01
Cisco IOS Software [Fuji], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.9.1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Tue 17-Jul-18 16:57 by mcpre

(snip)

cisco CSR1000V (VXE) processor (revision VXE) with 1217428K/3075K bytes of memory.
Processor board ID 9NU0SHAQ63E
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3018864K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102

csr1000v-1#
[2019-12-01 19:52:28,445] +++ csr1000v-1: config +++
config term
Enter configuration commands, one per line.  End with CNTL/Z.
csr1000v-1(config)#no logging console
csr1000v-1(config)#line console 0
csr1000v-1(config-line)#exec-timeout 0
csr1000v-1(config-line)#end
csr1000v-1#
'ssh -l cisco 172.16.1.52\r\nPassword: \r\n\r\n\r\n\r\ncsr1000v-1>'
>>>

これで踏み台サーバ経由でネットワーク機器へ接続することができました。

ネットワーク機器経由でネットワーク機器へ接続

踏み台サーバが Linux サーバ等ではなく、ネットワーク機器という場合もあるかと思います。そういう場合でも pyATS/Genie では同じ要領で対応が可能です。

今回は csr1000v-1 -> nx-osv-1 という形で接続することにします。

まずは csr1000v-1 へコネクションのデフォルトとして ssh を使う旨の記載を追加します。これはネットワーク機器では console/telnet/ssh と複数のコネクションがある場合にどのコネクションをデフォルトで使うかという設定となります。

devices:
  csr1000v-1:
    (snip)
    connections:
      defaults:
        via: console
      (snip)

次に先ほどと同じように nx-osv-1 へ proxy に csr1000v-1 を指定した ssh 接続を追加します。

devices:
  nx-osv-1:
    connections:
      (snip)
      ssh:
        ip: 172.16.1.53
        protocol: ssh
        proxy: csr1000v-1
      (snip)

同じように接続をしてみます。ログを見ると分かる通り、csr1000v-1 -> nx-osv-1 と接続していることが確認できます。

>>> dev = testbed.devices['nx-osv-1']
>>> dev.connect(via='ssh')
[2019-12-01 20:15:24,664] +++ nx-osv-1 logfile /tmp/nx-osv-1-cli-20191201T201524663.log +++
[2019-12-01 20:15:24,665] +++ Unicon plugin nxos +++
[2019-12-01 20:15:24,667] connection via proxy csr1000v-1
Trying 172.25.192.134...

[2019-12-01 20:15:24,718] +++ connection to spawn: telnet 172.25.192.134 17034, id: 4477862016 +++
[2019-12-01 20:15:24,719] connection to csr1000v-1
Won't send login name and/or authentication information.
Connected to asg-ucs4-virl.cisco.com.
Escape character is '^]'.


csr1000v-1#
csr1000v-1#
[2019-12-01 20:15:26,578] +++ initializing handle +++
[2019-12-01 20:15:26,698] connection to nx-osv-1

csr1000v-1#ssh -l admin 172.16.1.53
User Access Verification

Password:

Cisco NX-OS Software
Copyright (c) 2002-2016, Cisco Systems, Inc. All rights reserved.
NX-OSv software ("NX-OSv Software") and related documentation,
files or other reference materials ("Documentation") are
the proprietary property and confidential information of Cisco
Systems, Inc. ("Cisco") and are protected, without limitation,
pursuant to United States and International copyright and trademark
laws in the applicable jurisdiction which provide civil and criminal
penalties for copying or distribution without Cisco's authorization.
(snip)
***************************************************************************
*  NX-OSv is strictly limited to use for evaluation, demonstration and    *
*  NX-OS education. NX-OSv is provided as-is and is not supported by      *
*  Cisco's Technical Advisory Center. Any use or disclosure, in whole or  *
*  in part of the NX-OSv Software or Documentation to any third party for *
*  any purposes is expressly prohibited except as otherwise authorized by *
*  Cisco in writing.                                                      *
***************************************************************************
nx-osv-1#
[2019-12-01 20:15:36,980] +++ initializing handle +++
[2019-12-01 20:15:36,982] +++ nx-osv-1: executing command 'term length 0' +++
term length 0
nx-osv-1#
[2019-12-01 20:15:38,567] +++ nx-osv-1: executing command 'term width 511' +++
term width 511
nx-osv-1#
[2019-12-01 20:15:40,507] +++ nx-osv-1: executing command 'terminal session-timeout 0' +++
terminal session-timeout 0
nx-osv-1#
[2019-12-01 20:15:42,487] +++ nx-osv-1: config +++
config term
Enter configuration commands, one per line.  End with CNTL/Z.
nx-osv-1(config)# no logging console
nx-osv-1(config)# line console
nx-osv-1(config-console)# exec-timeout 0
nx-osv-1(config-console)# terminal width 511
nx-osv-1(config-console)# end
nx-osv-1#
'\r\ncsr1000v-1#ssh -l admin 172.16.1.53\r\nUser Access Verification\r\n\r\nPassword: \r\n\r\nCisco NX-OS Software\r\nCopyright (c) 2002-2016, Cisco Systems, Inc. All rights reserved.\r\nNX-OSv software ("NX-OSv Software") and related documentation,\r\nfiles or other reference materials ("Documentation") are\r\nthe proprietary property and confidential information of Cisco\r\nSystems, Inc. ("Cisco") and are protected, without limitation,\r\npursuant to United States and International copyright and trademark\r\nlaws in the applicable jurisdiction which provide civil and criminal\r\npenalties for copying or distribution without Cisco\'s authorization.\r\n\r\nAny use or disclosure, in whole or in part, of the NX-OSv Software\r\nor Documentation to any third party for any purposes is expressly\r\nprohibited except as otherwise authorized by Cisco in writing.\r\nThe copyrights to certain works contained herein are owned by other\r\nthird parties and are used and distributed under license. Some parts\r\nof this software may be covered under the GNU Public License or the\r\nGNU Lesser General Public License. A copy of each such license is\r\navailable at\r\nhttp://www.gnu.org/licenses/gpl.html and\r\nhttp://www.gnu.org/licenses/lgpl.html\r\n***************************************************************************\r\n*  NX-OSv is strictly limited to use for evaluation, demonstration and    *\r\n*  NX-OS education. NX-OSv is provided as-is and is not supported by      *\r\n*  Cisco\'s Technical Advisory Center. Any use or disclosure, in whole or  *\r\n*  in part of the NX-OSv Software or Documentation to any third party for *\r\n*  any purposes is expressly prohibited except as otherwise authorized by *\r\n*  Cisco in writing.                                                      *\r\n***************************************************************************\r\n\rnx-osv-1# '
>>>

まとめ

  • 踏み台サーバをネットワーク機器と同じように device として testbed.yaml へ記載できる
  • 踏み台を使いたい場合は connection 情報に proxy で踏み台としたいデバイスを追加するのみ
  • 踏み台デバイスが複数のコネクションを持っている場合はデフォルトで使うコネクションを via で testbed.yaml に指定しておく

ネットワーク運用ではよくある踏み台サーバ経由でのネットワーク接続も pyATS/Genie を使うと簡単に実現が可能です。

最後に最終的な testbed.yaml を載せておきます。

testbed:
  name: example_testbed_flat-ZoV69i

devices:
  csr1000v-1:
    os: iosxe
    platform: iosxe
    type: CSR1000v
    alias: csr1000v-1
    connections:
      defaults:
        via: ssh
      console:
        ip: 172.25.192.134
        port: 17034
        protocol: telnet
      ssh:
        ip: 172.16.1.52
        protocol: ssh
        proxy: jump_host
    credentials:
      default:
        password: cisco
        username: cisco
      enable:
        password: cisco
    custom:
      abstraction:
        order:
        - os
        - platform

  nx-osv-1:
    os: nxos
    platform: nxosv
    type: NX-OSv
    alias: nx-osv-1
    connections:
      cli:
        ip: 172.25.192.134
        port: 17036
        protocol: telnet
      ssh:
        ip: 172.16.1.53
        protocol: ssh
        proxy: csr1000v-1
    credentials:
      default:
        password: admin
        username: admin
      enable:
        password: admin
    custom:
      abstraction:
        order:
        - os
        - platform

  jump_host:
    os: linux
    type: linux
    connections:
      ssh:
        ip: 172.25.192.134
        port: 22
        protocol: ssh
    credentials:
      default:
        password: VIRL
        username: virl
スポンサーリンク