NSO Modules for Ansible - Manage All Your Networks

camoberg · ‎10-24-2017

A couple of weeks I presented work we have done on NSO and Ansible integration to a great audience at Ansiblefest 2017 in San Francisco. The videos are available here. The presentation consisted of an introduction to NSO, and introduced three new Ansible modules for interacting with NSO. This was our first time presenting the solution to this audience and based on the healthy-sized number of people that wanted to chat after the presentation (which is a great way of measuring the impact of your content) it seems like it went well.

To me, this validates our understanding that giving software tools like Ansible access to managing multi-vendor hybrid networks is the way to go about opening up for radical change in the industry. If nothing else, I believe by giving Ansible-users access to the network through a database-like API, and thereby making it significantly more manageable entity, we will see lots of interesting outcomes over time.

We had a couple of ideas that we wanted to include in the design of the modules, including:

Normalize the access to the configuration across vendors - use YAML in playbooks for all data encoding
Reduce the amount of configuration changes in the network to the bare minimum - only change what you intend to do and avoid side-effects
Provide a full create-read-update-delete interface to avoid exploding the number of vendor-specific modules - modules should express operations on data, not protocol details

So, we built three modules to allow ansible to access data in NSO, one for each type of operation you are likely to perform on configuration and operational data:

nso_configure - allows for updating (creating, changing, deleting) configuration data
nso_verify - allows for verifying configuration and/or operational data is the same as expected
nso_action - allows for triggering actions, i.e. operations with side-effects like 'reboot' or 'ping'

The key here is that these three modules act on a common set of data, namely the data that resides in NSO according to the YANG modules loaded into the system. Think of NSO as exposing a large tree-representation of all your configuration and operational data, across all your network devices and services under management. The modules then allow you to operate on that data with NSO taking care of the details of robustly getting and setting configuration and operational data on devices and in services in a distributed and transaction-safe manner.

By doing this we have removed:

vendor-specific modules and proprietary encoding
opaque configuration blobs that unnecessarily upsets your network
separate modules for all activities you are allowed to do on the device

And as an added bonus, we have also made sure that there is consistent roundtripping of data between NSO and playbooks. This means that you can reliably fetch configuration and operational data from NSO using the NSO RESTCONF interface or CLI, translate the resulting JSON to YAML that can be included (or simply pasted into) NSO module tasks. This literally removes (or radically reduces) the need for manual work when creating module content.

The example I used during the presentation used curl(1) to fetch the running configuration of a device called jnpr0 and convert from the NSO RESTCONF interface JSON output and convert the response into YAML using the following command:

$ curl -H "Accept: application/yang-data+json" http://localhost:8080/restconf/data/devices/device/jnpr0/config | ../json2yaml.py

The YAML output can then be used in e.g. the nso_verify module to verify that the configuration stays the same. As an obvious next step for the more ansible-savvy; you can now apply a handler to the verify-task and on change, call an nso_config task with the content to revert back to the intended configuration.

We are currently in process of upstreaming the modules into ansible core, you can track the progress of the pull request here.The demo files that I used during the presentation and referenced above is available from our developer hub github here.

Feel free to reach out directly to me with any feedback or questions.

camoberg · ‎11-09-2017

I'm happy to say that our first pull request has been accepted into ansible:devel in preparation for inclusion into ansible 2.5. The commit content is available here. Next up is to open pull requests for the other two modules (nso_verify and nso_action). Stay tuned!

ysolan · ‎11-17-2017

Hello Carl,

I tried nso_config module for a service that use the yang statement "choice".

YANG:

choice access-or-trunk {

leaf vlan-access {type uint16;}

list vlan-trunk {

key vlan-trunk;

leaf vlan-trunk {type uint16; }

}}

With the module I was able to setup the list "vlan-trunk".

But the module return an error when i want to setup the leaf "vlan-access".

=> AttributeError: 'NoneType' object has no attribute 'get'

My playbook:

data:

tailf-ncs:services:

test-ansible:test-ansible:

- name: test01

vlan-access: 2

Did I forget something? can you check if you have the same behavior?

Thanks,

Yannick

ysolan · ‎11-17-2017

Hello Carl,

Another question about module nso_config :

In the playbook, what is the syntax for removing all values in a leaf-list or leaf ?

Thanks

Yannick

cnasten · ‎11-29-2017

Hi Yannik,

The issue you're experience with choice is a bug that I've tracked down and fixed, will get it included in the main tree of Ansible ASAP.

To delete leaf-list/leaf just set the value to null.

Regards,

Claes

camoberg · ‎12-20-2017

Final (and brief) update. The first three modules are now all in ansible:devel and ready for Ansible 2.5. We may be able to sneak in two more modules (show and query) as well. cnasten is working on it.

NSO Modules for Ansible - Manage All Your Networks

Get NSO for Free!

Collective Intelligence resolved my SSH problems with NSO on the latest macOS Mojave!

Secrets of the NSO Transaction Phases