
I am not seeing aaa in my ncs_cli after deploying a nso 6.1 container

sahooanup
Level 1

Hi,

I have deployed a container using this command from root user - "docker run -itd --name cisco-nso_root -v /data/nso:/nso -v /data/nso-logs:/log -v ./ncs.conf:/etc/ncs/ncs.conf -e ADMIN_USERNAME=admin -e ADMIN_PASSWORD=admin -e CRON_ENABLE=true -e LOGROTATE_ENABLE=true cisco-nso-dev:6.1".

My container is up and running, but I cannot see aaa in my ncs_cli, so I cannot configure anything in my ncs cli.

Please suggest what could be the issue. Thanks

 

7 Replies

Jesus Illescas
Cisco Employee

It sounds like a permissions issue. Which groups does the user you used on the container have? What's the output of 'groups'?

You can also enter the ncs_cli specifying the group the user belongs to: ncs_cli -C -u developer -g ncsadmin

Take a look at the playground https://developer.cisco.com/codeexchange/devenv/CiscoDevNet/NSO-Playground-System-Install, which is also a container running 6.1.2.1. It can help you to compare the config that is applied there vs what you have.

 

Jesus Illescas
Cisco Employee

To add to my previous answer, make sure your user is part of the group 'ncsadmin'.

sahooanup
Level 1

@Jesus Illescas I can see only these two groups:
builduser@lab-docker-temp1:~$ groups
builduser docker
builduser@lab-docker-temp1:~$

I cannot see ncsadmin.

@sahooanup,
EDIT: I notice that you are mounting the /nso run-time directory. What is in your /nso/run/cdb/aaa_init.xml (or equivalent) config?
If you want to be able to use the admin user over SSH, in your ncs.conf, make sure that /ncs-conf/aaa/local-authentication is enabled. Example:

 

<aaa>
  <local-authentication>
    <enabled>true</enabled>
  </local-authentication>
  ...
</aaa>

 

See the Administration Guide for more details.

@cohult Here are my details:
root@766e0ca4be96:/nso/run/cdb# ls
A.cdb C.cdb O.cdb S.cdb aaa_init.xml add_admin_user.xml compact.lock
root@766e0ca4be96:/nso/run/cdb#

I am attaching the aaa_init.xml for your reference.


Also, here are my aaa configs in ncs.conf:
<aaa>
  <ssh-server-key-dir>${NCS_CONFIG_DIR}/ssh</ssh-server-key-dir>
  <!-- Depending on OS - and also depending on user requirements -->
  <!-- the pam service value value must be tuned. -->
  <pam>
    <enabled>false</enabled>
    <service>common-auth</service>
  </pam>
  <external-authentication>
    <enabled>false</enabled>
    <executable>my-test-auth.sh</executable>
  </external-authentication>
  <local-authentication>
    <enabled>true</enabled>
  </local-authentication>
  <expiration-warning>prompt</expiration-warning>
</aaa>

Also, I want to add that if I do not mount /nso, then I can see aaa in ncs cli and I can configure everything normally in my ncs cli. Inside nso we have coredumps, etc and run, and inside run we have INSTALLATION-LOG, backups, cdb, packages, rollbacks, scripts, state, storedstate, streams and target. If I mount everything other than cdb, then aaa shows up in my ncs cli. That means cdb is causing the issue.

@sahooanup, it could be that when you mount the /nso dir:

  1. You run the container without the -e ADMIN_USERNAME=admin flag.
  2. The /nso/run/cdb/C.cdb (and A.cdb O.cdb S.cdb) persisted CDB config file is created without the admin user configured.
  3. Next time you run the container, you use the -e ADMIN_USERNAME=admin flag, which will add the /nso/run/cdb/add_admin_user.xml file, but since the *.cdb files exist in the /nso/run/cdb directory, no XML files are loaded into CDB when NSO starts, and the admin user is not configured.

Either:

  • Load the add_admin_user.xml using, for example, the ncs_load command:
    docker exec -it cisco-nso_root ncs_load -dd -m -l /nso/run/cdb/add_admin_user.xml
  • Use the noaaa option:
    docker exec -it cisco-nso_root ncs_cli -u superduperuser --noaaa -C
  • Delete all (warning) the existing configuration nso/run/cdb/*.cdb files before running the container to make NSO initialize from the XML files in the nso/run/cdb directory.
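
The start-up behaviour described in this reply (init XML files are skipped once *.cdb files exist) can be checked on the host before the container is started. The script below is an added example, not part of the thread and not Cisco's tooling: it inspects the directory that will be bind-mounted as /nso and prints, without running it, the ncs_load command quoted above for each XML file that would be ignored. The function names, the `<dir>/run/cdb` host layout and the use of that ncs_load command for XML files other than add_admin_user.xml are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight check for a host directory
# that will be bind-mounted as /nso (assumed layout: <dir>/run/cdb).

# Print "persisted" if any *.cdb file exists (NSO will skip the init XML
# files), otherwise "fresh" (NSO will initialise CDB from the XML files).
cdb_state() {
    for f in "$1"/run/cdb/*.cdb; do
        [ -e "$f" ] && { echo persisted; return 0; }
    done
    echo fresh
}

# List the init XML files that sit next to the CDB files, one per line.
init_xml_files() {
    for f in "$1"/run/cdb/*.xml; do
        [ -e "$f" ] && basename "$f"
    done
    return 0
}

# Report what will happen at start-up. For a persisted CDB, print (do not
# run) the ncs_load command from the thread for each XML file that will be
# ignored, and return 1. $2 is the container name; the default is the name
# used in the question.
preflight() {
    dir=$1 name=${2:-cisco-nso_root}
    state=$(cdb_state "$dir")
    echo "cdb state: $state"
    [ "$state" = fresh ] && return 0
    init_xml_files "$dir" | while read -r x; do
        echo "ignored at start: $x"
        echo "  docker exec -it $name ncs_load -dd -m -l /nso/run/cdb/$x"
    done
    return 1
}

# Run the check when a directory is given, e.g.: sh preflight.sh /data/nso
if [ -n "${1:-}" ]; then preflight "$@"; fi
```
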


@cohult So when I mount the /nso as volume while creating the container, I cannot see AAA in my ncs_cli. Also, I cannot see any nacm configs.

admin@ncs# show running-config nacm
-------------------------------^
syntax error: element does not exist
admin@ncs# exit

So I configured the nacm manually like this:

root@ff87fc285371:/# ncs_cli -Cu admin --noaaa
admin@ncs(config)# nacm rule-list admin
admin@ncs(config-rule-list-admin)# group [ ncsadmin ]
admin@ncs(config-rule-list-admin)# rule any-access
Value for 'action' [deny,permit]: permit
admin@ncs(config-rule-any-access)# exit
admin@ncs(config-rule-list-admin)# cmdrule any-command
Value for 'action' [deny,permit]: permit
admin@ncs(config-cmdrule-any-command)# commit

After configuring the above I am able to see nacm details and also the AAA.

But I don't want to do this manually. I want to get the aaa or nacm details by default even if I mount the /nso as volume while creating the container.
Please suggest how to do that.
Thanks.