Automating ACI with Ansible

Thomas Renzy – Technical Leader CX


@Thomas_Renzy
DGTL-BRKACI-1619

Agenda
• Quick Overview of Ansible
• Automating ACI with Playbooks
• Signature Based Authentication
• Collections – What’s changing?

#CiscoLive DGTL-BRKACI-1619 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
What is automation?
• Exists to make repeatable things easier
• Uses tools to create process and instructions
• Replaces manual work
• Benefits – speed, efficiency, $$$

Why automation with ACI?
• GUI Point-and-click for configuration – one at a time
  • Repetitive Tasks
  • Does not scale when deploying large configurations
• ACI APIC provides robust API
  • Automation tools can leverage

Deploy Three Tier Application – APIC GUI (screenshot slide)

Overview of Ansible
Inventory, Playbooks, and Modules

What is Ansible?
• Open Source
• Automation, Configuration
• Version 2.10
  • 2.9 & 2.8 also available
  • ACI support - 2.4
• Supported on UNIX/Linux
  • Windows Subsystem for Linux
• Can manage different systems
  • ACI, IOS, NX-OS, IOS-XR

What is Ansible?
• Agentless
• Push Model
• Idempotent
• YAML based
  • Easily Readable
• APIC REST API interface
  • Same as GUI
• Requires no programming skills
  • Python is helpful – not required

What makes up Ansible?
[Diagram: the Control Machine holds the Inventory, Playbook and Modules and talks to the Target System over https to the REST API]

Example ACI Ansible Inventory

YAML inventory file:
  apic1:
    hosts:
      10.9.3.21:
    vars:
      username: admin
      password: CiscoAC1

INI inventory file:
  [apic1]
  10.9.3.21 username=admin password=CiscoAC1
  10.9.3.22 username=ansible privatekey=ansible.key

Ansible Playbooks Breakdown
• Contains a list of plays
  • Series of tasks to be performed on target systems
  • Tasks are executed in order
• Built on YAML
  • Proper Indentation is required
  • “---” exists at the start of every playbook
• Apply specific roles to targets

Ansible Playbook breakdown
---                                      # Start of YAML
# Demo ACI Playbook                      # Comment
- name: Configuring Example Tenant       # Name of Playbook
  hosts: apic1                           # Hosts from inventory
  connection: local                      # Connection is local to this host
  gather_facts: no                       # Collects information about targets

  tasks:                                 # Watch the Indentation!
    - name: Create Tenant
      aci_tenant:
        hostname: "{{ inventory_hostname }}"
        username: "{{ username }}"
        password: "{{ password }}"
        tenant: "CiscoLive"
        description: "Tenant configured by Ansible"
        validate_certs: no
        state: present

Ansible Playbook breakdown
---
# Demo ACI Playbook
- name: Configuring Example Tenant
  hosts: apic1
  connection: local
  gather_facts: no

  tasks:
    - name: Create Tenant                             # Task name
      aci_tenant:                                     # Module Name
        hostname: "{{ inventory_hostname }}"          # Hostname
        username: "{{ username }}"                    # Authentication
        password: "{{ password }}"
        tenant: "CiscoLive"                           # Tenant
        description: "Tenant configured by Ansible"   # Description of task
        validate_certs: no                            # Validate certs
        state: present                                # Add if not already “present”

Ansible Playbook breakdown
---
# Demo ACI Playbook
- name: Configuring Example Tenant
  hosts: apic1
  connection: local
  gather_facts: no

  tasks:
    - name: Create Tenant
      aci_tenant:
        hostname: "{{ inventory_hostname }}"
        username: "{{ username }}"
        private_key: ansible.key                      # Signature-based Authentication
        tenant: "CiscoLive"
        description: "Tenant configured by Ansible"
        validate_certs: no
        state: present

Ansible ACI Modules
• Perform specific tasks (Create Tenant/VRF/BD)
• Already installed when you install Ansible
  • Changing in 2.10 (collections)
• Written in Python
  • Can develop your own modules
• 60+ ACI modules as of 2.9
• 30+ Multisite Orchestrator Modules
• To see all Ansible Modules – ansible-doc -l
  • ACI (or MSO) specific ones – ansible-doc -l | grep -E "^aci|^mso"

Ansible ACI Modules, Ansible Multisite Modules, Ansible ACI Module Documentation (screenshot slides)

Automating ACI with Playbooks

Running an ACI Playbook
• Ansible command
  • Good for running single commands – ad-hoc
  • ansible 10.15.20.101 --user=admin --ask-pass -a "uptime"
• Command to run our playbooks
  • ansible-playbook -i {inventory file} {Playbook file}
  • ansible-playbook -i hosts ciscolive.yml
• Check mode (--check)
  • Run through playbook without making changes
  • ansible-playbook -i hosts tenant.yml --check

Running our Tenant Playbook
• Runs through each task.
• Lets you know how many tasks were OK, changed, failed, etc.
• To see more output use “-v”, “-vvv”, or “-vvvv”

Tenant Playbook with verbose output (screenshot slide)

Verifying the APIC (screenshot slide)

A Sample Three Tier Application in Ansible
• We want to do the following:
  • Create a new Tenant – Ansible
  • New VRF – ansible-VRF
  • New BD – ansible-BD
  • Application Profile – ansible-AP
  • 3 EPGs
    • Web, App, DB
  • 2 Contracts (and associated subjects/filters)
    • web_to_app – Communication between Web EPG and App EPG on http (tcp 80)
    • app_to_db - Communication between App EPG and DB EPG on sql (tcp 1433)

Variables in Three Tier Application
• Use of variables in Ansible
  • Can be used to substitute values in playbooks
  • Leverages jinja2 templating - “{{ Variable Value }}”
  • Defined in inventory, playbook, external
  • Variables have precedence

vars:
  mytenant: ciscolive

tenant: "{{ mytenant }}"

Variables in Three Tier Application
vars:
  tenant: Ansible
  vrf: ansible-VRF
  bd:
    name: ansible-BD
    ip: 10.255.255.1
    mask: 24
  app_profile: ansible-AP
  http_filter: http_ans
  http_filter_entry: http_ans_entry
  web_to_app_contract: web_to_app
  web_to_app_contract_subject: web_to_app_subject
  db_filter: db_ans_entry
  db_filter_entry: db_ans_entry
  app_to_db_contract: db_to_app
  app_to_db_contract_subject: app_to_db_subject
  epg1: web
  epg2: app
  epg3: db

Loops (iteration) with loop
• Repeat a task multiple times
  • Suppose you need to create 3 or more EPGs
  • Tedious to write out 3 or more additional tasks
• with_items: Also a method

aci_epg:
  # remaining aci_epg parameters are not shown on the slide
  epg: "{{ item.epg }}"
loop:
  - epg: "{{ epg1 }}"
  - epg: "{{ epg2 }}"
  - epg: "{{ epg3 }}"

Modules used in Three-Tier Application
• aci_tenant
• aci_vrf
• aci_bd
• aci_bd_subnet
• aci_ap
• aci_epg
• aci_contract
• aci_filter
• aci_filter_entry
• aci_contract_subject
• aci_contract_subject_to_filter
• aci_epg_to_contract

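The contract half of the three-tier application, written as an added example rather than the deck's own playbook: one list describes both contracts, and a single loop drives each of the filter, contract, subject and EPG-binding modules listed above. It assumes the tenant Ansible, the application profile ansible-AP and the EPGs web, app and db already exist, and that the apic1 inventory group supplies username and password as in the deck's inventory.

```yaml
---
# Added example (not the deck's playbook): the contract chain for the three-tier app,
# driven by one list so the same tasks serve both contracts. Assumes tenant Ansible,
# AP ansible-AP and EPGs web/app/db already exist and apic1 supplies username/password.
- name: Wire the three-tier EPGs with contracts
  hosts: apic1
  connection: local
  gather_facts: no
  vars:
    aci: &aci                       # shared login and tenant for every ACI task
      hostname: "{{ inventory_hostname }}"
      username: "{{ username }}"
      password: "{{ password }}"
      validate_certs: no
      tenant: Ansible
    contracts:                      # one TCP filter per contract, provider and consumer EPG
      - { name: web_to_app, filter: http_ans, port: 80,   provider: app, consumer: web }
      - { name: app_to_db,  filter: db_ans,   port: 1433, provider: db,  consumer: app }
  tasks:
    - name: Create filters
      aci_filter: { <<: *aci, filter: "{{ item.filter }}" }
      loop: "{{ contracts }}"
    - name: Create one TCP destination-port entry per filter
      aci_filter_entry:
        <<: *aci
        filter: "{{ item.filter }}"
        entry: "{{ item.filter }}_entry"
        ether_type: ip
        ip_protocol: tcp
        dst_port: "{{ item.port }}"
      loop: "{{ contracts }}"
    - name: Create contracts scoped to the VRF
      aci_contract: { <<: *aci, contract: "{{ item.name }}", scope: context }
      loop: "{{ contracts }}"
    - name: Create subjects
      aci_contract_subject: { <<: *aci, contract: "{{ item.name }}", subject: "{{ item.name }}_subject" }
      loop: "{{ contracts }}"
    - name: Attach filters to subjects
      aci_contract_subject_to_filter: { <<: *aci, contract: "{{ item.name }}", subject: "{{ item.name }}_subject", filter: "{{ item.filter }}" }
      loop: "{{ contracts }}"
    - name: Bind each contract to its provider and consumer EPG
      aci_epg_to_contract:
        <<: *aci
        ap: ansible-AP
        epg: "{{ item.0[item.1] }}"      # item.1 is 'provider' or 'consumer'
        contract: "{{ item.0.name }}"
        contract_type: "{{ item.1 }}"
      loop: "{{ contracts | product(['provider', 'consumer']) | list }}"
```

Running it with --check first shows which of the twelve resulting objects would change before anything is pushed to the APIC.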
Demo – Deploy a Three Tier Application

Signature-Based Authentication
A Note about Authentication
• Authentication using username/password
  • Not very secure
• Large playbooks with lots of tasks can fail
  • Especially with iteration
  • NGINX throttling – ACI 3.1
• Workarounds
  • Disable APIC session throttling
  • Add pause in playbooks
  • Signature-based authentication***

Signature-based Authentication
• Available as of 2.5
• Generate certificate using openssl
• Create a local user on APIC
  • Ansible Module - aci_aaa_user
  • Some additional config required
• Push Certificate up to APIC
  • Ansible Module - aci_aaa_user_certificate
• Modify your tasks to leverage new Key
  • Replace username/password - private_key: keyname.key

Generate Self Signed Certificate
• Use “openssl” to generate your cert

openssl req -new -newkey rsa:1024 -days 36500 -nodes -x509 -keyout ansible.key -out ansible.crt \
  -subj '/CN=Admin/O=Your Company/C=US'

Automate Local User Creation
• Create a local user using aci_aaa_user module

Add new Certificate to new Local User
• Can copy Cert to use aci_aaa_user_certificate Module

Assign proper privileges to Local User
• Leverages the aci_rest module - no module available

ACI REST Module (aci_rest)
• Direct access and management to APIC REST API
  • Works around no Ansible module
• Can use JSON, XML, and even YAML
• Can POST, DELETE, GET
• Variable substitution
• Can grab GUI configurations through
  • API Inspector
  • Download JSON/XML configuration

Example aci_rest module task
tasks:
  - name: Add admin privileges to allow Ansible user to make changes
    aci_rest:
      hostname: "{{ inventory_hostname }}"
      username: "{{ username }}"
      password: "{{ password }}"
      validate_certs: no
      path: /api/node/mo/uni/userext/user-ansible/userdomain-all.json
      method: post
      content:
        {"aaaUserDomain":
          {"attributes":{
            "name":"all",
            "rn":"userdomain-all"
          },
          "children":[
            {"aaaUserRole":
              {"attributes":{
                "name":"admin","privType":"writePriv",
                "rn":"role-admin"
              },
              "children":[]
              }
            }
          ]
          }
        }

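The whole onboarding sequence from the last few slides (local user, certificate upload, privilege assignment, first key-based call) as one added example playbook; it is not the deck's code. It assumes ansible.key and ansible.crt came from the openssl command above, that apic1 still supplies an admin username and password for this one-time bootstrap, and that aci_ansible_user_password is a variable held in Ansible Vault.

```yaml
---
# Added example (not from the deck): one-time bootstrap of a certificate-authenticated
# user. Assumes ansible.key/ansible.crt came from the openssl command above, apic1
# supplies an admin username/password, and aci_ansible_user_password is a Vault var.
- name: Bootstrap signature-based authentication for user ansible
  hosts: apic1
  connection: local
  gather_facts: no
  vars:
    admin: &admin                   # password login is used only for this bootstrap
      hostname: "{{ inventory_hostname }}"
      username: "{{ username }}"
      password: "{{ password }}"
      validate_certs: no
  tasks:
    - name: Create the local user
      aci_aaa_user:
        <<: *admin
        aaa_user: ansible
        aaa_password: "{{ aci_ansible_user_password }}"
        enabled: yes
        state: present
    - name: Attach the public certificate to the user
      aci_aaa_user_certificate:
        <<: *admin
        aaa_user: ansible
        name: ansible                 # must match certificate_name used with the key below
        certificate: "{{ lookup('file', 'ansible.crt') }}"
        state: present
    - name: Grant privileges (no dedicated module; same payload as the deck's aci_rest task, as YAML)
      aci_rest:
        <<: *admin
        path: /api/node/mo/uni/userext/user-ansible/userdomain-all.json
        method: post
        content:
          aaaUserDomain:
            attributes: { name: all, rn: userdomain-all }
            children:
              - aaaUserRole:
                  attributes: { name: admin, privType: writePriv, rn: role-admin }
    - name: Verify the key works with a read-only query (no password involved)
      aci_tenant:
        hostname: "{{ inventory_hostname }}"
        username: ansible
        private_key: ansible.key
        certificate_name: ansible     # default is the key file name without its extension
        validate_certs: no
        state: query
```

The deck grants the admin role; a role limited to what the playbooks actually manage is the least-privilege choice, and once the final task succeeds the admin password can be removed from the inventory.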
Demo – Deploy Signature-Based Authentication
Updated Tenant Playbook
---
# Demo ACI Playbook
- name: Configuring Example Tenant
  hosts: apic1
  connection: local
  gather_facts: no

  tasks:
    - name: Create Tenant
      aci_tenant:
        hostname: "{{ inventory_hostname }}"
        username: ansible
        private_key: ansible.key
        tenant: "CiscoLive"
        description: "Tenant configured by Ansible"
        validate_certs: no
        state: present

Ansible Collections – What’s changing in Ansible

Ansible “Classic”
[Diagram: Classic Ansible bundles the commands (ansible, ansible-playbook, ansible-doc, ansible-galaxy), the documentation and a “kitchen sink” of 3300 modules, including the Cisco ACI and Cisco MSO modules]

A change is coming….
• Ansible has grown…..a lot
  • Over 3000 modules!
  • 4300+ open issues / 2000+ pull requests
• Large volume of Pull Requests and issues
• Growing support challenge
  • Who can I ask for support?
  • Release cycle for modules
  • Bug/Features
• How do they address this? Ansible Collections

What are collections?
• Ansible project/directory structure for Ansible Content
• Broken out into different components
  • Core engine (ansible, ansible-playbook, etc)
  • Core modules and plugins
  • Community modules (Cisco ACI, Multi-Site)
• Uses Ansible Galaxy to deliver collection
  • ACI - https://galaxy.ansible.com/cisco/aci
  • MSO - https://galaxy.ansible.com/cisco/mso
• Support since 2.9 – standard with new 2.10 release

Ansible Collections
[Diagram: Ansible Base keeps the commands (ansible, ansible-playbook, ansible-doc, ansible-galaxy), the documentation and the core modules and plugins; partner/community modules and plugins such as the Cisco ACI and Cisco MSO modules live in Collections and are installed as needed, e.g. ansible-galaxy collection install cisco.aci]

Collection Naming
• Uses Fully Qualified Collection Name
  • Name Space - Functional content category
  • Collection Name - Characteristics of the collection content
  • Module Name – Name of the module
• Example – ACI Tenant task

cisco.aci.aci_tenant   (Name Space: cisco, Collection Name: aci, Module Name: aci_tenant)

ACI Collection Example - Tenant (screenshot slides)

Ansible Galaxy – ACI Collection and Multi-Site Collection (screenshot slides)

Demo – Ansible ACI Collections
Summary
Automating ACI with Ansible
• Automate repeatable tasks
  • Saves time, efficient
  • Ease of writing/reading inventory/playbooks
• Start small – automate easy tasks
  • Move on to larger automation tasks
• Modules
  • pre-built with most common tasks < 2.9
• Ansible Collections – changes the way we use Ansible - 2.10
• Use signature-based authentication

References
Ansible Documentation
http://docs.ansible.com/
Ansible ACI Documentation
https://docs.ansible.com/ansible/devel/scenario_guides/guide_aci.html
Ansible Collections Overview
https://github.com/ansible-collections/overview
Ansible Galaxy
https://galaxy.ansible.com/
Playbooks
https://github.com/trenzy

Thank you