NOTE: This IOS-XR Ansible only supports up to Ansible version 2.3.
In a nutshell, Ansible is an automation tool for configuring systems,
deploying software, and orchestrating services. Unlike Puppet and Chef, which
use an agent-based architecture, Ansible does not require a running daemon or
a pre-installed agent on the target nodes to perform configuration tasks.
Ansible can be set to run either on the local server or on the remote
node.
The difference between local and remote connection modes in Ansible is basically
where the script (the so-called Ansible module) is run. In remote
mode, Ansible automatically attempts to establish an SSH connection to the remote
node. Once established, it transfers the script and runs it on the remote node.
The script responds to the server in JSON-formatted text. This mode requires
setting up the third-party namespace (TPNNS) on the IOS-XR node.
In local mode, Ansible runs the module script on the local server.
The script has to establish a connection to the remote node itself. The
local mode module uses the Ansible network module to establish an SSH connection
to the IOS-XR console to run CLI commands.
There are 6 different ways to access IOS-XR in local mode.
Managing the IOS-XR device in remote mode requires TPNNS through SSH
port 57722 with the helper programs /pkg/bin/xr_cli and /pkg/sbin/config to
deliver CLI commands and configuration to IOS-XR, respectively. This
remote mode connection is identical to the TPNNS CLI running in local mode except
for how the SSH connection is established and where the script is run.
Given the different variants of local and remote modes mentioned earlier, one
needs to be aware of their limitations before implementing Ansible modules.
Linux-based vs. QNX-based IOS-XR
CLI vs. XML/NETCONF
Console CLI vs. TPNNS CLI
Raw XML/NETCONF vs. YDK NETCONF
NOTE: The IOS-XR NETCONF 1.1 XML construct is based on the Cisco IOS-XR YANG
model, which is currently limited, e.g. it doesn’t support SMU package
installation. Although limited, the Cisco IOS-XR YANG definitions will
continue to grow as more definitions are added and would be a preferred
method for accessing IOS-XR.
The manageability (mgbl) and security (k9sec) packages are required on IOS-XR.
Pull YDK from GitHub onto a Linux server
Pull Ansible Core modules onto a Linux server
Additional reading on Ansible installation is here
iosxr-ansible
├── config
├── local
│   ├── common
│   ├── library
│   └── samples
│       ├── cli
│       ├── tpnns
│       ├── xml
│       └── ydk
└── remote
    ├── library
    └── samples
        └── install
Directory               Description
config                  Contains sample IOS-XR configuration files
local/library           Contains Ansible modules for local mode
local/samples/cli       Contains sample playbooks using Console CLI
local/samples/tpnns     Contains sample playbooks using TPNNS access method
local/samples/xml       Contains sample RPC XML used with iosxr_netconf_send
local/samples/ydk       Contains sample playbooks using YDK APIs
local/common            Contains IOS-XR common Python functions
remote/library          Contains Ansible modules for remote mode
remote/samples          Contains sample playbooks using Namespace Shell CLI
remote/samples/install  Contains additional playbooks showing direct access to IOS-XR using shell
NOTE: Some of these instructions may require root access for setting up IOS-XR.
RP/0/RP0/CPU0:ios# crypto key generate rsa
RP/0/RP0/CPU0:ios# show crypto key mypubkey rsa
RP/0/RP0/CPU0:ios# conf t
RP/0/RP0/CPU0:ios(config)# ssh server v2
RP/0/RP0/CPU0:ios(config)# ssh server netconf vrf default
RP/0/RP0/CPU0:ios(config)# ssh server logging
RP/0/RP0/CPU0:ios(config)# xml agent ssl
RP/0/RP0/CPU0:ios(config)# xml agent tty
RP/0/RP0/CPU0:ios(config)# netconf agent tty
RP/0/RP0/CPU0:ios(config)# netconf-yang agent ssh
RP/0/RP0/CPU0:ios(config)# commit
cut -d" " -f2 ~/.ssh/id_rsa.pub | base64 -d > ~/.ssh/id_rsa_pub.b64
cp ~/.ssh/id_rsa_pub.b64 /tftpboot
RP/0/RP0/CPU0:ios# crypto key import authentication rsa tftp://192.168.1.1/id_rsa_pub.b64
RP/0/RP0/CPU0:ios# show crypto key authentication rsa
ssh cisco@192.168.1.120
ssh cisco@192.168.1.120 "show run"
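The binary key file produced by the cut/base64 step above can be checked before it is copied to /tftpboot and imported. The following is an added example, not part of the original README or the iosxr-ansible code: it decodes an OpenSSH public key line the same way, parses the resulting SSH wire-format blob, and reports the key's SHA256 fingerprint and modulus size. The sample key is constructed, and the 2048-bit minimum and all function names are assumptions of the example.

```python
import base64
import hashlib


def decode_pubkey_line(line):
    """Same bytes as: cut -d" " -f2 id_rsa.pub | base64 -d"""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    return base64.b64decode(parts[1], validate=True)


def read_fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        size = int.from_bytes(blob[pos:pos + 4], "big")
        end = pos + 4 + size
        if pos + 4 > len(blob) or end > len(blob):
            raise ValueError("truncated blob")
        fields.append(blob[pos + 4:end])
        pos = end
    return fields


def inspect_rsa_blob(blob, min_bits=2048):
    """Return (fingerprint, modulus_bits, problems) for a decoded key file."""
    fields = read_fields(blob)
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        return None, 0, ["blob is not an ssh-rsa public key"]
    bits = int.from_bytes(fields[2], "big").bit_length()
    # min_bits is this example's assumption, not a value from the page.
    problems = ["modulus is only %d bits" % bits] if bits < min_bits else []
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return fingerprint, bits, problems


def mpint(value):
    """Encode a positive integer as an SSH mpint (used for the sample only)."""
    data = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return len(data).to_bytes(4, "big") + data


# Constructed sample with the right structure; it is NOT a usable RSA key.
SAMPLE_BLOB = b"\x00\x00\x00\x07ssh-rsa" + mpint(65537) + mpint((1 << 2047) | 1)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " user@server"

if __name__ == "__main__":
    print(inspect_rsa_blob(decode_pubkey_line(SAMPLE_LINE)))
```

The fingerprint has the same form that ssh-keygen -lf ~/.ssh/id_rsa.pub prints, so the decoded file in /tftpboot can be matched against the key it was made from.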
Set up third-party namespace (TPNNS) access on IOS-XR. Please refer to the
following link for instructions and make sure you can SSH to IOS-XR
through port 57722.
To access IOS-XR without a password, you will also need to add your
Linux server SSH public key (~/.ssh/id_rsa.pub) to your IOS-XR
<your_xr_home>/.ssh/authorized_keys file by using the ssh-copy-id
command, for example,
ssh-copy-id -i ~/.ssh/id_rsa.pub -p 57722 cisco@192.168.1.120
cd iosxr-ansible/local
vi ansible_env
source ansible_env
[ss-xr]
192.168.1.120 ansible_ssh_user=cisco
192.168.1.121 ansible_ssh_user=cisco
cd samples
ansible-playbook iosxr_get_config.yml
ansible-playbook iosxr_clear_log.yml
ansible-playbook iosxr_cli.yml -e 'cmd="show interface brief"'
ansible-playbook iosxr_netconf_send.yml -e "xml_file=xml/nc11_show_install_active.xml"
[defaults]
remote_port = 57722
cd iosxr-ansible/remote
vi ansible_env
source ansible_env
[ss-xr]
192.168.1.120 ansible_ssh_user=cisco
192.168.1.121 ansible_ssh_user=cisco
cd samples
ansible-playbook iosxr_get_config.yml
ansible-playbook iosxr_cli.yml -e 'cmd="show interface brief"'
Sample Modules using Cisco YDK services