Shell Access
Cisco Nexus switches support access to the Bourne-Again SHell (Bash). Bash interprets commands that you enter or commands that are read from a shell script. Using Bash gives you access to the underlying Linux system on the device and lets you manage the system.
Access to the bash shell and Linux is controlled via feature enablement on the Nexus platform. You must explicitly enable feature bash-shell to gain access to bash as user admin, which by default is part of the dev-ops role on the switch.
n9k-sw-1# show role name dev-ops
Role: dev-ops
Description: Predefined system role for devops access. This role cannot be modified.
Rule | Perm | Type | Scope | Entity |
---|---|---|---|---|
6 | permit | command | conf t ; username * | |
5 | permit | command | attach module * | |
4 | permit | command | slot * | |
3 | permit | command | bcm module * | |
2 | permit | command | run bash * | |
1 | permit | command | python * | |
Enabling and Accessing Bash
n9k-sw-1(config)# do show feature | grep bash
bash-shell 1 disabled
n9k-sw-1(config)# feature bash-shell
n9k-sw-1(config)# do show feature | grep bash
bash-shell 1 enabled
n9k-sw-1# run bash
bash-4.2$ id
uid=2002(admin) gid=503(network-admin) groups=503(network-admin)
By default you are still user admin. To install third-party agents on the switch, you must be the root user: either use sudo root to enable the agent to be installed in the filesystem, or authenticate as root within bash using su - root.
bash-4.2$ yum install puppet
Loaded plugins: downloadonly, importpubkey, localrpmDB, patchaction, patching,
: protect-packages
You need to be root to perform this command.
Other capabilities available within bash are covered in the other sections of this chapter, such as manipulating, configuring and monitoring the switch in Linux, and agent installation. Refer to these specific sections for further information.
From within bash, you also have the capability to execute NX-OS commands using our virtual shell utility (vsh). This enables the use of bash utilities (sed, grep, awk) to parse output to produce proper formatting.
Virtual Shell Utility Example - Provisioning a New Tenant on the Network
Ensure the following features are enabled on the switch for this particular example:
n93k-sw-1# show feature | include bash
bash-shell 1 enabled
n93k-sw-1# show feature | include interface-vlan
interface-vlan 1 enabled
Go to bash shell
n93k-sw-1# run bash
Switch to user root
bash-4.2$ su - root
Password:
Switch to management namespace in Linux
root@n93k-sw-1#ip netns exec management bash
Verify current configuration of tenant interface eth2/4
root@n93k-sw-1#vsh -c "show interface Eth2/4 brief"
Ethernet Interface | VLAN | Type | Mode | Status | Reason | Speed | Port Ch # |
---|---|---|---|---|---|---|---|
Eth2/4 | 1 | eth | access | up | none | 40G(D) | -- |
Configure tenant vlan 200, SVI, and provision the tenant port
root@n93k-sw-1#vsh -c "config terminal ; vlan 200 ; name TenantA ; exit"
root@n93k-sw-1#vsh -c "config terminal ; interface vlan 200 ; no shutdown ; exit"
root@n93k-sw-1#vsh -c "configure terminal ; interface eth2/4 ; switchport access vlan 200 ; no shutdown"
Verify tenant is configured correctly in the network
root@n93k-sw-1#vsh -c "show running-config interface Eth2/4"
!Command: show running-config interface Ethernet2/4
version 7.0(3)I2(1)
interface Ethernet2/4
switchport access vlan 200
root@n93k-sw-1#vsh -c "show interface vlan 200 brief"
Interface | Secondary VLAN(Type) | Status | Reason |
---|---|---|---|
Vlan200 | -- | up | -- |
The capabilities depicted above are simple examples to illustrate the flexibility of using bash for automation. These types of functions/examples could be combined and built into a bash-developed monitoring "agent" for your switch. For specifics on making agents/processes persistent in the native Linux shell, refer to the Custom Developed Applications section of the document.
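The provisioning steps above hand `vsh -c` a single string in which " ; " separates NX-OS commands, and they run as root, so any value placed into that string should be checked first. The following is an added example, not code from the original document or from Cisco: it validates the VLAN ID, tenant name and interface, builds the same three command strings, and verifies the result by reading the configuration back. The function names, the 32-character name limit and the interface pattern are assumptions.

```sh
#!/bin/sh
# Added example (not Cisco's code). `vsh -c` splits its argument on " ; ", so
# every value placed into that string is checked against a strict allow-list.

valid_vlan() {   # decimal, no leading zero, 802.1Q range 1-4094
    case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 4 ] && [ "$1" -le 4094 ]
}

valid_name() {   # letters, digits, "_" and "-"; the 32-char cap is an assumption
    case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    [ "${#1}" -le 32 ]
}

valid_intf() {   # EthSLOT/PORT as written on the page, e.g. Eth2/4
    case "$1" in *[!A-Za-z0-9/]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^[Ee]th[0-9]+/[0-9]+$'
}

build_tenant_cmds() {   # usage: build_tenant_cmds VLAN NAME INTF
    valid_vlan "$1" && valid_name "$2" && valid_intf "$3" || return 1
    printf '%s\n' \
        "config terminal ; vlan $1 ; name $2 ; exit" \
        "config terminal ; interface vlan $1 ; no shutdown ; exit" \
        "configure terminal ; interface $3 ; switchport access vlan $1 ; no shutdown"
}

access_vlan_of() {   # stdin: output of "show running-config interface ..."
    awk '$1=="switchport" && $2=="access" && $3=="vlan" { print $4; exit }'
}

provision_tenant() {   # hypothetical wrapper; only meaningful on the switch
    cmds=$(build_tenant_cmds "$1" "$2" "$3") || { echo "input rejected" >&2; return 1; }
    printf '%s\n' "$cmds" | while IFS= read -r c; do vsh -c "$c" </dev/null; done
    # Do not trust exit codes alone: read the config back and compare.
    got=$(vsh -c "show running-config interface $3" </dev/null | access_vlan_of)
    [ "$got" = "$1" ]
}

# Constructed sample, copied from the readback shown on the page.
SAMPLE='!Command: show running-config interface Ethernet2/4
version 7.0(3)I2(1)
interface Ethernet2/4
switchport access vlan 200'
```

On the switch, `provision_tenant 200 TenantA eth2/4` would repeat the walkthrough above; off the switch, `printf '%s\n' "$SAMPLE" | access_vlan_of` exercises the readback parser.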