"Ansible for Networking" Lesson and Image

.gitignore

@@ -45,3 +45,5 @@ __pycache__
 
 *.img
 *.tgz
+
+!lessons/tools/lesson-41-ansible-network/stage1/hosts

CHANGELOG.md

@@ -10,6 +10,7 @@
 - Disable caching for all image builds [#260](https://github.com/nre-learning/nrelabs-curriculum/pull/260)
 - New Images and PoC Lessons for NXTWORK 2019 Hackathon [#261](https://github.com/nre-learning/nrelabs-curriculum/pull/261)
 - Add wordlist package to Kali image [#272](https://github.com/nre-learning/nrelabs-curriculum/pull/272)
+- Ansible for Networking Lesson and Image [#289](https://github.com/nre-learning/nrelabs-curriculum/pull/289)
 - Updates to utility image [#285](https://github.com/nre-learning/nrelabs-curriculum/pull/285)
 - Update YAML Loader statements[#292](https://github.com/nre-learning/nrelabs-curriculum/pull/292)
 - Temporarily pin netmiko to 2.4.2 in st2 image [#293](https://github.com/nre-learning/nrelabs-curriculum/pull/293)

collections/redhat/collection.meta.yaml

@@ -16,4 +16,4 @@ longDescription: |
     We help you standardize across environments, develop cloud-native applications, and integrate, automate, secure, and manage complex environments with award-winning support, training, and consulting services.
 
 type: vendor
-tier: ptr
+tier: prod

images/ansible/Dockerfile

@@ -0,0 +1,41 @@
+FROM centos:8
+
+RUN yum --enablerepo=extras -y install epel-release
+RUN yum update -y
+RUN yum install -y openssh-server git vim nano jq python3-pip sshpass
+RUN mkdir /var/run/sshd
+
+# Antidote user
+RUN mkdir -p /home/antidote
+RUN useradd antidote -p antidotepassword
+RUN chown antidote:antidote /home/antidote
+# RUN chsh antidote --shell=/bin/bash
+RUN echo 'antidote:antidotepassword' | chpasswd
+RUN echo 'root:$(uuidgen)' | chpasswd
+RUN rm /run/nologin
+RUN ssh-keygen -b 2048 -t rsa -f /etc/ssh/ssh_host_rsa_key -q -N ""
+
+# Adjust MOTD
+ADD motd.sh /etc/profile.d/motd.sh
+
+# Disable root Login
+RUN sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin no/' /etc/ssh/sshd_config
+RUN sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
+
+# SSH login fix. Otherwise user is kicked off after login
+RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
+
+# Disable su for everyone not in the wheel group (no one is in the wheel group)
+RUN echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su
+
+ENV NOTVISIBLE "in users profile"
+RUN echo "export VISIBLE=now" >> /etc/profile
+
+ADD requirements.txt /requirements.txt
+RUN pip3 install -r /requirements.txt
+
+RUN mkdir /etc/ansible
+COPY ansible.cfg /etc/ansible/ansible.cfg
+
+EXPOSE 22
+CMD ["/usr/sbin/sshd", "-D"]

images/ansible/Makefile

@@ -0,0 +1,10 @@
+# SHELL=/bin/bash
+
+TARGET_VERSION ?= latest
+
+all: docker
+
+docker:
+	docker build --pull --no-cache -t antidotelabs/ansible:$(TARGET_VERSION) .
+	# docker build --pull -t antidotelabs/ansible:$(TARGET_VERSION) .
+	docker push antidotelabs/ansible:$(TARGET_VERSION)

images/ansible/ansible.cfg

@@ -0,0 +1,14 @@
+[defaults]
+stdout_callback = yaml
+connection = smart
+timeout = 60
+deprecation_warnings = False
+host_key_checking = False
+retry_files_enabled = False
+
+# Can we use the `-i` flag  for ansible-playbook instead, so this isn't baked into the image?
+# inventory = /home/student1/networking-workshop/lab_inventory/hosts
+
+[persistent_connection]
+connect_timeout = 200
+command_timeout = 200

images/ansible/motd.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+printf "Welcome to \u001b[1;38;5;36mNRE Labs\033[1m%s\033[0m! \n"
+printf " * Docs - https://docs.nrelabs.io/\n"

images/ansible/requirements.txt

@@ -0,0 +1,2 @@
+ansible==2.9.1
+ncclient

lessons/tools/lesson-41-ansible-network/lesson.meta.yaml

@@ -0,0 +1,55 @@
+---
+lessonName: Ansible for Network Automation
+lessonId: 41
+category: tools
+lessonDiagram: "https://raw.githubusercontent.com/nre-learning/nrelabs-curriculum/master/lessons/tools/lesson-41-ansible-network/diagram.png"
+tier: prod
+prereqs:
+  - 22  # Python
+  - 23  # Linux
+description: In this lesson, we'll explore the use of Ansible for multi-vendor network automation
+slug: ansible-network-automation
+tags:
+- ansible
+- automation
+- configuration
+collection: 7  # RedHat
+
+endpoints:
+- name: ansible
+  image: antidotelabs/ansible
+  presentations:
+  - name: cli
+    port: 22
+    type: ssh
+
+- name: vqfx1
+  image: antidotelabs/vqfx-snap1
+  configurationType: napalm-junos
+  presentations:
+  - name: cli
+    port: 22
+    type: ssh
+  additionalPorts: [830]
+
+- name: cvx1
+  image: antidotelabs/cvx
+  configurationType: python
+  presentations:
+  - name: cli
+    port: 22
+    type: ssh
+
+connections:
+- a: vqfx1
+  b: cvx1
+
+stages:
+  - id: 1
+    description: Enable NETCONF
+  - id: 2
+    description: Ansible Facts
+  - id: 3
+    description: Resource Facts
+  - id: 4
+    description: Network Configuration Templates

lessons/tools/lesson-41-ansible-network/stage1/ansible.cfg

@@ -0,0 +1,10 @@
+[defaults]
+interpreter_python = auto_silent
+gather_timeout = 0
+stdout_callback = yaml
+connection = smart
+timeout = 60
+deprecation_warnings = False
+host_key_checking = False
+retry_files_enabled = False
+inventory = /antidote/stage1/hosts

lessons/tools/lesson-41-ansible-network/stage1/configs/cvx1.py

@@ -0,0 +1,33 @@
+import paramiko
+import os
+from scp import SCPClient
+
+host=os.environ['SYRINGE_TARGET_HOST']
+
+def createSSHClient(server, port, user, password):
+    client = paramiko.SSHClient()
+    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+    client.connect(server, port, user, password)
+    return client
+
+ssh=createSSHClient(host,22,"antidote","antidotepassword")
+
+scp=SCPClient(ssh.get_transport())
+
+this_dir = os.path.dirname(os.path.realpath(__file__))
+
+scp.put('%s/cvx1/interfaces' % this_dir, '/home/antidote/interfaces')
+scp.put('%s/cvx1/daemons' % this_dir, '/home/antidote/daemons')
+scp.put('%s/cvx1/frr.conf' % this_dir, '/home/antidote/frr.conf')
+
+ssh.exec_command('sudo cp /home/antidote/interfaces /etc/network/interfaces')
+ssh.exec_command('sudo cp /home/antidote/daemons /etc/frr/daemons')
+ssh.exec_command('sudo cp /home/antidote/frr.conf /etc/frr/frr.conf')
+ssh.exec_command('sudo systemctl restart frr.service')
+ssh.exec_command('sudo ifreload -a')
+
+scp.close()
+ssh.close()
+
+
+

lessons/tools/lesson-41-ansible-network/stage1/configs/cvx1/daemons

@@ -0,0 +1,3 @@
+zebra=yes
+bgpd=yes
+

lessons/tools/lesson-41-ansible-network/stage1/configs/cvx1/frr.conf

@@ -0,0 +1,7 @@
+router bgp 65002
+    bgp router-id 10.1.1.2
+    neighbor 10.10.10.1 remote-as 65001
+    address-family ipv4 unicast
+        neighbor 10.10.10.1 activate
+        redistribute connected
+

lessons/tools/lesson-41-ansible-network/stage1/configs/cvx1/interfaces

@@ -0,0 +1,23 @@
+auto lo
+iface lo inet loopback
+    address 10.1.1.2/32
+
+auto eth0
+iface eth0 inet dhcp
+    vrf mgmt
+
+auto mgmt
+iface mgmt
+    address 127.0.0.1/8
+    vrf-table auto
+
+auto swp1 
+allow-uplink swp1
+iface swp1 inet static
+    address 10.10.10.2/30
+
+auto swp2
+allow-uplink swp2
+iface swp2 inet static
+    address 10.10.100.1/30
+

lessons/tools/lesson-41-ansible-network/stage1/configs/vqfx1.txt

@@ -0,0 +1,151 @@
+<configuration operation="replace">
+        <version>15.1X53-D60.4</version>
+        <system>
+            <host-name>vqfx1</host-name>
+            <root-authentication>
+                <encrypted-password>$1$mlo32jo6$BOMVhmtORai2Kr24wRCCv1</encrypted-password>
+                <ssh-rsa>
+                    <name>ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key</name>
+                </ssh-rsa>
+            </root-authentication>
+            <login>
+                <user>
+                    <name>antidote</name>
+                    <class>super-user</class>
+                    <authentication>
+                        <encrypted-password>$1$iH4TNedH$3RKJbtDRO.N4Ua8B6LL/v/</encrypted-password>
+                    </authentication>
+                </user>
+                <password>
+                    <change-type>set-transitions</change-type>
+                    <minimum-changes>0</minimum-changes>
+                </password>
+            </login>
+            <services>
+                <ssh>
+                    <root-login>allow</root-login>
+                </ssh>
+                <netconf>
+                    <ssh>
+                    </ssh>
+                    <rfc-compliant/>
+                </netconf>
+                <rest>
+                    <http>
+                        <port>8080</port>
+                    </http>
+                    <enable-explorer/>
+                </rest>
+            </services>
+            <syslog>
+                <user>
+                    <name>*</name>
+                    <contents>
+                        <name>any</name>
+                        <emergency/>
+                    </contents>
+                </user>
+                <file>
+                    <name>messages</name>
+                    <contents>
+                        <name>any</name>
+                        <notice/>
+                    </contents>
+                    <contents>
+                        <name>authorization</name>
+                        <info/>
+                    </contents>
+                </file>
+                <file>
+                    <name>interactive-commands</name>
+                    <contents>
+                        <name>interactive-commands</name>
+                        <any/>
+                    </contents>
+                </file>
+            </syslog>
+            <extensions>
+                <providers>
+                    <name>juniper</name>
+                    <license-type>
+                        <name>juniper</name>
+                        <deployment-scope>commercial</deployment-scope>
+                    </license-type>
+                </providers>
+                <providers>
+                    <name>chef</name>
+                    <license-type>
+                        <name>juniper</name>
+                        <deployment-scope>commercial</deployment-scope>
+                    </license-type>
+                </providers>
+            </extensions>
+        </system>
+        <interfaces operation="merge">
+            <interface>
+                <name>em0</name>
+                <unit>
+                    <name>0</name>
+                    <family>
+                        <inet>
+                            <address>
+                                <name>{{ mgmt_addr }}</name>
+                            </address>
+                        </inet>
+                    </family>
+                </unit>
+            </interface>
+            <interface>
+                <name>em3</name>
+                <unit>
+                    <name>0</name>
+                    <family>
+                        <inet>
+                            <address>
+                                <name>10.12.0.11/24</name>
+                            </address>
+                        </inet>
+                    </family>
+                </unit>
+            </interface>
+            <interface>
+                <name>em4</name>
+                <unit>
+                    <name>0</name>
+                    <family>
+                        <inet>
+                            <address>
+                                <name>10.31.0.11/24</name>
+                            </address>
+                        </inet>
+                    </family>
+                </unit>
+            </interface>
+        </interfaces>
+        <forwarding-options>
+            <storm-control-profiles>
+                <name>default</name>
+                <all>
+                </all>
+            </storm-control-profiles>
+        </forwarding-options>
+        <routing-options>
+            <autonomous-system>
+                <as-number>64001</as-number>
+            </autonomous-system>
+        </routing-options>
+        <protocols>
+            <igmp-snooping>
+                <vlan>
+                    <name>default</name>
+                </vlan>
+            </igmp-snooping>
+
+        </protocols>
+        <vlans>
+            <vlan>
+                <name>default</name>
+                <vlan-id>1</vlan-id>
+            </vlan>
+        </vlans>
+</configuration>