SR Linux with Openconfig services#
Summary | |
---|---|
Tutorial name | SR Linux with KNE |
Lab components | 2 Nokia SR Linux nodes |
Resource requirements | 2 vCPU 4 GB |
Lab | kne/examples/srlinux/2node-srl-ixr6-with-oc-services.pbtxt |
Main ref documents | kne documentation |
Version information1 | kne v0.1.9 , srlinux:22.11.2 , srl-controller:0.5.0 , kind:0.17.0 |
Authors | Roman Dodin |
KNE repository contains a set of example topologies that aim to help new users get started with using KNE to orchestrate virtual network labs. SR Linux team maintains several examples, which include SR Linux nodes.
This chapter explains the details behind the 2node-srl-ixr6-with-oc-services.pbtxt
example topology.
Topology diagram#
The lab topology aims to introduce KNE users to labs with Nokia SR Linux nodes and acquaint them with Openconfig services running on SR Linux. Two Nokia SR Linux nodes connected over their ethernet-1/1
interfaces form a topology of this lab.
a_node z_node
ββββββββ a_int z_intββββββββ
β βββββββ βββββββ€ β
β srl1 βe1-1 βββββββββββ€e1-1 β srl2 β
β βββββββ βββββββ€ β
ββββββββ ββββββββ
Both nodes are configured to emulate IXR-6e chassis-based hardware and run SR Linux v22.6.3.
Deployment#
To deploy this topology, users should complete the following pre-requisite steps:
Once prerequisites are satisfied, topology deployment is just a single command:
When the topology creation succeeds, the final log message Topology "2-srl-ixr6" created
is displayed.
A Kubernetes namespace is created matching the lab name 2-srl-ixr6
, and lab components are placed in that namespace. To verify lab deployment status, a user can invoke the following command and ensure that the pods are in running state.
β― kubectl get pods -n 2-srl-ixr6
NAME READY STATUS RESTARTS AGE
srl1 1/1 Running 0 15h
srl2 1/1 Running 0 15h
The above command confirms that the two nodes specified in the topology files are in running state.
Configuration#
Topology file utilizes startup configuration provided in a separate file. This startup configuration contains configuration for essential management and Openconfig services.
As a result of this startup config, the nodes come up online with these services in an already operational state.
How to configure Openconfig services via CLI
In order to configure the below mentioned Openconfig services users can spin up a single-node SR Linux topology with containerlab and enter the follwoing commands in the CLI:
enter candidate
/system tls
replace "server-profile clab-profile" with "server-profile kne-profile"
set / system gnmi-server network-instance mgmt tls-profile kne-profile
set / system json-rpc-server network-instance mgmt https tls-profile kne-profile
set / system management openconfig admin-state enable
set / system gnmi-server network-instance mgmt yang-models openconfig
set / system gribi-server admin-state enable network-instance mgmt admin-state enable tls-profile kne-profile
set / network-instance mgmt protocols gribi admin-state enable
set / system p4rt-server admin-state enable network-instance mgmt admin-state enable tls-profile kne-profile
TLS certificate#
A generated TLS profile is present in the configuration and can be found by /system tls server-profile kne-profile
path. This server profile named kne-profile
contains a TLS certificate and a key. This server profile is used by a number of SR Linux management services that require TLS-enabled security.
Note, that the certificate present in a lab is shared between both nodes and contains invalid CN and SAN values. Therefore, it won't be possible to verify the certificate offered by the lab nodes, and tools should skip certificate verification.
Services#
Essential management and Openconfig services are provided in the startup configuration file utilized by this lab. In the following sections, we explain how to verify the operational status of those services.
Services enabled on SR Linux nodes running in this lab are made available externally by the MetalLB Load Balancer and the corresponding services configuration blob in the topology file.
Tip
To list ports that available externally use:
β― kubectl get svc -n 2-srl-ixr6
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service-srl1 LoadBalancer 10.96.72.99 172.18.0.50 22:30281/TCP,57400:30333/TCP 15h
service-srl2 LoadBalancer 10.96.135.142 172.18.0.51 57400:31443/TCP,22:30266/TCP 15h
External-IP
and the corresponding port number. For example, SSH service on srl1
node is available by the 172.18.0.50:22
socket. SSH#
An SSH service is enabled on both SR Linux nodes and is exposed via port 22
. Users can access SSH using the External-IP
for a matching service and port 22
.
Example
Credentials: admin:NokiaSrl1!
β― ssh admin@172.18.0.50
Warning: Permanently added '172.18.0.50' (ECDSA) to the list of known hosts.
................................................................
: Welcome to Nokia SR Linux! :
: Open Network OS for the NetOps era. :
: :
: This is a freely distributed official container image. :
: Use it - Share it :
: :
: Get started: https://learn.srlinux.dev :
: Container: https://go.srlinux.dev/container-image :
: Docs: https://doc.srlinux.dev/22-6 :
: Rel. notes: https://doc.srlinux.dev/rn22-6-1 :
: YANG: https://yang.srlinux.dev/v22.6.1 :
: Discord: https://go.srlinux.dev/discord :
: Contact: https://go.srlinux.dev/contact-sales :
................................................................
admin@172.18.0.50's password:
Console#
To get console-like access to SR Linux NOS users should leverage kubectl exec
command and start the sr_cli
process:
-
- Namespace
2-srl-ixr6
matches the lab name set in the topology file srl1
container name matches the node name set in the topology file.
- Namespace
Example
Openconfig#
By default, Nokia SR Linux uses native YANG models. Openconfig YANG models are already enabled in the configuration file used in this lab.
For completeness, the below section shows how to enable Openconfig via different management interfaces.
gNMI#
gNMI service is enabled over port 57400
in the configuration file used with this lab and exposed by the cluster's LoadBalancer over 9339
port for external connectivity.
By default, gNMI instance configured in the mgmt
network instance uses native YANG models. This is driven by the default configuration value of the /system/gnmi-server/network-instance[name=mgmt]/yang-models
leaf and selects which models are going to be used when gNMI paths are provided without the origin
information in the path.
Startup configuration file used in this lab has the yang-models
leaf set to openconfig
. This makes the paths without the origin
value to be treated as openconfig paths.
Example
gNMI service can be tested using gnmic cli client.
β― gnmic -a 172.18.0.50:9339 -u admin -p NokiaSrl1! --skip-verify capabilities
gNMI version: 0.7.0
supported models:
- urn:srl_nokia/aaa:srl_nokia-aaa, Nokia, 2022-06-30
- urn:srl_nokia/aaa-password:srl_nokia-aaa-password, Nokia, 2022-06-30
- urn:srl_nokia/aaa-types:srl_nokia-aaa-types, Nokia, 2021-11-30
- urn:srl_nokia/acl:srl_nokia-acl, Nokia, 2022-06-30
-- snip --
Since the default schema is set ot Openconfig in the startup configuration file, to perform gNMI requests using the native SR Linux models users have to specify the native
origin. At the time of this wrigin, origin can be provided via Path Prefixes, and soon will be available for paths as well.
β― gnmic -a 172.18.0.50:9339 -u admin -p NokiaSrl1! --skip-verify -e JSON_IETF \
get --prefix 'native:' --path '/system/information/version'
[
{
"source": "172.18.0.50:9339",
"timestamp": 1678615621140266475,
"time": "2023-03-12T11:07:01.140266475+01:00",
"updates": [
{
"Path": "srl_nokia-system:system/srl_nokia-system-info:information/version",
"values": {
"srl_nokia-system:system/srl_nokia-system-info:information/version": "v22.11.2-116-gf3be2e95f2"
}
}
]
}
]
With the configuration leaf /system/gnmi-server/network-instance[name=mgmt]/yang-models
set to openconfig
, paths without the origin
information are assumed to belong to the Openconfig YANG.
β― gnmic -a 172.18.0.50:9339 -u admin -p NokiaSrl1! --skip-verify -e JSON_IETF \
get --path "/system/state/hostname"
[
{
"source": "172.18.0.50:9339",
"timestamp": 1678615843724905250,
"time": "2023-03-12T11:10:43.72490525+01:00",
"updates": [
{
"Path": "openconfig-system:system/state/hostname",
"values": {
"openconfig-system:system/state/hostname": "srl1"
}
}
]
}
]
gNOI#
On SR Linux, gNOI service is enabled automatically once gNMI service is operational and share the same port 57400
. Although the same external post could have been used, to integrate with Ondatra test framework, a different service definition named gnoi
with a separate outside
port has been created.
Example
gNOI service can be tested using gnoic cli client.
β― gnoic -a 172.18.0.50:9337 --skip-verify -u admin -p NokiaSrl1! file stat --path /etc/os-release
+-------------------+-----------------+---------------------------+------------+------------+------+
| Target Name | Path | LastModified | Perm | Umask | Size |
+-------------------+-----------------+---------------------------+------------+------------+------+
| 172.18.0.50:57400 | /etc/os-release | 2021-09-14T06:32:07+02:00 | -rwxrwxrwx | -----w--w- | 21 |
+-------------------+-----------------+---------------------------+------------+------------+------+
gRIBI#
gRIBI server is enabled on a system level and in the mgmt
network instance of SR Linux running on port 57401
. It is exposed to 9340
port for external connectivity as specified by the services configuration in the topology file.
Example
gRIBI service can be tested using gribic cli client.
P4 Runtime (P4RT)#
The P4 Runtime server is configured on a system level and in the mgmt
network instance of SR Linux running on port 9559
. The same port is used externally in this lab.
Lab users still need to configure interface or device identifiers as per the documentation.
-
the following versions have been used to create this tutorial. The newer versions might work; please pin the version to the mentioned ones if they don't. ↩
-
License is required to run chassis-based SR Linux systems (models:
ixr6e/ixr10e
). License-free IXR-D/H systems do not yet have support for Openconfig service; hence they are not suitable for the goals of this lab. ↩