Application Hosting on Cisco Catalyst 9000 Switches with Jeff McLaughlin

Captions
Hi everybody, my name is Jeff McLaughlin. I'm a marketing engineer here at Cisco working on Catalyst switching, and specifically I work on programmability and automation of our Catalyst switching products. I'm going to talk to you today about application hosting on IOS XE. As I said, I work on Catalyst specifically, but a lot of this does apply to other IOS XE platforms; it's just that my focus is Catalyst.

I always like to start by telling people that I became a network engineer because I liked computers, and I didn't want to be a programmer and I didn't want to be a sysadmin. Now I'm a programmer and I'm a sysadmin, and I'm actually liking it, because I'm doing programming and sysadmin stuff related to network devices. So what we're going to talk about today is actually hosting and running applications on our switches and routers.

Any of you remember this box? The good old 2501, the venerable box. When I did my CCIE back in 2004 my apartment was filled with these things; a lot of people didn't come over to my place because of that. It's a classic old networking device. It had a slow processor, a Motorola 68000 at 20 megahertz; a great processor, but a little slow. Not much memory. Very monolithic IOS: it was basically one package that did one thing, route packets in and out. Push packets in and out, that was what the 2501 did.

Now obviously there have been a lot of products since then and a lot of improvement, but the newest platforms, if you look at the Cat 9K that just came out, are the exact opposite of that. They have a very fast processor; in the case of the Cat 9K we have an x86 processor, which our previous Catalyst products didn't have. SSD expansion: on some of them you can go up to one terabyte on a 9400 series switch. The OS: a lot of customers don't realize this, because they log in and it looks like the same IOS that they've known and loved for so many years, but it's modernized. It's a Linux-based operating system, it's not monolithic anymore, and so this box is capable of a lot more than what our old boxes were. Obviously, again, there were a lot of products in between the 2500 and this; I'm just trying to draw the contrast. So we have all this computing power in our network that's kind of unharnessed, and what this session is about is harnessing that. So again: fast x86 processor, SSD expansion, Linux OS and multiple apps, just to reiterate.

What we can do is spin up containers and VMs and actually install applications directly on the device. It could be Python, it could be a tool like perfSONAR, it could be Wireshark. An interesting thing specifically on the Catalyst 9K is that it actually has Wireshark built into the platform; it's integrated into the CLI, so you can do a monitor capture and start up Wireshark. But for other platforms that don't have Wireshark integrated you could spin it up in a container or VM, and potentially, if there were some CLI options that you wanted that aren't available through our integrated Wireshark, in that case you could also install it and use that as an additional tool on the Catalyst platform. Python is actually a special case, because we have a dedicated Guest Shell container for running that, so it's a streamlined and much more solid workflow to bring Python up. If you want to install other apps there are a few more steps that you have to go through, but Python really comes with the OS starting in 16.5, so all you have to do is two commands to bring that up, and we'll demo that in just a minute.

So what types of applications would we want to run on a switch or router? Obviously, like I was mentioning before, performance and throughput testing. We have customers that use perfSONAR, for example; if they use perfSONAR, they install a separate box and that's what does their perfSONAR responding and throughput analysis. So we can actually run an agent for perfSONAR, or iperf, which I'll be demoing a little bit later, on our device.

Configuration management agents: this is really an interesting use case. Ansible does not require an agent; Puppet historically has, but they're updating their software and very soon they won't require an agent either. But there are several other configuration management tools that do require an agent, so if we needed to we could build an agent and run it in a container on our box as well.

Packet capture, collection and analysis: I mentioned Wireshark earlier.

Python-based apps, of course. As I said, Python is a special case; there are a lot of things that you can develop yourself very easily, scripts and apps in Python. I had a customer who said they wanted to scrape some data off their switch, aggregate it on the box and then send some aggregate up to their network management system, and I said if you can write it in Python we can make it work.

Not recommended: video games, except Zork. I think we might be able to get Zork to work, if there are any Zork fans. And one of my customers, when I told them about app hosting, said "I've got the best idea: Bitcoin mining." No. I don't know what TAC will do if you call and you're doing Bitcoin mining on your 9Ks. I can't promise it; you can try it, be my guest, but I'm not sure that's a supported application.

Audience: You're likely to be eaten by a grue.

Jeff: Exactly, exactly. He knows Zork.

So as I mentioned, on-box scripting is a bit of a special case, because we made it very easy for you to enable this; it's a very specific, granular use case. The way this works is, on a switch or a router, you enable our IOx framework, which is the framework for bringing up the containers and the VMs. That's just one command, and then you just say "guestshell enable", and that actually brings up a container with Python running in it. So that's all you have to do to get Python running.

There are a lot of use cases for Python. I'll show you a use case where we integrate with Embedded Event Manager. Also, for example, zero-touch provisioning: we've had Plug and Play on our devices for a long time, but if you want to do the more standards-based ZTP you need to have Python scripting on the box, because it uses Python scripting to actually bring up the box. Once the container is active and you're running a Python script, there are several ways that script can talk to the device internally. It can talk CLI: we actually have a library where you can execute a CLI command directly. I'm really big on NETCONF and YANG models, so the good news is you can do NETCONF and YANG models inside the box, so you can talk internally using NETCONF. Syslog and other facilities we can also connect to inside the box.

Audience: Go ahead... let me make sure I'm understanding. When you say, like, Wireshark for example is essentially a containerized app running in a container, right? And I can interact with Wireshark through the monitor capture command. Can I interact with other containerized apps through the actual IOS XE CLI?

Jeff: Well, you can't. You can interact with the Python through the IOS CLI, but you can't interact directly with other apps that way.

Audience: Can I actually make, like, a command alias to interact with a containerized app?

Jeff: Not directly. I have Albert with me...

Albert: So as a container, you can actually connect through the console, so you can actually log in and have a bash prompt, depending on your operating system. So you can then go into that container environment and execute commands there.

Audience: But I can't abstract it further, so I'm sitting at the actual IOS XE CLI and make my own little command to do that?

Albert: No, but you can probably run it on top of Guest Shell, and with "guestshell run" you can run your own script there.

Jeff: Now you can pick up your own script, yeah.

So in terms of what we support, and as I said, I focus on the Catalyst platforms: Python 2.7 on the 3K platforms as well as the new 9K. We won't get Python 3 on the 3K; it's just an older platform, we're not going to support it. But you can do Python 3 on the 9K. Pip install: we all know that Python isn't much without its libraries, so you can do pip installs. If there's a library you need, no problem, you can install it. One caveat there: some of them have binaries, and if there's a binary that you need it may not work on the 3K, because it is MIPS-based and not x86, as I mentioned before. But most of them should work. And the app hosting feature, that's a 9K feature; again, we need the x86 processor to do that, so from a Catalyst perspective we're not going to do app hosting on the 3K.

So I'm going to do a demo for you now, because we know live demos always work. It's going to work, right? In this demo I'm integrating with Spark; you're probably all familiar with Spark, our collaboration tool. What's going to happen is I'm going to make a change to a 3850 that's in my lab. I have Embedded Event Manager, which has been around forever; it's actually a powerful tool in and of itself, EEM, but there are some things it can't do. It can't do a REST API, for example. So what EEM is going to do is detect the config change that I make, and it's going to call a Python script on the box. Then that Python script is going to go and do a diff, see what changed in the config, and post it using REST APIs to a Spark room. So it's actually calling Spark via REST API from a switch in my lab. Sound good?

So let's do this. I'm going to sit down here to make it a little easier to type. I have my Spark room open here, and it's kind of a lonely Spark room; it's just me and my Catalyst switching box, but normally you'd probably have your whole operations team sitting here. If I go to my switch, this is the 3850. Disconnected, but that's easy enough to fix; it timed out. Before I go and actually fire that off, I'm just going to show you: I can say "guestshell run python" on here, and this is going to drop me into a Python prompt on my 3850, which is running 16.5, by the way. So I'm in an interactive Python prompt here. I can say print "hello", whatever, and it works. The CLI thing we were talking about earlier: we have a library for that, so I can say "import cli", and then from that library I can say cli.cli("show version"). So if you have to execute a CLI command you can do it that way. We could assign that to a variable or do any of those things that we would normally do with a script.

So I have a script, as I said, already set up on here, and it's going to be triggered by EEM. What I'm going to do is just go into config and set up a VRF. We'll call it, how about, Tech Field Day; that's good enough, right? And we'll give it an RD of, I don't know, 100, it doesn't really matter. So I've just put a VRF in there. When I exit out, that's a config change, right? So I'm going to go back to my Spark room. It's going to take a second, because the box is going to detect that there is a change, and then it's going to do that diff, and it's going to send it via REST API. So it pops right up there. The plus is because I actually use the diff library; the pluses mean we added something. If I take something out, if I go back in and delete that, clean it up, what's going to happen is you'll see that same thing with minuses. So REST APIs directly called from the switch.

Audience: So you can have in that script one of those commands from the CLI library that throws an output, and then add that output to Spark?

Jeff: Exactly. And in fact, the way this one works, I actually use the CLI library to basically scrape the running config and I keep a copy, so as you make changes I keep a backup of what the last config was, and I just run a diff based on that. So that's using the CLI library to collect the running config.

Audience: Where's the diff? Is that backup on box?

Jeff: The diff itself is run in the Python script in the Guest Shell container. The configs are stored on the box, on the flash, probably.

Albert: It just goes and looks in there for them.

Jeff: Yep. There are a lot of different ways you could do it, obviously, but that's the way I chose to do it for that case. So that was our demo.

We'll talk about app hosting now, more specific app hosting cases. The basic idea of app hosting is that we want to be able to install multiple apps on our device, and we support both Linux containers, LXC containers, as well as VMs. So we can do containers or VMs; we can do a full-blown KVM VM if you want. IOx is our management and orchestration tool that we use to do this, to spin up these containers, manage them, install them, destroy them, etc. I'm going to give you a little look under the hood of IOx and how all this works. This is a blown-up diagram of what's going on on the device itself. We have this Cisco Application Framework here; this is a part of that IOx framework, or I want to say ecosystem, but you know what I mean. It's a part of IOx. So it's the Cisco Application Framework that's actually dealing with spinning up and managing these containers and VMs on the device.

So again, we can do Linux containers. You're probably familiar with this, but a container is very lightweight; it doesn't have its own Linux kernel, so that means it's actually running directly on the IOS XE kernel itself, whereas a VM has its own Linux kernel, it doesn't need to run directly on ours. So this is better for things that need low-level access, but there's also a little bit more of a security risk, because if you hack the kernel here, you're hacking my IOS XE kernel. So that's something you have to take into consideration when you're creating these: what risk are you willing to take, what do you need to do to secure that container to make sure that doesn't happen? A VM obviously is not quite as lightweight as a container, but it has a little bit more security, and there's a little bit more that you could do with a VM in that regard.

On-box management tools. The way we spin these up, the way that we actually manage this, again, get the package onto the device, start it, manage it, etc., is using one of several tools. The most obvious one is CLI; I'm actually going to show you that, so we can copy a package over, start it, do all that using CLI commands. We also have Local Manager on the device. Local Manager is basically the device web UI, so you can hit the IP address of your switch or router or whatever and pull up the web UI on there; we have a web UI to manage applications on that box. We also have external management tools. ioxclient is the client; it's a CLI-based client, it works on Linux and it works on macOS. It'll also work on Windows if you have a Linux VM on Windows; you can run it on Windows that way, but it won't run directly on Windows. Fog Director is the tool that we have... so obviously Local Manager and CLI are focused on the specific box that you're working on. ioxclient can connect to multiple devices, but one at a time. Fog Director is an application that we have; it's really a part of our IoT suite of applications, but it's really intended to manage multiple devices, because obviously if you're doing this you don't want to do it over and over and over again if you have 50 or 100 switches.

So those tools are used to spin up, delete, destroy those containers. They're also used for packaging the containers, so an important point here, because you might say, well, could I just bring up a VM and do an RPM install or a yum install of the application that I want? And the answer is yes, sure, you could do that. But again, if you're managing fifty, a hundred, two hundred devices, do you really want to go RPM install that same application over and over and over again? An important part of the solution isn't just the fact that we can run the containers and run the VMs on the switch or router, but the fact that we provide tools for packaging your application up, so you don't have to go through that process over and over again. Makes sense? Questions so far?

Audience: Just one: does the 3650/3850 support MIPS LXCs?

Jeff: No.

Audience: Okay, just Guest Shell.

Jeff: Yeah. On the 3650/3850 the only thing you're going to get in terms of app hosting would be Python-based apps, basically.

In terms of actually getting a package, or VM or container, packaged and onto the device, there are two different workflows. The good news is that for the container workflow we can use Docker tools to actually build a container, so we can do a docker build, use a Dockerfile, pull something down from Docker Hub; we can do all that to build our container. So those are familiar tools; anybody who works with containers knows Docker. Usually we have to add some metadata and some other stuff to that Docker container before we can actually run it on IOS XE, so there's a packaging step that has to take place, and that's the case for a disk image as well. We take qcow2 disk images, which is a pretty standard VM disk image. So we run it through a packaging tool. In the case of a Docker container, which is what I'm going to be showing you today, what I did was I used our ioxclient, that CLI-based tool, and you just provide some additional data about how much memory it needs, etc. That disk image, basically the file system, gets put into an artifacts tgz file, with a couple of other things, and then there's a YAML file that gets added by the packaging tool. All that is bundled up, and then we have a new package.tar file which is created from that. So when that's done, the package.tar file is what you copy over to the device, so you don't need to worry about all the different components of it. So that's our packaging system.

Another demo. It's demo time again. So this time what I'm going to do is, we have the package file already copied over to our IOS XE device, and we're going to spin up an iperf container on this. So let's get out of here. Make sure that my server terminated... so I have an iperf server actually running on another Linux box. I'm going to go back to my IOS XE device; I have timeouts on all of them, so we get logged out occasionally. So on here, if I look at the flash, I'll just make it easy: "dir" is a little bit easier. You can see that I have package.tar on there, so I already did the Docker workflow, because we didn't have time to do the whole thing, and I've copied it onto the flash. So that's sitting there.

There are a few steps to bringing this package online. What I'm going to do is "app-hosting", that's the command for this, "app-hosting install", and I have to say "appid": for every app we're going to give it an app ID, that's the name that we choose. I'm just going to call this tcpbouncer, because that's basically what it's doing. And then I just have to give it a package name, and that's going to be flash:package.tar. You'll see it'll just take a second, and it's going to deploy that. Now if I try to activate that at this point it's going to give me an error: "app-hosting activate appid tcpbouncer" is going to tell me that there's no interface configuration. So we're bringing up the VM, or a container rather, but a container or VM needs to have a network interface, right? So we actually have to specify the network interface before we can bring this up. What I've already done is I've created a VirtualPortGroup interface on the switch, and I made it an IP unnumbered interface off of another one. Think of the VirtualPortGroup, if you've worked with ESXi, like the port groups you have there; you can attach several things. That's all it is, it's just like an internal mapping of ports. So I've done that already, but what I need to do here is go "app-hosting appid" with the ID of that app we just created, and under here there are just a few options. We're going to create a vnic; I'll just show you all the options as I'm doing it: vnic gateway1, virtualportgroup 0, guest-interface (that's just the interface number it's going to get on the container, VM or whatever, so we'll use 0), and then we give it an IP address, guest-ipaddress 172.26.244... why don't we do 85, I think that'll work, a netmask of 255.255.0.0, and the gateway, .4.1. So I've just given it the interface, so now when I back out of here and I run that activate command again, we should see it go to activated. We just had to do that; it told us we weren't quite there yet. The only other step that I have to do is to start it.

Audience: Did you pull that addressing dynamically?

Jeff: Yes, actually you could. You don't have to do it statically; you could do DHCP as well.

At this point it tells me the app is running, so I'm just going to go "app-hosting connect", again give it the app ID, because we can have more than one, tcpbouncer, and I'm going to go to the console port on that. You'll see that I'm sitting at a Yocto Linux prompt, so that's my Linux container on here. I'm going to log in as root; right now on this one I don't have a password, obviously that's up to you. And so I've set up my iperf server, you saw earlier, so I'm just going to say "iperf3 -c 172.26.244.124", and what's going to happen is you'll see it'll run an iperf test. Now these are on the same subnet that I'm sourcing and connecting to, but just to prove the point that you could do throughput testing directly to your switch. So when you get that call from the user who's complaining, you now know, okay, we're good to that switch, it's not the network. It's our favorite phrase in networking, right? "The network."

Audience: Oh, good. Very nice. Good.

A couple more things, as we have just a few more minutes. I want to just talk to you a little bit about Fog Director. I'm not going to actually run it right now, but I'm just going to show you really quickly. So again, Fog Director is just a GUI to do all this, so that's not the only way to do it. I know you guys probably want to see the CLI. Again, we could start it up from the GUI on the local device; you're just clicking buttons to do that same workflow: install package from my local machine, activate, start, etc. It's the same thing, so if you prefer a GUI that's a point, or device-by-device, solution. The nice thing about Fog Director is you can load in multiple devices and manage multiple devices; you can push an app out to more than one at a time, so you're not just stuck doing it device by device. So Fog Director is a nice solution for larger-scale management of your fleet of devices.

So we have a few minutes left. I have Albert Mac with me, by the way, who's from engineering, who developed a lot of this. So thank you, Albert, for doing it. First of all, hi. Is there anything else you want to add to this, Albert, before...

Albert: I think that we're pretty good here.

Jeff: Here we go. So that's pretty much it. Any questions from you on this? It seemed useful? You're interested in that?

Audience: Yeah, I was curious how it actually all works together. I'm very new with all of the container world, let alone on switches. Like, "why would I care in my data center, much less why would I care on my switch", right?

Jeff: Yeah. Well, as I was saying, there are several use cases for it. In the data center, I used to work on the Nexus side, and actually my last Tech Field Day talk was about running Puppet agents on Nexus, and that was one of the motivating factors for bringing up containers on those switches. So again, you still have that use case if you're using an agent-based configuration management tool. And again, I've talked to customers where they're installing boxes all over their network to do perfSONAR or something, and they love this idea, because they don't need to install those anymore; they can just host the app on their Catalyst switch. Again, as I said at the beginning, think about it: you have a lot of unharnessed compute in your network, and usually when you need to install an app you're going to install a server at the location where you need it. Well, if you have a branch office with a router and you need to install a server, if it has app hosting capabilities, install your app on there.

Albert: I think there are other use cases. For example, for security-type applications you can run Snort, with some enhancements, as a feature, and logically you can actually run Snort there. There are other security applications that we are going to trial with customers, and they can use all the same technology as well.

Audience: I was thinking, just use the reverse of the situation: bounce out of an office. From your office it's more practical, right? "Now what are you seeing there?" "I don't know, I don't know how to describe my problem." "Here, let me generate traffic from your office and land on my machine."

Jeff: Okay. I also think that the Python integrations are really cool, the EEM thing like you saw. I mean, you can fire up a Python script if you lose an IP SLA probe, or something changes in the config, or some other condition on the device; you can trigger it off a syslog message, whatever. As I said, EEM is actually a powerful tool in and of itself, but it's not Python, so there's a lot more you can do with this. There's actually some interesting integration with Python on the CSR as well, so you can imagine that interacting with something like the AWS APIs, those kinds of things. So that's also out there in the world. Yeah.
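The following is an added example, not Jeff's demo script and not Cisco code, of the on-box workflow the first demo walks through: an EEM-triggered Guest Shell script that pulls the running config through the cli library shown in the talk, keeps the previous copy on flash, diffs the two, and posts the +/- lines to a room over REST. Assumptions, labelled in the code as well: the cli.cli() call is the Guest Shell API the talk demonstrates, but the script falls back to constructed sample configs when that module is absent so it runs off-box; the Spark endpoint URL, room ID, state path and the EEM applet in the docstring are illustrative placeholders; it targets Python 3 (the 9K Guest Shell), so on the 2.7 Guest Shell of the 3850 the urllib.request import would need to become urllib2.

```python
"""Added example: EEM-triggered config-change diff posted to a chat room.

Illustrative EEM trigger (assumed, not taken from the talk) that fires on the
config-change syslog and runs this script inside Guest Shell:

  event manager applet CONFIG-DIFF
   event syslog pattern "%SYS-5-CONFIG_I"
   action 1.0 cli command "enable"
   action 1.1 cli command "guestshell run python /flash/config_diff.py"
"""
import difflib
import json
import os
import urllib.request

try:
    import cli  # IOS XE Guest Shell library; the talk shows cli.cli("show version")
except ImportError:  # not on a switch: fall back to the constructed sample config
    cli = None

# Constructed sample configs (assumption) standing in for the switch when off-box.
SAMPLE_BEFORE = """hostname lab-3850
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
!
end"""
SAMPLE_AFTER = """hostname lab-3850
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
!
vrf definition TechFieldDay
 rd 100:100
!
end"""

# Assumed endpoint and placeholders; the real room ID and token are not in the talk.
SPARK_URL = "https://api.ciscospark.com/v1/messages"
STATE_PATH = "/flash/last_running.cfg"


def collect_running_config():
    """Scrape the running config through the on-box cli library, or use the sample."""
    if cli is not None:
        return cli.cli("show running-config")
    return SAMPLE_AFTER


def config_diff(old_cfg, new_cfg):
    """Return only the +/- lines of a zero-context unified diff of two configs."""
    diff = difflib.unified_diff(old_cfg.splitlines(), new_cfg.splitlines(),
                                fromfile="last", tofile="running", n=0, lineterm="")
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


def build_message(hostname, changes):
    """Render the change lines as the message body; None when nothing changed."""
    if not changes:
        return None
    return "Config change on %s:\n%s" % (hostname, "\n".join(changes))


def post_to_room(message, token, room_id, url=SPARK_URL, dry_run=False):
    """POST the message with a bearer token; dry_run returns the body unsent."""
    payload = {"roomId": room_id, "markdown": message}
    if dry_run:
        return payload
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def run_once(state_path, hostname, token, room_id, current=None, dry_run=False):
    """One triggered pass: load the last snapshot, diff, post, save the new one."""
    if current is None:
        current = collect_running_config()
    last = ""
    if os.path.exists(state_path):
        with open(state_path) as fh:
            last = fh.read()
    changes = config_diff(last, current)
    with open(state_path, "w") as fh:  # the backup copy the talk keeps on flash
        fh.write(current)
    message = build_message(hostname, changes)
    if message is None:
        return None
    return post_to_room(message, token, room_id, dry_run=dry_run)


if __name__ == "__main__":
    # The token comes from the environment, never from the script body on flash.
    run_once(STATE_PATH, "lab-3850", os.environ.get("SPARK_TOKEN", ""),
             os.environ.get("SPARK_ROOM", ""),
             dry_run="SPARK_TOKEN" not in os.environ)
```

Two practitioner caveats that follow from the talk itself. The bearer token is what lets this script write into your operations room, and anything stored on flash is readable by anyone with enable on the switch, so keep it out of the script and out of any file next to the config backups (the example reads it from the Guest Shell environment). And because the Guest Shell container shares the IOS XE kernel, as noted in the session, keep what runs in it small and pinned: a pip-installed dependency pulled onto the switch is code running next to your control plane.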
Info
Channel: Tech Field Day
Views: 12,142
Rating: 5 out of 5
Keywords: Tech Field Day, TFD, Tech Field Day Extra, TFDx, Cisco Live US, Cisco Live, Cisco Live US 2017, CLUS17, Cisco, Jeff McLaughlin, IOS XE, containers, linux, virtual machines
Id: kYxfTWN4nZI
Length: 26min 24sec (1584 seconds)
Published: Thu Jun 29 2017