So first, welcome. For people in the first row: please do not take pictures. I see you. Not at all. I'm serious. I know your name. So, my presentation is one configuration one at one please SDM. My name is Michael Quickly. Who I am, for people who didn't see me in the last 10 years speaking about free software and everything: I'm a sysadmin at Red Hat working in the open source and server team, which is a team Dave is also working in. The goal of the team is to help upstream projects to be successful, strategic upstream projects. So that means from time to time to do configuration management, like organizing events, sometimes doing design, and sometimes getting a sysadmin to fix whatever was set before we have a company, or when there is a problem, like when another sysadmin is leaving. You need to pop another one; usually it turns out to be me.

And for what I'm mostly using Ansible, quickly, because I'm using Ansible as a way to get as many talks as possible accepted. It's a very popular topic, but just to be sure: who never heard about Ansible? Can you raise your hand? Good, so there are a few people, so I will still explain, so if I was there. So, Ansible is an orchestration tool that's mostly used around servers, so for sysadmins. We will see later that it can also be used by a network engineer or any kind of people, but this is the SDN room, so it should be about network. That's similar in purpose to a lot of tools like MCollective, Func or whatever control a random but not on Windows in the sense.
That's supposed to be executing a command remotely at some larger scale. One of the advantages of Ansible when compared to everything else is that you do not have an agent. That means that you do not need to install something on the remote system. You do not need to maintain something on the remote system, and that's already quite a lot. I mean, if you ask a sysadmin, you will know that everything that you do not maintain is something that does not crash. It's something that does not page you in the night, that lets you sleep, play, drink, club, whatever you want to do. In order to do that I choose SSH by default. I said by default because there are all kinds of other ways you can use Ansible, but what interests us is using SSH. Yeah, that's a quite flexible way to just execute remotely.

So for example, let's say you are an admin and you want to shut down your whole production. You just type that and that's it; suddenly you have a lot of free time because we've had those that would likely be fired, at least if I am the boss. But if you want to do a large-scale problem, sometimes just one command is not enough. Sometimes it's kind of, I mean, see that if you want to do more. There is a concept of playbook, which is where you can just execute several commands, so it's like a script. But because this is a developer meeting, I want to be sure that people understand: this is not a script. This is a description of several steps, and it looks like a script because there are loops and also conditionals. But no, it's mostly a custom domain-specific language on top of YAML, because everybody loves YAML. Hopefully. If the tool had appeared 10 years ago, it would have been XML and people would be crying right now. That's totally different, because you know, well, it's nice, but it's just description. We also have Jinja.
I don't know if people are using Python, but Jinja is a templating language, one out of 100 templating languages in Python. This is a national sport for Python coders. And that's just for templating a file, for expressions and everything. And because just adding steps one by one is not really a good idea, there is also a concept of a role, where you say: I want to deploy, I don't know, a Quake server on that server. So I create a role, and the role will just execute everything in one logical unit, or deploy the Quake server just at the same time as a Minecraft server and everything, so you can use your cloud for really important stuff and business-critical games. Well, there is also a concept of dependency between roles: if you want to set up phpBB to discuss the Minecraft server that you just set up, you can just deploy phpBB, and that will pull Apache, MySQL and everything. Everything can be done on multiple systems, which is one huge advantage of Ansible compared to other stuff. This is used for running updates, etc. So that's just the basics of the whole concept of configuration as code, which is something that most sysadmins know; maybe the students do not know; maybe the developers know only the part about code.

I was expecting to get network engineers, so, well, I explained basically what Ansible is. I guess the people who are late already know what Ansible is, because I'm not gonna repeat. So now, what about SDN? That's the second part of the presentation, or at least of the title. So I hope that there are lots of people there who have already been hearing about SDN.
I'm not a specialist, so from what I know, SDN is the new evolution for network, because the new evolution for sysadmins, it's containers. And tell me if I'm wrong, but from what I see from discussing with the people, there is a traditional way, which is: you have switches, you have everything, and you just connect by SSH when someone opens a ticket to verify everything, and that's it, that works. Otherwise, we would not have working internet at the moment. Everything works because you have like a simple fixed config. You don't need to make a lot of changes and it's very valuable, and it seems that, well, the only way is SDN. So for people who don't know, I just cut and pasted from Wikipedia, which is not exactly easy to digest. So I will just focus on the part which is "programmatically control". The whole idea of using Ansible for that is that, even if it's not a script, it's still programmatically controlled, which permits to supply the data such as IP addresses, firewall rules, ACLs, passwords from the exact hour.

I see that as very useful for heterogeneous networks. I don't know how it is at your work or, well, your home, if you have like your own Cisco switches. But at work we decided to drop Cisco to go to Juniper, and that means that suddenly we have a million of investment in hardware we are still running, and we have new hardware, and we need to control the system. And for that, yeah, you need suppression. So here come the Ansible network modules. So there is not a further I supported. I'm not gonna give a list; I just took the only ones I know, which is not a lot. So for example, there is F5, Juniper or Cisco. There is a several bellows I hadn't heard about, PAN-OS, but it seems that it exists, otherwise people would not speak about it. So I'm not actually gonna show everything; it's gonna be, well, quite boring, and I don't like when people are too bored in a presentation. So I will just focus on a quick example. Not because most of them are content but they try to organize everything.
So there is always for each one the same type of. So the first one you need to be aware of is the facts module. When you want to manage your whole set of hardware, you need to know what is running, what is, I don't know, the uptime, so you can be sure that you will reboot everything from time to time, the version. The IP address seems to be quite important, especially for network. So there is a whole set of facts modules, which are just here to return facts. So they return information that can be used later for decisions, such as we would only the system we are running system, I don't know, 5.3.6. Update everything for switches. We are doing IPv6 and everything, for example. So I took only the Juniper stuff, because that's quite complete, because that's the one I plan to read later. And I'm a sysadmin: if I need to read documentation for a talk, it has to be also useful later, so I can spend more time on IRC discussing systemd and Docker.

So there is for example junos_facts, that you just execute as a module. It's not executed directly on the router. Ansible is written in Python. I think I'm gonna surprise no one by saying that Python is not running on Cisco, Juniper or whatever switches. So you need to execute on a Linux host. It uses the junos-eznc module. I hope that it means something to someone, because I have no idea how it works. I suspect some REST API or something like this. You need to give a password, username, SSH key and everything to connect. And yeah, so you get your information. But if your goal is just to get information, you do not need to have Ansible for that. You can just pay an intern that connects to everything and writes on a paper, and that's it, you get your report.

You want to do more; for example, you want to configure? So it all out. Well, since the last slide, Python is still not running directly on the switches.
So you still need to execute on Linux. Then there is this various interface. People who already used Cisco know that everything is done line by line, if I'm not wrong. When you get a config file, it's something line-oriented. So you can say: yeah, for that configuration, I want to get for example no DHCP for that switch; I want to get DHCP snooping on that part, and everything. So the line-oriented part is quite interesting, because suddenly you can put some configuration in one part of the playbook and some configuration in another part without mixing. If you do not like this, because "I want to control everything", there is another solution, which is using a template. You just give a template file and you do whatever you want with Jinja. If it's easy enough for people to use, it should also be easy enough for network sysadmins to do that.

And for example, one specific example is the junos_config module, which is again, really, it's junos for the Junos family and something config. Sometimes they do under the Mars and the standard way, which is lines and a template, for example for Junos. And I've not been paid by Junos, not yet. They handle the rollback. So if you fuck up the system completely, well, you can come back to the previous step, which is again quite useful. I mean, I do not make mistakes, but I heard that some people do, so that's for them.

Sometimes you want to do more than just getting facts and configuring stuff, such as executing commands. So, as the name implies, surprise: it executes commands and returns you the output. For example, you want to know what is the current status of who is connected, or the root, or anything like this?
Well, you can use that. It's quite a low-level interface, in the sense that you do not have a high-level view for I want to get through it. It's: execute that set of commands. That's it. You get a string that you need to parse by yourself, and that's where you start to regret using Ansible and not a Python script. But if you want to get more, there are several modules. Each of them is specific to each family. So there is, for the non-config operations again, for Junos, if you want to install a package, so with junos_package, install package: you just give a file name and, I don't know, it works. It copies it, installs the package, and that's it.

As I was very constrict for specific module. So for example, sometimes, not for Junos, because they have only four modules and I did speak of the four of them. For an XOS, no, not XOS, NexusOS, which is for Cisco Nexus, I think you can specifically configure NTP. So that means that you do not need to know the exact command, and there is some level of abstraction. In case, I mean, it's not that it happened, but in case Cisco decided to break something on compatibility, well, maybe you can isolate yourself from that.

The good part is that it can be combined with non-network, which is a whole part about DevOps, where developers discuss with ops without insulting each other. For example, you install a VM. Then you can set the VLAN for that VM. So the VM is for the sysadmin.
The VLAN is for people in the network team. And you just want to have one single operation, in case you decide to do a lot of VMs but you are not, well, I would not say crazy, but you are not rich enough to pay for OpenStack and the 1000 people needed to maintain it. You can do all you want directly with Ansible.

And I think that's all. If people have questions, you can ask them now, and we have 10 minutes left, so ask me anything. And then if it's not related, if it's for another talk, if it's all I can work with someone as marvelous as Dave, or this kind of stuff. And if you do not want to ask me questions right now, you can contact me by mail and on IRC, and not on the server stuff that I list and, shit, I forgot, right, not on Google, please, not on Facebook and this kind of stuff. Again, if you have questions; I'm also okay if you decide to report from for ten minutes. It's good for my ego. Not that I need that, but I'm still good. So, no questions?

So yes. So the question is: Ansible is using SSH; what are the other possibilities? So, as always, for example, you can connect using Func, which is a remote execution tool; you can use Salt. There is a system where you can connect using a chroot. It's not SSH, it's connecting locally, but it's kind of the same: you connect to get a root. You can connect to a Docker image. There is something to use guestfish to connect to a VM which is not running. There is a jail. There is no telnet; it could be fun, but I could not find a telnet server to test it. But yeah, you can use Paramiko. SSH is good.

Yeah, so it's not a question, but I will still repeat. So the gentleman just in the first row said that you can also use a module called raw, which basically allows to execute commands without Python.
I did use that for starting stuff on NetApp. It was using Ansible to do two jump hosts and then starting to execute something on NetApp. So you can also do that. But then it's equivalent to using expect, which is not very ideal. I should have done that; it should have been like one or two slides more. But, question. I'm trying to, yep, another question.

So the what module? So, okay, so the question is: does Ansible work with the NETCONF model? Yeah, I have no idea, because I've been waiting for too long to get access to switches at work to test that. And I got access last week, and I had no time to break the network to test that, so I don't know. I did see NETCONF somewhere in the docs, so there is something. But if you have a more complicated question, you can either go on the IRC channel, which is... Okay, there is no. So I think you need to answer that question. Okay, so there is in Ansible 2.2 a module named netconf_config that is using Python and ncclient on the client side. It's all in the Ansible docs.

So the question is: at what scale can we use that? That's a good question. I'm not planning to use that at a large scale, because my job is mostly maintaining a lot of small projects. I know that our network stuff. There is workspace managing the whole cloud using Ansible. I know that they have some patches and maybe some specific way, like starting several Ansible controllers to deploy everything. I know that OpenStack is using Ansible for the whole CI, and I'm pretty sure that there is someone somewhere there that can explain for the connection that to you. But I have no idea of the scale. I guess that for something like 100 it should be fine. Maybe more than that, I have no clue on how it would work. And with Ansible you can decide to start multiple processes at the same time. It just needs to connect to something using the regular API.
So it's not gonna be a huge bottleneck. So I do not see any limitation besides CPU, and because that's in Python, it's not exactly the fastest language in the world. I'm not sure there is some limitation regarding network, so it should not be a problem there. So there's no disk issue. It should work fine, and I guess you will likely hit some limitation regarding the expression of what you want to do, like if suddenly you want to configure one million switches. Maybe that means that you need to get one million IP addresses in a file, and I'm pretty sure we are not testing that, and I'm pretty sure it's not the right approach. And you need something more.

I love it. My part is more that currently the sysadmins and netops are doing stuff in the traditional way, but deploying a complete SDN solution is a huge effort. So maybe starting to get people comfortable with the idea of doing scripts and deployment and automation can be a small step, because if something goes wrong you can still go back, like you did before. With an automated system, you try to fix stuff and the system is fixing your fix. It's not great. My use case is mostly to be able to delegate or that with a git commit, and let the developers from the community break their stuff instead of me breaking stuff for them.

And I think there was someone having another question. Can you speak louder? Oh. So the question was a little answer. That's what you said. Okay, perfect.
I'm not sure to know what you mean by southbound or outbound. Okay, and I was no as well, as there is no SDN controller per se. So the question was: is Ansible similar to an SDN controller?

So I would place it on a server which is well protected, because once you have access to the road network you can do a lot of stuff. Currently the way we are using for servers is to have one server which has an SSH key that can connect as root to everything. The way we'll do it for switches will be the same, maybe on a separate part and a separate network. Well, you will put a bastion where people can connect to go to the switches while you would play so that. You can also do that deployment from the laptop of the sysadmin, which is what I will call the stock startup mode. But I think it's not a good idea. But it works: if you want to test in a lab, you do not need anything but a laptop and maybe a lot of hardware to do something. And once the way is quite flexible, you want to run it where you want: you want to set it up on a Raspberry Pi, it's running; you want to set it up on FreeBSD, it's running. I mean, I've been doing both.

I think I have no more time for questions. So again, if you want to contact me, I will be there either tomorrow for other talks, or you can just find me somewhere trying to get my way to the next talk. So thanks for coming.