Feature #3906

closed

Support for Junos Zero-Touch-Provisioning

Added by Frank Wall over 10 years ago. Updated almost 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Unattended installations
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Status

Some pull-requests are currently being prepared for submission. It was developed running foreman 1.3.1, so it might need some modifications for foreman 1.4.

Description

Junos devices can be automatically provisioned by using either "Autoinstallation" (before Junos 12.2) or "Zero-Touch-Provisioning" (12.2+). Additionally a puppet agent is available for Junos devices. Documentation is available on Juniper's website:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB13232
http://kb.juniper.net/InfoCenter/index?page=content&id=KB27327&actp=RSS
http://www.juniper.net/techpubs/en_US/release-independent/junos-puppet/information-products/pathway-pages/index.html

Workflow

In case you are not trying to provision a NEW device it might be a good idea to run "request system zeroize".

The basic workflow is as follows:
- Junos device needs to be reset to default configuration
- Junos device will send a DHCP request on the management interface
- DHCP server will send a "filename" option, referring to a special Junos configuration file
- Junos device will receive this configuration file and install it
- an Event Policy will be set up automatically to receive an SLAX script
- the SLAX script will take care of further provisioning tasks

Limitations

Using "Autoinstallation" does not require any customization, it can all be configured through foreman. It is disabled in favour of "Zero-Touch-Provisioning" on devices running Junos 12.2+. ZTP requires some custom options in your dhcpd.conf:

option option-150 code 150 = ip-address;
option space FM_ZTP;
option FM_ZTP.image-file-name code 0 = text;
option FM_ZTP.config-file-name code 1 = text;
option FM_ZTP-encapsulation code 43 = encapsulate FM_ZTP;

Furthermore the puppet agent should be seen as a technology preview. It is currently only available for devices running Junos 12.3R2.5 and requires manual steps to complete its setup. Sad story.

While "Autoinstallation" will send DHCP requests forever, with ZTP there is a limit on the number of retries. This means you could find yourself needing to restart a device to trigger ZTP again.

Compatibility

This was tested with EX4200 devices running Junos 11.4R1.6, 11.4R5.5, 12.3R2.5 and 12.3R3.4.

Licence

The SLAX script was originally written by Jeremy Schulman and was released by Juniper Networks under a 2-clause BSD license. In any case, my modifications are under the same 2-clause BSD license.
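
The FM_ZTP option space defined under "Limitations" places the image and config file names inside DHCP option 43 as code/length/value sub-options. The following is an added example, not part of the original ticket or of Foreman's code: it decodes such a payload from a captured DHCP offer and reports offers whose TFTP server or file paths differ from what the provisioning host is expected to hand out. The server address, path prefix and sample file name are constructed, and 1-byte code and length fields are assumed.

```python
# Added example: decode and audit DHCP option 43 as laid out by the FM_ZTP space.
# Sub-option codes come from the dhcpd.conf lines in the ticket; 1-byte code and
# length fields are assumed (the ISC dhcpd default for a new option space).
FM_ZTP_SUBOPTIONS = {0: "image-file-name", 1: "config-file-name"}

# Constructed sample values, not taken from the ticket.
ALLOWED_SERVERS = {"192.0.2.10"}
ALLOWED_PREFIX = "ztp/"


def encode_fm_ztp(fields):
    """Build an option 43 payload: one code/length/value triple per sub-option."""
    by_name = {name: code for code, name in FM_ZTP_SUBOPTIONS.items()}
    out = bytearray()
    for name, text in fields.items():
        value = text.encode("ascii")
        if len(value) > 255:
            raise ValueError(f"{name} exceeds the 1-byte length field")
        out += bytes([by_name[name], len(value)]) + value
    return bytes(out)


def decode_fm_ztp(payload):
    """Parse option 43 bytes; ValueError on truncated or unknown sub-options."""
    fields, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[pos], payload[pos + 1]
        value = payload[pos + 2 : pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} is truncated")
        if code not in FM_ZTP_SUBOPTIONS:
            raise ValueError(f"unexpected sub-option code {code}")
        fields[FM_ZTP_SUBOPTIONS[code]] = value.decode("ascii")
        pos += 2 + length
    return fields


def audit_offer(payload, tftp_server):
    """Return findings for one captured offer; an empty list means as expected."""
    findings = []
    if tftp_server not in ALLOWED_SERVERS:
        findings.append(f"option 150 points at unapproved server {tftp_server}")
    try:
        fields = decode_fm_ztp(payload)
    except ValueError as exc:  # also covers non-ASCII file names
        return findings + [f"malformed option 43: {exc}"]
    for name, path in fields.items():
        if not path.startswith(ALLOWED_PREFIX) or ".." in path.split("/"):
            findings.append(f"{name} outside {ALLOWED_PREFIX}: {path}")
    if "config-file-name" not in fields:
        findings.append("no config-file-name sub-option present")
    return findings
```
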


Related issues 1 (0 open, 1 closed)

Blocked by Smart Proxy - Feature #3941: Proxy TFTP support for Junos Zero-Touch-Provisioning | Closed | Frank Wall | 12/18/2013 | 12/19/2013
Actions #1

Updated by Frank Wall over 10 years ago

Quirks

I forgot to mention some quirks :-(

  • Foreman configuration: You need to set token_duration to enable UID support. And you need to set safemode_render = false to enable the macro <%= Settings['foreman_url'] %> in provisioning templates.
  • Junos version numbering scheme is bad (i.e. 12.3R2.5) and foreman does not handle this at all. Currently I rely on a "feature" of foreman allowing "12.3" as major and "2.5" as minor version number. This works well, but foreman needs to support those strange version numbers. (FreeBSD would benefit too).
  • Although Junos is based on FreeBSD, I decided to create its own OperatingSystem (family). Junos is basically a black box and is very different from FreeBSD as of now.
  • Although it would have been technically possible to use the Syslinux class for provisioning, I've decided to create a Ztp class to make it easier to get the required quirks in.
  • ZTP requires special DHCP options to be set through omshell (Smart Proxy); it will fail if you forgot to edit your dhcpd.conf.
  • ZTP requires a .slax suffix in the provisioning url (Foreman); the UnattendedController will check for this suffix and separate it from the token internally.
Actions #2

Updated by Ohad Levy over 10 years ago

Exciting, looking forward to seeing the code :)

Actions #3

Updated by Frank Wall over 10 years ago

One more quirk:

  • You need to specify any partition table to deploy a Junos device, although it will never be used in any ZTP template.

Couldn't figure out if it is possible to "disable" partition tables for a specific OS family.

Actions #4

Updated by Dominic Cleal over 10 years ago

  • Copied to Feature #3941: Proxy TFTP support for Junos Zero-Touch-Provisioning added
Actions #5

Updated by Dominic Cleal over 10 years ago

  • Copied to deleted (Feature #3941: Proxy TFTP support for Junos Zero-Touch-Provisioning)
Actions #6

Updated by Dominic Cleal over 10 years ago

  • Blocked by Feature #3941: Proxy TFTP support for Junos Zero-Touch-Provisioning added
Actions #7

Updated by Dominic Cleal over 10 years ago

  • Target version set to 1.9.2
Actions #8

Updated by Dominic Cleal over 10 years ago

  • Status changed from New to Ready For Testing
Actions #9

Updated by Anonymous over 10 years ago

  • Target version deleted (1.9.2)
Actions #10

Updated by Dominic Cleal over 10 years ago

  • Target version set to 1.9.2
Actions #11

Updated by Daniel Lobato Garcia over 10 years ago

https://github.com/theforeman/foreman/pull/1103 is completed now, waiting for merge.

Actions #12

Updated by Frank Wall over 10 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 70 to 100