Support for Junos Zero-Touch-Provisioning
Some pull-requests are currently being prepared for submission. It was developed running foreman 1.3.1, so it might need some modifications for foreman 1.4.
Junos devices can be automatically provisioned by using either "Autoinstallation" (before Junos 12.2) or "Zero-Touch-Provisioning" (12.2+). Additionally a puppet agent is available for Junos devices. Documentation is available on Juniper's website:
In case you are not trying to provision a NEW device it might be a good idea to run "request system zeroize".
The basic workflow is as follows:
- Junos device needs to be reset to default configuration
- Junos device will send a DHCP request on the management interface
- DHCP server will send a "filename" option, referring to a special Junos configuration file
- Junos device will receive this configuration file and install it
- an Event Policy will be set up automatically to receive an SLAX script
- the SLAX script will take care of further provisioning tasks
Using "Autoinstallation" does not require any customization, it can all be configured through foreman. It is disabled in favour of "Zero-Touch-Provisioning" on devices running Junos 12.2+. ZTP requires some custom options in your dhcpd.conf:
option option-150 code 150 = ip-address;
option space FM_ZTP;
option FM_ZTP.image-file-name code 0 = text;
option FM_ZTP.config-file-name code 1 = text;
option FM_ZTP-encapsulation code 43 = encapsulate FM_ZTP;
Furthermore the puppet agent should be seen as a technology preview. It is currently only available for devices running Junos 12.3R2.5 and requires manual steps to complete its setup. Sad story.
While "Autoinstallation" will send DHCP requests forever, with ZTP there is a limit on the number of retries. This means you could find yourself needing to restart a device to trigger ZTP again.
This was tested with EX4200 devices running Junos 11.4R1.6, 11.4R5.5, 12.3R2.5 and 12.3R3.4.
The SLAX script was originally written by Jeremy Schulman and was released by Juniper Networks under a 2-clause BSD license. In any case, my modifications are under the same 2-clause BSD license.
Updated by Frank Wall almost 10 years ago
I forgot to mention some quirks :-(
- Foreman configuration: You need to set token_duration to enable UID support. And you need to set safemode_render = false to enable the macro <%= Settings['foreman_url'] %> in provisioning templates.
- Junos version numbering scheme is bad (i.e. 12.3R2.5) and foreman does not handle this at all. Currently I rely on a "feature" of foreman allowing "12.3" as major and "2.5" as minor version number. This works well, but foreman needs to support those strange version numbers. (FreeBSD would benefit too).
- Although Junos is based on FreeBSD, I decided to create its own OperatingSystem (family). Junos is basically a black box and is very different from FreeBSD as of now.
- Although it would have been technically possible to use the Syslinux class for provisioning, I've decided to create a Ztp class to make it easier to get the required quirks in.
- ZTP requires special DHCP options to be set through omshell (Smart Proxy); it will fail if you forgot to edit your dhcpd.conf.
- ZTP requires a .slax suffix in the provisioning URL (Foreman); the UnattendedController will check for this suffix and separate it from the token internally.
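
An added example, not Foreman's code and not part of the comment above: one strict way to separate the `.slax` suffix from the token and to check the token against its lifetime. All function names, the token alphabet, and `token_duration` being counted in minutes are assumptions made for this sketch.

```ruby
require 'securerandom'

# Hypothetical helper code for illustration; not taken from Foreman.
# Assumption: tokens are URL-safe base64 strings of 8 to 64 characters.
# \A and \z anchor the whole string. In Ruby, ^ and $ match per line and
# would accept input such as "token\nanything".
TOKEN_PARAM = /\A(?<token>[A-Za-z0-9_-]{8,64})(?<suffix>\.slax)?\z/

BuildToken = Struct.new(:value, :expires_at)

# Split the raw URL parameter into [token, ztp_request?].
# Returns nil for anything that is not exactly "<token>" or "<token>.slax".
def split_ztp_token(raw)
  m = TOKEN_PARAM.match(raw.to_s)
  return nil unless m
  [m[:token], !m[:suffix].nil?]
end

# Issue a token valid for token_duration minutes (assumed unit).
# A duration of 0 means no token is generated.
def issue_token(token_duration, now = Time.now)
  return nil unless token_duration.positive?
  BuildToken.new(SecureRandom.urlsafe_base64(12), now + token_duration * 60)
end

# Compare two strings without returning early on the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# True only if the parameter carries the stored token and it has not expired.
def valid_request?(raw, stored, now = Time.now)
  token, _ztp = split_ztp_token(raw)
  return false if token.nil? || stored.nil?
  return false if now >= stored.expires_at
  secure_equal?(token, stored.value)
end
```

Rejecting everything that does not match the whole pattern keeps path fragments, extra suffixes and trailing newlines out of the token lookup.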