Perform NSO System Install
Task 1: Install NSO.
In this task, you will install the NSO software.
Step 1: Open the terminal window using the Terminal icon on the bottom bar.
Step 2: Start the installation by using the information provided in the following table. It lists all the information required for installing the NSO software.
Parameter | Value | Comment |
---|---|---|
Location of installation package | /opt | Directory reserved for all the software and add-on packages that are not part of the default installation. |
NSO installation type | system | System installation is intended for use in production environments. |
Installation directory | /opt/ncs/ncs-VERSION | Replace VERSION with the NSO version as seen from the installation file. Linked to /opt/ncs/current. |
Running directory | /var/opt/ncs | CDB, packages directory, rollbacks, and other runtime files reside here. |
Log directory | /var/log/ncs | Various NSO logs. |
Configuration directory | /etc/ncs | ncs.conf is located here. |
Step 3: Java JDK-8.x or higher must be installed on the system where you will install NSO. Ensure that it is installed with the java --version command.
```
rst@rst:~$ java --version
openjdk 11.0.11 2021-04-20
OpenJDK Runtime Environment (build 11.0.11+9-Ubuntu-0ubuntu2.20.04)
OpenJDK 64-Bit Server VM (build 11.0.11+9-Ubuntu-0ubuntu2.20.04, mixed mode, sharing)
```
Step 4: Another prerequisite is Python. Python version 3.4 or higher is supported. Check that it is installed.
```
rst@rst:~$ python --version
Python 3.8.10
```
Step 5: Go to the home directory and display its contents.
```
rst@rst:~$ cd
rst@rst:~$ ls -l
total 182632
drwxr-xr-x  2 rst rst      4096 Aug  8 14:52 Desktop
drwxr-xr-x  3 rst rst      4096 Aug  8 15:27 Documents
drwxr-xr-x  2 rst rst      4096 Aug  8 14:52 Downloads
drwxr-xr-x  2 rst rst      4096 Aug  8 14:52 Music
drwxrwxr-x  4 rst rst      4096 Oct 27  2020 neds
-rw-rw-r--  1 rst rst 186964982 Aug 10 16:52 nso-5.3.2.linux.x86_64.signed.bin
drwxrwxr-x 14 rst rst      4096 Oct 27  2020 packages
drwxr-xr-x  2 rst rst      4096 Aug  8 14:52 Pictures
drwxr-xr-x  2 rst rst      4096 Aug  8 14:52 Public
drwxr-xr-x  4 rst rst      4096 Aug 10 17:03 snap
drwxrwxr-x  3 rst rst      4096 Oct 27  2020 solutions
drwxr-xr-x  2 rst rst      4096 Aug  8 14:52 Templates
drwxr-xr-x  2 rst rst      4096 Aug  8 14:52 Videos
rst@rst:~$
```
Step 6: Make the signed binary executable with the chmod +x command (in this lab, it already is executable), and then execute it.
Pressing the Tab key while typing a binary name autocompletes the name, which makes writing commands faster and more accurate.
```
rst@rst:~$ chmod +x nso-5.3.2.linux.x86_64.signed.bin
rst@rst:~$ ./nso-5.3.2.linux.x86_64.signed.bin
Unpacking...
Verifying signature...
Downloading CA certificate from http://www.cisco.com/security/pki/certs/crcam2.cer ...
Successfully downloaded and verified crcam2.cer.
Downloading SubCA certificate from http://www.cisco.com/security/pki/certs/innerspace.cer ...
Successfully downloaded and verified innerspace.cer.
Successfully verified root, subca and end-entity certificate chain.
Successfully fetched a public key from tailf.cer.
Successfully verified the signature of nso-5.3.2.linux.x86_64.installer.bin using tailf.cer
rst@rst:~$
```
Step 7: By default, NSO (system install) runs the process as root. This should be avoided for security reasons, so you will use the rst user, which is already created on the lab machine and has sudo privileges. Run the binary with sudo ./nso-5.3.2.linux.x86_64.installer.bin. You must also specify the --system-install option and --run-as-user rst to avoid running the NSO process as root.
```
rst@rst:~$ sudo ./nso-5.3.2.linux.x86_64.installer.bin --system-install --run-as-user rst
INFO Using temporary directory /tmp/ncs_installer.9911 to stage NCS installation bundle
INFO Using /opt/ncs/ncs-5.3.2 for static files
INFO Using /etc/ncs for configuration files
INFO Using /var/opt/ncs for run-time state files
INFO Using /var/log/ncs for log files
INFO Doing install for running as user rst
INFO Unpacked ncs-5.3.2 in /opt/ncs/ncs-5.3.2
INFO Found and unpacked corresponding DOCUMENTATION_PACKAGE
INFO Found and unpacked corresponding EXAMPLE_PACKAGE
INFO Found and unpacked corresponding JAVA_PACKAGE
INFO Generating default SSH hostkey (this may take some time)
INFO SSH hostkey generated
INFO Environment set-up generated in /opt/ncs/ncs-5.3.2/ncsrc
INFO NSO installation script finished
INFO Found and unpacked corresponding NETSIM_PACKAGE
cp: cannot stat '/sbin/arping': No such file or directory
WARN Failed to copy /sbin/arping command - capability not set
INFO Generating keys for encrypted-strings
INFO Configuring installation for PAM authentication
INFO Using PAM service common-auth for authentication
INFO Generating self-signed certificates for HTTPS
INFO Installed init script /etc/init.d/ncs
INFO Installed user profile script ncs.sh in /etc/profile.d
INFO Installed user profile script ncs.csh in /etc/profile.d
INFO Installed 'logrotate' configuration file ncs in /etc/logrotate.d
INFO The installation has been configured for PAM authentication,
INFO with group assignment based on the OS group database
INFO (e.g. /etc/group file). Users that need access to NCS must
INFO belong to either the 'ncsadmin' group (for unlimited access
INFO rights) or the 'ncsoper' group (for minimal access rights).
INFO To create the 'ncsadmin' group, use OS shell command:
    groupadd ncsadmin
INFO To create the 'ncsoper' group, use OS shell command:
    groupadd ncsoper
INFO To add an existing user to one of these groups, use OS shell command:
    usermod -a -G
INFO The following files have been installed with elevated privileges:
    /opt/ncs/ncs-5.3.2/lib/ncs/lib/core/pam/priv/epam: setuid-root
    /opt/ncs/ncs-5.3.2/lib/ncs/erts/bin/ncs: capability cap_net_bind_service
    /opt/ncs/ncs-5.3.2/lib/ncs/erts/bin/ncs.smp: capability cap_net_bind_service
    /opt/ncs/ncs-5.3.2/lib/ncs/bin/ip: capability cap_net_admin
INFO NCS installation complete
rst@rst:~$
```
Step 8: Display the content of the installation directory.
```
rst@rst:~$ ls -l /opt/ncs/ncs-5.3.2/
total 468
drwxr-xr-x 2 root root   4096 Aug 10 17:07 bin
-rw-r--r-- 1 root root 295794 May  5  2020 CHANGES
drwxr-xr-x 5 root root   4096 May  5  2020 doc
drwxr-xr-x 4 root root   4096 May  5  2020 erlang
drwxr-xr-x 3 root root   4096 May  5  2020 etc
drwxr-xr-x 9 root root   4096 May  5  2020 examples.ncs
drwxr-xr-x 2 root root   4096 May  5  2020 include
drwxr-xr-x 3 root root   4096 Aug 10 17:07 java
drwxr-xr-x 7 root root   4096 May  5  2020 lib
-rw-r--r-- 1 root root  94792 May  5  2020 LICENSE
drwxr-xr-x 6 root root   4096 May  5  2020 man
-rw-r--r-- 1 root root    543 Aug 10 17:07 ncsrc
-rw-r--r-- 1 root root    511 Aug 10 17:07 ncsrc.tcsh
drwxr-xr-x 3 root root   4096 Aug 10 17:07 netsim
drwxr-xr-x 6 root root   4096 May  5  2020 packages
-rw-r--r-- 1 root root   7155 May  5  2020 README
drwxr-xr-x 4 root root   4096 May  5  2020 scripts
drwxr-xr-x 3 root root   4096 May  5  2020 src
drwxr-xr-x 4 root root   4096 May  5  2020 support
drwxr-xr-x 3 root root   4096 May  5  2020 var
-rw-r--r-- 1 root root    298 Aug 10 17:07 VERSION
rst@rst:~$
```
Step 9: As stated in the output of the installation script, you need to create ncsadmin and ncsoper groups to do a group assignment of users who need access to NSO.
```
rst@rst:~$ sudo groupadd ncsadmin
rst@rst:~$ sudo groupadd ncsoper
```
Step 10: Assign the rst user to the ncsadmin group.
```
rst@rst:~$ sudo usermod -aG ncsadmin rst
rst@rst:~$
```
Step 11: Restart the VM with the sudo reboot command. You need to restart the VM so that the group membership changes that were made to the currently logged-in user take effect. Open the terminal window again after the VM has come online.
```
rst@rst:~$ sudo reboot
rst@rst:~$
```
Step 12: Set the environment variables for NSO by sourcing the /etc/profile.d/ncs.sh file.
The installation program creates a shell script file in each NSO installation, which sets the environment variables needed to run NSO. With the --system-install option, these settings are set in the shell by default. To explicitly set the variables, source ncs.sh or ncs.csh, depending on your shell type.
```
rst@rst:~$ source /etc/profile.d/ncs.sh
rst@rst:~$
```
Step 13: Start NSO using the /etc/init.d/ncs script.
```
rst@rst:~$ sudo /etc/init.d/ncs start
Starting ncs: .
rst@rst:~$
```
Step 14: Check NSO status.
```
rst@rst:~$ ncs --status
vsn: 5.3.2
SMP support: yes, using 4 threads
Using epoll: yes
available modules: backplane,netconf,cdb,cli,snmp,webui
running modules: backplane,netconf,cdb,cli,webui
status: started
### OUTPUT OMITTED ###
```
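The installer output in Step 7 ends with a list of files installed with a setuid bit or Linux file capabilities. The following Python is an added example, not part of the original lab or of NSO: it parses that list and reports any privileged file found on disk that the installer did not announce. The function names are hypothetical, the sample log is constructed from the Step 7 output, and Linux is assumed.

```python
import os
import re
import stat

# Constructed sample: the elevated-privileges section of the Step 7 installer
# output (exact whitespace is an assumption).
INSTALLER_LOG = """\
INFO The following files have been installed with elevated privileges:
    /opt/ncs/ncs-5.3.2/lib/ncs/lib/core/pam/priv/epam: setuid-root
    /opt/ncs/ncs-5.3.2/lib/ncs/erts/bin/ncs: capability cap_net_bind_service
    /opt/ncs/ncs-5.3.2/lib/ncs/erts/bin/ncs.smp: capability cap_net_bind_service
    /opt/ncs/ncs-5.3.2/lib/ncs/bin/ip: capability cap_net_admin
INFO NCS installation complete
"""


def expected_privileges(log_text):
    """Parse the installer listing into {path: privilege}."""
    pattern = r"^[ \t]+(/\S+): (setuid-root|capability \S+)[ \t]*$"
    return dict(re.findall(pattern, log_text, re.MULTILINE))


def observed_privileges(root):
    """Walk root; report regular files with setuid/setgid bits or file capabilities."""
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue
            try:  # Linux stores file capabilities in this extended attribute
                os.getxattr(path, "security.capability")
                found[path] = "capability"
            except OSError:
                pass  # attribute absent or unsupported on this filesystem
            if mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = "setuid/setgid"
    return found


def unexpected(expected, observed):
    """Privileged files on disk that the installer never announced."""
    return sorted(set(observed) - set(expected))


if __name__ == "__main__":
    announced = expected_privileges(INSTALLER_LOG)
    for path in unexpected(announced, observed_privileges("/opt/ncs/ncs-5.3.2")):
        print("UNEXPECTED privileged file:", path)
```

Run it as a user that can read the whole installation tree; an empty result means the only privileged files under the directory are the four the installer listed.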
Task 2: Install NEDs
In this task, you will add Network Element Drivers (NEDs) to the previously installed NSO. You will be using the NEDs that are provided together with each NSO installation.
Step 1: Display the content of the NSO installation directory in which lab grade NEDs are stored.
You will use the latest NEDs in your lab, which can be found in ~/neds. You can obtain the latest production-grade NEDs directly from Cisco. A privileged CCO account might be needed to download them.
```
rst@rst:~$ ls -l /opt/ncs/ncs-5.3.2/packages/neds/
total 40
drwxr-xr-x 8 root root 4096 May  5  2020 a10-acos-cli-3.0
drwxr-xr-x 7 root root 4096 May  5  2020 alu-sr-cli-3.4
drwxr-xr-x 8 root root 4096 May  5  2020 cisco-asa-cli-6.6
drwxr-xr-x 7 root root 4096 May  5  2020 cisco-ios-cli-3.0
drwxr-xr-x 7 root root 4096 May  5  2020 cisco-ios-cli-3.8
drwxr-xr-x 8 root root 4096 May  5  2020 cisco-iosxr-cli-3.0
drwxr-xr-x 8 root root 4096 May  5  2020 cisco-iosxr-cli-3.5
drwxr-xr-x 8 root root 4096 May  5  2020 cisco-nx-cli-3.0
drwxr-xr-x 8 root root 4096 May  5  2020 dell-ftos-cli-3.0
drwxr-xr-x 5 root root 4096 May  5  2020 juniper-junos-nc-3.0
rst@rst:~$
```
Step 2: In your environment, you want to configure Cisco IOS and IOS XR devices. Copy the corresponding NEDs from ~/neds to the running directory.
Packages that you are copying over are already compiled for the NSO version that you are using. This is also true for NEDs that are part of the NSO installation bundle. This means that you do not have to compile them (make). If you want to create packages yourself from the beginning, or if you have packages that were used with older versions of the NSO, you must compile them.
```
rst@rst:~$ sudo cp -r ~/NSO_FILES/neds/cisco-ios-cli-6.54/ /var/opt/ncs/packages/
rst@rst:~$ sudo cp -r ~/NSO_FILES/neds/cisco-iosxr-cli-7.26/ /var/opt/ncs/packages/
rst@rst:~$
```
Step 3: Connect to the NSO CLI with ncs_cli -C, where -C stands for the Cisco style of NSO CLI.
```
rst@rst:~$ ncs_cli -C

rst connected from 127.0.0.1 using console on rst
rst@ncs#
```
Step 4: Reload the packages and view the output. All results should be true.
```
rst@ncs# packages reload

>>> System upgrade is starting.
>>> Sessions in configure mode must exit to operational mode.
>>> No configuration changes can be performed until upgrade has completed.
>>> System upgrade has completed successfully.
reload-result {
    package cisco-ios-cli-6.54
    result true
}
reload-result {
    package cisco-iosxr-cli-7.26
    result true
}
rst@ncs#
System message at 2021-08-10 17:20:25...
    Subsystem started: ncs-dp-1-cisco-ios-cli-6.54:IOSDp
rst@ncs#
```
Step 5: Check NED package versions.
```
rst@ncs# show packages package package-version
                      PACKAGE
NAME                  VERSION
-------------------------------
cisco-ios-cli-6.54    6.54
cisco-iosxr-cli-7.26  7.26

rst@ncs# exit
rst@rst:~$
```
Task 3: Configure NSO CLI for SSH Access
In this task, you will enable SSH connectivity on the NSO CLI northbound interface.
Step 1: Open the ncs.conf file located at /etc/ncs/ncs.conf.
```
rst@rst:~$ sudo vim /etc/ncs/ncs.conf
```
Step 2: In ncs.conf, find the section for CLI settings and enable the built-in SSH server. This will enable operators to connect to the NSO CLI, using an SSH connection to port 2024.
```
### OUTPUT OMITTED ###
  <cli>
    <enabled>true</enabled>

    <!-- Use the builtin SSH server -->
    <ssh>
      <enabled>true</enabled>
      <ip>0.0.0.0</ip>
      <port>2024</port>
    </ssh>

    <prompt1>\u@ncs> </prompt1>
    <prompt2>\u@ncs% </prompt2>

    <c-prompt1>\u@ncs# </c-prompt1>
    <c-prompt2>\u@ncs(\m)# </c-prompt2>

    <restricted-file-access>true</restricted-file-access>

    <show-log-directory>${NCS_LOG_DIR}</show-log-directory>
    <show-commit-progress>true</show-commit-progress>
    <suppress-commit-message-context>maapi</suppress-commit-message-context>
    <suppress-commit-message-context>system</suppress-commit-message-context>
  </cli>
### OUTPUT OMITTED ###
```
Step 3: Find section aaa, where authentication settings can be configured. Check that the PAM option is enabled and that external and local authentication is disabled. To save the file, press Esc and write :wq!.
```
### OUTPUT OMITTED ###
  <aaa>
    <ssh-server-key-dir>${NCS_CONFIG_DIR}/ssh</ssh-server-key-dir>

    <!-- Depending on OS - and also depending on user requirements -->
    <!-- the pam service value value must be tuned. -->
    <pam>
      <enabled>true</enabled>
      <service>common-auth</service>
    </pam>

    <external-authentication>
      <enabled>false</enabled>
      <executable>my-test-auth.sh</executable>
    </external-authentication>

    <local-authentication>
      <enabled>false</enabled>
    </local-authentication>

    <expiration-warning>prompt</expiration-warning>
  </aaa>
### OUTPUT OMITTED ###
```
Step 4: To apply the configuration, NSO must be reloaded.
You are using PAM to do user authentication. This is convenient because you can provide the same set of users with access to both the Linux server and NSO.
```
rst@rst:~$ sudo /etc/init.d/ncs reload
Reloading ncs: .
rst@rst:~$
```
Step 5: Now you can test connectivity to the NSO CLI over SSH. The password for user rst in /etc/passwd will be checked and /etc/group consulted to do group assignment. When asked, confirm the connection with yes.
```
rst@rst:~$ ssh 127.0.0.1 -p 2024
The authenticity of host '[127.0.0.1]:2024 ([127.0.0.1]:2024)' can't be established.
ED25519 key fingerprint is SHA256:HkErXod4eRIEBMUUasQiZ7AyvXwoAWoa3gXuKz0D48o.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[127.0.0.1]:2024' (ED25519) to the list of known hosts.
rst@127.0.0.1's password:

rst connected from 127.0.0.1 using ssh on rst
rst@ncs> switch cli
rst@ncs# exit
Connection to 127.0.0.1 closed.
rst@rst:~$
```
You have successfully connected over SSH as the rst user.
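The check that Step 3 asks for, together with the SSH listen address set in Step 2, can be automated. The following Python is an added example, not part of the original lab or of NSO: it parses a constructed ncs.conf fragment and reports deviations from the settings used in this task. The ncs-config root element and its namespace are assumptions about the full file, and audit_ncs_conf and LAB_CONF are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <cli> and <aaa> fragments from Steps 2 and 3,
# wrapped in an <ncs-config> root (root element and namespace are assumptions).
LAB_CONF = """\
<ncs-config xmlns="http://tail-f.com/yang/tailf-ncs-config">
  <cli>
    <enabled>true</enabled>
    <ssh>
      <enabled>true</enabled>
      <ip>0.0.0.0</ip>
      <port>2024</port>
    </ssh>
  </cli>
  <aaa>
    <pam>
      <enabled>true</enabled>
      <service>common-auth</service>
    </pam>
    <external-authentication>
      <enabled>false</enabled>
    </external-authentication>
    <local-authentication>
      <enabled>false</enabled>
    </local-authentication>
  </aaa>
</ncs-config>
"""

def audit_ncs_conf(conf_xml):
    """Return findings for the CLI SSH listener and the AAA settings."""
    root = ET.fromstring(conf_xml)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # ignore the XML namespace
    def value(path):
        return (root.findtext(path) or "").strip()
    findings = []
    if value("cli/ssh/enabled") == "true" and value("cli/ssh/ip") in ("0.0.0.0", "::"):
        findings.append("cli ssh listens on all interfaces, port " + value("cli/ssh/port"))
    if value("aaa/pam/enabled") != "true":
        findings.append("pam authentication is not enabled")
    for method in ("external-authentication", "local-authentication"):
        if value("aaa/" + method + "/enabled") == "true":
            findings.append(method + " is enabled")
    return findings

if __name__ == "__main__":
    for finding in audit_ncs_conf(LAB_CONF):
        print(finding)
```

On the lab configuration the only finding is the 0.0.0.0 listener: port 2024 is reachable on every interface of the host, so outside a lab it should be bound to a management address or filtered at the host firewall.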