Menu

Perform NSO System Install

Perform NSO System Install

Task 1: Install NSO.

In this task, you will install the NSO software.

Step 1: Open the terminal window using the Terminal icon on the bottom bar.

Step 2: Start the installation by using the information provided in the following table. It lists all the information required for installing the NSO software.

ParameterValueComment
Location of installation package/optDirectory reserved for all the software and add-on packages that are not part of the default installation.
NSO installation typesystemSystem installation is intended for use in production environments.
Installation directory/opt/ncs/ncs-
VERSION
Replace VERSION with the NSO version as seen from the installation file. Linked to /opt/ncs/current
Running directoryvar/opt/ncsCDB, packages directory, rollbacks, and other runtime files reside here.
Log directory/var/log/ncsVarious NSO logs.
Configuration directoryetc/ncsncs.conf is located here

Step 3: Java JDK-8.x or higher must be installed on system where you will install NSO. Ensure that it is installed with the java –version command.

rst@rst:~$ java --version
openjdk 11.0.11 2021-04-20
OpenJDK Runtime Environment (build 11.0.11+9-Ubuntu-0ubuntu2.20.04)
OpenJDK 64-Bit Server VM (build 11.0.11+9-Ubuntu-0ubuntu2.20.04, mixed mode, sharing) 

Step 4: Another prerequisite is Python. Python version 3.4 or higher is supported. Check that it is installed.

rst@rst:~$ python --version
Python 3.8.10   

Step 5: Go to the home directory and display its contents.

rst@rst:~$ cd
rst@rst:~$ ls -l
total 182632
drwxr-xr-x  2 rst rst      4096 Aug  8 14:52 Desktop
drwxr-xr-x  3 rst rst      4096 Aug  8 15:27 Documents
drwxr-xr-x  2 rst rst      4096 Aug  8 14:52 Downloads
drwxr-xr-x  2 rst rst      4096 Aug  8 14:52 Music
drwxrwxr-x  4 rst rst      4096 Oct 27  2020 neds
-rw-rw-r--  1 rst rst 186964982 Aug 10 16:52 nso-5.3.2.linux.x86_64.signed.bin
drwxrwxr-x 14 rst rst      4096 Oct 27  2020 packages
drwxr-xr-x  2 rst rst      4096 Aug  8 14:52 Pictures
drwxr-xr-x  2 rst rst      4096 Aug  8 14:52 Public
drwxr-xr-x  4 rst rst      4096 Aug 10 17:03 snap
drwxrwxr-x  3 rst rst      4096 Oct 27  2020 solutions
drwxr-xr-x  2 rst rst      4096 Aug  8 14:52 Templates
drwxr-xr-x  2 rst rst      4096 Aug  8 14:52 Videos
rst@rst:~$

Step 6: Make the signed binary executable with the chmod +x command (in this lab, it already is executable), and then execute it.

Pressing the Tab key while typing a binary name autocompletes the name, makes the Tab and the process of writing commands more accurate and faster.

rst@rst:~$ chmod +x nso-5.3.2.linux.x86_64.signed.bin 
rst@rst:~$ ./nso-5.3.2.linux.x86_64.signed.bin 
Unpacking...
Verifying signature...
Downloading CA certificate from http://www.cisco.com/security/pki/certs/crcam2.cer ...
Successfully downloaded and verified crcam2.cer.
Downloading SubCA certificate from http://www.cisco.com/security/pki/certs/innerspace.cer ...
Successfully downloaded and verified innerspace.cer.
Successfully verified root, subca and end-entity certificate chain.
Successfully fetched a public key from tailf.cer.
Successfully verified the signature of nso-5.3.2.linux.x86_64.installer.bin using tailf.cer
rst@rst:~$

Step 7: By default, NSO (system install) runs the process as root. This should be avoided for security reasons. That is why you will use rst user which is already created on the lab machine and has sudo privileges. Run the binary with sudo ./nso-. linux.x86_64.installer.bin. You also must specify the –system-install option and –run-as-user rst to avoid running the NSO process as root.

rst@rst:~$ sudo ./nso-5.3.2.linux.x86_64.installer.bin --system-install --run-as-user rst

INFO  Using temporary directory /tmp/ncs_installer.9911 to stage NCS installation bundle
INFO  Using /opt/ncs/ncs-5.3.2 for static files
INFO  Using /etc/ncs for configuration files
INFO  Using /var/opt/ncs for run-time state files
INFO  Using /var/log/ncs for log files
INFO  Doing install for running as user rst
INFO  Unpacked ncs-5.3.2 in /opt/ncs/ncs-5.3.2
INFO  Found and unpacked corresponding DOCUMENTATION_PACKAGE
INFO  Found and unpacked corresponding EXAMPLE_PACKAGE
INFO  Found and unpacked corresponding JAVA_PACKAGE
INFO  Generating default SSH hostkey (this may take some time)
INFO  SSH hostkey generated
INFO  Environment set-up generated in /opt/ncs/ncs-5.3.2/ncsrc
INFO  NSO installation script finished
INFO  Found and unpacked corresponding NETSIM_PACKAGE
cp: cannot stat '/sbin/arping': No such file or directory
WARN  Failed to copy /sbin/arping command - capability not set
INFO  Generating keys for encrypted-strings
INFO  Configuring installation for PAM authentication
INFO  Using PAM service common-auth for authentication
INFO  Generating self-signed certificates for HTTPS
INFO  Installed init script /etc/init.d/ncs
INFO  Installed user profile script ncs.sh in /etc/profile.d
INFO  Installed user profile script ncs.csh in /etc/profile.d
INFO  Installed 'logrotate' configuration file ncs in /etc/logrotate.d

INFO  The installation has been configured for PAM authentication,
INFO  with group assignment based on the OS group database
INFO  (e.g. /etc/group file). Users that need access to NCS must
INFO  belong to either the 'ncsadmin' group (for unlimited access
INFO  rights) or the 'ncsoper' group (for minimal access rights).
INFO  To create the 'ncsadmin' group, use OS shell command:

    groupadd ncsadmin

INFO  To create the 'ncsoper' group, use OS shell command:

    groupadd ncsoper

INFO  To add an existing user to one of these groups, use OS shell command:

    usermod -a -G  

INFO  The following files have been installed with elevated privileges:
    /opt/ncs/ncs-5.3.2/lib/ncs/lib/core/pam/priv/epam: setuid-root
    /opt/ncs/ncs-5.3.2/lib/ncs/erts/bin/ncs: capability cap_net_bind_service
    /opt/ncs/ncs-5.3.2/lib/ncs/erts/bin/ncs.smp: capability cap_net_bind_service
    /opt/ncs/ncs-5.3.2/lib/ncs/bin/ip: capability cap_net_admin

INFO  NCS installation complete

rst@rst:~$

Step 8: Display the content of the installation directory.

rst@rst:~$ ls -l /opt/ncs/ncs-5.3.2/

total 468
drwxr-xr-x 2 root root   4096 Aug 10 17:07 bin
-rw-r--r-- 1 root root 295794 May  5  2020 CHANGES
drwxr-xr-x 5 root root   4096 May  5  2020 doc
drwxr-xr-x 4 root root   4096 May  5  2020 erlang
drwxr-xr-x 3 root root   4096 May  5  2020 etc
drwxr-xr-x 9 root root   4096 May  5  2020 examples.ncs
drwxr-xr-x 2 root root   4096 May  5  2020 include
drwxr-xr-x 3 root root   4096 Aug 10 17:07 java
drwxr-xr-x 7 root root   4096 May  5  2020 lib
-rw-r--r-- 1 root root  94792 May  5  2020 LICENSE
drwxr-xr-x 6 root root   4096 May  5  2020 man
-rw-r--r-- 1 root root    543 Aug 10 17:07 ncsrc
-rw-r--r-- 1 root root    511 Aug 10 17:07 ncsrc.tcsh
drwxr-xr-x 3 root root   4096 Aug 10 17:07 netsim
drwxr-xr-x 6 root root   4096 May  5  2020 packages
-rw-r--r-- 1 root root   7155 May  5  2020 README
drwxr-xr-x 4 root root   4096 May  5  2020 scripts
drwxr-xr-x 3 root root   4096 May  5  2020 src
drwxr-xr-x 4 root root   4096 May  5  2020 support
drwxr-xr-x 3 root root   4096 May  5  2020 var
-rw-r--r-- 1 root root    298 Aug 10 17:07 VERSION
rst@rst:~$
    

Step 9: As stated in the output of the installation script, you need to create ncsadmin and ncsoper groups to do a group assignment of users who need access to NSO.

rst@rst:~$ sudo groupadd ncsadmin

rst@rst:~$ sudo groupadd ncsoper

Step 10: Assign rst user to ncsadmin group.

rst@rst:~$ sudo usermod -aG ncsadmin rst
rst@rst:~$

Step 11: Restart the VM with the sudo reboot command. You need to restart the VM so that the group membership changes that were made to the currently logged in user take effect. Open the terminal windows again after the VM has come online.

rst@rst:~$ sudo reboot
rst@rst:~$

Step 12: Set the environment variables for the NSO source /etc/profile.d/ncs.sh file.

The installation program creates a shell script file in each NSO installation, which sets the environment variables needed to run NSO. With the –system-install option, by default these settings are set on the shell to explicitly set the variables, source ncs.sh or ncs.csh, depending on your shell type.

rst@rst:~$ source /etc/profile.d/ncs.sh 
rst@rst:~$

Step 13: Start NSO using the /etc/init.d/ncs script.

rst@rst:~$ sudo /etc/init.d/ncs start
Starting ncs: .
rst@rst:~$  

Step 14: Check NSO status.

rst@rst:~$ ncs --status
vsn: 5.3.2
SMP support: yes, using 4 threads
Using epoll: yes
available modules: backplane,netconf,cdb,cli,snmp,webui
running modules: backplane,netconf,cdb,cli,webui
status: started
### OUTPUT OMITTED ###

Task 2: Install NEDs

In this task, you will add Network Element Drivers (NEDs) to the previously installed NSO. You will be using the NEDs that are provided together with each NSO installation.

Step 1: Display the content of the NSO installation directory in which lab grade NEDs are stored.

You will use latest NEDs in your Lab which can be found in ~/neds. You can obtain the latest production-grade NEDs directly from Cisco. A privileged CCO account might be needed to download them.

rst@rst:~$ ls -l /opt/ncs/ncs-5.3.2/packages/neds/
total 40
drwxr-xr-x 8 root root 4096 May  5  2020 a10-acos-cli-3.0
drwxr-xr-x 7 root root 4096 May  5  2020 alu-sr-cli-3.4
drwxr-xr-x 8 root root 4096 May  5  2020 cisco-asa-cli-6.6
drwxr-xr-x 7 root root 4096 May  5  2020 cisco-ios-cli-3.0
drwxr-xr-x 7 root root 4096 May  5  2020 cisco-ios-cli-3.8
drwxr-xr-x 8 root root 4096 May  5  2020 cisco-iosxr-cli-3.0
drwxr-xr-x 8 root root 4096 May  5  2020 cisco-iosxr-cli-3.5
drwxr-xr-x 8 root root 4096 May  5  2020 cisco-nx-cli-3.0
drwxr-xr-x 8 root root 4096 May  5  2020 dell-ftos-cli-3.0
drwxr-xr-x 5 root root 4096 May  5  2020 juniper-junos-nc-3.0
rst@rst:~$

Step 2: In your environment, you want to configure Cisco IOS and IOS XR devices. Copy corresponding NEDs from ~/neds to the running directory.

Packages that you are copying over are already compiled for the NSO version that you are using. This is also true for NEDs that are part of the NSO installation bundle. This means that you do not have to compile them (make). If you want to create packages yourself from the beginning, or if you have packages that were used with older versions of the NSO, you must compile them.

rst@rst:~$ sudo cp -r ~/NSO_FILES/neds/cisco-ios-cli-6.54/ /var/opt/ncs/packages/
rst@rst:~$ sudo cp -r ~/NSO_FILES/neds/cisco-iosxr-cli-7.26/ /var/opt/ncs/packages/
rst@rst:~$    

Step 3: Connect to the NSO CLI with ncs_cli -C, where -C stands for the Cisco style of NSO CLI.

rst@rst:~$ ncs_cli -C

rst connected from 127.0.0.1 using console on rst
rst@ncs#

Step 4: Reload the packages and view the output. All results should be true.

rst@ncs# packages reload

>>> System upgrade is starting.
>>> Sessions in configure mode must exit to operational mode.
>>> No configuration changes can be performed until upgrade has completed.
>>> System upgrade has completed successfully.
reload-result {
package cisco-ios-cli-6.54
result true
}
reload-result {
package cisco-iosxr-cli-7.26
result true
}
rst@ncs# 
System message at 2021-08-10 17:20:25...
Subsystem started: ncs-dp-1-cisco-ios-cli-6.54:IOSDp
rst@ncs#

Step 5: Check NED package versions

rst@ncs# show packages package package-version

PACKAGE  
NAME                  VERSION  
-------------------------------
cisco-ios-cli-6.54    6.54     
cisco-iosxr-cli-7.26  7.26     

rst@ncs# exit
rst@rst:~$

Task 3: Configure NSO CLI for SSH Access

In this task, you will enable SSH connectivity on the NSO CLI northbound interface.

Step 1: Open the ncs.conf file located in directory /etc/ncs/ncs.conf.

rst@rst:~$ sudo vim /etc/ncs/ncs.conf

Step 2: In ncs.conf, find the section for CLI settings and enable the built-in SSH server. This will enable operators to connect to the NSO CLI, using an SSH connection to port 2024.

### OUTPUT OMITTED ###
<cli>
    <enabled>true</enabled>   
        
    <!-- Use the builtin SSH server -->  
    <ssh>
    <enabled>true</enabled>
    <ip>0.0.0.0</ip>
    <port>2024</port>
    </ssh>
    
    <prompt1>\u@ncs> </prompt1>
    <prompt2>\u@ncs% </prompt2>
    
    <c-prompt1>\u@ncs# </c-prompt1>
    <c-prompt2>\u@ncs(\m)# </c-prompt2>
        
    <restricted-file-access>true</restricted-file-access>
    <show-log-directory>${NCS_LOG_DIR}</show-log-directory>
    <show-commit-progress>true</show-commit-progress>
    <suppress-commit-message-context>maapi</suppress-commit-message-context>
    <suppress-commit-message-context>system</suppress-commit-message-context>
</cli>
### OUTPUT OMITTED ##  

Step 3: Find section aaa, where authentication settings can be configured. Check that the PAM option is enabled and that external and local authentication is disabled. To save the file, press Esc and write :wq!.

### OUTPUT OMITTED ###
<aaa> 
    <ssh-server-key-dir>${NCS_CONFIG_DIR}/ssh</ssh-server-key-dir>
                            
    <!-- Depending on OS - and also depending on user requirements -->
    <!-- the pam service value value must be tuned. -->
        
    <pam>
    <enabled>true</enabled>
    <service>common-auth</service>
    </pam>
    <external-authentication>
    <enabled>false</enabled>
    <executable>my-test-auth.sh</executable>
    </external-authentication>

    <local-authentication>
    <enabled>false</enabled>
    </local-authentication>
    
    <expiration-warning>prompt</expiration-warning>
</aaa>
### OUTPUT OMITTED ###

Step 4: To apply the configuration, NSO must be reloaded.

You are using PAM to do user authentication. This is convenient because you can provide the same set of users with access to both the Linux server and NSO.

rst@rst:~$ sudo /etc/init.d/ncs reload
Reloading ncs: .
rst@rst:~$  

Step 5: Now you can test connectivity to the NSO CLI over SSH. The password for user rst in /etc/passwd will be checked and /etc/group consulted to do group assignment. When asked, confirm the connection with yes.

rst@rst:~$ ssh 127.0.0.1 -p 2024
The authenticity of host '[127.0.0.1]:2024 ([127.0.0.1]:2024)' can't be established.
ED25519 key fingerprint is SHA256:HkErXod4eRIEBMUUasQiZ7AyvXwoAWoa3gXuKz0D48o.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[127.0.0.1]:2024' (ED25519) to the list of known hosts.
rst@127.0.0.1's password: 

rst connected from 127.0.0.1 using ssh on rst
rst@ncs> switch cli
rst@ncs# exit
Connection to 127.0.0.1 closed.
rst@rst:~$  

You have successfully connected over SSH using rst user.