Perform NSO System Install

Performing the Cisco Network Services Orchestrator (NSO) System Install is a critical step in deploying this powerful network automation and orchestration platform. This process involves tasks such as preparing the target system, ensuring the fulfillment of prerequisite software and hardware requirements, and executing the installation script provided by NSO. Participants typically configure essential parameters during the installation, such as system paths, user accounts, and network settings. The NSO System Install aims to provide a robust foundation for running NSO, enabling participants to harness its capabilities for automating and orchestrating network services efficiently. Successful completion of the NSO System Install equips users with a properly configured NSO environment, paving the way for further exploration and utilization of this platform in network management and automation scenarios.

Lab:

Task 1: Install NSO.

In this task, you will install the NSO software.

Step 1: Open the terminal window using the Terminal icon on the bottom bar.

Step 2: Start the installation by using the information provided in the following table. It lists all the information required for installing the NSO software.

Step 3: Java JDK-8.x or higher must be installed on the system where you will install NSO. Ensure that it is installed with the java --version command.

rst@rst:~$ **java --version**
openjdk 11.0.11 2021-04-20
OpenJDK Runtime Environment (build 11.0.11+9-Ubuntu-0ubuntu2.20.04)
OpenJDK 64-Bit Server VM (build 11.0.11+9-Ubuntu-0ubuntu2.20.04, mixed mode, sharing) 

Step 4: Another prerequisite is Python. Python version 3.4 or higher is supported. Check that it is installed.

rst@rst:~$ **python --version**
Python 3.8.10   

Step 5: Go to the home directory and display its contents.

rst@rst:~$ **cd**
rst@rst:~$ **ls -l**
total 182632
drwxr-xr-x  2 rst rst      4096 Aug  8 14:52 Desktop
drwxr-xr-x  3 rst rst      4096 Aug  8 15:27 Documents
drwxr-xr-x  2 rst rst      4096 Aug  8 14:52 Downloads
drwxr-xr-x  2 rst rst      4096 Aug  8 14:52 Music
drwxrwxr-x  4 rst rst      4096 Oct 27  2020 neds
-rw-rw-r--  1 rst rst 186964982 Aug 10 16:52 nso-5.3.2.linux.x86\_64.signed.bin
drwxrwxr-x 14 rst rst      4096 Oct 27  2020 packages
drwxr-xr-x  2 rst rst      4096 Aug  8 14:52 Pictures
drwxr-xr-x  2 rst rst      4096 Aug  8 14:52 Public
drwxr-xr-x  4 rst rst      4096 Aug 10 17:03 snap
drwxrwxr-x  3 rst rst      4096 Oct 27  2020 solutions
drwxr-xr-x  2 rst rst      4096 Aug  8 14:52 Templates
drwxr-xr-x  2 rst rst      4096 Aug  8 14:52 Videos
rst@rst:~$

Step 6: Make the signed binary executable with the chmod +x command (in this lab, it already is executable), and then execute it.

Pressing the Tab key while typing a binary name autocompletes the name, which makes the process of writing commands more accurate and faster.

rst@rst:~$ **chmod +x nso-5.3.2.linux.x86\_64.signed.bin** 
rst@rst:~$ **./nso-5.3.2.linux.x86\_64.signed.bin** 
Unpacking...
Verifying signature...
Downloading CA certificate from http://www.cisco.com/security/pki/certs/crcam2.cer ...
Successfully downloaded and verified crcam2.cer.
Downloading SubCA certificate from http://www.cisco.com/security/pki/certs/innerspace.cer ...
Successfully downloaded and verified innerspace.cer.
Successfully verified root, subca and end-entity certificate chain.
Successfully fetched a public key from tailf.cer.
Successfully verified the signature of nso-5.3.2.linux.x86\_64.installer.bin using tailf.cer
rst@rst:~$

Step 7: By default, NSO (system install) runs the process as root. This should be avoided for security reasons. That is why you will use the rst user, which is already created on the lab machine and has sudo privileges. Run the binary with sudo ./nso-. linux.x86_64.installer.bin. You must also specify the --system-install option and --run-as-user rst to avoid running the NSO process as root.

rst@rst:~$ **sudo ./nso-5.3.2.linux.x86\_64.installer.bin --system-install --run-as-user rst**

INFO  Using temporary directory /tmp/ncs\_installer.9911 to stage NCS installation bundle
INFO  Using /opt/ncs/ncs-5.3.2 for static files
INFO  Using /etc/ncs for configuration files
INFO  Using /var/opt/ncs for run-time state files
INFO  Using /var/log/ncs for log files
INFO  Doing install for running as user rst
INFO  Unpacked ncs-5.3.2 in /opt/ncs/ncs-5.3.2
INFO  Found and unpacked corresponding DOCUMENTATION\_PACKAGE
INFO  Found and unpacked corresponding EXAMPLE\_PACKAGE
INFO  Found and unpacked corresponding JAVA\_PACKAGE
INFO  Generating default SSH hostkey (this may take some time)
INFO  SSH hostkey generated
INFO  Environment set-up generated in /opt/ncs/ncs-5.3.2/ncsrc
INFO  NSO installation script finished
INFO  Found and unpacked corresponding NETSIM\_PACKAGE
cp: cannot stat '/sbin/arping': No such file or directory
WARN  Failed to copy /sbin/arping command - capability not set
INFO  Generating keys for encrypted-strings
INFO  Configuring installation for PAM authentication
INFO  Using PAM service common-auth for authentication
INFO  Generating self-signed certificates for HTTPS
INFO  Installed init script /etc/init.d/ncs
INFO  Installed user profile script ncs.sh in /etc/profile.d
INFO  Installed user profile script ncs.csh in /etc/profile.d
INFO  Installed 'logrotate' configuration file ncs in /etc/logrotate.d

INFO  The installation has been configured for PAM authentication,
INFO  with group assignment based on the OS group database
INFO  (e.g. /etc/group file). Users that need access to NCS must
INFO  belong to either the 'ncsadmin' group (for unlimited access
INFO  rights) or the 'ncsoper' group (for minimal access rights).
INFO  To create the 'ncsadmin' group, use OS shell command:

    groupadd ncsadmin

INFO  To create the 'ncsoper' group, use OS shell command:

    groupadd ncsoper

INFO  To add an existing user to one of these groups, use OS shell command:

    usermod -a -G  

INFO  The following files have been installed with elevated privileges:
    /opt/ncs/ncs-5.3.2/lib/ncs/lib/core/pam/priv/epam: setuid-root
    /opt/ncs/ncs-5.3.2/lib/ncs/erts/bin/ncs: capability cap\_net\_bind\_service
    /opt/ncs/ncs-5.3.2/lib/ncs/erts/bin/ncs.smp: capability cap\_net\_bind\_service
    /opt/ncs/ncs-5.3.2/lib/ncs/bin/ip: capability cap\_net\_admin

INFO  NCS installation complete

rst@rst:~$

Step 8: Display the content of the installation directory.

rst@rst:~$ **ls -l /opt/ncs/ncs-5.3.2/**

total 468
drwxr-xr-x 2 root root   4096 Aug 10 17:07 bin
-rw-r--r-- 1 root root 295794 May  5  2020 CHANGES
drwxr-xr-x 5 root root   4096 May  5  2020 doc
drwxr-xr-x 4 root root   4096 May  5  2020 erlang
drwxr-xr-x 3 root root   4096 May  5  2020 etc
drwxr-xr-x 9 root root   4096 May  5  2020 examples.ncs
drwxr-xr-x 2 root root   4096 May  5  2020 include
drwxr-xr-x 3 root root   4096 Aug 10 17:07 java
drwxr-xr-x 7 root root   4096 May  5  2020 lib
-rw-r--r-- 1 root root  94792 May  5  2020 LICENSE
drwxr-xr-x 6 root root   4096 May  5  2020 man
-rw-r--r-- 1 root root    543 Aug 10 17:07 ncsrc
-rw-r--r-- 1 root root    511 Aug 10 17:07 ncsrc.tcsh
drwxr-xr-x 3 root root   4096 Aug 10 17:07 netsim
drwxr-xr-x 6 root root   4096 May  5  2020 packages
-rw-r--r-- 1 root root   7155 May  5  2020 README
drwxr-xr-x 4 root root   4096 May  5  2020 scripts
drwxr-xr-x 3 root root   4096 May  5  2020 src
drwxr-xr-x 4 root root   4096 May  5  2020 support
drwxr-xr-x 3 root root   4096 May  5  2020 var
-rw-r--r-- 1 root root    298 Aug 10 17:07 VERSION
rst@rst:~$

Step 9: As stated in the output of the installation script, you need to create ncsadmin and ncsoper groups to do a group assignment of users who need access to NSO.

rst@rst:~$ **sudo groupadd ncsadmin**

rst@rst:~$ **sudo groupadd ncsoper**

Step 10: Assign the rst user to the ncsadmin group.

rst@rst:~$ **sudo usermod -aG ncsadmin rst**
rst@rst:~$

Step 11: Restart the VM with the sudo reboot command. You need to restart the VM so that the group membership changes that were made to the currently logged in user take effect. Open the terminal window again after the VM has come online.

rst@rst:~$ **sudo reboot**
rst@rst:~$

Step 12: Set the environment variables for NSO by sourcing the /etc/profile.d/ncs.sh file.

The installation program creates a shell script file in each NSO installation, which sets the environment variables needed to run NSO. With the --system-install option, these settings are set on the shell by default. To set the variables explicitly, source ncs.sh or ncs.csh, depending on your shell type.

rst@rst:~$ **source /etc/profile.d/ncs.sh** 
rst@rst:~$

Step 13: Start NSO using the /etc/init.d/ncs script.

rst@rst:~$ **sudo /etc/init.d/ncs start**
Starting ncs: .
rst@rst:~$ 

Step 14: Check NSO status.

rst@rst:~$ **ncs --status**
vsn: 5.3.2
SMP support: yes, using 4 threads
Using epoll: yes
available modules: backplane,netconf,cdb,cli,snmp,webui
running modules: backplane,netconf,cdb,cli,webui
status: started
\### OUTPUT OMITTED ###
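
The installer output in Step 7 ends with a list of files installed setuid-root or with file capabilities. As an added example (not part of the original lab or of NSO), the script below turns that notice into an allowlist and reports privileged files under the install root that are not on it; the function names are hypothetical and the sample log is constructed from the output shown above.

```shell
#!/usr/bin/env bash
# Added example: turn the installer's elevated-privileges notice into an
# allowlist, then report privileged files that are not on it.

# Installer log on stdin -> "path<TAB>privilege" per listed file.
elevated_allowlist() {
  awk '
    /installed with elevated privileges/ { in_list = 1; next }
    in_list && /^[ \t]+\// {
      line = $0; sub(/^[ \t]+/, "", line)
      path = line; sub(/:.*/, "", path)
      priv = line; sub(/^[^:]*:[ \t]*/, "", priv); sub(/^capability[ \t]+/, "", priv)
      print path "\t" priv; next
    }
    in_list && NF { in_list = 0 }   # first non-blank, non-path line ends the list
  '
}

# Live system: setuid-root files and file capabilities under $1, same format.
# Handles both getcap output styles ("path = cap+ep" and "path cap=ep").
observed_privileged() {
  find "$1" -xdev -type f -user root -perm -4000 2>/dev/null | awk '{ print $0 "\tsetuid-root" }'
  getcap -r "$1" 2>/dev/null | awk '{ cap = $NF; sub(/[+=][eip]+$/, "", cap); print $1 "\t" cap }'
}

# Observed entries on stdin that are missing from allowlist file $1.
unexpected_privileged() {
  grep -Fxv -f "$1" || true
}

# Constructed sample: the notice from the Step 7 output above.
sample_installer_log() { cat <<'EOF'
INFO  Installed 'logrotate' configuration file ncs in /etc/logrotate.d
INFO  The following files have been installed with elevated privileges:
    /opt/ncs/ncs-5.3.2/lib/ncs/lib/core/pam/priv/epam: setuid-root
    /opt/ncs/ncs-5.3.2/lib/ncs/erts/bin/ncs: capability cap_net_bind_service
    /opt/ncs/ncs-5.3.2/lib/ncs/erts/bin/ncs.smp: capability cap_net_bind_service
    /opt/ncs/ncs-5.3.2/lib/ncs/bin/ip: capability cap_net_admin

INFO  NCS installation complete
EOF
}

sample_installer_log | elevated_allowlist
```

On the lab VM, save the installer output to a file, write the result of `elevated_allowlist` to an allowlist file, and pipe `observed_privileged /opt/ncs` into `unexpected_privileged` with that file as its argument; empty output means nothing beyond the installer's own list was found.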

Task 2: Install NEDs

In this task, you will add Network Element Drivers (NEDs) to the previously installed NSO. You will be using the NEDs that are provided together with each NSO installation.

Step 1: Display the content of the NSO installation directory in which lab grade NEDs are stored.

You will use the latest NEDs in your lab, which can be found in ~/neds. You can obtain the latest production-grade NEDs directly from Cisco. A privileged CCO account might be needed to download them.

rst@rst:~$ **ls -l /opt/ncs/ncs-5.3.2/packages/neds/**
total 40
drwxr-xr-x 8 root root 4096 May  5  2020 a10-acos-cli-3.0
drwxr-xr-x 7 root root 4096 May  5  2020 alu-sr-cli-3.4
drwxr-xr-x 8 root root 4096 May  5  2020 cisco-asa-cli-6.6
drwxr-xr-x 7 root root 4096 May  5  2020 cisco-ios-cli-3.0
drwxr-xr-x 7 root root 4096 May  5  2020 cisco-ios-cli-3.8
drwxr-xr-x 8 root root 4096 May  5  2020 cisco-iosxr-cli-3.0
drwxr-xr-x 8 root root 4096 May  5  2020 cisco-iosxr-cli-3.5
drwxr-xr-x 8 root root 4096 May  5  2020 cisco-nx-cli-3.0
drwxr-xr-x 8 root root 4096 May  5  2020 dell-ftos-cli-3.0
drwxr-xr-x 5 root root 4096 May  5  2020 juniper-junos-nc-3.0
rst@rst:~$

Step 2: In your environment, you want to configure Cisco IOS and IOS XR devices. Copy corresponding NEDs from ~/neds to the running directory.

Packages that you are copying over are already compiled for the NSO version that you are using. This is also true for NEDs that are part of the NSO installation bundle. This means that you do not have to compile them (make). If you want to create packages yourself from the beginning, or if you have packages that were used with older versions of the NSO, you must compile them.

rst@rst:~$ **sudo cp -r ~/NSO\_FILES/neds/cisco-ios-cli-6.54/ /var/opt/ncs/packages/**
rst@rst:~$ **sudo cp -r ~/NSO\_FILES/neds/cisco-iosxr-cli-7.26/ /var/opt/ncs/packages/**
rst@rst:~$ 

Step 3: Connect to the NSO CLI with ncs_cli -C, where -C stands for the Cisco style of NSO CLI.

rst@rst:~$ **ncs\_cli -C**

rst connected from 127.0.0.1 using console on rst
rst@ncs#

Step 4: Reload the packages and view the output. All results should be true.

rst@ncs# **packages reload**

>>> System upgrade is starting.
>>> Sessions in configure mode must exit to operational mode.
>>> No configuration changes can be performed until upgrade has completed.
>>> System upgrade has completed successfully.
reload-result {
package cisco-ios-cli-6.54
result true
}
reload-result {
package cisco-iosxr-cli-7.26
result true
}
rst@ncs# 
System message at 2021-08-10 17:20:25...
Subsystem started: ncs-dp-1-cisco-ios-cli-6.54:IOSDp
rst@ncs#

Step 5: Check NED package versions.

rst@ncs# **show packages package package-version**

PACKAGE  
NAME                  VERSION  
-------------------------------
cisco-ios-cli-6.54    6.54     
cisco-iosxr-cli-7.26  7.26     

rst@ncs# exit
rst@rst:~$

Task 3: Configure NSO CLI for SSH Access

In this task, you will enable SSH connectivity on the NSO CLI northbound interface.

Step 1: Open the ncs.conf file located in directory /etc/ncs/ncs.conf.

rst@rst:~$ **sudo vim /etc/ncs/ncs.conf**

Step 2: In ncs.conf, find the section for CLI settings and enable the built-in SSH server. This will enable operators to connect to the NSO CLI, using an SSH connection to port 2024.

\### OUTPUT OMITTED ###
<cli>
    <enabled>true</enabled>   
        
    <!-- Use the builtin SSH server -->  
    <ssh>
    <enabled>true</enabled>
    <ip>0.0.0.0</ip>
    <port>2024</port>
    </ssh>
    
    <prompt1>\\u@ncs> </prompt1>
    <prompt2>\\u@ncs% </prompt2>
    
    <c-prompt1>\\u@ncs# </c-prompt1>
    <c-prompt2>\\u@ncs(\\m)# </c-prompt2>
        
    <restricted-file-access>true</restricted-file-access>
    <show-log-directory>${NCS\_LOG\_DIR}</show-log-directory>
    <show-commit-progress>true</show-commit-progress>
    <suppress-commit-message-context>maapi</suppress-commit-message-context>
    <suppress-commit-message-context>system</suppress-commit-message-context>
</cli>
\### OUTPUT OMITTED ###

Step 3: Find the aaa section, where authentication settings can be configured. Check that the PAM option is enabled and that external and local authentication are disabled. To save the file, press Esc and type :wq!.

\### OUTPUT OMITTED ###
<aaa> 
    <ssh-server-key-dir>${NCS\_CONFIG\_DIR}/ssh</ssh-server-key-dir>
                            
    <!-- Depending on OS - and also depending on user requirements -->
    <!-- the pam service value value must be tuned. -->
        
    <pam>
    <enabled>true</enabled>
    <service>common-auth</service>
    </pam>
    <external-authentication>
    <enabled>false</enabled>
    <executable>my-test-auth.sh</executable>
    </external-authentication>

    <local-authentication>
    <enabled>false</enabled>
    </local-authentication>
    
    <expiration-warning>prompt</expiration-warning>
</aaa>
\### OUTPUT OMITTED ###

Step 4: To apply the configuration, NSO must be reloaded.

You are using PAM to do user authentication. This is convenient because you can provide the same set of users with access to both the Linux server and NSO.

rst@rst:~$ **sudo /etc/init.d/ncs reload**
Reloading ncs: .
rst@rst:~$ 

Step 5: Now you can test connectivity to the NSO CLI over SSH. The password for user rst in /etc/passwd will be checked and /etc/group consulted to do group assignment. When asked, confirm the connection with yes.

rst@rst:~$ **ssh 127.0.0.1 -p 2024**
The authenticity of host '\[127.0.0.1\]:2024 (\[127.0.0.1\]:2024)' can't be established.
ED25519 key fingerprint is SHA256:HkErXod4eRIEBMUUasQiZ7AyvXwoAWoa3gXuKz0D48o.
Are you sure you want to continue connecting (yes/no/\[fingerprint\])? yes
Warning: Permanently added '\[127.0.0.1\]:2024' (ED25519) to the list of known hosts.
rst@127.0.0.1's password: 

rst connected from 127.0.0.1 using ssh on rst
rst@ncs> switch cli
rst@ncs# exit
Connection to 127.0.0.1 closed.
rst@rst:~$  

You have successfully connected over SSH as the rst user.
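
One way to re-check the settings from Steps 2 and 3 of this task after editing, as an added example that is not part of the original lab or of NSO: the script reads ncs.conf, reports the CLI SSH listener so it can be matched against firewall rules, and flags authentication settings that differ from what Step 3 expects. It assumes one element per line as in the excerpts and a root element named ncs-config; the function names are hypothetical and the sample input is constructed.

```shell
#!/usr/bin/env bash
# Added example: check the ncs.conf settings edited in Task 3 (not NSO tooling).
# Assumes one element per line, as in the excerpts, and an ncs-config root.
audit_conf() {   # usage: audit_conf < /etc/ncs/ncs.conf
  awk '
    { gsub(/^[ \t]+|[ \t]+$/, "") }
    in_c { if (/-->/) in_c = 0; next }          # inside a multi-line comment
    /^<!--/ { if (!/-->/) in_c = 1; next }
    /^<\?/ || /\/>$/ { next }                   # XML declaration, empty element
    /^<\/[^>]+>$/ { depth--; next }             # closing tag
    { name = $0; sub(/^</, "", name); sub(/[ >].*/, "", name) }
    /^<[^>]+>$/ { stack[++depth] = name; next } # opening tag of a container
    /^<[^>]+>.*<\/[^>]+>$/ {                    # leaf: <name>value</name>
      val = $0; sub(/^<[^>]+>/, "", val); sub(/<\/[^>]+>$/, "", val)
      path = ""; for (i = 1; i <= depth; i++) path = path stack[i] "/"
      sub(/^ncs-config\//, "", path); v[path name] = val
    }
    END {
      if (v["cli/ssh/enabled"] == "true")
        print "listener: cli/ssh on " v["cli/ssh/ip"] ":" v["cli/ssh/port"]
      if (v["aaa/pam/enabled"] != "true") print "finding: aaa/pam is not enabled"
      n = split("local-authentication external-authentication", m, " ")
      for (i = 1; i <= n; i++)
        if (v["aaa/" m[i] "/enabled"] == "true") print "finding: aaa/" m[i] " is enabled"
    }'
}

# Constructed sample: the page's settings with local authentication switched on.
sample_conf() { cat <<'EOF'
<ncs-config>
  <cli>
    <ssh>
      <enabled>true</enabled>
      <ip>0.0.0.0</ip>
      <port>2024</port>
    </ssh>
  </cli>
  <aaa>
    <pam>
      <enabled>true</enabled>
    </pam>
    <local-authentication>
      <enabled>true</enabled>
    </local-authentication>
  </aaa>
</ncs-config>
EOF
}
sample_conf | audit_conf
```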