Configuring Arista Switches with Ansible, Part 1 of 3

Author: Kirk Byers
Date: 2013-11-18

I recently created a Meetup group in San Francisco (SF Network Automation) and gave the initial talk, "Network Automation using Ansible and Puppet". In preparing for that talk, I created an Ansible-Arista test environment. This three-part blog series will share things I learned. Part 1 (this article) covers configuring the Arista virtual switch to work with Ansible; part 2 will cover using Ansible to configure the Arista switch; and part 3 will cover troubleshooting.

For some additional context, Ansible is clientless. It uses SSH to transfer Arista-specific Python modules from the Ansible server to the switch. It then executes the Python modules on the switch (Arista has Python installed). The modules in turn execute a set of 'devops' commands; these 'devops' commands are provided by the Arista Devops Extension (you can also manually execute these devops commands from the switch's UNIX shell). The devops commands then make JSON-RPC calls into the Arista API. Given the above, the setup process consists of:

  • Install the Arista Devops Extension
  • Configure the Devops Extension to use the Arista API
  • Enable the Arista API on the switch
  • Create an Ansible user on the switch
  • Configure the Arista switch to trust the Ansible server for SSH

My test environment consisted of three components: my MacBook Pro running VMware Fusion, an Arista virtual switch, and a Linux virtual server (the Ansible server). From a networking perspective, my MacBook Pro was located at 172.16.64.1/24, the Linux virtual machine was at 172.16.64.2/24, and the Arista virtual switch was at 172.16.64.11/24 (management interface).

Arista provided me with several files including the Arista Boot Loader (Aboot-veos-2.0.8.iso) and an Arista .vmdk file (EOS-4.12.3-veos.vmdk). They also provided me with the Arista Devops extension and with the devops.conf configuration file. I will discuss both the Devops Extension and the devops.conf configuration file in more detail in this article.

Using the documents below, I was able to get the Arista virtual switch to run in Fusion:

https://eos.aristanetworks.com/2011/11/running-eos-in-a-vm/
https://eos.aristanetworks.com/2012/06/vmware-fusion-virtual-networks/

After the Arista virtual switch is running, you then need to configure the switch to support Ansible. The first step in this process is to install the Arista Devops Extension (check with Arista on which version to use). This is accomplished by doing the following (on the Arista switch):

# Transfer the Devops Extension file from my MacBook Pro to the Arista switch
copy http://172.16.64.1/devops-0.1.1-1.noarch.rpm extension:
# Install the extension
extension devops-0.1.1-1.noarch.rpm
# Have the extension load at boot
copy installed-extensions boot-extensions

After the extension is installed you can verify its status:

arista-sw1#show extensions 
Name                                       Version/Release           Status RPMs
------------------------------------------ ------------------------- ------ ----
devops-0.1.1-1.noarch.rpm                  0.1.1/1                   A, I      1

A: available | NA: not available | I: installed | NI: not installed | F: forced 

The extension should show up as available and installed.

After you install the Devops Extension, you then need to configure the devops.conf configuration file. To do this, drop into the shell from the Arista CLI and cd to /mnt/flash:

arista-sw1#bash

Arista Networks EOS shell

[admin@arista-sw1 ~]$ cd /mnt/flash
[admin@arista-sw1 ~]$ vi devops.conf

Here are the contents of the file excluding comments and whitespace:

[main]
USERNAME = eapi 
PASSWORD = password
HOSTNAME = localhost
PORT = 80
PROTOCOL = http
LEVEL = DEBUG

Note, since my environment is an unreachable test environment, I used trivial passwords and HTTP.

The devops.conf configuration file defines parameters that the Devops Extension uses to call the Arista API.

After configuring the Devops Extension, you then need to configure the API on the Arista switch (back in the Arista CLI):

management api http-commands
   no protocol https
   protocol http
   no shutdown

username eapi secret password

Your API configuration has to be consistent with the settings in the devops.conf configuration file.
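
The consistency requirement above can be checked mechanically. The following Python example is an addition to this article, not code from the author or from Arista: it parses the devops.conf and the EOS stanza shown here (embedded as constructed samples) and reports mismatches between them, plus the two test-only shortcuts noted above, HTTP and a trivial password. The function names, finding codes and the TRIVIAL deny-list are assumptions made for illustration.

```python
import configparser
# Constructed inputs copied from the two configurations shown in the article.
DEVOPS_CONF = """[main]
USERNAME = eapi
PASSWORD = password
HOSTNAME = localhost
PORT = 80
PROTOCOL = http
LEVEL = DEBUG
"""
EOS_CONFIG = """management api http-commands
   no protocol https
   protocol http
   no shutdown

username eapi secret password
"""
TRIVIAL = {"password", "admin", "arista", "ansible", "eapi"}  # assumed deny-list

def parse_eos(text):  # collect enabled eAPI protocols, admin state, local usernames
    eos = {"protocols": set(), "enabled": False, "users": set()}
    in_api = False
    for raw in text.splitlines():
        words = raw.split()
        if not raw.startswith(" "):            # top-level line starts a new stanza
            in_api = raw.strip() == "management api http-commands"
            if len(words) > 1 and words[0] == "username":
                eos["users"].add(words[1])
        elif in_api and len(words) > 1 and words[0] == "protocol":
            eos["protocols"].add(words[1])
        elif in_api and words == ["no", "shutdown"]:
            eos["enabled"] = True
    return eos

def audit(devops_text, eos_text):
    """Return finding codes: the first three break the extension, the rest are weak settings."""
    cp = configparser.ConfigParser()
    cp.read_string(devops_text)
    main, eos = cp["main"], parse_eos(eos_text)
    proto, user = main.get("PROTOCOL", "").lower(), main.get("USERNAME", "")
    checks = [
        (not eos["enabled"], "eapi-shutdown"),
        (proto not in eos["protocols"], "protocol-mismatch"),
        (user not in eos["users"], "user-mismatch"),
        (proto == "http", "cleartext-http"),
        (main.get("PASSWORD", "").lower() in TRIVIAL | {user.lower()}, "trivial-password"),
    ]
    return [code for failed, code in checks if failed]

print(audit(DEVOPS_CONF, EOS_CONFIG))  # ['cleartext-http', 'trivial-password']
```

The check compares protocol and username only; it does not compare the devops.conf password against the switch configuration.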

After configuring the Arista API, go back to the shell and create an Ansible user:

arista-sw1#bash

Arista Networks EOS shell

$ cd /mnt/flash
$ cat rc.eos 
#!/bin/sh
devops user create ansible --shell-account --pwd ansible 

You can then either reload the switch or run the 'devops' command manually.

After the Ansible user is created, you then need to set up authorized_keys so that the remote Ansible user can SSH into the switch using public key authentication.

$ mkdir .ssh
$ chmod 700 .ssh
$ cd .ssh/
$ touch authorized_keys
$ chmod 600 authorized_keys
$ vi authorized_keys 

Add your Ansible server SSH public key. Note that in this document I am creating a test environment; you must determine the appropriate security for the environment that you are setting up.

The above setup will cause the Ansible user's home directory to get recreated every time the switch reboots. This implies that you must recreate the .ssh directory and the authorized_keys file after every reboot. This was fine for my test environment.

You should now be able to SSH without a password from the Ansible server into the Arista virtual switch (using public key authentication).

$ ssh ansible@172.16.64.11
Last login: Thu Nov 14 10:23:45 2013 from 172.16.64.1

Arista Networks EOS shell

$ 

You should now be ready to use Ansible to configure the Arista switch (see Part 2, Configuring Arista Switches with Ansible).

Kirk Byers

@kirkbyers
