Date post: | 15-Aug-2015 |
Category: |
Technology |
Upload: | cisco-devnet |
What is Chef?
• Open Source framework for managing complexity
• Declarative language for describing & configuring infrastructure
• An awesome community of professionals
• A fast-growing company based in Seattle, WA with >50% remote
How does Chef work?
• Ensures desired state by continually testing and repairing individual resources in the system
• You compose policies using a series of simple declarations
• The Chef client fetches those policies from a central server and applies them to the local machine
• The state of the machine is recorded and sent back to a database, where it is indexed for search, reporting, and audit.
Policy-based
• Chef provides a domain-specific language (DSL) that allows you to specify policy for your infrastructure
• Policy describes the desired state
• Policies can be statically or dynamically defined
• Chef ensures each node in your infrastructure complies with the policy
Recipes
# Resource one
package "httpd"

# Resource two
template "/etc/httpd/conf.d/mysite.conf" do
  source "mysite.conf.erb"
  owner "root"
  group "root"
  mode "0644"
  variables(:allow_override => "All")
  notifies :reload, "service[httpd]"
end

# Resource three
service "httpd" do
  action [:enable, :start]
  supports :reload => true
end
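The test-and-repair cycle behind the recipe above, as an added example that is not part of the original slides and is not Chef's own implementation. `ManagedFile` and `run_policy` are hypothetical names; the sketch shows a file converging to its declared content and mode, a second run changing nothing, and a permission drift being repaired with the notification firing only on change.

```ruby
require "tmpdir"

# Hypothetical stand-in for a Chef file/template resource: it compares the
# current state with the declared state and repairs only what differs.
class ManagedFile
  attr_reader :path

  def initialize(path, content:, mode:)
    @path, @content, @mode = path, content, mode
  end

  # Test phase: list every attribute that is out of policy.
  def drift
    return [:missing] unless File.exist?(@path)
    found = []
    found << :content if File.read(@path) != @content
    found << :mode if (File.stat(@path).mode & 0o7777) != @mode
    found
  end

  # Repair phase: returns what was fixed ([] means already compliant).
  def converge
    changed = drift
    return changed if changed.empty?
    File.write(@path, @content) if (changed & [:missing, :content]).any?
    File.chmod(@mode, @path)
    changed
  end
end

# One client run: converge each resource, record changes for reporting and
# fire the notification (e.g. a service reload) only when something changed.
def run_policy(resources, on_change)
  resources.each_with_object({}) do |res, report|
    changed = res.converge
    report[res.path] = changed
    on_change.call(res.path) unless changed.empty?
  end
end

def demo
  Dir.mktmpdir do |dir|
    conf = ManagedFile.new(File.join(dir, "mysite.conf"),
                           content: "AllowOverride All\n", mode: 0o644)
    reloads = []
    first  = run_policy([conf], ->(p) { reloads << p })   # creates the file
    second = run_policy([conf], ->(p) { reloads << p })   # nothing to do
    File.chmod(0o666, conf.path)                          # constructed drift
    third  = run_policy([conf], ->(p) { reloads << p })   # repairs the mode
    [first.values, second.values, third.values, reloads.size,
     File.stat(conf.path).mode & 0o7777]
  end
end

p demo if __FILE__ == $0
```

The per-run report returned by `run_policy` corresponds to the state that the client sends back for search, reporting, and audit.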
Infrastructure as Code
• Programmatically provision and configure components
• Treat like any other code base
• Reconstruct business from code repository, data backup, and compute resources
Built-in Resources
• package
• template
• service
• cron
• directory
• mount
• user
• group
• registry_key
• remote_directory
• route
• ...and many more!
Build Anything
• Simple internal applications
• Complex external applications
• Workstations
• Hadoop clusters
• IaaS infrastructure
• PaaS infrastructure
• SaaS applications
• Storage systems
• You name it
And Manage it Simply
• Automatically reconfigure everything
• Linux, Windows, Unixes, BSDs
• Switches and load balancers
• Storage systems
• Metrics collection systems
• Monitoring systems
• Cloud migrations become trivial
Servers are great and all…
• Chef easily scales to deployments of hundreds of thousands of servers.
• Physical, virtual or cloud instances
• Linux, Windows, AIX, Solaris, OS X and many more
…but Networking is Different!
• Managing network devices is trickier
• Especially without an agent
• But many devices are Linux or FreeBSD-based
• Chef is already cross-platform and runs on many operating systems
Chef & Cisco
Nexus 9k and 3k Platforms
• Chef and Cisco are working together to bring officially supported packages to NX-OS and IOS-XR
• Support across Nexus 9300/9500 & 3000 Series
• Q3 of this year
Omnibus Packages
• Omnibus is our open source cross-platform full-stack packaging system (Linux, Windows, AIX, OS X, etc.)
• github.com/chef/omnibus
• Includes all of the dependencies for running Chef on an operating system (Ruby, OpenSSL, etc.)
• Produces a dependency-free package (e.g. RPM, DEB, MSI)
• Installs into /opt/chef
node['platform'] = 'nexus'
node['platform_family'] = 'wrlinux'
Chef Client
• Currently building from Chef 12 master branch
• Omnibus and ohai patches upstreamed
• Chef Resources being updated accordingly
Chef’s CD Pipeline
• Continuous delivery of Chef client builds
• Currently 22 targets
• Cisco will be a Tier 1 Platform
• Downloads will be available:
  • downloads.chef.io
  • packagecloud.io/chef/
  • Omnitruck API (www.chef.io)
Cisco Cookbook
• Provides Resources for managing NX-OS
• Ruby API calls to NXAPI
• Abstracts underlying Cisco specifics, cross-platform
• ChefSpec and Test Kitchen support
• Cookbook and Ruby Gems open source soon
Cisco Cookbook Resources
• cisco_command_config
• cisco_interface
• cisco_interface_ospf
• cisco_ospf
• cisco_ospf_vrf
• cisco_package
• cisco_snmp_community
• cisco_snmp_group
• cisco_snmp_server
• cisco_snmp_user
• cisco_tacacs_server
• cisco_tacacs_server_host
• cisco_vlan
• cisco_vtp
• …and more coming!
Cisco Cookbook Resource Example
cisco_interface 'Ethernet1/1' do
  action :create
  ipv4_address '1.1.1.1'
  ipv4_netmask_length 24
  ipv4_proxy_arp true
  ipv4_redirects true
  shutdown true
  switchport_mode 'disabled'
end
Test Driven Infrastructure
• Versioning is baked into Chef Cookbooks and Environments
• Infrastructure as Code should be treated like code
  • Version control
  • Testing
  • Continuous Delivery
Testing with Chef
• RuboCop: Ruby code analyzer
• FoodCritic: lint testing for Chef cookbooks
• ChefSpec: unit testing for Chef cookbooks
• Test Kitchen: platform for integration testing Chef infrastructure
Continuous Delivery and Networking
• Controlled promotion of change across environments with testing reduces risk
• Visibility and accountability of all changes across all infrastructure
• Faster and safer delivery of new features
Strategies for Managing Networks
• Chef-only
  • Controller-less, Chef manages devices
• Cisco Application-Centric Infrastructure-only
  • Chef interacts directly with ACI which manages everything
• Hybrid
  • Chef manages devices, ACI manages networking
Further Cisco Integrations
• UCS
  • Ruby ucslib-based solutions
• ACI
• OpenStack
  • knife-openstack
  • chef-provisioning-openstack