Managing Zero-Touch Provisioning (ZTP) for Switches

Important

Currently only supported for Cumulus switches.

The ICE ClusterWare™ platform supports ZTP (Zero-Touch Provisioning) of switches. ZTP by itself does not provide a full, end-to-end control plane for cluster networking. However, it does allow for server-provided scripts to alter the configuration of connected switches.

ZTP-capable switches are essentially Linux management systems attached to the switches. The ClusterWare platform treats them similarly to nodes in the cluster. You can add switches to the cluster using cw-switchctl create and specifying the switch's MAC address. See Create Switches for details.

Configure ZTP Boot Script

You can configure each ZTP switch to boot using a ZTP boot script. Write the boot script in Bash or Python. Some switches also allow Perl, Ruby, or a vendor-specific language. As with other scripts, the first line should be #!/path/to/interpreter (for example, #!/bin/bash). These scripts execute as user root on the switch and can execute commands supported by the switch, including triggering Puppet or Ansible runs, downloading files via wget or curl and manipulating or moving them on the switch, and more. After successful execution, the script must return status 0.

Per the Cumulus Linux guidelines, the script must include the phrase "CUMULUS-AUTOPROVISIONING", usually in a comment, to execute at ZTP boot. Other switch or NOS vendors may require similar keywords.

Local ZTP boot scripts reside in /opt/scyld/clusterware/kickstarts/. In a cluster with multiple head nodes, every head node should have the same ZTP boot script installed. Alternatively, you can store the script in a local, mirrored, or remote Git repository. If you store passwords or other sensitive data in your boot script, storing the script on the head node(s) or in a local or mirrored Git repository may be more secure.

Installing the ZTP boot script is done manually via a boot configuration. Multiple boot configuration options are available depending on your file type and client capabilities.

  • _boot_config="ztp:<file or Git repository location>": Generic file that can be a script or configuration file. Assumes the switch client accepts a generic file type.

  • _boot_config="ztp_script:<file or Git repository location>": Text file. The ClusterWare software sets the MIME type to a text document.

  • _boot_config="ztp_config:<file or Git repository location>": JSON file. The ClusterWare software sets the MIME type to text/JSON. If the switch expects a script instead, it will fail.

ZTP boot configuration scripts stored locally in the /opt/scyld/clusterware/kickstarts/ directory are provided as a file name. For example, _boot_config="ztp:ztp_config.sh". Scripts stored in a head node-hosted Git repository (local or mirrored) are provided with a cwgit: location. For example, _boot_config="ztp:cwgit://switchrepos/path/to/ztp_config.json". Alternatively, scripts stored in any type of Git repository can be provided with an http URL.
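The prefix and location rules above can be checked on the head node before a value is handed to cw-switchctl, which avoids a switch booting with a JSON prefix on a shell script or a file name that exists on only one head node. The following bash helper is an added example and is not part of the ClusterWare software or its documentation: it assumes the documented kickstarts directory (overridable through the hypothetical KICKSTART_DIR variable), accepts https:// as well as http:// for remote repositories (an assumption beyond the page), and uses the hypothetical name apply_ztp_boot_config for the wrapper that runs the documented cw-switchctl command.

```shell
#!/bin/bash
# Added example, not from the ClusterWare documentation: validate a
# _boot_config value for a ZTP switch before handing it to cw-switchctl.
# KICKSTART_DIR defaults to the documented location of local boot scripts
# (the variable name itself is an assumption of this example).
KICKSTART_DIR="${KICKSTART_DIR:-/opt/scyld/clusterware/kickstarts}"

# validate_ztp_boot_config '<prefix>:<location>'
# Prints one line describing the value and returns 0 when it is usable,
# 1 for an unknown prefix or malformed location, 2 when a local file is missing.
validate_ztp_boot_config() {
    local value="$1" prefix location
    prefix="${value%%:*}"
    location="${value#*:}"

    case "$prefix" in
        ztp|ztp_script|ztp_config) ;;
        *) echo "ERROR: unknown prefix '$prefix' (expected ztp, ztp_script or ztp_config)"; return 1 ;;
    esac

    # A value with no colon leaves location equal to the whole value.
    [ -n "$location" ] && [ "$location" != "$value" ] || {
        echo "ERROR: no location after '$prefix:'"; return 1; }

    # ztp_config is served as JSON; a switch expecting a script will fail on it,
    # so refuse anything that is not a .json file under that prefix.
    if [ "$prefix" = "ztp_config" ] && [ "${location##*.}" != "json" ]; then
        echo "ERROR: ztp_config expects a JSON file, got '$location'"; return 1
    fi

    case "$location" in
        cwgit://*)
            echo "OK: $prefix from head-node Git repository $location" ;;
        http://*|https://*)   # https accepted here as an assumption of this example
            echo "OK: $prefix from remote Git repository $location" ;;
        *)
            # Plain file name: must exist in the kickstarts directory of this head node.
            if [ -f "$KICKSTART_DIR/$location" ]; then
                echo "OK: $prefix from local file $KICKSTART_DIR/$location"
            else
                echo "ERROR: $KICKSTART_DIR/$location does not exist on this head node"; return 2
            fi ;;
    esac
    return 0
}

# apply_ztp_boot_config <switch> '<prefix>:<location>'
# Validates the value, then sets it with the documented cw-switchctl syntax.
apply_ztp_boot_config() {
    validate_ztp_boot_config "$2" || return $?
    cw-switchctl -i "$1" set _boot_config="$2"
}
```

In a multi-head-node cluster, run the validation on every head node (or call it from the same tool that copies the script around), since the local-file branch only proves the file exists on the machine where it ran.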

For example:

  • Configure the local boot script ztp_config.sh for the switch switch0 using the specific prefix "ztp:":

    cw-switchctl -i switch0 set _boot_config="ztp:ztp_config.sh"
    
  • Store a JSON configuration file ztp_config.json in a local Git repository for the switch switch1 using the prefix "ztp_config:":

    cw-switchctl -i switch1 set _boot_config="ztp_config:cwgit://switchrepos/path/to/ztp_config.json"
    
  • Use an attribute group to configure the boot script:

    cw-attribctl create name=ZtpSwitches
    cw-attribctl -i ZtpSwitches set _boot_config="ztp:ztp_config.sh"
    cw-switchctl -i switch2 join ZtpSwitches
    

    The example commands above create an attribute group "ZtpSwitches" and join "switch2" to it. All members of that attribute group boot using the same ztp_config.sh script.

At boot time, the ZTP-enabled switch executes a DHCP query. The server sees the query, identifies the switch by the client's MAC address in the DHCP request, recognizes the client as a ZTP-enabled switch from the "ztp:" (or "ztp_script:" or "ztp_config:") prefix of its _boot_config, and then builds a DHCP response that includes a URL of the form http://<SERVER_IPADDR>/boot/ztp_config.sh. The switch uses standard web protocols to read the URL, download the script, and execute it.

While the system may provide some limited logging that the ZTP script was run, it may make sense to log any/all command outputs to a known file for easier debugging and triage. A line such as exec >> /var/log/autoprovision 2>&1 in a bash script writes output to that log file for subsequent commands in the script.
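Because the switch does not run a script that lacks the vendor marker or a proper interpreter line, and because a failing script leaves little to inspect unless its output was redirected, it is worth linting the script on the head node before copying it into /opt/scyld/clusterware/kickstarts/. The following is an added example and not code from the ClusterWare product or its documentation: check_ztp_script and write_sample_ztp_script are hypothetical names, the sample script is constructed for illustration and fetches a placeholder URL, and the plaintext-credential check is a simple heuristic that flags scripts which should live in a head-node-local or mirrored Git repository rather than a remote one.

```shell
#!/bin/bash
# Added example (not part of the ClusterWare documentation): pre-flight checks
# for a ZTP boot script before it is installed on the head node(s). The hard
# checks follow the requirements stated on this page; the warnings are advice.

# check_ztp_script <path>
# Prints one line per finding. Returns 0 if every hard check passes,
# 1 if any hard check fails, 2 if the file cannot be read.
check_ztp_script() {
    local script="$1" rc=0
    [ -r "$script" ] || { echo "ERROR: $script is not readable"; return 2; }

    # 1. The first line must be an interpreter directive such as #!/bin/bash.
    if ! head -n 1 "$script" | grep -q '^#!/'; then
        echo "ERROR: first line must be #!/path/to/interpreter"; rc=1
    fi

    # 2. Cumulus only executes the script at ZTP boot when it contains the marker.
    if ! grep -q 'CUMULUS-AUTOPROVISIONING' "$script"; then
        echo "ERROR: missing CUMULUS-AUTOPROVISIONING marker"; rc=1
    fi

    # 3. For bash scripts, make sure the file at least parses before a switch sees it.
    if head -n 1 "$script" | grep -q 'bash'; then
        if ! bash -n "$script" 2>/dev/null; then
            echo "ERROR: bash -n reports a syntax error"; rc=1
        fi
    fi

    # 4. Recommended: redirect all output to a log file for later triage.
    if ! grep -Eq '^[[:space:]]*exec[[:space:]]+>>?' "$script"; then
        echo "WARN: no 'exec >> <logfile> 2>&1' line; ZTP output will be hard to debug"
    fi

    # 5. Heuristic: a literal credential assignment in a script the switch fetches over HTTP.
    if grep -Eiq '(password|passwd|secret)[[:space:]]*=' "$script"; then
        echo "WARN: possible plaintext credential; keep this script on the head node(s) or in a local/mirrored Git repository"
    fi
    return "$rc"
}

# write_sample_ztp_script <path>
# Writes a constructed, hypothetical ZTP script that satisfies the checks above.
# The URL is a placeholder; the served path is not one documented on this page.
write_sample_ztp_script() {
    cat > "$1" <<'EOF'
#!/bin/bash
# CUMULUS-AUTOPROVISIONING
# Send all subsequent output to a known log file on the switch.
exec >> /var/log/autoprovision 2>&1
set -o pipefail
echo "ZTP run started $(date -u)"
# Hypothetical artifact; replace <SERVER_IPADDR> and the path for your deployment.
curl -fsSL -o /tmp/ntp.conf "http://<SERVER_IPADDR>/path/to/ntp.conf" || exit 1
install -m 0644 /tmp/ntp.conf /etc/ntp.conf || exit 1
exit 0   # status 0 tells ZTP the provisioning succeeded
EOF
}
```

Run it as check_ztp_script /path/to/script.sh on each head node before the script is placed in the kickstarts directory; a non-zero return means the switch would either ignore the script or fail part-way through it.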

Once a ZTP switch is successfully configured and the script returns status 0, it will not execute the ZTP boot script again, not even at the next reboot of the switch. To force the switch to re-execute the boot script on the next reboot, ssh to the switch and execute sudo ztp --reset.