Junos OS

  • 1.  ZTP on EX4550-32f 15.1R7-S13 fails to execute shell script

    Posted 03-28-2023 16:36
    Edited by Michael Pappas 03-30-2023 13:47
    I am working on automation of Zero Touch Provisioning for Juniper devices. In our lab we have an EX4550-32F switch with software version 15.1R7-S13, which is used for my tests and development. My task is to adapt a previously developed ZTP automation script to the Juniper device.
    As described in the Junos® OS Software Installation and Upgrade Guide, the ZTP process supports shell scripts (/bin/sh) on all devices. That is the feature the automation process relies on. But in my multiple tests, and later by analyzing the Junos utility script (image_load) that is invoked by the ZTP process, I found that it expects only a boot image file and/or a device configuration, which are supplied by the DHCP server. This means the script option is not considered, and therefore the automation process is not possible.
    Additional log information from the device (no sign of script execution or failure):

    root@:RE:0% find / -name test-juniper-script
    /var/tmp/test-juniper-script
    /packages/mnt/jweb-ex-15.1R7.9/jail/var/tmp/uploads/test-juniper-script
    root@:RE:0% /var/tmp/test-juniper-script
    /var/tmp/test-juniper-script: Authentication error.
    root@:RE:0% sh /var/tmp/test-juniper-script
    ###############
    Runnning test-junos-script Shell script on Junos device
    ###############
    root@:RE:0% ls -l /var/tmp/test-juniper-script
    -rw-r--r--  1 root  field  404 Jun 22 18:34 /var/tmp/test-juniper-script
    root@:RE:0% cd /var/log
    root@:RE:0% grep -n "test-juniper-script" *
    dhcp_logfile:361:Jun 22 18:34:28 AIU: Config Filename is test-juniper-script
    dhcp_logfile:380:Jun 22 18:34:28 AIU: Config Filename is test-juniper-script
    dhcp_logfile:431:Jun 22 18:34:36 AIU: spawn : /bin/sh /usr/sbin/image_load -G 172.22.143.63 -I vme -O install_reboot -D /var/tmp  -C test-juniper-script -F jinstall-ex-4500-15.1R7.9-domestic-signed.tgz -T http
    image_load_log:2:[Wed Jun 22 18:34:36 UTC 2022] /usr/sbin/image_load -G 172.22.143.63 -I vme -O install_reboot -D /var/tmp -C test-juniper-script -F jinstall-ex-4500-15.1R7.9-domestic-signed.tgz -T http
    image_load_log:4:[Wed Jun 22 18:34:46 UTC 2022] fetch http://172.22.143.63/test-juniper-script
    image_load_log:5:[Wed Jun 22 18:34:46 UTC 2022] test-juniper-script                                    369 kB  369 kBps
    messages:384:Jun 22 18:34:36   image_load[1854]: /usr/sbin/image_load -G 172.22.143.63 -I vme -O install_reboot -D /var/tmp -C test-juniper-script -F jinstall-ex-4500-15.1R7.9-domestic-signed.tgz -T http
    messages:393:Jun 22 18:34:46  LX0213481837 image_load[1854]: fetch http://172.22.143.63/test-juniper-script
    messages:394:Jun 22 18:34:46  LX0213481837 image_load[1854]: test-juniper-script                                    369 kB  369 kBps
    messages:420:Jun 22 18:36:46  LX0213481837 /kernel: veriexec: no signatures for device. file='/var/tmp/test-juniper-script' fsid=67 fileid=4 gen=328216438 uid=0 pid=2701
    root@:RE:0% cat image_load_log
    [Wed Jun 22 18:34:36 UTC 2022] Creating /var/run/image_load.pid with 1854
    [Wed Jun 22 18:34:36 UTC 2022] /usr/sbin/image_load -G 172.22.143.63 -I vme -O install_reboot -D /var/tmp -C test-juniper-script -F jinstall-ex-4500-15.1R7.9-domestic-signed.tgz -T http
    [Wed Jun 22 18:34:44 UTC 2022] Directory to store image is valid /var/tmp
    [Wed Jun 22 18:34:46 UTC 2022] fetch http://172.22.143.63/test-juniper-script
    [Wed Jun 22 18:34:46 UTC 2022] test-juniper-script                                    369 kB  369 kBps
    [Wed Jun 22 18:34:46 UTC 2022] File fetch done.
    [Wed Jun 22 18:34:46 UTC 2022] fetch http://172.22.143.63/jinstall-ex-4500-15.1R7.9-domestic-signed.tgz
    [Wed Jun 22 18:35:18 UTC 2022] jinstall-ex-4500-15.1R7.9-domestic-signed.tgz         4193 kB 4193 kBps
    [Wed Jun 22 18:35:18 UTC 2022] File fetch done.
    [Wed Jun 22 18:35:32 UTC 2022] /var/tmp/jinstall-ex-4500-15.1R7.9-domestic-signed.tgz is version 15.1R7.9.
    [Wed Jun 22 18:35:32 UTC 2022] This version is already installed.
    [Wed Jun 22 18:35:32 UTC 2022] Aborting install.
    [Wed Jun 22 18:35:32 UTC 2022] Removing /var/tmp/jinstall-ex-4500-15.1R7.9-domestic-signed.tgz
    [Wed Jun 22 18:35:32 UTC 2022] jinstall-ex-4500-15.1R7.9-domestic-signed.tgz not installed, committing config
    [Wed Jun 22 18:35:32 UTC 2022] /usr/sbin/cli op url /usr/sbin/commit-config.slax config_file /config/auto_image_upgrade.conf action override
    [Wed Jun 22 18:35:47 UTC 2022] Removing /var/run/image_load.pid
    root@:RE:0% 

     
    My questions: 
    1. Am I missing something and software version 15.1R7-S13 is sufficient to run ZTP scripts? If yes, what options must be supplied from DHCP?
    2. What Junos software version should be installed to support shell scripts in ES switch?
    3. What Junos software version should be installed to support Python scripts in ES switch? 

    Thank you



    ------------------------------
    Yan Gorelik
    ------------------------------
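
The check the post does by hand with grep, as an added example (not part of the original post, and not Juniper tooling): it reads the image_load spawn line to see which argument carried the file and looks for a veriexec event on it. Reading `-C` as the configuration argument and `-F` as the image is inferred from the quoted log; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. The three sample lines are copied from the log in the post.
SAMPLE_LOG=$(cat <<'EOF'
Jun 22 18:34:36 AIU: spawn : /bin/sh /usr/sbin/image_load -G 172.22.143.63 -I vme -O install_reboot -D /var/tmp  -C test-juniper-script -F jinstall-ex-4500-15.1R7.9-domestic-signed.tgz -T http
Jun 22 18:34:46  LX0213481837 image_load[1854]: fetch http://172.22.143.63/test-juniper-script
Jun 22 18:36:46  LX0213481837 /kernel: veriexec: no signatures for device. file='/var/tmp/test-juniper-script' fsid=67 fileid=4 gen=328216438 uid=0 pid=2701
EOF
)

# ztp_file_role LOG NAME: print how image_load was told to treat NAME
# ("config" for -C, "image" for -F, "not-requested" otherwise).
ztp_file_role() {
    printf '%s\n' "$1" | awk -v f="$2" '
        /image_load / {
            for (i = 1; i < NF; i++) {
                if ($i == "-C" && $(i + 1) == f) role = "config"
                if ($i == "-F" && $(i + 1) == f) role = "image"
            }
        }
        END { print (role == "" ? "not-requested" : role) }'
}

# veriexec_rejected LOG PATH: succeed if the kernel logged a missing
# signature for exactly PATH.
veriexec_rejected() {
    printf '%s\n' "$1" | grep -F "veriexec: no signatures" | grep -qF "file='$2'"
}

# ztp_triage LOG NAME DIR: one-line summary for a provisioning run.
ztp_triage() {
    zt_role=$(ztp_file_role "$1" "$2")
    if veriexec_rejected "$1" "$3/$2"; then
        zt_sig=unsigned
    else
        zt_sig=no-veriexec-event
    fi
    printf '%s role=%s veriexec=%s\n' "$2" "$zt_role" "$zt_sig"
}

ztp_triage "$SAMPLE_LOG" test-juniper-script /var/tmp
```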



  • 2.  RE: ZTP on EX4550-32f 15.1R7-S13 fails to execute shell script

    This message was posted by a user wishing to remain anonymous
    Posted 04-02-2024 12:10

    I am running into the same issue. The script_output file actually has the script debug info. But it throws out this message:

    : not foundmage_load: bin/sh




  • 3.  RE: ZTP on EX4550-32f 15.1R7-S13 fails to execute shell script

    Posted 04-03-2024 15:26

    Hi,

    This is a common issue with ZTP builds; some versions of ZTP will only accept configuration files.

    To work around this you have to load a configuration file with an event script that calls your intended script. (You then use the DHCP vendor-class options to filter those trouble devices).

    It is hard for me to answer your question as the experience and tests I have performed were with slightly different versions of 15.1 and they behaved differently. i.e. some prior to D120 would not even run the auto-image-upgrade process. So I cannot provide a conclusive answer on versions without verifying in my lab.

    I had intended on making this ZTP repo publicly available but I have not got around to anonymizing it.

    Here is an example config file to load via ZTP; this allows the ZTP system to push the configuration and trigger any script to perform the upgrade for you, independent of ZTP:

    system {
        host-name ex-test;
        root-authentication {
            encrypted-password "$1"; ## SECRET-DATA
        }
        static-host-mapping {
            ftpserver inet 172.16.1.199;
        }
        services {
            ssh;
            netconf {
                ssh;
            }
        }
        syslog {
            user * {
                any emergency;
                user info;
            }
            file messages {
                any notice;
                authorization info;
            }
            console {
                user info;
            }
        }
        inactive: autoinstallation {
        }
    }
    interfaces {
        me0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
    }
    event-options {
        generate-event {
            syscheck time-interval 900;
        }
        policy syscheck {
            events syscheck;
            then {
                execute-commands {
                    commands {
                        "op url ftp://anonymous@ftpserver:/pub/scripts/junos-sys-checks.slax";
                    }
                        output-filename syscheck-event.log;
                        destination syscheck-event_log;
                        output-format text;
                }
            }
        }
        destinations {
            syscheck-event_log {
                archive-sites {
                    /var/tmp/;
                }
            }
        }
    }
    


    ------------------------------
    GAVIN WHITE
    ------------------------------



  • 4.  RE: ZTP on EX4550-32f 15.1R7-S13 fails to execute shell script

    Posted 5 days ago

    Hi Gavin

    Thank you for the suggestion. It is working now and I can run the ZTP.

    The only question left is how to configure a user password from the configuration file. Supplying a plain-text password in the config file is not allowed, because it is an interactive command.

    At the moment I use a previous copy of the encrypted password, but I am sure there must be a better way.

    Thanks,

    Yan



    ------------------------------
    Yan Gorelik
    ------------------------------



  • 5.  RE: ZTP on EX4550-32f 15.1R7-S13 fails to execute shell script

     
    Posted 4 days ago

    You can use "plain-text-password-value" instead of "plain-text-password" to avoid the interactive method. Take care with using plain-text passwords in files though!

    e.g.

    system {
        login {
            user $USER {
                class $CLASS;
                authentication {
                    plain-text-password-value "$PASS";
                }
            }
        }
    }
    
    set system login user foo class super-user authentication plain-text-password-value "Jun1p3r@123!"
    [edit]
    root@vmx101# show | compare
    [edit system login]
    +    user foo {
    +        class super-user;
    +        authentication {
    +            encrypted-password "$6$O99PqW0u$Kuy3CavIFOdrOP5/R32Oz6.HsHjn6X33zUL9wfrUBeWZNyPCfG/ik9pAj94mAK71uNwksiZYYMakYw4A8vf641"; ## SECRET-DATA
    +        }
    +    }
    
    [edit]


    ------------------------------
    Andy Sharp
    ------------------------------



  • 6.  RE: ZTP on EX4550-32f 15.1R7-S13 fails to execute shell script

    Posted 2 days ago

    Thanks Andy,

    I learned something new today... this is a hidden command but does work.

    Yan, as Andy mentioned, be careful putting plain-text passwords (or any sensitive data) in config files. As this is ZTP, you cannot prompt the user for the password, so either use a default that is changed as part of the process or alternatively you can use SSH keys. This will allow you to store only the public key in the configuration, and the private key is still protected.



    ------------------------------
    GAVIN WHITE
    ------------------------------
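
A sketch of the SSH-key option mentioned above, added here and not taken from the thread's participants: it renders the login stanza with only a public key, after rejecting private-key material and characters that could break out of the quoted value. The function name, user name and key are constructed; only the `ssh-rsa` and `ssh-ecdsa` statements are handled.

```shell
#!/bin/sh
# Added example: render_ssh_login and its checks are illustrative, not a Juniper tool.
# Constructed placeholder key (not a real key).
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCconstructedEXAMPLEonly ztp-bootstrap@lab'

# render_ssh_login USER CLASS "type base64 [comment]": print the stanza or return 1.
render_ssh_login() {
    rl_user=$1 rl_class=$2 rl_key=$3
    rl_nl='
'
    # Strict character sets so no argument can close the quoted string or stanza.
    case $rl_user  in ''|*[!A-Za-z0-9_.-]*) echo "bad user" >&2;  return 1 ;; esac
    case $rl_class in ''|*[!A-Za-z0-9_-]*)  echo "bad class" >&2; return 1 ;; esac
    case $rl_key in
        *"PRIVATE KEY"*)
            echo "private key material refused" >&2; return 1 ;;
        *"$rl_nl"*|*'"'*|*';'*|*'{'*|*'}'*|*'\'*)
            echo "illegal character in key" >&2; return 1 ;;
    esac
    rl_type=${rl_key%% *}      # first field: key type
    rl_rest=${rl_key#* }
    rl_blob=${rl_rest%% *}     # second field: base64 key body
    case $rl_blob in ''|*[!A-Za-z0-9+/=]*) echo "key is not base64" >&2; return 1 ;; esac
    # Map the OpenSSH key type to the Junos authentication statement.
    case $rl_type in
        ssh-rsa)           rl_stmt=ssh-rsa ;;
        ecdsa-sha2-nistp*) rl_stmt=ssh-ecdsa ;;
        *) echo "unsupported key type: $rl_type" >&2; return 1 ;;
    esac
    printf 'system {\n    login {\n        user %s {\n' "$rl_user"
    printf '            class %s;\n            authentication {\n' "$rl_class"
    printf '                %s "%s";\n            }\n' "$rl_stmt" "$rl_key"
    printf '        }\n    }\n}\n'
}

render_ssh_login ztpadmin super-user "$SAMPLE_PUBKEY"
```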



  • 7.  RE: ZTP on EX4550-32f 15.1R7-S13 fails to execute shell script

    Posted 2 days ago

    Hi Andy

    Thank you so much for the valuable solution!

    There is one more issue that I am facing with ZTP. As part of the bootstrap process, the script should configure an IP address on the management interface me0. But the switch does not allow me to do that, because the interface is configured as dhcp. I can manually delete dhcp and then configure the IP address, but this must be done by loading the Day0 configuration file. Any suggestion? Maybe another hidden feature?

    Thanks again,

    Yan



    ------------------------------
    Yan Gorelik
    ------------------------------



  • 8.  RE: ZTP on EX4550-32f 15.1R7-S13 fails to execute shell script

    Posted 2 days ago

    Hi Yan, 

    There are many ways to do this, it will depend on the source of the IP Address DB that you are using...

    The simplest is using Static Assignment under the DHCP server...

    This can be expanded on by performing some additional operations on the switch, reading the current DHCP Assigned address and then converting this to a static configuration, via Python, SLAX etc.

    Alternatively, write your initial script to collect a DB file from the FTP server (or perform a GET request to an API) that matches the device serial number (or MAC) to an IP address value, then configure this static IP on the switch. 

    To provide more insight into this one, we would need to review your bootstrap script and method of IP assignment/management.



    ------------------------------
    GAVIN WHITE
    ------------------------------
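
The serial-to-address lookup suggested above, as an added example that is not from the thread: because the inventory file arrives over the network, the lookup validates it before anything reaches the configuration. The file format, serials, addresses and function names are assumptions.

```shell
#!/bin/sh
# Added example. Inventory format "serial,address/prefix" and every entry
# below are constructed; CRLF line endings are included on purpose.
SAMPLE_DB=$(printf '%s\r\n' '# serial,mgmt-address' \
    'ZTPLAB0001,192.0.2.11/24' 'ZTPLAB0002,192.0.2.300/24' \
    'ZTPLAB0003,192.0.2.13/24' 'ZTPLAB0003,192.0.2.14/24')

# lookup_mgmt_addr DB SERIAL: print the address for SERIAL, or fail when the
# serial is missing, listed more than once, or its address is malformed.
lookup_mgmt_addr() {
    case $2 in ''|*[!A-Za-z0-9]*) return 1 ;; esac   # serial must be alphanumeric
    printf '%s\n' "$1" | awk -F, -v s="$2" '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        ($1 "") == (s "") { n++; addr = $2 }    # exact string match, never numeric
        END {
            if (n != 1) exit 1                  # missing or ambiguous entry
            if (addr !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) exit 1
            split(addr, p, "[./]")
            for (i = 1; i <= 4; i++) if (p[i] + 0 > 255) exit 1
            if (p[5] + 0 < 1 || p[5] + 0 > 32) exit 1
            print addr
        }'
}

# mgmt_set_commands DB SERIAL: configuration-mode commands that replace DHCP
# on me0 with the static address, for use by a Day-0 script.
mgmt_set_commands() {
    ms_addr=$(lookup_mgmt_addr "$1" "$2") || return 1
    printf '%s\n' "delete interfaces me0 unit 0 family inet dhcp" \
        "set interfaces me0 unit 0 family inet address $ms_addr"
}

mgmt_set_commands "$SAMPLE_DB" ZTPLAB0001
```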



  • 9.  RE: ZTP on EX4550-32f 15.1R7-S13 fails to execute shell script

    Posted 20 hours ago

    Hi Gavin

    I found a working solution. In the starter configuration I assign dhcp to the vme interface. Then my shell script sets the needed IP address on the me0 interface.

    I have yet another question, though. When my shell script finishes its work I need to remove or disable the event-options configuration. I tried to delete it as the last command in the list, but I can see that all the commands are executed kind of in parallel, and for that reason it did not work. Then I tried to delete event-option at the very end of my script (note that it is invoked by the event); that does not work either. Currently I have to manually delete it after the ZTP bootstrap process has finished. I wonder if you can suggest a better way to delete or disable the event.

    Appreciate your help very much.

    Yan



    ------------------------------
    Yan Gorelik
    ------------------------------



  • 10.  RE: ZTP on EX4550-32f 15.1R7-S13 fails to execute shell script

    Posted 18 hours ago

    Hi Yan,

    How are you loading the configuration? Are you using set commands or compiling and loading a configuration file?

    You can make use of some of the 'replace:', 'merge:' and 'patch:' options available in the configuration stanza; also, xmlns has its own way of replacing sections of configuration.

    Here is an article that illustrates some examples and the expected output of the various options...

    https://www.juniper.net/documentation/us/en/software/junos/cli/topics/topic-map/junos-config-files-loading.html#loading-a-configuration-from-a-file



    ------------------------------
    GAVIN WHITE
    ------------------------------