You can use "plain-text-password-value" instead of "plain-text-password" to avoid the interactive method. Take care with using plain-text passwords in files though!
e.g.
Original Message:
Sent: 05-03-2024 13:30
From: Yan Gorelik
Subject: ZTP on EX4550-32f 15.1R7-S13 fails to execute shell script
Hi Gavin
Thank you for the suggestion. It is working now and I can run the ZTP.
The only question left is how to configure the user password from the configuration file? Supplying a plain-text password in the config file is not allowed, because it is an interactive command.
At the moment I use a previous copy of the encrypted password, but I am sure there must be a better way.
Thanks,
Yan
------------------------------
Yan Gorelik
Original Message:
Sent: 04-03-2024 15:26
From: GAVIN WHITE
Subject: ZTP on EX4550-32f 15.1R7-S13 fails to execute shell script
Hi,
This is a common issue with ZTP builds; some versions of ZTP will only accept configuration files.
To work around this you have to load a configuration file with an event script that calls your intended script. (You then use the DHCP vendor-class options to filter those trouble devices).
It is hard for me to answer your question as the experience and tests I have performed were with slightly different versions of 15.1 and they behaved differently. i.e. some prior to D120 would not even run the auto-image-upgrade process. So I cannot provide a conclusive answer on versions without verifying in my lab.
I had intended on making this ZTP repo publicly available but I have not got around to anonymizing it.
Here is an example config file to load via ZTP; this allows the ZTP system to push the configuration and trigger any script to perform the upgrade for you, independent of ZTP:
system {
    host-name ex-test;
    root-authentication {
        encrypted-password "$1"; ## SECRET-DATA
    }
    static-host-mapping {
        ftpserver inet 172.16.1.199;
    }
    services {
        ssh;
        netconf {
            ssh;
        }
    }
    syslog {
        user * {
            any emergency;
            user info;
        }
        file messages {
            any notice;
            authorization info;
        }
        console {
            user info;
        }
    }
    inactive: autoinstallation {
    }
}
interfaces {
    me0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
}
event-options {
    generate-event {
        syscheck time-interval 900;
    }
    policy syscheck {
        events syscheck;
        then {
            execute-commands {
                commands {
                    "op url ftp://anonymous@ftpserver:/pub/scripts/junos-sys-checks.slax";
                }
                output-filename syscheck-event.log;
                destination syscheck-event_log;
                output-format text;
            }
        }
    }
    destinations {
        syscheck-event_log {
            archive-sites {
                /var/tmp/;
            }
        }
    }
}
------------------------------
GAVIN WHITE
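A pre-publication check for a ZTP config file, tied to the plain-text password warning and the event-policy config in this thread. It is an added example, not code from any poster or from Juniper. Assumptions: curly-brace config format; `SAMPLE`, `statements` and `audit` are hypothetical names, the sample credentials are constructed, and flagging `$1$` (MD5-crypt) hashes goes beyond what the thread discusses.

```python
import re

# Constructed sample: made-up password and hash; the event command is the thread's.
SAMPLE = r'''
system {
    root-authentication { plain-text-password-value "Example-Only-1"; }
    login { user ztp { authentication {
        encrypted-password "$1$constructed$notarealhash"; ## SECRET-DATA
    } } }
}
event-options { policy syscheck { then { execute-commands { commands {
    "op url ftp://anonymous@ftpserver:/pub/scripts/junos-sys-checks.slax";
} } } } }
'''

TOKEN = re.compile(r'"[^"]*"|##[^\n]*|[{};]|[^\s{};"]+')
CLEARTEXT_URL = re.compile(r'\b(?:ftp|tftp|http)://[^\s";]+')

def statements(text):
    """Yield (hierarchy path, words) for each ';'-terminated statement."""
    path, words = [], []
    for tok in TOKEN.findall(text):
        if tok.startswith("##"):      # annotation such as ## SECRET-DATA
            continue
        if tok == "{":                # words so far name a new hierarchy level
            path, words = path + [" ".join(words)], []
        elif tok == "}":
            path, words = path[:-1], []
        elif tok == ";":
            if words:
                yield " ".join(path), words
            words = []
        else:
            words.append(tok)

def audit(text):
    """Return (path, issue) pairs to fix before the file is served by ZTP."""
    findings = []
    for path, words in statements(text):
        if words[0] == "plain-text-password-value":
            findings.append((path, "cleartext password in file"))
        elif words[0] == "encrypted-password" and words[-1].startswith('"$1$'):
            findings.append((path, "MD5-crypt ($1$) hash"))
        for m in CLEARTEXT_URL.finditer(" ".join(words)):
            findings.append((path, "cleartext fetch: " + m.group(0)))
    return findings

if __name__ == "__main__":
    for path, issue in audit(SAMPLE):
        print(f"[{path}] {issue}")
```

Because it tokenizes rather than reading line by line, the check also works on a config that has been collapsed onto one line.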
Original Message:
Sent: 03-28-2023 11:59
From: Yan Gorelik
Subject: ZTP on EX4550-32f 15.1R7-S13 fails to execute shell script
I am working on automation of Zero Touch Provisioning for Juniper devices. We have in our lab an EX4550-32F switch with software version 15.1R7-S13, which is used for my tests and development. My task is to adapt a previously developed ZTP automation script to the Juniper device.
As it is described in the Junos® OS Software Installation and Upgrade Guide, the ZTP process supports shell scripts (/bin/sh) on all the devices. That is the feature that the automation process relies on. But in my multiple tests, and later by analyzing the Junos utility script (image_load), which is invoked by the ZTP process, I found that it expects only a boot image file and/or device configuration, which are supplied by the DHCP server. Meaning the script option is not considered and therefore the automation process is not possible.
Additional log information from the device (no sign of script execution or failure):
root@:RE:0% find / -name test-juniper-script
/var/tmp/test-juniper-script
/packages/mnt/jweb-ex-15.1R7.9/jail/var/tmp/uploads/test-juniper-script
root@:RE:0% /var/tmp/test-juniper-script
/var/tmp/test-juniper-script: Authentication error.
root@:RE:0% sh /var/tmp/test-juniper-script
###############
Runnning test-junos-script Shell script on Junos device
###############
root@:RE:0% ls -l /var/tmp/test-juniper-script
-rw-r--r-- 1 root field 404 Jun 22 18:34 /var/tmp/test-juniper-script
root@:RE:0% cd /var/log
root@:RE:0% grep -n "test-juniper-script" *
dhcp_logfile:361:Jun 22 18:34:28 AIU: Config Filename is test-juniper-script
dhcp_logfile:380:Jun 22 18:34:28 AIU: Config Filename is test-juniper-script
dhcp_logfile:431:Jun 22 18:34:36 AIU: spawn : /bin/sh /usr/sbin/image_load -G 172.22.143.63 -I vme -O install_reboot -D /var/tmp -C test-juniper-script -F jinstall-ex-4500-15.1R7.9-domestic-signed.tgz -T http
image_load_log:2:[Wed Jun 22 18:34:36 UTC 2022] /usr/sbin/image_load -G 172.22.143.63 -I vme -O install_reboot -D /var/tmp -C test-juniper-script -F jinstall-ex-4500-15.1R7.9-domestic-signed.tgz -T http
image_load_log:4:[Wed Jun 22 18:34:46 UTC 2022] fetch http://172.22.143.63/test-juniper-script
image_load_log:5:[Wed Jun 22 18:34:46 UTC 2022] test-juniper-script 369 kB 369 kBps
messages:384:Jun 22 18:34:36 image_load[1854]: /usr/sbin/image_load -G 172.22.143.63 -I vme -O install_reboot -D /var/tmp -C test-juniper-script -F jinstall-ex-4500-15.1R7.9-domestic-signed.tgz -T http
messages:393:Jun 22 18:34:46 LX0213481837 image_load[1854]: fetch http://172.22.143.63/test-juniper-script
messages:394:Jun 22 18:34:46 LX0213481837 image_load[1854]: test-juniper-script 369 kB 369 kBps
messages:420:Jun 22 18:36:46 LX0213481837 /kernel: veriexec: no signatures for device. file='/var/tmp/test-juniper-script' fsid=67 fileid=4 gen=328216438 uid=0 pid=2701
root@:RE:0% cat image_load_log
[Wed Jun 22 18:34:36 UTC 2022] Creating /var/run/image_load.pid with 1854
[Wed Jun 22 18:34:36 UTC 2022] /usr/sbin/image_load -G 172.22.143.63 -I vme -O install_reboot -D /var/tmp -C test-juniper-script -F jinstall-ex-4500-15.1R7.9-domestic-signed.tgz -T http
[Wed Jun 22 18:34:44 UTC 2022] Directory to store image is valid /var/tmp
[Wed Jun 22 18:34:46 UTC 2022] fetch http://172.22.143.63/test-juniper-script
[Wed Jun 22 18:34:46 UTC 2022] test-juniper-script 369 kB 369 kBps
[Wed Jun 22 18:34:46 UTC 2022] File fetch done.
[Wed Jun 22 18:34:46 UTC 2022] fetch http://172.22.143.63/jinstall-ex-4500-15.1R7.9-domestic-signed.tgz
[Wed Jun 22 18:35:18 UTC 2022] jinstall-ex-4500-15.1R7.9-domestic-signed.tgz 4193 kB 4193 kBps
[Wed Jun 22 18:35:18 UTC 2022] File fetch done.
[Wed Jun 22 18:35:32 UTC 2022] /var/tmp/jinstall-ex-4500-15.1R7.9-domestic-signed.tgz is version 15.1R7.9.
[Wed Jun 22 18:35:32 UTC 2022] This version is already installed.
[Wed Jun 22 18:35:32 UTC 2022] Aborting install.
[Wed Jun 22 18:35:32 UTC 2022] Removing /var/tmp/jinstall-ex-4500-15.1R7.9-domestic-signed.tgz
[Wed Jun 22 18:35:32 UTC 2022] jinstall-ex-4500-15.1R7.9-domestic-signed.tgz not installed, committing config
[Wed Jun 22 18:35:32 UTC 2022] /usr/sbin/cli op url /usr/sbin/commit-config.slax config_file /config/auto_image_upgrade.conf action override
[Wed Jun 22 18:35:47 UTC 2022] Removing /var/run/image_load.pid
root@:RE:0%
My questions:
- Am I missing something and software version 15.1R7-S13 is sufficient to run ZTP scripts? If yes, what options must be supplied from DHCP?
- What Junos software version should be installed to support shell scripts in ES switch?
- What Junos software version should be installed to support Python scripts in ES switch?
Thank you
------------------------------
Yan Gorelik
------------------------------