Zero Touch Provisioning (ZTP) / Deployment (ZTD)

Contents

Zero Touch Provisioning (ZTP) / Deployment (ZTD)

About

Please also see:

DHCP

Reasoning

Automation of repetitive manual tasks
- Saves configuration time
- Saves cost
Faster and simpler deployment
- during upgrades
- during scale out
Reduction of errors
Usage of additional scripts possible

Standards

Requirements

Sources of Bootstrapping Data
- Removable Storage
- DNS Server
- DHCP Server
- Bootstrap Server
DHCP server
HTTP server

Preface

This configuration has been created for a set of Dell EMC Powerswitch S5224F-ON. It is based on the Dell SmartFabric OS10 User Guide.

This may be setup differently for your switches.

Installation DHCP

Install DHCP server

   1 apt install isc-dhcp-server

Configure DHCP

/etc/default/isc-dhcp-server

   1 # Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
   2 
   3 # Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
   4 #DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
   5 #DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
   6 
   7 # Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
   8 #DHCPDv4_PID=/var/run/dhcpd.pid
   9 #DHCPDv6_PID=/var/run/dhcpd6.pid
  10 
  11 # Additional options to start dhcpd with.
  12 #       Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
  13 #OPTIONS=""
  14 
  15 # On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
  16 #       Separate multiple interfaces with spaces, e.g. "eth0 eth1".
  17 INTERFACESv4="enp2s0"
  18 INTERFACESv6=""

/etc/dhcp/dhcpd.conf

   1 # dhcpd.conf
   2 #
   3 # Configuration file for ISC dhcpd
   4 #
   5 
   6 authoritative;
   7 ddns-update-style none;
   8 
   9 default-lease-time 3600;
  10 max-lease-time 115200;
  11 
  12 # option definitions common to all networks
  13 option domain-name "example.com";
  14 option domain-name-servers 192.0.2.254;
  15 option ztd-provision-url code 240 = text;
  16 
  17 subnet 192.0.2.0 netmask 255.255.255.0 {
  18         range 192.0.2.128 192.0.2.192;
  19         option routers 192.0.2.254;
  20 }
  21 
  22 host host1 {
  23         hardware ethernet aa:bb:cc:aa:aa:a1;
  24         fixed-address 192.0.2.11;
  25         option ztd-provision-url "http://192.0.2.9/ztd.sh";
  26 }
  27 host host2 {
  28         hardware ethernet aa:bb:cc:aa:aa:a2;
  29         fixed-address 192.0.2.12;
  30         option ztd-provision-url "http://192.0.2.9/ztd.sh";
  31 }
  32 host host3 {
  33         hardware ethernet aa:bb:cc:aa:aa:a3;
  34         fixed-address 192.0.2.13;
  35         option ztd-provision-url "http://192.0.2.9/ztd.sh";
  36 }

Install webserver

   1 apt install apache2

Configure webserver

/etc/apache2/sites-available/ztd.conf

   1 <VirtualHost *:80>
   2         ServerName ztp1.example.com
   3 
   4         ServerAdmin webmaster@example.com
   5         DocumentRoot /var/www/ztp
   6 
   7         # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
   8         # error, crit, alert, emerg.
   9         # It is also possible to configure the loglevel for particular
  10         # modules, e.g.
  11         #LogLevel info ssl:warn
  12 
  13         ErrorLog ${APACHE_LOG_DIR}/ztp_error.log
  14         CustomLog ${APACHE_LOG_DIR}/ztp_access.log combined
  15 </VirtualHost>

Security configuration commented
/etc/apache2/conf-enabled/security.conf

   1 # Changing the following options will not really affect the security of the
   2 # server, but might make attacks slightly more difficult in some cases.
   3 
   4 #
   5 # ServerTokens
   6 # This directive configures what you return as the Server HTTP response
   7 # Header. The default is 'Full' which sends information about the OS-Type
   8 # and compiled in modules.
   9 # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
  10 # where Full conveys the most information, and Prod the least.
  11 #ServerTokens Minimal
  12 ServerTokens Minor
  13 #ServerTokens Full
  14 
  15 #
  16 # Optionally add a line containing the server version and virtual host
  17 # name to server-generated pages (internal error documents, FTP directory
  18 # listings, mod_status and mod_info output etc., but not CGI generated
  19 # documents or custom error documents).
  20 # Set to "EMail" to also include a mailto: link to the ServerAdmin.
  21 # Set to one of:  On | Off | EMail
  22 #ServerSignature Off
  23 ServerSignature EMail
  24 
  25 #
  26 # Allow TRACE method
  27 #
  28 # Set to "extended" to also reflect the request body (only for testing and
  29 # diagnostic purposes).
  30 #
  31 # Set to one of:  On | Off | extended
  32 TraceEnable Off
  33 #TraceEnable On
  34 
  35 #
  36 # Forbid access to version control directories
  37 #
  38 # If you use version control systems in your document root, you should
  39 # probably deny access to their directories.
  40 #
  41 # Examples:
  42 #
  43 #RedirectMatch 404 /\.git
  44 #RedirectMatch 404 /\.svn
  45 
  46 #
  47 # Setting this header will prevent MSIE from interpreting files as something
  48 # else than declared by the content type in the HTTP headers.
  49 # Requires mod_headers to be enabled.
  50 #
  51 #Header set X-Content-Type-Options: "nosniff"
  52 
  53 #
  54 # Setting this header will prevent other sites from embedding pages from this
  55 # site as frames. This defends against clickjacking attacks.
  56 # Requires mod_headers to be enabled.
  57 #
  58 #Header set Content-Security-Policy "frame-ancestors 'self';"
  59

Configure sites and reload the webserver

   1 a2dissite 000-default.conf
   2 a2ensite ztd.conf
   3 systemctl reload apache2

ZTD filesystem structure and content

Create ZTD directories

   1 DIRS=("/var/www/ztd"
   2         "/var/www/ztd/config"
   3         "/var/www/ztd/images"
   4         "/var/www/ztd/post"
   5         "/var/www/ztd/shell"
   6 )
   7 for DIR in "${DIRS[@]}"; do
   8         [ -d "$DIR" ] \
   9         || install -o root -g root -m 0755 -d "$DIR"
  10 done

Create empty files

   1 touch /var/www/ztd/config/cli_config
   2 touch /var/www/ztd/post/no_post_script.py

Yes, I modified it slightly …
/var/www/ztd/shell/ztd_template.sh

   1 #!/bin/bash
   2 
   3 ### DELL EMC OS10 ZTD Provisioning Script
   4 
   5 ### UPDATE THE BELOW CONFIG VARIABLES ACCORDINGLY
   6 ### ATLEAST ONE OF THEM SHOULD BE FILLED
   7 SERVER_IP="192.0.2.9"
   8 BASE_URL="http://$SERVER_IP"
   9 #IMG_FILE="$BASE_URL/images/OS10.bin"
  10 #CLI_CONFIG_FILE="$BASE_URL/config/cli_config"
  11 #POST_SCRIPT_FILE="$BASE_URL/post/no_post_script.py"
  12 
  13 ### DO NOT MODIFY THE LINES BELOW
  14 if [ "$IMG_FILE" ] \
  15         || [ "$CLI_CONFIG_FILE" ] \
  16         || [ "$POST_SCRIPT_FILE" ]; then
  17         sudo os10_ztd_start.sh \
  18                 "$IMG_FILE" "$CLI_CONFIG_FILE" "$POST_SCRIPT_FILE"
  19 fi

Create distinct ZTD shell scripts for every host defined in DHCP configuration
/usr/local/sbin/ztd_refresh.sh

   1 #!/bin/bash
   2 
   3 DIR_SHELL="/var/www/ztd/shell"
   4 ZTD_TEMPLATE="ztd_template.sh"
   5 
   6 while read -r HNAME; do
   7         IMG_FILE="OS10.bin"
   8         CLI_CONFIG_FILE="cli_config"
   9         #CLI_CONFIG_FILE="cli_config_${HNAME}"
  10         POST_SCRIPT_FILE="no_post_script.py"
  11         #POST_SCRIPT_FILE="post_script_${HNAME}.py"
  12         FILE_DST="ztd_${HNAME}.sh"
  13 
  14         cp "$DIR_SHELL/${ZTD_TEMPLATE}" \
  15                 "$DIR_SHELL/$FILE_DST"
  16         [ "$IMG_FILE" ] \
  17                 && sed -ri "s/OS10.bin/$IMG_FILE/" \
  18                 "$DIR_SHELL/$FILE_DST"
  19         [ "$CLI_CONFIG_FILE" ] \
  20                 && sed -ri "s/cli_config/$CLI_CONFIG_FILE/" \
  21                 "$DIR_SHELL/$FILE_DST"
  22         [ "$POST_SCRIPT_FILE" ] \
  23                 && sed -ri "s/no_post_script.py/$POST_SCRIPT_FILE/" \
  24                 "$DIR_SHELL/$FILE_DST"
  25 done < <(grep '^host' /etc/dhcp/dhcpd.conf | awk '{print $2}')

Protocols

Technologies

Configurations

Services

Misc

Navigation