UMnet network data gatherer

Project description

Agador

Agador is a tool that collects operational data from the network and stores it in a database. It's intended to be a replacement for rancid and other Perl tools that currently handle this for us.

Note that the name isn't an acronym for anything, I just needed to not call this code "new rancid" anymore so I named it after Agador Sparticus - my favorite character from one of my favorite movies.

Overview

Agador brings together several different tools:

  • Netbox is used as an inventory source for devices.
  • Cyberark is used as the source for credentials (but plain text creds work too).
  • umnet-napalm is custom code based on NAPALM that runs various commands on network devices and returns normalized data across all vendors.
  • umnet-db is the custom database where this normalized data is stored.
  • git is how we store versioned data in files - stuff that we don't want to put in umnet-db. Currently this is just config backups, but could be expanded to include other things if applicable.
  • Nornir manages this whole process. This is a public library that provides Ansible-like functionality - it runs a series of tasks across a set of devices and does stuff with the results.

Inventory Filters

One thing that Agador is concerned with is how to identify different subsets of devices within your inventory. This allows you to restrict gathering certain types of data to only certain types of devices - you don't really want to do 'show mpls' on a firewall, for example. To that end, you must provide Agador with a file that defines Nornir inventory filter functions. These functions can then be referenced in the Command Map and Credential Map (more details below). Here are some notable examples - see inventory_filters.py in the examples directory of this repo for more.

### identifies a specific host by name
def fw_cpp(host):
    return host.name == "fw-cpp"

### Identifies any host that starts with 'ngfw'
def ngfw(host):
    return host.name.startswith("ngfw")

### Identifies netbox roles that map to devices that route
def routers_filter(host):
    """
    Netbox roles that indicate a router
    """
    return host.data["role"]["slug"] in [
        "core",
        "bin",
        "data-center",
        "distribution",
        "security",
        "ngfw",
        "legacy-bin",
        "legacy-core",
        "legacy-data-center",
        "legacy-distribution",
    ]

Command Map

The heart of Agador is the command map file. See command_map.yml in the example folder of this repo. The first section of the file is where you specify which device role(s) in Netbox are relevant to Agador. If this section is commented out, all devices will be considered - but they must be of status Active and have a Primary IP address, otherwise they will be ignored no matter what.

netbox_roles:
  - av
  - access-layer-switch
  - bin

The commands section is where you specify what data to gather, how often, from what subset of devices, and how to store that data.

commands:

  config:
    frequency: 0 0 * * *
    getter: get_config
    save_to_file:
      mapper: SaveConfig
      destination: ${FILES_DIR}/umnet-config-backups

  lldp_neighbors:
    frequency: 0 0 * * *
    getter: get_lldp_neighbors
    inventory_filter: non_security_filter
    save_to_db: UpdateNeighbor

Let's talk about the components of each command:

| Parameter | Required | Description |
|---|---|---|
| frequency | Yes | How often to run this command in crontab format |
| getter | Yes | The umnet-napalm getter to run for this command |
| inventory_filter | No | A Nornir inventory filter function in the inventory_filters.py file that defines which types of devices this command should run against |
| save_to_file | No* | If the resulting data should be saved to a file, specify how this should be done with the following required sub-arguments: mapper - name of mapper class in agador.mappers.save_to_file to use; destination - destination directory for the data |
| save_to_db | No* | If the resulting data should be saved to umnetdb, the name of the mapper class in agador.mappers.save_to_db to use to save the data. Note that before a new mapper can be created, a corresponding model must be built in umnet-db |

*Note: You must specify at least one of save_to_file or save_to_db so Agador knows what to do with the data it pulls. You can specify both if applicable.
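The rules in the table above can be checked before a command map is deployed. The following is an added example, not part of Agador: validate_command_map and the sample data are hypothetical, the input is assumed to be the commands section after YAML parsing, and "crontab format" is assumed to mean the standard five-field form used in the examples.

```python
def validate_command_map(commands, filter_names):
    """Return a list of problems found in a parsed `commands` section.

    commands     -- dict of command name -> settings (already parsed from YAML)
    filter_names -- names of the functions defined in inventory_filters.py
    """
    problems = []
    for name, cmd in commands.items():
        for key in ("frequency", "getter"):
            if key not in cmd:
                problems.append(f"{name}: missing required '{key}'")
        freq = str(cmd.get("frequency", ""))
        # Assumption: five whitespace-separated crontab fields, as in "0 0 * * *".
        if "frequency" in cmd and len(freq.split()) != 5:
            problems.append(f"{name}: frequency '{freq}' is not a 5-field crontab entry")
        # At least one storage target is mandatory.
        if "save_to_file" not in cmd and "save_to_db" not in cmd:
            problems.append(f"{name}: needs save_to_file and/or save_to_db")
        stf = cmd.get("save_to_file")
        if stf is not None:
            for sub in ("mapper", "destination"):
                if not isinstance(stf, dict) or sub not in stf:
                    problems.append(f"{name}: save_to_file missing '{sub}'")
        # A misspelled filter name would otherwise only surface at run time.
        flt = cmd.get("inventory_filter")
        if flt is not None and flt not in filter_names:
            problems.append(f"{name}: unknown inventory_filter '{flt}'")
    return problems

# Constructed sample: the first two entries mirror the example above,
# the third is deliberately broken (getter and filter names are made up).
SAMPLE_COMMANDS = {
    "config": {"frequency": "0 0 * * *", "getter": "get_config",
               "save_to_file": {"mapper": "SaveConfig",
                                "destination": "${FILES_DIR}/umnet-config-backups"}},
    "lldp_neighbors": {"frequency": "0 0 * * *", "getter": "get_lldp_neighbors",
                       "inventory_filter": "non_security_filter",
                       "save_to_db": "UpdateNeighbor"},
    "arp_table": {"frequency": "hourly", "getter": "example_getter",
                  "inventory_filter": "routerz"},
}
KNOWN_FILTERS = {"non_security_filter", "routers_filter"}

if __name__ == "__main__":
    for problem in validate_command_map(SAMPLE_COMMANDS, KNOWN_FILTERS):
        print(problem)
```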

Credential map

The credential map file tells Agador how to retrieve credentials for logging into the devices. Currently two methods of credential retrieval are supported - Cyberark and plaintext. Here's an example:

defaults:
  mapper: cyberark_umnet
  username: automaton
  password: automaton_user_automaton
  enable: Infrastructure_from_2020-05-01_to_current_enable

custom:

  - inventory_filter: fw_cpp
    mapper: cyberark_nso
    username: srancid
    password: fw-cpp_srancid
    enable: fw-cpp_enable

  - inventory_filter: fw_uhs
    mapper: plaintext
    username: srancid
    password: Abc123!

Let's talk about the components of each section:

| Parameter | Required | Description |
|---|---|---|
| mapper | Yes | How to look up the password and enable. Three methods are currently supported: cyberark_nso, cyberark_umnet, and plaintext. |
| username | Yes | Credential username |
| password | Yes | Credential password. For cyberark, provide the string to query the Cyberark API for that will return the password. For plaintext, just provide the password in plain text. |
| enable | default only | Credential enable. You must provide this in the defaults section, it's optional in the custom section. |
| inventory_filter | custom only | Required when providing a custom credential. This is a reference to a filter function in your inventory_filters.py file that tells agador which hosts the custom parameter applies to |

Note that when deciding which custom credentials apply to which hosts, the first custom match will be applied. So if your matches overlap, it's best to put the most specific ones at the top and more broad ones below. If no match is found for a host in the custom section, the default credentials will apply.
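The first-match rule means a broad entry placed too high silently overrides a more specific one. The following added example (not Agador's own code) resolves credentials the way the paragraph above describes and audits a map for shadowed entries and plaintext passwords; the resolve and audit helpers, the firewalls filter, the host list and the map contents are constructed for illustration.

```python
from types import SimpleNamespace

# Constructed filter functions in the style of inventory_filters.py.
def fw_cpp(host):
    return host.name == "fw-cpp"

def firewalls(host):  # hypothetical broad filter
    return host.name.startswith("fw-")

FILTERS = {"fw_cpp": fw_cpp, "firewalls": firewalls}

# Constructed credential map as it would look after YAML parsing.
# The broad entry is deliberately listed first.
CRED_MAP = {
    "defaults": {"mapper": "cyberark_umnet", "username": "automaton",
                 "password": "automaton_user_automaton",
                 "enable": "Infrastructure_from_2020-05-01_to_current_enable"},
    "custom": [
        {"inventory_filter": "firewalls", "mapper": "plaintext",
         "username": "srancid", "password": "example-only"},
        {"inventory_filter": "fw_cpp", "mapper": "cyberark_nso",
         "username": "srancid", "password": "fw-cpp_srancid",
         "enable": "fw-cpp_enable"},
    ],
}

def resolve(host, cred_map, filters):
    """Return (index, entry) of the first custom match, or (None, defaults)."""
    for i, entry in enumerate(cred_map.get("custom", [])):
        if filters[entry["inventory_filter"]](host):
            return i, entry
    return None, cred_map["defaults"]

def audit(cred_map, filters, hosts):
    """Flag plaintext entries and entries that match a host but never win."""
    winners = {resolve(h, cred_map, filters)[0] for h in hosts}
    findings = []
    for i, entry in enumerate(cred_map.get("custom", [])):
        name = entry["inventory_filter"]
        if entry["mapper"] == "plaintext":
            findings.append(f"custom[{i}] ({name}): password stored in plain text")
        if i not in winners and any(filters[name](h) for h in hosts):
            findings.append(f"custom[{i}] ({name}): shadowed by an earlier entry")
    return findings

# Constructed inventory; only the host name matters to these filters.
HOSTS = [SimpleNamespace(name=n) for n in ("fw-cpp", "fw-uhs", "dl-arbl-1")]

if __name__ == "__main__":
    print("\n".join(audit(CRED_MAP, FILTERS, HOSTS)))
```

With the entries in this order, fw-cpp logs in with the plaintext credential instead of its Cyberark one; moving the fw_cpp entry to the top clears the shadowing finding.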

The credential map is located at /etc/agador/credential_map.yml on wintermute.

Running Agador

agador-run

agador-run runs everything once, ignoring the frequency value for each command in the command map. You can restrict the run to a specific device, a specific Netbox device role, or a subset of commands. For example, the following command will pull lldp neighbors off of dl-arbl-1 and store them in the umnet-db.

agador-run --cmds lldp_neighbors --device dl-arbl-1

This command will pull the arp and route tables off of all the non-legacy DLs and store them in the umnet-db. The role must match a Netbox device role.

agador-run --cmds arp_table,route  --role distribution

Note that this command does consult the command_map to tell it what commands are relevant for what devices. If you try to run a command on a device or a role that does not match the inventory_filter function (e.g. running arp_table for an AL), you won't get any results.

Use --help to see all options. You'll see a lot of logging options as well.

agador-run-with-schedule

agador-run-with-schedule is designed to run forever as a background process. It pulls data from the network at regular intervals based on the command_map file.

Configuration

Agador requires you to provide it with a path to a configuration file, either on the cli when you invoke it, or as the environment variable AGADOR_CFG. On wintermute this config file is located at /etc/agador/agador.conf. /etc/profile.d/agador.sh sets AGADOR_CFG to this file for all users when they log in. Look at the example config file in the examples folder of this repo for details on what parameters are required.

Download files

Source Distribution

agador-0.4.5.tar.gz (24.0 kB)

Uploaded Source

Built Distribution

agador-0.4.5-py3-none-any.whl (27.9 kB)

Uploaded Python 3

File details

Details for the file agador-0.4.5.tar.gz.

File metadata

  • Download URL: agador-0.4.5.tar.gz
  • Upload date:
  • Size: 24.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/2.1.2 CPython/3.12.3 Linux/6.8.0-57-generic

File hashes

Hashes for agador-0.4.5.tar.gz
Algorithm Hash digest
SHA256 d712865a4ff64f34240b662066b350d056cc570a63ce9d052adcd6153fc3c860
MD5 a04547380ba64a10b0fe4b18ef8b65d0
BLAKE2b-256 89eee989ca2cd5ab85f3d641e01f2394bb5eda1d8847db3cbca0ba27e78181e3

File details

Details for the file agador-0.4.5-py3-none-any.whl.

File metadata

  • Download URL: agador-0.4.5-py3-none-any.whl
  • Upload date:
  • Size: 27.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/2.1.2 CPython/3.12.3 Linux/6.8.0-57-generic

File hashes

Hashes for agador-0.4.5-py3-none-any.whl
Algorithm Hash digest
SHA256 c659036ebb70a7245fecf88c6ecbe1b039dc1b39765d2a0e0947ceea1f0dbdec
MD5 85316a56e081b551da9cfedc0ccf88d6
BLAKE2b-256 ef15096e59f54c49f7aa4578dc4273ae10475c342a87224d28d867d5ef446a18
