Deploying Chef for Junos OS

Chef for Junos OS Deployment Overview

A Chef for Junos OS deployment consists of the following major components:

  • Chef server—The server acts as a hub for configuration data. The server stores cookbooks and the node object metadata that describes each registered node managed by the Chef client.

  • Workstations—You can perform most of your work on a workstation. Use the Chef CLI, called knife, to develop cookbooks and recipes and store them in a local Chef repository. From the workstation, you can synchronize the local repository with your version-control system, upload cookbooks to the Chef server, and perform operations on nodes.

  • Nodes—A node is any physical or virtual device that is configured for the Chef client to manage. The Ruby Interpreter, native Ohai, and junos-ez-stdlib (Ruby gems) are also installed on all nodes to aid the Chef client in managing the node.

    To manage a node, the Chef client running on the node obtains the configuration details, such as recipes, templates, and file distributions, from the Chef server. It also collects detailed data about a node, such as hardware properties, memory and processor usage, networking statistics, kernel data, and hostname using Ohai. The Chef client performs as much of the configuration as possible on the node using Ruby Interpreter and junos-ez-stdlib to help interpret Chef recipes into configuration details.

    For a Juniper Networks device to be a Chef node, it must have the Chef client installed and configured on it. See the Chef for Junos OS Release Notes for information about Juniper Networks devices running Junos OS that support the Chef client.

Figure 1 shows the major components of a Chef for Junos OS deployment. For more details about all the components that constitute a Chef deployment, see the Chef documentation at https://docs.chef.io/.

Figure 1: Major Components of a Chef for Junos OS Deployment

Chef for Junos OS Deployment Overview

The following major steps describe how you deploy Chef for Junos OS:

  1. Set up the Chef server. For more information on setting up the Chef server, see the Chef documentation at https://docs.chef.io/.

  2. Set up the Chef workstation. The major steps for doing so are:

    1. Install the Chef client and the Ruby Interpreter on your workstation. You can install both at the same time by using the Chef installer, available from https://docs.chef.io/.

    2. Set up the Chef repository (chef-repo) and the version-control system.

    3. Install authentication keys and verify that you can connect to the Chef server from your workstation.

      For more information about setting up the Chef workstation, see the Chef documentation at https://docs.chef.io/.

    4. After you have set up the workstation, download the netdev cookbook to the chef-repo repository and extract the cookbook files.

      knife cookbook site download netdev

      tar -zxvf netdev-n.n.n.tar.gz -C cookbooks

      The netdev cookbook is available at the Chef supermarket website at https://supermarket.getchef.com/cookbooks/netdev.

  3. If the Chef client is not already installed on the Junos OS nodes, install the client by using the Chef for Junos OS installation package as described in Installing or Uninstalling the Chef Client on Juniper Networks Devices Running Junos OS.

    Note:

    On Juniper Networks switches running Junos OS with Junos Automation Enhancements, you do not need to install the Chef client because the Chef client and related components are installed with the Junos OS software.

    For more information on Junos Automation Enhancements, see Junos Automation Enhancements Documentation.

  4. Configure the Chef client on the Junos OS nodes so that it can connect with the Chef server. For more information, see Configuring the Chef Client on Juniper Networks Devices Running Junos OS.

Installing or Uninstalling the Chef Client on Juniper Networks Devices Running Junos OS

This topic describes how to install, upgrade, or uninstall the Chef client on Juniper Networks devices running Junos OS.

Note:

The Chef client is automatically installed on Juniper Networks switches running Junos OS with Junos Automation Enhancements. If your switch is running Junos OS with Junos Automation Enhancements, skip this installation procedure and configure the Chef client as described in Configuring the Chef Client on Juniper Networks Devices Running Junos OS.

For more information on Junos Automation Enhancements, see Junos Automation Enhancements Documentation.


Devices Supporting Chef for Junos OS

Table 1 lists the supported devices, the Junos OS releases, and the installation package that we recommend you use to install the Chef client on each. You can download the package or bundle at Chef for Junos Software Download.

Table 1: Supported Devices and Junos OS Versions

Device | Junos OS Version | Chef Client Installation Package Example | Support for agent as Docker container | Compatible Versions of netdev
EX4300 | Release 15.1X53-D10 or later | chef-powerpc-11.10.4_1.0.tgz | |
MX80, MX104 | Release 14.2R2 or later | chef-powerpc-11.10.4_1.1.tgz | |
MX240, MX480, MX960 | Release 14.2R2 or later (14.2 release) | chef-i386-11.10.4_1.1.tgz | |
MX240, MX480, MX960 | Release 15.1R1 or later (15.1 release) | Chef not supported | |
MX240, MX480, MX960 | Release 16.1R1 or later | chef-x86-32-11.10.4_2.0.tgz | |
MX240, MX480, MX960 | Release 18.1R1 | chef-x86-32-11.10.4_2.1.tgz | |
MX240, MX480, MX960 | Release 18.2R1 or later | chef-x86-32-11.10.4_3.0.tgz | |
OCX1100 | Release 14.1X53-D20 or later | Not Applicable | |
PTX10003-80C, PTX10003-160C | Release 19.1R1 or later | Not Applicable | |
PTX10003-80C, PTX10003-160C | Release 19.4R2 or later (Junos OS Evolved only) | Not Applicable | Y | 2.1.0 or later
PTX10008 | Release 19.4R2 or later (Junos OS Evolved only) | Not Applicable | Y | 2.1.0 or later
QFX5100 | Release 13.2X51-D15 or later | Not Applicable | |
QFX5100 | Release 15.1X53-D70 or later (non-TVP-based images using JET-based packages) | chef-x86-32-11.10.4_2.0.tgz | |
QFX5100 | Release 18.1R1 | chef-x86-32-11.10.4_2.1.tgz | |
QFX5100 | Release 18.2R1 or later | chef-x86-32-11.10.4_3.0.tgz | |
QFX10002 | Release 15.1X53-D20 or later | Not Applicable | Not Applicable | Not Applicable
QFX10002 | Release 15.1X53-D70 or later (TVP UNIX SDK-based packages across all branches) | chef-x86-32-11.10.4_2.0.tgz | |
QFX10002 | Release 18.1R1 | chef-x86-32-11.10.4_2.1.tgz | |
QFX10002 | Release 18.2R1 or later | chef-x86-32-11.10.4_3.0.tgz | |
QFX10003-80C, QFX10003-160C | Release 19.1R1 or later | Not Applicable | |
QFX10008 | Release 17.1R1 or later | Not Applicable | |
QFX10016 | Release 17.1R1 or later | Not Applicable | |
QFX5220-32CD, QFX5220-128C | Release 19.4R2 or later (Junos OS Evolved only) | Not Applicable | Y | 2.1.0 or later

See the Chef for Junos OS Release Notes for information about which Juniper Networks devices support the Chef client.

Installing the Chef Client Overview

The Chef client is part of an installation package that includes the Chef client, Ohai, the Ruby Interpreter, and junos-ez-stdlib.

On a device with redundant Routing Engines, you must run the Chef client from the primary Routing Engine.

When the Chef client runs, it obtains an exclusive configuration lock, which it releases after it commits all pending configuration changes. If you enable the reporting add-on on your Enterprise Chef server, the Chef client reports the results of the run back to the server. On successful Chef client runs, the Chef client sends a list of updated resources to the server; on failed Chef client runs, it sends a full exception stacktrace to the server.

The configuration of a resource on a managed node always reflects the resource state defined in the last recipe that was run that contains that resource. For example, if you run a recipe that defines a LAG resource as containing the member links ge-0/0/0 and ge-0/0/1 and then later run a recipe that defines the same LAG resource as containing the member links ge-0/0/2 and ge-0/0/3, the resulting configuration for the LAG on the managed node contains only the member links ge-0/0/2 and ge-0/0/3.

Installing or Upgrading the Chef Client on Junos

To install or upgrade the Chef client on a Juniper Networks device:

Note:

The procedure for upgrading the Chef client is the same as the installation procedure. During an upgrade, the previous version of the Chef client is overwritten with the latest version.

  1. Access the Chef for Junos OS download page at https://www.juniper.net/support/downloads/?p=chefforjunos#sw.

    The Chef for Junos OS Release Notes are also available at the download site. Consult them for information about what package to install on your platform.

  2. Download the Chef for Junos OS software package that is specific to your platform to the /var/tmp/ directory on the device.

    Best Practice:

    We recommend you install the software package from the /var/tmp/ directory on your device to ensure the maximum amount of disk space and RAM for the installation.

    The following template describes the package naming format of Chef Bundles for Junos:

    chef-<platform>-<chef version>_<SDK indicator>.<Release count>.tgz

    where:

    • platform is the platform microprocessor architecture, whose values can be i386, powerpc, or x86-32.

    • chef version is the version of the Chef client (for example, 11.10.4).

    • SDK indicator indicates the Junos OS SDK infrastructure used to create the package. A 1 indicates the Junos SDK; a 2 indicates the Junos Extension Toolkit (JET).

    • Release count is the Juniper Networks release number of the package.

    You must use the installation package that matches the microprocessor architecture of your device. If you do not know the architecture used by your device, you can use the UNIX shell command uname -a to determine it.

  3. If you access the Juniper Networks device remotely, you must configure the device for remote access through SSH. For more information, see Configuring SSH Service for Remote Access to the Router or Switch.

  4. In the Junos OS CLI, enter configuration mode.

    user@host> configure

  5. Configure the provider name, license type, and deployment scope associated with the application.

    [edit]

    user@host# set system extensions providers chef license-type juniper deployment-scope commercial

    user@host# commit and-quit

  6. Install the software package by using the request system software add operational mode command.

    user@host> request system software add /var/tmp/chef-package.tgz

  7. Verify that the installation is successful by issuing the show version operational mode command.

    If the installation is successful, the list of installed software includes the Chef, Ruby Interpreter, and junos-ez-stdlib packages. For example:

    • If your installation package was built with the Junos Extension Toolkit, only one package is installed, JET app chef. This package includes all the required components, including the Ruby Interpreter and junos-ez-stdlib. To verify the installation:

    • If your installation package was built with the Junos SDK, three packages are installed: the Chef, Ruby Interpreter, and junos-ez-stdlib packages. To verify the installation:

After you install the Chef client, you must configure it as described in Configuring the Chef Client on Juniper Networks Devices Running Junos OS.

Installing the Chef Client on Junos OS Evolved

Starting in Junos OS Evolved Release 19.1R1, the Junos OS Evolved image includes the Chef client package; therefore, you do not need to install the Chef client package separately on your device.

Using the Chef Client Docker Container

Starting in Junos OS Evolved Release 19.4R2, certain devices running Junos OS Evolved support running the Chef client as a Docker container. As an alternative to using the Chef client that is integrated into the Junos OS Evolved software image, you can use the Chef client Docker container provided by Juniper Networks. Using a container enables you to use standard Docker tools to manage the container and mount or unmount the Chef client as needed.

Docker is a software container platform that is used to package and run an application and its dependencies in an isolated container. Juniper Networks provides a Docker image for the Chef client on Docker Hub.

When you run the Chef client using the Docker container, the container:

  • Shares the hostname and network namespace of the host

  • Uses the host network to communicate with the Chef server

  • Authenticates to the host using key-based SSH authentication

To use the Chef client Docker container on supported devices:

  1. Log in as the root user.
  2. Switch to the default VRF for management traffic, vrf0.
  3. Start the Docker service, and bind it to the default VRF for management traffic, vrf0.
  4. Set the DOCKER_HOST environment variable.
  5. Start the Chef client Docker container as follows, and set the NETCONF_USER to the Junos OS user account that was set up to run the client.
  6. Generate the SSH key pair that will be used to authenticate the container to the host.
  7. Copy the public key to the host, and add it to the root user’s authorized_keys file.
  8. Verify the connection from the container to the host.
  9. Create a client.rb configuration file and copy it to the container's working directory, /chef-client.

    where:

    • chef_server_url is the URL of your Chef server

    • validation_client_name is chef-validator if you are using Open Source Chef and orgname-validator if you are using Enterprise Chef

    • node_name is optional if the switch has a hostname configured

    • validation_key is chef-validator.pem if you are using Open Source Chef and orgname-validator.pem if you are using Enterprise Chef

  10. Copy the validation key before the chef-client run. For more details about the validation key, see Step 3 in Configuring the Chef Client on Juniper Networks Devices Running Junos OS.
  11. Start the chef client.

Uninstalling the Chef Client from the Juniper Networks Device

To uninstall the Chef client from the Juniper Networks device, use the request system software delete CLI command to delete the installed packages. For example:

  • To delete a Chef client package built by the Junos Extension Toolkit (JET), enter:

    user@host> request system software delete chef

  • To delete the Chef client and related packages built by the Junos SDK, enter:

    user@host> request system software delete chef

    user@host> request system software delete junos-ez-stdlib

    user@host> request system software delete ruby

Configuring the Chef Client on Juniper Networks Devices Running Junos OS

To enable the Chef client to communicate with the Chef server, you must configure the Chef client after it is installed on the Juniper Networks device.

Note:

You must set up the Chef workstation and the Chef server so that they can communicate before you perform this procedure.

To configure the Chef client:

  1. On your Juniper Networks device that is running Junos OS, log in as the root user and create the /var/db/chef directory.

    mkdir -p /var/db/chef

  2. Copy your validation key into the /var/db/chef directory.

    If you do not have your validation key, you can obtain it as follows:

    • If you are using Open Source Chef, you can obtain your validation key from /etc/chef on your server. The key is named chef-validator.pem.

    • If you are using Enterprise Chef (hosted or on-premise), you can obtain your validation key from the Enterprise Chef management console. The key is named orgname-validator.pem, where orgname is your organization name.

  3. Create a client.rb file with the following statements in the /var/db/chef directory:

    where:

    • chef_server_url is the URL of your Chef server

    • validation_client_name is chef-validator if you are using Open Source Chef and orgname-validator if you are using Enterprise Chef

    • node_name is optional if the switch has a hostname configured

    • validation_key is chef-validator.pem if you are using Open Source Chef and orgname-validator.pem if you are using Enterprise Chef

    For more information about the settings in the client.rb file, see https://docs.chef.io/config_rb_client.html.

  4. Run the Chef client on Junos OS.
    • If the Juniper Networks version of the Chef client is 2.x (for example, Chef client version 11.10.4_2.0), enter:

      % /opt/jet/chef/bin/ruby /opt/jet/chef/bin/chef-client -c /var/db/chef/client.rb

    • If the Juniper Networks version of the Chef client is 1.x (for example, Chef client version 11.10.4_1.1), enter:

      % /opt/sdk/chef/bin/ruby /opt/sdk/chef/bin/chef-client -c /var/db/chef/client.rb

    These commands assume that your client.rb file resides in the /var/db/chef directory. We recommend using this directory.

Configuring the Chef Client on Juniper Networks Devices Running Junos OS Evolved

To enable the Chef client to communicate with the Chef server, you must configure the Chef client on the Juniper Networks device.

Note:

You must set up the Chef workstation and the Chef server so that they can communicate before you perform this procedure.

To configure the Chef client:

  1. On your Juniper Networks device that is running Junos OS Evolved, log in as the root user and create the /etc/chef directory.

    mkdir /etc/chef

  2. Copy your validation key into the /etc/chef directory.

    If you do not have your validation key, you can obtain it as follows:

    • If you are using Open Source Chef, you can obtain your validation key from /etc/chef on your server. The key is named chef-validator.pem.

    • If you are using Enterprise Chef (hosted or on-premise), you can obtain your validation key from the Enterprise Chef management console. The key is named orgname-validator.pem, where orgname is your organization name.

  3. Create a client.rb file with the following statements in the /etc/chef directory:

    where:

    • chef_server_url is the URL of your Chef server

    • validation_client_name is chef-validator if you are using Open Source Chef and orgname-validator if you are using Enterprise Chef

    • node_name is optional if the switch has a hostname configured

    • validation_key is chef-validator.pem if you are using Open Source Chef and orgname-validator.pem if you are using Enterprise Chef

    For more information about the settings in the client.rb file, see https://docs.chef.io/config_rb_client.html.

  4. Fetch certificate from Chef server.

    From the /etc/chef directory, enter the knife ssl fetch -s server-name command to fetch the certificate from the Chef server.

  5. Check certificate.

    From the /etc/chef directory, enter the knife ssl check -s server-name command to verify the certificate fetched from the Chef server.

  6. Run the Chef client on Junos OS Evolved.

    On devices running Junos OS Evolved, to start the Chef client:

    • Enter the shell.

      user@host> start shell

    • Switch to the default VRF for management traffic, vrf0, and then start the client.

      [vrf:none] user@host:~# switchvrf $$ vrf0

      [vrf:vrf0] user@host:~# /usr/bin/chef-client -c /etc/chef/client.rb

    These commands assume that your client.rb file resides in the /etc/chef directory. We recommend using this directory.
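As an added example (not from Juniper's documentation) that covers the client.rb step of this procedure and of the Junos OS procedure above: a POSIX shell function that writes client.rb with the four settings the page lists, refuses a non-HTTPS server URL, and refuses a validation key that other users can read, because that key is what registers new nodes with the server. The chef directory, server URL, validator name, and node name are parameters; ssl_verify_mode :verify_peer is a standard client.rb setting that the page does not list.

```shell
#!/bin/sh
# Added example, not Juniper's code. Writes the client.rb described in the
# procedure and refuses inputs that would weaken node registration.

# write_client_rb <chef dir> <chef_server_url> <validation_client_name> [node_name]
# Expects <validation_client_name>.pem (chef-validator.pem or orgname-validator.pem)
# to already be in <chef dir>; writes <chef dir>/client.rb.
write_client_rb() {
  chef_dir=$1; server_url=$2; validator=$3; node_name=$4
  key_file="$chef_dir/$validator.pem"      # full path; the page gives only the file name

  # The validation key is presented to the server on the first run; allow TLS only.
  case "$server_url" in
    https://*) ;;
    *) echo "refusing non-HTTPS chef_server_url: $server_url" >&2; return 1 ;;
  esac

  [ -f "$key_file" ] || { echo "missing validation key: $key_file" >&2; return 1; }

  # Anyone who can read the validation key can register nodes of their own, so
  # refuse a key with group or other read permission (expect mode 0600).
  if [ -n "$(find "$key_file" \( -perm -g+r -o -perm -o+r \))" ]; then
    echo "validation key $key_file is readable by group/other; chmod 600 it" >&2
    return 1
  fi

  {
    printf 'chef_server_url "%s"\n' "$server_url"
    printf 'validation_client_name "%s"\n' "$validator"
    printf 'validation_key "%s"\n' "$key_file"
    # node_name is optional when the device already has a hostname configured.
    [ -n "$node_name" ] && printf 'node_name "%s"\n' "$node_name"
    # Not on the page: have the client verify the server certificate, the one
    # that the knife ssl fetch / knife ssl check steps retrieve and confirm.
    printf 'ssl_verify_mode :verify_peer\n'
  } > "$chef_dir/client.rb"
}

# client_rb_get <client.rb> <setting>
# Prints the quoted value of a setting written by write_client_rb.
client_rb_get() {
  sed -n "s/^$2 \"\\(.*\\)\"\$/\\1/p" "$1"
}
```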