Contrail Insights JTI (gRPC) Monitoring
Set Up gRPC-based Streaming
For gRPC-based streaming, Junos OS Release 16.1R3 or later is required. Contrail Insights automatically configures the network device based on the JSON file you provide. Contrail Insights will stream the gRPC metrics with a default interval of 60 seconds.
For platforms that are running a version of Junos OS based on an upgraded FreeBSD kernel only, you must install a separate package called Network Agent that functions as a gRPC server and terminates the RPC interfaces. For all other versions of Junos OS, the Network Agent functionality is embedded in the software. You must also install the OpenConfig for Junos OS module and the YANG models. For more details, see Understanding OpenConfig and gRPC on Junos Telemetry Interface.
After completing the above steps, verify the following configuration on the network device:
root@B5R4-QFX5K-1> show configuration | display set | grep exten
set groups appformix-grpc system services extension-service request-response grpc clear-text port 50051
set groups appformix-grpc system services extension-service request-response grpc skip-authentication
set groups appformix-grpc system services extension-service notification allow-clients address 0.0.0.0/0
{master:0}
root@B5R4-QFX5K-1> show system processes | grep na-
7563 - S 2:29.58 /usr/sbin/na-mqttd -c /opt/telemetry/na-mqttd/na-mqt
7572 - I 0:44.58 /usr/sbin/na-grpcd -c /opt/telemetry/na-grpcd/na-grp
{master:0}
root@B5R4-QFX5K-1> show system software | grep open
junos-openconfig-x86-32-0.0.0I20180615_1002_rbu-builder -- junos openconfig
While configuring gRPC devices, you can choose to enable SSL on the gRPC subscription. Select Settings in the top right of the Dashboard, then Network Devices > +Add Device. Also see the section “Secure Socket Layer (SSL) gRPC Configuration.”
In addition, you need to enable the gRPC plug-in in your group_vars/all file to enable gRPC monitoring in Contrail Insights:
appformix_plugins:
  - { plugin_info: 'certified_plugins/grpc_config_all_sensors.json' }
To allow Contrail Insights to configure the network device, have the following settings on your device and supply the device username and password:
set system services netconf ssh
Unsecured gRPC Configuration
Following is the configuration Contrail Insights adds on the device when you select SSLEnabled = False when configuring the device.
root@5b9-qfx2# show groups
appformix-grpc {
    system {
        services {
            extension-service {
                request-response {
                    grpc {
                        clear-text {
                            port 50051;
                        }
                        skip-authentication;
                    }
                }
                notification {
                    allow-clients {
                        address 0.0.0.0/0;
                    }
                }
            }
        }
    }
}
root@5b9-qfx2# show apply-groups
apply-groups appformix-grpc;
Secure Socket Layer (SSL) gRPC Configuration
For Contrail Insights to subscribe to devices over SSL, complete the following steps before enabling SSL.
Certificates for all devices need to be signed by one single certificate authority (CA).
The Common Name (CN) value specified for the certificate used by a particular device should be that device's Domain Name System (DNS) name.
Certificates need to be preloaded on the device under the name appformix by running the following command:
set security certificates local appformix <path_to_certificate>
When configuring the devices in Contrail Insights, enter the device DNS name or IP address in the ManagementIp field. The ManagementIp should be able to resolve (translate) the device DNS name from the Contrail Insights Platform node.
Example configuration Contrail Insights puts on the device:
root@5b9-qfx2# show groups
appformix-grpc {
    system {
        services {
            extension-service {
                request-response {
                    grpc {
                        ssl {
                            port 50051;
                            local-certificate appformix;
                        }
                        skip-authentication;
                    }
                }
                notification {
                    allow-clients {
                        address 0.0.0.0/0;
                    }
                }
            }
        }
    }
}
root@5b9-qfx2# show apply-groups
apply-groups appformix-grpc;
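The following is an added example, not part of the Juniper documentation: a Python check that reads `show configuration | display set` output and reports the extension-service settings that decide who can reach the gRPC endpoint and how (clear-text transport, skip-authentication, wide allow-clients ranges, SSL without a local certificate). The function name `audit_grpc` and the 256-address threshold are assumptions; the SSL sample is the set form constructed from the hierarchy shown above.

```python
import ipaddress

# Constructed sample: the three set lines from the verification step on this page.
UNSECURED = """\
set groups appformix-grpc system services extension-service request-response grpc clear-text port 50051
set groups appformix-grpc system services extension-service request-response grpc skip-authentication
set groups appformix-grpc system services extension-service notification allow-clients address 0.0.0.0/0
"""
# Constructed sample: set form of the SSL group shown on this page.
SSL = UNSECURED.replace("clear-text port 50051", "ssl port 50051") + (
    "set groups appformix-grpc system services extension-service "
    "request-response grpc ssl local-certificate appformix\n")

GRPC = "system services extension-service request-response grpc"
CLIENTS = "system services extension-service notification allow-clients address"


def audit_grpc(display_set: str, max_hosts: int = 256) -> list[str]:
    """Return findings for the extension-service stanzas in display-set output."""
    findings, has_ssl, has_cert = [], False, False
    for raw in display_set.splitlines():
        line = " ".join(raw.split())
        if not line.startswith("set "):
            continue  # skip prompts, banners such as {master:0}, blank lines
        if GRPC in line:
            rest = line.split(GRPC, 1)[1].split()
            if rest[:1] == ["clear-text"]:
                findings.append("grpc transport is clear-text (no TLS)")
            elif rest[:1] == ["skip-authentication"]:
                findings.append("grpc skip-authentication is set")
            elif rest[:1] == ["ssl"]:
                has_ssl = True
                has_cert = has_cert or rest[1:2] == ["local-certificate"]
        elif CLIENTS in line:
            net = ipaddress.ip_network(line.split(CLIENTS, 1)[1].strip(), strict=False)
            if net.num_addresses > max_hosts:  # threshold is an assumption
                findings.append(f"allow-clients {net} admits {net.num_addresses} addresses")
    if has_ssl and not has_cert:
        findings.append("grpc ssl configured without local-certificate")
    return findings


if __name__ == "__main__":
    for name, cfg in (("unsecured", UNSECURED), ("ssl", SSL)):
        print(name, audit_grpc(cfg))
```

Run against the SSL sample, the check still reports skip-authentication and the 0.0.0.0/0 client range, because both settings appear in the SSL group as well as the unsecured one.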
Distribute gRPC Network Device CA Using Ansible
For Contrail Insights to have secure connections between collectors (Contrail Insights Agent and devices), the collector needs to have the CA certificate that signed all of the devices' certificates in /opt/appformix/etc/cert/.
Then use Ansible to distribute the CA to all Contrail Insights Agents. Add the following in your group_vars/all file and then run the playbook.
appformix_grpc_ssl_ca: <path to your certificate file>