ONES installation follows the steps below, in this order:
License Readiness
Preparing and Installing ONES Application machine
Installing ONES Agents on SONiC Switches for Orchestrator and Telemetry
Enabling OpenConfig on non-SONiC Switches for Telemetry
License Readiness
The installer allows managing 8 devices by default without a license. Beyond this, the following license key is required to proceed with the installation:
Support (Zendesk) - Ability to open a ticket with inventory dump
Syslog access, Console/SSH access for device
To obtain a license, contact support@aviznetworks.com and provide the details below:
License Duration - In Years (1-5)
Devices Count - 8, 32, 64, 128, 256, 512 or 1024
ONES installation ID
Email ID: (For Account creation)
Users can get the ONES installation ID on the ONES-UI Login page after the installation
System Hardware Requirements – ONES Application
In the current release, ONES can support managing up to 1024 devices. For ONES Application installation, the system hardware requirements vary based on the number of devices to manage:

| Devices | Processor and Cores | RAM | Storage |
|---|---|---|---|
| 8/16/32/64 | x86/x64 based, 4-core CPU | 16GB | 160GB/320GB/640GB/1.2 TB |
| 128 | INTEL(E5-1607 v2)/AMD, 4 cores | 32GB | 3 TB or more |
| 256 | x86/x64 based, 8-core CPU | 64GB | 6 TB or more |
| 512 | INTEL(E5-1607 v2)/AMD, 16 cores or higher | 64GB | 12 TB or more |
| 1024 | INTEL(E5-1607 v2)/AMD, 32 cores or higher | 128GB | 20 TB or more |
If the user wants to manage 8 devices, the recommendation is to use 64GB of storage, because the default backup count is 1 and the maximum that can be configured is 3.
If storage fills up, the controller will stop working or behave incorrectly.
System Software Requirements - ONES Application
| OS | Libraries |
|---|---|
| Ubuntu 18.0 or later | docker, docker-compose, python3, python3-pip, paramiko, scp |
| Task | Command | Validation |
|---|---|---|
| Ubuntu Server | Installer file (Version 18 or higher) | lsb_release -a |
| Update to latest packages | sudo apt-get update | NA |
| Install Docker | sudo apt-get install docker.io | docker ps |
| Install Docker-compose | sudo apt-get install docker-compose | docker-compose version |
| Install Python3 | sudo apt-get install python3 | python3 --version |
| Install Python3-pip | sudo apt-get install python3-pip | pip3 --version |
| Install Paramiko | sudo apt-get install python3-paramiko | pip show paramiko |
| Install SCP-Client | sudo pip3 install scp | pip show scp |
The ONES Application package takes care of these prerequisites at installation time: the package first verifies that the dependencies are available, then executes the application scripts.
Note: The script does not update Ubuntu to the latest version.
Customer Firewall Configuration (Ports to be opened)
| ONES Service | Port Numbers |
|---|---|
| ONES Web GUI | 443 |
| Switch Access over SSH | 22 |
| ONES Monitoring | 50052 |
| gNMI Gateway (Telemetry) | 9339 |
| ONES Telemetry Database | 5432 |
| ONES Orchestrator | 8787 |
| ONES Orchestrator Database | 2345 |
| pty-server | 8885 |
| API-Server | 8080 |
| stream-processer | 8093 |
| ksqldb-server | 8088 |
| kafka-connect | 8083 |
| schema-registry | 8081 |
| broker | 29092, 9101, 9092 |
| Zookeeper | 2181 |
| ONES Collector | 50053 |
These port numbers must be available for use, and all of them must be allowed in the firewall if the database server and the devices are in different DMZ zones.
sudo iptables -L # Lists the current firewall rules; this command can be used to verify the ports
The installer file automatically detects whether to perform a fresh installation or an upgrade to the new version.
Upgrading does not depend on the previous version's files.
Once the upgrade process is completed, the user has to manually delete the previous version's files/packages from the device; the script does not touch old version files.
By default, the installer has a license for 8 devices for up to 30 days.
ONESv2.0 supports SSL certificate integration.
The user can choose YES to integrate their own SSL certificate.
Installing Open Networking Enterprise Suite (ONES)
..................................................
ONES is getting installed for the first time, choose appropriate options when prompted...
....................
Installing prerequisites for ONES application
....................
....................
....................
....................
Installing ONES application...
Do you want to install domain SSL certificate(if not, installation will proceed with a self signed certificate)? [y/n]: y
Enter the path to the private key file: ./certs/server.pem
Enter the path to the certificate file: ./certs/server.crt.pem
Note: Replace the private key and certificate paths with the correct locations.
Choose No to use the self-signed certificate that is integrated into the ONES package.
Installing Open Networking Enterprise Suite (ONES)
..................................................
ONES is getting installed for the first time, choose appropriate options when prompted...
....................
Installing prerequisites for ONES application
....................
....................
....................
....................
Installing ONES application...
Do you want to install domain SSL certificate(if not, installation will proceed with a self signed certificate)? [y/n]: n
Using self signed certificates...
3. The installation allows a user to enable DB backup
Users can choose the local or remote location to backup the database
By default, the application creates a database backup every 86400 seconds(1 day), but the user can modify it as per the requirement
Local and Remote Backup
By default, the application creates 1 backup for local and for remote.
The count has a range of 1 to 3; once one more backup is added, the first copy of the database is removed.
The user can modify the number of backup files at the time of installation.
By default, ONES creates the ./backup directory to maintain the local database.
Local backup:
Do you want to enable DB backups? [y/n]y
Where do you want to store the backups? [local/remote]: local #local keyword trigger local database on server
Enter the backup directory: ./backups #Enter the server directory in which user wants to take backup
Enter the number of backups (between 1 and 3) to retain (Older backups will be deleted): 1 #Enter the number of backup user wants to create
Enter the backup interval in seconds (3600 seconds or higher): 86400 #Enter the value in seconds to take a backup
Remote backup:
Do you want to enable DB backup feature? [y/n]: y
Where do you want to store the backups? [local/remote]: remote #remote keyword trigger remote database on server
Please make sure the remote server is reachable via SSH
Enter the remote machine IP: 10.0.0.1
Enter the remote machine username: admin
Enter the remote machine password:
Enter the backup directory: ~/backups #Enter the remote server directory in which user wants to take backup
Backup is being done in 10.0.0.1 at ~/backups
Enter the number of backups (between 1 and 100) to retain (Older backups will be deleted): 5 #Enter the number of backup user wants to create
Enter the backup interval in seconds (3600 seconds or higher): 86400 #Enter the value in seconds to take a backup
ONESv2.0 supports certificate-based authentication between the ONES App and devices for gNMI and auto-discovery.
For agent auto-discovery, the agent acts as the client and the collector as the server.
For normal gNMI communication, the agent acts as the server and the collector as the client. Certificates are needed according to these roles.
No:
Do you want to enable certificate based authentication between ONES controller and devices? [y/n]: n
Yes:
Do you want to enable certificate based authentication between ONES controller and devices? [y/n]: y
Enter the path to the ca-cert.pem file: ca-cert.pem
Enter the path to the server-cert.pem file: server-cert.pem
Enter the path to the server-key.pem file: server-key.pem
Enter the path to the client-cert.pem file: client-cert.pem
Enter the path to the client-key.pem file: client-key.pem
Proceeding with certificates for Agent Auto Registration
Enter the path to the ca-cert-reg.pem file: ca-cert-reg.pem
Enter the path to the server-cert.pem file: server-cert.pem
Enter the path to the server-key.pem file: server-key.pem
Enter the path to the client-cert.pem file: client-cert.pem
Enter the path to the client-key.pem file: client-key.pem
The user needs to provide the certificate paths, replacing each key name shown here with the path of the certificate to be used.
The ONES Application supports IP-based access and FQDN access.
Enter the ONES App URL: https:// #Replace the input with IP or FQDN
IP based
Enter the ONES App URL: https://192.168.1.1
FQDN based
Enter the ONES App URL: https://ones.aviznetworks.com
Installation begins
Installing Open Networking Enterprise Suite (ONES)
..................................................
ONES is getting installed for the first time, choose appropriate options when prompted...
....................
Installing prerequisites for ONES application
....................
....................
....................
....................
Installing ONES application...
Do you want to install domain SSL certificate(if not, installation will proceed with a self signed certificate)? [y/n]: n
Using self signed certificates...
Do you want to enable DB backup feature? [y/n] : y
Where do you want to store the backups? [local/remote]: local
Enter the backup directory: ./backups
Enter the number of backups(between 1 and 3) to retain (Older backups will be deleted) : 1
Enter the backup interval in seconds(3600 seconds or higher) : 86400
Do you want to enable certificate based authentication between ONES controller and devices? [y/n]: n
Enter the ONES App URL: https://192.168.1.1
Setting up the environment and loading essential dockers...
d07119f7c800: Loading layer [==================================================>] 53.62MB/53.62MB
366319f9a81c: Loading layer [==================================================>] 2.56kB/2.56kB
0f6276391b12: Loading layer [==================================================>] 86.32MB/86.32MB
5f70bf18a086: Loading layer [==================================================>] 1.024kB/1.024kB..
...
...
...
Name Command State Ports
--------------------------------------------------------------------------------------------------------------------
api-server "java -jar /app/apis…" api-server running 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp
broker "/etc/confluent/dock…" broker running 0.0.0.0:9092->9092/tcp, :::9092->9092/tcp, 0.0.0.0:9101->9101/tcp, :::9101->9101/tcp, 0.0.0.0:29092->29092/tcp, :::29092->29092/tcp
docker "python3 app.py" docker running
kafka-connect "/etc/confluent/dock…" kafka-connect running (healthy) 0.0.0.0:8083->8083/tcp, :::8083->8083/tcp, 9092/tcp
ksqldb-server "/usr/bin/docker/run" ksqldb-server running 0.0.0.0:8088->8088/tcp, :::8088->8088/tcp
ones-collector "java -jar /app/coll…" collector running 8093/tcp, 0.0.0.0:50053->50053/tcp, :::50053->50053/tcp
ones-collector-db "/docker-entrypoint.…" collector-db running 8008/tcp, 0.0.0.0:5432->5432/tcp, :::5432->5432/tcp, 8081/tcp
ones-fm "/bin/sh -c '{ gunic…" fm running 0.0.0.0:8787->8080/tcp, :::8787->8080/tcp
ones-fm-db "docker-entrypoint.s…" fm-db running 0.0.0.0:2345->5432/tcp, :::2345->5432/tcp
ones-gateway "./gnmi-gateway -Tar…" gateway running 0.0.0.0:9339->9339/tcp, :::9339->9339/tcp
ones-pty-server "docker-entrypoint.s…" pty-server running 0.0.0.0:8885->8885/tcp, :::8885->8885/tcp
ones-rule-service "java -jar /app/rule…" rule-service running 8080/tcp
ones-rule-service-db "docker-entrypoint.s…" rule-service-db running 5432/tcp
ones-ui "docker-entrypoint.s…" ui running 0.0.0.0:443->443/tcp, :::443->443/tcp, 3002/tcp
schema-registry "/etc/confluent/dock…" schema-registry running 0.0.0.0:8081->8081/tcp, :::8081->8081/tcp
stream-processor "java -jar /app/stre…" stream-processor running 8080/tcp
zookeeper "/etc/confluent/dock…" zookeeper running 2888/tcp, 0.0.0.0:2181->2181/tcp, :::2181->2181/tcp, 3888/tcp
Finishing up ONES Installation...
...................................................................................
Installed ONES application successfully
Open the ONES application at https://<host-ip>
Access ONES Application Web GUI from a supported browser using https://<host-ip/FQDN>
Activation:
For a trial, the user can choose Start A Trial (valid for 30 days)
For activation, the user can choose Activate License if the user has an activation key for any subscription
1. Start A Trial
Use Default credentials as below;
Username: superadmin
Password : Admin@123
Update/Change your password on the first login
Password should contain:-
Minimum Password Length - 8 characters
Maximum Password Length - 24 characters
Character Support - Alpha Numeric
Special Characters - (# @ $ ! & % only)
Character Rule - At least one Upper Case and one special character
Login To ONES
After Resetting the password use new credentials to login
You will see the default Monitor Page with a Topology view
2. Activate License
Get the Activation key
Share ONES installation ID to the AVIZ support team
As per PO, the AVIZ team will share the Activation key
Paste the activation key and Activate
Users can activate the ONES Application for the first time just after installation (the first time, the ONES application shows the page to activate the license).
After evaluating the ONES application, the user has the option to activate the license at any time from the dashboard.
Installing ONES Agents
Overview
ONES requires user to install the below agents on SONiC NOS to allow Network Orchestration and Visibility
ONES Orchestrator Agent for Network Orchestration
ONES Telemetry Agent for Telemetry Data Streaming (Network Visibility)
NOTE: for non-SONiC switches,
OpenConfig feature on its NOS needs to be enabled for Network Visibility (Telemetry Data Streaming)
Network Orchestration is not supported
SONiC NOS upgrade scenario - Impact on ONES Agents
SONiC NOS Upgrade could be done either via
ONES UI (Inventory-->Devices)
Instead of using FM - Orchestrator Agent
Orchestrator Agent takes a backup of FMCLI, ONES Agents and associated services to the /host folder.
After a successful upgrade, Orchestrator Agent restores these files
Traditional means (ZTP, sonic-installer CLI)
The user needs to reinstall ONES Agents again
ONES Telemetry Agent Installation
ONES Agent v2.0 supports Agent Auto-discovery
ONESv2.0 Agent supports the auto-discovery feature
ONESv2.0 Agent supports sending telemetry to multiple controllers (max 2)
The Restrict IP feature can be enabled/disabled
Using this feature, the agent discovers the ONES Controller and updates its entry on the ONES App with all the feature metrics
A few inputs need to be provided while installing the agent:
Controller IP //To restrict the telemetry streaming
Device Credentials
Layer
Region
azid
brickid
rackid
Installation
On the Application machine, go to ONES-2.0/ones_t_agent folder
root@ones-application:~$ cd /ONES-2.0/ones_t_agent
Installation (Agent Install on multiple switches at the same time)
Enter device details (Management IP, Username and Password ) in device_info.csv
root@ones-application/ONES-2.0/ones_t_agent:~$ vi device_info.csv
The user needs to add all the required details to the CSV file. This CSV file is used to push the information to the agent.conf file (/etc/sonic/agent.conf) on every switch; the ones-agent on the switch picks up the details from agent.conf and registers itself with the ONES controller with all the given parameters.
This lets a NetOps engineer supply a single CSV file containing all the details, instead of adding devices one by one on the controller, which is time-consuming.
Executing the installation script installs the telemetry agent on one or more devices in the data centre.
The installer file automatically detects whether to perform a fresh installation or an upgrade to the new version.
While upgrading, all the previous files are automatically deleted on the switch.
If users want to use certificates for gNMI and auto-registration, they need to put the certificates in the directories gnmi-certs (for gNMI) and auto-reg-certs (for Agent Auto Registration).
Users can use ONES-Agent as an integrated service in SONiC OS or can use it as an independent third-party container.
Does the ONES-agent is integrated with SONiC NOS? (yes/no): no
The script asks for the controller IP in order to use the auto-discovery feature
Enter the ip address of collectors to auto-discover. Do not enter more than 2. Eg - 10.1.1.10, 10.2.2.5 : 10.4.4.11
The user can add at most 2 controller IPs to restrict the telemetry streaming
The user can choose to restrict telemetry streaming to the collector IP only
Do you want to restrict access only to provided collector ip?
Note: Providing Yes will restrict access to agent only with the provided collector IP Address
Enter Yes/No : Yes
It is important to set the collector IP restriction to No if the running network uses NAT translation from private to public IP for ONES server access from the device.
Installation Begin
root@ones-application/ONES-2.0/ones_t_agent:~$./ones_agent_parallel_installer.sh
Does the ONES-agent is integrated with SONiC NOS? (yes/no): no
Enter the ip address of collectors to auto-discover. Do not enter more than 2. E.g. - 10.1.1.10, 10.2.2.5 : 10.4.4.11
Do you want to restrict access only to provided collector ip?
Note: Providing Yes will restrict access to agent only with the provided collector IP Address
Enter Yes/No : Yes
[{'ip': '10.4.4.61', 'user': 'admin', 'passwd': 'YourPaSsWoRd', 'layer': 'Spine', 'region': 'Sanjose', 'azid': '1', 'brickid': '1', 'rackid': '1', 'installation_instance': 1, 'agentip': '10.4.4.61', 'collectorip': '10.4.4.11', 'restrict_collector_ip': 'Yes'}, {'ip': '10.4.4.62', 'user': 'admin', 'passwd': 'YourPaSsWoRd', 'layer': 'Leaf', 'region': 'Sanjose', 'azid': '1', 'brickid': '1', 'rackid': '1', 'installation_instance': 1, 'agentip': '10.4.4.62', 'collectorip': '10.4.4.11', 'restrict_collector_ip': 'Yes'}]
###############Connecting to switch###############
###############Connecting to switch###############
Connection to switch 10.4.4.61 successful.....................
Looking for previous installation........................
avizdock/ones-agent:devu
Connection to switch 10.4.4.62 successful.....................
Looking for previous installation........................
avizdock/ones-agent:latest
...
...
...
...
ones-agent.service file copied successfully on the device 10.4.4.61........
##################################################################
ones-agent.service file copied successfully on the device 10.4.4.62........
##################################################################
Deployment of ones-agent to switch 10.4.4.61 is successful
Deployment of ones-agent to switch 10.4.4.62 is successful
The agent will now stream metrics only to the given controller and will auto-register on the ONES App.
The user needs to make sure the devices have unique names; otherwise, there will be issues while plotting the full topology view (Topology Page).
ONES Orchestration Agent Installation
On the ONES Application server, go to ONES-2.0/ones_fm_agent
root@ones-application:~$ cd /ONES-2.0/ones_fm_agent
Installation (Agent Install on multiple switches at the same time)
Enter device details (Management IP, Username, Password ) in device_info.csv
root@ones-application/ONES-2.0/ones_fm_agent:~$ vi device_info.csv
root@ones-application/ONES-2.0/ones_fm_agent:~$ ./deploy_fmcli.sh 'install'
Installer will proceed with FMCLI-install ...
2fa37f2ee66e: Loading layer [==================================================>] 121.3MB/121.3MB
5cc3a4df1251: Loading layer [==================================================>] 49.6MB/49.6MB
2ef3351afa6d: Loading layer [==================================================>] 181.5MB/181.5MB
0c2d6fc19d6a: Loading layer [==================================================>] 596.9MB/596.9MB
d3de4ba9f72c: Loading layer [==================================================>] 19.25MB/19.25MB
6546924ee8e7: Loading layer [==================================================>] 41.04MB/41.04MB
16227882e38c: Loading layer [==================================================>] 5.12kB/5.12kB
29d8b0c23f30: Loading layer [==================================================>] 10.5MB/10.5MB
0eb731fd9ff0: Loading layer [==================================================>] 69.94MB/69.94MB
015b774a058f: Loading layer [==================================================>] 2.56kB/2.56kB
35743f2c1258: Loading layer [==================================================>] 37.47MB/37.47MB
e02e88375b40: Loading layer [==================================================>] 4.428MB/4.428MB
Loaded image: avizdock/agent_installer:latest
Docker image 'avizdock/agent_installer:latest' is loaded.
4c7a6666fea40554651f85c6b6857a79a99433872ba168c8865fbcf3246f0adc
Docker container 'agent_installer' is running.
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4c7a6666fea4 avizdock/agent_installer:latest "python3" 4 seconds ago Up Less than a second agent_installer
Server IP: 172.17.0.2
fm_port: None
[{'ip': '10.20.7.12', 'passwd': 'YourPaSsWoRd', 'user': 'admin', 'server_ip': '172.17.0.2', 'fm_port': None}]
Operation = install
##### params = {'ip': '10.20.7.12', 'passwd': 'YourPaSsWoRd', 'user': 'admin', 'server_ip': '172.17.0.2', 'fm_port': None} #####
###############Connecting to switch###############
...
#################### Installing FMCLI on the device 10.20.7.12 ######################
####### Debug LOGS on the device 10.20.7.12 #######
...
FM-Agent installed successfully on the device 10.20.7.12........
Installation with a config cleanup
Using this process, the script clears the base configuration, such as port-channel, IP and VXLAN related configuration, and more.
ONES does not use NCLU. The ONES Application only uses the NVUE API, from OS version 4.4; below that version, NCLU code is not enabled for ONES. [For ONES 1.1 testing: versions 4.4 and 5.2]
Cumulus 5.x does not fully support NCLU, only NVUE.
Arista EOS (OpenConfig)
Introduction
To enable Arista switches running EOS to stream telemetry data to the ONES controller, the gNMI API and eAPI need to be enabled
Enable API gNMI
Arista-DCS-7010T(config)#management api gnmi
Arista-DCS-7010T(config-mgmt-api-gnmi)#transport grpc default
Arista-DCS-7010T(config-gnmi-transport-default)#port 50052
Arista-DCS-7010T(config-gnmi-transport-default)#provider eos-native
Arista-DCS-7010T(config-mgmt-api-gnmi)#end
Arista-DCS-7010T#show management api gnmi
Octa: enabled
Transport: GRPC
Enabled: yes
Server: running on port 50052, in default VRF
SSL profile: SELFSIGNED
QoS DSCP: none
Authorization required: no
Accounting requests: no
Certificate username authentication: no
Notification timestamp: last change time
Listen addresses: ::
Transport: default
Enabled: yes
Server: running on port 6030, in default VRF
SSL profile: none
QoS DSCP: none
Authorization required: no
Accounting requests: no
Certificate username authentication: no
Notification timestamp: last change time
Listen addresses: ::
Enabling eAPI
bash$ ssh username@myswitch
Password: <passw0rd>
myswitch> enable
myswitch# configure terminal
myswitch(config)# management api http-commands
myswitch(config-mgmt-api-http-cmds)# no shutdown
myswitch(config-mgmt-api-http-cmds)# show management api http-commands
Enabled: Yes
HTTPS server: running, set to use port 443
HTTP server: shutdown, set to use port 80
Local HTTP server: shutdown, no authentication, set to use port 8080
Unix Socket server: shutdown, no authentication
VRFs: default
Adding New Controller
The ONES Agent configuration file allows the user to add a new collector (controller) after the agent installation if required
Overview
If a customer wants to receive the same agent telemetry on a different ONES collector, there is no need to reinstall the agent on the device. Instead, after installing ONES on the other server, the user can add the new collector's IP to the device's agent.conf file. This action will automatically register the agent and initiate streaming to the new ONES application.
Only 2 controllers are supported in auto-discovery
Note: The terms "collector" and "controller" are used interchangeably; they have the same meaning.
Steps to add new Controller-IP
SSH to the device first
Navigate to /etc/sonic/
admin@Spine-2:~$ cd /etc/sonic/
admin@Spine-2:/etc/sonic$
Edit agent.conf file and add collector ip
admin@Spine-2:/etc/sonic$ sudo vi agent.conf
# Configuration file for agent gnmi
# Any edits require restart of the agent
# Mode - can be Tls/NoTls
mode = NoTls
#restrict_collector_ip = Yes/No
#Setting this to yes means that only the IP address mentioned under collectorip
#will be allowed to connect to the agent. No sets off this behavior
restrict_collector_ip = No
#layer of the switch Eg - Superspine/ Leaf/ Spine/ ToR
layer = Spine
#region of the switch Eg - Denver
region = Sj
#ip of the switch Eg - 10.4.4.33
agentip = 10.20.2.12
#ip of the collector Eg - 10.1.1.10
collectorip = 10.20.0.16,10.20.0.14
#azid of the switch Eg - 1
azid = 1
#brickid of the switch Eg - 1
brickid = 1
#rackid of the switch Eg - 1
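
After editing agent.conf, the settings that decide who can reach the agent (mode, restrict_collector_ip, collectorip) are worth checking before the agent is restarted. The following Python is an added example, not part of the ONES agent; the function names are hypothetical, the sample is constructed from the values in the listing above, and the checks assume the key meanings given in that file's own comments.

```python
import ipaddress

# Constructed sample: the settings shown in the agent.conf listing above.
SAMPLE_CONF = """\
# Mode - can be Tls/NoTls
mode = NoTls
restrict_collector_ip = No
layer = Spine
region = Sj
agentip = 10.20.2.12
collectorip = 10.20.0.16,10.20.0.14
azid = 1
brickid = 1
"""

MAX_COLLECTORS = 2  # the page states that only 2 controllers are supported


def parse_agent_conf(text):
    """Parse 'key = value' lines, skipping blank lines and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def audit_agent_conf(text):
    """Return a list of (key, message) findings for an operator to review."""
    conf = parse_agent_conf(text)
    findings = []
    collectors = [c.strip() for c in conf.get("collectorip", "").split(",") if c.strip()]

    if conf.get("mode", "").lower() != "tls":
        findings.append(("mode", "gNMI mode is not Tls"))
    # The page notes this must stay No when NAT sits between device and ONES
    # server, so this is a finding to review rather than an error.
    if conf.get("restrict_collector_ip", "").lower() != "yes":
        findings.append(("restrict_collector_ip",
                         "addresses other than collectorip may connect to the agent"))
    elif not collectors:
        findings.append(("collectorip", "restriction is on but no collector is listed"))
    if len(collectors) > MAX_COLLECTORS:
        findings.append(("collectorip", f"{len(collectors)} collectors listed, max is {MAX_COLLECTORS}"))
    bad = [c for c in collectors if not _is_ip(c)]
    if bad:
        findings.append(("collectorip", "not an IP address: " + ", ".join(bad)))
    if not _is_ip(conf.get("agentip", "")):
        findings.append(("agentip", "missing or not an IP address"))
    return findings


if __name__ == "__main__":
    for key, message in audit_agent_conf(SAMPLE_CONF):
        print(f"{key}: {message}")
```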