Once you have completed the tasks specified in the prerequisites section, you can use the following procedure to deploy and
launch an ESC instance in CSP 2100. The deployment alternatives available for CSP 2100 are described below.
For the list of variables used in the CSP 2100 sample files, see List of Variables Used in CSP 2100 Sample Files.
ESC with Single and Dual Interface
To install ESC in CSP, create the user-data in the following format and pass it as the day 0 configuration file.
The following sample, for a single interface, shows the day 0 file supplied as user data on the config drive. Note what the sample turns on: the admin user gets full sudo and password logins over SSH (ssh_pwauth: True), and the ESCManager url entries bind to 0.0.0.0, that is, to every interface, including the plaintext listener on port 8080. The password hashes shown are shortened placeholders; a real SHA-512 crypt hash has 86 characters after its last $, and a hash that has been cut short never matches the password, so generate your own as described in Creating ESC passwords to use in Day0 Files.
#cloud-config
users:
  - name: admin            # The user's login name
    gecos: admin           # The user's real name
    groups: esc-user       # add admin to group esc-user
    passwd: $6$saltsalt$9PDBehueUG4XTLEj6BFZA5MDGh/XeQ6QPbf9HYLU3RifHj1
                           # The hash -- not the password itself -- of the password you want
                           # to use for this user. You can generate a safe hash via:
                           #   mkpasswd --method=SHA-512 --rounds=4096
    lock-passwd: false     # Defaults to true. Lock the password to disable password login.
                           # Set to false if you want password login.
    homedir: /home/admin   # Optional. Set to the local path you want to use. Defaults to /home/<username>
    sudo: ALL=(ALL) ALL    # Defaults to none. Set to the sudo string you want to use
ssh_pwauth: True           # Defaults to False. Set to True if you want to enable password authentication for sshd.
write_files:
  # ESC Configuration
  - path: /opt/cisco/esc/esc-config/esc-config.yaml
    content: |
      resources:
        confd:
          init_aaa_users:
            - key: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUF
              passwd: $6$rounds=4096$adWFd7LUn2PEUPWtWPl5tCD7pO9bae672T1
          option: start-phase0
        escmanager:
          open_ports:
            - '8080'
            - '8443'
          url:
            - http://0.0.0.0:8080/ESCManager
            - https://0.0.0.0:8443/ESCManager
        esc_service:
          type: group
  # Params
  - path: /opt/cisco/esc/esc-config/esc_params.conf
    content: |
      default.active_vim=CSP
      default.enable_cascade_deletion=true
  # Networking
  - path: /etc/sysconfig/network-scripts/ifcfg-eth0
    content: |
      DEVICE="eth0"
      BOOTPROTO="none"
      ONBOOT="yes"
      TYPE="Ethernet"
      USERCTL="yes"
      IPADDR="VAR_NETWORK0_IPADDR"
      NETMASK="VAR_NETWORK0_NETMASK"
      GATEWAY="VAR_NETWORK0_GATEWAY"
      DEFROUTE="yes"
      NM_CONTROLLED="no"
      IPV6INIT="no"
      IPV4_FAILURE_FATAL="yes"
bootcmd:
  - [ cloud-init-per, once, disable_ipv6_eth0, sh, -c, "echo net.ipv6.conf.eth0.disable_ipv6 = 1 >> /etc/sysctl.conf"]
  - [ cloud-init-per, once, update_host_name, sh, -c, "echo VAR_LOCAL_HOSTNAME >> /etc/hostname && hostnamectl set-hostname VAR_LOCAL_HOSTNAME"]
  - [ cloud-init-per, once, update_hosts, sh, -c, "echo 127.0.0.1 VAR_LOCAL_HOSTNAME >> /etc/hosts"]
  - [ cloud-init-per, once, add_name_server, sh, -c, "echo nameserver VAR_NAMESERVER_IP >> /etc/resolv.conf"]
  - [ cloud-init-per, once, add_ntp_server, sh, -c, "echo server VAR_NTP_SERVER iburst >> /etc/ntp.conf"]
  - [ cloud-init-per, once, enable_ecdsa-sha2-nistp521, sh, -c, "/usr/bin/ssh-keygen -f /etc/ssh/ssh_host_ecdsa_521_key -t ecdsa -b 521 -N ''"]
  - [ cloud-init-per, once, enable_ecdsa-sha2-nistp384, sh, -c, "/usr/bin/ssh-keygen -f /etc/ssh/ssh_host_ecdsa_384_key -t ecdsa -b 384 -N ''"]
  - [ cloud-init-per, once, enable_ssh_rsa, sh, -c, "sed -i '/ssh_host_rsa_key/s/^#//g' /etc/ssh/sshd_config"]
runcmd:
  - [ cloud-init-per, once, apply_network_config, sh, -c, "systemctl restart network"]
  - [ cloud-init-per, once, stop_chronyd, sh, -c, "systemctl stop chronyd;systemctl disable chronyd"]
  - [ cloud-init-per, once, start_ntp, sh, -c, "systemctl enable ntpd;systemctl start ntpd"]
  - [ cloud-init-per, once, set_timezone, sh, -c, "timedatectl set-timezone VAR_TIMEZONE"]
  - [ cloud-init-per, once, confd_keygen_root, sh, -c, "/usr/bin/escadm confd keygen --user root"]
  - [ cloud-init-per, once, confd_keygen_admin, sh, -c, "/usr/bin/escadm confd keygen --user admin"]
  - [ cloud-init-per, once, esc_service_start, sh, -c, "chkconfig esc_service on && service esc_service start"]   # You must include this line
The following sample, for dual interfaces, shows the day 0 file supplied as user data on the config drive.
It configures each Ethernet-based physical network device with a static IPv4 address in ESC; only eth0 carries the default route (DEFROUTE="yes"), eth1 does not.
#cloud-config
users:
  - name: admin            # The user's login name
    gecos: admin           # The user's real name
    groups: esc-user       # add admin to group esc-user
    passwd: $6$saltsalt$9PDBehueUG4XTLEj6BFZA5MDGh/XeQ6QPbf9HYLU3RifHj1
                           # The hash -- not the password itself -- of the password you want
                           # to use for this user. You can generate a safe hash via:
                           #   mkpasswd --method=SHA-512 --rounds=4096
    lock-passwd: false     # Defaults to true. Lock the password to disable password login.
                           # Set to false if you want password login.
    homedir: /home/admin   # Optional. Set to the local path you want to use. Defaults to /home/<username>
    sudo: ALL=(ALL) ALL    # Defaults to none. Set to the sudo string you want to use
ssh_pwauth: True           # Defaults to False. Set to True if you want to enable password authentication for sshd.
write_files:
  # ESC Configuration
  - path: /opt/cisco/esc/esc-config/esc-config.yaml
    content: |
      resources:
        confd:
          init_aaa_users:
            - key: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUF
              passwd: $6$rounds=4096$adWFd7LUn2PEUPWtWPl5tCD7pO9bae672T1
          option: start-phase0
        escmanager:
          open_ports:
            - '8080'
            - '8443'
          url:
            - http://0.0.0.0:8080/ESCManager
            - https://0.0.0.0:8443/ESCManager
        esc_service:
          type: group
  # Params
  - path: /opt/cisco/esc/esc-config/esc_params.conf
    content: |
      default.active_vim=CSP
      default.enable_cascade_deletion=true
  # Networking
  - path: /etc/sysconfig/network-scripts/ifcfg-eth0
    content: |
      DEVICE="eth0"
      BOOTPROTO="none"
      ONBOOT="yes"
      TYPE="Ethernet"
      USERCTL="yes"
      IPADDR="VAR_NETWORK0_IPADDR"
      NETMASK="VAR_NETWORK0_NETMASK"
      GATEWAY="VAR_NETWORK0_GATEWAY"
      DEFROUTE="yes"
      NM_CONTROLLED="no"
      IPV6INIT="no"
      IPV4_FAILURE_FATAL="yes"
  - path: /etc/sysconfig/network-scripts/ifcfg-eth1
    content: |
      DEVICE="eth1"
      BOOTPROTO="none"
      ONBOOT="yes"
      TYPE="Ethernet"
      USERCTL="yes"
      IPADDR="VAR_NETWORK1_IPADDR"
      NETMASK="VAR_NETWORK1_NETMASK"
      GATEWAY="VAR_NETWORK1_GATEWAY"
      DEFROUTE="no"
      NM_CONTROLLED="no"
      IPV6INIT="no"
      IPV4_FAILURE_FATAL="yes"
bootcmd:
  - [ cloud-init-per, once, disable_ipv6_eth0, sh, -c, "echo net.ipv6.conf.eth0.disable_ipv6 = 1 >> /etc/sysctl.conf"]
  - [ cloud-init-per, once, update_host_name, sh, -c, "echo VAR_LOCAL_HOSTNAME >> /etc/hostname && hostnamectl set-hostname VAR_LOCAL_HOSTNAME"]
  - [ cloud-init-per, once, update_hosts, sh, -c, "echo 127.0.0.1 VAR_LOCAL_HOSTNAME >> /etc/hosts"]
  - [ cloud-init-per, once, add_name_server, sh, -c, "echo nameserver VAR_NAMESERVER_IP >> /etc/resolv.conf"]
  - [ cloud-init-per, once, add_ntp_server, sh, -c, "echo server VAR_NTP_SERVER iburst >> /etc/ntp.conf"]
  - [ cloud-init-per, once, enable_ecdsa-sha2-nistp521, sh, -c, "/usr/bin/ssh-keygen -f /etc/ssh/ssh_host_ecdsa_521_key -t ecdsa -b 521 -N ''"]
  - [ cloud-init-per, once, enable_ecdsa-sha2-nistp384, sh, -c, "/usr/bin/ssh-keygen -f /etc/ssh/ssh_host_ecdsa_384_key -t ecdsa -b 384 -N ''"]
  - [ cloud-init-per, once, enable_ssh_rsa, sh, -c, "sed -i '/ssh_host_rsa_key/s/^#//g' /etc/ssh/sshd_config"]
runcmd:
  - [ cloud-init-per, once, apply_network_config, sh, -c, "systemctl restart network"]
  - [ cloud-init-per, once, stop_chronyd, sh, -c, "systemctl stop chronyd;systemctl disable chronyd"]
  - [ cloud-init-per, once, start_ntp, sh, -c, "systemctl enable ntpd;systemctl start ntpd"]
  - [ cloud-init-per, once, set_timezone, sh, -c, "timedatectl set-timezone VAR_TIMEZONE"]
  - [ cloud-init-per, once, confd_keygen_root, sh, -c, "/usr/bin/escadm confd keygen --user root"]
  - [ cloud-init-per, once, confd_keygen_admin, sh, -c, "/usr/bin/escadm confd keygen --user admin"]
  - [ cloud-init-per, once, esc_service_start, sh, -c, "chkconfig esc_service on && service esc_service start"]   # You must include this line
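Before either sample is handed to CSP 2100, its VAR_* placeholders have to be filled in and the result checked against the rules the samples state: passwords only as hashes, no placeholder left behind, and the esc_service_start entry present. The following script does that. It is an added example, not Cisco's code and not part of the original page; the TEMPLATE is a constructed, abbreviated copy of the single-interface sample, the VAR_* names follow the page's samples, and the two "warning" findings (the plaintext ESCManager listener on 0.0.0.0:8080 and ssh_pwauth: True) are practitioner caveats about what the sample enables, not rules the page imposes.

```python
"""Render the VAR_* placeholders of an ESC day 0 file and lint the result
before handing it to CSP 2100.  Added example, not Cisco's code: the checks
encode the rules the page states (hashed passwords only, the mandatory
esc_service_start entry, no unsubstituted variables) plus two practitioner
warnings about what the sample enables."""
import re

# Constructed, abbreviated version of the page's single-interface sample.
# The passwd value is the public SHA-512 crypt test vector for "Hello world!"
# (a placeholder that satisfies the format check; never deploy it).
TEMPLATE = """\
#cloud-config
users:
  - name: admin
    passwd: $6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1
    lock-passwd: false
    sudo: ALL=(ALL) ALL
ssh_pwauth: True
write_files:
  - path: /opt/cisco/esc/esc-config/esc-config.yaml
    content: |
      resources:
        escmanager:
          url:
            - http://0.0.0.0:8080/ESCManager
            - https://0.0.0.0:8443/ESCManager
  - path: /etc/sysconfig/network-scripts/ifcfg-eth0
    content: |
      IPADDR="VAR_NETWORK0_IPADDR"
      NETMASK="VAR_NETWORK0_NETMASK"
      GATEWAY="VAR_NETWORK0_GATEWAY"
bootcmd:
  - [ cloud-init-per, once, update_host_name, sh, -c, "hostnamectl set-hostname VAR_LOCAL_HOSTNAME"]
runcmd:
  - [ cloud-init-per, once, esc_service_start, sh, -c, "chkconfig esc_service on && service esc_service start"]
"""

VAR_RE = re.compile(r"\bVAR_[A-Z0-9_]+\b")
# $6$[rounds=N$]salt(1-16 chars)$hash(86 chars): anything else, notably a
# hash truncated by copy-paste, never matches the password on the instance.
CRYPT_RE = re.compile(r"^\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$")


def render(template, values):
    """Substitute every VAR_* placeholder; refuse to emit a file with any left unset."""
    missing = sorted(set(VAR_RE.findall(template)) - set(values))
    if missing:
        raise KeyError("unset day 0 variables: " + ", ".join(missing))
    return VAR_RE.sub(lambda m: values[m.group(0)], template)


def lint(user_data):
    """Return (severity, message) findings for a rendered day 0 file; [] means clean."""
    findings = []
    lines = user_data.splitlines()
    if not lines or lines[0].strip() != "#cloud-config":
        findings.append(("error", "first line must be #cloud-config"))
    for n, line in enumerate(lines, 1):
        m = re.match(r"\s*-?\s*passwd:\s*(\S+)", line)
        if m and not CRYPT_RE.match(m.group(1)):
            findings.append(("error", f"line {n}: passwd is not a complete SHA-512 crypt hash"))
        if re.match(r"\s*-?\s*(plain_text_passwd|password):", line):
            findings.append(("error", f"line {n}: plaintext password key in user-data"))
    if "esc_service_start" not in user_data:
        findings.append(("error", "runcmd lacks the mandatory esc_service_start entry"))
    for var in sorted(set(VAR_RE.findall(user_data))):
        findings.append(("error", f"unsubstituted placeholder {var}"))
    for m in re.finditer(r"http://0\.0\.0\.0:(\d+)", user_data):
        findings.append(("warning", f"plaintext ESCManager listener on all interfaces, port {m.group(1)}"))
    if re.search(r"^ssh_pwauth:\s*[Tt]rue", user_data, re.M):
        findings.append(("warning", "ssh_pwauth enables password logins over SSH; move to keys once the instance is reachable"))
    return findings


if __name__ == "__main__":
    rendered = render(TEMPLATE, {
        "VAR_NETWORK0_IPADDR": "192.0.2.10", "VAR_NETWORK0_NETMASK": "255.255.255.0",
        "VAR_NETWORK0_GATEWAY": "192.0.2.1", "VAR_LOCAL_HOSTNAME": "esc-01"})
    for severity, message in lint(rendered):
        print(f"{severity}: {message}")
```

Run the linter on the rendered file, not on the template: an unrendered file produces one error per placeholder, which is exactly what you want to see before a VAR_NETWORK0_IPADDR literally ends up in ifcfg-eth0 and the network restart in runcmd fails.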
Creating ESC passwords to use in Day0 Files
When you use the cloud-init day 0 file to deploy an ESC instance, every password in it must be passed as a hash, never as plain
text: the day 0 file persists on the config drive, so anything written into it in the clear is readable by whoever can read that drive.
To create a hashed password, use the mkpasswd tool. The mkpasswd that accepts --method and --rounds is the one from the whois package (Debian and Ubuntu); the mkpasswd shipped in the expect package on RHEL-family systems is an unrelated random-password generator. Let the tool prompt for the password rather than passing it as an argument, so that it does not land in shell history or the process list. The following example shows how to create a hashed
password.
~$ mkpasswd --method=SHA-512 --rounds=4096
Password:
$6$rounds=4096$Yo11pRsFO$iT5SGMJ6z8WEnmj8TKMdInblgWeb/UChmrsQs3aspx8j.yUuuhxKk2XScOkerWWxpqD5F0sLfC5kzT5t2xGkL1
The output has four $-separated fields: 6 identifies SHA-512 crypt, rounds=4096 is the work factor, Yo11pRsFO is the random salt, and the final 86 characters are the hash. Copy the whole string, including the $6$ prefix, into the passwd field; a hash that has been cut short never matches the password, and password login for that user will fail.
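To see what mkpasswd produces, and to verify a hash against its password before the day 0 file is built, the following pure-Python implementation of SHA-512 crypt (the $6$ scheme computed by mkpasswd and glibc's crypt(3)) is added here as an example. It is not Cisco's code and not part of the original page; it follows Ulrich Drepper's "Unix crypt using SHA-256 and SHA-512" specification and the test checks it against that document's published vector. Python's own crypt module (removed in 3.13) or openssl passwd -6 compute the same thing; this version needs neither.

```python
"""SHA-512 crypt ($6$) in pure Python, to create the hash that goes into the
day 0 file and to verify it before the file is burned into a config drive.
Added example, not Cisco's code.  It implements the algorithm from Drepper's
"Unix crypt using SHA-256 and SHA-512" (what mkpasswd and glibc's crypt(3)
run) and is checked against that document's published test vector."""
import hashlib
import hmac
import secrets

ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode(digest):
    """crypt's own base64: 21 byte triples in the spec's rotated order, then byte 63 alone."""
    out = []
    for k in range(21):
        a, b, c = k, k + 21, k + 42
        i2, i1, i0 = [(a, b, c), (b, c, a), (c, a, b)][k % 3]
        w = (digest[i2] << 16) | (digest[i1] << 8) | digest[i0]
        for _ in range(4):
            out.append(ALPHABET[w & 0x3F])
            w >>= 6
    w = digest[63]
    for _ in range(2):
        out.append(ALPHABET[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password, salt, rounds=None):
    """Return "$6$[rounds=N$]salt$hash"; rounds=None is glibc's default of 5000 with no prefix."""
    pw, salt = password.encode(), salt[:16].encode()   # glibc caps the salt at 16 bytes
    r = 5000 if rounds is None else max(1000, min(rounds, 999_999_999))
    H = lambda *parts: hashlib.sha512(b"".join(parts)).digest()
    b = H(pw, salt, pw)                                 # digest B
    a = hashlib.sha512(pw + salt)                       # digest A: password, salt, ...
    a.update((b * (len(pw) // 64 + 1))[:len(pw)])       # ... one byte of B per password byte, ...
    n = len(pw)
    while n:                                            # ... and B or the password per bit of len(pw)
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    p = (H(pw * len(pw)) * (len(pw) // 64 + 1))[:len(pw)]  # P: password-length byte string
    s = H(salt * (16 + a[0]))[:len(salt)]                   # S: salt-length byte string
    c = a
    for i in range(r):                                      # the cost loop
        parts = [p if i & 1 else c]
        if i % 3:
            parts.append(s)
        if i % 7:
            parts.append(p)
        parts.append(c if i & 1 else p)
        c = H(*parts)
    prefix = "$6$" + (f"rounds={r}$" if rounds is not None else "")
    return prefix + salt.decode() + "$" + _encode(c)


def new_hash(password, rounds=4096):
    """Equivalent of mkpasswd --method=SHA-512 --rounds=4096: fresh 16-character random salt."""
    salt = "".join(secrets.choice(ALPHABET) for _ in range(16))
    return sha512_crypt(password, salt, rounds)


def verify(password, hashed):
    """Recompute with the salt and rounds embedded in `hashed`; compare in constant time."""
    fields = hashed.split("$")                  # ['', '6', ['rounds=N',] salt, hash]
    if len(fields) < 4 or fields[1] != "6":
        return False
    rounds = None
    if fields[2].startswith("rounds="):
        rounds = int(fields[2][7:])
        del fields[2]
    return hmac.compare_digest(sha512_crypt(password, fields[2], rounds), hashed)


if __name__ == "__main__":
    import getpass
    # Prompt for the password so it stays out of argv and shell history, as mkpasswd does.
    print(new_hash(getpass.getpass("Password: ")))
```

verify() is the check to run on the exact string you pasted into the day 0 file: it accepts the hash only if the salt, the rounds prefix and all 86 hash characters survived the copy, which is what the instance's crypt(3) will also demand.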