Node management

This section includes topics such as node RBAC and node discover, including bootstrapping and zero-touch provisioning (ZTP).

Node RBAC

EDA supports the use of node RBAC to secure communications between EDA and nodes. System administrators can configure node security profile, node groups and node users using TACACS.

Node groups

The NodeGroup resource defines a group on a node. It includes RBAC settings and the selection of services to which users belonging to the group has access, and TACACS configuration. A node group has the following attributes:

  • an optional name override in groupName, allowing the resource name and local group name on the target to be different
  • the set of enabled services
  • an indicator if the group provides superuser permissions
  • a set of rules, being target specific RBAC rules
  • mapping to a privilege level in the TACACS container

A NodeGroupDeployment resource is used to deploy NodeGroup resources to target toponodes.

Rules

Users of for node groups can define a set of rules that are specific to a specified operating system. The Rules section of the NodeGroup resource includes the following parameters that define a rule:

  • An action, which can be one of the following:
    • Deny
    • ReadWrite
    • Read
  • An operatingSystem - which OS to apply this rule to.
  • A match - an OS-specific path, for example interface for SR Linux, or configure port for SR OS.

Rules that match the operating system of the target are deployed to that target.

The default for action is set to ReadWrite, and to simplify the majority of deployments the operatingSystem is set to srl.

Superuser

EDA supports a superuser attribute; if enabled for a node user group, users that belong to the node group can perform all functions on the system, including sudo and root access, if available.

TACACS+

System administrators commonly use TACACS+ to authenticate users, and then use the local device to enforce a locally-defined rule set, or role. In EDA, enforcement uses the privilege level in TACACS+. If TACACS+ is used for authentication and if a privilege level is returned, a user is granted the set of permissions from all groups that match that privilege level and lower (following TACACS+ implementation of higher privilege levels inheriting permissions of lower levels).

Note: TACACS+ server configuration is currently done through a Configlet application.

Services

You can select the services (management services like gNMI, NETCONF, CLI) that a group is allowed in the Services field. Select one or more of the following services:
  • CLI
  • FTP
  • gNMI
  • gNSI
  • gRIBI
  • Reflection
  • JSON-RPC
  • NETCONF

Default sudo group

The default sudo node group is provided during the bootstrap process or playground deployment. This group enables critical services and provides read/write access to all paths. The NodeGroup resource is referenced by the admin NodeUser resource that is provided with playground KPT package.

The following example shows a sudo NodeGroup resource:

apiVersion: core.eda.nokia.com/v1
kind: NodeGroup
metadata:
  name: sudo
  namespace: eda
spec:
  services:
  - GNMI
  - CLI
  - NETCONF
  superuser: true

Creating node groups

In the EDA UI, from the navigation pane, go to System Administration > NODE MANAGEMENT > Node Groups page.
  1. Click Create.
  2. Configure metadata for this resource.
    Set the following fields:
    • Name
    • Namespace
    • Labels
    • Annotations
  3. Configure specifications for the node group.
    • Provide a group name. If you do not provide a name, the system uses the resource name.
    • In the Services drop-down list, select the services that users who belong to this group can access.
    • Enable the Superuser field to make members of this node user group superusers.
  4. In the Rules section, click Add to configure rules.
    Set the following fields to define the operating system match rule for this group:
    • Action: select an action from the drop-down list
    • Operating System: select srl for SR Linux or sros for SR OS.
    • Match: a string to match input against; for example, interface for SR Linux or configure port for SR OS. Rules here should be specified in the target specific format.
  5. If TACACS is used for authentication, in the TACACS section, select the privilege level.
  6. Click Add To Transaction.

Node users

The NodeUser resource defines a node user using the following parameters:

  • username and password
  • node groups to which the user belongs
  • SSH public keys to be deployed for the user

Creating node users

In the EDA UI, from the navigation pane, go to System Administration > NODE MANAGEMENT > Node Users page.
  1. Click Create.
  2. Configure metadata for this resource.
    Set the following fields:
    • Name
    • Namespace
    • Labels
    • Annotations
  3. Configure the specifications for this node user.
    In the Specification section, set the following fields:
    • Username: provide a name for this user. If you do not provide a username, the resource name is used.
    • Password: provide a password for this user
  4. Configure group bindings.
    In the Group Bindings section, click Add.
    • Select the toponodes.
      • To use a label selector to select nodes, in the Node Selector section, click Add a Label Selector .
      • To identify specific nodes, in the Nodes section, click Add item to select toponodes from the drop-down list.
    • In the Groups section, click Add to specify the node groups to which this user belongs.
  5. In the SSH Public Keys field, click Add item to set the SSH public key to deploy for the user.
NodeUser resource
---
apiVersion: core.eda.nokia.com/v1
kind: NodeUser
metadata:
  name: node-user
spec:
  username: test
  password: testPassword
  groups:
  - admin
  nodeSelector:
  - eda.nokia.com/role=spine
  - eda.nokia.com/role=leaf
  - eda.nokia.com/role=superspine
  sshPublicKeys:
  - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCsYFM9U5hwi+hcZGr5EPjbcneMB+CRmJ1zYDI5wXq8BgtJdXLCqRnsHtdTpfXn5agwGfkMntsw+/whDjJj3HBX6FxAnB9CO/tHw0AZ7wwAagfp5TFkQwGsUVroJlqUfiu1I1yHqNx+etS8DrAAyLtiUMaEvSLztpqjG/4E3TsEvR1pRgt5OkEfX7CX8PIuCtKvuFBh7aaU6W8a5kvInQaL0TrxEWHb3cnqwTryRri+ohtHFaSFvpJsTT07in3j2UwPw8ICpi75xd8PMKC8CIqijIACIHMIADK0qUIhB+VEXhFp0RPihXraX8v+l7IFRBHLHqIW8ygJ5PUXQKx6+p+TRDhCNtuhL7pd+TWFJPqD9bZigIWEYfQE3dQ2ZNabXr+5sOxyeHot1nYUj5TiFLuCtNz36i3TkXNbHfKxuMymoLEiSOZyD2EkKNlzvxiW4RJl2wZAjjg9pqZILNkbkFVNo0gE3QSkr6fzIRFy27xUBWmG8zi06T4iumEvmhL05Ri3cPDzWQa4FoI9kzt1iCgCFqhHioK882CjZoWt9vX5+JqqddKXJV7oix5jlTvKtEQBYFSKTra2Mt+Gwpbn5bG3TtaumtpX4rK9PVPKnfCLccwRnp+mpijxcGA91N7+2Ud9fSPe8JX/jdGfSXAyU1GuCNI/pHjp0ILqFy2GwQseGQ== admin"

Node security profile

The NodeSecurityProfile resource provides the parameters that define how to secure communication between EDA and a node. The NodeSecurityProfile resource facilitates the configuration, generation, and rotation of TLS certificates, trust bundle management, and secure communication with specified nodes.

Node selection

In NodeSecurityProfile resource, you can select nodes using the following methods:

  • by listing the nodes: in the nodes field, list the TopoNodes to which the profile applies
  • by label: in the nodeSelector field, select a label that applies to TopoNodes that meet the criteria selected. This field can contain a list of label selectors; a TopoNode must contain at least one of the labels to inherit the profile's settings.

    A nodeSelector set to an empty string ("") means that the profile applies to all nodes.

The nodes field takes precedence over the nodeSelector setting. If multiple profiles match a node's labels, the profile whose name is first in alphabetic order is applied.

TLS configuration

The tls context indicates whether the connection to the node is secure (with TLS) or insecure (without TLS). The absence of the tls field implies an insecure connection, while its presence signals a secure connection.

EDA-managed certificates

When EDA is responsible for managing node certificates, the tls context must include the following entries:

  • issuerRef: a reference to a CertManager Issuer, which is responsible for issuing the certificates.

  • csrParams: the Certificate Signing Request (CSR) parameters define the parameters for certificate generation and rotation.

    • csrSuite: the key and digest set to be used for generating the CSR.
    • commonName: the common name (CN) to include in the certificate. This value is auto-generated.
    • country: the legally registered country of the organization.
    • state: the state or province where the organization is located.
    • city: the city in which the organization is based.
    • org: the name of the organization requesting the CSR.
    • orgUnit: the department or division within the organization requesting the certificate.
    • certificateValidity: the duration for which the certificate remains valid post-issuance.
    • SAN (Subject Alternative Names):
      • dns: List of DNS names used to access the node.
      • emails: Email addresses associated with the certificate.
      • ips: IP addresses that the certificate should validate.
      • uris: Specific URIs that the certificate needs to authenticate.

The following is an example of a nodeSecurityProfile CR where EDA manages certificates:

apiVersion: v1
items:
  - apiVersion: core.eda.nokia.com/v1
    kind: NodeSecurityProfile
    metadata:
      annotations:
        config.k8s.io/owning-inventory: 8c2644abc6befe73d5ad0cfc386ec155f31bc07d-1729769165484669347
        kubectl.kubernetes.io/last-applied-configuration: >
          {"apiVersion":"core.eda.nokia.com/v1","kind":"NodeSecurityProfile","metadata":{"annotations":{"config.k8s.io/owning-inventory":"8c2644abc6befe73d5ad0cfc386ec155f31bc07d-1729769165484669347"},"name":"insecure","namespace":"default"},"spec":{"nodeSelector":["eda.nokia.com/security-profile=insecure"]}}
      name: insecure
      namespace: eda
    spec:
      nodeSelector:
        - eda.nokia.com/security-profile=insecure
  - apiVersion: core.eda.nokia.com/v1
    kind: NodeSecurityProfile
    metadata:
      annotations:
        config.k8s.io/owning-inventory: 8c2644abc6befe73d5ad0cfc386ec155f31bc07d-1729769165484669347
        kubectl.kubernetes.io/last-applied-configuration: >
          {"apiVersion":"core.eda.nokia.com/v1","kind":"NodeSecurityProfile","metadata":{"annotations":{"config.k8s.io/owning-inventory":"8c2644abc6befe73d5ad0cfc386ec155f31bc07d-1729769165484669347"},"name":"managed-tls","namespace":"default"},"spec":{"nodeSelector":["eda.nokia.com/security-profile=managed"],"tls":{"csrParams":{"certificateValidity":"2160h","city":"Sunnyvale","country":"US","csrSuite":"CSRSUITE_X509_KEY_TYPE_RSA_2048_SIGNATURE_ALGORITHM_SHA_2_256","org":"NI","orgUnit":"EDA","state":"California"},"issuerRef":"eda-node-issuer"}}}
      name: managed-tls
      namespace: eda
    spec:
      nodeSelector:
        - eda.nokia.com/security-profile=managed
      tls:
        csrParams:
          certificateValidity: 2160h
          city: Sunnyvale
          country: US
          csrSuite: CSRSUITE_X509_KEY_TYPE_RSA_2048_SIGNATURE_ALGORITHM_SHA_2_256
          org: NI
          orgUnit: EDA
          state: California
        issuerRef: eda-node-issuer
  - apiVersion: core.eda.nokia.com/v1
    kind: NodeSecurityProfile
    metadata:
      annotations:
        config.k8s.io/owning-inventory: 8c2644abc6befe73d5ad0cfc386ec155f31bc07d-1729769165484669347
        kubectl.kubernetes.io/last-applied-configuration: >
          {"apiVersion":"core.eda.nokia.com/v1","kind":"NodeSecurityProfile","metadata":{"annotations":{"config.k8s.io/owning-inventory":"8c2644abc6befe73d5ad0cfc386ec155f31bc07d-1729769165484669347"},"name":"unmanaged-tls","namespace":"default"},"spec":{"nodeSelector":["eda.nokia.com/security-profile=unmanaged"],"tls":{"trustBundle":"eda-node-trust-bundle"}}}
      name: unmanaged-tls
      namespace: eda
    spec:
      nodeSelector:
        - eda.nokia.com/security-profile=unmanaged
      tls:
        trustBundle: eda-node-trust-bundle
kind: List
metadata:
  resourceVersion: ""

External certificate management

If certificates are managed outside of EDA, the tls section must reference an external trust bundle. The trustBundle field contains a reference to a ConfigMap that holds a CA certificate. EDA uses this CA certificate to verify the node’s certificate whenever it establishes a connection. The trust bundle must be provided if node certificate management is performed outside of EDA, allowing the node to validate certificates through an external authority.
apiVersion: core.eda.nokia.com/v1
kind: NodeSecurityProfile
metadata:
  name: example-node-security-profile
spec:
  nodeSelector:
    - "eda.nokia.com/role=leaf"
  tls:
    trustBundle: "node-trust-bundle"

Node discovery

This section includes topics related to initial node discovery.

Bootstrapping

The Init application generates an initial configuration file for nodes that require bootstrapping. The input to the Init application is an Init resource, which specifies which toponodes to select and for which toponodes to create an initial configuration.

The initial configuration file is stored in the artifact server. When toponodes connect to NPP, NPP pushes the initial configuration file to the node.

Additionally, the Init application generates the Python provisioning script for SR Linux and bootstrap files needed for SR OS or other operating systems. Based on the same selection criteria, a bootstrap file or Python provisioning script is generated for the selected nodes.

The bootstrap file or Python provisioning script ensures that the node boots into the version specified in the toponode. The software and any other artifacts are downloaded to the node during ZTP using HTTP/HTTPS.

By default, if no toponode selectors are present in the Init resource, an initial configuration file is generated for every toponode present in EDA.

Management interface IP address assignment

The Init resource allows you to configure the management interface IP assignment method using DHCP or by defining static IP addresses. For details, see Enabling DHCP clients and Setting static management IP addresses.

Saving node configuration on commit

To specify whether the node configuration is saved after each commit or not, in the Init CR include the entry commitSave: true. The Init script must reflect the commitSave value in the generated initial configuration.

Preparing for bootstrapping

Ensure that you meet the following requirements:

  • The NodeSecurityProfile resource (for TLS) must be configured to ensure successful onboarding. For details, see Node security profile.

  • A node requires the relevant EDA-CE license resource to be applied. Without this license, the node may not move to the READY state. 
    apiVersion: core.eda.nokia.com/v1
kind: License
metadata:
  name: eda-license
  namespace: eda-system
spec:
  enabled: true
  data: "ACoAgOlJq7AABoAU6V6W6XAERezbcYa+ZRZLg8M5IyqMgAABAATAEVEQS1bQkNdLTAuMC4qAAACABIATm9raWEuY29tLOVEQQAAAMAAMQCjorJ+SPKP3if9pcD3OhqlyaWK1VE89JWreOWkyOJcbIWO602C+iwp+FFp8AwAAAADAB4ARWRhIGxpY2Vuc2UgSW50ZXJuYWwgVGVzdAAAAAUAHADl0zNnAAAAAABgKWcAAAAAADohaAAAAADAACQAoKr6XCCQCZj1rWFYik1dGbiqG7TWRK2orh+0sjUKXNYBACkAMDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAwAAAAAAYADAABAAQAAAAAAMAAMAC/KQqX7Di/m1d0zYz9quIyghaHatF0yDvDgK/fFr011Wa/7FN3LO/OoD3aHg8AXQFkOEh6ejQrTlFyNmVJNTNsVW9SMi9JV2xXd1NqMUF3QVh0eEd6LzhGdlp0WXphTkdOQ1RWRnNCQ3wwZ0p2b21pSDNiZHFTSFBYQ2R6d0xxVlNhM3FZZUZuL1BGMnhoSjN6OS8yS3RlVGpmUngreWFNS1NwZ0p5OE12YlBVbmw2TUFpNHRXR1g4U3R0WXFBN21uVUNhVHp5eXpLOWtXcWgwZVZtR1oyV09RTURML0thaWY1RGMva21tc0NVY042RUdNZUNiTmdvV2RKUFlXZ1o4c2hlaG03b2tsZHdsSDBxMXZWdjhHMjZ4OVUxbTd2ellBN3BDNkFXODJyZ3FsaExWTUJxYm11VDdKSzdPWWhzYVp4Q3h4a2lIbWZ5KytNY3FLVHFBUk1McWhYRzRIb290ME0xK1RaRVZTdUJKNFl5a3pkeHdVV3pGZGRZdjg5Ym5uUHBsdXc9PQAAAAA="

  • If the deployment uses EDA DHCP for bootstrapping, the GlobalConfig and UdpProxy CRs may be needed.

    Following is an example of GlobalConfig resource:
    apiVersion: v1
items:
  - apiVersion: core.eda.nokia.com/v1
    kind: GlobalConfig
    metadata:
      name: global
      namespace: eda-system
    spec:
      dhcp:
        domainName: mv1-3.dclab.nuq.ion.nokia.net
        httpPort: 9200
        httpsPort: 9443
        ipv4Address: 10.11.12.13
        ipv6Address: 3001:cafe:11::2
kind: List
metadata:
  resourceVersion: ""
    Following is an example of a UdpProxy resource:
    apiVersion: v1
items:
  - apiVersion: core.eda.nokia.com/v1
    kind: UdpProxy
    metadata:
      annotations:
        config.k8s.io/owning-inventory: aeb8a5709fd9a90c89d3d3dcc1d9c3817f2618ae-1732279916926223978
        kubectl.kubernetes.io/last-applied-configuration: >
          {"apiVersion":"core.eda.nokia.com/v1","kind":"UdpProxy","metadata":{"annotations":{"config.k8s.io/owning-inventory":"aeb8a5709fd9a90c89d3d3dcc1d9c3817f2618ae-1732279916926223978"},"name":"eda-dhcp","namespace":"eda-system"},"spec":{"bufferSize":65535,"destHost":"eda-dhcp","destPort":67,"idleTimeout":60,"proxyPort":67}}
      name: eda-dhcp
      namespace: eda-system
    spec:
      bufferSize: 65535
      destHost: eda-dhcp
      destPort: 67
      idleTimeout: 60
      proxyPort: 67
  - apiVersion: core.eda.nokia.com/v1
    kind: UdpProxy
    metadata:
      annotations:
        config.k8s.io/owning-inventory: aeb8a5709fd9a90c89d3d3dcc1d9c3817f2618ae-1732279916926223978
        kubectl.kubernetes.io/last-applied-configuration: >
          {"apiVersion":"core.eda.nokia.com/v1","kind":"UdpProxy","metadata":{"annotations":{"config.k8s.io/owning-inventory":"aeb8a5709fd9a90c89d3d3dcc1d9c3817f2618ae-1732279916926223978"},"name":"eda-dhcp6","namespace":"eda-system"},"spec":{"bufferSize":65535,"destHost":"eda-dhcp6","destPort":547,"idleTimeout":60,"proxyPort":547}}
      name: eda-dhcp6
      namespace: eda-system
    spec:
      bufferSize: 65535
      destHost: eda-dhcp6
      destPort: 547
      idleTimeout: 60
      proxyPort: 547
kind: List
metadata:
  resourceVersion: ""
  • The init and relevant images must be downloaded to the artifacts server.

    The following resource must be present:

    apiVersion: v1
kind: Secret
metadata:
  name: srl-node-cred
  namespace: eda
type: Opaque
data:
  username: YWRtaW4=
  password: Tm9raWFTcmwxIQ==
---
apiVersion: v1
kind: Secret
metadata:
  name: srl-ftp-cred
  namespace: eda
type: Opaque
data:
  username: ZnRwdXNlcg==
  password: U2ghbmluZyR0YXIxIQ==
---
apiVersion: artifacts.eda.nokia.com/v1
kind: Artifact
metadata:
  name: srlinux-24.10.1-492
  namespace: eda
spec:
  repo: images
  filePath: srl.bin
  remoteFileUrl:
    fileUrl: ftp://10.10.10.10/eda/srl_images/srlinux-24.10.1-492.bin
  secret: srl-ftp-cred
---
apiVersion: artifacts.eda.nokia.com/v1
kind: Artifact
metadata:
  name: srlinux-24.10.1-492-md5
  namespace: eda
spec:
  repo: images
  filePath: srl.bin.md5
  remoteFileUrl:
    fileUrl: ftp://10.10.10.10/eda/srl_images/srlinux-24.10.1-492.bin.md5
  secret: srl-ftp-cred
---
apiVersion: artifacts.eda.nokia.com/v1
kind: Artifact
metadata:
  name: sros-iom-24-10-r4
  namespace: eda
spec:
  repo: images
  filePath: iom.tim
  remoteFileUrl:
    fileUrl: ftp://10.10.10.10/fsp/sros_images/24.10.r4/iom.tim
  secret: srl-ftp-cred
---
apiVersion: artifacts.eda.nokia.com/v1
kind: Artifact
metadata:
  name: sros-both-24-10-r4
  namespace: eda
spec:
  repo: images
  filePath: both.tim
  remoteFileUrl:
    fileUrl: ftp://10.10.10.10/fsp/sros_images/24.10.r4/both.tim
  secret: srl-ftp-cred
---
apiVersion: artifacts.eda.nokia.com/v1
kind: Artifact
metadata:
  name: sros-support-24-10-r4
  namespace: eda
spec:
  repo: images
  filePath: support.tim
  remoteFileUrl:
    fileUrl: ftp://10.10.10.10/fsp/sros_images/24.10.r4/support.tim
  secret: srl-ftp-cred
---
apiVersion: artifacts.eda.nokia.com/v1
kind: Artifact
metadata:
  name: sros-cpm-24-10-r4
  namespace: eda
spec:
  repo: images
  filePath: cpm.tim
  remoteFileUrl:
    fileUrl: ftp://10.10.10.10/fsp/sros_images/24.10.r4/cpm.tim
  secret: srl-ftp-cred
---
apiVersion: artifacts.eda.nokia.com/v1
kind: Artifact
metadata:
  name: sros-kernel-24-10-r4
  namespace: eda
spec:
  repo: images
  filePath: kernel.tim
  remoteFileUrl:
    fileUrl: ftp://10.10.10.10/fsp/sros_images/24.10.r4/kernel.tim
  secret: srl-ftp-cred
---

Enabling DHCP clients

To enable the IPv4 and IPv6 DHCP clients on the management interface, in the Init resource, include the following entries in the mgmt context:

ipv4DHCP: true

ipv6DHCP: true

In the mgmt section, by default, both ipv4DHCP and ipv6DHCP are set to true. Optionally, you can also set the IP MTU, as shown in the following example:
apiVersion: bootstrap.eda.nokia.com/v1alpha1
kind: Init
metadata:
  name: init-config
spec:
  nodeSelector:
  - 'eda.nokia.com/role=leaf'
  - 'eda.nokia.com/role=spine'
  - 'eda.nokia.com/role=borderleaf'
  - 'eda.nokia.com/role=superspine'
  - 'eda.nokia.com/role=backbone'
  mgmt:
    ipv4DHCP: true
    ipv6DHCP: true
    ipMTU: 9000
Note: If the ipv4DHCP or ipv6DHCP parameters are set to true, the settings are not reflected in the DHCP client-related config in BOF for SR OS.

Setting static management IP addresses

To set the management IP address statically, the init script must use the productionAddress setting from the Toponode resource as the IPv4 or IPv6 address in the generated configuration.

The init script sets the address as either IPv4 or IPv6 and sets the prefix length.

The table below displays the different combinations of ipv4DHCP, ipv6DHCP and productionAddress settings and the corresponding resulting initial configuration.

Table 1. Combinations for ipv4DHCP, ipv6DHCP and productionAddress settings
Init resource TopoNode setting Result
ipv4DHCP: true * The management interface IPv4 client is enabled in the initial configuration.
ipv6DHCP: true * The management interface IPv6 client is enabled in the initial configuration.
ipv4DHCP: false IPv4 productionAddress is set The production address is set as the IPv4 address of the management interface in the initial configuration.
ipv4DHCP: false IPv6 productionAddress is set The IPv4 address is left unset in the initial configuration and the IPv4 DHCP client is not enabled.
ipv6DHCP: false IPv4 productionAddress is set The IPv6 address is left unset in the initial configuration and the IPv6 DHCP client is not enabled.
ipv6DHCP: false IPv6 productionAddress is set The production address is set as the IPv6 address of the management interface in the initial configuration.
ipv4DHCP: false ipv6DHCP: false productionAddress is not set Results in an error; add productionAddress to TopoNode or enable a DHCP client.
Static Routes
To define the static routes in the Init CR, specify an IP prefix and a next hop. The Init script adds the static routes to the management network instance. For example:
apiVersion: bootstrap.eda.nokia.com/v1alpha1
kind: Init
metadata:
  name: init-config
spec:
  nodeSelector:
  - 'eda.nokia.com/role=leaf'
  - 'eda.nokia.com/role=spine'
  - 'eda.nokia.com/role=borderleaf'
  - 'eda.nokia.com/role=superspine'
  - 'eda.nokia.com/role=backbone'
  mgmt:
    ipv4DHCP: true
    ipv6DHCP: true
    ipMTU: 9000
    staticRoutes:
      - prefix: 10.10.0.0/16
        nextHop: 172.16.255.29
      - prefix: 2001:10:10::/64
        nextHop: "200::"

Zero-touch provisioning

Zero Touch Provisioning (ZTP) allows for a device to be installed in a rack, powered on, and without any additional input from an operator, boot up, pull down the software version of its operating system, an initial configuration and any other boot artifacts required for it to be managed.

Most ZTP implementations rely on DHCP to provide an IP address to the DUT and use DHCP options to inform the DUT of the location of any boot artifacts it requires to complete its ZTP process. In SR Linux, the DHCP server provides the URL of a Python provisioning script which is then used by the DUT to perform actions such as software upgrade and applying an initial configuration. In SR OS, the DHCP server provides a URL to a provisioning file which is a text file containing URLs to software images and configuration files.

For devices running SR OS and SR Linux, the devices send a DHCP Discover message with option 61 (client-id) set to the chassis serial number. This setting is used on the DHCP server to associate a DHCP discover message with a specific DUT and allows for the DHCP server to allocate static DHCP leases (IP addresses) and potentially device-specific boot artifacts (Python script or boot file).

EDA supports the following modes of operation for DHCP aspect of ZTP:
  • Use of an internal DHCP server (hosted and managed by EDA)
  • Use of an external DHCP server (hosted and managed outside of EDA)

To serve the boot artifacts (Python script, boot file, software, or any other files needed during the bootstrapping process), an artifact server must be present in EDA. An intent is used to allow for artifacts to be added to the server, which is then retrieved by the devices during boot.

DHCP server

In deployments that use EDA to handle ZTP in its entirety, a DHCP server is required to provide IP addresses to devices.

When a device issues a DHCP discovery message, the client-id option (61) attribute includes their chassis serial number. This serial number is used to associate real devices with node objects in EDA. Additionally, an IP address is assigned to device via a Target object.

The DHCP server must support the following capabilities:

  • Static lease assignment using the client-id (option 61) as the binding between an IP address and a device
  • Ability to receive DHCP packets from a DHCP relay (the DHCP relay between the devices and the DHCP server)
  • When providing an IP address to the device, the DHCP server must be able to populate option 66 or 67 in the DHCP offer. This option provides HTTPs. The URL points to the ZTP provisioning script or boot file hosted on the artifact server.
  • Ability to populate other options as required by the operator, for example:
    • Router option 3
    • Time Server option 4
    • Name Server option 5
    • Domain Server option 6
    • Log server option 7
  • Support both IPv4 and IPv6 IP addressing