ACI Power Deployment Tool (acipdt)

I’ve been spending a lot of my free time working on a little side project with Python. Rather than waxing on about it, I’ll just post a very quick and dirty video, and the readme.md that will accompany my tool.

You can find the video here. Note that the issue (which worked out as a decent demo) in the video where there were a bunch of 400 errors has been fixed — you can blame silly Python sets not being ordered!

You can find the acitool library here.

## Synopsis

ACIPDT – or ACI Power Deployment Tool – is a Python library that is intended to be used for network engineers deploying an ACI fabric. ACIPDT is very much early alpha, later releases should add additional features/functionality as well as optimization and improved error handling.

## Overview

The “SDN” (hate the term, but it applies) movement has brought a great deal of discussion to the idea of how a network engineer deploys networking equipment. Historically text files, or perhaps macros in Excel have been used as templates for new deployments, and good old-fashioned copy/paste has been the actual deployment vehicle. Among other things, SDN is attempting to change this. With SDN we (networking folk) have been given APIs! However, most network engineers, myself included, have no idea what to do with said APIs.

Cisco ACI, as with the other networky “SDN products,” in the market have provided some nifty tools in order to begin the journey into this API driven next-generation network world, but the bar to entry in any meaningful way is still rather high. In example, ACI provides an API inspector, which displays the XML or JSON payloads that are configuring the ACI fabric, however the payload on its own of course doesn’t do much for a network guy – where am I supposed to paste that into? What became clear to me is that Postman was the obvious answer. Postman is a great tool for getting started with an API, and I have used it extensively with ACI, even to the point of deploying an entire fabric in 2 minutes with a handful of Postman collections. However…

Postman left much to be desired. I’m fairly certain that the way in which I was using it was never really the intended use case. In order to keep the collections to a reasonable size, which in turn kept spreadsheets relatively organized (spreadsheets contained the data to insert as a variable in the payloads), but then I had nine collections to run, which meant nine spreadsheets. On top of all of that, there was very little feedback in terms of even simple success/fail per post — and even if you captured that output, there would be things that would fail no matter what due to the way the spreadsheet was piping in variables (perhaps more on that later, maybe its just how I was using it).

The result of this frustration is the ACIPDT. My intention is to re-create the functionality that I have used Postman for in Python. In doing so, the goal is to have a single spreadsheet (source of data, could be anything but a spreadsheet is easy), to run a single script, and to have valuable feedback about the success or failure of each and every POST. ACIPDT itself is not a script that will configure your ACI fabric, but is instead a library that contains ReST calls that will configure the most common deployment scenarios. In addition to the library itself, I have created a very simple script to ingest a spreadsheet that contains the actual configuration data and pass the data to the appropriate method in the library.

Key features:
– Have a library that is de-coupled from any deployment type of script.
– This was a goal after early attempts became very intertwined and I was unable to cleanly separate the simple ReST call/payload from the rest of the script.
– Run one script that references one source of data.
– This is more relevant to the run script than it is to the library, but it was taken into consideration when creating the library. A single spreadsheet (with multiple tabs) is used to house all data, is parsed in the run script, then data is passed as kwargs to the appropriate methods for deployment.
– Have discreet configuration items.
– Ensure that an Interface Profile on an L3 Out can be modified without deleting/re-creating the parent object. While this library/script is intended for deployments where this is likely not a big deal, it was at any rate a design goal.
– Capture the status of every single call.
– Each method returns a status code. The run script simply enters this data into the Excel spreadsheet at the appropriate line so you know which POSTs failed and which ones succeeded. This is a simplistic status check, but is leaps better than I was getting with Postman.

## Resources

I believe the code to be relatively straight-forward (and I am very not good at Python), and have provided comments ahead of every method in the library to document what is acceptable to pass to the method. As this is really just a pet project on the weekends, that’s probably about it from a resources perspective. Feel free to tweet at me (@carl_niger) if you run into any issues or have a burning desire for a feature add.

## Code Example

# Import acidpt from the acitool library
from acitool import acipdt
# Initialize the FabLogin class with the APIC IP, username, and password
fablogin = acipdt.FabLogin(apic, user, pword)
# Login to the fabric and capture the challenge cookie
cookies = fablogin.login()
# Initialize the Fabric Pod Policy class with the APIC IP and the returned cookies from the login class
podpol = acipdt.FabPodPol(apic, cookies)
# Configure an NTP server of 1.1.1.1
status = podpol.ntp('1.1.1.1', 'created,modified')

## Getting Started

To get started, unzip the zip file and place the entire contents in a directory in your Python path. For me (using OSX), I placed the folder in /usr/local/lib/python2.7/. You can then import as outlined in the code example above.

## Disclaimer

This is NOT fancy code. It is probably not even “good” code. It does work (for me at least!) though.

Python + OSX OpenSSL Issue

I recently ran into an issue with the requests library in Python and TLS 1.1 and 1.2. I was trying to build out some scripts to configure some stuff in Cisco ACI but was getting errors when using HTTPS. Using HTTP, the script would execute just fine. Okay so that’s pretty obvious that the issue is around the encryption bits, but my good friend Google kind of let me down while searching for a fix. So I started dorking about in ACI to see if there was anything I could do (who knows what!), and experimented with disabling TLS 1.1 and 1.2, leaving only TLS 1.0 enabled. This got me an SSLv3 error about invalid cert I believe. I started going down the path of forcing my script to use SSLv2 but got stymied pretty quickly there by my lack of Python skills. Okay so flipping TLS 1.1 and 1.2 back on I got a different error than with 1.0 on — which I guess is a good thing since its something new to search on… that error was about “connection error: error 54” or something like that. Eventually I tested this same script out on an Ubuntu 15.10 box and it worked (with TLS 1.2) no problem… okay so whats the difference between OSX and Ubuntu? Python was the same version on both boxes, so that ruled that out, same script, so no issue there, what else? After a bit of thinking (and Googling) I realized that it wasn’t any of those things, but the problem lied with OpenSSL! On my Macbook, I ran the command:

openssl version

This just displays the version — I was getting something like this:

OpenSSL 0.9.8zg 14 July 2015

Doesn’t take much Googling to realize that is a bit old since we are in 2016! So I started trying to figure out how to update that, turns out its nice and easy with brew:

brew update
brew install openssl

This installed the new version for me, but when I checked the version again it was still using the old one. So some more Googling and I discovered how to force the new version:

brew link openssl --force

Note that until the terminal window gets closed it will still show the old version when you do:

openssl version

After opening a new terminal window I’m showing:

OpenSSL 1.0.2f 28 Jan 2016

However I was still having issues with Python not connecting to my APIC. Turns out that Python was stuck tied to an older version, you can check that by hopping into the interpreter and importing the SSL library:

python
 >>> import ssl
 >>> print ssl.OPENSSL_VERSION
 OpenSSL 0.9.8zg 14 July 2015
 >>> exit()

Okay, so that’s not cool. Guess Python is compiled against the older version, so lets update that and hook it to the newer OpenSSL:

brew install python --with-brewed-openssl

Now Python OpenSSL Version should be good:

python
 >>> import ssl
 >>> print ssl.OPENSSL_VERSION
 OpenSSL 1.0.2f 28 Jan 2016
 >>> exit()

For some reason had to close out of terminal and load it back up then things worked. I also unlinked openssl with:

brew unlink openssl

Not entirely sure that’s needed or maybe I just wasn’t supposed to do that in the first place 🙂 In any case, my scripts are now working on my Macbook with TLS 1.1 and 1.2!

Hopefully this will help somebody else out since it took me entirely too long to figure this all out!