Contrail Insights JTI (gRPC) Monitoring
Set Up gRPC-based Streaming
Starting with Junos OS Release 16.1R3, you can stream telemetry data for various network elements through gRPC, an open source framework for handling remote procedure calls based on TCP. The Junos Telemetry Interface relies on a so-called push model to deliver data asynchronously, which eliminates polling.
The Junos Telemetry Interface and gRPC streaming are supported on QFX10000 and QFX5200 switches starting with Junos OS Release 17.2R1, and on the QFX5110 switch starting with Junos OS Release 17.3R1. For more information on supported devices, and to configure gRPC for Junos Telemetry Interface, see gRPC Services for Junos Telemetry Interface.
For all Juniper devices that run a version of Junos OS with upgraded FreeBSD kernel, you must install the Junos Network Agent software package, which provides the interfaces to manage gRPC subscriptions. For Juniper Networks devices that run all other versions of Junos OS, this functionality is embedded in the Junos OS software. For more information, see Installing the Network Agent Package. You must also install the OpenConfig for Junos OS module and the YANG models. For more details, see Understanding OpenConfig and gRPC on Junos Telemetry Interface.
Contrail Insights automatically configures the network device based on the JSON file you provide. Contrail Insights will stream the gRPC metrics with a default interval of 60 seconds.
After completing the above steps, verify the following configuration on the network device:
root@B5R4-QFX5K-1> show configuration | display set | grep exten
set groups appformix-grpc system services extension-service request-response grpc clear-text port 50051
set groups appformix-grpc system services extension-service request-response grpc skip-authentication
set groups appformix-grpc system services extension-service notification allow-clients address 0.0.0.0/0

{master:0}
root@B5R4-QFX5K-1> show system processes | grep na-
7563 - S 2:29.58 /usr/sbin/na-mqttd -c /opt/telemetry/na-mqttd/na-mqt
7572 - I 0:44.58 /usr/sbin/na-grpcd -c /opt/telemetry/na-grpcd/na-grp

{master:0}
root@B5R4-QFX5K-1> show system software | grep open
junos-openconfig-x86-32-0.0.0I20180615_1002_rbu-builder -- junos openconfig
While configuring gRPC devices, you can choose to enable SSL on the gRPC subscription. Select Settings in the top right of the Dashboard, then Network Devices > +Add Device. Also, see section “Secure Socket Layer (SSL) gRPC Configuration.”
In addition, you need to enable the gRPC plug-in in your group_vars/all file to enable gRPC monitoring in Contrail Insights:
appformix_plugins:
  - { plugin_info: 'certified_plugins/grpc_config_all_sensors.json' }
To allow Contrail Insights to configure the network device, have the following settings on your device and supply the device username and password:
set system services netconf ssh
Unsecured gRPC Configuration
Following is the configuration Contrail Insights adds on the device when you select SSLEnabled = False when configuring the device.
root@5b9-qfx2# show groups
appformix-grpc {
    system {
        services {
            extension-service {
                request-response {
                    grpc {
                        clear-text {
                            port 50051;
                        }
                        skip-authentication;
                    }
                }
                notification {
                    allow-clients {
                        address 0.0.0.0/0;
                    }
                }
            }
        }
    }
}

root@5b9-qfx2# show apply-groups
apply-groups appformix-grpc;
Secure Socket Layer (SSL) gRPC Configuration
In order for Contrail Insights to subscribe to devices over SSL technology, complete the following steps in advance of enabling SSL.
Certificates for all devices need to be signed by one single certificate authority (CA).
The Common Name (CN) value specified for the certificate used by a particular device should be that device's Domain Name System (DNS) name.
Certificates need to be preloaded on the device under the name appformix by running the following command:
set security certificates local appformix <path_to_certificate>
When configuring the devices in Contrail Insights, enter the device DNS name or IP address in the ManagementIp field. The ManagementIp should be able to resolve (translate) the device DNS name from the Contrail Insights Platform node.
Example configuration Contrail Insights puts on the device:
root@5b9-qfx2# show groups
appformix-grpc {
    system {
        services {
            extension-service {
                request-response {
                    grpc {
                        ssl {
                            port 50051;
                            local-certificate appformix;
                        }
                        skip-authentication;
                    }
                }
                notification {
                    allow-clients {
                        address 0.0.0.0/0;
                    }
                }
            }
        }
    }
}

root@5b9-qfx2# show apply-groups
apply-groups appformix-grpc;
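Added example (not Juniper or Contrail Insights code): a Python audit of `show configuration | display set` output for the gRPC statements that appear in the unsecured and SSL configurations above. The SSL sample is constructed here by writing the page's SSL group in display set form; the function name audit_grpc and the wording of the findings are assumptions of this example.

```python
import ipaddress
import re

# Matches the extension-service statements shown on this page, with or
# without the "groups <name>" prefix (appformix-grpc in the page's output).
STMT = re.compile(r"^set (?:groups \S+ )?system services extension-service (.+)$")
BASE = "set groups appformix-grpc system services extension-service "

# Constructed samples: UNSECURED repeats the page's verification output;
# SSL_ENABLED is the page's SSL group rewritten by hand in display-set form.
COMMON = (BASE + "request-response grpc skip-authentication\n"
          + BASE + "notification allow-clients address 0.0.0.0/0\n")
UNSECURED = BASE + "request-response grpc clear-text port 50051\n" + COMMON
SSL_ENABLED = (BASE + "request-response grpc ssl port 50051\n"
               + BASE + "request-response grpc ssl local-certificate appformix\n"
               + COMMON)

def audit_grpc(display_set_text):
    """Summarise gRPC exposure from `show configuration | display set` text."""
    report = {"transport": None, "port": None, "certificate": None, "findings": []}
    for line in display_set_text.splitlines():
        m = STMT.match(line.strip())
        if not m:
            continue  # CLI prompts, {master:0} banners, unrelated statements
        words = m.group(1).split()
        if words[:2] == ["request-response", "grpc"]:
            grpc = words[2:]
            if grpc[:1] in (["clear-text"], ["ssl"]):
                report["transport"] = grpc[0]
                if grpc[1:2] == ["port"] and len(grpc) > 2:
                    report["port"] = int(grpc[2])
                elif grpc[1:2] == ["local-certificate"] and len(grpc) > 2:
                    report["certificate"] = grpc[2]
            elif grpc == ["skip-authentication"]:
                report["findings"].append("skip-authentication is set")
        elif words[:3] == ["notification", "allow-clients", "address"] and len(words) > 3:
            net = ipaddress.ip_network(words[3], strict=False)
            if net.prefixlen == 0:
                report["findings"].append(f"allow-clients admits any source ({net})")
    if report["transport"] == "clear-text":
        report["findings"].insert(0, "gRPC runs in clear-text (no TLS)")
    elif report["transport"] == "ssl" and report["certificate"] is None:
        report["findings"].insert(0, "ssl is enabled without a local-certificate")
    return report

if __name__ == "__main__":
    for name, text in (("unsecured", UNSECURED), ("ssl", SSL_ENABLED)):
        print(name, audit_grpc(text))
```

On both samples the skip-authentication and 0.0.0.0/0 findings remain; enabling SSL removes only the clear-text transport finding.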
Distribute gRPC Network Device CA Using Ansible
In order for Contrail Insights to have secure connections between collectors (Contrail Insights Agent and devices), the collector needs to have the certificate of the CA that signed all of the devices' certificates in /opt/appformix/etc/cert/.
Then use Ansible to distribute the CA to all Contrail Insights Agents. Add the following in your group_vars/all file and then run the playbook.
appformix_grpc_ssl_ca: <path to your certificate file>