Connection to SSH server from Nornir

Hi All,

I use an SSH server to connect to routers; without this server I don’t have direct SSH access to the router.
The only thing I do after reaching the SSH server is enter the router_IP (x.x.x.x) or router_name. I chose IP for it. Then I enter the router CLI.

In that case I need a method for how I can do it.

Thank you.

I am afraid I don’t understand how your setup works but the “standard” way of doing this is using the ProxyJump/ProxyCommand feature of ssh.

Here is an article where I discuss how to do this in Netmiko:

https://pynet.twb-tech.com/blog/automation/netmiko-proxy.html

That also implies you can do it for the NAPALM devices that use Netmiko under the hood.

Then this other discourse post covers how to reference the SSH config file (if it is in a non-standard location):

The problem is that the only way to connect to the routers is to use this server. First I log in to this server, then there is a special user interface. At this interface, I search for the router by its name or some short word to find it, then connect to the router. Or the other way: after I connect to the server, if I know the router IP address I just enter its IP at this user interface and I get this router’s CLI.

Before, when I was testing Nornir, I could SSH to the router directly from my PC, but now I can’t.

The process goes like that.

I want to use Nornir to connect to the devices because I like it very much. It is super useful and fast for collecting information from the routers.

My problem is how I can overcome this issue. I used Netmiko redispatch to connect to routers. It works but I don’t know how to integrate it with Nornir. I want to use Nornir’s threading functions. :slightly_smiling_face:

Thank you very much, regards

Hi Kirk,

I read this but I couldn’t do it this way. Then I used redispatch to connect to the router through this server. But it took around 30-40 sec for one router.

Thank you very much, regards

I also read this and tried it but I couldn’t do it.

Thanks, regards

I am afraid you will probably need to write your own connection plugin to do that. You can check how the netmiko one is written and adapt as needed.

Hello,

I apologize for piggy-backing on this thread, but I have a similar question. Does the default Napalm connection plugin work with ProxyJump natively then, or will I need to use Netmiko under the hood?

I have a container running nornir and am able to load my local ssh config, ssh to devices with ProxyJump, but running a nornir script throws an exception:

File "/usr/lib/python3.7/socket.py", line 748, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -2] Name or service not known

It looks like a resolving issue, but I’m unsure if I have to add anything to the config for nornir to get this working. Thanks!

NAPALM has several platforms that are not SSH-based (for example, eAPI and NX-API), so no, NAPALM doesn’t understand ProxyJump natively.

So you would probably need to use Netmiko and/or Paramiko. You could possibly use NAPALM, but it would be for the NAPALM platforms that use Netmiko or NETCONF over SSH in the case of Juniper.
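ProxyJump only takes effect for inventory hostnames that match a `Host` block in the ssh config the connection library actually reads. The following pre-flight check is an added example, not code from the thread participants or from Nornir/Netmiko; the host names, addresses and the `preflight` helper are hypothetical, and the parser is a simplified subset of ssh_config(5) (`Host` patterns only, no `Match`, `Include` or token expansion).

```python
import fnmatch
import re

# Constructed sample ssh config; host names and addresses are hypothetical.
SSH_CONFIG = """\
Host bastion
    HostName 192.0.2.10
Host rtr-* !rtr-lab*
    ProxyJump bastion
Host rtr-edge1
    HostName 10.0.0.1
"""

def parse(text):
    """Return [(patterns, options)] in file order. No Match/Include support."""
    current = {}
    blocks = [(["*"], current)]  # options before the first Host line apply to all
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        # ssh_config allows "Key value" and "Key=value"; split on the first separator
        key, value = (re.split(r"\s*=\s*|\s+", line, maxsplit=1) + [""])[:2]
        if key.lower() == "host":
            current = {}
            blocks.append((value.split(), current))
        else:
            current.setdefault(key.lower(), value)  # first value wins
    return blocks

def matches(host, patterns):
    """A matching negated pattern (!pat) vetoes the whole Host line."""
    if any(p[0] == "!" and fnmatch.fnmatchcase(host, p[1:]) for p in patterns):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if p[0] != "!")

def preflight(hosts, text=SSH_CONFIG):
    """Map each inventory hostname to (address dialed, proxy or None)."""
    blocks = parse(text)
    report = {}
    for host in hosts:
        opts = {}
        for patterns, block in blocks:
            if matches(host, patterns):
                for key, value in block.items():
                    opts.setdefault(key, value)  # earlier blocks take precedence
        proxy = opts.get("proxyjump") or opts.get("proxycommand")
        # "ProxyJump none" explicitly disables the jump host
        report[host] = (opts.get("hostname", host),
                        None if (proxy or "none").lower() == "none" else proxy)
    return report
```

Calling `preflight()` with the hostnames from the Nornir inventory and the text of the ssh config visible inside the container shows which devices would be dialed directly (proxy `None`) rather than through the jump host.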

Thanks @ktbyers. I’ll try to get that working today!

Okay, making progress. I’m able to confirm netmiko works with proxyjump, but now I’m trying to figure out how to run napalm_configure using an underlying netmiko connection. Am I thinking of this correctly? Is it simply a matter of adding connection_options to the groups.yaml file, or do I need to specify the connection plugin when running InitNornir?

For NAPALM platforms of “ios” and “nxos_ssh”, Netmiko will be used automatically. For “iosxr”, Netmiko will also be used but via the PyIOSXR library, so I am not sure how SSH configuration handling is there (i.e. whether they transparently pass the options to Netmiko or not).

The other platforms: junos, eos, and nxos do not use netmiko-SSH for transport.

As far as where in inventory to specify the SSH config file, you would need to locate it in the napalm optional_args; see here for the structure:

Alternatively, there is an SSH config file environment variable in Nornir (and an SSH config file configuration option).

Gotcha, this makes sense. As I’m using primarily Junos, is there any way to tell napalm to use netmiko-SSH for transport? I’ve been playing around with the optional_args listed here just trying to get something to work:

global:
    username: testuser
    password: ""
    port: 22
    connection_options:
      napalm:
        extras:
          optional_args:
            transport: ssh
            alt_host_keys: True
            alt_key_file: '~/.ssh/special_key'
            ssh_config_file: '~/.ssh/config'
            use_keys: True
            allow_agent: True
            session_log: session.txt

Is it simply a matter of me missing something here in order for the napalm tasks to understand the proxyjump configuration?

For Juniper-napalm you need to figure out how to pass the arguments to the underlying PyEZ driver. I suspect you just need to specify the juniper PyEZ arguments in optional_args.

If you want to use Netmiko with Juniper, then you need to change to the Netmiko-nornir plugins. You can’t do NAPALM-Juniper and use Netmiko (i.e. NAPALM-Juniper is all NETCONF using PyEZ).

Perfect, thank you. I realize how much of a broken record I sound like, so I definitely appreciate your patience! I’ll see if I can get pyez to work.