Using netbox as external pillar

Network automation is cool. But even better is deriving the configuration information from an asset management system that serves as the source of truth for anything in the network. In this article I will present a solution with saltstack that uses netbox as the data store (pillar) to set the SNMP configuration on the network devices.

netbox as Source of Truth

The authors describe netbox as a tool for IP address management (IPAM) and data center infrastructure management (DCIM). That describes the purpose of the software exactly. You can enter everything that you need to know to operate a network environment.

Defining your data center in software helps with documentation, but not with operation. It would be better to have tools that take the information from netbox and configure the network devices accordingly. One way to achieve that goal is the configuration management software saltstack in combination with napalm to deliver the configurations to the devices. saltstack can be set up to use netbox as a data store, a so-called pillar.

In my example saltstack will get the site where a device is installed from netbox. saltstack then will look in the site data for the contact who is responsible. With the location and contact information saltstack will configure the SNMP agent on the network devices in that site.

All information is gathered via the API of netbox.

netbox as an External pillar

The documentation of the project shows you how to set up the external pillar in your saltstack environment. It is very simple: you tell saltstack under which URL it can get information from netbox, and you add the key to access the API to the configuration of your master in /etc/salt/master.

ext_pillar:
  - netbox:
      api_url: http://192.0.2.1/api/
      api_token: super_secret_token

All other options for this external pillar are also described in the documentation. We will need the site information. The option site_details is set to True by default, so the site information is fetched automatically.

After the restart of the salt master and the setup of the salt proxies for your devices you can ask salt for the pillar items of your device.

# salt myswitch pillar.items 'netbox'
myswitch:
    ----------
    netbox:
        ----------
        asset_tag:
            None
        cluster:
            None
        comments:
        created:
            2019-01-02
        custom_fields:
            ----------
            NAPALM driver:
                napalm
        device_role:
            ----------
            id:
                2
            name:
                Switch
(...)

You can see that saltstack can use netbox as an external data source.

A SaltStack State to Set SNMP on Network Devices

Now you can use your netbox data as regular pillar items to configure the network devices. As described in my last article, I use a state that refers to a template containing all the commands needed to set up the SNMP agent on devices of a specific manufacturer. We have to rewrite the state to use the site data from netbox instead of the data from the internal pillar. The new state file now looks like this:

snmp_config:
  netconfig.managed:
    # Each state argument is its own list item
    - template_name: salt://snmp.jinja
    # Site data from the netbox external pillar, with fallback defaults
    - email: {{ salt['pillar.get']('netbox:site:contact_email', 'ms@sys4.de') | json }}
    - contact: {{ salt['pillar.get']('netbox:site:contact_name', 'Michael Schwartzkopff') | json }}
    - location: {{ salt['pillar.get']('netbox:site:name', 'Network Lab') | json }}
    - community: public

The template file stays the same:

{%- if grains.vendor|lower == 'cisco' %}
  snmp-server community {{ community }} RO
  snmp-server location {{ location }}
  snmp-server contact {{ contact }} <{{ email }}>
{%- elif grains.os|lower == 'junos' %}
  snmp {
    replace:
      location "{{ location }}";
      contact "{{ contact }} <{{ email }}>";
      community {{ community }} {
        authorization read-only;
      }
  }
{%- endif %}

For the sake of simplicity I show the configuration for SNMPv1 / v2c with community strings. Of course, in a production environment, you would set up SNMPv3.
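
The values from netbox end up verbatim in the device configuration, so it is worth checking them before the template is rendered. The following is an added example, not code from the original article or from saltstack: it mimics the colon-delimited pillar lookups of the state above on constructed sample data and rejects values that would break out of the quoted strings in snmp.jinja. The function names pillar_get and snmp_context, the sample pillar, the rejected character set and the 128-character limit are assumptions made for this illustration.

```python
import re

# Constructed sample of the 'netbox' pillar subtree for one device (not real data).
SAMPLE_PILLAR = {"netbox": {"name": "myswitch", "site": {
    "name": "Network Lab",
    "contact_name": "Jane Doe",
    "contact_email": "noc@example.com",
}}}

# Quotes, braces, semicolons and control characters (newlines included) would
# end a quoted string or a line in the rendered Cisco/Junos configuration.
UNSAFE = re.compile(r'["{};\x00-\x1f\x7f]')
EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def pillar_get(pillar, path, default=None, delimiter=":"):
    """Simplified stand-in for pillar.get: walk a colon-delimited path through
    nested dicts and return the default only when a key is missing."""
    node = pillar
    for key in path.split(delimiter):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def snmp_context(pillar):
    """Collect the variables the state passes to snmp.jinja and reject values
    that could change the structure of the generated device configuration."""
    ctx = {
        "email": pillar_get(pillar, "netbox:site:contact_email", "ms@sys4.de"),
        "contact": pillar_get(pillar, "netbox:site:contact_name", "Michael Schwartzkopff"),
        "location": pillar_get(pillar, "netbox:site:name", "Network Lab"),
    }
    for key, value in ctx.items():
        # An empty field in netbox is present, so the default does not apply.
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"{key}: expected a non-empty string")
        if len(value) > 128 or UNSAFE.search(value):  # 128 is an assumed limit
            raise ValueError(f"{key}: unsafe character or too long")
    if not EMAIL.match(ctx["email"]):
        raise ValueError("email: not a plausible address")
    return ctx


if __name__ == "__main__":
    print(snmp_context(SAMPLE_PILLAR))
```

A check like this can run as a pre-deployment test against the pillar data, so that a malformed site record in netbox is caught before it reaches a device.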

Michael Schwartzkopff, 16 Feb 2019