IOx and guestshell on IOS XE
Most of the recent firmware on Cisco devices runs on top of a Linux operating system. Your IOS XE or NX-OS is just a Linux process! It is nothing new; Juniper has done it for years. However, it does not mean you can access the operating system directly; this is reserved for Cisco TAC and developers in case the base operating system might be the source of a problem. What you can use instead is IOx and the guestshell container introduced in the IOS XE Everest 16.5.1 release.
What is IOx?
IOx fulfills the requirement for edge computing. Cisco calls it fog computing, and it refers to extending cloud computing to the edge of an enterprise's network. The idea is to host applications at the network edge across different hardware platforms. Preferably, it should not require any additional hardware for computing. The fog itself refers to a unique problem domain, for example the management overload. It is one of the pillars of the Cisco IoT model.
IOx shares the CPU, SDRAM and NVRAM/flash memory with the host system. Do you remember that a few years ago the new hardware platforms based on x86 processors introduced multicore CPUs? So far only the first core (Core 0) was used; the second core remained idle. The first core runs the IOS process. With IOx the second core is now active: the hypervisor, the host OS, and the apps use it. However, on some platforms, like the ISR 829, a Shared Core Hosting model is deployed where there is no dedicated core for the IOS process; it runs on top of the hypervisor and shares the resources with other applications.
Starting the IOx
Let's first check that the IOx subsystem is not running:
CSR1000V#show iox-service
<omitted>
IOx Infrastructure Summary:
---------------------------
IOx service (CAF) : Not Running
IOx service (HA) : Not Running
IOx service (IOxman) : Not Running
Libvirtd : Running
To start IOx, you need to execute just one command:
CSR1000V#conf t
CSR1000V(config)#iox
After a few minutes you can check the status again:
CSR1000V#show iox-service
<omitted>
IOx Infrastructure Summary:
---------------------------
IOx service (CAF) : Running
IOx service (HA) : Not Running
IOx service (IOxman) : Running
Libvirtd : Running
Now we are ready to deploy containers.
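As an added example (not code from the original post), here is a small Python pre-check that a Day-zero script could run from the guestshell: it parses the "show iox-service" summary shown above and proceeds only when CAF and IOxman are both Running. It assumes the Cisco-supplied cli module is present only inside the guestshell; anywhere else it falls back to an embedded copy of the sample output.

```python
"""Pre-check for Day-zero scripts: parse 'show iox-service' and refuse to
continue unless the services a container deployment needs (CAF and IOxman)
both report Running. HA is left optional, as on the single CSR1000V above."""
import re

# Constructed sample: the summary as it looked after 'iox' was configured.
SAMPLE_AFTER_ENABLE = """\
IOx Infrastructure Summary:
---------------------------
IOx service (CAF)    : Running
IOx service (HA)     : Not Running
IOx service (IOxman) : Running
Libvirtd             : Running
"""

REQUIRED = ("CAF", "IOxman")
# Matches "IOx service (NAME) : STATE" as well as the bare "Libvirtd : STATE" row.
LINE_RE = re.compile(r"^(?:IOx service \((\w+)\)|(\w+))\s*:\s*(.+?)\s*$")


def parse_iox_status(text):
    """Return a {service: state} dict, e.g. {'CAF': 'Running', 'HA': 'Not Running'}."""
    status = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            status[m.group(1) or m.group(2)] = m.group(3)
    return status


def not_running(status, required=REQUIRED):
    """Names of required services that are missing or not exactly 'Running'."""
    return [svc for svc in required if status.get(svc) != "Running"]


def iox_ready(status, required=REQUIRED):
    """True only when every required service is Running."""
    return not not_running(status, required)


def fetch_summary():
    """Inside the guestshell, run the show command on the router via the
    Cisco cli module (assumed available there); elsewhere use the sample."""
    try:
        from cli import cli  # provided by the guestshell image, not by PyPI
        return cli("show iox-service")
    except ImportError:
        return SAMPLE_AFTER_ENABLE


if __name__ == "__main__":
    s = parse_iox_status(fetch_summary())
    print("IOx ready" if iox_ready(s) else "IOx not ready: " + ", ".join(not_running(s)))
```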
The guestshell
The guestshell is a built-in container with the Linux CentOS 7 operating system. It is designed to run custom Linux applications, including Python, for the automated provisioning (Day zero) of systems.
On CSR1000v the guestshell access is provided via the bridged interface VirtualPortGroup. On other platforms, you may run it directly.
interface GigabitEthernet1
 ip address 172.16.1.101 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
!
interface VirtualPortGroup0
 ip unnumbered GigabitEthernet1
 no mop enabled
 no mop sysid
While starting the guestshell, you need to specify the IP address it will use. It is also recommended to set the nameserver; this is the only additional parameter you can set on CSR1000V. On other devices you may also specify the subnet mask and default gateway; it all depends on the platform and the firmware version.
CSR1000V#guestshell enable VirtualPortGroup 0 guest-ip 172.16.1.102 name-server 192.168.1.250
Please wait for completion
Guestshell enabled successfully
Now you can access your guestshell and sudo to root:
CSR1000V#guestshell
[guestshell@guestshell ~]$ sudo su -
[root@guestshell ~]#
The guestshell itself has a default route pointing to its eth0 interface. However, the router itself needs to know how to send traffic to the guestshell, so we need to add a static route:
CSR1000V(config)#ip route 172.16.1.102 255.255.255.255 VirtualPortGroup 0
This is also where we experience problems if we decide to use VRFs. In such a configuration, we put the GigabitEthernet1 and VirtualPortGroup0 interfaces in the VRF and provide the proper static routes. The problem is that we cannot add a static route in a VRF without providing a next-hop IP address, which we cannot do in this situation:
CSR1000V(config)#ip route vrf mgmt 172.16.1.102 255.255.255.255 VirtualPortGroup 0
% For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface
The only solution I know so far is using NAT, but this is not a flexible way.
What can I do inside the guestshell? A lot! This is Linux, so you can use all available commands. If you are missing any packages, just install them using the yum command; it uses the CentOS repository. You can write Python scripts and much more.
You can access the guestshell externally via SSH; the default authentication method is via public key. You need to download the public key from the guestshell account (or generate a new one) and install it on your SSH client.
IOx GUI Management – check when introduced
There is a GUI interface that you can use to monitor and manage IOx. You must have the IP HTTP server enabled on the CSR1000V router:
ip http server
ip http authentication local
ip http secure-server
After you log in, select Configuration | IOx from the menu on the left side and provide your credentials again.
There are just two tabs for IOx management. In the System Info tab we can see basic information about IOx, including software version, available storage, CPU and memory usage and interface statistics. The most useful feature here is the Logs section, where you can enable predefined logging filters and view the log files.
In the Applications tab, we can find running containers and add new ones. We can quickly stop a container from here. When you click the manage link, you can view advanced container status and logs or allocate resources.
Disabling and removing guestshell
There are two more operations you can do on the guestshell container instance: stop it (disable) and remove it (destroy):
CSR1000V#guestshell disable
Guestshell disabled successfully
CSR1000V#guestshell destroy
Guestshell destroyed successfully
The disable option just stops the container and retains the files. You can restart it using the guestshell enable command again. If you use the destroy option, the container stops and all files are removed. If you decide to re-enable the container in future, the system will build it as a new one with the default configuration.