Batfish Part Two – Configuring and Getting Started.
In my last article I covered why you should use Batfish – today I’ll show you how to get started.
1. Dependencies
1. First things first, you’ll need to have Docker installed and configured
2. Pull the batfish Docker image from Docker Hub
docker pull batfish/allinone && docker run --name batfish -v batfish-data:/data -p 8888:8888 -p 9997:9997 -p 9996:9996 batfish/allinone
3. Install the pybatfish module using pip on your Ansible controller – if you’re running AWX or Ansible Tower you will need to install pybatfish on the awx_task container.
pip3 install pybatfish
4. Install the batfish.base role from Ansible Galaxy
ansible-galaxy install batfish.base
With all of the setup done, let’s get Batfish to run some simple tests on our configurations.
2. Setting up your snapshot
Before Batfish can run any tests, it needs to know where all of your configurations are so it can load them into a data structure called a snapshot.
1. Set up a directory for your configurations.
mkdir /home/netsyncrio_connor/bf_snap_test/
mkdir /home/netsyncrio_connor/bf_snap_test/configs
mkdir /home/netsyncrio_connor/bf_snap_test/hosts
mkdir /home/netsyncrio_connor/bf_snap_test/iptables
2. Copy the configuration file of every host you want to test into your ‘configs’ directory, each host’s configuration information in JSON format into the ‘hosts’ directory, and each host’s iptables config into the ‘iptables’ directory.
A good example of a working snapshot can be found here.
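A pre-flight check for the layout described above, as an added example that is not part of the original post or of the Batfish project: it confirms the three directories exist, that every file in ‘hosts’ parses as JSON, and that any iptables file a host names is present inside the snapshot. The function names and sample files are hypothetical, and the "iptablesFile" key is an assumption about the host JSON format.

```python
import json
import tempfile
from pathlib import Path

def check_snapshot(root):
    """Return a list of problems in a snapshot directory; empty means OK."""
    root = Path(root).resolve()
    problems = [f"missing directory: {d}/"
                for d in ("configs", "hosts", "iptables") if not (root / d).is_dir()]
    if problems:
        return problems
    if not any(p.is_file() for p in (root / "configs").iterdir()):
        problems.append("configs/ holds no device configurations")
    for host_file in sorted((root / "hosts").glob("*.json")):
        try:
            host = json.loads(host_file.read_text())
        except json.JSONDecodeError as exc:
            problems.append(f"hosts/{host_file.name}: invalid JSON ({exc.msg})")
            continue
        # Assumed key: "iptablesFile", a path relative to the snapshot root.
        ref = host.get("iptablesFile") if isinstance(host, dict) else None
        if not isinstance(ref, str):
            continue
        target = (root / ref).resolve()
        if root not in target.parents:
            problems.append(f"hosts/{host_file.name}: {ref} points outside the snapshot")
        elif not target.is_file():
            problems.append(f"hosts/{host_file.name}: {ref} not found")
    return problems

def build_sample(root):
    """Constructed sample snapshot with two deliberate mistakes (host2, host3)."""
    root = Path(root)
    for d in ("configs", "hosts", "iptables"):
        (root / d).mkdir(parents=True)
    (root / "configs" / "rtr1.cfg").write_text("hostname rtr1\n")
    (root / "iptables" / "host1.iptables").write_text("*filter\nCOMMIT\n")
    (root / "hosts" / "host1.json").write_text(json.dumps(
        {"hostname": "host1", "iptablesFile": "iptables/host1.iptables"}))
    (root / "hosts" / "host2.json").write_text(json.dumps(
        {"hostname": "host2", "iptablesFile": "iptables/host2.iptables"}))
    (root / "hosts" / "host3.json").write_text('{"hostname": "host3",}')
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for problem in check_snapshot(build_sample(tmp)):
            print(problem)
```

Running it against your own snapshot directory before initializing the snapshot catches a missing or malformed host file early, rather than as a parse warning inside Batfish.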
3. Using Ansible to start your tests
For the final step you’ll need to write up an Ansible playbook to run through your tests.
The first thing to do is to establish a connection to your running Batfish container – this is done using the bf_session task included in the batfish.base role.
- hosts: batfish_host
  gather_facts: no
  roles:
    - batfish.base
  tasks:
    - name: connect to batfish
      bf_session:
        host: "{{inventory_hostname}}"
        name: "bf_demonstration"
      register: session
      delegate_to: localhost
      connection: local
Next up you’ll need to initialize the snapshot you configured in step two.
    - name: initialize the snapshot
      bf_init_snapshot:
        network: NetworkName
        snapshot: "DemonstrationSnapshotName"
        snapshot_data: "/home/netsyncrio_connor/bf_snap_test/"
        overwrite: true
This step is fairly straightforward: we provide Batfish with the location of our snapshot directories, and if a snapshot with the name we specified already exists, we overwrite it.
Now we can start running some tests. Let’s see if there are any undefined references in our configuration files:
    - name: Test for undefined references
      bf_assert:
        assertions:
          - type: assert_no_undefined_references
            name: Undefined References
      register: reference_results
      ignore_errors: true
Again, this is fairly straightforward. We’re using the bf_assert task and specifying that we’re checking that there aren’t any undefined references within our configurations. Then we register the result of this test to the variable {{reference_results}}. The reason we’re ignoring errors is that Batfish currently treats an assertion coming back negative as a failure; the output is still registered, however, which makes it useful even when the assertion fails.
For a full list of assertions, check out the comprehensive list provided by Batfish on GitHub.
In this article we talked about how to install and configure Batfish for testing, and walked through the file structure required to create a snapshot. Then we finished off by showing how to run some simple tests using the batfish.base role in Ansible.
Thanks for reading! See you in the next post!
Connor.
Lilyanna Misovski
yes very nice 10/10
Elizabeth
Good website.
Andrew Kadrich
This blog post ROCKS! 10/10 poggers, friend.
Seamus O'Finnigan
Nice post! Stay cool.
Tristan Swick
I KNOW some of these words. 10/10 VERY TOP POGS
Giovanni Correra
Very good post. I like it a lot thank you