In my last article I covered why you should use Batfish – today I’ll show you how to get started.

1. Dependencies

docker pull batfish/allinone && docker run --name batfish -v batfish-data:/data -p 8888:8888 -p 9997:9997 -p 9996:9996 
batfish/allinone

pip3 install pybatfish

ansible-galaxy install batfish.base

With all of the setup done, let’s get batfish do run some simple tests on our configurations.

2. Setting up your snapshot

Before Batfish can run any tests, it needs to know where all of your configurations are so it can load them into a data structure called a snapshot.

1. Set up a directory for your configurations.

mkdir /home/netsyncrio_connor/bf_snap_test/
mkdir /home/netsyncrio_connor/bf_snap_test/configs
mkdir /home/netsyncrio_connor/bf_snap_test/hosts
mkdir /home/netsyncrio_connor/bf_snap_test/iptables

2. Copy the configuration file of every host you want to test into your ‘configs’ directory, each hosts configuration information in json format into the ‘hosts’ directory, and each host’s iptables config into the ‘iptables’ directory.

A good example of a working snapshot can be found here.

3. Using Ansible to start your tests

For the final step you’ll need to write up an Ansible playbook to run through your tests.

The first thing to do is to establish a connection to your running Batfish container – this is done using the bf_session task included in the batfish.base role.

- hosts: batfish_host
  gather_facts: no
  roles:
   - batfish.base
  tasks:

  - name: connect to batfish
    bf_session:
      host: "{{inventory_hostname}}"
      name: "bf_demonstration"
    register: session
    delegate_to: localhost
    connection: local

Next up you’ll need to initialize the snapshot you configured in step two.

- name: initialize the snapshot
    bf_init_snapshot:
      network: NetworkName
      snapshot: "DemonstrationSnapshotName"
      snapshot_data: "/home/netsyncrio_connor/bf_snap_test/"
      overwrite: true

This step is fairly straightforward, we provide batfish with the location of our snapshot directories, and if a snapshot with the same name we specified already exists, we overwrite it.

Now we can start running some tests, let’s see if there are any undefined references in our configuration files

- name: Test for undefined references
      bf_assert:
        assertions:
          - type: assert_no_undefined_references
            name: Undefined References
      register: reference_results
      ignore_errors: true

Again, this is fairly straightforward. We’re using the bf_assert task and specifying that we’re checking that there aren’t any undefined references within our configurations. Then we register the result of this test to the variable {{reference_results}}. The reason we’re ignoring errors is because currently batfish takes an assertion coming back negative as a failure, however the output still registers, making this useful even when it fails.

For a full list of assertions check out the comprehensive list provided by Batfishon on Github .

In this article we talked about how to install and configure Batfish for testing, and walked through the file structure required to create a snapshot. Then we finished off by showing how to run some simple tests using the batfish.base role in Ansible.

Thanks for reading! See you in the next post!

Connor.