Nokia Networking/SR Linux Initial Config
First login
On a new device, first log in as the "linuxadmin" user with the default password NokiaSrl1!. Once logged in, you can disable the ZTP / autoboot process with:
ztp service stop --autoboot disable
When that is done, reboot the box with "shutdown -r now", after which you can log on as "admin" with the default password.
The first thing to do is generate a new self-signed cert and key as follows:
tools system tls generate-self-signed email noc@wikimedia.org country us organization wmf
Once logged on, add the basic config via the CLI as follows:
enter candidate
set system name host-name <device_name>
set / system aaa authentication linuxadmin-user password <network_root_password>
set / system aaa authentication admin-user password <network_root_password>
set / system aaa authentication user homer superuser true
set / system aaa authentication user homer ssh-key [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIESO36OH9RJD/YwgTv0PRQzivYEC4RzfC7m+K5unFtS6" ]
set / system aaa authentication user homer password <homer_user_password>
delete / interface mgmt0 subinterface 0 ipv4 dhcp-client
delete / interface mgmt0 subinterface 0 ipv6 dhcp-client
set / interface mgmt0 admin-state enable
set / interface mgmt0 subinterface 0 admin-state enable
set / interface mgmt0 subinterface 0 ipv6 admin-state disable
set / interface mgmt0 subinterface 0 ipv4 admin-state enable
set / interface mgmt0 subinterface 0 ipv4 address <mgmt_ip>
set / network-instance mgmt type ip-vrf
set / network-instance mgmt admin-state enable
set / network-instance mgmt interface mgmt0.0
set / network-instance mgmt protocols linux import-routes true
set / network-instance mgmt protocols linux export-routes true
set / network-instance mgmt protocols linux export-neighbors true
set / network-instance mgmt static-routes route 0.0.0.0/0 next-hop-group mgmt_gw
set / network-instance mgmt next-hop-groups group mgmt_gw nexthop 0 ip-address <mgmt_network_gw_ip>
set / system ssh-server mgmt admin-state enable
set / system ssh-server mgmt network-instance mgmt
set / system ssh-server mgmt use-credentialz true
set / system dns network-instance mgmt
set / system dns server-list [ 10.3.0.1 ]
set / system ntp admin-state enable
set / system ntp network-instance mgmt
set / system ntp server 10.3.0.5
set / system ntp server 10.3.0.6
set / system ntp server 10.3.0.7
set / acl acl-filter cpm type ipv4 entry 600 description "Accept packets from HTTP-ALT port for software downloads"
set / acl acl-filter cpm type ipv4 entry 600 match ipv4 protocol tcp
set / acl acl-filter cpm type ipv4 entry 600 match transport source-port operator eq
set / acl acl-filter cpm type ipv4 entry 600 match transport source-port value 8080
set / acl acl-filter cpm type ipv4 entry 600 action accept
set / system tls server-profile self-signed key '<tls_private_key_generated_above>'
set / system tls server-profile self-signed certificate '<tls_certificate_generated_above>'
set / system json-rpc-server admin-state enable
set / system json-rpc-server network-instance mgmt https admin-state enable
set / system json-rpc-server network-instance mgmt https tls-profile self-signed
commit save
tools system configuration rescue-save
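A pre-paste check for the command block above, as an added example that is not part of the original page or of any WMF tooling: it flags unfilled `<...>` placeholders, a password left at the factory default, missing management-plane statements, and HTTPS JSON-RPC enabled without a TLS profile. The function name `lint_candidate` and the sample lines are assumptions constructed for illustration.

```python
import re

FACTORY_DEFAULT = "NokiaSrl1!"  # factory password quoted in "First login"
# Statements from the procedure that must survive into the pasted block.
REQUIRED = (
    "delete / interface mgmt0 subinterface 0 ipv4 dhcp-client",
    "delete / interface mgmt0 subinterface 0 ipv6 dhcp-client",
    "set / system ssh-server mgmt network-instance mgmt",
)
HTTPS = re.compile(r"set / system json-rpc-server network-instance (\S+) https (.+)")

def lint_candidate(text):
    """Return findings for a block of SR Linux set/delete lines."""
    lines = [" ".join(raw.split()) for raw in text.splitlines() if raw.strip()]
    findings = []
    for num, line in enumerate(lines, 1):
        if re.search(r"<\w+>", line):
            findings.append(f"line {num}: unfilled placeholder")
        pw = re.search(r" password (\S+)$", line)
        if pw and pw.group(1).strip("'\"") == FACTORY_DEFAULT:
            findings.append(f"line {num}: factory default password kept")
    findings += [f"missing: {req}" for req in REQUIRED if req not in lines]
    # HTTPS JSON-RPC must name a TLS profile in the same network-instance.
    enabled, profiled = set(), set()
    for line in lines:
        m = HTTPS.fullmatch(line)
        if m and m.group(2) == "admin-state enable":
            enabled.add(m.group(1))
        elif m and m.group(2).startswith("tls-profile "):
            profiled.add(m.group(1))
    findings += [f"json-rpc https in {ni} has no tls-profile"
                 for ni in sorted(enabled - profiled)]
    return findings

# Constructed sample with four deliberate mistakes (not a real device config).
SAMPLE = """\
set / system aaa authentication linuxadmin-user password NokiaSrl1!
set / system aaa authentication admin-user password Constructed-Example-1
delete / interface mgmt0 subinterface 0 ipv4 dhcp-client
set / interface mgmt0 subinterface 0 ipv4 address <mgmt_ip>
set / system ssh-server mgmt network-instance mgmt
set / system json-rpc-server network-instance mgmt https admin-state enable
"""

if __name__ == "__main__":
    for finding in lint_candidate(SAMPLE):
        print(finding)
```

Run it over the filled-in command block before pasting into the candidate datastore; an empty result means none of these four checks fired.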
Notes
The admin/linuxadmin passwords should be the network-root from pwstore.
TLS Certificate
The above config adds a temporary 'server-profile' called self-signed with a TLS private key and certificate.
Once the above config is added and the device is reachable on the network, run the sre.network.tls cookbook, which will push the valid WMF-signed cert to the device and configure it to use that for the JSON-RPC endpoint instead.
Software Version
Before the device goes into production it should be running the correct software version, which may be different from the factory-shipped image. If necessary, upgrade/downgrade the version as shown on the commands page.
Homer
Once the device has a valid TLS cert we can run homer to add the rest of the configuration.
RANCID
See instructions on RANCID#Nokia SR-Linux