Hosting KVM Apps Inside IOS XE Virtual Service Container

Service containers are applications that can be hosted directly on Cisco IOS XE routing platforms. Service containers are either Linux Virtual Containers (LXC) or Kernel Virtual Machine (KVM) based virtual machines. A typical Cisco service container carries a digital signature that verifies it as an authentic application from Cisco. An open service (unsigned) container is a KVM application that does not require a digital signature. This means that any KVM application can run directly on your Cisco IOS XE router. Open service containers are often referred to simply as KVM applications on IOS-XE routers.

Cisco IOS-XE 3.17 onward allows you to enable unsigned containers. The goal of this tutorial is to have a KVM virtual machine with applications running on a Cisco CSR 1000v router.

Software:

  • Host OS: Debian 10 Buster with GNS3 2.2.5 and VMware Workstation 15.1.0 build-13591040 installed
  • Guest OS: Cisco Cloud Services Router (CSR) 1000v, IOS XE Software version is 16.07.01

1. Cisco CSR 1000v Installation

We will use the VMware Workstation 15.1.0 build-13591040 hypervisor to run Cisco CSR 1000v, but you can also use KVM. It is necessary to assign the correct amount of RAM to the CSR instance, otherwise the maximum number of vCPUs per virtual service is zero (Picture 1). For example, if the amount of RAM required by the KVM service container is 1024 MB (defined in the package.yaml file), we must allocate 5 GB of RAM to the entire CSR instance (4 GB for the CSR itself plus 1 GB for the KVM) (Picture 2).

Create a custom VMware VM (VMware® Workstation 15 Pro was used). Configure the following options.

  • I will install OS later
  • Guest OS Linux, version 4.x, 64bit kernel
  • Number of CPU 8, Number of Cores 1
  • 4800 MB RAM (RAM for KVM VM is 800MB)
  • 8 NICs (add new NICs if needed, Edit-> Virtual Network Editor, vmnet1 - vmnet8, type host-only)
  • Use host-only networking
  • SCSI Controller Type - LSI Logic
  • Virtual disk type - SCSI
  • Use an existing virtual disk (csr1000v-universalk9.16.07.01-serial.vmdk)

Navigate to VM settings -> Processor and enable Virtualize Intel VT-x/EPT or AMD-V/RVI.

Note: The router is loaded with a permanent (evaluation) license. The license expires 60 days from the time it is activated. The AX feature set is enabled and the maximum throughput is 2500 Mbps. The entire process of licensing the CSR1000v for the ax license is explained in the article CSR1000v Installation on QEMU VM.

Picture 1 - Number of vCPU is Zero When RAM Requirements Are Not Met

Picture 2 - vCPU Detected When RAM Requirements Are Met

The network topology is depicted in Picture 3. The VMware CSR router is connected via interface tap0 to the GNS3 cloud device. The tap interface is added to the bridge along with the interface enp4s0f2.

Picture 3 - Network Topology

2. Creating KVM VM

Our KVM virtual machine is a CorePure 6.3 minimalistic Linux distro installed on a VMDK disk and remastered for output to a serial port. As a first step, we will convert the vmdk image to the required qcow2 format.

$ qemu-img convert -p -c -f vmdk -o compat=0.10 -O qcow2 CorePure64-6.3-host.vmdk CorePure64-6.3-host.qcow2

-p  show the progress of the command
-c  compress the target image (qcow format only)

3. Creating Open Service Container

Our goal is to create the core.ova file that we later copy from the host OS (Debian 10) to the CSR 1000v router. Every ova file contains the following files:

  1. package.yaml - YAML descriptor file defining:
    • Number of vCPUs and Share of CPU cycles
    • Disks including size and source image if applicable
    • Memory, Virtual NICs, Console/Aux connectivity
  2. core.qcow2 - image file
    • IDE virtio driver within the VM kernel for disk access
    • Optional TTY0 and TTY1 specification for console/aux connection
    • ISO: Supported for read-only file systems like a CDROM.
    • RAW: Supported for read-write file systems.
    • QCOW2 (recommended): Supported for read-write with compression. Longer initial install time but much smaller disk images.
  3. core.mf - manifest file is a text file with the SHA1 hash for all files in the OVA
  4. version.ver - simple text file with application version number

The following configuration is done on Debian 10:

~$ mkdir service-containers
~$ cd service-containers
~/service-containers$ mkdir core

~/service-containers$ wget https://github.com/shabaz123/ServiceContainers/raw/master/templates.tar

~/service-containers$ tar xvf templates.tar
~/service-containers$ mv templates/package.yaml core/
~/service-containers$ mv templates/create_ova.sh .
~/service-containers$ cp ../CorePure64-6.3-host.qcow2 core/core.qcow2

The following files should now be located in the directory ~/service-containers.

~/service-containers$ ls
core create_ova.sh templates templates.tar

The directory ~/service-containers/core/ consists of these files:

~/service-containers$ ls core/
core.qcow2 package.yaml

Edit the file package.yaml. Set vcpu to 1 as the CSR 1000v only supports service VMs with one vCPU.

~/service-containers$ vi core/package.yaml

manifest-version: 1.0

info:
  name: core
  description: "Linux Core"
  version: 1.1

app:
  # Indicate app type (vm, paas, lxc etc.,)
  apptype: vm

  resources:
    cpu: 8
    memory: 854016
    vcpu: 1

    disk:
      - target-dev: hdc
        file: core.qcow2

    interfaces:
      - target-dev: net1

    serial:
      - console
      - aux

  # Specify runtime and startup
  startup:
    runtime: kvm
    boot-dev: hd

Another file "version.ver" has to be created. The version must match the "manifest-version" of the yaml file.

~/service-containers$ echo '1.0' > core/version.ver

The directory core contains the following files:

~/service-containers$ ls core/
core.qcow2 package.yaml version.ver

Run the script create_ova.sh, which will create the KVM open service container ~/service-containers/core/core.ova. The log file log_create_ova.txt is attached.

~/service-containers$ ./create_ova.sh -mts 200000 -mfs 100000 core

The directory core contains the following files.

~/service-containers$ ls core/
core.mf core.ova core.qcow2 package.yaml version.ver
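Because the container is unsigned, the only integrity evidence the router sees is core.mf, so it pays to check the archive yourself before copying it to bootflash. The following added example (not part of the original post or of the create_ova.sh script) builds a small constructed OVA in memory and verifies that every file is listed in the manifest with a matching SHA1, that version.ver matches manifest-version in package.yaml, and that vcpu is 1. It assumes the manifest uses OVF-style "SHA1(name)= hex" lines; the sample file contents are constructed, not the real core.qcow2.

```python
import hashlib
import io
import re
import tarfile

# Constructed sample contents standing in for the real core/ directory.
SAMPLE_FILES = {
    "package.yaml": b"manifest-version: 1.0\napp:\n  resources:\n    vcpu: 1\n",
    "version.ver": b"1.0\n",
    "core.qcow2": b"QFI\xfb" + b"\x00" * 60,  # qcow2 magic plus padding
}

def build_manifest(files):
    """One 'SHA1(name)= hex' line per file (assumed OVF-style manifest format)."""
    lines = ["SHA1(%s)= %s" % (n, hashlib.sha1(d).hexdigest()) for n, d in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()

def build_ova(files, name="core", manifest=None):
    """Pack the files and their manifest into an in-memory tar, i.e. the .ova."""
    files = dict(files)
    files[name + ".mf"] = manifest if manifest is not None else build_manifest(files)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for n, d in files.items():
            ti = tarfile.TarInfo(n)
            ti.size = len(d)
            tar.addfile(ti, io.BytesIO(d))
    return buf.getvalue()

def verify_ova(ova_bytes, name="core"):
    """Return a list of problems found; an empty list means the OVA passed."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r") as tar:
        files = {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}
    mf = files.pop(name + ".mf", None)
    if mf is None:
        return ["manifest %s.mf missing" % name]
    listed = dict(re.findall(r"SHA1\((\S+)\)=\s*([0-9a-f]{40})", mf.decode()))
    for n, d in files.items():               # every packed file must be listed and match
        if n not in listed:
            problems.append("%s not listed in manifest" % n)
        elif listed[n] != hashlib.sha1(d).hexdigest():
            problems.append("%s hash mismatch" % n)
    problems += ["%s listed but missing from archive" % n for n in listed if n not in files]
    yaml_txt = files.get("package.yaml", b"").decode()
    mv = re.search(r"^manifest-version:\s*(\S+)", yaml_txt, re.M)
    if not mv or mv.group(1) != files.get("version.ver", b"").decode().strip():
        problems.append("version.ver does not match manifest-version")
    vcpu = re.search(r"^\s*vcpu:\s*(\d+)", yaml_txt, re.M)
    if not vcpu or vcpu.group(1) != "1":
        problems.append("vcpu must be 1 on CSR 1000v")
    return problems
```

To check a real archive, read core.ova into bytes and call verify_ova on it; a non-empty result means the package should not be copied to the router.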

Copy the core.ova to CSR 1000v:

CSR1# copy scp://brezular@172.17.100.80:/service-containers/core/core.ova bootflash:

4. Router Configuration

Configure the VirtualPortGroup to provide IP connectivity to the service container. The interface VirtualPortGroup0 is a routed L3 interface which connects the container to IOS-XE. Therefore, the IP address 10.0.0.254/24 configured for Vi0 represents the default gateway address for the service container.

CSR1(config)# interface VirtualPortGroup0
CSR1(config-if)# ip address 10.0.0.254 255.255.255.0
CSR1(config-if)# no shutdown

Set up the virtual service signing level to unsigned, which allows unsigned packages (and all signing methods) so that we can run our KVM VM.

CSR1(config)# virtual-service
CSR1(config-virt-serv-global)# signing level unsigned
CSR1(config-virt-serv-global)# exit

Configure the parameters of the open virtual service container (KVM VM) core.

CSR1(config)# virtual-service core
CSR1(config-virt-serv)# vnic gateway virtualPortGroup 0
CSR1(config-virt-serv-vnic)# guest ip address 10.0.0.1
CSR1(config-virt-serv-vnic)# end

Install the open service container core.

CSR1# virtual-service install name core package bootflash:core.ova

Picture 4 - Successful Core Package Installation

Check the state of the container using the show virtual-service list command:

Picture 5 - Core.ova in Installed State

Now we need to activate the virtual service container core to switch it from the Installed to the Active state.

CSR1(config)# virtual-service core
CSR1(config-virt-serv)# activate
CSR1(config-virt-serv)# end

Again, check the state of the container Core:

CSR1# show virtual-service list

Picture 6 - Service Container Core in Active State

Note: Get more info about the container Core with the command below. The output log_ova_parameters.txt is attached.

CSR1# show virtual-service detail name core

5. Connection to Service Container

Connect to the Core service container console:

CSR1# virtual-service connect name core console

Picture 7 - Accessing Linux Core Shell

Use Ctrl-c Ctrl-c to switch back from Core Linux CLI to CSR console.

End.
