Enabling the Guest Shell

To enable the guest shell on a Cisco CSR 1000v running on AWS, first create an IAM instance role and establish trust with the EC2 service. Then either assign the IAM instance role to a preexisting Cisco CSR 1000v instance (see Assign an IAM Instance Role to a Cisco CSR 1000v Instance below) or assign it to a new Cisco CSR 1000v instance (see Assign an IAM Instance Role to a New Cisco CSR 1000v Instance).

Then perform further configuration steps on the Cisco CSR 1000v and enter the guest shell.

Create an IAM Instance Role

  1. Sign in to AWS as an administrator with permissions to create an IAM role.

  2. Click EC2 to enter the EC2 console.

  3. Click IAM to enter the IAM console.

  4. Click Roles.

    Figure 1. IAM Instance Roles
  5. Click Create new Role.

  6. Enter a name for your app's role.

  7. Click Continue.

  8. Select a Role Type.

    Figure 2. IAM Instance Role Types
  9. For the Amazon EC2 role type, click Select.

    This establishes trust with the EC2 service.

  10. Under "Set Permissions", click Select Policy Template.

  11. Select a template (for example "Amazon S3 Full Access") by clicking Select. You can select multiple services. Use these to specify the access in further detail. For example, you can allow an IAM instance role to read from an S3 bucket, but not write to an S3 bucket.

  12. Enter the role name.

  13. Click Create Role.
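
Step 11's distinction between full access and read-only access, as an added example (not part of the Cisco documentation): the trust policy that the Amazon EC2 role type corresponds to, a full-access grant beside a policy scoped to reading one bucket, and two checks that show the difference. The bucket name csr1kv comes from the aws s3 ls example on this page; the function names and the full-access stand-in are constructed for illustration.

```python
import fnmatch

# Trust policy: lets the EC2 service assume the role (the "Amazon EC2" role type).
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Constructed stand-in for a full-access template: every S3 action, every resource.
S3_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def s3_read_only_policy(bucket):
    """Allow listing one bucket and reading its objects, and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": ["arn:aws:s3:::%s" % bucket]},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": ["arn:aws:s3:::%s/*" % bucket]},
        ],
    }


def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def allows(policy, action):
    """True if an Allow statement's Action pattern matches `action` (Resource ignored)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"
               for p in _as_list(s.get("Action", [])))


def wildcard_grants(policy):
    """Indexes of Allow statements that use a wildcard action or Resource "*"."""
    return [i for i, s in enumerate(_as_list(policy["Statement"]))
            if s.get("Effect") == "Allow" and (
                any("*" in a for a in _as_list(s.get("Action", [])))
                or "*" in _as_list(s.get("Resource", [])))]
```

A role limited this way can run aws s3 ls and download an image, but the sample scripts that upload to S3 would need s3:PutObject added for their target bucket.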

Assign an IAM Instance Role to a Cisco CSR 1000v Instance

Specifying an IAM instance role is not mandatory for accessing the guest shell. However, it will later allow you to access specific entities in the AWS account using a key/password, which eliminates the need to save account information on the Cisco CSR 1000v.

Procedure


Step 1

Click EC2 to enter the EC2 dashboard.

Step 2

Select one of your listed CSR 1000v instances, right-click and select Instance Setup, then select Attach/Replace IAM Role.

Step 3

From the drop-down list, select an IAM instance role that you created previously.

Step 4

Enter the following CLI configuration commands on the Cisco CSR 1000v and relaunch the Cisco CSR 1000v.


Router(config)# interface GigabitEthernet1
Router(config-if)# ip address dhcp
Router(config-if)# ip nat outside
Router(config-if)# exit
Router(config)# interface VirtualPortGroup0
Router(config-if)# ip address 192.168.35.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 overload
Router(config)# ip access-list standard GS_NAT_ACL
Router(config-std-nacl)# permit 192.168.0.0 0.0.255.255
Router(config-std-nacl)# exit
Router(config)# app-hosting appid guestshell
Router(config-app-hosting)# vnic gateway1 virtualportgroup 0 guest-interface 0 guest-ipaddress 192.168.35.2 netmask 255.255.255.0 gateway 192.168.35.1 name-server 8.8.8.8 default
Router(config-app-hosting)# resource profile custom cpu 1500 memory 512
Router(config-app-hosting)# exit
Router(config)# exit
Router# guestshell enable
Router# guestshell run python

Assign an IAM Instance Role to a New Cisco CSR 1000v Instance

The following procedure shows how to assign an IAM instance role to a Cisco CSR 1000v during the creation of a new Cisco CSR 1000v instance.

Procedure


Step 1

Launch a new CSR 1000v as an EC2 instance, and choose an instance type.

Step 2

Click Next: Configure Instance Details.

Figure 3. Configure Instance Details

Step 3

Perform one of the following two steps:

  1. Click the IAM role text box to select an existing IAM instance role from the dropdown list.

  2. Click Create new IAM role to create a new IAM instance role.

Step 4

Enter the following CLI configuration commands on the Cisco CSR 1000v and relaunch the Cisco CSR 1000v.


Router(config)# interface GigabitEthernet1
Router(config-if)# ip address dhcp
Router(config-if)# ip nat outside
Router(config-if)# exit
Router(config)# interface VirtualPortGroup0
Router(config-if)# ip address 192.168.35.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 overload
Router(config)# ip access-list standard GS_NAT_ACL
Router(config-std-nacl)# permit 192.168.0.0 0.0.255.255
Router(config-std-nacl)# exit
Router(config)# app-hosting appid guestshell
Router(config-app-hosting)# vnic gateway1 virtualportgroup 0 guest-interface 0 guest-ipaddress 192.168.35.2 netmask 255.255.255.0 gateway 192.168.35.1 name-server 8.8.8.8 default
Router(config-app-hosting)# resource profile custom cpu 1500 memory 512
Router(config-app-hosting)# exit
Router(config)# exit
Router# guestshell enable
Router# guestshell run python

Guest Shell Examples

The following examples show how to download packages in the Guest Shell on a Cisco CSR 1000v instance, and a few other useful guest shell commands.

  1. Install packages using the yum or pip commands. For example, enter the sudo pip install awscli command at the [guestshell@guestshell ~]$ prompt to install the AWS CLI and Amazon SDK.

  2. Having installed the AWS CLI, you can enter an aws s3 command such as aws s3 ls.
    [guestshell@guestshell ~]$ aws s3 ls csr1kv
    2017-08-09 02:55:27  446866343 ultra_166.bin
    [guestshell@guestshell ~]$ 
    
  3. You can download a Cisco CSR 1000v AWS package containing sample scripts, using the sudo pip install csr_aws_guestshell command. For further information on this package, see https://github.com/CiscoDevNet/csr_aws_guestshell. Example:

    [guestshell@guestshell ~]$ sudo pip install csr_aws_guestshell
    Collecting csr_aws_guestshell
    /usr/lib/python2.7/site-packages/pip-8.1.2-py2.7.egg/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
    /usr/lib/python2.7/site-packages/pip-8.1.2-py2.7.egg/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
      Downloading csr_aws_guestshell-0.0.7.dev.tar.gz
    Collecting awscli (from csr_aws_guestshell)
      Downloading awscli-1.11.145-py2.py3-none-any.whl (1.2MB)
        100% |################################| 1.2MB 1.1MB/s
    Collecting boto (from csr_aws_guestshell)
      Downloading boto-2.48.0-py2.py3-none-any.whl (1.4MB)
        100% |################################| 1.4MB 914kB/s
    Collecting boto3 (from csr_aws_guestshell)
      Downloading boto3-1.4.7-py2.py3-none-any.whl (128kB)
        100% |################################| 133kB 8.5MB/s
    Collecting botocore==1.7.3 (from awscli->csr_aws_guestshell)
      Downloading botocore-1.7.3-py2.py3-none-any.whl (3.6MB)
        100% |################################| 3.6MB 337kB/s
    Collecting rsa<=3.5.0,>=3.1.2 (from awscli->csr_aws_guestshell)
      Downloading rsa-3.4.2-py2.py3-none-any.whl (46kB)
        100% |################################| 51kB 11.2MB/s
    Collecting s3transfer<0.2.0,>=0.1.9 (from awscli->csr_aws_guestshell)
      Downloading s3transfer-0.1.11-py2.py3-none-any.whl (54kB)
        100% |################################| 61kB 11.5MB/s
    Collecting docutils>=0.10 (from awscli->csr_aws_guestshell)
      Downloading docutils-0.14-py2-none-any.whl (543kB)
        100% |################################| 552kB 2.3MB/s
    Collecting colorama<=0.3.7,>=0.2.5 (from awscli->csr_aws_guestshell)
      Downloading colorama-0.3.7-py2.py3-none-any.whl
    Collecting PyYAML<=3.12,>=3.10 (from awscli->csr_aws_guestshell)
      Downloading PyYAML-3.12.tar.gz (253kB)
        100% |################################| 256kB 4.7MB/s
    Collecting jmespath<1.0.0,>=0.7.1 (from boto3->csr_aws_guestshell)
      Downloading jmespath-0.9.3-py2.py3-none-any.whl
    Collecting python-dateutil<3.0.0,>=2.1 (from botocore==1.7.3->awscli->csr_aws_guestshell)
      Downloading python_dateutil-2.6.1-py2.py3-none-any.whl (194kB)
        100% |################################| 194kB 5.7MB/s
    Collecting pyasn1>=0.1.3 (from rsa<=3.5.0,>=3.1.2->awscli->csr_aws_guestshell)
      Downloading pyasn1-0.3.3-py2.py3-none-any.whl (63kB)
        100% |################################| 71kB 10.7MB/s
    Collecting futures<4.0.0,>=2.2.0; python_version == "2.6" or python_version == "2.7" (from s3transfer<0.2.0,>=0.1.9->awscli->csr_aws_guestshell)
      Downloading futures-3.1.1-py2-none-any.whl
    Collecting six>=1.5 (from python-dateutil<3.0.0,>=2.1->botocore==1.7.3->awscli->csr_aws_guestshell)
      Downloading six-1.10.0-py2.py3-none-any.whl
    Installing collected packages: six, python-dateutil, jmespath, docutils, botocore, pyasn1, rsa, futures, s3transfer, colorama, PyYAML, awscli, boto, boto3, csr-aws-guestshell
      Running setup.py install for PyYAML ... done
      Running setup.py install for csr-aws-guestshell ... done
    Successfully installed PyYAML-3.12 awscli-1.11.145 boto-2.48.0 boto3-1.4.7 botocore-1.7.3 colorama-0.3.7 csr-aws-guestshell-0.0.7.dev0 docutils-0.14 futures-3.1.1 jmespath-0.9.3 pyasn1-0.3.3 python-dateutil-2.6.1 rsa-3.4.2 s3transfer-0.1.11 six-1.10.0
    /usr/lib/python2.7/site-packages/pip-8.1.2-py2.7.egg/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
    You are using pip version 8.1.2, however version 9.0.1 is available.
    You should consider upgrading via the 'pip install --upgrade pip' command.
    [guestshell@guestshell ~]$
    
    The following scripts are included in the csr_aws_guestshell package:

    get-metadata.py: retrieves and prints instance metadata from AWS

    get-route-table.py: retrieves instances in the VPC along with routes, route tables, and associations

    save-config-to-s3.py: saves Cisco IOS XE CLI commands to an S3 bucket

    save-tech-support-to-s3.py: saves tech support output to an S3 bucket

    load-bin-from-s3.py: downloads a .bin file for the Cisco CSR 1000v and reloads

    get-stat-drop.py: retrieves CLI statistics and pushes them to CloudWatch

    capture-interface.py: sets Cisco IOS XE CLI commands to monitor and capture packets for a period of time, then uploads the file to S3

  4. In the following example, the load-bin-from-s3.py script loads a binary from S3 and boots a Cisco CSR 1000v image:

    [guestshell@guestshell ~]$ load-bin-from-s3.py csr1kv ultra_167.bin
    /bootflash/ultra_167.bin  446866343 / 446866343  (100.00%)
    Download Complete