Installing EOS hot fixes with CloudVision Portal

Installing hotfixes via CloudVision Portal

One of the major strengths of EOS is the open nature of the operating system.  By being able to add software to Arista switches, one can extend the capabilities of the operating system (that’s where the ‘E’ in EOS comes from after all).  One scenario where this is perhaps most beneficial is in the realm of security updates.  The majority of security updates to Arista’s operating system are initially delivered in the form of an extension prior to rolling the update into a new release of EOS.  There are some clear advantages to this method including:

  • Time to deliver
  • Minimized impact to production

Traditional network equipment requires a new operating system image to address security vulnerabilities and other bugs.  Not so with Arista EOS.  In this article, we’ll review how to use Arista’s CloudVision Portal to install a security extension across all switches on a network.

CloudVision Portal can be used to install extensions on a single device, or across multiple switches in the infrastructure simultaneously.  In this example, we’ll deploy a security patch to our switches which are all running EOS 4.17.0F.

1) First, locate the image bundle(s) for your switches (note that the image bundle in this example is a vEOS build).

[Screenshot: ImageBundle1]

As CloudVision Portal supports multiple image bundles, it is sometimes handy to check which devices an image is applied to.  This can be easily accomplished by clicking on the “Applied Devices” tab on the “Images” page:

[Screenshot: ImageAppliedTo]

2) Next, add the extension file to the image bundle.  Click the folder icon to the right of the window and select the file on your local machine that you’d like to add to the bundle.  In this case, we deploy the CVE-2016-6894-hotfix.swix extension:

[Screenshot: SelectExtension]

The image bundle now also includes the extension as can be seen in the above capture.

3) At this point, CloudVision Portal will prompt to push the bundle. Select yes in this dialogue to add the extension to the switch image.  Note that this step creates one task per switch to add the extension.  The image will not be installed on the devices until you execute the task on each switch.  When installing an extension, such as a security hotfix, it is strongly recommended to verify the impact on the switches (i.e. do any processes restart, is the installation hitless, etc.).  For patches released by Arista Networks, this should be documented in the advisory.

[Screenshot: ApplyImage2Devices]

4) Next, exit to the network provisioning screen. The tasks have now been created, as indicated by the “T” on the switches.

[Screenshot: DevicesHaveTasks]

5) Verify the status of the extension. Note that it is not loaded on the leaf-1b switch:

[Screenshot: NoExtensionCli]

Additionally, one can quickly validate the status of all switches in the network using Arista’s eAPI and a simple Python script such as this:

[Screenshot: ScriptSource]

[Screenshot: NoExtensionsEapi]

6) Execute the task, one per switch:

[Screenshot: SelectImageTask]

[Screenshot: PushInProgress]

[Screenshot: PushComplete]

7) Now that the tasks are all complete, we can re-run the getver.py script to validate that all switches now have the extension installed:

[Screenshot: EapiExtensionInstalled]

That’s it.  In 5-10 minutes, CloudVision Portal can install a security patch across the entirety of your Arista infrastructure.  We can also see the uptime of the switches and more importantly that none of them were rebooted as a result of the application of the patch, and that should make everybody happy.  Time to relax again, you’re running Arista switches.  Happy networking!
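The eAPI check used in steps 5 and 7 survives on this page only as a screenshot, so the following is an added example, not the article's getver.py. It assumes eAPI is enabled over HTTPS and that the JSON replies carry `version`, `uptime`, `extensions` and `status` fields; the function names, the hostnames other than leaf-1b and the sample replies are constructed for illustration.

```python
import base64, json, urllib.request

HOTFIX = "CVE-2016-6894-hotfix.swix"  # extension file named in this article

def query_switch(host, user, password):
    """Run both show commands over eAPI; urlopen verifies the TLS certificate."""
    body = {"jsonrpc": "2.0", "method": "runCmds", "id": "hotfix-audit",
            "params": {"version": 1, "format": "json",
                       "cmds": ["show version", "show extensions"]}}
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/command-api", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def hotfix_state(reply, hotfix=HOTFIX):
    """Reduce one eAPI reply to (eos_version, uptime_seconds, state)."""
    if "error" in reply:  # JSON-RPC error object instead of a result list
        return (None, None, "error: " + reply["error"].get("message", "unknown"))
    version, extensions = reply["result"]  # same order as the cmds list
    ext = extensions.get("extensions", {}).get(hotfix)  # assumed field names
    if ext is None:
        state = "missing"  # file was never copied to the switch
    else:
        state = "installed" if ext.get("status") == "installed" else "present-not-installed"
    return (version.get("version"), version.get("uptime"), state)

def audit(replies, hotfix=HOTFIX):
    """Map hostname -> state tuple and list switches whose task is still open."""
    rows = {host: hotfix_state(r, hotfix) for host, r in replies.items()}
    pending = sorted(h for h, row in rows.items() if row[2] != "installed")
    return rows, pending

# Constructed sample replies; live use: {h: query_switch(h, user, pw) for h in hosts}
SAMPLE = {
    "leaf-1a": {"result": [{"version": "4.17.0F", "uptime": 86400.5},
                           {"extensions": {HOTFIX: {"status": "installed"}}}]},
    "leaf-1b": {"result": [{"version": "4.17.0F", "uptime": 86390.1},
                           {"extensions": {}}]},
    "spine-1": {"error": {"message": "constructed failure"}},
}

if __name__ == "__main__":
    rows, pending = audit(SAMPLE)
    for host, (ver, up, state) in sorted(rows.items()):
        print(f"{host:10} {ver or '-':10} {up or 0:>10.0f}s  {state}")
    print("still pending:", ", ".join(pending) or "none")
```

Comparing the uptime column before and after the tasks run confirms that no switch rebooted, and a switch that returns an error is reported as pending rather than silently counted as patched.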