netbox

Table of Contents

1. Description
2. Setup - The basics of getting started with netbox
   • What netbox affects
   • Setup requirements
   • Beginning with netbox
3. Usage - Configuration options and additional functionality
   • A more interesting example
   • Example with Apache on Centos/RHEL8
4. Limitations - OS compatibility, etc.
5. Development - Guide for contributing to the module

Description

Puppet module for installing and configuring Netbox, an IPAM (IP Adress Management) tool initially conceived by the network engineering team at DigitalOcean. The documentation for Netbox can be found here

Setup

What netbox affects

This module installs and configures Netbox. Netbox needs PostgreSQL and Redis to work, and this module can optionally handle that too. Netbox is a Python web applications built on the Django framework and uses the Gunicorn webserver. Usually you place a webserver (like Nginx og Apache) in front of it. This is not part of this module, but a configuration using Apache is provided. Everything in this module is made according to the Netbox documentation. As such, if something is not properly explained here, you can probably find answers to your questions there.

Setup Requirements

You need to have epel configured. The easiest way to do that is by running:

yum install -y epel-release

This module has been tested with Apache HTTPD using the puppetlabs-apache module. There are a couple of gotchas, see example with Apache on Centos/RHEL8.

Beginning with Netbox

Add dependency modules to your puppet environment:

• camptocamp/systemd
• puppet/archive
• puppetlabs/inifile
• puppetlabs/stdlib

If you are going to use this module to install PostgreSQL and Redis, then you need these as well:

• puppetlabs/postgresql
• puppetlabs/concat
• puppet/redis

If you are following along the Apache example you also need to handle Selinux:

• puppet/selinux

Usage

In its simplest configuration, the module needs only one parameter set. This is the secret_key. This is something Netbox will not run without, and is recomended to be an at least 50 character long string of letters, symbols and numbers. This is to be treated as a secret.

By default, PostgreSQL and Redis is set up as part of the installation. If you have your own PostgreSQL or Redis installation you want to use, you simply set $handle_database and $handle_redis to false. Some configuration is offered, but if you need to tweek any of those two softwares, I would recommend handling them outside of this module.

If you want to use LDAP, activate the correct parameters (which is easy to find in the REFERENCE). But you must handle the LDAP-config file yourself It is still not implemented due to some complicated template work, and it's almost as easy to handle the file yourself. The Netbox documentation is pretty clear.

The following code shows an example where you have a profile::netbox (because of course you are using the "roles and profiles" design pattern) which takes in the secret key. This could for example be stored in Hiera eyaml.

class profile::netbox (
  String $netbox_secret_key,
) {

  class { 'netbox':
    secret_key    => $netbox_secret_key,
  }
}

You also need to set up a django superuser manually after installing. This is the admin account to your Netbox application. To do this, use the virtual Python environment created by the installation and the manage.py command:

# cd /opt/netbox
# source venv/bin/activate
(venv) # cd netbox
(venv) # python3 manage.py createsuperuser
Username: admin
Email address: admin@example.com
Password:
Password (again):
Superuser created successfully.

If you have installed Netbox in an non-default location, then you have adapt the above description accordingly.

A more interesting example

You probably want to adjust your parameters a little more than the minimal example. Here is a more realistic one:

  class { 'netbox':
    secret_key        => $netbox_secret_key,
    allowed_hosts     => [$trusted[certname], 'localhost'],
    banner_top        => 'TOP BANNER TEXT',
    banner_login      => 'WELCOME TO THE NETBOX LOGIN',
    banner_bottom     => 'BOTTOM BANNER TEXT',
    database_password => $netbox_database_password,
    email_from_email => "netbox@${trusted[domain]}",
  }

The $netbox_database_password is expected to be defined in wherever you include the Netbox module from. Should probably be stored in Hiera Eyaml.

Example with Apache on Centos/RHEL8

Here is a full working example with a Netbox profile which includes Netbox module and Apache with settings as recommended in the Netbox documentation. Note that for this setup to work you need:

• The boolean httpd_can_network_connect set to true:
  • Done in the example, requires the puppet/selinux module
• The apache user must be part of the netboxgroup:
  • usermod apache -G netbox

# Netbox
#
# Profile for running Netbox through the ahs/netbox-module
#
class profile::netbox (
  String $netbox_secret_key,
) {

selinux::boolean { 'httpd_can_network_connect': }
# usermod apache -G netbox

  class { 'netbox':
    secret_key    => $netbox_secret_key,
    allowed_hosts => [$trusted[certname]],
    banner_top    =>  'TOP BANNER TEXT',
    banner_bottom =>  'BOTTOM BANNER TEXT',
  }
  class { 'apache':
    default_vhost => false,
  }

  class { 'apache::mod::wsgi':
    mod_path     => '/usr/lib64/httpd/modules/mod_wsgi_python3.so',
    package_name => 'python3-mod_wsgi',
  }

  apache::vhost { $trusted[certname]:
    servername              => $trusted[certname],
    port                    => '80',
    proxy_preserve_host     => true,
    docroot                 => '/opt/netbox/netbox/',
    request_headers         => [
      'set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}',
    ],
    proxy_pass              => [
      { path        => '/',
        url         => 'http://127.0.0.1:8001/',
        reverse_url => 'http://127.0.0.1:8001/'
      },
    ],
    aliases                 => [
      { alias => '/static',
        path  => '/opt/netbox/netbox/static',
      },
    ],
    wsgi_pass_authorization => 'On',
    directories             => [
    { path            => '/opt/netbox/netbox/static',
      provider        => 'directory',
      custom_fragment => 'Options Indexes FollowSymLinks MultiViews'
    },
    { path            => '/static',
      provider        => 'location',
      custom_fragment => 'ProxyPass !'
    },
  ],
  }
}

Limitations

This module is only tested on RHEL/Centos8 at the moment, and will not work for Ubuntu family or older versions of EL just yet.

Upgrading from one version of Netbox to the next is not well tested, so you might need to do some manual steps that are explained in the Netbox documentation.

This module rests too heavily on execs that are ordered and grouped together with different notify refreshonlys and it's a bit fragile. So if you make a mistake by for example specifying some parameters wrong in your initial setup, and the Puppet run fails, you might have to do some manual steps. Depending on where the mistake lies, you might have to run pip install -r requirements.txt, python manage.py migrate or some other routine. These are explained in the Netbox documentation, and it's usually pretty clear from the error messages what you need to do.

There is only support for the tarball-way of getting Netbox as of now. This should not pose a problem as they are available through the Github repo as releases.

There are several optional integrations and configuration options found in the Netbox documentation that is not supported by this module yet. Including but not limited to:

• Remote File Storage
• Several optional settings

Development

I would be more than happy if you wanted to improve this module. Use the Github issue tracker to submit issues og fork it and issue Pull Requests.

Reference

Table of Contents

Classes

• netbox: Manage Netbox
• netbox::config: Configures Netbox and gunicorn
• netbox::database: Sets up the PostgreSQL database for netbox
• netbox::install: Installs Netbox
• netbox::redis: Class that handles the installation of Redis
• netbox::service: Manage the Netbox and Netvox-rq Systemd services

Classes

netbox

Install, configure and run Netbox

Examples

Defaults

class { 'netbox':
  secret_key => $my_secret_variable
}

Downloading from a different repository

class { 'netbox':
  version           => 'x.y.z',
  download_url      => 'https://my.local.repo.example.com/netbox/netbox-x.y.z.tar.gz',
  download_checksum => 'abcde...',
}

Parameters

The following parameters are available in the netbox class.

version

Data type: String

The version of Netbox. This must match the version in the tarball. This is used for managing files, directories and paths in the service.

Default value: '2.7.10'

user

Data type: String

The user owning the Netbox installation files, and running the service.

Default value: 'netbox'

group

Data type: String

The group owning the Netbox installation files, and running the service.

Default value: 'netbox'

secret_key

Data type: String

A random string of letters, numbers and symbols that Netbox needs. This needs to be supplied, and should be treated as a secret. Should be at least 50 characters long.

download_url

Data type: String

Where to download the binary installation tarball from.

Default value: 'https://github.com/netbox-community/netbox/archive/v2.7.10.tar.gz'

download_checksum

Data type: String

The expected checksum of the downloaded tarball. This is used for verifying the integrity of the downloaded tarball.

Default value: '21743eda8f633761fd9a16c28658235e7ee9a79b15353770b4b1fe0d133a26e5'

download_checksum_type

Data type: String

The checksum type of the downloaded tarball. This is used for verifying the integrity of the downloaded tarball.

Default value: 'sha256'

download_tmp_dir

Data type: Stdlib::Absolutepath

Temporary directory for downloading the tarball.

Default value: '/var/tmp'

install_root

Data type: Stdlib::Absolutepath

The root directory of the netbox installation.

Default value: '/opt'

handle_database

Data type: Boolean

Should the PostgreSQL database be handled by this module.

Default value: true

include_napalm

Data type: Boolean

NAPALM allows NetBox to fetch live data from devices and return it to a requester via its REST API. Installation of NAPALM is optional. To enable it, set $include_napalm to true

Default value: true

include_django_storages

Data type: Boolean

By default, NetBox will use the local filesystem to storage uploaded files. To use a remote filesystem, install the django-storages library and configure your desired backend in configuration.py.

Default value: true

include_ldap

Data type: Boolean

Makes sure the packages and the python modules needed for LDAP-authentication are installed and loaded. The LDAP-config itself is not handled by this Puppet module at present. Use the documentation found here: https://netbox.readthedocs.io/en/stable/installation/5-ldap/ for information about the config file.

Default value: true

email_server

Data type: String

Host name or IP address of the email server (use localhost if running locally) https://netbox.readthedocs.io/en/stable/configuration/optional-settings/#email

Default value: 'localhost'

email_timeout

Data type: Integer

Amount of time to wait for a connection (seconds) https://netbox.readthedocs.io/en/stable/configuration/optional-settings/#email

Default value: 10

email_port

Data type: Stdlib::Port

TCP port to use for the connection (default: 25) https://netbox.readthedocs.io/en/stable/configuration/optional-settings/#email

Default value: 25

email_username

Data type: String

Username with which to authenticate https://netbox.readthedocs.io/en/stable/configuration/optional-settings/#email

Default value: ''

email_password

Data type: String

Password with which to authenticate https://netbox.readthedocs.io/en/stable/configuration/optional-settings/#email

Default value: ''

email_from_email

Data type: String

Sender address for emails sent by NetBox https://netbox.readthedocs.io/en/stable/configuration/optional-settings/#email

Default value: ''

handle_redis

Data type: Boolean

Should the Redis installation be handled by this module. Defaults to true.

Default value: true

install_dependencies_from_filesystem

Data type: Boolean

Used if your machine can't reach the place pip would normally go to fetch dependencies as it would when running "pip install -r requirements.txt". Then you would have to fetch those dependencies beforehand and put them somewhere your machine can reach. This can be done by running (on a machine that can reach pip's normal sources) the following: pip download -r <requirements.txt> -d Remember to do this on local_requirements.txt also if you have one.

Default value: false

python_dependency_path

Data type: Stdlib::Absolutepath

Path to where pip can find packages when the variable $install_dependencies_from_filesystem is true

Default value: '/srv/python_dependencies'

database_name

Data type: String

Name of the PostgreSQL database. If handle_database is true, then this database gets created as well. If not, then it is only used by the application, and needs to exist. Defaults to 'netbox'

Default value: 'netbox'

database_user

Data type: String

Name of the PostgreSQL database user. If handle_database is true, then this database user gets created as well. If not, then it is only used by the application, and needs to exist. Defaults to 'netbox'

Default value: 'netbox'

database_password

Data type: String

Name of the PostgreSQL database password. If handle_database is true, then this database password gets created as well. If not, then it is only used by the application, and needs to exist. Defaults to 'netbox'

Default value: 'netbox'

database_host

Data type: Stdlib::Host

Name of the PostgreSQL database host. Defaults to 'localhost'

Default value: 'localhost'

database_port

Data type: Integer

PostgreSQL database port. NB! The PostgreSQL database that is made when using handle_database does not support configuring a non-standard port. So change this parameter only if using separate PostgreSQL DB with non-standard port. Defaults to 5432.

Default value: 5432

database_conn_max_age

Data type: Integer

Database max connection age in seconds. Defaults to 300.

Default value: 300

allowed_hosts

Data type: Array[Stdlib::Host]

Array of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name.

Default value: ['netbox.exmple.com','localhost']

banner_top

Data type: String

Text for top banner on the Netbox webapp Defaults to the empty string

Default value: ''

banner_bottom

Data type: String

Text for bottom banner on the Netbox webapp Defaults to the empty string

Default value: ''

banner_login

Data type: String

Text for login banner on the Netbox webapp Defaults to the empty string

Default value: ''

base_path

Data type: String

Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set: BASE_PATH = 'netbox/'

Default value: ''

admins

Data type: Array

Array of hashes with two keys, 'name' and 'email'. This is where the email goes if something goes wrong This feature (in the Puppet module) is not well tested.

Default value: []

debug

Data type: Boolean

Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging on a production system.

Default value: false

login_required

Data type: Boolean

Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users are permitted to access most data in NetBox (excluding secrets) but not make any changes.

Default value: false

metrics_enabled

Data type: Boolean

Setting this to true will permit only authenticated users to access any part of NetBox. By default, anonymous users are permitted to access most data in NetBox (excluding secrets) but not make any changes.

Default value: false

enforce_global_unique

Data type: Boolean

Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True.

Default value: false

prefer_ipv4

Data type: Boolean

When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to prefer IPv4 instead.

Default value: false

exempt_view_permissions

Data type: Array

Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and by anonymous users. List models in the form <app>.<model>. Add '*' to this list to exempt all models.

Default value: []

napalm_username

Data type: String

Username that NetBox will uses to authenticate to devices when connecting via NAPALM.

Default value: ''

napalm_password

Data type: String

Password that NetBox will uses to authenticate to devices when connecting via NAPALM.

Default value: ''

napalm_timeout

Data type: Integer

NAPALM timeout (in seconds).

Default value: 30

netbox::config

Configures Netbox and gunicorn, and load the database schema.

Examples

include netbox::config

Parameters

The following parameters are available in the netbox::config class.

user

Data type: String

The user owning the Netbox installation files, and running the service.

group

Data type: String

The group owning the Netbox installation files, and running the service.

install_root

Data type: Stdlib::Absolutepath

The root directory of the netbox installation.

allowed_hosts

Data type: Array[Stdlib::Host]

Array of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name.

database_name

Data type: String

Name of the PostgreSQL database. If handle_database is true, then this database gets created as well. If not, then it is only used by the application, and needs to exist.

database_user

Data type: String

Name of the PostgreSQL database user. If handle_database is true, then this database user gets created as well. If not, then it is only used by the application, and needs to exist.

database_password

Data type: String

Name of the PostgreSQL database password. If handle_database is true, then this database password gets created as well. If not, then it is only used by the application, and needs to exist.

admins

Data type: Array

Array of hashes with two keys, 'name' and 'email'. This is where the email goes if something goes wrong This feature (in the Puppet module) is not well tested.

database_host

Data type: Stdlib::Host

Hostname where the PostgreSQL database resides.

database_port

Data type: Integer

PostgreSQL database port. NB! The PostgreSQL database that is made when using handle_database does not support configuring a non-standard port. So change this parameter only if using separate PostgreSQL DB with non-standard port. Defaults to 5432.

database_conn_max_age

Data type: Integer

Database max connection age in seconds. Defaults to 300.

redis_options

Data type: Hash

Options used against redis. Customize to fit your redis installation. Use default values if using the redis bundled with this module.

email_options

Data type: Hash

Options used for sending email.

secret_key

Data type: String

A random string of letters, numbers and symbols that Netbox needs. This needs to be supplied, and should be treated as a secret. Should be at least 50 characters long.

banner_top

Data type: String

Text for top banner on the Netbox webapp

banner_bottom

Data type: String

Text for bottom banner on the Netbox webapp

banner_login

Data type: String

Text for login banner on the Netbox webapp

base_path

Data type: String

Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set: BASE_PATH = 'netbox/'

debug

Data type: Boolean

Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging on a production system.

enforce_global_unique

Data type: Boolean

Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True.

login_required

Data type: Boolean

Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users are permitted to access most data in NetBox (excluding secrets) but not make any changes.

metrics_enabled

Data type: Boolean

Setting this to true will permit only authenticated users to access any part of NetBox. By default, anonymous users are permitted to access most data in NetBox (excluding secrets) but not make any changes.

prefer_ipv4

Data type: Boolean

When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to prefer IPv4 instead.

exempt_view_permissions

Data type: Array

Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and by anonymous users. List models in the form <app>.<model>. Add '*' to this list to exempt all models.

napalm_username

Data type: String

Username that NetBox will uses to authenticate to devices when connecting via NAPALM.

napalm_password

Data type: String

Password that NetBox will uses to authenticate to devices when connecting via NAPALM.

napalm_timeout

Data type: Integer

NAPALM timeout (in seconds).

netbox::database

This class sets up PostgreSQL database. This is optional, you can choose to handle that yourself.

Examples

include netbox::database

Parameters

The following parameters are available in the netbox::database class.

database_name

Data type: String

Name of the PostgreSQL database.

database_user

Data type: String

Name of the PostgreSQL database user.

database_password

Data type: String

Name of the PostgreSQL database password.

netbox::install

Installs Netbox

Examples

include netbox::install

Parameters

The following parameters are available in the netbox::install class.

install_root

Data type: Stdlib::Absolutepath

The root directory of the netbox installation.

version

Data type: String

The version of Netbox. This must match the version in the tarball. This is used for managing files, directories and paths in the service.

download_url

Data type: String

Where to download the binary installation tarball from.

download_checksum

Data type: String

The expected checksum of the downloaded tarball. This is used for verifying the integrity of the downloaded tarball.

download_checksum_type

Data type: String

The checksum type of the downloaded tarball. This is used for verifying the integrity of the downloaded tarball.

download_tmp_dir

Data type: Stdlib::Absolutepath

Temporary directory for downloading the tarball.

user

Data type: String

The user owning the Netbox installation files, and running the service.

group

Data type: String

The group owning the Netbox installation files, and running the service.

install_method

Data type: Enum['tarball', 'git_clone']

Method for getting the Netbox software

Default value: 'tarball'

include_napalm

Data type: Boolean

NAPALM allows NetBox to fetch live data from devices and return it to a requester via its REST API. Installation of NAPALM is optional. To enable it, set $include_napalm to true

include_django_storages

Data type: Boolean

By default, NetBox will use the local filesystem to storage uploaded files. To use a remote filesystem, install the django-storages library and configure your desired backend in configuration.py.

include_ldap

Data type: Boolean

Makes sure the packages and the python modules needed for LDAP-authentication are installed and loaded. The LDAP-config itself is not handled by this Puppet module at present. Use the documentation found here: https://netbox.readthedocs.io/en/stable/installation/6-ldap/ for information about the config file.

install_dependencies_from_filesystem

Data type: Boolean

Used if your machine can't reach the place pip would normally go to fetch dependencies as it would when running "pip install -r requirements.txt". Then you would have to fetch those dependencies beforehand and put them somewhere your machine can reach. This can be done by running (on a machine that can reach pip's normal sources) the following: pip download -r <requirements.txt> -d Remember to do this on local_requirements.txt also if you have one.

python_dependency_path

Data type: Stdlib::Absolutepath

Path to where pip can find packages when the variable $install_dependencies_from_filesystem is true

netbox::redis

Class that handles the installation of Redis

Examples

include netbox::redis

netbox::service

A class for running Netbox as a Systemd service

Parameters

The following parameters are available in the netbox::service class.

install_root

Data type: Stdlib::Absolutepath

The root directory of the netbox installation.

user

Data type: String

The user running the service.

group

Data type: String

The group running the service.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[2.2.0] 2021-06-03

• Fix, change package installs to ensure_packages(), so class can work with other manifests without resource dupes. Fixes #11
• Also fixed several tests that were failing.
• Also fixed some dependency issues where if you manage redis or database elsewhere, the catalog will not compile. Fixes #10
  Thank you to github user lukebigum for submitting PRs

[2.1.0] 2020-12-17

• Feature, add possibility to configure encoding and locale on postgreSQL database, as proposed here
• Fix, The 'webhooks' REDIS configuration section has been renamed to 'tasks', Fixes #9
• Bump default version to 2.10.1

[2.0.1] 2020-06-09

• Bugfix, add refresh_only to the exec that changes owner on archive, fixes that corrective change is applied at every puppet run

[2.0.0] 2020-06-01

• Add notify arrow and move "install local requirements"
• Use root to unarchive, so you can put the netbox application a place where the netbox user doesn't have wright access.
• Use version 2.8.5 as default.

[1.1.1] 2020-05-26

• Bugfix, some VIRTUAL_ENVs were hard coded. Use the $venv_dir variable instead

[1.1.0] 2020-05-07

• Don't enforce creation and letting netbox own $install_root
• Change description of $install_root
• Clean up code
• Add correct documentation of the $metrics_enabled parameter

[1.0.1] 2020-04-29

• Bugfix, there was a rouge space in allowed_hosts in the config template.

[1.0.0] 2020-04-08

• Add support for all the date and time parameters
• Use version 2.7.11 as default.
• Add more in the limitations section
• First major version
• Formatting, pdk updates, structuring

[0.2.1] 2020-03-31

• Handle ADMINS in the config with the the admins array of hashes
• Handle debug option
• Handle enforce_global_unique option
• Handle exempt_view_permissions option
• Handle the metrics_enabled option
• Handle the prefer_ipv4 option
• Add validate command to validate python
• Add Napalm support (no Napalm arguments yet)
• Add possibility to download django-storage. Can not be configured yet
• Add way to install Netbox with this module without access internet.

[0.1.0] 2020-03-25

• Initial release.
• Download, install and start Netbox, with optionally also handling PostgreSQL and redis.
• Most important settings can be configured, but plenty are missing.
• Supports EL8 and nothing else right now.