
Please bear with me while I settle on a template that is both tolerable and functional and also find a way to clean up the horrendous markup/highlighting of code in posts and comments.  I also understand there is some additional problem with formatting in comments.  There’s a ton of info I’d like to start dumping up here, but need things functional first.  If anyone is aware of any clean/easy way to callout/highlight/markup text/code/etc without blowing other formatting all to hell, I’m all ears!

 

One stumbling block I had transitioning from IOS to JunOS was the way Juniper does policy based routing, or PBR.  Juniper refers to this as “Filter Based Forwarding”, and it’s a bit more involved to set up than a basic PBR on IOS.

I’ve come across plenty of documentation referencing /how/ to get this working, but I have yet to see a clear explanation of the rib-group import, even from JTAC.  I’ve never seen much more than “you need to do this for FBF to work”.

Maybe I’ve just missed it, maybe I’m ignorant, but a coworker and I finally realized /why/ you need to do this for FBF to function properly.

First, let’s start with a very basic FBF setup.  I’ll use a recent example where I’ve had to forward all web traffic to a web filter appliance.  Only the relevant config is included.

 

    routing-options {
        interface-routes {
            rib-group inet webfilter;
        }
        rib-groups {
            webfilter {
                import-rib [ inet.0 webfilter.inet.0 ];
            }
        }
    }

    routing-instances {
        webfilter {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 192.168.1.10;
                }
            }
        }
    }

    firewall {
        family inet {
            filter webfilter {
                term 1 {
                    from {
                        destination-port [ http https ];
                    }
                    then {
                        routing-instance webfilter;
                    }
                }
                term 2 {
                    then {
                        accept;
                    }
                }
            }
        }
    }

    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    filter {
                        input webfilter;
                    }
                    address 192.168.1.1/24;
                }
            }
        }
    }

 

So, let’s see what we’ve done here…

  • We’ve created a routing instance “webfilter” of type forwarding with a route for 0/0 pointing to our webfilter.
  • We’ve written a firewall filter to match http and https traffic and put the traffic into our “webfilter” forwarding instance.
  • We’ve attached that filter to an interface so any web traffic passing that interface gets re-routed to our web filter.

So far pretty basic, but we’ve also created a “rib-group” and imported some stuff into it.  This is the part I’ve never found a clear explanation on.  But here’s what we’ve done and why:

  • The routing instance we’re using for our FBF setup is type “forwarding”.  This means its sole purpose is to forward traffic where we tell it to.  It does not, and cannot, have any interfaces assigned to it.  If there are no interfaces in the routing instance, there are no directly attached networks, and therefore no path to any next-hop we might define in the routing instance.  This is why we need to create the rib-group and the imports.
  • First we create the new rib-group and set it to import the default inet.0 routing table as well as the webfilter.inet.0 routing table from our forwarding instance.  (My understanding is that this happens automatically without rib-groups defined, but as soon as you define a rib-group to import interface-routes into, you also have to tell the rib-group to import inet.0 and the forwarding instance’s own inet.0 table as well.)

        rib-groups {
            webfilter {
                import-rib [ inet.0 webfilter.inet.0 ];
            }
        }

  • Once the rib-group exists, we pump interface routes into it so the forwarding instance knows how to get to the next-hop we define.

        routing-options {
            interface-routes {
                rib-group inet webfilter;
            }
        }

 

And THAT is the key – the forwarding instance has no interfaces, and therefore also lacks any local or directly connected networks.  The rib-group is configured to import the interface-routes so the forwarding instance knows how to send traffic to the next-hop we define.
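As an added illustration (not part of the original post, and a deliberately simplified model rather than the real Junos resolver), here is a small Python model of the two tables. The static default route in webfilter.inet.0 points at 192.168.1.10, and the model shows that the route is unusable until the interface route for 192.168.1.0/24 is copied in, which is exactly what the rib-group import does.

```python
import ipaddress

# Constructed tables modelling the page's example; not output from a router.
INTERFACE_ROUTES = {"192.168.1.0/24": "direct(fe-0/0/0.0)"}  # what interface-routes provide
WEBFILTER_STATIC = {"0.0.0.0/0": "192.168.1.10"}             # static route in the forwarding instance


def longest_match(rib, addr):
    """Longest-prefix lookup of addr in rib; returns (network, next_hop) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, nh in rib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def build_rib(static_routes, interface_routes, rib_group_import):
    """Build webfilter.inet.0: its own statics, plus interface routes only if
    the rib-group import is configured (the page's whole point)."""
    rib = dict(static_routes)
    if rib_group_import:
        rib.update(interface_routes)
    return rib


def resolve(rib, dest):
    """Resolve dest the way the router must: find the covering route, then check
    that its next hop is reachable via a *direct* route in the same table.
    Returns the direct prefix used to reach the next hop, or None if the route
    is unusable because nothing in the table tells us how to reach the hop."""
    route = longest_match(rib, dest)
    if route is None:
        return None
    net, nh = route
    if nh.startswith("direct"):
        return str(net)
    nh_route = longest_match(rib, nh)
    if nh_route is None or not nh_route[1].startswith("direct"):
        return None  # next hop only matches a non-direct route: not resolvable
    return str(nh_route[0])


if __name__ == "__main__":
    for imported in (False, True):
        rib = build_rib(WEBFILTER_STATIC, INTERFACE_ROUTES, imported)
        print("rib-group import:", imported, "->", resolve(rib, "203.0.113.5"))
```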

As always, comments, corrections, etc. are always appreciated!

~pf

 

We’ve had many an issue with NSM upgrades and config import/export changes, unexpected behaviour, NSM thinking it knows better and screwing up our configs (especially NAT), and much other fun.

Because of this, in prep for rebuilding our NSM appliance (which is an absolute mess from a once steady stream of upgrade/rollback cycles attempting to find a version that worked best with our configs), we wanted to test the latest versions without impacting our production instance.  So I started looking at creating a virtualized instance of NSM for testing.

Note – This is NOT supported by Juniper or JTAC, you will NOT receive assistance or support for doing this.

When I started upon this little adventure I had found a great resource that detailed the few tweaks needed to make NSM install happily on a CentOS base (since only RHEL and Solaris are officially supported).  Unfortunately, when I got around to actually attacking this, I found that resource to have disappeared.

All credit for the CentOS tweaks and base install go to the great (and unfortunately neglected?) Juniper Hacks Blog.  Unfortunately the author of that blog chose to store many of his articles outside his WordPress instance and instead used Google’s “knol” service which has been retired.  You can find a cached/snapshot copy of hackjuniper’s original NSM on CentOS article via the Internet Archive’s WayBack Machine here.

Now, on to the fun.

Notes:

  • CentOS 5.2 seems to be the cleanest base.  I had some weird package version conflicts and issues on 5.8.  You can get the 5.2 install media from http://vault.centos.org/5.2/isos/i386/.  For the base install you’ll need CDs 1, 2, and 3 (why they couldn’t put the entire base install on CD 1 is beyond me).  There’s also a .torrent link in that directory for the DVD iso.
  • I have successfully installed pretty much every NSM version from 2008 up to the latest 2011.4s2 on the CentOS 5.2 base.  All install and run cleanly.  However, for some reason, I simply *cannot* get the web-based administration page to work properly.  You can get the basic client download page, but /administration never comes up even though webproxy appears to be running correctly.  This isn’t a huge issue for my testing purposes, but I would love to get it working anyway.  If anyone has any idea how to fix this, I’d love to hear it.
  • Again, this is completely UNSUPPORTED by Juniper or JTAC.  Additionally, NSM is a pig – it runs horribly on dedicated high-end hardware, and it’s worse in a VM.  I would certainly never attempt to use a virtualized instance for anything outside of basic testing and functional validation.
  • I’ve used this on VMware Workstation/Player, ESX, and VirtualBox.  No issues with any of them.

And, without further ado…..

Create your VM

  • 1 CPU
  • 2GB RAM (At least, it’ll run a bit smoother with 4)
  • 40-50GB HD (You won’t use most of this, but it will ensure the NSM installers don’t complain about free disk)

Install CentOS 5.2

  • Boot your install media iso and choose text mode install (type ‘linux text’ and hit enter).  Skip the disk check that takes forever.
  • Take the defaults for most of the install.  Let the OS take care of disk partitioning with the default layout.
  • For the software selection, on the first page deselect all options and check the box at the bottom for ‘customize selection’
  • On the customize selection page, ensure everything but ‘base’ is unchecked.
  • Proceed with the install.  You’ll need the images for discs 2 and 3 as well if you’re using the CD images rather than the DVD.
  • Reboot when complete

Prep CentOS for NSM

  • On first boot log in as root.
  • Disable iptables (optional – you can create an appropriate iptables policy to allow NSM to function, but that is outside the scope of this article)
    • ‘/etc/init.d/iptables stop; chkconfig --level 12345 iptables off’
    • ‘/etc/init.d/ip6tables stop; chkconfig --level 12345 ip6tables off’
  • Update the system to appear to be RHEL5
    • ‘vi /etc/redhat-release’
    • Delete the existing release name and replace with the string below, exactly, without quotes
      • “Redhat Enterprise Linux Server release 5”
  • Disable selinux (probably optional; NSM expects selinux to be present, but I had issues at times with the selinux policy preventing or blocking things.  Because of this, and because this system is meant for testing only in my case, I’ve configured selinux to run in “permissive” mode so it logs without blocking).
    • ‘vi /etc/selinux/config’
    • Set SELINUX=permissive

Download and Install NSM

  • I have successfully installed and run 2008, 2009, 2010, and 2011 with various revisions.  I am currently running 2011.4s2, the latest release as of 5.28.12.
  • You’ll need two files from the JTAC software download site (you’ll need a JTAC account and support contract to access the downloads).
  • For your chosen version of NSM, download both the appropriate systemupdate_linux package for your release as well as the linux_servers package.
  • Once downloaded, use SCP or ftp to transfer the two files to your VM.  Move them both to /var/tmp
  • Unzip the systemupdate file and you’ll end up with 2 .tar archives.  Remove the archive for ES4, and extract the archive for ES5.  You’ll be left with an es5 directory.  Drop into there, where we will run the systemupdate script momentarily.
  • Install a few additional packages then update the system and all packages
    • ‘yum install gnupg rsync xorg-x11-font-utils vim http’
    • ‘yum update’
  • Run the NSM systemupdate script to install the NSM preferred package versions
    • ‘sh /var/tmp/es5/rhes5.sh’
  • Let Yum update the system and packages once more.  This will override a few of the NSM provided packages, but running this update/systemupdate/update cycle was the only way I could seem to get all the packages into a happy state for everything to install cleanly.
    • ‘yum update’
  • Extract the NSM installer and you’ll be left with a very large .sh script.  Don’t fret, it’s huge because most of it is a binary blob containing the NSM installers.
  • Now we’ll run the installer.  The command line below is for the release I’m using, 2011.4s2.  The -niAPPLIANCE=n flag at the end tells it that we are installing on a full Linux system and NOT an NSMXpress appliance.
    • ‘sh /var/tmp/nsm2011.4s2_servers_linux_x86.sh -niAPPLIANCE=n’
  • There’s nothing too special in the installer if you’ve installed NSM previously.  Can mostly take the defaults and adjust as appropriate for your environment.
  • Once the NSM installer is complete, you’re done!
  • Point a web browser to https://<your.nsm.vm.ip>:8443 and download the client and test it out.
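The two file edits from the “Prep CentOS for NSM” steps, as an added script that is not part of the original post. It applies the exact redhat-release string and the SELINUX=permissive setting and then verifies both, so it can double as a pre-install check; the ROOT variable is an assumption of this script, defaulting to the real filesystem, that lets you rehearse against a scratch directory first.

```sh
#!/bin/sh
# Added example: applies and verifies the CentOS prep edits NSM's installer depends on.
# ROOT defaults to "" (the real /etc); set ROOT=/some/scratch/dir to rehearse safely.
set -e
ROOT="${ROOT:-}"
RELEASE_STRING="Redhat Enterprise Linux Server release 5"

# Replace /etc/redhat-release with the exact string NSM's installer looks for.
set_release_string() {
    mkdir -p "$ROOT/etc"
    printf '%s\n' "$RELEASE_STRING" > "$ROOT/etc/redhat-release"
}

# Switch SELinux to permissive in /etc/selinux/config (it logs instead of blocking).
# A minimal config is created only if the file is missing, e.g. in a scratch ROOT.
set_selinux_permissive() {
    cfg="$ROOT/etc/selinux/config"
    mkdir -p "$ROOT/etc/selinux"
    [ -f "$cfg" ] || printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$cfg"
    sed -i 's/^SELINUX=.*/SELINUX=permissive/' "$cfg"
}

# Returns 0 only when both edits are in place; anything else means stop and fix it.
verify_prep() {
    [ "$(cat "$ROOT/etc/redhat-release")" = "$RELEASE_STRING" ] || return 1
    grep -qx 'SELINUX=permissive' "$ROOT/etc/selinux/config" || return 1
}

# Run as:  sh nsm_prep.sh apply   (as root, or with ROOT pointed at a scratch dir)
if [ "${1:-}" = "apply" ]; then
    set_release_string
    set_selinux_permissive
    verify_prep && echo "prep ok: redhat-release and selinux set"
fi
```

The iptables/ip6tables steps are left as the page gives them, since whether to disable them or write a policy for NSM is a per-environment decision.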

 

That’s pretty much it.  Really the only special part is setting the redhat-release so that NSM believes it’s installing on RHEL, and getting the packages straight.

If anyone else has any other experience running NSM in a VM or on CentOS, I’d love to hear about it.  Corrections, updates, etc are always welcome!

~pf

The Crystal Method – Community Service 05-23-2012 | Mixjunkies.

Sick and Tasty.  Still killing it. <3 Crystal Method

(re: Crystal Method – one of my favorite games long ago in the days of the original playstation was n2o: Nitrous Oxide, a tunnel shooter scored entirely by TCM.  I just found it’s available on psn for the ps3…score!)

Welcome to packetfail’s first post.

I’m not quite sure exactly what this blog will turn out to be, but my initial intent is just to collect information I find useful and think others might find useful as well.

Over the last 2 years or so I’ve taken a dive headlong into Juniper Networks’ JunOS platform and gear.  At my place of employment, we’ve completely replaced all layer 3 with SRX/JunOS (both HE and branch), our DC switching is all EX/JunOS, and we’re mid-stride of a complete access layer replacement with, you guessed it, EX/JunOS.  We’ve also got Juniper all over the ancillaries – UAC (NAC), IVE (SSL VPN), and a little NSM and STRM for good measure.

In my adventures getting to know the gear and JunOS itself, I’ve found some of the most valuable resources to be a few hidden corners of the web – small blogs, random forum postings, etc. – and the community itself.

I’ve found that many of the resources I’ve used haven’t been updated or touched in quite some time, and some have completely disappeared.  Today I went to stand up a CentOS VM to run an instance of NSM for testing only to find the resources I had previously referenced for this are gone.  Poof.

So, the initial intent of this site will be to collect and archive useful bits and pieces of info and resources relating to networking in general, and Juniper/JunOS specifically.  The first (real) post will be to write up my VM NSM setup and notes.  Beyond that, who knows – but no goatse, I promise!

~pf