I learned recently that Arista EOS is based on fedora, and ‘Full Access to Linux shell and tools’ is a first class feature - so of course I had to buy an Arista switch on ebay and check it out.
In part one of this series, I’ll just be showing what the system looks like, and in part two we’ll exploit its linux nature to do something useful.
Don’t turn it on, take it apart!
Looks like we have a sata header, a pcie x1 slot, and a (usb?) sata-dom type boot drive. I’ve of course already upgraded the 4gb of memory to 8gb. Don’t be fooled by those little asic heatsinks, they put out a ton of heat even at idle. Idle consumption running on one psu is 134 watts.
First we need access. From serial:
en
conf t
environment fan-speed override 30
ip name-server vrf default 1.1.1.1
interface Ethernet48
no switchport
ip address 172.30.184.98/27
end
ip route 0.0.0.0/0 172.30.184.97
After running en, we’re free to just run bash. From here, we can sudo -i. We can also work backward and run cli commands like Cli -c "sho int et48"; for some reason they’re very slow.
Changes to the filesystem are not persisted accross reboots, but arista allows us to create a magic startup script at /mnt/flash/rc.eos. Abusing this, we can land a root ssh key:
#!/bin/sh
mkdir -p /root/.ssh
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDP8ugbhqJMmQtNSQPyOGeWWuVc4FJ7P8+nAKpKmnb0vTtO4OTBng6rytPDchlCG52mTpf/Qqib3XOUXCo79OvzTxH9JCrfCh/VHunv7THbilbLd0ZJEBH/lKGiCRqt3Dm3xNRFJNtbzypLa3vt4g0bfUngMTtE+9CgpTTmrcSbtfy9r7Lzt2ydimw7epVOl4inixAsOKi1WG90Sqgv0R4AofcgyvGveSfh8lXdBE2SS6MoSFSDy+HZE/XU/fuh7ML3QVPm1RnPyQs6Q6KCIS+PD2j9a5/2PgCDqBXF2aSdM3c/8UywzyjUputOkmxMR+8SDzU2sdCDWF38MrhVG3218gTViMT7ydCfEN/nh5wWjLK7lJZWBprP59CzDjFjNZJwPSjDASxBfGP4VTlWlscg6pkgy5tBInHWdA3tYCLR7szWFt9lZOQTKDGl6pAbFL54W/1JnG7IpW3FcWfmv31f5MW8wP89DR6kuitBzz+VTrr5Qf4lITeZQiCVSmArqNU=' > /root/.ssh/authorized_keys
With an ip on interface et48, and our rc.eos script landing an ssh key, we are able to reboot and ssh directly to a root bash shell:
-bash-4.1# reboot
Broadcast message from root@localhost
(/dev/pts/3) at 2:42 ...
The system is going down for reboot NOW!
-bash-4.1# Connection to 172.30.184.98 closed by remote host.
Connection to 172.30.184.98 closed.
~$ ssh [email protected]
Arista Networks EOS shell
-bash-4.1#
For reference, heres what the rest of /mnt/flash/ looks like. I’m assuming EOS-4.15.10M.swi gets extracted on every boot:
-bash-4.1# ls /mnt/flash/
EOS-4.15.10M.swi boot-config debug persist rc.eos schedule startup-config zerotouch-config
Yes, startup-config is the network config. More on this later.
And mountpoints:
-bash-4.1# df -h
Filesystem Size Used Avail Use% Mounted on
rootfs 1.2G 9.2M 1.2G 1% /
none 1.2G 9.2M 1.2G 1% /
none 1.2G 9.2M 1.2G 1% /.overlay
tmpfs 1.2G 72K 1.2G 1% /tmp
tmpfs 64M 568K 64M 1% /.deltas
tmpfs 64M 568K 64M 1% /var/run
tmpfs 3.9G 0 3.9G 0% /var/run/netns
tmpfs 64M 568K 64M 1% /var/tmp
tmpfs 792M 0 792M 0% /var/core
tmpfs 792M 35M 757M 5% /var/log
tmpfs 8.0M 108K 7.9M 2% /dev
tmpfs 1.0G 16M 1009M 2% /var/shmem
/dev/sda1 1.7G 832M 826M 51% /mnt/flash
kernel.org tells me rootfs is a type of ramfs.
This switch is running EOS 4.15, which is based on fedora 14.
localhost>show version
Arista DCS-7048T-A-R
Hardware version: 01.06
Serial number: JPE14044798
System MAC address: 001c.7360.da01
Software image version: 4.15.10M
Architecture: i386
Internal build version: 4.15.10M-4113119.41510M
Internal build ID: 4072d5fd-40ee-462f-8221-ea42c7fef901
Uptime: 12 minutes
Total memory: 8100576 kB
Free memory: 5009944 kB
-bash-4.1# uname -a
Linux localhost 3.4.43.Ar-4097593.41510M #1 SMP PREEMPT Fri Jan 13 07:36:09 PST 2017 x86_64 x86_64 x86_64 GNU/Linux
This is not a systemd system:
-bash-4.1# service sshd status
openssh-daemon (pid 2583) is running...
And yes, we can see all the interfaces and control them with ip:
-bash-4.1# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/24 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ma1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:1c:73:60:da:00 brd ff:ff:ff:ff:ff:ff
3: fabric: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc prio state UNKNOWN qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
4: cpu: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
5: txraw: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
6: vxlan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
7: mirror0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
8: mirror1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
9: mirror2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
10: mirror3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
11: mirror4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
12: mirror5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
13: mirror6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
14: mirror7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
15: mirror8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
16: mirror9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
17: mirror10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
18: mirror11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
19: mirror12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
20: mirror13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
21: mirror14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
22: mirror15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
23: et1: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9214 qdisc prio state DORMANT qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
24: et2: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9214 qdisc prio state DORMANT qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
25: et3: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9214 qdisc prio state DORMANT qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
26: et4: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9214 qdisc prio state DORMANT qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
27: et5: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9214 qdisc prio state DORMANT qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
28: et6: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9214 qdisc prio state DORMANT qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
29: et7: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9214 qdisc prio state DORMANT qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
30: et8: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9214 qdisc prio state DORMANT qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
31: et9: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9214 qdisc prio state DORMANT qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
32: et10: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9214 qdisc prio state DORMANT qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
33: et11: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9214 qdisc prio state DORMANT qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
34: et12: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9214 qdisc prio state DORMANT qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
35: et13: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9214 qdisc prio state DORMANT qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
36: et14: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9214 qdisc prio state DORMANT qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
37: et15: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9214 qdisc prio state DORMANT qlen 1000
link/ether 00:1c:73:60:da:01 brd ff:ff:ff:ff:ff:ff
...
(through et52)
Don’t know whats up with ‘cpu’, ’txraw’, ‘mirror’, but et1-et48 are indeed the front panel interfaces. ma1 works as well.
After setting no switchport on the arista side, we can indeed do things like ip link set et48 up, ip ad add 1.2.3.4/32 dev et48, tcpdump -i et48 and dhclient ma1.
lscpu doesn’t tell us much:
-bash-4.1# lscpu
Architecture: x86_64
CPU op-mode(s): 64-bit
CPU(s): 2
Thread(s) per core: 1
Core(s) per socket: 2
CPU socket(s): 1
Vendor ID: AuthenticAMD
CPU family: 16
Model: 6
Stepping: 3
CPU MHz: 1500.054
Virtualization: AMD-V
L1d cache: 64K
L1i cache: 64K
L2 cache: 1024K
-bash-4.1# lspci
00:00.0 Host bridge: Advanced Micro Devices [AMD] RS780 Host Bridge Alternate
00:01.0 PCI bridge: Advanced Micro Devices [AMD] RS780 PCI to PCI bridge (int gfx)
00:04.0 PCI bridge: Advanced Micro Devices [AMD] RS780 PCI to PCI bridge (PCIE port 0)
00:08.0 PCI bridge: Advanced Micro Devices [AMD] RS780 PCI to PCI bridge (NB-SB link)
00:09.0 PCI bridge: Advanced Micro Devices [AMD] RS780 PCI to PCI bridge (PCIE port 4)
00:0a.0 PCI bridge: Advanced Micro Devices [AMD] RS780 PCI to PCI bridge (PCIE port 5)
00:11.0 SATA controller: ATI Technologies Inc SB700/SB800 SATA Controller [IDE mode]
00:12.0 USB Controller: ATI Technologies Inc SB700/SB800 USB OHCI0 Controller
00:12.2 USB Controller: ATI Technologies Inc SB700/SB800 USB EHCI Controller
00:13.0 USB Controller: ATI Technologies Inc SB700/SB800 USB OHCI0 Controller
00:13.2 USB Controller: ATI Technologies Inc SB700/SB800 USB EHCI Controller
00:14.0 SMBus: ATI Technologies Inc SBx00 SMBus Controller (rev 42)
00:14.3 ISA bridge: ATI Technologies Inc SB700/SB800 LPC host controller (rev 40)
00:14.4 PCI bridge: ATI Technologies Inc SBx00 PCI to PCI Bridge (rev 40)
00:14.6 Ethernet controller: Broadcom Corporation NetLink BCM5785 Gigabit Ethernet (rev 01)
00:16.0 USB Controller: ATI Technologies Inc SB700/SB800 USB OHCI0 Controller
00:16.2 USB Controller: ATI Technologies Inc SB700/SB800 USB EHCI Controller
00:18.0 Host bridge: Advanced Micro Devices [AMD] Family 10h Processor HyperTransport Configuration
00:18.1 Host bridge: Advanced Micro Devices [AMD] Family 10h Processor Address Map
00:18.2 Host bridge: Advanced Micro Devices [AMD] Family 10h Processor DRAM Controller
00:18.3 Host bridge: Advanced Micro Devices [AMD] Family 10h Processor Miscellaneous Control
00:18.4 Host bridge: Advanced Micro Devices [AMD] Family 10h Processor Link Control
01:05.0 VGA compatible controller: ATI Technologies Inc M880G [Mobility Radeon HD 4200]
02:00.0 System peripheral: Arastra Inc. Device 0003 (rev 01)
04:00.0 System peripheral: Arastra Inc. Device 0001 (rev 0a)
Apparently this network switch has a radeon igpu which is quite amusing. One would think they would try to choose a cpu which doesn’t have graphics cores sitting idle wasting power; even if its only a couple watts. My guess from this clue is that the cpu is something like a 45nm athlon/turion, which is a bit odd as this switch appears to have been manufactured in 2017.
Since this is fedora based, you’re probably asking by now if we can yum install regular packages. Yes we can!
echo '[fedora]
name=Fedora 14
failovermethod=priority
baseurl=http://archive.fedoraproject.org/pub/archive/fedora/linux/releases/14/Everything/i386/os/
exclude=kernel,fedora-logos
enabled=1
gpgcheck=0' > /etc/yum.repos.d/fedora.repo
-bash-4.1# yum install htop
===================================================================================================================================
Package Arch Version Repository Size
===================================================================================================================================
Installing:
htop i686 0.8.3-3.fc14 fedora 60 k
Installing for dependencies:
plpa-libs i686 1.3.2-4.fc13 fedora 25 k
Transaction Summary
===================================================================================================================================
Install 2 Package(s)
Total size: 85 k
Installed size: 185 k
Installed:
htop.i686 0:0.8.3-3.fc14
Dependency Installed:
plpa-libs.i686 0:1.3.2-4.fc13
By default, there were no yum repos.
Again, package installs like this wont be persisted. If we needed, we could land rpms on /mnt/flash and install them locally on every boot. For now, I’ll just land the repo conf from my rc.eos so its always available.
