System Install

Primary requirements to do a System Install include:

• A system running Linux or macOS on either the x86_64 or ARM64 architecture for development. Linux for production.

• GNU libc 2.24 or higher.

• Java JRE 17 or higher. Used by Cisco Smart Licensing.

• Required and included with many Linux/macOS distributions:

  • tar command. Unpack the installer.

  • gzip command. Unpack the installer.

  • ssh-keygen command. Generate SSH host key.

  • openssl command. Generate self-signed certificates for HTTPS.

  • find command. Used to find out if all required libraries are available.

  • which command. Used by the NSO package manager.

  • libpam.so.0. Pluggable Authentication Module library.

  • libexpat.so.1. EXtensible Markup Language parsing library.

  • libz.so.1 version 1.2.7.1 or higher. Data compression library.

Additional requirements to, for example, build and run NSO production deployment examples, include:

• Java JDK 17 or higher.

• Ant 1.9.8 or higher.

• Python 3.10 or higher.

• Python Setuptools is required to build the Python API.

• Often installed using the Python package installer pip:

  • Python Paramiko 2.2 or higher. To use netconf-console.

  • Python requests. Used by the RESTCONF demo scripts.

• xsltproc command. Used by the support/ned-make-package-meta-data command to generate the package-meta-data.xml file.

• One of the following web browsers is required for NSO GUI capabilities. The version must be supported by the vendor at the time of release.

  • Safari

  • Mozilla Firefox

  • Microsoft Edge

  • Google Chrome

• OpenSSH client applications. For example ssh and scp commands.

• cron. Run time-based tasks, such as logrotate.

• logrotate. rotate, compress, and mail NSO and system logs.

• rsyslog. pass NSO logs to a local syslog managed by rsyslogd and pass logs to a remote node.

• systemd or init.d scripts to start and stop NSO.

You need to know your system specifications (Operating System and CPU architecture) to choose the appropriate NSO Installer.

NSO is delivered as an OS/CPU-specific signed self-extractable archive. The signed archive file has the pattern nso-VERSION.OS.ARCH.signed.bin that after signature verification extracts the nso-VERSION.OS.ARCH.installer.bin archive file, where:

• VERSION is the NSO version to install.

• OS is the Operating System (linux for all Linux distributions and darwin for macOS).

• ARCH is the CPU architecture, for example, x86_64.

The following contents are unpacked:

• nso-VERSION.OS.ARCH.installer.bin: The NSO installer.

• nso-VERSION.OS.ARCH.installer.bin.signature: Signature generated for the NSO image.

• tailf.cer: An enclosed Cisco signed x.509 end-entity certificate containing the public key that is used to verify the signature.

• README.signature: File with further details on the unpacked content and steps on how to run the signature verification program. To manually verify the signature, refer to the steps in this file.

• cisco_x509_verify_release.py: Python program that can be used to verify the 3-tier x.509 certificate chain and signature.

• Multiple .tar.gz files: Bundled packages, extending the base NSO functionality.

• Multiple .tar.gz.signature files: Digital signatures for the bundled packages.

Since NSO version 6.3, a few additional NSO packages are included. They contain the following platform tools:

• HCC

• Observability Exporter

• Phased Provisioning

• Resource Manager

For platform tools documentation, refer to individual package's README file or to the online documentation.

NED Packages

The NED Packages that are available with the NSO Installation are netsim-based example NEDs. These NEDs are used for NSO examples only.

Fetch the latest production-grade NEDs from Cisco Software Download using the URLs provided on your NED license certificates.

Manual Pages

The installation program will unpack the NSO manual pages from the documentation archive, allowing you to use the man command to view them. The Manual Pages are also available in PDF format and from the online documentation located on NCS man-pages, Volume 1 in Manual Pages.

Following is a list of a few of the installed manual pages:

• ncs(1): Command to start and control the NSO daemon.

• ncsc(1): NSO Yang compiler.

• ncs_cli(1): Frontend to the NSO CLI engine.

• ncs-netsim(1): Command to create and manipulate a simulated network.

• ncs-setup(1): Command to create an initial NSO setup.

• ncs.conf: NSO daemon configuration file format.

For example, to view the manual page describing the NSO configuration file you should type:

$ man ncs.conf

Apart from the manual pages, extensive information about command line options can be obtained by running ncs and ncsc with the --help (abbreviated -h) flag.

$ ncs --help

$ ncsc --help

Installer Help

Run the sh nso-VERSION.linux.x86_64.installer.bin --help command to view additional help on running binaries. More details can be found in the ncs-installer(1) Manual Page included with NSO.

Notice the two options for --local-install or --system-install.

sh nso-6.0.linux.x86_64.installer.bin --help

The System Install by default creates the following directories:

• The Installation Directory is created in /opt/ncs, where the distribution is available.

• The Configuration Directory is created in /etc/ncs, where the ncs.conf file, SSH keys, and WebUI certificates are created.

• The Running Directory is created in /var/opt/ncs, where runtime state files, CDB database, and packages are created.

• The Log Directory is created in /var/log/ncs, where the log files are populated.

• System-wide environment variables are created in /etc/profile.d/ncs.sh.

• The installer creates a systemd system service script in /etc/systemd/system/ncs.service and enables the NSO service to start at boot, but the service is not started immediately. See the steps below for starting NSO after installation and before rebooting.

• To allow package reload when starting NSO, an environment file called /etc/ncs/ncs.systemd.conf is created. This file is owned by the user that starts NSO.

For the --system-install option, you can also choose a user-defined (non-default) Installation Directory, Configuration Directory, Running Directory, and Log Directory with --install-dir, --config-dir, --run-dir and --log-dir parameters, and specify that NSO should run as a different user than root with the --run-as-user parameter.

If you choose a non-default Installation Directory by using --install-dir, you need to specify --install-dir for subsequent installs and also for backup and restore.

Use the --ignore-init-scripts option to disable provisioning the systemd system service.

If a legacy SysV service exists in /etc/init.d/ncs when installing in interactive mode, the user will be prompted to continue using the old SysV service behavior or prepare a systemd service. In non-interactive mode, a systemd service will be prepared where a /etc/systemd/system/ncs.service.prepare file is created. The service is not enabled to start at boot. To enable it, rename it to /etc/systemd/system/ncs.service and remove the old /etc/init.d/ncs SysV service. When using the --non-interactive option, the /etc/systemd/system/ncs.service file will be overwritten if it already exists.

For more information on the ncs-installer, see the ncs-installer(1) man page.

For an extensive guide to NSO deployment, refer to Development to Production Deployment.

By default, the Linux kernel allows overcommit of memory. However, memory overcommit produces an unexpected and unreliable environment for NSO because the Linux Out-Of-Memory (OOM) killer may terminate NSO without restarting it if the system is critically low on memory. Also, when the OOM killer terminates NSO, no system dump file will be produced, and the debug information will be lost. Thus, it is strongly recommended to enable strict overcommit accounting.

Heuristic Overcommit Mode as an Alternative to Strict Overcommit

The alternative—using heuristic overcommit mode (see below for best‑effort recommendations)—can be useful if the NSO host has severe memory limitations. For example, if RAM sizing for the NSO host did not take into account that the schema (from YANG models) is loaded into memory by NSO Python and Java packages affecting total committed memory (Committed_AS) and after considering the recommendations in CDB Stores the YANG Model Schema.

Recommended: Host Configured for Strict Overcommit

• Set vm.overcommit_memory=2 to enable strict overcommit accounting.

• Set vm.overcommit_ratio so the CommitLimit is approximately equal to physical RAM, with a 5% headroom for the kernel to reduce the risk of system-wide OOM conditions. E.g., 95% of RAM when no swap is present (recommended), or subtract 5 percentage points from the calculated ratio that neutralizes swap. Increase the headroom if the host runs additional services.

• Alternatively, set vm.overcommit_kbytes which takes precedence; vm.overcommit_ratio is ignored while vm.overcommit_kbytes > 0.

  • When vm.overcommit_kbytes > 0, it sets a fixed CommitLimit in kB and ignores ratio and swap in the calculation. Note that HugeTLB is not subtracted when overcommit_kbytes is used (it’s a fixed value).

• Strongly discourage swap use at runtime by setting vm.swappiness=1.

• If swap must remain enabled system-wide, prevent NSO from using swap by configuring its cgroup with memory.swap.max=0 (cgroup v2).

• If swap must be enabled for NSO use a fast disk, for example, an NVMe SSD.

Apply Immediately

echo 2 > /proc/sys/vm/overcommit_memory

When vm.overcommit_memory=2, the overcommit_ratio parameter defines the percentage of physical RAM that is available for commit.

The Linux kernel computes the CommitLimit:

CommitLimit = MemTotal × (overcommit_ratio / 100) + SwapTotal − total_huge_TLB

• MemTotal is the total amount of RAM on the system.

• overcommit_ratio is the value in /proc/sys/vm/overcommit_ratio .

• SwapTotal is the amount of swap space. Can be 0.

• total_huge_TLB is the amount of memory set aside for huge pages. Can be 0.

The default overcommit_ratio is 50%. On systems with more than 50% of RAM available, this default can underutilize physical memory.

Do not set vm.overcommit_ratio=100 as it includes all RAM plus all swap in the CommitLimit and leaves no headroom for the kernel. While swap increases the commit capacity, it is usually slow and should be avoided for NSO.

Compute overcommit_ratio to Neutralize Swap

To allocate physical RAM only in commit accounting and keep a 5-10% headroom for the kernel:

• Compute the base ratio: base_ratio = 100 × (MemTotal − SwapTotal) / MemTotal.

• Apply headroom: overcommit_ratio = floor(base_ratio) − 5.

Notes:

• overcommit_ratio is an integer; round down for a bit of extra headroom.

• Recompute the ratio if RAM or swap changes.

• If SwapTotal ≥ MemTotal, swap cannot be neutralized via overcommit_ratio, use overcommit_kbytes; see Example 3.

• If the computed value is very low, ensure it still fits your workload requirements.

Example 1: No Swap, 5% Headroom

cat /proc/meminfo | grep "MemTotal\|SwapTotal"
MemTotal:    8039352 kB
SwapTotal:         0 kB

echo 2  > /proc/sys/vm/overcommit_memory
echo 95 > /proc/sys/vm/overcommit_ratio
echo 1  > /proc/sys/vm/swappiness

Rationale: With no swap, set overcommit_ratio=95 to allow ~95% of RAM for user-space commit, leaving ~5% headroom for the kernel.

Example 2: MemTotal > SwapTotal, Neutralize Swap with 5% Headroom

cat /proc/meminfo | grep "MemTotal\|SwapTotal"
MemTotal:    8039352 kB
SwapTotal:   1048572 kB

Calculate the ratio:

• base_ratio= 100 × ((8039352 − 1048572) / 8039352) ≈ 86.9%.

• Apply 5% headroom: overcommit_ratio = floor(86.9) − 5 = 81.

echo 2  > /proc/sys/vm/overcommit_memory
echo 81 > /proc/sys/vm/overcommit_ratio
echo 1  > /proc/sys/vm/swappiness

This keeps the CommitLimit safely below physical RAM to provide kernel headroom and neutralizes swap’s contribution to CommitLimit and then applies 5% headroom toward the commit budget.

Example 3: SwapTotal ≥ MemTotal (Headroom via ratio not applicable, use overcommit_kbytes)

cat /proc/meminfo | grep "MemTotal\|SwapTotal"
MemTotal:    16000000 kB
SwapTotal:   16000000 kB

Compute:

• CommitLimit_kB = floor(MemTotal × 0.95) = floor(16,000,000 × 0.95) = 15,200,000 kB.

echo 2 > /proc/sys/vm/overcommit_memory
echo 15200000 > /proc/sys/vm/overcommit_kbytes
echo 1 > /proc/sys/vm/swappiness

Note that overcommit_kbytes sets a fixed CommitLimit that ignores swap; recompute if RAM changes. Also note the HugeTLB subtraction does not apply when using overcommit_kbytes (fixed commit budget).

Refer to the Linux proc_sys_vm(5) manual page for more details on the overcommit_memory, overcommit_ratio, and overcommit_kbytes parameters.

Persist Across Reboots

To ensure the overcommit remains disabled after reboot, add the three lines below to /etc/sysctl.conf (or a file under /etc/sysctl.d/).

vm.overcommit_memory = 2
vm.overcommit_ratio = <integer> # if not using overcommit_kbytes
vm.overcommit_kbytes = <kbytes> # if using a fixed CommitLimit
vm.swappiness = 1

See the Linux sysctl.conf(5) manual page for details.

NSO Crash Dumps

If NSO aborts due to failure to allocate memory, NSO will produce a system dump by default before aborting. When starting NSO from a non-root user, set the NCS_DUMP environment variable to point to a filename in a directory that the non-root user can access. The default setting is NCS_DUMP=ncs_crash.dump, where the file is written to the NSO run-time directory, typically NCS_RUN_DIR=/var/opt/ncs. If the user running NSO cannot write to the directory that the NCS_DUMP environment variable points to, generating the system dump file will fail, and the debug information will be lost.

Alternative: Heuristic Overcommit Mode (vm.overcommit_memory=0) With Committed_AS Monitoring

As an alternative to the recommended strict mode, vm.overcommit_memory=2, you can keep vm.overcommit_memory=0 to allow overcommit of memory and monitor the total committed memory (Committed_AS) versus CommitLimit using, for example, a best effort script or observability tool. When Committed_AS crosses a threshold, for example, 90% of CommitLimit, proactively trigger a series of NSO debug dumps every few seconds via ncs --debug-dump. Optionally, a second critical threshold, for example, 95% of CommitLimit, proactively trigger NSO to produce a system dump and then exit gracefully.

• This approach does not prevent NSO from getting killed; it attempts to capture diagnostic data before memory pressure becomes critical and the Linux OOM-killer kills NSO.

• If swap is enabled, prefer vm.swappiness=1 and consider placing NSO in a cgroup with memory.swap.max=0 to avoid swap I/O for NSO. Requires Linux cgroup v2 and a service-managed cgroup (e.g., systemd) support.

• Committed_AS versus CommitLimit is a more meaningful early‑warning signal than Committed_AS versus MemTotal, because CommitLimit reflects the kernel’s current overcommit policy, swap availability, and huge page reservations—MemTotal does not.

• When in Heuristic mode (vm.overcommit_memory=0): CommitLimit is informative, not enforced. It’s still better than MemTotal for early warning, but OOM can occur before or after you reach it.

• If necessary for your use-case, complement with MemAvailable, swap activity (vmstat or /proc/vmstat), PSI memory pressure (/proc/pressure/memory), and per‑process/cgroup RSS to catch imminent pressure that Committed_AS alone may miss.

• Ensure the user running the monitor has permission to execute ncs --debug-dump and write to the chosen dump directory.

• See "NSO Crash Dumps" above for crash dump details.

#!/usr/bin/env bash
# Simple NSO debug-dump monitor for heuristic overcommit mode (vm.overcommit_memory=0).
# Triggers ncs --debug-dump when Committed_AS reaches 90% of CommitLimit.
# Triggers NSO to produce a system dump before exiting using kill -USR1 <ncs.smp PID> when Committed_AS reaches 95% of CommitLimit

THRESHOLD_PCT=90       # Trigger at 90% of CommitLimit (10% headroom).
CRITICAL_PCT=95        # Trigger at 95% of CommitLimit (5% headroom).
POLL_INTERVAL=5        # Seconds between checks.
PROCESS_CHECK_INTERVAL=30
DUMP_COUNT=10          # Number of dumps to collect.
DUMP_DELAY=10          # Seconds between dumps.
DUMP_PREFIX="dump"     # Files like dump.1.bin, dump.2.bin, ...

command -v ncs >/dev/null 2>&1 || { echo "ncs command not found in PATH."; exit 1; }

find_nso_pid() {
  pgrep -x ncs.smp | head -n1 || true
}

while true; do
  pid="$(find_nso_pid)"
  if [ -z "${pid:-}" ]; then
    echo "NSO not running; retry in ${PROCESS_CHECK_INTERVAL}s..."
    sleep "$PROCESS_CHECK_INTERVAL"
    continue
  fi

  committed="$(awk '/Committed_AS:/ {print $2}' /proc/meminfo)"
  commit_limit="$(awk '/CommitLimit:/ {print $2}' /proc/meminfo)"
  if [ -z "$committed" ] || [ -z "$commit_limit" ]; then
    echo "Unable to read /proc/meminfo; retry in ${POLL_INTERVAL}s..."
    sleep "$POLL_INTERVAL"
    continue
  fi

  threshold=$(( commit_limit * THRESHOLD_PCT / 100 ))
  critical=$(( commit_limit * CRITICAL_PCT / 100 ))
  echo "PID=${pid} Committed_AS=${committed}kB; CommitLimit=${commit_limit}kB; Threshold=${threshold}kB; Critical=${critical}kB."
  if [ "$committed" -ge "$critical" ]; then
    echo "Critical threshold crossed; collect a system dump and stop NSO..."
    kill -USR1 ${pid}
    exit 0
  elif [ "$committed" -ge "$threshold" ]; then
    echo "Threshold crossed; collecting ${DUMP_COUNT} debug dumps..."
    for i in $(seq 1 "$DUMP_COUNT"); do
      file="${DUMP_PREFIX}.${i}.bin"
      echo "Dump $i -> ${file}"
      if ! ncs --debug-dump "$file"; then
        echo "Debug dump $i failed."
      fi
      sleep "$DUMP_DELAY"
    done
    echo "All debug dumps completed; exiting."
    exit 0
  fi

  sleep "$POLL_INTERVAL"
done

If no registration token is provided, NSO enters a 90-day evaluation period and the remaining evaluation time is recorded hourly in the NSO daemon log:

      ...
<INFO> 13-Apr-2016::13:22:29.178 miosaterm confd[16260]:
Starting the NCS Smart Licensing Java VM
<INFO> 13-Apr-2016::13:22:34.737 miosaterm confd[16260]:
Smart Licensing evaluation time remaining: 90d 0h 0m 0s
...
<INFO> 13-Apr-2016::13:22:34.737 miosaterm confd[16260]:
Smart Licensing evaluation time remaining: 89d 23h 0m 0s
...

During upgrades, If you experience a 'Communication Send Error' during license registration, restart the Smart Agent.

In a situation where the NSO instance has no direct access to the Cisco Smart Software Manager, one option is the Cisco Smart Software Manager Satellite which can be installed to manage software licenses on the premises. Install the satellite and use the command call-home destination address http <url:port> to point to the satellite.

Another option when direct access is not desired is to configure an HTTP or HTTPS proxy, e.g., smart-license smart-agent proxy url https://127.0.0.1:8080. If you plan to do this, take the note below regarding ignored CLI configurations into account:

If ncs.conf contains configuration for any of java-executable, java-options, override-url/url or proxy/url under the configure path /ncs-config/smart-license/smart-agent/, then any corresponding configuration done via the CLI is ignored.

When configuring NSO in High Availability (HA) mode, the license registration token must be provided to the CLI running on the primary node. Read more about HA and node types in High Availability.

Licensing activities are also logged in the NSO daemon log as described in Monitoring NSO. For example, a successful token registration results in the following log entry:

<INFO> 21-Apr-2016::11:29:18.022 miosaterm confd[8226]:
Smart Licensing Global Notification:
type = "notifyRegisterSuccess"

To check the registration status, use the command show license status.

admin@ncs# show license status

Smart Licensing is ENABLED

Registration:
Status: REGISTERED
Smart Account: Network Services Orchestrator
Virtual Account: Default
Export-Controlled Functionality: Allowed
Initial Registration: SUCCEEDED on Apr 21 09:29:11 2016 UTC
Last Renewal Attempt: SUCCEEDED on Apr 21 09:29:16 2016 UTC
Next Renewal Attempt: Oct 18 09:29:16 2016 UTC
Registration Expires: Apr 21 09:26:13 2017 UTC
Export-Controlled Functionality: Allowed

License Authorization:

License Authorization:
Status: IN COMPLIANCE on Apr 21 09:29:18 2016 UTC
Last Communication Attempt: SUCCEEDED on Apr 21 09:26:30 2016 UTC
Next Communication Attempt: Apr 21 21:29:32 2016 UTC
Communication Deadline: Apr 21 09:26:13 2017 UTC

No, there is no such dependency.

No. By default, the environment variables are configured and set on the shell with System Install.

Yes.

Yes.

The easiest way is to Uninstall the System install using ncs-uninstall --all and do a Local Install from scratch.

No.