Yuma netconfd Manual

Contents

1. subdirs: If true, then sub-directories will be searched when looking for files. Otherwise just the specified directory will be used, and none of its sub-directories, if any. superuser: Specifies the user name (or empty string for none) to be given super-user privileges instead of the default superuser. system-sorted: Specifies whether system-ordered lists and leaf-lists should be maintained in sorted order. target: Specifies if the <candidate> or <running> configuration should be the edit target. usexmlorder: Forces strict YANG XML ordering to be enforced. version: Prints the program version and exits. warn-idlen: Controls how identifier lengths are checked. warn-linelen: Controls how line lengths are checked. warn-off: Suppresses the specified warning number. with-startup: Enable or disable the <startup> database. with-url: Enable or disable the :url capability. with-validate: Enable or disable the :validate capability. yuma-home: Specifies the YUMA_HOME project root to use when searching for files. (Yuma netconfd Manual, Version 2.2.) Server capabilities are the primary mechanism to specify optional behavior in the NETCONF protocol. This section describes the capabilities that are supported by the netconfd server. The :base:1.0 capability indicates that the RFC 4741 version of the NETCONF protocol is supported. Th
2. none. Returns: <ok>. Possible Operation Errors: access-denied. Example Request: <?xml version="1.0" encoding="UTF-8"?> <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3"> <nc:discard-changes/> </nc:rpc> Example Reply: <nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3"> <nc:ok/> </nc:rpc-reply> The <edit-config> operation is used to alter the target database. The target database is the <candidate> configuration if the target configuration parameter is set to candidate, and the <running> configuration if it is set to running. The nc:operation attribute must appear within the inline <config> parameter contents if the <default-operation> parameter is set to none, or the <edit-config> operation will have no effect. This is not an error condition. If the nc:operation attribute is used, then it may appear any number of times and be arbitrarily nested within the <config> parameter contents. Certain combinations will cause errors, however, so this must be done carefully. For example, a delete operation nested within a create operation is an error, because the conditions for both operations cannot possibly be satisfied at once. Other combinations, such as merge within create, are not an error because there are no conflicting
3. A node that is present but has a false when statement is treated as an error. Server instrumentation PDU validation: semantic requirements expressed only in description statements will be checked by device instrumentation callbacks. The specific YANG data module should indicate which errors may be reported and when they should be reported. Database validation: several automated tests are performed when a database is validated. If the edit target is the <candidate> configuration, then referential integrity tests are postponed until the <commit> operation is attempted. The specific conditions checked automatically are: referential integrity; condition test failed (must); missing leaf (mandatory); missing choice (mandatory); extra container or leaf; too few instances of a list or leaf-list (min-elements); too many instances of a list or leaf-list (max-elements); instance not unique (unique). Nodes that are unsupported by the server will automatically be removed from these tests. This can occur in the following ways: the node is defined within a feature that is not supported (if-feature); the node has a conditional existence test that is false (when); nodes derived from a uses statement which has a conditional existence test that is false (when); nodes derived from an augment statement which has a conditional existence test that is false (when). Server instrumentation database valida
4. <nacm:user-name>barney</nacm:user-name> </nacm:group> </nacm:groups> </nacm:nacm> </nc:config> </nc:edit-config> </nc:rpc> The access-control configuration parameter is used to globally enable or disable the access control system. It cannot be changed at run time or through a NETCONF session. off: no access control enforcement is done at all. disabled: all nacm:secure and nacm:very-secure tagged objects will require the super-user account to access, but no other access control enforcement will be done. permissive: all nacm:very-secure objects will require the super-user account to read. No other read access enforcement will be done. Write and exec access will be checked. enforcing: all access control enforcement will be checked. This is the default behavior. There are 3 types of access permissions defined: 1. read: retrieval of any kind; 2. write: modification of any kind; 3. exec: right to invoke an RPC operation. The <allowed-rights> object in each of the 3 access control rule entries is a bits leaf which is allowed to contain any of these string tokens, or none of them to deny all access to a set of groups. When a rule is found which matches the current request, the <allowed-rights> leaf will be used to grant permission or not. If the bit for the requested operation is present, then the request is permitted. If the bit is not present, then the request is denie
5. yuma-mysession: get and set session-specific parameters; yuma-proc: /proc file system monitoring; yuma-system: system monitoring operations and notifications; yuma-time-filter: get only if the datastore changed since a specified timestamp. The following notification event types are built into the netconfd server (pre-loaded notifications, module / event type: description): nc-notifications <replayComplete>: notification replay has ended; nc-notifications <notificationComplete>: notification delivery has ended; yuma-system <sysStartup>: server startup event; yuma-system <sysSessionStart>: NETCONF session started; yuma-system <sysSessionEnd>: NETCONF session ended; yuma-system <sysConfigChange>: <running> configuration has changed; yuma-system <sysCapabilityChange>: server capability added or deleted; yuma-system <sysConfirmedCommit>: confirmed-commit procedure event. The following protocol operations are built into the netconfd server (pre-loaded operations, module / operation: description): ietf-netconf <cancel-commit>: cancel a confirmed-commit operation; ietf-netconf <close-session>: terminate the current session; ietf-netconf <commit>: activate edits
6. <nacm:allowed-rights>read write exec</nacm:allowed-rights> <nacm:allowed-group>nacm:admin</nacm:allowed-group> <nacm:comment>access to shutdown and restart rpcs</nacm:comment> </nacm:moduleRule> <nacm:moduleRule> <nacm:moduleName>netconf</nacm:moduleName> <nacm:allowed-rights>read write exec</nacm:allowed-rights> <nacm:allowed-group>nacm:admin</nacm:allowed-group> <nacm:allowed-group>nacm:monitor</nacm:allowed-group> </nacm:moduleRule> </nacm:rules> </nacm:nacm> </nc:data> </nc:rpc-reply> The <get-my-session> operation is used to retrieve session customization data for the current session. The session indent amount, line size, and default behavior for the with-defaults parameter can be controlled at this time. <get-my-session> operation: Min parameters: 0; Max parameters: 0; Return type: data; YANG file: yuma-mysession.yang; Capabilities needed: none; Mandatory Parameters: none; Optional Parameters: none. Returns: <indent> (type: uint32, range 0..9): this parameter specifies the desired indent amount for the session. <linesize> (type: uint32, range 40..1024): this parameter specifies the desired line length for the session. <with-defaults> (type: enumeration: report-all, rep
7. urn:ietf:params:xml:ns:netconf:monitoring?module=ietf-netconf-monitoring&amp;revision=2009-06-16</nc:capability> <nc:capability>urn:ietf:params:netconf:capability:with-defaults:1.0?module=ietf-with-defaults&amp;revision=2009-07-01&amp;features=with-defaults</nc:capability> <nc:capability>urn:ietf:params:xml:ns:yang:yang-types?module=ietf-yang-types&amp;revision=2009-05-13</nc:capability> <nc:capability>http://netconfcentral.org/ns/yuma-interfaces?module=interfaces&amp;revision=2009-07-17</nc:capability> <nc:capability>http://netconfcentral.org/ns/yuma-mysession?module=yuma-mysession&amp;revision=2009-08-11</nc:capability> <nc:capability>http://netconfcentral.org/ns/yuma-nacm?module=yuma-nacm&amp;revision=2009-05-13</nc:capability> <nc:capability>urn:ietf:params:xml:ns:netmod:notification?module=nc-notifications&amp;revision=2008-07-14</nc:capability> <nc:capability>http://netconfcentral.org/ns/yuma-ncx?module=yuma-ncx&amp;revision=2009-06-12</nc:capability> <nc:capability>http://netconfcentral.org/ns/yuma-app-common?module=yuma-app-common&amp;revision=2009-04-10</nc:capability> <nc:capability>http://netconfcentral.org/ns/yuma-types?module=yuma-types&amp
9. copy: not supported (optional to implement). delete-config: <url> accepted as source to delete. validate: <url> accepted as a configuration source to validate. Only the file scheme is supported at this time. A URL file can be specified as a simple file within the root directory. No whitespace or special characters are allowed in the file name. The file extension .xml should be used. The server only generates and expects XML configuration files. The NETCONF config element is used as the top-level element in all <url> files. The YUMA_DATAPATH environment variable or the datapath system variable is used to find the file names specified in the <url> URI string. Example: <url>file:///my-backup.xml</url>. The :with-defaults capability indicates that the server will accept the <with-defaults> parameter for the following operations: <get>, <get-config>, <copy-config>. There are 4 values defined for this parameter. The server supports all of them, no matter what mode is used for the default style: report-all: all nodes are reported; report-all-tagged: all nodes are reported, with an XML attribute indicating the nodes which are considered default nodes by the server; trim: nodes set to their YANG default stmt value by the server or the client are skipped; explicit: nodes set by the server are skipped. Nodes s
10. > <nc:ok/> </nc:rpc-reply> The netconfd access control data model is defined in yuma-nacm.yang. The nacm:secure and nacm:very-secure extensions also affect access control. If present in the YANG definition, then the default behavior when no rule is found is not followed. Instead, the super-user account must be used to allow default access. There are 3 types of access control rules that can be defined: 1. module rule; 2. RPC operation rule; 3. database rule. Rules apply to one or more groups. Each group contains zero or more user names. Database rules are applied top-down at every level. The user needs permission for the requested access (read or write) for all referenced nodes within the database. For example, if there was a leaf from module X that augments a container in module Y, the user would need permission to access the container from module Y and then permission to access the leaf from module X. The NACM data model can be used without any configuration at all. Refer to the section on access control modes for more details. [Figure: NETCONF Database Access Control Model, 2-step access model: first RPC, then data.] YANG does not address the NETCONF acces
11. <hello> PDU. idle-timeout: Set the number of seconds to wait for an <rpc> PDU. indent: Specifies the indent count to use when writing data. log: Specifies the log file to use instead of STDOUT. log-append: Controls whether a log file will be reused or overwritten. log-level: Controls the verbosity of logging messages. max-burst: Specifies the maximum number of notifications to send to one session in a row. modpath: Sets the module search path. module: Specifies one or more YANG modules to load upon startup. protocols: Specifies which NETCONF protocol versions to enable. no-startup: If present, the startup configuration will not be used, and the factory defaults will be used instead. port: Specifies up to 4 TCP port numbers to accept NETCONF connections from. runpath: Server instrumentation library (SIL) search path. running-error: Specifies whether the server should stop or continue if the running configuration contains any errors at boot time, such as missing mandatory nodes. startup: Specifies the startup configuration file location to override the default. Not allowed if the no-startup parameter is present. startup-error: Specifies whether the server should stop or continue if the startup configuration contains any recoverable errors (the bad configuration data can be removed
12. (a) If the requested RPC operation is tagged as nacm:secure or nacm:very-secure, then deny access; otherwise grant access and exit. Step 5: Retrieve all the NACM groups that this user is found within. If there are no groups found: (a) if the requested RPC operation is tagged as nacm:secure or nacm:very-secure, then deny access and exit; (b) if the <exec-default> leaf is set to permit, then grant access; otherwise deny access and exit. If there are any groups found, then proceed to step 6. Step 6: Check if there are any /nacm/rules nodes configured. If there are no rules configured, then if the <exec-default> leaf is set to permit, grant access; otherwise deny access and exit. If there are some entries within the <rules> container, then proceed to step 7. Step 7: Check for any /nacm/rules/rpc-rule entries that contain an <allowed-group> with the same value as one of the groups found in step 5 and that are also for the requested RPC operation. The first entry found will be used. If an entry is found, then check its <allowed-rights> leaf for the exec bit. If the exec bit is found, then grant access; otherwise deny access and exit. If a matching <rpc-rule> entry is not found, then proceed to step 8. Step 8: Check for any /nacm/rules/module-rule entries that contain an <allowed-group> with the same value as one of the groups found in step 5 and that are also for the same module
13. type: list (same structure as the <rpc-error> element); usage: optional (will only be present if errors were recorded during boot). There will be one entry for each <rpc-error> encountered during the load-config operation. The <rpc-error> fields are used directly. There is no particular order, so no key is defined. All fields except <error-info> will be present from the original <rpc-error> that was generated during the boot process. Example: <?xml version="1.0" encoding="UTF-8"?> <ncEvent:notification xmlns:ncEvent="urn:ietf:params:xml:ns:netconf:notification:1.0"> <ncEvent:eventTime>2009-07-29T17:21:13Z</ncEvent:eventTime> <sys:sysStartup xmlns:sys="http://netconfcentral.org/ns/system"> <sys:startupSource>/home/andy/swdev/yuma/trunk/netconf/data/startup-cfg.xml</sys:startupSource> </sys:sysStartup> <sys:sequence-id xmlns:sys="http://netconfcentral.org/ns/system">1</sys:sequence-id> </ncEvent:notification> The <sysSessionStart> notification is generated when a NETCONF session is started. The username, remote address, and session ID that was assigned are returned in the event payload. <sysSessionStart> notification: Description: A new NETCONF session has started. Min parameters: 3; Max parameters: 3; YANG file: yuma-system.yang. Parameters: userName (type: s
14. Default: 3600 (1 hour); Min Allowed: 0; Max Allowed: 1; Supported by: netconfd. Example: netconfd --idle-timeout=30000. The indent parameter specifies the number of spaces that will be used to add to the indentation level each time a child node is printed during program operation. indent parameter: Syntax: uint32 (0..9); Min Allowed: 0; Supported by: netconfd, yangcli, yangdiff, yangdump. Example: netconfd --indent=4. The log parameter specifies the file name to be used for logging program messages instead of STDOUT. It can be used with the optional log-append and log-level parameters to control how the log file is written. log parameter: Syntax: string (log file specification); Default: none; Supported by: netconfd, yangcli, yangdiff, yangdump. Example: netconfd --log=server.log &. The log-append parameter specifies that the existing log file (if any) should be appended instead of deleted. It is ignored unless the log parameter is present. log-append parameter: Syntax: empty; Default: none; Min Allowed: 0; Max Allowed: 1; Supported by: netconfd, yangcli, yangdiff, yangdump. Example: netconfd --log-append --log=server.log &. 3.20 log-level: The log-level parameter controls the verbosity level of messages printed to the log file or STDOUT i
15. RFC 4742 and RFC 6242. Full automatic run-time support for any YANG-defined NETCONF content: the rpc statement is automatically supported, so new operations can be added at run time; all YANG data statements are automatically supported, so new database objects can be added at run time; the notification statement is automatically supported, so new notification event types can be added at run time. Complete XML 1.0 implementation with full support for XML Namespaces. Automatic support for all capability registration and <hello> message processing. Full automatic generation of all YANG module <capability> contents, including features and deviations. Automatic session management, including an unlimited number of concurrent sessions, session customization, and all database cleanup. Fully recoverable automatic database editing using a simple 3-phase callback model: 1. validate; 2. apply; 3. commit or rollback. Full support for database locking, editing, and validation, including extensive user callback capabilities to support device instrumentation. Automatic support for all YANG validation mechanisms, including all XPath conditionals. Automatic subtree and full XPath filtering. Automatic confirmed-commit and rollback procedures. Automatic database audit log and change notification support. Complete <rpc-error> reporting support, including user-defined errors via YANG error-app-tag and error-message statements. Several <rpc-error> exten
16. 1 Preface. Copyright 2009-2012 Andy Bierman, All Rights Reserved. This document assumes you have successfully set up the software as described in the printed document Yuma Installation Guide. Other documentation includes: Yuma Quickstart Guide, Yuma User Manual, Yuma yangcli Manual, Yuma yangdiff Manual, Yuma yangdump Manual, Yuma Developer Manual. To obtain additional support, you may join the yuma-users group on sourceforge.net and send email to this e-mail address: yuma-users@lists.sourceforge.net. The SourceForge.net Support Page for Yuma can be found at this WEB page: http://sourceforge.net/projects/yuma/support. There are several sources of free information and tools for use with YANG and/or NETCONF. The following section lists the resources
17. a <get> or <get-config> filter. Instead of selecting sub-trees of the specified database, it is treated as a boolean expression. If the filter matches the content in the notification, then the notification is sent to that subscription. If the filter does not match the content, then the notification is not sent to that subscription. A filter match for notification purposes means that the filter is conceptually applied as if it were a <get> operation, and if any nodes are selected (non-empty result node-set), then the filter is a match. If no content is selected (empty result node-set), then the filter is not a match. The first node that can appear in the filter is the event type. The <eventTime> and <sequence-id> nodes are siblings of the event type element, so they cannot be used in a notification filter. The notification element contains 2 or 3 child elements, in this order: 1. eventTime: timestamp for the event. The namespace URI for this element is urn:ietf:params:xml:ns:netconf:notification:1.0. 2. eventType: the real name will be the name of the YANG notification, such as sysStartup. The contents of this element will depend on the YANG notification definition. The namespace URI for this element will be different for every event type. It will be the same value as the YANG namespace statement in the module that defines the notification statement for the particular
18. already loaded; module parsing errors; resource errors. Example Request: <?xml version="1.0" encoding="UTF-8"?> <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="52"> <nd:load xmlns:nd="http://netconfcentral.org/ns/netconfd"> <nd:module>test2</nd:module> </nd:load> </nc:rpc> Example Reply: <?xml version="1.0" encoding="UTF-8"?> <nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="52"> <nd:mod-revision xmlns:nd="http://netconfcentral.org/ns/netconfd">2008-10-15</nd:mod-revision> </nc:rpc-reply> The <lock> operation is used to ensure exclusive write access to an entire configuration database. The <running> configuration can be locked at any time if it is currently unlocked. If the :startup capability is supported, the <startup> configuration can be locked at any time if it is currently unlocked. If the :candidate capability is supported and it is not already locked, then it may usually be locked. However, the <candidate> configuration can only be locked if there are no edits already contained within it. A <discard-changes> operation may be needed to clear any leftover edits if this operation fails with a resource-denied error instead of a lock-denied error. If the session holding the lock is terminated for any reason, the l
19. &amp;revision=2008-07-20</nc:capability> <nc:capability>http://netconfcentral.org/ns/netconfd?module=netconfd&amp;revision=2009-05-28</nc:capability> <nc:capability>urn:ietf:params:xml:ns:netconf:notification:1.0?module=notifications&amp;revision=2008-07-14</nc:capability> <nc:capability>http://netconfcentral.org/ns/yuma-proc?module=yuma-proc&amp;revision=2009-07-17</nc:capability> <nc:capability>http://netconfcentral.org/ns/yuma-system?module=yuma-system&amp;revision=2009-06-04</nc:capability> <nc:capability>http://netconfcentral.org/ns/test?module=test&amp;revision=2009-06-10&amp;features=feature1,feature3,feature4</nc:capability> </nc:capabilities> <nc:session-id>1</nc:session-id> </nc:hello>]]>]]> The netconfd server requires a valid <hello> message from the client before accepting any <rpc> requests. Only the mandatory netconf base URIs will be checked by the server. All other <capability> elements will be ignored by the server. The server can be configured with the protocols CLI parameter to enable the :base:1.0 and/or the :base:1.1 NETCONF protocol versions. Both the client and server send the :base:1.x (where x is 1 or 2) URIs they support (1 or 2 <capability> elements). The highest version in common
20. are some groups and rules, then proceed to step 13 to start checking access control rules. Step 13: Check for any /nacm/rules/data-rule entries that contain a <path> expression that evaluates to an XPath node-set that contains the requested database node, and whose <allowed-group> leaf-list contains an entry with the same value as one of the groups found in step 5. The first such entry found will be used. If an entry is found, then check its <allowed-rights> leaf for the read bit. If the read bit is found, then grant access; otherwise deny access and exit. If an entry is not found, then proceed to step 14. Step 14: Check for any /nacm/rules/module-rule entries that contain an <allowed-group> with the same value as one of the groups found in step 5 and that are also for the same module as the requested database node. The first entry found will be used. If an entry is found, then check its <allowed-rights> leaf for the read bit. If the read bit is found, then grant access; otherwise deny access and exit. If an entry is not found, then proceed to step 15. Step 15: If the <read-default> leaf is set to permit, then grant access; otherwise deny access and exit. Phase 2b: Database Write Access. Step 16: If the user name matches the superuser configuration variable (or the default superuser if not set), then grant access and exit. Step 17: Make sure there are some groups and rules
21. as the requested RPC operation. The first entry found will be used. If an entry is found, then check its <allowed-rights> leaf for the exec bit. If the exec bit is found, then grant access; otherwise deny access and exit. If a matching <module-rule> entry is not found, then proceed to step 9. Step 9: If the <exec-default> leaf is set to permit, then grant access; otherwise deny access. Continue to phase 2a (if any read access) or phase 2b (if any write access) to the NETCONF database contents is requested on behalf of the specific RPC operation. Phase 2a: Database Read and Notification Access. Step 10: If the user name matches the superuser configuration variable (or the default superuser if not set), then grant access and exit. Step 11: Check the access control mode. (a) If the access-control configuration parameter is set to permissive: if the requested object is tagged as nacm:very-secure, then deny access; otherwise grant access and exit. (b) Otherwise, this must be normal enforcing mode, so proceed to step 12. Step 12: Make sure there are some groups and rules. (a) If there were no groups found in step 5 or no rules found in step 6, then: if the requested object is tagged as nacm:very-secure, then deny access; otherwise, if the <read-default> is set to permit, then grant access; otherwise deny access and exit. (b) If there
22. available at this time. Netconf Central: http://www.netconfcentral.org (Yuma Home Page): free information on NETCONF and YANG, tutorials, on-line YANG module validation and documentation database. Yuma SourceForge OpenSource Project: http://sourceforge.net/projects/yuma: download Yuma source and binaries, project forums and help. Yang Central: http://www.yang-central.org: free information and tutorials on YANG, free YANG tools for download. NETCONF Working Group Wiki Page: http://trac.tools.ietf.org/wg/netconf/trac/wiki: free information on NETCONF standardization activities and NETCONF implementations. NETCONF WG Status Page: http://tools.ietf.org/wg/netconf: IETF Internet draft status for NETCONF documents. libsmi Home Page: http://www.ibr.cs.tu-bs.de/projects/libsmi: free tools, such as smidump, to convert SMIv2 to YANG. NETCONF Working Group: http://www.ietf.org/html.charters/netconf-charter.html: technical issues related to the NETCONF protocol are discussed on the NETCONF WG mailing list. Refer to the instructions on the WEB page for joining the mailing list. NETMOD Working Group: http://www.ietf.org/html.charters/netmod-charter.html: technical issues related to the YANG language and YANG data types are discussed on the NETMOD WG mailing list. Refer to the instructions on the WEB page for joining the mailing list. The following formatt
23. for the specified node. These permissions will override all NACM access control rules, even if NACM is disabled. To disallow all user access, provide an empty string for the permitted parameter. To allow only create and delete user access, provide the string "create delete" for the parameter. Use this for YANG database objects that cannot be changed once they are set. Each access type has a default behavior if no rule is found and no special YANG extensions apply: read-default: permit; write-default: deny; exec-default: permit. These defaults can be changed by the server developer by modifying the YANG definitions in yuma-nacm.yang. If the data node object definition contains the special YANG extensions described in the previous section, then the extension will define default access, and the NACM default access rule will not be used. The following logic represents the steps taken during access control enforcement. Phase 1: RPC Operation Access. Step 1: If the access-control configuration parameter is set to off, then grant access and exit. Step 2: If the user name matches the superuser configuration variable (or the default superuser if not set), then grant access and exit. Step 3: If the RPC operation requested is the NETCONF <close-session> operation, then grant access and exit. Step 4: If the access-control configuration parameter is set to disabled
24. in <candidate>; ietf-netconf <copy-config>: copy an entire configuration; notifications <create-subscription>: start receiving notifications; ietf-netconf <delete-config>: delete a configuration; ietf-netconf <discard-changes>: discard edits in <candidate>; ietf-netconf <edit-config>: edit the target configuration; ietf-netconf <get>: retrieve <running> or state data; ietf-netconf <get-config>: retrieve all or part of a configuration; yuma-mysession <get-my-session>: retrieve session customization parameters; ietf-netconf-monitoring <get-schema>: retrieve a YANG or YIN module definition file; ietf-netconf <kill-session>: terminate a NETCONF session; netconfd <load>: load a YANG module; ietf-netconf <lock>: lock a database; netconfd <no-op>: no operation; ietf-netconf-partial-lock <partial-lock>: lock part of the <running> database; ietf-netconf-partial-lock <partial-unlock>: unlock part of the <running> database; netconfd <restart>: restart the server; yuma-mysession <set-my-session>: set the session customization parameters; yuma-system <set-log-level>: set the logging verbosity level; ne
is generated.

<notificationComplete> notification
Description: All notification delivery has ended and the subscription is terminated.
Min parameters: 0
Max parameters: 0
YANG file: nc-notifications.yang

Example:
<?xml version="1.0" encoding="UTF-8"?>
<ncEvent:notification xmlns:ncEvent="urn:ietf:params:xml:ns:netconf:notification:1.0">
  <ncEvent:eventTime>2009-07-29T17:31:22Z</ncEvent:eventTime>
  <manageEvent:notificationComplete xmlns:manageEvent="urn:ietf:params:xml:ns:netmod:notification"/>
</ncEvent:notification>

The <sysStartup> event is the first notification generated when the server starts or restarts. It contains the startup file source (if any), and lists any <rpc-error> contents that were detected at boot time, during the copying of the startup configuration into the running configuration.

<sysStartup> notification
Description: The netconfd server has started.
Min parameters: 0
Max parameters: 2
YANG file: yuma-system.yang
Parameters:
- startupSource
  - type: string
  - usage: optional; will not be present if no startup was present
  - This parameter identifies the local file specification associated with the source of the startup configuration contents.
- bootError
is locked by another session
- <commit> validation errors, if test-then-set is used or the target is the <running> configuration

Example Request:
<?xml version="1.0" encoding="UTF-8"?>
<nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="12">
  <nc:edit-config>
    <nc:target>
      <nc:candidate/>
    </nc:target>
    <nc:default-operation>merge</nc:default-operation>
    <nc:test-option>set</nc:test-option>
    <nc:error-option>rollback-on-error</nc:error-option>
    <nc:config>
      <t:musttest xmlns:t="http://netconfcentral.org/ns/test">
        <t:A nc:operation="create">testing one two</t:A>
      </t:musttest>
    </nc:config>
  </nc:edit-config>
</nc:rpc>

Example Reply:
<?xml version="1.0" encoding="UTF-8"?>
<nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="12">
  <nc:ok/>
</nc:rpc-reply>

The <get> operation is used to retrieve data from the <running> configuration, or non-configuration data available on the server. The simple command <get> will cause all available data to be retrieved from the server. This may generate a large response and waste resources. To select only specific subsets of all available data, use subtree or XPath filtering by providing a <filter> parameter. Namespace prefixes ar
</nc:rpc>

Example Reply: no reply will be sent; the session will be dropped instead.

The <set-log-level> operation is used to configure the server logging verbosity level. Only the designated superuser user can invoke this operation by default.

<set-log-level> operation
Min parameters: 1
Max parameters: 1
Return type: status
YANG file: yuma-system.yang
Capabilities needed: none
Mandatory Parameters:
- <log-level>
  - type: enumeration (off, error, warn, info, debug, debug2, debug3)
  - default: none
  - This parameter specifies the server logging verbosity level.
Optional Parameters:
- none
Returns:
- <ok>
Possible Operation Errors:
- access-denied

Example Request:
<?xml version="1.0" encoding="UTF-8"?>
<nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
  <myses:set-my-session xmlns:myses="http://netconfcentral.org/ns/mysession">
    <myses:indent>4</myses:indent>
    <myses:linesize>64</myses:linesize>
    <myses:with-defaults>trim</myses:with-defaults>
  </myses:set-my-session>
</nc:rpc>

Example Reply:
<?xml version="1.0" encoding="UTF-8"?>
<nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
  <nc:ok/>
</nc:rpc-reply>

The <set-my-ses
<?xml version="1.0" encoding="UTF-8"?>
<nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="10">
  <nc:data>
    <if:interfaces xmlns:if="http://netconfcentral.org/ns/interfaces">
      <if:interface>
        <if:name>eth0</if:name>
        <if:counters>
          <if:inBytes>290046042</if:inBytes>
          <if:outBytes>112808406</if:outBytes>
        </if:counters>
      </if:interface>
    </if:interfaces>
  </nc:data>
</nc:rpc-reply>

The :xpath capability is fully supported, including the YANG extensions to this capability. The XPath 2.0 rule for default XML namespace behavior is used, not XPath 1.0 rules, as specified by the YANG language. This means that any module with a node with the same local name in the same position in the schema tree will match a missing XML prefix. This allows much simpler specification of XPath filters, but it may match more nodes than intended. Remember that any nodes added via an external YANG augment statement may have the same local name, even though they are bound to a different XML namespace.

If the XPath expression does not return a node-set result, then the empty <data> element will be returned in the <rpc-reply>. If no nodes in the node-set result exist in the specified target database, then an empty <data> element will be returned in the <rpc-reply>. If a node in
  <nc:ok/>
</nc:rpc-reply>

The <validate> operation is used to perform the <commit> validation tests against a database or some in-line configuration data.

<validate> operation
Min parameters: 1
Max parameters: 1
Return type: status
YANG file: yuma-netconf.yang
Capabilities optional: :candidate, :startup
Mandatory Parameters:
- target
  - type: container with 1 of N choice of leafs
  - This parameter specifies the name of the target database, or the in-line configuration data, that should be validated.
  - container contents (1 of N):
    - candidate
      - type: empty
      - capabilities needed: :candidate
    - running
      - type: empty
      - capabilities needed: none
    - startup
      - type: empty
      - capabilities needed: :startup
    - config
      - type: anyxml
      - capabilities needed: none
Optional Parameters:
- none
Returns:
- <ok>
Possible Operation Errors:
- access-denied
- <commit> validation errors

Example Request:
<?xml version="1.0" encoding="UTF-8"?>
<nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="76">
  <nc:validate>
    <nc:source>
      <nc:candidate/>
    </nc:source>
  </nc:validate>
</nc:rpc>

Example Reply:
<?xml version="1.0" encoding="UTF-8"?>
<nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="76"
module-name> (key): name of the YANG module associated with the rule
- leaf <notification-name> (key): name of the notification event type associated with the rule
- leaf <allowed-rights> (key): privileges granted to all groups associated with the rule
- leaf <allowed-rights>: privileges granted to all groups associated with the rule
- leaf-list <allowed-group>: leaf-list of one or more group identifiers that are associated with the rule
- leaf <comment>: comment string for the rule, ignored by the server

Access rights in NACM are given to groups. A group entry consists of a group identifier and a list of user names that are members of the group. A group is named with a YANG identity which has a base of nacmRoot:

  identity nacmGroups {
    description "Root of all NETCONF Administrative Groups";
  }

There are 3 hard-wired group names that can be used:
- nacm:admin
- nacm:monitor
- nacm:guest

Any module can define an extension identity for the nacmGroups base type, and use it as a group name. There are no special semantics associated with any particular group name.

  import nacm { prefix nacm; }

  identity mygroup {
    description "My special administrator's group";
    base nacm:nacmGroups;
  }

By default, there are no groups created. Each nacm:groups/group entry must be created by the client. There is no user name table either. It is assumed that the opera
range
error-info | <bad-value>
error-number | 288

Example Request: create int8.1, value = 1000
<?xml version="1.0" encoding="UTF-8"?>
<nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="4">
  <nc:edit-config>
    <nc:target>
      <nc:candidate/>
    </nc:target>
    <nc:default-operation>none</nc:default-operation>
    <nc:config>
      <t:int8.1 nc:operation="create" xmlns:t="http://netconfcentral.org/ns/test">1000</t:int8.1>
    </nc:config>
  </nc:edit-config>
</nc:rpc>

Example Error Reply:

This section describes the netconfd implementation details that may affect usage of the NETCONF protocol operations. Every protocol operation is defined with a YANG rpc statement. All NETCONF operations and several proprietary operations are supported.

The <cancel-commit> operation is used to cancel a confirmed commit procedure in progress. A <sysSessionEn
received before the <confirm-timeout> value (default 10 minutes), then the running and candidate configurations will be reset to the contents of the running configuration before the first <commit> operation. If the session that started the confirmed commit procedure is terminated for any reason before the second <commit> operation is completed, then the running configuration will be reset as if the confirm timeout interval had expired. If the confirmed commit procedure is used and the :startup capability is also supported, then the contents of NV storage (e.g., startup-cfg.xml) will not be updated or altered by this procedure. Only the running configuration will be affected by the rollback. If the <confirmed> parameter is used again in the second <commit> operation, then the timeout interval will be extended, and any changes made to the candidate configuration will be committed. If the running and candidate configurations are reverted, any intermediate edits made since the first <commit> operation will be lost.

The :interleave capability indicates that the server will accept <rpc> requests other than <close-session> during notification delivery. It is supported at all times and cannot be configured.

The :netconf-monitoring capability indicates that the ietf-netconf-monitoring data sub-tree is supported. The netconfd server supports all of the t
server
- if-modified-since
  - type: date-and-time
  - usage: optional
  - This parameter requests that configuration data only be returned if any of the running datastore contents have been modified since this value. Monitoring data (config false) does not affect the datastore timestamp. If the running datastore has not been modified since this timestamp, then an empty <data> element will be returned and the request will not be processed.
Returns:
- <data> element
Possible Operation Errors:
- access-denied
- invalid-value

Example Subtree Filter Request:
<?xml version="1.0" encoding="UTF-8"?>
<nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="4">
  <nc:get>
    <nc:filter type="subtree">
      <proc:proc xmlns:proc="http://netconfcentral.org/ns/proc">
        <proc:cpuinfo>
          <proc:cpu>
            <proc:cpu_MHz/>
          </proc:cpu>
        </proc:cpuinfo>
      </proc:proc>
    </nc:filter>
  </nc:get>
</nc:rpc>

Equivalent XPath Filter Request:
<?xml version="1.0" encoding="UTF-8"?>
<nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="4">
  <nc:get>
    <nc:filter type="xpath" select="/proc/cpuinfo/cpu/cpu_MHz"/>
  </nc:get>
</nc:rpc>

Example Reply:
<?xml version="1.0" encoding="UTF-8"?>
<nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" l
test to send or drop each notification delivered from the server. If any nodes are left in the test response, the server will send the entire notification. If the result is empty after the filter is applied to the test response, then the server will not send the notification at all.

It is possible that access control will either cause a notification to be dropped entirely, or that it may be pruned and still delivered. The standard is not clear on this topic. The netconfd server will prune any unauthorized payload from an eventType, but if the <eventType> itself is unauthorized, the entire notification will be dropped.

- startTime
  - type: yang:date-and-time
  - This parameter causes any matching replay notifications to be delivered by the server, if notification replay is supported by the server. A notification will match if its <eventTime> value is greater than or equal to the value of this parameter.
- stopTime
  - type: yang:date-and-time
  - usage: not allowed unless startTime is also present
  - This parameter causes any matching replay notifications to be delivered by the server, if notification replay is supported by the server. A notification will match if its <eventTime> value is less than the value of this parameter. This parameter must be greater than the startTime parameter, or an error will be returned by the server.
Returns:
- <ok>
Possible Operat
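The replay-window and filter rules above, as an added example (not Yuma code): the notification log is a constructed list, the node_filter callback stands in for the subtree/XPath filter test, and treating a missing startTime as "no replay" follows RFC 5277 rather than this passage.

```python
"""Replay-window and filter selection for <create-subscription>.

Added example, not Yuma code.  The notification log is a constructed list of
dicts keyed like the manual's <notification> elements; `node_filter` stands in
for the subtree/XPath filter test and returns True when any node survives.
A missing startTime means "no replay" (RFC 5277), which this passage implies
but does not state.
"""
from datetime import datetime

# Constructed sample of the server's notification log (first entry is sysStartup,
# as the manual says; replayComplete/notificationComplete are never logged).
SAMPLE_LOG = [
    {"eventType": "sysStartup", "eventTime": "2009-07-29T17:31:22Z"},
    {"eventType": "sysSessionStart", "eventTime": "2009-07-29T17:40:00Z", "userName": "admin"},
    {"eventType": "sysSessionEnd", "eventTime": "2009-07-29T17:45:00Z", "userName": "admin"},
]


def parse_time(value):
    """yang:date-and-time is RFC 3339; accept the trailing 'Z' the manual's examples use."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_window(start_time=None, stop_time=None):
    """Enforce the parameter rules: stopTime needs startTime and must be later than it."""
    if stop_time is not None and start_time is None:
        raise ValueError("stopTime not allowed unless startTime is also present")
    start = parse_time(start_time) if start_time is not None else None
    stop = parse_time(stop_time) if stop_time is not None else None
    if start is not None and stop is not None and stop <= start:
        raise ValueError("stopTime must be greater than startTime")
    return start, stop


def select_replay(log, start_time=None, stop_time=None, node_filter=None):
    """Return, in log order, the notifications the server would replay."""
    start, stop = validate_window(start_time, stop_time)
    if start is None:
        return []                       # not a replay subscription: live delivery only
    chosen = []
    for notif in log:
        when = parse_time(notif["eventTime"])
        if when < start:
            continue                    # a match needs eventTime >= startTime
        if stop is not None and not when < stop:
            continue                    # ... and eventTime < stopTime
        if node_filter is not None and not node_filter(notif):
            continue                    # filter left nothing: notification not sent at all
        chosen.append(notif)
    return chosen


if __name__ == "__main__":
    for n in select_replay(SAMPLE_LOG, "2009-07-29T17:35:00Z", "2009-07-29T17:45:00Z"):
        print(n["eventType"])           # sysSessionStart
```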
the contents of the <running> configuration to the <startup> configuration. The <get-config> operation can be used to retrieve the contents of the <startup> configuration. The <delete-config> operation can be used to delete the <startup> configuration. Only the superuser account is allowed to do this by default.

All NETCONF server access is done through the NETCONF protocol, except that the server can be shut down with the Control-C character sequence if it is being run interactively. This section describes any netconfd implementation details which may affect NETCONF sessions.

The user name string associated with a NETCONF session is derived from the SSH_CONNECTION environment variable, which is available to the netconf-subsystem program when it is called by sshd. Any user name accepted by sshd will be accepted by netconfd. In order for access control to work properly, the sshd user name must also conform to the NacmUserName type definition:

  typedef NacmUserName {
    description "General Purpose User Name string.";
    type string {
      length "1..63";
      pattern "[a-zA-Z][a-zA-Z0-9]{0,62}";
    }
  }

A user name can be 1 to 63 characters long. The first character must be a letter (a to z or A to Z). The remaining characters must be a letter (a to z or A to Z) or a number (0 to 9).

The <session-id> assigned by the server is simply a monotonically i
the result node-set matches a node in the target database, then it is included in the <rpc-reply>. If a node selected for retrieval is contained within a YANG list node, then all the key leaf nodes for the specific list entry will be returned in the response.

The powerful '//' operator (equivalent to descendant-or-self::node()) can be used to construct really simple XPath expressions. The following example shows how a simple filter like '//name' will return nodes from all over the database, yet they can all be fully identified because the path from root is part of the response data.

Example Request: xget //name
<nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43">
  <nc:get>
    <nc:filter type="xpath" select="//name"/>
  </nc:get>
</nc:rpc>

Example Reply:
<?xml version="1.0" encoding="UTF-8"?>
<nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="43">
  <nc:data>
    <nacm:nacm xmlns:nacm="http://netconfcentral.org/ns/nacm">
      <nacm:rules>
        <nacm:data-rule>
          <nacm:name>nacm-tree</nacm:name>
        </nacm:data-rule>
        <nacm:data-rule>
          <nacm:name>it f 1</nacm:name>
        </nacm:data-rule>
      </nacm:rules>
    </nacm:nacm>
    <t:xpath.1 xmlns:t="http://netconfcentral.org/ns/test">
      <t:name>barney</t:name>
    </t:xpath.1>
    <if:interfaces xmlns:if="ht
xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
  <ns:get-schema xmlns:ns="urn:ietf:params:xml:ns:netconf:state">
    <ns:identifier>foo</ns:identifier>
    <ns:version/>
    <ns:format>ns:yang</ns:format>
  </ns:get-schema>
</nc:rpc>

Example Error Reply:
<?xml version="1.0" encoding="UTF-8"?>
<nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3"
              xmlns:ns="urn:ietf:params:xml:ns:netconf:state"
              xmlns:ncx="http://netconfcentral.org/ncx">
  <nc:rpc-error>
    <nc:error-type>protocol</nc:error-type>
    <nc:error-tag>operation-failed</nc:error-tag>
    <nc:error-severity>error</nc:error-severity>
    <nc:error-app-tag>no-matches</nc:error-app-tag>
    <nc:error-path>/nc:rpc/ns:get-schema/ns:input/ns:identifier</nc:error-path>
    <nc:error-message xml:lang="en">no matches found</nc:error-message>
    <nc:error-info>
      <ncx:bad-value>foo</ncx:bad-value>
      <ncx:error-number>365</ncx:error-number>
    </nc:error-info>
  </nc:rpc-error>
</nc:rpc-reply>

The not-in-range error is generated when a numeric type violates a YANG range statement.

not-in-range
Data | Description
error-tag | invalid-value
error-app-tag | not-in-range
error-path | identifies the leaf or leaf-list node that is not in
G module namespace (XPath 2.0 behavior) instead of matching the NULL namespace (XPath 1.0 behavior).
- The 'preceding' and 'following' axes should not be used. The database is dynamic, and the relative document order is not stable. This is also a very resource-intensive operation.

XPath filtering affects whether the server will return particular subtrees or not. It does not change the format of the <get> or <get-config> output. The result returned by the server will not be the raw XPath node-set from evaluating the specified select expression against a database. The server will normalize the XPath search results it returns:
- There will be no duplicate nodes, even if there were duplicates in the XPath result node-set.
- All result nodes with common ancestor nodes will be grouped together in the <rpc-reply>.
- All list nodes will include child nodes for any missing key leafs, even if they were not requested in the select expression.

2.3 Databases

A NETCONF database is conceptually represented as an XML instance document. There are 3 conceptual databases, which all share the exact same structure:
- <candidate>: scratch-pad to gather edits to apply to <running> all at once
- <running>: configuration data in effect
- <startup>: configuration data for the next reboot

When the <running> configuration is saved to non-volatile storage, the top-level element of this document is the <config> contai
2.6.22 <shutdown> ... 73
2.6.24 <validate> ... 76
2.7 Access Control ... 78
2.7.1 NACM Module Structure ... 79
2.7.3 Creating New Groups ... 81
2.7.4 Access Control Mode ... 82
2.7.6 Special YANG Extensions For Access Control ... 82
2.7.7 Default Enforcement Behavior ... 83
2.7.8 Access Control Algorithm ... 83
2.7.9 Module Access Control Rules ... 86
2.7.10 RPC Access Control Rules ... 87
2.7.11 Data Access Control Rules ... 88
2.8 Monitoring ... 90
2.8.1 Using Subtree Filters ... 90
2.8.2 Using XPath Filters ... 93
2.9 Notifications ... 97
2.9.1 Subscriptions ... 97
2.9.3 Using Notification Filters ... 98
2.9.4 <notification> Element ... 98
2.9.5 <replayComplete> Event ... 99
2.9.6 <notificationComplete> Event ... 99
2.9.7 <sysStartup> Event ... 100
2.9.8 <sysSessionStart> Event ... 101
2.9.9 <sysSessionEnd> Event ... 102
2.2.9 :rollback-on-error ... 19
2.2.15 :writable-running ... 21
2.3 Databases ... 22
2.3.1 Database Locking ... 23
2.3.2 Using the <candidate> Database ... 23
2.3.3 Using the <running> Database ... 24
2.3.4 Using the <startup> Database ... 24
2.4 Sessions ... 24
2.4.1 User Name ... 24
2.4.3 Server <hello> Message ... 25
2.4.4 Client <hello> Message ... 28
2.4.5 RPC Request Processing ... 28
2.5 Error Reporting ... 30
2.5.1 <error-severity> Element ...
The netconfd program does not directly process the SSH protocol messages. Instead, it is implemented as an SSH subsystem. The number of concurrent SSH sessions that can connect to the netconfd server at once may be limited by the SSH server configuration. Refer to the Yuma Installation Guide for more details on configuring the SSH server for use with netconfd.

The netconfd program can be invoked several ways:
- To get the current version and exit:
  netconfd --version
- To get program help and exit:
  netconfd --help
  netconfd --help --brief
  netconfd --help --full
- To start the server in the background, set the logging level to 'debug', and send logging messages to a log file:
  netconfd --log-level=debug --log=mylog &
- To start the server interactively and send all log messages to STDOUT:
  netconfd
- To start the server interactively with a new log file:
  netconfd --logfile=mylogfile
- To start the server interactively and append to an existing log file:
  netconfd --logfile=mylogfile --log-append
- To get parameters from a configuration file:
  netconfd --config=/etc/yuma/netconfd.conf

To terminate the netconfd program when running interactively, use the Control-C character sequence. This will cause the server to clean up and terminate gracefully. The <shutdown> or <restart> operations can also be used to terminate or restart the server.

The yuma-nacm.yang access contr
Yuma netconfd Manual
YANG-Based Unified Modular Automation Tools
NETCONF Over SSH Server
Version 2.2
Last Updated: January 26, 2012

Table of Contents

1 Preface ... 5
1.1 Legal Statements ... 5
1.2 Additional Resources ... 5
1.2.1 WEB Sites ... 5
1.3 Conventions Used in this Document ... 6
2 netconfd User Guide ... 7
2.1.3 Loading YANG Modules ... 9
2.1.4 Starting netconfd ... 10
2.1.5 Stopping netconfd ... 11
2.1.6 Signal Handling ... 11
2.1.7 Error Handling ... 11
2.1.8 Module Summary ... 12
2.1.9 Notification Summary ... 13
2.1.10 Operation Summary ... 14
2.1.11 Configuration Parameter List ... 15
ables in this module, except partial locking, because the :partial-lock capability is not supported at this time. The /netconf-state/capabilities subtree can be examined to discover the active set of NETCONF capabilities. The /netconf-state/datastores subtree can be examined to discover the active database locks. The /netconf-state/schemas subtree can be examined for all the YANG modules that are available for download with the <get-schema> operation. The /netconf-state/sessions subtree can be examined for monitoring NETCONF session activity. The /netconf-state/statistics subtree can be examined for monitoring global NETCONF counters.

The :notification capability indicates that the server will accept the <create-subscription> operation and deliver notifications to the session, according to the subscription request. All <create-subscription> options and features are supported. A notification log is maintained on the server, which is restarted every time the server reboots. This log can be accessed as a replay subscription. The first notification in the log will be for the <sysStartup> event. The <replayComplete> and <notificationComplete> event types are not stored in the log.

The :partial-lock capability indicates that RFC 5717 is implemented, and partial locking of the <running> database is supported. The <copy-config> operation is not supported using the <running> database as a t
ace> entry for eth0:
<?xml version="1.0" encoding="UTF-8"?>
<nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="9">
  <nc:get>
    <nc:filter type="subtree">
      <if:interfaces xmlns:if="http://netconfcentral.org/ns/yuma-interfaces">
        <if:interface>
          <if:name>eth0</if:name>
        </if:interface>
      </if:interfaces>
    </nc:filter>
  </nc:get>
</nc:rpc>

To retrieve only specific nodes, such as counters, from a single list entry, use select nodes for the desired counter(s), and include a content match node for each key leaf. A missing key leaf will match any entry for that key. The following example request shows how just the <inBytes> and <outBytes> counters could be retrieved from the <interface> entry for eth0.

Example Request:
<?xml version="1.0" encoding="UTF-8"?>
<nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="10">
  <nc:get>
    <nc:filter type="subtree">
      <if:interfaces xmlns:if="http://netconfcentral.org/ns/yuma-interfaces">
        <if:interface>
          <if:name>eth0</if:name>
          <if:counters>
            <if:inBytes/>
            <if:outBytes/>
          </if:counters>
        </if:interface>
      </if:interfaces>
    </nc:filter>
  </nc:get>
</nc:rpc>

Example Reply:
any errors at all are found in the validation phase. During the execution phase, this parameter will affect error processing. When set to 'rollback-on-error', if any part of the requested configuration change cannot be performed, the database will be restored to its previous state, and server instrumentation callbacks to undo any changes made will be invoked.

The :schema-retrieval capability indicates that the <get-schema> operation is supported. The netconfd server supports this operation for all YANG modules in use at the time. The <identifier> parameter must be set to the name of the YANG module. The <format> parameter must be set to YANG. The <version> parameter must be set to a revision date to retrieve a specific version of the module, or to the empty string to retrieve whatever version the server is using.

The :startup capability indicates that the <startup> configuration is supported by the server. By default, this capability is not supported. This capability is controlled by the --with-startup configuration parameter. If this parameter is set to 'true', then the :startup capability will be supported. If this capability is supported, the server will allow the <startup> configuration to be the source of a <get-config>, and the server will allow the <startup> configuration to be the target of a <copy-config> operation if the source is the <running> configuration. If the :validat
arget, so partial locks do not affect that operation. The <edit-config> operation on the <running> database is allowed if the --target parameter is set to 'running'. The <commit> operation will fail if any portion of the altered configuration is locked by another session. Data in the <candidate> database which is identical to the corresponding data in the <running> configuration is not affected by a <partial-lock> operation.

The constant VAL_MAX_PLOCKS in ncx/val.h controls the maximum number of concurrent locks that a single session can own on a database node. The default value is 4. There is no hard resource limit for:
- the number of total partial locks
- the number of <select> parameters in the <partial-lock> request
- the number of nodes that can be locked by a single partial lock

When the maximum <lock-id> is reached (MAX_UINT), the server will not reset the <lock-id> to 1 unless there are no partial locks currently held on the <running> database. The <lock-id> 0 is not used.

The :rollback-on-error capability indicates that the server supports all-or-nothing editing for a single <edit-config> operation. This is a standard enumeration value for the <error-option> parameter. The server will perform all PDU validation, no matter what <error-option> is selected. The execution phase will not occur if
art: A confirmed commit procedure has started.
  - Sent once, when the first <commit> operation is executed.
  - This event starts the confirmed commit procedure.
  - If the <candidate> database is not altered, then the confirmed commit procedure will be skipped.
- cancel: A confirmed commit procedure has been canceled.
  - Sent only if the original session is terminated.
  - This event terminates the confirmed commit procedure.
- timeout: A confirmed commit procedure has timed out.
  - Sent only if the confirm-timeout interval expires.
  - This event terminates the confirmed commit procedure.
- extend: A confirmed commit procedure has been extended.
  - Sent if the 2nd to (N-1)th <commit> operation contains a <confirmed> parameter.
  - This event restarts the confirm-timeout interval, but does not reset the backup database.
  - Any new changes in the <candidate> database will be committed.
- complete: A confirmed commit procedure has completed.
  - Sent if the 2nd to Nth <commit> operation is executed before the confirm-timeout interval expires.
  - This event terminates the confirmed commit procedure.

<sysConfirmedCommit> notification
Description: The state of the confirmed commit procedure has changed.
Min parameters: 1
Max parameters: 4
YANG file: yuma-system.yang
Parameters:
- userName
  - type: string
  - usage: mandatory
  - This parame
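The confirmed commit rollback and timeout rules (the :confirmed-commit capability passage earlier) together with the confirmEvent values listed here, as an added simulation that is not Yuma code: datastores are plain dicts, the clock is a number supplied by the caller, and checking the timer lazily on the next call is this model's assumption, not something the manual states.

```python
"""Simulation of the confirmed-commit procedure and its <sysConfirmedCommit>
events (start, extend, complete, timeout, cancel) as the manual describes them.

Added example, not Yuma code.  Datastores are plain dicts and the clock is a
number of seconds passed in by the caller, so the confirm-timeout behaviour can
be exercised without a running server.  Lazy timer checking on the next call is
an assumption of this model, not something the manual states.
"""

DEFAULT_CONFIRM_TIMEOUT = 600  # seconds; the manual's default of 10 minutes


class ConfirmedCommit:
    def __init__(self, running, startup=None):
        self.running = dict(running)
        self.candidate = dict(running)      # <candidate> starts as a copy of <running>
        self.startup = dict(startup if startup is not None else running)
        self.backup = None                  # <running> as it was before the first <commit>
        self.deadline = None                # absolute time at which confirm-timeout expires
        self.events = []                    # confirmEvent values emitted, in order

    @property
    def in_progress(self):
        return self.backup is not None

    def edit_candidate(self, **changes):
        self.candidate.update(changes)

    def tick(self, now):
        """Advance the clock; emits 'timeout' if the confirm-timeout has expired."""
        if self.in_progress and now >= self.deadline:
            self._revert()
            return self._emit("timeout")
        return None

    def commit(self, now, confirmed=False, confirm_timeout=DEFAULT_CONFIRM_TIMEOUT):
        """Apply a <commit> at time `now`; returns the confirmEvent emitted, or None."""
        self.tick(now)                      # an expired procedure is rolled back first
        if not self.in_progress:
            if not confirmed:
                self.running = dict(self.candidate)   # ordinary, unconditional commit
                return None
            if self.candidate == self.running:
                return None                 # 'start' is skipped when <candidate> is unaltered
            self.backup = dict(self.running)
            self.running = dict(self.candidate)
            self.deadline = now + confirm_timeout
            return self._emit("start")
        # 2nd..Nth <commit> while the procedure is in progress: any new
        # candidate edits are committed either way
        self.running = dict(self.candidate)
        if confirmed:
            self.deadline = now + confirm_timeout   # 'extend': timer restarts, backup kept
            return self._emit("extend")
        self.backup = None                  # 'complete': procedure ends, running stays
        self.deadline = None
        return self._emit("complete")

    def session_terminated(self):
        """The session that started the procedure went away before completing it."""
        if not self.in_progress:
            return None
        self._revert()
        return self._emit("cancel")

    def _revert(self):
        # <running> and <candidate> go back to the pre-procedure <running>;
        # the <startup> datastore (NV storage) is never touched by this rollback
        self.running = dict(self.backup)
        self.candidate = dict(self.backup)
        self.backup = None
        self.deadline = None

    def _emit(self, name):
        self.events.append(name)
        return name


if __name__ == "__main__":
    cc = ConfirmedCommit({"mtu": 1500})
    cc.edit_candidate(mtu=9000)
    print(cc.commit(now=0, confirmed=True))     # start
    print(cc.tick(now=600), cc.running)         # timeout {'mtu': 1500}
```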
ast-modified="2011-08-21T17:51:46Z" message-id="4">
  <nc:data>
    <proc:proc xmlns:proc="http://netconfcentral.org/ns/proc">
      <proc:cpuinfo>
        <proc:cpu>
          <proc:cpu_MHz>1600.000</proc:cpu_MHz>
          <proc:processor>0</proc:processor>
        </proc:cpu>
        <proc:cpu>
          <proc:cpu_MHz>2667.000</proc:cpu_MHz>
          <proc:processor>1</proc:processor>
        </proc:cpu>
      </proc:cpuinfo>
    </proc:proc>
  </nc:data>
</nc:rpc-reply>

The <get-config> operation is used to retrieve data from a NETCONF configuration database. To select only specific subsets of all available data, use subtree or XPath filtering by providing a <filter> parameter. Namespace prefixes are optional to use in XPath expressions. The netconfd server will figure out the proper namespace, if possible. If prefixes are used, then they must be valid XML prefixes, with a namespace properly declared in the PDU. The retrieval of leaf or leaf-list nodes with default values is controlled with the <with-defaults> parameter.

If a portion of the requested data is not available due to access control restrictions, then that data is silently dropped from the <rpc-reply> message. It is implicitly understood that the client is only requesting data which it is authorized to receive, in the event such data is selected in the request.

<get-config
49. ation contains any edits that have not been committed, then these edits will all be lost if the <unlock> operation is invoked. A <discard-changes> operation is performed automatically by the server when the <candidate> database is unlocked.
    <unlock> operation. Min parameters: 1. Max parameters: 1. Return type: status. YANG file: yuma-netconf.yang. Capabilities needed: none. Capabilities optional: candidate, startup.
    Mandatory Parameters:
    - target
      - type: container with 1 of N choice of leafs
      - This parameter specifies the name of the target database to be unlocked.
      - container contents (1 of N): candidate (type: empty; capabilities needed: candidate); running (type: empty; capabilities needed: none); startup (type: empty; capabilities needed: startup)
    Optional Parameters:
    - none
    Returns:
    - <ok>
    Possible Operation Errors:
    - access-denied: no access
    - in-use: database not locked
    - invalid-value: database not supported
    Example Request: <?xml version="1.0" encoding="UTF-8"?> <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="65"> <nc:unlock> <nc:target> <nc:candidate/> </nc:target> </nc:unlock> </nc:rpc>
    Example Reply: <?xml version="1.0" encoding="UTF-8"?> <nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="65">
50. ax parameters: 3. Return type: status. YANG file: yuma-netconf.yang. Capabilities needed: none. Capabilities optional: candidate, writable-running, startup.
    Mandatory Parameters:
    - source
      - type: container with 1 of N choice of leafs
      - usage: mandatory
      - default: none
      - This parameter specifies the name of the source database for the copy operation.
      - container contents (1 of N): candidate (type: empty; capabilities needed: candidate); running (type: empty; capabilities needed: none); startup (type: empty; capabilities needed: startup); config (type: container, in-line configuration data; capabilities needed: none)
      - On the netconfd server, only the superuser account is allowed to copy in-line data into a database. All other users will get an access-denied error. Access to the entire database is required for this operational mode.
    - target
      - type: container with 1 of N choice of leafs
      - usage: mandatory
      - default: none
      - This parameter specifies the name of the target database for the copy operation.
      - container contents (1 of N): candidate (type: empty; capabilities needed: candidate); startup (type: empty; capabilities needed: startup)
    Optional Parameters:
    - with-defaults
      - type: enumeration (none, report-all, report-all-tagged, trim, explicit)
      - default: none
      - capabilities neede
51. be allowed.
    disabled: All read, write, and execute requests will be allowed unless the object contains the nacm:secure or nacm:very-secure extension.
    - If the nacm:secure extension is in effect, then all configured access control rules will be enforced for write and execute requests.
    - If the nacm:very-secure extension is in effect, then all configured access control rules will be enforced for all requests. Use this mode with caution.
    off: All access control enforcement is disabled. Use this mode with extreme caution.
    --access-control parameter. Syntax: enumeration (enforcing, permissive, disabled, off). Default: enforcing. Min Allowed: 0. Max Allowed: 1. Supported by: netconfd. Example: netconfd --access-control=permissive
    The --config parameter specifies the name of a Yuma configuration file that contains more parameters to process, in addition to the CLI parameters. Refer to the Configuration Files section for details on the format of this file.
    --config parameter. Syntax: string (complete file specification of the text file to parse for more parameters). Default: /etc/yuma/<program-name>.conf. Min Allowed: 0. Max Allowed: 1. Supported by: netconfd, yangcli, yangdiff, yangdump. Example: netconfd --config=testconf.conf
    The --datapath parameter specifies the directory search path to use while searching for
52. cm:data-rule> <nacm:data-rule nc:operation="create"> <nacm:name>itf-2</nacm:name> <nacm:path xmlns:if="http://netconfcentral.org/ns/interfaces">/if:interfaces/if:interface[if:name='eth0']</nacm:path> <nacm:allowed-rights>read</nacm:allowed-rights> <nacm:allowed-group>nacm:monitor</nacm:allowed-group> <nacm:comment>let monitor group read interface eth0</nacm:comment> </nacm:data-rule> <nacm:data-rule nc:operation="create"> <nacm:name>itf-3</nacm:name> <nacm:path xmlns:if="http://netconfcentral.org/ns/interfaces">/if:interfaces</nacm:path> <nacm:allowed-rights></nacm:allowed-rights> <nacm:allowed-group>nacm:guest</nacm:allowed-group> <nacm:comment>do not let guest group read any interfaces info</nacm:comment> </nacm:data-rule> </nacm:rules> </nacm:nacm> </nc:config> </nc:edit-config> </nc:rpc>
    The <get> and <get-config> operations are fully supported for retrieving data from the <candidate> and <running> configuration databases. The <get-config> operation is not supported for the <startup> configuration. The <copy-config> operation is only supported for copying the <running> configuration to the <startup> configuration. If the NACM access contro
53. conditions present for either operation.
    <edit-config> operation. Min parameters: 2. Max parameters: 5. Return type: status. YANG file: yuma-netconf.yang. Capabilities needed: candidate or writable-running. Capabilities optional: rollback-on-error, validate.
    Mandatory Parameters:
    - config
      - type: anyxml
      - This parameter specifies the subset of the database that should be changed.
    - target
      - type: container with 1 of N choice of leafs
      - This parameter specifies the name of the target database for the edit operation.
      - container contents (choice, 1 of N): candidate (type: empty; capabilities needed: candidate); running (type: empty; capabilities needed: writable-running)
    Optional Parameters:
    - default-operation
      - type: enumeration (merge, replace, none)
      - default: merge
      - This parameter specifies which edit operation will be in effect at the start of the operation, before any nc:operation attribute is found.
    - error-option
      - type: enumeration (stop-on-error, continue-on-error, rollback-on-error)
      - default: stop-on-error
      - This parameter specifies what the server should do when an error is encountered.
    - test-option
      - type: enumeration (test-then-set, set, test-only)
      - default: test-then-set if the validate capability is supported, and set otherwise
    Returns:
    - <ok>
    Possible Operation Errors:
    - access-denied
    - in-use: target database
54. confd Manual. Min parameters: 4. Max parameters: 4. YANG file: yuma-system.yang.
    Parameters:
    - userName
      - type: string
      - usage: mandatory
      - This parameter identifies the SSH user name that is associated with the session.
    - sessionId
      - type: uint32 (range 1 to max)
      - usage: mandatory
      - This parameter identifies the NETCONF session ID assigned to the session.
    - remoteHost
      - type: inet:ip-address
      - usage: mandatory
      - This parameter identifies the remote host IP address that is associated with the session.
    - edit
      - list (with no key) of edit operations performed, 1 entry for each edit
      - target (type: instance-identifier; usage: mandatory): This parameter contains the absolute path expression of the database object node that was modified.
      - operation (type: enumeration: merge, replace, create, delete; usage: mandatory): This parameter identifies the nc:operation that was performed on the target node in the database.
    Example: <?xml version="1.0" encoding="UTF-8"?> <ncEvent:notification xmlns:ncEvent="urn:ietf:params:xml:ns:netconf:notification:1.0"> <ncEvent:eventTime>2009-07-29T22:21:18Z</ncEvent:eventTime> <sys:sysConfigChange xmlns:sys="http://netconfcentral.org/ns/system"> <sys:userName>andy</sys:userName> <sys:sessionId>3</sys:sessionId> <sys:remoteHost>192.168.0.6</sys:remoteHost> <sys:ed
55. d
    There are 3 YANG language extensions defined that can be used to force access control behavior for specific data nodes in the configuration database:
    1. nacm:secure (no parameter). If present in a data node statement, this extension will cause the write default to be ignored, and any write access to instances of this object will be rejected with an access-denied error unless there is an explicit NACM rule allowing write access to the user session. If present in an rpc statement, then exec access will be denied unless there is an explicit NACM rule granting exec access.
    2. nacm:very-secure (no parameter). If present in a data node statement, this extension will cause the read and write defaults to be ignored, and any write access to instances of this object will be rejected with an access-denied error unless there is an explicit NACM rule allowing write access to the user session. Read access will be denied, which causes that data to be removed from the <rpc-reply>. If present in an rpc statement, then exec access will be denied unless there is an explicit NACM rule granting exec access.
    3. ncx:user-write (parameter: permitted; type: bits (create, update, delete)). Used within database configuration data definition statements to control user write access to the database object containing this statement. The permitted argument is a list of operations that users are permitted to invoke.
56. d: with-defaults
      - This parameter controls how nodes containing only default values are copied to the target database. If the <target> parameter is <candidate>, then this parameter will be ignored.
    Returns:
    - <ok>
    Possible Operation Errors:
    - access-denied: access control configured to deny access to this operation
    - in-use: the configuration indicated by the <target> parameter is locked by another session
    - <commit> errors, if the target parameter is the <running> configuration
    Example Request: <?xml version="1.0" encoding="UTF-8"?> <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="7"> <nc:copy-config> <nc:source> <nc:running/> </nc:source> <nc:target> <nc:startup/> </nc:target> </nc:copy-config> </nc:rpc>
    Example Reply: <?xml version="1.0" encoding="UTF-8"?> <nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="7"> <nc:ok/> </nc:rpc-reply>
    The <create-subscription> operation is used to start a NETCONF notifications subscription. Only the NETCONF stream is supported by netconfd. A replay subscription is created by including the <startTime> parameter. The subscription will continue until the session is closed, unless the <stopTime> parameter is present. In that case the subscription
57. d> notification with a <terminationReason> field set to "closed" will be generated when this operation is invoked.
    <cancel-commit> operation. Min parameters / Max parameters / YANG file / Capabilities needed: 1, ietf-netconf.yang, base:1.1.
    Mandatory Parameters: none.
    Optional Parameters:
    - persist: If the persist string was provided in the <commit> operation, then this parameter must be present and the value must match. Only the session that started the confirmed commit can use this operation without providing a persist parameter.
    Returns: <ok>; an <rpc-reply> will be sent to the session before terminating the session.
    Possible Operation Errors: none.
    Example Request: <?xml version="1.0" encoding="UTF-8"?> <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2"> <nc:cancel-commit> <nc:persist>mycommit</nc:persist> </nc:cancel-commit> </nc:rpc>
    Example Reply: <?xml version="1.0" encoding="UTF-8"?> <nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2"> <nc:ok/> </nc:rpc-reply>
    The <close-session> operation is always allowed, even if access control rules exist which somehow disallow exec privileges to a session for this operation. A <sysSessionEnd> notificati
58. data files. It consists of a colon-separated list of path specifications, commonly found in Unix, such as the PATH environment variable. Example: This parameter overrides the YUMA_DATAPATH environment variable if it is present.
    --datapath parameter. Syntax: string (list of directory specifications). Default: YUMA_DATAPATH environment variable. Min Allowed: 0. Max Allowed: 1. Supported by: netconfd, yangcli, yangdiff, yangdump. Example: netconfd --datapath=work2/data
    The --default-style parameter specifies the way leafs with default values are returned from the server for data retrieval operations. This setting will be used as the default behavior when processing the operations that support the <with-defaults> extension and no value is provided. The values and their meanings are defined in ietf-with-defaults.yang. Here is a summary:
    - report-all: Report all nodes as the default behavior. This will be the behavior used if this parameter is not specified.
    - trim: Report only nodes that do not have the server-assigned value as the default behavior. This includes all leafs with a YANG default and any other node created by the server.
    - explicit: Report only nodes that have been set by client action as the default behavior. Any node created via the <startup> configuration at boot time is considered to be a client-created node. It does not matter what the actual values are with resp
59. determines the protocol version used for the session. If there are no common versions found, the session will be dropped. By default the server will enable both protocol versions. The following table shows the outcomes of all possible <hello> processing scenarios:
    Client <hello>          Server <hello>          Outcome
    none                    any combination         Session dropped
    base:1.0                base:1.0                base:1.0 session started
    base:1.1                base:1.0                Session dropped
    base:1.0, base:1.1      base:1.0                base:1.0 session started
    base:1.0                base:1.1                Session dropped
    base:1.1                base:1.1                base:1.1 session started
    base:1.0, base:1.1      base:1.1                base:1.1 session started
    base:1.0                base:1.0, base:1.1      base:1.0 session started
    base:1.1                base:1.0, base:1.1      base:1.1 session started
    base:1.0, base:1.1      base:1.0, base:1.1      base:1.1 session started
    Example client <hello> Message: <?xml version="1.0" encoding="UTF-8"?> <nc:hello xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"> <nc:capabilities> <nc:capability>urn:ietf:params:netconf:base:1.0</nc:capability> </nc:capabilities> </nc:hello>
    The only PDU the netconfd server will accept during a NETCONF session is the <rpc> message. All aspects of NETCONF protocol conformance are supported for contents of the <rpc> elements. All XML attributes in the <rpc> start tag will be return
60. ds to be used carefully.
    - set: This option is not the default, but it is probably the desired behavior for the <candidate> database. In order to fully utilize the incremental editing capability of this database, the set value should be used. This will prevent any validation error messages unrelated to the current edit. The <validate> operation can be used before the <commit> is done, if desired. The same errors, if any, should be reported by <validate> or <commit>.
    - test-then-set: This option is the default, and will cause a resource-intensive validation procedure to be invoked every time the <candidate> database is edited. The validation procedure is always invoked on every edit to the <running> configuration. If any database validation errors are found in addition to the requested edit, then they will be reported. Use the <error-path> field to determine which type of error is being reported by the server.
    The url capability indicates that the server accepts the <url> parameter in NETCONF operations that use this parameter. This capability can be disabled with the --with-url CLI configuration parameter. The following operations are affected by the url capability:
    - edit-config
      - <url> accepted instead of <config> as a configuration data source
    - copy-config
      - <url> accepted as a source parameter
      - <url> accepted as a target parameter
      - <url> to <url>
61. e 117
    Example: netconfd --hello-timeout=300
    The --help parameter causes program help text to be printed, and then the program will exit instead of running as normal. This parameter can be combined with the --help-mode parameter to control the verbosity of the help text. Use brief for less and full for more than the normal verbosity. This parameter can be combined with the --version parameter in all programs. It can also be combined with the --show-errors parameter in yangdump. The program configuration parameters will be displayed in alphabetical order, not in schema order.
    --help parameter. Syntax / Default / Min Allowed / Max Allowed: (not given). Supported by: netconfd, yangcli, yangdiff, yangdump. Example: netconfd --help
    The --help-mode parameter is used to control the amount of detail printed when help text is requested in some command. It is always used with another command and makes no sense by itself. It is ignored unless used with the --help parameter.
    --help-mode parameter. Syntax: choice of 3 empty leafs (brief, normal, full). Default: normal. Min Allowed / Max Allowed: (not given). Supported by: netconfd, yangcli, yangdiff, yangdump. Example: netconfd --help --help-mode=full
    - default choice: normal
    - choice help-mode
      - brief (type: empty): This parameter specifies that brief documenta
62. e capability is enabled, then the server will allow the <startup> configuration to be the target of a <validate> operation. If the user is the superuser account, or access is configured in NACM to allow it, then the server will allow the <startup> configuration to be the target of a <delete-config> operation. No other operations on the <startup> database are supported. The <startup> database cannot be edited with <edit-config> or overwritten with <copy-config>.
    The validate capability indicates that the <validate> operation is accepted, and the <test-option> for the <edit-config> operation is also accepted by the server. Versions supported:
    - validate:1.0
    - validate:1.1
    This capability is controlled by the --with-validate configuration parameter. If it is set to false, then this capability will not be available in netconfd. The <validate> operation can be invoked in several ways:
    - validate the <candidate> database, if the candidate capability is supported
    - validate the <running> database
    - validate the <startup> database, if the startup capability is supported
    - validate an inline <config> element which represents the entire contents of a database
    The <test-option> parameter for the <edit-config> operation can be used. This parameter has a significant impact on operations and nee
63. e deleted-capability
      - type: leaf-list of capability URI strings
      - usage: optional
      - This parameter contains one entry for each capability that was just deleted.
    Example: <?xml version="1.0" encoding="UTF-8"?> <ncEvent:notification xmlns:ncEvent="urn:ietf:params:xml:ns:netconf:notification:1.0"> <ncEvent:eventTime>2009-07-29T23:03:06Z</ncEvent:eventTime> <sys:sysCapabilityChange xmlns:sys="http://netconfcentral.org/ns/system"> <sys:changed-by> <sys:userName>andy</sys:userName> <sys:sessionId>3</sys:sessionId> <sys:remoteHost>192.168.0.61</sys:remoteHost> </sys:changed-by> <sys:added-capability>http://netconfcentral.org/ns/toaster?module=toaster&amp;revision=2009-06-23&amp;features=clock</sys:added-capability> </sys:sysCapabilityChange> <sys:sequence-id xmlns:sys="http://netconfcentral.org/ns/system">8</sys:sequence-id> </ncEvent:notification>
    The <sysConfirmedCommit> notification is generated when the state of the confirmed commit procedure has changed. The confirmed commit procedure is started when a <commit> operation with a <confirmed> parameter is executed. A <sysConfirmedCommit> notification is generated several times for a single confirmed commit procedure. One or more of the following sub-events will be generated: st
64. e-name>netconf</nacm:rpc-module-name> <nacm:rpc-name>get-config</nacm:rpc-name> <nacm:allowed-rights></nacm:allowed-rights> <nacm:allowed-group>nacm:guest</nacm:allowed-group> </nacm:rpc-rule> </nacm:rules> </nacm:nacm> </nc:config> </nc:edit-config> </nc:rpc>
    The nacm:rules/data-rule data structure is used to configure access for a specific set of database nodes or notification payload nodes. If the requested node is contained within the node-set result of the <path> XPath path expression, then the data rule is considered a match. Multiple instances of the same <path> expression, or equivalent expressions, can appear at any time and in any order. The <path> leaf is not allowed to contain an arbitrary XPath expression at this time. Instead, an ncx:schema-instance string is allowed. This has the same syntax as a YANG instance-identifier built-in type, except that the key leaf predicates (e.g., [name='eth0']) are optional instead of mandatory. A missing key leaf predicate indicates that all instances of that key leaf are going to match the data rule. This is a user-created list, and the key leaf is the arbitrary <name> field. Use the YANG insert operation to add data rules in some order other than last. Entries are checked in the same order they are returned in a <get-config> reply message. If a group appears in multiple entries, then t
65. e optional to use in XPath expressions; netconfd will figure out the proper namespace if possible. If prefixes are used, then they must be valid XML prefixes with a namespace properly declared in the PDU. The retrieval of leaf or leaf-list nodes with default values is controlled with the <with-defaults> parameter. If a portion of the requested data is not available due to access control restrictions, then that data is silently dropped from the <rpc-reply> message. It is implicitly understood that the client is only requesting data which it is authorized to receive, in the event such data is selected in the request.
    <get> operation. Min parameters: 0. Max parameters: 3. Return type: data. YANG file: yuma-netconf.yang. Capabilities needed: none. Capabilities optional: candidate, startup, with-defaults.
    Mandatory Parameters: none.
    Optional Parameters:
    - filter
      - type: subtree (type: anyxml). This parameter specifies the subset of the database that should be retrieved.
      - type: xpath (select-expr; type: empty). The unqualified select attribute is used to specify an XPath filter.
    - with-defaults
      - type: enumeration (none, report-all, report-all-tagged, trim, explicit)
      - usage: the --default-style configuration parameter is used as the default if no value is provided
      - This parameter controls how default leaf and leaf-list nodes are returned by the
66. ect to YANG defaults or server-supplied defaults. Any nodes created by the server are skipped.
    --default-style parameter. Syntax: enumeration (report-all, trim, explicit). Default: report-all. Min Allowed: 0. Max Allowed: 1. Supported by: netconfd. Example: netconfd --default-style=trim
    The --delete-empty-npcontainers parameter is a boolean that indicates whether the server should keep or delete empty non-presence containers in the database. If true, empty NP containers will be deleted. If false, they will not be deleted.
    --delete-empty-npcontainers parameter. Default / Min Allowed / Max Allowed: (not given). Supported by: netconfd. Example: netconfd --delete-empty-npcontainers=true
    The --deviation parameter is a leaf-list of modules that should be loaded automatically when the program starts, as a deviation module. In this mode, only the deviation statements are parsed, and then made available later when the module that contains the objects being deviated is parsed. The deviations must be known to the parser before the target module is parsed. This parameter is used to identify any modules that have deviation statements for the set of modules being parsed (e.g., --module and --subtree parameters). A module can be listed with both the --module and --deviation parameters, but that is not needed unless the module contains external deviations. If the modu
67. ed to the client unchanged in the <rpc-reply> element. The order of the XML attributes may not be preserved.
    All XML namespace prefix assignments declared in the <rpc> element via the xmlns attribute will be used within the <rpc-reply> and most descendant nodes of the <rpc-reply>. The exception is the <error-path> element, which may use the default XML prefix for a given module by declaring a new xmlns attribute for the namespace. The so-called mandatory message-id attribute is ignored by the server, along with all other XML attributes in the <rpc> element. The server will not generate an error if this attribute is missing, as specified in RFC 4741. The new version of the NETCONF protocol removes this rule. All <rpc> element contents must be declared within the proper namespace, except the contents of a subtree <filter> element for a <get> or <get-config> operation.
    Access control will be enforced as follows: All <rpc> operation requests except <close-session> will be checked in the access control model (yuma-nacm.yang). This operation can always be invoked by any user, to allow graceful session termination in all cases. If the user name for the session matches the --superuser configuration parameter, then the operation will always be allowed. If the access control no-rule default for RPC execution is set to permit, a
68. en one <sysCapabilityChange> event will be generated for all the changes. There will be multiple instances of the <added-capability> or <deleted-capability> leaf-list elements in this case. When this notification is generated, the ietf-netconf-monitoring data model <capabilities> data structure is updated to reflect the changes.
    <sysCapabilityChange> notification. Description: The set of currently active <capability> URIs has changed. Min parameters: 2. Max parameters: 5. YANG file: yuma-system.yang.
    Parameters:
    - choice changed-by (server or by-user)
      - server (type: empty; usage: mandatory): If this empty leaf is present, then the server caused the capability change.
      - case by-user: if a NETCONF session caused the capability change
        - userName (type: string; usage: mandatory): This parameter identifies the SSH user name that is associated with the session.
        - sessionId (type: uint32, range 1 to max; usage: mandatory): This parameter identifies the NETCONF session ID assigned to the session.
        - remoteHost (type: inet:ip-address; usage: mandatory): This parameter identifies the remote host IP address that is associated with the session.
    - added-capability
      - type: leaf-list of capability URI strings
      - usage: optional
      - This parameter contains one entry for each capability that was just added.
69. erminates, the server does the following:
    - will release any locks the session had, if any
    - will discard all changes in the <candidate> configuration, if this database was locked by the session
    - will remove the <session> list entry from the netconf-state/sessions container
    - will generate a <sysSessionEnd> notification entry for the closed or killed session
    All errors are reported using the standard <rpc-error> element. If the operation does not return any data, then the <rpc-reply> element will either contain 1 <ok> element or 1 or more <rpc-error> elements. If the operation returns any data (i.e., the YANG rpc definition for the operation has an output section), then the <rpc-reply> element may have both <rpc-error> and data elements within it. If there were errors in the input, then only 1 or more <rpc-error> elements will be returned. It is possible that the required data will be returned after any errors, but not likely. The internal netconfd error code for each <rpc-error> is returned in an <error-info> extension called <error-number>. Normally, the same <error-app-tag> and <error-message> values are returned for a specific error number. However, some YANG errors allow these fields to be user-defined. If there are user-defined <error-app-tag> and/or <error-message> values, then they wil
70. error-path>/t:test2/t:a2</nc:error-path> <nc:error-message xml:lang="en">required value instance not found</nc:error-message> <nc:error-info> <ncx:error-number>310</ncx:error-number> </nc:error-info> </nc:rpc-error> </nc:rpc-reply>
    The missing-choice error is generated when a YANG choice is mandatory but no case from the choice was set. An error will be returned right away if the target is the <running> configuration, or if the default test-then-set option is used for the <test-option>. Otherwise, this error is generated when the <commit> operation is invoked.
    missing-choice error. data description: error-tag: data-missing; error-app-tag: missing-choice; error-path: identifies the parent of the missing choice; error-info: <missing-choice>; error-number: 296.
    Example Request (create target musttest; skip the mandatory choice): <?xml version="1.0" encoding="UTF-8"?> <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2"> <nc:edit-config> <nc:target> <nc:candidate/> </nc:target> <nc:default-operation>none</nc:default-operation> <nc:config> <t:musttest nc:operation="create" xmlns:t="http://netconfcentral.org/ns/test"/> </nc:config> </nc:edit-config> </nc:rpc>
    Example Error Repl
71. ersion. The <identifier> parameter must contain the name of the YANG file, without any path or file extension specification.
    <get-schema> operation. Min parameters: 3. Max parameters: 3. Return type: data. YANG file: yuma-netconf.yang. Capabilities needed: schema-retrieval.
    Mandatory Parameters:
    - identifier
      - type: string
      - This parameter specifies the name of the module to retrieve. Do not use any path specification or file extension; just the module name is entered. The name is case-sensitive and must be specified exactly as defined.
    - version
      - type: string
      - This parameter specifies the version of the module to retrieve. This will be the most recent YANG revision date string defined in a module revision statement. If any version is acceptable, or if the specific version is not known, then use the empty string.
    - format
      - type: enumeration (XSD, YANG, YIN, RNG)
      - This parameter specifies the format of the module to be retrieved. Only the YANG format is supported: YANG (RFC 6020), YIN (RFC 6020).
    Returns:
    - <data> element: contents of the YANG file
    Possible Operation Errors:
    - access-denied
    Example Request: <?xml version="1.0" encoding="UTF-8"?> <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="55"> <ns:get-schema xmlns:ns="urn:ietf:params:xml:ns:netconf:state"> <ns:identifier>ietf
72. et in the <startup> are considered to be set by the client, not the server. The --default-style configuration parameter is used to control the behavior the server will use for these operations when the <with-defaults> parameter is missing. The server will also use this default value when automatically saving the <running> configuration to non-volatile storage.
    The writable-running capability indicates that the server uses the <running> configuration as its edit target. In this case, the <target> parameter for the <edit-config> operation can only be set to <running>. All edits are activated immediately, but only if the entire database is going to be valid after the edits. A non-destructive test is performed before activating the requested changes. If this capability is advertised, then netconfd will also advertise the startup capability. They are always used together. Edits to the <running> configuration take effect right away, but they are only saved to non-volatile storage automatically if the --with-startup configuration parameter is set to false.
    The xpath capability indicates that XPath filtering is supported for the <get> and <get-config> operations. The netconfd server implements all of XPath 1.0, plus the following additions: the current() function from XPath 2.0 is supported;
    - a missing XML namespace will match any YAN
73. etconfd --usexmlorder (Supported by: netconfd)

The --version parameter causes the program version string to be printed, and then the program will exit instead of running as normal. All Yuma version strings use the same format:
  DEBUG:      <major>.<minor>.<svn-build-version>
  NON-DEBUG:  <major>.<minor>.<release>
An example version number that may be printed: netconfd 2.0.0. This parameter can be combined with the --help parameter.

--version parameter
  Syntax:
  Default:
  Min Allowed:
  Max Allowed:
  Supported by: netconfd, yangcli, yangdiff, yangdump
  Example: netconfd --version

The --warn-idlen parameter controls whether identifier-length warnings will be generated. The value zero disables all identifier-length checking. If non-zero, then a warning will be generated if an identifier is defined whose length is greater than this amount.

--warn-idlen parameter
  Syntax: uint32 (0 to disable, or 8..1023)
  Default: 64
  Min Allowed: 0
  Max Allowed: 1
  Supported by: netconfd, yangcli, yangdiff, yangdump
  Example: netconfd --warn-idlen=50

The --warn-linelen parameter controls whether line-length warnings will be generated. The value zero disables all line-length checking. If non-zero, then a warning will be generated if a YANG file line is entered whose length is greater than this a
74. event type.
  3. sequence-id: The system event sequence ID. Session- or subscription-specific events, such as replayComplete and notificationComplete, do not have this element. The namespace URI for this element is http://netconfcentral.org/ns/system.

The <replayComplete> event is generated on a subscription that requested notification replay by supplying the <startTime> parameter. This event type cannot be filtered out: the server will always attempt to deliver this notification event type when it is generated.

<replayComplete> notification
  Description: Buffered notification delivery has ended for a subscription.
  Min parameters: 0
  Max parameters: 0
  YANG file: nc-notifications.yang

Example:
  <?xml version="1.0" encoding="UTF-8"?>
  <ncEvent:notification xmlns:ncEvent="urn:ietf:params:xml:ns:netconf:notification:1.0">
    <ncEvent:eventTime>2009-07-29T17:21:37Z</ncEvent:eventTime>
    <manageEvent:replayComplete xmlns:manageEvent="urn:ietf:params:xml:ns:netmod:notification"/>
  </ncEvent:notification>

The <notificationComplete> event is generated on a subscription that requested notification replay and also requested that notification delivery stop (i.e., that the subscription terminate) after a certain time, using the <stopTime> parameter. This event type cannot be filtered out: the server will always attempt to deliver this notification event type when it
75. f no log file is specified. The log levels are incremental, meaning that each higher level includes everything from the previous level plus additional messages. There are 7 settings that can be used:
  none:   All logging is suppressed. Use with extreme caution.
  error:  Error messages are printed, indicating problems that require attention.
  warn:   Warning messages are printed, indicating problems that may require attention.
  info:   Informational messages are printed that indicate program status changes.
  debug:  Debugging messages are printed that indicate program activity.
  debug2: Protocol debugging and trace messages are enabled.
  debug3: Very verbose debugging messages are enabled. This has an impact on resources and performance and should be used with caution.

--log-level parameter
  Syntax: enumeration (off, error, warn, info, debug, debug2, debug3, debug4)
  Default: info (debug for DEBUG builds)
  Min Allowed: 0
  Max Allowed: 1
  Supported by: netconfd, yangcli, yangdiff, yangdump
  Example: netconfd --log-level=debug --log=server.log

The --max-burst parameter specifies the maximum number of notifications to send in a burst to one session. Even though TCP will control the transmission rate, this parameter can limit the memory usage due to buffering of notifications waiting to be sent. The value zer
76. f:name

Example Request:
  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="44">
    <nc:get>
      <nc:filter type="xpath" xmlns:if="http://netconfcentral.org/ns/interfaces" select="//if:name"/>
    </nc:get>
  </nc:rpc>

Example Reply:
  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="44">
    <nc:data>
      <if:interfaces xmlns:if="http://netconfcentral.org/ns/interfaces">
        <if:interface><if:name>lo</if:name></if:interface>
        <if:interface><if:name>eth0</if:name></if:interface>
        <if:interface><if:name>virbr0</if:name></if:interface>
        <if:interface><if:name>pan0</if:name></if:interface>
      </if:interfaces>
    </nc:data>
  </nc:rpc-reply>

The module yuma-time-filter.yang defines a timestamp mechanism to help reduce polling overhead for a client. Timestamps are specified in the date-and-time format from the ietf-yang-types.yang module. The timestamp parameter if-modified-since is added to the <get> and <get-config> operations. The timestamp monitoring node last-modified is added to the netconf-state/datastores/datastore list. The XML attribute last-modified is added to the <rpc-reply> element
77. f:params:xml:ns:netconf:base:1.0" message-id="5">
    <nc:ok/>
  </nc:rpc-reply>

The <copy-config> operation is used to transfer entire configuration databases in one operation. This is a destructive, stop-on-error operation. It is not like <edit-config> or <commit>, which can be used in an all-or-nothing manner: a failed <copy-config> can leave the target of the operation in an unstable, invalid state. This operation should be used with caution.

The <source> and <target> parameters are simple to understand, but there are many interactions and some complexity due to the many combinations of optional capabilities that are possible. When inline configuration data is used in the <source> parameter, it is applied to the <target> differently depending on the database:
  - If the <target> is the <startup> configuration, then the new configuration simply overwrites the old one and no validation is done at all. Because nothing is checked, an invalid configuration written directly into <startup> is not detected until the server next loads it.
  - If the <target> is the <candidate> or <running> configuration, then the new configuration is applied as if the operation were an <edit-config> operation with a <default-operation> parameter set to replace. All validation and access control procedures are followed.
The <with-defaults> parameter is also available for filtering the output as it is copied to the target.

<copy-config> operation
  Min parameters: 2
  M
78. first one encountered will be used. Entries are checked in the same order they are returned in a <get-config> reply message. If the read or write access bits are set in the <allowed-rights> key leaf, then they will be ignored. This will not cause an error, but these bits have no effect within an RPC rule.

The following example shows an <edit-config> operation which creates 2 <rpc-rule> entries for the following configuration:
  - the admin and monitor groups are allowed to execute the <get-config> operation
  - the guest group is not allowed to execute the <get-config> operation

  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="5">
    <nc:edit-config>
      <nc:target><nc:candidate/></nc:target>
      <nc:config>
        <nacm:nacm xmlns:nacm="http://netconfcentral.org/ns/yuma-nacm">
          <nacm:rules>
            <nacm:rpc-rule nc:operation="create">
              <nacm:rpc-module-name>netconf</nacm:rpc-module-name>
              <nacm:rpc-name>get-config</nacm:rpc-name>
              <nacm:allowed-rights>exec</nacm:allowed-rights>
              <nacm:allowed-group>nacm:admin</nacm:allowed-group>
              <nacm:allowed-group>nacm:monitor</nacm:allowed-group>
            </nacm:rpc-rule>
            <nacm:rpc-rule nc:operation="create">
              <nacm:rpc-modul
79. for replies to <get> and <get-config> operations. The per-datastore last-modified timestamp is for the entire datastore contents. If the if-modified-since parameter is present in the <get> or <get-config> request, then the server will check the corresponding last-modified timestamp:
  - If the last-modified timestamp is more recent than the if-modified-since value, then the <get> or <get-config> operation is processed as normal.
  - If the last-modified timestamp is not more recent than the if-modified-since value, then the <get> or <get-config> operation is not processed. Instead, an empty <data> element is returned.
The last-modified XML attribute in the <rpc-reply> will indicate the last modification timestamp for the datastore.

Example Request:
  <?xml version="1.0" encoding="UTF-8"?>
  <get-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <source><running/></source>
    <if-modified-since xmlns="http://netconfcentral.org/ns/yuma-time-filter">2011-08-21T21:51:46Z</if-modified-since>
  </get-config>
  </rpc>

Empty reply, because the datastore was not modified since the specified time:
  <?xml version="1.0" encoding="UTF-8"?>
  <rpc-reply message-id="4" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" last-modified="2011-08-21T17:51:46Z" xmlns="urn:ietf:params:x
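The comparison rule above, worked through in Python as an added example (this is not netconfd code). It builds a <get-config> carrying if-modified-since on the client side and evaluates it on the server side against a per-datastore last-modified value. The element and attribute names follow the manual; the DATASTORES table standing in for netconf-state/datastores, its timestamps and the configuration payload are constructed for the example.

```python
"""if-modified-since handling for <get-config>, as described in the yuma-time-filter section.

Added example (not netconfd code). Element and attribute names follow the
manual; DATASTORES, its timestamps and the payload are constructed stand-ins.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
TF = "http://netconfcentral.org/ns/yuma-time-filter"
ET.register_namespace("nc", NC)
ET.register_namespace("ytf", TF)

# Constructed stand-in for the per-datastore last-modified timestamp and contents.
DATASTORES = {
    "running": {
        "last-modified": datetime(2011, 8, 21, 17, 51, 46, tzinfo=timezone.utc),
        "data": '<interfaces xmlns="http://netconfcentral.org/ns/interfaces">'
                '<interface><name>eth0</name></interface></interfaces>',
    }
}


def parse_date_and_time(text):
    """Parse an ietf-yang-types date-and-time value; reject values with no zone."""
    text = text.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    value = datetime.fromisoformat(text)
    if value.tzinfo is None:
        raise ValueError("invalid-value: if-modified-since needs a UTC offset")
    return value.astimezone(timezone.utc)


def format_date_and_time(value):
    return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_get_config(message_id, source, if_modified_since=None):
    """Client side: a <get-config> with an optional if-modified-since parameter."""
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": message_id})
    op = ET.SubElement(rpc, f"{{{NC}}}get-config")
    src = ET.SubElement(op, f"{{{NC}}}source")
    ET.SubElement(src, f"{{{NC}}}{source}")
    if if_modified_since is not None:
        ET.SubElement(op, f"{{{TF}}}if-modified-since").text = if_modified_since
    return ET.tostring(rpc, encoding="unicode")


def handle_get_config(rpc_xml, datastores=DATASTORES):
    """Server side: apply the last-modified comparison and build the reply.

    Returns the reply XML, whether the request was processed, the
    last-modified value put on <rpc-reply>, and the number of children of
    <data> (0 means an empty <data/> was returned).
    """
    rpc = ET.fromstring(rpc_xml)
    op = rpc.find(f"{{{NC}}}get-config")
    source = op.find(f"{{{NC}}}source")[0].tag.split("}")[-1]
    ds = datastores[source]
    ims = op.find(f"{{{TF}}}if-modified-since")
    # Only a last-modified strictly more recent than the client's value makes
    # the server process the request; an equal or older one yields empty <data>.
    processed = ims is None or ds["last-modified"] > parse_date_and_time(ims.text)
    reply = ET.Element(f"{{{NC}}}rpc-reply", {
        "message-id": rpc.get("message-id"),
        "last-modified": format_date_and_time(ds["last-modified"]),
    })
    data = ET.SubElement(reply, f"{{{NC}}}data")
    if processed:
        data.append(ET.fromstring(ds["data"]))
    return {
        "xml": ET.tostring(reply, encoding="unicode"),
        "processed": processed,
        "last_modified": reply.get("last-modified"),
        "data_children": len(data),
    }
```

A client that sees an empty <data> with a last-modified attribute should treat the reply as "unchanged since your timestamp", not as "the datastore is empty"; the timestamp in the reply is the value to send on the next poll.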
80. he --feature-disable parameter directs all programs to disable a specific feature. This parameter is a formatted string containing a module name, followed by a colon, followed by a feature name, e.g., test:feature1.

It is an error if a --feature-enable and a --feature-disable parameter specify the same feature. Parameters for unknown features will be ignored.

--feature-disable parameter
  Syntax: formatted string (module:feature)
  Default: none
  Min Allowed: 0
  Max Allowed: unlimited
  Supported by: yangcli, yangdiff, yangdump, netconfd
  Example: netconfd --feature-disable=test:feature1

3.11 --feature-enable

The --feature-enable parameter directs all programs to enable a specific feature. This parameter is a formatted string containing a module name, followed by a colon, followed by a feature name, e.g., test:feature1.

It is an error if a --feature-disable and a --feature-enable parameter specify the same feature. Parameters for unknown features will be ignored.

--feature-enable parameter
  Syntax: formatted string (module:feature)
  Default: none
  Min Allowed: 0
  Max Allowed: unlimited
  Supported by: yangcli, yangdiff, yangdump, netconfd
  Example: netconfd --feature-enable=test:feature1

The --feature-enable-default parameter controls how yangdump will generate C code for YANG fea
81. he first one that produces a result node-set with a matching node will be used. If the exec access bit is set in the <allowed-rights> key leaf, then it will be ignored. This will not cause an error, but this bit has no effect within a data rule.

The following example shows an <edit-config> operation which creates 3 <data-rule> entries for the following configuration:
  - the admin group is allowed to read or write all interfaces
  - the monitor group is allowed to read the eth0 interface
  - the guest group is not allowed to read any interfaces information

  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
    <nc:edit-config>
      <nc:target><nc:candidate/></nc:target>
      <nc:default-operation>none</nc:default-operation>
      <nc:config>
        <nacm:nacm xmlns:nacm="http://netconfcentral.org/ns/yuma-nacm">
          <nacm:rules>
            <nacm:data-rule nc:operation="create">
              <nacm:name>itf-1</nacm:name>
              <nacm:path xmlns:if="http://netconfcentral.org/ns/yuma-interfaces">/if:interfaces/if:interface</nacm:path>
              <nacm:allowed-rights>read write</nacm:allowed-rights>
              <nacm:allowed-group>nacm:admin</nacm:allowed-group>
              <nacm:comment>let admin group read and write all interfaces</nacm:comment>
            </na
82. hen an empty <data> element will be returned and the request will not be processed.

Returns: <data> element

Possible Operation Errors: access-denied, invalid-value

Example (subtree filter) Request:
  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
    <nc:get-config>
      <nc:source><nc:candidate/></nc:source>
      <nc:filter type="subtree">
        <nacm:nacm xmlns:nacm="http://netconfcentral.org/ns/nacm">
          <nacm:rules>
            <nacm:moduleRule/>
          </nacm:rules>
        </nacm:nacm>
      </nc:filter>
    </nc:get-config>
  </nc:rpc>

Equivalent XPath Filter Request:
  <?xml version="1.0" encoding="UTF-8"?>

Example Reply:
  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" last-modified="2011-08-21T17:51:46Z" message-id="3">
    <nc:data>
      <nacm:nacm xmlns:nacm="http://netconfcentral.org/ns/nacm">
        <nacm:rules>
          <nacm:moduleRule>
            <nacm:moduleName>netconf</nacm:moduleName>
            <nacm:allowed-rights>read exec</nacm:allowed-rights>
            <nacm:allowed-group>nacm:guest</nacm:allowed-group>
          </nacm:moduleRule>
          <nacm:moduleRule>
            <nacm:moduleName>netconfd</nacm:moduleName>
83. ... 30
2.5.2 ... 30
2.5.3 <error-app-tag> Element 31
2.5.4 <error-path> Element 32
2.5.5 <error-message> Element 33
2.5.6 <error-info> Element 33
2.5.7 instance-required Error Example 33
2.5.8 missing-choice Error Example 35
2.5.9 no-matches Error Example 36
2.5.10 not-in-range Error Example 38
2.6 Protocol Operations 39
2.6.1 <cancel-commit> 39
2.6.2 ... 40
2.6.3 <commit> 41
2.6.4 <copy-config> 43
2.6.5 <create-subscription> 45
2.6.6 <delete-config> 47
2.6.7 <discard-changes> 48
2.6.8 <edit-config> 49
2.6.9 ... 51
2.6.10 <get-config> 55
2.6.11 ... 58
2.6.12 <get-schema> 59
2.6.13 ... 61
2.6.14 ... 63
2.6.15 <lock> 64
2.6.16 ... 66
2.6.17 ... 67
2.6.18 <partial-...> 68
2.6.19 ... 70
2.6.20 ... 70
2.6.21 <set-my-sessi
84. idate capability is advertised by the server. The <lock> operation will fail on this database if there are any edits already pending in the <candidate>. If the <lock> fails with a lock-denied error and no session is holding a lock, then use the <discard-changes> operation to clear the <candidate> buffer of any edits. Once all the edits have been made, the <validate> operation can be used to check whether all database validation tests will pass. This step is optional. Once the edits are completed, the <commit> operation is used to activate the configuration changes and save them in non-volatile storage. The <discard-changes> operation is used to clear any edits from this database.

The <running> database is available at all times for reading. If the writable-running capability is advertised by the server, then this database will be available as the target for <edit-config> operations. Edits to the <running> configuration will take effect right away, as each <edit-config> operation is completed. Once all the edits are completed, the <copy-config> operation can be used to save the current <running> configuration to non-volatile storage, by setting the target of the <copy-config> operation to the <startup> configuration.

The <startup> database is available if the startup capability is advertised by the server. The <copy-config> operation can be used to save
85. ifies the server instrumentation library (SIL) search path to use while searching for library files. It consists of a colon-separated list of path specifications, as commonly found in Unix (for example the PATH environment variable). This parameter overrides the YUMA_RUNPATH environment variable if it is present. If no path is specified, or a SIL is not found, the directories /usr/lib/yuma and /usr/lib64/yuma (for 64-bit platforms) are checked.

3.28 --runpath parameter
  Syntax: string (list of directory specifications)
  Default: YUMA_RUNPATH environment variable
  Min Allowed: 0
  Max Allowed: 1
  Supported by: netconfd, yangcli
  Example: netconfd --runpath=testsil:yuma/device

Start

The start parameter is a choice specifying how the netconfd server will load the non-volatile startup configuration at boot time. If no choice is made at all, then the server will check its data path for the file startup-cfg.xml.

choice start:
  --no-startup (type: empty)
    Specifies that no configuration will be loaded at all at boot time.
  --factory-startup (type: empty)
    Force the system to use the factory configuration and delete the startup config file if it exists. Force the NV-storage startup to contain the factory default configuration.
  --startup (type: string)
    Specifies the file name of the boot-time configuration. The server expects thi
86. ing conventions are used throughout this document.

Documentation Conventions
  Convention     Description
  --foo          CLI parameter foo
  <foo>          XML parameter foo
  foo            yangcli command or parameter foo
  $FOO           Environment variable FOO
  $$foo          yangcli global variable foo
  some text      Example command or PDU
  some text      Plain text

2 netconfd User Guide

netconfd Program Components

netconfd (NETCONF Agent)

The netconfd program is a NETCONF-over-SSH server implementation. It is driven directly by YANG files and provides a robust and secure database interface using standard NETCONF protocol operations. All aspects of NETCONF protocol operation handling can be done automatically by the netconfd server. However, the interface between the NETCONF database and the device instrumentation is not covered in this document. Refer to the server Developer's Guide for details on adding YANG module instrumentation code to the netconfd server.

The netconfd server has the following features:
  - Complete implementation of NETCONF versions 1.0 and 1.1
  - Automatic support for all NETCONF operations, including the YANG insert operation
  - Supports <candidate>, <running>, and <startup> databases
  - Supports the complete NETCONF protocol defined in RFC 4741 and RFC 6241
  - Supports the complete SSH transport binding defined in
87. ing the confirmed commit automatically.
  persist
    type: string
    default: none
    capabilities needed: confirmed-commit and base:1.1
    This parameter sets the string that all sessions can use to access this confirmed commit procedure.
  persist-id
    type: string
    default: none
    capabilities needed: confirmed-commit and base:1.1
    This parameter carries the string given as <persist> by an earlier <commit>, identifying the confirmed commit procedure it started, so that a follow-up or confirming <commit> can be issued from any session (RFC 6241, section 8.4). It is used to gain access to the confirmed commit procedure when the persist parameter is not present.

Returns: <ok>

Possible Operation Errors:
  access-denied: access control is configured to deny access to this operation
  in-use: the <candidate> or <running> configuration is locked by another session
  operation-failed:
    must-violation: a must statement is false
    too-few-elements: a min-elements expression is false
    too-many-elements: a max-elements expression is false
    data-not-unique: unique statement violation
  data-missing: mandatory statement violation, or missing leafref path object

Example Request:
  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="5">
    <nc:commit/>
  </nc:rpc>

Example Reply:
  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc-reply xmlns:nc="urn:iet
88. ion Errors: access-denied, subscription-already-active

Example Request:
  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
    <ncEvent:create-subscription xmlns:ncEvent="urn:ietf:params:xml:ns:netconf:notification:1.0">
      <ncEvent:startTime>2009-01-01T00:00:00Z</ncEvent:startTime>
    </ncEvent:create-subscription>
  </nc:rpc>

Example Reply:
  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
    <nc:ok/>
  </nc:rpc-reply>

The <delete-config> operation is used to delete the entire contents of a NETCONF database. By default, only the superuser account is allowed to invoke this operation. If the startup capability is supported, then the <startup> configuration can be cleared. This will affect the startup file that was actually loaded into the server, or the default file if the --no-startup configuration parameter was used.

The <running> and <candidate> configurations cannot be deleted. The <startup> configuration can be repopulated with the <copy-config> or <commit> operations.

<delete-config> operation
  Min parameters: 1
  Max parameters: 1
  Return type: status
  YANG file: yuma-netconf.yang
  Capabilities needed: startup

Mandato
89. is capability can be controlled with the --protocols CLI parameter. This capability is supported by default.

The base:1.1 capability indicates that the RFC 6241 version of the NETCONF protocol is supported. This capability can be controlled with the --protocols CLI parameter. This capability is supported by default.

The candidate capability indicates that database edits will be done to the <candidate> database and saved with the <commit> operation. The <candidate> configuration is a shared scratch pad, so it should be used with locking. Database edits are collected in the <candidate> and then applied all-or-nothing to the <running> database with the <commit> operation. This capability is supported by default. It is controlled by the --target configuration parameter (--target=candidate). By default, only the superuser account can use the <delete-config> operation on the <candidate> configuration.

The confirmed-commit capability indicates that the server will support the <confirmed> and <confirm-timeout> parameters to the <commit> operation. If the base:1.1 protocol version is in use, then the <persist> and <persist-id> parameters are also supported. The confirmed commit procedure requires that two <commit> operations be used to apply changes from the candidate configuration to the running configuration. If the second <commit> operation is not
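The two-<commit> procedure described here and the <persist>/<persist-id> hand-over described under the <commit> operation, modelled in Python as an added example (not netconfd code). The datastores are plain dicts and the clock is injected so the confirm-timeout rollback can be exercised without waiting. Assumptions: the token-mismatch error is reported as invalid-value (following RFC 6241; the manual does not state which error-tag netconfd uses), and a confirming <commit> from a different session without the right <persist-id> is rejected the same way.

```python
"""Confirmed-commit procedure (RFC 6241 section 8.4) as a small state machine.

Added example, not netconfd code. Models the confirmed commit, the
confirm-timeout rollback, the <persist>/<persist-id> hand-over between
sessions, <cancel-commit>, and loss of the starting session.
"""
from dataclasses import dataclass
from typing import Optional


class RpcError(Exception):
    """Carries the NETCONF error-tag the <rpc-reply> would use."""


@dataclass
class PendingConfirm:
    session: int            # session that started the procedure
    deadline: float         # clock value at which the change is rolled back
    saved_running: dict     # <running> contents before the confirmed commit
    persist: Optional[str] = None   # token from <persist>, if any


class CommitServer:
    def __init__(self, candidate, running, clock):
        self.candidate = dict(candidate)
        self.running = dict(running)
        self.clock = clock          # callable returning seconds
        self.pending = None         # PendingConfirm while awaiting confirmation

    def expire(self):
        """Roll <running> back if the confirm-timeout passed without a confirming commit."""
        if self.pending is not None and self.clock() >= self.pending.deadline:
            self.running = dict(self.pending.saved_running)
            self.pending = None
            return True
        return False

    def _authorised(self, session, persist_id):
        # Follow-up, confirming and cancelling commits must come from the starting
        # session, or present the persist token of a persistent confirmed commit.
        p = self.pending
        if p.session == session:
            return True
        return p.persist is not None and persist_id == p.persist

    def commit(self, session, confirmed=False, confirm_timeout=600,
               persist=None, persist_id=None):
        self.expire()
        if self.pending is None:
            if persist_id is not None:
                raise RpcError("invalid-value")   # no procedure carries this token (assumption)
            if confirmed:
                self.pending = PendingConfirm(session, self.clock() + confirm_timeout,
                                              dict(self.running), persist)
            self.running = dict(self.candidate)
            return "ok"
        if not self._authorised(session, persist_id):
            raise RpcError("invalid-value")       # wrong session / token (assumption)
        self.running = dict(self.candidate)       # any further candidate edits apply too
        if confirmed:
            # follow-up confirmed commit: restart the timer, optionally rotate the token
            self.pending.deadline = self.clock() + confirm_timeout
            if persist is not None:
                self.pending.persist = persist
        else:
            self.pending = None                   # confirming commit: change is permanent
        return "ok"

    def cancel_commit(self, session, persist_id=None):
        if self.expire() or self.pending is None:
            raise RpcError("operation-failed")    # nothing to cancel
        if not self._authorised(session, persist_id):
            raise RpcError("invalid-value")
        self.running = dict(self.pending.saved_running)
        self.pending = None
        return "ok"

    def session_closed(self, session):
        """A non-persistent confirmed commit is rolled back when its session ends."""
        p = self.pending
        if p is not None and p.session == session and p.persist is None:
            self.running = dict(p.saved_running)
            self.pending = None
            return True
        return False
```

The security value of the procedure is the rollback path: an operator who locks themselves out with a bad change gets the previous <running> back when the timer expires or the session drops, and only a holder of the <persist> token can keep a persistent change alive from another session, so the token should be treated like a credential and not logged.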
90. it>
      <sys:target>/nd:config/nacm:nacm/nacm:groups/nacm:group[nacm:groupIdentity='nacm:admin']</sys:target>
      <sys:operation>create</sys:operation>
    </sys:edit>
  </sys:sysConfigChange>
  <sys:sequence-id xmlns:sys="http://netconfcentral.org/ns/system">7</sys:sequence-id>
</ncEvent:notification>

The <sysCapabilityChange> notification is generated when the set of active capabilities for the server has changed. The most common way this notification is generated is after the <load> operation has been used to add a new YANG module to the system. It is possible that this notification will be generated for removal of capabilities; however, at this time there are no NETCONF capabilities that can be removed from the running system.

The <added-capability> leaf-list will contain the capability URI for each new capability that has just been added.

The <deleted-capability> leaf-list will contain the capability URI for each existing capability that has just been deleted.

The <changedBy> container will identify whether the server or a NETCONF session caused the capability change. If the change was made by the server, then this container will have an empty leaf named <server>. If the change was made by a NETCONF session, the user name, remote address, and session ID for the session that caused the change are reported. If multiple changes are made at once th
91. l be used instead of the default values.

This section describes the netconfd implementation details which may affect <rpc-error> processing by a client application.

The <error-severity> field will always be set to error. There are no warnings generated by netconfd.

All NETCONF <error-tag> enumerations are supported except partial-operation. This error is being deprecated in the standard because nobody has implemented it.

If this field is set to invalid-value, then the <bad-value> element should be present in the <error-info>, identifying the invalid value that caused the problem.

All standard <error-info> contents are supported. The following table summarizes the different <error-tag> values. The <error-number> parameter is not shown in the error-info column because it is added for every error-tag.

<error-tag> Summary
  error-tag       error-info                                   description
  access-denied   none                                         NACM denied access
  bad-attribute   <bad-attribute>, <bad-element>, <bad-value>  just for the few attributes used in NETCONF
  bad-element     <bad-element>, <bad-value>                   sometimes used instead of invalid-value
  data-exists     none                                         nc:operation="create"
  data-missing    none                                         nc:operation="delete" or "replace"
  in-use          none                                         edit on locked database
  invalid-value   <bad-value>                                  for typedef constraints
  lock-denied     <session-id
92. l policy denies permission to read a particular node, then that node is silently skipped in the output. No error or warning messages will be generated; client applications should be prepared to receive XML subtrees that have been pruned by access control. The <data> element will always be present, so an empty <data> element indicates that no data was returned, either because the <filter> did not match or because access control pruned the requested nodes.

There are really five types of filters available for retrieval operations:

Filter Types
  type               description
  is-config          Choose the <get> operation for all objects, or <get-config> for just config=true objects
  is-default         Set the <with-defaults> parameter to trim
  is_client_set      Set the <with-defaults> parameter to explicit
  subtree filtering  Use <filter type="subtree">some xml subtree</filter> to retrieve portions of the <candidate> or <running> configurations
  XPath filtering    Use <filter type="xpath" select="expr"/> to retrieve portions of the <candidate> or <running> configurations

The subtree filtering feature is fully supported. The order of nodes within the <filter> element is not relevant. Data returned in the <rpc-reply> should follow the same top-level order as the request, but this sh
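The subtree-filter behaviour described here, together with the silent access-control pruning and the always-present <data> element, worked through in Python as an added example (not netconfd code; it follows the subtree filtering rules of RFC 6241 section 6 for selection, containment and content-match nodes). The interfaces document extends the <get> reply shown earlier with a constructed mtu leaf, and the DENY_PAN0 policy callback is a constructed stand-in for a NACM decision.

```python
"""NETCONF subtree filtering (RFC 6241 section 6) with access-control pruning.

Added example, not netconfd code. Applies a <filter type="subtree"> body to
a <data> tree; a policy callback drops nodes silently, as the manual
describes, and the result is always a <data> element, empty when nothing
matched or everything was pruned. The document and policy are constructed.
"""
import copy
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
IF = "http://netconfcentral.org/ns/interfaces"


def _text(e):
    return (e.text or "").strip()


def _is_content_match(f):
    """Leaf filter node with a value: the data must contain exactly that leaf."""
    return len(f) == 0 and _text(f) != ""


def _copy_allowed(node, path, denied):
    """Deep copy of node minus every subtree the policy denies."""
    out = ET.Element(node.tag, node.attrib)
    out.text = node.text
    for child in node:
        if not denied(path + "/" + child.tag, child):
            out.append(_copy_allowed(child, path + "/" + child.tag, denied))
    return out


def _apply(fnode, dnode, path, denied):
    """fnode and dnode share a tag; return the selected part of dnode or None."""
    fchildren = list(fnode)
    if not fchildren:                                   # selection node
        return _copy_allowed(dnode, path, denied)
    content = [f for f in fchildren if _is_content_match(f)]
    for f in content:                                   # every content match must hold
        if not any(d.tag == f.tag and _text(d) == _text(f)
                   and not denied(path + "/" + d.tag, d) for d in dnode):
            return None
    others = [f for f in fchildren if not _is_content_match(f)]
    if not others:                                      # only content matches: whole node
        return _copy_allowed(dnode, path, denied)
    out = ET.Element(dnode.tag, dnode.attrib)
    for d in dnode:
        dpath = path + "/" + d.tag
        if denied(dpath, d):
            continue                                    # pruned silently, no error
        if any(f.tag == d.tag and _text(f) == _text(d) for f in content):
            out.append(copy.deepcopy(d))                # matched content nodes are echoed
            continue
        for f in others:
            if f.tag == d.tag:
                sub = _apply(f, d, dpath, denied)
                if sub is not None:
                    out.append(sub)
    return out if len(out) else None


def subtree_filter(data, filt, denied=lambda path, node: False):
    """Return a new <data> element; empty when nothing matched or all was pruned."""
    result = ET.Element(f"{{{NC}}}data")
    for f in filt:                                      # an empty <filter/> selects nothing
        for d in data:
            if d.tag == f.tag and not denied("/" + d.tag, d):
                sub = _apply(f, d, "/" + d.tag, denied)
                if sub is not None:
                    result.append(sub)
    return result


# Constructed <data> tree in the style of the <get> reply above, plus an mtu leaf.
DATA = ET.fromstring(f"""<data xmlns="{NC}"><interfaces xmlns="{IF}">
  <interface><name>lo</name><mtu>65536</mtu></interface>
  <interface><name>eth0</name><mtu>1500</mtu></interface>
  <interface><name>pan0</name><mtu>1500</mtu></interface>
</interfaces></data>""")

# Constructed policy: the caller may not read the pan0 list entry.
DENY_PAN0 = lambda path, node: (node.tag == f"{{{IF}}}interface"
                                and node.findtext(f"{{{IF}}}name") == "pan0")


def run(filter_xml, denied=lambda path, node: False):
    return subtree_filter(DATA, ET.fromstring(filter_xml), denied)


def interface_names(data):
    return [_text(n) for n in data.iter(f"{{{IF}}}name")]


def mtu_values(data):
    return [_text(n) for n in data.iter(f"{{{IF}}}mtu")]
```

The point for a client is in the last two cases of the test: a pruned reply is indistinguishable from one where the node does not exist, so a monitoring client that expects a fixed set of interfaces has to treat "missing" as "missing or not permitted".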
93. le only contains deviations for objects in the same module, then the --deviation parameter does not need to be used. The program will attempt to load each module in deviation-parsing mode, in the order the parameters are entered. For the netconfd program, if any modules have fatal errors then the program will terminate. For the yangdump and yangcli programs, each module will be processed as requested.

--deviation parameter
  Syntax: module name or filespec
  Default:
  Min Allowed:
  Max Allowed: unlimited
  Supported by: netconfd, yangcli, yangdump
  Example: netconfd --deviation=test1-deviations

The --eventlog-size parameter controls the maximum number of events that will be stored in the notification replay buffer by the netconfd server. If set to 0, then notification replay will be disabled, meaning that all requests for replay subscriptions will cause the <replayComplete> event to be sent right away, since there are no stored notifications. The server will delete the oldest entry when this limit is reached and a new event is added to the replay buffer. No memory is actually set aside for the notification replay buffer, so memory limits may be reached before the maximum number of events is actually stored at any given time.

--eventlog-size parameter
  Syntax: uint32
  Default: 1000
  Min Allowed: 0
  Max Allowed:
  Example: netconfd --eventlog-size=20000

T
94. lns:nacm="http://netconfcentral.org/ns/yuma-nacm">
          <nacm:rules>
            <nacm:module-rule nc:operation="create">
              <nacm:module-name>nacm</nacm:module-name>
              <nacm:allowed-rights>read write</nacm:allowed-rights>
              <nacm:allowed-group>nacm:admin</nacm:allowed-group>
            </nacm:module-rule>
            <nacm:module-rule nc:operation="create">
              <nacm:module-name>nacm</nacm:module-name>
              <nacm:allowed-rights>read</nacm:allowed-rights>
              <nacm:allowed-group>nacm:monitor</nacm:allowed-group>
            </nacm:module-rule>
          </nacm:rules>
        </nacm:nacm>
      </nc:config>
    </nc:edit-config>
  </nc:rpc>

The nacm/rules/rpc-rule data structure is used to configure access for a specific RPC operation from a specific YANG module. If the module namespace URI for the <rpc-module-name> value is the same as the XML namespace used in the NETCONF PDU, and the <rpc-name> value is the same as the RPC method name, then the RPC rule is considered a match. Multiple instances can appear for a single RPC operation, as long as the <allowed-rights> key leaf value is different in each entry. This allows different groups to get different access to the same operation (e.g., exec vs. no access). There is no way to move <rpc-rule> entries around once they are created. If a group appears in multiple entries for the same RPC operation, then the
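The first-match semantics described for rpc-rule, data-rule and module-rule entries (the read/write bits being ignored in an rpc-rule, the exec bit being ignored in a data-rule, and the first entry naming the group winning) as an added Python example; this is not netconfd code and does not reproduce its NACM implementation. Assumptions, also marked in the code: a data-rule <path> is matched as an instance-path prefix rather than evaluated as XPath; rpc-rules are consulted before module-rules for an RPC and data-rules before module-rules for data; a request no rule covers is denied; the --superuser bypass is modelled as a flag. The RULES list follows the manual's examples, but the monitor data-rule for eth0 and the "no rights" entries are assumed because those parts of the examples are cut off, and the GROUPS memberships are constructed.

```python
"""First-match evaluation of module-rule, rpc-rule and data-rule entries.

Added example, not netconfd code. Rules are kept in the order a <get-config>
would return them because the first matching entry wins. Assumptions: a
data-rule path is a prefix of the instance path (not real XPath), rpc-rules
precede module-rules for RPCs, data-rules precede module-rules for data, and
an uncovered request is denied.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    kind: str               # "module", "rpc" or "data"
    groups: frozenset       # <allowed-group> values
    rights: frozenset       # <allowed-rights>: any of read, write, exec
    module: str = ""        # <module-name> or <rpc-module-name>
    rpc: str = ""           # <rpc-name> (rpc-rule only)
    path: str = ""          # <path> (data-rule only)


def rule(kind, groups, rights, **kw):
    return Rule(kind, frozenset(groups), frozenset(rights.split()), **kw)


def _first(rules, kind, groups, pred):
    """First entry of this kind that names one of the caller's groups and matches."""
    for r in rules:
        if r.kind == kind and (r.groups & groups) and pred(r):
            return r
    return None


def _path_covers(rule_path, instance_path):
    # assumption: prefix match, so /if:interfaces/if:interface covers
    # /if:interfaces/if:interface[if:name='eth0']/if:mtu
    return (instance_path == rule_path
            or instance_path.startswith(rule_path + "/")
            or instance_path.startswith(rule_path + "["))


def rpc_permitted(rules, groups, rpc_module, rpc_name, superuser=False):
    """May a user in `groups` execute rpc_name from module rpc_module?"""
    if superuser:                                   # --superuser bypasses access control
        return True
    r = _first(rules, "rpc", groups,
               lambda r: r.module == rpc_module and r.rpc == rpc_name)
    if r is None:
        r = _first(rules, "module", groups, lambda r: r.module == rpc_module)
    # read/write bits in an rpc-rule are ignored; only exec counts here
    return r is not None and "exec" in r.rights


def data_permitted(rules, groups, module, instance_path, access, superuser=False):
    """May a user in `groups` read or write the node at instance_path?"""
    if access not in ("read", "write"):
        raise ValueError("access must be read or write")
    if superuser:
        return True
    r = _first(rules, "data", groups, lambda r: _path_covers(r.path, instance_path))
    if r is None:
        r = _first(rules, "module", groups, lambda r: r.module == module)
    # an exec bit in a data-rule has no effect; only read/write are checked
    return r is not None and access in r.rights


# In the spirit of the manual's examples; the eth0 data-rule and the
# "no rights" entries are assumed because those parts are not shown.
RULES = [
    rule("rpc", ["nacm:admin", "nacm:monitor"], "exec", module="netconf", rpc="get-config"),
    rule("rpc", ["nacm:monitor"], "", module="netconf", rpc="get-config"),  # never reached
    rule("rpc", ["nacm:guest"], "", module="netconf", rpc="get-config"),
    rule("data", ["nacm:admin"], "read write", path="/if:interfaces/if:interface"),
    rule("data", ["nacm:monitor"], "read", path="/if:interfaces/if:interface[if:name='eth0']"),
    rule("data", ["nacm:guest"], "", path="/if:interfaces"),
    rule("module", ["nacm:admin"], "read write", module="nacm"),
    rule("module", ["nacm:monitor"], "read", module="nacm"),
]

# Constructed group memberships.
GROUPS = {
    "fred": frozenset({"nacm:admin"}),
    "mon": frozenset({"nacm:monitor"}),
    "anon": frozenset({"nacm:guest"}),
}
```

Because entries cannot be reordered once created, a rule that is meant to deny a group has to be created before any broader entry that also names that group; the second monitor rpc-rule above is inert for exactly that reason.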
95. ml:ns:netconf:base:1.0">
    <data></data>
  </rpc-reply>

The netconfd server supports all the capabilities of RFC 5277 and the notification monitoring portion of the ietf-netconf-monitoring.yang data model. There are also some proprietary notifications defined in yuma-system.yang.

The <create-subscription> operation is used to start receiving notifications. It can be used in 4 different modes:
  - Get all or some of the stored notifications: the <startTime> and <stopTime> parameters are used, and the stop time is in the past.
  - Get all or some of the stored notifications, then receive live notifications until some point in the future: the <startTime> and <stopTime> parameters are used, and the stop time is in the future.
  - Get all or some of the stored notifications, then start receiving live notifications until the session is terminated: the <startTime> parameter is used, but the <stopTime> parameter is not.
  - Start receiving live notifications until the session is terminated: neither <startTime> nor <stopTime> is used.

Once a subscription is started, notifications may start arriving after the <rpc-reply> for the <create-subscription> operation is sent. If the <startTime> parameter is used, then zero or more stored notifications will be returned, followed by the <replayComplete> notification. If the <stopTime>
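The four modes above, the --eventlog-size=0 case (an empty replay buffer, so <replayComplete> is sent at once) and the <replayComplete>/<notificationComplete> end-of-replay events, decided in Python as an added example (not netconfd code). Given the replay buffer and the two timestamps it returns which stored events are replayed, whether live delivery follows and which terminal events the subscriber will see. The EVENTLOG entries and NOW are constructed; the parameter-error cases follow RFC 5277 (stopTime without startTime, stopTime before startTime, startTime in the future) and are raised as ValueError with the error-tag in the message.

```python
"""Choosing the <create-subscription> mode from <startTime>/<stopTime>.

Added example, not netconfd code. The event log is a constructed list of
(eventTime, notification name) tuples; --eventlog-size=0 corresponds to an
empty list.
"""
from datetime import datetime, timezone


def parse_date_and_time(text):
    text = text.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    value = datetime.fromisoformat(text)
    if value.tzinfo is None:
        raise ValueError("bad-element: timestamp needs a UTC offset")
    return value.astimezone(timezone.utc)


def plan_subscription(eventlog, start_time=None, stop_time=None, now=None):
    """Return mode, replayed event names, whether live delivery follows,
    and the terminal events in delivery order."""
    now = now or datetime.now(timezone.utc)
    if stop_time is not None and start_time is None:
        raise ValueError("missing-element: stopTime requires startTime")   # RFC 5277
    if start_time is None:
        return {"mode": "live", "replay": [], "live": True, "terminal": []}
    start = parse_date_and_time(start_time)
    if start > now:
        raise ValueError("bad-element: startTime is in the future")        # RFC 5277
    stop = parse_date_and_time(stop_time) if stop_time is not None else None
    if stop is not None and stop < start:
        raise ValueError("bad-element: stopTime earlier than startTime")   # RFC 5277
    # Replay everything buffered in [startTime, stopTime]; with an empty buffer
    # (for example --eventlog-size=0) nothing is replayed and <replayComplete>
    # is the first thing the subscriber receives.
    replay = []
    for ts, name in eventlog:
        when = parse_date_and_time(ts)
        if start <= when and (stop is None or when <= stop):
            replay.append(name)
    terminal = ["replayComplete"]                       # cannot be filtered out
    if stop is None:
        mode, live = "replay-then-live", True
    elif stop <= now:
        mode, live = "replay-only", False
        terminal.append("notificationComplete")         # subscription ends after replay
    else:
        mode, live = "replay-then-live-until-stop", True
        terminal.append("notificationComplete")         # sent when stopTime is reached
    return {"mode": mode, "replay": replay, "live": live, "terminal": terminal}


# Constructed replay buffer, oldest first (names are yuma-system style).
EVENTLOG = [
    ("2009-01-01T00:00:00Z", "sysStartup"),
    ("2009-07-29T17:21:37Z", "sysConfigChange"),
    ("2011-08-21T17:51:46Z", "sysSessionStart"),
]
NOW = datetime(2012, 1, 1, tzinfo=timezone.utc)
```

For a collector that relies on replay to fill gaps after a reconnect, the empty-buffer case matters: with --eventlog-size=0 the subscription succeeds and <replayComplete> arrives immediately, so the absence of replayed events is not by itself evidence that nothing happened.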
96. mmit> operation is invoked.

instance-required
  data:           description
  error-tag:      data-missing
  error-app-tag:  instance-required
  error-path:     identifies the leaf that is missing
  error-info:     none
  error-number:   310

Example Request:
  - create test2 is used to skip the mandatory <a2> leaf, but the <foo> leaf is set

  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
    <nc:edit-config>
      <nc:target><nc:candidate/></nc:target>
      <nc:default-operation>none</nc:default-operation>
      <nc:config>
        <t:test2 nc:operation="create" xmlns:t="http://netconfcentral.org/ns/test">
          <t:foo>xxx</t:foo>
        </t:test2>
      </nc:config>
    </nc:edit-config>
  </nc:rpc>

Example Error Reply:
  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2" xmlns:t="http://netconfcentral.org/ns/test" xmlns:ncx="http://netconfcentral.org/ncx">
    <nc:rpc-error>
      <nc:error-type>application</nc:error-type>
      <nc:error-tag>data-missing</nc:error-tag>
      <nc:error-severity>error</nc:error-severity>
      <nc:error-app-tag>instance-required</nc:error-app-tag>
      <nc:
...mount. Tab characters are counted as 8 spaces.

--warn-linelen parameter
  Syntax:        uint32 (0 to disable, or 40..4095)
  Supported by:  netconfd, yangcli, yangdiff, yangdump
  Example:       netconfd --warn-linelen=79

The --warn-off parameter suppresses a specific warning number. The error and warning numbers and the default messages can be viewed with the yangdump program by using the --show-errors configuration parameter. The specific warning message will be disabled for all modules. No message will be printed, and the warning will not count towards the total for that module.

--warn-off parameter
  Syntax:        uint32 (400..899)
  Min Allowed:   0
  Max Allowed:   499
  Supported by:  netconfd, yangcli, yangdiff, yangdump
  Example:       netconfd --warn-off=435   (suppresses "revision order not descending")

The --with-startup parameter controls whether the server will support the startup capability or not. This is a memory-intensive capability, and setting this parameter to false will reduce memory usage during normal operations. The non-volatile copy of the <running> configuration will not be saved automatically if this capability is enabled. Instead, a <copy-config> operation from the <running> to the <startup> configuration will be needed.

--with-startup parameter
  Syntax:        boolean
  Min Allowed:   0
  Su
...ncreasing number.

    typedef SessionId {
      description "NETCONF Session Id";
      type uint32 {
        range "1..max";
      }
    }

The server will start using session ID values over again at 1 if the maximum session ID value is ever reached.

The netconfd server will send a <hello> message if a valid SSH2 session to the netconf subsystem is established. The server will list all the capabilities it supports. The YANG module capability URI format is supported for all modules, including ones that only contain typedefs or groupings. The URI format is defined in the YANG specification and follows this format:

    <module-namespace>?module=<module-name>&revision=<module-date>

If the module does not have any revision statements, then the revision field will not be present in the module capability URI.

If the module contains any supported features, then the following field will be added, and each supported feature name will be listed:

    &features=<feature-name>,<feature-name>

If the module needs any external deviations applied, then the following field will be added, and each deviation module name will be listed:

    &deviations=<deviation-module-name>,<deviation-module-name>

Note that the deviation modules will be listed in the capabilities along with the other modules. The deviations extension allows a client tool to know that the deviations apply t
...nd there is no access control rule found to match the current <rpc> request, then the operation will always be allowed. The default for this parameter is permit.

If a matching access control rule is found, execution access will be permitted or denied based on the specific rule, i.e. whether the exec privilege bit is set or not.

If the operation reads or writes any database data, then the access control model will be checked again for each database node specified in the request:

  - If the operation is requesting read access, then any nodes for which read permission is not granted will simply be skipped in the result. No error or warning will be reported.
  - If the operation is requesting write access, then any nodes for which write permission is not granted will cause an access-denied error.

The server does not generate inline <rpc-error> elements at this time for any runtime exceptions that occur while retrieving data for a <get>, <get-config> or <copy-config> operation. Instead, unavailable nodes are just skipped. A future version will support this feature, so managers should expect that <rpc-error> might appear within the data in a reply, not just as a child node of the <rpc-reply> element.

A session can terminate for several reasons:

  - <close-session> operation invoked
  - <kill-session> operation invoked
  - SSH session terminated unexpectedly
  - TCP connection terminated unexpectedly

When a session t
...ner element. The XML namespace of this element is the netconfd module namespace, but a client application should expect that other server implementations may use a different namespace, such as the NETCONF namespace, or perhaps no namespace at all, for this top-level element.

When database contents are returned in the <get>, <get-config> or <copy-config> operations, the top-level container will be the <data> element in the NETCONF base namespace. The top-level YANG module data structures that are present in the configuration will be present as child nodes of the <config> or <data> container node.

The exact databases that are present in the server are controlled by 3 capabilities:

  - candidate
  - writable-running
  - startup

The edit target in the server is set with the --target configuration parameter. This will select either the candidate or the writable-running capability. The server behavior for non-volatile storage of the <running> configuration is set with the --with-startup configuration parameter. The startup capability will be supported if this parameter is set to true.

The following diagram shows the 4 database usage modes that netconfd supports.

[Diagram: the 4 database usage modes. Recoverable labels: writable-running with <edit-config> and automatic NV save; writable-running plus startup with <edit-config> and <copy-config>; candidate with <edit-config> and <commit>. The remaining labels are not legible in this copy.]
...nt session. If the <candidate> or <running> configuration is locked by another session, then this operation will fail with an in-use error.

Normally, if there have been no changes made to the <candidate> configuration, then this operation has no effect. An <ok> response will be returned without altering the <running> configuration. However, if the <running> configuration encountered any errors during the initial load from NV storage (such as startup-cfg.xml), then the current contents of the <running> configuration will be written to NV storage, even if there are no changes to the <candidate> configuration.

The confirmed-commit capability is fully supported:

  - confirmed-commit:1.0
  - confirmed-commit:1.1

<commit> operation
  Min parameters:        0
  Max parameters:        4
  Return type:           status
  YANG file:             yuma-netconf.yang
  Capabilities needed:   candidate, confirmed-commit
  Mandatory Parameters:  none
  Optional Parameters:
    confirmed
      - type: empty
      - default: none
      - capabilities needed: confirmed-commit
      - This parameter indicates that a confirmed commit operation should be started or extended.
    confirm-timeout
      - type: number
      - default: 600
      - capabilities needed: confirmed-commit
      - This parameter indicates the number of seconds to wait before cancel
  a. If there were no groups found in step 5, or no rules found in step 6, then:
     - If the requested object is tagged as nacm:secure or nacm:very-secure, then deny access; otherwise
     - If the <write-default> leaf is set to permit, then grant access; otherwise deny access, and exit.
  b. If there are some groups and rules, then proceed to step 18 to start checking access control rules.

- Step 18: Check for any /nacm/rules/data-rule entries that contain a <path> expression that evaluates to an XPath node set containing the requested database node, and whose <allowed-groups> leaf-list contains an entry with the same value as one of the groups found in step 5. The first such entry found will be used. If an entry is found, then check its <allowed-rights> leaf for the write bit:
  - If the write bit is found, then grant access; otherwise deny access, and exit.
  If an entry is not found, then proceed to step 19.

- Step 19: Check for any /nacm/rules/module-rule entries that contain an <allowed-group> with the same value as one of the groups found in step 5 and that are also for the same module as the requested database node. The first entry found will be used. If an entry is found, then check its <allowed-rights> leaf for the write bit:
  - If the write bit is found, then grant access; otherwise deny access, and exit.
  If an entry is not found, then proceed to ste
...0 means no limit will be used at all.

--max-burst parameter
  Syntax:        uint32
  Max Allowed:   1
  Supported by:  netconfd, yangcli
  Example:       netconfd --max-burst=100

The --modpath parameter specifies the YANG module search path to use while searching for YANG files. It consists of a colon-separated list of path specifications, in the form commonly found in Unix for the PATH environment variable. This parameter overrides the YUMA_MODPATH environment variable if it is present.

--modpath parameter
  Syntax:        string (list of directory specifications)
  Default:       YUMA_MODPATH environment variable
  Supported by:  netconfd, yangcli, yangdiff, yangdump
  Example:       netconfd --modpath=testmodules:modules:trunk/netconf/modules

The --module parameter is a leaf-list of modules that should be loaded automatically when the program starts. The program will attempt to load each module in the order the parameters were entered. For the netconfd program, if any modules have fatal errors, then the program will terminate. For the yangdump program, each module will be processed as requested.

--module parameter
  Syntax:        module name or filespec
  Max Allowed:   unlimited
  Supported by:  netconfd, yangcli, yangdump
  Example:       netconfd --module=test1 --module=test2

The --port paramete
...o the specific module, since special processing may be required.

Example server <hello> Message:

    <nc:hello xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <nc:capabilities>
        <nc:capability>urn:ietf:params:netconf:base:1.0</nc:capability>
        <nc:capability>urn:ietf:params:netconf:capability:candidate:1.0</nc:capability>
        <nc:capability>urn:ietf:params:netconf:capability:confirmed-commit:1.0</nc:capability>
        <nc:capability>urn:ietf:params:netconf:capability:rollback-on-error:1.0</nc:capability>
        <nc:capability>urn:ietf:params:netconf:capability:validate:1.0</nc:capability>
        <nc:capability>urn:ietf:params:netconf:capability:xpath:1.0</nc:capability>
        <nc:capability>urn:ietf:params:netconf:capability:notification:1.0</nc:capability>
        <nc:capability>urn:ietf:params:netconf:capability:interleave:1.0</nc:capability>
        <nc:capability>urn:ietf:params:netconf:capability:with-defaults:1.0?basic-mode=explicit&amp;also-supported=report-all,trim</nc:capability>
        <nc:capability>urn:ietf:params:netconf:capability:netconf-monitoring:1.0</nc:capability>
        <nc:capability>urn:ietf:params:netconf:capability:schema-retrieval:1.0</nc:capability>
        <nc:capability>urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&amp;revision=2009-05-13</nc:capability>
        <nc:capability>
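A client has to decode the capability list above before it can decide whether the server is usable: which base versions it speaks, which with-defaults mode it will apply, and which modules (at which revisions, with which features and deviations) are loaded. The following Python is an added example, not code from the Yuma manual or project. Its hello document is constructed from the capabilities shown above; the example-mod and norev-mod entries are invented to exercise the &features=, &deviations= and missing-revision cases of the URI format described earlier.

```python
"""Parse a netconfd <hello> and decode YANG module capability URIs (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"

# Constructed hello message; example-mod and norev-mod are invented test entries.
HELLO_XML = """<nc:hello xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
  <nc:capabilities>
    <nc:capability>urn:ietf:params:netconf:base:1.0</nc:capability>
    <nc:capability>urn:ietf:params:netconf:capability:candidate:1.0</nc:capability>
    <nc:capability>urn:ietf:params:netconf:capability:confirmed-commit:1.0</nc:capability>
    <nc:capability>urn:ietf:params:netconf:capability:with-defaults:1.0?basic-mode=explicit&amp;also-supported=report-all,trim</nc:capability>
    <nc:capability>urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&amp;revision=2009-05-13</nc:capability>
    <nc:capability>http://example.com/ns/example-mod?module=example-mod&amp;revision=2011-06-30&amp;features=feat-a,feat-b&amp;deviations=example-mod-dev</nc:capability>
    <nc:capability>http://example.com/ns/norev-mod?module=norev-mod</nc:capability>
  </nc:capabilities>
</nc:hello>"""


def capabilities(hello_xml):
    """Return the capability URIs, in server order, as plain strings."""
    root = ET.fromstring(hello_xml)
    return [c.text.strip() for c in root.iter("{%s}capability" % NC_NS)]


def split_uri(uri):
    """Split a capability URI into (base, {query-key: value}); the XML parser
    has already turned &amp; back into &."""
    base, _, query = uri.partition("?")
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return base, params


def module_capabilities(caps):
    """Decode every '?module=' capability into a dict keyed by module name.

    Format as described on this page: namespace?module=NAME[&revision=DATE]
    [&features=F1,F2][&deviations=D1,D2]. Absent fields become None / [].
    """
    mods = {}
    for uri in caps:
        ns, params = split_uri(uri)
        if "module" not in params:
            continue
        mods[params["module"]] = {
            "namespace": ns,
            "revision": params.get("revision"),
            "features": [f for f in params.get("features", "").split(",") if f],
            "deviations": [d for d in params.get("deviations", "").split(",") if d],
        }
    return mods


def with_defaults_mode(caps):
    """(basic-mode, [also-supported...]) from the with-defaults capability, or None."""
    for uri in caps:
        base, params = split_uri(uri)
        if base == "urn:ietf:params:netconf:capability:with-defaults:1.0":
            also = params.get("also-supported", "")
            return params.get("basic-mode"), [m for m in also.split(",") if m]
    return None


def missing_modules(caps, required):
    """Names in `required` that the server did not advertise as loaded modules."""
    have = module_capabilities(caps)
    return [m for m in required if m not in have]


if __name__ == "__main__":
    caps = capabilities(HELLO_XML)
    for name, info in module_capabilities(caps).items():
        print(name, info)
    print("with-defaults:", with_defaults_mode(caps))
    print("missing:", missing_modules(caps, ["ietf-inet-types", "ietf-netconf-monitoring"]))
```

The module dictionary is what a client should compare against the revisions it was built against before sending any <edit-config>: a differing revision or an unexpected deviations entry means the server's schema is not the one the client assumes.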
...ock will be released as if the <unlock> operation was invoked.

<lock> operation
  Min parameters:         1
  Max parameters:         1
  Return type:            status
  YANG file:              yuma-netconf.yang
  Capabilities needed:    none
  Capabilities optional:  candidate, startup
  Mandatory Parameters:
    target
      - type: container with 1-of-N choice of leafs
      - This parameter specifies the name of the target database to be locked.
      - container contents (1 of N):
          candidate
            - type: empty
            - capabilities needed: candidate
          running
            - type: empty
            - capabilities needed: none
          startup
            - type: empty
            - capabilities needed: startup
  Optional Parameters:    none
  Returns:                <ok>
  Possible Operation Errors:
    - access-denied
    - lock-denied (lock already held by the <session-id> given in the <error-info>)
    - resource-denied (candidate is dirty; <discard-changes> needed)

Example Request:

    <?xml version="1.0" encoding="UTF-8"?>
    <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="62">
      <nc:lock>
        <nc:target>
          <nc:candidate/>
        </nc:target>
      </nc:lock>
    </nc:rpc>

Example Reply:

    <?xml version="1.0" encoding="UTF-8"?>
    <nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="62">
      <nc:ok/>
    </nc:rpc-reply>

The <no-op> operation is used for debugging and performance testing pu
...ol rules must be configured to allow any user except the superuser account to invoke this operation.

The server will respond to Unix signals sent to the netconfd process. If the server is being run in the foreground, then the Control-C character sequence will perform the same action as a SIGINT signal.

Signals Recognized by netconfd:

  signal    number   description
  SIGHUP    1        Hangup: restart the server
  SIGINT    2        Control-C: shutdown the server
  SIGQUIT   3        Shutdown the server
  SIGILL    4        Shutdown the server
  SIGTRAP   5        Shutdown the server
  SIGABRT   6        Shutdown the server
  SIGKILL   9        Shutdown the server
  SIGPIPE   13       Handle I/O connection error
  SIGTERM   15       Shutdown the server

Note that SIGKILL cannot be caught by any process, so in that case the server is terminated by the kernel without running its own shutdown code; use SIGTERM or SIGINT when an orderly shutdown is wanted. The kill command in Unix can be used to send signals to a process running in the background. Refer to the Unix man pages for more details.

All of the error handling requirements specified by the NETCONF protocol and the YANG language error extensions for NETCONF are supported automatically by netconfd. There are 4 categories of error handling done by the server:

  - incoming PDU validation
    - Errors for invalid PDU contents are reported immediately.
    - The server will attempt to find all the errors in the input <rpc> request and not stop detecting errors after one is found.
    - All machine-readable YANG statements are utilized to automate the detection and reporting of errors
...on>
        <myses:indent>4</myses:indent>
        <myses:linesize>64</myses:linesize>
        <myses:with-defaults>trim</myses:with-defaults>
      </myses:set-my-session>
    </nc:rpc>

Example Reply:

    <?xml version="1.0" encoding="UTF-8"?>
    <nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
      <nc:ok/>
    </nc:rpc-reply>

The <shutdown> operation is used to shut down the netconfd server. By default, only the superuser account is allowed to invoke this operation. If permission is granted, then the current NETCONF session will be dropped during the server shutdown.

<shutdown> operation
  Min parameters:        0
  Max parameters:        0
  Return type:           none
  YANG file:             yuma-system.yang
  Capabilities needed:   none
  Mandatory Parameters:  none
  Optional Parameters:   none
  Returns:               none (the session will be dropped upon success)
  Possible Operation Errors:
    - access-denied

Example Request:

Example Reply: no reply will be sent; the session will be dropped instead.

The <unlock> operation is used to release a global lock held by the current session. The specified configuration database must be locked, or a no-access <error-app-tag> and an <error-message> of "wrong config state" will be returned. If the <candidate> configur
...on with a <terminationReason> field set to "closed" will be generated when this operation is invoked.

<close-session> operation
  Min parameters:        0
  Max parameters:        0
  Return type:           status
  YANG file:             yuma-netconf.yang
  Capabilities needed:   none
  Mandatory Parameters:  none
  Optional Parameters:   none
  Returns:               <ok> (an <rpc-reply> will be sent to the session before terminating the session)
  Possible Operation Errors: none

Example Request:

    <?xml version="1.0" encoding="UTF-8"?>
    <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
      <nc:close-session/>
    </nc:rpc>

Example Reply:

    <?xml version="1.0" encoding="UTF-8"?>
    <nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
      <nc:ok/>
    </nc:rpc-reply>

The <commit> operation is only available when the candidate capability is supported. Its parameters are only supported if the confirmed-commit capability is supported. This operation causes all the edits in the <candidate> configuration to be applied to the <running> configuration. If there are no edits, then this operation has no effect. If multiple sessions have made edits to the <candidate> configuration because locking was not used, then all these edits will be applied at once, not just the edits from the curre
...ort-all-tagged, trim, explicit
      - This parameter specifies the desired default with-defaults behavior for the session. The server-wide default value is set with the --default-style configuration parameter.
  Possible Operation Errors:
    - access-denied

Example Request:

    <?xml version="1.0" encoding="UTF-8"?>
    <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
      <myses:get-my-session xmlns:myses="http://netconfcentral.org/ns/mysession"/>
    </nc:rpc>

Example Reply:

    <?xml version="1.0" encoding="UTF-8"?>
    <nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
      <myses:indent xmlns:myses="http://netconfcentral.org/ns/mysession"></myses:indent>
      <myses:linesize xmlns:myses="http://netconfcentral.org/ns/mysession">72</myses:linesize>
      <myses:with-defaults xmlns:myses="http://netconfcentral.org/ns/mysession">report-all</myses:with-defaults>
    </nc:rpc-reply>

The <get-schema> operation is used to retrieve YANG modules and submodules from the server. The YANG and YIN formats are supported for all YANG files loaded into the server.

If the <version> parameter is set to the empty string, then the server will return whichever version it supports. If multiple versions are supported, then the server will pick a canonical version, which may not be the most recent v
...ot to the node that caused the error:

    <error-path>/nacm:nacm/nacm:groups/nacm:group[name='admin']/groupIdentity</error-path>

The <error-message> field provides a short English-language description of the error that usually corresponds to the <error-number> field. If the YANG error-message statement is available for the error that occurred, it will be used instead of the default error message.

The <error-info> container is used to add error-specific data to the error report. There are some standard elements that are returned for specific errors, and some elements specific to the netconfd server.

<error-info> Summary:

  child node          description
  <bad-attribute>     name of the XML attribute that caused the error
  <bad-element>       name of the element that caused the error, or that contains the attribute that caused the error
  <bad-value>         value that caused the error
  <error-number>      internal error number for the error condition
  <missing-choice>    name of the missing mandatory YANG choice
  <session-id>        session number of the current lock holder

The instance-required error-app-tag is generated when a YANG leaf is mandatory but was not set. An error will be returned right away if the target is the <running> configuration, or if the default test-then-set option is used for the <test-option>. Otherwise, this error is generated when the <co
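A client that only checks for <ok> will miss most of what the fields above carry: the server reports every error it finds in one reply, the <error-info> children differ per error, and (as noted earlier on this page) a future netconfd may place <rpc-error> inside returned data rather than only under <rpc-reply>. The Python below is an added example, not Yuma code. Its reply is constructed: the first error mirrors the instance-required case described on this page, the second is a lock-denied error carrying <session-id>; the error-path value, message texts and the session number 7 are invented.

```python
"""Extract every <rpc-error> from a netconfd reply, including <error-info> children (added example)."""
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"

# Constructed reply with two errors; values are illustrative, not from a real server.
REPLY_XML = """<nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2"
    xmlns:t="http://netconfcentral.org/ns/test">
  <nc:rpc-error>
    <nc:error-type>application</nc:error-type>
    <nc:error-tag>data-missing</nc:error-tag>
    <nc:error-severity>error</nc:error-severity>
    <nc:error-app-tag>instance-required</nc:error-app-tag>
    <nc:error-path>/t:test2/t:a2</nc:error-path>
    <nc:error-message xml:lang="en">mandatory leaf not set</nc:error-message>
    <nc:error-info>
      <nc:error-number>310</nc:error-number>
    </nc:error-info>
  </nc:rpc-error>
  <nc:rpc-error>
    <nc:error-type>protocol</nc:error-type>
    <nc:error-tag>lock-denied</nc:error-tag>
    <nc:error-severity>error</nc:error-severity>
    <nc:error-message xml:lang="en">lock already held</nc:error-message>
    <nc:error-info>
      <nc:session-id>7</nc:session-id>
    </nc:error-info>
  </nc:rpc-error>
</nc:rpc-reply>"""


def localname(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def parse_rpc_errors(reply_xml):
    """Return one dict per <rpc-error>, wherever it appears in the reply.

    root.iter() rather than a scan of the top-level children is deliberate:
    it also catches <rpc-error> elements nested inside returned data.
    """
    root = ET.fromstring(reply_xml)
    errors = []
    for err in root.iter("{%s}rpc-error" % NC_NS):
        rec = {"error-info": {}}
        for child in err:
            name = localname(child.tag)
            if name == "error-info":
                rec["error-info"] = {localname(c.tag): (c.text or "").strip() for c in child}
            else:
                rec[name] = (child.text or "").strip()
        errors.append(rec)
    return errors


def is_ok(reply_xml):
    """True only when the reply carries <ok> and no <rpc-error> anywhere."""
    root = ET.fromstring(reply_xml)
    return root.find("{%s}ok" % NC_NS) is not None and not parse_rpc_errors(reply_xml)


def summarize(errors):
    """One log line per error: type/tag, app-tag, path, error-info, message."""
    lines = []
    for e in errors:
        info = ", ".join("%s=%s" % kv for kv in sorted(e["error-info"].items()))
        lines.append("%s/%s app-tag=%s path=%s info={%s} msg=%s" % (
            e.get("error-type"), e.get("error-tag"), e.get("error-app-tag", "-"),
            e.get("error-path", "-"), info, e.get("error-message", "")))
    return lines


if __name__ == "__main__":
    for line in summarize(parse_rpc_errors(REPLY_XML)):
        print(line)
```

Keying the result on error-app-tag (instance-required) rather than only on error-tag (data-missing) is what lets a client distinguish a skipped mandatory leaf from other data-missing conditions, and the <session-id> under lock-denied tells it which session to wait for or <kill-session>.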
...ould not be relied on to always be the case. Duplicate or overlapping subtrees within the request will be combined in the output, so the common ancestor nodes are not duplicated in the reply.

XML namespaces are optional to use:

  - If there is no namespace in effect for a filter component, or the NETCONF namespace is in effect, the server will attempt to find any top-level data node which matches. Namespaces within descendant nodes of the <filter> node children are inherited from their parent. If none is in effect, then the first matching child node for the current parent node will be used.
  - Invalid namespace errors for the <filter> element are suppressed in the server. An invalid namespace or unknown element is simply a no-match condition.

For example, the following PDU would be accepted even though the <nacm> and <rules> elements carry no namespace declaration:

    <?xml version="1.0" encoding="UTF-8"?>
    <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="8">
      <nc:get>
        <nc:filter>
          <nacm>
            <rules/>
          </nacm>
        </nc:filter>
      </nc:get>
    </nc:rpc>

Note that there is no default namespace in effect for the <nacm> subtree. However, the server will accept this filter as if the yuma-nacm.yang module namespace had been properly declared. Clients that need deterministic results should still declare the namespace, since name-only matching selects the first module whose top-level node has that local name.

Subtree filters can select specific list entries using content match nodes. The following example would return the entire contents of the <interf
...p 20.

- Step 20: If the <write-default> leaf is set to permit, then grant access; otherwise deny access, and exit.

The /nacm/rules/module-rule data structure is used to configure access for any object or RPC operation from a specific YANG module. If the module namespace URI is the same as the XML namespace used in the NETCONF PDU, then the module rule is considered a match. Multiple instances can appear for a single module as long as the <allowed-group> key leaf value is different in each entry. This allows different groups to get different access to the same module, e.g. read vs. read-and-write.

There is no way to move <module-rule> entries around once they are created. If a group appears in multiple entries for the same module name, then the first one encountered will be used. Entries are checked in the same order they are returned in a <get-config> reply message.

The following example shows an <edit-config> operation which creates 2 <module-rule> entries for the following configuration:

  - the admin group is allowed to read and write the NACM module
  - the monitor group is allowed to read the NACM module

    <?xml version="1.0" encoding="UTF-8"?>
    <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="4">
      <nc:edit-config>
        <nc:target>
          <nc:candidate/>
        </nc:target>
        <nc:config>
          <nacm:nacm xm
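The ordering rules above (no-groups/no-rules case first, then data-rules by <path>, then module-rules, then <write-default>, with "first entry found wins" at each stage) are easy to get wrong when reasoning about a configuration by hand. The following Python is an added example, not Yuma code: it models that write-access decision for the two module-rule entries just described, plus a data-rule to show that step 18 takes precedence over step 19. It is a simplification: rules are plain in-memory records rather than /nacm/rules XML, the XPath node-set test of step 18 is approximated by an ancestor-or-self path-prefix match, and the users alice, bob and mallory are invented.

```python
"""Model of the netconfd NACM write-access decision described above (added example)."""
from dataclasses import dataclass, field


@dataclass
class DataRule:
    path: str               # absolute data path the rule covers (an XPath in yuma-nacm)
    allowed_groups: list    # <allowed-groups> leaf-list
    rights: set             # <allowed-rights> bits: subset of {"read", "write", "exec"}


@dataclass
class ModuleRule:
    module_name: str        # <module-name> key
    allowed_group: str      # <allowed-group> key
    rights: set


@dataclass
class Nacm:
    write_default: str = "deny"
    groups: dict = field(default_factory=dict)   # group-identity -> [user-name, ...]
    data_rules: list = field(default_factory=list)
    module_rules: list = field(default_factory=list)


def user_groups(nacm, user):
    """Step 5: every group whose <user-name> leaf-list contains the user."""
    return [g for g, members in nacm.groups.items() if user in members]


def path_covers(rule_path, node_path):
    """Simplified stand-in for 'the XPath node set contains the node'."""
    rule_path = rule_path.rstrip("/")
    return node_path == rule_path or node_path.startswith(rule_path + "/")


def write_allowed(nacm, user, module, node_path, tags=(), superuser=None):
    """Return (allowed, reason) for a write to node_path inside `module`.

    `tags` holds extension tags on the object such as "nacm:very-secure";
    `superuser` is the --superuser account, which bypasses NACM entirely.
    """
    if superuser is not None and user == superuser:
        return True, "superuser exempt"
    groups = user_groups(nacm, user)
    # No groups for the user, or no rules configured at all
    if not groups or not (nacm.data_rules or nacm.module_rules):
        if "nacm:secure" in tags or "nacm:very-secure" in tags:
            return False, "secure object and no matching groups/rules"
        return nacm.write_default == "permit", "write-default (no groups/rules)"
    # Step 18: first data-rule whose path covers the node and names one of the groups
    for rule in nacm.data_rules:
        if path_covers(rule.path, node_path) and any(g in rule.allowed_groups for g in groups):
            return "write" in rule.rights, "step 18: data-rule %s" % rule.path
    # Step 19: first module-rule for this module naming one of the groups
    for rule in nacm.module_rules:
        if rule.module_name == module and rule.allowed_group in groups:
            return "write" in rule.rights, "step 19: module-rule %s/%s" % (rule.module_name, rule.allowed_group)
    # Step 20
    return nacm.write_default == "permit", "step 20: write-default"


def sample_nacm():
    """Constructed configuration matching the two module-rule entries above."""
    return Nacm(
        write_default="deny",
        groups={"admin": ["alice"], "monitor": ["bob"]},
        module_rules=[
            ModuleRule("yuma-nacm", "admin", {"read", "write"}),
            ModuleRule("yuma-nacm", "monitor", {"read"}),
        ],
    )


def demo():
    """Run the decision for several principals; the /nacm subtree is nacm:very-secure."""
    nacm = sample_nacm()
    node, tags = "/nacm:nacm/nacm:rules", ("nacm:very-secure",)
    results = {
        "admin writes rules": write_allowed(nacm, "alice", "yuma-nacm", node, tags)[0],
        "monitor writes rules": write_allowed(nacm, "bob", "yuma-nacm", node, tags)[0],
        "unknown user writes rules": write_allowed(nacm, "mallory", "yuma-nacm", node, tags)[0],
        "superuser writes rules": write_allowed(nacm, "mallory", "yuma-nacm", node, tags, superuser="mallory")[0],
    }
    # A data-rule is consulted before any module-rule: give monitor write on /nacm/groups only.
    nacm.data_rules.append(DataRule("/nacm:nacm/nacm:groups", ["monitor"], {"read", "write"}))
    results["monitor writes groups (data-rule)"] = write_allowed(
        nacm, "bob", "yuma-nacm", "/nacm:nacm/nacm:groups/nacm:group", tags)[0]
    results["monitor writes rules (module-rule)"] = write_allowed(nacm, "bob", "yuma-nacm", node, tags)[0]
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print("%-40s %s" % (case, "permit" if allowed else "deny"))
```

Two points the run makes visible: a user in no group is denied on any nacm:secure object regardless of <write-default>, and a data-rule that covers an ancestor of the node decides before the module-rule is ever consulted, so a broad <path> granted to a low-privilege group silently overrides the module-level restriction.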
parameter is also used, then the <notificationComplete> notification will be sent when this stop time has passed. After that, no more notifications will be sent to the session, and the subscription is terminated. After this point, another subscription could be started.

Only one subscription can be active on a session at a time. There is no way to terminate a subscription other than to close the session.

Each system event is saved to the notification replay buffer. The <replayComplete> and <notificationComplete> notifications are not saved to this buffer, because they are subscription-specific events and not system events. The size of the replay buffer is controlled by the --eventlog-size configuration parameter. The default size is 1000 events. Once this limit is reached, the oldest event will be deleted when a new event is added. If --eventlog-size is set to zero, then there will be no replayed notifications available, and the <replayComplete> notification will be sent right away if <startTime> is present.

Each event in the replay buffer is assigned a sequential sequence ID, starting from 1. The <sequence-id> leaf is an unsigned 32-bit integer which is added to the <notification> element after the event element. This sequence can be used to debug filters by comparing the sequence IDs of the notifications that were delivered against the expected sequence IDs.

A notification filter is different than
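The four subscription modes listed earlier, and the sequence-id check just described, are shown together in the following Python, which is an added example and not part of the Yuma manual or project. It builds the <create-subscription> request for each mode, names the mode from the startTime/stopTime combination, and walks a replayed stream looking for gaps in <sequence-id>. Assumptions: the netconfd-specific <sequence-id> element is matched by local name regardless of its namespace (the page does not state one), the event element and its namespace are invented, and the sample stream is constructed with event 3 deliberately absent to stand for a filtered or rolled-over event.

```python
"""<create-subscription> builder and replay gap check (added example)."""
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
NOTIF_NS = "urn:ietf:params:xml:ns:netconf:notification:1.0"
ET.register_namespace("nc", NC_NS)
ET.register_namespace("ncEvent", NOTIF_NS)


def create_subscription_rpc(message_id, start_time=None, stop_time=None, stream="NETCONF"):
    """Serialize a <create-subscription>. stopTime without startTime is rejected,
    since RFC 5277 only allows it together with a replay."""
    if stop_time is not None and start_time is None:
        raise ValueError("stopTime requires startTime")
    rpc = ET.Element("{%s}rpc" % NC_NS, {"message-id": str(message_id)})
    cs = ET.SubElement(rpc, "{%s}create-subscription" % NOTIF_NS)
    ET.SubElement(cs, "{%s}stream" % NOTIF_NS).text = stream
    if start_time is not None:
        ET.SubElement(cs, "{%s}startTime" % NOTIF_NS).text = start_time
    if stop_time is not None:
        ET.SubElement(cs, "{%s}stopTime" % NOTIF_NS).text = stop_time
    return ET.tostring(rpc, encoding="unicode")


def subscription_mode(start_time, stop_time, now):
    """Name the mode from the table above. Times are ISO-8601 strings in the
    same zone and width, so plain string comparison orders them correctly."""
    if start_time is None and stop_time is None:
        return "live only"
    if stop_time is None:
        return "replay then live"
    return "replay only" if stop_time <= now else "replay then live until stop"


def localname(tag):
    return tag.rsplit("}", 1)[-1]


def check_replay(notification_docs):
    """Return (delivered sequence ids, missing ids, replayComplete seen).

    Missing ids are the holes between the lowest and highest delivered
    <sequence-id>: each one is an event the filter dropped (or, below the
    first delivered id, one the buffer had already discarded).
    """
    seqs, complete = [], False
    for doc in notification_docs:
        root = ET.fromstring(doc)
        for child in root:
            name = localname(child.tag)
            if name == "replayComplete":
                complete = True
            elif name == "sequence-id":
                seqs.append(int(child.text))
    missing = [] if not seqs else [i for i in range(min(seqs), max(seqs) + 1) if i not in seqs]
    return seqs, missing, complete


# Constructed stream: events 1, 2 and 4 replayed, then replayComplete. The
# example-event element, its namespace and the sequence-id namespace are invented.
SAMPLE_STREAM = [
    """<notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
         <eventTime>2011-06-01T10:00:%02dZ</eventTime>
         <example-event xmlns="http://example.com/ns/events"/>
         <sequence-id xmlns="http://example.com/ns/events">%d</sequence-id>
       </notification>""" % (n, n) for n in (1, 2, 4)
] + [
    """<notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
         <eventTime>2011-06-01T10:00:05Z</eventTime>
         <replayComplete/>
       </notification>"""
]


if __name__ == "__main__":
    print(create_subscription_rpc(1, "2011-06-01T00:00:00Z"))
    print(check_replay(SAMPLE_STREAM))
```

Because a session can carry only one subscription and it cannot be cancelled short of closing the session, a client that wants a bounded replay should pick the mode with a stopTime in the past rather than planning to "stop later".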
...ple: netconfd --subdirs=false

The --superuser parameter specifies the user name that the netconfd server will treat as the superuser account. The root account should be used with caution. It is strongly suggested that root access be disabled in sshd and that a different account be used as the NETCONF superuser account.

Any NETCONF session started with this user name will be exempt from access control enforcement. This is especially useful if the current yuma-nacm.yang configuration is preventing access to the <nacm> subtree itself. The superuser account can be used in this situation to repair the mis-configured access control rules. Because this account bypasses every access control rule, its SSH credentials need to be protected as carefully as root's.

By default, no user will be accepted as the superuser account if no value is specified. To disable all superuser account privileges, set this parameter to a zero-length string.

--superuser parameter
  Default:       none
  Min Allowed:   0
  Max Allowed:   1
  Supported by:  netconfd
  Example:       netconfd --superuser=admin

The --system-sorted parameter specifies whether the server will keep system-ordered lists and leaf-lists in sorted order. If true, then lists and leaf-lists will be maintained in order based on the list keys or the leaf-list value itself. If false, then system-ordered entries will be kept in the order they were entered in the database. All entries are maintained in schema order, except that list keys are ordered first.

--sy
...pported by:  netconfd

The --with-url parameter controls whether the server will support the url capability or not. This capability requires file system storage. Since the url capability lets a NETCONF client name file locations as the source or target of operations such as <copy-config>, leave it disabled on servers that do not need it.

--with-url parameter
  Syntax:        boolean
  Default:       true
  Min Allowed:   0
  Max Allowed:   1
  Supported by:  netconfd
  Example:       netconfd --with-url=false

The --with-validate parameter controls whether the server will support the validate capability or not. This is a memory-intensive capability, and setting this parameter to false will reduce memory usage during <edit-config> operations.

--with-validate parameter
  Default:       true
  Max Allowed:   1
  Example:       netconfd --with-validate=false

The --yuma-home parameter specifies the project directory root to use when searching for files. If present, this directory location will override the YUMA_HOME environment variable if it is set. If this parameter is set to a zero-length string, then the YUMA_HOME environment variable will be ignored.

The following directories are searched when either the YUMA_HOME environment variable or this parameter is set:

  - $YUMA_HOME/modules
    - This sub-tree is searched for YANG files.
  - $YUMA_HOME/data
    - This directory is searched for data files.
  - $YUMA_HOME/scripts
    - This directory is searched for yangcli script files.

--yuma-home parameter
  Syntax:        string (directory specification)
  Defa
...r specifies the TCP port number(s) that should be used for NETCONF sessions, i.e. the TCP port numbers from which NETCONF sessions are accepted. If any instances of this parameter are found, then the default port 830 will not be added automatically. Up to 4 --port parameter values can be entered.

--port parameter
  Default:       830
  Min Allowed:   0
  Max Allowed:   4
  Supported by:  netconfd
  Example:       netconfd --port=22 --port=830

The --protocols parameter specifies which NETCONF protocol versions should be enabled. The base:1.0 (RFC 4741, RFC 4742) and base:1.1 (RFC 6241, RFC 6242) capabilities are controlled with this parameter.

--protocols parameter
  Syntax:        bits
  Default:       netconf1.0 netconf1.1
  Max Allowed:   1
  Supported by:  netconfd
  Example:       netconfd --protocols=netconf1.0

The --running-error parameter is an enumeration specifying how the netconfd server will treat errors encountered while validating the running database when it is loaded from the non-volatile startup configuration at boot time.

  leaf running-error
    - type: enumeration (stop or continue)
    - Specifies if running configuration errors will be treated as fatal or recoverable errors.

--running-error parameter
  Syntax:        enum (stop, continue)
  Supported by:  netconfd
  Example:       netconfd --running-error=continue

The --runpath parameter spec
...rams:xml:ns:netconf:partial-lock:1.0">/if:interfaces/if:interface[if:name='virbr0']</pl:locked-node>
      <pl:locked-node xmlns:pl="urn:ietf:params:xml:ns:netconf:partial-lock:1.0">/if:interfaces/if:interface[if:name='eth0']</pl:locked-node>
      <pl:locked-node xmlns:pl="urn:ietf:params:xml:ns:netconf:partial-lock:1.0">/if:interfaces/if:interface[if:name='lo']</pl:locked-node>
    </nc:rpc-reply>

The <partial-unlock> operation is used to unlock part of the <running> database that was previously locked with the <partial-lock> operation. Only the session that called <partial-lock> can release the lock with this operation. Refer to RFC 5717 or the ietf-netconf-partial-lock.yang module for details on this operation.

<partial-unlock> operation
  Min parameters:        1
  Max parameters:        1
  Return type:           status
  YANG file:             ietf-netconf-partial-lock.yang
  Capabilities needed:   partial-lock
  Mandatory Parameters:
    <lock-id>
      - type: uint32 (1..MAX_UINT)
      - This parameter contains the lock ID of the partial lock to release.
      - One or more instances of this parameter is required.

The server allows relaxed XPath syntax. If prefixes are used, then a proper namespace declaration must be present in the request. If prefixes are not used, then any available namespace that matches the local name will be used.

  Op
...ror: SSH transport error
  too-few-elements: min-elements violation (YANG sec. 13.3)
  too-many-elements: max-elements violation (YANG sec. 13.2)

The <error-path> field indicates the node that caused the error. It is encoded as a YANG instance-identifier. If the node that caused the error is within the incoming <rpc> request, then the error path will start with the <rpc> element and contain all the node identifiers from this document root to the node that caused the error:

    <error-path>/nc:rpc/nc:edit-config/nc:config/nacm:nacm/nacm:groups/nacm:group</error-path>

The xmlns attributes which define the nc and nacm prefixes would be present in the <rpc-reply> or the <rpc-error> element start tags.

If the node that caused the error is not within the incoming <rpc> request, then the error path will start with the top-level YANG module element that contains the error, not the <rpc> element. This extended usage of the <error-path> field is defined in the YANG specification, not the NETCONF specification. This situation will occur if <validate> or <commit> operations detect errors. It can also occur if the <test-option> for the <edit-config> operation is test-then-set and errors unrelated to the provided in-line <config> content are reported. In that case the error path contains all the node identifiers from this document ro
...rposes. This operation does not do anything. It simply returns <ok>, unless any parameters are provided.

<no-op> operation
  Min parameters:        0
  Max parameters:        0
  YANG file:             yuma-system.yang
  Capabilities needed:   none
  Mandatory Parameters:  none
  Optional Parameters:   none
  Returns:               <ok>
  Possible Operation Errors:
    - access-denied

Example Request:

    <?xml version="1.0" encoding="UTF-8"?>
    <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="63">
      <nd:no-op xmlns:nd="http://netconfcentral.org/ns/netconfd"/>
    </nc:rpc>

Example Reply:

    <?xml version="1.0" encoding="UTF-8"?>
    <nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="63">
      <nc:ok/>
    </nc:rpc-reply>

The <partial-lock> operation is used to lock part of the <running> database. Refer to RFC 5717 or the ietf-netconf-partial-lock.yang module for details on this operation.

<partial-lock> operation
  Min parameters:        1
  Max parameters:        1
  Return type:           data
  YANG file:             ietf-netconf-partial-lock.yang
  Capabilities needed:   partial-lock
  Mandatory Parameters:
    <select>
      - type: XPath 1.0 string
      - This parameter contains an XPath expression for a node-set result identifying the database nodes to lock.
      - One or more instances of this parameter is req
...ry Parameters:
    target
      - type: container with 1-of-N choice of leafs
      - This parameter specifies the name of the target database for the <delete-config> operation.
      - container contents (1 empty leaf value supported):
          startup
  Optional Parameters:   none
  Returns:               <ok>
  Possible Operation Errors:
    - access-denied
    - in-use (<startup> database is locked)

Example Request:

    <?xml version="1.0" encoding="UTF-8"?>
    <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
      <nc:delete-config>
        <nc:target>
          <nc:startup/>
        </nc:target>
      </nc:delete-config>
    </nc:rpc>

Example Reply:

    <?xml version="1.0" encoding="UTF-8"?>
    <nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
      <nc:ok/>
    </nc:rpc-reply>

The <discard-changes> operation is used to remove any edits from the <candidate> configuration. This is done by deleting the contents of the <candidate> and re-filling it with the contents of the <running> configuration. If the <candidate> configuration is locked by another session, this operation will fail.

<discard-changes> operation
  Min parameters:        0
  Max parameters:        0
  Return type:           status
  YANG file:             yuma-netconf.yang
  Capabilities needed:   candidate
  Mandatory Parameters:  none
  Optional Parameters:
s control model at this time. Normally some configuration is required:
- groups: configure one or more administrative groups
- rules: configure one or more access control rules

The entire nacm subtree is tagged as nacm:very-secure. By default, only the superuser account can read or write any of its contents. It is suggested that even read access to this data structure be controlled carefully at all times.

The nacm subtree consists of 3 read-only leafs and 2 containers:
- leaf <enable-nacm>: enable or disable access control enforcement
- leaf <read-default>: permit or deny read access when no rule is found
- leaf <write-default>: permit or deny write access when no rule is found
- leaf <exec-default>: permit or deny execute access when no rule is found
- leaf <denied-rpcs>: read-only counter of denied RPC operation requests
- leaf <denied-data-writes>: read-only counter of denied database write requests
- container <groups>: needs 1 or more group list entries in order for rules to have any effect
  - list <group>: principal that is assigned access privileges
    - leaf <group-identity>: group identifier string
    - leaf-list <user-name>: leaf-list of users that belong to the group
- container <rules>
  - list <module-rule>: an access rule for an entire module namespace
    - leaf <module-name>: key; name of the YANG module associa
s to send all messages to STDOUT and use the 'info' logging level. If the server is a DEBUG image, then the default logging level will be 'debug' instead.
- eventlog-size setting will control the memory used by the notification replay buffer
- max-burst will control the number of notifications sent at once to a single session
- hello-timeout will control how long sessions can be stuck waiting for a <hello> message before they are dropped
- idle-timeout will control how long active sessions can remain idle before they are dropped

The module parameter can be used from the CLI or conf file to pre-load YANG modules and any related device instrumentation code into the server. A fatal error will occur if any module cannot be loaded or it contains any YANG errors. At run-time, the <load> operation defined in yuma-system.yang can be used to do the same thing, except the server will simply return an <rpc-error> instead of terminating if the requested module cannot be loaded.

The current working directory in use when netconfd is invoked is important. It is most convenient to run netconfd in the background and save all output to a log file.

The netconfd program listens for connection requests on a local socket that is located in /tmp/ncxserver.sock. In order for NETCONF sessions to be enabled, the SSH server and the netconf-subsystem programs must be properly installed first.
s to be an XML configuration file. Unless a path specification is included, the YUMA_DATAPATH environment variable or datapath parameter will be used to search for the specified file name. No .xml extension will be added; the exact file name will be used instead.

startup parameter
Syntax: choice (no-startup | factory-startup | startup filespec)
Default: first startup-cfg.xml in the data path
Min Allowed: 0
Max Allowed: 1
Supported by: netconfd
Example: netconfd --startup=$TESTDIR/testrun

The startup-error parameter is an enumeration specifying how the netconfd server will treat errors encountered while loading the non-volatile startup configuration at boot time.
- leaf startup-error
  - type: enumeration (stop or continue)
  - Specifies if startup configuration errors will be treated as fatal or recoverable errors

startup-error parameter
Syntax: enum (stop | continue)
Default: continue
Min Allowed: 0
Max Allowed: 1
Supported by: netconfd
Example: netconfd --startup-error=stop

The subdirs parameter controls whether sub-directories should be searched or not, if they are found during a module search. If false, the file search paths for modules, scripts, and data files will not include sub-directories, if they exist in the specified path.

subdirs parameter
Syntax: boolean
Default:
Min Allowed:
Supported by: yangdump
Exam
se:1.0" message-id="42">
    <nc:kill-session>
      <nc:session-id>1</nc:session-id>
    </nc:kill-session>
  </nc:rpc>

Example Reply:

  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="42">
    <nc:ok/>
  </nc:rpc-reply>

The <load> operation is used to load new YANG modules at run-time. The module file must already be present in the module search path of the server. There must not be any version of the module already loaded. This operation is tagged as nacm:secure, so by default only the superuser account is allowed to use it.

<load> operation
Min parameters: 1
Max parameters: 3
Return type: data
YANG file: yuma-system.yang
Capabilities needed: none
Mandatory Parameters:
- module
  - The name of the YANG module to load
Optional Parameters:
- revision
  - The revision date of the module to load. If missing, then the server can select the version to use.
- deviation
  - The name of a deviation module to load before loading this module. Zero or more instances of this parameter can be entered. Duplicates will be ignored.
Returns:
- <mod-revision>
  - The revision date of the module that was already loaded or was just loaded
Possible Operation Errors:
- access-denied
- module-not-found
- version-not-found
- different-version
sion> operation is used to configure the session customization data for the current session. The session indent amount, line size, and default behavior for the with-defaults parameter can be controlled at this time.

<set-my-session> operation
Min parameters: 0
Max parameters: 3
Return type: status
YANG file: yuma-mysession.yang
Capabilities needed: none
Mandatory Parameters: none
Optional Parameters:
- <indent>
  - type: uint32, range 0..9
  - default: 3 (can be changed with the indent configuration parameter)
  - This parameter specifies the desired indent amount for the session
- <linesize>
  - type: uint32, range 40..1024
  - default: 72
  - This parameter specifies the desired line length for the session
- <with-defaults>
  - type: enumeration (report-all, report-all-tagged, trim, explicit)
  - default: report-all (can be changed with the default-style configuration parameter)
  - This parameter specifies the desired default with-defaults behavior for the session. The server-wide default value is set with the default-style configuration parameter.
Returns: <ok>
Possible Operation Errors: access-denied

Example Request:

  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
    <myses:set-my-session xmlns:myses="http://netconfcentral.org/ns/mysessi
sions, including <bad-value> and <error-number>, for easier debugging
- Comprehensive, fully NETCONF-configurable access control model, defined in yuma-nacm.yang
- Complete RFC 5277 Notification support, including notification replay, the interleave capability, and several useful notifications implemented in yuma-system.yang
- Complete RFC 5717 Partial Lock support, with full XPath support and all partial locking monitoring data defined in ietf-netconf-monitoring.yang
- Full support for all YANG constructs, including deviations
- Full support of YANG sub-modules, including nested sub-modules
- Multiple concurrent module versions supported (import by revision)
- Multiple concurrent submodule versions supported (include by revision)
- Optimized full XPath 1.0 implementation, including all YANG extensions
- Full implementation of the ietf-netconf-monitoring data model, including the <get-schema> operation to retrieve YANG or YIN modules from the server
- Configurable default node handling, including full support of the <with-defaults> standard in ietf-with-defaults.yang
- System information automatically supported, as defined in yuma-system.yang
- Comprehensive logging capabilities for easy debugging during YANG content development or normal operation
- Time filtering support for <get> and <get-config> requests, with modified-since and if-modified-since per-datastore times
stem-sorted parameter
Syntax: boolean
Min Allowed: 0
Supported by: netconfd
Example: netconfd --system-sorted=false

The target parameter specifies the name of the database that netconfd will use as its edit target. There are two targets supported at this time:
- running: Edits will be written directly to the <running> configuration. The startup capability will also be used in this mode. This means that a <copy-config> operation from <running> to <startup> must be used to save any edits to non-volatile storage for use on the next reboot.
- candidate: Edits will be written to the <candidate> configuration. The <commit> operation must be used to save any edits in the <candidate> configuration into the <running> configuration. The non-volatile storage is updated automatically in this mode, and the <startup> configuration will not be present.

target parameter
Syntax: enumeration (running | candidate)
Default: candidate
Supported by: netconfd
Example: netconfd --target=running

The usexmlorder parameter specifies that the netconfd server should enforce XML ordering when applicable, such as YANG list key leafs being entered first. The default is not to check for adherence to strict XML order as defined by YANG.

usexmlorder parameter
Default: off
Min Allowed: 0
Max Allowed: 1
Example: n
t for <lock> only
missing-attribute | <bad-attribute> | just for the few attributes used in NETCONF
missing-element | <bad-element> | mandatory parameters
operation-not-supported | none | unsupported, or false if-feature inside rpc
operation-failed | none | when no other error-tag applies
partial-operation | <ok-element>, <err-element>, <noop-element> | not implemented
resource-denied | none | malloc failed
rollback-failed | none | rollback-on-error failed
too-big | none | input too big to buffer
unknown-attribute | <bad-attribute>, <bad-element> | for any non-NETCONF attributes found
unknown-element | <bad-element> | wrong element name in a known namespace
unknown-namespace | <bad-element> | module not loaded
malformed-message | none | base:1.1 framing lost in transport layer

The <error-app-tag> field provides a more specific error classification than the <error-tag> field. It is included in every <rpc-error> response. This field is encoded as a simple string. It is possible that error-app-tag values from different vendors will use the same string; a client application needs to account for this shared namespace. If the YANG error-app-tag statement is defined for the specific error that occurred, then it will be used instead of the default value. The following table describes the default <error-app
t operation
Min parameters: 1
Max parameters: 4
Return type: data
YANG file: yuma-netconf.yang
Capabilities needed: none
Capabilities optional: candidate, startup, with-defaults
Mandatory Parameters:
- source
  - type: container with 1 of N choice of leafs
  - Usage: mandatory
  - This parameter specifies the name of the source database for the retrieval operation
  - container contents (1 of N):
    - candidate: type empty; capabilities needed: candidate
    - running: type empty; capabilities needed: none
    - startup: type empty; capabilities needed: startup
Optional Parameters:
- filter
  - type: subtree
    - type: anyxml
    - This parameter specifies the subset of the database that should be retrieved
  - type: xpath
    - select expr: type empty. The unqualified select attribute is used to specify an XPath filter
- with-defaults
  - type: enumeration (none, report-all, report-all-tagged, trim, explicit)
  - usage: the default-style configuration parameter is used as the default if no value is provided
  - This parameter controls how default leaf and leaf-list nodes are returned by the server
- if-modified-since
  - type: date-and-time
  - Usage: optional
  - This parameter requests that configuration data only be returned if any of the specified datastore contents have been modified since this value. If the specified datastore has not been modified since this timestamp, t
tag> values used by netconfd.

<error-app-tag> Summary
error-app-tag | description
data-incomplete | the input parameters are incomplete
data-invalid | one or more input parameters are invalid
data-not-unique | unique statement violation (YANG sec. 13.1)
duplicate-error | trying to create a duplicate list or leaf-list entry
general-error | no other description fits
instance-required | missing mandatory node (YANG sec. 13.5)
internal-error | internal software error
io-error | NETCONF session IO error
libxml2-error | libxml2 internal error or parsing error
limit-reached | some sort of defined limit was reached
malloc-error | malloc function call failed
missing-choice | mandatory choice not found (YANG sec. 13.6)
missing-instance | mandatory leaf not found (YANG sec. 13.7)
must-violation | must expression is false (YANG sec. 13.4)
no-access | access control violation
no-matches | <get-schema> module or revision search failed
no-support | operation or sub-operation not implemented
not-in-range | YANG range test failed
not-in-value-set | YANG enumeration or bits name is invalid
pattern-test-failed | YANG pattern test failed
recover-failed | commit or rollback-on-error failed to leave the target database unchanged
resource-in-use | in-use error, or <create-subscription> while a subscription is already active
ssh-er
tamps.

The netconfd server can behave in different ways depending on the initial configuration parameters used. The following parameters should be considered, and if the default behavior is not desired, then an explicit value should be provided instead:
- yuma-home or YUMA_HOME setting will affect the YANG search path
- modpath or YUMA_MODPATH setting will affect the YANG search path
- datapath or YUMA_DATAPATH setting will affect the startup-cfg.xml search path
- target setting will select the edit target. The default is 'candidate', so this parameter must be set to choose 'running' as the edit target.
- with-startup setting will enable the <startup> database if set to 'true'
- with-validate setting will enable the validate capability if set to 'true'
- access-control setting will affect how access control is enforced. The default is fully on ('enforcing').
- superuser setting will affect access control, if it is enabled. The default is 'superuser'.
- default-style setting will affect how default leaf values are returned in retrieval requests. The default is 'trim'. This returns everything except leafs containing the YANG default-stmt value by default. To report every leaf value by default, set this parameter to 'report-all'. To report only leafs not set by the server by default, use the 'explicit' enumeration.
- log and log-level settings will affect how log messages are generated. The default i
tconfd | <shutdown> | Shutdown the server
ietf-netconf | <unlock> | Unlock a database
ietf-netconf | <validate> | Validate a database

The following configuration parameters are used by netconfd. Refer to the CLI Reference for more details.

netconfd CLI Parameters
parameter | description
audit-log | Specifies the audit log of changes to the running database after the initial load is done
audit-log-append | Append audit entries to the existing log if present; otherwise start a new audit log
access-control | Specifies how access control will be enforced
config | Specifies the configuration file to use for parameters
datapath | Specifies the search path for the <startup> configuration file
default-style | Specifies the default <with-defaults> behavior
delete-empty-npcontainers | Specifies whether empty NP containers should be deleted or not
deviation | Specifies one or more YANG modules to load as deviations
eventlog-size | Specifies the maximum number of events stored in the notification replay buffer
feature-disable | Leaf-list of features to disable
feature-enable | Specifies a feature that should be enabled
feature-enable-default | Specifies if a feature should be enabled or disabled by default
help | Get context-sensitive help, with brief or full extension
hello-timeout | Set the number of seconds to wait for a
ted with the rule
    - leaf <allowed-rights>: key; privileges granted to all groups associated with the rule
    - leaf-list <allowed-group>: leaf-list of one or more group identifiers that are associated with the rule
    - leaf <comment>: comment string for the rule, ignored by the server
  - list <rpc-rule>: an access rule for one specific protocol operation, defined in a YANG rpc statement
    - leaf <rpc-module-name>: key; name of the YANG module associated with the rule
    - leaf <rpc-name>: key; name of the RPC operation associated with the rule
    - leaf <allowed-rights>: key; privileges granted to all groups associated with the rule
    - leaf-list <allowed-group>: leaf-list of one or more group identifiers that are associated with the rule
    - leaf <comment>: comment string for the rule, ignored by the server
  - list <data-rule>: a user-ordered access rule for one or more database subtrees
    - leaf <name>: key; arbitrary name string for the rule
    - leaf <path>: XPath expression for the database instances which are associated with the rule
    - leaf <allowed-rights>: privileges granted to all groups associated with the rule
    - leaf-list <allowed-group>: leaf-list of one or more group identifiers that are associated with the rule
    - leaf <comment>: comment string for the rule, ignored by the server
  - list <notification-rule>: a user-ordered access rule for one notification event
    - leaf <notification
ter identifies the SSH user name that is associated with the session that caused the confirmed-commit procedure state change
- sessionId
  - type: uint32, range 1 to max
  - usage: mandatory
  - This parameter identifies the NETCONF session ID assigned to the session
- remoteHost
  - type: inet:ip-address
  - Usage: mandatory
  - This parameter identifies the remote host IP address that is associated with the session
- confirmEvent
  - type: enumeration (start, cancel, timeout, extend, complete)
  - Usage: mandatory
  - This parameter indicates why the confirmed-commit procedure changed state

Example:

  <?xml version="1.0" encoding="UTF-8"?>
  <ncEvent:notification xmlns:ncEvent="urn:ietf:params:xml:ns:netconf:notification:1.0">
    <ncEvent:eventTime>2009-08-29T23:03:06Z</ncEvent:eventTime>
    <sys:sysConfirmedCommit xmlns:sys="http://netconfcentral.org/ns/system">
      <sys:userName>andy</sys:userName>
      <sys:sessionId>3</sys:sessionId>
      <sys:remoteHost>192.168.0.61</sys:remoteHost>
      <sys:confirmEvent>start</sys:confirmEvent>
    </sys:sysConfirmedCommit>
    <sys:sequence-id xmlns:sys="http://netconfcentral.org/ns/system">9</sys:sequence-id>
  </ncEvent:notification>

3. CLI Reference

The netconfd program uses command line interface (CLI) parameters to control program beha
tf:params:xml:ns:netconf:notification:1.0">
    <ncEvent:eventTime>2009-07-29T21:53:12Z</ncEvent:eventTime>
    <sys:sysSessionEnd xmlns:sys="http://netconfcentral.org/ns/system">
      <sys:userName>andy</sys:userName>
      <sys:sessionId>2</sys:sessionId>
      <sys:remoteHost>192.168.0.6</sys:remoteHost>
      <sys:terminationReason>closed</sys:terminationReason>
    </sys:sysSessionEnd>
    <sys:sequence-id xmlns:sys="http://netconfcentral.org/ns/system">5</sys:sequence-id>
  </ncEvent:notification>

The <sysConfigChange> notification is generated when the <running> configuration database is altered by a NETCONF session. If the candidate capability is supported, then this event is generated when the <commit> operation completes. If the writable-running capability is supported instead, then this event is generated when the <edit-config> operation completes. The user name, remote address, and session ID that made the change are reported. A summary of the changes that were made is also included in the event payload. If multiple changes are made at once, then one <sysConfigChange> event will be generated for each change. There is no significance to the order in which these events are generated.

<sysConfigChange> notification
Description: The <running> configuration has been changed by a NETCONF session
tion and activation.
  - Errors can occur related to the specific YANG data model module, which can only be detected and reported by the server instrumentation. Resource-denied errors can occur while the server instrumentation is attempting to activate the networking features associated with some configuration parameters. Instrumentation code can fail for a number of reasons, such as underlying hardware failure or removal.

The following YANG modules are built into the netconfd server and cannot be loaded manually with the module parameter or the <load> operation.

Pre-loaded YANG Modules
module | description
ietf-inet-types | standard data types
ietf-netconf-monitoring | standard NETCONF monitoring and the <get-schema> operation
ietf-netconf-partial-lock | standard NETCONF <partial-lock> and <partial-unlock> operations
ietf-netconf-with-defaults | <with-defaults> extension
ietf-yang-types | standard data types
yuma-interfaces | network interfaces information
yuma-nacm | NETCONF Access Control Model
nc-notifications | standard replay notifications
netconfd | Server CLI parameters
notifications | standard notification operations
yuma-arp | ARP configuration and monitoring
yuma-ncx | Yuma NETCONF extensions
yuma-app-common | Common CLI parameters
yuma-types | Yuma common data types
tion mode should be used
  - normal: type empty. This parameter specifies that normal documentation mode should be used
  - full: type empty. This parameter specifies that full documentation mode should be used

3.16 idle-timeout

The idle-timeout parameter controls the maximum number of seconds that the netconfd server will wait for an <rpc> PDU for each session. If set to 0, then idle state timeouts will be disabled, meaning that no sessions will be deleted while waiting for an <rpc> PDU. A session will never be considered idle while a notification subscription is active.

It is strongly suggested that this parameter not be disabled, since a denial of service attack will be possible if sessions are allowed to remain in the idle wait state forever. A finite number of SSH and NETCONF sessions are supported, so if an attacker simply opened lots of SSH connections to the netconf-subsystem, the server would quickly run out of available sessions.

This parameter will affect a <confirmed-commit> operation. Make sure this timeout interval is larger than the value of the <confirm-timeout> parameter used in the confirmed commit procedure. Otherwise it is possible that the session will be terminated before the confirm-timeout interval has expired, effectively replacing that timer with this one.

idle-timeout parameter
Syntax: uint32 (0 = disabled; range 30..360000 seconds, 100 hours max)
tional Parameters: none
Returns: <ok>
Possible Operation Errors:
- access-denied
- invalid-value

Example Request:

  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="263">
    <pl:partial-unlock xmlns:pl="urn:ietf:params:xml:ns:netconf:partial-lock:1.0">
      <pl:lock-id>1</pl:lock-id>
    </pl:partial-unlock>
  </nc:rpc>

Example Reply:

  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="263">
    <nc:ok/>
  </nc:rpc-reply>

The <restart> operation is used to restart the netconfd server. By default only the superuser account is allowed to invoke this operation. If permission is granted, then the current NETCONF session will be dropped during the server restart.

<restart> operation
Min parameters: 0
Max parameters: 0
Return type: none
YANG file: yuma-system.yang
Capabilities needed: none
Mandatory Parameters: none
Optional Parameters: none
Returns: none (session will be dropped upon success)
Possible Operation Errors: access-denied

Example Request:

  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="63">
    <nd:restart xmlns:nd="http://netconfcentral.org/ns/netconfd"/>
tor will know which user names are valid within each managed device. The <edit-config> operation can be used to create new group entries. Each group is identified only by its <groupIdentity> leaf. A user name can appear within the same group zero or one times. A user name can appear in zero or more groups. When a user is a member of multiple groups, all these groups will be used to match against rules, in a conceptual OR expression. If any of these groups matches one of the <allowed-group> leaf-list nodes within one of the 3 rule types, then that rule will be the one that is used. Rules are always searched in the order they are entered, even the system-ordered lists.

The path to the group element is /nacm:nacm/nacm:groups/nacm:group.

The following <edit-config> example shows how a group can be defined. The group name is 'nacm-guest', and the users 'fred' and 'barney' are the initial members of this group.

  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
    <nc:edit-config>
      <nc:target>
        <nc:candidate/>
      </nc:target>
      <nc:config>
        <nacm:nacm xmlns:nacm="http://netconfcentral.org/ns/yuma-nacm">
          <nacm:groups>
            <nacm:group nc:operation="create">
              <nacm:group-identity>nacm-guest</nacm:group-identity>
              <nacm:user-name>fred</nacm:user-name>
tp://netconfcentral.org/ns/interfaces">
      <if:interface>
        <if:name>lo</if:name>
      </if:interface>
      <if:interface>
        <if:name>eth0</if:name>
      </if:interface>
      <if:interface>
        <if:name>virbr0</if:name>
      </if:interface>
      <if:interface>
        <if:name>pan0</if:name>
      </if:interface>
    </if:interfaces>
    <ns:netconf-state xmlns:ns="urn:ietf:params:xml:ns:netconf:monitoring">
      <ns:datastores>
        <ns:datastore>
          <ns:name><ns:candidate/></ns:name>
        </ns:datastore>
        <ns:datastore>
          <ns:name><ns:running/></ns:name>
        </ns:datastore>
        <ns:datastore>
          <ns:name><ns:startup/></ns:name>
        </ns:datastore>
      </ns:datastores>
    </ns:netconf-state>
    <manageEvent:netconf xmlns:manageEvent="urn:ietf:params:xml:ns:netmod:notification">
      <manageEvent:streams>
        <manageEvent:stream>
          <manageEvent:name>NETCONF</manageEvent:name>
        </manageEvent:stream>
      </manageEvent:streams>
    </manageEvent:netconf>
  </nc:data>
  </nc:rpc-reply>

In order to refine the previous filter to select nodes from just one module, use the XML prefix in the node identifier. The example below selects only the <name> nodes from the interfaces module.

Example Request:

  xget i
tring
  - usage: mandatory
  - This parameter identifies the SSH user name that is associated with the session
- sessionId
  - type: uint32, range 1 to max
  - usage: mandatory
  - This parameter identifies the NETCONF session ID assigned to the session
- remoteHost
  - type: inet:ip-address
  - Usage: mandatory
  - This parameter identifies the remote host IP address that is associated with the session

Example:

  <?xml version="1.0" encoding="UTF-8"?>
  <ncEvent:notification xmlns:ncEvent="urn:ietf:params:xml:ns:netconf:notification:1.0">
    <ncEvent:eventTime>2009-07-29T21:53:04Z</ncEvent:eventTime>
    <sys:sysSessionStart xmlns:sys="http://netconfcentral.org/ns/system">
      <sys:userName>andy</sys:userName>
      <sys:sessionId>2</sys:sessionId>
      <sys:remoteHost>192.168.0.6</sys:remoteHost>
    </sys:sysSessionStart>
    <sys:sequence-id xmlns:sys="http://netconfcentral.org/ns/system">4</sys:sequence-id>
  </ncEvent:notification>

The <sysSessionEnd> notification is generated when a NETCONF session is terminated. The username, remote address, and session ID that was assigned are returned in the event payload. The termination reason is also included. If the session was terminated before it properly started, it is possible that there will not be a <sysSessionStart> notification event to match the <sysSessionEnd> e
tures by default. If true, then by default features will be enabled. If false, then by default features will be disabled. If a feature-enable or feature-disable parameter is present for a specific feature, then this parameter will be ignored for that feature.

feature-enable-default parameter
Syntax: boolean (true or false)
Default: TRUE
Min Allowed: 0
Max Allowed: 1
Supported by: yangcli, yangdiff, yangdump, netconfd
Example: netconfd --feature-enable-default=false

The hello-timeout parameter controls the maximum number of seconds that the netconfd server will wait for a <hello> PDU for each session. If set to 0, then hello state timeouts will be disabled, meaning that no sessions will be deleted while waiting for a <hello> PDU.

It is strongly suggested that this parameter not be disabled, since a denial of service attack will be possible if sessions are allowed to remain in the hello wait state forever. A finite number of SSH and NETCONF sessions are supported, so if an attacker simply opened lots of SSH connections to the netconf-subsystem, the server would quickly run out of available sessions. Sessions cannot be deleted manually via the <kill-session> operation if no new sessions are being allocated by the server.

hello-timeout parameter
Syntax: uint32 (0 = disabled; range 10..3600 seconds, 1 hour max)
Default: 600 (10 minutes)
Min Allowed:
Max Allowed:
uired.
  - The server allows relaxed XPath syntax. If prefixes are used, then a proper namespace declaration must be present in the request. If prefixes are not used, then any available namespace that matches the local-name will be used.
Optional Parameters: none
Returns:
- <lock-id>
  - type: uint32, range 1..MAX_UINT
  - This data identifies the lock ID to use when releasing the lock with the <partial-unlock> operation
  - There will be one of these elements in the reply
- <locked-node>
  - type: instance-identifier
  - This data identifies a locked node as a result of the request
  - There will be one or more of these elements in the reply
Possible Operation Errors:
- access-denied
- in-use
- resource-denied

Example Request:

  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="260">
    <pl:partial-lock xmlns:pl="urn:ietf:params:xml:ns:netconf:partial-lock:1.0">
      <pl:select>interface</pl:select>
    </pl:partial-lock>
  </nc:rpc>

Example Reply:

  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="260"
                xmlns:if="http://netconfcentral.org/ns/yuma-interfaces">
    <pl:lock-id xmlns:pl="urn:ietf:params:xml:ns:netconf:partial-lock:1.0">1</pl:lock-id>
    <pl:locked-node xmlns:pl="urn:ietf:pa
ult: YUMA_HOME environment variable
Min Allowed: 0
Max Allowed: 1
Supported by: netconfd, yangcli, yangdiff, yangdump
Example: netconfd --yuma-home=~/sw/netconf --log=server.log &
un | Automatic NV save | <copy-config> candidate to startup | <commit> | <copy-config> | <edit-config>, <copy-config>

It is strongly suggested that the <lock> and <unlock> operations be used whenever a database is being edited. All the databases on the server should be locked, not just one, because different operations are controlled by different locks. The only way to ensure that the entire database transaction is done in isolation is to keep all the databases locked during the entire transaction. The affected configurations should be locked during the entire transaction, and not released until the edits have been saved in non-volatile storage. If the edit target is the <candidate> configuration, then the <candidate> and <running> configurations should be locked. If the edit target is the <running> configuration, then the <running> and <startup> configurations should be locked.

Whenever the lock on the <candidate> configuration is released, a <discard-changes> operation is performed by the server. This is required by the NETCONF protocol. If the <candidate> configuration contains any edits, then a lock will fail with a 'resource-denied' error. In this case, a lock on the <candidate> configuration cannot be granted until the <discard-changes> operation is completed.

The <candidate> database is available if the cand
146. vent. For example, if the initial SSH connection setup fails before the <hello> message is processed, then only a <sysSessionEnd> notification event will be generated. In this case the user name and other session information may not be available.

<sysSessionEnd> notification

Description: NETCONF session has terminated
Min parameters:
Max parameters:
YANG file: yuma-system.yang

Parameters:
- userName
  - type: string
  - usage: mandatory
  - This parameter identifies the SSH user name that is associated with the session.
- sessionId
  - type: uint32, range 1 to max
  - usage: mandatory
  - This parameter identifies the NETCONF session ID assigned to the session.
- remoteHost
  - type: inet:ip-address
  - usage: mandatory
  - This parameter identifies the remote host IP address that is associated with the session.
- killedBy
  - type: uint32, range 1 to max
  - usage: optional; will only be present if the terminationReason leaf is equal to 'killed'
  - This parameter identifies the session number of the session that issued the <kill-session> operation.
- terminationReason
  - type: enumeration (closed, killed, dropped, timeout, bad-start, bad-hello, other)
  - usage: mandatory
  - This parameter indicates why the session was terminated.

Example:

  <?xml version="1.0" encoding="UTF-8"?>
  <ncEvent:notification xmlns:ncEvent="urn:ie
147. vior. The following sections document all the Yuma CLI parameters relevant to this program, in alphabetical order.

The --audit-log parameter specifies the file path of the configuration edit audit log. If this parameter is present, then edits to the running database will cause an audit log entry to be created for each edit point. This is done in addition to normal logging, but it is not affected by the --log-level parameter.

--audit-log parameter
Default:
Min Allowed:
Max Allowed:
Supported by:

The --audit-log-append parameter specifies that the existing audit log file, if any, should be appended instead of deleted. It is ignored unless the --audit-log parameter is present.

--audit-log-append parameter
Syntax:
Default:
Min Allowed:
Max Allowed:
Supported by: netconfd

Example:

  netconfd --audit-log=/var/log/ncaudit.log --audit-log-append

The --access-control parameter specifies how access control is enforced in the netconfd program. It is an enumeration with the following values:
- enforcing: All configured access control rules will be enforced.
- permissive: All configured access control rules will be enforced for write and execute requests. All read requests will be allowed unless the requested object contains the nacm:very-secure extension. In that case all configured access control rules will be enforced and no default access will
148. will terminate at that time, if in the future, or when all replay notifications with a lower <eventTime> value have been delivered. The notification and interleave capabilities are always supported by netconfd. The replay notification feature can be controlled with the --eventlog-size configuration parameter. If this is set to 0, then no stored notifications will be available for replay. The default is to store the most recent 1000 system notification events. An entry will be created in the subscriptions data structure in the ietf-netconf-monitoring module when the subscription is successfully started.

<create-subscription> operation

Min parameters: 0
Max parameters: 4
Return type: status
YANG file: notifications.yang
Capabilities needed: notification
Capabilities optional: interleave

Mandatory Parameters: none

Optional Parameters:
- stream
  - type: string
  - default: NETCONF
  - This parameter specifies the name of the notification stream for this subscription request. Only the NETCONF stream is supported.
- filter
  - type: anyxml (same as the <get> or <get-config> filter parameter)
  - default: none
  - This parameter specifies a boolean filter that should be applied to the stream. This is the same format as the standard <filter> element in RFC 4741, except that instead of creating a subset of the database for an <rpc-reply> PDU, the filter is used as a boolean
149. with-defaults</ns:identifier>
      <ns:format>YANG</ns:format>
      <ns:version/>
    </ns:get-schema>
  </nc:rpc>

Example Reply:

  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="55">
    <ns:data xmlns:ns="urn:ietf:params:xml:ns:netconf:state">
      [entire contents of YANG module would be here; no extra indenting]
    </ns:data>
  </nc:rpc-reply>

The <kill-session> operation is used to force the termination of another NETCONF session. This is sometimes needed if an idle session which is holding one or more locks was abandoned. It may also be needed for security reasons. In any case, this operation should be used with extreme caution.

<kill-session> operation

Min parameters: 1
Max parameters: 1
Return type: status
YANG file: yuma-netconf.yang
Capabilities needed: none

Mandatory Parameters:
- session-id
  - type: uint32, range 1 .. max
  - default: none
  - This parameter specifies the session number of the currently active NETCONF session that should be terminated.

Optional Parameters: none

Returns: <ok>

Possible Operation Errors: access-denied

Example Request:

  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:ba
150. y:

  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc-reply xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2"
                xmlns:t="http://netconfcentral.org/ns/test"
                xmlns:ncx="http://netconfcentral.org/ncx">
    <nc:rpc-error xmlns:y="urn:ietf:params:xml:ns:yang:1">
      <nc:error-type>application</nc:error-type>
      <nc:error-tag>data-missing</nc:error-tag>
      <nc:error-severity>error</nc:error-severity>
      <nc:error-app-tag>missing-choice</nc:error-app-tag>
      <nc:error-path>/t:musttest</nc:error-path>
      <nc:error-message xml:lang="en">missing mandatory choice</nc:error-message>
      <nc:error-info>
        <y:missing-choice xmlns:y="urn:ietf:params:xml:ns:yang:1">musttest</y:missing-choice>
        <ncx:error-number>296</ncx:error-number>
      </nc:error-info>
    </nc:rpc-error>
  </nc:rpc-reply>

The 'no-matches' error is generated when parameters for the <get-schema> operation identify a non-existent YANG file.

No Matches
  data            description
  error-tag       operation-failed
  error-app-tag   no-matches
  error-path      identifies the <identifier> or <revision> parameter in the <get-schema> request
  error-info      <bad-value>
  error-number    365

Example Request:
- get-schema identifier=foo version= format=yang

  <?xml version="1.0" encoding="UTF-8"?>
  <nc:rpc
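The lock/edit/commit/unlock procedure recommended in the locking fragment above, together with the <rpc-error> reply layout shown in this fragment, as an added example that is not code from the Yuma project or from this manual. The script builds the NETCONF message sequence for a <candidate> edit with xml.etree (lock <running> and <candidate>, <edit-config>, <commit>, then release both locks), parses each <rpc-reply> into an ok flag or a list of error records including Yuma's <ncx:error-number>, and stops the transaction at the first error so the locks are still held when the failure is reported. The fake_server stand-in, the message ids and the config payload are constructed assumptions; the namespaces and the data-missing error fields are the ones printed on the page.

```python
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"   # NETCONF base namespace (from the manual)
NCX = "http://netconfcentral.org/ncx"            # Yuma namespace of <error-number> (from the manual)
ET.register_namespace("nc", NC)


def _rpc(message_id, body):
    """Wrap one operation element in an <nc:rpc> envelope and serialize it."""
    root = ET.Element(f"{{{NC}}}rpc", {"message-id": str(message_id)})
    root.append(body)
    return ET.tostring(root, encoding="unicode")

def _with_target(op_name, target):
    """Build <op><target><candidate/></target></op> (or <running/>)."""
    op = ET.Element(f"{{{NC}}}{op_name}")
    ET.SubElement(ET.SubElement(op, f"{{{NC}}}target"), f"{{{NC}}}{target}")
    return op

def lock_rpc(message_id, target):
    return _rpc(message_id, _with_target("lock", target))

def unlock_rpc(message_id, target):
    return _rpc(message_id, _with_target("unlock", target))

def edit_config_rpc(message_id, target, config_xml, default_operation="merge"):
    op = _with_target("edit-config", target)
    ET.SubElement(op, f"{{{NC}}}default-operation").text = default_operation
    ET.SubElement(op, f"{{{NC}}}config").append(ET.fromstring(config_xml))
    return _rpc(message_id, op)

def commit_rpc(message_id):
    return _rpc(message_id, ET.Element(f"{{{NC}}}commit"))

def transaction_messages(config_xml, start_id=1):
    """Ordered (step name, rpc xml) pairs for editing <candidate>: lock <running> and
    <candidate>, edit, commit, then release the locks; both locks stay held until commit."""
    steps = [
        ("lock running", lambda i: lock_rpc(i, "running")),
        ("lock candidate", lambda i: lock_rpc(i, "candidate")),
        ("edit-config candidate", lambda i: edit_config_rpc(i, "candidate", config_xml)),
        ("commit", commit_rpc),
        ("unlock candidate", lambda i: unlock_rpc(i, "candidate")),
        ("unlock running", lambda i: unlock_rpc(i, "running")),
    ]
    return [(name, build(start_id + n)) for n, (name, build) in enumerate(steps)]

def parse_reply(xml_text):
    """Classify an <rpc-reply>: ok=True on <ok/>, otherwise collect every <rpc-error>."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NC}}}rpc-reply":
        raise ValueError("not an <rpc-reply>")
    reply = {"message_id": root.get("message-id"),
             "ok": root.find(f"{{{NC}}}ok") is not None, "errors": []}
    for err in root.findall(f"{{{NC}}}rpc-error"):
        fields = {tag: err.findtext(f"{{{NC}}}error-{tag}")
                  for tag in ("type", "tag", "app-tag", "path", "message")}
        number = err.findtext(f"{{{NC}}}error-info/{{{NCX}}}error-number")
        fields["number"] = int(number) if number else None
        reply["errors"].append(fields)
    return reply

def run_transaction(send, config_xml):
    """Push the sequence through send(rpc_xml) -> reply_xml and stop at the first <rpc-error>.
    Returns (completed step names, None) or (completed step names, (failed step, errors))."""
    done = []
    for name, msg in transaction_messages(config_xml):
        reply = parse_reply(send(msg))
        if not reply["ok"]:
            return done, (name, reply["errors"])
        done.append(name)
    return done, None

# Constructed sample data: a payload in the manual's test namespace, an <ok> reply, and the
# data-missing reply shown on the page (missing mandatory choice, Yuma error-number 296).
CONFIG = '<t:musttest xmlns:t="http://netconfcentral.org/ns/test"><t:a>1</t:a></t:musttest>'
OK_REPLY = '<nc:rpc-reply xmlns:nc="%s" message-id="%s"><nc:ok/></nc:rpc-reply>'
DATA_MISSING_REPLY = (
    '<nc:rpc-reply xmlns:nc="%s" message-id="%s" xmlns:ncx="http://netconfcentral.org/ncx">'
    '<nc:rpc-error xmlns:y="urn:ietf:params:xml:ns:yang:1">'
    '<nc:error-type>application</nc:error-type><nc:error-tag>data-missing</nc:error-tag>'
    '<nc:error-severity>error</nc:error-severity><nc:error-app-tag>missing-choice</nc:error-app-tag>'
    '<nc:error-path>/t:musttest</nc:error-path>'
    '<nc:error-message xml:lang="en">missing mandatory choice</nc:error-message>'
    '<nc:error-info><y:missing-choice>musttest</y:missing-choice>'
    '<ncx:error-number>296</ncx:error-number></nc:error-info></nc:rpc-error></nc:rpc-reply>')

def fake_server(fail_op=None):
    """Constructed stand-in for netconfd (assumption, not the real server): answers <ok/> to
    everything except fail_op (e.g. "edit-config"), which gets the data-missing reply."""
    def send(rpc_xml):
        root = ET.fromstring(rpc_xml)
        op = root[0].tag.split("}")[1]          # local name of the operation element
        template = DATA_MISSING_REPLY if op == fail_op else OK_REPLY
        return template % (NC, root.get("message-id"))
    return send

if __name__ == "__main__":
    print(run_transaction(fake_server(), CONFIG))
    print(run_transaction(fake_server("edit-config"), CONFIG))
```

Because the server performs <discard-changes> when the <candidate> lock is released, the unlock steps are only sent after a successful <commit>; on failure the caller still holds both locks and can decide whether to retry the edit or release them.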