
netconfd(1) netconfd 2.9 netconfd(1)

NAME

netconfd - YANG-based NETCONF-over-SSH server

SYNOPSIS

   netconfd [parameter=value...]
   netconfd --help [brief | normal | full]
   netconfd --version

DESCRIPTION

netconfd is a YANG-based NETCONF server, which can be used with an SSH server such as OpenSSH. This version of netconfd supports the YANG data modeling language defined in RFC 6020.

USAGE

Parameters can be entered in any order, and have the form:

[start] name [separator [value]]

where:

start == 0, 1, or 2 dashes (foo, -foo, --foo)

name == parameter name

         Parameter name completion will be attempted
         if a partial name is entered.

separator == whitespace or equals sign (foo=bar, foo bar)

value == string value for the parameter.

         Strings with whitespace need to be double quoted
         (--foo="some string")

Some examples of valid command line parameters:
   foo=3
   -foo=3
   --foo=3
   foo 3
   foo=fred
   --foo "fred flintstone"

Partial parameter names can be entered if they are unique.

OPTIONS

--access-control=enum
Controls how the ietf-netconf-acm access control model will be enforced during server operation.
 Enum values:
    enforcing:
      All configured access control rules will be
      enforced.
    permissive:
      All configured access control rules will be
      enforced for write and execute requests.
      All read requests will be allowed, unless
      the requested object contains the
      'nacm:very-secure' extension.  In that case,
      all configured access control rules will
      be enforced.
    disabled:
      All read, write, and execute requests will be
      allowed, unless the object contains the
      'nacm:secure' or 'nacm:very-secure' extension.
      If the 'nacm:secure' extension is in effect,
      then all configured access control rules
      will be enforced for write and execute requests.
      If the 'nacm:very-secure' extension is in effect,
      then all configured access control rules
      will be enforced for all requests.
      Use this mode with caution.
    off:
      All access control enforcement is disabled.
      Use this mode with extreme caution.
    
--audit-log=filespec
Filespec for the server audit log file to use in addition to the normal log file or STDOUT.
--audit-log-append
If present, the audit log will be appended to, not overwritten. If not, the audit log will be overwritten. Only meaningful if the 'audit-log' parameter is also present.
--config=filespec
The name of the configuration file to use. Any parameter except this one can be set in the config file. The default config file /etc/yuma/netconfd.conf will not be checked if this parameter is present.
--datapath=list
Internal file search path for configuration data files. Overrides the YUMA_DATAPATH environment variable. This parameter affects the search for the startup configuration file (default: startup-cfg.xml).
--default-style=enum
Selects the type of filtering behavior the server will advertise as the 'basic' behavior in the 'with-defaults' capability. The server will use this default handling behavior if the 'with-defaults' parameter is not explicitly set.

Also, when saving a configuration to NV-storage, this value will be used for filtering defaults from the saved configuration.

  Enum values:
     report-all: report all values
     trim: remove leafs containing the YANG
        default value
     explicit: report only the nodes that have
        been created by the client or the server.
        This is the default value.
    
--delete-empty-npcontainers=boolean
Selects whether the server will keep or delete empty non-presence containers in the running and startup configurations. Set to true to delete these containers, and false to keep them. Default: false. This parameter is deprecated! It is ignored by the server!
--deviation=string
This parameter identifies a YANG module that should only be checked for deviation statements for external modules. These will be collected and applied to the real module(s) being processed.

Deviations are applied as patches to the target module. Since they are not identified in the target module at all (ala imports), they have to be specified explicitly, so they will be correctly processed. Zero or more instances of this parameter are allowed.

--eventlog-size=number
Specifies the maximum number of notification events that will be saved in the notification replay buffer. The oldest entries will be deleted first. The default value is 1000.
--feature-disable=module:feature
Identifies a feature which should be considered disabled. Zero or more entries are allowed.
--feature-enable-default=boolean
If true (the default), then features will be enabled by default. If false, then features will be disabled by default.
--feature-enable=module:feature
Identifies a feature which should be considered enabled. Zero or more entries are allowed.
--hello-timeout=number
Specifies the number of seconds that a session may exist before the hello PDU is received. A session will be dropped if no hello PDU is received before this number of seconds elapses.

If this parameter is set to zero, then the server will wait forever for a hello message, and not drop any sessions stuck in 'hello-wait' state.

Setting this parameter to zero may permit denial of service attacks, since only a limited number of concurrent sessions are supported by the server. (range 0 | 10 .. 3600). The default value is 600 seconds (10 minutes).

--help
Print this help text and exit. The help-mode choice (--brief, --normal, or --full) may also be present to control the amount of help text printed.
--home=dirspec
Directory specification for the home directory to use instead of HOME.
--idle-timeout=number
Specifies the number of seconds that a session may remain idle without issuing any RPC requests. A session will be dropped if it is idle for an interval longer than this number of seconds.

Sessions that have a notification subscription active are never dropped.

If this parameter is set to zero, then the server will never drop a session because it is idle. (range 0 | 10 .. 360000). The default value is 3600 seconds (1 hour).

--indent=number
Number of spaces to indent (0..9) in formatted output. The default is 2 spaces.
--log=filespec
Filespec for the log file to use instead of STDOUT. If this string begins with a '~' character, then a username is expected to follow or a directory separator character. If it begins with a '$' character, then an environment variable name is expected to follow.
--log-append
If present, the log will be appended to, not overwritten. If not, the log will be overwritten. Only meaningful if the log parameter is also present.
--log-level=enum
Sets the debug logging level for the program.
--max-burst=number
Specifies the maximum number of notifications that should be sent to one session, within a one second time interval. The value 0 indicates that the server should not limit notification bursts at all. The default value is 10.
--modpath=list
Directory search path for YANG and YIN files. Overrides the YUMA_MODPATH environment variable.
--module=string
YANG or YIN source module name to load at startup. The server will attempt to load the specified module and its corresponding server instrumentation library (SIL).

If this string represents a filespec, ending with the .yang or .yin extension, then only that file location will be checked.

If this string represents a module name, then the module search path will be checked for a file with the .yang or .yin extension.

If this string begins with a '~' character, then a username is expected to follow or a directory separator character. If it begins with a '$' character, then an environment variable name is expected to follow.

      ~/some/path ==> <my-home-dir>/some/path
      ~fred/some/path ==> <fred-home-dir>/some/path
      $workdir/some/path ==> <workdir-env-var>/some/path
    
--ncxserver-sockname=path
Overrides the default /tmp/ncxserver.sock UNIX socket name netconfd listens on for incoming connections. You have to add a corresponding entry to /etc/ssh/sshd_config, e.g.:
...
Port 1830
Subsystem netconf
...
    
--port=number
Specifies the TCP ports that the server will accept connections from. These ports must also be configured in the /etc/ssh/sshd_config file for the SSH master server to accept the connection and invoke the netconf subsystem.

Up to 4 port numbers can be configured.

If any ports are configured, then only those values will be accepted by the server.

If no ports are configured, then the server will accept connections on the netconf-ssh port (tcp/830).

--protocols=bits
Specifies which NETCONF protocol versions the server will attempt to use. The empty set is not allowed. The values 'netconf1.0' and 'netconf1.1' are supported. The default is to enable both NETCONF protocol versions.
--runpath=pathlist
Internal file search path for executable modules. Overrides the YUMA_RUNPATH environment variable.
--running-error=enum
If 'stop', then errors in the running configuration will be treated as fatal errors. If 'continue', the server will attempt to continue if any validation errors are found in the running configuration at startup. The default is 'stop'.
--startup=filespec
The full or relative filespec of the startup config file to use. If present, overrides the default startup config file name 'startup-cfg.xml'. This will also override the YUMA_DATAPATH environment variable and the datapath CLI parameter, if the first character is the forward slash '/', indicating an absolute file path. If this parameter is present, then the --no-startup and --factory-startup parameters cannot be present. This is the default, which will cause startup-cfg.xml to be used if not present.
--no-startup
If present, do not load the startup config file. Use only factory default values instead. Does not affect the startup.cfg file, if present. If this parameter is present, then the --startup or --factory-startup parameter cannot be present.
--factory-startup
Force the system to use the factory configuration and delete the startup config file if it exists. Force the NV-storage startup to contain the factory default configuration. If this parameter is present, then the --no-startup and --startup parameters cannot be present.
--startup-error=enum
If 'stop', then any errors in the startup configuration will be treated as fatal errors. If 'continue', the server will attempt to continue if any errors are found in the database loaded from NV-storage to running at boot-time. The default is 'stop'.
--subdirs=boolean
If false, the file search paths for modules, scripts, and data files will not include sub-directories if they exist in the specified path.

If true, then these file search paths will include sub-directories, if present. Any directory name beginning with a dot (.) character, or named CVS, will be ignored. This is the default mode.

--superuser=string
The user name to use as the superuser account. Any session associated with this user name will bypass all access control enforcement. See ietf-netconf-acm.yang for more details. There is no default value.
--system-sorted=boolean
Indicates whether ordered-by system leaf-lists and lists will be kept in sorted order. The default is true.
--target=enum
Specifies the database to use as the target of edit-config operations.
  Enum values:
    running:
      Write to the running config and support the
      :writable-running capability.
    candidate:
      Write to the candidate config and support the
      :candidate and :confirmed-commit capabilities.
    
--usexmlorder
If present, then XML element order will be enforced. Otherwise, XML element order errors will not be generated if possible. Default is no enforcement of strict XML order.
--version
Print the program version string and exit.
--validate-config-only
If present, netconfd acts as a command line YANG configuration validator. It loads the YANG schema modules, validates the startup configuration and exits without opening a socket or listening for incoming sessions.
--warn-idlen=number
Control whether identifier length warnings will be generated. The value zero disables all identifier length checking. If non-zero, then a warning will be generated if an identifier is defined which has a length greater than this amount. range: 0 | 8 .. 1023. The default value is 64.
--warn-linelen=number
Control whether line length warnings will be generated. The value zero disables all line length checking. If non-zero, then a warning will be generated if the line length is greater than this amount. Tab characters are counted as 8 spaces. range: 0 | 40 .. 4095. The default value is 72.
--warn-off=number
Control whether the specified warning number will be generated and counted in the warning total for the module being parsed. range: 400 .. 899. This parameter may be entered zero or more times.
--with-startup=boolean
If set to 'true', then the :startup capability will be enabled. Otherwise, the :startup capability will not be enabled. This capability makes the NV-save operation an explicit operation instead of an automatic save. The default value is false.
--with-url=boolean
If set to 'false', then the :url capability will be disabled. Otherwise, the :url capability will be enabled. This capability allows local files to be stored as backups on the server. The default value is true.
--with-validate=boolean
If set to 'true', then the :validate capability will be enabled. Otherwise, the :validate capability will not be enabled. This capability requires extensive memory resources. The default value is true.
--yuma-home=string
Directory for the yuma project root to use. If present, this directory location will override the YUMA_HOME environment variable, if it is present. If a zero-length string is entered, then the YUMA_HOME environment variable will be ignored.

INPUT FILES

YANG modules can be loaded at startup with the '--module' command, or loaded at run-time with the 'load' operation.

SEARCH PATH

When a module name is entered as input, or when a module or submodule name is specified in an import or include statement within the file, the following search algorithm is used to find the file:
  1) file is in the current directory
  2) YUMA_MODPATH environment var (or set by modpath parameter)
  3) $HOME/modules directory
  4) $YUMA_HOME/modules directory
  5) $YUMA_INSTALL/modules directory OR
     default install module location, '/usr/share/yuma/modules'
By default, the entire directory tree for all locations (except step 1) will be searched, not just the specified directory. The subdirs parameter can be used to prevent sub-directories from being searched.

Any directory name beginning with a dot character (.) will be skipped. Also, any directory named CVS will be skipped in directory searches.
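
The search order above decides which copy of a module is used, so it is worth checking who can write to each directory in it. The following is an added example, not part of netconfd or the original page: it builds the directory list in the documented order and reports directories that are group- or world-writable. It assumes the modpath parameter is colon-separated like YUMA_MODPATH; the function names are hypothetical.

```python
import os
import stat

DEFAULT_INSTALL_MODULES = "/usr/share/yuma/modules"  # default install location from this page

def module_search_dirs(env, cwd, modpath=None):
    """Directories in the order the five search steps above list them."""
    dirs = [cwd]                                                # step 1
    # step 2: the modpath parameter overrides YUMA_MODPATH when both are present
    # (assumption: modpath uses the same colon-separated form)
    path = modpath if modpath is not None else env.get("YUMA_MODPATH", "")
    dirs += [d for d in path.split(":") if d]
    if env.get("HOME"):
        dirs.append(os.path.join(env["HOME"], "modules"))       # step 3
    if env.get("YUMA_HOME"):
        dirs.append(os.path.join(env["YUMA_HOME"], "modules"))  # step 4
    install = env.get("YUMA_INSTALL")                           # step 5
    dirs.append(os.path.join(install, "modules") if install else DEFAULT_INSTALL_MODULES)
    return dirs

def writable_by_others(path):
    """True if path exists and its mode grants group or world write."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def loose_dirs(dirs):
    """Search directories that accounts other than the owner can write to."""
    return [d for d in dirs if writable_by_others(d)]

if __name__ == "__main__":
    # Review the search path of the current environment, first-searched first.
    for d in module_search_dirs(os.environ, os.getcwd()):
        print(("LOOSE " if writable_by_others(d) else "ok    ") + d)
```

Run it as the account and from the working directory that netconfd is started with, since step 1 and the HOME-based step depend on both.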

ERROR LOGGING

By default, warnings and errors are sent to STDOUT.

A log file can be specified instead with the 'log' parameter.

Existing log files can be reused with the 'log-append' parameter; otherwise log files are overwritten.

The logging level can be controlled with the log-level parameter.

The default log level is 'info'. The log-levels are additive:

     off:    suppress all errors (not recommended!)
             A program return code of '1' indicates some error.
     error:  print errors
     warn:   print warnings
     info:   print generally interesting trace info
     debug:  print general debugging trace info
     debug2: print verbose debugging trace info
     debug3: print very verbose debugging trace info
     debug4: print maximum debugging trace info

ENVIRONMENT

The following optional environment variables can be used to control module search behavior:

HOME
The user's home directory (e.g., /home/andy)
YUMA_HOME
The root of the user's Yuma work directory (e.g., /home/andy/swdev/netconf)
YUMA_INSTALL
The root of the directory in which yangdump is installed on this system (default: /usr/share/yuma)
YUMA_DATAPATH
Colon-separated list of directories to search for data files. (e.g.: './workdir/data-files:/home/andy/data') The datapath parameter will override this environment variable, if both are present.
YUMA_MODPATH
Colon-separated list of directories to search for modules and submodules. (e.g.: './workdir/modules:/home/andy/test-modules') The modpath parameter will override this environment variable, if both are present.

CONFIGURATION FILES

netconfd.conf
YANG config file. The default is: /etc/yuma/netconfd.conf

An ASCII configuration file format is supported to store command line parameters.

The config parameter is used to specify a specific config file, otherwise the default config file will be checked.

   - A hash mark until EOLN is treated as a comment
   - All text is case-sensitive
   - Whitespace within a line is not significant
   - Whitespace to end a line is significant.
     Unless the line starts a multi-line string,
     an escaped EOLN (backslash EOLN) is needed
     to enter a leaf on multiple lines.
   - For parameters that define lists, the key components
     are listed just after the parameter name, without
     any name,  e.g.,
    
            interface eth0 {
              # name = eth0 is not listed inside the braces
              ifMtu 1500
              ifName mySystem
            }
    
A config file can contain any number of parameter sets for different programs.

Each program must have its own section, identified by its name:

     # this is a comment
     yangdump {
        log-level debug
        output "~/swdev/testfiles"
     }
    
     netconfd {
        ...
     }
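
Because any parameter can be set in this file, it is the natural place to review the settings that the OPTIONS section itself marks as risky. The following is an added example, not part of netconfd or the original page: it parses the section format described above and flags those settings. The sample file is constructed, the function names are hypothetical, and the parser assumes whitespace-separated `name value` leaves written with full parameter names.

```python
import shlex

# Constructed sample in the section format described above (not a shipped default).
SAMPLE_CONF = """\
yangdump {
   log-level debug
}
netconfd {
   access-control disabled   # a hash mark starts a comment
   hello-timeout 0
   superuser "admin"
   log-level off
   idle-timeout 3600
}
"""

def parse_section(text, program="netconfd"):
    """Return {name: value} for the top-level leaf parameters of one program section."""
    params, current, depth = {}, None, 0
    text = text.replace("\\\n", " ")  # escaped EOLN continues a leaf on the next line
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)  # strips comments, unquotes strings
        if not tokens:
            continue
        if tokens[-1] == "{":          # section start, or a nested list entry
            depth += 1
            if depth == 1:
                current = tokens[0]
        elif tokens == ["}"]:
            depth -= 1
            if depth == 0:
                current = None
        elif depth == 1 and current == program:
            # Partial parameter names are not resolved; repeated names keep the last value.
            params[tokens[0]] = tokens[1] if len(tokens) > 1 else ""
    return params

def audit(params):
    """Return findings for settings that this man page itself describes as risky."""
    findings = []
    mode = params.get("access-control")
    if mode in ("permissive", "disabled", "off"):
        findings.append(f"access-control={mode}: configured rules are not enforced for every request")
    if params.get("hello-timeout") == "0":
        findings.append("hello-timeout=0: sessions stuck in hello-wait are never dropped (DoS risk)")
    if params.get("idle-timeout") == "0":
        findings.append("idle-timeout=0: idle sessions are never dropped")
    if params.get("superuser"):
        findings.append(f"superuser={params['superuser']}: this user bypasses all access control")
    if params.get("log-level") == "off":
        findings.append("log-level=off: all errors are suppressed")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_section(SAMPLE_CONF)):
        print(finding)
```

Command line parameters are not covered by this check, so the netconfd invocation needs the same review.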
    

FILES

The following data files must be present in the module search path in order for this program to function:

* YANG module library default: /usr/share/yuma/modules/

DIAGNOSTICS

Internal diagnostics may generate the following type of message if any bugs are detected at runtime:
    [E0]
         filename.c:linenum error-number (error-msg)

AUTHORS

Andy Bierman, <andy at netconfcentral dot org>

Vladimir Vassilev, <vladimir at transpacket dot com>

SEE ALSO

netconf-subsystem(1) pyang(1) yangcli(1)

August 20, 2016 Linux