1 .. _netconf-user-guide:
17 NETCONF is an XML-based protocol used for configuration and monitoring
18 devices in the network. The base NETCONF protocol is described in
19 `RFC-6241 <http://tools.ietf.org/html/rfc6241>`__.
21 **NETCONF in OpenDaylight:.**
23 OpenDaylight supports the NETCONF protocol as a northbound server as
24 well as a southbound plugin. It also includes a set of test tools for
25 simulating NETCONF devices and clients.
27 Southbound (netconf-connector)
28 ------------------------------
30 The NETCONF southbound plugin is capable of connecting to remote NETCONF
31 devices and exposing their configuration/operational datastores, RPCs
32 and notifications as MD-SAL mount points. These mount points allow
33 applications and remote users (over RESTCONF) to interact with the
36 In terms of RFCs, the connector supports:
38 - `RFC-6241 <http://tools.ietf.org/html/rfc6241>`__
40 - `RFC-5277 <https://tools.ietf.org/html/rfc5277>`__
42 - `RFC-6022 <https://tools.ietf.org/html/rfc6022>`__
44 - `RFC-7895 <https://tools.ietf.org/html/rfc7895>`__
46 **Netconf-connector is fully model-driven (utilizing the YANG modeling
47 language) so in addition to the above RFCs, it supports any
48 data/RPC/notifications described by a YANG model that is implemented by
53 NETCONF southbound can be activated by installing
54 ``odl-netconf-connector-all`` Karaf feature.
56 Netconf-connector configuration
57 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
59 NETCONF connectors are configured directly through the usage of the
60 network-topology model. You can configure new NETCONF connectors both
61 through the NETCONF server for MD-SAL (port 2830) or RESTCONF. This guide
66 Since 2022.09 Chlorine there is only one RESTCONF endpoint:
68 - | ``http://localhost:8181/rests`` is related to `RFC-8040 <https://tools.ietf.org/html/rfc8040>`__,
69 | can be activated by installing ``odl-restconf-nb``
72 | Resources for configuration and operational datastores start
75 http://localhost:8181/rests/data/network-topology:network-topology
76 with response of both datastores. It's allowed to use query
77 parameters to distinguish between them.
79 http://localhost:8181/rests/data/network-topology:network-topology?content=config
80 for configuration datastore
82 http://localhost:8181/rests/data/network-topology:network-topology?content=nonconfig
83 for operational datastore.
85 | Also if a data node in the path expression is a YANG leaf-list or list
86 node, the path segment has to be constructed by having leaf-list or
87 list node name, followed by an "=" character, then followed by the
88 leaf-list or list value. Any reserved characters must be
91 http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf?content=config
92 for retrieving data from configuration datastore for
93 topology-netconf value of topology list.
98 1. OpenDaylight is running
100 2. In Karaf, you must have the ``odl-netconf-topology`` or
101 ``odl-netconf-clustered-topology`` feature installed.
103 3. Feature ``odl-restconf-nb`` must be installed
105 Spawning new NETCONF connectors
106 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
108 To create a new NETCONF connector you need to send the following PUT request
115 - http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device
117 You could use the same body to create the new NETCONF connector with a POST
118 without specifying the node in the URL:
124 - http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf
132 **Content-type:** ``application/xml``
134 **Accept:** ``application/xml``
136 **Authentication:** ``admin:admin``
140 <node xmlns="urn:TBD:params:xml:ns:yang:network-topology">
141 <node-id>new-netconf-device</node-id>
142 <host xmlns="urn:opendaylight:netconf-node-topology">127.0.0.1</host>
143 <port xmlns="urn:opendaylight:netconf-node-topology">17830</port>
144 <username xmlns="urn:opendaylight:netconf-node-topology">admin</username>
145 <password xmlns="urn:opendaylight:netconf-node-topology">admin</password>
146 <tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
147 <!-- non-mandatory fields with default values, you can safely remove these if you do not wish to override any of these values-->
148 <reconnect-on-changed-schema xmlns="urn:opendaylight:netconf-node-topology">false</reconnect-on-changed-schema>
149 <connection-timeout-millis xmlns="urn:opendaylight:netconf-node-topology">20000</connection-timeout-millis>
150 <max-connection-attempts xmlns="urn:opendaylight:netconf-node-topology">0</max-connection-attempts>
151 <between-attempts-timeout-millis xmlns="urn:opendaylight:netconf-node-topology">2000</between-attempts-timeout-millis>
152 <sleep-factor xmlns="urn:opendaylight:netconf-node-topology">1.5</sleep-factor>
153 <!-- keepalive-delay set to 0 turns off keepalives-->
154 <keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">120</keepalive-delay>
159 **Content-type:** ``application/json``
161 **Accept:** ``application/json``
163 **Authentication:** ``admin:admin``
170 "node-id": "new-netconf-device",
171 "netconf-node-topology:port": 17830,
172 "netconf-node-topology:reconnect-on-changed-schema": false,
173 "netconf-node-topology:connection-timeout-millis": 20000,
174 "netconf-node-topology:tcp-only": false,
175 "netconf-node-topology:max-connection-attempts": 0,
176 "netconf-node-topology:username": "admin",
177 "netconf-node-topology:password": "admin",
178 "netconf-node-topology:sleep-factor": 1.5,
179 "netconf-node-topology:host": "127.0.0.1",
180 "netconf-node-topology:between-attempts-timeout-millis": 2000,
181 "netconf-node-topology:keepalive-delay": 120
186 Note that the device name in <node-id> element must match the last
187 element of the restconf URL.
189 Reconfiguring an existing connector
190 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
192 The steps to reconfigure an existing connector are exactly the same as
193 when spawning a new connector. The old connection will be disconnected
194 and a new connector with the new configuration will be created. This needs
195 to be done with a PUT request because the node already exists. A POST
196 request will fail for that reason.
198 Additionally, a PATCH request can be used to modify an existing
199 configuration. Currently, only yang-patch (`RFC-8072 <https://tools.ietf.org/html/rfc8072>`__)
200 is supported. The URL would be the same as the above PUT examples.
201 Using JSON for the body, the headers needed for the request would
206 - Accept: application/yang-data+json
208 - Content-Type: application/yang-patch+json
210 Example JSON payload to modify the password entry:
215 "ietf-restconf:yang-patch" : {
220 "operation" : "merge",
225 "node-id": "new-netconf-device",
226 "netconf-node-topology:password" : "newpassword"
235 Deleting an existing connector
236 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
238 To remove an already configured NETCONF connector you need to send a
239 DELETE request to the same PUT request URL that was used to create the
246 - http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device
250 No body is needed to delete the node/device
252 Connecting to a device not supporting NETCONF monitoring
253 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
255 The netconf-connector in OpenDaylight relies on ietf-netconf-monitoring
256 support when connecting to remote NETCONF device. The
257 ietf-netconf-monitoring support allows netconf-connector to list and
258 download all YANG schemas that are used by the device. NETCONF connector
259 can only communicate with a device if it knows the set of used schemas
260 (or at least a subset). However, some devices use YANG models internally
261 but do not support NETCONF monitoring. Netconf-connector can also
262 communicate with these devices, but you have to side load the necessary
263 yang models into OpenDaylight’s YANG model cache for netconf-connector.
264 In general there are 2 situations you might encounter:
266 **1. NETCONF device does not support ietf-netconf-monitoring but it does
267 list all its YANG models as capabilities in HELLO message**
269 This could be a device that internally uses only ietf-inet-types YANG
270 model with revision 2010-09-24. In the HELLO message that is sent from
271 this device there is this capability reported:
275 urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&revision=2010-09-24
277 **For such devices you only need to put the schema into folder
278 cache/schema inside your Karaf distribution.**
282 The file with YANG schema for ietf-inet-types has to be called
283 ietf-inet-types@2010-09-24.yang. It is the required naming format of
286 **2. NETCONF device does not support ietf-netconf-monitoring and it does
287 NOT list its YANG models as capabilities in HELLO message**
289 Compared to device that lists its YANG models in HELLO message, in this
290 case there would be no capability with ietf-inet-types in the HELLO
291 message. This type of device basically provides no information about the
292 YANG schemas it uses so its up to the user of OpenDaylight to properly
293 configure netconf-connector for this device.
295 Netconf-connector has an optional configuration attribute called
296 yang-module-capabilities and this attribute can contain a list of "YANG
297 module based" capabilities. So by setting this configuration attribute,
298 it is possible to override the "yang-module-based" capabilities reported
299 in HELLO message of the device. To do this, we need to modify the
300 configuration of netconf-connector like in the example below:
306 **Content-type:** ``application/xml``
308 **Accept:** ``application/xml``
310 **Authentication:** ``admin:admin``
314 <node xmlns="urn:TBD:params:xml:ns:yang:network-topology">
315 <node-id>r5</node-id>
316 <host xmlns="urn:opendaylight:netconf-node-topology">127.0.0.1</host>
317 <port xmlns="urn:opendaylight:netconf-node-topology">8305</port>
318 <username xmlns="urn:opendaylight:netconf-node-topology">root</username>
319 <password xmlns="urn:opendaylight:netconf-node-topology">root</password>
320 <tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
321 <keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">30</keepalive-delay>
322 <yang-module-capabilities xmlns="urn:opendaylight:netconf-node-topology">
323 <override>true</override>
324 <capability xmlns="urn:opendaylight:netconf-node-topology">
325 urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&revision=2013-07-15
327 </yang-module-capabilities>
332 **Content-type:** ``application/json``
334 **Accept:** ``application/json``
336 **Authentication:** ``admin:admin``
344 "netconf-node-topology:host": "127.0.0.1",
345 "netconf-node-topology:password": "root",
346 "netconf-node-topology:username": "root",
347 "netconf-node-topology:yang-module-capabilities": {
350 "urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&revision=2013-07-15"
353 "netconf-node-topology:port": 8305,
354 "netconf-node-topology:tcp-only": false,
355 "netconf-node-topology:keepalive-delay": 30
360 **Remember to also put the YANG schemas into the cache folder.**
364 For putting multiple capabilities, you just need to replicate the
365 capability element inside yang-module-capability element.
366 Capability element is modeled as a leaf-list. With this
367 configuration, we would make the remote device report usage of
368 ietf-inet-types in the eyes of netconf-connector.
370 Connecting to a device supporting only NETCONF 1.0
371 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
373 OpenDaylight is schema-based distribution and heavily depends on YANG
374 models. However some legacy NETCONF devices are not schema-based and
375 implement just RFC 4741. This type of device does not utilize YANG
376 models internally and OpenDaylight does not know how to communicate
377 with such devices, how to validate data, or what the semantics of data
380 NETCONF connector can communicate also with these devices, but the
381 trade-offs are worsened possibilities in utilization of NETCONF
382 mountpoints. Using RESTCONF with such devices is not suported. Also
383 communicating with schemaless devices from application code is slightly
386 To connect to schemaless device, there is a optional configuration option
387 in netconf-node-topology model called schemaless. You have to set this
390 Clustered NETCONF connector
391 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
393 To spawn NETCONF connectors that are cluster-aware you need to install
394 the ``odl-netconf-clustered-topology`` karaf feature.
398 The ``odl-netconf-topology`` and ``odl-netconf-clustered-topology``
399 features are considered **INCOMPATIBLE**. They both manage the same
400 space in the datastore and would issue conflicting writes if
403 Configuration of clustered NETCONF connectors works the same as the
404 configuration through the topology model in the previous section.
406 When a new clustered connector is configured the configuration gets
407 distributed among the member nodes and a NETCONF connector is spawned on
408 each node. From these nodes a master is chosen which handles the schema
409 download from the device and all the communication with the device. You
410 will be able to read/write to/from the device from all slave nodes due
411 to the proxy data brokers implemented.
413 You can use the ``odl-netconf-clustered-topology`` feature in a single
414 node scenario as well but the code that uses akka will be used, so for a
415 scenario where only a single node is used, ``odl-netconf-topology``
418 Netconf-connector utilization
419 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
421 Once the connector is up and running, users can utilize the new mount
422 point instance. By using RESTCONF or from their application code. This
423 chapter deals with using RESTCONF and more information for app
424 developers can be found in the developers guide or in the official
425 tutorial application **ncmount** that can be found in the coretutorials
428 - https://github.com/opendaylight/coretutorials/tree/master/ncmount
430 Reading data from the device
431 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
433 Just invoke (no body needed):
436 http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device/yang-ext:mount?content=nonconfig
438 This will return the entire content of operation datastore from the
439 device. To view just the configuration datastore, change **nonconfig**
440 in this URL to **config**.
442 Writing configuration data to the device
443 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
445 In general, you cannot simply write any data you want to the device. The
446 data have to conform to the YANG models implemented by the device. In
447 this example we are adding a new interface-configuration to the mounted
448 device (assuming the device supports Cisco-IOS-XR-ifmgr-cfg YANG model).
449 In fact this request comes from the tutorial dedicated to the
450 **ncmount** tutorial app.
453 http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device/yang-ext:mount/Cisco-IOS-XR-ifmgr-cfg:interface-configurations
457 <interface-configuration xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ifmgr-cfg">
459 <interface-name>mpls</interface-name>
460 <description>Interface description</description>
461 <bandwidth>32</bandwidth>
462 <link-status></link-status>
463 </interface-configuration>
465 Should return 200 response code with no body.
469 This call is transformed into a couple of NETCONF RPCs. Resulting
470 NETCONF RPCs that go directly to the device can be found in the
471 OpenDaylight logs after invoking ``log:set TRACE
472 org.opendaylight.controller.sal.connect.netconf`` in the Karaf
473 shell. Seeing the NETCONF RPCs might help with debugging.
475 This request is very similar to the one where we spawned a new netconf
476 device. That’s because we used the loopback netconf-connector to write
477 configuration data into config-subsystem datastore and config-subsystem
478 picked it up from there.
483 Devices can implement any additional RPC and as long as it provides YANG
484 models for it, it can be invoked from OpenDaylight. Following example
485 shows how to invoke the get-schema RPC (get-schema is quite common among
486 netconf devices). Invoke:
489 http://localhost:8181/rests/operations/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device/yang-ext:mount/ietf-netconf-monitoring:get-schema
493 <input xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring">
494 <identifier>ietf-yang-types</identifier>
495 <version>2013-07-15</version>
498 This call should fetch the source for ietf-yang-types YANG model from
501 Receiving Netconf Device Notifications on a http client
502 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
504 Devices emit netconf alarms and notifictions on certain situtations, which can demand
505 attention from Device Administration. The notifications are received as Netconf messages on an
506 active Netconf session.
508 Opendaylight provides the way to stream the device notifications over a http session.
510 - Step 1: Mount the device (assume node name is test_device)
512 - Step 2: Wait for the device to be connected.
514 - Step 3: Create the Subscription for notification on the active session.
519 http://localhost:8181/rests/operations/network-topology:network-topology/topology=topology-netconf/node=test_device/yang-ext:mount/notifications:create-subscription
520 Content-Type: application/json
521 Accept: application/json
531 - Step 4: Create the http Stream for the events.
536 http://localhost:8181/rests/operations/odl-device-notification:subscribe-device-notification
537 Content-Type: application/json
538 Accept: application/json
544 "path":"/network-topology:network-topology/topology[topology-id='topology-netconf']/node[node-id='test_device']"
548 The response suggests the http url for reading the notifications.
553 "odl-device-notification:output": {
554 "stream-path": "http://localhost:8181/rests/notif/test_device?notificationType=test_device"
558 - Step 5: User can access the url in the response and the notifications will be as follows.
563 http://localhost:8181/rests/notif/test_device?notificationType=test_device
564 Content-Type: application/xml
565 Accept: application/xml
580 data: <notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"><eventTime>2022-06-17T07:01:08.60228Z</eventTime><netconf-session-start xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-notifications"><username>root</username><source-host>127.0.0.1</source-host><session-id>2</session-id></netconf-session-start></notification>
582 data: <notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"><eventTime>2022-06-17T07:01:12.458258Z</eventTime><netconf-session-end xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-notifications"><username>root</username><source-host>127.0.0.1</source-host><termination-reason>closed</termination-reason><session-id>2</session-id></netconf-session-end></notification>
585 Netconf-connector + Netopeer
586 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
588 `Netopeer <https://github.com/cesnet/netopeer>`__ (an open-source
589 NETCONF server) can be used for testing/exploring NETCONF southbound in
592 Netopeer installation
593 ^^^^^^^^^^^^^^^^^^^^^
595 A `Docker <https://www.docker.com/>`__ container with netopeer will be
596 used in this guide. To install Docker and start the `netopeer
597 image <https://hub.docker.com/r/sysrepo/sysrepo-netopeer2>`__ perform
600 1. Install docker http://docs.docker.com/linux/step_one/
602 2. Start the netopeer image:
606 docker run -it --name sysrepo -p 830:830 --rm sysrepo/sysrepo-netopeer2:latest
608 3. Verify netopeer is running by invoking (netopeer should send its
609 HELLO message right away:
613 ssh root@localhost -p 830 -s netconf
616 Mounting netopeer NETCONF server
617 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
621 - OpenDaylight is started with features ``odl-restconf-all`` and
622 ``odl-netconf-connector-all``.
624 - Netopeer is up and running in docker
626 Now just follow the section: `Spawning new NETCONF connectors`_.
627 In the payload change the:
629 - name, e.g., to netopeer
631 - username/password to your system credentials
637 After netopeer is mounted successfully, its configuration can be read
638 using RESTCONF by invoking:
641 http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=netopeer/yang-ext:mount?content:config
643 Northbound (NETCONF servers)
644 ----------------------------
646 OpenDaylight provides 2 types of NETCONF servers:
648 - **NETCONF server for config-subsystem (listening by default on port
651 - Serves as a default interface for config-subsystem and allows
652 users to spawn/reconfigure/destroy modules (or applications) in
655 - **NETCONF server for MD-SAL (listening by default on port 2830)**
657 - Serves as an alternative interface for MD-SAL (besides RESTCONF)
658 and allows users to read/write data from MD-SAL’s datastore and to
659 invoke its rpcs (NETCONF notifications are not available in the
660 Boron release of OpenDaylight)
664 The reason for having 2 NETCONF servers is that config-subsystem and
665 MD-SAL are 2 different components of OpenDaylight and require
666 different approach for NETCONF message handling and data
667 translation. These 2 components will probably merge in the future.
671 Since Nitrogen release, there is performance regression in NETCONF
672 servers accepting SSH connections. While opening a connection takes
673 less than 10 seconds on Carbon, on Nitrogen time can increase up to
674 60 seconds. Please see https://bugs.opendaylight.org/show_bug.cgi?id=9020
676 NETCONF server for config-subsystem
677 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
679 This NETCONF server is the primary interface for config-subsystem. It
680 allows the users to interact with config-subsystem in a standardized
683 In terms of RFCs, these are supported:
685 - `RFC-6241 <http://tools.ietf.org/html/rfc6241>`__
687 - `RFC-5277 <https://tools.ietf.org/html/rfc5277>`__
689 - `RFC-6470 <https://tools.ietf.org/html/rfc6470>`__
691 - (partially, only the schema-change notification is available in
694 - `RFC-6022 <https://tools.ietf.org/html/rfc6022>`__
696 For regular users it is recommended to use RESTCONF + the
697 controller-config loopback mountpoint instead of using pure NETCONF. How
698 to do that is spesific for each component/module/application in
699 OpenDaylight and can be found in their dedicated user guides.
701 NETCONF server for MD-SAL
702 ~~~~~~~~~~~~~~~~~~~~~~~~~
704 This NETCONF server is just a generic interface to MD-SAL in
705 OpenDaylight. It uses the stadard MD-SAL APIs and serves as an
706 alternative to RESTCONF. It is fully model driven and supports any data
707 and rpcs that are supported by MD-SAL.
709 In terms of RFCs, these are supported:
711 - `RFC-6241 <http://tools.ietf.org/html/rfc6241>`__
713 - `RFC-6022 <https://tools.ietf.org/html/rfc6022>`__
715 - `RFC-7895 <https://tools.ietf.org/html/rfc7895>`__
717 Notifications over NETCONF are not supported in the Boron release.
721 Install NETCONF northbound for MD-SAL by installing feature:
722 ``odl-netconf-mdsal`` in karaf. Default binding port is **2830**.
727 The default configuration can be found in file: *08-netconf-mdsal.xml*.
728 The file contains the configuration for all necessary dependencies and a
729 single SSH endpoint starting on port 2830. There is also a (by default
730 disabled) TCP endpoint. It is possible to start multiple endpoints at
731 the same time either in the initial configuration file or while
732 OpenDaylight is running.
734 The credentials for SSH endpoint can also be configured here, the
735 defaults are admin/admin. Credentials in the SSH endpoint are not yet
736 managed by the centralized AAA component and have to be configured
739 Verifying MD-SAL’s NETCONF server
740 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
742 After the NETCONF server is available it can be examined by a command
747 ssh admin@localhost -p 2830 -s netconf
749 The server will respond by sending its HELLO message and can be used as
750 a regular NETCONF server from then on.
752 Mounting the MD-SAL’s NETCONF server
753 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
755 To perform this operation, just spawn a new netconf-connector as
756 described in `Spawning new NETCONF connectors`_. Just change the ip to
757 "127.0.0.1" port to "2830" and its name to "controller-mdsal".
759 Now the MD-SAL’s datastore can be read over RESTCONF via NETCONF by
763 http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=controller-mdsal/yang-ext:mount?content:nonconfig
767 This might not seem very useful, since MD-SAL can be accessed
768 directly from RESTCONF or from Application code, but the same method
769 can be used to mount and control other OpenDaylight instances by the
770 "master OpenDaylight".
772 NETCONF stress/performance measuring tool
773 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
775 This is basically a NETCONF client that puts NETCONF servers under heavy
776 load of NETCONF RPCs and measures the time until a configurable amount
777 of them is processed.
779 RESTCONF stress-performance measuring tool
780 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
782 Very similar to NETCONF stress tool with the difference of using
783 RESTCONF protocol instead of NETCONF.
785 YANGLIB remote repository
786 -------------------------
788 There are scenarios in NETCONF deployment, that require for a centralized
789 YANG models repository. YANGLIB plugin provides such remote repository.
791 To start this plugin, you have to install odl-yanglib feature. Then you
792 have to configure YANGLIB either through RESTCONF or NETCONF. We will
793 show how to configure YANGLIB through RESTCONF.
795 YANGLIB configuration through RESTCONF
796 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
798 You have to specify what local YANG modules directory you want to provide.
799 Then you have to specify address and port whre you want to provide YANG
800 sources. For example, we want to serve yang sources from folder /sources
801 on localhost:8181 adress. The configuration for this scenario will be
806 PUT http://localhost:8181/rests/data/yanglib:yanglib-config
810 - Accept: application/xml
812 - Content-Type: application/xml
818 <yanglib-config xmlns="urn:opendaylight:params:xml:ns:yang:controller:yanglib:impl">
819 <cache-folder>cache/newSchema</cache-folder>
820 <binding-addr>localhost</binding-addr>
821 <binding-port>8181</binding-port>
824 This should result in a 2xx response and new YANGLIB instance should be
825 created. This YANGLIB takes all YANG sources from /sources folder and
826 for each generates URL in form:
830 http://localhost:8181/yanglib/schemas/{modelName}/{revision}
832 On this URL will be hosted YANG source for particular module.
834 YANGLIB instance also write this URL along with source identifier to
835 ietf-netconf-yang-library/modules-state/module list.
837 Netconf-connector with YANG library as fallback
838 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
840 There is an optional configuration in netconf-connector called
841 yang-library. You can specify YANG library to be plugged as additional
842 source provider into the mount's schema repository. Since YANGLIB
843 plugin is advertising provided modules through yang-library model, we
844 can use it in mount point's configuration as YANG library. To do this,
845 we need to modify the configuration of netconf-connector by adding this
850 <yang-library xmlns="urn:opendaylight:netconf-node-topology">
851 <yang-library-url xmlns="urn:opendaylight:netconf-node-topology">http://localhost:8181/rests/data/ietf-yang-library:modules-state</yang-library-url>
852 <username xmlns="urn:opendaylight:netconf-node-topology">admin</username>
853 <password xmlns="urn:opendaylight:netconf-node-topology">admin</password>
856 This will register YANGLIB provided sources as a fallback schemas for
857 particular mount point.
862 Call Home Installation
863 ~~~~~~~~~~~~~~~~~~~~~~
865 ODL Call-Home server is installed in Karaf by installing karaf feature
866 ``odl-netconf-callhome-ssh``. RESTCONF feature is recommended for
867 configuring Call Home & testing its functionality.
871 feature:install odl-netconf-callhome-ssh
876 In order to test Call Home functionality we recommend Netopeer or
877 Netopeer2. See `Netopeer Call Home <https://github.com/CESNET/netopeer/wiki/CallHome>`__
878 or `Netopeer2 <https://github.com/CESNET/netopeer2>`__ to learn how to
879 enable call-home on Netopeer.
881 Northbound Call-Home API
882 ~~~~~~~~~~~~~~~~~~~~~~~~
884 The northbound Call Home API is used for administering the Call-Home Server. The
885 following describes this configuration.
891 The global configuration is not a part of the `RFC 8071
892 <https://tools.ietf.org/html/rfc8071>`__ and, therefore, subject to change.
894 Configuring global credentials
895 ''''''''''''''''''''''''''''''
897 ODL Call-Home server allows user to configure global credentials, which will be
898 used for connected over SSH transport protocol devices which does not have
899 device-specific credentials configured.
901 This is done by creating
902 ``/odl-netconf-callhome-server:netconf-callhome-server/global/credentials``
903 with username and passwords specified.
905 *Configuring global username & passwords to try*
910 /rests/data/odl-netconf-callhome-server:netconf-callhome-server/global/credentials
911 Content-Type: application/json
912 Accept: application/json
919 "username": "example",
920 "passwords": [ "first-password-to-try", "second-password-to-try" ]
924 Configuring to accept any ssh server key using global credentials
925 '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
927 By default Netconf Call-Home Server accepts only incoming connections
929 ``/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices``,
930 if user desire to allow all incoming connections, it is possible to set
931 ``accept-all-ssh-keys`` to ``true`` in
932 ``/odl-netconf-callhome-server:netconf-callhome-server/global``.
934 The name of this devices in ``netconf-topology`` will be in format
935 ``ip-address:port``. For naming devices see Device-Specific
938 *Allowing unknown devices to connect*
940 This is a debug feature and should not be used in production. Besides being an obvious
941 security issue, this also causes the Call-Home Server to drastically increase its output
947 /rests/data/odl-netconf-callhome-server:netconf-callhome-server/global/accept-all-ssh-keys
948 Content-Type: application/json
949 Accept: application/json
954 "accept-all-ssh-keys": "true"
957 Device-Specific Configuration
958 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
960 Netconf Call Home server supports both of the secure transports used
961 by the Network Configuration Protocol (NETCONF) - Secure Shell (SSH),
962 and Transport Layer Security (TLS).
964 Configure device to connect over SSH protocol
965 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
967 Netconf Call Home Server uses device provided SSH server key (host key)
968 to identify device. The pairing of name and server key is configured in
969 ``/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices``.
970 This list is colloquially called a whitelist.
972 If the Call-Home Server finds the SSH host key in the whitelist, it continues
973 to negotiate a NETCONF connection over an SSH session. If the SSH host key is
974 not found, the connection between the Call Home server and the device is dropped
975 immediately. In either case, the device that connects to the Call home server
976 leaves a record of its presence in the operational store.
978 Configuring Device with Device-specific Credentials
979 '''''''''''''''''''''''''''''''''''''''''''''''''''
981 Adding specific device to the allowed list is done by creating
982 ``/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device={device}``
983 with device-id and connection parameters inside the ssh-client-params container.
985 *Configuring Device with Credentials*
990 /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example
991 Content-Type: application/json
992 Accept: application/json
998 "unique-id": "example",
999 "ssh-client-params": {
1001 "username": "example",
1002 "passwords": [ "password" ]
1004 "host-key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQDHoH1jMjltOJnCt999uaSfc48ySutaD3ISJ9fSECe1Spdq9o9mxj0kBTTTq+2V8hPspuW75DNgN+V/rgJeoUewWwCAasRx9X4eTcRrJrwOQKzb5Fk+UKgQmenZ5uhLAefi2qXX/agFCtZi99vw+jHXZStfHm9TZCAf2zi+HIBzoVksSNJD0VvPo66EAvLn5qKWQD4AdpQQbKqXRf5/W8diPySbYdvOP2/7HFhDukW8yV/7ZtcywFUIu3gdXsrzwMnTqnATSLPPuckoi0V2jd8dQvEcu1DY+rRqmqu0tEkFBurlRZDf1yhNzq5xWY3OXcjgDGN+RxwuWQK3cRimcosH"
1009 Configuring Device with Global Credentials
1010 '''''''''''''''''''''''''''''''''''''''''''''''''''
1012 It is possible to omit ``username`` and ``password`` for ssh-client-params,
1013 in such case values from global credentials will be used.
1015 *Example of configuring device*
1020 /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example
1021 Content-Type: application/json
1022 Accept: application/json
1024 .. code-block:: json
1028 "unique-id": "example",
1029 "ssh-client-params": {
1030 "host-key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQDHoH1jMjltOJnCt999uaSfc48ySutaD3ISJ9fSECe1Spdq9o9mxj0kBTTTq+2V8hPspuW75DNgN+V/rgJeoUewWwCAasRx9X4eTcRrJrwOQKzb5Fk+UKgQmenZ5uhLAefi2qXX/agFCtZi99vw+jHXZStfHm9TZCAf2zi+HIBzoVksSNJD0VvPo66EAvLn5qKWQD4AdpQQbKqXRf5/W8diPySbYdvOP2/7HFhDukW8yV/7ZtcywFUIu3gdXsrzwMnTqnATSLPPuckoi0V2jd8dQvEcu1DY+rRqmqu0tEkFBurlRZDf1yhNzq5xWY3OXcjgDGN+RxwuWQK3cRimcosH"
1035 Deprecated configuration models for devices accessed with SSH protocol
1036 ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
1038 With `RFC 8071 <https://tools.ietf.org/html/rfc8071>`__ alignment and adding
1039 support for TLS transport following configuration models has been marked
1042 Configuring Device with Global Credentials
1043 '''''''''''''''''''''''''''''''''''''''''''''''''''
1045 *Example of configuring device*
1050 /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example
1051 Content-Type: application/json
1052 Accept: application/json
1054 .. code-block:: json
1058 "unique-id": "example",
1059 "ssh-host-key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQDHoH1jMjltOJnCt999uaSfc48ySutaD3ISJ9fSECe1Spdq9o9mxj0kBTTTq+2V8hPspuW75DNgN+V/rgJeoUewWwCAasRx9X4eTcRrJrwOQKzb5Fk+UKgQmenZ5uhLAefi2qXX/agFCtZi99vw+jHXZStfHm9TZCAf2zi+HIBzoVksSNJD0VvPo66EAvLn5qKWQD4AdpQQbKqXRf5/W8diPySbYdvOP2/7HFhDukW8yV/7ZtcywFUIu3gdXsrzwMnTqnATSLPPuckoi0V2jd8dQvEcu1DY+rRqmqu0tEkFBurlRZDf1yhNzq5xWY3OXcjgDGN+RxwuWQK3cRimcosH"
1063 Configuring Device with Device-specific Credentials
1064 '''''''''''''''''''''''''''''''''''''''''''''''''''
1066 Call Home Server also allows to configure credentials per device basis,
1067 this is done by introducing ``credentials`` container into
1068 device-specific configuration. Format is same as in global credentials.
1070 *Configuring Device with Credentials*
1075 /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example
1076 Content-Type: application/json
1077 Accept: application/json
1079 .. code-block:: json
1083 "unique-id": "example",
1085 "username": "example",
1086 "passwords": [ "password" ]
1088 "ssh-host-key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQDHoH1jMjltOJnCt999uaSfc48ySutaD3ISJ9fSECe1Spdq9o9mxj0kBTTTq+2V8hPspuW75DNgN+V/rgJeoUewWwCAasRx9X4eTcRrJrwOQKzb5Fk+UKgQmenZ5uhLAefi2qXX/agFCtZi99vw+jHXZStfHm9TZCAf2zi+HIBzoVksSNJD0VvPo66EAvLn5qKWQD4AdpQQbKqXRf5/W8diPySbYdvOP2/7HFhDukW8yV/7ZtcywFUIu3gdXsrzwMnTqnATSLPPuckoi0V2jd8dQvEcu1DY+rRqmqu0tEkFBurlRZDf1yhNzq5xWY3OXcjgDGN+RxwuWQK3cRimcosH"
1092 Configure device to connect over TLS protocol
1093 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1095 Netconf Call Home Server allows devices to use TLS transport protocol to
1096 establish a connection towards the NETCONF device. This communication
1097 requires proper setup to make two-way TLS authentication possible for client
1100 The initial step is to configure certificates and keys for two-way TLS by
1101 storing them within the netconf-keystore.
1103 *Adding a client private key credential to the netconf-keystore*
1108 /rests/operations/netconf-keystore:add-keystore-entry
1109 Content-Type: application/json
1110 Accept: application/json
1112 .. code-block:: json
1118 "key-id": "example-client-key-id",
1119 "private-key": "base64encoded-private-key",
1120 "passphrase": "passphrase"
1126 *Associate a private key with a client and CA certificates chain*
1131 /rests/operations/netconf-keystore:add-private-key
1132 Content-Type: application/json
1133 Accept: application/json
1135 .. code-block:: json
1141 "name": "example-client-key-id",
1143 "certificate-chain": [
1151 *Add a list of trusted CA and server certificates*
1156 /rests/operations/netconf-keystore:add-trusted-certificate
1157 Content-Type: application/json
1158 Accept: application/json
1160 .. code-block:: json
1164 "trusted-certificate": [
1166 "name": "example-ca-certificate",
1167 "certificate": "ca-certificate-data"
1170 "name": "example-server-certificate",
1171 "certificate": "server-certificate-data"
1177 In a second step, it is required to create an allowed device associated with
1178 a server certificate and client key. The server certificate will be used to
1179 identify and pin the NETCONF device during SSL handshake and should be unique
1180 among the allowed devices.
1182 *Add device configuration for TLS protocol to allowed devices list*
1187 /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example-device
1188 Content-Type: application/json
1189 Accept: application/json
1191 .. code-block:: json
1195 "unique-id": "example-device",
1196 "tls-client-params": {
1197 "key-id": "example-client-key-id",
1198 "certificate-id": "example-server-certificate"
1206 Once an entry is made into the config side of "allowed-devices", the Call-Home Server will
1207 populate an corresponding operational device that is the same as the config device but
1208 has an additional status. By default, this status is *DISCONNECTED*. Once a device calls
1209 home, this status will change to one of:
1211 *CONNECTED* — The device is currently connected and the NETCONF mount is available for network
1214 *FAILED_AUTH_FAILURE* — The last attempted connection was unsuccessful because the Call-Home
1215 Server was unable to provide the acceptable credentials of the device. The device is also
1216 disconnected and not available for network management.
1218 *FAILED_NOT_ALLOWED* — The last attempted connection was unsuccessful because the device was
1219 not recognized as an acceptable device. The device is also disconnected and not available for
1222 *FAILED* — The last attempted connection was unsuccessful for a reason other than not
1223 allowed to connect or incorrect client credentials. The device is also disconnected and not
1224 available for network management.
1226 *DISCONNECTED* — The device is currently disconnected.
1231 Devices which are not on the whitelist might try to connect to the Call-Home Server. In
1232 these cases, the server will keep a record by instantiating an operational device. There
1233 will be no corresponding config device for these rogues. They can be identified readily
1234 because their device id, rather than being user-supplied, will be of the form
1235 "address:port". Note that if a device calls back multiple times, there will only be
1236 a single operatinal entry (even if the port changes); these devices are recognized by
1237 their unique host key.
1239 Southbound Call-Home API
1240 ~~~~~~~~~~~~~~~~~~~~~~~~
1242 The Call-Home Server listens for incoming TCP connections and assumes that the other side of
1243 the connection is a device calling home via a NETCONF connection with SSH for
1244 management. The server uses port 6666 by default and this can be configured via a
1245 blueprint configuration file.
1247 The device **must** initiate the connection and the server will not try to re-establish the
1248 connection in case of a drop. By requirement, the server cannot assume it has connectivity
1249 to the device due to NAT or firewalls among others.
1251 Reading data with selected fields
1252 ---------------------------------
1257 If user would like to read only selected fields from NETCONF device, it is possible to use
1258 fields query parameter that is described by RFC-8040. RESTCONF parses content of query
1259 parameter into format that is accepted by NETCONF subtree filtering - filtering of data is done
1260 on NETCONF server, not on NETCONF client side. This approach optimizes network traffic load,
1261 because data in which user doesn't have interest, is not transferred over network.
1265 * using single RESTCONF request and single NETCONF RPC for reading multiple subtrees
1266 * possibility to read only selected fields under list node across multiple hierarchies
1267 (it cannot be done without proper selection API)
1271 More information about fields query parameter: `RFC 8071 <https://tools.ietf.org/html/rfc8040#section-4.8.3>`__
1276 For demonstration, we will define next YANG model:
1280 module test-module {
1282 namespace "urn:opendaylight:test-module";
1284 revision "2023-02-16";
1287 container simple-root {
1307 container list-root {
1320 container next-data {
1342 Follow the :doc:`testtool` instructions to save this schema and run it with testtool.
1344 Mounting NETCONF device that runs on NETCONF testtool:
1346 .. code-block:: bash
1348 curl --location --request PUT 'http://127.0.0.1:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool' \
1349 --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
1350 --header 'Content-Type: application/json' \
1354 "node-id": "testtool",
1355 "netconf-node-topology:host": "127.0.0.1",
1356 "netconf-node-topology:port": 17830,
1357 "netconf-node-topology:keepalive-delay": 100,
1358 "netconf-node-topology:tcp-only": false,
1359 "netconf-node-topology:username": "admin",
1360 "netconf-node-topology:password": "admin"
1365 Setting initial configuration on NETCONF device:
1367 .. code-block:: bash
1369 curl --location --request PUT 'http://127.0.0.1:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool/yang-ext:mount/test-module:root' \
1370 --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
1371 --header 'Content-Type: application/json' \
1470 1. Reading whole leaf-list 'll' and leaf 'nested/sample-x' under 'simple-root' container.
1474 .. code-block:: bash
1476 curl --location --request GET 'http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool/yang-ext:mount/test-module:root/simple-root?content=config&fields=ll;nested/sample-x' \
1477 --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
1478 --header 'Cookie: JSESSIONID=node01h4w82eorc1k61866b71qjgj503.node0'
1480 Generated NETCONF RPC request:
1484 <rpc message-id="m-18" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
1489 <filter xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:type="subtree">
1490 <root xmlns="urn:ietf:params:xml:ns:yang:test-model">
1504 Using fields query parameter it is also possible to read whole leaf-list or list without
1505 necessity to specify value / key predicate (without reading parent entity). Such scenario
1506 is not permitted in RFC-8040 paths alone - fields query parameter can be used as
1507 workaround for this case.
1511 .. code-block:: json
1514 "test-module:simple-root": {
1526 2. Reading all identifiers of 'nested-list' under all elements of 'top-list'.
1530 .. code-block:: bash
1532 curl --location --request GET 'http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool/yang-ext:mount/test-module:root/list-root?content=config&fields=top-list(nested-list/identifier)' \
1533 --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
1534 --header 'Cookie: JSESSIONID=node01h4w82eorc1k61866b71qjgj503.node0'
1536 Generated NETCONF RPC request:
1540 <rpc message-id="m-27" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
1545 <filter xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:type="subtree">
1546 <root xmlns="urn:ietf:params:xml:ns:yang:test-model">
1563 NETCONF client automatically fetches values of list keys since they are required for correct
1564 deserialization of NETCONF response and at the end serialization of response to RESTCONF
1565 response (JSON/XML).
1569 .. code-block:: json
1572 "test-module:list-root": {
1623 3. Reading value of leaf 'branch-ab' and all values of leaves 'switch-1' that are placed
1624 under 'top-list' list elements.
1628 .. code-block:: bash
1630 curl --location --request GET 'http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool/yang-ext:mount/test-module:root/list-root?content=config&fields=branch-ab;top-list/next-data/switch-1' \
1631 --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
1632 --header 'Cookie: JSESSIONID=node01jx6o5thwae9t1ft7c2zau5zbz4.node0'
1634 Generated NETCONF RPC request:
1638 <rpc message-id="m-42" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
1643 <filter xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:type="subtree">
1644 <root xmlns="urn:ietf:params:xml:ns:yang:test-model">
1662 .. code-block:: json
1665 "test-module:list-root": {