NETCONF is an XML-based protocol used for configuration and monitoring
devices in the network. The base NETCONF protocol is described in
-`RFC-6241 <http://tools.ietf.org/html/rfc6241>`__.
+`RFC-6241 <https://www.rfc-editor.org/rfc/rfc6241>`__.
**NETCONF in OpenDaylight:.**
In terms of RFCs, the connector supports:
-- `RFC-6241 <http://tools.ietf.org/html/rfc6241>`__
+- `RFC-6241 <https://www.rfc-editor.org/rfc/rfc6241>`__
-- `RFC-5277 <https://tools.ietf.org/html/rfc5277>`__
+- `RFC-5277 <https://www.rfc-editor.org/rfc/rfc5277>`__
-- `RFC-6022 <https://tools.ietf.org/html/rfc6022>`__
+- `RFC-6022 <https://www.rfc-editor.org/rfc/rfc6022>`__
-- `RFC-7895 <https://tools.ietf.org/html/rfc7895>`__
+- `RFC-7895 <https://www.rfc-editor.org/rfc/rfc7895>`__
**Netconf-connector is fully model-driven (utilizing the YANG modeling
language) so in addition to the above RFCs, it supports any
NETCONF southbound can be activated by installing
``odl-netconf-connector-all`` Karaf feature.
+.. _netconf-connector:
+
Netconf-connector configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Since 2022.09 Chlorine there is only one RESTCONF endpoint:
- - | ``http://localhost:8181/rests`` is related to `RFC-8040 <https://tools.ietf.org/html/rfc8040>`__,
+ - | ``http://localhost:8181/rests`` is related to `RFC-8040 <https://www.rfc-editor.org/rfc/rfc8040>`__,
| can be activated by installing ``odl-restconf-nb``
Karaf feature.
* - rfc8040
- http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf
-Payload:
+Payload for password authentication:
+
+.. tabs::
+
+ .. tab:: XML
+
+ **Content-type:** ``application/xml``
+
+ **Accept:** ``application/xml``
+
+ **Authentication:** ``admin:admin``
+
+ .. code-block:: xml
+
+ <node xmlns="urn:TBD:params:xml:ns:yang:network-topology">
+ <node-id>new-netconf-device</node-id>
+ <host xmlns="urn:opendaylight:netconf-node-topology">127.0.0.1</host>
+ <port xmlns="urn:opendaylight:netconf-node-topology">17830</port>
+ <login-password-unencrypted xmlns="urn:opendaylight:netconf-node-topology">
+ <username xmlns="urn:opendaylight:netconf-node-topology">admin</username>
+ <password xmlns="urn:opendaylight:netconf-node-topology">admin</password>
+ </login-password-unencrypted>
+ <tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
+ <!-- non-mandatory fields with default values, you can safely remove these if you do not wish to override any of these values-->
+ <reconnect-on-changed-schema xmlns="urn:opendaylight:netconf-node-topology">false</reconnect-on-changed-schema>
+ <connection-timeout-millis xmlns="urn:opendaylight:netconf-node-topology">20000</connection-timeout-millis>
+ <max-connection-attempts xmlns="urn:opendaylight:netconf-node-topology">0</max-connection-attempts>
+ <min-backoff-millis xmlns="urn:opendaylight:netconf-node-topology">2000</min-backoff-millis>
+ <max-backoff-millis xmlns="urn:opendaylight:netconf-node-topology">1800000</max-backoff-millis>
+ <backoff-multiplier xmlns="urn:opendaylight:netconf-node-topology">1.5</backoff-multiplier>
+ <!-- keepalive-delay set to 0 turns off keepalives-->
+ <keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">120</keepalive-delay>
+ </node>
+
+ .. tab:: JSON
+
+ **Content-type:** ``application/json``
+
+ **Accept:** ``application/json``
+
+ **Authentication:** ``admin:admin``
+
+ .. code-block:: json
+
+ {
+ "node": [
+ {
+ "node-id": "new-netconf-device",
+ "netconf-node-topology:port": 17830,
+ "netconf-node-topology:reconnect-on-changed-schema": false,
+ "netconf-node-topology:connection-timeout-millis": 20000,
+ "netconf-node-topology:tcp-only": false,
+ "netconf-node-topology:max-connection-attempts": 0,
+ "netconf-node-topology:login-password-unencrypted": {
+ "netconf-node-topology:username": "admin",
+ "netconf-node-topology:password": "admin"
+ },
+ "netconf-node-topology:host": "127.0.0.1",
+ "netconf-node-topology:min-backoff-millis": 2000,
+ "netconf-node-topology:max-backoff-millis": 1800000,
+ "netconf-node-topology:backoff-multiplier": 1.5,
+ "netconf-node-topology:keepalive-delay": 120
+ }
+ ]
+ }
+
+.. note::
+
+ You have the option to use the 'login-password' configuration for authentication as shown below:
+
+ .. code-block:: json
+
+ "login-password": {
+ "netconf-node-topology:username": "netconf",
+ "netconf-node-topology:password": "c5R3aLBss7J8T2VC3pEeAQ=="
+ }
+
+ In OpenDaylight's configuration, the AAAEncryptionServiceImpl generates a new encryption key with
+ each application build. You can use this method if you have access to the current encryption key.
+ Additionally, it is important to ensure that the entire password is encoded in base64 format and
+ that its length is a multiple of 16 bytes for successful authentication.
+
+There is also option of using key-based authentication instead
+of password. First we need to create key in datastore.
+
+*Adding a client private key credential to the netconf-keystore*
+
+.. code-block::
+
+ POST HTTP/1.1
+ /rests/operations/netconf-keystore:add-keystore-entry
+ Content-Type: application/json
+ Accept: application/json
+
+.. code-block:: json
+
+ {
+ "input": {
+ "key-credential": [
+ {
+ "key-id": "example-client-key-id",
+ "private-key": "PEM-format-private-key",
+ "passphrase": "passphrase"
+ }
+ ]
+ }
+ }
+
+After we can use this key to create connector using this key.
+
+Payload for key-based authentication via SSH:
.. tabs::
<node-id>new-netconf-device</node-id>
<host xmlns="urn:opendaylight:netconf-node-topology">127.0.0.1</host>
<port xmlns="urn:opendaylight:netconf-node-topology">17830</port>
- <username xmlns="urn:opendaylight:netconf-node-topology">admin</username>
- <password xmlns="urn:opendaylight:netconf-node-topology">admin</password>
+ <key-based xmlns="urn:opendaylight:netconf-node-topology">
+ <username xmlns="urn:opendaylight:netconf-node-topology">admin</username>
+ <key-id xmlns="urn:opendaylight:netconf-node-topology">key-id</password>
+ </key-based>
<tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
<!-- non-mandatory fields with default values, you can safely remove these if you do not wish to override any of these values-->
<reconnect-on-changed-schema xmlns="urn:opendaylight:netconf-node-topology">false</reconnect-on-changed-schema>
<connection-timeout-millis xmlns="urn:opendaylight:netconf-node-topology">20000</connection-timeout-millis>
<max-connection-attempts xmlns="urn:opendaylight:netconf-node-topology">0</max-connection-attempts>
- <between-attempts-timeout-millis xmlns="urn:opendaylight:netconf-node-topology">2000</between-attempts-timeout-millis>
- <sleep-factor xmlns="urn:opendaylight:netconf-node-topology">1.5</sleep-factor>
+ <min-backoff-millis xmlns="urn:opendaylight:netconf-node-topology">2000</min-backoff-millis>
+ <max-backoff-millis xmlns="urn:opendaylight:netconf-node-topology">1800000</max-backoff-millis>
+ <backoff-multiplier xmlns="urn:opendaylight:netconf-node-topology">1.5</backoff-multiplier>
<!-- keepalive-delay set to 0 turns off keepalives-->
<keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">120</keepalive-delay>
</node>
"netconf-node-topology:connection-timeout-millis": 20000,
"netconf-node-topology:tcp-only": false,
"netconf-node-topology:max-connection-attempts": 0,
- "netconf-node-topology:username": "admin",
- "netconf-node-topology:password": "admin",
- "netconf-node-topology:sleep-factor": 1.5,
+ "netconf-node-topology:key-based": {
+ "netconf-node-topology:username": "admin",
+ "netconf-node-topology:key-id": "key-id"
+ },
"netconf-node-topology:host": "127.0.0.1",
- "netconf-node-topology:between-attempts-timeout-millis": 2000,
+ "netconf-node-topology:min-backoff-millis": 2000,
+ "netconf-node-topology:max-backoff-millis": 1800000,
+ "netconf-node-topology:backoff-multiplier": 1.5,
"netconf-node-topology:keepalive-delay": 120
}
]
}
+Connecting via TLS protocol is similar to SSH. First setup keystore
+by using three RPCs from `Configure device to connect over TLS protocol`_
+to add a client private key, associate a private key with a client and CA
+certificates chain and add a list of trusted CA and server certificates.
+Only after that we can process and create a new NETCONF connector you need
+to send the following PUT request.
+
+Payload for key-based authentication via TLS:
+
+.. tabs::
+
+ .. tab:: XML
+
+ **Content-type:** ``application/xml``
+
+ **Accept:** ``application/xml``
+
+ **Authentication:** ``admin:admin``
+
+ .. code-block:: xml
+
+ <node xmlns="urn:TBD:params:xml:ns:yang:network-topology">
+ <node-id>new-netconf-device</node-id>
+ <host xmlns="urn:opendaylight:netconf-node-topology">127.0.0.1</host>
+ <port xmlns="urn:opendaylight:netconf-node-topology">17830</port>
+ <key-based xmlns="urn:opendaylight:netconf-node-topology">
+ <username xmlns="urn:opendaylight:netconf-node-topology">admin</username>
+ <key-id xmlns="urn:opendaylight:netconf-node-topology">key-id</password>
+ </key-based>
+ <tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
+ <!-- non-mandatory fields with default values, you can safely remove these if you do not wish to override any of these values-->
+ <reconnect-on-changed-schema xmlns="urn:opendaylight:netconf-node-topology">false</reconnect-on-changed-schema>
+ <connection-timeout-millis xmlns="urn:opendaylight:netconf-node-topology">20000</connection-timeout-millis>
+ <max-connection-attempts xmlns="urn:opendaylight:netconf-node-topology">0</max-connection-attempts>
+ <min-backoff-millis xmlns="urn:opendaylight:netconf-node-topology">2000</min-backoff-millis>
+ <max-backoff-millis xmlns="urn:opendaylight:netconf-node-topology">1800000</max-backoff-millis>
+ <backoff-multiplier xmlns="urn:opendaylight:netconf-node-topology">1.5</backoff-multiplier>
+ <!-- keepalive-delay set to 0 turns off keepalives-->
+ <keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">120</keepalive-delay>
+ <protocol xmlns="urn:opendaylight:netconf-node-topology">
+ <name xmlns="urn:opendaylight:netconf-node-topology">TLS</name>
+ </protocol>
+ </node>
+
+ .. tab:: JSON
+
+ **Content-type:** ``application/json``
+
+ **Accept:** ``application/json``
+
+ **Authentication:** ``admin:admin``
+
+ .. code-block:: json
+
+ {
+ "node": [
+ {
+ "node-id": "new-netconf-device",
+ "netconf-node-topology:port": 17830,
+ "netconf-node-topology:reconnect-on-changed-schema": false,
+ "netconf-node-topology:connection-timeout-millis": 20000,
+ "netconf-node-topology:tcp-only": false,
+ "netconf-node-topology:max-connection-attempts": 0,
+ "netconf-node-topology:key-based": {
+ "netconf-node-topology:username": "admin",
+ "netconf-node-topology:key-id": "key-id"
+ },
+ "netconf-node-topology:host": "127.0.0.1",
+ "netconf-node-topology:min-backoff-millis": 2000,
+ "netconf-node-topology:max-backoff-millis": 1800000,
+ "netconf-node-topology:backoff-multiplier": 1.5,
+ "netconf-node-topology:keepalive-delay": 120,
+ "protocol": {
+ "name": "TLS"
+ }
+ }
+ ]
+ }
+
+
Note that the device name in <node-id> element must match the last
element of the restconf URL.
request will fail for that reason.
Additionally, a PATCH request can be used to modify an existing
-configuration. Currently, only yang-patch (`RFC-8072 <https://tools.ietf.org/html/rfc8072>`__)
+configuration. Currently, only yang-patch (`RFC-8072 <https://www.rfc-editor.org/rfc/rfc8072>`__)
is supported. The URL would be the same as the above PUT examples.
Using JSON for the body, the headers needed for the request would
be:
<node-id>r5</node-id>
<host xmlns="urn:opendaylight:netconf-node-topology">127.0.0.1</host>
<port xmlns="urn:opendaylight:netconf-node-topology">8305</port>
- <username xmlns="urn:opendaylight:netconf-node-topology">root</username>
- <password xmlns="urn:opendaylight:netconf-node-topology">root</password>
+ <login-password-unencrypted xmlns="urn:opendaylight:netconf-node-topology">
+ <username xmlns="urn:opendaylight:netconf-node-topology">root</username>
+ <password xmlns="urn:opendaylight:netconf-node-topology">root</password>
+ </login-password-unencrypted>
<tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
<keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">30</keepalive-delay>
<yang-module-capabilities xmlns="urn:opendaylight:netconf-node-topology">
{
"node-id": "device",
"netconf-node-topology:host": "127.0.0.1",
- "netconf-node-topology:password": "root",
- "netconf-node-topology:username": "root",
+ "netconf-node-topology:login-password-unencrypted": {
+ "netconf-node-topology:password": "root",
+ "netconf-node-topology:username": "root"
+ },
"netconf-node-topology:yang-module-capabilities": {
"override": true,
"capability": [
NETCONF connector can communicate also with these devices, but the
trade-offs are worsened possibilities in utilization of NETCONF
-mountpoints. Using RESTCONF with such devices is not suported. Also
+mountpoints. Using RESTCONF with such devices is not supported. Also
communicating with schemaless devices from application code is slightly
different.
Receiving Netconf Device Notifications on a http client
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-Devices emit netconf alarms and notifictions on certain situtations, which can demand
+Devices emit netconf alarms and notifications in certain situations, which can demand
attention from Device Administration. The notifications are received as Netconf messages on an
active Netconf session.
The subscription call may be modified with the following query parameters defined in the RESTCONF RFC:
-- `filter <https://tools.ietf.org/html/draft-ietf-netconf-restconf-05#section-4.8.6>`__
+- `filter <https://www.rfc-editor.org/rfc/rfc8040#section-4.8.4>`__
-- `start-time <https://tools.ietf.org/html/draft-ietf-netconf-restconf-05#section-4.8.7>`__
+- `start-time <https://www.rfc-editor.org/rfc/rfc8040#section-4.8.7>`__
-- `end-time <https://tools.ietf.org/html/draft-ietf-netconf-restconf-05#section-4.8.8>`__
+- `end-time <https://www.rfc-editor.org/rfc/rfc8040#section-4.8.8>`__
In addition, the following ODL extension query parameter is supported:
Enabling WebSocket notifications in OpenDaylight requires a manual setup before starting the application.
The following steps can be followed to enable WebSocket notifications in OpenDaylight:
-1. Open the file `restconf8040.cfg`, at `etc/` folder inside your Karaf distribution.
-2. Locate the `use-sse` configuration parameter and change its value from `true` to `false`.
-3. Uncomment the `use-sse` parameter if it is commented out.
-4. Save the changes made to the `restconf8040.cfg` file.
-5. Restart OpenDaylight if it is already running.
+1. Open the file `org.opendaylight.restconf.nb.rfc8040.cfg`, at `etc/` folder inside your Karaf distribution. Or create in case it does not exist.
+2. Locate the `use-sse` configuration parameter and change its value from `true` to `false`. Or add ``use-sse=false`` as new line in case this parameter is not present.
+3. Save the changes made to the `org.opendaylight.restconf.nb.rfc8040.cfg` file.
+4. Restart OpenDaylight if it is already running.
Once these steps are completed, WebSocket notifications will be enabled in OpenDaylight,
and they can be used for receiving notifications instead of SSE.
Also, for testing purposes, there is simple Java application named
WebSocketClient. The application is placed in the
*/restconf/websocket-client* project. It accepts a WebSocket URI
-as and input parameter. After starting the utility (WebSocketClient
+as an input parameter. After starting the utility (WebSocketClient
class directly in Eclipse/InteliJ Idea) received notifications should be
displayed in console.
~~~~~~~~~~~~~~~~
The typical use case is listening to data change events to update web
-page data in real-time. In this tutorial we will be using toaster as the
+page data in real time. In this tutorial we will be using toaster as the
base.
When you call *make-toast* RPC, it sets *toasterStatus* to "down" to
reflect that the toaster is busy making toast. When it finishes,
-*toasterStatus* is set to "up" again. We will listen to this toaster
+*toasterStatus* is set to "up" again. We will listen to these toaster
status changes in data store and will reflect it on our web page in
real-time thanks to WebSocket data change notification.
Simple javascript client implementation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-We will create simple JavaScript web application that will listen
-updates on *toasterStatus* leaf and update some element of our web page
-according to new toaster status state.
+We will create a simple JavaScript web application that will listen for
+updates on *toasterStatus* leaf and update some elements of our web page
+according to the new toaster status state.
Create stream
^^^^^^^^^^^^^
-First you need to create stream that you are planing to subscribe to.
+First you need to create stream that you are planning to subscribe to.
This can be achieved by invoking "create-data-change-event-subscription"
RPC on RESTCONF via AJAX request. You need to provide data store
**path** that you plan to listen on, **data store type** and **scope**.
If the request is successful you can extract the **stream-name** from
the response and use that to subscribe to the newly created stream. The
-*{username}* and *{password}* fields represent your credentials that you
+*{username}* and *{password}* fields represent the credentials that you
use to connect to OpenDaylight via RESTCONF:
.. note::
Receive notifications
^^^^^^^^^^^^^^^^^^^^^
-Once you got WebSocket server location you can now connect to it and
+Once you have WebSocket server location you can now connect to it and
start receiving data change events. You need to define functions that
will handle events on WebSocket. In order to process incoming events
from OpenDaylight you need to provide a function that will handle
for more information about WebSockets in JavaScript visit `Writing
WebSocket client
- applications <https://developer.mozilla.org/en-US/docs/WebSockets/Writing_WebSocket_client_applications>`__
+ applications <https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API/Writing_WebSocket_client_applications>`__
Netconf-connector + Netopeer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
image <https://hub.docker.com/r/sysrepo/sysrepo-netopeer2>`__ perform
following steps:
-1. Install docker http://docs.docker.com/linux/step_one/
+1. Install docker https://docs.docker.com/get-started/
2. Start the netopeer image:
- Netopeer is up and running in docker
-Now just follow the section: `Spawning new NETCONF connectors`_.
+Now just follow the section: `Spawning new NETCONF connectors`_ for
+password authentication.
+In the payload change the:
+
+- name, e.g., to netopeer
+
+- username/password to your system credentials
+
+- ip to localhost
+
+- port to 830.
+
+After netopeer is mounted successfully, its configuration can be read
+using RESTCONF by invoking:
+
+GET
+http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=netopeer/yang-ext:mount?content:config
+
+Mounting netopeer NETCONF server using key-based authentication SSH
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+1. Install docker https://docs.docker.com/get-started/
+
+2. Create RSA key pair - it will be user for connection.
+
+3. Start the netopeer image(this command will also copy you pub key
+ into docker container):
+
+ ::
+
+ docker run -dt -p 830:830 -v {path-to-pub-key}:/home/{netopeer-username}/.ssh/authorized_keys sysrepo/sysrepo-netopeer2:latest netopeer2-server -d -v 2
+
+4. Verify netopeer is running by invoking (netopeer should send its
+ HELLO message right away:
+
+ ::
+
+ ssh root@localhost -p 830 -s netconf
+ (password root)
+
+Now just follow the section: `Spawning new NETCONF connectors`_ for
+key-based authentication(SSH) to create device.
+In the payload change the:
+
+- name, e.g., to netopeer
+
+- username/password to your system credentials
+
+- ip to localhost
+
+- port to 830.
+
+After netopeer is mounted successfully, its configuration can be read
+using RESTCONF by invoking:
+
+GET
+http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=netopeer/yang-ext:mount?content:config
+
+Mounting netopeer NETCONF server using key-based authentication TLS
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+1. Install docker https://docs.docker.com/get-started/
+
+2. Run netopeer2
+
+ ::
+
+ docker pull sysrepo/sysrepo-netopeer2
+ docker run -it --name sysrepo -p 830:830 --rm sysrepo/sysrepo-netopeer2:latest
+
+3. Enable TLS communication on server netopeer2
+
+ ::
+
+ ssh root@localhost -p 830 -s netconf
+ (type password root)
+
+ After successful connecting to netopeer2 setup your
+ TLS configuration xml
+ (See: https://github.com/CESNET/netopeer2/tree/master/example_configuration).
+
+4. Run ODL:
+
+- :~/netconf/karaf/target/assembly/bin$ ./karaf
+
+- feature:install odl-netconf-topology odl-restconf-nb-bierman02 odl-mdsal-apidocs
+
+5. Set up ODL netconf keystore
+
+ To setup keystore is needed to send three RPCs from
+ `Configure device to connect over TLS protocol`_
+ to add a client private key, associate a private key with a client and CA
+ certificates chain and add a list of trusted CA and server certificates.
+
+Now just follow the section: `Spawning new NETCONF connectors`_ for
+key-based authentication(TLS) to create device.
In the payload change the:
- name, e.g., to netopeer
- ip to localhost
-- port to 1831.
+- port to 830.
After netopeer is mounted successfully, its configuration can be read
using RESTCONF by invoking:
The reason for having 2 NETCONF servers is that config-subsystem and
MD-SAL are 2 different components of OpenDaylight and require
- different approach for NETCONF message handling and data
+ different approaches for NETCONF message handling and data
translation. These 2 components will probably merge in the future.
.. note::
- Since Nitrogen release, there is performance regression in NETCONF
+ Since Nitrogen release, there has been performance regression in NETCONF
servers accepting SSH connections. While opening a connection takes
less than 10 seconds on Carbon, on Nitrogen time can increase up to
- 60 seconds. Please see https://bugs.opendaylight.org/show_bug.cgi?id=9020
+ 60 seconds. Please see https://jira.opendaylight.org/browse/ODLPARENT-112
NETCONF server for config-subsystem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In terms of RFCs, these are supported:
-- `RFC-6241 <http://tools.ietf.org/html/rfc6241>`__
+- `RFC-6241 <https://www.rfc-editor.org/rfc/rfc6241>`__
-- `RFC-5277 <https://tools.ietf.org/html/rfc5277>`__
+- `RFC-5277 <https://www.rfc-editor.org/rfc/rfc5277>`__
-- `RFC-6470 <https://tools.ietf.org/html/rfc6470>`__
+- `RFC-6470 <https://www.rfc-editor.org/rfc/rfc6470>`__
- (partially, only the schema-change notification is available in
Boron release)
-- `RFC-6022 <https://tools.ietf.org/html/rfc6022>`__
+- `RFC-6022 <https://www.rfc-editor.org/rfc/rfc6022>`__
For regular users it is recommended to use RESTCONF + the
controller-config loopback mountpoint instead of using pure NETCONF. How
-to do that is spesific for each component/module/application in
+to do that is specific for each component/module/application in
OpenDaylight and can be found in their dedicated user guides.
NETCONF server for MD-SAL
~~~~~~~~~~~~~~~~~~~~~~~~~
This NETCONF server is just a generic interface to MD-SAL in
-OpenDaylight. It uses the stadard MD-SAL APIs and serves as an
-alternative to RESTCONF. It is fully model driven and supports any data
+OpenDaylight. It uses the standard MD-SAL APIs and serves as an
+alternative to RESTCONF. It is fully model-driven and supports any data
and rpcs that are supported by MD-SAL.
In terms of RFCs, these are supported:
-- `RFC-6241 <http://tools.ietf.org/html/rfc6241>`__
+- `RFC-6241 <https://www.rfc-editor.org/rfc/rfc6241>`__
-- `RFC-6022 <https://tools.ietf.org/html/rfc6022>`__
+- `RFC-6022 <https://www.rfc-editor.org/rfc/rfc6022>`__
-- `RFC-7895 <https://tools.ietf.org/html/rfc7895>`__
+- `RFC-7895 <https://www.rfc-editor.org/rfc/rfc7895>`__
Notifications over NETCONF are not supported in the Boron release.
have to configure YANGLIB either through RESTCONF or NETCONF. We will
show how to configure YANGLIB through RESTCONF.
-YANGLIB configuration through RESTCONF
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-You have to specify what local YANG modules directory you want to provide.
-Then you have to specify address and port whre you want to provide YANG
-sources. For example, we want to serve yang sources from folder /sources
-on localhost:8181 adress. The configuration for this scenario will be
-as follows:
+YANGLIB configuration
+~~~~~~~~~~~~~~~~~~~~~
+YANGLIB configuration works through OSGi Configuration Admin interface, in the
+``org.opendaylight.netconf.yanglib`` configuration PID. There are three tuneables you can
+set:
-::
+* ``cache-folder``, which defaults to ``cache/schema``
+* ``binding-address``, which defaults to ``localhost``
+* ``binding-port``, which defaults to ``8181``
- PUT http://localhost:8181/rests/data/yanglib:yanglib-config
+In order to change these settings, you can either modify the corresponding configuration
+file, ``etc/org.opendaylight.netconf.yanglib.cfg``, for example:
-Headers:
-
-- Accept: application/xml
-
-- Content-Type: application/xml
+::
+ cache-folder = cache/newSchema
+ binding-address = localhost
+ binding-port = 8181
-Payload:
+Or use Karaf CLI:
::
+ opendaylight-user@root>config:edit org.opendaylight.netconf.yanglib
+ opendaylight-user@root>config:property-set cache-folder cache/newSchema
+ opendaylight-user@root>config:property-set binding-address localhost
+ opendaylight-user@root>config:property-set binding-port 8181
+ opendaylight-user@root>config:update
- <yanglib-config xmlns="urn:opendaylight:params:xml:ns:yang:controller:yanglib:impl">
- <cache-folder>cache/newSchema</cache-folder>
- <binding-addr>localhost</binding-addr>
- <binding-port>8181</binding-port>
- </yanglib-config>
-
-This should result in a 2xx response and new YANGLIB instance should be
-created. This YANGLIB takes all YANG sources from /sources folder and
+This YANGLIB takes all YANG sources from the configured sources folder and
for each generates URL in form:
::
On this URL will be hosted YANG source for particular module.
-YANGLIB instance also write this URL along with source identifier to
+YANGLIB instance also writes this URL along with source identifier to
ietf-netconf-yang-library/modules-state/module list.
Netconf-connector with YANG library as fallback
This will register YANGLIB provided sources as a fallback schemas for
particular mount point.
+Restconf northbound configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Restconf-nb configuration works through OSGi Configuration Admin interface, in the
+``org.opendaylight.restconf.nb.rfc8040`` configuration PID. There are six tuneables you can
+set:
+
+* ``maximum-fragment-length``, which defaults to ``0``
+* ``heartbeat-interval``, which defaults to ``10000``
+* ``idle-timeout``, which defaults to ``30000``
+* ``ping-executor-name-prefix``, which defaults to ``ping-executor``
+* ``max-thread-count``, which defaults to ``1``
+* ``use-sse``, which defaults to ``true``
+* ``restconf``, which defaults to ``rests``
+
+*maximum-fragment-length* — Maximum web-socket fragment length in number of Unicode code units (characters)
+(exceeded message length leads to fragmentation of messages)
+
+*heartbeat-interval* — Interval in milliseconds between sending of ping control frames.
+
+*idle-timeout* — Maximum idle time of web-socket session before the session is closed (milliseconds).
+
+*ping-executor-name-prefix* — Name of thread group Ping Executor will be run with.
+
+*max-thread-count* — Number of threads Ping Executor will be run with.
+
+*use-sse* — In case of ``true`` access to notification streams will be via Server-Sent Events.
+Otherwise web-socket servlet will be initialized.
+
+*restconf* — The value of RFC8040 restconf URI template, pointing to the root resource. Must not end with '/'.
+
+In order to change these settings, you can either modify the corresponding configuration
+file, ``org.opendaylight.restconf.nb.rfc8040.cfg``, for example:
+
+::
+
+ maximum-fragment-length=0
+ heartbeat-interval=10000
+ idle-timeout=30000
+ ping-executor-name-prefix=ping-executor
+ max-thread-count=1
+ use-sse=true
+ restconf=rests
+
+Or use Karaf CLI:
+
+::
+
+ opendaylight-user@root>config:edit org.opendaylight.restconf.nb.rfc8040
+ opendaylight-user@root>config:property-set maximum-fragment_length 0
+ opendaylight-user@root>config:property-set heartbeat-interval 10000
+ opendaylight-user@root>config:property-set idle-timeout 30000
+ opendaylight-user@root>config:property-set ping-executor-name-prefix "ping-executor"
+ opendaylight-user@root>config:property-set max-thread-count 1
+ opendaylight-user@root>config:property-set use-sse true
+ opendaylight-user@root>config:property-set restconf "rests"
+ opendaylight-user@root>config:update
+
NETCONF Call Home
-----------------
.. important::
The global configuration is not a part of the `RFC 8071
- <https://tools.ietf.org/html/rfc8071>`__ and, therefore, subject to change.
+ <https://www.rfc-editor.org/rfc/rfc8071>`__ and, therefore, subject to change.
Configuring global credentials
''''''''''''''''''''''''''''''
-ODL Call-Home server allows user to configure global credentials, which will be
-used for connected over SSH transport protocol devices which does not have
+The ODL Call-Home server allows user to configure global credentials, which will be
+used for devices connecting over SSH transport protocol that do not have
device-specific credentials configured.
This is done by creating
By default Netconf Call-Home Server accepts only incoming connections
from allowed devices
``/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices``,
-if user desire to allow all incoming connections, it is possible to set
+if user desires to allow all incoming connections, it is possible to set
``accept-all-ssh-keys`` to ``true`` in
``/odl-netconf-callhome-server:netconf-callhome-server/global``.
-The name of this devices in ``netconf-topology`` will be in format
+The name of these devices in ``netconf-topology`` will be in format
``ip-address:port``. For naming devices see Device-Specific
Configuration.
Netconf Call Home Server uses device provided SSH server key (host key)
to identify device. The pairing of name and server key is configured in
``/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices``.
-This list is colloquially called a whitelist.
+This list is colloquially called a allowlist.
-If the Call-Home Server finds the SSH host key in the whitelist, it continues
+If the Call-Home Server finds the SSH host key in the allowlist, it continues
to negotiate a NETCONF connection over an SSH session. If the SSH host key is
not found, the connection between the Call Home server and the device is dropped
immediately. In either case, the device that connects to the Call home server
Deprecated configuration models for devices accessed with SSH protocol
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
-With `RFC 8071 <https://tools.ietf.org/html/rfc8071>`__ alignment and adding
-support for TLS transport following configuration models has been marked
+With `RFC 8071 <https://www.rfc-editor.org/rfc/rfc8071>`__ alignment and adding
+support for TLS transport following configuration models have been marked
deprecated.
Configuring Device with Global Credentials
Configuring Device with Device-specific Credentials
'''''''''''''''''''''''''''''''''''''''''''''''''''
-Call Home Server also allows to configure credentials per device basis,
-this is done by introducing ``credentials`` container into
+Call Home Server also allows the configuration of credentials per device basis.
+This is done by introducing ``credentials`` container into the
device-specific configuration. Format is same as in global credentials.
*Configuring Device with Credentials*
"key-credential": [
{
"key-id": "example-client-key-id",
- "private-key": "base64encoded-private-key",
+ "private-key": "PEM-format-private-key",
"passphrase": "passphrase"
}
]
Operational Status
^^^^^^^^^^^^^^^^^^
-Once an entry is made into the config side of "allowed-devices", the Call-Home Server will
-populate an corresponding operational device that is the same as the config device but
+Once an entry is made on the config side of "allowed-devices", the Call-Home Server will
+populate a corresponding operational device that is the same as the config device but
has an additional status. By default, this status is *DISCONNECTED*. Once a device calls
home, this status will change to one of:
Rogue Devices
'''''''''''''
-Devices which are not on the whitelist might try to connect to the Call-Home Server. In
+Devices that are not on the allowlist might try to connect to the Call-Home Server. In
these cases, the server will keep a record by instantiating an operational device. There
will be no corresponding config device for these rogues. They can be identified readily
because their device id, rather than being user-supplied, will be of the form
The Call-Home Server listens for incoming TCP connections and assumes that the other side of
the connection is a device calling home via a NETCONF connection with SSH for
-management. The server uses port 6666 by default and this can be configured via a
+management. The server uses port 4334 by default and this can be configured via a
blueprint configuration file.
The device **must** initiate the connection and the server will not try to re-establish the
Overview
~~~~~~~~
-If user would like to read only selected fields from NETCONF device, it is possible to use
-fields query parameter that is described by RFC-8040. RESTCONF parses content of query
+If user would like to read only selected fields from a NETCONF device, it is possible to use
+the fields query parameter that is described by RFC-8040. RESTCONF parses content of query
parameter into format that is accepted by NETCONF subtree filtering - filtering of data is done
on NETCONF server, not on NETCONF client side. This approach optimizes network traffic load,
because data in which user doesn't have interest, is not transferred over network.
.. note::
- More information about fields query parameter: `RFC 8071 <https://tools.ietf.org/html/rfc8040#section-4.8.3>`__
+ More information about fields query parameter: `RFC 8071 <https://www.rfc-editor.org/rfc/rfc8040#section-4.8.3>`__
Preparation of data
~~~~~~~~~~~~~~~~~~~
"netconf-node-topology:port": 17830,
"netconf-node-topology:keepalive-delay": 100,
"netconf-node-topology:tcp-only": false,
- "netconf-node-topology:username": "admin",
- "netconf-node-topology:password": "admin"
+ "netconf-node-topology:login-password-unencrypted": {
+ "netconf-node-topology:username": "admin",
+ "netconf-node-topology:password": "admin"
+ },
}
]
}'
]
}
}
+
+RESTCONF OpenAPI
+----------------
+
+Overview
+~~~~~~~~
+
+The OpenAPI provides full API for configurational data which can be edited (by POST, PUT, PATCH and DELETE).
+For operational data we only provide GET API. For the majority of requests you can see only config data in examples.
+That’s because we can show only one example per request. The exception when you can see operational data in an
+example is when data are representing an operational (config false) container with no config data in it.
+
+
+Using the OpenAPI Explorer through HTTP
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+1. Install OpenApi into Karaf by installing karaf feature:
+
+::
+
+ $ feature:install odl-restconf-openapi
+
+2. Navigate to OpenAPI in your web browser which is available at URLs:
+
+- http://localhost:8181/openapi/explorer/index.html for general overview
+
+- http://localhost:8181/openapi/api/v3/single for JSON data
+
+.. note::
+
+ In the URL links for OpenAPI, change *localhost* to the IP/Host name of your actual server.
+
+3. Enter the username and password.
+ By default the credentials are *admin/admin*.
+
+4. Select any model to try out.
+
+5. Select any available request to try out.
+
+6. Click on the **Try it out** button.
+
+7. Provide any required parameters or edit request body.
+
+8. Click the **Execute** button.
+
+9. You can see responses to the given request.
+
+
+OpenAPI Explorer can also be used for connected device. How to connect a device can be found :ref:`here <netconf-connector>`.
+
+OpenAPI URLs in that case would look like this:
+
+- `http://localhost:8181/openapi/explorer/index.html?urls.primaryName=17830-sim-device resources - RestConf RFC 8040 <http://localhost:8181/openapi/explorer/index.html?urls.primaryName=17830-sim-device%20resources%20-%20RestConf%20RFC%208040>`_ for device overview
+
+- http://localhost:8181/openapi/api/v3/mounts/1 for JSON data
+
+- `http://localhost:8181/openapi/api/v3/mounts/1/toaster(2009-11-20) <http://localhost:8181/openapi/api/v3/mounts/1/toaster(2009-11-20)>`__ JSON data for given model
+
+.. note::
+
+ The URL links for OpenAPI are made for device with name *17830-sim-device* and model toaster
+ with *2009-11-20* revision and need to be changed accordingly to connected device.
Code Review / netconf.git / blobdiff