.. _netconf-user-guide:
+.. |ss| raw:: html
+
+ <strike>
+
+.. |se| raw:: html
+
+ </strike>
+
NETCONF User Guide
==================
NETCONF is an XML-based protocol used for configuration and monitoring
devices in the network. The base NETCONF protocol is described in
-`RFC-6241 <http://tools.ietf.org/html/rfc6241>`__.
+`RFC-6241 <https://www.rfc-editor.org/rfc/rfc6241>`__.
**NETCONF in OpenDaylight:.**
In terms of RFCs, the connector supports:
-- `RFC-6241 <http://tools.ietf.org/html/rfc6241>`__
+- `RFC-6241 <https://www.rfc-editor.org/rfc/rfc6241>`__
-- `RFC-5277 <https://tools.ietf.org/html/rfc5277>`__
+- `RFC-5277 <https://www.rfc-editor.org/rfc/rfc5277>`__
-- `RFC-6022 <https://tools.ietf.org/html/rfc6022>`__
+- `RFC-6022 <https://www.rfc-editor.org/rfc/rfc6022>`__
-- `draft-ietf-netconf-yang-library-06 <https://tools.ietf.org/html/draft-ietf-netconf-yang-library-06>`__
+- `RFC-7895 <https://www.rfc-editor.org/rfc/rfc7895>`__
**Netconf-connector is fully model-driven (utilizing the YANG modeling
language) so in addition to the above RFCs, it supports any
NETCONF southbound can be activated by installing
``odl-netconf-connector-all`` Karaf feature.
+.. _netconf-connector:
+
Netconf-connector configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-There are 2 ways for configuring netconf-connector: NETCONF or RESTCONF.
-This guide focuses on using RESTCONF.
+NETCONF connectors are configured directly through the usage of the
+network-topology model. You can configure new NETCONF connectors both
+through the NETCONF server for MD-SAL (port 2830) or RESTCONF. This guide
+focuses on RESTCONF.
.. important::
- There are 2 different endpoints related to RESTCONF protocols:
-
- - | ``http://localhost:8181/restconf`` is related to `draft-bierman-netconf-restconf-02 <https://tools.ietf.org/html/draft-bierman-netconf-restconf-02>`__,
- | can be activated by installing ``odl-restconf-nb-bierman02``
- Karaf feature.
- | This user guide uses this approach.
+ Since 2022.09 Chlorine there is only one RESTCONF endpoint:
- - | ``http://localhost:8181/rests`` is related to `RFC-8040 <https://tools.ietf.org/html/rfc8040>`__,
- | can be activated by installing ``odl-restconf-nb-rfc8040``
+ - | ``http://localhost:8181/rests`` is related to `RFC-8040 <https://www.rfc-editor.org/rfc/rfc8040>`__,
+ | can be activated by installing ``odl-restconf-nb``
Karaf feature.
- | In case of `RFC-8040 <https://tools.ietf.org/html/rfc8040>`__
- resources for configuration and operational datastores start
+ | Resources for configuration and operational datastores start
``/rests/data/``,
| e. g. GET
http://localhost:8181/rests/data/network-topology:network-topology
http://localhost:8181/rests/data/network-topology:network-topology?content=nonconfig
for operational datastore.
+ | Also if a data node in the path expression is a YANG leaf-list or list
+ node, the path segment has to be constructed by having leaf-list or
+ list node name, followed by an "=" character, then followed by the
+ leaf-list or list value. Any reserved characters must be
+ percent-encoded.
+ | e. g. GET
+ http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf?content=config
+ for retrieving data from configuration datastore for
+ topology-netconf value of topology list.
+
+Preconditions
+^^^^^^^^^^^^^
+1. OpenDaylight is running
+2. In Karaf, you must have the ``odl-netconf-topology`` or
+ ``odl-netconf-clustered-topology`` feature installed.
+3. Feature ``odl-restconf-nb`` must be installed
-Default configuration
-^^^^^^^^^^^^^^^^^^^^^
+Spawning new NETCONF connectors
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-The default configuration contains all the necessary dependencies (file:
-01-netconf.xml) and a single instance of netconf-connector (file:
-99-netconf-connector.xml) called **controller-config** which connects
-itself to the NETCONF northbound in OpenDaylight in a loopback fashion.
-The connector mounts the NETCONF server for config-subsystem in order to
-enable RESTCONF protocol for config-subsystem. This RESTCONF still goes
-via NETCONF, but using RESTCONF is much more user friendly than using
-NETCONF.
+To create a new NETCONF connector you need to send the following PUT request
+to RESTCONF:
-Spawning additional netconf-connectors while the controller is running
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+.. list-table::
+ :widths: 1 5
+
+ * - rfc8040
+ - http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device
+
+You could use the same body to create the new NETCONF connector with a POST
+without specifying the node in the URL:
+
+.. list-table::
+ :widths: 1 5
+
+ * - rfc8040
+ - http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf
+
+Payload for password authentication:
+
+.. tabs::
+
+ .. tab:: XML
+
+ **Content-type:** ``application/xml``
+
+ **Accept:** ``application/xml``
+
+ **Authentication:** ``admin:admin``
+
+ .. code-block:: xml
+
+ <node xmlns="urn:TBD:params:xml:ns:yang:network-topology">
+ <node-id>new-netconf-device</node-id>
+ <host xmlns="urn:opendaylight:netconf-node-topology">127.0.0.1</host>
+ <port xmlns="urn:opendaylight:netconf-node-topology">17830</port>
+ <login-password-unencrypted xmlns="urn:opendaylight:netconf-node-topology">
+ <username xmlns="urn:opendaylight:netconf-node-topology">admin</username>
+ <password xmlns="urn:opendaylight:netconf-node-topology">admin</password>
+ </login-password-unencrypted>
+ <tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
+ <!-- non-mandatory fields with default values, you can safely remove these if you do not wish to override any of these values-->
+ <reconnect-on-changed-schema xmlns="urn:opendaylight:netconf-node-topology">false</reconnect-on-changed-schema>
+ <connection-timeout-millis xmlns="urn:opendaylight:netconf-node-topology">20000</connection-timeout-millis>
+ <max-connection-attempts xmlns="urn:opendaylight:netconf-node-topology">0</max-connection-attempts>
+ <min-backoff-millis xmlns="urn:opendaylight:netconf-node-topology">2000</min-backoff-millis>
+ <max-backoff-millis xmlns="urn:opendaylight:netconf-node-topology">1800000</max-backoff-millis>
+ <backoff-multiplier xmlns="urn:opendaylight:netconf-node-topology">1.5</backoff-multiplier>
+ <!-- keepalive-delay set to 0 turns off keepalives-->
+ <keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">120</keepalive-delay>
+ </node>
+
+ .. tab:: JSON
+
+ **Content-type:** ``application/json``
+
+ **Accept:** ``application/json``
+
+ **Authentication:** ``admin:admin``
+
+ .. code-block:: json
+
+ {
+ "node": [
+ {
+ "node-id": "new-netconf-device",
+ "netconf-node-topology:port": 17830,
+ "netconf-node-topology:reconnect-on-changed-schema": false,
+ "netconf-node-topology:connection-timeout-millis": 20000,
+ "netconf-node-topology:tcp-only": false,
+ "netconf-node-topology:max-connection-attempts": 0,
+ "netconf-node-topology:login-password-unencrypted": {
+ "netconf-node-topology:username": "admin",
+ "netconf-node-topology:password": "admin"
+ },
+ "netconf-node-topology:host": "127.0.0.1",
+ "netconf-node-topology:min-backoff-millis": 2000,
+ "netconf-node-topology:max-backoff-millis": 1800000,
+ "netconf-node-topology:backoff-multiplier": 1.5,
+ "netconf-node-topology:keepalive-delay": 120
+ }
+ ]
+ }
-Preconditions:
+.. note::
-1. OpenDaylight is running
+ You have the option to use the 'login-password' configuration for authentication as shown below:
-2. In Karaf, you must have the netconf-connector installed (at the Karaf
- prompt, type: ``feature:install odl-netconf-connector-all``); the
- loopback NETCONF mountpoint will be automatically configured and
- activated
+ .. code-block:: json
-3. Wait until log displays following entry:
- RemoteDevice{controller-config}: NETCONF connector initialized
- successfully
+ "login-password": {
+ "netconf-node-topology:username": "netconf",
+ "netconf-node-topology:password": "c5R3aLBss7J8T2VC3pEeAQ=="
+ }
-To configure a new netconf-connector you need to send following request
-to RESTCONF:
+ In OpenDaylight's configuration, the AAAEncryptionServiceImpl generates a new encryption key with
+ each application build. You can use this method if you have access to the current encryption key.
+ Additionally, it is important to ensure that the entire password is encoded in base64 format and
+ that its length is a multiple of 16 bytes for successful authentication.
-POST
-http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/controller-config/yang-ext:mount/config:modules
+There is also option of using key-based authentication instead
+of password. First we need to create key in datastore.
+
+*Adding a client private key credential to the netconf-keystore*
+
+.. code-block::
+
+ POST HTTP/1.1
+ /rests/operations/netconf-keystore:add-keystore-entry
+ Content-Type: application/json
+ Accept: application/json
+
+.. code-block:: json
+
+ {
+ "input": {
+ "key-credential": [
+ {
+ "key-id": "example-client-key-id",
+ "private-key": "PEM-format-private-key",
+ "passphrase": "passphrase"
+ }
+ ]
+ }
+ }
+
+After we can use this key to create connector using this key.
+
+Payload for key-based authentication via SSH:
+
+.. tabs::
+
+ .. tab:: XML
+
+ **Content-type:** ``application/xml``
+
+ **Accept:** ``application/xml``
+
+ **Authentication:** ``admin:admin``
+
+ .. code-block:: xml
+
+ <node xmlns="urn:TBD:params:xml:ns:yang:network-topology">
+ <node-id>new-netconf-device</node-id>
+ <host xmlns="urn:opendaylight:netconf-node-topology">127.0.0.1</host>
+ <port xmlns="urn:opendaylight:netconf-node-topology">17830</port>
+ <key-based xmlns="urn:opendaylight:netconf-node-topology">
+ <username xmlns="urn:opendaylight:netconf-node-topology">admin</username>
+ <key-id xmlns="urn:opendaylight:netconf-node-topology">key-id</password>
+ </key-based>
+ <tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
+ <!-- non-mandatory fields with default values, you can safely remove these if you do not wish to override any of these values-->
+ <reconnect-on-changed-schema xmlns="urn:opendaylight:netconf-node-topology">false</reconnect-on-changed-schema>
+ <connection-timeout-millis xmlns="urn:opendaylight:netconf-node-topology">20000</connection-timeout-millis>
+ <max-connection-attempts xmlns="urn:opendaylight:netconf-node-topology">0</max-connection-attempts>
+ <min-backoff-millis xmlns="urn:opendaylight:netconf-node-topology">2000</min-backoff-millis>
+ <max-backoff-millis xmlns="urn:opendaylight:netconf-node-topology">1800000</max-backoff-millis>
+ <backoff-multiplier xmlns="urn:opendaylight:netconf-node-topology">1.5</backoff-multiplier>
+ <!-- keepalive-delay set to 0 turns off keepalives-->
+ <keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">120</keepalive-delay>
+ </node>
+
+ .. tab:: JSON
+
+ **Content-type:** ``application/json``
+
+ **Accept:** ``application/json``
+
+ **Authentication:** ``admin:admin``
+
+ .. code-block:: json
+
+ {
+ "node": [
+ {
+ "node-id": "new-netconf-device",
+ "netconf-node-topology:port": 17830,
+ "netconf-node-topology:reconnect-on-changed-schema": false,
+ "netconf-node-topology:connection-timeout-millis": 20000,
+ "netconf-node-topology:tcp-only": false,
+ "netconf-node-topology:max-connection-attempts": 0,
+ "netconf-node-topology:key-based": {
+ "netconf-node-topology:username": "admin",
+ "netconf-node-topology:key-id": "key-id"
+ },
+ "netconf-node-topology:host": "127.0.0.1",
+ "netconf-node-topology:min-backoff-millis": 2000,
+ "netconf-node-topology:max-backoff-millis": 1800000,
+ "netconf-node-topology:backoff-multiplier": 1.5,
+ "netconf-node-topology:keepalive-delay": 120
+ }
+ ]
+ }
+
+Connecting via TLS protocol is similar to SSH. First setup keystore
+by using three RPCs from `Configure device to connect over TLS protocol`_
+to add a client private key, associate a private key with a client and CA
+certificates chain and add a list of trusted CA and server certificates.
+Only after that we can process and create a new NETCONF connector you need
+to send the following PUT request.
+
+Payload for key-based authentication via TLS:
+
+.. tabs::
+
+ .. tab:: XML
+
+ **Content-type:** ``application/xml``
+
+ **Accept:** ``application/xml``
+
+ **Authentication:** ``admin:admin``
+
+ .. code-block:: xml
+
+ <node xmlns="urn:TBD:params:xml:ns:yang:network-topology">
+ <node-id>new-netconf-device</node-id>
+ <host xmlns="urn:opendaylight:netconf-node-topology">127.0.0.1</host>
+ <port xmlns="urn:opendaylight:netconf-node-topology">17830</port>
+ <key-based xmlns="urn:opendaylight:netconf-node-topology">
+ <username xmlns="urn:opendaylight:netconf-node-topology">admin</username>
+ <key-id xmlns="urn:opendaylight:netconf-node-topology">key-id</password>
+ </key-based>
+ <tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
+ <!-- non-mandatory fields with default values, you can safely remove these if you do not wish to override any of these values-->
+ <reconnect-on-changed-schema xmlns="urn:opendaylight:netconf-node-topology">false</reconnect-on-changed-schema>
+ <connection-timeout-millis xmlns="urn:opendaylight:netconf-node-topology">20000</connection-timeout-millis>
+ <max-connection-attempts xmlns="urn:opendaylight:netconf-node-topology">0</max-connection-attempts>
+ <min-backoff-millis xmlns="urn:opendaylight:netconf-node-topology">2000</min-backoff-millis>
+ <max-backoff-millis xmlns="urn:opendaylight:netconf-node-topology">1800000</max-backoff-millis>
+ <backoff-multiplier xmlns="urn:opendaylight:netconf-node-topology">1.5</backoff-multiplier>
+ <!-- keepalive-delay set to 0 turns off keepalives-->
+ <keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">120</keepalive-delay>
+ <protocol xmlns="urn:opendaylight:netconf-node-topology">
+ <name xmlns="urn:opendaylight:netconf-node-topology">TLS</name>
+ </protocol>
+ </node>
+
+ .. tab:: JSON
+
+ **Content-type:** ``application/json``
+
+ **Accept:** ``application/json``
+
+ **Authentication:** ``admin:admin``
+
+ .. code-block:: json
+
+ {
+ "node": [
+ {
+ "node-id": "new-netconf-device",
+ "netconf-node-topology:port": 17830,
+ "netconf-node-topology:reconnect-on-changed-schema": false,
+ "netconf-node-topology:connection-timeout-millis": 20000,
+ "netconf-node-topology:tcp-only": false,
+ "netconf-node-topology:max-connection-attempts": 0,
+ "netconf-node-topology:key-based": {
+ "netconf-node-topology:username": "admin",
+ "netconf-node-topology:key-id": "key-id"
+ },
+ "netconf-node-topology:host": "127.0.0.1",
+ "netconf-node-topology:min-backoff-millis": 2000,
+ "netconf-node-topology:max-backoff-millis": 1800000,
+ "netconf-node-topology:backoff-multiplier": 1.5,
+ "netconf-node-topology:keepalive-delay": 120,
+ "protocol": {
+ "name": "TLS"
+ }
+ }
+ ]
+ }
+
+
+Note that the device name in <node-id> element must match the last
+element of the restconf URL.
+
+Reconfiguring an existing connector
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The steps to reconfigure an existing connector are exactly the same as
+when spawning a new connector. The old connection will be disconnected
+and a new connector with the new configuration will be created. This needs
+to be done with a PUT request because the node already exists. A POST
+request will fail for that reason.
+
+Additionally, a PATCH request can be used to modify an existing
+configuration. Currently, only yang-patch (`RFC-8072 <https://www.rfc-editor.org/rfc/rfc8072>`__)
+is supported. The URL would be the same as the above PUT examples.
+Using JSON for the body, the headers needed for the request would
+be:
Headers:
-- Accept application/xml
+- Accept: application/yang-data+json
+
+- Content-Type: application/yang-patch+json
-- Content-Type application/xml
+Example JSON payload to modify the password entry:
::
- <module xmlns="urn:opendaylight:params:xml:ns:yang:controller:config">
- <type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">prefix:sal-netconf-connector</type>
- <name>new-netconf-device</name>
- <address xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">127.0.0.1</address>
- <port xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">830</port>
- <username xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">admin</username>
- <password xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">admin</password>
- <tcp-only xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">false</tcp-only>
- <event-executor xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">
- <type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:controller:netty">prefix:netty-event-executor</type>
- <name>global-event-executor</name>
- </event-executor>
- <binding-registry xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">
- <type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:controller:md:sal:binding">prefix:binding-broker-osgi-registry</type>
- <name>binding-osgi-broker</name>
- </binding-registry>
- <dom-registry xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">
- <type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:controller:md:sal:dom">prefix:dom-broker-osgi-registry</type>
- <name>dom-broker</name>
- </dom-registry>
- <client-dispatcher xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">
- <type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:controller:config:netconf">prefix:netconf-client-dispatcher</type>
- <name>global-netconf-dispatcher</name>
- </client-dispatcher>
- <processing-executor xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">
- <type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:controller:threadpool">prefix:threadpool</type>
- <name>global-netconf-processing-executor</name>
- </processing-executor>
- <keepalive-executor xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">
- <type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:controller:threadpool">prefix:scheduled-threadpool</type>
- <name>global-netconf-ssh-scheduled-executor</name>
- </keepalive-executor>
- </module>
-
-This spawns a new netconf-connector which tries to connect to (or mount)
-a NETCONF device at 127.0.0.1 and port 830. You can check the
-configuration of config-subsystem’s configuration datastore. The new
-netconf-connector will now be present there. Just invoke:
+ {
+ "ietf-restconf:yang-patch" : {
+ "patch-id" : "0",
+ "edit" : [
+ {
+ "edit-id" : "edit1",
+ "operation" : "merge",
+ "target" : "",
+ "value" : {
+ "node": [
+ {
+ "node-id": "new-netconf-device",
+ "netconf-node-topology:password" : "newpassword"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
-GET
-http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/controller-config/yang-ext:mount/config:modules
+Deleting an existing connector
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-The response will contain the module for new-netconf-device.
+To remove an already configured NETCONF connector you need to send a
+DELETE request to the same PUT request URL that was used to create the
+device:
-Right after the new netconf-connector is created, it writes some useful
-metadata into the datastore of MD-SAL under the network-topology
-subtree. This metadata can be found at:
+.. list-table::
+ :widths: 1 5
-GET
-http://localhost:8181/restconf/operational/network-topology:network-topology/
+ * - rfc8040
+ - http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device
+
+.. note::
-Information about connection status, device capabilities, etc. can be
-found there.
+ No body is needed to delete the node/device
Connecting to a device not supporting NETCONF monitoring
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
module based" capabilities. So by setting this configuration attribute,
it is possible to override the "yang-module-based" capabilities reported
in HELLO message of the device. To do this, we need to modify the
-configuration of netconf-connector by adding this XML (It needs to be
-added next to the address, port, username etc. configuration elements):
-
-::
-
- <yang-module-capabilities xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">
- <capability xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">
- urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&revision=2010-09-24
- </capability>
- </yang-module-capabilities>
+configuration of netconf-connector like in the example below:
+
+.. tabs::
+
+ .. tab:: XML
+
+ **Content-type:** ``application/xml``
+
+ **Accept:** ``application/xml``
+
+ **Authentication:** ``admin:admin``
+
+ .. code-block:: xml
+
+ <node xmlns="urn:TBD:params:xml:ns:yang:network-topology">
+ <node-id>r5</node-id>
+ <host xmlns="urn:opendaylight:netconf-node-topology">127.0.0.1</host>
+ <port xmlns="urn:opendaylight:netconf-node-topology">8305</port>
+ <login-password-unencrypted xmlns="urn:opendaylight:netconf-node-topology">
+ <username xmlns="urn:opendaylight:netconf-node-topology">root</username>
+ <password xmlns="urn:opendaylight:netconf-node-topology">root</password>
+ </login-password-unencrypted>
+ <tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
+ <keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">30</keepalive-delay>
+ <yang-module-capabilities xmlns="urn:opendaylight:netconf-node-topology">
+ <override>true</override>
+ <capability xmlns="urn:opendaylight:netconf-node-topology">
+ urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&revision=2013-07-15
+ </capability>
+ </yang-module-capabilities>
+ </node>
+
+ .. tab:: JSON
+
+ **Content-type:** ``application/json``
+
+ **Accept:** ``application/json``
+
+ **Authentication:** ``admin:admin``
+
+ .. code-block:: json
+
+ {
+ "node": [
+ {
+ "node-id": "device",
+ "netconf-node-topology:host": "127.0.0.1",
+ "netconf-node-topology:login-password-unencrypted": {
+ "netconf-node-topology:password": "root",
+ "netconf-node-topology:username": "root"
+ },
+ "netconf-node-topology:yang-module-capabilities": {
+ "override": true,
+ "capability": [
+ "urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&revision=2013-07-15"
+ ]
+ },
+ "netconf-node-topology:port": 8305,
+ "netconf-node-topology:tcp-only": false,
+ "netconf-node-topology:keepalive-delay": 30
+ }
+ ]
+ }
**Remember to also put the YANG schemas into the cache folder.**
.. note::
For putting multiple capabilities, you just need to replicate the
- capability xml element inside yang-module-capability element.
+ capability element inside yang-module-capability element.
Capability element is modeled as a leaf-list. With this
configuration, we would make the remote device report usage of
ietf-inet-types in the eyes of netconf-connector.
-Reconfiguring Netconf-Connector While the Controller is Running
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-It is possible to change the configuration of a running module while the
-whole controller is running. This example will continue where the last
-left off and will change the configuration for the brand new
-netconf-connector after it was spawned. Using one RESTCONF request, we
-will change both username and password for the netconf-connector.
-
-To update an existing netconf-connector you need to send following
-request to RESTCONF:
-
-PUT
-http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/controller-config/yang-ext:mount/config:modules/module/odl-sal-netconf-connector-cfg:sal-netconf-connector/new-netconf-device
-
-::
-
- <module xmlns="urn:opendaylight:params:xml:ns:yang:controller:config">
- <type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">prefix:sal-netconf-connector</type>
- <name>new-netconf-device</name>
- <username xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">bob</username>
- <password xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">passwd</password>
- <tcp-only xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">false</tcp-only>
- <event-executor xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">
- <type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:controller:netty">prefix:netty-event-executor</type>
- <name>global-event-executor</name>
- </event-executor>
- <binding-registry xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">
- <type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:controller:md:sal:binding">prefix:binding-broker-osgi-registry</type>
- <name>binding-osgi-broker</name>
- </binding-registry>
- <dom-registry xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">
- <type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:controller:md:sal:dom">prefix:dom-broker-osgi-registry</type>
- <name>dom-broker</name>
- </dom-registry>
- <client-dispatcher xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">
- <type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:controller:config:netconf">prefix:netconf-client-dispatcher</type>
- <name>global-netconf-dispatcher</name>
- </client-dispatcher>
- <processing-executor xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">
- <type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:controller:threadpool">prefix:threadpool</type>
- <name>global-netconf-processing-executor</name>
- </processing-executor>
- <keepalive-executor xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf">
- <type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:controller:threadpool">prefix:scheduled-threadpool</type>
- <name>global-netconf-ssh-scheduled-executor</name>
- </keepalive-executor>
- </module>
-
-Since a PUT is a replace operation, the whole configuration must be
-specified along with the new values for username and password. This
-should result in a 2xx response and the instance of netconf-connector
-called new-netconf-device will be reconfigured to use username bob and
-password passwd. New configuration can be verified by executing:
-
-GET
-http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/controller-config/yang-ext:mount/config:modules/module/odl-sal-netconf-connector-cfg:sal-netconf-connector/new-netconf-device
-
-With new configuration, the old connection will be closed and a new one
-established.
-
-Destroying Netconf-Connector While the Controller is Running
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-Using RESTCONF one can also destroy an instance of a module. In case of
-netconf-connector, the module will be destroyed, NETCONF connection
-dropped and all resources will be cleaned. To do this, simply issue a
-request to following URL:
-
-DELETE
-http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/controller-config/yang-ext:mount/config:modules/module/odl-sal-netconf-connector-cfg:sal-netconf-connector/new-netconf-device
-
-The last element of the URL is the name of the instance and its
-predecessor is the type of that module (In our case the type is
-**sal-netconf-connector** and name **new-netconf-device**). The type and
-name are actually the keys of the module list.
-
-Netconf-connector configuration with MD-SAL
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-It is also possible to configure new NETCONF connectors directly through
-MD-SAL with the usage of the network-topology model. You can configure
-new NETCONF connectors both through the NETCONF server for MD-SAL (port
-2830) or RESTCONF. This guide focuses on RESTCONF.
-
-.. tip::
-
- To enable NETCONF connector configuration through MD-SAL install
- either the ``odl-netconf-topology`` or
- ``odl-netconf-clustered-topology`` feature. We will explain the
- difference between these features later.
-
-Preconditions
-^^^^^^^^^^^^^
-
-1. OpenDaylight is running
-
-2. In Karaf, you must have the ``odl-netconf-topology`` or
- ``odl-netconf-clustered-topology`` feature installed.
-
-3. Feature ``odl-restconf`` must be installed
-
-4. Wait until log displays following entry:
-
- ::
-
- Successfully pushed configuration snapshot 02-netconf-topology.xml(odl-netconf-topology,odl-netconf-topology)
-
- or until
-
- ::
-
- GET http://localhost:8181/restconf/operational/network-topology:network-topology/topology/topology-netconf/
-
- returns a non-empty response, for example:
-
- ::
-
- <topology xmlns="urn:TBD:params:xml:ns:yang:network-topology">
- <topology-id>topology-netconf</topology-id>
- </topology>
-
-Spawning new NETCONF connectors
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-To create a new NETCONF connector you need to send the following request
-to RESTCONF:
-
-::
-
- PUT http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/new-netconf-device
-
-Headers:
-
-- Accept: application/xml
-
-- Content-Type: application/xml
-
-Payload:
-
-::
-
- <node xmlns="urn:TBD:params:xml:ns:yang:network-topology">
- <node-id>new-netconf-device</node-id>
- <host xmlns="urn:opendaylight:netconf-node-topology">127.0.0.1</host>
- <port xmlns="urn:opendaylight:netconf-node-topology">17830</port>
- <username xmlns="urn:opendaylight:netconf-node-topology">admin</username>
- <password xmlns="urn:opendaylight:netconf-node-topology">admin</password>
- <tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
- <!-- non-mandatory fields with default values, you can safely remove these if you do not wish to override any of these values-->
- <reconnect-on-changed-schema xmlns="urn:opendaylight:netconf-node-topology">false</reconnect-on-changed-schema>
- <connection-timeout-millis xmlns="urn:opendaylight:netconf-node-topology">20000</connection-timeout-millis>
- <max-connection-attempts xmlns="urn:opendaylight:netconf-node-topology">0</max-connection-attempts>
- <between-attempts-timeout-millis xmlns="urn:opendaylight:netconf-node-topology">2000</between-attempts-timeout-millis>
- <sleep-factor xmlns="urn:opendaylight:netconf-node-topology">1.5</sleep-factor>
- <!-- keepalive-delay set to 0 turns off keepalives-->
- <keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">120</keepalive-delay>
- </node>
-
-Note that the device name in <node-id> element must match the last
-element of the restconf URL.
-
-Reconfiguring an existing connector
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The steps to reconfigure an existing connector are exactly the same as
-when spawning a new connector. The old connection will be disconnected
-and a new connector with the new configuration will be created.
-
-Deleting an existing connector
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-To remove an already configured NETCONF connector you need to send the
-following:
-
-::
-
- DELETE http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/new-netconf-device
-
Connecting to a device supporting only NETCONF 1.0
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
NETCONF connector can communicate also with these devices, but the
trade-offs are worsened possibilities in utilization of NETCONF
-mountpoints. Using RESTCONF with such devices is not suported. Also
+mountpoints. Using RESTCONF with such devices is not supported. Also
communicating with schemaless devices from application code is slightly
different.
tutorial application **ncmount** that can be found in the coretutorials
project:
-- https://github.com/opendaylight/coretutorials/tree/stable/beryllum/ncmount
+- https://github.com/opendaylight/coretutorials/tree/master/ncmount
Reading data from the device
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Just invoke (no body needed):
GET
-http://localhost:8080/restconf/operational/network-topology:network-topology/topology/topology-netconf/node/new-netconf-device/yang-ext:mount/
+http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device/yang-ext:mount?content=nonconfig
This will return the entire content of operation datastore from the
-device. To view just the configuration datastore, change **operational**
+device. To view just the configuration datastore, change **nonconfig**
in this URL to **config**.
Writing configuration data to the device
**ncmount** tutorial app.
POST
-http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/new-netconf-device/yang-ext:mount/Cisco-IOS-XR-ifmgr-cfg:interface-configurations
+http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device/yang-ext:mount/Cisco-IOS-XR-ifmgr-cfg:interface-configurations
::
netconf devices). Invoke:
POST
-http://localhost:8181/restconf/operations/network-topology:network-topology/topology/topology-netconf/node/new-netconf-device/yang-ext:mount/ietf-netconf-monitoring:get-schema
+http://localhost:8181/rests/operations/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device/yang-ext:mount/ietf-netconf-monitoring:get-schema
::
This call should fetch the source for ietf-yang-types YANG model from
the mounted device.
-Netconf-connector + Netopeer
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Receiving Netconf Device Notifications on a http client
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-`Netopeer <https://github.com/cesnet/netopeer>`__ (an open-source
-NETCONF server) can be used for testing/exploring NETCONF southbound in
-OpenDaylight.
+Devices emit netconf alarms and notifications in certain situations, which can demand
+attention from Device Administration. The notifications are received as Netconf messages on an
+active Netconf session.
-Netopeer installation
-^^^^^^^^^^^^^^^^^^^^^
+Opendaylight provides the way to stream the device notifications over a http session.
-A `Docker <https://www.docker.com/>`__ container with netopeer will be
-used in this guide. To install Docker and start the `netopeer
-image <https://index.docker.io/u/dockeruser/netopeer/>`__ perform
-following steps:
+- Step 1: Mount the device (assume node name is test_device)
-1. Install docker http://docs.docker.com/linux/step_one/
+- Step 2: Wait for the device to be connected.
-2. Start the netopeer image:
+- Step 3: Create the Subscription for notification on the active session.
- ::
+ .. code-block::
- docker run -rm -t -p 1831:830 dockeruser/netopeer
+ POST
+ http://localhost:8181/rests/operations/network-topology:network-topology/topology=topology-netconf/node=test_device/yang-ext:mount/notifications:create-subscription
+ Content-Type: application/json
+ Accept: application/json
-3. Verify netopeer is running by invoking (netopeer should send its
- HELLO message right away:
+ .. code-block:: json
- ::
+ {
+ "input": {
+ "stream": "NETCONF"
+ }
+ }
- ssh root@localhost -p 1831 -s netconf
- (password root)
+- Step 4: Create the http Stream for the events.
-Mounting netopeer NETCONF server
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+.. code-block::
-Preconditions:
+ POST
+ http://localhost:8181/rests/operations/odl-device-notification:subscribe-device-notification
+ Content-Type: application/json
+ Accept: application/json
-- OpenDaylight is started with features ``odl-restconf-all`` and
- ``odl-netconf-connector-all``.
+.. code-block:: json
-- Netopeer is up and running in docker
+ {
+ "input": {
+ "path":"/network-topology:network-topology/topology[topology-id='topology-netconf']/node[node-id='test_device']"
+ }
+ }
-Now just follow the chapter: `Spawning
-netconf-connector <#_spawning_additional_netconf_connectors_while_the_controller_is_running>`__.
-In the payload change the:
+The response suggests the http url for reading the notifications.
-- name, e.g., to netopeer
+.. code-block:: json
-- username/password to your system credentials
+ {
+ "odl-device-notification:output": {
+ "stream-path": "http://localhost:8181/rests/notif/test_device?notificationType=test_device"
+ }
+ }
-- ip to localhost
+- Step 5: User can access the url in the response and the notifications will be as follows.
-- port to 1831.
+.. code-block::
-After netopeer is mounted successfully, its configuration can be read
-using RESTCONF by invoking:
+ GET
+ http://localhost:8181/rests/notif/test_device?notificationType=test_device
+ Content-Type: application/xml
+ Accept: application/xml
-GET
-http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/netopeer/yang-ext:mount/
-Northbound (NETCONF servers)
-----------------------------
+.. code-block:: xml
-OpenDaylight provides 2 types of NETCONF servers:
+ : ping
-- **NETCONF server for config-subsystem (listening by default on port
- 1830)**
+ : ping
- - Serves as a default interface for config-subsystem and allows
- users to spawn/reconfigure/destroy modules (or applications) in
- OpenDaylight
+ : ping
-- **NETCONF server for MD-SAL (listening by default on port 2830)**
+ : ping
- - Serves as an alternative interface for MD-SAL (besides RESTCONF)
- and allows users to read/write data from MD-SAL’s datastore and to
- invoke its rpcs (NETCONF notifications are not available in the
- Boron release of OpenDaylight)
+ : ping
-.. note::
+ data: <notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"><eventTime>2022-06-17T07:01:08.60228Z</eventTime><netconf-session-start xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-notifications"><username>root</username><source-host>127.0.0.1</source-host><session-id>2</session-id></netconf-session-start></notification>
- The reason for having 2 NETCONF servers is that config-subsystem and
- MD-SAL are 2 different components of OpenDaylight and require
- different approach for NETCONF message handling and data
- translation. These 2 components will probably merge in the future.
+ data: <notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"><eventTime>2022-06-17T07:01:12.458258Z</eventTime><netconf-session-end xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-notifications"><username>root</username><source-host>127.0.0.1</source-host><termination-reason>closed</termination-reason><session-id>2</session-id></netconf-session-end></notification>
-.. note::
+Change event notification subscription tutorial
+-----------------------------------------------
- Since Nitrogen release, there is performance regression in NETCONF
- servers accepting SSH connections. While opening a connection takes
- less than 10 seconds on Carbon, on Nitrogen time can increase up to
- 60 seconds. Please see https://bugs.opendaylight.org/show_bug.cgi?id=9020
+Subscribing to data change notifications makes it possible to obtain
+notifications about data manipulation (insert, change, delete) which are
+done on any specified **path** of any specified **datastore** with
+specific **scope**. In following examples *{odlAddress}* is address of
+server where ODL is running and *{odlPort}* is port on which
+OpenDaylight is running. OpenDaylight offers two methods for receiving notifications:
+Server-Sent Events (SSE) and WebSocket. SSE is the default notification mechanism used in OpenDaylight.
-NETCONF server for config-subsystem
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+SSE notifications subscription process
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-This NETCONF server is the primary interface for config-subsystem. It
-allows the users to interact with config-subsystem in a standardized
-NETCONF manner.
+In this section we will learn what steps need to be taken in order to
+successfully subscribe to data change event notifications.
-In terms of RFCs, these are supported:
+Create stream
+^^^^^^^^^^^^^
-- `RFC-6241 <http://tools.ietf.org/html/rfc6241>`__
+In order to use event notifications you first need to call RPC that
+creates notification stream that you can later listen to. You need to
+provide three parameters to this RPC:
-- `RFC-5277 <https://tools.ietf.org/html/rfc5277>`__
+- **path**: data store path that you plan to listen to. You can
+ register listener on containers, lists and leaves.
-- `RFC-6470 <https://tools.ietf.org/html/rfc6470>`__
+- **datastore**: data store type. *OPERATIONAL* or *CONFIGURATION*.
- - (partially, only the schema-change notification is available in
- Boron release)
+- **scope**: Represents scope of data change. Possible options are:
-- `RFC-6022 <https://tools.ietf.org/html/rfc6022>`__
+ - BASE: only changes directly to the data tree node specified in the
+ path will be reported
-For regular users it is recommended to use RESTCONF + the
-controller-config loopback mountpoint instead of using pure NETCONF. How
-to do that is spesific for each component/module/application in
-OpenDaylight and can be found in their dedicated user guides.
+ - ONE: changes to the node and to direct child nodes will be
+ reported
-NETCONF server for MD-SAL
-~~~~~~~~~~~~~~~~~~~~~~~~~
+ - SUBTREE: changes anywhere in the subtree starting at the node will
+ be reported
-This NETCONF server is just a generic interface to MD-SAL in
-OpenDaylight. It uses the stadard MD-SAL APIs and serves as an
-alternative to RESTCONF. It is fully model driven and supports any data
-and rpcs that are supported by MD-SAL.
+The RPC to create the stream can be invoked via RESTCONF like this:
-In terms of RFCs, these are supported:
+::
-- `RFC-6241 <http://tools.ietf.org/html/rfc6241>`__
+ OPERATION: POST
+ URI: http://{odlAddress}:{odlPort}/rests/operations/sal-remote:create-data-change-event-subscription
+ HEADER: Content-Type=application/json
+ Accept=application/json
-- `RFC-6022 <https://tools.ietf.org/html/rfc6022>`__
+.. code-block:: json
-- `draft-ietf-netconf-yang-library-06 <https://tools.ietf.org/html/draft-ietf-netconf-yang-library-06>`__
+ {
+ "input": {
+ "path": "/toaster:toaster/toaster:toasterStatus",
+ "sal-remote-augment:datastore": "OPERATIONAL",
+ "sal-remote-augment:scope": "ONE"
+ }
+ }
-Notifications over NETCONF are not supported in the Boron release.
+The response should look something like this:
-.. tip::
+.. code-block:: json
- Install NETCONF northbound for MD-SAL by installing feature:
- ``odl-netconf-mdsal`` in karaf. Default binding port is **2830**.
+ {
+ "sal-remote:output": {
+ "stream-name": "data-change-event-subscription/toaster:toaster/toaster:toasterStatus/datastore=CONFIGURATION/scope=SUBTREE"
+ }
+ }
-Configuration
-^^^^^^^^^^^^^
+**stream-name** is important because you will need to use it when you
+subscribe to the stream in the next step.
-The default configuration can be found in file: *08-netconf-mdsal.xml*.
-The file contains the configuration for all necessary dependencies and a
-single SSH endpoint starting on port 2830. There is also a (by default
-disabled) TCP endpoint. It is possible to start multiple endpoints at
-the same time either in the initial configuration file or while
-OpenDaylight is running.
+.. note::
-The credentials for SSH endpoint can also be configured here, the
-defaults are admin/admin. Credentials in the SSH endpoint are not yet
-managed by the centralized AAA component and have to be configured
-separately.
+ Internally, this will create a new listener for *stream-name* if it
+ did not already exist.
-Verifying MD-SAL’s NETCONF server
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Subscribe to stream
+^^^^^^^^^^^^^^^^^^^
-After the NETCONF server is available it can be examined by a command
-line ssh tool:
+In order to subscribe to stream and obtain SSE location you need
+to call *GET* on your stream path. The URI should generally be
+`http://{odlAddress}:{odlPort}/rests/data/ietf-restconf-monitoring:restconf-state/streams/stream/{streamName}`,
+where *{streamName}* is the *stream-name* parameter contained in
+response from *create-data-change-event-subscription* RPC from the
+previous step.
::
- ssh admin@localhost -p 2830 -s netconf
+ OPERATION: GET
+ URI: http://{odlAddress}:{odlPort}/rests/data/ietf-restconf-monitoring:restconf-state/streams/stream/data-change-event-subscription/toaster:toaster/datastore=CONFIGURATION/scope=SUBTREE
-The server will respond by sending its HELLO message and can be used as
-a regular NETCONF server from then on.
+The subscription call may be modified with the following query parameters defined in the RESTCONF RFC:
-Mounting the MD-SAL’s NETCONF server
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+- `filter <https://www.rfc-editor.org/rfc/rfc8040#section-4.8.4>`__
-To perform this operation, just spawn a new netconf-connector as
-described in `Spawning
-netconf-connector <#_spawning_additional_netconf_connectors_while_the_controller_is_running>`__.
-Just change the ip to "127.0.0.1" port to "2830" and its name to
-"controller-mdsal".
+- `start-time <https://www.rfc-editor.org/rfc/rfc8040#section-4.8.7>`__
-Now the MD-SAL’s datastore can be read over RESTCONF via NETCONF by
-invoking:
-
-GET
-http://localhost:8181/restconf/operational/network-topology:network-topology/topology/topology-netconf/node/controller-mdsal/yang-ext:mount
-
-.. note::
-
- This might not seem very useful, since MD-SAL can be accessed
- directly from RESTCONF or from Application code, but the same method
- can be used to mount and control other OpenDaylight instances by the
- "master OpenDaylight".
-
-NETCONF testtool
-----------------
-
-**NETCONF testtool is a set of standalone runnable jars that can:**
-
-- Simulate NETCONF devices (suitable for scale testing)
+- `end-time <https://www.rfc-editor.org/rfc/rfc8040#section-4.8.8>`__
-- Stress/Performance test NETCONF devices
+In addition, the following ODL extension query parameter is supported:
-- Stress/Performance test RESTCONF devices
-
-These jars are part of OpenDaylight’s controller project and are built
-from the NETCONF codebase in OpenDaylight.
-
-.. tip::
-
- Download testtool from OpenDaylight Nexus at:
- https://nexus.opendaylight.org/content/repositories/public/org/opendaylight/netconf/netconf-testtool/1.1.0-Boron/
-
-**Nexus contains 3 executable tools:**
-
-- executable.jar - device simulator
-
-- stress.client.tar.gz - NETCONF stress/performance measuring tool
-
-- perf-client.jar - RESTCONF stress/performance measuring tool
-
-.. tip::
-
- Each executable tool provides help. Just invoke ``java -jar
- <name-of-the-tool.jar> --help``
-
-NETCONF device simulator
-~~~~~~~~~~~~~~~~~~~~~~~~
+:odl-leaf-nodes-only:
+ If this parameter is set to "true", create and update notifications will only
+ contain the leaf nodes modified instead of the entire subscription subtree.
+ This can help in reducing the size of the notifications.
-NETCONF testtool (or NETCONF device simulator) is a tool that
+:odl-skip-notification-data:
+ If this parameter is set to "true", create and update notifications will only
+ contain modified leaf nodes without data.
+ This can help in reducing the size of the notifications.
-- Simulates 1 or more NETCONF devices
+The response should look something like this:
-- Is suitable for scale, performance or crud testing
-
-- Uses core implementation of NETCONF server from OpenDaylight
-
-- Generates configuration files for controller so that the OpenDaylight
- distribution (Karaf) can easily connect to all simulated devices
-
-- Provides broad configuration options
-
-- Can start a fully fledged MD-SAL datastore
-
-- Supports notifications
-
-Building testtool
-^^^^^^^^^^^^^^^^^
-
-1. Check out latest NETCONF repository from
- `git <https://git.opendaylight.org/gerrit/#/admin/projects/netconf>`__
-
-2. Move into the ``opendaylight/netconf/tools/netconf-testtool/`` folder
-
-3. Build testtool using the ``mvn clean install`` command
-
-Downloading testtool
-^^^^^^^^^^^^^^^^^^^^
-
-Netconf-testtool is now part of default maven build profile for
-controller and can be also downloaded from nexus. The executable jar for
-testtool can be found at:
-`nexus-artifacts <https://nexus.opendaylight.org/content/repositories/public/org/opendaylight/netconf/netconf-testtool/1.1.0-Boron/>`__
+.. code-block:: json
-Running testtool
-^^^^^^^^^^^^^^^^
+ {
+ "subscribe-to-notification:location": "http://localhost:8181/rests/notif/data-change-event-subscription/network-topology:network-topology/datastore=CONFIGURATION/scope=SUBTREE"
+ }
-1. After successfully building or downloading, move into the
- ``opendaylight/netconf/tools/netconf-testtool/target/`` folder and
- there is file ``netconf-testtool-1.1.0-SNAPSHOT-executable.jar`` (or
- if downloaded from nexus just take that jar file)
+.. note::
-2. Execute this file using, e.g.:
+ During this phase there is an internal check for to see if a
+ listener for the *stream-name* from the URI exists. If not, new a
+ new listener is registered with the DOM data broker.
- ::
+Receive notifications
+^^^^^^^^^^^^^^^^^^^^^
- java -jar netconf-testtool-1.1.0-SNAPSHOT-executable.jar
+Once you got SSE location you can now connect to it and
+start receiving data change events. The request should look something like this:
- This execution runs the testtool with default for all parameters and
- you should see this log output from the testtool :
+::
- ::
+ curl -v -X GET http://localhost:8181/rests/notif/data-change-event-subscription/toaster:toaster/toasterStatus/datastore=OPERATIONAL/scope=ONE -H "Content-Type: text/event-stream" -H "Authorization: Basic YWRtaW46YWRtaW4="
- 10:31:08.206 [main] INFO o.o.c.n.t.t.NetconfDeviceSimulator - Starting 1, SSH simulated devices starting on port 17830
- 10:31:08.675 [main] INFO o.o.c.n.t.t.NetconfDeviceSimulator - All simulated devices started successfully from port 17830 to 17830
-Default Parameters
-''''''''''''''''''
+WebSocket notifications subscription process
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-The default parameters for testtool are:
+Enabling WebSocket notifications in OpenDaylight requires a manual setup before starting the application.
+The following steps can be followed to enable WebSocket notifications in OpenDaylight:
-- Use SSH
+1. Open the file `org.opendaylight.restconf.nb.rfc8040.cfg`, at `etc/` folder inside your Karaf distribution. Or create in case it does not exist.
+2. Locate the `use-sse` configuration parameter and change its value from `true` to `false`. Or add ``use-sse=false`` as new line in case this parameter is not present.
+3. Save the changes made to the `org.opendaylight.restconf.nb.rfc8040.cfg` file.
+4. Restart OpenDaylight if it is already running.
-- Run 1 simulated device
+Once these steps are completed, WebSocket notifications will be enabled in OpenDaylight,
+and they can be used for receiving notifications instead of SSE.
-- Device port is 17830
+WebSocket Notifications subscription process is the same as SSE until you receive a location of WebSocket.
+You can follow steps given above and after subscribing to a notification stream over WebSocket,
+you will receive a response indicating that the subscription was successful:
-- YANG modules used by device are only: ietf-netconf-monitoring,
- ietf-yang-types, ietf-inet-types (these modules are required for
- device in order to support NETCONF monitoring and are included in the
- netconf-testtool)
+.. code-block:: json
-- Connection timeout is set to 30 minutes (quite high, but when testing
- with 10000 devices it might take some time for all of them to fully
- establish a connection)
+ {
+ "subscribe-to-notification:location": "ws://localhost:8181/rests/notif/data-change-event-subscription/network-topology:network-topology/datastore=CONFIGURATION/scope=SUBTREE"
+ }
-- Debug level is set to false
+You can use this WebSocket to listen to data
+change notifications. To listen to notifications you can use a
+JavaScript client or if you are using chrome browser you can use the
+`Simple WebSocket
+Client <https://chrome.google.com/webstore/detail/simple-websocket-client/pfdhoblngboilpfeibdedpjgfnlcodoo>`__.
+
+Also, for testing purposes, there is simple Java application named
+WebSocketClient. The application is placed in the
+*/restconf/websocket-client* project. It accepts a WebSocket URI
+as an input parameter. After starting the utility (WebSocketClient
+class directly in Eclipse/InteliJ Idea) received notifications should be
+displayed in console.
+
+Notifications are always in XML format and look like this:
+
+.. code-block:: xml
+
+ <notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
+ <eventTime>2014-09-11T09:58:23+02:00</eventTime>
+ <data-changed-notification xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:remote">
+ <data-change-event>
+ <path xmlns:meae="http://netconfcentral.org/ns/toaster">/meae:toaster</path>
+ <operation>updated</operation>
+ <data>
+ <!-- updated data -->
+ </data>
+ </data-change-event>
+ </data-changed-notification>
+ </notification>
-- No distribution is modified to connect automatically to the NETCONF
- testtool
+Example use case
+~~~~~~~~~~~~~~~~
-Verifying testtool
-^^^^^^^^^^^^^^^^^^
+The typical use case is listening to data change events to update web
+page data in real time. In this tutorial we will be using toaster as the
+base.
-To verify that the simulated device is up and running, we can try to
-connect to it using command line ssh tool. Execute this command to
-connect to the device:
+When you call *make-toast* RPC, it sets *toasterStatus* to "down" to
+reflect that the toaster is busy making toast. When it finishes,
+*toasterStatus* is set to "up" again. We will listen to these toaster
+status changes in data store and will reflect it on our web page in
+real-time thanks to WebSocket data change notification.
-::
+Simple javascript client implementation
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- ssh admin@localhost -p 17830 -s netconf
+We will create a simple JavaScript web application that will listen for
+updates on *toasterStatus* leaf and update some elements of our web page
+according to the new toaster status state.
-Just accept the server with yes (if required) and provide any password
-(testtool accepts all users with all passwords). You should see the
-hello message sent by simulated device.
-
-Testtool help
+Create stream
^^^^^^^^^^^^^
-::
+First you need to create stream that you are planning to subscribe to.
+This can be achieved by invoking "create-data-change-event-subscription"
+RPC on RESTCONF via AJAX request. You need to provide data store
+**path** that you plan to listen on, **data store type** and **scope**.
+If the request is successful you can extract the **stream-name** from
+the response and use that to subscribe to the newly created stream. The
+*{username}* and *{password}* fields represent the credentials that you
+use to connect to OpenDaylight via RESTCONF:
- usage: netconf testtool [-h] [--edit-content EDIT-CONTENT] [--async-requests {true,false}] [--thread-amount THREAD-AMOUNT] [--throttle THROTTLE]
- [--auth AUTH AUTH] [--controller-destination CONTROLLER-DESTINATION] [--device-count DEVICES-COUNT]
- [--devices-per-port DEVICES-PER-PORT] [--schemas-dir SCHEMAS-DIR] [--notification-file NOTIFICATION-FILE]
- [--initial-config-xml-file INITIAL-CONFIG-XML-FILE] [--starting-port STARTING-PORT]
- [--generate-config-connection-timeout GENERATE-CONFIG-CONNECTION-TIMEOUT]
- [--generate-config-address GENERATE-CONFIG-ADDRESS] [--generate-configs-batch-size GENERATE-CONFIGS-BATCH-SIZE]
- [--distribution-folder DISTRO-FOLDER] [--ssh {true,false}] [--exi {true,false}] [--debug {true,false}]
- [--md-sal {true,false}] [--time-out TIME-OUT] [-ip IP] [--thread-pool-size THREAD-POOL-SIZE] [--rpc-config RPC-CONFIG]
-
- netconf testtool
-
- named arguments:
- -h, --help show this help message and exit
- --edit-content EDIT-CONTENT
- --async-requests {true,false}
- --thread-amount THREAD-AMOUNT
- The number of threads to use for configuring devices.
- --throttle THROTTLE Maximum amount of async requests that can be open at a time, with mutltiple threads this gets divided among all threads
- --auth AUTH AUTH Username and password for HTTP basic authentication in order username password.
- --controller-destination CONTROLLER-DESTINATION
- Ip address and port of controller. Must be in following format <ip>:<port> if available it will be used for spawning
- netconf connectors via topology configuration as a part of URI. Example (http://<controller
- destination>/restconf/config/network-topology:network-topology/topology/topology-netconf/node/<node-id>)otherwise it will
- just start simulated devices and skip the execution of PUT requests
- --device-count DEVICES-COUNT
- Number of simulated netconf devices to spin. This is the number of actual ports open for the devices.
- --devices-per-port DEVICES-PER-PORT
- Amount of config files generated per port to spoof more devices than are actually running
- --schemas-dir SCHEMAS-DIR
- Directory containing yang schemas to describe simulated devices. Some schemas e.g. netconf monitoring and inet types are
- included by default
- --notification-file NOTIFICATION-FILE
- Xml file containing notifications that should be sent to clients after create subscription is called
- --initial-config-xml-file INITIAL-CONFIG-XML-FILE
- Xml file containing initial simulatted configuration to be returned via get-config rpc
- --starting-port STARTING-PORT
- First port for simulated device. Each other device will have previous+1 port number
- --generate-config-connection-timeout GENERATE-CONFIG-CONNECTION-TIMEOUT
- Timeout to be generated in initial config files
- --generate-config-address GENERATE-CONFIG-ADDRESS
- Address to be placed in generated configs
- --generate-configs-batch-size GENERATE-CONFIGS-BATCH-SIZE
- Number of connector configs per generated file
- --distribution-folder DISTRO-FOLDER
- Directory where the karaf distribution for controller is located
- --ssh {true,false} Whether to use ssh for transport or just pure tcp
- --exi {true,false} Whether to use exi to transport xml content
- --debug {true,false} Whether to use debug log level instead of INFO
- --md-sal {true,false} Whether to use md-sal datastore instead of default simulated datastore.
- --time-out TIME-OUT the maximum time in seconds for executing each PUT request
- -ip IP Ip address which will be used for creating a socket address.It can either be a machine name, such as java.sun.com, or a
- textual representation of its IP address.
- --thread-pool-size THREAD-POOL-SIZE
- The number of threads to keep in the pool, when creating a device simulator. Even if they are idle.
- --rpc-config RPC-CONFIG
- Rpc config file. It can be used to define custom rpc behavior, or override the default one.Usable for testing buggy device
- behavior.
-
-
-Supported operations
-^^^^^^^^^^^^^^^^^^^^
+.. note::
-Testtool default simple datastore supported operations:
+ The default user name and password are "admin".
+
+.. code-block:: javascript
+
+ function createStream() {
+ $.ajax(
+ {
+ url: 'http://{odlAddress}:{odlPort}/rests/operations/sal-remote:create-data-change-event-subscription',
+ type: 'POST',
+ headers: {
+ 'Authorization': 'Basic ' + btoa('{username}:{password}'),
+ 'Content-Type': 'application/json'
+ },
+ data: JSON.stringify(
+ {
+ 'input': {
+ 'path': '/toaster:toaster/toaster:toasterStatus',
+ 'sal-remote-augment:datastore': 'OPERATIONAL',
+ 'sal-remote-augment:scope': 'ONE'
+ }
+ }
+ )
+ }).done(function (data) {
+ // this function will be called when ajax call is executed successfully
+ subscribeToStream(data.output['stream-name']);
+ }).fail(function (data) {
+ // this function will be called when ajax call fails
+ console.log("Create stream call unsuccessful");
+ })
+ }
-get-schema
- returns YANG schemas loaded from user specified directory,
+Subscribe to stream
+^^^^^^^^^^^^^^^^^^^
-edit-config
- always returns OK and stores the XML from the input in a local
- variable available for get-config and get RPC. Every edit-config
- replaces the previous data,
+The Next step is to subscribe to the stream. To subscribe to the stream
+you need to call *GET* on
+*http://{odlAddress}:{odlPort}/rests/data/ietf-restconf-monitoring:restconf-state/streams/stream/{stream-name}*.
+If the call is successful, you get WebSocket address for this stream in
+**Location** parameter inside response header. You can get response
+header by calling *getResponseHeader(\ *Location*)* on HttpRequest
+object inside *done()* function call:
+
+.. code-block:: javascript
+
+ function subscribeToStream(streamName) {
+ $.ajax(
+ {
+ url: 'http://{odlAddress}:{odlPort}/rests/data/ietf-restconf-monitoring:restconf-state/streams/stream/' + streamName;
+ type: 'GET',
+ headers: {
+ 'Authorization': 'Basic ' + btoa('{username}:{password}'),
+ }
+ }
+ ).done(function (data, textStatus, httpReq) {
+ // we need function that has http request object parameter in order to access response headers.
+ listenToNotifications(httpReq.getResponseHeader('Location'));
+ }).fail(function (data) {
+ console.log("Subscribe to stream call unsuccessful");
+ });
+ }
-commit
- always returns OK, but does not actually commit the data,
+Receive notifications
+^^^^^^^^^^^^^^^^^^^^^
-get-config
- returns local XML stored by edit-config,
+Once you have WebSocket server location you can now connect to it and
+start receiving data change events. You need to define functions that
+will handle events on WebSocket. In order to process incoming events
+from OpenDaylight you need to provide a function that will handle
+*onmessage* events. The function must have one parameter that represents
+the received event object. The event data will be stored in
+*event.data*. The data will be in an XML format that you can then easily
+parse using jQuery.
+
+.. code-block:: javascript
+
+ function listenToNotifications(socketLocation) {
+ try {
+ var notificatinSocket = new WebSocket(socketLocation);
+
+ notificatinSocket.onmessage = function (event) {
+ // we process our received event here
+ console.log('Received toaster data change event.');
+ $($.parseXML(event.data)).find('data-change-event').each(
+ function (index) {
+ var operation = $(this).find('operation').text();
+ if (operation == 'updated') {
+ // toaster status was updated so we call function that gets the value of toasterStatus leaf
+ updateToasterStatus();
+ return false;
+ }
+ }
+ );
+ }
+ notificatinSocket.onerror = function (error) {
+ console.log("Socket error: " + error);
+ }
+ notificatinSocket.onopen = function (event) {
+ console.log("Socket connection opened.");
+ }
+ notificatinSocket.onclose = function (event) {
+ console.log("Socket connection closed.");
+ }
+ // if there is a problem on socket creation we get exception (i.e. when socket address is incorrect)
+ } catch(e) {
+ alert("Error when creating WebSocket" + e );
+ }
+ }
-get
- returns local XML stored by edit-config with netconf-state subtree,
- but also supports filtering.
+The *updateToasterStatus()* function represents function that calls
+*GET* on the path that was modified and sets toaster status in some web
+page element according to received data. After the WebSocket connection
+has been established you can test events by calling make-toast RPC via
+RESTCONF.
-(un)lock
- returns always OK with no lock guarantee
+.. note::
-create-subscription
- returns always OK and after the operation is triggered, provided
- NETCONF notifications (if any) are fed to the client. No filtering
- or stream recognition is supported.
+ for more information about WebSockets in JavaScript visit `Writing
+ WebSocket client
+ applications <https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API/Writing_WebSocket_client_applications>`__
-Note: when operation="delete" is present in the payload for edit-config,
-it will wipe its local store to simulate the removal of data.
+Netconf-connector + Netopeer
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-When using the MD-SAL datastore testtool behaves more like normal
-NETCONF server and is suitable for crud testing. create-subscription is
-not supported when testtool is running with the MD-SAL datastore.
+`Netopeer <https://github.com/cesnet/netopeer>`__ (an open-source
+NETCONF server) can be used for testing/exploring NETCONF southbound in
+OpenDaylight.
-Notification support
-^^^^^^^^^^^^^^^^^^^^
+Netopeer installation
+^^^^^^^^^^^^^^^^^^^^^
-Testtool supports notifications via the --notification-file switch. To
-trigger the notification feed, create-subscription operation has to be
-invoked. The XML file provided should look like this example file:
+A `Docker <https://www.docker.com/>`__ container with netopeer will be
+used in this guide. To install Docker and start the `netopeer
+image <https://hub.docker.com/r/sysrepo/sysrepo-netopeer2>`__ perform
+following steps:
-::
+1. Install docker https://docs.docker.com/get-started/
- <?xml version='1.0' encoding='UTF-8' standalone='yes'?>
- <notifications>
-
- <!-- Notifications are processed in the order they are defined in XML -->
-
- <!-- Notification that is sent only once right after create-subscription is called -->
- <notification>
- <!-- Content of each notification entry must contain the entire notification with event time. Event time can be hardcoded, or generated by testtool if XXXX is set as eventtime in this XML -->
- <content><![CDATA[
- <notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
- <eventTime>2011-01-04T12:30:46</eventTime>
- <random-notification xmlns="http://www.opendaylight.org/netconf/event:1.0">
- <random-content>single no delay</random-content>
- </random-notification>
- </notification>
- ]]></content>
- </notification>
+2. Start the netopeer image:
- <!-- Repeated Notification that is sent 5 times with 2 second delay inbetween -->
- <notification>
- <!-- Delay in seconds from previous notification -->
- <delay>2</delay>
- <!-- Number of times this notification should be repeated -->
- <times>5</times>
- <content><![CDATA[
- <notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
- <eventTime>XXXX</eventTime>
- <random-notification xmlns="http://www.opendaylight.org/netconf/event:1.0">
- <random-content>scheduled 5 times 10 seconds each</random-content>
- </random-notification>
- </notification>
- ]]></content>
- </notification>
+ ::
- <!-- Single notification that is sent only once right after the previous notification -->
- <notification>
- <delay>2</delay>
- <content><![CDATA[
- <notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
- <eventTime>XXXX</eventTime>
- <random-notification xmlns="http://www.opendaylight.org/netconf/event:1.0">
- <random-content>single with delay</random-content>
- </random-notification>
- </notification>
- ]]></content>
- </notification>
+ docker run -it --name sysrepo -p 830:830 --rm sysrepo/sysrepo-netopeer2:latest
- </notifications>
+3. Verify netopeer is running by invoking (netopeer should send its
+ HELLO message right away:
-Connecting testtool with controller Karaf distribution
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ ::
-Auto connect to OpenDaylight
-''''''''''''''''''''''''''''
+ ssh root@localhost -p 830 -s netconf
+ (password root)
-It is possible to make OpenDaylight auto connect to the simulated
-devices spawned by testtool (so user does not have to post a
-configuration for every NETCONF connector via RESTCONF). The testtool is
-able to modify the OpenDaylight distribution to auto connect to the
-simulated devices after feature ``odl-netconf-connector-all`` is
-installed. When running testtool, issue this command (just point the
-testool to the distribution:
+Mounting netopeer NETCONF server
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-::
+Preconditions:
- java -jar netconf-testtool-1.1.0-SNAPSHOT-executable.jar --device-count 10 --distribution-folder ~/distribution-karaf-0.4.0-SNAPSHOT/ --debug true
+- OpenDaylight is started with features ``odl-restconf-all`` and
+ ``odl-netconf-connector-all``.
-With the distribution-folder parameter, the testtool will modify the
-distribution to include configuration for netconf-connector to connect
-to all simulated devices. So there is no need to spawn
-netconf-connectors via RESTCONF.
+- Netopeer is up and running in docker
-Running testtool and OpenDaylight on different machines
-'''''''''''''''''''''''''''''''''''''''''''''''''''''''
+Now just follow the section: `Spawning new NETCONF connectors`_ for
+password authentication.
+In the payload change the:
-The testtool binds by default to 0.0.0.0 so it should be accessible from
-remote machines. However you need to set the parameter
-"generate-config-address" (when using autoconnect) to the address of
-machine where testtool will be run so OpenDaylight can connect. The
-default value is localhost.
+- name, e.g., to netopeer
-Executing operations via RESTCONF on a mounted simulated device
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+- username/password to your system credentials
-Simulated devices support basic RPCs for editing their config. This part
-shows how to edit data for simulated device via RESTCONF.
+- ip to localhost
-Test YANG schema
-''''''''''''''''
+- port to 830.
-The controller and RESTCONF assume that the data that can be manipulated
-for mounted device is described by a YANG schema. For demonstration, we
-will define a simple YANG model:
+After netopeer is mounted successfully, its configuration can be read
+using RESTCONF by invoking:
-::
+GET
+http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=netopeer/yang-ext:mount?content:config
- module test {
- yang-version 1;
- namespace "urn:opendaylight:test";
- prefix "tt";
+Mounting netopeer NETCONF server using key-based authentication SSH
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- revision "2014-10-17";
+1. Install docker https://docs.docker.com/get-started/
+2. Create RSA key pair - it will be user for connection.
- container cont {
+3. Start the netopeer image(this command will also copy you pub key
+ into docker container):
- leaf l {
- type string;
- }
- }
- }
-
-Save this schema in file called test@2014-10-17.yang and store it a
-directory called test-schemas/, e.g., your home folder.
+ ::
-Editing data for simulated device
-'''''''''''''''''''''''''''''''''
+ docker run -dt -p 830:830 -v {path-to-pub-key}:/home/{netopeer-username}/.ssh/authorized_keys sysrepo/sysrepo-netopeer2:latest netopeer2-server -d -v 2
-- Start the device with following command:
+4. Verify netopeer is running by invoking (netopeer should send its
+ HELLO message right away:
::
- java -jar netconf-testtool-1.1.0-SNAPSHOT-executable.jar --device-count 10 --distribution-folder ~/distribution-karaf-0.4.0-SNAPSHOT/ --debug true --schemas-dir ~/test-schemas/
-
-- Start OpenDaylight
+ ssh root@localhost -p 830 -s netconf
+ (password root)
-- Install odl-netconf-connector-all feature
+Now just follow the section: `Spawning new NETCONF connectors`_ for
+key-based authentication(SSH) to create device.
+In the payload change the:
-- Install odl-restconf feature
+- name, e.g., to netopeer
-- Check that you can see config data for simulated device by executing
- GET request to
+- username/password to your system credentials
- ::
+- ip to localhost
- http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/17830-sim-device/yang-ext:mount/
+- port to 830.
-- The data should be just and empty data container
+After netopeer is mounted successfully, its configuration can be read
+using RESTCONF by invoking:
-- Now execute edit-config request by executing a POST request to:
+GET
+http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=netopeer/yang-ext:mount?content:config
- ::
+Mounting netopeer NETCONF server using key-based authentication TLS
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/17830-sim-device/yang-ext:mount
+1. Install docker https://docs.docker.com/get-started/
- with headers:
+2. Run netopeer2
::
- Accept application/xml
- Content-Type application/xml
+ docker pull sysrepo/sysrepo-netopeer2
+ docker run -it --name sysrepo -p 830:830 --rm sysrepo/sysrepo-netopeer2:latest
- and payload:
+3. Enable TLS communication on server netopeer2
::
- <cont xmlns="urn:opendaylight:test">
- <l>Content</l>
- </cont>
+ ssh root@localhost -p 830 -s netconf
+ (type password root)
-- Check that you can see modified config data for simulated device by
- executing GET request to
+ After successful connecting to netopeer2 setup your
+ TLS configuration xml
+ (See: https://github.com/CESNET/netopeer2/tree/master/example_configuration).
- ::
+4. Run ODL:
- http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/17830-sim-device/yang-ext:mount/
+- :~/netconf/karaf/target/assembly/bin$ ./karaf
-- Check that you can see the same modified data in operational for
- simulated device by executing GET request to
+- feature:install odl-netconf-topology odl-restconf-nb-bierman02 odl-mdsal-apidocs
- ::
-
- http://localhost:8181/restconf/operational/network-topology:network-topology/topology/topology-netconf/node/17830-sim-device/yang-ext:mount/
+5. Set up ODL netconf keystore
-.. warning::
-
- Data will be mirrored in operational datastore only when using the
- default simple datastore.
+ To setup keystore is needed to send three RPCs from
+ `Configure device to connect over TLS protocol`_
+ to add a client private key, associate a private key with a client and CA
+ certificates chain and add a list of trusted CA and server certificates.
+Now just follow the section: `Spawning new NETCONF connectors`_ for
+key-based authentication(TLS) to create device.
+In the payload change the:
-Testing User defined RPC
-^^^^^^^^^^^^^^^^^^^^^^^^
+- name, e.g., to netopeer
-The NETCONF test-tool allows using custom RPC. Custom RPC needs to be defined in yang model provide to test-tool along
-with parameter ``--schemas-dir``.
+- username/password to your system credentials
-The input and output of the custom RPC should be provided with ``--rpc-config`` parameter as a path to the file containing
-definition of input and output. The format of the custom RPC file is xml as shown below.
+- ip to localhost
-Start the device with following command:
+- port to 830.
-::
+After netopeer is mounted successfully, its configuration can be read
+using RESTCONF by invoking:
- java -jar netconf/tools/netconf-testtool/target/netconf-testtool-1.7.0-SNAPSHOT-executable.jar --schemas-dir ~/test-schemas/ --rpc-config ~/tmp/customrpc.xml --debug=true
+GET
+http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=netopeer/yang-ext:mount?content:config
-Example YANG model file:
+Northbound (NETCONF servers)
+----------------------------
-::
+OpenDaylight provides 2 types of NETCONF servers:
- module example-ops {
- namespace "urn:example-ops:reboot";
- prefix "ops";
+- **NETCONF server for config-subsystem (listening by default on port
+ 1830)**
- import ietf-yang-types {
- prefix "yang";
- }
+ - Serves as a default interface for config-subsystem and allows
+ users to spawn/reconfigure/destroy modules (or applications) in
+ OpenDaylight
+- **NETCONF server for MD-SAL (listening by default on port 2830)**
- revision "2016-07-07" {
- description "Initial version.";
- reference "example document.";
- }
+ - Serves as an alternative interface for MD-SAL (besides RESTCONF)
+ and allows users to read/write data from MD-SAL’s datastore and to
+ invoke its rpcs (NETCONF notifications are not available in the
+ Boron release of OpenDaylight)
+.. note::
- rpc reboot {
- description "Reboot operation.";
- input {
- leaf delay {
- type uint32;
- units "seconds";
- default 0;
- description
- "Delay in seconds.";
- }
- leaf message {
- type string;
- description
- "Log message.";
- }
- }
- }
- }
+ The reason for having 2 NETCONF servers is that config-subsystem and
+ MD-SAL are 2 different components of OpenDaylight and require
+ different approaches for NETCONF message handling and data
+ translation. These 2 components will probably merge in the future.
+.. note::
-Example payload (RPC config file customrpc.xml):
+ Since Nitrogen release, there has been performance regression in NETCONF
+ servers accepting SSH connections. While opening a connection takes
+ less than 10 seconds on Carbon, on Nitrogen time can increase up to
+ 60 seconds. Please see https://jira.opendaylight.org/browse/ODLPARENT-112
-::
+NETCONF server for config-subsystem
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- <rpcs>
- <rpc>
- <input>
- <reboot xmlns="urn:example-ops:reboot">
- <delay>300</delay>
- <message>message</message>
- </reboot>
- </input>
- <output>
- <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
- <ok/>
- </rpc-reply>
- </output>
- </rpc>
- </rpcs>
+This NETCONF server is the primary interface for config-subsystem. It
+allows the users to interact with config-subsystem in a standardized
+NETCONF manner.
+In terms of RFCs, these are supported:
+- `RFC-6241 <https://www.rfc-editor.org/rfc/rfc6241>`__
-Example of use:
+- `RFC-5277 <https://www.rfc-editor.org/rfc/rfc5277>`__
-::
+- `RFC-6470 <https://www.rfc-editor.org/rfc/rfc6470>`__
- POST http://localhost:8181/restconf/operations/network-topology:network-topology/topology/topology-netconf/node/new-netconf-device/yang-ext:mount/example-ops:get-reboot-info
+ - (partially, only the schema-change notification is available in
+ Boron release)
-If successful the command will return code 200.
+- `RFC-6022 <https://www.rfc-editor.org/rfc/rfc6022>`__
+For regular users it is recommended to use RESTCONF + the
+controller-config loopback mountpoint instead of using pure NETCONF. How
+to do that is specific for each component/module/application in
+OpenDaylight and can be found in their dedicated user guides.
+NETCONF server for MD-SAL
+~~~~~~~~~~~~~~~~~~~~~~~~~
-.. note::
+This NETCONF server is just a generic interface to MD-SAL in
+OpenDaylight. It uses the standard MD-SAL APIs and serves as an
+alternative to RESTCONF. It is fully model-driven and supports any data
+and rpcs that are supported by MD-SAL.
- A working example of user defined RPC can be found in TestToolTest.java class of the tools[netconf-testtool] project.
+In terms of RFCs, these are supported:
+- `RFC-6241 <https://www.rfc-editor.org/rfc/rfc6241>`__
-Known problems
-^^^^^^^^^^^^^^
+- `RFC-6022 <https://www.rfc-editor.org/rfc/rfc6022>`__
-Slow creation of devices on virtual machines
-''''''''''''''''''''''''''''''''''''''''''''
+- `RFC-7895 <https://www.rfc-editor.org/rfc/rfc7895>`__
-When testtool seems to take unusually long time to create the devices
-use this flag when running it:
+Notifications over NETCONF are not supported in the Boron release.
-::
+.. tip::
- -Dorg.apache.sshd.registerBouncyCastle=false
+ Install NETCONF northbound for MD-SAL by installing feature:
+ ``odl-netconf-mdsal`` in karaf. Default binding port is **2830**.
-Too many files open
-'''''''''''''''''''
+Configuration
+^^^^^^^^^^^^^
-When testtool or OpenDaylight starts to fail with TooManyFilesOpen
-exception, you need to increase the limit of open files in your OS. To
-find out the limit in linux execute:
+The default configuration can be found in file: *08-netconf-mdsal.xml*.
+The file contains the configuration for all necessary dependencies and a
+single SSH endpoint starting on port 2830. There is also a (by default
+disabled) TCP endpoint. It is possible to start multiple endpoints at
+the same time either in the initial configuration file or while
+OpenDaylight is running.
-::
+The credentials for SSH endpoint can also be configured here, the
+defaults are admin/admin. Credentials in the SSH endpoint are not yet
+managed by the centralized AAA component and have to be configured
+separately.
- ulimit -a
+Verifying MD-SAL’s NETCONF server
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-Example sufficient configuration in linux:
+After the NETCONF server is available it can be examined by a command
+line ssh tool:
::
- core file size (blocks, -c) 0
- data seg size (kbytes, -d) unlimited
- scheduling priority (-e) 0
- file size (blocks, -f) unlimited
- pending signals (-i) 63338
- max locked memory (kbytes, -l) 64
- max memory size (kbytes, -m) unlimited
- open files (-n) 500000
- pipe size (512 bytes, -p) 8
- POSIX message queues (bytes, -q) 819200
- real-time priority (-r) 0
- stack size (kbytes, -s) 8192
- cpu time (seconds, -t) unlimited
- max user processes (-u) 63338
- virtual memory (kbytes, -v) unlimited
- file locks (-x) unlimited
-
-To set these limits edit file: /etc/security/limits.conf, for example:
+ ssh admin@localhost -p 2830 -s netconf
-::
+The server will respond by sending its HELLO message and can be used as
+a regular NETCONF server from then on.
- * hard nofile 500000
- * soft nofile 500000
- root hard nofile 500000
- root soft nofile 500000
+Mounting the MD-SAL’s NETCONF server
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-"Killed"
-''''''''
+To perform this operation, just spawn a new netconf-connector as
+described in `Spawning new NETCONF connectors`_. Just change the ip to
+"127.0.0.1" port to "2830" and its name to "controller-mdsal".
-The testtool might end unexpectedly with a simple message: "Killed".
-This means that the OS killed the tool due to too much memory consumed
-or too many threads spawned. To find out the reason on linux you can use
-following command:
+Now the MD-SAL’s datastore can be read over RESTCONF via NETCONF by
+invoking:
-::
+GET
+http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=controller-mdsal/yang-ext:mount?content:nonconfig
- dmesg | egrep -i -B100 'killed process'
+.. note::
-Also take a look at this file: /proc/sys/kernel/threads-max. It limits
-the number of threads spawned by a process. Sufficient (but probably
-much more than enough) value is, e.g., 126676
+ This might not seem very useful, since MD-SAL can be accessed
+ directly from RESTCONF or from Application code, but the same method
+ can be used to mount and control other OpenDaylight instances by the
+ "master OpenDaylight".
NETCONF stress/performance measuring tool
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
have to configure YANGLIB either through RESTCONF or NETCONF. We will
show how to configure YANGLIB through RESTCONF.
-YANGLIB configuration through RESTCONF
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-You have to specify what local YANG modules directory you want to provide.
-Then you have to specify address and port whre you want to provide YANG
-sources. For example, we want to serve yang sources from folder /sources
-on localhost:5000 adress. The configuration for this scenario will be
-as follows:
+YANGLIB configuration
+~~~~~~~~~~~~~~~~~~~~~
+YANGLIB configuration works through OSGi Configuration Admin interface, in the
+``org.opendaylight.netconf.yanglib`` configuration PID. There are three tuneables you can
+set:
-::
-
- PUT http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/controller-config/yang-ext:mount/config:modules/module/yanglib:yanglib/example
-
-Headers:
+* ``cache-folder``, which defaults to ``cache/schema``
+* ``binding-address``, which defaults to ``localhost``
+* ``binding-port``, which defaults to ``8181``
-- Accept: application/xml
+In order to change these settings, you can either modify the corresponding configuration
+file, ``etc/org.opendaylight.netconf.yanglib.cfg``, for example:
-- Content-Type: application/xml
+::
+ cache-folder = cache/newSchema
+ binding-address = localhost
+ binding-port = 8181
-Payload:
+Or use Karaf CLI:
::
+ opendaylight-user@root>config:edit org.opendaylight.netconf.yanglib
+ opendaylight-user@root>config:property-set cache-folder cache/newSchema
+ opendaylight-user@root>config:property-set binding-address localhost
+ opendaylight-user@root>config:property-set binding-port 8181
+ opendaylight-user@root>config:update
- <module xmlns="urn:opendaylight:params:xml:ns:yang:controller:config">
- <name>example</name>
- <type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:controller:yanglib:impl">prefix:yanglib</type>
- <broker xmlns="urn:opendaylight:params:xml:ns:yang:controller:yanglib:impl">
- <type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:controller:md:sal:binding">prefix:binding-broker-osgi-registry</type>
- <name>binding-osgi-broker</name>
- </broker>
- <cache-folder xmlns="urn:opendaylight:params:xml:ns:yang:controller:yanglib:impl">/sources</cache-folder>
- <binding-addr xmlns="urn:opendaylight:params:xml:ns:yang:controller:yanglib:impl">localhost</binding-addr>
- <binding-port xmlns="urn:opendaylight:params:xml:ns:yang:controller:yanglib:impl">5000</binding-port>
- </module>
-
-This should result in a 2xx response and new YANGLIB instance should be
-created. This YANGLIB takes all YANG sources from /sources folder and
+This YANGLIB takes all YANG sources from the configured sources folder and
for each generates URL in form:
::
- http://localhost:5000/schemas/{modelName}/{revision}
+ http://localhost:8181/yanglib/schemas/{modelName}/{revision}
On this URL will be hosted YANG source for particular module.
-YANGLIB instance also write this URL along with source identifier to
+YANGLIB instance also writes this URL along with source identifier to
ietf-netconf-yang-library/modules-state/module list.
Netconf-connector with YANG library as fallback
::
<yang-library xmlns="urn:opendaylight:netconf-node-topology">
- <yang-library-url xmlns="urn:opendaylight:netconf-node-topology">http://localhost:8181/restconf/operational/ietf-yang-library:modules-state</yang-library-url>
+ <yang-library-url xmlns="urn:opendaylight:netconf-node-topology">http://localhost:8181/rests/data/ietf-yang-library:modules-state</yang-library-url>
<username xmlns="urn:opendaylight:netconf-node-topology">admin</username>
<password xmlns="urn:opendaylight:netconf-node-topology">admin</password>
</yang-library>
This will register YANGLIB provided sources as a fallback schemas for
particular mount point.
-NETCONF Call Home
------------------
+Restconf northbound configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Restconf-nb configuration works through OSGi Configuration Admin interface, in the
+``org.opendaylight.restconf.nb.rfc8040`` configuration PID. There are six tuneables you can
+set:
-.. important::
+* ``maximum-fragment-length``, which defaults to ``0``
+* ``heartbeat-interval``, which defaults to ``10000``
+* ``idle-timeout``, which defaults to ``30000``
+* ``ping-executor-name-prefix``, which defaults to ``ping-executor``
+* ``max-thread-count``, which defaults to ``1``
+* ``use-sse``, which defaults to ``true``
+* ``restconf``, which defaults to ``rests``
+
+*maximum-fragment-length* — Maximum web-socket fragment length in number of Unicode code units (characters)
+(exceeded message length leads to fragmentation of messages)
+
+*heartbeat-interval* — Interval in milliseconds between sending of ping control frames.
+
+*idle-timeout* — Maximum idle time of web-socket session before the session is closed (milliseconds).
- The call home feature is experimental and will change in a future
- release. In particular, the Yang models will change to those specified
- in the `RFC 8071 <https://tools.ietf.org/html/rfc8071>`__
+*ping-executor-name-prefix* — Name of thread group Ping Executor will be run with.
+
+*max-thread-count* — Number of threads Ping Executor will be run with.
+
+*use-sse* — In case of ``true`` access to notification streams will be via Server-Sent Events.
+Otherwise web-socket servlet will be initialized.
+
+*restconf* — The value of RFC8040 restconf URI template, pointing to the root resource. Must not end with '/'.
+
+In order to change these settings, you can either modify the corresponding configuration
+file, ``org.opendaylight.restconf.nb.rfc8040.cfg``, for example:
+
+::
+
+ maximum-fragment-length=0
+ heartbeat-interval=10000
+ idle-timeout=30000
+ ping-executor-name-prefix=ping-executor
+ max-thread-count=1
+ use-sse=true
+ restconf=rests
+
+Or use Karaf CLI:
+
+::
+
+ opendaylight-user@root>config:edit org.opendaylight.restconf.nb.rfc8040
+ opendaylight-user@root>config:property-set maximum-fragment_length 0
+ opendaylight-user@root>config:property-set heartbeat-interval 10000
+ opendaylight-user@root>config:property-set idle-timeout 30000
+ opendaylight-user@root>config:property-set ping-executor-name-prefix "ping-executor"
+ opendaylight-user@root>config:property-set max-thread-count 1
+ opendaylight-user@root>config:property-set use-sse true
+ opendaylight-user@root>config:property-set restconf "rests"
+ opendaylight-user@root>config:update
+
+NETCONF Call Home
+-----------------
Call Home Installation
~~~~~~~~~~~~~~~~~~~~~~
.. note::
- In order to test Call Home functionality we recommend Netopeer.
- See `Netopeer Call Home <https://github.com/CESNET/netopeer/wiki/CallHome>`__ to learn how to enable call-home on Netopeer.
+ In order to test Call Home functionality we recommend Netopeer or
+ Netopeer2. See `Netopeer Call Home <https://github.com/CESNET/netopeer/wiki/CallHome>`__
+ or `Netopeer2 <https://github.com/CESNET/netopeer2>`__ to learn how to
+ enable call-home on Netopeer.
Northbound Call-Home API
~~~~~~~~~~~~~~~~~~~~~~~~
Global Configuration
^^^^^^^^^^^^^^^^^^^^
+.. important::
+ The global configuration is not a part of the `RFC 8071
+ <https://www.rfc-editor.org/rfc/rfc8071>`__ and, therefore, subject to change.
+
Configuring global credentials
''''''''''''''''''''''''''''''
-ODL Call-Home server allows user to configure global credentials, which
-will be used for devices which does not have device-specific credentials
-configured.
+The ODL Call-Home server allows user to configure global credentials, which will be
+used for devices connecting over SSH transport protocol that do not have
+device-specific credentials configured.
This is done by creating
``/odl-netconf-callhome-server:netconf-callhome-server/global/credentials``
*Configuring global username & passwords to try*
-.. code-block:: none
+.. code-block::
- PUT
- /restconf/config/odl-netconf-callhome-server:netconf-callhome-server/global/credentials HTTP/1.1
+ PUT HTTP/1.1
+ /rests/data/odl-netconf-callhome-server:netconf-callhome-server/global/credentials
Content-Type: application/json
Accept: application/json
By default Netconf Call-Home Server accepts only incoming connections
from allowed devices
``/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices``,
-if user desire to allow all incoming connections, it is possible to set
+if user desires to allow all incoming connections, it is possible to set
``accept-all-ssh-keys`` to ``true`` in
``/odl-netconf-callhome-server:netconf-callhome-server/global``.
-The name of this devices in ``netconf-topology`` will be in format
+The name of these devices in ``netconf-topology`` will be in format
``ip-address:port``. For naming devices see Device-Specific
Configuration.
security issue, this also causes the Call-Home Server to drastically increase its output
to the log.
-.. code-block:: none
+.. code-block::
- POST
- /restconf/config/odl-netconf-callhome-server:netconf-callhome-server/global HTTP/1.1
+ PUT HTTP/1.1
+ /rests/data/odl-netconf-callhome-server:netconf-callhome-server/global/accept-all-ssh-keys
Content-Type: application/json
Accept: application/json
.. code-block:: json
{
- "global": {
"accept-all-ssh-keys": "true"
- }
}
Device-Specific Configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-Allowing Device & Configuring Name
-''''''''''''''''''''''''''''''''''
+Netconf Call Home server supports both of the secure transports used
+by the Network Configuration Protocol (NETCONF) - Secure Shell (SSH),
+and Transport Layer Security (TLS).
+
+Configure device to connect over SSH protocol
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Netconf Call Home Server uses device provided SSH server key (host key)
to identify device. The pairing of name and server key is configured in
``/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices``.
-This list is colloquially called a whitelist.
+This list is colloquially called a allowlist.
-If the Call-Home Server finds the SSH host key in the whitelist, it continues
+If the Call-Home Server finds the SSH host key in the allowlist, it continues
to negotiate a NETCONF connection over an SSH session. If the SSH host key is
not found, the connection between the Call Home server and the device is dropped
immediately. In either case, the device that connects to the Call home server
leaves a record of its presence in the operational store.
+Configuring Device with Device-specific Credentials
+'''''''''''''''''''''''''''''''''''''''''''''''''''
+
+Adding specific device to the allowed list is done by creating
+``/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device={device}``
+with device-id and connection parameters inside the ssh-client-params container.
+
+*Configuring Device with Credentials*
+
+.. code-block::
+
+ PUT HTTP/1.1
+ /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example
+ Content-Type: application/json
+ Accept: application/json
+
+.. code-block:: json
+
+ {
+ "device": {
+ "unique-id": "example",
+ "ssh-client-params": {
+ "credentials": {
+ "username": "example",
+ "passwords": [ "password" ]
+ },
+ "host-key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQDHoH1jMjltOJnCt999uaSfc48ySutaD3ISJ9fSECe1Spdq9o9mxj0kBTTTq+2V8hPspuW75DNgN+V/rgJeoUewWwCAasRx9X4eTcRrJrwOQKzb5Fk+UKgQmenZ5uhLAefi2qXX/agFCtZi99vw+jHXZStfHm9TZCAf2zi+HIBzoVksSNJD0VvPo66EAvLn5qKWQD4AdpQQbKqXRf5/W8diPySbYdvOP2/7HFhDukW8yV/7ZtcywFUIu3gdXsrzwMnTqnATSLPPuckoi0V2jd8dQvEcu1DY+rRqmqu0tEkFBurlRZDf1yhNzq5xWY3OXcjgDGN+RxwuWQK3cRimcosH"
+ }
+ }
+ }
+
+Configuring Device with Global Credentials
+'''''''''''''''''''''''''''''''''''''''''''''''''''
+
+It is possible to omit ``username`` and ``password`` for ssh-client-params,
+in such case values from global credentials will be used.
+
+*Example of configuring device*
+
+.. code-block::
+
+ PUT HTTP/1.1
+ /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example
+ Content-Type: application/json
+ Accept: application/json
+
+.. code-block:: json
+
+ {
+ "device": {
+ "unique-id": "example",
+ "ssh-client-params": {
+ "host-key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQDHoH1jMjltOJnCt999uaSfc48ySutaD3ISJ9fSECe1Spdq9o9mxj0kBTTTq+2V8hPspuW75DNgN+V/rgJeoUewWwCAasRx9X4eTcRrJrwOQKzb5Fk+UKgQmenZ5uhLAefi2qXX/agFCtZi99vw+jHXZStfHm9TZCAf2zi+HIBzoVksSNJD0VvPo66EAvLn5qKWQD4AdpQQbKqXRf5/W8diPySbYdvOP2/7HFhDukW8yV/7ZtcywFUIu3gdXsrzwMnTqnATSLPPuckoi0V2jd8dQvEcu1DY+rRqmqu0tEkFBurlRZDf1yhNzq5xWY3OXcjgDGN+RxwuWQK3cRimcosH"
+ }
+ }
+ }
+
+Deprecated configuration models for devices accessed with SSH protocol
+''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
+
+With `RFC 8071 <https://www.rfc-editor.org/rfc/rfc8071>`__ alignment and adding
+support for TLS transport following configuration models have been marked
+deprecated.
+
+Configuring Device with Global Credentials
+'''''''''''''''''''''''''''''''''''''''''''''''''''
+
*Example of configuring device*
-.. code-block:: none
+.. code-block::
- PUT
- /restconf/config/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device/example HTTP/1.1
+ PUT HTTP/1.1
+ /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example
Content-Type: application/json
Accept: application/json
Configuring Device with Device-specific Credentials
'''''''''''''''''''''''''''''''''''''''''''''''''''
-Call Home Server also allows to configure credentials per device basis,
-this is done by introducing ``credentials`` container into
+Call Home Server also allows the configuration of credentials per device basis.
+This is done by introducing ``credentials`` container into the
device-specific configuration. Format is same as in global credentials.
*Configuring Device with Credentials*
-.. code-block:: none
+.. code-block::
- PUT
- /restconf/config/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device/example HTTP/1.1
+ PUT HTTP/1.1
+ /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example
Content-Type: application/json
Accept: application/json
}
}
+Configure device to connect over TLS protocol
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Netconf Call Home Server allows devices to use TLS transport protocol to
+establish a connection towards the NETCONF device. This communication
+requires proper setup to make two-way TLS authentication possible for client
+and server.
+
+The initial step is to configure certificates and keys for two-way TLS by
+storing them within the netconf-keystore.
+
+*Adding a client private key credential to the netconf-keystore*
+
+.. code-block::
+
+ POST HTTP/1.1
+ /rests/operations/netconf-keystore:add-keystore-entry
+ Content-Type: application/json
+ Accept: application/json
+
+.. code-block:: json
+
+ {
+ "input": {
+ "key-credential": [
+ {
+ "key-id": "example-client-key-id",
+ "private-key": "PEM-format-private-key",
+ "passphrase": "passphrase"
+ }
+ ]
+ }
+ }
+
+*Associate a private key with a client and CA certificates chain*
+
+.. code-block::
+
+ POST HTTP/1.1
+ /rests/operations/netconf-keystore:add-private-key
+ Content-Type: application/json
+ Accept: application/json
+
+.. code-block:: json
+
+ {
+ "input": {
+ "private-key": [
+ {
+ "name": "example-client-key-id",
+ "data": "key-data",
+ "certificate-chain": [
+ "certificate-data"
+ ]
+ }
+ ]
+ }
+ }
+
+*Add a list of trusted CA and server certificates*
+
+.. code-block::
+
+ POST HTTP/1.1
+ /rests/operations/netconf-keystore:add-trusted-certificate
+ Content-Type: application/json
+ Accept: application/json
+
+.. code-block:: json
+
+ {
+ "input": {
+ "trusted-certificate": [
+ {
+ "name": "example-ca-certificate",
+ "certificate": "ca-certificate-data"
+ },
+ {
+ "name": "example-server-certificate",
+ "certificate": "server-certificate-data"
+ }
+ ]
+ }
+ }
+
+In a second step, it is required to create an allowed device associated with
+a server certificate and client key. The server certificate will be used to
+identify and pin the NETCONF device during SSL handshake and should be unique
+among the allowed devices.
+
+*Add device configuration for TLS protocol to allowed devices list*
+
+.. code-block::
+
+ PUT HTTP/1.1
+ /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example-device
+ Content-Type: application/json
+ Accept: application/json
+
+.. code-block:: json
+
+ {
+ "device": {
+ "unique-id": "example-device",
+ "tls-client-params": {
+ "key-id": "example-client-key-id",
+ "certificate-id": "example-server-certificate"
+ }
+ }
+ }
+
Operational Status
^^^^^^^^^^^^^^^^^^
-Once an entry is made into the config side of "allowed-devices", the Call-Home Server will
-populate an corresponding operational device that is the same as the config device but
+Once an entry is made on the config side of "allowed-devices", the Call-Home Server will
+populate a corresponding operational device that is the same as the config device but
has an additional status. By default, this status is *DISCONNECTED*. Once a device calls
home, this status will change to one of:
Rogue Devices
'''''''''''''
-Devices which are not on the whitelist might try to connect to the Call-Home Server. In
+Devices that are not on the allowlist might try to connect to the Call-Home Server. In
these cases, the server will keep a record by instantiating an operational device. There
will be no corresponding config device for these rogues. They can be identified readily
because their device id, rather than being user-supplied, will be of the form
The Call-Home Server listens for incoming TCP connections and assumes that the other side of
the connection is a device calling home via a NETCONF connection with SSH for
-management. The server uses port 6666 by default and this can be configured via a
+management. The server uses port 4334 by default and this can be configured via a
blueprint configuration file.
The device **must** initiate the connection and the server will not try to re-establish the
connection in case of a drop. By requirement, the server cannot assume it has connectivity
to the device due to NAT or firewalls among others.
+
+Reading data with selected fields
+---------------------------------
+
+Overview
+~~~~~~~~
+
+If user would like to read only selected fields from a NETCONF device, it is possible to use
+the fields query parameter that is described by RFC-8040. RESTCONF parses content of query
+parameter into format that is accepted by NETCONF subtree filtering - filtering of data is done
+on NETCONF server, not on NETCONF client side. This approach optimizes network traffic load,
+because data in which user doesn't have interest, is not transferred over network.
+
+Next advantages:
+
+* using single RESTCONF request and single NETCONF RPC for reading multiple subtrees
+* possibility to read only selected fields under list node across multiple hierarchies
+ (it cannot be done without proper selection API)
+
+.. note::
+
+ More information about fields query parameter: `RFC 8071 <https://www.rfc-editor.org/rfc/rfc8040#section-4.8.3>`__
+
+Preparation of data
+~~~~~~~~~~~~~~~~~~~
+
+For demonstration, we will define next YANG model:
+
+::
+
+ module test-module {
+ yang-version 1.1;
+ namespace "urn:opendaylight:test-module";
+ prefix "tm";
+ revision "2023-02-16";
+
+ container root {
+ container simple-root {
+ leaf leaf-a {
+ type string;
+ }
+ leaf leaf-b {
+ type string;
+ }
+ leaf-list ll {
+ type string;
+ }
+ container nested {
+ leaf sample-x {
+ type boolean;
+ }
+ leaf sample-y {
+ type boolean;
+ }
+ }
+ }
+
+ container list-root {
+ leaf branch-ab {
+ type int32;
+ }
+ list top-list {
+ key "key-1 key-2";
+ ordered-by user;
+ leaf key-1 {
+ type string;
+ }
+ leaf key-2 {
+ type string;
+ }
+ container next-data {
+ leaf switch-1 {
+ type empty;
+ }
+ leaf switch-2 {
+ type empty;
+ }
+ }
+ list nested-list {
+ key "identifier";
+ leaf identifier {
+ type string;
+ }
+ leaf foo {
+ type int32;
+ }
+ }
+ }
+ }
+ }
+ }
+
+Follow the :doc:`testtool` instructions to save this schema and run it with testtool.
+
+Mounting NETCONF device that runs on NETCONF testtool:
+
+.. code-block:: bash
+
+ curl --location --request PUT 'http://127.0.0.1:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool' \
+ --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
+ --header 'Content-Type: application/json' \
+ --data-raw '{
+ "node": [
+ {
+ "node-id": "testtool",
+ "netconf-node-topology:host": "127.0.0.1",
+ "netconf-node-topology:port": 17830,
+ "netconf-node-topology:keepalive-delay": 100,
+ "netconf-node-topology:tcp-only": false,
+ "netconf-node-topology:login-password-unencrypted": {
+ "netconf-node-topology:username": "admin",
+ "netconf-node-topology:password": "admin"
+ },
+ }
+ ]
+ }'
+
+Setting initial configuration on NETCONF device:
+
+.. code-block:: bash
+
+ curl --location --request PUT 'http://127.0.0.1:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool/yang-ext:mount/test-module:root' \
+ --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
+ --header 'Content-Type: application/json' \
+ --data-raw '{
+ "root": {
+ "simple-root": {
+ "leaf-a": "asddhg",
+ "leaf-b": "ffffff",
+ "ll": [
+ "str1",
+ "str2",
+ "str3"
+ ],
+ "nested": {
+ "sample-x": true,
+ "sample-y": false
+ }
+ },
+ "list-root": {
+ "branch-ab": 5,
+ "top-list": [
+ {
+ "key-1": "ka",
+ "key-2": "kb",
+ "next-data": {
+ "switch-1": [
+ null
+ ],
+ "switch-2": [
+ null
+ ]
+ },
+ "nested-list": [
+ {
+ "identifier": "f1",
+ "foo": 1
+ },
+ {
+ "identifier": "f2",
+ "foo": 10
+ },
+ {
+ "identifier": "f3",
+ "foo": 20
+ }
+ ]
+ },
+ {
+ "key-1": "kb",
+ "key-2": "ka",
+ "next-data": {
+ "switch-1": [
+ null
+ ]
+ },
+ "nested-list": [
+ {
+ "identifier": "e1",
+ "foo": 1
+ },
+ {
+ "identifier": "e2",
+ "foo": 2
+ },
+ {
+ "identifier": "e3",
+ "foo": 3
+ }
+ ]
+ },
+ {
+ "key-1": "kc",
+ "key-2": "ke",
+ "next-data": {
+ "switch-2": [
+ null
+ ]
+ },
+ "nested-list": [
+ {
+ "identifier": "q1",
+ "foo": 13
+ },
+ {
+ "identifier": "q2",
+ "foo": 14
+ },
+ {
+ "identifier": "q3",
+ "foo": 15
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }'
+
+Examples
+--------
+
+1. Reading whole leaf-list 'll' and leaf 'nested/sample-x' under 'simple-root' container.
+
+RESTCONF request:
+
+.. code-block:: bash
+
+ curl --location --request GET 'http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool/yang-ext:mount/test-module:root/simple-root?content=config&fields=ll;nested/sample-x' \
+ --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
+ --header 'Cookie: JSESSIONID=node01h4w82eorc1k61866b71qjgj503.node0'
+
+Generated NETCONF RPC request:
+
+.. code-block:: xml
+
+ <rpc message-id="m-18" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
+ <get-config>
+ <source>
+ <running/>
+ </source>
+ <filter xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:type="subtree">
+ <root xmlns="urn:ietf:params:xml:ns:yang:test-model">
+ <simple-root>
+ <ll/>
+ <nested>
+ <sample-x/>
+ </nested>
+ </simple-root>
+ </root>
+ </filter>
+ </get-config>
+ </rpc>
+
+.. note::
+
+ Using fields query parameter it is also possible to read whole leaf-list or list without
+ necessity to specify value / key predicate (without reading parent entity). Such scenario
+ is not permitted in RFC-8040 paths alone - fields query parameter can be used as
+ workaround for this case.
+
+RESTCONF response:
+
+.. code-block:: json
+
+ {
+ "test-module:simple-root": {
+ "ll": [
+ "str3",
+ "str1",
+ "str2"
+ ],
+ "nested": {
+ "sample-x": true
+ }
+ }
+ }
+
+2. Reading all identifiers of 'nested-list' under all elements of 'top-list'.
+
+RESTCONF request:
+
+.. code-block:: bash
+
+ curl --location --request GET 'http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool/yang-ext:mount/test-module:root/list-root?content=config&fields=top-list(nested-list/identifier)' \
+ --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
+ --header 'Cookie: JSESSIONID=node01h4w82eorc1k61866b71qjgj503.node0'
+
+Generated NETCONF RPC request:
+
+.. code-block:: xml
+
+ <rpc message-id="m-27" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
+ <get-config>
+ <source>
+ <running/>
+ </source>
+ <filter xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:type="subtree">
+ <root xmlns="urn:ietf:params:xml:ns:yang:test-model">
+ <list-root>
+ <top-list>
+ <nested-list>
+ <identifier/>
+ </nested-list>
+ <key-1/>
+ <key-2/>
+ </top-list>
+ </list-root>
+ </root>
+ </filter>
+ </get-config>
+ </rpc>
+
+.. note::
+
+ NETCONF client automatically fetches values of list keys since they are required for correct
+ deserialization of NETCONF response and at the end serialization of response to RESTCONF
+ response (JSON/XML).
+
+RESTCONF response:
+
+.. code-block:: json
+
+ {
+ "test-module:list-root": {
+ "top-list": [
+ {
+ "key-1": "ka",
+ "key-2": "kb",
+ "nested-list": [
+ {
+ "identifier": "f3"
+ },
+ {
+ "identifier": "f2"
+ },
+ {
+ "identifier": "f1"
+ }
+ ]
+ },
+ {
+ "key-1": "kb",
+ "key-2": "ka",
+ "nested-list": [
+ {
+ "identifier": "e3"
+ },
+ {
+ "identifier": "e2"
+ },
+ {
+ "identifier": "e1"
+ }
+ ]
+ },
+ {
+ "key-1": "kc",
+ "key-2": "ke",
+ "nested-list": [
+ {
+ "identifier": "q3"
+ },
+ {
+ "identifier": "q2"
+ },
+ {
+ "identifier": "q1"
+ }
+ ]
+ }
+ ]
+ }
+ }
+
+3. Reading value of leaf 'branch-ab' and all values of leaves 'switch-1' that are placed
+ under 'top-list' list elements.
+
+RESTCONF request:
+
+.. code-block:: bash
+
+ curl --location --request GET 'http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool/yang-ext:mount/test-module:root/list-root?content=config&fields=branch-ab;top-list/next-data/switch-1' \
+ --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
+ --header 'Cookie: JSESSIONID=node01jx6o5thwae9t1ft7c2zau5zbz4.node0'
+
+Generated NETCONF RPC request:
+
+.. code-block:: xml
+
+ <rpc message-id="m-42" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
+ <get-config>
+ <source>
+ <running/>
+ </source>
+ <filter xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:type="subtree">
+ <root xmlns="urn:ietf:params:xml:ns:yang:test-model">
+ <list-root>
+ <branch-ab/>
+ <top-list>
+ <next-data>
+ <switch-1/>
+ </next-data>
+ <key-1/>
+ <key-2/>
+ </top-list>
+ </list-root>
+ </root>
+ </filter>
+ </get-config>
+ </rpc>
+
+RESTCONF response:
+
+.. code-block:: json
+
+ {
+ "test-module:list-root": {
+ "branch-ab": 5,
+ "top-list": [
+ {
+ "key-1": "ka",
+ "key-2": "kb",
+ "next-data": {
+ "switch-1": [
+ null
+ ]
+ }
+ },
+ {
+ "key-1": "kb",
+ "key-2": "ka",
+ "next-data": {
+ "switch-1": [
+ null
+ ]
+ }
+ },
+ {
+ "key-1": "kc",
+ "key-2": "ke"
+ }
+ ]
+ }
+ }
+
+RESTCONF OpenAPI
+----------------
+
+Overview
+~~~~~~~~
+
+The OpenAPI provides full API for configurational data which can be edited (by POST, PUT, PATCH and DELETE).
+For operational data we only provide GET API. For the majority of requests you can see only config data in examples.
+That’s because we can show only one example per request. The exception when you can see operational data in an
+example is when data are representing an operational (config false) container with no config data in it.
+
+
+Using the OpenAPI Explorer through HTTP
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+1. Install OpenApi into Karaf by installing karaf feature:
+
+::
+
+ $ feature:install odl-restconf-openapi
+
+2. Navigate to OpenAPI in your web browser which is available at URLs:
+
+- http://localhost:8181/openapi/explorer/index.html for general overview
+
+- http://localhost:8181/openapi/api/v3/single for JSON data
+
+.. note::
+
+ In the URL links for OpenAPI, change *localhost* to the IP/Host name of your actual server.
+
+3. Enter the username and password.
+ By default the credentials are *admin/admin*.
+
+4. Select any model to try out.
+
+5. Select any available request to try out.
+
+6. Click on the **Try it out** button.
+
+7. Provide any required parameters or edit request body.
+
+8. Click the **Execute** button.
+
+9. You can see responses to the given request.
+
+
+OpenAPI Explorer can also be used for connected device. How to connect a device can be found :ref:`here <netconf-connector>`.
+
+OpenAPI URLs in that case would look like this:
+
+- `http://localhost:8181/openapi/explorer/index.html?urls.primaryName=17830-sim-device resources - RestConf RFC 8040 <http://localhost:8181/openapi/explorer/index.html?urls.primaryName=17830-sim-device%20resources%20-%20RestConf%20RFC%208040>`_ for device overview
+
+- http://localhost:8181/openapi/api/v3/mounts/1 for JSON data
+
+- `http://localhost:8181/openapi/api/v3/mounts/1/toaster(2009-11-20) <http://localhost:8181/openapi/api/v3/mounts/1/toaster(2009-11-20)>`__ JSON data for given model
+
+.. note::
+
+ The URL links for OpenAPI are made for device with name *17830-sim-device* and model toaster
+ with *2009-11-20* revision and need to be changed accordingly to connected device.
Code Review / netconf.git / blobdiff