NCClient: A Python Library for
NETCONF Client Applications
Shikhar Bhushan, Ha Manh Tran, Jürgen Schönwälder
IPOM 2009, Venice, 2009-10-30
Support: EU IST-EMANICS Network of Excellence (#26854)
Outline of the Talk
NETCONF in a Nutshell
What is NETCONF?
NETCONF is a network management protocol specifically designed to support configuration management
NETCONF provides the following features:
distinction between configuration and state data
multiple configuration datastores (running, startup, ...)
support for configuration change transactions
configuration testing and validation support
selective data retrieval with filtering
streaming and playback of event notifications
extensible remote procedure call mechanism
NETCONF Layers (do not trust RFC 4741)
| Layer | Example |
|---|---|
| (4) Content | Configuration data, Notification data |
| (3) Operations | `<get>`, `<get-config>`, `<edit-config>`, ... and `<eventType>` |
| (2) Messages | `<rpc>`, `<rpc-reply>` and `<notification>` |
| (1) Secure Transports | SSH, TLS, BEEP, SOAP/HTTPS |
George: Think CMIP of 21st century ;-)
NETCONF Operations
| Operation | Arguments |
|---|---|
| get-config | source [filter] |
| edit-config | target [default-operation] [test-option] [error-option] config |
| copy-config | target source |
| delete-config | target |
| lock | target |
| unlock | target |
| get | [filter] |
| close-session | |
| kill-session | session-id |
| discard-changes | |
| validate | source |
| commit | [confirmed confirm-timeout] |
| create-subscription | [stream] [filter] [start] [stop] |
Transaction Models
[Figure: three transaction models.
Direct Model: `<edit-config>` on running.
Candidate Model (optional): `<edit-config>` on candidate, then `<commit>` to running.
Distinct Startup Model (optional): `<edit-config>` on running, then `<copy-config>` to startup.]
Some operations (edit-config) support different error behaviours, including rollback behaviours
NCClient Sales Pitch
What is NCClient?
high-level Python API for NETCONF
extensibility to accommodate future protocol extensions
  additional transports
  additional protocol capabilities
  additional remote procedure calls
request pipelining
asynchronous and synchronous RPC calls
robustness through proper error/exception handling
thread safety
exploit Python programming language features
  context managers for sessions and locks
  exception handling
open source (http://code.google.com/p/ncclient)
UML Diagram for Sessions and Transports
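[Figure: UML class diagram.
Session (abstract): +connect(...), +add_listener(...), +send(...), +...
SSHSession: +load_known_hosts(...), +...
SessionListener (abstract): +callback(...), +errback(...), +...
HelloHandler: +make(...), +parse(...), +...
Relationships: SSHSession derives from Session; HelloHandler derives from SessionListener; a Session has 0..* SessionListeners; a "uses" association involves HelloHandler.]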
Future transports can be plugged into NCClient by deriving additional classes from Session
UML Diagram for RPCs and Operations
[Figure: UML class diagram.
RPC (abstract): +request(...), +set_timeout(...), +...
Get, GetConfig, EditConfig, Lock, ...: derive from RPC
RPCReply: +parse(...), +...
GetReply: derives from RPCReply
RPCError
RPCReplyListener: +register(...), +...; derives from SessionListener
SessionListener (abstract): +callback(...), +errback(...), +...
Associations as labelled: concerns (1 to 0..*), has (1 to 0..*), has (1 to 0..1).]
Future operations can be plugged into NCClient by deriving additional classes from RPC
Supported Capabilities
| Capability | Supported |
|---|---|
| :writable-running | √ |
| :candidate | √ |
| :confirmed-commit | √ |
| :rollback-on-error | √ |
| :startup | √ |
| :url | √ |
| :validate | √ |
| :xpath | √ |
| :notification | |
| :interleave | |
Interoperability Tests
Operation Tail-f Cisco Netopeer
get-config √ √ √
edit-config √ √ √
copy-config √ √ √
delete-config √ √ √
lock √ √ √
unlock √ √ √
get √ √ √
close-session √ √ √
kill-session √ √ √
discard-changes √
validate √
commit √
Examples / Demonstration
```python
#! /usr/bin/env python2.6
#
# Connect to the NETCONF server passed on the command line and
# display its capabilities. This script and the following scripts
# all assume that the user calling the script is known by the server
# and that suitable SSH keys are in place. For brevity and clarity
# of the examples, we omit proper exception handling.
#
# $ ./nc01.py broccoli

import sys, os, warnings
warnings.simplefilter("ignore", DeprecationWarning)
from ncclient import manager

def demo(host, user):
    with manager.connect(host=host, port=22, username=user) as m:
        # One capability URI per line, as announced in the server's <hello>.
        for c in m.server_capabilities:
            print(c)

if __name__ == '__main__':
    demo(sys.argv[1], os.getenv("USER"))
```
```python
#! /usr/bin/env python2.6
#
# Retrieve the running config from the NETCONF server passed on the
# command line using get-config and write the XML config to a file.
#
# $ ./nc02.py broccoli

import sys, os, warnings
warnings.simplefilter("ignore", DeprecationWarning)
from ncclient import manager

def demo(host, user):
    with manager.connect(host=host, port=22, username=user) as m:
        c = m.get_config(source='running').data_xml
        # The output file is named after the host: <host>.xml
        with open("%s.xml" % host, 'w') as f:
            f.write(c)

if __name__ == '__main__':
    demo(sys.argv[1], os.getenv("USER"))
```
```python
#! /usr/bin/env python2.6
#
# Retrieve a portion selected by an XPATH expression from the running
# config from the NETCONF server passed on the command line using
# get-config and write the XML config to a file.
#
# $ ./nc03.py broccoli "aaa/authentication/users/user[name='schoenw']"

import sys, os, warnings
warnings.simplefilter("ignore", DeprecationWarning)
from ncclient import manager

def demo(host, user, expr):
    with manager.connect(host=host, port=22, username=user) as m:
        # XPath filtering is optional; require the :xpath capability first.
        assert(":xpath" in m.server_capabilities)
        c = m.get_config(source='running', filter=('xpath', expr)).data_xml
        with open("%s.xml" % host, 'w') as f:
            f.write(c)

if __name__ == '__main__':
    demo(sys.argv[1], os.getenv("USER"), sys.argv[2])
```
```python
#! /usr/bin/env python2.6
#
# Add a new user to the running configuration using edit-config
# and the test-option provided by the :validate capability.
#
# $ ./nc04.py broccoli bob 42 42

import sys, os, warnings
warnings.simplefilter("ignore", DeprecationWarning)
from ncclient import manager

def demo(host, user, name, uid, gid):
    # name, uid and gid are substituted into the XML text unescaped.
    snippet = """<config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <aaa xmlns="http://tail-f.com/ns/aaa/1.1">
        <authentication> <users> <user xc:operation="create">
          <name>%s</name> <uid>%s</uid> <gid>%s</gid>
          <password>*</password> <ssh_keydir/> <homedir/>
        </user></users></authentication></aaa></config>""" % (name, uid, gid)
    with manager.connect(host=host, port=22, username=user) as m:
        assert(":validate" in m.server_capabilities)
        m.edit_config(target='running', config=snippet,
                      test_option='test-then-set')

if __name__ == '__main__':
    demo(sys.argv[1], os.getenv("USER"), sys.argv[2], sys.argv[3], sys.argv[4])
```
```python
#! /usr/bin/env python2.6
#
# Delete an existing user from the running configuration using
# edit-config and the test-option provided by the :validate
# capability.
#
# $ ./nc05.py broccoli bob

import sys, os, warnings
warnings.simplefilter("ignore", DeprecationWarning)
from ncclient import manager

def demo(host, user, name):
    snippet = """<config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <aaa xmlns="http://tail-f.com/ns/aaa/1.1">
        <authentication> <users> <user xc:operation="delete">
          <name>%s</name>
        </user></users></authentication></aaa></config>""" % name
    with manager.connect(host=host, port=22, username=user) as m:
        assert(":validate" in m.server_capabilities)
        m.edit_config(target='running', config=snippet,
                      test_option='test-then-set')

if __name__ == '__main__':
    demo(sys.argv[1], os.getenv("USER"), sys.argv[2])
```
```python
#! /usr/bin/env python2.6
#
# Delete a list of existing users from the running configuration using
# edit-config; protect the transaction using a lock.
#
# $ ./nc06.py broccoli bob alice

import sys, os, warnings
warnings.simplefilter("ignore", DeprecationWarning)
from ncclient import manager

template = """<config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
  <aaa xmlns="http://tail-f.com/ns/aaa/1.1">
    <authentication> <users> <user xc:operation="delete">
      <name>%s</name> </user></users></authentication></aaa></config>"""

def demo(host, user, names):
    with manager.connect(host=host, port=22, username=user) as m:
        # The lock is released when the with block exits.
        with m.locked(target='running'):
            for n in names:
                m.edit_config(target='running', config=template % n)

if __name__ == '__main__':
    demo(sys.argv[1], os.getenv("USER"), sys.argv[2:])
```
```python
#! /usr/bin/env python2.6
#
# Delete a list of existing users from the running configuration using
# edit-config and the candidate datastore protected by a lock.
#
# $ ./nc07.py broccoli bob alice

import sys, os, warnings
warnings.simplefilter("ignore", DeprecationWarning)
from ncclient import manager

template = """<config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
  <aaa xmlns="http://tail-f.com/ns/aaa/1.1">
    <authentication> <users> <user xc:operation="delete">
      <name>%s</name> </user></users></authentication></aaa></config>"""

def demo(host, user, names):
    with manager.connect(host=host, port=22, username=user) as m:
        assert(":candidate" in m.server_capabilities)
        # Start from a clean candidate, then edit and commit under the lock.
        m.discard_changes()
        with m.locked(target='candidate'):
            for n in names:
                m.edit_config(target='candidate', config=template % n)
            m.commit()

if __name__ == '__main__':
    demo(sys.argv[1], os.getenv("USER"), sys.argv[2:])
```
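Scripts nc04 to nc07 build their edit-config payload by % substitution of command-line arguments, so markup inside an argument becomes markup in the request. The following is an added example, not code from the slides or from the NCClient project: it contrasts that with building the payload as an element tree, using only the Python 3 standard library and contacting no server. The function names and the sample input are assumptions made for illustration; the resulting string is meant to be passed as config= in the same way as the slides' snippet.

```python
import re
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"  # NETCONF base namespace, as on the slides
AAA = "http://tail-f.com/ns/aaa/1.1"            # Tail-f AAA namespace, as on the slides
ET.register_namespace("xc", NC)
ET.register_namespace("aaa", AAA)  # prefixed form, namespace-equivalent to xmlns="..."


def formatted_create_user(name, uid, gid):
    """nc04's approach: values are pasted into the XML text unescaped."""
    return ('<config xmlns:xc="%s"><aaa xmlns="%s"><authentication><users>'
            '<user xc:operation="create"><name>%s</name><uid>%s</uid>'
            '<gid>%s</gid><password>*</password><ssh_keydir/><homedir/>'
            '</user></users></authentication></aaa></config>'
            % (NC, AAA, name, uid, gid))


def built_create_user(name, uid, gid):
    """Hypothetical replacement: build a tree so values can only become text."""
    for value in (uid, gid):
        if not re.fullmatch(r"[0-9]+", str(value)):
            raise ValueError("uid/gid must be decimal integers: %r" % (value,))
    config = ET.Element("config")
    node = config
    for tag in ("aaa", "authentication", "users"):
        node = ET.SubElement(node, "{%s}%s" % (AAA, tag))
    user = ET.SubElement(node, "{%s}user" % AAA,
                         {"{%s}operation" % NC: "create"})
    fields = (("name", name), ("uid", uid), ("gid", gid),
              ("password", "*"), ("ssh_keydir", None), ("homedir", None))
    for tag, text in fields:
        child = ET.SubElement(user, "{%s}%s" % (AAA, tag))
        child.text = None if text is None else str(text)
    return ET.tostring(config, encoding="unicode")


def user_fields(payload):
    """Parse a payload; return one {tag: [texts]} dict per <user> element."""
    users = []
    for user in ET.fromstring(payload).iter("{%s}user" % AAA):
        seen = {}
        for child in user:
            seen.setdefault(child.tag.split("}")[1], []).append(child.text)
        users.append(seen)
    return users


if __name__ == "__main__":
    # Constructed input: a "name" argument that carries markup of its own.
    odd_name = "bob</name><uid>0</uid><name>x"
    print(user_fields(formatted_create_user(odd_name, 42, 42)))
    print(user_fields(built_create_user(odd_name, 42, 42)))
```

With the formatted payload the server would see two name and two uid elements for the one user; with the built payload the whole argument stays a single name value and the uid remains 42.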
Conclusions
Recommendations
Stop hacking nasty expect scripts or the like.
Use Python and NCClient — it is cool and fun.
Student assignments utilizing NCClient are a nice idea.
If you use NCClient, please cite our IPOM 2009 paper. ;-)
Future Work
Support for recent protocol extensions (e.g., fine-grained locking, data model retrieval)
High-level API supporting network-wide operations
Generate RPC stub classes from YANG data models
. . .
References
R. Enns. NETCONF Configuration Protocol. RFC 4741, Juniper Networks, December 2006.
M. Wasserman and T. Goddard. Using the NETCONF Configuration Protocol over Secure SHell (SSH). RFC 4742, ThingMagic, ICEsoft Technologies, December 2006.
H. M. Tran, I. Tumar, and J. Schönwälder. NETCONF Interoperability Testing. In Proc. of the 3rd International Conference on Autonomous Infrastructure, Management and Security (AIMS 2009), number 5637 in LNCS, pages 83–94. Springer, June 2009.
S. Bhushan, H. M. Tran, and J. Schönwälder. NCClient: A Python Library for NETCONF Clients. In Proc. IPOM 2009, number 5843 in LNCS, Venice, October 2009. Springer.