DOKK / manpages / debian 12 / netconfd / netconfd.1.en
netconfd(1) netconfd 2.13 netconfd(1)

netconfd - YANG-based NETCONF-over-SSH server



   netconfd [parameter=value...]


   netconfd --help [brief | normal | full]


   netconfd --version

netconfd is a YANG-based NETCONF server, which can be used with an SSH server such as OpenSSH. This version of netconfd supports the YANG data modeling language defined in RFC 6020.

Parameters can be entered in any order, and have the form:


[start] name [separator [value]]

where:


start == 0, 1, or 2 dashes (foo, -foo, --foo)


name == parameter name



         Parameter name completion will be attempted 


         if a partial name is entered.

separator == whitespace or equals sign (foo=bar, foo bar)


value == string value for the parameter.



         Strings with whitespace need to be double quoted 


         (--foo="some string")
Some examples of valid command line parameters: 


   foo=3


   -foo=3


   --foo=3


   foo 3


   foo=fred


   --foo "fred flintstone"

Partial parameter names can be entered if they are unique.

Controls how the ietf-netconf-acm access control model will be enforced during server operation. 


 Enum values:


    enforcing:


      All configured access control rules will be


      enforced.


    permissive:


      All configured access control rules will be


      enforced for write and execute requests.


      All read requests will be allowed, unless


      the requested object contains the


      'nacm:very-secure' extension.  In that case,


      all configured access control rules will


      be enforced.


   disabled:


      All read, write, and execute requests will be


      allowed, unless the object contains the


      'nacm:secure' or 'nacm:very-secure' extension.


      If the 'nacm:secure' extension is in effect,


      then all configured access control rules


      will be enforced for write and execute requests.


      If the 'nacm:very-secure' extension is in effect,


      then all configured access control rules


      will be enforced for all requests.


      Use this mode with caution.


   off:


      All access control enforcement is disabled.


      Use this mode with extreme caution.
Filespec for the server audit log file to use in addition to the normal log file or STDOUT.
If present, the audit log will be appended not over-written. If not, the audit log will be over-written. Only meaningful if the 'audit-log' parameter is also present.
The name of the configuration file to use. Any parameter except this one can be set in the config file. The default config file /etc/yuma/netconfd.conf will not be checked if this parameter is present.
Internal file search path for configuration data files. Overrides the YUMA_DATAPATH environment variable. This parameter affects the search for the startup configuration file (default: startup-cfg.xml).
Selects the type of filtering behavior the server will advertise as the 'basic' behavior in the 'with-defaults' capability. The server will use this default handling behavior if the 'with-defaults' parameter is not explicitly set.

Also, when saving a configuration to NV-storage, this value will be used for filtering defaults from the saved configuration.



  Enum values:


     report-all: report all values


     trim: remove leafs containing the YANG


        default value


     explicit: report only the nodes that have


        been created by the client or the server.


        This is the default value.
Selects whether the server will keep or delete empty non-presence containers in the running and startup configurations. Set to true to delete these containers, and false to keep them. Default: false. This parameter is deprecated! It is ignored by the server!

This parameter identifies a YANG module that should only be checked for deviation statements for external modules. These will be collected and applied to the real module(s) being processed.

Deviations are applied as patches to the target module. Since they are not identified in the target module at all (ala imports), they have to be specified explicitly, so they will be correctly processed. Zero or more instances of this parameter are allowed.

Specifies the maximum number of notification events that will be saved in the notification replay buffer. The oldest entries will be deleted first. The default value is 1000.
Identifies a feature which should be considered disabled. Zero or more entries are allowed.
If true (the default), then features will be enabled by default. If false, then features will be disabled by default.
Identifies a feature which should be considered enabled. Zero or more entries are allowed.
Specifies the number of seconds that a session may exist before the hello PDU is received. A seesion will be dropped if no hello PDU is received before this number of seconds elapses.

If this parameter is set to zero, then the server will wait forever for a hello message, and not drop any sessions stuck in 'hello-wait' state.

Setting this parameter to zero may permit denial of service attacks, since only a limited number of concurrent sessions are supported by the server. (range 0 | 10 .. 3600). The default value is 600 seconds (10 minutes).

Print this help text and exit. The help-mode choice (--brief, --normal, or --full) may also be present to control the amount of help text printed.
Directory specification for the home directory to use instead of HOME.
Specifies the number of seconds that a session may remain idle without issuing any RPC requests. A seesion will be dropped if it is idle for an interval longer than this number of seconds.

Sessions that have a notification subscription active are never dropped.

If this parameter is set to zero, then the server will never drop a session because it is idle. (range 0 | 10 .. 360000). The default value is 3600 seconds (1 hour).

Number of spaces to indent (0..9) in formatted output. The default is 2 spaces.
Filespec for the log file to use instead of STDOUT. If this string begins with a '~' character, then a username is expected to follow or a directory separator character. If it begins with a '$' character, then an environment variable name is expected to follow.
If present, the log will be appended not over-written. If not, the log will be over-written. Only meaningful if the log parameter is also present.
Sets the debug logging level for the program.
Specifies the maximum number of notifications that should be sent to one session, within a one second time interval. The value 0 indicates that the server should not limit notification bursts at all. The default value is 10.
Directory search path for YANG and YIN files. Overrides the YUMA_MODPATH environment variable.
YANG or YIN source module name to load at startup. The server will attempt to load the specified module and its corresponding server instrumentation library (SIL) .

If this string represents a filespec, ending with the .yang or .yin extension, then only that file location will be checked.

If this string represents a module name, then the module search path will be checked for a file the .yang or .yin extension.

If this string begins with a '~' character, then a username is expected to follow or a directory separator character. If it begins with a '$' character, then an environment variable name is expected to follow.



      ~/some/path ==> <my-home-dir>/some/path


      ~fred/some/path ==> <fred-home-dir>/some/path


      $workdir/some/path ==> <workdir-env-var>/some/path
Overrides the default /tmp/ncxserver.sock UNIX socket name netconfd listens on for incoming connections. You have to add corresponding entry to /etc/ssh/sshd_config e.g.: 
...
Port 1830
Subsystem netconf
...
Specifies the TCP ports that the server will accept connections from. These ports must also be configured in the /etc/ssh/sshd_config file for the SSH master server to accept the connection and invoke the netconf subsystem.

Up to 4 port numbers can be configured.

If any ports are configured, then only those values will be accepted by the server.

If no ports are configured, then the server will accept connections on the netconf-ssh port (tcp/830).

Specifies which NETCONF protocol versions the server will attempt to use. The empty set is not allowed. The values 'netconf1.0' and 'netconf1.1' are supported. The default is to enable both NETCONF protocol versions.
Internal file search path for executable modules. Overrides the YUMA_RUNPATH environment variable.
If 'stop', then errors in the running configuration will be treated as fatal errors. If 'continue', the server will attempt to continue if any validataion errors are found in the running configuration at startup. The default is 'stop'.
The full or relative filespec of the startup config file to use. If present, overrides the default startup config file name 'startup-cfg.xml', This will also override the YUMA_DATAPATH environment variable and the datapath CLI parameter, if the first character is the forward slash '/', indicating an absolute file path. If this parameter is present, then the --no-startup and --factory-startup parameters cannot be present. This is the default, which will cause startup-cfg.xml to be used if not present.
If present, do not load the startup config file. Use only factory default values instead. Does not affect the startup.cfg file, if present. If this parameter is present, then the --startup or --factory-startup parameter cannot be present.
Force the system to use the factory configuration and delete the startup config file if it exists. Force the NV-storage startup to contain the factory default configuration. If this parameter is present, then the --no-startup and --startup parameters cannot be present.
If 'stop', then any errors in the startup configuration will be treated as fatal errors. If 'continue', the server will attempt to continue if any errors are found in the database loaded from NV-storage to running at boot-time. The default is 'stop'.
If false, the file search paths for modules, scripts, and data files will not include sub-directories if they exist in the specified path.

If true, then these file search paths will include sub-directories, if present. Any directory name beginning with a dot (.) character, or named CVS, will be ignored. This is the default mode.

The user name to use as the superuser account. Any session associated with this user name will bypass all access control enforcement. See ietf-netconf-acm.yang for more details. There is no default value.
Indicates whether ordered-by system leaf-lists and lists will be kept in sorted order. The default is true.
Specifies the database to use as the target of edit-config operations. 


  Enum values:


    running:


      Write to the running config and support the


      :writable-running capability.


    candidate:


      Write to the candidate config and support the


      :candidate and :confirmed-commit capabilities.
If present, then XML element order will be enforced. Otherwise, XML element order errors will not be generated if possible. Default is no enforcement of strict XML order.
Print the program version string and exit.
If present, netconfd acts as command line YANG configuration validator. Load the YANG schema modules, validate the startup configuration and exit without opening socket and listening for incoming sessions.

Control whether identifier length warnings will be generated. The value zero disables all identifier length checking. If non-zero, then a warning will be generated if an identifier is defined which has a length is greater than this amount. range: 0 | 8 .. 1023. The default value is 64.
Control whether line length warnings will be generated. The value zero disables all line length checking. If non-zero, then a warning will be generated if the line length is greater than this amount. Tab characters are counted as 8 spaces. range: 0 | 40 .. 4095. The default value is 72.
Control whether the specified warning number will be generated and counted in the warning total for the module being parsed. range: 400 .. 899. This parameter may be entered zero or more times.
If set to 'true', then the :startup capability will be enabled. Otherwise, the :startup capability will not be enabled. This capability makes the NV-save operation an explicit operation instead of an automatic save. The default value is false.
If set to 'false', then the :url capability will be disabled. Otherwise, the :url capability will be enabled. This capability allows local files to be stored as backups on the server. The default value is true.
If set to 'true', then the :validate capability will be enabled. Otherwise, the :validate capability will not be enabled. This capability requires extensive memory resources. The default value is true.
Directory for the yuma project root to use. If present, this directory location will override the YUMA_HOME environment variable, if it is present. If a zero-length string is entered, then the YUMA_HOME environment variable will be ignored.

YANG modules can be loaded at startup with the '--module' command, or loaded at run-time with the 'load' operation.

When a module name is entered as input, or when a module or submodule name is specified in an import or include statement within the file, the following search algorithm is used to find the file:



  1) file is in the current directory


  2) YUMA_MODPATH environment var (or set by modpath parameter)


  3) $HOME/modules directory


  4) $YUMA_HOME/modules directory


  5) $YUMA_INSTALL/modules directory OR


     default install module location, '/usr/share/yuma/modules'

By default, the entire directory tree for all locations (except step 1) will be searched, not just the specified directory. The subdirs parameter can be used to prevent sub-directories from being searched.

Any directory name beginning with a dot character (.) will be skipped. Also, any directory named CVS will be skipped in directory searches.

By default, warnings and errors are sent to STDOUT.

A log file can be specified instead with the log' parameter.

Existing log files can be reused with the 'logappend' parameter, otherwise log files are overwritten.

The logging level can be controlled with the log-level parameter.

The default log level is 'info'. The log-levels are additive:



     off:    suppress all errors (not recommended!)


             A program return code of '1' indicates some error.


     error:  print errors


     warn:   print warnings


     info:   print generally interesting trace info


     debug:  print general debugging trace info


     debug2: print verbose debugging trace info


     debug3: print very verbose debugging trace info


     debug4: print maximum debugging trace info

The following optional environment variables can be used to control module search behavior:

The user's home directory (e.g., /home/andy)
The root of the user's Yuma work directory (e.g., /home/andy/swdev/netconf)
The root of the directory that yangdump is installed on this system (default is, /usr/share/yuma)
Colon-separated list of directories to search for data files. (e.g.: './workdir/data-files:/home/andy/data') The datapath parameter will override this environment variable, if both are present.
Colon-separated list of directories to search for modules and submodules. (e.g.: './workdir/modules:/home/andy/test-modules') The modpath parameter will override this environment variable, if both are present.

YANG config file The default is: /etc/yuma/netconfd.conf

An ASCII configuration file format is supported to store command line parameters.

The config parameter is used to specify a specific config file, otherwise the default config file will be checked.



   - A hash mark until EOLN is treated as a comment


   - All text is case-sensitive


   - Whitespace within a line is not significant


   - Whitespace to end a line is significant/


     Unless the line starts a multi-line string,


     an escaped EOLN (backslash EOLN) is needed


     to enter a leaf on multiple lines.


   - For parameters that define lists, the key components


     are listed just after the parameter name, without


     any name,  e.g.,


    


            interface eth0 {


              # name = eth0 is not listed inside the braces


              ifMtu 1500


              ifName mySystem


            }
A config file can contain any number of parameter sets for different programs.

Each program must have its own section, identifies by its name:



     # this is a comment


     yangdump {


        log-level debug


        output "~/swdev/testfiles"


     }


    


     netconfd {


        ...


     }

The following data files must be present in the module search path in order for this program to function:


* YANG module library
default: /usr/share/yuma/modules/

Internal diagnostics may generate the following type of message if any bugs are detected at runtime:



    [E0]


         filename.c:linenum error-number (error-msg)

Andy Bierman, <andy at netconfcentral dot org>

Vladimir Vassilev, <vladimir at lightside-instruments dot com>

netconf-subsystem(1) pyang(1) yangcli(1)

November 30, 2022 Linux