CLI pipe to save to a file

sm000x
Level 1

Hi,

I want to save CLI output to a file; however, the CLI does not allow me to save to a directory other than the one where I start ncs_cli.

For example, if I am in /root and start ncs_cli and I want to save cli output
to /tmp:

[root@mtnj06 ~]# ncs_cli -u admin
admin@ncs> show configuration devices device lab7smf | save /tmp/xyz100
-------------------------------------------------------------^
syntax error: access denied
[error][2023-10-05 16:11:04]

I can only save it to the directory where I start the ncs_cli:
sm000x@ncs> show configuration devices device lab7smf | save xyz100
[ok][2023-10-05 16:11:38]
sm000x@ncs> exit

I probably did something wrong.
Does anyone have the same issue?

THX
sm000x

18 Replies

Hi, Cohult:

Thank you for the reply. I will try your suggestion to use ncs_load.

As for ncs_cli save to some directory, I have an example here:

(1) I am user sm000x, and I have access rights to /tmp:
[sm000x@mtnjdslncs06 ~]$ cd /tmp
[sm000x@mtnjdslncs06 tmp]$ echo xyz > /tmp/xyz
[sm000x@mtnjdslncs06 tmp]$

(2) Now I start ncs_cli as root in the /root directory (folder):
[sm000x@mtnjdslncs06 root]$ su - root
Password:
Last login: Thu Nov 23 12:28:40 EST 2023 from attapkzupuw0wen.itservices.sbc.com on pts/2
[root@mtnjdslncs06 ~]# ncs_cli -u sm000x

User sm000x last logged in 2023-11-23T17:32:22.927493+00:00, to mtnjdslncs06, from 135.91.110.32 using cli-ssh
sm000x connected from 127.0.0.1 using console on mtnjdslncs06
sm000x@ncs> show configuration devices global-settings | save /tmp/global-settings.xml
---------------------------------------------------------------------------------------^
syntax error: access denied
[error][2023-11-23 12:40:37]
sm000x@ncs>

I got an access denied error.

The ncs is started as root, ncs_cli is started as sm000x which has access permission on /tmp, but it still returns access denied.

THX
sm000x

cohult
Cisco Employee

You can use, for example, the process status Linux command to determine if NSO was started from a non-root user. Example:

Started by the 'root' user:

ps -C ncs.smp uc
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 640 16.4 70.8 10351564 5697440 ? Ssl 09:33 70:51 ncs.smp

Started by the non-root 'admin' user:

# ps -C ncs.smp uc
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
admin 644 14.5 18.5 5604616 1495112 ? Ssl 07:53 11:36 ncs.smp

cohult
Cisco Employee

Also, make sure you have 'restricted-file-access' in ncs.conf set to 'false'. However, be mindful of the implications where CLI users will be less restricted. See the ncs.conf(5) man page for details on the restricted-file-access setting.

<cli>
    <enabled>true</enabled>
...
    <restricted-file-access>false</restricted-file-access>
...
</cli>

Note that the default ncs.conf for an NSO system installation has restricted-file-access set to true.
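
A read-only check of the two things discussed in this thread, as an added example (not code from the thread or from Cisco): it reads the restricted-file-access value from an ncs.conf and the owning user from `ps -C ncs.smp uc` output. The sample ncs.conf, its xmlns value, the sample ps output and the function names are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample ncs.conf (the xmlns value is an assumption; lookups ignore it).
SAMPLE_NCS_CONF = """<ncs-config xmlns="http://tail-f.com/yang/tailf-ncs-config">
  <cli>
    <enabled>true</enabled>
    <restricted-file-access>false</restricted-file-access>
  </cli>
</ncs-config>"""

# Constructed `ps -C ncs.smp uc` output, in the layout shown in the thread.
SAMPLE_PS = """USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 640 16.4 70.8 10351564 5697440 ? Ssl 09:33 70:51 ncs.smp"""


def local(tag):
    """Drop the XML namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def restricted_file_access(conf_xml):
    """Return True/False for cli/restricted-file-access, or None if not set."""
    root = ET.fromstring(conf_xml)
    for cli in (e for e in [root, *root] if local(e.tag) == "cli"):
        for child in cli:
            if local(child.tag) == "restricted-file-access":
                return (child.text or "").strip().lower() == "true"
    return None  # not set: see ncs.conf(5) for the value that then applies


def daemon_users(ps_output):
    """Return the users that own ncs.smp processes in `ps ... uc` output."""
    users = set()
    for line in ps_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if fields and fields[-1] == "ncs.smp":
            users.add(fields[0])
    return users


def audit(conf_xml, ps_output):
    """Report the two facts checked in the thread for one NSO host."""
    restricted = restricted_file_access(conf_xml)
    return {"restricted_file_access": restricted,
            "cli_less_restricted": restricted is False,
            "daemon_users": sorted(daemon_users(ps_output))}


if __name__ == "__main__":
    print(audit(SAMPLE_NCS_CONF, SAMPLE_PS))
```
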

Hi, Cohult:

Thank you so much. Somehow my system-installation has
<restricted-file-access>true</restricted-file-access>

I changed it to false and it is working now. Now NCS is able to access any directory as long as the login user has the permission.

This is very helpful information.

THX
sm000x