Solved: Get NSO daemon status

sm000x · ‎10-20-2023

Helo Team:

I have a simple question.
In NSO-3.x, I was able to use the curl to get daemon status:
curl -X GET -u user:passwd http://127.0.0.1:8080/api/operational/ncs-state/daemon-status

However, in NSO-6.1, I cannot use the same curl command. Can anyone help?

THX
sm000x

cohult · ‎10-23-2023

The "authentication failed" message is not coming from NSO. A quick web search for the error message you get indicates a proxy issue.

View solution in original post

sm000x · ‎10-23-2023

Hi, Cohult:

Thank you for the information. I will investigate.

THX
sm000x

View solution in original post

sm000x · ‎10-25-2023

Hi, Cohult:

You are correct. I am confirmed that this is Proxy issue. Thank you so much for pointing out.

THX
sm000x

View solution in original post

sm000x · ‎10-25-2023

Hi, Jesus:

I am confirmed this issue is Proxy issue. But the tool surely is a useful tool.

Thank you so much for providing such a wonderful tool.

THX

sm000x

View solution in original post

Jesus Illescas · ‎10-20-2023

EDIT: Updating answer. Replaced version by daemon-status. By mistake added version instead of the status of the daemon.

In my case I used this path:

/restconf/data/tailf-ncs-monitoring:ncs-state/daemon-status

See the full example here, it might be userful https://developer.cisco.com/codeexchange/github/repo/jillesca/nso_hello_world_restconf/

And you can actually try on the Cisco Cloud IDE environment. the NSO used in on 5.x but I believe it will work with 6.1.

Still you can get the version doing:

show ncs-state daemon-status | display restconf

And add the 'data' path between restconf and tailf-ncs...

sm000x · ‎10-23-2023

Hi, Jesus:

Thank you for the information.

THX
sm000x

cohult · ‎10-21-2023

The old REST API was removed some time ago in favor of the IETF RFC8040-based RESTCONF API. So with NSO 6.1 try something like:

curl -X GET -u admin:admin http://localhost:8080/restconf/data/tailf-ncs-monitoring:ncs-state/tailf-ncs-monitoring2:daemon-status -H "Accept: application/yang-data+json"
{
  "tailf-ncs-monitoring2:daemon-status": "started"
}

sm000x · ‎10-21-2023

Hi, Cohult:

Thank you so much for this information, it really helps.
I am able to do it in NSO 5.7:
curl -X GET -u admin:admin http://localhost:8080/restconf/data/tailf-ncs-monitoring:ncs-state/tailf-ncs-monitoring:daemon-status -H "Accept: application/yang-data+json"
{
"tailf-ncs-monitoring:daemon-status": "started"
}

However, in NSO 6.1, I got error:
curl -X GET -u admin:admin http://localhost:8080/restconf/data/tailf-ncs-monitoring:ncs-state/tailf-ncs-monitoring2:daemon-status -H "Accept: application/yang-data+json"
authentication_failed: Your credentials could not be authenticated: "Credentials are missing.". You will not be permitted access until your credentials can be verified.

Regardless of the pam set as password-auth, common-auth or system-auth. I also added admin to aaa.

And here is my nacm:
show configuration nacm
read-default permit;
write-default permit;
exec-default permit;
groups {
group admin {
user-name [ admin private ];
}
group ncsadmin {
user-name [ admin private ];
}
group ncsoper {
user-name [ admin oper public ];
}
group oper {
user-name [ admin oper public ];
}
}
rule-list admin {
group [ admin ncsadmin ];
rule any-access {
action permit;
}
cmdrule any-command {
action permit;
}
}
rule-list oper {
group [ ncsoper ];
rule tailf-aaa-user {
module-name tailf-aaa;
path /user[name='$USER'];
access-operations create,read,update,delete;
action permit;
}
rule tailf-webui-user {
module-name tailf-webui;
path /webui/data-stores/user-profile[username='$USER'];
access-operations create,read,update,delete;
action permit;
}
rule tailf-aaa-alluser {
module-name tailf-aaa;
path /user;
action permit;
}
rule tailf-aaa-aaa {
module-name tailf-aaa;
path /aaa;
action permit;
}
rule nacm {
module-name ietf-netconf-acm;
path /;
action permit;
}
rule read-only {
path /;
access-operations read;
action permit;
}
cmdrule c-logout {
command logout;
action permit;
}
cmdrule j-logout {
command "request system logout";
action permit;
}
cmdrule any-command {
action permit;
}
}
rule-list any-group {
group [ * ];
rule tailf-aaa-password-change {
module-name tailf-aaa;
path /aaa/authentication/users/user[name='$USER']/change-password;
access-operations read,exec;
action permit;
}
rule tailf-aaa-user {
module-name tailf-aaa;
path /user[name='$USER'];
access-operations create,read,update,delete;
action permit;
}
rule tailf-webui-user {
module-name tailf-webui;
path /webui/data-stores/user-profile[username='$USER'];
access-operations create,read,update,delete;
action permit;
}
rule tailf-aaa-authentication {
access-operations update;
action permit;
}
cmdrule c-logout {
command logout;
action permit;
}
cmdrule j-logout {
command "request system logout";
action permit;
}
}
cmd-read-default permit;
cmd-exec-default permit;

THX
Sm000x

cohult · ‎10-21-2023

If you add an admin user to the NSO local authentication, also make sure /ncs-config/aaa/local-authentication/enabled is set to true in your ncs.conf.

sm000x · ‎10-22-2023

Hi, Cohult:

Thank you for the information. But is still gives me the same error:
##- Please tyauthentication_failed: Your credentials could not be authenticated: "Credentials are missing.". You will not be permitted access until your credentials can be verified.pe your reply above this line -##

I am using the freetrial version, nso-6.1-freetrial.linux.x86_64.signed.bin. Will that be the reason?

THX
sm000x

cohult · ‎10-23-2023

The "authentication failed" message is not coming from NSO. A quick web search for the error message you get indicates a proxy issue.

sm000x · ‎10-23-2023

Hi, Cohult:

Thank you for the information. I will investigate.

THX
sm000x

sm000x · ‎10-25-2023

Hi, Cohult:

You are correct. I am confirmed that this is Proxy issue. Thank you so much for pointing out.

THX
sm000x

Jesus Illescas · ‎10-23-2023

Hi sm000x,

We recently launched the NSO playground, where you can play with NSO in your web browser. Here you can experiment getting the deamon status using curl. We have two variants, local and system install. Since I see you are working with PAM, the system install version can help more.

The playground has a fresh system install so, to get deamon status via curl with admin:admin you need to:

Enable the webUI
1. /ncs-config/webui/transport/tcp/enabled is set to true in your ncs.conf
Enable local authentication
1. /ncs-config/aaa/local-authentication/enabled is set to true in your ncs.conf.
Reload ncs: ncs --reload
Configure ncs. See snippet below.

curl -X GET -u admin:admin http://localhost:8080/restconf/data/tailf-ncs-monitoring:ncs-state/daemon-status -H "Accept: application/yang-data+json"

Here are the instructions with more details: https://github.com/CiscoDevNet/NSO-Playground-System-Install/tree/main/webui it has steps to do the changes manually or via cli.

And here you can find a direct access to the playground: https://developer.cisco.com/codeexchange/devenv/CiscoDevNet/NSO-Playground-System-Install

Hopefully this can help you to pin point the issue.

Feel free to do any changes, you can reset the environment any time to start again. if you have issues loading the page the first time, just refresh it. Also, get familiar with the solution here: https://github.com/CiscoDevNet/NSO-Playground-System-Install

Snippet of point 4:

aaa authentication users user admin
 uid        65534
 gid        65534
 password   admin
 ssh_keydir /var/ncs/homes/admin/.ssh
 homedir    /var/ncs/homes/admin
!
nacm write-default permit
nacm groups group admin
 user-name [ admin ]
!
nacm rule-list admin
 group [ admin ]
 rule any-access
  action permit
 !
 cmdrule any-command
  action permit
 !
!
nacm rule-list any-group
 group [ * ]
 rule tailf-aaa-user
  module-name       tailf-aaa
  path              /user[name='$USER']
  access-operations create,read,update,delete
  action            permit
 !
 rule tailf-webui-user
  module-name       tailf-webui
  path              /webui/data-stores/user-profile[username='$USER']
  access-operations create,read,update,delete
  action            permit
 !
 rule tailf-aaa-authentication
  module-name       tailf-aaa
  path              /aaa/authentication/users/user[name='$USER']
  access-operations read,update
  action            permit
 !
!

sm000x · ‎10-23-2023

Hi, Jesus:

Thank you so very much for this information. I will give it a try.

THX
sm000x

sm000x · ‎10-25-2023

Hi, Jesus:

I am confirmed this issue is Proxy issue. But the tool surely is a useful tool.

Thank you so much for providing such a wonderful tool.

THX

sm000x