
I'm not seeing backpointers to my service

After applying my service (shown below), I only get a backpointer to the service for one of the several lines of configuration NSO pushed to the device. I thought each line should have a backpointer to the service that configured it.

 

admin@Mothership-6(config)# services ssh test-ssh device-name csr

admin@Mothership-6(config)# commit dry-run outformat native
native {
  device {
    name csr
      data ip ssh time-out 60
              ip ssh authentication-retries 3
              ip ssh rsa keypair-name SSH
              ip scp server enable
  }
}

admin@Mothership-6(config)# commit

Commit complete.

 

admin@Mothership-6(config)# show full-configuration devices device csr | display xml | include test-ssh
<enable refcounter="1" backpointer="[ /ncs:services/ssh:ssh[ssh:name='test-ssh'] ]" />

 

admin@Mothership-6(config)# show full-configuration devices device csr | display xml

...

<ssh>
  <time-out refcounter="1" >60</time-out>
  <authentication-retries refcounter="1" >3</authentication-retries>
  <source-interface>
    <GigabitEthernet>1</GigabitEthernet>
  </source-interface>
  <rsa>
    <keypair-name refcounter="2" original-value="somevalue">SSH</keypair-name>
  </rsa>
</ssh>
<scp>
  <server>
    <enable refcounter="1" backpointer="[ /ncs:services/ssh:ssh[ssh:name='test-ssh'] ]" />
  </server>
</scp>

...

 

In the above, every line with a refcounter should have a backpointer, from my understanding; however, only the scp server enable does. Is there a reason that time-out, authentication-retries, and rsa keypair-name do not have backpointers to the service that put that configuration there?

1 Accepted Solution

Accepted Solutions

It is not correct to expect a backpointer for every leaf with a refcount. NSO does not add a backpointer on leafs and leaflists but only on lists and containers. The "enable" node was probably a container with presence.
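As an added illustration (not part of the original thread and not Cisco code), the Python script below parses the `display xml` fragment from the question and reports which refcounted nodes carry a backpointer and which do not. The `<ip>` wrapper element, the function names, and the assumption that backpointer paths are separated by whitespace are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <ssh>/<scp> fragment quoted in the question,
# wrapped in a single <ip> root (an assumption) so it parses as one document.
SAMPLE = """<ip>
<ssh>
  <time-out refcounter="1" >60</time-out>
  <authentication-retries refcounter="1" >3</authentication-retries>
  <source-interface><GigabitEthernet>1</GigabitEthernet></source-interface>
  <rsa>
    <keypair-name refcounter="2" original-value="somevalue">SSH</keypair-name>
  </rsa>
</ssh>
<scp>
  <server>
    <enable refcounter="1" backpointer="[ /ncs:services/ssh:ssh[ssh:name='test-ssh'] ]" />
  </server>
</scp>
</ip>"""

def parse_backpointer(value):
    """Split "[ /path1 /path2 ]" into a list of service paths.
    Assumes paths are whitespace-separated and keys contain no spaces."""
    v = value.strip()
    if v.startswith("[") and v.endswith("]"):
        v = v[1:-1]          # drop only the outer list brackets
    return re.findall(r"/\S+", v)

def audit(xml_text):
    """Return one record per node that carries a refcounter attribute."""
    records = []
    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if "refcounter" in elem.attrib:
            records.append({
                "path": here,
                "refcounter": int(elem.attrib["refcounter"]),
                "services": parse_backpointer(elem.attrib.get("backpointer", "")),
                "original_value": elem.attrib.get("original-value"),
            })
        for child in elem:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return records

def without_backpointer(records):
    """Paths of refcounted nodes that name no owning service."""
    return [r["path"] for r in records if not r["services"]]

if __name__ == "__main__":
    for rec in audit(SAMPLE):
        print(rec)
```

On the sample, the three nodes that hold a value (time-out, authentication-retries, keypair-name) come back with a refcounter but an empty service list, while `enable` names the `test-ssh` service, matching the behaviour described in the answer.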

8 Replies

joepak
Cisco Employee

Have you tried using different values to see if the behavior is consistent?

I have tried different values for those above which do not have backpointers, and I got the same thing: there was a refcount, but no backpointer.

What happens when you try to remove the service?
It could be because the device owned the configuration prior to the service, which results in no backpointer. Was the scp enable something that previously existed on the device? Could you test by configuring a feature that isn't already on the device through the service vs. a feature that is already preexisting?

My assumption is that the scp enable is owned by the service config and not the device config, which leads to the backpointer. While the other two configurations are already owned by the device, hence no backpointer.

You can see that the config below was not on the device previously, and the backpointer does not show up after the configuration is applied to the device.

 

admin@ncs(config)# show full-configuration devices device v-csr0 config ios:ip ssh | display xml
  ...
    <ssh>
      <pubkey-chain>
      <username>
        <name>vagrant</name>
        <key-hash>
          <key-type>ssh-rsa</key-type>
          <key-name>DD3BB82E850406E9ABFFA80AC0046ED6</key-name>
        </key-hash>
      </username>
    </pubkey-chain>
  </ssh>
...


admin@ncs(config)# services ssh test device-name v-csr0
admin@ncs(config-ssh-test)# commit dry-run
cli {
  local-node {
    data devices {
      device v-csr0 {
        config {
          ios:ip {
            ssh {
              + time-out 120;
              + authentication-retries 3;
            rsa {
              + keypair-name SSH;
            }
          }
          scp {
            server {
              + enable;
            }
          }
        }
      }
    }
}
services {
  ssh test {
    + device-name [ v-csr0 ];
  }
 }
}
}

admin@ncs(config)# show full-configuration devices device v-csr0 config ios:ip ssh | display xml
...
  <ssh>
    <time-out refcounter="1" >120</time-out>
    <authentication-retries refcounter="1" >3</authentication-retries>
    <rsa>
      <keypair-name refcounter="1" >SSH</keypair-name>
    </rsa>
    <pubkey-chain>
      <username>
      <name>vagrant</name>
      <key-hash>
        <key-type>ssh-rsa</key-type>
        <key-name>DD3BB82E850406E9ABFFA80AC0046ED6</key-name>
      </key-hash>
    </username>
    </pubkey-chain>
  </ssh>
...

Can you post your service template?

-Dan

<config-template xmlns="http://tail-f.com/ns/config/1.0">
  <devices xmlns="http://tail-f.com/ns/ncs">
  <?foreach {/device-name}?>
  <device>
    <name>{.}</name>
      <config>
        <ip xmlns="urn:ios">
          <ssh>
            <time-out>120</time-out>
            <authentication-retries>3</authentication-retries>
            <rsa>
              <keypair-name>SSH</keypair-name>
            </rsa>
          </ssh>
          <scp>
            <server>
              <enable/>
            </server>
          </scp>
        </ip>
      </config>
    </device>
  <?end?>
  </devices>
</config-template>

Hello,

Did you find the reason for such behaviour? I am facing the exact same issue.

Thank you in advance.
