Northbound NETCONF Quick Question

tpomerhn
Cisco Employee

This is probably a basic question so I apologize if it's something I should have figured out on my own, but I can't seem to find a definitive reason why ncclient and netconf-console are different in how they handle the XML payload. I have some scripts that work fine adding/deleting devices through the RESTCONF API, but was looking for a password-less solution like NETCONF to accomplish the same. I can get the following XML, when output to a file and passed to netconf-console using the --edit-config command, to run properly:

<devices xmlns="http://tail-f.com/ns/ncs">
<device>
<name>router1</name>
<address>10.1.1.1</address>
<port>22</port>
<authgroup>general</authgroup>
<device-type>
<cli>
<ned-id>cisco-ios-cli-6.46:cisco-ios-cli-6.46</ned-id>
<protocol>ssh</protocol>
</cli>
</device-type>
<state>
<admin-state>unlocked</admin-state>
</state>
</device>
</devices>

I can write this to a file and send it using netconf-console, but I'd rather use ncclient and pass this all in memory as a variable to the manager edit_config function instead and not have to write temporary xml files. But if I put the above code into a variable and attempt to send it via ncclient:

NewDeviceXML=''' <the exact code from above> '''
from ncclient import manager
with manager.connect(host=nsohost, port=2022, username="automate",
    hostkey_verify=False, key_filename="/opt/automate/automate") as conn:
    conn.edit_config(target='running', config=NewDeviceXML)

All I get are "Element [x] does not meet requirement" messages, where x can be anything. I've tried tinkering by adding a <?xml first line, adding <config> wrappers, all kinds of things and none of them work. It's something about how ncclient handles the XML payload versus netconf-console and I'm missing something.

If someone could point out my (probably blatantly obvious to the non-NETCONF-ncclient-novice) error I would appreciate it. :)

Accepted Solutions

perander
Cisco Employee

There are several possible solutions to this question.

In order to get the NewDeviceXML <device> payload to work with the supplied ncclient code, it needs to be wrapped inside <config> like so:

<config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<device xmlns="...">
...
</device>
</config>

Secondly, it's possible to use External Token Authentication with RESTCONF, which would enable password-less access. In short, configure /ncs-config/aaa/external-validation according to access requirements in ncs.conf and supply the X-Auth-Token header to RESTCONF requests.

It's also possible to use External Authentication with RESTCONF, so a custom authentication mechanism can be tailored. Enable by configuring /ncs-config/aaa/external-authentication in ncs.conf.

Finally, it's possible to pipe the payload as a multiline string directly to netconf-console, without storing it in an intermediate file:

$ echo '<devices xmlns="http://tail-f.com/ns/ncs">
> <device>
> <name>router1</name>
> <address>10.1.1.1</address>
> <port>22</port>
> <authgroup>general</authgroup>
> <device-type>
> <cli>
> <ned-id>cisco-ios-cli-6.46:cisco-ios-cli-6.46</ned-id>
> <protocol>ssh</protocol>
> </cli>
> </device-type>
> <state>
> <admin-state>unlocked</admin-state>
> </state>
> </device>
> </devices>' | netconf-console --edit-config -
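
An added example, not code from the original posts: it builds the question's <devices> payload wrapped in the <config> element from the answer, in memory with ElementTree so that device names and addresses are XML-escaped, and passes it to ncclient's edit_config over key-based SSH. The function names and namespace prefixes are hypothetical choices, and unlike the question's snippet it leaves host-key verification on, which assumes the NSO host key is already in the user's known_hosts.

```python
import xml.etree.ElementTree as ET

NETCONF_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"  # from the answer
NCS_NS = "http://tail-f.com/ns/ncs"                      # from the question
ET.register_namespace("nc", NETCONF_NS)   # prefixes are arbitrary choices
ET.register_namespace("ncs", NCS_NS)


def _leaf(parent, tag, text=None):
    """Append an ncs-namespaced child; ElementTree escapes the text on output."""
    child = ET.SubElement(parent, f"{{{NCS_NS}}}{tag}")
    if text is not None:
        child.text = str(text)
    return child


def build_device_config(name, address, ned_id, authgroup="general", port=22):
    """Return the question's <devices> payload wrapped in NETCONF <config>."""
    config = ET.Element(f"{{{NETCONF_NS}}}config")
    device = _leaf(_leaf(config, "devices"), "device")
    _leaf(device, "name", name)
    _leaf(device, "address", address)
    _leaf(device, "port", port)
    _leaf(device, "authgroup", authgroup)
    cli = _leaf(_leaf(device, "device-type"), "cli")
    _leaf(cli, "ned-id", ned_id)
    _leaf(cli, "protocol", "ssh")
    _leaf(_leaf(device, "state"), "admin-state", "unlocked")
    return ET.tostring(config, encoding="unicode")


def push_config(host, payload, key_file, username="automate", port=2022):
    """Send the payload with ncclient (third-party) over key-based SSH."""
    from ncclient import manager  # imported lazily: the builder needs only stdlib
    with manager.connect(host=host, port=port, username=username,
                         key_filename=key_file, hostkey_verify=True,
                         allow_agent=False, look_for_keys=False) as conn:
        return conn.edit_config(target="running", config=payload)


if __name__ == "__main__":
    # Constructed sample values taken from the question's payload.
    print(build_device_config("router1", "10.1.1.1",
                              "cisco-ios-cli-6.46:cisco-ios-cli-6.46"))
```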

 

Thanks so much - I had tried with just <config> at the start before, and it failed the XML parsing checks. Now that it has a proper xmlns, it runs great. I also like your pipe solution but obviously getting ncclient to go is also extremely helpful.

 

I'll look into the RESTCONF using an X-Auth-Token but for now, simple NETCONF using key-based SSH is a good API for me to use to programmatically add/delete devices (instead of using direct CLI on the NSO instance).

 

Thanks again, for both a quick and thorough response!

If you are looking for some basic examples for using the RESTCONF API, we have created a Postman collection on the NSO Developer GitHub Org:

https://github.com/NSO-developer/cisco-nso-postman
