
Running NSO in a Docker Container, not generating logs in netconf.log file

shkumarj
Cisco Employee

Hi,

I am running NSO in a Docker container. It's generating logs in ncs.log but not in the netconf.log file.
ncs.conf file:

 

<!-- -*- nxml -*- -->
<!-- Example configuration file for ncs. -->

<ncs-config xmlns="http://tail-f.com/yang/tailf-ncs-config">

<!-- NCS can be configured to restrict access for incoming connections -->
<!-- to the IPC listener sockets. The access check requires that -->
<!-- connecting clients prove possession of a shared secret. -->
<ncs-ipc-access-check>
<enabled>false</enabled>
<filename>${NCS_CONFIG_DIR}/ipc_access</filename>
</ncs-ipc-access-check>

<!-- Where to look for .fxs and snmp .bin files to load -->

<load-path>
<dir>${NCS_RUN_DIR}/packages</dir>
<dir>${NCS_DIR}/etc/ncs</dir>

<!-- To disable northbound snmp altogether -->
<!-- comment out the path below -->
<dir>${NCS_DIR}/etc/ncs/snmp</dir>
</load-path>

<!-- Plug and play scripting -->
<scripts>
<dir>${NCS_RUN_DIR}/scripts</dir>
<dir>${NCS_DIR}/scripts</dir>
</scripts>

<state-dir>${NCS_RUN_DIR}/state</state-dir>

<notifications>
<event-streams>

<!-- This is the builtin stream used by NCS to generate northbound -->
<!-- notifications whenever the alarm table is changed. -->
<!-- See tailf-ncs-alarms.yang -->
<!-- If you are not interested in NCS northbound netconf notifications -->
<!-- remove this item since it does consume some CPU -->
<stream>
<name>ncs-alarms</name>
<description>NCS alarms according to tailf-ncs-alarms.yang</description>
<replay-support>false</replay-support>
<builtin-replay-store>
<enabled>false</enabled>
<dir>${NCS_RUN_DIR}/state</dir>
<max-size>S10M</max-size>
<max-files>50</max-files>
</builtin-replay-store>
</stream>

<!-- This is the builtin stream used by NCS to generate northbound -->
<!-- notifications for internal events. -->
<!-- See tailf-ncs-devices.yang -->
<!-- Required for cluster mode. -->
<stream>
<name>ncs-events</name>
<description>NCS event according to tailf-ncs-devices.yang</description>
<replay-support>true</replay-support>
<builtin-replay-store>
<enabled>true</enabled>
<dir>${NCS_RUN_DIR}/state</dir>
<max-size>S10M</max-size>
<max-files>50</max-files>
</builtin-replay-store>
</stream>

<!-- This is the builtin stream used by NCS to generate northbound -->
<!-- notifications for kicker event stream. -->
<!-- See tailf-kicker.yang -->
<!-- Required for cluster mode. -->
<stream>
<name>kicker-events</name>
<description>NCS event according to tailf-kicker.yang</description>
<replay-support>true</replay-support>
<builtin-replay-store>
<enabled>true</enabled>
<dir>${NCS_RUN_DIR}/state</dir>
<max-size>S10M</max-size>
<max-files>50</max-files>
</builtin-replay-store>
</stream>

<!-- This is the builtin stream used by NCS to generate northbound -->
<!-- notifications forwarded from devices. -->
<!-- See tailf-event-forwarding.yang -->
<stream>
<name>device-notifications</name>
<description>NCS events forwarded from devices</description>
<replay-support>true</replay-support>
<builtin-replay-store>
<enabled>true</enabled>
<dir>${NCS_RUN_DIR}/state</dir>
<max-size>S10M</max-size>
<max-files>50</max-files>
</builtin-replay-store>
</stream>

<!-- This is the builtin stream used by NCS to generate northbound -->
<!-- notifications for plan state transitions. -->
<!-- See tailf-ncs-plan.yang -->
<stream>
<name>service-state-changes</name>
<description>Plan state transitions according to
tailf-ncs-plan.yang</description>
<replay-support>false</replay-support>
<builtin-replay-store>
<enabled>false</enabled>
<dir>${NCS_RUN_DIR}/state</dir>
<max-size>S10M</max-size>
<max-files>50</max-files>
</builtin-replay-store>
</stream>
</event-streams>
</notifications>

<!-- Where the database (and init XML) files are kept -->
<cdb>
<db-dir>${NCS_RUN_DIR}/cdb</db-dir>
<!-- Always bring in the good system defaults -->
<init-path>
<dir>${NCS_DIR}/var/ncs/cdb</dir>
</init-path>
</cdb>


<!--
These keys are used to encrypt values of the types
tailf:des3-cbc-encrypted-string, tailf:aes-cfb-128-encrypted-string
and tailf:aes-256-cfb-128-encrypted-string.
For a deployment install it is highly recommended to change
these numbers to something random (done by NCS "system install")
-->
<encrypted-strings>
<external-keys>
<command>${NCS_DIR}/bin/ncs_crypto_keys</command>
<command-argument>${NCS_CONFIG_DIR}/ncs.crypto_keys</command-argument>
</external-keys>
</encrypted-strings>


<logs>
<syslog-config>
<facility>daemon</facility>
</syslog-config>

<ncs-log>
<enabled>true</enabled>
<file>
<name>${NCS_LOG_DIR}/ncs.log</name>
<enabled>true</enabled>
</file>
<syslog>
<enabled>true</enabled>
</syslog>
</ncs-log>

<developer-log>
<enabled>true</enabled>
<file>
<name>${NCS_LOG_DIR}/devel.log</name>
<enabled>true</enabled>
</file>
</developer-log>
<developer-log-level>info</developer-log-level>

<audit-log>
<enabled>true</enabled>
<file>
<name>${NCS_LOG_DIR}/audit.log</name>
<enabled>true</enabled>
</file>
</audit-log>

<netconf-log>
<enabled>true</enabled>
<file>
<name>${NCS_LOG_DIR}/netconf.log</name>
<enabled>true</enabled>
</file>
</netconf-log>

<netconf-trace-log>
<enabled>true</enabled>
<filename>${NCS_LOG_DIR}/netconf.trace</filename>
<format>pretty</format>
</netconf-trace-log>

<snmp-log>
<enabled>true</enabled>
<file>
<name>${NCS_LOG_DIR}/snmp.log</name>
<enabled>true</enabled>
</file>
</snmp-log>

<webui-access-log>
<enabled>true</enabled>
<dir>${NCS_LOG_DIR}</dir>
</webui-access-log>


<!-- This log is disabled by default if ncs is installed using -->
<!-- the 'system-install' flag. It consumes a lot of CPU power -->
<!-- to have this log turned on, OTOH it is the best tool to -->
<!-- debug must expressions in YANG models -->

<xpath-trace-log>
<enabled>false</enabled>
<filename>${NCS_LOG_DIR}/xpath.trace</filename>
</xpath-trace-log>

<error-log>
<enabled>true</enabled>
<filename>${NCS_LOG_DIR}/ncserr.log</filename>
</error-log>

<progress-trace>
<enabled>true</enabled>
<dir>${NCS_LOG_DIR}</dir>
</progress-trace>
</logs>

<aaa>
<ssh-server-key-dir>${NCS_CONFIG_DIR}/ssh</ssh-server-key-dir>

<!-- Depending on OS - and also depending on user requirements -->
<!-- the pam service value value must be tuned. -->

<pam>
<enabled>true</enabled>
<service>common-auth</service>
</pam>
<external-authentication>
<enabled>false</enabled>
<executable>my-test-auth.sh</executable>
</external-authentication>

<local-authentication>
<enabled>false</enabled>
</local-authentication>

<expiration-warning>prompt</expiration-warning>
</aaa>

<!-- Hash algorithm used when setting leafs of type ianach:crypt-hash, -->
<!-- e.g. /aaa/authentication/users/user/password -->
<crypt-hash>
<algorithm>sha-512</algorithm>
</crypt-hash>

<!-- Disable this for performance critical applications, enabling -->
<!-- rollbacks means additional disk IO for each transaction -->
<rollback>
<enabled>true</enabled>
<directory>${NCS_RUN_DIR}/rollbacks</directory>
<history-size>500</history-size>
</rollback>


<cli>
<enabled>true</enabled>

<!-- Use the builtin SSH server -->
<ssh>
<enabled>false</enabled>
<ip>0.0.0.0</ip>
<port>2024</port>
</ssh>

<prompt1>\u@ncs> </prompt1>
<prompt2>\u@ncs% </prompt2>

<c-prompt1>\u@ncs# </c-prompt1>
<c-prompt2>\u@ncs(\m)# </c-prompt2>

<restricted-file-access>true</restricted-file-access>
<show-log-directory>${NCS_LOG_DIR}</show-log-directory>
<show-commit-progress>true</show-commit-progress>
<suppress-commit-message-context>maapi</suppress-commit-message-context>
<suppress-commit-message-context>system</suppress-commit-message-context>
</cli>

<webui>
<enabled>true</enabled>
<transport>
<tcp>
<enabled>true</enabled>
<ip>0.0.0.0</ip>
<port>8080</port>
</tcp>
<ssl>
<enabled>false</enabled>
<ip>0.0.0.0</ip>
<port>8888</port>
<key-file>${NCS_CONFIG_DIR}/ssl/cert/host.key</key-file>
<cert-file>${NCS_CONFIG_DIR}/ssl/cert/host.cert</cert-file>
</ssl>
</transport>

<cgi>
<enabled>true</enabled>
<php>
<enabled>false</enabled>
</php>
</cgi>
</webui>

<restconf>
<enabled>true</enabled>
</restconf>

<netconf-north-bound>
<enabled>true</enabled>

<transport>
<ssh>
<enabled>false</enabled>
<ip>0.0.0.0</ip>
<port>2022</port>
</ssh>
<tcp>
<enabled>false</enabled>
<ip>127.0.0.1</ip>
<port>2023</port>
</tcp>
</transport>
</netconf-north-bound>

<netconf-call-home>
<enabled>false</enabled>

<transport>
<tcp>
<ip>0.0.0.0</ip>
<port>4334</port>
</tcp>
</transport>
</netconf-call-home>

<!-- <ha> -->
<!-- <enabled>true</enabled> -->
<!-- </ha> -->

<large-scale>
<lsa>
<!-- Enable Layered Service Architecture, LSA. This requires
a separate Cisco Smart License.
-->
<enabled>false</enabled>
</lsa>
</large-scale>

<!-- Override parameters in the submodules of the tailf-ncs.yang module,
preventing setting of those parameters via northbound interfaces
from having any effect, even if the NACM access rules allow it. -->

<java-vm>
<start-command>DEFAULT</start-command>
<run-in-terminal>
<terminal-command>DEFAULT</terminal-command>
</run-in-terminal>
<stdout-capture>
<enabled>true</enabled>
<file>${NCS_LOG_DIR}/ncs-java-vm.log</file>
</stdout-capture>
</java-vm>

<python-vm>
<start-command>DEFAULT</start-command>
<run-in-terminal>
<terminal-command>DEFAULT</terminal-command>
</run-in-terminal>
<logging>
<log-file-prefix>${NCS_LOG_DIR}/ncs-python-vm</log-file-prefix>
</logging>
</python-vm>

<smart-license>
<smart-agent>
<java-executable>DEFAULT</java-executable>
<java-options>DEFAULT</java-options>
<production-url>DEFAULT</production-url>
<alpha-url>DEFAULT</alpha-url>
<override-url>
<url>DEFAULT</url>
</override-url>
<proxy>
<url>DEFAULT</url>
</proxy>
</smart-agent>
</smart-license>

</ncs-config>

 

Dockerfile:

 

FROM dockerhub.cisco.com/cisco-onc-docker/dev/cisco-nso-base:5.4.1

#RUN mkdir -p /log && useradd -g ncsadmin admin -p admin

ENV HTTP_ENABLE=true ADMIN_PASSWORD=admin

COPY ./neds /nso/run/packages/
COPY ./ncs.conf /etc/ncs/ncs.conf
COPY ./cs_trans_load.beam $NCS_DIR/lib/ncs/patches
COPY ./cs_trans_load.beam /opt/ncs/current/lib/ncs/patches
COPY run-task-post-nso.sh /etc/ncs/post-ncs-start.d/
COPY rotateLogFile.conf /etc/logrotate.d/
COPY logrotate /etc/cron.d/
RUN apt-get update && apt-get -y install logrotate
RUN apt-get install vim -y && apt-get remove nano -y
SHELL ["/bin/sh", "-lc"]
ENTRYPOINT ["/enter-shell.sh"]

EXPOSE 22 80 443 830 4334

HEALTHCHECK --start-period=60s --interval=5s --retries=3 --timeout=5s CMD /opt/ncs/current/bin/ncs_cmd -c get_phase

CMD ["/run-nso.sh"]

Can someone help here?
Did I miss anything?


ramkraja
Cisco Employee

You are exposing port 830, which is the 'default' port for Netconf over SSH. But the ports used in your ncs.conf are different - 2022 and 2023. More importantly, both "/netconf-north-bound/transport/ssh/enabled" and "/netconf-north-bound/transport/tcp/enabled" are false - so, I think nothing is listening for Netconf, as per your config.

Port 4334 seems to be exposed for netconf-call-home, but that is also not enabled in ncs.conf.

/Ram
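The mismatch described in this reply can be checked statically. The following is an added example, not code from the thread or from NSO: it reads the listener elements of an ncs.conf, works out which are actually enabled, and compares their ports with the Dockerfile's EXPOSE line. The embedded sample is a constructed subset of the files posted above, the base image name is a placeholder, and anything a startup script changes at runtime is outside what this check sees.

```python
import re
import xml.etree.ElementTree as ET

NS = {"c": "http://tail-f.com/yang/tailf-ncs-config"}

# Constructed sample: a listener-related subset of the posted ncs.conf and Dockerfile.
NCS_CONF = """<ncs-config xmlns="http://tail-f.com/yang/tailf-ncs-config">
 <webui><enabled>true</enabled><transport>
  <tcp><enabled>true</enabled><ip>0.0.0.0</ip><port>8080</port></tcp>
  <ssl><enabled>false</enabled><ip>0.0.0.0</ip><port>8888</port></ssl>
 </transport></webui>
 <netconf-north-bound><enabled>true</enabled><transport>
  <ssh><enabled>false</enabled><ip>0.0.0.0</ip><port>2022</port></ssh>
  <tcp><enabled>false</enabled><ip>127.0.0.1</ip><port>2023</port></tcp>
 </transport></netconf-north-bound>
 <netconf-call-home><enabled>false</enabled><transport>
  <tcp><ip>0.0.0.0</ip><port>4334</port></tcp>
 </transport></netconf-call-home>
</ncs-config>"""
DOCKERFILE = "FROM placeholder/nso-base\nEXPOSE 22 80 443 830 4334\n"

def _on(elem):
    """False only when the element has an <enabled> child that is not 'true'."""
    flag = elem.find("c:enabled", NS)
    return flag is None or (flag.text or "").strip() == "true"

def listeners(conf_xml):
    """Map port -> (service/transport, active) for each element with a <port>."""
    found = {}
    for service in ET.fromstring(conf_xml):
        for elem in service.iter():
            port = elem.find("c:port", NS)
            if port is not None:
                name = "/".join(e.tag.split("}")[-1] for e in (service, elem))
                # A transport listens only if it and its parent service are enabled.
                found[int(port.text)] = (name, _on(service) and _on(elem))
    return found

def exposed_ports(dockerfile):
    """Collect port numbers from EXPOSE lines (a /tcp or /udp suffix is dropped)."""
    ports = set()
    for m in re.finditer(r"(?im)^\s*EXPOSE\s+(.+)$", dockerfile):
        ports |= {int(p.split("/")[0]) for p in m.group(1).split()}
    return ports

def audit(conf_xml, dockerfile):
    active = {p: n for p, (n, on) in listeners(conf_xml).items() if on}
    exposed = exposed_ports(dockerfile)
    return {"active": active,
            "exposed_without_listener": sorted(exposed - set(active)),
            "listening_not_exposed": sorted(set(active) - exposed)}
```

Calling `audit(NCS_CONF, DOCKERFILE)` on the sample reports the cleartext web UI on 8080 as the only active listener and none of the exposed ports as backed by an enabled transport in the file.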

snovello
Cisco Employee

netconf.log is used to log netconf access via the northbound netconf interface, but in ncs.conf I see that both possible transports for netconf northbound are disabled, so there would be nothing to log.  What kind of errors are you seeing when accessing NSO from the netconf interface? I expect you would see connection refused, which means NSO is not listening on the port.

We want to log southbound device netconf interactions, which is not happening.

For southbound traces you need to turn on device traces (devices global-settings trace raw might be a good thing to set, in the config tree, not ncs.conf)

We are doing it by script and can see it in the UI as well:

#!/bin/bash

ncs_cli <<EOF -C -u admin
config
devices global-settings trace pretty
commit
EOF

Still, it's not happening.

Well, is your trace-dir set to a bad location maybe? This is certainly a mechanism that usually works.

Also, since you spoke about Netconf.log earlier, be aware that device traces do not turn up in Netconf.log, they turn up in individual files for each device.

If I change trace to pretty or raw for an individual device, I get the error below:

<INFO> 22-Mar-2021::10:03:44.029 onc-deployerengine-service-866fc64dfc-8df55 ncs[76]: netconf error from netconf agent :undefined: transport closed

I am able to do all the operations via a netconf interface; only the logging is not happening.

I am able to do all the operations via a netconf interface; only the logging is not happening. But if I change trace to pretty, I get the error below:

<INFO> 22-Mar-2021::10:03:44.029 onc-deployerengine-service-866fc64dfc-8df55 ncs[76]: netconf error from netconf agent :undefined: transport closed