From bd3a8411037d4be5f23582d4d0192fd3babeaf21 Mon Sep 17 00:00:00 2001 From: Olof hagsand Date: Wed, 3 Apr 2024 17:39:50 +0200 Subject: [PATCH] New `clixon-config@2024-04-01.yang` revision Added options: `CLICON_NETCONF_DUPLICATE_ALLOW` - Disable duplicate check in NETCONF messages New `clixon-lib@2024-04-01.yang` revision --- CHANGELOG.md | 5 + apps/backend/backend_client.c | 5 +- docker/test/start.sh | 4 +- test/config.sh.in | 4 +- yang/clixon/Makefile.in | 5 +- yang/clixon/clixon-config@2024-04-01.yang | 1285 +++++++++++++++++ ...-11-01.yang => clixon-lib@2024-04-01.yang} | 29 +- 7 files changed, 1313 insertions(+), 24 deletions(-) create mode 100644 yang/clixon/clixon-config@2024-04-01.yang rename yang/clixon/{clixon-lib@2023-11-01.yang => clixon-lib@2024-04-01.yang} (95%) diff --git a/CHANGELOG.md b/CHANGELOG.md index 53952eed..40929bda 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,11 @@ ## 7.1.0 Expected: June 2024 +### Features + +* New `clixon-config@2024-04-01.yang` revision + * Added options: `CLICON_NETCONF_DUPLICATE_ALLOW` - Disable duplicate check in NETCONF messages +* New `clixon-lib@2024-04-01.yang` revision ## 7.0.1 3 April 2024 diff --git a/apps/backend/backend_client.c b/apps/backend/backend_client.c index 579c666f..15e597f2 100644 --- a/apps/backend/backend_client.c +++ b/apps/backend/backend_client.c @@ -557,7 +557,10 @@ from_client_edit_config(clixon_handle h, */ if ((ret = xml_yang_validate_minmax(xc, 1, &xret)) < 0) goto done; - if (ret == 1 && (ret = xml_yang_validate_unique_recurse(xc, &xret)) < 0) + /* Disable duplicate check in NETCONF messages.*/ + if (clicon_option_bool(h, "CLICON_NETCONF_DUPLICATE_ALLOW")) + ; + else if (ret == 1 && (ret = xml_yang_validate_unique_recurse(xc, &xret)) < 0) goto done; /* xmldb_put (difflist handling) requires list keys */ if (ret == 1 && (ret = xml_yang_validate_list_key_only(xc, &xret)) < 0) diff --git a/docker/test/start.sh b/docker/test/start.sh index 3240a6c8..68f4ca7d 100755 
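Review bot: The empty-statement branch `if (clicon_option_bool(h, "CLICON_NETCONF_DUPLICATE_ALLOW")) ;` added in from_client_edit_config is easy to misread and easy to break in a later edit. Folding the option into the existing condition keeps the validation chain in one shape: `if (ret == 1 && !clicon_option_bool(h, "CLICON_NETCONF_DUPLICATE_ALLOW") && (ret = xml_yang_validate_unique_recurse(xc, &xret)) < 0)`. The new comment `/* Disable duplicate check in NETCONF messages.*/` reads as unconditional; `/* Skip the uniqueness check only when CLICON_NETCONF_DUPLICATE_ALLOW is set (legacy clients) */` says what the branch actually does. With the option on, non-unique list and leaf-list entries from a client pass this point unchecked, and the context comment notes that xmldb_put's difflist handling requires list keys, so it is worth confirming that path tolerates duplicate keys. The function body starts and ends outside the hunk.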
--- a/docker/test/start.sh +++ b/docker/test/start.sh @@ -50,6 +50,8 @@ err(){ # Turn on debug in containers (restconf, backend) DBG=${DBG:-0} +NAME=${NAME:-"clixon-test"} + # Expose other host port than port 80 PORT=${PORT:-8080} @@ -85,7 +87,7 @@ CONFIG=${CONFIG:-$CONFIG0} # Create clixon-test container >&2 echo -n "Starting Container..." -sudo docker run -p $PORT:80 -p $SPORT:443 --name clixon-test --rm -e DBG=$DBG -e CONFIG="$CONFIG" -e STORE="$STORE" -td clixon/clixon-test || err "Error starting clixon-test" +sudo docker run -p $PORT:80 -p $SPORT:443 --name ${NAME} --rm -e DBG=$DBG -e CONFIG="$CONFIG" -e STORE="$STORE" -td clixon/clixon-test || err "Error starting clixon-test" # Wait for snmpd to start sudo docker exec -t clixon-test bash -c 'while [ ! -S /var/run/snmp.sock ]; do sleep 1; done' diff --git a/test/config.sh.in b/test/config.sh.in index c4f83372..784ffd1c 100755 --- a/test/config.sh.in +++ b/test/config.sh.in @@ -76,8 +76,8 @@ DATASTORE_TOP="config" # clixon yang revisions occuring in tests (see eg yang/clixon/Makefile.in) CLIXON_AUTOCLI_REV="2023-09-01" -CLIXON_LIB_REV="2024-01-01" -CLIXON_CONFIG_REV="2024-01-01" +CLIXON_LIB_REV="2024-04-01" +CLIXON_CONFIG_REV="2024-04-01" CLIXON_RESTCONF_REV="2022-08-01" CLIXON_EXAMPLE_REV="2022-11-01" diff --git a/yang/clixon/Makefile.in b/yang/clixon/Makefile.in index 31ad6976..c05c9427 100644 --- a/yang/clixon/Makefile.in +++ b/yang/clixon/Makefile.in @@ -42,9 +42,8 @@ datarootdir = @datarootdir@ YANG_INSTALLDIR = @YANG_INSTALLDIR@ # Note: mirror these to test/config.sh.in -YANGSPECS = clixon-config@2024-01-01.yang # 7.0 -YANGSPECS += clixon-lib@2023-11-01.yang # 6.5 -YANGSPECS += clixon-lib@2024-01-01.yang # 7.0 +YANGSPECS = clixon-config@2024-04-01.yang # 7.1 +YANGSPECS += clixon-lib@2024-04-01.yang # 7.1 YANGSPECS += clixon-rfc5277@2008-07-01.yang YANGSPECS += clixon-xml-changelog@2019-03-21.yang YANGSPECS += clixon-restconf@2022-08-01.yang # 5.9 
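Review bot: The container name is parameterised only on the `docker run` line. The `sudo docker exec -t clixon-test bash -c ...` wait loop directly below it (context in the second hunk) still uses the literal name, so a run with `NAME` set to anything else waits on a different or non-existent container. Use the variable there as well and quote it in both places, `--name "${NAME}"` and `sudo docker exec -t "${NAME}" bash -c ...`, since an unquoted `${NAME}` is word-split into extra arguments of the `sudo docker run` command line. The `err "Error starting clixon-test"` message could report `${NAME}` too. Any further uses of the literal name later in the script are outside the hunk.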
diff --git a/yang/clixon/clixon-config@2024-04-01.yang b/yang/clixon/clixon-config@2024-04-01.yang
new file mode 100644
index 00000000..ee9fb06f
--- /dev/null
+++ b/yang/clixon/clixon-config@2024-04-01.yang
@@ -0,0 +1,1285 @@ +module clixon-config { + yang-version 1.1; + namespace "http://clicon.org/config"; + prefix cc; + + import clixon-restconf { + prefix clrc; + } + import clixon-autocli { + prefix autocli; + } + import clixon-lib { + prefix cl; + } + organization + "Clicon / Clixon"; + + contact + "Olof Hagsand "; + + description + "Clixon configuration file + ***** BEGIN LICENSE BLOCK ***** + Copyright (C) 2009-2019 Olof Hagsand + Copyright (C) 2020-2022 Olof Hagsand and Rubicon Communications, LLC(Netgate) + + This file is part of CLIXON + + Licensed under the Apache License, Version 2.0 (the \"License\"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an \"AS IS\" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + Alternatively, the contents of this file may be used under the terms of + the GNU General Public License Version 3 or later (the \"GPL\"), + in which case the provisions of the GPL are applicable instead + of those above. If you wish to allow use of your version of this file only + under the terms of the GPL, and not to allow others to + use your version of this file under the terms of Apache License version 2, + indicate your decision by deleting the provisions above and replace them with + the notice and other provisions required by the GPL. If you do not delete + the provisions above, a recipient may use your version of this file under + the terms of any one of the Apache License version 2 or the GPL. + + ***** END LICENSE BLOCK *****"; + + revision 2024-04-01 { + description + "Added options: + CLICON_NETCONF_DUPLICATE_ALLOW - Disable duplicate check in NETCONF messages. 
+ Released in Clixon 7.1"; + } + revision 2024-01-01 { + description + "Changed semantics: + CLICON_VALIDATE_STATE_XML - disable return sanity checks if false + Marked as obsolete: + CLICON_DATASTORE_CACHE + CLICON_NETCONF_CREATOR_ATTR + Changed semantics of + Released in Clixon 7.0"; + } + revision 2023-11-01 { + description + "Added options: + CLICON_NETCONF_CREATOR_ATTR + Released in Clixon 6.5"; + } + revision 2023-05-01 { + description + "Added options: + CLICON_CONFIG_EXTEND + CLICON_PLUGIN_DLOPEN_GLOBAL + Moved datastore-format datatype to clixon-lib + Released in Clixon 6.3"; + } + revision 2023-03-01 { + description + "Added options: + CLICON_RESTCONF_NOALPN_DEFAULT + Extended datastore-format with CLI and text + Released in Clixon 6.2"; + } + revision 2022-12-01 { + description + "Added options: + CLICON_YANG_SCHEMA_MOUNT + Removed (previosly marked) obsolete options: + CLICON_MODULE_LIBRARY_RFC7895 + Released in Clixon 6.1"; + } + revision 2022-11-01 { + description + "Added option: + CLICON_NETCONF_MONITORING + CLICON_NETCONF_MONITORING_LOCATION + Released in Clixon 6.0"; + } + revision 2022-03-21 { + description + "Added option: + CLICON_RESTCONF_API_ROOT + CLICON_NETCONF_BASE_CAPABILITY + CLICON_HTTP_DATA_PATH + CLICON_HTTP_DATA_ROOT + CLICON_CLI_EXPAND_LEAFREF + Released in Clixon 5.7"; + } + revision 2022-02-11 { + description + "Added option: + CLICON_LOG_STRING_LIMIT + CLICON_YANG_LIBRARY + Changed default value: + CLICON_MODULE_LIBRARY_RFC7895 to false + Removed (previosly marked) obsolete options: + CLICON_RESTCONF_PATH + CLICON_RESTCONF_PRETTY + CLICON_CLI_GENMODEL + CLICON_CLI_GENMODEL_TYPE + CLICON_CLI_GENMODEL_COMPLETION + CLICON_CLI_AUTOCLI_EXCLUDE + CLICON_CLI_MODEL_TREENAME + Released in Clixon 5.6"; + } + revision 2021-12-05 { + description + "Imported + clixon-autocli.yang + Removed (previosly marked) obsolete options: + CLICON_YANG_LIST_CHECK + Marked as obsolete: + CLICON_CLI_GENMODEL (use autocli/enable-autocli instead) + 
CLICON_CLI_GENMODEL_TYPE (use autocli/list-keyword-default and compress rules instead) + CLICON_CLI_GENMODEL_COMPLETION (use autocli/completion-default instead) + CLICON_CLI_AUTOCLI_EXCLUDE (use autocli/module-default, rule/enable logic instead) + CLICON_CLI_MODEL_TREENAME (use constant AUTOCLI_TREENAME instead) + Released in Clixon 5.5"; + } + revision 2021-11-11 { + description + "Added option: + CLICON_PLUGIN_CALLBACK_CHECK + CLICON_YANG_AUGMENT_ACCEPT_BROKEN + Modified options: + CLICON_CLI_GENMODEL_TYPE: added OC_COMPRESS enum + CLICON_YANG_DIR: recursive search + Released in Clixon 5.4"; + } + revision 2021-07-11 { + description + "Added option: + CLICON_RESTCONF_HTTP2_PLAIN + Removed default value: + CLICON_RESTCONF_INSTALLDIR + Marked as obsolete: + CLICON_YANG_LIST_CHECK + Released in Clixon 5.3"; + } + revision 2021-05-20 { + description + "Added option: + CLICON_RESTCONF_USER + CLICON_RESTCONF_PRIVILEGES + CLICON_RESTCONF_INSTALLDIR + CLICON_RESTCONF_STARTUP_DONTUPDATE + CLICON_NETCONF_MESSAGE_ID_OPTIONAL + Released in Clixon 5.2"; + } + revision 2021-03-08 { + description + "Added option: + CLICON_NETCONF_HELLO_OPTIONAL + CLICON_CLI_AUTOCLI_EXCLUDE + CLICON_XMLDB_UPGRADE_CHECKOLD + Released in Clixon 5.1"; + } + revision 2020-12-30 { + description + "Added option: + CLICON_ANONYMOUS_USER + Removed obsolete options: + CLICON_RESTCONF_IPV4_ADDR + CLICON_RESTCONF_IPV6_ADDR + CLICON_RESTCONF_HTTP_PORT + CLICON_RESTCONF_HTTPS_PORT + CLICON_SSL_SERVER_CERT + CLICON_SSL_SERVER_KEY + CLICON_SSL_CA_CERT + CLICON_TRANSACTION_MOD + Marked as obsolete and moved to clixon-restconf.yang: + CLICON_RESTCONF_PATH + CLICON_RESTCONF_PRETTY"; + } + revision 2020-11-03 { + description + "Added CLICON_BACKEND_RESTCONF_PROCESS + Copied to clixon-restconf.yang and marked as obsolete: + CLICON_RESTCONF_IPV4_ADDR + CLICON_RESTCONF_IPV6_ADDR + CLICON_RESTCONF_HTTP_PORT + CLICON_RESTCONF_HTTPS_PORT + CLICON_SSL_SERVER_CERT + CLICON_SSL_SERVER_KEY + CLICON_SSL_CA_CERT + Removed 
obsolete option CLICON_TRANSACTION_MOD"; + } + revision 2020-10-01 { + description + "Added: CLICON_CONFIGDIR."; + } + revision 2020-08-17 { + description + "Added: CLICON_RESTCONF_IPV4_ADDR, CLICON_RESTCONF_IPV6_ADDR, + CLICON_RESTCONF_HTTP_PORT, CLICON_RESTCONF_HTTPS_PORT + CLICON_NAMESPACE_NETCONF_DEFAULT, + CLICON_CLI_HELPSTRING_TRUNCATE, CLICON_CLI_HELPSTRING_LINES"; + } + revision 2020-06-17 { + description + "Added: CLICON_CLI_LINES_DEFAULT + Added enum HIDE to CLICON_CLI_GENMODEL + Added CLICON_SSL_SERVER_CERT, CLICON_SSL_SERVER_KEY, CLICON_SSL_CA_CERT + Added CLICON_NACM_DISABLED_ON_EMPTY + Removed default valude of CLICON_NACM_RECOVERY_USER"; + } + revision 2020-04-23 { + description + "Added: CLICON_YANG_UNKNOWN_ANYDATA to treat unknown XML (wrt YANG) as anydata. + Deleted: xml-stats non-config data (replaced by rpc stats in clixon-lib.yang)"; + } + revision 2020-02-22 { + description + "Added: search index extension, + Added: clixon-stats state for clixon XML and memory statistics. + Added: CLICON_CLI_BUF_START and CLICON_CLI_BUF_THRESHOLD for quadratic and linear + growth of CLIgen buffers (cbuf:s) + Added: CLICON_VALIDATE_STATE_XML for controling validation of user state XML + Added: CLICON_CLICON_YANG_LIST_CHECK to skip list key checks"; + } + revision 2019-09-11 { + description + "Added: CLICON_BACKEND_USER: drop of privileges to user, + CLICON_BACKEND_PRIVILEGES: how to drop privileges + CLICON_NACM_CREDENTIALS: If and how to check backend sock privileges with NACM + CLICON_NACM_RECOVERY_USER: Name of NACM recovery user."; + } + revision 2019-06-05 { + description + "Added: CLICON_YANG_REGEXP, CLICON_CLI_TAB_MODE, + CLICON_CLI_HIST_FILE, CLICON_CLI_HIST_SIZE, + CLICON_XML_CHANGELOG, CLICON_XML_CHANGELOG_FILE; + Renamed CLICON_XMLDB_CACHE to CLICON_DATASTORE_CACHE (changed type) + Deleted: CLICON_XMLDB_PLUGIN, CLICON_USE_STARTUP_CONFIG"; + } + revision 2019-03-05{ + description + "Changed URN. Changed top-level symbol to clixon-config. 
+ Released in Clixon 3.10"; + } + revision 2019-02-06 { + description + "Released in Clixon 3.9"; + } + revision 2018-10-21 { + description + "Released in Clixon 3.8"; + } + extension search_index { + description "This list argument acts as a search index using optimized binary search. + "; + } + typedef startup_mode{ + description + "Which method to boot/start clicon backend. + The methods differ in how they reach a running state + Which source database to commit from, if any."; + type enumeration{ + enum none{ + description + "Do not touch running state + Typically after crash when running state and db are synched"; + } + enum init{ + description + "Initialize running state. + Start with a completely clean running state"; + } + enum running{ + description + "Commit running db configuration into running state + After reboot if a persistent running db exists"; + } + enum startup{ + description + "Commit startup configuration into running state + After reboot when no persistent running db exists"; + } + enum running-startup{ + description + "First try running db, if it is empty try startup db."; + } + } + } + typedef datastore_cache{ + description + "XML configuration, ie running/candididate/ datastore cache behaviour."; + type enumeration{ + enum nocache{ + description "No cache always work directly with file"; + } + enum cache{ + description "Use in-memory cache. + Make copies when accessing internally."; + } + enum cache-zerocopy{ + description "Use in-memory cache and dont copy. + Fastest but opens up for callbacks changing cache."; + } + } + } + typedef nacm_mode{ + description + "Mode of RFC8341 Network Configuration Access Control Model. 
+ It is unclear from the RFC whether NACM rules are internal + in a configuration (ie embedded in regular config) or external/OOB + in s separate, specific NACM-config"; + type enumeration{ + enum disabled{ + description "NACM is disabled"; + } + enum internal{ + description "NACM is enabled and available in the regular config"; + } + enum external{ + description "NACM is enabled and available in a separate config"; + } + } + } + typedef regexp_mode{ + description + "The regular expression engine Clixon uses in its validation of + Yang patterns, and in the CLI. + Yang RFC 7950 stipulates XSD XML Schema regexps + according to W3 CXML Schema Part 2: Datatypes Second Edition, + see http://www.w3.org/TR/2004/REC-xmlschema-2-20041028#regexs"; + type enumeration{ + enum posix { + description + "Translate XSD XML Schema regexp:s to Posix regexp. This is + not a complete translation, but can be considered good-enough + for Yang use-cases as defined by openconfig and yang-models + for example."; + } + enum libxml2 { + description + "Use libxml2 XSD XML Schema regexp engine. This is a complete + XSD regexp engine.. + Requires libxml2 to be available at configure time + (HAVE_LIBXML2 should be set)"; + } + } + } + typedef priv_mode{ + description + "Privilege mode, used for dropping (or not) privileges to a non-provileged + user after initialization"; + type enumeration{ + enum none { + description + "Make no drop/change in privileges."; + } + enum drop_perm { + description + "After initialization, drop privileges permanently to a uid"; + } + enum drop_temp { + description + "After initialization, drop privileges temporarily to a euid"; + } + } + } + typedef nacm_cred_mode{ + description + "How NACM user should be matched with unix socket peer credentials. + This means nacm user must match socket peer user accessing the + backend socket. 
For IP sockets only mode none makes sense."; + type enumeration{ + enum none { + description + "Dont match NACM user to any user credentials. Any user can pose + as any other user. Set this for IP sockets, or dont use NACM."; + } + enum exact { + description + "Exact match between NACM user and unix socket peer user."; + } + enum except { + description + "Exact match between NACM user and unix socket peer user, except + for root and www user (restconf)."; + } + } + } + typedef socket_address_family { + description "Address family for internal socket"; + type enumeration{ + enum UNIX { + description "Unix domain socket"; + } + enum IPv4 { + description "IPv4"; + } + enum IPv6 { + description "IPv6"; + } + } + } + container clixon-config { + container restconf { + uses clrc:clixon-restconf; + } + container autocli { + uses autocli:clixon-autocli; + } + leaf-list CLICON_FEATURE { + description + "Supported features as used by YANG feature/if-feature + value is: :, where and + are either names, or the special character '*'. + *:* means enable all features + :* means enable all features in the specified module + *: means enable the specific feature in all modules"; + type string; + } + leaf-list CLICON_YANG_DIR { + ordered-by user; + type string; + description + "Yang directory path for finding module and submodule files. + A list of these options should be in the configuration. + When loading a Yang module, Clixon searches this list in the order + they appear. + Note since Clixon 5.4 such a directory is searched recursively, not just the + directory itself. + Ensure that YANG_INSTALLDIR (default + /usr/local/share/clixon) is present in the path"; + } + leaf CLICON_CONFIGFILE{ + type string; + description + "Location of the main configuration-file. + Default is CLIXON_DEFAULT_CONFIG=/usr/local/etc/clicon.xml set in configure. 
+ Note that due to bootstrapping, this value is not actually read from file + and therefore a default value would be meaningless."; + } + leaf CLICON_CONFIGDIR{ + type string; + description + "Location of directory of extra configuration files. + If not given, only main configfile is read. + If given, and if the directory exists, all files in this directory will be loaded + AFTER the main config file (CLICON_CONFIGFILE) in the following way: + - leaf values are overwritten + - leaf-list values are appended + The files in this directory will be loaded alphabetically. + If the dir is given but does not exist will result in an error. + You can override file setting with -E command-line option. + Note that due to bootstraping this value is only meaningful in the main config file"; + } + leaf CLICON_CONFIG_EXTEND { + type string; + description + "If specified load an application-specific configuration YANG that overrides + this config. + Normally, that YANG imports clixon-config. + This field is a 'bootstrap' field. + "; + } + leaf CLICON_YANG_MAIN_FILE { + type string; + description + "If specified load a yang module in a specific absolute filename. + This corresponds to the -y command-line option in most CLixon + programs."; + } + leaf CLICON_YANG_MAIN_DIR { + type string; + description + "If given, load all modules in this directory (all .yang files) + See also CLICON_YANG_DIR which specifies a path of dirs"; + } + leaf CLICON_YANG_MODULE_MAIN { + type string; + description + "Option used to construct initial yang file: + [@]"; + } + leaf CLICON_YANG_MODULE_REVISION { + type string; + description + "Option used to construct initial yang file: + [@]. + Used together with CLICON_YANG_MODULE_MAIN"; + } + leaf CLICON_YANG_REGEXP { + type regexp_mode; + default posix; + description + "The regular expression engine Clixon uses in its validation of + Yang patterns, and in the CLI. 
+ There is a 'good-enough' posix translation mode and a complete + libxml2 mode"; + } + leaf CLICON_YANG_UNKNOWN_ANYDATA{ + type boolean; + default false; + description + "Treat unknown XML/JSON nodes as anydata when loading from startup db. + This does not apply to namespaces, which means a top-level node: xxx:yyy + is accepted only if yyy is unknown, not xxx. + Note that this option has several caveats which needs to be fixed. Please + use with care. + The primary issue is that the unknown->anydata handling is not restricted to + only loading from startup but may occur in other circumstances as well. This + means that sanity checks of erroneous XML/JSON may not be properly signalled. + Note this is similar to what happens to YANG nodes that are disabled by a false + if-feature statement."; + } + leaf CLICON_BACKEND_DIR { + type string; + description + "Location of backend .so plugins. Load all .so + plugins in this dir as backend plugins"; + } + leaf CLICON_YANG_SCHEMA_MOUNT{ + type boolean; + description + "YANG schema mount, RFC 8528. + When enabled, mount-points as defined by the 'yangmnt:mount-point' extension can + be populated by other YANGs than the root. + This is controlled by the ca_yang_mount plugin callback by returning a assigning a + yanglib module-set section that corresponds to the mounted YANGs. + Also, schema mount statistics is added to state data + Further, autocli syntax is added by definining a tree resolve wrapper"; + default false; + } + leaf CLICON_BACKEND_REGEXP { + type string; + description + "Regexp of matching backend plugins in CLICON_BACKEND_DIR"; + default "(.so)$"; + } + leaf CLICON_NETCONF_DIR{ + type string; + description "Location of netconf (frontend) .so plugins"; + } + leaf CLICON_NETCONF_HELLO_OPTIONAL { + type boolean; + default false; + description + "This option relates to RFC 6241 Sec 8.1 Capabilies Exchange where it says: + When the NETCONF session is opened, each peer (both client and server) MUST + send a element... 
+ If true, an RPC can be processed directly with no preceeding hello message. + This is legacy clixon but invalid according to the RFC. + If false, NETCONF hello messages are mandatory before any RPC can be processed. + That is, if clixon receives an rpc with no previous hello message, an error + is returned, which conforms to the RFC. + Note this applies only to external NETCONF, not the internal (IPC) netconf"; + } + leaf CLICON_NETCONF_MESSAGE_ID_OPTIONAL { + type boolean; + default false; + description + "This option relates to RFC 6241 Sec 4.1 Element + The element has a mandatory attribute 'message-id', which is a + string chosen by the sender of the RPC. + If true, an RPC can be sent without a message-id. + This applies to both external NETCONF and internal (IPC) netconf"; + } + leaf CLICON_NETCONF_BASE_CAPABILITY { + type int32; + default 1; + description + "This option relates to RFC6241 Sec 8.1 capabilities exchange. + This number is the highest netconf base capability announced during + the hello protocol. + Specifically, If the option number is 0, only 'urn:ietf:params:netconf:base:1.0' + is announced, if it is 1, both 'urn:ietf:params:netconf:base:1.0' and + 'urn:ietf:params:netconf:base:1.1' are announced. + Base capability '1' includes switching over to chunked framing as defined in + RFC6242 for example. + This only applies to the external NETCONF"; + } + leaf CLICON_NETCONF_DUPLICATE_ALLOW { + type boolean; + default false; + description + "Disable duplicate check in NETCONF messages. + In Clixon 7.0, a stricter check of duplicate entries in incoming NETCONF messages was made. + More specifically: lists and leaf-lists with non-unique entries. + Enable to disable this check, and to allow duplicates in incoming NETCONF messages. 
+ Note that this is an error by such a client, but there is some legacy code that uses this"; + } + leaf CLICON_NETCONF_CREATOR_ATTR { + type boolean; + default false; + description + "If set, clixon will accept the 'creator' attribute as defined by the + creator annotation in clixon-lib. + It can be used when several clients (such as a 'service') can create the same object. + If one such client/service is deleted, the object is deleted only if all services + that created the object are deleted. + The clixon controller uses this feature, but could in principle be used by other + applications. + Marked as obsolete in 7.0 since creators attribute replaced by clixon-lib creators + config"; + status obsolete; + } + leaf CLICON_RESTCONF_API_ROOT { + type string; + default "/restconf"; + description + "The RESTCONF API root path + See RFC 8040 Sec 1.16 and 3.1"; + } + leaf CLICON_RESTCONF_DIR { + type string; + description + "Location of restconf (frontend) .so plugins. Load all .so + plugins in this dir as restconf code plugins + Note: This cannot be moved to clixon-restconf.yang because it is needed + early in the bootstrapping phase, before clixon-restconf.yang config may + be loaded."; + } + leaf CLICON_RESTCONF_INSTALLDIR { + type string; + description + "If set, path to dir of clixon-restconf daemon binary as used by backend if + started internally (run-time). + If this path is not set, clixon_restconf will be looked for according to + configured installdir: $(sbindir) (install-time) + Since programs can be moved around at install/cross-compile time the installed + dir may be difficult to know at install time, which is the reason why + CLICON_RESTCONF_INSTALLDIR exists, in order to override the Makefile + installdir. + Note on the installdir, DESTDIR is not included since according to man pages: + by specifying DESTDIR should not change the operation of the software in + any way, so its value should not be included in any file contents. 
"; + } + leaf CLICON_RESTCONF_STARTUP_DONTUPDATE { + type boolean; + default false; + description + "According to RFC 8040 Sec 1.4: + If the NETCONF server supports :startup, the RESTCONF server MUST automatically + update the [...] startup configuration [...] as a consequence of a RESTCONF + edit operation. + Setting this option disables this behaviour, ie the startup configuration is NOT + automatically updated. + If this option is false, the startup is automatically updated following the RFC"; + } + leaf CLICON_RESTCONF_USER { + type string; + description + "Run clixon_daemon as this user + When drop privileges is used, the daemon will drop privileges to this user. + In pre-5.2 code this was configured as compile-time constant WWWUSER with + default value www-data + See also CLICON_PRIVILEGES setting"; + default www-data; + } + leaf CLICON_RESTCONF_PRIVILEGES { + type priv_mode; + default drop_perm; + description + "Restconf privileges mode. + If drop_perm or drop_temp then drop privileges to CLICON_RESTCONF_USER. + If the platform does not support getresuid and accompanying functions, the mode + must be set to 'none'. + "; + } + leaf CLICON_RESTCONF_HTTP2_PLAIN { + type boolean; + default false; + description + "Applies to plain (non-tls) http/2 ie when clixon is configured with --enable-nghttp2 + If false, disable direct and upgrade for plain(non-tls) HTTP/2. + If true, allow direct and upgrade for plain(non-tls) HTTP/2. + It may especially useful to disable in http/1 + http/2 mode to avoid the complex + upgrade/switch from http/1 to http/2. + Note this also disables plain http/2 in prior-knowledge, that is, in http/2-only mode. + HTTP/2 in https(TLS) is unaffected"; + } + leaf CLICON_NOALPN_DEFAULT { + type string; + description + "By default Clixon Restconf over TLS/HTTPS uses ALPN for protocol selection. + This option controls the behavior if a client does NOT use ALPN for TLS. + AND both http/1 and http/2 is configured in Clixon. 
+ If the value is not set (or other value), Clixon closes the socket(reset) + If the value is 'http/1.1' then HTTP/1.1 is selected + If the value is 'http/2' then HTTP/2 is selected + Note that if Clixon is configured for only HTTP/1 (--disable-nghttp2), + then HTTP/1 is selected if the client does not use ALPN. + Likewise, if Clixon is configured for only HTTP/2 (--disable-http1), + then HTTP/2 is selected if the client does not use ALPN. + This option does not apply for plain (non-TLS) HTTP"; + } + leaf CLICON_HTTP_DATA_PATH { + if-feature "clrc:http-data"; + default "/"; + type string; + description + "URI match for http-data serving files specified by CLICON_HTTP_DATA_ROOT. + Must start with / (example: /) + Restconf paths at /restconf is always done before data (or streams) + The PATH is appended to CLICON_HTTP_DATA_ROOT to find a file. + Example, if PATH is /data and ROOT is /www, and a GET /index.html, the + corresponding file is '/www/data/index.html' + Both feature clixon-restconf:http-data and restconf/enable-http-data + must be enabled for this match to occur."; + } + leaf CLICON_HTTP_DATA_ROOT{ + if-feature "clrc:http-data"; + type string; + default "/var/www"; + description + "Location in file system where http-data files are looked for. + Soft links, '..', '~' etc are not followed. + See also CLICON_HTTP_DATA_PATH + Both feature clixon-restconf:http-data and restconf/enable-http-data + must be enabled for this match to occur."; + } + leaf CLICON_CLI_DIR { + type string; + description + "Directory containing frontend cli loadable plugins. Load all .so + plugins in this directory as CLI object plugins"; + } + leaf CLICON_CLISPEC_DIR { + type string; + description + "Directory containing frontend cligen spec files. Load all .cli + files in this directory as CLI specification files. 
+ See also CLICON_CLISPEC_FILE."; + } + leaf CLICON_CLISPEC_FILE { + type string; + description + "Specific frontend cligen spec file as alternative or complement + to CLICON_CLISPEC_DIR. Also available as -c in clixon_cli."; + } + leaf CLICON_CLI_MODE { + type string; + default "base"; + description + "Startup CLI mode. This should match a CLICON_MODE variable set in + one of the clispec files"; + } + leaf CLICON_CLI_VARONLY { + type int32; + default 1; + description + "Dont include keys in cvec in cli vars callbacks, + ie a & k in 'a k ' ignored + (consider boolean)"; + } + leaf CLICON_CLI_LINESCROLLING { + type int32; + default 1; + description + "Set to 0 if you want CLI to wrap to next line. + Set to 1 if you want CLI to scroll sideways when approaching + right margin"; + } + leaf CLICON_CLI_LINES_DEFAULT { + type int32; + default 24; + description + "Set to number of CLI terminal rows for scrolling. 0 means unlimited. + The number is set statically UNLESS: + - there is no terminal, such as file input, in which case nr lines is 0 + - there is a terminal sufficiently powerful to read the number of lines from + ioctl calls. + In other words, this setting is used ONLY on raw terminals such as serial + consoles."; + } + leaf CLICON_CLI_TAB_MODE { + type int8; + default 0; + description + "Set CLI tab mode. This is a bitfield of three bits: + bit 1: 0: shows short info of available commands + 1: has same output as , ie line per command + bit 2: 0: On , select a command over a if both exist + 1: Commands and vars have same preference. + bit 3: 0: On , never complete more than one level per + 1: Complete all levels at once if possible. + "; + } + leaf CLICON_CLI_UTF8 { + type int8; + default 0; + description + "Set to 1 to enable CLIgen UTF-8 experimental mode. 
+ Note that this feature is EXPERIMENTAL and may not properly handle + scrolling, control characters, etc + (consider boolean)"; + } + leaf CLICON_CLI_HIST_FILE { + type string; + default "~/.clixon_cli_history"; + description + "Name of CLI history file. If not given, history is not saved. + The number of lines is saved is given by CLICON_CLI_HIST_SIZE."; + } + leaf CLICON_CLI_HIST_SIZE { + type int32; + default 300; + description + "Number of lines to save in CLI history. + Also, if CLICON_CLI_HIST_FILE is set, also the size in lines + of the saved history."; + } + leaf CLICON_CLI_BUF_START { + type uint32; + default 256; + description + "CLIgen buffer (cbuf) initial size. + When the buffer needs to grow, the allocation grows quadratic up to a threshold + after which linear growth continues. + See CLICON_CLI_BUF_THRESHOLD"; + } + leaf CLICON_CLI_BUF_THRESHOLD { + type uint32; + default 65536; + description + "CLIgen buffer (cbuf) threshold size. + When the buffer exceeds the threshold, the allocation grows by adding the threshold + value to the buffer length. + If 0, the growth continues with quadratic growth. + See CLICON_CLI_BUF_THRESHOLD"; + } + leaf CLICON_CLI_HELPSTRING_TRUNCATE { + type boolean; + default false; + description + "CLIgen help string on query (?): Truncate help string on right margin mode + This only applies if you have long help strings, such as when generating them from a + spec such as the autocli"; + } + leaf CLICON_CLI_HELPSTRING_LINES { + type int32; + default 0; + description + "CLIgen help string on query (?) limit of number of lines to show, 0 means unlimited. + This only applies if you have multi-line help strings, such as when generating + from a spec, such as in the autocli."; + } + leaf CLICON_CLI_EXPAND_LEAFREF { + type boolean; + default false; + description + "If true, then CLI expansion of leafrefs (in expand_dbvar) are done using the + source values, not the references. 
+ This applies to the autocli but also in a handcrafted CLI if expand_dbvar is used.
+ Example, assume ifref with leafref pointing to source if values:
+ abc
+ b
+ If true, expansion will suggest a, b, c (source if values)
+ If false, expansion will suggest b (destination ifref values)
+ While setting this value makes sense for adding new values, it makes less sense for
+ deleting.";
+ }
+ leaf CLICON_SOCK_FAMILY {
+ type socket_address_family;
+ default UNIX;
+ description
+ "Address family for communicating with clixon_backend with one of:
+ Note IPv6 not implemented.
+ Note that UNIX socket makes credential check as follows:
+ (1) client needs rw access to the socket
+ (2) NACM credentials can be checked according to CLICON_NACM_CREDENTIALS
+ Warning: Only UNIX (not IPv4) sockets have credential mechanism.
+ ";
+ }
+ leaf CLICON_SOCK {
+ type string;
+ mandatory true;
+ description
+ "String description of Clixon Internal (IPC) socket that connects a clixon
+ client to the clixon backend. This string is dependent on family.
+ If CLICON_SOCK_FAMILY is:
+ - UNIX: The value is a Unix socket path
+ - IPv4: IPv4 address string
+ - IPv6: IPv6 address string (NYI)";
+ }
+ leaf CLICON_SOCK_PORT {
+ type int32;
+ default 4535;
+ description
+ "Inet socket port for communicating with clixon_backend
+ (only IPv4|IPv6)";
+ }
+ leaf CLICON_SOCK_GROUP {
+ type string;
+ default "clicon";
+ description
+ "Group membership to access clixon_backend unix socket and gid for
+ deamon";
+ }
+ leaf CLICON_BACKEND_USER {
+ type string;
+ description
+ "User name for backend (both foreground and daemonized).
+ If you set this value the backend if started as root will lower
+ the privileges after initialization.
+ The ownership of files created by the backend will also be set to this
+ user (eg datastores).
+ It also sets the backend unix socket owner to this user, but its group
+ is set by CLICON_SOCK_GROUP.
+ See also CLICON_BACKEND_PRIVILEGES setting";
+ }
+ leaf CLICON_BACKEND_PRIVILEGES {
+ type priv_mode;
+ default none;
+ description
+ "Backend privileges mode.
+ If CLICON_BACKEND_USER user is set, mode can be set to drop_perm or
+ drop_temp.";
+ }
+ leaf CLICON_BACKEND_PIDFILE {
+ type string;
+ mandatory true;
+ description "Process-id file of backend daemon";
+ }
+ leaf CLICON_BACKEND_RESTCONF_PROCESS {
+ type boolean;
+ default false;
+ description
+ "If set, enable process-control of restconf daemon, ie start/stop restconf
+ daemon internally from backend daemon.
+ Also, if set, restconf daemon queries backend for its config
+ if not set, restconf daemon reads its config from main config file
+ It uses clixon-restconf.yang for config and clixon-lib.yang for RPC
+ Process control of restconf daemon is as follows:
+ - on RPC start, if enable is true, start the service, if false, error or ignore it
+ - on RPC stop, stop the service
+ - on backend start make the state as configured
+ - on enable change, make the state as configured
+ Disable if you start the restconf daemon by other means.";
+ }
+ leaf CLICON_AUTOCOMMIT {
+ type int32;
+ default 0;
+ description
+ "Set if all configuration changes are committed automatically
+ on every edit change. Explicit commit commands unnecessary
+ If confirm-commit, follow RESTCONF semantics: commit ephemeral but fail on
+ persistent confirming commit.
+ (consider boolean)";
+ }
+ leaf CLICON_XMLDB_DIR {
+ type string;
+ mandatory true;
+ description
+ "Directory where \"running\", \"candidate\" and \"startup\" are placed.";
+ }
+ leaf CLICON_DATASTORE_CACHE {
+ type datastore_cache;
+ default cache;
+ description
+ "Clixon datastore cache behaviour. There are three values: no cache,
+ cache with copy, or cache without copy.
+ Note: 'cache' is default value and supported with regressions etc.
+ Others are experimental (in Clixon 5.5)
+ Note that from 7.0 this is OBSOLETED, only datastore_cache is supported";
+ status obsolete;
+ }
+ leaf CLICON_XMLDB_FORMAT {
+ type cl:datastore_format;
+ default xml;
+ description "XMLDB datastore format.";
+ }
+ leaf CLICON_XMLDB_PRETTY {
+ type boolean;
+ default true;
+ description
+ "XMLDB datastore pretty print.
+ If set, insert spaces and line-feeds making the XML/JSON human
+ readable. If not set, make the XML/JSON more compact.";
+ }
+ leaf CLICON_XMLDB_MODSTATE {
+ type boolean;
+ default false;
+ description
+ "If set, tag datastores with RFC 8525 YANG Module Library
+ info. When loaded at startup, a check is made if the system
+ yang modules match.";
+ }
+ leaf CLICON_XMLDB_UPGRADE_CHECKOLD {
+ type boolean;
+ default true;
+ description
+ "Controls behavior of check of startup in upgrade scenarios.
+ If set, yang bind and check datastore syntax against the old Yang.
+ The old yang must be accessible via YANG_DIR.
+ Will fail startup if old yang not found or if old config does not match.
+ If not set, no yang check of old config is made until it is upgraded to new yang.";
+ }
+ leaf CLICON_XML_CHANGELOG {
+ type boolean;
+ default false;
+ description "If true enable automatic upgrade using yang clixon
+ changelog.";
+ }
+ leaf CLICON_XML_CHANGELOG_FILE {
+ type string;
+ description "Name of file with module revision changelog.
+ If CLICON_XML_CHANGELOG is true, Clixon
+ reads the module changelog from this file.";
+ }
+ leaf CLICON_VALIDATE_STATE_XML {
+ type boolean;
+ default false;
+ description
+ "Validate user state callback content.
+ AND NETCONF reply sanity (misnomer)
+ Users may register state callbacks using ca_statedata callback
+ When set, the XML returned from the callback is validated after merging with
+ the running db. If it fails, an internal error is returned to the originating
+ user.
+ If the option is not set, the XML returned by the user is not validated.
+ Note that enabling currently causes a large performance overhead for large
+ lists, therefore it is recommended to enable it during development and debugging
+ but disable it in production, until this has been resolved.";
+ }
+ leaf CLICON_PLUGIN_CALLBACK_CHECK {
+ type int32;
+ default 0;
+ description
+ "Debug option.
+ If >0, make a check of resources before and after each plugin callback code
+ to check if the plugin violated resources.
+ This is primarily intended for development and debugging but may also be enabled
+ in a running system.
+ If 1, errors will be logged to syslog as WARNINGs.
+ If 2, the program will abort using assert() on first error
+ The checks are currently made by plugin_context_check() and include:
+ - termios settings
+ - signal vectors
+ The checks will be made for all callbacks as defined in struct clixon_plugin_api
+ as well as the CLIgen callbacks.
+ See https://clixon-docs.readthedocs.io/en/latest/backend.html#plugin-callback-guidelines";
+ }
+ leaf CLICON_PLUGIN_DLOPEN_GLOBAL {
+ type boolean;
+ default false;
+ description
+ "Local/global flag for dlopen as described in the man page.
+ This applies to the opening of all clixon plugins (backend/cli/netconf/restconf)
+ when loading the shared .so file with dlopen.
+ If false: Symbols defined in this shared object are not made available to resolve
+ references in subsequently loaded shared objects (default).
+ If true: The symbols defined by this shared object will be made available for symbol res‐
+ olution of subsequently loaded shared objects.";
+ }
+ leaf CLICON_YANG_AUGMENT_ACCEPT_BROKEN {
+ type boolean;
+ default false;
+ description
+ "Debug option. If enabled, accept broken augments on the form:
+ augment { ... }
+ where is an XPath which MUST be an existing node but for many
+ yangmodels do not.
+ There are several cases why this may be the case:
+ - syntax errors,
+ - features that need to be enabled
+ - wrong XPaths, etc
+ This option should be enabled only for passing some testcases it should
+ normally never be enabled in system YANGs that are used in a system.";
+ }
+ leaf CLICON_NAMESPACE_NETCONF_DEFAULT {
+ type boolean;
+ default false;
+ description
+ "Undefine if you want to ensure strict namespace assignment on all netconf
+ and XML statements according to the standard RFC 6241.
+ If defined, top-level rpc calls need not have namespaces (eg using xmlns=)
+ since the default NETCONF namespace will be assumed. (This is not standard).
+ See rfc6241 3.1: urn:ietf:params:xml:ns:netconf:base:1.0.";
+
+ }
+ leaf CLICON_STARTUP_MODE {
+ type startup_mode;
+ description "Which method to boot/start clicon backend";
+ }
+ leaf CLICON_ANONYMOUS_USER {
+ type string;
+ default "anonymous";
+ description
+ "Name of anonymous user.
+ The current only case where such a user is used is in RESTCONF authentication when
+ auth-type=none and no known user is known.";
+ }
+ leaf CLICON_NACM_MODE {
+ type nacm_mode;
+ default disabled;
+ description
+ "RFC8341 network access configuration control model (NACM) mode: disabled,
+ in regular (internal) config or separate external file given by CLICON_NACM_FILE";
+ }
+ leaf CLICON_NACM_FILE {
+ type string;
+ description
+ "RFC8341 NACM external configuration file (if CLIXON_NACM_MODE is external)";
+ }
+ leaf CLICON_NACM_CREDENTIALS {
+ type nacm_cred_mode;
+ default except;
+ description
+ "Verify nacm user credentials with unix socket peer cred.
+ This means nacm user must match unix user accessing the backend
+ socket.";
+ }
+ leaf CLICON_NACM_RECOVERY_USER {
+ type string;
+ description
+ "RFC8341 defines a 'recovery session' as outside its scope. Clixon
+ defines this user as having special admin rights to exempt from
+ all access control enforcements.
+ Note setting of CLICON_NACM_CREDENTIALS is important, if set to
+ exact for example, this user must exist and be used, otherwise
+ another user (such as root or www) can pose as the recovery user.";
+ }
+ leaf CLICON_NACM_DISABLED_ON_EMPTY {
+ type boolean;
+ default false;
+ description
+ "RFC 8341 and ietf-netconf-acm@2018-02-14.yang defines enable-nacm as true by
+ default. Since also write-default is deny by default it leads to that empty
+ configs can not be edited.
+ This means that a startup config must always have a NACM configuration or
+ that the NACM recovery session is used to edit an empty config.
+ If this option is set, Clixon disables NACM if a datastore does NOT contain a
+ NACM config on load.";
+ }
+ leaf CLICON_YANG_LIBRARY {
+ type boolean;
+ default true;
+ description
+ "Enable YANG library support as state data according to RFC8525.
+ If enabled, module info will appear when doing netconf get or
+ restconf GET.
+ The module state data is on the form:
+ ...
+ instead where the module state is on the form:
+ ...
+ See also CLICON_XMLDB_MODSTATE where the module state info is used to tag datastores
+ with module information.";
+ }
+ leaf CLICON_MODULE_SET_ID {
+ type string;
+ default "0";
+ description
+ "Only if CLICON_YANG_LIBRARY enabled.
+ Contains a server-specific identifier representing the current set of modules
+ and submodules. The server MUST change the value of this leaf if the
+ information represented by the 'module' list instances has changed.
+ The /yang-library/content-id state-data leaf is set with this value
+ If CLICON_MODULE_LIBRARY_RFC7895 is enabled, it sets the modules-state/module-set-id
+ instead";
+ }
+ leaf CLICON_NETCONF_MONITORING {
+ type boolean;
+ default true;
+ description
+ "Enable Netconf monitoring support as state data according to RFC6022.
+ If enabled, netconf monitoring info will appear when doing netconf get or
+ restconf GET.";
+ }
+ leaf CLICON_NETCONF_MONITORING_LOCATION {
+ type string;
+ description
+ "Extra Netconf monitoring location directory where schemas can be retrieved
+ apart from NETCONF.
+ Only if CLICON_NETCONF_MONITORING";
+ }
+ leaf CLICON_STREAM_DISCOVERY_RFC5277 {
+ type boolean;
+ default false;
+ description
+ "Enable event stream discovery as described in RFC 5277
+ section 3.2. If enabled, available streams will appear
+ when doing netconf get or restconf GET";
+ }
+ leaf CLICON_STREAM_DISCOVERY_RFC8040 {
+ type boolean;
+ default false;
+ description
+ "Enable monitoring information for the RESTCONF protocol from RFC 8040 as specified
+ in module ietf-restconf-monitoring.yang
+ Note that the name of this option is misleading, the monitoring module defines state
+ for both capabilities and streams, not only streams which the name indicates.
+ Also, consider changinf default to true.";
+ }
+ leaf CLICON_STREAM_PATH {
+ type string;
+ default "streams";
+ description
+ "Stream path appended to CLICON_STREAM_URL to form
+ stream subscription URL.
+ See CLICON_RESTCONF_API_ROOT and CLICON_HTTP_DATA_ROOT
+ Should be changed to include '/' ";
+ }
+ leaf CLICON_STREAM_URL {
+ type string;
+ default "https://localhost";
+ description "Prepend this to CLICON_STREAM_PATH to form URL.
+ See RFC 8040 Sec 9.3 location leaf:
+ 'Contains a URL that represents the entry point for
+ establishing notification delivery via server-sent events.'
+ Prepend this constant to name of stream.
+ Example: https://localhost/streams/NETCONF. Note this is the
+ external URL, not local behind a reverse-proxy.
+ Note that -s command-line option to clixon_restconf
+ should correspond to last path of url (eg 'streams')";
+ }
+ leaf CLICON_STREAM_PUB {
+ type string;
+ description "For stream publish using eg nchan, the base address
+ to publish to. Example value: http://localhost/pub
+ Example: stream NETCONF would then be pushed to
+ http://localhost/pub/NETCONF.
+ Note this may be a local/provate URL behind reverse-proxy.
+ If not given, do NOT enable stream publishing using NCHAN.";
+ }
+ leaf CLICON_STREAM_RETENTION {
+ type uint32;
+ default 3600;
+ units s;
+ description "Retention for stream replay buffers in seconds, ie how much
+ data to store before dropping. 0 means no retention";
+
+ }
+ leaf CLICON_LOG_STRING_LIMIT {
+ type uint32;
+ default 0;
+ description
+ "Length limitation of debug and log strings.
+ Especially useful for dynamic debug strings, such as packet dumps.
+ 0 means no limit";
+
+ }
+ leaf-list CLICON_SNMP_MIB {
+ description
+ "Names of MIBs that are used by clixon_snmp.
+ For each MIB M, a YANG file M.yang is expected to be found.
+ If not found, an error is genereated.
+ The YANG file M.yang is typically generated from the source MIB but can also
+ be handcrafted. An example of such a script is scripts/mib_to_yang.sh.
+ A list of these options should be in the configuration.";
+ type string;
+ }
+ leaf CLICON_SNMP_AGENT_SOCK {
+ type string;
+ default "unix:/tmp/clixon_snmp.sock";
+ description
+ "String description of AgentX socket that clixon_snmp listens to.
+ For example, for net-snmpd, the socket is created by using the following:
+ --agentXSocket=unix:
+ This string currently only supports UNIX socket path.
+ Note also that the user should consider setting permissions appropriately
+ XXX: This should be in later yang revision and documented as added when
+ merged with master";
+ }
+ }
+}
diff --git a/yang/clixon/clixon-lib@2023-11-01.yang b/yang/clixon/clixon-lib@2024-04-01.yang
similarity index 95%
rename from yang/clixon/clixon-lib@2023-11-01.yang
rename to yang/clixon/clixon-lib@2024-04-01.yang
index f34a6f01..21ba5072 100644
--- a/yang/clixon/clixon-lib@2023-11-01.yang
+++ b/yang/clixon/clixon-lib@2024-04-01.yang
@@ -68,6 +68,15 @@ module clixon-lib { - objectexisted "; + revision 2024-04-01 { + description + "Released in Clixon 7.1"; + } + revision 2024-01-01 { + description + "Removed container creators from 6.5 + Released in 7.0"; + } revision 2023-11-01 { description "Added ignore-compare extension @@ -197,8 +206,9 @@ module clixon-lib { extension ignore-compare { description "The object should be ignored when comparing device configs for equality. - One example is auto-created objects by the server, such as uid. - Another example is a plain-text password is changed to an encrypted by the server."; + The object should never be added, modified, or deleted on target. + Essentially a read-only object + One example is auto-created objects by the , such as uid."; } md:annotation creator { type string; @@ -210,21 +220,6 @@ module clixon-lib { Limitations: only objects that are actually added or deleted. A sub-object will not be noted"; } - container creators{ - config false; - description "Meta-data for creator attribute."; - list creator { - key name; - leaf name { - description "Name of creator / service (instance) name"; - type string; - } - leaf-list path { - description "Path to object"; - type string; - } - } - } rpc debug { description "Set debug level of backend."; input {
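Review bot: The revision history does not record the changed meaning of `ignore-compare`: the second hunk tightens its description from "ignored when comparing" to "should never be added, modified, or deleted on target", while the `revision 2024-04-01` statement added in the first hunk says only "Released in Clixon 7.1". Someone who reads the revision list to find semantic changes will miss this, so I would extend that description with a line such as `Changed ignore-compare: object is never added, modified or deleted on target`. The example that was dropped was the plain-text password that the server replaces with an encrypted value; under the new read-only wording it is unclear whether such leaves should still carry `ignore-compare`, and the extension description should say so, since the visible hunks do not show how they are treated now.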