* Changed config and install options for Restconf

* clixon_restconf daemon is installed in /usr/local/sbin (as clixon_backend), instead of /www-data
    * `configure --with-wwwdir=<dir>` remains but only applies to fcgi socket and log
    * New option `CLICON_RESTCONF_INSTALL_DIR` is set to where clixon_restconf is installed, with default `/usr/local/sbin/`
  * The user that restconf drops privileges to is defined by `CLICON_RESTCONF_USER`
    * `configure --with-wwwuser=<user>` is removed
  * How clixon_restconf drops privileges is controlled by the `CLICON_RESTCONF_PRIVILEGES` option
* New clixon-restconf@2020-05-20.yang revision
  * Added: restconf `log-destination`
This commit is contained in:
Olof hagsand 2021-05-21 15:12:06 +02:00
parent c3e26b004c
commit c20c672d83
32 changed files with 410 additions and 221 deletions


@ -41,11 +41,11 @@ datarootdir = @datarootdir@
# See also OPT_YANG_INSTALLDIR for the standard yang files
YANG_INSTALLDIR = @YANG_INSTALLDIR@
YANGSPECS = clixon-config@2021-03-08.yang
YANGSPECS += clixon-lib@2021-03-08.yang
YANGSPECS = clixon-config@2021-05-20.yang # 5.2
YANGSPECS += clixon-lib@2021-03-08.yang # 5.1
YANGSPECS += clixon-rfc5277@2008-07-01.yang
YANGSPECS += clixon-xml-changelog@2019-03-21.yang
YANGSPECS += clixon-restconf@2021-03-15.yang
YANGSPECS += clixon-restconf@2021-05-20.yang # 5.2
APPNAME = clixon # subdir ehere these files are installed


@ -43,6 +43,22 @@ module clixon-config {
***** END LICENSE BLOCK *****";
revision 2021-05-20 {
description
"Added option:
CLICON_RESTCONF_USER
CLICON_RESTCONF_PRIVILEGES
CLICON_RESTCONF_INSTALL_DIR
Released in Clixon 5.2";
}
revision 2021-03-08 {
description
"Added option:
CLICON_NETCONF_HELLO_OPTIONAL
CLICON_CLI_AUTOCLI_EXCLUDE
CLICON_XMLDB_UPGRADE_CHECKOLD
Released in Clixon 5.1";
}
revision 2020-12-30 {
description
"Added option:
@ -197,7 +213,7 @@ module clixon-config {
}
typedef cli_genmodel_type{
description
"How to generate CLI from YANG model,
"How to generate auto CLI from YANG model,
eg {container c {list a{ key x; leaf x; leaf y;}}";
type enumeration{
enum NONE{
@ -430,6 +446,20 @@ module clixon-config {
type string;
description "Location of netconf (frontend) .so plugins";
}
leaf CLICON_NETCONF_HELLO_OPTIONAL {
type boolean;
default false;
description
"This option relates to RFC 6241 Sec 8.1 Capabilies Exchange where it says:
When the NETCONF session is opened, each peer (both client and server) MUST
send a <hello> element...
If true, an RPC can be processed directly with no preceeding hello message.
This is legacy clixon but invalid according to the RFC.
If false, NETCONF hello messages are mandatory before any RPC can be processed.
That is, if clixon receives an rpc with no previous hello message, an error
is returned, which conforms to the RFC.
Note this applies only to external NETCONF, not the internal (IPC) netconf";
}
leaf CLICON_RESTCONF_DIR {
type string;
description
@ -445,10 +475,20 @@ module clixon-config {
description
"FastCGI unix socket. Should be specified in webserver
Eg in nginx: fastcgi_pass unix:/www-data/clicon_restconf.sock
Only if with-restconf=fcgi, NOT evhtp
Only if with-restconf=fcgi, NOT native
Note: Obsolete, use fcgi-socket in clixon-restconf.yang instead";
status obsolete;
}
leaf CLICON_RESTCONF_INSTALL_DIR {
type string;
default "/usr/local/sbin";
description
"Path to clixon-restconf daemon binary as used by backend if started internally
Discussion: Somewhat problematic to have it as run time option. It may think it
should be known at configure or install time, but for example the main docker
installation moves the binaries, and this may be true elsewehere too.
Maybe one could locate it via PATHs search";
}
leaf CLICON_RESTCONF_PRETTY {
type boolean;
@ -465,6 +505,22 @@ module clixon-config {
Note: Obsolete, use pretty in clixon-restconf.yang instead";
status obsolete;
}
leaf CLICON_RESTCONF_USER {
type string;
description
"User name for restconf.
In pre-5.2 code this was configured as compile-time constant WWWUSER with
default value www-data
See also CLICON_PRIVILEGES setting";
default www-data;
}
leaf CLICON_RESTCONF_PRIVILEGES {
type priv_mode;
default drop_perm;
description
"Restconf privileges mode.
If drop_perm or drop_temp then drop privileges to CLICON_RESTCONF_USER.";
}
leaf CLICON_CLI_DIR {
type string;
description
@ -506,7 +562,7 @@ module clixon-config {
type string;
default "datamodel";
description
"If CLICON_CLI_GENMOEL is set, CLI specs can reference the
"If CLICON_CLI_GENMODEL is set, CLI specs can reference the
model syntax using a model tree set by this option.
Three trees are generated with this name as a base, (assuming base is datamodel):
- @datamodel - a clispec for navigating in editing a configuration (set/merge/delete)
@ -526,7 +582,16 @@ module clixon-config {
leaf CLICON_CLI_GENMODEL_TYPE {
type cli_genmodel_type;
default "VARS";
description "How to generate and show CLI syntax: VARS|ALL";
description "How to generate and show auto CLI syntax: VARS|ALL|HIDE";
}
leaf CLICON_CLI_AUTOCLI_EXCLUDE {
type string;
description
"List of module names that should not be generated autocli from
Example:
<CLICON_CLI_AUTOCLI_EXCLUDE>clixon-restconf</CLICON_CLI_AUTOCLI_EXCLUDE>
means generate autocli for all models except clixon-restconf.yang
The value can be a list of space separated module names";
}
leaf CLICON_CLI_VARONLY {
type int32;
@ -676,7 +741,7 @@ module clixon-config {
user (eg datastores).
It also sets the backend unix socket owner to this user, but its group
is set by CLICON_SOCK_GROUP.
See also CLICON_PRIVILEGES setting";
See also CLICON_BACKEND_PRIVILEGES setting";
}
leaf CLICON_BACKEND_PRIVILEGES {
type priv_mode;
@ -697,6 +762,8 @@ module clixon-config {
description
"If set, enable process-control of restconf daemon, ie start/stop restconf
daemon internally from backend daemon.
Also, if set, restconf daemon queries backend for its config
if not set, restconf daemon reads its config from main config file
It uses clixon-restconf.yang for config and clixon-lib.yang for RPC
Process control of restconf daemon is as follows:
- on RPC start, if enable is true, start the service, if false, error or ignore it
@ -748,6 +815,16 @@ module clixon-config {
yang modules match.
See also CLICON_MODULE_LIBRARY_RFC7895";
}
leaf CLICON_XMLDB_UPGRADE_CHECKOLD {
type boolean;
default true;
description
"Controls behavior of check of startup in upgrade scenarios.
If set, yang bind and check datastore syntax against the old Yang.
The old yang must be accessible via YANG_DIR.
Will fail startup if old yang not found or if old config does not match.
If not set, no yang check of old config is made until it is upgraded to new yang.";
}
leaf CLICON_XML_CHANGELOG {
type boolean;
default false;
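Review bot: The description of the new CLICON_RESTCONF_USER leaf says `See also CLICON_PRIVILEGES setting`, but no such leaf exists; the leaf added right below it is CLICON_RESTCONF_PRIVILEGES, and the commit already fixes the same stale cross-reference for CLICON_BACKEND_USER in the -676 hunk, so this one should read `See also CLICON_RESTCONF_PRIVILEGES setting`. A second point on CLICON_RESTCONF_INSTALL_DIR: since the backend presumably executes whatever binary it finds under this runtime-configurable path, the description should state the trust assumption an operator must uphold, e.g. `The directory and the binary must be owned by root and must not be writable by CLICON_RESTCONF_USER or any other unprivileged user, since the backend executes it`. The "locate it via PATH search" idea left open in that description would extend the same trust to every PATH entry of the backend, so it is better recorded as rejected than as a future option. The new description text also carries the typo `elsewehere`. The module body continues outside these hunks.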


@ -17,7 +17,7 @@ module clixon-restconf {
"This YANG module provides a data-model for the Clixon RESTCONF daemon.
***** BEGIN LICENSE BLOCK *****
Copyright (C) 2020 Olof Hagsand and Rubicon Communications, LLC(Netgate)
This file is part of CLIXON
Licensed under the Apache License, Version 2.0 (the \"License\");
@ -35,7 +35,7 @@ module clixon-restconf {
in which case the provisions of the GPL are applicable instead
of those above. If you wish to allow use of your version of this file only
under the terms of the GPL, and not to allow others to
use your version of this file under the terms of Apache License version 2,
use your version of this file under the terms of Apache License version 2,
indicate your decision by deleting the provisions above and replace them with
the notice and other provisions required by the GPL. If you do not delete
the provisions above, a recipient may use your version of this file under
@ -43,6 +43,17 @@ module clixon-restconf {
***** END LICENSE BLOCK *****";
revision 2021-05-20 {
description
"Added log-destination for restconf
Released in Clixon 5.2";
}
revision 2021-03-15 {
description
"make authentication-type none a feature
Added flag to enable core dumps
Released in Clixon 5.1";
}
revision 2020-12-30 {
description
"Added: debug field
@ -53,6 +64,7 @@ module clixon-restconf {
description
"Initial release";
}
feature fcgi {
description
"This feature indicates that the restconf server supports the fast-cgi reverse
@ -62,12 +74,18 @@ module clixon-restconf {
The alternative is the internal HTTP solution using evhtp.";
}
feature allow-auth-none {
description
"This feature allows the use of authentication-type none.";
}
typedef http-auth-type {
type enumeration {
enum none {
if-feature "allow-auth-none";
description
"Incoming message are set to authenticated by default. No ca-auth callback is called,
Authenticated user is set to special user 'none'.
"Incoming message are set to authenticated by default. No ca-auth callback is called,
Authenticated user is set to special user 'none'.
Typically assumes NACM is not enabled.";
}
enum client-certificate {
@ -85,12 +103,26 @@ module clixon-restconf {
description
"Enumeration of HTTP authorization types.";
}
typedef log-destination {
type enumeration {
enum syslog {
description
"Log to syslog with:
ident: clixon_restconf and PID
facility: LOG_USER";
}
enum file {
description
"Log to generated file at /var/log/clixon_restconf.log";
}
}
}
grouping clixon-restconf{
description
"HTTP RESTCONF configuration.";
leaf enable {
type boolean;
default "false";
default "false";
description
"Enables RESTCONF functionality.
Note that starting/stopping of a restconf daemon is different from it being
@ -103,34 +135,45 @@ module clixon-restconf {
description
"The authentication type.
Note client-certificate applies only if ssl-enable is true and socket has ssl";
default none;
default user;
}
leaf debug {
description
"Set debug level of restconf daemon.
0 is no debug, 1 is debugging, more is detailed debug.
Debug logs will be directed to syslog with
ident: clixon_restconf and PID
facility: LOG_USER
level: LOG_DEBUG";
type uint32;
"Set debug level of restconf daemon.
0 is no debug, 1 is debugging, more is detailed debug.
Debug logs will be directed to log-destination with LOG_DEBUG level (for syslog)";
type uint32;
default 0;
}
leaf log-destination {
description
"Log destination.
If debug is not set, only notice, error and warning will be logged";
type log-destination;
default syslog;
}
leaf enable-core-dump {
description
"enable core dumps.
this is a no-op on systems that don't support it.";
type boolean;
default false;
}
leaf pretty {
type boolean;
default true;
default true;
description
"Restconf return value pretty print.
"Restconf return value pretty print.
Restconf clients may add HTTP header:
Accept: application/yang-data+json, or
Accept: application/yang-data+xml
to get return value in XML or JSON.
to get return value in XML or JSON.
RFC 8040 examples print XML and JSON in pretty-printed form.
Setting this value to false makes restconf return not pretty-printed
which may be desirable for performance or tests
This replaces the CLICON_RESTCONF_PRETTY option in clixon-config.yang";
}
/* From this point only specific options
/* From this point only specific options
* First fcgi-specific options
*/
leaf fcgi-socket {
@ -142,12 +185,12 @@ module clixon-restconf {
Eg in nginx: fastcgi_pass unix:/www-data/clicon_restconf.sock
Only if with-restconf=fcgi, NOT evhtp
This replaces CLICON_RESTCONF_PATH option in clixon-config.yang";
}
}
/* Second, evhtp-specific options */
leaf server-cert-path {
type string;
description
"Path to server certificate file.
"Path to server certificate file.
Note only applies if socket has ssl enabled";
}
leaf server-key-path {
@ -170,7 +213,8 @@ module clixon-restconf {
type string;
description
"Network namespace.
On platforms where namespaces are not suppported, always 'default'";
On platforms where namespaces are not suppported, 'default'
Default value can be changed by RESTCONF_NETNS_DEFAULT";
}
leaf address {
type inet:ip-address;