clixon/yang/clixon/clixon-config@2024-11-01.yang


module clixon-config {
yang-version 1.1;
namespace "http://clicon.org/config";
prefix cc;
import clixon-restconf {
prefix clrc;
}
import clixon-autocli {
prefix autocli;
}
import clixon-lib {
prefix cl;
}
organization
"Clicon / Clixon";
contact
"Olof Hagsand <olof@hagsand.se>";
description
"Clixon configuration file
***** BEGIN LICENSE BLOCK *****
Copyright (C) 2009-2019 Olof Hagsand
Copyright (C) 2020-2022 Olof Hagsand and Rubicon Communications, LLC(Netgate)
This file is part of CLIXON
Licensed under the Apache License, Version 2.0 (the \"License\");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an \"AS IS\" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Alternatively, the contents of this file may be used under the terms of
the GNU General Public License Version 3 or later (the \"GPL\"),
in which case the provisions of the GPL are applicable instead
of those above. If you wish to allow use of your version of this file only
under the terms of the GPL, and not to allow others to
use your version of this file under the terms of Apache License version 2,
indicate your decision by deleting the provisions above and replace them with
the notice and other provisions required by the GPL. If you do not delete
the provisions above, a recipient may use your version of this file under
the terms of any one of the Apache License version 2 or the GPL.
***** END LICENSE BLOCK *****";
revision 2024-11-01 {
description
"Added options:
CLICON_XMLDB_SYSTEM_ONLY_CONFIG
Changed: CLICON_NETCONF_DUPLICATE_ALLOW to not only check but remove duplicates
Released in Clixon 7.3";
}
revision 2024-08-01 {
description
"Added options:
CLICON_YANG_DOMAIN_DIR
CLICON_YANG_USE_ORIGINAL
Released in Clixon 7.2";
}
revision 2024-04-01 {
description
"Added options:
CLICON_NETCONF_DUPLICATE_ALLOW: Disable duplicate check in NETCONF messages.
CLICON_LOG_DESTINATION: Default log destination
CLICON_LOG_FILE: Which file to log to if file logging
CLICON_DEBUG: Debug flags.
CLICON_YANG_SCHEMA_MOUNT_SHARE: Share same YANGs of equal moint-points.
CLICON_SOCK_PRIO: Enable socket event priority
CLICON_XMLDB_MULTI: Split datastore into multiple sub files
CLICON_CLI_OUTPUT_FORMAT: Defauldirt CLI output format
CLICON_AUTOLOCK: Implicit locks
Released in Clixon 7.1";
}
revision 2024-01-01 {
description
"Changed semantics:
CLICON_VALIDATE_STATE_XML - disable return sanity checks if false
Marked as obsolete:
CLICON_DATASTORE_CACHE
CLICON_NETCONF_CREATOR_ATTR
Changed semantics of
Released in Clixon 7.0";
}
revision 2023-11-01 {
description
"Added options:
CLICON_NETCONF_CREATOR_ATTR
Released in Clixon 6.5";
}
revision 2023-05-01 {
description
"Added options:
CLICON_CONFIG_EXTEND
CLICON_PLUGIN_DLOPEN_GLOBAL
Moved datastore-format datatype to clixon-lib
Released in Clixon 6.3";
}
revision 2023-03-01 {
description
"Added options:
CLICON_RESTCONF_NOALPN_DEFAULT
Extended datastore-format with CLI and text
Released in Clixon 6.2";
}
revision 2022-12-01 {
description
"Added options:
CLICON_YANG_SCHEMA_MOUNT
Removed (previosly marked) obsolete options:
CLICON_MODULE_LIBRARY_RFC7895
Released in Clixon 6.1";
}
revision 2022-11-01 {
description
"Added option:
CLICON_NETCONF_MONITORING
CLICON_NETCONF_MONITORING_LOCATION
Released in Clixon 6.0";
}
revision 2022-03-21 {
description
"Added option:
CLICON_RESTCONF_API_ROOT
CLICON_NETCONF_BASE_CAPABILITY
CLICON_HTTP_DATA_PATH
CLICON_HTTP_DATA_ROOT
CLICON_CLI_EXPAND_LEAFREF
Released in Clixon 5.7";
}
revision 2022-02-11 {
description
"Added option:
CLICON_LOG_STRING_LIMIT
CLICON_YANG_LIBRARY
Changed default value:
CLICON_MODULE_LIBRARY_RFC7895 to false
Removed (previosly marked) obsolete options:
CLICON_RESTCONF_PATH
CLICON_RESTCONF_PRETTY
CLICON_CLI_GENMODEL
CLICON_CLI_GENMODEL_TYPE
CLICON_CLI_GENMODEL_COMPLETION
CLICON_CLI_AUTOCLI_EXCLUDE
CLICON_CLI_MODEL_TREENAME
Released in Clixon 5.6";
}
revision 2021-12-05 {
description
"Imported
clixon-autocli.yang
Removed (previosly marked) obsolete options:
CLICON_YANG_LIST_CHECK
Marked as obsolete:
CLICON_CLI_GENMODEL (use autocli/enable-autocli instead)
CLICON_CLI_GENMODEL_TYPE (use autocli/list-keyword-default and compress rules instead)
CLICON_CLI_GENMODEL_COMPLETION (use autocli/completion-default instead)
CLICON_CLI_AUTOCLI_EXCLUDE (use autocli/module-default, rule/enable logic instead)
CLICON_CLI_MODEL_TREENAME (use constant AUTOCLI_TREENAME instead)
Released in Clixon 5.5";
}
revision 2021-11-11 {
description
"Added option:
CLICON_PLUGIN_CALLBACK_CHECK
CLICON_YANG_AUGMENT_ACCEPT_BROKEN
Modified options:
CLICON_CLI_GENMODEL_TYPE: added OC_COMPRESS enum
CLICON_YANG_DIR: recursive search
Released in Clixon 5.4";
}
revision 2021-07-11 {
description
"Added option:
CLICON_RESTCONF_HTTP2_PLAIN
Removed default value:
CLICON_RESTCONF_INSTALLDIR
Marked as obsolete:
CLICON_YANG_LIST_CHECK
Released in Clixon 5.3";
}
revision 2021-05-20 {
description
"Added option:
CLICON_RESTCONF_USER
CLICON_RESTCONF_PRIVILEGES
CLICON_RESTCONF_INSTALLDIR
CLICON_RESTCONF_STARTUP_DONTUPDATE
CLICON_NETCONF_MESSAGE_ID_OPTIONAL
Released in Clixon 5.2";
}
revision 2021-03-08 {
description
"Added option:
CLICON_NETCONF_HELLO_OPTIONAL
CLICON_CLI_AUTOCLI_EXCLUDE
CLICON_XMLDB_UPGRADE_CHECKOLD
Released in Clixon 5.1";
}
revision 2020-12-30 {
description
"Added option:
CLICON_ANONYMOUS_USER
Removed obsolete options:
CLICON_RESTCONF_IPV4_ADDR
CLICON_RESTCONF_IPV6_ADDR
CLICON_RESTCONF_HTTP_PORT
CLICON_RESTCONF_HTTPS_PORT
CLICON_SSL_SERVER_CERT
CLICON_SSL_SERVER_KEY
CLICON_SSL_CA_CERT
CLICON_TRANSACTION_MOD
Marked as obsolete and moved to clixon-restconf.yang:
CLICON_RESTCONF_PATH
CLICON_RESTCONF_PRETTY";
}
revision 2020-11-03 {
description
"Added CLICON_BACKEND_RESTCONF_PROCESS
Copied to clixon-restconf.yang and marked as obsolete:
CLICON_RESTCONF_IPV4_ADDR
CLICON_RESTCONF_IPV6_ADDR
CLICON_RESTCONF_HTTP_PORT
CLICON_RESTCONF_HTTPS_PORT
CLICON_SSL_SERVER_CERT
CLICON_SSL_SERVER_KEY
CLICON_SSL_CA_CERT
Removed obsolete option CLICON_TRANSACTION_MOD";
}
revision 2020-10-01 {
description
"Added: CLICON_CONFIGDIR.";
}
revision 2020-08-17 {
description
"Added: CLICON_RESTCONF_IPV4_ADDR, CLICON_RESTCONF_IPV6_ADDR,
CLICON_RESTCONF_HTTP_PORT, CLICON_RESTCONF_HTTPS_PORT
CLICON_NAMESPACE_NETCONF_DEFAULT,
CLICON_CLI_HELPSTRING_TRUNCATE, CLICON_CLI_HELPSTRING_LINES";
}
revision 2020-06-17 {
description
"Added: CLICON_CLI_LINES_DEFAULT
Added enum HIDE to CLICON_CLI_GENMODEL
Added CLICON_SSL_SERVER_CERT, CLICON_SSL_SERVER_KEY, CLICON_SSL_CA_CERT
Added CLICON_NACM_DISABLED_ON_EMPTY
Removed default valude of CLICON_NACM_RECOVERY_USER";
}
revision 2020-04-23 {
description
"Added: CLICON_YANG_UNKNOWN_ANYDATA to treat unknown XML (wrt YANG) as anydata.
Deleted: xml-stats non-config data (replaced by rpc stats in clixon-lib.yang)";
}
revision 2020-02-22 {
description
"Added: search index extension,
Added: clixon-stats state for clixon XML and memory statistics.
Added: CLICON_CLI_BUF_START and CLICON_CLI_BUF_THRESHOLD for quadratic and linear
growth of CLIgen buffers (cbuf:s)
Added: CLICON_VALIDATE_STATE_XML for controling validation of user state XML
Added: CLICON_CLICON_YANG_LIST_CHECK to skip list key checks";
}
revision 2019-09-11 {
description
"Added: CLICON_BACKEND_USER: drop of privileges to user,
CLICON_BACKEND_PRIVILEGES: how to drop privileges
CLICON_NACM_CREDENTIALS: If and how to check backend sock privileges with NACM
CLICON_NACM_RECOVERY_USER: Name of NACM recovery user.";
}
revision 2019-06-05 {
description
"Added: CLICON_YANG_REGEXP, CLICON_CLI_TAB_MODE,
CLICON_CLI_HIST_FILE, CLICON_CLI_HIST_SIZE,
CLICON_XML_CHANGELOG, CLICON_XML_CHANGELOG_FILE;
Renamed CLICON_XMLDB_CACHE to CLICON_DATASTORE_CACHE (changed type)
Deleted: CLICON_XMLDB_PLUGIN, CLICON_USE_STARTUP_CONFIG";
}
revision 2019-03-05{
description
"Changed URN. Changed top-level symbol to clixon-config.
Released in Clixon 3.10";
}
revision 2019-02-06 {
description
"Released in Clixon 3.9";
}
revision 2018-10-21 {
description
"Released in Clixon 3.8";
}
extension search_index {
description "This list argument acts as a search index using optimized binary search.
";
}
typedef startup_mode{
description
"Which method to boot/start clicon backend.
The methods differ in how they reach a running state
Which source database to commit from, if any.";
type enumeration{
enum none{
description
"Do not touch running state
Typically after crash when running state and db are synched";
}
enum init{
description
"Initialize running state.
Start with a completely clean running state";
}
enum running{
description
"Commit running db configuration into running state
After reboot if a persistent running db exists";
}
enum startup{
description
"Commit startup configuration into running state
After reboot when no persistent running db exists";
}
enum running-startup{
description
"First try running db, if it is empty try startup db.";
}
}
}
/*
 * Cache behaviour for the XML datastores.
 * Review note: per the cache-zerocopy description, that mode does not copy
 * the cache before handing data to callbacks, so callback (plugin) code can
 * change cached configuration in place. Treat plugin code as trusted with
 * the datastore if that mode is selected. The 2024-01-01 revision lists
 * CLICON_DATASTORE_CACHE as obsolete.
 */
typedef datastore_cache{
description
"XML configuration, ie running/candididate/ datastore cache behaviour.";
type enumeration{
enum nocache{
description "No cache always work directly with file";
}
enum cache{
description "Use in-memory cache.
Make copies when accessing internally.";
}
enum cache-zerocopy{
description "Use in-memory cache and dont copy.
Fastest but opens up for callbacks changing cache.";
}
}
}
/*
 * Selects whether RFC 8341 NACM is enabled and where its rules are kept.
 * Review note: 'disabled' means no NACM access control is applied. With
 * 'internal' the rules are part of the regular config (per the enum
 * description), so presumably anyone who may edit that part of the config
 * can change the rules; confirm how this is protected in a deployment.
 */
typedef nacm_mode{
description
"Mode of RFC8341 Network Configuration Access Control Model.
It is unclear from the RFC whether NACM rules are internal
in a configuration (ie embedded in regular config) or external/OOB
in s separate, specific NACM-config";
type enumeration{
enum disabled{
description "NACM is disabled";
}
enum internal{
description "NACM is enabled and available in the regular config";
}
enum external{
description "NACM is enabled and available in a separate config";
}
}
}
/*
 * Regular-expression engine used for YANG pattern validation and in the CLI.
 * Review note: the posix enum is described as an incomplete translation of
 * XSD regexps. A YANG pattern that acts as an input constraint may therefore
 * match differently from what the model author intended. Where patterns
 * guard security-relevant values, libxml2 is the mode described as a
 * complete XSD engine.
 */
typedef regexp_mode{
description
"The regular expression engine Clixon uses in its validation of
Yang patterns, and in the CLI.
Yang RFC 7950 stipulates XSD XML Schema regexps
according to W3 CXML Schema Part 2: Datatypes Second Edition,
see http://www.w3.org/TR/2004/REC-xmlschema-2-20041028#regexs";
type enumeration{
enum posix {
description
"Translate XSD XML Schema regexp:s to Posix regexp. This is
not a complete translation, but can be considered good-enough
for Yang use-cases as defined by openconfig and yang-models
for example.";
}
enum libxml2 {
description
"Use libxml2 XSD XML Schema regexp engine. This is a complete
XSD regexp engine..
Requires libxml2 to be available at configure time
(HAVE_LIBXML2 should be set)";
}
}
}
/*
 * Whether, and how, a daemon gives up privileges after initialization.
 * Review note: drop_perm is the only mode described as permanent.
 * drop_temp changes the effective uid only (per its description); on POSIX
 * systems such a drop can normally be reversed by the process itself, so it
 * presumably does not contain code running inside the daemon. Confirm
 * against the implementation. 'none' leaves the daemon with whatever
 * privileges it was started with.
 */
typedef priv_mode{
description
"Privilege mode, used for dropping (or not) privileges to a non-provileged
user after initialization";
type enumeration{
enum none {
description
"Make no drop/change in privileges.";
}
enum drop_perm {
description
"After initialization, drop privileges permanently to a uid";
}
enum drop_temp {
description
"After initialization, drop privileges temporarily to a euid";
}
}
}
/*
 * How the NACM user name is tied to the peer credentials of the backend
 * unix socket.
 * Review note: with 'none' the name is not matched against the socket peer
 * and, as the enum description states, any user can pose as any other. NACM
 * rules keyed on user name then give no protection against local clients of
 * the socket. 'except' exempts root and the www (restconf) user from the
 * exact match, so those two accounts can presumably present any NACM user
 * name. Confirm and protect them accordingly.
 */
typedef nacm_cred_mode{
description
"How NACM user should be matched with unix socket peer credentials.
This means nacm user must match socket peer user accessing the
backend socket. For IP sockets only mode none makes sense.";
type enumeration{
enum none {
description
"Dont match NACM user to any user credentials. Any user can pose
as any other user. Set this for IP sockets, or dont use NACM.";
}
enum exact {
description
"Exact match between NACM user and unix socket peer user.";
}
enum except {
description
"Exact match between NACM user and unix socket peer user, except
for root and www user (restconf).";
}
}
}
/*
 * Address family of the internal socket.
 * Review note: the nacm_cred_mode typedef in this module states that for IP
 * sockets only credential mode 'none' makes sense, i.e. peer-credential
 * matching is tied to the unix socket. Selecting IPv4 or IPv6 therefore
 * gives up that check, so access to the socket has to be restricted by
 * other means.
 */
typedef socket_address_family {
description "Address family for internal socket";
type enumeration{
enum UNIX {
description "Unix domain socket";
}
enum IPv4 {
description "IPv4";
}
enum IPv6 {
description "IPv6";
}
}
}
/*
 * Bit flags selecting where log output is written.
 * Review note: the 'file' bit defaults to clixon.log in the current
 * directory (per its description), so the log location depends on the
 * working directory the process was started in. Prefer an explicit log file
 * (the 2024-04-01 revision lists CLICON_LOG_FILE) in a directory that only
 * the daemon user can write.
 */
typedef log_destination_t {
description
"Log destination flags
Can also be given directly as -l <flag> to clixon commands
Note there are also constants in the code (logdstmap) that need to be
in sync with these values.
The duplication is because of bootstrapping, logging is needed before YANG
loaded";
type bits {
bit syslog {
position 0;
description "Syslog";
}
bit stderr {
position 1;
description "Standard I/O Error";
}
bit stdout {
position 2;
description "Standard I/O Output";
}
bit file {
position 3;
description "Log to file. By default clixon.log int current directory";
}
}
}
container clixon-config {
container restconf {
uses clrc:clixon-restconf;
}
container autocli {
uses autocli:clixon-autocli;
}
/*
 * YANG features to enable, as <module>:<feature> with '*' as wildcard.
 * Review note: wildcard entries enable every optional feature they match,
 * including ones that add network-facing behaviour. In this module the
 * CLICON_HTTP_DATA_PATH and CLICON_HTTP_DATA_ROOT leaves are gated by
 * if-feature clrc:http-data. Listing the needed features explicitly keeps
 * the enabled surface known.
 */
leaf-list CLICON_FEATURE {
description
"Supported features as used by YANG feature/if-feature
value is: <module>:<feature>, where <module> and <feature>
are either names, or the special character '*'.
*:* means enable all features
<module>:* means enable all features in the specified module
*:<feature> means enable the specific feature in all modules";
type string;
}
/* Configuration */
leaf CLICON_CONFIGFILE{
type string;
description
"Location of the main configuration-file.
Default is CLIXON_DEFAULT_CONFIG=/usr/local/etc/clicon.xml set in configure.
Note that due to bootstrapping, this value is not actually read from file
and therefore a default value would be meaningless.";
}
/*
 * Directory of extra .xml configuration files merged over the main file.
 * Review note: per the description, every .xml file in this directory is
 * loaded after the main config file and overwrites its leaf values, with
 * alphabetical order deciding among the extra files. That covers the
 * security settings of this module too (for example
 * CLICON_BACKEND_PRIVILEGES and the plugin directories), so the directory
 * needs the same ownership and write protection as CLICON_CONFIGFILE.
 */
leaf CLICON_CONFIGDIR{
type string;
description
"Location of directory of extra configuration files.
If not given, only main configfile is read.
If given, and if the directory exists, all files in this directory will be loaded
AFTER the main config file (CLICON_CONFIGFILE) in the following way:
- leaf values are overwritten
- leaf-list values are appended
The files in this directory are loaded alphabetically.
Only files ending with .xml are read
Sub-structures, eg <autocli> are replaced with the latest (alphabetically)
If the dir is given but does not exist will result in an error.
You can override file setting with -E <dir> command-line option.
Note that due to bootstraping this value is only meaningful in the main config file";
}
/*
 * Names an application-specific configuration YANG that overrides this one.
 * Review note: the description does not say how the value is resolved to a
 * file. The extending YANG decides which options the config file may carry,
 * so it should be installed with the same write protection as this module.
 */
leaf CLICON_CONFIG_EXTEND {
type string;
description
"If specified load an application-specific configuration YANG that overrides
this config.
Normally, that YANG imports clixon-config.
This field is a 'bootstrap' field.
";
}
/* YANG */
/*
 * Ordered search path for YANG module and submodule files.
 * Review note: the list is searched in configured order and, since Clixon
 * 5.4, each directory is searched recursively (per the description).
 * Presumably the first matching file is used, so a directory early in the
 * list that unprivileged users can write to could supply a substitute
 * module. Confirm the match order and keep all listed trees
 * administrator-owned.
 */
leaf-list CLICON_YANG_DIR {
ordered-by user;
type string;
description
"Yang directory path for finding module and submodule files.
A list of these options should be in the configuration.
When loading a Yang module, Clixon searches this list in the order
they appear.
Note since Clixon 5.4 such a directory is searched recursively, not just the
directory itself.
Ensure that YANG_INSTALLDIR (default
/usr/local/share/clixon) is present in the path";
}
leaf CLICON_YANG_MAIN_FILE {
type string;
description
"If specified load a yang module in a specific absolute filename.
This corresponds to the -y command-line option in most CLixon
programs.";
}
leaf CLICON_YANG_MAIN_DIR {
type string;
description
"If given, load all modules in this directory (all .yang files)
See also CLICON_YANG_DIR which specifies a path of dirs";
}
leaf CLICON_YANG_DOMAIN_DIR {
type string;
description
"Virtual domain directory for RFC 8528 mount-points.
If set and domain is given, instead of loading from CLICON_YANG_MAIN_DIR,
look for .yang files first in CLICON_YANG_DOMAIN_DIR/domain,
where domain is given as yangmnt:mount-point <domain>;
Useful in eg mountpoints where another YANG domain may be required,
even isolated from the main YANG context, as well as from other moint-points.
Note that CLICON_YANG_DIR that may be given as library YANGs are not isolated.
If not set, use CLICON_YANG_MAIN_DIR as default.";
}
leaf CLICON_YANG_MODULE_MAIN {
type string;
description
"Option used to construct initial yang file:
<module>[@<revision>]";
}
leaf CLICON_YANG_MODULE_REVISION {
type string;
description
"Option used to construct initial yang file:
<module>[@<revision>].
Used together with CLICON_YANG_MODULE_MAIN";
}
leaf CLICON_YANG_REGEXP {
type regexp_mode;
default posix;
description
"The regular expression engine Clixon uses in its validation of
Yang patterns, and in the CLI.
There is a 'good-enough' posix translation mode and a complete
libxml2 mode";
}
/*
 * Accept XML/JSON nodes unknown to the loaded YANG as anydata.
 * Review note: the description itself warns that the relaxed handling is
 * not limited to startup loading, and that erroneous XML/JSON may then not
 * be signalled. Enabling it weakens schema validation of incoming data, so
 * leave it at the default (false) unless a startup datastore requires it.
 */
leaf CLICON_YANG_UNKNOWN_ANYDATA{
type boolean;
default false;
description
"Treat unknown XML/JSON nodes as anydata when loading from startup db.
This does not apply to namespaces, which means a top-level node: xxx:yyy
is accepted only if yyy is unknown, not xxx.
Note that this option has several caveats which needs to be fixed. Please
use with care.
The primary issue is that the unknown->anydata handling is not restricted to
only loading from startup but may occur in other circumstances as well. This
means that sanity checks of erroneous XML/JSON may not be properly signalled.
Note this is similar to what happens to YANG nodes that are disabled by a false
if-feature statement.";
}
leaf CLICON_YANG_SCHEMA_MOUNT{
type boolean;
description
"YANG schema mount, RFC 8528.
When enabled, mount-points as defined by the 'yangmnt:mount-point' extension can
be populated by other YANGs than the root.
This is controlled by the ca_yang_mount plugin callback by returning a assigning a
yanglib module-set section that corresponds to the mounted YANGs.
Also, schema mount statistics is added to state data
Further, autocli syntax is added by definining a tree resolve wrapper";
default false;
}
leaf CLICON_YANG_SCHEMA_MOUNT_SHARE {
type boolean;
description
"For optimization purposes, share same YANGs of equal moint-points.
The mount-points need to be 'equal' in the sense that it has the same YANG
(yangmnt:mount-point is on same node).
A comparison is made between yang modules and revision and must match exactly.
If so, a new yang-spec is not created, instead the other is used.
Only if CLICON_YANG_SCHEMA_MOUNT is enabled";
default false;
}
leaf CLICON_YANG_AUGMENT_ACCEPT_BROKEN {
type boolean;
default false;
description
"Debug option. If enabled, accept broken augments on the form:
augment <target> { ... }
where <target> is an XPath which MUST be an existing node but for many
yangmodels do not.
There are several cases why this may be the case:
- syntax errors,
- features that need to be enabled
- wrong XPaths, etc
This option should be enabled only for passing some testcases it should
normally never be enabled in system YANGs that are used in a system.";
}
leaf CLICON_YANG_LIBRARY {
type boolean;
default true;
description
"Enable YANG library support as state data according to RFC8525.
If enabled, module info will appear when doing netconf get or
restconf GET.
The module state data is on the form:
<yang-library><module-set>...
instead where the module state is on the form:
<modules-state>...
See also CLICON_XMLDB_MODSTATE where the module state info is used to tag datastores
with module information.";
}
leaf CLICON_YANG_USE_ORIGINAL{
type boolean;
default false;
description
"YANG memory optimization.
If set, for a selected set of YANG nodes, (see uses_orig_ptr()):
For augmented and grouping/uses, use original YANG node instead of the derived node.
This is safe if all content of derived node is not changed (eg read-only).
It is not safe if the derived node is in some way different than the original node.
";
}
/* Backend */
/*
 * Directory from which the backend loads every matching .so as a plugin.
 * Review note: a shared object loaded as a plugin runs inside the backend
 * process with that process's privileges. The directory and its contents
 * should be writable only by the administrator. Plugins are presumably
 * loaded during initialization, i.e. before any drop configured through
 * CLICON_BACKEND_PRIVILEGES; confirm.
 */
leaf CLICON_BACKEND_DIR {
type string;
description
"Location of backend .so plugins. Load all .so
plugins in this dir as backend plugins";
}
/*
 * File-name filter applied to the entries of CLICON_BACKEND_DIR.
 * Review note: in the default "(.so)$" the dot is not escaped, so it matches
 * any character followed by "so" at the end of the name rather than only a
 * literal ".so" suffix. The regexp is a naming filter and not a trust check;
 * what may be loaded is decided by who can write to the directory.
 */
leaf CLICON_BACKEND_REGEXP {
type string;
description
"Regexp of matching backend plugins in CLICON_BACKEND_DIR";
default "(.so)$";
}
/*
 * Unprivileged account the backend switches to after initialization.
 * Review note: no default is declared, so unless this leaf is set a backend
 * started as root presumably keeps running as root. The same account owns
 * the files the backend creates (eg datastores) and the backend unix socket,
 * so choose a dedicated service account rather than one shared with other
 * software.
 */
leaf CLICON_BACKEND_USER {
type string;
description
"User name for backend (both foreground and daemonized).
If you set this value the backend if started as root will lower
the privileges after initialization.
The ownership of files created by the backend will also be set to this
user (eg datastores).
It also sets the backend unix socket owner to this user, but its group
is set by CLICON_SOCK_GROUP.
See also CLICON_BACKEND_PRIVILEGES setting";
}
/*
 * Privilege-drop mode of the backend daemon (see typedef priv_mode).
 * Review note: the default is 'none', which priv_mode describes as making
 * no change in privileges. Whether setting CLICON_BACKEND_USER alone is
 * enough to lower privileges is not clear from the two descriptions, so set
 * this leaf explicitly. drop_perm is the mode described as permanent. The
 * description also says privilege drop may not be combined with
 * CLICON_XMLDB_MULTI.
 */
leaf CLICON_BACKEND_PRIVILEGES {
type priv_mode;
default none;
description
"Backend privileges mode.
If CLICON_BACKEND_USER user is set, mode can be set to drop_perm or
drop_temp.
Drop privs may not be used together with CLICON_XMLDB_MULTI";
}
leaf CLICON_BACKEND_PIDFILE {
type string;
mandatory true;
description "Process-id file of backend daemon";
}
leaf CLICON_BACKEND_RESTCONF_PROCESS {
type boolean;
default false;
description
"If set, enable process-control of restconf daemon, ie start/stop restconf
daemon internally from backend daemon.
Also, if set, restconf daemon queries backend for its config
if not set, restconf daemon reads its config from main config file
It uses clixon-restconf.yang for config and clixon-lib.yang for RPC
Process control of restconf daemon is as follows:
- on RPC start, if enable is true, start the service, if false, error or ignore it
- on RPC stop, stop the service
- on backend start make the state as configured
- on enable change, make the state as configured
Disable if you start the restconf daemon by other means.";
}
/* Netconf */
/*
 * Directory of .so plugins for the netconf frontend.
 * Review note: plugins are shared objects that run inside the netconf
 * frontend process, so the directory should be writable only by the
 * administrator.
 */
leaf CLICON_NETCONF_DIR{
type string;
description "Location of netconf (frontend) .so plugins";
}
leaf CLICON_NETCONF_HELLO_OPTIONAL {
type boolean;
default false;
description
"This option relates to RFC 6241 Sec 8.1 Capabilies Exchange where it says:
When the NETCONF session is opened, each peer (both client and server) MUST
send a <hello> element...
If true, an RPC can be processed directly with no preceeding hello message.
This is legacy clixon but invalid according to the RFC.
If false, NETCONF hello messages are mandatory before any RPC can be processed.
That is, if clixon receives an rpc with no previous hello message, an error
is returned, which conforms to the RFC.
Note this applies only to external NETCONF, not the internal (IPC) netconf";
}
leaf CLICON_NETCONF_MESSAGE_ID_OPTIONAL {
type boolean;
default false;
description
"This option relates to RFC 6241 Sec 4.1 <rpc> Element
The <rpc> element has a mandatory attribute 'message-id', which is a
string chosen by the sender of the RPC.
If true, an RPC can be sent without a message-id.
This applies to both external NETCONF and internal (IPC) netconf";
}
leaf CLICON_NETCONF_BASE_CAPABILITY {
type int32;
default 1;
description
"This option relates to RFC6241 Sec 8.1 capabilities exchange.
This number is the highest netconf base capability announced during
the hello protocol.
Specifically, If the option number is 0, only 'urn:ietf:params:netconf:base:1.0'
is announced, if it is 1, both 'urn:ietf:params:netconf:base:1.0' and
'urn:ietf:params:netconf:base:1.1' are announced.
Base capability '1' includes switching over to chunked framing as defined in
RFC6242 for example.
This only applies to the external NETCONF";
}
leaf CLICON_NETCONF_CREATOR_ATTR {
type boolean;
default false;
description
"If set, clixon will accept the 'creator' attribute as defined by the
creator annotation in clixon-lib.
It can be used when several clients (such as a 'service') can create the same object.
If one such client/service is deleted, the object is deleted only if all services
that created the object are deleted.
The clixon controller uses this feature, but could in principle be used by other
applications.
Marked as obsolete in 7.0 since creators attribute replaced by clixon-lib creators
config";
status obsolete;
}
leaf CLICON_NETCONF_MONITORING {
type boolean;
default true;
description
"Enable Netconf monitoring support as state data according to RFC6022.
If enabled, netconf monitoring info will appear when doing netconf get or
restconf GET.";
}
leaf CLICON_NETCONF_MONITORING_LOCATION {
type string;
description
"Extra Netconf monitoring location directory where schemas can be retrieved
apart from NETCONF.
Only if CLICON_NETCONF_MONITORING";
}
/*
 * Remove, rather than reject, duplicate list and leaf-list entries in
 * incoming NETCONF messages.
 * Review note: when enabled, a message the description calls a client
 * error is silently normalized, keeping only the latest entry. Any
 * component that inspects the same message before Clixon (a filter, an
 * audit log) may see a different effective value than the one applied.
 * Keep the default (false) unless a legacy client needs it.
 */
leaf CLICON_NETCONF_DUPLICATE_ALLOW {
type boolean;
default false;
description
"Remove duplicates in incoming NETCONF messages instead of signaling errors.
In Clixon 7.0, a stricter check of duplicate entries in incoming NETCONF messages was made.
More specifically: lists and leaf-lists with non-unique entries.
Enable to disable this check, and to REMOVE duplicates in incoming NETCONF messages.
When duplicates are removed, only the latest entry is kept.
Note that this is an error by such a client, but there is some legacy code that uses this";
}
/* HTTP and Restconf */
leaf CLICON_RESTCONF_API_ROOT {
type string;
default "/restconf";
description
"The RESTCONF API root path
See RFC 8040 Sec 1.16 and 3.1";
}
/*
 * Directory from which the restconf daemon loads every .so as a plugin.
 * Review note: these plugins run inside the network-facing restconf
 * process. The description says the option is needed early in
 * bootstrapping, so loading presumably happens before the privilege drop
 * configured by CLICON_RESTCONF_PRIVILEGES; confirm. The directory should
 * be writable only by the administrator.
 */
leaf CLICON_RESTCONF_DIR {
type string;
description
"Location of restconf (frontend) .so plugins. Load all .so
plugins in this dir as restconf code plugins
Note: This cannot be moved to clixon-restconf.yang because it is needed
early in the bootstrapping phase, before clixon-restconf.yang config may
be loaded.";
}
/*
 * Run-time override for the directory holding the clixon-restconf binary
 * that the backend starts internally.
 * Review note: this value decides which executable the backend launches,
 * so both the configuration source that sets it and the directory it names
 * must be writable only by the administrator.
 */
leaf CLICON_RESTCONF_INSTALLDIR {
type string;
description
"If set, path to dir of clixon-restconf daemon binary as used by backend if
started internally (run-time).
If this path is not set, clixon_restconf will be looked for according to
configured installdir: $(sbindir) (install-time)
Since programs can be moved around at install/cross-compile time the installed
dir may be difficult to know at install time, which is the reason why
CLICON_RESTCONF_INSTALLDIR exists, in order to override the Makefile
installdir.
Note on the installdir, DESTDIR is not included since according to man pages:
by specifying DESTDIR should not change the operation of the software in
any way, so its value should not be included in any file contents. ";
}
leaf CLICON_RESTCONF_STARTUP_DONTUPDATE {
type boolean;
default false;
description
"According to RFC 8040 Sec 1.4:
If the NETCONF server supports :startup, the RESTCONF server MUST automatically
update the [...] startup configuration [...] as a consequence of a RESTCONF
edit operation.
Setting this option disables this behaviour, ie the startup configuration is NOT
automatically updated.
If this option is false, the startup is automatically updated following the RFC";
}
/*
 * Account the restconf daemon drops privileges to (default www-data).
 * Review note: the description's "clixon_daemon" and "CLICON_PRIVILEGES"
 * presumably mean the restconf daemon and CLICON_RESTCONF_PRIVILEGES; no
 * leaf named CLICON_PRIVILEGES is visible in this part of the module.
 * www-data is commonly shared with other web software, and nacm_cred_mode
 * 'except' exempts the www user from the exact credential match, so
 * consider a dedicated account.
 */
leaf CLICON_RESTCONF_USER {
type string;
description
"Run clixon_daemon as this user
When drop privileges is used, the daemon will drop privileges to this user.
In pre-5.2 code this was configured as compile-time constant WWWUSER with
default value www-data
See also CLICON_PRIVILEGES setting";
default www-data;
}
/*
 * Privilege-drop mode of the restconf daemon (see typedef priv_mode).
 * Review note: the default drop_perm is the mode described as permanent.
 * On platforms without getresuid the description requires 'none', which
 * leaves the network-facing daemon with the privileges it was started
 * with. In that case start it under an unprivileged account by other means.
 */
leaf CLICON_RESTCONF_PRIVILEGES {
type priv_mode;
default drop_perm;
description
"Restconf privileges mode.
If drop_perm or drop_temp then drop privileges to CLICON_RESTCONF_USER.
If the platform does not support getresuid and accompanying functions, the mode
must be set to 'none'.
";
}
/*
 * Allow HTTP/2 over plain (non-TLS) connections, direct and via upgrade.
 * Review note: plain HTTP/2 carries RESTCONF requests, including any
 * credentials and configuration data, without transport encryption. The
 * default (false) keeps it off; HTTP/2 over TLS is unaffected according to
 * the description.
 */
leaf CLICON_RESTCONF_HTTP2_PLAIN {
type boolean;
default false;
description
"Applies to plain (non-tls) http/2 ie when clixon is configured with --enable-nghttp2
If false, disable direct and upgrade for plain(non-tls) HTTP/2.
If true, allow direct and upgrade for plain(non-tls) HTTP/2.
It may especially useful to disable in http/1 + http/2 mode to avoid the complex
upgrade/switch from http/1 to http/2.
Note this also disables plain http/2 in prior-knowledge, that is, in http/2-only mode.
HTTP/2 in https(TLS) is unaffected";
}
/*
 * Protocol to select when a TLS client does not offer ALPN and both HTTP/1
 * and HTTP/2 are configured.
 * Review note: the type is an unrestricted string. Per the description, an
 * unset value or any value other than 'http/1.1' or 'http/2' makes Clixon
 * close the connection, so a misspelled value fails closed. The 2023-03-01
 * revision lists the option as CLICON_RESTCONF_NOALPN_DEFAULT while the
 * leaf is named CLICON_NOALPN_DEFAULT; check which name a given config
 * file uses.
 */
leaf CLICON_NOALPN_DEFAULT {
type string;
description
"By default Clixon Restconf over TLS/HTTPS uses ALPN for protocol selection.
This option controls the behavior if a client does NOT use ALPN for TLS.
AND both http/1 and http/2 is configured in Clixon.
If the value is not set (or other value), Clixon closes the socket(reset)
If the value is 'http/1.1' then HTTP/1.1 is selected
If the value is 'http/2' then HTTP/2 is selected
Note that if Clixon is configured for only HTTP/1 (--disable-nghttp2),
then HTTP/1 is selected if the client does not use ALPN.
Likewise, if Clixon is configured for only HTTP/2 (--disable-http1),
then HTTP/2 is selected if the client does not use ALPN.
This option does not apply for plain (non-TLS) HTTP";
}
/*
 * URI prefix under which static files from CLICON_HTTP_DATA_ROOT are served.
 * Review note: with the default "/", every request path not handled first
 * as RESTCONF is mapped onto the file system below the data root. A
 * narrower prefix limits which URIs reach the file-serving code. Serving
 * requires both feature clixon-restconf:http-data and
 * restconf/enable-http-data, per the description.
 */
leaf CLICON_HTTP_DATA_PATH {
if-feature "clrc:http-data";
default "/";
type string;
description
"URI match for http-data serving files specified by CLICON_HTTP_DATA_ROOT.
Must start with / (example: /)
Restconf paths at /restconf is always done before data (or streams)
The PATH is appended to CLICON_HTTP_DATA_ROOT to find a file.
Example, if PATH is /data and ROOT is /www, and a GET /index.html, the
corresponding file is '/www/data/index.html'
Both feature clixon-restconf:http-data and restconf/enable-http-data
must be enabled for this match to occur.";
}
/*
 * File-system root for the static files served by the http-data feature.
 * Review note: the description states that soft links, '..' and '~' are
 * not followed; that is the only traversal protection stated here. The
 * default /var/www is often shared with other web servers, so everything
 * below the root should be regarded as published. Consider a dedicated
 * directory readable by CLICON_RESTCONF_USER and holding nothing else.
 */
leaf CLICON_HTTP_DATA_ROOT{
if-feature "clrc:http-data";
type string;
default "/var/www";
description
"Location in file system where http-data files are looked for.
Soft links, '..', '~' etc are not followed.
See also CLICON_HTTP_DATA_PATH
Both feature clixon-restconf:http-data and restconf/enable-http-data
must be enabled for this match to occur.";
}
/* Clixon CLI */
/*
 * Directory from which the CLI loads every .so as a plugin.
 * Review note: these shared objects run inside each user's CLI process, so
 * the directory should be writable only by the administrator. Otherwise
 * one local user could supply code that runs in another user's CLI session.
 */
leaf CLICON_CLI_DIR {
type string;
description
"Directory containing frontend cli loadable plugins. Load all .so
plugins in this directory as CLI object plugins";
}
leaf CLICON_CLISPEC_DIR {
type string;
description
"Directory containing frontend cligen spec files. Load all .cli
files in this directory as CLI specification files.
See also CLICON_CLISPEC_FILE.";
}
leaf CLICON_CLISPEC_FILE {
type string;
description
"Specific frontend cligen spec file as alternative or complement
to CLICON_CLISPEC_DIR. Also available as -c in clixon_cli.";
}
leaf CLICON_CLI_MODE {
type string;
default "base";
description
"Startup CLI mode. This should match a CLICON_MODE variable set in
one of the clispec files";
}
leaf CLICON_CLI_VARONLY {
type int32;
default 1;
description
"Dont include keys in cvec in cli vars callbacks,
ie a & k in 'a <b> k <c>' ignored
(consider boolean)";
}
leaf CLICON_CLI_LINESCROLLING {
type int32;
default 1;
description
"Set to 0 if you want CLI INPUT to wrap to next line.
Set to 1 if you want CLI INPUT to scroll sideways when approaching
right margin";
}
leaf CLICON_CLI_LINES_DEFAULT {
type int32;
default 24;
description
"Set to number of CLI terminal rows for scrolling. 0 means unlimited.
The number is set statically UNLESS:
- there is no terminal, such as file input, in which case nr lines is 0
- there is a terminal sufficiently powerful to read the number of lines from
ioctl calls.
In other words, this setting is used ONLY on raw terminals such as serial
consoles.";
}
leaf CLICON_CLI_TAB_MODE {
type int8;
default 0;
description
"Set CLI tab mode. This is a bitfield of three bits:
bit 1: 0: <tab> shows short info of available commands
1: <tab> has same output as <?>, ie line per command
bit 2: 0: On <tab>, select a command over a <var> if both exist
1: Commands and vars have same preference.
bit 3: 0: On <tab>, never complete more than one level per <tab>
1: Complete all levels at once if possible.
";
}
leaf CLICON_CLI_UTF8 {
type int8;
default 0;
description
"Set to 1 to enable CLIgen UTF-8 experimental mode.
Note that this feature is EXPERIMENTAL and may not properly handle
scrolling, control characters, etc
(consider boolean)";
}
/*
 * File in which CLI command history is saved.
 * Review note: the leaf has a default, so history is written to
 * ~/.clixon_cli_history unless configured otherwise. Commands typed at the
 * CLI can contain secrets (passwords, keys set as configuration values),
 * which then persist in this file. Check the file's permissions, and
 * whether history should be saved at all on shared systems.
 */
leaf CLICON_CLI_HIST_FILE {
type string;
default "~/.clixon_cli_history";
description
"Name of CLI history file. If not given, history is not saved.
The number of lines is saved is given by CLICON_CLI_HIST_SIZE.";
}
leaf CLICON_CLI_HIST_SIZE {
type int32;
default 300;
description
"Number of lines to save in CLI history.
Also, if CLICON_CLI_HIST_FILE is set, also the size in lines
of the saved history.";
}
leaf CLICON_CLI_BUF_START {
type uint32;
default 256;
description
"CLIgen buffer (cbuf) initial size.
When the buffer needs to grow, the allocation grows quadratic up to a threshold
after which linear growth continues.
See CLICON_CLI_BUF_THRESHOLD";
}
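leaf CLICON_CLI_BUF_THRESHOLD {
/* Companion of CLICON_CLI_BUF_START: START gives the initial cbuf size,
   this leaf gives the size at which growth switches to adding the threshold
   value per step. 0 removes that switch, so growth stays quadratic. */
type uint32;
default 65536;
description
"CLIgen buffer (cbuf) threshold size.
When the buffer exceeds the threshold, the allocation grows by adding the threshold
value to the buffer length.
If 0, the growth continues with quadratic growth.
See CLICON_CLI_BUF_START";
}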
leaf CLICON_CLI_HELPSTRING_TRUNCATE {
type boolean;
default false;
description
"CLIgen help string on query (?): Truncate help string on right margin mode
This only applies if you have long help strings, such as when generating them from a
spec such as the autocli";
}
leaf CLICON_CLI_HELPSTRING_LINES {
type int32;
default 0;
description
"CLIgen help string on query (?) limit of number of lines to show, 0 means unlimited.
This only applies if you have multi-line help strings, such as when generating
from a spec, such as in the autocli.";
}
leaf CLICON_CLI_EXPAND_LEAFREF {
type boolean;
default false;
description
"If true, then CLI expansion of leafrefs (in expand_dbvar) are done using the
source values, not the references.
This applies to the autocli but also in a handcrafted CLI if expand_dbvar is used.
Example, assume ifref with leafref pointing to source if values:
<if>a</if><if>b</if><if>c</if>
<ifref>b</ifref>
If true, expansion will suggest a, b, c (source if values)
If false, expansion will suggest b (destination ifref values)
While setting this value makes sense for adding new values, it makes less sense for
deleting.";
}
leaf CLICON_CLI_OUTPUT_FORMAT {
type cl:datastore_format;
default xml;
description
"Default CLI output format.";
}
/* Internal socket */
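leaf CLICON_SOCK_FAMILY {
/* Review note: the two checks listed below exist only for UNIX sockets.
   With IPv4 the backend socket (CLICON_SOCK, CLICON_SOCK_PORT) has no
   credential mechanism, so a NACM user name cannot be tied to a peer
   identity and every client that can reach the address talks to the
   backend. Keep the default UNIX unless the address is reachable by
   trusted clients only. */
type socket_address_family;
default UNIX;
description
"Address family for communicating with clixon_backend, one of UNIX, IPv4 or IPv6.
Note IPv6 not implemented.
Note that UNIX socket makes credential check as follows:
(1) client needs rw access to the socket
(2) NACM credentials can be checked according to CLICON_NACM_CREDENTIALS
Warning: Only UNIX (not IPv4) sockets have credential mechanism.
";
}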
leaf CLICON_SOCK {
/* Review note: in the UNIX case this path is the access boundary, since the
   CLICON_SOCK_FAMILY description makes rw access to the socket the first
   credential check. In the IPv4 case that description states there is no
   credential mechanism, so the address given here decides who can reach
   the backend. */
type string;
mandatory true;
description
"String description of Clixon Internal (IPC) socket that connects a clixon
client to the clixon backend. This string is dependent on family.
If CLICON_SOCK_FAMILY is:
- UNIX: The value is a Unix socket path
- IPv4: IPv4 address string
- IPv6: IPv6 address string (NYI)";
}
leaf CLICON_SOCK_PORT {
/* NOTE(review): int32 carries no range restriction, so negative values and
   values above 65535 pass schema validation; confirm that the code reading
   this option rejects them. The port is used for the inet families only,
   which per CLICON_SOCK_FAMILY have no credential mechanism. */
type int32;
default 4535;
description
"Inet socket port for communicating with clixon_backend
(only IPv4|IPv6)";
}
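leaf CLICON_SOCK_GROUP {
/* Review note: membership of this group is what grants access to the
   backend unix socket (check (1) in the CLICON_SOCK_FAMILY description), so
   it should contain only accounts that are meant to manage the device. */
type string;
default "clicon";
description
"Group membership to access clixon_backend unix socket and gid for
daemon";
}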
leaf CLICON_SOCK_PRIO {
type boolean;
default false;
description
"Enable socket event priority.
If enabled, a file-descriptor can be registered as high prio.
Presently, the backend socket has higher prio than others.
(should be made more generic)
Note that a side-effect of enabling this option is that fairness of
non-prio events is disabled
This is useful if the backend opens other sockets, such as the controller";
}
leaf CLICON_AUTOCOMMIT {
type int32;
default 0;
description
"Set if all configuration changes are committed automatically
on every edit change. Explicit commit commands unnecessary
If confirm-commit, follow RESTCONF semantics: commit ephemeral but fail on
persistent confirming commit.
(consider boolean)";
}
leaf CLICON_AUTOLOCK {
type boolean;
default false;
description
"Set if all edit-config implicitly locks without the need of an explicit lock-db
In short, the lock is obtained by edit-config and copy-config and released by
discard and commit.
Also, any edits in candidate are discarded if the client closes the connection.
This effectively disables shared candidate";
}
/* Datastore XMLDB */
leaf CLICON_DATASTORE_CACHE {
type datastore_cache;
default cache;
description
"Clixon datastore cache behaviour. There are three values: no cache,
cache with copy, or cache without copy.
Note: 'cache' is default value and supported with regressions etc.
Others are experimental (in Clixon 5.5)
Note that from 7.0 this is OBSOLETED, only datastore_cache is supported";
status obsolete;
}
leaf CLICON_XMLDB_DIR {
/* Review note: the datastores placed here are the device configuration
   (and, when NACM rules are kept in the regular config, presumably the
   access control rules too), so the directory should be writable only by
   the user the backend runs as. The CLICON_XMLDB_MULTI description notes
   that new files get created in this directory, which limits how far
   backend privileges can be dropped. */
type string;
mandatory true;
description
"Directory where datastores such as \"running\", \"candidate\" and \"startup\"
are placed.
If CLICON_XMLDB_MULTI is enabled, this is the directory where a datastore
subdir is stored, such as \"running.d/\"
";
}
leaf CLICON_XMLDB_FORMAT {
type cl:datastore_format;
default xml;
description "XMLDB datastore format.";
}
leaf CLICON_XMLDB_PRETTY {
type boolean;
default true;
description
"XMLDB datastore pretty print.
If set, insert spaces and line-feeds making the XML/JSON human
readable. If not set, make the XML/JSON more compact.";
}
leaf CLICON_XMLDB_MODSTATE {
type boolean;
default false;
description
"If set, tag datastores with RFC 8525 YANG Module Library
info.
By default, modstate is added last in datastore.
When loaded at startup, a check is made if the system
yang modules match.";
}
leaf CLICON_XMLDB_UPGRADE_CHECKOLD {
type boolean;
default true;
description
"Controls behavior of check of startup in upgrade scenarios.
If set, yang bind and check datastore syntax against the old Yang.
The old yang must be accessible via YANG_DIR.
Will fail startup if old yang not found or if old config does not match.
If not set, no yang check of old config is made until it is upgraded to new yang.";
}
leaf CLICON_XMLDB_MULTI {
type boolean;
default false;
description
"Split configure datastore into multiple sub files
Uses .d/ directory structure with <digest>.xml and 0.xml as root
JSON not supported.
Splits are marked in YANG using extension xl:xmldb-split, (typical usage is
mount-points).
Note that algorithm for not updating unchanged files only applies to edits,
commit copies all files regardless.
May not work together with CLICON_BACKEND_PRIVILEGES=drop and root, since
new files need to be created in XMLDB_DIR";
}
leaf CLICON_XMLDB_SYSTEM_ONLY_CONFIG {
type boolean;
default false;
description
"If set, some fields in the configuration tree are not stored to datastore.
Instead, the application provides a mechanism to save the system-only-config
in the system via commit/system-only-config callbacks.
Specifically, system-only data is read from the system except in the following case:
datastore is candidate, and either locked or modified
In that case, the system-only config is stored in the cache (not in file) and
not read from the system.
The system-only data is still not stored in the datastore however.
See also extension system-only-config in clixon-lib.yang";
}
leaf CLICON_XML_CHANGELOG {
type boolean;
default false;
description "If true enable automatic upgrade using yang clixon
changelog.";
}
leaf CLICON_XML_CHANGELOG_FILE {
type string;
description "Name of file with module revision changelog.
If CLICON_XML_CHANGELOG is true, Clixon
reads the module changelog from this file.";
}
leaf CLICON_VALIDATE_STATE_XML {
type boolean;
default false;
description
"Validate user state callback content.
AND NETCONF reply sanity (misnomer)
Users may register state callbacks using ca_statedata callback
When set, the XML returned from the callback is validated after merging with
the running db. If it fails, an internal error is returned to the originating
user.
If the option is not set, the XML returned by the user is not validated.
Note that enabling currently causes a large performance overhead for large
lists, therefore it is recommended to enable it during development and debugging
but disable it in production, until this has been resolved.";
}
leaf CLICON_PLUGIN_CALLBACK_CHECK {
/* Review note: value 2 turns any detected violation into an assert() abort,
   i.e. one misbehaving plugin callback stops the whole process. On a
   production system prefer 1 (logged to syslog as WARNING) unless an abort
   is the intended fail-stop behaviour. */
type int32;
default 0;
description
"Debug option.
If >0, make a check of resources before and after each plugin callback code
to check if the plugin violated resources.
This is primarily intended for development and debugging but may also be enabled
in a running system.
If 1, errors will be logged to syslog as WARNINGs.
If 2, the program will abort using assert() on first error
The checks are currently made by plugin_context_check() and include:
- termios settings
- signal vectors
The checks will be made for all callbacks as defined in struct clixon_plugin_api
as well as the CLIgen callbacks.
See https://clixon-docs.readthedocs.io/en/latest/backend.html#plugin-callback-guidelines";
}
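leaf CLICON_PLUGIN_DLOPEN_GLOBAL {
/* Review note: presumably false/true select dlopen's RTLD_LOCAL/RTLD_GLOBAL.
   With true, symbols exported by one plugin can satisfy references in every
   plugin loaded after it, so a symbol name clash between plugins can rebind
   calls and the load order becomes significant. Keep the default (false)
   unless the plugins are designed to share symbols. */
type boolean;
default false;
description
"Local/global flag for dlopen as described in the man page.
This applies to the opening of all clixon plugins (backend/cli/netconf/restconf)
when loading the shared .so file with dlopen.
If false: Symbols defined in this shared object are not made available to resolve
references in subsequently loaded shared objects (default).
If true: The symbols defined by this shared object will be made available for symbol
resolution of subsequently loaded shared objects.";
}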
leaf CLICON_NAMESPACE_NETCONF_DEFAULT {
type boolean;
default false;
description
"Undefine if you want to ensure strict namespace assignment on all netconf
and XML statements according to the standard RFC 6241.
If defined, top-level rpc calls need not have namespaces (eg using xmlns=<ns>)
since the default NETCONF namespace will be assumed. (This is not standard).
See rfc6241 3.1: urn:ietf:params:xml:ns:netconf:base:1.0.";
}
leaf CLICON_STARTUP_MODE {
type startup_mode;
description "Which method to boot/start clicon backend";
}
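leaf CLICON_ANONYMOUS_USER {
/* Review note: this name stands in for unauthenticated RESTCONF clients
   (auth-type=none). NOTE(review): if NACM is enabled, its rules presumably
   match on this name, so it should not coincide with a real account, a
   member of a NACM group, or CLICON_NACM_RECOVERY_USER; confirm against the
   restconf code. */
type string;
default "anonymous";
description
"Name of anonymous user.
Currently the only case where such a user is used is in RESTCONF authentication when
auth-type=none and no user is known.";
}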
/* Network Configuration Access Control Model (NACM) */
leaf CLICON_NACM_MODE {
/* Review note: the default is disabled, i.e. no RFC 8341 access control is
   enforced until this option is changed. The permitted values are defined
   by typedef nacm_mode, which is outside this excerpt. */
type nacm_mode;
default disabled;
description
"RFC8341 network access configuration control model (NACM) mode: disabled,
in regular (internal) config or separate external file given by CLICON_NACM_FILE";
}
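leaf CLICON_NACM_FILE {
/* Review note: in external mode this file holds the access control rules,
   so whoever can write it controls authorization. It should be writable by
   the administrator only. The leaf has no default, so the path has to be
   given explicitly. */
type string;
description
"RFC8341 NACM external configuration file (if CLICON_NACM_MODE is external)";
}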
leaf CLICON_NACM_CREDENTIALS {
/* Review note: the check relies on unix socket peer credentials, so it is
   only meaningful with CLICON_SOCK_FAMILY UNIX; that option's description
   states that IPv4 sockets have no credential mechanism. The default is
   'except'; what each mode permits is defined by typedef nacm_cred_mode,
   outside this excerpt. NOTE(review): a mode that skips the match
   presumably lets a client present a NACM user name other than its own
   unix user; confirm before relaxing it. */
type nacm_cred_mode;
default except;
description
"Verify nacm user credentials with unix socket peer cred.
This means nacm user must match unix user accessing the backend
socket.";
}
leaf CLICON_NACM_RECOVERY_USER {
/* Review note: the user named here is exempt from every NACM rule. Leave it
   unset unless a recovery path is needed, use a dedicated account for it,
   and pair it with a CLICON_NACM_CREDENTIALS mode that ties the NACM user to
   the unix peer; the description below warns that otherwise another local
   user can pose as the recovery user. Over an IPv4 backend socket there are
   no peer credentials to check at all (see CLICON_SOCK_FAMILY). */
type string;
description
"RFC8341 defines a 'recovery session' as outside its scope. Clixon
defines this user as having special admin rights to exempt from
all access control enforcements.
Note setting of CLICON_NACM_CREDENTIALS is important, if set to
exact for example, this user must exist and be used, otherwise
another user (such as root or www) can pose as the recovery user.";
}
leaf CLICON_NACM_DISABLED_ON_EMPTY {
/* Review note: enabling this is a fail-open choice. A datastore that loads
   without a NACM config then runs with access control disabled, instead of
   the RFC 8341 defaults described below (enable-nacm true, write-default
   deny). A startup datastore that has been replaced or emptied would come
   up unprotected, so keep the default (false) and bootstrap through the
   recovery session where possible. */
type boolean;
default false;
description
"RFC 8341 and ietf-netconf-acm@2018-02-14.yang defines enable-nacm as true by
default. Since also write-default is deny by default it leads to that empty
configs can not be edited.
This means that a startup config must always have a NACM configuration or
that the NACM recovery session is used to edit an empty config.
If this option is set, Clixon disables NACM if a datastore does NOT contain a
NACM config on load.";
}
leaf CLICON_MODULE_SET_ID {
type string;
default "0";
description
"Only if CLICON_YANG_LIBRARY enabled.
Contains a server-specific identifier representing the current set of modules
and submodules. The server MUST change the value of this leaf if the
information represented by the 'module' list instances has changed.
The /yang-library/content-id state-data leaf is set with this value
If CLICON_MODULE_LIBRARY_RFC7895 is enabled, it sets the modules-state/module-set-id
instead";
}
/* Notification streams */
leaf CLICON_STREAM_DISCOVERY_RFC5277 {
type boolean;
default false;
description
"Enable event stream discovery as described in RFC 5277
section 3.2. If enabled, available streams will appear
when doing netconf get or restconf GET";
}
leaf CLICON_STREAM_DISCOVERY_RFC8040 {
type boolean;
default false;
description
"Enable monitoring information for the RESTCONF protocol from RFC 8040 as specified
in module ietf-restconf-monitoring.yang
Note that the name of this option is misleading, the monitoring module defines state
for both capabilities and streams, not only streams which the name indicates.
Also, consider changing default to true.";
}
leaf CLICON_STREAM_URL {
type string;
default "https://localhost";
description
"Stream URL
See RFC 8040 Sec 9.3 location leaf:
'Contains a URL that represents the entry point for
establishing notification delivery via server-sent events.'
Prepend this constant to name of stream.
Example: https://localhost/streams/NETCONF. Note this is the
external URL, not local behind a reverse-proxy.
Note that -s <stream> command-line option to clixon_restconf
should correspond to last path of url (eg 'streams')";
}
leaf CLICON_STREAM_PATH {
type string;
default "streams";
description
"Stream path appended to CLICON_STREAM_URL to form
stream subscription URL.
See CLICON_RESTCONF_API_ROOT and CLICON_HTTP_DATA_ROOT
Should be changed to include '/' ";
}
leaf CLICON_STREAM_RETENTION {
type uint32;
default 3600;
units s;
description
"Retention for stream replay buffers in seconds, ie how much
data to store before dropping. 0 means no retention";
}
leaf CLICON_STREAM_PUB {
type string;
description
"For stream publish using eg nchan, the base address
to publish to. Example value: http://localhost/pub
Example: stream NETCONF would then be pushed to
http://localhost/pub/NETCONF.
Note this may be a local/private URL behind reverse-proxy.
If not given, do NOT enable stream publishing using NCHAN.";
status obsolete;
}
/* Log and debug */
leaf CLICON_DEBUG{
type cl:clixon_debug_t;
description
"Debug flags as bitfields.
Can also be given directly as -D <flag> to clixon commands (which overrides this).";
}
leaf CLICON_LOG_DESTINATION {
type log_destination_t;
description
"Log destination.
If not given, default log destination is syslog for all applications,
except clixon_cli where default is stderr.
See also command-line option -l <s|e|o|n|f>";
}
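leaf CLICON_LOG_FILE {
/* Review note: when CLICON_DEBUG flags are set, log lines can include
   dynamic debug strings such as packet dumps (see CLICON_LOG_STRING_LIMIT),
   which may carry configuration data. The file should therefore not be
   world-readable, and its directory should be writable only by the user the
   logging process runs as. */
type string;
description
"Which file to log to if log destination is file
That is CLICON_LOG_DESTINATION is FILE or command started with -l f";
}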
leaf CLICON_LOG_STRING_LIMIT {
type uint32;
default 0;
description
"Length limitation of debug and log strings.
Especially useful for dynamic debug strings, such as packet dumps.
0 means no limit";
}
/* SNMP */
leaf-list CLICON_SNMP_MIB {
description
"Names of MIBs that are used by clixon_snmp.
For each MIB M, a YANG file M.yang is expected to be found.
If not found, an error is generated.
The YANG file M.yang is typically generated from the source MIB but can also
be handcrafted. An example of such a script is scripts/mib_to_yang.sh.
A list of these options should be in the configuration.";
type string;
}
leaf CLICON_SNMP_AGENT_SOCK {
/* Review note: the default path is in /tmp, which is normally
   world-writable, so any local user could create this path first or,
   depending on the socket's mode, connect to it. The description already
   asks for appropriate permissions; a path inside a directory accessible
   only to the SNMP daemon and clixon_snmp avoids depending on the socket
   mode alone. */
type string;
default "unix:/tmp/clixon_snmp.sock";
description
"String description of AgentX socket that clixon_snmp listens to.
For example, for net-snmpd, the socket is created by using the following:
--agentXSocket=unix:<path>
This string currently only supports UNIX socket path.
Note also that the user should consider setting permissions appropriately
XXX: This should be in later yang revision and documented as added when
merged with master";
}
}
}