39a5086218
* Improved unknown handling
* Configure option `CLICON_YANG_DIR` is changed from a single directory to a path of directories
* Note CLIXON_DATADIR (=/usr/local/share/clixon) need to be in the list
|
||
|---|---|---|
| apps | ||
| build-root/scripts | ||
| datastore | ||
| doc | ||
| docker | ||
| etc | ||
| example | ||
| extras | ||
| include | ||
| lib | ||
| test | ||
| util | ||
| yang | ||
| .gitignore | ||
| CHANGELOG.md | ||
| config.guess | ||
| config.sub | ||
| configure | ||
| configure.ac | ||
| DEVELOP.md | ||
| install-sh | ||
| LICENSE.md | ||
| Makefile.in | ||
| README.md | ||
| ROADMAP.md | ||
Clixon
Clixon is a YANG-based configuration manager, with interactive CLI, NETCONF and RESTCONF interfaces, an embedded database and transaction support.
- Background
- Frequently asked questions
- Installation
- Licenses
- Support
- Dependencies
- Extending
- XML and XPATH
- Yang
- Netconf
- Restconf
- Datastore
- Authentication
- NACM Access control
- Example
- Changelog
- Runtime
- Clixon project page
- Tests
- Docker
- Roadmap
- Reference manual
Background
Clixon was implemented to provide an open-source generic configuration tool. The existing CLIgen tool was for command-lines only, while clixon is a system with configuration database, xml and rest interfaces. Most of the projects using clixon are for embedded network and measuring devices. But Clixon is more generic than that.
Users of clixon currently include:
- Netgate
- CloudMon360
- Grideye
- Netclean # only CLIgen
- Prosilient's PTAnalyzer # only CLIgen
See also Clicon project page.
Clixon runs on Linux, FreeBSD port and Mac/Apple. CPU architecures include x86_64, i686, ARM32.
Installation
A typical installation is as follows:
configure # Configure clixon to platform
make # Compile
sudo make install # Install libs, binaries, and config-files
sudo make install-include # Install include files (for compiling)
One example application is provided, a IETF IP YANG datamodel with generated CLI, Netconf and restconf interface.
Licenses
Clixon is open-source and dual licensed. Either Apache License, Version 2.0 or GNU General Public License Version 2; you choose.
See LICENSE.md for the license.
Dependencies
Clixon depends on the following software packages, which need to exist on the target machine.
- CLIgen If you need to build and install CLIgen:
git clone https://github.com/olofhagsand/cligen.git
cd cligen; configure; make; make install
- Yacc/bison
- Lex/Flex
- Fcgi (if restconf is enabled)
Support
Clixon interaction is best done posting issues, pull requests, or joining the slack channel. Slack invite.
Extending
Clixon provides a core system and can be used as-is using available Yang specifications. However, an application very quickly needs to specialize functions. Clixon is extended by writing plugins for cli and backend. Extensions for netconf and restconf are also available.
Plugins are written in C and easiest is to look at example or consulting the FAQ.
XML
Clixon has its own implementation of XML and XPATH implementation.
The standards covered include:
Not supported:
Yang
YANG and XML is at the heart of Clixon. Yang modules are used as a specification for handling XML configuration data. The YANG spec is used to generate an interactive CLI, netconf and restconf clients. It also manages an XML datastore.
Clixon follows:
However, the following YANG syntax modules are not implemented:
- deviation
- min/max-elements
- unique
- action
- belongs-to
Restrictions on Yang types are as follows:
- The range statement does not support multiple values (RFC7895 sec 9.2.4)
- Submodules cannot re-use a prefix in an import statement that is already used for another imported module in the module that the submodule belongs to.
Netconf
Clixon implements the following NETCONF proposals or standards:
- RFC 6241: NETCONF Configuration Protocol
- RFC 6242: Using the NETCONF Configuration Protocol over Secure Shell (SSH)
- RFC 5277: NETCONF Event Notifications
- RFC 8341: Network Configuration Access Control Model
Clixon does not yet support the following netconf features:
- :url capability
- copy-config source config
- edit-config testopts
- edit-config erropts
- edit-config config-text
- edit-config operation
Restconf
Clixon Restconf is a daemon based on FastCGI C-API. Instructions are available to run with NGINX. The implementatation is based on RFC 8040: RESTCONF Protocol.
The following features are supported:
- OPTIONS, HEAD, GET, POST, PUT, DELETE
- stream notifications (RFC8040 sec 6)
- query parameters start-time and stop-time(RFC8040 section 4.9)
The following features are not implemented:
- PATCH
- query parameters other than start/stop-time.
See more detailed instructions.
Datastore
The Clixon datastore is a stand-alone XML based datastore. The idea is to be able to use different datastores backends with the same API.
The datastore is primarily designed to be used by Clixon but can be used separately.
See more detailed instructions.
Auth
Authentication is managed outside Clixon using SSH, SSL, Oauth2, etc.
For CLI, login is typically made via SSH. For netconf, SSH netconf subsystem can be used.
Restconf however needs credentials. This is done by writing a credentials callback in a restconf plugin. See:
- FAQ.
- Example has an example how to do this with HTTP basic auth.
- I have done this for another project using Oauth2 or (https://github.com/CESNET/Netopeer2/tree/master/server/configuration)
The clients send the ID of the user using a "username" attribute with the RPC calls to the backend. Note that the backend trusts the clients so the clients can in principle fake a username.
NACM
Clixon includes an experimental Network Configuration Access Control Model (NACM) according to RFC8341(NACM). It has limited functionality.
The support is as follows:
- There is a yang config variable
CLICON_NACM_MODEto set whether NACM is disabled, uses internal(embedded) NACM configuration, or external configuration. (See yang/clixon-config.yang) - If the mode is internal, NACM configurations is expected to be in the regular configuration, managed by regular candidate/runing/commit procedures. This mode may have some problems with bootstrapping.
- If the mode is
external, theCLICON_NACM_FILEyang config variable contains the name of a separate configuration file containing the NACM configurations. After changes in this file, the backend needs to be restarted. - The example contains a http basic auth and a NACM backend callback for mandatory state variables.
- There are two tests using internal and external NACM config
- The backend provides a limited NACM support (when enabled) described below
NACM is implemented in the backend and a single access check is made
in from_client_msg() when an internal netconf RPC has
just been received and decoded. The code is in nacm_access().
The functionality is as follows:
- Notification is not supported
- Groups are supported
- Rule-lists are supported
- Rules are supported as follows
- module-name: Only '*' supported
- access-operations: only '*' and 'exec' supported
- rpc-name: fully supported (eg edit-config/get-config, etc)
- action: fully supported (permit/deny)
The tests outlines an example of three groups (taken from the RFC): admin, limited and guest:
- admin: Full access
- limited: Read access (get and get-config)
- guest: No access
Runtime
The figure shows the SDK runtime of Clixon.
Reference
A reference manual can be built using Doxygen. You need to install doxygen and graphviz on your system.
Build it in the doc directory and point the browser to .../clixon/doc/html/index.html as follows:
> cd doc
> make doc
> make graphs # detailed callgraphs