
Question on Salt execution modules.

  • 1.  Question on Salt execution modules.

     
    Posted 08-05-2024 14:23

    Hi.

    I can run the following Salt execution model without netconf enabled on the target Juniper vMX. Does this mean that netconf is not being used? If not, how are the RPCs being exchanged?

    [lab@desktop ]$ sudo salt vMX-1 junos.rpc get-system-information
    vMX-1:
        ----------
        out:
            True
        rpc_reply:
            ----------
            system-information:
                ----------
                hardware-model:
                    vmx
                host-name:
                    vMX-1
                os-name:
                    junos
                os-version:
                    21.3R1.9
                serial-number:
                    VM614F08F48E

    Thanks,

    Deepak



  • 2.  RE: Question on Salt execution modules.

     
    Posted 08-06-2024 03:40

    Are you sure that NETCONF isn't available?  For example, what happens when you try the following:

    ssh user@vmx-1 -s netconf

    Do you get a NETCONF header response?

    Just that looking at the junos module for Salt, it all looks to be PyEZ based so I would expect that NETCONF is being used.

    Regards,



    ------------------------------
    Andy Sharp
    ------------------------------



  • 3.  RE: Question on Salt execution modules.

    Posted 08-06-2024 12:28

    Salt with Junos OS can do NETCONF over port 22. So if you have configured SSH, it is using that. 



    ------------------------------
    Jessica Garrison
    ------------------------------



  • 4.  RE: Question on Salt execution modules.

     
    Posted 08-07-2024 15:58
    Edited by asharp 08-07-2024 16:16

    Unless I'm mistaken, you still require netconf configured as a service.

    e.g.

    system {
      services {
        netconf {
          ssh;
        }
      }
    }

    I don't recall that it is possible to leverage NETCONF over SSH without this configuration.  I know that PyEZ can also leverage NETCONF via console, but that is leveraging "xml-mode" rather than NETCONF as a protocol.

    Unless this is a change in the behaviour of Junos that I wasn't aware of?

    Of course it could be that NETCONF is being configured via an apply-group, so it should be possible to see if it is being applied to the configuration via "show system services | display inheritance", which could be a cause of confusion if "show system services" doesn't display netconf.

    show configuration system services
    
    show configuration system services | display inheritance
    
    ##
    ## 'netconf' was inherited from group 'global'
    ##
    netconf {
        ##
        ## 'ssh' was inherited from group 'global'
        ##
        ssh;
    }

    Regards,



    ------------------------------
    Andy Sharp
    ------------------------------



  • 5.  RE: Question on Salt execution modules.

    Posted 08-09-2024 14:37

    I just looked up the technical documentation and it supports Andy. 

    Deepak please confirm that there was an inherited configuration.  



    ------------------------------
    Jessica Garrison
    ------------------------------



  • 6.  RE: Question on Salt execution modules.

     
    Posted 29 days ago

    Hi Jessica.

    I don't have the setup anymore, but there was no inherited configuration. 

    What was strange was that I deactivated all services on my router, thus losing my login session. However, Salt was still able to retrieve information from the router via execution modules.

    --Deepak




  • 7.  RE: Question on Salt execution modules.

    Posted 28 days ago
    Edited by STUART RIDSDALE 28 days ago

    Oh, forcing the TTY to be created even if netconf isn't enabled appears to work:

    [lab-salt:~]$ssh salt@some-router -s netconf
    subsystem request failed on channel 0
    [lab-salt:~]$ssh salt@some-router -f netconf
    [lab-salt:~]$<!-- No zombies were killed during the creation of this user interface -->
    <!-- user salt, class j-salt -->
    <hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
      <capabilities>
        <capability>urn:ietf:params:netconf:base:1.0</capability>
        <capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
        <capability>urn:ietf:params:netconf:capability:confirmed-commit:1.0</capability>
        <capability>urn:ietf:params:netconf:capability:validate:1.0</capability>
        <capability>urn:ietf:params:netconf:capability:url:1.0?scheme=http,ftp,file</capability>
        <capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>
        <capability>urn:ietf:params:xml:ns:netconf:capability:candidate:1.0</capability>
        <capability>urn:ietf:params:xml:ns:netconf:capability:confirmed-commit:1.0</capability>
        <capability>urn:ietf:params:xml:ns:netconf:capability:validate:1.0</capability>
        <capability>urn:ietf:params:xml:ns:netconf:capability:url:1.0?scheme=http,ftp,file</capability>
        <capability>urn:ietf:params:xml:ns:yang:ietf-yang-metadata?module=ietf-yang-metadata&amp;revision=2016-08-05</capability>
        <capability>urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring</capability>
        <capability>http://xml.juniper.net/netconf/junos/1.0</capability>
        <capability>http://xml.juniper.net/dmi/system/1.0</capability>
        <capability>http://yang.juniper.net/junos/jcmd?module=junos-configuration-metadata&amp;revision=2021-09-01</capability>
      </capabilities>
      <session-id>93783</session-id>
    </hello>
    ]]>]]>
    <!-- session end at 2024-08-12 11:29:42 UTC -->



    ------------------------------
    STUART RIDSDALE
    ------------------------------



  • 8.  RE: Question on Salt execution modules.

    Posted 28 days ago

    Best I got is with or without the netconf configuration, you see these interactive cli command log messages using the hidden xml-mode command to set up the netconf interface. You then see the specific RPC commands being logged interactively as they are sent.

    UI_LOGIN_EVENT: User 'sridsdale' login, class 'j-gbone' [912], ssh-connection '<blah> 59380 <blah> 22', client-mode 'cli'
    UI_CMDLINE_READ_LINE: User 'sridsdale', command 'xml-mode netconf need-trailer '


    run "xml-mode netconf need-trailer " at the cli and you'll see what happens. Works with or without any netconf settings.

    salt@some_router> xml-mode ?
    Possible completions:
      <[Enter]>            Execute this command
      attributes           List of attributes to pass to management daemon
      interactive          Start interactive session (not for scripts)
      netconf              Run in NETCONF mode
      version              JUNOScript version number
      |                    Pipe through a command


    This isn't Salt specific. The Junos and NAPALM proxy minions both use PyEZ which in turn uses ncclient. A simple script using ncclient does this.

    So shrug appears you can't actually turn it off!



    ------------------------------
    STUART RIDSDALE
    ------------------------------
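
A detection sketch for the behaviour described in the post above, added here as an example and not part of the original thread: it scans syslog text for CLI sessions that enter `xml-mode`, which gives NETCONF RPC access whether or not the `netconf` service is configured. The syslog header, PIDs, users, addresses and the function name are assumptions; the message bodies follow the two log lines quoted in the post.

```python
import re

# Constructed sample: message bodies follow the two log lines quoted in the
# post; the syslog header, PIDs, users and addresses are made up.
SAMPLE_LOG = """\
Aug 12 11:29:40 some-router mgd[912]: UI_LOGIN_EVENT: User 'salt' login, class 'j-salt' [912], ssh-connection '192.0.2.10 59380 192.0.2.1 22', client-mode 'cli'
Aug 12 11:29:40 some-router mgd[912]: UI_CMDLINE_READ_LINE: User 'salt', command 'xml-mode netconf need-trailer '
Aug 12 11:31:02 some-router mgd[977]: UI_LOGIN_EVENT: User 'ops' login, class 'j-ops' [977], ssh-connection '192.0.2.20 40112 192.0.2.1 22', client-mode 'cli'
Aug 12 11:31:09 some-router mgd[977]: UI_CMDLINE_READ_LINE: User 'ops', command 'show system services '
"""

LOGIN_RE = re.compile(r"UI_LOGIN_EVENT: User '(?P<user>[^']+)' login, class '(?P<cls>[^']+)'")
SRC_RE = re.compile(r"ssh-connection '(?P<src>\S+) \d+ \S+ \d+'")
CMD_RE = re.compile(r"UI_CMDLINE_READ_LINE: User '(?P<user>[^']+)', command '(?P<cmd>[^']*)'")


def find_xml_mode_sessions(log_text):
    """Return one finding per logged CLI command that enters xml-mode."""
    last_login = {}  # user -> (login class, source address or None)
    findings = []
    for line in log_text.splitlines():
        login = LOGIN_RE.search(line)
        if login:
            src = SRC_RE.search(line)  # no ssh-connection field on non-SSH logins
            last_login[login["user"]] = (login["cls"], src["src"] if src else None)
            continue
        cmd = CMD_RE.search(line)
        if cmd and cmd["cmd"].split()[:1] == ["xml-mode"]:
            # Attribute the command to that user's most recent login, if seen.
            cls, src = last_login.get(cmd["user"], (None, None))
            findings.append({
                "user": cmd["user"],
                "class": cls,
                "source": src,
                "command": cmd["cmd"].strip(),
                "netconf": "netconf" in cmd["cmd"].split(),
            })
    return findings


if __name__ == "__main__":
    for finding in find_xml_mode_sessions(SAMPLE_LOG):
        print(finding)
```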



  • 9.  RE: Question on Salt execution modules.

    Posted 28 days ago

    Thank you, Stuart.  I remember xml-mode over SSH working with SaltStack and Junos. When I couldn't find the documentation, I thought I was wrong. I believe this is the RFC for it. 

    Using NETCONF Protocol over Secure Shell (SSH) : https://datatracker.ietf.org/doc/html/rfc6242



    ------------------------------
    Jessica Garrison
    ------------------------------



  • 10.  RE: Question on Salt execution modules.

     
    Posted 28 days ago

    xml-mode isn't running over any particular protocol, it works via console, ssh, telnet in the same way.  It is used mainly for console/terminal access when you want to do NETCONF but you haven't set up any IP etc.  Typical scenario being NOOB (new-out-of-box) setup.  It has limitations though, for example log messages might pop up on the console and terrorise your session and then you have broken XML responses etc.



    ------------------------------
    Andy Sharp
    ------------------------------



  • 11.  RE: Question on Salt execution modules.

    Posted 27 days ago

    Agree with you on xml-mode, Andy. 

    There was a use case years ago where the customer would only have SSH enabled at the time of SaltStack installation with Junos, so I was pretty sure this was validated in testing and expected to see it in documentation. So this was more about if I remember something from 7 years ago correctly, because if xml-mode wasn't at play, I was going to be annoyed at myself for mixing things up.



    ------------------------------
    Jessica Garrison
    ------------------------------



  • 12.  RE: Question on Salt execution modules.

    Posted 27 days ago

    Here's the function in ncclient that's part of the exception handling when it doesn't find the NETCONF SSH subsystem:

    https://github.com/ncclient/ncclient/blob/673da3c58e7767a550faf2b1804e17f29d6fdcfc/ncclient/devices/junos.py#L91

    I can confirm after fiddling about with the code that this is the crux of the thread!

    Thanks to the OP, this was interesting. I'd always assumed that ncclient was NETCONF subsystem or nothing. Apparently not for Juniper!



    ------------------------------
    STUART RIDSDALE
    ------------------------------



  • 13.  RE: Question on Salt execution modules.

     
    Posted 27 days ago

    Thanks for sharing your findings Stuart, I've learnt something new, I had no idea that ncclient had taken the effort to leverage xml-mode as a fallback.  I recall when we had implemented something similar many years ago to perform new out of box deployments with PyEZ to support deployments via console with the likes of Ansible etc., but great to see that it is being used for ncclient.

    Regards,



    ------------------------------
    Andy Sharp
    ------------------------------