Thanks for sharing your findings, Stuart. I've learnt something new; I had no idea that ncclient had taken the effort to leverage xml-mode as a fallback. I recall when we had implemented something similar many years ago to perform new out of box deployments with PyEZ to support deployments via console with the likes of Ansible etc., but great to see that it is being used for ncclient.
Original Message:
Sent: 08-13-2024 04:33
From: STUART RIDSDALE
Subject: Question on Salt execution modules.
Here's the function in ncclient that's part of the exception handling when it doesn't find the NETCONF SSH subsystem:
https://github.com/ncclient/ncclient/blob/673da3c58e7767a550faf2b1804e17f29d6fdcfc/ncclient/devices/junos.py#L91
I can confirm after fiddling about with the code that this is the crux of the thread!
Thanks to the OP, this was interesting. I'd always assumed that ncclient was NETCONF subsystem or nothing. Apparently not for Juniper!
------------------------------
STUART RIDSDALE
Original Message:
Sent: 08-13-2024 03:35
From: Jessica Garrison
Subject: Question on Salt execution modules.
Agree with you on xml-mode, Andy.
There was a use case years ago where the customer would only have SSH enabled at the time of SaltStack installation with Junos, so I was pretty sure this was validated in testing and expected to see it in documentation. So this was more about if I remember something from 7 years ago correctly, because if xml-mode wasn't at play, I was going to be annoyed at myself for mixing things up.
------------------------------
Jessica Garrison
Original Message:
Sent: 08-12-2024 16:40
From: asharp
Subject: Question on Salt execution modules.
xml-mode isn't running over any particular protocol, it works via console, ssh, telnet in the same way. It is used mainly for console/terminal access when you want to do NETCONF but you haven't set up any IP etc. Typical scenario being NOOB (new-out-of-box) setup. It has limitations though, for example log messages might pop up on the console and terrorise your session and then you have broken XML responses etc.
------------------------------
Andy Sharp
Original Message:
Sent: 08-12-2024 12:33
From: Jessica Garrison
Subject: Question on Salt execution modules.
Thank you, Stuart. I remember xml-mode over SSH working with SaltStack and Junos. When I couldn't find the documentation, I thought I was wrong. I believe this is the RFC for it.
Using NETCONF Protocol over Secure Shell (SSH) : https://datatracker.ietf.org/doc/html/rfc6242
------------------------------
Jessica Garrison
Original Message:
Sent: 08-12-2024 09:10
From: STUART RIDSDALE
Subject: Question on Salt execution modules.
Best I got is with or without the netconf configuration, you see these interactive cli command log messages using the hidden xml-mode command to set up the netconf interface. You then see the specific RPC commands being logged interactively as they are sent.
UI_LOGIN_EVENT: User 'sridsdale' login, class 'j-gbone' [912], ssh-connection '<blah> 59380 <blah> 22', client-mode 'cli'
UI_CMDLINE_READ_LINE: User 'sridsdale', command 'xml-mode netconf need-trailer '
run "xml-mode netconf need-trailer " at the cli and you'll see what happens. Works with or without any netconf settings.
salt@some_router> xml-mode ?
Possible completions:
  <[Enter]>            Execute this command
  attributes           List of attributes to pass to management daemon
  interactive          Start interactive session (not for scripts)
  netconf              Run in NETCONF mode
  version              JUNOScript version number
  |                    Pipe through a command
This isn't Salt specific. The Junos and NAPALM proxy minions both use PyEZ which in turn uses ncclient. A simple script using ncclient does this.
So shrug appears you can't actually turn it off!
------------------------------
STUART RIDSDALE
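A defender's view of the post above, as an added example that is not part of the original post nor code from ncclient, PyEZ or Salt: because the fallback appears in syslog as a CLI login followed by the 'xml-mode netconf need-trailer' command, a log scan for that pair shows which accounts are getting RPC access without the netconf service. The sample lines are constructed from the two messages quoted in the post; the syslog prefix, timestamps, addresses and the second user are assumptions.

```python
import re

# Constructed sample syslog lines, modelled on the two messages quoted in the
# post. Host name, timestamps, addresses and 'operator1' are made up.
SAMPLE_LOG = """\
Aug 12 09:01:10 some-router mgd[912]: UI_LOGIN_EVENT: User 'sridsdale' login, class 'j-gbone' [912], ssh-connection '192.0.2.10 59380 192.0.2.1 22', client-mode 'cli'
Aug 12 09:01:10 some-router mgd[912]: UI_CMDLINE_READ_LINE: User 'sridsdale', command 'xml-mode netconf need-trailer '
Aug 12 09:05:44 some-router mgd[950]: UI_LOGIN_EVENT: User 'operator1' login, class 'j-ops' [950], ssh-connection '192.0.2.20 40112 192.0.2.1 22', client-mode 'cli'
Aug 12 09:05:50 some-router mgd[950]: UI_CMDLINE_READ_LINE: User 'operator1', command 'show version '
"""

LOGIN_RE = re.compile(
    r"UI_LOGIN_EVENT: User '(?P<user>[^']+)' login, class '(?P<cls>[^']+)'.*?"
    r"ssh-connection '(?P<conn>[^']*)', client-mode '(?P<mode>[^']+)'")
CMD_RE = re.compile(
    r"UI_CMDLINE_READ_LINE: User '(?P<user>[^']+)', command '(?P<cmd>[^']*)'")


def find_xml_mode_sessions(log_text):
    """Return one finding per 'xml-mode' command, joined to that user's last login."""
    last_login = {}  # user -> fields of the most recent UI_LOGIN_EVENT
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            last_login[m["user"]] = m.groupdict()
            continue
        m = CMD_RE.search(line)
        # Match on the first word so 'xml-mode' with any arguments is caught.
        if m and m["cmd"].split()[:1] == ["xml-mode"]:
            login = last_login.get(m["user"], {})  # empty if login not in this log
            findings.append({
                "user": m["user"],
                "command": m["cmd"].strip(),
                "class": login.get("cls"),
                "connection": login.get("conn"),
                "client_mode": login.get("mode"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_xml_mode_sessions(SAMPLE_LOG):
        print(finding)
```
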
Original Message:
Sent: 08-12-2024 06:48
From: STUART RIDSDALE
Subject: Question on Salt execution modules.
Oh, forcing the TTY to be created even if netconf isn't enabled appears to work:
[lab-salt:~]$ssh salt@some-router -s netconf
subsystem request failed on channel 0
[lab-salt:~]$ssh salt@some-router -f netconf
[lab-salt:~]$
<!-- No zombies were killed during the creation of this user interface -->
<!-- user salt, class j-salt -->
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:confirmed-commit:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:validate:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:url:1.0?scheme=http,ftp,file</capability>
    <capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:candidate:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:confirmed-commit:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:validate:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:url:1.0?scheme=http,ftp,file</capability>
    <capability>urn:ietf:params:xml:ns:yang:ietf-yang-metadata?module=ietf-yang-metadata&revision=2016-08-05</capability>
    <capability>urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring</capability>
    <capability>http://xml.juniper.net/netconf/junos/1.0</capability>
    <capability>http://xml.juniper.net/dmi/system/1.0</capability>
    <capability>http://yang.juniper.net/junos/jcmd?module=junos-configuration-metadata&revision=2021-09-01</capability>
  </capabilities>
  <session-id>93783</session-id>
</hello>
]]>]]>
<!-- session end at 2024-08-12 11:29:42 UTC -->
------------------------------
STUART RIDSDALE
Original Message:
Sent: 08-11-2024 09:25
From: djadhav
Subject: Question on Salt execution modules.
Hi Jessica.
I don't have the setup anymore, but there was no inherited configuration.
What was strange was that I deactivated all services on my router, thus losing my login session. However, Salt was still able to retrieve information from the router via execution modules.
--Deepak
Original Message:
Sent: 08-09-2024 14:37
From: Jessica Garrison
Subject: Question on Salt execution modules.
I just looked up the technical documentation and it supports Andy.
Deepak, please confirm that there was an inherited configuration.
------------------------------
Jessica Garrison
Original Message:
Sent: 08-07-2024 15:58
From: asharp
Subject: Question on Salt execution modules.
Unless I'm mistaken, you still require netconf configured as a service.
e.g.
system {
    services {
        netconf {
            ssh;
        }
    }
}
I don't recall that it is possible to leverage NETCONF over SSH without this configuration. I know that PyEZ can also leverage NETCONF via console, but that is leveraging "xml-mode" rather than NETCONF as a protocol.
Unless this is a change in the behaviour of Junos that I wasn't aware of?
Of course it could be that NETCONF is being configured via an apply-group, so it should be possible to see if it is being applied to the configuration via "show system services | display inheritance", which could be a cause of confusion if "show system services" doesn't display netconf.
show configuration system services
show configuration system services | display inheritance
##
## 'netconf' was inherited from group 'global'
##
netconf {
    ##
    ## 'ssh' was inherited from group 'global'
    ##
    ssh;
}
Regards,
------------------------------
Andy Sharp
Original Message:
Sent: 08-06-2024 12:27
From: Jessica Garrison
Subject: Question on Salt execution modules.
Salt with Junos OS can do NETCONF over port 22. So if you have configured SSH, it is using that.
------------------------------
Jessica Garrison
Original Message:
Sent: 08-05-2024 14:22
From: Unknown User
Subject: Question on Salt execution modules.
Hi.
I can run the following Salt execution module without netconf enabled on the target Juniper vMX. Does this mean that netconf is not being used? If not, how are the RPCs being exchanged?
[lab@desktop ]$ sudo salt vMX-1 junos.rpc get-system-information
vMX-1:
    ----------
    out:
        True
    rpc_reply:
        ----------
        system-information:
            ----------
            hardware-model:
                vmx
            host-name:
                vMX-1
            os-name:
                junos
            os-version:
                21.3R1.9
            serial-number:
                VM614F08F48E
Thanks,
Deepak