Mailing List Archive: nsp: juniper

Getting configuration diffs via NETCONF

Index | Next | Previous | View Threaded

ross at kallisti

Nov 16, 2009, 8:55 AM

Post #1 of 12 (929 views)
Permalink

Getting configuration diffs via NETCONF

Hey all,

Is there anyway to programmatically request a diff of the candidate
and committed configurations? I want the exact output of "show |
compare", and I want it in the form at the CLI for human documentation
purposes.

I've seen that I can request the candidate configuration hierarchy
with "junos:changed" attributes on all elements that either have been
changed or have changed children. Generating a diff from this will be
awful...

I assume that JUNOS uses some XSLT/SLAX to convert XML hierarchies to
the form presented at the CLI. Are those sheets available somewhere
for me to use? An acceptable solution might be to fetch the candidate
and committed configurations, process them with the appropriate style
sheets, and produce the diff myself.

Thanks,
Ross

--
Ross Vandegrift
ross [at] kallisti

"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher."
--Woody Guthrie

Attachments:

signature.asc (0.19 KB)

phil at juniper

Nov 16, 2009, 9:43 AM

Post #2 of 12 (905 views)
Permalink

Re: Getting configuration diffs via NETCONF [In reply to]

Ross Vandegrift writes:
>Is there anyway to programmatically request a diff of the candidate
>and committed configurations? I want the exact output of "show |
>compare", and I want it in the form at the CLI for human documentation
>purposes.

No, we don't have this yet, but should. We can easily make both
the text output and the equivalent XML (think of the content that
will make that delta using the delete, insert, etc attributes), but
we simply have not done it.

>I assume that JUNOS uses some XSLT/SLAX to convert XML hierarchies to
>the form presented at the CLI. Are those sheets available somewhere
>for me to use? An acceptable solution might be to fetch the candidate
>and committed configurations, process them with the appropriate style
>sheets, and produce the diff myself.

JUNOS does not use XSLT internally at all. Most command output is
generated at the source (RPD, DCD, etc) as XML and is converted to
XML in the CLI using a proprietary formatting language called ODL
(Output Definition Language). But config is handled differently,
with MGD generating text or xml (as required) from the config
database as needed. For normal "show configuration" output, MGD
does the heavy lifting and the CLI just displays the lines in an
opaque way.

Thanks,
Phil
_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp

ross at kallisti

Nov 16, 2009, 10:33 AM

Post #3 of 12 (903 views)
Permalink

Re: Getting configuration diffs via NETCONF [In reply to]

On Mon, Nov 16, 2009 at 12:43:47PM -0500, Phil Shafer wrote:
> Ross Vandegrift writes:
> >Is there anyway to programmatically request a diff of the candidate
> >and committed configurations? I want the exact output of "show |
> >compare", and I want it in the form at the CLI for human documentation
> >purposes.
>
> No, we don't have this yet, but should. We can easily make both
> the text output and the equivalent XML (think of the content that
> will make that delta using the delete, insert, etc attributes), but
> we simply have not done it.

Damn, that'd have been a really great feature. I need to record
deltas of automated changes for approval by a human in a change
control application.

The idea was:
1) Collect and submit the user's proposed change.
2) Collect the delta, rollback the candidate.
3) Submit delta to change control system.
4) Wait for human approval of change request.
5) Resubmit change, but commit instead of rollback.

> >I assume that JUNOS uses some XSLT/SLAX to convert XML hierarchies to
> >the form presented at the CLI. Are those sheets available somewhere
> >for me to use? An acceptable solution might be to fetch the candidate
> >and committed configurations, process them with the appropriate style
> >sheets, and produce the diff myself.
>
> JUNOS does not use XSLT internally at all. Most command output is
> generated at the source (RPD, DCD, etc) as XML and is converted to
> XML in the CLI using a proprietary formatting language called ODL
> (Output Definition Language). But config is handled differently,
> with MGD generating text or xml (as required) from the config
> database as needed. For normal "show configuration" output, MGD
> does the heavy lifting and the CLI just displays the lines in an
> opaque way.

Wow, that's pretty surprising. Though I guess JUNOS's move to XML
could've happened before the prevalence of stylesheets.

It looks like I can kind of emulate what I need by piping scripts to
/usr/sbin/cli through ssh. For the archives, something like this does
the trick for now:

-----
rvandegrift [at] malaclyps:~$ cat << EOF | ssh lab-4200
configure
show | compare
EOF
{master:0}
rvandegrift [at] lab-420> configure
Entering configuration mode
The configuration has been changed but not committed

{master:0}[edit]
rvandegrift [at] lab-420# show | compare
[edit interfaces ge-0/0/0]
+ description asdfasdf;

{master:0}[edit]
rvandegrift [at] lab-420#
rvandegrift [at] malaclyps:~$
-----

Ross

--
Ross Vandegrift
ross [at] kallisti

"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher."
--Woody Guthrie

Attachments:

signature.asc (0.19 KB)

phil at juniper

Nov 16, 2009, 10:42 AM

Post #4 of 12 (903 views)
Permalink

Re: Getting configuration diffs via NETCONF [In reply to]

Ross Vandegrift writes:
>Damn, that'd have been a really great feature. I need to record
>deltas of automated changes for approval by a human in a change
>control application.

I'm not recommending this but....

I've seen folks use events to trigger event policies that issue the
commands you need. The main script can then retrieve the saved
file from the event policy. It's an odd code path, but until there's
a "compare" or "patch" attribute (or a "render='true'" option)
there's no other viable option.

>Wow, that's pretty surprising. Though I guess JUNOS's move to XML
>could've happened before the prevalence of stylesheets.

Stylesheets (currently) need the full xml document and we
don't want to buffer it (size and delay), so we went a
different way.

Thanks,
Phil
_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp

jmadrid2 at gmail

Nov 16, 2009, 1:32 PM

Post #5 of 12 (906 views)
Permalink

Re: Getting configuration diffs via NETCONF [In reply to]

Maybe what you want/need would be Rancid. It does exactly what you are requesting. Its distributed by Shrubbery Networks.

Sent via BlackBerry by AT&T

-----Original Message-----
From: Ross Vandegrift <ross [at] kallisti>
Date: Mon, 16 Nov 2009 11:55:47
To: <juniper-nsp [at] puck>
Subject: [j-nsp] Getting configuration diffs via NETCONF

_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp

_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp

ross at kallisti

Nov 16, 2009, 1:49 PM

Post #6 of 12 (903 views)
Permalink

Re: Getting configuration diffs via NETCONF [In reply to]

On Mon, Nov 16, 2009 at 09:32:52PM +0000, jmadrid2 [at] gmail wrote:
> Maybe what you want/need would be Rancid. It does exactly what you
> are requesting. Its distributed by Shrubbery Networks.

No, Rancid isn't going to address this, since I need diffs between
candidate and commited configurations without committing.

Ross

--
Ross Vandegrift
ross [at] kallisti

"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher."
--Woody Guthrie

Attachments:

signature.asc (0.19 KB)

ccall at juniper

Nov 16, 2009, 2:57 PM

Post #7 of 12 (902 views)
Permalink

Re: Getting configuration diffs via NETCONF [In reply to]

> Ross Vandegrift writes:
> >Damn, that'd have been a really great feature. I need to record
> deltas
> >of automated changes for approval by a human in a change control
> >application.
>

Would "file compare ..." output, rather than "show | compare" output, be good enough? Because you can do that through an op script. Couldn't these RPC calls be translated into an equivalent NETCONF script?

Here is some example output, the op script name is test.slax:

[edit]
jnpr [at] j435# show | compare
[edit system]
- host-name j4350;
+ host-name changed;

[edit]
jnpr [at] j435# run op test
1c1
< ## Last commit: 2009-11-16 22:40:35 UTC by jnpr
---
> ## Last changed: 2009-11-16 22:40:50 UTC
4c4
< host-name j4350;
---
> host-name changed;

[edit]
jnpr [at] j435# run op test | display xml
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/10.2I0/junos">
<output>
1c1
< ## Last commit: 2009-11-16 22:40:35 UTC by jnpr
---
> ## Last changed: 2009-11-16 22:40:50 UTC
4c4
< host-name j4350;
---
> host-name changed;
</output>
<cli>
<banner>[edit]</banner>
</cli>
</rpc-reply>

Here is the op script code used to get the above output. Fairly crude, but it was just a proof-of-concept:

version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

match / {
<op-script-results> {

var $candidate-rpc = <get-configuration database="candidate" format="text">;
var $candidate = jcs:invoke( $candidate-rpc );
var $committed-rpc = <get-configuration database="committed" format="text">;
var $committed = jcs:invoke( $committed-rpc );

var $write-candidate = {
<file-put> {
<filename> "/var/tmp/candidate";
<encoding> "ascii";
<delete-if-exist>;
<file-contents> $candidate;
}
}
var $results-1 = jcs:invoke( $write-candidate );
var $write-committed = {
<file-put> {
<filename> "/var/tmp/committed";
<encoding> "ascii";
<delete-if-exist>;
<file-contents> $committed;
}
}
var $results-2 = jcs:invoke( $write-committed );

var $compare-rpc = {
<file-compare> {
<from-file> "/var/tmp/committed";
<to-file> "/var/tmp/candidate";
}
}
var $compare-results = jcs:invoke( $compare-rpc );

/* Copy to result tree */
copy-of $compare-results;

/* Cleanup */
var $delete-candidate = {
<file-delete> {
<path> "/var/tmp/candidate";
}
}
var $results-3 = jcs:invoke( $delete-candidate );
var $delete-committed = {
<file-delete> {
<path> "/var/tmp/committed";
}
}
var $results-4 = jcs:invoke( $delete-committed );
}
}
_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp

ross at kallisti

Nov 17, 2009, 5:37 AM

Post #8 of 12 (892 views)
Permalink

Re: Getting configuration diffs via NETCONF [In reply to]

On Mon, Nov 16, 2009 at 02:57:43PM -0800, Curtis Call wrote:
> Would "file compare ..." output, rather than "show | compare"
> output, be good enough? Because you can do that through an op
> script. Couldn't these RPC calls be translated into an equivalent
> NETCONF script?

This looks perfect! I should easily be able to translate this into a
NETCONF process that does exactly what I hoped for. I'll lay around
with this today to make sure it behaves as I want.

Thanks a ton,
Ross

--
Ross Vandegrift
ross [at] kallisti

"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher."
--Woody Guthrie

Attachments:

signature.asc (0.19 KB)

ross at kallisti

Nov 17, 2009, 10:27 AM

Post #9 of 12 (894 views)
Permalink

Re: Getting configuration diffs via NETCONF [In reply to]

On Tue, Nov 17, 2009 at 08:37:42AM -0500, Ross Vandegrift wrote:
> On Mon, Nov 16, 2009 at 02:57:43PM -0800, Curtis Call wrote:
> > Would "file compare ..." output, rather than "show | compare"
> > output, be good enough? Because you can do that through an op
> > script. Couldn't these RPC calls be translated into an equivalent
> > NETCONF script?
>
> This looks perfect! I should easily be able to translate this into a
> NETCONF process that does exactly what I hoped for. I'll lay around
> with this today to make sure it behaves as I want.

Looks like I spoke too soon - the NETCONF equivalent of
<get-configuration> doesn't provide format control - it always returns
the full XML tree. I can use NETCONF to call the op script, but at
that point, ssh does basically the same thing without needing to
distribute a script to all of my boxes.

--
Ross Vandegrift
ross [at] kallisti

"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher."
--Woody Guthrie

Attachments:

signature.asc (0.19 KB)

phil at juniper

Nov 17, 2009, 10:43 AM

Post #10 of 12 (890 views)
Permalink

Re: Getting configuration diffs via NETCONF [In reply to]

Ross Vandegrift writes:
>Looks like I spoke too soon - the NETCONF equivalent of
><get-configuration> doesn't provide format control - it always returns
>the full XML tree. I can use NETCONF to call the op script, but at
>that point, ssh does basically the same thing without needing to
>distribute a script to all of my boxes.

You can use any JUNOS XML API call a NETCONF session,
so <get-configuration format="text"/> will work.

Thanks,
Phil
_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp

ross at kallisti

Nov 17, 2009, 11:12 AM

Post #11 of 12 (889 views)
Permalink

Re: Getting configuration diffs via NETCONF [In reply to]

On Tue, Nov 17, 2009 at 01:43:31PM -0500, Phil Shafer wrote:
> Ross Vandegrift writes:
> >Looks like I spoke too soon - the NETCONF equivalent of
> ><get-configuration> doesn't provide format control - it always returns
> >the full XML tree. I can use NETCONF to call the op script, but at
> >that point, ssh does basically the same thing without needing to
> >distribute a script to all of my boxes.
>
> You can use any JUNOS XML API call a NETCONF session,
> so <get-configuration format="text"/> will work.

It doesn't work as an RPC call on 9.5R2:

rvandegrift [at] malaclyps:~$ ssh -s lab-4200 netconf


<hello>
<capabilities>
<capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>
<capability>urn:ietf:params:xml:ns:netconf:capability:candidate:1.0</capability>
<capability>urn:ietf:params:xml:ns:netconf:capability:confirmed-commit:1.0</capability>
<capability>urn:ietf:params:xml:ns:netconf:capability:validate:1.0</capability>
<capability>urn:ietf:params:xml:ns:netconf:capability:url:1.0?protocol=http,ftp,file</capability>
<capability>http://xml.juniper.net/netconf/junos/1.0</capability>
<capability>http://xml.juniper.net/dmi/system/1.0</capability>
</capabilities>
<session-id>24377</session-id>
</hello>
]]>]]>
<hello></hello>
]]>]]>
<rpc><get-configuration format="text'/></rpc>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:junos="http://xml.juniper.net/junos/9.5R2/junos">
</rpc-reply>
]]>]]>
]]>]]>

Any get-configuration RPC gives me empty responses.

--
Ross Vandegrift
ross [at] kallisti

"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher."
--Woody Guthrie

Attachments:

signature.asc (0.19 KB)

phil at juniper

Nov 17, 2009, 12:02 PM

Post #12 of 12 (889 views)
Permalink

Re: Getting configuration diffs via NETCONF [In reply to]

Ross Vandegrift writes:
>It doesn't work as an RPC call on 9.5R2:

Sorry about that. All JS RPCs should work in NETCONF mode. This
is now PR 488377.

Thanks,
Phil
_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads