Capabilities augment the base operations of the device, describing both additional operations and the content allowed inside operations. The client can discover the server’s capabilities and use any additional operations, parameters, and content defined by those capabilities.
The capability definition might name one or more dependent capabilities. To support a capability, the server MUST support any capabilities upon which it depends.
功能定义可以命名一个或多个相关功能。要支持某项功能,服务器必须支持它所依赖的任何功能。
Section 8 defines the capabilities exchange that allows the client to discover the server’s capabilities. Section 8 also lists the set of capabilities defined in this document.
第8节定义了允许客户端发现服务器功能的功能交换。第8节还列出了本文件中定义的一组功能。
Additional capabilities can be defined at any time in external documents, allowing the set of capabilities to expand over time. Standards bodies can define standardized capabilities, and implementations can define proprietary ones. A capability URI MUST sufficiently distinguish the naming authority to avoid naming collisions.
o Comparisons of configuration data sets would be dominated by irrelevant entries such as different statistics.
o 配置数据集的比较主要是不相关的条目,如不同的统计数据。
o Incoming data could contain nonsensical requests, such as attempts to write read-only data.
o 传入数据可能包含无意义的请求,例如试图写入只读数据。
o The data sets would be large.
o 数据集将会很大。
o Archived data could contain values for read-only data items, complicating the processing required to restore archived data.
o 归档数据可能包含只读数据项的值,从而使恢复归档数据所需的处理复杂化。
To account for these issues, the NETCONF protocol recognizes the difference between configuration data and state data and provides operations for each. The <get-config> operation retrieves configuration data only, while the <get> operation retrieves configuration and state data.
Note that the NETCONF protocol is focused on the information required to get the device into its desired running state. The inclusion of other important, persistent data is implementation specific. For example, user files and databases are not treated as configuration data by the NETCONF protocol.
For example, if a local database of user authentication data is stored on the device, it is an implementation-dependent matter whether it is included in configuration data.
The NETCONF protocol can be layered on any transport protocol that provides the required set of functionality. It is not bound to any particular transport protocol, but allows a mapping to define how it can be implemented over any specific protocol.
In addition, resources requested from the server for a particular connection MUST be automatically released when the connection closes, making failure recovery simpler and more robust. For example, when a lock is acquired by a client, the lock persists until either it is explicitly released or the server determines that the connection has been terminated. If a connection is terminated while the client holds a lock, the server can perform any appropriate recovery. The <lock> operation is further discussed in Section 7.5.
NETCONF connections MUST be authenticated. The transport protocol is responsible for authentication of the server to the client and authentication of the client to the server. A NETCONF peer assumes that the connection’s authentication information has been validated by the underlying transport protocol using sufficiently trustworthy mechanisms and that the peer’s identity has been sufficiently proven.
One goal of NETCONF is to provide a programmatic interface to the device that closely follows the functionality of the device’s native interface. Therefore, it is expected that the underlying protocol uses existing authentication mechanisms available on the device. For example, a NETCONF server on a device that supports RADIUS [RFC2865] might allow the use of RADIUS to authenticate NETCONF sessions.
The authentication process MUST result in an authenticated client identity whose permissions are known to the server. The authenticated identity of a client is commonly referred to as the NETCONF username. The username is a string of characters that match the “Char” production from Section 2.2 of [W3C.REC-xml-20001006]. The algorithm used to derive the username is transport protocol specific and in addition specific to the authentication mechanism used by the transport protocol. The transport protocol MUST provide a username to be used by the other NETCONF layers.
The access permissions of a given client, identified by its NETCONF username, are part of the configuration of the NETCONF server. These permissions MUST be enforced during the remainder of the NETCONF session. The details of how access control is configured is outside the scope of this document.
A NETCONF implementation MUST support the SSH transport protocol mapping [RFC6242].
NETCONF实现必须支持SSH传输协议映射[RFC6242]。
3. XML注意事项
XML serves as the encoding format for NETCONF, allowing complex hierarchical data to be expressed in a text format that can be read, saved, and manipulated with both traditional text tools and tools specific to XML.
All NETCONF messages MUST be well-formed XML, encoded in UTF-8 [RFC3629]. If a peer receives an <rpc> message that is not well-formed XML or not encoded in UTF-8, it SHOULD reply with a “malformed-message” error. If a reply cannot be sent for any reason, the server MUST terminate the session.
The NETCONF protocol uses an RPC-based communication model. NETCONF peers use <rpc> and <rpc-reply> elements to provide transport-protocol-independent framing of NETCONF requests and responses.
The syntax and XML encoding of the Messages-layer RPCs are formally defined in the XML schema in Appendix B.
消息层RPC的语法和XML编码在附录B的XML模式中正式定义。
4.1. <rpc> Element元素
The <rpc> element is used to enclose a NETCONF request sent from the client to the server.
元素用于封装从客户端发送到服务器的NETCONF请求。
The <rpc> element has a mandatory attribute “message-id”, which is a string chosen by the sender of the RPC that will commonly encode a monotonically increasing integer. The receiver of the RPC does not decode or interpret this string but simply saves it to be used as a “message-id” attribute in any resulting <rpc-reply> message. The sender MUST ensure that the “message-id” value is normalized according to the XML attribute value normalization rules defined in [W3C.REC-xml-20001006] if the sender wants the string to be returned unmodified. For example:
If additional attributes are present in an <rpc> element, a NETCONF peer MUST return them unmodified in the <rpc-reply> element. This includes any “xmlns” attributes.
The name and parameters of an RPC are encoded as the contents of the <rpc> element. The name of the RPC is an element directly inside the <rpc> element, and any parameters are encoded inside this element.
The following example invokes a method called <my-own-method>, which has two parameters, <my-first-parameter>, with a value of “14”, and <another-parameter>, with a value of “fred”:
下面的示例调用一个名为<my own method>的方法,该方法有两个参数,<my first parameter>,值为“14”,和<Other parameter>,值为“fred”:
The <rpc-reply> message is sent in response to an <rpc> message.
<rpc reply>消息是响应<rpc>消息而发送的。
The <rpc-reply> element has a mandatory attribute “message-id”, which is equal to the “message-id” attribute of the <rpc> for which this is a response.
The response data is encoded as one or more child elements to the <rpc-reply> element.
响应数据被编码为<rpc reply>元素的一个或多个子元素。
For example:
例如:
The following <rpc> element invokes the NETCONF <get> method and includes an additional attribute called “user-id”. Note that the “user-id” attribute is not in the NETCONF namespace. The returned <rpc-reply> element returns the “user-id” attribute, as well as the requested content.
If a server encounters multiple errors during the processing of an <rpc> request, the <rpc-reply> MAY contain multiple <rpc-error> elements. However, a server is not required to detect or report more than one <rpc-error> element, if a request contains multiple errors. A server is not required to check for particular error conditions in a specific sequence. A server MUST return an <rpc-error> element if any error conditions occur during processing.
A server MUST NOT return application-level- or data-model-specific error information in an <rpc-error> element for which the client does not have sufficient access rights.
error-type: Defines the conceptual layer that the error occurred. Enumeration. One of:
* transport (layer: Secure Transport)
* rpc (layer: Messages)
* protocol (layer: Operations)
* application (layer: Content)
error-tag: Contains a string identifying the error condition. See Appendix A for allowed values.
错误标记:包含标识错误条件的字符串。允许值见附录A。
error-severity: Contains a string identifying the error severity, as determined by the device. One of:
错误严重性:包含一个字符串,标识由设备确定的错误严重性。什么之中的一个:
* error
* warning
Note that there are no <error-tag> values defined in this document that utilize the “warning” enumeration. This is reserved for future use.
请注意,本文档中没有定义使用“警告”枚举的<error tag>值。这是留作将来使用的。
error-app-tag: Contains a string identifying the data-model-specific or implementation-specific error condition, if one exists. This element will not be present if no appropriate application error-tag can be associated with a particular error condition. If a
data-model-specific and an implementation-specific error-app-tag both exist, then the data-model-specific value MUST be used by the server.
特定于数据模型和特定于实现的错误应用标记都存在,那么服务器必须使用特定于数据模型的值。
error-path: Contains the absolute XPath [W3C.REC-xpath-19991116] expression identifying the element path to the node that is associated with the error being reported in a particular <rpc-error> element. This element will not be present if no appropriate payload element or datastore node can be associated with a particular error condition.
The XPath expression is interpreted in the following context:
XPath表达式在以下上下文中解释:
* The set of namespace declarations are those in scope on the <rpc-error> element.
* 命名空间声明集是<rpc error>元素作用域中的声明。
* The set of variable bindings is empty.
* 变量绑定集为空。
* The function library is the core function library.
* 函数库是核心函数库。
The context node depends on the node associated with the error being reported:
上下文节点取决于与报告的错误关联的节点:
* If a payload element can be associated with the error, the context node is the rpc request’s document node (i.e., the <rpc> element).
* 如果有效负载元素可以与错误关联,则上下文节点是rpc请求的文档节点(即<rpc>元素)。
* Otherwise, the context node is the root of all data models, i.e., the node that has the top-level nodes from all data models as children.
* 否则,上下文节点是所有数据模型的根,即,将所有数据模型的顶级节点作为子节点的节点。
error-message: Contains a string suitable for human display that describes the error condition. This element will not be present if no appropriate message is provided for a particular error condition. This element SHOULD include an “xml:lang” attribute as defined in [W3C.REC-xml-20001006] and discussed in [RFC3470].
error-info: Contains protocol- or data-model-specific error content. This element will not be present if no such error content is provided for a particular error condition. The list in Appendix A defines any mandatory error-info content for each error. After any protocol-mandated content, a data model definition MAY mandate that certain application-layer error information be included in the error-info container. An implementation MAY include additional elements to provide extended and/or implementation-specific debugging information.
Appendix A enumerates the standard NETCONF errors.
附录A列举了标准NETCONF错误。
Example: An error is returned if an <rpc> element is received without a “message-id” attribute. Note that only in this case is it acceptable for the NETCONF peer to omit the “message-id” attribute in the <rpc-reply> element.
The following <rpc-reply> illustrates the case of returning multiple <rpc-error> elements.
下面的<rpc reply>说明了返回多个<rpc error>元素的情况。
Note that the data models used in the examples in this section use the <name> element to distinguish between multiple instances of the <interface> element.
请注意,本节示例中使用的数据模型使用<name>元素来区分<interface>元素的多个实例。
<rpc-reply message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
<rpc-error>
<error-type>application</error-type>
<error-tag>invalid-value</error-tag>
<error-severity>error</error-severity>
<error-path xmlns:t="http://example.com/schema/1.2/config">
/t:top/t:interface[t:name="Ethernet0/0"]/t:mtu
</error-path>
<error-message xml:lang="en">
MTU value 25000 is not within range 256..9192
</error-message>
</rpc-error>
<rpc-error>
<error-type>application</error-type>
<error-tag>invalid-value</error-tag>
<error-severity>error</error-severity>
<error-path xmlns:t="http://example.com/schema/1.2/config">
/t:top/t:interface[t:name="Ethernet1/0"]/t:address/t:name
</error-path>
<error-message xml:lang="en">
Invalid IP address for interface Ethernet1/0
</error-message>
</rpc-error>
</rpc-reply>
4.4. <ok> Element
The <ok> element is sent in <rpc-reply> messages if no errors or warnings occurred during the processing of an <rpc> request, and no data was returned from the operation. For example:
NETCONF <rpc> requests MUST be processed serially by the managed device. Additional <rpc> requests MAY be sent before previous ones have been completed. The managed device MUST send responses only in the order the requests were received.
NETCONF provides an initial set of operations and a number of capabilities that can be used to extend the base. NETCONF peers exchange device capabilities when the session is initiated as described in Section 8.1.
NETCONF defines the existence of one or more configuration datastores and allows configuration operations on them. A configuration datastore is defined as the complete set of configuration data that is required to get a device from its initial default state into a desired operational state. The configuration datastore does not include state data or executive commands.
The running configuration datastore holds the complete configuration currently active on the network device. Only one configuration datastore of this type exists on the device, and it is always present. NETCONF protocol operations refer to this datastore using the <running> element.
Only the <running> configuration datastore is present in the base model. Additional configuration datastores MAY be defined by capabilities. Such configuration datastores are available only on devices that advertise the capabilities.
The capabilities in Sections 8.3 and 8.7 define the <candidate> and <startup> configuration datastores, respectively.
第8.3节和第8.7节中的功能分别定义了<candidate>和<startup>配置数据存储。
5.2. Data Modeling
Data modeling and content issues are outside the scope of the NETCONF protocol. An assumption is made that the device’s data model is well-known to the application and that both parties are aware of issues such as the layout, containment, keying, lookup, replacement, and management of the data, as well as any other constraints imposed by the data model.
NETCONF carries configuration data inside the <config> element that is specific to the device’s data model. The protocol treats the contents of that element as opaque data. The device uses capabilities to announce the set of data models that the device implements. The capability definition details the operation and constraints imposed by data model.
Devices and managers can support multiple data models, including both standard and proprietary data models.
设备和管理器可以支持多种数据模型,包括标准和专有数据模型。
6. Subtree Filtering
6.1. Overview
XML subtree filtering is a mechanism that allows an application to select particular XML subtrees to include in the <rpc-reply> for a <get> or <get-config> operation. A small set of filters for inclusion, simple content exact-match, and selection is provided, which allows some useful, but also very limited, selection mechanisms. The server does not need to utilize any data-model-specific semantics during processing, allowing for simple and centralized implementation strategies.
Conceptually, a subtree filter is comprised of zero or more element subtrees, which represent the filter selection criteria. At each containment level within a subtree, the set of sibling nodes is logically processed by the server to determine if its subtree and path of elements to the root are included in the filter output.
Each node specified in a subtree filter represents an inclusive filter. Only associated nodes in underlying data model(s) within the specified datastore on the server are selected by the filter. A node is selected if it matches the selection criteria and hierarchy of elements given in the filter data, except that the filter absolute path name is adjusted to start from the layer below <filter>.
Response messages contain only the subtrees selected by the filter. Any selection criteria that were present in the request, within a particular selected subtree, are also included in the response. Note that some elements expressed in the filter as leaf nodes will be expanded (i.e., subtrees included) in the filter output. Specific data instances are not duplicated in the response in the event that the request contains multiple filter subtree expressions that select the same data.
A subtree filter is comprised of XML elements and their XML attributes. There are five types of components that can be present in a subtree filter:
子树过滤器由XML元素及其XML属性组成。子树筛选器中可以存在五种类型的组件:
o Namespace Selection
o 名称空间选择
o Attribute Match Expressions
o 属性匹配表达式
o Containment Nodes
o 包容节点
o Selection Nodes
o 选择节点
o Content Match Nodes
o 内容匹配节点
6.2.1. Namespace Selection
6.2.1. 名称空间选择
A namespace is considered to match (for filter purposes) if the XML namespace associated with a particular node within the <filter> element is the same as in the underlying data model. Note that namespace selection cannot be used by itself. At least one element MUST be specified in the filter if any elements are to be included in the filter output.
An XML namespace wildcard mechanism is defined for subtree filtering. If an element within the <filter> element is not qualified by a namespace (e.g., xmlns=””), then the server MUST evaluate all the XML namespaces it supports, when processing that subtree filter node. This wildcard mechanism is not applicable to XML attributes.
In this example, the <top> element is a selection node, and only this node in the “http://example.com/schema/1.2/config” namespace and any child nodes (from the underlying data model) will be included in the filter output.
An attribute that appears in a subtree filter is part of an “attribute match expression”. Any number of (unqualified or qualified) XML attributes MAY be present in any type of filter node. In addition to the selection criteria normally applicable to that node, the selected data MUST have matching values for every attribute specified in the node. If an element is not defined to include a specified attribute, then it is not selected in the filter output.
In this example, the <top> and <interfaces> elements are containment nodes, the <interface> element is a selection node, and “ifName” is an attribute match expression. Only “interface” nodes in the “http://example.com/schema/1.2/config” namespace that have an “ifName” attribute with the value “eth0” and occur within “interfaces” nodes within “top” nodes will be included in the filter output.
Nodes that contain child elements within a subtree filter are called “containment nodes”. Each child element can be any type of node, including another containment node. For each containment node specified in a subtree filter, all data model instances that exactly match the specified namespaces, element hierarchy, and any attribute match expressions are included in the filter output.
In this example, the <top> element is a containment node.
在本例中,<top>元素是一个包含节点。
6.2.4. Selection Nodes
6.2.4. 选择节点
An empty leaf node within a filter is called a “selection node”, and it represents an “explicit selection” filter on the underlying data model. Presence of any selection nodes within a set of sibling nodes will cause the filter to select the specified subtree(s) and suppress automatic selection of the entire set of sibling nodes in the underlying data model. For filtering purposes, an empty leaf node can be declared either with an empty tag (e.g., <foo/>) or with explicit start and end tags (e.g., <foo> </foo>). Any whitespace characters are ignored in this form.
In this example, the <top> element is a containment node, and the <users> element is a selection node. Only “users” nodes in the “http://example.com/schema/1.2/config” namespace that occur within a <top> element that is the root of the configuration datastore will be included in the filter output.
A leaf node that contains simple content is called a “content match node”. It is used to select some or all of its sibling nodes for filter output, and it represents an exact-match filter on the leaf node element content. The following constraints apply to content match nodes:
o A content match node MUST NOT contain nested elements.
o 内容匹配节点不得包含嵌套元素。
o Multiple content match nodes (i.e., sibling nodes) are logically combined in an “AND” expression.
o 多个内容匹配节点(即同级节点)在逻辑上组合在一个“和”表达式中。
o Filtering of mixed content is not supported.
o 不支持筛选混合内容。
o Filtering of list content is not supported.
o 不支持筛选列表内容。
o Filtering of whitespace-only content is not supported.
o 不支持过滤纯空白内容。
o A content match node MUST contain non-whitespace characters. An empty element (e.g., <foo></foo>) will be interpreted as a selection node (e.g., <foo/>).
o 内容匹配节点必须包含非空白字符。空元素(例如,<foo></foo>)将被解释为选择节点(例如,<foo/>)。
o Leading and trailing whitespace characters are ignored, but any whitespace characters within a block of text characters are not ignored or modified.
o 将忽略前导和尾随空白字符,但不会忽略或修改文本字符块中的任何空白字符。
If all specified sibling content match nodes in a subtree filter expression are “true”, then the filter output nodes are selected in the following manner:
o Each content match node in the sibling set is included in the filter output.
o 同级集中的每个内容匹配节点都包含在过滤器输出中。
o If any containment nodes are present in the sibling set, then they are processed further and included if any nested filter criteria are also met.
o 如果同级集中存在任何包含节点,则会进一步处理这些节点,并在满足任何嵌套筛选条件时将其包括在内。
o If any selection nodes are present in the sibling set, then all of them are included in the filter output.
o 如果兄弟节点集中存在任何选择节点,则所有选择节点都将包含在过滤器输出中。
o If any sibling nodes of the selection node are instance identifier components for a conceptual data structure (e.g., list key leaf), then they MAY also be included in the filter output.
o 如果选择节点的任何同级节点是概念数据结构(例如,列表键叶)的实例标识符组件,则它们也可以包括在过滤器输出中。
o Otherwise (i.e., there are no selection or containment nodes in the filter sibling set), all the nodes defined at this level in the underlying data model (and their subtrees, if any) are returned in the filter output.
o 否则(即,过滤器同级集合中没有选择或包含节点),在基础数据模型(及其子树,如果有的话)中在该级别定义的所有节点都将在过滤器输出中返回。
If any of the sibling content match node tests are “false”, then no further filter processing is performed on that sibling set, and none of the sibling subtrees are selected by the filter, including the content match node(s).
In this example, the <users> and <user> nodes are both containment nodes, and <name> is a content match node. Since no sibling nodes of <name> are specified (and therefore no containment or selection nodes), all of the sibling nodes of <name> are returned in the filter output. Only “user” nodes in the “http://example.com/schema/1.2/config” namespace that match the element hierarchy and for which the <name> element is equal to “fred” will be included in the filter output.
The filter output (the set of selected nodes) is initially empty.
过滤器输出(所选节点集)最初为空。
Each subtree filter can contain one or more data model fragments, which represent portions of the data model that will be selected (with all child nodes) in the filter output.
Each subtree data fragment is compared by the server to the internal data models supported by the server. If the entire subtree data-fragment filter (starting from the root to the innermost element specified in the filter) exactly matches a corresponding portion of the supported data model, then that node and all its children are included in the result data.
The server processes all nodes with the same parent node (sibling set) together, starting from the root to the leaf nodes. The root
服务器一起处理具有相同父节点(同级节点集)的所有节点,从根节点到叶节点。根
elements in the filter are considered in the same sibling set (assuming they are in the same namespace), even though they do not have a common parent.
筛选器中的元素被视为在同一个同级集中(假定它们位于同一命名空间中),即使它们没有公共父级。
For each sibling set, the server determines which nodes are included (or potentially included) in the filter output, and which sibling subtrees are excluded (pruned) from the filter output. The server first determines which types of nodes are present in the sibling set and processes the nodes according to the rules for their type. If any nodes in the sibling set are selected, then the process is recursively applied to the sibling sets of each selected node. The algorithm continues until all sibling sets in all subtrees specified in the filter have been processed.
<rpc-reply message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<data>
<!-- ... entire set of data returned ... -->
</data>
</rpc-reply>
6.4.2. Empty Filter
6.4.2. 空过滤器
An empty filter will select nothing because no content match or selection nodes are present. This is not an error. The <filter> element’s “type” attribute used in these examples is discussed further in Section 7.1.
The filter in this example contains one selection node (<users>), so just that subtree is selected by the filter. This example represents the fully populated <users> data model in most of the filter examples that follow. In a real data model, the <company-info> would not likely be returned with the list of users for a particular host or network.
NOTE: The filtering and configuration examples used in this document appear in the namespace “http://example.com/schema/1.2/config”. The root element of this namespace is <top>. The <top> element and its descendents represent an example configuration data model only.
6.4.4. Select All <name> Elements within the <users> Subtree
6.4.4. 选择<users>子树中的所有<name>元素
This filter contains two containment nodes (<users>, <user>) and one selection node (<name>). All instances of the <name> element in the same sibling set are selected in the filter output. The client might need to know that <name> is used as an instance identifier in this particular data structure, but the server does not need to know that meta-data in order to process the request.
This filter contains two containment nodes (<users>, <user>) and one content match node (<name>). All instances of the sibling set containing <name> for which the value of <name> equals “fred” are selected in the filter output.
6.4.6. Specific Elements from a Specific <user> Entry
6.4.6. 特定<user>条目中的特定元素
This filter contains two containment nodes (<users>, <user>), one content match node (<name>), and two selection nodes (<type>, <full-name>). All instances of the <type> and <full-name> elements in the same sibling set containing <name> for which the value of <name> equals “fred” are selected in the filter output. The <company-info> element is not included because the sibling set contains selection nodes.
This filter contains three subtrees (name=root, fred, barney).
此筛选器包含三个子树(name=root、fred、barney)。
The “root” subtree filter contains two containment nodes (<users>, <user>), one content match node (<name>), and one selection node (<company-info>). The subtree selection criteria are met, and just the company-info subtree for “root” is selected in the filter output.
The “fred” subtree filter contains three containment nodes (<users>, <user>, <company-info>), one content match node (<name>), and one selection node (<id>). The subtree selection criteria are met, and just the <id> element within the company-info subtree for “fred” is selected in the filter output.
The “barney” subtree filter contains three containment nodes (<users>, <user>, <company-info>), two content match nodes (<name>, <type>), and one selection node (<dept>). The subtree selection criteria are not met because user “barney” is not a “superuser”, and the entire subtree for “barney” (including its parent <user> entry) is excluded from the filter output.
In this example, the filter contains one containment node (<interfaces>), one attribute match expression (“ifName”), and one selection node (<interface>). All instances of the <interface> subtree that have an “ifName” attribute equal to “eth0” are selected in the filter output. The filter data elements and attributes are qualified because the “ifName” attribute will not be considered part of the “schema/1.2” namespace if it is unqualified.
The NETCONF protocol provides a small set of low-level operations to manage device configurations and retrieve device state information. The base protocol provides operations to retrieve, configure, copy, and delete configuration datastores. Additional operations are provided, based on the capabilities advertised by the device.
The base protocol includes the following protocol operations:
基本协议包括以下协议操作:
o get
o 收到
o get-config
o 获取配置
o edit-config
o 编辑配置
o copy-config
o 复制配置
o delete-config
o 删除配置
o lock
o 锁
o unlock
o 解锁
o close-session
o 闭门会议
o kill-session
o 终止会话
A protocol operation can fail for various reasons, including “operation not supported”. An initiator SHOULD NOT assume that any operation will always succeed. The return values in any RPC reply SHOULD be checked for error responses.
The syntax and XML encoding of the protocol operations are formally defined in the YANG module in Appendix C. The following sections describe the semantics of each protocol operation.
协议操作的语法和XML编码在附录C的YANG模块中正式定义。以下各节描述了每个协议操作的语义。
7.1. <get-config>
7.1. <get config>
Description: Retrieve all or part of a specified configuration datastore.
描述:检索指定配置数据存储的全部或部分。
Parameters:
参数:
source: Name of the configuration datastore being queried, such as <running/>.
source:正在查询的配置数据存储的名称,例如<running/>。
filter: This parameter identifies the portions of the device configuration datastore to retrieve. If this parameter is not present, the entire configuration is returned.
筛选器:此参数标识要检索的设备配置数据存储的部分。如果此参数不存在,则返回整个配置。
The <filter> element MAY optionally contain a “type” attribute. This attribute indicates the type of filtering syntax used within the <filter> element. The default filtering mechanism in NETCONF is referred to as subtree filtering and is described in Section 6. The value “subtree” explicitly identifies this type of filtering.
If the NETCONF peer supports the :xpath capability (Section 8.9), the value “xpath” MAY be used to indicate that the “select” attribute on the <filter> element contains an XPath expression.
Positive Response: If the device can satisfy the request, the server sends an <rpc-reply> element containing a <data> element with the results of the query.
Section 6 contains additional examples of subtree filtering.
第6节包含子树过滤的其他示例。
7.2. <edit-config>
**7.2. <编辑配置>**
Description:
说明:
The <edit-config> operation loads all or part of a specified configuration to the specified target configuration datastore. This operation allows the new configuration to be expressed in several ways, such as using a local file, a remote file, or inline. If the target configuration datastore does not exist, it will be created.
The device analyzes the source and target configurations and performs the requested changes. The target configuration is not necessarily replaced, as with the <copy-config> message. Instead, the target configuration is changed in accordance with the source’s data and requested operations.
If the <edit-config> operation contains multiple sub-operations that apply to the same conceptual node in the underlying data model, then the result of the operation is undefined (i.e., outside the scope of the NETCONF protocol).
operation: Elements in the <config> subtree MAY contain an “operation” attribute, which belongs to the NETCONF namespace defined in Section 3.1. The attribute identifies the point in the configuration to perform the operation and MAY appear on multiple elements throughout the <config> subtree.
If the “operation” attribute is not specified, the configuration is merged into the configuration datastore.
如果未指定“操作”属性,则配置将合并到配置数据存储中。
The “operation” attribute has one of the following values:
“操作”属性具有以下值之一:
merge: The configuration data identified by the element containing this attribute is merged with the configuration at the corresponding level in the configuration datastore identified by the <target> parameter. This is the default behavior.
replace: The configuration data identified by the element containing this attribute replaces any related configuration in the configuration datastore identified by the <target> parameter. If no such configuration data exists in the configuration datastore, it is created. Unlike a <copy-config> operation, which replaces the entire target configuration, only the configuration actually present in the <config> parameter is affected.
create: The configuration data identified by the element containing this attribute is added to the configuration if and only if the configuration data does not already exist in the configuration datastore. If the configuration data exists, an <rpc-error> element is returned with an <error-tag> value of “data-exists”.
delete: The configuration data identified by the element containing this attribute is deleted from the configuration if and only if the configuration data currently exists in the configuration datastore. If the configuration data does not exist, an <rpc-error> element is returned with an <error-tag> value of “data-missing”.
remove: The configuration data identified by the element containing this attribute is deleted from the configuration if the configuration data currently exists in the configuration datastore. If the configuration data does not exist, the “remove” operation is silently ignored by the server.
target: Name of the configuration datastore being edited, such as <running/> or <candidate/>.
目标:正在编辑的配置数据存储的名称,例如<running/>或<candidate/>。
default-operation: Selects the default operation (as described in the “operation” attribute) for this <edit-config> request. The default value for the <default-operation> parameter is “merge”.
The <default-operation> parameter is optional, but if provided, it has one of the following values:
<default operation>参数是可选的,但如果提供,它具有以下值之一:
merge: The configuration data in the <config> parameter is merged with the configuration at the corresponding level in the target datastore. This is the default behavior.
合并:<config>参数中的配置数据与目标数据存储中相应级别的配置合并。这是默认行为。
replace: The configuration data in the <config> parameter completely replaces the configuration in the target datastore. This is useful for loading previously saved configuration data.
none: The target datastore is unaffected by the configuration in the <config> parameter, unless and until the incoming configuration data uses the “operation” attribute to request a different operation. If the configuration in the <config> parameter contains data for which there is not a corresponding level in the target datastore, an <rpc-error> is returned with an <error-tag> value of data-missing. Using “none” allows operations like “delete” to avoid unintentionally creating the parent hierarchy of the element to be deleted.
test-option: The <test-option> element MAY be specified only if the device advertises the :validate:1.1 capability (Section 8.6).
测试选项:仅当设备宣传:验证:1.1功能(第8.6节)时,才可指定<test option>元素。
The <test-option> element has one of the following values:
<test option>元素具有以下值之一:
test-then-set: Perform a validation test before attempting to set. If validation errors occur, do not perform the <edit-config> operation. This is the default test-option.
set: Perform a set without a validation test first.
set:先执行set而不进行验证测试。
test-only: Perform only the validation test, without attempting to set.
仅测试:仅执行验证测试,而不尝试设置。
error-option: The <error-option> element has one of the following values:
错误选项:<error option>元素具有以下值之一:
stop-on-error: Abort the <edit-config> operation on first error. This is the default error-option.
错误时停止:在出现第一个错误时中止<edit config>操作。这是默认的错误选项。
continue-on-error: Continue to process configuration data on error; error is recorded, and negative response is generated if any errors occur.
出错时继续:出错时继续处理配置数据;记录错误,如果出现任何错误,将生成否定响应。
rollback-on-error: If an error condition occurs such that an error severity <rpc-error> element is generated, the server will stop processing the <edit-config> operation and restore the specified configuration to its complete state at the start of this <edit-config> operation. This option requires the server to support the :rollback-on-error capability described in Section 8.5.
config: A hierarchy of configuration data as defined by one of the device’s data models. The contents MUST be placed in an appropriate namespace, to allow the device to detect the appropriate data model, and the contents MUST follow the constraints of that data model, as defined by its capability definition. Capabilities are discussed in Section 8.
Positive Response: If the device was able to satisfy the request, an <rpc-reply> is sent containing an <ok> element.
肯定响应:如果设备能够满足请求,则发送包含<ok>元素的<rpc reply>。
Negative Response: An <rpc-error> response is sent if the request cannot be completed for any reason.
否定响应:如果由于任何原因无法完成请求,将发送<rpc error>响应。
Example: The <edit-config> examples in this section utilize a simple data model, in which multiple instances of the <interface> element can be present, and an instance is distinguished by the <name> element within each <interface> element.
Description: Create or replace an entire configuration datastore with the contents of another complete configuration datastore. If the target datastore exists, it is overwritten. Otherwise, a new one is created, if allowed.
Even if it advertises the :writable-running capability, a device MAY choose not to support the <running/> configuration datastore as the <target> parameter of a <copy-config> operation. A device MAY choose not to support remote-to-remote copy operations, where both the <source> and <target> parameters use the <url> element. If the <source> and <target> parameters identify the same URL or configuration datastore, an error MUST be returned with an error-tag containing “invalid-value”.
target: Name of the configuration datastore to use as the destination of the <copy-config> operation.
target:用作<copy config>操作目标的配置数据存储的名称。
source: Name of the configuration datastore to use as the source of the <copy-config> operation, or the <config> element containing the complete configuration to copy.
Description: The <lock> operation allows the client to lock the entire configuration datastore system of a device. Such locks are intended to be short-lived and allow a client to make a change without fear of interaction with other NETCONF clients, non-NETCONF clients (e.g., SNMP and command line interface (CLI) scripts), and human users.
An attempt to lock the configuration datastore MUST fail if an existing session or other entity holds a lock on any portion of the lock target.
如果现有会话或其他实体持有锁定目标任何部分的锁,则锁定配置数据存储的尝试必须失败。
When the lock is acquired, the server MUST prevent any changes to the locked resource other than those requested by this session. SNMP and CLI requests to modify the resource MUST fail with an appropriate error.
The duration of the lock is defined as beginning when the lock is acquired and lasting until either the lock is released or the NETCONF session closes. The session closure can be explicitly performed by the client, or implicitly performed by the server based on criteria such as failure of the underlying transport, simple inactivity timeout, or detection of abusive behavior on the part of the client. These criteria are dependent on the implementation and the underlying transport.
The <lock> operation takes a mandatory parameter, <target>. The <target> parameter names the configuration datastore that will be locked. When a lock is active, using the <edit-config> operation on the locked configuration datastore and using the locked configuration as a target of the <copy-config> operation will be disallowed by any other NETCONF session. Additionally, the system will ensure that these locked configuration resources will not be modified by other non-NETCONF management operations such as SNMP and CLI. The <kill-session> operation can be used to force the release of a lock owned by another NETCONF session. It is beyond the scope of this document to define how to break locks held by other entities.
If the lock is already held, the <error-tag> element will be “lock-denied” and the <error-info> element will include the <session-id> of the lock owner. If the lock is held by a non-NETCONF entity, a <session-id> of 0 (zero) is included. Note that any other entity performing a lock on even a partial piece of a target will prevent a NETCONF lock (which is global) from being obtained on that target.
Description: Retrieve running configuration and device state information.
描述:检索正在运行的配置和设备状态信息。
Parameters:
参数:
filter: This parameter specifies the portion of the system configuration and state data to retrieve. If this parameter is not present, all the device configuration and state information is returned.
The <filter> element MAY optionally contain a “type” attribute. This attribute indicates the type of filtering syntax used within the <filter> element. The default filtering mechanism in NETCONF is referred to as subtree filtering and is described in Section 6. The value “subtree” explicitly identifies this type of filtering.
If the NETCONF peer supports the :xpath capability (Section 8.9), the value “xpath” MAY be used to indicate that the “select” attribute of the <filter> element contains an XPath expression.
Description: Request graceful termination of a NETCONF session.
描述:请求终止NETCONF会话。
When a NETCONF server receives a <close-session> request, it will gracefully close the session. The server will release any locks and resources associated with the session and gracefully close any associated connections. Any NETCONF requests received after a <close-session> request will be ignored.
Description: Force the termination of a NETCONF session.
描述:强制终止NETCONF会话。
When a NETCONF entity receives a <kill-session> request for an open session, it will abort any operations currently in process, release any locks and resources associated with the session, and close any associated connections.
If a NETCONF server receives a <kill-session> request while processing a confirmed commit (Section 8.4), it MUST restore the configuration to its state before the confirmed commit was issued.
Otherwise, the <kill-session> operation does not roll back configuration or other device state modifications made by the entity holding the lock.
否则,<kill session>操作不会回滚持有锁的实体所做的配置或其他设备状态修改。
Parameters:
参数:
session-id: Session identifier of the NETCONF session to be terminated. If this value is equal to the current session ID, an “invalid-value” error is returned.
会话id:要终止的NETCONF会话的会话标识符。如果此值等于当前会话ID,则返回“无效值”错误。
Positive Response: If the device was able to satisfy the request, an <rpc-reply> is sent that includes an <ok> element.
肯定响应:如果设备能够满足请求,则发送包含<ok>元素的<rpc reply>。
Negative Response: An <rpc-error> element is included in the <rpc-reply> if the request cannot be completed for any reason.
This section defines a set of capabilities that a client or a server MAY implement. Each peer advertises its capabilities by sending them during an initial capabilities exchange. Each peer needs to understand only those capabilities that it might use and MUST ignore any capability received from the other peer that it does not require or does not understand.
Additional capabilities can be defined using the template in Appendix D. Future capability definitions can be published as standards by standards bodies or published as proprietary extensions.
可使用附录D中的模板定义其他功能。未来的功能定义可由标准机构作为标准发布,或作为专有扩展发布。
A NETCONF capability is identified with a URI. The base capabilities are defined using URNs following the method described in RFC 3553 [RFC3553]. Capabilities defined in this document have the following format:
where {name} is the name of the capability. Capabilities are often referenced in discussions and email using the shorthand :{name}, or :{name}:{version} if the capability exists in multiple versions. For example, the foo capability would have the formal name “urn:ietf:params:netconf:capability:foo:1.0” and be called “:foo”. The shorthand form MUST NOT be used inside the protocol.
Capabilities are advertised in messages sent by each peer during session establishment. When the NETCONF session is opened, each peer (both client and server) MUST send a <hello> element containing a list of that peer’s capabilities. Each peer MUST send at least the
base NETCONF capability, “urn:ietf:params:netconf:base:1.1”. A peer MAY include capabilities for previous NETCONF versions, to indicate that it supports multiple protocol versions.
Both NETCONF peers MUST verify that the other peer has advertised a common protocol version. When comparing protocol version capability URIs, only the base part is used, in the event any parameters are encoded at the end of the URI string. If no protocol version capability in common is found, the NETCONF peer MUST NOT continue the session. If more than one protocol version URI in common is present, then the highest numbered (most recent) protocol version MUST be used by both peers.
A server sending the <hello> element MUST include a <session-id> element containing the session ID for this NETCONF session. A client sending the <hello> element MUST NOT include a <session-id> element.
A server receiving a <hello> message with a <session-id> element MUST terminate the NETCONF session. Similarly, a client that does not receive a <session-id> element in the server’s <hello> message MUST terminate the NETCONF session (without first sending a <close-session>).
In the following example, a server advertises the base NETCONF capability, one NETCONF capability defined in the base NETCONF document, and one implementation-specific capability.
Each peer sends its <hello> element simultaneously as soon as the connection is open. A peer MUST NOT wait to receive the capability set from the other side before sending its own set.
The :writable-running capability indicates that the device supports direct writes to the <running> configuration datastore. In other words, the device supports <edit-config> and <copy-config> operations where the <running> configuration is the target.
The candidate configuration capability, :candidate, indicates that the device supports a candidate configuration datastore, which is used to hold configuration data that can be manipulated without impacting the device’s current configuration. The candidate configuration is a full configuration data set that serves as a work place for creating and manipulating configuration data. Additions, deletions, and changes can be made to this data to construct the
desired configuration data. A <commit> operation MAY be performed at any time that causes the device’s running configuration to be set to the value of the candidate configuration.
所需的配置数据。任何时候都可以执行<commit>操作,从而将设备的运行配置设置为候选配置的值。
The <commit> operation effectively sets the running configuration to the current contents of the candidate configuration. While it could be modeled as a simple copy, it is done as a distinct operation for a number of reasons. In keeping high-level concepts as first-class operations, we allow developers to see more clearly both what the client is requesting and what the server must perform. This keeps the intentions more obvious, the special cases less complex, and the interactions between operations more straightforward. For example, the :confirmed-commit:1.1 capability (Section 8.4) would make no sense as a “copy confirmed” operation.
The candidate configuration can be shared among multiple sessions. Unless a client has specific information that the candidate configuration is not shared, it MUST assume that other sessions are able to modify the candidate configuration at the same time. It is therefore prudent for a client to lock the candidate configuration before modifying it.
The client can discard any uncommitted changes to the candidate configuration by executing the <discard-changes> operation. This operation reverts the contents of the candidate configuration to the contents of the running configuration.
The :candidate capability is identified by the following capability string:
:候选能力由以下能力字符串标识:
urn:ietf:params:netconf:capability:candidate:1.0
urn:ietf:params:netconf:capability:candidate:1.0
8.3.4. New Operations
8.3.4. 新业务
8.3.4.1. <commit>
8.3.4.1. <commit>
Description:
说明:
When the candidate configuration’s content is complete, the configuration data can be committed, publishing the data set to the rest of the device and requesting the device to conform to the behavior described in the new configuration.
To commit the candidate configuration as the device’s new current configuration, use the <commit> operation.
要将候选配置提交为设备的新当前配置,请使用<commit>操作。
The <commit> operation instructs the device to implement the configuration data contained in the candidate configuration. If the device is unable to commit all of the changes in the candidate configuration datastore, then the running configuration MUST remain unchanged. If the device does succeed in committing, the running configuration MUST be updated with the contents of the candidate configuration.
If the running or candidate configuration is currently locked by a different session, the <commit> operation MUST fail with an <error-tag> value of “in-use”.
If the client decides that the candidate configuration is not to be committed, the <discard-changes> operation can be used to revert the candidate configuration to the current running configuration.
The candidate configuration can be used as a source or target of any <get-config>, <edit-config>, <copy-config>, or <validate> operation as a <source> or <target> parameter. The <candidate> element is used to indicate the candidate configuration:
When a client fails with outstanding changes to the candidate configuration, recovery can be difficult. To facilitate easy recovery, any outstanding changes are discarded when the lock is released, whether explicitly with the <unlock> operation or implicitly from session failure.
The :confirmed-commit:1.1 capability indicates that the server will support the <cancel-commit> operation and the <confirmed>, <confirm-timeout>, <persist>, and <persist-id> parameters for the <commit> operation. See Section 8.3 for further details on the <commit> operation.
A confirmed <commit> operation MUST be reverted if a confirming commit is not issued within the timeout period (by default 600 seconds = 10 minutes). The confirming commit is a <commit> operation without the <confirmed> parameter. The timeout period can be adjusted with the <confirm-timeout> parameter. If a follow-up confirmed <commit> operation is issued before the timer expires, the timer is reset to the new value (600 seconds by default). Both the confirming commit and a follow-up confirmed <commit> operation MAY introduce additional changes to the configuration.
If the <persist> element is not given in the confirmed commit operation, any follow-up commit and the confirming commit MUST be issued on the same session that issued the confirmed commit. If the <persist> element is given in the confirmed <commit> operation, a follow-up commit and the confirming commit can be given on any session, and they MUST include a <persist-id> element with a value equal to the given value of the <persist> element.
If the session issuing the confirmed commit is terminated for any reason before the confirm timeout expires, the server MUST restore the configuration to its state before the confirmed commit was issued, unless the confirmed commit also included a <persist> element.
If the device reboots for any reason before the confirm timeout expires, the server MUST restore the configuration to its state before the confirmed commit was issued.
如果设备在确认超时过期之前因任何原因重新启动,服务器必须将配置恢复到发出确认提交之前的状态。
If a confirming commit is not issued, the device will revert its configuration to the state prior to the issuance of the confirmed commit. To cancel a confirmed commit and revert changes without waiting for the confirm timeout to expire, the client can explicitly restore the configuration to its state before the confirmed commit was issued, by using the <cancel-commit> operation.
For shared configurations, this feature can cause other configuration changes (for example, via other NETCONF sessions) to be inadvertently altered or removed, unless the configuration locking feature is used (in other words, the lock is obtained before the <edit-config> operation is started). Therefore, it is strongly suggested that in order to use this feature with shared configuration datastores, configuration locking SHOULD also be used.
Version 1.0 of this capability was defined in [RFC4741]. Version 1.1 is defined in this document, and extends version 1.0 by adding a new operation, <cancel-commit>, and two new optional parameters, <persist> and <persist-id>. For backwards compatibility with old clients, servers conforming to this specification MAY advertise version 1.0 in addition to version 1.1.
Cancels an ongoing confirmed commit. If the <persist-id> parameter is not given, the <cancel-commit> operation MUST be issued on the same session that issued the confirmed commit.
Cancels a persistent confirmed commit. The value MUST be equal to the value given in the <persist> parameter to the <commit> operation. If the value does not match, the operation fails with an “invalid-value” error.
This capability indicates that the server will support the “rollback-on-error” value in the <error-option> parameter to the <edit-config> operation.
此功能表示服务器将支持<edit config>操作的<error option>参数中的“rollback on error”值。
For shared configurations, this feature can cause other configuration changes (for example, via other NETCONF sessions) to be inadvertently altered or removed, unless the configuration locking feature is used (in other words, the lock is obtained before the <edit-config> operation is started). Therefore, it is strongly suggested that in order to use this feature with shared configuration datastores, configuration locking also be used.
Validation consists of checking a complete configuration for syntactical and semantic errors before applying the configuration to the device.
验证包括在将配置应用于设备之前检查完整配置的语法和语义错误。
If this capability is advertised, the device supports the <validate> protocol operation and checks at least for syntax errors. In addition, this capability supports the <test-option> parameter to the <edit-config> operation and, when it is provided, checks at least for syntax errors.
Version 1.0 of this capability was defined in [RFC4741]. Version 1.1 is defined in this document, and extends version 1.0 by adding a new value, “test-only”, to the <test-option> parameter of the <edit-config> operation. For backwards compatibility with old clients, servers conforming to this specification MAY advertise version 1.0 in addition to version 1.1.
If the device was able to satisfy the request, an <rpc-reply> is sent that contains an <ok> element.
如果设备能够满足请求,则发送包含<ok>元素的<rpc reply>。
Negative Response:
否定回答:
An <rpc-error> element is included in the <rpc-reply> if the request cannot be completed for any reason.
如果由于任何原因无法完成请求,则<rpc error>元素将包含在<rpc reply>中。
A <validate> operation can fail for a number of reasons, such as syntax errors, missing parameters, references to undefined configuration data, or any other violations of rules established by the underlying data model.
The device supports separate running and startup configuration datastores. The startup configuration is loaded by the device when it boots. Operations that affect the running configuration will not be automatically copied to the startup configuration. An explicit <copy-config> operation from the <running> to the <startup> is used to update the startup configuration to the current contents of the
running configuration. NETCONF protocol operations refer to the startup datastore using the <startup> element.
运行配置。NETCONF协议操作是指使用<startup>元素的启动数据存储。
8.7.2. Dependencies
8.7.2. 依赖关系
None.
没有一个
8.7.3. Capability Identifier
8.7.3. 能力标识符
The :startup capability is identified by the following capability string:
:启动功能由以下功能字符串标识:
urn:ietf:params:netconf:capability:startup:1.0
urn:ietf:params:netconf:capability:startup:1.0
8.7.4. New Operations
8.7.4. 新业务
None.
没有一个
8.7.5. Modifications to Existing Operations
8.7.5. 对现有业务的修改
8.7.5.1. General
8.7.5.1. 全体的
The :startup capability adds the <startup/> configuration datastore to arguments of several NETCONF operations. The server MUST support the following additional values:
To save the startup configuration, use the <copy-config> operation to copy the <running> configuration datastore to the <startup> configuration datastore.
The NETCONF peer has the ability to accept the <url> element in <source> and <target> parameters. The capability is further identified by URL arguments indicating the URL schemes supported.
The :url capability URI MUST contain a “scheme” argument assigned a comma-separated list of scheme names indicating which schemes the NETCONF peer supports. For example:
The :url capability modifies the <edit-config> operation to accept the <url> element as an alternative to the <config> parameter.
:url功能修改<edit config>操作以接受<url>元素作为<config>参数的替代。
The file that the url refers to contains the configuration data hierarchy to be modified, encoded in XML under the element <config> in the “urn:ietf:params:xml:ns:netconf:base:1.0” namespace.
The file that the url refers to contains the complete datastore, encoded in XML under the element <config> in the “urn:ietf:params:xml:ns:netconf:base:1.0” namespace.
The :url capability modifies the <validate> operation to accept the <url> element as the value of the <source> parameter.
:url功能修改<validate>操作以接受<url>元素作为<source>参数的值。
8.9. XPath Capability
8.9. XPath功能
8.9.1. Description
8.9.1. 描述
The XPath capability indicates that the NETCONF peer supports the use of XPath expressions in the <filter> element. XPath is described in [W3C.REC-xpath-19991116].
The data model used in the XPath expression is the same as that used in XPath 1.0 [W3C.REC-xpath-19991116], with the same extension for root node children as used by XSLT 1.0 ([W3C.REC-xslt-19991116], Section 3.1). Specifically, it means that the root node MAY have any number of element nodes as its children.
The XPath expression is evaluated in the following context:
XPath表达式在以下上下文中求值:
o The set of namespace declarations are those in scope on the <filter> element.
o 命名空间声明集是<filter>元素作用域中的声明。
o The set of variable bindings is defined by the data model. If no such variable bindings are defined, the set is empty.
o 变量绑定集由数据模型定义。如果未定义此类变量绑定,则该集为空。
o The function library is the core function library, plus any functions defined by the data model.
o 函数库是核心函数库,加上数据模型定义的任何函数。
o The context node is the root node.
o 上下文节点是根节点。
The XPath expression MUST return a node set. If it does not return a node set, the operation fails with an “invalid-value” error.
XPath表达式必须返回节点集。如果不返回节点集,操作将失败,并出现“无效值”错误。
The response message contains the subtrees selected by the filter expression. For each such subtree, the path from the data model root node down to the subtree, including any elements or attributes necessary to uniquely identify the subtree, are included in the response message. Specific data instances are not duplicated in the response.
The :xpath capability is identified by the following capability string:
:xpath功能由以下功能字符串标识:
urn:ietf:params:netconf:capability:xpath:1.0
urn:ietf:params:netconf:capability:xpath:1.0
8.9.4. New Operations
8.9.4. 新业务
None.
没有一个
8.9.5. Modifications to Existing Operations
8.9.5. 对现有业务的修改
8.9.5.1. <get-config> and <get>
8.9.5.1. <get config>和<get>
The :xpath capability modifies the <get> and <get-config> operations to accept the value “xpath” in the “type” attribute of the <filter> element. When the “type” attribute is set to “xpath”, a “select” attribute MUST be present on the <filter> element. The “select” attribute will be treated as an XPath expression and used to filter the returned data. The <filter> element itself MUST be empty in this case.
The XPath result for the select expression MUST be a node-set. Each node in the node-set MUST correspond to a node in the underlying data model. In order to properly identify each node, the following encoding rules are defined:
o All ancestor nodes of the result node MUST be encoded first, so the <data> element returned in the reply contains only fully specified subtrees, according to the underlying data model.
o 必须首先对结果节点的所有祖先节点进行编码,因此根据底层数据模型,回复中返回的<data>元素只包含完全指定的子树。
o If any sibling or ancestor nodes of the result node are needed to identify a particular instance within a conceptual data structure, then these nodes MUST also be encoded in the response.
o 如果需要结果节点的任何兄弟节点或祖先节点来标识概念数据结构中的特定实例,那么这些节点也必须在响应中进行编码。
For example:
例如:
<rpc message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<get-config>
<source>
<running/>
</source>
<!-- get the user named fred -->
<filter xmlns:t="http://example.com/schema/1.2/config"
type="xpath"
select="/t:top/t:users/t:user[t:name='fred']"/>
</get-config>
</rpc>
<rpc message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<get-config>
<source>
<running/>
</source>
<!-- get the user named fred -->
<filter xmlns:t="http://example.com/schema/1.2/config"
type="xpath"
select="/t:top/t:users/t:user[t:name='fred']"/>
</get-config>
</rpc>
This section provides security considerations for the base NETCONF message layer and the base operations of the NETCONF protocol. Security considerations for the NETCONF transports are provided in the transport documents, and security considerations for the content manipulated by NETCONF can be found in the documents defining data models.
This document does not specify an authorization scheme, as such a scheme will likely be tied to a meta-data model or a data model. Implementors SHOULD provide a comprehensive authorization scheme with NETCONF.
Authorization of individual users via the NETCONF server may or may not map 1:1 to other interfaces. First, the data models might be incompatible. Second, it could be desirable to authorize based on mechanisms available in the Secure Transport layer (e.g., SSH, Blocks Extensible Exchange Protocol (BEEP), etc.).
In addition, operations on configurations could have unintended consequences if those operations are also not guarded by the global lock on the files or objects being operated upon. For instance, if the running configuration is not locked, a partially complete access list could be committed from the candidate configuration unbeknownst to the owner of the lock of the candidate configuration, leading to either an insecure or inaccessible device.
Configuration information is by its very nature sensitive. Its transmission in the clear and without integrity checking leaves devices open to classic eavesdropping and false data injection attacks. Configuration information often contains passwords, user names, service descriptions, and topological information, all of which are sensitive. Because of this, this protocol SHOULD be implemented carefully with adequate attention to all manner of attack one might expect to experience with other management interfaces.
The protocol, therefore, MUST minimally support options for both confidentiality and authentication. It is anticipated that the underlying protocol (SSH, BEEP, etc.) will provide for both confidentiality and authentication, as is required. It is further expected that the identity of each end of a NETCONF session will be available to the other in order to determine authorization for any given request. One could also easily envision additional information, such as transport and encryption methods, being made available for purposes of authorization. NETCONF itself provides no means to re-authenticate, much less authenticate. All such actions occur at lower layers.
Different environments may well allow different rights prior to and then after authentication. Thus, an authorization model is not specified in this document. When an operation is not properly authorized, a simple “access denied” is sufficient. Note that authorization information can be exchanged in the form of configuration information, which is all the more reason to ensure the security of the connection.
That having been said, it is important to recognize that some operations are clearly more sensitive by nature than others. For instance, <copy-config> to the startup or running configurations is clearly not a normal provisioning operation, whereas <edit-config> is. Such global operations MUST disallow the changing of information
that an individual does not have authorization to perform. For example, if user A is not allowed to configure an IP address on an interface but user B has configured an IP address on an interface in the <candidate> configuration, user A MUST NOT be allowed to commit the <candidate> configuration.
Similarly, just because someone says “go write a configuration through the URL capability at a particular place”, this does not mean that an element will do it without proper authorization.
The <lock> operation will demonstrate that NETCONF is intended for use by systems that have at least some trust of the administrator. As specified in this document, it is possible to lock portions of a configuration that a principal might not otherwise have access to. After all, the entire configuration is locked. To mitigate this problem, there are two approaches. It is possible to kill another NETCONF session programmatically from within NETCONF if one knows the session identifier of the offending session. The other possible way to break a lock is to provide a function within the device’s native user interface. These two mechanisms suffer from a race condition that could be ameliorated by removing the offending user from an Authentication, Authorization, and Accounting (AAA) server. However, such a solution is not useful in all deployment scenarios, such as those where SSH public/private key pairs are used.
IANA has created and now maintains a registry “Network Configuration Protocol (NETCONF) Capability URNs” that allocates NETCONF capability identifiers. Additions to the registry require IETF Standards Action.
In addition to the editors, this document was written by:
除编辑外,本文件由以下人员编写:
Ken Crozier, Cisco Systems
Ken Crozier,思科系统公司
Ted Goddard, IceSoft
特德·戈达德,冰软
Eliot Lear, Cisco Systems
艾略特·李尔,思科系统公司
Phil Shafer, Juniper Networks
Phil Shafer,Juniper Networks
Steve Waldbusser
史蒂夫·瓦尔德布瑟
Margaret Wasserman, Painless Security, LLC
Margaret Wasserman,无痛安全有限责任公司
12. Acknowledgements
12. 致谢
The authors would like to acknowledge the members of the NETCONF working group. In particular, we would like to thank Wes Hardaker for his persistence and patience in assisting us with security considerations. We would also like to thank Randy Presuhn, Sharon Chisholm, Glenn Waters, David Perkins, Weijing Chen, Simon Leinen, Keith Allen, Dave Harrington, Ladislav Lhotka, Tom Petch, and Kent Watsen for all of their valuable advice.
[RFC3553] Mealling, M., Masinter, L., Hardie, T., and G. Klyne, “An IETF URN Sub-namespace for Registered Protocol Parameters”, BCP 73, RFC 3553, June 2003.
[W3C.REC-xml-20001006] Sperberg-McQueen, C., Bray, T., Paoli, J., and E. Maler, “Extensible Markup Language (XML) 1.0 (Second Edition)”, World Wide Web Consortium REC-xml-20001006, October 2000, <http://www.w3.org/TR/2000/REC-xml-20001006>.
[W3C.REC-xpath-19991116] DeRose, S. and J. Clark, “XML Path Language (XPath) Version 1.0”, World Wide Web Consortium Recommendation REC-xpath-19991116, November 1999, <http://www.w3.org/TR/1999/REC-xpath-19991116>.
[RFC3470] Hollenbeck, S., Rose, M., and L. Masinter, “Guidelines for the Use of Extensible Markup Language (XML) within IETF Protocols”, BCP 70, RFC 3470, January 2003.
[W3C.REC-xslt-19991116] Clark, J., “XSL Transformations (XSLT) Version 1.0”, World Wide Web Consortium Recommendation REC-xslt-19991116, November 1999, <http://www.w3.org/TR/1999/REC-xslt-19991116>.
For each error-tag, the valid error-type and error-severity values are listed, together with any mandatory error-info, if any.
对于每个错误标记,将列出有效的错误类型和错误严重性值,以及任何必需的错误信息(如果有)。
error-tag: in-use error-type: protocol, application error-severity: error error-info: none Description: The request requires a resource that already is in use.
错误标记:正在使用错误类型:协议,应用程序错误严重性:错误信息:无描述:请求需要已在使用的资源。
error-tag: invalid-value error-type: protocol, application error-severity: error error-info: none Description: The request specifies an unacceptable value for one or more parameters.
error-tag: too-big error-type: transport, rpc, protocol, application error-severity: error error-info: none Description: The request or response (that would be generated) is too large for the implementation to handle.
error-tag: missing-attribute error-type: rpc, protocol, application error-severity: error error-info: <bad-attribute> : name of the missing attribute <bad-element> : name of the element that is supposed to contain the missing attribute Description: An expected attribute is missing.
error-tag: bad-attribute error-type: rpc, protocol, application error-severity: error error-info: <bad-attribute> : name of the attribute w/ bad value <bad-element> : name of the element that contains the attribute with the bad value Description: An attribute value is not correct; e.g., wrong type, out of range, pattern mismatch.
error-tag: unknown-attribute error-type: rpc, protocol, application error-severity: error error-info: <bad-attribute> : name of the unexpected attribute <bad-element> : name of the element that contains the unexpected attribute Description: An unexpected attribute is present.
error-tag: missing-element error-type: protocol, application error-severity: error error-info: <bad-element> : name of the missing element Description: An expected element is missing.
error-tag: bad-element error-type: protocol, application error-severity: error error-info: <bad-element> : name of the element w/ bad value Description: An element value is not correct; e.g., wrong type, out of range, pattern mismatch.
error-tag: unknown-element error-type: protocol, application error-severity: error error-info: <bad-element> : name of the unexpected element Description: An unexpected element is present.
error-tag: unknown-namespace error-type: protocol, application error-severity: error error-info: <bad-element> : name of the element that contains the unexpected namespace <bad-namespace> : name of the unexpected namespace Description: An unexpected namespace is present.
error-tag: access-denied error-type: protocol, application error-severity: error error-info: none Description: Access to the requested protocol operation or data model is denied because authorization failed.
error-tag: lock-denied error-type: protocol error-severity: error error-info: <session-id> : session ID of session holding the requested lock, or zero to indicate a non-NETCONF entity holds the lock Description: Access to the requested lock is denied because the lock is currently held by another entity.
error-tag: resource-denied error-type: transport, rpc, protocol, application error-severity: error error-info: none Description: Request could not be completed because of insufficient resources.
error-tag: rollback-failed error-type: protocol, application error-severity: error error-info: none Description: Request to roll back some configuration change (via rollback-on-error or <discard-changes> operations) was not completed for some reason.
error-tag: data-exists error-type: application error-severity: error error-info: none Description: Request could not be completed because the relevant data model content already exists. For example, a “create” operation was attempted on data that already exists.
error-tag: data-missing error-type: application error-severity: error error-info: none Description: Request could not be completed because the relevant data model content does not exist. For example, a “delete” operation was attempted on data that does not exist.
error-tag: operation-not-supported error-type: protocol, application error-severity: error error-info: none Description: Request could not be completed because the requested operation is not supported by this implementation.
error-tag: operation-failed error-type: rpc, protocol, application error-severity: error error-info: none Description: Request could not be completed because the requested operation failed for some reason not covered by any other error condition.
error-tag: partial-operation error-type: application error-severity: error error-info: <ok-element> : identifies an element in the data model for which the requested operation has been completed for that node and all its child nodes. This element can appear zero or more times in the <error-info> container.
<err-element> : identifies an element in the data model for which the requested operation has failed for that node and all its child nodes. This element can appear zero or more times in the <error-info> container.
<noop-element> : identifies an element in the data model for which the requested operation was not attempted for that node and all its child nodes. This element can appear zero or more times in the <error-info> container.
Description: This error-tag is obsolete, and SHOULD NOT be sent by servers conforming to this document.
说明:此错误标签已过时,不应由符合本文件要求的服务器发送。
Some part of the requested operation failed or was not attempted for some reason. Full cleanup has not been performed (e.g., rollback not supported) by the server. The error-info container is used to identify which portions of the application data model content for which the requested operation has succeeded (<ok-element>), failed (<bad-element>), or not been attempted (<noop-element>).
error-tag: malformed-message error-type: rpc error-severity: error error-info: none Description: A message could not be handled because it failed to be parsed correctly. For example, the message is not well-formed XML or it uses an invalid character set.
<xs:annotation>
<xs:documentation>
This schema defines the syntax for the NETCONF Messages layer
messages 'hello', 'rpc', and 'rpc-reply'.
</xs:documentation>
</xs:annotation>
<xs:annotation>
<xs:documentation>
This schema defines the syntax for the NETCONF Messages layer
messages 'hello', 'rpc', and 'rpc-reply'.
</xs:documentation>
</xs:annotation>
<!--
import standard XML definitions
-->
<xs:import namespace="http://www.w3.org/XML/1998/namespace"
schemaLocation="http://www.w3.org/2001/xml.xsd">
<xs:annotation>
<xs:documentation>
This import accesses the xml: attribute groups for the
xml:lang as declared on the error-message element.
</xs:documentation>
</xs:annotation>
</xs:import>
<!--
message-id attribute
-->
<!--
import standard XML definitions
-->
<xs:import namespace="http://www.w3.org/XML/1998/namespace"
schemaLocation="http://www.w3.org/2001/xml.xsd">
<xs:annotation>
<xs:documentation>
This import accesses the xml: attribute groups for the
xml:lang as declared on the error-message element.
</xs:documentation>
</xs:annotation>
</xs:import>
<!--
message-id attribute
-->
<xs:simpleType name="messageIdType">
<xs:restriction base="xs:string">
<xs:maxLength value="4095"/>
</xs:restriction>
</xs:simpleType>
<!--
Types used for session-id
-->
<xs:simpleType name="SessionId">
<xs:restriction base="xs:unsignedInt">
<xs:minInclusive value="1"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="SessionIdOrZero">
<xs:restriction base="xs:unsignedInt"/>
</xs:simpleType>
<!--
<rpc> element
-->
<xs:complexType name="rpcType">
<xs:sequence>
<xs:element ref="rpcOperation"/>
</xs:sequence>
<xs:attribute name="message-id" type="messageIdType"
use="required"/>
<!--
Arbitrary attributes can be supplied with <rpc> element.
-->
<xs:anyAttribute processContents="lax"/>
</xs:complexType>
<xs:element name="rpc" type="rpcType"/>
<!--
data types and elements used to construct rpc-errors
-->
<xs:simpleType name="ErrorType">
<xs:restriction base="xs:string">
<xs:enumeration value="transport"/>
<xs:enumeration value="rpc"/>
<xs:enumeration value="protocol"/>
<xs:enumeration value="application"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="ErrorTag">
<xs:restriction base="xs:string">
<xs:enumeration value="in-use"/>
<xs:enumeration value="invalid-value"/>
<xs:enumeration value="too-big"/>
<xs:enumeration value="missing-attribute"/>
<xs:simpleType name="messageIdType">
<xs:restriction base="xs:string">
<xs:maxLength value="4095"/>
</xs:restriction>
</xs:simpleType>
<!--
Types used for session-id
-->
<xs:simpleType name="SessionId">
<xs:restriction base="xs:unsignedInt">
<xs:minInclusive value="1"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="SessionIdOrZero">
<xs:restriction base="xs:unsignedInt"/>
</xs:simpleType>
<!--
<rpc> element
-->
<xs:complexType name="rpcType">
<xs:sequence>
<xs:element ref="rpcOperation"/>
</xs:sequence>
<xs:attribute name="message-id" type="messageIdType"
use="required"/>
<!--
Arbitrary attributes can be supplied with <rpc> element.
-->
<xs:anyAttribute processContents="lax"/>
</xs:complexType>
<xs:element name="rpc" type="rpcType"/>
<!--
data types and elements used to construct rpc-errors
-->
<xs:simpleType name="ErrorType">
<xs:restriction base="xs:string">
<xs:enumeration value="transport"/>
<xs:enumeration value="rpc"/>
<xs:enumeration value="protocol"/>
<xs:enumeration value="application"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="ErrorTag">
<xs:restriction base="xs:string">
<xs:enumeration value="in-use"/>
<xs:enumeration value="invalid-value"/>
<xs:enumeration value="too-big"/>
<xs:enumeration value="missing-attribute"/>
</xs:sequence>
</xs:choice>
<xs:attribute name="message-id" type="messageIdType"
use="optional"/>
<!--
Any attributes supplied with <rpc> element must be returned
on <rpc-reply>.
-->
<xs:anyAttribute processContents="lax"/>
</xs:complexType>
<xs:element name="rpc-reply" type="rpcReplyType"/>
<!--
<rpc-error> element
-->
<xs:element name="rpc-error" type="rpcErrorType"/>
<!--
rpcOperationType: used as a base type for all
NETCONF operations
-->
<xs:complexType name="rpcOperationType"/>
<xs:element name="rpcOperation" type="rpcOperationType"
abstract="true"/>
<!--
rpcResponseType: used as a base type for all
NETCONF responses
-->
<xs:complexType name="rpcResponseType"/>
<xs:element name="rpcResponse" type="rpcResponseType"
abstract="true"/>
<!--
<hello> element
-->
<xs:element name="hello">
<xs:complexType>
<xs:sequence>
<xs:element name="capabilities">
<xs:complexType>
<xs:sequence>
<xs:element name="capability" type="xs:anyURI"
maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="session-id" type="SessionId"
minOccurs="0"/>
</xs:sequence>
</xs:choice>
<xs:attribute name="message-id" type="messageIdType"
use="optional"/>
<!--
Any attributes supplied with <rpc> element must be returned
on <rpc-reply>.
-->
<xs:anyAttribute processContents="lax"/>
</xs:complexType>
<xs:element name="rpc-reply" type="rpcReplyType"/>
<!--
<rpc-error> element
-->
<xs:element name="rpc-error" type="rpcErrorType"/>
<!--
rpcOperationType: used as a base type for all
NETCONF operations
-->
<xs:complexType name="rpcOperationType"/>
<xs:element name="rpcOperation" type="rpcOperationType"
abstract="true"/>
<!--
rpcResponseType: used as a base type for all
NETCONF responses
-->
<xs:complexType name="rpcResponseType"/>
<xs:element name="rpcResponse" type="rpcResponseType"
abstract="true"/>
<!--
<hello> element
-->
<xs:element name="hello">
<xs:complexType>
<xs:sequence>
<xs:element name="capabilities">
<xs:complexType>
<xs:sequence>
<xs:element name="capability" type="xs:anyURI"
maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="session-id" type="SessionId"
minOccurs="0"/>
<代码结束>
**Appendix C. YANG Module for NETCONF Protocol Operations**
**附录C.NETCONF协议操作模块**
This section is normative.
本节是规范性的。
The ietf-netconf YANG module imports typedefs from \[RFC6021].
ietf网络配置模块从\[RFC6021]导入TypeDef。
```
file "ietf-netconf@2011-06-01.yang"
```
```
file "ietf-netconf@2011-06-01.yang"
```
module ietf-netconf {
ietf网络配置模块{
```
// the namespace for NETCONF XML definitions is unchanged
// from RFC 4741, which this document replaces
namespace "urn:ietf:params:xml:ns:netconf:base:1.0";
```
```
// the namespace for NETCONF XML definitions is unchanged
// from RFC 4741, which this document replaces
namespace "urn:ietf:params:xml:ns:netconf:base:1.0";
```
prefix nc;
前缀nc;
```
import ietf-inet-types {
prefix inet;
}
```
```
import ietf-inet-types {
prefix inet;
}
```
organization "IETF NETCONF (Network Configuration) Working Group";
组织“IETF网络配置工作组”;
```
contact
"WG Web: <http://tools.ietf.org/wg/netconf/>
WG List: <netconf@ietf.org>
```
```
contact
"WG Web: <http://tools.ietf.org/wg/netconf/>
WG List: <netconf@ietf.org>
```
```
WG Chair: Bert Wijnen
<bertietf@bwijnen.net>
```
```
WG Chair: Bert Wijnen
<bertietf@bwijnen.net>
```
```
WG Chair: Mehmet Ersue
<mehmet.ersue@nsn.com>
```
```
WG Chair: Mehmet Ersue
<mehmet.ersue@nsn.com>
```
```
Editor: Martin Bjorklund
<mbj@tail-f.com>
```
```
Editor: Martin Bjorklund
<mbj@tail-f.com>
```
```
Editor: Juergen Schoenwaelder
<j.schoenwaelder@jacobs-university.de>
```
```
Editor: Juergen Schoenwaelder
<j.schoenwaelder@jacobs-university.de>
```
```
Editor: Andy Bierman
<andy.bierman@brocade.com>";
```
```
Editor: Andy Bierman
<andy.bierman@brocade.com>";
```
description "NETCONF Protocol Data Types and Protocol Operations.
说明“NETCONF协议数据类型和协议操作。
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2011 IETF信托基金和确定为文件作者的人员。版权所有。
Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info).
根据IETF信托有关IETF文件的法律规定第4.c节规定的简化BSD许可证中包含的许可条款,允许以源代码和二进制格式重新分发和使用,无论是否修改(http://trustee.ietf.org/license-info).
```
This version of this YANG module is part of RFC 6241; see
the RFC itself for full legal notices.";
revision 2011-06-01 {
description
"Initial revision";
reference
"RFC 6241: Network Configuration Protocol";
}
```
```
This version of this YANG module is part of RFC 6241; see
the RFC itself for full legal notices.";
revision 2011-06-01 {
description
"Initial revision";
reference
"RFC 6241: Network Configuration Protocol";
}
```
extension get-filter-element-attributes { description "If this extension is present within an 'anyxml' statement named 'filter', which must be conceptually defined within the RPC input section for the \ and \ protocol operations, then the following unqualified XML attribute is supported within the \ element, within a \ or \ protocol operation:
扩展获取筛选器元素属性{说明“如果此扩展名存在于名为'filter'的'anyxml'语句中,必须在RPC输入节中为\和\协议操作从概念上定义该语句,则\元素中的\或\协议操作中支持以下非限定XML属性:
type : optional attribute with allowed value strings 'subtree' and 'xpath'. If missing, the default value is 'subtree'.
类型:可选属性,具有允许的值字符串“subtree”和“xpath”。如果缺少,默认值为“子树”。
If the 'xpath' feature is supported, then the following unqualified XML attribute is also supported:
如果支持“xpath”功能,则还支持以下非限定XML属性:
```
select: optional attribute containing a
string representing an XPath expression.
The 'type' attribute must be equal to 'xpath'
if this attribute is present.";
}
```
```
select: optional attribute containing a
string representing an XPath expression.
The 'type' attribute must be equal to 'xpath'
if this attribute is present.";
}
```
// NETCONF capabilities defined as features feature writable-running {
//NETCONF功能定义为功能可写运行{
```
description
"NETCONF :writable-running capability;
If the server advertises the :writable-running
capability for a session, then this feature must
also be enabled for that session. Otherwise,
this feature must not be enabled.";
reference "RFC 6241, Section 8.2";
}
```
```
description
"NETCONF :writable-running capability;
If the server advertises the :writable-running
capability for a session, then this feature must
also be enabled for that session. Otherwise,
this feature must not be enabled.";
reference "RFC 6241, Section 8.2";
}
```
```
feature candidate {
description
"NETCONF :candidate capability;
If the server advertises the :candidate
capability for a session, then this feature must
also be enabled for that session. Otherwise,
this feature must not be enabled.";
reference "RFC 6241, Section 8.3";
}
```
```
feature candidate {
description
"NETCONF :candidate capability;
If the server advertises the :candidate
capability for a session, then this feature must
also be enabled for that session. Otherwise,
this feature must not be enabled.";
reference "RFC 6241, Section 8.3";
}
```
```
feature confirmed-commit {
if-feature candidate;
description
"NETCONF :confirmed-commit:1.1 capability;
If the server advertises the :confirmed-commit:1.1
capability for a session, then this feature must
also be enabled for that session. Otherwise,
this feature must not be enabled.";
```
```
feature confirmed-commit {
if-feature candidate;
description
"NETCONF :confirmed-commit:1.1 capability;
If the server advertises the :confirmed-commit:1.1
capability for a session, then this feature must
also be enabled for that session. Otherwise,
this feature must not be enabled.";
```
```
reference "RFC 6241, Section 8.4";
}
```
```
reference "RFC 6241, Section 8.4";
}
```
```
feature rollback-on-error {
description
"NETCONF :rollback-on-error capability;
If the server advertises the :rollback-on-error
capability for a session, then this feature must
also be enabled for that session. Otherwise,
this feature must not be enabled.";
reference "RFC 6241, Section 8.5";
}
```
```
feature rollback-on-error {
description
"NETCONF :rollback-on-error capability;
If the server advertises the :rollback-on-error
capability for a session, then this feature must
also be enabled for that session. Otherwise,
this feature must not be enabled.";
reference "RFC 6241, Section 8.5";
}
```
```
feature validate {
description
"NETCONF :validate:1.1 capability;
If the server advertises the :validate:1.1
capability for a session, then this feature must
also be enabled for that session. Otherwise,
this feature must not be enabled.";
```
```
feature validate {
description
"NETCONF :validate:1.1 capability;
If the server advertises the :validate:1.1
capability for a session, then this feature must
also be enabled for that session. Otherwise,
this feature must not be enabled.";
```
```
reference "RFC 6241, Section 8.6";
}
```
```
reference "RFC 6241, Section 8.6";
}
```
```
feature startup {
description
"NETCONF :startup capability;
If the server advertises the :startup
capability for a session, then this feature must
also be enabled for that session. Otherwise,
this feature must not be enabled.";
reference "RFC 6241, Section 8.7";
}
```
```
feature startup {
description
"NETCONF :startup capability;
If the server advertises the :startup
capability for a session, then this feature must
also be enabled for that session. Otherwise,
this feature must not be enabled.";
reference "RFC 6241, Section 8.7";
}
```
```
feature url {
description
"NETCONF :url capability;
If the server advertises the :url
capability for a session, then this feature must
also be enabled for that session. Otherwise,
this feature must not be enabled.";
reference "RFC 6241, Section 8.8";
}
```
```
feature url {
description
"NETCONF :url capability;
If the server advertises the :url
capability for a session, then this feature must
also be enabled for that session. Otherwise,
this feature must not be enabled.";
reference "RFC 6241, Section 8.8";
}
```
```
feature xpath {
description
"NETCONF :xpath capability;
If the server advertises the :xpath
capability for a session, then this feature must
also be enabled for that session. Otherwise,
this feature must not be enabled.";
reference "RFC 6241, Section 8.9";
}
```
```
feature xpath {
description
"NETCONF :xpath capability;
If the server advertises the :xpath
capability for a session, then this feature must
also be enabled for that session. Otherwise,
this feature must not be enabled.";
reference "RFC 6241, Section 8.9";
}
```
// NETCONF Simple Types
//NETCONF简单类型
```
typedef session-id-type {
type uint32 {
range "1..max";
}
description
"NETCONF Session Id";
}
```
```
typedef session-id-type {
type uint32 {
range "1..max";
}
description
"NETCONF Session Id";
}
```
```
typedef session-id-or-zero-type {
type uint32;
description
"NETCONF Session Id or Zero to indicate none";
}
```
```
typedef session-id-or-zero-type {
type uint32;
description
"NETCONF Session Id or Zero to indicate none";
}
```
```
typedef error-tag-type {
type enumeration {
enum in-use {
description
"The request requires a resource that
already is in use.";
}
enum invalid-value {
description
"The request specifies an unacceptable value for one
or more parameters.";
}
enum too-big {
description
"The request or response (that would be generated) is
too large for the implementation to handle.";
}
enum missing-attribute {
description
"An expected attribute is missing.";
}
enum bad-attribute {
description
"An attribute value is not correct; e.g., wrong type,
out of range, pattern mismatch.";
}
enum unknown-attribute {
description
"An unexpected attribute is present.";
}
enum missing-element {
description
"An expected element is missing.";
}
enum bad-element {
description
"An element value is not correct; e.g., wrong type,
out of range, pattern mismatch.";
}
enum unknown-element {
description
"An unexpected element is present.";
}
enum unknown-namespace {
description
"An unexpected namespace is present.";
}
enum access-denied {
```
```
typedef error-tag-type {
type enumeration {
enum in-use {
description
"The request requires a resource that
already is in use.";
}
enum invalid-value {
description
"The request specifies an unacceptable value for one
or more parameters.";
}
enum too-big {
description
"The request or response (that would be generated) is
too large for the implementation to handle.";
}
enum missing-attribute {
description
"An expected attribute is missing.";
}
enum bad-attribute {
description
"An attribute value is not correct; e.g., wrong type,
out of range, pattern mismatch.";
}
enum unknown-attribute {
description
"An unexpected attribute is present.";
}
enum missing-element {
description
"An expected element is missing.";
}
enum bad-element {
description
"An element value is not correct; e.g., wrong type,
out of range, pattern mismatch.";
}
enum unknown-element {
description
"An unexpected element is present.";
}
enum unknown-namespace {
description
"An unexpected namespace is present.";
}
enum access-denied {
```
```
description
"Access to the requested protocol operation or
data model is denied because authorization failed.";
}
enum lock-denied {
description
"Access to the requested lock is denied because the
lock is currently held by another entity.";
}
enum resource-denied {
description
"Request could not be completed because of
insufficient resources.";
}
enum rollback-failed {
description
"Request to roll back some configuration change (via
rollback-on-error or operations)
was not completed for some reason.";
```
```
description
"Access to the requested protocol operation or
data model is denied because authorization failed.";
}
enum lock-denied {
description
"Access to the requested lock is denied because the
lock is currently held by another entity.";
}
enum resource-denied {
description
"Request could not be completed because of
insufficient resources.";
}
enum rollback-failed {
description
"Request to roll back some configuration change (via
rollback-on-error or operations)
was not completed for some reason.";
```
```
}
enum data-exists {
description
"Request could not be completed because the relevant
data model content already exists. For example,
a 'create' operation was attempted on data that
already exists.";
}
enum data-missing {
description
"Request could not be completed because the relevant
data model content does not exist. For example,
a 'delete' operation was attempted on
data that does not exist.";
}
enum operation-not-supported {
description
"Request could not be completed because the requested
operation is not supported by this implementation.";
}
enum operation-failed {
description
"Request could not be completed because the requested
operation failed for some reason not covered by
any other error condition.";
}
enum partial-operation {
description
```
```
}
enum data-exists {
description
"Request could not be completed because the relevant
data model content already exists. For example,
a 'create' operation was attempted on data that
already exists.";
}
enum data-missing {
description
"Request could not be completed because the relevant
data model content does not exist. For example,
a 'delete' operation was attempted on
data that does not exist.";
}
enum operation-not-supported {
description
"Request could not be completed because the requested
operation is not supported by this implementation.";
}
enum operation-failed {
description
"Request could not be completed because the requested
operation failed for some reason not covered by
any other error condition.";
}
enum partial-operation {
description
```
```
"This error-tag is obsolete, and SHOULD NOT be sent
by servers conforming to this document.";
}
enum malformed-message {
description
"A message could not be handled because it failed to
be parsed correctly. For example, the message is not
well-formed XML or it uses an invalid character set.";
}
}
description "NETCONF Error Tag";
reference "RFC 6241, Appendix A";
}
```
```
"This error-tag is obsolete, and SHOULD NOT be sent
by servers conforming to this document.";
}
enum malformed-message {
description
"A message could not be handled because it failed to
be parsed correctly. For example, the message is not
well-formed XML or it uses an invalid character set.";
}
}
description "NETCONF Error Tag";
reference "RFC 6241, Appendix A";
}
```
```
typedef error-severity-type {
type enumeration {
enum error {
description "Error severity";
}
enum warning {
description "Warning severity";
}
}
description "NETCONF Error Severity";
reference "RFC 6241, Section 4.3";
}
```
```
typedef error-severity-type {
type enumeration {
enum error {
description "Error severity";
}
enum warning {
description "Warning severity";
}
}
description "NETCONF Error Severity";
reference "RFC 6241, Section 4.3";
}
```
```
typedef edit-operation-type {
type enumeration {
enum merge {
description
"The configuration data identified by the
element containing this attribute is merged
with the configuration at the corresponding
level in the configuration datastore identified
by the target parameter.";
}
enum replace {
description
"The configuration data identified by the element
containing this attribute replaces any related
configuration in the configuration datastore
identified by the target parameter. If no such
configuration data exists in the configuration
datastore, it is created. Unlike a
operation, which replaces the
entire target configuration, only the configuration
actually present in the config parameter is affected.";
```
```
typedef edit-operation-type {
type enumeration {
enum merge {
description
"The configuration data identified by the
element containing this attribute is merged
with the configuration at the corresponding
level in the configuration datastore identified
by the target parameter.";
}
enum replace {
description
"The configuration data identified by the element
containing this attribute replaces any related
configuration in the configuration datastore
identified by the target parameter. If no such
configuration data exists in the configuration
datastore, it is created. Unlike a
operation, which replaces the
entire target configuration, only the configuration
actually present in the config parameter is affected.";
```
```
}
enum create {
description
"The configuration data identified by the element
containing this attribute is added to the
configuration if and only if the configuration
data does not already exist in the configuration
datastore. If the configuration data exists, an
element is returned with an
value of 'data-exists'.";
}
enum delete {
description
"The configuration data identified by the element
containing this attribute is deleted from the
configuration if and only if the configuration
data currently exists in the configuration
datastore. If the configuration data does not
exist, an element is returned with
an value of 'data-missing'.";
}
enum remove {
description
"The configuration data identified by the element
containing this attribute is deleted from the
configuration if the configuration
data currently exists in the configuration
datastore. If the configuration data does not
exist, the 'remove' operation is silently ignored
by the server.";
}
}
default "merge";
description "NETCONF 'operation' attribute values";
reference "RFC 6241, Section 7.2";
}
```
```
}
enum create {
description
"The configuration data identified by the element
containing this attribute is added to the
configuration if and only if the configuration
data does not already exist in the configuration
datastore. If the configuration data exists, an
element is returned with an
value of 'data-exists'.";
}
enum delete {
description
"The configuration data identified by the element
containing this attribute is deleted from the
configuration if and only if the configuration
data currently exists in the configuration
datastore. If the configuration data does not
exist, an element is returned with
an value of 'data-missing'.";
}
enum remove {
description
"The configuration data identified by the element
containing this attribute is deleted from the
configuration if the configuration
data currently exists in the configuration
datastore. If the configuration data does not
exist, the 'remove' operation is silently ignored
by the server.";
}
}
default "merge";
description "NETCONF 'operation' attribute values";
reference "RFC 6241, Section 7.2";
}
```
// NETCONF Standard Protocol Operations
//NETCONF标准协议操作
```
rpc get-config {
description
"Retrieve all or part of a specified configuration.";
```
```
rpc get-config {
description
"Retrieve all or part of a specified configuration.";
```
reference "RFC 6241, Section 7.1";
参考“RFC 6241,第7.1节”;
```
input {
container source {
description
```
```
input {
container source {
description
```
"Particular configuration to retrieve.";
“要检索的特定配置。”;
```
choice config-source {
mandatory true;
description
"The configuration to retrieve.";
leaf candidate {
if-feature candidate;
type empty;
description
"The candidate configuration is the config source.";
}
leaf running {
type empty;
description
"The running configuration is the config source.";
}
leaf startup {
if-feature startup;
type empty;
description
"The startup configuration is the config source.
This is optional-to-implement on the server because
not all servers will support filtering for this
datastore.";
}
}
}
```
```
choice config-source {
mandatory true;
description
"The configuration to retrieve.";
leaf candidate {
if-feature candidate;
type empty;
description
"The candidate configuration is the config source.";
}
leaf running {
type empty;
description
"The running configuration is the config source.";
}
leaf startup {
if-feature startup;
type empty;
description
"The startup configuration is the config source.
This is optional-to-implement on the server because
not all servers will support filtering for this
datastore.";
}
}
}
```
```
anyxml filter {
description
"Subtree or XPath filter to use.";
nc:get-filter-element-attributes;
}
}
```
```
anyxml filter {
description
"Subtree or XPath filter to use.";
nc:get-filter-element-attributes;
}
}
```
```
output {
anyxml data {
description
"Copy of the source datastore subset that matched
the filter criteria (if any). An empty data container
indicates that the request did not produce any results.";
}
}
}
```
```
output {
anyxml data {
description
"Copy of the source datastore subset that matched
the filter criteria (if any). An empty data container
indicates that the request did not produce any results.";
}
}
}
```
rpc edit-config { description
rpc编辑配置{说明
"The \ operation loads all or part of a specified configuration to the specified target configuration.";
“操作将指定配置的全部或部分加载到指定的目标配置。”;
reference "RFC 6241, Section 7.2";
参考“RFC 6241,第7.2节”;
```
input {
container target {
description
"Particular configuration to edit.";
```
```
input {
container target {
description
"Particular configuration to edit.";
```
```
choice config-target {
mandatory true;
description
"The configuration target.";
```
```
choice config-target {
mandatory true;
description
"The configuration target.";
```
```
leaf candidate {
if-feature candidate;
type empty;
description
"The candidate configuration is the config target.";
}
leaf running {
if-feature writable-running;
type empty;
description
"The running configuration is the config source.";
}
}
}
```
```
leaf candidate {
if-feature candidate;
type empty;
description
"The candidate configuration is the config target.";
}
leaf running {
if-feature writable-running;
type empty;
description
"The running configuration is the config source.";
}
}
}
```
```
leaf default-operation {
type enumeration {
enum merge {
description
"The default operation is merge.";
}
enum replace {
description
"The default operation is replace.";
}
enum none {
description
"There is no default operation.";
}
}
default "merge";
description
"The default operation to use.";
```
```
leaf default-operation {
type enumeration {
enum merge {
description
"The default operation is merge.";
}
enum replace {
description
"The default operation is replace.";
}
enum none {
description
"There is no default operation.";
}
}
default "merge";
description
"The default operation to use.";
```
}
}
```
leaf test-option {
if-feature validate;
type enumeration {
enum test-then-set {
description
"The server will test and then set if no errors.";
}
enum set {
description
"The server will set without a test first.";
}
```
```
leaf test-option {
if-feature validate;
type enumeration {
enum test-then-set {
description
"The server will test and then set if no errors.";
}
enum set {
description
"The server will set without a test first.";
}
```
```
enum test-only {
description
"The server will only test and not set, even
if there are no errors.";
}
}
default "test-then-set";
description
"The test option to use.";
}
```
```
enum test-only {
description
"The server will only test and not set, even
if there are no errors.";
}
}
default "test-then-set";
description
"The test option to use.";
}
```
```
leaf error-option {
type enumeration {
enum stop-on-error {
description
"The server will stop on errors.";
}
enum continue-on-error {
description
"The server may continue on errors.";
}
enum rollback-on-error {
description
"The server will roll back on errors.
This value can only be used if the 'rollback-on-error'
feature is supported.";
}
}
default "stop-on-error";
description
"The error option to use.";
}
```
```
leaf error-option {
type enumeration {
enum stop-on-error {
description
"The server will stop on errors.";
}
enum continue-on-error {
description
"The server may continue on errors.";
}
enum rollback-on-error {
description
"The server will roll back on errors.
This value can only be used if the 'rollback-on-error'
feature is supported.";
}
}
default "stop-on-error";
description
"The error option to use.";
}
```
choice edit-content {
选择编辑内容{
```
mandatory true;
description
"The content for the edit operation.";
```
```
mandatory true;
description
"The content for the edit operation.";
```
```
anyxml config {
description
"Inline Config content.";
}
leaf url {
if-feature url;
type inet:uri;
description
"URL-based config content.";
}
}
}
}
```
```
anyxml config {
description
"Inline Config content.";
}
leaf url {
if-feature url;
type inet:uri;
description
"URL-based config content.";
}
}
}
}
```
```
rpc copy-config {
description
"Create or replace an entire configuration datastore with the
contents of another complete configuration datastore.";
```
```
rpc copy-config {
description
"Create or replace an entire configuration datastore with the
contents of another complete configuration datastore.";
```
reference "RFC 6241, Section 7.3";
参考“RFC 6241,第7.3节”;
```
input {
container target {
description
"Particular configuration to copy to.";
```
```
input {
container target {
description
"Particular configuration to copy to.";
```
```
choice config-target {
mandatory true;
description
"The configuration target of the copy operation.";
```
```
choice config-target {
mandatory true;
description
"The configuration target of the copy operation.";
```
```
leaf candidate {
if-feature candidate;
type empty;
description
"The candidate configuration is the config target.";
}
leaf running {
if-feature writable-running;
type empty;
description
"The running configuration is the config target.
This is optional-to-implement on the server.";
}
```
```
leaf candidate {
if-feature candidate;
type empty;
description
"The candidate configuration is the config target.";
}
leaf running {
if-feature writable-running;
type empty;
description
"The running configuration is the config target.
This is optional-to-implement on the server.";
}
```
```
leaf startup {
if-feature startup;
type empty;
description
"The startup configuration is the config target.";
}
leaf url {
if-feature url;
type inet:uri;
description
"The URL-based configuration is the config target.";
}
}
}
```
```
leaf startup {
if-feature startup;
type empty;
description
"The startup configuration is the config target.";
}
leaf url {
if-feature url;
type inet:uri;
description
"The URL-based configuration is the config target.";
}
}
}
```
```
container source {
description
"Particular configuration to copy from.";
```
```
container source {
description
"Particular configuration to copy from.";
```
```
choice config-source {
mandatory true;
description
"The configuration source for the copy operation.";
```
```
choice config-source {
mandatory true;
description
"The configuration source for the copy operation.";
```
```
leaf candidate {
if-feature candidate;
type empty;
description
"The candidate configuration is the config source.";
}
leaf running {
type empty;
description
"The running configuration is the config source.";
}
leaf startup {
if-feature startup;
type empty;
description
"The startup configuration is the config source.";
}
leaf url {
if-feature url;
type inet:uri;
description
"The URL-based configuration is the config source.";
}
anyxml config {
```
```
leaf candidate {
if-feature candidate;
type empty;
description
"The candidate configuration is the config source.";
}
leaf running {
type empty;
description
"The running configuration is the config source.";
}
leaf startup {
if-feature startup;
type empty;
description
"The startup configuration is the config source.";
}
leaf url {
if-feature url;
type inet:uri;
description
"The URL-based configuration is the config source.";
}
anyxml config {
```
```
description
"Inline Config content: element. Represents
an entire configuration datastore, not
a subset of the running datastore.";
}
}
}
}
}
```
```
description
"Inline Config content: element. Represents
an entire configuration datastore, not
a subset of the running datastore.";
}
}
}
}
}
```
```
rpc delete-config {
description
"Delete a configuration datastore.";
```
```
rpc delete-config {
description
"Delete a configuration datastore.";
```
reference "RFC 6241, Section 7.4";
参考“RFC 6241,第7.4节”;
```
input {
container target {
description
"Particular configuration to delete.";
```
```
input {
container target {
description
"Particular configuration to delete.";
```
```
choice config-target {
mandatory true;
description
"The configuration target to delete.";
```
```
choice config-target {
mandatory true;
description
"The configuration target to delete.";
```
```
leaf startup {
if-feature startup;
type empty;
description
"The startup configuration is the config target.";
}
leaf url {
if-feature url;
type inet:uri;
description
"The URL-based configuration is the config target.";
}
}
}
}
}
```
```
leaf startup {
if-feature startup;
type empty;
description
"The startup configuration is the config target.";
}
leaf url {
if-feature url;
type inet:uri;
description
"The URL-based configuration is the config target.";
}
}
}
}
}
```
```
rpc lock {
description
"The lock operation allows the client to lock the configuration
system of a device.";
```
```
rpc lock {
description
"The lock operation allows the client to lock the configuration
system of a device.";
```
reference "RFC 6241, Section 7.5";
参考“RFC 6241,第7.5节”;
```
input {
container target {
description
"Particular configuration to lock.";
```
```
input {
container target {
description
"Particular configuration to lock.";
```
```
choice config-target {
mandatory true;
description
"The configuration target to lock.";
```
```
choice config-target {
mandatory true;
description
"The configuration target to lock.";
```
```
leaf candidate {
if-feature candidate;
type empty;
description
"The candidate configuration is the config target.";
}
leaf running {
type empty;
description
"The running configuration is the config target.";
}
leaf startup {
if-feature startup;
type empty;
description
"The startup configuration is the config target.";
}
}
}
}
}
```
```
leaf candidate {
if-feature candidate;
type empty;
description
"The candidate configuration is the config target.";
}
leaf running {
type empty;
description
"The running configuration is the config target.";
}
leaf startup {
if-feature startup;
type empty;
description
"The startup configuration is the config target.";
}
}
}
}
}
```
```
rpc unlock {
description
"The unlock operation is used to release a configuration lock,
previously obtained with the 'lock' operation.";
```
```
rpc unlock {
description
"The unlock operation is used to release a configuration lock,
previously obtained with the 'lock' operation.";
```
reference "RFC 6241, Section 7.6";
参考“RFC 6241,第7.6节”;
```
input {
container target {
description
"Particular configuration to unlock.";
```
```
input {
container target {
description
"Particular configuration to unlock.";
```
```
choice config-target {
mandatory true;
```
```
choice config-target {
mandatory true;
```
description "The configuration target to unlock.";
说明“要解锁的配置目标。”;
```
leaf candidate {
if-feature candidate;
type empty;
description
"The candidate configuration is the config target.";
}
leaf running {
type empty;
description
"The running configuration is the config target.";
}
leaf startup {
if-feature startup;
type empty;
description
"The startup configuration is the config target.";
}
}
}
}
}
```
```
leaf candidate {
if-feature candidate;
type empty;
description
"The candidate configuration is the config target.";
}
leaf running {
type empty;
description
"The running configuration is the config target.";
}
leaf startup {
if-feature startup;
type empty;
description
"The startup configuration is the config target.";
}
}
}
}
}
```
```
rpc get {
description
"Retrieve running configuration and device state information.";
```
```
rpc get {
description
"Retrieve running configuration and device state information.";
```
reference "RFC 6241, Section 7.7";
参考“RFC 6241,第7.7节”;
```
input {
anyxml filter {
description
"This parameter specifies the portion of the system
configuration and state data to retrieve.";
nc:get-filter-element-attributes;
}
}
```
```
input {
anyxml filter {
description
"This parameter specifies the portion of the system
configuration and state data to retrieve.";
nc:get-filter-element-attributes;
}
}
```
```
output {
anyxml data {
description
"Copy of the running datastore subset and/or state
data that matched the filter criteria (if any).
An empty data container indicates that the request did not
produce any results.";
}
```
```
output {
anyxml data {
description
"Copy of the running datastore subset and/or state
data that matched the filter criteria (if any).
An empty data container indicates that the request did not
produce any results.";
}
```
```
}
}
```
```
}
}
```
```
rpc close-session {
description
"Request graceful termination of a NETCONF session.";
```
```
rpc close-session {
description
"Request graceful termination of a NETCONF session.";
```
```
reference "RFC 6241, Section 7.8";
}
```
```
reference "RFC 6241, Section 7.8";
}
```
```
rpc kill-session {
description
"Force the termination of a NETCONF session.";
```
```
rpc kill-session {
description
"Force the termination of a NETCONF session.";
```
reference "RFC 6241, Section 7.9";
参考“RFC 6241,第7.9节”;
```
input {
leaf session-id {
type session-id-type;
mandatory true;
description
"Particular session to kill.";
}
}
}
```
```
input {
leaf session-id {
type session-id-type;
mandatory true;
description
"Particular session to kill.";
}
}
}
```
```
rpc commit {
if-feature candidate;
```
```
rpc commit {
if-feature candidate;
```
description "Commit the candidate configuration as the device's new current configuration.";
描述“将候选配置作为设备的新当前配置提交。”;
reference "RFC 6241, Section 8.3.4.1";
参考“RFC 6241,第8.3.4.1节”;
```
input {
leaf confirmed {
if-feature confirmed-commit;
type empty;
description
"Requests a confirmed commit.";
reference "RFC 6241, Section 8.3.4.1";
}
```
```
input {
leaf confirmed {
if-feature confirmed-commit;
type empty;
description
"Requests a confirmed commit.";
reference "RFC 6241, Section 8.3.4.1";
}
```
```
leaf confirm-timeout {
if-feature confirmed-commit;
type uint32 {
range "1..max";
```
```
leaf confirm-timeout {
if-feature confirmed-commit;
type uint32 {
range "1..max";
```
```
}
units "seconds";
default "600"; // 10 minutes
description
"The timeout interval for a confirmed commit.";
reference "RFC 6241, Section 8.3.4.1";
}
```
```
}
units "seconds";
default "600"; // 10 minutes
description
"The timeout interval for a confirmed commit.";
reference "RFC 6241, Section 8.3.4.1";
}
```
```
leaf persist {
if-feature confirmed-commit;
type string;
description
"This parameter is used to make a confirmed commit
persistent. A persistent confirmed commit is not aborted
if the NETCONF session terminates. The only way to abort
a persistent confirmed commit is to let the timer expire,
or to use the operation.
```
```
leaf persist {
if-feature confirmed-commit;
type string;
description
"This parameter is used to make a confirmed commit
persistent. A persistent confirmed commit is not aborted
if the NETCONF session terminates. The only way to abort
a persistent confirmed commit is to let the timer expire,
or to use the operation.
```
The value of this parameter is a token that must be given in the 'persist-id' parameter of \ or \ operations in order to confirm or cancel the persistent confirmed commit.
此参数的值是一个令牌,必须在\或\操作的“persist id”参数中给出,以便确认或取消持久确认的提交。
```
The token should be a random string.";
reference "RFC 6241, Section 8.3.4.1";
}
```
```
The token should be a random string.";
reference "RFC 6241, Section 8.3.4.1";
}
```
```
leaf persist-id {
if-feature confirmed-commit;
type string;
description
"This parameter is given in order to commit a persistent
confirmed commit. The value must be equal to the value
given in the 'persist' parameter to the operation.
If it does not match, the operation fails with an
'invalid-value' error.";
reference "RFC 6241, Section 8.3.4.1";
}
```
```
leaf persist-id {
if-feature confirmed-commit;
type string;
description
"This parameter is given in order to commit a persistent
confirmed commit. The value must be equal to the value
given in the 'persist' parameter to the operation.
If it does not match, the operation fails with an
'invalid-value' error.";
reference "RFC 6241, Section 8.3.4.1";
}
```
```
}
}
```
```
}
}
```
```
rpc discard-changes {
if-feature candidate;
```
```
rpc discard-changes {
if-feature candidate;
```
description "Revert the candidate configuration to the current running configuration.";
说明“将候选配置还原为当前正在运行的配置。”;
```
reference "RFC 6241, Section 8.3.4.2";
}
```
```
reference "RFC 6241, Section 8.3.4.2";
}
```
```
rpc cancel-commit {
if-feature confirmed-commit;
description
"This operation is used to cancel an ongoing confirmed commit.
If the confirmed commit is persistent, the parameter
'persist-id' must be given, and it must match the value of the
'persist' parameter.";
reference "RFC 6241, Section 8.4.4.1";
```
```
rpc cancel-commit {
if-feature confirmed-commit;
description
"This operation is used to cancel an ongoing confirmed commit.
If the confirmed commit is persistent, the parameter
'persist-id' must be given, and it must match the value of the
'persist' parameter.";
reference "RFC 6241, Section 8.4.4.1";
```
```
input {
leaf persist-id {
type string;
description
"This parameter is given in order to cancel a persistent
confirmed commit. The value must be equal to the value
given in the 'persist' parameter to the operation.
If it does not match, the operation fails with an
'invalid-value' error.";
}
}
}
```
```
input {
leaf persist-id {
type string;
description
"This parameter is given in order to cancel a persistent
confirmed commit. The value must be equal to the value
given in the 'persist' parameter to the operation.
If it does not match, the operation fails with an
'invalid-value' error.";
}
}
}
```
```
rpc validate {
if-feature validate;
```
```
rpc validate {
if-feature validate;
```
description "Validates the contents of the specified configuration.";
description“验证指定配置的内容。”;
reference "RFC 6241, Section 8.6.4.1";
参考“RFC 6241,第8.6.4.1节”;
```
input {
container source {
description
"Particular configuration to validate.";
```
```
input {
container source {
description
"Particular configuration to validate.";
```
```
choice config-source {
mandatory true;
description
"The configuration source to validate.";
```
```
choice config-source {
mandatory true;
description
"The configuration source to validate.";
```
```
leaf candidate {
if-feature candidate;
type empty;
description
"The candidate configuration is the config source.";
```
```
leaf candidate {
if-feature candidate;
type empty;
description
"The candidate configuration is the config source.";
```
```
}
leaf running {
type empty;
description
"The running configuration is the config source.";
}
leaf startup {
if-feature startup;
type empty;
description
"The startup configuration is the config source.";
}
leaf url {
if-feature url;
type inet:uri;
description
"The URL-based configuration is the config source.";
}
anyxml config {
description
"Inline Config content: element. Represents
an entire configuration datastore, not
a subset of the running datastore.";
}
}
}
}
}
```
```
}
leaf running {
type empty;
description
"The running configuration is the config source.";
}
leaf startup {
if-feature startup;
type empty;
description
"The startup configuration is the config source.";
}
leaf url {
if-feature url;
type inet:uri;
description
"The URL-based configuration is the config source.";
}
anyxml config {
description
"Inline Config content: element. Represents
an entire configuration datastore, not
a subset of the running datastore.";
}
}
}
}
}
```
}
}
\
<代码结束>
**Appendix D. Capability Template**
**附录D.能力模板**
This non-normative section defines a template that can be used to define protocol capabilities. Data models written in YANG usually do not need to define protocol capabilities since the usage of YANG automatically leads to a capability announcing the data model and any optional portions of the data model, so called features in YANG terminology. The capabilities template is intended to be used in cases where the YANG mechanisms are not powerful enough (e.g., for handling parameterized features) or a different data modeling language is used.
本非规范性章节定义了可用于定义协议功能的模板。用YANG编写的数据模型通常不需要定义协议功能,因为使用YANG会自动产生一种功能,宣布数据模型和数据模型的任何可选部分,在YANG术语中称为功能。功能模板旨在用于YANG机制功能不够强大(例如,用于处理参数化特征)或使用不同数据建模语言的情况。
**D.1. capability-name (template)**
**D.1. 功能名称(模板)**
**D.1.1. Overview**
**D.1.1. 概述**
**D.1.2. Dependencies**
**D.1.2. 依赖关系**
**D.1.3. Capability Identifier**
**D.1.3. 能力标识符**
The {name} capability is identified by the following capability string:
{name}功能由以下功能字符串标识:
{capability uri}
{capability uri}
**D.1.4. New Operations**
**D.1.4. 新业务**
**D.1.4.1. \**
**D.1.4.1. \**
**D.1.5. Modifications to Existing Operations**
**D.1.5. 对现有业务的修改**
**D.1.5.1. \**
**D.1.5.1. \**
If existing operations are not modified by this capability, this section may be omitted.
如果现有操作未通过此功能进行修改,则可省略本节。
**D.1.6. Interactions with Other Capabilities**
**D.1.6. 与其他功能的交互**
If this capability does not interact with other capabilities, this section may be omitted.
如果此功能不与其他功能交互,则可以省略此部分。
**Appendix E. Configuring Multiple Devices with NETCONF**
**附录E.使用NETCONF配置多个设备**
This section is non-normative.
本节是非规范性的。
**E.1. Operations on Individual Devices**
**E.1. 单个设备上的操作**
Consider the work involved in performing a configuration update against a single individual device. In making a change to the configuration, the application needs to build trust that its change has been made correctly and that it has not impacted the operation of the device. The application (and the application user) should feel confident that their change has not damaged the network.
考虑对单个设备执行配置更新所涉及的工作。在对配置进行更改时,应用程序需要建立信任,确保其更改已正确进行,并且未影响设备的操作。应用程序(和应用程序用户)应该确信他们的更改没有损坏网络。
Protecting each individual device consists of a number of steps:
保护每个单独的设备包括多个步骤:
o Acquiring the configuration lock.
o 获取配置锁。
o Checkpointing the running configuration.
o 检查正在运行的配置。
o Loading and validating the incoming configuration.
o 加载和验证传入配置。
o Changing the running configuration.
o 更改正在运行的配置。
o Testing the new configuration.
o 测试新配置。
o Making the change permanent (if desired).
o 使更改永久化(如果需要)。
o Releasing the configuration lock.
o 释放配置锁。
Let's look at the details of each step.
让我们看看每个步骤的细节。
**E.1.1. Acquiring the Configuration Lock**
**E.1.1. 获取配置锁**
A lock should be acquired to prevent simultaneous updates from multiple sources. If multiple sources are affecting the device, the application is hampered in both testing of its change to the configuration and in recovery if the update fails. Acquiring a short-lived lock is a simple defense to prevent other parties from introducing unrelated changes.
应获取锁以防止来自多个源的同时更新。如果多个源影响设备,则应用程序在测试其对配置的更改以及在更新失败时进行恢复时都会受到阻碍。获取短期锁是一种简单的防御措施,可以防止其他方引入不相关的更改。
The lock can be acquired using the \ operation.
可以使用\操作获取锁。
```
```
```
```
If the :candidate capability is supported, the candidate configuration should be locked.
如果支持:候选功能,则应锁定候选配置。
```
```
```
```
**E.1.2. Checkpointing the Running Configuration**
**E.1.2. 检查正在运行的配置**
The running configuration can be saved into a local file as a checkpoint before loading the new configuration. If the update fails, the configuration can be restored by reloading the checkpoint file.
在加载新配置之前,可以将正在运行的配置保存到本地文件中作为检查点。如果更新失败,可以通过重新加载检查点文件来恢复配置。
The checkpoint file can be created using the \ operation.
可以使用\操作创建检查点文件。
```
file://checkpoint.conf
</source>
```
```
file://checkpoint.conf
</source>
```
To restore the checkpoint file, reverse the \ and \ parameters.
要恢复检查点文件,请反转\和\参数。
**E.1.3. Loading and Validating the Incoming Configuration**
**E.1.3. 加载和验证传入配置**
If the :candidate capability is supported, the configuration can be loaded onto the device without impacting the running system.
如果支持:候选功能,则可以将配置加载到设备上,而不会影响正在运行的系统。
```
```
```
```
If the device supports the :validate:1.1 capability, it will by default validate the incoming configuration when it is loaded into the candidate. To avoid this validation, pass the \ parameter with the value "set". Full validation can be requested with the \ operation.
如果设备支持:validate:1.1功能,则在将其加载到候选设备时,默认情况下将验证传入配置。要避免此验证,请使用值“set”传递\参数。可以通过\操作请求完全验证。
```
</source>
```
```
</source>
```
**E.1.4. Changing the Running Configuration**
**E.1.4. 更改正在运行的配置**
When the incoming configuration has been safely loaded onto the device and validated, it is ready to impact the running system.
当传入配置已安全加载到设备上并经过验证后,它就可以影响正在运行的系统。
If the device supports the :candidate capability, use the \ operation to set the running configuration to the candidate configuration. Use the \ parameter to allow automatic reversion to the original configuration if connectivity to the device fails.
如果设备支持:候选功能,请使用\操作将正在运行的配置设置为候选配置。如果设备连接失败,使用\参数允许自动恢复到原始配置。
```
120
```
```
120
```
If the candidate is not supported by the device, the incoming configuration change is loaded directly into running.
如果设备不支持候选者,则传入的配置更改将直接加载到running中。
```
```
```
```
**E.1.5. Testing the New Configuration**
**E.1.5. 测试新配置**
Now that the incoming configuration has been integrated into the running configuration, the application needs to gain trust that the change has affected the device in the way intended without affecting it negatively.
既然传入的配置已集成到正在运行的配置中,应用程序需要获得信任,即更改已以预期方式影响设备,而不会对其产生负面影响。
To gain this confidence, the application can run tests of the operational state of the device. The nature of the test is dependent on the nature of the change and is outside the scope of this document. Such tests may include reachability from the system running the application (using ping), changes in reachability to the rest of the network (by comparing the device's routing table), or inspection of the particular change (looking for operational evidence of the BGP peer that was just added).
为了获得这种信心,应用程序可以运行设备运行状态的测试。测试的性质取决于变更的性质,不在本文件的范围内。此类测试可能包括运行应用程序的系统的可达性(使用ping)、对网络其余部分的可达性的更改(通过比较设备的路由表)或对特定更改的检查(寻找刚刚添加的BGP对等方的操作证据)。
**E.1.6. Making the Change Permanent**
**E.1.6. 使变化永久化**
When the configuration change is in place and the application has sufficient faith in the proper function of this change, the application is expected to make the change permanent.
当配置更改到位并且应用程序对该更改的正确功能有足够的信心时,应用程序将使更改永久化。
If the device supports the :startup capability, the current configuration can be saved to the startup configuration by using the startup configuration as the target of the \ operation.
如果设备支持:启动功能,则可以将启动配置用作\操作的目标,将当前配置保存到启动配置中。
```
</source>
```
```
</source>
```
If the device supports the :candidate capability and a confirmed commit was requested, the confirming commit must be sent before the timeout expires.
如果设备支持:候选功能并且请求了确认提交,则必须在超时过期之前发送确认提交。
```
```
```
```
**E.1.7. Releasing the Configuration Lock**
**E.1.7. 释放配置锁**
When the configuration update is complete, the lock must be released, allowing other applications access to the configuration.
配置更新完成后,必须释放锁,以允许其他应用程序访问配置。
Use the \ operation to release the configuration lock.
使用\操作释放配置锁。
```
```
```
```
If the :candidate capability is supported, the candidate configuration should be unlocked.
如果支持:候选功能,则应解锁候选配置。
```
```
```
```
**E.2. Operations on Multiple Devices**
**E.2. 在多个设备上的操作**
When a configuration change requires updates across a number of devices, care needs to be taken to provide the required transaction semantics. The NETCONF protocol contains sufficient primitives upon which transaction-oriented operations can be built. Providing complete transactional semantics across multiple devices is prohibitively expensive, but the size and number of windows for failure scenarios can be reduced.
当配置更改需要跨多个设备进行更新时,需要注意提供所需的事务语义。NETCONF协议包含足够的原语,在这些原语上可以构建面向事务的操作。跨多个设备提供完整的事务语义代价高昂,但可以减少故障场景的窗口大小和数量。
There are two classes of multi-device operations. The first class allows the operation to fail on individual devices without requiring all devices to revert to their original state. The operation can be retried at a later time, or its failure simply reported to the user. An example of this class might be adding an NTP server. For this class of operations, failure avoidance and recovery are focused on the individual device. This means recovery of the device, reporting the failure, and perhaps scheduling another attempt.
有两类多设备操作。第一类允许操作在单个设备上失败,而不要求所有设备恢复到其原始状态。该操作可以在以后重试,或者将其失败简单地报告给用户。此类的一个示例可能是添加NTP服务器。对于这类操作,故障避免和恢复的重点是单个设备。这意味着恢复设备,报告故障,并可能安排另一次尝试。
The second class is more interesting, requiring that the operation should complete on all devices or be fully reversed. The network should either be transformed into a new state or be reset to its original state. For example, a change to a VPN may require updates to a number of devices. Another example of this might be adding a class-of-service definition. Leaving the network in a state where only a portion of the devices have been updated with the new definition will lead to future failures when the definition is referenced.
第二类更有趣,要求操作应在所有设备上完成或完全反转。网络应转换为新状态或重置为其原始状态。例如,对VPN的更改可能需要对多个设备进行更新。另一个例子可能是添加一个服务定义类。如果将网络保持在仅使用新定义更新了部分设备的状态,则在引用该定义时,将导致将来的故障。
To give transactional semantics, the same steps used in single-device operations listed above are used, but are performed in parallel across all devices. Configuration locks should be acquired on all target devices and kept until all devices are updated and the changes made permanent. Configuration changes should be uploaded and validation performed across all devices. Checkpoints should be made on each device. Then the running configuration can be changed, tested, and made permanent. If any of these steps fail, the previous configurations can be restored on any devices upon which they were changed. After the changes have been completely implemented or completely discarded, the locks on each device can be released.
为了给出事务语义,可以使用上面列出的单个设备操作中使用的相同步骤,但在所有设备上并行执行。应在所有目标设备上获取配置锁,并保留配置锁,直到所有设备都更新并且更改永久化。应上传配置更改,并在所有设备上执行验证。应在每个设备上设置检查点。然后可以更改、测试运行配置并使其永久化。如果这些步骤中的任何一个失败,则可以在更改之前的配置的任何设备上恢复这些配置。在完全实现更改或完全放弃更改后,可以释放每个设备上的锁。