Provided by: netconfd_2.10-1build1_amd64

NAME

       netconfd - YANG-based NETCONF-over-SSH server

SYNOPSIS

          netconfd [parameter=value...]

          netconfd --help [brief | normal | full]

          netconfd --version

DESCRIPTION

       netconfd  is  a  YANG-based  NETCONF  server, which can be used with an SSH server such as OpenSSH.  This
       version of netconfd supports the YANG data modeling language defined in RFC 6020.

USAGE

       Parameters can be entered in any order, and have the form:

          [start] name [separator [value]]

       where:

           start == 0, 1, or 2 dashes (foo, -foo, --foo)

           name == parameter name

                Parameter name completion will be attempted
                if a partial name is entered.

           separator == whitespace or equals sign (foo=bar, foo bar)

           value == string value for the parameter.

                Strings with whitespace need to be double quoted
                (--foo="some string")

       Some examples of valid command line parameters:

          foo=3
          -foo=3
          --foo=3
          foo 3
          foo=fred
          --foo "fred flintstone"

       Partial parameter names can be entered if they are unique.

OPTIONS

       --access-control=enum
              Controls how the ietf-netconf-acm access control model will be enforced during server operation.
               Enum values:
                  enforcing:
                    All configured access control rules will be
                    enforced.
                  permissive:
                    All configured access control rules will be
                    enforced for write and execute requests.
                    All read requests will be allowed, unless
                    the requested object contains the
                    'nacm:very-secure' extension.  In that case,
                    all configured access control rules will
                    be enforced.
                  disabled:
                    All read, write, and execute requests will be
                    allowed, unless the object contains the
                    'nacm:secure' or 'nacm:very-secure' extension.
                    If the 'nacm:secure' extension is in effect,
                    then all configured access control rules
                    will be enforced for write and execute requests.
                    If the 'nacm:very-secure' extension is in effect,
                    then all configured access control rules
                    will be enforced for all requests.
                    Use this mode with caution.
                  off:
                    All access control enforcement is disabled.
                    Use this mode with extreme caution.

       --audit-log=filespec
              Filespec for the server audit log file to use in addition to the normal log file or STDOUT.

       --audit-log-append
              If present, the audit log will be appended to, not overwritten.  If not, the audit log will be
              overwritten.  Only meaningful if the 'audit-log' parameter is also present.

       --config=filespec
              The name of the configuration file to use.  Any parameter except this one can be set in the config
              file.  The default config file /etc/yuma/netconfd.conf will not be checked if  this  parameter  is
              present.

       --datapath=list
              Internal  file  search path for configuration data files.  Overrides the YUMA_DATAPATH environment
              variable.  This parameter affects the search for the startup configuration file (default: startup-
              cfg.xml).

       --default-style=enum
              Selects  the  type  of filtering behavior the server will advertise as the 'basic' behavior in the
              'with-defaults' capability.  The server will use this default  handling  behavior  if  the  'with-
              defaults' parameter is not explicitly set.

              Also,  when  saving  a configuration to NV-storage, this value will be used for filtering defaults
              from the saved configuration.
                Enum values:
                   report-all: report all values
                   trim: remove leafs containing the YANG
                      default value
                   explicit: report only the nodes that have
                      been created by the client or the server.
                      This is the default value.

       --delete-empty-npcontainers=boolean
              Selects whether the server will keep or delete empty non-presence containers in  the  running  and
              startup  configurations. Set to true to delete these containers, and false to keep them.  Default:
              false.  This parameter is deprecated!  It is ignored by the server!

       --deviation=string
              This parameter identifies a YANG module that should only be checked for deviation statements for
              external modules.  These will be collected and applied to the real module(s) being processed.

              Deviations are applied as patches to the target module.  Since they are not identified in the
              target module at all (à la imports), they have to be specified explicitly, so they will be
              correctly processed.  Zero or more instances of this parameter are allowed.

       --eventlog-size=number
              Specifies  the maximum number of notification events that will be saved in the notification replay
              buffer.  The oldest entries will be deleted first.  The default value is  1000.

       --feature-disable=module:feature
              Identifies a feature which should be considered disabled.  Zero or more entries are allowed.

       --feature-enable-default=boolean
              If true (the default), then features will be enabled by default.  If false, then features will  be
              disabled by default.

       --feature-enable=module:feature
              Identifies a feature which should be considered enabled.  Zero or more entries are allowed.

       --hello-timeout=number
              Specifies the number of seconds that a session may exist before the hello PDU is received.  A
              session will be dropped if no hello PDU is received before this number of seconds elapses.

              If this parameter is set to zero, then the server will wait forever for a hello message,  and  not
              drop any sessions stuck in 'hello-wait' state.

              Setting  this  parameter to zero may permit denial of service attacks, since only a limited number
              of concurrent sessions are supported by the server. (range 0 | 10 .. 3600).  The default value  is
              600 seconds (10 minutes).

       --help Print  this  help  text and exit.  The help-mode choice (--brief, --normal, or --full) may also be
              present to control the amount of help text printed.

       --home=dirspec
              Directory specification for the home directory to use instead of HOME.

       --idle-timeout=number
              Specifies the number of seconds that a session may remain idle without issuing any  RPC  requests.
              A session will be dropped if it is idle for an interval longer than this number of seconds.

              Sessions that have a notification subscription active are never dropped.

              If  this  parameter  is set to zero, then the server will never drop a session because it is idle.
              (range 0 | 10 .. 360000).  The default value is 3600 seconds (1 hour).

       --indent=number
              Number of spaces to indent (0..9) in formatted output.  The default is 2 spaces.

       --log=filespec
              Filespec for the log file to use instead of STDOUT.  If this string begins with a  '~'  character,
              then a username is expected to follow or a directory separator character.  If it begins with a '$'
              character, then an environment variable name is expected to follow.

       --log-append
              If present, the log will be appended to, not overwritten.  If not, the log will be overwritten.
              Only meaningful if the log parameter is also present.

       --log-level=enum
              Sets the debug logging level for the program.

       --max-burst=number
              Specifies  the  maximum  number  of notifications that should be sent to one session, within a one
              second time interval.  The value 0 indicates that the server should not limit notification  bursts
              at all.  The default value is 10.

       --modpath=list
              Directory search path for YANG and YIN files.  Overrides the YUMA_MODPATH environment variable.

       --module=string
              YANG  or YIN source module name to load at startup.  The server will attempt to load the specified
              module and its corresponding server instrumentation library (SIL).

              If this string represents a filespec, ending with the .yang or .yin extension, then only that file
              location will be checked.

              If  this  string  represents a module name, then the module search path will be checked for a file
              with the .yang or .yin extension.

              If this string begins with a '~' character, then a username is expected to follow or  a  directory
              separator  character.   If  it  begins  with a '$' character, then an environment variable name is
              expected to follow.

                    ~/some/path ==> <my-home-dir>/some/path

                    ~fred/some/path ==> <fred-home-dir>/some/path

                    $workdir/some/path ==> <workdir-env-var>/some/path

       --ncxserver-sockname=path
              Overrides the default /tmp/ncxserver.sock UNIX  socket  name  netconfd  listens  on  for  incoming
              connections.  You have to add a corresponding entry to /etc/ssh/sshd_config, e.g.:
              ...
              Port 1830
              Subsystem netconf
              ...

       --port=number
              Specifies  the  TCP  ports that the server will accept connections from.  These ports must also be
              configured in the /etc/ssh/sshd_config file for the SSH master server to accept the connection and
              invoke the netconf subsystem.

              Up to 4 port numbers can be configured.

              If any ports are configured, then only those values will be accepted by the server.

              If  no  ports  are  configured,  then  the  server will accept connections on the netconf-ssh port
              (tcp/830).

       --protocols=bits
              Specifies which NETCONF protocol versions the server will attempt to use. The  empty  set  is  not
              allowed.   The  values 'netconf1.0' and 'netconf1.1' are supported.  The default is to enable both
              NETCONF protocol versions.

       --runpath=pathlist
              Internal file  search  path  for  executable  modules.   Overrides  the  YUMA_RUNPATH  environment
              variable.

       --running-error=enum
              If  'stop',  then  errors  in  the  running  configuration  will  be  treated as fatal errors.  If
              'continue', the server will attempt to continue if any validation errors are found in the running
              configuration at startup.  The default is 'stop'.

       --startup=filespec
              The  full  or  relative  filespec  of  the  startup config file to use.  If present, overrides the
              default startup config file name 'startup-cfg.xml'.  This will also override the YUMA_DATAPATH
              environment  variable  and the datapath CLI parameter, if the first character is the forward slash
              '/', indicating an absolute file path.  If this parameter is present, then  the  --no-startup  and
              --factory-startup  parameters  cannot  be present.  This is the default, which will cause startup-
              cfg.xml to be used if not present.

       --no-startup
              If present, do not load the startup config file.  Use only factory default values  instead.   Does
              not  affect the startup.cfg file, if present.  If this parameter is present, then the --startup or
              --factory-startup parameter cannot be present.

       --factory-startup
              Force the system to use the factory configuration and delete the startup config file if it exists.
              Force  the  NV-storage startup to contain the factory default configuration.  If this parameter is
              present, then the --no-startup and --startup parameters cannot be present.

       --startup-error=enum
              If 'stop', then any errors in the startup configuration will  be  treated  as  fatal  errors.   If
              'continue',  the  server  will  attempt to continue if any errors are found in the database loaded
              from NV-storage to running at boot-time. The default is 'stop'.

       --subdirs=boolean
              If false, the file search paths for modules,  scripts,  and  data  files  will  not  include  sub-
              directories if they exist in the specified path.

              If  true,  then  these  file search paths will include sub-directories, if present.  Any directory
              name beginning with a dot (.) character, or named CVS, will be ignored.  This is the default mode.

       --superuser=string
              The user name to use as the superuser account.  Any session associated with this  user  name  will
              bypass  all  access control enforcement.  See ietf-netconf-acm.yang for more details.  There is no
              default value.

       --system-sorted=boolean
              Indicates whether ordered-by system leaf-lists and lists  will  be  kept  in  sorted  order.   The
              default is true.

       --target=enum
              Specifies the database to use as the target of edit-config operations.
                Enum values:
                  running:
                    Write to the running config and support the
                    :writable-running capability.
                  candidate:
                    Write to the candidate config and support the
                    :candidate and :confirmed-commit capabilities.

       --usexmlorder
              If present, then XML element order will be enforced.  Otherwise, XML element order errors will not
              be generated if possible. Default is no enforcement of strict XML order.

       --version
              Print the program version string and exit.

       --validate-config-only
              If present, netconfd acts as command line YANG  configuration  validator.  Load  the  YANG  schema
              modules,  validate  the  startup  configuration  and exit without opening socket and listening for
              incoming sessions.

       --warn-idlen=number
              Control whether identifier length warnings will be generated.  The value zero disables all
              identifier length checking.  If non-zero, then a warning will be generated if an identifier is
              defined which has a length greater than this amount.  range: 0 | 8 .. 1023.  The default value
              is 64.

       --warn-linelen=number
              Control  whether  line length warnings will be generated.  The value zero disables all line length
              checking.  If non-zero, then a warning will be generated if the line length is greater  than  this
              amount.  Tab characters are counted as 8 spaces.  range: 0 | 40 .. 4095.  The default value is 72.

       --warn-off=number
              Control  whether  the  specified warning number will be generated and counted in the warning total
              for the module being parsed.  range: 400 .. 899.  This parameter  may  be  entered  zero  or  more
              times.

       --with-startup=boolean
              If set to 'true', then the :startup capability will be enabled. Otherwise, the :startup capability
              will not be enabled.  This capability makes the NV-save operation an explicit operation instead of
              an automatic save.  The default value is false.

       --with-url=boolean
              If  set to 'false', then the :url capability will be disabled. Otherwise, the :url capability will
              be enabled.  This capability allows local files to be  stored  as  backups  on  the  server.   The
              default value is true.

       --with-validate=boolean
              If  set  to  'true',  then  the  :validate  capability  will  be enabled. Otherwise, the :validate
              capability will not be enabled.  This capability requires extensive memory resources.  The default
              value is true.

       --yuma-home=string
              Directory for the yuma project root to use.  If present, this directory location will override the
              YUMA_HOME environment variable, if it is present.  If a zero-length string is  entered,  then  the
              YUMA_HOME environment variable will be ignored.

INPUT FILES

       YANG  modules can be loaded at startup with the '--module' command, or loaded at run-time with the 'load'
       operation.

       When a module name is entered as input, or when a module or submodule name is specified in an  import  or
       include statement within the file, the following search algorithm is used to find the file:

         1) file is in the current directory
         2) YUMA_MODPATH environment var (or set by modpath parameter)
         3) $HOME/modules directory
         4) $YUMA_HOME/modules directory
         5) $YUMA_INSTALL/modules directory OR
            default install module location, '/usr/share/yuma/modules'

       By  default,  the  entire directory tree for all locations (except step 1) will be searched, not just the
       specified directory.  The subdirs parameter can be used to prevent sub-directories from being searched.

       Any directory name beginning with a dot character (.)  will be skipped.  Also, any  directory  named  CVS
       will be skipped in directory searches.
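
       The search order above means a file in the server's current directory shadows the installed copy
       of the same module.  The following added example (not part of netconfd or the Yuma project) models
       the documented order so every candidate can be listed.  Assumptions: function names are
       hypothetical, '.yang' is tried before '.yin', and revision-suffixed file names are not handled.

```python
import os
import sys

DEFAULT_INSTALL = "/usr/share/yuma/modules"   # default install location named in step 5

def search_roots(env, cwd, modpath=None):
    """Ordered (directory, recurse) pairs for steps 1-5 of the documented search."""
    roots = [(cwd, False)]                                   # 1) current directory only
    path = modpath if modpath is not None else env.get("YUMA_MODPATH", "")
    roots += [(d, True) for d in path.split(":") if d]       # 2) modpath overrides YUMA_MODPATH
    if env.get("HOME"):
        roots.append((os.path.join(env["HOME"], "modules"), True))        # 3)
    if env.get("YUMA_HOME"):
        roots.append((os.path.join(env["YUMA_HOME"], "modules"), True))   # 4)
    install = env.get("YUMA_INSTALL")
    roots.append((os.path.join(install, "modules") if install else DEFAULT_INSTALL, True))  # 5)
    return roots

def module_candidates(name, env, cwd, modpath=None, subdirs=True):
    """Every file that matches the module name, in search order; the first one wins."""
    hits = []
    for root, recurse in search_roots(env, cwd, modpath):
        for dirpath, dirnames, filenames in os.walk(root):   # missing roots yield nothing
            if recurse and subdirs:
                # directories starting with '.' or named CVS are skipped
                dirnames[:] = sorted(d for d in dirnames
                                     if not d.startswith(".") and d != "CVS")
            else:
                dirnames[:] = []                             # do not descend
            for ext in (".yang", ".yin"):                    # assumed extension order
                if name + ext in filenames:
                    hits.append(os.path.join(dirpath, name + ext))
    return hits

if __name__ == "__main__":
    # Usage: python3 modsearch.py <module-name>   (script name is a placeholder)
    found = module_candidates(sys.argv[1], os.environ, os.getcwd())
    for rank, path in enumerate(found, 1):
        note = "selected" if rank == 1 else "shadowed"
        print(f"{rank}. {path} ({note})")
```

       More than one line of output means an earlier location shadows a later one.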

ERROR LOGGING

       By default, warnings and errors are sent to STDOUT.

       A log file can be specified instead with the 'log' parameter.

       Existing log files can be reused with the 'log-append' parameter; otherwise log files are overwritten.

       The logging level can be controlled with the log-level parameter.

       The default log level is 'info'.  The log-levels are additive:

            off:    suppress all errors (not recommended!)
                    A program return code of '1' indicates some error.
            error:  print errors
            warn:   print warnings
            info:   print generally interesting trace info
            debug:  print general debugging trace info
            debug2: print verbose debugging trace info
            debug3: print very verbose debugging trace info
            debug4: print maximum debugging trace info

ENVIRONMENT

       The following optional environment variables can be used to control module search behavior:

       HOME   The user's home directory  (e.g., /home/andy)

       YUMA_HOME
              The root of the user's Yuma work directory (e.g., /home/andy/swdev/netconf)

       YUMA_INSTALL
              The root of the directory in which yangdump is installed on this system (default is /usr/share/yuma)

       YUMA_DATAPATH
              Colon-separated   list   of  directories  to  search  for  data  files.   (e.g.:  './workdir/data-
              files:/home/andy/data') The datapath parameter will override this environment  variable,  if  both
              are present.

       YUMA_MODPATH
              Colon-separated   list   of   directories   to   search   for   modules  and  submodules.   (e.g.:
              './workdir/modules:/home/andy/test-modules') The modpath parameter will override this  environment
              variable, if both are present.

CONFIGURATION FILES

       netconfd.conf
              YANG config file.  The default is: /etc/yuma/netconfd.conf

              An ASCII configuration file format is supported to store command line parameters.

              The  config parameter is used to specify a specific config file, otherwise the default config file
              will be checked.

                 - A hash mark until EOLN is treated as a comment
                 - All text is case-sensitive
                 - Whitespace within a line is not significant
                 - Whitespace to end a line is significant.
                   Unless the line starts a multi-line string,
                   an escaped EOLN (backslash EOLN) is needed
                   to enter a leaf on multiple lines.
                 - For parameters that define lists, the key components
                   are listed just after the parameter name, without
                   any name,  e.g.,

                          interface eth0 {
                            # name = eth0 is not listed inside the braces
                            ifMtu 1500
                            ifName mySystem
                          }

              A config file can contain any number of parameter sets for different programs.

              Each program must have its own section, identified by its name:

                   # this is a comment
                   yangdump {
                      log-level debug
                      output "~/swdev/testfiles"
                   }

                   netconfd {
                      ...
                   }
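
       The file format above can be checked mechanically for the settings this page cautions about
       (access-control, superuser, hello-timeout, idle-timeout, log-level).  This is an added example, not
       part of netconfd or the Yuma project.  Assumptions: function names and severity labels are
       hypothetical, braces are separated by whitespace as in the examples above, and multi-line quoted
       strings are not used.

```python
import shlex

# Constructed sample file, not taken from a real deployment.
SAMPLE = """\
yangdump {
   log-level off            # other program's section, must be ignored
}

netconfd {
   access-control permissive
   superuser admin          # constructed account name
   hello-timeout 0
   idle-timeout 3600
   log /var/log/netconfd.log
   port 830
}
"""

# Severity labels are this example's own ranking, not defined by netconfd.
ACM_RISK = {"off": "high", "disabled": "high", "permissive": "medium"}

def parse_section(text, program="netconfd"):
    """Return {leaf: value} for the top-level leaves of one program's section."""
    leaves, depth, inside = {}, 0, False
    text = text.replace("\\\n", " ")                 # join escaped-EOLN continuations
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)     # strips '# ...', honours "quoted strings"
        if not tokens:
            continue
        if tokens[-1] == "{":                        # section or list entry opens
            if depth == 0 and tokens[0] == program:
                inside = True
            depth += 1
        elif tokens == ["}"]:
            depth -= 1
            if depth == 0:
                inside = False
        elif inside and depth == 1:                  # skip leaves of nested list entries
            leaves[tokens[0]] = tokens[1] if len(tokens) > 1 else ""
    return leaves

def audit(leaves):
    """Return (severity, parameter, reason) tuples for settings the man page warns about."""
    findings = []
    mode = leaves.get("access-control")
    if mode in ACM_RISK:
        findings.append((ACM_RISK[mode], "access-control",
                         f"mode '{mode}' relaxes access control enforcement"))
    if "superuser" in leaves:
        findings.append(("high", "superuser",
                         f"sessions of user '{leaves['superuser']}' bypass all access control"))
    if leaves.get("hello-timeout") == "0":
        findings.append(("medium", "hello-timeout",
                         "0 never drops sessions stuck in hello-wait (denial of service)"))
    if leaves.get("idle-timeout") == "0":
        findings.append(("low", "idle-timeout", "0 never drops idle sessions"))
    if leaves.get("log-level") == "off":
        findings.append(("medium", "log-level", "'off' suppresses all errors"))
    return findings

if __name__ == "__main__":
    for severity, param, reason in audit(parse_section(SAMPLE)):
        print(f"[{severity}] {param}: {reason}")
```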

FILES

       The following data files must be present in the module search path in order for this program to function:

         * YANG module library
           default: /usr/share/yuma/modules/

DIAGNOSTICS

       Internal diagnostics may generate the following type of message if any bugs are detected at runtime:

           [E0]
                filename.c:linenum error-number (error-msg)

AUTHORS

       Andy Bierman, <andy at netconfcentral dot org>

       Vladimir Vassilev, <vladimir at transpacket dot com>

SEE ALSO

       netconf-subsystem(1) pyang(1) yangcli(1)