This module defines the Tail-f ConfD configuration parameters that can be modified in runtime.
Version: 2019-03-21
module confd_dyncfg { yang-version 1; namespace "http://tail-f.com/ns/confd_dyncfg/1.0"; prefix confd_dyncfg; import ietf-yang-types { prefix yang; } import ietf-inet-types { prefix inet; } import tailf-common { prefix tailf; } import tailf-xsd-types { prefix xs; } organization "Tail-f Systems"; description "This module defines the Tail-f ConfD configuration parameters that can be modified in runtime."; revision "2019-03-21" { description "Released as part of ConfD-7.1 Updated the list of cipher suites for /confdConfig/webui/transport/ssl/ciphers. Added /confdConfig/webui/transport/ssl/ellipticCurves. Removed sslv3, and excluded tlsv1 from the default, for /confdConfig/webui/transport/ssl/protocols. Added /confdConfig/aaa/maxPasswordLength. Added /confdConfig/parserLimits. Deprecated /confdConfig/netconf/capabilities: startup, candidate, and writable-running If they are present in confd.conf they will be ignored. The corresponding capabilities are advertised based on the setting under /confdConfig/datastores. Deprecated /confdConfig/netconf/capabilities: transactions, forward, query, inactive. They were all identified with special NETCONF capability strings. They are now defined in YANG files and advertised as such if the corresponding YANG fxs file is found in the load path ('inactive' also needs /confdConfig/enableInactive to be enabled) If they are enabled in confd.conf, the old special capability string is also advertised. Deprecated /confdConfig/netconf/capabilities/partial-lock. The corresponding capability string is advertised if its YANG fxs file is found in the load path. Obsoleted /confdConfig/netconf/capabilities: extensions and with-transaction-id They are advertised if the corresponding YANG fxs file is found in the load path. If they are found in confd.conf they are ignored. Added NCS-specific /confdConfig/javaVm/autoStart. Added NCS-specific /confdConfig/javaVm/autoRestart. Added NCS-specific /confdConfig/javaVm/runInTerminal/enabled. Added default for /confdConfig/javaVm/runInTerminal/terminalCommand. Added NCS-specific /confdConfig/pythonVm/autoStart. Added NCS-specific /confdConfig/pythonVm/autoRestart. Added NCS-specific /confdConfig/pythonVm/runInTerminal/enabled. Added default for /confdConfig/pythonVm/runInTerminal/terminalCommand. Added /confdConfig/restconf/requireModuleName. Added /confdConfig/logs/netconfLog/logReplyStatus."; } revision "2019-03-07" { description "Released as part of ConfD-4.7.3. Added NCS-specific /confdConfig/netconfCallHome. Added JSON-RPC traffic log, /confdConfig/logs/jsonrpcLog."; } revision "2018-09-13" { description "Released as part of ConfD-6.7.1 Added /confdConfig/cli/maxLineLength. Added /confdConfig/newlinesInBinaryBase64. Added /confdConfig/confdIpcDscp. Added /confdConfig/netconf/transport/sshCallHomeExecutable. Changed to use a grouping for common log configuration parameters."; } revision "2018-06-14" { description "Released as part of ConfD-6.7. Added /confdConfig/ha/extraIpPorts."; } revision "2018-06-01" { description "Released as part of ConfD-6.6.2. Added /confdConfig/ha/dscp. Added /confdConfig/confdIpcKeepalive."; } revision "2018-04-19" { description "Released as part of ConfD-6.6.1. Added /confdConfig/enableCompressedSchema."; } revision "2018-03-02" { description "Released as part of ConfD-6.6. Added /confdConfig/aaa/validationOrder. Added /confdConfig/aaa/externalValidation. Added /confdConfig/aaa/externalValidation/enabled. Added /confdConfig/aaa/externalValidation/executable. Added /confdConfig/aaa/externalValidation/useBase64. Added /confdConfig/aaa/externalValidation/includeExtra. Added /confdConfig/restconf/tokenResponse. Added /confdConfig/restconf/tokenResponse/xAuthToken. Added /confdConfig/restconf/tokenResponse/tokenCookie. Added /confdConfig/restconf/tokenResponse/tokenCookie/name. Added /confdConfig/restconf/tokenResponse/tokenCookie/directives. Added /confdConfig/logs/progressTrace/dir. Added /confdConfig/aaa/authorization/nacmCompliant. Added /confdConfig/restconf/customHeaders. Updated /confdConfig/smartLicense."; } revision "2017-09-16" { description "Released as part of ConfD-6.5. Added /confdConfig/cli/cliLeafListStyleType. Added NCS-specific /confdConfig/javaVm, /confdConfig/pythonVm, and /confdConfig/smartLicense. Updated description for /confdConfig/logs/errorLog."; } revision "2017-02-21" { description "Released as part of ConfD-6.4. Changed default for /confdConfig/webui/audit to 'false'."; } revision "2017-01-16" { description "Released as part of ConfD-6.3.1. Added /confdConfig/netconf/writeTimeout."; } revision "2016-11-03" { description "Released as part of ConfD-6.3. Added /confdConfig/ssh/algorithms/dhGroup/{minSize,maxSize}."; } revision "2013-09-05" { description "Released as part of ConfD-4.3.2."; } tailf:id ""; typedef candidateImplementationType { type enumeration { enum "confd" { value 664387550; } enum "external" { value 1055777754; } } } typedef whoHistoryDateTimeFormatType { type enumeration { enum "long" { value 105537656; } enum "short" { value 2029155337; } } } typedef multiPatternOperationType { type enumeration { enum "any" { value 383440309; } enum "all" { value 2031982792; } } } typedef confirmUncommitedOnExitType { type enumeration { enum "prompt" { value 1796253006; } enum "discard" { value 664427145; } enum "commit" { value 128787545; } } } typedef tableBehaviorType { type enumeration { enum "dynamic" { value 1339207079; } enum "suppress" { value 1746378947; } enum "enforce" { value 868039165; } } } typedef rollNumbering { type enumeration { enum "fixed" { value 1180146474; } enum "rolling" { value 492733776; } } } typedef completionMetaInfoType { type enumeration { enum "false" { value 1249155036; } enum "alt1" { value 1173421906; } enum "alt2" { value 780021010; } } } typedef pipeHelpModeType { type enumeration { enum "always" { value 1980885055; } enum "auto" { value 1146214388; } enum "never" { value 1258673503; } } } typedef candidateStorageType { type enumeration { enum "disk" { value 334675513; } enum "ram" { value 781613798; } enum "auto" { value 1146214388; } } } typedef editWrapModeType { type enumeration { enum "wrap" { value 1386835265; } enum "newline" { value 100405574; } enum "vt100" { value 321017956; } } } typedef cliTimezoneType { type enumeration { enum "utc" { value 1427039597; } enum "local" { value 2129802687; } } } typedef journalCompactionType { type enumeration { enum "automatic" { value 1726921432; } enum "manual" { value 48828153; } } } typedef configurationReplicationType { type enumeration { enum "async" { value 1368962940; } enum "sync" { value 2047869128; } } } typedef operationalPersistentType { type enumeration { enum "confspec" { value 2093298699; } enum "always" { value 1980885055; } enum "never" { value 1258673503; } } } typedef operationalReplicationType { type enumeration { enum "never" { value 1258673503; } enum "always" { value 1980885055; } enum "persistent" { value 1783422916; } } } typedef operationalReplicationModeType { type enumeration { enum "async" { value 1368962940; } enum "sync" { value 2047869128; } } } typedef snmpVersionType { type enumeration { enum "v1" { value 1223356638; } enum "v2c" { value 406691283; } } } typedef compressedSchemaLevelType { type uint8 { range "1..2"; } } typedef dscpType { type uint8 { range "0 .. 63"; } } typedef limitType { type union { type uint32; type unboundedType; } } typedef parserLimitType { type union { type limitType; type enumeration { enum "model" { value 1814338831; } } } } typedef unboundedType { type enumeration { enum "unbounded" { value 1813338730; } } } typedef infinityType { type enumeration { enum "infinity" { value 1378257424; } } } typedef timeoutType { type union { type xs:duration; type infinityType; } } typedef rpcErrorType { type enumeration { enum "close" { value 1912083739; } enum "inline" { value 1987224790; } } } typedef dbAccessType { type enumeration { enum "read-write" { value 1464236954; } enum "writable-through-candidate" { value 532826246; } } } typedef pubkeyAuthenticationType { type enumeration { enum "none" { value 432063804; } enum "local" { value 2129802687; } enum "system" { value 1534086422; } } } typedef expirationWarningType { type enumeration { enum "ignore" { value 1852995428; } enum "display" { value 2135153981; } enum "prompt" { value 1796253006; } } } typedef auditUserNameType { type enumeration { enum "always" { value 1980885055; } enum "known" { value 584303659; } enum "never" { value 1258673503; } enum "truncated" { value 258228701; } } } typedef defaultHandlingModeType { type enumeration { enum "explicit" { value 920928367; } enum "trim" { value 250701330; } enum "report-all" { value 1824535838; } } } typedef syslogVersionType { type enumeration { enum "bsd" { value 1701318; } enum "1" { value 1535449617; } } } typedef cliAuditLogType { type enumeration { enum "all" { value 2031982792; } enum "none" { value 432063804; } enum "denied" { value 1293974345; } enum "allowed" { value 1631106802; } } } typedef cliActionMapType { type enumeration { enum "both" { value 1577301616; } enum "config" { value 2105663071; } enum "oper" { value 1313484953; } } } typedef cliModeNameStyleType { type enumeration { enum "short" { value 2029155337; } enum "two" { value 87009233; } enum "full" { value 476261018; } } } typedef quoteStyleType { type enumeration { enum "quote" { value 883581901; } enum "backslash" { value 1857839842; } } } typedef modeInfoInAAAType { type enumeration { enum "true" { value 1808796341; } enum "false" { value 1249155036; } enum "path" { value 1002915403; } } } typedef modeInfoInAuditType { type enumeration { enum "true" { value 1808796341; } enum "false" { value 1249155036; } enum "path" { value 1002915403; } } } typedef enableDisplayLevelType { type enumeration { enum "true" { value 1808796341; } enum "false" { value 1249155036; } enum "pipe" { value 612053909; } } } typedef cliStyle { type enumeration { enum "j" { value 641834109; } enum "c" { value 589337185; } enum "i" { value 1541010383; } } } typedef rollbackType { type enumeration { enum "full" { value 476261018; } enum "delta" { value 1928409309; } } } typedef syslogFacilityType { type union { type bsdFacilityType; type intFacilityType; } } typedef bsdFacilityType { type enumeration { enum "daemon" { value 137874048; } enum "authpriv" { value 2143429981; } enum "local0" { value 1223389442; } enum "local1" { value 659974174; } enum "local2" { value 388815177; } enum "local3" { value 133202671; } enum "local4" { value 1369253367; } enum "local5" { value 37794477; } enum "local6" { value 918612352; } enum "local7" { value 1098748970; } } } typedef intFacilityType { type uint32 { range "min .. 2147483647"; } } typedef cliMax { type uint32 { range "5 .. 2147483647"; } } typedef rollMax { type uint32 { range "0 .. 2147483647"; } } typedef hex8ValueType { type xs:hexBinary { } } typedef charType { type string { length "1"; } } typedef falseType { type enumeration { enum "false" { value 1249155036; } } } typedef aliasQuoteType { type union { type falseType; type charType; } } typedef hex16ValueType { type xs:hexBinary { } } typedef verifyType { type uint32 { range "1 .. 3"; } } typedef pendingChangesActionType { type enumeration { enum "continue" { value 1852005625; } enum "fail" { value 1504483183; } } } typedef developerLogLevelType { type enumeration { enum "error" { value 126243105; } enum "info" { value 2062105651; } enum "trace" { value 1896625767; } } } typedef snmpLogLevelType { type enumeration { enum "error" { value 126243105; } enum "info" { value 2062105651; } } } typedef netconfTraceFormatType { type enumeration { enum "pretty" { value 560733322; } enum "raw" { value 764753385; } } } typedef subagentNameType { type xs:token { length "min .. 31"; } } typedef SNMPAgentNameType { type xs:token { length "min .. 31"; } } typedef SNMPContextNameType { type xs:token { length "min .. 31"; } } typedef cryptHashAlgorithmType { type enumeration { enum "md5" { value 721897608; } enum "sha-256" { value 1426210322; } enum "sha-512" { value 945188773; } } } typedef cryptHashRoundsType { type uint32 { range "1000 .. 999999999"; } } typedef runtimeReconfigurationType { type enumeration { enum "config-file" { value 2073952695; } enum "namespace" { value 1847615892; } } } typedef idType { type union { type uint64 { range "1 .. max"; } type fixedIdType; } } typedef fixedIdType { type enumeration { enum "confd" { value 664387550; } enum "user" { value 1529217067; } enum "root" { value 1945751049; } } } typedef maxFilesType { type int64 { range "2 .. max"; } } typedef X-Frame-OptionsType { type enumeration { enum "DENY" { value 864815184; } enum "SAMEORIGIN" { value 1594198254; } enum "ALLOW-FROM" { value 2088887798; } } } typedef dhGroupSizeType { type uint32 { range "1024 .. 8192"; } } typedef cliLeafListStyleType { type enumeration { enum "flat-list" { value 59492072; } enum "range-list" { value 2027731099; } } } typedef cliActionNoListInst { type enumeration { enum "create-instance" { value 784973112; } enum "deny-call" { value 1762837762; } } } typedef unauthenticatedMessageLimitType { type union { type uint32; type enumeration { enum "nolimit" { value 1288276025; } } } } container confdConfig { tailf:validate "confdConfig" { tailf:internal; tailf:dependency "."; } tailf:info "ConfD configuration."; container subagents { tailf:info "Present only if ConfD runs as a master agent. Lists all registered subagents."; presence ""; list subagent { tailf:info "Parameters for a single subagent."; key "name"; leaf name { tailf:info "The name of the subagent. It is used as a unique identifier of the subagent. The name is included in the subagent events (see confd_lib_events(3)) generated by ConfD."; type subagentNameType; } leaf enabled { tailf:info "Whether the subagent should be considered by ConfD. When set to 'false' the subagent is ignored."; type boolean; default "true"; } container tcp { tailf:info "Parameters to be used when the masteragent communicates with the subagent over plain text TCP. This is more efficient than SSH, but TCP is non-standard."; presence ""; leaf ip { tailf:info "The IP address where the subagent listens for NETCONF TCP connections."; type inet:ip-address; mandatory true; } leaf port { tailf:info "The port where the subagent listens for NETCONF TCP connections."; type inet:port-number; default "2023"; } container confdAuth { tailf:info "In order to use NETCONF over TCP, the subagent must understand the ConfD proprietary TCP header, described in the NETCONF chapter in the ConfD User Guide."; leaf user { tailf:info "The user name to be used for authorization on the subagent."; type string; mandatory true; } leaf group { tailf:info "The group name to be used for authorization on the subagent."; type string; mandatory true; } } // container confdAuth } // container tcp container ssh { tailf:info "Parameters to be used when the masteragent communicates with the subagent over SSH."; presence ""; leaf ip { tailf:info "The IP address where the subagent listens for NETCONF SSH connections."; type inet:ip-address; mandatory true; } leaf port { tailf:info "The port where the subagent listens for NETCONF SSH connections."; type inet:port-number; default "2022"; } leaf user { tailf:info "The SSH user name used for authentication at the subagent."; type string; mandatory true; } leaf password { tailf:info "The SSH user's password."; type string; mandatory true; } } // container ssh container mount { tailf:info "This parameter defines where in the data hierarchy the subagent is registered. It consists of a path which must exist in the data model of the master agent, and the name of the node which the subagent implements."; leaf path { tailf:info "The path, in restricted XPath syntax, where the subagent's data is mounted. The XPath is restricted as an instance-identifier (see confd_types(3)). To mount on the top level, use '/'. Note that the XPath expression must not contain any namespace prefixes. If the subagent mounts more than one node, this object is a space separated list of paths."; type string; mandatory true; } leaf-list node { tailf:info "The namespace and name of the top-level node in that namespace, as a QName. This leaf-list must be of the same length as the 'path' leaf."; type xs:QName; } } // container mount leaf disableSubtreeOptimization { tailf:info "Whenever possible, the master agent sends a single subtree filter request, instead of one request for each object. If the subagent cannot handle these requests, for any reason, set this parameter to 'true'."; type boolean; default "false"; } } // list subagent } // container subagents container notifications { tailf:info "This section defines settings which affect notifications."; presence ""; container eventStreams { tailf:info "Lists all available notification event streams."; list stream { tailf:info "Parameters for a single notification event stream."; key "name"; leaf name { tailf:info "The name attached to a specific event stream."; type xs:token; } leaf description { tailf:info "A descriptive text attached to a specific event stream."; type string; mandatory true; } leaf replaySupport { tailf:info "Signals if replay support is available for a specific event stream."; type boolean; mandatory true; } container builtinReplayStore { tailf:info "Parameters for the built in replay store for this event stream. If replay support is enabled ConfD automatically stores all notifications on disk ready to be replayed should a NETCONF manager or RESTCONF event notification subscriber ask for logged notifications. The replay store uses a set of wrapping log files on disk (of a certain number and size) to store the notifications. The max size of each wrap log file (see below) should not be too large. This to achieve fast replay of notifications in a certain time range. If possible use a larger number of wrap log files instead. If in doubt use the recommended settings (see below)."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'false', the applications must implement its own replay support."; type boolean; default "false"; } leaf dir { tailf:info "The wrapping log files will be put in this disk location."; type string; mandatory true; } leaf maxSize { tailf:info "The max size of each log wrap file. The recommended setting is approximately S10M."; type tailf:size; mandatory true; } leaf maxFiles { tailf:info "The max number of log wrap files. The recommended setting is around 50 files."; type maxFilesType; mandatory true; } } // container builtinReplayStore } // list stream } // container eventStreams } // container notifications container opcache { tailf:info "This section defines settings which affect the behavior of the operational data cache - see the 'Operational data' chapter in the User Guide."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true', the cache is enabled."; type boolean; default "false"; } leaf timeout { tailf:info "The amount of time to keep data in the cache, in seconds."; type uint64 { range "0 .. max"; } mandatory true; } } // container opcache container snmpgw { tailf:info "This section defines settings which affect the behavior of the SNMP gateway."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true', the gateway is enabled."; type boolean; default "false"; } leaf trapPort { tailf:info "The port number to listen for traps on."; type inet:port-number; } leaf rowCacheMaxAge { tailf:info "Whenever any object is requested from an agent, all objects in the same conceptual row will be fetched and cached. This value limits the age of values in the cache. Higher values may give higher performance but increases the probability that the SNMP gateway returns stale data. The default is 5 seconds."; type xs:duration; default "PT5S"; } leaf rowCacheMaxSize { tailf:info "Whenever any object is requested from an agent, all objects in the same conceptual row will be fetched and cached. This value limits the number of values in the cache. Higher values may give higher performance but may also cause higher memory utilization. The default is 200."; type uint16; default "200"; } list agent { tailf:info "Parameters for a single agent."; key "name"; leaf name { tailf:info "A name for the agent, mainly used for error reporting."; type SNMPAgentNameType; } leaf subscriptionId { tailf:info "The subscription id, if set, is used for indicating to which applications external traps should be sent."; type xs:token; } leaf forwardNotifStream { tailf:info "The forwarding notification stream , if present, indicates that traps should be automatically translated in accordance with the yang definition of the notification, and sent out on the given stream. The given stream may not implement replay support externally."; type xs:token; } leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true', the agent is enabled."; type boolean; default "true"; } leaf community { tailf:info "The community string for communication with the agent. If the community string cannot be expressed in Unicode, use the element community_bin instead (see below). If both community_bin and community are specified, community is ignored."; type string; default "private"; } leaf community_bin { tailf:info "The community string for communication with the agent, encoded in hexBinary. For example, <community>AB</community> and <community_bin>4142</community_bin> are equivalent. The main use for this is when the community string cannot be expressed in Unicode."; type xs:hexBinary; } leaf version { tailf:info "The default protocol version to use. The value indicates the preferred version - if the agent doesn't respond, the other version will be tried."; type snmpVersionType; default "v2c"; } leaf timeout { tailf:info "The amount of time to wait for an answer from the agent before retrying or aborting the operation. The default is five seconds."; type xs:duration; default "PT5S"; } leaf retries { tailf:info "The number of times an SNMP request towards the agent should be retried before aborting the operation. The default is 0."; type uint8; default "0"; } leaf ip { tailf:info "The host (specified as a name or an IP address) on which the agent is running."; type inet:ip-address; mandatory true; } leaf port { tailf:info "The port number to use for communication with the agent."; type inet:port-number; default "161"; } leaf-list module { tailf:info "A list of MIB module names that this agent implements. Each such MIB must be convert to YANG and compiled with the --snmpgw flag to confdc."; type string; } } // list agent } // container snmpgw list hideGroup { tailf:info "Hide groups that can be unhidden must be listed here. There can be zero, one or many hideGroup entries in the configuraion. If a hide group does not have a hideGroup entry, then it cannot be unhidden using the CLI 'unhide' command. However, it is possible to add a hideGroup entry to the confd.conf file and then use confd --reload to make it available in the CLI. This may be useful to enable for example a diagnostics hide groups that you do not even want accessible using a password."; key "name"; leaf name { tailf:info "Name of hide group. This name should correspond to a hide group name in some data model."; type string; } leaf password { tailf:info "A password can optionally be specified for a hide group. If no password or callback is given then the hide group can be unhidden without giving a password. If a password is specified then the hide group cannot be enabled unless the password is entered. To completely disable a hide group, ie make it impossible to unhide it, remove the entire hideGroup container for that hide group."; type tailf:md5-digest-string; default ""; } leaf callback { tailf:info "A callback can optionally be specified for a hide group. If no callback or password is given then the hide group can be unhidden without giving a password. If a callback is specified then the hide group cannot be enabled unless a password is entered and the callback successfully verifies the password. Using a callback it is possible to have short lived unhide passwords and per-user unhide passwords. The callback must be registered as a command() callback with confd_register_action_cbs(), see confd_lib_dp(3). The 'path' argument to the callback is always 'hidegroup', while argv[0] is the name of the hide group, argv[1] is the name of the user issuing the unhide command, and argv[2] is the given password. The callback should return CONFD_OK to allow the unhiding, otherwise CONFD_ERR."; type string; } } // list hideGroup container encryptedStrings { tailf:info "encryptedStrings defines keys used to encrypt strings adhering to the types tailf:des3-cbc-encrypted-string and tailf:aes-cfb-128-encrypted-string as defined in the tailf-common YANG module, see the confd_types(3) manual page."; presence ""; container externalKeys { tailf:info "Configuration of an external command that will provide the keys used for encryptedStrings. When set no keys for encrypted-strings can be set in the configuration."; presence ""; leaf command { tailf:info "Path to command executed to output keys."; type string; must 'not(../../DES3CBC) and not(../../AESCFB128)'; mandatory true; } leaf commandTimeout { tailf:info "Command timeout. Timeout is measured between complete lines read from the output."; type timeoutType; default "PT60S"; } leaf commandArgument { tailf:info "Argument available in externalKeys command as the environment variable CONFD_EXTERNAL_KEYS_ARGUMENT."; type string; } } // container externalKeys container DES3CBC { tailf:info "In the DES3CBC case three 64 bits (8 bytes) keys and a random initial vector are used to encrypt the string. The initVector element is only used when upgrading from versions before ConfD-6.2, but it is kept for backward compatibility reasons."; presence ""; leaf key1 { type hex8ValueType; mandatory true; } leaf key2 { type hex8ValueType; mandatory true; } leaf key3 { type hex8ValueType; mandatory true; } leaf initVector { type hex8ValueType; } } // container DES3CBC container AESCFB128 { tailf:info "In the AESCFB128 case one 128 bits (16 bytes) key and a random initial vector are used to encrypt the string. The initVector element is only used when upgrading from versions before ConfD-6.2, but it is kept for backward compatibility reasons."; presence ""; leaf key { type hex16ValueType; mandatory true; } leaf initVector { type hex16ValueType; } } // container AESCFB128 } // container encryptedStrings container logs { tailf:info "This section defines settings which affect the logging done by ConfD."; presence ""; container syslogConfig { tailf:info "Shared settings for how to log to syslog. Logs (see below) can be configured to log to file and/or syslog. If a log is configured to log to syslog, the settings under /confdConfig/logs/syslogConfig are used used."; presence ""; leaf version { tailf:info "version is either 'bsd' (traditional syslog) or '1' (new IETF syslog format: draft-ietf-syslog-protocol-16.txt). '1' implies that /confdConfig/logs/syslogConfig/udp/enabled must be set to 'true'."; type syslogVersionType; default "bsd"; } leaf facility { tailf:info "facility is either 'daemon', 'authpriv', 'local0', ..., 'local7' or an unsigned integer. This facility setting is the default facility. It's also possible to set individual facilities in the different logs below. Furthermore with the syslogServers container described below it is possible to set default facility on a per server basis. If facility is explictly set for a log type, that item is used."; type syslogFacilityType; default "daemon"; } container udp { tailf:info "This is a container for UDP syslog. This container can only contain the configuration for a single UDP syslog server. If we need more than one syslog server we must use the /confdConfig/logs/syslogConfig/syslogServers container instead. If the udp container is used, the syslogServers container is ignored."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'false', messages will be sent to the local syslog daemon."; type boolean; default "false"; } leaf host { tailf:info "host is either a domain name or an IPv4/IPv6 network address. UDP syslog messages are sent to this host."; type inet:host; mandatory true; } leaf port { tailf:info "port is a valid port number to be used in combination with /confdConfig/logs/syslogConfig/udp/host."; type inet:port-number; default "514"; } } // container udp container syslogServers { tailf:info "This is an alternative way of specifying UDP syslog servers. If we use the /confdCfg/logs/syslogConfig/udp container this container is ignored, alternatively, if we use this container the /confdCfg/logs/syslogConfig/udp container is ignored."; presence ""; list server { tailf:info "A set of syslog servers that get a copy of all syslog messages."; key "host"; leaf host { tailf:info "host is either a domain name or an IPv4/IPv6 network address. UDP syslog messages are sent to this host."; type inet:host; } leaf port { tailf:info "port is the UDP port number where this syslog server is listening."; type inet:port-number; default "514"; } leaf version { tailf:info "version is either 'bsd' (traditional syslog) or '1' (new IETF syslog format: draft-ietf-syslog-protocol-16.txt)."; type syslogVersionType; default "bsd"; } leaf facility { tailf:info "facility is either 'daemon', 'local0', ..., 'local7' or an unsigned integer."; type syslogFacilityType; default "daemon"; } leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'false', this syslog server will not get any udp messages."; type boolean; default "true"; } } // list server } // container syslogServers } // container syslogConfig container confdLog { tailf:info "confdLog is ConfD's daemon log. Check this log for startup problems of the ConfD daemon itself. This log is not rotated, i.e. use logrotate(8)."; presence ""; leaf enabled { type boolean; default "true"; description "enabled is either 'true' or 'false'. If 'true', the log is enabled."; } container file { presence ""; leaf enabled { type boolean; default "false"; description "enabled is either 'true' or 'false'. If 'true', file logging is enabled."; } leaf name { type string; mandatory true; description "name is the full path to the actual log file."; } } // container file container syslog { presence ""; leaf enabled { type boolean; default "false"; description "enabled is either 'true' or 'false'. If 'true', syslog messages are sent."; } leaf facility { type syslogFacilityType; description "facility is either 'daemon', 'authpriv', 'local0', ..., 'local7' or an unsigned integer. This optional value overrides the /confdConfig/logs/syslogConfig/facility for this particular log."; } } // container syslog } // container confdLog container developerLog { tailf:info "developerLog is a debug log for troubleshooting user-written code, AAA rules etc. Enable and check this log for problems with validation code etc. This log can be configured as /confdConfig/logs/confdLog. The log is not rotated, i.e. use logrotate(8)."; presence ""; leaf enabled { type boolean; default "true"; description "enabled is either 'true' or 'false'. If 'true', the log is enabled."; } container file { presence ""; leaf enabled { type boolean; default "false"; description "enabled is either 'true' or 'false'. If 'true', file logging is enabled."; } leaf name { type string; mandatory true; description "name is the full path to the actual log file."; } } // container file container syslog { presence ""; leaf enabled { type boolean; default "false"; description "enabled is either 'true' or 'false'. If 'true', syslog messages are sent."; } leaf facility { type syslogFacilityType; description "facility is either 'daemon', 'authpriv', 'local0', ..., 'local7' or an unsigned integer. This optional value overrides the /confdConfig/logs/syslogConfig/facility for this particular log."; } } // container syslog } // container developerLog leaf developerLogLevel { tailf:info "Controls which level of developer messages are printed in the developer log. This configuration parameter takes effect for both existing and new sessions."; type developerLogLevelType; default "info"; } container auditLog { tailf:info "auditLog is an audit log recording successful and failed logins to the ConfD backplane and also user operations performed from the CLI or northbound interfaces. This log is enabled by default. In all other regards it can be configured as /confdConfig/logs/confdLog. This log is not rotated, i.e. use logrotate(8). This configuration parameter takes effect for both existing and new sessions."; presence ""; leaf enabled { type boolean; default "true"; description "enabled is either 'true' or 'false'. If 'true', the log is enabled."; } container file { presence ""; leaf enabled { type boolean; default "false"; description "enabled is either 'true' or 'false'. If 'true', file logging is enabled."; } leaf name { type string; mandatory true; description "name is the full path to the actual log file."; } } // container file container syslog { presence ""; leaf enabled { type boolean; default "false"; description "enabled is either 'true' or 'false'. If 'true', syslog messages are sent."; } leaf facility { type syslogFacilityType; description "facility is either 'daemon', 'authpriv', 'local0', ..., 'local7' or an unsigned integer. This optional value overrides the /confdConfig/logs/syslogConfig/facility for this particular log."; } } // container syslog } // container auditLog leaf auditLogCommit { tailf:info "Controls whether the audit log should include messages about the resulting configuration changes for each commit to the running data store. This configuration parameter takes effect for both existing and new sessions. If set to 'true', the audit log will include entries of the form: commit thandle <N> begin [confirmed [extended]] commit thandle <N> comment <comment> commit thandle <N> label <label> commit thandle <N> <path> created commit thandle <N> <path> deleted commit thandle <N> <path> moved first commit thandle <N> <path> moved after {<keys>} commit thandle <N> <path> set to '<value>' commit thandle <N> <path> default set (<value>) (*) commit thandle <N> <path> attribute '<name>' set to '<value>' commit thandle <N> <path> attribute '<name>' deleted commit thandle <N> end commit confirmed completed commit confirmed canceled (*) The presence of these entries are controlled by the parameter auditLogCommitDefaults. The 'commit thandle <N> begin' entry indicates the start of a commit for the transaction with handle N. This is followed by a 'commit thandle <N> comment <comment>' entry and/or a 'commit thandle <N> label <label>' entry if a commit comment and/or label was given, then a number of 'commit thandle <N> <path> ...' entries detailing the changes, and finally a 'commit thandle <N> end' entry. If 'begin' is followed by 'confirmed', it means that the changes are part of a confirmed commit that will not be permanent until a 'commit confirmed completed' entry is logged - if 'commit confirmed canceled' is logged instead, the changes have been reverted. If 'begin confirmed' is followed by 'extended', it means that the changes are part of a confirmed commit that extends a confirmed commit that is already in progress."; type boolean; default "false"; } leaf auditLogCommitDefaults { tailf:info "If this leaf is set to 'true', then the auditCommitLog will contain entries on the form: commit thandle <N> <path> default set (<value>) Adding these entries can have a performance impact."; type boolean; default "false"; } container auditNetworkLog { tailf:info "NCS-specific log, not documented here."; presence ""; leaf enabled { type boolean; default "false"; description "enabled is either 'true' or 'false'. If 'true', the log is enabled."; } container file { presence ""; leaf enabled { type boolean; default "false"; description "enabled is either 'true' or 'false'. If 'true', file logging is enabled."; } leaf name { type string; mandatory true; description "name is the full path to the actual log file."; } } // container file container syslog { presence ""; leaf enabled { type boolean; default "false"; description "enabled is either 'true' or 'false'. If 'true', syslog messages are sent."; } leaf facility { type syslogFacilityType; description "facility is either 'daemon', 'authpriv', 'local0', ..., 'local7' or an unsigned integer. This optional value overrides the /confdConfig/logs/syslogConfig/facility for this particular log."; } } // container syslog } // container auditNetworkLog container netconfLog { tailf:info "netconfLog is a log for troubleshooting NETCONF operations, such as checking why e.g. a filter operation didn't return the data requested. This log can be configured as /confdConfig/logs/confdLog. The log configuration takes effect for both existing and new sessions. The log is not rotated, i.e. use logrotate(8)."; presence ""; leaf enabled { type boolean; default "true"; description "enabled is either 'true' or 'false'. If 'true', the log is enabled."; } container file { presence ""; leaf enabled { type boolean; default "false"; description "enabled is either 'true' or 'false'. If 'true', file logging is enabled."; } leaf name { type string; mandatory true; description "name is the full path to the actual log file."; } } // container file container syslog { presence ""; leaf enabled { type boolean; default "false"; description "enabled is either 'true' or 'false'. If 'true', syslog messages are sent."; } leaf facility { type syslogFacilityType; description "facility is either 'daemon', 'authpriv', 'local0', ..., 'local7' or an unsigned integer. This optional value overrides the /confdConfig/logs/syslogConfig/facility for this particular log."; } } // container syslog leaf logReplyStatus { tailf:info "When set to 'true', ConfD extends netconf log with rpc-reply status ('ok' or 'error')."; type boolean; default "false"; } } // container netconfLog container jsonrpcLog { tailf:info "jsonrpcLog is a log of JSON-RPC traffic. This log can be configured as /confdConfig/logs/confdLog. The log configuration takes effect for both existing and new sessions. The log is not rotated, i.e. use logrotate(8)."; presence ""; leaf enabled { type boolean; default "true"; description "enabled is either 'true' or 'false'. If 'true', the log is enabled."; } container file { presence ""; leaf enabled { type boolean; default "false"; description "enabled is either 'true' or 'false'. If 'true', file logging is enabled."; } leaf name { type string; mandatory true; description "name is the full path to the actual log file."; } } // container file container syslog { presence ""; leaf enabled { type boolean; default "false"; description "enabled is either 'true' or 'false'. If 'true', syslog messages are sent."; } leaf facility { type syslogFacilityType; description "facility is either 'daemon', 'authpriv', 'local0', ..., 'local7' or an unsigned integer. This optional value overrides the /confdConfig/logs/syslogConfig/facility for this particular log."; } } // container syslog } // container jsonrpcLog container snmpLog { tailf:info "snmpLog is a log for tracing SNMP requests and responses. This log can be configured as /confdConfig/logs/confdLog. The log is not rotated, i.e. use logrotate(8)."; presence ""; leaf enabled { type boolean; default "true"; description "enabled is either 'true' or 'false'. If 'true', the log is enabled."; } container file { presence ""; leaf enabled { type boolean; default "false"; description "enabled is either 'true' or 'false'. If 'true', file logging is enabled."; } leaf name { type string; mandatory true; description "name is the full path to the actual log file."; } } // container file container syslog { presence ""; leaf enabled { type boolean; default "false"; description "enabled is either 'true' or 'false'. If 'true', syslog messages are sent."; } leaf facility { type syslogFacilityType; description "facility is either 'daemon', 'authpriv', 'local0', ..., 'local7' or an unsigned integer. This optional value overrides the /confdConfig/logs/syslogConfig/facility for this particular log."; } } // container syslog } // container snmpLog leaf snmpLogLevel { tailf:info "Controls which level of SNMP pdus are printed in the SNMP log. The value 'error' means that only PDUs with error-status not equal to 'noError' are printed."; type snmpLogLevelType; default "info"; } container snmpGatewayLog { tailf:info "snmpGatewayLog is a log for tracing SNMP Gateway requests and responses. The log is not rotated, i.e. use logrotate(8)."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true', the SNMP Gateway log is used."; type boolean; default "false"; } leaf northbound { tailf:info "enabled is either 'true' or 'false'. If 'true', all requests towards the snmp gateway are logged."; type boolean; default "false"; } leaf southbound { tailf:info "enabled is either 'true' or 'false'. If 'true', all requests done by the snmp gateway are logged."; type boolean; default "false"; } leaf filename { tailf:info "The name of the file where the snmp gateway log is written."; type string; mandatory true; } } // container snmpGatewayLog container webuiBrowserLog { tailf:info "Deprecated. Should not be used."; presence ""; leaf enabled { tailf:info "Deprecated. Should not be used."; type boolean; default "false"; } leaf filename { tailf:info "Deprecated. Should not be used."; type string; mandatory true; } } // container webuiBrowserLog container webuiAccessLog { tailf:info "webuiAccessLog is an access log for the embedded ConfD Web server. This file adheres to the Common Log Format, as defined by Apache and others. This log is not enabled by default and is not rotated, i.e. use logrotate(8)."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true', the access log is used."; type boolean; default "false"; } leaf trafficLog { tailf:info "Is either 'true' or 'false'. If 'true', all HTTP(S) traffic towards the embedded Web server is logged in a log file named 'traffic.trace'. The log file can be used to debugging JSON-RPC/REST/RESTCONF. Beware: Do not use this log in a production setting. This log is not enabled by default and is not rotated, i.e. use logrotate(8)."; type boolean; default "false"; } leaf dir { tailf:info "The path to the directory whereas the access log should be written to."; type string; mandatory true; } } // container webuiAccessLog container netconfTraceLog { tailf:info "netconfTraceLog is a log for understanding and troubleshooting NETCONF protocol interactions. When this log is enabled, all NETCONF traffic to and from ConfD is stored to a file. By default, all XML is pretty-printed. This will slow down the NETCONF server, so be careful when enabling this log. This log is not rotated, i.e. use logrotate(8). Please note that this means that everything, including potentially sensitive data, is logged. No filtering is done."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true', all NETCONF traffic is logged. This configuration parameter takes effect for both existing and new sessions."; type boolean; default "false"; } leaf filename { tailf:info "The name of the file where the NETCONF traffic trace log is written."; type string; mandatory true; } leaf format { tailf:info "The value 'pretty' means that the XML data is pretty-printed. The value 'raw' means that it is not. This configuration parameter takes effect for both existing and new sessions."; type netconfTraceFormatType; default "pretty"; } } // container netconfTraceLog container xpathTraceLog { tailf:info "xpathTraceLog is a log for understanding and troubleshooting XPath evaluations. When this log is enabled, the execution of all XPath queries evaluated by ConfD is logged to a file. This will slow down ConfD, so be careful when enabling this log. This log is not rotated, i.e. use logrotate(8)."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true', all XPath execution is logged."; type boolean; default "false"; } leaf filename { tailf:info "The name of the file where the XPath trace log is written."; type string; mandatory true; } } // container xpathTraceLog container errorLog { tailf:info "errorLog is an error log used for internal logging from the ConfD daemon. It is used for troubleshooting the ConfD daemon itself, and it is recommended that it is enabled, in order to capture information about problems that are difficult to reproduce. This log is rotated by the ConfD daemon (see below)."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true', error logging is performed. This configuration parameter takes effect for both existing and new sessions."; type boolean; default "false"; } leaf filename { tailf:info "filename is the full path to the actual log file. This parameter must be set if the errorLog is enabled."; type string; mandatory true; } leaf maxSize { tailf:info "maxSize is the maximum size of an individual log file before it is rotated. Log filenames are reused when five logs have been exhausted. This configuration parameter takes effect for both existing and new sessions."; type tailf:size; default "S1M"; } container debug { presence ""; leaf enabled { type boolean; default "false"; } leaf level { type uint16; default "2"; } leaf-list tag { type xs:token; } } // container debug } // container errorLog container progressTrace { tailf:info "progressTrace is used for tracing progress events emitted by transactions and actions in ConfD. It provides useful information for debugging, diagnostics and profiling. Enabling this setting allows progress trace files to be written to the configured directory. What data to be emitted are configured in /progress/trace."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true', progress trace files are written to the configured directory."; type boolean; default "false"; } leaf dir { tailf:info "The directory path to the location of the progress trace files."; type string; mandatory true; } } // container progressTrace } // container logs container sessionLimits { tailf:info "Parameters for limiting concurrent access to ConfD."; presence ""; leaf maxSessions { tailf:info "Puts a limit to the total number of concurrent sessions to ConfD. This configuration parameter takes effect only for new sessions."; type limitType; default "unbounded"; } list sessionLimit { tailf:info "Parameters for limiting concurrent access for a specific context to ConfD. There can be multiple instances of this container element, each one specifying parameters for a specific context."; key "context"; leaf context { tailf:info "The context is either one of cli, netconf, webui, snmp, rest, or it can be any other context string defined through the use of MAAPI. As an example, if we use MAAPI to implement a CORBA interface to ConfD, our MAAPI program could send the string 'corba' as context."; type xs:token; } leaf maxSessions { tailf:info "Puts a limit to the total number of concurrent sessions to ConfD. This configuration parameter takes effect only for new sessions."; type limitType; mandatory true; } } // list sessionLimit leaf maxConfigSessions { tailf:info "Puts a limit to the total number of concurrent configuration sessions to ConfD. This configuration parameter takes effect only for new sessions."; type limitType; default "unbounded"; } list configSessionLimit { tailf:info "Parameters for limiting concurrent read-write transactions for a specific context to ConfD. There can be multiple instances of this container element, each one specifying parameters for a specific context."; key "context"; leaf context { tailf:info "The context is either one of cli, netconf, webui, snmp, rest, or it can be any other context string defined through the use of MAAPI. As an example, if we use MAAPI to implement a CORBA interface to ConfD, our MAAPI program could send the string 'corba' as context."; type xs:token; } leaf maxSessions { tailf:info "Puts a limit to the total number of concurrent configuration sessions to ConfD for the corresponding context. This configuration parameter takes effect only for new sessions."; type limitType; mandatory true; } } // list configSessionLimit } // container sessionLimits container parserLimits { tailf:info "Parameters for limiting parsing of XML data in ConfD."; presence ""; leaf maxTagLength { tailf:info "Maximum number of bytes for tag names including namespace prefix."; type parserLimitType; default "1024"; } leaf maxAttributeLength { tailf:info "Maximum number of bytes for attribute names including namespace prefix."; type parserLimitType; default "1024"; } leaf maxAttributeValueLength { tailf:info "Maximum number of bytes for attribute values in escaped form."; type limitType; default "16384"; } leaf maxAttributeCount { tailf:info "Maximum number of attributes on a single tag."; type parserLimitType; default "64"; } leaf maxXmlnsPrefixLength { tailf:info "Maximum number of bytes for xmlns prefix."; type limitType; default "1024"; } leaf maxXmlnsValueLength { tailf:info "Maximum number of bytes for a namespace value in escaped form."; type parserLimitType; default "1024"; } leaf maxXmlnsCount { tailf:info "Maximum number of xmlns declarations on a single tag."; type limitType; default "1024"; } leaf maxDataLength { tailf:info "Maximum number of bytes of continuous data."; type limitType; default "unbounded"; } } // container parserLimits container aaa { tailf:info "The login procedure to ConfD is fully described in the ConfD User Guide."; presence ""; leaf sshPubkeyAuthentication { tailf:info "Controls how the ConfD SSH daemon locates the user keys for public key authentication. If set to 'none', public key authentication is disabled. If set to 'local', and the user exists in /aaa/authentication/users, the keys in the user's 'ssh_keydir' directory are used. If set to 'system', the user is first looked up in /aaa/authentication/users, but only if /confdConfig/aaa/localAuthentication/enabled is set to 'true' - if localAuthentication is disabled, or the user does not exist in /aaa/authentication/users, but the user does exist in the OS password database, the keys in the user's $HOME/.ssh directory are used."; type pubkeyAuthenticationType; default "system"; } leaf sshLoginGraceTime { tailf:info "ConfD closes ssh connections after this time if the client has not successfully authenticated itself by then. If the value is 0, there is no time limit for client authentication. This is a global value for all ssh servers in ConfD. Modification of this value will only affect ssh connections that are established after the modification has been done."; type xs:duration; default "PT10M"; } leaf sshMaxAuthTries { tailf:info "ConfD closes ssh connections when the client has made this number of unsuccessful authentication attempts. This is a global value for all ssh servers in ConfD. Modification of this value will only affect ssh connections that are established after the modification has been done."; type limitType; default "unbounded"; } leaf defaultGroup { tailf:info "If the group of a user cannot be found in the AAA sub-system, a logged in user will end up as a member of the default group (if specified). If a user logs in and the group membership cannot be established, the user will have zero access rights."; type string; } leaf authOrder { tailf:info "By default the AAA system will try to authenticate a user in the following order. (1) localAuthentication i.e. the user is found inside /aaa/authentication/users. (2) pam - i.e PAM authentication - if enabled - is tried. (3) externalAuthentication i.e. an external program is invoked to authenticate the user. The default is thus: 'localAuthentication pam externalAuthentication' To change the order - change this string. For example in order to always try pam authentication before local auth set it to: 'pam localAuthentication'"; type string; } leaf validationOrder { tailf:info "By default the AAA system will try token validation for a user by the externalValidation configurables, as that is the only one currently available - i.e. an external program is invoked to validate the token. The default is thus: 'externalValidation'"; type string; } leaf expirationWarning { tailf:info "When PAM or external authentication is used, the authentication mechanism may give a warning that the user's password is about to expire. This parameter controls how ConfD processes that warning message. If set to 'ignore', the warning is ignored. If set to 'display', interactive user interfaces will display the warning message at login time. If set to 'prompt', interactive user interfaces will display the warning message at login time, and require that the user acknowledges the message before proceeding."; type expirationWarningType; default "ignore"; } leaf auditUserName { tailf:info "Controls the logging of the user name when a failed authentication attempt is logged to the audit log. If set to 'always', the user name is always logged. If set to 'known', the user name is only logged when it is known to be valid (i.e. when attempting localAuthentication and the user exists in /aaa/authentication/users), otherwise it is logged as '[withheld]'. If set to 'never', the user name is always logged as '[withheld]'. If set to 'truncated', the user name is always logged but will be truncated to 60 characters suffixed by the number of characters removed."; type auditUserNameType; default "always"; } leaf maxPasswordLength { tailf:info "The maximum length of the cleartext password for all forms of password authentication. Authentication attempts using a longer password are rejected without attempting verification. The hashing algorithms used for password verification, in particular those based on sha-256 and sha-512, require extremely high amounts of CPU usage when verification of very long passwords is attempted."; type uint16; default "1024"; } container pam { tailf:info "If PAM is to be used for login the ConfD daemon typically must run as root."; presence ""; leaf enabled { tailf:info "When set to 'true', ConfD uses PAM for authentication."; type boolean; default "false"; } leaf service { tailf:info "The PAM service to be used for the authentication. This can be any service we have installed in the /etc/pam.d directory. Different unices have different services installed under /etc/pam.d, and some use a file /etc/pam.conf instead - choose a service which makes sense or create a new one."; type string; default "common-auth"; } leaf timeout { tailf:info "The maximum time that authentication will wait for a reply from PAM. If the timeout is reached, the PAM authentication will fail, but authentication attempts may still be done with other mechanisms as configured for /confdConfig/aaa/authOrder. Default is PT10S, i.e. 10 seconds."; type xs:duration; default "PT10S"; } } // container pam container rest { presence ""; leaf authCacheTTL { tailf:info "The amount of time that REST API and RESTCONF locally caches authentication credentials before querying the AAA server. Default is PT10S, i.e. 10 seconds. Setting to PT0S, i.e. 0 seconds, effectively disables the authentication cache."; type xs:duration; default "PT10S"; } leaf enableAuthCacheClientIp { tailf:info "If enabled, a clients source IP address will also be stored in the REST/RESTCONF authentication cache."; type boolean; default "false"; } } // container rest container externalAuthentication { presence ""; leaf enabled { tailf:info "When set to 'true', external authentication is used."; type boolean; default "false"; } leaf executable { tailf:info "If we enable external authentication, an executable on the local host can be launched to authenticate a user. The executable will receive the username and the cleartext password on its standard input. The format is '[${USER};${PASS};]\n'. For example if user is 'bob' and password is 'secret', the executable will receive the string '[bob;secret;]' followed by a newline on its standard input. The program must parse this line. The task of the external program, which for example could be a RADIUS client, is to authenticate the user and also provide the user to groups mapping. Refer to the External authentication section of the AAA chapter in the User Guide for the details of how the program should report the result back to ConfD."; type string; } leaf useBase64 { tailf:info "When set to 'true', ${USER} and ${PASS} in the data passed to the executable will be base64-encoded, allowing e.g. for the password to contain ';' characters. For example if user is 'bob' and password is 'secret', the executable will receive the string '[Ym9i;c2VjcmV0;]' followed by a newline."; type boolean; default "false"; } leaf includeExtra { tailf:info "When set to 'true', additional information items will be provided to the executable: source IP address and port, context, and protocol. I.e. the complete format will be '[${USER};${PASS};${IP};${PORT};${CONTEXT};${PROTO};]\n'. Example: '[bob;secret;192.168.1.1;12345;cli;ssh;]\n'."; type boolean; default "false"; } } // container externalAuthentication container localAuthentication { presence ""; leaf enabled { tailf:info "When set to 'true', ConfD uses local authentication. That means that the user data kept in the aaa namespace is used to authenticate users. When set to 'false' some other authentication mechanism such as PAM or external authentication must be used."; type boolean; default "true"; } } // container localAuthentication container authenticationCallback { presence ""; leaf enabled { tailf:info "When set to 'true', ConfD will invoke an application callback when authentication has succeeded or failed. The callback may reject an otherwise successful authentication. If the callback has not been registered, all authentication attempts will fail. See confd_lib_dp(3) for the callback details."; type boolean; default "false"; } } // container authenticationCallback container externalValidation { presence ""; leaf enabled { tailf:info "When set to 'true', external token validation is used."; type boolean; default "false"; } leaf executable { tailf:info "If we enable external token validation, an executable on the local host can be launched to validate a user. The executable will receive a cleartext token on its standard input. The format is '[${TOKEN};]\n'. For example if the token is '7ea345123', the executable will receive the string '[7ea345123;]' followed by a newline on its standard input. The program must parse this line. The task of the external program, which for example could be a FUSION client, is to validate the token and also provide the token to user and groups mappings. Refer to the External validation section of the AAA chapter in the User Guide for the details of how the program should report the result back to ConfD."; type string; } leaf useBase64 { tailf:info "When set to 'true', ${TOKEN} in the data passed to the executable will be base64-encoded, allowing e.g. for the token to contain ';' characters."; type boolean; default "false"; } leaf includeExtra { tailf:info "When set to 'true', additional information items will be provided to the executable: source IP address and port, context, and protocol. I.e. the complete format will be '[${TOKEN};${IP};${PORT};${CONTEXT};${PROTO};]\n'. Example: '[7ea345123;192.168.1.1;12345;cli;ssh;]\n'."; type boolean; default "false"; } } // container externalValidation container validationCallback { presence ""; leaf enabled { tailf:info "When set to 'true', ConfD will invoke an application callback when validation has succeeded or failed. The callback may reject an otherwise successful validation. If the callback has not been registered, all validation attempts will fail. See confd_lib_dp(3) for the callback details."; type boolean; default "false"; } } // container validationCallback container authorization { presence ""; leaf enabled { tailf:info "When set to 'false', all authorization checks are turned off, similar to the -noaaa flag in confd_cli."; type boolean; default "true"; } container callback { presence ""; leaf enabled { tailf:info "When set to 'true', ConfD will invoke application callbacks for authorization. If the callbacks have not been registered, all authorization checks will be rejected. See confd_lib_dp(3) for the callback details."; type boolean; default "false"; } } // container callback leaf nacmCompliant { tailf:info "In earlier versions, ConfD did not fully comply with the NACM specification: the 'module-name' leaf was required to match toplevel nodes, but it was not considered for the node being accessed. If this leaf is set to 'false', this non-compliant behavior remains - this setting is only provided for backward compatibility with existing rule sets, and is not recommended."; type boolean; default "true"; } } // container authorization } // container aaa container ssh { tailf:info "This section defines settings which affect the behavior of the built in SSH implementation."; presence ""; leaf idleConnectionTimeout { tailf:info "The maximum time that an authenticated connection to the SSH server is allowed to exist without open channels. If the timeout is reached, the SSH server closes the connection. Default is PT10M, i.e. 10 minutes. If the value is 0, there is no timeout."; type xs:duration; default "PT10M"; } container algorithms { tailf:info "This section defines custom lists of algorithms to be usable with the built-in SSH implementation. For each type of algorithm, an empty value means that all supported algorithms should be usable, and a non-empty value (a comma-separated list of algorithm names) means that the intersection of the supported algorithms and the configured algorithms should be usable."; presence ""; leaf serverHostKey { tailf:info "The supported serverHostKey algorithms (if implemented in libcrypto) are 'ssh-dss' and 'ssh-rsa', but for any SSH server, it is limited to those algorithms for which there is a host key installed in the directory given by /confdConfig/aaa/sshServerKeyDir. To limit the usable serverHostKey algorithms to 'ssh-dss', set this value to 'ssh-dss' or avoid installing a key of any other type than ssh-dss in the sshServerKeyDir."; type string; default ""; } leaf kex { tailf:info "The supported key exchange algorithms (as long as their hash functions are implemented in libcrypto) are 'diffie-hellman-group18-sha512', 'diffie-hellman-group14-sha256', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1' and 'diffie-hellman-group1-sha1'. To limit the usable key exchange algorithms to 'diffie-hellman-group14-sha1' and 'diffie-hellman-group-exchange-sha256' (in that order) set this value to 'diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha256'."; type string; default ""; } container dhGroup { tailf:info "Range of allowed group size, the SSH server responds to the client during a 'diffie-hellman-group-exchange'. The range will be the intersection of what the client requests, if there is none the key exchange will be aborted."; presence ""; leaf minSize { tailf:info "Minimal size of p in bits."; type dhGroupSizeType; must '. <= ../maxSize'; default "2048"; } leaf maxSize { tailf:info "Maximal size of p in bits."; type dhGroupSizeType; default "4096"; } } // container dhGroup leaf mac { tailf:info "The supported mac algorithms (if implemented in libcrypto) are 'hmac-md5', 'hmac-sha1', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1-96' and 'hmac-md5-96'."; type string; default ""; } leaf encryption { tailf:info "The supported encryption algorithms (if implemented in libcrypto) are 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'aes128-cbc', 'aes256-cbc' and '3des-cbc'."; type string; default ""; } } // container algorithms leaf clientAliveInterval { tailf:info "If no data has been received from a connected client for this long, a request that requires a response from the client, will be sent over the SSH transport."; type timeoutType; default "infinity"; } leaf clientAliveCountMax { tailf:info "If no data has been received from the client, after this many consecutive clientAliveInterval has passed, the connection will be dropped."; type uint32; default "3"; } } // container ssh container cli { tailf:info "CLI parameters."; presence ""; leaf enabled { tailf:info " When set to 'true', the CLI server is started."; type boolean; default "true"; } leaf maxLineLength { tailf:info "When set to a number larger than zero, this number will be the maximum line length which can be entered into the CLI. This allows ConfD to reject extremely large lines that can otherwise potentially consume all memory. Note that this option does not take effect in the J-style load command."; type uint32; default "0"; } leaf allowImplicitWildcard { tailf:info "When set to 'true', users do not need to explicitly type * in the place of keys in lists, in order to see all list instances. When set to 'false', users have to explicitly type * to see all list instances. This option can be set to 'false', to help in the case where tab completion in the CLI takes long time when performed on lists with many instances."; type boolean; default "true"; } leaf startupScriptNonInteractive { tailf:info "startupScriptNonInteractive is either 'true' or 'false'. If set to 'true' then a CLI startup script will be evaluated also for non-interactive sessions."; type boolean; default "false"; } leaf modeNameStyle { tailf:info "modeNameStyle is either 'short', 'two', or 'full'. If 'short', then the mode name of submodes in the Cisco style CLIs will be constructed from the last element in the path and the instance key. If set to 'two' then the two last modes will be used for the mode name. If set to 'full' then all components in the path will be used in the mode name."; type cliModeNameStyleType; default "short"; } leaf allowOverwriteOnCopy { tailf:info "allowOverwriteOnCopy is either 'true' or 'false'. If set to 'true' then the copy command in the CLI will overwrite the target if it exists. If set to 'false' then an error will be displayed if the target exists."; type boolean; default "false"; } leaf inheritPaginate { tailf:info "inheritPaginate is either 'true' or 'false'. If set to 'true' then the paginate setting of a pipe command will be determined by the paginate setting of the main command. If set to 'false', then the output from a pipe command will not be paginated unless pagination for that pipe command has been overridden in a clispec file."; type boolean; default "true"; } leaf safeScriptExecution { tailf:info "safeScriptExecution is either 'true' or 'false'. If set to 'true' then 'exit', 'abort', 'end', and 'commit' are not allowed inside a script loaded through maapi with maapi_load_config()."; type boolean; default "true"; } leaf exitConfigModeOnCtrlC { tailf:info "exitConfigModeOnCtrlC is either 'true' or 'false'. If set to 'false' the user will not be thrown out of config mode when ctrl-c is pressed on an empty command line."; type boolean; default "true"; } leaf execNavigationCmds { tailf:info "execNavigationCmds is either 'true' or 'false'. If set to 'true' then it is possible to enter a submode also in exec mode in C- and I-style CLI."; type boolean; default "false"; } leaf allowOldStyleModeCmds { tailf:info "allowOldStyleModeCmds is either 'true' or 'false'. If set to 'true' then CLI commands in I and C-style are interpreted as mode commands if the path coincides with a list in the data-model. The recommended way to mount commands in a submode is instead to use the 'mount' attribute."; type boolean; default "false"; } leaf continueOnErrorCmdStack { tailf:info "continueOnErrorCmdStack is either 'true' or 'false'. If set to 'true' then command stack execution will continue even if an earlier command in the stack failed with an error, ie show xx ; show zz will execute both 'show xx' and 'show zz' even if 'show xx' failed with an error. If set to 'false' then command execution will be aborted as soon as a command fails."; type boolean; default "false"; } leaf topLevelCmdsInSubMode { tailf:info "topLevelCmdsInSubMode is either 'true' or 'false'. If set to 'true' all top level commands in I and C-style CLI are available in sub modes."; type boolean; default "false"; } leaf mixedMode { tailf:info "mixedMode is either 'true' or 'false'. If set to 'true' all oper mode commands are available in config mode."; type boolean; default "false"; } leaf completionShowOldVal { tailf:info "completionShowOldVal is either 'true' or 'false'. If set to 'true' a leaf's old value will be displayed inside brackets during command line completion. If set to 'false' it will not be shown."; type boolean; default "true"; } leaf completionMetaInfo { tailf:info "completionMetaInfo is either 'false', 'alt1' or 'alt2'. This option only applies to the J-style CLI. If set to 'alt1' then the alternatives shown for possible completions will be prefixed as follows: containers with > lists with + leaf-lists with + For example: Possible completions: ... > applications + apply-groups ... + dns-servers ... If set to 'alt2', then possible comopletions will be prefixed as follows: containers with > lists with children with +> lists without children with + For example: Possible completions: ... > applications +>apply-groups ... + dns-servers ... "; type completionMetaInfoType; default "false"; } leaf reportInvalidCompletionInput { tailf:info "reportInvalidCompletionInput is either 'true' or 'false'. If set to 'true' the CLI will display an error message during completion when the user press '?' to indicate if an invalid token has been entered on the command line."; type boolean; default "true"; } leaf useShortEnabled { tailf:info "useShortEnabled is either 'true' or 'false'. If set to 'true' then the CLI will display 'enabled' or 'disabled' in place of 'enabled true' and 'enabled false'."; type boolean; default "true"; } leaf smartRenameFiltering { tailf:info "smartRenameFiltering is either 'true' or 'false'. If set to 'true' then only paths that leads to existing instances will be presented when doing completion. This will lead to some extra calls to get_next() in order to determine if a path has instances or not. When set to 'false' all paths with potential instances are presented."; type boolean; default "true"; } leaf allowParenQuotes { tailf:info "allowParenQuotes is either 'true' or 'false'. If set to 'true' then parentheses are treated as quotes, ie the string (xx yy) will be equivalent to 'xx yy' and xx\ yy on the CLI command line."; type boolean; default "false"; } leaf singleElemPattern { tailf:info "singleElemPattern is either 'true' or 'false'. If 'true' then filters/patterns to show commands can be used to specify that you want to see a specific leaf element of all lists. Only that leaf element will be shown for each list entry. This works for both tables and row based rendering."; type boolean; default "true"; } leaf multiPatternOperation { tailf:info "multiPatternOperation is one of 'any', and 'all'. When set to 'any' a pattern is true if at least one match is found, if set to 'all', all patterns needs to be found for the pattern expression to be considered true."; type multiPatternOperationType; default "any"; } leaf sortSubmodeCmds { tailf:info "sortSubmodeCmds is either 'true' or 'false'. If set to 'true' then local submode commands are listed before global commands when the user enters ? in a submode in C and I-style."; type boolean; default "true"; } leaf sortLocalCmds { tailf:info "sortLocalCms is either 'true' or 'false'. If set to 'true' and sortSubmodeCmds are also set to 'true', then local submode commands are listed before global commands when the user enters ? in a submode in C and I-style, and the order of the commands is alphabetically ordered. If set to 'false' then the order of the local submode commands are the same as in the data model."; type boolean; default "true"; } leaf displayEmptyConfigContainers { tailf:info "displayEmptyConfigContainers is either 'true' or 'false'. If set to 'true' then 'show status' in the J-style CLI will display empty lists that are 'config true' even when there is no data to display. If set to 'false' the those containers will not be shown."; type boolean; default "true"; } leaf displayNonPresenceAttributes { tailf:info "displayNonPresenceAttributes is either 'true' or 'false'. If set to 'true' then all non presence containers will display their attributes even if the container is empty similar to how presence containers displays its attributes. If set to 'false' (default behaviour) those attributes will not be shown automatically."; type boolean; default "false"; } leaf showEditors { tailf:info "showEditors is either 'true' or 'false'. If set to 'true' then a list of current editors will be displayed when a user enters configure mode."; type boolean; default "true"; } leaf whoShowMode { tailf:info "whoShowMode is either 'true' or 'false'. If set to 'true' then an 'Config Mode' column will be added to the table shown when issuing the 'who' command in C- and I-mode."; type boolean; default "true"; } leaf whoHistoryDateTimeFormat { tailf:info "whoHistoryDateTimeFormat decides if the date should always include the date (long), or only include the date when different from today (short)."; type whoHistoryDateTimeFormatType; default "short"; } leaf resetScreenAfterMore { tailf:info "resetScreenAfterMore is used to control if a terminal reset sequence should be sent if control characters have been printed. This is to restore the terminal after showing potentially terminal controlling sequences."; type boolean; default "true"; } leaf editWrapMode { tailf:info "editWrapMode is either 'wrap', 'newline' or 'vt100'. If 'wrap' or 'vt100' is used then cut-and-paste will work in xterms (and other terminal emulators) but the CLI may behave oddly if the screen width is manually configured to something other than the true screen width. If 'vt100' is used then no >space<>backspace< sequence is used to force line wrapping. This makes it easier for scripts that rely on command line echoing but the cursor will disappear at the end of the line temporarily."; type editWrapModeType; default "wrap"; } leaf supportQuotedEOL { tailf:info "supportQuotedEOL is either 'true' or 'false'. If set to 'true' then a final backslash (\) on a line means that the next line will be concatenated with the previous line, similarly to a Linux Shell."; type boolean; default "true"; } leaf allowWildcard { tailf:info "allowWildcard is either 'true' or 'false'. If 'true' then wildcard expressions are allowed in show commands."; type boolean; default "true"; } leaf allowAllAsWildcard { tailf:info "Wildcard is normally written as '*' but with 'allowAllAsWildcard' set to 'true' the string 'all' will also be accepted in place of '*'."; type boolean; default "false"; } leaf allowRangeExpression { tailf:info "allowRangeExpression is either 'true' or 'false'. If 'true' then range expressions are allowed for all key values of type basic type integer. An alternative is to specify hasRange for each path in the clispec."; type boolean; default "true"; } leaf allowRangeExpressionAllTypes { tailf:info "allowRangeExpressionAllTypes is either 'true' or 'false'. If 'true' then range expressions are allowed for all key values regardless of type. An alternative is to specify hasRange for each element in the yang files."; type boolean; default "true"; } leaf useDoubleDotRanges { tailf:info "useDoubleDotRanges is either 'true' or 'false'. If 'true' then range expressions are types as 1..3, if set to 'false' then ranges are given as 1-3."; type boolean; default "false"; } leaf addExtraTableSpacing { tailf:info "addExtraTableSpacing is either 'true' or 'false'. If set to 'true' then an additional newline will be added on each side of the table. This configuration parameter takes effect for both existing and new sessions."; type boolean; default "false"; } leaf suppressRangeKeyword { tailf:info "suppressRangeKeyword is either 'true' or 'false'. If 'true' then 'range' keyword is not allowed in C- and I-style for range expressions."; type boolean; default "false"; } leaf exitModeOnEmptyRange { tailf:info "exitModeOnEmptyRange is either 'true' or 'false'. If 'true' and if standing in a range submode, the CLI will exit to the parent submode if all instances in the range has been deleted by the user."; type boolean; default "false"; } leaf tableLabel { tailf:info "tableLabel is either 'true' or 'false'. If 'true' then tables displayed in C and I style CLI will have a relative location label to make it possible to know which table is displayed."; type boolean; default "false"; } leaf tableLookAhead { tailf:info "The tableLookAhead element tells confd how many rows to pre-fetch when displaying a table. The prefetched rows are used for calculating the required column widths for the table. If set to a small number it is recommended to explicitly configure the column widths in the clispec file."; type uint64 { range "1 .. max"; } default "50"; } leaf moreBufferLines { tailf:info "moreBufferLines is used to limit the buffering done by the more process. It can be 'unbounded' or a positive integer describing the maximum number of lines to buffer."; type limitType; default "5000"; } leaf showTableLabelsIfMultiple { tailf:info "showTableLabelsIfMultiple is either 'true' or 'false'. If set to 'true' then table labels will only be displayed if multiple tables, or a table and additional data is displayed. If set to 'false' then table labels are always shown if they exists and tableLabel is enabled."; type boolean; default "false"; } leaf defaultTableBehavior { tailf:info "defaultTableBehavior is either 'dynamic', 'suppress', or 'enforce'. If set to 'dynamic' then list nodes will be displayed as tables if the resulting table will fit on the screen. If set to suppress, then list nodes will not be displayed as tables unless a table has been specified by some other means (ie through a setting in the clispec-file or through a command line parameter), if set to 'enforce' then list nodes will always be displayed as tables unless otherwise specified in the clispec-file or on the command line."; type tableBehaviorType; default "dynamic"; } leaf allowTableOverflow { tailf:info "allowTableOverflow is either 'true' or 'false'. If 'true' then tables displayed in a Cisco style CLI will be allowed to overflow. If 'false' a too wide table will be displayed as a 'setting - value' list instead."; type boolean; default "false"; } leaf tableOverflowTruncate { tailf:info "tableOverflowTruncate is either 'true' or 'false'. If 'true' then overflowing tables will be truncated instead of wrapped."; type boolean; default "false"; } leaf allowTableCellWrap { tailf:info "allowTableCellWrap is either 'true' or 'false'. If 'true' then tables displayed in a Cisco style CLI will be allowed to wrap if the initial cell-width estimate proves to be too narrow. If 'false' a too wide table cell will overflow instead, pushing the rest of the line to the right."; type boolean; default "true"; } leaf showAllNs { tailf:info "showAllNs is either 'true' or 'false'. If 'true' then all element names will be shown with their namespace prefix in the CLI. This is visible when displaying the running configuration and when modifying the configuration."; type boolean; default "false"; } leaf useExposeNsPrefix { tailf:info "useExposeNsPrefix is either 'true' or 'false'. If 'true' then all nodes annotated with the tailf:cli-expose-ns-prefix will result in the namespace prefix being shown/required. If set to 'false' then the tailf:cli-expose-ns-prefix annotation will be ignored."; type boolean; default "true"; } leaf orderedShowConfig { tailf:info "orderedShowConfig is either 'true' or 'false'. If 'true' then the commands displayed when running the 'show configuration' command in C-mode will take leafrefs and cli-diff-dependency into account."; type boolean; default "true"; } leaf suppressFastShow { tailf:info "suppressFastShow is either 'true' or 'false'. If 'true' then an internal API is used to determine if a configuration subtree contains any configuration. This avoids exploring the subtree when displaying the configuration."; type boolean; default "false"; } leaf leafPrompting { tailf:info "leafPrompting is either 'true' or 'false'. If 'true' the CLI will prompt the user for leaf values if they are not provided on the command line. If 'false' then an error message will be displayed if the user does not provide a value for a leaf."; type boolean; default "true"; } leaf modeInfoInAudit { tailf:info "modeInfoInAudit is either 'true', 'false' or 'path'. If 'true', then all commands will be prefixed with major and minor mode name when logged as audit messages. This means that it is possible to differentiate between commands with the same name in different modes. Major mode is 'operational' or 'configure' and minor mode is 'top' in J-style and the name of the submode in C- and I-mode. On the top-level in C- and I-mode it is also 'top'. If set to 'path' the major mode will be followed by the full command path to the submode."; type modeInfoInAuditType; default "false"; } leaf auditLogMode { tailf:info "auditLogMode is either 'all', 'allowed', or 'denied'. If 'all', then all commands that the user tries to execute will be logged in the audit trail log. If 'allowed', only allowed commands will be logged, ie commands that are actually run by the user. If 'denied', only commands that the user were not allowed to execute will be logged, prefixed with 'denied'."; type cliAuditLogType; default "all"; } leaf transactions { tailf:info "Control whether commit should be supported in the CLI or not. When set to 'false' all commands will be automatically committed when the user presses ENTER in the CLI."; type boolean; default "true"; } leaf transactionCtrlCmds { tailf:info "transactionCtrlCmds is either 'true' or 'false'. If 'true', then the CLI will have commands for enabling and disabling transactions in configure mode, ie 'enable transactions' and 'disable transactions'. If set to 'false' no such commands will be present."; type boolean; default "false"; } leaf actionCallNoListInstance { tailf:info "actionCallNoListInstance can be set to either 'deny-call', or 'create-instance'. If attempting to call an action placed in a non existing list instance, 'deny-call' will give an error. 'create-instance' will create the missing list instance and subsequently call the action. This is only effective in configuration mode in C-style CLI."; type cliActionNoListInst; default "deny-call"; } leaf style { tailf:info "style is either 'j', 'c', or 'i'. If 'j', then the CLI will be presented as a Juniper style CLI. If 'c' then the CLI will appear as Cisco XR style, and if 'i' then a Cisco IOS style CLI will be rendered."; type cliStyle; default "j"; } leaf completionShowMax { tailf:info "Maximum number of possible alternatives to present when doing completion."; type cliMax; default "100"; } leaf rollbackAAA { tailf:info "If set to 'true' then AAA rules will be applied when a rollback file is loaded. This means that rollback may not be possible if some other user have made changes that the current user does not have access privileges to."; type boolean; default "false"; } leaf rollbackMax { tailf:info "Maximum number of rollback changes to allow through the CLI. This configuration parameter takes effect for both existing and new sessions."; type rollMax; default "1000"; } leaf rollbackNumbering { tailf:info "rollbackNumbering is either 'fixed' or 'rolling'. If set to 'rolling' then rollback file '0' will always contain the last commit. When using 'fixed' each rollback will get a unique increasing number. This configuration parameter takes effect for both existing and new sessions."; type rollNumbering; default "rolling"; } leaf rollbackNumberingInitial { tailf:info "rollbackNumberingInitial is the starting point of the rollback numbering when the 'increasing' rollback numbering scheme is used. This configuration parameter takes effect when ConfD initially starts."; type int64; default "10000"; } leaf inconsistentDatabaseSuffix { tailf:info "The inconsistentDatabaseSuffix is a message that is appended to the warning message that the CLI displays when it detects that the running database have got inconsistent."; type string; default ""; } leaf showDefaults { tailf:info "showDefaults is either 'true' or 'false'. If 'true' then default values will be shown when displaying the configuration. The default value is shown inside a comment on the same line as the value. Showing default values can also be enabled in the CLI per session using the operational mode command 'set show defaults true'. This configuration parameter takes effect only for new sessions."; type boolean; default "false"; } leaf reallocateOperTrans { tailf:info "reallocateOperTrans is either 'true' or 'false'. If 'true' then a new read transaction will be allocated for each oper-mode command. When set to 'false' a single oper transaction will be used for the entire CLI session."; type boolean; default "false"; } leaf quickSshTeardown { tailf:info "quickSshTeardown controls if CLI sessions initiated through an SSH sessions should be torn down directly when the socket is closed, or not. When set to 'true' the socket will be closed as soon as the CLI receives a tcp shutdown, if set to 'false' it will wait until all pending data has been written."; type boolean; default "false"; } leaf cAlignLeafValues { tailf:info "cAlignLeafValues is either 'true' or 'false'. If 'true' then the leaf values of all siblings in a container or list will be aligned."; type boolean; default "true"; } leaf jAlignLeafValues { tailf:info "jAlignLeafValues is either 'true' or 'false'. If 'true' then the leaf values of all siblings in a container or list will be aligned."; type boolean; default "true"; } leaf defaultPrefix { tailf:info "defaultPrefix is a string that is placed in front of the default value when a configuration is shown with default values as comments."; type string; default ""; } leaf jWarningPrefix { tailf:info "jWarningPrefix is a string that is placed in front of warnings when they are displayed in the CLI. J-style CLI."; type string; default "Warning: "; } leaf jAbortedPrefix { tailf:info "jAbortedPrefix is a string that is placed in front of aborted messages when they are displayed in the CLI. J-style CLI."; type string; default "Aborted: "; } leaf jErrorPrefix { tailf:info "jErrorPrefix is a string that is placed in front of error messages when they are displayed in the CLI. J-style CLI."; type string; default "Error: "; } leaf cWarningPrefix { tailf:info "cWarningPrefix is a string that is placed in front of warnings when they are displayed in the CLI. I- and C-style CLI."; type string; default "Warning: "; } leaf cAbortedPrefix { tailf:info "cAbortedPrefix is a string that is placed in front of aborted messages when they are displayed in the CLI. I- and C-style CLI."; type string; default "Aborted: "; } leaf cErrorPrefix { tailf:info "cErrorPrefix is a string that is placed in front of error messages when they are displayed in the CLI. I- and C-style CLI."; type string; default "Error: "; } leaf invalidDataString { tailf:info "invalidDataString is a string that is displayed instead of the real value whenever a data provider returns an invalid data element."; type string; default "--ERROR--"; } leaf noEmbeddedComments { tailf:info "Do not allow embedded comments in the CLI, only comments that are preceeded by whitespace are allowed. All other uses of the comment character is considered valid input."; type boolean; default "false"; } leaf showKeyName { tailf:info "showKeyName controls if the name of the key should be shown in the type string during completion."; type boolean; default "true"; } leaf commitRetryTimeout { tailf:info "Commit timeout in the CLI. This timeout controls for how long the commit operation will attempt to complete the operation when some other entity is locking the database, e.g. some other commit is in progress or some managed object is locking the database. There is a similiar configuration parameter, /confdConfig/commitRetryTimeout, which sets a timeout for all ConfD transactions, not just for CLI transactions."; type timeoutType; default "PT0S"; } leaf timezone { tailf:info "Used to specify which timezone should be used when displaying the time in the CLI. If 'local' is specified then the timezone that is configured on the device will be used."; type cliTimezoneType; default "local"; } leaf utcOffset { tailf:info "If the timezone is set to UTC this can be set to specify the UTC offset measured in minutes."; type int64; default "0"; } leaf oldDetailsArg { tailf:info "oldDetailsArg is either 'true' or 'false'. If 'false' then commands that display the configuration will not have a 'details' argument but instead have a pipe flag called 'details'. The setting is present for backwards compatibility, the recommended setting for future use is 'false'."; type boolean; default "false"; } leaf withDefaults { tailf:info "DEPRECATED - use defaultHandlingMode instead"; type boolean; default "false"; description "DEPRECATED - use /confdConfig/defaultHandlingMode instead to control this behavior consistently for all northbound interfaces. Set /confdConfig/defaultHandlingMode to report-all to display default values. withDefaults is either 'true' or 'false'. If 'false' then leaf nodes that have their default values will not be shown when the user displays the configuration, unless the user gives the 'details' option to the 'show' command. This is useful when there are many settings which are seldom used. When set to 'false' only the values actually modified by the user will be shown."; } leaf ignoreShowWithDefaultOnDiff { tailf:info "When set to 'true' ConfD will ignore the annotation tailf:cli-show-with-default when displaying the configuration changes in the C-style CLI."; type boolean; default "false"; } leaf trimDefaultShow { tailf:info "trimDefaultShow is either 'true' or 'false'. If 'true' then leaf nodes that have the same value as the default value will not be displayed even when explicitly configured to have that value. When set to 'false' such leaves will be displayed if explicitly configured to have the value. This setting applies to show commands, ie show running-config and show config. If this behavior is wanted, it is recommended to set /confdConfig/defaultHandlingMode to trim instead of using this parameter, in order to get a consistent behavior for all northbound interfaces. If the default handling mode is trim, explicitly configured values that are the same as the default value are never stored in the data store. This means that if the default handling mode is trim, this parameter has no effect. This configuration parameter takes effect for both existing and new sessions."; type boolean; default "false"; } leaf trimDefaultSave { tailf:info "trimDefaultSave is either 'true' or 'false'. If 'true' then leaf nodes that have the same value as the default value will not be displayed even when explicitly configured to have that value. When set to 'false' such leaves will be displayed if explicitly configured to have the value. This setting applies to the save command. If this behavior is wanted, it is recommended to set /confdConfig/defaultHandlingMode to trim instead of using this parameter, in order to get a consistent behavior for all northbound interfaces. If the default handling mode is trim, explicitly configured values that are the same as the default value are never stored in the data store. This means that if the default handling mode is trim, this parameter has no effect. This configuration parameter takes effect for both existing and new sessions."; type boolean; default "false"; } leaf banner { tailf:info "Banner shown to the user when the CLI is started. Default is empty. This configuration parameter takes effect only for new sessions."; type string; default ""; } leaf bannerFile { tailf:info "Name of a file whose contents are shown to the user when the CLI is started. If empty, the message, if any, set via /confdConfig/cli/banner is shown. Default is empty. This configuration parameter takes effect only for new sessions."; type string; default ""; } leaf prompt1 { tailf:info "Prompt used in operational mode. The string may contain a number of backslash-escaped special characters which are decoded as follows: \[ and \] Enclosing sections of the prompt in \[ and \] makes that part not count when calculating the width of the prompt. This makes sense, for example, when including non-printable characters, or control codes that are consumed by the terminal. The common control codes for setting text properties for vt100/xterm are ignored automatically, so are control characters. Updating the xterm title can be done using a control sequence that may look like this: <prompt1>\[]0;\u@\h\]\u@\h> </prompt1> \d the date in 'YYYY-MM-DD' format (e.g., '2006-01-18') \h the hostname up to the first '.' (or delimiter as defined by promptHostnameDelimiter) \H the hostname \s the client source ip \S the name provided by the -H argument to confd_cli \t the current time in 24-hour HH:MM:SS format \T the current time in 12-hour HH:MM:SS format \@ the current time in 12-hour am/pm format \A the current time in 24-hour HH:MM format \u the username of the current user \m the mode name (only used in XR style) \m{N} same as \m, but the number of trailing components in the displayed path is limited to be max N (an integer). Characters removed are replaced with an ellipsis (...). \M the mode name inside parenthesis if in a mode \M{N} same as \M, but the number of trailing components in the displayed path is limited to be max N (an integer). Characters removed are replaced with an ellipsis (...)."; type string; default "\\u@\\h\\M> "; } leaf prompt2 { tailf:info "Prompt used in configuration mode. The string may contain a number of backslash-escaped special characters which are decoded as described for prompt1."; type string; default "\\u@\\h\\M% "; } leaf cPrompt1 { tailf:info "Prompt used in operational mode in C style. The string may contain a number of backslash-escaped special characters which are decoded as described above. This configuration parameter takes effect for both existing and new sessions."; type string; default "\\h\\M# "; } leaf cPrompt2 { tailf:info "Prompt used in configuration mode in C style. The string may contain a number of backslash-escaped special characters which are decoded as described above. This configuration parameter takes effect for both existing and new sessions."; type string; default "\\h(\\m)# "; } leaf cStylePromptInJStyle { tailf:info "If set to 'true' then the \m and \M will be expanded just as in C- and I-style"; type boolean; default "false"; } leaf waitLockedConfigMode { tailf:info "waitLockedConfigMode is either 'true' or 'false'. This setting controls the behaviour when trying to enter configure mode while another entity is locking the database, e.g. some other commit is in progress or some managed object is locking the database. If set to 'true' then the CLI will wait with entering configure mode, rendering the CLI unusable until the database is unlocked. If set to 'false' the CLI will not wait but instead display an error message."; type boolean; default "true"; } leaf promptHostnameDelimiter { tailf:info "When the \h token is used in a prompt the first part of the hostname up until the first occurrence of the promptHostnameDelimiter is used. This configuration parameter takes effect for both existing and new sessions."; type string; default "."; } leaf asyncPromptRefresh { tailf:info "asyncPromptRefresh is either 'true' or 'false'. If set to 'true' the CLI prompt will be refreshed when asynchronous tasks prints messages in the CLI, such as messages from other users."; type boolean; default "true"; } leaf showLogDirectory { tailf:info "Location where the 'show log' command looks for log files."; type string; default "/var/log"; } leaf idleTimeout { tailf:info "Maximum idle time before terminating a CLI session. Default is PT30M, ie 30 minutes. PT0M means no timeout. Will be silently capped to 49 days 17 hours. This configuration parameter takes effect only for new sessions."; type xs:duration; default "PT30M"; } leaf promptSessionsCLI { tailf:info "promptSessionsCLI is either 'true' or 'false'. If set to 'true' then only the current CLI sessions will be displayed when the user tries to start a new CLI session and the maximum number of sessions has been reached. Note that MAAPI sessions with their context set to 'cli' would be regarded as CLI sessions and would be listed as such."; type boolean; default "false"; } leaf disableIdleTimeoutOnCmd { tailf:info "disableIdleTimeoutOnCmd is either 'true' or 'false'. If set to 'false' then the idle timeout will trigger even when a command is running in the CLI. If set to 'true' the idle timeout will only trigger if the user is idling at the CLI prompt."; type boolean; default "true"; } leaf commandTimeout { tailf:info "Global command timeout. Terminate command unless the command has completed within the timeout. It is generally a bad idea to use this feature since it may have undesirable effects in a loaded system where normal commands take longer to complete than usual. This timeout can be overridden by a command specific timeout specified in the confd.cli file."; type timeoutType; default "infinity"; } container spaceCompletion { tailf:info "Default value for space completion in the CLI. The user can always enable or disable completion on space, this only controls the initial session value."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true' command and argument completion will be performed when <space> is entered."; type boolean; default "true"; } } // container spaceCompletion container timestamp { tailf:info "Default value for the timestamps in the CLI. The user can always enable or disable the display of timestamps, this only controls the initial session value."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true' the CLI will print a timestamp before the output of each command. This configuration parameter takes effect only for new sessions."; type boolean; default "false"; } leaf clock24 { tailf:info "clock24 is either 'true' or 'false'. If 'true' the 24-hour time notation will be used when displaying hours. This configuration parameter takes effect for both existing and new sessions."; type boolean; default "true"; } leaf format { tailf:info "Specifies the format of the timestamp. The string may contain a number of backslash-escaped special characters which are decoded as follows: \Y the current year (YYYY) \M the current month (1-12) \D the current day of month (1-31) \m the name of the current month (Jan, Feb, ...) \d the name of the current day of week (Mon, Tue, ...) \H the current hour (0-23 or 1-12) \t the current minute (0-59) \a am/pm (available only in 12-hour notation) \A AM/PM (available only in 12-hour notation) \s the current second (0-59) \c the current microsecond (0+) \u UTC offset sign (-/+) \o UTC offset hour (0-23 or 1-12) \k UTC offset minute (0-59) NOTE: the UTC offset characters \u, \o and \k can still be used even if the timezone (/confdConfig/cli/timezone) is set to 'local'. The characters \a (am/pm) and \A (AM/PM) should only be used when clock24 (/confdConfig/cli/timestamp/clock24) is set to 'false'. After each special character another character sequence can be specified in order to control the field width, alignment and padding character. The sequence can be either {A, W, P} or {A,W} where A is the alignment and can be either 'l' or 'r', W is the field width and P is the padding character. If P is not specified, ' ' will be used as the padding character. Example, the format '\d{l,4}\m{l,5}\D{l,3}\H{r,2,0}:\t{r,2,0}' would translate into 'Wed Jun 3 08:35'. This configuration parameter takes effect for both existing and new sessions."; type string; default "\\d{l,4}\\m{l,5}\\D{l,3}\\H{r,2,0}:\\t{r,2,0}:\\s{r,2,0}.\\c{l,3,0} UTC\\u{l,1}\\o{r,2,0}:\\k{r,2,0}"; } } // container timestamp container autoWizard { tailf:info "Default value for autowizard in the CLI. The user can always enable or disable the auto wizard in each session, this controls the initial session value. This configuration parameter takes effect only for new sessions."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true' the CLI will prompt the user for required attributes when a new identifier is created. This configuration parameter takes effect only for new sessions."; type boolean; default "true"; } } // container autoWizard container ssh { presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true' ConfD will will use the built in SSH server."; type boolean; default "true"; } leaf ip { tailf:info "ip is an IP address which the ConfD CLI should listen to for SSH sessions. 0.0.0.0 means that it listens to the port (/confdConfig/cli/ssh/port) for all IPv4 addresses on the machine."; type inet:ip-address; default "0.0.0.0"; } leaf port { tailf:info "The port number for CLI SSH"; type inet:port-number; default "2024"; } leaf-list extraIpPorts { tailf:info "extraIpPorts is a leaf-list of ip:port pairs which the CLI also listens to for SSH connections. For IPv6 addresses, the syntax [ip]:port may be used. If the ':port' is omitted, /confdConfig/cli/ssh/port is used. Example: <extraIpPorts>10.45.22.11:4777</extraIpPorts> <extraIpPorts>127.0.0.1</extraIpPorts> <extraIpPorts>:::88</extraIpPorts> <extraIpPorts>[::]</extraIpPorts>"; type xs:token; } leaf dscp { tailf:info "Support for setting the Differentiated Services Code Point (6 bits) for traffic originating from the CLI for SSH connections."; type dscpType; } leaf banner { tailf:info "banner is a string that will be presented to the client before authenticating when logging in to the CLI via the built-in SSH server."; type string; default ""; } leaf bannerFile { tailf:info "Name of file whose contents will be presented to the client before authenticating when logging in to the CLI via the built-in SSH server. If ../banner is non-empty, the contents of the file will be appended to the value of ../banner."; type string; default ""; } } // container ssh leaf commitMessage { tailf:info "commitMessage is either 'true' or 'false'. If set to 'true' then a message will be displayed in the CLI whenever a commit operation is performed in the system. This is always disabled in I-style, and in transactionless mode. This configuration parameter takes effect only for new sessions."; type boolean; default "true"; } leaf commitMessageFormat { tailf:info "commitMessageFormat controls how commit messages are displayed in the CLI. The format string may contain the variables $(user), $(time), $(ctx), $(date), $(time12), $(time12ampm), $(time12hm), $(host), $(hostname), and $(proto). This configuration parameter takes effect for both existing and new sessions."; type string; default "\\nSystem message at $(time)...\\nCommit performed by $(user) via $(proto) using $(ctx).\\n"; } container suppressCommitMessages { presence ""; leaf-list context { tailf:info "Suppress commit messages from certain contexts. The values of 'context' should be the name of a context. For example 'system'"; type string; } } // container suppressCommitMessages leaf jShowCR { tailf:info "jShowCR is either 'true' or 'false'. If set to 'true' then the J-style CLI will show >cr< in the completion list whenever it is legal to press cr."; type boolean; default "false"; } leaf showPipe { tailf:info "showPipe is either 'true' or 'false'. If set to 'true' the completion list will contain | in operational mode if it is legal to enter |. In J-style the jShowCR must also be set to enable this. If disablePipe is set to 'true', it will override the setting of showPipe and imply the same behavior as if showPipe is 'false'."; type boolean; default "true"; } leaf showPipeConfig { tailf:info "showPipeConfig is either 'true' or 'false'. If set to 'true' the completion list will contain | in configure mode if it is legal to enter |. In J-style the jShowCR must also be set to enable this. If disablePipeConfig is set to 'true', it will override the setting of showPipeConfig and imply the same behavior as if showPipeConfig is 'false'."; type boolean; default "false"; } leaf disablePipe { tailf:info "disablePipe is either 'true' or 'false'. If set to 'true' then the pipe commands are disabled in operational mode."; type boolean; default "false"; } leaf disablePipeConfig { tailf:info "disablePipeConfig is either 'true' or 'false'. If set to 'true' then the pipe commands are disabled in configure mode."; type boolean; default "false"; } leaf pipeHelpMode { tailf:info "If showPipe is set to 'true', then pipeHelpMode determines how the pipe option will be displayed to the user. If set to 'auto', then the description text 'Output modifiers' will only be displayed if there are any other options with help texts, otherwise it will not be shown. If set to 'always' then the help text will always be displayed, if set to 'never' then it will never be displayed."; type pipeHelpModeType; default "auto"; } leaf jAllowDeleteAll { tailf:info "jAllowDeleteAll is either 'true' or 'false'. If set to 'true' then the J-style CLI will show the command 'delete' without arguments, if set to 'false' then an argument is required."; type boolean; default "true"; } leaf cSilentNo { tailf:info "Silently ignore deletes of non-existing instances."; type boolean; default "true"; } leaf noFollowIncompleteCommand { tailf:info "noFollowIncompleteCommand is either 'true' or 'false'. If set to 'true' then the 'no' command will take incomplete-command declarations into account. If set to 'false' it will not."; type boolean; default "false"; } leaf cRestrictiveNo { tailf:info "If a leaf value is given when an optional leaf is deleted, the given value is normally ignored and the node is deleted regardless of the value. When cRestrictiveNo is set to 'true', the given value is required to be equal to the old value in order to the delete operation to be allowed. For example the Cisco style command 'no interface eth0 mtu 1500' will only succeed if the mtu has the value 1500."; type boolean; default "false"; } leaf prioritizeSubmodeCmds { tailf:info "prioritizeSubmodeCmds is either 'true' or 'false'. If set to 'true' then local submode commands are prioritized before commands in parent (and grand-parent) modes in C and I-style. This means that if a command in local submode is ambiguous with a command in parent (or grand-parent) mode the local submode command is executed. See also cExtendedCmdSearch."; type boolean; default "true"; } leaf cExtendedCmdSearch { tailf:info "Extend the available submode commands to all commands in parent (and grand-parent) modes. These commands are not visible during completion but will be executed if entered. If set to 'false' then only commands for entering other submodes are available in parent and grand-parent modes, if set to 'true' all commands in parent and grand-parent modes are available."; type boolean; default "true"; } leaf cSuppressCmdSearch { tailf:info "Prevent non-local commands from being executed. This negates the effect of cExtendedCmdSearch above. It is recommended to also set cModeExitFormat to 'exit' when this option is set to 'true'."; type boolean; default "false"; } leaf enterSubmodeOnLeaf { tailf:info "enterSubmodeOnLeaf is either 'true' or 'false'. If set to 'true' (the default) then setting a leaf in a submode from a parent mode results in entering the submode after the command has completed. If set to 'false' then an explicit command for entering the submode is needed. For example, if running the command interface FastEthernet 1/1/1 mtu 1400 from the top level in config mode. If enterSubmodeOnLeaf is 'true' the CLI will end up in the 'interface FastEthernet 1/1/1' submode after the command execution. If set to 'false' then the CLI will remain at the top level. To enter the submode when set to 'false' the command interface FastEthernet 1/1/1 is needed. Applied to the C- and I- style CLI."; type boolean; default "true"; } leaf jExtendedShow { tailf:info "jExtendedShow is either 'true' or 'false'. If set to 'true' then the J-style CLI will have auto-rendered show commands in the same style as the C and I-style CLIs. The 'show status' command can still be used for viewing config='false' data."; type boolean; default "true"; } leaf jShowUnset { tailf:info "jShowUnset is either 'true' or 'false'. If set to 'true' then the J-style CLI will show unset leaves with the value of jShowUnsetText when doing 'show configuration'."; type boolean; default "false"; } leaf jShowUnsetText { tailf:info "jShowUnsetText is the text printed for unset values if jShowUnset has been set to 'true'."; type string; default "UNSET"; } leaf jStatusFormat { tailf:info "jStatusFormat controls which status message is displayed after executing a CLI command in the J-style CLI. The format string may contain the variables $(status), $(time), $(date), $(time12), $(time12ampm), $(time12hm), $(host), $(hostname), and $(proto)."; type string; default "[$(status)][$(time)]\\n"; } leaf cModeExitFormat { tailf:info "cModeExitFormat is the string used in the CLI when displaying the running configuration to indicate exit from a submode."; type string; default "!"; } leaf forcedExitFormat { tailf:info "forceExitFormat controls which message to display when a user is forced out of configure mode by another user. The format string may contain the variables $(user), $(time), $(date), $(time12), $(time12ampm), $(time12hm), $(host) and $(hostname)."; type string; default "\\nYou are forced out of configure mode by $(sender).\\n"; } leaf showSubsystemMessages { tailf:info "showSubsystemMessages is either 'true' or 'false'. If 'true' the CLI will display a system message whenever a connected daemon is started or stopped."; type boolean; default "true"; } leaf ignoreSubsystemFailures { tailf:info "ignoreSubsystemFailures is either 'true' or 'false'. If 'true' the CLI will make a best effort to display data even if a data provider is unavailable."; type boolean; default "false"; } leaf showEmptyContainers { tailf:info "showEmptyContainers is either 'true' or 'false'. If 'true' the CLI will display empty container nodes when displaying the configuration. If 'false' then empty static containers will not be shown."; type boolean; default "false"; } leaf showTags { tailf:info "showTags is either 'true' or 'false'. If 'true' the CLI will display configuration tags if they are present. If set to 'false' then the tags will not be displayed by default."; type boolean; default "true"; } leaf showAnnotations { tailf:info "showAnnotations is either 'true' or 'false'. If 'true' the CLI will display configuration annotations if they are present. If set to 'false' then the annotations will not be displayed by default."; type boolean; default "true"; } leaf showServiceMetaData { type boolean; default "false"; } leaf suppressNedErrors { type boolean; default "false"; } leaf jShowTableRecursive { tailf:info "jShowTableRecursive is either 'true' or 'false'. If 'true' the J-style CLI will attempt to display the result of the command 'show table' as a table even when a list is not directly specified. If set to 'false' then a table will only be produced if a list node is specified as argument to 'show table'."; type boolean; default "false"; } leaf cPrivate { tailf:info "cPrivate is either 'true' or 'false'. If set to 'true' then the term 'private' will be used in place of 'terminal' for denoting the private/terminal configuration mode. When set to 'false' the term 'terminal' will be used instead."; type boolean; default "false"; } leaf cTab { tailf:info "cTab is either 'true' or 'false'. If 'true' the Cisco style CLI will not display any help text when the user enters TAB. If 'false' then help text will be shown when entering TAB, similarly to the Juniper-style CLI."; type boolean; default "false"; } leaf cTabInfo { tailf:info "cTabInfo is either 'true' or 'false'. If 'false' the Cisco style CLI will not display any info text when the user enters TAB. If 'true' then info text will be shown when entering TAB, similarly to the Juniper-style CLI."; type boolean; default "false"; } leaf tabExtend { tailf:info "tabExtend is either 'true' or 'false'. If 'true' the CLI will extend the current token to the next longer alternative."; type boolean; default "true"; } leaf cHelp { tailf:info "cHelp is either 'true' or 'false'. If 'true' the Cisco style CLI will not display any desc text when the user enters '?'. If 'false' then desc text will be shown when entering '?', similarly to the Juniper-style CLI."; type boolean; default "true"; } leaf jHideHelp { tailf:info "jHideHelp is either 'true' or 'false'. If 'true' the Juniper style CLI will not display any desc text when the user enters '?'. If 'false' then desc text will be shown when entering '?'."; type boolean; default "false"; } leaf restrictedFileAccess { tailf:info "restrictedFileAccess is either 'true' or 'false'. If this is set to 'true', then the user only has access to the home directory (or the directory where confd_cli is started), or if a directory is specified in a cli command parameter (params/param/type/directory{wd} or params/param/type/file{wd}) to that directory."; type boolean; default "false"; } leaf hideDotFiles { tailf:info "hideDotFile is either 'true' or 'false'. If 'true' then files starting with a '.' will not be visible in the CLI."; type boolean; default "false"; } leaf restrictedFileRegexp { tailf:info "restrictedFileRegexp is either an empty string or an regular expression (AWK style). If not empty then all files and directories created or accessed must match the regular expression. This can be used to ensure that certain symbols do not occur in created file names."; type string; default ""; } leaf historySave { tailf:info "If set to 'true' then the CLI history will be saved between CLI sessions. The history is stored in the state directory."; type boolean; default "true"; } leaf historyRemoveDuplicates { tailf:info "If set to 'true' then repeated commands in the CLI will only be stored once in the history. Each invocation of the command will only update the date of the last entry. If set to 'false' duplicates will be stored in the history."; type boolean; default "false"; } leaf historyMaxSize { tailf:info "Sets maximum configurable history size."; type int64; default "1000"; } leaf messageMaxSize { tailf:info "Maximum size of user message."; type int64; default "10000"; } leaf mapActions { tailf:info "mapActions is either 'both', 'config', or 'oper'. If 'both', then actions are available both in operational mode and in configure mode. If 'oper' then they are only available in operational mode, and if 'config' then they are only available in configure mode."; type cliActionMapType; default "both"; } leaf compactTable { tailf:info "compactTable is either 'true' or 'false'. If 'true' then tables with multiple dynamic levels will be displayed more compactly. The first instance of the sub-element will appear on the same row as the parent instance. When set to 'false' all new instances will appear on a new row. This configuration parameter takes effect only for new sessions."; type boolean; default "true"; } leaf compactShow { tailf:info "Use compact representation when showing the configuration in C and I style CLIs. This configuration parameter takes effect for both existing and new sessions."; type boolean; default "false"; } leaf compactStatsShow { tailf:info "Use compact representation when showing the operational data in C and I style CLIs. This configuration parameter takes effect for both existing and new sessions."; type boolean; default "false"; } leaf prettifyStatsName { tailf:info "Default setting for prettifying, ie changing _ and - to space in element names when displaying config='false' data in key-value listings."; type boolean; default "false"; } leaf showCommitProgress { tailf:info "showCommitProgress can be either 'true' or 'false'. If set to 'true' then the commit operation in the CLI will provide some progress information when the output is piped to the 'details' target."; type boolean; default "false"; } leaf commitActivityClock { tailf:info "commitActivityClock can be either 'true' or 'false'. If set to 'true' then a |/-\| style animation will be displayed if the commit operation takes more than 200 ms to complete. This configuration parameter takes effect for both existing and new sessions."; type boolean; default "false"; } leaf confirmUncommitedOnExit { tailf:info "If set to 'prompt' then the user will be prompted whether to discard uncommitted changes or not. If set to 'discard' then uncommitted changes will be discarded without prompting the user. If set to 'commit' then uncommitted changes will be automatically committed without asking the user."; type confirmUncommitedOnExitType; default "prompt"; } leaf reconfirmHidden { tailf:info "If set to 'true' the user will have to re-confirm non-echoing values in the CLI. Ie, when the CLI prompts the user for a value that is not echoed the user will be asked to enter it twice."; type boolean; default "false"; } leaf dequoteHidden { tailf:info "If set to 'true' the value that the user entered will be dequoted, ie if the user enters \n it will be interpreted as a newline. This is the default behavior for all other leaf types. If set to 'false' then no unquoting will be performed for hidden (non-echoing) data types when the CLI explicitly prompts for their values. Dequoting will still be performed for values entered directly on the command line."; type boolean; default "false"; } leaf enumKeyInfo { tailf:info "If set to 'true' the CLI will add the text <keyname:enumeration> whenever it is displaying a completion list for entering a key value that is an enumeration. For example: io(config)# vqe dsp channel 1 Possible completions: <b-id:enumeration> 10 11 12 13 14 5 6 9"; type boolean; default "false"; } leaf columnStats { tailf:info "columnStats is either 'true' or 'false'. If 'false' then the container element is repeated on each line when displaying config='false' data in the C and I style CLIs using the 'show' command. If set to 'true' then the name of the container will not be repeated, instead all leaves will be indented. This configuration parameter takes effect for both existing and new sessions."; type boolean; default "false"; } leaf allowAbbrevCmds { tailf:info "allowAbbrevCmds is either 'true' or 'false'. If 'false' then commands are not allowed to be abbreviated in the CLI."; type boolean; default "true"; } leaf allowAbbrevCmdsOnLoad { tailf:info "allowAbbrevCmdsOnLoad is either 'true' or 'false'. If 'false' then commands are not allowed to be abbreviated in the CLI in non interactive mode, ie when loading configurations from file."; type boolean; default "true"; } leaf allowAbbrevKeys { tailf:info "allowAbbrevKeys is either 'true' or 'false'. If 'false' then key elements are not allowed to be abbreviated in the CLI. This is relevant in the J-style CLI when using the commands 'delete' and 'edit'. In the C/I-style CLIs when using the commands 'no', 'show configuration' and for commands to enter submodes."; type boolean; default "false"; } leaf allowAbbrevParamNames { tailf:info "allowAbbrevParamNames is either 'true' or 'false'. If 'false' then cli command parameter names, ie <name>xx</name>, cannot be abbreviated."; type boolean; default "false"; } leaf allowAbbrevEnums { tailf:info "allowAbbrevEnums is either 'true' or 'false'. If 'false' then enums entered in the cli cannot be abbreviated."; type boolean; default "true"; } leaf allowCaseInsensitiveEnums { tailf:info "allowCaseInsensitiveEnums is either 'true' or 'false'. If 'false' then enums entered in the cli must match in case, ie you cannot enter FALSE if the cli asks for 'true' or 'false'."; type boolean; default "true"; } leaf strictRefsOnLoad { tailf:info "strictRefsOnLoad is either 'true' or 'false'. If 'false' then keyref/leafref targets does not have to exist when loading a config from a file. If set to 'true' then the target creation must appear earlier in the loaded file than the reference to the target. Note that there is a rather heavy performance penalty for loading files with many keyrefs when this is set to 'true', or for piping CLI commands into confd_cli."; type boolean; default "false"; } leaf stopLoadOnError { tailf:info "stopLoadOnError is either 'true' or 'false'. If 'false' then the 'load' command in the C and I-style CLIs will not terminate on the first error but continue to process commands form the file."; type boolean; default "true"; } leaf suppressBurstErrors { tailf:info "suppressBurstErrors is either 'true' or 'false'. If 'true' then only the first error in a series of consecutive load errors will be reported. If set to 'false' then all errors will be reported."; type boolean; default "true"; } leaf allOrNothingLoad { tailf:info "allOrNothingLoad is either 'true' or 'false'. If set to 'true' then the transaction will be reset and all changes discarded if an error is encountered when loading a file. This behavior will not happen when the 'best effort' pipe target is used, nor when stopLoadOnError is set to 'false', nor when autocommitLoad is set to 'true'."; type boolean; default "false"; } leaf autocommitLoad { tailf:info "autocommitLoad is either 'true' or 'false'. If 'true' then when executing the 'load' command each line will be committed as soon as it has been read. Note that this is normally not a good idea. Only applies when transactions are disabled."; type boolean; default "false"; } leaf autocommitLoadChunkSize { tailf:info "autocommitLoadChunkSize is used to avoid auto commit:ing after each line but instead commit after a chunk of lines have been read."; type uint64 { range "1 .. max"; } default "1"; } leaf enableLoadMerge { tailf:info "enableLoadMerge is either 'true' or 'false'. If 'false' then the 'load' command in the C and I-style CLIs will not have an option for how to load a config file. If set to 'true' then the 'load' command will have an additional option for loading the file either in 'override' mode or in 'merge' mode. 'override' is the mode used if enableLoadMerge is set to 'false'."; type boolean; default "true"; } leaf loadActivityClock { tailf:info "loadActivityClock can be either 'true' or 'false'. If set to 'true' then a |/-\| style animation will be displayed if the load operation takes more than 200 ms to complete."; type boolean; default "false"; } leaf instanceDescription { tailf:info "instanceDescription is either 'true' or 'false'. If 'true' then the CLI will look for description elems and add their values as info texts when displaying possible completions in the CLI. This makes it easier to identify the different instances."; type boolean; default "true"; } leaf addErrorPrefixSuffix { tailf:info "addErrorPrefixSuffix is either 'true' or 'false'. If 'true' then the CLI will add 'Error: ' or 'Aborted: ' and when operations fail in the CLI. If set to 'false' then the prefix will not be added for errors generated by some callback."; type boolean; default "true"; } leaf compListCompact { tailf:info "compListCompact is either 'true' or 'false'. If 'true' then the CLI will display items with an associated info text one per line, and all the rest in compact format. This configuration parameter takes effect for both existing and new sessions."; type boolean; default "false"; } leaf completionListLine { tailf:info "completionListLine is either 'true' or 'false'. If 'true' then the CLI will display completion lists one item per line. If set to 'false' one-line presentation will be used for items with info texts and compact for the rest (if compListCompact above is set to 'true' there may be a mix of the two formats in the same listing). This configuration parameter takes effect for both existing and new sessions."; type boolean; default "false"; } leaf infoOnMatch { tailf:info "infoOnMatch is either 'true' or 'false'. If 'true' then the CLI will add info texts when displaying possible match completions. If set to 'false' then the info text will not be shown."; type boolean; default "true"; } leaf externalActionErrorMsg { tailf:info "The externalActionErrorMsg value is displayed whenever an external error occurs when executing an action in the CLI."; type string; } leaf enableDisplayLevel { tailf:info "enableDisplayLevel is either 'true', 'false' or 'pipe'. If 'false' then the 'displaylevel' option to the show command will not be available in the CLIs. If set to 'pipe' then a special pipe target called 'display-level' will be available. The displaylevel option can be used to limit how many levels will be displayed by the show command. If a display level of 1 is specified then only the direct children of an element will be shown. If a display level of 3 is specified then only elements at depth 3 below a given element will be displayed, etc. A user can also modify the default display level for a given CLI- session using the display-level setting in the CLI, similarly to the screen-width, or idle-timeout settings."; type enableDisplayLevelType; default "pipe"; } leaf defaultDisplayLevel { tailf:info "If enableDisplayLevel is set to 'true' then this settings controls the default display level used if no explicit display level is specified. It is also used as the initial value of the (set) 'display-level' command in the CLI."; type int64; default "99999999"; } leaf enableDisplayGroups { tailf:info "enableDisplayGroups is either 'true' or 'false'. If 'false' then the user will not be able to provide a set of display groups when issuing the show command."; type boolean; default "true"; } leaf unifiedHistory { tailf:info "If set to 'true' then the 'show history' command will display the unified command history, ie the command history from all modes. If set to 'false' then only the command history from the current mode will be shown. Also, if set to 'true' then the 'clear history' command will adopt the same behaviour as described above."; type boolean; default "false"; } leaf modeInfoInAAA { tailf:info "modeInfoInAAA is either 'true', 'false' or 'path', If 'true', then all commands will be prefixed with major and minor mode name when processed by the AAA-rules. This means that it is possible to differentiate between commands with the same name in different modes. Major mode is 'operational' or 'configure' and minor mode is 'top' in J-style and the name of the submode in C- and I-mode. On the top-level in C- and I-mode it is also 'top'. If set to 'path' and if the command operation is 'read' the major mode will be followed by the path to the submode which will be followed by the command. If set to 'path' and if the command operation is 'execute' the major mode will instead be followed by the command and the path to the submode will be prepended to any path arguments of the command."; type modeInfoInAAAType; default "false"; } leaf cmdAAAForAutowizard { tailf:info "cmdAAAForAutowizard is either 'true' or 'false'. If set to 'true' then the CLI will generate synthetic commands, and perform AAA command rule checks for, for all paths and values requested by the autowizard functionality."; type boolean; default "false"; } leaf cStrictAAA { tailf:info "cStrictAAA is either 'true' or 'false'. If set to 'true' then the CLI will match all auto-rendered C-style commands (eg. C-style config commands and C-style actions) against AAA data-rules and all other C-Style commands will be matched against AAA command-rules. If set to 'false', the CLI will match all commands against both AAA data-rules and AAA command-rules."; type boolean; default "false"; } leaf quoteStyle { tailf:info "quoteStyle is either 'quote' or 'backslash'. If set to 'quote' then the quote characters will be used on the CLI command line for quoting strings with troublesome characters. If set to 'backslash' then a backslash will be used. For example Using quote: io(config)# description 'description with spaces' Using backslash: io(config)# description description\ with\ spaces"; type quoteStyleType; default "backslash"; } leaf laxBarQuoting { tailf:info "laxBarQuoting is either 'true' or 'false'. If set to 'true' then | and ; are only quoted if they appear by them selves. A consequence of this is that the user must have whitespace on both sides of | and ; on the command line when these characters are used as pipe (|) or concatenator (;)."; type boolean; default "false"; } leaf expandAliasOnCompletion { tailf:info "expandAliasOnCompletion is either 'true' or 'false'. If set to 'true' then aliases will be expanded before invoking the completion code."; type boolean; default "true"; } leaf expandAliasEscape { tailf:info "expandAliasEscape is either 'false' or a character. If set to a character then expanding an alias can be prevented by putting the character in front of the alias."; type aliasQuoteType; default "false"; } leaf docWrap { tailf:info "docWrap is either 'true' or 'false'. If 'false' then certain documentation texts will not be enclosed in '<' and '>', if set to 'true' they will be."; type boolean; default "true"; } leaf infoOnTab { tailf:info "infoOnTab is either 'true' or 'false'. If 'false' then no info strings will be displayed in the tab completion list when the user enters TAB."; type boolean; default "true"; } leaf infoOnSpace { tailf:info "infoOnSpace is either 'true' or 'false'. If 'false' then no info strings will be displayed in the tab completion list when the user enters SPACE."; type boolean; default "true"; } leaf newLogout { tailf:info "newLogout is either 'true' or 'false'. If 'false' then the I and C modes will have a single 'logout' command for logging out a user and a specific session. If set to 'true' then there will be two different commands - 'logout user <name>' and 'logout session <id>'"; type boolean; default "true"; } leaf newInsert { tailf:info "newInsert is either 'true' or 'false'. If 'false' then the old insert command will be used. If set to 'true' then the new insert command, capable of inserting ordered-by-user list elements, will be used."; type boolean; default "true"; } leaf messageFormat { tailf:info "messageFormat controls how messages between users and from the system should be presented to the user. The format string may contain the variables $(sender), $(time), $(message), $(date), $(time12), $(time12ampm), $(time12hm), $(host), $(hostname), and $(user)."; type string; default "\\nMessage from $(sender) at $(time)...\\n$(message)\\nEOF\\n"; } leaf messageWordWrap { tailf:info "messageWordWrap is either 'true' or 'false'. If set to 'true' then all system/user/prio messages in the CLI will be word-wrapped to the current terminal width."; type boolean; default "false"; } leaf messageQueueSize { tailf:info "Some messages are not displayed in the CLI when a command executed, but are delayed until the current command execution has finished. The size of the queue of pending messages is configured in messageQueueSize. This configuration parameter takes effect for both existing and new sessions."; type int64; default "10"; } leaf promptEnumLimit { tailf:info "promptEnumLimit controls how many enumerations should be included in the prompt when prompting the user for a value where there are a number of alternatives. If the number of alternatives exceeds the above configured limit then the list will be truncated and the string '...' will be added."; type uint64 { range "0 .. max"; } default "4"; } leaf caseInsensitive { tailf:info "caseInsensitive is either 'true' or 'false'. If 'false' then all CLI commands must have the correct case. If set to 'true' then case is mostly ignored. Note that if set to 'true' then all data model files and clispec-files must be written with this in mind. You cannot have two elems that conflict in case."; type boolean; default "false"; } leaf caseInsensitiveKeys { tailf:info "caseInsensitiveKeys is either 'true' or 'false'. If 'false' then all user defined instance names must have correct case. If set to 'true' then case is mostly ignored. Note that if set to 'true' then all data model files and clispec-files must be written with this in mind. You cannot have two elems that conflict in case."; type boolean; default "false"; } leaf ignoreLeadingWhitespace { tailf:info "ignoreLeadingWhitespace is either 'true' or 'false'. If 'false' then the CLI will show completion help when the user enters TAB or SPACE as the first characters on a row. If set to 'true' then leading SPACE and TAB are ignored. The user can enter '?' to get a list of possible alternatives. Setting the value to 'true' makes it easier to paste scripts into the CLI."; type boolean; default "false"; } leaf indentTemplates { tailf:info "indentTemplates is either 'true' or 'false'. If set to 'true' then the text resulting from a show template will be indented to the same level as the surrounding auto-rendered show text. If set to 'false' then no automatic indentation will occur. The automatic variable '.indent' may be used in the templates to do manual indentation."; type boolean; default "false"; } leaf wrapInfo { tailf:info "wrapInfo is either 'true' or 'false'. If 'false' then the CLI will not automatically wrap the info field in 'Possible completion:' listings. If set to 'true' then the info text will be word-wrapped and indented."; type boolean; default "true"; } leaf wrapPrompt { tailf:info "wrapPrompt is either 'true' or 'false'. If 'false' then the CLI will not automatically word wrap the prompt when prompting the user for some input. If set to 'true' then the prompt will be word-wrapped according to the current terminal width."; type boolean; default "false"; } leaf sortShowElems { tailf:info "sortShowElems is either 'true' or 'false'. If 'false' then the show commands will display the elements in the order they appear in the data model. If set to 'true' then all non-lists will appear before the lists. This setting only applies to the C- and I-style CLIs."; type boolean; default "true"; } leaf showMatchBeforePossible { tailf:info "showMatchBeforePossible is either 'true' or 'false'. If set to 'true' then the match completions will be displayed before the other possible completions, if set to 'false' then the match completions will be displayed after."; type boolean; default "false"; } leaf possibleCompletionsFormat { tailf:info "possibleCompletionsFormat is the string displayed before the displaying the actual completion possibilities."; type string; default "Possible completions:"; } leaf matchCompletionsFormat { tailf:info "matchCompletionsFormat is the string displayed before the displaying the actual match completion possibilities."; type string; default "Possible match completions:"; } leaf noMatchCompletionsFormat { tailf:info "noMatchCompletionsFormat is the string displayed when there are no matching completion possibilities. The string is empty by default."; type string; default ""; } leaf matchCompletionsSearchLimit { tailf:info "matchCompletionsSearchLimit is either unbounded or an integer value. It determines how many list instances should be looked at in order to determine if a leaf should be included in the match completions list. It can be very expensive to explore all instances if the configuration contains many list instances."; type limitType; default "50"; } leaf showDescription { tailf:info "showDescription is either 'true' or 'false'. If set to 'false' then the Description: xx text will not be displayed."; type boolean; default "true"; } leaf explicitSetCreate { tailf:info "explicitSetCreate is either 'true' or 'false'. If set to 'true' then the 'set' command in J-style CLI cannot be used to create instances. Instead a new command called 'create' becomes available for creating instances. Note that this deviates from a typical Juniper style CLI where instance creation is performed by the 'set' command."; type boolean; default "false"; } list templateFilter { tailf:info "User defined template filters must be listed here. They can be used in show templates in the same manner as the builtin ones. A template filter takes a string as input in 'argv[1]' and returns a modified version of it by invoking 'confd_action_reply_command'. It can also take extra arguments. For example '|a_filter:foo:42' implies 'argv[2]='foo'' and 'argv[3]='42'."; key "name"; leaf name { tailf:info "Name of template filter."; type string; } leaf callback { tailf:info "Name of callback. The callback receives a string as first argument, optionally followed by the list of arguments given to the filter in the show template."; type string; } } // list templateFilter leaf escapeBackslash { tailf:info "escapeBackslash is either 'true' or 'false'. If 'true' then backslash is escaped in the CLI."; type boolean; default "false"; } leaf showNedErrorAsInfo { type boolean; default "true"; } leaf defaultLeafListStyle { tailf:info "Make all plain leaf-lists behave as they were decorated with either 'tailf:cli-flat-list-syntax' or 'tailf:cli-range-list-syntax'"; type cliLeafListStyleType; } leaf bypassAllowAbbrevKeys { tailf:info "bypassAllowAbbrevKeys is either 'true' or 'false'. If 'true' then /confdConfig/cli/allowAbbrevKeys setting does not take any effect. It means that no matter what is set for /confdConfig/cli/allowAbbrevKeys, the key elements are not allowed to be abbreviated in the CLI. This is relevant in the J-style CLI when using the commands 'delete' and 'edit'. In the C/I-style CLIs when using the commands 'no', 'show configuration' and for commands to enter submodes."; type boolean; default "false"; } leaf jEnableLoadMergeLeafList { tailf:info "DEPRECATED - use enableLoadMergeLeafList instead. jEnableLoadMergeLeafList is either 'true' or 'false'. If 'true' then the 'load merge' command in the J-style CLI will merge the leaf-list elements in a config file with the existing leaf-list elements. If set to 'false' then the 'load merge' will have same effect as 'load replace' for leaf-list when loading the config file."; type boolean; default "false"; } leaf enableLoadMergeLeafList { tailf:info "enableLoadMergeLeafList is either 'true' or 'false'. If 'true' then the 'load merge' command will merge the leaf-list elements in a config file with the existing leaf-list elements. If set to 'false' then the 'load merge' will have same effect as 'load replace' for leaf-list when loading the config file."; type boolean; default "false"; } leaf enableCliCache { tailf:info "enableCliCache is either 'true' or 'false'. If 'true' the CLI will operate with a builtin caching mechanism to speed up some of its operations. This is the default and preferred method. Only turn this off for very special cases."; type boolean; default "true"; } container turboParser { tailf:info "DEPRECATED - in order to harmonize the embedded ConfD turbo parser with the ConfD CLI, this can no longer be set. Now, reportNoExists is always on."; description "CLI settings for the Cisco style Turbo Parser."; leaf reportNoExists { tailf:info "DEPRECATED - in order to harmonize the embedded ConfD turbo parser with the ConfD CLI, this can no longer be set. Now, reportNoExists is always on."; type boolean; default "true"; status deprecated; } } // container turboParser } // container cli container webui { tailf:info "This section defines settings which decide how the embedded ConfD Web server should behave, with respect to TCP and SSL etc."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true', the Web server is started."; type boolean; default "false"; } leaf serverName { tailf:info "The hostname the Web server serves."; type xs:token; default "localhost"; } leaf matchHostName { tailf:info "This setting specifies if the Web server only should serve URLs adhering to the serverName defined above. By default the serverName is 'localhost' and matchHostName is 'false', i.e. any server name can be given in the URL. If you want the server to only accept URLs adhering to the serverName, enable this setting."; type boolean; default "false"; } leaf cacheRefreshSecs { tailf:info "The ConfD Web server uses a RAM cache for static content. An entry sits in the cache for a number of seconds before it is reread from disk (on access). The default is 0."; type uint64 { range "0 .. max"; } default "0"; } leaf maxRefEntries { tailf:info "Leafref and keyref entries are represented as drop-down menues in the automatically generated Web UI. By default no more than 100 entries are fetched. This element makes this number configurable."; type uint64 { range "0 .. max"; } default "100"; } leaf docroot { tailf:info "The location of the document root on disk. If this configurable is omitted the docroot points to the next generation docroot in the ConfD distribution instead."; type string; } leaf webuiIndexUrl { tailf:info "Where to redirect after successful login, which by default is '/index.html'."; type string; default "/index.html"; } leaf loginDir { tailf:info "loginDir may be used if a custom login directory is to be used instead of the builtin ditto."; type string; } leaf customDir { tailf:info "customDir should be used if the Web UI is to be customized as described in the User Guide."; type string; } container customHeaders { presence ""; list header { tailf:info "The customHeaders element contains any number of header elements, with a valid header-field as defined in RFC 7230 3.2. The headers will be part of HTTP responses on '/login.html', '/index.html' and '/jsonrpc'."; key "name"; leaf name { tailf:info "RFC 7230 field-name, e.g. Accept-Control-Allow-Origin"; type string; } leaf value { tailf:info "RFC 7230 field-value, e.g. http://www.cisco.com"; type string; mandatory true; } } // list header } // container customHeaders leaf X-Frame-Options { tailf:info "By default the X-Frame-Options header is set to DENY for the /login.html and /index.html pages. With this header it can be set to SAMEORIGIN or ALLOW-FROM instead."; type X-Frame-OptionsType; default "DENY"; } container disableAuth { presence ""; leaf-list dir { tailf:info "The disableAuth element contains any number of 'dir' elements. Each 'dir' element points to a directory path in the docroot which should not be restricted by the AAA engine. If no 'dir' elements are specifed the following directories and files will not be restricted by the AAA engine: '/login' and '/login.html'."; type string; } } // container disableAuth leaf allowSymlinks { tailf:info "Allow symlinks in the docroot directory."; type boolean; default "true"; } container transport { tailf:info "Settings deciding which transport services the Web server should listen to, e.g. TCP and SSL."; presence ""; container tcp { tailf:info "Settings deciding how the Web server TCP transport service should behave."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true', the Web server uses cleart text TCP as a transport service."; type boolean; default "true"; } leaf disableNonAuthRedirect { tailf:info "disableNonAuthRedirect is either 'true' or 'false'. If 'true' non-authenticated HTTP requests (expect '/' and '/index.html') result in a 404 HTTP reply. If 'false' all non-authenticated requests are redirected to '/login.html'."; type boolean; default "false"; } leaf redirect { tailf:info "If given the user will be redirected to the specified URL. Two macros can be specified, i.e. @HOST@ and @PORT@. For example https://@HOST@:443 or https://192.12.4.3:@PORT@"; type string; } leaf ip { tailf:info "The IP address which the Web server should listen to for TCP connections. 0.0.0.0 means that it listens to the port (/confdConfig/webui/transport/tcp/port) for all IPv4 addresses on the machine."; type inet:ip-address; default "0.0.0.0"; } leaf port { tailf:info "port is a valid port number to be used in combination with the address in /confdConfig/webui/transport/tcp/ip."; type inet:port-number; default "8008"; } leaf-list extraIpPorts { tailf:info "extraIpPorts is a leaf-list of ip:port pairs which the Web server also listens to for TCP connections. For IPv6 addresses, the syntax [ip]:port may be used. If the ':port' is omitted, /confdConfig/webui/transport/tcp/port is used. Example: <extraIpPorts>10.45.22.11:4777</extraIpPorts> <extraIpPorts>127.0.0.1</extraIpPorts> <extraIpPorts>:::88</extraIpPorts> <extraIpPorts>[::]</extraIpPorts>"; type xs:token; } leaf dscp { tailf:info "Support for setting the Differentiated Services Code Point (6 bits) for traffic originating from the Web server for TCP connections."; type dscpType; } } // container tcp container ssl { tailf:info "Settings deciding how the Web server SSL (Secure Sockets Layer) transport service should behave. SSL is widely deployed on the Internet and virtually all bank transactions as well as all on-line shopping today is done with SSL encryption. There are many good sources on describing SSL in detail, e.g. http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/ which describes how to manage certificates and keys."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true', the Web server uses SSL as a transport service."; type boolean; default "false"; } leaf disableNonAuthRedirect { tailf:info "disableNonAuthRedirect is either 'true' or 'false'. If 'true' non-authenticated HTTP requests (expect '/' and '/index.html') result in a 404 HTTP reply. If 'false' all non-authenticated requests are redirected to '/login.html'."; type boolean; default "false"; } leaf redirect { tailf:info "If given the user will be redirected to the specified URL. Two macros can be specified, i.e. @HOST@ and @PORT@. For example http://@HOST@:80 or http://192.12.4.3:@PORT@"; type string; } leaf ip { tailf:info "The IP address which the Web server should listen to for incoming SSL connections. 0.0.0.0 means that it listens to the port (/confdConfig/webui/transport/ssl/port) for all IPv4 addresses on the machine."; type inet:ip-address; default "0.0.0.0"; } leaf port { tailf:info "port is a valid port number to be used in combination with the address in /confdConfig/webui/transport/ssl/ip."; type inet:port-number; default "8888"; } leaf-list extraIpPorts { tailf:info "extraIpPorts is a leaf-list of ip:port pairs which the Web server also listens to for SSL connections. For IPv6 addresses, the syntax [ip]:port may be used. If the ':port' is omitted, /confdConfig/webui/transport/ssl/port is used. Example: <extraIpPorts>10.45.22.11:4777</extraIpPorts> <extraIpPorts>127.0.0.1</extraIpPorts> <extraIpPorts>:::88</extraIpPorts> <extraIpPorts>[::]</extraIpPorts>"; type xs:token; } leaf dscp { tailf:info "Support for setting the Differentiated Services Code Point (6 bits) for traffic originating from the Web server for SSL connections."; type dscpType; } leaf keyFile { tailf:info "Specifies which file that contains the private key for the certificate. Read more about certificates in /confdConfig/webui/transport/ssl/certFile. If this configurable is omitted the keyFile points to a built-in self signed certificate/key in the ConfD distribution instead. Note: Only use this certificate/key for test purposes."; type string; } leaf certFile { tailf:info "Specifies which file that contains the server certificate. The certificate is either a self-signed test certificate or a genuin and validated certificate bought from a CA (Certificate Authority). If this configurable is omitted the keyFile points to a built-in self signed certificate/key in the ConfD distribution instead. Note: Only use this certificate/key for test purposes. The ConfD distribution comes with a server certificate which can be used for testing purposes ($CONFD_DIR/src/confd/webui/cert/host.{cert,key}). This server certificate has been generated using a local CA certificate: $ openssl OpenSSL> genrsa -out ca.key 4096 OpenSSL> req -new -x509 -days 3650 -key ca.key -out ca.cert OpenSSL> genrsa -out host.key 4096 OpenSSL> req -new -key host.key -out host.csr OpenSSL> x509 -req -days 365 -in host.csr -CA ca.cert \ -CAkey ca.key -set_serial 01 -out host.cert"; type string; } leaf caCertFile { tailf:info "Specifies which file that contains the trusted certificates to use during client authentication and to use when attempting to build the server certificate chain. The list is also used in the list of acceptable CA certificates passed to the client when a certificate is requested. The ConfD distribution comes with a CA certificate which can be used for testing purposes ($CONFD_DIR/src/confd/webui/ca_cert/ca.cert). This CA certificate has been generated as shown above."; type string; } leaf verify { tailf:info "Specifies the level of verification the server does on client certificates. 1 means nothing, 2 means the server will ask the client for a certificate but not fail if the client does not supply a client certificate, 3 means that the server requires the client to supply a client certificate. If caCertFile has been set to the ca.cert file generated above you can verify that it works correctly using, for example: $ openssl s_client -connect 127.0.0.1:8888 \ -cert client.cert -key client.key For this to work client.cert must have been generated using the ca.cert from above: $ openssl OpenSSL> genrsa -out client.key 4096 OpenSSL> req -new -key client.key -out client.csr OpenSSL> x509 -req -days 3650 -in client.csr -CA ca.cert \ -CAkey ca.key -set_serial 01 -out client.cert"; type verifyType; default "1"; } leaf depth { tailf:info "Specifies the depth of certificate chains the server is prepared to follow when verifying client certificates."; type uint64 { range "0 .. max"; } default "1"; } leaf ciphers { tailf:info "Specifies the cipher suites to be used by the server as a colon-separated list from the set ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, ECDH-ECDSA-AES256-GCM-SHA384, ECDH-RSA-AES256-GCM-SHA384, ECDH-ECDSA-AES256-SHA384, ECDH-RSA-AES256-SHA384, DHE-RSA-AES256-GCM-SHA384, DHE-DSS-AES256-GCM-SHA384, DHE-RSA-AES256-SHA256, DHE-DSS-AES256-SHA256, AES256-GCM-SHA384, AES256-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256, ECDH-ECDSA-AES128-GCM-SHA256, ECDH-RSA-AES128-GCM-SHA256, ECDH-ECDSA-AES128-SHA256, ECDH-RSA-AES128-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-DSS-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256, DHE-DSS-AES128-SHA256, AES128-GCM-SHA256, AES128-SHA256, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA, ECDH-ECDSA-AES256-SHA, ECDH-RSA-AES256-SHA, AES256-SHA, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA, DHE-DSS-AES128-SHA, ECDH-ECDSA-AES128-SHA, ECDH-RSA-AES128-SHA, AES128-SHA, ECDHE-ECDSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, ECDH-ECDSA-DES-CBC3-SHA, ECDH-RSA-DES-CBC3-SHA, and DES-CBC3-SHA, or the word 'DEFAULT' (use all cipher suites in that list for which the required support is implemented in libcrypto). See the OpenSSL manual page ciphers(1) for the definition of the cipher suites. NOTE: The general cipher list syntax described in ciphers(1) is not supported."; type string; default "DEFAULT"; } leaf protocols { tailf:info "Specifies the SSL/TLS protocol versions to be used by the server as a whitespace-separated list from the set tlsv1 tlsv1.1 tlsv1.2, or the word 'DEFAULT' (use all supported protocol versions except tlsv1)."; type string; default "DEFAULT"; } leaf ellipticCurves { tailf:info "Specifies the curves for Elliptic Curve cipher suites to be used by the server as a whitespace-separated list from the set sect571r1, sect571k1, secp521r1, brainpoolP512r1, sect409k1, sect409r1, brainpoolP384r1, secp384r1, sect283k1, sect283r1, brainpoolP256r1, secp256k1, secp256r1, sect239k1, sect233k1, sect233r1, secp224k1, secp224r1, sect193r1, sect193r2, secp192k1, secp192r1, sect163k1, sect163r1, sect163r2, secp160k1, secp160r1, and secp160r2, or the word 'DEFAULT' (use all supported curves)."; type string; default "DEFAULT"; } } // container ssl leaf unauthenticatedMessageLimit { tailf:info " Limit the size of allowed unauthenticated messages. Limit is given in bytes or 'nolimit'. The default is 64kB."; type unauthenticatedMessageLimitType; default "65536"; } } // container transport container cgi { tailf:info "CGI-script support"; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true', CGI-script support is enabled."; type boolean; default "false"; } leaf dir { tailf:info " The directory path to the location of the CGI-scripts."; type string; default "cgi-bin"; } leaf requestFilter { tailf:info "Specifies that characters not specified in the given regexp should be filtered out silently."; type string; } leaf maxRequestLength { tailf:info "Specifies the maximum amount of characters in a request. All characters exceeding this limit are silenty ignored."; type uint16; } container php { tailf:info "PHP support"; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true', PHP support is enabled."; type boolean; default "false"; } } // container php } // container cgi leaf idleTimeout { tailf:info " Maximum idle time before terminating a Web UI session. PT0M means no timeout. Default is PT30M, ie 30 minutes."; type xs:duration; default "PT30M"; } leaf absoluteTimeout { tailf:info "Maximum absolute time before terminating a Web UI session. PT0M means no timeout. Default is PT16H, ie 16 hours."; type xs:duration; default "PT16H"; } leaf rateLimiting { tailf:info "Maximum number of allowed JSON-RPC requests every hour. 0 means infinity. Default is 1 million."; type uint64 { range "0 .. max"; } default "1000000"; } leaf audit { tailf:info "audit is either 'true' or 'false'. If 'true', then JSON-RPC/CGI requests are logged to the audit log."; type boolean; default "false"; } } // container webui container rest { tailf:info "This section defines settings for the REST API."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true', the REST API is enabled."; type boolean; default "false"; } leaf showHidden { tailf:info "Hidden nodes are not shown by default in REST. Such nodes can be unhidden to the REST client by including the query parameter 'unhide', which is a comma separated list of <hide-group-name>[;<passwd>] If showHidden is set to 'true', hidden nodes are always shown in the REST API."; type boolean; default "false"; } container customHeaders { presence ""; list header { tailf:info "The customHeaders element contains any number of header elements, with a valid header-field as defined in RFC 7230 3.2."; key "name"; leaf name { tailf:info "RFC 7230 field-name, e.g. Accept-Control-Allow-Origin"; type string; } leaf value { tailf:info "RFC 7230 field-value, e.g. http://www.cisco.com"; type string; mandatory true; } } // list header } // container customHeaders } // container rest container restconf { tailf:info "This section defines settings for the RESTCONF API."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true', the RESTCONF API is enabled."; type boolean; default "false"; } leaf rootResource { tailf:info "The RESTCONF root resource path."; type string; default "restconf"; } leaf schemaServerUrl { tailf:info "Change the schema element in the ietf-yang-library:modules-state resource response. It is possible to use the placeholders @X_FORWARDED_HOST@ and @X_FORWARDED_PORT@ in order to set the schema URL with HTTP headers X-Forwarded-Host and X-Forwarded_Port, e.g. https://@X_FORWARDED_HOST@:@X_FORWARDED_PORT@ ."; type string; } container tokenResponse { tailf:info " When authenticating via AAA externalAuthentication or externalValidation and a token is returned, it is possible to include a header with the token in the response."; presence ""; leaf xAuthToken { tailf:info " Either 'true' or 'false'. If 'true', a x-auth-token header is included in the response with any token returned from AAA."; type boolean; default "false"; } container tokenCookie { tailf:info "Configuration of RESTCONF token cookies."; presence ""; leaf name { tailf:info " The cookie name, exactly as it is to be sent. If configured, a HTTP cookie of that name included in the response with any token returned from AAA as value."; type string; default ""; } leaf directives { tailf:info " An optional string with directives appended to the cookie, exactly as it is to be sent."; type string; default ""; } } // container tokenCookie } // container tokenResponse container customHeaders { presence ""; list header { tailf:info "The customHeaders element contains any number of header elements, with a valid header-field as defined in RFC 7230 3.2."; key "name"; leaf name { tailf:info "RFC 7230 field-name, e.g. Accept-Control-Allow-Origin"; type string; } leaf value { tailf:info "RFC 7230 field-value, e.g. http://www.cisco.com"; type string; mandatory true; } } // list header } // container customHeaders container requireModuleName { presence ""; leaf enabled { tailf:info "When set to 'true', the client must explicitly provide the module name of the node if it is defined in a module other than its parent node or its parent node is the datastore. When set to 'false', this configuration parameter allows the client to bypass above requirements. Refer to RFC 8040, section 3.5.3 for detailed information."; type boolean; default "true"; } } // container requireModuleName } // container restconf container proxyForwarding { tailf:info "This section defines settings which affect the behavior of Proxy Forwarding."; presence ""; leaf autoLogin { tailf:info "autoLogin is either 'true' or 'false'. If 'true', ConfD will try to login to the target system with the current session's credentials, if it has access to them. In order for ConfD to get access to the session credentials, the builtin SSH daemon must be used."; type boolean; default "false"; } list proxy { tailf:info "Parameters for a single proxy."; key "target"; leaf target { tailf:info "The name of the proxy target. It is used as a unique identifier of the proxy target. This is the target name that users give when they want to connect to the target. The name is included in the proxy events (see confd_lib_events(3)) generated by ConfD."; type xs:token; } leaf address { tailf:info "The IP address of the proxy target system."; type inet:host; mandatory true; } container netconf { tailf:info "If present, the target is available for NETCONF proxy forwarding."; presence ""; choice transport1 { container ssh { tailf:info "If present, the proxy connections between ConfD and the proxy NETCONF target will be over SSH."; leaf port { tailf:info "The port where the proxy target listens for NETCONF SSH connections."; type inet:port-number; default "2022"; } } // container ssh container tcp { tailf:info "If present, the proxy connections between ConfD and the proxy NETCONF target will be over TCP."; leaf port { tailf:info "The port where the proxy target listens for NETCONF TCP connections."; type inet:port-number; default "2023"; } } // container tcp } // choice transport1 } // container netconf container cli { tailf:info "If present, the target is available for CLI proxy forwarding."; presence ""; choice transport { container ssh { tailf:info "If present, the proxy connections between ConfD and the proxy CLI target will be over SSH."; leaf port { tailf:info "The port where the proxy target listens for CLI SSH connections."; type inet:port-number; default "22"; } } // container ssh } // choice transport } // container cli } // list proxy } // container proxyForwarding container snmpAgent { tailf:info "This section defines settings which affect the behavior of the SNMP agent."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true', the SNMP agent is enabled."; type boolean; default "false"; } leaf ip { tailf:info "ip is an IP address which the ConfD SNMP agent should listen to. 0.0.0.0 means that it listens to the port (/confdConfig/snmpAgent/port) for all IPv4 addresses on the machine."; type inet:ip-address; default "0.0.0.0"; } leaf port { tailf:info "port is a valid port number to be used in combination with /confdConfig/snmpAgent/ip."; type inet:port-number; default "161"; } leaf-list extraIpPorts { tailf:info "extraIpPorts is a leaf-list of ip:port pairs which the SNMP agent also listens to. For IPv6 addresses, the syntax [ip]:port may be used. If the ':port' is omitted, /confdConfig/snmpAgent/port is used. Example: <extraIpPorts>10.45.22.11:4777</extraIpPorts> <extraIpPorts>127.0.0.1</extraIpPorts> <extraIpPorts>:::88</extraIpPorts> <extraIpPorts>[::]</extraIpPorts>"; type xs:token; } leaf dscp { tailf:info "Support for setting the Differentiated Services Code Point (6 bits) for traffic originating from the SNMP agent."; type dscpType; } container mibs { tailf:info "A list of MIBs that should be loaded into the SNMP agent."; presence ""; leaf-list file { tailf:info "file is the location of a MIB file that should be loaded into the SNMP agent. For example: <file>./TAIL-F-TEST-MIB.bin</file>. The MIB file must be in binary format (.bin) produced with the confdc compiler. For loading of a built-in MIB no path must be given. Example: <file>SNMP-USER-BASED-SM-MIB.bin</file>. See the ConfD User Guide for more information about loading MIBs into the SNMP agent."; type string; } leaf fromLoadPath { tailf:info "If 'true', any '.bin' file found in the /confdConfig/loadPath is loaded at startup. Bult-in MIBs must still be listed explicitly using the 'file' element."; type boolean; default "false"; } } // container mibs leaf temporaryStorageTime { tailf:info "The time, in seconds, that the agent keeps temporary table entries before deleting them. A table entry is temporary if its RowStatus column is 'notReady' or 'notInService'."; type uint32; default "300"; } container snmpVersions { tailf:info "The list of SNMP versions that the SNMP agent will understand."; presence ""; leaf v1 { tailf:info "Setting the value to 'true' will enable SNMP v1 in the SNMP agent."; type boolean; default "true"; } leaf v2c { tailf:info "Setting the value to 'true' will enable SNMP v2c in the SNMP agent."; type boolean; default "true"; } leaf v3 { tailf:info "Setting the value to 'true' will enable SNMP v3 in the SNMP agent."; type boolean; default "true"; } } // container snmpVersions container snmpEngine { tailf:info "Properties from the SNMP-FRAMEWORK-MIB (RFC 3411) for the SNMP agent."; presence ""; leaf snmpEngineID { tailf:info "The name of the SNMP engine. snmpEngineID is defined in the SNMP-FRAMEWORK-MIB (RFC 3411)."; type tailf:hex-list; mandatory true; } leaf snmpEngineMaxMessageSize { tailf:info "The maximum size of SNMP messages that the agent can send or receive. The snmpEngineMaxMessageSize is defined in the SNMP-FRAMEWORK-MIB (RFC 3411)."; type uint64 { range "0 .. max"; } default "50000"; } } // container snmpEngine leaf sessionIgnorePort { tailf:info "If 'true', the SNMP Agent will consider requests originating from one and the same IP Address, and using the same security name, as related, regardless of source port. Per default, the SNMP Agent will consider requests originating from one and the same IP Address and port, and using the same security name, as related. Related requests are handled in the same user session. This is absolutely necessary for achieving good performance when processing consecutive get-next requests, as during SNMP walks."; type boolean; default "false"; } leaf authenticationFailureNotifyName { tailf:info "When the SNMP agent sends the standard authenticationFailure notification, it is delivered to the management targets defined for the snmpNotifyName in the snmpNotifyTable in SNMP-NOTIFICATION-MIB (RFC 3413). If authenticationFailureNotifyName is the empty string (default), the notification is delivered to all management targets."; type string; default ""; } container candidate { tailf:info "Directives for how to manage locks and changes to the candidate when processing SNMP set requests in systems where /confdConfig/datastores/running/access is writable-through-candidate. When running with this datastore setup, the SNMP Agent must lock the candidate before making changes to it and committing those to the running configuration."; presence ""; leaf maxLockWait { tailf:info "If the candidate is locked by another user session, the SNMP Agent will send a resourceUnavailable response unless the candidate becomes available for locking within this time period. The default value is PT0S, which means the error response will be sent immediately."; type xs:duration; default "PT0S"; } leaf pendingChangesAction { tailf:info "If there are pending changes in the candidate when the SNMP Agent attempts to lock it, these will be discarded (continue) or the lock will not be taken and the SNMP request will fail with resourceUnavailable (fail). The default value is continue."; type pendingChangesActionType; default "continue"; } } // container candidate leaf dropWhenInUse { tailf:info "Whenever a set request cannot be completed, due to competing actions (typically CDB clients, or other transactions) preventing the SNMP Agent from taking the required locks on configuration stores and data providers affected by the request, the SNMP Agent will respond to the set request with an 'in use' error. If dropWhenInUse is 'true', the SNMP Agent will silently drop the request instead."; type boolean; default "false"; } leaf-list contexts { tailf:info "contexts is a leaf-list of context names which this SNMP Agent, i.e. one or more external data providers recognize in addition to the empty context, ''."; type SNMPContextNameType; } container system { tailf:info "The properties from the SNMPv2-MIB (RFC 3418) for the SNMP agent."; presence ""; leaf sysDescr { tailf:info "A textual description of the entity. This value should include the full name and version identification of the system's hardware type, software operating-system, and networking software. The sysDescr is defined in the SNMPv2-MIB (RFC 3418)."; type string; } leaf sysObjectID { tailf:info "The vendor's authoritative identification of the network management subsystem contained in the entity. The sysObjectID is defined in the SNMPv2-MIB (RFC 3418)."; type yang:object-identifier; } leaf sysServices { tailf:info "A value which indicates the set of services that this entity may potentially offer. The sysServices is defined in the SNMPv2-MIB (RFC 3418)."; type uint64 { range "0 .. max"; } default "72"; } container sysORTable { tailf:info "Entries that will populate the sysORTable from SNMPv2-MIB."; presence ""; list sysOREntry { tailf:info "Corresponds to one entry in the sysORTable from SNMPv2-MIB."; key "sysORIndex"; leaf sysORIndex { tailf:info "The index for this row in the table."; type uint64 { range "0 .. max"; } } leaf sysORID { tailf:info "The OID of the AGENT-CAPABILITIES invocation."; type yang:object-identifier; mandatory true; } leaf sysORDescr { tailf:info "A textual description of capabilities defined in sysORID."; type string; mandatory true; } } // list sysOREntry } // container sysORTable } // container system } // container snmpAgent container netconf { tailf:info "This section defines settings which decide how the NETCONF server should behave, with respect to NETCONF and SSH."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true', the NETCONF server is started. If 'false' the NETCONF server is stopped and any existing sessions are closed."; type boolean; default "true"; } container transport { tailf:info "Settings deciding which transport services the NETCONF server should listen to, e.g. TCP and SSH."; presence ""; leaf sshCallHomeExecutable { tailf:info "The full path to an executable program that starts a NETCONF call home session over SSH. Must be used when the internal SSH stack in ConfD is not enabled."; type string; } container ssh { tailf:info "Settings deciding how the NETCONF SSH transport service should behave."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true', the NETCONF server uses SSH as a transport service."; type boolean; default "true"; } leaf ip { tailf:info "ip is an IP address which the ConfD NETCONF server should listen to. 0.0.0.0 means that it listens to the port (/confdConfig/netconf/transport/ssh/port) for all IPv4 addresses on the machine."; type inet:ip-address; default "0.0.0.0"; } leaf port { tailf:info "port is a valid port number to be used in combination with /confdConfig/netconf/transport/ssh/ip. Note that the standard port for NETCONF over SSH is 830."; type inet:port-number; default "2022"; } leaf-list extraIpPorts { tailf:info "extraIpPorts is a leaf-list of ip:port pairs which the NETCONF server also listens to for SSH connections. For IPv6 addresses, the syntax [ip]:port may be used. If the ':port' is omitted, /confdConfig/netconf/transport/ssh/port is used. Example: <extraIpPorts>10.45.22.11:4777</extraIpPorts> <extraIpPorts>127.0.0.1</extraIpPorts> <extraIpPorts>:::88</extraIpPorts> <extraIpPorts>[::]</extraIpPorts>"; type xs:token; } leaf dscp { tailf:info "Support for setting the Differentiated Services Code Point (6 bits) for traffic originating from the NETCONF server for SSH connections."; type dscpType; } } // container ssh container tcp { tailf:info "NETCONF over TCP is not standardized, but it can be useful during development in order to use e.g. netcat for scripting. It is also useful if we want to use our own proprietary transport. In that case we setup the NETCONF server to listen to localhost and then proxy it from our transport service module."; presence ""; leaf enabled { tailf:info "enabled is either 'true' or 'false'. If 'true', the NETCONF server uses clear text TCP as a transport service."; type boolean; default "false"; } leaf ip { tailf:info "ip is an IP address which the ConfD NETCONF server should listen to. 0.0.0.0 means that it listens to the port (/confdConfig/netconf/transport/tcp/port) for all IPv4 addresses on the machine."; type inet:ip-address; default "0.0.0.0"; } leaf port { tailf:info "port is a valid port number to be used in combination with /confdConfig/netconf/transport/tcp/ip."; type inet:port-number; default "2023"; } leaf keepalive { tailf:info "keepalive is either 'true' or 'false' (default). When 'true' periodic polling of the other end of the connection will be done for sockets that have not exchanged data during the OS defined interval."; type boolean; default "false"; } leaf-list extraIpPorts { tailf:info "extraIpPorts is a leaf-list of ip:port pairs which the NETCONF server also listens to for TCP connections. For IPv6 addresses, the syntax [ip]:port may be used. If the ':port' is omitted, /confdConfig/netconf/transport/tcp/port is used. Example: <extraIpPorts>10.45.22.11:4777</extraIpPorts> <extraIpPorts>127.0.0.1</extraIpPorts> <extraIpPorts>:::88</extraIpPorts> <extraIpPorts>[::]</extraIpPorts>"; type xs:token; } leaf dscp { tailf:info "Support for setting the Differentiated Services Code Point (6 bits) for traffic originating from the NETCONF server for TCP connections."; type dscpType; } } // container tcp } // container transport leaf extendedSessions { tailf:info "If extendedSessions are enabled, all ConfD sessions can be terminated using <kill-session>, i.e. not only can other NETCONF session be terminated, but also CLI sessions, Webui sessions etc. If such a session holds a lock, it's session id will be returned in the <lock-denied>, instead of '0'. Strictly speaking, this extension is not covered by the NETCONF specification; therefore it's 'false' by default."; type boolean; default "false"; } leaf sendDefaults { tailf:info "DEPRECATED - use defaultHandlingMode instead"; type boolean; default "false"; description "DEPRECATED - use /confdConfig/defaultHandlingMode instead to control this behavior consistently for all northbound interfaces. If sendDefaults is 'true', default values will be included in the replies to <get>, <get-config>, and <copy-config>. If sendDefaults is 'false', default values will not be included by default. If /confdConfig/netconf/capabilities/with-defaults is enabled, this behavior can be controlled by the NETCONF client."; } leaf idleTimeout { tailf:info "Maximum idle time before terminating a NETCONF session. If the session is waiting for notifications, or has a pending confirmed commit, the idle timeout is not used. The default value is 0, which means no timeout. Will be silently capped to 49 days 17 hours. Modification of this value will only affect connections that are established after the modification has been done."; type xs:duration; default "PT0S"; } leaf writeTimeout { tailf:info "Maximum time for a write operation towards a client to complete. If the time is exceeded, the NETCONF session is terminated. The default value is 0, which means no timeout. Modification of this value will only affect connections that are established after the modification has been done."; type xs:duration; default "PT0S"; } leaf rpcErrors { tailf:info "If rpcErrors is 'inline', and an error occurs during the processing of a <get> or <get-config> request when ConfD tries to fetch some data from a data provider, ConfD will generate an rpc-error element in the faulty element, and continue to process the next element. If an error occurs and rpcErrors is 'close', the NETCONF transport is closed by ConfD."; type rpcErrorType; default "close"; } leaf maxBatchProcesses { tailf:info "Controls how many concurrent NETCONF batch processes there can be at any time. A batch process can be started by the server if a new NETCONF operation is implemented as a batch operation. See the NETCONF chapter in the ConfD User's Guide for details."; type limitType; default "unbounded"; } } // container netconf } // container confdConfig } // module confd_dyncfg
© 2023 YumaWorks, Inc. All rights reserved.