Preface
The NETCONF automated configuration system uses a Client/Server architecture, and netopeer is the open-source project that implements that NETCONF C/S framework.
About netopeer
My environment
Previously I had always used OpenWrt, where integrating NETCONF is very easy: you only select the final package you need and everything it depends on is compiled in automatically. Later there was a new system that came with an SDK rather than a specific OS, and that made porting the whole NETCONF stack very awkward, because there really are a lot of dependencies.
Libraries netopeer depends on
For work, I previously put together the list of packages that have to be installed for the NETCONF features we use. What netopeer and sysrepo need in order to install and start successfully:
Library | Version | Resulting artifacts |
---|---|---|
libpcre | 8.43 | libpcre.so and its symlinks, libpcreposix.so and its symlinks |
libssh | 0.7.6 | libssh and libssh_threads |
libyang | 1.0.130 | libyang.so |
libnetconf2 | 1.1.7 | libnetconf.so |
libredblack | 0.2.3 | libredblack.so, redblack.h |
libev | 4.25 | libev.so |
protobuf-c | 1.3.1 | libprotobuf-c.so.1 |
protobuf | 3.7.1 | |
Netopeer2 | 1.1.7 | /bin/netopeer2-cli, /bin/netopeer2-server, /etc/init.d/netopeer2-server |
sysrepo | 1.4.2 | /bin/sysrepo-plugind, /bin/sysrepocfg, /bin/sysrepoctl, /etc/init.d/sysrepo |
Setting up the NETCONF connection
- After the device boots, first install the series of YANG modules such as ietf-netconf:
```sh
# SYSREPOCTL, MODDIR, OWNER and GROUP are expected to be set before this runs
# ietf-netconf-acm
$SYSREPOCTL -i $MODDIR/ietf-netconf-acm@2018-02-14.yang -v2
$SYSREPOCTL -c ietf-netconf-acm -o $OWNER -g $GROUP -v2
# ietf-netconf
$SYSREPOCTL -U /etc/Netconf/yang/ietf-netconf@2013-09-29.yang -s $MODDIR -v2
$SYSREPOCTL -c ietf-netconf -e writable-running -e candidate -e rollback-on-error -e validate -e startup -e url -e xpath -o $OWNER -g $GROUP -v2
# ietf-netconf-monitoring
$SYSREPOCTL -i $MODDIR/ietf-netconf-monitoring@2010-10-04.yang -v2
$SYSREPOCTL -c ietf-netconf-monitoring -o $OWNER -g $GROUP -v2
# ietf-netconf-nmda
$SYSREPOCTL -i $MODDIR/ietf-netconf-nmda@2019-01-07.yang -e origin -e with-defaults -s $MODDIR -v2
$SYSREPOCTL -c ietf-netconf-nmda -o $OWNER -g $GROUP -v2
# notification modules
$SYSREPOCTL -i $MODDIR/nc-notifications@2008-07-14.yang -s $MODDIR -v2
$SYSREPOCTL -c nc-notifications -o $OWNER -g $GROUP -v2
$SYSREPOCTL -i $MODDIR/notifications@2008-07-14.yang -v2
$SYSREPOCTL -c notifications -o $OWNER -g $GROUP -v2
# ietf-netconf-server modules
$SYSREPOCTL -i $MODDIR/ietf-x509-cert-to-name@2014-12-10.yang -v2
$SYSREPOCTL -c ietf-x509-cert-to-name -o $OWNER -g $GROUP -v2
$SYSREPOCTL -i $MODDIR/ietf-crypto-types@2019-07-02.yang -v2
$SYSREPOCTL -c ietf-crypto-types -o $OWNER -g $GROUP -v2
$SYSREPOCTL -i $MODDIR/ietf-keystore@2019-07-02.yang -e keystore-supported -s $MODDIR -v2
$SYSREPOCTL -c ietf-keystore -o $OWNER -g $GROUP -v2
$SYSREPOCTL -i $MODDIR/ietf-truststore@2019-07-02.yang -e truststore-supported -e x509-certificates -s $MODDIR -v2
$SYSREPOCTL -c ietf-truststore -o $OWNER -g $GROUP -v2
$SYSREPOCTL -i $MODDIR/ietf-tcp-common@2019-07-02.yang -e keepalives-supported -s $MODDIR -v2
$SYSREPOCTL -c ietf-tcp-common -o $OWNER -g $GROUP -v2
$SYSREPOCTL -i $MODDIR/ietf-ssh-server@2019-07-02.yang -e local-client-auth-supported -s $MODDIR -v2
$SYSREPOCTL -c ietf-ssh-server -o $OWNER -g $GROUP -v2
$SYSREPOCTL -i $MODDIR/ietf-tls-server@2019-07-02.yang -e local-client-auth-supported -s $MODDIR -v2
$SYSREPOCTL -c ietf-tls-server -o $OWNER -g $GROUP -v2
$SYSREPOCTL -i $MODDIR/ietf-netconf-server@2019-07-02.yang -e ssh-listen -e tls-listen -e ssh-call-home -e tls-call-home -s $MODDIR -v2
$SYSREPOCTL -c ietf-netconf-server -o $OWNER -g $GROUP -v2
```
- Generate a key pair with openssl, then build the keystore XML and load it:
```sh
set -e

SYSREPOCFG=sysrepocfg
OPENSSL=openssl        # the original snippet used $OPENSSL without defining it
KS_KEY_NAME=genkey

# generate a 2048-bit RSA private key in PEM form (kept in a variable, not written to disk)
PRIVPEM=`$OPENSSL genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -outform PEM 2>/dev/null`
# strip the -----BEGIN/END----- lines: ietf-keystore wants only the base64 body
PRIVKEY=`grep -v -- "-----" - <<STDIN
$PRIVPEM
STDIN`
# derive the public key from the private key
PUBPEM=`$OPENSSL rsa -pubout 2>/dev/null <<STDIN
$PRIVPEM
STDIN`
PUBKEY=`grep -v -- "-----" - <<STDIN
$PUBPEM
STDIN`

# edit-config payload for the ietf-keystore module
CONFIG="<keystore xmlns=\"urn:ietf:params:xml:ns:yang:ietf-keystore\">
  <asymmetric-keys>
    <asymmetric-key>
      <name>$KS_KEY_NAME</name>
      <algorithm>rsa2048</algorithm>
      <public-key>$PUBKEY</public-key>
      <private-key>$PRIVKEY</private-key>
    </asymmetric-key>
  </asymmetric-keys>
</keystore>"

# the temp file holds the private key, so create it readable by this user only
umask 077
TMPFILE="/tmp/tmp.ietfks"
touch $TMPFILE
printf -- "$CONFIG" > $TMPFILE
# apply the edit to startup, then copy startup into running
$SYSREPOCFG --edit=$TMPFILE -d startup -f xml -m ietf-keystore -v2
$SYSREPOCFG -C startup -m ietf-keystore -v2
rm -f $TMPFILE
```
- Install the YANG modules required by the features you use
- Generate the call-home XML:
```xml
<!-- the root element and namespace are required for an edit against ietf-netconf-server;
     the original snippet started at <call-home> -->
<netconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server">
  <call-home>
    <netconf-client>
      <name>default-client</name>
      <endpoints>
        <endpoint>
          <name>server1</name>
          <ssh>
            <tcp-client-parameters>
              <remote-address>192.168.10.123</remote-address>
              <remote-port>6666</remote-port>
              <keepalives>
                <idle-time>1</idle-time>
                <max-probes>10</max-probes>
                <probe-interval>5</probe-interval>
              </keepalives>
            </tcp-client-parameters>
            <ssh-server-parameters>
              <server-identity>
                <host-key>
                  <name>default-key</name>
                  <public-key>
                    <!-- must match an asymmetric-key name in the keystore loaded above -->
                    <keystore-reference>genkey</keystore-reference>
                  </public-key>
                </host-key>
              </server-identity>
              <client-authentication>
                <supported-authentication-methods>
                  <publickey/>
                  <!-- "passsword" is the leaf name as spelled in ietf-ssh-server@2019-07-02 -->
                  <passsword/>
                  <other>interactive</other>
                </supported-authentication-methods>
                <users/>
              </client-authentication>
            </ssh-server-parameters>
          </ssh>
        </endpoint>
      </endpoints>
      <connection-type>
        <persistent/>
      </connection-type>
    </netconf-client>
  </call-home>
</netconf-server>
```
Load the call-home configuration (where ${DEL_FILE} is the file holding the XML above):
```sh
sysrepocfg --edit=${DEL_FILE} -d startup -f xml -m ietf-netconf-server -w -l
```
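As an added example (not code from this post or from the Netopeer2 project), the following Python rebuilds the ietf-keystore edit that the shell script above assembles with grep and printf, and cross-checks the call-home XML against it: every keystore-reference must name an asymmetric-key that actually exists, otherwise the sysrepocfg edit above fails validation. The PEM strings and the call-home fragment are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

KS_NS = "urn:ietf:params:xml:ns:yang:ietf-keystore"

def pem_body(pem: str) -> str:
    """Same job as grep -v -- "-----": drop the BEGIN/END lines and keep the
    base64 body. Rejects an empty body or one that is not clean base64."""
    lines = [l.strip() for l in pem.splitlines()
             if l.strip() and not l.startswith("-----")]
    if not lines:
        raise ValueError("no key material in PEM input")
    base64.b64decode("".join(lines), validate=True)  # raises on stray characters
    return "\n".join(lines)

def keystore_edit(name: str, priv_pem: str, pub_pem: str) -> str:
    """The <keystore> edit-config that the shell script writes to $TMPFILE."""
    ks = ET.Element(f"{{{KS_NS}}}keystore")
    keys = ET.SubElement(ks, f"{{{KS_NS}}}asymmetric-keys")
    key = ET.SubElement(keys, f"{{{KS_NS}}}asymmetric-key")
    ET.SubElement(key, f"{{{KS_NS}}}name").text = name
    ET.SubElement(key, f"{{{KS_NS}}}algorithm").text = "rsa2048"
    ET.SubElement(key, f"{{{KS_NS}}}public-key").text = pem_body(pub_pem)
    ET.SubElement(key, f"{{{KS_NS}}}private-key").text = pem_body(priv_pem)
    return ET.tostring(ks, encoding="unicode")

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # element name without its namespace

def unresolved_key_refs(keystore_xml: str, callhome_xml: str) -> list:
    """<keystore-reference> values that no <asymmetric-key><name> defines.
    keystore-reference is a leafref, so a dangling name is rejected on apply."""
    defined = {e.text for e in ET.fromstring(keystore_xml).iter()
               if _local(e.tag) == "name"}
    return [e.text for e in ET.fromstring(callhome_xml).iter()
            if _local(e.tag) == "keystore-reference" and e.text not in defined]

# Constructed placeholders: real PEM bodies are hundreds of base64 characters long.
SAMPLE_PRIV = "-----BEGIN PRIVATE KEY-----\nMIIBVgIBADANBgkqhkiG9w0BAQEFAASC\n-----END PRIVATE KEY-----\n"
SAMPLE_PUB = "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJB\n-----END PUBLIC KEY-----\n"
SAMPLE_CALLHOME = ("<call-home><netconf-client><name>default-client</name><endpoints><endpoint>"
                   "<name>server1</name><ssh><ssh-server-parameters><server-identity><host-key>"
                   "<name>default-key</name><public-key><keystore-reference>genkey</keystore-reference>"
                   "</public-key></host-key></server-identity></ssh-server-parameters></ssh>"
                   "</endpoint></endpoints></netconf-client></call-home>")

if __name__ == "__main__":
    ks = keystore_edit("genkey", SAMPLE_PRIV, SAMPLE_PUB)
    print(ks, "\nunresolved references:", unresolved_key_refs(ks, SAMPLE_CALLHOME))
```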
- Start the sysrepo and netopeer processes
Using the netopeer tools
Netopeer is built on the open-source libnetconf library and already implements both the client and the server side. Its main components are netopeer-cli and netopeer-server: netopeer-cli is a CLI program that connects to a NETCONF server and manipulates its configuration data; netopeer-server is the NETCONF server daemon that accepts connections from NETCONF clients, receives configuration data, and so on.
netopeer-server
This process handles the NETCONF connections; it is usually started as /bin/netopeer2-server -d -v 0
netopeer-cli
netopeer-cli acts as a NETCONF client: it can monitor notifications, push configuration, query configuration, and so on:
```
Available commands:
  auth             Manage SSH authentication options
  knownhosts       Manage the user knownhosts file
  cert             Manage trusted or your own certificates
  crl              Manage Certificate Revocation List directory
  outputformat     Set the output format of all the data
  searchpath       Set the search path for models
  verb             Change verbosity
  version          Print Netopeer2 CLI version
  disconnect       Disconnect from a NETCONF server
  status           Display information about the current NETCONF session
  connect          Connect to a NETCONF server
  listen           Wait for a Call Home connection from a NETCONF server
  quit             Quit the program
  help             Display commands description
  editor           Set the text editor for working with XML data
  cancel-commit    ietf-netconf <cancel-commit> operation
  commit           ietf-netconf <commit> operation
  copy-config      ietf-netconf <copy-config> operation
  delete-config    ietf-netconf <delete-config> operation
  discard-changes  ietf-netconf <discard-changes> operation
  edit-config      ietf-netconf <edit-config> operation
  get              ietf-netconf <get> operation
  get-config       ietf-netconf <get-config> operation
  kill-session     ietf-netconf <kill-session> operation
  lock             ietf-netconf <lock> operation
  unlock           ietf-netconf <unlock> operation
  validate         ietf-netconf <validate> operation
  subscribe        notifications <create-subscription> operation
  get-schema       ietf-netconf-monitoring <get-schema> operation
  get-data         ietf-netconf-nmda <get-data> operation
  edit-data        ietf-netconf-nmda <edit-data> operation
  user-rpc         Send your own content in an RPC envelope
  timed            Time all the commands (that communicate with a server) from issuing a RPC to getting a reply
```
Commonly used functions:
- edit-config: push configuration to the server
- get-config: retrieve configuration, corresponding to config false in the YANG model, as well as the configuration data that was pushed
- subscribe: subscribe to notifications, used to listen for the notification events defined in the YANG model