CESNET/netopeer2 CESNET/netopeer2

  • Stars
    star
    301
  • Rank 138,451 (Top 3 %)
  • Language
    C
  • License
    BSD 3-Clause "New...
  • Created almost 9 years ago
  • Updated 18 days ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
CESNET/netopeer2
github

CESNET

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

NETCONF toolset

Netopeer2 – NETCONF Server

BSD license Build Status Coverity Codecov Ohloh Project Status

Netopeer2 is a server for implementing network configuration management based on the NETCONF Protocol. This is the second generation, originally available as the Netopeer project. Netopeer2 is based on the new generation of the NETCONF and YANG libraries - libyang and libnetconf2. The Netopeer2 server uses sysrepo as a NETCONF datastore implementation.

Netopeer2 is maintained and further developed by the Tools for Monitoring and Configuration department of CESNET. Any feedback, testing or feature requests are welcome. Please contact us via the issue tracker.

Branches

The project uses 2 main branches master and devel. Other branches should not be cloned. In master there are files of the last official release. Any latest improvements and changes (of the server), which were tested at least briefly are found in devel. On every new release, devel is merged into master.

This means that when only stable official releases are to be used, either master can be used or specific releases downloaded. If all the latest bugfixes should be applied, devel branch is the one to be used. Note that whenever a new issue is created and it occurs on the master branch, the first response will likely be to use devel before any further provided support.

RFC Compliance

  • RFC 5277 NETCONF Event Notifications
  • RFC 6022 YANG Module for NETCONF Monitoring
  • RFC 6241 Network Configuration Protocol (NETCONF)
  • RFC 6242 Using the NETCONF Protocol over Secure Shell (SSH)
  • RFC 6243 With-defaults Capability for NETCONF
  • RFC 6470 Network Configuration Protocol (NETCONF) Base Notifications
  • RFC 7589 Using the NETCONF Protocol over Transport Layer Security (TLS) with Mutual X.509 Authentication
  • RFC 8071 NETCONF Call Home and RESTCONF Call Home
  • RFC 8341 Network Configuration Access Control Model
  • RFC 8525 YANG Library
  • RFC 8526 NETCONF Extensions to Support the Network Management Datastore Architecture
  • RFC 8639 Subscription to YANG Notifications
  • RFC 8640 Dynamic Subscription to YANG Events and Datastores over NETCONF
  • RFC 8641 Subscription to YANG Notifications for Datastore Updates

Packages

Binary RPM or DEB packages of the latest release can be built locally using apkg, look into README in the distro directory.

Requirements

Optional

  • pkg-config & libsystemd (to support netopeer2-server systemd service)
  • cmocka >= 1.0.1 (for tests)
  • valgrind (for enhanced testing)
  • gcov (for code coverage)
  • lcov (for code coverage)
  • genhtml (for code coverage)

Compilation and installation

$ mkdir build; cd build
$ cmake ..
$ make
# make install

Compilation options

The netopeer2-server requires ietf-netconf-server and all connected YANG modules to be installed in sysrepo to work correctly. This is performed automatically during the installation process. Moreover, default SSH configuration listening on all IPv4 interfaces and a newly generated SSH host key are imported so that it can be connected to the server out-of-the-box. However, it may not always be desired to perform all these steps even though the executed scripts check whether the modules/some configuration already exist and do not repeat/overwrite any modules/configuration.

These are the options that affect the initial setup:

INSTALL_MODULES:ON
GENERATE_HOSTKEY:ON
MERGE_LISTEN_CONFIG:ON

If cross-compiling for a different architecture, you will likey want to turn all these options off and then run the scripts setup.sh, merge_hostkey.sh, and merge_config.sh manually.

Sysrepo callbacks

When implementing a sysrepo application with some callbacks, in case the particular event will be generated by netopeer2, there will be the NETCONF session ID and NETCONF username of the originator NETCONF session provided. It can be retrieved from the event sysrepo session and the originator name will be netopeer2. Following is a table with the exact data format.

Index Type Meaning
0 uint32_t NETCONF session ID
1 char * NETCONF username

It is also possible to communicate a specific NETCONF error back to the server, use sysrepo utility functions to create it.

CLI

A simple command-line NETCONF client netopeer2-cli is included and build/installed by default. This can be adjusted by an option:

BUILD_CLI:ON

There is also a separate netconf-cli project that you may want to give a try if you need an advanced and more user-friendly command-line NETCONF client.

Tests

There are several tests included and built with cmocka. The tests can be found in tests subdirectory and they are designed for checking library functionality after code changes.

The tests are by default built in the Debug build mode by running

$ make

In case of the Release mode, the tests are not built by default (it requires additional dependency), but they can be enabled via cmake option:

$ cmake -DENABLE_TESTS=ON ..

Note that if the necessary cmocka headers are not present in the system include paths, tests are not available despite the build mode or cmake's options.

Tests can be run by the make's test target:

$ make test

Code Coverage

Based on the tests run, it is possible to generate code coverage report. But it must be enabled and these commands are needed to generate the report:

$ cmake -DENABLE_COVERAGE=ON ..
$ make
$ make coverage

NACM

This NETCONF server uses ietf-netconf-acm access control of sysrepo. NACM is enabled by default, so except for the recovery user, no others will be allowed to write any data but should be granted read and execute permissions unless the access was modified by a NACM extension. When deploying this server, it is strongly advised to configure NACM properly.

Server configuration

Right after installation SSH listen and Call Home and TLS listen and Call Home are supported. By default, only SSH listen configuration is imported so to enable any other connection methods, they need to be configured manually. Example configuration XML files can be found in the example_configuration directory. These files can be easily modified to create configuration specific for a particular environment and configured authentication.

SSH Call Home

To enable SSH Call Home, only ssh_callhome.xml file needs to be imported to sysrepo provided that the default SSH host key genkey was imported into ietf-keystore configuration.

TLS listen

To support clients connecting using TLS, configuration files tls_keystore.xml, tls_truststore.xml, and tls_listen.xml needs to be merged into sysrepo configuration of modules ietf-keystore, ietf-truststore, and ietf-netconf-server, respectively. After doing so, a NETCONF client can connect using client.crt certificate and client.key private key and having ca.pem CA certificate set as trusted. These example certificates can be found in example_configuration/tls_certs. netopeer2-cli can easily be configured this way and the TLS connection tested.

To pass server identity check, the client must be connecting to localhost, which is the default server domain if left empty. Once connected, the client will be identified with tls-test NETCONF username.

TLS Call Home

Using the same certificates and authorization options, a TLS client can be connected to using Call Home when tls_callhome.xml file is imported. But tls_keystore.xml and tls_truststore.xml need to be imported first.

More Repositories

1

UltraGrid

UltraGrid low-latency audio and video network transmission system
C
499
star
2

libyang

YANG data modeling language library
C
367
star
3

GPUJPEG

JPEG encoder and decoder library and console application for NVIDIA GPUs from CESNET and SITOLA of Faculty of Informatics at Masaryk University.
C
240
star
4

libnetconf2

C NETCONF library
C
203
star
5

ipfixcol2

High-performance NetFlow v5/v9 and IPFIX collector (RFC7011)
C
119
star
6

netopeer

NETCONF Protocol Toolset
Shell
116
star
7

libnetconf

C NETCONF library
C
110
star
8

Nemea

System for network traffic analysis and anomaly detection.
Shell
79
star
9

ipfixcol

IPFIXcol is an implementation of an IPFIX (RFC 7011) collector
C++
64
star
10

libyang-python

Python bindings for the libyang library
Python
62
star
11

perun

Perun Identity and Access Management System
Java
57
star
12

pakiti-server

Pakiti provides a monitoring mechanism to check the patching status of Linux systems.
PHP
49
star
13

Netopeer-GUI

Graphical user interface for NETCONF client
PHP
35
star
14

NERD

Network Entity Reputation Database
Python
31
star
15

ipfixprobe

C++
30
star
16

FlowTest

Testbed for testing NetFlow/IPFIX network monitoring probes. Includes tools for PCAP generation and replay of 1/10/100G network traffic.
C++
29
star
17

Netopeer2GUI

Web-based NETCONF management center
TypeScript
25
star
18

ndk-app-minimal

Minimal Application based on Network Development Kit (NDK) for FPGA cards
VHDL
24
star
19

ofm

Open FPGA Modules
VHDL
22
star
20

Nemea-Detectors

Detection modules of the Nemea system.
C++
21
star
21

sphinx-vhdl

Python
20
star
22

fake-oidc-server

A simple OpenID Connect Authorization Server that provides a single user
Java
19
star
23

cesnet-datazoo

CESNET DataZoo: A toolset for large network traffic datasets
Python
17
star
24

netconf-cli

A NETCONF-talking CLI
C++
15
star
25

Nemea-Modules

Base modules of the Nemea system. This repository contains modules for export, replay, filtering, merging etc.
C++
14
star
26

rad_eap_test

Nagios compatible shell script used for testing RADIUS servers by EAP
Shell
14
star
27

secant

Security Cloud Assessment Tool
Shell
11
star
28

torque

MetaCentrum fork of Torque batch system used on the Czech National Grid
C
11
star
29

libyang-cpp

C++ bindings for the libyang library
C++
10
star
30

Nemea-Framework

Nemea framework is the heart of the Nemea system. It contains implementation of common communication interfaces, UniRec data format and useful datastructures and algorithms.
C
10
star
31

perun-services

Scripts used by Perun to (de)provision services with authorization data
Perl
9
star
32

velia

YANG System management for embedded devices running Linux
C++
9
star
33

libfds

Flow Data Storage library
C++
9
star
34

pbspro.hooks

Python
8
star
35

ALF

Active Learning Framework
Python
8
star
36

cesnet-models

CESNET Models: Neural networks for network traffic classification
Python
8
star
37

rousette

An almost-RESTCONF server
C++
7
star
38

wayf

The CESNET WAYF service
JavaScript
7
star
39

cesnet-tcexamples

Jupyter notebooks with traffic classification examples using CESNET DataZoo and CESNET Models packages
Jupyter Notebook
7
star
40

TorqueFastSched

High performance scheduler for Torque resource manager. Optimized for highly heterogeneous environments.
C++
6
star
41

liberouter-gui

Python
6
star
42

pOCCI

OCCI Compliance Tests
Python
6
star
43

libfastbit

Clone of FastBit repository
C++
6
star
44

NEMEA-SIoT

NEMEA modules for securing IoT networks.
C
6
star
45

exafs

ExaFS is a tool for creation, validation, and execution of ExaBGP messages.
Python
6
star
46

eduroam-icinga

new ermon (eduroam monitoring)
Shell
6
star
47

ansible-freeradius

Ansible role to install FreeRADIUS v3 for eduroam.cz
Shell
6
star
48

etlog

eduroam traffic log analysis
JavaScript
5
star
49

gridsite

Grid Security for the Web.
C
5
star
50

php-perun-ws

PHP
5
star
51

lighterwall

LighterWall is an iptables/ip6tables wrapper to ease writing of corresponding IPv4/IPv6 firewalls
Shell
5
star
52

connector-kerberos

Native MIT Kerberos Polygon+ConnId connector
Java
4
star
53

ndk-core

Common CORE of Network Development Kit (NDK)
VHDL
4
star
54

eInfra-docs

Python
4
star
55

perun-ansible

Ansible scripts for Perun installation
4
star
56

389ds-plugin-ssm

Server Side Modification plugin
C
4
star
57

LiST

Security Tools as a Service
Python
4
star
58

perun-ansible-roles

repo with git submodules for Ansible roles
4
star
59

Nemea-OpenWRT

The NEMEA packages feed
Makefile
4
star
60

dp3

Dynamic Profile Processing Platform (DP³), the base platform for ADiCT project
Python
4
star
61

ndk-sw

Linux driver and SW tools for Network Development Kit (NDK)
C
4
star
62

libnetconf2-cpp

C++ bindings for the libnetconf2 library
C++
4
star
63

satosa-module-webauthn

WebAuthn module for SaToSa
Python
3
star
64

shongo

Shongo Resource Management System
Java
3
star
65

DHuSTools

Small tools developed to accompany ESA DHuS instances
Shell
3
star
66

metacentrum-accounting

Accounting for MetaCentrum
Java
3
star
67

lgbm2vhdl

LGBM2VHDL: Tool for converting LightGBM models into VHDL implementation.
Python
3
star
68

IndigoVR

Virtual Router Appliance for virtual networks
3
star
69

perun-mitreid

OpenID Connect Provider for Perun
Java
3
star
70

occi-schemas

OCCI (Open Cloud Computing Interface) Rendering Schemas
Makefile
3
star
71

ndk-cards-open

FPGA cards files for the NDK
VHDL
3
star
72

php-authz-ws

Authorization web service
PHP
3
star
73

canl-c

Common Authentication library - bindings for C.
C
3
star
74

shongo-authn-server

Authentication server for the Shongo project
PHP
3
star
75

pakiti-client

Client for Pakiti patching status monitoring system
Perl
3
star
76

glite-lb

gLite Logging and Bookkeeping.
C
3
star
77

fdistdump

Tool for distributed quering of flow data.
C
3
star
78

sysrepo-ietf-alarms

Alarm management (ietf-alarms) YANG module for sysrepo
C++
3
star
79

ansible-role-yubikeys

Ansible Galaxy role cesnet.yubikeys
2
star
80

simplesamlphp-module-authswitcher

PHP
2
star
81

theme-cesnet

Custom CESNET theme for ownCloud
PHP
2
star
82

ansible-role-apache-tls

Ansible Galaxy role cesnet.apache_tls
2
star
83

user_openidc

ownCloud user backend app providing OpenID Connect authentication
PHP
2
star
84

perun-simplesamlphp-module

Module which allows simpleSAMLphp to get data from Perun
PHP
2
star
85

proxyrenewal

Proxyrenewal renews existing proxy certificates for grid users.
C
2
star
86

NOW

Component to extend OpenNebula network orchestration capabilities
Ruby
2
star
87

Nemea-Supervisor

Management and monitoring module for the Nemea system.
Shell
2
star
88

glite-testsuites

Testsuites for gLite middleware and EMI products - canl-c, L&B, Proxyrenewal and Gridsite.
Shell
2
star
89

metaman-helpers

Client-side and server-side Git hooks along with other possible helpers for MetaMan.
Shell
2
star
90

eduroam-db

tools for management of eduroam database data
JavaScript
2
star
91

eduroam-live

live demonstration of eduroam service in action
JavaScript
2
star
92

netopeerguid

Netopeer-GUI backend
C
2
star
93

Phishingator

Phishingator – Phishing Training System (Systém pro rozesílání cvičných phishingových zpráv)
PHP
2
star
94

lbr-testsuite

Python
2
star
95

google-group-connector

Tool for provisioning users and groups in your domain in G Suite
Java
2
star
96

shibboleth-sp-access-control

Shibboleth service provider access control
PHP
2
star
97

PerQoDA

1
star
98

satosa-microservice-webauthn

WebAuthn microservice for SaToSa
Python
1
star
99

ansible-role-postgresql

Ansible Galaxy role cesnet.postgresql
1
star
100

metacentrum-hands-on

Repository for MetaCentrum hands-on courses
1
star