Set up Netopeer2 Server Docker Container to use with NETCONFc
Last updated on December 20, 2020
Netopeer2 Sysrepo Docker Container
Build and Set up Netopeer2 Docker Container for testing Call Home
Netopeer2 Dockerfile:
Use the latest Dockerfile from the sysrepo repository:
https://github.com/sysrepo/sysrepo/tree/master/deploy/docker/sysrepo-netopeer2
Note you will need to place a copy of supervisord.conf in the same directory as your Dockerfile.
To build the development version, change git checkout to devel branch in the Netopeer2 section of Dockerfile instead of master.
Copy the content and save it into a file named “Dockerfile” and then build it:
docker build -t "netopeer2:latest" .
Access Netopeer2 using SSH:
Run the Docker container; by default you should be able to access it via SSH:
$ docker run -it --name netopeer -p 830:830 -p 6513:6513 --rm netopeer2:latest
Note we are also exposing the TLS port 6513, which we will need when enabling TLS access in the next step.
Start NETCONFc, click “Connect | NETCONF Over SSH”, enter the following info:
Host: the IP address of the Docker host,
Port: 830
User: netconf
Password: netconf
Click “Connect”, you should be able to connect to your Netopeer2 server.
Access Netopeer2 using TLS:
To support clients connecting using TLS, the following configuration files found in
/opt/dev/Netopeer2/example_configuration on the running container:
tls_keystore.xml,
tls_truststore.xml, and
tls_listen.xml
need to be merged into sysrepo configuration of modules:
ietf-keystore,
ietf-truststore, and
ietf-netconf-server, respectively.
After doing so, a NETCONF client can connect with the example client certificate client.crt, client private key client.key and CA certificate ca.pem set as trusted.
We can use sysrepo’s sysrepocfg command to do this. Place the following commands into a script file enable_tls.sh:
$ cat enable_tls.sh
#!/bin/bash
docker exec netopeer sysrepocfg --edit=/opt/dev/Netopeer2/example_configuration/tls_keystore.xml --format=xml --datastore=running --module=ietf-keystore
docker exec netopeer sysrepocfg --edit=/opt/dev/Netopeer2/example_configuration/tls_truststore.xml --format=xml --datastore=running --module=ietf-truststore
docker exec netopeer sysrepocfg --edit=/opt/dev/Netopeer2/example_configuration/tls_listen.xml --format=xml --datastore=running --module=ietf-netconf-server
# Since we merged the configuration we must copy it to the startup config store so it won't get lost
docker exec netopeer sysrepocfg --copy-from=running --datastore=startup
$ chmod 755 enable_tls.sh
$ ./enable_tls.sh
NETCONFc can now connect to this server using the client.crt certificate and the client.key private key, with the ca.pem CA certificate set as trusted.
These example certificates can be found in /opt/dev/Netopeer2/example_configuration/tls_certs on your running Docker container.
Copy it to your host machine (example destination; replace <user>@<host> with your own login on the destination machine):
docker exec -it netopeer scp -r /opt/dev/Netopeer2/example_configuration/tls_certs <user>@<host>:/home/bob
Then move these files to the Windows computer on which NETCONFc runs.
On NETCONFc, click “Connect | NETCONF Over TLS”, enter the following info:
Host: the IP address of the Docker host,
Port: 6513
Client certificate: client.crt
Client private key file: client.key
Trusted root certificate: ca.pem
Click “Connect”, you should be able to connect to your Netopeer2 server.
SSH and TLS Callhome
Using the same SSH user name and password settings, an SSH client can connect to the server using Call Home once the /opt/dev/Netopeer2/example_configuration/ssh_callhome.xml configuration file is merged into the running datastore.
Using the same TLS certificate validation settings, a TLS client can connect to the server using Call Home once the /opt/dev/Netopeer2/example_configuration/tls_callhome.xml configuration file is merged into the running datastore.
Place the following commands into a script file enable_callhome.sh:
$ cat enable_callhome.sh
#!/bin/bash
# First we need to change the default callhome request target so it will be destined to where
# NETCONFc is running.
docker exec netopeer sed -i 's/localhost/192.168.10.119/' /opt/dev/Netopeer2/example_configuration/ssh_callhome.xml
docker exec netopeer sed -i 's/localhost/192.168.10.119/' /opt/dev/Netopeer2/example_configuration/tls_callhome.xml
# Now we merge the configuration into the running datastore with the sysrepocfg command. Don't 'import' it as the
# official Netopeer2 server README says, otherwise the existing configuration would be overwritten.
docker exec netopeer sysrepocfg --edit=/opt/dev/Netopeer2/example_configuration/ssh_callhome.xml --format=xml --datastore=running --module=ietf-netconf-server
docker exec netopeer sysrepocfg --edit=/opt/dev/Netopeer2/example_configuration/tls_callhome.xml --format=xml --datastore=running --module=ietf-netconf-server
docker exec netopeer sysrepocfg --copy-from=running --datastore=startup
$ chmod 755 enable_callhome.sh
$ ./enable_callhome.sh
Now save these changes and create a new Docker image. Otherwise these changes will be lost if you stop your running Docker container.
docker commit netopeer netopeer2/callhome:latest
Start the new Docker image created:
docker run -it --name netopeer2 -p 830:830 -p 6513:6513 --rm netopeer2/callhome:latest
Test SSH Callhome:
Start NETCONFc, click “Connect | NETCONF Over SSH”, enter the following info:
Call home port: 4534
User: netconf
Password: netconf
Click “Start listening for call home”, you should be able to connect to your Netopeer2 server.
Test TLS Callhome:
Click “Connect | NETCONF Over TLS”, enter the following info:
Call home port: 4535
Client certificate: client.crt
Client private key file: client.key
Trusted root certificate: ca.pem
Click “Start listening for call home”, you should be able to connect to your Netopeer2 server.
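As an added example (not code from this page, Netopeer2 or NETCONFc), the following Python script exercises both TLS access paths described above: a client-initiated session on the published port 6513 and a call-home listener on port 4535, in both cases using the example client.crt, client.key and ca.pem, which are assumed to be in the working directory. The Docker host IP passed to connect_direct is yours; the server hello parser is exercised on a constructed sample message.

```python
import socket
import ssl
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
EOM = b"]]>]]>"  # NETCONF 1.0 end-of-message marker used by the <hello> exchange
CLIENT_HELLO = (
    '<hello xmlns="%s"><capabilities>'
    "<capability>urn:ietf:params:netconf:base:1.0</capability>"
    "</capabilities></hello>" % NC_NS
).encode() + EOM

# Constructed sample of a server <hello>, used to exercise the parser offline.
SAMPLE_SERVER_HELLO = (
    '<hello xmlns="%s"><capabilities>'
    "<capability>urn:ietf:params:netconf:base:1.1</capability>"
    "<capability>urn:ietf:params:netconf:base:1.0</capability>"
    "</capabilities><session-id>7</session-id></hello>" % NC_NS
).encode() + EOM


def tls_context(ca="ca.pem", cert="client.crt", key="client.key"):
    """Mutual TLS: trust only ca.pem for the server, present client.crt/client.key."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca)
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    # The example server certificate is not issued for the Docker host's IP, so skip
    # hostname matching; the certificate chain must still validate against ca.pem.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def parse_hello(data):
    """Return (session-id or None, sorted capabilities) from a server <hello> message."""
    root = ET.fromstring(data.split(EOM, 1)[0])
    sid = root.findtext("{%s}session-id" % NC_NS)
    caps = [c.text.strip() for c in root.iter("{%s}capability" % NC_NS) if c.text]
    return sid, sorted(caps)

def exchange_hello(sock):
    """Read the server hello up to ]]>]]>, send ours, return the parsed server hello."""
    buf = b""
    while EOM not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection before sending <hello>")
        buf += chunk
    sock.sendall(CLIENT_HELLO)
    return parse_hello(buf)

def connect_direct(host, port=6513):
    """Client-initiated session: dial the TLS port published with -p 6513:6513."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with tls_context().wrap_socket(raw, server_hostname=host) as tls:
            return exchange_hello(tls)

def accept_call_home(listen_port=4535, timeout=120):
    """Call home (RFC 8071): the server dials us, then we run the TLS client side."""
    with socket.create_server(("0.0.0.0", listen_port)) as srv:
        srv.settimeout(timeout)
        raw, peer = srv.accept()
        with raw, tls_context().wrap_socket(raw) as tls:
            return peer[0], exchange_hello(tls)
```

Run connect_direct("<docker-host-ip>") against the running container, or accept_call_home() before the server's call-home timer fires; either returns the session id and capability list on success and raises an SSL error if the certificate checks fail.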
Tested Netopeer2 version info:
docker exec -it netopeer /usr/bin/netopeer2-server -V
>>netopeer2-server 1.1.49 and later
Legacy Netopeer (Obsolete)
This article shows you how to set up the open source Netopeer server on Ubuntu 15.04 or 15.10 and Fedora 20 to use with Seguesoft's NETCONFc client. Officially the Netopeer distribution claims it only supports RHEL and SUSE, but it should run just fine on other Linux distributions such as Ubuntu and Fedora.
More recent Netopeer distributions include a Dockerfile that can be used to create a container that builds netopeer-server and starts the service. You need a Linux system with a working Docker installation to use it. This article does not cover that; rather, it focuses on the classic way (i.e., configure, make & make install) of installing Netopeer from source.
4. Connect to netopeer server from NETCONFc
5. Configure netopeer server modules using netopeer-manager
* No package 'libnetconf' found when running ./configure for netopeer server
* 'Could not open socket to x.x.x.x:830' error when connecting from NETCONFc
* NACM: Module init failed when running netopeer-configurator
* C compiler cannot create executable or cannot run C compiled programs
* lnctool not found when running configure
* When trying to create a connection from NETCONFc, the server says:
np_ssh_create_client: SSH failed to accept a new connection: Failed to import private RSA host key
* Can't make netopeer server to only listen on IPv4 on a different port?
Note Well:
Netopeer server is the leading open source NETCONF reference implementation. It has many features but sometimes it may prove to be a challenging task to gather all pieces and get it installed successfully on your Linux box.
The following instructions were tested on Ubuntu 15.04 or 15.10 x86_64 and Fedora 20 x86_64 systems. It is assumed that the system on which netopeer will be installed is an out-of-the-box default installation of Ubuntu 15.04 or 15.10 desktop or Fedora 20.
These instructions are based on a snapshot of the libnetconf and netopeer GitHub source repositories on April 20, 2016. Future netopeer releases may require different system packages to be installed. If you find a discrepancy please let us know.
Please read the README and/or INSTALL file that comes with the libnetconf and netopeer distribution for the latest information!
Other distributions and versions of Linux should be similar. The key is to identify the names of the various packages netopeer depends on and install them accordingly. The full list of packages that Netopeer depends on is often different based on what packages have already been installed on your system. You will know which are needed when you run libnetconf's and netopeer's ./configure script to generate Makefiles; if any of them is missing you must install them first.
1. Build libnetconf
1.1 Get libnetconf source :
$ git clone https://github.com/CESNET/libnetconf.git
1.2 Install the following required packages:
On Ubuntu 15.04 or 15.10:
$ sudo apt-get install libtool
$ sudo apt-get install libtool-bin
$ sudo apt-get install libxml2-dev
$ sudo apt-get install libxslt1-dev
$ sudo apt-get install libcurl4-openssl-dev
$ sudo apt-get install xsltproc
$ sudo apt-get install python-setuptools
$ sudo apt-get install cmake
$ sudo apt-get install zlib1g-dev
$ sudo apt-get install libssl-dev
$ sudo apt-get install pkg-config
$ sudo apt-get install libreadline-dev
On Fedora 20+:
$ sudo yum install libtool
$ sudo yum install libxml2-devel
$ sudo yum install libxslt-devel
$ sudo yum install libcurl-devel
$ sudo yum install python-setuptools
$ sudo yum install pkg-config
$ sudo yum install readline-devel
1.3 Install pyang
On either Ubuntu 15.04 or 15.10 or Fedora 20:
$ git clone https://github.com/mbj4668/pyang.git
$ cd pyang
$ sudo python setup.py install
$ cd ..
1.4 Install libssh
On Fedora 20+:
We can simply use the system provided libssh-devel 0.6.4
$ sudo yum install libssh-devel
On Ubuntu 15.04 or 15.10+:
We need to build the latest libssh ourselves, since the system installed libssh is 0.6.3 but libnetconf (and Netopeer server) needs at least 0.6.4.
If you have libssh 0.6.3 installed on the system, remove it and then compile libssh 0.6.4 from the source code.
Get the libssh source and build it:
$ git clone https://git.libssh.org/projects/libssh.git libssh
$ cd libssh
$ mkdir build
$ cd build
$ cmake ..
$ make
$ sudo make install
$ cd ..
1.5 Now finally we can build libnetconf (run the following in the libnetconf source directory):
$ ./configure
$ make
$ sudo make install
If libnetconf's configure script still can't find the libssh you just installed, try setting the following compiler flags before running './configure':
export CPPFLAGS='-I/usr/local/include'
export LDFLAGS='-L/usr/local/lib'
Alternatively you can try installing libssh in /usr, rather than the default /usr/local. To do that, first remove all contents in your libssh ‘build’ directory,
cd build
rm -rf *
then
cmake -DCMAKE_INSTALL_PREFIX=/usr ..
make
sudo make install
2. Build netopeer server
2.1 Get netopeer source
$ git clone https://github.com/CESNET/netopeer.git
2.2 Install dependent package
Ubuntu 15.04 or 15.10:
$ sudo apt-get install python-libxml2
Fedora 20:
$ sudo yum install libxml2-python
(Note this step may not be needed since it may have been installed along with the libxml2-devel rpm.)
2.3 Build Netopeer server
$ cd netopeer/server
$ ./configure
On Fedora 20+, if you get the following error:
configure: error: Package requirements (libnetconf) were not met:
No package 'libnetconf' found
Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.
If so, set the PKG_CONFIG_PATH environment variable to point to the libnetconf pkg-config file explicitly, as shown below:
$ export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
then redo
$ ./configure
$ make
$ sudo make install
2.4 Build TransAPI cfgsystem example (ietf-system module sample implementation)
If this cfgsystem is installed, you should be able to view ietf-system module in NETCONFc.
First install dependent augeas package
Ubuntu:
$ sudo apt-get install libaugeas-dev
Fedora:
$ sudo yum install augeas-devel
Then we can build it:
$ cd netopeer/transAPI/cfgsystem
$ ./configure
Note: ./configure above may fail because of a missing ietf-inet-types.yang module. If that happens, copy the ietf-inet-types YANG file shipped with NETCONFc (its file name carries a revision date), rename it to ietf-inet-types.yang and place it into the source folder, so that we have
netopeer/transAPI/cfgsystem/model/ietf-inet-types.yang
and then we redo
$ ./configure
$ make
$ sudo make install
3. Start netopeer server:
Ubuntu 15.04 or 15.10:
On a desktop Ubuntu system installed with the default configuration, we must install openssh-server in order to run Netopeer (or to ssh into the box in general).
$ sudo apt-get install openssh-server
Then we can start netopeer:
$ sudo /usr/local/bin/netopeer-server -d
Fedora 20:
$ su (log in as root, then)
First, we need add /usr/local/lib into dynamic library search path:
# export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH
Then we need to disable firewall since it is enabled by default
# systemctl stop firewalld
# systemctl disable firewalld
Finally we can start netopeer server
# /usr/local/bin/netopeer-server -d
The -d option makes the server start in daemon mode. You can also set the logging verbosity by specifying a parameter for the -v option from 0 to 3 (errors, warnings, verbose, debug).
4. Connect to netopeer server from NETCONFc
Start NETCONFc, click the 'Connect SSH' toolbar button, and enter the server's host name or IP address, port number, user name and password. By default you should be able to use any SSH user configured on your Ubuntu box to connect. Later you can enable NACM settings to restrict access.
Then click the button “Connect” on the session creation dialog. You should be connected to the server. If error happens, check if the server is running on the specified address and port. Also make sure the correct user name and password are used. See more in troubleshooting section.
For details on how to create a session from NETCONFc and browse default modules on netopeer server, see NETCONFc's menu Help->Help Topics ->First steps with NETCONFc
5. Configure netopeer server modules
To find out the default location to add YANG modules, run
$ sudo /usr/bin/netopeer-configurator
You can find the following information in [Netopeer] section
[Netopeer] Using modules installed in path: /usr/local/etc/netopeer/modules.conf.d
By default all modules' XML instance data (Netopeer calls this a datastore, unfortunately the same terminology as NETCONF's running/candidate/startup datastores) are stored in /usr/local/etc/netopeer/modules.conf.d
When you add a module using netopeer-manager, the --datastore option should point to /usr/local/etc/netopeer/modules.conf.d
Example of using netopeer-manager:
First check what modules are enabled by default:
netopeer-manager list
List of startup Netopeer modules:
No module installed.
OK, no modules are installed. Let's add some modules. To add a model, first convert the .yang file to a .yin file using pyang or Seguesoft's NETCONFc; Netopeer uses the YIN format internally. As an example, let's add the toaster datastore so you can use NETCONFc to configure it.
Download toaster.yang from http://seguesoft.com/get-standard-yang-modules. Then you can do:
$ pyang -f yin /home/bob/YANG_modules/toaster.yang -o /home/bob/YANG_modules/toaster.yin
Then add toaster.yin's datastore into Netopeer as follows
# netopeer-manager add --name toaster --model /home/bob/YANG_modules/toaster.yin --datastore /usr/local/etc/netopeer/modules.conf.d/toaster.xml
For command reference type
netopeer-manager add --help
To actually implement a model, see http://github.com/CESNET/netopeer/tree/master/transAPI/cfgsystem
Possible errors
* No package 'libnetconf' found when running ./configure for netopeer server
On some systems such as Fedora x64, even if we install libnetconf into the default folder /usr/local, compiling netopeer server may fail with the following error:
checking for LIBNETCONF...
configure: error: Package requirements (libnetconf) were not met: No package 'libnetconf' found
We can workaround this by doing the following before running ./configure:
export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
You may also need to adjust the PKG_CONFIG_PATH environment variable if you installed software in a non-standard prefix.
Note: on a typical Unix system, pkg-config searches the directories /usr/lib/pkgconfig and /usr/share/pkgconfig. This usually covers system-installed modules. However, some locally built modules may be installed in a different prefix such as /usr/local. In that case it's necessary to prepend the search path so that pkg-config can locate the .pc files:
$ pkg-config --modversion libnetconf
Package libnetconf was not found in the pkg-config search path. Perhaps you should add the directory containing `libnetconf.pc' to the PKG_CONFIG_PATH environment variable.
$ export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
$ pkg-config --modversion libnetconf
0.8.0
* D-Bus error: connection is not allowed to own the service "org.liberouter.netopeer.server" when trying to start the server
When attempting to start netopeer server, you may get this error.
You need to use --with-dbus-services when running ./configure to generate makefile for netopeer server.
* 'Could not open socket to x.x.x.x:830' when connecting from NETCONFc.
The server is not running, or there is firewall between NETCONFc and Netopeer server that may be blocking port 830.
You can test this by temporarily disabling the firewall.
check the status of the firewall:
#systemctl status firewalld
to disable it:
#systemctl stop firewalld
#systemctl disable firewalld
You may also need to disable your SELinux or add port 830 as an additional port allowed by SELinux. For example, on Fedora:
sudo semanage port -a -t ssh_port_t -p tcp 830
sudo systemctl restart sshd
To disable SELinux,
vi /etc/selinux/config, change the setting to "disabled", save and restart your computer. To verify:
getenforce
>>Disabled
To set SELinux to permissive without restarting your computer
sudo setenforce 0
* 'Unexpected session close or server is not running' when trying to connect to netopeer server from NETCONFc
This usually indicates netopeer-agent could not be started successfully, perhaps because it was not able to locate dependent libraries.
First, try adding /usr/local/lib (or prefix/lib, if you used --prefix when running ./configure) to the library search path. To do this, when logged in as root,
# vi /etc/ld.so.conf
and then add a new line /usr/local/lib at the end. So after editing it looks like:
include ld.so.conf.d/*.conf
/usr/local/lib
save and run the following command:
# ldconfig
If it still does not work, try connecting manually and check the logs for hints:
# ssh yourUserName@your-netopeer-server -p 830 -s netconf -F /usr/local/etc/netopeer/sshd_config
Check sshd log for additional hint:
cat /var/log/secure
If you see the following line:
pam_loginuid(sshd:session): set_loginuid failed opening loginuid
It's because the kernel doesn't have AUDIT enabled, so you get a bunch of "set_loginuid failed opening loginuid" errors in /var/log/secure.
Then just comment out this line in the file /etc/pam.d/sshd:
#session required pam_loginuid.so
This may happen on some Linux installations or on a Linux VM installed in Oracle VirtualBox. If you have no way to recompile the kernel, just disable pam_loginuid.so as shown above.
NACM: Module init failed when running netopeer-configurator
Usually this means you need to update PKG_CONFIG_PATH for root before invoking this command:
export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
To make this permanent, add the same line to the root user's .bashrc file.
C compiler cannot create executable
If you get an error complaining "C compiler cannot create executable" when running ./configure, make sure you have a complete working C development environment installed; you may also need a recent C compiler.
For example on Fedora you need to do
yum groupinstall "Development Tools"
You may also need to install the following packages:
yum install libssh2-devel
yum install libxslt-devel
yum install libcurl-devel
yum install libxslt (provides xsltproc)
On ubuntu:
sudo apt-get install libssh2-1-dev
sudo apt-get install libxslt1-dev
sudo apt-get install libcurl4-openssl-dev
lnctool not found when running netopeer configure
This usually indicates libnetconf was not built with pyang present. Check that you have Python and pyang installed. If not, install them first and then reinstall libnetconf.
netopeer-server: np_ssh_create_client: SSH failed to accept a new connection: Failed to import private RSA host key
This indicates the SSH server is not enabled. In Ubuntu Desktop edition the SSH server is not installed or enabled by default; to enable it:
sudo apt-get install openssh-server
sudo /etc/init.d/ssh restart
Can't make Netopeer server listen on IPv4 only or on a specific port
You need to change the startup config in /usr/local/etc/netopeer/cfgnetopeer/datastore-server.xml like the following:
<?xml version="1.0" encoding="UTF-8"?>
<datastores xmlns="urn:cesnet:tmc:datastores:file">
  <running lock=""/>
  <startup lock="">
    <netconf xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server">
      <ssh>
        <listen>
          <interface>
            <address>0.0.0.0</address>
            <port>830</port>
          </interface>
        </listen>
      </ssh>
    </netconf>
  </startup>
  <candidate modified="false" lock=""/>
</datastores>