Last updated on December 20, 2024
Build and Set up Netopeer2 Docker Container for testing Call Home
Netopeer2 Dockerfile:
Use the latest Dockerfile from the sysrepo repository:
https://hub.docker.com/r/sysrepo/sysrepo-netopeer2
Access Netopeer2 using SSH:
Run the Docker container; by default you should be able to access it via SSH:
$ docker run -it --name netopeer -p 830:830 -p 6513:6513 --rm netopeer2:latest
Note we are also exposing the TLS port 6513, which we will need when enabling TLS access in the next step.
Start NETCONFc, click “Connect | NETCONF Over SSH”, and enter the following info:
Host: the IP address of the Docker host,
Port: 830
User: netconf
Password: netconf
Click “Connect”; you should be able to connect to your Netopeer2 server.
Access Netopeer2 using TLS:
To support clients connecting over TLS, the following configuration files, found in
/opt/dev/Netopeer2/example_configuration on the running container, need to be merged into the sysrepo configuration of the corresponding modules:
tls_keystore.xml into ietf-keystore,
tls_truststore.xml into ietf-truststore, and
tls_listen.xml into ietf-netconf-server.
After doing so, a NETCONF client can connect with the example client certificate client.crt, client private key client.key and CA certificate ca.pem set as trusted.
We can use sysrepo’s sysrepocfg command to do this. Place the following commands into a script file enable_tls.sh:
$ cat enable_tls.sh
#!/bin/bash
docker exec netopeer sysrepocfg --edit=/opt/dev/Netopeer2/example_configuration/tls_keystore.xml --format=xml --datastore=running --module=ietf-keystore
docker exec netopeer sysrepocfg --edit=/opt/dev/Netopeer2/example_configuration/tls_truststore.xml --format=xml --datastore=running --module=ietf-truststore
docker exec netopeer sysrepocfg --edit=/opt/dev/Netopeer2/example_configuration/tls_listen.xml --format=xml --datastore=running --module=ietf-netconf-server
# Since we merged the configuration into the running datastore, we must copy it to the startup datastore so it won't get lost
docker exec netopeer sysrepocfg --copy-from=running --datastore=startup
$ chmod 755 enable_tls.sh
$ ./enable_tls.sh
NETCONFc can now connect to this server using the client.crt certificate and the client.key private key, with ca.pem set as the trusted CA certificate.
These example certificates can be found in /opt/dev/Netopeer2/example_configuration/tls_certs on your running Docker container.
Copy them to your host machine (example destination):
docker exec -it netopeer scp -r /opt/dev/Netopeer2/example_configuration/tls_certs bob@192.168.10.133:/home/bob
Then move these files to the Windows computer on which NETCONFc runs.
On NETCONFc, click “Connect | NETCONF Over TLS”, enter the following info:
Host: the IP address of the Docker host,
Port: 6513
Client certificate: client.crt
Client private key file: client.key
Trusted root certificate: ca.pem
Click “Connect”; you should be able to connect to your Netopeer2 server.
SSH and TLS Callhome
Using the same SSH user name and password settings, an SSH client can be connected to the server using Call Home once the /opt/dev/Netopeer2/example_configuration/ssh_callhome.xml configuration file is merged into the running datastore.
Using the same TLS certificate validation settings, a TLS client can be connected to the server using Call Home once the /opt/dev/Netopeer2/example_configuration/tls_callhome.xml configuration file is merged into the running datastore.
Place the following commands into a script file enable_callhome.sh:
$ cat enable_callhome.sh
#!/bin/bash
# First we need to change the default call home target so the request is sent to the host
# where NETCONFc is running.
docker exec netopeer sed -i 's/localhost/192.168.10.119/' /opt/dev/Netopeer2/example_configuration/ssh_callhome.xml
docker exec netopeer sed -i 's/localhost/192.168.10.119/' /opt/dev/Netopeer2/example_configuration/tls_callhome.xml
# Now we merge the configuration into the running datastore with the sysrepocfg command. Don't use 'import' as the
# official Netopeer2 server README says, otherwise the existing configuration may be overwritten.
docker exec netopeer sysrepocfg --edit=/opt/dev/Netopeer2/example_configuration/ssh_callhome.xml --format=xml --datastore=running --module=ietf-netconf-server
docker exec netopeer sysrepocfg --edit=/opt/dev/Netopeer2/example_configuration/tls_callhome.xml --format=xml --datastore=running --module=ietf-netconf-server
docker exec netopeer sysrepocfg --copy-from=running --datastore=startup
$ chmod 755 enable_callhome.sh
$ ./enable_callhome.sh
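As an added example (not part of this guide or of Netopeer2), the sed step in the script above can be replaced by a parser-based rewrite that changes only the remote-address leaves and rejects malformed targets, so a stray "localhost" elsewhere in the file is left alone. The sample XML is constructed here and its element layout is assumed, not taken from Netopeer2's ssh_callhome.xml.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:yang:ietf-netconf-server"
# Constructed sample shaped like an ietf-netconf-server call-home entry (layout assumed, not copied from Netopeer2).
SAMPLE_CALLHOME_XML = f"""<netconf-server xmlns="{NS}">
  <call-home><netconf-client><name>default-client</name><endpoints>
    <endpoint><name>default-ssh</name><ssh><tcp-client-parameters>
      <remote-address>localhost</remote-address><remote-port>4534</remote-port>
    </tcp-client-parameters></ssh></endpoint>
  </endpoints></netconf-client></call-home>
</netconf-server>"""

# RFC 1123 style hostname, or an IPv4/IPv6 literal; anything else is rejected.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)

def _local(tag):  # '{ns}name' -> 'name'
    return tag.rsplit("}", 1)[-1]

def valid_target(host):
    """True if host is an IP address literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(host))

def retarget_callhome(xml_text, new_host):
    """Point every call-home <remote-address> at new_host; return (xml, [(name, address, port), ...]).
    Only the address leaves change, unlike a blind sed substitution over the whole file."""
    if not valid_target(new_host):
        raise ValueError(f"refusing call-home target {new_host!r}")
    ET.register_namespace("", NS)          # keep the default namespace on output
    root = ET.fromstring(xml_text)
    endpoints = []
    for ep in (e for e in root.iter() if _local(e.tag) == "endpoint"):
        name, addr, port = None, None, None
        for el in ep.iter():
            local = _local(el.tag)
            if local == "name" and name is None:   # first <name> is the endpoint's own
                name = el.text
            elif local == "remote-address":
                el.text = addr = new_host
            elif local == "remote-port":
                port = int(el.text)
        endpoints.append((name, addr, port))
    return ET.tostring(root, encoding="unicode"), endpoints
```

The rewritten XML can then be fed back to the container with the same sysrepocfg --edit invocation as in the script.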
Now save these changes and create a new Docker image. Otherwise, these changes will be lost if you stop your running Docker container.
docker commit netopeer netopeer2/callhome:latest
Start the new Docker image created:
docker run -it --name netopeer2 -p 830:830 -p 6513:6513 --rm netopeer2/callhome:latest
Test SSH Callhome:
Start NETCONFc, click “Connect | NETCONF Over SSH”, and enter the following info:
Call home port: 4534
User: netconf
Password: netconf
Click “Start listening for call home”; you should be able to connect to your Netopeer2 server.
Test TLS Callhome:
Click “Connect | NETCONF Over TLS”, and enter the following info:
Call home port: 4535
Client certificate: client.crt
Client private key file: client.key
Trusted root certificate: ca.pem
Click “Start listening for call home”; you should be able to connect to your Netopeer2 server.
Tested Netopeer2 version info:
docker exec -it netopeer /usr/bin/netopeer2-server -V
>>netopeer2-server 1.1.49 and later
Can't make the Netopeer server listen on IPv4 only or on a specific port
You need to change the startup config in /usr/local/etc/netopeer/cfgnetopeer/datastore-server.xml like the following:
<?xml version="1.0" encoding="UTF-8"?>
<datastores xmlns="urn:cesnet:tmc:datastores:file">
  <running lock=""/>
  <startup lock="">
    <netconf xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server">
      <ssh>
        <listen>
          <interface>
            <address>0.0.0.0</address>
            <port>830</port>
          </interface>
        </listen>
      </ssh>
    </netconf>
  </startup>
  <candidate modified="false" lock=""/>
</datastores>