Question
How to modify config on all the devices (FlexVNFs) from Versa Director using Netconf?
Solution
Refer to the addnacm.xml (Netconf) and the Shell Script to understand how the NACM rules are edited for all the OPER users on all the devices (FlexVNFs) from the Versa Director.
The shell script iterates over all the devices (FlexVNFs), fetches their names and IP addresses, and runs the netconf-console application against each one with the XML file, which must be placed at /tmp/addnacm.xml (the script assumes the username/password admin/versa123).
The shell script excludes device names containing DataStore or ScratchPad. A similar approach can be used to prune the list for Branches or Controllers.
The addnacm.xml
<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
  </capabilities>
</hello>
]]>]]>
<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <edit-config xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
    <target>
      <candidate/>
    </target>
    <config>
      <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
        <rule-list operation="replace">
          <!-- NOTE: this is required because of user-defined order -->
          <name>oper</name>
          <group>oper</group>
          <rule>
            <name>allow</name>
            <access-operations>read</access-operations>
            <action>permit</action>
          </rule>
          <rule>
            <name>rest</name>
            <action>deny</action>
          </rule>
          <cmdrule xmlns="http://tail-f.com/yang/acm">
            <name>denyshell</name>
            <command>shell</command>
            <action>deny</action>
          </cmdrule>
          <cmdrule xmlns="http://tail-f.com/yang/acm">
            <!-- we want this as last but one -->
            <name>denyrbk</name>
            <command>rollback</command>
            <action>deny</action>
          </cmdrule>
          <cmdrule xmlns="http://tail-f.com/yang/acm">
            <name>read_only</name>
            <command>*</command>
            <access-operations>read exec</access-operations>
            <action>permit</action>
          </cmdrule>
        </rule-list>
      </nacm>
    </config>
  </edit-config>
</rpc>
]]>]]>
<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
  <commit/>
</rpc>
]]>]]>
<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
  <close-session/>
</rpc>
]]>]]>
The Shell Script
#!/bin/bash
# NETCONF payload that is pushed to every device
INPUTXML=/tmp/addnacm.xml

# List every device and its address from the Director's NCS CLI
echo -e "configure\nshow devices device address | display set" | \
/opt/versa/vnms/ncs/current/bin/ncs_cli -u Administrator 2>&1 | \
while read -r LINE; do
    # Field 4 of each line is the device name, field 6 its IP address
    read -r ORG IP <<<"$(echo "$LINE" | awk '{print $4" "$6}')"
    # Skip the DataStore and ScratchPad entries
    if [[ ! $ORG =~ -DataStore ]] && [[ ! $ORG =~ -ScratchPad ]]; then
        # echo "$ORG => $IP "
        if ping -W 2 -c 1 "$IP" >& /dev/null; then
            echo "$ORG is reachable, editing config ..."
            /opt/versa/vnms/ncs/current/bin/netconf-console --host="$IP" --port=2022 -u admin -p versa123 "$INPUTXML"
        else
            echo "$ORG UNREACHABLE. Ignore."
        fi
    fi
done
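The comments in addnacm.xml stress rule order because NACM rules are evaluated first match wins. The following check is an added example, not part of the original article or of Versa's tooling: it parses the rule-list and reports what an oper user is allowed to do before the file is pushed. The function names are hypothetical, and the matching is a simplified model (first word of the command only; a missing access-operations leaf is treated as "*").

```python
import xml.etree.ElementTree as ET

NACM = "{urn:ietf:params:xml:ns:yang:ietf-netconf-acm}"
TAILF = "{http://tail-f.com/yang/acm}"

# Rule-list copied from addnacm.xml on this page, compacted, NETCONF framing removed.
RULE_LIST = """
<rule-list xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <name>oper</name><group>oper</group>
  <rule><name>allow</name><access-operations>read</access-operations><action>permit</action></rule>
  <rule><name>rest</name><action>deny</action></rule>
  <cmdrule xmlns="http://tail-f.com/yang/acm"><name>denyshell</name><command>shell</command><action>deny</action></cmdrule>
  <cmdrule xmlns="http://tail-f.com/yang/acm"><name>denyrbk</name><command>rollback</command><action>deny</action></cmdrule>
  <cmdrule xmlns="http://tail-f.com/yang/acm"><name>read_only</name><command>*</command><access-operations>read exec</access-operations><action>permit</action></cmdrule>
</rule-list>
"""

def load_rules(xml_text):
    """Return (data_rules, cmd_rules) as lists of dicts, in document order."""
    root = ET.fromstring(xml_text)
    def parse(elem, ns):
        return {
            "name": elem.findtext(ns + "name"),
            "command": elem.findtext(ns + "command"),
            # Assumption: no access-operations leaf means all operations ("*").
            "ops": (elem.findtext(ns + "access-operations") or "*").split(),
            "action": elem.findtext(ns + "action"),
        }
    return ([parse(e, NACM) for e in root.findall(NACM + "rule")],
            [parse(e, TAILF) for e in root.findall(TAILF + "cmdrule")])

def decide(rules, op, command=None):
    """First matching rule wins; returns (rule name, action) or (None, None)."""
    for r in rules:
        op_ok = "*" in r["ops"] or op in r["ops"]
        # Simplification: compare only the first word of the CLI command.
        cmd_ok = command is None or r["command"] in ("*", command.split()[0])
        if op_ok and cmd_ok:
            return r["name"], r["action"]
    return None, None

def audit(xml_text):
    """Decisions an oper user gets for the requests this rule-list is meant to control."""
    data, cmds = load_rules(xml_text)
    return {
        "read": decide(data, "read")[1], "update": decide(data, "update")[1],
        "shell": decide(cmds, "exec", "shell")[1],
        "rollback": decide(cmds, "exec", "rollback 1")[1],
        "show": decide(cmds, "exec", "show interfaces brief")[1],
    }
```

Calling decide() on the cmdrules in reversed order returns ("read_only", "permit") for shell, which is the failure the ordering comments in the XML guard against.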