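// YANG 1.1 schema for the Clixon configuration file.
// It defines the value sets (typedefs) used by the options and one top-level
// container, clixon-config, holding the CLICON_* options.
// Lines marked NOTE(review) are reviewer observations on security-relevant
// defaults; where the behaviour is not established by this file they are
// worded as assumptions to confirm.
module clixon-config {
    yang-version 1.1;
    namespace "http://clicon.org/config";
    prefix cc;

    organization
        "Clicon / Clixon";

    contact
        "Olof Hagsand <olof@hagsand.se>";

    description
        "Clixon configuration file
         ***** BEGIN LICENSE BLOCK *****
         Copyright (C) 2009-2019 Olof Hagsand
         Copyright (C) 2020 Olof Hagsand and Rubicon Communications, LLC(Netgate)

         This file is part of CLIXON

         Licensed under the Apache License, Version 2.0 (the \"License\");
         you may not use this file except in compliance with the License.
         You may obtain a copy of the License at
         http://www.apache.org/licenses/LICENSE-2.0
         Unless required by applicable law or agreed to in writing, software
         distributed under the License is distributed on an \"AS IS\" BASIS,
         WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
         See the License for the specific language governing permissions and
         limitations under the License.

         Alternatively, the contents of this file may be used under the terms of
         the GNU General Public License Version 3 or later (the \"GPL\"),
         in which case the provisions of the GPL are applicable instead
         of those above. If you wish to allow use of your version of this file only
         under the terms of the GPL, and not to allow others to
         use your version of this file under the terms of Apache License version 2,
         indicate your decision by deleting the provisions above and replace them with
         the notice and other provisions required by the GPL. If you do not delete
         the provisions above, a recipient may use your version of this file under
         the terms of any one of the Apache License version 2 or the GPL.

         ***** END LICENSE BLOCK *****";

    revision 2020-10-01 {
        description
            "Added: CLICON_CONFIGDIR";
    }
    revision 2020-08-17 {
        description
            "Added: CLICON_RESTCONF_IPV4_ADDR, CLICON_RESTCONF_IPV6_ADDR,
             CLICON_RESTCONF_HTTP_PORT, CLICON_RESTCONF_HTTPS_PORT
             CLICON_NAMESPACE_NETCONF_DEFAULT,
             CLICON_CLI_HELPSTRING_TRUNCATE, CLICON_CLI_HELPSTRING_LINES";
    }
    revision 2020-06-17 {
        description
            "Added: CLICON_CLI_LINES_DEFAULT
             Added enum HIDE to CLICON_CLI_GENMODEL
             Added CLICON_SSL_SERVER_CERT, CLICON_SSL_SERVER_KEY, CLICON_SSL_CA_CERT
             Added CLICON_NACM_DISABLED_ON_EMPTY
             Removed default value of CLICON_NACM_RECOVERY_USER";
    }
    revision 2020-04-23 {
        description
            "Added: CLICON_YANG_UNKNOWN_ANYDATA to treat unknown XML (wrt YANG) as anydata.
             Deleted: xml-stats non-config data (replaced by rpc stats in clixon-lib.yang)";
    }
    revision 2020-02-22 {
        description
            "Added: search index extension,
             Added: clixon-stats state for clixon XML and memory statistics.
             Added: CLICON_CLI_BUF_START and CLICON_CLI_BUF_THRESHOLD for quadratic and linear
             growth of CLIgen buffers (cbuf:s)
             Added: CLICON_VALIDATE_STATE_XML for controlling validation of user state XML
             Added: CLICON_YANG_LIST_CHECK to skip list key checks";
    }
    revision 2019-09-11 {
        description
            "Added: CLICON_BACKEND_USER: drop of privileges to user,
             CLICON_BACKEND_PRIVILEGES: how to drop privileges
             CLICON_NACM_CREDENTIALS: If and how to check backend sock privileges with NACM
             CLICON_NACM_RECOVERY_USER: Name of NACM recovery user.";
    }
    revision 2019-06-05 {
        description
            "Added: CLICON_YANG_REGEXP, CLICON_CLI_TAB_MODE,
             CLICON_CLI_HIST_FILE, CLICON_CLI_HIST_SIZE,
             CLICON_XML_CHANGELOG, CLICON_XML_CHANGELOG_FILE;
             Renamed CLICON_XMLDB_CACHE to CLICON_DATASTORE_CACHE (changed type)
             Deleted: CLICON_XMLDB_PLUGIN, CLICON_USE_STARTUP_CONFIG";
    }
    revision 2019-03-05{
        description
            "Changed URN. Changed top-level symbol to clixon-config.
             Released in Clixon 3.10";
    }
    revision 2019-02-06 {
        description
            "Released in Clixon 3.9";
    }
    revision 2018-10-21 {
        description
            "Released in Clixon 3.8";
    }
    extension search_index {
        description "This list argument acts as a search index using optimized binary search.
                    ";
    }
    typedef startup_mode{
        description
            "Which method to boot/start clicon backend.
             The methods differ in how they reach a running state
             Which source database to commit from, if any.";
        type enumeration{
            enum none{
                description
                    "Do not touch running state
                     Typically after crash when running state and db are synched";
            }
            enum init{
                description
                    "Initialize running state.
                     Start with a completely clean running state";
            }
            enum running{
                description
                    "Commit running db configuration into running state
                     After reboot if a persistent running db exists";
            }
            enum startup{
                description
                    "Commit startup configuration into running state
                     After reboot when no persistent running db exists";
            }
        }
    }
    typedef datastore_format{
        description
            "Datastore format.";
        type enumeration{
            enum xml{
                description "Save and load xmldb as XML";
            }
            enum json{
                description "Save and load xmldb as JSON";
            }
        }
    }
    typedef datastore_cache{
        description
            "XML configuration, ie running/candidate/ datastore cache behaviour.";
        type enumeration{
            enum nocache{
                description "No cache, always work directly with file";
            }
            enum cache{
                description "Use in-memory cache.
                             Make copies when accessing internally.";
            }
            // NOTE(review): with zero-copy, callbacks operate on the cache
            // itself, so a faulty plugin callback can alter datastore
            // contents outside a commit. Use only with trusted, reviewed
            // plugins.
            enum cache-zerocopy{
                description "Use in-memory cache and don't copy.
                             Fastest but opens up for callbacks changing cache.";
            }
        }
    }
    typedef cli_genmodel_type{
        description
            "How to generate CLI from YANG model,
             eg {container c {list a{ key x; leaf x; leaf y;}}";
        type enumeration{
            enum NONE{
                description "No extra keywords: c a <x> <y>";
            }
            enum VARS{
                description "Keywords on non-key variables: c a <x> y <y>";
            }
            enum ALL{
                description "Keywords on all variables: c a x <x> y <y>";
            }
            enum HIDE{
                description "Keywords on non-key variables and hide container around lists: a <x> y <y>";
            }
        }
    }
    typedef nacm_mode{
        description
            "Mode of RFC8341 Network Configuration Access Control Model.
             It is unclear from the RFC whether NACM rules are internal
             in a configuration (ie embedded in regular config) or external/OOB
             in a separate, specific NACM-config";
        type enumeration{
            enum disabled{
                description "NACM is disabled";
            }
            enum internal{
                description "NACM is enabled and available in the regular config";
            }
            enum external{
                description "NACM is enabled and available in a separate config";
            }
        }
    }
    typedef regexp_mode{
        description
            "The regular expression engine Clixon uses in its validation of
             Yang patterns, and in the CLI.
             Yang RFC 7950 stipulates XSD XML Schema regexps
             according to W3C XML Schema Part 2: Datatypes Second Edition,
             see http://www.w3.org/TR/2004/REC-xmlschema-2-20041028#regexs";
        type enumeration{
            // NOTE(review): the translation is described as incomplete, so a
            // YANG pattern used as an input filter may behave differently
            // here than under a full XSD engine; test security-relevant
            // patterns against the engine actually configured.
            enum posix {
                description
                    "Translate XSD XML Schema regexp:s to Posix regexp. This is
                     not a complete translation, but can be considered good-enough
                     for Yang use-cases as defined by openconfig and yang-models
                     for example.";
            }
            enum libxml2 {
                description
                    "Use libxml2 XSD XML Schema regexp engine. This is a complete
                     XSD regexp engine.
                     Requires libxml2 to be available at configure time
                     (HAVE_LIBXML2 should be set)";
            }
        }
    }
    typedef priv_mode{
        description
            "Privilege mode, used for dropping (or not) privileges to a non-privileged
             user after initialization";
        type enumeration{
            enum none {
                description
                    "Make no drop/change in privileges.";
            }
            enum drop_perm {
                description
                    "After initialization, drop privileges permanently to a uid";
            }
            // NOTE(review): a temporary drop changes only the effective uid;
            // presumably the process keeps the ability to regain its original
            // privileges, so this limits accidents rather than containing a
            // compromised backend. Prefer drop_perm where the deployment
            // allows it.
            enum drop_temp {
                description
                    "After initialization, drop privileges temporarily to a euid";
            }
        }
    }
    typedef nacm_cred_mode{
        description
            "How NACM user should be matched with unix socket peer credentials.
             This means nacm user must match socket peer user accessing the
             backend socket. For IP sockets only mode none makes sense.";
        type enumeration{
            // NOTE(review): in this mode the NACM user name is whatever the
            // client asserts, so NACM rules do not separate clients that can
            // reach the backend socket. Access to the socket itself is then
            // the only control.
            enum none {
                description
                    "Don't match NACM user to any user credentials. Any user can pose
                     as any other user. Set this for IP sockets, or don't use NACM.";
            }
            enum exact {
                description
                    "Exact match between NACM user and unix socket peer user.";
            }
            // NOTE(review): root and the www (restconf) user are exempt from
            // the match, so a process running as either is trusted to name
            // any NACM user, including the recovery user.
            enum except {
                description
                    "Exact match between NACM user and unix socket peer user, except
                     for root and www user (restconf).";
            }
        }
    }

    container clixon-config {
        leaf-list CLICON_FEATURE {
            description
                "Supported features as used by YANG feature/if-feature
                 value is: <module>:<feature>, where <module> and <feature>
                 are either names, or the special character '*'.
                 *:* means enable all features
                 <module>:* means enable all features in the specified module
                 *:<feature> means enable the specific feature in all modules";
            type string;
        }
        leaf-list CLICON_YANG_DIR {
            ordered-by user;
            type string;
            description
                "Yang directory path for finding module and submodule files.
                 A list of these options should be in the configuration.
                 When loading a Yang module, Clixon searches this list in the order
                 they appear. Ensure that YANG_INSTALLDIR(default
                 /usr/local/share/clixon) is present in the path";
        }
        leaf CLICON_CONFIGFILE{
            type string;
            description
                "Location of the main configuration-file.
                 Default is CLIXON_DEFAULT_CONFIG=/usr/local/etc/clicon.xml set in configure.
                 Note that due to bootstrapping, this value is not actually read from file
                 and therefore a default value would be meaningless.";
        }
        // NOTE(review): files in this directory overwrite leaf values from
        // the main config file, including the NACM, socket and plugin
        // options below. The directory needs the same ownership and write
        // restrictions as the main config file.
        leaf CLICON_CONFIGDIR{
            type string;
            description
                "Location of directory of extra configuration files.
                 If not given, only main configfile is read.
                 If given, and if the directory exists, all files in this directory will be loaded
                 AFTER the main config file (CLICON_CONFIGFILE) in the following way:
                 - leaf values are overwritten
                 - leaf-list values are appended
                 The files in this directory will be loaded alphabetically.
                 If the dir is given but does not exist, an error results.
                 You can override file setting with -E <dir> command-line option.
                 Note that due to bootstrapping this value is only meaningful in the main config file";
        }
        leaf CLICON_YANG_MAIN_FILE {
            type string;
            description
                "If specified load a yang module in a specific absolute filename.
                 This corresponds to the -y command-line option in most Clixon
                 programs.";
        }
        leaf CLICON_YANG_MAIN_DIR {
            type string;
            description
                "If given, load all modules in this directory (all .yang files)
                 See also CLICON_YANG_DIR which specifies a path of dirs";
        }
        leaf CLICON_YANG_MODULE_MAIN {
            type string;
            description
                "Option used to construct initial yang file:
                 <module>[@<revision>]";
        }
        leaf CLICON_YANG_MODULE_REVISION {
            type string;
            description
                "Option used to construct initial yang file:
                 <module>[@<revision>].
                 Used together with CLICON_YANG_MODULE_MAIN";
        }
        leaf CLICON_YANG_REGEXP {
            type regexp_mode;
            default posix;
            description
                "The regular expression engine Clixon uses in its validation of
                 Yang patterns, and in the CLI.
                 There is a 'good-enough' posix translation mode and a complete
                 libxml2 mode";
        }
        leaf CLICON_YANG_LIST_CHECK {
            type boolean;
            default true;
            description
                "If false, skip Yang list check sanity checks from RFC 7950, Sec 7.8.2:
                 The 'key' statement, which MUST be present if the list represents configuration.
                 Some yang specs seem not to fulfil this. However, if you reset this, there may
                 be follow-up errors due to code that assumes a configuration list has keys";
        }
        // NOTE(review): per the description, enabling this can suppress
        // errors for malformed XML/JSON outside startup loading as well.
        // Keep the default (false) wherever input validation is relied on.
        leaf CLICON_YANG_UNKNOWN_ANYDATA{
            type boolean;
            default false;
            description
                "Treat unknown XML/JSON nodes as anydata when loading from startup db.
                 This does not apply to namespaces, which means a top-level node: xxx:yyy
                 is accepted only if yyy is unknown, not xxx.
                 Note that this option has several caveats which need to be fixed. Please
                 use with care.
                 The primary issue is that the unknown->anydata handling is not restricted to
                 only loading from startup but may occur in other circumstances as well. This
                 means that sanity checks of erroneous XML/JSON may not be properly signalled.";
        }
        // NOTE(review): every matching .so in this directory is loaded into
        // the backend, so write access to the directory amounts to code
        // execution as the backend user. Whether loading happens before the
        // CLICON_BACKEND_USER privilege drop is not shown here - confirm.
        // The same applies to the NETCONF, RESTCONF and CLI plugin
        // directories below.
        leaf CLICON_BACKEND_DIR {
            type string;
            description
                "Location of backend .so plugins. Load all .so
                 plugins in this dir as backend plugins";
        }
        // NOTE(review): the '.' in the default is an unescaped regexp
        // metacharacter, so the pattern matches any file name ending in
        // <any character>so, not only names ending in ".so". An escaped dot
        // would state the intent; the default is left unchanged here.
        leaf CLICON_BACKEND_REGEXP {
            type string;
            description
                "Regexp of matching backend plugins in CLICON_BACKEND_DIR";
            default "(.so)$";
        }
        leaf CLICON_NETCONF_DIR {
            type string;
            description "Location of netconf (frontend) .so plugins";
        }
        leaf CLICON_RESTCONF_DIR {
            type string;
            description
                "Location of restconf (frontend) .so plugins. Load all .so
                 plugins in this dir as restconf code plugins";
        }
        // NOTE(review): the nginx example path in the description differs
        // from the default value; the webserver must point at the path
        // actually configured here.
        leaf CLICON_RESTCONF_PATH {
            type string;
            default "/www-data/fastcgi_restconf.sock";
            description
                "FastCGI unix socket. Should be specified in webserver
                 Eg in nginx: fastcgi_pass unix:/www-data/clicon_restconf.sock";
        }
        leaf CLICON_RESTCONF_PRETTY {
            type boolean;
            default true;
            description
                "Restconf return value pretty print.
                 Restconf clients may add HTTP header:
                 Accept: application/yang-data+json, or
                 Accept: application/yang-data+xml
                 to get return value in XML or JSON.
                 RFC 8040 examples print XML and JSON in pretty-printed form.
                 Setting this value to false makes restconf return not pretty-printed
                 which may be desirable for performance or tests";
        }
        // NOTE(review): the defaults "0.0.0.0" and "::" are the wildcard
        // addresses, so the native RESTCONF server listens on every
        // interface unless these are set. Bind to the management or
        // loopback address where RESTCONF is not meant to be reachable
        // from all networks.
        leaf CLICON_RESTCONF_IPV4_ADDR {
            type string;
            default "0.0.0.0";
            description
                "RESTCONF IPv4 socket binding address.
                 Applies to native http by config option --with-restconf=evhtp.";
        }
        leaf CLICON_RESTCONF_IPV6_ADDR {
            type string;
            default "::";
            description
                "RESTCONF IPv6 socket binding address.
                 Applies to native http by config option --with-restconf=evhtp.";
        }
        // NOTE(review): this is the non-ssl port; credentials and
        // configuration data sent to it are presumably unencrypted on the
        // wire. Prefer the HTTPS port for anything beyond local testing.
        leaf CLICON_RESTCONF_HTTP_PORT {
            type uint16;
            default 80;
            description
                "RESTCONF socket binding port, non-ssl
                 In the restconf daemon, it can be overridden by -P <port>
                 Applies to native http only by config option --with-restconf=evhtp.";
        }
        leaf CLICON_RESTCONF_HTTPS_PORT {
            type uint16;
            default 443;
            description
                "RESTCONF socket binding port, ssl
                 In the restconf daemon, this is the port chosen if -s is given.
                 Note it can be overridden by -P <port>
                 Applies to native http by config option --with-restconf=evhtp.";
        }
        leaf CLICON_SSL_SERVER_CERT {
            type string;
            default "/etc/ssl/certs/clixon-server-crt.pem";
            description
                "SSL server cert for restconf https.
                 Applies to native http only by config option --with-restconf=evhtp.";
        }
        // NOTE(review): the private key file should be readable only by the
        // user the restconf daemon runs as.
        leaf CLICON_SSL_SERVER_KEY {
            type string;
            default "/etc/ssl/private/clixon-server-key.pem";
            description
                "SSL server private key for restconf https.
                 Applies to native http only by config option --with-restconf=evhtp.";
        }
        // NOTE(review): client certificates are checked against this CA, so
        // whoever can replace the file decides which clients authenticate.
        // Keep it writable by the administrator only.
        leaf CLICON_SSL_CA_CERT {
            type string;
            default "/etc/ssl/certs/clixon-ca_crt.pem";
            description
                "SSL CA cert for client authentication.
                 Applies to native http only by config option --with-restconf=evhtp.";
        }
        leaf CLICON_CLI_DIR {
            type string;
            description
                "Directory containing frontend cli loadable plugins. Load all .so
                 plugins in this directory as CLI object plugins";
        }
        leaf CLICON_CLISPEC_DIR {
            type string;
            description
                "Directory containing frontend cligen spec files. Load all .cli
                 files in this directory as CLI specification files.
                 See also CLICON_CLISPEC_FILE.";
        }
        leaf CLICON_CLISPEC_FILE {
            type string;
            description
                "Specific frontend cligen spec file as alternative or complement
                 to CLICON_CLISPEC_DIR. Also available as -c in clixon_cli.";
        }
        leaf CLICON_CLI_MODE {
            type string;
            default "base";
            description
                "Startup CLI mode. This should match a CLICON_MODE variable set in
                 one of the clispec files";
        }
        leaf CLICON_CLI_GENMODEL {
            type int32;
            default 1;
            description
                "0: Do not generate CLISPEC syntax for the auto-cli.
                 1: Generate a CLI specification for CLI completion of all loaded Yang modules.
                    This CLI tree can be accessed in CLI-spec files using the tree reference syntax (eg
                    @datamodel).
                 2: Same including state syntax in a tree called @datamodelstate and @datamodelshow
                 See also CLICON_CLI_MODEL_TREENAME.";
        }
        leaf CLICON_CLI_MODEL_TREENAME {
            type string;
            default "datamodel";
            description
                "If CLICON_CLI_GENMODEL is set, CLI specs can reference the
                 model syntax using a model tree set by this option.
                 Three trees are generated with this name as a base, (assuming base is datamodel):
                 - @datamodel - a clispec for navigating in editing a configuration (set/merge/delete)
                 - @datamodelshow - a clispec for navigating in showing a configuration
                 - @datamodelstate - a clispec for navigating in showing a configuration WITH state
                 Example: set @datamodel, cli_set();
                          show @datamodelshow, cli_show_auto();
                          show state @datamodelstate, cli_show_auto_state();
                 ";
        }
        leaf CLICON_CLI_GENMODEL_COMPLETION {
            type int32;
            default 1;
            description "Generate code for CLI completion of existing db symbols.
                         (consider boolean)";
        }
        leaf CLICON_CLI_GENMODEL_TYPE {
            type cli_genmodel_type;
            default "VARS";
            description "How to generate and show CLI syntax: NONE|VARS|ALL|HIDE";
        }
        leaf CLICON_CLI_VARONLY {
            type int32;
            default 1;
            description
                "Don't include keys in cvec in cli vars callbacks,
                 ie a & k in 'a <b> k <c>' ignored
                 (consider boolean)";
        }
        leaf CLICON_CLI_LINESCROLLING {
            type int32;
            default 1;
            description
                "Set to 0 if you want CLI to wrap to next line.
                 Set to 1 if you want CLI to scroll sideways when approaching
                 right margin";
        }
        leaf CLICON_CLI_LINES_DEFAULT {
            type int32;
            default 24;
            description
                "Set to number of CLI terminal rows for paging/scrolling. 0 means unlimited.
                 The number is set statically UNLESS:
                 - there is no terminal, such as file input, in which case nr lines is 0
                 - there is a terminal sufficiently powerful to read the number of lines from
                   ioctl calls.
                 In other words, this setting is used ONLY on raw terminals such as serial
                 consoles.";
        }
        leaf CLICON_CLI_TAB_MODE {
            type int8;
            default 0;
            description
                "Set CLI tab mode. This is actually a bitfield of three
                 combinations:
                 bit 1: 0: <tab> shows short info of available commands
                        1: <tab> has same output as <?>, ie line per command
                 bit 2: 0: On <tab>, select a command over a <var> if both exist
                        1: Commands and vars have same preference.
                 bit 3: 0: On <tab>, never complete more than one level per <tab>
                        1: Complete all levels at once if possible.
                 ";
        }
        leaf CLICON_CLI_UTF8 {
            type int8;
            default 0;
            description
                "Set to 1 to enable CLIgen UTF-8 experimental mode.
                 Note that this feature is EXPERIMENTAL and may not properly handle
                 scrolling, control characters, etc
                 (consider boolean)";
        }
        // NOTE(review): CLI history presumably records full command lines,
        // which may include secrets typed as configuration values. The file
        // sits in the user's home directory by default; confirm it is
        // created with owner-only permissions.
        leaf CLICON_CLI_HIST_FILE {
            type string;
            default "~/.clixon_cli_history";
            description
                "Name of CLI history file. If not given, history is not saved.
                 The number of lines saved is given by CLICON_CLI_HIST_SIZE.";
        }
        leaf CLICON_CLI_HIST_SIZE {
            type int32;
            default 300;
            description
                "Number of lines to save in CLI history.
                 Also, if CLICON_CLI_HIST_FILE is set, also the size in lines
                 of the saved history.";
        }
        leaf CLICON_CLI_BUF_START {
            type uint32;
            default 256;
            description
                "CLIgen buffer (cbuf) initial size.
                 When the buffer needs to grow, the allocation grows quadratic up to a threshold
                 after which linear growth continues.
                 See CLICON_CLI_BUF_THRESHOLD";
        }
        leaf CLICON_CLI_BUF_THRESHOLD {
            type uint32;
            default 65536;
            description
                "CLIgen buffer (cbuf) threshold size.
                 When the buffer exceeds the threshold, the allocation grows by adding the threshold
                 value to the buffer length.
                 If 0, the growth continues with quadratic growth.
                 See CLICON_CLI_BUF_START";
        }
        leaf CLICON_CLI_HELPSTRING_TRUNCATE {
            type boolean;
            default false;
            description
                "CLIgen help string on query (?): Truncate help string on right margin mode
                 This only applies if you have long help strings, such as when generating them from a
                 spec such as the autocli";
        }
        leaf CLICON_CLI_HELPSTRING_LINES {
            type int32;
            default 0;
            description
                "CLIgen help string on query (?) limit of number of lines to show, 0 means unlimited.
                 This only applies if you have multi-line help strings, such as when generating
                 from a spec, such as in the autocli.";
        }
        // NOTE(review): with IPv4 there is no peer credential to check, so
        // the NACM user name cannot be tied to the connecting client (see
        // nacm_cred_mode). Any host that can reach CLICON_SOCK on
        // CLICON_SOCK_PORT then has backend access; restrict the address to
        // loopback or filter the port.
        leaf CLICON_SOCK_FAMILY {
            type string;
            default "UNIX";
            description
                "Address family for communicating with clixon_backend
                 (UNIX|IPv4). IPv6 not yet implemented.
                 Note that UNIX socket makes credential check as follows:
                 (1) client needs rw access to the socket
                 (2) NACM credentials can be checked according to CLICON_NACM_CREDENTIALS
                 Warning: IPv4 and IPv6 sockets have no credential mechanism.
                 ";
        }
        leaf CLICON_SOCK {
            type string;
            mandatory true;
            description
                "If family above is AF_UNIX: Unix socket for communicating
                 with clixon_backend. If family is AF_INET: IPv4 address";
        }
        leaf CLICON_SOCK_PORT {
            type int32;
            default 4535;
            description
                "Inet socket port for communicating with clixon_backend
                 (only IPv4|IPv6)";
        }
        // NOTE(review): membership of this group grants access to the
        // backend unix socket, so it should be treated as an administrative
        // group.
        leaf CLICON_SOCK_GROUP {
            type string;
            default "clicon";
            description
                "Group membership to access clixon_backend unix socket and gid for
                 daemon";
        }
        leaf CLICON_BACKEND_USER {
            type string;
            description
                "User name for backend (both foreground and daemonized).
                 If you set this value the backend if started as root will lower
                 the privileges after initialization.
                 The ownership of files created by the backend will also be set to this
                 user (eg datastores).
                 It also sets the backend unix socket owner to this user, but its group
                 is set by CLICON_SOCK_GROUP.
                 See also CLICON_BACKEND_PRIVILEGES setting";
        }
        // NOTE(review): the default is none, i.e. no drop is made unless
        // this is set. A backend that should not keep its start-up
        // privileges needs this set to drop_perm (or drop_temp) together
        // with CLICON_BACKEND_USER.
        leaf CLICON_BACKEND_PRIVILEGES {
            type priv_mode;
            default none;
            description
                "Backend privileges mode.
                 If CLICON_BACKEND_USER user is set, mode can be set to drop_perm or
                 drop_temp.";
        }
        leaf CLICON_BACKEND_PIDFILE {
            type string;
            mandatory true;
            description "Process-id file of backend daemon";
        }
        leaf CLICON_AUTOCOMMIT {
            type int32;
            default 0;
            description
                "Set if all configuration changes are committed automatically
                 on every edit change. Explicit commit commands unnecessary
                 (consider boolean)";
        }
        // NOTE(review): this directory holds the datastores, which in
        // internal NACM mode also contain the access-control rules. It
        // should be writable only by the backend user.
        leaf CLICON_XMLDB_DIR {
            type string;
            mandatory true;
            description
                "Directory where \"running\", \"candidate\" and \"startup\" are placed.";
        }
        leaf CLICON_DATASTORE_CACHE {
            type datastore_cache;
            default cache;
            description
                "Clixon datastore cache behaviour. There are three values: no cache,
                 cache with copy, or cache without copy.";
        }
        leaf CLICON_XMLDB_FORMAT {
            type datastore_format;
            default xml;
            description "XMLDB datastore format.";
        }
        leaf CLICON_XMLDB_PRETTY {
            type boolean;
            default true;
            description
                "XMLDB datastore pretty print.
                 If set, insert spaces and line-feeds making the XML/JSON human
                 readable. If not set, make the XML/JSON more compact.";
        }
        leaf CLICON_XMLDB_MODSTATE {
            type boolean;
            default false;
            description
                "If set, tag datastores with RFC 7895 YANG Module Library
                 info. When loaded at startup, a check is made if the system
                 yang modules match.
                 See also CLICON_MODULE_LIBRARY_RFC7895";
        }
        leaf CLICON_XML_CHANGELOG {
            type boolean;
            default false;
            description "If true enable automatic upgrade using yang clixon
                         changelog.";
        }
        leaf CLICON_XML_CHANGELOG_FILE {
            type string;
            description "Name of file with module revision changelog.
                         If CLICON_XML_CHANGELOG is true, Clixon
                         reads the module changelog from this file.";
        }
        leaf CLICON_VALIDATE_STATE_XML {
            type boolean;
            default false;
            description
                "Validate user state callback content.
                 Users may register state callbacks using ca_statedata callback
                 When set, the XML returned from the callback is validated after merging with
                 the running db. If it fails, an internal error is returned to the originating
                 user.
                 If the option is not set, the XML returned by the user is not validated.
                 Note that enabling currently causes a large performance overhead for large
                 lists, therefore it is recommended to enable it during development and debugging
                 but disable it in production, until this has been resolved.";
        }
        leaf CLICON_NAMESPACE_NETCONF_DEFAULT {
            type boolean;
            default false;
            description
                "Undefine if you want to ensure strict namespace assignment on all netconf
                 and XML statements according to the standard RFC 6241.
                 If defined, top-level rpc calls need not have namespaces (eg using xmlns=<ns>)
                 since the default NETCONF namespace will be assumed. (This is not standard).
                 See rfc6241 3.1: urn:ietf:params:xml:ns:netconf:base:1.0.";

        }
        leaf CLICON_STARTUP_MODE {
            type startup_mode;
            description "Which method to boot/start clicon backend";
        }
        leaf CLICON_TRANSACTION_MOD {
            type boolean;
            default false;
            description "If set, modifications in validation and commit
                         callbacks are written back into the datastore.
                         This is a bad idea and therefore obsoleted.";
            status obsolete;
        }
        // NOTE(review): the default is disabled, so no NACM access control
        // is applied until this is set to internal or external. With NACM
        // disabled, access to the backend socket or the RESTCONF listener
        // is the only restriction on who may read and edit configuration.
        leaf CLICON_NACM_MODE {
            type nacm_mode;
            default disabled;
            description
                "RFC8341 Network Configuration Access Control Model (NACM) mode: disabled,
                 in regular (internal) config or separate external file given by CLICON_NACM_FILE";
        }
        // NOTE(review): in external mode this file is the access-control
        // policy; it should be writable only by the administrator.
        leaf CLICON_NACM_FILE {
            type string;
            description
                "RFC8341 NACM external configuration file (if CLICON_NACM_MODE is external)";
        }
        leaf CLICON_NACM_CREDENTIALS {
            type nacm_cred_mode;
            default except;
            description
                "Verify nacm user credentials with unix socket peer cred.
                 This means nacm user must match unix user accessing the backend
                 socket.";
        }
        // NOTE(review): this user is exempt from all NACM enforcement. It
        // is only as protected as the CLICON_NACM_CREDENTIALS mode allows:
        // under none any client can claim the name, and under except root
        // and the www user can. Leave it unset unless a recovery path is
        // required.
        leaf CLICON_NACM_RECOVERY_USER {
            type string;
            description
                "RFC8341 defines a 'recovery session' as outside its scope. Clixon
                 defines this user as having special admin rights to exempt from
                 all access control enforcements.
                 Note setting of CLICON_NACM_CREDENTIALS is important, if set to
                 exact for example, this user must exist and be used, otherwise
                 another user (such as root or www) can pose as the recovery user.";
        }
        // NOTE(review): when set, a datastore loaded without a NACM section
        // runs with NACM disabled, so losing or replacing the datastore
        // file silently removes access control. Keep the default (false)
        // unless empty-config bootstrap is required, and protect
        // CLICON_XMLDB_DIR accordingly.
        leaf CLICON_NACM_DISABLED_ON_EMPTY {
            type boolean;
            default false;
            description
                "RFC 8341 and ietf-netconf-acm@2018-02-14.yang defines enable-nacm as true by
                 default. Since also write-default is deny by default it leads to that empty
                 configs can not be edited.
                 This means that a startup config must always have a NACM configuration or
                 that the NACM recovery session is used to edit an empty config.
                 If this option is set, Clixon disables NACM if a datastore does NOT contain a
                 NACM config on load.";
        }
        leaf CLICON_MODULE_LIBRARY_RFC7895 {
            type boolean;
            default true;
            description
                "Enable RFC 7895 YANG Module library support as state data. If
                 enabled, module info will appear when doing netconf get or
                 restconf GET.
                 See also CLICON_XMLDB_MODSTATE";
        }
        leaf CLICON_MODULE_SET_ID {
            type string;
            default "0";
            description "If RFC 7895 YANG Module library enabled:
                         Contains a server-specific identifier representing
                         the current set of modules and submodules. The
                         server MUST change the value of this leaf if the
                         information represented by the 'module' list instances
                         has changed.";
        }
        leaf CLICON_STREAM_DISCOVERY_RFC5277 {
            type boolean;
            default false;
            description "Enable event stream discovery as described in RFC 5277
                         sections 3.2. If enabled, available streams will appear
                         when doing netconf get or restconf GET";
        }
        leaf CLICON_STREAM_DISCOVERY_RFC8040 {
            type boolean;
            default false;
            description
                "Enable monitoring information for the RESTCONF protocol from RFC 8040";
        }
        leaf CLICON_STREAM_PATH {
            type string;
            default "streams";
            description "Stream path appended to CLICON_STREAM_URL to form
                         stream subscription URL.";
        }
        leaf CLICON_STREAM_URL {
            type string;
            default "https://localhost";
            description "Prepend this to CLICON_STREAM_PATH to form URL.
                         See RFC 8040 Sec 9.3 location leaf:
                         'Contains a URL that represents the entry point for
                         establishing notification delivery via server-sent events.'
                         Prepend this constant to name of stream.
                         Example: https://localhost/streams/NETCONF. Note this is the
                         external URL, not local behind a reverse-proxy.
                         Note that -s <stream> command-line option to clixon_restconf
                         should correspond to last path of url (eg 'streams')";
        }
        // NOTE(review): the example uses plain http, which is reasonable
        // only while the publish endpoint stays local behind the
        // reverse-proxy as the description says. Notifications may carry
        // configuration data, so the endpoint should not be reachable from
        // outside.
        leaf CLICON_STREAM_PUB {
            type string;
            description "For stream publish using eg nchan, the base address
                         to publish to. Example value: http://localhost/pub
                         Example: stream NETCONF would then be pushed to
                         http://localhost/pub/NETCONF.
                         Note this may be a local/private URL behind reverse-proxy.
                         If not given, do NOT enable stream publishing using NCHAN.";
        }
        leaf CLICON_STREAM_RETENTION {
            type uint32;
            default 3600;
            units s;
            description "Retention for stream replay buffers in seconds, ie how much
                         data to store before dropping. 0 means no retention";

        }
    }
}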