-
Notifications
You must be signed in to change notification settings - Fork 0
/
confd.conf
622 lines (565 loc) · 19.8 KB
/
confd.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
<!-- -*- nxml -*- -->
<!-- Example configuration file for confd. -->
<confdConfig xmlns="http://tail-f.com/ns/confd_cfg/1.0">
<!--
The loadPath is searched for .fxs files etc.
NOTE: if you change the loadPath, the daemon must be restarted,
or the "In-service Data Model Upgrade" procedure described in
the User Guide can be used - 'confd - -reload' is not enough.
-->
<loadPath>
<dir>/confd/etc/confd</dir>
</loadPath>
<!--
This is where ConfD writes persistent state data. Currently the
only state files are 'running.invalid' which exists only if the
running database status is invalid, which it will be if one of
the database implementation fails during the two-phase commit
protocol, and 'global.data' which is used to store some data
that needs to be retained across reboots.
-->
<stateDir>/confd/var/confd/state</stateDir>
<!--
A hide group cannot be unhidden unless it has been listed
here. A missing or empty password indicates that no password
needs to be given when unhiding the group.
If the group is not listed below then it cannot be unhidden
at all.
Multiple hideGroups can be specified in the file.
-->
<hideGroup>
<name>debug</name>
<password>secret</password>
</hideGroup>
<!--
Disable cdb only if you're using your own configuration database
to store all data, including the AAA data.
-->
<cdb>
<enabled>true</enabled>
<dbDir>/confd/var/confd/cdb</dbDir>
<!--
During development it can be useful to set a low timeout to
catch programming errors. In a production system use
"infinity" (default) or a high timeout so as not to timeout
during high CPU load.
-->
<clientTimeout>PT30S</clientTimeout>
<!--
The operational datastore is used when operational data is to be
stored in CDB.
-->
<operational>
<enabled>true</enabled>
</operational>
</cdb>
<!--
These keys are used to encrypt values adhering to the types
tailf:des3-cbc-encrypted-string and tailf:aes-cfb-128-encrypted-string
as defined in the tailf-common YANG module. These types are
described in confd_types(3).
-->
<encryptedStrings>
<DES3CBC>
<key1>0123456789abcdef</key1>
<key2>0123456789abcdef</key2>
<key3>0123456789abcdef</key3>
<initVector>0123456789abcdef</initVector>
</DES3CBC>
<AESCFB128>
<key>0123456789abcdef0123456789abcdef</key>
<initVector>0123456789abcdef0123456789abcdef</initVector>
</AESCFB128>
</encryptedStrings>
<logs>
<!--
Shared settings for how to log to syslog.
Each log can be configured to log to file and/or syslog. If a
log is configured to log to syslog, the settings below are used.
-->
<syslogConfig>
<!-- facility can be 'daemon', 'local0' ... 'local7' or an integer -->
<facility>daemon</facility>
<!-- if udp is not enabled, messages will be sent to local syslog -->
<udp>
<enabled>false</enabled>
<host>syslogsrv.example.com</host>
<port>514</port>
</udp>
</syslogConfig>
<!--
'confdlog' is a normal daemon log. Check this log for
startup problems of confd itself.
By default, it logs directly to a local file, but it can be
configured to send to a local or remote syslog as well.
-->
<confdLog>
<enabled>true</enabled>
<file>
<enabled>false</enabled>
<name>/confd/var/confd/log/confd.log</name>
</file>
<syslog>
<enabled>true</enabled>
</syslog>
</confdLog>
<!--
The developer logs are supposed to be used as debug logs
for troubleshooting user-written C code. Enable
and check these logs for problems with validation code, etc.
-->
<developerLog>
<enabled>true</enabled>
<file>
<enabled>false</enabled>
<name>/confd/var/confd/log/devel.log</name>
</file>
<syslog>
<enabled>true</enabled>
</syslog>
</developerLog>
<auditLog>
<enabled>true</enabled>
<file>
<enabled>false</enabled>
<name>/confd/var/confd/log/audit.log</name>
</file>
<syslog>
<enabled>true</enabled>
</syslog>
</auditLog>
<!--
The netconf log can be used to troubleshoot NETCONF operations,
such as checking why e.g. a filter operation didn't return the
data requested.
-->
<netconfLog>
<enabled>true</enabled>
<file>
<enabled>false</enabled>
<name>/confd/var/confd/log/netconf.log</name>
</file>
<syslog>
<enabled>true</enabled>
</syslog>
</netconfLog>
<jsonrpcLog>
<enabled>true</enabled>
<file>
<enabled>false</enabled>
<name>/confd/var/confd/log/jsonrpc.log</name>
</file>
<syslog>
<enabled>false</enabled>
<facility>daemon</facility>
</syslog>
</jsonrpcLog>
<webuiAccessLog>
<enabled>false</enabled>
<dir>/confd/var/confd/log/confd</dir>
</webuiAccessLog>
<snmpLog>
<enabled>false</enabled>
<file>
<enabled>true</enabled>
<name>/confd/var/confd/log/snmp.log</name>
</file>
<syslog>
<enabled>false</enabled>
</syslog>
</snmpLog>
<netconfTraceLog>
<enabled>true</enabled>
<filename>/confd/var/confd/log/netconf.trace</filename>
</netconfTraceLog>
<!--
The error log is used for internal logging from the confd
daemon. It is used for troubleshooting the confd daemon
itself, and should normally be disabled.
-->
<errorLog>
<enabled>false</enabled>
<filename>/tmp/confderr.log</filename>
<maxSize>S10M</maxSize>
</errorLog>
<!--
Progress tracing must be enabled here and then configured
according to tailf-progress.yang.
-->
<progressTrace>
<enabled>true</enabled>
<dir>/confd/var/confd/log</dir>
</progressTrace>
</logs>
<!-- Defines which datastores confd will handle. -->
<datastores>
<!--
'startup' means that the system keeps separate running and
startup configuration databases. When the system reboots for
whatever reason, the running config database is lost, and the
startup is read.
Enable this only if your system uses a separate startup and
running database.
-->
<startup>
<enabled>false</enabled>
</startup>
<!--
The 'candidate' is a shared, named alternative configuration
database which can be modified without impacting the running
configuration. Changes in the candidate can be commit to running,
or discarded.
Enable this if you want your users to use this feature from
NETCONF, CLI or Web UI, or other agents.
-->
<candidate>
<enabled>true</enabled>
<!--
By default, confd implements the candidate configuration
without impacting the application. But if your system
already implements the candidate itself, set 'implementation' to
'external'.
-->
<implementation>confd</implementation>
<storage>auto</storage>
<filename>/confd/var/confd/candidate/candidate.db</filename>
</candidate>
<!--
By default, the running configuration is writable. This means
that the application must be prepared to handle changes to
the configuration dynamically. If this is not the case, set
'access' to 'read-only'. If running is read-only, 'startup'
must be enabled, and 'candidate' must be disabled. This means that
the application reads the configuration at startup, and then
the box must reboot in order for the application to re-read its
configuration.
NOTE: this is not the same as the NETCONF capability
:writable-running, which merely controls which NETCONF
operations are allowed to write to the running configuration.
-->
<running>
<access>read-write</access>
</running>
</datastores>
<!--
This parameter controls if ConfD's attribute feature should
be enabled or not. Currently there are two attributes,
annotations and tags. These are available in northbound
interfaces (e.g. the annotate command in the CLI, and
annotation XML attribute in NETCONF), but in order to be
useful they need support from the underlying configuration
data provider. CDB supports attributes, but if an external
data provider is used for configuration data, and it does
not support the attribute callbacks, this parameter should
be set to 'false'.
-->
<enableAttributes>true</enableAttributes>
<sessionLimits>
<!--
These parameters controls the maximum number of concurrent
sessions towards ConfD. 'context' is 'cli' or 'netconf'.
-->
<maxSessions>unbounded</maxSessions>
<sessionLimit>
<context>cli</context>
<maxSessions>100</maxSessions>
</sessionLimit>
<sessionLimit>
<context>netconf</context>
<maxSessions>unbounded</maxSessions>
</sessionLimit>
</sessionLimits>
<aaa>
<sshServerKeyDir>/confd/etc/confd/ssh</sshServerKeyDir>
<!-- See man page confd_aaa_bridge(1) for a description of this -->
<aaaBridge>
<enabled>false</enabled>
<file>/confd/etc/confd/aaa.conf</file>
</aaaBridge>
<pam>
<!--
If pam is enabled and we want to use pam for login
confd must typically run as root. This depends on how
pam is configured locally. However the default "system-auth"
will typically require root since the pam libs then read
/etc/shadow
-->
<enabled>true</enabled>
<service>system-auth</service>
</pam>
<localAuthentication>
<enabled>true</enabled>
</localAuthentication>
</aaa>
<rollback>
<!--
To enable rollback file creation set enabled to true.
You also have to configure a directory for the rollback files.
A rollback file (rollback0-rollback<historySize>) will be
created whenever a new configuration is committed
-->
<enabled>true</enabled>
<directory>/confd/var/confd/rollback</directory>
<historySize>50</historySize>
<!-- If "full" is specified, then a full configuration dump is
stored in each rollback file. Rollback file 0 will always
contain the running configuration. If "delta" is used, then
only the changes are stored in the rollback file. Rollback
file 0 will contain the changes from the last configuration.
Using deltas is more space and time efficient for large
configurations. Full rollback files are more robust when
multiple external databases are used. If the external
databases becomes inconsistent a previous configuration can
always be restored using a full rollback file.
-->
<type>delta</type>
</rollback>
<cli>
<!-- If a table is too wide to fit in the terminal it will
instead be shown as a path - value list. When table
overflow is allowed it will be displayed as a table
even when the table is to wide to fit on the screen
-->
<allowTableOverflow>false</allowTableOverflow>
<allowTableCellWrap>false</allowTableCellWrap>
<!-- If showAllNs is true then all elem names will be prefixed
with the namespace prefix in the CLI. This is visible
when setting values and when showing the configuratin
-->
<showAllNs>false</showAllNs>
<!-- To log all CLI activity use 'all', to only log
attempts to execute unauthorized commands, use denied,
for only logging actually executed commands use allowed,
and for no logging use 'none'
-->
<!-- Controls if transactions should be used in the CLI or not.
Old style Cisco IOS does not use transactions, Juniper and
Cisco XR does. The commit command is disabled if transactions
are disabled. All modifications are applied immediately.
NOTE: this requires that you have default values for ALL
settings and no complex validation rules.
-->
<transactions>true</transactions>
<auditLogMode>denied</auditLogMode>
<completionShowMax>100</completionShowMax>
<withDefaults>false</withDefaults>
<defaultPrefix></defaultPrefix>
<showDefaults>false</showDefaults>
<docWrap>true</docWrap>
<infoOnTab>true</infoOnTab>
<infoOnSpace>true</infoOnSpace>
<newLogout>true</newLogout>
<!-- Prompt1 is used in operational mode and prompt2 in
configuration mode. The string may contain a number of
backslash-escaped special characters that are decoded
as follows:
\d the date in YYYY-MM-DD format (e.g., "2006-01-18")
\h the hostname up to the first `.'
\H the hostname
\t the current time in 24-hour HH:MM:SS format
\T the current time in 12-hour HH:MM:SS format
\@ the current time in 12-hour am/pm format
\A the current time in 24-hour HH:MM format
\u the username of the current user
\m mode name in the Cisco-style CLI
\M mode name inside parenthesis if set
-->
<prompt1>\u@\h\M \t> </prompt1>
<prompt2>\u@\h\M \t% </prompt2>
<cPrompt1>\h\M# </cPrompt1>
<cPrompt2>\h(\m)# </cPrompt2>
<idleTimeout>PT30M</idleTimeout>
<commandTimeout>infinity</commandTimeout>
<spaceCompletion>
<enabled>true</enabled>
</spaceCompletion>
<showLogDirectory>/var/log</showLogDirectory>
<autoWizard>
<enabled>true</enabled>
</autoWizard>
<ssh>
<enabled>false</enabled>
<ip>0.0.0.0</ip>
<port>2024</port>
</ssh>
<showEmptyContainers>false</showEmptyContainers>
<cTab>false</cTab>
<cHelp>true</cHelp>
<!-- Mode name style is only used by the Cisco style CLIs.
It controls how to calculate the mode name when entering
a submode. If set to 'full' then the entire path will be
used in the mode name, if set to 'short' then only the
last element + dynamic key will be used. If 'two' then
the two last modes will be displayed.
-->
<modeNameStyle>short</modeNameStyle>
<messageMaxSize>10000</messageMaxSize>
<historyMaxSize>1000</historyMaxSize>
<historyRemoveDuplicates>false</historyRemoveDuplicates>
<compactShow>false</compactShow>
<compactStatsShow>false</compactStatsShow>
<reconfirmHidden>false</reconfirmHidden>
<enumKeyInfo>false</enumKeyInfo>
<columnStats>false</columnStats>
<allowAbbrevKeys>true</allowAbbrevKeys>
<allowAbbrevParamNames>false</allowAbbrevParamNames>
<allowAbbrevEnums>true</allowAbbrevEnums>
<allowCaseInsensitiveEnums>true</allowCaseInsensitiveEnums>
<enableDisplayLevel>true</enableDisplayLevel>
<enableLoadMerge>true</enableLoadMerge>
<defaultDisplayLevel>99999999</defaultDisplayLevel>
<unifiedHistory>false</unifiedHistory>
<modeInfoInAAA>false</modeInfoInAAA>
<quoteStyle>backslash</quoteStyle>
<caseInsensitive>false</caseInsensitive>
<ignoreLeadingWhitespace>false</ignoreLeadingWhitespace>
<explicitSetCreate>false</explicitSetCreate>
<mapActions>both</mapActions>
</cli>
<webui>
<enabled>false</enabled>
<docroot>/confd/var/confd/webui/docroot</docroot>
<transport>
<tcp>
<enabled>true</enabled>
<ip>0.0.0.0</ip>
<port>8008</port>
</tcp>
<ssl>
<enabled>false</enabled>
<ip>0.0.0.0</ip>
<port>8888</port>
<keyFile>/confd/var/confd/webui/cert/host.key</keyFile>
<certFile>/confd/var/confd/webui/cert/host.cert</certFile>
</ssl>
</transport>
</webui>
<netconf>
<enabled>true</enabled>
<transport>
<ssh>
<enabled>true</enabled>
<ip>0.0.0.0</ip>
<!-- Note that the standard port for NETCONF over SSH is 830 -->
<port>2022</port>
</ssh>
<!--
NETCONF over TCP is not standardized, but it can be useful
during development in order to use e.g. netcat for scripting.
-->
<tcp>
<enabled>false</enabled>
<ip>127.0.0.1</ip>
<port>2023</port>
</tcp>
</transport>
<capabilities>
<!-- enable only if /confdConfig/datastores/startup is enabled -->
<startup>
<enabled>false</enabled>
</startup>
<!-- enable only if /confdConfig/datastores/candidate is enabled -->
<candidate>
<enabled>true</enabled>
</candidate>
<confirmed-commit>
<enabled>true</enabled>
</confirmed-commit>
<!--
enable only if /confdConfig/datastores/running is read-write
-->
<writable-running>
<enabled>true</enabled>
</writable-running>
<rollback-on-error>
<enabled>true</enabled>
</rollback-on-error>
<!-- Turn on the URL capability options you want to support -->
<url>
<enabled>true</enabled>
<file>
<enabled>true</enabled>
<rootDir>/confd/var/confd/state</rootDir>
</file>
<ftp>
<enabled>true</enabled>
</ftp>
</url>
<xpath>
<enabled>true</enabled>
</xpath>
<!--
Enable this to turn on NETCONF Notifications support.
-->
<notification>
<enabled>true</enabled>
<!--
Enable this to make the agent handle RPCs while sending
notifications.
-->
<interleave>
<enabled>true</enabled>
</interleave>
</notification>
</capabilities>
<!--
If extendedSessions are enabled, all ConfD sessions can be
terminated using <kill-session>, i.e. not only can other
NETCONF session be terminated, but also CLI sessions, WebUI
sessions etc. If such a session holds a lock, its session
id will be returned in the <lock-denied>, instead of "0".
Strictly speaking, this extension is not covered by the
NETCONF specification; therefore it's false by default.
-->
<extendedSessions>false</extendedSessions>
</netconf>
<snmpAgent>
<!-- Enable only if snmp agent should be started -->
<enabled>false</enabled>
<!--
Configure the IP address and port that the SNMP Agent
should listen to
-->
<ip>0.0.0.0</ip>
<port>4000</port>
<!-- Differentiated Services Code Point, 6 bits -->
<dscp>0</dscp>
<!--
List mibs that should be loaded into the SNMP Agent
at startup.
With no mibs loaded, the SNMP agent will start with the built-in
standard mibs only. See the User's Guide for details.
-->
<mibs>
<!--
<file>/confd/etc/confd/mibs/EXAMPLE-MIB.bin</file>
-->
</mibs>
<!--
The SNMP Engine ID is a hexList and can be constructed
in many ways. See the SNMP-FRAMEWORK-MIB for more
information about this.
The MaxMessageSize can be set, but should normally not be
modified.
-->
<snmpEngine>
<snmpEngineID>80:00:61:81:05:01</snmpEngineID>
</snmpEngine>
<system>
<sysDescr>Tail-f ConfD agent</sysDescr>
<sysObjectID>1.3.6.1.4.1.24961</sysObjectID>
<sysServices>72</sysServices>
<!-- The sysORTable stores capabilities that this agent supports -->
<sysORTable>
<!--
Example of a capability:
<sysOREntry>
<sysORIndex>1</sysORIndex>
<sysORID>1.3.6.1.4.1.24961.1</sysORID>
<sysORDescr>Example capability</sysORDescr>
</sysOREntry>
-->
</sysORTable>
</system>
</snmpAgent>
</confdConfig>