NED settings details

This NED is equipped with a number of runtime configuration options "NED settings" allowing for customization by the end user. All options are configurable using the NSO API for NED settings. Most NED settings can be configured globally, per device profile or per device instance in the following locations:

global /ncs:devices/global-settings/ned-settings/nokia-sros_nc/ profile /ncs:devices/ncs:profiles/profile:/ned-settings/nokia-sros_nc/ device /ncs:/device/devices/device:/ned-settings/nokia-sros_nc/

Profiles setting overrides global-settings and device settings override profile settings, hence the narrowest scope of the setting is used by the device.

If user changes a ned-setting, then user must reconnect to the device, i.e. disconnect and connect in order for the new setting to take effect.

From the NSO CLI the device instance NED settings for this NED are available under:

Table of contents

1. ned-settings nokia-sros_nc

This file describes the ned-settings for nokia-sros_nc.

2. ned-settings nokia-sros_nc transaction

Settings affecting different aspects of NSO transactions towards device.

2.1. ned-settings nokia-sros_nc transaction ignore-rpc-errors

Configure additional device errors that shall be treated as warnings (i.e. to be ignored, not aborting transaction).

2.2. ned-settings nokia-sros_nc transaction extra-get-config-paths

This list can be used to add extra filters when sending get-config RPC to the device. For example if there is a bug in the device which makes it not include all config under certain top-nodes. The key of the list is the path to add (non-unique nodes must be prefixed with 'global' prefix, i.e. prefix from module).

2.3. ned-settings nokia-sros_nc transaction exclude-namespaces

This list can be used to filter out certain namespaces from the configuration (i.e. all nodes belonging to namespaces given in this list will be dropped from the config before sent to NSO).

2.4. ned-settings nokia-sros_nc transaction inject-meta-data

Inject tailf:meta-data extension into schema at given path, used for example to trigger xml transform methods (java methods annotated with XMLTransformMethod) before xml is sent to NSO, or when editing, to device. The meta-data can also be used for other purposes in custom java code in the NED. The path supplied can even be a key-path, i.e. containg list keys within curly braces.

NOTE: For more information about custom xml transforms, see section 'Custom XML transforms' in the README.md.

2.5. ned-settings nokia-sros_nc transaction bof-settings

Control NED behaviour regarding 'bof' settings.The SROS devices regard 'bof' settings as a separate datastore, meaning that it is not permitted to deploy together with standard config.

3. ned-settings nokia-sros_nc connection

Settings related to the initial connection to the device, including the initial hand-shake (hello).

3.1. ned-settings nokia-sros_nc connection capabilities

Settings related the netconf capablities, and the discovery of supported yang modules.

3.1.1. ned-settings nokia-sros_nc connection capabilities regex-exclude

List of regex patterns to use for excluding capabilities sent from device in hello, for example to exclude a capability which the device announces in hello, but which is not correctly implemented

3.1.2. ned-settings nokia-sros_nc connection capabilities regex-include

List of regex patterns to use for including capabilities sent from device in hello. Note that when this list is non-empty, only capabilities matching any of the patterns in this list will be included

3.1.3. ned-settings nokia-sros_nc connection capabilities inject

This list can be used to inject capabilities into the hello from the device, before processed and sent to NSO, for example if a capability sent from the device is invalid, it can be filtered out using 'regex-exclude', and replaced with an inject. Also if device leaves out a capability that should be present and is needed, it can be injected.

3.2. ned-settings nokia-sros_nc connection ssh

Settings related to the SSH client used by the NED to connect to the device.

4. ned-settings nokia-sros_nc proxy

Configure NED to access device via an ssh proxy (i.e. a ssh 'jump-host'). By default, when this options is used, the address, port, and credentials normally given for the device in NSO, is used as the address and credentials for the ssh proxy, in which case the ned-settings here are then used to access the actual device.

This 'reverse' logic is the effect of how the API historically worked, and can be changed by enabling the setting 'global-proxy'. When this setting is set to true, the device config is the address/port and credentials for the actual device (behind the proxy), and the proxy host is configured in this section. This means that the proxy can be configured globally, or in a profile, which is a convenient way to switch all or some devices to connect through a jump-host.

5. ned-settings nokia-sros_nc live-status

Configure NED settings related to live-status.

5.1. ned-settings nokia-sros_nc live-status regex-exclude

This list of regular expressions match the schema path of nodes to filter out from live-status (oper) data before sending it to NSO. The regex matches on either of the pure tag-path, 'global' path, or the key-path (i.e. possibly including keys within curly braces) of nodes in the data. I.e. if a path is unique, prefixes can be omitted, but not when used in a key-path, then a 'global' path is needed, i.e. prefixed as it would appear in NSO, including the prefix on each level where new namespace occurs.

5.2. ned-settings nokia-sros_nc live-status cli

Configuration of CLI interaction through 'exec any '.

5.2.1. ned-settings nokia-sros_nc live-status cli auto-prompts

Sometimes when entering commands in an interative shell, the device prompts for some specific input, in cases like this, this list can be configured with pairs of "questions" and "answers" to be used when interacting with the device. The "questions" are in the form of regular-expressions, which matches the prompt or "question" output from the device, and the "answers" are the string to send back to the device, when that specific "question" is found in the output from the device.

For example, to add the response "secret" for a password prompt, one can add the below ned-settings:

6. ned-settings nokia-sros_nc logger

Settings for controlling logs generated.

7. ned-settings nokia-sros_nc developer

Contains settings used by the NED developers.

Table of contents

1. General

This document describes the nokia-sros_nc NED.

IMPORTANT: This NED is delivered without any of the device YANG models bundled to the NED package.

It is required to download the YANG files separately and rebuild the NED package before the NED is fully operational. See the README-rebuild.md for further information.

In summary, the below steps are needed to have a fully functioning NED:

Additional README files bundled with this NED package

Common NED Features

Verified target systems

Verified YANG model bundles

1.1 Extract the NED package

It is assumed the NED package ncs-<NSO version>-nokia-sros_nc-<NED version>.signed.bin has already been downloaded from software.cisco.com.

In this instruction the following example settings will be used:

• NSO version: 6.0

• NED version: 1.0.1

• NED package downloaded to: /tmp/ned-package-store

1. Extract the NED package and verify its signature:

2. In case the signature can not be verified (for instance if no internet connection), do as below instead:

3. The result of the extraction shall be a tar.gz file with the same name as the .bin file:

1.2 Install the NED package

There are two alternative ways to install this NED package. Which one to use depends on how NSO itself is setup.

In the instructions below the following example settings will be used:

• NSO version: 6.0

• NED version: 1.0.1

• NED download directory: /tmp/ned-package-store

• NSO run time directory: ~/nso-lab-rundir

A prerequisite is to set the environment variable NSO_RUNDIR to point at the NSO run time directory:

IMPORTANT:

This NED is delivered as an “empty” package, i.e without any device YANG models bundled. It must be rebuilt with the device YANG models to become operational.

The procedure to rebuild the empty NED (described in the README-rebuild.md) shall typically be done in a lab environment. For this step a “local install” of the NED shall be used. It is not suitable to use “system install” here since it is intended for production systems only.

Once this NED has been rebuilt with the device YANG and exported to one or many separate tar.gz customized NED packages, a “system installation” can be used on them.

1.2.1 Local install

This section describes how to install a NED package on a locally installed NSO (see "NSO Local Install" in the NSO Installation guide).

It is assumed the NED package has been been unpacked to a tar.gz file as described in 1.1.

1. Untar the tar.gz file. This creates a new sub-directory named: nokia-sros_nc-<NED major digit>.<NED minor digit>:

2. Install the NED into NSO, using the ncs-setup tool:

3. Open a NSO CLI session and load the new NED package like below:

Alternatively the tar.gz file can be installed directly into NSO. Then skip steps 1 and 2 and do like below instead:

Set the environment variable NED_ROOT_DIR to point at the NSO NED package:

1.2.2 System install

This section describes how to install a NED package on a system installed NSO (see "NSO System Install" in the NSO Installation Guide).

It is assumed the NED package has been been unpacked to a tar.gz file as described in 1.1.

1. Do a NSO backup before installing the new NED package:

2. Start a NSO CLI session and fetch the NED package:

3. Install the NED package (add the argument replace-existing if a previous version has been loaded):

4. Load the NED package

1.3 Configure the NED in NSO

This section describes the steps for configuring a device instance using the newly installed NED package.

• Start a NSO CLI session:

• Enter configuration mode:

• Configure a new authentication group (my-group) to be used for this device:

• Configure a new device instance (example: dev-1):

  IMPORTANT:

If the sync-from was not successful, check the NED configuration again.

2. Optional debug and trace setup

It is often desirable to see details from when and how the NED interacts with the device(Example: troubleshooting)

This can be achieved by configuring NSO to generate a trace file for the NED. A trace file contains information about all interactions with the device. Messages sent and received as well as debug printouts, depending on the log level configured.

NSO creates one separate trace file for each device instance with tracing enabled. Stored in the following location:

$NSO_RUNDIR/logs/ned-nokia-sros_nc-gen-1.0-<device name>.trace

Do as follows to enable tracing in one specific device instance in NSO:

1. Start a NSO CLI session:

2. Enter configuration mode:

3. Enable trace raw:

   Alternatively, tracing can be enabled globally affecting all configured device instances:

4. Configure the log level for printouts to the trace file:

The log level 'info' is used by default and the 'debug' level is the most verbose.

IMPORTANT: Tracing shall be used with caution. This feature does increase the number of IPC messages sent between the NED and NSO. In some cases this can affect the performance in NSO. Hence, tracing should normally be disabled in production systems.

An alternative method for generating printouts from the NED is to enable the Java logging mechanism. This makes the NED print log messages to common NSO Java log file.

$NSO_RUNDIR/logs/ncs-java-vm.log

Do as follows to enable Java logging in the NED

1. Start a NSO CLI session:

2. Enter configuration mode:

3. Enable Java logging with level all from the NED package:

4. Configure the NED to log to the Java logger

   Alternatively Java logging can be enabled globally affecting all configured device instances using this NED package.

IMPORTANT: Java logging does not use any IPC messages sent to NSO. Consequently, NSO performance is not affected. However, all log printouts from all log enabled devices are saved in one single file. This means that the usability is limited. Typically single device use cases etc.

SSHJ DEBUG LOGGING For issues related to the ssh connection it is often useful to enable full logging in the SSHJ ssh client. This will make SSHJ print additional log entries in $NSO_RUNDIR/logs/ncs-java-vm.log:

3. Dependencies

This NED has the following host environment dependencies:

• Java 1.8 (NSO version < 6.2)

• Java 17 (NSO version >= 6.2)

• Gnu Sed

Dependencies for NED recompile:

• Apache Ant

• Bash

• Gnu Sort

• Gnu awk

4. Sample device configuration

5. Built in RPC actions

5.1. rpc add-filter-path

5.2. rpc clean-package

5.3. rpc clear-cached-capabilities

5.4. rpc clear-filter-paths

5.5. rpc compare-config

5.6. rpc compile-modules

5.7. rpc export-package

5.8. rpc get-modules

5.9. rpc import-filter-paths

5.10. rpc list-filter-paths

5.11. rpc list-module-sets

5.12. rpc list-modules

5.13. rpc list-profiles

5.14. rpc patch-modules

5.15. rpc rebuild-package

5.16. rpc remove-filter-path

5.17. rpc show-default-local-dir

5.18. rpc show-loaded-schema

5.19. rpc verify-get-config

5.20. rpc xpath-trace-analyzer

6. Built in live-status show

The nokia-sroc_nc NED has full support for fetching operational data via the NSO live-status API.

7. Limitations

The SROS device must be properly configured in model driven mode and with netconf enabled for this NED to function properly. Any other mode such as 'mixed mode' makes SROS limited and will prevent the NED from using certain features. For instance the fast transaction id calculation nethod which has been customized for SROS.

Some issues has been observed when running towards SROS devices. These are briefly described here, please note that these are only what have been observed in specific use-cases, it might be related to device/SROS model/version, and also to specific configuration used in these use-cases. Hence, these issues might not be relevant for your use-case, and of course, there might be other issues which have not been observed.

As has been observed with many vendors yang-models, SROS seems to contain some leafrefs that are not enforced in the device, which might lead to NSO reporting "illegal reference" when doing sync-from. See file src/customize-schema.schypp for these, i.e. paths which have an 'inline_type' operation in this file. Also see the README-rebuild.md for more info on mitigating "illegal reference".

In some older versions of SROS, support for yang-library version 1.1 is announced, however, the implementation has bugs in it (this relates at least to SROS versions <= 20.10 which announce yang-library 1.1 support). In this case the NED needs to be configured to make it look like the device actually implements yang-library 1.0. This can be done by setting the below ned-settings:

NOTE: The "fake" module-set-id used here is not relevant, it can be anything

Another issue which has been observed is that while the device announces support for the yang-module ietf-interfaces, it can not be used for example inside the filter of a get-config request. Hence this module needs to be filtered out, which is done with the below ned-setting:

At least SROS version 22 has problems with properly returning valid data from the openconfig data tree when the NED is doing a get-config request. The device seems to have problems with the default filter used by the NED. If the NED is built with openconfig, this filter will contain namespaces of the openconfig models. This will result in the device returning an error instead of the valid config.

This issue can be solved by configuring the following NED setting:

All current versions of SROS have a special non rfc compliant behaviour for settings related to the configuration groups 'bof' and 'li'. These configuration trees are regarded as separate datastores by SROS. This means SROS does not allow editing standard config together with 'bof' or 'li' settings in the same transaction. Furthermore editing 'bof' and 'li' settings does require Nokia specific non rfc compliant extensions to the netconf messages.

Do as follows to enable support for managing 'bof' settings in the NED:

1. Make sure the Nokia 'bof' models are included when rebuilding the NED. For example, use the profile 'sros-combined-with-bof-from-device' when downloading the models.

2. Configure the following NED setting:

1. Set the following NED setting to true for devices running SROS version 23 or newer. Default is false.

The NED does currently not support managing 'li' settings. This is something that can be added upon request.

8. How to report NED issues and feature requests

Issues like bugs and errors shall always be reported to the Cisco NSO NED team through the Cisco Support channel:

The following information is required for the Cisco NSO NED team to be able to investigate an issue:

Do as follows to gather the necessary information needed for your device, here named 'dev-1':

1. Enable full debug logging in the NED

2. Configure the NSO to generate a raw trace file from the NED

3. If the NED already had trace enabled, clear it in order to submit only relevant information

   Do as follows for NSO 6.4 or newer:

   Do as follows for older NSO versions:

Requests for new features and extensions of the NED are handled by the Cisco NSO NED team when applicable. Such requests shall also go through the Cisco support channel.

The following information is required for feature requests and extensions:

1. A detailed use case description, with details like:

   • Data of interest

   • The kind of operations to be used on the data. Like: 'read', 'create', 'update', 'delete' and the order of the operation

   • Device APIs involved in the operations (For example: REST URLs and payloads)

9. How to rebuild a NED

Check the README-rebuild.md file, chapter 1.3, for more information.

10. Configure the NED to use ssh multi factor authentication

This NED supports multi factor authentication (MFA) using the ssh authentication method 'keyboard-interactive'.

Some additional steps are required to enable the MFA support:

1. Verify that your NSO version supports MFA. This is configurable as additional settings in the authentication group used by the device instance.

   Enter a NSO CLI and enter the following and do tab completion:

   If 'mfa' is displayed in the output like above, NSO has MFA support enabled. In case MFA is not supported it is necessary to upgrade NSO before proceeding.

2. Implement the authenticator executable. The MFA feature relies on an external executable to take care of the client part of the multi factor authentication. The NED will automatically call this executable for each challenge presented by the ssh server and expects to get a proper response in return.

   The executable can be a simple shell script or a program implemented in any programming language.

   The required behaviour is like this:

10.1 Trouble shooting

In case of connection problems the following steps can help for debugging:

Enable the NED trace in debug level:

Try connect again

Inspect the generated trace file.

Verify that the ssh client is using the external authenticator executable:

Verify that the executable is called with the challenges presented by the ssh server:

Check for any errors reported by the NED when calling the executable

11. Run arbitrary commands on device

Some commands that are available to a user logged in to an interactive CLI session on the device might not be available through NETCONF. For situations like this the NED provides the feature to run arbitrary commands on the device.

The NED feature to execute commands is connected in NSO to a live-status action called 'exec any'.

The NED does by default use the 'md-cli-raw-command' feature to tunnel commands to the device. This feature is supported by all newer versions of Nokia SROS.

It is also possible to configure the NED to use an interactive SSH login to the device. This extra SSH session is then handled internally in the NED. This option works also with older versions of SROS.

There are some ned-settings to control the behaviour of this feature, see the section 'ned-settings nokia-sros_nc live-status exec-any-mode and cli' in README-ned-settings.md for details on this.

Note that when using ncs_cli, the command-line given might need to be quoted if it contains characters that are interpreted by the ncs_cli itself.

Table of contents

1. General

1.1 Overview

The nokia-sros_nc NED is delivered without any YANG models included in the package.

To make the NED fully operational, you must first download the required models, then rebuild and reload the package.

This NED provides an optional built-in tool to simplify the download of device models.

Alternatively, you can download the models manually, as described in chapter 4.

Before using the downloader tool, ensure that the NED package (without device models) is properly configured in a running NSO environment. Complete the steps outlined in Chapters 1.1 through 1.3 of the before proceeding.

1.2 Using the Built-in Tool for Simple YANG Download

The downloader tool is implemented as an NSO RPC, which can be invoked, for example, from the NSO CLI.

When executed, the tool causes the NED to automatically connect to the target device to download the necessary YANG models. During this process, the NED requests the device to provide a list of supported models by probing its capabilities.

This list serves as the basis for downloading the models. Additionally, the tool scans each downloaded YANG file for further dependencies specified by import or include statements and attempts to download all such dependent YANG files as well.

When using the NETCONF protocol, YANG models can typically be downloaded directly from the device. This is also true for Nokia SROS devices, as long as the models have been properly loaded onto the device.

Important: Ensure that the device is configured to advertise the correct models. You should enable one or both of the following:

• nokia-combined-modules

• openconfig-modules

Note: The use of nokia-submodules should be avoided. The corresponding YANG files are known to cause compilation problems with some NSO versions.

Simple Usage

The downloader tool comes pre-configured with the following profiles:

• sros-combined-from-device: Downloads the Nokia SROS combined YANG models from the device, including dependencies. This is the default profile.

• sros-combined-with-bof-from-device: Downloads the Nokia SROS combined YANG models from the device, including the bof models. Managing bof settings through NSO requires additional NED configuration and has certain limitations. Refer to README-ned-settings.md and the "Limitations" section in README.md for more information.

To download files using the sros-combined-from-device profile, run the following command in the NSO CLI:

Or simply:

(since this is the default profile)

To download files using the openconfig-from-device profile, use:

Do as follows in the NSO CLI to download the files using the openconfig-from-device profiles.

Note: If a built-in profile is selected and the user specifies additional module-include-regex and/or module-exclude-regex options on the command line, the tool will merge the profile's regex patterns with those provided by the user.

For more advanced options when using the downloader tool, see Chapter 3.

Chapter 5 ("rpc get-modules") of the provides more details about the downloader tool, including a complete list of available command line arguments.

1.3 Rebuild the NED With the Downloaded YANG Models

The NED must be rebuilt after the device models have been successfully downloaded and stored.

It is common to encounter issues when building device YANG models. Such issues can result in compiler errors or unexpected runtime behaviors in NSO.

To address this, the NED is configured to handle all currently known build and runtime issues. It automatically patches problematic files to ensure they build correctly for NSO, using a set of YANG build recipes included with the NED package.

Please note that adapting the YANG build recipes is an ongoing process. If new issues are discovered, the Cisco NSO NED team will update the recipes and release a new version of the NED as needed.

End users are strongly encouraged to report any new YANG build issues to the Cisco NSO NED team through a support request.

The NED offers two options for rebuilding: you can either use the built-in tool within NSO, or run gnu make in an external shell.

Rebuild Using the Built-in Tool

The built-in RPC command rebuild-package rebuilds the NED package by automatically invoking gnu make in the source directory of the package installation root.

Example usage:

Note: This RPC may take a significant amount of time to complete, as compiling YANG models is a time-consuming process.

Additional Arguments:

• verbose: Prints the full output returned from gnu make. By default, output is shown only if errors occur.

• profile: Applies a specified build profile during the rebuild process.

• ned-id: Parameters for customizing the NED ID. For more information, see Chapter 5.

Rebuild Using a Separate Shell

The NED must be rebuilt from within the NED package installation root (i.e., $NED_ROOT_DIR as configured in Chapter 1.1 of the ).

To rebuild the NED, follow these steps:

1.4 Reload the NED Package In NSO

After the NED has been successfully rebuilt with the device models, it is necessary to reload the package in NSO.

To reload, use the following NSO CLI command:

Note: If the NED package has been rebuilt with a new NED-ID (as described in Chapter 5), you must add the force option to the reload command:

2. Cleaning And Resetting the NED Package

2.1 Removing All Downloaded YANG Models

If you plan to download a new set of YANG models for an already installed and reloaded NED, it is mandatory to first remove all old device YANG models from the previous download. Failing to do so may result in unintended mixing of different YANG models.

Clean Using the Built-in Tool

Clean Using a Separate Shell

2.2 Resetting NED Package to Its Original Initial State

If you have rebuilt the NED with downloaded YANG files and a custom ned-id, the original default ned-id is no longer available. To reset the NED package to its original state, follow the steps below.

Reset Using the Built-in Tool

1. Remove the downloaded YANG files:

2. Rebuild NED package without any additional arguments. This will reset the NED-ID to its original initial state:

Reset Using a Separate Shell

3. Using the Built-in Downloader Tool For a Custom Download

Using a pre-configured download profile is the easiest way to download device YANG models.

If this approach is not suitable, the downloader tool offers several additional arguments for customizing the download-for example, by limiting the scope of the YANG models to be downloaded.

3.1 Creating a Custom Download

To customize the download scope, use the module-include-regex and module-exclude-regex arguments. Both should be specified as regular expressions.

The easiest way to determine the correct arguments is by using the RPC command list-modules.

Example:

Start with fetching a full list of the YANG models supported by the device:

Limit the scope to only include some models, by specifying a simply regular expression for the argument module-include-regex:

Now use the argument module-exclude-regex to exclude some of the files matching the module-include-regex:

When the list-modules rpc returns only the models of interest you can use the same arguments for the get-modules rpc.

For more details about the get-modules and list-modules RPC commands, see Chapter 5 in the .

4. Alternative Download Methods

Device models can also be downloaded manually. To use this option, the NED package must first be unpacked. Complete the steps described in Chapter 1.1 of the beforehand. It is also recommended to follow the steps in Chapters 1.2 and 1.3 for best results.

4.1 Copy the Files Into the NED Source Directory

When YANG models have been downloaded manually, all files must be copied into the source directory of the NED installation:

Note:

YANG files named in the format <module name>@<date revision>.yang must be renamed to <module name>.yang. This is due to a limitation in the current NED make system.

This manual procedure is equivalent to using the downloader tool with a path to a local directory as the remote source. For more information, see Chapter 5 ("rpc get-modules") in the .

Important:

Do not remove any of the YANG files used internally by the NED in $NED_ROOT_DIR/src/yang.

This includes the following files:

The recommended way to clean the source directory is to follow the steps described in Chapter 5.

5. Rebuilding the NED Using a Custom NED-ID

A common use case is managing multiple versions of the same device in a network controlled by NSO. Each device may require its own unique set of YANG files, which means the NED must be rebuilt for each version.

To support this scenario, each built variant of the NED must have a unique NED-ID. This allows NSO to support multiple versions of the same NED package simultaneously.

There are two ways to rebuild the NED with a custom NED-ID:

1. Using the built-in RPC:

Specify the following additional arguments:

• suffix

• major

• minor

2. Using gmake in a separate shell:

Set the following make variables:

• NED_ID_SUFFIX

• NED_ID_MAJOR

• NED_ID_MINOR

The default NED-ID is: nokia-sros_nc-gen-1.0

5.1 Rebuild With a Custom NED-ID

Do as follows to build each flavour of the nokia-sros_nc NED. Do it in iterations, one at the time:

1. Follow the instructions in chapter 1.1 to 1.3 in to unpack the NED and install a device instance

   using it. Make sure a unique location is selected and update the environment variable $NED_ROOT_DIR

   accordingly and configure a device instance.

2. Follow the instructions in chapter 1.2 to download the YANG models matching the configured device.

5.2 Exporting the Rebuilt NED Package

After rebuilding the NED with a new NED-ID, it is often necessary to export it as a separate NED package. This new package will include both the raw and the customized, compiled versions of the third-party YANG models. The exported package can then be loaded into a new NSO instance or used like any other NED package.

The NED provides a built-in tool to simplify the export process. This tool is implemented as an additional RPC that can be invoked through the NSO CLI or any other northbound NSO interface.

The export tool copies all relevant files from the "source" directory of the rebuilt NED into a .tar.gz archive. The top-level directory of the archive will be named according to the generated NED-ID, for example: nokia-sros_nc<NED_ID_SUFFIX>-gen-<NED_ID_MAJOR>.<NED_ID_MINOR>.

Usage Example:

Additional arguments:

• destination: Destination directory for the exported .tar.gz archive. Default is /tmp.

• suffix: Suffix to append to the archive file name. Default is -customized.

6. YANG Fixes Applied When Rebuilding the NED

Third-party YANG files often contain errors that can cause issues during compilation or at runtime. In addition to standard YANG bugs, there may be constructs that are incompatible with NSO, or cases where the device does not fully adhere to the models.

The NED build system includes a set of tools that can automatically apply various fixes to third-party YANG files. These fixes, known as YANG recipes, ensure that the YANG files compile correctly when the NED package is rebuilt. Note that these recipes only cover YANG file versions that have been verified by the Cisco NED team. New build-time issues may still occur if the NED is rebuilt with unverified YANG file versions.

If you encounter any such issues, it is recommended to contact the Cisco NED team by opening a support ticket. See Chapter 8 in the for more information.

Below is a description of the YANG recipes currently used by the nokia-sros_nc NED.

6.1 General

The YANG recipes used by this NED are divided into one group for Nokia SROS specific fixes and one for OpenConfig fixes

6.2 Fixes listed by schema paths

6.3 Fixes listed by YANG file paths

openconfig-segment-routing.yang

nokia-sr-openconfig-platform-deviations.yang

nokia-sr-openconfig-network-instance-deviations.yang

nokia-sr-openconfig-platform-transceiver-deviations.yang

6.4 Other fixes

Not applicable

7. Advanced: Repairing Third-Party YANG Modules

Many third-party YANG models have issues that prevent them from being compiled or used with NSO - they often require repairs.

This NED package has been verified to work with the device models and YANG model revisions listed in the . Any issues found in these verified revisions have already been addressed, and the necessary fixes are included in the package.

However, new issues with YANG models may still arise. This can happen if the NED is used with YANG models that have not been verified by the Cisco NED team, or if the NED is used in a new scenario that has not previously been tested.

In such cases, additional YANG repairs may be required.

It is strongly encouraged to contact the Cisco NED team for assistance with these issues.

Create a support case with a detailed description of the problem and the use case, following the instructions in the .

There is also a do-it-yourself option for advanced users who have a strong understanding of the YANG modeling language. The NED package includes tools to help automate YANG repairs. This chapter provides an overview of how to use these tools.

7.1 Types of YANG Related Issues

When preparing YANG modules for use with NSO, issues can generally be classified as either compile-time or run-time.

• Compile-time issues are problems that must be resolved before the YANG modules can be successfully compiled and loaded into NSO.

• Run-time issues are problems that arise after the YANG has been compiled and loaded, such as invalid constraints that are not met by the actual device.

7.2 Compile-time Issues

Before using YANG modules in NSO, the first step is to ensure they can be compiled successfully. For convenience, most standard issues found in YANG files are automatically patched during the build process. The patched files are placed in src/tmp-yang (note: the original YANG files in src/yang are not modified).

This behavior is controlled by the make variable AUTOPATCH_YANG_NED. It is usually enabled by default in the NED makefile $NED_ROOT_DIR/src/Makefile, as shown below:

The auto-patcher feature only fixes the most common, standard issues.

If YANG compilation still fails (for example, as shown below), additional steps are required:

Always avoid modifying the original YANG files in src/yang. Instead, use the provided tools to patch the YANG files at compile time. The patched files will be placed in src/tmp-yang, which is where the make process looks for the active files.

The NED package includes three different YANG pre-processor tools for compile-time patching:

• schypp

• jypp

• ypp

7.2.1 The schypp Tool

schypp is the schema-aware YANG pre-processor tool. It is automatically invoked at compile time and reads directives from the file $NED_ROOT_DIR/src/customize-schema.schypp.

Each line in this file contains a single pragma, starting with one of the keywords: add, remove, replace, or inline-type. This keyword is followed by the globally unique schema-path for the node to operate on. No line breaks are allowed.

If a prefix is needed for a non-unique name in the path, it must match the prefix declared in the module. Depending on the operation type, the schema-path is followed by :: (two colons) and additional arguments as needed. The details for each directive are described below.

Supported Pragmas

• inline-type

• add

• remove

• replace

The schypp tool operates by first building an in-memory schema tree from all available YANG files. It then applies each defined pragma to the corresponding nodes in this schema. Once all pragmas have been applied, schypp automatically generates patched versions of the YANG files and stores them in src/tmp-yang.

By inspecting the patched YANG files in src/tmp-yang, you can see exactly what changes have been made. For example:

This approach allows you to track and verify all changes made to the YANG files during the patching process.

inline-type

Applicable for leafs of type leafref. The tool looks up the type of the referred leaf and inlines the same type on the referee. This is especially useful for resolving issues related to leafrefs.

Syntax:

inline-type <schema-path>

Example:

inline-type /oc-netinst:network-instances/network-instance/protocols/protocol/name

add

Adds YANG statements to the schema.

Syntax:

Example:

remove

Removes a YANG statement from the schema.

Syntax:

Example:

replace

Replaces a YANG statement in the schema. The matching statement (must be a unique match) is replaced by the provided statement(s). The rules for stmt-match and YANG-stmt(s) are the same as for add and remove.

Syntax:

Example:

7.2.2 The jypp Tool

jypp is a YANG pre-processor tool implemented in Java (hence the name). It provides similar functionality to the schypp tool, but operates in a YANG model-aware manner rather than schema-aware.

The jypp tool requires a "path" within the YANG model file to identify the node or area to operate on.

Finding the YANG Path

To determine the path to a node:

1. Identify the file containing the declaration of the node you wish to modify.

2. Open the file and locate the node.

3. Run jypp from a shell to print the path:

Example:

Suppose you need to modify the range for MPLS label values in openconfig-mpls-types.yang at line 278:

To find the path:

The path is: /#mpls-label/type/#uint32/range

Supported Operations

• --add-stmt:

  Add a statement to the node identified by the YANG path.

  Syntax:

  ./tools/jypp --add-stmt=<YANG path>::<statement to add> <file to modify>

  Example:

  ./tools/jypp --add-stmt=/#mpls-label/type/#uint32::description "This is an addition"; tmp-yang/openconfig-mpls-types.yang

Applying jypp Rules Automatically

After testing your jypp rules in a shell and confirming that the corresponding files in tmp-yang are updated as expected, you can add these rules to the build process so they're applied automatically each time the NED package is rebuilt.

1. Open $NED_ROOT_DIR/src/ned-custom.mk.

2. Locate the do-profile-default make target.

3. Add your jypp rules to this section.

Example:

7.2.3 The ypp Tool

ypp is the oldest of the three YANG pre-processor tools. It is a pattern-matching, text-processing utility that operates using regular expressions - essentially an advanced version of sed. While most tasks can be accomplished more easily with schypp or jypp, there are situations where ypp is the only workable option.

Syntax:

Examples:

After testing your ypp rules in a shell and verifying that the files in tmp-yang are updated as expected, you should add these rules to the build process so they are applied automatically each time the NED package is rebuilt:

1. Open $NED_ROOT_DIR/src/ned-custom.mk.

2. Locate the do-profile-default make target.

3. Add your ypp rules to this section.

Example:

7.2.4 Verify the YANG Repair

There is a dedicated make target for running only the "pre-processing" of the YANG modules, which includes automatic patching and application of local schema customizations. You can run it as follows:

After running this command, you can immediately review the resulting YANG modules in the src/tmp-yang directory. These are the files that will be used by the NED at runtime.

7.3 Run-time Issues

After all YANG modules have been successfully compiled and loaded into NSO, there may still be issues that only appear at run time. These are typically related to constraints defined in the YANG modules but not strictly followed by the device, such as integer value ranges or missing leafref targets. These issues can only be identified using actual device configurations, so a NED instance must be able to connect to the device and perform a full sync-from.

Example:

If the device returns configuration containing a leaf of type leafref whose target is missing, running a full sync-from might produce output like:

This indicates that the device is not fully compliant with the YANG models it uses, and further YANG repair is needed.

You can use the same toolkit described in section 7.2 to fix run-time issues.

For the example above, you could repair the issue with an additional schypp statement:

8. Advanced: Customizing Third-Party YANG Schemas

YANG models provided by many third-party vendors are often very large. When compiled, these schemas may contain tens of thousands of nodes, and in some cases, even exceed one million. Such large schemas can negatively impact NSO in several ways:

• Runtime memory footprint: A single NED package that includes a large third-party YANG schema can easily consume several hundred megabytes to up to a gigabyte of memory. In an NSO environment with many such NED packages installed, the overall memory usage can become significantly high.

• Persistent footprint: Large YANG files also result in large compiled schema files being installed in NSO, requiring more disk space on the host.

• Runtime performance: Large schemas can degrade NSO's performance, affecting everything from CLI responsiveness to diff calculations during commit operations as well as sync-from operations.

In many cases, it may not be necessary or even beneficial to include the entire third-party YANG schema when building the NED package. Often, the use cases deployed through NSO only require a fraction of the full schema. In such cases, it is recommended to consider schema customization when rebuilding the NED package.

All third-party YANG NED packages include filtering tools that allow you to customize the schema during the package rebuild process. This chapter provides a detailed description of these tools, including how to use them, their benefits, and limitations.

This chapter applies generally to all third-party YANG NEDs and includes examples from various device types and vendors.

8.1 Scope Filtering

Scope filtering is typically the first method to try when aiming to reduce the size of the schema during the rebuilding of a NED package. It works by automatically limiting the number of YANG models included to only those required for your specific use cases. This means that only the necessary YANG models are incorporated, which helps in minimizing the overall schema size and improving performance and resource usage during NSO operations.

This approach is straightforward and effective because it excludes unnecessary parts of large third-party YANG schemas that are not relevant to your deployment.

This method is recommended as the initial step in schema customization when building or rebuilding NED packages to optimize NSO resource consumption and responsiveness.

8.1.1 How it Works

YANG models that define the schema are typically organized into functional groups. For example, one module might cover interface configuration, another system settings, and a third router settings. Each group is usually defined in a separate YANG module with its own XML namespace, as illustrated below:

These namespaces appear in the device's running configuration and in the configuration snippets sent when deploying new settings. This is evident when displaying the configuration in XML format. The example below shows a simple commit dry-run involving the description leaf on an interface:

To apply the configuration in this example, the NED only needs built-in support for the namespace http://openconfig.net/yang/interfaces. This means that only the YANG module openconfig-interfaces.yang and its dependencies (as indicated by the import statements above) must be compiled into the NED package. Other YANG modules, such as those defining system settings, are not required and can be excluded.

The scope filtering feature is an automatic pre-processing step invoked when rebuilding the NED package. It analyzes the use cases and the XML namespaces they require, then generates a list of YANG modules necessary to support all use cases. This list is provided to the YANG compiler, which compiles only the specified modules instead of all third-party YANG files currently downloaded.

What is a Use Case?

Before using scope filtering, you need to gather relevant use cases.

From the NED perspective, a use case is a configuration snippet that will be deployed to the device, typically generated by one or more service packages.

When collecting use cases, you must execute your services so they produce the configuration intended for the device. It is important to exercise all service options thoroughly, as certain service package options may trigger configuration nodes belonging to different XML namespaces, which must be included as separate use cases.

However, it is not necessary to deploy all use cases on the device physically. You can use NSO's commit dry-run outformat xml feature to collect use cases without actual deployment.

Example:

Another important use case to consider is the device's day-0 configuration. Your services might depend on existing device configuration, which should also be included as a use case.

All collected use cases need to be saved as XML files in an appropriate directory for use during NED package rebuilding.

8.1.2 Usage

To rebuild the NED package using the scope filtering feature with collected use cases stored in the directory /tmp/use-cases, you have two main options:

Using the NED Built-in Rebuild Tool (RPC)

This is the recommended method. Invoke the rebuild tool via the NSO CLI with the following command:

After the rebuild completes, reload the NED package:

If the reload fails because NSO detects that some XML namespaces have disappeared (which is expected when scope filtering removes unused modules), retry with the force flag:

Using a Unix Shell

Alternatively, you can rebuild the NED package directly from a Unix shell. Run the following command, specifying the scope filter directory:

8.1.3 Examples

This simple example shows how to use the scope filter to adapt the NED to only include the YANG modules covering the running config on the device together with the configuration that will be deployed through a simple service package named my-service.

1. Make the NED fully operational with the full schema by following the initial setup steps (chapters 1.2 - 1.4).

2. Connect to the device:

3. Optionally, list the modules currently supported by the NED:

   This lists all YANG modules with revisions built into the NED package.

8.1.4 Limitations

The scope filtering feature depends on YANG models being properly partitioned into distinct XML namespaces, which is true for most third-party YANG models. However, there are notable limitations:

• Namespace Partitioning Exception: Some models, such as the Nokia SROS YANG distribution, have the majority of their nodes within a single namespace. In these cases, scope filtering is ineffective.

  It is worth mentioning that all standard NEDs developed by the Cisco NSO NED team also utilize single-namespaced YANG models.

• Granularity Limitation: Scope filtering can only remove complete YANG modules representing entire namespaces. It cannot remove individual nodes or subsets within a module.

To address these limitations, the trim filter feature shall be used instead. The trim filter allows more granular customization by removing specific nodes within a YANG model rather than entire modules, thus overcoming the constraints of scope filtering.

8.2 Trim Filtering

Trim filtering customizes third-party YANG schemas by patching the YANG files during the NED package rebuild process. This is done through a pre-processing step handled by the tool named schypp, which reads all installed YANG files into an in-memory schema representation. The schypp tool then applies modifications based on pragma directives, as described in the relevant documentation section 7.1. After applying these modifications, schypp automatically generates new patched versions of the YANG files.

Specifically for trimming, schypp can also remove any node from the schema, ranging from a single leaf to an entire subtree. It also intelligently resolves dependencies related to the trimmed nodes. For example, if there are references such as leafrefs, deviations, augments, or refines that point to the node or any of its subnodes being trimmed, schypp will automatically handle and resolve these references to maintain schema consistency.

This approach allows for much finer granularity in schema customization compared to scope filtering, which only removes entire modules based on XML namespaces. Trim filtering with schypp enables precise removal of unwanted parts of the schema while ensuring that all dependent references are correctly managed during the rebuild process.

8.2.1 How it Works

When trimming nodes using the schypp based trimmer tool, the process works as follows:

• It removes the specified nodes from the schema, and generates new patched versions of the YANG files.

• The trimmer tool automatically generates additional comments in the patched YANG files indicating which nodes have been trimmed and the reasons for their removal.

• This helps maintain clarity and traceability in the modified YANG files.

Trimming Normal Nodes

Normal nodes refer to nodes that are directly modeled in YANG modules or nodes modeled within groupings that are not shared with other parts of the schema. These nodes are generally straightforward to trim.

Below is a simple YANG module that will be used for illustrating how the trimming works.

Assume the nodes identified with the schema paths /conf:top/a and /conf:top/c shall be trimmed.

Then the resulting patched YANG file will look like below:

Trimming Nodes Defined in Shared Groupings

When nodes to be trimmed are defined within groupings shared across multiple parts of the schema, the trimming process becomes more complex than trimming normal nodes. This is because directly trimming nodes from a shared grouping would affect all instances where that grouping is used, which is usually undesirable.

Trimmer Approach for Shared Groupings

• The trimmer tool first expands the shared groupings at each location where they are used. This means it replaces the uses statement with the actual content of the grouping in that specific location.

• After expansion, the nodes to be trimmed can be removed locally at each instance without affecting other parts of the schema.

• The tool adds new auto-patch comments in the YANG files to document these changes, showing where groupings were expanded and which nodes were trimmed.

Example:

Given the YANG module below:

If the nodes /conf:top/a and /conf:top/subtree1/b need to be trimmed:

• The grouping ab is used in three places (top, subtree1, and subtree2), so it is a shared grouping.

• The trimmer tool will expand the grouping ab at top and subtree1 (where trimming is needed).

• Then it trims the specified nodes locally.

The resulting patched YANG module will look like:

Additional Notes

• If nodes to be trimmed are defined through multiple nested groupings, the trimmer tool will locate the top-most shared grouping and expand it recursively, including any sub-groupings as long as they represent the same XML namespace.

• This approach ensures that trimming is precise and localized, avoiding unintended removal of nodes in other parts of the schema.

Trimming Augmented Nodes in YANG Schemas

Augmented nodes in YANG schemas are nodes added to existing schema trees via the augment statement, often representing a different XML namespace than their siblings. Trimming these nodes requires special handling to maintain the correct namespace and schema integrity.

Key Points on Trimming Augmented Nodes

• Trimming must be done in the same YANG module where the augment is defined to preserve the XML namespace.

• The trimming process is similar to trimming normal nodes but localized within the augmenting module.

• The trimmer tool inserts comments indicating which nodes have been trimmed.

Example 1: Simple Augmented Node Trimming

Given a YANG module augmenting /conf:top/conf:subtree1 with a container extra having leaves x and y:

If the node /conf:top/subtree1/conf-aug:extra/y is to be trimmed, the patched module will look like:

Example 2: Trimming Augmented Nodes Defined Through Shared Groupings

When augmented nodes are defined via shared groupings used in multiple augmentations, trimming requires a more complex approach:

​ • The trimmer tool clones the shared grouping for the specific augmentation where trimming is needed.

​ • The cloned grouping is patched with the trimmed nodes.

​ • The augmentation is updated to use the cloned grouping instead of the original.

Given a YANG module below:

If /conf:top/subtree1/conf-aug:extra/y is to be trimmed, the patched module will be:

Summary

• Trimming augmented nodes preserves the XML namespace by modifying the augmenting module.

• For augmented nodes defined via shared groupings, the trimmer clones the grouping, applies trimming to the clone, and updates the augmentation to use the clone.

• This approach ensures precise, localized trimming without affecting other schema parts.

Resolving Dependencies

When trimming YANG schemas, resolving dependencies is crucial to maintain schema integrity and ensure successful compilation of the patched modules. The trimmer tool automatically handles these dependencies using the following approaches:

1. Leafrefs

• If a node to be trimmed is referenced by other nodes as a leafref, the tool automatically inlines the node type into all such references. This means the leafref is replaced by the actual type of the referenced node, removing the dependency on the trimmed node.

2. Augments, Deviations, and Refines

• YANG statements such as augment, deviation, and refine that refer to a trimmed node are themselves automatically trimmed.

• This ensures no dangling references remain in the schema.

Example Scenario

Consider three YANG modules:

• Base module (trim-schema) defines a grouping ab with leaves a and b, a container top using ab, and a list sublist also using ab. It has a leaf active of type leafref pointing to ../sublist/a.

• Augment module (trim-schema-test-aug) augments /conf:top/conf:sublist with a grouping extra containing leaves x and y.

• Deviation module (trim-schema-test-dev) deviates leaf b in /conf:top/conf:sublist to replace its type.

If the node /conf:top/sublist is trimmed, the trimmer tool patches the modules as follows:

• In the base module, the sublist list is removed (trimmed), and the leafref type for active is replaced by the inlined type (string) from the original leaf it referenced.

• In the augment module, the augment statement for /conf:top/conf:sublist is removed.

• In the deviation module, the deviation for /conf:top/conf:sublist/conf:b is removed.

This automatic resolution ensures the patched YANG modules remain consistent and compilable as shown below.

8.2.2 Usage

This is a detailed guide on using the NED built-in rebuild tool with the trim-schema filter for trimming YANG schema nodes:

Using the NED Built-in Rebuild Tool (RPC)

This is the recommended method to trim schema nodes. You invoke the rebuild tool via any NSO northbound interface and specify the trim-schema filter.

Basic Command Structure:

Options for the trim-schema Filter:

• all-unused: Trim all currently unused nodes in the schema.

• all-with-status: Trim all nodes annotated with specific 'status' statements (e.g., deprecated, obsolete).

• method: Select the trimming method.

• nodes: List specific nodes to trim by their full schema paths.

Trimming Specific Nodes from the Command Line

Use the nodes option to specify one or more nodes by their full schema paths.

Example:

See chapter 8.2.3 on how to find out the full schema path for a any node in the schema.

Trimming Nodes from a File

If you have many nodes to trim, list them in a file (one schema path per line). Lines not starting with / are treated as comments.

Example file content:

Invoke the rebuild tool with:

Trimming All Deprecated and/or Obsolete Nodes

Third-party YANG models often contain many deprecated or obsolete nodes. Trimming these is usually safe and is a straightforward way to reduce schema size.

Trimming All Unused Nodes

This option trims all nodes not currently used in the NSO CDB database. Use with caution as it can be drastic.

Customized Trimming Using show-loaded-schema Tool

To create a customized list of nodes to trim, use the show-loaded-schema tool to extract schema paths based on filters.

Example:

• To list all currently used nodes (populated in CDB):

  An alternative is to use the standard show running-config command like below:

  The output of this command displays instance xpaths, which differ from schema paths. To obtain the schema paths, you must perform the following extractions:

  • Remove the preceding path /ncs:devices/device['dev-1']/config from each xpath of interest.

  • Eliminate all xpath predicates, meaning everything enclosed within and including the square brackets []To list all unused nodes:

You can then concatenate and edit these files to create a final list of nodes to trim.

Note:

• Keep in mind, that nodes removed or commented out from the file are the ones that will not be trimmed.

• The list includes nodes and their subnodes; including subnodes is optional but harmless.

After preparing the file with nodes to trim, rebuild the NED package:

Using a Unix Shell

Alternatively, rebuild the NED package directly from a Unix shell by specifying the trim filter file:

8.2.3 Schema Path Formats

When specifying schema paths for the trimmer tool, it is essential to use the full raw schema path, including prefixes whenever there is a namespace change. This is generally straightforward except for YANG choice statements. In the case of choice statements, both the choice node and the relevant case node must be included in the path.

For example, consider the following YANG module snippet:

In this example, the leaves x and z are defined within a YANG choice construct. To trim these leaves, the following full schema paths must be specified:

• /conf:top/sublist/my-choice/first/x

• /conf:top/sublist/my-choice/z/z

Note the extra z in the second path. This is because the leaf z is defined without an explicit surrounding case statement in the YANG. In such cases, the schypp tool adds an implicit case node to the schema when building the in-memory representation, which must be reflected in the path.

Thus, when trimming nodes under choice statements, always include both the choice and case nodes explicitly in the schema path to ensure correct trimming by the tool. For all other nodes, specifying the full raw schema path with appropriate prefixes is sufficient.

Using the show-loaded-schema tool is highly recommended to generate accurate and properly formatted schema paths for your schema trimming or filtering tasks.

8.2.4 Limitations

Schema trimming is an advanced process designed to handle complex YANG constructs. It has been tested with third-party YANG models from multiple vendors such as Cisco IOSXR, Juniper JunOS, Nokia SROS, Nokia SRLinux, Arista EOS, and OpenConfig.

However, due to the vast number of schema nodes and possible combinations, not all scenarios can be exhaustively tested, and the tool should be considered experimental.

Currently, the schema trimming tool does not support trimming of YANG unique statements. This limitation means that nodes or constraints defined using the unique statement in YANG models cannot be trimmed by the tool at this time.

8.3 Auto-config Filtering

Auto-config filtering in NSO is designed to address device configuration artifacts known as auto-config. These artifacts occur when a device automatically applies additional configuration related to the configuration explicitly deployed by NSO. For example, if NSO applies configuration A, the device will automatically also set configuration B.

NSO maintains its own Configuration Database (CDB) as the source of truth, so any auto-configured nodes not explicitly managed by NSO will immediately cause out-of-sync issues.

Devices exhibiting auto-config behavior are very common. There are basically three main strategies to handle this in NSO:

1. Ignore the auto-config artifacts: Accept that out-of-sync states may occur if they are not critical for the use case.

2. Adapt the services: Modify service logic to explicitly configure the auto-configured nodes s (e.g., A + B). This keeps NSO in sync but can be complex. It may also cause issues for example during rollback if the device does not handle explicit deletion of auto-config nodes well.

3. Remove auto-configured nodes from the schema: This approach removes the auto-configured nodes from NSO's schema so that NSO is unaware of them, preventing out-of-sync issues caused by these nodes.

Auto-config filtering focuses on this third option to improve synchronization by filtering out device-generated configuration artifacts.

8.3.1 How it Works

The auto-config filtering in NSO works by identifying nodes that get auto-configured by the device after a service commits configuration. This process relies on two snapshots of the running configuration:

• The before snapshot is taken immediately after the intended configuration has been committed on the device. It reflects the configuration that NSO intended to set.

• The after snapshot is taken after a subsequent sync-from operation. It reflects both the intended configuration and any additional auto-configured nodes the device has applied.

By comparing these two snapshots, auto-config filter generates a diff that corresponds to the auto-configured configuration. The filter then uses this diff to generate an extra YANG deviation file. In this file, all auto-configured nodes are tagged with a not-supported statement, effectively removing them from the schema once loaded into NSO.

For example, the deviation file may look like this:

This deviation file is created in a pre-processor step and then compiled together with the remaining YANG files, ensuring that the auto-configured nodes are excluded from NSO's schema and thus preventing out-of-sync issues caused by device auto-configuration.

8.3.2 Usage

To ensure proper functionality, confirm that the NED is fully operational with its complete schema built-in. This can be achieved by following the initial setup steps outlined in chapters 1.2 - 1.4, possibly followed by installation of your service packages.

Before you can utilize the auto-config filter, it is essential to create two snapshots. Follow these steps:

1. Perform an initial sync-from operation.

2. Apply the desired configuration to the device (e.g., via a service).

3. Execute show running-config and save the output in XML format to a file named before.xml. This specific file name is mandatory.

4. Perform a new sync-from operation.

Once these steps are completed, you are ready to use the auto-config filter.

Using the NED Built-in Rebuild Tool (RPC)

The recommended method for trimming schema nodes is by using the NED built-in rebuild tool. You can invoke this tool via any NSO northbound interface, specifying the auto-config filter.

Basic Command Structure:

Options for auto-config Filter:

• dir: Specifies the directory containing the before.xml and after.xml files used for auto-config filtering.

• file: An optional parameter for the name of the auto-generated deviation file.

Using a Unix Shell

Alternatively, you can rebuild the NED package directly from a Unix shell. This method is slightly more complex and does require multiple tests.

1. Generate the deviation file:

2. Rebuild the NED package

8.3.3 Examples

This simple example demonstrates how to effectively use the auto-config filter to remove automatically configured artifacts from a device. For this example, we assume a basic service named my-service has already been installed.

First, ensure the NED is fully operational with its complete schema by following the initial setup steps outlined in chapters 1.2 through 1.4.

Next, configure and commit a new instance of the my-service service. The commit is labeled '1' to facilitate restoring the device to its previous state if needed.

Now, save the current running configuration to the file: /tmp/auto-config/before.xml.

Optionally, you can perform a compare-config at this stage. This action should generate a diff, indicating that the device indeed has automatically configured certain elements..

Proceed by performing a sync-from operation. This action will populate the CDB with the auto-configured settings from the device.

After the sync-from, save the new running configuration to the file: /tmp/auto-config/after.xml.

Optionally, you may choose to restore the device to its previous state. To do this, first identify the commit ID associated with the label '1' by viewing the rollback files:

Then, you can rollback and commit the configuration:

Finally, rebuild the NED package by utilizing the auto-config filter.

After rebuilding the package, reload it to apply the changes.

8.3.4 Limitations

The auto-config filter employs a best-effort approach. It's important to note that if any automatically configured nodes overlap with the configurations being deployed through NSO, these overlapping nodes cannot be removed.

For instance, consider a scenario where you create a new entry in a list on the device, and the device subsequently adds another entry to the same list. In such a case, this list node cannot be made to disappear, as doing so would prevent the application of the initial configuration.

Since the auto-config filter leverages YANG deviations, it does not impact the resulting schema size. In other words, using an auto-config filter will not reduce the overall schema size.

9. Advanced: Issues Solvable with Schema Customization

This chapter addresses various issues and problems, all of which can be resolved using the schema customization techniques detailed in the preceding chapters. Each of these listed issues stems from real-world support cases, involving a range of different devices and third-party YANG NEDs.

The intention is for the described issues and their solutions to serve as an inspiration or a foundational knowledge base for other challenges that may arise when working with third-party YANG NEDs.

9.1 Excessive RPCs Leading to Unresponsive NSO CLI

Third-party YANG models can include a substantial number of Remote Procedure Calls (RPCs). For instance, a recent JunOS YANG distribution may contain over 6500 RPCs.

It has been observed that when all these RPCs are incorporated into the NED package, the NSO CLI can become unresponsive, especially affecting tab completion, when a user attempts to invoke them.

Should this unresponsiveness pose a problem for end-users, a simple workaround is to remove all unnecessary RPCs from the schema. In most scenarios, it is highly unlikely that all available RPCs would be needed.

Step-by-Step Guide: Trimming RPCs from the schema

First, ensure the NED is fully operational with its complete schema by following the initial setup steps outlined in chapters 1.2 through 1.4.

1. Use the show-loaded-schema tool to list all RPCs currently installed in the NED package:

   This command will generate a file containing the schema paths for each defined RPC.

2. Open and edit this generated file.

   Comment out (by adding a # at the beginning of the line) the RPCs you wish to keep, as shown in the example below:

3. Rebuild the NED package using the trim-filter feature

9.2 Removing Deprecated Nodes from the Schema

The YANG modeling language supports annotating schema nodes with status information. Two status values, in particular, indicate that nodes are scheduled for removal in future model versions:

• deprecated: The node is still supported but its use is no longer recommended.

• obsolete: The node is no longer supported and should not be used.

If you want to reduce the size of a third-party YANG schema, a logical first step is to consider removing deprecated and/or obsolete nodes, since their use is already discouraged.

Currently, the NSO YANG compiler (yanger) does not provide a built-in method to automatically trim such nodes. However, you can achieve this using the schema trimming build filter, which removes specified nodes from the YANG modules before compilation.

Step-by-Step Guide: Trimming deprecated and obsolete nodes from the schema

1. Check for deprecated/obsolete nodes:

   First, verify whether the schema contains any nodes with these statuses. The following example command counts all nodes with a status of deprecated or obsolete

   If the tool returns a number greater than zero, the schema contains nodes with the specified statuses.

2. Rebuild the NED with the trim filter:

9.3 Identifying Problematic XPath Expressions Causing Performance Degradation in NSO

Many third-party YANG models are annotated with additional expressions to describe dependencies between different nodes in the schema. Typically, these dependencies are defined using xpath expressions in must or when statements, or by using the leafref type.

These kinds of dependency rules are always computationally intensive for NSO. Depending on how the xpath expressions are constructed, they can significantly impact overall NSO performance.

It can be very difficult for an end user to understand why a particular operation in NSO suddenly takes an unusually long time to complete. Identifying which specific xpath expression is causing the issue can be even more challenging.

Real Case Description:

This example is based on a support case involving the third-party YANG NED for Huawei VRP NETCONF. The VRP YANG models contain numerous dependency rules - about 4,000 must statements and 3,000 when statements in a recent distribution.

A delete operation of an interface instance led to unresponsiveness in the NSO CLI, as illustrated below:

When this kind of unresponsiveness occurs, it is often due to NSO having to evaluate poorly designed xpath expressions.

In this case, even the "no operation" during an open transaction took an unacceptably long time, suggesting that xpath calculations were involved-likely due to inefficient when statements. NSO verifies when expressions every time changes are made in an open transaction.

During the commit phase, NSO performs even more thorough verification of all dependencies, including all must, when, and leafref statements.

Step-by-Step Guide: Finding Problematic xpath Expressions

Here is a process to identify problematic xpath expressions when performance issues are suspected:

1. Enable the NSO xpath tracer:

   Enabling the xpath tracer is essential for identifying xpath-related issues. Note that the tracer is disabled by default due to its significant impact on NSO performance. Operations like the simple delete above can take up to 10 times longer with the tracer enabled.

   To enable the xpath tracer, edit the ncs.conf configuration file located in <NSO RUNTIME DIR>/ncs.conf. Locate the <xpath-trace-log> section and ensure it is enabled:

   Restart NSO for the changes to take effect:

Why are Absolute Paths Problematic in XPath Expressions?

Absolute paths in xpath expressions can easily expand the scope of verification in unintended ways.

In the examples above, all the absolute paths reference the interfaces section of the schema-specifically, the node /ifm:ifm/ifm:interfaces/ifm:interface, which represents a list of interfaces.

Since these expressions do not specify a particular interface (for example, by using xpath predicates), NSO must evaluate the condition against every interface instance in the list. The more interfaces that are configured, the longer the evaluation takes. In this specific case, there were about 750 interfaces configured, resulting in significant performance degradation.

Important: There is no way for NSO to automatically protect itself against problematic xpath expressions. Such expressions should be regarded as bugs in the YANG model. They must be fixed - ideally by the third-party YANG vendor - or removed from the schema.

9.4 Solving Issues Related to the NSO Brownfield Feature

With the release of NSO 6.5, a new feature was introduced to better manage brownfield network setups. In such environments, agents other than NSO — including manual operators, automation scripts, or other orchestrators — can deploy configurations to network devices. A key challenge for NSO when orchestrating a brownfield network is that it is likely to be perpetually out of sync with the network's actual configuration.

Frequent "sync-from" operations are often ineffective in a brownfield network. To address this, NSO 6.5 introduced the new confirm-network-state commit feature, specifically designed for brownfield scenarios. A comprehensive description of this feature can be found in the NSO documentation. In essence, this feature ensures that NSO thoroughly verifies the network's current state as an initial step before committing new configurations. From a 3PY NED perspective, this typically involves one or more additional read operations towards the device, often performed as partial sync-from operations.

The confirm-network-state feature relies on the schema to determine which schema paths to validate during these read operations. Furthermore, it completely depends on the schema precisely matching the configuration tree on the target device for these read operations.

This dependency can lead to problems with third-party YANG models because there's no guarantee that these models perfectly correspond to the devices advertising them. In fact, it's common for third-party YANG models to be constructed as a superset, covering multiple device types.

Example:

To illustrate this problem, consider the simple YANG model below. This model acts as a superset, simultaneously supporting both device type A and device type B.

Now, imagine NSO needs to delete an entry from the /conf:/common-settings/master list on a device of type A. Since the network is brownfield and NSO is out-of-sync, the confirm-network-state feature will be engaged.

When deleting an entry from the /conf:/common-settings/master list using this commit feature, NSO must first verify that the entry is not referenced elsewhere. The schema includes two other lists that reference the master list. Consequently, NSO will query the device for all entries in both /conf:device-type-A-settings/used/used and /conf:device-type-B-settings/used/used.

However, the device itself is of type A and has no knowledge of the path /conf:device-type-B-settings/used/used. As a result, it will return an error for any read operations attempting to access that path.

How Common is This?

The use of superset third-party YANG models is quite common. A prominent example is the Nokia SROS models, which encompass all devices utilizing the SROS platform. Another instance can be found in vendor-neutral models like OpenConfig. Vendors that claim support for such models typically only implement a fraction of the full schema. While some vendors handle this appropriately by using YANG deviation modules to remove unsupported parts, others simply disregard this discrepancy.

It's also worth noting that most of the standard NEDs developed by the Cisco NSO NED team also employ superset YANG models.

How Severe is This?

The severity of this issue largely depends on the management protocol in use. For certain protocols, such as RESTCONF, it's often possible for the NED to ignore errors returned on specific read paths.

Unfortunately, the NETCONF protocol is particularly susceptible to this problem. This is because NETCONF can consolidate all paths to be read into a single request, which is usually very efficient as it minimizes round trips. However, if an invalid path is included among the valid ones, the device will return an error instead of any useful data.

For NETCONF, the partial-show operation in the previous example would typically appear as follows:

And a typical NETCONF device would respond with an error similar to this:

How to Solve the Problem?

Fortunately, a solution exists for this type of problem: utilizing the schema trimming feature available in every 3PY NED.

By first customizing the schema to precisely map to the device it will be used with, it will no longer function as a superset. This involves removing parts of the schema that are not relevant to the specific device — a task ideally suited for the schema trimmer feature.

Determining which nodes to trim can be quite challenging — often requiring consultation of device documentation — and can be a tedious process.

The 3PY NED toolbox can offer valuable hints on what should be trimmed, as will be demonstrated with the example below.

Real Case Description

This example is based on a real support case involving the third-party YANG NED for Nokia SROS NETCONF. It demonstrates how an issue encountered when using the confirm-network-state commit feature can be resolved by rebuilding the NED with the schema trimming feature.

The problem was triggered by a seemingly straightforward delete operation for a single list entry: association 123

The commit failed, and the device reported an error related to a seemingly unrelated node: service-activation-testhead.

Let's examine the NED trace to understand why. The additional read operation required by the confirm-network-state feature appears as follows:

Each XML element within the filter above represents a path that NSO attempts to read from the device. In this case, NSO needs to inspect ten different paths to successfully remove the association 123 list entry.

A relevant question here is, "Why?"

The built-in show-loaded-schema tool can help answer this. To inspect the schema corresponding to the association list, the details option is necessary.

The output will appear as follows:

The output reveals that 17 other nodes within the schema are defined as leafrefs pointing to the ma-admin-name key element in the association list. One of these nodes has a schema path beginning with /conf:configure/test-oam/service-activation-testhead.

Evidently, the device we are connected to does not support this specific schema node.

Therefore, it is necessary to remove this node from the schema embedded within the NED package. This is achieved by rebuilding the NED with a schema trim filter:

Next, reload the NED package:

To verify the removal of the /conf:configure/test-oam/service-activation-testhead node, execute the following command:

The output now appears as follows:

The ma-admin-name is no longer referenced from the path beginning with /conf:configure/test-oam/service-activation-testhead.

Finally, confirm that the delete operation is now successful:

In some cases, it might be necessary to repeat this procedure until the commit finally succeeds. In this specific example, there are potentially 16 additional nodes that might also require trimming.