netopeer2-cli(1)            General Commands Manual            netopeer2-cli(1)

netopeer2-cli - NETCONF client with command line interface built on
libnetconf2

netopeer2-cli serves as a generic NETCONF client providing a simple
interactive command line interface. It allows a user to establish a NETCONF
session with a NETCONF-enabled device on the network and to obtain and
manipulate its configuration data. netopeer2-cli is limited to a single
NETCONF connection at a time via a forward or a reverse (Call Home)
connecting method.

Here is the list of NETCONF capabilities supported by netopeer2-cli:

    • NETCONF protocol version 1.0 and 1.1 (RFC 6241)
    • SSH transport (RFC 6242)
    • TLS transport (RFC 5539bis)
    • Call Home (reverse SSH/TLS)
    • Event Notifications (RFC 5277)
    • Access Control (RFC 6536)
    • :writable-running capability
    • :startup capability
    • :candidate capability
    • :confirmed-commit capability
    • :validate capability version 1.1
    • :with-defaults capability (RFC 6243)
    • :url capability
    • :xpath capability

The supported transport protocols are detected automatically based on
how libnetconf2 was compiled. Unsupported (sub)commands are then not
available and are hidden in the help. This page, however, contains them
all.

help
    Display the list of commands. The --(h)elp option is also accepted by
    all commands and shows detailed information about the command.

connect
    Connect to a NETCONF server.

    connect [--help] [--host hostname] [--port num]
        [--ssh] [--login username]
        --tls [--cert cert_path [--key key_path]]
        [--trusted trusted_CA_store.pem]

    --h(o)st hostname
        Specifies the hostname of the NETCONF server to connect to. If
        not specified, 'localhost' is used.

    --(p)ort num
        Port to connect to the NETCONF server on. By default, port 830
        for SSH or 6513 for TLS transport is used.

    --(s)sh
        Use NETCONF over SSH transport. This is the default when both
        SSH and TLS are enabled.

    --(l)ogin username
        Specify the SSH username to connect with. By default, the
        current system user is used.

    --(t)ls
        Use NETCONF over TLS transport.

    --(c)ert cert_path
        Use a specific certificate for the TLS handshake. cert_path
        specifies the path to the client certificate in CRT format. If
        the --key option is not specified, cert_path is expected to also
        contain the private key for the client certificate, in PEM
        format.

    --(k)ey key_path
        Specifies the path to the private key for the client certificate
        in KEY format. If not specified, cert_path is expected to also
        contain the private key for the client certificate, in PEM
        format.

    --t(r)usted trusted_CA_store.pem
        Specifies the path to a trusted CA certificate bundle in PEM
        format to be used exclusively for server verification for this
        connection instead of the default CA directory.

listen
    Listen for a NETCONF Call Home.

    listen [--help] [--timeout sec] [--host hostname] [--port num]
        [--ssh] [--login username]
        --tls [--cert cert_path [--key key_path]]
        [--trusted trusted_CA_store.pem]

    --t(i)meout sec
        Specifies how long the CLI will listen for the Call Home
        connection. By default, 60 (a minute) is used.

    --h(o)st hostname
        Specifies the hostname (interface) to listen on. By default,
        ::0 is used.

    other options
        The rest of the options have a similar meaning as in connect.

disconnect
    Disconnect from a NETCONF server.

commit
    Perform NETCONF <commit> operation. For more details see RFC 6241
    section 8.3.4.1.

    commit [--help] [--confirmed] [--confirm-timeout sec]
        [--persist new-commit-id] [--persist-id commit-id]

    --(c)onfirmed
        Make the <commit> a confirmed commit. See RFC 6241 section 8.4.

    --confirm-(t)imeout sec
        Specify the confirmed commit timeout. Can be used only with
        --confirmed.

    --(p)ersist new-commit-id
        Make the commit a persistent commit. new-commit-id is the
        identifier of the commit.

    --persist-(i)d commit-id
        Confirm a persistent commit with the commit-id identifier.

cancel-commit
    Cancel a pending confirmed commit.

    cancel-commit [--help] [--persist-id commit-id]

    --persist-(i)d commit-id
        Cancel the pending confirmed commit identified by commit-id.

copy-config
    Perform NETCONF <copy-config> operation. For more details see RFC 6241
    section 7.3.

    copy-config [--help] --target running|startup|candidate|url:url
        (--source running|startup|candidate|url:url | --src-config [file])
        [--defaults report-all|report-all-tagged|trim|explicit]

    --(t)arget running|startup|candidate|url:url
        Specifies the target of the <copy-config> operation. Either a
        datastore or a specific URL can be specified.

    --(s)ource running|startup|candidate|url:url
        Specifies the source of the <copy-config> operation. Either a
        datastore or a specific URL can be specified.

    --src-(c)onfig [file]
        Specifies the source of the <copy-config> operation. If a file
        with the configuration is not specified, the configuration is
        read from the standard input.

    --(d)efaults report-all|report-all-tagged|trim|explicit
        Use :with-defaults capability with the specified retrieval
        mode. For more details see RFC 6243 section 3.

delete-config
    Perform NETCONF <delete-config> operation. For more details see RFC
    6241 section 7.4.

    delete-config [--help] --target startup|url:url

    --(t)arget startup|url:url
        Specifies the target of the <delete-config> operation. Either
        the startup datastore or a specific URL can be specified.

discard-changes
    Perform NETCONF <discard-changes> operation. It reverts the candidate
    configuration to the current running configuration. For more details
    see RFC 6241 section 8.3.4.2.

edit-config
    Perform NETCONF <edit-config> operation. For more details see RFC 6241
    section 7.2.

    edit-config [--help] --target running|candidate
        (--config [file] | --url url) [--defop merge|replace|none]
        [--test set|test-only|test-then-set]
        [--error stop|continue|rollback]

    --(t)arget running|candidate
        Specifies the target of the <edit-config> operation.

    --(c)onfig [file]
        Specifies the content of the <edit-config> operation. If a file
        with the configuration is not specified, the configuration is
        read from the standard input.

    --(u)rl url
        Specifies the content of the <edit-config> operation. It is
        retrieved from that specific URL.

    --def(o)p merge|replace|none
        Specifies the default operation for applying configuration data.

        merge
            Merge configuration data at the corresponding level.
            This is the default value.

        replace
            Edit configuration data completely replaces the
            configuration in the target datastore.

        none
            The target datastore is unaffected by the edit
            configuration data, unless and until the edit configuration
            data contains the operation attribute to request a
            different operation.

    --t(e)st set|test-only|test-then-set
        Perform validation of the modified configuration data. This
        option is available only if the server supports the
        :validate:1.1 capability (see RFC 6241 section 8.6).

        set
            Do not perform the validation test.

        test-only
            Do not apply the modified data, only perform the
            validation test.

        test-then-set
            Perform a validation test before attempting to apply the
            modified configuration data. This is the default value.

    --e(r)ror stop|continue|rollback
        Set the reaction to an error.

        stop
            Abort the operation on the first error. This is the
            default value.

        continue
            Continue to process configuration data on error. The
            error is recorded and a negative response is returned.

        rollback
            Stop the operation processing on error and restore the
            configuration to its complete state at the start of this
            operation. This action is available only if the server
            supports the :rollback-on-error capability (see RFC 6241
            section 8.5).

get
    Perform NETCONF <get> operation. Retrieves both status and
    configuration data from the current running datastore. For more
    details see RFC 6241 section 7.7.

    get [--help] [--filter-subtree [file] | --filter-xpath XPath]
        [--defaults report-all|report-all-tagged|trim|explicit]
        [--out file]

    --filter-(s)ubtree [file]
        Specifies if the request will contain a subtree filter (RFC
        6241 section 6). The file is expected to contain the filter
        specification. If it is not specified, it is read from standard
        input.

    --filter-(x)path XPath
        Specifies if the request will contain an XPath filter. XPath
        is the expression used for filtering.

    --(d)efaults report-all|report-all-tagged|trim|explicit
        Use :with-defaults capability with the specified retrieval
        mode. For more details see RFC 6243 section 3.

    --(o)ut file
        Print the result of the command into a file rather than to the
        standard output.

get-config
    Perform NETCONF <get-config> operation. Retrieves only configuration
    data from the specified source. For more details see RFC 6241 section
    7.1.

    get-config [--help] --source running|startup|candidate
        [--filter-subtree [file] | --filter-xpath XPath]
        [--defaults report-all|report-all-tagged|trim|explicit]
        [--out file]

    --(s)ource running|startup|candidate
        Specifies the source of the <get-config> operation.

    --filter-(s)ubtree [file]
        Specifies if the request will contain a subtree filter (RFC
        6241 section 6). The file is expected to contain the filter
        specification. If it is not specified, it is read from standard
        input.

    --filter-(x)path XPath
        Specifies if the request will contain an XPath filter. XPath
        is the expression used for filtering.

    --(d)efaults report-all|report-all-tagged|trim|explicit
        Use :with-defaults capability with the specified retrieval
        mode. For more details see RFC 6243 section 3.

    --(o)ut file
        Print the result of the command into a file rather than to the
        standard output.

get-schema
    Perform NETCONF <get-schema> operation that retrieves the specified
    data model used by the server. This operation is available only if
    the server implements the YANG Module for NETCONF Monitoring. The
    list of available schemas can be retrieved from the
    /netconf-state/schemas subtree via the <get> operation. For more
    details see RFC 6022 sections 3.1 and 4.

    get-schema [--help] --model identifier [--version version]
        [--format format] [--out file]

    --(m)odel identifier
        Identifier for the schema list entry.

    --(v)ersion version
        Version of the requested schema.

    --(f)ormat format
        The data modeling language (format) of the requested schema.
        Default value is yang.

    --(o)ut file
        Print the result of the command into a file rather than to the
        standard output.

kill-session
    Perform NETCONF <kill-session> operation to terminate the specified
    NETCONF session. To terminate the current session, use the disconnect
    command. For more details see RFC 6241 section 7.9.

    kill-session [--help] --sid session-ID

    --(s)id session-ID
        Session identifier of the NETCONF session to be terminated.

lock
    Perform the NETCONF <lock> operation to lock the entire configuration
    datastore of a server. For more details see RFC 6241 section 7.5.

    lock [--help] --target running|startup|candidate

    --(t)arget running|startup|candidate
        Target datastore to lock.

unlock
    Perform the NETCONF <unlock> operation to release a configuration
    lock previously obtained with the <lock> operation. For more details
    see RFC 6241 section 7.6.

    unlock [--help] --target running|startup|candidate

    --(t)arget running|startup|candidate
        Target datastore to unlock.

validate
    Perform the NETCONF <validate> operation to validate configuration
    data. For more details see RFC 6241 section 8.6.4.1.

    validate [--help] (--source running|startup|candidate|url:url |
        --src-config [file])

    --(s)ource running|startup|candidate|url:url
        Specifies the source of the <validate> operation. Either a
        datastore or a specific URL can be specified.

    --src-(c)onfig [file]
        Specifies the source of the <validate> operation. If a file
        with the configuration is not specified, the configuration is
        read from the standard input.

subscribe
    Perform NETCONF Event Notifications <create-subscription> operation.
    For more details see RFC 5277 section 2.1.1.

    subscribe [--help] [--filter-subtree [file] | --filter-xpath XPath]
        [--begin time] [--end time] [--stream stream] [--out file]

    --filter-(s)ubtree [file]
        Specifies if the request will contain a subtree filter (RFC
        6241 section 6). The file is expected to contain the filter
        specification. If it is not specified, it is read from standard
        input.

    --filter-(x)path XPath
        Specifies if the request will contain an XPath filter. XPath
        is the expression used for filtering.

    --(b)egin time
        Start to replay event notifications from the past (a future
        time is not valid). If the start time is not specified, the
        replay feature is not activated and only new event
        notifications are received. The format of the time parameter is
        described below.

    --(e)nd time
        Specifies when the event replay stops. The format of the time
        parameter is as follows:

        +time   Current time plus the given number of seconds.

        time    Absolute time as number of seconds since 1970-01-01.

        -time   Current time minus the given number of seconds.

    --s(t)ream stream
        Specifies which event stream is of interest. If not specified,
        the default NETCONF stream is received. The list of available
        streams can be retrieved from the /netconf/streams subtree via
        the <get> operation.

    --(o)ut file
        Print the received notifications into a file rather than to the
        standard output.

cert
    Manage client and trusted Certificate Authority certificates that are
    used for TLS verification, stored in ~/.netopeer2-cli/client.* and
    ~/.netopeer2-cli/certs respectively.

    This command is available with TLS support.

    cert [--help] [display] [add cert_path] [remove cert_name]
        [displayown]
        [replaceown (cert_path.pem | cert_path.crt key_path.key)]

    display
        Displays all the recognized certificates in
        ~/.netopeer2-cli/certs. First the file name and serial number,
        then subject, issuer and validity are shown for each
        certificate.

    add cert_path
        Adds the cert_path certificate to the trusted CA dir
        ~/.netopeer2-cli/certs and recalculates hashes of all the
        certificates.

    remove cert_name
        Removes the cert_name certificate from the trusted CA dir
        ~/.netopeer2-cli/certs and recalculates hashes of all the
        certificates. cert_name is the certificate file name, as
        displayed in the cert display command output.

    displayown
        Shows information about the status of the default client
        certificates and displays information about any relevant client
        certificates found (~/.netopeer2-cli/client.crt and
        ~/.netopeer2-cli/client.pem).

    replaceown cert_path [key_path]
        Replaces the default client certificates with the PEM
        certificate in cert_path or the CRT certificate cert_path and
        private key key_path. All previous client certificates are
        deleted.

crl
    Manage Certificate Revocation List certificates that are stored in the
    ~/.netopeer2-cli/crl directory.

    This command is available only with TLS support.

    crl [--help] [display] [add crl_path] [remove crl_name]

    display
        Displays all the recognized CRLs in ~/.netopeer2-cli/crl. First
        the file name, then issuer, last and next update dates are
        shown for each CRL, followed by the serial numbers and
        revocation dates of all the revoked certificates.

    add crl_path
        Adds the crl_path CRL to the ~/.netopeer2-cli/crl dir and
        recalculates hashes of all the CRLs.

    remove crl_name
        Removes the crl_name CRL from the ~/.netopeer2-cli/crl dir and
        recalculates hashes of all the CRLs. crl_name is the CRL file
        name, as displayed in the crl display command output.

auth
    Manage SSH authentication options - authentication preferences and
    private keys.

    This command is available with SSH support.

    auth (--help | pref [(publickey | interactive | password) preference] |
        keys [add private_key_path] [remove key_index])

    pref
        Print the current authentication method preferences or change a
        specific method preference.

    preference
        The new preference of the authentication method. Negative
        values disable the authentication method.

    keys
        Manage keys used for authentication.

    path_to_the_key
        If specified, add or remove the keys. If not, show the current
        keys.

editor
    Manage the external editor used for modifying raw input data.

    editor [--help] [path/name_of_the_editor]

    path/name_of_the_editor
        The full path or just the name of the editor to be used.

status
    Print information about the current NETCONF session.

user-rpc
    Send your own content in an RPC envelope.

    user-rpc [--help] [--content file] [--out file]

    --(c)ontent file
        Specifies a file containing a NETCONF RPC operation in XML
        format. Only the NETCONF <rpc> envelope is added to the file
        content and then it is sent to a server. If the file is
        omitted, the RPC content is read from the standard input.

    --(o)ut file
        Print the command result into a file rather than to the
        standard output.

searchpath
    Set the directory that is searched for modules. Modules are always
    needed in order to work with the same data as a NETCONF server. They
    are searched locally (in this directory) only if the server does not
    support the <get-schema> NETCONF operation. If it does, all the
    modules (except ietf-netconf-monitoring, which includes the
    definition of the <get-schema> RPC itself) are downloaded from the
    server.

    searchpath model-dir-path

outputformat
    Set the format for all the output data. XML is the default.

    outputformat (xml | xml_noformat | json)

version
    Print the CLI version.

verb
    Set CLI verbosity. Only errors are printed by default.

    verb (error/0 | warning/1 | verbose/2 | debug/3)

quit
    Quit the program.

~/.netopeer2-cli/config.xml
    Per user configuration for NETCONF <hello> message (see RFC 6241
    for further details).

~/.netopeer2-cli/history
    Per user history of executed commands.

~/.netopeer2-cli/client.pem
    Per user certificate with its private key that is sent to the
    server for verification. If present together with client.crt and
    client.key it is not utilized. Only with TLS support.

~/.netopeer2-cli/client.crt
    Per user certificate that is sent to the server for verification.
    Needs a corresponding private key to be utilized. Only with TLS
    support.

~/.netopeer2-cli/client.key
    Per user private key for the user certificate. Needs a
    corresponding certificate to be utilized. Only with TLS support.

~/.netopeer2-cli/certs
    Per user trusted Certificate Authority directory that is searched
    when verifying a server certificate. Only with TLS support.

~/.netopeer2-cli/crl
    Per user Certificate Revocation List directory that is searched
    when verifying a server certificate. Only with TLS support.

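The client identity precedence and the trust directories in the file list above can be checked mechanically. The script below is an added example, not part of netopeer2-cli or its documentation: the function names are hypothetical, GNU stat is assumed, and treating any group or other access to key files (or write access to certs and crl) as a finding is this example's own policy.

```shell
#!/bin/sh
# Added example (not netopeer2-cli code): audit a per-user directory laid
# out as in the file list above. Hypothetical helper names; assumes GNU stat.

# Print which client identity the listed rules select.
active_identity() {
    dir=$1
    if [ -f "$dir/client.crt" ] && [ -f "$dir/client.key" ]; then
        echo "crt+key"   # client.pem, if also present, is not utilized
    elif [ -f "$dir/client.pem" ]; then
        echo "pem"
    else
        echo "none"      # a lone client.crt or client.key cannot be utilized
    fi
}

# Print private-key files that grant any access to group or others.
exposed_key_files() {
    dir=$1
    for name in client.pem client.key; do
        f=$dir/$name
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        [ $(( 0$mode & 077 )) -eq 0 ] || echo "$f"
    done
}

# Print trust directories (CA store, CRL store) writable by group or others;
# whoever can write there can change which servers are accepted.
writable_trust_dirs() {
    dir=$1
    for name in certs crl; do
        d=$dir/$name
        [ -d "$d" ] || continue
        mode=$(stat -c '%a' "$d")
        [ $(( 0$mode & 022 )) -eq 0 ] || echo "$d"
    done
}

# Report findings; return 0 only when there are none.
audit_cli_dir() {
    dir=$1
    echo "client identity in use: $(active_identity "$dir")"
    keys=$(exposed_key_files "$dir")
    dirs=$(writable_trust_dirs "$dir")
    [ -z "$keys" ] || echo "$keys" | sed 's/^/private key open to group or others: /'
    [ -z "$dirs" ] || echo "$dirs" | sed 's/^/trust directory writable by group or others: /'
    [ -z "$keys$dirs" ]
}

# Run against a directory only when one is given on the command line.
if [ $# -gt 0 ]; then audit_cli_dir "$1"; fi
```

Invoked as `sh audit.sh ~/.netopeer2-cli` (the script file name is arbitrary), it exits non-zero when a finding is reported.
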
RFC 5277 (Event Notifications)
RFC 6241 (NETCONF v1.1)
RFC 6242 (NETCONF over SSH)
RFC 6243 (With-defaults capability)
RFC 6536 (NETCONF Access Control)
http://tools.ietf.org/html/draft-ietf-netconf-rfc5539bis-05 (NETCONF over TLS)
http://tools.ietf.org/html/draft-ietf-netconf-reverse-ssh-05 (Call Home)
https://github.com/CESNET/netopeer2 (Netopeer homepage)

Michal Vasko <mvasko@cesnet.cz>
Radek Krejci <rkrejci@cesnet.cz>

Copyright © 2012-2021 CESNET, a.l.e.
Copyright © 2018-2021 Deutsche Telekom AG.

Netopeer                        2021-11-10                    netopeer2-cli(1)