The top-level element.

ConfD listens by default on 127.0.0.1:4565 for incoming TCP connections from CDB, MAAPI, the CLI, the external database API, as well as commands from the confd script (such as "confd --reload").

This value and port (below) can be changed. If they are changed all clients using MAAPI, CDB et.c. must be re-compiled to handle this. See the ConfD IPC section in the Advanced Topics chapter in the User Guide on how to do this.

Note that there are severe security implications involved if ConfD is instructed to bind(2) to anything but localhost. Read more about this in the ConfD IPC section in the Advanced Topics chapter in the User Guide. Use the IP 0.0.0.0 if you want ConfD to to listen(2) on all IPv4 addresses.

The port number where ConfD listens for incoming connections from CDB, the CLI and the external database API.

A list of additional IPs to which we wish to bind the ConfD IPC listener. This is useful if we don't want to use the wildcard 0.0.0.0 address in order to never expose the ConfD IPC to certain interfaces.

Enables a user-provided IPC mechanism. ConfD can be set up to use a different protocol than TCP for the IPC connections, see the ConfD IPC section in the Advanced Topics chapter in the User Guide for the details.

The address where ConfD should listen for incoming connections from CDB, MAAPI, etc, when the user-provided IPC mechanism is enabled. See the ConfD IPC section in the Advanced Topics chapter in the User Guide for further details.

The maximum length to which the queue of pending connections for the IPC sockets may grow (see the OS manual page for listen(2)). If a very large number of applications connect to ConfD more or less simultaneously at startup, this value may need to be raised to avoid connection failures.

Enables access check for incoming connections to the IPC listener sockets. The access check requires that connecting clients prove possession of a shared secret. See the section Restricting access to the IPC port in the Advanced Topics chapter in the User Guide for the details.

The full path to a file containing the shared secret for the IPC access check. The file should be protected via OS file permissions, such that it can only be read by the ConfD daemon and client processes that are allowed to connect to the IPC listener sockets. See the section Restricting access to the IPC port in the Advanced Topics chapter in the User Guide for further details.

Controls whether ConfD should find run-time modifiable configuration parameters in the configuration file (config-file setting) or whether ConfD should them from a namespace with the data stored in CDB. See further the Advanced Topics chapter in the Users Guide as well as the confdconf/dyncfg example in the example collection.

enabled is either "true" or "false". By default (false) Confd will refuse to start if any of its nortbound agents fails to bind their respective ports. When enabled, this parameter forces Confd to ignore that fatal error situation and instead it just issues a warning and disables the failing agent. The agent may be enabled by dynamically re-configuring the failing agent to use another port and restart Confd.

is either "true" or "false". If "true", then a C program will be started that loads the schema into shared memory, which then can be accessed by the C and Python APIs.

the executable that setup the shared memory holding the schema. Note that if the default value is changed, it must be specified as an absolute path (i.e containing the root directory and all other subdirectories leading to the executable).

The loadPath element contains any number of dir elements. Each dir element points to a directory path on disk which is searched for compiled YANG files (.fxs files), and compiled clispec files (.ccl file) during daemon startup.

This is where ConfD writes persistent state data. Currently the only state files are 'running.invalid' which exists only if the running database status is invalid, which it will be if one of the database implementation fails during the two-phase commit protocol, and 'global.data' which is used to store some data that needs to be retained across reboots.

Commit timeout in the ConfD backplane. This timeout controls for how long the commit operation will attempt to complete the operation when some other entity is locking the database, e.g. some other commit is in progress or some managed object is locking the database.

Controls how many validation errors are collected and presented to the user at a time when the user performs a validate or commit operation. Note that syntactical errors are detected and reported when the data is entered, and thus not covered by this parameter.

Hide groups that can be unhidden must be listed here. Multiple hideGroup entries are allowed in the confd.conf file.

If a hide groups does not have a hideGroup entry, then it cannot be unhidden using the CLI 'unhide' command. However, it is possible to add a hideGroup entry to the confd.conf file and then use confd --reload to make it available in the CLI. This may be useful to enable for example a diagnostics hide groups that you do not event want accessible using a password.

Name of hide group. This name should correspond to a hide group name in some data model.

A password can optionally be specified for a hide group. If no password or callback is given then the hide group can be unhidden without giving a password.

If a password is specified then the hide group cannot be enabled unless the password is entered.

To completely disable a hide group, ie make it impossible to unhide it, remove the entire hideGroup container for that hide group.

A callback can optionally be specified for a hide group. If no callback or password is given then the hide group can be unhidden without giving a password.

If a callback is specified then the hide group cannot be enabled unless a password is entered and the callback successfully verifies the password. Using a callback it is possible to have short lived unhide passwords and per-user unhide passwords.

The callback must be registered as a command() callback with confd_register_action_cbs(), see confd_lib_dp(3). The path argument to the callback is always "hidegroup", while argv[0] is the name of the hide group, argv[1] is the name of the user issuing the unhide command, and argv[2] is the given password. The callback should return CONFD_OK to allow the unhiding, otherwise CONFD_ERR.

enabled is either "true" or "false". If "false", CDB is disabled.

If persistent is set to false CDB will operate in RAM-only mode. This is only applicable for permanent slave nodes, i.e. slaves that are unable to become master, in a HA cluster.

Controls the way the CDB configuration store does its journal compaction. Never set to anything but the default 'automatic' unless there is an external mechanism which controls the compaction using the cdb_initiate_journal_compaction() API call.

dbDir is the directory on disk which CDB use for its storage and any temporary files being used. It is also the directory where CDB searches for initialization files.

The initPath can contain any number of <dir> items, which should be directories. When CDB first starts it will first look in these directories for initialization files. The directories will be searched in the order they are listed, lastly the dbDir is searched.

clientTimeout specifies how long CDB should wait while a client performs a certain action, before considering that client unresponsive. When set to infinity, CDB will never timeout waiting for a response from a client. A client which doesn't respond will have its socket closed. The timeout is applied to clients in the following situations:

By setting subscriptionReplay/enabled to true it is possible to use the cdb_replay_subscriptions() to “replay” the previously committed transaction to CDB subscribers. This means that CDB subscribers that miss one subscription notification can have it triggered again. CDB will save the previous transaction in a separate file in the dbDir.

When CDB replication is enabled (which it is when high-availability mode is enabled, see /confdConfig/ha) the CDB configuration stores can be replicated either asynchronously or synchronously. With asynchronous replication, a transaction updating the configuration is allowed to complete as soon as the updates have been sent to the connected slaves. With the default synchronous replication, the transaction is suspended until the updates have been completely propagated to the slaves, and the subscribers on the slaves (if any) have acknowledged their subscription notifications (see confd_lib_cdb(3)).

Operational data can either be implemented by external callbacks, or stored in CDB (or a combination of both). The operational datastore is used when data is to be stored in CDB.

Whether to enable storage of operational data in CDB.

By default CDB operational uses the same directory for its storage. Use this setting to make CDB operational use a separate directory.

By default the decision on how operational data in CDB is stored (persistent or volatile) is decided for each element in the YANG data model, via the tailf:persistent substatement to tailf:cdb-oper, see tailf_yang_extensions(5) It is possible to override this by using this setting in confd.conf. If "never", CDB will only keep the operational datastore in RAM. And if set to "always" all CDB stored operational data will be persistently backed to a file.

When CDB replication is enabled (which it is when high-availability mode is enabled, see /confdConfig/ha) the CDB operational store can optionally be replicated too. When set to "persistent", only persistent operational data is replicated. When set to "never", CDB operational is never replicated. Using "always" means that both persistent and non-persistent data is replicated. Note however that non-persistent data is only replicated to connected slaves at the time of writing. I.e. when a new slave connects to the master, only the persistent data is synchronized from the master, even if "always" is used.

When CDB replication is enabled (which it is when high-availability mode is enabled, see /confdConfig/ha) the replication of the CDB operational store (according to /confdConfig/cdb/operational/replication) can be done either asynchronously or synchronously. With the default asynchronous replication, an API call writing operational data will return as soon as the updates have been sent to the connected slaves. With synchronous replication, the API call will block until the updates have been completely propagated to the slaves.

Enables the high-availability mode.

Defines which IP address ConfD should use for incoming requests from other HA nodes.

Defines which port number confd should use for incoming requests from other HA nodes.

Enables a user-provided IPC mechanism for the communication between HA nodes. See the ConfD IPC section in the Advanced Topics chapter in the User Guide for further details.

The address ConfD should use for incoming requests from other HA nodes when the user-provided IPC mechanism is enabled. See the ConfD IPC section in the Advanced Topics chapter in the User Guide for further details.

Defines the timeout between keepalive ticks sent between HA nodes. The special value "PT0" means that no keepalive ticks will ever be sent.

encryptedStrings defines keys used to encrypt strings adhering to the types tailf:des3-cbc-encrypted-string and tailf:aes-cfb-128-encrypted-string as defined in the tailf-common YANG module, see the confd_types(3) manual page.

In the DES3CBC case three 64 bits (8 bytes) keys and a random initial vector are used to encrypt the string. The initVector element is only used when upgrading from versions before ConfD-6.2, but it is kept for backward compatibility reasons.

In the AESCFB128 case one 128 bits (16 bytes) key and a random initial vector are used to encrypt the string. The initVector element is only used when upgrading from versions before ConfD-6.2, but it is kept for backward compatibility reasons.

cryptHash specifies how cleartext values should be hashed for leafs of the types ianach:crypt-hash, tailf:sha-256-digest-string, and tailf:sha-512-digest-string - see the confd_types(3) manual page.

algorithm can be set to one of the values 'md5', 'sha-256', or 'sha-512', to choose the corresponding hash algorithm for hashing of cleartext values for the ianach:crypt-hash type.

For the 'sha-256' and 'sha-512' algorithms for the ianach:crypt-hash type, and for the tailf:sha-256-digest-string and tailf:sha-512-digest-string types, 'rounds' specifies how many times the hashing loop should be executed. If a value other than the default 5000 is specified, the hashed format will have 'rounds=N$', where N is the specified value, prepended to the salt. This parameter is ignored for the 'md5' algorithm for ianach:crypt-hash.

This section defines settings which affect the logging done by ConfD.

Shared settings for how to log to syslog. Logs (see below) can be configured to log to file and/or syslog. If a log is configured to log to syslog, the settings under /confdConfig/logs/syslogConfig are used used.

version is either "bsd" (traditional syslog) or "1" (new IETF syslog format: RFC 5424). "1" implies that /confdConfig/logs/syslogConfig/udp/enabled must be set to true.

facility is either "daemon", "authpriv", "local0", ..., "local7" or an unsigned integer. This facility setting is the default facility and applies if no explicit facility is set for a log. It's also possible to set individual facilities in the different logs below. Furthermore with the syslogServers container described below it is possible to set default facility on a per server basis. If facility is explicitly set for a log type, that item is used.

Is a container for UDP syslog. This container can only contain the configuration for a single UDP syslog server. If we need more than one syslog server we must use the /confdConfig/logs/syslogConfig/syslogServers container instead. If the udp container is used, the syslogServers container is ignored.

enabled is either "true" or "false". If "false", messages will be sent to the local syslog daemon.

host is either a domain name or an IPv4/IPv6 network address. UDP syslog messages are sent to this host.

port is a valid port number to be used in combination with /confdConfig/logs/syslogConfig/udp/host.

We can have an arbitrary long list of syslog servers defined. As mentioned above, the use of the syslogServers container is an complementary alternative to the udp container.

host is either a domain name or an IPv4/IPv6 network address. UDP syslog messages are sent to this host.

port is a valid port number to be used in combination with this syslog server

Version of syslog messages for this syslog server.

Facility of syslog messages for this syslog server.

Is this syslog server enabled.

confdLog is ConfD's daemon log. Check this log for startup problems of the ConfD daemon itself. This log is not rotated, i.e. use logrotate(8).

enabled is either "true" or "false". If "true", the log is enabled.

enabled is either "true" or "false". If "true", file logging is enabled.

name is the full path to the actual log file.

enabled is either "true" or "false". If "true", syslog messages are sent.

facility is either "daemon", "authpriv", "local0", ..., "local7" or an unsigned integer. This optional value overrides the /confdConfig/logs/syslogConfig/facility for this particular log

developerLog is a debug log for troubleshooting user-written C code, AAA rules etc. Enable and check this log for problems with validation code etc. This log is enabled by default. In all other regards it can be configured as confdLog. This log is not rotated, i.e. use logrotate(8).

Controls which level of developer messages are printed in the developer log.

auditLog is an audit log recording successful and failed logins to the ConfD backplane. This log is enabled by default. In all other regards it can be configured as /confdConfig/logs/confdLog. This log is not rotated, i.e. use logrotate(8).

Controls whether the audit log should include messages about the resulting configuration changes for each commit to the running data store. If set to "true", the audit log will include entries of the form:

commit thandle <N> begin [confirmed [extended]]
commit thandle <N> comment <comment>
commit thandle <N> label <label>
commit thandle <N> <path> created
commit thandle <N> <path> deleted
commit thandle <N> <path> moved first
commit thandle <N> <path> moved after {<keys>}
commit thandle <N> <path> set to "<value>"
commit thandle <N> <path> default set (<value>)
commit thandle <N> <path> attribute "<name>" set to "<value>"
commit thandle <N> <path> attribute "<name>" deleted
commit thandle <N> end
commit confirmed completed
commit confirmed canceled

The "commit thandle <N> begin" entry indicates the start of a commit for the transaction with handle N. This is followed by a "commit thandle <N> comment <comment>" entry and/or a "commit thandle <N> label <label>" entry if a commit comment and/or label was given, then a number of "commit thandle <N> <path> ..." entries detailing the changes, and finally a "commit thandle <N> end" entry. If "begin" is followed by "confirmed", it means that the changes are part of a confirmed commit that will not be permanent until a "commit confirmed completed" entry is logged - if "commit confirmed canceled" is logged instead, the changes have been reverted. If "begin confirmed" is followed by "extended", it means that the changes are part of a confirmed commit that extends a confirmed commit that is already in progress.

snmpLog is a log for tracing SNMP requests and responses. This log is disabled by default. In all other regards it can be configured as /confdConfig/logs/confdLog. This log is not rotated, i.e. use logrotate(8).

Controls which level of SNMP pdus are printed in the SNMP log. The value "error" means that only PDUs with error-status not equal to "noError" are printed.

netconfLog is a log for troubleshooting NETCONF operations, such as checking why e.g. a filter operation didn't return the data requested. This log is enabled by default. In all other regards it can be configured as /confdConfig/logs/confdLog. This log is not rotated, i.e. use logrotate(8).

netconfTraceLog is a log for understanding and troubleshooting NETCONF protocol interactions. When this log is enabled, all NETCONF traffic to and from ConfD is stored to a file. By default, all XML is pretty-printed. This will slow down the NETCONF server, so be careful when enabling this log. This log is not rotated, i.e. use logrotate(8).

enabled is either "true" or "false". If "true", all NETCONF traffic is logged.

The name of the file where the NETCONF traffic trace log is written.

The value 'pretty' means that the XML data is pretty-printed. The value 'raw' means that it is not.

xpathTraceLog is a log for understanding and troubleshooting XPath evaluations. When this log is enabled, the execution of all XPath queries evaluated by ConfD is logged to a file.

This will slow down ConfD, so be careful when enabling this log. This log is not rotated, i.e. use logrotate(8).

enabled is either "true" or "false". If "true", all XPath execution is logged.

The name of the file where the XPath trace log is written.

webuiAccessLog is an access log for the embedded ConfD Web server. This file adheres to the Common Log Format, as defined by Apache and others. This log is not enabled by default and is not rotated, i.e. use logrotate(8).

enabled is either "true" or "false". If "true", the access log is used.

The path to the directory whereas the access log should be written to.

Is either "true" or "false". If "true", all HTTP(S) traffic towards the embedded Web server is logged in a log file named "traffic.trace". Beware: Do not use this log in a production setting. This log is not enabled by default and is not rotated, i.e. use logrotate(8).

webuiBrowserLog makes it possible to log Javascript errors/exceptions in a log file on the target device instead of just in the browser's error console. This log is not enabled by default and is not rotated, i.e. use logrotate(8).

enabled is either "true" or "false". If "true", the browser log is used.

The path to the filename whereas browser log entries should be written to.

errorLog is an error log used for internal logging from the ConfD daemon. It is used for troubleshooting the ConfD daemon itself, and should normally be disabled. This log is rotated by the ConfD daemon (see below).

enabled is either "true" or "false". If "true", error logging is performed.

filename is the full path to the actual log file. This parameter must be set if the errorLog is enabled.

maxSize is the maximum size of an individual log file before it is rotated. Log filenames are reused when five logs have been exhausted.

datastores defines which datastores the ConfD daemon should be setup to handle.

ConfD may keep separate running and startup configuration databases. When the system reboots for whatever reason, the running config database is lost, and the startup is read.

enabled is either "true" or "false". If "true", a startup database is managed. Enable this only if our system uses a separate startup and running database.

ConfD may keep a shared, named alternative configuration database which can be modified without impacting the running configuration. Changes in the candidate can be commit to running, or discarded.

enabled is either "true" or "false". If "true", a candidate database is managed. Enable this if we want our users to use this feature from NETCONF, CLI or Webui, or other agents.

implementation is either "confd" or "external". By default, ConfD implements the candidate configuration without impacting the application. But if our system already implements the candidate itself, set "implementation" to "external". This implies that the "external" candidate implementation must implement 5 C function callbacks for candidate manipulation. (See confd_lib_dp(3) and the example "misc/extern_candidate".

storage is either "disk", "ram", or "auto".

filename is the name of the file where the candidate will be stored, if implementation is "confd" and "storage" is "disk" or "auto".

By default, the running configuration is writable. This means that the application must be prepared to handle dynamic changes to the configuration.

access is either "read-write" or "writable-through-candidate". If "writable-through-candidate", the candidate datastore must be enabled.

NOTE: The default value of read-write here is somewhat unfortunate. If the candidate is enabled it is better to set the value writable-through-candidate. When a NETCONF manager reconfigures a node that has the candidate and also read-write running, the manager can never know that running is up to date with the candidate and must thus always (logically) copy running to the candidate prior to modifying the candidate.

It is possible to add scripts to control various things in ConfD, such as post-commit callbacks. New CLI commands can also be added. The scripts must be stored under /confdConfig/scripts/dir where there is a sub-directory for each script category. For some script categories it suffices to just add a script in the correct the sub-directory in order to enable the script. For others some configuration needs to be done.

The directory path to the location of plug-and-play scripts. The scripts directory must have the following sub-directories:

scripts/command/
        policy/
        post-commit/

defaultHandlingModeType is either "explicit", "trim", or "report-all". This parameter controls how default values for leafs are handled in the northbound interfaces.

If the data store has the capability to handle default values, which for example CDB has, it will work with all values for this parameter. In this case, default values are never actaully stored in the data store. The value of this parameter should be chosen to give the end-user the best experience.

If the data store does not have the capability to handle default values, this parameter should be set to 'report-all'.

This parameter controls how ConfD lists newly created, not yet committed list entries. If this value is set to 'false', ConfD will list all new entries before listing existing data. This was the only behavior in pre 2.5 versions of ConfD.

If this value is set to 'true', ConfD will merge new and existing entries, and provide one sorted view of the data. This behavior works well when CDB is used to store configuration data, but if an external data provider is used, ConfD does not know the sort order, and can thus not merge the new entries correctly. If an external data provider is used for configuration data, and the sort order differs from CDB's sort order, this parameter should be set to 'false'.

This parameter controls if ConfD's attribute feature should be enabled or not. Currently there are three attributes, annotation, tags, and inactive. These are available in northbound interfaces (e.g. the annotate command in the CLI, and annotation XML attribute in NETCONF), but in order to be useful they need support from the underlying configuration data provider. CDB supports attributes, but if an external data provider is used for configuration data, and it does not support the attribute callbacks, this parameter should be set to 'false'.

This parameter controls if ConfD's inactive feature should be enabled or not. This feature also requires enableAttributes to be enabled.

Parameters for limiting concurrent access to ConfD.

Puts a limit to the total number of concurrent sessions to ConfD.

Parameters for limiting concurrent access for a specific context to ConfD. There can be multiple instances of this container element, each one specifying parameters for a specific context.

The context is either one of cli, netconf, webui, snmp, rest, or it can be any other context string defined through the use of MAAPI. As an example, if we use MAAPI to implement a CORBA interface to ConfD, our MAAPI program could send the string "corba" as context.

Puts a limit to the total number of concurrent sessions to ConfD for the corresponding context.

Puts a limit to the total number of concurrent configuration sessions to ConfD.

Parameters for limiting concurrent read-write transactions for a specific context to ConfD. There can be multiple instances of this container element, each one specifying parameters for a specific context.

The context is either one of cli, netconf, webui, snmp, rest, or it can be any other context string defined through the use of MAAPI. As an example, if we use MAAPI to implement a CORBA interface to ConfD, our MAAPI program could send the string "corba" as context.

Puts a limit to the total number of concurrent configuration sessions to ConfD for the corresponding context.

C-API parameters.

Timeout for a daemon to respond to a control socket request, see confd_lib_dp(3). If the daemon fails to respond within the given time, it will be disconnected.

Timeout for a daemon to respond to a worker socket query, see confd_lib_dp(3). If the daemon fails to respond within the given time, it will be disconnected.

Timeout for a daemon to send initial message after connecting the socket to the confd server. If the daemon fails to initiate the connection within the given time, it will be disconnected.

Timeout for the cache used by the get_object() and get_next_object() callback requests, see confd_lib_dp(3). ConfD caches the result of these calls and serves get_elem requests from northbound agents from the cache.

Timeout for the reply from an event notification subscriber for a notification that requires a reply, see confd_lib_events(3). If the subscriber fails to reply within the given time, the notification socket will be closed.

Settings controlling if and where rollback files are created. A rollback file contains a copy of the system configuration. The current running configuration is always stored in rollback0, the previous version in rollback1 etc. The oldest saved configuration has the highest suffix.

If "true", then a rollback file will be created whenever the running configuration is modified. If /confdConfig/ha/enabled is set to true then rollback files are replicated from master to slaves. The rollback feature must be enabled on all HA nodes (although is possible to have a slave with rollbacks disabled, that slave will then not replicate the rollback files).

Location where rollback files will be created.

Number of old configurations to save.

Type of rollback file to use. If "full" is specified, then a full configuration dump is stored in each rollback file. Rollback file 0 will always contain the running configuration.

If "delta" is used, then only the changes are stored in the rollback file. Rollback file 0 will contain the changes from the last configuration.

Using deltas is more space and time efficient for large configurations. Full rollback files are more robust when multiple external databases are used. If the external databases becomes inconsistent a previous configuration can always be restored using a full rollback file.

rollbackNumbering is either "fixed" or "rolling". If set to "rolling" then rollback file "0" will always contain the last commit. When using "fixed" each rollback will get a unique increasing number.

This section defines settings which affect the behavior of the builtin SSH implementation.

The maximum time that an authenticated connection to the SSH server is allowed to exist without open channels. If the timeout is reached, the SSH server closes the connection. Default is PT10M, i.e. 10 minutes. If the value is 0, there is no timeout.

This section defines custom lists of algorithms to be usable with the built-in SSH implementation.

For each type of algorithm, an empty value means that all supported algorithms should be usable, and a non-empty value (a comma-separated list of algorithm names) means that the intersection of the supported algorithms and the configured algorithms should be usable.

The supported serverHostKey algorithms (if implemented in libcrypto) are "ssh-dss" and "ssh-rsa", but for any SSH server, it is limited to those algorithms for which there is a host key installed in the directory given by /confdConfig/aaa/sshServerKeyDir.

To limit the usable serverHostKey algorithms to "ssh-dss", set this value to "ssh-dss" or avoid installing a key of any other type than ssh-dss in the sshServerKeyDir.

The supported key exchange algorithms (as long as their hash functions are implemented in libcrypto) are "diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1" and "diffie-hellman-group1-sha1".

To limit the usable key exchange algorithms to "diffie-hellman-group14-sha1" and "diffie-hellman-group-exchange-sha256" (in that order) set this value to "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256".

Range of allowed group size, the SSH server responds to the client during a "diffie-hellman-group-exchange". The range will be the intersection of what the client requests, if there is none the key exchange will be aborted.

Minimal size of p in bits.

Maximal size of p in bits.

The supported mac algorithms (if implemented in libcrypto) are "hmac-md5", "hmac-sha1", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1-96" and "hmac-md5-96".

The supported encryption algorithms (if implemented in libcrypto) are "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc", "aes256-cbc" and "3des-cbc".

If no data has been received from a connected client for this long, a request that requires a response from the client, will be sent over the SSH transport.

If no data has been received from the client, after this many consecutive clientAliveInterval has passed, the connection will be dropped.

CLI parameters.

enabled is either "true" or "false". If "true", the CLI server is started.

Control whether commit should be supported in the CLI or not. When set to false all commands will be automatically committed when the user press ENTER in the CLI.

transactionCtrlCmds is either "true" or "false". If "true", then the CLI will have commands for enabling and disabling transactions in configure mode, ie "enable transactions" and "disable transactions". If set to "false" no such commands will be present.

startupScriptNonInteractive is either "true" or "false". If set to "true" then a CLI startup script will be evaluated also for non-interactive sessions.

tableLabel is either "true" or "false". If "true" then tables displayed in C and I style CLI will have a relative location label to make it possible to know which table is displayed.

addExtraTableSpacing is either "true" or "false". If set to "true" then an additional newline will be added on each side of the table.

The tableLookAhead element tells confd how many rows to pre-fetch when displaying a table. The prefetched rows are used for calculating the required column widths for the table. If set to a small number it is recommended to explicitly configure the column widths in the clispec file.

moreBufferLines is used to limit the buffering done by the more process. It can be "unbounded" or a positive integer describing the maximum number of lines to buffer.

showTableLabelsIfMultiple is either "true" or "false". If set to "true" then table labels will only be displayed if multiple tables, or a table and additional data is displayed. If set to "false" then table labels are always shown if they exists and tableLabel is enabled.

editWrapMode is either "wrap", "newline" or "vt100". If "wrap" or "vt100" is used then cut-and-paste will work in xterms (and other terminal emulators) but the CLI may behave oddly if the screen width is manually configured to something other than the true screen width. If "vt100" is used then no >space<>backspace< is used to force line wrapping. This makes it easier for scripts that rely on command line echoing but the cursor will disappear at the end of the line temporarily.

supportQuoteEOL is either true or false. If set to true then a final backslash (\) on a line means that the next line will be concatenated with the previous line, similarly to a Linux Shell.

useShortEnabled is either "true" or "false". If set to "true" then the CLI will display "enabled" or "disabled" in place of "enabled true" and "enabled false".

smartRenameFiltering is either "true" or "false". If set to "true" then only paths that leads to existing instances will be presented when doing completion. This will lead to some extra calls to get_next() in order to determine if a path has instances or not. When set to "false" all paths with potentially instances are presented.

allowWildcard is either "true" or "false". If "true" then wildcard expressions are allowed in show commands.

allowAllAsWildcard is either "true" or "false". If "true" then "all" can be used in place of "*" as wildcard.

allowRangeExpression is either "true" or "false". If "true" then range expressions are allowed for all key values of type basic type integer. An alternative is to specify hasRange for each path in the clispec.

allowRangeExpressionAllTypes is either "true" or "false". If "true" then range expressions are allowed for all key values regardless of type. An alternative is to specify hasRange for each element in the yang files.

suppressRangeKeyword is either "true" or "false". If "true" then 'range' keyword is not allowed in C- and I-style for range expressions.

exitModeOnEmptyRange is either "true" or "false". If "true" and if standing in a range submode, the CLI will exit to the parent submode if all instances in the range has been deleted by the user.

useDoubleDotRanges is either "true" or "false". If "true" then range expressions are types as 1..3, if set to "false" then ranges are given as 1-3.

singleElemPattern is either "true" or "false". If "true" then filters/patterns to show commands can be used to specify that you want to see a specific leaf element of all lists. Only that leaf element will be shown for each list entry. This works for both tables and row based rendering. To get the old 2.7 behavior set this flag to "false".

multiPatternOperation is one of "any", and "all". When set to "any" a pattern is true if at least one match is found, if set to "all", all patterns needs to be found for the pattern expression to be considered true.

defaultTableBehavior is either "dynamic", "suppress", or "enforce". If set to "dynamic" then list nodes will be displayed as tables if the resulting table will fit on the screen. If set to suppress, then list nodes will not be displayed as tables unless a table has been specified by some other means (ie through a setting in the clispec-file or through a command line parameter), if set to "enforce" then list nodes will always be displayed as tables unless otherwise specified in the clispec-file or on the command line.

allowTableOverflow is either "true" or "false". If "true" then tables displayed in a Cisco style CLI will be allowed to overflow. If "false" a too wide table will be displayed as a "setting - value" list instead.

tableOverflowTruncate is either "true" or "false". If "true" then overflowing tables will be truncated instead of wrapped.

allowTableCellWrap is either "true" or "false". If "true" then tables displayed in a Cisco style CLI will be allowed to wrap if the initial cell-width estimate proves to be too narrow. If "false" a too wide table cell will overflow instead, pushing the rest of the line to the right.

compactTable is either "true" or "false". If "true" then tables with multiple dynamic levels will be displayed more compactly. The first instance of the sub-element will appear on the same row as the parent instance. When set to "false" all new instances will appear on a new row.

showKeyName is either "true" or "false". If "true" then the key name will be displayed in the completion list during completion.

promptEnumLimit controls how many enumerations should be included in the prompt when prompting the user for a value where there are a number of alternatives. If the number of alternatives exceeds the above configured limit then the list will be truncated and the string "..." will be added.

showAllNs is either "true" or "false". If "true" then all element names will be shown with their namespace prefix in the CLI. This is visible when displaying the running configuration and when modifying the configuration.

useExposeNsPrefix is either "true" or "false". If "true" then all nodes annotated with the tailf:cli-expose-ns-prefix will result in the namespace prefix being shown/required. If set to "false" then the tailf:cli-expose-ns-prefix annotation will be ignored.

sortSubmodeCmds is either "true" or "false". If set to "true" then local submode commands are listed before global commands when the user enters ? in a submode in C and I-style.

sortLocalCms is either "true" or "false". If set to "true" and sortSubmodeCmds are also set to true, then local submode commands are listed before global commands when the user enters ? in a submode in C and I-style, and the order of the commands is alphabetically ordered. If set to false then the order of the local submode commands are the same as in the data model.

allowOldStyleModeCmds is either "true" or "false". If set to "true" then CLI commands in I and C-style are interpreted as mode commands if the path coincide with a list in the data-model. The recommended way to mount commands in a submode is instead to use the "mount" attribute.

continueOnErrorCmdStack is either "true" or "false". If set to "true" then command stack execution will continue even if an earlier command in the stack failed with an error, ie show xx ; show zz will execute both 'show xx' and 'show zz' even if 'show xx' failed with an error. If set to "false" then command execution will be aborted as soon as a command fails.

completionShowOldVal is either "true" or "false". If set to "true" a leaf's old value will be displayed inside brackets during command line completion. If set to "false" it will not be shown.

completionMetaInfo is either "false", "alt1" or "alt2". This option only applies to the J-style CLI. If set to "alt1" then the alternatives shown for possible completions will be prefixed as follows: containers with >, lists with +, and leaf-lists +. For example:

Possible completions:
              ...
              > applications
              + apply-groups
              ...
              + dns-servers
              ...

If set to "alt2", then possible completions will be prefixed as follows: containers with >, lists with children with +>, and lists without children +. For example:

              Possible completions:
              ...
              > applications
              +>apply-groups
              ...
              + dns-servers
              ...

reportInvalidCompletionInput is either true or false. If set to 'true' the CLI will display an error message during completion when the user press '?' to indicate if an invalid token has been entered on the command line.

Banner shown to the user when the CLI is started. Default is empty.

Name of file whose contents are shown to the user when the CLI is started. If empty, the message, if any, set via /confdConfig/cli/banner is shown. Default is empty.

Maximum number of possible alternatives to present when doing completion.

If set to true then AAA rules will be applied when a rollback file is loaded. This means that rollback may not be possible if some other user have made changes that the current user does not have access privileges to.

Maximum number of rollback changes to allow through the CLI

rollbackNumbering is either "fixed" or "rolling". If set to "rolling" then rollback file "0" will always contain the last commit. When using "fixed" each rollback will get a unique increasing number.

rollbackNumberingInitial is the starting point of the rollback numbering when the "increasing" rollback numbering scheme is used.

Sets maximum configurable history size.

Maximum size of user message.

Use compact representation when showing the configuration in C and I style CLIs.

Use compact representation when showing the operational data in C and I style CLIs.

Default setting for prettifying, ie changing _ and - to space in element names when displaying config='false' data in key-value listings.

displayEmptyConfigContainers is either "true" or "false". If set to "true" then 'show status' in the J-style CLI will display empty lists that are "config true" even when there is no data to display. If set to "false" the those containers will not be shown.

If set to 'prompt' then the user will be prompted whether to discard uncommitted changes or not. If set to 'discard' then uncommitted changes will be discarded without prompting the user. If set to 'commit' then uncommitted changes will be automatically committed without asking the user.

If set to true the user will have to re-confirm non-echoing values in the CLI. Ie, when the CLI prompts the user for a value that is not echoed the user will be asked to enter it twice.

If set to true the value that the user entered will be unquoted, ie if the user enters \n it will be interpreted as a newline. This is the default behavior for all other leaf types. If set to false then no unquoting will be performed for hidden (non-echoing) data types when the CLI explicitly prompts for their values. Dequoting will still be performed for values entered directly on the command line.

If set to true the CLI will add the text <keyname:enumeration> whenever it is displaying a completion list for entering a key value that is an enumeration. For example:

io(config)# vqe dsp channel 1
Possible completions:
<b-id:enumeration>  10  11  12  13  14  5  6  9

If set to "true" then the CLI history will be saved between CLI sessions. The history is stored in the state directory.

If set to "true" then repeated commands in the CLI will only be stored once in the history. Each invocation of the command will only update the date of the last entry. If set to "false" duplicates will be stored in the history.

If set to "true" then the 'show history' command will display the unified command history, ie the command history from all modes. If set to "false" then only the command history from the current mode will be shown.

showDefaults is either "true" or "false". If "true" then default values will be shown when displaying the configuration. The default value is shown inside a comment on the same line as the value. Showing default values can also be enabled in the CLI per session using the operational mode command "set show defaults true".

reallocateOperTrans is either "true" or "false". If "true" then a new read transaction will be allocated for each oper-mode command. When set to "false" a single oper transaction will be used for the entire CLI session.

quickSshTeardown controls if CLI sessions initiated through an SSH sessions should be torn down directly when the socket is closed, or not. When set to 'true' the socket will be closed as soon as the CLI receives a tcp shutdown, if set to 'false' it will wait until all pending data has been written.

cAlignLeafValues is either "true" or "false". If "true" then the leaf values of all siblings in a container or list will be aligned.

jAlignLeafValues is either "true" or "false". If "true" then the leaf values of all siblings in a container or list will be aligned.

columnStats is either "true" or "false". If "false" then the container element is repeated on each line when displaying config="false" data in the C and I style CLIs using the "show" command. If set to "true" then the name of the container will not be repeated, instead all leaves will be indented.

allowAbbrevCmds is either "true" or "false". If "false" then commands are not allowed to be abbreviated in the CLI.

allowAbbrevCmdsOnLoad is either "true" or "false". If "false" then commands are not allowed to be abbreviated in the CLI in non interactive mode, ie when loading configurations from file.

strictRefsOnLoad is either "true" or "false". If "false" then keyref/leafref targets does not have to exist when loading a config from a file. If set to "true" then the target creation must appear earlier in the loaded file than the reference to the target. Note that there is a rather heavy performance penalty for loading files with many keyrefs when this is set to true, or for piping CLI commands into confd_cli.

allowAbbrevKeys is either "true" or "false". If "false" then key elements are not allowed to be abbreviated in the CLI. This is relevant in the J-style CLI when using the commands 'delete' and 'edit'. In the C/I-style CLIs when using the commands 'no', 'show configuration' and for commands to enter submodes.

allowAbbrevParamNames is either "true" or "false". If "false" then cli command parameter names, ie <name>xx</name>, cannot be abbreviated.

allowAbbrevEnums is either "true" or "false". If "false" then enums entered in the cli cannot be abbreviated.

allowCaseInsensitiveEnums is either "true" or "false". If "false" then enums entered in the cli must match in case, ie you cannot enter FALSE if the cli asks for 'true' or 'false'.

caseInsensitive is either "true" or "false". If "false" then all CLI commands must have the correct case. If set to "true" then case is mostly ignored. Note that if set to "true" then all data model files and clispec-files must be written with this in mind. You cannot have two elems that conflict in case.

caseInsensitiveKeys is either "true" or "false". If "false" then all user defined instance names must have correct case. If set to "true" then case is mostly ignored. Note that if set to "true" then all data model files and clispec-files must be written with this in mind. You cannot have two elems that conflict in case.

ignoreLeadingWhitespace is either "true" or "false". If "false" then the CLI will show completion help when the user enters TAB or SPACE as the first characters on a row. If set to "true" then leading SPACE and TAB are ignored. The user can enter '?' to get a list of possible alternatives. Setting the value to "true" makes it easier to paste scripts into the CLI.

indentTemplates is either "true" or "false". If set to "true" then the text resulting from a show template will be indented to the same level as the surrounding auto-rendered show text. If set to "false" then no automatic indentation will occur. The automatic variable ".indent" may be used in the templates to do manual indentation.

compListCompact is either "true" or "false". If "true" then the CLI will display items with an associated info text one per line, and all the rest in compact format.

completionListLine is either "true" or "false". If "true" then the CLI will display completion lists one item per line. If set to "false" one-line presentation will be used for items with info texts and compact for the rest. (if compListCompact above is set to true there may be a mix of the to formats in the same listing)

showMatchBeforePossible is either "true" or "false". If set to "true" then the match completions will be displayed before the other possible completions, if set to "false" then the match completions will be displayed after.

wrapInfo is either "true" or "false". If "false" then the CLI will not automatically wrap the info field in "Possible completion:" listings. If set to "true" then the info text will be word-wrapped and indented.

wrapPrompt is either "true" or "false". If "false" then the CLI will not automatically word wrap the prompt when prompting the user for some input. If set to "true" then the prompt will be word-wrapped according to the current terminal width.

sortShowElems is either "true" or "false". If "false" then the show commands will display the elements in the order they appear in the data model. If set to "true" then all non-lists will appear before the lists. This setting only applies to the C- and I-style CLIs.

possibleCompletionsFormat is the string displayed before the displaying the actual completion possibilities.

matchCompletionsFormat is the string displayed before the displaying the actual match completion possibilities.

noMatchCompletionsFormat is the string displayed when there are no matching completion possibilities. The string is empty by default.

showDescription is either true or false. If set to false then the Description: xx text will not be displayed.

explicitSetCreate is either "true" or "false". If set to "true" then the 'set' command in J-style CLI cannot be used to create instances. Instead a new command called 'create' becomes available for creating instances. Note that this deviates from a typical Juniper style CLI where instance creation is performed by the 'set' command.

User defined template filters must be listed here. They can be used in show templates in the same manner as the builtin ones. A template filter takes a string as input in 'argv[1]' and returns a modified version of it by invoking 'confd_action_reply_command'. It can also take extra arguments. For example '|a_filter:foo:42' implies 'argv[2]="foo"' and 'argv[3]="42".

Name of template filter.

Name of callback. The callback receives a string as first argument, optionally followed by the list of arguments given to the filter in the show template.

enableDisplayLevel is either "true", "false" or "pipe". If "false" then the 'displaylevel' option to the show command will not be available in the CLIs. If set to "pipe" then a special pipe target called 'display-level' will be available.

The displaylevel option can be used to limit how many levels will be displayed by the show command. If a display level of 1 is specified then only the direct children of an element will be shown. If a display level of 3 is specified then only elements at depth 3 below a given element will be displayed, etc.

A user can also modify the default display level for a given CLI- session using the display-level setting in the CLI, similarly to the screen-width, or idle-timeout settings.

enableDisplayGroups is either "true" or "false". If "false" then the user will not be able to provide a set of display groups when issuing the show command.

If enableDisplayLevel is set to "true" then this settings controls the default display level used if no explicit display level is specified. It is also used as the initial value of the (set) 'display-level' command in the CLI.

instanceDescription is either "true" or "false". If "true" then the CLI will look for description elems and add their values as info texts when displaying possible completions in the CLI. This makes it easier to identify the different instances.

addErrorPrefixSuffix is either "true" or "false". If "true" then the CLI will add "Error: " or "Aborted: " and when operations fail in the CLI. If set to "false" then the prefix will not be added for errors generated by some callback.

autocommitLoad is either "true" or "false". If "true" then when executing the 'load' command each line will be committed as soon as it has been read. Note that this is normally not a good idea. Only applies when transactions are disabled.

autocommitLoadChunkSize is used to avoid auto commit:ing after each line but instead commit after a chunk of lines have been read.

allOrNothingLoad is either true or false. If set to true then the transaction will be reset and all changes discarded if an error is encountered when loading a file. This behavior will not happen when the 'best effort' pipe target is used, nor when stopLoadOnError is set to false, nor when autocommitLoad is set to true.

stopLoadOnError is either "true" or "false". If "false" then the 'load' command in the C and I-style CLIs will not terminate on the first error but continue to process commands form the file.

enableLoadMerge is either "true" or "false". If "false" then the 'load' command in the C and I-style CLIs will not have an option for how to load a config file. If set to "true" then the 'load' command will have an additional option for loading the file either in 'override' mode or in 'merge' mode. 'override' is the mode used if enableLoadMerge is set to 'false'.

oldDetailsArg is either "true" or "false". If "false" then commands that display the configuration will not have a "details" argument but instead have a pipe flag called "details". The setting is present for backwards compatibility, the recommended setting for future use is "false".

DEPRECATED - use /confdConfig/defaultHandlingMode instead to control this behavior consistently for all northbound interfaces. Set /confdConfig/defaultHandlingMode to report-all to display default values.

withDefaults is either "true" or "false". If "false" then leaf nodes that have their default values will not be shown when the user displays the configuration, unless the user gives the "details" option to the "show" command.

This is useful when there are many settings which are seldom used. When set to "false" only the values actually modified by the user will be shown.

When set to 'true' ConfD will ignore the annotation tailf:cli-show-with-default when displaying the configuration changes in the C-style CLI.

trimDefaultShow is either "true" or "false". If "true" then leaf nodes that have the same value as the default value will not be displayed even when explicitly configured to have that value. When set to "false" such leaves will be displayed if explicitly configured to have the value. This setting applies to show commands, ie show running-config and show config.

If this behavior is wanted, it is recommended to set /confdConfig/defaultHandlingMode to trim instead of using this parameter, in order to get a consistent behavior for all northbound interfaces.

If the default handling mode is trim, explicitly configured values that are the same as the default value are never stored in the data store. This means that if the default handling mode is trim, this parameter has no effect.

trimDefaultSave is either "true" or "false". If "true" then leaf nodes that have the same value as the default value will not be displayed even when explicitly configured to have that value. When set to "false" such leaves will be displayed if explicitly configured to have the value. This setting applies to the save command.

If this behavior is wanted, it is recommended to set /confdConfig/defaultHandlingMode to trim instead of using this parameter, in order to get a consistent behavior for all northbound interfaces.

If the default handling mode is trim, explicitly configured values that are the same as the default value are never stored in the data store. This means that if the default handling mode is trim, this parameter has no effect.

docWrap is either "true" or "false". If "false" then certain documentation texts will not be enclosed in "<" and ">", if set to "true" they will be.

infoOnMatch is either "true" or "false". If "true" then the CLI will add info texts when displaying possible match completions. If set to "false" then the info text will not be shown.

The externalActionErrorMsg value is displayed whenever an external error occurs when executing an action in the CLI.

infoOnTab is either "true" or "false". If "false" then no info strings will be displayed in the tab completion list when the user enters TAB.

infoOnSpace is either "true" or "false". If "false" then no info strings will be displayed in the tab completion list when the user enters SPACE.

newLogout is either "true" or "false". If "false" then the I and C modes will have a single "logout" command for logging out a user and a specific session. If set to "true" then there will be two different commands - "logout user <name>" and "logout session <id>"

newInsert is either "true" or "false". If "false" then the old insert command will be used. If set to "true" then the new insert command, capable of inserting ordered-by-user list elements, will be used.

showEditors is either true or false. If set to true then a list of current editors will be displayed when a user enters configure mode.

whoShowMode is either "true" or "false". If set to "true" then an 'Config Mode' column will be added to the table shown when issuing the 'who' command in C- and I-mode.

whoHistoryDateTimeFormat decides if the date should always include the date (long), or only include the date when different from today (short).

messageFormat controls how messages between users and from the system should be presented to the user. The format string may contain the variables $(sender), $(time), $(message), $(date), $(time12), $(time12ampm), $(time12hm), $(host), $(hostname), and $(user).

messageWordWrap is either "true" or "false". If set to "true" then all system/user/prio messages in the CLI will be word-wrapped to the current terminal width.

Some messages are not displayed in the CLI when a command executed, but are delayed until the current command execution has finished. The size of the queue of pending messages is configured in messageQueueSize.

defaultPrefix is a string that is placed in front of the default value when a configuration is shown with default values as comments.

jWarningPrefix is a string that is placed in front of warnings when they are displayed in the CLI. J-style CLI.

jAbortedPrefix is a string that is placed in front of aborted messages when they are displayed in the CLI. J-style CLI.

jErrorPrefix is a string that is placed in front of error messages when they are displayed in the CLI. J-style CLI.

cWarningPrefix is a string that is placed in front of warnings when they are displayed in the CLI. I- and C-style CLI.

cAbortedPrefix is a string that is placed in front of aborted messages when they are displayed in the CLI. I- and C-style CLI.

cErrorPrefix is a string that is placed in front of error messages when they are displayed in the CLI. I- and C-style CLI.

invalidDataString is a string that is displayed instead of the real value whenever a data provider returns an invalid data element.

Prompt used in operational mode. The string may contain a number of backslash-escaped special characters which are decoded as follows:

Prompt used in configuration mode. The string may contain a number of backslash-escaped special characters which are decoded as described above.

Prompt used in operational mode in C style. The string may contain a number of backslash-escaped special characters which are decoded as described above.

Prompt used in configuration mode in C style. The string may contain a number of backslash-escaped special characters which are decoded as described above.

If set to true then the \m and \M will be expanded just as in C- and I-style

When the \h token is used in a prompt the first part of the hostname up until the first occurrence of the promptHostnameDelimiter is used.

asyncPromptRefresh is either "true" or "false". If set to "true" the CLI prompt will be refreshed when asynchronous tasks prints messages in the CLI, such as messages from other users.

Location where the 'show log' command looks for log files.

modeInfoInAudit is either "true", "false" or "path". If "true", then all commands will be prefixed with major and minor mode name when logged as audit messages. This means that it is possible to differentiate between commands with the same name in different modes. Major mode is "operational" or "configure" and minor mode is "top" in J-style and the name of the submode in C- and I-mode. On the top-level in C- and I-mode it is also "top". If set to "path" the major mode will be followed by the full command path to the submode.

auditLogMode is either "all", "allowed", or "denied". If "all", then all commands that the user tries to execute will be logged in the audit trail log. If "allowed", only allowed commands will be logged, ie commands that are actually run by the user. If "denied", only commands that the user were not allowed to execute will be logged, prefixed with "denied".

style is either "j", "c", or "i". If "j", then the CLI will be presented as a Juniper style CLI. If "c" then the CLI will appear as Cisco XR style, and if "i" then a Cisco IOS style CLI will be rendered.

Maximum idle time before terminating a CLI session. Default is PT30M, ie 30 minutes. PT0M means no timeout. Will be silently capped to 49 days 17 hours

promptSessionsCLI is either "true" or "false". If set to "true" then only the current CLI sessions will be displayed when the user tries to start a new CLI session and the maximum number of sessions has been reached. Note that MAAPI sessions with their context set to "cli" would be regarded as CLI sessions and would be listed as such.

disableIdleTimeoutOnCmd is either "true" or "false". If set to "false" then the idle timeout will trigger even when a command is running in the CLI. If set to "true" the idle timeout will only trigger if the user is idling at the CLI prompt.

Global command timeout. Terminate command unless the command has completed within the timeout. It is generally a bad idea to use this feature since it may have undesirable effects in a loaded system where normal commands take longer to complete than usual.

This timeout can be overridden by a command specific timeout specified in the confd.cli file.

Commit timeout in the CLI. This timeout controls for how long the commit operation will attempt to complete the operation when some other entity is locking the database, e.g. some other commit is in progress or some managed object is locking the database.

There is a similiar configuration parameter, /confdConfig/commitRetry/Timeout, which sets a timeout for all ConfD transactions, not just for CLI transactions.

Used to specify which timezone should be used when displaying the time in the CLI. If "local" is specified then the timezone that is configured on the device will be used.

If the timezone is set to UTC this can be set to specify the UTC offset measured in minutes.

Default value for the timestamps in the CLI. The user can always enable or disable the display of timestamps, this only controls the initial session value.

enabled is either "true" or "false". If "true" the CLI will print a timestamp before the output of each command.

clock24 is either "true" or "false". If "true" the 24-hour time notation wil be used when displaying hours.

Specifies the format of the timestamp. The string may contain a number of backslash-escaped special characters which are decoded as follows:

After each special character another character sequence can be specified in order to control the field width, alignment and padding character. The sequence can be either {A, W, P} or {A,W} where A is the alignment and can be either 'l' or 'r', W is the field width and P is the padding character. If P is not specified, " " will be used as the padding character. Example, the format "\d{l,4}\m{l,5}\D{l,3}\H{r,2,0}:\t{r,2,0}" would translate into "Wed Jun 3 08:35".

Default value for space completion in the CLI. The user can always enable or disable completion on space, this only controls the initial session value.

enabled is either "true" or "false". If "true" command and argument completion will be performed when <space> is entered.

Default value for autowizard in the CLI. The user can always enable or disable the auto wizard in each session, this controls the initial session value.

enabled is either "true" or "false". If "true" the CLI will prompt the user for required attributes when a new identifier is created.

enabled is either "true" or "false". If "true" ConfD will will run the builtin SSH daemon and run the CLI.

ip is an IP address which the ConfD CLI should listen to for SSH sessions. 0.0.0.0 means that it listens to the port (/confdConfig/cli/ssh/port) for all IPv4 addresses on the machine.

The port number for CLI SSH

extraIpPorts is a leaf-list of ip:port pairs which the CLI also listens to for SSH connections. For IPv6 addresses, the syntax [ip]:port may be used. If the ":port" is omitted, /confdConfig/cli/ssh/port is used.

This element is a leaf-list, i.e. multiple values are represented by multiple <extraIpPorts> items. Example:

<extraIpPorts>10.45.22.11:4777</extraIpPorts>
<extraIpPorts>127.0.0.1</extraIpPorts>
<extraIpPorts>:::88</extraIpPorts>
<extraIpPorts>[::]</extraIpPorts>

Support for setting the Differentiated Services Code Point (6 bits) for traffic originating from the CLI for SSH connections.

banner is a string that will be presented to the client before authenticating when logging in to the CLI via the built-in SSH server.

Name of file whose contents will be presented to the client before authenticating when logging in to the CLI via the built-in SSH server. If /confdConfig/cli/ssh/banner is non-empty, its value will be shown before the contents of this file. Default is empty.

showCommitProgress can be either "true" or "false". If set to "true" then the commit operation in the CLI will provide some progress information when the output is piped to the 'details' target.

commitActivityClock can be either "true" or "false". If set to "true" then a |/-\| style animation will be displayed if the commit operation takes more than 200 ms to complete.

commitMessage is either "true" or "false". If set to "true" then a message will be displayed in the CLI whenever a commit operation is performed in the system. This is always disabled in I-style, and in transactionless mode.

commitMessageFormat controls how commit messages are displayed in the CLI. The format string may contain the variables $(user), $(time), $(ctx), $(date), $(time12), $(time12ampm), $(time12hm), $(host), $(hostname), and $(proto).

Suppress commit messages from certain contexts.

Suppress commit messages from a certain context. The value of suppressCommitMessages should be the name of a context. For example "system".

jStatusFormat controls which status message is displayed after executing a CLI command in the J-style CLI. The format string may contain the variables $(status), $(time), $(date), $(time12), $(time12ampm), $(time12hm), $(host), $(hostname), and $(proto).

forceExitFormat controls which message to display when a user is forced out of configure mode by another user. The format string may contain the variables $(user), $(time), $(date), $(time12), $(time12ampm), $(time12hm), $(host) and $(hostname).

showSubsystemMessages is either "true" or "false". If "true" the CLI will display a system message whenever a connected daemon is started or stopped.

ignoreSubsystemFailures is either "true" or "false". If "true" the CLI will make a best effort to display data even if a data provider is unavailable.

showEmptyContainers is either "true" or "false". If "true" the CLI will display empty container nodes when displaying the configuration. If "false" then empty static containers will not be shown.

showTags is either "true" or "false". If "true" the CLI will display configuration tags if they are present. If set to "false" then the tags will not be displayed by default.

showAnnotations is either "true" or "false". If "true" the CLI will display configuration annotations if they are present. If set to "false" then the annotations will not be displayed by default.

orderedShowConfig is either "true" or "false". If "true" then the commands displayed when running the "show configuration" command in C-mode will take leafrefs and cli-diff-dependency into account.

suppressFastShow is either "true" or "false". If "true" then the fast show optimization will be suppressed in the C-style CLI. The fast show optimization is somewhat experimental and may break certain operations.

leafPrompting is either "true" or "false". If "true" the CLI will prompt the user for leaf values if they are not provided on the command line. If "false" then an error message will be displayed if the user does not provide a value for a leaf.

jExtendedShow is either "true" or "false". If set to "true" then the J-style CLI will have auto-rendered show commands in the same style as the C and I-style CLIs. The 'show status' command can still be used for viewing config="false" data.

jShowCR is either "true" or "false". If set to "true" then the J-style CLI will show >cr< in the completion list whenever it is legal to press cr.

showPipe is either "true" or "false". If set to "true" in operational mode the completion list will contain | if it is legal to enter |. In J-style the jShowCR must also be set to enable this. If disablePipe is set, it will override the setting of showPipe and imply the same behavior as if showPipe is "false".

showPipeConfig is either "true" or "false". If set to "true" in configure mode the completion list will contain | if it is legal to enter |. In J-style the jShowCR must also be set to enable this. If disablePipeConfig is set, it will override the setting of showPipeConfig and imply the same behavior as if showPipeConfig is "false".

disablePipe is either "true" or "false". If set to "true" then the pipe commands are disabled in operational mode.

disablePipeConfig is either "true" or "false". If set to "true" then the pipe commands are disabled in configure mode.

If showPipe is set to true, then pipeHelpMode determines how the pipe option will be displayed to the user. If set to "auto", then the description text "Output modifiers" will only be displayed if there are any other options with help texts, otherwise it will not be shown. If set to "always" then the help text will always be displayed, if set to "never" then it will never be displayed.

jAllowDeleteAll is either "true" or "false". If set to "true" then the J-style CLI will show the command "delete" without arguments, if set to "false" then an argument is required.

Silently ignore deletes of non-existing instances.

cModeExitFormat is the string used in the CLI when displaying the running configuration to indicate exit from a submode.

If a leaf value is given when an optional leaf is deleted, the given value is normally ignored and the node is deleted regardless of the value. When cRestrictiveNo is set to "true", the given value is required to be equal to the old value in order to the delete operation to be allowed. For example the Cisco style command "no interface eth0 mtu 1500" will only succeed if the mtu has the value 1500.

Extend the available submode commands to all commands in parent (and grand-parent) modes. These commands are not visible during completion but will be executed if entered. If set to "false" then only commands for entering other submodes are available in parent and grand-parent modes, if set to "true" all commands in parent and grand-parent modes are available.

Prevent non-local commands from being executed. This negates the effect of cExtendedCmdSearch above. It is recommended to also set cModeExitFormat to "exit" when this option is set to true.

enterSubmodeOnLeaf is either "true" or "false". If set to "true" (the default) then setting a leaf in a submode from a parent mode results in entering the submode after the command has completed. If set to "false" then an explicit command for entering the submode is needed. For example, if running the command

interface FastEthernet 1/1/1 mtu 1400

from the top level in config mode. If enterSubmodeOnLeaf is true the CLI will end up in the "interface FastEthernet 1/1/1" submode after the command execution. If set to "false" then the CLI will remain at the top level. To enter the submode when set to "false" the command

interface FastEthernet 1/1/1

is needed. Applied to the C- and I- style CLI.

noFollowIncompleteCommand is either "true" or "false". If set to "true" then the 'no' command will take incomplete-command declarations into account. If set to "false" it will not.

jShowUnset is either "true" or "false". If set to "true" then the J-style CLI will show unset leaves with the value of jShowUnsetText when doing "show configuration".

jShowUnsetText is the text printed for unset values if jShowUnset has been set to true.

jShowTableRecursive is either "true" or "false". If "true" the J-style CLI will attempt to display the result of the command "show table" as a table even when a list is not directly specified. If set to "false" then a table will only be produced if a list node is specified as argument to "show table".

cPrivate is either "true" or "false". If set to "true" then the term "private" will be used in place of "terminal" for denoting the private/terminal configuration mode. When set to "false" the term "terminal" will be used instead.

cTab is either "true" or "false". If "true" the Cisco style CLI will not display any help text when the user enters TAB. If "false" then help text will be shown when entering TAB, similarly to the Juniper-style CLI.

cTabInfo is either "true" or "false". If "false" the Cisco style CLI will not display any info text when the user enters TAB. If "true" then info text will be shown when entering TAB, similarly to the Juniper-style CLI.

tabExtend is either "true" or "false". If "true" the CLI will extend the current token to the next longer alternative.

cHelp is either "true" or "false". If "true" the Cisco style CLI will not display any desc text when the user enters '?'. If "false" then desc text will be shown when entering '?', similarly to the Juniper-style CLI.

restrictedFileAccess is either "true" or "false". If this is set to "true", then the user only has access to the home directory (or the directory where confd_cli is started), or if a directory is specified in a cli command parameter (params/param/type/directory{wd} or params/param/type/file{wd}) to that directory.

hideDotFile is either "true" or "false". If "true" then files starting with a '.' will not be visible in the CLI..

restrictedFileRegexp is either an empty string or an regular expression (AWK style). If not empty then all files and directories created or accessed must match the regular expression. This can be used to ensure that certain symbols does not occur in created file names.

mapActions is either "both", "config", or "oper". If "both", then actions are available both in operational mode and in configure mode. If "oper" then they are only available in operational mode, and if "config" then they are only available in configure mode.

modeNameStyle is either "short", "two", or "full". If "short", then the mode name of submodes in the Cisco style CLIs will be constructed from the last element in the path and the instance key. If set to "two" then the two last modes will be used for the mode name. If set to "full" then all components in the path will be used in the mode name.

modeInfoInAAA is either "true", "false" or "path", If "true", then all commands will be prefixed with major and minor mode name when processed by the AAA-rules. This means that it is possible to differentiate between commands with the same name in different modes. Major mode is "operational" or "configure" and minor mode is "top" in J-style and the name of the submode in C- and I-mode. On the top-level in C- and I-mode it is also "top". If set to "path" and if the command operation is "read" the major mode will be followed by the path to the submode which will be followed by the command. If set to "path" and if the command operation is "execute" the major mode will instead be followed by the command and the path to the submode will be prepended to any path arguments of the command.

cmdAAAForAutowizard si either "true" or "false". If set to "true" then the CLI will generate synthetic commands, and perform AAA command rule checks for, for all paths and values requested by the autowizard functionality.

quoteStyle is either "quote" or "backslash". If set to "quote" then the quote characters will be used on the CLI command line for quoting strings with troublesome characters. If set to "backslash" then a backslash will be used. For example:

Using quote:

io(config)# description "description with spaces"

Using backslash:

io(config)# description description\ with\ spaces

laxBarQuoting is either "true" or "false". If set to "true" then | and ; are only quoted if they appear by them selves. A consequence of this is that the user must have whitespace on both sides of | and ; on the command line when these characters are used as pipe (|) or concatenator (;).

expandAliasOnCompletion is either true or false. If set to true then aliases will be expanded before invoking the completion code.

expandAliasEscape is either false or a character. If set to a character then expanding an alias can be prevented by putting the character in front of the alias.

allowParenQuotes is either "true" or "false". If set to "true" then parentheses are treated as quotes, ie the string (xx yy) will be equivalent to "xx yy" and xx\ yy on the CLI command line.

execNavigationCmds is either "true" or "false". If set to "true" then it is possible to enter a submode also in exec mode in C- and I-style CLI.

exitConfigModeOnCtrlC is either "true" or "false". If set to "false" the user will not be thrown out of config mode when ctrl-c is pressed on an empty command line.

allowOverwriteOnCopy is either "true" or "false". If set to "true" then the copy command in the CLI will overwrite the target if it exists. If set to "false" then an error will be displayed if the target exists.

inheritPaginate is either "true" or "false". If set to "true" then the paginate setting of a pipe command will be determined by the paginate setting of the main command. If set to "false", then the output from a pipe command will not be paginated unless pagination for that pipe command has been overridden in a clispec file.

The login procedure to ConfD is fully described in the ConfD User's Guide.

ConfD closes ssh connections after this time if the client has not successfully authenticated itself by then. If the value is PT0S, there is no time limit for client authentication.

This is a global value for all ssh servers in ConfD.

Modification of this value will only affect ssh connections that are established after the modification has been done.

ConfD closes ssh connections when the client has made this number of unsuccessful authentication attempts.

This is a global value for all ssh servers in ConfD.

Modification of this value will only affect ssh connections that are established after the modification has been done.

Controls how the ConfD SSH daemon locates the user keys for public key authentication.

If set to "none", public key authentication is disabled.

If set to "local", and the user exists in /aaa/authentication/users, the keys in the user's 'ssh_keydir' directory are used.

If set to "system", the user is first looked up in /aaa/authentication/users, but only if /confdConfig/aaa/localAuthentication/enabled is set to "true" - if localAuthentication is disabled, or the user does not exist in /aaa/authentication/users, but the user does exist in the OS password database, the keys in the user's $HOME/.ssh directory are used.

sshServerKeyDir is the directory file path where the keys used by the ConfD SSH daemon are found. This parameter must be set if SSH is enabled for NETCONF or the CLI. If SSH is enabled, the server keys used by ConfD are of the same format as the server keys used by openssh, i.e. the same format as generated by 'ssh-keygen'.

Only DSA- and RSA-type keys can be used with the ConfD SSH daemon, as generated by 'ssh-keygen' with the '-t dsa' and '-t rsa' switches, respectively.

The key must be stored with an empty passphrase, and with the name 'ssh_host_dsa_key' if it is a DSA-type key, and with the name 'ssh_host_rsa_key' if it is an RSA-type key.

The SSH server will advertise support for those key types for which there is a key file available and for which the required algorithm is enabled, see the /confdConfig/ssh/algorithms/serverHostKey directive.

If the group of a user cannot be found in the AAA sub-system, a logged in user will end up as a member of the default group (if specified). If a user logs in and the group membership cannot be established, the user will have zero access rights.

By default the AAA system will try to authenticate a user in the following order. (1) localAuthentication i.e. the user is found inside /aaa/authentication/users. (2) pam - i.e PAM authentication - if enabled - is tried. (3) externalAuthentication i.e. an external program is invoked to authenticate the user.

The default is thus:

"localAuthentication pam externalAuthentication"

To change the order - change this string. For example in order to always try pam authentication before local auth set it to: "pam localAuthentication"

When PAM or external authentication is used, the authentication mechanism may give a warning that the user's password is about to expire. This parameter controls how ConfD processes that warning message.

If set to "ignore", the warning is ignored.

If set to "display", interactive user interfaces will display the warning message at login time.

If set to "prompt", interactive user interfaces will display the warning message at login time, and require that the user acknowledges the message before proceeding.

Controls the logging of the user name when a failed authentication attempt is logged to the audit log.

If set to "always", the user name is always logged.

If set to "known", the user name is only logged when it is known to be valid (i.e. when attempting localAuthentication and the user exists in /aaa/authentication/users), otherwise it is logged as "[withheld]".

If set to "never", the user name is always logged as "[withheld]".

enabled is either "true" or "false". If "true", local authentication is used, i.e. the user data kept in the aaa namespace is used to authenticate users. If "false" some other authentication mechanism such as PAM or external authentication must be used.

If PAM is to be used for login the ConfD daemon typically must run as root.

enabled is either "true" or "false". If "true", ConfD uses PAM for authentication.

The PAM service to be used for the authentication. This can be any service we have installed in the /etc/pam.d directory. Different unices have different services installed under /etc/pam.d, and some use a file /etc/pam.conf instead - choose a service which makes sense or create a new one.

The maximum time that authentication will wait for a reply from PAM. If the timeout is reached, the PAM authentication will fail, but authentication attempts may still be done with other mechanisms as configured for /confdConfig/aaa/authOrder. Default is PT10S, i.e. 10 seconds.

enabled is either "true" or "false". If "true", external authentication is used.

If we enable external authentication, an executable on the local host can be launched to authenticate a user. The executable will receive the username and the cleartext password on its standard input. The format is "[${USER};${PASS};]\n". For example if user is "bob" and password is "secret", the executable will receive the string "[bob;secret;]" followed by a newline on its standard input. The program must parse this line.

The task of the external program, which for example could be a RADIUS client, is to authenticate the user and also provide the user to groups mapping. Refer to the External authentication section of the AAA chapter in the User Guide for the details of how the program should report the result back to ConfD.

When set to "true", ${USER} and ${PASS} in the data passed to the executable will be base64-encoded, allowing e.g. for the password to contain ';' characters. For example if user is "bob" and password is "secret", the executable will receive the string "[Ym9i;c2VjcmV0;]" followed by a newline.

When set to "true", additional information items will be provided to the executable: source IP address and port, context, and protocol. I.e. the complete format will be "[${USER};${PASS};${IP};${PORT};${CONTEXT};${PROTO};]\n". Example: "[bob;secret;192.168.1.1;12345;cli;ssh;]\n".

enabled is either "true" or "false". If "true", ConfD will invoke an application callback when authentication has succeeded or failed. The callback may reject an otherwise successful authentication. If the callback has not been registered, all authentication attempts will fail. See confd_lib_dp(3) for the callback details.

enabled is either "true" or "false". If "false", all authorization checks are turned off similar to the -noaaa flag in confd_cli.

enabled is either "true" or "false". If "true", ConfD will invoke application callbacks for authorization. If the callbacks have not been registered, all authorization checks will be rejected. See confd_lib_dp(3) for the callback details.

aaaBridge specifies if the aaa_bridge, as described in confd_aaa_bridge(1), will be used to access external AAA info.

enabled is either "true" or "false". If "true", the confd_aaa_bridge program is automatically started by ConfD

file specifies the location of the AAA data file needed by the confd_aaa_bridge program.

If we want to move the AAA data into another userdefined namespace, we indicate that here.

If we want to move the AAA data into another userdefined namespace, we indicate the prefix path in that namespace where the ConfD AAA namespace has been mounted.

This feature has been deprecated, it is easier to achieve this through a symlink.

This section defines settings which decide how the NETCONF agent should behave, with respect to NETCONF and SSH.

enabled is either "true" or "false". If "true", the NETCONF agent is started.

The list of NETCONF versions that the NETCONF server will understand and advertise.

Setting the value to true will enable NETCONF version 1.0, as defined in RFC 4741.

Setting the value to true will enable NETCONF version 1.1, as defined in RFC 6241.

Settings deciding which transport services the NETCONF agent should listen to, e.g. TCP and SSH.

Settings deciding how the NETCONF SSH transport service should behave.

enabled is either "true" or "false". If "true", the NETCONF agent uses SSH as a transport service.

ip is an IP address which the ConfD NETCONF agent should listen to. 0.0.0.0 means that it listens to the port (/confdConfig/netconf/transport/ssh/port) for all IPv4 addresses on the machine.

port is a valid port number to be used in combination with /confdConfig/netconf/transport/ssh/ip. Note that the standard port for NETCONF over SSH is 830.

extraIpPorts is a leaf-list of ip:port pairs which the NETCONF agent also listens to for SSH connections. For IPv6 addresses, the syntax [ip]:port may be used. If the ":port" is omitted, /confdConfig/netconf/transport/ssh/port is used.

This element is a leaf-list, i.e. multiple values are represented by multiple <extraIpPorts> items. Example:

<extraIpPorts>10.45.22.11:4777</extraIpPorts>
<extraIpPorts>127.0.0.1</extraIpPorts>
<extraIpPorts>:::88</extraIpPorts>
<extraIpPorts>[::]</extraIpPorts>

Support for setting the Differentiated Services Code Point (6 bits) for traffic originating from the NETCONF server for SSH connections.

NETCONF over TCP is not standardized, but it can be useful during development in order to use e.g. netcat for scripting. It is also useful if we want to use our own proprietary transport. In that case we setup the NETCONF agent to listen to localhost and then proxy it from our transport service module.

enabled is either "true" or "false". If "true", the NETCONF agent uses clear text TCP as a transport service.

ip is an IP address which the ConfD NETCONF agent should listen to. 0.0.0.0 means that it listens to the port (/confdConfig/netconf/transport/tcp/port) for all IPv4 addresses on the machine.

port is a valid port number to be used in combination with /confdConfig/netconf/transport/tcp/ip.

extraIpPorts is a leaf-list of ip:port pairs which the NETCONF agent also listens to for TCP connections. For IPv6 addresses, the syntax [ip]:port may be used. If the ":port" is omitted, /confdConfig/netconf/transport/tcp/port is used.

This element is a leaf-list, i.e. multiple values are represented by multiple <extraIpPorts> items. Example:

<extraIpPorts>10.45.22.11:4777</extraIpPorts>
<extraIpPorts>127.0.0.1</extraIpPorts>
<extraIpPorts>:::88</extraIpPorts>
<extraIpPorts>[::]</extraIpPorts>

Support for setting the Differentiated Services Code Point (6 bits) for traffic originating from the NETCONF server for TCP connections.

Decide which NETCONF capabilities to enable here.

enabled is either "true" or "false". If "true", the startup NETCONF capability is enabled. Enable only if /confdConfig/datastores/startup is enabled.

enabled is either "true" or "false". If "true", the candidate NETCONF capability is enabled. Enable only if /confdConfig/datastores/candidate is enabled.

enabled is either "true" or "false". If "true", the confirmed-commit NETCONF capability is enabled.

enabled is either "true" or "false". If "true", the writable-running NETCONF capability is enabled. Enable only if /confdConfig/datastores/running/access is read-write.

enabled is either "true" or "false". If "true", the rollback-on-error NETCONF capability is enabled.

enabled is either "true" or "false". If enabled "true", the validate NETCONF capability is enabled.

DEPRECATED - this feature is available in NETCONF 1.1.

If test-only "true", the NETCONF agent allows 'test-only' as a valid value for the '<test-option>' parameter in '<edit-config>'.

Turn on the URL capability options we want to support.

enabled is either "true" or "false". If "true", the url NETCONF capability is enabled.

Decide how the url file support should behave.

enabled is either "true" or "false". If "true", the url file scheme is enabled.

rootDir is a directory path on disk where ConfD will store the result from an NETCONF operation using the url capability. This parameter must be set if the file url scheme is enabled.

Decide how the url ftp scheme should behave.

enabled is either "true" or "false". If "true", the url ftp scheme is enabled.

Decide how the url sftp scheme should behave.

enabled is either "true" or "false". If "true", the url sftp scheme is enabled.

enabled is either "true" or "false". If "true", the xpath capability is enabled.

enabled is either "true" or "false". If "true", the notification capability, defined in RFC 5277, is enabled.

enabled is either "true" or "false". If "true", the interleave capability, defined in RFC 5277, is enabled. With this capability enabled, the NETCONF agent will process RPCs while sending notifications.

enabled is either "true" or "false". If "true", the partial-lock capability defined in RFC 5717 is enabled.

enabled is either "true" or "false". If "true", the http://tail-f.com/ns/netconf/actions/1.0 capability is enabled.

enabled is either "true" or "false". If "true", the http://tail-f.com/ns/netconf/transactions/1.0 capability is enabled.

enabled is either "true" or "false". If "true", the with-defaults capability, defined in RFC 6243, is enabled.

The NETCONF server will advertise its 'basic-mode' and 'also-supported' modes depending on the parameter /confdConfig/defaultHandlingMode.

DEPRECATED - use ietf-with-defaults instead.

enabled is either "true" or "false". If "true", the http://tail-f.com/ns/netconf/with-defaults/1.0 capability is enabled.

enabled is either "true" or "false". If "true", the http://tail-f.com/ns/netconf/forward/1.0 capability is enabled.

DEPRECATED - this feature is available in NETCONF 1.1.

enabled is either "true" or "false". If "true", the http://tail-f.com/ns/netconf/commit/1.0 capability is enabled.

enabled is either "true" or "false". If "true", the http://tail-f.com/ns/netconf/query capability is enabled.

enabled is either "true" or "false". If "true", the http://tail-f.com/ns/netconf/inactive/1.0 capability is enabled.

capability is a parameter can be given multiple times. It specifies a URI string which the NETCONF agent will report as a capability in the hello message sent to the client.

Controls how many concurrent NETCONF batch processes there can be at any time. A batch process can be started by the agent if a new NETCONF operation is implemented as a batch operation. See the NETCONF chapter in the ConfD User's Guide for details.

If extendedSessions are enabled, all ConfD sessions can be terminated using <kill-session>, i.e. not only can other NETCONF session be terminated, but also CLI sessions, Webui sessions etc. If such a session holds a lock, it's session id will be returned in the <lock-denied>, instead of "0".

Strictly speaking, this extension is not covered by the NETCONF specification; therefore it's false by default.

DEPRECATED - use /confdConfig/defaultHandlingMode instead to control this behavior consistently for all northbound interfaces.

If sendDefaults is true, default values will be included in the replies to <get>, <get-config>, and <copy-config>. If sendDefaults is false, default values will not be included by default.

If /confdConfig/netconf/capabilities/with-defaults is enabled, this behavior can be controlled by the NETCONF client.

If rpcErrors is "inline", and an error occurs during the processing of a <get> or <get-config> request when ConfD tries to fetch some data from a data provider, ConfD will generate an rpc-error element in the faulty element, and continue to process the next element.

If an error occurs and rpcErrors is "close", the NETCONF transport is closed by ConfD.

Maximum idle time before terminating a NETCONF session. If the session is waiting for notifications, or has a pending confirmed commit, the idle timeout is not used. The default value is 0, which means no timeout. Modification of this value will only affect connections that are established after the modification has been done.

Maximum time for a write operation towards a client to complete. If the time is exceeded, the NETCONF session is terminated. The default value is 0, which means no timeout. Modification of this value will only affect connections that are established after the modification has been done.

This section defines settings which affect the behavior of Proxy Forwarding.

enabled is either "true" or "false". If "true", proxy forwarding is enabled.

autoLogin is either "true" or "false". If "true", ConfD will try to login to the target system with the current sessions credentials, if it has access to them. In order for ConfD to get access to the session credentials, the builtin SSH daemon must be used.

Parameters for a single proxy.

The name of the proxy target. It is used as a unique identifier of the proxy target. This is the target name that users give when they want to connect to the target.

The name is included in the proxy events (see confd_lib_events(3)) generated by ConfD.

The IP address of the proxy target system.

If present, the target is available for NETCONF proxy forwarding.

If present, the proxy connections between ConfD and the proxy NETCONF target will be over SSH.

The port where the proxy target listens for NETCONF SSH connections.

If present, the proxy connections between ConfD and the proxy NETCONF target will be over TCP.

The port where the proxy target listens for NETCONF TCP connections.

If present, the target is available for CLI proxy forwarding.

If present, the proxy connections between ConfD and the proxy CLI target will be over SSH.

The port where the proxy target listens for CLI SSH connections.

This section defines settings which affect the behavior of the SNMP agent.

enabled is either "true" or "false". If "true", the SNMP agent is enabled.

ip is an IP address which the ConfD SNMP agent should listen to. 0.0.0.0 means that it listens to the port (/confdConfig/snmpAgent/port) for all IPv4 addresses on the machine.

port is a valid port number to be used in combination with /confdConfig/snmpAgent/ip.

extraIpPorts is a leaf-list of ip:port pairs which the SNMP agent also listens to. For IPv6 addresses, the syntax [ip]:port may be used. If the ":port" is omitted, /confdConfig/snmpAgent/port is used.

This element is a leaf-list, i.e. multiple values are represented by multiple <extraIpPorts> items. Example:

<extraIpPorts>10.45.22.11:4777</extraIpPorts>
<extraIpPorts>127.0.0.1</extraIpPorts>
<extraIpPorts>:::88</extraIpPorts>
<extraIpPorts>[::]</extraIpPorts>

Support for setting the Differentiated Services Code Point (6 bits) for traffic originating from the SNMP agent.

This section defines a list of MIBs that should be loaded into the SNMP agent.

file is the location of a MIB file that should be loaded into the SNMP agent. For example:

<file>./TAIL-F-TEST-MIB.bin</file>

The MIB file must be in binary format (.bin) produced with the confdc compiler. For loading of a built-in MIB no path must be given. Example:

<file>SNMP-USER-BASED-SM-MIB.bin</file>

See the ConfD User's Guide for more information about loading MIBs into the SNMP agent.

If true, any ".bin" file found in the /confdConfig/loadPath is loaded at startup. Bult-in MIBs must still be listed explicitly using the "file" element.

The time, in seconds, that the agent keeps temporary table entries before deleting them. A table entry is temporary if its RowStatus column is 'notReady' or 'notInService'.

If true, the SNMP Agent will consider requests originating from one and the same IP Address, and using the same security name, as related, regardless of source port. Per default, the SNMP Agent will consider requests originating from one and the same IP Address and port, and using the same security name, as related. Related requests are handled in the same user session. This is absolutely necessary for achieving good performance when processing consecutive get-next requests, as during SNMP walks.

This section defines the list of SNMP versions that the SNMP agent should understand.

Setting the value to true will enable SNMP v1 in the SNMP agent.

Setting the value to true will enable SNMP v2c in the SNMP agent.

Setting the value to true will enable SNMP v3 in the SNMP agent.

This section defines properties from the SNMP-FRAMEWORK-MIB (RFC3411) for the SNMP agent.

The name of the SNMP engine. snmpEngineID is defined in the SNMP-FRAMEWORK-MIB (RFC3411).

The maximum size of SNMP messages that the agent can send or receive. The snmpEngineMaxMessageSize is defined in the SNMP-FRAMEWORK-MIB (RFC3411).

When the SNMP agent sends the standard authenticationFailure notification, it is delivered to the management targets defined for the snmpNotifyName in the snmpNotifyTable in SNMP-NOTIFICATION-MIB (RFC3413). If authenticationFailureNotifyName is the empty string (default), the notification is delivered to all management targets.

A leaf-list of context names which this SNMP Agent, i.e. one or more external data providers, recognize in addition to the empty context, "".

This element is a leaf-list, i.e. multiple values are represented by multiple <contexts> items.

Whenever a set request cannot be completed, due to competing actions (typically CDB clients, or other transactions) preventing the SNMP Agent from taking the required locks on configuration stores and data providers affected by the request, the SNMP Agent will respond to the set request with an "in use" error. If dropWhenInUse is true, the SNMP Agent will silently drop the request instead.

This section defines properties from the SNMPv2-MIB (RFC3418) for the SNMP agent.

A textual description of the entity. This value should include the full name and version identification of the system's hardware type, software operating-system, and networking software. The sysDescr is defined in the SNMPv2-MIB (RFC3418).

The vendor's authoritative identification of the network management subsystem contained in the entity. The sysObjectID is defined in the SNMPv2-MIB (RFC3418).

A value which indicates the set of services that this entity may potentially offer. The sysServices is defined in the SNMPv2-MIB (RFC3418).

Entries that will populate the sysORTable from SNMPv2-MIB.

Corresponds to one entry in the sysORTable from SNMPv2-MIB.

The index for this row in the table.

The OID of the AGENT-CAPABILITIES invocation.

A textual description of capabilities defined in sysORID.

This section defines settings which affect the behavior of the SNMP gateway.

enabled is either "true" or "false". If "true", the gateway is enabled.

The port number to listen for traps on.

Parameters for a single agent.

enabled is either "true" or "false". If "true", the agent is enabled.

A name for the agent, mainly used for error reporting.

The subscription id, if set, is used for indicating to which applications external traps should be sent on.

The forwarding notification stream, if present, indicates that traps should be automatically translated in accordance with the yang definition of the notification, and sent out on the given stream. The given stream may not implement replay support externally.

The community string for communication with the agent. If the community string cannot be expressed in Unicode, use the element community_bin instead (see below). If both community_bin and community are specified, community is ignored.

The community string for communication with the agent, encoded in hexBinary. For example, <community>AB</community> and <community_bin>4142</community_bin> are equivalent. The main use for this is when the community string cannot be expressed in Unicode.

The default protocol version to use. The value indicates the preferred version - if the agent doesn't respond, the other version will be tried.

The amount of time to wait for an answer from the agent before aborting the operation. The default is five seconds.

The host (specified as a name or an IP address) on which the agent is running.

The port number to use for communication with the agent.

A list of MIB module names that this agent implements. Each such MIB must be convert to YANG and compiled with the --snmpgw flag to confdc.

This section defines settings which decide how the embedded ConfD Web server should behave, with respect to TCP and SSL etc.

enabled is either "true" or "false". If "true", the Web server is started.

The hostname the Web server serves.

This setting specifies if the Web server only should serve URLs adhering to the serverName defined above. By default the serverName is "localhost" and matchHostName is "false", i.e. any server name can be given in the URL. If you want the server to only accept URLs adhering to the serverName, enable this setting.

The ConfD Web server uses a RAM cache for static content. An entry sits in the cache for a number of seconds before it is reread from disk (on access). The default is 0.

Leafref and keyref entries are represented as drop-down menus in the automatically generated Web UI. By default no more than 100 entries are fetched. This element makes this number configurable.

The location of the document root on disk. If this configurable is omitted the docroot points to the next generation docroot in the ConfD distro instead.

Where to redirect after successful login, which by default is '/index.html'.

Url where the 'hatchery' webui is mapped if enabled. The default is '/webui'.

The loginDir element points out an alternative login directory which contains your HTML code etc used to login to the Web UI. This directory will be mapped https://<ip-address>/login. If this element is not specified the default login/ directory in the docroot will be used instead.

The custom-dir element points out a custom directory which contains the customizations you want to apply to the auto- generated Web UI. The content of this directory should be as described in the User Guide and it will be mapped to https://<ip-address>/custom.

The customHeaders element contains any number of header elements, with a valid header-field as defined in RFC7230. The headers will be part of HTTP responses on "/login.html", "/index.html" and "/jsonrpc".

RFC7230 field-name, e.g. Accept-Control-Allow-Origin

RFC7230 field-value, e.g. http://www.cisco.com

By default the X-Frame-Options header is set to DENY for the /login.html and /index.html pages. With this header it can be set to SAMEORIGIN or ALLOW-FROM instead.

The disableAuth element contains any number of dir elements. Each dir element points to a directory path in the docroot which should not be restricted by the AAA engine. If no dir elements are specified the following directories and files will not be restricted by the AAA engine: "/login" and "/login.html".

Settings deciding which transport services the Web server should listen to, e.g. TCP and SSL.

Settings deciding how the Web server TCP transport service should behave.

enabled is either "true" or "false". If "true", the Web server uses cleart text TCP as a transport service.

If given the user will be redirected to the specified URL. Two macros can be specified, i.e. @HOST@ and @PORT@. For example https://@HOST@:443 or https://192.12.4.3:@PORT@

disableNonAuthRedirect is either "true" or "false". If "true" non-authenticated HTTP requests (expect "/" and "/index.html") result in a 404 HTTP reply. If false all non-authenticated requests are redirected to "/login.html".

ip is an IP address which the Web server should listen to. 0.0.0.0 means that it listens to the port (/confdConfig/webui/transport/tcp/port) for all IPv4 addresses on the machine.

port is a valid port number to be used in combination with /confdConfig/webui/transport/tcp/ip.

extraIpPorts is a leaf-list of ip:port pairs which the Web server also listens to for TCP connections. For IPv6 addresses, the syntax [ip]:port may be used. If the ":port" is omitted, /confdConfig/webui/transport/tcp/port is used.

This element is a leaf-list, i.e. multiple values are represented by multiple <extraIpPorts> items. Example:

<extraIpPorts>10.45.22.11:4777</extraIpPorts>
<extraIpPorts>127.0.0.1</extraIpPorts>
<extraIpPorts>:::88</extraIpPorts>
<extraIpPorts>[::]</extraIpPorts>

Support for setting the Differentiated Services Code Point (6 bits) for traffic originating from the Web server for TCP connections.

Settings deciding how the Web server SSL (Secure Sockets Layer) transport service should behave.

SSL is widely deployed on the Internet and virtually all bank transactions as well as all on-line shopping today is done with SSL encryption. There are many good sources on describing SSL in detail, e.g. http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/ which describes how to manage certificates and keys.

enabled is either "true" or "false". If "true", the Web server uses SSL as a transport service.

disableNonAuthRedirect is either "true" or "false". If "true" non-authenticated HTTP requests (expect "/" and "/index.html") result in a 404 HTTP reply. If false all non-authenticated requests are redirected to "/login.html".

If given the user will be redirected to the specified URL. Two macros can be specified, i.e. @HOST@ and @PORT@. For example http://@HOST@:80 or http://192.12.4.3:@PORT@

ip is an IP address which the Web server should listen to. 0.0.0.0 means that it listens to the port (/confdConfig/webui/transport/ssl/port) for all IPv4 addresses on the machine.

port is a valid port number to be used in combination with /confdConfig/webui/transport/ssl/ip.

extraIpPorts is a leaf-list of ip:port pairs which the Web server also listens to for SSL connections. For IPv6 addresses, the syntax [ip]:port may be used. If the ":port" is omitted, /confdConfig/webui/transport/ssl/port is used.

This element is a leaf-list, i.e. multiple values are represented by multiple <extraIpPorts> items. Example:

<extraIpPorts>10.45.22.11:4777</extraIpPorts>
<extraIpPorts>127.0.0.1</extraIpPorts>
<extraIpPorts>:::88</extraIpPorts>
<extraIpPorts>[::]</extraIpPorts>

Support for setting the Differentiated Services Code Point (6 bits) for traffic originating from the Web server for SSL connections.

Specifies which file that contains the private key for the certificate. Read more about certificates in /confdConfig/webui/transport/ssl/certFile. If this configurable is omitted the keyFile points to a built-in self signed certificate/key in the ConfD distro instead. Note: Only use this certificate/key for test purposes.

Specifies which file that contains the server certificate. The certificate is either a self-signed test certificate or a genuin and validated certificate bought from a CA (Certificate Authority). If this configurable is omitted the keyFile points to a built-in self signed certificate/key in the ConfD distro instead. Note: Only use this certificate/key for test purposes.

The ConfD distribution comes with a server certificate which can be used for testing purposes ($CONFD_DIST/var/confd/webui/cert/host.{cert,key}). This server certificate has been generated using a local CA certificate:

$ openssl
OpenSSL> genrsa -out ca.key 4096
OpenSSL> req -new -x509 -days 3650 -key ca.key -out ca.cert
OpenSSL> genrsa -out host.key 4096
OpenSSL> req -new -key host.key -out host.csr
OpenSSL> x509 -req -days 365 -in host.csr -CA ca.cert \
              -CAkey ca.key -set_serial 01 -out host.cert

Specifies which file that contains the trusted certificates to use during client authentication and to use when attempting to build the server certificate chain. The list is also used in the list of acceptable CA certificates passed to the client when a certificate is requested.

The ConfD distribution comes with a CA certificate which can be used for testing purposes ($CONFD_DIST/var/confd/webui/ca_cert/ca.cert).

Specifies the level of verification the server does on client certificates. 1 means nothing, 2 means the server will ask the client for a certificate but not fail if the client does not supply a client certificate, 3 means that the server requires the client to supply a client certificate.

If caCertFile has been set to the ca.cert file generated above you can verify that it works correctly using, for example:

$ openssl s_client -connect 127.0.0.1:8888 \
                   -cert client.cert -key client.key

For this to work client.cert must have been generated using the ca.cert from above:

OpenSSL> genrsa -out client.key 4096
OpenSSL> req -new -key client.key -out client.csr
OpenSSL> x509 -req -days 3650 -in client.csr -CA ca.cert \
              -CAkey ca.key -set_serial 01 -out client.cert

Specifies the depth of certificate chains the server is prepared to follow when verifying client certificates.

Specifies the cipher suites to be used by the server as a colon-separated list from the set ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, ECDH-ECDSA-AES256-GCM-SHA384, ECDH-RSA-AES256-GCM-SHA384, ECDH-ECDSA-AES256-SHA384, ECDH-RSA-AES256-SHA384, DHE-RSA-AES256-GCM-SHA384, DHE-DSS-AES256-GCM-SHA384, DHE-RSA-AES256-SHA256, DHE-DSS-AES256-SHA256, AES256-GCM-SHA384, AES256-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256, ECDH-ECDSA-AES128-GCM-SHA256, ECDH-RSA-AES128-GCM-SHA256, ECDH-ECDSA-AES128-SHA256, ECDH-RSA-AES128-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-DSS-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256, DHE-DSS-AES128-SHA256, AES128-GCM-SHA256, AES128-SHA256, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA, ECDH-ECDSA-AES256-SHA, ECDH-RSA-AES256-SHA, AES256-SHA, ECDHE-ECDSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, ECDH-ECDSA-DES-CBC3-SHA, ECDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA, DHE-DSS-AES128-SHA, ECDH-ECDSA-AES128-SHA, ECDH-RSA-AES128-SHA, AES128-SHA, EDH-RSA-DES-CBC-SHA, and DES-CBC-SHA, or the word "DEFAULT" (use all supported cipher suites in that list). See the OpenSSL manual page ciphers(1) for the definition of the cipher suites. NOTE: The general cipher list syntax described in ciphers(1) is not supported.

Specifies the SSL/TLS protocol versions to be used by the server as a whitespace-separated list from the set sslv3 tlsv1 tlsv1.1 tlsv1.2, or the word "DEFAULT" (use all supported protocol versions except sslv3).

CGI-script support

enabled is either "true" or "false". If "true", CGI-script support is enabled.

The directory path to the location of the CGI-scripts.

Maximum idle time before terminating a Web UI session. PT0M means no timeout. Default is PT30M, ie 30 minutes.

Maximum absolute time before terminating a Web UI session. PT0M means no timeout. Default is PT60M, ie 60 minutes.

Maximum number of allowed JSON-RPC requests every hour. 0 means infinity.

Named commands are used to define a well defined set of executables which can be run on the target device from the browser using a call to Maapi.runCmd().

"exec" directives specify how a named command is mapped to an executable or a shell script. It contains (in order) one "name" directive, one "osCommand" directive, zero or one "args" directives and zero or one "options" directives.

An example:

<exec name="cli">
  <osCommand>confd_cli</osCommand>
  <args>-u$(user) --proto http</args>
</exec>

The command alias name to be used in Maapi.runCmd() calls.

The "osCommand" directive specifies the path to the executable or shell script to be called. If the command is in the $PATH (as specified when we start the ConfD daemon) the path may just be the name of the command.

The command is invoked as if it had been executed by exec(3), i.e. not in a shell environment such as "/bin/sh -c ...".

The "args" directive specifies the arguments to use when executing the command specified by the "osCommand" directive. argsType is a space-separated string of argument strings.

The "options" directive specifies how the command is be executed. It contains (in any order) zero or one "uid" directives and zero or one "wd" directives.

The "uid" directive specifies which user id to use when executing the command. Possible values are:

The "wd" directive specifies which working directory to use when executing the command. If not given, the command is executed from the location of the CLI.

audit is either "true" or "false". If "true", then JSON-RPC/CGI requests are logged to the audit log.

This section defines settings for the RESTful API to ConfD.

enabled is either "true" or "false". If "true", the RESTful API is activated.

Hidden nodes are not shown by default in REST. Such nodes can be unhidden to the REST client by including the query parameter "unhide", which is a comma separated list of

            <hide-group-name>[;<passwd>]
            

If showHidden is set to "true", hidden nodes are always shown in the REST API.

The customHeaders element contains any number of header elements, with a valid header-field as defined in RFC7230 3.2.

RFC7230 field-name, e.g. Accept-Control-Allow-Origin

RFC7230 field-value, e.g. http://www.cisco.com

Present only if ConfD runs as a master agent. Lists all registered subagents.

enabled is either "true" or "false". If "true", ConfD acts as a master agent.

Parameters for a single subagent.

The name of the subagent. It is used as a unique identifier of the subagent. The name is included in the subagent events (see confd_lib_events(3)) generated by ConfD.

enabled is either "true" or "false". If "false", the subagent is ignored by ConfD.

Parameters to be used when the masteragent communicates with the subagent over plain text TCP. This is more efficient than SSH, but TCP is non-standard.

The IP address where the subagent listens for NETCONF TCP connections.

The port where the subagent listens for NETCONF TCP connections.

Currently, in order to use NETCONF over TCP, the subagent must understand the ConfD proprietary TCP header, described in the NETCONF chapter in the ConfD User's Guide.

The user name to be used for authorization on the subagent.

The group name to be used for authorization on the subagent.

Parameters to be used when the masteragent communicates with the subagent over SSH.

The IP address where the subagent listens for NETCONF SSH connections.

The port where the subagent listens for NETCONF SSH connections.

The SSH user name used for authentication at the subagent.

The SSH user's password.

This parameter defines where in the data hierarchy the subagent is registered. It consists of a path which must exist in the data model of the master agent, and the name of the node which the subagent implements.

The path, in restricted XPath syntax, where the subagent's data is mounted. The XPath is restricted as an instance-identifier (See confd_types(3)). To mount on the top level, use "/". Note that the XPath expression must not contain any namespace prefixes.

If the subagent mounts more than one node, this object is a space separated list of paths.

The namespace and name of the top-level node in that namespace.

If the subagent mounts more than one node, this object is a leaf-list of QNames, which must be of the same length as the 'path' object.

This element is a leaf-list, i.e. multiple values are represented by multiple <node> items.

Whenever possible, the master agent sends a single subtree filter request, instead of one request for each object. If the subagent cannot handle these requests, for any reason, set this parameter to "true".

This section defines settings which affect notifications.

Lists all available notification event streams.

Parameters for a single notification event stream.

The name attached to a specific event stream.

A descriptive text attached to a specific event stream.

Signals if replay support is available for a specific event stream.

Parameters for the builtin replay support for this event stream.

If replay support is enabled ConfD automatically stores all notifications on disk ready to be replayed should a NETCONF manager ask for logged notifications. The replay store uses a set of wrapping log files on disk (of a certain number and size) to store the notifications.

The max size of each wrap log file (see below) should not be too large. This to achieve fast replay of notifications in a certain time range. If possible use a larger number of wrap log files instead.

If in doubt use the recommended settings (see below).

enabled is either "true" or "false". If "false", the applications must implement its own replay support.

The wrapping log files will be put in this disk location.

The max size of each log wrap file. The recommended setting is ~S10MB.

The max number of log wrap files. The recommended setting is ~50 files.

This section defines settings which affect the behavior of the operational data cache - see the "Operational data" chapter in the User Guide.

enabled is either "true" or "false". If "true", the cache is enabled.

The amount of time to keep data in the cache, in seconds.