TLS to Nokia router difficulties #5
Hi Bruce,

Do you have any contact in Nokia? I've compiled info about the SROS gNMI in a slide-deck, which I am trying to keep up-to-date. It contains all the info needed to use this python tool and troubleshooting guidance.

Generally the tool supports some debugging. You need to use the option "-v", while the number of v's defines the log-level. So you could try it with "-vvvvvv" if needed.

I have not yet looked into the Arista tool, but likely they have just hijacked the tooling from OpenConfig contributed by Google. From my experience, the "golang" solutions have the benefit that Google has built a dedicated protocol stack (gRPC/TLS). So the logging is much better and you can even run those tools in "insecure" mode - which basically means that the certificates are not required to be valid or you can accept the server certificate without checking/having the CA cert. So clearly, there is no surprise here that golang works nicer than python based tools.

About tool versions, you need to be careful. The latest version of this python tool only supports gNMI version 0.4 (and newer). Major changes have been introduced from 0.3 to 0.4 as the path encoding has changed. In conclusion, this python tool no longer supports nodes implementing gNMI 0.2 or 0.3... As you are using a node in 15.0.R4 - I think the gNMI version is 0.3. Therefore you should try the previous version of this python tool to ensure compatibility.

In SROS 16.0 we are introducing quite some changes in SROS. We will support "insecure" mode (unencrypted) to avoid issues with certificates - especially in lab and DevOps environments. Also there is support for Get/Set and on_change coming.

/wiso

PS: Please come back to me if you cannot get it running. Else I would close the ticket.
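The path-encoding change between gNMI 0.3 and 0.4 mentioned in the comment above, as an added example that is not part of the original thread or of this tool's code. It assumes the field names from the public gNMI specification (`element` as a list of strings up to 0.3, `elem` as a list of name/key entries from 0.4); the helper names and the sample path are constructed for illustration.

```python
# Added example: one gNMI path string in both wire encodings.
# Assumption: field names `element` (<= 0.3) and `elem` with name/key (>= 0.4)
# follow the public gNMI specification; helper names are hypothetical.

def split_path(path):
    """Split on '/' except inside [key=value], so port IDs like 1/1/1 survive."""
    parts, buf, depth = [], "", 0
    for ch in path:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "/" and depth == 0:
            if buf:
                parts.append(buf)
            buf = ""
        else:
            buf += ch
    if depth != 0:
        raise ValueError("unbalanced brackets in path: %r" % path)
    if buf:
        parts.append(buf)
    return parts

def to_v03(path):
    """gNMI <= 0.3 style: keys stay embedded in the element strings."""
    return {"element": split_path(path)}

def to_v04(path):
    """gNMI >= 0.4 style: each element carries a name and a key map."""
    elems = []
    for part in split_path(path):
        name, _, rest = part.partition("[")
        keys = {}
        while rest:
            kv, _, rest = rest.partition("]")
            k, sep, v = kv.partition("=")
            if not k or not sep:
                raise ValueError("malformed key in element: %r" % part)
            keys[k] = v
            rest = rest.lstrip("[")  # step over the '[' of a following key
        elem = {"name": name}
        if keys:
            elem["key"] = keys
        elems.append(elem)
    return {"elem": elems}

SAMPLE = "/state/port[port-id=1/1/1]/ethernet/statistics"  # constructed path

if __name__ == "__main__":
    print(to_v03(SAMPLE))
    print(to_v04(SAMPLE))
```

A client that sends only one of these forms to a node that expects the other will not get the subscription it asked for, which is why the tool version has to match the gNMI version the node implements. Key values containing an escaped `]` are not handled here.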
Hey wiso,

Thanks for the quick reply! I appreciate your insights on the changes in the gNMI standard between version 0.3 and 0.4. I somehow had the impression that SROS 15.0.R4 supported gNMI 0.4, but I just went back and checked the documentation and sure enough it only supports gNMI 0.3. So we know not to try this anymore, at least not until we get a newer SROS. I think supporting an insecure mode of operation would be very helpful (it exactly matches our current use case).

One other thing I've discovered so far is that I wasn't able to import a self-signed certificate generated by LibreSSL (on macOS); however, a certificate created with exactly the same operation on OpenSSL (on FreeBSD) worked fine.

I can tell you who we've been speaking to at Nokia about these topics, but I'd rather not spam their names into a public GitHub issue tracker. Is it OK if we take this conversation to email? My email address is [email protected]. I can also tell you a little more about what we're doing in case you're interested.

Thanks again!

Bruce.

PS. It's fine to close this issue, but I'll leave that up to your discretion.
Having some issues trying to get `gNMI_Subscribe.py` to establish a connection using TLS to a Nokia 7750src4 running TiMOS-B-15.0.R4. Slightly anonymized output (using PR #4):

Any ideas about how I would go about debugging this? Weirdly, the Arista golang gNMI client at https://github.com/aristanetworks/goarista/tree/master/cmd/gnmi works fine:

Also, `gNMI_Subscribe.py` connecting to an Arista 7504r running EOS 4.20.3F works with no issues.

Thanks for any insights!