Added insecure-mgmt grpc server configuration (#1979)
added insecure-mgmt grpc server configuration
hellt authored Apr 9, 2024
1 parent 0228564 commit cb3e960
Showing 3 changed files with 39 additions and 1 deletion.
2 changes: 2 additions & 0 deletions docs/manual/kinds/srl.md
Expand Up @@ -338,6 +338,8 @@ Starting with SR Linux 24.3.1, the gRPC server config block is used to configure

These additions are meant to make all gRPC services available to the user out of the box with the enabled tracing and a custom TLS profile.

Besides augmenting the factory-provided `mgmt` gRPC server block, containerlab also adds a new `insecure-mgmt` gRPC server that provides the same services as the `mgmt` server but without TLS. This server runs on port 57401 and is meant to be used for testing purposes as well as for local gNMI clients running as part of the NDK apps or local Event Handler scripts.

### License

SR Linux container can run without a license emulating the datacenter types (7220 IXR) :partying_face:.
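Review bot: The paragraph added to the gRPC server section leaves out that `insecure-mgmt` is reachable over the network, not only by local clients: the same commit places it in `network-instance mgmt` and adds cpm ACL entries that accept tcp/57401. Suggest saying so here, stating that gNMI/gNOI/gRIBI/P4RT traffic on this port is unencrypted, and showing how to turn the server off (for example `set / system grpc-server insecure-mgmt admin-state disable` in a startup config) for labs whose management network is shared.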
6 changes: 6 additions & 0 deletions docs/rn/0.54.md
Expand Up @@ -13,3 +13,9 @@ Refer to the [`cisco_c8000v`](../manual/kinds/vr-c8000v.md) kind documentation t
* root login allowed for crpd #1967
* support for podman local images #1969
* fixes to SR Linux v24.3+ startup config #1968 #1971

## Patches

### v0.54.1

* add `insecure-mgmt` gRPC server to the [default SR Linux config](../manual/kinds/srl.md#grpc-server) #1979
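Review bot: The v0.54.1 bullet under `## Patches` does not tell the reader that this is a change in default exposure: every SR Linux node started with the default config gets an extra listener without TLS. Suggest putting the key facts in the bullet itself, e.g. "add `insecure-mgmt` gRPC server (no TLS, port 57401, enabled by default)", so users upgrading within 0.54 notice it without following the link.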
32 changes: 31 additions & 1 deletion nodes/srl/version.go
Expand Up @@ -29,41 +29,71 @@ set / acl acl-filter cpm type ipv4 entry 88 match ipv4 protocol tcp
set / acl acl-filter cpm type ipv4 entry 88 match transport source-port operator eq
set / acl acl-filter cpm type ipv4 entry 88 match transport source-port value 23
set / acl acl-filter cpm type ipv4 entry 88 action accept
set / acl acl-filter cpm type ipv4 entry 98 description "Containerlab-added rule: Accept incoming Telnet when this router initiates the TCP connection"
set / acl acl-filter cpm type ipv4 entry 98 match ipv4 protocol tcp
set / acl acl-filter cpm type ipv4 entry 98 match transport destination-port operator eq
set / acl acl-filter cpm type ipv4 entry 98 match transport destination-port value 23
set / acl acl-filter cpm type ipv4 entry 98 action accept
set / acl acl-filter cpm type ipv4 entry 158 description "Containerlab-added rule: Accept incoming HTTP(JSON-RPC) when the other host initiates the TCP connection"
set / acl acl-filter cpm type ipv4 entry 158 match ipv4 protocol tcp
set / acl acl-filter cpm type ipv4 entry 158 match transport destination-port operator eq
set / acl acl-filter cpm type ipv4 entry 158 match transport destination-port value 80
set / acl acl-filter cpm type ipv4 entry 158 action accept
set / acl acl-filter cpm type ipv6 entry 128 description "Containerlab-added rule: Accept incoming Telnet when the other host initiates the TCP connection"
set / acl acl-filter cpm type ipv6 entry 128 match ipv6 next-header tcp
set / acl acl-filter cpm type ipv6 entry 128 match transport source-port operator eq
set / acl acl-filter cpm type ipv6 entry 128 match transport source-port value 23
set / acl acl-filter cpm type ipv6 entry 128 action accept
set / acl acl-filter cpm type ipv6 entry 138 description "Containerlab-added rule: Accept incoming Telnet when this router initiates the TCP connection"
set / acl acl-filter cpm type ipv6 entry 138 match ipv6 next-header tcp
set / acl acl-filter cpm type ipv6 entry 138 match transport destination-port operator eq
set / acl acl-filter cpm type ipv6 entry 138 match transport destination-port value 23
set / acl acl-filter cpm type ipv6 entry 138 action accept
set / acl acl-filter cpm type ipv6 entry 188 description "Containerlab-added rule: Accept incoming HTTP(JSON-RPC) when the other host initiates the TCP connection"
set / acl acl-filter cpm type ipv6 entry 188 match ipv6 next-header tcp
set / acl acl-filter cpm type ipv6 entry 188 match transport destination-port operator eq
set / acl acl-filter cpm type ipv6 entry 188 match transport destination-port value 80
set / acl acl-filter cpm type ipv6 entry 188 action accept`

// grpc contains the grpc server(s) configuration for srlinux versions >= 24.3.
// It consists of the gNMI, gNOI, gRIBI, and p4RT services enabled on the `mgmt`
// grpc server instance with a custom TLS profile.
// And in addition to the TLS secured services, the `insecure-mgmt` server instance
// is created that provides the same services but without TLS.
grpcConfig = `set / system grpc-server mgmt services [ gnmi gnoi gribi p4rt ]
set / system grpc-server mgmt tls-profile clab-profile
set / system grpc-server mgmt rate-limit 65000
set / system grpc-server mgmt network-instance mgmt
set / system grpc-server mgmt trace-options [ request response common ]
set / system grpc-server mgmt unix-socket admin-state enable
set / system grpc-server mgmt admin-state enable
delete / system grpc-server mgmt default-tls-profile`
delete / system grpc-server mgmt default-tls-profile
set / system grpc-server insecure-mgmt services [ gnmi gnoi gribi p4rt ]
set / system grpc-server insecure-mgmt port 57401
set / system grpc-server insecure-mgmt rate-limit 65000
set / system grpc-server insecure-mgmt network-instance mgmt
set / system grpc-server insecure-mgmt trace-options [ request response common ]
set / system grpc-server insecure-mgmt unix-socket admin-state enable
set / system grpc-server insecure-mgmt admin-state enable
# ACL rules allowing incoming tcp/57401 for the insecure-mgmt grpc server
set / acl acl-filter cpm type ipv4 entry 358 description "Containerlab-added rule: Accept incoming gRPC over port 57401 for the insecure-mgmt gRPC server"
set / acl acl-filter cpm type ipv4 entry 358 match ipv4 protocol tcp
set / acl acl-filter cpm type ipv4 entry 358 match transport destination-port operator eq
set / acl acl-filter cpm type ipv4 entry 358 match transport destination-port value 57401
set / acl acl-filter cpm type ipv4 entry 358 action accept
set / acl acl-filter cpm type ipv6 entry 368 description "Containerlab-added rule: Accept incoming gRPC over port 57401 for the insecure-mgmt gRPC server"
set / acl acl-filter cpm type ipv6 entry 368 match ipv6 next-header tcp
set / acl acl-filter cpm type ipv6 entry 368 match transport destination-port operator eq
set / acl acl-filter cpm type ipv6 entry 368 match transport destination-port value 57401
set / acl acl-filter cpm type ipv6 entry 368 action accept`
)

// SrlVersion represents an sr linux version as a set of fields.
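Review bot: Nothing in this hunk makes the cleartext listener conditional: in `grpcConfig`, `insecure-mgmt` is set to `admin-state enable` with all of `[ gnmi gnoi gribi p4rt ]` in `network-instance mgmt`, and ACL entries 358 and 368 accept tcp/57401 with no source match. The documented use case is local clients (NDK apps, Event Handler scripts), and `unix-socket admin-state enable` is already set on both servers, so consider either gating the TCP listener and its ACL entries behind a node option, or keeping the server but dropping the ACL entries so only on-box clients reach it. Two smaller points: the ACL entries sit inside `grpcConfig` rather than next to the other "Containerlab-added rule" entries above, which makes the full set of opened ports harder to audit; and `# ACL rules allowing incoming tcp/57401 ...` is the only line in the visible constants that is not a `set` or `delete` command, so please confirm the code path that applies this string accepts it, or move that text into the Go comment above `grpcConfig`.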
