========================================== Roadmap and Architecture for NETCONF APK ========================================== 1.0 (2020 Q3) ============= [X] Module management system ---------------------------- * [X] Track name/revision/namespace, and register with NSMAP * Namespace includes prefix, since this is standardised. i.e. ns "urn:ietf:params:xml:ns:yang:ietf-interfaces" -> prefix "if:". * [X] Track features implemented * [X] Handle import-only modules * [ ] Submodule support? (possibly post-1.0) * [X] Respond to state requests * [X] Handle per-module RPC requests The module management system will be the heart of ``ncserver``. Similar to modules in Charybdis/Atheme or GlorIRCd. Each module will provide a piece of functionality (in this case, implementation of a YANG module). Each module will have a callback for retrieving its relevant config and state information. The module management system will be responsible for bookkeeping and also implement the ietf-yang-library module itself. This exposes the internal bookkeeping to the NETCONF world for introspecting the server. This also makes the server more customisable. If a user does not care about a specific YANG module, it can just be removed from the list to import. Outstanding TBDs ```````````````` * None. Resolved TBDs ````````````` * The ``modules-state`` requires a ``module-set-id`` which represents the unique combination of YANG modules present and loaded in a NETCONF server. We have freedom to implement this however we like. One thought is to take the strings of every module's namespace and sha512 the result. Alternatively we could just use Python ``uuid`` to generate a new one on each server start, but this would also mean that tooling that caches modules would pull in all modules on every server restart. **Resolution**: We went with sha256 of a comma-separated list of Python module names. This is expected to be the cleanest way to do this; it allows the implementation to provide the same ``module-set-id`` when modules stay the same, but also changes ``module-set-id`` if a new module replaces an existing one for the same namespace (which may require data to be reloaded). [X] Logging system ------------------ * [X] Output format * [X] Configuration * [X] Event logging * [X] auth * [X] Connection established * [X] Authentication succeess * [X] Authentication failure * [X] Connection closed * [X] operational * [X] RPC executed * [X] RPC unknown * [X] RPC failure * [X] RPC success * [X] config * [X] Configuration editing * [X] Configuration edited * [X] Configuration reading * [X] Configuration operation denied This system is reponsible for all event logging for the NETCONF APK project. See the `logging specification`_ for more details. .. _`logging specification`: ./logging.rst [ ] NACM -------- This feature will require in-depth discussion. [/] Service management module ----------------------------- * [X] Design API * [X] Design YANG model * [X] Implement module * [/] OpenRC * [ ] s6? This module allows administration of services on the system. See the separate `service management specification`_ for more details. .. _`service management specification`: ./service.rst [/] System module ----------------- * [/] Configuration nodes * [X] Retrieve and set admin contact and system location information. * [X] Retrieve and set hostname. * [ ] Clock: * [ ] Retrieve and set timezone name (``/etc/localtime``). * [ ] Determine ``timezone-utc-offset`` from current localtime. * [X] DNS configuration * [ ] NTP configuration * [ ] Local user administration: * [ ] SSH key administration (``$HOME/.ssh/authorized_keys``). * [X] State nodes * [X] Platform information. * [X] Current date and time. * [X] Boot date and time. * [/] RPCs * [ ] Set date/time. * [X] Restart. * [X] Shutdown. The system module allows basic administration of system configuration. Outstanding TBDs ```````````````` * When the admin tries to set ``timezone-utc-offset``, do we make a custom zoneinfo file or do we try to match? * Should there be a group for NETCONF-allowed users? Resolved TBDs ````````````` * Do we support NTP? If so, which implementation? Prefer chrony because it's available on Adélie (openntpd isn't available due to ppc/be issues) **Resolution**: Yes, NTP support is desireable. THe implementation is ``ntpsec``. It has been packaged and tested for Adélie/ppc64, so it appears portable. * Where do we store the ``contact`` and ``location`` node information? **Resolution**: Flat files on the disk. * Can musl be configured for DNS timeout seconds and resolution attempts? Would Rich be open to adding this? **Resolution**: Yes, musl supports these options in ``/etc/resolv.conf``. * Do we calculate boot date/time naively (current time - uptime) or do we try to ascertain the actual boot date/time from something like ctime of ``/run``? **Resolution**: Naive calculation works well. ctime is not always available and may be unreliable (systems that boot with time set to 1970). * Do we support password-based authentication? **Resolution**: No, only key-based authentication. * If we support password-based authentication, do we have a custom database or do we use ``/etc/shadow``? **Resolution**: Not applicable; we do not support password-based authentication. * How do we support ``name`` of DNS resolvers? It is mandatory. **Resolution**: Well-defined comment above each nameserver line. Default to 'Resolver' if not specified. * Do we support RADIUS? **Resolution**: No. [/] Interfaces module --------------------- * [x] Configuration nodes * [x] Name, type * [x] Description * [x] Enabled * [/] State nodes * [x] Operational state * [ ] Time operational state entered * [x] Interface index * [x] MAC address * [ ] Related higher/lower layer interfaces * [x] Link speed (bits/second) * [x] Statistics (``ifctrstat``) The interfaces module allows configuration and inspection of the physical layer of system network interfaces. Outstanding TBDs ```````````````` * How do we retrieve ``last-change``? Resolved TBDs ````````````` * We support ``arbitrary-names``, right? Pretty sure GRE / tuntap / etc all let you name things whatever you want. **Resolution**: No. We do not, as some Linux network tooling cannot properly handle UTF-8 names. * Do we support ``pre-provisioning``? It would make sense, since /e/n/i and /e/c/n both let you just specify whatever configuration you want for whatever interfaces you want. **Resolution**: Yes. * Where do we store interface ``description``? **Resolution**: /e/n/i can do ``netconf-description`` keyword, /e/c/n (if we support it) can do ``description_$IFACE``. [/] IP module ------------- * [/] Configuration nodes * [ ] Enable/disable IPv4 on an interface * [x] Enable/disable IPv4 forwarding on an interface * [x] Set IPv4 MTU * [ ] Retrieve/set IPv4 address(es) * [ ] Handle neighbour / static ARP cache (set) * [x] Enable/disable IPv6 on an interface * [x] Enable/disable IPv6 forwarding on an interface * [x] Set IPv6 MTU * [ ] Retrieve/set IPv6 address(es) * [x] IPv6 DAD: Neighbour-Solicitation messages sent * [x] SLAAC configuration * [ ] State nodes * [ ] Origin of IPv4 address(es) * [ ] Origin of IPv6 address(es) * [ ] IPv6 address status The IP module allows configuration and inspection of the network layer of system network interfaces. Outstanding TBDs ```````````````` * Do we have a way to determine what addresses are static vs DHCP? Can i.e. dhcpcd tell us what addresses it configured? Resolved TBDs ````````````` * Do we support IPv6 privacy extensions? **Resolution**: Yes. 2.0 (2021) ========== [ ] Software module ------------------- * [ ] Define model * [ ] Configuration nodes * [ ] APK repositories * [ ] URL * [ ] Name / description * [ ] State nodes * [ ] Software installed * [ ] Name, description, installed size * [ ] Repository * [ ] RPCs * [ ] Install software * [ ] Deinstall software The Software module allows configuration and inspection of installed packages on a system. This module will need to be properly defined. Outstanding TBDs ```````````````` * Many. Resolved TBDs ````````````` * None. [ ] NAT module? --------------- See `ietf-nat module`_. .. _`ietf-nat module`: https://github.com/YangModels/yang/raw/master/standard/ietf/RFC/ietf-nat%402019-01-10.yang [ ] VRF/VSI module ------------------ See `ietf-network-instance module`_. .. _`ietf-network-instance module`: https://github.com/YangModels/yang/raw/master/standard/ietf/RFC/ietf-network-instance%402019-01-21.yang [ ] Routing module (base) ------------------------- See `ietf-routing module`_. .. _`ietf-routing module`: https://github.com/YangModels/yang/raw/master/standard/ietf/RFC/ietf-routing%402018-03-13.yang Outstanding TBDs ```````````````` * How do we determine when a RIB entry was modified? Resolved TBDs ````````````` * Per kernel docs, the Linux kernel supports 242 user-defined RIBs in addition to default and main. Do we want to expose that (feature ``multiple-ribs``)? **Resolution**: Yes, we expose feature ``multiple-ribs``. [ ] Other features ------------------ Some features that have been tossed around that warrant further investigation, but do not have any concrete proposals or architecture/design. * [ ] 'Audit' system that can ensure malicious/errant users have not manipulated configuration in a way that the NETCONF server can't detect. * [ ] Integration with something like etckeeper for further audit and change logging / documentation capabilities.