Juniper / open-nti

Open Network Telemetry Collector build with open source tools
Apache License 2.0

Trying to use SSL #230

Open mnanduri opened 6 years ago

mnanduri commented 6 years ago

Trying to use the SSL cert mechanism to talk to the device and it's not working. Did anyone get it working?

telegraf.tmpl settings for input-oc:

servers = ["192.168.1.139:50051"]
ssl_cert = "/source/jti.pem"

I was using the below mechanism to create one.

http://ipengineer.net/2018/05/configuring-ssl-grpc-junos/

Looks like it tries and fails, and never attempts to connect again.

root@Jumphost2:/home/mohan/open-nti# tcpdump -i eth0 port 50051
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:07:49.788309 IP 192.168.1.133.54626 > 192.168.1.139.50051: Flags [S], seq 2391356311, win 29200, options [mss 1460,sackOK,TS val 118401606 ecr 0,nop,wscale 7], length 0
13:07:49.794368 IP 192.168.1.139.50051 > 192.168.1.133.54626: Flags [S.], seq 3392765012, ack 2391356312, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 2620523829 ecr 118401606,sackOK,eol], length 0
13:07:49.794451 IP 192.168.1.133.54626 > 192.168.1.139.50051: Flags [.], ack 1, win 229, options [nop,nop,TS val 118401607 ecr 2620523829], length 0
13:07:49.794703 IP 192.168.1.133.54626 > 192.168.1.139.50051: Flags [P.], seq 1:152, ack 1, win 229, options [nop,nop,TS val 118401607 ecr 2620523829], length 151
13:07:49.817000 IP 192.168.1.139.50051 > 192.168.1.133.54626: Flags [P.], seq 1:1327, ack 152, win 33304, options [nop,nop,TS val 2620523851 ecr 118401607], length 1326
13:07:49.817078 IP 192.168.1.133.54626 > 192.168.1.139.50051: Flags [.], ack 1327, win 251, options [nop,nop,TS val 118401613 ecr 2620523851], length 0
13:07:49.817496 IP 192.168.1.133.54626 > 192.168.1.139.50051: Flags [P.], seq 152:159, ack 1327, win 251, options [nop,nop,TS val 118401613 ecr 2620523851], length 7
13:07:49.817596 IP 192.168.1.133.54626 > 192.168.1.139.50051: Flags [R.], seq 159, ack 1327, win 251, options [nop,nop,TS val 118401613 ecr 2620523851], length 0
13:07:49.818633 IP 192.168.1.139.50051 > 192.168.1.133.54626: Flags [F.], seq 1327, ack 159, win 33300, options [nop,nop,TS val 2620523854 ecr 118401613], length 0
13:07:49.818673 IP 192.168.1.133.54626 > 192.168.1.139.50051: Flags [R], seq 2391356470, win 0, length 0

psagrera commented 6 years ago

Hi

Is the /source/jti.pem file inside the container?

Regards

mnanduri commented 6 years ago

Yes, I made sure it's inside the container.


psagrera commented 6 years ago

Hi,

Try this:

openssl genrsa -out ca.key 2048

openssl req -new -x509 -key ca.key -out ca.crt 

openssl genrsa -out mx1_re.key 2048

openssl req -new -key mx1_re.key -out mx1_re.csr

openssl x509 -req -in mx1_re.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out mx1_re.crt

cat mx1_re.key mx1_re.crt > mx1_re.pem

scp mx1_re.pem "user@router:/var/tmp"

set security certificates local router_mx load-key-file /var/tmp/mx1_re.pem

set system services extension-service request-response grpc ssl port 50051
set system services extension-service request-response grpc ssl local-certificate router_mx
set system services extension-service request-response grpc skip-authentication
set system services extension-service notification allow-clients address 0.0.0.0/0

logs from the router:

Aug 14 00:34:11 readGrpcConfig Restarting Grpc server as there is a change in parameters Old/new: address: ::/::, port: 50051/50051, session: 5/5, SSL enabled: 1/1, skip-authentication: 0/1, buffer size: 1048576/1048576, tcp maximum segment size: 0/0, retry_count: 15/15, retry_interval: 1/1, RequestResponse grpc knob status: 1/1

logs from telegraf (running a debugging version):

2018-08-14T08:18:25Z I! Tags enabled: host=ubuntu
2018-08-14T08:18:25Z I! Agent Config: Interval:10s, Quiet:false, Hostname:"ubuntu", Flush Interval:5s
2018-08-14T08:18:30Z I! Transport credentials &{%!s(*tls.Config=&{<nil> <nil> [] map[] <nil> <nil> <nil> <nil> 0xc420011950 [h2]  0 <nil>   false [] false false [130 97 114 66 255 149 209 160 114 53 133 177 76 61 142 84 106 70 91 51 78 95 5 236 219 92 102 193 219 63 136 199] <nil>   0 0 [] false 0 <nil> {{0 0} 0} {{0 0} 0 0 0 0} [{[15 236 112 160 210 126 118 101 39 196 242 85 109 29 197 239] [154 107 17 78 35 216 211 56     19 120 89 182 107 126 131 198] [46 176 98 10 125 222 125 213 174 64 2 164 158 252 229 44]}]})}
2018-08-14T08:18:30Z I! Transport credentials set
2018-08-14T08:18:30Z D! Opened a new gRPC session to mx1_re on port 50051
2018-08-14T08:18:35Z D! Output [file] buffer fullness: 0 / 10000 metrics.
2018-08-14T08:18:36Z D! Received from mx1_re: system_id:"mx1_re" path:"sensor_1002:/junos/system/linecard/packet/usage/:/junos/system/linecard/packet/usage/:PFE" timestamp:1534234716137 kv:<key:"__timestamp__" uint_value:1534234716140 > kv:<key:"__prefix__" str_value:"/components/component[name='FPC0:CPU0']/" > kv:<key:"properties/property[name='lts-input-packets']/state/value" uint_value:555819 > kv:<key:"properties/property[name='lts-output-packets']/state/value" uint_value:947824 >

telegraf file config:

[........]
[[inputs.jti_openconfig_telemetry]]

servers = ["mx1_re:50051"]
#username = "root"
#password = "Embe1mpls"
#client_id = "telegraf"

sensors = [
"junos-cpu /junos/system/cpu/memory/",
"junos-linecard-packet /junos/system/linecard/packet/usage/",
"junos-linecard-fabric /junos/system/linecard/fabric/",
"oc-bgp /bgp",
"oc-interfaces /interfaces/interface/[name='fxp0'] /interfaces/interface/[name='ge-0/0/0'] /interfaces/interface/[name='ge-0/0/1'] /interfaces/interface/[name='gr-0/0/0']",
"oc-components /components/",
"junos-kernel-ifstate /junos/kernel-ifstate/",
"oc-bgp-neighbors /bgp/neighbors/neighbor/"
]

ssl_cert  = "mx1_re.pem"
[.......]

mnanduri commented 6 years ago

Ahh, let me try this out. How did you get the router log? I have this one configured.

set system services management-grpc-api-service traceoptions file grpc.log
set system services management-grpc-api-service traceoptions flag all

Cheers, -Mohan


psagrera commented 6 years ago

Like that:

set system services extension-service traceoptions file extension-service.log
set system services extension-service traceoptions file size 5m
set system services extension-service traceoptions file files 2
set system services extension-service traceoptions flag all

mnanduri commented 6 years ago

I am getting this after following your procedure. Ideas?

[edit system services extension-service]
lab@vmx17#
Aug 14 14:52:02 rtmDeleteEvent: topic: "/junos/events/kernel/route/delete/inet/192.168.1.133/32"
Aug 14 14:52:27 ssl_transport_security.c:1290: No match found for server name: mx1_re.
Aug 14 14:52:27 rtmAddEvent: topic: "/junos/events/kernel/route/add/inet/192.168.1.133/32"
Aug 14 14:52:27 ssl_transport_security.c:201: ssl_info_callback: error occured.
Aug 14 14:52:27 ssl_transport_security.c:947: Handshake failed with fatal error SSL_ERROR_SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate.
Aug 14 14:52:27 handshake.c:128: Security handshake failed: {"created":"@1534258347.582136792","description":"Handshake failed","file":"../../../../../../../../src/dist/grpc/src/core/lib/security/transport/handshake.c","file_line":264,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}
Aug 14 14:52:27 server_secure_chttp2.c:119: Secure transport failed with error 1

lab@vmx17# run show version
Aug 14 14:53:39
Hostname: vmx17
Model: vmx
Junos: 17.4R1-S2.2

request-response {
    grpc {
        ssl {
            port 50051;
            local-certificate router_mx;
        }
        skip-authentication;
    }
}
notification {
    allow-clients {
        address 0.0.0.0/0;
    }
}


psagrera commented 6 years ago

Hi,

That's what I've done:

On the server
############ 

1) openssl genrsa -out ca.key 2048

2) openssl req -new -x509 -key ca.key -out ca.crt (all answers blank except FQDN: mx1_re)

3) openssl genrsa -out mx1_re.key 2048

4) openssl req -new -key mx1_re.key -out mx1_re.csr (all answers blank except FQDN: mx1_re)

5) openssl x509 -req -in mx1_re.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out mx1_re.crt

6) cat mx1_re.key mx1_re.crt > mx1_re.pem

On the router
#############

7) delete security 
   delete system services
   commit

8) file delete /var/tmp/mx1_re.pem

9) scp mx1_re.pem "user@router:/var/tmp"

10) set security certificates local router_mx load-key-file /var/tmp/mx1_re.pem

11) 
set system services extension-service request-response grpc ssl port 50051
set system services extension-service request-response grpc ssl local-certificate router_mx
set system services extension-service request-response grpc skip-authentication
set system services extension-service notification allow-clients address 0.0.0.0/0

Telegraf file (the hostname of the router I'm using is mx1_re, Junos version 18.1R2-S1):
############## 

[[inputs.jti_openconfig_telemetry]]

servers = ["mx1_re:50051"] 
#username = "lab"
#password = "lab123"
#client_id = "mx1_re"

......

ssl_cert  = "mx1_re.pem"

.......

mnanduri commented 6 years ago

Hmm, I missed the FQDN part earlier. Now I followed your steps on an 18.1R1.9 device again, and I'm still getting an error message.

lab@mx1_re# run show version
Hostname: mx1_re
Model: vmx
Junos: 18.1R1.9

[[inputs.jti_openconfig_telemetry]]

servers = ["mx1_re:50051"]
ssl_cert = "mx1_re.pem"

[edit]
lab@mx1_re#
Aug 17 05:29:20 ssl_transport_security.c:1290: No match found for server name: mx1_re.
Aug 17 05:29:20 ssl_transport_security.c:201: ssl_info_callback: error occured.
Aug 17 05:29:20 ssl_transport_security.c:947: Handshake failed with fatal error SSL_ERROR_SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate.
Aug 17 05:29:20 handshake.c:128: Security handshake failed: {"created":"@1534483760.559614319","description":"Handshake failed","file":"../../../../../../../../src/dist/grpc/src/core/lib/security/transport/handshake.c","file_line":264,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}
Aug 17 05:29:20 server_secure_chttp2.c:119: Secure transport failed with error 1


psagrera commented 6 years ago

Well, another thing I did:

In the file /etc/ssl/openssl.cnf I added the following in the v3_ca section:

[ v3_ca ]
..........
subjectAltName = IP:10.102.186.0    --> MX IP
.........

If you modify that file, you'll have to recreate the certificate and follow the steps described above in the thread.

Regards
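Putting psagrera's openssl steps and the subjectAltName note together, as an added example that is not code from the thread or from open-nti: a POSIX shell script that builds the CA and the router certificate with a SAN covering both the name telegraf dials (mx1_re) and the router IP (10.102.186.0, the value from the comment above; both are placeholders), then checks locally with openssl that the certificate chains to the CA, matches that name and IP, and that the key and certificate in the combined PEM belong together, before anything is copied to the router. The CA is self-signed with `openssl x509 -req -signkey` instead of `req -x509` so its CA extensions do not depend on the local openssl.cnf.

```shell
#!/bin/sh
# Added example, not code from the thread or from open-nti: build a CA and a
# router certificate whose subjectAltName covers the name telegraf dials and
# the router IP, then verify the result locally before copying it to Junos.
set -eu

# Placeholders taken from the thread: the name used in servers = ["mx1_re:50051"]
# and the router IP added to subjectAltName. Override via the environment.
ROUTER_NAME="${ROUTER_NAME:-mx1_re}"
ROUTER_IP="${ROUTER_IP:-10.102.186.0}"

# Build ca.crt plus $ROUTER_NAME.key/.csr/.crt/.pem inside directory $1.
make_router_cert() {
    dir="$1"
    mkdir -p "$dir"

    # Steps 1 and 2 of the thread: CA key and self-signed CA certificate.
    # CA extensions are given explicitly so the result is the same on any box.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" \
        -subj "/CN=open-nti-lab-ca" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

    # Steps 3 and 4: router key and CSR. The CN is the name telegraf dials.
    openssl genrsa -out "$dir/$ROUTER_NAME.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$ROUTER_NAME.key" -out "$dir/$ROUTER_NAME.csr" \
        -subj "/CN=$ROUTER_NAME" 2>/dev/null

    # Step 5, with the subjectAltName from the openssl.cnf note passed as an
    # extfile instead of editing /etc/ssl/openssl.cnf. TLS clients match the
    # dialed name against SAN entries, so both the DNS name and the IP go in.
    printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
        "$ROUTER_NAME" "$ROUTER_IP" > "$dir/san.ext"
    openssl x509 -req -days 825 -in "$dir/$ROUTER_NAME.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/$ROUTER_NAME.crt" 2>/dev/null

    # Step 6: Junos load-key-file takes key and certificate in one PEM file.
    cat "$dir/$ROUTER_NAME.key" "$dir/$ROUTER_NAME.crt" > "$dir/$ROUTER_NAME.pem"
}

# Succeed only if the router certificate chains to ca.crt AND matches $2,
# which may be a hostname or an IP literal (openssl checks the two differently).
cert_ok_for() {
    dir="$1"; target="$2"
    case "$target" in
        *[!0-9.]*) flag=-verify_hostname ;;
        *)         flag=-verify_ip ;;
    esac
    openssl verify -CAfile "$dir/ca.crt" "$flag" "$target" \
        "$dir/$ROUTER_NAME.crt" >/dev/null 2>&1
}

# Succeed only if the PEM bundle holds a private key and a certificate that
# belong together (same RSA modulus); a mismatched pair fails every handshake.
bundle_consistent() {
    pem="$1"
    grep -q 'BEGIN .*PRIVATE KEY' "$pem" || return 1
    grep -q 'BEGIN CERTIFICATE' "$pem" || return 1
    key_mod=$(openssl rsa -in "$pem" -noout -modulus 2>/dev/null)
    crt_mod=$(openssl x509 -in "$pem" -noout -modulus 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# Print the SAN the router will present, for comparison with telegraf's servers list.
show_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# Stand-alone run: build into a scratch directory and report the checks.
work=$(mktemp -d)
make_router_cert "$work"
show_san "$work/$ROUTER_NAME.crt"
if cert_ok_for "$work" "$ROUTER_NAME" && cert_ok_for "$work" "$ROUTER_IP" \
   && bundle_consistent "$work/$ROUTER_NAME.pem"; then
    echo "OK: $work/$ROUTER_NAME.pem matches $ROUTER_NAME and $ROUTER_IP; ready to scp to the router"
else
    echo "FAIL: fix the certificate before loading it with load-key-file" >&2
fi
```

The same `openssl verify -verify_hostname` check run against a certificate generated without the SAN (or with a name other than the one in `servers = [...]`) fails, which is the client-side condition behind the "bad certificate" alert the router logs above.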

psagrera commented 6 years ago

Please turn debug on in the telegraf config file (agent section):

..........
[agent]
...........
debug = true

and share the logs.

Thanks

mnanduri commented 6 years ago

Here's the log. No clues in it. The timeout is till I add the host manually in /etc/hosts on the OC container.

root@Jumphost2:/home/mohan/open-nti/plugins/input-oc# more telegraf.log
2018-08-17T13:45:10Z D! Attempting connection to output: influxdb
2018-08-17T13:45:10Z D! Successfully connected to output: influxdb
2018-08-17T13:45:10Z I! Starting Telegraf v1.7.0~503fcdb
2018-08-17T13:45:10Z I! Loaded outputs: influxdb
2018-08-17T13:45:10Z I! Loaded inputs: inputs.jti_openconfig_telemetry
2018-08-17T13:45:10Z I! Tags enabled: host=234777a00ade
2018-08-17T13:45:10Z I! Agent Config: Interval:10s, Quiet:false, Hostname:"234777a00ade", Flush Interval:5s
2018-08-17T13:45:10Z D! Opened a new gRPC session to mx1_re on port 50051
2018-08-17T13:45:25Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:45:30Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:35Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:45:40Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:45:45Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:45:50Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:45:50Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:50Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:50Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:50Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:50Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:50Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:50Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:50Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:45:50Z D! Retrying mx1_re with timeout 1s
...
2018-08-17T13:46:10Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:46:10Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:46:10Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:46:10Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:46:10Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:46:10Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:46:10Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:46:10Z D! Retrying mx1_re with timeout 1s
2018-08-17T13:46:15Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:46:20Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:46:25Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:46:30Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:46:35Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:46:40Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:46:45Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:46:50Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:46:55Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:47:00Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:47:05Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:47:10Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:47:15Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:47:20Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:47:25Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:47:30Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-08-17T13:47:35Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.


mnanduri commented 6 years ago

Interesting, when I tried the above procedure with FQDN on a real MX, it worked. It still does not work on vMX.

Cheers, -Mohan

psagrera commented 6 years ago

Hi,

I'll try to test with the Junos release you are using, but I'll be out for a couple of weeks.

Regards

Enviado desde mi iPhone

El 17 ago 2018, a las 20:22, mnanduri notifications@github.com escribió:

Interesting, when i tried the above procedure with FQDN on a real MX, it worked. Still does not work on vMX.

Cheers, -Mohan On Fri, Aug 17, 2018 at 11:00 AM Mohan Nanduri mohan.nanduri@gmail.com wrote:

Here's the log. No clues in it. The timeout is till I add the host manually in /etc/hosts on the OC container.

    root@Jumphost2:/home/mohan/open-nti/plugins/input-oc# more telegraf.log
    2018-08-17T13:45:10Z D! Attempting connection to output: influxdb
    2018-08-17T13:45:10Z D! Successfully connected to output: influxdb
    2018-08-17T13:45:10Z I! Starting Telegraf v1.7.0~503fcdb
    2018-08-17T13:45:10Z I! Loaded outputs: influxdb
    2018-08-17T13:45:10Z I! Loaded inputs: inputs.jti_openconfig_telemetry
    2018-08-17T13:45:10Z I! Tags enabled: host=234777a00ade
    2018-08-17T13:45:10Z I! Agent Config: Interval:10s, Quiet:false, Hostname:"234777a00ade", Flush Interval:5s
    2018-08-17T13:45:10Z D! Opened a new gRPC session to mx1_re on port 50051
    2018-08-17T13:45:25Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:45:30Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:30Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:35Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:45:40Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:45:45Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:45:50Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:45:50Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:50Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:50Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:50Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:50Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:50Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:50Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:50Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:45:50Z D! Retrying mx1_re with timeout 1s
    ...
    2018-08-17T13:46:10Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:46:10Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:46:10Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:46:10Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:46:10Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:46:10Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:46:10Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:46:10Z D! Retrying mx1_re with timeout 1s
    2018-08-17T13:46:15Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:46:20Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:46:25Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:46:30Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:46:35Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:46:40Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:46:45Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:46:50Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:46:55Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:47:00Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:47:05Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:47:10Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:47:15Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:47:20Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:47:25Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:47:30Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-08-17T13:47:35Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.

On Fri, Aug 17, 2018 at 4:19 AM psagrera notifications@github.com wrote:

Please turn debug on in the telegraf config file (agent section):

    [agent]
    ..........
    debug = true

and share logs

Thanks


mnanduri commented 6 years ago

I was trying to do mutual authentication between Junipers and open-nti. Does open-nti send a cert? The router is expecting the cert and it fails with a bad cert error.

When we use gnmi_client to connect to the router, we don't see that error but a different one.

Here's the config:

    set system services ssh
    set system services extension-service request-response grpc ssl port 50051
    set system services extension-service request-response grpc ssl local-certificate nqa3-mx-d12-12
    set system services extension-service request-response grpc ssl mutual-authentication certificate-authority JTI
    set system services extension-service request-response grpc ssl mutual-authentication client-certificate-request require-certificate

    set system services extension-service traceoptions file ext.log
    set system services extension-service traceoptions flag all

Error with bad cert:

    Aug 28 02:10:30 server_secure_chttp2.c:119: Secure transport failed with error 1
    Aug 28 02:12:28 ssl_transport_security.c:947: Handshake failed with fatal error SSL_ERROR_SSL: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate.
    Aug 28 02:12:28 handshake.c:128: Security handshake failed: {"created":"@1535422348.938953752","description":"Handshake failed","file":"../../../../../../../../src/dist/grpc/src/core/lib/security/transport/handshake.c","file_line":264,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}

When using the gnmi_cli client:

    Aug 28 03:12:23 server_secure_chttp2.c:119: Secure transport failed with error 1
    Aug 28 03:12:34 TerminateClientThreads: Number of grpc clients connected: 0
    Aug 28 03:12:34 JGrpcServerStart: Proto Desriptor object not found in proto map for RPC /grpc.reflection.v1alpha.ServerReflection/ServerReflectionInfo for peer ipv6:::ffff:10.144.96.34:35556
    Aug 28 03:12:34 AllocCallMem:GRPC Server Call Completion queue created successfully
    Aug 28 03:12:34 AllocCallMem:GRPC Server Call Details initialized successfully
    Aug 28 03:12:35 TerminateClientThreads: Number of grpc clients connected: 0
    Aug 28 03:12:35 JGrpcServerStart: Proto Desriptor object not found in proto map for RPC /gnmi.gNMI/Subscribe for peer ipv6:::ffff:10.144.96.34:35556
    Aug 28 03:12:35 AllocCallMem:GRPC Server Call Completion queue created successfully
    Aug 28 03:12:35 AllocCallMem:GRPC Server Call Details initialized successfully
    Aug 28 03:12:35 ssl_transport_security.c:439: SSL_read returned 0 unexpectedly.
    Aug 28 03:12:35 secure_endpoint.c:176: Decryption error: TSI_INTERNAL_ERROR

    ./gnmi_cli -a mx-d12-12:50051 -qt s -q "/lldp/" --ca_crt /home/mnanduri/ca.crt --client_crt /home/mnanduri/pivo.crt --client_key /home/mnanduri/pivo.key -logtostderr

    E0828 09:43:38.684796 23426 gnmi_cli.go:190] cli.QueryDisplay: sendQueryAndDisplay(ctx, {Addrs:[nqa3-mx10003-d12-12:50051] Target: Replica:0 UpdatesOnly:false Queries:[[lldp]] Type:stream Timeout:30s NotificationHandler: ProtoHandler: Credentials: TLS:0xc7ef80 Extra:map[]}, &{PollingInterval:30s StreamingDuration:0s Count:0 countExhausted:false Delimiter:/ Display:0x83db90 DisplayPrefix: DisplayIndent: DisplayType:group DisplayPeer:false Timestamp: DisplaySize:false Latency:false ClientTypes:[gnmi]}): unknown response : %!s()

psagrera commented 6 years ago

Hi

The current implementation of open NTI doesn't support mutual authentication. I did a quick test modifying the code of the telegraf plugin and it works OK, so mutual authentication will probably be supported in the future.

mnanduri commented 6 years ago

Ah cool, thanks for the update and for checking. Do you mind providing the code that you played with/modified?

psagrera commented 6 years ago

Hi,

Follow these steps in order to test mutual-auth in open NTI (bear in mind that it is only for testing/demo purposes at the moment).

1 ) Clone my personal repo of openNTI

git clone https://github.com/psagrera/open-nti.git 

2 ) Modify the following files:

2.1 ) Under ~/open-nti/plugins/input-oc --> telegraf.tmpl 

      [[inputs.jti_openconfig_telemetry]]

        servers = ["mx2_re:50051"] <-- your vMX / MX hostname
        username = "lab"
        password = "lab123"
        client_id = "telegraf"

      Keep the debug flag set to true to easily verify whether it's working or not.
      You can add/modify sensors from the original file.

2.2 ) Under ~/open-nti/plugins/input-oc --> cert_files directory
       Put there all files related to the certificate (follow the process you mentioned above in the thread).
       2.2.1 ) That's what I did:

    SERVER SIDE
    ###########
    openssl genrsa -out ca.key 2048
    openssl req -new -x509 -key ca.key -out ca.crt

    openssl genrsa -out mx2_re.key 2048
    openssl req -new -key mx2_re.key -out mx2_re.csr

    openssl genrsa -out oc.key 2048
    openssl req -new -key oc.key -out oc.csr

    openssl x509 -req -in mx2_re.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out mx2_re.crt
    openssl x509 -req -in oc.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out oc.crt

    cat mx2_re.key mx2_re.crt > mx2_re.pem

    ROUTER
    ######
    set security pki ca-profile OC ca-identity OC
    request security pki ca-certificate load ca-profile OC filename /var/tmp/ca.crt
    set security certificates certification-authority OC ca-name OC
    set security certificates local mx2_re load-key-file /var/tmp/mx2_re.pem
    set system services extension-service request-response grpc ssl port 50051
    set system services extension-service request-response grpc ssl local-certificate mx2_re
    set system services extension-service request-response grpc ssl mutual-authentication certificate-authority OC
    set system services extension-service request-response grpc ssl mutual-authentication client-certificate-request require-certificate
    set system services extension-service notification allow-clients address 0.0.0.0/0
    set system services extension-service traceoptions file extension-service.log
    set system services extension-service traceoptions file size 5m
    set system services extension-service traceoptions file files 2
    set system services extension-service traceoptions flag all

2.3 ) Under ~/open-nti  --> docker-compose.yml 

        input-oc:
          #image: telegraf:1.5
          build: $INPUT_OC_DIR
          extra_hosts:
            mx2_re: 10.102.183.150 <-- put here your hostname/IP mapping 
          container_name: $INPUT_OC_CONTAINER_NAME
          volumes:
            - /etc/localtime:/etc/localtime:ro
            - ./$INPUT_OC_DIR/telegraf.tmpl:/source/telegraf.tmpl
          ports:
            - "$LOCAL_PORT_OC:50051/udp"
          links:
            - opennti

2.4 ) make build

2.5 ) make start 

2.6 ) docker logs opennti_input_oc (if it's working you will see something like this:)

    [...]
    2018-09-05T11:55:18Z I! Agent Config: Interval:10s, Quiet:false, Hostname:"c7fb8b1cd83c", Flush Interval:5s
    2018-09-05T11:55:20Z D! Opened a new gRPC session to mx2_re on port 50051
    2018-09-05T11:55:25Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-09-05T11:55:27Z D! Received from mx2_re: system_id:"mx2_re" component_id:1 path:
    [...]

P.S.: I'm using vMX (18.1R2-S1)
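The exchange those steps configure, as an added Go example that is not part of open-nti or the telegraf plugin: it builds a throwaway CA with a router identity and a separate collector identity in memory, then runs a TLS handshake against an in-process server that, like the router configuration above, requires a client certificate issued by that CA. The names OC, mx2_re and oc, the per-role EKU restriction and the loopback server are assumptions of this example, not something the thread's openssl commands produce.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Lab is a constructed PKI: one CA plus two distinct identities, the router "mx2_re" and the collector "oc".
type Lab struct {
	Pool   *x509.CertPool  // trust anchor; stands in for ca.crt and the router's OC ca-profile
	Server tls.Certificate // mx2_re.pem: the certificate the router presents
	Client tls.Certificate // oc.crt + oc.key: the certificate the collector should present
}

// must panics on a failed key or certificate operation; a lab fixture cannot continue without them.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue returns a key pair and certificate: a self-signed CA when parent is nil (eku ignored),
// otherwise an end-entity certificate signed by parent and restricted to the given extended key usage.
func issue(cn string, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		// The openssl steps above set no EKU, which is why mx2_re.crt could double as the
		// client certificate there; binding each identity to one role prevents that reuse.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
		tmpl.DNSNames = []string{cn} // the name telegraf dials, as in servers = ["mx2_re:50051"]
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// NewLab builds the CA, the router identity and the collector identity.
func NewLab() *Lab {
	ca, caKey := issue("OC", 0, nil, nil)
	srv, srvKey := issue("mx2_re", x509.ExtKeyUsageServerAuth, ca, caKey)
	cli, cliKey := issue("oc", x509.ExtKeyUsageClientAuth, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &Lab{
		Pool:   pool,
		Server: tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		Client: tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey},
	}
}

// Handshake runs one mutual-TLS session against an in-process server configured like the router
// above (require-certificate, CA = OC). A nil clientCert reproduces a collector that sends no
// certificate, which the router trace reported as "peer did not return a certificate".
func Handshake(lab *Lab, clientCert *tls.Certificate) error {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{lab.Server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: lab.Pool}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			// Write runs the server-side handshake first and sends nothing unless the client
			// certificate verified, so the client can tell rejection from success under TLS 1.3 too.
			c.Write([]byte("ok"))
			c.Close()
		}
	}()
	cfg := &tls.Config{RootCAs: lab.Pool, ServerName: "mx2_re"} // verify the router, like ca_crt
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	if _, err := conn.Read(make([]byte, 2)); err != nil {
		return fmt.Errorf("server rejected the session: %w", err)
	}
	return nil
}
```

Handshake returns nil only for the oc identity; a client with no certificate, one issued by a different CA, or the router's own server certificate is rejected, which is the gap between the "peer did not return a certificate" trace earlier in the thread and a working session.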

mnanduri commented 6 years ago

Thanks a ton, let me try it out. Will keep you posted.

mnanduri commented 6 years ago

I have tried the steps you provided with the same names you have, and I'm getting this error.

    mnanduri-mac:open-nti mnanduri$ docker logs opennti_input_oc

    2018/09/07 09:16:33 E! Error parsing /opt/telegraf/config/telegraf.conf, line 136: field corresponding to `client_crt' is not defined in `jti_openconfig_telemetry.OpenConfigTelemetry'
    2018/09/07 09:17:46 E! Error parsing /opt/telegraf/config/telegraf.conf, line 138: field corresponding to `ca_crt' is not defined in `jti_openconfig_telemetry.OpenConfigTelemetry'

    mnanduri-mac:open-nti mnanduri$ ls -latr plugins/input-oc/cert_files/
    total 80
    -rw-r--r--   1 mnanduri  staff  1273 Sep  6 18:52 ca.crt
    -rw-r--r--   1 mnanduri  staff  1679 Sep  6 18:52 ca.key
    -rw-r--r--   1 mnanduri  staff    17 Sep  6 18:52 ca.srl
    -rw-r--r--   1 mnanduri  staff  1155 Sep  6 18:52 mx2_re.crt
    -rw-r--r--   1 mnanduri  staff   980 Sep  6 18:52 mx2_re.csr
    -rw-r--r--   1 mnanduri  staff  1679 Sep  6 18:52 mx2_re.key
    -rw-r--r--   1 mnanduri  staff  2834 Sep  6 18:52 mx2_re.pem
    -rw-r--r--   1 mnanduri  staff  1155 Sep  6 18:52 oc.crt
    -rw-r--r--   1 mnanduri  staff   980 Sep  6 18:52 oc.csr
    drwxr-xr-x  12 mnanduri  staff   384 Sep  6 18:52 .
    -rw-r--r--   1 mnanduri  staff  1675 Sep  6 18:52 oc.key
    drwxr-xr-x   7 mnanduri  staff   224 Sep  7 05:16 ..

    input-oc:
      #image: telegraf:1.5
      build: $INPUT_OC_DIR
      extra_hosts:
        mx2_re: 10.133.85.41
      container_name: $INPUT_OC_CONTAINER_NAME
      volumes:

psagrera commented 6 years ago

Hi,

Did you remove the old image of OC? Maybe it's using the old image with the new plugin.

mnanduri commented 6 years ago

Oh, I did not. Let me remove the old image.

mnanduri commented 6 years ago

You are right, it was using the old image. That error is gone. I am getting a cert error, will try to regenerate again.

mnanduri commented 6 years ago

One question I wanted to ask and forgot earlier: I see you generated oc.key and oc.crt, but I don't see any reference to them in your telegraf.tmpl file. Is that expected?

psagrera commented 6 years ago

Yes, it's expected. In the telegraf.tmpl file only these references are needed:

    client_crt = "/opt/telegraf/config/cert_files/mx2_re.crt"
    client_key = "/opt/telegraf/config/cert_files/mx2_re.key"
    ca_crt = "/opt/telegraf/config/cert_files/ca.crt"
    ssl_cert = "/opt/telegraf/config/cert_files/mx2_re.pem"

I generated those files following the procedure of David Gee (http://ipengineer.net/2018/05/configuring-ssl-grpc-junos/)

psagrera commented 6 years ago

The files I've got on the vMX:

    root@mx2_re> file list /var/tmp/

    /var/tmp/:
    [...]
    ca.crt
    ca.key
    ca.srl
    mx2_re.crt
    mx2_re.csr
    mx2_re.key
    mx2_re.pem
    [...]

mnanduri commented 6 years ago

Ok. I was thinking that OC would send its cert/key and the MX has its cert/key, and they would mutually authenticate each other's certs.

mnanduri commented 6 years ago

Hi, got it working now, finally.

Do you need the username/password, or can you skip it with mutual authentication? Without the username/password I get the error below, but when I enable grpc skip-authentication, that error goes away.

    2018-09-07T13:12:01Z D! Available collection for nqa3-mx10003-d12-12 is: []
    2018-09-07T13:12:01Z E! Error in plugin [inputs.jti_openconfig_telemetry]: E! Failed to read from rpc error: code = Unauthenticated desc = JGrpcServer: Session not authenticated/authorized: nqa3-mx10003-d12-12

psagrera commented 6 years ago

Have you configured lab/lab123 on your router? In my case it works when I use username/pass + client_id, and also when I don't use username + password + client_id and configure skip auth on the router.

mnanduri commented 6 years ago

Yeah, I was trying to avoid using the username/password, but when I use uid/password, or go without uid/pwd + skip-auth on the router, it works.

psagrera commented 6 years ago

If you use username+passw+client_id without the skip config, does it work? (That's the setup I'm using.)

mnanduri commented 6 years ago

Yep, that works.

psagrera commented 6 years ago

Ok, glad to hear that. As I said, that version is only for testing/demo purposes; once it is published in telegraf we will integrate it into the master branch. Hope it's been useful. Thanks.

mnanduri commented 6 years ago

Yes, thanks a ton for your help. Will keep an eye out for the merge.

mnanduri commented 6 years ago

Clarification question: if I have the config below and use the normal instance (not your new plugin that supports SSL) to authenticate the gRPC session, I see that auth initially fails but I still get sensor data...

    [[inputs.jti_openconfig_telemetry]]
      servers = ["10.133.85.41:50051"]
      username = "lab"
      password = "lab123"
      client_id = "telegraf"

    set system services extension-service request-response grpc clear-text port 50051
    set system services extension-service traceoptions file extension-service.log
    set system services extension-service traceoptions file size 5m
    set system services extension-service traceoptions file files 2
    set system services extension-service traceoptions flag all

    2018-09-14T11:14:52Z E! Error in plugin [inputs.jti_openconfig_telemetry]: E! Failed to read from rpc error: code = Internal desc = invalid header field value "Authorization failed\b\xf7\xf5\b\x03": 10.133.85.41
    2018-09-14T11:14:54Z E! Error in plugin [inputs.jti_openconfig_telemetry]: E! Failed to read from rpc error: code = Unknown desc = Authorization failed: 10.133.85.41
    2018-09-14T11:14:55Z E! Error in plugin [inputs.jti_openconfig_telemetry]: E! Failed to read from rpc error: code = Unknown desc = Authorization failed: 10.133.85.41
    2018-09-14T11:14:55Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-09-14T11:14:55Z E! Error in plugin [inputs.jti_openconfig_telemetry]: E! Failed to read from rpc error: code = Unknown desc = Authorization failed: 10.133.85.41
    2018-09-14T11:14:56Z E! Error in plugin [inputs.jti_openconfig_telemetry]: E! Failed to read from rpc error: code = Unknown desc = Authorization failed: 10.133.85.41
    2018-09-14T11:14:56Z D! Received from 10.133.85.41: system_id:"nqa3-mx10003-d12-12" path:"sensor_1000:/junos/system/linecard/firewall/:/junos/system/linecard/firewall/:PFE" timestamp:1536952162823 kv:<key:"timestamp" uint_value:1536952162893 > kv:<key:"prefix" str_value:"/junos/firewall[name='IPV4_PROTECT_RE']/state/" > kv:<key:"timestamp" uint_value:1536891839 > kv:<key:"memory-usage[name='HEAP']/allocated" uint_value:131812 > kv:<key:"prefix" str_value:"/junos/firewall[name='count-dscp-et-0/1/0.0-i']/state/" > kv:<key:"timestamp" uint_value:1536884774 > kv:<key:"memory-usage[name='HEAP']/allocated" uint_value:1396 > kv:<key:"counter[name='dscp0-et-0/1/0.0-i']/packets" uint_value:577503868 > kv:<key:"counter[name='dscp0-et-0/1/0.0-i']/bytes" uint_value:285286910792 > kv:<key:"counter[name='rest-et-0/1/0.0-i']/packets" uint_value:264198 > kv:<key:"counter[name='rest-et-0/1/0.0-i']/bytes" uint_value:15644639 > kv:<key:"prefix" str_value:"/junos/firewall[name='count-dscp-et-0/1/1.0-i']/state/" > kv:<k

psagrera commented 6 years ago

Hi

Is the data being inserted properly into the database ?

Sent from my iPhone

mnanduri commented 6 years ago

I think so. Did not validate for sure.

psagrera commented 6 years ago

Any clue on the traceoptions?

mnanduri commented 6 years ago

I lost the log, let me try to do it again and will get back.

littlespace commented 6 years ago

How can we have the SSL setup for multiple devices? Should I use the same SSL certificate on all of the devices? I am looking to have SSL for encrypting the traffic between the devices and the NTI server. Also, I would like to have the SSL authentication as well.

psagrera commented 6 years ago

Hi @littlespace

You can define more than one input plugin and therefore attach different certificates to each group of servers (i.e.):

    ###############################################################################
    #                            INPUT PLUGINS                                    #
    ###############################################################################

    # Read OpenConfig Telemetry from listed sensors

    [[inputs.jti_openconfig_telemetry]]

      servers = ["10.102.183.182:50051"]

      ## Frequency to get data in millisecond
      sample_frequency = "5000ms"

      sensors = [
       "/network-instances/network-instance/protocols/protocol/bgp/",
      ]

      str_as_tags = false

    [[inputs.jti_openconfig_telemetry]]

      servers = ["10.102.183.150:50051"]

      ## Frequency to get data in millisecond
      sample_frequency = "5000ms"

      sensors = [
       "/network-instances/network-instance/protocols/protocol/bgp/",
      ]

      str_as_tags = false

With regard to mutual authentication, we are still working on the final code we will merge into the master branch.

Regards

Pablo

mnanduri commented 6 years ago

Hello Pablo,

When you say mutual authentication is being worked on, you mean open-nti authenticating the cert received from the router, right? Just want to confirm.

Cheers, -Mohan

psagrera commented 6 years ago

Yes, authenticating the cert received from the router.

Cheers

Pablo

Sent from my iPhone

mnanduri commented 6 years ago

Got it, thanks for the confirmation.

mnanduri commented 5 years ago

Any update on merging this feature with the main?

pravindamodaran commented 4 years ago

@psagrera Do you have the config for the latest telegraf version (1.14)? The TLS config params have changed slightly. And why do you use the router certificate and key (mx2_re.xxx) as the client crt and key? Shouldn't they be the client cert and key (oc.xxx)?

littlespace commented 4 years ago

@pravindamodaran Check the telegraf repo. I added the TLS option to the jti plug-in almost a year ago.

pravindamodaran commented 4 years ago

@littlespace Maybe irrelevant here, but my telegraf config looks like this:

[[inputs.jti_openconfig_telemetry]]
  ## List of device addresses to collect telemetry from
  servers = ["ec2-10-10-10-10.us-east-2.compute.amazonaws.com:32767"]

  username = "test"
  password = "test123"
  client_id = "telegraf"

  sample_frequency = "50000ms"

  sensors = [
   "/interfaces"
  ]

  ## Optional TLS Config
   enable_tls = true
   tls_ca = "/etc/telegraf/certs/ca.crt"
   tls_cert = "/etc/telegraf/certs/client.crt"
   tls_key = "/etc/telegraf/certs/client.key"
  ## Use TLS but skip chain & host verification
   insecure_skip_verify = false

  retry_delay = "10000ms"

  ## To treat all string values as tags, set this to true
  str_as_tags = false

And I keep getting this error in telegraf:

telegraf_1    | 2020-05-27T15:32:12Z E! [inputs.jti_openconfig_telemetry] Error in plugin: failed to read from ec2-10-10-10-10.us-east-2.compute.amazonaws: rpc error: code = Unknown desc = Authorization failed

Any idea? Should I open an issue in the telegraf repo?

littlespace commented 4 years ago

@pravindamodaran I need to check it. What version of Junos are you running on the box? Is your username a super user as well?

pravindamodaran commented 4 years ago

Junos version: JUNOS 18.4R1.8 Kernel 64-bit JNPR-11.0-20181207.6c2f68b_2_b

This is the default image available in the AWS Marketplace for the virtual router. And yeah, I have set the class to super-user for my username. For some reason, this image does not let me set up a gRPC server in Junos without TLS, so TLS is the only option I have.

andrewckh commented 4 years ago

Same question for the TLS problem. How do I modify telegraf.tmpl if I use master?

I just added "username", "password", "client_id", "enable_tls" and the TLS cert, but it fails to compose in the opennti_input_oc docker.

Thanks!