Enable Netconf for SR Linux (#2322)
* use net snmp

* init netconf

* added netconf server config

* remove stale links

* use sudo with docker

* remove tty from the docker run

* skip nc test if not running docker
hellt authored Dec 1, 2024
1 parent ed40f14 commit 0c6e5e2
Showing 7 changed files with 67 additions and 36 deletions.
62 changes: 29 additions & 33 deletions docs/manual/kinds/srl.md
Expand Up @@ -92,15 +92,30 @@ EOF
SR Linux nodes come up with SNMPv2 server enabled and running on port 161. The default SNMP community is `public`.

```shell
docker run --init -ti goatatwork/snmpwalk:latest -v 2c -c public $address
docker run -i -t ghcr.io/hellt/net-snmp-tools:5.9.4-r0 \
snmpwalk -v 2c -c public $address
```

///
/// note
Default credentials[^4]: `admin:NokiaSrl1!`
Containerlab will automatically enable public-key authentication for `root`, `admin` and `linuxadmin` users if public key files are found at `~/.ssh` directory[^1].

/// tab | NETCONF
From SR Linux release 24.7.1 onwards, SR Linux comes with NETCONF server enabled and running on port 830.

```bash
docker run --rm --network clab -i -t \
ghcr.io/hellt/netconf-console2:3.0.1 \
--host srl --port 830 -u admin -p 'NokiaSrl1!' \
--hello
```

///

### Credentials

Default credentials[^4]: `admin:NokiaSrl1!`

Containerlab will automatically enable public-key authentication for `root`, `admin` and `linuxadmin` users if public key files are found at `~/.ssh` directory[^1].

## Interfaces naming

You can use [interfaces names](../topo-def-file.md#interface-naming) in the topology file like they appear in SR Linux.
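
Review bot: In the new NETCONF tab, "From SR Linux release 24.7.1 onwards, SR Linux comes with NETCONF server enabled" reads as a factory default, while the `### NETCONF` section added further down in this file says containerlab configures the SSH server and the netconf-server instance. Suggest wording it along the lines of "containerlab enables the NETCONF server on port 830 for SR Linux 24.7.1 and later", so readers know the listener comes from containerlab's default configuration rather than from the image.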
Expand Down Expand Up @@ -165,7 +180,7 @@ SR Linux uses a `/etc/opt/srlinux/config.json` file to persist its configuration

#### Default node configuration

When a node is defined without the `startup-config` statement present, containerlab will make [additional configurations](https://github.com/srl-labs/containerlab/blob/srl-template-in-a-file/nodes/srl/srl_default_config.go.tpl) on top of the factory config:
When a node is defined without the `startup-config` statement present, containerlab will make [additional configurations](https://github.com/srl-labs/containerlab/blob/main/nodes/srl/srl_default_config.go.tpl) on top of the factory config:

```yaml
# example of a topo file that does not define a custom startup-config
Expand Down Expand Up @@ -304,23 +319,6 @@ INFO[0001] saved SR Linux configuration from leaf2 node. Output:
Saved current running configuration as initial (startup) configuration '/etc/opt/srlinux/config.json'
```

#### User defined custom agents for SR Linux nodes

SR Linux supports custom "agents", i.e. small independent pieces of software that extend the functionality of the core platform and integrate with the CLI and the rest of the system. To deploy an agent, a YAML configuration file must be placed under `/etc/opt/srlinux/appmgr/`. This feature adds the ability to copy agent YAML file(s) to the config directory of a specific SRL node, or all such nodes.

```yaml
name: srl_lab_with_custom_agents
topology:
nodes:
srl1:
kind: nokia_srlinux
...
extras:
srl-agents:
- path1/my_custom_agent.yml
- path2/my_other_agent.yml
```

### TLS

By default, containerlab will generate TLS certificates and keys for each SR Linux node of a lab. The TLS-related files that containerlab creates are located in the TLS directory, which can be found by the `<lab-directory>/.tls/` path. Here is a list of files that containerlab creates relative to the TLS directory:
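
Review bot: The "User defined custom agents for SR Linux nodes" section is deleted in this hunk (it goes from 23 lines to 6), but the commit message only mentions "remove stale links" and none of the code hunks shown touch `srl-agents` handling. If `extras: srl-agents` is still supported, keep the section or move it, since the 0.18 release note in this commit loses its link target and the parameter would otherwise be undocumented; if the feature is gone, say so in the commit message.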
Expand Down Expand Up @@ -360,6 +358,14 @@ These additions are meant to make all gRPC services available to the user out of

Besides augmenting the factory-provided `mgmt` gRPC server block, containerlab also adds a new `insecure-mgmt` gRPC server that provides the same services as the `mgmt` server but without TLS. This server runs on port 57401 and is meant to be used for testing purposes as well as for local gNMI clients running as part of the NDK apps or local Event Handler scripts.

### SSH Keys

Containerlab will read the public keys found in `~/.ssh` directory of a sudo user as well as the contents of a `~/.ssh/authorized_keys` file if it exists[^2]. The public keys will be added to the startup configuration for `admin` and `linuxadmin` users to enable passwordless access.

### NETCONF

Containerlab will configure the `netconf-mgmt` ssh server running over port 830 and the netconf-server instance using this SSH server to enable NETCONF management.

### License

SR Linux container can run without a license emulating the datacenter types (7220 IXR) :partying_face:.
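
Review bot: The `### NETCONF` paragraph names the SSH server `netconf-mgmt`, but the configuration this commit adds in nodes/srl/version.go creates `ssh-server mgmt-netconf`; use `mgmt-netconf` here so the name matches what a user sees on the node. Also, `### SSH Keys` lists only `admin` and `linuxadmin`, while the `### Credentials` text earlier in this file still lists `root`, `admin` and `linuxadmin` for public-key authentication; the two sections should agree on which accounts receive the keys.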
Expand All @@ -369,7 +375,7 @@ The license file lifts these limitations as well as unlocks chassis-based platfo

## Container configuration

To start an SR Linux NOS containerlab uses the configuration that is described in [SR Linux Software Installation Guide](https://documentation.nokia.com/cgi-bin/dbaccessfilename.cgi/3HE16113AAAATQZZA01_V1_SR%20Linux%20R20.6%20Software%20Installation.pdf)
To start an SR Linux NOS containerlab uses the configuration that is described in SR Linux Software Installation Guide

/// tab | Startup command
`sudo bash -c /opt/srlinux/bin/sr_linux`
Expand Down Expand Up @@ -410,16 +416,6 @@ banner cli config.json devices tls ztp
The topology file that defines the emulated hardware type is driven by the value of the kinds `type` parameter. Depending on a specified `type`, the appropriate content will be populated into the `topology.yml` file that will get mounted to `/tmp/topology.yml` directory inside the container in `ro` mode.
#### Authorized keys
Additionally, containerlab will mount the `authorized_keys` file that will have contents of every public key found in `~/.ssh` directory as well as the contents of a `~/.ssh/authorized_keys` file if it exists[^2]. This file will be mounted to `~/.ssh/authorized_keys` path for the following users:
* `root`
* `linuxadmin`
* `admin`
This will enable passwordless access for the users above if any public key is found in the user's directory.
#### YUM/APT repositories
Containerlab will create and mount repository files for YUM and APT to ensure that SR Linux users can install packages from the aforementioned repos.
8 changes: 7 additions & 1 deletion docs/rn/0.18.md
@@ -1,18 +1,23 @@
# Release 0.18

:material-calendar: 2021-09-14

## exec parameter

The new [`exec`](../manual/nodes.md#exec) node parameter allows users to specify a list of commands that will run once the nodes are created.

A typical application of this parameter is to call some boot script that configures something on the node, for example its IP address.

## Entrypoint

With the new `entrypoint` node parameter it is possible to change the entrypoint of the container.

## SR Linux agents
A new [`srl-agents`](../manual/kinds/srl.md#user-defined-custom-agents-for-sr-linux-nodes) parameter of the node's extra config will allow to copy SR Linux agent definition file to the container's `appmgr` dir.

A new `srl-agents` parameter of the node's extra config will allow to copy SR Linux agent definition file to the container's `appmgr` dir.

## Dell FTOS support

Thanks to @log1cb0mb contribution, containerlab now knows how to start [Dell FTOS](../manual/kinds/vr-ftosv.md) systems.

## Miscellaneous
Expand All @@ -25,4 +30,5 @@ Thanks to @log1cb0mb contribution, containerlab now knows how to start [Dell FTO
* `srl` nodes additional config is now pushed once the nodes are started, instead of templating the config beforehand. This allows to follow the factory config of the release, without keeping the outdated template as it was before.

## New contributors

Welcome [@nlgotz](https://github.com/nlgotz), [@log1cb0mb](https://github.com/log1cb0mb) and thank you for your contributions to containerlab!
9 changes: 7 additions & 2 deletions docs/rn/0.22.md
@@ -1,22 +1,27 @@
# Release 0.22

:material-calendar: 2021-12-22

## SR Linux password-less login

Containerlab now generates yet another file that will be stored in a lab directory - `authorized_keys`. This file will catenate all public keys found in `~/.ssh` directory.

[SR Linux](../manual/kinds/srl.md#authorized-keys) nodes will mount this file for `admin`, `linuxadmin`, and `root` users; this will allow for password-less SSH access :joy:
SR Linux nodes will mount this file for `admin`, `linuxadmin`, and `root` users; this will allow for password-less SSH access :joy:

## Containerlab schema

To help users navigate in the sheer sea of configuration options containerlab has, we cleaned up the [JSON schema](https://github.com/srl-labs/containerlab/blob/main/schemas/clab.schema.json).

## Reworked prefix logic

In [0.16](0.16.md#0162), we added a new top-level field - `prefix` - to let users decide if they want to have containers prefixed with a string other than `clab`. Now we got a few requests to make containers ditch the prefixes altogether, such as if you named a node `mynode` it will be created as a `mynode` container.

Your wish came true. Now, if you have an empty string `prefix`, the container name will be stripped of everything but name. The magic `__lab-name` prefix value will add lab name to the container name; leaving the prefix out in the topo file will set the container name to `clab-<lab-name>-<node-name>`. Read more [here](../manual/topo-def-file.md#prefix).

## Miscellaneous

* new SR Linux variants `ixrd2l` and `ixrd3l` have been added in #726
* containerlab assigned SR Linux MACs will have `1a:b0:` prefix and the node index will be the rightmost byte. This makes it easier to identify the macs in the outputs. #713
* our beloved users created some awesome blogs and streams about containerlab! We featured them on our [community page](../community.md).
* fixed doubled dot in the container's fqdn #724
* `tools cert` command gained more checks #725
* `tools cert` command gained more checks #725
2 changes: 2 additions & 0 deletions nodes/srl/srl.go
Expand Up @@ -526,6 +526,8 @@ type srlTemplateData struct {
GRPCConfig string
// ACLConfig is a string containing ACL configuration
ACLConfig string
// NetconfConfig is a string containing Netconf server configuration
NetconfConfig string
}

// tplIFace template interface struct.
2 changes: 2 additions & 0 deletions nodes/srl/srl_default_config.go.tpl
Expand Up @@ -27,6 +27,8 @@ set / system json-rpc-server admin-state enable network-instance mgmt https admi

{{ .SNMPConfig }}

{{ .NetconfConfig }}

set / system lldp admin-state enable
set / system aaa authentication idle-timeout 7200

12 changes: 12 additions & 0 deletions nodes/srl/version.go
Expand Up @@ -94,6 +94,13 @@ set / acl acl-filter cpm type ipv6 entry 368 match ipv6 next-header tcp
set / acl acl-filter cpm type ipv6 entry 368 match transport destination-port operator eq
set / acl acl-filter cpm type ipv6 entry 368 match transport destination-port value 57401
set / acl acl-filter cpm type ipv6 entry 368 action accept`

netconfConfig = `set / system netconf-server mgmt admin-state enable ssh-server mgmt-netconf
set / system ssh-server mgmt-netconf admin-state enable
set / system ssh-server mgmt-netconf network-instance mgmt
set / system ssh-server mgmt-netconf port 830
set / system ssh-server mgmt-netconf disable-shell true
`
)

// SrlVersion represents an sr linux version as a set of fields.
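
Review bot: `netconfConfig` opens TCP 830 in the `mgmt` network-instance, but unlike the `aclConfig` constant just above it, which adds explicit `cpm` filter entries for port 57401, nothing here adds or mentions a filter entry for 830. Please confirm that the `cpm` filter of the targeted releases already accepts 830 and record that in a comment next to the constant, or add the matching entries. Minor: the string ends with a newline before the closing backtick, while `aclConfig` does not.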
Expand Down Expand Up @@ -164,6 +171,11 @@ func (n *srl) setVersionSpecificParams(tplData *srlTemplateData) {
tplData.ACLConfig = aclConfig
}

// in srlinux >= v24.7+ we add Netconf server config to enable Netconf.
if semver.Compare(v, "v24.7") >= 0 || n.swVersion.Major == "0" {
tplData.NetconfConfig = netconfConfig
}

// in srlinux v23.10.x we need to enable GNMI unix socket services to enable
// communications over unix socket (e.g. NDK agents)
if semver.Compare(v, "v23.10") == 0 {
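
Review bot: The condition `semver.Compare(v, "v24.7") >= 0 || n.swVersion.Major == "0"` has a second branch that the comment above it does not explain: a major version of "0" also receives the NETCONF config. State in the comment what a "0" major stands for and why it is treated like 24.7 or later. The comment's ">= v24.7+" is also redundant (either ">= v24.7" or "v24.7+"), and the docs changed in this commit say 24.7.1, so settle on one spelling of the minimum release.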
8 changes: 8 additions & 0 deletions tests/02-basic-srl/01-two-srls.robot
Expand Up @@ -145,6 +145,14 @@ Verify TLS works with JSON-RPC, certificate check and IP address as SAN
Should Be Equal As Integers ${rc} 0
Should Not Contain ${output} error

Verify NETCONF works
Skip If '${runtime}' != 'docker'
${rc} ${output} = Run And Return Rc And Output
... sudo docker run --rm --network clab ghcr.io/hellt/netconf-console2:3.0.1 --host clab-${lab-name}-srl1 --port 830 -u admin -p 'NokiaSrl1!' --hello
Log ${output}
Should Be Equal As Integers ${rc} 0
Should Contain ${output} base:1.1


*** Keywords ***
Cleanup
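
Review bot: `Verify NETCONF works` runs `sudo docker run` on `ghcr.io/hellt/netconf-console2:3.0.1`, referenced by tag only, so the test executes whatever that tag points to at run time; pin the image by digest. The assertion `Should Contain ${output} base:1.1` only proves the hello exchange, so the `disable-shell true` setting added in version.go is not covered by any check. With `Skip If '${runtime}' != 'docker'`, other runtimes get no NETCONF coverage at all, which is worth a short comment in the test.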
