NSO System Management

Introduction

Cisco Network Service Orchestrator enabled by Tail-f (NSO) version 6.2_240507 is an evolution of the Tail-f Network Control System (NCS). Tail-f was acquired by Cisco in 2014. The product has been enhanced and forms the base for Cisco NSO. Note that the 'ncs' and 'tail-f' terms are used extensively in file names, command-line command names, YANG models, application programming interfaces (API), etc. Throughout this document we will use NSO to mean the product, which consists of a number of modules and executable components. These executable components will be referred to by their command line name, e.g. ncs, ncs-netsim, ncs_cli, etc. ncs is used to refer to the executable, the running daemon.

Configuring NSO

Overview

NSO is configured in two different ways. Its configuration file, ncs.conf, and also through whatever data that is configured at run-time over any northbound, for example turning on trace using the CLI.

Configuration file

The ncs.conf file is described by the the section called “CONFIGURATION PARAMETERS” in Manual Pages manual page. There is a large number of configuration items in ncs.conf, most of them have sane default values. The ncs.conf file is an XML file that must adhere to the tailf-ncs-config.yang model. If we start the NSO daemon directly we must provide the path to the ncs config file as in: 

# ncs -c /etc/ncs/ncs.conf

However in a "system install", the init script must be used to start NSO, and it will pass the appropriate options to the ncs command. Thus NSO is started with the command: 

# /etc/init.d/ncs start

It is possible to edit the ncs.conf file, and then tell NSO to reload the edited file without restarting the daemon as in: 

# ncs --reload

This command also tells NSO to close and reopen all log files, which makes it suitable to use from a system like logrotate.

In this section some of the important configuration settings will be described and discussed.

Exposed interfaces

NSO allows access through a number of different interfaces, depending on the use case. In the default configuration, clients can access the system locally through an unauthenticated IPC socket (with the ncs* family of commands, port 4569) and plain (non-HTTPS) HTTP web server (port 8080). Additionally, the system enables remote access through SSH-secured NETCONF and CLI (ports 2022 and 2024).

We strongly encourage you to review and customize the exposed interfaces to your needs in the ncs.conf configuration file. In particular, set:

  • /ncs-config/webui/match-host-name to true.

  • /ncs-config/webui/server-name to the hostname of the server.

If you decide to allow remote access to the web server, also make sure you use TLS-secured HTTPS instead of HTTP. Not doing so exposes you to security risks.

Note

Using /ncs-config/webui/match-host-name = true requires you to use the configured hostname when accessing the server. Web browsers do this automatically but you may need to set the Host header when performing requests programmatically using an IP address instead of the hostname.

To additionally secure IPC access, refer to the section called “Restricting access to the IPC port”.

For more details on individual interfaces and their use, see Northbound APIs .

Dynamic configuration

In this section all settings that can be manipulated through the NSO northbound interfaces are briefly described. NSO itself has a number of built-in YANG modules. These YANG modules describe structure that is stored in CDB. Whenever we change anything under, say /devices/device, it will change the CDB, but it will also change the configuration of NSO. We call this dynamic config since it can be changed at will through all northbound APIs.

We summarize the most relevant parts below: 

ncs@ncs(config)#
Possible completions:
  aaa                        AAA management, users and groups
  cluster                    Cluster configuration
  devices                    Device communication settings
  java-vm                    Control of the NCS Java VM
  nacm                       Access control
  packages                   Installed packages
  python-vm                  Control of the NCS Python VM
  services                   Global settings for services, (the services themselves might be augmented somewhere else)
  session                    Global default CLI session parameters
  snmp                       Top-level container for SNMP related configuration and status objects.
  snmp-notification-receiver Configure reception of SNMP notifications
  software                   Software management
  ssh                        Global SSH connection configuration

tailf-ncs.yang

This is the most important YANG module that is used to control and configure NSO. The module can be found at: $NCS_DIR/src/ncs/yang/tailf-ncs.yang in the release. Everything in that module is available through the northbound APIs. The YANG module has descriptions for everything that can be configured.

tailf-common-monitoring2.yang and tailf-ncs-monitoring2.yang are two modules that are relevant to monitoring NSO.

Built-in or external SSH server

NSO has a built-in SSH server which makes it possible to SSH directly into the NSO daemon. Both NSO northbound NETCONF agent and the CLI need SSH. To configure the built-in SSH server we need a directory with server SSH keys - it is specified via /ncs-config/aaa/ssh-server-key-dir in ncs.conf. We also need to enable /ncs-config/netconf-north-bound/transport/ssh and /ncs-config/cli/ssh in ncs.conf. In a "system install", ncs.conf is installed in the "config directory", by default /etc/ncs, with the SSH server keys in /etc/ncs/ssh.

Starting NSO

When NSO is started, it reads its configuration file and starts all subsystems configured to start (such as NETCONF, CLI etc.).

By default, NSO starts in the background without an associated terminal. It is recommended to use a "system install" when installing NSO for production deployment, see the section called “System Install Steps” in Getting Started. This will create an init script that starts NSO when the system boots, and make NSO start the service manager.

Licensing NSO

NSO is licensed using Cisco Smart Licensing. To register your NSO instance, you need to enter a token from your Cisco Smart Software Manager account. For more information on this topic, please see Cisco Smart Licensing

Monitoring NSO

This section describes how to monitor NSO. Also read the dedicated session on alarms, the section called “Overview”

NSO status

Checking the overall status of NSO can be done using the shell: 

$ ncs --status

or in the CLI 

ncs# show ncs-state

For details on the output see $NCS_DIR/src/yang/tailf-common-monitoring2.yang and

Below follows an overview of the output:

  • daemon-status You can see the NSO daemon mode, starting, phase0, phase1, started, stopping. The phase0 and phase1 modes are schema upgrade modes and will appear if you have upgraded any data-models.

  • version The NSO version.

  • smp Number of threads used by the daemon.

  • ha The High-Availability mode of the ncs daemon will show up here: secondary, primary, relay-secondary.

  • internal/callpoints Next section is call-points. Make sure that any validation points etc are registered. (The ncs-rfs-service-hook is an obsolete call-point, ignore this one).

    • UNKNOWN code tries to register a call-point that does not exist in a data-model.

    • NOT-REGISTERED a loaded data-model has a call-point but no code has registered.

    Of special interest is of course the servicepoints. All your deployed service models should have a corresponding service-point. For example: 

    servicepoints:
  id=l3vpn-servicepoint daemonId=10 daemonName=ncs-dp-6-l3vpn:L3VPN
  id=nsr-servicepoint daemonId=11 daemonName=ncs-dp-7-nsd:NSRService
  id=vm-esc-servicepoint daemonId=12 daemonName=ncs-dp-8-vm-manager-
    esc:ServiceforVMstarting
  id=vnf-catalogue-esc daemonId=13 daemonName=ncs-dp-9-vnf-catalogue-
    esc:ESCVNFCatalogueService

  • internal/cdb The cdb section is important. Look for any locks. This might be a sign that a developer has taken a CDB lock without releasing it. The subscriber section is also important. A design pattern is to register subscribers to wait for something to change in NSO and then trigger an action. Reactive FASTMAP is designed around that. Validate that all expected subscribers are OK.

  • loaded-data-models The next section shows all namespaces and YANG modules that are loaded. If you for example are missing a service model, make sure it is really loaded.

  • cli, netconf, rest, snmp, webui All northbound agents like CLI, REST, NETCONF, SNMP etc are listed with their IP and port. So if you want to connect over REST for example, you can see the port number here.

  • patches Lists any installed patches.

  • upgrade-mode If the node is in upgrade mode, it is not possible to get any information from the system over NETCONF. Existing CLI sessions can get system information.

It is also important to look at the packages that are loaded. This can be done in the CLI with: 

admin> show packages
packages package cisco-asa
 package-version 3.4.0
 description     "NED package for Cisco ASA"
 ncs-min-version [ 3.2.2 3.3 3.4 4.0 ]
 directory       ./state/packages-in-use/1/cisco-asa
 component upgrade-ned-id
  upgrade java-class-name com.tailf.packages.ned.asa.UpgradeNedId
 component ASADp
  callback java-class-name [ com.tailf.packages.ned.asa.ASADp ]
 component cisco-asa
  ned cli ned-id  cisco-asa
  ned cli java-class-name com.tailf.packages.ned.asa.ASANedCli
  ned device vendor Cisco

Monitoring the NSO daemon

NSO runs following processes:

  • The daemon: ncs.smp: this is the ncs process running in the Erlang VM.

  • Java VM: com.tailf.ncs.NcsJVMLauncher: service applications implemented in Java runs in this VM. There are several options on how to start the Java VM, it can be monitored and started/restarted by NSO or by an external monitor. See ncs.conf(5) man page and the java-vm settings in the CLI.

  • Python VMs: NSO packages can be implemented in Python. The individual packages can be configured to run a VM each or share Python VM. Use the show python-vm status current to see current threads and show python-vm status start to see which threads where started at startup-time.

Logging

NSO has extensive logging functionality. Log settings are typically very different for a production system compared to a development system. Furthermore, the logging of the NSO daemon and the NSO Java VM/Python VM is controlled by different mechanisms. During development, we typically want to turn on the developer-log. The sample ncs.conf that comes with the NSO release has log settings suitable for development, while the ncs.conf created by a "system install" are suitable for production deployment.

NSO logs in /logs in your running directory, (depends on your settings in ncs.conf). You might want the log files to be stored somewhere else. See man ncs.conf for details on how to configure the various logs. Below follows a list of the most useful log files:

  • ncs.log : ncs daemon log. See the section called “Log messages and formats”. Can be configured to syslog.

  • ncserr.log.1, ncserr.log.idx, ncserr.log.siz: if the NSO daemon has a problem. this contains debug information relevant for support. The content can be displayed with "ncs --printlog ncserr.log".

  • audit.log: central audit log covering all northbound interfaces. See the section called “Log messages and formats” for formats. Can be configured to syslog.

  • localhost:8080.access: all HTTP requests to the daemon. This an access log for the embedded Web server. This file adheres to the Common Log Format, as defined by Apache and others. This log is not enabled by default and is not rotated, i.e., use logrotate(8). Can be configured to syslog.

  • devel.log: developer-log is a debug log for troubleshooting user-written code. This log is enabled by default and is not rotated, i.e., use logrotate(8). This log shall be used in combination with the java-vm or python-vm logs. The user code logs in the VM logs and corresponding library logs in devel.log. Disable this log in production systems. Can be configured to syslog. You can manage this log and set its logging level in ncs.conf. 

        <developer-log>
      <enabled>true</enabled>
      <file>
        <name>${NCS_LOG_DIR}/devel.log</name>
        <enabled>false</enabled>
      </file>
      <syslog>
        <enabled>true</enabled>
      </syslog>
    </developer-log>
    <developer-log-level>trace</developer-log-level>

  • ncs-java-vm.log, ncs-python-vm.log: logger for code running in Java or Python VM, for example service applications. Developers writing Java and Python code use this log (in combination with devel.log) for debugging. Both Java and Python log levels can be set from their respective VM settings in, for example, the CLI. 

    
admin@ncs(config)# python-vm logging level level-info
admin@ncs(config)# java-vm java-logging logger com.tailf.maapi level level-info

  • netconf.log, snmp.log: log for northbound agents. Can be configured to Syslog.

  • rollbackNNNNN: all NSO commits generates a corresponding rollback file. The maximum number of rollback files and file numbering can be configured in ncs.conf.

  • xpath.trace: XPATH is used in many places, for example XML templates. This log file shows the evaluation of all XPATH expressions and can be enabled in the ncs.conf. 

        <xpathTraceLog>
      <enabled>true</enabled>
      <filename>${NCS_LOG_DIR}/xpath.trace</filename>
    </xpathTraceLog>

    To debug XPATH for a template, use the pipe-target debug in the CLI instead. 

    admin@ncs(config)# commit | debug template

  • ned-cisco-ios-xr-pe1.trace (for example): if device trace is turned on a trace file will be created per device. The file location is not configured in ncs.conf but is configured when device trace is turned on, for example in the CLI. 

    admin@ncs(config)# devices device r0 trace pretty

  • Progress trace log: When a transaction or action is applied, NSO emits specific progress events. These events can be displayed and recorded in a number of different ways, either in CLI with the pipe-target details on a commit, or by writing it to a log file. You can read more about progress trace log in Progress Trace in Development Guide.

  • Transaction error log: log for collecting information on failed transactions that lead to either CDB boot error or a runtime transaction failure. The default is 'false' (disabled). More information about the log is available in the section called “CONFIGURATION PARAMETERS” in Manual Pages under logs/transaction-log.

  • Upgrade log: log containing information about CDB upgrade. The log is enabled by default and not rotated (i.e., use logrotate). With the NSO example set, the following examples populate the log in the logs/upgrade.log file: examples.ncs/development-guide/ned-upgrade/yang-revision, examples.ncs/development-guide/high-availability/upgrade-basic, examples.ncs/development-guide/high-availability/upgrade-cluster, and examples.ncs/getting-started/developing-with-ncs/14-upgrade-service. More information about the log is available in the section called “CONFIGURATION PARAMETERS” in Manual Pages under logs/upgrade-log.

syslog

NSO can syslog to a local syslog. See man ncs.conf how to configure the syslog settings. All syslog messages are documented in "Log messages". The ncs.conf also lets you decide which of the logs should go into syslog: ncs.log, devel.log, netconf.log, snmp.log, audit.log, WebUI access log. There is also a possibility to integrate with rsyslog to log the ncs, developer, audit, netconf, snmp, and webui access logs to syslog with facility set to daemon in ncs.conf. For reference, see the upgrade-l2 example, located in examples.ncs/development-guide/high-availability/hcc .

Below follows an example of syslog configuration: 

    <syslog-config>
      <facility>daemon</facility>
    </syslog-config>

    <ncs-log>
      <enabled>true</enabled>
      <file>
        <name>./logs/ncs.log</name>
        <enabled>true</enabled>
      </file>
      <syslog>
        <enabled>true</enabled>
      </syslog>
    </ncs-log>

Log messages and formats

Table 1. Syslog Messages
Symbol Severity
Comment
Format String
AAA_LOAD_FAIL CRIT

Failed to load the AAA data, it could be that an external db is misbehaving or AAA is mounted/populated badly
"Failed to load AAA: ~s"
ABORT_CAND_COMMIT INFO

Aborting candidate commit, request from user, reverting configuration.
"Aborting candidate commit, request from user, reverting configuration."
ABORT_CAND_COMMIT_REBOOT INFO

ConfD restarted while having a ongoing candidate commit timer, reverting configuration.
"ConfD restarted while having a ongoing candidate commit timer, reverting configuration."
ABORT_CAND_COMMIT_TERM INFO

Candidate commit session terminated, reverting configuration.
"Candidate commit session terminated, reverting configuration."
ABORT_CAND_COMMIT_TIMER INFO

Candidate commit timer expired, reverting configuration.
"Candidate commit timer expired, reverting configuration."
ACCEPT_FATAL CRIT

ConfD encountered an OS-specific error indicating that networking support is unavailable.
"Fatal error for accept() - ~s"
ACCEPT_FDLIMIT CRIT

ConfD failed to accept a connection due to reaching the process or system-wide file descriptor limit.
"Out of file descriptors for accept() - ~s limit reached"
AUTH_LOGIN_FAIL INFO

A user failed to log in to ConfD.
"login failed via ~s from ~s with ~s: ~s"
AUTH_LOGIN_SUCCESS INFO

A user logged into ConfD.
"logged in via ~s from ~s with ~s using ~s authentication"
AUTH_LOGOUT INFO

A user was logged out from ConfD.
"logged out <~s> user"
BADCONFIG CRIT

confd.conf contained bad data.
"Bad configuration: ~s:~s: ~s"
BAD_DEPENDENCY ERR

A dependency was not found
"The dependency node '~s' for node '~s' in module '~s' does not exist"
BAD_NS_HASH CRIT

Two namespaces have the same hash value. The namespace hashvalue MUST be unique. You can pass the flag --nshash <value> to confdc when linking the .xso files to force another value for the namespace hash.

"~s"
BIND_ERR CRIT

ConfD failed to bind to one of the internally used listen sockets.
"~s"
BRIDGE_DIED ERR

ConfD is configured to start the confd_aaa_bridge and the C program died.
"confd_aaa_bridge died - ~s"
CAND_COMMIT_ROLLBACK_DONE INFO

Candidate commit rollback done
"Candidate commit rollback done"
CAND_COMMIT_ROLLBACK_FAILURE ERR

Failed to rollback candidate commit
"Failed to rollback candidate commit due to: ~s"
CANDIDATE_BAD_FILE_FORMAT WARNING

The candidate database file has a bad format. The candidate database is reset to the empty database.
"Bad format found in candidate db file ~s; resetting candidate"
CANDIDATE_CORRUPT_FILE WARNING

The candidate database file is corrupt and cannot be read. The candidate database is reset to the empty database.
"Corrupt candidate db file ~s; resetting candidate"
CDB_BOOT_ERR CRIT

CDB failed to start. Some grave error in the cdb data files prevented CDB from starting - a recovery from backup is necessary.
"CDB boot error: ~s"
CDB_CLIENT_TIMEOUT ERR

A CDB client failed to answer within the timeout period. The client will be disconnected.
"CDB client (~s) timed out, waiting for ~s"
CDB_CONFIG_LOST INFO

CDB found it's data files but no schema file. CDB recovers by starting from an empty database.
"CDB: lost config, deleting DB"
CDB_DB_LOST INFO

CDB found it's data schema file but not it's data file. CDB recovers by starting from an empty database.
"CDB: lost DB, deleting old config"
CDB_FATAL_ERROR CRIT

CDB encounterad an unrecoverable error
"fatal error in CDB: ~s"
CDB_INIT_LOAD INFO

CDB is processing an initialization file.
"CDB load: processing file: ~s"
CDB_OP_INIT ERR

The operational DB was deleted and re-initialized (because of upgrade or corrupt file)
"CDB: Operational DB re-initialized"
CDB_UPGRADE_FAILED ERR

Automatic CDB upgrade failed. This means that the data model has been changed in a non-supported way.
"CDB: Upgrade failed: ~s"
CGI_REQUEST INFO

CGI script requested.
"CGI: '~s' script with method ~s"
CLI_CMD_ABORTED INFO

CLI command aborted.
"CLI aborted"
CLI_CMD_DONE INFO

CLI command finished successfully.
"CLI done"
CLI_CMD INFO

User executed a CLI command.
"CLI '~s'"
CLI_DENIED INFO

User was denied to execute a CLI command due to permissions.
"CLI denied '~s'"
COMMIT_INFO INFO

Information about configuration changes committed to the running data store.
"commit ~s"
COMMIT_QUEUE_CORRUPT ERR

Failed to load commit queue. ConfD recovers by starting from an empty commit queue.
"Resetting commit queue due do inconsistent or corrupt data."
CONFIG_CHANGE INFO

A change to ConfD configuration has taken place, e.g., by a reload of the configuration file
"ConfD configuration change: ~s"
CONFIG_TRANSACTION_LIMIT INFO

Configuration transaction limit reached, rejected new transaction request.
"Configuration transaction limit of type '~s' reached, rejected new transaction request"
CONSULT_FILE INFO

ConfD is reading its configuration file.
"Consulting daemon configuration file ~s"
DAEMON_DIED CRIT

An external database daemon closed its control socket.
"Daemon ~s died"
DAEMON_TIMEOUT CRIT

An external database daemon did not respond to a query.
"Daemon ~s timed out"
DEVEL_AAA INFO

Developer aaa log message
"~s"
DEVEL_CAPI INFO

Developer C api log message
"~s"
DEVEL_CDB INFO

Developer CDB log message
"~s"
DEVEL_CONFD INFO

Developer ConfD log message
"~s"
DEVEL_ECONFD INFO

Developer econfd api log message
"~s"
DEVEL_SLS INFO

Developer smartlicensing api log message
"~s"
DEVEL_SNMPA INFO

Developer snmp agent log message
"~s"
DEVEL_SNMPGW INFO

Developer snmp GW log message
"~s"
DEVEL_WEBUI INFO

Developer webui log message
"~s"
DUPLICATE_NAMESPACE CRIT

Duplicate namespace found.
"The namespace ~s is defined in both module ~s and ~s."
DUPLICATE_PREFIX CRIT

Duplicate prefix found.
"The prefix ~s is defined in both ~s and ~s."
ERRLOG_SIZE_CHANGED INFO

Notify change of log size for error log
"Changing size of error log (~s) to ~s (was ~s)"
EVENT_SOCKET_TIMEOUT CRIT

An event notification subscriber did not reply within the configured timeout period
"Event notification subscriber with bitmask ~s timed out, waiting for ~s"
EVENT_SOCKET_WRITE_BLOCK CRIT

Write on an event socket blocked for too long time
"~s"
EXEC_WHEN_CIRCULAR_DEPENDENCY WARNING

An error occurred while evaluating a when-expression.
"When-expression evaluation error: circular dependency in ~s"
EXT_AUTH_2FA_FAIL INFO

External challenge authentication failed for a user.
"external challenge authentication failed via ~s from ~s with ~s: ~s"
EXT_AUTH_2FA INFO

External challenge sent to a user.
"external challenge sent to ~s from ~s with ~s"
EXT_AUTH_2FA_SUCCESS INFO

An external challenge authenticated user logged in.
"external challenge authentication succeeded via ~s from ~s with ~s, member of groups: ~s~s"
EXTAUTH_BAD_RET ERR

Authentication is external and the external program returned badly formatted data.
"External auth program (user=~s) ret bad output: ~s"
EXT_AUTH_FAIL INFO

External authentication failed for a user.
"external authentication failed via ~s from ~s with ~s: ~s"
EXT_AUTH_SUCCESS INFO

An externally authenticated user logged in.
"external authentication succeeded via ~s from ~s with ~s, member of groups: ~s~s"
EXT_AUTH_TOKEN_FAIL INFO

External token authentication failed for a user.
"external token authentication failed via ~s from ~s with ~s: ~s"
EXT_AUTH_TOKEN_SUCCESS INFO

An externally token authenticated user logged in.
"external token authentication succeeded via ~s from ~s with ~s, member of groups: ~s~s"
EXT_BIND_ERR CRIT

ConfD failed to bind to one of the externally visible listen sockets.
"~s"
FILE_ERROR CRIT

File error
"~s: ~s"
FILE_LOAD DEBUG

System loaded a file.
"Loaded file ~s"
FILE_LOAD_ERR CRIT

System tried to load a file in its load path and failed.
"Failed to load file ~s: ~s"
FILE_LOADING DEBUG

System starts to load a file.
"Loading file ~s"
FXS_MISMATCH ERR

A secondary connected to a primary where the fxs files are different
"Fxs mismatch, secondary is not allowed"
GROUP_ASSIGN INFO

A user was assigned to a set of groups.
"assigned to groups: ~s"
GROUP_NO_ASSIGN INFO

A user was logged in but wasn't assigned to any groups at all.
"Not assigned to any groups - all access is denied"
HA_BAD_VSN ERR

A secondary connected to a primary with an incompatible HA protocol version
"Incompatible HA version (~s, expected ~s), secondary is not allowed"
HA_DUPLICATE_NODEID ERR

A secondary arrived with a node id which already exists
"Nodeid ~s already exists"
HA_FAILED_CONNECT ERR

An attempted library become secondary call failed because the secondary couldn't connect to the primary
"Failed to connect to primary: ~s"
HA_SECONDARY_KILLED ERR

A secondary node didn't produce its ticks
"Secondary ~s killed due to no ticks"
INTERNAL_ERROR CRIT

A ConfD internal error - should be reported to support@tail-f.com.
"Internal error: ~s"
JIT_ENABLED INFO

Show if JIT is enabled.
"JIT ~s"
JSONRPC_LOG_MSG INFO

JSON-RPC traffic log message
"JSON-RPC traffic log: ~s"
JSONRPC_REQUEST_ABSOLUTE_TIMEOUT INFO

JSON-RPC absolute timeout.
"Stopping session due to absolute timeout: ~s"
JSONRPC_REQUEST_IDLE_TIMEOUT INFO

JSON-RPC idle timeout.
"Stopping session due to idle timeout: ~s"
JSONRPC_REQUEST INFO

JSON-RPC method requested.
"JSON-RPC: '~s' with JSON params ~s"
JSONRPC_WARN_MSG WARNING

JSON-RPC warning message
"JSON-RPC warning: ~s"
KICKER_MISSING_SCHEMA INFO

Failed to load kicker schema
"Failed to load kicker schema"
LIB_BAD_SIZES ERR

An application connecting to ConfD used a library version that can't handle the depth and number of keys used by the data model.

"Got connect from library with insufficient keypath depth/keys support (~s/~s, needs ~s/~s)"
LIB_BAD_VSN ERR

An application connecting to ConfD used a library version that doesn't match the ConfD version (e.g. old version of the client library).

"Got library connect from wrong version (~s, expected ~s)"
LIB_NO_ACCESS ERR

Access check failure occurred when an application connected to ConfD.
"Got library connect with failed access check: ~s"
LISTENER_INFO INFO

ConfD starts or stops to listen for incoming connections.
"~s to listen for ~s on ~s:~s"
LOCAL_AUTH_FAIL_BADPASS INFO

Authentication for a locally configured user failed due to providing bad password.
"local authentication failed via ~s from ~s with ~s: ~s"
LOCAL_AUTH_FAIL INFO

Authentication for a locally configured user failed.
"local authentication failed via ~s from ~s with ~s: ~s"
LOCAL_AUTH_FAIL_NOUSER INFO

Authentication for a locally configured user failed due to user not found.
"local authentication failed via ~s from ~s with ~s: ~s"
LOCAL_AUTH_SUCCESS INFO

A locally authenticated user logged in.
"local authentication succeeded via ~s from ~s with ~s, member of groups: ~s"
LOGGING_DEST_CHANGED INFO

The target logfile will change to another file
"Changing destination of ~s log to ~s"
LOGGING_SHUTDOWN INFO

Logging subsystem terminating
"Daemon logging terminating, reason: ~s"
LOGGING_STARTED INFO

Logging subsystem started
"Daemon logging started"
LOGGING_STARTED_TO INFO

Write logs for a subsystem to a specific file
"Writing ~s log to ~s"
LOGGING_STATUS_CHANGED INFO

Notify a change of logging status (enabled/disabled) for a subsystem
"~s ~s log"
LOGIN_REJECTED INFO

Authentication for a user was rejected by application callback.
"~s"
MAAPI_LOGOUT INFO

A maapi user was logged out.
"Logged out from maapi ctx=~s (~s)"
MAAPI_WRITE_TO_SOCKET_FAIL INFO

maapi failed to write to a socket.
"maapi server failed to write to a socket. Op: ~s Ecode: ~s Error: ~s~s"
MISSING_AES256CFB128_SETTINGS ERR

AES256CFB128 keys were not found in confd.conf
"AES256CFB128 keys were not found in confd.conf"
MISSING_AESCFB128_SETTINGS ERR

AESCFB128 keys were not found in confd.conf
"AESCFB128 keys were not found in confd.conf"
MISSING_DES3CBC_SETTINGS ERR

DES3CBC keys were not found in confd.conf
"DES3CBC keys were not found in confd.conf"
MISSING_NS2 CRIT

While validating the consistency of the config - a required namespace was missing.
"The namespace ~s (referenced by ~s) could not be found in the loadPath."
MISSING_NS CRIT

While validating the consistency of the config - a required namespace was missing.
"The namespace ~s could not be found in the loadPath."
MMAP_SCHEMA_FAIL ERR

Failed to setup the shared memory schema
"Failed to setup the shared memory schema"
NCS_PACKAGE_AUTH_BAD_RET ERR

Package authentication program returned badly formatted data.
"package authentication using ~s program ret bad output: ~s"
NCS_PACKAGE_AUTH_FAIL INFO

Package authentication failed.
"package authentication using ~s failed via ~s from ~s with ~s: ~s"
NCS_PACKAGE_AUTH_SUCCESS INFO

A package authenticated user logged in.
"package authentication using ~s succeeded via ~s from ~s with ~s, member of groups: ~s~s"
NCS_PACKAGE_CHAL_2FA INFO

Package authentication challenge sent to a user.
"package authentication challenge sent to ~s from ~s with ~s"
NCS_PACKAGE_CHAL_FAIL INFO

Package authentication challenge failed.
"package authentication challenge using ~s failed via ~s from ~s with ~s: ~s"
NETCONF_HDR_ERR ERR

The cleartext header indicating user and groups was badly formatted.
"Got bad NETCONF TCP header"
NETCONF INFO

NETCONF traffic log message
"~s"
NIF_LOG INFO

Log message from NIF code.
"~s: ~s"
NOAAA_CLI_LOGIN INFO

A user used the --noaaa flag to confd_cli
"logged in from the CLI with aaa disabled"
NO_CALLPOINT CRIT

ConfD tried to populate an XML tree but no code had registered under the relevant callpoint.
"no registration found for callpoint ~s of type=~s"
NO_SUCH_IDENTITY CRIT

The fxs file with the base identity is not loaded
"The identity ~s in namespace ~s refers to a non-existing base identity ~s in namespace ~s"
NO_SUCH_NS CRIT

A nonexistent namespace was referred to. Typically this means that a .fxs was missing from the loadPath.
"No such namespace ~s, used by ~s"
NO_SUCH_TYPE CRIT

A nonexistent type was referred to from a ns. Typically this means that a bad version of an .fxs file was found in the loadPath.
"No such simpleType '~s' in ~s, used by ~s"
NOTIFICATION_REPLAY_STORE_FAILURE CRIT

A failure occurred in the builtin notification replay store
"~s"
NS_LOAD_ERR2 CRIT

System tried to process a loaded namespace and failed.
"Failed to process namespaces: ~s"
NS_LOAD_ERR CRIT

System tried to process a loaded namespace and failed.
"Failed to process namespace ~s: ~s"
OPEN_LOGFILE INFO

Indicate target file for certain type of logging
"Logging subsystem, opening log file '~s' for ~s"
PAM_AUTH_FAIL INFO

A user failed to authenticate through PAM.
"PAM authentication failed via ~s from ~s with ~s: phase ~s, ~s"
PAM_AUTH_SUCCESS INFO

A PAM authenticated user logged in.
"pam authentication succeeded via ~s from ~s with ~s"
PHASE0_STARTED INFO

ConfD has just started its start phase 0.
"ConfD phase0 started"
PHASE1_STARTED INFO

ConfD has just started its start phase 1.
"ConfD phase1 started"
READ_STATE_FILE_FAILED CRIT

Reading of a state file failed
"Reading state file failed: ~s: ~s (~s)"
RELOAD INFO

Reload of daemon configuration has been initiated.
"Reloading daemon configuration."
REOPEN_LOGS INFO

Logging subsystem, reopening log files
"Logging subsystem, reopening log files"
REST_AUTH_FAIL INFO

Rest authentication for a user failed.
"rest authentication failed from ~s"
REST_AUTH_SUCCESS INFO

A rest authenticated user logged in.
"rest authentication succeeded from ~s , member of groups: ~s"
RESTCONF_REQUEST INFO

RESTCONF request
"RESTCONF: request with ~s: ~s"
RESTCONF_RESPONSE INFO

RESTCONF response
"RESTCONF: response with ~s: ~s duration ~s us"
REST_REQUEST INFO

REST request
"REST: request with ~s: ~s"
REST_RESPONSE INFO

REST response
"REST: response with ~s: ~s duration ~s ms"
ROLLBACK_FAIL_CREATE ERR

Error while creating rollback file.
"Error while creating rollback file: ~s: ~s"
ROLLBACK_FAIL_DELETE ERR

Failed to delete rollback file.
"Failed to delete rollback file ~s: ~s"
ROLLBACK_FAIL_RENAME ERR

Failed to rename rollback file.
"Failed to rename rollback file ~s to ~s: ~s"
ROLLBACK_FAIL_REPAIR ERR

Failed to repair rollback files.
"Failed to repair rollback files."
ROLLBACK_REMOVE INFO

Found half created rollback0 file - removing and creating new.
"Found half created rollback0 file - removing and creating new"
ROLLBACK_REPAIR INFO

Found half created rollback0 file - repairing.
"Found half created rollback0 file - repairing"
SESSION_CREATE INFO

A new user session was created
"created new session via ~s from ~s with ~s"
SESSION_LIMIT INFO

Session limit reached, rejected new session request.
"Session limit of type '~s' reached, rejected new session request"
SESSION_MAX_EXCEEDED INFO

A user failed to create a new user sessions due to exceeding sessions limits
"could not create new session via ~s from ~s with ~s due to session limits"
SESSION_TERMINATION INFO

A user session was terminated due to specified reason
"terminated session (reason: ~s)"
SKIP_FILE_LOADING DEBUG

System skips a file.
"Skipping file ~s: ~s"
SNMP_AUTHENTICATION_FAILED INFO

An SNMP authentication failed.
"SNMP authentication failed: ~s"
SNMP_CANT_LOAD_MIB CRIT

The SNMP Agent failed to load a MIB file
"Can't load MIB file: ~s"
SNMP_MIB_LOADING DEBUG

SNMP Agent loading a MIB file
"Loading MIB: ~s"
SNMP_NOT_A_TRAP INFO

An UDP package was received on the trap receiving port, but it's not an SNMP trap.
"SNMP gateway: Non-trap received from ~s"
SNMP_READ_STATE_FILE_FAILED CRIT

Read SNMP agent state file failed
"Read state file failed: ~s: ~s"
SNMP_REQUIRES_CDB WARNING

The SNMP agent requires CDB to be enabled in order to be started.
"Can't start SNMP. CDB is not enabled"
SNMP_TRAP_NOT_FORWARDED INFO

An SNMP trap was to be forwarded, but couldn't be.
"SNMP gateway: Can't forward trap from ~s; ~s"
SNMP_TRAP_NOT_RECOGNIZED INFO

An SNMP trap was received on the trap receiving port, but its definition is not known
"SNMP gateway: Can't forward trap with OID ~s from ~s; There is no notification with this OID in the loaded models."
SNMP_TRAP_OPEN_PORT ERR

The port for listening to SNMP traps could not be opened.
"SNMP gateway: Can't open trap listening port ~s: ~s"
SNMP_TRAP_UNKNOWN_SENDER INFO

An SNMP trap was to be forwarded, but the sender was not listed in confd.conf.
"SNMP gateway: Not forwarding trap from ~s; the sender is not recognized"
SNMP_TRAP_V1 INFO

An SNMP v1 trap was received on the trap receiving port, but forwarding v1 traps is not supported.
"SNMP gateway: V1 trap received from ~s"
SNMP_WRITE_STATE_FILE_FAILED WARNING

Write SNMP agent state file failed
"Write state file failed: ~s: ~s"
SSH_HOST_KEY_UNAVAILABLE ERR

No SSH host keys available.
"No SSH host keys available"
SSH_SUBSYS_ERR INFO

Typically errors where the client doesn't properly send the \"subsystem\" command.
"ssh protocol subsys - ~s"
STARTED INFO

ConfD has started.
"ConfD started vsn: ~s"
STARTING INFO

ConfD is starting.
"Starting ConfD vsn: ~s"
STOPPING INFO

ConfD is stopping (due to e.g. confd --stop).
"ConfD stopping (~s)"
TOKEN_MISMATCH ERR

A secondary connected to a primary with a bad auth token
"Token mismatch, secondary is not allowed"
UPGRADE_ABORTED INFO

In-service upgrade was aborted.
"Upgrade aborted"
UPGRADE_COMMITTED INFO

In-service upgrade was committed.
"Upgrade committed"
UPGRADE_INIT_STARTED INFO

In-service upgrade initialization has started.
"Upgrade init started"
UPGRADE_INIT_SUCCEEDED INFO

In-service upgrade initialization succeeded.
"Upgrade init succeeded"
UPGRADE_PERFORMED INFO

In-service upgrade has been performed (not committed yet).
"Upgrade performed"
WEB_ACTION INFO

User executed a Web UI action.
"WebUI action '~s'"
WEB_CMD INFO

User executed a Web UI command.
"WebUI cmd '~s'"
WEB_COMMIT INFO

User performed Web UI commit.
"WebUI commit ~s"
WEBUI_LOG_MSG INFO

WebUI access log message
"WebUI access log: ~s"
WRITE_STATE_FILE_FAILED CRIT

Writing of a state file failed
"Writing state file failed: ~s: ~s (~s)"
XPATH_EVAL_ERROR1 WARNING

An error occurred while evaluating an XPath expression.
"XPath evaluation error: ~s for ~s"
XPATH_EVAL_ERROR2 WARNING

An error occurred while evaluating an XPath expression.
"XPath evaluation error: '~s' resulted in ~s for ~s"
COMMIT_UN_SYNCED_DEV INFO

Data was committed toward a device with bad or unknown sync state
"Committed data towards device ~s which is out of sync"
NCS_DEVICE_OUT_OF_SYNC INFO

A check-sync action reported out-of-sync for a device
"NCS device-out-of-sync Device '~s' Info '~s'"
NCS_JAVA_VM_FAIL ERR

The NCS Java VM failure/timeout
"The NCS Java VM ~s"
NCS_JAVA_VM_START INFO

Starting the NCS Java VM
"Starting the NCS Java VM"
NCS_PACKAGE_BAD_DEPENDENCY CRIT

Bad NCS package dependency
"Failed to load NCS package: ~s; required package ~s of version ~s is not present (found ~s)"
NCS_PACKAGE_BAD_NCS_VERSION CRIT

Bad NCS version for package
"Failed to load NCS package: ~s; requires NCS version ~s"
NCS_PACKAGE_CIRCULAR_DEPENDENCY CRIT

Circular NCS package dependency
"Failed to load NCS package: ~s; circular dependency found"
NCS_PACKAGE_COPYING DEBUG

A package is copied from the load path to private directory
"Copying NCS package from ~s to ~s"
NCS_PACKAGE_DUPLICATE CRIT

Duplicate package found
"Failed to load duplicate NCS package ~s: (~s)"
NCS_PACKAGE_SYNTAX_ERROR CRIT

Syntax error in package file
"Failed to load NCS package: ~s; syntax error in package file"
NCS_PACKAGE_UPGRADE_ABORTED CRIT

The CDB upgrade was aborted implying that CDB is untouched. However the package state is changed
"NCS package upgrade failed with reason '~s'"
NCS_PACKAGE_UPGRADE_UNSAFE CRIT

Package upgrade has been aborted due to warnings.
"NCS package upgrade has been aborted due to warnings:\n~s"
NCS_PYTHON_VM_FAIL ERR

The NCS Python VM failure/timeout
"The NCS Python VM ~s"
NCS_PYTHON_VM_START INFO

Starting the named NCS Python VM
"Starting the NCS Python VM ~s"
NCS_PYTHON_VM_START_UPGRADE INFO

Starting a Python VM to run upgrade code
"Starting upgrade of NCS Python package ~s"
NCS_SERVICE_OUT_OF_SYNC INFO

A check-sync action reported out-of-sync for a service
"NCS service-out-of-sync Service '~s' Info '~s'"
NCS_SET_PLATFORM_DATA_ERROR ERR

The device failed to set the platform operational data at connect
"NCS Device '~s' failed to set platform data Info '~s'"
NCS_SMART_LICENSING_ENTITLEMENT_NOTIFICATION INFO

Smart Licensing Entitlement Notification
"Smart Licensing Entitlement Notification: ~s"
NCS_SMART_LICENSING_EVALUATION_COUNTDOWN INFO

Smart Licensing evaluation time remaining
"Smart Licensing evaluation time remaining: ~s"
NCS_SMART_LICENSING_FAIL INFO

The NCS Smart Licensing Java VM failure/timeout
"The NCS Smart Licensing Java VM ~s"
NCS_SMART_LICENSING_GLOBAL_NOTIFICATION INFO

Smart Licensing Global Notification
"Smart Licensing Global Notification: ~s"
NCS_SMART_LICENSING_START INFO

Starting the NCS Smart Licensing Java VM
"Starting the NCS Smart Licensing Java VM"
NCS_SNMP_INIT_ERR INFO

Failed to locate snmp_init.xml in loadpath
"Failed to locate snmp_init.xml in loadpath ~s"
NCS_SNMPM_START INFO

Starting the NCS SNMP manager component
"Starting the NCS SNMP manager component"
NCS_SNMPM_STOP INFO

The NCS SNMP manager component has been stopped
"The NCS SNMP manager component has been stopped"
BAD_LOCAL_PASS INFO

A locally configured user provided a bad password.
"Provided bad password"
EXT_LOGIN INFO

An externally authenticated user logged in.
"Logged in over ~s using externalauth, member of groups: ~s~s"
EXT_NO_LOGIN INFO

External authentication failed for a user.
"failed to login using externalauth: ~s"
NO_SUCH_LOCAL_USER INFO

A non existing local user tried to login.
"no such local user"
PAM_LOGIN_FAILED INFO

A user failed to login through PAM.
"pam phase ~s failed to login through PAM: ~s"
PAM_NO_LOGIN INFO

A user failed to login through PAM
"failed to login through PAM: ~s"
SSH_LOGIN INFO

A user logged into ConfD's builtin ssh server.
"logged in over ssh from ~s with authmeth:~s"
SSH_LOGOUT INFO

A user was logged out from ConfD's builtin ssh server.
"Logged out ssh <~s> user"
SSH_NO_LOGIN INFO

A user failed to login to ConfD's builtin SSH server.
"Failed to login over ssh: ~s"
WEB_LOGIN INFO

A user logged in through the WebUI.
"logged in through Web UI from ~s"
WEB_LOGOUT INFO

A Web UI user logged out.
"logged out from Web UI"

Trace ID

NSO can issue a unique Trace ID per northbound request, visible in logs and trace headers. This Trace ID can be used to follow the request from service invocation to configuration changes pushed to any device affected by the change. The Trace ID may either be passed in from external client or generated by NSO

Trace ID is enabled by default, and can be turned off by adding the following snippet to NSO.conf: 

          <trace-id>false</trace-id>

Trace ID is propagated downwards in LSA setups and is fully integrated with commit queues.

Trace ID can be passed to NSO over NETCONF, RESTCONF, JSON-RPC or CLI as a commit parameter.

If Trace ID is not given as a commit parameter, NSO will generate one if the feature is enabled. This generated Trace ID will be on the form UUID version 4.

For RESTCONF request, this generated Trace ID will be communicated back to the requesting client as a HTTP header called "X-Cisco-NSO-Trace-ID". The trace-id query parameter can also be used with RPCs and actions to relay a trace-id from northbound requests.

For NETCONF, the Trace ID will be returned as an attributed called "trace-id".

Trace ID will appear in relevant log entries and trace file headers on the form "trace-id=...".

Backup and restore

All parts of the NSO installation, can be backed up and restored with standard file system backup procedures.

In a "system install" of NSO, the most convenient way to do backup and restore is to use the ncs-backup command. In that case the following procedure is used.

Backup

NSO Backup backs up the database (CDB) files, state files, config files and rollback files from the installation directory. To take a complete backup (for disaster recovery), use 

# ncs-backup

The backup will be stored in the "run directory", by default /var/opt/ncs, as /var/opt/ncs/backups/ncs-VERSION@DATETIME.backup

For more information on backup, refer to the ncs-backup(1) in Manual Pages manual page.

NSO Restore

NSO Restore is performed if you would like to switch back to a previous good state or restore a backup.

Note

NSO must be stopped before performing Restore.

  1. Stop NSO if it is running.

    # /etc/init.d/ncs stop

  2. Restore the backup.

    # ncs-backup --restore

    Select the backup to be restored from the available list of backups. The configuration and database with run-time state files are restored in /etc/ncs and /var/opt/ncs.

  3. Start NSO.

    # /etc/init.d/ncs start

Disaster management

This section describes a number of disaster scenarios and recommends various actions to take in the different disaster variants.

NSO fails to start

CDB keeps its data in four files A.cdb, C.cdb, O.cdb and S.cdb. If NSO is stopped, these four files can simply be copied, and the copy is then a full backup of CDB.

Furthermore, if neither files exists in the configured CDB directory, CDB will attempt to initialize from all files in the CDB directory with the suffix ".xml".

Thus, there exists two different ways to re-initiate CDB from a previous known good state, either from .xml files or from a CDB backup. The .xml files would typically be used to reinstall "factory defaults" whereas a CDB backup could be used in more complex scenarios.

If the S.cdb file has become inconsistent or has been removed, all commit queue items will be removed and devices not yet processed out of sync. For such an event appropriate alarms will be raised on the devices and any service instance that has unprocessed device changes will be set in the failed state.

When NSO starts and fails to initialize, the following exit codes can occur:

  • Exit codes 1 and 19 mean that an internal error has occurred. A text message should be in the logs, or if the error occurred at startup before logging had been activated, on standard error (standard output if NSO was started with --foreground --verbose). Generally the message will only be meaningful to the NSO developers, and an internal error should always be reported to support.

  • Exit codes 2 and 3 are only used for the ncs "control commands" (see the section COMMUNICATING WITH NCS in the ncs(1) in Manual Pages manual page), and mean that the command failed due to timeout. Code 2 is used when the initial connect to NSO didn't succeed within 5 seconds (or the TryTime if given), while code 3 means that the NSO daemon did not complete the command within the time given by the --timeout option.

  • Exit code 10 means that one of the init files in the CDB directory was faulty in some way. Further information in the log.

  • Exit code 11 means that the CDB configuration was changed in an unsupported way. This will only happen when an existing database is detected, which was created with another configuration than the current in ncs.conf.

  • Exit code 13 means that the schema change caused an upgrade, but for some reason the upgrade failed. Details are in the log. The way to recover from this situation is either to correct the problem or to re-install the old schema (fxs) files.

  • Exit code 14 means that the schema change caused an upgrade, but for some reason the upgrade failed, corrupting the database in the process. This is rare and usually caused by a bug. To recover, either start from an empty database with the new schema, or re-install the old schema files and apply a backup.

  • Exit code 15 means that A.cdb or C.cdb is corrupt in a non-recoverable way. Remove the files and re-start using a backup or init files.

  • Exit code 16 means that CDB ran into an unrecoverable file-error (such as running out of space on the device while performing journal compaction).

  • Exit code 20 means that NSO failed to bind a socket.

  • Exit code 21 means that some NSO configuration file is faulty. More information in the logs.

  • Exit code 22 indicates a NSO installation related problem, e.g. that the user does not have read access to some library files, or that some file is missing.

If the NSO daemon starts normally, the exit code is 0.

If the AAA database is broken, NSO will start but with no authorization rules loaded. This means that all write access to the configuration is denied. The NSO CLI can be started with a flag ncs_cli --noaaa which will allow full unauthorized access to the configuration.

NSO failure after startup

NSO attempts to handle all runtime problems without terminating, e.g. by restarting specific components. However there are some cases where this is not possible, described below. When NSO is started the default way, i.e. as a daemon, the exit codes will of course not be available, but see the --foreground option in the ncs(1) manual page.

  • Out of memory: If NSO is unable to allocate memory, it will exit by calling abort(3). This will generate an exit code as for reception of the SIGABRT signal - e.g. if NSO is started from a shell script, it will see 134 as exit code (128 + the signal number).

  • Out of file descriptors for accept(2): If NSO fails to accept a TCP connection due to lack of file descriptors, it will log this and then exit with code 25. To avoid this problem, make sure that the process and system-wide file descriptor limits are set high enough, and if needed configure session limits in ncs.conf.

    Note

    The out-of-file descriptors issue may also manifest itself in that applications are no longer able to open new file descriptors.

    In many Linux systems the default limit is 1024, but if we, for example, assume that there are 4 northbound interface ports, CLI, RESTCONF, SNMP, WebUI/JSON-RPC, or similar, plus a few hundreds of IPC ports, x 1024 == 5120. But one might as well use the next power of two, 8192, to be on the safe side.

    Several application issues can contribute to consuming extra ports. In the scope of a NSO application that could, for example, be a script application that invokes CLI command or a callback daemon application that does not close the connection socket as they should.

    A commonly used command for changing the maximum number of open file descriptors is ulimit -n [limit]. Commands such as netstat and lsof can be useful to debug file descriptor related issues.

Transaction commit failure

When the system is updated, NSO executes a two phase commit protocol towards the different participating databases including CDB. If a participant fails in the commit() phase although the participant succeeded in the prepare phase, the configuration is possibly in an inconsistent state.

When NSO considers the configuration to be in a inconsistent state, operations will continue. It is still possible to use NETCONF, the CLI and all other northbound management agents. The CLI has a different prompt which reflects that the system is considered to be in an inconsistent state and also the Web UI shows this: 

  -- WARNING ------------------------------------------------------
  Running db may be inconsistent. Enter private configuration mode and
  install a rollback configuration or load a saved configuration.
  ------------------------------------------------------------------

The MAAPI API has two interface functions which can be used to set and retrieve the consistency status, those are maapi_set_running_db_status() and maapi_get_running_db_status() corresponding. This API can thus be used to manually reset the consistency state. The only alternative to reset the state to a consistent state is by reloading the entire configuration.

Troubleshooting

This section discusses problems that new users have seen when they started to use NSO. Please do not hesitate to contact our support team (see below) if you are having trouble, regardless of whether your problem is listed here or not. A very useful tool in that regard is the ncs-collect-tech-report tool, which is Bash script that comes with the product. It collects all log files, CDB backup, and several debug dumps as a TAR file. Note that it only works with a system install. 

        
root@linux:/# ncs-collect-tech-report --full

Installation Problems

Error messages during installation

The installation program gives a lot of error messages, the first few like the ones below. The resulting installation is obviously incomplete. 

tar: Skipping to next header
gzip: stdin: invalid compressed data--format violated

Cause: This happens if the installation program has been damaged, most likely because it has been downloaded in 'ascii' mode.

Resolution: Remove the installation directory. Download a new copy of NSO from our servers. Make sure you use binary transfer mode every step of the way.

Problems Starting NSO

NSO terminating with GLIBC error

NSO terminates immediately with a message similar to the one below. 

Internal error: Open failed: /lib/tls/libc.so.6: version
`GLIBC_2.3.4' not found (required by
.../lib/ncs/priv/util/syst_drv.so)

Cause: This happens if you are running on a very old Linux version. The GNU libc (GLIBC) version is older than 2.3.4, which was released 2004.

Resolution: Use a newer Linux system, or upgrade the GLIBC installation.

Problems Running Examples

The 'netconf-console' program fails

Sending NETCONF commands and queries with 'netconf-console' fails, while it works using 'netconf-console-tcp'. The error message is below.

You must install the Python SSH implementation Paramiko in order to use SSH.

Cause: The netconf-console command is implemented using the Python programming language. It depends on the Python SSHv2 implementation Paramiko. Since you are seeing this message, your operating system doesn't have the Python-module Paramiko installed.

Resolution: Install Paramiko using the instructions from

When properly installed, you are be able to import the Paramiko module without error messages. 

$ python
...
>>> import paramiko
>>>

Exit the Python interpreter with Ctrl+D.

A workaround is to use 'netconf-console-tcp'. It uses TCP instead of SSH and doesn't require Paramiko. Note that TCP traffic is not encrypted.

Problems Using and Developing Services

If you encounter issues while loading service packages, creating service instances, or developing service models, template, and code, you can consult the Troubleshooting section in Implementing Services in Development Guide.

General Troubleshooting Strategies

If you have trouble starting or running NSO, the examples or the clients you write, here are some troubleshooting tips.

Transcript

When contacting support, it often helps the support engineer to understand what you are trying to achieve if you copy-paste the commands, responses and shell scripts that you used to trigger the problem, together with any CLI outputs and logs produced by NSO.

Source ENV variables

If you have problems executing ncs commands, make sure you source the ncsrc script in your NSO directory (your path may be different than the one in the example if you are using a local install), which sets the required environmental variables. 

$ source /etc/profile.d/ncs.sh
Log files

To find out what NSO is/was doing, browsing NSO log files is often helpful. In the examples, they are called 'devel.log', 'ncs.log', 'audit.log'. If you are working with your own system, make sure the log files are enabled in ncs.conf. They are already enabled in all the examples. You can read more about how to enable and inspect various logs in the logging chapter

Verify hardware resources

Both high CPU utilization and a lack of memory can negatively affect the performance of NSO. You can use commands such as top to examine resource utilization, and free -mh to see the amount of free and consumed memory. A common symptom of a lack of memory is NSO or Java-VM restarting. A sufficient amount of disk space is also required for CDB persistence and logs, so you can also check disk space with df -h command. In case there is enough space on disk and you still encounter ENOSPC errors, check the inode usage with df -i command.

Status

NSO will give you a comprehensive status of daemon status, YANG modules, loaded packages, MIBs, active user sessions, CDB locks and more, if you run 

$ ncs --status

NSO status information is also available as operational data under /ncs-state.

Check data provider

If you are implementing a data provider (for operational or configuration data), you can verify that it works for all possible data items using 

$ ncs --check-callbacks

Debug dump

If you suspect you have experienced a bug in NSO, or NSO told you so, you can give Support a debug dump to help us diagnose the problem. It contains a lot of status information (including a full ncs --status report) and some internal state information. This information is only readable and comprehensible to the NSO development team, so send the dump to your support contact. A debug dump is created using 

$ ncs --debug-dump mydump1

Just as in CSI on TV, it's important that the information is collected as soon as possible after the event. Many interesting traces will wash away with time, or stay undetected if there are lots of irrelevant facts in the dump.

If NSO gets stuck while terminating, it can optionally create a debug dump after being stuck for 60 seconds. To enable this mechanism, set the environment variable $NCS_DEBUG_DUMP_NAME to a filename of your choice.

Error log

Another thing you can do in case you suspect that you have experienced a bug in NSO, is to collect the error log. The logged information is only readable and comprehensible to the NSO development team, so send the log to your support contact. The log actually consists of a number of files called ncserr.log.* - make sure to provide them all.

System dump

If NSO aborts due to failure to allocate memory (see the section called “Disaster management”), and you believe that this is due to a memory leak in NSO, creating one or more debug dumps as described above (before NSO aborts) will produce the most useful information for Support. If this is not possible, NSO will produce a system dump by default before aborting, unless DISABLE_NCS_DUMP is set. The default system dump file name is ncs_crash.dump and it could be changed by setting the environment variable $NCS_DUMP before starting NSO. The dumped information is only comprehensible to the NSO development team, so send the dump to your support contact.

System call trace

To catch certain types of problems, especially relating to system start and configuration, the operating system's system call trace can be invaluable. This tool is called strace/ktrace/truss. Please send the result to your support contact for a diagnosis. Running instructions below.

Linux:

# strace -f -o mylog1.strace -s 1024 ncs ...

BSD:

# ktrace -ad -f mylog1.ktrace ncs ...
# kdump -f mylog1.ktrace > mylog1.kdump

Solaris:

# truss -f -o mylog1.truss ncs ...