# OpenNSA configuration

## Example Configuration

```ini
[service]
network=Aruba
logfile=nsalog.log
nrmmap=ports.nrm
peers=http://host.example.org:9080/NSI/discovery.xml
      https://nsi.example.com/NSI/discovery.xml
policies=requiretrace,requireuser
serviceid_start=1900000

# Database
database=opennsa
dbuser=dbuser
dbpassword=dbpassword
dbhost=127.0.0.1

[dud]
option1=123
option2=abc
```
## Service block

These are the options for the service block:

network
: The network name managed by OpenNSA. Mandatory.

logfile
: File to log to. Default: `/var/log/opennsa.log`

nrmmap
: Path to the port/topology NRM description file.

peers
: URLs of the NSAs to peer with, control-plane wise.
  Separate multiple entries with newlines (only `peers=` on the first
  line). When using multiple lines, the following peer URLs must be
  indented at least past the `=` on the first line (parser limitation).
  Optional. Configuring no peers puts OpenNSA into UPA mode.

policies
: What policies are required. Currently `requiretrace`, `requireuser`
  and `aggregator` are the possible options. These require a connection
  trace, require a user security attribute, and allow proxy aggregation,
  respectively. Optional.

serviceid_start
: Initial service id to set in the database. Requires a plugin to use. Optional.

database
: Name of the PostgreSQL database to connect to. Mandatory.

dbuser
: Username to use when connecting to the database. Mandatory.

dbpassword
: Password to use when connecting to the database. Mandatory.

dbhost
: Host to connect to for the database. Optional. If not specified,
  OpenNSA will connect to PostgreSQL over the unix domain socket.
  OpenNSA does not require anything big from the database, so using a
  different host/VM is almost surely a waste of resources. It is
  however useful when running PostgreSQL in Docker.
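The `peers` continuation rule above is easy to get wrong, and an INI-style parser does not necessarily complain when it is. The following is an added example, not OpenNSA's own code: it reads a `[service]` block with Python's standard `configparser` (that OpenNSA uses a parser with the same indentation-based continuation rule is an assumption), splits `peers` and `policies` into lists, checks the mandatory options, and reports any stray keys, which is what a flush-left second URL turns into.

```python
"""Added example (not OpenNSA's own code): parse a [service] block with
Python's standard configparser and show why continuation lines for
`peers` must be indented. That OpenNSA uses an INI-style parser with the
same continuation rule is an assumption based on the documentation."""
import configparser

# Constructed sample config: the second peer URL is indented past the `=`,
# so the parser treats it as a continuation of the `peers` value.
GOOD_CONFIG = """\
[service]
network=Aruba
nrmmap=ports.nrm
peers=http://host.example.org:9080/NSI/discovery.xml
      https://nsi.example.com/NSI/discovery.xml
policies=requiretrace,requireuser
database=opennsa
dbuser=dbuser
dbpassword=dbpassword
"""

# The same config with the second URL flush-left (the mistake the docs warn about).
# The parser then reads "https" as an option name and "//nsi..." as its value.
BAD_CONFIG = GOOD_CONFIG.replace("\n      https://", "\nhttps://")

# Options documented for the service block, and the documented policy names.
KNOWN_OPTIONS = {"network", "logfile", "nrmmap", "peers", "policies",
                 "serviceid_start", "database", "dbuser", "dbpassword", "dbhost"}
KNOWN_POLICIES = {"requiretrace", "requireuser", "aggregator"}


def parse_service_block(text):
    """Return the parsed service options plus `stray_keys`: keys the parser
    produced that are not documented options (symptom of a bad continuation)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    svc = cp["service"]

    for key in ("network", "database", "dbuser", "dbpassword"):
        if key not in svc:
            raise ValueError(f"mandatory option {key!r} missing")

    # A multi-line value arrives as "url1\nurl2"; drop blank entries.
    peers = [p.strip() for p in svc.get("peers", "").splitlines() if p.strip()]
    policies = {p.strip() for p in svc.get("policies", "").split(",") if p.strip()}
    unknown = policies - KNOWN_POLICIES
    if unknown:
        raise ValueError(f"unknown policies: {sorted(unknown)}")

    return {
        "network": svc["network"],
        "peers": peers,
        "upa_mode": not peers,           # no peers -> UPA mode, per the docs
        "policies": policies,
        "dbhost": svc.get("dbhost"),     # None -> unix domain socket, per the docs
        "stray_keys": sorted(set(svc.keys()) - KNOWN_OPTIONS),
    }


if __name__ == "__main__":
    print(parse_service_block(GOOD_CONFIG))
    print(parse_service_block(BAD_CONFIG)["stray_keys"])   # ['https']
```

Because a URL contains a colon, and `:` is an accepted key/value delimiter in INI syntax, the unindented line is not a parse error; it silently becomes an unrelated option and the peer is lost. Checking for keys outside the documented set is a cheap way to catch this before OpenNSA starts in UPA mode by accident.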
## Backend

A backend is configured by a section named after the type of backend, e.g. `dud`
(for testing) or `junosmx`. The configuration options in the section are
specific to the backend. Reading the setup code in the backend is the easiest way
to see the options.

### Custom Backend

If you have written your own backend that is specific to an organization or project, you can use the `custombackend` option:

```ini
[custombackend]
module=mycustombackend
op1=123
op2=abc
```

This will import the Python module named `mycustombackend` and pass along the
configuration options. You will probably need to set `PYTHONPATH` to include
the path of the module.

It is strongly recommended that you keep the module outside the OpenNSA module so that you can upgrade OpenNSA without having to re-deploy your backend.
## NRM Configuration

Configuring the NRM file is typically the most confusing part of setting up OpenNSA. In short, the NRM file defines the ports available through the NSI protocol, as OpenNSA does not make everything available. An NRM file is line based and typically looks like this:

```
# type name remote label bandwidth interface attributes
ethernet ps - vlan:1780-1799,2000 1000 em0 user=johndoe@example.org
ethernet bon bonaire.net:topology#arb(-in|-out) vlan:1780-1799 1000 em3 restricttransit
ethernet cur curacao.net:topology#arb(-in|-out) vlan:1780-1799 1000 em3 restricttransit,hostdn=curacao.example.net
```

Each line describes an STP (NSI term). An STP is more or less the same as a port. Note that two STPs can point to the same underlying interface / port, which can occasionally be useful (you will probably know if this happens). OpenNSA does reservations on the interface resources internally, to ensure that resources do not get double-booked.
### NRM Configuration options

type
: The port type. Only `ethernet` is recognized at the moment.
  Bidirectional is implied.

name
: The name of the STP. The STP address will be a URN with the network and name in it.

remote
: The network and port this port is connected to. Format:
  `network#port(-inprefix|-outprefix)`.
  Use `-` if not connected to any network (termination inside the network).

label
: STP configuration options. Currently `vlan` and `mpls` are supported.
  Note that not all backends support these. Single values and ranges can be
  specified, comma separated. Use `-` if no labels are to be used (i.e., an ethernet trunk).

bandwidth
: The available bandwidth on the port (or the bandwidth that is
  available to OpenNSA on the port).

interface
: The interface / port on the network device.

attributes
: A comma separated list of attributes that describe security
  attributes or policies for the port. Security attributes always have the form
  `key=value`; otherwise the entry is a policy. Despite the name, security attributes
  are not very secure.
  The `hostdn` attribute is matched against the hostname of a certificate. For this to work
  OpenNSA must be configured to run with TLS (see docs/tls-guide).
  The only supported policy at the moment is `restricttransit`. If
  two ports both have the `restricttransit` attribute, connections
  between the two will not be allowed.
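To make the NRM format and the attributes column concrete, here is an added example (not OpenNSA's own parser) that reads the sample lines from the section above into STP records, splits the attributes column into security attributes (`key=value`) and policies, evaluates the documented `restricttransit` rule between two ports, and lists interfaces that more than one STP points at. The field order, the `key=value` rule and the `restricttransit` semantics follow this page; the `STP` class, the function names and treating `-` as "no attributes" are assumptions of the example.

```python
"""Added example (not OpenNSA's own parser): read NRM lines into STP
records, separate security attributes (key=value) from policies, and
evaluate the restricttransit rule. Field order, the key=value rule and
the restricttransit semantics follow the documentation; the STP class,
the function names and treating "-" as "no attributes" are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample NRM file (the same lines as in the documentation).
SAMPLE_NRM = """\
# type name remote label bandwidth interface attributes
ethernet ps - vlan:1780-1799,2000 1000 em0 user=johndoe@example.org
ethernet bon bonaire.net:topology#arb(-in|-out) vlan:1780-1799 1000 em3 restricttransit
ethernet cur curacao.net:topology#arb(-in|-out) vlan:1780-1799 1000 em3 restricttransit,hostdn=curacao.example.net
"""

SUPPORTED_LABELS = ("vlan", "mpls")


@dataclass
class STP:
    name: str
    remote: Optional[str]          # None when the port terminates inside the network
    labels: dict                   # e.g. {"vlan": {1780, ..., 1799, 2000}}
    bandwidth: int
    interface: str
    security_attributes: dict = field(default_factory=dict)   # key=value entries
    policies: set = field(default_factory=set)                # bare-word entries


def parse_label(spec):
    """'vlan:1780-1799,2000' -> {'vlan': {1780..1799, 2000}}; '-' -> {} (trunk)."""
    if spec == "-":
        return {}
    kind, _, values = spec.partition(":")
    if kind not in SUPPORTED_LABELS or not values:
        raise ValueError(f"unsupported label spec: {spec!r}")
    ids = set()
    for part in values.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return {kind: ids}


def parse_attributes(spec):
    """Split the attributes column: key=value entries are security attributes,
    anything else is a policy. '-' (assumed) or empty means no attributes."""
    sec, pol = {}, set()
    if spec in ("", "-"):
        return sec, pol
    for item in spec.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            sec[key] = value
        else:
            pol.add(item)
    return sec, pol


def parse_nrm(text):
    """Parse NRM text into a dict of STP name -> STP, skipping comments/blank lines."""
    stps = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        ptype, name, remote, label, bandwidth, iface, attrs = fields
        if ptype != "ethernet":
            raise ValueError(f"line {lineno}: unsupported port type {ptype!r}")
        if name in stps:
            raise ValueError(f"line {lineno}: duplicate STP name {name!r}")
        sec, pol = parse_attributes(attrs)
        stps[name] = STP(name, None if remote == "-" else remote, parse_label(label),
                         int(bandwidth), iface, sec, pol)
    return stps


def transit_allowed(a, b):
    """The documented rule: two restricttransit ports may not be connected."""
    return not ("restricttransit" in a.policies and "restricttransit" in b.policies)


def shared_interfaces(stps):
    """Interfaces referenced by more than one STP; OpenNSA's internal interface
    reservation is what keeps these from being double-booked."""
    by_iface = {}
    for stp in stps.values():
        by_iface.setdefault(stp.interface, []).append(stp.name)
    return {iface: sorted(names) for iface, names in by_iface.items() if len(names) > 1}


if __name__ == "__main__":
    ports = parse_nrm(SAMPLE_NRM)
    print(transit_allowed(ports["bon"], ports["cur"]))   # False
    print(shared_interfaces(ports))                       # {'em3': ['bon', 'cur']}
```

Running the sample through `parse_nrm` shows the two things the documentation calls out: `bon` and `cur` both carry `restricttransit`, so `transit_allowed` refuses the pair, and both sit on `em3`, which `shared_interfaces` flags so an operator can confirm the overlap is intended.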