Provided by: netopeer2_2.0.35-1ubuntu1_amd64 
NAME
netopeer2-cli - NETCONF client with command line interface build on libnetconf2
DESCRIPTION
netopeer2-cli serves as a generic NETCONF client providing a simple interactive command line interface.
It allows user to establish a NETCONF session with a NETCONF-enabled device on the network and to obtain
and manipulate its configuration data. netopeer2-cli is limited to a single NETCONF connection at a time
via a forward or a reverse (Call Home) connecting method.
Here is the list of NETCONF capabilities supported by netopeer2-cli:
• NETCONF protocol version 1.0 and 1.1 (RFC 6241)
• SSH transport (RFC 6242)
• TLS transport (RFC 5539bis)
• Call Home (reverse SSH/TLS)
• Event Notifications (RFC 5277)
• Access Control (RFC 6536)
• :writable-running capability
• :startup capability
• :candidate capability
• :confirmed-commit capability
• :validate capability version 1.1
• :with-defaults capability (RFC 6243)
• :url capability
• :xpath capability
TRANSPORT
The supported transport protocols are detected automatically based on how was libnetconf2 compiled.
Unsupported (sub)commands are then not available and are hidden in the help. This page, however, contains
them all.
COMMANDS
help
Display list of commands. --(h)elp option is also accepted by all commands to show detailed information
about the command.
connect
Connect to a NETCONF server.
connect [--help] [--host hostname] [--port num]
[--ssh] [--login username]
--tls [--cert cert_path [--key key_path]] [--trusted trusted_CA_store.pem]
--h(o)st hostname
Specifies the hostname of the NETCONF server to connect to. If not specified, 'localhost' is
used.
--(p)ort num
Port to connect to the NETCONF server on. By default, port 830 for SSH or 6513 for TLS transport
is used.
--(s)sh
Use NETCONF over SSH transport. This is the default, when both SSH and TLS are enabled.
--(l)ogin username
Specify the SSH username to connect with. By default, the current system user is used.
--(t)ls
Use NETCONF over TLS transport.
--(c)ert cert_path
Use a specific certificate for TLS handshake. cert_path specifies path to the client certificate
in CRT format. If the --key option is not specified, cert_path is expected to contain also the
private key for the client certificate, in PEM format.
--(k)ey key_path
Specifies path to the private key for the client certificate in KEY format. If not specified,
cert_path is expected to contain also the private key for the client certificate, in PEM format.
--t(r)usted trusted_CA_store.pem
Specifies path to a trusted CA certificate bundle in PEM format to be used exclusively for server
verification for this connection instead of the default CA directory.
listen
Listen for a NETCONF Call Home.
listen [--help] [--timeout sec] [--host hostname] [--port num]
[--ssh] [--login username]
--tls [--cert cert_path [--key key_path]] [--trusted trusted_CA_store.pem]
--t(i)meout sec
Specifies the time for how long the CLI will listen for the Call Home connection. By default, 60
(a minute) is used.
--h(o)st hostname
Specifies the hostname (interface) to listen on. By default, ::0 is used.
other options
The rest of the options have similar meaning as in connect.
disconnect
Disconnect from a NETCONF server.
commit
Perform NETCONF <commit> operation. For more details see RFC 6241 section 8.3.4.1.
commit [--help] [--confirmed] [--confirm-timeout sec] [--persist new-commit-id] [--persist-id commit-id]
--(c)onfirmed
Make the <commit> a confirmed commit. See RFC 6421 section 8.4.
--confirm-(t)imeout sec
Specify the confirmed commit timeout. Can be used only with --confirmed.
--(p)ersist new-commit-id
Make the commit a persistent commit. new-commit-id is the identificator of the commit.
--persist-(i)d commit-id
Confirm a persistent commit with the commit-id identificator.
cancel-commit
Cancel a pending confirmed commit.
cancel-commit [--help] [--persist-id commit-id]
--persist-(i)d commit-id
Cancel a specific commit-id pending confirmed commit.
copy-config
Perform NETCONF <copy-config> operation. For more details see RFC 6241 section 7.3.
copy-config [--help] --target running|startup|candidate|url:url (--source
running|startup|candidate|url:url | --src-config [file]) [--defaults report-all|report-all-
tagged|trim|explicit]
--(t)arget running|startup|candidate|url:url
Specifies the target of the <copy-config> operation. Either a datastore or a specific URL can be
specified.
--(s)ource running|startup|candidate|url:url
Specifies the source of the <copy-config> operation. Either a datastore or a specific URL can be
specified.
--src-(c)onfig [file]
Specifies the source of the <copy-config> operation. If a file with the configuration is not
specified, the configuration is read from the standard input.
--(d)efaults report-all|report-all-tagged|trim|explicit
Use :with-defaults capability with the specified retrieval mode. For more details see RFC 6243
section 3.
delete-config
Perform NETCONF <delete-config> operation. For more details see RFC 6241 section 7.4.
delete-config [--help] --target startup|url:url
--(t)arget startup|url:url
Specifies the target of the <delete-config> operation. Either the startup datastore or a specific
URL can be specified.
discard-changes
Perform NETCONF <discard-changes> operation. It reverts the candidate configuration to the current
running configuration. For more details see RFC 6241 section 8.3.4.2.
edit-config
Perform NETCONF <edit-config> operation. For more details see RFC 6241 section 7.2.
edit-config [--help] --target running|candidate (--config [file] | --url url) [--defop
merge|replace|none] [--test set|test-only|test-then-set] [--error stop|continue|rollback]
--(t)arget running|candidate
Specifies the target of the <edit-config> operation.
--(c)onfig [file]
Specifies the content of the <edit-config> operation. If a file with the configuration is not
specified, the configuration is read from the standard input.
--(u)rl ur
Specifies the content of the <edit-config> operation. It is retrieved from that specific URL.
--def(o)p merge|replace|none
Specifies default operation for applying configuration data.
merge Merge configuration data at the corresponding level. This is the default value.
replace
Edit configuration data completely replaces the configuration in the target datastore.
none The target datastore is unaffected by the edit configuration data, unless and until the
edit configuration data contains the operation attribute to request a different operation.
--t(e)st set|test-only|test-then-set
Perform validation of the modified configuration data. This option is available only if the
server supports :validate:1.1 capability (see RFC 6241 section 8.6).
set Do not perform validation test.
test-only
Do not apply the modified data, only perform the validation test.
test-then-set
Perform a validation test before attempting to apply modified configuration data. This is
the default value.
--e(r)ror stop|continue|rollback
Set reaction to an error.
stop Abort the operation on first error. This is the default value.
continue
Continue to process configuration data on error. The error is recorded and negative
response is returned.
rollback
Stop the operation processing on error and restore the configuration to its complete state
at the start of this operation. This action is available only if the server supports
:rollback-on-error capability (see RFC 6241 section 8.5).
get
Perform NETCONF <get> operation. Retrieves both status as well as configuration data from the current
running datastore. For more details see RFC 6241 section 7.7.
get [--help] [--filter-subtree [file] | --filter-xpath XPath] [--defaults report-all|report-all-
tagged|trim|explicit] [--out file]
--filter-(s)ubtree [file]
Specifies if the request will contain a subtree filter (RFC 6241 section 6). The file is
expected to contain the filter specification. If it is not specified, it is read from standard
input.
--filter-(x)path XPath
Specififes is the request will contain an XPath filter. XPath is the expression used for
filtering.
--(d)efaults report-all|report-all-tagged|trim|explicit
Use :with-defaults capability with specified retrieval mode. For more details see RFC 6243
section 3.
--(o)ut file
Print the result of the command into a file rather than to the standard output.
get-config
Perform NETCONF <get-config> operation. Retrieves only configuration data from the specified source. For
more details see RFC 6241 section 7.1.
get-config [--help] --source running|startup|candidate [--filter-subtree [file] | --filter-xpath XPath]
[--defaults report-all|report-all-tagged|trim|explicit] [--out file]
--(s)ource running|startup|candidate
Specifies the source of the <get-config> operation.
--filter-(s)ubtree [file]
Specifies if the request will contain a subtree filter (RFC 6241 section 6). The file is
expected to contain the filter specification. If it is not specified, it is read from standard
input.
--filter-(x)path XPath
Specififes is the request will contain an XPath filter. XPath is the expression used for
filtering.
--(d)efaults report-all|report-all-tagged|trim|explicit
Use :with-defaults capability with specified retrieval mode. For more details see RFC 6243
section 3.
--(o)ut file
Print the result of the command into a file rather than to the standard output.
get-schema
Perform NETCONF <get-schema> operation that retrieves specified data model used by the server. This
operation is available only if the server implements the YANG Module for NETCONF Monitoring. The list of
available schemas can be retrieved from /netconf-state/schemas subtree via the <get> operation. For more
details see RFC 6022 sections 3.1 and 4.
get-schema [--help] --model identifier [--version version] [--format format] [--out file]
--(m)odel identifier
Identifier for the schema list entry.
--(v)ersion version
Version of the requested schema.
--(f)ormat format
The data modeling language (format) of the requested schema. Default value is yang.
--(o)ut file
Print the result of the command into a file rather than to the standard output.
kill-session
Perform NETCONF <kill-session> operation to terminate specified NETCONF session. To terminate the
current session, use the disconnect command. For more details see RFC 6241 section 7.9.
kill-session [--help] --sid sesion-ID
--(s)id session-ID
Session identifier of the NETCONF session to be terminated.
lock
Perform the NETCONF <lock> operation to lock the entire configuration datastore of a server. For more
details see RFC 6241 section 7.5.
lock [--help] --target running|startup|candidate
--(t)arget running|startup|candidate
Target datastore to lock..
unlock
Perform the NETCONF <unlock> operation to release a configuration lock, previously obtained with the
<lock> operation. For more details see RFC 6241 section 7.6.
lock [--help] --target running|startup|candidate
--(t)arget running|startup|candidate
Target datastore to unlock.
validate
Perform the NETCONF <validate> operation to validate configuration data. For more details see RFC 6241
section 8.6.4.1.
validate [--help] (--source running|startup|candidate|url:url | --src-config [file])
--(s)ource running|startup|candidate|url:url
Specifies the source of the <validate> operation. Either a datastore or a specific URL can be
specified.
--src-(c)onfig [file]
Specifies the source of the <validate> operation. If a file with the configuration is not
specified, the configuration is read from the standard input.
subscribe
Perform NETCONF Event Notifications <create-subscription> operation. For more details see RFC 5277
section 2.1.1.
subscribe [--help] [--filter-subtree [file] | --filter-xpath XPath] [--begin time] [--end time] [--stream
stream] [--out file]
--filter-(s)ubtree [file]
Specifies if the request will contain a subtree filter (RFC 6241 section 6). The file is
expected to contain the filter specification. If it is not specified, it is read from standard
input.
--filter-(x)path XPath
Specififes is the request will contain an XPath filter. XPath is the expression used for
filtering.
--(b)egin time
Start to replay event notifications from past (future time is not valid). If the start time is
not specified, replay feature is not activated and only new event notifications are received.
Format of the time parameter is described below.
--(e)nd time
Specifies when the event replay stops. Format of the time parameter is as follows:
+time Current time plus the given number of seconds.
time Absolute time as number of seconds since 1970-01-01.
-time Current time minus the given number of seconds.
--s(t)ream stream
Specifies which event stream is of the interest. If not specified, default NETCONF stream is
received. The list of available streams can be retrieved from /netconf/streams subtree via the
<get> operation.
--(o)ut file
Print the received notifications into a file rather than to the standard output.
cert
Manage client and trusted Certificate Authority certificates that are used for TLS verification stored in
~/.netopeer2-cli/client.* and ~/.netopeer2-cli/certs respectively.
This command is available with TLS support.
cert [--help] [display] [add cert_path] [remove cert_name] [displayown] [replaceown (cert_path.pem |
cert_path.crt key_path.key)]
display
Displays all the recognized certificates in ~/.netopeer2-cli/certs. First the file name and
serial number, then subject, issuer and validity are shown for each certificate.
add cert_path
Adds the cert_path certificate to the trusted CA dir ~/.netopeer2-cli/certs and recalculates
hashes of all the certificates.
remove cert_name
Removes the cert_name certificate from the trusted CA dir ~/.netopeer2-cli/certs and recalculates
hashes of all the certificates. cert_name is the certificate file name, as displayed in the cert
display command output.
displayown
Shows information about the status of the default client certificates and displays information
about any relevant found client certificates ~/.netopeer2-cli/client.crt and
~/.netopeer2-cli/client.pem.
replaceown cert_path [key_path]
Replaces the default client certificates with the PEM certificate in cert_path or the CRT
certificate cert_path and private key key_path. All previous client certificates are deleted.
crl
Manage Certificate Revocation List certificates that are stored in the ~/.netopeer2-cli/crl directory.
This command is available only with TLS support.
crl [--help] [display] [add crl_path] [remove crl_name]
display
Displays all the recognized CRLs in ~/.netopeer2-cli/crl. First the file name, then issuer, last
and next update dates are shown for each CRL followed by the serial numbers and revocation dates
of all the revocated certificates.
add crl_path
Adds the crl_path CRL to the ~/.netopeer2-cli/crl dir and recalculates hashes of all the CRLs.
remove crl_name
Removes the cert_name CRL from the ~/.netopeer2-cli/crl dir and recalculates hashes of all the
CRLs. crl_name is the CRL file name, as displayed in the crl display command output.
auth
Manage SSH authentication options - authentication preferences and private keys.
This command is available with SSH support.
auth (--help | pref [(publickey | interactive | password) preference] | keys [add private_key_path]
[remove key_index])
pref
Print the current authentication method preferences or change a specific method preference.
preference
The new preference of the authentication method. Negative values disable the authentication
method.
keys
Manage keys used for authentication.
path_to_the_key
If specified, add or remove the keys. If not, show the current keys.
editor
Manage the external editor used for modifying raw input data.
editor [--help] [path/name_of_the_editor]
path/name_of_the_editor
The full path or just the name of the editor to be used.
status
Print information about the current NETCONF session.
user-rpc
Send your own content in an RPC envelope.
user-rpc [--help] [--content file] [--out file]
--(c)ontent file
Specifies a file containing NETCONF RPC operation in XML format. Only the NETCONF <rpc> envelope
is added to the file content and then it is sent to a server. If the file is omitted, the RPC
content is read from the standard input.
--(o)ut file
Print the command result into a file rather than to the standard output.
searchpath
Set the directory, which will be used when searching for modules. Modules are always needed to be able to
work with the same data as a NETCONF server. They are searched locally (in this directory) only if the
server does not support the <get-schema> NETCONF operation. If it does, all the modules (except ietf-
netconf-monitoring, which includes the definition of the <get-schema> RPC itself) are downloaded from the
server.
searchpath model-dir-path
outputformat
Set the format for all the output data. XML is the default.
outputformat (xml | xml_noformat | json)
version
Print the CLI version.
verb
Set CLI verbosity. Only errors are printed by default.
verb (error/0 | warning/1 | verbose/2 | debug/3)
quit
Quit the program.
FILES
~/.netopeer2-cli/config.xml
Per user configuration for NETCONF <hello> message (see RFC 6241 for further details).
~/.netopeer2-cli/history
Per user history of executed commands.
~/.netopeer2-cli/client.pem
Per user certificate with its private key that is sent to the server for verification. If present
together with client.crt and client.key it is not utilized. Only with TLS support.
~/.netopeer2-cli/client.crt
Per user certificate that is sent to the server for verification. Needs a corresponding private
key to be utilized. Only with TLS support.
~/.netopeer2-cli/client.key
Per user private key for the user certificate. Needs a corresponding certificate to be utilized.
Only with TLS support.
~/.netopeer2-cli/certs
Per user trusted Certificate Authority directory that is searched when verifying a server
certificate. Only with TLS support.
~/.netopeer2-cli/crl
Per user Certificate Revocation List directory that is searched when verifying a server
certificate. Only with TLS support.
SEE ALSO
RFC 5277 (Event Notifications)
RFC 6241 (NETCONF v1.1)
RFC 6242 (NETCONF over SSH)
RFC 6243 (With-defaults capability)
RFC 6536 (NETCONF Access Control)
http://tools.ietf.org/html/draft-ietf-netconf-rfc5539bis-05 (NETCONF over TLS)
http://tools.ietf.org/html/draft-ietf-netconf-reverse-ssh-05 (Call Home)
https://github.com/CESNET/netopeer2 (Netopeer homepage)
AUTHORS
Michal Vasko <mvasko@cesnet.cz>
Radek Krejci <rkrejci@cesnet.cz>
COPYRIGHT
Copyright © 2012-2021 CESNET, a.l.e.
Copyright © 2018-2021 Deutsche Telekom AG.
Netopeer 2021-11-10 netopeer2-cli(1)