gNMI for Ciena SAOS 10.x devices fails path string validation #11903
Comments
If you specify "openconfig-interfaces" as origin you don't have to put "oc-if:" part in the path afaik |
Hmm, pretty sure I tried that, but I'll give it a go just as soon as I can and report back. |
No go. Regardless of origin="openconfig-interfaces" or origin="oc-if", I now get: 2022-09-28T20:23:49Z E! [inputs.gnmi] Subscribe error (7), "Access Denied" with path = "/interfaces/interface[name=7]/state/counters" |
But access denied seems like the user you use doesn't have rights to subscribe to gnmi. You should check. |
True, and I double checked that, but I used the exact same
user/password/device, the only change was the telegraf version itself.
On Sun, Oct 2, 2022 at 5:20 AM peterbaumert ***@***.***> wrote:
But access denied seems like the user you use doesnt have rights to
subscribe to gnmi. You should check.
--
Todd Witten
***@***.***
|
I am running into the same problem with telegraf 1.24 and finding out that this is a problem for any sensor, not only oc-interfaces. Here are debug logs with 1.21.4 (working) and 1.24.2 (fail) using the exact same config file.
ddichev |
@ddichev-hub could you possibly test 1.23.1. It will help narrow down exactly what pr caused this. As this pr is after 1.23.1 but these prs (pr1) (pr2) were before 1.23.1 but after your working version of 1.21.4. Thanks in advance :) |
hi @MyaLongmire ,
|
Where will we get the certificates and key? What are all the mandatory things required to configure telemetry on Ciena SAOS 10? Could someone share the full telegraf configuration for the above scenario? |
Here's my production gNMI config for the Ciena's. We only have 5 devices in there currently. [[inputs.gnmi]] [[inputs.gnmi.subscription]] [[inputs.gnmi.subscription]] [[inputs.gnmi.subscription]] [[inputs.gnmi.subscription]] [[inputs.gnmi.subscription]] |
Are there any helpful links regarding the certificates? Who will provide
these certificates?
Is it that we generate them on the server where we installed telegraf?
Currently I have generated ca cert and .p13 certificates from server and
installed same on ciena device, but it's throwing certificate error
…On Sat, 19 Nov 2022, 01:52 whizkidTRW, ***@***.***> wrote:
Here's my production gNMI config for the Ciena's. We only have 5 devices
in there currently.
```toml
[[inputs.gnmi]]
  addresses = ["10.255.30.5:6702","10.255.30.6:6702","10.255.30.14:6702","10.255.30.33:6702","10.255.32.14:6702"]
  username = "XXXXXXX"
  password = "XXXXXXX"
  encoding = "proto"
  redial = "10s"
  enable_tls = true
  tls_ca = "/etc/telegraf/ca.cert.pem"
  insecure_skip_verify = true
  tls_cert = "/etc/telegraf/client.cert.pem"
  tls_key = "/etc/telegraf/client.key.pem"
  name_override = "saos10xgnmi"
  updates_only = true

  [[inputs.gnmi.subscription]]
    name = "ifcounters"
    origin = "openconfig-interfaces"
    path = "/oc-if:interfaces/oc-if:interface[name=7]/oc-if:state/oc-if:counters"
    subscription_mode = "sample"
    sample_interval = "30s"

  [[inputs.gnmi.subscription]]
    name = "ifcounters"
    origin = "openconfig-interfaces"
    path = "/oc-if:interfaces/oc-if:interface[name=9]/oc-if:state/oc-if:counters"
    subscription_mode = "sample"
    sample_interval = "30s"

  [[inputs.gnmi.subscription]]
    name = "ifcounters"
    origin = "openconfig-interfaces"
    path = "/oc-if:interfaces/oc-if:interface[name=28]/oc-if:state/oc-if:counters"
    subscription_mode = "sample"
    sample_interval = "30s"

  [[inputs.gnmi.subscription]]
    name = "ifcounters"
    origin = "openconfig-interfaces"
    path = "/oc-if:interfaces/oc-if:interface[name=33]/oc-if:state/oc-if:counters"
    subscription_mode = "sample"
    sample_interval = "30s"

  [[inputs.gnmi.subscription]]
    name = "ifcounters"
    origin = "openconfig-interfaces"
    path = "/oc-if:interfaces/oc-if:interface[name=36]/oc-if:state/oc-if:counters"
    subscription_mode = "sample"
    sample_interval = "30s"
```
|
telegraf error: [inputs.gnmi] Error in plugin: failed to setup subscription: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: remote error: tls: unknown certificate authority" |
certificates generated from server on which telegraf is installed ca-key.pem |
I don't understand. The error is happening when parsing the path, why do you need the certs? Just turn off verification with insecure_skip_verify = true |
I have configured same as per the configuration shared by you, and I am getting the below error:
telegraf error: [inputs.gnmi] Error in plugin: failed to setup subscription: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: remote error: tls: unknown certificate authority"
Looks like that's TLS certificate related. I have followed the below steps to create certificates on the telegraf server
Copied the CA certificate and client certificate to ciena device SIOS
Installed a CA certificate on ciena device
Client certificate
pkix-certificates install cert-name client-cert cert-passphrase secret cert-only false remote-file uri sftp://client-cert.p12
I am actually not sure about whether I am following it correctly. I want to know how to get these certificates and key tls_ca = "/etc/telegraf/ca.cert.pem" |
As far as I know, the certs came with Telegraf. We didn't have to put any certs on the Ciena devices. |
can you confirm whether there is any config we need to do on ciena device ? Also I cannot find these certificates. tls_ca = "/etc/telegraf/ca.cert.pem" |
I see the same issue with Huawei NE40 device. They do not implement origin so the path contains a ":". [telegraf] Error running agent: starting input inputs.gnmi: invalid string path /huawei-ifm:ifm/interfaces/interface/mib-statistics: invalid node name: "huawei-ifm:ifm" When I use gnmic to subscribe it works and I start receiving data. When I tried to look at the code it seems like the xpath.ToGNMIPath() function causes the error to be raised. |
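A path-string parser that accepts the module-prefixed node names quoted in this thread (`oc-if:interfaces`, `huawei-ifm:ifm`) and does not split on a `/` inside a key value. This is an added example, not Telegraf's code or the change made in PR #12272; `Elem` and `ParsePath` are hypothetical names, and the third sample path is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Elem is one path element: optional YANG module prefix, node name, list keys.
type Elem struct {
	Module, Name string
	Keys         map[string]string
}

// node matches one "/module:name[key=value]..." element at the start of the
// input; the module prefix and the predicates are optional.
var node = regexp.MustCompile(`^/(?:([\w.-]+):)?([\w.*-]+)((?:\[[\w.-]+=[^\]]*\])*)`)

// pred picks the key and value out of each [key=value] predicate.
var pred = regexp.MustCompile(`\[([\w.-]+)=([^\]]*)\]`)

// ParsePath splits a gNMI path string into elements. Module-prefixed names
// are accepted, and a "/" inside a key value does not end the element.
func ParsePath(p string) ([]Elem, error) {
	var elems []Elem
	for rest := strings.TrimSuffix(p, "/"); rest != ""; {
		m := node.FindStringSubmatch(rest)
		if m == nil {
			return nil, fmt.Errorf("invalid path element at %q", rest)
		}
		e := Elem{Module: m[1], Name: m[2], Keys: map[string]string{}}
		for _, kv := range pred.FindAllStringSubmatch(m[3], -1) {
			e.Keys[kv[1]] = kv[2]
		}
		elems = append(elems, e)
		rest = rest[len(m[0]):]
	}
	return elems, nil
}

func main() {
	for _, p := range []string{
		"/oc-if:interfaces/oc-if:interface[name=7]/oc-if:state/oc-if:counters",
		"/huawei-ifm:ifm/interfaces/interface/mib-statistics",
		"/interfaces/interface[name=1/7]/state", // constructed: "/" inside a key
	} {
		elems, err := ParsePath(p)
		fmt.Printf("%+v %v\n", elems, err)
	}
}
```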
@whizkidTRW and @ddichev-hub can you please test PR #12272? CI will build a binary for you... Let me know if it fixes the issue! |
@srebhan I have tested #12272 and that fixes the issue with path validation. So I do not see the invalid node name anymore. Also, as per the updated debug logs below, it now seems to be parsing the path correctly. I however still have the issue that the subscription is rejected by the router. When I compare with the gnmic request, the main difference is the empty prefix that is included in the request. Could the prefix be removed if null?
|
@jrventer would you be so kind and open another issue for this!? Otherwise we get lost here. Feel free to ping me in the new issue. |
Ok will open new issue for the prefix issue. |
Sven, I’m running Telegraf in a container and not sure how to test that PR.
I’m more than happy to if someone can show me how.
Thanks!
On Wed, Nov 23, 2022 at 8:08 AM Rudolf Venter ***@***.***> wrote:
@jrventer <https://github.com/jrventer> would you be so kind and open
another issue for this!? Otherwise we get lost here. Feel free to ping me
in the new issue.
Ok will open new issue for the prefix issue.
--
Todd Witten
***@***.***
|
Hi @whizkidTRW You can try use this Dockerfile to compile a built version with the PR:
Run: then use "srebhan/telegraf:gnmi_issue_11903" as the container name once you built it |
@whizkidTRW you can also download the static binary for your arch (it's only one file without dependencies) and run it in your existing container e.g. by providing it in a mount-point or downloading it in the container. |
@jrventer please note that you should use go 1.19 as this is the current requirement for building Telegraf. :-) |
Thanks Rudolf & Sven. I'll try the binary as soon as I can, might be
Monday, but I'll certainly get back to you on it.
Todd Witten
***@***.***
…On Wed, Nov 23, 2022 at 12:47 PM Sven Rebhan ***@***.***> wrote:
@jrventer <https://github.com/jrventer> please note that you should use
go 1.19 as this is the current requirement for building Telegraf. :-)
|
I was able to pull it down into my Telegraf container and test. It does parse the config and subscribe, but now the errors are different and it still doesn't return valid data. I'm attaching the output. I exported just the Ciena relevant sections of my main telegraf.conf file to telegraf-ciena.conf and tested with that using --test-wait 30 |
Thanks I have updated was mostly building plugin that was based on telegraf 1.20 so adapted from that environment which was using older golang version. |
@whizkidTRW thanks for testing! Can you please open another issue for this so others can find the issue if they experience similar problems... It would also be helpful to provide debug output (running telegraf with --debug) for the new issue. |
Absolutely. Will do shortly.
Todd Witten
***@***.***
…On Wed, Nov 23, 2022 at 2:08 PM Sven Rebhan ***@***.***> wrote:
@whizkidTRW <https://github.com/whizkidTRW> thanks for testing! Can you
please open another issue for this so others can find the issue if they
experience similar problems... It would also be helpful to provide debug
output (running telegraf with --debug) for the new issue.
|
Relevant telegraf.conf
Logs from Telegraf
System info
Telegraf 1.22.0+, Debian 11 (bullseye), Docker 20.10.5
Docker
```yaml
telegraf:
  image: telegraf
  container_name: telegraf
  restart: always
  volumes:
    - /opt/TIGstack/telegraf/etc:/etc/telegraf:rw
    - /opt/TIGstack/telegraf.conf:/etc/telegraf/telegraf.conf:rw
    - /opt/TIGstack/var/lib/mibs/ietf:/var/lib/mibs:rw
    - /opt/TIGstack/var/lib/mibs/ietf:/usr/share/snmp/mibs:rw
    - /opt/TIGstack/telegraf/etc/ca.cert.pem:/etc/telegraf/ca.cert.pem
    - /opt/TIGstack/telegraf/etc/client.cert.pem:/etc/telegraf/client.cert.pem
    - /opt/TIGstack/telegraf/etc/client.key.pem:/etc/telegraf/client.key.pem
  depends_on:
    - influxdb
  links:
    - influxdb
  ports:
    - '8125:8125'
```
Steps to reproduce
Expected behavior
Successful gNMI subscription consistent with version 1.21 and lower
Actual behavior
Telegraf fails with "invalid string path" error and exits
Additional info
No response