Example: Requiring and Restricting Configuration Statements

Junos OS commit scripts enforce custom configuration rules. When a candidate configuration is committed, it is inspected by each active commit script. This example uses a commit script to specify required and prohibited configuration statements.

Requirements

This example uses a device running Junos OS that has the Ethernet management interface fxp0.

Overview and Commit Script

This example shows how to use a commit script to specify required and prohibited configuration statements. The following commit script ensures that the Ethernet management interface (fxp0) is configured and detects when the interface is improperly disabled. The script also detects when the bgp statement is not included at the [edit protocols] hierarchy level. In all cases, the script generates an error message, and the commit operation fails.

The example script is shown in both XSLT and SLAX syntax:

XSLT Syntax

<?xml version="1.0" standalone="yes"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:junos="http://xml.juniper.net/junos/*/junos"
    xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm"
    xmlns:jcs="http://xml.juniper.net/junos/commit-scripts/1.0">
    <xsl:import href="../import/junos.xsl"/>
 
    <xsl:template match="configuration">
        <xsl:call-template name="error-if-missing">
            <xsl:with-param name="must"
                          select="interfaces/interface[name='fxp0']/
                          unit[name='0']/family/inet/address"/>
            <xsl:with-param name="statement"
                          select="'interfaces fxp0 unit 0 family inet address'"/>
        </xsl:call-template>
        <xsl:call-template name="error-if-present">
            <xsl:with-param name="must"
                          select="interfaces/interface[name='fxp0']/disable
                          | interfaces/interface[name='fxp0']/
                          unit[name='0']/disable"/>
            <xsl:with-param name="message">
                <xsl:text>The fxp0 interface is disabled.</xsl:text>
            </xsl:with-param>
        </xsl:call-template>
        <xsl:call-template name="error-if-missing">
            <xsl:with-param name="must" select="protocols/bgp"/>
            <xsl:with-param name="statement" select="'protocols bgp'"/>
        </xsl:call-template>
    </xsl:template>
    <xsl:template name="error-if-missing">
        <xsl:param name="must"/>
        <xsl:param name="statement" select="'unknown'"/>
        <xsl:param name="message"
                          select="'missing mandatory configuration statement'"/>
        <xsl:if test="not($must)">
            <xnm:error>
                <edit-path><xsl:copy-of select="$statement"/></edit-path>
                <message><xsl:copy-of select="$message"/></message>
            </xnm:error>
        </xsl:if>
    </xsl:template>
    <xsl:template name="error-if-present">
        <xsl:param name="must" select="1"/> <!-- give error if param missing -->
        <xsl:param name="message" select="'invalid configuration statement'"/>
        <xsl:for-each select="$must">
            <xnm:error>
                <xsl:call-template name="jcs:edit-path"/>
                <xsl:call-template name="jcs:statement"/>
                <message><xsl:copy-of select="$message"/></message>
            </xnm:error>
        </xsl:for-each>
    </xsl:template>
</xsl:stylesheet>

SLAX Syntax

version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";
 
match configuration {
    call error-if-missing($must =
               interfaces/interface[name='fxp0']/unit[name='0']/family/inet/address,
               $statement = 'interfaces fxp0 unit 0 family inet address');
    call error-if-present($must = interfaces/interface[name='fxp0']/disable |
               interfaces/interface[name='fxp0']/unit[name='0']/disable) {
        with $message = {
            expr "The fxp0 interface is disabled.";
        }
    }
    call error-if-missing($must = protocols/bgp, $statement = 'protocols bgp');
}
error-if-missing ($must, $statement = 'unknown', $message =
               'missing mandatory configuration statement') {
    if (not($must)) {
        <xnm:error> {
            <edit-path> {
                copy-of $statement;
            }
            <message> {
                copy-of $message;
            }
        }
    }
}
error-if-present ($must = 1, $message = 'invalid configuration statement') {
    for-each ($must) {
        <xnm:error> {
            call jcs:edit-path();
            call jcs:statement();
            <message> {
                copy-of $message;
            }
        }
    }
}

Configuration

Step-by-Step Procedure

To download, enable, and test the script:

  1. Copy the XSLT or SLAX script into a text file, name the file no-nukes.xsl or no-nukes.slax as appropriate, and copy it to the /var/db/scripts/commit/ directory on the device.
  2. Select the following test configuration stanzas, and press Ctrl+c to copy them to the clipboard.

    If you are using the SLAX version of the script, change the filename at the [edit system scripts commit file] hierarchy level to no-nukes.slax.

    system {
        scripts {
            commit {
                file no-nukes.xsl;
            }
        }
    }
    interfaces {
        fxp0 {
            disable;
            unit 0 {
                family inet {
                    address 10.0.0.1/24;
                }
            }
        }
    }
  3. In configuration mode, issue the load merge terminal command to merge the stanzas into your device configuration.

    [edit]
    user@host# load merge terminal
    [Type ^D at a new line to end input]
    ... Paste the contents of the clipboard here ...
    1. At the prompt, paste the contents of the clipboard by using the mouse and the paste icon.
    2. Press Enter.
    3. Press Ctrl+d.
  4. Issue the commit command to commit the configuration.

    user@host# commit

Verification

Verifying Commit Script Execution

Purpose

Verify that the script behaves as expected.

Action

Review the output of the commit command. The script requires that the Ethernet management interface (fxp0) is configured and enabled and that the bgp statement is included at the [edit protocols] hierarchy level. The sample configuration stanzas include the fxp0 interface but disable it. In addition, the bgp statement is not configured at the [edit protocols] hierarchy level. When you run the script, it generates an error, and the commit operation fails. The following output appears after issuing a commit command:

[edit]
user@host# commit
[edit interfaces interface fxp0 disable]
    'disable;'
    The fxp0 interface is disabled.
protocols bgp
    missing mandatory configuration statement
error: 2 errors reported by commit scripts
error: commit script failure
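
The same three rules can be checked offline against a configuration in XML form, for example in a review pipeline before a change reaches the device. The following is an added example, not part of the original page or of Junos OS: it uses Python's xml.etree.ElementTree instead of the commit script runtime, and the function names and the sample XML (the interfaces stanza of the test configuration above) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the interfaces stanza from the test configuration,
# written in XML form. fxp0 has an address but is disabled; no protocols bgp.
CANDIDATE = """
<configuration>
  <interfaces>
    <interface>
      <name>fxp0</name>
      <disable/>
      <unit>
        <name>0</name>
        <family><inet><address><name>10.0.0.1/24</name></address></inet></family>
      </unit>
    </interface>
  </interfaces>
</configuration>
"""

FXP0 = "interfaces/interface[name='fxp0']"

def error_if_missing(config, path, statement,
                     message="missing mandatory configuration statement"):
    """Mirror of error-if-missing: one error when the path selects nothing."""
    return [] if config.findall(path) else [(statement, message)]

def error_if_present(config, paths, message="invalid configuration statement"):
    """Mirror of error-if-present: one error per node selected by any path."""
    return [(p, message) for p in paths for _ in config.findall(p)]

def check(xml_text):
    """Apply the script's three rules; return a list of (location, message)."""
    config = ET.fromstring(xml_text)
    errors = error_if_missing(
        config, FXP0 + "/unit[name='0']/family/inet/address",
        "interfaces fxp0 unit 0 family inet address")
    # ElementTree has no XPath union operator, so the two paths are listed.
    errors += error_if_present(
        config, [FXP0 + "/disable", FXP0 + "/unit[name='0']/disable"],
        "The fxp0 interface is disabled.")
    errors += error_if_missing(config, "protocols/bgp", "protocols bgp")
    return errors

if __name__ == "__main__":
    for where, message in check(CANDIDATE):
        print(f"{where}\n    {message}")
```

For the constructed sample, check() returns the same two findings as the commit output above: the disabled fxp0 interface and the missing protocols bgp statement.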

Published: 2012-11-05
