Apstra Server Configuration File
/etc/aos/aos.conf
Controller
    admin@aos-server:/etc/aos$ cat aos.conf
    [controller]
    metadb=eth0

    # Role for the controller. Set the option to "slave" in order to setup AOS as a
    # slave AOS. The options "metadb" and "node_id" should be also set while
    # setting "role" to "slave"
    role = controller

    # Id of the slave node. Empty in case the server is the controller. The ID is
    # generated by the controller.
    node_id =
Security
    [security]
    # ***EXPERIMENTAL FEATURE*** This feature should not be enabled without Apstra
    # engineering assistance. Enable secure connections for AOS system agents.
    enable_secure_sysdb_connection = 0

    # This encrypts sensitive data when sending configuration to device. This also
    # enables aos agents to use appropriate credentials to access and/or configure
    # device. Default behavior to configure or run commands using device root
    # Note: Manual agent installation will not work if this is enabled.
    enable_encryption_to_device = 0
Log Rotate
    [logrotate]
    # AOS has builtin log rotate functionality. You can disable it by setting
    # <enable_log_rotate> to 0 if you want to use linux logrotate utility to manage
    # your log files. AOS agent reopens log file on SIGHUP
    enable_log_rotate = 1

    # Log file will be rotated when its size exceeds <max_file_size>
    max_file_size = 1M

    # The most recent <max_kept_backups> rotated log files will be saved. Older
    # ones will be removed. Specify 0 to not save rotated log files, i.e. the log
    # file will be removed as soon as its size exceeds limit.
    max_kept_backups = 5

    # Interval, specified as <hh:mm:ss>, at which log files are checked for
    # rotation.
    check_interval = 1:00:00

    # Maximum number of recent invalid persistence group kept
    max_kept_invalid_persistence_groups = 3
Auth Sysdb Log Rotator
    [auth_sysdb_log_rotator]
    # AOS has builtin auth sysdb persistence file rotation functionality. Default
    # value is 1 which means sysdb retention policy is enabled. You can disable it
    # by setting it to 0 and you also can enable it again by setting it to 1. All
    # retention policy parameters will be reloaded by restarting AOS service, or
    # sending SIGHUP signal to SysdbResourceManager agent via "sudo kill -s 1
    # $(pgrep -f SysdbResourceManager)"
    enable_auth_sysdb_rotate = 1

    # Maximum number of backup copies of valid auth sysdb persistence file groups
    # in /var/lib/aos/db. AOS will remove all the older groups. Default value is 5,
    # which means AOS will keep the latest 5 groups. Min value is 3. It should be
    # specified as a positive number or empty. Leaving it empty means no groups
    # number limitation. It will be set to default value if it is configured in
    # invalid format. It will be set to minimum value if it is configured to a
    # smaller value.
    max_kept_backups = 5

    # Maximum total size of valid auth sysdb persistence file groups in
    # /var/lib/aos/db. Default value is empty, which means no size limitation. It
    # should be specified as empty or a positive number ending with k/m/g (case
    # insensitive) or no suffix. Otherwise, it will be set to default value. AOS
    # will keep at least 3 valid groups no matter how <max_total_files_size> being
    # configured.
    max_total_files_size =

    # Interval, specified as <hh:mm:ss>, at which auth sysdb persistence files are
    # checked for rotation. Default value is 1:00:00. It will be set to default
    # value is it is configured in invalid format. Min value is 00:01:00. It will
    # be set to min value if it is configured to a smaller value. AOS also update
    # all the retention policy parameters per <check_interval> when it is enabled.
    check_interval = 1:00:00
Main Sysdb Log Rotator
Four parameters configure the main graph datastore retention policy.

    [main_sysdb_log_rotator]
    # AOS has builtin main sysdb persistence file rotation functionality. Default
    # value is 1 which means sysdb retention policy is enabled. You can disable it
    # by setting it to 0 and you also can enable it again by setting it to 1. All
    # retention policy parameters will be reloaded by restarting AOS service, or
    # sending SIGHUP signal to SysdbResourceManager agent via "sudo kill -s 1
    # $(pgrep -f SysdbResourceManager)"
    enable_main_sysdb_rotate = 1

    # Maximum number of backup copies of valid main sysdb persistence file groups
    # in /var/lib/aos/db. AOS will remove all the older groups. Default value is 5,
    # which means AOS will keep the latest 5 groups. Min value is 3. It should be
    # specified as a positive number or empty. Leaving it empty means no groups
    # number limitation. It will be set to default value if it is configured in
    # invalid format. It will be set to minimum value if it is configured to a
    # smaller value.
    max_kept_backups = 5

    # Maximum total size of valid main sysdb persistence file groups in
    # /var/lib/aos/db. Default value is empty, which means no size limitation. It
    # should be specified as empty or a positive number ending with k/m/g (case
    # insensitive) or no suffix. Otherwise, it will be set to default value. AOS
    # will keep at least 3 valid groups no matter how <max_total_files_size> being
    # configured.
    max_total_files_size =

    # Interval, specified as <hh:mm:ss>, at which main sysdb persistence files are
    # checked for rotation. Default value is 1:00:00. It will be set to default
    # value is it is configured in invalid format. Min value is 00:01:00. It will
    # be set to min value if it is configured to a smaller value. AOS also update
    # all the retention policy parameters per <check_interval> when it is enabled.
    check_interval = 1:00:00

enable_main_sysdb_rotate = 1
Enables and disables the policy.
- Set to 1 to enable the retention policy (default). If you enable the policy after it has been disabled, you must restart the Apstra server for it to be enabled again.
- Set to 0 to disable the retention policy and keep all backups. AOS VM file disk utilization issues may occur. The policy will be disabled during the next retention check (check_interval). There is no need to restart the Apstra server unless you want to disable the policy immediately.
max_kept_backups = 5
Maximum number of backups to store in /var/lib/aos/db.
- Leave default of 5 to keep the latest five backups.
- Set to an empty string to keep an unlimited number of backups.
- Setting to an invalid number results in the default value of 5.
- Setting to a number smaller than 3 (the minimum) results in the minimum value of 3.
max_total_files_size =
Maximum file group size to store in /var/lib/aos/db.
- Leave default of an empty string for no size limitation.
- Set to a number ending in k, m, or g (case-sensitive) or without a suffix.
The effect of max_kept_backups and max_total_files_size is cumulative. For security, Apstra keeps a minimum of three groups of valid Main Graph Datastore persistence files.
check_interval = 1:00:00
Time between retention checks and parameter updates (if the file has been updated). Format: <hh:mm:ss>.
- Leave default of 1:00:00 to check every hour.
- Setting to an invalid number results in the default value of 1:00:00.
- Setting to a number smaller than 00:01:00 (the minimum) results in the minimum value of 1:00:00.
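
The fallback and clamping rules above can be checked before a change is deployed. The following is an added example, not Apstra code, that resolves one rotator section to the values that would take effect; the same rules are documented for the auth, main and anomaly sections. It follows the comments in the file itself (suffixes matched case-insensitively, a too-small interval raised to 00:01:00), and it assumes 1024-based size units and that 0 backups counts as "smaller than the minimum".

```python
import configparser
import re

DEFAULT_BACKUPS, MIN_BACKUPS = 5, 3
DEFAULT_INTERVAL, MIN_INTERVAL = 3600, 60   # 1:00:00 and 00:01:00, in seconds
UNITS = {"": 1, "k": 1024, "m": 1024**2, "g": 1024**3}  # assumed 1024-based

def effective_backups(raw):
    """Group-count limit after clamping; None means unlimited."""
    raw = raw.strip()
    if raw == "":
        return None                          # empty: no limit on group count
    if not re.fullmatch(r"[0-9]+", raw):
        return DEFAULT_BACKUPS               # invalid format: default of 5
    return max(int(raw), MIN_BACKUPS)        # too small (0 included, assumed): 3

def effective_size(raw):
    """Total-size limit in bytes; None means no size limit."""
    m = re.fullmatch(r"([0-9]+)([kmg]?)", raw.strip(), re.IGNORECASE)
    if not m or int(m.group(1)) == 0:
        return None                          # empty or invalid: default (no limit)
    return int(m.group(1)) * UNITS[m.group(2).lower()]

def effective_interval(raw):
    """Seconds between retention checks after clamping."""
    m = re.fullmatch(r"([0-9]+):([0-5][0-9]):([0-5][0-9])", raw.strip())
    if not m:
        return DEFAULT_INTERVAL              # invalid format: default of 1:00:00
    h, mi, s = map(int, m.groups())
    return max(h * 3600 + mi * 60 + s, MIN_INTERVAL)

def effective_policy(conf_text, section="main_sysdb_log_rotator"):
    """Resolve one *_sysdb_log_rotator section to the values that take effect."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    sec = cp[section]
    enable_key = "enable_" + section.replace("_log_rotator", "_rotate")
    on = sec.get(enable_key, "1").strip() != "0"   # 0 keeps every backup
    return {
        "enabled": on,
        "max_groups": effective_backups(sec.get("max_kept_backups", "5")) if on else None,
        "max_bytes": effective_size(sec.get("max_total_files_size", "")) if on else None,
        "check_seconds": effective_interval(sec.get("check_interval", "1:00:00")),
    }

# Constructed sample: backups and interval are below the documented minimums.
SAMPLE = """
[main_sysdb_log_rotator]
enable_main_sysdb_rotate = 1
max_kept_backups = 2
max_total_files_size = 500M
check_interval = 0:00:30
"""

if __name__ == "__main__":
    print(effective_policy(SAMPLE))
```
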
Anomaly Sysdb Log Rotator
    [anomaly_sysdb_log_rotator]
    # AOS has builtin anomaly sysdb persistence file rotation functionality.
    # Default value is 1 which means sysdb retention policy is enabled. You can
    # disable it by setting it to 0 and you also can enable it again by setting it
    # to 1. All retention policy parameters will be reloaded by restarting AOS
    # service, or sending SIGHUP signal to SysdbResourceManager agent via "sudo
    # kill -s 1 $(pgrep -f SysdbResourceManager)"
    enable_anomaly_sysdb_rotate = 1

    # Maximum number of backup copies of valid anomaly sysdb persistence file
    # groups in /var/lib/aos/db. AOS will remove all the older groups. Default
    # value is 5, which means AOS will keep the latest 5 groups. Min value is 3. It
    # should be specified as a positive number or empty. Leaving it empty means no
    # groups number limitation. It will be set to default value if it is configured
    # in invalid format. It will be set to minimum value if it is configured to a
    # smaller value.
    max_kept_backups = 5

    # Maximum total size of valid anomaly sysdb persistence file groups in
    # /var/lib/aos/db. Default value is empty, which means no size limitation. It
    # should be specified as empty or a positive number ending with k/m/g (case
    # insensitive) or no suffix. Otherwise, it will be set to default value. AOS
    # will keep at least 3 valid groups no matter how <max_total_files_size> being
    # configured.
    max_total_files_size =

    # Interval, specified as <hh:mm:ss>, at which anomaly sysdb persistence files
    # are checked for rotation. Default value is 1:00:00. It will be set to default
    # value is it is configured in invalid format. Min value is 00:01:00. It will
    # be set to min value if it is configured to a smaller value. AOS also update
    # all the retention policy parameters per <check_interval> when it is enabled.
    check_interval = 1:00:00
Device Image Management
    [device_image_management]
    # Enable version compatibility check. By default version compatibility check is
    # enabled. A device will not connect to AOS if its version of AOS device agent
    # is not compatible with AOS controller
    enable_version_check = 1

    # Enable AOS device agent image auto upgrade. By default auto image upgrade is
    # disabled. With this option enabled a device can download an image from the
    # controller and upgrade itself if needed.
    enable_auto_upgrade = 0

    # A device will retry in specified timeout (in seconds) if it fails version
    # compatibility check or to download/install new image.
    retry_timeout = 600
Authentication
    [authentication]
    # Enable authentication/authorization check. By default
    # authentication/authorization is enabled. You can disable it by setting enable
    # to 0
    enable = 1

    # Set token expiration time (in seconds). By default token will be expired
    # after 24 hours (86400 seconds).
    token_expiration = 86400

    # Enable ratelimiting. This mechanism protects against password bruteforce. By
    # default ratelimiting is enabled. You can disable it by setting
    # enable_ratelimit to 0
    enable_ratelimit = 1
Device Config Management
    [device_config_management]
    # Setting to push quarantine config to unacknowledged devices. By default it is
    # disabled as it causes traffic disruptions.Set the value to 1 to enable
    # pushing quarantine config, which shuts down all interfaces on the device.
    enable_push_quarantine_config = 0
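
Several of the options shown so far ([security], [authentication], [device_image_management], [device_config_management]) change the server's security or availability posture when moved off their defaults. The following is an added example, not Apstra code, that reports drift from the defaults documented on this page. It assumes a missing key means the default applies, and its sample input is constructed.

```python
import configparser

# (section, key) -> (default documented on this page, why another value matters)
BASELINE = {
    ("authentication", "enable"):
        ("1", "authentication/authorization check is disabled"),
    ("authentication", "enable_ratelimit"):
        ("1", "password brute-force protection is disabled"),
    ("security", "enable_secure_sysdb_connection"):
        ("0", "experimental feature, not to be enabled without Apstra engineering"),
    ("device_image_management", "enable_version_check"):
        ("1", "agent version compatibility is no longer enforced"),
    ("device_image_management", "enable_auto_upgrade"):
        ("0", "devices may download an image from the controller and self-upgrade"),
    ("device_config_management", "enable_push_quarantine_config"):
        ("0", "unacknowledged devices get all interfaces shut down"),
}
DEFAULT_TOKEN_TTL = 86400  # seconds (24 hours)

def audit(conf_text):
    """Return (setting, value, reason) for each value that differs from its default."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for (section, key), (default, reason) in BASELINE.items():
        value = cp.get(section, key, fallback=default).strip()
        if value != default:
            findings.append((f"{section}.{key}", value, reason))
    ttl = cp.get("authentication", "token_expiration",
                 fallback=str(DEFAULT_TOKEN_TTL)).strip()
    name = "authentication.token_expiration"
    if not ttl.isdecimal():
        findings.append((name, ttl, "not a whole number of seconds"))
    elif int(ttl) > DEFAULT_TOKEN_TTL:
        findings.append((name, ttl, "token lifetime exceeds the 24-hour default"))
    return findings

# Constructed sample: rate limiting off and a 7-day token lifetime.
SAMPLE = """
[security]
enable_secure_sysdb_connection = 0
[authentication]
enable = 1
token_expiration = 604800
enable_ratelimit = 0
[device_image_management]
enable_version_check = 1
enable_auto_upgrade = 0
"""

if __name__ == "__main__":
    for setting, value, reason in audit(SAMPLE):
        print(f"{setting} = {value}: {reason}")
```
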
Telemetry Init
    [telemetry_init]
    # Number of initial BGP telemetry update rounds before anomaly detection is
    # started.
    bgp = 4

    # Number of initial interface telemetry update rounds before anomaly detection
    # is started.
    interface = 4

    # Number of initial LAG telemetry update rounds before anomaly detection is
    # started.
    lag = 4

    # Number of initial LLDP telemetry update rounds before anomaly detection is
    # started.
    lldp = 4

    # Number of initial route telemetry update rounds before anomaly detection is
    # started.
    route = 4

    # Number of initial MLAG telemetry update rounds before anomaly detection is
    # started.
    mlag = 4
Telemetry Global Config
    [telemetry_global_config]
    # Python multithreading enable/disable knob for telemetry collection
    multithreading_config = 1

    # Execution timeout for extensible telemetry collectors
    command_timeout = 120
Task API
    [task_api]
    # Default maximum time in seconds a task can stay in its current state.
    default_timeout = 600.0

    # Time in seconds a blueprint.create task can stay in its current state.Format:
    # "timeout_<task_type>"
    timeout_blueprint.create = 360.0

    # Time in seconds a blueprint.deploy task can stay in its current state.Format:
    # "timeout_<task_type>"
    timeout_blueprint.deploy = 300.0

    # Time in seconds blueprint.facade.* tasks can stay in their current state.
    # Specific facade task overrides prevail over this one.Format:
    # "timeout_<task_type>"
    timeout_blueprint.facade = 600.0

    # Maximum number of tasks, which allowed in the queue. When number of tasks
    # becomes higher this value, task rotation will be started.
    max_tasks_in_queue = 100

    # Maximum number of Bytes in data field which does not require compression. If
    # data size is greater than threshold data will be compressed before storing it
    # in sysdb.
    max_uncompressed_data_size = 1000
Statistics
    [statistics]
    # Enable or disable full validation for pod statistics. Disable if Racks and/or
    # Pods tabs load times are excessive
    pod_full_validation = enabled
Enterprise
    [enterprise]
    # Enable or disable Enterprise related features
    enable = 0
Syslog
    [syslog]
    # Interval, specified as <hh:mm:ss>, at which collector will recollect hostname
    hostname_check_interval = 00:00:10
Builtin Telemetry Disable
    [builtin_telemetry_disable]
    # Disable telemetry service lldp for the specified set of system IDs. System
    # IDs can be provided as a comma seperated list(eg: a, b, c, d). In order to
    # disable the service for all devices, specify the value "all".
    lldp_disable_devices =

    # Disable telemetry service arp for the specified set of system IDs. System IDs
    # can be provided as a comma seperated list(eg: a, b, c, d). In order to
    # disable the service for all devices, specify the value "all".
    arp_disable_devices =

    # Disable telemetry service hostname for the specified set of system IDs.
    # System IDs can be provided as a comma seperated list(eg: a, b, c, d). In
    # order to disable the service for all devices, specify the value "all".
    hostname_disable_devices =

    # Disable telemetry service mac for the specified set of system IDs. System IDs
    # can be provided as a comma seperated list(eg: a, b, c, d). In order to
    # disable the service for all devices, specify the value "all".
    mac_disable_devices =

    # Disable telemetry service xcvr for the specified set of system IDs. System
    # IDs can be provided as a comma seperated list(eg: a, b, c, d). In order to
    # disable the service for all devices, specify the value "all".
    xcvr_disable_devices =

    # Disable telemetry service interface for the specified set of system IDs.
    # System IDs can be provided as a comma seperated list(eg: a, b, c, d). In
    # order to disable the service for all devices, specify the value "all".
    interface_disable_devices =

    # Disable telemetry service interface_counters for the specified set of system
    # IDs. System IDs can be provided as a comma seperated list(eg: a, b, c, d). In
    # order to disable the service for all devices, specify the value "all".
    interface_counters_disable_devices =

    # Disable telemetry service bgp for the specified set of system IDs. System IDs
    # can be provided as a comma seperated list(eg: a, b, c, d). In order to
    # disable the service for all devices, specify the value "all".
    bgp_disable_devices =

    # Disable telemetry service mlag for the specified set of system IDs. System
    # IDs can be provided as a comma seperated list(eg: a, b, c, d). In order to
    # disable the service for all devices, specify the value "all".
    mlag_disable_devices =

    # Disable telemetry service route for the specified set of system IDs. System
    # IDs can be provided as a comma seperated list(eg: a, b, c, d). In order to
    # disable the service for all devices, specify the value "all".
    route_disable_devices =

    # Disable telemetry service lag for the specified set of system IDs. System IDs
    # can be provided as a comma seperated list(eg: a, b, c, d). In order to
    # disable the service for all devices, specify the value "all".
    lag_disable_devices =
Agent Management
    [agent_management]
    # Override the default heartbeat timeout for agents spawned dynamically by
    # AgentManager. The value must be a non-negative number. The unit is seconds.
    # The value 0 is used to turn off heartbeat-based agent timeouts and restarts.
    # The minimum non-0 value allowed is 60. If not provided, then the default
    # timeout value (600 seconds) is used.
    heartbeat_period =
Show Tech
    [show_tech]
    # Minimum free space in the file system for /var/lib/aos/show_tech needed to
    # initiate controller show tech collection via the Apstra API (in MBytes,
    # default: 4096, min: 4096)
    min_free_disk_space = 4096

    # The directory /var/lib/aos/show_tech must be smaller than this size to
    # initiate controller show tech collection via the Apstra API (in MBytes,
    # default: 10240, min: 4096)
    max_directory_size = 10240

    # Maximum controller show tech collection duration before job times out (in
    # seconds, default: 1200, min: 1200)
    controller_timeout = 1200.0
System Operation Filesystem Thresholds
    [system_operation_filesystem_thresholds]
    # Default operation thresholds for filesystem utilization, used unless an
    # option for a specific filesystem is specified in the section. Two thresholds
    # are specified - warning and critical. When resource utilization passes each
    # threshold, an operation anomaly is raised at the corresponding level. When a
    # critical threshold is crossed the APIs are automatically transitioned into
    # read-only mode. Numbers here are utilization levels, between 0.0 and 1.0.
    # Note: Both 0.0 and 1.0 utilization levels are not allowed.
    default = warning:0.8 critical:0.9
System Operation Memory Thresholds
    [system_operation_memory_thresholds]
    # Operation thresholds for memory utilization of the controller VM. Two
    # thresholds are specified - warning and critical. When resource utilization
    # passes each threshold, an operation anomaly is raised at the corresponding
    # level. When a critical threshold is crossed the APIs are automatically
    # transitioned into read-only mode. Numbers here are utilization levels,
    # between 0.0 and 1.0. Note: Both 0.0 and 1.0 utilization levels are not
    # allowed.
    default = warning:0.8 critical:0.9