Example: Require and Restrict Configuration Statements
Junos OS commit scripts enforce custom configuration rules. When a candidate configuration is committed, it is inspected by each active commit script. This example uses a commit script to specify required and prohibited configuration statements.
Requirements
This example uses a device running Junos OS that has the Ethernet management interface fxp0.
Overview and Commit Script
This example shows how to use a commit script to specify required and prohibited configuration statements. The following commit script ensures that the Ethernet management interface (fxp0) is configured and detects when the interface is improperly disabled. The script also detects when the bgp statement is not included at the [edit protocols] hierarchy level. In all cases, the script generates an error message, and the commit operation fails.
The example script is shown in both XSLT and SLAX syntax:
XSLT Syntax
<?xml version="1.0" standalone="yes"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:junos="http://xml.juniper.net/junos/*/junos"
    xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm"
    xmlns:jcs="http://xml.juniper.net/junos/commit-scripts/1.0">
    <xsl:import href="../import/junos.xsl"/>

    <xsl:template match="configuration">
        <xsl:call-template name="error-if-missing">
            <xsl:with-param name="must"
                select="interfaces/interface[name='fxp0']/unit[name='0']/family/inet/address"/>
            <xsl:with-param name="statement"
                select="'interfaces fxp0 unit 0 family inet address'"/>
        </xsl:call-template>
        <xsl:call-template name="error-if-present">
            <xsl:with-param name="must"
                select="interfaces/interface[name='fxp0']/disable
                    | interfaces/interface[name='fxp0']/unit[name='0']/disable"/>
            <xsl:with-param name="message">
                <xsl:text>The fxp0 interface is disabled.</xsl:text>
            </xsl:with-param>
        </xsl:call-template>
        <xsl:call-template name="error-if-missing">
            <xsl:with-param name="must" select="protocols/bgp"/>
            <xsl:with-param name="statement" select="'protocols bgp'"/>
        </xsl:call-template>
    </xsl:template>

    <xsl:template name="error-if-missing">
        <xsl:param name="must"/>
        <xsl:param name="statement" select="'unknown'"/>
        <xsl:param name="message" select="'missing mandatory configuration statement'"/>
        <xsl:if test="not($must)">
            <xnm:error>
                <edit-path><xsl:copy-of select="$statement"/></edit-path>
                <message><xsl:copy-of select="$message"/></message>
            </xnm:error>
        </xsl:if>
    </xsl:template>

    <xsl:template name="error-if-present">
        <xsl:param name="must" select="1"/> <!-- error if param missing -->
        <xsl:param name="message" select="'invalid configuration statement'"/>
        <xsl:for-each select="$must">
            <xnm:error>
                <xsl:call-template name="jcs:edit-path"/>
                <xsl:call-template name="jcs:statement"/>
                <message><xsl:copy-of select="$message"/></message>
            </xnm:error>
        </xsl:for-each>
    </xsl:template>
</xsl:stylesheet>
SLAX Syntax
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";

match configuration {
    call error-if-missing($must = interfaces/interface[name='fxp0']/unit[name='0']/family/inet/address,
        $statement = 'interfaces fxp0 unit 0 family inet address');
    call error-if-present($must = interfaces/interface[name='fxp0']/disable
        | interfaces/interface[name='fxp0']/unit[name='0']/disable) {
        with $message = {
            expr "The fxp0 interface is disabled.";
        }
    }
    call error-if-missing($must = protocols/bgp, $statement = 'protocols bgp');
}

error-if-missing ($must, $statement = 'unknown',
    $message = 'missing mandatory configuration statement') {
    if (not($must)) {
        <xnm:error> {
            <edit-path> {
                copy-of $statement;
            }
            <message> {
                copy-of $message;
            }
        }
    }
}

error-if-present ($must = 1, $message = 'invalid configuration statement') {
    for-each ($must) {
        <xnm:error> {
            call jcs:edit-path();
            call jcs:statement();
            <message> {
                copy-of $message;
            }
        }
    }
}
Configuration
Procedure
Step-by-Step Procedure
To download, enable, and test the script:
Copy the script into a text file, name the file no-nukes.xsl or no-nukes.slax as appropriate, and copy it to the /var/db/scripts/commit/ directory on the device.
Select the following test configuration stanzas, and press Ctrl+c to copy them to the clipboard.
If you are using the SLAX version of the script, change the filename at the [edit system scripts commit file] hierarchy level to no-nukes.slax.

system {
    scripts {
        commit {
            file no-nukes.xsl;
        }
    }
}
interfaces {
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
In configuration mode, issue the load merge terminal command to merge the stanzas into your device configuration.

[edit]
user@host# load merge terminal
[Type ^D at a new line to end input]
... Paste the contents of the clipboard here ...
At the prompt, paste the contents of the clipboard by using the mouse and the paste icon.
Press Enter.
Press Ctrl+d.
Commit the configuration.
user@host# commit
Verification
Verifying Commit Script Execution
Purpose
Verify that the script behaves as expected.
Action
Review the output of the commit command. The script requires that the Ethernet management interface (fxp0) is configured and enabled and that the bgp statement is included at the [edit protocols] hierarchy level. The sample configuration stanzas include the fxp0 interface but disable it. In addition, the bgp statement is not configured at the [edit protocols] hierarchy level. When you run the script, it generates an error, and the commit operation fails. The following output appears after issuing a commit command:
[edit]
user@host# commit
[edit interfaces interface fxp0 disable]
  'disable;'
    The fxp0 interface is disabled.
protocols bgp
  missing mandatory configuration statement
error: 2 errors reported by commit scripts
error: commit script failure
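To see why the sample stanzas trigger exactly two errors, the following added example (not part of the original page or of Juniper's script) applies the same required and prohibited checks offline with Python's standard XML library. The XML form of the configuration is constructed for this illustration, and the names RULES, check_config, FAILING and PASSING are hypothetical.

```python
import xml.etree.ElementTree as ET

FXP0 = "interfaces/interface[name='fxp0']"
MISSING = "missing mandatory configuration statement"
DISABLED = "The fxp0 interface is disabled."

# Ordered like the calls in the commit script's "match configuration" template.
# "require" mirrors error-if-missing; "forbid" mirrors error-if-present.
RULES = [
    ("require", FXP0 + "/unit[name='0']/family/inet/address",
     "interfaces fxp0 unit 0 family inet address", MISSING),
    ("forbid", FXP0 + "/disable", "interfaces fxp0 disable", DISABLED),
    ("forbid", FXP0 + "/unit[name='0']/disable",
     "interfaces fxp0 unit 0 disable", DISABLED),
    ("require", "protocols/bgp", "protocols bgp", MISSING),
]


def check_config(xml_text):
    """Return (statement, message) pairs; an empty list means no rule fired."""
    config = ET.fromstring(xml_text)  # root element is <configuration>
    errors = []
    for kind, xpath, statement, message in RULES:
        matches = config.findall(xpath)
        if kind == "require" and not matches:
            errors.append((statement, message))
        elif kind == "forbid":
            # One error per offending node, like the script's for-each loop.
            errors.extend((statement, message) for _ in matches)
    return errors


# Constructed sample: the page's test stanzas written as configuration XML.
FAILING = """<configuration>
  <interfaces><interface><name>fxp0</name><disable/>
    <unit><name>0</name>
      <family><inet><address><name>10.0.0.1/24</name></address></inet></family>
    </unit></interface></interfaces>
</configuration>"""

# Constructed sample: fxp0 enabled and a bgp statement under protocols.
PASSING = FAILING.replace("<disable/>", "").replace(
    "</interfaces>", "</interfaces><protocols><bgp/></protocols>")

if __name__ == "__main__":
    for label, text in (("failing", FAILING), ("passing", PASSING)):
        print(label, check_config(text))
```

The failing sample yields the same two findings as the commit output above; the address check passes because the address statement is present even though the interface is disabled.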