Executing an Op Script from a Remote Site
As an alternative to storing operation (op) scripts locally on the device, you can store op scripts at a remote site. You then execute a remote op script by specifying the URL as an argument to the op command when you execute the script on the command line. You can execute SLAX and XSLT op scripts from a remote site by default. To execute Python op scripts from a remote site, you must first configure the allow-url-for-python statement at the [edit system scripts op] hierarchy level. Because you cannot guarantee that scripts executed from remote sites are secure, we recommend that you only authorize trusted users to execute scripts using the op url command.
Statements configured under the [edit system scripts op] hierarchy level are only enforced for op scripts that are local to the device. Thus, even if you configure memory allocation, script dampening, traceoptions, or other op script-specific statements within that hierarchy, Junos OS does not apply the configuration when you execute a remote script using the op url command.
To execute an op script from a remote site:
- Create the script.
- (Optional) Store the script temporarily in the /var/tmp directory on the device, and run the script through one or more hash functions to calculate hash values.
    user@host> file checksum md5 /var/tmp/script1.slax
    MD5 (/var/tmp/script1.slax) = 3af7884eb56e2d4489c2e49b26a39a97
    user@host> file checksum sha1 /var/tmp/script1.slax
    SHA1 (/var/tmp/script1.slax) = 00dc690fb08fb049577d012486c9a6dad34212c0
    user@host> file checksum sha-256 /var/tmp/script1.slax
    SHA256 (/var/tmp/script1.slax) = 150bf53383769f3bfedd41fe73320777f208d4fda81230cb27b8738
- For Python scripts, configure the allow-url-for-python statement and the language python or language python3 statement.
    user@host# set system scripts op allow-url-for-python
    user@host# set system scripts language (python | python3)
    user@host# commit
- Place the script on the remote server.
- Provide the script URL and the optional hash values to the administrators who will execute the script.
- Execute the script by running the op url command and specifying the URL that points to the remote file.
    user@host> op url https://www.juniper.net/scripts/script1.slax key sha-256 150bf53383769f3bfedd41fe73320777f208d4fda81230cb27b8738
This example shows how to include the key option and the SHA-256 checksum information.
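The following Python helper is an added example, not part of the Junos OS documentation or tooling. It shows the hash hand-off in the procedure above from both sides: the publisher computes the SHA-256 value, and the administrator checks that the value received is a complete digest before building the op url command. The function names, the example.com URL, the placeholder script body, and the HTTPS-only rule are assumptions of this example.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

SHA256_HEX = re.compile(r"[0-9a-f]{64}")  # a full SHA-256 digest is 64 hex characters


def sha256_of(data: bytes) -> str:
    """Publisher side: the digest to hand out together with the script URL."""
    return hashlib.sha256(data).hexdigest()


def matches_published(data: bytes, published: str) -> bool:
    """Check a staged copy of the script against the published digest."""
    return hmac.compare_digest(sha256_of(data), published.strip().lower())


def build_op_url_command(url: str, published: str) -> str:
    """Administrator side: validate both inputs, then build the CLI command."""
    digest = published.strip().lower()
    if not SHA256_HEX.fullmatch(digest):
        # Catches a digest that lost characters in an e-mail, ticket or wiki page.
        raise ValueError(f"not a complete SHA-256 digest: {len(digest)} characters")
    if any(ch.isspace() for ch in url):
        # Whitespace would split the URL into extra CLI arguments.
        raise ValueError("URL contains whitespace")
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        # Assumption of this example, not a Junos requirement: HTTPS only.
        raise ValueError("only https:// URLs are accepted")
    return f"op url {url} key sha-256 {digest}"


if __name__ == "__main__":
    # Constructed sample input: placeholder script body and example.com URL.
    script = b"version 1.0;\n/* constructed placeholder op script */\n"
    url = "https://scripts.example.com/ops/script1.slax"
    digest = sha256_of(script)
    print(build_op_url_command(url, digest))
    for bad in (digest[:55], digest.replace(digest[0], "z")):
        try:
            build_op_url_command(url, bad)
        except ValueError as err:
            print("rejected:", err)
```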
To prevent the execution of any op scripts from remote sites, configure the no-allow-url statement at the [edit system scripts op] hierarchy level.
When you configure the no-allow-url statement, issuing the op url url operational mode command generates an error. This statement takes precedence when the allow-url-for-python statement is also present in the configuration.