Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Requirements for Executing Python Automation Scripts on Junos Devices

Requirements for Executing Python Scripts

You can use Python to author Junos OS commit, event, op, and SNMP automation scripts. To prevent the execution of unauthorized Python code, Junos devices, by default, do not permit executing unsigned Python scripts. To execute an unsigned Python script, the following requirements must be met, which are in addition to the normal requirements for onbox automation scripts:

  • File owner is either root or a user in the Junos OS super-user login class.

  • Only the file owner has write permission for the file.

  • The execution of unsigned Python scripts is enabled by configuring the language python or language python3 statement at the [edit system scripts] hierarchy level.

    Note:

    If you configure the language python3 statement, the device uses Python 3 to execute scripts that support this Python version, and it uses Python 2.7 to execute scripts that do not support Python 3 in the given Junos OS release. For more information, see Understanding Python Automation Scripts for Junos Devices.

    Note:

    Starting in Junos OS Evolved Release 21.2R1, the junos-defaults configuration group includes the language python statement by default.

    Note:

    To enable a user who does not belong to the file’s user or group class to execute an unsigned Python automation script, the script’s file permissions must include read permission for others.

As with SLAX and XSLT automation scripts, you must store Python automation scripts in the appropriate directory on the device, and you must enable individual scripts by configuring the script filename under the hierarchy level appropriate to the script type in the configuration. For information about storing and enabling automation scripts, see Store and Enable Junos Automation Scripts.

We recommend that you configure a checksum to verify the integrity of Python scripts. To specify a checksum for a local script, configure the checksum statement under the [file filename] statement in the hierarchy for your specific type of script. To specify a checksum for a remote op script, include the key argument when you execute the script using the op url command. Starting in Junos OS Release 18.2R2 and 18.3R1, if you execute an unsigned Python script that does not have a checksum configured, Junos devices log a CSCRIPT_SECURITY_WARNING message in the system log file. For example:

Configuring Access Privileges for Python Scripts

Starting in Junos OS Release 16.1R3, interactive Python scripts, such as commit and op scripts, run with the access privileges of the user who executes the command or operation that invokes the script. Non-interactive Python scripts, such as event and SNMP scripts, by default, execute under the privileges of the user and group nobody. To execute event or SNMP scripts using the access privileges of a specific user, you must configure the python-script-user username statement at the [edit event-options event-script file filename] hierarchy level for event scripts or the [edit system scripts snmp file filename] hierarchy level for SNMP scripts, and specify a user configured at the [edit system login] hierarchy level.

For example:

Note:

You cannot configure Python event and SNMP scripts to execute with root access privileges.

Summary of Requirement Changes By Release

Starting in Junos OS Release 16.1R3, ownership and access privilege requirements for some unsigned Python scripts are modified. In Junos OS Release 16.1R2 and earlier releases, unsigned Python commit, event, op, and SNMP scripts must be owned by the root user, and Junos OS executes the scripts using the access privileges of the *nix user and group nobody, which is the generic, unprivileged system account. Starting in Junos OS Release 16.1R3, unsigned Python automation scripts must be owned by either the root user or a user in the Junos OS super-user login class, and only the file owner can have write permission for the file. Furthermore, Python automation scripts can be executed with the access privileges of authorized users.

Table 1 outlines the requirements for executing unsigned Python automation scripts in the different Veriexec-enabled versions of Junos OS.

Table 1: Python Automation Script Requirements

Requirement/Restriction

Junos OS Release 16.1R2 or Earlier Release

Junos OS Release 16.1R3 or Later Release

File owner

Root user

Root user or a user in the Junos OS super-user login class.

File write permissions

Any

File owner only

language python or language python3 statement must be configured at the [edit system scripts] hierarchy level

Note:

Python 3 is supported in Junos OS Release 19.4R1 and later releases.

Yes

Yes

Script must be enabled in the configuration under the hierarchy appropriate to that script type

Yes

Yes

Access privileges

All Python automation scripts execute with the access privileges of the user and group nobody

Python commit and op scripts execute with the access privileges of the user who invokes the script.

Python event and SNMP scripts execute with the access privileges of the user configured in the python-script-user statement. If the python-script-user statement is not configured, the script executes with the access privileges of the user and group nobody.

Release History Table
Release
Description
22.3R1-EVO
Starting in Junos OS Evolved Release 22.3R1, Python 3 is the default and only supported Python version for executing Python scripts.
21.2R1-EVO
Starting in Junos OS Evolved Release 21.2R1, the language python statement is configured by default in the junos-defaults configuration group.
16.1R3
Starting in Junos OS Release 16.1R3, ownership and access privilege requirements for some unsigned Python scripts are modified.