Requirements for Executing Python Automation Scripts on Junos Devices

Requirements for Executing Python Scripts

You can write your Junos OS commit, event, op, and SNMP automation scripts in Python. To prevent the execution of unauthorized Python code, Junos devices, by default, do not permit executing unsigned Python scripts. To execute an unsigned Python script, the following requirements must be met, which are in addition to the normal requirements for onbox automation scripts:

  • File owner is either root or a user in the Junos OS super-user login class.

  • Only the file owner has write permission for the file.

  • The device configuration includes the language python or language python3 statement at the [edit system scripts] hierarchy level.

    Note:

    If you configure the language python3 statement, the device uses Python 3 to execute scripts that support this Python version. Otherwise, the device uses Python 2.7 to execute scripts for which the script type does not support Python 3 in the given Junos OS release. For more information, see Understanding Python Automation Scripts for Junos Devices.

    Note:

    Starting in Junos OS Evolved Release 21.2R1, the junos-defaults configuration group includes the language python statement by default.

    Note:

    To enable a user who does not belong to the file’s user or group class to execute an unsigned Python script, the script’s file permissions must include read permission for others.

As with SLAX and XSLT automation scripts, you must store Python automation scripts in the appropriate script directory on the device. Additionally, you must enable individual scripts by configuring the script filename under the hierarchy level appropriate to the script type in the configuration. For information about storing and enabling automation scripts, see Store and Enable Junos Automation Scripts.

We recommend that you configure a checksum to verify the integrity of Python scripts. To specify a checksum for a local script, configure the checksum statement under the [file filename] statement in the hierarchy for your specific type of script. To specify a checksum for a remote op script, include the key argument when you execute the script using the op url command. Starting in Junos OS Release 18.2R2 and 18.3R1, if you execute an unsigned Python script that does not have a checksum configured, Junos devices log a CSCRIPT_SECURITY_WARNING message in the system log file. For example:

Configuring Access Privileges for Python Scripts

A script's type determines its access privileges during execution. Interactive Python scripts, such as commit and op scripts, run with the access privileges of the user who executes the command or operation that invokes the script. Non-interactive Python scripts, such as event and SNMP scripts, by default, execute with the privileges of the user and group nobody. To execute event or SNMP scripts using the access privileges of a specific user, you must configure the python-script-user username statement at the appropriate hierarchy level for the script type.

Note:

You cannot configure Python event scripts or Python SNMP scripts to execute with root access privileges.

For event scripts, configure the statement at the [edit event-options event-script file filename] hierarchy level.

For SNMP scripts, configure the statement at the [edit system scripts snmp file filename] hierarchy level.

Summary of Requirements

Table 1 summarizes the requirements for executing unsigned Python automation scripts on Junos devices.

Table 1: Python Automation Script Requirements

| Requirement/Restriction Type | Requirement |
| --- | --- |
| File owner | Root user or a user in the Junos OS super-user login class. |
| File write permissions | Only the file owner can have write permission. |
| Configuration for unsigned Python scripts | Configure the language python or language python3 statement at the [edit system scripts] hierarchy level. |
| Configuration to enable an individual script | Configure the script filename under the hierarchy level appropriate to that script type. |
| Access privileges | Python commit and op scripts execute with the access privileges of the user who invokes the script. Python event and SNMP scripts execute with the access privileges of the user configured in the python-script-user statement. If you do not configure the python-script-user statement, the script executes with the access privileges of the user and group nobody. |
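
The following is an added example, not code from Juniper's documentation: it checks a script file against the file-owner and write-permission rows of Table 1, flags the read-for-others condition from the note above, and builds the checksum statement the page recommends. The trusted_uids parameter, the sample file name, and the defaults of sha-256 and the op hierarchy are assumptions of this example.

```python
import hashlib
import os
import stat
import tempfile

# Hierarchy per script type: event and snmp are quoted on this page, op and commit are assumed.
HIERARCHY = {
    "op": "system scripts op",
    "commit": "system scripts commit",
    "snmp": "system scripts snmp",
    "event": "event-options event-script",
}

def audit_script(path, trusted_uids=(0,)):
    """Check a file against the unsigned-script rules. trusted_uids (an assumption
    of this example) lists UID 0 plus the UIDs of super-user class accounts."""
    st = os.stat(path)
    findings = []
    if st.st_uid not in trusted_uids:
        findings.append("FAIL: owner uid %d is not root or a super-user" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("FAIL: group or others have write permission")
    if not st.st_mode & stat.S_IROTH:
        findings.append("NOTE: no read for others; only owner/group users can run it")
    return findings

def checksum_statement(path, script_type="op"):
    """Build the set command that pins the file's SHA-256 in the configuration."""
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return "set %s file %s checksum sha-256 %s" % (
        HIERARCHY[script_type], os.path.basename(path), digest)

def demo():
    """Constructed sample: a throwaway script audited at mode 0664, then 0640."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample-op.py")
        with open(path, "wb") as fh:
            fh.write(b"print('hello')\n")
        me = (os.getuid(),)  # treat the current user as trusted for the demo
        os.chmod(path, 0o664)
        loose = audit_script(path, me)
        os.chmod(path, 0o640)
        tight = audit_script(path, me)
        return loose, tight, checksum_statement(path)

if __name__ == "__main__":
    for item in demo():
        print(item)
```

Ownership is evaluated where the check runs, so repeat it on the device after copying the file into the script directory.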

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

| Release | Description |
| --- | --- |
| 22.3R1-EVO | Starting in Junos OS Evolved Release 22.3R1, Python 3 is the default and only supported Python version for executing Python scripts. |
| 21.2R1-EVO | Starting in Junos OS Evolved Release 21.2R1, the language python statement is configured by default in the junos-defaults configuration group. |