Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Execute an Op Script from a Remote Site

As an alternative to storing operation (op) scripts locally on the device, you can store op scripts at a remote site. You then execute a remote op script by issuing the op command and specifying the url url option. You can execute SLAX and XSLT op scripts from a remote site by default. To execute Python op scripts from a remote site, you must first configure the allow-url-for-python statement at the [edit system scripts op] hierarchy level. Because you cannot guarantee that scripts executed from remote sites are secure, we recommend that you only authorize trusted users to execute scripts using the op url command.

Note:

Statements configured under the [edit system scripts op] hierarchy level are only enforced for op scripts that are local to the device. Thus, even if you configure memory allocation, script dampening, script start options, traceoptions, or other op script-specific statements within that hierarchy, the device does not apply the configuration when you execute a remote script using the op url command.

To execute an op script from a remote site:

  1. Create the script.
  2. (Optional) Store the script temporarily in the /var/tmp directory on the device, and run the script through one or more hash functions to calculate hash values.

    Starting in Junos OS Release 18.2R2 and 18.3R1, Junos OS supports only the SHA-256 hash function for script checksum hashes. Earlier releases support the MD5, SHA-1, and SHA-256 hash functions.

  3. For Python scripts, configure the allow-url-for-python statement and the language python or language python3 statement.
  4. Place the script on the remote server.
  5. Provide the script URL and the optional hash values to the administrators who will execute the script.
  6. Execute the script by running the op url command and specifying the URL that points to the remote file.

    This example shows how to include the key option and the SHA-256 checksum information.

If you instead want to prevent the execution of any op scripts from remote sites, configure the no-allow-url statement at the [edit system scripts op] hierarchy level.

When you configure the no-allow-url statement, issuing the op url url operational mode command generates an error. This statement takes precedence when the allow-url-for-python statement is also present in the configuration.

Related Documentation

Release History Table
Release
Description
18.3R1
Starting in Junos OS Release 18.2R2 and 18.3R1, Junos OS supports only the SHA-256 hash function for script checksum hashes.