gRPC Service
gRPC is an open-source framework that provides secure and reliable data transport. You can use a set of Remote Procedure Call (RPC) interfaces to configure the Junos telemetry interface and stream telemetry data using the gRPC framework. gRPC remote procedure calls (gRPC) are used to provision sensors and to subscribe to and receive telemetry data. OpenConfig supports the YANG data models. The OpenConfig data model generates data as Google Protocol Buffer (gpb) messages in a universal key/value format.
Using gRPC to Stream Data
According to the OpenConfig specification, only gRPC-based transport is supported for streaming data. The gRPC server terminates the gRPC sessions from the management system that runs the client. RPC calls trigger the creation of Junos OS sensors that either stream data periodically or report events, which are then funneled onto the appropriate gRPC channel .
Starting in Junos OS Release 18.2R1, when an external streaming server, or collector,
provisions sensors to export data through gRPC on devices running Junos OS, the sensor
configuration is committed to the junos-analytics instance of the
ephemeral configuration database, and the configuration can be viewed by using the
show ephemeral-configuration instance junos-analytics operational
command. In earlier releases, the sensor configuration is committed to the default
instance of the ephemeral configuration database.
The Juniper telemetry header that was exported as part of updates is now exported as an extension header. GnmiJuniperTelemetryHeader.proto is used to decode the updates from Juniper devices running Junos OS Release 19.3 or earlier and GnmiJuniperTelemetryHeaderExtension.proto is used for devices running Junos OS Release 19.4 or later.
See Table 1 for a list and descriptions of the RPCs implemented to support the Junos telemetry interface.
|
RPC Name |
Description |
|---|---|
|
|
Specify telemetry parameters and stream data for the specified list of OpenConfig paths. |
|
|
Retrieve the list of subscriptions that are created through
|
|
|
Unsubscribe a subscription created through
|
Data streamed through gRPC is formatted in OpenConfig key/value pairs in protocol buffers (gpb) messages. In this universal format, keys are strings that correspond to the path of the system resources in the OpenConfig schema for the device being monitored. The values correspond to integers or strings that identify the operational state of the system resource, such as interface counters, and the state of the resource.
Starting in Junos OS Release 18.2R1, data streamed through gRPC can be formatted as protobuf in addition to key/value pairs for OpenConfig-based routing engine (RE) sensors. These sensors are in addition to the packet forwarding engine (PFE) sensors.
The following shows the universal key/value format:
message KeyValue {
string key = 1 [(telemetry_options).is_key = true];
uint64 int_value = 2;
string str_value = 3;
string prefix_str = 4;
}
message TelemetryStream {
// router name or export IP address
required string system_id = 1 [(telemetry_options).is_key = true];
// line card / RE (slot number)
optional uint32 component_id = 2 [(telemetry_options).is_key = true];
// PFE (if applicable)
optional uint32 sub_component_id = 3 [(telemetry_options).is_key = true];
// timestamp (common to all entries in the kv array)
optional uint64 timestamp = 4 [(telemetry_options).is_timestamp = true];
// key / value pairs
repeated KeyValue kv;
}
The following example shows how a set of counters for an interface can be represented:
key = “/interfaces/counters/rx-bytes”, int_value = 1000 key = “/interfaces/counters/tx-bytes”, int_value = 2000 key = “/interfaces/counters/rx-packets”, int_value = 10 key = “/interfaces/counters/rx-bytes” , int_value = 20 key = “/interfaces/counters/oper-state”, str_value = “up”
A mapping table maps field names to the OpenConfig key strings.
Using OpenConfig for Junos OS to Enable Junos Telemetry Interface
OpenConfig for Junos OS specifies an RPC model to enable the Junos telemetry interface. This package also includes the required YANG models.
You can locate all YANG data models in a GitHub repository for a given OS and release in a single download package. The package and repository include the native configuration, state, and RPC data models and the OpenConfig and IETF data models supported by that OS. You can also access the YANG data models from the Juniper Networks download site.
Using a Web browser, navigate to the All Junos Platforms software download URL on the Juniper Networks webpage: https://www.juniper.net/support/downloads/. From the Network Management tab, scroll down to select OpenConfig. Select the Software tab. Select the appropriate version of OpenConfig module.
The programmatic interface OpenConfigTelemetry
defines the telemetry gRPC service.
The telemetrySubscribe RPC specifies the following subscription parameters:
-
OpenConfig path that identifies the system resource to stream telemetry data, for example:
/interfaces/interface/state/counters/ -
Interval at which data is reported and streamed to the collector server, in milliseconds, for example:
sample_frequency = 4000
The telemetrySubscribe RPC is used by a streaming server, or collector, to
request an inline subscription for data at the specified path. The device should then send
telemetry data back on the same connection as the subscription request.
Configuring gRPC for the Junos Telemetry Interface
You can stream telemetry data for various network elements through gRPC, an open source framework for handling remote procedure calls based on TCP. The Junos Telemetry Interface relies on a so-called push model to deliver data asynchronously, which eliminates polling.
Before you begin:
-
Install Junos OS Release 16.1R3 or later on your Juniper Networks device.
To configure your system for gRPC services specify the API connection setting based on Transport Layer Security (TLS) technology.
For example, to set the API connection:
[edit system services] user@host# set extension-service request-response grpc tls
For an TLS-based connection, you must specify a local-certificate name. You can rely on the default IP address (::) to enable Junos to “listen” for all IPv4 and IPv6 addresses on incoming connections. If you would rather specify an IP address, follow step 2 below.
- Specify a local certificate-name. The certificate can be any user-defined value from the
certificate configuration (not shown here). The certificate name used in this example is
jsd_certificate:[edit system services extension-service request-response grpc] user@host# set tls local-certificate jsd_certificate
Note:Enter the name of a certificate you have configured with the
local certificate-namestatement at the[edit security certificates]hierarchy level. (Optional) Specify an IP address to listen for incoming connections. The IP address used in this example is
192.0.2.0:[edit system services extension-service request-response grpc] user@host# set tls ip-address 192.0.2.0
Note:If you do not specify an IP address, the default address of :: is used to listen for incoming connections.
Note: The maximum number of concurrent gRPC connections supported are "30".To specify the maximum number of connections, include themax-connectionsstatement at the[edit system services extension-service request-response grpc]hierarchy level.
Configuring Mutual Authentication for gRPC for Junos Telemetry Interface
Starting with Junos OS Release 17.4R1, you can configure mutual authentication for gRPC
sessions used to stream telemetry data. Previously, only authentication of the server, that
is, Juniper device, was supported. Now the external client, that is management station that
collects data, can also be authenticated using TLS certificates. The JET service process
(jsd), which supports application interaction with Junos OS, uses the
credentials provided by the external client to authenticate the client and authorize a
connection.
Before you begin:
-
Configure the gRPC server. For more information, see Configuring gRPC for the Junos Telemetry Interface.
To configure authentication for the external client, that is, management station that collects telemetry data streamed from the Juniper device:
Enable mutual authentication and specify the requirements for a client certificate.
For example, to specify the strongest authentication, which requires a certificate and its validation:
[edit system services extention-service request-response grpc tls] user@host# set mutual-authentication client-certificate-request require-certificate-and-verify
Note:The default is
no-certificate. The other options are:request-certificate,request-certificate-and-verify,require-certificate,require-certificate-and-verfiy.We recommend that you use
no-certificateoption in a test environment only.Specify the certificate authority.
Note:For the certificate authority, specify a certificate-authority profile you have configured at the
[edit security pki ca-profile]hierarchy level. This profile is used to validate the certificate provided by the client.A digital certificate provides a way of authenticating users through a trusted third-party called a certificate authority (CA). The CA validates the identity of a certificate holder and “signs” the certificate to attest that it has not been forged or altered. For more information, see Digital Certificates Overview and Example: Requesting a CA Digital Certificate.
For example, to specify a certificate-authority profile named
jsd_certificate:[edit system services extention-service request-response grpc tls mutual-authentication] user@host# set certificate-authority jsd_certificate
Verify that an external client can successfully connect with the Juniper device through the
jsdprocess and invoke OpenConfig RPCs.The external client passes username and password credentials as part of metadata in each RPC. The RPC is allowed if valid credentials are used. Otherwise an error message is returned.