ypgnmi-app Installation

The following sections describe the steps to install and test the ypgnmi-app application.

gNMI Source Code Installation

gNMI Prerequisites

Install the Go programming language.

Version 'go1.19' or higher is required. To verify the installation and check the installed Go version, run the following:

mydir> go version

go version go1.19 linux/amd64

gNMI Source Code Compilation

If you installed YumaPro from source code, build and install it using either EVERYTHING=1 or both the WITH_RESTCONF=1 and WITH_YCONTROL=1 flags. In addition, the WITH_GNMI=1 make variable must be used.

Example: Build the netconfd-pro server with gNMI support:

make DEBUG=1 DEBUG2=1 EVERYTHING=1 WITH_GNMI=1 USE_WERROR=1
sudo make DEBUG=1 DEBUG2=1 EVERYTHING=1 WITH_GNMI=1 USE_WERROR=1 install

The optional parameters GO_PATH=$CUSTOM_GOPATH and GO_BIN=$CUSTOM_GOBIN can be added if needed.

Setting up a Custom GO Workspace

To install ypgnmi-app in a custom location, set custom $GOPATH and $GOBIN variables. Otherwise, the default Go workspace $HOME/go will be used and the ypgnmi-app application dependencies will be installed there. Follow these steps to set up a custom workspace and variables.

The build variables GO_PATH=$CUSTOM_GOPATH and GO_BIN=$CUSTOM_GOBIN are needed if a custom workspace is used.

GO_BIN=<dirspec>

Specifies the $GOBIN variable dirspec to use when building the ypgnmi-app application. The default is $HOME/go/bin. Ignored if PACKAGE_BUILD=1 is also used.

GO_PATH=<dirspec>

Specifies the $GOPATH variable dirspec to use when building the ypgnmi-app application. The default is $HOME/go. Ignored if PACKAGE_BUILD=1 is also used.

In this case, ypgnmi-app will be installed into your custom $GOBIN location. By default, the application is installed in /usr/bin/.

gNMI Binary Package Installation

The ypgnmi-app utility is distributed as a precompiled binary, so the Go toolchain is not required on the target system. Only the binary itself is needed at runtime.

When installing YumaPro from a binary package, the ypgnmi-app application is placed by default in the system directory:

/usr/bin/ypgnmi-app

The binary may be relocated to a different directory if required. In such cases, the new directory should be included in the system PATH environment variable.

Note

The ypgnmi-app binary is fully self-contained. The Go toolchain is required only when building the application from source.

Generate CA Certificates

Generate the client and server certificates as described in the section Configure TLS.

If your gNMI client requires certificates that use a Subject Alternative Name (SAN) instead of relying on the legacy Common Name field, refer to Generating Certificates with a SAN.

Generate CA Certificates for gNMIc

Note

This section is specific to the gNMIc client. It ensures the CA certificate is a real CA (basicConstraints=CA:TRUE) and that the server certificate includes the proper Subject Alternative Names (SAN).

If you already have TLS certificates installed (as described in Configure TLS), clean the existing CA/server/client files in the working directory before executing the script, so that artifacts from previous runs are not mixed with the new ones. Do not remove production keys.

certs> rm -f ca.* server.* client.* *.srl

Use the dedicated script for gNMIc:

mydir> mkdir -p ~/certs
mydir> cp /usr/share/yumapro/util/generate-keys-gnmic.sh ~/certs

Or:

mydir> cp netconfd/util/generate-keys-gnmic.sh ~/certs
mydir> cd ~/certs

Now generate the certificates:

certs> ./generate-keys-gnmic.sh

Script overview:

  • Creates a CA certificate with CA:TRUE (required by gNMIc as a trust anchor).

  • Issues a server certificate with Extended Key Usage serverAuth and SANs suitable for testing.

  • Issues a client certificate with Extended Key Usage clientAuth for mTLS.

  • Writes a convenience copy of the CA as ca.pem.

By default the script uses the target name restconf. During gNMI client requests, either:

  • use --tls-server-name restconf or

  • add every hostname/IP you will dial to the server certificate SANs.

To customize before running the script:

export SERVER_CN=restconf
export SERVER_SANS="DNS:restconf,DNS:localhost,IP:127.0.0.1,IP:192.168.0.213"

Example gNMIc invocation (mutual TLS):

mydir> gnmic -a 127.0.0.1:10161 \
  --tls-ca   ~/certs/ca.pem \
  --tls-cert ~/certs/client.crt \
  --tls-key  ~/certs/client.key \
  --tls-server-name restconf \
  capabilities
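
The properties listed in the script overview (CA:TRUE on the trust anchor, Extended Key Usage on the leaf, and a SAN matching the dialed name) can be checked with Go's crypto/x509, shown here as an added example that is not part of the YumaPro documentation or of generate-keys-gnmic.sh. The helper names issue and checkPeer, the Ed25519 key type and the in-memory test certificates are assumptions constructed for illustration; the SANs mirror part of the SERVER_SANS example above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue signs a constructed in-memory test certificate (hypothetical names); nil parent = self-signed.
func issue(t, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	t.SerialNumber, t.NotBefore, t.NotAfter = big.NewInt(now.UnixNano()), now.Add(-time.Hour), now.Add(time.Hour)
	if parent == nil {
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// checkPeer: trust anchor is CA:TRUE, chain verifies, leaf has the EKU and (if name is set) a matching SAN.
func checkPeer(ca, leaf *x509.Certificate, name string, eku x509.ExtKeyUsage) error {
	if !ca.BasicConstraintsValid || !ca.IsCA {
		return fmt.Errorf("trust anchor %q lacks basicConstraints CA:TRUE", ca.Subject.CommonName)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: name, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

func main() {
	ca, caKey := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "test-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	srv, _ := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "restconf"},
		DNSNames: []string{"restconf", "localhost"}, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	for _, name := range []string{"restconf", "127.0.0.1", "192.168.0.213"} {
		fmt.Printf("%-14s %v\n", name, checkPeer(ca, srv, name, x509.ExtKeyUsageServerAuth))
	}
}
```

The first two names verify, while 192.168.0.213 is rejected because it is not among the constructed SANs. That is the case which --tls-server-name restconf or an additional SAN entry addresses.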