7. Telemetry
7.1. Telemetry Overview
Telemetry is a network monitoring and fault management framework. Telemetry is driven by the need to use fresh data obtained from the network to make fast networking decisions such as traffic optimization and preventive troubleshooting.
Unlike legacy monitoring platforms such as SNMP, telemetry does not only rely on continuously pulling data from the network devices. Instead, network devices push and stream data (such as statistics) continuously to data collectors, based on subscriptions. The data collectors can then filter, analyze, store, and make decisions using the collected data from the network devices. Figure 21 shows a telemetry application.
Figure 21: Telemetry Application
7.2. Telemetry in SR OS
Telemetry uses the proprietary Nokia SR OS YANG data models to stream data that is encoded as protocol buffers into a language-neutral, platform-independent, extendible mechanism for serializing structured data. Remote Procedure Call (RPC) is the generic transport protocol used to subscribe to the SR OS device and receive streamed telemetry data
7.2.1. gRPC in Telemetry
The gRPC transport service uses HTTP/2 bidirectional streaming between the gRPC client (the data collector) and the gRPC server (the SR OS device). A gRPC session is a single connection from the gRPC client to the gRPC server over the TCP/TLS port. A gRPC session can be used by:
- a gRPC client to send a telemetry subscription request to the gRPC server
- a gRPC server to send asynchronous telemetry data to the gRPC collector
Each RPC within a session is a gRPC channel.
The gRPC version supported on the SR OS gRPC server is 1.0.1.
The SR OS gRPC encryption and authentication follows the basic conventions described in the OpenConfig gnmi-authentication.md published on github.com (version 0.1.0 from Oct 5, 2016).
TLS encryption is used for added security. The following summarizes the process of encryption and authentication:
- TLS encryption
- The gRPC session must be in an encrypted state before it can be used.
- If the gRPC client and gRPC server are unable to negotiate an encrypted gRPC session, the gRPC session fails and the gRPC server sends an error.
- Fallback from an encrypted to an unencrypted gRPC session is not allowed.
For information about how to configure TLS with gRPC, see the TLS chapter. - SR OS device authentication
- The gRPC clients do not share gRPC sessions. Each gRPC client initially starts a separate gRPC session.
- When a gRPC session is established, the gRPC server certificates are verified by the gRPC client to ensure that every gRPC server is authenticated by the gRPC client.
- If gRPC is shutdown on the gRPC server, and a gRPC client is trying to establish a gRPC session, the gRPC client will get an error for every sent RPC.
- If gRPC is shutdown on the gRPC server, and a gRPC session is established, all active RPCs are gracefully terminated, and an error is returned for every active RPC.
- User authentication
- Each RPC sent by the gRPC client carries a username and password.
- For the first RPC in the gRPC session, the gRPC server tries to authenticate the user via the specified authentication order, such as by the local user database, RADIUS, or TACACS+.For example, if TACACS+ is first in the authentication order, the gRPC server sends a request to the TACACs+ server to authenticate the gRPC user.
- For the subsequent RPCs on that same authenticated gRPC session, the username and password are reauthenticated only if changed.
- When there is no username and password provided with the RPC, the gRPC server returns an error.
- If the RPC user is changed, any active subscriber RPCs on that same gRPC session are terminated by the gRPC server.
- If the RPC password is changed, the active gRPC session will continue to exist until a different username and password is sent in a subsequent RPC, or the gRPC session is terminated.
- Each telemetry message is carried over a gRPC session that was previously encrypted; the session is not reencrypted.
Figure 22 shows the telemetry protocol stack.
Figure 22: Protocol Stack
The gRPC service runs on port 57400 by default in SR OS. The service is not configurable.
A single gRPC server supports concurrent gRPC sessions and channels.
- There is a maximum of eight concurrent gRPC sessions for all of the gRPC clients.
- There is a maximum of 225 concurrent gRPC channels for all of the gRPC clients. Since each RPC is a unique channel, the maximum number of subscriptions for all the gRPC clients on a single SR OS device is 225.
Disconnecting a gRPC channel disconnects an active telemetry subscription. A gRPC session that is used by the disconnected subscription should not be terminated. Terminating the entire gRPC session disconnects all active telemetry subscriptions on the terminated gRPC session.
A telemetry subscription can be administratively terminated from the CLI. An active gRPC session that is used by the terminated subscription is not terminated. See gRPC Command Reference for command details.
Figure 23 shows a gRPC service using the TLS architecture.
Figure 23: gRPC Using TLS Architecture
7.2.2. Operations Layer
This section summarizes support for subscription requests and subscription responses.
SR OS telemetry follows the OpenConfig gnmi.proto published on github.com (version 0.4.0). This model defines the relationship and behavior between the gRPC client and server.
SR OS telemetry follows the basic conventions described in the OpenConfig gnmi-specification.md published on github.com (version 0.2.2 from March 7th, 2017).
A subscription is initiated from the gRPC client by sending a "Subscribe" RPC that contains a "SubscribeRequest" message to the gRPC server. A “prefix” can be specified to be used with all paths specified in the "SubscribeRequest". If a "prefix" is present, then it is logically appended to the start of every "path" to provide a full path.
A subscription contains:
- a path list of one or more paths. The following conditions apply.
- A path represents the data tree as a series of repeated strings and elements. Each element represents a data tree node name and its associated attributes.
- A path must be syntactically valid within the set of schema modules that the gRPC server supports.
- The path list cannot be modified throughout the lifetime of the subscription.
- If the subscription path is to a container node, all children leafs of that container node are considered to be subscribed to.
- Any specified path must be unique within the list (paths cannot be repeated within the list). An error is returned if the same path is used more than one time in a single subscription.
- A specified path does not need to preexist within the current data tree on the gRPC server. If a path does not exist, the gRPC server continues to monitor for the existence of the path, and transmits telemetry updates if the path exists in the future.
- The gRPC server does not send any data for a nonexistent path; for example, if a path is nonexistent at the time of subscription creation or if the path was deleted after the subscription was established.
- The maximum number of paths per all subscriptions on a single SR OS device is 14 400. A path using a wildcard is still considered a single path.
- a subscription mode. The following conditions apply.
- SAMPLE mode is supported for each path, where the gRPC server sends notifications at the specified sampling interval.
- TARGET_DEFINED mode also means SAMPLE mode.
- a sample interval:
- A sample_interval is supported for each path. A sample_interval of 0 means 10 seconds by default. If a sample_interval of less than 10 seconds is specified, the gRPC server returns an error. A sample_interval is specified in nanoseconds (10 000 000 000, by default).
Figure 24 shows the SR OS support of a subscription request.
Figure 24: Subscription Request
When a subscription is successfully initiated on the gRPC server, SubscribeReponse messages are sent from the gRPC server to the gRPC client. The SubscribeResponse message contains update notifications as per the subscription's path list.
A sync_response notification is sent one time, after the gRPC server sends all of the updates for the subscribed-to paths. The sync_response must be set to “true” for the gRPC client to consider that the stream has synced one time. A sync_response is used to signal the gRPC client that it has a full view of the subscribed-to data.
The gRPC server sends an error if required. The error contains a description of the context of the error.
An update notification contains:
- a timestamp of the statistics collection time, represented in nanoseconds
- a prefix:
- If a prefix is present, it is logically appended to the start of every path to provide the full path.
- The presence of a prefix in the SubscriptionResponse message is not related to the presence of a prefix in the original SubscriptionRequest message. The prefix in the SubscriptionResponse message is optimized by the gRPC server.
- a list of update (path and value pairs):
- A path represents the data tree path as a series of repeated strings or elements, where each element represents a data tree node name and its associated attributes. See the Schema Paths section for more information.
- The TypedValue message represents the data tree node’s value where encoding is always “JSON”.
Figure 25 shows the SR OS support of a subscription response.Figure 25: Subscription Response
7.2.3. Schema Paths
Telemetry subscriptions include a set of schema paths used to identify which data nodes are of interest to the collector.
The paths in Telemetry Subscribe RPC requests follow the basic conventions described in the OpenConfig gnmi-path-conventions.md published on github.com (version 0.2.0 from February 24th, 2017).
A path consists of a set of path segments often shown with a “/” character as a delimiter; for example, /configure/router[router-instance=Base]/interface[interface-name=my-interface1]/description.
These paths are encoded as a set of individual string segments in gnmi.proto (without any “/” characters); for example, ["configure", "router[router-instance=Base]", "interface[interface-name=my-interface1]", "description"].
A path selects an entire subtree of the data model and includes all descendants of the node indicated in the path. Table 95 describes the types of schema paths that are supported in SR OS telemetry.
Table 95: Schema Paths
Path example | Description |
/configure/router[router-instance=Base]/interface[interface-name=abc] | Selects all config leafs of interface abc and all descendants. |
/configure/router[router-instance=Base]/interface[interface-name=abc]/description | Selects only the description leaf of interface abc. |
/state/router[router-instance=Base]/interface[interface-name=*] | Selects all state information for all Base router interfaces using a wildcard in a single segment of a path. |
/configure/router[router-instance=Base]/interface[interface-name=*]/description | Selects all state information for all Base router interfaces using a wildcard in a single segment of a path. |
/ | The root path. This selects all config and state data from all models (in all namespaces) supported on the router. Encoded as “” in gRPC/gPB. |
The following list describes types of telemetry paths that are not supported in SR OS:
- Wildcards for entire path segments are not supported.For example: /state/service/*/oper-status
- If a wildcard is used for any key of a list, a wildcard must be used for all the keys of that list. In a single path segment, all the keys must either have specific values or all the keys must have wildcards. A mix of wildcards and specific values for different parts of a list key is not supported.For example:Supported:/a/b[key1=*][key2=*]/c[key1=foo]/a/b[key1=foo][key2=bar]/c[key1=*]Not supported:/a/b[key1=foo][key2=*]
- Functions such as “current()”, “last()” and mathematical operators, such as stat<5 or octets>3 are not supported in paths. The “|” (OR operator, used to select multiple paths) is not supported.
- Wildcards in multiple segments of a path are supported.For example: /state/card[slot-number=*]/mda[mda-slot=*]
- The “//” wildcard pattern is not supported.For example: /state//oper-status
7.3. Telemetry Examples
This section contains examples of Telemetry subscription requests and responses. The following examples are dumps of protobuf messages from a Python API. Formats may vary across different implementations.
Example 1 — Subscribe to a single path
Example 2 — Subscribe to a single path with wildcard
Example 3: Subscribe to more than one path
Example 4: Subscribe to a list with wildcard
Example 5: Subscribe to path where the object did not exist before subscription
Example 6: Subscribe to a path where the object existed before subscription then was deleted after subscription