TerminAttr is the EOS state streaming telemetry agent. It runs as a single binary and can stream to both CloudVision and third-party applications using gNMI. It has been bundled with every EOS release from 4.17.0F onward, and it is also available as a SWIX extension, which can be used to upgrade TerminAttr to the latest version. Check the release notes for the latest recommended stable version and for compatibility between EOS releases. As the release notes say, the minimum supported TerminAttr version on each EOS release is the one that comes pre-bundled with it, which can be checked with the ‘show version detail’ command.
Note: TerminAttr will only show up in the ‘show extensions’ output if it was installed as a SWIX extension.
TerminAttr flags
These are the most common flags used, and the ones used when using the telemetry configlet builder to generate the TerminAttr configuration:
-allowed_ips value
Comma-separated list of allowed clients of form IP Address/Mask (default 127.0.0.1/32). This applies to TerminAttr’s gNMI server and can be used in EOS-PDP releases where only Service ACLs are allowed and there is no control-plane ACL.
-certfile string
Path to TLS certificate file for use by the gNMI server
-clientcafile string
Root certificate authority for gNMI client certificate authentication (disables username/password authentication)
-controllerdbhost string
Address or socket of Controllerdb host. (default “@/Arista/controllerdb”)
-controllerdbnetwork string
Type of socket used to connect to Controllerdb (default “unix”)
-counters value
Interval at which to scrape interface counters (0 to disable) (default 2s). This only applies on EOS versions before 4.20.
-cpu_counters_expiration value
Interval (in seconds) at which to scrape CPU queue counters via eAPI (0 to disable). The minimum interval is one minute by default, or two minutes if running_config_expiration is also set.
-cvaddr value
Address of the gRPC CloudVision. Possible formats:
addr: single target
addr1,addr2,addr3: load-balancing among all targets (multinode cluster members)
dns://addr[/?interval=interval]: all IPs for addr
-cvauth value
Authentication scheme used to connect to CloudVision. Possible values:
none: no authentication
none-tls[,{caFile}]: no authentication, TLS encryption
certs,{certFile},{keyFile}[,{caFile}]: client-side certificate
token,{tokenFile}: client-side certificate with token-based enrollment
token-secure,{tokenFile}[,{caFile}]: client-side certificate with token-based enrollment, with initial connection verified using TLS. Uses OS default CA for verification if caFile is not given.
key,{key}[,{caFile}]: Metadata key authentication with TLS encryption
-cvcompression string
Compression scheme when streaming to CloudVision. Use one of the following values to override automatic behavior:
none: no compression
gzip: GZIP compression
Note that compression is enabled by default since TerminAttr 1.6.1 and CVP 2019.1.0 and it’s redundant to specify it in the daemon configuration.
-cvgnmi
Stream state from EOS GNMI servers to CloudVision
-cvobscurekeyfile
Encrypt the private key used for authentication to CloudVision
-cvopt cluster.option=value
Set options for streaming to additional CloudVision clusters. Each cluster needs a unique name. “primary” is reserved for the main CloudVision cluster and non-cvopt CloudVision options always apply to the “primary” cluster.
Format: -cvopt cluster.option=value
Options:
addr: see -cvaddr
auth: see -cvauth
sourceip: see -cvsourceip
vrf: see -cvvrf
obscurekeyfile: see -cvobscurekeyfile
Example, configure a primary cluster and secondary cluster foo:
-cvaddr=10.1.0.1:1234 -cvauth=none -cvopt foo.addr=1.2.3.4:5678 -cvopt foo.auth=none
Equivalently:
-cvopt primary.addr=10.1.0.1:1234 -cvopt primary.auth=none -cvopt foo.addr=1.2.3.4:5678 -cvopt foo.auth=none
The cluster names can be arbitrary, so the following is also equivalent:
-cvopt alpha.addr=10.1.0.1:1234 -cvopt alpha.auth=none -cvopt beta.addr=1.2.3.4:5678 -cvopt beta.auth=none
More details can be found in https://eos.arista.com/sending-telemetry-data-from-terminattr-to-multiple-cvp-instances/
-cvsourceip string
ip[:port] to use as source address when connecting to CloudVision using in-band management
-cvvrf string
Name of the VRF to use to connect to CloudVision
-disableaaa
Disable AAA checking – all AAA requests pass
Note: Starting from TerminAttr 1.8.2, disableaaa can be used to disable authentication and authorization when performing eAPI-over-TerminAttr requests, also known as the Advanced login option for device provisioning in the CloudVision settings. In earlier releases AAA could only be disabled for gNMI requests made by gNMI clients (e.g. ocprometheus, ockafka, etc.).
This is useful when the AAA server denies authorization requests that are not preceded by authentication requests (see https://eos.arista.com/toi/cvp-2018-2-3/#one-time-passwords), or when enable secrets are used. Enable secrets are only supported with CloudVision when the password is the same as the password of the UI user that is attempting to make configuration changes to the device (see https://www.arista.com/en/cg-cv/cv-limitations).
-ecodhcpaddr string
ECO DHCP Collector address or ECO DHCP Fingerprint listening address in standalone mode (default “127.0.0.1:67”)
Note that this flag is enabled by default and does not have to be added to the daemon configuration.
-enrollonly
Enroll and exit
-grpcaddr string
VRFs and addresses to listen on to serve data using the gNMI interface.
The expected form is [<vrf-name>/]address:port[,[<vrf-name>/]address:port]+ (default “127.0.0.1:6042”)
-grpcreadonly
gNMI read-only mode – Disable gnmi.Set()
-ingestauth value
[Deprecated: use -cvauth instead] Authentication scheme used to connect to CloudVision. Possible values:
none: no authentication
none-tls[,{caFile}]: no authentication, TLS encryption
certs,{certFile},{keyFile}[,{caFile}]: client-side certificate
token,{tokenFile}: client-side certificate with token-based enrollment
token-secure,{tokenFile}[,{caFile}]: client-side certificate with token-based enrollment, with initial connection verified using TLS. Uses OS default CA for verification if caFile is not given.
key,{key}[,{caFile}]: Metadata key authentication with TLS encryption
-ingestexclude string
Comma separated list of path prefixes to not stream (disallowlist, applied after -ingestfilter’s allowlist)
-ingestgrpcurl value
[Deprecated: use -cvaddr instead] URL of the gRPC Ingest Gateway. Possible formats:
addr: single target
addr1,addr2/addr3,…: load-balancing among all targets (clusters delimited by /)
dns://addr: all IPs for addr
-ingestvrf string
[Deprecated: use -cvvrf instead] Name of the VRF to use to connect to the Ingest Gateway
-ipfix
Enable IPFIX provider (default true)
Note that this flag is enabled by default and does not have to be added to the daemon configuration.
-ipfixaddr string
ECO IPFIX Collector address to listen on to receive IPFIX packets (default “127.0.0.1:4739”)
Note that this flag is enabled by default and does not have to be added to the daemon configuration.
-ipfixdomain string
ECO IPFIX domain name (default “default”)
-keyfile string
Path to TLS private key file for use by the gNMI server
-lanzaddr string
LANZ streaming server address (default “127.0.0.1:50001”)
-memmode_force string
Force a memory savings mode, leave unset for automatic behavior.
Options are “normal”, “low”, or “idle”.
-restaddr string
VRF and address to listen to for TerminAttr’s REST/debugging/expvar/pprof server.
The expected form is [<vrf-name>/]address:port (default “127.0.0.1:6060”)
Note that this flag is enabled by default and does not have to be added to the daemon configuration. It is useful for troubleshooting state changes in EOS, e.g. to check interface counters we can run the following command in bash:
curl localhost:6060/rest/Smash/counters/ethIntf/SandCounters/current
-sflow
Enable sFlow provider (default true)
Note that this flag is enabled by default and does not have to be added to the daemon configuration.
-sflowaddr string
ECO sFlow Collector address to listen on to receive sFlow packets (default “127.0.0.1:6343”)
Note that this flag is enabled by default and does not have to be added to the daemon configuration.
-sflowdomain string
ECO sFlow domain name (default “default”)
-smashexcludes string
Comma separated list of Smash tables to ignore (default: none, applied after -smashincludes’ allowlist)
The default list excludes the following tables: -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata
If other tables are to be excluded, they can be added to that list, e.g. if we want to exclude streaming the routing table or VXLAN counters the flag would look like this: -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata,routing,vxlan/counter
To see the full list of Smash tables, run bash smash -p
-smashincludes string
Comma separated list of Smash tables to mount (default: mount all)
-sysdbexcludes string
Comma separated list of paths to ignore. Each path must be to a non-instantiating attribute.
-taillogs
Enable log file collection
-tridentmmuperiod duration
Interval at which to collect Trident2 MMU data (defaults to 0, which means disabled)
-v value
log level for V logs
-version
Print the version number
-vmodule value
comma-separated list of pattern=N settings for file-filtered logging (e.g. -vmodule=provider=4)
-voqCounters value
Interval in seconds at which to scrape VOQ counters (2 seconds recommended)
-cvproxy
Proxy server through which CloudVision is reachable. Useful when the CloudVision server is hosted in the cloud. The expected form is [http(s)://]address:port, e.g.: -cvproxy=http://10.83.12.78:3128
Available as of TerminAttr v1.13.0
Note that the ingestgrpcurl, ingestauth and ingestvrf flags are marked as deprecated, but will still be supported for a few releases.
For more flags, use the TerminAttr --help command in bash.
TerminAttr configuration examples
When building the TerminAttr daemon configuration, it is highly recommended to use the built-in configlet builders, usually called SYS_TelemetryBuilderX on CloudVision on-prem, or to follow the instructions shown after clicking the Add device button on CloudVision as a Service.
1) Streaming to CloudVision on-prem
When streaming to CloudVision on-prem there are two main ways to authenticate:
a) via certs, introduced in CloudVision 2019.1.0, also described in the Config guide (recommended approach)
daemon TerminAttr
   exec /usr/bin/TerminAttr -ingestgrpcurl=10.83.12.79:9910 -taillogs -ingestauth=token,/tmp/token -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata -ingestexclude=/Sysdb/cell/1/agent,/Sysdb/cell/2/agent -ingestvrf=management
   no shutdown
or the equivalent using the new cv flags would be:
daemon TerminAttr
   exec /usr/bin/TerminAttr -cvaddr=10.83.12.79:9910 -taillogs -cvauth=token,/tmp/token -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata -ingestexclude=/Sysdb/cell/1/agent,/Sysdb/cell/2/agent -cvvrf=management
   no shutdown
b) via clear-text ingest key
daemon TerminAttr
   exec /usr/bin/TerminAttr -ingestgrpcurl=10.83.12.79:9910 -taillogs -ingestauth=key,mysecretkey -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata -ingestexclude=/Sysdb/cell/1/agent,/Sysdb/cell/2/agent -ingestvrf=management
   no shutdown
2) Streaming to CloudVision as a Service
daemon TerminAttr
   exec /usr/bin/TerminAttr -cvaddr=apiserver.arista.io:443 -cvcompression=gzip -cvvrf=management -taillogs -cvauth=token-secure,/tmp/cv-onboarding-token -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata -ingestexclude=/Sysdb/cell/1/agent,/Sysdb/cell/2/agent -cvproxy=http://10.83.12.78:3128
   no shutdown
Note that the -cvproxy flag can be used to stream EOS telemetry states to CloudVision as a Service through an HTTP proxy server.
3) Streaming to an on-prem instance and to CloudVision as a Service
daemon TerminAttr
   exec /usr/bin/TerminAttr -cvopt dublin.addr=10.83.12.79:9910 -cvopt dublin.auth=token,/tmp/onboardingtoken1 -cvopt cvaas.addr=apiserver.arista.io:443 -cvopt cvaas.auth=token-secure,/tmp/onboardingtoken2 -cvcompression=gzip -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata -ingestexclude=/Sysdb/cell/1/agent,/Sysdb/cell/2/agent -taillogs
   no shutdown
4) Streaming to 3rd party systems
daemon TerminAttr
   exec /usr/bin/TerminAttr -grpcaddr MGMT/0.0.0.0:6042 -certfile /persist/secure/ssl/telemetry/server.crt -keyfile /persist/secure/ssl/telemetry/server.key -clientcafile /persist/secure/ssl/telemetry/ca.crt -allowed_ips=10.83.12.78/32
   no shutdown
A few other examples can be found on EOS central:
https://eos.arista.com/streaming-eos-telemetry-states-to-elk-stack-using-openconfigbeat/
https://eos.arista.com/streaming-eos-telemetry-states-to-influxdb/
https://eos.arista.com/streaming-eos-telemetry-states-to-prometheus/
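
The flag semantics described above (deprecated ingest* names, -cvopt cluster.option=value with “primary” as the implicit cluster, the -cvauth schemes, -disableaaa and the gNMI listener flags) can be checked mechanically before a configlet is pushed. The following is an added example, not Arista code and not part of the original article; parse_exec, audit and the WEAK sample line are hypothetical names, and which settings are reported (for instance a non-loopback listener without -grpcreadonly) is a policy assumption of this example.

```python
import shlex

# Deprecated flags and their replacements, as listed on this page.
DEPRECATED = {"ingestgrpcurl": "cvaddr", "ingestauth": "cvauth", "ingestvrf": "cvvrf"}
BOOLEAN = {"taillogs", "disableaaa", "grpcreadonly", "cvgnmi", "enrollonly"}  # no value
# -cvauth schemes that get reported, worded after the page's own descriptions.
WEAK_AUTH = {"none": "no authentication", "none-tls": "TLS but no authentication",
             "key": "clear-text key in the daemon configuration"}

def parse_exec(line):
    """Return ({flag: value}, {cluster: {option: value}}) for one exec line."""
    tokens = shlex.split(line)
    i = tokens.index("/usr/bin/TerminAttr") + 1
    flags, clusters = {}, {}
    while i < len(tokens) and tokens[i].startswith("-"):
        name, sep, value = tokens[i].lstrip("-").partition("=")
        if not sep and name not in BOOLEAN:  # "-flag value": value is next token
            i += 1
            value = tokens[i]
        name = DEPRECATED.get(name, name)
        if name == "cvopt":  # -cvopt cluster.option=value
            target, _, optval = value.partition("=")
            cluster, _, option = target.partition(".")
            clusters.setdefault(cluster, {})[option] = optval
        elif name in ("cvaddr", "cvauth"):  # non-cvopt options mean "primary"
            clusters.setdefault("primary", {})[name[2:]] = value
        else:
            flags[name] = value
        i += 1
    return flags, clusters

def audit(line):
    """Return findings for one exec line (what is reported is an assumption)."""
    flags, clusters = parse_exec(line)
    on = lambda f: flags.get(f, "false") != "false"  # is a boolean flag set?
    findings = [f"{c}: {WEAK_AUTH[s]}" for c, o in sorted(clusters.items())
                if (s := o.get("auth", "").split(",")[0]) in WEAK_AUTH]
    if on("disableaaa"):
        findings.append("disableaaa: all AAA requests pass")
    listeners = flags.get("grpcaddr", "127.0.0.1:6042").split(",")
    if any(not a.split("/")[-1].startswith("127.") for a in listeners):
        if not flags.keys() >= {"certfile", "keyfile"}:
            findings.append("gnmi: non-loopback listener without -certfile/-keyfile")
        if not on("grpcreadonly"):
            findings.append("gnmi: gnmi.Set() enabled on non-loopback listener")
    return findings

# Constructed sample line (placeholder key), not taken from a real device.
WEAK = ("exec /usr/bin/TerminAttr -ingestauth=key,EXAMPLEKEY -cvopt lab.auth=none "
        "-disableaaa -grpcaddr=0.0.0.0:6042")
```

Run against the third-party streaming example above, audit() reports only the missing -grpcreadonly; the token-based CloudVision examples produce no findings.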