TerminAttr most commonly used flags and sample configurations

 
 

TerminAttr is the EOS state streaming telemetry agent. It runs as a single binary and can stream to both CloudVision and 3rd party applications using gNMI. It has been bundled with every EOS release from 4.17.0F and above, and it is also available as a SWIX extension, which can be used to upgrade TerminAttr to the latest version. It is recommended to check the release notes for the latest recommended stable version and for compatibility between EOS releases. As the release notes say, the minimum supported TerminAttr version on each EOS release is the one that comes pre-bundled with it, which can be checked with the ‘show version detail’ command.

Note: TerminAttr will only show up in the ‘show extensions’ output if it was installed as a SWIX extension.

TerminAttr flags

These are the most commonly used flags, and the ones the telemetry configlet builder uses when generating the TerminAttr configuration:

-allowed_ips value

          Comma-separated list of allowed clients of form IP Address/Mask (default 127.0.0.1/32). This applies to TerminAttr’s gNMI server and can be used in EOS-PDP releases where only Service ACLs are allowed and there is no control-plane ACL.

-certfile string

         Path to TLS certificate file for use by the gNMI server

-clientcafile string

         Root certificate authority for gNMI client certificate authentication (disables username/password authentication)

-controllerdbhost string

         Address or socket of Controllerdb host. (default “@/Arista/controllerdb”)

-controllerdbnetwork string

         Type of socket used to connect to Controllerdb (default “unix”)

-counters value

         Interval at which to scrape interface counters (0 to disable) (default 2s). This only applies on EOS versions before 4.20.

-cpu_counters_expiration value

         Interval (in seconds) at which to scrape CPU queue counters via eAPI (0 to disable). The minimum interval is one minute by default, or two minutes if running_config_expiration is also set.

-cvaddr value

         Address of the gRPC CloudVision. Possible formats:

                  addr: single target

                  addr1,addr2,addr3: load-balancing among all targets (multinode cluster members)

                  dns://addr[/?interval=interval]: all IPs for addr

-cvauth value

         Authentication scheme used to connect to CloudVision. Possible values

                  none: no authentication

                  none-tls[,{caFile}]: no authentication, TLS encryption

                  certs,{certFile},{keyFile}[,{caFile}]: client-side certificate

                  token,{tokenFile}: client-side certificate with token-based enrollment

                  token-secure,{tokenFile}[,{caFile}]: client-side certificate with token-based enrollment, with initial connection verified using TLS. Uses OS default CA for verification if caFile is not given.

                  key,{key}[,{caFile}]: Metadata key authentication with TLS encryption

-cvcompression string

         Compression scheme when streaming to CloudVision. Use one of the following values to override automatic behavior:

                  none: no compression

                  gzip: GZIP compression

Note that compression is enabled by default since TerminAttr 1.6.1 and CVP 2019.1.0 and it’s redundant to specify it in the daemon configuration.

-cvgnmi

         Stream state from EOS GNMI servers to CloudVision

-cvobscurekeyfile

         Encrypt the private key used for authentication to CloudVision

-cvopt cluster.option=value

         Set options for streaming to additional CloudVision clusters. Each cluster needs a unique name. “primary” is reserved for the main CloudVision cluster and non-cvopt CloudVision options always apply to the “primary” cluster.

         Format: -cvopt cluster.option=value

         Options:

                  addr: see -cvaddr

                  auth: see -cvauth

                  sourceip: see -cvsourceip

                  vrf: see -cvvrf

                  obscurekeyfile: see -cvobscurekeyfile

         Example, configure a primary cluster and secondary cluster foo:

                  -cvaddr=10.1.0.1:1234 -cvauth=none -cvopt foo.addr=1.2.3.4:5678 -cvopt foo.auth=none

         Equivalently:

                  -cvopt primary.addr=10.1.0.1:1234 -cvopt primary.auth=none -cvopt foo.addr=1.2.3.4:5678 -cvopt foo.auth=none

         The cluster names can be arbitrary, so the following is also equivalent:

                  -cvopt alpha.addr=10.1.0.1:1234 -cvopt alpha.auth=none -cvopt beta.addr=1.2.3.4:5678 -cvopt beta.auth=none

         More details can be found in https://eos.arista.com/sending-telemetry-data-from-terminattr-to-multiple-cvp-instances/

-cvsourceip string

         ip[:port] to use as source address when connecting to CloudVision using in-band management

-cvvrf string

         Name of the VRF to use to connect to CloudVision

-disableaaa

         Disable AAA checking – all AAA requests pass

Note: Starting from TerminAttr 1.8.2, disableaaa can be used to disable authentication and authorization when performing eAPI-over-TerminAttr requests, also known as the Advanced login option for device provisioning in the CloudVision settings. In earlier releases, AAA could only be disabled for gNMI requests by gNMI clients (e.g. ocprometheus, ockafka, etc.)

This is useful when the AAA server denies authorization requests that are not preceded by authentication requests (see https://eos.arista.com/toi/cvp-2018-2-3/#one-time-passwords), or when enable secrets are used, as enable secrets are only supported with CloudVision when the password is the same as the password of the UI user that is attempting to make configuration changes to the device (see https://www.arista.com/en/cg-cv/cv-limitations).

-ecodhcpaddr string

         ECO DHCP Collector address or ECO DHCP Fingerprint listening address in standalone mode (default “127.0.0.1:67”)

Note that this flag is enabled by default and does not have to be added to the daemon configuration.

-enrollonly

         Enroll and exit

-grpcaddr string

         VRFs and addresses to listen on to serve data using the gNMI interface.

                  The expected form is [<vrf-name>/]address:port[,[<vrf-name>/]address:port]+ (default “127.0.0.1:6042”)

-grpcreadonly

         gNMI read-only mode – Disable gnmi.Set()

-ingestauth value

         [Deprecated: use -cvauth instead] Authentication scheme used to connect to CloudVision. Possible values

                  none: no authentication

                  none-tls[,{caFile}]: no authentication, TLS encryption

                  certs,{certFile},{keyFile}[,{caFile}]: client-side certificate

                  token,{tokenFile}: client-side certificate with token-based enrollment

                  token-secure,{tokenFile}[,{caFile}]: client-side certificate with token-based enrollment, with initial connection verified using TLS. Uses OS default CA for verification if caFile is not given.

                  key,{key}[,{caFile}]: Metadata key authentication with TLS encryption

-ingestexclude string

                  Comma separated list of path prefixes to not stream (disallowlist, applied after -ingestfilter’s allowlist)

-ingestgrpcurl value

                  [Deprecated: use -cvaddr instead] URL of the gRPC Ingest Gateway. Possible formats:

                                    addr: single target

                                    addr1,addr2/addr3,…: load-balancing among all targets (clusters delimited by /)

                                    dns://addr: all IPs for addr

-ingestvrf string

                  [Deprecated: use -cvvrf instead] Name of the VRF to use to connect to the Ingest Gateway

-ipfix

                Enable IPFIX provider (default true)

Note that this flag is enabled by default and does not have to be added to the daemon configuration.

-ipfixaddr string

                  ECO IPFIX Collector address to listen on to receive IPFIX packets (default “127.0.0.1:4739”)

Note that this flag is enabled by default and does not have to be added to the daemon configuration.

-ipfixdomain string

                  ECO IPFIX domain name (default “default”)

-keyfile string

                  Path to TLS private key file for use by the gNMI server

-lanzaddr string

                  LANZ streaming server address (default “127.0.0.1:50001”)

-memmode_force string

                  Force a memory savings mode, leave unset for automatic behavior.

                  Options are “normal”, “low”, or “idle”.

-restaddr string

                  VRF and address to listen to for TerminAttr’s REST/debugging/expvar/pprof server.

                                    The expected form is [<vrf-name>/]address:port (default “127.0.0.1:6060”)

Note that this flag is enabled by default and does not have to be added to the daemon configuration. It is useful for troubleshooting state changes in EOS, e.g. to check interface counters we can run the following command in bash: curl localhost:6060/rest/Smash/counters/ethIntf/SandCounters/current

-sflow

                  Enable sFlow provider (default true)

Note that this flag is enabled by default and does not have to be added to the daemon configuration.

-sflowaddr string

                  ECO sFlow Collector address to listen on to receive sFlow packets (default “127.0.0.1:6343”)

Note that this flag is enabled by default and does not have to be added to the daemon configuration.

-sflowdomain string

                  ECO sFlow domain name (default “default”)

-smashexcludes string

                  Comma separated list of Smash tables to ignore (default: none, applied after -smashincludes’ allowlist)

                  The default list excludes the following tables: -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata

                  If other tables are to be excluded, they can be added to that list, e.g. if we want to exclude streaming the routing table or VXLAN counters the flag would look like this: -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata,routing,vxlan/counter

                  To see the full list of Smash tables, run bash smash -p

-smashincludes string

                  Comma separated list of Smash tables to mount (default: mount all)

-sysdbexcludes string

                  Comma separated list of paths to ignore. Each path must be to a non-instantiating attribute.

-taillogs

                  Enable log file collection

-tridentmmuperiod duration

                  Interval at which to collect Trident2 MMU data (defaults to 0, which means disabled)

-v value

                  log level for V logs

-version

                  Print the version number

-vmodule value

                  comma-separated list of pattern=N settings for file-filtered logging (e.g. -vmodule=provider=4)

-voqCounters value

                  Interval in seconds at which to scrape VOQ counters (2 seconds recommended)

-cvproxy

                Proxy server through which CloudVision is reachable. Useful when the CloudVision server is hosted in the cloud. The expected form is [http(s)://]address:port, e.g.: -cvproxy=http://10.83.12.78:3128

                Available as of TerminAttr v1.13.0

Note that the ingestgrpcurl, ingestauth and ingestvrf flags are marked as deprecated, but will still be supported for a few releases.

For more flags use the TerminAttr --help command in bash.

TerminAttr configuration examples

When building the TerminAttr daemon configuration, it is highly recommended to use the built-in configlet builders, usually called SYS_TelemetryBuilderX, on CloudVision on-prem, or to follow the instructions shown after clicking the Add device button on CloudVision as a Service.

1) Streaming to CloudVision on-prem

When streaming to CloudVision on-prem there are two main ways to authenticate:

a) via certs, introduced in CloudVision 2019.1.0, also described in the Config guide (recommended approach)

 

daemon TerminAttr

   exec /usr/bin/TerminAttr -ingestgrpcurl=10.83.12.79:9910 -taillogs -ingestauth=token,/tmp/token -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata -ingestexclude=/Sysdb/cell/1/agent,/Sysdb/cell/2/agent -ingestvrf=management

   no shutdown

 

or the equivalent using the new cv flags would be:

 

daemon TerminAttr

   exec /usr/bin/TerminAttr -cvaddr=10.83.12.79:9910 -taillogs -cvauth=token,/tmp/token -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata -ingestexclude=/Sysdb/cell/1/agent,/Sysdb/cell/2/agent -cvvrf=management

   no shutdown

 

b) via clear-text ingest key

 

daemon TerminAttr

   exec /usr/bin/TerminAttr -ingestgrpcurl=10.83.12.79:9910 -taillogs -ingestauth=key,mysecretkey -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata -ingestexclude=/Sysdb/cell/1/agent,/Sysdb/cell/2/agent -ingestvrf=management

   no shutdown

 

2) Streaming to CloudVision as a Service

 

daemon TerminAttr

   exec /usr/bin/TerminAttr -cvaddr=apiserver.arista.io:443 -cvcompression=gzip -cvvrf=management -taillogs -cvauth=token-secure,/tmp/cv-onboarding-token -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata -ingestexclude=/Sysdb/cell/1/agent,/Sysdb/cell/2/agent -cvproxy=http://10.83.12.78:3128

   no shutdown

 

Note that the -cvproxy flag can be used to stream EOS telemetry states to CloudVision as a Service through an HTTP proxy server.

3) Streaming to an on-prem instance and to CloudVision as a Service

 

daemon TerminAttr

   exec /usr/bin/TerminAttr -cvopt dublin.addr=10.83.12.79:9910 -cvopt dublin.auth=token,/tmp/onboardingtoken1 -cvopt cvaas.addr=apiserver.arista.io:443 -cvopt cvaas.auth=token-secure,/tmp/onboardingtoken2 -cvcompression=gzip -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata -ingestexclude=/Sysdb/cell/1/agent,/Sysdb/cell/2/agent -taillogs

   no shutdown

 

4) Streaming to 3rd party systems

 

daemon TerminAttr

   exec /usr/bin/TerminAttr -grpcaddr MGMT/0.0.0.0:6042 -certfile /persist/secure/ssl/telemetry/server.crt -keyfile /persist/secure/ssl/telemetry/server.key -clientcafile /persist/secure/ssl/telemetry/ca.crt -allowed_ips=10.83.12.78/32

   no shutdown

 

A few other examples can be found on EOS central:

https://eos.arista.com/streaming-eos-telemetry-states-to-elk-stack-using-openconfigbeat/

https://eos.arista.com/streaming-eos-telemetry-states-to-influxdb/

https://eos.arista.com/streaming-eos-telemetry-states-to-prometheus/
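
The following is an added example, not part of the original article and not Arista tooling: a Python review script that parses a daemon TerminAttr exec line and reports the security-relevant settings described in the flag list (unauthenticated or clear-text-key CloudVision clusters including those set with -cvopt, -disableaaa, deprecated ingest flags, and a non-loopback gNMI listener without TLS or read-only mode). The function names, the finding wording and the choice of what to flag are assumptions of this example; it also assumes the line contains the /usr/bin/TerminAttr path.

```python
import shlex

# Added example: flag names are from the page; the findings are this script's reading.
BOOL_FLAGS = {"cvgnmi", "cvobscurekeyfile", "disableaaa", "enrollonly",
              "grpcreadonly", "ipfix", "sflow", "taillogs", "version"}
DEPRECATED = {"ingestgrpcurl": "cvaddr", "ingestauth": "cvauth", "ingestvrf": "cvvrf"}
WEAK_AUTH = {"none": "no authentication", "none-tls": "no authentication",
             "key": "clear-text key in the configuration"}

def parse_exec(line):
    """Return {flag: [values]}; accepts '-flag=value' and '-flag value'."""
    flags = {}
    tokens = iter(shlex.split(line.split("/usr/bin/TerminAttr", 1)[1]))
    for token in tokens:
        name, eq, value = token.lstrip("-").partition("=")
        if not eq and name not in BOOL_FLAGS:
            value = next(tokens, "")
        flags.setdefault(name, []).append(value)
    return flags

def is_loopback(listener):
    """listener is [<vrf-name>/]address:port; only literal loopback hosts pass."""
    host = listener.rpartition("/")[2].rsplit(":", 1)[0].strip("[]")
    return host.startswith("127.") or host in ("::1", "localhost")

def audit(line):
    flags, out = parse_exec(line), []
    out += [f"-{o} is deprecated, use -{n}" for o, n in DEPRECATED.items() if o in flags]
    # -cvauth/-ingestauth configure the cluster named "primary".
    auths = [("primary", v) for v in flags.get("cvauth", []) + flags.get("ingestauth", [])]
    for opt in flags.get("cvopt", []):
        key, _, value = opt.partition("=")
        if key.endswith(".auth"):
            auths.append((key[:-5], value))
    for cluster, value in auths:
        if value.split(",")[0] in WEAK_AUTH:
            out.append(f"{cluster}: {WEAK_AUTH[value.split(',')[0]]}")
    if "disableaaa" in flags:
        out.append("-disableaaa: all AAA requests pass")
    exposed = [a for v in flags.get("grpcaddr", []) for a in v.split(",") if not is_loopback(a)]
    if exposed and not {"certfile", "keyfile"} <= flags.keys():
        out.append("gNMI listener exposed without -certfile/-keyfile")
    if exposed and "grpcreadonly" not in flags:
        out.append("gNMI listener exposed with gnmi.Set() enabled")
    return out

SAMPLE = ("exec /usr/bin/TerminAttr -cvopt lab.addr=192.0.2.10:9910 -cvopt lab.auth=none "
          "-ingestvrf=management -grpcaddr MGMT/0.0.0.0:6042 -disableaaa")  # constructed sample
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against the article's own examples, the token-based configurations produce no findings, while the clear-text key example reports the key and the three deprecated ingest flags.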

 
