gNOI - OS v0.1.4

services

The OS service provides an interface for OS installation on a Target. The
Client progresses through 3 RPCs:
1) Installation - provide the Target with the OS package.
2) Activation - activate an installed OS package.
3) Verification - verify that the Activation was successful.

Dual Supervisor Target is supported, where the above process is executed once
for the whole Target or once for each Supervisor. Targets that require the
above process executed once per Supervisor will reply with the flag
Verify->VerifyResponse->individual_supervisor_install set to true.

Note that certain platforms may have particular approaches to upgrade the
firmware of specific components, eg., power supply units, etc.. In addition,
platforms may have processes to apply patches to the running OS. Handling
these exceptions introduces extra complexities. For Targets that implement
this service, component firmware upgrade or OS patching MUST be embedded
within an OS upgrade.

Method Name	Request / Response Type	Description
Install	InstallRequest stream InstallResponse stream	Install transfers an OS package into the Target. No concurrent Install RPCs MUST be allowed to the same Target. The OS package file format is platform dependent. The platform MUST validate that the OS package that is supplied is valid and bootable. This SHOULD include a hash check against a known good hash. It is recommended that the hash is embedded in the OS package. The Target manages its own persistent storage, and OS installation process. It stores a set of distinct OS packages, and always proactively frees up space for incoming new OS packages. It is guaranteed that the Target always has enough space for a valid incoming OS package. The currently running OS packages MUST never be removed. The Client MUST expect that the last successfully installed package is available. The Install RPC allows the Client to specify the OS package version. If the Target already has an OS package with the same version then there is no need to transfer the OS package to the Target. If the Target does not have an OS package with the same version, then the OS package is copied. Scenario 1 - When the Target already has the OS package: Client :--------------\|--------------> Target TransferRequest --> <-- [Validated\|InstallError] Scenario 2 - When the Target does not have the OS package: Client :--------------\|--------------> Target TransferRequest --> <-- [TransferReady\|InstallError] transfer_content --> ... <-- [TransferProgress\|InstallError] ... TransferEnd --> <-- [Validated\|InstallError] On a dual Supervisor Target which requires installing the entire system with one Install RPC, one Install RPC is sufficient to install the package on all Supervisors. On a dual Supervisor Target which requires one Install RPC per supervisor, the Install RPC applies to the Active Supervisor unless InstallRequest->TransferRequest->standby_supervisor is set, in which case it applies to the Standby Supervisor. The Target MUST accept any order of package installation. On a dual Supervisor Target which requires installing the entire system with one Install RPC, the package MUST be made available on all Supervisors or none. If upon installation the package is absent from either Supervisor, the Target will transfer to both Supervisors overwriting the existing one. On a dual Supervisor Target which requires one Install RPC per supervisor, the Target MUST always attempt to copy the OS package between Supervisors first before accepting the transfer from the Client. The syncing progress is reported to the client with InstallResponse->SyncProgress messages. If a switchover is triggered during the Install RPC, the RPC MUST immediately abort with Error->type->UNEXPECTED_SWITCHOVER. Scenario 3 - When both Supervisors already have the OS package, regardless of the value in Start.standby_supervisor: Client :--------------\|--------------> Target TransferRequest --> <-- [Validated\|InstallError] Scenario 4 - On a dual Supervisor Target which requires one Install RPC per supervisor, and when one of the Supervisors already has the OS package but the other Supervisor is the target of the Install: Client :--------------\|--------------> Target TransferRequest --> <-- [SyncProgress\|InstallError] ... <-- [Validated\|InstallError] Scenario 5 - When neither of the two Supervisors has the OS package: Client :--------------\|--------------> Target TransferRequest --> <-- [TransferReady\|InstallError] transfer_content --> ... <-- [TransferProgress\|InstallError] ... TransferEnd --> <-- [Validated\|InstallError]
Activate	ActivateRequest ActivateResponse	Activate sets the requested OS version as the version which is used at the next reboot, and reboots the Target if the 'no_reboot' flag is not set. When booting the requested OS version fails, the Target recovers by booting the previously running OS package.
Verify	VerifyRequest VerifyResponse	Verify checks the running OS version. During reboot, gRPC client returns the gRPC status code UNAVAILABLE while the Target is unreachable, which should be retried by the client until successful. After the Target becomes reachable, it should report all ready or error states normally through VerifyResponse. On a dual Supervisor system, if the Standby Supervisor is rebooting, it should be reported in the VerifyResponse via verify_standby as StandbyState UNAVAILABLE.

messages

ActivateError

Field	Type	Description
type	ActivateError.Type
detail	string

ActivateOK

If the Target is already running the requested version in ActivateRequest,
then it replies with ActivateOK. If the Target has the OS package version
requested in ActivateRequest then it replies with ActivateOK and proceeds to
boot.
A dual Supervisor Target which requires installing the entire system with
one Install RPC, will activate the image on all Supervisors in response to
one Activate RPC. The Target should activate the image on both Supervisors
with the least impact possible to forwarding.

On a dual Supervisor Target which requires one Install RPC per supervisor,
performing this RPC on the Active Supervisor triggers a switchover before
booting the (old)Active Supervisor. The Target should perform a switchover
with the least impact possible to forwarding.

Empty message

ActivateRequest

The ActivateRequest is sent by the Client to the Target to initiate a change
in the next bootable OS version that is to be used on the Target.
Dual Supervisor Target which requires installing the entire system with
one Install RPC MUST return NOT_SUPPORTED_ON_BACKUP error when requested
to Activate on standby Supervisor.

Field	Type	Description
version	string	The version that is required to be activated and optionally immediattely booted.
standby_supervisor	bool	For dual Supervisors setting this flag instructs the Target to perform the action on the Standby Supervisor.
no_reboot	bool	If set to 'False' the Target will initiate the reboot process immediatelly after changing the next bootable OS version. If set to 'True' a separate action to reboot the Target and start using the activated OS version is required. This action CAN be executing the gNOI.system.Reboot() RPC.

ActivateResponse

The ActivateResponse is sent from the Target to the Client in response to the
Activate RPC. It indicates the success of making the OS package version
active.

Field	Type	Description
response (one of)
activate_ok	ActivateOK
activate_error	ActivateError

InstallError

The InstallError message MUST be sent by the Target to the Client whenever an
issue occurs. The Target MUST immediately close the RPC without a gRPC error.

Field	Type	Description
type	InstallError.Type
detail	string

InstallRequest

Field	Type	Description
request (one of)
transfer_request	TransferRequest
transfer_content	bytes
transfer_end	TransferEnd

InstallResponse

The InstallResponse is used by the Target to inform the Client about the
state of the Install RPC. At any stage of the process the Target can reply
with an Error message which MUST terminate the stream.
A dual Supervisor Target which requires installing the entire system with
one Install RPC, will either have the image on both Supervisors or neither
Supervisor. Such Targets do not need to sync the image from peer Supervisor
and MUST immediately respond with TransferReady.

Field	Type	Description
response (one of)
transfer_ready	TransferReady
transfer_progress	TransferProgress
sync_progress	SyncProgress
validated	Validated
install_error	InstallError

StandbyResponse

Field	Type	Description
id	string	Standby Supervisor ID, usually the slot number.
version	string
activation_fail_message	string

StandbyState

Field	Type	Description
state	StandbyState.State

SyncProgress

The SyncProgress message signals the Client about the progress of
transferring the OS package between Supervisors.
A dual Supervisor Target which requires installing the entire system with
one Install RPC, does not need to transfer the package between Supervisors
and MUST not send SyncProgress.

Field	Type	Description
percentage_transferred	uint32	The percentage that has transferred between Supervisors.

TransferEnd

The TransferEnd message is sent whenever the Client finishes transferring
the OS package to the Target. At this point the Target MUST perform a general
health check to the OS package. If the Target fails to parse the OS package
it MUST immediately reply with an InstallError->type->PARSE_FAIL. If the
integrity check of the OS package fails it MUST immediately reply with an
InstallError->type->INTEGRITY_FAIL. If the identified OS version contained in
the package is not compatible with the Target either because of the platform
type or the running OS, it MUST immediately reply with an
InstallError->type->INCOMPATIBLE. If the image is force transferred by
omitting the InstallRequest->TransferRequest->version value, and the OS
package is the same as the one running in the Target, the RPC MUST
immediately abort and reply with an InstallError->type->INSTALL_RUN_PACKAGE.

Empty message

TransferProgress

The TransferProgress message is sent by the target asynchronously during a
file transfer. The device SHOULD not respond to each input block received
from the client, but rather determine reasonable intervals at which to send
the message (e.g., 5MB).

Field	Type	Description
bytes_received	uint64	The number of bytes transferred.

TransferReady

The TransferReady message tells the Client that the Target is ready to accept
the transfer of the OS package. At this stage the Target MUST have cleared
enough space to accept the incoming OS package.

Empty message

TransferRequest

Field	Type	Description
version	string	The version string is a vendor defined string that identifies the OS version. It is provided by the vendor and embedded in the OS package. This value states the desired OS package version to transfer to the Target. If the Target already has the OS package version it will reply with InstallResponse->Validated. In the case that the target is a single Supervisor device, or the partner Supervisor does not have the OS image specified, it will respond with InstallResponse->TransferReady. In this case, the client MUST subsequently transfer the image. In the case that the image is available on the peer Supervisor of a dual Supervisor system, it will respond with InstallResponse->SyncProgress. In this, latter, case - the client does not need to transfer the OS image. This value can also be set empty, in which case the OS package is forced transferred to the Target. The Target MUST never validate that this value matches the one in the InstallResponse->Validated message, that is the Client's responsibility. A dual Supervisor Target which requires installing the entire system with one Install RPC, will either have the image on both Supervisors or neither Supervisor. Such Targets do not need to sync the image from peer Supervisor and MUST immediately respond with TransferReady
standby_supervisor	bool	For a Target with dual Supervisors setting this flag instructs the Target to perform the action on the Standby Supervisor. A dual Supervisor Target which requires installing the entire system with one Install RPC MUST return an error code of NOT_SUPPORTED_ON_BACKUP if requested to install on standby only.
package_size	uint64	Optionally specify the package size in bytes of the OS package being transferred. If 1) the value is different than 0 and 2) the required space in the Target is larger than the available space and 3) the Target is unable to release space for the incoming OS package, then the Target must reply with InstallError->Type->TOO_LARGE.

Validated

The Validated message asserts that the Target was able to parse the package
and perform integrity checks to its contents.

Field	Type	Description
version	string	The OS version string that identifies the OS version in the OS package.
description	string	Informational field that SHOULD be used for providing more details about the OS package and its version. This MUST be strictly informational if used, and can contain information such as build date, target platform, developer, etc.

VerifyRequest

Empty message

VerifyResponse

Field	Type	Description
version	string	The OS version currently running.
activation_fail_message	string	Informational message describing fail details of the last boot. This MUST be set when a newly transferred OS fails to boot and the system falls back to the previously running OS version. It MUST be cleared whenever the systems successfully boots the activated OS version.
verify_standby	VerifyStandby
individual_supervisor_install	bool	Dual Supervisor Targets that require the Install/Activate/Verify process executed once per supervisor reply with individual_supervisor_install set to true

VerifyStandby

Field	Type	Description
state (one of)
standby_state	StandbyState	Standby state indicates problems with the standby.
verify_response	StandbyResponse	Standby response indicates that the standby is present and ready.

types

messages

Credentials

Credentials defines credentials needed to perform authentication on a device.

Field	Type	Description
username	string
password (one of)
cleartext	string
hashed	HashType

HashType

HashType defines the valid hash methods for data verification. UNSPECIFIED
should be treated an error.

Field	Type	Description
method	HashType.HashMethod
hash	bytes

Path

Path encodes a data tree path as a series of repeated strings, with
each element of the path representing a data tree node name and the
associated attributes.
Reference: gNMI Specification Section 2.2.2.

Field	Type	Description
origin	string	Label to disambiguate path.
elem (repeated)	PathElem	Elements of the path.

PathElem

PathElem encodes an element of a gNMI path, along with any attributes (keys)
that may be associated with it.
Reference: gNMI Specification Section 2.2.2.

Field	Type	Description
name	string	The name of the element in the path.
key (repeated)	PathElem.KeyEntry	Map of key (attribute) name to value.

PathElem.KeyEntry

Field	Type	Description
key	string
value	string

enums

HashType.HashMethod

Name	Number	Description
UNSPECIFIED	0
SHA256	1
SHA512	2
MD5	3

L3Protocol

Generic Layer 3 Protocol enumeration.

Name	Number	Description
UNSPECIFIED	0
IPV4	1
IPV6	2

extensions

.google.protobuf.FileOptions.gnoi_version

The gNOI service semantic version.

Extension	Type	Base	Number	Description
gnoi_version	string	.google.protobuf.FileOptions	1002	The gNOI service semantic version.

Scalar Value Types

Proto Type	Notes	C++	Java	Python	Go	C#	PHP	Ruby
double		double	double	float	float64	double	float	Float
float		float	float	float	float32	float	float	Float
int32	Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead.	int32	int	int	int32	int	integer	Bignum or Fixnum (as required)
int64	Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead.	int64	long	int/long	int64	long	integer/string	Bignum
uint32	Uses variable-length encoding.	uint32	int	int/long	uint32	uint	integer	Bignum or Fixnum (as required)
uint64	Uses variable-length encoding.	uint64	long	int/long	uint64	ulong	integer/string	Bignum or Fixnum (as required)
sint32	Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s.	int32	int	int	int32	int	integer	Bignum or Fixnum (as required)
sint64	Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s.	int64	long	int/long	int64	long	integer/string	Bignum
fixed32	Always four bytes. More efficient than uint32 if values are often greater than 2^28.	uint32	int	int	uint32	uint	integer	Bignum or Fixnum (as required)
fixed64	Always eight bytes. More efficient than uint64 if values are often greater than 2^56.	uint64	long	int/long	uint64	ulong	integer/string	Bignum
sfixed32	Always four bytes.	int32	int	int	int32	int	integer	Bignum or Fixnum (as required)
sfixed64	Always eight bytes.	int64	long	int/long	int64	long	integer/string	Bignum
bool		bool	boolean	boolean	bool	bool	boolean	TrueClass/FalseClass
string	A string must always contain UTF-8 encoded or 7-bit ASCII text.	string	String	str/unicode	string	string	string	String (UTF-8)
bytes	May contain any arbitrary sequence of bytes.	string	ByteString	str	[]byte	ByteString	string	String (ASCII-8BIT)

Created by Siva Sivakumar / Roman Dodin / srl-labs