Nmstate

A Declarative API for Host Network Management

View on GitHub

Introduction

This document holds all the API detail of the libnmstate Python module. For rust crate API, please refer to our doc in docs.rs

For quick start, you may refer to Python code examples

The libnmstate package exposes the following API::

All constants and functions are available since version 1.0.0 unless state explicitly.

Besides using python dictionary with constants in libnmstate.schema as desire state for libnmstate.apply(), you may also use yaml.load() or json.loads() to convert desire state from YAML/JSON to dictionary libnmstate.apply() needs. Please use YAML API document if you prefer do show/apply the state in YAML format.

Query network state

Example of querying network state:

import json
import libnmstate
from libnmstate.schema import Interface

net_state = libnmstate.show()
for iface_state in net_state[Interface.KEY]:
    print(iface_state[Interface.NAME])

Apply network state

Nmstate supports partial editing, only the specified data is changed, the unspecified data is preserved/untouched. Some properties(e.g. InterfaceIPv4.ADDRESS ) do not support partial editing, please refer to their document for detail.

Example of changing eth1 MTU to 1460:

import libnmstate
from libnmstate.schema import Interface

libnmstate.apply({
    Interface.KEY: [
        {
            Interface.NAME: 'eth1',
            Interface.MTU: 1460
        }
    ]
})

Change Network State with Manual Transaction Control

Error handling

NmstateError

All the exceptions are stored in libnmstate.error and are all is inherited from NmstateError.

NmstateDependencyError

Nmstate requires external tools installed and/or started for desired state.

NmstateValueError

Exception happens at pre-apply check, user should resubmit the amended desired state. Example: * JSON/YAML syntax issue. * Nmstate schema issue. * Invalid value of desired property, like bond missing port.

NmstatePermissionError

Permission deny when applying the desired state.

NmstateConflictError

An existing Nmstate transaction is in progress.

NmstateLibnmError

Exception for unexpected NetworkManager libnm failure.

NmstateVerificationError

After applied desired state, the desired state does not match the refreshed current state.

NmstateNotImplementedError

Desired feature is not supported by Nmstate yet.

NmstateInternalError

Unexpected behaviour happened. It is a bug of libnmstate which should be fixed.

NmstateNotSupportedError

A resource like a device does not support the requested feature.

NmstateTimeoutError

The transaction execution timed out.

NmstatePluginError

Unexpected plugin behaviour happens, it is a bug of the plugin.

Schema

The YAML schema file is placed at libnmstate/schemas/operational-state.yaml.

In stead of using hard coded string, please use constants defined in libnmstate.schema.

Network State Main layout

The network state is represented in a dictionary:

from libnmstate.schema import Interface
from libnmstate.schema import Route
from libnmstate.schema import DNS

network_state = {
    DNS.KEY: {},            # Check section of 'DNS'
    Route.KEY: {},          # Check section of 'Route'
    Interface.KEY: [],      # Check section of 'Interface -- Basic'
}

Basic Interface

An interface represents a hardware or software network interface. Each interface has these basic properties represented as a dictionary.

Basic Interface: Example

{
    Interface.NAME: 'eth1',
    Interface.STATE: InterfaceState.UP,
    Interface.TYPE: InterfaceType.ETHERNET,
    Interface.IPV4: {
        InterfaceIPv4.ENABLED: True,
        InterfaceIPv4.DHCP: False,
        InterfaceIPv4.ADDRESS: [
            {
                InterfaceIPv4.ADDRESS_IP: '192.0.2.251',
                InterfaceIPv4.ADDRESS_PREFIX_LENGTH: 24,
            }
        ],
    },
    Interface.IPV6: {
        InterfaceIPv6.ENABLED: True,
        InterfaceIPv6.DHCP: True,
        InterfaceIPv6.AUTOCONF: True,
        InterfaceIPv6.AUTO_DNS: True,
        InterfaceIPv6.AUTO_GATEWAY: True,
        InterfaceIPv6.AUTO_ROUTES: True,
        InterfaceIPv6.ADDRESS: [],
    }
}

Interface.NAME

The kernel name of the interface.

Type: string

Interface.TYPE

The interface type.

Type: string

Possible values:

Interface.STATE

The interface state.

Type: string

Possible values:

Interface.MTU

The maximum transmission unit of interface.

Type: interger

Interface.MIN_MTU

The minimum MTU supported by specified interface. This is a query only property and will be ignored when applying.

Type: integer

Interface.MAX_MTU

The maximum MTU supported by specified interface. This is a query only property and will be ignored when applying.

Type: integer

Interface.MAC

The MAC address of interface.

Type: String in the format of EA:60:E4:08:17:F1. Case insensitive.

Interface.COPY_MAC_FROM

New in 1.0.2.

Only valid for InterfaceType.BOND, InterfaceType.LINUX_BRIDGE and InterfaceType.OVS_INTERFACE. The Interface.COPY_MAC_FROM could hold the name of port which you want this controller interface to use the same MAC with.

The MAC address is read from permanent hardware MAC address and fallback to current MAC address.

For example, below yaml state will create/change linux bridge br0 to use the MAC address of eth2.

---
interfaces:
  - name: br0
    type: linux-bridge
    state: up
    copy-mac-from: eth2
    bridge:
      port:
      - name: eth2
      - name: eth1

Interface.DESCRIPTION

The description of the interface.

Type: String

InterfaceIP

The InterfaceIP class is holding the share constants between InterfaceIPv4 and InterfaceIPv6:

Interface.IPV4

The Interface.IPV4 property holds the IPv4 stack information in a dictionary.

Example:

{
    Interface.IPV4: {
        InterfaceIPv4.ENABLED: True,
        InterfaceIPv4.DHCP: True,
        InterfaceIPv4.ADDRESS: [],
        InterfaceIPv4.AUTO_DNS: True,
        InterfaceIPv4.AUTO_GATEWAY: True,
        InterfaceIPv4.AUTO_ROUTES: True,
        InterfaceIPv4.AUTO_ROUTE_TABLE_ID: 100,
    }
}

InterfaceIPv4.ENABLED

Type: bool

Possible values:

When applying network state with IPv4 disabled, all the remaining IPv4 configurations are ignored.

When showing the network state, if IPv4 is disabled, all the remaining properties are excluded in returned network state.

InterfaceIPv4.DHCP

Type: bool

Possible values:

InterfaceIPv4.AUTO_ROUTES

Type: bool

Possible values:

This property only shows when Interface.IPV4[InterfaceIPv4.DHCP] is True when querying.

This property is ignored when Interface.IPV4[InterfaceIPv4.DHCP] is False when applying.

InterfaceIPv4.AUTO_GATEWAY

Type: bool

Possible values:

This property only shows when Interface.IPV4[InterfaceIPv4.DHCP] is True when querying.

This property is ignored when Interface.IPV4[InterfaceIPv4.DHCP] is False when applying.

InterfaceIPv4.AUTO_DNS

Type: bool

Possible values:

This property only shows when Interface.IPV4[InterfaceIPv4.DHCP] is True when querying.

This property is ignored when Interface.IPV4[InterfaceIPv4.DHCP] is False when applying.

InterfaceIPv4.AUTO_ROUTE_TABLE_ID

The table where the route will be configured when InterfaceIPv4.AUTO_ROUTES is enabled.

Type: integer

InterfaceIPv4.AUTO_ROUTE_METRIC

New in 1.4 and 2.2.

The metric number assigned to routes retried from DHCPv4 or IPv6 autoconf.

Type: integer

InterfaceIPv4.ADDRESS

The static IPv4 addresses. This property does not support partial editing, the full list of IP addresses is required in desired state.

Type: array of dictionary.

When Interface.IPV4[InterfaceIPv4.DHCP] is set to True, the address defined in this property is also ignored.

Example:

InterfaceIPv4.ADDRESS: [
    {
        InterfaceIPv4.ADDRESS_IP: '192.0.2.251',
        InterfaceIPv4.ADDRESS_PREFIX_LENGTH: 24,
    }
]

InterfaceIPv4.ADDRESS_IP

The static IPv4 address.

Type: string

Format: 192.0.2.251

InterfaceIPv4.ADDRESS_PREFIX_LENGTH

The prefix length of static IPv4 address.

Type: interger.

Interface.IPV6

The Interface.IPV6 property holds the IPv6 stack information in a dictionary.

Example:

{
    Interface.IPV6: {
        InterfaceIPv6.ENABLED: True,
        InterfaceIPv6.DHCP: True,
        InterfaceIPv6.ADDRESS: [],
        InterfaceIPv6.AUTO_DNS: True,
        InterfaceIPv6.AUTO_GATEWAY: True,
        InterfaceIPv6.AUTO_ROUTES: True,
        InterfaceIPv6.AUTO_ROUTE_TABLE_ID: 100,
    }
}

InterfaceIPv6.ENABLED

Type: bool

Possible values:

When applying network state with IPv6 disabled, all the remaining IPv6 configurations are ignored.

When showing network state, if IPv6 is disabled, all the remaining properties are excluded in the returned network state.

InterfaceIPv6.DHCP

Type: bool

Possible values:

InterfaceIPv6.AUTOCONF

Type: bool

Possible values:

InterfaceIPv6.AUTO_ROUTES

Type: bool

Possible values:

InterfaceIPv6.AUTO_GATEWAY

Type: bool

Possible values:

InterfaceIPv6.AUTO_DNS

Type: bool

Possible values:

InterfaceIPv6.AUTO_ROUTE_TABLE_ID

The table where the route will be configured when InterfaceIPv6.AUTO_ROUTES is enabled.

Type: integer

InterfaceIPv6.AUTO_ROUTE_METRIC

New in 1.4 and 2.2.

The metric number assigned to routes retried from DHCPv4 or IPv6 autoconf.

Type: integer

InterfaceIPv6.ADDRESS

The static IPv6 addresses. This property does not support partial editing, the full list of IP addresses is required in desired state.

Type: array of dictionary.

When Interface.IPV6[InterfaceIPv6.DHCP] or Interface.IPV6[InterfaceIPv6.AUTOCONF] is set to True, the address defined in this property is also ignored.

Example:

InterfaceIPv6.ADDRESS: [
    {
        InterfaceIPv6.ADDRESS_IP: '2001:db8:1::f',
        InterfaceIPv6.ADDRESS_PREFIX_LENGTH: 64,
    }
]

InterfaceIPv6.ADDRESS_IP

The static IPv6 address.

Type: string

Format: 2001:db8:1::f

InterfaceIPv6.ADDRESS_PREFIX_LENGTH

The prefix length of static IPv6 address.

Type: interger.

Ethernet

Besides basic interface properties, each Ethernet interface state also contains a dictionary saved in key Ethernet.CONFIG_SUBTREE.

For virtual interface like virtio_net or veth, there is no Ethernet.CONFIG_SUBTREE.

Example:

{
    Interface.KEY: [
        {
            Interface.NAME: "eth1",
            Interface.TYPE: InterfaceType.ETHERNET,
            Interface.STATE: InterfaceState.UP,
            Ethernet.CONFIG_SUBTREE: {
                Ethernet.AUTO_NEGOTIATION: True,
                Ethernet.DUPLEX: Ethernet.FULL_DUPLEX,
                Ethernet.SPEED: 1000
            }
        }
    ]
}

Interface.ACCEPT_ALL_MAC_ADDRESSES

Type: bool

The Interface.ACCEPT_ALL_MAC_ADDRESSES causes the kernel to accept ethernet packages even its destination MAC address is not for current interface.

Interface.WAIT_IP

Type: string

The Interface.WAIT_IPproperty defines which IP stack should network backend wait before considering the interface activation finished.

It supports these values: any, ipv4, ipv6 and ipv4+ipv6. For more details please check the YAML API documentation

Interface.CONTROLLER

Type: string

The Interface.CONTROLLER property defines the controller of the specified interface. This property is hidden when querying and only used for controller attaching and detaching. Setting as empty means deatching from current controller.

Interface.PROFILE_NAME

Type: string

The profile name used by network backed.

Interface.IDENTIFIER

Type: string

The Interface.IDENTIFIER property is only valid for applying or generating configurations. The valid values are: Interface.IDENTIFIER_NAME or Interface.IDENTIFIER_MAC. For further information, please read the YAML API documentation.

Ethernet.AUTO_NEGOTIATION

Type: bool

When TRUE, enforce auto-negotiation of speed and duplex mode. If Ethernet.SPEED and Ethernet.DUPLEX properties are both specified, only that single mode is advertised and accepted during the link auto-negotiation process: this works only for BASE-T 802.3 specifications and is useful for enforcing gigabits modes, as in these cases link negotiation is mandatory. When FALSE, Ethernet.SPEED and Ethernet.DUPLEX properties should be both set or link configuration is skipped.

Ethernet.DUPLEX

Type: string, Ethernet.FULL_DUPLEX or Ethernet.HALF_DUPLEX.

Ethernet duplex mode.

Ethernet.SPEED

Type: integer

Ethernet speed in the unit of Mbps.

Ethernet.SRIOV_SUBTREE

If the ethernet interface supports SR-IOV, the Ethernet.SRIOV_SUBTREE dictionary allows to configure it.

Limitations of SR-IOV configuration

Nmstate supports the following options:

Ethernet.SRIOV.TOTAL_VFS

Type: integer

Total number of Virtual Functions per Physical Function. Changing the total VFs will also change the interfaces that are visible in the Nmstate state. Reducing the total VFs without setting Interface.STATE to InterfaceState.ABSENT for the corresponding interfaces might lead to an undefined system state or error.

Example:

{
    Interface.KEY: [
    {
        Interface.NAME: "eth1",
        Interface.TYPE: InterfaceType.ETHERNET,
        Interface.STATE: InterfaceState.UP,
        Ethernet.CONFIG_SUBTREE: {
            Ethernet.SRIOV_SUBTREE: {
                Ethernet.SRIOV.TOTAL_VFS: 1,
                Ethernet.SRIOV.VFS_SUBTREE: [
                    {
                        Ethernet.SRIOV.VFS.ID: 0,
                        Ethernet.SRIOV.VFS.MAC_ADDRESS: 76:A5:0B:F1:8A:C6,
                        Ethernet.SRIOV.VFS.MAX_TX_RATE: 1000,
                        Ethernet.SRIOV.VFS.MIN_TX_RATE: 100,
                        Ethernet.SRIOV.VFS.TRUST: False,
                    }
                ],
            }
        }
    }
    ]
}

Ethernet.SRIOV.VFS_SUBTREE

If the ethernet SR-IOV is enabled and the Ethernet.SRIOV.TOTAL_VFS is greater than 0, this will contain a list of dictionaries that allows to configure each VF. Nmstate supports the following options:

Ethernet.SRIOV.VFS.ID

The VF id. This parameter is read-only.

Type: integer

Ethernet.SRIOV.VFS.MAC_ADDRESS

The MAC address of the VF.

Type: string in the format of EA:60:E4:08:17:F1. Case insensitive.

Ethernet.SRIOV.VFS.SPOOF_CHECK

Enable or disable spoof check in the VF.

Type: bool

Ethernet.SRIOV.VFS.TRUST

Enable or disable trust in the VF.

Type: bool

Ethernet.SRIOV.VFS.MIN_TX_RATE

The minimum TX rate. Please, note that not all the NICs support this option.

Type: integer

Ethernet.SRIOV.VFS.VLAN_ID

Available since 1.2.1

The VLAN ID of SRIOV VF.

Type: integer

Ethernet.SRIOV.VFS.QOS

Available since 1.2.1

The QoS value of SRIOV VF.

Type: integer

VLAN

Besides basic interface properties, each VLAN interface state also contains a dictionary saved in key VLAN.CONFIG_SUBTREE.

Example:

{
    Interface.KEY: [
        {
            Interface.NAME: "eth1.101",
            Interface.TYPE: VLAN.TYPE,
            Interface.STATE: InterfaceState.UP,
            VLAN.CONFIG_SUBTREE: {
                VLAN.ID: 101,
                VLAN.BASE_IFACE: 'eth1'
            }
        }
    ]
}

VLAN.ID

Type: integer

The VLAN ID.

To change VLAN ID, please use InterfaceState.ABSENT for existing one and add new one after that.

VLAN.BASE_IFACE

Type: string

The interface name which current VLAN is based on.

VXLAN

Besides basic interface properties, each VXLAN interface state also contains a dictionary saved in key VXLAN.CONFIG_SUBTREE.

Example:

{
    Interface.KEY: [{
        Interface.NAME: 'eth1.101',
        Interface.TYPE: VXLAN.TYPE,
        Interface.STATE: InterfaceState.UP,
        VXLAN.CONFIG_SUBTREE: {
            VXLAN.ID: 101,
            VXLAN.BASE_IFACE: 'eth1',
            VXLAN.REMOTE: '192.0.2.2',
            VXLAN.DESTINATION_PORT: 4790 # optional
        }
    }]
}

VXLAN.ID

Type: integer

The VXLAN ID.

To change the VXLAN ID, please remove the interface first by setting the state to InterfaceState.ABSENT and then add a new one.

VXLAN.BASE_IFACE

Type: string

The name of the underlying interface for the VXLAN.

VXLAN.REMOTE

Type: string

The unicast destination IP address to use in outgoing packets when the destination link layer address is not known in the VXLAN device forwarding database, or the multicast IP address to join.

VXLAN.DESTINATION_PORT

Type: integer

The UDP destination port to communicate to the remote VXLAN tunnel endpoint. Default: 4789

VXLAN.LOCAL

Type: string

The source IP address for out-going package of VxLAN tunnel.

VXLAN.LEARNING

Type: bool

Whether to learn link layer address for forward database.

Linux Bridge

Besides basic interface properties, each Linux Bridge interface state also contains a dictionary saved in key LinuxBridge.CONFIG_SUBTREE.

Example:

{
    Interface.KEY: [{
        Interface.NAME: "linux-br0",
        Interface.TYPE: LinuxBridge.TYPE,
        Interface.STATE: InterfaceState.UP,
        LinuxBridge.CONFIG_SUBTREE: {
            LinuxBridge.OPTIONS_SUBTREE: {
                LinuxBridge.Options.GROUP_FORWARD_MASK: 0,
                LinuxBridge.Options.MAC_AGEING_TIME: 300,
                LinuxBridge.Options.MULTICAST_SNOOPING: True,
                LinuxBridge.STP_SUBTREE: {
                    LinuxBridge.STP.ENABLED: True,
                    LinuxBridge.STP.FORWARD_DELAY: 15,
                    LinuxBridge.STP.HELLO_TIME: 2,
                    LinuxBridge.STP.MAX_AGE: 20,
                    LinuxBridge.STP.PRIORITY: 32768
                }
            },
            LinuxBridge.PORT_SUBTREE: [
                {
                    LinuxBridge.Port.NAME: "eth1",
                    LinuxBridge.Port.STP_PRIORITY: 32,
                    LinuxBridge.Port.STP_HAIRPIN_MODE: False,
                    LinuxBridge.Port.STP_PATH_COST: 100
                }
            ]
        }
    }]
}

Limitations of Linux Bridge Interface

If Interface.MAC_ADDRESS is not defined in desire state of Linux Bridge, nmstate will trust kernel and systemd to determine the MAC address of this bridge:

If you want to enforcing bridge to use MAC address of first attached port, you may create /etc/systemd/network/98-bridge-inherit-mac.link with below contents:

[Match]
Type=bridge

[Link]
MACAddressPolicy=none

Of course, you can always explicitly define assign a MAC address to a bridge without worrying above.

LinuxBridge.Options.GROUP_FORWARD_MASK

Type: integer

The mask of group address to forward.

LinuxBridge.Options.MAC_AGEING_TIME

Type: integer

The Spanning Tree Protocol (STP) maximum message age, in seconds.

LinuxBridge.Options.MULTICAST_SNOOPING

Type: bool

Whether IGMP snooping is enabled for this bridge.

LinuxBridge.Options.GROUP_ADDR

Type: string in the format of 01:80:C2:00:00:00.

The MAC address of the multicast group this bridge uses for STP.

LinuxBridge.Options.GROUP_FWD_MASK

Type: integer

A mask of group addresses to forward.

LinuxBridge.Options.HASH_ELASTICITY

Type: integer

LinuxBridge.Options.HASH_MAX

Type: integer

LinuxBridge.Options.MULTICAST_ROUTER

Type: string

Sets bridge’s multicast router. Multicast-snooping must be enabled for this option to work.

LinuxBridge.Options.MULTICAST_LAST_MEMBER_COUNT

Type: integer

Set the number of queries the bridge will send before stopping forwarding a multicast group after a “leave” message has been received.

LinuxBridge.Options.MULTICAST_LAST_MEMBER_INTERVAL

Type: integer

Set interval (in deciseconds) between queries to find remaining members of a group, after a “leave” message is received.

LinuxBridge.Options.MULTICAST_MEMBERSHIP_INTERVAL

Type: integer

Set delay (in deciseconds) after which the bridge will leave a group, if no membership reports for this group are received.

LinuxBridge.Options.MULTICAST_QUERIER

Type: bool

Enable or disable sending of multicast queries by the bridge. If not specified the option is disabled.

LinuxBridge.Options.MULTICAST_QUERIER_INTERVAL

Type: integer

If no queries are seen after this delay (in deciseconds) has passed, the bridge will start to send its own queries.

LinuxBridge.Options.MULTICAST_QUERY_USE_IFADDR

Type: bool

If enabled the bridge’s own IP address is used as the source address for IGMP queries otherwise the default of 0.0.0.0 is used.

LinuxBridge.Options.MULTICAST_QUERY_INTERVAL

Type: integer

Interval (in deciseconds) between queries sent by the bridge after the end of the startup phase.

LinuxBridge.Options.MULTICAST_QUERY_RESPONSE_INTERVAL

Type: integer

Set the Max Response Time/Max Response Delay (in deciseconds) for IGMP/MLD queries sent by the bridge.

LinuxBridge.Options.MULTICAST_STARTUP_QUERY_COUNT

Type: integer

Set the number of IGMP queries to send during startup phase.

LinuxBridge.Options.MULTICAST_STARTUP_QUERY_INTERVAL

Type: integer

Sets the time (in deciseconds) between queries sent out at startup to determine membership information.

LinuxBridge.Options.VLAN_DEFAULT_PVID

Type: integer

The drfault PVID for the ports of the bridge, that is the VLAN id assigned to incoming untagged frames.

LinuxBridge.STP.ENABLED

Type: bool

Whether Spanning Tree Protocol (STP) is enabled for this bridge.

LinuxBridge.STP.FORWARD_DELAY

Type: integer

The Spanning Tree Protocol (STP) forwarding delay, in seconds.

LinuxBridge.STP.HELLO_TIME

Type: integer

The Spanning Tree Protocol (STP) hello time, in seconds.

LinuxBridge.STP.MAX_AGE

Type: integer

The Spanning Tree Protocol (STP) maximum message age, in seconds.

LinuxBridge.STP.PRIORITY

Type: integer

Sets the Spanning Tree Protocol (STP) priority for this bridge. Lower values are “better”; the lowest priority bridge will be elected the root bridge.

LinuxBridge.Port.SUBTREE

Type: List of dictionary.

This property does not support partial editing, the full list of ports is required in desired state.

LinuxBridge.Port.NAME

Type: string

The interface name of the linux bridge port.

LinuxBridge.Port.STP_PRIORITY

Type: integer

The Spanning Tree Protocol (STP) priority of this bridge port. Lower values are “better”.

LinuxBridge.Port.STP_HAIRPIN_MODE

Type: bool

Whether hairpin mode is enabled or not for the port.

LinuxBridge.Port.STP_PATH_COST

Type: integer

The Spanning Tree Protocol (STP) port cost for destinations via this port.

LinuxBridge.Port.VLAN_SUBTREE

Each Linux Bridge port also features a subtree to configure the allowed VLANs passing through it. If the VLAN subtree is not configured, all the VLANs are allowed; when the VLAN subtree is specified, the user needs to provide the full list of bridge ports.

Example:

{
    LinuxBridge.Port.VLAN_SUBTREE: {
        LinuxBridge.Port.Vlan.MODE: LinuxBridge.Port.Vlan.Mode.TRUNK,
        LinuxBridge.Port.Vlan.ENABLE_NATIVE: True,
        LinuxBridge.Port.Vlan.TAG: 105,
        LinuxBridge.Port.Vlan.TRUNK_TAGS: [
            LinuxBridge.Port.TrunkTags.ID: 100,
            LinuxBridge.Port.TrunkTags.ID_RANGE: {
                LinuxBridge.Port.TrunkTags.MIN_RANGE: 500,
                LinuxBridge.Port.TrunkTags.MAX_RANGE: 599,
            }
        ]
    }
}

LinuxBridge.Port.Vlan.MODE

Type: string

The operational mode of the port. Allowed values are:

LinuxBridge.Port.Vlan.ENABLE_NATIVE

Type: bool Default: false

Can only be used for trunk ports. When enabled, it configures the VLAN specified by LinuxBridge.Port.Vlan.TAG as a native VLAN.

LinuxBridge.Port.Vlan.TAG

Type: integer

The access tag of the access port, or the native vlan of the trunk port.

LinuxBridge.Port.Vlan.TRUNK_TAGS

Type: array of dictionary.

Defines the white-list of VLANs accepted on this port. It accepts two formats:

Interface - Bond

Besides basic interface properties, each bond interface state also contains a dictionary saved in key BOND.CONFIG_SUBTREE.

Example:

{
    Interface.KEY: [
        {
            Interface.NAME: "bond99",
            Interface.TYPE: InterfaceType.BOND,
            Interface.STATE: InterfaceState.UP,
            Bond.CONFIG_SUBTREE: {
                Bond.MODE: "balance-rr",
                Bond.OPTIONS_SUBTREE: {},
                Bond.PORT: ["eth1"]
            },
        }
    ]
}

Bond.MODE

Type: string

The bond mode in kernel. Possible values are:

Please refer to kernel document for detail.

When changing bond mode, the Bond.OPTIONS_SUBTREE will not merge from current state. User is required to provide full desire bond options when switching bond mode.

Bond.OPTIONS_SUBTREE

Type: dictionary

The dictionary of bond options. Please refer to kernel document for detail.

Set to Bond.OPTIONS_SUBTREE: {} will revert all bond options back to kernel defaults.

Nmstate will not perform verification on whether desired bond options is applied to kernel due to complexity of it, please verify the bond options by yourself.

Bond.PORT

Type: list of string

The names of bond port interfaces. This property does not support partial editing, full list of ports is required in desired state. If not defined in desire state, current status will be preserved.

Interface - Open vSwitch(OVS) Bridge

Besides basic interface properties, each OVS bridge interface state also contains a dictionary saved in key OVSBridge.CONFIG_SUBTREE.

Example:


{
    Interface.KEY: [{
        Interface.NAME: "ovs-br0",
        Interface.TYPE: InterfaceType.BOND,
        Interface.STATE: InterfaceState.UP,
        OVSBridge.CONFIG_SUBTREE: {
            OVSBridge.OPTIONS_SUBTREE: {
                OVSBridge.Options.FAIL_MODE: "",
                OVSBridge.Options.MCAST_SNOOPING_ENABLE: False,
                OVSBridge.Options.RSTP: False,
                OVSBridge.Options.STP: True
            },
            OVSBridge.PORT_SUBTREE: [
                {
                    OVSBridge.Port.NAME: "ovs0",
                },
                {
                    OVSBridge.Port.NAME: "eth1",
                }
            ]
        },
    }]
}

Limitations of OpenvSwitch Interfaces

When certain OVS interfaces interface is not created by NetworkManager or nmstate, the libnmstate.show() might showing the incorrect running state of it.

OVSBridge.Options.FAIL_MODE

Type: string, ‘secure’ or ‘standalone’ or empty.

The bridge failure mode.

OVSBridge.Options.MCAST_SNOOPING_ENABLE

Type: bool

Enable or disable multicast snooping.

OVSBridge.Options.RSTP

Type: bool

Enable or disable RSTP.

OVSBridge.Options.STP

Type: bool

Enable or disable STP.

OVSBridge.PORT_SUBTREE

Type: List of dictionary.

This property does not support partial editing, the full list of ports is required in desired state.

OVSBridge.Port.NAME

Type: string

The OVS bridge port name.

Interface - Open vSwitch(OVS) Internal

Each OVS internal interface state contains a dictionary saved in key OVSInterface.PATCH_CONFIG_SUBTREE.

OVSInterface.Patch.PEER

Type: string

Interface patch peer name.

MAC VTAP

Besides basic interface properties, each Macvtap interface state also contains a dictionary saved in key MacVtap.CONFIG_SUBTREE holding information for MacVtap.BASE_IFACE, MacVtap.MODE and MacVtap.PROMISCUOUS.

MacVtap.BASE_IFACE

The interface name which current Macvtap is based on.

MacVtap.MODE

The mode of Macvtap interface. Possible values are:

MacVtap.PROMISCUOUS

Bool. Whether accept all mac addresses mode is enabled or not.

MAC VLAN

Besides basic interface properties, each Macvvlan interface state also contains a dictionary saved in key MacVlan.CONFIG_SUBTREE holding information for MacVlan.BASE_IFACE, MacVlan.MODE and MacVlan.PROMISCUOUS.

MacVlan.BASE_IFACE

The interface name which current Macvvlan is based on.

MacVlan.MODE

The mode of Macvvlan interface. Possible values are:

MacVlan.PROMISCUOUS

Bool. Whether accept all mac addresses mode is enabled or not.

IP over InfiniBand(IPoIB)

Besides basic interface properties, each IP over InfiniBand interface state also contains a dictionary saved in key InfiniBand.CONFIG_SUBTREE holding information for InfiniBand.BASE_IFACE, InfiniBand.MODE and InfiniBand.PKEY.

InfiniBand.BASE_IFACE

The parent interface current IPoIB interface is based on.

InfiniBand.MODE

IPoIB can run in two modes of operation: Connected mode(InfiniBand.Mode.CONNECTED) and Datagram mode(InfiniBand.Mode.DATAGRAM).

InfiniBand.PKEY

The Partition Keys (PKeys) used to partition IPoIB communication. You may use integer or hex string. The InfiniBand.DEFAULT_PKEY indicating this IPoIB interface is not using pkey partitioning.

Virtual Routing and Forwarding (VRF)

Besides basic interface properties, each VRF interface state also contains a dictionary saved in key VRF.CONFIG_SUBTREE holding information for VRF.ROUTE_TABLE_ID, VRF.PORT_SUBTREE.

VRF.ROUTE_TABLE_ID

Integer, the route table id this VRF is assigned to.

VRF.PORT_SUBTREE

List of string, the name of interfaces assigned to this VRF interface.

Team

Besides basic interface properties, each Team interface state also contains a dictionary saved in key Team.CONFIG_SUBTREE. In addition, this dictionary contains a list of dictionaries saved in key Team.PORT_SUBTREE and a dictionary saved in key Team.RUNNER_SUBTREE.

Example:

{
    Interface.KEY : [
        Interface.NAME: "team0",
        Interface.TYPE: InterfaceType.TEAM,
        Interface.STATE: InterfaceState.UP,
        Team.CONFIG_SUBTREE: {
            Team.PORT_SUBTREE: [
                {
                    Team.Port.NAME: "eth1"
                },
                {
                    Team.Port.NAME: "eth2"
                }
            ],
            Team.RUNNER_SUBTREE: {
                Team.Runner.NAME: Team.Runner.RunnerMode.LOAD_BALANCE
            }
        }
    ]
}

These values are based on the teamd JSON API. For further information please refer to teamd manual page

Limitations of Team interface

When certain team interface is not created by NetworkManager or nmstate, the libnmstate.show() might showing the incorrect running state of it.

Team.Port.NAME

Type: string

The interface name of the port.

Team.Runner.NAME

Type: string

The mode in which the interface is operating. Currently we are supporting the following values:

Linux Virtual Ethernet(veth)

New in version 1.0.1.

Besides basic interface properties, each Veth interface state also contains a dictionary saved in key Veth.CONFIG_SUBTREE. In addition, this dictionary contains a property named Veth.PEER.

Example:

{
    Interface.KEY : [
        Interface.NAME: "veth0",
        Interface.TYPE: InterfaceType.VETH,
        Interface.STATE: InterfaceState.UP,
        Veth.CONFIG_SUBTREE: {
            Veth.PEER: "veth1"
        }
    ]
}

Veth.CONFIG_SUBTREE

It contains the option to set the veth peer.

Veth.PEER

Type: string

Set the veth interface peer.

LLDP

Nmstate provides Link Layer Discovery Protocol information for each interface.

LLDP.CONFIG_SUBTREE

It contains the option to enable LLDP and the neighbors information.

LLDP.ENABLED

Type: bool

Enable or disable LLDP on the interface.

LLDP.NEIGHBORS_SUBTREE

Contains a list of lists. Each element of the list is a neighbor announced by LLDP and each element of the neighbor is a dictionary containing the TLV information.

LLDP.Nieghbors.DESCRIPTION

Type: string

Description of the TLV.

LLDP.Neighbors.TLV_TYPE

Type: integer

LLDP.Neighbors.TLV_SUBTYPE

Type: integer

LLDP.Neighbors.ORGANIZATION_CODE

Type: string in the format 00:80:c2

Route

Nmstate provides both running and in-config routes via libnmstate.show(). Example:

{
    Route.KEY: {
        Route.CONFIG: [
            {
                Route.TABLE_ID: 0,
                Route.DESTINATION: "0.0.0.0/0",
                Route.NEXT_HOP_INTERFACE: "eth1",
                Route.NEXT_HOP_ADDRESS: "192.0.2.1",
                Route.METRIC: -1
            }
        ],
        Route.RUNNING: [
            {
                Route.TABLE_ID: 254,
                Route.DESTINATION: "192.0.2.0/24",
                Route.NEXT_HOP_INTERFACE: "eth1",
                Route.NEXT_HOP_ADDRESS: "",
                Route.METRIC: 100
            },
    }
}

The running routes contains route entries in kernel, which might contain:

The config routes are the static routes saved in configuration files.

The libnmstate.apply(desire_state) merges current config routes into desire_state, to remove config route entry, please use Route.STATE: Route.STATE_ABSENT in the route entry:

    {
        Route.STATE: Route.STATE_ABSENT,
        Route.NEXT_HOP_INTERFACE: "eth1"
    }

Route.TABLE_ID

Type: integer

The route table ID. If not defined, set as Route.USE_DEFAULT_ROUTE_TABLE to use the default route table.

Route.DESTINATION

Type: string

The route destination in the format like 192.0.2.0/24 or 2001:db8:1::/64.

Route.NEXT_HOP_INTERFACE

Type: string

The next hop interface. Mandatory.

Route.NEXT_HOP_ADDRESS

Type: string

The next hop address.

Route.METRIC

Type: integer

The route metric. If not define, set to Route.USE_DEFAULT_METRIC for the default metric.

Route.WEIGHT

Type: integer

The route weight. Please, notice that this property is only effective on ECMP route. Nmstate will configure ECMP route when possible on kernel.

Route Rule

Nmstate provides routes rules via libnmstate.show(). Example:

{
    RouteRule.KEY: {
        RouteRule.CONFIG: [
            {
                RouteRule.IP_TO: 192.0.2.0/24,
                RouteRule.PRIORITY: 1000,
                RouteRule.ROUTE_TABLE: 50,
            },
        ],
    },
}

RouteRule.CONFIG

A list containing the multiple rule configurations.

RouteRule.IP_FROM

Type: string in the format 192.0.2.1/24

RouteRule.IP_TO

Type: string in the format 192.0.2.1/24

RouteRule.PRIORITY

Type: integer

The priority of the rule over the others.

RouteRule.ROUTE_TABLE

Type: integer

The table id where the rule should be applied.

RouteRule.USE_DEFAULT_PRIORITY

Type: integer

RouteRule.USE_DEFAULT_ROUTE_TABLE

Type: integer

RouteRule.FWMARK

Type: integer

The fwmark value used. The format reported by Nmstate is hexadecimal as 0x30 and it is also supported for applying the state.

RouteRule.FWMASK

Type: integer

The fwmask value used. The format reported by Nmstate is hexadecimal as 0x30 and it is also supported for applying the state. In addition, notice that this value is optional and only valid when fwmark is set.

RouteRule.FAMILY

Type: string

The address family for this route rule. This option is specially useful when configuring from all to all routing policy. The supported values are ipv4 and ipv6.

RouteRule.FAMILY_IPV4

Type: string

RouteRule.FAMILY_IPV6

Type: string

RouteRule.IIF

Type: string

This property defines the matching on incoming interface name.

RouteRule.ACTION

Type: string

This property defines the action for the routing policy. The supported values are: RouteRule.ACTION_BLACKHOLE, RouteRule.ACTION_UNREACHABLE and RouteRule.ACTION_PROHIBIT

DNS client configuration

Nmstate provides both running and in-config DNS client configuration via libnmstate.show(). Example:

{
    DNS.KEY: {
        DNS.CONFIG: {
            DNS.SEARCH: [
                "example.org",
                "example.com",
            ],
            DNS.SERVER: [
                "192.0.2.1"
            ]
        },
        DNS.RUNNING: {
            DNS.SEARCH: [
                "example.org",
                "example.com",
            ],
            DNS.SERVER: [
                "192.0.2.1"
            ]
        }
    },
}

The running DNS config it might contains DNS config from DHCP or IPv6-RA. The config DNS is the static configuration saved in configuration files.

The libnmstate.apply(desire_state) copies current DNS config to desire_state if DNS.KEY is missing from desire_state. Otherwise, DNS config in desire_state overrides current DNS configurations.

Limitations of static DNS configuration

Currently nmstate only support configuring static DNS on any of these situations:

DNS.SEARCH

Type: list of string

Search list for host-name lookup.

DNS.SERVER

Type: list of string

Name server IP addresses.

Placing IPv4/IPv6 name server in the middle of IPv6/IPv4 name servers is not supported yet.

Multipath TCP

Available since 2.2.0.

The Interface.MPTCP section of interface holds the Multipath TCP interface level flags, it will apply flags to all valid IP addresses(both static and dynamic). Network backend might has its own rule on excusing special scope of IP address, e.g. IPv6 multicast address.

Example:

desired_state = {
    Interface.KEY: [
        {
            Interface.NAME: "eth1",
            Interface.TYPE: InterfaceType.ETHERNET,
            Interface.STATE: InterfaceState.UP,
            Interface.MPTCP: {
                Mptcp.ADDRESS_FLAGS: [
                    Mptcp.FLAG_SIGNAL,
                    Mptcp.FLAG_BACKUP,
                ]
            },
        }
    ]
}
libnmstate.apply(desired_state)

Supported MPTCP flags are:

Limitations: