Skip to content


Sometimes it is needed to perform an operation on multiple devices; be it getting the same leaf value from a given set of the network elements or setting a certain configuration element to some value.

For cases like that gnmic offers support for multiple targets operations which a user can configure both via CLI flags as well as with the file-based configuration.

CLI configuration#

Specifying multiple targets in the CLI is as easy as repeating the --address flag.

❯ gnmic -a \
        -a \
        get --path /configure/system/name

File-based configuration#

With the file-based configuration a user has two options to specify multiple targets:

  • using address option
  • using targets option

address option#

With address option the user must provide a list of addresses. In the YAML format that would look like that:

  - ""
  - ""

The limitation this approach has is that it is impossible to set different credentials for the targets, they will essentially share the credentials specified in a file or via flags.

target option#

With the targets option it is possible to set target specific options (such as credentials, subscriptions, TLS config, outputs), and thus this option is recommended to use:

    timeout: 2s
    username: r1
    password: gnmi_pass
    username: r2
    password: gnmi_pass
    tls-key: /path/file1
    tls-cert: /path/file2

The target address is defined as the key under the targets section of the configuration file. The default port (57400) can be omitted as demonstrated with target address. Have a look at the file-based targets configuration example to get a glimpse of what it is capable of.

The target inherits the globally defined options if the matching options are not set on a target level. For example, if a target doesn't have a username defined, it will use the username value set on a global level.

secure/insecure connections#

gnmic supports both secure and insecure gRPC connections to the target.

insecure connection#

Using the --insecure flag it is possible to establish an insecure gRPC connection to the target.

gnmic -a router1:57400 \
      --insecure \
      get --path /configure/system/name
secure connection#
  • A one way secure connection without target certificate verification can be established using the --skip-verify flag.
gnmic -a router1:57400 \
      --skip-verify \
      get --path /configure/system/name
  • Adding target certificate verification can be done using the --tls-ca flag.
gnmic -a router1:57400 \
      --tls-ca /path/to/ca/file \
      get --path /configure/system/name
  • A two way secure connection can be established using the --tls-cert --tls-key flags.
gnmic -a router1:57400 \
      --tls-cert /path/to/certificate/file \
      --tls-key /path/to/certificate/file \
      get --path /configure/system/name
  • It is also possible to control the negotiated TLS version using the --tls-min-version, --tls-max-version and --tls-version (preferred TLS version) flags.

target configuration options#

Target supported options:

  # target name or an address (IP or DNS name).
  # if an address is set it can include a port number or not,
  # if a port is not included, the default gRPC port will be added.
    # target name, will default to the target_key if not specified
    name: target_key
    # target address, if missing the target_key is used as an address.
    # supports comma separated addresses.
    # if any of the addresses is missing a port, the default gRPC port will be added.
    # if multiple addresses are set, all of them will be tried simultaneously,
    # the first established gRPC connection will be used, the other attempts will be canceled.
    # target username
    # target password
    # authentication token, 
    # applied only in the case of a secure gRPC connection.
    # target RPC timeout
    # establish an insecure connection
    # path to tls ca file
    # path to tls certificate
    # path to tls key
    # max tls version to use during negotiation
    # min tls version to use during negotiation
    # preferred tls version to use during negotiation
    # enable logging of a pre-master TLS secret
    # do not verify the target certificate when using tls
    # server name used to verify the hostname on the returned 
    # certificates unless skip-verify is true.    
    # list of subscription names to establish for this target.
    # if empty it defaults to all subscriptions defined under
    # the main level `subscriptions` field
    # list of output names to which the gnmi data will be written.
    # if empty if defaults to all outputs defined under
    # the main level `outputs` field
    # number of subscribe responses to keep in buffer before writing
    # the target outputs
    # target retry period
    # list of tags, relevant when clustering is enabled.
    # a mapping of static tags to add to all events from this target.
    # each key/value pair in this mapping will be added to metadata
    # on all events
    # list of proto file names to decode protoBytes values
    # list of directories to look for the proto files
    # enable grpc gzip compression
    # proxy type and address, only SOCKS5 is supported currently
    # example: socks5://<address>:<port>


Whatever configuration option you choose, the multi-targeted operations will uniformly work across the commands that support them.

Consider the get command acting on two routers getting their names:

❯ gnmic -a \
        -a \
        get --path /configure/system/name

[] {
[]   "source": "",
[]   "timestamp": 1593009759618786781,
[]   "time": "2020-06-24T16:42:39.618786781+02:00",
[]   "updates": [
[]     {
[]       "Path": "configure/system/name",
[]       "values": {
[]         "configure/system/name": "gnmic_r1"
[]       }
[]     }
[]   ]
[] }

[] {
[]   "source": "",
[]   "timestamp": 1593009759748265232,
[]   "time": "2020-06-24T16:42:39.748265232+02:00",
[]   "updates": [
[]     {
[]       "Path": "configure/system/name",
[]       "values": {
[]         "configure/system/name": "gnmic_r2"
[]       }
[]     }
[]   ]
[] }

Notice how in the output the different gNMI targets are prefixed with the target address to make the output easy to read. If those prefixes are not needed, you can make them disappear with --no-prefix global flag.