summaryrefslogtreecommitdiffstats
path: root/doc/user/vtysh.rst
blob: d94eba110eebf0f212f367b98104a9e8f8c67348 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
.. _VTY_shell:

*********
VTY shell
*********

*vtysh* provides a combined frontend to all FRR daemons in a
single combined session.  It is enabled by default at build time, but can
be disabled through the *--disable-vtysh* option to
*./configure*.

*vtysh* has a configuration file, :file:`vtysh.conf`.  The location
of that file cannot be changed from :file:`|INSTALL_PREFIX_ETC|` since
it contains options controlling authentication behavior.  This file will
also not be written by configuration-save commands, it is intended to be
updated manually by an administrator with an external editor.

@quotation Warning
This also means the *hostname* and *banner motd* commands
(which both do have effect for vtysh) need to be manually updated in
:file:`vtysh.conf`.
@end quotation

Permissions and setup requirements
==================================

*vtysh* connects to running daemons through Unix sockets located in
:file:`|INSTALL_PREFIX_STATE|`.  Running vtysh thus requires access to
that directory, plus membership in the *|INSTALL_VTY_GROUP|*
group (which is the group that the daemons will change ownership of their
sockets to).

To restrict access to FRR configuration, make sure no unauthorized users
are members of the *|INSTALL_VTY_GROUP|* group.

PAM support (experimental)
--------------------------

vtysh has working (but rather useless) PAM support.  It will perform
an "authenticate" PAM call using *|PACKAGE_NAME|* as service
name. No other (accounting, session, password change) calls will be
performed by vtysh.

Users using vtysh still need to have appropriate access to the daemons'
VTY sockets, usually by being member of the *|INSTALL_VTY_GROUP|*
group.  If they have this membership, PAM support is useless since they can
connect to daemons and issue commands using some other tool.  Alternatively,
the *vtysh* binary could be made SGID (set group ID) to the
*|INSTALL_VTY_GROUP|* group.  @strong{No security guarantees are
made for this configuration}.

.. index:: {Command} {username `username` nopassword} {}

{Command} {username `username` nopassword} {}
  If PAM support is enabled at build-time, this command allows disabling the
  use of PAM on a per-user basis.  If vtysh finds that an user is trying to
  use vtysh and a "nopassword" entry is found, no calls to PAM will be made
  at all.


.. _Integrated_configuration_mode:

Integrated configuration mode
=============================

Integrated configuration mode uses a single configuration file,
:file:`frr.conf`, for all daemons.  This replaces the individual files like
:file:`zebra.conf` or :file:`bgpd.conf`.

:file:`frr.conf` is located in :file:`|INSTALL_PREFIX_ETC|`.  All
daemons check for the existence of this file at startup, and if it exists
will not load their individual configuration files.  Instead,
*vtysh -b* must be invoked to process :file:`frr.conf` and apply
its settings to the individual daemons.

@quotation Warning
*vtysh -b* must also be executed after restarting any daemon.
@end quotation

Configuration saving, file ownership and permissions
----------------------------------------------------

The :file:`frr.conf` file is not written by any of the daemons; instead
*vtysh* contains the neccessary logic to collect configuration from
all of the daemons, combine it and write it out.

@quotation Warning
Daemons must be running for *vtysh* to be able to collect their
configuration.  Any configuration from non-running daemons is permanently
lost after doing a configuration save.
@end quotation

Since the *vtysh* command may be running as ordinary user on the
system, configuration writes will be tried through *watchfrr*,
using the *write integrated* command internally.  Since
*watchfrr* is running as superuser, *vtysh* is able to
ensure correct ownership and permissions on :file:`frr.conf`.

If *watchfrr* is not running or the configuration write fails,
*vtysh* will attempt to directly write to the file.  This is likely
to fail if running as unprivileged user;  alternatively it may leave the
file with incorrect owner or permissions.

Writing the configuration can be triggered directly by invoking
*vtysh -w*.  This may be useful for scripting.  Note this command
should be run as either the superuser or the FRR user.

We recommend you do not mix the use of the two types of files. Further, it
is better not to use the integrated frr.conf file, as any syntax error in
it can lead to /all/ of your daemons being unable to start up. Per daemon
files are more robust as impact of errors in configuration are limited to
the daemon in whose file the error is made.

.. index:: {Command} {service integrated-vtysh-config} {}

{Command} {service integrated-vtysh-config} {}
.. index:: {Command} {no service integrated-vtysh-config} {}

{Command} {no service integrated-vtysh-config} {}
    Control whether integrated :file:`frr.conf` file is written when
    'write file' is issued.

    These commands need to be placed in :file:`vtysh.conf` to have any effect.
    Note that since :file:`vtysh.conf` is not written by FRR itself, they
    therefore need to be manually placed in that file.

    This command has 3 states:


``
      *service integrated-vtysh-config*

      *vtysh* will always write :file:`frr.conf`.


``
      *no service integrated-vtysh-config*

      *vtysh* will never write :file:`frr.conf`; instead it will ask
      daemons to write their individual configuration files.


``
      Neither option present (default)

      *vtysh* will check whether :file:`frr.conf` exists.  If it does,
      configuration writes will update that file.  Otherwise, writes are performed
      through the individual daemons.

    This command is primarily intended for packaging/distribution purposes, to
    preset one of the two operating modes and ensure consistent operation across
    installations.

.. index:: {Command} {write integrated} {}

{Command} {write integrated} {}
    Unconditionally (regardless of *service integrated-vtysh-config*
    setting) write out integrated :file:`frr.conf` file through
    *watchfrr*.  If *watchfrr* is not running, this command
    is unavailable.


Caveats
=======

Configuration changes made while some daemon is not running will be invisible
to that daemon.  The daemon will start up with its saved configuration
(either in its individual configuration file, or in :file:`frr.conf`).
This is particularly troublesome for route-maps and prefix lists, which would
otherwise be synchronized between daemons.