diff options
author | rebortg <github@ghlr.de> | 2020-12-08 14:57:44 +0100 |
---|---|---|
committer | rebortg <github@ghlr.de> | 2020-12-08 14:57:44 +0100 |
commit | f6c43343bbea7c98b6e735f5204da1759343ca23 (patch) | |
tree | 8ddd1150ffaf65cd36678ebc95c7d9fb22ae1dce /docs/system | |
parent | e6d0a80db37769a3d40084a8d55abfd7b24b941a (diff) | |
parent | 0bb741b58bc0dd7f0beae7364ed519f7165bdbb7 (diff) | |
download | vyos-documentation-f6c43343bbea7c98b6e735f5204da1759343ca23.tar.gz vyos-documentation-f6c43343bbea7c98b6e735f5204da1759343ca23.zip |
Merge branch 'sagitta' of https://github.com/rebortg/vyos-documentation
Diffstat (limited to 'docs/system')
-rw-r--r-- | docs/system/advanced-index.rst | 19 | ||||
-rw-r--r-- | docs/system/basic-index.rst | 14 | ||||
-rw-r--r-- | docs/system/boot-options.rst | 57 | ||||
-rw-r--r-- | docs/system/default-route.rst | 40 | ||||
-rw-r--r-- | docs/system/eventhandler.rst | 48 | ||||
-rw-r--r-- | docs/system/flow-accounting.rst | 203 | ||||
-rw-r--r-- | docs/system/host-information.rst | 63 | ||||
-rw-r--r-- | docs/system/lcd.rst | 45 | ||||
-rw-r--r-- | docs/system/ntp.rst | 77 | ||||
-rw-r--r-- | docs/system/option.rst | 94 | ||||
-rw-r--r-- | docs/system/proxy.rst | 28 | ||||
-rw-r--r-- | docs/system/serial-console.rst | 43 | ||||
-rw-r--r-- | docs/system/syslog.rst | 226 | ||||
-rw-r--r-- | docs/system/system-dns.rst | 69 | ||||
-rw-r--r-- | docs/system/task-scheduler.rst | 40 | ||||
-rw-r--r-- | docs/system/time-zone.rst | 18 | ||||
-rw-r--r-- | docs/system/user-management.rst | 160 |
17 files changed, 0 insertions, 1244 deletions
diff --git a/docs/system/advanced-index.rst b/docs/system/advanced-index.rst deleted file mode 100644 index 8e855789..00000000 --- a/docs/system/advanced-index.rst +++ /dev/null @@ -1,19 +0,0 @@ -.. _advanced_system_tweaks: - -###### -System -###### - -.. toctree:: - :maxdepth: 2 - - boot-options - eventhandler - flow-accounting - lcd - ntp - option - proxy - serial-console - syslog - task-scheduler diff --git a/docs/system/basic-index.rst b/docs/system/basic-index.rst deleted file mode 100644 index b7bbf1c5..00000000 --- a/docs/system/basic-index.rst +++ /dev/null @@ -1,14 +0,0 @@ -.. _basic_system_tweaks: - -################### -Basic System Tweaks -################### - -.. toctree:: - :maxdepth: 2 - - user-management - host-information - default-route - time-zone - system-dns diff --git a/docs/system/boot-options.rst b/docs/system/boot-options.rst deleted file mode 100644 index d054748f..00000000 --- a/docs/system/boot-options.rst +++ /dev/null @@ -1,57 +0,0 @@ -.. _boot-options: - - -############ -Boot Options -############ - -.. warning:: This function may be highly disruptive. - It may cause major service interruption, so make sure you really - need it and verify your input carefully. - - - -VyOS has several kernel command line options to modify the normal boot -process. -To add an option, select the desired image in GRUB menu at load -time, press **e**, edit the first line, and press **Ctrl-x** to boot when -ready. - -.. image:: /_static/images/boot-options.png - :width: 80% - :align: center - - -Specify custom config file -========================== - -Tells the system to use specified file instead of ``/config/config.boot``. -If specified file does not exist or is not readable, fall back to -default config. No additional verification is performed, so make sure -you specify a valid config file. - -.. code-block:: none - - vyos-config=/path/to/file - -To load the *factory default* config, use: - -.. code-block:: none - - vyos-config=/opt/vyatta/etc/config.boot.default - - -Disable specific boot process steps -=================================== - -These options disable some boot steps. Make sure you understand the -:ref:`boot process <boot-steps>` well before using them! - -.. glossary:: - - no-vyos-migrate - Do not perform config migration. - - no-vyos-firewall - Do not initialize default firewall chains, renders any firewall configuration unusable. - diff --git a/docs/system/default-route.rst b/docs/system/default-route.rst deleted file mode 100644 index 27c74188..00000000 --- a/docs/system/default-route.rst +++ /dev/null @@ -1,40 +0,0 @@ -.. _default_gateway: - -##################### -Default Gateway/Route -##################### - -In the past (VyOS 1.1) used a gateway-address configured under the system tree -(:cfgcmd:`set system gateway-address <address>`), this is no longer supported -and existing configurations are migrated to the new CLI command. - -Configuration -============= - -.. cfgcmd:: set protocols static route 0.0.0.0/0 next-hop <address> - - Specify static route into the routing table sending all non local traffic - to the nexthop address `<address>`. - - -.. cfgcmd:: delete protocols static route 0.0.0.0/0 - - Delete default route from the system. - -Operation -========= - -.. opcmd:: show ip route 0.0.0.0 - - Show routing table entry for the default route. - - .. code-block:: none - - vyos@vyos:~$ show ip route 0.0.0.0 - Routing entry for 0.0.0.0/0 - Known via "static", distance 10, metric 0, best - Last update 09:46:30 ago - * 172.18.201.254, via eth0.201 - -.. seealso:: Configuration of :ref:`static-routing` - diff --git a/docs/system/eventhandler.rst b/docs/system/eventhandler.rst deleted file mode 100644 index a68b3924..00000000 --- a/docs/system/eventhandler.rst +++ /dev/null @@ -1,48 +0,0 @@ -.. _event-handler: - -Event Handler -------------- - -Event handler allows you to execute scripts when a string that matches a regex appears in a text stream (e.g. log file). - -It uses "feeds" (output of commands, or a named pipes) and "policies" that define what to execute if a regex is matched. - -.. code-block:: none - - system - event-handler - feed <name> - description <feed description> - policy <policy name> - source - preset - syslog # Use the syslog logs for feed - custom - command <command to execute> # E.g. "tail -f /var/log/somelogfile" - named-pipe <path to a names pipe> - policy <policy name> - description <policy description> - event <event name> - description <event description> - pattern <regex> - run <command to run> - -In this small example a script runs every time a login failed and an interface goes down - -.. code-block:: none - - vyos@vyos# show system event-handler - feed Syslog { - policy MyPolicy - source { - preset syslog - } - } - policy MyPolicy { - description "Test policy" - event BadThingsHappened { - pattern "authentication failure" - pattern "interface \.* index \d+ .* DOWN.*" - run /config/scripts/email-to-admin - } - }
\ No newline at end of file diff --git a/docs/system/flow-accounting.rst b/docs/system/flow-accounting.rst deleted file mode 100644 index f09c1c9a..00000000 --- a/docs/system/flow-accounting.rst +++ /dev/null @@ -1,203 +0,0 @@ -.. _flow-accounting: - -############### -Flow Accounting -############### - -VyOS supports flow-accounting for both IPv4 and IPv6 traffic. The system acts -as a flow exporter, and you are free to use it with any compatible collector. - -Flows can be exported via two different protocols: NetFlow (versions 5, 9 and -10/IPFIX) and sFlow. Additionally, you may save flows to an in-memory table -internally in a router. - -.. warning:: You need to disable the in-memory table in production environments! - Using :abbr:`IMT (In-Memory Table)` may lead to heavy CPU overloading and - unstable flow-accounting behavior. - - -NetFlow / IPFIX -=============== -NetFlow is a feature that was introduced on Cisco routers around 1996 that -provides the ability to collect IP network traffic as it enters or exits an -interface. By analyzing the data provided by NetFlow, a network administrator -can determine things such as the source and destination of traffic, class of -service, and the causes of congestion. A typical flow monitoring setup (using -NetFlow) consists of three main components: - -* **exporter**: aggregates packets into flows and exports flow records towards - one or more flow collectors -* **collector**: responsible for reception, storage and pre-processing of flow - data received from a flow exporter -* **application**: analyzes received flow data in the context of intrusion - detection or traffic profiling, for example - -For connectionless protocols as like ICMP and UDP, a flow is considered -complete once no more packets for this flow appear after configurable timeout. - -NetFlow is usually enabled on a per-interface basis to limit load on the router -components involved in NetFlow, or to limit the amount of NetFlow records -exported. - -Configuration -============= - -In order for flow accounting information to be collected and displayed for an -interface, the interface must be configured for flow accounting. - -.. cfgcmd:: set system flow-accounting interface <interface> - - Configure and enable collection of flow information for the interface - identified by `<interface>`. - - You can configure multiple interfaces which whould participate in flow - accounting. - -.. note:: Will be recorded only packets/flows on **incoming** direction in - configured interfaces. - - -By default, recorded flows will be saved internally and can be listed with the -CLI command. You may disable using the local in-memory table with the command: - -.. cfgcmd:: set system flow-accounting disable-imt - - Internally, in flow-accounting processes exist a buffer for data exchanging - between core process and plugins (each export target is a separated plugin). - If you have high traffic levels or noted some problems with missed records - or stopping exporting, you may try to increase a default buffer size (10 - MiB) with the next command: - -.. cfgcmd:: set system flow-accounting buffer-size <buffer size> - - In case, if you need to catch some logs from flow-accounting daemon, you may - configure logging facility: - -.. cfgcmd:: set system flow-accounting syslog-facility <facility> - - TBD - -Flow Export ------------ - -In addition to displaying flow accounting information locally, one can also -exported them to a collection server. - -NetFlow -^^^^^^^ - -.. cfgcmd:: set system flow-accounting netflow version <version> - - There are multiple versions available for the NetFlow data. The `<version>` - used in the exported flow data can be configured here. The following - versions are supported: - - * **5** - Most common version, but restricted to IPv4 flows only - * **9** - NetFlow version 9 (default) - * **10** - :abbr:`IPFIX (IP Flow Information Export)` as per :rfc:`3917` - -.. cfgcmd:: set system flow-accounting netflow server <address> - - Configure address of NetFlow collector. NetFlow server at `<address>` can - be both listening on an IPv4 or IPv6 address. - -.. cfgcmd:: set system flow-accounting netflow source-ip <address> - - IPv4 or IPv6 source address of NetFlow packets - -.. cfgcmd:: set system flow-accounting netflow engine-id <id> - - NetFlow engine-id which will appear in NetFlow data. The range is 0 to 255. - -.. cfgcmd:: set system flow-accounting netflow sampling-rate <rate> - - Use this command to configure the sampling rate for flow accounting. The - system samples one in every `<rate>` packets, where `<rate>` is the value - configured for the sampling-rate option. The advantage of sampling every n - packets, where n > 1, allows you to decrease the amount of processing - resources required for flow accounting. The disadvantage of not sampling - every packet is that the statistics produced are estimates of actual data - flows. - - Per default every packet is sampled (that is, the sampling rate is 1). - -.. cfgcmd:: set system flow-accounting netflow timeout expiry-interval <interval> - - Specifies the interval at which Netflow data will be sent to a collector. As - per default, Netflow data will be sent every 60 seconds. - - You may also additionally configure timeouts for different types of - connections. - -.. cfgcmd:: set system flow-accounting netflow max-flows <n> - - If you want to change the maximum number of flows, which are tracking - simultaneously, you may do this with this command (default 8192). - -sFlow -^^^^^ - -.. cfgcmd:: set system flow-accounting sflow server <address> - - Configure address of sFlow collector. sFlow server at `<address>` can - be an IPv4 or IPv6 address. But you cannot export to both IPv4 and - IPv6 collectors at the same time! - -.. cfgcmd:: set system flow-accounting sflow sampling-rate <rate> - - Enable sampling of packets, which will be transmitted to sFlow collectors. - -.. cfgcmd:: set system flow-accounting sflow agent-address <address> - - Configure a sFlow agent address. It can be IPv4 or IPv6 address, but you - must set the same protocol, which is used for sFlow collector addresses. By - default, using router-id from BGP or OSPF protocol, or the primary IP - address from the first interface. - -Example: --------- - -NetFlow v5 example: - -.. code-block:: none - - set system flow-accounting netflow engine-id 100 - set system flow-accounting netflow version 5 - set system flow-accounting netflow server 192.168.2.10 port 2055 - -Operation -========= - -Once flow accounting is configured on an interfaces it provides the ability to -display captured network traffic information for all configured interfaces. - -.. opcmd:: show flow-accounting interface <interface> - - Show flow accounting information for given `<interface>`. - - .. code-block:: none - - vyos@vyos:~$ show flow-accounting interface eth0 - IN_IFACE SRC_MAC DST_MAC SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL TOS PACKETS FLOWS BYTES - ---------- ----------------- ----------------- ------------------------ --------------- ---------- ---------- ---------- ----- --------- ------- ------- - eth0 00:53:01:a8:28:ac ff:ff:ff:ff:ff:ff 192.0.2.2 255.255.255.255 5678 5678 udp 0 1 1 178 - eth0 00:53:01:b2:2f:34 33:33:ff:00:00:00 fe80::253:01ff:feb2:2f34 ff02::1:ff00:0 0 0 ipv6-icmp 0 2 1 144 - eth0 00:53:01:1a:b4:53 33:33:ff:00:00:00 fe80::253:01ff:fe1a:b453 ff02::1:ff00:0 0 0 ipv6-icmp 0 1 1 72 - eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40152 22 tcp 16 39 1 2064 - eth0 00:53:01:c8:33:af ff:ff:ff:ff:ff:ff 192.0.2.3 255.255.255.255 5678 5678 udp 0 1 1 154 - eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40006 22 tcp 16 146 1 9444 - eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 0 0 icmp 192 27 1 4455 - -.. opcmd:: show flow-accounting interface <interface> host <address> - - Show flow accounting information for given `<interface>` for a specific host - only. - - .. code-block:: none - - vyos@vyos:~$ show flow-accounting interface eth0 host 192.0.2.14 - IN_IFACE SRC_MAC DST_MAC SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL TOS PACKETS FLOWS BYTES - ---------- ----------------- ----------------- ----------- ---------- ---------- ---------- ---------- ----- --------- ------- ------- - eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40006 22 tcp 16 197 2 12940 - eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40152 22 tcp 16 94 1 4924 - eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 0 0 icmp 192 36 1 5877 diff --git a/docs/system/host-information.rst b/docs/system/host-information.rst deleted file mode 100644 index 30efe01e..00000000 --- a/docs/system/host-information.rst +++ /dev/null @@ -1,63 +0,0 @@ -.. _host-information: - -################ -Host Information -################ - -This section describes the system's host information and how to configure them, -it covers the following topics: - -* Host name -* Domain -* IP address -* Aliases - -Hostname -======== - -A hostname is the label (name) assigned to a network device (a host) on a -network and is used to distinguish one device from another on specific networks -or over the internet. On the other hand this will be the name which appears on -the command line prompt. - -.. cfgcmd:: set system host-name <hostname> - - Set system hostname. The hostname can be up to 63 characters. A hostname - must start and end with a letter or digit, and have as interior characters - only letters, digits, or a hyphen. - - The default hostname used is `vyos`. - -Domain Name -=========== - -A domain name is the label (name) assigned to a computer network and is thus -unique. VyOS appends the domain name as a suffix to any unqualified name. For -example, if you set the domain name `example.com`, and you would ping the -unqualified name of `crux`, then VyOS qualifies the name to `crux.example.com`. - -.. cfgcmd:: set system domain-name <domain> - - Configure system domain name. A domain name must start and end with a letter - or digit, and have as interior characters only letters, digits, or a hyphen. - -Static Hostname Mapping -======================= - -How an IP address is assigned to an interface in :ref:`ethernet-interface`. -This section shows how to statically map an IP address to a hostname for local -(meaning on this VyOS instance) name resolution. - -.. cfgcmd:: set system static-host-mapping host-name <hostname> inet <address> - - Create a static hostname mapping which will always resolve the name - `<hostname>` to IP address `<address>`. - - -.. cfgcmd:: set system static-host-mapping host-name <hostname> alias <alias> - - Create named `<alias>` for the configured static mapping for `<hostname>`. - Thus the address configured as :cfgcmd:`set system static-host-mapping - host-name <hostname> inet <address>` can be reached via multiple names. - - Multiple aliases can pe specified per host-name. diff --git a/docs/system/lcd.rst b/docs/system/lcd.rst deleted file mode 100644 index 441becf5..00000000 --- a/docs/system/lcd.rst +++ /dev/null @@ -1,45 +0,0 @@ -.. _system-display: - -******************** -System Display (LCD) -******************** - -The system LCD :abbr:`LCD (Liquid-crystal display)` option is for users running -VyOS on hardware that features an LCD display. This is typically a small display -built in an 19 inch rack-mountable appliance. Those displays are used to show -runtime data. - -To configure your LCD display you must first identify the used hardware, and -connectivity of the display to your system. This can be any serial port -(`ttySxx`) or serial via USB or even old parallel port interfaces. - -Configuration -============= - -.. cfgcmd:: set system lcd device <device> - - This is the name of the physical interface used to connect to your LCD - display. Tab completion is supported and it will list you all available - serial interface. - - For serial via USB port information please refor to: :ref:`hardware_usb`. - -.. cfgcmd:: set system lcd model <model> - - This is the LCD model used in your system. - - At the time of this writing the following displays are supported: - - * Crystalfontz CFA-533 - - * Crystalfontz CFA-631 - - * Crystalfontz CFA-633 - - * Crystalfontz CFA-635 - - .. note:: We can't support all displays from the beginning. If your display - type is missing, please create a feature request via Phabricator_. - -.. include:: ../common-references.rst - diff --git a/docs/system/ntp.rst b/docs/system/ntp.rst deleted file mode 100644 index 223447f5..00000000 --- a/docs/system/ntp.rst +++ /dev/null @@ -1,77 +0,0 @@ -.. _ntp: - -### -NTP -### - -:abbr:`NTP (Network Time Protocol`) is a networking protocol for clock -synchronization between computer systems over packet-switched, variable-latency -data networks. In operation since before 1985, NTP is one of the oldest Internet -protocols in current use. - -NTP is intended to synchronize all participating computers to within a few -milliseconds of :abbr:`UTC (Coordinated Universal Time)`. It uses the -intersection algorithm, a modified version of Marzullo's algorithm, to select -accurate time servers and is designed to mitigate the effects of variable -network latency. NTP can usually maintain time to within tens of milliseconds -over the public Internet, and can achieve better than one millisecond accuracy -in local area networks under ideal conditions. Asymmetric routes and network -congestion can cause errors of 100 ms or more. - -The protocol is usually described in terms of a client-server model, but can as -easily be used in peer-to-peer relationships where both peers consider the other -to be a potential time source. Implementations send and receive timestamps using -:abbr:`UDP (User Datagram Protocol)` on port number 123. - -NTP supplies a warning of any impending leap second adjustment, but no -information about local time zones or daylight saving time is transmitted. - -The current protocol is version 4 (NTPv4), which is a proposed standard as -documented in :rfc:`5905`. It is backward compatible with version 3, specified -in :rfc:`1305`. - -Configuration -============= - -.. cfgcmd:: set system ntp server <address> - - Configure one or more servers for synchronisation. Server name can be either - an IP address or :abbr:`FQDN (Fully Qualified Domain Name)`. - - There are 3 default NTP server set. You are able to change them. - - * ``0.pool.ntp.org`` - * ``1.pool.ntp.org`` - * ``2.pool.ntp.org`` - -.. cfgcmd:: set system ntp server <address> <noselect | pool | preempt | prefer> - - Configure one or more attributes to the given NTP server. - - * ``noselect`` marks the server as unused, except for display purposes. The - server is discarded by the selection algorithm. - - * ``pool`` mobilizes persistent client mode association with a number of - remote servers. - - * ``preempt`` a preemptable association is expendable. - - * ``prefer`` marks the server as preferred. All other things being equal, - this host will be chosen for synchronization among a set of correctly - operating hosts. - -.. cfgcmd:: set system ntp listen-address <address> - - NTP process will only listen on the specified IP address. You must specify - the `<address>` and optionally the permitted clients. Multiple listen - addresses can be configured. - -.. cfgcmd:: set system ntp allow-clients address <address> - - List of networks or client addresses permitted to contact this NTP server. - - Multiple networks can be configured. - -.. cfgcmd:: set system ntp vrf <name> - - Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance. diff --git a/docs/system/option.rst b/docs/system/option.rst deleted file mode 100644 index e7661492..00000000 --- a/docs/system/option.rst +++ /dev/null @@ -1,94 +0,0 @@ -.. _system_option: - -####### -Options -####### - -This chapter describe the possibilities of advanced system behavior. - -******* -General -******* - -.. cfgcmd:: set system option ctrl-alt-delete <ignore | reboot | poweroff> - - Action which will be run once the ctrl-alt-del keystroke is received. - -.. cfgcmd:: set system option reboot-on-panic - - Automatically reboot system on kernel panic after 60 seconds. - -.. cfgcmd:: set system option startup-beep - - Play an audible beep to the system speaker when system is ready. - -*********** -HTTP client -*********** - -.. cfgcmd:: set system option http-client source-address <address> - - Several commands utilize curl to initiate transfers. Configure the local - source IPv4/IPv6 address used for all CURL operations. - -.. cfgcmd:: set system option http-client source-interface <interface> - - Several commands utilize curl to initiate transfers. Configure the local - source interface used for all CURL operations. - -.. note:: `source-address` and `source-interface` can not be used at the same time. - -*************** -Keyboard Layout -*************** - -When starting a VyOS live system (the installation CD) the configured keyboard -layout defaults to US. As this might not suite everyones use case you can adjust -the used keyboard layout on the system console. - -.. cfgcmd:: set system option keyboard-layout <us | fr | de | fi | no | dk> - - Change system keyboard layout to given language. - - Defaults to ``us``. - - .. note:: Changing the keymap only has an effect on the system console, using - SSH oder Serial remote access to the device is not affected as the keyboard - layout here corresponds to your access system. - -.. _system_options_performance: - -*********** -Performance -*********** - -As more and more routers run on Hypervisors, expecially with a :abbr:`NOS -(Network Operating System)` as VyOS, it makes fewer and fewer sense to use -static resource bindings like ``smp-affinity`` as present in VyOS 1.2 and -earlier to pin certain interrupt handlers to specific CPUs. - -We now utilize `tuned` for dynamic resource balancing based on profiles. - - .. seealso:: https://access.redhat.com/sites/default/files/attachments/201501-perf-brief-low-latency-tuning-rhel7-v2.1.pdf - -.. cfgcmd:: set system option performance < throughput | latency > - - Configure one of the predefined system performance profiles. - - * ``throughput``: A server profile focused on improving network throughput. - This profile favors performance over power savings by setting ``intel_pstate`` - and ``max_perf_pct=100`` and increasing kernel network buffer sizes. - - It enables transparent huge pages, and uses cpupower to set the performance - cpufreq governor. It also sets ``kernel.sched_min_granularity_ns`` to 10 us, - ``kernel.sched_wakeup_granularity_ns`` to 15 uss, and ``vm.dirty_ratio`` to - 40%. - - * ``latency``: A server profile focused on lowering network latency. - This profile favors performance over power savings by setting ``intel_pstate`` - and ``min_perf_pct=100``. - - It disables transparent huge pages, and automatic NUMA balancing. It also - uses cpupower to set the performance cpufreq governor, and requests a - cpu_dma_latency value of 1. It also sets busy_read and busy_poll times to - 50 us, and tcp_fastopen to 3. diff --git a/docs/system/proxy.rst b/docs/system/proxy.rst deleted file mode 100644 index 8e0339a7..00000000 --- a/docs/system/proxy.rst +++ /dev/null @@ -1,28 +0,0 @@ -.. _system_proxy: - -############ -System Proxy -############ - -Some IT environments require the use of a proxy to connect to the Internet. -Without this configuration VyOS updates could not be installed directly by -using the :opcmd:`add system image` command (:ref:`update_vyos`). - -.. cfgcmd:: set system proxy url <url> - - Set proxy for all connections initiated by VyOS, including HTTP, HTTPS, and - FTP (anonymous ftp). - -.. cfgcmd:: set system proxy port <port> - - Configure proxy port if it does not listen to the default port 80. - -.. cfgcmd:: set system proxy username <username> - - Some proxys require/support the "basic" HTTP authentication scheme as per - :rfc:`7617`, thus a username can be configured. - -.. cfgcmd:: set system proxy password <password> - - Some proxys require/support the "basic" HTTP authentication scheme as per - :rfc:`7617`, thus a password can be configured. diff --git a/docs/system/serial-console.rst b/docs/system/serial-console.rst deleted file mode 100644 index 4a750ada..00000000 --- a/docs/system/serial-console.rst +++ /dev/null @@ -1,43 +0,0 @@ -.. _serial-console: - -############## -Serial Console -############## - -For the average user a serial console has no advantage over a console offered -by a directly attached keyboard and screen. Serial consoles are much slower, -taking up to a second to fill a 80 column by 24 line screen. Serial consoles -generally only support non-proportional ASCII text, with limited support for -languages other than English. - -There are some scenarios where serial consoles are useful. System administration -of remote computers is usually done using :ref:`ssh`, but there are times when -access to the console is the only way to diagnose and correct software failures. -Major upgrades to the installed distribution may also require console access. - - -.. cfgcmd:: set system console device <device> - - Defines the specified device as a system console. Available console devices - can be (see completion helper): - - * ``ttySN`` - Serial device name - * ``ttyUSBX`` - USB Serial device name - * ``hvc0`` - Xen console - -.. cfgcmd:: set system console device <device> speed <speed> - - The speed (baudrate) of the console device. Supported values are: - - * ``1200`` - 1200 bps - * ``2400`` - 2400 bps - * ``4800`` - 4800 bps - * ``9600`` - 9600 bps - * ``19200`` - 19,200 bps - * ``38400`` - 38,400 bps (default for Xen console) - * ``57600`` - 57,600 bps - * ``115200`` - 115,200 bps (default for serial console) - - .. note:: If you use a USB to serial converter please note that most of them - use software emulation without flow control, thus you should start with a - common baud rate of 9600 as otherwise you could get diff --git a/docs/system/syslog.rst b/docs/system/syslog.rst deleted file mode 100644 index 3449c15b..00000000 --- a/docs/system/syslog.rst +++ /dev/null @@ -1,226 +0,0 @@ -.. _syslog: - -###### -Syslog -###### - -Per default VyOSs has minimal syslog logging enabled which is stored and -rotated locally. Errors will be always logged to a local file, which includes -`local7` error messages, emergency messages will be sent to the console, too. - -To configure syslog, you need to switch into configuration mode. - -Logging -======= - -Syslog supports logging to multiple targets, those targets could be a plain -file on your VyOS installation itself, a serial console or a remote syslog -server which is reached via :abbr:`IP (Internet Protocol)` UDP/TCP. - -Console -------- - -.. cfgcmd:: set system syslog console facility <keyword> level <keyword> - -Log syslog messages to ``/dev/console``, for an explanation on -:ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords -see tables below. - - -Custom File ------------ - -.. cfgcmd:: set system syslog file <filename> facility <keyword> level <keyword> - -Log syslog messages to file specified via `<filename>`, for en explanation on -:ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see -tables below. - -.. cfgcmd:: set system syslog file <filename> archive size <size> - -Syslog will write `<size>` kilobytes into the file specified by `<filename>`. -After this limit has been reached, the custom file is "rotated" by logrotate -and a new custom file is created. - -.. cfgcmd:: set system syslog file <filename> archive file <number> - -Syslog uses logrotate to rotate logiles after a number of gives bytes. We keep -as many as `<number>` rotated file before they are deleted on the system. - - -Remote Host ------------ - -Logging to a remote host leaves the local logging configuration intact, it -can be configured in parallel to a custom file or console logging. You can log -to multiple hosts at the same time, using either TCP or UDP. The default is -sending the messages via port 514/UDP. - - -.. cfgcmd:: set system syslog host <address> facility <keyword> level <keyword> - -Log syslog messages to remote host specified by `<address>`. The address can be -specified by either FQDN or IP address. For en explanation on -:ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see -tables below. - - -.. cfgcmd:: set system syslog host <address> facility <keyword> protocol <udp|tcp> - -Configure protocol used for communication to remote syslog host. This can be -either UDP or TCP. - - -Local User Account ------------------- - -.. cfgcmd:: set system syslog user <username> facility <keyword> level <keyword> - -If logging to a local user account is configured, all defined log messages are -display on the console if the local user is logged in, if the user is not -logged in, no messages are being displayed. For en explanation on -:ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see -tables below. - -.. _syslog_facilities: - -Facilities -========== - -List of facilities used by syslog. Most facilities names are self explanatory. -Facilities local0 - local7 common usage is f.e. as network logs facilities for -nodes and network equipment. Generally it depends on the situation how to -classify logs and put them to facilities. See facilities more as a tool rather -than a directive to follow. - -Facilities can be adjusted to meet the needs of the user: - -+----------+----------+----------------------------------------------------+ -| Facility | Keyword | Description | -| Code | | | -+==========+==========+====================================================+ -| | all | All facilities | -+----------+----------+----------------------------------------------------+ -| 0 | kern | Kernel messages | -+----------+----------+----------------------------------------------------+ -| 1 | user | User-level messages | -+----------+----------+----------------------------------------------------+ -| 2 | mail | Mail system | -+----------+----------+----------------------------------------------------+ -| 3 | daemon | System daemons | -+----------+----------+----------------------------------------------------+ -| 4 | auth | Security/authentication messages | -+----------+----------+----------------------------------------------------+ -| 5 | syslog | Messages generated internally by syslogd | -+----------+----------+----------------------------------------------------+ -| 6 | lpr | Line printer subsystem | -+----------+----------+----------------------------------------------------+ -| 7 | news | Network news subsystem | -+----------+----------+----------------------------------------------------+ -| 8 | uucp | UUCP subsystem | -+----------+----------+----------------------------------------------------+ -| 9 | cron | Clock daemon | -+----------+----------+----------------------------------------------------+ -| 10 | security | Security/authentication messages | -+----------+----------+----------------------------------------------------+ -| 11 | ftp | FTP daemon | -+----------+----------+----------------------------------------------------+ -| 12 | ntp | NTP subsystem | -+----------+----------+----------------------------------------------------+ -| 13 | logaudit | Log audit | -+----------+----------+----------------------------------------------------+ -| 14 | logalert | Log alert | -+----------+----------+----------------------------------------------------+ -| 15 | clock | clock daemon (note 2) | -+----------+----------+----------------------------------------------------+ -| 16 | local0 | local use 0 (local0) | -+----------+----------+----------------------------------------------------+ -| 17 | local1 | local use 1 (local1) | -+----------+----------+----------------------------------------------------+ -| 18 | local2 | local use 2 (local2) | -+----------+----------+----------------------------------------------------+ -| 19 | local3 | local use 3 (local3) | -+----------+----------+----------------------------------------------------+ -| 20 | local4 | local use 4 (local4) | -+----------+----------+----------------------------------------------------+ -| 21 | local5 | local use 5 (local5) | -+----------+----------+----------------------------------------------------+ -| 22 | local6 | use 6 (local6) | -+----------+----------+----------------------------------------------------+ -| 23 | local7 | local use 7 (local7) | -+----------+----------+----------------------------------------------------+ - -.. _syslog_severity_level: - -Severity Level -============== - -+-------+---------------+---------+-------------------------------------------+ -| Value | Severity | Keyword | Description | -+=======+===============+=========+===========================================+ -| | | all | Log everything | -+-------+---------------+---------+-------------------------------------------+ -| 0 | Emergency | emerg | System is unusable - a panic condition | -+-------+---------------+---------+-------------------------------------------+ -| 1 | Alert | alert | Action must be taken immediately - A | -| | | | condition that should be corrected | -| | | | immediately, such as a corrupted system | -| | | | database. | -+-------+---------------+---------+-------------------------------------------+ -| 2 | Critical | crit | Critical conditions - e.g. hard drive | -| | | | errors. | -+-------+---------------+---------+-------------------------------------------+ -| 3 | Error | err | Error conditions | -+-------+---------------+---------+-------------------------------------------+ -| 4 | Warning | warning | Warning conditions | -+-------+---------------+---------+-------------------------------------------+ -| 5 | Notice | notice | Normal but significant conditions - | -| | | | conditions that are not error conditions, | -| | | | but that may require special handling. | -+-------+---------------+---------+-------------------------------------------+ -| 6 | Informational | info | Informational messages | -+-------+---------------+---------+-------------------------------------------+ -| 7 | Debug | debug | Debug-level messages - Messages that | -| | | | contain information normally of use only | -| | | | when debugging a program. | -+-------+---------------+---------+-------------------------------------------+ - - -Display Logs -============ - -.. opcmd:: show log [all | authorization | cluster | conntrack-sync | ...] - -Display log files of given category on the console. Use tab completion to get -a list of available categories. Thos categories could be: all, authorization, -cluster, conntrack-sync, dhcp, directory, dns, file, firewall, https, image -lldp, nat, openvpn, snmp, tail, vpn, vrrp - -If no option is specified, this defaults to `all`. - -.. opcmd:: show log image <name> [all | authorization | directory | file <file name> | tail <lines>] - -Log messages from a specified image can be displayed on the console. Details of -allowed parameters: - -.. list-table:: - :widths: 25 75 - :header-rows: 0 - - * - all - - Display contents of all master log files of the specified image - * - authorization - - Display all authorization attempts of the specified image - * - directory - - Display list of all user-defined log files of the specified image - * - file <file name> - - Display contents of a specified user-defined log file of the specified image - * - tail - - Display last lines of the system log of the specified image - * - <lines> - - Number of lines to be displayed, default 10 - -When no options/parameters are used, the contents of the main syslog file are -displayed. - -.. hint:: Use ``show log | strip-private`` if you want to hide private data when sharing your logs. diff --git a/docs/system/system-dns.rst b/docs/system/system-dns.rst deleted file mode 100644 index 59cfdb5d..00000000 --- a/docs/system/system-dns.rst +++ /dev/null @@ -1,69 +0,0 @@ -.. _system-dns: - -########## -System DNS -########## - - -This section describes configuring DNS on the system, namely: - - * DNS name servers - * Domain search order - - -DNS name servers -================ - -.. cfgcmd:: set system name-server <address> - - Use this command to specify a DNS server for the system to be used - for DNS lookups. More than one DNS server can be added, configuring - one at a time. Both IPv4 and IPv6 addresses are supported. - - - -Example -------- - -In this example, some *OpenNIC* servers are used, two IPv4 addresses -and two IPv6 addresses: - - -.. code-block:: none - - set system name-server 176.9.37.132 - set system name-server 195.10.195.195 - set system name-server 2a01:4f8:161:3441::1 - set system name-server 2a00:f826:8:2::195 - - -Domain search order -=================== - -In order for the system to use and complete unqualified host names, a -list can be defined which will be used for domain searches. - - -.. cfgcmd:: set system domain-search domain <domain> - - Use this command to define domains, one at a time, so that the system - uses them to complete unqualified host names. Maximum: 6 entries. - - -.. note:: Domain names can include letters, numbers, hyphens and periods - with a maximum length of 253 characters. - - -Example -------- - -The system is configured to attempt domain completion in the following -order: vyos.io (first), vyos.net (second) and vyos.network (last): - - -.. code-block:: none - - set system domain-search domain vyos.io - set system domain-search domain vyos.net - set system domain-search domain vyos.network - diff --git a/docs/system/task-scheduler.rst b/docs/system/task-scheduler.rst deleted file mode 100644 index 382da39f..00000000 --- a/docs/system/task-scheduler.rst +++ /dev/null @@ -1,40 +0,0 @@ -.. _task-scheduler: - -############## -Task Scheduler -############## - -The task scheduler allows you to execute tasks on a given schedule. It makes -use of UNIX cron_. - -.. note:: All scripts excecuted this way are executed as root user - this may - be dangerous. Together with :ref:`command-scripting` this can be used for - automating (re-)configuration. - -.. cfgcmd:: set system task-scheduler task <task> interval <interval> - - Specify the time interval when `<task>` should be executed. The interval - is specified as number with one of the following suffixes: - - * ``none`` - Execution interval in minutes - * ``m`` - Execution interval in minutes - * ``h`` - Execution interval in hours - * ``d`` - Execution interval in days - - .. note:: If suffix is omitted, minutes are implied. - -.. cfgcmd:: set system task-scheduler task <task> crontab-spec <spec> - - Set execution time in common cron_ time format. A cron `<spec>` of - ``30 */6 * * *`` would execute the `<task>` at minute 30 past every 6th hour. - -.. cfgcmd:: set system task-scheduler task <task> executable path <path> - - Specify absolute `<path>` to script which will be run when `<task>` is - executed. - -.. cfgcmd:: set system task-scheduler task <task> executable arguments <args> - - Arguments which will be passed to the executable. - -.. _cron: https://en.wikipedia.org/wiki/Cron diff --git a/docs/system/time-zone.rst b/docs/system/time-zone.rst deleted file mode 100644 index 025c4376..00000000 --- a/docs/system/time-zone.rst +++ /dev/null @@ -1,18 +0,0 @@ -.. _timezone: - -######### -Time Zone -######### - -Time Zone setting is very important as e.g all your logfile entries will be -based on the configured zone. Without proper time zone configuration it will -be very difficult to compare logfiles from different systems. - -.. cfgcmd:: set system time-zone <timezone> - - Specify the systems `<timezone>` as the Region/Location that best defines - your location. For example, specifying US/Pacific sets the time zone to US - Pacific time. - - Command completion can be used to list available time zones. The adjustment - for daylight time will take place automatically based on the time of year.
\ No newline at end of file diff --git a/docs/system/user-management.rst b/docs/system/user-management.rst deleted file mode 100644 index 6d89735f..00000000 --- a/docs/system/user-management.rst +++ /dev/null @@ -1,160 +0,0 @@ -.. _user_management: - -############### -User Management -############### - -The default VyOS user account (`vyos`), as well as newly created user accounts, -have all capabilities to configure the system. All accounts have sudo -capabilities and therefore can operate as root on the system. - -Both local administered and remote administered :abbr:`RADIUS (Remote -Authentication Dial-In User Service)` accounts are supported. - -Local -===== - -.. cfgcmd:: set system login user <name> full-name "<string>" - - Create new system user with username `<name>` and real-name specified by - `<string>`. - -.. cfgcmd:: set system login user <name> authentication plaintext-password <password> - - Specify the plaintext password user by user `<name>` on this system. The - plaintext password will be automatically transferred into a secure hashed - password and not saved anywhere in plaintext. - -.. cfgcmd:: set system login user <name> authentication encrypted-password <password> - - Setup encrypted password for given username. This is useful for - transferring a hashed password from system to system. - -.. _ssh_key_based_authentication: - -Key Based Authentication ------------------------- - -It is highly recommended to use SSH key authentication. By default there is -only one user (``vyos``), and you can assign any number of keys to that user. -You can generate a ssh key with the ``ssh-keygen`` command on your local -machine, which will (by default) save it as ``~/.ssh/id_rsa.pub``. - -Every SSH key comes in three parts: - -``ssh-rsa AAAAB3NzaC1yc2EAAAABAA...VBD5lKwEWB username@host.example.com`` - -Only the type (``ssh-rsa``) and the key (``AAAB3N...``) are used. Note that the -key will usually be several hundred characters long, and you will need to copy -and paste it. Some terminal emulators may accidentally split this over several -lines. Be attentive when you paste it that it only pastes as a single line. -The third part is simply an identifier, and is for your own reference. - -.. cfgcmd:: set system login user <username> authentication public-keys <identifier> key <key> - - Assign the SSH public key portion `<key>` identified by per-key - `<identifier>` to the local user `<username>`. - -.. cfgcmd:: set system login user <username> authentication public-keys <identifier> type <type> - - Every SSH public key portion referenced by `<identifier>` requires the - configuration of the `<type>` of public-key used. This type can be any of: - - * ``ecdsa-sha2-nistp256`` - * ``ecdsa-sha2-nistp384`` - * ``ecdsa-sha2-nistp521`` - * ``ssh-dss`` - * ``ssh-ed25519`` - * ``ssh-rsa`` - - .. note:: You can assign multiple keys to the same user by using a unique - identifier per SSH key. - -.. cfgcmd:: loadkey <username> <location> - - SSH keys can not only be specified on the command-line but also loaded for - a given user with `<username>` from a file pointed to by `<location>.` Keys - can be either loaded from local filesystem or any given remote location - using one of the following :abbr:`URIs (Uniform Resource Identifier)`: - - * ``<file>`` - Load from file on local filesystem path - * ``scp://<user>@<host>:/<file>`` - Load via SCP from remote machine - * ``sftp://<user>@<host>/<file>`` - Load via SFTP from remote machine - * ``ftp://<user>@<host>/<file>`` - Load via FTP from remote machine - * ``http://<host>/<file>`` - Load via HTTP from remote machine - * ``tftp://<host>/<file>`` - Load via TFTP from remote machine - -Example -------- - -In the following example, both `User1` and `User2` will be able to SSH into -VyOS as user ``vyos`` using their very own keys. - -.. code-block:: none - - set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW" - set system login user vyos authentication public-keys 'User1' type ssh-rsa - set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3" - set system login user vyos authentication public-keys 'User2' type ssh-rsa - - -RADIUS -====== - -In large deployments it is not reasonable to configure each user individually -on every system. VyOS supports using :abbr:`RADIUS (Remote Authentication -Dial-In User Service)` servers as backend for user authentication. - -Configuration -------------- - -.. cfgcmd:: set system login radius server <address> secret <secret> - - Specify the `<address>` of the RADIUS server user with the pre-shared-secret - given in `<secret>`. Multiple servers can be specified. - -.. cfgcmd:: set system login radius server <address> port <port> - - Configure the discrete port under which the RADIUS server can be reached. - This defaults to 1812. - -.. cfgcmd:: set system login radius server <address> timeout <timeout> - - Setup the `<timeout>` in seconds when querying the RADIUS server. - -.. cfgcmd:: set system login radius server <address> disable - - Temporary disable this RADIUS server. It won't be queried. - -.. cfgcmd:: set system login radius source-address <address> - - RADIUS servers could be hardened by only allowing certain IP addresses to - connect. As of this the source address of each RADIUS query can be - configured. If this is not set, incoming connections to the RADIUS server - will use the nearest interface address pointing towards the server - making - it error prone on e.g. OSPF networks when a link fails and a backup route is - taken. - -.. hint:: If you want to have admin users to authenticate via RADIUS it is - essential to sent the ``Cisco-AV-Pair shell:priv-lvl=15`` attribute. Without - the attribute you will only get regular, non privilegued, system users. - - - -Login Banner -============ - -You are able to set post-login or pre-login banner messages to display certain -information for this system. - -.. cfgcmd:: set system login banner pre-login <message> - - Configure `<message>` which is shown during SSH connect and before a user is - logged in. - -.. cfgcmd:: set system login banner post-login <message> - - Configure `<message>` which is shown after user has logged in to the system. - -.. note:: To create a new line in your login message you need to escape the new - line character by using ``\\n``. |