| -rw-r--r-- | Dockerfile | 27 | ||||
| -rw-r--r-- | README.md | 18 | ||||
| -rw-r--r-- | docker/Dockerfile | 36 | ||||
| -rwxr-xr-x | docker/entrypoint.sh | 32 | ||||
| -rw-r--r-- | docs/conf.py | 4 | ||||
| -rw-r--r-- | docs/services/pppoe-server.rst | 56 | ||||
| -rw-r--r-- | docs/system/index.rst | 6 | ||||
| -rw-r--r-- | docs/system/system-users.rst | 111 | ||||
| -rw-r--r-- | docs/system/systemusers.rst | 56 | 
9 files changed, 244 insertions, 102 deletions
| diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index 929f36a3..00000000 --- a/Dockerfile +++ /dev/null @@ -1,27 +0,0 @@ -# Must be run with --privileged flag -# Recommended to run the container with a volume mapped -# in order to easy exprort images built to "external" world -FROM debian:stretch - -RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \ -    vim \ -    git \ -    mc \ -    make \ -    python3-sphinx \ -    python-sphinx-rtd-theme \ -    latexmk \ -    texlive-latex-recommended \ -    texlive-fonts-recommended \ -    texlive-latex-extra sudo \ -    && rm -rf /var/lib/apt/lists/* - -RUN groupadd -g 1000 debian -RUN useradd -d /home/debian -ms /bin/bash -g 1000 -u 1000 debian && \ -    echo "debian:debian" | chpasswd && \ -    adduser debian sudo - -RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers - -USER debian -WORKDIR ~ @@ -20,22 +20,18 @@ Required Debian Packages:  ## Docker -## Create Container +Using our [Dockerfile](docker/Dockerfile) you create your own Docker container +that is used to build a VyOS documentation. + +## Setup  ```bash -$ docker build -t vyos-docu - < Dockerfile +$ docker build -t vyos-docu docker  ``` -### Build Documentation +### Build  Linux  ```bash -$ docker run -v `pwd`:`pwd` -w `pwd`/docs -i -t --rm vyos-docu bash -``` - -Windows PowerShell -```powershell -docker run -v "$($pwd.path):/vyos" -w "/vyos/docs" -i -t --rm vyos-docu bash +$ docker run --rm -it -v "$(pwd)":/vyos -w /vyos/docs -e GOSU_UID=$(id -u) -e GOSU_GID=$(id -g) vyos-docu make html  ``` - -Inside the container you can then build the documentation as stated above. diff --git a/docker/Dockerfile b/docker/Dockerfile new file mode 100644 index 00000000..06302f2b --- /dev/null +++ b/docker/Dockerfile 
@@ -0,0 +1,36 @@
+# Must be run with --privileged flag
+# Recommended to run the container with a volume mapped
+# in order to easy exprort images built to "external" world
+FROM debian:stretch
+LABEL authors="VyOS Maintainers <maintainers@vyos.io>"
+
+ENV DEBIAN_FRONTEND noninteractive
+
+# Standard shell should be bash not dash
+RUN echo "dash dash/sh boolean false" | debconf-set-selections && \
+    dpkg-reconfigure dash
+
+RUN apt-get update && apt-get install -y \
+    vim \
+    git \
+    mc \
+    make \
+    python3-sphinx \
+    python-sphinx-rtd-theme \
+    latexmk \
+    texlive-latex-recommended \
+    texlive-fonts-recommended \
+    texlive-latex-extra \
+    sudo \
+    gosu
+
+# Cleanup
+RUN rm -rf /var/lib/apt/lists/*
+
+# Allow password-less 'sudo' for all users in group 'sudo'
+RUN sed "s/^%sudo.*/%sudo\tALL=(ALL) NOPASSWD:ALL/g" -i /etc/sudoers && \
+    chmod a+s /usr/sbin/useradd /usr/sbin/groupadd /usr/sbin/gosu /usr/sbin/usermod
+
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
new file mode 100755
index 00000000..8db41103
--- /dev/null
+++ b/docker/entrypoint.sh
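Review bot: `chmod a+s /usr/sbin/useradd /usr/sbin/groupadd /usr/sbin/gosu /usr/sbin/usermod` in the last RUN makes the account-management tools and gosu setuid-root, which nothing here needs — the Dockerfile sets no USER, so entrypoint.sh already runs as root before gosu drops to the build user — and gosu's upstream README, as I recall it, explicitly advises against installing it setuid because it is not hardened for that use. Drop the `&& \` / `chmod a+s …` half of that RUN and keep only the sudoers edit if password-less sudo for the build user is genuinely wanted. The header comment `# Must be run with --privileged flag`, copied from the deleted image-build Dockerfile, no longer holds: a Sphinx/LaTeX build needs no extra capabilities and the README's new `docker run` line does not pass the flag, so the comment only invites users to grant privilege they do not need; replace it with `# No special privileges required; runs as root only until entrypoint.sh drops to the build user via gosu`. Separately, `RUN rm -rf /var/lib/apt/lists/*` in its own layer does not remove the lists from the image (they stay in the preceding apt layer), so fold it into the apt-get RUN as `&& rm -rf /var/lib/apt/lists/*`.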
@@ -0,0 +1,32 @@ +#!/bin/bash +set -e + +USER_NAME="vyos_bld" +NEW_UID=$(stat -c "%u" .) +NEW_GID=$(stat -c "%g" .) + +# Change effective UID to the one specified via "-e GOSU_UID=`id -u $USER`" +if [ -n "$GOSU_UID" ]; then +    NEW_UID=$GOSU_UID +fi + +# Change effective UID to the one specified via "-e GOSU_GID=`id -g $USER`" +if [ -n "$GOSU_GID" ]; then +    NEW_GID=$GOSU_GID +fi + +# Notify user about selected UID/GID +echo "Current UID/GID: $NEW_UID/$NEW_GID" + +# Create UNIX group on the fly if it does not exist +if ! grep -q $NEW_GID /etc/group; then +    groupadd --gid $NEW_GID $USER_NAME +fi + +useradd --shell /bin/bash --uid $NEW_UID --gid $NEW_GID --non-unique --create-home $USER_NAME +usermod --append --groups sudo $USER_NAME +sudo chown $NEW_UID:$NEW_GID /home/$USER_NAME +export HOME=/home/$USER_NAME + +# Execute process +exec /usr/sbin/gosu $USER_NAME "$@" diff --git a/docs/conf.py b/docs/conf.py index e9960a8e..aa76a7d6 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -24,10 +24,10 @@ copyright = u'2018, VyOS maintainers and contributors'  author = u'VyOS maintainers and contributors'  # The short X.Y version -version = u'1.2.0' +version = u'1.3.0'  # The full version, including alpha/beta/rc tags -release = u'1.2.0-beta' +release = u'current'  # -- General configuration --------------------------------------------------- diff --git a/docs/services/pppoe-server.rst b/docs/services/pppoe-server.rst index 1316898e..9c457af5 100644 --- a/docs/services/pppoe-server.rst +++ b/docs/services/pppoe-server.rst 
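Review bot: `if ! grep -q $NEW_GID /etc/group; then` tests the GID as an unanchored substring of every line in /etc/group, so a GID such as 100 is "found" by the entry for GID 1000 (or by any group name containing those digits), groupadd is skipped, and the following `useradd --gid $NEW_GID` then fails and aborts the script under `set -e`. Use the real database lookup instead: `if ! getent group "$NEW_GID" >/dev/null; then`. The `sudo` in `sudo chown $NEW_UID:$NEW_GID /home/$USER_NAME` is redundant — the Dockerfile sets no USER, so the entrypoint is already root at this point and only drops privileges at the final gosu — and `$NEW_UID`/`$NEW_GID` should be quoted throughout. Since GOSU_UID/GOSU_GID are taken straight from the environment, a guard such as `[[ "$NEW_UID" =~ ^[0-9]+$ && "$NEW_GID" =~ ^[0-9]+$ ]] || { echo "GOSU_UID/GOSU_GID must be numeric" >&2; exit 1; }` after the overrides would turn a malformed value into a clear error rather than an opaque useradd failure.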
@@ -33,9 +33,10 @@ Connections can be locally checked via the command  .. code-block:: sh    show pppoe-server sessions -  ifname | username |    calling-sid    |     ip     | type  | comp | state  |  uptime -  -------+----------+-------------------+------------+-------+------+--------+---------- -  ppp0   | foo      | 08:00:27:fa:3e:50 | 10.1.1.100 | pppoe |      | active | 00:04:15 +  ifname | username |     ip     |    calling-sid    | rate-limit  | state  |  uptime  | rx-bytes | tx-bytes  +  -------+----------+------------+-------------------+-------------+--------+----------+----------+---------- +  ppp0   | foo      | 10.1.1.100 | 08:00:27:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B    | 76 B      +  To use a radius server, you need to switch to authentication mode radius and 
@@ -52,5 +53,54 @@ server configured, if you wish to achieve redundancy.  RADIUS provides the IP addresses in the example above via Framed-IP-Address. +Bandwidth Shaping +================= + +Bandwidth rate limits can be set for local users or RADIUS based attributes. + +Local user setup +================ + +The rate-limit is set in kbit/sec. + +.. code-block:: sh + +  set service pppoe-server access-concentrator 'ACN' +  set service pppoe-server authentication local-users username foo password 'bar' +  set service pppoe-server authentication local-users username foo rate-limit download '20480' +  set service pppoe-server authentication local-users username foo rate-limit upload '10240' +  set service pppoe-server authentication mode 'local' +  set service pppoe-server client-ip-pool start '10.1.1.100' +  set service pppoe-server client-ip-pool stop '10.1.1.111' +  set service pppoe-server dns-servers server-1 '10.100.100.1' +  set service pppoe-server dns-servers server-2 '10.100.200.1' +  set service pppoe-server interface 'eth1' +  set service pppoe-server local-ip '10.1.1.2' + + +Once the user is connected, the user session is using the set limits and can be displayed via 'show pppoe-server sessions'. + +.. code-block:: sh + +  show pppoe-server sessions +  ifname | username |     ip     |    calling-sid    | rate-limit  | state  |  uptime  | rx-bytes | tx-bytes +  -------+----------+------------+-------------------+-------------+--------+----------+----------+---------- +  ppp0   | foo      | 10.1.1.100 | 08:00:27:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B    | 76 B + + +RADIUS shaper setup +=================== + +The current attribute 'Filter-ID' is being used as default and can be setup within RADIUS: + +Filter-ID=2000/3000 (means 2000Kbit down-stream rate and 3000Kbit up-stream rate) + +The command below enables it, assuming the RADIUS connection has been setup and is working. + +.. 
code-block:: sh + +  set service pppoe-server authentication radius-settings rate-limit enable + +Other attributes can be used, but they have to be in one of the dictionaries in /usr/share/accel-ppp/radius.  .. _`accel-ppp`: https://accel-ppp.org/ diff --git a/docs/system/index.rst b/docs/system/index.rst index f833bcc8..cea729e3 100644 --- a/docs/system/index.rst +++ b/docs/system/index.rst @@ -10,13 +10,13 @@ should be ready for further configuration which is described in this chapter.  .. toctree::     :maxdepth: 2     :hidden: -    +     eventhandler     flowaccounting     host-information     serialconsole -   systemusers +   system-users     syslog     task-scheduler     config-management -   time-zone
\ No newline at end of file +   time-zone diff --git a/docs/system/system-users.rst b/docs/system/system-users.rst new file mode 100644 index 00000000..a6be5a05 --- /dev/null +++ b/docs/system/system-users.rst 
@@ -0,0 +1,111 @@ +.. _systemusers: + +Login +----- + +The default VyOS user account (`vyos`), as well as newly created user accounts, +have all capabilities to configure the system. All accounts have sudo capabilities +and therefore can operate as root on the system. Setting the level to admin is +optional, all accounts on the system will have admin privileges. + +Both local administered and remote administered RADIUS (Remote Authentication +Dial-In User Service) accounts are supported. + +Local +^^^^^ + +Create user account `jsmith` and the password `mypassword`. + +.. code-block:: sh + +  set system login user jsmith full-name "Johan Smith" +  set system login user jsmith authentication plaintext-password mypassword + +The command: + +.. code-block:: sh + +  show system login + +will show the contents of :code:`system login` configuration node: + +.. code-block:: sh + +  user jsmith { +      authentication { +          encrypted-password $6$0OQHjuQ8M$AYXVn7jufdfqPrSk4/XXsDBw99JBtNsETkQKDgVLptXogHA2bU9BWlvViOFPBoFxIi.iqjqrvsQdQ./cfiiPT. +          plaintext-password "" +      } +      full-name "Johan Smith" +      level admin +  } + +SSH with Public Keys +******************** + +The following command will load the public key `dev.pub` for user `jsmith` + +.. code-block:: sh + +  loadkey jsmith dev.pub + +.. note:: This requires uploading the `dev.pub` public key to the VyOS router +   first. As an alternative you can also load the SSH public key directly +   from a remote system: + +.. code-block:: sh + +  loadkey jsmith scp://devuser@dev001.vyos.net/home/devuser/.ssh/dev.pub + +In addition SSH public keys can be fully added using the CLI. Each key can be +given a unique identifier, `calypso` is used oin the example below to id an SSH +key. + +.. 
code-block:: sh + +  set system login user jsmith authentication public-keys callisto key 'AAAAB3Hso...Q==' +  set system login user jsmith authentication public-keys callisto type 'ssh-rsa' + +RADIUS +^^^^^^ + +VyOS supports using one or more RADIUS servers as backend for user authentication. + +The following command sets up two servers for RADIUS authentication, one with a +discrete timeout of `5` seconds and a discrete port of `1812` and the other using +a default timeout and port. + +.. code-block:: sh + +  set system login radius server 192.168.1.2 secret 's3cr3t0815' +  set system login radius server 192.168.1.2 timeout '5' +  set system login radius server 192.168.1.2 port '1812' +  set system login radius server 192.168.1.3 secret 's3cr3t0816' + +This configuration results in: + +.. code-block:: sh + +  show system login radius +   server 192.168.1.2 { +       secret s3cr3t0815 +       timeout 5 +       port 1812 +   } +   server 192.168.1.3 { +       secret s3cr3t0816 +   } + +RADIUS Source Address +********************* + +If you are using e.g. OSPF as IGP always the nearest interface facing the RADIUS +server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests to a +single source IP e.g. the loopback interface. + +.. code-block:: sh + +  set system login radius source-address 3.3.3.3 + +Above command will use `3.3.3.3` as source IPv4 address for all queries originating +from this NAS. diff --git a/docs/system/systemusers.rst b/docs/system/systemusers.rst deleted file mode 100644 index ef153377..00000000 --- a/docs/system/systemusers.rst +++ /dev/null 
@@ -1,56 +0,0 @@ -.. _systemusers: - -System Users ------------- - -The default vyos user account, as well as newly created user accounts, have all capabilities to configure the system. -All accounts have sudo capabilities and therefore can operate as root on the system. -Setting the level to admin is optional, all accounts on the system  -will have admin privileges. - - -Creating Login User Accounts -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Create user account `jsmith` and the password `mypassword`. - -.. code-block:: sh - -  set system login user jsmith full-name "Johan Smith" -  set system login user jsmith authentication plaintext-password mypassword - -The command: - -.. code-block:: sh - -  show system login - -will show the contents of :code:`system login` configuration node: - -.. code-block:: sh - -  user jsmith { -      authentication { -          encrypted-password $6$0OQHjuQ8M$AYXVn7jufdfqPrSk4/XXsDBw99JBtNsETkQKDgVLptXogHA2bU9BWlvViOFPBoFxIi.iqjqrvsQdQ./cfiiPT. -          plaintext-password "" -      } -      full-name "Johan Smith" -      level admin -  } - -SSH Access using Shared Public Keys -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -The following command will load the public key `dev.pub` for user `jsmith` - -.. code-block:: sh - -  loadkey jsmith dev.pub - -.. note:: This requires uploading the `dev.pub` public key to the VyOS router -   first. As an alternative you can also load the SSH public key directly -   from a remote system: - -.. code-block:: sh - -  loadkey jsmith scp://devuser@dev001.vyos.net/home/devuser/.ssh/dev.pub | 
