Diffstat (limited to 'docs/configuration')
-rw-r--r--docs/configuration/container/index.rst143
-rw-r--r--docs/configuration/firewall/index.rst60
-rw-r--r--docs/configuration/index.rst3
-rw-r--r--docs/configuration/service/ssh.rst30
-rw-r--r--docs/configuration/system/login.rst4
5 files changed, 210 insertions, 30 deletions
diff --git a/docs/configuration/container/index.rst b/docs/configuration/container/index.rst
new file mode 100644
index 00000000..520031d8
--- /dev/null
+++ b/docs/configuration/container/index.rst
@@ -0,0 +1,143 @@
+.. include:: /_include/need_improvement.txt
+
+.. _container:
+
+#########
+Container
+#########
+
+*************
+Configuration
+*************
+
+.. cfgcmd:: set container <name>
+
+ Set an named container.
+
+.. cfgcmd:: set container network <networkname>
+
+ Creates a named container network
+
+.. cfgcmd:: set container registry <name>
+
+ Adds registry to list of unqualified-search-registries. By default, for any
+ image that does not include the registry in the image name, Vyos will use
+ docker.io as the container registry.
+
+.. cfgcmd:: set container <name> image
+
+ Sets the image name in the hub registry
+
+ .. code-block:: none
+
+ set container name mysql-server image mysql:8.0
+
+ If a registry is not specefied, Docker.io will be used as the container
+ registry unless an alternative registry is specefied using
+ **set container registry <name>** or the registry is included in the image name
+
+ .. code-block:: none
+
+ set container name mysql-server image quay.io/mysql:8.0
+
+.. cfgcmd:: set container <name> allow-host-networks
+
+ Allow host networking in container. The network stack of the container is
+ not isolated from the host and will use the host IP.
+
+ The following commands translates to "--net host" when the container is created
+
+ .. note:: **allow-host-networks** cannot be used with **network**
+
+.. cfgcmd:: set container <name> description <text>
+
+ Sets the container description
+
+.. cfgcmd:: set container <name> environment '<key>' value '<value>'
+
+ Adds a custom environment variables. Multiple enviroment variables are allowed. The following commands translates to "-e key=value" when container is created.
+
+ .. code-block:: none
+
+ set container name mysql-server environment 'MYSQL_DATABASE' value 'zabbix'
+ set container name mysql-server environment 'MYSQL_USER' value 'zabbix'
+ set container name mysql-server environment 'MYSQL_PASSWORD' value 'zabbix_pwd'
+ set container name mysql-server environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd'
+
+.. cfgcmd:: set container <name> network <networkname>
+
+ Attaches user defined network to container. Only one network must be specefied and must already exist.
+
+ Optionally a specific static IPv4 or IPv6 address can be set for the container. This address must be within the named network.
+
+ .. code-block:: none
+
+ set container <name> network <networkname> address <address>
+
+ .. note:: The first IP in the container network is reserved by the engine and cannot be used
+
+.. cfgcmd:: set container <name> port <portname> [source | destination ] <portnumber>
+
+ Publishes a port for the container
+
+ .. code-block:: none
+
+ set container name zabbix-web-nginx-mysql port http source 80
+ set container name zabbix-web-nginx-mysql port http destination 8080
+
+.. cfgcmd:: set container <name> volume <volumename> [source | destination ] <path>
+
+ Mount a volume into the container
+
+ .. code-block:: none
+
+ set container name coredns volume 'corefile' source /config/coredns/Corefile
+ set container name coredns volume 'corefile' destination /etc/Corefile
+
+*********************
+Example Configuration
+*********************
+
+ For the sake of demonstration, `example #1 in the official documentation <https://www.zabbix.com/documentation/current/manual/installation/containers>`_ to the declarative VyOS CLI syntax.
+
+ .. code-block:: none
+
+ set container network zabbix-net prefix 172.20.0.0/16
+ set container network zabbix-net description 'Network for Zabbix component containers'
+
+ set container name mysql-server image mysql:8.0
+ set container name mysql-server network zabbix-net
+
+ set container name mysql-server environment 'MYSQL_DATABASE' value 'zabbix'
+ set container name mysql-server environment 'MYSQL_USER' value 'zabbix'
+ set container name mysql-server environment 'MYSQL_PASSWORD' value 'zabbix_pwd'
+ set container name mysql-server environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd'
+
+ set container name zabbix-java-gateway image zabbix/zabbix-java-gateway:alpine-5.2-latest
+ set container name zabbix-java-gateway network zabbix-net
+
+ set container name zabbix-server-mysql image zabbix/zabbix-server-mysql:alpine-5.2-latest
+ set container name zabbix-server-mysql network zabbix-net
+
+ set container name zabbix-server-mysql environment 'DB_SERVER_HOST' value 'mysql-server'
+ set container name zabbix-server-mysql environment 'MYSQL_DATABASE' value 'zabbix'
+ set container name zabbix-server-mysql environment 'MYSQL_USER' value 'zabbix'
+ set container name zabbix-server-mysql environment 'MYSQL_PASSWORD' value 'zabbix_pwd'
+ set container name zabbix-server-mysql environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd'
+ set container name zabbix-server-mysql environment 'ZBX_JAVAGATEWAY' value 'zabbix-java-gateway'
+
+ set container name zabbix-server-mysql port zabbix source 10051
+ set container name zabbix-server-mysql port zabbix destination 10051
+
+ set container name zabbix-web-nginx-mysql image zabbix/zabbix-web-nginx-mysql:alpine-5.2-latest
+ set container name zabbix-web-nginx-mysql network zabbix-net
+
+ set container name zabbix-web-nginx-mysql environment 'MYSQL_DATABASE' value 'zabbix'
+ set container name zabbix-web-nginx-mysql environment 'ZBX_SERVER_HOST' value 'zabbix-server-mysql'
+ set container name zabbix-web-nginx-mysql environment 'DB_SERVER_HOST' value 'mysql-server'
+ set container name zabbix-web-nginx-mysql environment 'MYSQL_USER' value 'zabbix'
+ set container name zabbix-web-nginx-mysql environment 'MYSQL_PASSWORD' value 'zabbix_pwd'
+ set container name zabbix-web-nginx-mysql environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd'
+
+ set container name zabbix-web-nginx-mysql port http source 80
+ set container name zabbix-web-nginx-mysql port http destination 8080 \ No newline at end of file
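Review bot: the cfgcmd directives in this new file do not match the syntax every example uses: the directives read `set container <name> image`, `set container <name> network <networkname>` and so on, while the examples read `set container name mysql-server image mysql:8.0`; either the directives need the `name` keyword (`set container name <name> ...`) or the examples are wrong. In the same way `set container network <networkname>` is documented without its `prefix` and `description` options, yet the example configuration relies on `set container network zabbix-net prefix 172.20.0.0/16`. Also: "specefied" appears three times (should be "specified"), "enviroment" should be "environment", "Set an named container" should be "Set a named container", "Adds a custom environment variables" should be "Adds a custom environment variable", "The following commands translates" should be "The following command translates", and "Vyos" should be "VyOS". The sentence "For the sake of demonstration, example #1 in the official documentation ... to the declarative VyOS CLI syntax." is missing its verb (e.g. "... is translated to ..."). Since the examples place database passwords in `environment ... value` settings, it would help readers to state that these values are stored in the saved configuration like any other setting. Finally, the file has no trailing newline.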
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst
index 667a4653..d52d6f2a 100644
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-06-29
+
.. _firewall:
########
@@ -29,7 +31,7 @@ or zone based firewall policy.
Global settings
***************
-Some firewall settings are global and have a affect on the whole system.
+Some firewall settings are global and have an affect on the whole system.
.. cfgcmd:: set firewall all-ping [enable | disable]
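Review bot: the changed line still uses the wrong word; "have an affect" should be "have an effect" (or simply "affect the whole system"): `Some firewall settings are global and have an effect on the whole system.`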
@@ -89,7 +91,7 @@ Some firewall settings are global and have a affect on the whole system.
.. cfgcmd:: set firewall send-redirects [enable | disable]
- enable or disable of ICMPv4 redirect messages send by VyOS
+ enable or disable ICMPv4 redirect messages send by VyOS
The following system parameter will be altered:
* ``net.ipv4.conf.all.send_redirects``
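Review bot: "send by VyOS" should be "sent by VyOS" in the changed line: `enable or disable ICMPv4 redirect messages sent by VyOS`.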
@@ -127,7 +129,7 @@ Some firewall settings are global and have a affect on the whole system.
.. cfgcmd:: set firewall state-policy established log enable
- Set the global setting for a established connections.
+ Set the global setting for an established connection.
.. cfgcmd:: set firewall state-policy invalid action [accept | drop | reject]
@@ -163,8 +165,8 @@ names.
Address Groups
==============
-In a **address group** a single IP adresses or IP address ranges are
-definded.
+In an **address group** a single IP address or IP address ranges are
+defined.
.. cfgcmd:: set firewall group address-group <name> address [address |
address range]
@@ -221,7 +223,7 @@ filtering unnecessary ports. Ranges of ports can be specified by using
.. cfgcmd:: set firewall group port-group <name> port
[portname | portnumber | startport-endport]
- Define a port group. A port name are any name defined in
+ Define a port group. A port name can be any name defined in
/etc/services. e.g.: http
.. code-block:: none
@@ -240,10 +242,10 @@ Rule-Sets
*********
A rule-set is a named collection of firewall rules that can be applied
-to an interface or zone. Each rule is numbered, has an action to apply
+to an interface or a zone. Each rule is numbered, has an action to apply
if the rule is matched, and the ability to specify the criteria to
match. Data packets go through the rules from 1 - 9999, at the first match
-the action of the rule will executed.
+the action of the rule will be executed.
.. cfgcmd:: set firewall name <name> description <text>
.. cfgcmd:: set firewall ipv6-name <name> description <text>
@@ -267,7 +269,7 @@ the action of the rule will executed.
.. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> action [drop | reject |
accept]
- This required setting define the action of the current rule.
+ This required setting defines the action of the current rule.
.. cfgcmd:: set firewall name <name> rule <1-9999> description <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> description <text>
@@ -287,7 +289,7 @@ the action of the rule will executed.
Matching criteria
=================
-There are a lot of matching criteria gainst which the package can be tested.
+There are a lot of matching criteria against which the package can be tested.
.. cfgcmd:: set firewall name <name> rule <1-9999> source address
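Review bot: "package" should be "packet" in the changed line: `There are a lot of matching criteria against which the packet can be tested.` The same sentence shows up as the header context of the following hunks, so fixing it once in the file covers all of them.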
@@ -299,7 +301,7 @@ There are a lot of matching criteria gainst which the package can be tested.
.. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> destination address
[address | addressrange | CIDR]
- This is similiar to the network groups part, but here you are able to negate
+ This is similar to the network groups part, but here you are able to negate
the matching addresses.
.. code-block:: none
@@ -315,7 +317,7 @@ There are a lot of matching criteria gainst which the package can be tested.
.. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> source mac-address
<mac-address>
- Only in the source criteria you can specify a mac-address
+ Only in the source criteria, you can specify a mac-address.
.. code-block:: none
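Review bot: the added comma makes the sentence read awkwardly; suggest rewording to `A mac-address can only be specified in the source criteria.`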
@@ -331,7 +333,7 @@ There are a lot of matching criteria gainst which the package can be tested.
.. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> destination port
[1-65535 | portname | start-end]
- A port can be set with a portnumber or a name which is here
+ A port can be set with a port number or a name which is here
defined: ``/etc/services``.
.. code-block:: none
@@ -410,9 +412,9 @@ There are a lot of matching criteria gainst which the package can be tested.
set firewall name WAN-IN-v4 rule 13 tcp flags 'SYN,!ACK,!FIN,!RST'
.. cfgcmd:: set firewall name <name> rule <1-9999> state [established |
- invalid | new | related] [enable | disable ]
+ invalid | new | related] [enable | disable]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> state [established |
- invalid | new | related] [enable | disable ]
+ invalid | new | related] [enable | disable]
Match against the state of a packet.
@@ -423,8 +425,8 @@ Applying a Rule-Set to an Interface
A Rule-Set can be applied to every interface:
-* ``in``: Ruleset for forwarded packets on inbound interface
-* ``out``: Ruleset for forwarded packets on outbound interface
+* ``in``: Ruleset for forwarded packets on an inbound interface
+* ``out``: Ruleset for forwarded packets on an outbound interface
* ``local``: Ruleset for packets destined for this router
.. cfgcmd:: set interface ethernet <ethN> firewall [in | out | local]
@@ -451,7 +453,7 @@ Zone-based Firewall Policy
As an alternative to applying policy to an interface directly, a
zone-based firewall can be created to simplify configuration when
multiple interfaces belong to the same security zone. Instead of
-applying rulesets to interfaces, they are applied to source
+applying rule-sets to interfaces, they are applied to source
zone-destination zone pairs.
An basic introduction to zone-based firewalls can be found `here
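Review bot: the trailing context line still reads "An basic introduction"; since this hunk already edits the paragraph, change it to "A basic introduction" in the same change.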
@@ -465,12 +467,12 @@ To define a zone setup either one with interfaces or a local zone.
.. cfgcmd:: set zone-policy zone <name> interface <interfacenames>
- Set a interfaces to a zone. A zone can have multiple interfaces.
- But a interface can only be member in one zone.
+ Set interfaces to a zone. A zone can have multiple interfaces.
+ But an interface can only be a member in one zone.
.. cfgcmd:: set zone-policy zone <name> local-zone
- Define the Zone as a local zone. A local zone have no interfaces and
+ Define the zone as a local zone. A local zone has no interfaces and
will be applied to the router itself.
.. cfgcmd:: set zone-policy zone <name> default-action [drop | reject]
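Review bot: "a member in one zone" reads better as "a member of one zone" on the changed line: `But an interface can only be a member of one zone.`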
@@ -486,14 +488,14 @@ Applying a Rule-Set to a Zone
=============================
Before you are able to apply a rule-set to a zone you have to create the zones
-first.
+first.
.. cfgcmd:: set zone-policy zone <name> from <name> firewall name
<rule-set>
.. cfgcmd:: set zone-policy zone <name> from <name> firewall ipv6-name
<rule-set>
- You apply a rule-set always to a zone from a other zone, it is recommended
+ You apply a rule-set always to a zone from an other zone, it is recommended
to create one rule-set for each zone pair.
.. code-block:: none
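Review bot: "from an other zone" should be "from another zone"; the sentence would also read better restructured, e.g. `A rule-set is always applied to a zone from another zone, so it is recommended to create one rule-set for each zone pair.`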
@@ -577,7 +579,7 @@ Rule-set overview
.. opcmd:: show firewall summary
- This will show you a summary about rule-sets and groups
+ This will show you a summary of rule-sets and groups
.. code-block:: none
@@ -630,7 +632,7 @@ Rule-set overview
.. opcmd:: show firewall [name | ipv6name] <name> rule <1-9999>
- This command will give an overview about a rule in a single rule-set
+ This command will give an overview of a rule in a single rule-set
.. opcmd:: show firewall group <name>
@@ -658,7 +660,7 @@ Rule-set overview
.. opcmd:: show firewall [name | ipv6name] <name>
- This command will give an overview about a single rule-set
+ This command will give an overview of a single rule-set.
.. opcmd:: show firewall [name | ipv6name] <name> statistics
@@ -666,7 +668,7 @@ Rule-set overview
.. opcmd:: show firewall [name | ipv6name] <name> rule <1-9999>
- This command will give an overview about a rule in a single rule-set
+ This command will give an overview of a rule in a single rule-set.
Zone-Policy Overview
@@ -674,7 +676,7 @@ Zone-Policy Overview
.. opcmd:: show zone-policy zone <name>
- Use this command to get an overview about a zone
+ Use this command to get an overview of a zone.
.. code-block:: none
@@ -695,7 +697,7 @@ Show Firewall log
.. opcmd:: show log firewall [name | ipv6name] <name>
- Show the logs of a specific Rule-Set
+ Show the logs of a specific Rule-Set.
.. note::
At the moment it not possible to look at the whole firewall log with VyOS
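Review bot: the trailing context line "At the moment it not possible to look at the whole firewall log with VyOS" is missing "is" ("it is not possible"); worth fixing while this note block is being touched.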
diff --git a/docs/configuration/index.rst b/docs/configuration/index.rst
index bce013cb..0fe481da 100644
--- a/docs/configuration/index.rst
+++ b/docs/configuration/index.rst
@@ -8,6 +8,7 @@ The following structure respresent the cli structure.
:maxdepth: 1
:includehidden:
+ container/index
firewall/index
highavailability/index
interfaces/index
@@ -20,4 +21,4 @@ The following structure respresent the cli structure.
trafficpolicy/index
vpn/index
vrf/index
- zonepolicy/index \ No newline at end of file
+ zonepolicy/index
diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst
index 6b09d40d..40ec62f5 100644
--- a/docs/configuration/service/ssh.rst
+++ b/docs/configuration/service/ssh.rst
@@ -156,3 +156,33 @@ Operation
Two new files ``/config/auth/id_rsa_rpki`` and
``/config/auth/id_rsa_rpki.pub``
will be created.
+
+.. opcmd:: generate public-key-commands name <username> path <location>
+
+ Generate the configuration mode commands to add a public key for
+ :ref:`ssh_key_based_authentication`.
+ ``<location>`` can be a local path or a URL pointing at a remote file.
+
+ Supported remote protocols are FTP, HTTP, HTTPS, SCP/SFTP and TFTP.
+
+ Example:
+
+ .. code-block:: none
+
+ alyssa@vyos:~$ generate public-key-commands name alyssa path sftp://example.net/home/alyssa/.ssh/id_rsa.pub
+ # To add this key as an embedded key, run the following commands:
+ configure
+ set system login user alyssa authentication public-keys alyssa@example.net key AAA...
+ set system login user alyssa authentication public-keys alyssa@example.net type ssh-rsa
+ commit
+ save
+ exit
+
+ ben@vyos:~$ generate public-key-command user ben path ~/.ssh/id_rsa.pub
+ # To add this key as an embedded key, run the following commands:
+ configure
+ set system login user ben authentication public-keys ben@vyos key AAA...
+ set system login user ben authentication public-keys ben@vyos type ssh-dss
+ commit
+ save
+ exit
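Review bot: the second example does not match the documented command: the opcmd is `generate public-key-commands name <username> path <location>`, but the example runs `generate public-key-command user ben path ~/.ssh/id_rsa.pub` (missing the trailing `s`, and `user` instead of `name`). Also, that example's generated output shows `type ssh-dss`; DSA host and user keys are disabled by default in current OpenSSH releases, so an `ssh-rsa` or `ssh-ed25519` key would be a better example than one the SSH server may reject.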
diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst
index 0492f4d1..09b6e68b 100644
--- a/docs/configuration/system/login.rst
+++ b/docs/configuration/system/login.rst
@@ -76,6 +76,10 @@ The third part is simply an identifier, and is for your own reference.
.. cfgcmd:: loadkey <username> <location>
+ **Deprecation notice:** ``loadkey`` has been deprecated in favour of
+ :opcmd:`generate public-key-commands` and will be removed in a future
+ version. See :ref:`ssh`.
+
SSH keys can not only be specified on the command-line but also loaded for
a given user with `<username>` from a file pointed to by `<location>.` Keys
can be either loaded from local filesystem or any given remote location