Merge pull request #3229 from c-po/multi-vrf

T6192: allow binding SSH to multiple VRF instances

5 files changed, 28 insertions, 15 deletions

diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py
index e967bee71..910a92a7c 100755
--- a/src/conf_mode/container.py
+++ b/src/conf_mode/container.py
@@ -32,6 +32,7 @@ from vyos.utils.file import write_file
 from vyos.utils.process import call
 from vyos.utils.process import cmd
 from vyos.utils.process import run
+from vyos.utils.network import interface_exists
 from vyos.template import bracketize_ipv6
 from vyos.template import inc_ip
 from vyos.template import is_ipv4
@@ -471,7 +472,7 @@ def apply(container):
             # T5147: Networks are started only as soon as there is a consumer.
             # If only a network is created in the first place, no need to assign
             # it to a VRF as there's no consumer, yet.
-            if os.path.exists(f'/sys/class/net/{network_name}'):
+            if interface_exists(network_name):
                 tmp = Interface(network_name)
                 tmp.add_ipv6_eui64_address('fe80::/64')
                 tmp.set_vrf(network_config.get('vrf', ''))
diff --git a/src/conf_mode/qos.py b/src/conf_mode/qos.py
index 4a0b4d0c5..2b4fcc1bf 100755
--- a/src/conf_mode/qos.py
+++ b/src/conf_mode/qos.py
@@ -36,8 +36,9 @@ from vyos.qos import RateLimiter
 from vyos.qos import RoundRobin
 from vyos.qos import TrafficShaper
 from vyos.qos import TrafficShaperHFSC
-from vyos.utils.process import run
 from vyos.utils.dict import dict_search_recursive
+from vyos.utils.network import interface_exists
+from vyos.utils.process import run
 from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
@@ -214,7 +215,7 @@ def apply(qos):
         return None
 
     for interface, interface_config in qos['interface'].items():
-        if not os.path.exists(f'/sys/class/net/{interface}'):
+        if not interface_exists(interface):
             # When shaper is bound to a dialup (e.g. PPPoE) interface it is
             # possible that it is yet not availbale when to QoS code runs.
             # Skip the configuration and inform the user
diff --git a/src/conf_mode/service_ssh.py b/src/conf_mode/service_ssh.py
index ee5e1eca2..9abdd33dc 100755
--- a/src/conf_mode/service_ssh.py
+++ b/src/conf_mode/service_ssh.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2018-2022 VyOS maintainers and contributors
+# Copyright (C) 2018-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -30,7 +30,6 @@ from vyos import airbag
 airbag.enable()
 
 config_file = r'/run/sshd/sshd_config'
-systemd_override = r'/run/systemd/system/ssh.service.d/override.conf'
 
 sshguard_config_file = '/etc/sshguard/sshguard.conf'
 sshguard_whitelist = '/etc/sshguard/whitelist'
@@ -81,8 +80,6 @@ def generate(ssh):
     if not ssh:
         if os.path.isfile(config_file):
             os.unlink(config_file)
-        if os.path.isfile(systemd_override):
-            os.unlink(systemd_override)
 
         return None
 
@@ -99,13 +96,10 @@ def generate(ssh):
         call(f'ssh-keygen -q -N "" -t ed25519 -f {key_ed25519}')
 
     render(config_file, 'ssh/sshd_config.j2', ssh)
-    render(systemd_override, 'ssh/override.conf.j2', ssh)
 
     if 'dynamic_protection' in ssh:
         render(sshguard_config_file, 'ssh/sshguard_config.j2', ssh)
         render(sshguard_whitelist, 'ssh/sshguard_whitelist.j2', ssh)
-    # Reload systemd manager configuration
-    call('systemctl daemon-reload')
 
     return None
 
@@ -114,7 +108,7 @@ def apply(ssh):
     systemd_service_sshguard = 'sshguard.service'
     if not ssh:
         # SSH access is removed in the commit
-        call(f'systemctl stop {systemd_service_ssh}')
+        call(f'systemctl stop ssh@*.service')
         call(f'systemctl stop {systemd_service_sshguard}')
         return None
 
@@ -126,9 +120,13 @@ def apply(ssh):
     # we need to restart the service if e.g. the VRF name changed
     systemd_action = 'reload-or-restart'
     if 'restart_required' in ssh:
+        # this is only true if something for the VRFs changed, thus we
+        # stop all VRF services and only restart then new ones
+        call(f'systemctl stop ssh@*.service')
         systemd_action = 'restart'
 
-    call(f'systemctl {systemd_action} {systemd_service_ssh}')
+    for vrf in ssh['vrf']:
+        call(f'systemctl {systemd_action} ssh@{vrf}.service')
     return None
 
 if __name__ == '__main__':
diff --git a/src/etc/systemd/system/ssh@.service.d/vrf-override.conf b/src/etc/systemd/system/ssh@.service.d/vrf-override.conf
new file mode 100644
index 000000000..b8952d86c
--- /dev/null
+++ b/src/etc/systemd/system/ssh@.service.d/vrf-override.conf
@@ -0,0 +1,13 @@
+[Unit]
+StartLimitIntervalSec=0
+After=vyos-router.service
+ConditionPathExists=/run/sshd/sshd_config
+
+[Service]
+EnvironmentFile=
+ExecStart=
+ExecStart=ip vrf exec %i /usr/sbin/sshd -f /run/sshd/sshd_config
+Restart=always
+RestartPreventExitStatus=
+RestartSec=10
+RuntimeDirectoryPreserve=yes
diff --git a/src/tests/test_template.py b/src/tests/test_template.py
index aba97015e..dbb86b40b 100644
--- a/src/tests/test_template.py
+++ b/src/tests/test_template.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2020-2023 VyOS maintainers and contributors
+# Copyright (C) 2020-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -14,9 +14,9 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import os
 import vyos.template
 
+from vyos.utils.network import interface_exists
 from ipaddress import ip_network
 from unittest import TestCase
 
@@ -26,7 +26,7 @@ class TestVyOSTemplate(TestCase):
 
     def test_is_interface(self):
         for interface in ['lo', 'eth0']:
-            if os.path.exists(f'/sys/class/net/{interface}'):
+            if interface_exists(interface):
                 self.assertTrue(vyos.template.is_interface(interface))
             else:
                 self.assertFalse(vyos.template.is_interface(interface))