authorDaniil Baturin <daniil@vyos.io>2024-04-03 02:30:00 +0200
committerGitHub <noreply@github.com>2024-04-03 02:30:00 +0200
commitdf2f99f2db19194ece81141c85e6bbb27cbe24ca (patch)
tree50a3f92f2423ec700a1f5fa987c7531847bb591a /src
parent516235769726e1e270c6a50523559daad528abac (diff)
parentcc208d74567e44d6cffa4fc9fd58bd9bcf050930 (diff)
Merge pull request #3235 from vyos/mergify/bp/sagitta/pr-3229
T6192: allow binding SSH to multiple VRF instances (backport #3229)
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/container.py3
-rwxr-xr-xsrc/conf_mode/qos.py5
-rwxr-xr-xsrc/conf_mode/service_ssh.py16
-rw-r--r--src/etc/systemd/system/ssh@.service.d/vrf-override.conf13
-rw-r--r--src/tests/test_template.py6
5 files changed, 28 insertions, 15 deletions
diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py
index e967bee71..910a92a7c 100755
--- a/src/conf_mode/container.py
+++ b/src/conf_mode/container.py
@@ -32,6 +32,7 @@ from vyos.utils.file import write_file
from vyos.utils.process import call
from vyos.utils.process import cmd
from vyos.utils.process import run
+from vyos.utils.network import interface_exists
from vyos.template import bracketize_ipv6
from vyos.template import inc_ip
from vyos.template import is_ipv4
@@ -471,7 +472,7 @@ def apply(container):
# T5147: Networks are started only as soon as there is a consumer.
# If only a network is created in the first place, no need to assign
# it to a VRF as there's no consumer, yet.
- if os.path.exists(f'/sys/class/net/{network_name}'):
+ if interface_exists(network_name):
tmp = Interface(network_name)
tmp.add_ipv6_eui64_address('fe80::/64')
tmp.set_vrf(network_config.get('vrf', ''))
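Review bot: The replaced line was an `os.path.exists` call; if it was the only remaining `os.path` use in container.py, the file-level `import os` is now dead and should go, as this commit already does for test_template.py. The same check applies to the qos.py hunk at `if not interface_exists(interface):`. Neither file's import block is visible here, so this needs confirming against the full files. The enclosing `apply(container)` starts and ends outside the hunk.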
diff --git a/src/conf_mode/qos.py b/src/conf_mode/qos.py
index 4a0b4d0c5..2b4fcc1bf 100755
--- a/src/conf_mode/qos.py
+++ b/src/conf_mode/qos.py
@@ -36,8 +36,9 @@ from vyos.qos import RateLimiter
from vyos.qos import RoundRobin
from vyos.qos import TrafficShaper
from vyos.qos import TrafficShaperHFSC
-from vyos.utils.process import run
from vyos.utils.dict import dict_search_recursive
+from vyos.utils.network import interface_exists
+from vyos.utils.process import run
from vyos import ConfigError
from vyos import airbag
airbag.enable()
@@ -214,7 +215,7 @@ def apply(qos):
return None
for interface, interface_config in qos['interface'].items():
- if not os.path.exists(f'/sys/class/net/{interface}'):
+ if not interface_exists(interface):
# When shaper is bound to a dialup (e.g. PPPoE) interface it is
# possible that it is yet not availbale when to QoS code runs.
# Skip the configuration and inform the user
diff --git a/src/conf_mode/service_ssh.py b/src/conf_mode/service_ssh.py
index ee5e1eca2..9abdd33dc 100755
--- a/src/conf_mode/service_ssh.py
+++ b/src/conf_mode/service_ssh.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2018-2022 VyOS maintainers and contributors
+# Copyright (C) 2018-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -30,7 +30,6 @@ from vyos import airbag
airbag.enable()
config_file = r'/run/sshd/sshd_config'
-systemd_override = r'/run/systemd/system/ssh.service.d/override.conf'
sshguard_config_file = '/etc/sshguard/sshguard.conf'
sshguard_whitelist = '/etc/sshguard/whitelist'
@@ -81,8 +80,6 @@ def generate(ssh):
if not ssh:
if os.path.isfile(config_file):
os.unlink(config_file)
- if os.path.isfile(systemd_override):
- os.unlink(systemd_override)
return None
@@ -99,13 +96,10 @@ def generate(ssh):
call(f'ssh-keygen -q -N "" -t ed25519 -f {key_ed25519}')
render(config_file, 'ssh/sshd_config.j2', ssh)
- render(systemd_override, 'ssh/override.conf.j2', ssh)
if 'dynamic_protection' in ssh:
render(sshguard_config_file, 'ssh/sshguard_config.j2', ssh)
render(sshguard_whitelist, 'ssh/sshguard_whitelist.j2', ssh)
- # Reload systemd manager configuration
- call('systemctl daemon-reload')
return None
@@ -114,7 +108,7 @@ def apply(ssh):
systemd_service_sshguard = 'sshguard.service'
if not ssh:
# SSH access is removed in the commit
- call(f'systemctl stop {systemd_service_ssh}')
+ call(f'systemctl stop ssh@*.service')
call(f'systemctl stop {systemd_service_sshguard}')
return None
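Review bot: `call(f'systemctl stop ssh@*.service')` is an f-string with no placeholders (ruff F541); it should be the plain literal `call('systemctl stop ssh@*.service')`. The same pattern recurs in the `restart_required` branch of the next hunk. With `{systemd_service_ssh}` no longer interpolated here, the `systemd_service_ssh` assignment just above this hunk (not visible) may be unused now and worth checking. The enclosing `apply(ssh)` starts outside the hunk.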
@@ -126,9 +120,13 @@ def apply(ssh):
# we need to restart the service if e.g. the VRF name changed
systemd_action = 'reload-or-restart'
if 'restart_required' in ssh:
+ # this is only true if something for the VRFs changed, thus we
+ # stop all VRF services and only restart then new ones
+ call(f'systemctl stop ssh@*.service')
systemd_action = 'restart'
- call(f'systemctl {systemd_action} {systemd_service_ssh}')
+ for vrf in ssh['vrf']:
+ call(f'systemctl {systemd_action} ssh@{vrf}.service')
return None
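Review bot: `for vrf in ssh['vrf']:` raises `KeyError` if a configuration without an explicit VRF reaches `apply()`, so this relies on the defaults layer always populating `ssh['vrf']` (presumably with the default VRF); if that is not guaranteed, `ssh.get('vrf', [])` would need a fallback that still starts the default instance. The `restart_required` path stops every `ssh@*.service` instance before restarting only the configured ones, which drops established sessions in VRFs that did not change; a comment stating that this is intentional would help, e.g. `# stopping all instances also tears down sessions in unchanged VRFs`. `{vrf}` is interpolated into a command string handed to `call()`; VRF names come from validated config, which is acceptable only as long as `call()` does not run the string through a shell — confirm against vyos.utils.process. The enclosing `apply(ssh)` starts outside the hunk.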
if __name__ == '__main__':
diff --git a/src/etc/systemd/system/ssh@.service.d/vrf-override.conf b/src/etc/systemd/system/ssh@.service.d/vrf-override.conf
new file mode 100644
index 000000000..b8952d86c
--- /dev/null
+++ b/src/etc/systemd/system/ssh@.service.d/vrf-override.conf
@@ -0,0 +1,13 @@
+[Unit]
+StartLimitIntervalSec=0
+After=vyos-router.service
+ConditionPathExists=/run/sshd/sshd_config
+
+[Service]
+EnvironmentFile=
+ExecStart=
+ExecStart=ip vrf exec %i /usr/sbin/sshd -f /run/sshd/sshd_config
+Restart=always
+RestartPreventExitStatus=
+RestartSec=10
+RuntimeDirectoryPreserve=yes
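Review bot: `StartLimitIntervalSec=0` together with `Restart=always` and `RestartSec=10` disables systemd's start-rate limiting, so an instance whose sshd fails at startup (bad config, missing VRF) is respawned every 10 seconds indefinitely rather than entering the failed state; a header comment such as `# Unlimited restarts: sshd may legitimately fail until the VRF exists` would document why, or `StartLimitBurst` could bound it. `ExecStart=ip vrf exec %i ...` uses a bare `ip` rather than an absolute path, which systemd accepts only from v239 on — fine for the target release if that is known. sshd is launched without `-D`, so unless the base `ssh@.service` sets `Type=forking` it will detach and systemd may treat the instance as exited — confirm against the shipped unit. Only `EnvironmentFile`, `ExecStart` and `RestartPreventExitStatus` are reset here; every other directive in the base `ssh@.service` still applies to the instance.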
diff --git a/src/tests/test_template.py b/src/tests/test_template.py
index aba97015e..dbb86b40b 100644
--- a/src/tests/test_template.py
+++ b/src/tests/test_template.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2020-2023 VyOS maintainers and contributors
+# Copyright (C) 2020-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -14,9 +14,9 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-import os
import vyos.template
+from vyos.utils.network import interface_exists
from ipaddress import ip_network
from unittest import TestCase
@@ -26,7 +26,7 @@ class TestVyOSTemplate(TestCase):
def test_is_interface(self):
for interface in ['lo', 'eth0']:
- if os.path.exists(f'/sys/class/net/{interface}'):
+ if interface_exists(interface):
self.assertTrue(vyos.template.is_interface(interface))
else:
self.assertFalse(vyos.template.is_interface(interface))
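Review bot: The test's oracle changed from an independent `os.path.exists('/sys/class/net/...')` check to `interface_exists()`; if `vyos.template.is_interface` is itself implemented on top of `interface_exists` (not visible here), the assertion becomes tautological and no longer verifies the template filter against the filesystem. If that is the case, keeping the explicit sysfs path check in the test, or noting the shared helper in a comment like `# is_interface and interface_exists share one implementation; this only checks wiring`, would keep the test's intent clear.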