diff options
Diffstat (limited to 'docs/configuration/system')
26 files changed, 1192 insertions, 0 deletions
| diff --git a/docs/configuration/system/acceleration.rst b/docs/configuration/system/acceleration.rst new file mode 100644 index 00000000..b09da38b --- /dev/null +++ b/docs/configuration/system/acceleration.rst @@ -0,0 +1,7 @@ +.. _acceleration: + +############ +Acceleration +############ + + diff --git a/docs/configuration/system/config-management.rst b/docs/configuration/system/config-management.rst new file mode 100644 index 00000000..40973713 --- /dev/null +++ b/docs/configuration/system/config-management.rst @@ -0,0 +1,2 @@ +config-management +#################
\ No newline at end of file diff --git a/docs/configuration/system/conntrack.rst b/docs/configuration/system/conntrack.rst new file mode 100644 index 00000000..7d5d4308 --- /dev/null +++ b/docs/configuration/system/conntrack.rst @@ -0,0 +1,2 @@ +conntrack +#########
\ No newline at end of file diff --git a/docs/configuration/system/console.rst b/docs/configuration/system/console.rst new file mode 100644 index 00000000..4a750ada --- /dev/null +++ b/docs/configuration/system/console.rst @@ -0,0 +1,43 @@ +.. _serial-console: + +############## +Serial Console +############## + +For the average user a serial console has no advantage over a console offered +by a directly attached keyboard and screen. Serial consoles are much slower, +taking up to a second to fill a 80 column by 24 line screen. Serial consoles +generally only support non-proportional ASCII text, with limited support for +languages other than English. + +There are some scenarios where serial consoles are useful. System administration +of remote computers is usually done using :ref:`ssh`, but there are times when +access to the console is the only way to diagnose and correct software failures. +Major upgrades to the installed distribution may also require console access. + + +.. cfgcmd:: set system console device <device> + +   Defines the specified device as a system console. Available console devices +   can be (see completion helper): + +   * ``ttySN`` - Serial device name +   * ``ttyUSBX`` - USB Serial device name +   * ``hvc0`` - Xen console + +.. cfgcmd:: set system console device <device> speed <speed> + +   The speed (baudrate) of the console device. Supported values are: + +   * ``1200`` - 1200 bps +   * ``2400`` - 2400 bps +   * ``4800`` - 4800 bps +   * ``9600`` - 9600 bps +   * ``19200`` - 19,200 bps +   * ``38400`` - 38,400 bps (default for Xen console) +   * ``57600`` - 57,600 bps +   * ``115200`` - 115,200 bps (default for serial console) + +   .. note:: If you use a USB to serial converter please note that most of them +      use software emulation without flow control, thus you should start with a +      common baud rate of 9600 as otherwise you could get diff --git a/docs/configuration/system/default-route.rst b/docs/configuration/system/default-route.rst new file mode 100644 index 00000000..27c74188 --- /dev/null +++ b/docs/configuration/system/default-route.rst @@ -0,0 +1,40 @@ +.. _default_gateway: + +##################### +Default Gateway/Route +##################### + +In the past (VyOS 1.1) used a gateway-address configured under the system tree +(:cfgcmd:`set system gateway-address <address>`), this is no longer supported +and existing configurations are migrated to the new CLI command. + +Configuration +============= + +.. cfgcmd:: set protocols static route 0.0.0.0/0 next-hop <address> + +   Specify static route into the routing table sending all non local traffic +   to the nexthop address `<address>`. + + +.. cfgcmd:: delete protocols static route 0.0.0.0/0 + +   Delete default route from the system. + +Operation +========= + +.. opcmd:: show ip route 0.0.0.0 + +   Show routing table entry for the default route. + +   .. code-block:: none + +      vyos@vyos:~$ show ip route 0.0.0.0 +      Routing entry for 0.0.0.0/0 +        Known via "static", distance 10, metric 0, best +        Last update 09:46:30 ago +        * 172.18.201.254, via eth0.201 + +.. seealso:: Configuration of :ref:`static-routing` + diff --git a/docs/configuration/system/domain-name.rst b/docs/configuration/system/domain-name.rst new file mode 100644 index 00000000..9028b65b --- /dev/null +++ b/docs/configuration/system/domain-name.rst @@ -0,0 +1,2 @@ +domain-name +###########
\ No newline at end of file diff --git a/docs/configuration/system/domain-search.rst b/docs/configuration/system/domain-search.rst new file mode 100644 index 00000000..f4aef62e --- /dev/null +++ b/docs/configuration/system/domain-search.rst @@ -0,0 +1,2 @@ +domain-search +#############
\ No newline at end of file diff --git a/docs/configuration/system/eventhandler.rst b/docs/configuration/system/eventhandler.rst new file mode 100644 index 00000000..a68b3924 --- /dev/null +++ b/docs/configuration/system/eventhandler.rst @@ -0,0 +1,48 @@ +.. _event-handler: + +Event Handler +------------- + +Event handler allows you to execute scripts when a string that matches a regex appears in a text stream (e.g. log file). + +It uses "feeds" (output of commands, or a named pipes) and "policies" that define what to execute if a regex is matched. + +.. code-block:: none + +  system +  event-handler +      feed <name> +      description <feed description> +      policy <policy name> +      source +          preset +          syslog # Use the syslog logs for feed +          custom +          command <command to execute> # E.g. "tail -f /var/log/somelogfile" +          named-pipe <path to a names pipe> +      policy <policy name> +      description <policy description> +      event <event name> +          description <event description> +          pattern <regex> +          run <command to run> + +In this small example a script runs every time a login failed and an interface goes down + +.. code-block:: none + +  vyos@vyos# show system event-handler +  feed Syslog { +      policy MyPolicy +      source { +          preset syslog +      } +  } +  policy MyPolicy { +      description "Test policy" +      event BadThingsHappened { +          pattern "authentication failure" +          pattern "interface \.* index \d+ .* DOWN.*" +          run /config/scripts/email-to-admin +      } +  }
\ No newline at end of file diff --git a/docs/configuration/system/flow-accounting.rst b/docs/configuration/system/flow-accounting.rst new file mode 100644 index 00000000..f09c1c9a --- /dev/null +++ b/docs/configuration/system/flow-accounting.rst @@ -0,0 +1,203 @@ +.. _flow-accounting: + +############### +Flow Accounting +############### + +VyOS supports flow-accounting for both IPv4 and IPv6 traffic. The system acts +as a flow exporter, and you are free to use it with any compatible collector. + +Flows can be exported via two different protocols: NetFlow (versions 5, 9 and +10/IPFIX) and sFlow. Additionally, you may save flows to an in-memory table +internally in a router. + +.. warning:: You need to disable the in-memory table in production environments! +   Using :abbr:`IMT (In-Memory Table)` may lead to heavy CPU overloading and +   unstable flow-accounting behavior. + + +NetFlow / IPFIX +=============== +NetFlow is a feature that was introduced on Cisco routers around 1996 that +provides the ability to collect IP network traffic as it enters or exits an +interface. By analyzing the data provided by NetFlow, a network administrator +can determine things such as the source and destination of traffic, class of +service, and the causes of congestion. A typical flow monitoring setup (using +NetFlow) consists of three main components: + +* **exporter**: aggregates packets into flows and exports flow records towards +  one or more flow collectors +* **collector**: responsible for reception, storage and pre-processing of flow +  data received from a flow exporter +* **application**: analyzes received flow data in the context of intrusion +  detection or traffic profiling, for example + +For connectionless protocols as like ICMP and UDP, a flow is considered +complete once no more packets for this flow appear after configurable timeout. + +NetFlow is usually enabled on a per-interface basis to limit load on the router +components involved in NetFlow, or to limit the amount of NetFlow records +exported. + +Configuration +============= + +In order for flow accounting information to be collected and displayed for an +interface, the interface must be configured for flow accounting. + +.. cfgcmd:: set system flow-accounting interface <interface> + +   Configure and enable collection of flow information for the interface +   identified by `<interface>`. + +   You can configure multiple interfaces which whould participate in flow +   accounting. + +.. note:: Will be recorded only packets/flows on **incoming** direction in +   configured interfaces. + + +By default, recorded flows will be saved internally and can be listed with the +CLI command. You may disable using the local in-memory table with the command: + +.. cfgcmd:: set system flow-accounting disable-imt + +   Internally, in flow-accounting processes exist a buffer for data exchanging +   between core process and plugins (each export target is a separated plugin). +   If you have high traffic levels or noted some problems with missed records +   or stopping exporting, you may try to increase a default buffer size (10 +   MiB) with the next command: + +.. cfgcmd:: set system flow-accounting buffer-size <buffer size> + +   In case, if you need to catch some logs from flow-accounting daemon, you may +   configure logging facility: + +.. cfgcmd:: set system flow-accounting syslog-facility <facility> + +   TBD + +Flow Export +----------- + +In addition to displaying flow accounting information locally, one can also +exported them to a collection server. + +NetFlow +^^^^^^^ + +.. cfgcmd:: set system flow-accounting netflow version <version> + +   There are multiple versions available for the NetFlow data. The `<version>` +   used in the exported flow data can be configured here. The following +   versions are supported: + +   * **5** - Most common version, but restricted to IPv4 flows only +   * **9** - NetFlow version 9 (default) +   * **10** - :abbr:`IPFIX (IP Flow Information Export)` as per :rfc:`3917` + +.. cfgcmd:: set system flow-accounting netflow server <address> + +   Configure address of NetFlow collector. NetFlow server at `<address>` can +   be both listening on an IPv4 or IPv6 address. + +.. cfgcmd:: set system flow-accounting netflow source-ip <address> + +   IPv4 or IPv6 source address of NetFlow packets + +.. cfgcmd:: set system flow-accounting netflow engine-id <id> + +   NetFlow engine-id which will appear in NetFlow data. The range is 0 to 255. + +.. cfgcmd:: set system flow-accounting netflow sampling-rate <rate> + +   Use this command to configure the  sampling rate for flow accounting. The +   system samples one in every `<rate>` packets, where `<rate>` is the value +   configured for the sampling-rate option. The advantage of sampling every n +   packets, where n > 1, allows you to decrease the amount of processing +   resources required for flow accounting. The disadvantage of not sampling +   every packet is that the statistics produced are estimates of actual data +   flows. + +   Per default every packet is sampled (that is, the sampling rate is 1). + +.. cfgcmd:: set system flow-accounting netflow timeout expiry-interval <interval> + +   Specifies the interval at which Netflow data will be sent to a collector. As +   per default, Netflow data will be sent every 60 seconds. + +   You may also additionally configure timeouts for different types of +   connections. + +.. cfgcmd:: set system flow-accounting netflow max-flows <n> + +   If you want to change the maximum number of flows, which are tracking +   simultaneously, you may do this with this command (default 8192). + +sFlow +^^^^^ + +.. cfgcmd:: set system flow-accounting sflow server <address> + +   Configure address of sFlow collector. sFlow server at `<address>` can +   be an IPv4 or IPv6 address. But you cannot export to both IPv4 and +   IPv6 collectors at the same time! + +.. cfgcmd:: set system flow-accounting sflow sampling-rate <rate> + +   Enable sampling of packets, which will be transmitted to sFlow collectors. + +.. cfgcmd:: set system flow-accounting sflow agent-address <address> + +   Configure a sFlow agent address. It can be IPv4 or IPv6 address, but you +   must set the same protocol, which is used for sFlow collector addresses. By +   default, using router-id from BGP or OSPF protocol, or the primary IP +   address from the first interface. + +Example: +-------- + +NetFlow v5 example: + +.. code-block:: none + +  set system flow-accounting netflow engine-id 100 +  set system flow-accounting netflow version 5 +  set system flow-accounting netflow server 192.168.2.10 port 2055 + +Operation +========= + +Once flow accounting is configured on an interfaces it provides the ability to +display captured network traffic information for all configured interfaces. + +.. opcmd:: show flow-accounting interface <interface> + +   Show flow accounting information for given `<interface>`. + +   .. code-block:: none + +     vyos@vyos:~$ show flow-accounting interface eth0 +     IN_IFACE    SRC_MAC            DST_MAC            SRC_IP                     DST_IP             SRC_PORT    DST_PORT  PROTOCOL      TOS    PACKETS    FLOWS    BYTES +     ----------  -----------------  -----------------  ------------------------  ---------------  ----------  ----------  ----------  -----  ---------  -------  ------- +     eth0        00:53:01:a8:28:ac  ff:ff:ff:ff:ff:ff  192.0.2.2                 255.255.255.255        5678        5678  udp             0          1        1      178 +     eth0        00:53:01:b2:2f:34  33:33:ff:00:00:00  fe80::253:01ff:feb2:2f34  ff02::1:ff00:0            0           0  ipv6-icmp       0          2        1      144 +     eth0        00:53:01:1a:b4:53  33:33:ff:00:00:00  fe80::253:01ff:fe1a:b453  ff02::1:ff00:0            0           0  ipv6-icmp       0          1        1       72 +     eth0        00:53:01:b2:22:48  00:53:02:58:a2:92  192.0.2.100               192.0.2.14            40152          22  tcp            16         39        1     2064 +     eth0        00:53:01:c8:33:af  ff:ff:ff:ff:ff:ff  192.0.2.3                 255.255.255.255        5678        5678  udp             0          1        1      154 +     eth0        00:53:01:b2:22:48  00:53:02:58:a2:92  192.0.2.100               192.0.2.14            40006          22  tcp            16        146        1     9444 +     eth0        00:53:01:b2:22:48  00:53:02:58:a2:92  192.0.2.100               192.0.2.14                0           0  icmp          192         27        1     4455 + +.. opcmd:: show flow-accounting interface <interface> host <address> + +   Show flow accounting information for given `<interface>` for a specific host +   only. + +   .. code-block:: none + +     vyos@vyos:~$ show flow-accounting interface eth0 host 192.0.2.14 +     IN_IFACE    SRC_MAC            DST_MAC            SRC_IP       DST_IP        SRC_PORT    DST_PORT  PROTOCOL      TOS    PACKETS    FLOWS    BYTES +     ----------  -----------------  -----------------  -----------  ----------  ----------  ----------  ----------  -----  ---------  -------  ------- +     eth0        00:53:01:b2:22:48  00:53:02:58:a2:92  192.0.2.100  192.0.2.14       40006          22  tcp            16        197        2    12940 +     eth0        00:53:01:b2:22:48  00:53:02:58:a2:92  192.0.2.100  192.0.2.14       40152          22  tcp            16         94        1     4924 +     eth0        00:53:01:b2:22:48  00:53:02:58:a2:92  192.0.2.100  192.0.2.14           0           0  icmp          192         36        1     5877 diff --git a/docs/configuration/system/host-name.rst b/docs/configuration/system/host-name.rst new file mode 100644 index 00000000..30efe01e --- /dev/null +++ b/docs/configuration/system/host-name.rst @@ -0,0 +1,63 @@ +.. _host-information: + +################ +Host Information +################ + +This section describes the system's host information and how to configure them, +it covers the following topics: + +* Host name +* Domain +* IP address +* Aliases + +Hostname +======== + +A hostname is the label (name) assigned to a network device (a host) on a +network and is used to distinguish one device from another on specific networks +or over the internet. On the other hand this will be the name which appears on +the command line prompt. + +.. cfgcmd:: set system host-name <hostname> + +   Set system hostname. The hostname can be up to 63 characters. A hostname +   must start and end with a letter or digit, and have as interior characters +   only letters, digits, or a hyphen. + +   The default hostname used is `vyos`. + +Domain Name +=========== + +A domain name is the label (name) assigned to a computer network and is thus +unique. VyOS appends the domain name as a suffix to any unqualified name. For +example, if you set the domain name `example.com`, and you would ping the +unqualified name of `crux`, then VyOS qualifies the name to `crux.example.com`. + +.. cfgcmd:: set system domain-name <domain> + +   Configure system domain name. A domain name must start and end with a letter +   or digit, and have as interior characters only letters, digits, or a hyphen. + +Static Hostname Mapping +======================= + +How an IP address is assigned to an interface in :ref:`ethernet-interface`. +This section shows how to statically map an IP address to a hostname for local +(meaning on this VyOS instance) name resolution. + +.. cfgcmd:: set system static-host-mapping host-name <hostname> inet <address> + +   Create a static hostname mapping which will always resolve the name +   `<hostname>` to IP address `<address>`. + + +.. cfgcmd:: set system static-host-mapping host-name <hostname> alias <alias> + +   Create named `<alias>` for the configured static mapping for `<hostname>`. +   Thus the address configured as :cfgcmd:`set system static-host-mapping +   host-name <hostname> inet <address>` can be reached via multiple names. + +   Multiple aliases can pe specified per host-name. diff --git a/docs/configuration/system/index.rst b/docs/configuration/system/index.rst new file mode 100644 index 00000000..ecf09a64 --- /dev/null +++ b/docs/configuration/system/index.rst @@ -0,0 +1,32 @@ +###### +System +###### + + +.. toctree:: +   :maxdepth: 1 +   :includehidden: + +   acceleration +   config-management +   conntrack +   console +   domain-name +   domain-search +   flow-accounting +   host-name +   ip +   ipv6 +   lcd +   login +   name-server +   name-servers-dhcp +   ntp +   options +   proxy +   static-host-mapping +   sysctl +   syslog +   task-scheduler +   time-zone +   wifi-requlatory-domain diff --git a/docs/configuration/system/ip.rst b/docs/configuration/system/ip.rst new file mode 100644 index 00000000..74116eb0 --- /dev/null +++ b/docs/configuration/system/ip.rst @@ -0,0 +1,2 @@ +ip +##
\ No newline at end of file diff --git a/docs/configuration/system/ipv6.rst b/docs/configuration/system/ipv6.rst new file mode 100644 index 00000000..19ed6d62 --- /dev/null +++ b/docs/configuration/system/ipv6.rst @@ -0,0 +1,2 @@ +ipv6 +####
\ No newline at end of file diff --git a/docs/configuration/system/lcd.rst b/docs/configuration/system/lcd.rst new file mode 100644 index 00000000..2509946e --- /dev/null +++ b/docs/configuration/system/lcd.rst @@ -0,0 +1,45 @@ +.. _system-display: + +******************** +System Display (LCD) +******************** + +The system LCD :abbr:`LCD (Liquid-crystal display)` option is for users running +VyOS on hardware that features an LCD display. This is typically a small display +built in an 19 inch rack-mountable appliance. Those displays are used to show +runtime data. + +To configure your LCD display you must first identify the used hardware, and +connectivity of the display to your system. This can be any serial port +(`ttySxx`) or serial via USB or even old parallel port interfaces. + +Configuration +============= + +.. cfgcmd:: set system lcd device <device> + +   This is the name of the physical interface used to connect to your LCD +   display. Tab completion is supported and it will list you all available +   serial interface. + +   For serial via USB port information please refor to: :ref:`hardware_usb`. + +.. cfgcmd:: set system lcd model <model> + +   This is the LCD model used in your system. + +   At the time of this writing the following displays are supported: + +   * Crystalfontz CFA-533 + +   * Crystalfontz CFA-631 + +   * Crystalfontz CFA-633 + +   * Crystalfontz CFA-635 + +   .. note:: We can't support all displays from the beginning. If your display +      type is missing, please create a feature request via Phabricator_. + +.. include:: /common-references.rst + diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst new file mode 100644 index 00000000..6d89735f --- /dev/null +++ b/docs/configuration/system/login.rst @@ -0,0 +1,160 @@ +.. _user_management: + +############### +User Management +############### + +The default VyOS user account (`vyos`), as well as newly created user accounts, +have all capabilities to configure the system. All accounts have sudo +capabilities and therefore can operate as root on the system. + +Both local administered and remote administered :abbr:`RADIUS (Remote +Authentication Dial-In User Service)` accounts are supported. + +Local +===== + +.. cfgcmd:: set system login user <name> full-name "<string>" + +   Create new system user with username `<name>` and real-name specified by +   `<string>`. + +.. cfgcmd:: set system login user <name> authentication plaintext-password <password> + +   Specify the plaintext password user by user `<name>` on this system. The +   plaintext password will be automatically transferred into a secure hashed +   password and not saved anywhere in plaintext. + +.. cfgcmd:: set system login user <name> authentication encrypted-password <password> + +   Setup encrypted password for given username. This is useful for +   transferring a hashed password from system to system. + +.. _ssh_key_based_authentication: + +Key Based Authentication +------------------------ + +It is highly recommended to use SSH key authentication. By default there is +only one user (``vyos``), and you can assign any number of keys to that user. +You can generate a ssh key with the ``ssh-keygen`` command on your local +machine, which will (by default) save it as ``~/.ssh/id_rsa.pub``. + +Every SSH key comes in three parts: + +``ssh-rsa AAAAB3NzaC1yc2EAAAABAA...VBD5lKwEWB username@host.example.com`` + +Only the type (``ssh-rsa``) and the key (``AAAB3N...``) are used. Note that the +key will usually be several hundred characters long, and you will need to copy +and paste it. Some terminal emulators may accidentally split this over several +lines. Be attentive when you paste it that it only pastes as a single line. +The third part is simply an identifier, and is for your own reference. + +.. cfgcmd:: set system login user <username> authentication public-keys <identifier> key <key> + +   Assign the SSH public key portion `<key>` identified by per-key +   `<identifier>` to the local user `<username>`. + +.. cfgcmd:: set system login user <username> authentication public-keys <identifier> type <type> + +   Every SSH public key portion referenced by `<identifier>` requires the +   configuration of the `<type>` of public-key used. This type can be any of: + +   * ``ecdsa-sha2-nistp256`` +   * ``ecdsa-sha2-nistp384`` +   * ``ecdsa-sha2-nistp521`` +   * ``ssh-dss`` +   * ``ssh-ed25519`` +   * ``ssh-rsa`` + +   .. note:: You can assign multiple keys to the same user by using a unique +      identifier per SSH key. + +.. cfgcmd:: loadkey <username> <location> + +   SSH keys can not only be specified on the command-line but also loaded for +   a given user with `<username>` from a file pointed to by `<location>.` Keys +   can be either loaded from local filesystem or any given remote location +   using one of the following :abbr:`URIs (Uniform Resource Identifier)`: + +   * ``<file>`` - Load from file on local filesystem path +   * ``scp://<user>@<host>:/<file>`` - Load via SCP from remote machine +   * ``sftp://<user>@<host>/<file>`` - Load via SFTP from remote machine +   * ``ftp://<user>@<host>/<file>`` - Load via FTP from remote machine +   * ``http://<host>/<file>`` - Load via HTTP from remote machine +   * ``tftp://<host>/<file>`` - Load via TFTP from remote machine + +Example +------- + +In the following example, both `User1` and `User2` will be able to SSH into +VyOS as user ``vyos`` using their very own keys. + +.. code-block:: none + +  set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW" +  set system login user vyos authentication public-keys 'User1' type ssh-rsa +  set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3" +  set system login user vyos authentication public-keys 'User2' type ssh-rsa + + +RADIUS +====== + +In large deployments it is not reasonable to configure each user individually +on every system. VyOS supports using :abbr:`RADIUS (Remote Authentication +Dial-In User Service)` servers as backend for user authentication. + +Configuration +------------- + +.. cfgcmd:: set system login radius server <address> secret <secret> + +   Specify the `<address>` of the RADIUS server user with the pre-shared-secret +   given in `<secret>`. Multiple servers can be specified. + +.. cfgcmd:: set system login radius server <address> port <port> + +   Configure the discrete port under which the RADIUS server can be reached. +   This defaults to 1812. + +.. cfgcmd:: set system login radius server <address> timeout <timeout> + +   Setup the `<timeout>` in seconds when querying the RADIUS server. + +.. cfgcmd:: set system login radius server <address> disable + +   Temporary disable this RADIUS server. It won't be queried. + +.. cfgcmd:: set system login radius source-address <address> + +   RADIUS servers could be hardened by only allowing certain IP addresses to +   connect. As of this the source address of each RADIUS query can be +   configured. If this is not set, incoming connections to the RADIUS server +   will use the nearest interface address pointing towards the server - making +   it error prone on e.g. OSPF networks when a link fails and a backup route is +   taken. + +.. hint:: If you want to have admin users to authenticate via RADIUS it is +   essential to sent the ``Cisco-AV-Pair shell:priv-lvl=15`` attribute. Without +   the attribute you will only get regular, non privilegued, system users. + + + +Login Banner +============ + +You are able to set post-login or pre-login banner messages to display certain +information for this system. + +.. cfgcmd:: set system login banner pre-login <message> + +   Configure `<message>` which is shown during SSH connect and before a user is +   logged in. + +.. cfgcmd:: set system login banner post-login <message> + +   Configure `<message>` which is shown after user has logged in to the system. + +.. note:: To create a new line in your login message you need to escape the new +   line character by using ``\\n``. diff --git a/docs/configuration/system/name-server.rst b/docs/configuration/system/name-server.rst new file mode 100644 index 00000000..59cfdb5d --- /dev/null +++ b/docs/configuration/system/name-server.rst @@ -0,0 +1,69 @@ +.. _system-dns: + +########## +System DNS +########## + + +This section describes configuring DNS on the system, namely: + + * DNS name servers + * Domain search order + + +DNS name servers +================ + +.. cfgcmd:: set system name-server <address> + +   Use this command to specify a DNS server for the system to be used +   for DNS lookups. More than one DNS server can be added, configuring +   one at a time. Both IPv4 and IPv6 addresses are supported. + + + +Example +------- + +In this example, some *OpenNIC* servers are used, two IPv4 addresses +and two IPv6 addresses: + + +.. code-block:: none + +   set system name-server 176.9.37.132 +   set system name-server 195.10.195.195 +   set system name-server 2a01:4f8:161:3441::1 +   set system name-server 2a00:f826:8:2::195 + + +Domain search order +=================== + +In order for the system to use and complete unqualified host names, a +list can be defined which will be used for domain searches. + + +.. cfgcmd:: set system domain-search domain <domain> + +   Use this command to define domains, one at a time, so that the system +   uses them to complete unqualified host names. Maximum: 6 entries. + + +.. note:: Domain names can include letters, numbers, hyphens and periods +   with a maximum length of 253 characters. + + +Example +------- + +The system is configured to attempt domain completion in the following +order: vyos.io (first), vyos.net (second) and vyos.network (last): + + +.. code-block:: none + +   set system domain-search domain vyos.io +   set system domain-search domain vyos.net +   set system domain-search domain vyos.network + diff --git a/docs/configuration/system/name-servers-dhcp.rst b/docs/configuration/system/name-servers-dhcp.rst new file mode 100644 index 00000000..6719fef9 --- /dev/null +++ b/docs/configuration/system/name-servers-dhcp.rst @@ -0,0 +1,2 @@ +name-servers-dhcp +#################
\ No newline at end of file diff --git a/docs/configuration/system/ntp.rst b/docs/configuration/system/ntp.rst new file mode 100644 index 00000000..5fd1837f --- /dev/null +++ b/docs/configuration/system/ntp.rst @@ -0,0 +1,56 @@ +.. _ntp: + +### +NTP +### + +:abbr:`NTP (Network Time Protocol`) is a networking protocol for clock +synchronization between computer systems over packet-switched, variable-latency +data networks. In operation since before 1985, NTP is one of the oldest Internet +protocols in current use. + +NTP is intended to synchronize all participating computers to within a few +milliseconds of :abbr:`UTC (Coordinated Universal Time)`. It uses the +intersection algorithm, a modified version of Marzullo's algorithm, to select +accurate time servers and is designed to mitigate the effects of variable +network latency. NTP can usually maintain time to within tens of milliseconds +over the public Internet, and can achieve better than one millisecond accuracy +in local area networks under ideal conditions. Asymmetric routes and network +congestion can cause errors of 100 ms or more. + +The protocol is usually described in terms of a client-server model, but can as +easily be used in peer-to-peer relationships where both peers consider the other +to be a potential time source. Implementations send and receive timestamps using +:abbr:`UDP (User Datagram Protocol)` on port number 123. + +NTP supplies a warning of any impending leap second adjustment, but no +information about local time zones or daylight saving time is transmitted. + +The current protocol is version 4 (NTPv4), which is a proposed standard as +documented in :rfc:`5905`. It is backward compatible with version 3, specified +in :rfc:`1305`. + +Configuration +============= + +.. cfgcmd:: set system ntp server <address> + +   Configure one or more servers for synchronisation. Server name can be either +   an IP address or :abbr:`FQDN (Fully Qualified Domain Name)`. + +   There are 3 default NTP server set. You are able to change them. + +   * 0.pool.ntp.org +   * 1.pool.ntp.org +   * 2.pool.ntp.org + +.. cfgcmd:: set system ntp listen-address <address> + +   Setup VyOS as an NTP responder, you must specify the `<address>` and +   optionally the permitted clients. Multiple listen addresses can be +   configured. + +.. cfgcmd:: set system ntp allow-clients address <address> + +   List of networks or client addresses permitted to contact this NTP server. +   Multiple networks can be configured. diff --git a/docs/configuration/system/option.rst b/docs/configuration/system/option.rst new file mode 100644 index 00000000..e7661492 --- /dev/null +++ b/docs/configuration/system/option.rst @@ -0,0 +1,94 @@ +.. _system_option: + +####### +Options +####### + +This chapter describe the possibilities of advanced system behavior. + +******* +General +******* + +.. cfgcmd:: set system option ctrl-alt-delete <ignore | reboot | poweroff> + +   Action which will be run once the ctrl-alt-del keystroke is received. + +.. cfgcmd:: set system option reboot-on-panic + +   Automatically reboot system on kernel panic after 60 seconds. + +.. cfgcmd:: set system option startup-beep + +    Play an audible beep to the system speaker when system is ready. + +*********** +HTTP client +*********** + +.. cfgcmd:: set system option http-client source-address <address> + +   Several commands utilize curl to initiate transfers. Configure the local +   source IPv4/IPv6 address used for all CURL operations. + +.. cfgcmd:: set system option http-client source-interface <interface> + +   Several commands utilize curl to initiate transfers. Configure the local +   source interface used for all CURL operations. + +.. note:: `source-address` and `source-interface` can not be used at the same time. + +*************** +Keyboard Layout +*************** + +When starting a VyOS live system (the installation CD) the configured keyboard +layout defaults to US. As this might not suite everyones use case you can adjust +the used keyboard layout on the system console. + +.. cfgcmd:: set system option keyboard-layout <us | fr | de | fi | no | dk> + +  Change system keyboard layout to given language. + +  Defaults to ``us``. + +  .. note:: Changing the keymap only has an effect on the system console, using +    SSH oder Serial remote access to the device is not affected as the keyboard +    layout here corresponds to your access system. + +.. _system_options_performance: + +*********** +Performance +*********** + +As more and more routers run on Hypervisors, expecially with a :abbr:`NOS +(Network Operating System)` as VyOS, it makes fewer and fewer sense to use +static resource bindings like ``smp-affinity`` as present in VyOS 1.2 and +earlier to pin certain interrupt handlers to specific CPUs. + +We now utilize `tuned` for dynamic resource balancing based on profiles. + +  .. seealso:: https://access.redhat.com/sites/default/files/attachments/201501-perf-brief-low-latency-tuning-rhel7-v2.1.pdf + +.. cfgcmd:: set system option performance < throughput | latency > + +  Configure one of the predefined system performance profiles. + +  * ``throughput``: A server profile focused on improving network throughput. +    This profile favors performance over power savings by setting ``intel_pstate`` +    and ``max_perf_pct=100`` and increasing kernel network buffer sizes. + +    It enables transparent huge pages, and uses cpupower to set the performance +    cpufreq governor. It also sets ``kernel.sched_min_granularity_ns`` to 10 us, +    ``kernel.sched_wakeup_granularity_ns`` to 15 uss, and ``vm.dirty_ratio`` to +    40%. + +  * ``latency``: A server profile focused on lowering network latency. +    This profile favors performance over power savings by setting ``intel_pstate`` +    and ``min_perf_pct=100``. + +    It disables transparent huge pages, and automatic NUMA balancing. It also +    uses cpupower to set the performance cpufreq governor, and requests a +    cpu_dma_latency value of 1. It also sets busy_read and busy_poll times to +    50 us, and tcp_fastopen to 3. diff --git a/docs/configuration/system/proxy.rst b/docs/configuration/system/proxy.rst new file mode 100644 index 00000000..8e0339a7 --- /dev/null +++ b/docs/configuration/system/proxy.rst @@ -0,0 +1,28 @@ +.. _system_proxy: + +############ +System Proxy +############ + +Some IT environments require the use of a proxy to connect to the Internet. +Without this configuration VyOS updates could not be installed directly by +using the :opcmd:`add system image` command (:ref:`update_vyos`). + +.. cfgcmd:: set system proxy url <url> + +   Set proxy for all connections initiated by VyOS, including HTTP, HTTPS, and +   FTP (anonymous ftp). + +.. cfgcmd:: set system proxy port <port> + +   Configure proxy port if it does not listen to the default port 80. + +.. cfgcmd:: set system proxy username <username> + +   Some proxys require/support the "basic" HTTP authentication scheme as per +   :rfc:`7617`, thus a username can be configured. + +.. cfgcmd:: set system proxy password <password> + +   Some proxys require/support the "basic" HTTP authentication scheme as per +   :rfc:`7617`, thus a password can be configured. diff --git a/docs/configuration/system/static-host-mapping.rst b/docs/configuration/system/static-host-mapping.rst new file mode 100644 index 00000000..97d9a443 --- /dev/null +++ b/docs/configuration/system/static-host-mapping.rst @@ -0,0 +1,2 @@ +static-host-mapping +###################
\ No newline at end of file diff --git a/docs/configuration/system/sysctl.rst b/docs/configuration/system/sysctl.rst new file mode 100644 index 00000000..82ffd159 --- /dev/null +++ b/docs/configuration/system/sysctl.rst @@ -0,0 +1,2 @@ +sysctl +######
\ No newline at end of file diff --git a/docs/configuration/system/syslog.rst b/docs/configuration/system/syslog.rst new file mode 100644 index 00000000..3449c15b --- /dev/null +++ b/docs/configuration/system/syslog.rst @@ -0,0 +1,226 @@ +.. _syslog: + +###### +Syslog +###### + +Per default VyOSs has minimal syslog logging enabled which is stored and +rotated locally. Errors will be always logged to a local file, which includes +`local7` error messages, emergency messages will be sent to the console, too. + +To configure syslog, you need to switch into configuration mode. + +Logging +======= + +Syslog supports logging to multiple targets, those targets could be a plain +file on your VyOS installation itself, a serial console or a remote syslog +server which is reached via :abbr:`IP (Internet Protocol)` UDP/TCP. + +Console +------- + +.. cfgcmd:: set system syslog console facility <keyword> level <keyword> + +Log syslog messages to ``/dev/console``, for an explanation on +:ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords +see tables below. + + +Custom File +----------- + +.. cfgcmd:: set system syslog file <filename> facility <keyword> level <keyword> + +Log syslog messages to file specified via `<filename>`, for en explanation on +:ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see +tables below. + +.. cfgcmd:: set system syslog file <filename> archive size <size> + +Syslog will write `<size>` kilobytes into the file specified by `<filename>`. +After this limit has been reached, the custom file is "rotated" by logrotate +and a new custom file is created. + +.. cfgcmd:: set system syslog file <filename> archive file <number> + +Syslog uses logrotate to rotate logiles after a number of gives bytes. We keep +as many as `<number>` rotated file before they are deleted on the system. + + +Remote Host +----------- + +Logging to a remote host leaves the local logging configuration intact, it +can be configured in parallel to a custom file or console logging. You can log +to multiple hosts at the same time, using either TCP or UDP. The default is +sending the messages via port 514/UDP. + + +.. cfgcmd:: set system syslog host <address> facility <keyword> level <keyword> + +Log syslog messages to remote host specified by `<address>`. The address can be +specified by either FQDN or IP address. For en explanation on +:ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see +tables below. + + +.. cfgcmd:: set system syslog host <address> facility <keyword> protocol <udp|tcp> + +Configure protocol used for communication to remote syslog host. This can be +either UDP or TCP. + + +Local User Account +------------------ + +.. cfgcmd:: set system syslog user <username> facility <keyword> level <keyword> + +If logging to a local user account is configured, all defined log messages are +display on the console if the local user is logged in, if the user is not +logged in, no messages are being displayed. For en explanation on +:ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see +tables below. + +.. _syslog_facilities: + +Facilities +========== + +List of facilities used by syslog. Most facilities names are self explanatory. +Facilities local0 - local7 common usage is f.e. as network logs facilities for +nodes and network equipment. Generally it depends on the situation how to +classify logs and put them to facilities. See facilities more as a tool rather +than a directive to follow. + +Facilities can be adjusted to meet the needs of the user: + ++----------+----------+----------------------------------------------------+ +| Facility | Keyword  | Description                                        | +| Code     |          |                                                    | ++==========+==========+====================================================+ +|          | all      | All facilities                                     | ++----------+----------+----------------------------------------------------+ +| 0        | kern     | Kernel messages                                    | ++----------+----------+----------------------------------------------------+ +| 1        | user     | User-level messages                                | ++----------+----------+----------------------------------------------------+ +| 2        | mail     | Mail system                                        | ++----------+----------+----------------------------------------------------+ +| 3        | daemon   | System daemons                                     | ++----------+----------+----------------------------------------------------+ +| 4        | auth     | Security/authentication messages                   | ++----------+----------+----------------------------------------------------+ +| 5        | syslog   | Messages generated internally by syslogd           | ++----------+----------+----------------------------------------------------+ +| 6        | lpr      | Line printer subsystem                             | ++----------+----------+----------------------------------------------------+ +| 7        | news     | Network news subsystem                             | ++----------+----------+----------------------------------------------------+ +| 8        | uucp     | UUCP subsystem                                     | ++----------+----------+----------------------------------------------------+ +| 9        | cron     | Clock daemon                                       | ++----------+----------+----------------------------------------------------+ +| 10       | security | Security/authentication messages                   | ++----------+----------+----------------------------------------------------+ +| 11       | ftp      | FTP daemon                                         | ++----------+----------+----------------------------------------------------+ +| 12       | ntp      | NTP subsystem                                      | ++----------+----------+----------------------------------------------------+ +| 13       | logaudit | Log audit                                          | ++----------+----------+----------------------------------------------------+ +| 14       | logalert | Log alert                                          | ++----------+----------+----------------------------------------------------+ +| 15       | clock    | clock daemon (note 2)                              | ++----------+----------+----------------------------------------------------+ +| 16       | local0   | local use 0 (local0)                               | ++----------+----------+----------------------------------------------------+ +| 17       | local1   | local use 1 (local1)                               | ++----------+----------+----------------------------------------------------+ +| 18       | local2   | local use 2 (local2)                               | ++----------+----------+----------------------------------------------------+ +| 19       | local3   | local use 3 (local3)                               | ++----------+----------+----------------------------------------------------+ +| 20       | local4   | local use 4 (local4)                               | ++----------+----------+----------------------------------------------------+ +| 21       | local5   | local use 5 (local5)                               | ++----------+----------+----------------------------------------------------+ +| 22       | local6   |  use 6 (local6)                                    | ++----------+----------+----------------------------------------------------+ +| 23       | local7   | local use 7 (local7)                               | ++----------+----------+----------------------------------------------------+ + +.. _syslog_severity_level: + +Severity Level +============== + ++-------+---------------+---------+-------------------------------------------+ +| Value | Severity      | Keyword | Description                               | ++=======+===============+=========+===========================================+ +|       |               | all     | Log everything                            | ++-------+---------------+---------+-------------------------------------------+ +| 0     | Emergency     | emerg   | System is unusable - a panic condition    | ++-------+---------------+---------+-------------------------------------------+ +| 1     | Alert         | alert   | Action must be taken immediately - A      | +|       |               |         | condition that should be corrected        | +|       |               |         | immediately, such as a corrupted system   | +|       |               |         | database.                                 | ++-------+---------------+---------+-------------------------------------------+ +| 2     | Critical      | crit    | Critical conditions - e.g. hard drive     | +|       |               |         | errors.                                   | ++-------+---------------+---------+-------------------------------------------+ +| 3     | Error         | err     | Error conditions                          | ++-------+---------------+---------+-------------------------------------------+ +| 4     | Warning       | warning | Warning conditions                        | ++-------+---------------+---------+-------------------------------------------+ +| 5     | Notice        | notice  | Normal but significant conditions -       | +|       |               |         | conditions that are not error conditions, | +|       |               |         | but that may require special handling.    | ++-------+---------------+---------+-------------------------------------------+ +| 6     | Informational | info    | Informational messages                    | ++-------+---------------+---------+-------------------------------------------+ +| 7     | Debug         | debug   | Debug-level messages - Messages that      | +|       |               |         | contain information normally of use only  | +|       |               |         | when debugging a program.                 | ++-------+---------------+---------+-------------------------------------------+ + + +Display Logs +============ + +.. opcmd:: show log [all | authorization | cluster | conntrack-sync | ...] + +Display log files of given category on the console. Use tab completion to get +a list of available categories. Thos categories could be: all, authorization, +cluster, conntrack-sync, dhcp, directory, dns, file, firewall, https, image +lldp, nat, openvpn, snmp, tail, vpn, vrrp + +If no option is specified, this defaults to `all`. + +.. opcmd:: show log image <name> [all | authorization | directory | file <file name> | tail <lines>] + +Log messages from a specified image can be displayed on the console. Details of +allowed parameters: + +.. list-table:: +   :widths: 25 75 +   :header-rows: 0 + +   * - all +     - Display contents of all master log files of the specified image +   * - authorization +     - Display all authorization attempts of the specified image +   * - directory +     - Display list of all user-defined log files of the specified image +   * - file <file name> +     - Display contents of a specified user-defined log file of the specified image +   * - tail +     - Display last lines of the system log of the specified image +   * - <lines> +     - Number of lines to be displayed, default 10 + +When no options/parameters are used, the contents of the main syslog file are +displayed. + +.. hint:: Use ``show log | strip-private`` if you want to hide private data when sharing your logs. diff --git a/docs/configuration/system/task-scheduler.rst b/docs/configuration/system/task-scheduler.rst new file mode 100644 index 00000000..382da39f --- /dev/null +++ b/docs/configuration/system/task-scheduler.rst @@ -0,0 +1,40 @@ +.. _task-scheduler: + +############## +Task Scheduler +############## + +The task scheduler allows you to execute tasks on a given schedule. It makes +use of UNIX cron_. + +.. note:: All scripts excecuted this way are executed as root user - this may +   be dangerous. Together with :ref:`command-scripting` this can be used for +   automating (re-)configuration. + +.. cfgcmd:: set system task-scheduler task <task> interval <interval> + +   Specify the time interval when `<task>` should be executed. The interval +   is specified as number with one of the following suffixes: + +   * ``none`` - Execution interval in minutes +   * ``m`` - Execution interval in minutes +   * ``h`` - Execution interval in hours +   * ``d`` - Execution interval in days + +   .. note:: If suffix is omitted, minutes are implied. + +.. cfgcmd:: set system task-scheduler task <task> crontab-spec <spec> + +   Set execution time in common cron_ time format. A cron `<spec>` of +   ``30 */6 * * *`` would execute the `<task>` at minute 30 past every 6th hour. + +.. cfgcmd:: set system task-scheduler task <task> executable path <path> + +   Specify absolute `<path>` to script which will be run when `<task>` is +   executed. + +.. cfgcmd:: set system task-scheduler task <task> executable arguments <args> + +   Arguments which will be passed to the executable. + +.. _cron: https://en.wikipedia.org/wiki/Cron diff --git a/docs/configuration/system/time-zone.rst b/docs/configuration/system/time-zone.rst new file mode 100644 index 00000000..025c4376 --- /dev/null +++ b/docs/configuration/system/time-zone.rst @@ -0,0 +1,18 @@ +.. _timezone: + +######### +Time Zone +######### + +Time Zone setting is very important as e.g all your logfile entries will be +based on the configured zone. Without proper time zone configuration it will +be very difficult to compare logfiles from different systems. + +.. cfgcmd:: set system time-zone <timezone> + +   Specify the systems `<timezone>` as the Region/Location that best defines +   your location. For example, specifying US/Pacific sets the time zone to US +   Pacific time. + +   Command completion can be used to list available time zones. The adjustment +   for daylight time will take place automatically based on the time of year.
\ No newline at end of file diff --git a/docs/configuration/system/wifi-requlatory-domain.rst b/docs/configuration/system/wifi-requlatory-domain.rst new file mode 100644 index 00000000..2b6ce7d4 --- /dev/null +++ b/docs/configuration/system/wifi-requlatory-domain.rst @@ -0,0 +1,2 @@ +wifi-requlatory-domain +######################
\ No newline at end of file | 
