diff options
Diffstat (limited to 'docs/configuration/system')
22 files changed, 2921 insertions, 0 deletions
diff --git a/docs/configuration/system/md-acceleration.md b/docs/configuration/system/md-acceleration.md new file mode 100644 index 00000000..871129e6 --- /dev/null +++ b/docs/configuration/system/md-acceleration.md @@ -0,0 +1,158 @@ +(acceleration)= + +# Acceleration + +In this command tree, all hardware acceleration options will be handled. +At the moment only [Intel® QAT] is supported + +## Intel® QAT + +```{opcmd} show system acceleration qat + +use this command to check if there is an Intel® QAT supported Processor in your system. + +:::{code-block} none +vyos@vyos:~$ show system acceleration qat +01:00.0 Co-processor [0b40]: Intel Corporation Atom Processor C3000 Series QuickAssist Technology [8086:19e2] (rev 11) +::: + +if there is non device the command will show `` `No QAT device found` `` +``` + +```{cfgcmd} set system acceleration qat + +if there is a supported device, enable Intel® QAT +``` + + +```{opcmd} show system acceleration qat status + +Check if the Intel® QAT device is up and ready to do the job. + +:::{code-block} none +vyos@vyos:~$ show system acceleration qat status +Checking status of all devices. +There is 1 QAT acceleration device(s) in the system: +qat_dev0 - type: c3xxx, inst_id: 0, node_id: 0, bsf: 0000:01:00.0, #accel: 3 #engines: 6 state: up +::: +``` + + +### Operation Mode + +```{opcmd} show system acceleration qat device \<device\> config + +Show the full config uploaded to the QAT device. +``` + + +```{opcmd} show system acceleration qat device \<device\> flows + +Get an overview over the encryption counters. +``` + + +```{opcmd} show system acceleration qat interrupts + +Show binded qat device interrupts to certain core. +``` + + +### Example + +Let's build a simple VPN between 2 Intel® QAT ready devices. + +Side A: + +``` +set interfaces vti vti1 address '192.168.1.2/24' +set vpn ipsec authentication psk right id '10.10.10.2' +set vpn ipsec authentication psk right id '10.10.10.1' +set vpn ipsec authentication psk right secret 'Qwerty123' +set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256' +set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256' +set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14' +set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256' +set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256' +set vpn ipsec interface 'eth0' +set vpn ipsec site-to-site peer right authentication local-id '10.10.10.2' +set vpn ipsec site-to-site peer right authentication mode 'pre-shared-secret' +set vpn ipsec site-to-site peer right authentication remote-id '10.10.10.1' +set vpn ipsec site-to-site peer right connection-type 'initiate' +set vpn ipsec site-to-site peer right default-esp-group 'MyESPGroup' +set vpn ipsec site-to-site peer right ike-group 'MyIKEGroup' +set vpn ipsec site-to-site peer right local-address '10.10.10.2' +set vpn ipsec site-to-site peer right remote-address '10.10.10.1' +set vpn ipsec site-to-site peer right vti bind 'vti1' +``` + +Side B: + +``` +set interfaces vti vti1 address '192.168.1.1/24' +set vpn ipsec authentication psk left id '10.10.10.2' +set vpn ipsec authentication psk left id '10.10.10.1' +set vpn ipsec authentication psk left secret 'Qwerty123' +set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256' +set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256' +set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14' +set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256' +set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256' +set vpn ipsec interface 'eth0' +set vpn ipsec site-to-site peer left authentication local-id '10.10.10.1' +set vpn ipsec site-to-site peer left authentication mode 'pre-shared-secret' +set vpn ipsec site-to-site peer left authentication remote-id '10.10.10.2' +set vpn ipsec site-to-site peer left connection-type 'initiate' +set vpn ipsec site-to-site peer left default-esp-group 'MyESPGroup' +set vpn ipsec site-to-site peer left ike-group 'MyIKEGroup' +set vpn ipsec site-to-site peer left local-address '10.10.10.1' +set vpn ipsec site-to-site peer left remote-address '10.10.10.2' +set vpn ipsec site-to-site peer left vti bind 'vti1' +``` + +a bandwidth test over the VPN got these results: + +``` +Connecting to host 192.168.1.2, port 5201 +[ 9] local 192.168.1.1 port 51344 connected to 192.168.1.2 port 5201 +[ ID] Interval Transfer Bitrate Retr Cwnd +[ 9] 0.00-1.01 sec 32.3 MBytes 268 Mbits/sec 0 196 KBytes +[ 9] 1.01-2.03 sec 32.5 MBytes 268 Mbits/sec 0 208 KBytes +[ 9] 2.03-3.03 sec 32.5 MBytes 271 Mbits/sec 0 208 KBytes +[ 9] 3.03-4.04 sec 32.5 MBytes 272 Mbits/sec 0 208 KBytes +[ 9] 4.04-5.00 sec 31.2 MBytes 272 Mbits/sec 0 208 KBytes +[ 9] 5.00-6.01 sec 32.5 MBytes 272 Mbits/sec 0 234 KBytes +[ 9] 6.01-7.04 sec 32.5 MBytes 265 Mbits/sec 0 234 KBytes +[ 9] 7.04-8.04 sec 32.5 MBytes 272 Mbits/sec 0 234 KBytes +[ 9] 8.04-9.04 sec 32.5 MBytes 273 Mbits/sec 0 336 KBytes +[ 9] 9.04-10.00 sec 31.2 MBytes 272 Mbits/sec 0 336 KBytes +- - - - - - - - - - - - - - - - - - - - - - - - - +[ ID] Interval Transfer Bitrate Retr +[ 9] 0.00-10.00 sec 322 MBytes 270 Mbits/sec 0 sender +[ 9] 0.00-10.00 sec 322 MBytes 270 Mbits/sec receiver +``` + +with {cfgcmd}`set system acceleration qat` on both systems the bandwidth +increases. + +``` +Connecting to host 192.168.1.2, port 5201 +[ 9] local 192.168.1.1 port 51340 connected to 192.168.1.2 port 5201 +[ ID] Interval Transfer Bitrate Retr Cwnd +[ 9] 0.00-1.00 sec 97.3 MBytes 817 Mbits/sec 0 1000 KBytes +[ 9] 1.00-2.00 sec 92.5 MBytes 776 Mbits/sec 0 1.07 MBytes +[ 9] 2.00-3.00 sec 92.5 MBytes 776 Mbits/sec 0 820 KBytes +[ 9] 3.00-4.00 sec 92.5 MBytes 776 Mbits/sec 0 899 KBytes +[ 9] 4.00-5.00 sec 91.2 MBytes 765 Mbits/sec 0 972 KBytes +[ 9] 5.00-6.00 sec 92.5 MBytes 776 Mbits/sec 0 1.02 MBytes +[ 9] 6.00-7.00 sec 92.5 MBytes 776 Mbits/sec 0 1.08 MBytes +[ 9] 7.00-8.00 sec 92.5 MBytes 776 Mbits/sec 0 1.14 MBytes +[ 9] 8.00-9.00 sec 91.2 MBytes 765 Mbits/sec 0 915 KBytes +[ 9] 9.00-10.00 sec 92.5 MBytes 776 Mbits/sec 0 1000 KBytes +- - - - - - - - - - - - - - - - - - - - - - - - - +[ ID] Interval Transfer Bitrate Retr +[ 9] 0.00-10.00 sec 927 MBytes 778 Mbits/sec 0 sender +[ 9] 0.00-10.01 sec 925 MBytes 775 Mbits/sec receiver +``` + +[intel® qat]: https://www.intel.com/content/www/us/en/architecture-and-technology/intel-quick-assist-technology-overview.html diff --git a/docs/configuration/system/md-conntrack.md b/docs/configuration/system/md-conntrack.md new file mode 100644 index 00000000..f83f0684 --- /dev/null +++ b/docs/configuration/system/md-conntrack.md @@ -0,0 +1,218 @@ +# Conntrack + +VyOS can be configured to track connections using the connection +tracking subsystem. Connection tracking becomes operational once either +stateful firewall or NAT is configured. + +## Configure + +```{cfgcmd} set system conntrack table-size \<1-50000000\> +:defaultvalue: + +The connection tracking table contains one entry for each connection being +tracked by the system. +``` + +```{cfgcmd} set system conntrack expect-table-size \<1-50000000\> +:defaultvalue: + +The connection tracking expect table contains one entry for each expected +connection related to an existing connection. These are generally used by +“connection tracking helper” modules such as FTP. +The default size of the expect table is 2048 entries. +``` + +```{cfgcmd} set system conntrack hash-size \<1-50000000\> +:defaultvalue: + +Set the size of the hash table. The connection tracking hash table makes +searching the connection tracking table faster. The hash table uses +“buckets” to record entries in the connection tracking table. +``` + +```{eval-rst} +.. cfgcmd:: set system conntrack modules ftp +.. cfgcmd:: set system conntrack modules h323 +.. cfgcmd:: set system conntrack modules nfs +.. cfgcmd:: set system conntrack modules pptp +.. cfgcmd:: set system conntrack modules sip +.. cfgcmd:: set system conntrack modules sqlnet +.. cfgcmd:: set system conntrack modules tftp + + Configure the connection tracking protocol helper modules. + All modules are enable by default. + + | Use `delete system conntrack modules` to deactive all modules. + | Or, for example ftp, `delete system conntrack modules ftp`. +``` + +```{cfgcmd} set system conntrack tcp half-open-connections \<1-21474836\> +:defaultvalue: + +Set the maximum number of TCP half-open connections. +``` + +```{cfgcmd} set system conntrack tcp loose \<enable | disable\> +:defaultvalue: + +Policy to track previously established connections. +``` + +```{cfgcmd} set system conntrack tcp max-retrans \<1-2147483647\> +:defaultvalue: + +Set the number of TCP maximum retransmit attempts. +``` + +### Contrack Timeouts + +You can define custom timeout values to apply to a specific subset of +connections, based on a packet and flow selector. To do this, you need to +create a rule defining the packet and flow selector. + +```{eval-rst} +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + description <test> + + Set a rule description. + +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + destination address <ip-address> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + source address <ip-address> + + Set a destination and/or source address. Accepted input for ipv4: + + .. code-block:: none + + set system conntrack timeout custom ipv4 rule <1-999999> [source | destination] address + Possible completions: + <x.x.x.x> IPv4 address to match + <x.x.x.x/x> IPv4 prefix to match + <x.x.x.x>-<x.x.x.x> IPv4 address range to match + !<x.x.x.x> Match everything except the specified address + !<x.x.x.x/x> Match everything except the specified prefix + !<x.x.x.x>-<x.x.x.x> Match everything except the specified range + + set system conntrack timeout custom ipv6 rule <1-999999> [source | destination] address + Possible completions: + <h:h:h:h:h:h:h:h> IP address to match + <h:h:h:h:h:h:h:h/x> Subnet to match + <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h> + IP range to match + !<h:h:h:h:h:h:h:h> Match everything except the specified address + !<h:h:h:h:h:h:h:h/x> Match everything except the specified prefix + !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h> + Match everything except the specified range + +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + destination port <value> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + source port <value> + + Set a destination and/or source port. Accepted input: + + .. code-block:: none + + <port name> Named port (any name in /etc/services, e.g., http) + <1-65535> Numbered port + <start>-<end> Numbered port range (e.g., 1001-1005) + + Multiple destination ports can be specified as a comma-separated list. + The whole list can also be "negated" using '!'. For example: + `!22,telnet,http,123,1001-1005`` + +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp close <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp close-wait <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp established <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp fin-wait <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp last-ack <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp syn-recv <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp syn-sent <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp time-wait <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol udp replied <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol udp unreplied <1-21474836> + + Set the timeout in seconds for a protocol or state in a custom rule. +``` + +### Conntrack ignore rules + +:::{note} +**Important note about conntrack ignore rules:** +Starting from vyos-1.5-rolling-202406120020, ignore rules can be defined in +``set firewall [ipv4 | ipv6] prerouting raw ...``. It's expected that in +the future the conntrack ignore rules will be removed. + +> Customized ignore rules, based on a packet and flow selector. +::: + +```{eval-rst} +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + description <text> +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + destination address <ip-address> +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + destination port <port> +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + inbound-interface <interface> +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + protocol <protocol> +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + source address <ip-address> +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + source port <port> +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + tcp flags [not] <text> + + Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, + ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for + inverted selection use ``not``, as shown in the example. +``` + +### Conntrack log + +```{eval-rst} +.. cfgcmd:: set system conntrack log event destroy +.. cfgcmd:: set system conntrack log event new +.. cfgcmd:: set system conntrack log event update + + Log the connection tracking events per type. + +.. cfgcmd:: set system conntrack log event destroy icmp +.. cfgcmd:: set system conntrack log event destroy other +.. cfgcmd:: set system conntrack log event destroy tcp +.. cfgcmd:: set system conntrack log event destroy udp +.. cfgcmd:: set system conntrack log event new icmp +.. cfgcmd:: set system conntrack log event new other +.. cfgcmd:: set system conntrack log event new tcp +.. cfgcmd:: set system conntrack log event new udp +.. cfgcmd:: set system conntrack log event update icmp +.. cfgcmd:: set system conntrack log event update other +.. cfgcmd:: set system conntrack log event update tcp +.. cfgcmd:: set system conntrack log event update udp + + Log the connection tracking events per protocol. + +.. cfgcmd:: set system conntrack log timestamp + + Turn on flow-based timestamp extension. + +.. cfgcmd:: set system conntrack log queue-size <100-999999> + + Manage internal queue size, default size is 4096 events. + +.. cfgcmd:: set system conntrack log log-level <info | debug> + + Manage log level +```
\ No newline at end of file diff --git a/docs/configuration/system/md-console.md b/docs/configuration/system/md-console.md new file mode 100644 index 00000000..9017fa30 --- /dev/null +++ b/docs/configuration/system/md-console.md @@ -0,0 +1,59 @@ +(serial-console)= + +# Serial Console + +For the average user a serial console has no advantage over a console offered +by a directly attached keyboard and screen. Serial consoles are much slower, +taking up to a second to fill a 80 column by 24 line screen. Serial consoles +generally only support non-proportional ASCII text, with limited support for +languages other than English. + +There are some scenarios where serial consoles are useful. System administration +of remote computers is usually done using {ref}`ssh`, but there are times when +access to the console is the only way to diagnose and correct software failures. +Major upgrades to the installed distribution may also require console access. + +```{cfgcmd} set system console device \<device\> + +Defines the specified device as a system console. Available console devices +can be (see completion helper): +* ``ttySN`` - Serial device name +* ``ttyAMAN``- Serial device name for some arm64 systems +* ``ttyUSBX`` - USB Serial device name +* ``hvc0`` - Xen console +``` + +```{cfgcmd} set system console device \<device\> kernel + +When set, the selected serial console is used as the kernel boot console. +When removed, the kernel boot console falls back to tty0. + +:::{note} +Only one serial console can carry the ``kernel`` option. +When VyOS is installed via serial console, this option is set automatically +for the serial interface used during installation; usually ``ttyS0`` or +``ttyAMA0``. +::: +``` + +```{cfgcmd} set system console device \<device\> speed \<speed\> + +The speed (baudrate) of the console device. Supported values are: +* ``1200`` - 1200 bps +* ``2400`` - 2400 bps +* ``4800`` - 4800 bps +* ``9600`` - 9600 bps +* ``19200`` - 19,200 bps +* ``38400`` - 38,400 bps (default for Xen console) +* ``57600`` - 57,600 bps +* ``115200`` - 115,200 bps (default for serial console) + +:::{note} +If you use USB to serial converters for connecting to your VyOS +appliance please note that most of them use software emulation without flow +control. This means you should start with a common baud rate (most likely +9600 baud) as otherwise you probably can not connect to the device using +high speed baud rates as your serial converter simply can not process this +data rate. +::: +```
\ No newline at end of file diff --git a/docs/configuration/system/md-default-route.md b/docs/configuration/system/md-default-route.md new file mode 100644 index 00000000..9f2793d1 --- /dev/null +++ b/docs/configuration/system/md-default-route.md @@ -0,0 +1,40 @@ +(default-gateway)= + +# Default Gateway/Route + +In the past (VyOS 1.1) used a gateway-address configured under the system tree +({cfgcmd}`set system gateway-address <address>`), this is no longer supported +and existing configurations are migrated to the new CLI command. + +## Configuration + +```{cfgcmd} set protocols static route 0.0.0.0/0 next-hop \<address\> + +Specify static route into the routing table sending all non local traffic +to the nexthop address \<address\>. +``` + +```{cfgcmd} delete protocols static route 0.0.0.0/0 + +Delete default route from the system. +``` + + +## Operation + +```{opcmd} show ip route 0.0.0.0 + +Show routing table entry for the default route. + +:::{code-block} none +vyos@vyos:~$ show ip route 0.0.0.0 +Routing entry for 0.0.0.0/0 +Known via "static", distance 10, metric 0, best +Last update 09:46:30 ago +* 172.18.201.254, via eth0.201 +::: +``` + +:::{seealso} +Configuration of {ref}`routing-static` +::: diff --git a/docs/configuration/system/md-flow-accounting.md b/docs/configuration/system/md-flow-accounting.md new file mode 100644 index 00000000..c97d5473 --- /dev/null +++ b/docs/configuration/system/md-flow-accounting.md @@ -0,0 +1,209 @@ +(flow-accounting)= + +# Flow Accounting + +VyOS supports flow-accounting for both IPv4 and IPv6 traffic. The system acts +as a flow exporter, and you are free to use it with any compatible collector. + +Flows can be exported via protocol NetFlow (versions 5, 9 and +10/IPFIX). Additionally, you may save flows to an in-memory table +internally in a router. + +:::{warning} +You need to disable the in-memory table in production environments! +Using {abbr}`IMT (In-Memory Table)` may lead to heavy CPU overloading and +unstable flow-accounting behavior. +::: + +## NetFlow / IPFIX + +NetFlow is a feature that was introduced on Cisco routers around 1996 that +provides the ability to collect IP network traffic as it enters or exits an +interface. By analyzing the data provided by NetFlow, a network administrator +can determine things such as the source and destination of traffic, class of +service, and the causes of congestion. A typical flow monitoring setup (using +NetFlow) consists of three main components: + +- **exporter**: aggregates packets into flows and exports flow records towards + one or more flow collectors +- **collector**: responsible for reception, storage and pre-processing of flow + data received from a flow exporter +- **application**: analyzes received flow data in the context of intrusion + detection or traffic profiling, for example + +For connectionless protocols as like ICMP and UDP, a flow is considered +complete once no more packets for this flow appear after configurable timeout. + +NetFlow is usually enabled on a per-interface basis to limit load on the router +components involved in NetFlow, or to limit the amount of NetFlow records +exported. + +## Configuration + +:::{warning} +Using NetFlow on routers with high traffic levels may lead to +high CPU usage and may affect the router's performance. In such cases, +consider using sFlow instead. +::: + +In order for flow accounting information to be collected and displayed for an +interface, the interface must be configured for flow accounting. + +```{cfgcmd} set system flow-accounting interface \<interface\> + +Configure and enable collection of flow information for the interface +identified by \<interface\>. + +You can configure multiple interfaces which would participate in flow +accounting. +``` + +:::{note} +Will be recorded only packets/flows on **incoming** direction in +configured interfaces by default. +::: + +By default, recorded flows will be saved internally and can be listed with the +CLI command. You may disable using the local in-memory table with the command: + +```{cfgcmd} set system flow-accounting disable-imt + +If you need to sample also egress traffic, you may want to +configure egress flow-accounting: +``` + +```{cfgcmd} set system flow-accounting enable-egress + +Internally, in flow-accounting processes exist a buffer for data exchanging +between core process and plugins (each export target is a separated plugin). +If you have high traffic levels or noted some problems with missed records +or stopping exporting, you may try to increase a default buffer size (10 +MiB) with the next command: +``` + +```{cfgcmd} set system flow-accounting buffer-size \<buffer size\> + +In case, if you need to catch some logs from flow-accounting daemon, you may +configure logging facility: +``` + +```{cfgcmd} set system flow-accounting syslog-facility \<facility\> + +Set the syslog facility for flow-accounting log messages. Supported values +include ``daemon``, ``local0`` through ``local7``, and other standard syslog +facilities. +``` + + +### Flow Export + +In addition to displaying flow accounting information locally, one can also +exported them to a collection server. + +#### NetFlow + +```{cfgcmd} set system flow-accounting netflow version \<version\> + +There are multiple versions available for the NetFlow data. The \<version\> +used in the exported flow data can be configured here. The following +versions are supported: +* **5** - Most common version, but restricted to IPv4 flows only +* **9** - NetFlow version 9 (default) +* **10** - {abbr}`IPFIX (IP Flow Information Export)` as per {rfc}`3917` +``` + +```{cfgcmd} set system flow-accounting netflow server \<address\> + +Configure address of NetFlow collector. NetFlow server at \<address\> can +be both listening on an IPv4 or IPv6 address. +``` + +```{cfgcmd} set system flow-accounting netflow source-ip \<address\> + +IPv4 or IPv6 source address of NetFlow packets +``` + +```{cfgcmd} set system flow-accounting netflow engine-id \<id\> + +NetFlow engine-id which will appear in NetFlow data. The range is 0 to 255. +``` + +```{cfgcmd} set system flow-accounting netflow sampling-rate \<rate\> + +Use this command to configure the sampling rate for flow accounting. The +system samples one in every \<rate\> packets, where \<rate\> is the value +configured for the sampling-rate option. The advantage of sampling every n +packets, where n > 1, allows you to decrease the amount of processing +resources required for flow accounting. The disadvantage of not sampling +every packet is that the statistics produced are estimates of actual data +flows. + +Per default every packet is sampled (that is, the sampling rate is 1). +``` + +```{cfgcmd} set system flow-accounting netflow timeout expiry-interval \<interval\> + +Specifies the interval at which Netflow data will be sent to a collector. As +per default, Netflow data will be sent every 60 seconds. + +You may also additionally configure timeouts for different types of +connections. +``` + +```{cfgcmd} set system flow-accounting netflow max-flows \<n\> + +If you want to change the maximum number of flows, which are tracking +simultaneously, you may do this with this command (default 8192). +``` + + +### Example: + +NetFlow v5 example: + +```none +set system flow-accounting netflow engine-id 100 +set system flow-accounting netflow version 5 +set system flow-accounting netflow server 192.168.2.10 port 2055 +``` + + +## Operation + +Once flow accounting is configured on an interfaces it provides the ability to +display captured network traffic information for all configured interfaces. + +```{opcmd} show flow-accounting interface \<interface\> + +Show flow accounting information for given \<interface\>. + + +:::{code-block} none +vyos@vyos:~$ show flow-accounting interface eth0 +IN_IFACE SRC_MAC DST_MAC SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL TOS PACKETS FLOWS BYTES +---------- ----------------- ----------------- ------------------------ --------------- ---------- ---------- ---------- ----- --------- ------- ------- +eth0 00:53:01:a8:28:ac ff:ff:ff:ff:ff:ff 192.0.2.2 255.255.255.255 5678 5678 udp 0 1 1 178 +eth0 00:53:01:b2:2f:34 33:33:ff:00:00:00 fe80::253:01ff:feb2:2f34 ff02::1:ff00:0 0 0 ipv6-icmp 0 2 1 144 +eth0 00:53:01:1a:b4:53 33:33:ff:00:00:00 fe80::253:01ff:fe1a:b453 ff02::1:ff00:0 0 0 ipv6-icmp 0 1 1 72 +eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40152 22 tcp 16 39 1 2064 +eth0 00:53:01:c8:33:af ff:ff:ff:ff:ff:ff 192.0.2.3 255.255.255.255 5678 5678 udp 0 1 1 154 +eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40006 22 tcp 16 146 1 9444 +eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 0 0 icmp 192 27 1 4455 +::: +``` + +```{opcmd} show flow-accounting interface \<interface\> host \<address\> + +Show flow accounting information for given \<interface\> for a specific host +only. + + +:::{code-block} none +vyos@vyos:~$ show flow-accounting interface eth0 host 192.0.2.14 +IN_IFACE SRC_MAC DST_MAC SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL TOS PACKETS FLOWS BYTES +---------- ----------------- ----------------- ----------- ---------- ---------- ---------- ---------- ----- --------- ------- ------- +eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40006 22 tcp 16 197 2 12940 +eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40152 22 tcp 16 94 1 4924 +eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 0 0 icmp 192 36 1 5877 +::: +```
\ No newline at end of file diff --git a/docs/configuration/system/md-frr.md b/docs/configuration/system/md-frr.md new file mode 100644 index 00000000..1741e286 --- /dev/null +++ b/docs/configuration/system/md-frr.md @@ -0,0 +1,45 @@ +(system-frr)= + +# FRR + +VyOS uses [FRRouting](https://frrouting.org/) as the control plane for dynamic +and static routing. The routing daemon behavior can be adjusted during runtime, +but requires either a restart of the routing daemon, or a reboot of the system. + +```{cfgcmd} set system frr bmp + +Enable {abbr}`BMP (BGP Monitoring Protocol)` support. +``` + +```{cfgcmd} set system frr descriptors \<numer\> + +This allows the operator to control the number of open file descriptors +each daemon is allowed to start with. If the operator plans to run bgp with +several thousands of peers then this is where we would modify FRR to allow +this to happen. +``` + +```{cfgcmd} set system frr irdp + +Enable ICMP Router Discovery Protocol support. +``` + +```{cfgcmd} set system frr profile \<traditional | datacenter\> + +Select an FRR profile to adapt its default settings. If unset, the +traditional profile is applied. +``` + +```{cfgcmd} set system frr snmp \<daemon\> + +Enable SNMP support for an individual routing daemon. + +Supported daemons: +- bgpd +- isisd +- ldpd +- ospf6d +- ospfd +- ripd +- zebra +```
\ No newline at end of file diff --git a/docs/configuration/system/md-host-name.md b/docs/configuration/system/md-host-name.md new file mode 100644 index 00000000..81840d1f --- /dev/null +++ b/docs/configuration/system/md-host-name.md @@ -0,0 +1,70 @@ +(host-information)= + +# Host Information + +This section describes the system's host information and how to configure them, +it covers the following topics: + +- Host name +- Domain +- IP address +- Aliases + +## Hostname + +A hostname is the label (name) assigned to a network device (a host) on a +network and is used to distinguish one device from another on specific networks +or over the internet. On the other hand this will be the name which appears on +the command line prompt. + +```{cfgcmd} set system host-name \<hostname\> + + The hostname can be up to 63 characters. A hostname + must start and end with a letter or digit, and have as interior characters + only letters, digits, or a hyphen. + + The default hostname used is `vyos`. +``` + +## Domain Name + + +A domain name is the label (name) assigned to a computer network and is thus +unique. VyOS appends the domain name as a suffix to any unqualified name. For +example, if you set the domain name `example.com`, and you would ping the +unqualified name of `crux`, then VyOS qualifies the name to `crux.example.com`. + +```{cfgcmd} set system domain-name \<domain\> + +Configure system domain name. A domain name must start and end with a letter +or digit, and have as interior characters only letters, digits, or a hyphen. +``` + +## Static Hostname Mapping + + +How an IP address is assigned to an interface in {ref}`ethernet-interface`. +This section shows how to statically map an IP address to a hostname for local +(meaning on this VyOS instance) name resolution. This is the VyOS equivalent to +`/etc/hosts` file entries. + + +:::{note} +Do *not* manually edit `/etc/hosts`. This file will automatically be +regenerated on boot based on the settings in this section, which means you'll +lose all your manual edits. Instead, configure static host mappings as follows. +::: + +```{cfgcmd} set system static-host-mapping host-name \<hostname\> inet \<address\> + +Create a static hostname mapping which will always resolve the name +`<hostname>` to IP address `<address>`. +``` +```{cfgcmd} set system static-host-mapping host-name \<hostname\> alias \<alias\> + +Create named `<alias>` for the configured static mapping for `<hostname>`. +Thus the address configured as {cfgcmd}`set system static-host-mapping +host-name <hostname> inet <address>` can be reached via multiple names. + +Multiple aliases can be specified per host-name. +```
\ No newline at end of file diff --git a/docs/configuration/system/md-index.md b/docs/configuration/system/md-index.md new file mode 100644 index 00000000..e0b8a5a1 --- /dev/null +++ b/docs/configuration/system/md-index.md @@ -0,0 +1,34 @@ +# System + +```{toctree} +:includehidden: true +:maxdepth: 1 + +acceleration +conntrack +console +flow-accounting +frr +host-name +ip +ipv6 +lcd +login +name-server +option +proxy +sflow +syslog +sysctl +task-scheduler +time-zone +updates +watchdog +``` + +```{toctree} +:includehidden: true +:maxdepth: 1 + +default-route +``` diff --git a/docs/configuration/system/md-ip.md b/docs/configuration/system/md-ip.md new file mode 100644 index 00000000..717ee57d --- /dev/null +++ b/docs/configuration/system/md-ip.md @@ -0,0 +1,126 @@ +# IP + +## System configuration commands + +```{cfgcmd} set system ip disable-forwarding + +Use this command to disable IPv4 forwarding on all interfaces. +``` + +```{cfgcmd} set system ip disable-directed-broadcast + +Use this command to disable IPv4 directed broadcast forwarding on all +interfaces. + +If set, IPv4 directed broadcast forwarding will be completely disabled +regardless of whether per-interface directed broadcast forwarding is +enabled or not. +``` + +```{cfgcmd} set system ip arp table-size \<number\> + +Use this command to define the maximum number of entries to keep in +the ARP cache (1024, 2048, 4096, 8192, 16384, 32768). +``` + +```{cfgcmd} set system ip multipath layer4-hashing + +Use this command to use Layer 4 information for IPv4 ECMP hashing. +``` + +```{cfgcmd} set system ip import-table \<table-id\> + +Use this command to immport the table, by given table id, into the main RIB. +``` + +```{cfgcmd} set system ip import-table \<table-id\> distance \<distance\> + +Use this command to override the default distance when importing routers +from the alternate table. +``` + +```{cfgcmd} set system ip import-table \<table-id\> route-map \<route-map\> + +Use this command to filter routes that are imported into the main table +from alternate table using route-map. +``` + + +### Zebra/Kernel route filtering + +Zebra supports prefix-lists and Route Maps to match routes received from +other FRR components. The permit/deny facilities provided by these commands +can be used to filter which routes zebra will install in the kernel. + +```{cfgcmd} set system ip protocol \<protocol\> route-map \<route-map\> + +Apply a route-map filter to routes for the specified protocol. The following +protocols can be used: any, babel, bgp, eigrp, isis, ospf, rip, static + +:::{note} +If you choose any as the option that will cause all protocols that +are sending routes to zebra. +::: +``` + + +### Nexthop Tracking + +Nexthop tracking resolve nexthops via the default route by default. This is enabled +by default for a traditional profile of FRR which we use. It and can be disabled if +you do not want to e.g. allow BGP to peer across the default route. + +```{cfgcmd} set system ip nht no-resolve-via-default + +Do not allow IPv4 nexthop tracking to resolve via the default route. This +parameter is configured per-VRF, so the command is also available in the VRF +subnode. +``` + + +## Operational commands + +### show commands + +See below the different parameters available for the IPv4 **show** command: + +```none +vyos@vyos:~$ show ip +Possible completions: + access-list Show all IP access-lists + as-path-access-list + Show all as-path-access-lists + bgp Show Border Gateway Protocol (BGP) information + community-list + Show IP community-lists + extcommunity-list + Show extended IP community-lists + forwarding Show IP forwarding status + groups Show IP multicast group membership + igmp Show IGMP (Internet Group Management Protocol) information + large-community-list + Show IP large-community-lists + multicast Show IP multicast + ospf Show IPv4 Open Shortest Path First (OSPF) routing information + pim Show PIM (Protocol Independent Multicast) information + ports Show IP ports in use by various system services + prefix-list Show all IP prefix-lists + protocol Show IP route-maps per protocol + rip Show Routing Information Protocol (RIP) information + route Show IP routes +``` + + +### reset commands + +And the different IPv4 **reset** commands available: + +```none +vyos@vyos:~$ reset ip +Possible completions: + arp Reset Address Resolution Protocol (ARP) cache + bgp Clear Border Gateway Protocol (BGP) statistics or status + igmp IGMP clear commands + multicast IP multicast routing table + route Reset IP route +``` diff --git a/docs/configuration/system/md-ipv6.md b/docs/configuration/system/md-ipv6.md new file mode 100644 index 00000000..ee0a6ade --- /dev/null +++ b/docs/configuration/system/md-ipv6.md @@ -0,0 +1,193 @@ +# IPv6 + +## System configuration commands + +```{cfgcmd} set system ipv6 disable-forwarding + + Use this command to disable IPv6 forwarding on all interfaces. +``` + + +```{cfgcmd} set system ipv6 neighbor table-size \<number\> + +Use this command to define the maximum number of entries to keep in +the Neighbor cache (1024, 2048, 4096, 8192, 16384, 32768). +``` + + +```{cfgcmd} set system ipv6 strict-dad + +Use this command to disable IPv6 operation on interface when +Duplicate Address Detection fails on Link-Local address. +``` + + +```{cfgcmd} set system ipv6 multipath layer4-hashing + +Use this command to user Layer 4 information for ECMP hashing. +``` + +### Zebra/Kernel route filtering + + +Zebra supports prefix-lists and Route Maps to match routes received from +other FRR components. The permit/deny facilities provided by these commands +can be used to filter which routes zebra will install in the kernel. + +```{cfgcmd} set system ipv6 protocol \<protocol\> route-map \<route-map\> + +Apply a route-map filter to routes for the specified protocol. The following +protocols can be used: any, babel, bgp, isis, ospfv3, ripng, static + +:::{note} +If you choose any as the option that will cause all protocols that +are sending routes to zebra. +::: +``` + +### Nexthop Tracking + + +Nexthop tracking resolve nexthops via the default route by default. This is enabled +by default for a traditional profile of FRR which we use. It and can be disabled if +you do not want to e.g. allow BGP to peer across the default route. + +```{cfgcmd} set system ipv6 nht no-resolve-via-default + +Do not allow IPv6 nexthop tracking to resolve via the default route. This +parameter is configured per-VRF, so the command is also available in the VRF +subnode. +``` + +## Operational commands + + +### Show commands + +```{opcmd} show ipv6 neighbors + +Use this command to show IPv6 Neighbor Discovery Protocol information. +``` + + +```{opcmd} show ipv6 groups + +Use this command to show IPv6 multicast group membership. +``` + + +```{opcmd} show ipv6 forwarding + +Use this command to show IPv6 forwarding status. +``` + + +```{opcmd} show ipv6 route + +Use this command to show IPv6 routes. + +Check the many parameters available for the show ipv6 route command: + +:::{code-block} none +vyos@vyos:~$ show ipv6 route +Possible completions: + <Enter> Execute the current command + <X:X::X:X> Show IPv6 routes of given address or prefix + <X:X::X:X/M> + bgp Show IPv6 BGP routes + cache Show kernel IPv6 route cache + connected Show IPv6 connected routes + forward Show kernel IPv6 route table + isis Show IPv6 ISIS routes + kernel Show IPv6 kernel routes + ospfv3 Show IPv6 OSPF6 routes + ripng Show IPv6 RIPNG routes + static Show IPv6 static routes + summary Show IPv6 routes summary + table Show IP routes in policy table + tag Show only routes with tag + vrf Show IPv6 routes in VRF +::: +``` +```{opcmd} show ipv6 prefix-list + + Use this command to show all IPv6 prefix lists + + There are different parameters for getting prefix-list information: + + :::{code-block} none + vyos@vyos:~$ show ipv6 prefix-list + Possible completions: + <Enter> Execute the current command + <WORD> Show specified IPv6 prefix-list + detail Show detail of IPv6 prefix-lists + summary Show summary of IPv6 prefix-lists + ::: +``` + + +```{opcmd} show ipv6 access-list + +Use this command to show all IPv6 access lists + +You can also specify which IPv6 access-list should be shown: + +:::{code-block} none +vyos@vyos:~$ show ipv6 access-list +Possible completions: + <Enter> Execute the current command + <text> Show specified IPv6 access-list +::: +``` +```{opcmd} show ipv6 ospfv3 + + Use this command to get information about OSPFv3. + + You can get more specific OSPFv3 information by using the parameters + shown below: + + :::{code-block} none + vyos@vyos:~$ show ipv6 ospfv3 + Possible completions: + <Enter> Execute the current command + area Show OSPFv3 spf-tree information + border-routers + Show OSPFv3 border-router (ABR and ASBR) information + database Show OSPFv3 Link state database information + interface Show OSPFv3 interface information + linkstate Show OSPFv3 linkstate routing information + neighbor Show OSPFv3 neighbor information + redistribute Show OSPFv3 redistribute External information + route Show OSPFv3 routing table information + ::: +``` + + +```{opcmd} show ipv6 ripng + +Use this command to get information about the RIPNG protocol +``` + + +```{opcmd} show ipv6 ripng status + +Use this command to show the status of the RIPNG protocol +``` + +### Reset commands + +```{opcmd} reset bgp ipv6 \<address\> + +Use this command to clear Border Gateway Protocol statistics or +status. +``` +```{opcmd} reset ipv6 neighbors \<address | interface\> + +Use this command to reset IPv6 Neighbor Discovery Protocol cache for +an address or interface. +``` +```{opcmd} reset ipv6 route cache + +Use this command to flush the kernel IPv6 route cache. +An address can be added to flush it only for that route. +```
\ No newline at end of file diff --git a/docs/configuration/system/md-lcd.md b/docs/configuration/system/md-lcd.md new file mode 100644 index 00000000..ef9031ea --- /dev/null +++ b/docs/configuration/system/md-lcd.md @@ -0,0 +1,41 @@ +(system-display)= + +# System Display (LCD) + +The system LCD {abbr}`LCD (Liquid-crystal display)` option is for users running +VyOS on hardware that features an LCD display. This is typically a small display +built in an 19 inch rack-mountable appliance. Those displays are used to show +runtime data. + +To configure your LCD display you must first identify the used hardware, and +connectivity of the display to your system. This can be any serial port +(`ttySxx`) or serial via USB or even old parallel port interfaces. + +## Configuration + +```{cfgcmd} set system lcd device \<device\> + +This is the name of the physical interface used to connect to your LCD +display. Tab completion is supported and it will list you all available +serial interface. + +For serial via USB port information please refer to the USB hardware section. +``` + +```{cfgcmd} set system lcd model \<model\> + +This is the LCD model used in your system. + +At the time of this writing the following displays are supported: +* Crystalfontz CFA-533 +* Crystalfontz CFA-631 +* Crystalfontz CFA-633 +* Crystalfontz CFA-635 + +:::{note} +We can't support all displays from the beginning. If your display +type is missing, please create a feature request via +Phabricator. +::: +``` + diff --git a/docs/configuration/system/md-login.md b/docs/configuration/system/md-login.md new file mode 100644 index 00000000..288d30a8 --- /dev/null +++ b/docs/configuration/system/md-login.md @@ -0,0 +1,604 @@ +--- +lastproofread: '2026-01-12' +--- + +(user-management)= + +# Login/user management + +The default VyOS user account (`vyos`), as well as newly created user accounts, +possess full system configuration privileges. These accounts are granted sudo +privileges, allowing them to execute commands as the root user. + +VyOS supports both local authentication and remote authentication via +{abbr}`RADIUS (Remote Authentication Dial-In User Service)`/ {abbr}`TACACS+ +(Terminal Access Controller Access-Control System)`. + +## Local authentication + +```{cfgcmd} set system login user \<name\> full-name "\<string\>" + +**Configure the real name or description for a system user.** + +If the description includes spaces, enclose ``<string>`` in double quotes. + +If the user ``<name>`` already exists, the command updates the current +description. If not, it creates a new user with the specified description. +``` + +```{cfgcmd} set system login user \<name\> authentication plaintext-password \<password\> + +**Configure a password for a system user.** + +Enter the password in plaintext. Upon ``commit``, VyOS hashes the password for +secure storage and removes the plaintext value. + +If the user ``<name>`` already exists, the command updates the current password. +If not, it creates a new user with the specified plaintext password. +``` + +```{cfgcmd} set system login user \<name\> authentication encrypted-password \<password\> + +**Configure a pre-encrypted password for a system user.** + +Enter the password in its hashed format. Upon ``commit``, VyOS stores this value +directly without modification. + +If the user ``<name>`` already exists, the command updates the current password. +If not, it creates a new user with the specified pre-encrypted password. +``` + +```{cfgcmd} set system login user \<name\> authentication principal \<principal\> + +**Configure an SSH certificate principal for a system user.** + +Enter the principal (a string included in the user's signed SSH certificate). +Upon ``commit``, VyOS stores this mapping, allowing the user to log in if the +certificate they present contains this principal. + +If the user ``<name>`` already exists, the command updates the principal. If not, +it creates a new user linked to the specified principal. + +**If not configured**, the principal defaults to ``<name>``. +``` + +```{cfgcmd} set system login user \<name\> disable + +**Disable a system user account.** + +VyOS locks the account, preventing the user from logging in. +``` + +(ssh_key_based_authentication)= + +## Key-based authentication + +Key-based authentication is the recommended method for securing SSH access in +VyOS. It uses a **public/private key pair** to verify user identity without +requiring a password. To authorize access, you assign **SSH public keys** to +user accounts on the router, while SSH private keys remain on local devices. +VyOS allows assigning multiple SSH public keys to a single user account, which +is useful for accessing a router from different devices. + +### Generate the key pair + +Generate an SSH key pair on your **local machine** using the `ssh-keygen` +command. This creates two files: +- **Private key** (e.g., `id_rsa`): Remains on your local machine and must + never be shared. +- **Public key** (e.g., `id_rsa.pub`): Is used to configure the VyOS user + account. By default, it is saved to `~/.ssh/id_rsa.pub`. + +Each SSH public key consists of three parts, separated by spaces: +- **Encryption algorithm type:** `ssh-rsa`, `ssh-ed25519`, etc. +- **Key:** The actual data (a long string beginning with `AAAA...`). +- **Comment:** An identifier for your reference (e.g., `user@host`). + +Only the encryption algorithm type and key parts are required to +configure the authorization entry in VyOS. The comment part is optional. + +:::{seealso} +{ref}`SSH operation <ssh_operation>` +::: + +:::{warning} +SSH key strings are long. When copying and pasting, ensure your +terminal does not insert line breaks. The key must be entered as a **single +line** to function correctly. +::: + +### Configure the router + +To configure SSH public key authentication for a user account, run the +following two commands using the same `<identifier>`: + +```{cfgcmd} set system login user \<username\> authentication public-keys \<identifier\> key \<key\> + +**Configure the SSH public key for the user account.** +* ``<identifier>``: A unique label that identifies this specific key entry. +* ``<key>``: The actual string of characters from your public key. +``` + +```{cfgcmd} set system login user \<username\> authentication public-keys \<identifier\> type \<type\> + +**Configure the SSH key's encryption type.** + +The following encryption algorithm types are available: + +* ``ecdsa-sha2-nistp256`` +* ``ecdsa-sha2-nistp384`` +* ``ecdsa-sha2-nistp521`` +* ``ssh-dss`` +* ``ssh-ed25519`` +* ``ssh-rsa`` + +:::{note} +To assign multiple SSH public keys to a user account, repeat the +commands above with a unique identifier for each key. +::: +``` + +```{cfgcmd} set system login user \<username\> authentication public-keys \<identifier\> options \<options\> + +**Configure specific restrictions or behaviors for an SSH public key.** + +``<options>``: A string of comma-separated values that define permissions +or restrictions for this key. + +The command accepts standard OpenSSH options listed in the router's +``~/.ssh/authorized_keys`` file. + +To include a ``"`` character in the options string, use ``"``. + +For example, to restrict allowed source IP addresses for an SSH public key, +use: ``from="10.0.0.0/24"``. +``` + + +## OTP-based MFA + +VyOS lets you enhance user access security by enabling {abbr}`OTP (One-time +password)`-based {abbr}`MFA (Multi-factor Authentication)` for individual +users. Users with {abbr}`OTP (One-time password)`-based {abbr}`MFA +(Multi-factor Authentication)` must enter a valid {abbr}`OTP (One-time +password)` along with their password at login. Users without {abbr}`OTP +(One-time password)`-based {abbr}`MFA (Multi-factor Authentication)` use +standard authentication. + +```{cfgcmd} set system login user \<username\> authentication otp key \<key\> + +**Configure** {abbr}`OTP (One-time password)`**-based** {abbr}`MFA +(Multi-factor Authentication)` **for a user.** + +``<key>``: A Base32-encoded secret key. This key must be added to the user's +authenticator app to generate valid {abbr}`OTPs (One-time passwords)`. + +**When configured**, the user is required to enter their password followed by +a valid OTP for all subsequent logins. +``` + + +### OTP settings + +```{cfgcmd} set system login user \<username\> authentication otp rate-limit \<limit\> + +**Configure the number of** {abbr}`OTP (One-time password)` **authentication +attempts allowed within a specified time period.** + +If this limit is exceeded, the user is temporarily blocked. + +The default value is 3 attempts. The valid range is 1 to 10 attempts. +``` + +```{cfgcmd} set system login user \<username\> authentication otp rate-time \<seconds\> + +**Configure the time period, in seconds, for tracking** {abbr}`OTP (One-time +password)` **authentication attempts.** + +The default value is 30 seconds. The valid range is 1 to 600 seconds. +``` + +```{cfgcmd} set system login user \<username\> authentication otp window-size \<size\> + +**Configure the** {abbr}`OTP (One-time password)` **window size for a user.** + +The {abbr}`OTP (One-time password)` window size defines the number of +concurrently valid {abbr}`OTPs (One-time passwords)` that the authentication +server accepts. This setting assumes a new token is generated every 30 seconds. + +The default value is 3. This permits 3 concurrent codes: the code for the +current 30-second interval, the preceding code, and the following code. This +allows up to 30 seconds of time skew between the authentication server and +client. + +If the window size is increased to 17, the system permits 17 concurrent codes +(the current code, the 8 preceding codes, and the 8 following codes). This +allows for a time skew of up to 4 minutes. + +The valid range is 1 to 21. +``` + + +### Generate an OTP-key + +Use the following command to generate an OTP key: + +```{cfgcmd} generate system login username \<username\> otp-key hotp-time rate-limit \<1-10\> rate-time \<15-600\> window-size \<1-21\> +``` + +Key generation example: + +```none +vyos@vyos:~$ generate system login username otptester otp-key hotp-time rate-limit 2 rate-time 20 window-size 5 +# You can share it with the user, he just needs to scan the QR in his OTP app +# username: otptester +# OTP KEY: J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY +# OTP URL: otpauth://totp/otptester@vyos?secret=J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY&digits=6&period=30 +█████████████████████████████████████████████ +█████████████████████████████████████████████ +████ ▄▄▄▄▄ █▀█ █▄ ▀▄▀▄█▀▄ ▀█▀ █ ▄▄▄▄▄ ████ +████ █ █ █▀▀▀█ ▄▀ █▄▀ ▀▄ ▄ ▀ ▄█ █ █ ████ +████ █▄▄▄█ █▀ █▀▀██▄▄ █ █ ██ ▀▄▀ █ █▄▄▄█ ████ +████▄▄▄▄▄▄▄█▄▀ ▀▄█ █ ▀ █ █ █ █▄█▄█▄▄▄▄▄▄▄████ +████ ▄ █▄ ▄ ▀▄▀▀▀▀▄▀▄▀▄▄▄▀▀▄▄▄ █ █▄█ █████ +████▄▄ ██▀▄▄▄▀▀█▀ ▄ ▄▄▄ ▄▀ ▀ █ ▄ ▄ ██▄█ ████ +█████▄ ██▄▄▀█▄█▄█▄ ▀█▄▀▄ ▀█▀▄ █▄▄▄ ▄ ▄████ +████▀▀▄ ▄█▀▄▀ ▄█▀█▀▄▄▄▀█▄ ██▄▄▄ ▀█ █ ████ +████ ▄▀▄█▀▄▄█▀▀▄▀▀▀▀█ ▄▀▄▀ ▄█ ▀▄ ▄ ▄▀ █▄████ +████▄ ██ ▀▄▀▀ ▄█▀ ▄ ██ ▀█▄█ ▄█ ▄ ▀▄ ▄▄ ████ +████▄█▀▀▄ ▄▄ █▄█▄█▄ █▄▄▀▄▄▀▀▄▄██▀ ▄▀▄▄ ▀▄████ +████▀▄▀ ▄ ▄▀█ ▄ ▄█▀ █ ▀▄▄ ▄█▀ ▄▄ ▀▄▄ ████ +████ ▀███▄ █▄█▄▀▀▀▀▄ ▄█▄▄▀ ▀███ ▄▄█▄▄ ▄████ +████ ███▀ ▄▄▀▀██▀ ▄▀▄█▄▄▄ ██▄▄▀▄▀ ███▄ ▄████ +████▄████▄▄▄▀▄ █▄█▄▀▄▄▄▄██▀ ▄▀ ▄ ▄▄▄ █▄▄█████ +████ ▄▄▄▄▄ █▄▄▄ ▄█▀█▀▀▀▀█▀█▀ █▄█ █▄█ ▄█ ████ +████ █ █ █ ██▄▀▀▀▀▄▄▄▀ ▄▄▄ ▀ ▄ ▄ ▄▄████ +████ █▄▄▄█ █ ▀▀█▀ ▄▄█ █▄▄██▀▀█▀ █▄▀▄██▄█ ████ +████▄▄▄▄▄▄▄█▄█▄█▄█▄▄▄▄▄█▄▄▄█▄██████▄██▄▄▄████ +█████████████████████████████████████████████ +█████████████████████████████████████████████ +# To add this OTP key to configuration, run the following commands: +set system login user otptester authentication otp key 'J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY' +set system login user otptester authentication otp rate-limit '2' +set system login user otptester authentication otp rate-time '20' +set system login user otptester authentication otp window-size '5' +``` + +### Display the OTP key for a user + +Use the following command to display the {abbr}`OTP (One-time password)` +key for a user: + +```{cfgcmd} sh system login authentication user \<username\> otp \<full | key-b32 | qrcode | uri\> +``` + +Example: + +```none +vyos@vyos:~$ sh system login authentication user otptester otp full +# You can share the OTP key with the user. They just need to scan the QR in their OTP app. +# username: otptester +# OTP KEY: J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY +# OTP URL: otpauth://totp/otptester@vyos?secret=J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY&digits=6&period=30 +█████████████████████████████████████████████ +█████████████████████████████████████████████ +████ ▄▄▄▄▄ █▀█ █▄ ▀▄▀▄█▀▄ ▀█▀ █ ▄▄▄▄▄ ████ +████ █ █ █▀▀▀█ ▄▀ █▄▀ ▀▄ ▄ ▀ ▄█ █ █ ████ +████ █▄▄▄█ █▀ █▀▀██▄▄ █ █ ██ ▀▄▀ █ █▄▄▄█ ████ +████▄▄▄▄▄▄▄█▄▀ ▀▄█ █ ▀ █ █ █ █▄█▄█▄▄▄▄▄▄▄████ +████ ▄ █▄ ▄ ▀▄▀▀▀▀▄▀▄▀▄▄▄▀▀▄▄▄ █ █▄█ █████ +████▄▄ ██▀▄▄▄▀▀█▀ ▄ ▄▄▄ ▄▀ ▀ █ ▄ ▄ ██▄█ ████ +█████▄ ██▄▄▀█▄█▄█▄ ▀█▄▀▄ ▀█▀▄ █▄▄▄ ▄ ▄████ +████▀▀▄ ▄█▀▄▀ ▄█▀█▀▄▄▄▀█▄ ██▄▄▄ ▀█ █ ████ +████ ▄▀▄█▀▄▄█▀▀▄▀▀▀▀█ ▄▀▄▀ ▄█ ▀▄ ▄ ▄▀ █▄████ +████▄ ██ ▀▄▀▀ ▄█▀ ▄ ██ ▀█▄█ ▄█ ▄ ▀▄ ▄▄ ████ +████▄█▀▀▄ ▄▄ █▄█▄█▄ █▄▄▀▄▄▀▀▄▄██▀ ▄▀▄▄ ▀▄████ +████▀▄▀ ▄ ▄▀█ ▄ ▄█▀ █ ▀▄▄ ▄█▀ ▄▄ ▀▄▄ ████ +████ ▀███▄ █▄█▄▀▀▀▀▄ ▄█▄▄▀ ▀███ ▄▄█▄▄ ▄████ +████ ███▀ ▄▄▀▀██▀ ▄▀▄█▄▄▄ ██▄▄▀▄▀ ███▄ ▄████ +████▄████▄▄▄▀▄ █▄█▄▀▄▄▄▄██▀ ▄▀ ▄ ▄▄▄ █▄▄█████ +████ ▄▄▄▄▄ █▄▄▄ ▄█▀█▀▀▀▀█▀█▀ █▄█ █▄█ ▄█ ████ +████ █ █ █ ██▄▀▀▀▀▄▄▄▀ ▄▄▄ ▀ ▄ ▄ ▄▄████ +████ █▄▄▄█ █ ▀▀█▀ ▄▄█ █▄▄██▀▀█▀ █▄▀▄██▄█ ████ +████▄▄▄▄▄▄▄█▄█▄█▄█▄▄▄▄▄█▄▄▄█▄██████▄██▄▄▄████ +█████████████████████████████████████████████ +█████████████████████████████████████████████ +# To add this OTP key to configuration, run the following commands: +set system login user otptester authentication otp key 'J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY' +set system login user otptester authentication otp rate-limit '2' +set system login user otptester authentication otp rate-time '20' +set system login user otptester authentication otp window-size '5' +``` + +Once {abbr}`OTP (One-time password)`-based {abbr}`MFA (Multi-factor +Authentication)` is configured for a user account, this user must enter their +standard password followed by the current 6-digit OTP code at login. For +example, if the user's password is `vyosrocks` and the OTP is `817454`, they +should enter `vyosrocks817454`. + +## RADIUS authentication + +For large-scale deployments, managing individual user accounts across multiple +VyOS instances is inefficient. VyOS supports centralized authentication via +{abbr}`RADIUS (Remote Authentication Dial-In User Service)`, consolidating user +account management on a single backend server. + +### Configuration + +```{cfgcmd} set system login radius server \<address\> key \<secret\> + +**Configure the** {abbr}`RADIUS (Remote Authentication Dial-In User Service)` +**server's IP address and shared secret.** + +The shared secret is used to verify the router's identity and to encrypt user +passwords during authentication. + +You can configure multiple {abbr}`RADIUS (Remote Authentication Dial-In User +Service)` servers. +``` + +```{cfgcmd} set system login radius server \<address\> port \<port\> + +**Configure the UDP port for communication with the** {abbr}`RADIUS (Remote +Authentication Dial-In User Service)` **server.** + +The default port is 1812. +``` + +```{cfgcmd} set system login radius server \<address\> disable + +**Disable a** {abbr}`RADIUS (Remote Authentication Dial-In User Service)` +**server from the authentication process.** + +Disabling a specific {abbr}`RADIUS (Remote Authentication Dial-In User +Service)` server doesn’t remove its configuration settings (the server’s IP +address and shared secret). +``` + +```{cfgcmd} set system login radius server \<address\> timeout \<timeout\> + +Configure the duration, in seconds, that the VyOS router waits for a +response from the {abbr}`RADIUS (Remote Authentication Dial-In User Service)` +server after sending an authentication request. + +If the server does not respond within this timeframe, the VyOS router tries to +connect to another configured server or falls back to local authentication. +``` + +```{cfgcmd} set system login radius source-address \<address\> + +**Configure the source IP address the router uses for** {abbr}`RADIUS (Remote +Authentication Dial-In User Service)` **authentication requests.** + +A consistent source IP address is recommended as RADIUS servers typically +accept requests only from known, trusted IP addresses. + +If not explicitly defined, the router uses the current egress interface +address, which may change (e.g., due to a link outage), causing authentication +failures. +``` + +```{cfgcmd} set system login radius vrf \<name\> + +**Configure the router to send all** {abbr}`RADIUS (Remote Authentication +Dial-In User Service)` **authentication requests via a specific VRF.** + +By default, {abbr}`RADIUS (Remote Authentication Dial-In User Service)` +authentication requests are sent via the global routing table. +``` + +### Configuration example + +```none +set system login radius server 192.168.0.2 key 'test-vyos' +set system login radius server 192.168.0.2 port '1812' +set system login radius server 192.168.0.2 timeout '5' +set system login radius source-address '192.168.0.1' +``` + +If communication with the {abbr}`RADIUS (Remote Authentication Dial-In User +Service)` server fails, the router falls back to local user authentication. +During this process, users may experience a login delay while the system waits +for the {abbr}`RADIUS (Remote Authentication Dial-In User Service)` request to +time out. This delay depends on the configured timeout value. + +:::{hint} +To grant administrative privileges to {abbr}`RADIUS (Remote +Authentication Dial-In User Service)`-authenticated users, the server must +return the Cisco-AV-Pair attribute set to `shell:priv-lvl=15`. Otherwise, users +receive standard privileges and cannot perform configuration tasks. +::: + +## TACACS+ authentication + +In addition to {abbr}`RADIUS (Remote Authentication Dial-In User Service)`, +VyOS supports {abbr}`TACACS+ (Terminal Access Controller Access Control +System)`, which is commonly used in large enterprise environments. + +Unlike {abbr}`RADIUS (Remote Authentication Dial-In User Service)`, +{abbr}`TACACS+ (Terminal Access Controller Access Control System)` separates +Authentication, Authorization, and Accounting (AAA) into independent processes +and encrypts the entire packet body for enhanced security. + +{abbr}`TACACS+ (Terminal Access Controller Access Control System)` is defined +in {rfc}`8907`. +(tacacs-configuration)= + +### Configuration + +```{cfgcmd} set system login tacacs server \<address\> key \<secret\> + +**Configure the** {abbr}`TACACS+ (Terminal Access Controller Access Control +System)` **server IP address and shared secret.** + +Unlike {abbr}`RADIUS (Remote Authentication Dial-In User Service)`, which +encrypts only passwords, {abbr}`TACACS+ (Terminal Access Controller Access +Control System)` encrypts the entire packet body for enhanced security. + +You can configure multiple {abbr}`TACACS+ (Terminal Access Controller Access +Control System)` servers. +``` + +```{cfgcmd} set system login tacacs server \<address\> port \<port\> + +**Configure the TCP port for communication with the** {abbr}`TACACS+ (Terminal +Access Controller Access Control System)` **server.** + +The default port is 49. +``` + +```{cfgcmd} set system login tacacs server \<address\> disable + +**Disable a** {abbr}`TACACS+ (Terminal Access Controller Access Control +System)` **server from the authentication process.** + +Disabling a specific {abbr}`TACACS+ (Terminal Access Controller Access Control +System)` server doesn’t remove its configuration settings (the server’s IP +address and shared secret). +``` + +```{cfgcmd} set system login tacacs server \<address\> timeout \<timeout\> + +Configure the duration, in seconds, that the VyOS router waits for a +response from the {abbr}`TACACS+ (Terminal Access Controller Access +Control System)` server after sending an authentication request. + +If the server does not respond within this timeframe, the VyOS router tries +to connect to another configured server or falls back to local authentication. +``` + +```{cfgcmd} set system login tacacs source-address \<address\> + +**Configure the source IP address the router uses for** +{abbr}`TACACS+ (Terminal Access Controller Access Control System)` +**authentication requests.** + +A consistent source IP address is recommended as {abbr}`TACACS+ (Terminal +Access Controller Access Control System)` servers typically accept requests +only from known, trusted IP addresses. + +If not explicitly defined, the router uses the current egress interface address, +which may change (e.g., due to a link outage), causing authentication failures. +``` + +```{cfgcmd} set system login tacacs vrf \<name\> + +Configure the router to send all {abbr}`TACACS+ (Terminal Access Controller +Access Control System)` authentication requests via a specific VRF. + +By default, {abbr}`TACACS+ (Terminal Access Controller Access Control System)` +authentication requests are sent via the global routing table. +``` + +(login-tacacs-example)= + +### Configuration example + +```none +set system login tacacs server 192.168.0.2 key 'test-vyos' +set system login tacacs server 192.168.0.2 port '49' +set system login tacacs source-address '192.168.0.1' +``` + +If communication with the {abbr}`TACACS+ (Terminal Access Controller Access +Control System)` server fails, the router falls back to local user +authentication. + +## Login banners + +VyOS allows you to configure **pre-login** and **post-login** banners. +Pre-login banners are typically used for system identification, legal disclaimers, or security warnings +displayed before authentication, while post-login banners provide system +information or operational notices to users after login. + +```{cfgcmd} set system login banner pre-login \<message\> + +Configure a message to be shown to users before the ``username`` and ``password`` +prompts appear. +``` + +```{cfgcmd} set system login banner post-login \<message\> + +Configure a message to be shown to users after successful authentication. +``` +:::{note} +Use `\\n` to insert line breaks in multi-line banner messages. +::: + +## Login session limits + +```{cfgcmd} set system login max-login-session \<number\> + +**Configure the maximum number of concurrent login sessions.** +``` +:::{note} +If you limit concurrent login sessions, you must also configure a +session `<timeout>`. This clears inactive sessions and prevents blocking new +login attempts. +::: +```{cfgcmd} set system login timeout \<timeout\> + +**Configure the login session timeout, in seconds.** + +Idle login sessions are terminated after this period. +``` + +## Configuration examples + +Example 1: Multi-key SSH with MFA and source restrictions + +In this configuration, `User1` and `User2` both use the vyos user account, +each with a unique SSH key. `User1` is restricted to authentication from a +single IP address. + +For both users, password-based logins require {abbr}`OTP (One-time password)` +-based {abbr}`MFA (Multi-factor Authentication)`. + +```none +set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW" +set system login user vyos authentication public-keys 'User1' type ssh-rsa +set system login user vyos authentication public-keys 'User1' options "from="192.168.0.100"" + +set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3" +set system login user vyos authentication public-keys 'User2' type ssh-rsa + +set system login user vyos authentication otp key OHZ3OJ7U2N25BK4G7SOFFJTZDTCFUUE2 +set system login user vyos authentication plaintext-password vyos +``` + +Example 2: Containerized {abbr}`TACACS+ (Terminal Access Controller Access Control System)` +deployment with redundancy. + +In this configuration, the VyOS router hosts its own authentication +infrastructure using two containerized {abbr}`TACACS+ (Terminal Access +Controller Access Control System)` servers (`tacacs1` and `tacacs2`) on a +private network for redundancy. + +System logins are authenticated against credentials stored within these internal +containers rather than the router's local user database. + +First, download the image in operational mode: + +```none +add container image lfkeitel/tacacs_plus:latest +``` + +Next, configure the containers in configuration mode: + +```none +set container network tac-test prefix '100.64.0.0/24' + +set container name tacacs1 image 'lfkeitel/tacacs_plus:latest' +set container name tacacs1 network tac-test address '100.64.0.11' + +set container name tacacs2 image 'lfkeitel/tacacs_plus:latest' +set container name tacacs2 network tac-test address '100.64.0.12' + +set system login tacacs server 100.64.0.11 key 'tac_plus_key' +set system login tacacs server 100.64.0.12 key 'tac_plus_key' + +commit +``` + +You can now log in via SSH or console using `admin/admin` credentials supplied +by the container image. diff --git a/docs/configuration/system/md-name-server.md b/docs/configuration/system/md-name-server.md new file mode 100644 index 00000000..9090ba5f --- /dev/null +++ b/docs/configuration/system/md-name-server.md @@ -0,0 +1,65 @@ +(system-dns)= + +# System DNS + +:::{warning} +If you are configuring a VRF for management purposes, there is +currently no way to force system DNS traffic via a specific VRF. +::: + +This section describes configuring DNS on the system, namely: + +> - DNS name servers +> - Domain search order + +## DNS name servers + +```{cfgcmd} set system name-server \<address\> + +Use this command to specify a DNS server for the system to be used +for DNS lookups. More than one DNS server can be added, configuring +one at a time. Both IPv4 and IPv6 addresses are supported. +``` + + +### Example + +In this example, some *OpenNIC* servers are used, two IPv4 addresses +and two IPv6 addresses: + +```none +set system name-server 176.9.37.132 +set system name-server 195.10.195.195 +set system name-server 2a01:4f8:161:3441::1 +set system name-server 2a00:f826:8:2::195 +``` + + +## Domain search order + +In order for the system to use and complete unqualified host names, a +list can be defined which will be used for domain searches. + +```{cfgcmd} set system domain-search \<domain\> + +Use this command to define domains, one at a time, so that the system +uses them to complete unqualified host names. Maximum: 6 entries. +``` + +:::{note} +Domain names can include letters, numbers, hyphens and periods +with a maximum length of 253 characters. +::: + +(name-server-domain-search-order-example)= + +### Example + +The system is configured to attempt domain completion in the following +order: vyos.io (first), vyos.net (second) and vyos.network (last): + +```none +set system domain-search vyos.io +set system domain-search vyos.net +set system domain-search vyos.network +``` diff --git a/docs/configuration/system/md-option.md b/docs/configuration/system/md-option.md new file mode 100644 index 00000000..c7a6ccf2 --- /dev/null +++ b/docs/configuration/system/md-option.md @@ -0,0 +1,190 @@ +(system-option)= + +# Option + +This chapter describe the possibilities of advanced system behavior. + +## General + +```{cfgcmd} set system option ctrl-alt-delete \<ignore | reboot | poweroff\> + +Action which will be run once the ctrl-alt-del keystroke is received. +``` + +```{cfgcmd} set system option reboot-on-panic + +Automatically reboot system on kernel panic after 60 seconds. +``` + +```{cfgcmd} set system option reboot-on-upgrade-failure \<timeout\> + +Automatically reboot after `timeout` minutes into the previous running +image, that was used to perform the image upgrade. + +Reboot `timeout` is configurable in minutes. This gives the user the change +to log into the system and perform some analysis before automatic rebooting. + +Automatic reboot can be cancelled after login using: {opcmd}`reboot cancel` +``` + +```{cfgcmd} set system option startup-beep + +Play an audible beep to the system speaker when system is ready. +``` + +```{cfgcmd} set system option root-partition-auto-resize + +Enables the root partition auto-extension and resizes to the maximum +available space on system boot. +``` + + +### Kernel + +```{cfgcmd} set system option kernel disable-mitigations + +Disable all optional CPU mitigations. This improves system performance, +but it may also expose users to several CPU vulnerabilities. + +This will add the following option to the Kernel commandline: +* ``mitigations=off`` + +:::{note} +Setting will only become active with the next reboot! +::: +``` + +```{cfgcmd} set system option kernel disable-power-saving + +This will add the following two options to the Kernel commandline: +* ``intel_idle.max_cstate=0`` Disable intel_idle and fall back on acpi_idle +* ``processor.max_cstate=1`` Limit processor to maximum C-state 1 + +:::{note} +Setting will only become active with the next reboot! +::: +``` + +```{cfgcmd} set system option kernel amd-pstate-driver \<mode\> + +Enables and configures p-state driver for modern AMD Ryzen and Epyc CPUs. + +The available modes are: +* ``active`` This is the low-level firmware control mode based on the profile +set and the system governor has no effect. +* ``passive`` The driver allows the system governor to manage CPU frequency +while providing available performance states. +* ``guided`` The driver allows to set desired performance levels and the firmware +selects a performance level in this range and fitting to the current workload. + +This will add the following two options to the Kernel commandline: +* ``initcall_blacklist=acpi_cpufreq_init`` Disable default ACPI CPU frequency scale +* ``amd_pstate={mode}`` Sets the p-state mode + +:::{note} +Setting will only become active with the next reboot! +::: + +:::{seealso} +<https://docs.kernel.org/admin-guide/pm/amd-pstate.html> +::: +``` + +```{cfgcmd} set system option kernel quiet + +Suppress most kernel messages during boot. This is useful for systems with +embedded serial console interfaces to speed up the boot process. +``` + + +## HTTP client + +```{cfgcmd} set system option http-client source-address \<address\> + +Several commands utilize cURL to initiate transfers. Configure the local +source IPv4/IPv6 address used for all cURL operations. +``` + +```{cfgcmd} set system option http-client source-interface \<interface\> + +Several commands utilize curl to initiate transfers. Configure the local +source interface used for all CURL operations. +``` + +:::{note} +`source-address` and `source-interface` can not be used at the same +time. +::: + +## SSH client + +```{cfgcmd} set system option ssh-client source-address \<address\> + +Use the specified address on the local machine as the source address of the +connection. Only useful on systems with more than one address. +``` + +```{cfgcmd} set system option ssh-client source-interface \<interface\> + +Use the address of the specified interface on the local machine as the +source address of the connection. +``` + + +## Keyboard Layout + +When starting a VyOS live system (the installation CD) the configured keyboard +layout defaults to US. As this might not suite everyone's use case you can adjust +the used keyboard layout on the system console. + +```{cfgcmd} set system option keyboard-layout \<us | fr | de | fi | no | dk\> + +Change system keyboard layout to given language. + +Defaults to ``us``. + +:::{note} +Changing the keymap only has an effect on the system console, using +SSH or Serial remote access to the device is not affected as the keyboard +layout here corresponds to your access system. +::: +``` + +(system-options-performance)= + +## Performance + +As more and more routers run on Hypervisors, expecially with a {abbr}`NOS +(Network Operating System)` as VyOS, it makes fewer and fewer sense to use +static resource bindings like `smp-affinity` as present in VyOS 1.2 and +earlier to pin certain interrupt handlers to specific CPUs. + +We now utilize `tuned` for dynamic resource balancing based on profiles. + +:::{seealso} +<https://access.redhat.com/sites/default/files/attachments/201501-perf-brief-low-latency-tuning-rhel7-v2.1.pdf> +::: + +```{cfgcmd} set system option performance \< throughput | latency \> + +Configure one of the predefined system performance profiles. + +* ``throughput``: A server profile focused on improving network throughput. + This profile favors performance over power savings by setting + ``intel_pstate`` and ``max_perf_pct=100`` and increasing kernel network + buffer sizes. + + It enables transparent huge pages, and uses cpupower to set the performance + cpufreq governor. It also sets ``kernel.sched_min_granularity_ns`` to 10 us, + ``kernel.sched_wakeup_granularity_ns`` to 15 uss, and ``vm.dirty_ratio`` to + 40%. + +* ``latency``: A server profile focused on lowering network latency. + This profile favors performance over power savings by setting + ``intel_pstate`` and ``min_perf_pct=100``. + + It disables transparent huge pages, and automatic NUMA balancing. It also + uses cpupower to set the performance cpufreq governor, and requests a + cpu_dma_latency value of 1. It also sets busy_read and busy_poll times to + 50 us, and tcp_fastopen to 3. +```
\ No newline at end of file diff --git a/docs/configuration/system/md-proxy.md b/docs/configuration/system/md-proxy.md new file mode 100644 index 00000000..286e835f --- /dev/null +++ b/docs/configuration/system/md-proxy.md @@ -0,0 +1,27 @@ +(system-proxy)= + +# System Proxy + +Some IT environments require the use of a proxy to connect to the Internet. +Without this configuration VyOS updates could not be installed directly by +using the {opcmd}`add system image` command ({ref}`update_vyos`). + +```{cfgcmd} set system proxy url \<url\> + +Set proxy for all connections initiated by VyOS, including HTTP, HTTPS, and +FTP (anonymous ftp). +``` +```{cfgcmd} set system proxy port \<port\> + +Configure proxy port if it does not listen to the default port 80. +``` +```{cfgcmd} set system proxy username \<username\> + +Some proxys require/support the "basic" HTTP authentication scheme as per +{rfc}`7617`, thus a username can be configured. +``` +```{cfgcmd} set system proxy password \<password\> + +Some proxys require/support the "basic" HTTP authentication scheme as per +{rfc}`7617`, thus a password can be configured. +```
\ No newline at end of file diff --git a/docs/configuration/system/md-sflow.md b/docs/configuration/system/md-sflow.md new file mode 100644 index 00000000..350bbdd8 --- /dev/null +++ b/docs/configuration/system/md-sflow.md @@ -0,0 +1,66 @@ +# sFlow + +VyOS supports sFlow accounting for both IPv4 and IPv6 traffic. The system acts as a flow exporter, and you are free to use it with any compatible collector. + +sFlow is a technology that enables monitoring of network traffic by sending sampled packets to a collector device. + +The sFlow accounting based on hsflowd <https://sflow.net/> + +## Configuration + +```{cfgcmd} set system sflow agent-address \<address\> + +Configure sFlow agent IPv4 or IPv6 address +``` +```{cfgcmd} set system sflow agent-interface \<interface\> + +Configure agent IP address associated with this interface. +``` +```{cfgcmd} set system sflow drop-monitor-limit \<limit\> + + Dropped packets reported on DROPMON Netlink channel by Linux kernel are exported via the standard sFlow v5 extension for reporting dropped packets +``` + + +```{cfgcmd} set system sflow interface \<interface\> + +Configure and enable collection of flow information for the interface identified by \<interface\>. + +You can configure multiple interfaces which would participate in sflow accounting. +``` +```{cfgcmd} set system sflow polling \<sec\> + + Configure schedule counter-polling in seconds (default: 30) +``` + + +```{cfgcmd} set system sflow sampling-rate \<rate\> + +Use this command to configure the sampling rate for sFlow accounting (default: 1000) +``` + + +```{cfgcmd} set system sflow server \<address\> port \<port\> + +Configure address of sFlow collector. sFlow server at \<address\> can be both listening on an IPv4 or IPv6 address. +``` + + +```{cfgcmd} set system sflow enable-egress + +Use this command to if you need to sample also egress traffic +``` + +## Example + +```none +set system sflow agent-address '192.0.2.14' +set system sflow agent-interface 'eth0' +set system sflow drop-monitor-limit '50' +set system sflow interface 'eth0' +set system sflow interface 'eth1' +set system sflow polling '30' +set system sflow sampling-rate '1000' +set system sflow server 192.0.2.1 port '6343' +set system sflow server 203.0.113.23 port '6343' +``` diff --git a/docs/configuration/system/md-sysctl.md b/docs/configuration/system/md-sysctl.md new file mode 100644 index 00000000..90434fb2 --- /dev/null +++ b/docs/configuration/system/md-sysctl.md @@ -0,0 +1,16 @@ +(sysctl)= + +# Sysctl + +:::{note} +This page is a stub and needs expansion. Contributions +welcome via the [VyOS documentation repository](https://github.com/vyos/vyos-documentation). +::: + +This chapter describes how to configure kernel parameters at runtime. + +`sysctl` is used to modify kernel parameters at runtime. The parameters +available are those listed under /proc/sys/. + +```{cfgcmd} set system sysctl parameter \<parameter\> value \<value\> +```
\ No newline at end of file diff --git a/docs/configuration/system/md-syslog.md b/docs/configuration/system/md-syslog.md new file mode 100644 index 00000000..ae30d272 --- /dev/null +++ b/docs/configuration/system/md-syslog.md @@ -0,0 +1,450 @@ +(syslog)= + +# Syslog + +## Overview + +By default, VyOS provides a minimal logging configuration with local storage +and log rotation. All errors, including local7 messages, are saved to a local +file. Emergency alerts are sent to the console. + +To change these settings, enter configuration mode. + +## Syslog configuration + +Syslog supports logging to multiple destinations: a local file, a console, or +a remote syslog server over UDP or TCP. + +The syslog configuration is organized into the following categories: + +- Global settings +- Local logging +- Console logging +- Remote logging +- TLS-encrypted remote logging + +### Global settings + +Configure the general behavior of the syslog service. + +```{cfgcmd} set system syslog marker interval \<number\> + +**Configure the interval, in seconds, for sending syslog mark messages.** + +Syslog mark messages confirm the logging service is operational. + +Default: 1200 seconds. +``` + +```{cfgcmd} set system syslog marker disable + +Disable sending syslog mark messages. +``` + +```{cfgcmd} set system syslog preserve-fqdn + +**Configure how the logging device's hostname appears in log messages sent +to a remote syslog server.** + +If configured, the device includes its {abbr}`FQDN (Fully Qualified Domain +Name)` in log messages, even if the syslog server is in the same domain. +``` + + +### Local logging + +Configure which log messages to save to a local log file. + +```{cfgcmd} set system syslog local \<filename\> facility \<keyword\> level \<keyword\> + +**Configure syslog to save log messages for a specific facility and +severity level to \`\`/var/log/messages\`\`.** + +Refer to the tables below for valid facility and severity options. +``` + +(syslog-console)= + +### Console logging + +Configure which log messages to send to `/dev/console`. + +```{cfgcmd} set system syslog console facility \<keyword\> level \<keyword\> + +**Configure syslog to send log messages for a specific facility and severity +level to the device's console.** + +Refer to the tables below for valid facility and severity options. +``` + +(syslog-remote)= + +### Remote logging + +Configure **remote logging** to send log messages to a remote syslog server. + +Remote logging does not affect either **local** or **console logging** and +runs in parallel with them. Remote logging supports sending log messages +to multiple hosts. + +```{cfgcmd} set system syslog remote \<address\> facility \<keyword\> level \<keyword\> + +**Configure log transmission to the remote syslog server for a specific +facility and severity level.** + +The server’s address can be specified using either a {abbr}`FQDN (Fully +Qualified Domain Name)` or an IP address. + +Refer to the tables below for valid facility and severity options. +``` + +```{cfgcmd} set system syslog remote \<address\> protocol \<udp | tcp\> + +**Configure the protocol for log transmission.** + +The protocol can be either UDP or TCP. By default, log messages are sent +over UDP. +``` + +```{cfgcmd} set system syslog remote \<address\> port \<port\> + +**Configure the port for log transmission.** + +By default, the standard port 514 is used. +``` + +```{cfgcmd} set system syslog remote \<address\> format include-timezone + +**Configure log transmission in the RFC 5424 format.** + +The RFC 5424 format includes the timezone in the timestamp. For example: + +:::{code-block} none +<34>1 2003-10-11T22:14:15.003-07:00 mymachine.example.com su - ID47 - BOM’su root’ failed for lonvick on /dev/pts/8. +::: + +By default, log messages are sent in the RFC 3164 format. For example: + +:::{code-block} none +<34>Oct 11 22:14:15 mymachine su: ‘su root’ failed for lonvick on /dev/pts/8 +::: +``` + +```{cfgcmd} set system syslog remote \<address\> format octet-counted + +**Enable octet-counted framing for log transmission.** + +When enabled, multi-line log messages are sent without splitting. Ensure +the remote server supports octet-counted framing to avoid parsing errors. + +Octet-counted framing is not available for the UDP protocol. +``` + +```{cfgcmd} set system syslog remote \<address\> vrf \<name\> + +Configure the {abbr}`VRF (Virtual Routing and Forwarding)` instance +for log transmission. +``` + +```{cfgcmd} set system syslog remote \<address\> source-address \<address\> + +Configure the source IP address (IPv4 or IPv6) for log transmission. +``` + + +#### {abbr}`TLS (Transport Layer Security)`-encrypted remote logging + +VyOS supports {abbr}`TLS (Transport Layer Security)`-encrypted remote logging +over TCP to ensure secure transmission of syslog data to remote syslog servers. + +**Prerequisites**: Before configuring {abbr}`TLS (Transport Layer +Security)`-encrypted remote logging, ensure you have: +- A valid remote syslog server address. +- Valid {abbr}`CA (Certificate Authority)` and client certificates uploaded + to the local {abbr}`PKI (Public Key Infrastructure)` storage. +- The **remote syslog transport protocol** is set to **TCP**: + + ```none + set system syslog remote <address> protocol tcp + ``` + +:::{note} +{abbr}`TLS (Transport Layer Security)`-encrypted remote logging is +**not supported** over **UDP**. +::: +```{cfgcmd} set system syslog remote \<address\> tls + +Enable TLS-encrypted remote logging. + +``` + +```{cfgcmd} set system syslog remote \<address\> tls ca-certificate \<ca_name\> + +**Configure the** {abbr}`CA (Certificate Authority)` **certificate.** + +The syslog client uses the {abbr}`CA (Certificate Authority)` certificate to +verify the identity of the remote syslog server. + +The {abbr}`CA (Certificate Authority)` certificate is required for **all** +authentication modes except ``anon``. + +``` + +```{cfgcmd} set system syslog remote \<address\> tls certificate \<cert_name\> + +**Configure the client certificate.** + +The remote syslog server uses the client certificate to verify the identity +of the syslog client. + +The client certificate is required if the remote syslog server enforces +client certificate verification. + +``` + +````{cfgcmd} set system syslog remote \<address\> tls auth-mode \<anon | fingerprint | certvalid | name\> + +**Configure the authentication mode.** + +The authentication mode defines how the syslog client verifies the syslog +server's identity. + +The following authentication modes are available: + +```{eval-rst} +* ``anon`` **(default)**: Allows encrypted connections without verifying the syslog + server's identity. This mode is **not recommended**, as it is vulnerable to + :abbr:`MITM (Man-in-the-Middle)` attacks. +* ``fingerprint``: Verifies the server’s certificate fingerprint against the + value preconfigured with: + + .. code-block:: none + + set system syslog remote <address> tls permitted-peer <peer> + +* ``certvalid``: Verifies the server certificate is signed by a trusted + :abbr:`CA (Certificate Authority)`, skipping :abbr:`CN (Common Name)` check. +* ``name``: Verifies that: + + * The server’s certificate is signed by a trusted :abbr:`CA (Certificate + Authority)`. + * The :abbr:`CN (Common Name)` in the certificate matches the value + preconfigured with: + + .. code-block:: none + + set system syslog remote <address> tls permitted-peer <peer> + + This is a **recommended** secure mode for production environments. +``` + +```` + +```{cfgcmd} set system syslog remote \<address\> tls permitted-peer \<peer\> + +**Configure the peer certificate identifiers.** + +The certificate identifier format depends on the authentication mode: +* ``fingerprint``: Enter the expected certificate fingerprints (SHA-1 or +SHA-256). +* ``name``: Enter the expected certificate {abbr}`CNs (Common Names)`. + +For ``anon`` and ``certvalid`` authentication modes, certificate identifiers +are not required. + +``` + +#### Examples: + +```none +# Example of 'anon' authentication mode +set system syslog remote 10.10.2.3 facility all level debug +set system syslog remote 10.10.2.3 port 6514 +set system syslog remote 10.10.2.3 protocol tcp +set system syslog remote 10.10.2.3 tls auth-mode anon +# or just use 'set system syslog remote 10.10.2.3 tls' + +# Example of 'certvalid' authentication mode +set system syslog remote elk.example.com facility all level debug +set system syslog remote elk.example.com port 6514 +set system syslog remote elk.example.com protocol tcp +set system syslog remote elk.example.com tls ca-certificate my-ca +set system syslog remote elk.example.com tls auth-mode certvalid + +# Example of 'fingerprint' authentication mode +set system syslog remote syslog.example.com facility all level debug +set system syslog remote syslog.example.com port 6514 +set system syslog remote syslog.example.com protocol tcp +set system syslog remote syslog.example.com tls ca-certificate my-ca +set system syslog remote syslog.example.com tls auth-mode fingerprint +set system syslog remote syslog.example.com tls permitted-peers 'SHA1:10:C4:26:...,SHA256:7B:4B:10:...' + +# Example of 'name' authentication mode +set system syslog remote graylog.example.com facility all level debug +set system syslog remote graylog.example.com port 6514 +set system syslog remote graylog.example.com protocol tcp +set system syslog remote graylog.example.com tls ca-certificate my-ca +set system syslog remote graylog.example.com tls certificate syslog-client +set system syslog remote graylog.example.com tls auth-mode name +set system syslog remote graylog.example.com tls permitted-peers 'graylog.example.com' +``` + +#### Security recommendations + +- For secure deployments, always use the `name` authentication mode. It + ensures that the server is validated by a trusted {abbr}`CA (Certificate + Authority)` and that the hostname matches the certificate. +- Use the `anon` authentication mode only in testing environments, as it + doesn't provide server authentication. +- Ensure private keys are generated, stored, and maintained exclusively within + the {doc}`PKI system </configuration/pki/index>`. +(syslog_facilities)= + +## Syslog facilities + +This section lists facilities used by syslog. Most facility names are self- +explanatory. The local0–local7 facilities are used for custom purposes, such as +logging from network nodes and equipment. Facility assignment is flexible and +should be tailored to your company's needs. Consider facilities as categorization +tools, rather than strict directives. + +```{eval-rst} ++----------+----------+----------------------------------------------------+ +| Facility | Keyword | Description | +| code | | | ++==========+==========+====================================================+ +| | all | All facilities | ++----------+----------+----------------------------------------------------+ +| 0 | kern | Kernel messages | ++----------+----------+----------------------------------------------------+ +| 1 | user | User-level messages | ++----------+----------+----------------------------------------------------+ +| 2 | mail | Mail system | ++----------+----------+----------------------------------------------------+ +| 3 | daemon | System daemons | ++----------+----------+----------------------------------------------------+ +| 4 | auth | Security/authentication messages | ++----------+----------+----------------------------------------------------+ +| 5 | syslog | Messages generated internally by syslog | ++----------+----------+----------------------------------------------------+ +| 6 | lpr | Line printer subsystem | ++----------+----------+----------------------------------------------------+ +| 7 | news | Network news subsystem | ++----------+----------+----------------------------------------------------+ +| 8 | uucp | UUCP subsystem | ++----------+----------+----------------------------------------------------+ +| 9 | cron | Clock daemon | ++----------+----------+----------------------------------------------------+ +| 10 | security | Security/authentication messages | ++----------+----------+----------------------------------------------------+ +| 11 | ftp | FTP daemon | ++----------+----------+----------------------------------------------------+ +| 12 | ntp | NTP subsystem | ++----------+----------+----------------------------------------------------+ +| 13 | logaudit | Log audit | ++----------+----------+----------------------------------------------------+ +| 14 | logalert | Log alert | ++----------+----------+----------------------------------------------------+ +| 15 | clock | clock daemon (note 2) | ++----------+----------+----------------------------------------------------+ +| 16 | local0 | local use 0 (local0) | ++----------+----------+----------------------------------------------------+ +| 17 | local1 | local use 1 (local1) | ++----------+----------+----------------------------------------------------+ +| 18 | local2 | local use 2 (local2) | ++----------+----------+----------------------------------------------------+ +| 19 | local3 | local use 3 (local3) | ++----------+----------+----------------------------------------------------+ +| 20 | local4 | local use 4 (local4) | ++----------+----------+----------------------------------------------------+ +| 21 | local5 | local use 5 (local5) | ++----------+----------+----------------------------------------------------+ +| 22 | local6 | local use 6 (local6) | ++----------+----------+----------------------------------------------------+ +| 23 | local7 | local use 7 (local7) | ++----------+----------+----------------------------------------------------+ +``` + +(syslog_severity_level)= + +## Severity levels + +```{eval-rst} ++-------+---------------+---------+-------------------------------------------+ +| Value | Severity | Keyword | Description | ++=======+===============+=========+===========================================+ +| | | all | Log everything. | ++-------+---------------+---------+-------------------------------------------+ +| 0 | Emergency | emerg | System is unusable - a panic condition. | ++-------+---------------+---------+-------------------------------------------+ +| 1 | Alert | alert | Action must be taken immediately - A | +| | | | condition that should be corrected | +| | | | immediately, such as a corrupted system | +| | | | database. | ++-------+---------------+---------+-------------------------------------------+ +| 2 | Critical | crit | Critical conditions - e.g., hard drive | +| | | | errors. | ++-------+---------------+---------+-------------------------------------------+ +| 3 | Error | err | Error conditions. | ++-------+---------------+---------+-------------------------------------------+ +| 4 | Warning | warning | Warning conditions. | ++-------+---------------+---------+-------------------------------------------+ +| 5 | Notice | notice | Normal but significant conditions - | +| | | | conditions that are not error conditions, | +| | | | but that may require special handling. | ++-------+---------------+---------+-------------------------------------------+ +| 6 | Informational | info | Informational messages. | ++-------+---------------+---------+-------------------------------------------+ +| 7 | Debug | debug | Debug-level messages - Messages that | +| | | | contain information normally of use only | +| | | | when debugging a program. | ++-------+---------------+---------+-------------------------------------------+ +``` + +## Display logs + +```{opcmd} show log [all | authorization | cluster | conntrack-sync | ...] + +**Display logs for a specific category on the console.** + +Use tab completion to view a list of available categories. + +If no category is specified, all logs are shown. + +``` + +````{opcmd} show log image \<name\> [all | authorization | directory | file \<file name\> | tail \<lines\>] + +**Display logs for a specific image on the console.** + +Available log categories: + +```{eval-rst} +.. list-table:: + :widths: 25 75 + :header-rows: 0 + + * - all + - Displays the contents of system log files of the specified image. + * - authorization + - Displays authorization attempts of the specified image. + * - directory + - Displays user-defined log files of the specified image. + * - file <file name> + - Displays the contents of a specified user-defined log file of the specified + image. + * - tail + - Displays last lines of the system log of the specified image. + * - <lines> + - Number of lines to be displayed, default 10. +``` + +```` + +If no category is specified, the contents of the main syslog file are +displayed. + +:::{hint} +Use `show log | strip-private` to hide private data +when displaying your logs. +::: diff --git a/docs/configuration/system/md-task-scheduler.md b/docs/configuration/system/md-task-scheduler.md new file mode 100644 index 00000000..94ca9f4d --- /dev/null +++ b/docs/configuration/system/md-task-scheduler.md @@ -0,0 +1,45 @@ +(task-scheduler)= + +# Task Scheduler + +The task scheduler allows you to execute tasks on a given schedule. It makes +use of UNIX [cron]. + +:::{note} +All scripts executed this way are executed as root user - this may +be dangerous. Together with {ref}`command-scripting` this can be used for +automating (re-)configuration. +::: + +```{cfgcmd} set system task-scheduler task \<task\> interval \<interval\> + +Specify the time interval when `<task>` should be executed. The interval +is specified as number with one of the following suffixes: +* ``none`` - Execution interval in minutes +* ``m`` - Execution interval in minutes +* ``h`` - Execution interval in hours +* ``d`` - Execution interval in days + +:::{note} +If suffix is omitted, minutes are implied. +::: +``` + +```{cfgcmd} set system task-scheduler task \<task\> crontab-spec \<spec\> + +Set execution time in common cron time format. A cron `<spec>` of +``30 */6 * * *`` would execute the `<task>` at minute 30 past every 6th hour. +``` + +```{cfgcmd} set system task-scheduler task \<task\> executable path \<path\> + +Specify absolute `<path>` to script which will be run when `<task>` is +executed. +``` + +```{cfgcmd} set system task-scheduler task \<task\> executable arguments \<args\> + +Arguments which will be passed to the executable. +``` + +[cron]: https://en.wikipedia.org/wiki/Cron diff --git a/docs/configuration/system/md-time-zone.md b/docs/configuration/system/md-time-zone.md new file mode 100644 index 00000000..2279a773 --- /dev/null +++ b/docs/configuration/system/md-time-zone.md @@ -0,0 +1,17 @@ +(timezone)= + +# Time Zone + +Time Zone setting is very important as e.g all your logfile entries will be +based on the configured zone. Without proper time zone configuration it will +be very difficult to compare logfiles from different systems. + +```{cfgcmd} set system time-zone \<timezone\> + +Specify the systems \<timezone\> as the Region/Location that best defines +your location. For example, specifying US/Pacific sets the time zone to US +Pacific time. + +Command completion can be used to list available time zones. The adjustment +for daylight time will take place automatically based on the time of year. +```
\ No newline at end of file diff --git a/docs/configuration/system/md-updates.md b/docs/configuration/system/md-updates.md new file mode 100644 index 00000000..c82d37be --- /dev/null +++ b/docs/configuration/system/md-updates.md @@ -0,0 +1,36 @@ +# Updates + +VyOS supports online checking for updates + +## Configuration + +```{cfgcmd} set system update-check auto-check + +Configure auto-checking for new images +``` + +```{cfgcmd} set system update-check url \<url\> + +Configure a URL that contains information about images. +``` + + +## Example + +```none +set system update-check auto-check +set system update-check url 'https://raw.githubusercontent.com/vyos/vyos-rolling-nightly-builds/main/version.json' +``` + +Check: + +```none +vyos@r4:~$ show system updates +Current version: 1.5-rolling-202312220023 + +Update available: 1.5-rolling-202312250024 +Update URL: https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202312250024/1.5-rolling-202312250024-amd64.iso +vyos@r4:~$ + +vyos@r4:~$ add system image latest +``` diff --git a/docs/configuration/system/md-watchdog.md b/docs/configuration/system/md-watchdog.md new file mode 100644 index 00000000..700051a6 --- /dev/null +++ b/docs/configuration/system/md-watchdog.md @@ -0,0 +1,212 @@ +(system-watchdog)= + +# Watchdog + +VyOS supports hardware watchdog timers to automatically reboot the system if +it becomes unresponsive. This is particularly useful for remote or embedded +systems where physical access is limited. + +A watchdog timer is a hardware or software mechanism that automatically resets +the system if the operating system stops responding within a configured timeout +period. The system will periodically notify the watchdog that it is still +running. If the watchdog is not notified within the timeout period, the watchdog +will reset the system. + +## Configuration + +The watchdog feature is configured under the `system watchdog` configuration +tree. The presence of the `system watchdog` node enables the watchdog feature. + +```{cfgcmd} set system watchdog + +Enable watchdog support. + +The watchdog is enabled only when a watchdog device is available as +``/dev/watchdog0``. + +:::{note} +If multiple watchdog devices are present, only the first watchdog +device is supported (VyOS uses ``/dev/watchdog0`` only). +::: +If ``/dev/watchdog0`` does not exist and no module is configured, commit will +fail. If a module is configured but ``/dev/watchdog0`` still cannot be +created, VyOS will emit a warning and will not enable the systemd watchdog. +``` + +```{cfgcmd} set system watchdog module \<module-name\> + +Specify the kernel watchdog driver module to load for ``/dev/watchdog0``. + +The configured module must be a watchdog driver module, not an arbitrary +kernel module. + +**In most cases, this option is not required** as the kernel will +automatically load the appropriate watchdog driver for your system. Use this +option if the kernel fails to load the required driver, or when you want to +use the software watchdog (``softdog``). + +Common modules include: +* ``softdog`` - Software watchdog timer (available on all systems) +* ``iTCO_wdt`` - Intel TCO watchdog timer +* ``sp5100_tco`` - AMD SP5100 TCO watchdog timer +* ``i6300esb`` - Intel 6300ESB watchdog timer +* ``ipmi_watchdog`` - IPMI watchdog timer + +:::{warning} +``softdog`` is not a hardware watchdog. It is implemented using +kernel timers and therefore depends on the Linux kernel continuing to run. +In some fault conditions (for example, a kernel hang), ``softdog`` may not +be able to trigger a reset. + +Prefer a hardware watchdog driver whenever possible, as hardware watchdogs +can operate independently of the operating system. +::: + +If no module is specified, VyOS will use an existing ``/dev/watchdog0`` +device if available. + +:::{note} +If a module is specified but a different driver is actually bound +to ``watchdog0``, VyOS will emit a warning during commit. +::: +Example: + +:::{code-block} none +set system watchdog module softdog +::: +``` + +```{cfgcmd} set system watchdog timeout \<seconds\> +:defaultvalue: + +Set the watchdog timeout for normal runtime operation in seconds. + +Valid range: 1-65535 seconds + +:::{note} +Some watchdog drivers expose minimum and maximum supported runtime +timeouts via sysfs. When available, VyOS validates ``timeout`` against +those driver limits during commit. +::: + +This is the interval during which the system must respond to the watchdog. +If the system does not respond within this time, the watchdog will trigger +a reboot. + +Example: + +:::{code-block} none +set system watchdog timeout 30 +::: +``` + +```{cfgcmd} set system watchdog shutdown-timeout \<seconds\> +:defaultvalue: + +Set the watchdog timeout during system shutdown in seconds. + +Valid range: 60-65535 seconds + +This extended timeout allows the system to complete a graceful shutdown +without triggering the watchdog. + +:::{warning} +Setting this value too low (below 120 seconds) may cause +unclean shutdowns, as the system may not have enough time to properly +stop all services and flush disk buffers. The recommended minimum value +is 120 seconds. +::: +Example: + +:::{code-block} none +set system watchdog shutdown-timeout 180 +::: +``` + +```{cfgcmd} set system watchdog reboot-timeout \<seconds\> +:defaultvalue: + +Set the watchdog timeout during system reboot in seconds. + +Valid range: 60-65535 seconds + +This extended timeout allows the system to complete the reboot process +without triggering the watchdog during the transition. + +:::{warning} +Setting this value too low (below 120 seconds) may cause +unclean reboots, as the system may not have enough time to properly +stop all services before restarting. The recommended minimum value +is 120 seconds. +::: +Example: + +:::{code-block} none +set system watchdog reboot-timeout 180 +::: +``` + + +## Examples + +### Basic Configuration with Software Watchdog + +This example configures a basic software watchdog with default timeouts: + +```none +set system watchdog module softdog +``` + +This will: +- Enable the watchdog feature +- Load the `softdog` kernel module +- Use a 10-second runtime timeout (default) +- Use 120-second shutdown and reboot timeouts (default) + +### Advanced Configuration + +This example shows a more customized configuration suitable for a production +system: + +```none +set system watchdog module iTCO_wdt +set system watchdog timeout 30 +set system watchdog shutdown-timeout 300 +set system watchdog reboot-timeout 300 +``` + +This configuration: + +- Enables the watchdog feature +- Loads the Intel TCO hardware watchdog module +- Sets a 30-second runtime timeout +- Allows 5 minutes for shutdown and reboot operations + +## Best Practices + +- **Start with conservative timeouts**: Use longer timeouts initially and + reduce them as you gain confidence in system stability. +- **Test before deployment**: Verify the watchdog works as expected in a + non-production environment before deploying to production systems. +- **Choose appropriate modules**: Use hardware watchdog modules (like + `iTCO_wdt`) when available, as they are more reliable than software + watchdogs. +- **Consider shutdown time**: Set `shutdown-timeout` and `reboot-timeout` + values high enough to allow for normal shutdown procedures, especially on + systems with many services or slow storage. +- **Monitor watchdog events**: Check system logs after any unexpected reboots + to determine if the watchdog triggered the reboot. +- **Remote systems**: For systems without physical console access, use + conservative timeout values to avoid false-positive reboots during high + load conditions. + +:::{note} +The watchdog configuration takes effect immediately after commit, +but systemd must be reloaded. This happens automatically during commit. +::: + +:::{warning} +Incorrect watchdog configuration on remote systems can result +in unexpected reboots. Always test watchdog settings in a controlled +environment before deploying to production systems. +::: |
