From fd3073eef7bcbd64112e0581ba10afb58100b30d Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Mon, 25 Dec 2023 17:23:32 +0200 Subject: Add system update-check example Add an example of online checking for updates ``` set system update-check auto-check set system update-check url ``` --- docs/configuration/system/index.rst | 1 + docs/configuration/system/updates.rst | 37 +++++++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) create mode 100644 docs/configuration/system/updates.rst (limited to 'docs/configuration/system') diff --git a/docs/configuration/system/index.rst b/docs/configuration/system/index.rst index bfda7747..dbb63d09 100644 --- a/docs/configuration/system/index.rst +++ b/docs/configuration/system/index.rst @@ -25,6 +25,7 @@ System sysctl task-scheduler time-zone + updates .. toctree:: diff --git a/docs/configuration/system/updates.rst b/docs/configuration/system/updates.rst new file mode 100644 index 00000000..a55bfa9a --- /dev/null +++ b/docs/configuration/system/updates.rst @@ -0,0 +1,37 @@ +####### +Updates +####### + +VyOS supports online checking for updates + +Configuration +============= + +.. cfgcmd:: set system update-check auto-check + + Configure auto-checking for new images + + +.. cfgcmd:: set system update-check url + + Configure a URL that contains information about images. + + +Example +======= + +.. code-block:: none + + set system update-check auto-check + set system update-check url 'https://raw.githubusercontent.com/vyos/vyos-rolling-nightly-builds/main/version.json' + +Check: + +.. code-block:: none + + vyos@r4:~$ show system updates + Current version: 1.5-rolling-202312220023 + + Update available: 1.5-rolling-202312250024 + Update URL: https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202312250024/1.5-rolling-202312250024-amd64.iso + vyos@r4:~$ -- cgit v1.2.3 From 3c4d9ec2e93740eb9bd398736b228af356d2b2a8 Mon Sep 17 00:00:00 2001 
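Review bot: the new `updates.rst` hunk documents `set system update-check url` without saying what in the fetched data is trusted: the example points at a third-party host (`raw.githubusercontent.com`) and the `show system updates` output then surfaces an `Update URL` the operator is expected to install from, so the text should state that the URL must be HTTPS and that the reported version and image location are only as trustworthy as that endpoint. Two smaller points in the same hunk: `VyOS supports online checking for updates` is missing its full stop, and `Configure auto-checking for new images` should say how often the check runs and what it does with the result (report only, or more), otherwise readers will assume it installs images on its own.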
From: Nicolas Fort Date: Wed, 27 Dec 2023 07:45:07 -0300 Subject: System Conntrack: update commands for timeout rules; update commands for ignore rules, since both ipv4 and ipv6 rules are supported. --- docs/configuration/system/conntrack.rst | 149 ++++++++++++++++++++------------ 1 file changed, 93 insertions(+), 56 deletions(-) (limited to 'docs/configuration/system') diff --git a/docs/configuration/system/conntrack.rst b/docs/configuration/system/conntrack.rst index 68a4f2b8..6ed5fef7 100644 --- a/docs/configuration/system/conntrack.rst +++ b/docs/configuration/system/conntrack.rst @@ -46,9 +46,23 @@ Configure | Use `delete system conntrack modules` to deactive all modules. | Or, for example ftp, `delete system conntrack modules ftp`. +.. cfgcmd:: set system conntrack tcp half-open-connections <1-21474836> + :defaultvalue: -Define Conection Timeouts -========================= + Set the maximum number of TCP half-open connections. + +.. cfgcmd:: set system conntrack tcp loose + :defaultvalue: + + Policy to track previously established connections. + +.. cfgcmd:: set system conntrack tcp max-retrans <1-2147483647> + :defaultvalue: + + Set the number of TCP maximum retransmit attempts. + +Contrack Timeouts +================= VyOS supports setting timeouts for connections according to the connection type. You can set timeout values for generic connections, for ICMP 
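Review bot: the new section heading in this hunk is misspelled: `Contrack Timeouts` should read `Conntrack Timeouts` (and the `=` underline must grow by one character to match). Of the three `tcp` cfgcmds moved up here, `Policy to track previously established connections.` for `set system conntrack tcp loose` does not say what the option changes, namely whether connections seen mid-stream without a handshake are picked up and tracked, which is the detail an operator needs before enabling it on a firewall. The untouched context line `Use `delete system conntrack modules` to deactive all modules.` has a typo (`deactivate`) that could be fixed while this file is being edited.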
@@ -82,34 +96,48 @@ states. Set the timeout in secounds for a protocol or state. - You can also define custom timeout values to apply to a specific subset of connections, based on a packet and flow selector. To do this, you need to create a rule defining the packet and flow selector. -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> description +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + description Set a rule description. +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + destination address +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + source address -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> destination address -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> source address - - set a destination and/or source address. Accepted input: + Set a destination and/or source address. Accepted input for ipv4: .. code-block:: none - IP address to match - Subnet to match - - - IP range to match - ! Match everything except the specified address - ! Match everything except the specified subnet - !- - Match everything except the specified range - -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> destination port -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> source port + set system conntrack timeout custom ipv4 rule <1-999999> [source | destination] address + Possible completions: + IPv4 address to match + IPv4 prefix to match + - IPv4 address range to match + ! Match everything except the specified address + ! Match everything except the specified prefix + !- Match everything except the specified range + + set system conntrack timeout custom ipv6 rule <1-999999> [source | destination] address + Possible completions: + IP address to match + Subnet to match + - + IP range to match + ! Match everything except the specified address + ! 
Match everything except the specified prefix + !- + Match everything except the specified range + +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + destination port +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + source port Set a destination and/or source port. Accepted input: 
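Review bot: the IPv6 completion list in this hunk keeps the old generic wording (`IP address to match`, `Subnet to match`, `IP range to match`) while the IPv4 list directly above it was rewritten to `IPv4 address to match`, `IPv4 prefix to match` and `IPv4 address range to match`; make the IPv6 block say `IPv6 address to match`, `IPv6 prefix to match` and `IPv6 address range to match` so the two are parallel, and reconcile `Subnet to match` with `Match everything except the specified prefix`, which describe the same option with two different words. The rule range also changes from `<1-9999>` to `<1-999999>` together with the new `[ipv4 | ipv6]` path element; if configurations using the old unqualified `rule` path are migrated automatically, say so here, otherwise flag it as a breaking change. The context line `Set the timeout in secounds for a protocol or state.` has a typo (`seconds`).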
@@ -123,49 +151,58 @@ create a rule defining the packet and flow selector. The whole list can also be "negated" using '!'. For example: `!22,telnet,http,123,1001-1005`` - - -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol icmp <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol other <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close-wait <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp established <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp fin-wait <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp last-ack <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-recv <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-sent <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp time-wait <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp other <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp stream <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp close <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp close-wait <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp established <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp fin-wait <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp last-ack <1-21474836> +.. 
cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp syn-recv <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp syn-sent <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp time-wait <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol udp replied <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol udp unreplied <1-21474836> Set the timeout in secounds for a protocol or state in a custom rule. - -.. cfgcmd:: set system conntrack tcp half-open-connections <1-21474836> - :defaultvalue: - - Set the maximum number of TCP half-open connections. - -.. cfgcmd:: set system conntrack tcp loose - :defaultvalue: - - Policy to track previously established connections. - -.. cfgcmd:: set system conntrack tcp max-retrans <1-2147483647> - :defaultvalue: - - Set the number of TCP maximum retransmit attempts. - -.. cfgcmd:: set system conntrack ignore rule <1-9999> description -.. cfgcmd:: set system conntrack ignore rule <1-9999> destination address -.. cfgcmd:: set system conntrack ignore rule <1-9999> destination port -.. cfgcmd:: set system conntrack ignore rule <1-9999> inbound-interface -.. cfgcmd:: set system conntrack ignore rule <1-9999> protocol -.. cfgcmd:: set system conntrack ignore rule <1-9999> source address -.. cfgcmd:: set system conntrack ignore rule <1-9999> source port +Conntrack ignore rules +====================== Customized ignore rules, based on a packet and flow selector. +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + description +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + destination address +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + destination port +.. 
cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + inbound-interface +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + protocol +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + source address +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + source port +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + tcp flags [not] + + Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, + ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for + inverted selection use ``not``, as shown in the example. + +Conntrack log +============= + .. cfgcmd:: set system conntrack log icmp destroy .. cfgcmd:: set system conntrack log icmp new .. cfgcmd:: set system conntrack log icmp update -- cgit v1.2.3 From 05215848a5df37a4cc4075a58b05f19871a56306 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 30 Dec 2023 10:44:58 +0100 Subject: system: T5877: Shorten system domain-search config path Documentation pdate for https://github.com/vyos/vyos-1x/pull/2718 --- docs/configuration/system/name-server.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'docs/configuration/system') diff --git a/docs/configuration/system/name-server.rst b/docs/configuration/system/name-server.rst index f18cb5a3..5d08dbc5 100644 --- a/docs/configuration/system/name-server.rst +++ b/docs/configuration/system/name-server.rst @@ -48,7 +48,7 @@ In order for the system to use and complete unqualified host names, a list can be defined which will be used for domain searches. -.. cfgcmd:: set system domain-search domain +.. cfgcmd:: set system domain-search Use this command to define domains, one at a time, so that the system uses them to complete unqualified host names. Maximum: 6 entries. 
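Review bot: this hunk removes the `protocol icmp` and `protocol other` custom-timeout commands and replaces `udp other`/`udp stream` with `udp replied`/`udp unreplied`, but nothing in the text says whether ICMP and non-TCP/UDP custom timeouts are no longer configurable or merely no longer documented; state which it is, since operators with existing rules will look here. In the new `tcp flags [not]` entry, `Allowed values fpr TCP flags` should read `for`, and `for inverted selection use ``not``, as shown in the example` points at an example that does not exist in this hunk or anywhere in the file after this change; either add the example the sentence promises or drop the reference. The context line `Set the timeout in secounds for a protocol or state in a custom rule.` carries the `seconds` typo as well.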
@@ -68,7 +68,7 @@ order: vyos.io (first), vyos.net (second) and vyos.network (last): .. code-block:: none - set system domain-search domain vyos.io - set system domain-search domain vyos.net - set system domain-search domain vyos.network + set system domain-search vyos.io + set system domain-search vyos.net + set system domain-search vyos.network -- cgit v1.2.3 From 59ed69455cea99d5d905ffdef51690eb85de5e13 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Wed, 3 Jan 2024 13:42:54 +0200 Subject: updates: add system image latest If we configure "update-check url" we can use `latest` option to update system image. ``` add system image latest ``` --- docs/configuration/system/updates.rst | 2 ++ docs/installation/update.rst | 9 ++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) (limited to 'docs/configuration/system') diff --git a/docs/configuration/system/updates.rst b/docs/configuration/system/updates.rst index a55bfa9a..505d9318 100644 --- a/docs/configuration/system/updates.rst +++ b/docs/configuration/system/updates.rst @@ -35,3 +35,5 @@ Check: Update available: 1.5-rolling-202312250024 Update URL: https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202312250024/1.5-rolling-202312250024-amd64.iso vyos@r4:~$ + + vyos@r4:~$ add system image latest diff --git a/docs/installation/update.rst b/docs/installation/update.rst index 5f75f9db..b0b43836 100644 --- a/docs/installation/update.rst +++ b/docs/installation/update.rst @@ -10,7 +10,7 @@ for the new image to boot using the current configuration. .. note:: Only LTS releases are PGP-signed. -.. opcmd:: add system image [vrf name] +.. opcmd:: add system image | [latest] [vrf name] [username user [password pass]] Use this command to install a new system image. You can reach the 
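Review bot: the `vyos@r4:~$ add system image latest` line in the updates.rst hunk is appended inside the `Check:` code block that shows `show system updates` output, with no output and no sentence saying that it installs the image reported as `Update URL`; give it its own short lead sentence (and preferably its own code block) so readers do not take it for part of the check. Because `latest` acts on whatever the configured `update-check url` returns, this is also the place to tell the operator to confirm the reported version against the `show system updates` output before installing.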
@@ -72,6 +72,13 @@ Example OK. This image will be named: vyos-1.3-rolling-201912201452 +You can use ``latest`` option. It loads the latest available Rolling release. + +.. code-block:: none + + vyos@vyos:~$ add system image latest + +.. note:: To use the `latest` option the "system update-check url" must be configured. .. hint:: The most up-do-date Rolling Release for AMD64 can be accessed using the following URL: -- cgit v1.2.3 From 38e13fbab0560758baf3d676657254a490890376 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Fri, 2 Feb 2024 20:19:30 +0100 Subject: T5979: add configurable kernel boot option 'disable-mitigations' --- docs/configuration/system/option.rst | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'docs/configuration/system') diff --git a/docs/configuration/system/option.rst b/docs/configuration/system/option.rst index c9c9bfb1..4a1c3bd3 100644 --- a/docs/configuration/system/option.rst +++ b/docs/configuration/system/option.rst @@ -22,6 +22,14 @@ General Play an audible beep to the system speaker when system is ready. +Kernel +====== + +.. cfgcmd:: set system option kernel disable-mitigations + + Disable all optional CPU mitigations. This improves system performance, + but it may also expose users to several CPU vulnerabilities. + *********** HTTP client *********** -- cgit v1.2.3 From e50b510c0c5c980047bd77775a0c4d763aaa838b Mon Sep 17 00:00:00 2001 From: rebortg Date: Wed, 14 Feb 2024 21:37:56 +0100 Subject: Added information related to root-partition-auto-resize --- docs/configuration/system/option.rst | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'docs/configuration/system') diff --git a/docs/configuration/system/option.rst b/docs/configuration/system/option.rst index 4a1c3bd3..788765f0 100644 --- a/docs/configuration/system/option.rst +++ b/docs/configuration/system/option.rst 
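Review bot: in the update.rst hunk, `You can use ``latest`` option.` should read `You can use the ``latest`` option.`, and the new note writes `latest` with single backticks while the sentence before it uses double backticks; pick one. More importantly, the file's own note a few lines earlier says `Only LTS releases are PGP-signed`, and `latest` is described as loading `the latest available Rolling release`, so the added note should spell out that an image installed via `latest` is not signature-verified and is trusted only on the strength of the `system update-check url` endpoint and its TLS certificate.

Review bot: the description in the option.rst hunk (`Disable all optional CPU mitigations ... but it may also expose users to several CPU vulnerabilities.`) should say which kernel command-line parameter the option sets, that a reboot is required before it takes effect, and which class of hardware vulnerabilities becomes exploitable, so an operator can judge the trade-off; `several CPU vulnerabilities` is too vague to support that decision. A sentence saying this is only defensible on a host that runs no untrusted code would be a useful addition.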
@@ -22,6 +22,11 @@ General Play an audible beep to the system speaker when system is ready. +.. cfgcmd:: set system option root-partition-auto-resize + + Enables the root partition auto-extension and resizes to the maximum + available space on system boot. + Kernel ====== -- cgit v1.2.3 From 7a6cc0cf0ff081b4367c212821c7bf125bbb7427 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Fri, 16 Feb 2024 08:51:52 +0100 Subject: T6001: add option to disable next-hop-tracking resolve-via-default --- docs/configuration/system/ip.rst | 13 +++++++++++++ docs/configuration/system/ipv6.rst | 13 +++++++++++++ 2 files changed, 26 insertions(+) (limited to 'docs/configuration/system') diff --git a/docs/configuration/system/ip.rst b/docs/configuration/system/ip.rst index 0f45b7ca..279630e2 100644 --- a/docs/configuration/system/ip.rst +++ b/docs/configuration/system/ip.rst @@ -43,6 +43,19 @@ can be used to filter which routes zebra will install in the kernel. .. note:: If you choose any as the option that will cause all protocols that are sending routes to zebra. +Nexthop Tracking +^^^^^^^^^^^^^^^^ + +Nexthop tracking resolve nexthops via the default route by default. This is enabled +by default for a traditional profile of FRR which we use. It and can be disabled if +you do not wan't to e.g. allow BGP to peer across the default route. + +.. cfgcmd:: set system ip nht no-resolve-via-default + + Do not allow IPv4 nexthop tracking to resolve via the default route. This + parameter is configured per-VRF, so the command is also available in the VRF + subnode. + Operational commands -------------------- diff --git a/docs/configuration/system/ipv6.rst b/docs/configuration/system/ipv6.rst index c7308f9d..d8d3c4c9 100644 --- a/docs/configuration/system/ipv6.rst +++ b/docs/configuration/system/ipv6.rst 
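Review bot: the paragraph introducing `Nexthop Tracking` in the ip.rst hunk has several grammar errors: `Nexthop tracking resolve nexthops via the default route by default. This is enabled by default for a traditional profile of FRR which we use. It and can be disabled if you do not wan't to e.g. allow BGP to peer across the default route.` should read along the lines of `Nexthop tracking resolves nexthops via the default route. This is enabled by default in the traditional FRR profile that VyOS uses, and it can be disabled if you do not want to, for example, allow BGP to peer across the default route.` (`resolve`, `It and can`, `wan't`, and `by default` twice in one sentence). It would also help to state the operational consequence the text only hints at: with resolution via the default route allowed, a BGP session can stay up after the specific route to the peer disappears, so enabling `no-resolve-via-default` will show up as sessions dropping when specific routes are lost.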
@@ -39,6 +39,19 @@ can be used to filter which routes zebra will install in the kernel. .. note:: If you choose any as the option that will cause all protocols that are sending routes to zebra. +Nexthop Tracking +^^^^^^^^^^^^^^^^ + +Nexthop tracking resolve nexthops via the default route by default. This is enabled +by default for a traditional profile of FRR which we use. It and can be disabled if +you do not wan't to e.g. allow BGP to peer across the default route. + +.. cfgcmd:: set system ipv6 nht no-resolve-via-default + + Do not allow IPv6 nexthop tracking to resolve via the default route. This + parameter is configured per-VRF, so the command is also available in the VRF + subnode. + Operational commands -------------------- -- cgit v1.2.3 From e6b534942b8eaedfc3a6290f97d0040e61179b79 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Fri, 16 Feb 2024 14:33:15 +0100 Subject: login: T5972: add possibility to disable individual local user accounts --- docs/configuration/system/login.rst | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'docs/configuration/system') diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst index 98e05cdd..09e27c53 100644 --- a/docs/configuration/system/login.rst +++ b/docs/configuration/system/login.rst @@ -34,6 +34,10 @@ Local Setup encrypted password for given username. This is useful for transferring a hashed password from system to system. +.. cfgcmd:: set system login user disable + + Disable (lock) account. User will not be able to log in. + .. _ssh_key_based_authentication: Key Based Authentication -- cgit v1.2.3 From f0324d8a03c0c0cd7ed250b722ca4a2aff55f617 Mon Sep 17 00:00:00 2001 
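Review bot: the ipv6.rst hunk repeats the ip.rst introductory paragraph word for word, including its grammar errors (`resolve` for `resolves`, `It and can`, `wan't`, `by default` twice); fix both copies the same way, or keep a single shared paragraph, so the two do not drift apart.

Review bot: `Disable (lock) account. User will not be able to log in.` in the login.rst hunk leaves open the two questions an operator will have: whether sessions already established when the setting is committed are terminated, and whether the lock also blocks the key-based authentication documented in the section that immediately follows (a password lock alone does not necessarily stop SSH public-key logins). State both explicitly, because a `disable` that only locks the password gives a false sense that the account is unusable.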
From: Christian Breunig Date: Tue, 5 Mar 2024 20:32:16 +0100 Subject: T2447: add configurable kernel boot option 'disable-power-saving' Lower available CPU C states to a minimum if this option set. This will set Kernel commandline options "intel_idle.max_cstate=0 processor.max_cstate=1". --- docs/configuration/system/option.rst | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) (limited to 'docs/configuration/system') diff --git a/docs/configuration/system/option.rst b/docs/configuration/system/option.rst index 788765f0..02c889dd 100644 --- a/docs/configuration/system/option.rst +++ b/docs/configuration/system/option.rst @@ -24,7 +24,7 @@ General .. cfgcmd:: set system option root-partition-auto-resize - Enables the root partition auto-extension and resizes to the maximum + Enables the root partition auto-extension and resizes to the maximum available space on system boot. Kernel @@ -35,6 +35,23 @@ Kernel Disable all optional CPU mitigations. This improves system performance, but it may also expose users to several CPU vulnerabilities. + This will add the following option to the Kernel commandline: + + * ``mitigations=off`` + + .. note:: Setting will only become active with the next reboot! + +.. cfgcmd:: set system option kernel disable-power-saving + + Disable CPU power saving mechanisms also known as C states. + + This will add the following two options to the Kernel commandline: + + * ``intel_idle.max_cstate=0`` Disable intel_idle and fall back on acpi_idle + * ``processor.max_cstate=1`` Limit processor to maximum C-state 1 + + .. note:: Setting will only become active with the next reboot! + *********** HTTP client *********** -- cgit v1.2.3
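Review bot: the first option.rst hunk changes only trailing whitespace on the `Enables the root partition auto-extension and resizes to the maximum` line; that is fine to include, but mention it in the commit message so the hunk is not mistaken for a wording change.

Review bot: in the second option.rst hunk, `Disable CPU power saving mechanisms also known as C states.` needs a comma and the usual hyphenation (`mechanisms, also known as C-states`), and `Kernel commandline` should be `kernel command line` in both new descriptions. The note `Setting will only become active with the next reboot!` is now duplicated under both kernel options; acceptable, but a single note at the top of the `Kernel` section would avoid the repetition. The bullet for ``intel_idle.max_cstate=0`` correctly says it disables `intel_idle` and falls back on `acpi_idle`; since that driver is Intel-specific, the text should also say what the option means on non-Intel CPUs, where only ``processor.max_cstate=1`` applies.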