Page MenuHomeVyOS Platform

SSH: make configuration (sshd_config) volatile and store it to /run
Closed, ResolvedPublicBUG


T769 has drawn attention to a much larger issue than its own scope. It would be reasonable to expect that if configuration for some service is not present in the VyOS config, a config file for the target application should not be present in the system either. In reality, it's not the case.

Most scripts remove configuration files when their node is deleted from the VyOS config. However, there's no mechanism that would remove those files if configuration was not deleted from the config, but has gone from it, typically because the user forgot to save the config before rebooting.

Simplest reproducing procedure:

  1. set service ssh
  2. commit
  3. exit
  4. reboot
  5. After reboot, /etc/ssh/sshd_config is there

If a service is configured to start on boot (in most cases it shouldn't, but as T769 showed, it does happen), it may cause unconfigured services come back from the dead.

Since config scripts that delete unneeded files cannot run unless triggered by actual deletion, the only way to fix this is to identify all files managed by VyOS and run a script that removes them at boot time, before config is loaded.


Difficulty level
Normal (likely a few hours)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

Could we work around this by implementing an overlay for every commit, with the entire stack of overlays being combined with the root overlay when a save is issued?

Most of these files are autogenerated and dont need to be saved across reboots.. is it possible to make them in a overlay that does not save to disk? Or another aproach is to just delete them when the device starts (before or when vyatta starts)

Most of the services have been migrated to systemd and the configuration files have been moved to /run so they won't survive a reboot.

This is yet not the case for SSH.

c-po renamed this task from Configuration files are kept in the system when VyOS config is commited but not saved to SSH: make configuration (sshd_config) volatile and store it to /run.Aug 3 2020, 4:25 PM
c-po claimed this task.
c-po triaged this task as Normal priority.
c-po set Is it a breaking change? to Unspecified (possibly destroys the router).
erkin set Issue type to Bug (incorrect behavior).Aug 31 2021, 7:13 PM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.