VRF support for SSH, NTP, SNMP service
Closed, ResolvedPublicFEATURE REQUEST
Actions

Assigned To

Authored By

	primoz
	Apr 18 2020, 12:52 PM

Description

Hi,

it would be nice to be allowed to select VRF for ssh, ntp and smtp service to bind to.

SSH
NTP
SNMP

Details

Version: -
Is it a breaking change?: Perfectly compatible
Issue type: Feature (new functionality)

Related Objects
Search...

Status	Subtype	Assigned	Task
Resolved	FEATURE REQUEST	Viacheslav	T2579 The root task for VRF features
Resolved	FEATURE REQUEST	c-po	T2321 VRF support for SSH, NTP, SNMP service
Resolved	FEATURE REQUEST	c-po	T6192 Support running SSH server in more than one VRF

Event Timeline

primoz created this task.Apr 18 2020, 12:52 PM

All that's really needed is to somehow edit /usr/lib/systemd/system/ssh.service to change

ExecStart=ip vrf exec mgmt /usr/sbin/sshd -D $SSHD_OPTS

this should probaby be configurable, but have no idea what's the vyos-ish way of doing this.

pasik subscribed.Apr 19 2020, 8:35 AM

Can use systemd module file override?

example:

cat /etc/systemd/system/ssh@.service.d/override.conf 
[Service]
ExecStart=
ExecStart=/sbin/ip vrf exec %i /usr/sbin/sshd -D $SSHD_OPTS

@daniil that would work of course. You tested it manuslly that this works?

In T2321#66700, @c-po wrote:

@daniil that would work of course. You tested it manuslly that this works?

I am using this configuration:

cat /etc/systemd/system/ssh.service.d/override.conf 

[Service]
LimitMEMLOCK=infinity
ExecStart=
ExecStart=/sbin/ip vrf exec mgmt /usr/sbin/sshd -D $SSHD_OPTS

c-po renamed this task from VRF support for services to VRF support for SSH, NTP, SNMP service.Jun 9 2020, 4:47 PM

c-po claimed this task.

c-po triaged this task as Normal priority.

c-po moved this task from Need Triage to Backlog on the VyOS 1.3 Equuleus board.

c-po edited a custom field.

Viacheslav added a parent task: T2579: The root task for VRF features.Jun 10 2020, 12:55 PM

c-po mentioned this in rVYOSONEXc2c91c4a7c74: ssh: T2321: use list over string when working with Config().Jun 11 2020, 1:58 PM

c-po mentioned this in rVYOSONEX5deb12c509be: ssh: T2321: add VRF support.

Tomorrows rolling ISO will support VRF sourced SSH.

Please feedback as this is what you expect. Also it would be nice if could write something about that in our documentation: https://docs.vyos.io/en/latest/

If this works out I will add SNMP and NTP support

SNMPD must listen to the socket on the loop in vrf default. This is necessary for the protocol agentx to work.

VirtualBox_vyos_11_06_2020_21_58_51.png (400×720 px, 9 KB)

Hmm, sshd listens on port 2 by default.

c-po mentioned this in rVYOSONEX89a097ea0ad9: ssh: T2321: fix invalid string/list assignment of default port.Jun 13 2020, 8:38 PM

@daniil it will be fixed in tomorrows rolling ISO.

vyos@vyos:~$ show vrf black processes
 4624  sshd
 4404  ntpd

c-po mentioned this in rVYOSONEX13f9b8fab678: ntp: T2321: use list over string when working with Config().Jun 13 2020, 9:19 PM

c-po mentioned this in rVYOSONEX7b1f1fa56f7f: ntp: T2321: remove superfluous verify() step on network addresses.

c-po mentioned this in rVYOSONEX84abe1f9d224: ssh: T2321: always run "systemctl daemon-reload".

c-po mentioned this in rVYOSONEX4dbc229db28c: op-mode: T2321: add "show vrf black processes" command.

c-po mentioned this in rVYOSONEX5b1f06336b9c: ntp: T2321: add VRF support.

c-po changed the task status from Open to Needs testing.Jun 13 2020, 9:21 PM

c-po updated the task description. (Show Details)

c-po mentioned this in rVYOSONEXde112874efc3: snmp: T2321: add VRF support.Jun 13 2020, 9:46 PM

c-po closed this task as Resolved.Jun 13 2020, 9:47 PM

c-po updated the task description. (Show Details)

c-po mentioned this in rVYOSONEX1be2084f3b93: snmp: T2321: use restart of start in systemctl.Jun 16 2020, 4:29 PM

c-po moved this task from Backlog to Finished on the VyOS 1.3 Equuleus board.Jul 7 2020, 4:10 PM

I have ntp listening in vrf mgmt, note that i have not set vrf bind-to-all.

vyos@ip# show system ntp
 listen-address 2001:db8::1
 server 2001:db8:1::1 {
 }
 vrf mgmt
[edit]

Oct 21 18:22:06 ip ntpd[2521]: bind(20) AF_INET 127.0.0.1#123 flags 0x5 failed: Cannot assign requested address
Oct 21 18:22:06 ip ntpd[2521]: unable to create socket on lo (84145) for 127.0.0.1#123
Oct 21 18:22:06 ip ntpd[2521]: failed to init interface for address 127.0.0.1
Oct 21 18:22:06 ip ntpd[2521]: bind(20) AF_INET6 ::1#123 flags 0x5 failed: Cannot assign requested address
Oct 21 18:22:06 ip ntpd[2521]: unable to create socket on lo (84146) for ::1#123
Oct 21 18:22:06 ip ntpd[2521]: failed to init interface for address ::1

Or just do this: https://phabricator.vyos.net/T3008

The current NTP config always binds to localhost and localhost is not a part of the mgmt VRF thus this error message.

Similar issue for snmpd:

Jan  2 07:27:31 aebi systemd[1]: snmpd.service: Service RestartSec=10s expired, scheduling restart.
Jan  2 07:27:31 aebi systemd[1]: snmpd.service: Scheduled restart job, restart counter is at 91.
Jan  2 07:27:31 aebi systemd[1]: Stopped Simple Network Management Protocol (SNMP) Daemon..
Jan  2 07:27:31 aebi systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon....
Jan  2 07:27:31 aebi systemd[1]: Started Simple Network Management Protocol (SNMP) Daemon..
Jan  2 07:27:31 aebi snmpd[4822]: Error opening specified endpoint "udp:127.0.0.1:161"
Jan  2 07:27:31 aebi snmpd[4822]: Server Exiting with code 1

Amending /etc/snmp/snmpd.conf as follows got it working for me (albeit temporarily). Our snmp listen-address is 10.13.0.56 in this instance.

From:

agentaddress unix:/run/snmpd.socket,udp:10.13.0.56:161,udp:127.0.0.1:161,udp6:[::1]:161

To:

agentaddress unix:/run/snmpd.socket,udp:10.13.0.56:161

The system tries to bind itself to the localhost address which is not in the VRF, this is definately a fault, Why did I not see that?

I will investigate if it is possible to drop or to add the localhost address from the listen addresses as we also have a UNIX domain socket here. Will update this task.

Cumulus states: The management VRF configurations in this chapter contain a localhost loopback IPv4 address of 127.0.0.1/8 and IPv6 address of ::1/128. Management VRF must have an IPv6 address as well as an IPv4 address to work correctly. Adding the loopback address to the layer 3 domain of the management VRF prevents issues with applications that expect the loopback IP address to exist in the VRF, such as NTP.

c-po reopened this task as Confirmed.Jan 2 2021, 9:59 AM

Loopback IP addresses are now automatically assigned to every VRF interface

47: bar: <NOARP,MASTER,UP,LOWER_UP> mtu 65536 qdisc noqueue state UP group default qlen 1000
    link/ether 76:7d:c0:53:6d:89 brd ff:ff:ff:ff:ff:ff
    inet 127.0.0.1/8 scope host bar
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever

c-po mentioned this in rVYOSONEX79f44d3cf8dc: vrf: T2321: assign loopback IP addresses to individual VRF interfaces.Jan 2 2021, 11:21 AM

c-po closed this task as Resolved.Jan 2 2021, 12:00 PM

erkin set Issue type to Feature (new functionality).Aug 30 2021, 6:49 AM

erkin removed a subscriber: Global Notifications.

syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Aug 29 2022, 7:13 PM

syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0) board.

c-po changed the status of subtask T6192: Support running SSH server in more than one VRF from Open to In progress.Mar 31 2024, 12:51 PM

c-po closed subtask T6192: Support running SSH server in more than one VRF as Resolved.Apr 3 2024, 6:36 AM

	F565011: VirtualBox_vyos_11_06_2020_21_58_51.png
	Jun 11 2020, 7:02 PM

VRF support for SSH, NTP, SNMP serviceClosed, ResolvedPublicFEATURE REQUESTActions

Description

Details

Related ObjectsSearch...

Event Timeline

VRF support for SSH, NTP, SNMP service
Closed, ResolvedPublicFEATURE REQUEST
Actions

Related Objects
Search...