
Services not enabled or configured are started anyway within frr-family
Closed, Wontfix | Public | BUG

Description

I have noticed that even if I didn't enable or configure bgp, rip, ripng, ospf, babel, mpls (ldpd), eigrp and bfd, these services are started by default anyway:

vyos@vyos:~$ ps auxwww | grep -i frr
root         859  0.0  0.0   8208  3560 ?        S<s  Aug02   0:21 /usr/lib/frr/watchfrr -d -F traditional zebra bgpd ripd ripngd ospfd ospf6d isisd babeld ldpd eigrpd staticd bfdd
frr          897  0.0  0.2 1148868 20760 ?       S<sl Aug02   0:01 /usr/lib/frr/zebra -d -F traditional -s 90000000 --daemon -A 127.0.0.1 -M snmp
frr          902  0.0  0.2 257552 18596 ?        S<sl Aug02   0:01 /usr/lib/frr/bgpd -d -F traditional --daemon -A 127.0.0.1 -M snmp -M rpki -M bmp
frr          909  0.0  0.1  26336 10948 ?        S<s  Aug02   0:01 /usr/lib/frr/ripd -d -F traditional --daemon -A 127.0.0.1 -M snmp
frr          912  0.0  0.0   9648  5416 ?        S<s  Aug02   0:00 /usr/lib/frr/ripngd -d -F traditional --daemon -A ::1
frr          915  0.0  0.1  28628 12720 ?        S<s  Aug02   0:01 /usr/lib/frr/ospfd -d -F traditional --daemon -A 127.0.0.1 -M snmp
frr          920  0.0  0.1  27668 12140 ?        S<s  Aug02   0:01 /usr/lib/frr/ospf6d -d -F traditional --daemon -A ::1 -M snmp
frr          924  0.0  0.1  28248 12812 ?        S<s  Aug02   0:01 /usr/lib/frr/isisd -d -F traditional --daemon -A 127.0.0.1 -M snmp
frr          927  0.0  0.0   9228  5140 ?        S<s  Aug02   0:00 /usr/lib/frr/babeld -d -F traditional --daemon -A 127.0.0.1
frr          930  0.0  0.0   9696  6920 ?        S<   Aug02   0:00 /usr/lib/frr/ldpd -L -u frr -g frr
frr          931  0.0  0.0   9700  7000 ?        S<   Aug02   0:00 /usr/lib/frr/ldpd -E -u frr -g frr
frr          932  0.0  0.0  10260  5568 ?        S<s  Aug02   0:00 /usr/lib/frr/ldpd -d -F traditional --daemon -A 127.0.0.1
frr          936  0.0  0.0   9836  5664 ?        S<s  Aug02   0:00 /usr/lib/frr/eigrpd -d -F traditional --daemon -A 127.0.0.1
frr          941  0.0  0.0   9348  5916 ?        S<s  Aug02   0:00 /usr/lib/frr/staticd -d -F traditional --daemon -A 127.0.0.1
frr          945  0.0  0.0   9452  5312 ?        S<s  Aug02   0:01 /usr/lib/frr/bfdd -d -F traditional --daemon -A 127.0.0.1

In order to lower the available attack surface, but also to better utilize available hardware (mainly CPU and RAM) for services that are enabled, services that are not enabled by the configuration should remain shut down until they are really needed.

In short, don't have services running that are not being used.

Of the above, I estimate that only watchfrr, zebra and staticd should be enabled by default; the rest should only be enabled when needed (aka configured in VyOS config-mode).

It seems like it is /etc/frr/daemons that defines which services should be run (and monitored) or not, but I'm not sure this is the correct file in the VyOS case, since that file also says "watchfrr_enable=no", which isn't true since watchfrr does run by default.

Also note that the above change should be tested so that when, for example, eigrpd is enabled/disabled this shouldn't affect bgpd (which would then need to exchange routes with its peers again).

Ref: Current content of /etc/frr/daemons:

zebra=yes
bgpd=yes
ospfd=yes
ospf6d=yes
ripd=yes
ripngd=yes
isisd=yes
pimd=no
ldpd=yes
nhrpd=no
eigrpd=yes
babeld=yes
sharpd=no
pbrd=no
bfdd=yes
staticd=yes

vtysh_enable=yes
zebra_options="-s 90000000 --daemon -A 127.0.0.1 -M snmp"
bgpd_options="--daemon -A 127.0.0.1 -M snmp -M rpki -M bmp"
ospfd_options="--daemon -A 127.0.0.1 -M snmp"
ospf6d_options="--daemon -A ::1 -M snmp"
ripd_options="--daemon -A 127.0.0.1 -M snmp"
ripngd_options="--daemon -A ::1"
isisd_options="--daemon -A 127.0.0.1 -M snmp"
pimd_options="--daemon -A 127.0.0.1"
ldpd_options="--daemon -A 127.0.0.1"
nhrpd_options="--daemon -A 127.0.0.1"
eigrpd_options="--daemon -A 127.0.0.1"
babeld_options="--daemon -A 127.0.0.1"
sharpd_options="--daemon -A 127.0.0.1"
pbrd_options="--daemon -A 127.0.0.1"
staticd_options="--daemon -A 127.0.0.1"
bfdd_options="--daemon -A 127.0.0.1"

watchfrr_enable=no
valgrind_enable=no

Details

Difficulty level: Unknown (require assessment)
Version: VyOS 1.4-rolling-202308020317
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

Found that the defaults in daemons-file are set by VyOS in /usr/share/vyos/templates/frr/daemons.frr.tmpl

Apachez claimed this task.

I will put this as "wontfix" because a fix would need additional work of stopping/starting the correct FRR service (if this occurs in the future then this task can be reopened).

For example, you don't want the bgpd daemon to be reloaded just because something with ospfd got changed that needed a restart of the ospfd daemon.

That is, the daemons relate to which features FRR itself will bring to VyOS through vtysh.

Also the services are locked to localhost (IPv4 or IPv6) and not exposed (except for when the service will have a peer such as bgp, bfd etc).

Code cleanup of FRR daemons-file and various FRR fixes are handled in https://vyos.dev/T5591
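
An added example (not part of the task, and not VyOS or FRR project code): a shell check over a daemons file that reports enabled daemons outside a baseline and any enabled daemon whose `-A` (vty listen address) value is not loopback, which covers both the description's concern and the comment about localhost binding. The baseline of zebra and staticd, the function names, and the sample file with its non-loopback pimd entry are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit an FRR daemons file (names below are hypothetical).
# Assumed baseline: daemons the reporter expects to be enabled by default.
BASELINE="zebra staticd"

# Constructed sample: abbreviated from the file quoted in the task, with pimd
# changed to enabled and bound to 0.0.0.0 to exercise the bind-address check.
sample_daemons() {
cat <<'EOF'
zebra=yes
bgpd=yes
ospfd=yes
pimd=yes
nhrpd=no
staticd=yes
zebra_options="-s 90000000 --daemon -A 127.0.0.1 -M snmp"
bgpd_options="--daemon -A 127.0.0.1 -M snmp -M rpki -M bmp"
ospfd_options="--daemon -A 127.0.0.1 -M snmp"
pimd_options="--daemon -A 0.0.0.0"
staticd_options="--daemon -A 127.0.0.1"
EOF
}

# audit_daemons FILE: one finding per line.
#   EXTRA <daemon>           enabled but not in BASELINE
#   NONLOCAL <daemon> <addr> enabled and -A is missing or not loopback
audit_daemons() {
  awk -F= -v baseline="$BASELINE" '
    BEGIN { n = split(baseline, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
    /^[a-z0-9]+=yes$/ { order[++cnt] = $1; next }
    /^[a-z0-9]+_options=/ {
      name = $1; sub(/_options$/, "", name)
      m = split(substr($0, index($0, "=") + 1), w, /[ "]+/)
      addr = "unset"
      for (i = 1; i < m; i++) if (w[i] == "-A") addr = w[i + 1]
      bind[name] = addr
    }
    END {
      for (i = 1; i <= cnt; i++) {
        d = order[i]; a = (d in bind) ? bind[d] : "unset"
        if (!(d in ok)) print "EXTRA " d
        if (a != "127.0.0.1" && a != "::1") print "NONLOCAL " d " " a
      }
    }' "$1"
}

tmp=$(mktemp); sample_daemons > "$tmp"
audit_daemons "$tmp"   # on a router: audit_daemons /etc/frr/daemons
rm -f "$tmp"
```

The check reads only the `-A` value in the options strings; sockets that a daemon opens toward protocol peers are outside what it sees.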