[mirror_frr.git] / doc / vtysh.texi

@node VTY shell
@chapter VTY shell

@menu
* Integrated configuration mode::
@end menu

@command{vtysh} provides a combined frontend to all Frr daemons in a
single combined session.  It is enabled by default at build time, but can
be disabled through the @option{--disable-vtysh} option to
@command{./configure}.

@command{vtysh} has a configuration file, @file{vtysh.conf}.  The location
of that file cannot be changed from @file{@value{INSTALL_PREFIX_ETC}} since
it contains options controlling authentication behavior.  This file will
also not be written by configuration-save commands, it is intended to be
updated manually by an administrator with an external editor.

@quotation Warning
This also means the @command{hostname} and @command{banner motd} commands
(which both do have effect for vtysh) need to be manually updated in
@file{vtysh.conf}.
@end quotation

@section Permissions and setup requirements

@command{vtysh} connects to running daemons through Unix sockets located in
@file{@value{INSTALL_PREFIX_STATE}}.  Running vtysh thus requires access to
that directory, plus membership in the @emph{@value{INSTALL_VTY_GROUP}}
group (which is the group that the daemons will change ownership of their
sockets to).

To restrict access to Frr configuration, make sure no unauthorized users
are members of the @emph{@value{INSTALL_VTY_GROUP}} group.

@subsection PAM support (experimental)

vtysh has working (but rather useless) PAM support.  It will perform
an "authenticate" PAM call using @emph{@value{PACKAGE_NAME}} as service
name. No other (accounting, session, password change) calls will be
performed by vtysh.

Users using vtysh still need to have appropriate access to the daemons'
VTY sockets, usually by being member of the @emph{@value{INSTALL_VTY_GROUP}}
group.  If they have this membership, PAM support is useless since they can
connect to daemons and issue commands using some other tool.  Alternatively,
the @command{vtysh} binary could be made SGID (set group ID) to the
@emph{@value{INSTALL_VTY_GROUP}} group.  @strong{No security guarantees are
made for this configuration}.

@deffn {Command} {username @var{username} nopassword} {}

If PAM support is enabled at build-time, this command allows disabling the
use of PAM on a per-user basis.  If vtysh finds that an user is trying to
use vtysh and a "nopassword" entry is found, no calls to PAM will be made
at all.

@end deffn

@node Integrated configuration mode
@section Integrated configuration mode

Integrated configuration mode uses a single configuration file,
@file{frr.conf}, for all daemons.  This replaces the individual files like
@file{zebra.conf} or @file{bgpd.conf}.

@file{frr.conf} is located in @file{@value{INSTALL_PREFIX_ETC}}.  All
daemons check for the existence of this file at startup, and if it exists
will not load their individual configuration files.  Instead,
@command{vtysh -b} must be invoked to process @file{frr.conf} and apply
its settings to the individual daemons.

@quotation Warning
@command{vtysh -b} must also be executed after restarting any daemon.
@end quotation

@subsection Configuration saving, file ownership and permissions

The @file{frr.conf} file is not written by any of the daemons; instead
@command{vtysh} contains the neccessary logic to collect configuration from
all of the daemons, combine it and write it out.

@quotation Warning
Daemons must be running for @command{vtysh} to be able to collect their
configuration.  Any configuration from non-running daemons is permanently
lost after doing a configuration save.
@end quotation

Since the @command{vtysh} command may be running as ordinary user on the
system, configuration writes will be tried through @command{watchfrr},
using the @command{write integrated} command internally.  Since
@command{watchfrr} is running as superuser, @command{vtysh} is able to
ensure correct ownership and permissions on @file{frr.conf}.

If @command{watchfrr} is not running or the configuration write fails,
@command{vtysh} will attempt to directly write to the file.  This is likely
to fail if running as unprivileged user;  alternatively it may leave the
file with incorrect owner or permissions.

Writing the configuration can be triggered directly by invoking
@command{vtysh -w}.  This may be useful for scripting.  Note this command
should be run as either the superuser or the Frr user.

We recommend you do not mix the use of the two types of files. Further, it
is better not to use the integrated frr.conf file, as any syntax error in
it can lead to /all/ of your daemons being unable to start up. Per daemon
files are more robust as impact of errors in configuration are limited to
the daemon in whose file the error is made.

@deffn {Command} {service integrated-vtysh-config} {}
@deffnx {Command} {no service integrated-vtysh-config} {}

Control whether integrated @file{frr.conf} file is written when
'write file' is issued.

These commands need to be placed in @file{vtysh.conf} to have any effect.
Note that since @file{vtysh.conf} is not written by Frr itself, they
therefore need to be manually placed in that file.

This command has 3 states:
@itemize @bullet
@item
@command{service integrated-vtysh-config}

@command{vtysh} will always write @file{frr.conf}.

@item
@command{no service integrated-vtysh-config}

@command{vtysh} will never write @file{frr.conf}; instead it will ask
daemons to write their individual configuration files.

@item
Neither option present (default)

@command{vtysh} will check whether @file{frr.conf} exists.  If it does,
configuration writes will update that file.  Otherwise, writes are performed
through the individual daemons.
@end itemize

This command is primarily intended for packaging/distribution purposes, to
preset one of the two operating modes and ensure consistent operation across
installations.
@end deffn

@deffn {Command} {write integrated} {}

Unconditionally (regardless of @command{service integrated-vtysh-config}
setting) write out integrated @file{frr.conf} file through
@command{watchfrr}.  If @command{watchfrr} is not running, this command
is unavailable.

@end deffn

@section Caveats

Configuration changes made while some daemon is not running will be invisible
to that daemon.  The daemon will start up with its saved configuration
(either in its individual configuration file, or in @file{frr.conf}).
This is particularly troublesome for route-maps and prefix lists, which would
otherwise be synchronized between daemons.
Commit	Line	Data
718e3744	1	@node VTY shell
718e3744	2	@chapter VTY shell
718e3744	3
e68ab6bb DL	4	@menu
	5	* Integrated configuration mode::
	6	@end menu
718e3744	7
438f5286	8	@command{vtysh} provides a combined frontend to all Frr daemons in a
e68ab6bb DL	9	single combined session. It is enabled by default at build time, but can
	10	be disabled through the @option{--disable-vtysh} option to
	11	@command{./configure}.
	12
	13	@command{vtysh} has a configuration file, @file{vtysh.conf}. The location
	14	of that file cannot be changed from @file{@value{INSTALL_PREFIX_ETC}} since
	15	it contains options controlling authentication behavior. This file will
	16	also not be written by configuration-save commands, it is intended to be
	17	updated manually by an administrator with an external editor.
	18
	19	@quotation Warning
	20	This also means the @command{hostname} and @command{banner motd} commands
	21	(which both do have effect for vtysh) need to be manually updated in
	22	@file{vtysh.conf}.
	23	@end quotation
	24
	25	@section Permissions and setup requirements
	26
	27	@command{vtysh} connects to running daemons through Unix sockets located in
	28	@file{@value{INSTALL_PREFIX_STATE}}. Running vtysh thus requires access to
	29	that directory, plus membership in the @emph{@value{INSTALL_VTY_GROUP}}
	30	group (which is the group that the daemons will change ownership of their
	31	sockets to).
	32
438f5286	33	To restrict access to Frr configuration, make sure no unauthorized users
e68ab6bb DL	34	are members of the @emph{@value{INSTALL_VTY_GROUP}} group.
	35
	36	@subsection PAM support (experimental)
	37
	38	vtysh has working (but rather useless) PAM support. It will perform
	39	an "authenticate" PAM call using @emph{@value{PACKAGE_NAME}} as service
	40	name. No other (accounting, session, password change) calls will be
	41	performed by vtysh.
	42
	43	Users using vtysh still need to have appropriate access to the daemons'
	44	VTY sockets, usually by being member of the @emph{@value{INSTALL_VTY_GROUP}}
	45	group. If they have this membership, PAM support is useless since they can
	46	connect to daemons and issue commands using some other tool. Alternatively,
	47	the @command{vtysh} binary could be made SGID (set group ID) to the
	48	@emph{@value{INSTALL_VTY_GROUP}} group. @strong{No security guarantees are
	49	made for this configuration}.
718e3744	50
e68ab6bb	51	@deffn {Command} {username @var{username} nopassword} {}
718e3744	52
e68ab6bb DL	53	If PAM support is enabled at build-time, this command allows disabling the
	54	use of PAM on a per-user basis. If vtysh finds that an user is trying to
	55	use vtysh and a "nopassword" entry is found, no calls to PAM will be made
	56	at all.
718e3744	57
e68ab6bb	58	@end deffn
76b89b4a	59
e68ab6bb DL	60	@node Integrated configuration mode
e68ab6bb DL	61	@section Integrated configuration mode
76b89b4a	62
e68ab6bb	63	Integrated configuration mode uses a single configuration file,
e20dc2ba	64	@file{frr.conf}, for all daemons. This replaces the individual files like
e68ab6bb	65	@file{zebra.conf} or @file{bgpd.conf}.
718e3744	66
e20dc2ba	67	@file{frr.conf} is located in @file{@value{INSTALL_PREFIX_ETC}}. All
e68ab6bb DL	68	daemons check for the existence of this file at startup, and if it exists
e68ab6bb DL	69	will not load their individual configuration files. Instead,
e20dc2ba	70	@command{vtysh -b} must be invoked to process @file{frr.conf} and apply
e68ab6bb	71	its settings to the individual daemons.
718e3744	72
e68ab6bb DL	73	@quotation Warning
	74	@command{vtysh -b} must also be executed after restarting any daemon.
	75	@end quotation
971a4497	76
e68ab6bb	77	@subsection Configuration saving, file ownership and permissions
971a4497	78
e20dc2ba	79	The @file{frr.conf} file is not written by any of the daemons; instead
e68ab6bb DL	80	@command{vtysh} contains the neccessary logic to collect configuration from
e68ab6bb DL	81	all of the daemons, combine it and write it out.
76b89b4a	82
e68ab6bb DL	83	@quotation Warning
	84	Daemons must be running for @command{vtysh} to be able to collect their
	85	configuration. Any configuration from non-running daemons is permanently
	86	lost after doing a configuration save.
	87	@end quotation
	88
	89	Since the @command{vtysh} command may be running as ordinary user on the
9473e340	90	system, configuration writes will be tried through @command{watchfrr},
e68ab6bb	91	using the @command{write integrated} command internally. Since
9473e340	92	@command{watchfrr} is running as superuser, @command{vtysh} is able to
e20dc2ba	93	ensure correct ownership and permissions on @file{frr.conf}.
971a4497	94
9473e340	95	If @command{watchfrr} is not running or the configuration write fails,
e68ab6bb DL	96	@command{vtysh} will attempt to directly write to the file. This is likely
	97	to fail if running as unprivileged user; alternatively it may leave the
	98	file with incorrect owner or permissions.
971a4497	99
e68ab6bb DL	100	Writing the configuration can be triggered directly by invoking
e68ab6bb DL	101	@command{vtysh -w}. This may be useful for scripting. Note this command
438f5286	102	should be run as either the superuser or the Frr user.
76b89b4a	103
76b89b4a	104	We recommend you do not mix the use of the two types of files. Further, it
e20dc2ba	105	is better not to use the integrated frr.conf file, as any syntax error in
76b89b4a	106	it can lead to /all/ of your daemons being unable to start up. Per daemon
	107	files are more robust as impact of errors in configuration are limited to
	108	the daemon in whose file the error is made.
	109
e68ab6bb DL	110	@deffn {Command} {service integrated-vtysh-config} {}
	111	@deffnx {Command} {no service integrated-vtysh-config} {}
	112
e20dc2ba	113	Control whether integrated @file{frr.conf} file is written when
e68ab6bb DL	114	'write file' is issued.
	115
	116	These commands need to be placed in @file{vtysh.conf} to have any effect.
438f5286	117	Note that since @file{vtysh.conf} is not written by Frr itself, they
e68ab6bb DL	118	therefore need to be manually placed in that file.
	119
	120	This command has 3 states:
	121	@itemize @bullet
	122	@item
	123	@command{service integrated-vtysh-config}
	124
e20dc2ba	125	@command{vtysh} will always write @file{frr.conf}.
e68ab6bb DL	126
	127	@item
	128	@command{no service integrated-vtysh-config}
	129
e20dc2ba	130	@command{vtysh} will never write @file{frr.conf}; instead it will ask
e68ab6bb DL	131	daemons to write their individual configuration files.
	132
	133	@item
	134	Neither option present (default)
	135
e20dc2ba	136	@command{vtysh} will check whether @file{frr.conf} exists. If it does,
e68ab6bb DL	137	configuration writes will update that file. Otherwise, writes are performed
	138	through the individual daemons.
	139	@end itemize
	140
	141	This command is primarily intended for packaging/distribution purposes, to
	142	preset one of the two operating modes and ensure consistent operation across
	143	installations.
76b89b4a	144	@end deffn
e68ab6bb DL	145
	146	@deffn {Command} {write integrated} {}
	147
	148	Unconditionally (regardless of @command{service integrated-vtysh-config}
e20dc2ba	149	setting) write out integrated @file{frr.conf} file through
9473e340	150	@command{watchfrr}. If @command{watchfrr} is not running, this command
e68ab6bb DL	151	is unavailable.
	152
	153	@end deffn
	154
	155	@section Caveats
	156
	157	Configuration changes made while some daemon is not running will be invisible
	158	to that daemon. The daemon will start up with its saved configuration
e20dc2ba	159	(either in its individual configuration file, or in @file{frr.conf}).
e68ab6bb DL	160	This is particularly troublesome for route-maps and prefix lists, which would
e68ab6bb DL	161	otherwise be synchronized between daemons.