]>
Commit | Line | Data |
---|---|---|
718e3744 | 1 | @node VTY shell |
718e3744 | 2 | @chapter VTY shell |
3 | ||
e68ab6bb DL |
4 | @menu |
5 | * Integrated configuration mode:: | |
6 | @end menu | |
718e3744 | 7 | |
438f5286 | 8 | @command{vtysh} provides a combined frontend to all Frr daemons in a |
e68ab6bb DL |
9 | single combined session. It is enabled by default at build time, but can |
10 | be disabled through the @option{--disable-vtysh} option to | |
11 | @command{./configure}. | |
12 | ||
13 | @command{vtysh} has a configuration file, @file{vtysh.conf}. The location | |
14 | of that file cannot be changed from @file{@value{INSTALL_PREFIX_ETC}} since | |
15 | it contains options controlling authentication behavior. This file will | |
16 | also not be written by configuration-save commands, it is intended to be | |
17 | updated manually by an administrator with an external editor. | |
18 | ||
19 | @quotation Warning | |
20 | This also means the @command{hostname} and @command{banner motd} commands | |
21 | (which both do have effect for vtysh) need to be manually updated in | |
22 | @file{vtysh.conf}. | |
23 | @end quotation | |
24 | ||
25 | @section Permissions and setup requirements | |
26 | ||
27 | @command{vtysh} connects to running daemons through Unix sockets located in | |
28 | @file{@value{INSTALL_PREFIX_STATE}}. Running vtysh thus requires access to | |
29 | that directory, plus membership in the @emph{@value{INSTALL_VTY_GROUP}} | |
30 | group (which is the group that the daemons will change ownership of their | |
31 | sockets to). | |
32 | ||
438f5286 | 33 | To restrict access to Frr configuration, make sure no unauthorized users |
e68ab6bb DL |
34 | are members of the @emph{@value{INSTALL_VTY_GROUP}} group. |
35 | ||
36 | @subsection PAM support (experimental) | |
37 | ||
38 | vtysh has working (but rather useless) PAM support. It will perform | |
39 | an "authenticate" PAM call using @emph{@value{PACKAGE_NAME}} as service | |
40 | name. No other (accounting, session, password change) calls will be | |
41 | performed by vtysh. | |
42 | ||
43 | Users using vtysh still need to have appropriate access to the daemons' | |
44 | VTY sockets, usually by being member of the @emph{@value{INSTALL_VTY_GROUP}} | |
45 | group. If they have this membership, PAM support is useless since they can | |
46 | connect to daemons and issue commands using some other tool. Alternatively, | |
47 | the @command{vtysh} binary could be made SGID (set group ID) to the | |
48 | @emph{@value{INSTALL_VTY_GROUP}} group. @strong{No security guarantees are | |
49 | made for this configuration}. | |
718e3744 | 50 | |
e68ab6bb | 51 | @deffn {Command} {username @var{username} nopassword} {} |
718e3744 | 52 | |
e68ab6bb DL |
53 | If PAM support is enabled at build-time, this command allows disabling the |
54 | use of PAM on a per-user basis. If vtysh finds that an user is trying to | |
55 | use vtysh and a "nopassword" entry is found, no calls to PAM will be made | |
56 | at all. | |
718e3744 | 57 | |
e68ab6bb | 58 | @end deffn |
76b89b4a | 59 | |
e68ab6bb DL |
60 | @node Integrated configuration mode |
61 | @section Integrated configuration mode | |
76b89b4a | 62 | |
e68ab6bb | 63 | Integrated configuration mode uses a single configuration file, |
e20dc2ba | 64 | @file{frr.conf}, for all daemons. This replaces the individual files like |
e68ab6bb | 65 | @file{zebra.conf} or @file{bgpd.conf}. |
718e3744 | 66 | |
e20dc2ba | 67 | @file{frr.conf} is located in @file{@value{INSTALL_PREFIX_ETC}}. All |
e68ab6bb DL |
68 | daemons check for the existence of this file at startup, and if it exists |
69 | will not load their individual configuration files. Instead, | |
e20dc2ba | 70 | @command{vtysh -b} must be invoked to process @file{frr.conf} and apply |
e68ab6bb | 71 | its settings to the individual daemons. |
718e3744 | 72 | |
e68ab6bb DL |
73 | @quotation Warning |
74 | @command{vtysh -b} must also be executed after restarting any daemon. | |
75 | @end quotation | |
971a4497 | 76 | |
e68ab6bb | 77 | @subsection Configuration saving, file ownership and permissions |
971a4497 | 78 | |
e20dc2ba | 79 | The @file{frr.conf} file is not written by any of the daemons; instead |
e68ab6bb DL |
80 | @command{vtysh} contains the neccessary logic to collect configuration from |
81 | all of the daemons, combine it and write it out. | |
76b89b4a | 82 | |
e68ab6bb DL |
83 | @quotation Warning |
84 | Daemons must be running for @command{vtysh} to be able to collect their | |
85 | configuration. Any configuration from non-running daemons is permanently | |
86 | lost after doing a configuration save. | |
87 | @end quotation | |
88 | ||
89 | Since the @command{vtysh} command may be running as ordinary user on the | |
9473e340 | 90 | system, configuration writes will be tried through @command{watchfrr}, |
e68ab6bb | 91 | using the @command{write integrated} command internally. Since |
9473e340 | 92 | @command{watchfrr} is running as superuser, @command{vtysh} is able to |
e20dc2ba | 93 | ensure correct ownership and permissions on @file{frr.conf}. |
971a4497 | 94 | |
9473e340 | 95 | If @command{watchfrr} is not running or the configuration write fails, |
e68ab6bb DL |
96 | @command{vtysh} will attempt to directly write to the file. This is likely |
97 | to fail if running as unprivileged user; alternatively it may leave the | |
98 | file with incorrect owner or permissions. | |
971a4497 | 99 | |
e68ab6bb DL |
100 | Writing the configuration can be triggered directly by invoking |
101 | @command{vtysh -w}. This may be useful for scripting. Note this command | |
438f5286 | 102 | should be run as either the superuser or the Frr user. |
76b89b4a | 103 | |
104 | We recommend you do not mix the use of the two types of files. Further, it | |
e20dc2ba | 105 | is better not to use the integrated frr.conf file, as any syntax error in |
76b89b4a | 106 | it can lead to /all/ of your daemons being unable to start up. Per daemon |
107 | files are more robust as impact of errors in configuration are limited to | |
108 | the daemon in whose file the error is made. | |
109 | ||
e68ab6bb DL |
110 | @deffn {Command} {service integrated-vtysh-config} {} |
111 | @deffnx {Command} {no service integrated-vtysh-config} {} | |
112 | ||
e20dc2ba | 113 | Control whether integrated @file{frr.conf} file is written when |
e68ab6bb DL |
114 | 'write file' is issued. |
115 | ||
116 | These commands need to be placed in @file{vtysh.conf} to have any effect. | |
438f5286 | 117 | Note that since @file{vtysh.conf} is not written by Frr itself, they |
e68ab6bb DL |
118 | therefore need to be manually placed in that file. |
119 | ||
120 | This command has 3 states: | |
121 | @itemize @bullet | |
122 | @item | |
123 | @command{service integrated-vtysh-config} | |
124 | ||
e20dc2ba | 125 | @command{vtysh} will always write @file{frr.conf}. |
e68ab6bb DL |
126 | |
127 | @item | |
128 | @command{no service integrated-vtysh-config} | |
129 | ||
e20dc2ba | 130 | @command{vtysh} will never write @file{frr.conf}; instead it will ask |
e68ab6bb DL |
131 | daemons to write their individual configuration files. |
132 | ||
133 | @item | |
134 | Neither option present (default) | |
135 | ||
e20dc2ba | 136 | @command{vtysh} will check whether @file{frr.conf} exists. If it does, |
e68ab6bb DL |
137 | configuration writes will update that file. Otherwise, writes are performed |
138 | through the individual daemons. | |
139 | @end itemize | |
140 | ||
141 | This command is primarily intended for packaging/distribution purposes, to | |
142 | preset one of the two operating modes and ensure consistent operation across | |
143 | installations. | |
76b89b4a | 144 | @end deffn |
e68ab6bb DL |
145 | |
146 | @deffn {Command} {write integrated} {} | |
147 | ||
148 | Unconditionally (regardless of @command{service integrated-vtysh-config} | |
e20dc2ba | 149 | setting) write out integrated @file{frr.conf} file through |
9473e340 | 150 | @command{watchfrr}. If @command{watchfrr} is not running, this command |
e68ab6bb DL |
151 | is unavailable. |
152 | ||
153 | @end deffn | |
154 | ||
155 | @section Caveats | |
156 | ||
157 | Configuration changes made while some daemon is not running will be invisible | |
158 | to that daemon. The daemon will start up with its saved configuration | |
e20dc2ba | 159 | (either in its individual configuration file, or in @file{frr.conf}). |
e68ab6bb DL |
160 | This is particularly troublesome for route-maps and prefix lists, which would |
161 | otherwise be synchronized between daemons. |