9 *vtysh* provides a combined frontend to all FRR daemons in a single combined
10 session. It is enabled by default at build time, but can be disabled through
11 the :option:`--disable-vtysh` option to the configure script.
13 *vtysh* has a configuration file, :file:`vtysh.conf`. The location of that
14 file cannot be changed from |INSTALL_PREFIX_ETC| since it contains options
15 controlling authentication behavior. This file will also not be written by
16 configuration-save commands, it is intended to be updated manually by an
17 administrator with an external editor.
21 This also means the ``hostname`` and ``banner motd`` commands (which both do
22 have effect for vtysh) need to be manually updated in :file:`vtysh.conf`.
28 *vtysh* can call an external paging program (e.g. *more* or *less*) to
29 paginate long output from commands. This feature used to be enabled by
30 default but is now controlled by the ``VTYSH_PAGER`` environment variable
31 and the :clicmd:`terminal paginate` command:
33 .. envvar:: VTYSH_PAGER
35 If set, the ``VTYSH_PAGER`` environment variable causes *vtysh* to pipe
36 output from commands through the given command. Note that this happens
37 regardless of the length of the output. As such, standard pager behavior
38 (particularly waiting at the end of output) tends to be annoying to the
39 user. Using ``less -EFX`` is recommended for a better user experience.
41 If this environment variable is unset, *vtysh* defaults to not using any
44 This variable should be set by the user according to their preferences,
45 in their :file:`~/.profile` file.
47 .. index:: [no] terminal paginate
48 .. clicmd:: [no] terminal paginate
50 Enables/disables vtysh output pagination. This command is intended to
51 be placed in :file:`vtysh.conf` to set a system-wide default. If this
52 is enabled but ``VTYSH_PAGER`` is not set, the system default pager
53 (likely ``more`` or ``/usr/bin/pager``) will be used.
56 Permissions and setup requirements
57 ==================================
59 *vtysh* connects to running daemons through Unix sockets located in
60 |INSTALL_PREFIX_STATE|. Running vtysh thus requires access to that directory,
61 plus membership in the |INSTALL_VTY_GROUP| group (which is the group that the
62 daemons will change ownership of their sockets to).
64 To restrict access to FRR configuration, make sure no unauthorized users are
65 members of the |INSTALL_VTY_GROUP| group.
69 VTYSH implements a CLI option ``-u, --user`` that disallows entering the
70 characters "en" on the command line, which ideally restricts access to
71 configuration commands. However, VTYSH was never designed to be a privilege
72 broker and is not built using secure coding practices. No guarantees of
73 security are provided for this option and under no circumstances should this
74 option be used to provide any semblance of security or read-only access to
77 PAM support (experimental)
78 --------------------------
80 vtysh has working (but rather useless) PAM support. It will perform an
81 "authenticate" PAM call using |PACKAGE_NAME| as service name. No other
82 (accounting, session, password change) calls will be performed by vtysh.
84 Users using vtysh still need to have appropriate access to the daemons' VTY
85 sockets, usually by being member of the |INSTALL_VTY_GROUP| group. If they
86 have this membership, PAM support is useless since they can connect to daemons
87 and issue commands using some other tool. Alternatively, the *vtysh* binary
88 could be made SGID (set group ID) to the |INSTALL_VTY_GROUP| group.
92 No security guarantees are made for this configuration.
95 .. index:: username USERNAME nopassword
96 .. clicmd:: username USERNAME nopassword
98 If PAM support is enabled at build-time, this command allows disabling the
99 use of PAM on a per-user basis. If vtysh finds that an user is trying to
100 use vtysh and a "nopassword" entry is found, no calls to PAM will be made
104 .. _integrated-configuration-mode:
106 Integrated configuration mode
107 =============================
109 Integrated configuration mode uses a single configuration file,
110 :file:`frr.conf`, for all daemons. This replaces the individual files like
111 :file:`zebra.conf` or :file:`bgpd.conf`.
113 :file:`frr.conf` is located in |INSTALL_PREFIX_ETC|. All daemons check for the
114 existence of this file at startup, and if it exists will not load their
115 individual configuration files. Instead, ``vtysh -b`` must be invoked to
116 process :file:`frr.conf` and apply its settings to the individual daemons.
120 *vtysh -b* must also be executed after restarting any daemon.
123 Configuration saving, file ownership and permissions
124 ----------------------------------------------------
126 The :file:`frr.conf` file is not written by any of the daemons; instead *vtysh*
127 contains the necessary logic to collect configuration from all of the daemons,
128 combine it and write it out.
132 Daemons must be running for *vtysh* to be able to collect their
133 configuration. Any configuration from non-running daemons is permanently
134 lost after doing a configuration save.
136 Since the *vtysh* command may be running as ordinary user on the system,
137 configuration writes will be tried through *watchfrr*, using the ``write
138 integrated`` command internally. Since *watchfrr* is running as superuser,
139 *vtysh* is able to ensure correct ownership and permissions on
142 If *watchfrr* is not running or the configuration write fails, *vtysh* will
143 attempt to directly write to the file. This is likely to fail if running as
144 unprivileged user; alternatively it may leave the file with incorrect owner or
147 Writing the configuration can be triggered directly by invoking *vtysh -w*.
148 This may be useful for scripting. Note this command should be run as either the
149 superuser or the FRR user.
151 We recommend you do not mix the use of the two types of files. Further, it is
152 better not to use the integrated :file:`frr.conf` file, as any syntax error in
153 it can lead to /all/ of your daemons being unable to start up. Per daemon files
154 are more robust as impact of errors in configuration are limited to the daemon
155 in whose file the error is made.
157 .. index:: service integrated-vtysh-config
158 .. clicmd:: service integrated-vtysh-config
160 .. index:: no service integrated-vtysh-config
161 .. clicmd:: no service integrated-vtysh-config
163 Control whether integrated :file:`frr.conf` file is written when
164 'write file' is issued.
166 These commands need to be placed in :file:`vtysh.conf` to have any effect.
167 Note that since :file:`vtysh.conf` is not written by FRR itself, they
168 therefore need to be manually placed in that file.
170 This command has 3 states:
173 service integrated-vtysh-config
174 *vtysh* will always write :file:`frr.conf`.
177 no service integrated-vtysh-config
178 *vtysh* will never write :file:`frr.conf`; instead it will ask
179 daemons to write their individual configuration files.
181 Neither option present (default)
182 *vtysh* will check whether :file:`frr.conf` exists. If it does,
183 configuration writes will update that file. Otherwise, writes are performed
184 through the individual daemons.
186 This command is primarily intended for packaging/distribution purposes, to
187 preset one of the two operating modes and ensure consistent operation across
190 .. index:: write integrated
191 .. clicmd:: write integrated
193 Unconditionally (regardless of ``service integrated-vtysh-config`` setting)
194 write out integrated :file:`frr.conf` file through *watchfrr*. If *watchfrr*
195 is not running, this command is unavailable.
199 Configuration changes made while some daemon is not running will be
200 invisible to that daemon. The daemon will start up with its saved
201 configuration (either in its individual configuration file, or in
202 :file:`frr.conf`). This is particularly troublesome for route-maps and
203 prefix lists, which would otherwise be synchronized between daemons.
projects / mirror_frr.git / blob