
SSH: make configuration (sshd_config) volatile and store it to /run
Status: Closed, Resolved | Visibility: Public | Type: BUG

Description

T769 has drawn attention to a much larger issue than its own scope. It would be reasonable to expect that if configuration for some service is not present in the VyOS config, a config file for the target application should not be present in the system either. In reality, it's not the case.

Most scripts remove configuration files when their node is deleted from the VyOS config. However, there's no mechanism that would remove those files if configuration was not deleted from the config, but has gone from it, typically because the user forgot to save the config before rebooting.

Simplest reproducing procedure:

  1. set service ssh
  2. commit
  3. exit
  4. reboot
  5. After reboot, /etc/ssh/sshd_config is there

If a service is configured to start on boot (in most cases it shouldn't, but as T769 showed, it does happen), it may cause unconfigured services to come back from the dead.

Since config scripts that delete unneeded files cannot run unless triggered by actual deletion, the only way to fix this is to identify all files managed by VyOS and run a script that removes them at boot time, before config is loaded.
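The boot-time purge proposed above, as an added example (not VyOS code): a list of VyOS-managed files, a detection check that reports whether any of them is left on disk, and a purge function that removes them before the saved config is loaded. The only path taken from the task is /etc/ssh/sshd_config; the ROOT prefix, the function names and the scratch-directory demo are assumptions made so the script can run offline against a temporary directory instead of the live filesystem.

```shell
#!/bin/sh
# Added example, not part of VyOS. Boot-time cleanup of config files that
# VyOS generates from its own configuration: if they survive a reboot after
# an unsaved commit, a service that is not in the saved config may start
# again from the stale file.

# Files generated from the VyOS config (assumption: only the one path the
# task names is listed here; a real list would be collected from all
# config scripts).
MANAGED_FILES="/etc/ssh/sshd_config"

# stale_config_present ROOT
# Detection check: returns 0 if any managed file exists under the ROOT
# prefix (use a scratch directory for testing; "" would mean the live root).
stale_config_present() {
    root="$1"
    for f in $MANAGED_FILES; do
        if [ -f "$root$f" ]; then
            echo "stale: $root$f"
            return 0
        fi
    done
    return 1
}

# purge_managed_files ROOT
# Removes every managed file under the ROOT prefix. Intended to run at boot
# before the saved config is loaded, so only files the saved config
# regenerates will exist afterwards. Returns the number of files removed.
purge_managed_files() {
    root="$1"
    removed=0
    for f in $MANAGED_FILES; do
        if [ -f "$root$f" ]; then
            rm -f "$root$f"
            echo "removed: $root$f"
            removed=$((removed + 1))
        fi
    done
    return $removed
}

# Demo against a scratch root, simulating the task's reproduction steps:
# "set service ssh; commit; exit; reboot" leaves sshd_config on disk.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/ssh"
    printf 'Port 22\n' > "$root/etc/ssh/sshd_config"   # constructed leftover
    stale_config_present "$root" && echo "before purge: stale config found"
    purge_managed_files "$root"
    stale_config_present "$root" || echo "after purge: clean"
    rm -rf "$root"
}

demo
```

The purge must run before the config loader, because the loader's own scripts only delete files when a node is actively removed from the config, not when it is simply absent. On the real system the equivalent step would be a unit ordered before the VyOS config load.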

Details

Difficulty level: Normal (likely a few hours)
Version: 1.2.0
Why the issue appeared? Will be filled on close
Is it a breaking change? Perfectly compatible
Issue type: Bug (incorrect behavior)

Event Timeline

Could we work around this by implementing an overlay for every commit, with the entire stack of overlays being combined with the root overlay when a save is issued?

Most of these files are autogenerated and don't need to be saved across reboots. Is it possible to make them in an overlay that does not save to disk? Or another approach is to just delete them when the device starts (before or when vyatta starts).

Most of the services have been migrated to systemd and the configuration files have been moved to /run so they won't survive a reboot.

This is not yet the case for SSH.

c-po renamed this task from "Configuration files are kept in the system when VyOS config is committed but not saved" to "SSH: make configuration (sshd_config) volatile and store it to /run". Aug 3 2020, 4:25 PM
c-po claimed this task.
c-po triaged this task as Normal priority.
c-po set Is it a breaking change? to Unspecified (possibly destroys the router).
erkin set Issue type to Bug (incorrect behavior). Aug 31 2021, 7:13 PM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.