
VRF support for SSH, NTP, SNMP service
Closed, Resolved | Public | Feature Request

Description

Hi,

It would be nice to be able to select a VRF for the ssh, ntp and snmp services to bind to.

  • SSH
  • NTP
  • SNMP

Details

Difficulty level: Normal (likely a few hours)
Version: -
Why the issue appeared? Will be filled on close
Is it a breaking change? Perfectly compatible
Issue type: Feature (new functionality)

Related Objects

Status | Subtype | Assigned | Task
Open | Feature Request | None |
Resolved | Feature Request | c-po |

Event Timeline

All that's really needed is to somehow edit /usr/lib/systemd/system/ssh.service to change

ExecStart=ip vrf exec mgmt /usr/sbin/sshd -D $SSHD_OPTS

This should probably be configurable, but I have no idea what the vyos-ish way of doing this is.

Can use systemd module file override?

example:

cat /etc/systemd/system/ssh@.service.d/override.conf 
[Service]
ExecStart=
ExecStart=/sbin/ip vrf exec %i /usr/sbin/sshd -D $SSHD_OPTS

@daniil that would work of course. Have you tested manually that this works?

In T2321#66700, @c-po wrote:

@daniil that would work of course. Have you tested manually that this works?

I am using this configuration:

cat /etc/systemd/system/ssh.service.d/override.conf 

[Service]
LimitMEMLOCK=infinity
ExecStart=
ExecStart=/sbin/ip vrf exec mgmt /usr/sbin/sshd -D $SSHD_OPTS
c-po renamed this task from VRF support for services to VRF support for SSH, NTP, SNMP service. Jun 9 2020, 4:47 PM
c-po claimed this task.
c-po triaged this task as Normal priority.
c-po moved this task from Need Triage to Backlog on the VyOS 1.3 Equuleus board.
c-po changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).

Tomorrow's rolling ISO will support VRF sourced SSH.

Please give feedback on whether this is what you expect. Also, it would be nice if you could write something about that in our documentation: https://docs.vyos.io/en/latest/

If this works out I will add SNMP and NTP support.

SNMPD must listen to the socket on the loop in vrf default. This is necessary for the protocol agentx to work.

Hmm, sshd listens on port 2 by default.

@daniil it will be fixed in tomorrow's rolling ISO.

vyos@vyos:~$ show vrf black processes
 4624  sshd
 4404  ntpd
c-po changed the task status from Open to Needs testing. Jun 13 2020, 9:21 PM
c-po updated the task description.
c-po updated the task description.

I have ntp listening in vrf mgmt; note that I have not set vrf bind-to-all.

vyos@ip# show system ntp
 listen-address 2001:db8::1
 server 2001:db8:1::1 {
 }
 vrf mgmt
[edit]
Oct 21 18:22:06 ip ntpd[2521]: bind(20) AF_INET 127.0.0.1#123 flags 0x5 failed: Cannot assign requested address
Oct 21 18:22:06 ip ntpd[2521]: unable to create socket on lo (84145) for 127.0.0.1#123
Oct 21 18:22:06 ip ntpd[2521]: failed to init interface for address 127.0.0.1
Oct 21 18:22:06 ip ntpd[2521]: bind(20) AF_INET6 ::1#123 flags 0x5 failed: Cannot assign requested address
Oct 21 18:22:06 ip ntpd[2521]: unable to create socket on lo (84146) for ::1#123
Oct 21 18:22:06 ip ntpd[2521]: failed to init interface for address ::1

Or just do this: https://phabricator.vyos.net/T3008

The current NTP config always binds to localhost and localhost is not a part of the mgmt VRF thus this error message.

Similar issue for snmpd:

Jan  2 07:27:31 aebi systemd[1]: snmpd.service: Service RestartSec=10s expired, scheduling restart.
Jan  2 07:27:31 aebi systemd[1]: snmpd.service: Scheduled restart job, restart counter is at 91.
Jan  2 07:27:31 aebi systemd[1]: Stopped Simple Network Management Protocol (SNMP) Daemon..
Jan  2 07:27:31 aebi systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon....
Jan  2 07:27:31 aebi systemd[1]: Started Simple Network Management Protocol (SNMP) Daemon..
Jan  2 07:27:31 aebi snmpd[4822]: Error opening specified endpoint "udp:127.0.0.1:161"
Jan  2 07:27:31 aebi snmpd[4822]: Server Exiting with code 1

Amending /etc/snmp/snmpd.conf as follows got it working for me (albeit temporarily). Our snmp listen-address is 10.13.0.56 in this instance.

From:

agentaddress unix:/run/snmpd.socket,udp:10.13.0.56:161,udp:127.0.0.1:161,udp6:[::1]:161

To:

agentaddress unix:/run/snmpd.socket,udp:10.13.0.56:161

The system tries to bind itself to the localhost address which is not in the VRF; this is definitely a fault. Why did I not see that?

I will investigate if it is possible to drop or to add the localhost address from the listen addresses as we also have a UNIX domain socket here. Will update this task.

Cumulus states: The management VRF configurations in this chapter contain a localhost loopback IPv4 address of 127.0.0.1/8 and IPv6 address of ::1/128. Management VRF must have an IPv6 address as well as an IPv4 address to work correctly. Adding the loopback address to the layer 3 domain of the management VRF prevents issues with applications that expect the loopback IP address to exist in the VRF, such as NTP.

Loopback IP addresses are now automatically assigned to every VRF interface:

47: bar: <NOARP,MASTER,UP,LOWER_UP> mtu 65536 qdisc noqueue state UP group default qlen 1000
    link/ether 76:7d:c0:53:6d:89 brd ff:ff:ff:ff:ff:ff
    inet 127.0.0.1/8 scope host bar
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
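As an added example, not code from VyOS or from anyone on this task, a small POSIX shell helper that ties together the three workarounds discussed above: it renders the systemd drop-in that re-runs a daemon under `ip vrf exec`, strips the loopback endpoints from an snmpd `agentaddress` line (the manual edit shown earlier), and checks `ip addr show` output for the per-VRF loopback addresses that make localhost binds work. The service name, VRF name, daemon command line and staging root are assumed inputs; the sample `ip addr` text is constructed in the shape of the output quoted above.

```shell
# Added example, not VyOS code. Helpers for running a service inside a VRF.

# vrf_dropin SERVICE VRF EXECSTART: print a systemd drop-in that clears the unit's
# ExecStart and re-runs the daemon under `ip vrf exec VRF` (as in the override above).
vrf_dropin() {
    printf '[Service]\nExecStart=\nExecStart=/sbin/ip vrf exec %s %s\n' "$2" "$3"
}

# write_vrf_dropin ROOT SERVICE VRF EXECSTART: stage the drop-in under ROOT
# (use "" for the live system, then run `systemctl daemon-reload`). Prints the path.
write_vrf_dropin() {
    dir="$1/etc/systemd/system/$2.service.d"
    mkdir -p "$dir"
    vrf_dropin "$2" "$3" "$4" > "$dir/override.conf"
    printf '%s\n' "$dir/override.conf"
}

# strip_loopback_endpoints LINE: drop udp:127.0.0.1:* and udp6:[::1]:* from an
# snmpd agentaddress line, since those addresses do not exist inside the VRF.
strip_loopback_endpoints() {
    keyword="${1%% *}"
    rest="${1#* }"
    kept=""
    old_ifs="$IFS"; IFS=','
    for ep in $rest; do
        case "$ep" in
            udp:127.0.0.1:*|udp6:\[::1\]:*) continue ;;
        esac
        kept="${kept:+$kept,}$ep"
    done
    IFS="$old_ifs"
    printf '%s %s\n' "$keyword" "$kept"
}

# vrf_loopback_ok TEXT: succeed only if `ip addr show dev VRF` output in TEXT carries
# both 127.0.0.1/8 and ::1/128, i.e. daemons binding to localhost will work in it.
vrf_loopback_ok() {
    printf '%s\n' "$1" | grep -q 'inet 127\.0\.0\.1/8 ' &&
        printf '%s\n' "$1" | grep -q 'inet6 ::1/128 '
}

# Constructed samples, shaped like the `ip addr` output quoted on this task.
SAMPLE_VRF_WITH_LO='47: bar: <NOARP,MASTER,UP,LOWER_UP> mtu 65536 qdisc noqueue state UP
    inet 127.0.0.1/8 scope host bar
    inet6 ::1/128 scope host'
SAMPLE_VRF_NO_LO='48: mgmt: <NOARP,MASTER,UP,LOWER_UP> mtu 65536 qdisc noqueue state UP'
if vrf_loopback_ok "$SAMPLE_VRF_WITH_LO"; then echo "bar: loopback present"; fi
if ! vrf_loopback_ok "$SAMPLE_VRF_NO_LO"; then echo "mgmt: loopback missing"; fi
strip_loopback_endpoints 'agentaddress unix:/run/snmpd.socket,udp:10.13.0.56:161,udp:127.0.0.1:161,udp6:[::1]:161'
```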
erkin set Issue type to Feature (new functionality). Aug 30 2021, 6:49 AM
erkin removed a subscriber: Active contributors.