Page MenuHomeVyOS Platform
Create Task
Maniphest T2321

VRF support for SSH, NTP, SNMP service
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

Hi,

it would be nice to be allowed to select VRF for ssh, ntp and smtp service to bind to.

  • SSH
  • NTP
  • SNMP

Details

Difficulty level
Normal (likely a few hours)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedFEATURE REQUESTViacheslavT2579 The root task for VRF features
 ResolvedFEATURE REQUESTc-poT2321 VRF support for SSH, NTP, SNMP service
 ResolvedFEATURE REQUESTc-poT6192 Multi VRF support for SSH

Event Timeline

primoz created this task.Apr 18 2020, 12:52 PM
primoz added a comment.Apr 18 2020, 7:36 PM

All that's really needed is to somehow edit /usr/lib/systemd/system/ssh.service to change

ExecStart=ip vrf exec mgmt /usr/sbin/sshd -D $SSHD_OPTS

this should probaby be configurable, but have no idea what's the vyos-ish way of doing this.

pasik added a subscriber: pasik.Apr 19 2020, 8:35 AM
daniil added a subscriber: daniil.EditedJun 8 2020, 7:08 PM

Can use systemd module file override?

example:

cat /etc/systemd/system/[email protected]/override.conf 
[Service]
ExecStart=
ExecStart=/sbin/ip vrf exec %i /usr/sbin/sshd -D $SSHD_OPTS
c-po added a subscriber: c-po.Jun 8 2020, 8:56 PM

@daniil that would work of course. You tested it manuslly that this works?

daniil added a comment.Jun 9 2020, 10:41 AM
In T2321#66700, @c-po wrote:

@daniil that would work of course. You tested it manuslly that this works?

I am using this configuration:

cat /etc/systemd/system/ssh.service.d/override.conf 

[Service]
LimitMEMLOCK=infinity
ExecStart=
ExecStart=/sbin/ip vrf exec mgmt /usr/sbin/sshd -D $SSHD_OPTS
c-po renamed this task from VRF support for services to VRF support for SSH, NTP, SNMP service.Jun 9 2020, 4:47 PM
c-po claimed this task.
c-po triaged this task as Normal priority.
c-po moved this task from Need Triage to Backlog on the VyOS 1.3 Equuleus board.
c-po changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).
Viacheslav added a parent task: T2579: The root task for VRF features.Jun 10 2020, 12:55 PM
c-po added a comment.EditedJun 11 2020, 1:59 PM

Tomorrows rolling ISO will support VRF sourced SSH.

c-po added a comment.Jun 11 2020, 3:52 PM

Please feedback as this is what you expect. Also it would be nice if could write something about that in our documentation: https://docs.vyos.io/en/latest/

If this works out I will add SNMP and NTP support

daniil added a comment.Jun 11 2020, 5:28 PM

SNMPD must listen to the socket on the loop in vrf default. This is necessary for the protocol agentx to work.

daniil added a comment.Jun 11 2020, 7:02 PM

VirtualBox_vyos_11_06_2020_21_58_51.png (400×720 px, 9 KB)

Hmm, sshd listens on port 2 by default.

c-po added a comment.Jun 13 2020, 8:38 PM

@daniil it will be fixed in tomorrows rolling ISO.

c-po added a comment.Jun 13 2020, 9:17 PM
vyos@vyos:~$ show vrf black processes
 4624  sshd
 4404  ntpd
c-po changed the task status from Open to Needs testing.Jun 13 2020, 9:21 PM
c-po updated the task description. (Show Details)
c-po closed this task as Resolved.Jun 13 2020, 9:47 PM
c-po updated the task description. (Show Details)
c-po moved this task from Backlog to Finished on the VyOS 1.3 Equuleus board.Jul 7 2020, 4:10 PM
Gunni added a subscriber: Gunni.EditedOct 21 2020, 6:24 PM

I have ntp listening in vrf mgmt, note that i have not set vrf bind-to-all.

vyos@ip# show system ntp
 listen-address 2001:db8::1
 server 2001:db8:1::1 {
 }
 vrf mgmt
[edit]
Oct 21 18:22:06 ip ntpd[2521]: bind(20) AF_INET 127.0.0.1#123 flags 0x5 failed: Cannot assign requested address
Oct 21 18:22:06 ip ntpd[2521]: unable to create socket on lo (84145) for 127.0.0.1#123
Oct 21 18:22:06 ip ntpd[2521]: failed to init interface for address 127.0.0.1
Oct 21 18:22:06 ip ntpd[2521]: bind(20) AF_INET6 ::1#123 flags 0x5 failed: Cannot assign requested address
Oct 21 18:22:06 ip ntpd[2521]: unable to create socket on lo (84146) for ::1#123
Oct 21 18:22:06 ip ntpd[2521]: failed to init interface for address ::1

Or just do this: https://phabricator.vyos.net/T3008

c-po added a comment.Oct 22 2020, 7:57 PM

The current NTP config always binds to localhost and localhost is not a part of the mgmt VRF thus this error message.

maznu added a subscriber: maznu.Jan 2 2021, 7:32 AM

Similar issue for snmpd:

Jan  2 07:27:31 aebi systemd[1]: snmpd.service: Service RestartSec=10s expired, scheduling restart.
Jan  2 07:27:31 aebi systemd[1]: snmpd.service: Scheduled restart job, restart counter is at 91.
Jan  2 07:27:31 aebi systemd[1]: Stopped Simple Network Management Protocol (SNMP) Daemon..
Jan  2 07:27:31 aebi systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon....
Jan  2 07:27:31 aebi systemd[1]: Started Simple Network Management Protocol (SNMP) Daemon..
Jan  2 07:27:31 aebi snmpd[4822]: Error opening specified endpoint "udp:127.0.0.1:161"
Jan  2 07:27:31 aebi snmpd[4822]: Server Exiting with code 1
maznu added a comment.Jan 2 2021, 7:37 AM

Amending /etc/snmp/snmpd.conf as follows got it working for me (albeit temporarily). Our snmp listen-address is 10.13.0.56 in this instance.

From:

agentaddress unix:/run/snmpd.socket,udp:10.13.0.56:161,udp:127.0.0.1:161,udp6:[::1]:161

To:

agentaddress unix:/run/snmpd.socket,udp:10.13.0.56:161
c-po added a comment.EditedJan 2 2021, 9:59 AM

The system tries to bind itself to the localhost address which is not in the VRF, this is definately a fault, Why did I not see that?

I will investigate if it is possible to drop or to add the localhost address from the listen addresses as we also have a UNIX domain socket here. Will update this task.

Cumulus states: The management VRF configurations in this chapter contain a localhost loopback IPv4 address of 127.0.0.1/8 and IPv6 address of ::1/128. Management VRF must have an IPv6 address as well as an IPv4 address to work correctly. Adding the loopback address to the layer 3 domain of the management VRF prevents issues with applications that expect the loopback IP address to exist in the VRF, such as NTP.

c-po reopened this task as Confirmed.Jan 2 2021, 9:59 AM
c-po added a comment.Jan 2 2021, 11:20 AM

Loopback IP addresses are now automatically assigned to every VRF interface

47: bar: <NOARP,MASTER,UP,LOWER_UP> mtu 65536 qdisc noqueue state UP group default qlen 1000
    link/ether 76:7d:c0:53:6d:89 brd ff:ff:ff:ff:ff:ff
    inet 127.0.0.1/8 scope host bar
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
c-po closed this task as Resolved.Jan 2 2021, 12:00 PM
erkin set Issue type to Feature (new functionality).Aug 30 2021, 6:49 AM
erkin removed a subscriber: Active contributors.
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Aug 29 2022, 7:13 PM
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0) board.
c-po changed the status of subtask T6192: Multi VRF support for SSH from Open to In progress.Sun, Mar 31, 12:51 PM
c-po closed subtask T6192: Multi VRF support for SSH as Resolved.Wed, Apr 3, 6:36 AM