Correct way to customize system

General questions
1

Hello,
I’d like to understand what is the correct way to make system configuration customization that can survive after a reboot.

For example, I customized my /etc/ssh/sshd_config but I lost this customization after reboot.
The strange thing is that, for example, I was able to change the .ssh/authorized_keys and find the modification after reboot.

What is the correct way to do it? Should I rely on post boot script: /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script?

Some extra info:

  • I’m using VyOS 1.0.3.
  • I installed it by install image.

Thank you
Adriano

2

VyOS uses runtime reconfiguration script which runs just before login prompt (you can see it, it writes “configuration” word at boot time).

Main configuration file resides under /opt/vyatta/etc/config dir which is mounted to /config at boot.
Next, the script begins it’s job: it parses this configuration file and regenerates many of system configs (under /etc) on the fly.
That’s why you lost direct changes in sshd_config.

Direct editing files under /etc is not right way for serious router. Because if you start editing that 100500 files under /etc then you’ll get unique router that will be unsupportable by anyone else (even in case you’ll comment your changes). And that’s why none of networking hardware manufacturers gives low-level access to the system, all of them have some kind of standard configuration interface and standard use cases for every config line. That’s the right way even if you have just two routers.

But sometimes user gets into situation when he can’t get the things working just with standard interface. He wants to “screw that bolt a little bit more”. Then, in case of using propietary vendor hard/software, he must ask the vendor to add the feature he wants. But what the vendor will say? “No problems, it will cost $x00000 and we’ll do it in next XX months”. None of the vendors will do unique modifications just for one user. Because they’re just making money on mainstream. And that’s why nearly all of customers have an old Pentium-90 PC under Linux which is standing near coolest Cisco ASR and making one-two simple things that ASR can’t do :slight_smile:

And here the open source can beat propietary. Do you need to screw that bolt? No problems, here’s a screwdriver, but you should screw it yourself with support of the community. And get the results public if you can.

Try to use standard VyOS configuration shell to get things working. It will work for many-many of standard use cases.
Again, the main idea of this shell is to make configuration standard to keep it supportable. User shouldn’t remeber all of config files, their syntax and relationships. And there is no any reasons to break this axiom.

If the things you need are really missing then there are two ways to make the configuration, I think:

  1. Directly edit config files and make some script to overwrite autogenerated ones. It’s good for testing, but bad for production: in this case you’ll get unique system with all of it’s limitations.
  2. Add missing features to the VyOS shell. It’s not as difficult as it seems, but it can be well documented and used/supported by someone else.

So, the both ways are suitable, and only you can decide which of them is right for the situation :slight_smile:

3

Hello Valentin,
thank you for your reply, it was really useful for me.
What I was trying to achieve was more a minor configuration rather than a feature (for example: one of these was increase the SSH timeout) so I suppose I’m more in case [font=Courier][1][/font].

I looked into[font=Courier] /opt/vyatta/etc[/font] and, for what is my understanding, there I can also find some system files that will be used as template/replacement after the vyos boot.
What I’m still missing is the piece of code/configuration doing the coldfusion:

[font=Courier]final config[/font] = [[font=Courier]system base[/font]] + [[font=Courier]/opt/vyatta/etc files[/font]]

A concrete example: I was trying to avoid the SSH timeout (for diagnostic reason) and add into [font=Courier]/etc/ssh/sshd_config[/font] lines:

TCPKeepAlive yes ClientAliveInterval 30 ClientAliveCountMax 99999

how could I take advantage of dir [font=Courier] /opt/vyatta/etc[/font] to be vyos-compliant?
I would use the [font=Courier]vyatta-postconfig-bootup.script[/font] to add something like:

echo TCPKeepAlive yes >> /etc/ssh/sshd_config

but, of course, I would follow a more “clean” approach.

Thank you
Adriano

4

Not only that files. Some files are generated by the script at boot time (just like /etc/dnsmasq.conf, ntp.conf in case they’re enabled).

I’ve missed that you’d installed the system using “install image”. Try to reinstall it using “install system” command.

In case of installing it via “install image” installer just copies live image (which is read-only) to HDD and kernel mounts it at boot time. Any modifications you’ll do in that image will use “copy-on-write” technique, simulating file writing to R/O filesystem. But after reboot you’re get clean image again.
Take a look to “mount -a” output and “/proc/cmdline” and you’ll understand what I’m speaking about (especially with my terrible english :))

Read-only images are good for production routers because it’s not so simple to modify them via root-kits in case of possible security breaks, for example.

In case of “install system” the whole image gets unpacked to an HDD partition as ordinary files, so they can be modified, but some of them still will be overwriten by configuration script at next boot time.

It’s good for debugging.

Another way: take a look into /opt/vyatta/share/vyatta-cfg/templates/service/ssh/node.def. There you’ll find the command that runs when parser reaches the end of “system ssh” section of config file:

end: if [ -z "$VAR(port/@)" ]; then exit 0; fi
     STR="SSHD_OPTS=\"-p $VAR(port/@)\""
     sudo sh -c "echo '$STR' > /etc/default/ssh"
     sudo /usr/sbin/invoke-rc.d ssh restart

So, we can modify script a bit to set necessary options to sshd just like this:

end: if [ -z "$VAR(port/@)" ]; then exit 0; fi
     STR="SSHD_OPTS=\"-p $VAR(port/@)\" -o TCPKeepAlive=yes -o ClientAliveInterval=30"
     sudo sh -c "echo '$STR' > /etc/default/ssh"
     sudo /usr/sbin/invoke-rc.d ssh restart

I’m not sure about sshd’s command-line options syntax, but I think you’ve got the idea.

Then, after restart, script will populate /etc/default/ssh file with options we’ve provided.

Take a look into other .def files under /opt/vyatta/share/vyatta-cfg/templates/service/ssh/. You’ll find that some of them calls sed to modify some of sshd options at boot time. And that’s the VyOS’s way: keep all of that modifications out of user’s eyes.

Hope this will help you.

5

Hello Valentin,
your english is really understandable and surely better than mine.

I supposed it was related to UnionFS, I chose the install image to have more flexibility with updates.

I like the possibility to extend configuration in vyos extending .def files. I could do it by myself but I want submit the proposal to community and after implement it: I don’t want produce a personal dialect in configuration :), I much prefer define commands to be standard and included in future VyOS releases.

I’d like to learn more about the .def files and mechanism: have you got any suggestion about where start reading? (a part from reading source code, of course :).

Thank you
Adriano

6

Here’s some information about .def syntax and Perl/Shell APIs:

http://vyos.net/wiki/Configuration_mode_templates
http://vyos.net/wiki/Perl_API
http://vyos.net/wiki/Shell_API
http://wiki.het.net/wiki/Category:Development

7

Thank you!

8

Hello Adriano

It is mean that you want to create the following commands?

set service ssh tcpkeepalive yes/no
set service ssh client-alive-interval 30
set service ssh client-alive-count-max 99999

For easy development

cp -a /opt/vyatta/share/vyatta-cfg/templates/service/ssh/listen-address /opt/vyatta/share/vyatta-cfg/templates/service/ssh/tcpkeepalive

and Edit /opt/vyatta/share/vyatta-cfg/templates/service/ssh/tcpkeepalive/node.def

If this modification work well, please fork and modify GitHub - vyos/vyatta-cfg-system: Vyatta system-level configuration templates/scripts.

This url might be help

This is the implementation of

set service ssh listen-address xxx.xxx.xxx.xx

Happy hacking!!


Hiroyuki Sato

9

Great, thank you Hiroyuki! I’m delighted by so much support.

I’ll follow your indications and keep you update.

Thank you.
Adriano C.

10

Updating this post after 11years !!
Anyone who is still seeking for a solution to customize sshd_config.

Problem: Due to security requirements in my workplace, and not being able to upgrade vyos 1.3.2 to latest versions, I had to modify ssh daemon config to strip the depricated algorithms from sshd config.
By default, vyos does support a wide ranges of algorithms, but security won’t allow keeping SHA-1 mostly.
Also vyos cli config mode will allow to select algorithms for kex, mac, ciphers but not HostKeyAlgorithms.

set service ssh [TAB]

Possible completions will not show HostKeyAlgorithms

By default, supported HostKeyAlgorithms are:-

rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519

This requires direct modification of the /etc/ssh/sshd_config file. and then restart ssh service.
But if we reboot the router for any case, this change will wipe out as the reboot will load the fresh router image into running config.

Procedure:

1.Save sshd_config in the file.

Using your favorite editor, add the following entry to /etc/ssh/sshd_config:

HostKeyAlgorithms any_desired_Algo_for_example ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

sudo service ssh restart

2.Persist the change to survive reboot.

Edit /opt/vyatta/share/vyatta-cfg/templates/service/ssh/node.def

My original file looked like this -

priority: 1000
help: Secure Shell (SSH)
end: sudo sh -c “${vyshim} ${vyos_conf_scripts_dir}/ssh.py”

And I have modified to this-

priority: 1000
help: Secure Shell (SSH)
end: sudo sh -c “${vyshim} ${vyos_conf_scripts_dir}/ssh.py”
------STR=“HostKeyAlgorithms paste your desired algorithms here”
------sudo sh -c “echo -e ‘# new custom config for HostKeyAlgorithms\n \n’ >> /etc/ssh/sshd_config”
------sudo sh -c “echo ‘$STR’ >> /etc/ssh/sshd_config”
----- sudo /usr/sbin/invoke-rc.d ssh restart

careful about the indentation, all lines need be aligned after "end: "

Thats it.
I appreciate all the helpful posts from this forum which worked a guideline for me to solve my problem.

Cheers!

2 Likes
11

Do not recommend to use it for everyone as the system with those changes will not survive upgrade :wink: