VyOS Networks Blog

Building an open source network OS for the people, together.

VyOS Project July 2023 Update

Daniil Baturin
Posted 14 Jul, 2023

Hello, Сommunity!

We hope you enjoy your summer!

In June, there was a lot of work done on VyOS. Why is this update so short, then?

One reason is that VyOS 1.4 is now on the way to becoming the new LTS release, and there's a lot of work on smoke tests and refactoring that is required to stabilize it.

However, a few long-awaited features also landed in the rolling release in June, including TACACS+, config sync, and initial support for accelerated networking with VPP. Let's review the user-visible changes in the 1.3 LTS branch and the rolling release.

VyOS 1.3 Equuleus

  • VRRP version can be explicitly set (T5315): set high-availability vrrp group <name> version [2|3]

VyOS 1.4 Sagitta

TACACS+ authentication support (T141)

VyOS has had usable RADIUS login support for a while now, but TACACS+ remained a frequently-requested feature. There has been work done on it, on and off, and currently, it's finally working (thanks to the efforts of Christian Breunig!). Here's how to enable it:

set system login tacacs server <address> key <key>
# Optionally
set system login tacacs server <address> timeout <n>
set system login tacacs server <address> port <port>
set system login tacacs server <address> source-address <address>

Command accounting through TACACS+ is not supported yet, but it's on the list of planned features.

Configuration synchronization between VyOS routers (T775)

Config synchronization is another long-awaited feature. In the VyOS 1.1 and early 1.2 eras, our excuse for not implementing it was that there wasn't a proper remote API for working with configuration. Sending commands over SSH is an anti-pattern and a potential cause of multiple problems. However, with the proper HTTP API, there were no excuses anymore — only design questions.

Viacheslav Hletenko stepped forward and made an initial implementation. Some things to note about it:

  • It's strictly unidirectional — primary to the replica. This avoids the problem of trying to reconcile divergent configs, but the administrator needs to remember not to configure the secondary router by hand.
  • It comes with two modes: "load" (replace) and "set" (add).
  • So far it's only available for select configuration sections.
set service config-sync secondary address <address>
set service config-sync secondary key <key>
set service config-sync section [nat|nat66|firewall]
set service config-sync mode [load|set]

We'll be glad to hear from everyone who tests that feature and reports on their experience or any issues they may find!

VPP is set to replace XDP (T1797, T5286)

The question of how to do 40 and 100-gigabit networking with VyOS becomes increasingly frequent as network speeds increase. Currently, kernel bypass networking is the answer to that question. General-purpose hardware and Linux kernel networking stack certainly caught up with 10 gigabits already, but everything beyond that still requires a fast path.

The most promising project for that role, as of now, is VPP.

Now, thanks to the efforts of Taras Pudiak, we have a prototype. The current implementation is experimental and has to be manually enabled in the CLI in the rolling release.

# Enable the VPP CLI
sudo mv /opt/vyatta/share/vyatta-cfg/vpp /opt/vyatta/share/vyatta-cfg/templates/vpp

# Configure set vpp cpu main-core '1' set vpp cpu corelist-workers '2' set vpp physmem max-size '2048m' set vpp interface eth1 num-rx-desc '256' set vpp interface eth1 num-rx-queues '512' set vpp interface eth1 num-tx-desc '256' set vpp interface eth1 num-tx-queues '512' set vpp interface eth1 pci '0000:02:00.0' set vpp interface eth1 rx-mode 'polling' set vpp interface eth2 pci '0000:08:00.0'

As you can see from the CLI, Ethernet devices need to be switched into the VPP mode explicitly. That is intentional. Many network OSes that use a kernel bypass data plane make it mandatory. That's not an option because we are committed to keeping VyOS available on small devices with a single CPU, hardware with network cards without VPP drivers, and on all virtual platforms. We believe the user should be free to choose whether they use only kernel networking or the VPP-based data plane, so we will keep it optional in all future releases.

If you require high-speed networking and are in a position to test it, please get in touch! Many things still can't be used with VPP right now, but we intend to keep expanding feature support for it.

Other changes

  • Bind mount propagation mode for container volumes can be manually set (T5304): set container name <name> volume <name> propagation [shared|slave|private|rshared|rslave|rprivate]
  • Dynamic DNS implementation was revamped. Existing configurations will be automatically migrated with an update. See the pull request for details (T5144).
  • Op mode CLI will warn you about unsaved commits before a shutdown (T5262) and boot config errors before entering config mode (T5320).
  • It is now possible to declare a list of extended community addresses in the BGP route-map configuration (T4660): set policy route-map <name> rule <n> set extcommunity rt '<address> <address> ...'

That's all for now, but we continue!


The post categories: