Committing VyOS config to GitLab (while using VRFs)

It took me quite some time to get this working. When looking at the configs found on the internet I found several separate individual configs, but nothing that combined the following:

  • Using a separate routing VRF and a separate management VRF.
  • Uploading the config to GitLab after every commit.

This post will describe how to get the combination of both working with a minimum of special settings.

Setting up separate VRFs

In my VyOS installation I use BGP for routing, so I defined 2 separate VRFs: one for BGP and one for management. As a result, no services are available in the default VRF.

set vrf name MGT table '100'
set vrf name MGT description 'Management'
set vrf name BGP table '200'
set vrf name BGP description 'BGP upstreams'
set interfaces ethernet eth0 vrf 'BGP'
set interfaces ethernet eth1 vrf 'MGT'
set interfaces ethernet eth2 vrf 'BGP'
set service ntp vrf 'MGT'
set service snmp vrf 'MGT'
set service ssh vrf 'MGT'
set system syslog vrf 'MGT'
set vrf name MGT protocols static route 0.0.0.0/0 next-hop 172.17.17.1

Besides this I of course have a lot of configuration in the BGP VRF, but that is out of scope for this post.

Commit push to GitLab

VyOS has a built-in mechanism to automatically upload your config after each commit. This is quite easy if your default VRF has access to your GitLab repository: then it is just a matter of 1 or 2 commands in your config and it works. Without connectivity in the default VRF it is a bit more complicated. I made the following considerations:

  • Add a host alias in order to resolve the right host for GitLab. This is only necessary because I run GitLab behind a reverse proxy, so I need to connect to the host with the correct hostname.
  • Commits will only work from the MGT VRF, so somehow this must be enforced.

The first step was easy:

set system static-host-mapping host-name gitlab.example.com inet '172.17.17.12'

This statement will automatically create an entry in /etc/hosts, which means that this setting will also be backed up to GitLab.

set system config-management commit-archive location 'git+https://<user>:<password>@gitlab.example.com/user/vyos.git'

This enables the push of the config to GitLab on every commit. But when you commit this statement, it returns an error that it can’t reach gitlab.example.com, because the default VRF doesn’t have any connectivity.

force vrf MGT

This statement creates a subshell within the supplied VRF. When I issued it manually, changed an interface description and committed the change, the push to GitLab went fine. So the only remaining step is to enforce the MGT VRF on login. This is resolved by updating the .profile of the user and adding the following:

if [ -z "${VRF}" ]; then
    force vrf MGT
fi

When you are in a subshell within a specific VRF, the environment variable $VRF is set to that VRF's name. If you just put “force vrf MGT” in the .profile, it would loop, creating new subshells, because .profile is also executed within the subshell. The if statement prevents this loop.

And this solves the entire problem and gets the configs pushed to GitLab.
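
The commit-archive location set earlier carries the user and password inline in the URL, so that credential is stored in the router's configuration. As an added example (not part of the original post), the shell functions below audit set-style config lines for commit-archive locations with inline credentials and print them with the password masked; the function names and the sample user and token are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag commit-archive locations that embed a password and
# print them with the secret masked. Input: "set"-style config lines on stdin.

# mask_archive_url: rewrite scheme://user:password@host as scheme://user:***@host
mask_archive_url() {
    sed -E 's#(://[^:/@]+:)[^@/]+@#\1***@#'
}

# audit_commit_archive: print every commit-archive location that carries
# inline credentials (masked). Returns 1 if any were found, 0 otherwise.
audit_commit_archive() {
    hits=$(grep -E "commit-archive location '?[a-z+]+://[^/@' ]+:[^/@' ]+@" \
        | mask_archive_url)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample config; the user name and token are made up.
SAMPLE_CONFIG="set system static-host-mapping host-name gitlab.example.com inet '172.17.17.12'
set system config-management commit-archive location 'git+https://backup:s3cr3t-token@gitlab.example.com/user/vyos.git'
set service ssh vrf 'MGT'"

# Demo run: prints the masked line followed by a short verdict.
printf '%s\n' "$SAMPLE_CONFIG" | audit_commit_archive \
    || echo "inline credentials found in commit-archive location"
```

If the audit flags a line, a GitLab access token limited to this one repository keeps the exposure small should the config be read by someone else.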