Two engineers SSH into the same router. Both type configure. Both make changes. Both commit. One overwrites the other’s work. Nobody knows what happened until something breaks.
VyOS configuration sessions solve this. Each session is isolated. Changes don’t interfere. Conflicts are detected before commit, not after outage.
Sessions prevent “who changed what” mysteries before they become incidents.
The Problem
Without sessions, configuration mode is a shared space:
Engineer A Engineer B----------- -----------configure configureset firewall rule 10... set interfaces eth1... commit ← B's changes savedcommit ← A overwrites B's changes!Engineer B’s changes are silently lost. No warning, no merge, just gone.
How Sessions Work
VyOS 1.4+ supports configuration sessions. Each session:
- Has unique ID
- Isolated working copy of config
- Can see other sessions
- Detects conflicts on commit
Engineer A (session abc123) Engineer B (session def456)-------------------------- --------------------------configure configure# Working on isolated copy # Working on isolated copyset firewall... set interfaces...# Changes only in abc123 # Changes only in def456Session Management
View Active Sessions
# List all configuration sessionsshow configuration sessions
# Example output:# Session ID User Started# abc123 admin 2025-01-08 10:15:03# def456 engineer 2025-01-08 10:18:22Enter Named Session
# Create or resume named sessionconfigure session my-firewall-changes
# Session persists even if you disconnect# SSH back in, resume:configure session my-firewall-changes
# All your uncommitted changes are still thereDiscard Session
# Exit and discard changesexit discard
# Or explicitly delete sessiondelete configuration session my-firewall-changesConflict Detection
What Happens on Conflict
# Engineer A in session abc123:configureset interfaces ethernet eth0 description "WAN Link"commit # Success
# Engineer B in session def456:configureset interfaces ethernet eth0 description "Internet Uplink"commit # ERROR: Configuration conflict detected
# Output:# The following configuration conflicts were detected:# interfaces ethernet eth0 description# Current: "WAN Link"# Your change: "Internet Uplink"Resolving Conflicts
# Option 1: Refresh and redoexit discardconfigure# See current configshow interfaces ethernet eth0# Make decision, apply changeset interfaces ethernet eth0 description "Internet Uplink"commit
# Option 2: Force your versioncommit --force # Overwrites conflicting values# Use with caution - you're overwriting someone's work
# Option 3: Merge manuallycompare # See differences# Adjust your changes to accommodate bothSession Workflow Examples
Example 1: Large Firewall Update
# Start named session for trackingconfigure session firewall-2025-01-08
# Make many changes over timeset firewall ipv4 name WAN-IN rule 100 ...set firewall ipv4 name WAN-IN rule 101 ...set firewall ipv4 name WAN-IN rule 102 ...
# Save session, exit for lunchexit
# Come back, continue workconfigure session firewall-2025-01-08set firewall ipv4 name WAN-IN rule 103 ...
# Review all changesshow | compare
# Commit when readycommit-confirm 5confirm
# Session automatically cleaned up after commitExample 2: Team Coordination
# Engineer A: Working on BGPconfigure session bgp-changesset protocols bgp neighbor 10.0.0.1 ...
# Engineer B: Working on firewall (different session)configure session firewall-changesset firewall ipv4 name ...
# Both can work simultaneously# Both can commit (no conflicts - different config sections)Example 3: Testing Before Commit
# Create test sessionconfigure session testing-nat
# Make changesset nat source rule 100 ...
# Compare what would changeshow | compare
# Show the commands that would be appliedshow | commands
# Decide to discardexit discard# Or decide to applycommitViewing Session Differences
Compare Session to Running Config
configure session my-changes
# What would change if I commit?show | compare
# Output shows:# +set interfaces ethernet eth0 description "New description"# -set interfaces ethernet eth0 description "Old description"Compare Sessions to Each Other
# Not directly supported, but you can:
# From session A, save diffshow | compare > /tmp/session-a-diff.txt
# From session B, save diffshow | compare > /tmp/session-b-diff.txt
# Compare filesdiff /tmp/session-a-diff.txt /tmp/session-b-diff.txtSession Timeout
Sessions don’t persist forever:
# Default: sessions expire after 30 minutes of inactivity
# Check current timeoutshow configuration session-timeout
# Modify timeout (in minutes)configureset system session-timeout 60commitPersistent Sessions
For long-running work:
# Keep session alive with periodic activity# Or increase timeout significantly
# Check session statusshow configuration sessionsBest Practices
1. Use Named Sessions for Major Changes
# Bad: Anonymous sessionconfigure # What was I working on?
# Good: Descriptive nameconfigure session ticket-12345-add-bgp-peer2. One Logical Change Per Session
# Bad: Everything in one sessionconfigure session all-my-stuffset firewall ...set bgp ...set nat ...# Huge commit, hard to rollback one thing
# Good: Separate sessionsconfigure session firewall-update# ... only firewall changes
configure session bgp-peer-addition# ... only BGP changes3. Review Before Commit
configure session important-change
# Always review what you're committingshow | compareshow | commands
# Then commitcommit-confirm 54. Clean Up Abandoned Sessions
# List old sessionsshow configuration sessions
# Delete abandoned onesdelete configuration session old-test-sessiondelete configuration session johns-forgotten-workLimitations
What Sessions Don’t Do
- Don’t provide history - Sessions are temporary workspaces, not audit trails
- Don’t allow collaborative editing - One user per session
- Don’t auto-merge - Conflicts must be resolved manually
- Don’t persist across reboots - Uncommitted sessions are lost
When Sessions Aren’t Enough
For complex team workflows, consider:
- Git-based configuration management
- Ansible/Terraform for deployments
- Separate staging environment
Sessions handle concurrent edits. Version control handles history and rollback.
Troubleshooting
Can’t Enter Configuration Mode
# Another session might be lockedshow configuration sessions
# If stuck session exists# Try to take ownership (if you're sure)configure session stuck-sessionexit discardLost Session Changes
# Session timed out or router rebooted?# Uncommitted changes are gone
# Always commit before:# - Long breaks# - Router maintenance# - End of work dayConflict on Every Commit
# Another process might be modifying config
# Check for automationshow log | grep -i commit
# Coordinate with team# Pause automated deployments during manual workThe Lesson
Sessions prevent “who changed what” mysteries before they become incidents.
On a shared router:
- Without sessions: Chaos, overwrites, mystery changes
- With sessions: Isolation, conflict detection, clear ownership
The few seconds to type configure session descriptive-name saves hours of debugging “why did this config disappear?”
Every team environment should use sessions. Every major change should use a named session. Every commit should follow a review.
The router knows when you’re about to overwrite someone’s work. Let it tell you.