<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/src/init, branch 1.4.0-epa2</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/marekm72/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/marekm72/vyos-1x.git/atom?h=1.4.0-epa2</id>
<link rel='self' href='https://git.amelek.net/marekm72/vyos-1x.git/atom?h=1.4.0-epa2'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/marekm72/vyos-1x.git/'/>
<updated>2024-03-06T04:33:40+00:00</updated>
<entry>
<title>T6096: Config commits are not synced properly because 00vyos-sync is deleted by vyos-router</title>
<updated>2024-03-06T04:33:40+00:00</updated>
<author>
<name>Apachez</name>
<email>apachez@gmail.com</email>
</author>
<published>2024-03-04T17:59:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/marekm72/vyos-1x.git/commit/?id=72e82a5ba0159f1cb3e077afa33f5141374aa953'/>
<id>urn:sha1:72e82a5ba0159f1cb3e077afa33f5141374aa953</id>
<content type='text'>
(cherry picked from commit 433faaa9fe7d7dfc02db78ff039e772f5037037a)
</content>
</entry>
<entry>
<title>init: T2044: fix "binary operator expected" when two or more RPKI caches are defined</title>
<updated>2024-02-12T20:33:06+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-02-12T20:26:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/marekm72/vyos-1x.git/commit/?id=e021dee485fb6f90c00509f9461a11a457a67918'/>
<id>urn:sha1:e021dee485fb6f90c00509f9461a11a457a67918</id>
<content type='text'>
Fix commit 9b8e11e07 ("init: T2044: only start rpki if cache is configured")
which showed a disturbing error on tty0 after boot that a "binary operator
expected" when checking for RPKI caches when multiple results got returned.

(cherry picked from commit a5ac522f8c675ee2b2c2f4f08be7c41943632e94)
</content>
</entry>
<entry>
<title>init: T2044: only start rpki if cache is configured</title>
<updated>2024-02-07T20:56:38+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-02-07T20:34:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/marekm72/vyos-1x.git/commit/?id=f7a83728d4179ae5eedf0a109bc37733b79c82b4'/>
<id>urn:sha1:f7a83728d4179ae5eedf0a109bc37733b79c82b4</id>
<content type='text'>
This extends commit 9199c87cf ("init: T2044: always start/stop rpki during
system boot") to check the bootup configuration if an RPKI cache is defined.
Only start RPKI if this is the case.

(cherry picked from commit 9b8e11e078c42e3ae86ebfa45fec57336f25a0af)
</content>
</entry>
<entry>
<title>conntrack: T5376: T5779: backport from current</title>
<updated>2024-01-18T21:09:30+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-01-18T21:05:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/marekm72/vyos-1x.git/commit/?id=80068c8ce453a385981999c25e4ff5aeaa6bf030'/>
<id>urn:sha1:80068c8ce453a385981999c25e4ff5aeaa6bf030</id>
<content type='text'>
Backport of the conntrack system from current branch.

(cherry picked from commit fd0bcaf12)
(cherry picked from commit 5acf5aced)
(cherry picked from commit 42ff4d8a7)
(cherry picked from commit 24a1a7059)
</content>
</entry>
<entry>
<title>T5474: establish common file name pattern for XML conf mode commands</title>
<updated>2024-01-01T08:25:32+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2023-12-30T22:25:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/marekm72/vyos-1x.git/commit/?id=c9eaafd9f808aba8d29be73054e11d37577e539a'/>
<id>urn:sha1:c9eaafd9f808aba8d29be73054e11d37577e539a</id>
<content type='text'>
We will use _ as CLI level divider. The XML definition filename and also
the Python helper should match the CLI node.

Example:
set interfaces ethernet -&gt; interfaces_ethernet.xml.in
set interfaces bond -&gt; interfaces_bond.xml.in
set service dhcp-server -&gt; service_dhcp-server-xml.in

(cherry picked from commit 4ef110fd2c501b718344c72d495ad7e16d2bd465)
</content>
</entry>
<entry>
<title>login: T4943: use pam-auth-update to enable/disable Google authenticator</title>
<updated>2023-12-08T17:06:26+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2023-12-07T20:30:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/marekm72/vyos-1x.git/commit/?id=14b107442ebf1f4f44bad485c585d4b9cfd97384'/>
<id>urn:sha1:14b107442ebf1f4f44bad485c585d4b9cfd97384</id>
<content type='text'>
The initial version always enabled Google authenticator (2FA/MFA) support by
hardcoding the PAM module for sshd and login.

This change only enables the PAM module on demand if any user has 2FA/MFA
configured. Enabling the module is done system wide via pam-auth-update by
using a predefined template.

Can be tested using:

set system login user vyos authentication plaintext-password vyos
set system login user vyos authentication otp key 'QY735IG5HDHBFHS5W7Y2A4EM274SMT3O'

See https://docs.vyos.io/en/latest/configuration/system/login.html for additional
details.

(cherry picked from commit e134dc4171b051d0f98c7151ef32a347bc4f87e2)
</content>
</entry>
<entry>
<title>init: T5577: clear mandatory and optional RADIUS/TACACS PAM settings</title>
<updated>2023-11-20T16:57:20+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2023-10-03T07:23:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/marekm72/vyos-1x.git/commit/?id=e1bf5516bbb00de5689a1091a6e21b1fc45a7340'/>
<id>urn:sha1:e1bf5516bbb00de5689a1091a6e21b1fc45a7340</id>
<content type='text'>
This complements commit 5181ab60bb ("RADIUS: T5577: Added 'mandatory' and
'optional' modes for RADIUS") and commit 1c804685d0 ("TACACS: T5577: Added
'mandatory' and 'optional' modes for TACACS+"). As those new services
should also be cleaned during system boot.
</content>
</entry>
<entry>
<title>login: T5521: do not call system-login.py in vyos-router init</title>
<updated>2023-10-04T18:58:21+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2023-10-04T14:45:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/marekm72/vyos-1x.git/commit/?id=7498c30ef56b9727c037c5c79ec82507dd792d82'/>
<id>urn:sha1:7498c30ef56b9727c037c5c79ec82507dd792d82</id>
<content type='text'>
Calling system-login.py with no mounted VyOS config has the negative effect
that the script will not detect any local user accounts and thus assumes they
all need to be removed from the password backend.

As soon as the VyOS configuration is mounted and the CLI content is processed,
system-login.py gets invoked and re-creates the before deleted user accounts.
As the account names are sorted in alphabetical order, the name &lt;-&gt; UID mapping
can get mixed up during system reboot.

The intention behind calling system-login.py from vyos-router init was to
reset system services (PAM, NSS) back to sane defaults with the defaults
provided via system-login.py. As PAM is already reset in vyos-router startup
script, /etc/nsswitch.conf was the only candidate left.

This is now accomplished by simply creating a standard NSS configuration file
tailored for local system accounts.

This is the second revision after the first change via commit 64d32329958
("login: T5521: home directory owner changed during reboot") got reverted.

(cherry picked from commit 12069d5653034b46a47430353c3867b3678c196f)
</content>
</entry>
<entry>
<title>T5436: Add missing preconfig-script</title>
<updated>2023-10-03T09:18:35+00:00</updated>
<author>
<name>Apachez</name>
<email>apachez@gmail.com</email>
</author>
<published>2023-09-30T20:26:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/marekm72/vyos-1x.git/commit/?id=4bbbca984f9067359378cbe1430a05a37945c1d3'/>
<id>urn:sha1:4bbbca984f9067359378cbe1430a05a37945c1d3</id>
<content type='text'>
(cherry picked from commit 646f08fc5a302e08aad90af3fa0ee32e138ee585)
</content>
</entry>
<entry>
<title>init: T5239: configure system hostname prior to FRR startup</title>
<updated>2023-09-19T18:39:54+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2023-09-19T16:41:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/marekm72/vyos-1x.git/commit/?id=e8581998c2bfbbee349eee89df6d59cc6c4fca16'/>
<id>urn:sha1:e8581998c2bfbbee349eee89df6d59cc6c4fca16</id>
<content type='text'>
On first boot after an upgrade /etc/hostname and FRR configuration are not
populated. FRR determines the system hostname once during startup and does not
respect changes of the hostname CLI value.

Thus after an upgrade of VyOS FRR started with a hostname of debian that was
propagated to peers.

The commit retrieves the hostname from the CLI and presets this before FRR is
initially started.

(cherry picked from commit ac21a4e69fac27504b62927a20d0a6a273abb034)
</content>
</entry>
</feed>
