diff options
| -rw-r--r-- | data/templates/frr/isisd.frr.j2 | 8 | ||||
| -rw-r--r-- | data/templates/load-balancing/haproxy.cfg.j2 | 2 | ||||
| -rw-r--r-- | interface-definitions/include/isis/protocol-common-config.xml.i | 12 | ||||
| -rw-r--r-- | interface-definitions/load-balancing-haproxy.xml.in | 6 | ||||
| -rw-r--r-- | python/vyos/utils/config.py | 34 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_load_balancing_reverse_proxy.py | 2 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_protocols_isis.py | 4 | ||||
| -rwxr-xr-x | src/conf_mode/interfaces-openvpn.py | 6 | ||||
| -rwxr-xr-x | src/helpers/read-saved-value.py | 30 | ||||
| -rwxr-xr-x | src/init/vyos-router | 7 |
10 files changed, 107 insertions, 4 deletions
diff --git a/data/templates/frr/isisd.frr.j2 b/data/templates/frr/isisd.frr.j2 index 3c37e28b9..dbb8c7305 100644 --- a/data/templates/frr/isisd.frr.j2 +++ b/data/templates/frr/isisd.frr.j2 @@ -58,6 +58,12 @@ exit ! router isis VyOS {{ 'vrf ' + vrf if vrf is vyos_defined }} net {{ net }} +{% if advertise_high_metrics is vyos_defined %} +advertise-high-metrics +{% endif %} +{% if advertise_passive_only is vyos_defined %} +advertise-passive-only +{% endif %} {% if dynamic_hostname is vyos_defined %} hostname dynamic {% endif %} @@ -191,4 +197,4 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is vyos_defined }} is-type {{ level }} {% endif %} exit -!
\ No newline at end of file +! diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2 index 0a40e1ecf..a75ee9904 100644 --- a/data/templates/load-balancing/haproxy.cfg.j2 +++ b/data/templates/load-balancing/haproxy.cfg.j2 @@ -146,7 +146,7 @@ backend {{ back }} {% if back_config.server is vyos_defined %} {% set ssl_back = 'ssl ca-file /run/haproxy/' ~ back_config.ssl.ca_certificate ~ '.pem' if back_config.ssl.ca_certificate is vyos_defined else '' %} {% for server, server_config in back_config.server.items() %} - server {{ server }} {{ server_config.address }}:{{ server_config.port }}{{ ' check' if server_config.check is vyos_defined }}{{ ' send-proxy' if server_config.send_proxy is vyos_defined }}{{ ' send-proxy-v2' if server_config.send_proxy_v2 is vyos_defined }} {{ ssl_back }} + server {{ server }} {{ server_config.address }}:{{ server_config.port }}{{ ' check' if server_config.check is vyos_defined }}{{ ' backup' if server_config.backup is vyos_defined }}{{ ' send-proxy' if server_config.send_proxy is vyos_defined }}{{ ' send-proxy-v2' if server_config.send_proxy_v2 is vyos_defined }} {{ ssl_back }} {% endfor %} {% endif %} {% if back_config.timeout.check is vyos_defined %} diff --git a/interface-definitions/include/isis/protocol-common-config.xml.i b/interface-definitions/include/isis/protocol-common-config.xml.i index 4ca7061db..648f2b319 100644 --- a/interface-definitions/include/isis/protocol-common-config.xml.i +++ b/interface-definitions/include/isis/protocol-common-config.xml.i @@ -1,4 +1,16 @@ <!-- include start from isis/protocol-common-config.xml.i --> +<leafNode name="advertise-high-metrics"> + <properties> + <help>Advertise high metric value on all interfaces</help> + <valueless/> + </properties> +</leafNode> +<leafNode name="advertise-passive-only"> + <properties> + <help>Advertise prefixes of passive interfaces only</help> + <valueless/> + </properties> +</leafNode> <node name="area-password"> <properties> <help>Configure the authentication password for an area</help> diff --git a/interface-definitions/load-balancing-haproxy.xml.in b/interface-definitions/load-balancing-haproxy.xml.in index f955a2fb7..564c335ec 100644 --- a/interface-definitions/load-balancing-haproxy.xml.in +++ b/interface-definitions/load-balancing-haproxy.xml.in @@ -124,6 +124,12 @@ </constraint> </properties> </leafNode> + <leafNode name="backup"> + <properties> + <help>Use backup server if other servers are not available</help> + <valueless/> + </properties> + </leafNode> <leafNode name="check"> <properties> <help>Active health check backend server</help> diff --git a/python/vyos/utils/config.py b/python/vyos/utils/config.py new file mode 100644 index 000000000..bd363ce46 --- /dev/null +++ b/python/vyos/utils/config.py @@ -0,0 +1,34 @@ +# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io> +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library. If not, see <http://www.gnu.org/licenses/>. + +import os +from vyos.defaults import directories + +config_file = os.path.join(directories['config'], 'config.boot') + +def read_saved_value(path: list): + if not isinstance(path, list) or not path: + return '' + from vyos.configtree import ConfigTree + try: + with open(config_file) as f: + config_string = f.read() + ct = ConfigTree(config_string) + except Exception: + return '' + if not ct.exists(path): + return '' + res = ct.return_values(path) + return res[0] if len(res) == 1 else res diff --git a/smoketest/scripts/cli/test_load_balancing_reverse_proxy.py b/smoketest/scripts/cli/test_load_balancing_reverse_proxy.py index a33fd5c18..274b97f22 100755 --- a/smoketest/scripts/cli/test_load_balancing_reverse_proxy.py +++ b/smoketest/scripts/cli/test_load_balancing_reverse_proxy.py @@ -74,6 +74,7 @@ class TestLoadBalancingReverseProxy(VyOSUnitTestSHIM.TestCase): self.cli_set(back_base + [bk_second_name, 'mode', mode]) self.cli_set(back_base + [bk_second_name, 'server', bk_second_name, 'address', bk_server_second]) self.cli_set(back_base + [bk_second_name, 'server', bk_second_name, 'port', bk_server_port]) + self.cli_set(back_base + [bk_second_name, 'server', bk_second_name, 'backup']) self.cli_set(base_path + ['global-parameters', 'max-connections', max_connections]) @@ -106,6 +107,7 @@ class TestLoadBalancingReverseProxy(VyOSUnitTestSHIM.TestCase): self.assertIn(f'backend {bk_second_name}', config) self.assertIn(f'mode {mode}', config) self.assertIn(f'server {bk_second_name} {bk_server_second}:{bk_server_port}', config) + self.assertIn(f'server {bk_second_name} {bk_server_second}:{bk_server_port} backup', config) if __name__ == '__main__': diff --git a/smoketest/scripts/cli/test_protocols_isis.py b/smoketest/scripts/cli/test_protocols_isis.py index 5ab7fae14..747fb5e80 100755 --- a/smoketest/scripts/cli/test_protocols_isis.py +++ b/smoketest/scripts/cli/test_protocols_isis.py @@ -100,6 +100,8 @@ class TestProtocolsISIS(VyOSUnitTestSHIM.TestCase): self.cli_set(vrf_base + ['table', table]) self.cli_set(vrf_base + ['protocols', 'isis', 'net', net]) self.cli_set(vrf_base + ['protocols', 'isis', 'interface', vrf_iface]) + self.cli_set(vrf_base + ['protocols', 'isis', 'advertise-high-metrics']) + self.cli_set(vrf_base + ['protocols', 'isis', 'advertise-passive-only']) self.cli_set(['interfaces', 'ethernet', vrf_iface, 'vrf', vrf]) # Also set a default VRF IS-IS config @@ -115,6 +117,8 @@ class TestProtocolsISIS(VyOSUnitTestSHIM.TestCase): tmp = self.getFRRconfig(f'router isis {domain} vrf {vrf}', daemon='isisd') self.assertIn(f'router isis {domain} vrf {vrf}', tmp) self.assertIn(f' net {net}', tmp) + self.assertIn(f' advertise-high-metrics', tmp) + self.assertIn(f' advertise-passive-only', tmp) self.cli_delete(['vrf', 'name', vrf]) self.cli_delete(['interfaces', 'ethernet', vrf_iface, 'vrf']) diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 1d0feb56f..85905fd9a 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -30,6 +30,7 @@ from netifaces import interfaces from secrets import SystemRandom from shutil import rmtree +from vyos.base import DeprecationWarning from vyos.config import Config from vyos.configdict import get_interface_dict from vyos.configdict import is_node_changed @@ -165,6 +166,11 @@ def verify_pki(openvpn): if shared_secret_key not in pki['openvpn']['shared_secret']: raise ConfigError(f'Invalid shared-secret on openvpn interface {interface}') + # If PSK settings are correct, warn about its deprecation + DeprecationWarning("OpenVPN shared-secret support will be removed in future VyOS versions.\n\ + Please migrate your site-to-site tunnels to TLS.\n\ + You can use self-signed certificates with peer fingerprint verification, consult the documentation for details.") + if tls: if (mode in ['server', 'client']) and ('ca_certificate' not in tls): raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface},\ diff --git a/src/helpers/read-saved-value.py b/src/helpers/read-saved-value.py new file mode 100755 index 000000000..1463e9ffe --- /dev/null +++ b/src/helpers/read-saved-value.py @@ -0,0 +1,30 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# +# + +from argparse import ArgumentParser +from vyos.utils.config import read_saved_value + +if __name__ == '__main__': + parser = ArgumentParser() + parser.add_argument('--path', nargs='*') + args = parser.parse_args() + + out = read_saved_value(args.path) if args.path else '' + if isinstance(out, list): + out = ' '.join(out) + print(out) diff --git a/src/init/vyos-router b/src/init/vyos-router index cc69fae5a..b8833a8a0 100755 --- a/src/init/vyos-router +++ b/src/init/vyos-router @@ -371,8 +371,11 @@ start () && chgrp ${GROUP} ${vyatta_configdir} log_action_end_msg $? - rm -f /etc/hostname - ${vyos_conf_scripts_dir}/host_name.py || log_failure_msg "could not reset host-name" + # T5239: early read of system hostname as this value is read-only once during + # FRR initialisation + tmp=$(${vyos_libexec_dir}/read-saved-value.py --path "system host-name") + hostnamectl set-hostname --static "$tmp" + ${vyos_conf_scripts_dir}/system_frr.py || log_failure_msg "could not reset FRR config" # If for any reason FRR was not started by system_frr.py - start it anyways. # This is a safety net! |