Diffstat (limited to 'debian')
-rw-r--r--debian/changelog4
-rw-r--r--debian/compat2
-rw-r--r--debian/control44
-rwxr-xr-xdebian/rules28
-rw-r--r--debian/vyos-1x-smoketest.install1
-rwxr-xr-xdebian/vyos-1x-smoketest.postinst10
-rw-r--r--debian/vyos-1x.install8
-rw-r--r--debian/vyos-1x.links1
-rw-r--r--debian/vyos-1x.postinst122
-rw-r--r--debian/vyos-1x.preinst18
10 files changed, 191 insertions, 47 deletions
diff --git a/debian/changelog b/debian/changelog
index c9d925253..d64c66818 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-vyos-1x (1.4dev0) unstable; urgency=medium
+vyos-1x (1.5dev0) unstable; urgency=medium
* Dummy changelog entry for vyos-1x repository
This is a internal VyOS package and the VyOS package process does not use
@@ -7,4 +7,4 @@ vyos-1x (1.4dev0) unstable; urgency=medium
The correct verion number of this package is auto-generated by GIT
on build-time
- -- VyOS maintainers and contributors <maintainers@vyos.io> Mon, 11 Jan 2021 19:02:53 +0100
+ -- VyOS maintainers and contributors <maintainers@vyos.io> Sun, 10 Sep 2023 15:42:53 +0200
diff --git a/debian/compat b/debian/compat
index f599e28b8..48082f72f 100644
--- a/debian/compat
+++ b/debian/compat
@@ -1 +1 @@
-10
+12
diff --git a/debian/control b/debian/control
index cf766a825..ee45a5fe3 100644
--- a/debian/control
+++ b/debian/control
@@ -6,16 +6,11 @@ Build-Depends:
debhelper (>= 9),
dh-python,
fakeroot,
- gcc-multilib [amd64],
- clang [amd64],
- llvm [amd64],
- libbpf-dev [amd64],
- libelf-dev (>= 0.2) [amd64],
- libpcap-dev [amd64],
- build-essential,
+ gcc,
+ iproute2,
libvyosconfig0 (>= 0.0.7),
libzmq3-dev,
- python3,
+ python3 (>= 3.10),
python3-coverage,
python3-lxml,
python3-netifaces,
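Review bot: `debhelper (>= 9)` on the unchanged first line of this hunk is now too loose, since debian/compat is bumped from 10 to 12 in this same commit; a builder with an older debhelper will satisfy the dependency and then fail at the compat check instead of at dependency resolution. Tighten it to `debhelper (>= 12),` (or switch to `debhelper-compat (= 12)` and drop debian/compat, which is the current convention). The Build-Depends list continues above the visible lines.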
@@ -31,19 +26,25 @@ Standards-Version: 3.9.6
Package: vyos-1x
Architecture: amd64 arm64
+Pre-Depends:
+ libnss-tacplus [amd64],
+ libpam-tacplus [amd64],
+ libpam-radius-auth [amd64]
Depends:
- ${python3:Depends},
+ ${python3:Depends} (>= 3.10),
+ aardvark-dns,
accel-ppp,
+ auditd,
avahi-daemon,
beep,
bmon,
bsdmainutils,
+ charon-systemd,
conntrack,
conntrackd,
conserver-client,
conserver-server,
console-data,
- crda,
cron,
curl,
dbus,
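Review bot: `${python3:Depends} (>= 3.10)` appends a version relation to a substvar that dh_python3 already expands into its own `python3 (>= …)` relations, so the resulting Depends line very likely carries two version clauses on one package, which dpkg-gencontrol will either reject or silently mis-parse. Build-Depends in this commit already pins `python3 (>= 3.10)`; in Depends keep `${python3:Depends},` unchanged and, if a runtime floor is really wanted, add a separate `python3 (>= 3.10),` entry. The new `Pre-Depends` on libnss-tacplus, libpam-tacplus and libpam-radius-auth are restricted to amd64, so on arm64 the package no longer pulls in any PAM/NSS backend for the tacacs and radius accounts the postinst creates; if that is deliberate a comment saying so would save the next reader a trip to the ticket tracker.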
@@ -59,15 +60,19 @@ Depends:
frr-pythontools,
frr-rpki-rtrlib,
frr-snmp,
+ fuse-overlayfs,
libpam-google-authenticator,
grc,
+ haproxy,
hostapd,
+ hsflowd,
hvinfo,
igmpproxy,
ipaddrcheck,
iperf,
iperf3,
- iproute2,
+ iproute2 (>= 6.0.0),
+ iptables,
iputils-arping,
isc-dhcp-client,
isc-dhcp-relay,
@@ -77,17 +82,18 @@ Depends:
lcdproc,
lcdproc-extra-drivers,
libatomic1,
- libbpf0 [amd64],
+ libauparse0,
libcharon-extra-plugins (>=5.9),
libcharon-extauth-plugins (>=5.9),
libndp-tools,
libnetfilter-conntrack3,
libnfnetlink0,
- libpam-radius-auth (>= 1.5.0),
libqmi-utils,
libstrongswan-extra-plugins (>=5.9),
libstrongswan-standard-plugins (>=5.9),
+ libvppinfra [amd64],
libvyosconfig0,
+ linux-cpupower,
lldpd,
lm-sensors,
lsscsi,
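Review bot: The removed `libpam-radius-auth (>= 1.5.0)` comes back earlier in the file only as an unversioned `libpam-radius-auth [amd64]` under Pre-Depends, so the 1.5.0 floor is silently dropped and non-amd64 builds lose the dependency entirely. Unless the floor is known to be obsolete, carry it over as `libpam-radius-auth (>= 1.5.0) [amd64]`, and note in a comment why the module moved to Pre-Depends.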
@@ -96,12 +102,12 @@ Depends:
mtr-tiny,
ndisc6,
ndppd,
+ netavark,
netplug,
nfct,
nftables (>= 0.9.3),
nginx-light,
- ntp,
- ntpdate,
+ chrony,
nvme-cli,
ocserv,
opennhrp,
@@ -130,6 +136,7 @@ Depends:
python3-netaddr,
python3-netifaces,
python3-paramiko,
+ python3-passlib,
python3-psutil,
python3-pyhumps,
python3-pystache,
@@ -138,6 +145,7 @@ Depends:
python3-tabulate,
python3-vici (>= 5.7.2),
python3-voluptuous,
+ python3-vpp-api [amd64],
python3-xmltodict,
python3-zmq,
qrencode,
@@ -153,6 +161,7 @@ Depends:
squidguard,
sshguard,
ssl-cert,
+ sstp-client,
strongswan (>= 5.9),
strongswan-swanctl (>= 5.9),
stunnel4,
@@ -171,6 +180,9 @@ Depends:
uidmap,
usb-modeswitch,
usbutils,
+ vpp [amd64],
+ vpp-plugin-core [amd64],
+ vpp-plugin-dpdk [amd64],
vyatta-bash,
vyatta-cfg,
vyos-http-api-tools,
@@ -179,6 +191,7 @@ Depends:
wireguard-tools,
wireless-regdb,
wpasupplicant (>= 0.6.7),
+ zabbix-agent2,
ndppd,
miniupnpd-nftables
Description: VyOS configuration scripts and data
@@ -195,6 +208,7 @@ Description: VyOS configuration scripts and data for VMware
Package: vyos-1x-smoketest
Architecture: all
Depends:
+ skopeo,
snmp,
vyos-1x
Description: VyOS build sanity checking toolkit
diff --git a/debian/rules b/debian/rules
index 5a58aeeb6..9a6ab2996 100755
--- a/debian/rules
+++ b/debian/rules
@@ -8,6 +8,7 @@ VYOS_DATA_DIR := usr/share/vyos
VYOS_CFG_TMPL_DIR := opt/vyatta/share/vyatta-cfg/templates
VYOS_OP_TMPL_DIR := opt/vyatta/share/vyatta-op/templates
VYOS_MIBS_DIR := usr/share/snmp/mibs
+VYOS_LOCALUI_DIR := srv/localui
MIGRATION_SCRIPTS_DIR := opt/vyatta/etc/config-migrate/migrate
SYSTEM_SCRIPTS_DIR := usr/libexec/vyos/system
@@ -27,17 +28,10 @@ override_dh_gencontrol:
override_dh_auto_build:
make all
-ifeq ($(DEB_TARGET_ARCH),amd64)
- # Only build XDP on amd64 systems
- make vyxdp
-endif
override_dh_auto_install:
dh_auto_install
- # convert the XML to dictionaries
- env PYTHONPATH=python python3 python/vyos/xml/generate.py
-
cd python; python3 setup.py install --install-layout=deb --root ../$(DIR); cd ..
# Install scripts
@@ -54,6 +48,10 @@ override_dh_auto_install:
mkdir -p $(DIR)/$(VYOS_LIBEXEC_DIR)/op_mode
cp -r src/op_mode/* $(DIR)/$(VYOS_LIBEXEC_DIR)/op_mode
+ # Install op mode scripts
+ mkdir -p $(DIR)/$(VYOS_LIBEXEC_DIR)/init
+ cp -r src/init/* $(DIR)/$(VYOS_LIBEXEC_DIR)/init
+
# Install validators
mkdir -p $(DIR)/$(VYOS_LIBEXEC_DIR)/validators
cp -r src/validators/* $(DIR)/$(VYOS_LIBEXEC_DIR)/validators
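Review bot: The comment above the new init block is copy-pasted from the op-mode block and says `# Install op mode scripts` while the recipe copies `src/init/*` into `$(VYOS_LIBEXEC_DIR)/init`; change it to `# Install init scripts`. The enclosing `override_dh_auto_install` target starts and ends outside this hunk.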
@@ -89,6 +87,9 @@ override_dh_auto_install:
mkdir -p $(DIR)/$(VYOS_DATA_DIR)
cp -r data/* $(DIR)/$(VYOS_DATA_DIR)
+ # Create localui dir
+ mkdir -p $(DIR)/$(VYOS_LOCALUI_DIR)
+
# Install SNMP MIBs
mkdir -p $(DIR)/$(VYOS_MIBS_DIR)
cp -d mibs/* $(DIR)/$(VYOS_MIBS_DIR)
@@ -116,6 +117,10 @@ override_dh_auto_install:
mkdir -p $(DIR)/$(VYOS_LIBEXEC_DIR)/tests/config/
cp -r smoketest/configs/* $(DIR)/$(VYOS_LIBEXEC_DIR)/tests/config
+ # Install smoke test config tests
+ mkdir -p $(DIR)/$(VYOS_LIBEXEC_DIR)/tests/config-tests/
+ cp -r smoketest/config-tests/* $(DIR)/$(VYOS_LIBEXEC_DIR)/tests/config-tests
+
# Install system programs
mkdir -p $(DIR)/$(VYOS_BIN_DIR)
cp -r smoketest/bin/* $(DIR)/$(VYOS_BIN_DIR)
@@ -124,9 +129,6 @@ override_dh_auto_install:
mkdir -p $(DIR)/usr/lib/udev
cp src/helpers/vyos_net_name $(DIR)/usr/lib/udev
-ifeq ($(DEB_TARGET_ARCH),amd64)
- # We only install XDP on amd64 systems
- mkdir -p $(DIR)/$(VYOS_DATA_DIR)/xdp
- cp -r src/xdp/xdp_prog_kern.o $(DIR)/$(VYOS_DATA_DIR)/xdp
- find src/xdp -perm /a+x -exec cp {} $(DIR)/$(VYOS_SBIN_DIR) \;
-endif
+override_dh_installsystemd:
+ dh_installsystemd -pvyos-1x --name vyos-router vyos-router.service
+ dh_installsystemd -pvyos-1x --name vyos vyos.target
diff --git a/debian/vyos-1x-smoketest.install b/debian/vyos-1x-smoketest.install
index 406fef4be..739cb189b 100644
--- a/debian/vyos-1x-smoketest.install
+++ b/debian/vyos-1x-smoketest.install
@@ -3,3 +3,4 @@ usr/bin/vyos-configtest
usr/bin/vyos-configtest-pki
usr/libexec/vyos/tests/smoke
usr/libexec/vyos/tests/config
+usr/libexec/vyos/tests/config-tests
diff --git a/debian/vyos-1x-smoketest.postinst b/debian/vyos-1x-smoketest.postinst
new file mode 100755
index 000000000..18612804c
--- /dev/null
+++ b/debian/vyos-1x-smoketest.postinst
@@ -0,0 +1,10 @@
+#!/bin/sh -e
+
+BUSYBOX_TAG="docker.io/library/busybox:stable"
+OUTPUT_PATH="/usr/share/vyos/busybox-stable.tar"
+
+if [[ -f $OUTPUT_PATH ]]; then
+ rm -f $OUTPUT_PATH
+fi
+
+skopeo copy --additional-tag "$BUSYBOX_TAG" "docker://$BUSYBOX_TAG" "docker-archive:/$OUTPUT_PATH"
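Review bot: `[[ -f $OUTPUT_PATH ]]` is a bashism under `#!/bin/sh -e`; on a dash `/bin/sh` the `[[` command is not found, the `if` condition simply evaluates false (errexit does not apply to an `if` list) and a stale archive is never removed. The test is redundant anyway, since `rm -f "$OUTPUT_PATH"` on its own already handles the missing-file case portably. Separately, the postinst pulls `docker.io/library/busybox:stable` over the network at package-configure time with no digest pin, so the fixture is whatever that mutable tag resolves to on the day, and on an offline or proxied builder the whole package configuration fails; pin the reference by `@sha256:` digest and consider fetching at image-build time (or guarding the fetch) rather than in a maintainer script. `docker-archive:/$OUTPUT_PATH` also yields a double slash because `OUTPUT_PATH` is already absolute — harmless, but `docker-archive:$OUTPUT_PATH` is what was meant.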
diff --git a/debian/vyos-1x.install b/debian/vyos-1x.install
index edd090993..9e43669be 100644
--- a/debian/vyos-1x.install
+++ b/debian/vyos-1x.install
@@ -1,12 +1,15 @@
+etc/commit
etc/dhcp
etc/ipsec.d
etc/logrotate.d
etc/netplug
etc/opennhrp
+etc/modprobe.d
etc/ppp
-etc/rsyslog.d
+etc/rsyslog.conf
etc/securetty
etc/security
+etc/skel
etc/sudoers.d
etc/systemd
etc/sysctl.d
@@ -16,7 +19,9 @@ etc/update-motd.d
etc/vyos
lib/
opt/
+srv/localui
usr/sbin
+usr/bin/config-mgmt
usr/bin/initial-setup
usr/bin/vyos-config-file-query
usr/bin/vyos-config-to-commands
@@ -25,6 +30,7 @@ usr/bin/vyos-hostsd-client
usr/lib
usr/libexec/vyos/completion
usr/libexec/vyos/conf_mode
+usr/libexec/vyos/init
usr/libexec/vyos/op_mode
usr/libexec/vyos/services
usr/libexec/vyos/system
diff --git a/debian/vyos-1x.links b/debian/vyos-1x.links
new file mode 100644
index 000000000..0e2d1b841
--- /dev/null
+++ b/debian/vyos-1x.links
@@ -0,0 +1 @@
+/etc/netplug/linkup.d/vyos-python-helper /etc/netplug/linkdown.d/vyos-python-helper
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index d92fd8233..b43416152 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -1,4 +1,4 @@
-#!/bin/sh -e
+#!/bin/bash
# Turn off Debian default for %sudo
sed -i -e '/^%sudo/d' /etc/sudoers || true
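Review bot: Replacing `#!/bin/sh -e` with `#!/bin/bash` drops errexit for the entire postinst, so a failing adduser, chsh, systemctl enable or schema-generation step further down no longer aborts configuration and dpkg marks the package configured on top of a half-applied state; Debian Policy expects maintainer scripts to fail on error. Use `#!/bin/bash -e` (or add `set -e` right after the shebang) — the existing `|| true` on the sudoers sed already marks the one failure that is meant to be tolerated. If the switch to bash is only for `$(( ))` and the pipeline below, those are POSIX and `#!/bin/sh -e` could stay.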
@@ -24,15 +24,71 @@ fi
# Enable 2FA/MFA support for SSH and local logins
for file in /etc/pam.d/sshd /etc/pam.d/login
do
- PAM_CONFIG="auth required pam_google_authenticator.so nullok"
- grep -qF -- "${PAM_CONFIG}" $file || \
- sed -i "/^@include common-auth/a # Check 2FA/MFA authentication token if enabled (per user)\n${PAM_CONFIG}" $file
+ PAM_CONFIG="# Check 2FA/MFA authentication token if enabled (per user)\nauth required pam_google_authenticator.so nullok forward_pass\n"
+ grep -qF -- "pam_google_authenticator.so" $file || \
+ sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file
done
+# We do not make use of a TACACS UNIX group - drop it
+if grep -q '^tacacs' /etc/group; then
+ delgroup tacacs
+fi
+
+# Both RADIUS and TACACS users belong to aaa group - this must be added first
+if ! grep -q '^aaa' /etc/group; then
+ addgroup --firstgid 1000 --quiet aaa
+fi
+
+# Remove TACACS user added by base package - we use our own UID range and group
+# assignments - see below
+if grep -q '^tacacs' /etc/passwd; then
+ if [ $(id -u tacacs0) -ge 1000 ]; then
+ level=0
+ vyos_group=vyattaop
+ while [ $level -lt 16 ]; do
+ userdel tacacs${level} || true
+ rm -rf /home/tacacs${level} || true
+ level=$(( level+1 ))
+ done 2>&1
+ fi
+fi
+
+# Add TACACS system users required for TACACS based system authentication
+if ! grep -q '^tacacs' /etc/passwd; then
+ # Add the tacacs group and all 16 possible tacacs privilege-level users to
+ # the password file, home directories, etc. The accounts are not enabled
+ # for local login, since they are only used to provide uid/gid/homedir for
+ # the mapped TACACS+ logins (and lookups against them). The tacacs15 user
+ # is also added to the sudo group, and vyattacfg group rather than vyattaop
+ # (used for tacacs0-14).
+ level=0
+ vyos_group=vyattaop
+ while [ $level -lt 16 ]; do
+ adduser --quiet --system --firstuid 900 --disabled-login --ingroup users \
+ --no-create-home --gecos "TACACS+ mapped user at privilege level ${level}" \
+ --shell /bin/vbash tacacs${level}
+ adduser --quiet tacacs${level} frrvty
+ adduser --quiet tacacs${level} adm
+ adduser --quiet tacacs${level} dip
+ adduser --quiet tacacs${level} users
+ adduser --quiet tacacs${level} aaa
+ if [ $level -lt 15 ]; then
+ adduser --quiet tacacs${level} vyattaop
+ adduser --quiet tacacs${level} operator
+ else
+ adduser --quiet tacacs${level} vyattacfg
+ adduser --quiet tacacs${level} sudo
+ adduser --quiet tacacs${level} disk
+ adduser --quiet tacacs${level} frr
+ fi
+ level=$(( level+1 ))
+ done 2>&1 | grep -v 'User tacacs${level} already exists'
+fi
+
# Add RADIUS operator user for RADIUS authenticated users to map to
if ! grep -q '^radius_user' /etc/passwd; then
- adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattaop \
- --no-create-home --gecos "radius user" \
+ adduser --quiet --firstuid 1000 --disabled-login --ingroup users \
+ --no-create-home --gecos "RADIUS mapped user at privilege level operator" \
--shell /sbin/radius_shell radius_user
adduser --quiet radius_user frrvty
adduser --quiet radius_user vyattaop
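Review bot: The `grep -v 'User tacacs${level} already exists'` at the end of the creation loop is single-quoted, so `${level}` is never expanded, the pattern only matches the literal text `tacacs${level}`, and the filter is inert — while as the tail of a pipeline it still swallows every adduser error message and exit status; `done 2>&1 | grep -v 'User tacacs[0-9]* already exists'` matches what was meant, or drop the pipe entirely since the `! grep -q '^tacacs'` guard already ensures the users do not exist. The removal block above it evaluates `[ $(id -u tacacs0) -ge 1000 ]` whenever any `^tacacs` passwd entry exists; if the base package's account is named plain `tacacs` rather than `tacacs0`, `id -u` fails, the test degenerates to `[ -ge 1000 ]`, nothing is removed, and the following `if ! grep -q '^tacacs'` guard then skips creating tacacs0-15 altogether — test `id -u tacacs0 >/dev/null 2>&1` before comparing. `vyos_group=vyattaop` is assigned twice and never read. The PAM insert at the top of the hunk is anchored on the `# Standard Un\*x authentication.` comment and silently does nothing when that comment is absent from a pam.d file, so a post-check such as `grep -qF pam_google_authenticator.so "$file" || echo "WARNING: MFA not enabled in $file" >&2` is worth adding.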
@@ -40,12 +96,13 @@ if ! grep -q '^radius_user' /etc/passwd; then
adduser --quiet radius_user adm
adduser --quiet radius_user dip
adduser --quiet radius_user users
+ adduser --quiet radius_user aaa
fi
# Add RADIUS admin user for RADIUS authenticated users to map to
if ! grep -q '^radius_priv_user' /etc/passwd; then
- adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattacfg \
- --no-create-home --gecos "radius privileged user" \
+ adduser --quiet --firstuid 1000 --disabled-login --ingroup users \
+ --no-create-home --gecos "RADIUS mapped user at privilege level admin" \
--shell /sbin/radius_shell radius_priv_user
adduser --quiet radius_priv_user frrvty
adduser --quiet radius_priv_user vyattacfg
@@ -55,6 +112,7 @@ if ! grep -q '^radius_priv_user' /etc/passwd; then
adduser --quiet radius_priv_user disk
adduser --quiet radius_priv_user users
adduser --quiet radius_priv_user frr
+ adduser --quiet radius_priv_user aaa
fi
# add hostsd group for vyos-hostsd
@@ -68,9 +126,24 @@ if ! grep -q '^dhcpd' /etc/passwd; then
adduser --quiet dhcpd hostsd
fi
-# ensure hte proxy user has a proper shell
+# ensure the proxy user has a proper shell
chsh -s /bin/sh proxy
+# create /opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script
+PRECONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script
+if [ ! -x $PRECONFIG_SCRIPT ]; then
+ mkdir -p $(dirname $PRECONFIG_SCRIPT)
+ touch $PRECONFIG_SCRIPT
+ chmod 755 $PRECONFIG_SCRIPT
+ cat <<EOF >>$PRECONFIG_SCRIPT
+#!/bin/sh
+# This script is executed at boot time before VyOS configuration is applied.
+# Any modifications required to work around unfixed bugs or use
+# services not available through the VyOS CLI system can be placed here.
+
+EOF
+fi
+
# create /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
POSTCONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
if [ ! -x $POSTCONFIG_SCRIPT ]; then
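Review bot: The new preconfig block guards on `! -x` but writes with `cat <<EOF >>$PRECONFIG_SCRIPT`, so a pre-existing non-executable file (one an operator dropped in with mode 0644, say) is chmod'ed to 755 and gets a second shebang and header appended after its existing content. Guard on existence instead and write, not append, with a quoted delimiter so future edits to the header cannot expand at configure time: `if [ ! -e "$PRECONFIG_SCRIPT" ]; then` and `cat <<'EOF' >"$PRECONFIG_SCRIPT"`. Since this file is executed as root at every boot, a comment stating that it must stay root-owned and not group/world-writable would also be appropriate; the postconfig block below appears to share the same pattern but lies outside this hunk.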
@@ -103,7 +176,8 @@ DELETE="/etc/logrotate.d/conntrackd.distrib /etc/init.d/conntrackd /etc/default/
/etc/default/pmacctd /etc/pmacct
/etc/networks_list /etc/networks_whitelist /etc/fastnetmon.conf
/etc/ntp.conf /etc/default/ssh
- /etc/powerdns /etc/default/pdns-recursor"
+ /etc/powerdns /etc/default/pdns-recursor
+ /etc/ppp/ip-up.d/0000usepeerdns /etc/ppp/ip-down.d/0000usepeerdns"
for tmp in $DELETE; do
if [ -e ${tmp} ]; then
rm -rf ${tmp}
@@ -113,3 +187,31 @@ done
# Remove logrotate items controlled via CLI and VyOS defaults
sed -i '/^\/var\/log\/messages$/d' /etc/logrotate.d/rsyslog
sed -i '/^\/var\/log\/auth.log$/d' /etc/logrotate.d/rsyslog
+
+# Fix FRR pam.d "vtysh_pam" vtysh_pam: Failed in account validation T5110
+if test -f /etc/pam.d/frr; then
+ if grep -q 'pam_rootok.so' /etc/pam.d/frr; then
+ sed -i -re 's/rootok/permit/' /etc/pam.d/frr
+ fi
+fi
+
+# Enable Cloud-init pre-configuration service
+systemctl enable vyos-config-cloud-init.service
+
+# Generate API GraphQL schema
+/usr/libexec/vyos/services/api/graphql/generate/generate_schema.py
+
+# Update XML cache
+python3 /usr/lib/python3/dist-packages/vyos/xml_ref/update_cache.py
+
+# T1797: disable VPP support for rolling release, should be used by developers
+# only (in the initial phase). If you wan't to enable VPP use the below command
+# on your VyOS installation:
+#
+# sudo mv /opt/vyatta/share/vyatta-cfg/vpp /opt/vyatta/share/vyatta-cfg/templates/vpp
+if [ -d /opt/vyatta/share/vyatta-cfg/templates/vpp ]; then
+ if [ -d /opt/vyatta/share/vyatta-cfg/vpp ]; then
+ rm -rf /opt/vyatta/share/vyatta-cfg/vpp
+ fi
+ mv /opt/vyatta/share/vyatta-cfg/templates/vpp /opt/vyatta/share/vyatta-cfg/vpp
+fi
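Review bot: `sed -i -re 's/rootok/permit/' /etc/pam.d/frr` turns pam_rootok (succeeds only for uid 0) into pam_permit (succeeds for everyone) on every line containing that substring, so after this change the PAM stack consulted by vtysh grants the phase to any caller and access control rests solely on frrvty group membership and socket permissions — that consequence deserves a comment next to the sed, not just the ticket number. Anchor the substitution to the module name, `sed -i -re 's/pam_rootok\.so/pam_permit.so/' /etc/pam.d/frr`, and if the T5110 failure is only in account validation, restrict it to that phase with `/^account/s/pam_rootok\.so/pam_permit.so/`; I cannot see the shipped pam.d/frr here, so confirm which lines it actually contains. `systemctl enable vyos-config-cloud-init.service` and the two generator invocations run unguarded, which only matters once errexit is restored for this script.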
diff --git a/debian/vyos-1x.preinst b/debian/vyos-1x.preinst
index 213a23d9e..16c118cb7 100644
--- a/debian/vyos-1x.preinst
+++ b/debian/vyos-1x.preinst
@@ -1,5 +1,13 @@
-dpkg-divert --package vyos-1x --add --rename /etc/securetty
-dpkg-divert --package vyos-1x --add --rename /etc/security/capability.conf
-dpkg-divert --package vyos-1x --add --rename /lib/systemd/system/lcdproc.service
-dpkg-divert --package vyos-1x --add --rename /etc/logrotate.d/conntrackd
-dpkg-divert --package vyos-1x --add --rename /usr/share/pam-configs/radius
+dpkg-divert --package vyos-1x --add --no-rename /etc/securetty
+dpkg-divert --package vyos-1x --add --no-rename /etc/security/capability.conf
+dpkg-divert --package vyos-1x --add --no-rename /lib/systemd/system/lcdproc.service
+dpkg-divert --package vyos-1x --add --no-rename /etc/logrotate.d/conntrackd
+dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/radius
+dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/tacplus
+dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.conf
+dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.bashrc
+dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.profile
+dpkg-divert --package vyos-1x --add --no-rename /etc/sysctl.d/80-vpp.conf
+dpkg-divert --package vyos-1x --add --no-rename /etc/netplug/netplugd.conf
+dpkg-divert --package vyos-1x --add --no-rename /etc/netplug/netplug
+dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.d/45-frr.conf
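Review bot: The hunk starts at line 1 and its first line is already a `dpkg-divert` call, so unless a header exists that the diff does not show, this preinst has no `#!/bin/sh -e`; dpkg will fall back to running it through sh, but without `-e` a failed diversion (for example a conflicting diversion registered by another package) is ignored and the package unpacks over the undiverted file. Add `#!/bin/sh -e` as the first line. Note also that `--no-rename` leaves whatever copy is currently on disk in place until vyos-1x's own file overwrites it; for paths this package ships that is fine, but `/etc/rsyslog.d/45-frr.conf` is no longer covered by the install list (etc/rsyslog.d was dropped from vyos-1x.install in this commit), so if the intent is to keep frr's rsyslog snippet from being active, the existing file must still be removed in postinst or replaced — I could not confirm either from the visible hunks.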