Diffstat (limited to 'src/conf_mode')
-rwxr-xr-x | src/conf_mode/flow_accounting_conf.py | 4 | ||||
-rwxr-xr-x | src/conf_mode/https.py | 2 | ||||
-rwxr-xr-x | src/conf_mode/ntp.py | 23 | ||||
-rwxr-xr-x | src/conf_mode/protocols_failover.py | 2 | ||||
-rwxr-xr-x | src/conf_mode/protocols_ospfv3.py | 4 | ||||
-rwxr-xr-x | src/conf_mode/service_console-server.py | 2 | ||||
-rwxr-xr-x | src/conf_mode/service_monitoring_telegraf.py | 2 | ||||
-rwxr-xr-x | src/conf_mode/service_sla.py | 6 | ||||
-rwxr-xr-x | src/conf_mode/service_webproxy.py | 2 | ||||
-rwxr-xr-x | src/conf_mode/snmp.py | 2 | ||||
-rwxr-xr-x | src/conf_mode/ssh.py | 2 | ||||
-rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 9 |
12 files changed, 39 insertions, 21 deletions
diff --git a/src/conf_mode/flow_accounting_conf.py b/src/conf_mode/flow_accounting_conf.py
index 7e16235c1..f67f1710e 100755
--- a/src/conf_mode/flow_accounting_conf.py
+++ b/src/conf_mode/flow_accounting_conf.py
@@ -38,7 +38,7 @@ airbag.enable() uacctd_conf_path = '/run/pmacct/uacctd.conf' systemd_service = 'uacctd.service' -systemd_override = f'/etc/systemd/system/{systemd_service}.d/override.conf' +systemd_override = f'/run/systemd/system/{systemd_service}.d/override.conf' nftables_nflog_table = 'raw' nftables_nflog_chain = 'VYOS_CT_PREROUTING_HOOK' egress_nftables_nflog_table = 'inet mangle'
@@ -192,7 +192,7 @@ def verify(flow_config): raise ConfigError("All sFlow servers must use the same IP protocol") else: sflow_collector_ipver = ip_address(server).version - + # check if vrf is defined for Sflow sflow_vrf = None if 'vrf' in flow_config:
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index 7cd7ea42e..ce5e63928 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -37,7 +37,7 @@ from vyos import airbag airbag.enable() config_file = '/etc/nginx/sites-available/default' -systemd_override = r'/etc/systemd/system/nginx.service.d/override.conf' +systemd_override = r'/run/systemd/system/nginx.service.d/override.conf' cert_dir = '/etc/ssl/certs' key_dir = '/etc/ssl/private' certbot_dir = vyos.defaults.directories['certbot']
diff --git a/src/conf_mode/ntp.py b/src/conf_mode/ntp.py
index 0ecb4d736..92cb73aab 100755
--- a/src/conf_mode/ntp.py
+++ b/src/conf_mode/ntp.py
@@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2022 VyOS maintainers and contributors +# Copyright (C) 2018-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as
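Review bot: Moving the drop-in to `/run/systemd/system/uacctd.service.d/override.conf` changes which copy wins: systemd gives drop-ins under `/etc/systemd/system` precedence over those under `/run/systemd/system`, so a stale `override.conf` left at the old `/etc` path by an earlier version would silently override the one rendered here. Unless the upgrade path is guaranteed to start from a clean `/etc` (plausible for an image-based system, but worth confirming), the script should remove the old path once, e.g. `if os.path.exists(old_override): os.unlink(old_override)` with `old_override` set to the previous `/etc` location (`os` is not visible in this hunk, so check it is imported). Since `/run` is a tmpfs the override now exists only after this script has run at boot, so any start of the unit before config load runs without it. The same relocation appears in https.py, ntp.py, protocols_failover.py, service_console-server.py, service_monitoring_telegraf.py, service_sla.py, snmp.py and ssh.py and the point applies to each of them.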
@@ -21,26 +21,29 @@ from vyos.configdict import is_node_changed from vyos.configverify import verify_vrf from vyos.configverify import verify_interface_exists from vyos.util import call +from vyos.util import chmod_750 from vyos.util import get_interface_config from vyos.template import render from vyos import ConfigError from vyos import airbag airbag.enable() -config_file = r'/run/ntpd/ntpd.conf' -systemd_override = r'/etc/systemd/system/ntp.service.d/override.conf' +config_file = r'/run/chrony/chrony.conf' +systemd_override = r'/run/systemd/system/chrony.service.d/override.conf' +user_group = '_chrony' def get_config(config=None): if config: conf = config else: conf = Config() - base = ['system', 'ntp'] + base = ['service', 'ntp'] if not conf.exists(base): return None ntp = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) ntp['config_file'] = config_file + ntp['user'] = user_group tmp = is_node_changed(conf, base + ['vrf']) if tmp: ntp.update({'restart_required': {}})
@@ -52,7 +55,7 @@ def verify(ntp): if not ntp: return None - if 'allow_clients' in ntp and 'server' not in ntp: + if 'server' not in ntp: raise ConfigError('NTP server not configured') verify_vrf(ntp)
@@ -77,13 +80,17 @@ def generate(ntp): if not ntp: return None - render(config_file, 'ntp/ntpd.conf.j2', ntp) - render(systemd_override, 'ntp/override.conf.j2', ntp) + render(config_file, 'chrony/chrony.conf.j2', ntp, user=user_group, group=user_group) + render(systemd_override, 'chrony/override.conf.j2', ntp, user=user_group, group=user_group) + + # Ensure proper permission for chrony command socket + config_dir = os.path.dirname(config_file) + chmod_750(config_dir) return None def apply(ntp): - systemd_service = 'ntp.service' + systemd_service = 'chrony.service' # Reload systemd manager configuration call('systemctl daemon-reload')
diff --git a/src/conf_mode/protocols_failover.py b/src/conf_mode/protocols_failover.py
index 048ba7a89..85e984afe 100755
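Review bot: `chmod_750(config_dir)` in generate() fixes the mode of `/run/chrony` but not its owner, so if `render` creates that directory as root:root, the `_chrony` user the files are rendered for cannot create the command socket the new comment refers to; confirm that the directory is chowned to `_chrony` somewhere (the unit file or the template helper) or chown it here next to the chmod and extend the comment to say which side guarantees the ownership. `config_dir = os.path.dirname(config_file)` is the only use of `os` visible in these hunks and `import os` is not among the imports shown from line 21 onward, so make sure it is present above, otherwise generate() fails with a NameError on every commit. generate() ends inside the hunk, while apply()'s body continues past it.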
--- a/src/conf_mode/protocols_failover.py
+++ b/src/conf_mode/protocols_failover.py
@@ -31,7 +31,7 @@ airbag.enable() service_name = 'vyos-failover' service_conf = Path(f'/run/{service_name}.conf') -systemd_service = '/etc/systemd/system/vyos-failover.service' +systemd_service = '/run/systemd/system/vyos-failover.service' rt_proto_failover = '/etc/iproute2/rt_protos.d/failover.conf'
diff --git a/src/conf_mode/protocols_ospfv3.py b/src/conf_mode/protocols_ospfv3.py
index ee4eaf59d..ed0a8fba2 100755
--- a/src/conf_mode/protocols_ospfv3.py
+++ b/src/conf_mode/protocols_ospfv3.py
@@ -117,6 +117,10 @@ def verify(ospfv3): if 'area_type' in area_config: if len(area_config['area_type']) > 1: raise ConfigError(f'Can only configure one area-type for OSPFv3 area "{area}"!') + if 'range' in area_config: + for range, range_config in area_config['range'].items(): + if {'not_advertise', 'advertise'} <= range_config.keys(): + raise ConfigError(f'"not-advertise" and "advertise" for "range {range}" cannot be both configured at the same time!') if 'interface' in ospfv3: for interface, interface_config in ospfv3['interface'].items():
diff --git a/src/conf_mode/service_console-server.py b/src/conf_mode/service_console-server.py
index ee4fe42ab..60eff6543 100755
--- a/src/conf_mode/service_console-server.py
+++ b/src/conf_mode/service_console-server.py
@@ -27,7 +27,7 @@ from vyos.xml import defaults from vyos import ConfigError config_file = '/run/conserver/conserver.cf' -dropbear_systemd_file = '/etc/systemd/system/dropbear@{port}.service.d/override.conf' +dropbear_systemd_file = '/run/systemd/system/dropbear@{port}.service.d/override.conf' def get_config(config=None): if config:
diff --git a/src/conf_mode/service_monitoring_telegraf.py b/src/conf_mode/service_monitoring_telegraf.py
index aafece47a..363408679 100755
--- a/src/conf_mode/service_monitoring_telegraf.py
+++ b/src/conf_mode/service_monitoring_telegraf.py
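Review bot: The new loop in protocols_ospfv3.py's verify() binds the builtin name `range` (`for range, range_config in area_config['range'].items():`), which shadows `range()` for the rest of the function and is flagged by linters; rename the loop variable, e.g. `for prefix, range_config in area_config['range'].items():` and use `"range {prefix}"` in the ConfigError message. The check itself, `{'not_advertise', 'advertise'} <= range_config.keys()`, is fine since dict key views support subset comparison. verify() continues outside the hunk.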
@@ -38,7 +38,7 @@ cache_dir = f'/etc/telegraf/.cache' config_telegraf = f'/run/telegraf/telegraf.conf' custom_scripts_dir = '/etc/telegraf/custom_scripts' syslog_telegraf = '/etc/rsyslog.d/50-telegraf.conf' -systemd_override = '/etc/systemd/system/telegraf.service.d/10-override.conf' +systemd_override = '/run/systemd/system/telegraf.service.d/10-override.conf' def get_nft_filter_chains(): """ Get nft chains for table filter """
diff --git a/src/conf_mode/service_sla.py b/src/conf_mode/service_sla.py
index e7c3ca59c..b1e22f37b 100755
--- a/src/conf_mode/service_sla.py
+++ b/src/conf_mode/service_sla.py
@@ -27,15 +27,13 @@ from vyos import ConfigError from vyos import airbag airbag.enable() - owamp_config_dir = '/etc/owamp-server' owamp_config_file = f'{owamp_config_dir}/owamp-server.conf' -systemd_override_owamp = r'/etc/systemd/system/owamp-server.d/20-override.conf' +systemd_override_owamp = r'/run/systemd/system/owamp-server.d/20-override.conf' twamp_config_dir = '/etc/twamp-server' twamp_config_file = f'{twamp_config_dir}/twamp-server.conf' -systemd_override_twamp = r'/etc/systemd/system/twamp-server.d/20-override.conf' - +systemd_override_twamp = r'/run/systemd/system/twamp-server.d/20-override.conf' def get_config(config=None): if config:
diff --git a/src/conf_mode/service_webproxy.py b/src/conf_mode/service_webproxy.py
index 41a1deaa3..658e496a6 100755
--- a/src/conf_mode/service_webproxy.py
+++ b/src/conf_mode/service_webproxy.py
@@ -246,7 +246,7 @@ def apply(proxy): if os.path.exists(squidguard_db_dir): chmod_755(squidguard_db_dir) - call('systemctl restart squid.service') + call('systemctl reload-or-restart squid.service') return None
diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py
index 5cd24db32..914ec245c 100755
--- a/src/conf_mode/snmp.py
+++ b/src/conf_mode/snmp.py
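Review bot: `systemctl reload-or-restart squid.service` in service_webproxy.py only reloads when the unit defines an ExecReload, and as far as I recall squid's reconfigure does not apply every option (a changed `cache_dir` is the usual example that still needs a restart), so some commits may now leave the running daemon out of sync with the rendered config until the next restart. If that trade-off is intended, record it next to the call with a comment such as `# reconfigure is enough for ACL/peer changes; options that need a full restart must be handled explicitly`; otherwise fall back to `call('systemctl restart squid.service')` when such a node changed, e.g. with the `is_node_changed` pattern ntp.py uses in this diff. apply() starts outside the hunk, so it is not visible whether such a distinction already exists above.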
@@ -40,7 +40,7 @@ config_file_client = r'/etc/snmp/snmp.conf' config_file_daemon = r'/etc/snmp/snmpd.conf' config_file_access = r'/usr/share/snmp/snmpd.conf' config_file_user = r'/var/lib/snmp/snmpd.conf' -systemd_override = r'/etc/systemd/system/snmpd.service.d/override.conf' +systemd_override = r'/run/systemd/system/snmpd.service.d/override.conf' systemd_service = 'snmpd.service' def get_config(config=None):
diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py
index 8746cc701..8de0617af 100755
--- a/src/conf_mode/ssh.py
+++ b/src/conf_mode/ssh.py
@@ -32,7 +32,7 @@ from vyos import airbag airbag.enable() config_file = r'/run/sshd/sshd_config' -systemd_override = r'/etc/systemd/system/ssh.service.d/override.conf' +systemd_override = r'/run/systemd/system/ssh.service.d/override.conf' sshguard_config_file = '/etc/sshguard/sshguard.conf' sshguard_whitelist = '/etc/sshguard/whitelist'
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index b79e9847a..3af2af4d9 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -95,6 +95,7 @@ def get_config(config=None): del default_values['esp_group'] del default_values['ike_group'] del default_values['remote_access'] + del default_values['site_to_site'] ipsec = dict_merge(default_values, ipsec) if 'esp_group' in ipsec:
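Review bot: `del default_values['site_to_site']` in vpn_ipsec.py's get_config() raises KeyError if the defaults dict (presumably from `defaults(base)`, as the next hunk suggests) carries no `site_to_site` entry, which would abort the commit with a traceback rather than a ConfigError; the three preceding `del` lines have the same shape, so this is consistent with them, but `default_values.pop('site_to_site', None)` is the safer form for all four if the presence of these keys depends on which nodes carry a defaultValue in the XML. The key is presumably present today, since the following hunk blends the peer defaults back in manually. get_config() continues outside the hunk.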
@@ -143,6 +144,14 @@ def get_config(config=None): ipsec['remote_access']['radius']['server'][server] = dict_merge(default_values, ipsec['remote_access']['radius']['server'][server]) + # XXX: T2665: we can not safely rely on the defaults() when there are + # tagNodes in place, it is better to blend in the defaults manually. + if dict_search('site_to_site.peer', ipsec): + default_values = defaults(base + ['site-to-site', 'peer']) + for peer in ipsec['site_to_site']['peer']: + ipsec['site_to_site']['peer'][peer] = dict_merge(default_values, + ipsec['site_to_site']['peer'][peer]) + ipsec['dhcp_no_address'] = {} ipsec['install_routes'] = 'no' if conf.exists(base + ["options", "disable-route-autoinstall"]) else default_install_routes ipsec['interface_change'] = leaf_node_changed(conf, base + ['interface']) |