Diffstat (limited to 'src/init/vyos-router')
-rwxr-xr-xsrc/init/vyos-router56
1 files changed, 46 insertions, 10 deletions
diff --git a/src/init/vyos-router b/src/init/vyos-router
index 96f163213..ff95be994 100755
--- a/src/init/vyos-router
+++ b/src/init/vyos-router
@@ -105,6 +105,9 @@ load_bootfile ()
restore_if_missing_preconfig_script ()
{
if [ ! -x ${vyatta_sysconfdir}/config/scripts/vyos-preconfig-bootup.script ]; then
+ mkdir -p ${vyatta_sysconfdir}/config/scripts
+ chgrp ${GROUP} ${vyatta_sysconfdir}/config/scripts
+ chmod 775 ${vyatta_sysconfdir}/config/scripts
cp ${vyos_rootfs_dir}/opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script ${vyatta_sysconfdir}/config/scripts/
chgrp ${GROUP} ${vyatta_sysconfdir}/config/scripts/vyos-preconfig-bootup.script
chmod 750 ${vyatta_sysconfdir}/config/scripts/vyos-preconfig-bootup.script
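Review bot: The added `chmod 775` makes `${vyatta_sysconfdir}/config/scripts` group-writable for `${GROUP}`, while the file copied into it on the next line is only 750 and is presumably executed during boot (run_preconfig_script is outside this hunk); the directory mode therefore lets any member of that group add or replace a boot-time script, which is a wider grant than the file mode suggests and deserves a comment stating that this is intended, e.g. `# ${GROUP} may manage boot scripts; directory is deliberately group-writable`. The `cp` on the following line has no failure handling, so a failed copy is silent and the `! -x` test simply re-runs the block on every boot; consider `cp ... || log_failure_msg "could not restore preconfig script"`. The same two points apply to restore_if_missing_postconfig_script in the next hunk. Both functions' closing `fi` and `}` lie outside the hunks.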
@@ -123,6 +126,9 @@ run_preconfig_script ()
restore_if_missing_postconfig_script ()
{
if [ ! -x ${vyatta_sysconfdir}/config/scripts/vyos-postconfig-bootup.script ]; then
+ mkdir -p ${vyatta_sysconfdir}/config/scripts
+ chgrp ${GROUP} ${vyatta_sysconfdir}/config/scripts
+ chmod 775 ${vyatta_sysconfdir}/config/scripts
cp ${vyos_rootfs_dir}/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script ${vyatta_sysconfdir}/config/scripts/
chgrp ${GROUP} ${vyatta_sysconfdir}/config/scripts/vyos-postconfig-bootup.script
chmod 750 ${vyatta_sysconfdir}/config/scripts/vyos-postconfig-bootup.script
@@ -228,11 +234,34 @@ cleanup_post_commit_hooks () {
# system defaults.
security_reset ()
{
+
+ # restore NSS cofniguration back to sane system defaults
+ # will be overwritten later when configuration is loaded
+ cat <<EOF >/etc/nsswitch.conf
+passwd: files
+group: files
+shadow: files
+gshadow: files
+
+# Per T2678, commenting out myhostname
+hosts: files dns #myhostname
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
+EOF
+
# restore PAM back to virgin state (no radius/tacacs services)
- pam-auth-update --package --remove radius
+ pam-auth-update --disable radius-mandatory radius-optional
rm -f /etc/pam_radius_auth.conf
- pam-auth-update --package --remove tacplus
+ pam-auth-update --disable tacplus-mandatory tacplus-optional
rm -f /etc/tacplus_nss.conf /etc/tacplus_servers
+ # and no Google authenticator for 2FA/MFA
+ pam-auth-update --disable mfa-google-authenticator
# Certain configuration files are re-generated by the configuration
# subsystem and must reside under /etc and can not easily be moved to /run.
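Review bot: `cat <<EOF >/etc/nsswitch.conf` truncates the live file before the heredoc body is written, so an interruption at that point leaves passwd/group/hosts lookups with an empty or partial nsswitch.conf; write to a sibling file and rename it into place, e.g. `cat <<'EOF' >/etc/nsswitch.conf.tmp` … `mv -f /etc/nsswitch.conf.tmp /etc/nsswitch.conf`. Quoting the delimiter (`<<'EOF'`) also keeps the shell from expanding anything inside the heredoc if a `$` is ever added to it. The three `pam-auth-update --disable` calls do not check their exit status, unlike the `|| log_failure_msg` pattern used in start() later in this diff, so a failed PAM reset would go unnoticed. The comment on the first added line has a typo: "cofniguration" should read "configuration".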
@@ -337,17 +366,14 @@ start ()
nfct helper add tns inet tcp
nft -f /usr/share/vyos/vyos-firewall-init.conf || log_failure_msg "could not initiate firewall rules"
- rm -f /etc/hostname
- ${vyos_conf_scripts_dir}/host_name.py || log_failure_msg "could not reset host-name"
- systemctl start frr.service
-
# As VyOS does not execute commands that are not present in the CLI we call
# the script by hand to have a single source for the login banner and MOTD
${vyos_conf_scripts_dir}/system_console.py || log_failure_msg "could not reset serial console"
- ${vyos_conf_scripts_dir}/system-login.py || log_failure_msg "could not reset system login"
- ${vyos_conf_scripts_dir}/system-login-banner.py || log_failure_msg "could not reset motd and issue files"
- ${vyos_conf_scripts_dir}/system-option.py || log_failure_msg "could not reset system option files"
- ${vyos_conf_scripts_dir}/conntrack.py || log_failure_msg "could not reset conntrack subsystem"
+ ${vyos_conf_scripts_dir}/system_login_banner.py || log_failure_msg "could not reset motd and issue files"
+ ${vyos_conf_scripts_dir}/system_option.py || log_failure_msg "could not reset system option files"
+ ${vyos_conf_scripts_dir}/system_ip.py || log_failure_msg "could not reset system IPv4 options"
+ ${vyos_conf_scripts_dir}/system_ipv6.py || log_failure_msg "could not reset system IPv6 options"
+ ${vyos_conf_scripts_dir}/system_conntrack.py || log_failure_msg "could not reset conntrack subsystem"
${vyos_conf_scripts_dir}/container.py || log_failure_msg "could not reset container subsystem"
clear_or_override_config_files || log_failure_msg "could not reset config files"
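Review bot: The removed `${vyos_conf_scripts_dir}/system-login.py` reset call has no counterpart on the new side, whereas every other removed script reappears under its underscore-separated name (system_login_banner.py, system_option.py, system_conntrack.py); if a `system_login.py` exists it should be invoked here, e.g. `${vyos_conf_scripts_dir}/system_login.py || log_failure_msg "could not reset system login"`, and if the login reset is intentionally dropped from start(), a one-line comment saying where it now happens would prevent it being read as an omission. The hostname reset and `systemctl start frr.service` removed here are re-added in the following hunk. start() begins and ends outside this hunk.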
@@ -373,6 +399,16 @@ start ()
&& chgrp ${GROUP} ${vyatta_configdir}
log_action_end_msg $?
+ # T5239: early read of system hostname as this value is read-only once during
+ # FRR initialisation
+ tmp=$(${vyos_libexec_dir}/read-saved-value.py --path "system host-name")
+ hostnamectl set-hostname --static "$tmp"
+
+ ${vyos_conf_scripts_dir}/system_frr.py || log_failure_msg "could not reset FRR config"
+ # If for any reason FRR was not started by system_frr.py - start it anyways.
+ # This is a safety net!
+ systemctl start frr.service
+
disabled bootfile || init_bootfile
cleanup_post_commit_hooks
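Review bot: `hostnamectl set-hostname --static "$tmp"` runs even when `read-saved-value.py` fails or prints nothing, in which case an empty string is handed to hostnamectl and neither failure is reported, unlike the surrounding `|| log_failure_msg` calls; the value should be checked before use and both steps logged on failure, as below. The T5239 comment explains why the read is early but not what should happen when the saved configuration has no host-name, which is the case this guard documents. `tmp` is also a very generic name for a variable in an init script that runs many commands; `saved_hostname` would be clearer. start() ends outside this hunk.
```shell
saved_hostname=$(${vyos_libexec_dir}/read-saved-value.py --path "system host-name")
if [ -n "$saved_hostname" ]; then
    hostnamectl set-hostname --static "$saved_hostname" || log_failure_msg "could not set static host-name"
else
    log_failure_msg "could not read saved host-name, static host-name left unchanged"
fi
# … unchanged: system_frr.py call and frr.service safety net …
```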