diff options
Diffstat (limited to 'src/init/vyos-router')
-rwxr-xr-x | src/init/vyos-router | 56 |
1 files changed, 46 insertions, 10 deletions
diff --git a/src/init/vyos-router b/src/init/vyos-router index 96f163213..ff95be994 100755 --- a/src/init/vyos-router +++ b/src/init/vyos-router @@ -105,6 +105,9 @@ load_bootfile () restore_if_missing_preconfig_script () { if [ ! -x ${vyatta_sysconfdir}/config/scripts/vyos-preconfig-bootup.script ]; then + mkdir -p ${vyatta_sysconfdir}/config/scripts + chgrp ${GROUP} ${vyatta_sysconfdir}/config/scripts + chmod 775 ${vyatta_sysconfdir}/config/scripts cp ${vyos_rootfs_dir}/opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script ${vyatta_sysconfdir}/config/scripts/ chgrp ${GROUP} ${vyatta_sysconfdir}/config/scripts/vyos-preconfig-bootup.script chmod 750 ${vyatta_sysconfdir}/config/scripts/vyos-preconfig-bootup.script @@ -123,6 +126,9 @@ run_preconfig_script () restore_if_missing_postconfig_script () { if [ ! -x ${vyatta_sysconfdir}/config/scripts/vyos-postconfig-bootup.script ]; then + mkdir -p ${vyatta_sysconfdir}/config/scripts + chgrp ${GROUP} ${vyatta_sysconfdir}/config/scripts + chmod 775 ${vyatta_sysconfdir}/config/scripts cp ${vyos_rootfs_dir}/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script ${vyatta_sysconfdir}/config/scripts/ chgrp ${GROUP} ${vyatta_sysconfdir}/config/scripts/vyos-postconfig-bootup.script chmod 750 ${vyatta_sysconfdir}/config/scripts/vyos-postconfig-bootup.script @@ -228,11 +234,34 @@ cleanup_post_commit_hooks () { # system defaults. security_reset () { + + # restore NSS cofniguration back to sane system defaults + # will be overwritten later when configuration is loaded + cat <<EOF >/etc/nsswitch.conf +passwd: files +group: files +shadow: files +gshadow: files + +# Per T2678, commenting out myhostname +hosts: files dns #myhostname +networks: files + +protocols: db files +services: db files +ethers: db files +rpc: db files + +netgroup: nis +EOF + # restore PAM back to virgin state (no radius/tacacs services) - pam-auth-update --package --remove radius + pam-auth-update --disable radius-mandatory radius-optional rm -f /etc/pam_radius_auth.conf - pam-auth-update --package --remove tacplus + pam-auth-update --disable tacplus-mandatory tacplus-optional rm -f /etc/tacplus_nss.conf /etc/tacplus_servers + # and no Google authenticator for 2FA/MFA + pam-auth-update --disable mfa-google-authenticator # Certain configuration files are re-generated by the configuration # subsystem and must reside under /etc and can not easily be moved to /run. @@ -337,17 +366,14 @@ start () nfct helper add tns inet tcp nft -f /usr/share/vyos/vyos-firewall-init.conf || log_failure_msg "could not initiate firewall rules" - rm -f /etc/hostname - ${vyos_conf_scripts_dir}/host_name.py || log_failure_msg "could not reset host-name" - systemctl start frr.service - # As VyOS does not execute commands that are not present in the CLI we call # the script by hand to have a single source for the login banner and MOTD ${vyos_conf_scripts_dir}/system_console.py || log_failure_msg "could not reset serial console" - ${vyos_conf_scripts_dir}/system-login.py || log_failure_msg "could not reset system login" - ${vyos_conf_scripts_dir}/system-login-banner.py || log_failure_msg "could not reset motd and issue files" - ${vyos_conf_scripts_dir}/system-option.py || log_failure_msg "could not reset system option files" - ${vyos_conf_scripts_dir}/conntrack.py || log_failure_msg "could not reset conntrack subsystem" + ${vyos_conf_scripts_dir}/system_login_banner.py || log_failure_msg "could not reset motd and issue files" + ${vyos_conf_scripts_dir}/system_option.py || log_failure_msg "could not reset system option files" + ${vyos_conf_scripts_dir}/system_ip.py || log_failure_msg "could not reset system IPv4 options" + ${vyos_conf_scripts_dir}/system_ipv6.py || log_failure_msg "could not reset system IPv6 options" + ${vyos_conf_scripts_dir}/system_conntrack.py || log_failure_msg "could not reset conntrack subsystem" ${vyos_conf_scripts_dir}/container.py || log_failure_msg "could not reset container subsystem" clear_or_override_config_files || log_failure_msg "could not reset config files" @@ -373,6 +399,16 @@ start () && chgrp ${GROUP} ${vyatta_configdir} log_action_end_msg $? + # T5239: early read of system hostname as this value is read-only once during + # FRR initialisation + tmp=$(${vyos_libexec_dir}/read-saved-value.py --path "system host-name") + hostnamectl set-hostname --static "$tmp" + + ${vyos_conf_scripts_dir}/system_frr.py || log_failure_msg "could not reset FRR config" + # If for any reason FRR was not started by system_frr.py - start it anyways. + # This is a safety net! + systemctl start frr.service + disabled bootfile || init_bootfile cleanup_post_commit_hooks |