4 files changed, 47 insertions, 6 deletions
diff --git a/src/conf_mode/containers.py b/src/conf_mode/containers.py
index 26c50cab6..516671844 100755
--- a/src/conf_mode/containers.py
+++ b/src/conf_mode/containers.py
@@ -122,6 +122,18 @@ def verify(container):
                         raise ConfigError(f'IP address "{address}" can not be used for a container, '\
                                           'reserved for the container engine!')
 
+            if 'device' in container_config:
+                for dev, dev_config in container_config['device'].items():
+                    if 'source' not in dev_config:
+                        raise ConfigError(f'Device "{dev}" has no source path configured!')
+
+                    if 'destination' not in dev_config:
+                        raise ConfigError(f'Device "{dev}" has no destination path configured!')
+
+                    source = dev_config['source']
+                    if not os.path.exists(source):
+                        raise ConfigError(f'Device "{dev}" source path "{source}" does not exist!')
+
             if 'environment' in container_config:
                 for var, cfg in container_config['environment'].items():
                     if 'value' not in cfg:
@@ -266,6 +278,14 @@ def apply(container):
                     c = c.replace('-', '_')
                     cap_add += f' --cap-add={c}'
 
+            # Add a host device to the container /dev/x:/dev/x
+            device = ''
+            if 'device' in container_config:
+                for dev, dev_config in container_config['device'].items():
+                    source_dev = dev_config['source']
+                    dest_dev = dev_config['destination']
+                    device += f' --device={source_dev}:{dest_dev}'
+
             # Check/set environment options "-e foo=bar"
             env_opt = ''
             if 'environment' in container_config:
@@ -296,7 +316,7 @@ def apply(container):
 
             container_base_cmd = f'podman run --detach --interactive --tty --replace {cap_add} ' \
                                  f'--memory {memory}m --memory-swap 0 --restart {restart} ' \
-                                 f'--name {name} {port} {volume} {env_opt}'
+                                 f'--name {name} {device} {port} {volume} {env_opt}'
             if 'allow_host_networks' in container_config:
                 run(f'{container_base_cmd} --net host {image}')
             else:
diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py
index ab8d58f81..2a8a126f2 100755
--- a/src/conf_mode/interfaces-ethernet.py
+++ b/src/conf_mode/interfaces-ethernet.py
@@ -32,7 +32,9 @@ from vyos.configverify import verify_vlan_config
 from vyos.configverify import verify_vrf
 from vyos.ethtool import Ethtool
 from vyos.ifconfig import EthernetIf
-from vyos.pki import wrap_certificate
+from vyos.pki import find_chain
+from vyos.pki import encode_certificate
+from vyos.pki import load_certificate
 from vyos.pki import wrap_private_key
 from vyos.template import render
 from vyos.util import call
@@ -159,7 +161,14 @@ def generate(ethernet):
         cert_name = ethernet['eapol']['certificate']
         pki_cert = ethernet['pki']['certificate'][cert_name]
 
-        write_file(cert_file_path, wrap_certificate(pki_cert['certificate']))
+        loaded_pki_cert = load_certificate(pki_cert['certificate'])
+        loaded_ca_certs = {load_certificate(c['certificate'])
+            for c in ethernet['pki']['ca'].values()}
+
+        cert_full_chain = find_chain(loaded_pki_cert, loaded_ca_certs)
+
+        write_file(cert_file_path,
+                   '\n'.join(encode_certificate(c) for c in cert_full_chain))
         write_file(cert_key_path, wrap_private_key(pki_cert['private']['key']))
 
         if 'ca_certificate' in ethernet['eapol']:
@@ -167,8 +176,11 @@ def generate(ethernet):
             ca_cert_name = ethernet['eapol']['ca_certificate']
             pki_ca_cert = ethernet['pki']['ca'][ca_cert_name]
 
+            loaded_ca_cert = load_certificate(pki_ca_cert['certificate'])
+            ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
+
             write_file(ca_cert_file_path,
-                       wrap_certificate(pki_ca_cert['certificate']))
+                       '\n'.join(encode_certificate(c) for c in ca_full_chain))
     else:
         # delete configuration on interface removal
         if os.path.isfile(wpa_suppl_conf.format(**ethernet)):
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 242fae9fb..29a25eedc 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -47,6 +47,7 @@ from vyos.template import is_ipv4
 from vyos.template import is_ipv6
 from vyos.util import call
 from vyos.util import chown
+from vyos.util import cmd
 from vyos.util import dict_search
 from vyos.util import dict_search_args
 from vyos.util import makedir
@@ -424,8 +425,8 @@ def verify(openvpn):
     # verify specified IP address is present on any interface on this system
     if 'local_host' in openvpn:
         if not is_addr_assigned(openvpn['local_host']):
-            raise ConfigError('local-host IP address "{local_host}" not assigned' \
-                              ' to any interface'.format(**openvpn))
+            print('local-host IP address "{local_host}" not assigned' \
+                  ' to any interface'.format(**openvpn))
 
     # TCP active
     if openvpn['protocol'] == 'tcp-active':
diff --git a/src/etc/sysctl.d/33-vyos-nonlocal-bind.conf b/src/etc/sysctl.d/33-vyos-nonlocal-bind.conf
new file mode 100644
index 000000000..aa81b5336
--- /dev/null
+++ b/src/etc/sysctl.d/33-vyos-nonlocal-bind.conf
@@ -0,0 +1,8 @@
+### Added by vyos-1x ###
+#
+# ip_nonlocal_bind - BOOLEAN
+#     If set, allows processes to bind() to non-local IP addresses,
+#     which can be quite useful - but may break some applications.
+#     Default: 0
+net.ipv4.ip_nonlocal_bind = 1
+net.ipv6.ip_nonlocal_bind = 1