Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/interfaces-openvpn.py | 6 | ||||
-rwxr-xr-x | src/helpers/read-saved-value.py | 30 | ||||
-rwxr-xr-x | src/init/vyos-router | 7 |
3 files changed, 41 insertions, 2 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 1d0feb56f..85905fd9a 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -30,6 +30,7 @@
 from netifaces import interfaces
 from secrets import SystemRandom
 from shutil import rmtree
+from vyos.base import DeprecationWarning
 from vyos.config import Config
 from vyos.configdict import get_interface_dict
 from vyos.configdict import is_node_changed
@@ -165,6 +166,11 @@ def verify_pki(openvpn):
 if shared_secret_key not in pki['openvpn']['shared_secret']:
 raise ConfigError(f'Invalid shared-secret on openvpn interface {interface}')
+ # If PSK settings are correct, warn about its deprecation
+ DeprecationWarning("OpenVPN shared-secret support will be removed in future VyOS versions.\n\
+ Please migrate your site-to-site tunnels to TLS.\n\
+ You can use self-signed certificates with peer fingerprint verification, consult the documentation for details.")
+
 if tls:
 if (mode in ['server', 'client']) and ('ca_certificate' not in tls):
 raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface},\
diff --git a/src/helpers/read-saved-value.py b/src/helpers/read-saved-value.py
new file mode 100755
index 000000000..1463e9ffe
--- /dev/null
+++ b/src/helpers/read-saved-value.py
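Review bot: The message passed to DeprecationWarning in the second hunk is one string literal stitched together with backslash line continuations, so the source indentation in front of `Please migrate` and `You can use` becomes part of the emitted text and every line after the first `\n` starts with stray spaces. Adjacent literals carry the same message cleanly: `DeprecationWarning('OpenVPN shared-secret support will be removed in future VyOS versions.\n'`, `'Please migrate your site-to-site tunnels to TLS.\n'`, `'You can use self-signed certificates with peer fingerprint verification, consult the documentation for details.')`. The import added in the first hunk also rebinds the name `DeprecationWarning` over Python's builtin exception class for the whole module, so any later `except DeprecationWarning` or `warnings.warn(..., DeprecationWarning)` in this file would refer to the vyos.base helper instead; `from vyos.base import DeprecationWarning as VyOSDeprecationWarning` avoids that. Indentation is lost in this rendering, so I cannot tell whether the call sits inside the shared-secret branch or at function level; if the latter, interfaces configured for TLS only would receive the warning too. verify_pki starts before this hunk.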
@@ -0,0 +1,30 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+from argparse import ArgumentParser
+from vyos.utils.config import read_saved_value
+
+if __name__ == '__main__':
+ parser = ArgumentParser()
+ parser.add_argument('--path', nargs='*')
+ args = parser.parse_args()
+
+ out = read_saved_value(args.path) if args.path else ''
+ if isinstance(out, list):
+ out = ' '.join(out)
+ print(out)
diff --git a/src/init/vyos-router b/src/init/vyos-router
index cc69fae5a..b8833a8a0 100755
--- a/src/init/vyos-router
+++ b/src/init/vyos-router
@@ -371,8 +371,11 @@ start ()
 && chgrp ${GROUP} ${vyatta_configdir}
 log_action_end_msg $?
- rm -f /etc/hostname
- ${vyos_conf_scripts_dir}/host_name.py || log_failure_msg "could not reset host-name"
+ # T5239: early read of system hostname as this value is read-only once during
+ # FRR initialisation
+ tmp=$(${vyos_libexec_dir}/read-saved-value.py --path "system host-name")
+ hostnamectl set-hostname --static "$tmp"
+
 ${vyos_conf_scripts_dir}/system_frr.py || log_failure_msg "could not reset FRR config"
 # If for any reason FRR was not started by system_frr.py - start it anyways.
 # This is a safety net!
|
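Review bot: The helper prints whatever read_saved_value returns without handling the two failure cases its only caller depends on: if the node is unset and read_saved_value returns None, `print(out)` emits the literal text `None`, and if it raises (for instance because the saved config is not readable this early in boot) the traceback goes to stderr while stdout stays empty, so the init script cannot distinguish an error from an empty value. I would normalise the first with `if out is None: out = ''` after the read and wrap the call so a failure exits non-zero with a one-line message rather than a traceback. Whether read_saved_value expects a list of path components or a single space-separated string is not visible here; vyos-router passes one quoted argument `"system host-name"`, so args.path is a one-element list containing a space, which should be checked against the function's signature. A module docstring and a `help=` string on `--path` stating how the config path is expected to be split would make that contract explicit.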
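Review bot: `tmp` is used unchecked on the new hostnamectl line: when the helper fails or prints nothing, the script runs `hostnamectl set-hostname --static ""`, which presumably clears the static hostname or fails, and neither the read nor the set is logged, unlike the neighbouring system_frr.py line and the removed host_name.py line that end in `|| log_failure_msg`. I would write `tmp=$(${vyos_libexec_dir}/read-saved-value.py --path "system host-name") || log_failure_msg "could not read host-name"` and `if [ -n "$tmp" ]; then hostnamectl set-hostname --static "$tmp" || log_failure_msg "could not set host-name"; fi`. The helper is added under src/helpers but invoked from ${vyos_libexec_dir}; I assume the build installs it there, but the commit does not show it, and a short comment naming where host_name.py now runs (if it still does) would help the next reader understand why the `rm -f /etc/hostname` step was dropped. The start() function continues outside this hunk.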