summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2024-01-10pki: T5911: fix service update algorithm if certificate name contains a ↵Christian Breunig
hyphen (-) When testing for changed PKI certificates using node_changed(), we should not use key_mangling=('-', '_'), as this will make certificate updates with a hypen not possible. (cherry picked from commit fc6926fdf32a7bdf9f943c7818ee6ea4a8131fba)
2024-01-10https: T5902: remove virtual-host configurationChristian Breunig
We have not seen the adoption of the https virtual-host CLI option. What it did? * Create multiple webservers each listening on a different IP/port (but in the same VRF) * All webservers shared one common document root * All webservers shared the same SSL certificates * All webservers could have had individual allow-client configurations * API could be enabled for a particular virtual-host but was always enabled on the default host This configuration tried to provide a full webserver via the CLI but VyOS is a router and the Webserver is there for an API or to serve files for a local-ui. Changes Remove support for virtual-hosts as it's an incomplete and thus mostly useless "thing". Migrate all allow-client statements to one top-level allow statement. (cherry picked from commit d0d3071e99eb65edb888c26ef2fdc9e038438887)
2024-01-08Merge pull request #2774 from vyos/mergify/bp/sagitta/pr-2758Christian Breunig
pki: T5886: add support for ACME protocol (LetsEncrypt) (backport #2758)
2024-01-08smoketest: T5905: always delete pki in ipsec test startupChristian Breunig
(cherry picked from commit 2095eb75a2326b8f493944aef07f65b150cfbc60)
2024-01-08ipsec: T5905: use interface_exists() wrapper over raw calls to os.path.exists()Christian Breunig
(cherry picked from commit 410458c00e6202dd9a5c52b3c5ac00a90db5bc53)
2024-01-08pki: T5905: do not use expand_nodes=Diff.ADD|Diff.DELETE) in node_changed()Christian Breunig
This fixes a priority inversion when doing initial certificate commits. * pki subsystem is executed with priority 300 * vti uses priority 381 * ipsec uses priority 901 On commit pki.py will be executed first, detecting a change in dependencies for vpn_ipsec.py which will be executed second. The VTI interface was yet not created leading to ConfigError('VTI interface XX for site-to-site peer YY does not exist!') The issue is caused by this new line of code in commit b8db1a9d7ba ("pki: T5886: add support for ACME protocol (LetsEncrypt)") file src/conf_mode/pki.py line 139 which triggers the dependency update even if a key is newly added. This commit changes the "detection" based on the cerbot configuration on disk. (cherry picked from commit 9162631f12ade65392ea2fa53642ea4af39627c7)
2024-01-08https: T5886: migrate https certbot to new "pki certificate" CLI treeChristian Breunig
(cherry picked from commit 9ab6665c80c30bf446d94620fc9d85b052d48072)
2024-01-08pki: T5886: add op-mode commands for log and renewalChristian Breunig
* show log certbot * monitor log certbot * renew certbot (cherry picked from commit 9d02d32319f9328df618910a038ef580588e13c8)
2024-01-08pki: T5886: add support for ACME protocol (LetsEncrypt)Christian Breunig
The "idea" of this PR is to add new CLI nodes under the pki subsystem to activate ACME for any given certificate. vyos@vyos# set pki certificate NAME acme Possible completions: + domain-name Domain Name email Email address to associate with certificate listen-address Local IPv4 addresses to listen on rsa-key-size Size of the RSA key (default: 2048) url Remote URL (default: https://acme-v02.api.letsencrypt.org/directory) Users choose if the CLI based custom certificates are used set pki certificate EXAMPLE acme certificate <base64> or if it should be generated via ACME. The ACME server URL defaults to LetsEncrypt but can be changed to their staging API for testing to not get blacklisted. set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory Certificate retrieval has a certbot --dry-run stage in verify() to see if it can be generated. After successful generation, the certificate is stored in under /config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set interfaces ethernet eth0 eapol certificate EXAMPLE) we call vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the base64 encoded certificate into the JSON data structure normally used when using a certificate set by the CLI. Using this "design" does not need any change to any other code referencing the PKI system, as the base64 encoded certificate is already there. certbot renewal will call the PKI python script to trigger dependency updates. (cherry picked from commit b8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a) # Conflicts: # debian/control
2024-01-08Merge pull request #2772 from vyos/mergify/bp/sagitta/pr-2760Christian Breunig
image: T5898: fix kernel-level partition rescan (backport #2760)
2024-01-08image: T5898: fix kernel-level partition rescanMatt Clauson
This fix moves from partprobe to partx to rescan the partition table on an affected disk. (cherry picked from commit f883455d9a3081780c43426ab26de9d26f24c9aa)
2024-01-08Merge pull request #2771 from nicolas-fort/T5896Christian Breunig
T5896: firewall: backport interface validator for firewall rules.
2024-01-08T5896: firewall: backport interface validator for firewall rules.Nicolas Fort
2024-01-07Merge pull request #2770 from vyos/mergify/bp/sagitta/pr-2769Viacheslav Hletenko
smoketest: T5195: fix BasicInterfaceTest tearDown() timeout penalty (backport #2769)
2024-01-07smoketest: T5195: fix BasicInterfaceTest tearDown() timeout penaltyChristian Breunig
Commit ad9bdfc24 ("T5195: add timeout argument to process_named_running()") added a 2*10 seconds penalty for every interface test (dhcp and dhcpv6). This leads to long runs of "make test" after an ISO build. There is no need to wait 10 seconds for a test that checks for a process not running. The timeout is there to give the process some time to startup. (cherry picked from commit 041db49533d57cabfccd319492b85ee0bafdd40c)
2024-01-07Merge pull request #2767 from vyos/mergify/bp/sagitta/pr-2764Christian Breunig
T5195: add timeout argument to process_named_running() (backport #2764)
2024-01-07Merge pull request #2766 from vyos/mergify/bp/sagitta/pr-2765Viacheslav Hletenko
op-mode: T5904: add "show ipv6 route vrf <name> <prefix>" command (backport #2765)
2024-01-07T5195: add timeout argument to process_named_running()Christian Breunig
Smoketests heavily rely on process_named_running() so in order to "relax" system constraints during a test we will add a timeout of 10 seconds for every testcase provided by base_interfaces_test.py (cherry picked from commit ad9bdfc248cf47b3361bd0e5d7371d56131160a0)
2024-01-07op-mode: T5904: add "show ipv6 route vrf <name> <prefix>" commandChristian Breunig
We've always had a command to display discrete IPv6 routes/prefixes within the global VRF. This commit also adds support for a discrete VRF. vyos@vyos:~$ show ipv6 route vrf <name> Possible completions: <Enter> Execute the current command <h:h:h:h:h:h:h:h> Show IPv6 routes of given address or prefix <h:h:h:h:h:h:h:h/x> (cherry picked from commit 119d94bdb05d0c88bfc452d903e64000b278c43e)
2024-01-06Merge pull request #2763 from vyos/mergify/bp/sagitta/pr-1637Christian Breunig
openvpn: T3214: fix server-ipv6 and nopool handling (backport #1637)
2024-01-06Merge pull request #2762 from vyos/mergify/bp/sagitta/pr-2761Viacheslav Hletenko
dns: T5900: fix smoketests for serve-stale-extension and exclude-throttle-address (backport #2761)
2024-01-06smoketests: drop nopool/net30 from testcasesChristian Breunig
After commit 0ccbbca01b ("openvpn: T3214: specify nopool on --server line only if needed") that removed the net30 option and nopool smoketests needed a fix. (cherry picked from commit 455943cd7f759a5a3fc53d421b479044730d1f08)
2024-01-06openvpn: T3214: specify nopool on --server line only if neededAntonio Quartulli
The --server directive will already create a pool automatically. For this reason noppol should be used only when an explicit client-ip-pool was configured by the user. If that's not the case, then the nopool flag should not be specified and no manual pool should be configured. Signed-off-by: Antonio Quartulli <antonio@mandelbit.com> (cherry picked from commit 0ccbbca01b22232b5cba63d64ab00eb54af7b068)
2024-01-06openvpn: T3214: warn when setting nopool and server-ipv6 is being usedAntonio Quartulli
Currently OpenVPN does not allow having an IPv6 subnet if 'nopool' was specified on the --server directive. For this eason warn if this specific configuration is being hit. This is probably something that should be fixed upstream, but for now we can't allow this combination of parameters. Signed-off-by: Antonio Quartulli <antonio@mandelbit.com> (cherry picked from commit 7a0e40ce8df386c0ea2de84bce8fb6c81a0353ce)
2024-01-06openvpn: T3214: allow configuring server with v6 onlyAntonio Quartulli
Starting with v2.5.0 OpenVPN allows configuring a server with an IPv6 only tunnel. For this reason there is no need to depend on the existence of an IPv4 subnet anymore. Signed-off-by: Antonio Quartulli <antonio@mandelbit.com> (cherry picked from commit 3072e507eb1cdc18cfe5429fd0c03d223d2576fe)
2024-01-06dns: T5900: fix smoketests for serve-stale-extension and ↵Christian Breunig
exclude-throttle-address This fixes commit 199ceb1f0a ("dns: T5900: add dont-throttle-netmasks and serve-stale-extensions powerdns features") where after the latest review round the Jinja2 template was inconsitently changed and smoketests were not re-run. (cherry picked from commit 9baeafa890f7b1d3829df633322fb4288e9ea882)
2024-01-06Merge pull request #2759 from vyos/mergify/bp/sagitta/pr-2757Christian Breunig
T5900 dns forwarding: reliability improvements (backport #2757)
2024-01-06dns: T5900: add dont-throttle-netmasks and serve-stale-extensions powerdns ↵fvlaicu
features (cherry picked from commit 199ceb1f0a820c838dea6862371a3121b3d9f3a9)
2024-01-05Merge pull request #2755 from vyos/mergify/bp/sagitta/pr-2694Viacheslav Hletenko
T5169: nat: add option to map network and ports. (backport #2694)
2024-01-04T5159: nat: add option to map network and ports. Feature used for large ↵Nicolás Fort
deployments in cgnat. (#2694) (cherry picked from commit 3fc76505d0642c32a3eae9c0ce6ab3dd2ec32dbd)
2024-01-04Merge pull request #2753 from vyos/mergify/bp/sagitta/pr-2752Christian Breunig
T5897: frr should be stopped before vyos-router (backport #2752)
2024-01-04Merge pull request #2754 from vyos/mergify/bp/sagitta/pr-2749Christian Breunig
smoketests: T5887: remove IXGB driver (backport #2749)
2024-01-04smoketests: T5887: remove IXGB driverChristian Breunig
From Kernel commit e485f3a6eae0 ("ixgb: Remove ixgb driver") There are likely no users of this driver as the hardware has been discontinued since 2010. Remove the driver and all references to it in documentation. (cherry picked from commit 8eabba331f2615a284348b70a9ef3dd49e15f76d)
2024-01-04T5897: frr should be stopped before vyos-routerDate Huang
Signed-off-by: Date Huang <tjjh89017@hotmail.com> (cherry picked from commit 6d16ab081b70bc4ea837b66dfe032ec6bdb563d7)
2024-01-04Merge pull request #2751 from vyos/mergify/bp/sagitta/pr-2750Christian Breunig
configdict: T5894: add get_config_dict() flag with_pki (backport #2750)
2024-01-04configdict: T5894: add get_config_dict() flag with_pkiChristian Breunig
VyOS has several services relaying on the PKI CLI tree to retrieve certificates. Consuming services like ethernet, openvpn or ipsec all re-implemented the same code to retrieve the certificates from the CLI. This commit extends the signature of get_config_dict() with a new option with_pki that defaults to false. If this option is set, the PKI CLI tree will be blended into the resulting dictionary. (cherry picked from commit b152b52023ba0cf0d4919eae39e92de28a458917)
2024-01-04configdict: T5837: node_changed() shall not return duplicate list itemsChristian Breunig
This extends commit 4ee406470 ("configdict: T5837: add support to return added nodes when calling node_changed()") so no duplicate list elements get returned. (cherry picked from commit 301312b293238d3041c8912af6fdb86b506d7ab4)
2024-01-04xml: T5738: add constraint building block with alphanumeric, hypen, ↵Christian Breunig
underscore and dot (cherry picked from commit 82b4b2db8fda51df172210f470e5825b91e81de4)
2024-01-03Merge pull request #2719 from c-po/sagitta-backports-accel-pppChristian Breunig
Backports for Accel-PPP based serviced T5801, T5842 and T5688
2024-01-03Merge pull request #2745 from vyos/fix-wg-helpDaniil Baturin
op-mode: T5884: correct "generate wireguard" help string (backport)
2024-01-03Merge pull request #2732 from vyos/mergify/bp/sagitta/pr-2728Christian Breunig
T5880: verify_source_interface() should not allow dynamic interfaces like ppp, l2tp, ipoe or sstpc client interfaces (backport #2728)
2024-01-03Merge pull request #2747 from vyos/mergify/bp/sagitta/pr-2746Viacheslav Hletenko
op-mode: T5890: Fix arguments passed to generate_system_login_user.py (backport #2746)
2024-01-03op-mode: T5890: Fix arguments passed to generate_system_login_user.pyMatthew Kobayashi
(cherry picked from commit 51bb6d0487c5a0918276f142f41ea5bca7b380fc)
2024-01-02Merge pull request #2744 from vyos/mergify/bp/sagitta/pr-2743Christian Breunig
T5888: fix migration script in order to fit new type-names for icmp and icmpv6 (backport #2743)
2024-01-02Merge pull request #2742 from c-po/t5261-aws-backportChristian Breunig
T5474: remove "aws glb" XML definitions as feature is not available in VyOS 1.4
2024-01-02op-mode: T5884: correct "generate wireguard" help stringhwlnx
(cherry picked from commit e2c9ffd8bc2d6119b78ec166fe5b90764fb38563)
2024-01-02T5888: fix migration script in order to fit new type-names for icmp and icmpv6.Nicolas Fort
(cherry picked from commit 1ccb3e634d45d0d1a8e190297cc0a310cb0069d6)
2024-01-02T5474: remove "aws glb" XML definitions as feature is not available in VyOS 1.4Christian Breunig
Files got added by accident in commit c9eaafd9f ("T5474: establish common file name pattern for XML conf mode commands")
2024-01-02Merge pull request #2740 from vyos/mergify/bp/sagitta/pr-2739Christian Breunig
T3642: add missing base64 CLI validators (backport #2739)
2024-01-02Merge pull request #2741 from vyos/mergify/bp/sagitta/pr-2736Christian Breunig
vyos-configd: extend list of included scripts (backport #2736)