Age | Commit message (Collapse) | Author |
|
(cherry picked from commit 5ade35255b3d8438aa6082fe56ae459d50cdc0a5)
|
|
interfaces: T6519: harden config migration if ethernet interface is missing (backport #3724)
|
|
During a corner case where the configuration is migrated to a different system
with fewer ethernet interfaces, migration will fail during an image upgrade.
vyos.ethtool.Ethtool() is instantiated with an invalid interface leading to an
exception that kills the migrator
(cherry picked from commit e47d4fd385631236da6882233b09f6364cbb077b)
|
|
T3202: Enable wireguard debug messages (backport #3679)
|
|
(cherry picked from commit 9495f904fcc157521ca001ee21cf31be28a6b3a0)
|
|
(cherry picked from commit d818788932e3c57d020cca9236df7275da452fce)
|
|
T5949: Add option to disable USB autosuspend (backport #3677)
|
|
openconnect: T6500: add support for multiple ca-certificates (backport #3682)
|
|
Commit 9f9891a2099 ("pki: T6241: Fix dependency updates on PKI changes") added
a print() statement which notified the users about the subsystems which got
supplied with an updated certificate.
Example:
> PKI: Updating config: interfaces openvpn vtun0 tls certificate openvpn_vtun0
> PKI: Updating config: interfaces openvpn vtun0 tls ca_certificate openvpn_vtun0_1
This is an informational message which should maybe (if needed) be sent to
syslog. But the main issue is that CLI paths are mangled (- to _) which makes
the about print output wrong and could potentially confuse users.
Statement has been commented to be re-enabled for debugging.
(cherry picked from commit a4d49a96918c0f0dac3d17f9cf3a5b8f3a9505c0)
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
* install_certificate() code path handles private_key=None &
key_passphrase=None OK already
* file and console output paths will error trying to encode None as a key
* This is only an issue for a couple of the generate_*_sign() functions,
where having a null private key is possible
* Self-signing and CA creation always generate a private key
* Certreqs will generate a private key if not already provided
* Do not prompt for a private key passphrase if we aren't giving back a
private key
(cherry picked from commit d2cf8eeee9053d04f34c5e8a22373290d078ab37)
Co-authored-by: Andrew Topp <andrewt@telekinetica.net>
|
|
op-mode: T6480: must call pki.py helper as root to work with ACME certificates (backport #3645)
|
|
op-mode: T6503: "restart ssh" command not working (backport #3702)
|
|
op-mode: T6407: "generate pki" missed to mangle in ACME certificates when required (backport #3646)
|
|
(cherry picked from commit c0b2693cebc3429e1974a9cec5946fa88ffc0205)
|
|
macsec: T5447: fix error message syntax - there is no tx and rx key, only key (backport #3685)
|
|
op-mode: T5514: Allow safe reboots to config defaults when config.boot is deleted (backport #3654)
|
|
Commit e5af1f090 ("ssh: T6192: allow binding to multiple VRF instances")
switched the systemd unit file from ssh.service to ssh@*.service, this change
was not reflected in the "restart ssh" op-mode command.
(cherry picked from commit 059eb3a137a75d502632174cc028b81f49152782)
|
|
deleted
* Added flag to vyos.config_mgmt.unsaved_commits() that will tolerate missing config.boot for specific circumstances
* Shutdown/reboot uses this flag; config will regenerate from defaults after a reboot
(cherry picked from commit 8281383a09f12da20a1c9b4864b38ac3f541b48f)
|
|
Add possibility to provide a full CA chain to the openconnect server.
* Support multiple CA certificates
* For every CA certificate specified, always determine the full certificate
chain in the background and add the necessary SSL certificates
(cherry picked from commit 973f06c00b902c43dfea34bdf01bdec7c599c452)
|
|
(cherry picked from commit f29caa824c02c833a3978b9236391e4277c1a6ba)
|
|
T6487: updated central workflows to use current branch (backport #3647)
|
|
(cherry picked from commit 6c4bd6cdaa6008f05ed610742a4cc7e79988b737)
|
|
This is an addition to commit 65fba1cd2 ("op-mode: T6377: must call pki.py
helper as root to work with ACME certificates") which missed out the basic
"show pki" command, as the <command> XML node was deep down in the view.
(cherry picked from commit 9456113a202f98a777d44c756f7f51c95b1df027)
|
|
required
If the requested certificate to generate an Apple IOS profile was based on an
ACME certificate, we also need to mangle in the ACME certs content to retrieve
the certificates issuer name.
(cherry picked from commit 1bc67d498c4d71da78aa46d1d2f9fe9752f59860)
|
|
bgp: T6473: missing completion helper for peer-groups inside a VRF (backport #3638)
|
|
Using BGP peer-groups inside a VRF instance will make use if the global VRFs
peer-group list during tab-completion and not the peer-groups defined within
the BGP instance of the given VRF.
(cherry picked from commit 80ea3d53b2224676d3e9287bce80df4407fe6c01)
|
|
wireless: T6462: add op-mode command for hostapd and wpa_supplicant logs (backport #3611)
|
|
* monitor log wireless hostapd [interface <name>]
* monitor log wireless wpa-supplicant [interface <name>]
* show log wireless hostapd [interface <name>]
* show log wireless wpa-supplicant [interface <name>]
(cherry picked from commit 7ed4abe6cb3886889190f1f7a80c0229fd3a9c78)
|
|
* container: T6219: Add support for container sysctl / kernel parameters
(cherry picked from commit 717ea64e4c54a8be619ffc29c16c6203b29319dd)
* T6219: align with system sysctl and limit parameters to supported
(cherry picked from commit f030464952168b553b5b3e29b461d437c2642a9b)
---------
Co-authored-by: Ben Pilgrim <ben@pilgrim.me.uk>
Co-authored-by: Nicolas Vollmar <nvollmar@gmail.com>
|
|
vyos.utils: T5195: import vyos.cpu to this package (backport #3606)
|
|
The intention of vyos.utils package is to have a common ground for repeating
actions/helpers. This is also true for number of CPUs and their respective
core count.
Move vyos.cpu to vyos.utils.cpu
(cherry picked from commit e318eb33446de47835480d4b8f1646b39fb5c388)
|
|
pki: T6464: sstpc interface not reloaded when updating SSL certificate(s) (backport #3613)
|
|
op-mode: T6424: ipsec: honor certificate CN and CA chain during profile generation (backport #3610)
|
|
pki: T6463: reverse-proxy service not reloaded when updating SSL certificate(s) (backport #3612)
|
|
(cherry picked from commit 4e51569013b3f78abea9c18e5a6ecb9ff5ae4687)
|
|
generation
In e6fe6e50a5c ("op-mode: ipsec: T6407: fix profile generation") we fixed
support for multiple CAs when dealing with the generation of Apple IOS profiles.
This commit extends support to properly include the common name of the server
certificate issuer and all it's paren't CAs. A list of parent CAs is
automatically generated from the "PKI" subsystem content and embedded into the
resulting profile.
(cherry picked from commit d65f43589612c30dfaa5ce30aca5b8b48bf73211)
|
|
The SSTPC client was not reloaded/restarted with the new SSL certificate(s)
after a change in the PKI subsystem.
This was due to missing dependencies.
(cherry picked from commit 42294ccd904773fa19a6af0f37cf9526321d87e4)
|
|
The haproxy reverse proxy was not reloaded/restarted with the new SSL
certificate(s) after a change in the PKI subsystem. This was due to missing
dependencies.
(cherry picked from commit 6ce8efdc8dafef67541bed89fc7dc7cd83335bf4)
|
|
T6449: added pr update trigger (backport #3596)
|
|
reverse-proxy: T6454: Set default value of http for haproxy mode (backport #3598)
|
|
grub: T6453: Fixed GRUB variables parsing (backport #3592)
|
|
xml: T6423: enforce priority on nodes having an owner (backport #3589)
|
|
vxlan: T6401: Avoid calling get_vxlan_vni_filter() unless we need it (backport #3573)
|
|
(cherry picked from commit 395bd4eb850ff5763a82f29b1ff398c41e200f09)
|
|
T6460: fix DHCPv6 duid formatting
|
|
(cherry picked from commit 60d7c0ecaff49ec62f4600a460f5fbe7b26a0d9c)
|
|
(cherry picked from commit 61f8250184e927de9ab6bddc207b917bef7da42b)
|
|
To parse variables with `=` a variable name should be limited by alphanumerical
characters only.
(cherry picked from commit d3acecdf129cd940f8b2d1b229a6e2a343cab74b)
|
|
`bridge vni show dev vxlanX` will exit with an error if no VNI filters
are installed, but the getter is used even when we haven't installed any.
This fix avoids fetching a list of VNI filters unless we know we've
created some.
(cherry picked from commit ac7ee2b36df23c3a4dd2be393132631556b6ef40)
|
|
|