summaryrefslogtreecommitdiff
path: root/debian
AgeCommit message (Collapse)Author
2023-08-28Debian: T5521: use --no-create-home for TACACS usersChristian Breunig
2023-08-28Debian: T5521: place AAA users in users group (besides aaa group)Christian Breunig
2023-08-28Debian: T5521: both RADIUS and TACACS users belong to aaa group, add group firstChristian Breunig
2023-08-16netplug: T5476: rewrite dhclient helper from Perl -> PythonChristian Breunig
There are two hooks called for bridge, ethernet and bond interfaces if the link-state changes up -> down or down -> up. The helpers are: * /etc/netplug/linkdown.d/dhclient * /etc/netplug/linkup.d/dhclient As those helpers use Linux actions to start/restart the dhclient process in Perl it's time to rewrite it. First goal is to get rid of all Perl code and the second is that we now have a Proper Python library. Instead of checking if the process is running the then restarting it without even systemd noticing (yeah we might get two processes beeing alive) we should: * Add a Python helper that can be used for both up and down (see man 8 netplugd FILES section) * Query the VyOS CLI config if the interface in question has DHCP(v6) configured and is not disabled * Add IPv6 DHCPv6 support MAN page: https://linux.die.net/man/8/netplugd
2023-08-10T5434: drop unneeded cache generation from old libJohn Estabrook
2023-08-09T5448: Add service zabbix-agent version 2Viacheslav Hletenko
Add service zabbix-agent set service zabbix-agent directory '/config/zabbix/' set service zabbix-agent limits buffer-flush-interval '8' set service zabbix-agent limits buffer-size '120' set service zabbix-agent log debug-level 'warning' set service zabbix-agent log size '1' set service zabbix-agent server '192.0.2.5' set service zabbix-agent server-active 192.0.2.5 port '10051' set service zabbix-agent server-active 2001:db8::123
2023-08-04T5436: Add missing preconfig-scriptApachez
2023-08-01xml: T5403: drop unnecessary copy of xml_cacheJohn Estabrook
2023-07-29xml: T5403: fix installation of xml cacheJohn Estabrook
2023-07-29vpp: T1797: change dependency to amd64 builds onlyChristian Breunig
2023-07-27xml: T5403: add support for supplemental xml cacheJohn Estabrook
2023-07-22Revert "Debian: T4974: add openvpn-dco dependency"Christian Breunig
This reverts commit 9f7b51370732606611253e2e6a16692bf706659b.
2023-07-15Debian: T4974: add openvpn-dco dependencyChristian Breunig
2023-07-12debian: T5003: add power management userspace toolsChristian Breunig
2023-07-12container: T5352: Fix missing dependency for netavarkYouyuan
There is a missing dependency iptables for netavark . Debian marked it as optional but should be a dependency. If not installed, container cannot be created with assigned network. The rolling release is built with package iptables so there is no bug. But if users build iso on their own, container will not work if container network is assigned.
2023-07-09T3355: import startup scripts from vyatta-cfg repo for vyos-routerChristian Breunig
2023-07-08vpp: T1797:: support re-installation of vyos-1x packageChristian Breunig
2023-07-01T1797: Divert sysctl 80-vpp.confViacheslav Hletenko
2023-06-29vpp: T1797: disable CLI in rolling releasesChristian Breunig
2023-06-29Merge pull request #2059 from sever-sever/T1797-vppChristian Breunig
T1797: Add initial vpp configuration
2023-06-29tacacs: T141: tacacs is not available for arm64 (yet)Christian Breunig
2023-06-27VPP: T1797: Replaced CLI with APIViacheslav Hletenko
2023-06-27T1797: Add initial vpp configurationViacheslav Hletenko
Add initial configuration mode for VPP (PoC) set vpp cpu corelist-workers '2' set vpp cpu main-core '1' set vpp interface eth1 num-rx-desc '256' set vpp interface eth1 num-rx-queues '512' set vpp interface eth1 num-tx-desc '256' set vpp interface eth1 num-tx-queues '512' set vpp interface eth1 pci '0000:02:00.0' set vpp interface eth1 rx-mode 'polling' set vpp interface eth2 pci '0000:08:00.0' Limitation: - 'set vpp interface ethX pci auto' works only per first commit, then interface detached from default stack and creates tun interface 'ethX' to communicate with default stack. In this case we can't get PCI address via ethtool for 'tun' interfaces. But we can set pci address manualy. - Interface sync between default stack and VPP-DPDK stack After vpp change it doesn't trigger iproute2 for changes (should be written later) I.e. if we change something in vpp per each commit it restarts vpp.service it gets empty interface config as we don't configure vpp directly and it should be configured via iproute2 But then if we do any change on interface (for example description) it gets IP address, MTU, state, etc.
2023-06-22tacacs: T141: initial implementationChristian Breunig
2023-06-21tacacs: T141: create new UNIX group for aaaChristian Breunig
2023-06-21tacacs: T141: add debian package dependenciesChristian Breunig
2023-06-12Debian: T5286: cleanup dependenciesChristian Breunig
2023-06-12T5286: drop XDP support for ethernet and bonding interfacesChristian Breunig
... this is a step towards a new and better implementation that will utilize VPP.
2023-05-21T5234: add bash prompt identifier for given VRF instanceChristian Breunig
2023-05-17T5222: Add load-balancing for web trafficViacheslav Hletenko
2023-05-09Merge pull request #1978 from zdc/T5190-sagittaChristian Breunig
cloud-init: T5190: Added Cloud-init pre-configurator
2023-05-08syslog: T2778: migrate to get_config_dict()Christian Breunig
2023-05-04cloud-init: T5190: Added Cloud-init pre-configuratorzsdc
Added a new service that starts before Cloud-init, waits for all network interfaces initialization, and if requested by config, checks which interfaces can get configuration via DHCP server and creates a corresponding Cloud-init network configuration. This protects from two situations: * when Cloud-init tries to get meta-data via eth0 (default and fallback variant for any data source which depends on network), but the real network is connected to another interface * when Cloud-init starts simultaneously with udev and initializes the first interface to get meta-data before it is renamed to eth0 by udev
2023-04-21debian packaging: T5172: set minimum Python version to 3.10Daniil Baturin
since it's required for match statements and for op mode introspection
2023-04-14container: T5082: enable aardvark-dns supportChristian Breunig
With commit 0ea3e1420 ("container: T5082: switch to netavark network stack") moving to a new network stack we should also enable the new DNS plugin provided by default. TODO: add CLI nodes to manually disable DNS and/or supply external DNS servers to the container.
2023-04-04T5142: Add audit tool to monitor security-relevant eventsViacheslav Hletenko
2023-04-01container: T5082: switch to netavark network stackChristian Breunig
We now support assigning discrete IPv6 addresses to a container.
2023-03-29T5110: Fix op-mode FRR vtysh_pam account validationViacheslav Hletenko
With FRR 8.5 there is exists file /etc/pam.d/frr With this file by default we have cosmtetic error for any op-mode command $ show ip bgp vtysh_pam: Failed in account validation: Success(0)No BGP prefixes displayed, 0 exist Fix it
2023-03-16T5086: Add sFlow feature based on hsflowdViacheslav Hletenko
Add sFlow feature based on hsflowd According to user reviews, it works more stable and more productive than pmacct I haven't deleted 'pmacct' 'system flow-accounting sflow' yet It could be migrated or deprecated later set system sflow agent-address '192.0.2.14' set system sflow interface 'eth0' set system sflow interface 'eth1' set system sflow polling '30' set system sflow sampling-rate '100' set system sflow server 192.0.2.1 port '6343' set system sflow server 192.0.2.11 port '6343'
2023-03-12Debian: bump compat (debian helper) version 10 -> 12Christian Breunig
2023-03-12Revert "Debian: T2216: add netavark dependency for podman containers"Christian Breunig
This reverts commit 9ed4113d6c4809a0126d04c99d60eaa76a7b6b15.
2023-03-11container: T5003: add dependency on fuse-overlayfsChristian Breunig
Fix podman error about invalid storage: [graphdriver] prior storage driver overlay failed: 'overlay' is not supported over overlayfs, a mount_program is required: backing file system is unsupported for this graph driver" Error: 'overlay' is not supported over overlayfs, a mount_program is required: backing file system is unsupported for this graph driver.
2023-03-11Debian: T2216: add netavark dependency for podman containersChristian Breunig
2023-03-11Debian: remove python3-pyhumps from build dependencies, provided via pip in ↵Christian Breunig
container
2023-03-01graphql: T5040: generate schema in vyos-1x.postinstJohn Estabrook
2023-02-25python: T5026: Replace deprecated Python modules crypt, spwdsarthurdev
DeprecationWarning: 'crypt' is deprecated and slated for removal in Python 3.13 DeprecationWarning: 'spwd' is deprecated and slated for removal in Python 3.13
2023-02-24Merge pull request #1851 from zdc/T4943-sagittaChristian Breunig
login: T4943: Fixed 2FA + RADIUS compatibility
2023-02-24login: T4943: Fixed 2FA + RADIUS compatibilityzsdc
MFA requires KbdInteractiveAuthentication to ask a second factor, and the RADIUS module for PAM does not like it, which makes them incompatible. This commit: * disables KbdInteractiveAuthentication * changes order for PAM modules - make it first, before `pam_unix` or `pam_radius_auth` * enables the `forward_pass` option for `pam_google_authenticator` to accept both password and MFA in a single input As a result, local, RADIUS, and MFA work together. Important change: MFA should be entered together with a password. Before: ``` vyos login: <USERNAME> Password: <PASSWORD> Verification code: <MFA> ``` Now: ``` vyos login: <USERNAME> Password & verification code: <PASSWORD><MFA> ```
2023-02-24T5029: Change nginx default root directoryViacheslav Hletenko
2023-02-15Merge pull request #1817 from sarthurdev/bookwormChristian Breunig
debian: T5003: Upgrade base system to Debian 12 "Bookworm"