Age | Commit message (Collapse) | Author |
|
|
|
|
|
|
|
In the OpenVPN site-to-site config we can use IPv6 peers
without IPv4 configurations but "verify()" checks also local and
remote IPv4 addresses that in this case will be empty lists
For example:
set interfaces openvpn vtun2 local-address 2001:db8::1
set interfaces openvpn vtun2 remote-address 2001:db8::2
Check in the commit (v4loAddr == v4remAddr) <= both empty lists
commit
DEBUG: [] == [] or ['2001:db8::2'] == []
So we should also check v4loAddr, v4remAddr, v6loAddr, v6remAddr
are not empty
|
|
ipsec: T4594: Rewrite op-mode 'show vpn ipsec sa' to the new format
|
|
We check listen port before commit service if is port available and
not bounded, but when we start openconnect our own port starts be
bounded by "ocserv-main" process and next commit will be fail as
port is already bound
To fix it, extend check if port already bonded and it is not our
self process "ocserv-main"
|
|
Convert multiple types of data to types usable in CLI
For example 'vici' returns values in bytestring/bytes and we can
decode them all at once
|
|
It is useful to have both a return code and output of the command
Add a new wrapper "rc_cmd" that returns both
% rc_cmd('uname')
(0, 'Linux')
% rc_cmd('ip link show dev fake')
(1, 'Device "fake" does not exist.')
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
entry
|
|
|
|
netns: T3829: Ability to configure network namespaces
|
|
|
|
|
|
interfaces
(cherry picked from commit a032d73f1d405f3bae269791e9064026faa491d9)
|
|
|
|
|
|
|
|
data = {
'interfaces': {'dummy': {'dum0': {'address': ['192.0.2.17/29']}},
'ethernet': {'eth0': {'address': ['2001:db8::1/64', '192.0.2.1/29'],
'description': 'Test123',
'duplex': 'auto',
'hw_id': '00:00:00:00:00:01',
'speed': 'auto'},
'eth1': {'address': ['192.0.2.9/29'],
'description': 'Test456',
'duplex': 'auto',
'hw_id': '00:00:00:00:00:02',
'speed': 'auto'}}}
}
dict_search_recursive(data, 'hw_id') will yield both '00:00:00:00:00:01' and
'00:00:00:00:00:02' as generator object.
|
|
implementations
|
|
`print` was removed or replaced to `ValueError`, where possible.
|
|
Each wireguard interface requires a unique port for in and out
connections. This commit adds the new `vyos.util` function -
`check_port_availability`, and uses it to be sure that a port
that is planned to be used for wireguard interface is truly
available and not used by any other services (not only other
wireguard interfaces).
|
|
commit_in_progress()
|
|
Inspired by the comments of https://unix.stackexchange.com/a/435317 use a more
robust approach. A service can be "active" but not "running" (e.g. restarting
with a configuration error). We can now test if a systemd unit is "activated"
and if it is "running" at all.
>>> from vyos.util import is_systemd_service_active
>>> from vyos.util import is_systemd_service_running
>>> is_systemd_service_active('ssh')
True
>>> is_systemd_service_running('sshd')
False
>>> is_systemd_service_running('ssh')
True
|
|
Test is a specified systemd service is actually running.
Returns True if service is running, false otherwise.
|
|
|
|
When waiting for processes that don't take long,
we need add an inotify watcher _before_ starting that process.
The pre-hook arguments allows the user to pass a () -> () anonymous function
to be called before adding a watch.
|
|
|
|
Also adds check for the charon socket instead of an arbitrary sleep()
|
|
vyos.util method `dict_search_args` to allow for dot characters in keys.
|
|
Keep the vyos.util function clean and not pull in the rest of the world
when importing it.
|
|
|
|
Remove python3-crypto dependency.
|
|
The IPSec ceritifcate handling is now done by storing the CA key inside the
running configuration.
|
|
* 'pki_ipsec' of https://github.com/sarthurdev/vyos-1x:
pki: ipsec: T3642: Update migration script to account for file permission issues
pki: ipsec: T3642: Migrate IPSec to use PKI configuration
pki: T3642: New PKI config and management
|
|
Commit 5303ec39 ("vyos.util: add new helper copy_file()") added a new helper
function to copy a file from A -> B and create the destination directory if
required. It did also throw an excpetion if the destination file already
existed and consisted of the same file - this is now ignored and we always
copy the source to the destination.
|
|
|
|
Copy a file from A -> B but also support adjusting Bs file permissions
and creation of Bs base directory if required.
|
|
|
|
|
|
Implementing a wrapper which will - based on the command - add a sudo prefix
to the execution string seemed to be a nice idea but unfortunately it did not
only not get momentum but also the codebase somethis added an implicit "sudo"
call a second time.
This resulted in a call: "sudo sudo systemctl"
The entire functionality was removed again and if an op-mode script requires
root priviledges it must be explicitly called with them - no black magic.
|
|
|