Age | Commit message | Author |
|
We have not seen the adoption of the https virtual-host CLI option.
What did it do?
* Create multiple webservers each listening on a different IP/port
(but in the same VRF)
* All webservers shared one common document root
* All webservers shared the same SSL certificates
* All webservers could have had individual allow-client configurations
* API could be enabled for a particular virtual-host but was always enabled on
the default host
This configuration tried to provide a full webserver via the CLI but VyOS is a
router and the Webserver is there for an API or to serve files for a local-ui.
Changes
Remove support for virtual-hosts as it's an incomplete and thus mostly useless
"thing". Migrate all allow-client statements to one top-level allow statement.
(cherry picked from commit d0d3071e99eb65edb888c26ef2fdc9e038438887)
|
|
The "idea" of this PR is to add new CLI nodes under the pki subsystem to
activate ACME for any given certificate.
```
vyos@vyos# set pki certificate NAME acme
Possible completions:
 + domain-name      Domain Name
   email            Email address to associate with certificate
   listen-address   Local IPv4 addresses to listen on
   rsa-key-size     Size of the RSA key (default: 2048)
   url              Remote URL (default:
                    https://acme-v02.api.letsencrypt.org/directory)
```
Users choose if the CLI based custom certificates are used
set pki certificate EXAMPLE acme certificate <base64>
or if it should be generated via ACME.
The ACME server URL defaults to LetsEncrypt but can be changed to their staging
API for testing to not get blacklisted.
set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory
Certificate retrieval has a certbot --dry-run stage in verify() to see if it
can be generated.
After successful generation, the certificate is stored under
/config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set
interfaces ethernet eth0 eapol certificate EXAMPLE) we call
vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the
base64 encoded certificate into the JSON data structure normally used when
using a certificate set by the CLI.
Using this "design" does not need any change to any other code referencing the
PKI system, as the base64 encoded certificate is already there.
certbot renewal will call the PKI python script to trigger dependency updates.
(cherry picked from commit b8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a)
# Conflicts:
# debian/control
|
|
This fix moves from partprobe to partx to rescan the partition table on an affected disk.
(cherry picked from commit f883455d9a3081780c43426ab26de9d26f24c9aa)
|
|
Commit ad9bdfc24 ("T5195: add timeout argument to process_named_running()")
added a 2*10 seconds penalty for every interface test (dhcp and dhcpv6).
This leads to long runs of "make test" after an ISO build.
There is no need to wait 10 seconds for a test that checks for a process
not running. The timeout is there to give the process some time to start up.
(cherry picked from commit 041db49533d57cabfccd319492b85ee0bafdd40c)
|
|
Smoketests heavily rely on process_named_running() so in order to "relax"
system constraints during a test we will add a timeout of 10 seconds for
every testcase provided by base_interfaces_test.py
(cherry picked from commit ad9bdfc248cf47b3361bd0e5d7371d56131160a0)
|
|
deployments in cgnat. (#2694)
(cherry picked from commit 3fc76505d0642c32a3eae9c0ce6ab3dd2ec32dbd)
|
|
VyOS has several services relying on the PKI CLI tree to retrieve certificates.
Consuming services like ethernet, openvpn or ipsec all re-implemented the same
code to retrieve the certificates from the CLI.
This commit extends the signature of get_config_dict() with a new option with_pki
that defaults to false. If this option is set, the PKI CLI tree will be blended
into the resulting dictionary.
(cherry picked from commit b152b52023ba0cf0d4919eae39e92de28a458917)
|
|
This extends commit 4ee406470 ("configdict: T5837: add support to return added
nodes when calling node_changed()") so no duplicate list elements get returned.
(cherry picked from commit 301312b293238d3041c8912af6fdb86b506d7ab4)
|
|
T5880: verify_source_interface() should not allow dynamic interfaces like ppp, l2tp, ipoe or sstpc client interfaces (backport #2728)
|
|
(cherry picked from commit 3a9688ddb07f6bac1eb92aa13c20e897129e8958)
|
|
interfaces
Interfaces matching the following regex (ppp|pppoe|sstpc|l2tp|ipoe)[0-9]+ cannot
be used as source-interface for e.g. a tunnel.
The main reason is that these are dynamic interfaces which come and go from a
kernel point of view, thus it's not possible to bind an interface to them.
(cherry picked from commit 5062f5d313548d6ebb9c07fee6b6d6be25b8f8f0)
|
|
We will use _ as the CLI level divider. The XML definition filename and also
the Python helper should match the CLI node.
Example:
```
set interfaces ethernet  -> interfaces_ethernet.xml.in
set interfaces bond      -> interfaces_bond.xml.in
set service dhcp-server  -> service_dhcp-server.xml.in
```
(cherry picked from commit 4ef110fd2c501b718344c72d495ad7e16d2bd465)
|
|
Rename chain level defaults log option from `enable-default-log` to
`default-log` for consistency.
(cherry picked from commit 245e758aa2ea8779186d0c92d79d33170d036992)
|
|
vyos.template: T5869: first_host_address() does not honor RFC4291 section 2.6.1 (backport #2704)
|
|
After deleting a user account and working with a newly added account, we see
that after rebooting in the previously saved configuration, the user is
re-added but its home directory might have an old UID set on the filesystem.
This is due to the fact that vyos config does not store UIDs. When adding a
user account to the system we now check if the home directory already exists
and adjust the ownership to the new UID.
(cherry picked from commit 3c990f49e2bf9347bd2cc478995baa995ee822fd)
|
|
The subnet router anycast address is predefined. Its format is as follows:
```
|                    n bits                      |   128-n bits   |
+------------------------------------------------+----------------+
|                 subnet prefix                  | 00000000000000 |
+------------------------------------------------+----------------+
```
The "subnet prefix" in an anycast address is the prefix that identifies a
specific link. This anycast address is syntactically the same as a unicast
address for an interface on the link with the interface identifier set to zero.
Packets sent to the Subnet-Router anycast address will be delivered to one
router on the subnet. All routers are required to support the Subnet-Router
anycast addresses for the subnets to which they have interfaces.
The Subnet-Router anycast address is intended to be used for applications where
a node needs to communicate with any one of the set of routers.
Our code as of now returns the subnet router anycast address as the
first_host_address().
(cherry picked from commit cc4ce81ece57faca8ce111b8f3748389ecb40202)
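As an added illustration of the point above (example code, not the VyOS implementation of first_host_address()): the Subnet-Router anycast address is the prefix with an all-zero interface identifier, so a first-host helper must skip it. The handling of /31, /32, /127 and /128 is my assumption, not something the commit states.

```python
from ipaddress import IPv6Network, ip_network


def subnet_router_anycast(prefix: str) -> str:
    """Subnet-Router anycast address (RFC 4291 section 2.6.1): the subnet
    prefix with the interface identifier set to all zeros, which is simply
    the network address of the IPv6 prefix."""
    net = ip_network(prefix, strict=False)
    if not isinstance(net, IPv6Network):
        raise ValueError('Subnet-Router anycast is defined for IPv6 only')
    return str(net.network_address)


def first_host_address_old(prefix: str) -> str:
    """Behaviour described in the commit message: the network address is
    returned, which for IPv6 is exactly the Subnet-Router anycast address."""
    return str(ip_network(prefix, strict=False).network_address)


def first_host_address(prefix: str) -> str:
    """First address that may be assigned to an interface on the link.

    IPv6: the all-zero interface identifier is reserved for the Subnet-Router
    anycast address, so the first host is network address + 1.
    IPv4: the network address is skipped as well.
    Assumption (not from the commit): on /31 (RFC 3021) and /127 (RFC 6164)
    point-to-point links, and for /32 and /128 host prefixes, both addresses
    are usable, so the network address itself is returned.
    """
    net = ip_network(prefix, strict=False)
    if net.prefixlen >= net.max_prefixlen - 1:
        return str(net.network_address)
    return str(net.network_address + 1)


def is_subnet_router_anycast(address: str, prefix: str) -> bool:
    """True if ``address`` is the Subnet-Router anycast address of ``prefix``."""
    return address == subnet_router_anycast(prefix)


if __name__ == '__main__':
    for p in ('2001:db8:abcd::/64', '192.0.2.0/24', '2001:db8::/127'):
        print(p, first_host_address_old(p), '->', first_host_address(p))
```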
|
|
Standardized pool configuration for all accel-ppp services.
1. Only named pools are used now.
2. Allows all services to use ranges in x.x.x.x/mask
   and x.x.x.x-x.x.x.y format.
3. next-pool can be used in all services.
4. Allows using gw-ip-address in ipoe without pool configuration,
   which allows using the Framed-IP-Address attribute from RADIUS.
5. The default pool name should be explicitly configured
   with default-pool.
6. In ipoe, netmask and range subnet can be different.
(cherry picked from commit 422eb463d413da812eabc28706e507a9910d7b53)
|
|
VyOS is a routing (packet pushing) platform, thus supporting EEE which
potentially causes issues is not a good idea. Some recent Intel drivers enable
EEE by default, thus we will disable this for every NIC supporting EEE.
(cherry picked from commit ab30509b25d54dac99294b76ba03fd49c3d2c946)
|
|
In the past, node_changed() suggested it would also return nodes that got added
(function comment) but in reality only deleted keys got accounted for.
This commit changes the signature and adds an argument expand_nodes to specify
the user's interest: whether a node was deleted (default), added (expand_nodes=Diff.ADD)
or even both (expand_nodes=Diff.ADD|Diff.DELETE).
(cherry picked from commit 4ee4064705ebd1e1a6a59be0c6df3b96755a067e)
|
|
node_changed() will return a list of changed keys under "path". We are not
always interested in what changed, sometimes we are only interested in whether
something changed at all; that is what vyos.configdict.is_node_changed() is for.
(cherry picked from commit 5e7a8288d06a6d6beee5e1abd2e06698ab778650)
|
|
(cherry picked from commit f19b2acb34e77baeae34aa156ea96d0580a61725)
|
|
Add the ability to rollback configs without rebooting
```
sudo /usr/bin/config-mgmt rollback_soft --rev 1
rollback-soft 1
```
(cherry picked from commit f208e9b9acaec45468295e33b113bbef6c0309a1)
|
|
(cherry picked from commit d01aba1f5055cdaa43c8429a2c13580679ec12f7)
|
|
(cherry picked from commit e3cd779d0bd8dd8be6231c7b2028326a03e6a06c)
|
|
(cherry picked from commit cf83979636c686a459d6dc75dcd98e342c70b1b3)
|
|
(cherry picked from commit ea30fc962049226e869171f69c6ab1879f9e7085)
|
|
Restore scanning previous installations for config data and ssh host
keys on install.
(cherry picked from commit 32551842bb0f710f590e8c030395a3a7902aa1df)
|
|
(cherry picked from commit 2ccb567bba6dba69a1523daf9096ba39a18b35d1)
|
|
(cherry picked from commit 35f69340ef189e27b380074bb687ad58f29e9433)
|
|
(cherry picked from commit 0b97bde2cb04cf5e23350798f972abcee4bfe4ee)
|
|
(cherry picked from commit e036f783bc85e4d2bad5f5cbfd688a03a352223e)
|
|
(cherry picked from commit bd701768796d6ebb03ca943faf96d1dbea030edd)
|
|
(cherry picked from commit 9ffa3e82d951756696367578dd5e82ef0f690065)
|
|
This commit allows management of system images with either new or legacy
tools: 'add/delete/rename system image' and 'set default' are translated
appropriately on booting between images with the old and new tools.
Consequently, the warning of the initial commit of T4516 is dropped.
(cherry picked from commit 96b65e90fbfa1fe63d97929ac86fc910abb0caa9)
|
|
(cherry picked from commit 8efab9ee8cdb0e65dddb9d3ba97de8ddcf3666dc)
|
|
(cherry picked from commit fcded7930b5426193e8490c6df2a70e300a60e31)
|
|
(cherry picked from commit 9e3b769f8402a816f6c7fa80ff12c9579c3f5243)
|
|
(cherry picked from commit 74b00c1f6961d1bd3a59768021f154bdb64c154e)
|
|
This commit adds the whole set of system image tools written from scratch in
Python that allow performing all the operations on images:
* check information
* perform installation and deletion
* versions management
Also, it contains a new service that will update the GRUB menu and keep tracking
its version in the future.
WARNING: The commit contains non-reversible changes. Because of boot menu
changes, it will not be possible to manage images from older VyOS versions after
an update.
(cherry picked from commit 8f94262e8fa2477700c50303ea6e2c6ddad72adb)
|
|
included in <set firewall global-options state-policy> node.
|
|
The current implementation is wrong as it searches `master` in the
iproute2 JSON output. It is wrong as it could include bridges
or bonding interfaces.
Add the more strict search `info_slave_kind == vrf`.
(cherry picked from commit 2ebac5af10a36668ed3b8cfa6e5a9f61cf5d1068)
|
|
(cherry picked from commit 6b325962a4b8b3e67d7976bf161aed34a9fe6cce)
|
|
Collect in a module several versions of a 'load config' function.
They have different use cases according to performance and error
reporting, and allow comparison of non-legacy and legacy variants.
(cherry picked from commit 7e4caa118692d9b6fd798783596bd018f805e5eb)
|
|
(cherry picked from commit ccbf03f1a87ac37eef78aeb29420ceea9a730a90)
|
|
(cherry picked from commit f019ed91b5444d2f446ca4f7332602c03a074190)
|
|
(cherry picked from commit 63bbd1afdd21563cf673ee34b47156889bd5e349)
|
|
(cherry picked from commit 020410a1e2009cb47d72bd18d360b9dc4b9c764f)
|
|
|
|
|
|
The iproute2 master argument is used for both a VRF and a bridge device. Using
this in the VRF context would retrieve and report back the wrong interfaces:
Old implementation:
```
>>> from vyos.utils.network import get_vrf_members
>>> get_vrf_members('br1')
['eth1', 'eth2', 'vxlan1']
>>> get_vrf_members('black')
['br1.3002', 'br1.4000', 'pim6reg10200']
```
The new implementation:
```
>>> from vyos.utils.network import get_vrf_members
>>> get_vrf_members('br1')
[]
>>> get_vrf_members('black')
['br1.3002', 'br1.4000', 'pim6reg10200']
```
(cherry picked from commit e02546655adefe1a6fb3660402e697f872d3ffe7)
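As an added example (not VyOS's own get_vrf_members()), the two filters from the commit above run side by side over constructed `ip -j -d link show` output: matching on `master` alone treats bridge and bond ports as VRF members, while additionally requiring `linkinfo.info_slave_kind == "vrf"` does not. The sample JSON, and the assumption that the `-d` flag is what makes iproute2 emit the `linkinfo` object, are mine.

```python
import json
from typing import List

# Constructed sample of ``ip -j -d link show`` output. br1 is a bridge with
# three ports, black is a VRF holding two VLAN sub-interfaces, bond0 a bond.
IP_LINK_JSON = json.dumps([
    {"ifname": "eth0"},
    {"ifname": "eth1", "master": "br1",
     "linkinfo": {"info_slave_kind": "bridge"}},
    {"ifname": "eth2", "master": "br1",
     "linkinfo": {"info_slave_kind": "bridge"}},
    {"ifname": "vxlan1", "master": "br1",
     "linkinfo": {"info_kind": "vxlan", "info_slave_kind": "bridge"}},
    {"ifname": "eth3", "master": "bond0",
     "linkinfo": {"info_slave_kind": "bond"}},
    {"ifname": "br1.3002", "master": "black",
     "linkinfo": {"info_kind": "vlan", "info_slave_kind": "vrf",
                  "info_slave_data": {"table": 3002}}},
    {"ifname": "br1.4000", "master": "black",
     "linkinfo": {"info_kind": "vlan", "info_slave_kind": "vrf",
                  "info_slave_data": {"table": 3002}}},
])


def get_vrf_members_old(vrf: str, ip_link_json: str = IP_LINK_JSON) -> List[str]:
    """Bug described in the commit: only ``master`` is matched, so asking for
    a bridge or bond name returns its ports as if they were VRF members."""
    return [link['ifname'] for link in json.loads(ip_link_json)
            if link.get('master') == vrf]


def get_vrf_members(vrf: str, ip_link_json: str = IP_LINK_JSON) -> List[str]:
    """Stricter search: ``master`` must match AND the link must be enslaved
    as a VRF slave (``linkinfo.info_slave_kind == "vrf"``)."""
    members = []
    for link in json.loads(ip_link_json):
        if link.get('master') != vrf:
            continue
        if link.get('linkinfo', {}).get('info_slave_kind') != 'vrf':
            continue
        members.append(link['ifname'])
    return members


if __name__ == '__main__':
    for name in ('br1', 'bond0', 'black'):
        print(name, get_vrf_members_old(name), '->', get_vrf_members(name))
```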
|