Age | Commit message (Collapse) | Author |
|
Extend `service config-sync` with new sections:
- LeafNodes: pki, policy, vpn, vrf (syncs the whole sections)
- Nodes: interfaces, protocols, service (syncs subsections)
In this cae the Node allows to uses the next level section
i.e subsection
For example any of the subsection of the node `interfaces`:
- set service config-sync section interfaces pseudo-ethernet
- set service config-sync section interfaces virtual-ethernet
Example of the config:
```
set service config-sync mode 'load'
set service config-sync secondary address '192.0.2.1'
set service config-sync secondary key 'xxx'
set service config-sync section firewall
set service config-sync section interfaces pseudo-ethernet
set service config-sync section interfaces virtual-ethernet
set service config-sync section nat
set service config-sync section nat66
set service config-sync section protocols static
set service config-sync section pki
set service config-sync section vrf
```
(cherry picked from commit 25b611f504521181f85cb4460bfdfd702c377b5e)
|
|
This extends commit 86d1291ec5 ("[boot-config-loader] T1622: Add failsafe
and back trace") and adds missing groups to the vyos user. Without this
change the vyos user will only have operator (vyos@vyos>) privileges,
even if this level is discontinued.
One could hack himself up as the user has sudo rights, but rather place
the user in the right groups from the beginning.
NOTE: This user is only added if booted with "vyos-config-debug" and
an error when the configuration can not be loaded at all.
(cherry picked from commit 07e802a2d3f98cdf29928bf321cc8b89cb41766c)
|
|
The "idea" of this PR is to add new CLI nodes under the pki subsystem to
activate ACME for any given certificate.
vyos@vyos# set pki certificate NAME acme
Possible completions:
+ domain-name Domain Name
email Email address to associate with certificate
listen-address Local IPv4 addresses to listen on
rsa-key-size Size of the RSA key (default: 2048)
url Remote URL (default:
https://acme-v02.api.letsencrypt.org/directory)
Users choose if the CLI based custom certificates are used
set pki certificate EXAMPLE acme certificate <base64>
or if it should be generated via ACME.
The ACME server URL defaults to LetsEncrypt but can be changed to their staging
API for testing to not get blacklisted.
set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory
Certificate retrieval has a certbot --dry-run stage in verify() to see if it
can be generated.
After successful generation, the certificate is stored in under
/config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set
interfaces ethernet eth0 eapol certificate EXAMPLE) we call
vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the
base64 encoded certificate into the JSON data structure normally used when
using a certificate set by the CLI.
Using this "design" does not need any change to any other code referencing the
PKI system, as the base64 encoded certificate is already there.
certbot renewal will call the PKI python script to trigger dependency updates.
(cherry picked from commit b8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a)
# Conflicts:
# debian/control
|
|
(cherry picked from commit 90f2d9865051b00290dd5b7328a046e823b658dc)
|
|
(cherry picked from commit fe9b08665367b8e7d9b906a0760d44efc9b5cafb)
|
|
Commit 30eb308149 ("T5713: Strip string after "secret" in IPSEC config") had
good intention but this will happen:
use-secret foo CLI node will become " secret xxxxxx" so the output of
strip-private invalidates the configuration.
This has been changed to an exact match of "secret" only
(cherry picked from commit 863af115df853987dd8ad25ecef3f0ea58485e83)
|
|
Make "strip-private" strip the string after "secret"
(cherry picked from commit 30eb308149f24b7f15aa3e40ced6918a8a3a04b8)
|
|
(cherry picked from commit 27605426a4ad613f45d36e7db5b1664dc3192981)
|
|
(cherry picked from commit 0869b91c0b15ddedd72b4d0e1475c52eb45994f0)
|
|
(cherry picked from commit 56d3f75de487c1dcfd075cf7b65cb16b6501d0ca)
|
|
(cherry picked from commit 3fe5482a29042c92298d3e69d90c0c38404d2fcc)
|
|
|
|
|
|
|
|
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process
* T5195: use read_file and write_file implementation from vyos.utils.file
Changed code automatically using:
find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} +
find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} +
* T5195: move chmod* helpers to vyos.utils.permission
* T5195: use colon_separated_to_dict from vyos.utils.dict
* T5195: move is_systemd_service_* to vyos.utils.process
* T5195: fix boot issues with missing imports
* T5195: move dict_search_* helpers to vyos.utils.dict
* T5195: move network helpers to vyos.utils.network
* T5195: move commit_* helpers to vyos.utils.commit
* T5195: move user I/O helpers to vyos.utils.io
|
|
|
|
bracketize IPv6 remote address to avoid
Failed to parse: https://2001:db8::2/configure-section
|
|
Service config-sync allows synchronizing a section of
the configuration.
As PoC allow only nat, nat66 and firewall sections
Rertreive the configuration for a section from self node and
send this configuration to the section of the 'secondary' node.
This feature adds a symlink from helper 'vyos_config_sync.py'
to '/config/scripts/commit/post-hooks.d' and config that is
located in '/run/config_sync_conf.conf'
It will synchronyze the config only if the setcion
was changed.
set service config-sync secondary address 192.0.2.11
set service config-sync secondary key xxx
set service config-sync section nat
set service config-sync section nat66
set service config-sync section firewall
set service config-sync mode load
|
|
|
|
Add policy (any-available|all-available) for target checking for failover route
set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check policy 'any-available'
set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '192.168.122.1'
set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '192.168.122.11'
It depends if we need that all targets must be alive on just one target.
|
|
There is only one target for checking ICMP/ARP
Extend it for checking multiple targets
set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.1'
set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.11'
The route will be installed only if all targets are 'alive'
|
|
If there is no route in the routing table (requires install route)
it checks routing table and returns best route None
But if we have 2 routes to the same dest ip but with different
metrics it doesn't get None (not first route install)
It cause that bast metric route cannot be installed (wrong logic)
Add func "is_route_exists" and check route/gateway/metric for
the required route
|
|
routing: T1237: Add new feature failover route
|
|
Failover route allows to install static routes to the kernel routing
table only if required target or gateway is alive
When target or gateway doesn't respond for ICMP/ARP checks this route
deleted from the routing table
Routes are marked as protocol 'failover' (rt_protos)
cat /etc/iproute2/rt_protos.d/failover.conf
111 failover
ip route add 203.0.113.1 metric 2 via 192.0.2.1 dev eth0 proto failover
$ sudo ip route show proto failover
203.0.113.1 via 192.0.2.1 dev eth0 metric 1
So we can safely flush such routes
|
|
<name> interface <ifname>`
* Include refactor to policy route to allow for deletion of mangle table instead of complex cleanup
* T4605: Rename mangle table to vyos_mangle
|
|
|
|
`fqdn` node
|
|
|
|
|
|
|
|
|
|
Domain group allows to filter addresses by domain main
Resolved addresses as elements are stored to named "nft set"
that used in the nftables rules
Also added a dynamic "resolver" systemd daemon
vyos-domain-group-resolve.service which starts python script
for the domain-group addresses resolving by timeout 300 sec
set firewall group domain-group DOMAINS address 'example.com'
set firewall group domain-group DOMAINS address 'example.org'
set firewall name FOO rule 10 action 'drop'
set firewall name FOO rule 10 source group domain-group 'DOMAINS'
set interfaces ethernet eth0 firewall local name 'FOO'
nft list table ip filter
table ip filter {
set DOMAINS {
type ipv4_addr
flags interval
elements = { 192.0.2.1, 192.0.2.85,
203.0.113.55, 203.0.113.58 }
}
chain NAME_FOO {
ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10"
counter packets 0 bytes 0 return comment "FOO default-action accept"
}
}
|
|
This reverts commit 534f677d36285863decb2cdff179687b4fd690cb.
Revert while investigating failure in vyos-configtest.
|
|
This reverts commit c4d389488970c8510200cac96a67182e9333b891.
Revert while investigating failure in vyos-configtest.
|
|
This reverts commit 2a4b45ba7fa4dabf7e592f499cfb06a7ae38cdea.
Revert while investigating failure in vyos-configtest.
|
|
|
|
|
|
|
|
|
|
|
|
Use tempfile to avoid race conditions during virtual migration.
|
|
Add URL, token and bucket hidind data when is used function
"strip-private"
|
|
|
|
After commit ae16a51506c ("configquery: T3402: use vyatta-op-cmd-wrapper to
provide environment") we can now call VyOS op-mode commands from arbitrary
Python scripts.
|
|
(cherry picked from commit eb6247e4b464c36fa7441627b221d0db39429251)
|
|
With the rewrite of vyatta_net_name to Python using ConfigTree, one
runs into the change in the syntax of the component version string when
updating 1.2 --> 1.3/1.4, since the udev rule is run before the
migration of the config file; add an explicit 'virtual' migration on
configtree error.
|
|
(on behalf of Dmitriy Eshenko)
|
|
|
|
|
|
|