Age | Commit message (Collapse) | Author |
|
T5915: firewall: re-add opmode command for zone based firewall
|
|
|
|
|
|
The "idea" of this PR is to add new CLI nodes under the pki subsystem to
activate ACME for any given certificate.
vyos@vyos# set pki certificate NAME acme
Possible completions:
+ domain-name Domain Name
email Email address to associate with certificate
listen-address Local IPv4 addresses to listen on
rsa-key-size Size of the RSA key (default: 2048)
url Remote URL (default:
https://acme-v02.api.letsencrypt.org/directory)
Users choose if the CLI based custom certificates are used
set pki certificate EXAMPLE acme certificate <base64>
or if it should be generated via ACME.
The ACME server URL defaults to LetsEncrypt but can be changed to their staging
API for testing to not get blacklisted.
set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory
Certificate retrieval has a certbot --dry-run stage in verify() to see if it
can be generated.
After successful generation, the certificate is stored in under
/config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set
interfaces ethernet eth0 eapol certificate EXAMPLE) we call
vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the
base64 encoded certificate into the JSON data structure normally used when
using a certificate set by the CLI.
Using this "design" does not need any change to any other code referencing the
PKI system, as the base64 encoded certificate is already there.
certbot renewal will call the PKI python script to trigger dependency updates.
|
|
image-tools: T5883: preserve file owner in /config on add system update
|
|
T3476: Add option latest to add system image
|
|
|
|
We will use _ as CLI level divider. The XML definition filename and also
the Python helper should match the CLI node.
Example:
set interfaces ethernet -> interfaces_ethernet.xml.in
set interfaces bond -> interfaces_bond.xml.in
set service dhcp-server -> service_dhcp-server-xml.in
|
|
Add option `latest` for op-mode command `add system image`
If the update check is configured we can get the remote `latest`
version from conrfgure URL
```
set system update-check url 'https://example.com/version.json'
```
This way we can use "latest" option for image update:
```
add system image latest
```
|
|
Move the kea lease file to a separate directory `/config/dhcp` that `kea`
process can write to so that subprocesses spawned by `kea` process can
operate on the lease files.
To allow `kea` process to write to `/config/dhcp`, add `_kea` user to
`vyattacfg` group. And the lease files are owned completely by `_kea`
user to play well with `kea-lfc` process.
Specifically, this is necessary for `kea-lfc` which is spawned by `kea`
process to clean up expired leases. Since `kea-lfc` creates additional
backup lease files, it needs write access to the lease file directory.
Additionally, change the extension of the lease file from `.leases` to
`.csv` to reflect the actual file format.
|
|
Updated image_installer.py to try and validate image with all
minisign public keys in /usr/share/vyos/keys/
|
|
|
|
image-tools: T5821: restore vrf-aware add system image
|
|
|
|
image-tools: T5806: clear previous raid configs on install
|
|
|
|
image-tools: T5819: do not echo password on image install
|
|
|
|
|
|
|
|
configured. In this commit, check is fixed and rules are printed as expected.
|
|
|
|
T5778: dhcp server: fix op-mode command
|
|
Restore scanning previous installations for config data and ssh host
keys on install.
|
|
|
|
|
|
|
|
|
|
|
|
*pool* empty, this means that lease was granted by fail-over server. Also fix issue that <show dhcp server leases state all> print nothing.
|
|
T5637: firewall: extend rule for default-action to firewall bridge
|
|
to be able to catch logs using separte rule for default-action
|
|
vxlan: T5753: add support for VNI filtering
|
|
In a service provider network a service provider typically supports multiple
bridge domains with overlapping vlans. One bridge domain per customer. Vlans in
each bridge domain are mapped to globally unique VXLAN VNI ranges assigned to
each customer.
Without the ability of VNI filtering, we can not provide VXLAN tunnels
with multiple tenants all requiring e.g. VLAN 10.
To Test:
set interfaces vxlan vxlan987 parameters external
set interfaces vxlan vxlan987 source-interface eth0
set interfaces vxlan vxlan987 parameters vni-filter
set interfaces vxlan vxlan987 vlan-to-vni 50 vni 10050
set interfaces vxlan vxlan987 vlan-to-vni 51 vni 10051
set interfaces vxlan vxlan987 vlan-to-vni 52 vni 10052
set interfaces vxlan vxlan987 vlan-to-vni 53 vni 10053
set interfaces vxlan vxlan987 vlan-to-vni 54 vni 10054
set interfaces vxlan vxlan987 vlan-to-vni 60 vni 10060
set interfaces vxlan vxlan987 vlan-to-vni 69 vni 10069
set interfaces bridge br0 member interface vxlan987
Add new op-mode command: show bridge vni
Interface VNI
----------- -----------
vxlan987 10050-10054
vxlan987 10060
vxlan987 10069
|
|
T5749: Swap show interfaces and show interfaces summary
|
|
By default show VRF, MAC, MTU for `show interfaces`
The original `show interfaces` moved to `show interfacces summary`
|
|
image: T4516: Added system image tools
|
|
|
|
|
|
|
|
|
|
|
|
An attempt to upgrade to 1.2.x is caught, but error is of failed
checksum verification; add check and message.
|
|
|
|
Add op-mode "show interfaces summary"
Add MAC, VRF and MTU options:
vyos@r4# run show interfaces summary
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address MAC VRF MTU S/L Description
----------- ----------------- ----------------- ------- ----- ----- -------------
dum0 203.0.113.1/32 96:44:ad:c5:a1:a5 default 1500 u/u
eth0 192.168.122.14/24 52:54:00:f1:fd:77 default 1500 u/u WAN
eth1 192.0.2.1/24 52:54:00:04:33:2b foo 1500 u/u LAN-eth1
eth2 - 52:54:00:40:2e:af default 1504 u/u LAN-eth2
eth3 - 52:54:00:09:a4:b4 default 1500 A/D
|
|
This commit allows management of system images with either new or legacy
tools: 'add/delete/rename system image' and 'set default' are translated
appropriately on booting between images with the old and new tools.
Consequently, the warning of the initial commit of T4516 is dropped.
|
|
|
|
|
|
|
|
|