summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2023-10-04login: T5521: do not call system-login.py in vyos-router initChristian Breunig
Calling system-login.py with no mounted VyOS config has the negative effect that the script will not detect any local useraccounts and thus assumes they all need to be removed from the password backend. As soon as the VyOS configuration is mounted and the CLI content is processed, system-login.py get's invoked and re-creates the before deleted user accounts. As the account names are sorted in alphabetical order, the name <-> UID mapping can get mixed up during system reboot. The intention behind calling system-login.py from vyos-router init was to reset system services (PAM, NSS) back to sane defaults with the defaults provided via system-login.py. As PAM is already reset in vyos-router startup script, /etc/nsswitch.conf was the only candidate left. This is now accomplished by simply creating a standard NSS configuration file tailored for local system accounts. This is the second revision after the first change via commit 64d32329958 ("login: T5521: home directory owner changed during reboot") got reverted. (cherry picked from commit 12069d5653034b46a47430353c3867b3678c196f)
2023-10-04Revert "login: T5521: home directory owner changed during reboot"Christian Breunig
This reverts commit 074870dad33d80e78128736f9e89bdfa1a0e08fd.
2023-10-03login: T5521: home directory owner changed during rebootChristian Breunig
During system startup the system-login.py script is invoked by vyos-router systemd service. As there is no complete configuration available at this point in time - and the sole purpose of this call is to reset/re-render the system NSS/PAM configs back to default - it accidently also deleted the local useraccounts. Once the VyOS configuration got mounted, users got recreated in alphabetical order and thus UIDs flipped and the /home suddenely belonged to a different account. This commit prevents any mangling with the local userdatabase during VyOS bootup phase. (cherry picked from commit 64d323299586da646ca847e78255ff2cd8464578)
2023-10-03T5436: Add missing preconfig-scriptApachez
(cherry picked from commit 646f08fc5a302e08aad90af3fa0ee32e138ee585)
2023-10-03login: T5628: fix spwd deprecation warningChristian Breunig
vyos@vyos:~$ show system login users Username Type Locked Tty From Last login ---------- ------ -------- ----- ------------- ------------------------ vyos vyos False pts/0 172.16.33.139 Mon Oct 2 20:42:24 2023 (cherry picked from commit 80f08af76db0ccee4d6dc1a99b6d8d90884fa33f)
2023-10-02T5165: Migrate policy local-route rule x destination to addressViacheslav Hletenko
Migrate policy local-route <destination|source> to node address replace 'policy local-route{v6} rule <tag> destination|source <x.x.x.x>' => 'policy local-route{v6} rule <tag> destination|source address <x.x.x.x>' (cherry picked from commit 9f7a5f79200782f7849cab72f55a39dedf45f214)
2023-09-28mdns: T5615: Rename avahi-daemon config fileIndrajit Raychaudhuri
Rename avahi-daemon config file to avahi-daemon.conf.j2 to match the convention used by other config files. (cherry picked from commit 3a3123485f2ea7b253caa1c49f19c82a0eaa0b37)
2023-09-28mdns: T5615: Allow controlling IP version to use for mDNS repeaterIndrajit Raychaudhuri
This commit adds a new configuration option to the mDNS repeater service to allow controlling which IP version to use for mDNS repeater. Additionally, publishing AAAA record over IPv4 and A record over IPv6 is disabled as suggested. See: - https://github.com/lathiat/avahi/issues/117#issuecomment-1651475104 - https://bugzilla.redhat.com/show_bug.cgi?id=669627#c2 (cherry picked from commit e66f7075ee12ae3107d29efaf683442c3535e8b9)
2023-09-28T5165: Add option protocol for policy local-routeViacheslav Hletenko
Add option `protocol` for policy local-route set policy local-route rule 100 destination '192.0.2.12' set policy local-route rule 100 protocol 'tcp' set policy local-route rule 100 set table '100' (cherry picked from commit 96b8b38a3c17aa08fa964eef9141cf89f1c1d442)
2023-09-28ipsec: T5606: Add support for whole CA chainssarthurdev
Also includes an update to smoketest to verify (cherry picked from commit 1ac230548c86d3308ff5b479b79b0e64b75a0e8a)
2023-09-27conf-mode: T5412: move dependency check from smoketest to nosetestJohn Estabrook
(cherry picked from commit 12440ea1af8e60482a6a91c1cb04dcb86d7f4a68)
2023-09-27conf-mode: T5412: add script for add-on package check of dependenciesJohn Estabrook
(cherry picked from commit 0869b91c0b15ddedd72b4d0e1475c52eb45994f0)
2023-09-26Merge pull request #2311 from vyos/mergify/bp/sagitta/pr-2308Christian Breunig
firewall: T5160: Remove zone policy op-mode (backport #2308)
2023-09-26firewall: T5160: Remove zone policy op-modesarthurdev
(cherry picked from commit 9b9b37e9cbb225eaacac2ad8cb03bef735fed117)
2023-09-26T5497: op-mode: Add generate firewall rule-resequenceViacheslav Hletenko
Add op-mode command `generate firewall rule-resequence` Generates output with new sequences for firewall rules set firewall ipv4 input filter rule 1 action 'accept' set firewall ipv4 input filter rule 1 description 'Allow loopback' $ generate firewall rule-resequence start 10 step 10 set firewall ipv4 input filter rule 10 action 'accept' set firewall ipv4 input filter rule 10 description 'Allow loopback' (cherry picked from commit 7ad1e8c7d3440046dce2ffa7bcb70a38bfddc298)
2023-09-22op-mode: raid: T5608: define add/delete raid memberJohn Estabrook
(cherry picked from commit 2d3f3297b575f88662495e14a7c7324ff73b6bfc)
2023-09-22op-mode: disk: T5609: add arg by-id to format diskJohn Estabrook
(cherry picked from commit 42736111facf08ac37b86e6fc3cbd395aab166bc)
2023-09-22Merge pull request #2292 from vyos/mergify/bp/sagitta/pr-2289Christian Breunig
init: T5239: configure system hostname prior to FRR startup (backport #2289)
2023-09-20openvpn: T5269: add a deprecation warning for shared-secretDaniil Baturin
(cherry picked from commit 4bbbaab60d56bfd6f3a145378027642b4c47adee)
2023-09-19init: T5239: configure system hostname prior to FRR startupChristian Breunig
On first boot after an upgrade /etc/hostname and FRR configuration is not populated. FRR determines the system hostname once during startup and does not repect changes of the hostname CLI value. Thus after an upgrade of VyOS FRR started with a hostname of debian that was propagated to peers. The commit retrieves the hostname from the CLI and presets this before FRR is initially started. (cherry picked from commit ac21a4e69fac27504b62927a20d0a6a273abb034)
2023-09-19utils: T5239: add low-level read from config.bootJohn Estabrook
(cherry picked from commit 56d3f75de487c1dcfd075cf7b65cb16b6501d0ca)
2023-09-16Merge pull request #2267 from vyos/mergify/bp/sagitta/pr-2253Christian Breunig
T5561: nat: inbound|outbound interface should not be mandatory (backport #2253)
2023-09-15Merge pull request #2271 from vyos/mergify/bp/sagitta/pr-2270Christian Breunig
ddclient: T5585: Fix file access mode for dynamic dns configuration (backport #2270)
2023-09-15Merge pull request #2266 from vyos/mergify/bp/sagitta/pr-2255Christian Breunig
T5575: ARP/NDP table-size isnt set properly (backport #2255)
2023-09-15T5586: Disable by default SNMP for Keeplived VRRP serviceViacheslav Hletenko
AgentX does not work stable. From time to time we see the system service crashing/degrading if something is wrong with SNMP from util net-snmp. We should disable it by default and enable it only if configured. set high-availability vrrp snmp (cherry picked from commit 47875457cd8b176f7f23a3141175d745aeb14d8a)
2023-09-15system: T5505: T5575: support calling system-ip(v6).py from init processChristian Breunig
After commit 976f82785 ("T5575: ARP/NDP table-size isnt set properly") the system bootup process got interrupted as both system-ip.py and system-ipv6.py tried to talk to FRR which was yet not started. This has been fixed by using a conditional path to only execute when FRR service has been enabled. This is safe to do as the initial commit call will has FRR service running and the path will be executed. (cherry picked from commit 22d5cd42f082fb11060edc51128f0b246198d2c1)
2023-09-15ddclient: T5585: Fix file access mode for dynamic dns configurationIndrajit Raychaudhuri
ddclient.conf file is expected to have permission 600. We need to set the permission explicitly while creating the file. (cherry picked from commit 7a66413d6010485dd913832f54167bce38c12250)
2023-09-14T5561: nat: defining inbound|outbound interface should not be mandatory ↵Nicolas Fort
while configuring dNAT|sNAT rule (cherry picked from commit ec5437913e489f40fea6bab89a6bb5f565cd1ab7)
2023-09-14Merge pull request #2254 from vyos/mergify/bp/sagitta/pr-2245Christian Breunig
frr: T5239: fix process startup order (backport #2245)
2023-09-14T5575: ARP/NDP table-size isnt set properlyApachez
(cherry picked from commit 976f827859102a4e453b38bc6d2a628c66c9b582)
2023-09-14T5575: ARP/NDP table-size isnt set properlyApachez
(cherry picked from commit 9391fc273ce95ff92a6b40b2dee4a688d3048f9f)
2023-09-14Merge pull request #2212 from sever-sever/T5480-sagDaniil Baturin
T5480: Ability to disable SNMP for keepalived service VRRP
2023-09-13frr: T5239: fix process startup orderChristian Breunig
- Reuse existing utility functions to check if a boot is ongoing (boot_configuration_complete()) - Run system_frr.py script to configure FRR daemon before initial launch - Add safety net to always have FRR running on the system This does yet not solve the error in T5239 but it's a small step towards the solution. (cherry picked from commit df74a09b80df0c2ec769a10ef4f7bac01f50eb2d)
2023-09-11T5564: Fix show firewall group and show firewall summaryViacheslav Hletenko
The `rule` key could be not exists in the entry of the dictionary for examppe `{'default_action': 'drop'}` Fix it (cherry picked from commit 9daac1632df96b6d2089244e3c7a7b42ae682eb9)
2023-09-11init: remove dependency on frr.service - required for router shutdownChristian Breunig
(cherry picked from commit af398c51f7d06cdf582b347a35b1e5c867aaea58)
2023-09-10Merge pull request #2214 from sever-sever/T5533-sagJohn Estabrook
T5533: Fix for vrrp dict key if virtual-server is used
2023-09-09container: T5563 Fix environment replaced by labelCyrus
(cherry picked from commit 79a46675b031a4edc0ea925a45066077c0804b9b)
2023-09-09vxlan: T3700: support VLAN tunnel mapping of VLAN aware bridgesChristian Breunig
FRR supports a new way of configuring VLAN-to-VNI mappings for EVPN-VXLAN, when working with the Linux kernel. In this new way, the mapping of a VLAN to a VNI is configured against a container VXLAN interface which is referred to as a 'Single VXLAN device (SVD)'. Multiple VLAN to VNI mappings can be configured against the same SVD. This allows for a significant scaling of the number of VNIs since a separate VXLAN interface is no longer required for each VNI. Sample configuration of SVD with VLAN to VNI mappings is shown below. set interfaces bridge br0 member interface vxlan0 set interfaces vxlan vxlan0 external set interfaces vxlan vxlan0 source-interface 'dum0' set interfaces vxlan vxlan0 vlan-to-vni 10 vni '10010' set interfaces vxlan vxlan0 vlan-to-vni 11 vni '10011' set interfaces vxlan vxlan0 vlan-to-vni 30 vni '10030' set interfaces vxlan vxlan0 vlan-to-vni 31 vni '10031' (cherry picked from commit 7f6624f5a6f8bd1749b54103ea5ec9f010adf778)
2023-09-08Merge pull request #2224 from sever-sever/T5489-sagViacheslav Hletenko
T5489: Add sysctl TCP congestion control by default to BBR
2023-09-08Merge pull request #2226 from sever-sever/T5423-sagViacheslav Hletenko
T5423: Fix for op-mode show vpn ike secrets
2023-09-08T5554: Disable sudo for PAM RADIUSViacheslav Hletenko
Disable sudo for PAM RADIUS template that slows down the CLI commands To fix it add: session [default=ignore success=2] pam_succeed_if.so service = sudo (cherry picked from commit 01b30eb6d83cdb2ae43b956d29ac7ac1d4445776)
2023-09-08T5423: Fix for op-mode show vpn ike secretsViacheslav Hletenko
We don't use ipsec.secrets anymore Fix op-mode for "show vpn ike secrets". Ability to get "RAW" format (cherry picked from commit 97326920e2907bdb545853887dc54c6a02b76f28)
2023-09-08T5489: Add sysctl TCP congestion control by default to BBRViacheslav Hletenko
Add by default sysctl TCP congestion control to BBR. Default value `cubic` is not optimal. net.core.default_qdisc=fq net.ipv4.tcp_congestion_control=bbr (cherry picked from commit b99ed37dd1cff3310437ff8ccf1a27cd20714c41)
2023-09-08Merge pull request #2207 from jestabro/T5551-sagittaChristian Breunig
save-config: T5551: check if None before write, as is the case at boot
2023-09-07system: T5555: Fix time-zone migrator changing valid time-zones to UTCsarthurdev
2023-09-06T5533: Fix for vrrp dict key if virtual-server is usedViacheslav Hletenko
When using `virtual-server` alongside Keepalived, there can be situations where the `vrrp` key is completely unused. (cherry picked from commit 5f2926cf04e8a569bb25cd4121179d12b9e04c6c)
2023-09-06T5480: Ability to disable SNMP for keepalived service VRRPViacheslav Hletenko
By default we enable `--snmp` for keepalived unit service Add ability to disable it set high-availability vrrp disable-snmp (cherry picked from commit 5ae730a52de2f284e45cd433bb0cf66c8508f2f7)
2023-09-05T2958: Refactor DHCP-server systemd unit and leaseViacheslav Hletenko
Render isc-dhcp-server systemd unit from configuration
2023-09-05save-config: T5551: check if None before write, as is the case at bootJohn Estabrook
(cherry picked from commit 3fe5482a29042c92298d3e69d90c0c38404d2fcc)
2023-09-04Merge pull request #2192 from sever-sever/T5533vyos/1.5dev0zdc
T5533: Fix VRRP IPv6 group enters in FAULT state