Age | Commit message (Collapse) | Author |
|
After update KEA to 2.4.x in the bf04cd8fea44d375fb7d93d75a1f31c220730c88
there is a file that expects ConditionFileNotEmpty=/etc/kea/kea-api-password
It cause the unit `kea-ctrl-agent.service` cannot start
systemd[1]: kea-ctrl-agent.service - Kea Control Agent was skipped because of an unmet condition check (ConditionFileNotEmpty=/etc/kea/kea-api-password)
Override systemd kea-ctrl-agent.service do not check this file
|
|
Updated image_installer.py to try and validate image with all
minisign public keys in /usr/share/vyos/keys/
|
|
srv6: T591: enable SR enabled packet processing on defined interfaces
|
|
T2898: add ndp-proxy service
|
|
Refactor DUID XML definition in conf-mode to be reusable. Additionally, remove
explicit call to a separate validator `ipv6-duid` and inline the regex into the
XML definition.
|
|
VyOS CLI command
set service ndp-proxy interface eth0 prefix 2001:db8::/64 mode 'static'
Will generate the following NDP proxy configuration
$ cat /run/ndppd/ndppd.conf
# autogenerated by service_ndp-proxy.py
# This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route
route-ttl 30000
# This sets up a listener, that will listen for any Neighbor Solicitation
# messages, and respond to them according to a set of rules
proxy eth0 {
# Turn on or off the router flag for Neighbor Advertisements
router no
# Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds)
timeout 500
# Control how long a valid or invalid entry remains in the cache (milliseconds)
ttl 30000
# This is a rule that the target address is to match against. If no netmask
# is provided, /128 is assumed. You may have several rule sections, and the
# addresses may or may not overlap.
rule 2001:db8::/64 {
static
}
}
|
|
The Linux Kernel needs to be told if IPv6 SR enabled packets whether should be
processed or not. This is done using
/proc/sys/net/conf/<iface>/seg6_* variables:
seg6_enabled - BOOL
Accept or drop SR-enabled IPv6 packets on this interface.
Relevant packets are those with SRH present and DA = local.
0 - disabled (default)
not 0 - enabled
Or the VyOS CLI command:
* set protocols segment-routing interface eth0 srv6
|
|
Enable/Disable VRF strict mode, when net.vrf.strict_mode=0 (default) it is
possible to associate multiple VRF devices to the same table. Conversely, when
net.vrf.strict_mode=1 a table can be associated to a single VRF device.
A VRF table can be used by the VyOS CLI only once (ensured by verify()), this
simply adds an additional Kernel safety net, but a requirement for IPv6 segment
routing headers.
|
|
and use only PAM auth and JWT
|
|
when no API keys are set
|
|
dhcp: T3316: Adjust dhcp-run script to align with kea hooks
|
|
The hook arguments passed to `on-dhcp-event.sh` have changed in Kea.
Adjust the script to align with the new arguments.
Additionally, remove FQDN mangling from the script. No need to extract
the domain name from `LEASE4_HOSTNAME` only to append it again.
See: https://kea.readthedocs.io/en/latest/arm/hooks.html#hooks-run-script
|
|
* Move Kea socket permission change on-demand and speed up conf scripts
* Fix issue with DHCP reservations when no `ip-address` value
|
|
ddclient: T5144,T5791: Fix migration to avoid config name conflict
|
|
Since `service dns dynamic address <address> service <service> ...`
changed to `service dns dynamic name <service> address <address> ...`,
the resulting service and address config flip can result in conflicting
`service` name.
Additionally, since dynamic DNS service name now have name constraint,
we need to normalize the service name to conform with the constraint.
We now migrate the service name to (service|rfc2136)-<service>-<address>
to avoid the conflict and optionally append an index if there is still a
name conflict after normalization.
|
|
frr: T4020: add option to define number of open file descriptors
|
|
This allows the operator to control the number of open file descriptors each
daemon is allowed to start with. The current assumed value on most operating
systems is 1024.
If the operator plans to run bgp with several thousands of peers then this is
where we would modify FRR to allow this to happen.
set system frr descriptors <n>
|
|
Add recursive_defaults values for BGP "get_config" dictionary.
|
|
T4163: Add BGP Monitoring Protocol BMP feature
|
|
T5798: load-balancing revese-proxy add multiple SSL certificates
|
|
Add BMP feature.
BMP (BGP Monitoring Protocol, RFC 7854) is used to send monitoring
data from BGP routers to network management entities
https://docs.frrouting.org/en/latest/bmp.html
Example:
set system frr bmp
commit
run restart bgp
set protocols bgp system-as '65001'
set protocols bgp neighbor 192.0.2.11 address-family ipv4-unicast
set protocols bgp neighbor 192.0.2.11 remote-as '65001'
set protocols bgp bmp mirror-buffer-limit '256000000'
set protocols bgp bmp target foo address '127.0.0.1'
set protocols bgp bmp target foo port '5000'
set protocols bgp bmp target foo min-retry '1000'
set protocols bgp bmp target foo max-retry '2000'
set protocols bgp bmp target foo mirror
set protocols bgp bmp target foo monitor ipv4-unicast post-policy
set protocols bgp bmp target foo monitor ipv4-unicast pre-policy
set protocols bgp bmp target foo monitor ipv6-unicast post-policy
set protocols bgp bmp target foo monitor ipv6-unicast pre-policy
|
|
|
|
image-tools: T5821: restore vrf-aware add system image
|
|
|
|
image-tools: T5806: clear previous raid configs on install
|
|
When migrating from `service dns dynamic interface <interface> ...` to
`service dns dynamic address <address> ...`, the config name can
potentially have a conflict when `address == 'web'`.
Although the `/run/ddclient/ddclient.conf` that was generated earlier
was incorrect, one could still potentially have misconfigured VyOS
config without realizing it.
We now append the old <interface> name to the config name to avoid
conflict.
|
|
|
|
SRv6: T591: initial implementation to support locator definition
|
|
ddclient: T5791: Adjust warning messages, minor refactor and smoketest updates
|
|
image-tools: T5819: do not echo password on image install
|
|
dhcp: T3316: Fix raw op-mode lease output
|
|
validator: T5816: large community validator should only allos character set and basic format
|
|
and basic format
|
|
|
|
|
|
T5804: nat: remove inbound|outbound interface from old configuration when it was set to <any>.
|
|
|
|
|
|
VyOS CLI
set protocols segment-routing srv6 locator bar prefix '2001:b::/64'
set protocols segment-routing srv6 locator foo behavior-usid
set protocols segment-routing srv6 locator foo prefix '2001:a::/64'
Will generate in FRR
segment-routing
srv6
locators
locator bar
prefix 2001:b::/64 block-len 40 node-len 24 func-bits 16
exit
!
locator foo
prefix 2001:a::/64 block-len 40 node-len 24 func-bits 16
behavior usid
exit
!
exit
!
exit
!
exit
|
|
set protocols bgp sid vpn per-vrf export '99'
set protocols bgp srv6 locator 'foo'
set protocols bgp system-as '100'
Will generate in FRR config
router bgp 100
no bgp ebgp-requires-policy
no bgp default ipv4-unicast
no bgp network import-check
!
segment-routing srv6
locator foo
exit
sid vpn per-vrf export 99
exit
|
|
configured. In this commit, check is fixed and rules are printed as expected.
|
|
was set to <any>.
|
|
migration: T5413: re-sequence interfaces migration scripts
|
|
Dynamic interfaces such as PPPoE/sstpc can not exist during
verification dns dynamic. As they added and removed dynamically.
Add interface_filter to exclude them from checks
|
|
PR https://github.com/vyos/vyos-1x/pull/2540 backported a migration script from
current to the equuleus LTS branch. As migration scripts are executed in order
to adjust the CLI for necessary improvements in future LTS releases we need to
change the versioning of the migration files to match the new "base" version
from the previous LTS release.
In theory this could break very ancient 1.4 rolling releases (from the early
days of the OSPF refactoring) - but those versions are considered very much
unstable.
Now this is the last chance to sync up the migration scripts before the 1.4 LTS
release.
|
|
dhcp: T3316: Migrate dhcp/dhcpv6 server to Kea
|
|
login: T4943: use pam-auth-update to enable/disable Google authenticator
|
|
Add ability to configure multiple SSL certificates for
frontend/service
set load-balancing reverse-proxy service web mode http
set load-balancing reverse-proxy service web port 443
set load-balancing reverse-proxy service web ssl certificate cert1
set load-balancing reverse-proxy service web ssl certificate cert2
|
|
The initial version always enabled Google authenticator (2FA/MFA) support by
hardcoding the PAM module for sshd and login.
This change only enables the PAM module on demand if any use has 2FA/MFA
configured. Enabling the module is done system wide via pam-auth-update by
using a predefined template.
Can be tested using:
set system login user vyos authentication plaintext-password vyos
set system login user vyos authentication otp key 'QY735IG5HDHBFHS5W7Y2A4EM274SMT3O'
See https://docs.vyos.io/en/latest/configuration/system/login.html for additional
details.
|
|
|