From 3978dd30e50ac94a8728e0b1f4e691e7a93a1d2f Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 16 Oct 2022 16:28:15 +0200
Subject: login: 2fa: T874: fix PAM string generation on multiple package installations

Commit da535ef5 ("login: 2fa: T874: fix Google authenticator issues") used different strings for grep and sed resulting in the same line beeing added on every installation of the package. This is only disturbing during development not during ISO build.
---
 debian/vyos-1x.postinst | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
(limited to 'debian')

diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 031e91595..959e1d486 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -21,13 +21,13 @@ if ! grep -q '^openvpn' /etc/passwd; then
     adduser --quiet --firstuid 100 --system --group --shell /usr/sbin/nologin openvpn
 fi
 
-# Add 2FA support for SSH
-sudo grep -qF -- "auth required pam_google_authenticator.so nullok" "/etc/pam.d/sshd" || \
-sudo sed -i '/^@include common-auth/a # Check OTP 2FA, if configured for the user\nauth required pam_google_authenticator.so nullok' /etc/pam.d/sshd
-
-# Add 2FA support for local authentication
-sudo grep -qF -- "auth required pam_google_authenticator.so nullok" "/etc/pam.d/login" || \
-sudo sed -i '/^@include common-auth/a # Check OTP 2FA, if configured for the user\nauth required pam_google_authenticator.so nullok' /etc/pam.d/login
+# Enable 2FA/MFA support for SSH and local logins
+for file in /etc/pam.d/sshd /etc/pam.d/login
+do
+    PAM_CONFIG="auth required pam_google_authenticator.so nullok"
+    grep -qF -- "$PAM_CONFIG" $file || \
+    sed -i '/^@include common-auth/a \\n# Check 2FA/MFA authentication token if enabled (per user)\n$PAM_CONFIG' $file
+done
 
 # Add RADIUS operator user for RADIUS authenticated users to map to
 if ! grep -q '^radius_user' /etc/passwd; then
-- 
cgit v1.2.3

From b147c020bae07cc58bd9ec96b781e79b732c102b Mon Sep 17 00:00:00 2001
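Review bot: On the new `sed -i` line `$PAM_CONFIG` sits inside single quotes, so the shell never expands it and the literal text `$PAM_CONFIG` is what sed appends to the PAM file, while the `grep -qF` guard on the previous line looks for the expanded string and so will never match on a later run — the same repeat-insertion symptom this commit set out to fix, now with a malformed PAM line. The leading `\\n` in the `a` text is also fragile, since GNU sed treats a backslash directly after `a` as the start-of-text marker and the result depends on its escape handling. Moving the sed argument to double quotes, `sed -i "/^@include common-auth/a # Check 2FA/MFA authentication token if enabled (per user)\n${PAM_CONFIG}" $file`, fixes both; a later commit on this page (8403848a) appears to make exactly that change.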
From: Christian Poessinger
Date: Sun, 16 Oct 2022 22:02:53 +0200
Subject: xdp: T4284: migrate to Debian libbpf

In order to properly retrieve JSON information in the Smoketests for the new QoS implementation we need a recent (>6.0) version of iproute2. This requires the libbpf-dev package and this small source-code change.
---
 debian/control | 2 ++
 src/xdp/common/common.mk | 2 +-
 src/xdp/common/common_user_bpf_xdp.c | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)
(limited to 'debian')

diff --git a/debian/control b/debian/control
index 1f2151284..d26b9689b 100644
--- a/debian/control
+++ b/debian/control
@@ -9,6 +9,7 @@ Build-Depends:
   gcc-multilib [amd64],
   clang [amd64],
   llvm [amd64],
+  libbpf-dev,
   libelf-dev (>= 0.2) [amd64],
   libpcap-dev [amd64],
   build-essential,
@@ -76,6 +77,7 @@ Depends:
   lcdproc,
   lcdproc-extra-drivers,
   libatomic1,
+  libbpf0,
   libcharon-extra-plugins (>=5.9),
   libcharon-extauth-plugins (>=5.9),
   libndp-tools,
diff --git a/src/xdp/common/common.mk b/src/xdp/common/common.mk
index ebe23a9ed..ffb86a65c 100644
--- a/src/xdp/common/common.mk
+++ b/src/xdp/common/common.mk
@@ -39,7 +39,7 @@ KERN_USER_H ?= $(wildcard common_kern_user.h)
 CFLAGS ?= -g -I../include/
 BPF_CFLAGS ?= -I../include/
 
-LIBS = -l:libbpf.a -lelf $(USER_LIBS)
+LIBS = -lbpf -lelf $(USER_LIBS)
 
 all: llvm-check $(USER_TARGETS) $(XDP_OBJ) $(COPY_LOADER) $(COPY_STATS)
 
diff --git a/src/xdp/common/common_user_bpf_xdp.c b/src/xdp/common/common_user_bpf_xdp.c
index e7ef77174..faf7f4f91 100644
--- a/src/xdp/common/common_user_bpf_xdp.c
+++ b/src/xdp/common/common_user_bpf_xdp.c
@@ -274,7 +274,7 @@ struct bpf_object *load_bpf_and_xdp_attach(struct config *cfg)
 		exit(EXIT_FAIL_BPF);
 	}
 
-	strncpy(cfg->progsec, bpf_program__title(bpf_prog, false), sizeof(cfg->progsec));
+	strncpy(cfg->progsec, bpf_program__section_name(bpf_prog), sizeof(cfg->progsec));
 
 	prog_fd = bpf_program__fd(bpf_prog);
 	if (prog_fd <= 0) {
-- 
cgit v1.2.3

From 288d917b7c87b9a328220c8e978f2952fc7dbc32 Mon Sep 17 00:00:00 2001
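Review bot: The new `strncpy` line in `common_user_bpf_xdp.c` keeps the old truncation hazard: when the section name returned by `bpf_program__section_name()` is as long as or longer than `cfg->progsec`, `strncpy` fills the buffer without a terminating NUL and any later `%s` or `strlen` on `cfg->progsec` reads past it. Since the API call is being swapped anyway, prefer `snprintf(cfg->progsec, sizeof(cfg->progsec), "%s", bpf_program__section_name(bpf_prog));`, which always terminates, and guard a NULL return before the copy if this libbpf version can produce one (worth confirming). The enclosing `load_bpf_and_xdp_attach` starts and ends outside this hunk.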
From: Christian Poessinger
Date: Mon, 17 Oct 2022 07:59:50 +0200
Subject: xdp: T4284: libbpf-dev/libbpf0 is only available for VyOS on amd64

---
 debian/control | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'debian')

diff --git a/debian/control b/debian/control
index d26b9689b..0ed8f85c4 100644
--- a/debian/control
+++ b/debian/control
@@ -9,7 +9,7 @@ Build-Depends:
   gcc-multilib [amd64],
   clang [amd64],
   llvm [amd64],
-  libbpf-dev,
+  libbpf-dev [amd64],
   libelf-dev (>= 0.2) [amd64],
   libpcap-dev [amd64],
   build-essential,
@@ -77,7 +77,7 @@ Depends:
   lcdproc,
   lcdproc-extra-drivers,
   libatomic1,
-  libbpf0,
+  libbpf0 [amd64],
   libcharon-extra-plugins (>=5.9),
   libcharon-extauth-plugins (>=5.9),
   libndp-tools,
-- 
cgit v1.2.3

From 8403848a338d54f9e489fca1efd1143d820a14a6 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Mon, 17 Oct 2022 20:48:45 +0200
Subject: login: 2fa: T874: fix PAM string during ISO build

Turns out a local installation of a package using "dpkg -i" differs when assembling an ISO using live-build. The previous version worked when using "dpkg -i" but it failed hard (no login possible) during ISO build. This has been fixed by using double quotes.
---
 debian/vyos-1x.postinst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'debian')

diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 959e1d486..d92fd8233 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -25,8 +25,8 @@ fi
 for file in /etc/pam.d/sshd /etc/pam.d/login
 do
     PAM_CONFIG="auth required pam_google_authenticator.so nullok"
-    grep -qF -- "$PAM_CONFIG" $file || \
-    sed -i '/^@include common-auth/a \\n# Check 2FA/MFA authentication token if enabled (per user)\n$PAM_CONFIG' $file
+    grep -qF -- "${PAM_CONFIG}" $file || \
+    sed -i "/^@include common-auth/a # Check 2FA/MFA authentication token if enabled (per user)\n${PAM_CONFIG}" $file
 done
 
 # Add RADIUS operator user for RADIUS authenticated users to map to
-- 
cgit v1.2.3
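Review bot: The `sed -i` on the new line of the vyos-1x.postinst hunk is a silent no-op when `$file` contains no `@include common-auth` line: the `grep -qF` guard fails, sed matches nothing, and the postinst still exits 0 with the PAM module never wired in for that service, which is hard to notice until a login that should have required a token does not. A check after the sed, `grep -qF -- "${PAM_CONFIG}" $file || echo "warning: could not enable PAM 2FA in $file" >&2`, makes the missing anchor visible at install time. Quoting `"$file"` and hoisting the constant `PAM_CONFIG=` assignment above the `for` loop would also tidy the loop body.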
From 2b90e401455ec6a3de54e3825068632cc914143c Mon Sep 17 00:00:00 2001
From: Daniil Baturin
Date: Sat, 29 Oct 2022 06:15:21 -0400
Subject: T4783: add stunnel to the image

---
 debian/control | 1 +
 1 file changed, 1 insertion(+)
(limited to 'debian')

diff --git a/debian/control b/debian/control
index 0ed8f85c4..16b7ee814 100644
--- a/debian/control
+++ b/debian/control
@@ -154,6 +154,7 @@ Depends:
   ssl-cert,
   strongswan (>= 5.9),
   strongswan-swanctl (>= 5.9),
+  stunnel4,
   sudo,
   systemd,
   telegraf (>= 1.20),
-- 
cgit v1.2.3

From a3ae748608097170063888ce121579ed5a315744 Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko
Date: Mon, 31 Oct 2022 10:58:34 +0000
Subject: T4786: Add package python3-pyhumps humps Convert strings (and dictionary keys) between snake case, camel case and pascal case in Python % decamelize('superTCPOption') 'super_tcp_option' % % decamelize({'ParamOption': 'one', 'fooBarBaz': True}) {'param_option': 'one', 'foo_bar_baz': True} %
---
 debian/control | 1 +
 1 file changed, 1 insertion(+)
(limited to 'debian')

diff --git a/debian/control b/debian/control
index 16b7ee814..cf766a825 100644
--- a/debian/control
+++ b/debian/control
@@ -131,6 +131,7 @@ Depends:
   python3-netifaces,
   python3-paramiko,
   python3-psutil,
+  python3-pyhumps,
   python3-pystache,
   python3-pyudev,
   python3-six,
-- 
cgit v1.2.3

From 702fc62726723136c46e0c116504b4e6ff7d38ca Mon Sep 17 00:00:00 2001
From: John Estabrook
Date: Tue, 1 Nov 2022 13:36:01 -0500
Subject: op-mode: T4791: add python3-pyhumps as build dep for op-mode nosetest

Using humps.decamelize in vyos.opmode requires python3-pyhumps to be a build dependency for the nosetest test_op_mode.py.
---
 debian/control | 1 +
 1 file changed, 1 insertion(+)
(limited to 'debian')

diff --git a/debian/control b/debian/control
index cf766a825..d7cd5b688 100644
--- a/debian/control
+++ b/debian/control
@@ -25,6 +25,7 @@ Build-Depends:
   python3-setuptools,
   python3-sphinx,
   python3-xmltodict,
+  python3-pyhumps,
   quilt,
   whois
 Standards-Version: 3.9.6
-- 
cgit v1.2.3

From f9d19a14f96efc531595cea01601241dfff7473d Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Mon, 7 Nov 2022 15:42:04 +0100
Subject: containers: T2216: Move skopeo and busybox image to smoketest post-install

---
 debian/control | 1 +
 debian/vyos-1x-smoketest.postinst | 6 ++++++
 2 files changed, 7 insertions(+)
 create mode 100755 debian/vyos-1x-smoketest.postinst
(limited to 'debian')

diff --git a/debian/control b/debian/control
index d7cd5b688..66ac3c6f7 100644
--- a/debian/control
+++ b/debian/control
@@ -196,6 +196,7 @@ Description: VyOS configuration scripts and data for VMware
 Package: vyos-1x-smoketest
 Architecture: all
 Depends:
+  skopeo,
   snmp,
   vyos-1x
 Description: VyOS build sanity checking toolkit
diff --git a/debian/vyos-1x-smoketest.postinst b/debian/vyos-1x-smoketest.postinst
new file mode 100755
index 000000000..b33376bc3
--- /dev/null
+++ b/debian/vyos-1x-smoketest.postinst
@@ -0,0 +1,6 @@
+#!/bin/sh -e
+
+BUSYBOX_TAG="docker.io/library/busybox:stable"
+OUTPUT_PATH="docker-archive://usr/share/vyos/busybox-stable.tar"
+
+skopeo copy --additional-tag "$BUSYBOX_TAG" "docker://$BUSYBOX_TAG" "$OUTPUT_PATH"
-- 
cgit v1.2.3

From 00ec496877453cc37ceec0633821a47f128d9f4f Mon Sep 17 00:00:00 2001
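Review bot: The new `vyos-1x-smoketest.postinst` pulls `docker.io/library/busybox:stable` by mutable tag at package-install time, so the busybox archive baked into an image depends on whatever the registry serves that day and cannot be reproduced or verified afterwards; with `sh -e`, a registry outage also turns into a failed install of a package that is otherwise self-contained. Pinning the source by digest, `skopeo copy --additional-tag "$BUSYBOX_TAG" "docker://docker.io/library/busybox@sha256:<DIGEST-PLACEHOLDER>" "$OUTPUT_PATH"`, keeps the tag the smoketests expect while fixing reproducibility, and fetching the archive at build time instead of in postinst would remove the network dependency from installation. `OUTPUT_PATH` also spells the destination as `docker-archive://usr/...`, which relies on skopeo tolerating the doubled slash; `docker-archive:/usr/share/vyos/busybox-stable.tar` is the unambiguous form.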
From: Yuxiang Zhu
Date: Mon, 14 Nov 2022 10:23:46 +0800
Subject: T4815: Fix various name server config issues

1. When a PPPoE session is connected, `pppd` will update `/etc/resolv.conf` regardless of `system name-server` option unless `no-peer-dns` is set. This is because `pppd` vendors scripts `/etc/ppp/ip-up.d/0000usepeerdns` and `/etc/ppp/ip-down.d/0000usepeerdns`, which updates `/etc/resolv.conf` on PPPoE connection and reverts the change on disconnection. This PR removes those scripts and adds custom scripts to update name server entries through `vyos-hostsd` instead. 2. There is a typo in `/etc/dhcp/dhclient-enter-hooks.d/04-vyos-resolvconf, which misspells variable name `new_dhcp6_name_servers` as `new_dhcpv6_name_servers`. This causes IPv6 name server entries in `vyos-hostsd` not updated when dhclient receives nameservers from DHCPv6. 3. Regular expressions in scripts under `/etc/dhcp/dhclient-enter-hooks.d` and `/etc/dhcp/dhclient-exit-hooks.d/` are not enclosed in `^$`, so those IPv4 related branches (like `BOUND`) could be mistakenly executed when an IPv6 reason (like `BOUND6`) is given.
---
 debian/vyos-1x.postinst | 3 ++-
 .../dhcp/dhclient-enter-hooks.d/04-vyos-resolvconf | 4 ++--
 src/etc/dhcp/dhclient-exit-hooks.d/01-vyos-cleanup | 4 ++--
 .../dhclient-exit-hooks.d/vyatta-dhclient-hook | 6 +++---
 .../ip-down.d/98-vyos-pppoe-cleanup-nameservers | 15 ++++++++++++++
 .../ppp/ip-up.d/98-vyos-pppoe-setup-nameservers | 24 ++++++++++++++++++++++
 6 files changed, 48 insertions(+), 8 deletions(-)
 create mode 100644 src/etc/ppp/ip-down.d/98-vyos-pppoe-cleanup-nameservers
 create mode 100644 src/etc/ppp/ip-up.d/98-vyos-pppoe-setup-nameservers
(limited to 'debian')

diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index d92fd8233..d5f5cbbc7 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -103,7 +103,8 @@ DELETE="/etc/logrotate.d/conntrackd.distrib /etc/init.d/conntrackd /etc/default/
 /etc/default/pmacctd /etc/pmacct /etc/networks_list /etc/networks_whitelist /etc/fastnetmon.conf /etc/ntp.conf /etc/default/ssh
-        /etc/powerdns /etc/default/pdns-recursor"
+        /etc/powerdns /etc/default/pdns-recursor
+        /etc/ppp/ip-up.d/0000usepeerdns /etc/ppp/ip-down.d/0000usepeerdns"
 for tmp in $DELETE; do
     if [ -e ${tmp} ]; then
         rm -rf ${tmp}
diff --git a/src/etc/dhcp/dhclient-enter-hooks.d/04-vyos-resolvconf b/src/etc/dhcp/dhclient-enter-hooks.d/04-vyos-resolvconf
index b1902b585..518abeaec 100644
--- a/src/etc/dhcp/dhclient-enter-hooks.d/04-vyos-resolvconf
+++ b/src/etc/dhcp/dhclient-enter-hooks.d/04-vyos-resolvconf
@@ -33,8 +33,8 @@ if /usr/bin/systemctl -q is-active vyos-hostsd; then
     if [ -n "$new_dhcp6_name_servers" ]; then
         logmsg info "Deleting nameservers with tag \"dhcpv6-$interface\" via vyos-hostsd-client"
         $hostsd_client --delete-name-servers --tag "dhcpv6-$interface"
-        logmsg info "Adding nameservers \"$new_dhcpv6_name_servers\" with tag \"dhcpv6-$interface\" via vyos-hostsd-client"
-        $hostsd_client --add-name-servers $new_dhcpv6_name_servers --tag "dhcpv6-$interface"
+        logmsg info "Adding nameservers \"$new_dhcp6_name_servers\" with tag \"dhcpv6-$interface\" via vyos-hostsd-client"
+        $hostsd_client --add-name-servers $new_dhcp6_name_servers --tag "dhcpv6-$interface"
         hostsd_changes=y
     fi
 
diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/01-vyos-cleanup b/src/etc/dhcp/dhclient-exit-hooks.d/01-vyos-cleanup
index ad6a1d5eb..da1bda137 100644
--- a/src/etc/dhcp/dhclient-exit-hooks.d/01-vyos-cleanup
+++ b/src/etc/dhcp/dhclient-exit-hooks.d/01-vyos-cleanup
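Review bot: The two new entries in `DELETE` make this postinst `rm -rf` `/etc/ppp/ip-up.d/0000usepeerdns` and `/etc/ppp/ip-down.d/0000usepeerdns`, files this package does not own; if the `ppp` package ships them as conffiles (it appears to on Debian — confirm), deleting them from another package's maintainer script is fragile, because a later `ppp` upgrade may prompt about or bring back the files and `dpkg -V ppp` will report them as missing. The conventional way to neutralise another package's file is a diversion, `dpkg-divert --package vyos-1x --rename --divert /etc/ppp/ip-up.d/0000usepeerdns.disabled --add /etc/ppp/ip-up.d/0000usepeerdns` (and the same for the ip-down hook), paired with `dpkg-divert --remove` in prerm, which survives upgrades of `ppp`. The `for tmp in $DELETE` loop that consumes the list is visible in the context lines.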
@@ -8,7 +8,7 @@ hostsd_changes=
 /usr/bin/systemctl -q is-active vyos-hostsd
 hostsd_status=$?
 
-if [[ $reason =~ (EXPIRE|FAIL|RELEASE|STOP) ]]; then
+if [[ $reason =~ ^(EXPIRE|FAIL|RELEASE|STOP)$ ]]; then
     if [[ $hostsd_status -eq 0 ]]; then
         # delete search domains and nameservers via vyos-hostsd
         logmsg info "Deleting search domains with tag \"dhcp-$interface\" via vyos-hostsd-client"
@@ -96,7 +96,7 @@ if [[ $reason =~ (EXPIRE|FAIL|RELEASE|STOP) ]]; then
     fi
 fi
 
-if [[ $reason =~ (EXPIRE6|RELEASE6|STOP6) ]]; then
+if [[ $reason =~ ^(EXPIRE6|RELEASE6|STOP6)$ ]]; then
     if [[ $hostsd_status -eq 0 ]]; then
         # delete search domains and nameservers via vyos-hostsd
         logmsg info "Deleting search domains with tag \"dhcpv6-$interface\" via vyos-hostsd-client"
diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/vyatta-dhclient-hook b/src/etc/dhcp/dhclient-exit-hooks.d/vyatta-dhclient-hook
index eeb8b0782..49bb18372 100644
--- a/src/etc/dhcp/dhclient-exit-hooks.d/vyatta-dhclient-hook
+++ b/src/etc/dhcp/dhclient-exit-hooks.d/vyatta-dhclient-hook
@@ -8,12 +8,12 @@
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 as
 # published by the Free Software Foundation.
-# 
+#
 # This program is distributed in the hope that it will be useful, but
 # WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 # General Public License for more details.
-# 
+#
 # This code was originally developed by Vyatta, Inc.
 # Portions created by Vyatta are Copyright (C) 2006, 2007, 2008 Vyatta, Inc.
 # All Rights Reserved.
@@ -23,7 +23,7 @@
 RUN="yes"
 proto=""
 
-if [[ $reason =~ (REBOOT6|INIT6|EXPIRE6|RELEASE6|STOP6|INFORM6|BOUND6|REBIND6|DELEGATED6) ]]; then
+if [[ $reason =~ ^(REBOOT6|INIT6|EXPIRE6|RELEASE6|STOP6|INFORM6|BOUND6|REBIND6|DELEGATED6)$ ]]; then
     proto="v6"
 fi
 
diff --git a/src/etc/ppp/ip-down.d/98-vyos-pppoe-cleanup-nameservers b/src/etc/ppp/ip-down.d/98-vyos-pppoe-cleanup-nameservers
new file mode 100644
index 000000000..222c75f21
--- /dev/null
+++ b/src/etc/ppp/ip-down.d/98-vyos-pppoe-cleanup-nameservers
@@ -0,0 +1,15 @@
+#!/bin/bash
+### Autogenerated by interfaces-pppoe.py ###
+
+interface=$6
+if [ -z "$interface" ]; then
+    exit
+fi
+
+if ! /usr/bin/systemctl -q is-active vyos-hostsd; then
+    exit # vyos-hostsd is not running
+fi
+
+hostsd_client="/usr/bin/vyos-hostsd-client"
+$hostsd_client --delete-name-servers --tag "dhcp-$interface"
+$hostsd_client --apply
diff --git a/src/etc/ppp/ip-up.d/98-vyos-pppoe-setup-nameservers b/src/etc/ppp/ip-up.d/98-vyos-pppoe-setup-nameservers
new file mode 100644
index 000000000..0fcedbedc
--- /dev/null
+++ b/src/etc/ppp/ip-up.d/98-vyos-pppoe-setup-nameservers
@@ -0,0 +1,24 @@
+#!/bin/bash
+### Autogenerated by interfaces-pppoe.py ###
+
+interface=$6
+if [ -z "$interface" ]; then
+    exit
+fi
+
+if ! /usr/bin/systemctl -q is-active vyos-hostsd; then
+    exit # vyos-hostsd is not running
+fi
+
+hostsd_client="/usr/bin/vyos-hostsd-client"
+
+$hostsd_client --delete-name-servers --tag "dhcp-$interface"
+
+if [ "$USEPEERDNS" ] && [ -n "$DNS1" ]; then
+$hostsd_client --add-name-servers "$DNS1" --tag "dhcp-$interface"
+fi
+if [ "$USEPEERDNS" ] && [ -n "$DNS2" ]; then
+$hostsd_client --add-name-servers "$DNS2" --tag "dhcp-$interface"
+fi
+
+$hostsd_client --apply
-- 
cgit v1.2.3

From a679b2da9543ad1d071a43caf9f646fbb2857c49 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Wed, 16 Nov 2022 17:48:35 +0100
Subject: containers: T2216: support re-install via dpkg of vyos-1x-smoketest package

skopeo does not support overwriting an image - simply remove and readd it.
---
 debian/vyos-1x-smoketest.postinst | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'debian')

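Review bot: The `### Autogenerated by interfaces-pppoe.py ###` header in the new `98-vyos-pppoe-setup-nameservers` (and in `98-vyos-pppoe-cleanup-nameservers` in the same commit) is misleading: both files are committed as static sources under `src/etc/ppp/`, so the header sends the next reader to a generator that does not produce them; a comment describing the script, such as `# Register the name servers pppd learned from the peer (usepeerdns) with vyos-hostsd`, would serve better. The two `if [ "$USEPEERDNS" ] && [ -n "$DNS1" ]` / `"$DNS2"` blocks are identical apart from the variable and their bodies are not indented; one guarded loop over both values keeps the per-value empty check and reads more clearly. `interface=$6` also deserves a one-line comment naming which pppd positional argument it is, since those are easy to misread.
```shell
# … unchanged: interface/vyos-hostsd guards and the --delete-name-servers call …
if [ -n "$USEPEERDNS" ]; then
    # word splitting drops an unset DNS1 or DNS2, matching the per-variable checks
    for server in $DNS1 $DNS2; do
        $hostsd_client --add-name-servers "$server" --tag "dhcp-$interface"
    done
fi
```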
diff --git a/debian/vyos-1x-smoketest.postinst b/debian/vyos-1x-smoketest.postinst
index b33376bc3..18612804c 100755
--- a/debian/vyos-1x-smoketest.postinst
+++ b/debian/vyos-1x-smoketest.postinst
@@ -1,6 +1,10 @@
 #!/bin/sh -e
 
 BUSYBOX_TAG="docker.io/library/busybox:stable"
-OUTPUT_PATH="docker-archive://usr/share/vyos/busybox-stable.tar"
+OUTPUT_PATH="/usr/share/vyos/busybox-stable.tar"
 
-skopeo copy --additional-tag "$BUSYBOX_TAG" "docker://$BUSYBOX_TAG" "$OUTPUT_PATH"
+if [[ -f $OUTPUT_PATH ]]; then
+    rm -f $OUTPUT_PATH
+fi
+
+skopeo copy --additional-tag "$BUSYBOX_TAG" "docker://$BUSYBOX_TAG" "docker-archive:/$OUTPUT_PATH"
-- 
cgit v1.2.3

From 15828b9e86f46ca7f5cfa06be59f87055c4e3fef Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 11 Dec 2022 09:03:48 +0100
Subject: sstp: T4792: add sstp-client package dependency

---
 debian/control | 1 +
 1 file changed, 1 insertion(+)
(limited to 'debian')

diff --git a/debian/control b/debian/control
index 66ac3c6f7..7e69003ff 100644
--- a/debian/control
+++ b/debian/control
@@ -154,6 +154,7 @@ Depends:
   squidguard,
   sshguard,
   ssl-cert,
+  sstp-client,
   strongswan (>= 5.9),
   strongswan-swanctl (>= 5.9),
   stunnel4,
-- 
cgit v1.2.3
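Review bot: The new `if [[ -f $OUTPUT_PATH ]]` in `vyos-1x-smoketest.postinst` is a bash construct, but the script runs under `#!/bin/sh -e`, which on Debian is dash unless the image reconfigures it; there `[[` is not a builtin, the condition fails with `[[: not found`, the `rm -f` never runs, and `skopeo copy` still collides with the existing archive this commit set out to handle. The guard is unnecessary anyway because `rm -f` already tolerates a missing file, so the three added lines can become `rm -f "$OUTPUT_PATH"`. Quoting `"$OUTPUT_PATH"` there also keeps the script correct if the path ever contains spaces.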