From 02b6370c3cd1b580b0140deed6c250a682c3a4eb Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Wed, 1 Sep 2021 14:09:55 -0500 Subject: more 2fa changes --- op-mode-definitions/openvpn.xml.in | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/openvpn.xml.in b/op-mode-definitions/openvpn.xml.in index 781fbdc9d..ee3b073b5 100644 --- a/op-mode-definitions/openvpn.xml.in +++ b/op-mode-definitions/openvpn.xml.in @@ -55,6 +55,34 @@ ${vyos_op_scripts_dir}/show_interfaces.py --intf=$4 + + + Show OpenVPN interface users + + + + + + + + Show 2fa authentication secret + + ${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$4" --intf="$6" --action=sercret + + + + Show 2fa otpauth uri + + ${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$4" --intf="$6" --action=uri + + + + Show 2fa QR code + + ${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$4" --intf="$6" --action=qrcode + + + Show summary of specified OpenVPN interface information -- cgit v1.2.3 From e3c71af1466da42403fa23bc23e7e530df71c6c8 Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Thu, 2 Sep 2021 09:58:42 -0500 Subject: remove secrets file if the tunnel is deleted and fix opmode commands --- op-mode-definitions/openvpn.xml.in | 14 +++++++------- src/conf_mode/interfaces-openvpn.py | 4 ++++ 2 files changed, 11 insertions(+), 7 deletions(-) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/openvpn.xml.in b/op-mode-definitions/openvpn.xml.in index ee3b073b5..6549976c5 100644 --- a/op-mode-definitions/openvpn.xml.in +++ b/op-mode-definitions/openvpn.xml.in 
@@ -59,27 +59,27 @@ Show OpenVPN interface users - + - + Show 2fa authentication secret - ${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$4" --intf="$6" --action=sercret + ${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$6" --intf="$4" --action=secret - + Show 2fa otpauth uri - ${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$4" --intf="$6" --action=uri + ${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$6" --intf="$4" --action=uri - + Show 2fa QR code - ${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$4" --intf="$6" --action=qrcode + ${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$6" --intf="$4" --action=qrcode diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index efab07ddc..194126a34 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -177,6 +177,10 @@ def verify_pki(openvpn): def verify(openvpn): if 'deleted' in openvpn: + # remove totp secrets file if totp is not configured + if os.path.isfile(otp_file.format(**openvpn)): + os.remove(otp_file.format(**openvpn)) + verify_bridge_delete(openvpn) return None -- cgit v1.2.3 From 5366f9c9ce9850cdf3fddbf0c2947994a0c7eef6 Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Fri, 3 Sep 2021 06:00:07 -0500 Subject: do not use capitals in opmode rename t0 to drift add subnemu for 2fa to make it more readable --- data/templates/openvpn/server.conf.tmpl | 2 +- interface-definitions/interfaces-openvpn.xml.in | 2 +- op-mode-definitions/openvpn.xml.in | 39 +++++++++++++++---------- 3 files changed, 25 insertions(+), 18 deletions(-) (limited to 'op-mode-definitions') diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl index 679c25dd8..d97ff7717 100644 --- a/data/templates/openvpn/server.conf.tmpl +++ b/data/templates/openvpn/server.conf.tmpl 
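Review bot: The new `os.remove(otp_file.format(**openvpn))` runs inside `verify()`, which in this file's get_config/verify/generate/apply flow is presumably meant to stay side-effect free; if `verify_bridge_delete(openvpn)` on the next line raises, the TOTP secrets file is already gone while the interface remains configured. Moving the `os.path.isfile`/`os.remove` pair into `generate()` or `apply()` under the same `'deleted' in openvpn` guard keeps deletion on the commit path only. The comment `# remove totp secrets file if totp is not configured` also describes a different condition than the branch it sits in, which is interface deletion; `# remove the totp secrets file together with the interface` matches the code. verify() continues outside the hunk.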
@@ -131,7 +131,7 @@ push "dhcp-option DOMAIN {{ server.domain_name }}" {% if server['2fa']['totp'] is defined and server['2fa']['totp'] is not none %} plugin "/usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets otp_slop= {{- server['2fa']['totp']['slop']|default(180) }} totp_t0= -{{- server['2fa']['totp']['t0']|default(0) }} totp_step= +{{- server['2fa']['totp']['drift']|default(0) }} totp_step= {{- server['2fa']['totp']['step']|default(30) }} totp_digits= {{- server['2fa']['totp']['digits']|default(6)}} password_is_cr= {%-if server['2fa']['totp']['challenge']|default('enable') == 'enable' %}1{% else %}0{% endif %}" diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in index 0395f7d65..62fac9be0 100644 --- a/interface-definitions/interfaces-openvpn.xml.in +++ b/interface-definitions/interfaces-openvpn.xml.in @@ -657,7 +657,7 @@ - + time drift in seconds (default: 0) diff --git a/op-mode-definitions/openvpn.xml.in b/op-mode-definitions/openvpn.xml.in index 6549976c5..068d5d8fb 100644 --- a/op-mode-definitions/openvpn.xml.in +++ b/op-mode-definitions/openvpn.xml.in @@ -63,24 +63,31 @@ - + - Show 2fa authentication secret + Show 2fa information - ${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$6" --intf="$4" --action=secret - - - - Show 2fa otpauth uri - - ${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$6" --intf="$4" --action=uri - - - - Show 2fa QR code - - ${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$6" --intf="$4" --action=qrcode - + + + + Show 2fa authentication secret + + ${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$6" --intf="$4" --action=secret + + + + Show 2fa otpauth uri + + ${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$6" --intf="$4" --action=uri + + + + Show 2fa QR code + + ${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$6" --intf="$4" --action=qrcode + + + -- cgit v1.2.3 
From f43e02715d92d59da937454d6b9dfeb0e725bed4 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Mon, 4 Oct 2021 19:45:22 +0200 Subject: op-mode: T3889: migrate to journalctl when reading daemon logs (cherry picked from commit 3b2523b816556aa911459097c2476a2da4542151) --- op-mode-definitions/show-log.xml.in | 37 ++++++++++++++++++++++++------------- 1 file changed, 24 insertions(+), 13 deletions(-) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in index 92c1cf016..f31c85245 100644 --- a/op-mode-definitions/show-log.xml.in +++ b/op-mode-definitions/show-log.xml.in @@ -6,7 +6,7 @@ Show contents of current master log file - /bin/journalctl + journalctl --boot @@ -18,7 +18,7 @@ Show listing of authorization attempts - /bin/journalctl --quiet SYSLOG_FACILITY=10 SYSLOG_FACILITY=4 + journalctl --boot --quiet SYSLOG_FACILITY=10 SYSLOG_FACILITY=4 @@ -30,7 +30,7 @@ Show log for Conntrack-sync - cat $(printf "%s\n" /var/log/messages* | sort -nr ) | grep -e conntrackd + journalctl --boot --unit conntrackd.service @@ -89,7 +89,7 @@ Show log for HTTPs - cat $(printf "%s\n" /var/log/messages* | sort -nr) | grep -e nginx + journalctl --boot --unit nginx.service @@ -133,7 +133,7 @@ Show log for LLDP - cat $(printf "%s\n" /var/log/messages* | sort -nr) | grep -e lldpd + journalctl --boot --unit lldpd.service @@ -141,17 +141,28 @@ egrep -i "kernel:.*\[NAT-[A-Z]{3,}-[0-9]+(-MASQ)?\]" $(find /var/log -maxdepth 1 -type f -name messages\* | sort -t. -k2nr) - + Show log for OpenVPN - cat $(printf "%s\n" /var/log/messages* | sort -nr) | grep -e openvpn - + journalctl --boot --unit openvpn@*.service + + + + Show OpenVPN log on specific interface + + interfaces openvpn + + + journalctl --boot --unit openvpn@$5.service + + + Show log for Simple Network Monitoring Protocol (SNMP) - cat $(printf "%s\n" /var/log/messages* | sort -nr) | grep -e snmpd + journalctl --boot --unit snmpd.service 
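Review bot: The two OpenVPN unit arguments in this hunk are unquoted — `journalctl --boot --unit openvpn@*.service` and `journalctl --boot --unit openvpn@$5.service` — so the shell may glob-expand `*` against the current directory and word-split the interface name before journalctl sees the pattern. Quoting them as `--unit "openvpn@*.service"` and `--unit "openvpn@$5.service"` keeps the pattern intact; the DHCP commands added later on this page already quote theirs. The remaining unit names in the hunk are literals and need no change.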
@@ -195,13 +206,13 @@ Show log for PPTP - cat $(printf "%s\n" /var/log/messages* | sort -nr) | grep -e accel-pptp -e ppp + journalctl --boot --unit accel-ppp@pptp.service Show log for SSTP - cat $(printf "%s\n" /var/log/messages* | sort -nr) | grep -e accel-sstp -e ppp + journalctl --boot --unit accel-ppp@sstp.service @@ -209,13 +220,13 @@ Show log for Virtual Router Redundancy Protocol (VRRP) - cat $(printf "%s\n" /var/log/messages* | sort -nr) | grep -e Keepalived_vrrp + journalctl --boot --unit keepalived.service Show log for Webproxy - cat $(printf "%s\n" /var/log/messages* | sort -nr) | grep -e "squid" + journalctl --boot --unit squid.service -- cgit v1.2.3 From b7189cd1df327621a304ca65626a517223db6432 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Mon, 4 Oct 2021 19:49:07 +0200 Subject: op-mode: dhcpv(v6): T3890: retrieve both server and client logfiles * rename: "show log dhcp" will become "show log dhcp server" * add: "show log dhcp client" to display logs from ALL DHCP client processes * add: "show log dhcp client interface " to display logs from individual DHCP client processes * add: "show log dhcpv6 server" to display infos about running DHCPv6 server * add: "show log dhcpv6 client" to display logs from ALL DHCPv6 client processes * add: "show log dhcpv6 client interface " to display logs from individual DHCPv6 client processes (cherry picked from commit ffd73958e42c20f69ded64393491966e0c9230c6) --- op-mode-definitions/show-log.xml.in | 60 +++++++++++++++++++++++++++++++++++-- 1 file changed, 57 insertions(+), 3 deletions(-) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in index f31c85245..3156d822a 100644 --- a/op-mode-definitions/show-log.xml.in +++ b/op-mode-definitions/show-log.xml.in 
@@ -32,12 +32,66 @@ journalctl --boot --unit conntrackd.service - + Show log for Dynamic Host Control Protocol (DHCP) - cat $(printf "%s\n" /var/log/messages* | sort -nr) | grep dhcpd - + + + + Show log for DHCP server + + journalctl --boot --unit isc-dhcp-server.service + + + + Show DHCP client logs + + journalctl --boot --unit "dhclient@*.service" + + + + Show DHCP client log on specific interface + + + + + journalctl --boot --unit "dhclient@$6.service" + + + + + + + + Show log for Dynamic Host Control Protocol IPv6 (DHCPv6) + + + + + Show log for DHCPv6 server + + journalctl --boot --unit isc-dhcp-server6.service + + + + Show DHCPv6 client logs + + journalctl --boot --unit "dhcp6c@*.service" + + + + Show DHCPv6 client log on specific interface + + + + + journalctl --boot --unit "dhcp6c@$6.service" + + + + + Show log for Firewall -- cgit v1.2.3 From adc7ef387d40e92bd7163ee6b401e99e554394a3 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Tue, 5 Oct 2021 19:43:08 +0200 Subject: op-mode: T3889: do not display redundant hostname when reading logs (cherry picked from commit 30cf3bc79e2253a004fcbbf76c9f99c52e7bc216) --- op-mode-definitions/show-log.xml.in | 38 ++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in index 3156d822a..4c0a7913b 100644 --- a/op-mode-definitions/show-log.xml.in +++ b/op-mode-definitions/show-log.xml.in @@ -6,7 +6,7 @@ Show contents of current master log file - journalctl --boot + journalctl --no-hostname --boot @@ -18,7 +18,7 @@ Show listing of authorization attempts - journalctl --boot --quiet SYSLOG_FACILITY=10 SYSLOG_FACILITY=4 + journalctl --no-hostname --boot --quiet SYSLOG_FACILITY=10 SYSLOG_FACILITY=4 @@ -30,7 +30,7 @@ Show log for Conntrack-sync - journalctl --boot --unit conntrackd.service + journalctl --no-hostname --boot --unit conntrackd.service 
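Review bot: The new help text `Show log for Dynamic Host Control Protocol IPv6 (DHCPv6)` misnames the protocol; DHCP expands to Dynamic Host Configuration Protocol, so `Show log for Dynamic Host Configuration Protocol IPv6 (DHCPv6)` is the correct wording. The unchanged DHCPv4 help line at the top of the hunk carries the same mistake and could be fixed in the same commit. The quoted unit patterns `"dhclient@$6.service"` and `"dhcp6c@$6.service"` are fine as written.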
@@ -41,13 +41,13 @@ Show log for DHCP server - journalctl --boot --unit isc-dhcp-server.service + journalctl --no-hostname --boot --unit isc-dhcp-server.service Show DHCP client logs - journalctl --boot --unit "dhclient@*.service" + journalctl --no-hostname --boot --unit "dhclient@*.service" @@ -56,7 +56,7 @@ - journalctl --boot --unit "dhclient@$6.service" + journalctl --no-hostname --boot --unit "dhclient@$6.service" @@ -71,13 +71,13 @@ Show log for DHCPv6 server - journalctl --boot --unit isc-dhcp-server6.service + journalctl --no-hostname --boot --unit isc-dhcp-server6.service Show DHCPv6 client logs - journalctl --boot --unit "dhcp6c@*.service" + journalctl --no-hostname --boot --unit "dhcp6c@*.service" @@ -86,7 +86,7 @@ - journalctl --boot --unit "dhcp6c@$6.service" + journalctl --no-hostname --boot --unit "dhcp6c@$6.service" @@ -143,7 +143,7 @@ Show log for HTTPs - journalctl --boot --unit nginx.service + journalctl --no-hostname --boot --unit nginx.service @@ -173,7 +173,7 @@ <NUMBER> - tail -n "$6" /lib/live/mount/persistence/boot/$4/rw/var/log/messages | ${VYATTA_PAGER:-cat} + tail -n "$6" /lib/live/mount/persistence/boot/$4/rw/var/log/messages | ${VYATTA_PAGER:-cat} @@ -187,7 +187,7 @@ Show log for LLDP - journalctl --boot --unit lldpd.service + journalctl --no-hostname --boot --unit lldpd.service @@ -199,7 +199,7 @@ Show log for OpenVPN - journalctl --boot --unit openvpn@*.service + journalctl --no-hostname --boot --unit openvpn@*.service @@ -208,7 +208,7 @@ interfaces openvpn - journalctl --boot --unit openvpn@$5.service + journalctl --no-hostname --boot --unit openvpn@$5.service @@ -216,7 +216,7 @@ Show log for Simple Network Monitoring Protocol (SNMP) - journalctl --boot --unit snmpd.service + journalctl --no-hostname --boot --unit snmpd.service 
@@ -260,13 +260,13 @@ Show log for PPTP - journalctl --boot --unit accel-ppp@pptp.service + journalctl --no-hostname --boot --unit accel-ppp@pptp.service Show log for SSTP - journalctl --boot --unit accel-ppp@sstp.service + journalctl --no-hostname --boot --unit accel-ppp@sstp.service @@ -274,13 +274,13 @@ Show log for Virtual Router Redundancy Protocol (VRRP) - journalctl --boot --unit keepalived.service + journalctl --no-hostname --boot --unit keepalived.service Show log for Webproxy - journalctl --boot --unit squid.service + journalctl --no-hostname --boot --unit squid.service -- cgit v1.2.3 From ba8630da96396f09c638fccdc9cfe6a3ee70fd58 Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Thu, 7 Oct 2021 08:44:00 -0500 Subject: pull request fixes --- data/templates/openvpn/server.conf.tmpl | 12 ++--- interface-definitions/interfaces-openvpn.xml.in | 23 +++++---- op-mode-definitions/openvpn.xml.in | 16 +++---- src/conf_mode/interfaces-openvpn.py | 18 ++++++- src/op_mode/show_openvpn_2fa.py | 64 ------------------------- src/op_mode/show_openvpn_mfa.py | 64 +++++++++++++++++++++++++ 6 files changed, 106 insertions(+), 91 deletions(-) delete mode 100755 src/op_mode/show_openvpn_2fa.py create mode 100755 src/op_mode/show_openvpn_mfa.py (limited to 'op-mode-definitions') diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl index 644eb805f..3104203ad 100644 --- a/data/templates/openvpn/server.conf.tmpl +++ b/data/templates/openvpn/server.conf.tmpl 
@@ -127,14 +127,10 @@ push "dhcp-option DNS6 {{ nameserver }}" {% if server.domain_name is defined and server.domain_name is not none %} push "dhcp-option DOMAIN {{ server.domain_name }}" {% endif %} -{% if server['2fa'] is defined and server['2fa'] is not none %} -{% if server['2fa']['totp'] is defined and server['2fa']['totp'] is not none %} -plugin "/usr/lib/openvpn/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets otp_slop= -{{- server['2fa']['totp']['slop']|default(180) }} totp_t0= -{{- server['2fa']['totp']['drift']|default(0) }} totp_step= -{{- server['2fa']['totp']['step']|default(30) }} totp_digits= -{{- server['2fa']['totp']['digits']|default(6)}} password_is_cr= -{%-if server['2fa']['totp']['challenge']|default('enable') == 'enable' %}1{% else %}0{% endif %}" +{% if server.mfa is defined and server.mfa is not none %} +{% if server.mfa.totp is defined and server.mfa.totp is not none %} +{% set totp_config = server.mfa.totp %} +plugin "{{ plugin_dir}}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets {{ 'otp_slop=' ~ totp_config.slop }} {{ 'totp_t0=' ~ totp_config.drift }} {{ 'totp_step=' ~ totp_config.step }} {{ 'totp_digits=' ~ totp_config.digits }} password_is_cr={{ '1' if totp_config.challenge == 'enable' else '0' }}" {% endif %} {% endif %} {% endif %} diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in index 62fac9be0..023f9f55d 100644 --- a/interface-definitions/interfaces-openvpn.xml.in +++ b/interface-definitions/interfaces-openvpn.xml.in @@ -635,14 +635,14 @@ net30 - + - 2-factor authentication + multi-factor authentication - Time-based One-Time Passwords + Time-based one-time passwords @@ -656,10 +656,11 @@ + 180 - time drift in seconds (default: 0) + Time drift in seconds (default: 0) 1-65535 Seconds @@ -668,10 +669,11 @@ + 0 - Step value for TOTP in seconds (default: 30) + Step value for totp in seconds (default: 30) 1-65535 Seconds 
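Review bot: The new plugin line reads `{{ plugin_dir}}`, but nothing on this page adds `plugin_dir` to the template's render context: the interfaces-openvpn.py hunk of this commit only assigns a local `plugin_dir = '/usr/lib/openvpn'` inside `generate()`. Unless the render call outside that hunk passes it, Jinja's default undefined renders as an empty string and the directive becomes `plugin "/openvpn-otp.so" ...`, which the daemon cannot load. Either hand the value to the renderer (e.g. `openvpn['plugin_dir'] = plugin_dir` before rendering, if the template is rendered from that dict) or keep the directory literal in the template as before. The spacing `{{ plugin_dir}}` should also become `{{ plugin_dir }}` to match the surrounding expressions.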
@@ -680,10 +682,11 @@ + 30 - Number of digits to use from TOTP hash (default: 6) + Number of digits to use for totp hash (default: 6) 1-65535 Seconds @@ -692,25 +695,27 @@ + 6 - expect password as result of a challenge response protocol (default: enabled) + Expect password as result of a challenge response protocol (default: enabled) disable enable disable - Disable challenge response (default) + Disable challenge-response enable - Enable chalenge response (default) + Enable chalenge-response (default) ^(disable|enable)$ + enable diff --git a/op-mode-definitions/openvpn.xml.in b/op-mode-definitions/openvpn.xml.in index 068d5d8fb..7243d69fd 100644 --- a/op-mode-definitions/openvpn.xml.in +++ b/op-mode-definitions/openvpn.xml.in @@ -63,28 +63,28 @@ - + - Show 2fa information + Show multi-factor authentication information - Show 2fa authentication secret + Show multi-factor authentication secret - ${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$6" --intf="$4" --action=secret + ${vyos_op_scripts_dir}/show_openvpn_mfa.py --user="$6" --intf="$4" --action=secret - Show 2fa otpauth uri + Show multi-factor authentication otpauth uri - ${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$6" --intf="$4" --action=uri + ${vyos_op_scripts_dir}/show_openvpn_mfa.py --user="$6" --intf="$4" --action=uri - Show 2fa QR code + Show multi-factor authentication QR code - ${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$6" --intf="$4" --action=qrcode + ${vyos_op_scripts_dir}/show_openvpn_mfa.py --user="$6" --intf="$4" --action=qrcode diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 365d0982e..220c4f157 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py 
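Review bot: The new help text `Enable chalenge-response (default)` in the `@@ -692,25 +695,27 @@` hunk misspells the term while the sibling entry two lines above it is written `Disable challenge-response`; change it to `Enable challenge-response (default)` so both entries agree. The unchanged value help `1-65535 Seconds` under the digits node, whose help text this commit rewrites to `Number of digits to use for totp hash (default: 6)`, also looks copied from the step node, since a digit count is not measured in seconds.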
@@ -80,6 +80,11 @@ def get_config(config=None): tmp_pki = conf.get_config_dict(['pki'], key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) + # We have to get the dict using 'get_config_dict' instead of 'get_interface_dict' + # as 'get_interface_dict' merges the defaults in, so we can not check for defaults in there. + tmp_openvpn = conf.get_config_dict(base + [os.environ['VYOS_TAGNODE_VALUE']], key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + openvpn = get_interface_dict(conf, base) if 'deleted' not in openvpn: @@ -89,6 +94,14 @@ def get_config(config=None): openvpn['daemon_user'] = user openvpn['daemon_group'] = group + # We have to cleanup the config dict, as default values could enable features + # which are not explicitly enabled on the CLI. Example: server mfa totp + # originate comes with defaults, which will enable the + # totp plugin, even when not set via CLI so we + # need to check this first and drop those keys + if 'totp' not in tmp_openvpn['server']: + del openvpn['server']['mfa']['totp'] + return openvpn def is_ec_private_key(pki, cert_name): @@ -369,8 +382,8 @@ def verify(openvpn): if IPv6Address(client['ipv6_ip'][0]) in v6PoolNet: print(f'Warning: Client "{client["name"]}" IP {client["ipv6_ip"][0]} is in server IP pool, it is not reserved for this client.') - # add 2fa users to the file the 2fa plugin uses - if dict_search('server.2fa.totp', openvpn): + # add mfa users to the file the mfa plugin uses + if dict_search('server.mfa.totp', openvpn): if not Path(otp_file.format(**openvpn)).is_file(): Path(otp_path).mkdir(parents=True, exist_ok=True) Path(otp_file.format(**openvpn)).touch() 
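Review bot: The cleanup check `if 'totp' not in tmp_openvpn['server']:` looks at the wrong nesting level: the comment names the CLI path `server mfa totp`, and the `dict_search('server.mfa.totp', openvpn)` lookup further down in this same file shows totp sits under `server.mfa`, so as far as this page shows `'totp'` is never a direct key of `tmp_openvpn['server']` and the totp defaults are deleted even when TOTP is configured. `tmp_openvpn['server']` also raises KeyError for an interface with no server block. Something like `if 'server' in openvpn and dict_search('server.mfa.totp', tmp_openvpn) is None:` followed by the existing `del openvpn['server']['mfa']['totp']` does what the comment says, assuming the defaults always populate `server.mfa.totp` as the comment states. get_config() starts outside the hunk.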
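Review bot: `Path(otp_file.format(**openvpn)).touch()` creates the file that stores the per-user TOTP secrets with the process umask, so with a usual umask of 022 it comes out 0644 and readable by every local account. Creating it with `Path(otp_file.format(**openvpn)).touch(mode=0o600)` and the directory with `Path(otp_path).mkdir(mode=0o700, parents=True, exist_ok=True)` restricts it to the owner; whether the plugin reads it as the `openvpn['daemon_user']` set in get_config or as root before dropping privileges is not visible here, so the owner may need adjusting to match. These lines are unchanged context in this commit, but the renamed `dict_search('server.mfa.totp', openvpn)` guard directly above is what gates them. verify() continues outside the hunk.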
@@ -590,6 +603,7 @@ def generate_pki_files(openvpn): def generate(openvpn): interface = openvpn['ifname'] directory = os.path.dirname(cfg_file.format(**openvpn)) + plugin_dir = '/usr/lib/openvpn' # we can't know in advance which clients have been removed, # thus all client configs will be removed and re-added on demand diff --git a/src/op_mode/show_openvpn_2fa.py b/src/op_mode/show_openvpn_2fa.py deleted file mode 100755 index 8600f755d..000000000 --- a/src/op_mode/show_openvpn_2fa.py +++ /dev/null 
@@ -1,64 +0,0 @@ -#!/usr/bin/env python3 - -# Copyright 2017, 2021 VyOS maintainers and contributors -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; either -# version 2.1 of the License, or (at your option) any later version. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library. If not, see . - -import re -import socket -import urllib.parse -import argparse - -from vyos.util import popen - -otp_file = '/config/auth/openvpn/{interface}-otp-secrets' - -def get_2fa_secret(interface, client): - try: - with open(otp_file.format(interface=interface), "r") as f: - users = f.readlines() - for user in users: - if re.search('^' + client + ' ', user): - return user.split(':')[3] - except: - pass - -def get_2fa_uri(client, secret): - hostname = socket.gethostname() - fqdn = socket.getfqdn() - uri = 'otpauth://totp/{hostname}:{client}@{fqdn}?secret={secret}' - - return urllib.parse.quote(uri.format(hostname=hostname, client=client, fqdn=fqdn, secret=secret), safe='/:@?=') - -if __name__ == '__main__': - parser = argparse.ArgumentParser(add_help=False, description='Show 2fa information') - parser.add_argument('--intf', action="store", type=str, default='', help='only show the specified interface') - parser.add_argument('--user', action="store", type=str, default='', help='only show the specified users') - parser.add_argument('--action', action="store", type=str, default='show', help='action to perform') - - args = parser.parse_args() - secret = get_2fa_secret(args.intf, args.user) - - if args.action == "secret" and secret: - print(secret) - 
- if args.action == "uri" and secret: - uri = get_2fa_uri(args.user, secret) - print(uri) - - if args.action == "qrcode" and secret: - uri = get_2fa_uri(args.user, secret) - qrcode,err = popen('qrencode -t ansiutf8', input=uri) - print(qrcode) - diff --git a/src/op_mode/show_openvpn_mfa.py b/src/op_mode/show_openvpn_mfa.py new file mode 100755 index 000000000..1ab54600c --- /dev/null +++ b/src/op_mode/show_openvpn_mfa.py 
@@ -0,0 +1,64 @@ +#!/usr/bin/env python3 + +# Copyright 2017, 2021 VyOS maintainers and contributors +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library. If not, see . + +import re +import socket +import urllib.parse +import argparse + +from vyos.util import popen + +otp_file = '/config/auth/openvpn/{interface}-otp-secrets' + +def get_mfa_secret(interface, client): + try: + with open(otp_file.format(interface=interface), "r") as f: + users = f.readlines() + for user in users: + if re.search('^' + client + ' ', user): + return user.split(':')[3] + except: + pass + +def get_mfa_uri(client, secret): + hostname = socket.gethostname() + fqdn = socket.getfqdn() + uri = 'otpauth://totp/{hostname}:{client}@{fqdn}?secret={secret}' + + return urllib.parse.quote(uri.format(hostname=hostname, client=client, fqdn=fqdn, secret=secret), safe='/:@?=') + +if __name__ == '__main__': + parser = argparse.ArgumentParser(add_help=False, description='Show two-factor authentication information') + parser.add_argument('--intf', action="store", type=str, default='', help='only show the specified interface') + parser.add_argument('--user', action="store", type=str, default='', help='only show the specified users') + parser.add_argument('--action', action="store", type=str, default='show', help='action to perform') + + args = parser.parse_args() + secret = get_mfa_secret(args.intf, args.user) + + if args.action == "secret" and 
secret: + print(secret) + + if args.action == "uri" and secret: + uri = get_mfa_uri(args.user, secret) + print(uri) + + if args.action == "qrcode" and secret: + uri = get_mfa_uri(args.user, secret) + qrcode,err = popen('qrencode -t ansiutf8', input=uri) + print(qrcode) + -- cgit v1.2.3 From e48b345f7524761a29b7adf36a13c155e2f34d15 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Tue, 19 Oct 2021 18:17:39 +0200 Subject: op-mode: bgp: "show ip bgp ipv4 unicast" should output all BGP routes --- op-mode-definitions/include/bgp/show-ip-bgp-common.xml.i | 1 + 1 file changed, 1 insertion(+) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/include/bgp/show-ip-bgp-common.xml.i b/op-mode-definitions/include/bgp/show-ip-bgp-common.xml.i index e599bfb3f..36cc9a3fa 100644 --- a/op-mode-definitions/include/bgp/show-ip-bgp-common.xml.i +++ b/op-mode-definitions/include/bgp/show-ip-bgp-common.xml.i @@ -35,6 +35,7 @@ Show BGP IPv4 unicast information + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ -- cgit v1.2.3 From 241a19943b7321aa1f2e2ece86b5ad68997390fe Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Sun, 24 Oct 2021 11:17:49 +0700 Subject: T3937: rewrite the "show system memory" script in Python --- op-mode-definitions/show-system.xml.in | 2 +- python/vyos/util.py | 34 ++++++++++++++++++ src/op_mode/show_ram.py | 64 ++++++++++++++++++++++++++++++++++ src/op_mode/show_ram.sh | 33 ------------------ 4 files changed, 99 insertions(+), 34 deletions(-) create mode 100755 src/op_mode/show_ram.py delete mode 100755 src/op_mode/show_ram.sh (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/show-system.xml.in b/op-mode-definitions/show-system.xml.in index 18a28868d..b32aee0c2 100644 --- a/op-mode-definitions/show-system.xml.in +++ b/op-mode-definitions/show-system.xml.in @@ -104,7 +104,7 @@ Show system memory usage - ${vyos_op_scripts_dir}/show_ram.sh + ${vyos_op_scripts_dir}/show_ram.py 
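Review bot: In `get_mfa_secret()` the client name is interpolated unescaped into the pattern, `re.search('^' + client + ' ', user)`, so a name containing regex metacharacters such as `.`, `+` or `(` matches the wrong line or raises `re.error`, and the bare `except: pass` then hides that together with a missing secrets file, an `IndexError` from `split(':')[3]` and even `KeyboardInterrupt`, leaving the script to print nothing and exit 0. `if user.startswith(client + ' '):` (or `re.escape(client)` in the pattern) fixes the match, and `except (OSError, IndexError): return None` keeps the intended best-effort lookup while letting anything else surface. The argparse `description='Show two-factor authentication information'` also still says two-factor after the mfa rename of this commit.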
diff --git a/python/vyos/util.py b/python/vyos/util.py index 849b27d3b..2c4051a7a 100644 --- a/python/vyos/util.py +++ b/python/vyos/util.py @@ -489,6 +489,40 @@ def seconds_to_human(s, separator=""): return result +def bytes_to_human(bytes, initial_exponent=0): + """ Converts a value in bytes to a human-readable size string like 640 KB + + The initial_exponent parameter is the exponent of 2, + e.g. 10 (1024) for kilobytes, 20 (1024 * 1024) for megabytes. + """ + + from math import log2 + + bytes = bytes * (2**initial_exponent) + + # log2 is a float, while range checking requires an int + exponent = int(log2(bytes)) + + if exponent < 10: + value = bytes + suffix = "B" + elif exponent in range(10, 20): + value = bytes / 1024 + suffix = "KB" + elif exponent in range(20, 30): + value = bytes / 1024**2 + suffix = "MB" + elif exponent in range(30, 40): + value = bytes / 1024**3 + suffix = "GB" + else: + value = bytes / 1024**4 + suffix = "TB" + # Add a new case when the first machine with petabyte RAM + # hits the market. + + size_string = "{0:.2f} {1}".format(value, suffix) + return size_string def get_cfg_group_id(): from grp import getgrnam diff --git a/src/op_mode/show_ram.py b/src/op_mode/show_ram.py new file mode 100755 index 000000000..5818ec132 --- /dev/null +++ b/src/op_mode/show_ram.py 
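Review bot: `exponent = int(log2(bytes))` raises `ValueError: math domain error` when the value is 0 or negative, so `bytes_to_human(0)` — e.g. a zero `buffers` or `cached` figure from the show_ram.py caller on this page — crashes instead of printing `0.00 B`; a guard before the logarithm, `if bytes < 1: return "0.00 B"`, covers it. The parameter `bytes` also shadows the builtin; if the call site on this page (`bytes_to_human(mem[key], initial_exponent=10)`) is the only one, renaming it to `size` is safe. The `elif exponent in range(10, 20)` chain reads more naturally as `elif exponent < 20` once the earlier branches have excluded the smaller values.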
@@ -0,0 +1,64 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +def get_system_memory(): + from re import search as re_search + + def find_value(keyword, mem_data): + regex = keyword + ':\s+(\d+)' + res = re_search(regex, mem_data).group(1) + return int(res) + + with open("/proc/meminfo", "r") as f: + mem_data = f.read() + + total = find_value('MemTotal', mem_data) + available = find_value('MemAvailable', mem_data) + buffers = find_value('Buffers', mem_data) + cached = find_value('Cached', mem_data) + + used = total - available + + res = { + "total": total, + "free": available, + "used": used, + "buffers": buffers, + "cached": cached + } + + return res + +def get_system_memory_human(): + from vyos.util import bytes_to_human + + mem = get_system_memory() + + for key in mem: + # The Linux kernel exposes memory values in kilobytes, + # so we need to normalize them + mem[key] = bytes_to_human(mem[key], initial_exponent=10) + + return mem + +if __name__ == '__main__': + mem = get_system_memory_human() + + print("Total: {}".format(mem["total"])) + print("Free: {}".format(mem["free"])) + print("Used: {}".format(mem["used"])) + diff --git a/src/op_mode/show_ram.sh b/src/op_mode/show_ram.sh deleted file mode 100755 index b013e16f8..000000000 --- a/src/op_mode/show_ram.sh +++ /dev/null 
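Review bot: The pattern in `find_value()` is a plain string, `regex = keyword + ':\s+(\d+)'`, so `\s` and `\d` are invalid escape sequences that newer CPython releases flag with a SyntaxWarning; write it as `regex = keyword + r':\s+(\d+)'` (show_uptime.py on this page has the same problem in `"([0-9\.]+)\s"`). `re_search(regex, mem_data).group(1)` also raises an unhelpful `AttributeError` if a keyword is absent from /proc/meminfo. The dict key `"free"` holds `MemAvailable`, not `MemFree`; a comment such as `# "free" is MemAvailable (reclaimable cache included), not MemFree` would stop a reader expecting the kernel field. `buffers` and `cached` are computed but never printed by the `__main__` block.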
@@ -1,33 +0,0 @@ -#!/bin/bash -# -# Module: vyos-show-ram.sh -# Displays memory usage information in minimalistic format -# -# Copyright (C) 2019 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -MB_DIVISOR=1024 - -TOTAL=$(cat /proc/meminfo | grep -E "^MemTotal:" | awk -F ' ' '{print $2}') -FREE=$(cat /proc/meminfo | grep -E "^MemFree:" | awk -F ' ' '{print $2}') -BUFFERS=$(cat /proc/meminfo | grep -E "^Buffers:" | awk -F ' ' '{print $2}') -CACHED=$(cat /proc/meminfo | grep -E "^Cached:" | awk -F ' ' '{print $2}') - -DISPLAY_FREE=$(( ($FREE + $BUFFERS + $CACHED) / $MB_DIVISOR )) -DISPLAY_TOTAL=$(( $TOTAL / $MB_DIVISOR )) -DISPLAY_USED=$(( $DISPLAY_TOTAL - $DISPLAY_FREE )) - -echo "Total: $DISPLAY_TOTAL" -echo "Free: $DISPLAY_FREE" -echo "Used: $DISPLAY_USED" -- cgit v1.2.3 From c2866603751f85b98b88d445874e6f1945647c30 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Sun, 24 Oct 2021 21:20:02 +0700 Subject: T3938: rewrite the uptime script in Python --- op-mode-definitions/show-system.xml.in | 2 +- src/op_mode/show_uptime.py | 50 ++++++++++++++++++++++++++++++++++ 2 files changed, 51 insertions(+), 1 deletion(-) create mode 100755 src/op_mode/show_uptime.py (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/show-system.xml.in b/op-mode-definitions/show-system.xml.in index 18a28868d..059cd813b 100644 --- a/op-mode-definitions/show-system.xml.in +++ b/op-mode-definitions/show-system.xml.in 
@@ -142,7 +142,7 @@ Show summary of system processes - uptime + ${vyos_op_scripts_dir}/show_uptime.py diff --git a/src/op_mode/show_uptime.py b/src/op_mode/show_uptime.py new file mode 100755 index 000000000..c3dea52e6 --- /dev/null +++ b/src/op_mode/show_uptime.py @@ -0,0 +1,50 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +def get_uptime_seconds(): + from re import search + from vyos.util import read_file + + data = read_file("/proc/uptime") + seconds = search("([0-9\.]+)\s", data).group(1) + + return int(float(seconds)) + +def get_load_averages(): + from re import search + from vyos.util import cmd + + data = cmd("uptime") + matches = search(r"load average:\s*(?P[0-9\.]+)\s*,\s*(?P[0-9\.]+)\s*,\s*(?P[0-9\.]+)\s*", data) + + res = {} + res[1] = float(matches["one"]) + res[5] = float(matches["five"]) + res[15] = float(matches["fifteen"]) + + return res + +if __name__ == '__main__': + from vyos.util import seconds_to_human + + print("Uptime: {}\n".format(seconds_to_human(get_uptime_seconds()))) + + avgs = get_load_averages() + + print("Load averages:") + print("1 minute: {:.02f}%".format(avgs[1]*100)) + print("5 minutes: {:.02f}%".format(avgs[5]*100)) + print("15 minutes: {:.02f}%".format(avgs[15]*100)) -- cgit v1.2.3 From 8bc4c453b1d237bdb3477c3f490435c659a34336 Mon Sep 17 00:00:00 2001 
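Review bot: The `__main__` block prints the load averages as percentages (`avgs[1]*100` with a `%` suffix), but a load average is the mean run-queue length, not a fraction, so a value of 1.0 is shown as `100.00%` and only corresponds to full utilisation on a single-CPU system; print the raw value, `print("1 minute: {:.2f}".format(avgs[1]))`, or divide by `os.cpu_count()` if a percentage is really intended. `get_load_averages` also shells out to `uptime` and regex-parses its human-readable output, and when the pattern does not match `matches["one"]` raises `TypeError` on `None`; `/proc/loadavg` holds the same three numbers and needs no subprocess: `one, five, fifteen = read_file("/proc/loadavg").split()[:3]` followed by `res = {1: float(one), 5: float(five), 15: float(fifteen)}`. The pattern in `get_uptime_seconds`, `"([0-9\.]+)\s"`, is not a raw string, so `\.` and `\s` are invalid escape sequences that current CPython warns about; write it as `r"([0-9.]+)\s"`.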
From: Viacheslav Date: Mon, 25 Oct 2021 21:11:49 +0000 Subject: op-mode: T3942: Add feature Generate IPSec debug-archive --- .../generate-ipsec-debug-archive.xml.in | 17 ++++++++++ op-mode-definitions/generate-ipsec-profile.xml.in | 2 +- src/op_mode/generate_ipsec_debug_archive.sh | 36 ++++++++++++++++++++++ 3 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 op-mode-definitions/generate-ipsec-debug-archive.xml.in create mode 100755 src/op_mode/generate_ipsec_debug_archive.sh (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/generate-ipsec-debug-archive.xml.in b/op-mode-definitions/generate-ipsec-debug-archive.xml.in new file mode 100644 index 000000000..f268d5ae5 --- /dev/null +++ b/op-mode-definitions/generate-ipsec-debug-archive.xml.in @@ -0,0 +1,17 @@ + + + + + + + + + Generate IPSec debug-archive + + ${vyos_op_scripts_dir}/generate_ipsec_debug_archive.sh + + + + + + diff --git a/op-mode-definitions/generate-ipsec-profile.xml.in b/op-mode-definitions/generate-ipsec-profile.xml.in index 8d1051b94..b7203d7d1 100644 --- a/op-mode-definitions/generate-ipsec-profile.xml.in +++ b/op-mode-definitions/generate-ipsec-profile.xml.in @@ -4,7 +4,7 @@ - Generate IPsec related configurations + Generate IPsec related configurations and archives diff --git a/src/op_mode/generate_ipsec_debug_archive.sh b/src/op_mode/generate_ipsec_debug_archive.sh new file mode 100755 index 000000000..53d0a6eaa --- /dev/null +++ b/src/op_mode/generate_ipsec_debug_archive.sh 
@@ -0,0 +1,36 @@ +#!/usr/bin/env bash + +# Collecting IPSec Debug Information + +DATE=`date +%d-%m-%Y` + +a_CMD=( + "sudo ipsec status" + "sudo swanctl -L" + "sudo swanctl -l" + "sudo swanctl -P" + "sudo ip x sa show" + "sudo ip x policy show" + "sudo ip tunnel show" + "sudo ip address" + "sudo ip rule show" + "sudo ip route" + "sudo ip route show table 220" + ) + + +echo "DEBUG: ${DATE} on host \"$(hostname)\"" > /tmp/ipsec-status-${DATE}.txt +date >> /tmp/ipsec-status-${DATE}.txt + +# Execute all DEBUG commands and save it to file +for cmd in "${a_CMD[@]}"; do + echo -e "\n### ${cmd} ###" >> /tmp/ipsec-status-${DATE}.txt + ${cmd} >> /tmp/ipsec-status-${DATE}.txt 2>/dev/null +done + +# Collect charon logs, build .tgz archive +sudo journalctl /usr/lib/ipsec/charon > /tmp/journalctl-charon-${DATE}.txt && \ +sudo tar -zcvf /tmp/ipsec-debug-${DATE}.tgz /tmp/journalctl-charon-${DATE}.txt /tmp/ipsec-status-${DATE}.txt >& /dev/null +sudo rm -f /tmp/journalctl-charon-${DATE}.txt /tmp/ipsec-status-${DATE}.txt + +echo "Debug file is generated and located in /tmp/ipsec-debug-${DATE}.tgz" -- cgit v1.2.3 From be63194790559cca79bf1575094b4607b0500a0f Mon Sep 17 00:00:00 2001 From: goodNETnick Date: Fri, 29 Oct 2021 16:41:13 +1000 Subject: L3VPN: T3952: add sh bgp ipv4/ipv6 vpn command --- op-mode-definitions/include/bgp/afi-ipv4-ipv6-vpn.xml.i | 1 + 1 file changed, 1 insertion(+) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/include/bgp/afi-ipv4-ipv6-vpn.xml.i b/op-mode-definitions/include/bgp/afi-ipv4-ipv6-vpn.xml.i index ba6edb256..f6737c8bd 100644 --- a/op-mode-definitions/include/bgp/afi-ipv4-ipv6-vpn.xml.i +++ b/op-mode-definitions/include/bgp/afi-ipv4-ipv6-vpn.xml.i @@ -19,5 +19,6 @@ #include #include + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ -- cgit v1.2.3
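Review bot: The archive this script builds includes the output of `ip x sa show`, which prints the live IPsec SA encryption and integrity keys, yet it is written to the fixed, predictable path `/tmp/ipsec-debug-${DATE}.tgz` and its inputs to `/tmp/ipsec-status-${DATE}.txt` and `/tmp/journalctl-charon-${DATE}.txt` under the default umask, so on a multi-user system that key material can end up readable by other local accounts and the predictable names can be pre-created by them. Creating the working directory with `mktemp -d`, setting `umask 077` before the first redirection and quoting the paths keeps the dump owner-only; because the redirections run as the invoking user, `tar` and `rm` do not need `sudo` here. The closing `echo` also reports success unconditionally, even when the `journalctl && tar` chain failed with its errors hidden by `>& /dev/null`, so it should be tied to that chain's exit status. Minor: the backtick form `DATE=`date +%d-%m-%Y`` reads better as `$(date +%d-%m-%Y)`.
```shell
# Keep the dump owner-only: it contains SA key material from "ip x sa show".
umask 077
DATE=$(date +%d-%m-%Y)
WORKDIR=$(mktemp -d) || exit 1
STATUS_FILE="${WORKDIR}/ipsec-status-${DATE}.txt"
CHARON_FILE="${WORKDIR}/journalctl-charon-${DATE}.txt"
ARCHIVE="/tmp/ipsec-debug-${DATE}.tgz"

# … unchanged: a_CMD array …

echo "DEBUG: ${DATE} on host \"$(hostname)\"" > "${STATUS_FILE}"
date >> "${STATUS_FILE}"

# Execute all DEBUG commands and save it to file
for cmd in "${a_CMD[@]}"; do
    echo -e "\n### ${cmd} ###" >> "${STATUS_FILE}"
    ${cmd} >> "${STATUS_FILE}" 2>/dev/null
done

# Collect charon logs, build .tgz archive; report success only when both steps succeeded
if sudo journalctl /usr/lib/ipsec/charon > "${CHARON_FILE}" && \
   tar -zcf "${ARCHIVE}" -C "${WORKDIR}" . >/dev/null 2>&1; then
    echo "Debug file is generated and located in ${ARCHIVE}"
else
    echo "Failed to generate the debug archive" >&2
fi
rm -rf "${WORKDIR}"
```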