author | Robert Göhler <github@ghlr.de> | 2021-06-30 14:49:40 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-06-30 14:49:40 +0200 |
commit | e58574d80d49d11dba556c8cb3653310a94fc50d (patch) | |
tree | 1e4ae8324f21f89178e454af29172ca36b9552fc /docs/configuration | |
parent | ae6a2ba810a19d81cbad5b0da29e791a7b5e411f (diff) | |
parent | 10737cad913c17e3cce7291dcd835999f16459a2 (diff) | |
download | vyos-documentation-e58574d80d49d11dba556c8cb3653310a94fc50d.tar.gz vyos-documentation-e58574d80d49d11dba556c8cb3653310a94fc50d.zip |
Merge branch 'master' into misc
Diffstat (limited to 'docs/configuration')
-rw-r--r-- | docs/configuration/container/index.rst | 143 | ||||
-rw-r--r-- | docs/configuration/firewall/index.rst | 60 | ||||
-rw-r--r-- | docs/configuration/index.rst | 3 | ||||
-rw-r--r-- | docs/configuration/service/ssh.rst | 30 | ||||
-rw-r--r-- | docs/configuration/system/login.rst | 4 |
5 files changed, 210 insertions, 30 deletions
diff --git a/docs/configuration/container/index.rst b/docs/configuration/container/index.rst new file mode 100644 index 00000000..520031d8 --- /dev/null +++ b/docs/configuration/container/index.rst 
@@ -0,0 +1,143 @@ +.. include:: /_include/need_improvement.txt + +.. _container: + +######### +Container +######### + +************* +Configuration +************* + +.. cfgcmd:: set container <name> + + Set an named container. + +.. cfgcmd:: set container network <networkname> + + Creates a named container network + +.. cfgcmd:: set container registry <name> + + Adds registry to list of unqualified-search-registries. By default, for any + image that does not include the registry in the image name, Vyos will use + docker.io as the container registry. + +.. cfgcmd:: set container <name> image + + Sets the image name in the hub registry + + .. code-block:: none + + set container name mysql-server image mysql:8.0 + + If a registry is not specefied, Docker.io will be used as the container + registry unless an alternative registry is specefied using + **set container registry <name>** or the registry is included in the image name + + .. code-block:: none + + set container name mysql-server image quay.io/mysql:8.0 + +.. cfgcmd:: set container <name> allow-host-networks + + Allow host networking in container. The network stack of the container is + not isolated from the host and will use the host IP. + + The following commands translates to "--net host" when the container is created + + .. note:: **allow-host-networks** cannot be used with **network** + +.. cfgcmd:: set container <name> description <text> + + Sets the container description + +.. cfgcmd:: set container <name> environment '<key>' value '<value>' + + Adds a custom environment variables. Multiple enviroment variables are allowed. The following commands translates to "-e key=value" when container is created. + + .. 
code-block:: none + + set container name mysql-server environment 'MYSQL_DATABASE' value 'zabbix' + set container name mysql-server environment 'MYSQL_USER' value 'zabbix' + set container name mysql-server environment 'MYSQL_PASSWORD' value 'zabbix_pwd' + set container name mysql-server environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd' + +.. cfgcmd:: set container <name> network <networkname> + + Attaches user defined network to container. Only one network must be specefied and must already exist. + + Optionally a specific static IPv4 or IPv6 address can be set for the container. This address must be within the named network. + + .. code-block:: none + + set container <name> network <networkname> address <address> + + .. note:: The first IP in the container network is reserved by the engine and cannot be used + +.. cfgcmd:: set container <name> port <portname> [source | destination ] <portnumber> + + Publishes a port for the container + + .. code-block:: none + + set container name zabbix-web-nginx-mysql port http source 80 + set container name zabbix-web-nginx-mysql port http destination 8080 + +.. cfgcmd:: set container <name> volume <volumename> [source | destination ] <path> + + Mount a volume into the container + + .. code-block:: none + + set container name coredns volume 'corefile' source /config/coredns/Corefile + set container name coredns volume 'corefile' destination /etc/Corefile + +********************* +Example Configuration +********************* + + For the sake of demonstration, `example #1 in the official documentation <https://www.zabbix.com/documentation/current/manual/installation/containers>`_ to the declarative VyOS CLI syntax. + + .. 
code-block:: none + + set container network zabbix-net prefix 172.20.0.0/16 + set container network zabbix-net description 'Network for Zabbix component containers' + + set container name mysql-server image mysql:8.0 + set container name mysql-server network zabbix-net + + set container name mysql-server environment 'MYSQL_DATABASE' value 'zabbix' + set container name mysql-server environment 'MYSQL_USER' value 'zabbix' + set container name mysql-server environment 'MYSQL_PASSWORD' value 'zabbix_pwd' + set container name mysql-server environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd' + + set container name zabbix-java-gateway image zabbix/zabbix-java-gateway:alpine-5.2-latest + set container name zabbix-java-gateway network zabbix-net + + set container name zabbix-server-mysql image zabbix/zabbix-server-mysql:alpine-5.2-latest + set container name zabbix-server-mysql network zabbix-net + + set container name zabbix-server-mysql environment 'DB_SERVER_HOST' value 'mysql-server' + set container name zabbix-server-mysql environment 'MYSQL_DATABASE' value 'zabbix' + set container name zabbix-server-mysql environment 'MYSQL_USER' value 'zabbix' + set container name zabbix-server-mysql environment 'MYSQL_PASSWORD' value 'zabbix_pwd' + set container name zabbix-server-mysql environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd' + set container name zabbix-server-mysql environment 'ZBX_JAVAGATEWAY' value 'zabbix-java-gateway' + + set container name zabbix-server-mysql port zabbix source 10051 + set container name zabbix-server-mysql port zabbix destination 10051 + + set container name zabbix-web-nginx-mysql image zabbix/zabbix-web-nginx-mysql:alpine-5.2-latest + set container name zabbix-web-nginx-mysql network zabbix-net + + set container name zabbix-web-nginx-mysql environment 'MYSQL_DATABASE' value 'zabbix' + set container name zabbix-web-nginx-mysql environment 'ZBX_SERVER_HOST' value 'zabbix-server-mysql' + set container name zabbix-web-nginx-mysql environment 
'DB_SERVER_HOST' value 'mysql-server' + set container name zabbix-web-nginx-mysql environment 'MYSQL_USER' value 'zabbix' + set container name zabbix-web-nginx-mysql environment 'MYSQL_PASSWORD' value 'zabbix_pwd' + set container name zabbix-web-nginx-mysql environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd' + + set container name zabbix-web-nginx-mysql port http source 80 + set container name zabbix-web-nginx-mysql port http destination 8080
\ No newline at end of file diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 667a4653..d52d6f2a 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -1,3 +1,5 @@ +:lastproofread: 2021-06-29 + .. _firewall: ######## @@ -29,7 +31,7 @@ or zone based firewall policy. Global settings *************** -Some firewall settings are global and have a affect on the whole system. +Some firewall settings are global and have an affect on the whole system. .. cfgcmd:: set firewall all-ping [enable | disable] @@ -89,7 +91,7 @@ Some firewall settings are global and have a affect on the whole system. .. cfgcmd:: set firewall send-redirects [enable | disable] - enable or disable of ICMPv4 redirect messages send by VyOS + enable or disable ICMPv4 redirect messages send by VyOS The following system parameter will be altered: * ``net.ipv4.conf.all.send_redirects`` @@ -127,7 +129,7 @@ Some firewall settings are global and have a affect on the whole system. .. cfgcmd:: set firewall state-policy established log enable - Set the global setting for a established connections. + Set the global setting for an established connection. .. cfgcmd:: set firewall state-policy invalid action [accept | drop | reject] @@ -163,8 +165,8 @@ names. Address Groups ============== -In a **address group** a single IP adresses or IP address ranges are -definded. +In an **address group** a single IP address or IP address ranges are +defined. .. cfgcmd:: set firewall group address-group <name> address [address | address range] @@ -221,7 +223,7 @@ filtering unnecessary ports. Ranges of ports can be specified by using .. cfgcmd:: set firewall group port-group <name> port [portname | portnumber | startport-endport] - Define a port group. A port name are any name defined in + Define a port group. A port name can be any name defined in /etc/services. e.g.: http .. code-block:: none 
@@ -240,10 +242,10 @@ Rule-Sets ********* A rule-set is a named collection of firewall rules that can be applied -to an interface or zone. Each rule is numbered, has an action to apply +to an interface or a zone. Each rule is numbered, has an action to apply if the rule is matched, and the ability to specify the criteria to match. Data packets go through the rules from 1 - 9999, at the first match -the action of the rule will executed. +the action of the rule will be executed. .. cfgcmd:: set firewall name <name> description <text> .. cfgcmd:: set firewall ipv6-name <name> description <text> @@ -267,7 +269,7 @@ the action of the rule will executed. .. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> action [drop | reject | accept] - This required setting define the action of the current rule. + This required setting defines the action of the current rule. .. cfgcmd:: set firewall name <name> rule <1-9999> description <text> .. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> description <text> @@ -287,7 +289,7 @@ the action of the rule will executed. Matching criteria ================= -There are a lot of matching criteria gainst which the package can be tested. +There are a lot of matching criteria against which the package can be tested. .. cfgcmd:: set firewall name <name> rule <1-9999> source address @@ -299,7 +301,7 @@ There are a lot of matching criteria gainst which the package can be tested. .. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> destination address [address | addressrange | CIDR] - This is similiar to the network groups part, but here you are able to negate + This is similar to the network groups part, but here you are able to negate the matching addresses. .. code-block:: none 
@@ -315,7 +317,7 @@ There are a lot of matching criteria gainst which the package can be tested. .. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> source mac-address <mac-address> - Only in the source criteria you can specify a mac-address + Only in the source criteria, you can specify a mac-address. .. code-block:: none @@ -331,7 +333,7 @@ There are a lot of matching criteria gainst which the package can be tested. .. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> destination port [1-65535 | portname | start-end] - A port can be set with a portnumber or a name which is here + A port can be set with a port number or a name which is here defined: ``/etc/services``. .. code-block:: none @@ -410,9 +412,9 @@ There are a lot of matching criteria gainst which the package can be tested. set firewall name WAN-IN-v4 rule 13 tcp flags 'SYN,!ACK,!FIN,!RST' .. cfgcmd:: set firewall name <name> rule <1-9999> state [established | - invalid | new | related] [enable | disable ] + invalid | new | related] [enable | disable] .. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> state [established | - invalid | new | related] [enable | disable ] + invalid | new | related] [enable | disable] Match against the state of a packet. @@ -423,8 +425,8 @@ Applying a Rule-Set to an Interface A Rule-Set can be applied to every interface: -* ``in``: Ruleset for forwarded packets on inbound interface -* ``out``: Ruleset for forwarded packets on outbound interface +* ``in``: Ruleset for forwarded packets on an inbound interface +* ``out``: Ruleset for forwarded packets on an outbound interface * ``local``: Ruleset for packets destined for this router .. cfgcmd:: set interface ethernet <ethN> firewall [in | out | local] 
@@ -451,7 +453,7 @@ Zone-based Firewall Policy As an alternative to applying policy to an interface directly, a zone-based firewall can be created to simplify configuration when multiple interfaces belong to the same security zone. Instead of -applying rulesets to interfaces, they are applied to source +applying rule-sets to interfaces, they are applied to source zone-destination zone pairs. An basic introduction to zone-based firewalls can be found `here @@ -465,12 +467,12 @@ To define a zone setup either one with interfaces or a local zone. .. cfgcmd:: set zone-policy zone <name> interface <interfacenames> - Set a interfaces to a zone. A zone can have multiple interfaces. - But a interface can only be member in one zone. + Set interfaces to a zone. A zone can have multiple interfaces. + But an interface can only be a member in one zone. .. cfgcmd:: set zone-policy zone <name> local-zone - Define the Zone as a local zone. A local zone have no interfaces and + Define the zone as a local zone. A local zone has no interfaces and will be applied to the router itself. .. cfgcmd:: set zone-policy zone <name> default-action [drop | reject] @@ -486,14 +488,14 @@ Applying a Rule-Set to a Zone ============================= Before you are able to apply a rule-set to a zone you have to create the zones -first. +first. .. cfgcmd:: set zone-policy zone <name> from <name> firewall name <rule-set> .. cfgcmd:: set zone-policy zone <name> from <name> firewall ipv6-name <rule-set> - You apply a rule-set always to a zone from a other zone, it is recommended + You apply a rule-set always to a zone from an other zone, it is recommended to create one rule-set for each zone pair. .. code-block:: none @@ -577,7 +579,7 @@ Rule-set overview .. opcmd:: show firewall summary - This will show you a summary about rule-sets and groups + This will show you a summary of rule-sets and groups .. code-block:: none 
@@ -630,7 +632,7 @@ Rule-set overview .. opcmd:: show firewall [name | ipv6name] <name> rule <1-9999> - This command will give an overview about a rule in a single rule-set + This command will give an overview of a rule in a single rule-set .. opcmd:: show firewall group <name> @@ -658,7 +660,7 @@ Rule-set overview .. opcmd:: show firewall [name | ipv6name] <name> - This command will give an overview about a single rule-set + This command will give an overview of a single rule-set. .. opcmd:: show firewall [name | ipv6name] <name> statistics @@ -666,7 +668,7 @@ Rule-set overview .. opcmd:: show firewall [name | ipv6name] <name> rule <1-9999> - This command will give an overview about a rule in a single rule-set + This command will give an overview of a rule in a single rule-set. Zone-Policy Overview @@ -674,7 +676,7 @@ Zone-Policy Overview .. opcmd:: show zone-policy zone <name> - Use this command to get an overview about a zone + Use this command to get an overview of a zone. .. code-block:: none @@ -695,7 +697,7 @@ Show Firewall log .. opcmd:: show log firewall [name | ipv6name] <name> - Show the logs of a specific Rule-Set + Show the logs of a specific Rule-Set. .. note:: At the moment it not possible to look at the whole firewall log with VyOS diff --git a/docs/configuration/index.rst b/docs/configuration/index.rst index bce013cb..0fe481da 100644 --- a/docs/configuration/index.rst +++ b/docs/configuration/index.rst @@ -8,6 +8,7 @@ The following structure respresent the cli structure. :maxdepth: 1 :includehidden: + container/index firewall/index highavailability/index interfaces/index @@ -20,4 +21,4 @@ The following structure respresent the cli structure. trafficpolicy/index vpn/index vrf/index - zonepolicy/index
\ No newline at end of file + zonepolicy/index diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst index 6b09d40d..40ec62f5 100644 --- a/docs/configuration/service/ssh.rst +++ b/docs/configuration/service/ssh.rst @@ -156,3 +156,33 @@ Operation Two new files ``/config/auth/id_rsa_rpki`` and ``/config/auth/id_rsa_rpki.pub`` will be created. + +.. opcmd:: generate public-key-commands name <username> path <location> + + Generate the configuration mode commands to add a public key for + :ref:`ssh_key_based_authentication`. + ``<location>`` can be a local path or a URL pointing at a remote file. + + Supported remote protocols are FTP, HTTP, HTTPS, SCP/SFTP and TFTP. + + Example: + + .. code-block:: none + + alyssa@vyos:~$ generate public-key-commands name alyssa path sftp://example.net/home/alyssa/.ssh/id_rsa.pub + # To add this key as an embedded key, run the following commands: + configure + set system login user alyssa authentication public-keys alyssa@example.net key AAA... + set system login user alyssa authentication public-keys alyssa@example.net type ssh-rsa + commit + save + exit + + ben@vyos:~$ generate public-key-command user ben path ~/.ssh/id_rsa.pub + # To add this key as an embedded key, run the following commands: + configure + set system login user ben authentication public-keys ben@vyos key AAA... + set system login user ben authentication public-keys ben@vyos type ssh-dss + commit + save + exit diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst index 0492f4d1..09b6e68b 100644 --- a/docs/configuration/system/login.rst +++ b/docs/configuration/system/login.rst 
@@ -76,6 +76,10 @@ The third part is simply an identifier, and is for your own reference. .. cfgcmd:: loadkey <username> <location> + **Deprecation notice:** ``loadkey`` has been deprecated in favour of + :opcmd:`generate public-key-commands` and will be removed in a future + version. See :ref:`ssh`. + SSH keys can not only be specified on the command-line but also loaded for a given user with `<username>` from a file pointed to by `<location>.` Keys can be either loaded from local filesystem or any given remote location |
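Review bot: in the new docs/configuration/container/index.rst, every `cfgcmd` signature is written `set container <name> ...` (image, allow-host-networks, environment, network, port, volume) while every example under them uses the `name` keyword (`set container name mysql-server image mysql:8.0`), so the documented syntax does not match the CLI; write the directives as `set container name <name> ...`. The example configuration also relies on `set container network zabbix-net prefix 172.20.0.0/16` and `... description '...'`, but neither `prefix` nor `description` is documented under `set container network <networkname>`. Because `environment` values are stored in the running configuration and shown by `show configuration`, a sentence under the MySQL environment example saying that the `zabbix_pwd` / `root_pwd` strings are placeholders to be replaced, and that such values are kept in cleartext in the config, would help readers who copy the block verbatim; likewise the `allow-host-networks` text could state plainly that `--net host` removes network isolation, so the container sees and can bind on all host interfaces. Spelling: "specefied" (three occurrences), "enviroment", "Set an named container", "The following commands translates" (→ "translate"), and the file is committed without a trailing newline.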
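Review bot: hunk @@ -29,7 +31,7 @@ in firewall/index.rst changes "a affect" to "an affect", but the intended word is "effect": "Some firewall settings are global and have an effect on the whole system."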
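Review bot: hunk @@ -89,7 +91,7 @@ in firewall/index.rst leaves "messages send by VyOS"; it should read "ICMPv4 redirect messages sent by VyOS". While here, the sentence could start with a capital: "Enable or disable ...".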
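Review bot: hunk @@ -287,7 +289,7 @@ in firewall/index.rst fixes "gainst" but keeps "the package can be tested"; the subject of firewall matching is a packet, so "against which the packet can be tested". The same wording recurs in the unchanged context lines of the following hunks (@@ -299, @@ -315, @@ -331, @@ -410), which will stay stale unless the section heading line is corrected once.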
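Review bot: hunk @@ -451,7 +453,7 @@ in firewall/index.rst changes "rulesets" to "rule-sets" but the next context line, "An basic introduction to zone-based firewalls can be found", still carries the article error ("A basic introduction"); since the proofreading pass already touches this paragraph, fix it in the same hunk.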
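Review bot: hunk @@ -486,14 +488,14 @@ in firewall/index.rst rewrites "from a other zone" as "from an other zone", which is still wrong; it should be "from another zone". The whole sentence would read better as: "A rule-set is always applied to a zone from another zone; it is recommended to create one rule-set for each zone pair." The `first.` / `first.` lines in the same hunk differ only in trailing whitespace, which is fine but worth a mention in the commit message so reviewers do not hunt for a content change.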
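Review bot: hunk @@ -695,7 +697,7 @@ in firewall/index.rst adds a full stop to "Show the logs of a specific Rule-Set." but the adjacent note line, "At the moment it not possible to look at the whole firewall log with VyOS", is missing its verb ("it is not possible"); include it in this hunk.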
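Review bot: hunk @@ -8,6 +8,7 @@ in docs/configuration/index.rst: the context line "The following structure respresent the cli structure" has a typo and agreement error ("The following structure represents the CLI structure") that this pass could fix while touching the file. Adding `container/index` to the toctree and restoring the trailing newline after `zonepolicy/index` are both correct.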
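Review bot: in the ssh.rst hunk (@@ -156,3 +156,33 @@), the second example runs `generate public-key-command user ben path ~/.ssh/id_rsa.pub` while the `opcmd` defined directly above is `generate public-key-commands name <username> path <location>` (plural, and `name` rather than `user`); one of the two is wrong and a reader cannot tell which, so align the example with the directive. The same example prints `type ssh-dss`: OpenSSH has disabled ssh-dss user keys by default since 7.0, so a key of that type would be refused by a stock sshd, and showing `ssh-ed25519` (or `ssh-rsa` as in the first example) avoids documenting a setup that does not authenticate. Since `<location>` may be an FTP, HTTP or TFTP URL, consider adding a sentence that a key fetched over an unauthenticated transport should be compared against the original file (the printed `key AAA...` material) before running `commit`, because the generated commands install whatever was downloaded.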
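Review bot: the deprecation notice added to login.rst (@@ -76,6 +76,10 @@) says `loadkey` "will be removed in a future version" without naming one and refers readers to the whole `:ref:`ssh`` page; stating the replacement inline, `generate public-key-commands name <username> path <location>`, lets them migrate without leaving the page. Also confirm the Sphinx build resolves the `:opcmd:` cross-reference without a warning, since the rest of the file uses the directive form only.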