-rw-r--r-- | .github/workflows/submodules.yml | 36 | ||||
m--------- | docs/_include/vyos-1x | 0 | ||||
-rw-r--r-- | docs/_static/images/ansible.png | bin | 0 -> 204124 bytes | |||
-rw-r--r-- | docs/automation/vyos-api.rst | 37 | ||||
-rw-r--r-- | docs/changelog/1.3.rst | 18 | ||||
-rw-r--r-- | docs/changelog/1.4.rst | 56 | ||||
-rw-r--r-- | docs/changelog/1.5.rst | 43 | ||||
-rw-r--r-- | docs/configexamples/ansible.rst | 216 | ||||
-rw-r--r-- | docs/configexamples/index.rst | 1 | ||||
-rw-r--r-- | docs/configuration/vpn/ipsec.rst | 8 |
10 files changed, 411 insertions, 4 deletions
diff --git a/.github/workflows/submodules.yml b/.github/workflows/submodules.yml
index d2e3f99f..f76e32f7 100644
--- a/.github/workflows/submodules.yml
+++ b/.github/workflows/submodules.yml
@@ -41,6 +41,42 @@ jobs:
 branch: update-dependencies-master
 delete-branch: true
+ update_sagitta:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ repository: ${{ github.repository }}
+ ref: sagitta
+ - name: update submodule
+ run: |
+ git submodule status
+ git submodule update --init --force
+ cd docs/_include/vyos-1x
+ git checkout sagitta
+ git pull
+ git submodule status
+ - name: update releasenotes
+ env:
+ PHABRICATOR_API: ${{ secrets.PHABRICATOR_API }}
+ if: env.PHABRICATOR_API != null
+ run: |
+ pip3 install phabricator==0.8.0
+ python3 docs/_ext/releasenotes.py -t ${{ secrets.PHABRICATOR_API }} -b sagitta
+ - name: Create Pull Request
+ uses: peter-evans/create-pull-request@v3
+ with:
+ token: ${{secrets.GITHUB_TOKEN}}
+ commit-message: "Github: update sagitta branch"
+ committer: GitHub <noreply@github.com>
+ author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
+ title: "Github: update sagitta branch"
+ body: |
+ Autoupdate vyos-1x submodule
+ update releasenotes
+ branch: update-dependencies-sagitta
+ delete-branch: true
+
 update_equuleus:
 runs-on: ubuntu-latest
diff --git a/docs/_include/vyos-1x b/docs/_include/vyos-1x
-Subproject cd19b9d6b0c21a5d07a9f5a98e5e90d09d8d4cc
+Subproject 11d531ece3e06dc68349d8ea1fd3bf39d5d857f
diff --git a/docs/_static/images/ansible.png b/docs/_static/images/ansible.png
Binary files differ
new file mode 100644
index 00000000..1d80b3f4
--- /dev/null
+++ b/docs/_static/images/ansible.png
diff --git a/docs/automation/vyos-api.rst b/docs/automation/vyos-api.rst
index efd00dd8..afcc1767 100644
--- a/docs/automation/vyos-api.rst
+++ b/docs/automation/vyos-api.rst
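Review bot: The `update releasenotes` step expands the Phabricator token straight into the shell script (`-t ${{ secrets.PHABRICATOR_API }}`) even though the same step already exports it as the `PHABRICATOR_API` environment variable; reference the variable instead, `python3 docs/_ext/releasenotes.py -t "$PHABRICATOR_API" -b sagitta`, so the secret is read from the environment rather than being templated into the run script and the process command line. Both third-party actions are pinned to floating major tags (`actions/checkout@v2`, `peter-evans/create-pull-request@v3`) in a job that handles `GITHUB_TOKEN`; pinning to a full commit SHA with the tag in a trailing comment closes the tag-retargeting vector, and the sibling master/equuleus jobs (only `update_equuleus:` is visible here) presumably use the same tags and should be changed together. The `git checkout sagitta` / `git pull` inside the submodule tracks the remote branch head with no verification, which is acceptable only because the result goes through a pull request; a one-line comment such as `# unverified upstream head: the generated PR is the review gate` would make that intent explicit. As a style point, this job is a near-verbatim copy of the neighbouring ones and a `strategy.matrix` over the branch name would remove the triplication.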
@@ -143,6 +143,43 @@ The ``reset`` endpoint run a ``reset`` command.
 "error": null
 }
+/reboot
+=======
+
+To initiate a reboot use the ``reboot`` endpoint.
+
+.. code-block:: none
+
+ curl --location --request POST 'https://vyos/reboot' \
+ --form data='{"op": "reboot", "path": ["now"]}' \
+ --form key='MY-HTTPS-API-PLAINTEXT-KEY'
+
+ respone:
+ {
+ "success": true,
+ "data": "",
+ "error": null
+ }
+
+/poweroff
+=========
+
+To power off the system use the ``poweroff`` endpoint.
+
+.. code-block:: none
+
+ curl --location --request POST 'https://vyos/poweroff' \
+ --form data='{"op": "poweroff", "path": ["now"]}' \
+ --form key='MY-HTTPS-API-PLAINTEXT-KEY'
+
+ respone:
+ {
+ "success": true,
+ "data": "",
+ "error": null
+ }
+
+
 /image
 ======
diff --git a/docs/changelog/1.3.rst b/docs/changelog/1.3.rst
index 5ce9f5cf..05adb0c5 100644
--- a/docs/changelog/1.3.rst
+++ b/docs/changelog/1.3.rst
@@ -8,6 +8,24 @@ _ext/releasenotes.py
+2023-11-25
+==========
+
+* :vytask:`T5655` ``(bug): commit-archive: Ctrl+C should not eror out with stack trace, signal should be cought``
+
+
+2023-11-24
+==========
+
+* :vytask:`T5402` ``(bug): VRRP router with rfc3768-compatibility sends multiple ARP replies``
+
+
+2023-11-22
+==========
+
+* :vytask:`T5578` ``(bug): "ikev2-reauth" description contains outdated information``
+
+
 2023-11-15
 ==========
diff --git a/docs/changelog/1.4.rst b/docs/changelog/1.4.rst
index 96bdae15..d22cfb7a 100644
--- a/docs/changelog/1.4.rst
+++ b/docs/changelog/1.4.rst
@@ -8,6 +8,62 @@ _ext/releasenotes.py +2023-11-26 +========== + +* :vytask:`T5760` ``(feature): DHCP client custom dhcp-options`` +* :vytask:`T2405` ``(feature): archive to GIT or other platform`` + + +2023-11-25 +========== + +* :vytask:`T5655` ``(bug): commit-archive: Ctrl+C should not eror out with stack trace, signal should be cought`` +* :vytask:`T4946` ``(default): Rewrite "add system image" in the new op-mode`` +* :vytask:`T4454` ``(default): `install-image` should check free storage`` + + +2023-11-24 +========== + +* :vytask:`T5776` ``(feature): Enable VFIO support`` +* :vytask:`T5402` ``(bug): VRRP router with rfc3768-compatibility sends multiple ARP replies`` +* :vytask:`T3895` ``(default): VYOS firewall rules do not adhere to time schedule unless placed in UTC mode.`` + + +2023-11-23 +========== + +* :vytask:`T4891` ``(bug): BFD flapping loop`` +* :vytask:`T4867` ``(bug): "show bgp neighbors ... advertised-routes" and some other commands fail for IPv4 neighbors`` + + +2023-11-22 +========== + +* :vytask:`T5767` ``(feature): Add reboot and poweroff the system via API`` +* :vytask:`T5729` ``(bug): Firewall, nat and policy route - Switch to valueless`` +* :vytask:`T5681` ``(feature): Interface match - Simplified and unified cli`` +* :vytask:`T4877` ``(bug): Need verification in using import vrf and import vpn, export vpn commands`` +* :vytask:`T4021` ``(bug): Long commit time on bridge interface with 1-4094 allowed VLAN tags`` +* :vytask:`T5338` ``(feature): Add 'mpls bgp forwarding' feature`` +* :vytask:`T3818` ``(bug): BGP export route-map only works after bgpd restart`` +* :vytask:`T5590` ``(default): Firewall "log enable" logs every packet`` +* :vytask:`T5426` ``(default): Add exceptions in vici functions calls`` + + +2023-11-21 +========== + +* :vytask:`T5762` ``(bug): http: api: smoketests fail as they can not establish IPv6 connection to uvicorn backend server`` + + +2023-11-20 +========== + +* :vytask:`T2816` ``(default): Rewrite IPsec scripts with 
the new XML/Python approach`` + + 2023-11-18 ========== diff --git a/docs/changelog/1.5.rst b/docs/changelog/1.5.rst index 145cf648..e24aca9a 100644 --- a/docs/changelog/1.5.rst +++ b/docs/changelog/1.5.rst @@ -8,6 +8,49 @@ _ext/releasenotes.py +2023-11-26 +========== + +* :vytask:`T5760` ``(feature): DHCP client custom dhcp-options`` +* :vytask:`T2405` ``(feature): archive to GIT or other platform`` + + +2023-11-25 +========== + +* :vytask:`T5655` ``(bug): commit-archive: Ctrl+C should not eror out with stack trace, signal should be cought`` + + +2023-11-24 +========== + +* :vytask:`T5776` ``(feature): Enable VFIO support`` +* :vytask:`T5402` ``(bug): VRRP router with rfc3768-compatibility sends multiple ARP replies`` + + +2023-11-23 +========== + +* :vytask:`T5659` ``(bug): VPP cannot add interface to dataplane if it already has an address configured`` + + +2023-11-22 +========== + +* :vytask:`T5767` ``(feature): Add reboot and poweroff the system via API`` +* :vytask:`T5729` ``(bug): Firewall, nat and policy route - Switch to valueless`` +* :vytask:`T5681` ``(feature): Interface match - Simplified and unified cli`` +* :vytask:`T5643` ``(feature): NAT - Allow interface groups on nat rules`` +* :vytask:`T5616` ``(feature): Firewall mark - Add capabilities for matching firewall mark`` +* :vytask:`T5590` ``(default): Firewall "log enable" logs every packet`` + + +2023-11-21 +========== + +* :vytask:`T5762` ``(bug): http: api: smoketests fail as they can not establish IPv6 connection to uvicorn backend server`` + + 2023-11-18 ========== diff --git a/docs/configexamples/ansible.rst b/docs/configexamples/ansible.rst new file mode 100644 index 00000000..431ad8c3 --- /dev/null +++ b/docs/configexamples/ansible.rst 
@@ -0,0 +1,216 @@ +:lastproofread: 2023-10-18 + +.. _examples-ansible: + +############### +Ansible example +############### + +Setting up Ansible on a server running the Debian operating system. +=================================================================== + +In this example, we will set up a simple use of Ansible to configure multiple VyoS routers. +We have four pre-configured routers with this configuration: + +Using the general schema for example: + +.. image:: /_static/images/ansible.png + :width: 80% + :align: center + :alt: Network Topology Diagram + +We have four pre-configured routers with this configuration: + +.. code-block:: none + + set interfaces ethernet eth0 address dhcp + set service ssh + commit + save + +* vyos7 - 192.0.2.105 +* vyos8 - 192.0.2.106 +* vyos9 - 192.0.2.107 +* vyos10 - 192.0.2.108 + +Install the Ansible: +==================== +.. code-block:: none + + # apt-get install ansible + Do you want to continue? [Y/n] y + +Install the paramiko: +===================== + +.. code-block:: none + + #apt-get install -y python3-paramiko + +Check the version: +================== + +.. code-block:: none + + # ansible --version + ansible 2.10.8 + config file = None + configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules'] + ansible python module location = /usr/lib/python3/dist-packages/ansible + executable location = /usr/bin/ansible + python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110] + +Basik configuration of the ansible.cfg: +======================================= + +.. code-block:: none + + # nano /root/ansible.cfg + [defaults] + host_key_checking = no + +Add all the hosts of VyOS: +========================== + +.. 
code-block:: none + + # nano /root/hosts + [vyos_hosts] + vyos7 ansible_ssh_host=192.0.2.105 + vyos8 ansible_ssh_host=192.0.2.106 + vyos9 ansible_ssh_host=192.0.2.107 + vyos10 ansible_ssh_host=192.0.2.108 + +Add general variables: +====================== + +.. code-block:: none + + # mkdir /root/group_vars/ + # nano /root/group_vars/vyos_hosts + ansible_python_interpreter: /usr/bin/python3 + ansible_network_os: vyos + ansible_connection: network_cli + ansible_user: vyos + ansible_ssh_pass: vyos + + +Add the simple playbook with the tasks for each router: +======================================================= + +.. code-block:: none + + # nano /root/main.yml + + --- + - hosts: vyos_hosts + gather_facts: 'no' + tasks: + - name: Configure general settings for the vyos hosts group + vyos_config: + lines: + - set system name-server 8.8.8.8 + - set interfaces ethernet eth0 description '#WAN#' + - set interfaces ethernet eth1 description '#LAN#' + - set interfaces ethernet eth2 disable + - set interfaces ethernet eth3 disable + - set system host-name {{ inventory_hostname }} + save: + true + +Start the playbook: +================== + +.. code-block:: none + + ansible-playbook -i hosts main.yml + PLAY [vyos_hosts] ************************************************************** + + TASK [Configure general settings for the vyos hosts group] ********************* + ok: [vyos9] + ok: [vyos10] + ok: [vyos7] + ok: [vyos8] + + PLAY RECAP ********************************************************************* + vyos10 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 + vyos7 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 + vyos8 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 + vyos9 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 + +Check the result on the vyos10 router: +====================================== + +.. 
code-block:: none + + vyos@vyos10:~$ show interfaces + Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down + Interface IP Address S/L Description + --------- ---------- --- ----------- + eth0 192.0.2.108/24 u/u WAN + eth1 - u/u LAN + eth2 - A/D + eth3 - A/D + lo 127.0.0.1/8 u/u + ::1/128 + + vyos@vyos10:~$ sh configuration commands | grep 8.8.8.8 + set system name-server '8.8.8.8' + +The simple way without configuration of the hostname (one task for all routers): +============================================================================ + +.. code-block:: none + + # nano /root/hosts_v2 + [vyos_hosts_group] + vyos7 ansible_ssh_host=192.0.2.105 + vyos8 ansible_ssh_host=192.0.2.106 + vyos9 ansible_ssh_host=192.0.2.107 + vyos10 ansible_ssh_host=192.0.2.108 + [vyos_hosts_group:vars] + ansible_python_interpreter=/usr/bin/python3 + ansible_user=vyos + ansible_ssh_pass=vyos + ansible_network_os=vyos + ansible_connection=network_cli + + # nano /root/main_v2.yml + --- + - hosts: vyos_hosts_group + + connection: network_cli + gather_facts: 'no' + + tasks: + - name: Configure remote vyos_hosts_group + vyos_config: + lines: + - set system name-server 8.8.8.8 + - set interfaces ethernet eth0 description WAN + - set interfaces ethernet eth1 description LAN + - set interfaces ethernet eth2 disable + - set interfaces ethernet eth3 disable + save: + true + +.. 
code-block:: none + + # ansible-playbook -i hosts_v2 main_v2.yml + + PLAY [vyos_hosts_group] ******************************************************** + + TASK [Configure remote vyos_hosts_group] *************************************** + ok: [vyos8] + ok: [vyos7] + ok: [vyos9] + ok: [vyos10] + + PLAY RECAP ********************************************************************* + vyos10 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 + vyos7 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 + vyos8 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 + vyos9 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 + + +In the next chapter of the example, we'll use the Ansible with jinja2 templates and variables. diff --git a/docs/configexamples/index.rst b/docs/configexamples/index.rst index 5528d280..7134e14c 100644 --- a/docs/configexamples/index.rst +++ b/docs/configexamples/index.rst @@ -21,6 +21,7 @@ This chapter contains various configuration examples: qos segment-routing-isis nmp + ansible policy-based-ipsec-and-firewall site-2-site-cisco diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index ece06fa2..b6ee86af 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -221,8 +221,8 @@ On the LEFT: On the RIGHT, setup by analogy and swap local and remote addresses. -Source tunnel from loopbacks -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Source tunnel from dummy interface +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The scheme above doesn't work when one of the routers has a dynamic external address though. The classic workaround for this is to setup an address on a @@ -240,7 +240,7 @@ On the LEFT: .. code-block:: none - set interfaces loopback lo address 192.168.99.1/32 + set interfaces dummy dum0 address 192.168.99.1/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 address 10.10.10.1/30 
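Review bot: The sample `ansible.cfg` in the new ansible.rst sets `host_key_checking = no`, which disables SSH host-key verification for every target and lets a man-in-the-middle on the 192.0.2.0/24 segment capture the credentials and the pushed configuration; the example should drop that line and pre-seed the control host's `known_hosts` for the four routers (e.g. with `ssh-keyscan`), or at minimum follow the block with `.. warning::` / `Disabling host key checking is for isolated lab use only; never use this setting against production routers.` The inventory and `group_vars/vyos_hosts` store the login as `ansible_user: vyos` / `ansible_ssh_pass: vyos` in clear text, i.e. the VyOS default credentials committed to disk next to the playbook; recommend SSH key authentication and, where a password is unavoidable, `ansible-vault` for the variables file, and say so in one sentence under "Add general variables". `ansible_ssh_host` / `ansible_ssh_pass` are the legacy spellings of `ansible_host` / `ansible_password`, which the Ansible 2.10 shown in the `ansible --version` output presumably accepts and documents as the current names. Minor: "Basik configuration" and "VyoS routers" are typos, and the underlines of "Start the playbook:" and of "The simple way without configuration of the hostname ..." are shorter than their titles, which Sphinx reports as warnings.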
@@ -251,7 +251,7 @@ On the RIGHT: .. code-block:: none - set interfaces loopback lo address 192.168.99.2/32 + set interfaces dummy dum0 address 192.168.99.2/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 address 10.10.10.2/30 |