Diffstat (limited to 'docs')
m---------docs/_include/vyos-1x0
-rw-r--r--docs/automation/cloud-init.rst81
-rw-r--r--docs/automation/vyos-api.rst2
-rw-r--r--docs/changelog/1.3.rst97
-rw-r--r--docs/changelog/1.4.rst22
-rw-r--r--docs/configuration/service/https.rst14
-rw-r--r--docs/configuration/service/snmp.rst4
-rw-r--r--docs/debugging.rst5
-rw-r--r--docs/installation/install.rst55
9 files changed, 222 insertions, 58 deletions
diff --git a/docs/_include/vyos-1x b/docs/_include/vyos-1x
-Subproject c2dfb24a0672ea93a4262feeddd6929275eb08c
+Subproject 147f655a69cd9526cd23f51ab18027cb5abc95b
diff --git a/docs/automation/cloud-init.rst b/docs/automation/cloud-init.rst
index 2be66f7f..10bab72c 100644
--- a/docs/automation/cloud-init.rst
+++ b/docs/automation/cloud-init.rst
@@ -58,9 +58,19 @@ cloud-config file format
************************
A cloud-config document is written in YAML. The file must begin
-with ``#cloud-config`` line. The key used to designate a VyOS configuration
-is ``vyos_config_commands``. What follows is VyOS configuration using
-the "set-style" syntax. Both "set" and "delete" commands are supported.
+with ``#cloud-config`` line. The only supported top-level keys are
+``vyos_config_commands`` and ``write_files``. The use of these keys is described
+in the following two sections.
+
+
+************************
+Initial Configuration
+************************
+
+
+The key used to designate a VyOS configuration is ``vyos_config_commands``. What
+follows is VyOS configuration using the "set-style" syntax. Both "set" and "delete"
+commands are supported.
Commands requirements:
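Review bot: "The only supported top-level keys are ``vyos_config_commands`` and ``write_files``" reads as a claim that every other cloud-config key is rejected, which the text does not establish (the paragraph a few lines further down still refers to "values configured via Metadata"); unless the VyOS cloud-init build really restricts the schema to these two keys, say "The VyOS-specific top-level keys are ..." instead. Also, the new "Initial Configuration" heading uses the same ``*`` over/underline as "cloud-config file format" although the preceding sentence introduces it as one of "the following two sections"; if it is meant as a subsection, use the ``-`` underline that "System Defaults/Fallbacks" is changed to in this same file.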
@@ -75,7 +85,7 @@ proper commands list by copying it from another router.
The configuration specified in the cloud-config document overwrites default
configuration values and values configured via Metadata.
-Here is an example cloud-config.
+Here is an example cloud-config that appends configuration at the time of first boot.
.. code-block:: yaml
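Review bot: "appends configuration at the time of first boot" sits two lines below the statement that the cloud-config "overwrites default configuration values and values configured via Metadata"; pick one verb so the reader knows whether a conflicting key replaces the default or is added beside it.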
@@ -88,9 +98,9 @@ Here is an example cloud-config.
- set interfaces ethernet eth1 address '192.0.2.247/24'
- set protocols static route 198.51.100.0/24 next-hop '192.0.2.1'
-*************************
+-------------------------
System Defaults/Fallbacks
-*************************
+-------------------------
These are the VyOS defaults and fallbacks.
@@ -100,6 +110,65 @@ These are the VyOS defaults and fallbacks.
All of these can be overridden using the configuration in user-data.
+
+*********************************
+Command Execution at Initial Boot
+*********************************
+
+VyOS supports the execution of operational commands and linux commands at
+initial boot. This is accomplished using ``write_files`` to certain
+files in the /opt/vyatta/etc/config/scripts directory. Commands specified
+in opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script are executed
+prior to configuration. The
+/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script file contains
+commands to be executed after configuration. In both cases, commands are
+executed as the root user.
+
+Note that the /opt/vyatta/etc/config is used instead of the /config/scripts
+directory referenced in the :ref:`command-scripting` section of the
+documentation because the /config/script directory isn't mounted when the
+``write_files`` module executes.
+
+The following example shows how to execute commands after the initial
+configuration.
+
+.. code-block:: yaml
+
+ #cloud-config
+ write_files:
+ - path: /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
+ owner: root:vyattacfg
+ permissions: '0775'
+ content: |
+ #!/bin/vbash
+ source /opt/vyatta/etc/functions/script-template
+ filename=/tmp/bgp_status_`date +"%Y_%m_%d_%I_%M_%p"`.log
+ run show ip bgp summary >> $filename
+
+
+If you need to gather information from linux commands to configure VyOS, you can
+execute commands and then configure VyOS in the same script.
+
+The following example sets the hostname based on the instance identifier
+obtained from the EC2 metadata service.
+
+.. code-block:: yaml
+
+
+ #cloud-config
+ write_files:
+ - path: /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
+ owner: root:vyattacfg
+ permissions: '0775'
+ content: |
+ #!/bin/vbash
+ source /opt/vyatta/etc/functions/script-template
+ hostname=`curl -s http://169.254.169.254/latest/meta-data/instance-id`
+ configure
+ set system host-name $hostname
+ commit
+ exit
+
***************
Troubleshooting
***************
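Review bot: both ``write_files`` examples create a script that the text says is executed as root at boot, yet they set ``permissions: '0775'`` with ``owner: root:vyattacfg``, which makes a root-executed boot script group-writable; unless members of ``vyattacfg`` genuinely need to modify it, use ``0755`` (or ``0750``) so only root can change it. In the EC2 example, ``curl -s`` hides failures and the result is used unquoted in ``set system host-name $hostname``; if the metadata request fails (for example on an instance that only answers IMDSv2 requests) the script runs ``set system host-name`` with an empty value and the commit fails, so add ``-f``, check that the variable is non-empty before ``configure``, and quote it. Smaller points: ``opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script`` is missing its leading slash, the paragraph refers to both ``/config/scripts`` and ``/config/script``, and "linux commands" should read "Linux commands".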
diff --git a/docs/automation/vyos-api.rst b/docs/automation/vyos-api.rst
index 27655483..8bc33d53 100644
--- a/docs/automation/vyos-api.rst
+++ b/docs/automation/vyos-api.rst
@@ -190,7 +190,7 @@ For example, show which images are installed.
/generate
=========
-THe ``generate`` endpoint run a ``generate`` command.
+The ``generate`` endpoint run a ``generate`` command.
.. code-block:: none
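Review bot: the fix corrects "THe" but leaves the verb; "The ``generate`` endpoint run a ``generate`` command" should be "runs".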
diff --git a/docs/changelog/1.3.rst b/docs/changelog/1.3.rst
index cf04e5a9..e790813b 100644
--- a/docs/changelog/1.3.rst
+++ b/docs/changelog/1.3.rst
@@ -8,10 +8,25 @@
_ext/releasenotes.py
+2021-08-30
+==========
+
+* :vytask:`T2558` (feature): Add some CPU information to `show version` + fix broken hypervisor detection
+
+
+2021-08-29
+==========
+
+* :vytask:`T3708` (bug): isisd and gre-bridge commit error
+* :vytask:`T3783` (bug): "set protocols isis spf-delay-ietf" is not working
+* :vytask:`T2750` (default): Use m4 as a template processor
+
+
2021-08-27
==========
* :vytask:`T3182` (bug): Main blocker Task for FRR 7.4/7.5 series update
+* :vytask:`T2108` (default): Use minisign/signify instead of GPG for release signing
2021-08-26
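Review bot: this file carries the ``_ext/releasenotes.py`` marker at the top, which suggests it is regenerated from the task titles; the reworded entries in the later hunks of this file (T2645, T2946, T3055, T2467 and the rest) will be lost on the next regeneration unless the titles were also changed at the source. If the intent is to curate the wording in the docs, note that in the commit message or in the generator.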
@@ -326,7 +341,7 @@
* :vytask:`T3250` (bug): PPPoE server: wrong local usernames
* :vytask:`T3138` (bug): ddclient improperly updated when apply rfc2136 config
* :vytask:`T2620` (feature): Add ipsec peer-name to log to simplifies grepping and troubleshooting
-* :vytask:`T2645` (default): Editing route-map Action Requires New Rule
+* :vytask:`T2645` (default): Editing route-map action requires adding a new rule
2021-06-09
@@ -383,7 +398,7 @@
* :vytask:`T3103` (default): Rewrite parts of vyos\frr.py for readability, logging and to fix mulitiline regex "bugs"
* :vytask:`T2739` (default): vyos-utils is not compiled with a Jenkins pipeline.
* :vytask:`T2451` (bug): Cannot use !tcp or !tcp_udp while adding firewall rule
-* :vytask:`T2436` (default): equuleus: Testing: vyos-1x: syntax checking python scripts in PR
+* :vytask:`T2436` (default): equuleus: Testing: vyos-1x: syntax checking Python scripts in PR
* :vytask:`T2184` (bug): OpenVPN op_mode tools broken
* :vytask:`T1944` (bug): FRR: Invalid route in BGP causes update storm, memory leak, and failure of Zebra.
* :vytask:`T1995` (bug): "show vpn ike sa" command always show child-sas as down
@@ -564,7 +579,7 @@
==========
* :vytask:`T3458` (default): vyos docs missing gretap from tunnel section
-* :vytask:`T2946` (bug): call to commandd 'stty_size' cause show interfaces API to fail.
+* :vytask:`T2946` (bug): Calling 'stty_size' causes show interfaces API to fail
2021-04-26
@@ -603,7 +618,7 @@
2021-04-14
==========
-* :vytask:`T3055` (bug): op-mode incorrect naming fo ipsec policy-based tunnels
+* :vytask:`T3055` (bug): op-mode incorrect naming for ipsec policy-based tunnels
2021-04-12
@@ -1069,7 +1084,7 @@
2021-01-09
==========
-* :vytask:`T2467` (bug): Restarting Flow Accounting Fails
+* :vytask:`T2467` (bug): Restarting flow accounting fails with systemd error
* :vytask:`T3199` (feature): Update Linux Kernel to v5.4.88 / 5.10.6
@@ -1093,7 +1108,7 @@
* :vytask:`T3185` (bug): [conf-mode] Wrong CompletionHelp for Tunnel local-ip
* :vytask:`T3152` (bug): wan-load-balance does not show connections
-* :vytask:`T2601` (bug): pppoe-server: does not possible to disable ccp
+* :vytask:`T2601` (bug): pppoe-server: Cannot disable CCP
2021-01-03
@@ -1119,8 +1134,8 @@
2020-12-31
==========
-* :vytask:`T3162` (bug): PPPoE server pado-delay issue
-* :vytask:`T3160` (bug): PPPoE server called-sid option does not work
+* :vytask:`T3162` (bug): Wrong PPPoE server pado-delay parameter added to config
+* :vytask:`T3160` (bug): PPPoE server called-sid option defined in wrong section
* :vytask:`T3168` (feature): Update Linux Kernel to v5.4.86
@@ -1149,7 +1164,7 @@
2020-12-23
==========
-* :vytask:`T3143` (bug): OpenVPN server: Push route does not work
+* :vytask:`T3143` (bug): OpenVPN server: Push route config format is wrong
* :vytask:`T3146` (feature): Upgrade FRR from 7.4 -> 7.5 version incl. new libyang
* :vytask:`T3145` (feature): Update Linux Kernel to v5.4.85
* :vytask:`T3147` (feature): Upgrade to SaltStack version 3002.2
@@ -1158,13 +1173,19 @@
2020-12-22
==========
-* :vytask:`T3142` (bug): OpenVPN op-command completion issue
+* :vytask:`T3142` (bug): OpenVPN op-command completion fails due to missing status file
* :vytask:`T2940` (feature): Update FRR to 7.4
-* :vytask:`T2573` (bug): BFD opmode Commands are broken
+* :vytask:`T2573` (bug): BFD op-mode commands are broken
* :vytask:`T2495` (feature): Add xml for ISIS [conf_mode]
* :vytask:`T1316` (feature): Support for IS-IS
+2020-12-21
+==========
+
+* :vytask:`T2619` (bug): Bug: Changes in NAT or ZONES from 1.2 to 1.3
+
+
2020-12-20
==========
@@ -1224,7 +1245,7 @@
2020-12-07
==========
-* :vytask:`T3120` (bug): 1.3-rolling-202012070217 python error when deleting nat rule
+* :vytask:`T3120` (bug): Python error when deleting nat rule
* :vytask:`T3119` (feature): migrate "system ip" to get_config_dict() and provide smoketest
@@ -1237,7 +1258,7 @@
2020-12-04
==========
-* :vytask:`T3108` (bug): Section Config overlapped match with FRRConfig
+* :vytask:`T3108` (bug): Section config overlapped match with FRRConfig
* :vytask:`T3112` (feature): PPPoE IPv6: remove "enable" node
* :vytask:`T3100` (feature): Migrate DHCP/DHCPv6 server to get_config_dict()
@@ -1309,7 +1330,7 @@
* :vytask:`T2153` (bug): traceroute circular reference
* :vytask:`T3081` (bug): get_config_dict() does not honor whitespaces in the CLI values field
* :vytask:`T3080` (bug): OpenVPN failing silently for a number of reasons in rolling post Nov/02
-* :vytask:`T3074` (bug): openvpn site-to-site dosn't work
+* :vytask:`T3074` (bug): OpenVPN site-to-site creates wrong peer address
* :vytask:`T2542` (bug): OpenVPN client tap interfaces not coming up
* :vytask:`T3084` (bug): wifi: TypeError on "show interfaces wireless info"
@@ -1318,7 +1339,7 @@
==========
* :vytask:`T3079` (bug): Fix the problem that VLAN 1 will be deleted in VLAN-aware bridge
-* :vytask:`T3060` (bug): OpenVPN not working in vyos-1.3-rolling-20201101 and after
+* :vytask:`T3060` (bug): OpenVPN virtual interface not coming up after upgrade
2020-11-20
@@ -1349,7 +1370,7 @@
2020-11-15
==========
-* :vytask:`T3069` (bug): openvpn - routed networks not available
+* :vytask:`T3069` (bug): OpenVPN routed networks not available
* :vytask:`T3038` (feature): Supporting AZERTY keyboards
* :vytask:`T2993` (bug): op-mode: lldp: show lldp neighbors - AttributeError: 'str' object has no attribute 'items'
* :vytask:`T2564` (enhancment): Extend VyOS to support appliance LCDs
@@ -1415,7 +1436,7 @@
* :vytask:`T3043` (feature): Wireless: Refactor CLI
* :vytask:`T3034` (feature): Add WiFi WPA 3 support
-* :vytask:`T2967` (bug): Duplicate IPv6 BFD Peers Created
+* :vytask:`T2967` (bug): Duplicate IPv6 BFD peers created
* :vytask:`T2483` (bug): DHCP most likely not restarting pdns_recursor
@@ -1485,7 +1506,7 @@
2020-10-22
==========
-* :vytask:`T2978` (bug): IPoE service does not work on shared mode.
+* :vytask:`T2978` (bug): IPoE service does not work on shared mode
* :vytask:`T2906` (bug): OpenVPN: tls-auth missing key direction
@@ -1493,14 +1514,14 @@
==========
* :vytask:`T2828` (bug): BGP conf_mode error enforce-first-as
-* :vytask:`T2749` (bug): Setting ethx configuration issue.
+* :vytask:`T2749` (bug): Setting ethx configuration takes a long time
* :vytask:`T2138` (default): Can't load archived configs as they are gzipped
2020-10-20
==========
-* :vytask:`T2987` (bug): VxLAN not working properly after upgrading to latest October build (also with newinstallation)
+* :vytask:`T2987` (bug): VxLAN not working properly after upgrading to latest October build and with a new installation
* :vytask:`T2989` (default): MPLS documentation expansion
@@ -1547,7 +1568,7 @@
2020-10-12
==========
-* :vytask:`T2951` (bug): monitor nat not working
+* :vytask:`T2951` (bug): Cannot enable logging for monitor nat
* :vytask:`T2782` (bug): Changing timezone, does not restart rsyslog
@@ -1566,7 +1587,7 @@
2020-10-06
==========
-* :vytask:`T2957` (bug): show openvpn not returning anything
+* :vytask:`T2957` (bug): show openvpn not printing anything
2020-10-05
@@ -1599,7 +1620,7 @@
2020-10-01
==========
-* :vytask:`T2945` (bug): Interface removed from BRIDGE on setting changed
+* :vytask:`T2945` (bug): Interface removed from bridge on setting change
* :vytask:`T2948` (bug): NAT: OSError when configuring translation address range
* :vytask:`T2936` (feature): Migrate PPPoE server to get_config_dict() do reduce boilerplate code
@@ -1697,7 +1718,7 @@
2020-09-14
==========
-* :vytask:`T2872` (bug): "Show log" for nat and openvpn got inter-mixed
+* :vytask:`T2872` (bug): "Show log" for nat and openvpn got intermixed
* :vytask:`T2301` (bug): Delete PBR vyatta_policy_ref
* :vytask:`T2880` (feature): Update Linux Kernel to v4.19.145
* :vytask:`T2879` (feature): Cleanup 4.19.144 kernel configuration
@@ -1749,7 +1770,7 @@
2020-09-02
==========
-* :vytask:`T2833` (bug): vyos 1.3-rolling-202008200357 RIP outgoing update filter list no longer operational
+* :vytask:`T2833` (bug): RIP outgoing update filter list no longer operational
* :vytask:`T2849` (bug): vyos.xml.defaults should return a list on multi nodes, by default
@@ -1811,7 +1832,7 @@
2020-08-23
==========
-* :vytask:`T2811` (bug): Does not possible to delete vpn anyconnect
+* :vytask:`T2811` (bug): Cannot delete vpn anyconnect
* :vytask:`T2823` (bug): VXLAN has state A/D after configuration
* :vytask:`T2812` (default): Add basic smoketest for anyconnect
@@ -1961,7 +1982,7 @@
2020-07-27
==========
-* :vytask:`T2729` (feature): Pseudo-ethernet replace fail message.
+* :vytask:`T2729` (feature): Pseudo-ethernet replace fail message
* :vytask:`T1249` (feature): multiply PBR rules can set to a single interface
* :vytask:`T1956` (feature): PPPoE server: support PADO-delay
* :vytask:`T1295` (feature): FRR: update documentation
@@ -1977,7 +1998,7 @@
* :vytask:`T2734` (feature): WireGuard: fwmark CLI definition is inconsistent
* :vytask:`T2733` (feature): Support MTU configuration on pseudo ethernet devices
-* :vytask:`T2644` (default): Disabling Bonded Interfaces Broken
+* :vytask:`T2644` (default): Bonding interfaces cannot be disabled
* :vytask:`T2476` (bug): Bond member description change leads to network outage
* :vytask:`T2443` (feature): NHRP: Add debugging information to syslog
* :vytask:`T2021` (bug): OSPFv3 doesn't support decimal area syntax
@@ -2027,10 +2048,10 @@
2020-07-22
==========
-* :vytask:`T2718` (bug): ntp.conf updated incorrectly.
+* :vytask:`T2718` (bug): ntp.conf updated incorrectly
* :vytask:`T2658` (bug): Interface description comment display error
-* :vytask:`T2643` (bug): Show Interface Command Issues
-* :vytask:`T2725` (bug): Recent 1.3 rolling (since May) fail to load config if user has no password - KeyError: 'password_encrypted'
+* :vytask:`T2643` (bug): show interfaces does not scale with terminal width
+* :vytask:`T2725` (bug): Config fails to load if user has no password
* :vytask:`T2707` (default): Allow alternative initialization data for Config
@@ -2098,7 +2119,7 @@
2020-07-06
==========
-* :vytask:`T2680` (bug): Dhcp6c service can not recover when it fails.
+* :vytask:`T2680` (bug): dhcp6c service cannot recover when it fails
2020-07-05
@@ -2150,9 +2171,9 @@
2020-06-26
==========
-* :vytask:`T2642` (bug): sshd Broken on Latest Rolling Release
+* :vytask:`T2642` (bug): sshd fails to start due to configuration error
* :vytask:`T2588` (default): Add support for default values to the interface-definition format
-* :vytask:`T2622` (bug): An issue with config migration (interface pseudo ethernet)
+* :vytask:`T2622` (bug): Pseudo-ethernet interface config disappears across versions
* :vytask:`T2057` (feature): Generalised Interface configuration
* :vytask:`T2625` (feature): Provide generic Library for package builds
@@ -2184,7 +2205,7 @@
2020-06-23
==========
-* :vytask:`T2632` (bug): WireGuard: Can not use only one preshared-key for one peer
+* :vytask:`T2632` (bug): WireGuard: Cannot use only one preshared-key for one peer
* :vytask:`T1829` (bug): Install Image script does not respect size of partition greater than 2G but less than disk size
* :vytask:`T2635` (feature): SSH: migrate to get_config_dict()
@@ -2281,8 +2302,8 @@
==========
* :vytask:`T2575` (bug): pppoe-server: does not possibly assign IP address
-* :vytask:`T2565` (bug): Does not possible connect to l2tp server with radius auth
-* :vytask:`T2553` (bug): Regression: set interface ethN vif-s nnnn does not commit on 1.3-rolling-202006050621
+* :vytask:`T2565` (bug): Cannot connect to l2tp server with radius auth
+* :vytask:`T2553` (bug): set interface ethN vif-s nnnn does not commit
2020-06-08
@@ -2368,7 +2389,7 @@
2020-05-26
==========
-* :vytask:`T2520` (bug): Show conntrack fail
+* :vytask:`T2520` (bug): show conntrack fails with Perl error
* :vytask:`T2502` (bug): PPPoE default route not installed for IPv6 when "default-route auto"
* :vytask:`T2458` (feature): Update FRR to 7.3.1
* :vytask:`T2506` (feature): DHCPv6-PD add prefix hint CLI option
diff --git a/docs/changelog/1.4.rst b/docs/changelog/1.4.rst
index 87e6de41..57ca2fdb 100644
--- a/docs/changelog/1.4.rst
+++ b/docs/changelog/1.4.rst
@@ -8,10 +8,26 @@
_ext/releasenotes.py
+2021-08-29
+==========
+
+* :vytask:`T3708` (bug): isisd and gre-bridge commit error
+* :vytask:`T3783` (bug): "set protocols isis spf-delay-ietf" is not working
+* :vytask:`T2750` (default): Use m4 as a template processor
+
+
+2021-08-28
+==========
+
+* :vytask:`T3743` (bug): l2tp doesn't work after reboot if outside-address not 0.0.0.0
+
+
2021-08-27
==========
* :vytask:`T3182` (bug): Main blocker Task for FRR 7.4/7.5 series update
+* :vytask:`T3568` (feature): Add XML for firewall conf-mode
+* :vytask:`T2108` (default): Use minisign/signify instead of GPG for release signing
2021-08-26
@@ -325,7 +341,7 @@
* :vytask:`T3250` (bug): PPPoE server: wrong local usernames
* :vytask:`T3138` (bug): ddclient improperly updated when apply rfc2136 config
* :vytask:`T2620` (feature): Add ipsec peer-name to log to simplifies grepping and troubleshooting
-* :vytask:`T2645` (default): Editing route-map Action Requires New Rule
+* :vytask:`T2645` (default): Editing route-map action requires adding a new rule
2021-06-08
@@ -576,7 +592,7 @@
==========
* :vytask:`T3458` (default): vyos docs missing gretap from tunnel section
-* :vytask:`T2946` (bug): call to commandd 'stty_size' cause show interfaces API to fail.
+* :vytask:`T2946` (bug): Calling 'stty_size' causes show interfaces API to fail
2021-04-26
@@ -639,7 +655,7 @@
==========
* :vytask:`T3398` (bug): Can't commit
-* :vytask:`T3055` (bug): op-mode incorrect naming fo ipsec policy-based tunnels
+* :vytask:`T3055` (bug): op-mode incorrect naming for ipsec policy-based tunnels
2021-04-13
diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst
index 1f1e2aa9..c44fffd9 100644
--- a/docs/configuration/service/https.rst
+++ b/docs/configuration/service/https.rst
@@ -4,7 +4,7 @@
HTTP-API
########
-VyOS provide a HTTP API. You can use it to execute op-mode commands,
+VyOS provide an HTTP API. You can use it to execute op-mode commands,
update VyOS, set or delete config.
Please take a look at the :ref:`vyosapi` page for an detailed how-to.
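Review bot: "VyOS provide an HTTP API" still has a number-agreement error ("VyOS provides"), and "an detailed how-to" in the unchanged line below should be "a detailed how-to".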
@@ -15,7 +15,7 @@ Configuration
.. cfgcmd:: set service https api keys id <name> key <apikey>
- Set an named api key, every key have the same, full permissions
+ Set a named api key. Every key has the same, full permissions
on the system.
.. cfgcmd:: set service https api debug
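Review bot: "Every key has the same, full permissions on the system" deserves one more sentence on what that means: any key can change and commit the running configuration, so it is equivalent to an admin credential, and as the example further down shows (``key MY-HTTPS-API-PLAINTEXT-KEY``) it is stored in plaintext in the configuration. Suggest advising readers to generate keys from a CSPRNG, to use one key per client so a leaked key can be revoked individually, and to protect configuration backups accordingly.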
@@ -25,7 +25,7 @@ Configuration
.. cfgcmd:: set service https api port
- Set the listen port of the local API, this have non effect of the
+ Set the listen port of the local API, this has no effect on the
webserver. The default is port 8080
.. cfgcmd:: set service https api strict
@@ -42,11 +42,11 @@ Configuration
.. cfgcmd:: set service https virtual-host <vhost> server-name <text>
- Server names for virtual hosts it ca be exact, wildcard or regex.
+ Server names for virtual hosts it can be exact, wildcard or regex.
.. cfgcmd:: set service https api-restrict virtual-host <vhost>
- Nginx exposes the local API on all virtual servers, by default
+ By default, nginx exposes the local API on all virtual servers.
Use this to restrict nginx to one or more virtual hosts.
.. cfgcmd:: set service https certificates certbot domain-name <text>
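Review bot: "Server names for virtual hosts it can be exact, wildcard or regex" is still a run-on; "Server names for virtual hosts; they can be exact, wildcard or regex" or two separate sentences.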
@@ -78,7 +78,7 @@ Set an API-KEY is the minimal configuration to get a working API Endpoint.
set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY
-To use this full configuration we asume a publice accessable hostname.
+To use this full configuration we asume a public accessible hostname.
.. code-block:: none
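Review bot: "asume" is still misspelled ("assume") and "public accessible" should be "publicly accessible".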
@@ -88,4 +88,4 @@ To use this full configuration we asume a publice accessable hostname.
set service https virtual-host rtr01 listen-address 198.51.100.2
set service https virtual-host rtr01 listen-port 11443
set service https virtual-host rtr01 server-name rtr01.example.com
- set service https api-restrict virtual-host rtr01.example.com \ No newline at end of file
+ set service https api-restrict virtual-host rtr01.example.com
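Review bot: the example restricts the API with ``api-restrict virtual-host rtr01.example.com``, but the virtual host defined three lines above is named ``rtr01`` (``rtr01.example.com`` is its ``server-name``). Since the option is documented above as taking ``<vhost>``, this should be ``set service https api-restrict virtual-host rtr01``; as written it names a virtual host the example never defines, so the restriction the example is meant to demonstrate does not apply to the configured vhost. The trailing-newline fix itself is fine.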
diff --git a/docs/configuration/service/snmp.rst b/docs/configuration/service/snmp.rst
index 36dc1787..d4b340c1 100644
--- a/docs/configuration/service/snmp.rst
+++ b/docs/configuration/service/snmp.rst
@@ -129,7 +129,7 @@ sent in clear text between a manager and agent. Each SNMPv3 message contains
security parameters which are encoded as an octet string. The meaning of these
security parameters depends on the security model being used.
-The securityapproach in v3 targets:
+The security approach in SNMPv3 targets:
* Confidentiality – Encryption of packets to prevent snooping by an
unauthorized source.
@@ -163,7 +163,7 @@ Example
set service snmp v3 view default oid 1
After commit the plaintext passwords will be hashed and stored in your
-configuration. The resulting LCI config will look like:
+configuration. The resulting CLI config will look like:
.. code-block:: none
diff --git a/docs/debugging.rst b/docs/debugging.rst
index fec73257..5a25639d 100644
--- a/docs/debugging.rst
+++ b/docs/debugging.rst
@@ -29,6 +29,11 @@ Kernel
an unexpected delay during manual or boot commit, this may be useful in
identifying bottlenecks. The internal flag is ``VYOS_DEBUG``, and is found
in vyatta-cfg_. Output is directed to ``/var/log/vyatta/cfg-stdout.log``.
+
+ In addition this setting creates the runtime debug files for some Live system
+ components (see below). Those files are: ``/tmp/vyos-config-status``,
+ ``/tmp/vyos.container.debug``, ``/tmp/vyos.frr.debug``,
+ ``/tmp/vyos.ifconfig.debug``.
* ``vyos-config-debug`` - During development, coding errors can lead to a
commit failure on boot, possibly resulting in a failed initialization of the
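Review bot: minor wording in the added paragraph: "In addition this setting" needs a comma after "In addition", "Live system" should be lowercase "live system", and "(see below)" should name the section it points to, since nothing in this hunk follows up on it.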
diff --git a/docs/installation/install.rst b/docs/installation/install.rst
index 7b96511a..7cd582f4 100644
--- a/docs/installation/install.rst
+++ b/docs/installation/install.rst
@@ -177,6 +177,59 @@ Finally, verify the authenticity of the downloaded image:
gpg: Good signature from "VyOS Maintainers (VyOS Release) <maintainers@vyos.net>" [unknown]
Primary key fingerprint: 0694 A923 0F51 39BF 834B A458 FD22 0285 A0FE 6D7E
+.. _minisign-verification:
+
+Minisign verification
+^^^^^^^^^^^^^^^^^^^^^
+
+Currently we are using GPG for release signing (pretty much like everyone else).
+
+Popularity of GPG for release signing comes from the fact that many people
+already had it installed for email encryption/signing. Inside a VyOS image,
+signature checking is the only reason to have it installed. However, it still
+comes with all the features no one needs, such as support for multiple outdated
+cipher suits and ability to embed a photo in the key file. More importantly,
+web of trust, the basic premise of PGP, is never used in release signing
+context. Once you have a knowingly authentic image, authenticity of upgrades is
+checked using a key that comes in the image, and to get their first image people
+never rely on keyservers either.
+
+Another point is that we are using RSA now, which requires absurdly large keys
+to be secure.
+
+In 2015, OpenBSD introduced signify. An alternative implementation of the same
+protocol is minisign, which is also available for Windows and macOS, and in most
+GNU/Linux distros it's in the repositories now.
+
+Its installed size (complete with libsodium) is less than that of GPG binary
+alone (not including libgcrypt and some other libs, which I think we only use
+for GPG). Since it uses elliptic curves, it gets away with much smaller keys,
+and it doesn't include as much metadata to begin with.
+
+Another issue of GPG is that it creates a /root/.gnupg directory just for
+release checking. The dir is small so the fact that it's never used again is
+an aesthetic problem, but we've had that process fail in the past. But, small
+key size of the Ed25519 algorithm allows passing public keys in command line
+arguments, so verification process can be completely stateless:
+
+:vytask:`T2180` switched the validation system to prefer minisign over GPG keys.
+
+To verify a VyOS image starting off with VyOS 1.3.0-rc6 you can run:
+
+.. code-block:: none
+
+ $ minisign -V -P RWTR1ty93Oyontk6caB9WqmiQC4fgeyd/ejgRxCRGd2MQej7nqebHneP -m vyos-1.3.0-rc6-amd64.iso vyos-1.3.0-rc6-amd64.iso.minisig
+ Signature and comment signature verified
+ Trusted comment: timestamp:1629997936 file:vyos-1.3.0-rc6-amd64.iso
+
+During an image upgrade VyOS performas the following command:
+
+.. code-block:: none
+
+ $ minisign -V -p /usr/share/vyos/keys/vyos-release.minisign.pub -m vyos-1.3.0-rc6-amd64.iso vyos-1.3.0-rc6-amd64.iso.minisig
+ Signature and comment signature verified
+ Trusted comment: timestamp:1629997936 file:vyos-1.3.0-rc6-amd64.iso
+
.. _live_installation:
Live installation
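Review bot: the task reference looks wrong: the text cites :vytask:`T2180` for the switch to minisign, while both changelogs in this commit record that change as T2108 ("Use minisign/signify instead of GPG for release signing"). The section also reads as a pasted design note rather than documentation: it opens with "Currently we are using GPG for release signing" directly under a heading announcing minisign, and later says "which I think we only use for GPG"; trim it to the rationale and the two commands. Two practical points worth adding for readers: with ``-P`` the verification is stateless, so the only trust decision left is the public key itself, which should be confirmed through a channel other than the page the image was downloaded from; and the trusted comment printed on success (``file:vyos-1.3.0-rc6-amd64.iso``) should be compared with the name of the file actually verified, since minisign signs that comment too. Typos: "cipher suits" (suites), "performas" (performs), "starting off with" (starting with), and the paragraph ending in "completely stateless:" should end with a period since the next paragraph is not the continuation it announces.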
@@ -460,7 +513,7 @@ extracted contents of the ISO file.
so that it shows the correct URL at
``fetch=http://<address_of_your_HTTP_server>/filesystem.squashfs``.
-.. note:: Do not change the name of the *filesystem.squashfs* file. If
+.. note:: Do not change the name of the *filesystem.squashfs* file. If
you are working with different versions, you can create different
directories instead.