43 files changed, 546 insertions, 242 deletions
diff --git a/Makefile.am b/Makefile.am index 531c5d99..e487007f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,14 +1,19 @@ cfgdir = $(datadir)/vyatta-cfg/templates -share_perl5dir = $(datarootdir)/perl5 +share_perl5dir = $(datarootdir)/perl5/Vyatta libudevdir = /lib/udev etcudevdir = /etc/udev bin_sudo_usersdir = $(bindir)/sudo-users curverdir = $(sysconfdir)/config-migrate/current +netplugupdir = /etc/netplug/linkup.d +netplugdowndir = /etc/netplug/linkdown.d bin_SCRIPTS = sbin_SCRIPTS = sysconf_DATA = +netplugup_SCRIPTS = scripts/netplug/linkup/dhclient +netplugdown_SCRIPTS = scripts/netplug/linkdown/dhclient + bin_SCRIPTS += scripts/progress-indicator bin_SCRIPTS += scripts/vyatta-functions @@ -38,7 +43,7 @@ sbin_SCRIPTS += scripts/vyatta-raid-event noinst_DATA = test_bootfile -share_perl5_DATA = scripts/keepalived/VyattaKeepalived.pm +share_perl5_DATA = lib/Vyatta/Keepalived.pm bin_sudo_users_SCRIPTS = scripts/keepalived/vyatta-clear-vrrp.pl bin_sudo_users_SCRIPTS += scripts/keepalived/vyatta-show-vrrp.pl diff --git a/debian/control b/debian/control index b8128287..8b05318a 100644 --- a/debian/control +++ b/debian/control @@ -39,7 +39,8 @@ Depends: sed (>= 4.1.5), dnsmasq, mdadm, ddclient, - libio-socket-ssl-perl + libio-socket-ssl-perl, + pam-tacplus Pre-Depends: bash-completion Suggests: util-linux (>= 2.13-5), net-tools, diff --git a/debian/rules b/debian/rules index 7955e31c..530a2145 100755 --- a/debian/rules +++ b/debian/rules @@ -88,7 +88,11 @@ binary-indep: build install dh_compress dh_fixperms dh_installdeb - dh_gencontrol + if [ -f "../.VYATTA_DEV_BUILD" ]; then \ + dh_gencontrol -- -v999.dev; \ + else \ + dh_gencontrol; \ + fi dh_md5sums dh_builddeb diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 3304fdd8..0f699d2b 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in 
@@ -11,6 +11,11 @@ for init in ntp ssh snmpd openhpid vyatta-keepalived ipvsadm dnsmasq ddclient; d update-rc.d -f ${init} remove >/dev/null done +# remove extra call to clock setup only need one +if [ -L /etc/rcS.d/S08hwclockfirst.sh -a -L /etc/rcS.d/S11hwclock.sh ]; then + rm /etc/init.d/rcS.d/S11hwclock.sh +fi + case `grep '^RULES_FILE=' /lib/udev/write_net_rules` in *z25_persistent-net.rules* ) vyatta_net_rules=z24_vyatta-net.rules;; diff --git a/scripts/keepalived/VyattaKeepalived.pm b/lib/Vyatta/Keepalived.pm index 6507d8f7..325022f6 100755 --- a/scripts/keepalived/VyattaKeepalived.pm +++ b/lib/Vyatta/Keepalived.pm @@ -21,9 +21,13 @@ # # **** End License **** # -package VyattaKeepalived; +package Vyatta::Keepalived; +our @EXPORT = qw(get_conf_file get_state_script get_state_file + vrrp_log vrrp_get_init_state + start_daemon restart_daemon stop_daemon); +use base qw(Exporter); -use VyattaConfig; +use Vyatta::Config; use POSIX; use strict; @@ -81,7 +85,7 @@ sub stop_daemon { sub restart_daemon { my ($conf) = @_; - if (VyattaKeepalived::is_running()) { + if (is_running()) { my $pid = `cat $keepalived_pid`; $pid =~ s/\s+$//; # chomp doesn't remove nl system("kill -1 $pid"); @@ -139,7 +143,7 @@ sub vrrp_get_config { my ($intf, $group) = @_; my $path; - my $config = new VyattaConfig; + my $config = new Vyatta::Config; if ($intf =~ m/(eth\d+)\.(\d+)/) { $path = "interfaces ethernet $1 vif $2"; @@ -232,12 +236,12 @@ sub vrrp_get_init_state { my ($intf, $group, $vips, $preempt) = @_; my $init_state; - if (VyattaKeepalived::is_running()) { - my @state_files = VyattaKeepalived::get_state_files($intf, $group); + if (is_running()) { + my @state_files = get_state_files($intf, $group); chomp @state_files; if (scalar(@state_files) > 0) { my ($start_time, $f_intf, $f_group, $state, $ltime) = - VyattaKeepalived::vrrp_state_parse($state_files[0]); + vrrp_state_parse($state_files[0]); if ($state eq "master") { $init_state = 'MASTER'; } else { 
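Review bot: The new hwclock cleanup in the postinst tests `/etc/rcS.d/S11hwclock.sh` but then removes `/etc/init.d/rcS.d/S11hwclock.sh`, so the `rm` targets a path that was never checked and the duplicate clock setup it is meant to drop stays in place (the rm just fails on a non-existent path). Make the two paths agree and keep the removal tolerant: `rm -f /etc/rcS.d/S11hwclock.sh`. Since the loop just above this hunk already uses `update-rc.d -f ${init} remove` for the other services, `update-rc.d -f hwclock.sh remove` may be the more consistent way to drop the link, if removing it from every runlevel is acceptable.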
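Review bot: `our @EXPORT = qw(...)` in Vyatta::Keepalived pushes seven functions into every importer's namespace unconditionally, while most of the renamed scripts in this change still call them fully qualified and so gain nothing from it. Prefer `our @EXPORT_OK = qw(get_conf_file get_state_script get_state_file vrrp_log vrrp_get_init_state start_daemon restart_daemon stop_daemon);` and have the one script that uses bare names import them explicitly with `use Vyatta::Keepalived qw(...)`; that keeps generic names such as `stop_daemon` from silently shadowing a caller's own subs. The `use base qw(Exporter)` line would conventionally come before the export list.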
diff --git a/scripts/dns-forwarding/vyatta-dns-forwarding.pl b/scripts/dns-forwarding/vyatta-dns-forwarding.pl index d0d7e36c..8c28becd 100644 --- a/scripts/dns-forwarding/vyatta-dns-forwarding.pl +++ b/scripts/dns-forwarding/vyatta-dns-forwarding.pl @@ -24,8 +24,8 @@ # use lib "/opt/vyatta/share/perl5/"; -use VyattaConfig; -use VyattaMisc; +use Vyatta::Config; +use Vyatta::Misc; use Getopt::Long; use strict; @@ -60,7 +60,7 @@ sub dnsforwarding_get_values { my $outside_cli = shift; my $output = ''; - my $config = new VyattaConfig; + my $config = new Vyatta::Config; my $use_dnsmasq_conf = 0; my (@listen_interfaces, $cache_size, @use_nameservers, $use_system_nameservers, @use_dhcp_nameservers); @@ -101,7 +101,7 @@ sub dnsforwarding_get_values { if (defined($use_system_nameservers)) { $use_dnsmasq_conf = 1; - my $sys_config = new VyattaConfig; + my $sys_config = new Vyatta::Config; $sys_config->setLevel("system"); my @system_nameservers; if ($outside_cli == 1){ @@ -156,7 +156,7 @@ sub check_nameserver { sub check_system_nameserver { - my $config = new VyattaConfig; + my $config = new Vyatta::Config; $config->setLevel("system"); my @system_nameservers = $config->returnValues("name-server"); return(@system_nameservers); @@ -165,7 +165,7 @@ sub check_system_nameserver { sub check_dhcp_any_interface { - my $config = new VyattaConfig; + my $config = new Vyatta::Config; $config->setLevel("interfaces ethernet"); my @eths = $config->listNodes("."); foreach my $eth (@eths) { @@ -207,7 +207,7 @@ sub check_dhcp_any_interface { sub is_dhcp_enabled { my $intf = shift; - my $config = new VyattaConfig; + my $config = new Vyatta::Config; if ($intf =~ m/^eth/) { if ($intf =~ m/(\w+)\.(\d+)/) { @@ -278,7 +278,7 @@ if (defined $dhcp_interface) { if (defined $update_dnsforwarding) { my $config; - my $vyatta_config = new VyattaConfig; + my $vyatta_config = new Vyatta::Config; $vyatta_config->setLevel("service dns forwarding"); my $use_system_nameservers = $vyatta_config->exists("system"); 
diff --git a/scripts/dynamic-dns/vyatta-dynamic-dns.pl b/scripts/dynamic-dns/vyatta-dynamic-dns.pl index 06bd1ee5..30512bae 100644 --- a/scripts/dynamic-dns/vyatta-dynamic-dns.pl +++ b/scripts/dynamic-dns/vyatta-dynamic-dns.pl @@ -24,8 +24,8 @@ # use lib "/opt/vyatta/share/perl5/"; -use VyattaConfig; -use VyattaMisc; +use Vyatta::Config; +use Vyatta::Misc; use Getopt::Long; use strict; @@ -110,7 +110,7 @@ sub dynamicdns_get_constants { sub dynamicdns_get_values { my $output = ''; - my $config = new VyattaConfig; + my $config = new Vyatta::Config; $config->setLevel("service dns dynamic interface $interface"); my @services = $config->listNodes("service"); diff --git a/scripts/install-system b/scripts/install-system index eb182e39..6dd7f360 100755 --- a/scripts/install-system +++ b/scripts/install-system @@ -50,9 +50,9 @@ rootfsdir=/mnt/rootfs # UNION=false # install log file name -INSTALL_LOG="install.log" +INSTALL_LOG=/tmp/install-$$.log # root partition minimum size in MB -ROOT_MIN="450" +ROOT_MIN=500 # the base install drive e.g. sda if [ -n "$INSTALL_DRIVE" ]; then INSTALL_DRIVE="" @@ -75,9 +75,6 @@ PARTITION='' # Process ID of this script for the lame marketing spinner SPID=$$ -# Path to standalone root password reset script -PWRESET=/opt/vyatta/sbin/standalone_root_pw_reset - # Grub options GRUB_OPTIONS="quiet" 
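Review bot: `INSTALL_LOG=/tmp/install-$$.log` is a predictable file name in a world-writable directory, and this installer runs as root, so a symlink planted at that path beforehand would be followed the first time the log is written; the old cwd-relative `install.log` had no such exposure. Create the file atomically instead: `INSTALL_LOG=$(mktemp /tmp/install-XXXXXX) || exit 1`. The exposure on a fresh live-CD shell is small, but the fix is a one-liner and also removes the need for the log-rotation block this change deletes further down.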
@@ -85,20 +82,6 @@ GRUB_OPTIONS="quiet" VTY_CONSOLE="console=ttyS0,9600 console=tty0" SERIAL_CONSOLE="console=tty0 console=ttyS0,9600" -# If VGA_LOGO is set, enable use of the VGA monitor for displaying the -# logo during boot. The "vga=" boot command specifies a VGA mode that -# is encoded as shown below. We pick a value that is likely to work -# on most systems: -# -# Color depth | 640x480 | 800x600 | 1024x768 | 1280x1024 -# -----------------+---------+---------+----------+---------- -# 256 (8bit) | 769 771 773 775 -# 32000 (15bit) | 784 787 790 793 -# 65000 (16bit) | 785 788 791 794 -# 16.7 Mill.(24bit)| 786 789 792 795 -# -VGA_LOGO="vga=788" - # trap signals so we can kill runaway progress indicators trap 'progress_indicator stop; exit 1' 1 trap 'progress_indicator stop; exit 1' 2 
@@ -271,9 +254,41 @@ check_for_old_raid () { response=$(get_response "Yes" "Yes No Y N") if [ "$response" == "no" ] || [ "$response" == "n" ]; then + echo echo "Ok. Not using existing RAID groups." - echo "Stopping existing RAID groups:" - mdadm --stop --scan + echo + + # pick the first RAID group to be broken + raid_drive=$(echo $raid_drives | /usr/bin/awk '{ print $1 }') + + echo "Would you like to break RAID group $raid_drive so that its" + echo "members can be re-used for a new installation, understanding" + echo -n "that doing so will destroy all data on it? (Yes/No) [No]:" + destroy_raid=$(get_response "No" "Yes No Y N") + echo + + if [ "${destroy_raid:0:1}" = "y" ]; then + echo "OK. Breaking the RAID group $raid_drive." + + members=`ls /sys/block/$raid_drive/slaves` + + echo "First, stopping all existing RAID groups:" + mdadm --stop --scan + + for member in $members ; do + drive=${member:0:3} + part=${member:3:1} + echo "Re-setting partition ID for RAID group $raid_drive member /dev/${member}:" + sfdisk --change-id /dev/$drive $part 0x83 + echo "Clearing RAID superblock from RAID group $raid_drive member /dev/${member}." + mdadm --zero-superblock /dev/$member + done + else + echo "OK. Stopping, but not breaking, existing RAID groups:" + mdadm --stop --scan + fi + + echo return fi @@ -798,7 +813,7 @@ install_root_filesystem () { echo "Unable to read filesystem UUID. Exiting." exit 1 else - echo -e "UUID=$uuid\t/\text3\tdefaults\t0 1" >> $rootfsdir/etc/fstab + echo -e "UUID=$uuid\t/\text3\tnoatime\t0 1" >> $rootfsdir/etc/fstab fi #setup the hostname file 
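Review bot: The member loop in check_for_old_raid splits each slave name with fixed offsets, `drive=${member:0:3}` and `part=${member:3:1}`, so anything not shaped `sdX<digit>` is mis-parsed: `sda10` becomes disk `sda` partition `1`, and a two-letter disk such as `sdaa1` becomes `sda` with partition `a`. The `sfdisk --change-id` and `mdadm --zero-superblock` that follow are destructive, so a wrong split rewrites a partition the user did not agree to destroy. Split on the digit boundary instead, `drive=${member%%[0-9]*}` and `part=${member#"$drive"}`, and skip the member with a warning when `part` is empty or non-numeric; iterating `/sys/block/$raid_drive/slaves/*` with `basename` is also safer than word-splitting the output of `ls`. The naming assumption only holds for sd* devices, so state that in a comment if the installer deliberately supports nothing else.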
@@ -915,17 +930,6 @@ change_password() { set_encrypted_password $user $epwd $rootfsdir$ofrconfdir/config.boot } -system_setup () { - echo -n "Would you like to set the passwords for system users (Yes/No) [Yes]: " - local response=$(get_response "Yes" "Yes No Y N") - - if [ "$response" == "yes" ] || [ "$response" == "y" ]; then - change_password root - change_password vyatta - fi -} - - # setup grub on the boot sector of a user queried drive install_grub () { # we now use INSTALL_DRIVE to reference the grub boot drive. @@ -1240,15 +1244,6 @@ progress_indicator () { ##### Main ## -# clean up existing log files -if [ -f $INSTALL_LOG.old ]; then - rm -f $INSTALL_LOG.old -fi -if [ -f $INSTALL_LOG ]; then - mv $INSTALL_LOG $INSTALL_LOG.old - rm -f $INSTALL_LOG -fi - # turn off any mounted swap files turnoffswap @@ -1341,7 +1336,11 @@ copy_config "$CONFIG_PARTITION" # Modify config to match system # Assume user wants to keep password from old config if [ ! -d /mnt/config ]; then - system_setup + # Disable root login + set_encrypted_password root "*" $rootfsdir$ofrconfdir/config.boot + + echo "Enter password for administrator account" + change_password vyatta fi # check for xen part images in /var/xen diff --git a/scripts/keepalived/vyatta-clear-vrrp.pl b/scripts/keepalived/vyatta-clear-vrrp.pl index be33f2b9..a44b0305 100644 --- a/scripts/keepalived/vyatta-clear-vrrp.pl +++ b/scripts/keepalived/vyatta-clear-vrrp.pl @@ -24,14 +24,14 @@ # use lib "/opt/vyatta/share/perl5/"; -use VyattaKeepalived; +use Vyatta::Keepalived; use Getopt::Long; use Sys::Syslog qw(:standard :macros); use strict; use warnings; -my $conf_file = VyattaKeepalived::get_conf_file(); +my $conf_file = Vyatta::Keepalived::get_conf_file(); sub keepalived_write_file { 
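Review bot: The root lock-out `set_encrypted_password root "*" $rootfsdir$ofrconfdir/config.boot` sits inside the `! -d /mnt/config` branch, so an install that carries an existing config.boot over keeps whatever root password it had and the new no-root-login policy applies to fresh installs only; if that is intended, extend the `# Assume user wants to keep password from old config` comment to say so, otherwise hoist the root line above the `if`. Note also that `set_encrypted_password` only rewrites config.boot; whether `*` actually reaches the system password database depends on the login-update script that consumes the config, which is outside this hunk, so the `# Disable root login` comment is a claim worth verifying end to end. This hunk is in the script's main section, which starts earlier and continues past the hunk.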
@@ -109,7 +109,7 @@ sub get_vrrp_intf_group { # return an array of hashes that contains all the intf/group pairs # - my $config = new VyattaConfig; + my $config = new Vyatta::Config; $config->setLevel("interfaces ethernet"); my @eths = $config->listOrigNodes(); foreach my $eth (@eths) { @@ -174,7 +174,7 @@ sub set_inital_state { my ($tmp_conf, $match_instance) = vrrp_extract_instance($conf, $instance); if (defined $match_instance) { - my $init = VyattaKeepalived::vrrp_get_init_state($intf, $group, + my $init = Vyatta::Keepalived::vrrp_get_init_state($intf, $group, "", "false"); $match_instance = set_instance_inital_state($match_instance, $init); $new_conf .= $match_instance . "\n\n"; @@ -207,12 +207,12 @@ my $login = getlogin(); # if ($action eq "clear_process") { syslog("warning", "clear vrrp process requested by $login"); - if (VyattaKeepalived::is_running()) { + if (Vyatta::Keepalived::is_running()) { print "Restarting VRRP...\n"; - VyattaKeepalived::restart_daemon(VyattaKeepalived::get_conf_file()); + Vyatta::Keepalived::restart_daemon(VyattaKeepalived::get_conf_file()); } else { print "Starting VRRP...\n"; - VyattaKeepalived::start_daemon(VyattaKeepalived::get_conf_file()); + Vyatta::Keepalived::start_daemon(VyattaKeepalived::get_conf_file()); } exit 0; } 
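Review bot: In the clear_process branch both `Vyatta::Keepalived::restart_daemon(VyattaKeepalived::get_conf_file())` and the matching `start_daemon(...)` line still name the old package in the argument, so after this rename the `clear vrrp process` path dies at runtime with an undefined-subroutine error. The script already computes `my $conf_file = Vyatta::Keepalived::get_conf_file();` at the top, so pass that: `Vyatta::Keepalived::restart_daemon($conf_file);` and `Vyatta::Keepalived::start_daemon($conf_file);`. Neither `use strict` nor `perl -c` catches a stale qualified call; only executing the branch does, so the renamed scripts deserve a smoke run.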
@@ -239,21 +239,21 @@ if ($action eq "clear_master") { } my $instance = "vyatta-" . "$vrrp_intf" . "-" . "$vrrp_group"; - my $state_file = VyattaKeepalived::get_state_file($vrrp_intf, $vrrp_group); + my $state_file = Vyatta::Keepalived::get_state_file($vrrp_intf, $vrrp_group); if (! -f $state_file) { print "Invalid interface/group [$vrrp_intf][$vrrp_group]\n"; exit 1; } my ($start_time, $intf, $group, $state, $ltime) = - VyattaKeepalived::vrrp_state_parse($state_file); + Vyatta::Keepalived::vrrp_state_parse($state_file); if ($state ne "master") { print "vrrp group $vrrp_group on $vrrp_intf is already in backup\n"; exit 1; } syslog("warning", "clear vrrp master [$instance] requested by $login"); - VyattaKeepalived::vrrp_log("vrrp clear_master $vrrp_intf $vrrp_group"); + Vyatta::Keepalived::vrrp_log("vrrp clear_master $vrrp_intf $vrrp_group"); # should add a file lock local($/, *FILE); # slurp mode @@ -283,7 +283,7 @@ if ($action eq "clear_master") { system("mv $conf_file $conf_file_bak"); system("cp $tmp_conf_file $conf_file"); - VyattaKeepalived::restart_daemon($conf_file); + Vyatta::Keepalived::restart_daemon($conf_file); print "Forcing $vrrp_intf-$group to BACKUP...\n"; sleep(3); @@ -294,7 +294,7 @@ if ($action eq "clear_master") { $new_conf .= "\n" . $match_instance . "\n"; keepalived_write_file($conf_file, $new_conf); - VyattaKeepalived::restart_daemon($conf_file); + Vyatta::Keepalived::restart_daemon($conf_file); system("rm $conf_file_bak $tmp_conf_file"); exit 0; diff --git a/scripts/keepalived/vyatta-keepalived.pl b/scripts/keepalived/vyatta-keepalived.pl index c41fa7e2..b2f0ba3b 100755 --- a/scripts/keepalived/vyatta-keepalived.pl +++ b/scripts/keepalived/vyatta-keepalived.pl 
@@ -24,15 +24,15 @@ # use lib "/opt/vyatta/share/perl5/"; -use VyattaConfig; -use VyattaKeepalived; +use Vyatta::Config; +use Vyatta::Keepalived; use Getopt::Long; use strict; use warnings; my $changes_file = '/var/log/vrrpd/changes'; -my $conf_file = VyattaKeepalived::get_conf_file(); +my $conf_file = get_conf_file(); my %HoA_sync_groups; @@ -41,9 +41,9 @@ sub keepalived_get_values { my ($intf, $path) = @_; my $output = ''; - my $config = new VyattaConfig; + my $config = new Vyatta::Config; - my $state_transition_script = VyattaKeepalived::get_state_script(); + my $state_transition_script = get_state_script(); $config->setLevel("$path vrrp vrrp-group"); my @groups = $config->listNodes(); @@ -51,8 +51,8 @@ sub keepalived_get_values { my $vrrp_instance = "vyatta-$intf-$group"; $config->setLevel("$path vrrp vrrp-group $group"); if ($config->exists("disable")) { - VyattaKeepalived::vrrp_log("$vrrp_instance disabled - skipping"); - my $state_file = VyattaKeepalived::get_state_file($intf, $group); + vrrp_log("$vrrp_instance disabled - skipping"); + my $state_file = get_state_file($intf, $group); system("rm -f $state_file"); next; } @@ -116,7 +116,7 @@ sub keepalived_get_values { $output .= "vrrp_instance $vrrp_instance \{\n"; my $init_state; - $init_state = VyattaKeepalived::vrrp_get_init_state($intf, $group, + $init_state = vrrp_get_init_state($intf, $group, $vips[0], $preempt); $output .= "\tstate $init_state\n"; $output .= "\tinterface $intf\n"; @@ -179,7 +179,7 @@ sub vrrp_save_changes { my @list = @_; my $num_changes = scalar(@list); - VyattaKeepalived::vrrp_log("saving changes file $num_changes"); + vrrp_log("saving changes file $num_changes"); open(my $FILE, ">", $changes_file) or die "Error: write $!"; print $FILE join("\n", @list), "\n"; close($FILE); 
@@ -188,7 +188,7 @@ sub vrrp_save_changes { sub vrrp_find_changes { my @list = (); - my $config = new VyattaConfig; + my $config = new Vyatta::Config; my $vrrp_instances = 0; $config->setLevel("interfaces ethernet"); @@ -201,7 +201,7 @@ sub vrrp_find_changes { my ($vrrp, $vrrp_status) = each(%vrrp_status_hash); if ($vrrp_status ne "static") { push @list, $eth; - VyattaKeepalived::vrrp_log("$vrrp_status found $eth"); + vrrp_log("$vrrp_status found $eth"); } } if ($config->exists("vif")) { @@ -217,7 +217,7 @@ sub vrrp_find_changes { my ($vrrp, $vrrp_status) = each(%vrrp_status_hash); if ($vrrp_status ne "static") { push @list, "$eth.$vif"; - VyattaKeepalived::vrrp_log("$vrrp_status found $eth.$vif"); + vrrp_log("$vrrp_status found $eth.$vif"); } } } @@ -234,7 +234,7 @@ sub vrrp_find_changes { $config->setLevel($path); if ($config->isDeleted("vrrp")) { push @list, $eth; - VyattaKeepalived::vrrp_log("Delete found $eth"); + vrrp_log("Delete found $eth"); } $config->setLevel("$path vif"); my @vifs = $config->listOrigNodes(); @@ -244,13 +244,13 @@ sub vrrp_find_changes { $config->setLevel($vif_path); if ($config->isDeleted("vrrp")) { push @list, "$eth.$vif"; - VyattaKeepalived::vrrp_log("Delete found $eth.$vif"); + vrrp_log("Delete found $eth.$vif"); } } } my $num = scalar(@list); - VyattaKeepalived::vrrp_log("Start transation: $num changes"); + vrrp_log("Start transation: $num changes"); if ($num) { vrrp_save_changes(@list); } @@ -271,7 +271,7 @@ sub remove_from_changes { my @new_lines = (); foreach my $line (@lines) { if ($line =~ /$intf$/) { - VyattaKeepalived::vrrp_log("remove_from_changes [$line]"); + vrrp_log("remove_from_changes [$line]"); } else { push @new_lines, $line; } @@ -292,7 +292,7 @@ sub vrrp_update_config { my $date = localtime(); my $output = "#\n# autogenerated by $0 on $date\n#\n\n"; - my $config = new VyattaConfig; + my $config = new Vyatta::Config; $config->setLevel("interfaces ethernet"); my @eths = $config->listNodes(); 
@@ -316,7 +316,7 @@ sub vrrp_update_config { # my $vif_intf = $eth . "." . $vif; if (!(-d "/sys/class/net/$vif_intf")) { - VyattaKeepalived::vrrp_log("skipping $vif_intf"); + vrrp_log("skipping $vif_intf"); next; } my $vif_path = "$path $vif"; @@ -363,24 +363,24 @@ if (! defined $action) { } if ($action eq "update") { - VyattaKeepalived::vrrp_log("vrrp update $vrrp_intf"); + vrrp_log("vrrp update $vrrp_intf"); if ( ! -e $changes_file) { my $num_changes = vrrp_find_changes(); if ($num_changes == 0) { # # Shouldn't happen, but ... # - VyattaKeepalived::vrrp_log("unexpected 0 changes"); + vrrp_log("unexpected 0 changes"); } } my $vrrp_instances = vrrp_update_config($vrrp_intf); my $more_changes = remove_from_changes($vrrp_intf); - VyattaKeepalived::vrrp_log(" instances $vrrp_instances, $more_changes"); + vrrp_log(" instances $vrrp_instances, $more_changes"); if ($vrrp_instances > 0 and $more_changes == 0) { - VyattaKeepalived::restart_daemon($conf_file); + restart_daemon($conf_file); } if ($vrrp_instances == 0) { - VyattaKeepalived::stop_daemon(); + stop_daemon(); system("rm -f $conf_file"); } } @@ -390,8 +390,8 @@ if ($action eq "delete") { print "must include interface & group"; exit 1; } - VyattaKeepalived::vrrp_log("vrrp delete $vrrp_intf $vrrp_group"); - my $state_file = VyattaKeepalived::get_state_file($vrrp_intf, $vrrp_group); + vrrp_log("vrrp delete $vrrp_intf $vrrp_group"); + my $state_file = get_state_file($vrrp_intf, $vrrp_group); system("rm -f $state_file"); exit 0; } diff --git a/scripts/keepalived/vyatta-show-vrrp.pl b/scripts/keepalived/vyatta-show-vrrp.pl index e8157d21..4b8d6fec 100755 --- a/scripts/keepalived/vyatta-show-vrrp.pl +++ b/scripts/keepalived/vyatta-show-vrrp.pl @@ -23,7 +23,7 @@ # **** End License **** # use lib "/opt/vyatta/share/perl5/"; -use VyattaKeepalived; +use Vyatta::Keepalived; use strict; use warnings; 
@@ -119,14 +119,14 @@ sub get_master_info { # address and compare it to our masterfile. If it doesn't match # then we will snoop for the new master. - my $master_file = VyattaKeepalived::get_master_file($intf, $group); + my $master_file = Vyatta::Keepalived::get_master_file($intf, $group); my $arp_file = "$master_file.arp"; system("/usr/bin/arping -c1 -f -I $intf $vip > $arp_file"); my $arp_mac = parse_arping($arp_file); if ( ! -f $master_file) { - VyattaKeepalived::snoop_for_master($intf, $group, $vip, 2); + Vyatta::Keepalived::snoop_for_master($intf, $group, $vip, 2); } if ( -f $master_file) { @@ -140,7 +140,7 @@ sub get_master_info { { $master_mac = uc($1); if ($arp_mac ne $master_mac) { - VyattaKeepalived::snoop_for_master($intf, $group, $vip, 2); + Vyatta::Keepalived::snoop_for_master($intf, $group, $vip, 2); $master_ip = `grep ip.src $master_file 2> /dev/null`; } } @@ -172,11 +172,11 @@ sub vrrp_showsummary { my ($file) = @_; my ($start_time, $intf, $group, $state, $ltime) = - VyattaKeepalived::vrrp_state_parse($file); + Vyatta::Keepalived::vrrp_state_parse($file); my ($interface_state, $link) = get_state_link($intf); if ($state eq "master" || $state eq "backup" || $state eq "fault") { my ($primary_addr, $priority, $preempt, $advert_int, $auth_type, - @vips) = VyattaKeepalived::vrrp_get_config($intf, $group); + @vips) = Vyatta::Keepalived::vrrp_get_config($intf, $group); my $format = "\n%-16s%-8s%-8s%-16s%-16s%-16s"; printf($format, $intf, $group, 'int', $primary_addr, $link, $state); foreach my $vip (@vips){ 
@@ -192,12 +192,12 @@ sub vrrp_show { my $now_time = time; my ($start_time, $intf, $group, $state, $ltime) = - VyattaKeepalived::vrrp_state_parse($file); + Vyatta::Keepalived::vrrp_state_parse($file); my ($interface_state, $link) = get_state_link($intf); my $first_vip = ''; if ($state eq "master" || $state eq "backup" || $state eq "fault") { my ($primary_addr, $priority, $preempt, $advert_int, $auth_type, - @vips) = VyattaKeepalived::vrrp_get_config($intf, $group); + @vips) = Vyatta::Keepalived::vrrp_get_config($intf, $group); print "Physical interface: $intf, Address $primary_addr\n"; print " Interface state: $link, Group $group, State: $state\n"; print " Priority: $priority, Advertisement interval: $advert_int, "; @@ -256,7 +256,7 @@ if ($#ARGV == 1) { $group = $ARGV[1]; } -if (!VyattaKeepalived::is_running()) { +if (!Vyatta::Keepalived::is_running()) { print "VRRP isn't running\n"; exit 1; } @@ -273,7 +273,7 @@ if ($showsummary == 1) { $display_func = \&vrrp_show; } -my @state_files = VyattaKeepalived::get_state_files($intf, $group); +my @state_files = Vyatta::Keepalived::get_state_files($intf, $group); foreach my $state_file (@state_files) { &$display_func($state_file); } diff --git a/scripts/keepalived/vyatta-vrrp-state.pl b/scripts/keepalived/vyatta-vrrp-state.pl index a3be3095..930c7cd0 100755 --- a/scripts/keepalived/vyatta-vrrp-state.pl +++ b/scripts/keepalived/vyatta-vrrp-state.pl @@ -24,7 +24,7 @@ # use lib "/opt/vyatta/share/perl5/"; -use VyattaKeepalived; +use Vyatta::Keepalived; use POSIX; use strict; @@ -35,7 +35,7 @@ sub vrrp_state_log { my ($state, $intf, $group) = @_; my $timestamp = strftime("%Y%m%d-%H:%M.%S", localtime); - my $file = VyattaKeepalived::get_state_file($intf, $group); + my $file = Vyatta::Keepalived::get_state_file($intf, $group); my $time = time(); my $line = "$time $intf $group $state $timestamp"; open my $fh, ">", $file; 
@@ -52,22 +52,22 @@ foreach my $arg (4 .. $#ARGV) { push @vrrp_vips, $ARGV[$arg]; } -my $sfile = VyattaKeepalived::get_state_file($vrrp_intf, $vrrp_group); +my $sfile = Vyatta::Keepalived::get_state_file($vrrp_intf, $vrrp_group); my ($old_time, $old_intf, $old_group, $old_state, $old_ltime) = - VyattaKeepalived::vrrp_state_parse($sfile); + Vyatta::Keepalived::vrrp_state_parse($sfile); if (defined $old_state and $vrrp_state eq $old_state) { # # restarts call the transition script even if it really hasn't # changed. # - VyattaKeepalived::vrrp_log("$vrrp_intf $vrrp_group same - $vrrp_state"); + Vyatta::Keepalived::vrrp_log("$vrrp_intf $vrrp_group same - $vrrp_state"); exit 0; } -VyattaKeepalived::vrrp_log("$vrrp_intf $vrrp_group transition to $vrrp_state"); +Vyatta::Keepalived::vrrp_log("$vrrp_intf $vrrp_group transition to $vrrp_state"); vrrp_state_log($vrrp_state, $vrrp_intf, $vrrp_group); if ($vrrp_state eq "backup") { - VyattaKeepalived::snoop_for_master($vrrp_intf, $vrrp_group, $vrrp_vips[0], + Vyatta::Keepalived::snoop_for_master($vrrp_intf, $vrrp_group, $vrrp_vips[0], 60); } elsif ($vrrp_state eq "master") { # @@ -83,7 +83,7 @@ if ($vrrp_state eq "backup") { # # remove the old master file since we are now master # - my $mfile = VyattaKeepalived::get_master_file($vrrp_intf, $vrrp_group); + my $mfile = Vyatta::Keepalived::get_master_file($vrrp_intf, $vrrp_group); system("rm -f $mfile"); } diff --git a/scripts/netplug/linkdown/dhclient b/scripts/netplug/linkdown/dhclient new file mode 100755 index 00000000..a69caed3 --- /dev/null +++ b/scripts/netplug/linkdown/dhclient 
@@ -0,0 +1,64 @@ +#!/usr/bin/perl +# +# Module: dhclient +# +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# A copy of the GNU General Public License is available as +# `/usr/share/common-licenses/GPL' in the Debian GNU/Linux distribution +# or on the World Wide Web at `http://www.gnu.org/copyleft/gpl.html'. +# You can also obtain it by writing to the Free Software Foundation, +# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, +# MA 02110-1301, USA. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2008 Vyatta, Inc. +# All Rights Reserved. +# +# Author: Mohit Mehta +# Date: November 2008 +# Description: Script to release lease on link down +# +# **** End License **** +# + +use lib "/opt/vyatta/share/perl5/"; +use Vyatta::Config; +use Vyatta::Misc; + +use strict; +use warnings; + +sub stop_dhclient { + my $intf = shift; + my $dhcp_daemon = '/sbin/dhclient'; + my ($intf_config_file, $intf_process_id_file, $intf_leases_file) = Vyatta::Misc::generate_dhclient_intf_files($intf); + my $release_cmd = "sudo $dhcp_daemon -q -cf $intf_config_file -pf $intf_process_id_file -lf $intf_leases_file -r $intf 2> /dev/null"; + system ($release_cmd); +} + + +# +# main +# + +my $dev=shift; + +# only do this if interface is configured to use dhcp for getting IP address +if (Vyatta::Misc::is_dhcp_enabled($dev, "outside_cli")) { + # do a dhcp lease release for interface + stop_dhclient($dev); +} + +exit 0; + +# end of file + 
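Review bot: `stop_dhclient` interpolates the interface name taken straight from the command line into a single shell string that is handed to `system` under `sudo`, and the same `$dev` is used to derive the config, pid and lease paths; nothing checks that it looks like an interface name, and `$dev` is simply undef when the hook is invoked without an argument. netplug normally supplies a kernel interface name, so this is hardening rather than an open hole, but a root-running hook should still reject anything odd: add `defined $dev and $dev =~ /^[a-z0-9._]+$/ or exit 0;` before the is_dhcp_enabled call, and build the command as a list, `system('sudo', $dhcp_daemon, '-q', '-cf', $intf_config_file, '-pf', $intf_process_id_file, '-lf', $intf_leases_file, '-r', $intf)`, after redirecting STDERR with `open STDERR, '>', '/dev/null'` so the `2> /dev/null` is no longer needed. `use Vyatta::Config` is unused in this file and can be dropped.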
diff --git a/scripts/netplug/linkup/dhclient b/scripts/netplug/linkup/dhclient
new file mode 100755
index 00000000..c7370841
--- /dev/null
+++ b/scripts/netplug/linkup/dhclient
@@ -0,0 +1,63 @@ +#!/usr/bin/perl +# +# Module: dhclient +# +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# A copy of the GNU General Public License is available as +# `/usr/share/common-licenses/GPL' in the Debian GNU/Linux distribution +# or on the World Wide Web at `http://www.gnu.org/copyleft/gpl.html'. +# You can also obtain it by writing to the Free Software Foundation, +# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, +# MA 02110-1301, USA. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2008 Vyatta, Inc. +# All Rights Reserved. +# +# Author: Mohit Mehta +# Date: November 2008 +# Description: Script to renew lease on link up +# +# **** End License **** +# + +use lib "/opt/vyatta/share/perl5/"; +use Vyatta::Config; +use Vyatta::Misc; + +use strict; +use warnings; + +sub run_dhclient { + my $intf = shift; + my $dhcp_daemon = '/sbin/dhclient'; + my ($intf_config_file, $intf_process_id_file, $intf_leases_file) = Vyatta::Misc::generate_dhclient_intf_files($intf); + my $cmd = "sudo $dhcp_daemon -q -nw -cf $intf_config_file -pf $intf_process_id_file -lf $intf_leases_file $intf 2> /dev/null &"; + system ($cmd); +} + +# +# main +# + +my $dev=shift; + +# only do this if interface is configured to use dhcp for getting IP address +if (Vyatta::Misc::is_dhcp_enabled($dev, "outside_cli")) { + # do a dhcp lease renew for interface + run_dhclient($dev); +} + +exit 0; + +# end of file + diff --git a/scripts/rl-system.init b/scripts/rl-system.init index 5391d409..0570924f 100755 
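Review bot: `run_dhclient` has the same shape as the linkdown hook — one shell string with an unvalidated `$dev` — and additionally ends the command with `&`, so the script never learns whether dhclient started at all. Since dhclient is already given `-nw`, which returns without waiting for a lease, the `&` appears redundant; dropping it lets `system` return a meaningful status that can be logged. Apply the same interface-name guard and list-form `system(...)` as suggested for the linkdown script, and drop the unused `use Vyatta::Config`.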
--- a/scripts/rl-system.init +++ b/scripts/rl-system.init @@ -53,10 +53,16 @@ syslog () logger -p user.warning -t "$progname" "$*" } +# easy way to make empty file without any command +empty() +{ + >$1 +} + shopt -s extglob nullglob search_config_if_wan () { - grep "\<serial\>.*\<$1\>" $BOOTFILE >/dev/null + grep -q "\<serial\>.*\<$1\>" $BOOTFILE } add_new_serial_if () { @@ -85,23 +91,11 @@ update_version_info () { fi } -## Clear out apt config file--it will be filled in by rtrmgr -clear_apt_config() -{ - cat /dev/null >/etc/apt/sources.list || true -} - ## snmp should be a separate package, ## but for now load the kernel module here add_snmp_stats_module() { - modprobe ipt_rlsnmpstats || true -} - -set_reboot_on_panic() -{ - echo 1 > /proc/sys/kernel/panic_on_oops - echo 60 > /proc/sys/kernel/panic + modprobe ipt_rlsnmpstats & } clear_or_override_config_files () @@ -111,11 +105,9 @@ clear_or_override_config_files () ipvsadm.rules default/ipvsadm resolv.conf do if [ -f /etc/$conf ] ; then - cat /dev/null > /etc/$conf || true + empty /etc/$conf fi done - # ssh v1. remove the empty key file - rm -f /etc/ssh/ssh_host_key } udev_rescan () @@ -151,19 +143,19 @@ create_ssh_host_keys () { start () { udev_rescan + add_snmp_stats_module create_ssh_host_keys || \ log_failure_msg "can't initialize ssh host keys" clear_or_override_config_files || \ log_failure_msg "can\'t reset config files" - set_reboot_on_panic || \ - log_failure_msg "can\'t set reboot on panic" add_new_serial_if || \ log_failure_msg "can\'t add serial interfaces" sysctl -q -p /opt/vyatta/etc/vyatta-sysctl.conf || log_failure_msg "can\'t configure kernel settings" update_version_info - clear_apt_config - add_snmp_stats_module + + ## Clear out apt config file--it will be filled in by rtrmgr + empty /etc/apt/sources.list } case "$ACTION" in diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl index 65247788..eb8e9ede 100644 --- a/scripts/snmp/vyatta-snmp.pl +++ b/scripts/snmp/vyatta-snmp.pl 
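Review bot: `add_snmp_stats_module` now runs `modprobe ipt_rlsnmpstats &` — backgrounded, with the former `|| true` gone — so a missing or broken module is neither reported nor waited for, whereas every other step in `start` reports failure through log_failure_msg. Suggest `modprobe ipt_rlsnmpstats || log_failure_msg "can't load ipt_rlsnmpstats"` and keeping it synchronous. This hunk also removes `set_reboot_on_panic` (panic_on_oops and the 60s panic timeout) and the deletion of the SSH v1 host key; if both moved into vyatta-sysctl.conf and the sshd configuration elsewhere in this 43-file change that is fine, otherwise a router now hangs on an oops instead of rebooting. Minor: `empty()` should quote its argument, `>"$1"`.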
@@ -24,8 +24,8 @@ # use lib "/opt/vyatta/share/perl5/"; -use VyattaConfig; -use VyattaMisc; +use Vyatta::Config; +use Vyatta::Misc; use Getopt::Long; use strict; @@ -74,7 +74,7 @@ sub snmp_get_constants { sub snmp_get_values { my $output = ''; - my $config = new VyattaConfig; + my $config = new Vyatta::Config; $config->setLevel("protocols snmp community"); my @communities = $config->listNodes(); diff --git a/scripts/standalone_root_pw_reset b/scripts/standalone_root_pw_reset index d089b50d..b75d19df 100755 --- a/scripts/standalone_root_pw_reset +++ b/scripts/standalone_root_pw_reset @@ -14,7 +14,7 @@ # All Rights Reserved. # # Author: Bob Gilligan <gilligan@vyatta.com> -# Description: Standalone script to set the root passwd to new value +# Description: Standalone script to set the admin passwd to new value # value. Note: This script can ONLY be run as a standalone # init program by grub. # @@ -23,9 +23,11 @@ # The Vyatta config file: CF=/opt/vyatta/etc/config/config.boot +# Admin user name +ADMIN=vyatta set_encrypted_password() { sed -i \ - -e "/ user $1 {/,/}/s/encrypted-password.*\$/encrypted-password \"$2\"/" $3 + -e "/ user $1 {/,/}/s/encrypted-password .*\$/encrypted-password \"$2\"/" $3 } change_password() { @@ -65,18 +67,18 @@ fi # OK, now we know we are running in standalone mode. Talk to the # user. # -read -p "Do you wish to change the root password? " response +echo "Do you wish to reset the admin password?" +read response response=${response:0:1} - if [ "$response" != "y" -a "$response" != "Y" ]; then - echo "OK, the root password will not be changed." + echo "OK, the admin password will not be reset." echo -n "Rebooting in 5 seconds..." sleep 5 echo /sbin/reboot -f fi -echo "Starting process to change the root password..." +echo "Starting process to reset the admin password..." echo "Re-mounting root filesystem read/write..." mount -o remount,rw / 
@@ -88,14 +90,19 @@ then mount /opt/vyatta/etc/config/ fi +if ! grep -q " user $ADMIN " $CF +then + echo "Administrator account $ADMIN missing..." + exit 1 +fi + echo "Saving backup copy of config.boot..." cp $CF ${CF}.before_pwrecovery -echo -change_password root +echo "Setting the administrator ($ADMIN) password..." +change_password $ADMIN -echo "Root password changed" -echo $(date "+%b%e %T") $(hostname) "Root password changed" \ +echo $(date "+%b%e %T") $(hostname) "Admin password changed" \ | tee -a /var/log/auth.log >>/var/log/messages sync diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl index 1f71434b..eb7baeee 100755 --- a/scripts/system/vyatta_update_login.pl +++ b/scripts/system/vyatta_update_login.pl @@ -18,10 +18,10 @@ use strict; use lib "/opt/vyatta/share/perl5"; -use VyattaConfig; +use Vyatta::Config; # handle "user" -my $uconfig = new VyattaConfig; +my $uconfig = new Vyatta::Config; $uconfig->setLevel("system login user"); my %users = $uconfig->listNodeStatus(); 
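Review bot: The new `exit 1` when `$ADMIN` is missing runs while this script is PID 1 (the header says it is only started via grub's `init=`), so exiting makes the kernel panic with "Attempted to kill init!" instead of returning the box to a usable state. The "no" branch a few lines earlier already shows the intended pattern for bailing out. Replace the exit with `echo "Administrator account $ADMIN missing, rebooting in 5 seconds..."`, `sleep 5`, `/sbin/reboot -f`, and consider doing it before the read/write remount so the filesystem is never touched.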
@@ -57,18 +57,48 @@ my %level_map = ( 'operator' => [ 'quaggavty', 'operator', 'adm', 'dip', ], ); +# Construct a map from existing users to group membership +# Use space seperated format +my %group_map; +while (my ($name, undef, undef, $members) = getgrent()) { + foreach my $user (split / /,$members) { + my $g = $group_map{$user}; + if ($g) { + my @l = split / /, $g; + push @l, $name; + $group_map{$user} = join(' ', sort @l); + } else { + $group_map{$user} = $name; + } + + } +} + # we have some users for my $user (@user_keys) { if ( $users{$user} eq 'deleted' ) { - system("sudo userdel -r '$user'"); - die "userdel failed\n" if ( $? >> 8 ); + system("sudo userdel -r '$user'") == 0 + or die "userdel failed: $?\n" } elsif ( $users{$user} eq 'added' || $users{$user} eq 'changed' ) { $uconfig->setLevel("system login user $user"); + my $pwd = $uconfig->returnValue('authentication encrypted-password'); + $pwd or die "Encrypted password not in configuration for $user"; + + my $level = $uconfig->returnValue('level'); + $level or die "Level not defined for $user"; - # See if this is a modification of existing account - my (undef, undef, $uid, undef, undef, - undef, undef, undef, $shell, undef) = getpwnam($user); + # map level to group membership + my @groups = @{$level_map{$level}}; + # add any additional groups from configuration + push( @groups, $uconfig->returnValues('group') ); + + my $fname = $uconfig->returnValue('full-name'); + my $home = $uconfig->returnValue('home-directory'); + + # Read existing settings + my (undef, $opwd, $uid, $gid, undef, $comment, + undef, $dir, $shell, undef) = getpwnam($user); my $cmd; # not found in existing passwd, must be new 
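Review bot: `system("sudo userdel -r '$user'")` still builds a shell command from the configured user name; a name containing a single quote, `$(...)` or backtick is interpreted by the shell and executed as root through sudo. The old `TODO Add checks for attempts to put system users in configuration file` was deleted in this hunk without adding any guard, so a config entry named after a system account would also be handed to `userdel -r` as-is, unless validation happens in a template not shown here. Use list-form `system('sudo', 'userdel', '-r', $user) == 0 or die "userdel failed: $?\n";` so no shell is involved, and keep a small deny-list (root, uid < 1000) check before deleting.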
@@ -77,48 +107,124 @@ for my $user (@user_keys) { # and make home directory (-m) # and with default group of 100 (users) $cmd = 'useradd -s /bin/vbash -m -N'; - } - # TODO Add checks for attempts to put system users - # in configuration file + } else { + # If no part of password or group file changed + # then there is nothing to do here. + next if ( $opwd eq $pwd && + (!$fname || $fname eq $comment) && + (!$home || $home eq $dir) && + join(' ', sort @groups) eq $group_map{$user} ); - # TODO Check if nothing changed and just skip - else { $cmd = "usermod"; } - my $pwd = $uconfig->returnValue('authentication encrypted-password'); - $pwd or die 'encrypted password not set'; $cmd .= " -p '$pwd'"; - - my $fname = $uconfig->returnValue('full-name'); $cmd .= " -c \"$fname\"" if ( defined $fname ); - - my $home = $uconfig->returnValue('home-directory'); $cmd .= " -d \"$home\"" if ( defined $home ); + $cmd .= ' -G ' . join( ',', @groups ); + system("sudo $cmd $user") == 0 + or die "sudo $cmd $user failed: $?"; + } +} - # map level to group membership - my $level = $uconfig->returnValue('level'); - my $gref = $level_map{$level}; - my @groups = @{$gref}; +## setup tacacs+ server info +# add tacacs to PAM file +sub add_tacacs { + my $param_string = shift; + my $pam = shift; - # add any additional groups from configuration - push( @groups, $uconfig->returnValues('group') ); + my $cmd = + 'sudo sh -c "' + . 'sed -i \'s/^\(' + . "$pam" + . '\trequired\tpam_unix\.so.*\)$/' + . "$pam" + . '\tsufficient\tpam_tacplus.so\t' + . "$param_string # Vyatta" + . '\n\1/\' ' + . "/etc/pam.d/common-$pam\""; - $cmd .= ' -G ' . join( ',', @groups ); + system($cmd); + return 0 if ( $? >> 8 ); + return 1; +} - system("sudo $cmd $user"); - if ( $? == -1 ) { - die "failed to exec $cmd"; - } - elsif ( $? & 127 ) { - die "$cmd died with signal" . ( $? & 127 ); - } - elsif ( $? != 0 ) { - my $reason = $reasons{ $? 
>> 8 }; - die "$cmd failed: $reason\n"; - } +# remove tacacs from PAM files +sub remove_tacacs { + my $cmd = + 'sudo sh -c "' + . 'sed -i \'/\(.*pam_tacplus.*# Vyatta\)/ D\' ' + . '/etc/pam.d/common-auth ' + . '/etc/pam.d/common-account ' + . '/etc/pam.d/common-session "'; + + system($cmd); + return 0 if ($? >> 8); + return 1; +} + +# main tacacs +# There is a race confition in here betwen radius and tacacs currently. +# Also should probably add a chack to see if we ned to actually reconfig +# PAM rather than jusy doing it each commit. +# Finally, service and protocol will need to be removed. They are just +# in there for troubleshootig purposes right now. +# +my $tconfig = new Vyatta::Config; +if ($tconfig->isDeleted("system login tacacs-plus")) { remove_tacacs; } +$tconfig->setLevel("system login tacacs-plus"); +my @tacacs_params = $tconfig->listNodes(); + +if ( scalar(@tacacs_params) > 0 ) { + remove_tacacs; + my ($acctall, $debug, $firsthit, $noencrypt); + if ( $tconfig->exists("acct-all") ) { $acctall = 1; } + if ( $tconfig->exists("debug") ) { $debug = 1; } + if ( $tconfig->exists("first-hit") ) { $firsthit = 1; } + if ( $tconfig->exists("no-encrypt") ) { $noencrypt = 1; } + my $protocol = $tconfig->returnValue("protocol"); + my $secret = $tconfig->returnValue("secret"); + my $server = $tconfig->returnValue("server"); + my $service = $tconfig->returnValue("service"); + + if ( $server ne '' && $secret ne '') { + my ($authstr, $accountstr, $sessionstr, $ip); + my @servers = split /\s/, $server; + + ## 3 common options + # encrypt this session + if (! 
$noencrypt ) { $authstr = "encrypt "; } + # single secret + $authstr .= "secret=$secret "; + # and debug + if ($debug) { $authstr .= "debug "; } + + ## now they get specific + $accountstr = $sessionstr = $authstr; + + # can be multiple servers for auth and session + foreach $ip (@servers) { + $authstr .= "server=$ip "; + $sessionstr .= "server=$ip "; + } + + # first hit for auth + if ($firsthit) { $authstr .= "firsthit "; } + + # acctall for session + if ($acctall) { $sessionstr .= "acctall "; } + + # service and protocol for account and session + if ($service) { $accountstr .= "service=$service "; $sessionstr .= "service=$service "; } + if ($protocol) { $accountstr .= "protocol=$protocol "; $sessionstr .= "protocol=$protocol "; } + + add_tacacs("$authstr", "auth"); + add_tacacs("$accountstr", "account"); + add_tacacs("$sessionstr", "session"); } + else { exit 1; } } +## end tacacs my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf'; my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers'; @@ -185,7 +291,7 @@ sub add_radius_servers { } # handle "radius-server" -my $rconfig = new VyattaConfig; +my $rconfig = new Vyatta::Config; $rconfig->setLevel("system login radius-server"); my %servers = $rconfig->listNodeStatus(); my @server_keys = sort keys %servers; @@ -214,11 +320,9 @@ if ($all_deleted) { # all radius servers deleted exit 1 if ( !remove_pam_radius() ); -} -else { +} else { exit 1 if ( !add_radius_servers($server_str) ); exit 1 if ( !add_pam_radius() ); } exit 0; - diff --git a/scripts/system/vyatta_update_resolv.pl b/scripts/system/vyatta_update_resolv.pl index 8f0e9ead..d8e30961 100755 --- a/scripts/system/vyatta_update_resolv.pl +++ b/scripts/system/vyatta_update_resolv.pl 
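Review bot: `add_tacacs` places `$param_string`, which carries the TACACS+ shared secret verbatim, inside `sudo sh -c "sed -i 's/.../'"`; a secret containing `/`, `&`, `"`, `$` or a backtick either breaks the sed expression (and the return value is ignored by every caller) or is expanded by the shell as root. The secret is also visible in the process list while sed runs and ends up in `/etc/pam.d/common-*`, which are normally world-readable, so any local account can read it — worth a note in the help text if that is acceptable. Escape the sed metacharacters and drop the intermediate shell by calling `system` in list form, as sketched below; the secret still appears in `ps` briefly, which only writing the file from Perl would avoid. The same shell-string construction affects `-c "$fname"` and `-d "$home"` in the usermod path earlier in this hunk, although those values are only settable by configuration-mode users. Separately, `returnValue("server")` is used on the `server` node that the new template declares as `multi:`, while `group` (also multi) is read with `returnValues` above; if `returnValue` yields only the first value, the `foreach $ip (@servers)` loop never sees the second server.
```perl
sub add_tacacs {
    my ( $param_string, $pam ) = @_;

    # The shared secret travels inside $param_string; escape the characters
    # that are special in a sed replacement (delimiter, '&', '\') so a secret
    # such as "a/b&c" can neither break the expression nor alter the file.
    ( my $params = $param_string ) =~ s{([\\/&])}{\\$1}g;

    my $expr = "s/^\\($pam\\trequired\\tpam_unix\\.so.*\\)\$/"
             . "$pam\\tsufficient\\tpam_tacplus.so\\t$params # Vyatta\\n\\1/";

    # List-form system(): no intermediate shell, so nothing in $params is
    # ever parsed as shell syntax.
    system( 'sudo', 'sed', '-i', $expr, "/etc/pam.d/common-$pam" ) == 0
      or return 0;
    return 1;
}
# … unchanged: remove_tacacs and the tacacs-plus main section …
```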
@@ -34,8 +34,8 @@ my $dhclient_script = 0; GetOptions("change_dir=s" => \$change_dir, "modify_dir=s" => \$modify_dir, "dhclient-script=i" => \$dhclient_script ); -use VyattaConfig; -my $vc = new VyattaConfig(); +use Vyatta::Config; +my $vc = new Vyatta::Config(); if ($change_dir ne '') { $vc->{_changes_only_dir_base} = $change_dir; diff --git a/scripts/vyatta-bonding.pl b/scripts/vyatta-bonding.pl index 4e44d67b..d9e0ebc4 100755 --- a/scripts/vyatta-bonding.pl +++ b/scripts/vyatta-bonding.pl @@ -29,7 +29,7 @@ # use lib "/opt/vyatta/share/perl5/"; -use VyattaConfig; +use Vyatta::Config; use Getopt::Long; use strict; @@ -47,7 +47,7 @@ my %modes = ( sub create_bond { my $bond = shift; - my $config = new VyattaConfig; + my $config = new Vyatta::Config; $config->setLevel("interfaces bonding $bond"); my $mode = $modes{$config->returnValue("mode")}; @@ -78,7 +78,7 @@ sub delete_bond { # See if bonding device exists and the mode has changed sub change_bond { my $bond = shift; - my $config = new VyattaConfig; + my $config = new Vyatta::Config; $config->setLevel("interfaces bonding"); if ( !( $config->isAdded($bond) || $config->isDeleted($bond) ) diff --git a/scripts/vyatta-grub-setup b/scripts/vyatta-grub-setup index 88486eaf..26a322f2 100755 --- a/scripts/vyatta-grub-setup +++ b/scripts/vyatta-grub-setup @@ -69,7 +69,7 @@ serial_console="console=tty0 console=ttyS0,9600" # 65000 (16bit) | 785 788 791 794 # 16.7 Mill.(24bit)| 786 789 792 795 # -vga_logo="vga=785" +#vga_logo="vga=785" # get list of kernels, except Xen kernel_versions=$(ls $ROOTFSDIR/boot/vmlinuz-* 2> /dev/null | grep -v xen | awk -F/ '{ print $5 }' | sed 's/vmlinuz//g' | sort -r) 
@@ -228,13 +228,13 @@ fi # options for both serial and KVM console. echo - echo -e "menuentry \"Root password reset to factory (KVM console)\" {" + echo -e "menuentry \"Lost password change (KVM console)\" {" echo -e "\tlinux /boot/vmlinuz $GRUB_OPTIONS $vga_logo $vty_console init=$pass_reset" echo -e "\tinitrd /boot/initrd.img" echo -e "}" echo - echo -e "menuentry \"Root password reset to factory (Serial console)\" {" + echo -e "menuentry \"Lost password change (Serial console)\" {" echo -e "\tlinux /boot/vmlinuz $GRUB_OPTIONS $serial_console init=$pass_reset" echo -e "\tinitrd /boot/initrd.img" echo -e "}" diff --git a/scripts/vyatta-passwd-sync b/scripts/vyatta-passwd-sync index 29748b67..f8c07a8f 100755 --- a/scripts/vyatta-passwd-sync +++ b/scripts/vyatta-passwd-sync @@ -15,7 +15,7 @@ # **** End License **** use lib "/opt/vyatta/share/perl5/"; -use VyattaConfig; +use Vyatta::Config; use strict; use Getopt::Long; @@ -29,7 +29,7 @@ GetOptions( ); # -# These should move to VyattaConfig.pm?? +# These should move to Vyatta::Config.pm?? # sub add_node { @@ -123,7 +123,7 @@ sub system_vyatta_users { } sub listOrigUsers { - my $config = new VyattaConfig; + my $config = new Vyatta::Config; my %users = (); foreach my $name ( $config->listOrigNodes('system login user') ) { @@ -181,7 +181,7 @@ sub check_config { } sub listUsers { - my $config = new VyattaConfig; + my $config = new Vyatta::Config; my %users = (); foreach my $name ( $config->listOrigNodes('system login user') ) { @@ -203,7 +203,7 @@ sub listUsers { sub resync_config { my %system_users = system_vyatta_users(); my %vyatta_users = listUsers(); - my $config = new VyattaConfig; + my $config = new Vyatta::Config; $config->setLevel('system login user'); diff --git a/scripts/vyatta_net_name b/scripts/vyatta_net_name index ff8b9bf5..54f91f04 100755 --- a/scripts/vyatta_net_name +++ b/scripts/vyatta_net_name 
@@ -78,12 +78,14 @@ declare -a cfg_net_hwid=( $( sed -ne ' /^interfaces {/,/^}/ { /^ *ethernet eth[0-9]* {/,/^ $/ { /^ *ethernet/ { + s/\r// s/.* eth\([0-9]\+\) {$/ eth\1=/ # hold interface name h } /^.*hw-id:\?/ { # translate field name + s/\r// s/.*hw-id:\? *// # tolower hex mac address y/ABCDEF/abcdef/ diff --git a/sysconf/vyatta-sysctl.conf b/sysconf/vyatta-sysctl.conf index a021c42a..736a7965 100644 --- a/sysconf/vyatta-sysctl.conf +++ b/sysconf/vyatta-sysctl.conf @@ -3,6 +3,12 @@ # See sysctl.conf (5) for information. # +# Panic on OOPS +kernel.panic_on_oops=1 + +# Timeout before rebooting on panic +kernel.panic=60 + # Only answer ARP requests on same subnet net.ipv4.conf.default.arp_filter=1 diff --git a/templates/interfaces/bonding/node.tag/address/node.def b/templates/interfaces/bonding/node.tag/address/node.def index d5237934..3bfd99bb 100644 --- a/templates/interfaces/bonding/node.tag/address/node.def +++ b/templates/interfaces/bonding/node.tag/address/node.def 
@@ -2,8 +2,10 @@ multi: type: txt help: Set an IP address for this interface syntax:expression: exec "/opt/vyatta/sbin/vyatta-interfaces.pl --valid-addr $VAR(@) --dev $VAR(../@)"; "Invalid IP address/prefix [$VAR(@)] for interface $VAR(../@)" -update:expression: "sudo /opt/vyatta/sbin/vyatta-interfaces.pl --eth-addr-update $VAR(@) --dev $VAR(../@)"; "Error setting address $VAR(@) on interface $VAR(../@)" -delete:expression: "sudo /opt/vyatta/sbin/vyatta-interfaces.pl --eth-addr-delete $VAR(@) --dev $VAR(../@)"; "Error deleting address $VAR(@) on interface $VAR(../@)" +update:expression: "sudo /opt/vyatta/sbin/vyatta-interfaces.pl --eth-addr-update $VAR(@) --dev $VAR(../@) \ +--intf-cli-path \"interfaces bonding $VAR(../@)\""; "Error setting address $VAR(@) on interface $VAR(../@)" +delete:expression: "sudo /opt/vyatta/sbin/vyatta-interfaces.pl --eth-addr-delete $VAR(@) --dev $VAR(../@) \ +--intf-cli-path \"interfaces bonding $VAR(../@)\""; "Error deleting address $VAR(@) on interface $VAR(../@)" allowed: echo "dhcp <>" comp_help:Possible completions: <x.x.x.x/x> Set the IP address and prefix length diff --git a/templates/interfaces/bonding/node.tag/disable/node.def b/templates/interfaces/bonding/node.tag/disable/node.def index 54090cc4..90dd5825 100644 --- a/templates/interfaces/bonding/node.tag/disable/node.def +++ b/templates/interfaces/bonding/node.tag/disable/node.def @@ -1,3 +1,11 @@ help: Set interface disabled -update:expression: "sudo ip link set $VAR(../@) down"; "Error disabling dev $VAR(../@)" -delete:expression: "sudo ip link set $VAR(../@) up"; "Error enabling dev $VAR(../@)" +update: /etc/netplug/linkdown.d/dhclient $VAR(../@) + if ! sudo ip link set $VAR(../@) down 2>/dev/null; then + echo "Error disabling dev $VAR(../@)" + /etc/netplug/linkup.d/dhclient $VAR(../@) + exit 1 + fi +delete: if ! sudo ip link set $VAR(../@) up; then + echo "Error enabling dev $VAR(../@)" + exit 1 + fi 
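Review bot: In the `update:` branch `sudo ip link set $VAR(../@) down 2>/dev/null` throws away the kernel's reason for refusing, so the operator only ever sees the generic "Error disabling dev" message. The `/etc/netplug/linkdown.d/dhclient` hook is also run before the link is touched and its exit status is never examined, so if that hook is what stops the DHCP client (its path suggests so) a failure there leaves dhclient running against an interface that is then brought down. Capture the error instead of discarding it, e.g. `if ! err=$(sudo ip link set $VAR(../@) down 2>&1); then echo "Error disabling dev $VAR(../@): $err"`, and check the hook's status. The vif and bridge `disable` templates in this same diff copy the pattern and should change together.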
diff --git a/templates/interfaces/bonding/node.tag/vif/node.def b/templates/interfaces/bonding/node.tag/vif/node.def index d37b045e..1aa35123 100644 --- a/templates/interfaces/bonding/node.tag/vif/node.def +++ b/templates/interfaces/bonding/node.tag/vif/node.def @@ -5,8 +5,7 @@ syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 4094; "VLAN ID must be between 0 a create: sudo modprobe 8021q sudo vconfig add "$VAR(../@)" "$VAR(@)" sudo ip link set "$VAR(../@).$VAR(@)" up - vyatta-vtysh -c "configure terminal" \ - -c "interface $VAR(../@).$VAR(@)" -c "link-detect" + vyatta-link-detect $VAR(../@).$VAR(@) on delete: sudo vconfig rem "$VAR(../@).$VAR(@)" comp_help: possible completions: <0-4094> Set VLAN ID diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/address/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/address/node.def index 625130af..33ba57d8 100644 --- a/templates/interfaces/bonding/node.tag/vif/node.tag/address/node.def +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/address/node.def 
@@ -2,8 +2,10 @@ multi: type: txt help: Set an IP address for this interface syntax:expression: exec "/opt/vyatta/sbin/vyatta-interfaces.pl --valid-addr $VAR(@) --dev $VAR(../../@).$VAR(../@) "; "Invalid IP address/prefix [$VAR(@)] for interface $VAR(../../@).$VAR(../@)" -create:expression: "sudo /opt/vyatta/sbin/vyatta-interfaces.pl --eth-addr-update $VAR(@) --dev $VAR(../../@).$VAR(../@) "; "Error setting address $VAR(@) on dev $VAR(../../@).$VAR(../@) " -delete:expression: "sudo /opt/vyatta/sbin/vyatta-interfaces.pl --eth-addr-delete $VAR(@) --dev $VAR(../../@).$VAR(../@) "; "Error deleting address $VAR(@) on dev $VAR(../../@).$VAR(../@) " +create:expression: "sudo /opt/vyatta/sbin/vyatta-interfaces.pl --eth-addr-update $VAR(@) --dev $VAR(../../@).$VAR(../@) \ +--intf-cli-path \"interfaces bonding $VAR(../../@) vif $VAR(../@)\""; "Error setting address $VAR(@) on dev $VAR(../../@).$VAR(../@) " +delete:expression: "sudo /opt/vyatta/sbin/vyatta-interfaces.pl --eth-addr-delete $VAR(@) --dev $VAR(../../@).$VAR(../@) \ +--intf-cli-path \"interfaces bonding $VAR(../../@) vif $VAR(../@)\""; "Error deleting address $VAR(@) on dev $VAR(../../@).$VAR(../@) " allowed: echo "dhcp <>" comp_help:Possible completions: <x.x.x.x/x> Set the IP address and prefix length diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/disable/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/disable/node.def index 66efddcc..78b24870 100644 --- a/templates/interfaces/bonding/node.tag/vif/node.tag/disable/node.def +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/disable/node.def 
@@ -1,3 +1,11 @@ help: Set interface disabled -update:sudo ip link set $VAR(../../@).$VAR(../@) down -delete:sudo ip link set $VAR(../../@).$VAR(../@) up +update: /etc/netplug/linkdown.d/dhclient $VAR(../../@).$VAR(../@) + if ! sudo ip link set $VAR(../../@).$VAR(../@) down 2>/dev/null; then + echo "Error disabling dev $VAR(../../@).$VAR(../@)" + /etc/netplug/linkup.d/dhclient $VAR(../../@).$VAR(../@) + exit 1 + fi +delete: if ! sudo ip link set $VAR(../../@).$VAR(../@) up; then + echo "Error enabling dev $VAR(../../@).$VAR(../@)" + exit 1 + fi diff --git a/templates/interfaces/bridge/node.tag/address/node.def b/templates/interfaces/bridge/node.tag/address/node.def index 3f04ec06..6e07ea7f 100644 --- a/templates/interfaces/bridge/node.tag/address/node.def +++ b/templates/interfaces/bridge/node.tag/address/node.def @@ -2,8 +2,10 @@ multi: type: txt help: Set an IP address for this interface syntax:expression: exec "/opt/vyatta/sbin/vyatta-interfaces.pl --valid-addr $VAR(@) --dev $VAR(../@)"; "Invalid IP address/prefix [$VAR(@)] for interface $VAR(../@)" -update:expression: "sudo /opt/vyatta/sbin/vyatta-interfaces.pl --eth-addr-update $VAR(@) --dev $VAR(../@)"; "Error setting address $VAR(@) on interface $VAR(../@)" -delete:expression: "sudo /opt/vyatta/sbin/vyatta-interfaces.pl --eth-addr-delete $VAR(@) --dev $VAR(../@)"; "Error deleting address $VAR(@) on interface $VAR(../@)" +update:expression: "sudo /opt/vyatta/sbin/vyatta-interfaces.pl --eth-addr-update $VAR(@) --dev $VAR(../@) \ +--intf-cli-path \"interfaces bridge $VAR(../@)\""; "Error setting address $VAR(@) on interface $VAR(../@)" +delete:expression: "sudo /opt/vyatta/sbin/vyatta-interfaces.pl --eth-addr-delete $VAR(@) --dev $VAR(../@) \ +--intf-cli-path \"interfaces bridge $VAR(../@)\""; "Error deleting address $VAR(@) on interface $VAR(../@)" allowed: echo "dhcp <>" comp_help:Possible completions: <x.x.x.x/x> Set the IP address and prefix length 
diff --git a/templates/interfaces/bridge/node.tag/disable/node.def b/templates/interfaces/bridge/node.tag/disable/node.def index 3aa26012..f4495164 100644 --- a/templates/interfaces/bridge/node.tag/disable/node.def +++ b/templates/interfaces/bridge/node.tag/disable/node.def @@ -1,11 +1,19 @@ type: bool help: Disable the bridge interface default: false -update:expression: "if [ x$VAR(@) == xtrue ]; then \ - sudo ip link set $VAR(../@) down; \ - else \ - sudo ip link set $VAR(../@) up; \ - fi; " +update: if [ x$VAR(@) == xtrue ]; then + /etc/netplug/linkdown.d/dhclient $VAR(../@) + if ! sudo ip link set $VAR(../@) down 2>/dev/null; then + echo "Error disabling dev $VAR(../@)" + /etc/netplug/linkup.d/dhclient $VAR(../@) + exit 1 + fi + else + if ! sudo ip link set $VAR(../@) up; then + echo "Error enabling dev $VAR(../@)" + exit 1 + fi + fi comp_help: possible completions: true Disable the bridge interface false Enable the bridge interface (default) diff --git a/templates/service/ssh/node.def b/templates/service/ssh/node.def index fbb29687..dbe32a6f 100644 --- a/templates/service/ssh/node.def +++ b/templates/service/ssh/node.def 
@@ -1,17 +1,16 @@ help: Enable/disable Secure SHell (SSH) protocol -delete:expression: "sudo /usr/sbin/invoke-rc.d ssh stop && \ - sudo sh -c \"echo 'SSHD_OPTS=' > /etc/default/ssh\" " -end:expression: "if [ -z \"$VAR(port/@)\" ]; then exit 0; fi; \ - sudo sh -c \ - \"[ -f /etc/ssh/ssh_host_key ] \ - || sudo ssh-keygen -t rsa1 -N '' -f /etc/ssh/ssh_host_key\"; \ - case \"$VAR(protocol-version/@)\" in \ - v2) VER=2;; \ - v1) VER=1;; \ - all) VER=\"1,2\";; \ - *) VER=2;; \ - esac; \ - STR=\"SSHD_OPTS=\\\"-p $VAR(port/@) -o HostKey=/etc/ssh/ssh_host_key \ --o Protocol=${VER}\\\"\"; \ - sudo sh -c \"echo '$STR' > /etc/default/ssh\"; \ - sudo /usr/sbin/invoke-rc.d ssh restart" +delete:sudo /usr/sbin/invoke-rc.d ssh stop + sudo sh -c "echo 'SSHD_OPTS=' > /etc/default/ssh" +end: if [ -z "$VAR(port/@)" ]; then exit 0; fi; + if [ ! -f /etc/ssh/ssh_host_key ]; then + sudo ssh-keygen -q -t rsa1 -N '' -f /etc/ssh/ssh_host_key + fi + case $VAR(protocol-version/@) in + v2) VER=2;; + v1) VER=1;; + all) VER="1,2";; + *) VER=2;; + esac; + STR="SSHD_OPTS=\"-p $VAR(port/@) -o Hostkey=/etc/ssh/ssh_host_key -o Protocol=${VER}\"" + sudo sh -c "echo '$STR' > /etc/default/ssh" + sudo /usr/sbin/invoke-rc.d ssh restart diff --git a/templates/service/ssh/protocol-version/node.def b/templates/service/ssh/protocol-version/node.def index 051ea062..d025015b 100644 --- a/templates/service/ssh/protocol-version/node.def +++ b/templates/service/ssh/protocol-version/node.def @@ -1,3 +1,4 @@ type: txt +allowed: echo "v1 v2 all" default: "v2" help: Set SSH version (default: v2) diff --git a/templates/system/login/tacacs-plus/acct-all/node.def b/templates/system/login/tacacs-plus/acct-all/node.def new file mode 100644 index 00000000..22522f17 --- /dev/null +++ b/templates/system/login/tacacs-plus/acct-all/node.def @@ -0,0 +1 @@ +help: Send TACACS+ accounting requests to all servers 
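Review bot: The rewritten `end:` script generates an SSHv1 `rsa1` host key and passes `-o Hostkey=/etc/ssh/ssh_host_key` to sshd unconditionally, even though the default (and `*)` fallback) is `VER=2`, so every box ends up with a protocol-1 key it never uses and a `Protocol=` line that can be flipped to `1,2` with one config change. Protocol 1 is the version with the long-known protocol-level weaknesses; its key material and options should exist only when the operator explicitly asked for `v1` or `all`. Decide `VER` first and make the key generation and the `HostKey` option conditional on it, as sketched below; the write to `/etc/default/ssh` and the restart are unchanged. The `end:` script starts and finishes inside this hunk.
```shell
end: if [ -z "$VAR(port/@)" ]; then exit 0; fi;
     case $VAR(protocol-version/@) in
         v2)  VER=2;;
         v1)  VER=1;;
         all) VER="1,2";;
         *)   VER=2;;
     esac;
     # SSHv1 has known protocol weaknesses; only create and advertise the
     # rsa1 host key when the operator explicitly enabled protocol 1.
     HOSTKEY_OPT=
     if [ "$VER" != 2 ]; then
         if [ ! -f /etc/ssh/ssh_host_key ]; then
             sudo ssh-keygen -q -t rsa1 -N '' -f /etc/ssh/ssh_host_key
         fi
         HOSTKEY_OPT="-o HostKey=/etc/ssh/ssh_host_key"
     fi
     STR="SSHD_OPTS=\"-p $VAR(port/@) $HOSTKEY_OPT -o Protocol=${VER}\""
     # … unchanged: write /etc/default/ssh and restart sshd …
```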
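Review bot: `allowed: echo "v1 v2 all"` only drives tab completion; nothing rejects a mistyped value, which the `case` in the parent `end:` script silently maps to `VER=2`, so an operator who types `v1.5` thinking they enabled something gets no error. Add a real check alongside it, e.g. `syntax:expression: $VAR(@) in "v1", "v2", "all"; "protocol-version must be v1, v2 or all"`. The help text could also say that `v1` and `all` enable the deprecated protocol 1.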
diff --git a/templates/system/login/tacacs-plus/debug/node.def b/templates/system/login/tacacs-plus/debug/node.def new file mode 100644 index 00000000..10aa10b1 --- /dev/null +++ b/templates/system/login/tacacs-plus/debug/node.def @@ -0,0 +1 @@ +help: Enable TACACS+ debugging diff --git a/templates/system/login/tacacs-plus/first-hit/node.def b/templates/system/login/tacacs-plus/first-hit/node.def new file mode 100644 index 00000000..18f2fdf6 --- /dev/null +++ b/templates/system/login/tacacs-plus/first-hit/node.def @@ -0,0 +1 @@ +help: Set TACACS+ to try multiple servers if a negative auth is returned diff --git a/templates/system/login/tacacs-plus/no-encrypt/node.def b/templates/system/login/tacacs-plus/no-encrypt/node.def new file mode 100644 index 00000000..7aa90dfb --- /dev/null +++ b/templates/system/login/tacacs-plus/no-encrypt/node.def @@ -0,0 +1 @@ +help: Set TACACS+ to not encrypt communications diff --git a/templates/system/login/tacacs-plus/node.def b/templates/system/login/tacacs-plus/node.def new file mode 100644 index 00000000..d8eab559 --- /dev/null +++ b/templates/system/login/tacacs-plus/node.def @@ -0,0 +1,3 @@ +help: Set TACACS+ server authentication +commit:expression: $VAR(server) != "" && $VAR(secret) != "" + ; "One server and a secret must be specified for TACACS+" diff --git a/templates/system/login/tacacs-plus/protocol/node.def b/templates/system/login/tacacs-plus/protocol/node.def new file mode 100644 index 00000000..6a5c739d --- /dev/null +++ b/templates/system/login/tacacs-plus/protocol/node.def @@ -0,0 +1,2 @@ +type: txt +help: Set TACACS+ protocol for authentication and accounting diff --git a/templates/system/login/tacacs-plus/secret/node.def b/templates/system/login/tacacs-plus/secret/node.def new file mode 100644 index 00000000..0f673ae2 --- /dev/null +++ b/templates/system/login/tacacs-plus/secret/node.def @@ -0,0 +1,2 @@ +type: txt +help: Set TACACS+ secret 
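Review bot: The `no-encrypt` help line does not tell the operator what they are giving up: with encryption off the TACACS+ exchange, including the login password, crosses the network in the clear. Spell out the consequence so it is not chosen casually, e.g. `help: Send TACACS+ traffic unencrypted (credentials visible on the wire; troubleshooting only)`.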
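Review bot: `secret` is declared `type: txt` with no `syntax:` restriction, yet `vyatta_update_login.pl` in this same diff splices the value into a `sudo sh -c "sed -i '...'"` string, so a secret containing `/`, `&`, `"`, `$` or a backtick breaks the PAM rewrite or is interpreted by the shell. Until that consumer escapes its input, constrain the value here, e.g. `syntax:expression: pattern $VAR(@) "^[A-Za-z0-9._:+=@-]+$" ; "TACACS+ secret may only contain letters, digits and ._:+=@-"`. The help text should also mention that the secret is stored in plain text in the configuration and copied into the PAM files, since TACACS+ gives no way around keeping it recoverable.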
diff --git a/templates/system/login/tacacs-plus/server/node.def b/templates/system/login/tacacs-plus/server/node.def new file mode 100644 index 00000000..dc1b1e94 --- /dev/null +++ b/templates/system/login/tacacs-plus/server/node.def @@ -0,0 +1,3 @@ +multi: +type: ipv4 +help: Set TACACS+ server IP addresses diff --git a/templates/system/login/tacacs-plus/service/node.def b/templates/system/login/tacacs-plus/service/node.def new file mode 100644 index 00000000..10d1729b --- /dev/null +++ b/templates/system/login/tacacs-plus/service/node.def @@ -0,0 +1,2 @@ +type: txt +help: Set TACACS+ service for authentication and accounting diff --git a/templates/system/ntp-server/node.def b/templates/system/ntp-server/node.def index 485cf774..a063431f 100644 --- a/templates/system/ntp-server/node.def +++ b/templates/system/ntp-server/node.def @@ -2,9 +2,12 @@ multi: type: txt help: Set name or IP address of Network Time Protocol (NTP) server update:sudo sh -c \ - "touch /etc/ntp.conf - if ! grep -q 'server.*$VAR(@)' /etc/ntp.conf; then + "if ! grep -q 'server.*$VAR(@)' /etc/ntp.conf; then echo \"server $VAR(@) iburst dynamic\" >> /etc/ntp.conf + fi + if [ $(pgrep -c ntpd) -eq 0 ]; then + /usr/sbin/invoke-rc.d ntp start + else /usr/sbin/invoke-rc.d ntp restart fi" delete:sudo sh -c \ |
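Review bot: The rewritten `update:` script still tests `grep -q 'server.*$VAR(@)'`, an unanchored regex, so a new server whose address is a prefix of one already present (adding `10.0.0.1` when `10.0.0.10` is configured) is never appended and ntpd keeps running without it; `.` in the address also matches any character. Match the exact entry as a fixed string instead: `if ! grep -qF -- "server $VAR(@) " /etc/ntp.conf; then`, which relies on the `iburst dynamic` suffix that this same script writes. Dropping the `touch` is fine since `>>` creates the file, but `grep` then returns 2 on the first server and the `!` treats that as "not found", which happens to be the intended result.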