From 5e55ab28a732d0082c803f1e473936a3d9c92f22 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Mon, 26 Apr 2010 14:49:14 -0700 Subject: Ignore comments in level file Standard practice to ignore lines starting with # --- lib/Vyatta/Login/User.pm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm index 419a882d..fa0cca7d 100755 --- a/lib/Vyatta/Login/User.pm +++ b/lib/Vyatta/Login/User.pm @@ -47,7 +47,9 @@ sub _level_groups { while (<$f>) { chomp; + # Ignore blank lines and comments next unless $_; + next if /^#/; my ( $l, $g ) = split /:/; if ( $l eq $level ) { -- cgit v1.2.3 From 59cae244d055a7b5ba9de460d3ebbb5700d6ab17 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Mon, 26 Apr 2010 14:55:46 -0700 Subject: Set capabilities on standard utilities This sets extended capablities on some common utilities --- debian/control | 1 + debian/vyatta-cfg-system.postinst.in | 11 +++++++++++ 2 files changed, 12 insertions(+) diff --git a/debian/control b/debian/control index c1d19a95..57fdb2c7 100644 --- a/debian/control +++ b/debian/control @@ -28,6 +28,7 @@ Depends: acpid, vyatta-keepalived (>= 1.1.15-1-vyatta-5), bridge-utils, ethtool, + libcap2-bin, ssh (>= 1:5.1p1-5), openssh-server (>= 1:5.1p1-5), ed, diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index b2719bc5..288ea7c5 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in 
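Review bot: The new `next if /^#/;` in _level_groups only recognises a comment that starts in column 0, and the `next unless $_;` just before it still passes a whitespace-only line on to `split`, where it yields an undefined `$l`. Widening the guard to `next if /^\s*(?:#|$)/;` skips indented comments and blank-looking lines in one place and keeps the existing `next unless $_;` meaningful for the empty string. _level_groups starts and ends outside this hunk.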
@@ -154,6 +154,17 @@ dpkg-reconfigure -f noninteractive openssh-server rm -f /etc/ssh/*.broken update-rc.d -f ssh remove >/dev/null +# +# Set extended capabilities on some files +setcap cap_net_admin+e /usr/sbin/ethtool +setcap cap_sys_admin+e /sbin/sysctl +setcap cap_audit_write+e /bin/vbash +setcap cap_net_admin+e /sbin/ip +setcap cap_net_admin+e /sbin/tc cap_net_admin+e /sbin/ip +setcap cap_net_admin+e /usr/sbin/arp +setcap cap_net_admin+e /sbin/iptables cap_net_admin+e /sbin/ip6tables +setcap cap_net_admin+e /usr/sbin/conntrack + # Fix up PAM configuration for login so that invalid users are prompted # for password sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login -- cgit v1.2.3 From 845d1bd87be28deb65db22e47e29ba7a89c37b4b Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Tue, 27 Apr 2010 15:20:38 -0700 Subject: Make interface help completion strings consistent Use same format/syntax over all interface types. Bug 5257 --- templates/interfaces/bonding/node.def | 4 ++-- templates/interfaces/bridge/node.def | 4 ++-- templates/interfaces/ethernet/node.def | 4 +++- templates/interfaces/input/node.def | 3 ++- templates/interfaces/loopback/node.def | 3 ++- templates/interfaces/pseudo-ethernet/node.def | 4 ++-- templates/interfaces/tunnel/node.def | 4 ++-- 7 files changed, 15 insertions(+), 11 deletions(-) diff --git a/templates/interfaces/bonding/node.def b/templates/interfaces/bonding/node.def index bb1b9ae3..9e27ebad 100644 --- a/templates/interfaces/bonding/node.def +++ b/templates/interfaces/bonding/node.def @@ -1,7 +1,8 @@ tag: priority: 315 type: txt -help: Set bonding interface +help: Set bonding interface name +comp_help: Enter bonding interface name (bond0 - bond99) syntax:expression: pattern $VAR(@) "^bond[0-9]+$" \ ; "bonding must be (bond0-bond99)" begin: if [ ! -f /sys/class/net/bonding_masters ]; then 
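Review bot: Every `setcap` line here sets only the effective flag (`+e`); a file capability also needs the permitted flag, so `+e` alone is either rejected by setcap or leaves the permitted set empty, and none of these binaries gains anything — `cap_net_admin+ep` is the form that takes effect. The targets are bare host paths (`/sbin/ip`, `/sbin/iptables`, `/sbin/sysctl`) while the `sed` two lines below operates on `$rootfsdir/etc/pam.d/login`, so the block is inconsistent about which tree it is preparing, and no setcap exit status is checked. Making ip, iptables, sysctl and conntrack capability-enabled for every local account is a broad grant; if it is kept, the comment above the block should say which users are meant to benefit and why the capability is preferred over sudo. (This commit is reverted further down in this series.)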
@@ -18,4 +19,3 @@ delete: SLAVES=`cat /sys/class/net/$VAR(@)/bonding/slaves`; echo "bonded interface $VAR(@) still has slaves: $SLAVES" exit 1; fi -comp_help: Enter bond interface name (bond0 - bond99) diff --git a/templates/interfaces/bridge/node.def b/templates/interfaces/bridge/node.def index 55c961ba..343cf984 100644 --- a/templates/interfaces/bridge/node.def +++ b/templates/interfaces/bridge/node.def @@ -1,7 +1,8 @@ tag: priority: 310 type: txt -help: Set bridge interface +help: Set bridge interface name +comp_help: "Enter bridge interface name (br0 - br999)" syntax:expression: pattern $VAR(@) "^br[0-9]+$" ; "Must be (br0 - br999)" @@ -16,4 +17,3 @@ delete: if ! /opt/vyatta/sbin/vyatta-bridgegroup-depedency.pl \ sudo ip link set $VAR(@) down; sudo brctl delbr $VAR(@); -comp_help: "Enter bridge interface name (br0 - br999)" diff --git a/templates/interfaces/ethernet/node.def b/templates/interfaces/ethernet/node.def index 081cabb5..0b67836b 100644 --- a/templates/interfaces/ethernet/node.def +++ b/templates/interfaces/ethernet/node.def @@ -1,7 +1,9 @@ tag: priority: 318 type: txt -help: Set ethernet interface +help: Set Ethernet interface name +comp_help: Enter Ethernet interface name (eth0 - eth999) + allowed: /opt/vyatta/sbin/vyatta-interfaces.pl --show=ethernet syntax:expression: pattern $VAR(@) "^eth[0-9]+$" \ ; "interface ethernet $VAR(@): not a valid name" diff --git a/templates/interfaces/input/node.def b/templates/interfaces/input/node.def index 2695b8a6..b90cb0b3 100644 --- a/templates/interfaces/input/node.def +++ b/templates/interfaces/input/node.def 
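Review bot: The bridge hunk writes `comp_help: "Enter bridge interface name (br0 - br999)"` with surrounding double quotes, whereas the bonding, ethernet, input, loopback, pseudo-ethernet and tunnel hunks leave the value unquoted; unless the template parser strips them the quotes will show up in the completion text, and either way the commit's stated goal is one format for all interface types. The pseudo-ethernet hunk similarly says `help: Set Pseudo Ethernet device name` where every other file in this change says `... interface name`. Suggested: `comp_help: Enter bridge interface name (br0 - br999)` and `help: Set Pseudo Ethernet interface name`.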
@@ -2,9 +2,10 @@ tag: priority: 310 # before real devices that redirect type: txt help: Set input functional block (IFB) interface +comp_help: Enter input functional block interface name (ifb0 - ifb999) + syntax:expression: pattern $VAR(@) "^ifb[0-9]+$" ; "name must be (ifb0-ifb999)" begin: [ -d /sys/module/ifb ] || sudo modprobe ifb numifbs=0 create: sudo ip link add $VAR(@) type ifb && sudo ip link set $VAR(@) up delete: sudo ip link delete dev $VAR(@) -comp_help: Enter input functional block interface name (ifb0 - ifb999) diff --git a/templates/interfaces/loopback/node.def b/templates/interfaces/loopback/node.def index 8312aafe..ae166e7b 100644 --- a/templates/interfaces/loopback/node.def +++ b/templates/interfaces/loopback/node.def @@ -1,7 +1,8 @@ tag: priority: 300 type: txt -help: Set loopback interface +help: Set loopback interface name +comp_help: Enter looback interface name (lo) syntax:expression: exec \ "/opt/vyatta/sbin/vyatta-interfaces.pl --dev=$VAR(@) --check=loopback" allowed: /opt/vyatta/sbin/vyatta-interfaces.pl --show=loopback diff --git a/templates/interfaces/pseudo-ethernet/node.def b/templates/interfaces/pseudo-ethernet/node.def index cdbff5c8..14ee0a34 100644 --- a/templates/interfaces/pseudo-ethernet/node.def +++ b/templates/interfaces/pseudo-ethernet/node.def @@ -1,7 +1,8 @@ tag: priority: 390 type: txt -help: Set Virtual Ethernet device +help: Set Pseudo Ethernet device name +comp_help: Enter Pseudo Ethernet interface name (peth0 - peth999) syntax:expression: pattern $VAR(@) "^peth[0-9]+$" \ ; "name must be (peth0-peth999)" commit:expression: $VAR(link) != "" @@ -10,4 +11,3 @@ create: sudo ip link add $VAR(@) link $VAR(link/@) type macvlan || exit 1 sudo ip link set $VAR(@) up /opt/vyatta/sbin/vyatta-link-detect $VAR(@) on delete: sudo ip link delete dev $VAR(@) type macvlan -comp_help: Enter virtual ethernet interface name (peth0 - peth999) 
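Review bot: The loopback hunk misspells the interface type in the new user-visible completion string, `comp_help: Enter looback interface name (lo)`. It should read `comp_help: Enter loopback interface name (lo)`. Nothing else in that hunk needs changing.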
diff --git a/templates/interfaces/tunnel/node.def b/templates/interfaces/tunnel/node.def index ba3fa49a..c4446163 100644 --- a/templates/interfaces/tunnel/node.def +++ b/templates/interfaces/tunnel/node.def @@ -1,7 +1,8 @@ tag: priority: 380 type: txt -help: Set tunnel interface +help: Set tunnel interface name +comp_help: Enter tunnel interface name (tun0 - tun999) syntax:expression: pattern $VAR(@) "^tun[0-9]+$" \ ; "tunnel must be (tun0-tun999)" @@ -28,4 +29,3 @@ create:expression: "\ delete:expression: "sudo ip tunnel del $VAR(@)" ; "Error deleting $VAR(@)" -comp_help: Enter tunnel interface name (tun0 - tun999) -- cgit v1.2.3 From fddfbe9ca26b542ee31ba7b281f892708fa1459f Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Tue, 27 Apr 2010 15:26:01 -0700 Subject: Revert "Set capabilities on standard utilities" This reverts commit 59cae244d055a7b5ba9de460d3ebbb5700d6ab17. Don't want to do this this way. --- debian/control | 1 - debian/vyatta-cfg-system.postinst.in | 11 ----------- 2 files changed, 12 deletions(-) diff --git a/debian/control b/debian/control index 57fdb2c7..c1d19a95 100644 --- a/debian/control +++ b/debian/control @@ -28,7 +28,6 @@ Depends: acpid, vyatta-keepalived (>= 1.1.15-1-vyatta-5), bridge-utils, ethtool, - libcap2-bin, ssh (>= 1:5.1p1-5), openssh-server (>= 1:5.1p1-5), ed, diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 288ea7c5..b2719bc5 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in 
@@ -154,17 +154,6 @@ dpkg-reconfigure -f noninteractive openssh-server rm -f /etc/ssh/*.broken update-rc.d -f ssh remove >/dev/null -# -# Set extended capabilities on some files -setcap cap_net_admin+e /usr/sbin/ethtool -setcap cap_sys_admin+e /sbin/sysctl -setcap cap_audit_write+e /bin/vbash -setcap cap_net_admin+e /sbin/ip -setcap cap_net_admin+e /sbin/tc cap_net_admin+e /sbin/ip -setcap cap_net_admin+e /usr/sbin/arp -setcap cap_net_admin+e /sbin/iptables cap_net_admin+e /sbin/ip6tables -setcap cap_net_admin+e /usr/sbin/conntrack - # Fix up PAM configuration for login so that invalid users are prompted # for password sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login -- cgit v1.2.3 From ccbcc2939853cfc877970b3750a625d536fe219f Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Tue, 27 Apr 2010 15:27:49 -0700 Subject: 0.17.36 --- debian/changelog | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/debian/changelog b/debian/changelog index e64453c1..85a6476d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +vyatta-cfg-system (0.17.36) unstable; urgency=low + + * Ignore comments in level file + * Set capabilities on standard utilities + * Make interface help completion strings consistent + * Revert "Set capabilities on standard utilities" + + -- Stephen Hemminger Tue, 27 Apr 2010 15:27:49 -0700 + vyatta-cfg-system (0.17.35) unstable; urgency=low * Configure IFB devices earlier in boot -- cgit v1.2.3 From c634b7d41c241a9b033e16ff32ba26a6d99bc227 Mon Sep 17 00:00:00 2001 
From: Bob Gilligan Date: Fri, 30 Apr 2010 15:45:44 -0700 Subject: Allow user to name system images when installing them. Now we ask the user what they would like to name an image when they are installing. The default answer is the same string used previously: The Vyatta version string. --- scripts/install/install-image-existing | 49 +++++++++++++++++++++++++--------- scripts/install/install-image-new | 31 +++++++++++++++++---- scripts/install/install-postinst-new | 6 ++++- 3 files changed, 67 insertions(+), 19 deletions(-) diff --git a/scripts/install/install-image-existing b/scripts/install/install-image-existing index ce0e502d..bad2be58 100755 --- a/scripts/install/install-image-existing +++ b/scripts/install/install-image-existing @@ -54,16 +54,27 @@ fi # get new version string. this is from the squashfs image. NEWVER=`dpkg -l --root=${CD_SQUASH_ROOT} | grep "^.. vyatta-version " | awk '{print $3}'` +NEWNAME=$NEWVER -if [ -z "$NEWVER" ]; then - failure_exit 'Cannot find new release version.' +echo -n "What would you like to name this image? [$NEWNAME]: " +read response +if [ -n "$response" ]; then + NEWNAME=$response fi -if [ "$CURVER" == "$NEWVER" ]; then - echo "Image version $NEWVER is the same as the running system." - echo "Cannot install the same release version as the running system." - exit 1 + +# Validate image name +if [ "$NEWNAME" = "grub" -o "${NEWNAME:0:7}" = "vmlinuz" -o \ + "${NEWNAME:0:6}" = "initrd" -o "${NEWNAME:0:10}" = "System.map" -o \ + "$NEWNAME" = "Old-non-image-installation" ]; then + echo "Can't use $NEWNAME. It is a reserved image name." + exit 1; +fi + +if [ -z "$NEWNAME" ]; then + failure_exit 'Invalid image name.' fi +echo "OK. This image will be named: $NEWNAME" # this is the default if current install is union BOOT_DIR=/live/image/boot 
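Review bot: The new validation block rejects a handful of reserved names but does not restrict the characters in `$NEWNAME`, yet the name is later used unquoted as a path component (`REL_ROOT=$BOOT_DIR/$NEWNAME`, `[ -d $BOOT_DIR/$NEWNAME ]`) and as replacement text in the grub `sed` commands, where `/`, `&`, `\` and the `X` delimiter all have meaning. An answer containing a space, a slash or `..` therefore either breaks the install or creates the image outside `$BOOT_DIR`. A character allow-list in front of the reserved-name test closes both problems: `case "$NEWNAME" in ''|.*|*[!A-Za-z0-9._-]*) failure_exit 'Invalid image name.' ;; esac`, after which the separate `-z` check becomes redundant. The identical block in the install-image-new hunk needs the same change; both scripts already call get_response and failure_exit, presumably from a shared include, and the check belongs there rather than being copied twice.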
@@ -74,24 +85,30 @@ elif [ "$CUR_INSTALL" != 'union' ]; then exit 1 fi -if [ -d $BOOT_DIR/$NEWVER ]; then - echo "Version $NEWVER is already installed on this system." +if [ -d $BOOT_DIR/$NEWNAME ]; then + if [ "$CURVER" = "$NEWNAME" ]; then + echo "$NEWNAME is the image you are currently running. Can't" + echo "Re-install over the running image." + exit 1 + fi + + echo "An image named $NEWNAME is already installed on this system." echo "Proceeding with this installation will delete this copy of" - echo "$NEWVER and replace it with a new copy." + echo "$NEWNAME and replace it with a new copy." echo -n "Do you want to replace it? (Yes/No) [No]: " resp=$(get_response "No" "Yes No Y N") if [ "$resp" != 'yes' ] && [ "$resp" != 'y' ]; then - echo "OK. Will not replace $NEWVER" + echo "OK. Will not replace $NEWNAME" echo "Exiting..." exit 1 fi fi # start the install -echo "Installing \"$NEWVER\" release." +echo "Installing \"$NEWNAME\" image." # create the new release directories -REL_ROOT=$BOOT_DIR/$NEWVER +REL_ROOT=$BOOT_DIR/$NEWNAME RW_DIR="$REL_ROOT/live-rw" if ! mkdir -p "$RW_DIR"; then failure_exit 'Cannot create directory for new release.' @@ -163,10 +180,16 @@ if [ -e "$DEF_GRUB" ]; then echo "Setting up grub configuration..." new_index=$(get_grub_index) + def_grub_vers=/tmp/def_grub.$$ + cp $DEF_GRUB $def_grub_vers + sed -i "s/menuentry \"Vyatta.*(/menuentry \"Vyatta image $NEWNAME (/" $def_grub_vers + sed -i "s/menuentry \"Lost password change.*(/menuentry \"Lost password change $NEWNAME (/" $def_grub_vers + sed -i "sX/boot/[A-Za-z0-9\.]*X/boot/${NEWNAME}Xg" $def_grub_vers + old_grub_cfg=$BOOT_DIR/grub/grub.cfg new_grub_cfg=/tmp/grub.cfg.$$ sed -n '/^menuentry/q;p' $old_grub_cfg >$new_grub_cfg - cat $DEF_GRUB >>$new_grub_cfg + cat $def_grub_vers >> $new_grub_cfg sed -n '/^menuentry/,${p}' $old_grub_cfg >>$new_grub_cfg sed -i "s/^set default=[0-9]\+$/set default=$new_index/" $new_grub_cfg mv $new_grub_cfg $old_grub_cfg 
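Review bot: In the grub hunk `def_grub_vers=/tmp/def_grub.$$` is a predictable name in a world-writable directory, and the file is never removed after `cat $def_grub_vers >> $new_grub_cfg`, so every install leaves a copy behind and a pre-existing entry at that path (a symlink, for instance) would be followed by `cp` and by the `sed -i` calls. Use `def_grub_vers=$(mktemp /tmp/def_grub.XXXXXX) || failure_exit 'Cannot create temporary grub entry.'` and add `rm -f "$def_grub_vers"` once it has been appended; `new_grub_cfg=/tmp/grub.cfg.$$` on the following line has the same shape and can be fixed the same way. The enclosing `if [ -e "$DEF_GRUB" ]` block starts before this hunk.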
diff --git a/scripts/install/install-image-new b/scripts/install/install-image-new index 7294fc35..5726fa03 100755 --- a/scripts/install/install-image-new +++ b/scripts/install/install-image-new @@ -24,15 +24,36 @@ if ! try_mount "/dev/$ROOT_PARTITION $WRITE_ROOT"; then fi version=$(get_new_version) -if [ -z "$version" ]; then +image_name=$version +if [ -z "$image_name" ]; then echo 'Cannot find new version. Exiting...' exit 1 fi +echo -n "What would you like to name this image? [$image_name]: " +read response +if [ -n "$response" ]; then + image_name=$response +fi + +# Validate image name +if [ "$image_name" = "grub" -o "${image_name:0:7}" = "vmlinuz" -o \ + "${image_name:0:6}" = "initrd" -o "${image_name:0:10}" = "System.map" -o \ + "$image_name" = "Old-non-image-installation" ]; then + echo "Can't use $image_name. It is a reserved image name." + exit 1; +fi + +if [ -z "$image_name" ]; then + failure_exit 'Invalid image name.' +fi + +echo "OK. This image will be named: $image_name" + # make the dir for the new version -mkdir -p $WRITE_ROOT/boot/$version +mkdir -p $WRITE_ROOT/boot/$image_name # make dir for backing store -rw_dir=$WRITE_ROOT/boot/$version/live-rw +rw_dir=$WRITE_ROOT/boot/$image_name/live-rw mkdir -p $rw_dir echo Copying squashfs image... @@ -53,10 +74,10 @@ if [ ! -f "$squash_img" ] || [ -z "$boot_files" ]; then fi fi -target_squash=$WRITE_ROOT/boot/$version/$version.squashfs +target_squash=$WRITE_ROOT/boot/$image_name/$version.squashfs cp -p $squash_img $target_squash echo Copying kernel and initrd images... -cp -dp $boot_files $WRITE_ROOT/boot/$version/ +cp -dp $boot_files $WRITE_ROOT/boot/$image_name/ # set up union root for postinst mkdir -p $INST_ROOT $READ_ROOT diff --git a/scripts/install/install-postinst-new b/scripts/install/install-postinst-new index 65c6cd7f..c96f5657 100755 --- a/scripts/install/install-postinst-new +++ b/scripts/install/install-postinst-new 
@@ -133,9 +133,13 @@ if [ -z "$version" ]; then exit 1 fi +array=( $WRITE_ROOT/boot/* ) +image_name=${array[0]} +image_name=${image_name#$WRITE_ROOT/boot/} + # these are the defaults for "union" grub_root=$WRITE_ROOT -grub_setup_args="-u $version" +grub_setup_args="-u $image_name" if [ "$INSTALL_TYPE" == 'old' ]; then grub_root=$INST_ROOT grub_setup_args="-v $version" -- cgit v1.2.3 From 763e6473a0ec3a96fdd83d574c44cb689f4c7a36 Mon Sep 17 00:00:00 2001 From: Bob Gilligan Date: Fri, 30 Apr 2010 15:48:58 -0700 Subject: 0.17.37 --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index 85a6476d..7cc9a17d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +vyatta-cfg-system (0.17.37) unstable; urgency=low + + * Allow user to name system images when installing them. + + -- Bob Gilligan Fri, 30 Apr 2010 15:48:57 -0700 + vyatta-cfg-system (0.17.36) unstable; urgency=low * Ignore comments in level file -- cgit v1.2.3 From 83cca7053bba3181b451609fee641271b3b7adf3 Mon Sep 17 00:00:00 2001 From: Bob Gilligan Date: Mon, 3 May 2010 17:19:15 -0700 Subject: Add code to check digital signature of image files. In URL mode, we now check for a digital signature file. If one exists, we'll try to download it and check the signature. --- scripts/install/install-image | 33 +++++++++++++++++++++++++++++++++ scripts/install/install-image-existing | 2 +- 2 files changed, 34 insertions(+), 1 deletion(-) diff --git a/scripts/install/install-image b/scripts/install/install-image index 607dcc98..c4bf3800 100755 --- a/scripts/install/install-image +++ b/scripts/install/install-image 
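Review bot: `array=( $WRITE_ROOT/boot/* ); image_name=${array[0]}` recovers the image name by taking the alphabetically first entry under boot, which is only correct while that directory holds exactly one entry; a second image, or a `grub` directory created before this point, silently selects the wrong name for `grub_setup_args`, and if the glob matches nothing `image_name` becomes the literal pattern. The value was chosen interactively in install-image-new one step earlier, so passing it through (an exported variable or a small state file) is more robust than rediscovering it; failing that, guard the glob with `[ ${#array[@]} -eq 1 ] || { echo 'Cannot determine image name. Exiting...'; exit 1; }`. Whether this code sits inside a function is not visible in the hunk.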
@@ -69,6 +69,39 @@ fetch_iso_by_url () fi echo "ISO download suceeded." + + echo "Checking for digital signature file..." + curl -f -o $(unknown).asc ${NEW_ISO}.asc + if [ $? -ne 0 ]; then + echo "Unable to fetch digital signature file." + echo -n "Do you want to continue without signature check? (yes/no) [yes] " + + response=$(get_response "Yes" "Yes No Y N") + if [ "$response" == "no" ] || [ "$response" == "n" ]; then + fail_exit 'OK. Installation will not be performed.' + fi + + # In case signature file was partially downloaded... + rm -f $(unknown).asc + fi + + if [ -e $(unknown).asc ]; then + echo "Found it. Checking digital signature..." + gpg --keyring /etc/apt/trusted.gpg --verify $(unknown).asc + if [ $? -ne 0 ]; then + echo "Signature check FAILED." + echo -n "Do you want to continue anyway? (yes/no) [no] " + response=$(get_response "Yes" "Yes No Y N") + if [ "$response" == "no" ] || [ "$response" == "n" ]; then + fail_exit 'OK. Installation will not be performed.' + fi + + echo "OK. Proceding with installation anyway." + else + echo "Digital signature is valid." + fi + fi + NEW_ISO=$filename } diff --git a/scripts/install/install-image-existing b/scripts/install/install-image-existing index bad2be58..d35437ba 100755 --- a/scripts/install/install-image-existing +++ b/scripts/install/install-image-existing @@ -184,7 +184,7 @@ if [ -e "$DEF_GRUB" ]; then cp $DEF_GRUB $def_grub_vers sed -i "s/menuentry \"Vyatta.*(/menuentry \"Vyatta image $NEWNAME (/" $def_grub_vers sed -i "s/menuentry \"Lost password change.*(/menuentry \"Lost password change $NEWNAME (/" $def_grub_vers - sed -i "sX/boot/[A-Za-z0-9\.]*X/boot/${NEWNAME}Xg" $def_grub_vers + sed -i "sX/boot/[A-Za-z0-9\.\-]*X/boot/${NEWNAME}Xg" $def_grub_vers old_grub_cfg=$BOOT_DIR/grub/grub.cfg new_grub_cfg=/tmp/grub.cfg.$$ -- cgit v1.2.3 From 660d14965683fed85c6548316de8a10dc430a3ab Mon Sep 17 00:00:00 2001 
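Review bot: On the failed-signature branch the prompt says `(yes/no) [no]` but the code calls `get_response "Yes" "Yes No Y N"`, so pressing Enter after a FAILED check continues the installation — the opposite of what the user is told; change it to `response=$(get_response "No" "Yes No Y N")`. A `.asc` that could not be fetched is also accepted by default, which is a reasonable choice for optional signing but deserves a comment such as `# Signature file is optional: absence is reported, not enforced`. `gpg --keyring /etc/apt/trusted.gpg` adds that keyring to gpg's defaults rather than replacing them, so if only the apt trust anchors are intended add `--no-default-keyring`, and `--verify` is safer given both the signature and the ISO path explicitly than left to guess the data file name. Typos in user-facing strings: "suceeded", "Proceding". The enclosing fetch_iso_by_url starts before this hunk.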
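Review bot: Inside a POSIX bracket expression a backslash is an ordinary character, so the new `[A-Za-z0-9\.\-]*` also matches a literal `\`; harmless for a `/boot/...` path but misleading, and the portable spelling is `sX/boot/[A-Za-z0-9.-]*X/boot/${NEWNAME}Xg`. `$NEWNAME` is still substituted raw into the replacement, so it must never contain the `X` delimiter or `&`; that depends entirely on the name validation done earlier in the script. The surrounding `if [ -e "$DEF_GRUB" ]` block starts before this hunk.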
From: Bob Gilligan Date: Mon, 3 May 2010 17:21:10 -0700 Subject: 0.17.38 --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index 7cc9a17d..c2a364b5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +vyatta-cfg-system (0.17.38) unstable; urgency=low + + * Add code to check digital signature of image files. + + -- Bob Gilligan Mon, 03 May 2010 17:21:10 -0700 + vyatta-cfg-system (0.17.37) unstable; urgency=low * Allow user to name system images when installing them. -- cgit v1.2.3 From c5fc79c7f9149bd81254c0b4826f78b1c7e02008 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Fri, 7 May 2010 15:00:38 -0700 Subject: Preserve file capablities and attributes during install-system --- scripts/install-system | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/install-system b/scripts/install-system index d17f0c2e..06deb0a3 100755 --- a/scripts/install-system +++ b/scripts/install-system @@ -936,7 +936,7 @@ install_root_filesystem () { exit 1 fi - output=$(cp -pR /mnt/squashfs/* $rootfsdir/) + output=$(cp --preserve=all -R /mnt/squashfs/* $rootfsdir/) status=$? if [ "$status" != 0 ]; then -- cgit v1.2.3 From 427ab38e9d8144b185e53f29504df36d48277ac4 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Fri, 7 May 2010 15:03:46 -0700 Subject: Preserve file attributes of root files Want to preserve labels and other attributes --- scripts/install/install-image-existing | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/install/install-image-existing b/scripts/install/install-image-existing index ce0e502d..c243fda6 100755 --- a/scripts/install/install-image-existing +++ b/scripts/install/install-image-existing 
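Review bot: `cp --preserve=all -R /mnt/squashfs/* $rootfsdir/` still relies on an unquoted `*`, which skips dot-entries at the top of the squashfs and word-splits any name containing whitespace, so the attribute-preservation fix is paired with a copy that does not take everything. `cp -a /mnt/squashfs/. "$rootfsdir/"` is `-dR --preserve=all` over the full directory contents, hidden entries included, and is the usual spelling for a root-filesystem copy. The enclosing install_root_filesystem continues beyond this hunk.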
@@ -108,7 +108,7 @@ if [ ! -f "$squash_img" ] || [ -z "$boot_files" ]; then fi target_squash=$REL_ROOT/$NEWVER.squashfs cp -p $squash_img $target_squash >&/dev/null -cp -dp $boot_files $REL_ROOT/ >&/dev/null +cp --no-dereference --preserve=all $boot_files $REL_ROOT/ >&/dev/null # mount copied squashfs if ! try_mount "-o loop,ro $target_squash $READ_ROOT"; then -- cgit v1.2.3 From 027071f891316b3c9dd2aa5dec2f119b5ffbd158 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Fri, 7 May 2010 15:25:23 -0700 Subject: 0.17.39 --- debian/changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/changelog b/debian/changelog index c2a364b5..67a5bc06 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +vyatta-cfg-system (0.17.39) unstable; urgency=low + + * Preserve file capablities and attributes during install-system + * Preserve file attributes of root files + + -- Stephen Hemminger Fri, 07 May 2010 15:25:22 -0700 + vyatta-cfg-system (0.17.38) unstable; urgency=low * Add code to check digital signature of image files. -- cgit v1.2.3 From 5aafb72b269d409500258f0b65f3e635d99712b7 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Tue, 11 May 2010 17:44:21 -0700 Subject: Snmp Ipv6 support Simple change to allow ipv6 or ipv4 address in configuration. --- templates/service/snmp/community/node.tag/client/node.def | 2 +- templates/service/snmp/community/node.tag/network/node.def | 2 +- templates/service/snmp/trap-source/node.def | 2 +- templates/service/snmp/trap-target/node.def | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/service/snmp/community/node.tag/client/node.def b/templates/service/snmp/community/node.tag/client/node.def index 828faa97..427a9939 100644 --- a/templates/service/snmp/community/node.tag/client/node.def +++ b/templates/service/snmp/community/node.tag/client/node.def @@ -1,3 +1,3 @@ multi: -type: ipv4 +type: ipv4,ipv6 help: Set IP address of SNMP client allowed to contact system 
diff --git a/templates/service/snmp/community/node.tag/network/node.def b/templates/service/snmp/community/node.tag/network/node.def index 00a77d4b..4b80a51b 100644 --- a/templates/service/snmp/community/node.tag/network/node.def +++ b/templates/service/snmp/community/node.tag/network/node.def @@ -1,4 +1,4 @@ multi: -type: ipv4net +type: ipv4net,ipv6net help: Set subnet of SNMP client(s) allowed to contact system syntax:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --check-prefix-boundry $VAR(@)" diff --git a/templates/service/snmp/trap-source/node.def b/templates/service/snmp/trap-source/node.def index d8add72c..61a8cd6a 100644 --- a/templates/service/snmp/trap-source/node.def +++ b/templates/service/snmp/trap-source/node.def @@ -1,2 +1,2 @@ -type: ipv4 +type: ipv4,ipv6 help: Set SNMP trap source address diff --git a/templates/service/snmp/trap-target/node.def b/templates/service/snmp/trap-target/node.def index 493484b7..cb13f1d6 100644 --- a/templates/service/snmp/trap-target/node.def +++ b/templates/service/snmp/trap-target/node.def @@ -1,3 +1,3 @@ tag: -type: ipv4 +type: ipv4,ipv6 help: Set IP address of trap target -- cgit v1.2.3 From 7d02fa70ca8207ebd6111827691735cd9d980c30 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Wed, 12 May 2010 13:36:16 -0700 Subject: Show progress bar when copying filesystem Better to show real progress than simple spinning wheel. --- scripts/install-system | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/scripts/install-system b/scripts/install-system index 06deb0a3..4f92ca37 100755 --- a/scripts/install-system +++ b/scripts/install-system 
@@ -890,6 +890,23 @@ create_partitions() { fi } +# Copy directory with pretty progress bar +copy_filesystem() { + cp -r -v --preserve=all "$@" | awk '{ + ++files + if ((files % 10) == 0) { + percent = files / total_files * 100 + printf "%3d%% [", percent + for (i=0;i" + for (;i<100;i+=2) + printf " " + printf "]\r" + } + }' total_files=$(find "$@" | wc -l) +} + # Install the root filesystem # $1 is the partition to install on install_root_filesystem () { @@ -914,8 +931,7 @@ install_root_filesystem () { fi if [ -z $UNION ]; then - echo -n "Copying system image files to /dev/$ROOT_PARTITION: " - progress_indicator start + echo "Copying system files to /dev/$ROOT_PARTITION: " # Mount the squashfs for copying output=$(mkdir -p /mnt/squashfs) if [ -f /live/image/live/filesystem.squashfs ]; then @@ -936,12 +952,13 @@ install_root_filesystem () { exit 1 fi - output=$(cp --preserve=all -R /mnt/squashfs/* $rootfsdir/) + echo "Copying /mnt/squashfs/* to $rootfsddir" >>$INSTALL_LOG + copy_filesystem /mnt/squashfs/* $rootfsdir 2>>$INSTALL_LOG status=$? - + echo + if [ "$status" != 0 ]; then echo -e "Error trying to copy the rootfs.\nPlease see install log for more details.\nExiting..." - echo -e "Error trying to copy the rootfs.\ncp -pR /mnt/squashfs/* $rootfsdir/\n$output" >> $INSTALL_LOG exit 1 fi -- cgit v1.2.3 From 018d5920edca7c54e80f70d1e3883cbe075991e5 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Wed, 12 May 2010 14:34:54 -0700 Subject: 0.17.40 --- debian/changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/changelog b/debian/changelog index 67a5bc06..6ba7f2f4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +vyatta-cfg-system (0.17.40) unstable; urgency=low + + * Snmp Ipv6 support + * Show progress bar when copying filesystem + + -- Stephen Hemminger Wed, 12 May 2010 14:34:54 -0700 + vyatta-cfg-system (0.17.39) unstable; urgency=low * Preserve file capablities and attributes during install-system -- cgit v1.2.3 
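Review bot: In copy_filesystem the cp output is piped into awk, so the function's exit status — and therefore `status=$?` in the third hunk — is awk's, not cp's, and a copy failure will no longer reach the "Error trying to copy the rootfs" branch (the command substitution it replaces did surface it). Finish the function with `return "${PIPESTATUS[0]}"` (assuming bash, which the script's `echo -e` suggests) or run that call under `set -o pipefail`. The third hunk also logs `$rootfsddir` — a misspelling of `$rootfsdir` that expands to nothing in INSTALL_LOG — and drops the line that wrote cp's own error text to the log, so a failure is now recorded only through the `2>>$INSTALL_LOG` redirection. The awk `for` loops appear truncated in this rendering, so the bar drawing itself could not be checked.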
From 8f2edd81ecdbfa74beff7f54deac1d83dab82416 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Wed, 12 May 2010 17:50:14 -0700 Subject: Revert "Snmp Ipv6 support" This reverts commit 5aafb72b269d409500258f0b65f3e635d99712b7. --- templates/service/snmp/community/node.tag/client/node.def | 2 +- templates/service/snmp/community/node.tag/network/node.def | 2 +- templates/service/snmp/trap-source/node.def | 2 +- templates/service/snmp/trap-target/node.def | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/service/snmp/community/node.tag/client/node.def b/templates/service/snmp/community/node.tag/client/node.def index 427a9939..828faa97 100644 --- a/templates/service/snmp/community/node.tag/client/node.def +++ b/templates/service/snmp/community/node.tag/client/node.def @@ -1,3 +1,3 @@ multi: -type: ipv4,ipv6 +type: ipv4 help: Set IP address of SNMP client allowed to contact system diff --git a/templates/service/snmp/community/node.tag/network/node.def b/templates/service/snmp/community/node.tag/network/node.def index 4b80a51b..00a77d4b 100644 --- a/templates/service/snmp/community/node.tag/network/node.def +++ b/templates/service/snmp/community/node.tag/network/node.def @@ -1,4 +1,4 @@ multi: -type: ipv4net,ipv6net +type: ipv4net help: Set subnet of SNMP client(s) allowed to contact system syntax:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --check-prefix-boundry $VAR(@)" diff --git a/templates/service/snmp/trap-source/node.def b/templates/service/snmp/trap-source/node.def index 61a8cd6a..d8add72c 100644 --- a/templates/service/snmp/trap-source/node.def +++ b/templates/service/snmp/trap-source/node.def @@ -1,2 +1,2 @@ -type: ipv4,ipv6 +type: ipv4 help: Set SNMP trap source address diff --git a/templates/service/snmp/trap-target/node.def b/templates/service/snmp/trap-target/node.def index cb13f1d6..493484b7 100644 --- a/templates/service/snmp/trap-target/node.def +++ b/templates/service/snmp/trap-target/node.def 
@@ -1,3 +1,3 @@ tag: -type: ipv4,ipv6 +type: ipv4 help: Set IP address of trap target -- cgit v1.2.3 From ab587ce0c92b5aeeb26eb678946a7e1faa6f9db1 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Wed, 12 May 2010 18:38:48 -0700 Subject: Better version of SNMP IPv6 support Need to use different syntax for community values on IPv6 versus IPv4 --- scripts/snmp/vyatta-snmp.pl | 64 ++++++++++------------ templates/service/snmp/community6/node.def | 5 ++ .../community6/node.tag/authorization/node.def | 7 +++ .../snmp/community6/node.tag/client/node.def | 3 + .../snmp/community6/node.tag/network/node.def | 4 ++ templates/service/snmp/node.def | 3 +- templates/service/snmp/trap-source/node.def | 2 +- templates/service/snmp/trap-target/node.def | 4 +- 8 files changed, 54 insertions(+), 38 deletions(-) create mode 100644 templates/service/snmp/community6/node.def create mode 100644 templates/service/snmp/community6/node.tag/authorization/node.def create mode 100644 templates/service/snmp/community6/node.tag/client/node.def create mode 100644 templates/service/snmp/community6/node.tag/network/node.def diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl index 3adb37b7..e3aa3fc1 100644 --- a/scripts/snmp/vyatta-snmp.pl +++ b/scripts/snmp/vyatta-snmp.pl @@ -93,6 +93,8 @@ sub snmp_get_constants { print "sysDescr Vyatta $version\n"; print "sysObjectID 1.3.6.1.4.1.30803\n"; print "sysServices 14\n"; + print "agentaddress unix:/var/run/snmpd.socket,udp:161,udp6:161\n"; + print "smuxpeer .1.3.6.1.4.1.3317.1.2.2\n"; # ospfd print "smuxpeer .1.3.6.1.4.1.3317.1.2.5\n"; # bgpd print "smuxpeer .1.3.6.1.4.1.3317.1.2.3\n"; # ripd 
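Review bot: The listen list in the new `agentaddress unix:/var/run/snmpd.socket,udp:161,udp6:161` line exposes snmpd on every IPv4 and IPv6 address plus a local socket, which the commit message does not mention and nothing in the file records; a trailing comment such as `# listen on all v4/v6 addresses; access is limited only by the community ACLs` would capture the intent for the next reader. If the configuration tree has a listen-address or similar node, deriving the list from it would be preferable to a fixed string, but that cannot be seen from this hunk. snmp_get_constants starts before this hunk.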
@@ -106,44 +108,38 @@ sub randhex { return join "", map { unpack "H*", chr(rand(256)) } 1..($length/2); } +# output snmpd.conf file syntax for community +sub print_community { + my ($config, $community, $type) = @_; + $config->setLevel("service snmp $type $community"); + + my $auth = $config->returnValue('authorization'); + $auth = 'ro' unless $auth; + $auth .= $type; # rocommunity + + my @address = $config->returnValues('client'); + push @address, $config->returnValues('network'); + + if (@address) { + foreach my $addr (@address) { + print "$auth $community $addr\n"; + } + } else { + print "$auth $community\n"; + } +} + sub snmp_get_values { my $config = new Vyatta::Config; - $config->setLevel("service snmp community"); - my @communities = $config->listNodes(); - + my @communities = $config->listNodes("service snmp community"); + foreach my $community (@communities) { + print_community($config, $community, 'community'); + } + + @communities = $config->listNodes("service snmp community6"); foreach my $community (@communities) { - my $authorization = $config->returnValue("$community authorization"); - my @clients = $config->returnValues("$community client"); - my @networks = $config->returnValues("$community network"); - - if (scalar(@clients) == 0 and scalar(@networks) == 0){ - if (defined $authorization and $authorization eq "rw") { - print "rwcommunity $community\n"; - } else { - print "rocommunity $community\n"; - } - } else { - if (scalar(@clients) != 0) { - foreach my $client (@clients){ - if (defined $authorization and $authorization eq "rw") { - print "rwcommunity $community $client\n"; - } else { - print "rocommunity $community $client\n"; - } - } - } - if (scalar(@networks) != 0){ - foreach my $network (@networks){ - if (defined $authorization and $authorization eq "rw") { - print "rwcommunity $community $network\n"; - } else { - print "rocommunity $community $network\n"; - } - - } - } - } + print_community($config, $community, 'community6'); } 
$config->setLevel($snmp_level); diff --git a/templates/service/snmp/community6/node.def b/templates/service/snmp/community6/node.def new file mode 100644 index 00000000..32eb4800 --- /dev/null +++ b/templates/service/snmp/community6/node.def @@ -0,0 +1,5 @@ +tag: +type: txt +help: Set community name [REQUIRED] +syntax:expression: pattern $VAR(@) "^[^%]+$" ; \ + "Community string may not contain %" diff --git a/templates/service/snmp/community6/node.tag/authorization/node.def b/templates/service/snmp/community6/node.tag/authorization/node.def new file mode 100644 index 00000000..c8918d43 --- /dev/null +++ b/templates/service/snmp/community6/node.tag/authorization/node.def @@ -0,0 +1,7 @@ +type: txt +default: "ro" +help: Set authorization type (rw or ro) (default: ro) +syntax:expression: $VAR(@) in "ro", "rw"; "Authorization type must be either rw or ro" + + + diff --git a/templates/service/snmp/community6/node.tag/client/node.def b/templates/service/snmp/community6/node.tag/client/node.def new file mode 100644 index 00000000..fddbcb91 --- /dev/null +++ b/templates/service/snmp/community6/node.tag/client/node.def @@ -0,0 +1,3 @@ +multi: +type: ipv6 +help: Set IPv6 address of SNMP client allowed to contact system diff --git a/templates/service/snmp/community6/node.tag/network/node.def b/templates/service/snmp/community6/node.tag/network/node.def new file mode 100644 index 00000000..266a1bce --- /dev/null +++ b/templates/service/snmp/community6/node.tag/network/node.def @@ -0,0 +1,4 @@ +multi: +type: ipv6net +help: Set subnet of SNMP client(s) allowed to contact system +syntax:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --check-prefix-boundry $VAR(@)" diff --git a/templates/service/snmp/node.def b/templates/service/snmp/node.def index 13b39fa7..2952eb34 100644 --- a/templates/service/snmp/node.def +++ b/templates/service/snmp/node.def 
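Review bot: `print_community` writes `$community` and each `$addr` into snmpd.conf separated only by spaces, and the `community6/node.def` template added in this commit rejects just `%`, so a community string containing whitespace would be read by snmpd as a shorter community followed by a source restriction; tighten the template pattern to exclude whitespace as well, or fail in the script with `die "$community: community must not contain whitespace\n" if $community =~ /\s/;`. The same applies to the existing `community` template, which is not in this diff. `$auth .= $type;` relies on the config node name doubling as the snmpd.conf keyword suffix, which deserves a comment: `# node name is also the snmpd keyword suffix: rocommunity / rwcommunity6`.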
@@ -1,6 +1,7 @@ priority: 980 help: Configure Simple Network Management Protocol (SNMP) -commit:expression: $VAR(community/) != ""; "must configure a community" +commit:expression: $VAR(community/) != "" || $VAR(community6/) != "" \ + ; "must configure a community or community6" delete: touch /tmp/snmp.$PPID end:if [ -f "/tmp/snmp.$PPID" ] diff --git a/templates/service/snmp/trap-source/node.def b/templates/service/snmp/trap-source/node.def index d8add72c..61a8cd6a 100644 --- a/templates/service/snmp/trap-source/node.def +++ b/templates/service/snmp/trap-source/node.def @@ -1,2 +1,2 @@ -type: ipv4 +type: ipv4,ipv6 help: Set SNMP trap source address diff --git a/templates/service/snmp/trap-target/node.def b/templates/service/snmp/trap-target/node.def index 493484b7..561bc1ac 100644 --- a/templates/service/snmp/trap-target/node.def +++ b/templates/service/snmp/trap-target/node.def @@ -1,3 +1,3 @@ tag: -type: ipv4 -help: Set IP address of trap target +type: ipv4,ipv6 +help: Set address of trap target -- cgit v1.2.3 From 496c5f68ebdeb33ca75fac65f0c6f0ae29b781bb Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Wed, 12 May 2010 20:02:10 -0700 Subject: Allow configuring/restricting SNMP listen address Add: service snmp listen-address AAAA [port NNN] --- scripts/snmp/vyatta-snmp.pl | 50 ++++++++++++++++++++-- templates/service/snmp/listen-address/node.def | 3 ++ .../snmp/listen-address/node.tag/port/node.def | 3 ++ 3 files changed, 53 insertions(+), 3 deletions(-) create mode 100644 templates/service/snmp/listen-address/node.def create mode 100644 templates/service/snmp/listen-address/node.tag/port/node.def diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl index e3aa3fc1..f80a68fd 100644 --- a/scripts/snmp/vyatta-snmp.pl +++ b/scripts/snmp/vyatta-snmp.pl @@ -26,6 +26,7 @@ use lib "/opt/vyatta/share/perl5/"; use Vyatta::Config; use Vyatta::Misc; +use NetAddr::IP; use Getopt::Long; use File::Copy; 
@@ -40,6 +41,7 @@ my $snmp_tmp = "/tmp/snmpd.conf.$$";
 my $snmp_snmpv3_user_conf = '/usr/share/snmp/snmpd.conf';
 my $snmp_snmpv3_createuser_conf = '/var/lib/snmp/snmpd.conf';
 my $versionfile = '/opt/vyatta/etc/version';
+my $local_agent = 'unix:/var/run/snmpd.socket';
 my $snmp_level = 'service snmp';
@@ -60,7 +62,7 @@ sub snmp_start {
 snmp_get_values();
 close $fh;
 select STDOUT;
-
+
 snmp_client_config();
 move($snmp_tmp, $snmp_conf)
@@ -85,15 +87,57 @@ sub get_version {
 return $version;
 }
+# convert address to snmpd transport syntac
+sub transport_syntax {
+ my ($addr, $port) = @_;
+ my $ip = new NetAddr::IP $addr;
+
+ return "udp:$addr:$port" if ($ip->version == 4);
+ return "udp6:[$addr]:$port" if ($ip->version == 6);
+ die "$addr: unknown protocol address";
+}
+
+sub ipv6_disabled {
+ my $config = new Vyatta::Config;
+ return $config->exists("system ipv6 disable");
+}
+
+# Find SNMP agent listening addresses
+sub get_listen_address {
+ my $config = new Vyatta::Config;
+ my @listen;
+
+ $config->setLevel('service snmp listen-address');
+ my @address = $config->listNodes();
+
+ if(@address) {
+ foreach my $addr (@address) {
+ my $port = $config->returnValue("$addr port");
+ push @listen, transport_syntax($addr, $port);
+ }
+ } else {
+ # default if no address specified
+ @listen = ( 'udp:' );
+ push @listen, 'udp6:' unless ipv6_disabled();
+ return @listen;
+ }
+
+ return @listen;
+}
+
 sub snmp_get_constants {
 my $version = get_version();
 my $now = localtime;
+ my @addr = get_listen_address();
+
+ # add local unix domain target for use by operational commands
+ unshift @addr, $local_agent;
 print "# autogenerated by vyatta-snmp.pl on $now\n";
 print "sysDescr Vyatta $version\n";
 print "sysObjectID 1.3.6.1.4.1.30803\n";
 print "sysServices 14\n";
- print "agentaddress unix:/var/run/snmpd.socket,udp:161,udp6:161\n";
+ print "agentaddress ", join(',',@addr), "\n";
 print "smuxpeer .1.3.6.1.4.1.3317.1.2.2\n"; # ospfd
 print "smuxpeer .1.3.6.1.4.1.3317.1.2.5\n"; # bgpd
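Review bot: `transport_syntax` calls `$ip->version` without checking that `new NetAddr::IP $addr` returned an object, so an unparsable value dies with Perl's "Can't call method" text instead of naming the offending address; add `die "$addr: not a valid IP address" unless $ip;` right after the constructor. In `get_listen_address` the `else` branch returns from inside the conditional while the `if` branch falls through to the trailing `return @listen;`, so the inner return is redundant and can be dropped. The default transports `'udp:'` and `'udp6:'` carry no port, which may not be what snmpd accepts as a listen specification — the 161 that `port/node.def` defaults to is presumably what is meant. `snmp_get_constants` continues past the end of the hunk.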
@@ -119,7 +163,7 @@ sub print_community { my @address = $config->returnValues('client'); push @address, $config->returnValues('network'); - + if (@address) { foreach my $addr (@address) { print "$auth $community $addr\n"; diff --git a/templates/service/snmp/listen-address/node.def b/templates/service/snmp/listen-address/node.def new file mode 100644 index 00000000..f234edc8 --- /dev/null +++ b/templates/service/snmp/listen-address/node.def @@ -0,0 +1,3 @@ +tag: +type: ipv4,ipv6 +help: Set IP address to listen for incoming SNMP requests diff --git a/templates/service/snmp/listen-address/node.tag/port/node.def b/templates/service/snmp/listen-address/node.tag/port/node.def new file mode 100644 index 00000000..5a21b1d8 --- /dev/null +++ b/templates/service/snmp/listen-address/node.tag/port/node.def @@ -0,0 +1,3 @@ +type: u32 +default: 161 +help: Set port for SNMP service -- cgit v1.2.3 From 6ca482900c0be69068968fc033ad27fd0ab24c18 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Wed, 12 May 2010 21:02:35 -0700 Subject: 0.17.41 --- debian/changelog | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/debian/changelog b/debian/changelog index 6ba7f2f4..2b7a853b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +vyatta-cfg-system (0.17.41) unstable; urgency=low + + * Revert "Snmp Ipv6 support" + * Better version of SNMP IPv6 support + * Allow configuring/restricting SNMP listen address + + -- Stephen Hemminger Wed, 12 May 2010 21:02:35 -0700 + vyatta-cfg-system (0.17.40) unstable; urgency=low * Snmp Ipv6 support -- cgit v1.2.3 From ebc6b3916c76ff66f46f708d15194cb28829d066 Mon Sep 17 00:00:00 2001 
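Review bot: `listen-address/node.tag/port/node.def` declares `type: u32` with a default but no `syntax:expression`, so the configuration system accepts any 32-bit value and an out-of-range port only surfaces later when snmpd rejects the generated `agentaddress`; add `syntax:expression: $VAR(@) >= 1 && $VAR(@) <= 65535; "Port must be between 1 and 65535"`. The help text of `listen-address/node.def` could also say that configuring one or more addresses replaces the all-interfaces default rather than adding to it, which is how `get_listen_address` treats the list.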
From: Stephen Hemminger Date: Fri, 14 May 2010 10:39:13 -0700 Subject: Change SNMP community handling Allow combination of IPv4 and IPv6 address in community setting. Use script to generate necessary community values in snmpd.conf
--- scripts/snmp/vyatta-snmp.pl | 55 ++++++++++++---------- .../snmp/community/node.tag/client/node.def | 2 +- .../snmp/community/node.tag/network/node.def | 2 +- templates/service/snmp/community6/node.def | 5 -- .../community6/node.tag/authorization/node.def | 7 --- .../snmp/community6/node.tag/client/node.def | 3 -- .../snmp/community6/node.tag/network/node.def | 4 -- 7 files changed, 33 insertions(+), 45 deletions(-) delete mode 100644 templates/service/snmp/community6/node.def delete mode 100644 templates/service/snmp/community6/node.tag/authorization/node.def delete mode 100644 templates/service/snmp/community6/node.tag/client/node.def delete mode 100644 templates/service/snmp/community6/node.tag/network/node.def
diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl
index f80a68fd..1c86321b 100644
--- a/scripts/snmp/vyatta-snmp.pl
+++ b/scripts/snmp/vyatta-snmp.pl
@@ -87,14 +87,16 @@ sub get_version {
 return $version;
 }
-# convert address to snmpd transport syntac
+# convert address to snmpd transport syntax
 sub transport_syntax {
 my ($addr, $port) = @_;
 my $ip = new NetAddr::IP $addr;
+ die "$addr: not a valid IP address" unless $ip;
- return "udp:$addr:$port" if ($ip->version == 4);
- return "udp6:[$addr]:$port" if ($ip->version == 6);
- die "$addr: unknown protocol address";
+ my $version = $ip->version();
+ return "udp:$addr:$port" if ($version == 4);
+ return "udp6:[$addr]:$port" if ($version == 6);
+ die "$addr: unknown IP version $version";
 }
 sub ipv6_disabled {
@@ -154,22 +156,31 @@ sub randhex {
 # output snmpd.conf file syntax for community
 sub print_community {
- my ($config, $community, $type) = @_;
- $config->setLevel("service snmp $type $community");
-
- my $auth = $config->returnValue('authorization');
- $auth = 'ro' unless $auth;
- $auth .= $type; # rocommunity
-
- my @address = $config->returnValues('client');
- push @address, $config->returnValues('network');
+ my ($config, $community) = @_;
+ my $ro = $config->returnValue('authorization');
+ $ro = 'ro' unless $ro;
+
+ my @clients = $config->returnValues('client');
+ my @networks = $config->returnValues('network');
+
+ my @restriction = (@clients, @networks);
+ if (!@restriction) {
+ print $ro . "community $community\n";
+ print $ro . "community6 $community\n" unless ipv6_disabled();
+ return;
+ }
- if (@address) {
- foreach my $addr (@address) {
- print "$auth $community $addr\n";
+ foreach my $addr (@restriction) {
+ my $ip = new NetAddr::IP $addr;
+ die "$addr: Not a valid IP address" unless $ip;
+
+ if ($ip->version() == 4) {
+ print $ro . "community $community $addr\n";
+ } elsif ($ip->version() == 6) {
+ print $ro . "community6 $community $addr\n";
+ } else {
+ die "$addr: bad IP version ", $ip->version();
 }
- } else {
- print "$auth $community\n";
 }
 }
@@ -178,12 +189,8 @@ sub snmp_get_values {
 my @communities = $config->listNodes("service snmp community");
 foreach my $community (@communities) {
- print_community($config, $community, 'community');
- }
-
- @communities = $config->listNodes("service snmp community6");
- foreach my $community (@communities) {
- print_community($config, $community, 'community6');
+ $config->setLevel("service snmp community $community");
+ print_community($config, $community);
 }
 $config->setLevel($snmp_level);
diff --git a/templates/service/snmp/community/node.tag/client/node.def b/templates/service/snmp/community/node.tag/client/node.def
index 828faa97..427a9939 100644
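Review bot: `print_community` now reads `authorization`, `client` and `network` relative to whatever level the caller last set, because the `setLevel` call moved into `snmp_get_values` in the second hunk, so a future caller that forgets it gets an unrestricted `ro` community with no error; either move `$config->setLevel("service snmp community $community");` back in as the first statement of `print_community`, or state the precondition with `# caller must have done $config->setLevel("service snmp community $community")`. The `if (!@restriction)` branch also changes reachability: a community with no client/network restriction now gets a `community6` line too, so an unrestricted `rw` community becomes writable from any IPv6 peer as well as any IPv4 one — consistent with the commit message, but worth a comment on that branch. `$ip->version()` is evaluated up to three times per address; a single `my $v = $ip->version();` would simplify the chain.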
--- a/templates/service/snmp/community/node.tag/client/node.def +++ b/templates/service/snmp/community/node.tag/client/node.def @@ -1,3 +1,3 @@ multi: -type: ipv4 +type: ipv4,ipv6 help: Set IP address of SNMP client allowed to contact system diff --git a/templates/service/snmp/community/node.tag/network/node.def b/templates/service/snmp/community/node.tag/network/node.def index 00a77d4b..4b80a51b 100644 --- a/templates/service/snmp/community/node.tag/network/node.def +++ b/templates/service/snmp/community/node.tag/network/node.def @@ -1,4 +1,4 @@ multi: -type: ipv4net +type: ipv4net,ipv6net help: Set subnet of SNMP client(s) allowed to contact system syntax:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --check-prefix-boundry $VAR(@)" diff --git a/templates/service/snmp/community6/node.def b/templates/service/snmp/community6/node.def deleted file mode 100644 index 32eb4800..00000000 --- a/templates/service/snmp/community6/node.def +++ /dev/null @@ -1,5 +0,0 @@ -tag: -type: txt -help: Set community name [REQUIRED] -syntax:expression: pattern $VAR(@) "^[^%]+$" ; \ - "Community string may not contain %" diff --git a/templates/service/snmp/community6/node.tag/authorization/node.def b/templates/service/snmp/community6/node.tag/authorization/node.def deleted file mode 100644 index c8918d43..00000000 --- a/templates/service/snmp/community6/node.tag/authorization/node.def +++ /dev/null @@ -1,7 +0,0 @@ -type: txt -default: "ro" -help: Set authorization type (rw or ro) (default: ro) -syntax:expression: $VAR(@) in "ro", "rw"; "Authorization type must be either rw or ro" - - - diff --git a/templates/service/snmp/community6/node.tag/client/node.def b/templates/service/snmp/community6/node.tag/client/node.def deleted file mode 100644 index fddbcb91..00000000 --- a/templates/service/snmp/community6/node.tag/client/node.def +++ /dev/null @@ -1,3 +0,0 @@ -multi: -type: ipv6 -help: Set IPv6 address of SNMP client allowed to contact system 
diff --git a/templates/service/snmp/community6/node.tag/network/node.def b/templates/service/snmp/community6/node.tag/network/node.def deleted file mode 100644 index 266a1bce..00000000 --- a/templates/service/snmp/community6/node.tag/network/node.def +++ /dev/null @@ -1,4 +0,0 @@ -multi: -type: ipv6net -help: Set subnet of SNMP client(s) allowed to contact system -syntax:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --check-prefix-boundry $VAR(@)" -- cgit v1.2.3 From 6a88206597a871be376554c010730218bb71dcf9 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Fri, 14 May 2010 10:54:29 -0700 Subject: Fix syntax of default listen address Despite documentation, udp6: is not a valid listen address, need to use udp6:161 --- scripts/snmp/vyatta-snmp.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl index 1c86321b..a3be64ad 100644 --- a/scripts/snmp/vyatta-snmp.pl +++ b/scripts/snmp/vyatta-snmp.pl @@ -119,8 +119,8 @@ sub get_listen_address { } } else { # default if no address specified - @listen = ( 'udp:' ); - push @listen, 'udp6:' unless ipv6_disabled(); + @listen = ( 'udp:161' ); + push @listen, 'udp6:161' unless ipv6_disabled(); return @listen; } -- cgit v1.2.3 From 078bc252414a5fdf87d4259b091554d45278a119 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Fri, 14 May 2010 11:01:48 -0700 Subject: 0.17.42 --- debian/changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/changelog b/debian/changelog index 2b7a853b..def74523 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +vyatta-cfg-system (0.17.42) unstable; urgency=low + + * Change SNMP community handling + * Fix syntax of default listen address + + -- Stephen Hemminger Fri, 14 May 2010 11:01:48 -0700 + vyatta-cfg-system (0.17.41) unstable; urgency=low * Revert "Snmp Ipv6 support" -- cgit v1.2.3 From 79230bfaff3c687ef7d2ec729cd7b710b459b5b2 Mon Sep 17 00:00:00 2001 
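Review bot: The default port is now the literal `161` in two strings here while `listen-address/node.tag/port/node.def` carries `default: 161` separately, so the three copies can drift apart without any warning; hoist it to `my $snmp_port = 161;` next to `$local_agent` and build the defaults as `"udp:$snmp_port"` / `"udp6:$snmp_port"`. `get_listen_address` begins and ends outside the hunk.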
From: Stig Thormodsrud Date: Wed, 19 May 2010 20:15:48 -0700 Subject: Add enable-proxy-arp to vif interface. --- .../ethernet/node.tag/vif/node.tag/ip/enable-proxy-arp/node.def | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 templates/interfaces/ethernet/node.tag/vif/node.tag/ip/enable-proxy-arp/node.def diff --git a/templates/interfaces/ethernet/node.tag/vif/node.tag/ip/enable-proxy-arp/node.def b/templates/interfaces/ethernet/node.tag/vif/node.tag/ip/enable-proxy-arp/node.def new file mode 100644 index 00000000..a45d4129 --- /dev/null +++ b/templates/interfaces/ethernet/node.tag/vif/node.tag/ip/enable-proxy-arp/node.def @@ -0,0 +1,3 @@ +help: Set to enable proxy-arp on this interface +create:expression: "sudo sh -c \"echo 1 > /proc/sys/net/ipv4/conf/$VAR(../../../@).$VAR(../../@)/proxy_arp\" " +delete:expression: "sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/$VAR(../../../@).$VAR(../../@)/proxy_arp\" " -- cgit v1.2.3 From e2ee7a12ac0fbb4003a6fcd84cb1918842df5178 Mon Sep 17 00:00:00 2001 From: Stig Thormodsrud Date: Wed, 19 May 2010 20:16:12 -0700 Subject: 0.17.43 --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index def74523..4d02a613 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +vyatta-cfg-system (0.17.43) unstable; urgency=low + + * Add enable-proxy-arp to vif interface. + + -- Stig Thormodsrud Wed, 19 May 2010 20:16:12 -0700 + vyatta-cfg-system (0.17.42) unstable; urgency=low * Change SNMP community handling -- cgit v1.2.3 From c939f107d8ee7af00234a51fb4688ad06a2e2eac Mon Sep 17 00:00:00 2001 From: Mohit Mehta Date: Thu, 20 May 2010 19:26:33 -0700 Subject: don't start conntrackd itself --- debian/vyatta-cfg-system.postinst.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index b2719bc5..fbf53739 100644 --- a/debian/vyatta-cfg-system.postinst.in 
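Review bot: The `create:` and `delete:` expressions expand `$VAR(../../../@)` and `$VAR(../../@)` inside a `sudo sh -c` string, so the interface and VLAN values are re-parsed by a root shell; they are presumably constrained by the parent ethernet and vif templates, but that reliance deserves a line in the file: `# interface and vif names are validated by the parent nodes; they are shell-expanded here`. The `delete:` write also assumes `/proc/sys/net/ipv4/conf/<if>.<vif>/proxy_arp` still exists, which may not hold when the vif itself is removed in the same commit; a `-e` test on the proc entry before the echo would keep the delete from failing on an interface that is already gone.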
+++ b/debian/vyatta-cfg-system.postinst.in @@ -8,7 +8,7 @@ sbindir=@sbindir@ # remove init of daemons that are controlled by Vyatta configuration process for init in ntp ssh snmpd openhpid \ - vyatta-keepalived ipvsadm dnsmasq ddclient radvd hostapd + vyatta-keepalived ipvsadm dnsmasq ddclient radvd hostapd conntrackd do update-rc.d -f ${init} remove >/dev/null done -- cgit v1.2.3 From a056148b106c7c5e175833b3ef2525034107261a Mon Sep 17 00:00:00 2001 From: Mohit Mehta Date: Thu, 20 May 2010 19:29:10 -0700 Subject: 0.17.44 --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index 4d02a613..07fa2448 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +vyatta-cfg-system (0.17.44) unstable; urgency=low + + * don't start conntrackd itself + + -- Mohit Mehta Thu, 20 May 2010 19:29:10 -0700 + vyatta-cfg-system (0.17.43) unstable; urgency=low * Add enable-proxy-arp to vif interface. -- cgit v1.2.3 From f37b24ae59372da6361b4acf9755270061bdc857 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Mon, 24 May 2010 10:10:35 -0700 Subject: Don't enable PAM Radius by default The pam-config mechanism will insert Radius pam module if it is in /usr/share/pam-configs. Therefore hold off installing file until Radius really needed. --- debian/vyatta-cfg-system.postinst.in | 3 --- lib/Vyatta/Login/RadiusServer.pm | 29 ++++++++++++++++++++--------- scripts/rl-system.init | 4 +++- 3 files changed, 23 insertions(+), 13 deletions(-) diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index fbf53739..4265d14b 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -132,9 +132,6 @@ EOF fi done - # Install pamradius config (should come with radius client eventually) - cp $sysconfdir/pam_radius.cfg /usr/share/pam-configs/radius - cp $sysconfdir/vyatta-sysctl.conf /etc/sysctl.d/30-vyatta-router.conf fi 
diff --git a/lib/Vyatta/Login/RadiusServer.pm b/lib/Vyatta/Login/RadiusServer.pm
index d60f2baa..0de9bd28 100644
--- a/lib/Vyatta/Login/RadiusServer.pm
+++ b/lib/Vyatta/Login/RadiusServer.pm
@@ -20,18 +20,30 @@ use warnings;
 use lib "/opt/vyatta/share/perl5";
 use Vyatta::Config;
 use File::Compare;
+use File::Copy;
 my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf';
 my $PAM_RAD_TMP = "/tmp/pam_radius_auth.$$";
+my $PAM_RAD_AUTH = "/usr/share/pam-configs/radius";
+my $PAM_RAD_SYSCONF = "/opt/vyatta/etc/pam_radius.cfg";
+
 sub remove_pam_radius {
- return system("sudo DEBIAN_FRONTEND=noninteractive"
- . " pam-auth-update --remove radius") == 0;
+ system("DEBIAN_FRONTEND=noninteractive " .
+ " pam-auth-update --package --remove radius") == 0
+ or die "pam-auth-update remove failed";
+
+ unlink($PAM_RAD_AUTH)
+ or die "Can't remove $PAM_RAD_AUTH";
 }
 sub add_pam_radius {
- return system("sudo DEBIAN_FRONTEND=noninteractive"
- . " pam-auth-update radius") == 0;
+ copy($PAM_RAD_SYSCONF,$PAM_RAD_AUTH)
+ or die "Can't copy $PAM_RAD_SYSCONF to $PAM_RAD_AUTH";
+
+ system("DEBIAN_FRONTEND=noninteractive " .
+ "pam-auth-update --package radius") == 0
+ or die "pam-auth-update add failed"
 }
 sub update {
@@ -58,16 +70,15 @@ sub update {
 close($cfg);
 if ( compare( $PAM_RAD_CFG, $PAM_RAD_TMP ) != 0 ) {
- system("sudo cp $PAM_RAD_TMP $PAM_RAD_CFG") == 0
+ copy ($PAM_RAD_TMP, $PAM_RAD_CFG)
 or die "Copy of $PAM_RAD_TMP to $PAM_RAD_CFG failed";
 }
 unlink($PAM_RAD_TMP);
 if ( $count > 0 ) {
- exit 1 unless add_pam_radius();
- }
- else {
- exit 1 unless remove_pam_radius();
+ add_pam_radius();
+ } else {
+ remove_pam_radius();
 }
 }
diff --git a/scripts/rl-system.init b/scripts/rl-system.init
index e7eaed14..ca51166a 100755
--- a/scripts/rl-system.init
+++ b/scripts/rl-system.init
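Review bot: `unlink($PAM_RAD_AUTH) or die` in `remove_pam_radius` fails whenever `/usr/share/pam-configs/radius` is absent, and since this same commit stops the postinst from installing that file, absent is now the normal state on a router that never had RADIUS configured; `update` calls `remove_pam_radius` on every commit with `$count == 0`, so such a system dies here. Guard it: `if (-e $PAM_RAD_AUTH) { unlink($PAM_RAD_AUTH) or die "Can't remove $PAM_RAD_AUTH: $!"; }`. In `update`, `copy($PAM_RAD_TMP, $PAM_RAD_CFG)` replaces the `sudo cp`; pam_radius_auth.conf presumably holds the shared secrets, and File::Copy creates a missing destination with umask-derived permissions, so follow the copy with `chmod 0600, $PAM_RAD_CFG or die "chmod $PAM_RAD_CFG: $!";` (confirm the mode the PAM module expects). The final statement of `add_pam_radius` lacks its semicolon after `or die "pam-auth-update add failed"`, which compiles only because nothing follows it in the block. The body of `update` begins outside the hunk.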
@@ -173,7 +173,9 @@ security_reset () { # restore PAM back to virgin state (no radius other services) rm -f /etc/pam_radius_auth.conf if grep -q radius /etc/pam.d/common-auth - then pam-auth-update --remove radius + then + pam-auth-update --package --remove radius + rm /usr/share/pam-configs/radius fi # Disable root login with ssh -- cgit v1.2.3 From fcc3a7c4d5465022a9f7092fc5d335a44e4211e4 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Mon, 24 May 2010 10:46:08 -0700 Subject: 0.17.45 --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index 07fa2448..bdf5d5cc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +vyatta-cfg-system (0.17.45) unstable; urgency=low + + * Don't enable PAM Radius by default + + -- Stephen Hemminger Mon, 24 May 2010 10:46:08 -0700 + vyatta-cfg-system (0.17.44) unstable; urgency=low * don't start conntrackd itself -- cgit v1.2.3 From 74105f39b3646c12c0dfed647c7fd9922cdd864e Mon Sep 17 00:00:00 2001 From: Bob Gilligan Date: Wed, 26 May 2010 16:11:36 -0700 Subject: Move DHCPv6 client configuration to this package and restructre parameters. --- Makefile.am | 1 + scripts/vyatta-dhcpv6-client.pl | 157 +++++++++++++++++++++ scripts/vyatta-interfaces.pl | 9 +- .../interfaces/ethernet/node.tag/address/node.def | 43 ++++-- .../ethernet/node.tag/dhcpv6-options/node.def | 49 +++++++ .../dhcpv6-options/parameters-only/node.def | 3 + .../node.tag/dhcpv6-options/temporary/node.def | 3 + 7 files changed, 256 insertions(+), 9 deletions(-) create mode 100644 scripts/vyatta-dhcpv6-client.pl create mode 100644 templates/interfaces/ethernet/node.tag/dhcpv6-options/node.def create mode 100644 templates/interfaces/ethernet/node.tag/dhcpv6-options/parameters-only/node.def create mode 100644 templates/interfaces/ethernet/node.tag/dhcpv6-options/temporary/node.def diff --git a/Makefile.am b/Makefile.am index ac8374a3..e4025c5b 100644 --- a/Makefile.am +++ b/Makefile.am 
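Review bot: `rm /usr/share/pam-configs/radius` runs without `-f`, and the surrounding guard only checks that `radius` appears in common-auth rather than that the file exists, so a partially cleaned system would print an error from `security_reset`; use `rm -f /usr/share/pam-configs/radius`. The body of `security_reset` starts outside the hunk.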
@@ -56,6 +56,7 @@ sbin_SCRIPTS += scripts/install/install-image-existing sbin_SCRIPTS += scripts/install/install-postinst-new sbin_SCRIPTS += scripts/install/install-image sbin_SCRIPTS += scripts/vyatta-bridgegroup-depedency.pl +sbin_SCRIPTS += scripts/vyatta-dhcpv6-client.pl share_perl5_DATA = lib/Vyatta/Login/User.pm share_perl5_DATA += lib/Vyatta/Login/RadiusServer.pm diff --git a/scripts/vyatta-dhcpv6-client.pl b/scripts/vyatta-dhcpv6-client.pl new file mode 100644 index 00000000..c1a0dbd3 --- /dev/null +++ b/scripts/vyatta-dhcpv6-client.pl 
@@ -0,0 +1,157 @@ +#!/usr/bin/perl +# +# Module: vyatta-dhcpv6-client.pl +# +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2005-2009 Vyatta, Inc. +# All Rights Reserved. +# +# Author: Bob Gilligan +# Date: April 2010 +# Description: Start and stop DHCPv6 client daemon for an interface. +# +# **** End License **** +# +# + +use strict; +use lib "/opt/vyatta/share/perl5/"; +use FileHandle; +use Vyatta::Config; +use Getopt::Long; + +my $start_flag; # Start the daemon +my $stop_flag; # Stop the daemon and delete all config files +my $release_flag; # Stop the daemon, but leave config file +my $renew_flag; # Re-start the daemon. Functionally same as start_flag +my $temp_flag; +my $params_only_flag; +my $ifname; + + +sub gen_conf_file { + my ($conffile, $ifname) = @_; + + my $FD_WR = new FileHandle; + + if (!open($FD_WR, ">$conffile")) { + printf("Can't write config file: $conffile\n"); + exit 1; + } + my $date = `date`; + my $user = `id -un`; + my $hostname = `hostname`; + chomp($date); + chomp($user); + chomp($hostname); + + print $FD_WR "# This file was auto-generated by the Vyatta\n"; + print $FD_WR "# configuration sub-system. 
Do not edit it.\n"; + print $FD_WR "\n"; + print $FD_WR "# Generated on $date by $user\n"; + print $FD_WR "#\n"; + print $FD_WR "interface \"$ifname\" {\n"; + print $FD_WR " send host-name \"$hostname\";\n"; + print $FD_WR " send dhcp6.oro 1, 2, 7, 12, 13, 23, 24, 39;\n"; + print $FD_WR "}\n"; +} + + +# +# Main Section +# + +GetOptions("start" => \$start_flag, + "stop" => \$stop_flag, + "release" => \$release_flag, + "renew" => \$renew_flag, + "temporary" => \$temp_flag, + "parameters-only" => \$params_only_flag, + "ifname=s" => \$ifname, + ); + +if ((defined $temp_flag) && (defined $params_only_flag)) { + printf("Error: --temporary and --parameters-only flags are mutually exclusive.\n"); + exit 1; +} + +if (!defined $ifname) { + printf("Error: Interface name must be specified with --ifname parameter.\n"); + exit 1; +} + +my $pidfile = "/var/lib/dhcp3/dhclient_v6_$ifname.pid"; +my $leasefile = "/var/lib/dhcp3/dhclient_v6_$ifname.leases"; +my $conffile = "/var/lib/dhcp3/dhclient_v6_$ifname.conf"; +my $cmdname = "/sbin/dhclient"; + +if (defined $release_flag) { + if (! -e $conffile) { + printf("DHCPv6 client is not configured on interface $ifname.\n"); + exit 1; + } + + if (! -e $pidfile) { + printf("DHCPv6 client is already released on interface $ifname.\n"); + exit 1; + } +} + +if (defined $renew_flag) { + if (! -e $conffile) { + printf("DHCPv6 client is not configured on interface $ifname.\n"); + exit 1; + } +} + +if (defined $stop_flag || defined $release_flag) { + # Stop dhclient -6 on $ifname + + printf("Stopping daemon...\n"); + my $output=`$cmdname -6 -nw -cf $conffile -pf $pidfile -lf $leasefile -r $ifname`; + printf($output); + + # Delete files it leaves behind... + printf("Deleting related files...\n"); + unlink($pidfile); + if (defined $stop_flag) { + # If just releasing, leave the config file around as a flag that + # DHCPv6 remains configured on this interface. 
+ unlink($conffile); + } +} + +if (defined $start_flag || defined $renew_flag) { + # Generate the DHCP client config file... + gen_conf_file($conffile, $ifname); + + # First, kill any previous instance of dhclient running on this interface + # + printf("Stopping old daemon...\n"); + my $output = `$cmdname -6 -pf $pidfile -x $ifname`; + printf($output); + + # start "dhclient -6" on $ifname + + my $args = ""; + if (defined $temp_flag) { + $args .= " -T"; + } + if (defined $params_only_flag) { + $args .= " -S"; + } + + printf("Starting new daemon...\n"); + my $output=`$cmdname -6 -nw -cf $conffile -pf $pidfile -lf $leasefile $args $ifname`; + printf($output); +} diff --git a/scripts/vyatta-interfaces.pl b/scripts/vyatta-interfaces.pl index 90d8dfc7..42ffc7d8 100755 --- a/scripts/vyatta-interfaces.pl +++ b/scripts/vyatta-interfaces.pl @@ -356,6 +356,13 @@ sub is_valid_addr_set { exit 0; } + if ($addr_net eq "dhcpv6") { + die "Error: can't use dhcpv6 client on loopback interface\n" + if ($intf eq "lo"); + + exit 0; + } + my ($addr, $net); if ($addr_net =~ m/^([0-9a-fA-F\.\:]+)\/(\d+)$/) { $addr = $1; @@ -423,7 +430,7 @@ sub is_valid_addr_commit { $dhcp = 1; } else { my $version = is_ip_v4_or_v6($addr); - if ($version == 4) { + if (defined($version) && $version == 4) { $static_v4 = 1; } } diff --git a/templates/interfaces/ethernet/node.tag/address/node.def b/templates/interfaces/ethernet/node.tag/address/node.def index db87ff05..7ed12bba 100644 --- a/templates/interfaces/ethernet/node.tag/address/node.def +++ b/templates/interfaces/ethernet/node.tag/address/node.def 
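Review bot: `$ifname` comes straight from `--ifname` and is interpolated into three backtick command lines and into the pid/lease/conf paths with no validation, and since the templates invoke this script under `sudo`, a value containing shell metacharacters or `/` would be re-parsed by a root shell and could place files outside `/var/lib/dhcp3`; restrict it to an interface-name pattern after `GetOptions` and pass it through list-form `system` so no shell is involved. `gen_conf_file` uses the two-argument `open($FD_WR, ">$conffile")` and never checks `close`, so the filename doubles as the mode string and write errors are lost; use the three-argument form with `or die`. `printf($output)` hands dhclient's output to printf as a format, so any `%` in it is misinterpreted — `print $output`, or let `system` write to stdout directly. `my $output` is also declared twice in the start block, which `use warnings` (missing from the preamble) would flag as a masked declaration. The rewritten lines below keep the same options and files.
```perl
use strict;
use warnings;
# … unchanged: use lib, FileHandle, Vyatta::Config, Getopt::Long, flag declarations …

sub gen_conf_file {
    my ($conffile, $ifname) = @_;

    open(my $FD_WR, '>', $conffile)
        or die "Can't write config file: $conffile: $!\n";
    # … unchanged: date/user/hostname lookups and the print $FD_WR lines …
    close($FD_WR) or die "Can't close $conffile: $!\n";
}

# … unchanged: GetOptions call and the --temporary/--parameters-only check …

# the name is used in file paths and handed to dhclient; accept only the
# character set the interface templates allow (adjust the pattern to match them)
if (!defined $ifname || $ifname !~ /\A[A-Za-z0-9_.:-]{1,15}\z/) {
    print "Error: --ifname must name a valid interface.\n";
    exit 1;
}

# … unchanged: $pidfile/$leasefile/$conffile/$cmdname and the --release/--renew checks …

# list-form system(): no shell, so $ifname and the paths are single arguments
my @dhclient = ($cmdname, '-6', '-nw', '-cf', $conffile, '-pf', $pidfile, '-lf', $leasefile);

if (defined $stop_flag || defined $release_flag) {
    print "Stopping daemon...\n";
    system(@dhclient, '-r', $ifname) == 0
        or warn "dhclient release on $ifname failed: $?\n";
    # … unchanged: unlink of the pid file, and of the conf file on --stop …
}

if (defined $start_flag || defined $renew_flag) {
    gen_conf_file($conffile, $ifname);

    print "Stopping old daemon...\n";
    system($cmdname, '-6', '-pf', $pidfile, '-x', $ifname);

    my @args;
    push @args, '-T' if defined $temp_flag;
    push @args, '-S' if defined $params_only_flag;

    print "Starting new daemon...\n";
    system(@dhclient, @args, $ifname) == 0
        or die "dhclient start on $ifname failed: $?\n";
}
```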
@@ -15,14 +15,41 @@ syntax:expression: exec "/opt/vyatta/sbin/vyatta-interfaces.pl --valid-addr-set # commit:expression: exec "/opt/vyatta/sbin/vyatta-interfaces.pl --valid-addr-commit $VAR(@@) --dev $VAR(../@)" -create:sudo /opt/vyatta/sbin/vyatta-interfaces.pl --eth-addr-update $VAR(@) --dev $VAR(../@) - -delete:sudo /opt/vyatta/sbin/vyatta-interfaces.pl --eth-addr-delete $VAR(@) --dev $VAR(../@) - -allowed: echo "dhcp <>" +create: + ifname=$VAR(../@) + param=$VAR(@) + if [ "$param" = "dhcpv6" ]; then + if [ -n "$VAR(../dhcpv6-options/parameters-only)" ]; then + echo "parameters-only is set" + arg1="--parameters-only" + fi + if [ -n "$VAR(../dhcpv6-options/temporary)" ]; then + echo "temporary is set" + arg2="--temporary" + fi + + echo "Starting DHCPv6 client on ${ifname}..." + sudo /opt/vyatta/sbin/vyatta-dhcpv6-client.pl --start \ + --ifname $ifname $arg1 $arg2 + else + sudo /opt/vyatta/sbin/vyatta-interfaces.pl --eth-addr-update $VAR(@) --dev $VAR(../@) + fi + +delete: + ifname=$VAR(../@) + param=$VAR(@) + if [ "$param" = "dhcpv6" ]; then + echo "Stopping DHCPv6 client on ${ifname}..." + sudo /opt/vyatta/sbin/vyatta-dhcpv6-client.pl --stop --ifname \ + $ifname + else + sudo /opt/vyatta/sbin/vyatta-interfaces.pl --eth-addr-delete $VAR(@) --dev $VAR(../@) + fi + +allowed: echo "dhcp dhcpv6 <>" comp_help:Possible completions: - Set the IP address and prefix length + Set the IPv4 address and prefix length Set the IPv6 address and prefix length - dhcp Set the IP address and prefix length via DHCP - + dhcp Set the IPv4 address and prefix length via DHCP + dhcpv6 Set the IPv6 address and prefix length via DHCPv6 diff --git a/templates/interfaces/ethernet/node.tag/dhcpv6-options/node.def b/templates/interfaces/ethernet/node.tag/dhcpv6-options/node.def new file mode 100644 index 00000000..aaeca067 --- /dev/null +++ b/templates/interfaces/ethernet/node.tag/dhcpv6-options/node.def 
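Review bot: In the `create:` action `arg1` and `arg2` are assigned only inside their `if` branches and then expanded unquoted on the `vyatta-dhcpv6-client.pl` command line, so an inherited environment variable of the same name would be passed to the client unchanged; initialise both before the checks (`arg1=""` and `arg2=""`) and quote `"$ifname"` in both the create and delete branches. The same pattern recurs in `dhcpv6-options/node.def`. The plain `dhcp` value falls through to the `else` branch, which looks intended but deserves a one-line comment: `# dhcp and static addresses are handled by vyatta-interfaces.pl`.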
@@ -0,0 +1,49 @@ +# This node is run before the rest of the interface is configured. +# We first check to see if DHCPv6 is still configured on the interface by +# looking over at the interface address parameters. Then we check to see +# if the DHCPv6 client program is still running on this interface. If both +# of those are true, then any change to this tree means that the user +# has changed this tree ONLY, and that we are going to have to re-start +# the DHCPv6 client using the new parameters. + + +priority: 317 # Run before interface has been configured + +help: Set options for DHCPv6 + +end: + ifname="$VAR(../@)" + echo "dhcpv6-options: ifname is $ifname" + + dhcpv6_set=0 + for param in $VAR(../address/@@); do + if [ "$param" = "dhcpv6" ]; then + dhcpv6_set=1 + fi + done + + if [ $dhcpv6_set -eq 0 ]; then + echo "DHCPv6 is not configured on this interface" + exit 0 + fi + + conffile=/var/lib/dhcp3/dhclient_v6_$VAR(../@).conf + if [ ! -e $conffile ]; then + echo "Conf file $conffile doesn't exist" + exit 0 + fi + + if [ -n "$VAR(./parameters-only)" ]; then + arg1="--parameters-only" + fi + + if [ -n "$VAR(./temporary)" ]; then + arg2="--temporary" + fi + + echo "Re-starting DHCPv6 client on ${ifname}..." + sudo /opt/vyatta/sbin/vyatta-dhcpv6-client.pl --stop --start \ + --ifname $ifname $arg1 $arg2 + + echo "Done." + exit 0 \ No newline at end of file diff --git a/templates/interfaces/ethernet/node.tag/dhcpv6-options/parameters-only/node.def b/templates/interfaces/ethernet/node.tag/dhcpv6-options/parameters-only/node.def new file mode 100644 index 00000000..0178c469 --- /dev/null +++ b/templates/interfaces/ethernet/node.tag/dhcpv6-options/parameters-only/node.def @@ -0,0 +1,3 @@ + +help: Acquire only config parameters, not address, via DHCPv6 + diff --git a/templates/interfaces/ethernet/node.tag/dhcpv6-options/temporary/node.def b/templates/interfaces/ethernet/node.tag/dhcpv6-options/temporary/node.def new file mode 100644 index 00000000..afb9de9c --- /dev/null 
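Review bot: The header comment says the script checks whether "the DHCPv6 client program is still running on this interface", but the `end:` body only tests `[ ! -e $conffile ]` for the generated config file; either reword the comment to `# ... then we check that the client's generated config file still exists` or make the code query the client's state as described. `$conffile` is built from `$VAR(../@)` and used unquoted; `[ ! -e "$conffile" ]` is the safe spelling. `echo "dhcpv6-options: ifname is $ifname"` looks like debugging output left in, and the final `exit 0` line lacks a trailing newline.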
+++ b/templates/interfaces/ethernet/node.tag/dhcpv6-options/temporary/node.def @@ -0,0 +1,3 @@ + +help: Acquire a "temporary" IPv6 address + -- cgit v1.2.3 From 2bee5dd004864e2b996021242e900162b41eeecc Mon Sep 17 00:00:00 2001 From: Bob Gilligan Date: Wed, 26 May 2010 16:12:45 -0700 Subject: 0.17.46 --- debian/changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/changelog b/debian/changelog index bdf5d5cc..b63f7977 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +vyatta-cfg-system (0.17.46) unstable; urgency=low + + * Move DHCPv6 client configuration to this package and restructre + parameters. + + -- Bob Gilligan Wed, 26 May 2010 16:12:45 -0700 + vyatta-cfg-system (0.17.45) unstable; urgency=low * Don't enable PAM Radius by default -- cgit v1.2.3 From 481e7ac37759e4fc061d7e56a630eb16ea9b0f1c Mon Sep 17 00:00:00 2001 From: Stig Thormodsrud Date: Fri, 28 May 2010 14:31:38 -0700 Subject: Fix 5521: Cannot Delete vif with vrrp configured. --- scripts/keepalived/vyatta-keepalived.pl | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/keepalived/vyatta-keepalived.pl b/scripts/keepalived/vyatta-keepalived.pl index e87c9f64..2c84f252 100755 --- a/scripts/keepalived/vyatta-keepalived.pl +++ b/scripts/keepalived/vyatta-keepalived.pl @@ -212,6 +212,7 @@ sub vrrp_get_sync_groups { sub vrrp_read_changes { my @lines = (); + return @lines if ! -e $changes_file; open(my $FILE, "<", $changes_file) or die "Error: read $!"; @lines = <$FILE>; close($FILE); -- cgit v1.2.3 From 4153b008bac2d286a3c463edf44bf2e7ad062d39 Mon Sep 17 00:00:00 2001 From: Stig Thormodsrud Date: Tue, 1 Jun 2010 15:24:47 -0700 Subject: 0.17.47 --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index b63f7977..be0b1982 100644 --- a/debian/changelog +++ b/debian/changelog 
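Review bot: `return @lines if ! -e $changes_file;` silently treats a missing changes file as an empty change list, which is presumably the intent behind fixing bug 5521 but is not stated anywhere; a comment such as `# No changes file: nothing is pending, return an empty list` would record it. `return @lines unless -e $changes_file;` is the idiomatic form of the same guard. The `open ... or die` below still reports any other failure, so a file removed between the test and the open is an error rather than an empty result.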
@@ -1,3 +1,9 @@ +vyatta-cfg-system (0.17.47) unstable; urgency=low + + * Fix 5521: Cannot Delete vif with vrrp configured. + + -- Stig Thormodsrud Tue, 01 Jun 2010 15:24:45 -0700 + vyatta-cfg-system (0.17.46) unstable; urgency=low * Move DHCPv6 client configuration to this package and restructre -- cgit v1.2.3 From 3661e4d67c0ea0a0ccc774ca38c031500335e0ee Mon Sep 17 00:00:00 2001 From: An-Cheng Huang Date: Thu, 3 Jun 2010 14:55:13 -0700 Subject: fix for bug 5656 * add package dependency for apt https access. --- debian/control | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/control b/debian/control index c1d19a95..6c169390 100644 --- a/debian/control +++ b/debian/control @@ -47,6 +47,7 @@ Depends: acpid, vyatta-biosdevname, ipvsadm (>= 1:1.24-2.1), radvd (>= 1:1.1-3), + apt-transport-https, hostapd (>= 1:0.6.9-3) Pre-Depends: bash-completion Suggests: util-linux (>= 2.13-5), -- cgit v1.2.3 From f2028e6a105b3136f881635c2bbe64216dffa7e3 Mon Sep 17 00:00:00 2001 From: An-Cheng Huang Date: Thu, 3 Jun 2010 14:55:46 -0700 Subject: 0.17.48 --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index be0b1982..912f4f13 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +vyatta-cfg-system (0.17.48) unstable; urgency=low + + * fix for bug 5656 + + -- An-Cheng Huang Thu, 03 Jun 2010 14:55:46 -0700 + vyatta-cfg-system (0.17.47) unstable; urgency=low * Fix 5521: Cannot Delete vif with vrrp configured. -- cgit v1.2.3 From fa76fb6b1d99218cfd3a181b8dcc718d83906f93 Mon Sep 17 00:00:00 2001 From: Mohit Mehta Date: Thu, 3 Jun 2010 16:29:20 -0700 Subject: move list functions to vrrp perl module so other scripts can use it as well --- scripts/keepalived/vyatta-keepalived.pl | 34 +++------------------------------ 1 file changed, 3 insertions(+), 31 deletions(-) diff --git a/scripts/keepalived/vyatta-keepalived.pl b/scripts/keepalived/vyatta-keepalived.pl index 2c84f252..b891bdf7 100755 
--- a/scripts/keepalived/vyatta-keepalived.pl +++ b/scripts/keepalived/vyatta-keepalived.pl @@ -205,7 +205,9 @@ sub vrrp_get_sync_groups { foreach my $vrrp_instance ( 0 .. $#{ $HoA_sync_groups{$sync_group} } ) { $output .= "\t\t$HoA_sync_groups{$sync_group}[$vrrp_instance]\n"; } - $output .= "\t\}\n\}\n"; + $output .= "\t\}\n"; + ## add conntrack-sync part here if configured ## + $output .= "\}\n"; } return $output; } @@ -354,36 +356,6 @@ sub keepalived_write_file { close $fh; } -sub list_vrrp_intf { - my $config = new Vyatta::Config; - my @intfs = (); - - foreach my $name ( getInterfaces() ) { - my $intf = new Vyatta::Interface($name); - next unless $intf; - my $path = $intf->path(); - $config->setLevel($path); - push @intfs, $name if $config->existsOrig("vrrp"); - } - - return @intfs; -} - -sub list_vrrp_group { - my ($name) = @_; - my $config = new Vyatta::Config; - my $path; - - my $intf = new Vyatta::Interface($name); - next unless $intf; - $path = $intf->path(); - $path .= " vrrp vrrp-group"; - $config->setLevel($path); - my @groups = $config->listOrigNodes(); - return @groups; -} - - # # main # -- cgit v1.2.3 From 8345a0455dbb20963263a6e82354a488f100d587 Mon Sep 17 00:00:00 2001 From: Mohit Mehta Date: Thu, 3 Jun 2010 16:32:05 -0700 Subject: 0.17.49 --- debian/changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/changelog b/debian/changelog index 912f4f13..760a30ea 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +vyatta-cfg-system (0.17.49) unstable; urgency=low + + * move list functions to vrrp perl module so other scripts can use it + as well + + -- Mohit Mehta Thu, 03 Jun 2010 16:32:05 -0700 + vyatta-cfg-system (0.17.48) unstable; urgency=low * fix for bug 5656 -- cgit v1.2.3 From 67151d699de7c046c9bd557bbadc5fe12950228e Mon Sep 17 00:00:00 2001 
From: Stephen Hemminger Date: Wed, 26 May 2010 17:18:49 -0700 Subject: Fix use of bareword file handles Rather than using BAREWORD file handles, use 3 arg open and local variable. --- scripts/system/vyatta_update_resolv.pl | 32 ++++++++++++++++++-------------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/scripts/system/vyatta_update_resolv.pl b/scripts/system/vyatta_update_resolv.pl index 7f2b84b2..a4e2b9ba 100755 --- a/scripts/system/vyatta_update_resolv.pl +++ b/scripts/system/vyatta_update_resolv.pl @@ -134,10 +134,11 @@ if ($dhclient_script == 1) { } } if ($ns_in_resolvconf == 0) { - open (APPEND, ">>/etc/resolv.conf") or die "$! error trying to overwrite"; - print APPEND "nameserver\t$ns\t\t#nameserver written by $0\n"; - close (APPEND); - $restart_ntp = 1; + open (my $rf, '>>', '/etc/resolv.conf') + or die "$! error trying to overwrite"; + print $rf "nameserver\t$ns\t\t#nameserver written by $0\n"; + close $rf; + $restart_ntp = 1; } } } 
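Review bot: `close $rf;` on the append handle discards the close status, and for a write handle that is where buffered write errors (disk full, I/O error) surface, so a failed nameserver write goes unnoticed; the same unchecked `close ($r);` ends the rewrite in the next hunk (`@@ -190`). Match the open's style with `close $rf or die "$! error closing /etc/resolv.conf";`. A silently truncated resolver file affects every name lookup on the box, which is why the extra clause is worth having.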
@@ -190,37 +191,40 @@ if ($dhclient_script == 1) { my @resolv; if (-e '/etc/resolv.conf') { - open (RESOLV, '; - close (RESOLV); + open (my $f, '<', '/etc/resolv.conf') + or die("$0: Error! Unable to open '/etc/resolv.conf' for input: $!\n"); + @resolv = <$f>; + close ($f); } my $foundSearch = 0; my $foundDomain = 0; -open (RESOLV, '>/etc/resolv.conf') or die("$0: Error! Unable to open '/etc/resolv.conf' for output: $!\n"); +open (my $r, '>', '/etc/resolv.conf') + or die("$0: Error! Unable to open '/etc/resolv.conf' for output: $!\n"); + foreach my $line (@resolv) { if ($line =~ /^search\s/) { $foundSearch = 1; if (length($search) > 0) { - print RESOLV $search; + print $r $search; } } elsif ($line =~ /^domain\s/) { $foundDomain = 1; if (length($domain) > 0) { - print RESOLV $domain; + print $r $domain; } } else { - print RESOLV $line; + print $r $line; } } if ($foundSearch == 0 && length($search) > 0) { - print RESOLV $search; + print $r $search; } if ($foundDomain == 0 && length($domain) > 0) { - print RESOLV $domain; + print $r $domain; } -close (RESOLV); +close ($r); -- cgit v1.2.3 From 379c2618cfbc337625f809f63fd4cb22793eccf8 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Tue, 25 May 2010 08:56:10 -0700 Subject: Set file capability attributes This sets file capability attributes during package installation (and build) to allow better security models. --- Makefile.am | 1 + debian/vyatta-cfg-system.postinst.in | 4 ++++ sysconf/filecaps | 31 +++++++++++++++++++++++++++++++ 3 files changed, 36 insertions(+) create mode 100644 sysconf/filecaps diff --git a/Makefile.am b/Makefile.am index e4025c5b..e57021f1 100644 --- a/Makefile.am +++ b/Makefile.am @@ -80,6 +80,7 @@ sysconf_DATA += sysconf/blacklist.DSA-1024 sysconf_DATA += sysconf/blacklist.RSA-2048 sysconf_DATA += sysconf/level sysconf_DATA += sysconf/pam_radius.cfg +sysconf_DATA += sysconf/filecaps libudev_SCRIPTS = scripts/vyatta_net_name etcudev_DATA = sysconf/vyatta-net.rules 
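Review bot: The rewrite opens `/etc/resolv.conf` with `'>'`, truncating it in place, and then emits it line by line, so any process resolving a name during the loop sees an empty or partial file; the move to lexical handles is a good moment to make this atomic. Write to a sibling temp file and rename over the original: `open (my $r, '>', '/etc/resolv.conf.tmp')` with the matching die message, then `close ($r) or die "$0: Error! Unable to write '/etc/resolv.conf.tmp': $!\n";` and `rename '/etc/resolv.conf.tmp', '/etc/resolv.conf' or die "$0: Error! rename failed: $!\n";`. The new file's mode comes from the umask, so confirm it stays world-readable, as resolv.conf must be.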
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 4265d14b..7778ea87 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -133,6 +133,10 @@ EOF done cp $sysconfdir/vyatta-sysctl.conf /etc/sysctl.d/30-vyatta-router.conf + + # Set file capabilities + sed -r -e '/^#/d' -e '/^[[:blank:]]*$/d' <$sysconfdir/filecaps \ + | xargs -i sh -c "setcap {}" fi # create needed directories diff --git a/sysconf/filecaps b/sysconf/filecaps new file mode 100644 index 00000000..80730334 --- /dev/null +++ b/sysconf/filecaps @@ -0,0 +1,31 @@ +# List of files that get special attribute labeling + +# Network related utilities +cap_net_admin=pe /usr/sbin/ethtool +cap_net_admin=pe /sbin/tc +cap_net_admin=pe /bin/ip +cap_net_admin=pe /sbin/iptables +cap_net_admin=pe /sbin/ip6tables +cap_net_admin=pe /sbin/ipset +cap_net_admin=pe /usr/sbin/conntrack +cap_net_admin=pe /usr/sbin/arp +cap_net_admin=pe /usr/sbin/brctl + +# Raw sockets +cap_net_raw=pe /usr/bin/tshark +cap_net_raw=pe /usr/sbin/tcpdump +cap_net_raw=pe /bin/ping +cap_net_raw=pe /bin/ping6 + +# Special case to allow command login +cap_audit_write=pe /bin/vbash + +# Allow changes to system settings +cap_sys_admin=pe /sbin/sysctl + +# Module install +cap_sys_module=pe /sbin/modprobe + +# Set time +cap_sys_time=pe /bin/date +cap_sys_time=pe /usr/sbin/ntpdate -- cgit v1.2.3 From e902973f24c75b24576e914d44a68beaaf2aff5b Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Tue, 25 May 2010 10:21:03 -0700 Subject: Add pam_cap capability configuration --- Makefile.am | 1 + debian/vyatta-cfg-system.postinst.in | 3 +++ sysconf/capability.conf | 10 ++++++++++ 3 files changed, 14 insertions(+) create mode 100644 sysconf/capability.conf diff --git a/Makefile.am b/Makefile.am index e57021f1..3157173c 100644 --- a/Makefile.am +++ b/Makefile.am 
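Review bot: `xargs -i sh -c "setcap {}"` substitutes each filecaps line into a shell command string and re-parses it, so the data file is effectively executed rather than read, and `-i` is the deprecated spelling of `-I {}`. Every line is exactly two fields, so `| xargs -L1 setcap` (or a `while read caps path; do setcap "$caps" "$path"; done` loop) applies them without a shell round-trip. Whether a failing `setcap` aborts the postinst isn't visible here; xargs exits non-zero when any invocation fails, which only helps if the pipeline's status is checked.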
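Review bot: File capabilities set as `=pe` are permitted and effective for whoever executes the binary, so entries such as `cap_sys_admin=pe /sbin/sysctl` and `cap_sys_module=pe /sbin/modprobe` extend to any local account able to run those paths, not only the Vyatta admin groups, unless the binaries' group and mode restrict execution. A header comment recording that assumption, e.g. `# Each capability below is granted to any user who can execute the file; restrict by group/mode where that is not intended`, would keep future additions honest. The section comments (`# Network related utilities`, `# Raw sockets`) name the tool family rather than why the capability is required, which is the part a later reviewer needs.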
@@ -81,6 +81,7 @@ sysconf_DATA += sysconf/blacklist.RSA-2048 sysconf_DATA += sysconf/level sysconf_DATA += sysconf/pam_radius.cfg sysconf_DATA += sysconf/filecaps +sysconf_DATA += sysconf/capability.conf libudev_SCRIPTS = scripts/vyatta_net_name etcudev_DATA = sysconf/vyatta-net.rules diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 7778ea87..dee13d4f 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -137,6 +137,9 @@ EOF # Set file capabilities sed -r -e '/^#/d' -e '/^[[:blank:]]*$/d' <$sysconfdir/filecaps \ | xargs -i sh -c "setcap {}" + + # Install pam_cap config + cp $sysconfdir/capability.conf /etc/security/capability.conf fi # create needed directories diff --git a/sysconf/capability.conf b/sysconf/capability.conf new file mode 100644 index 00000000..0a7235f1 --- /dev/null +++ b/sysconf/capability.conf @@ -0,0 +1,10 @@ +# this is a capability file (used in conjunction with the pam_cap.so module) + +# Special capability for Vyatta admin +all %vyattacfg + +# Vyatta Operator +cap_net_admin,cap_sys_boot,cap_audit_write %vyattaop + +## 'everyone else' gets no inheritable capabilities +none * -- cgit v1.2.3 From 601107d11f53d17a1d433c5a67b491532e84ed89 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Fri, 4 Jun 2010 14:10:09 -0700 Subject: 0.17.50 --- debian/changelog | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/debian/changelog b/debian/changelog index 760a30ea..fbb86309 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +vyatta-cfg-system (0.17.50) unstable; urgency=low + + * Fix use of bareword file handles + * Set file capability attributes + * Add pam_cap capability configuration + + -- Stephen Hemminger Fri, 04 Jun 2010 14:10:09 -0700 + vyatta-cfg-system (0.17.49) unstable; urgency=low * move list functions to vrrp perl module so other scripts can use it -- cgit v1.2.3 
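Review bot: `all %vyattacfg` makes every capability inheritable for the vyattacfg group through pam_cap, and the comment above it only says `# Special capability for Vyatta admin`; state the consequence, e.g. `# vyattacfg is the admin group: the inheritable set is every capability, i.e. root-equivalent by design`. The `%vyattaop` line grants `cap_sys_boot` and `cap_audit_write` alongside `cap_net_admin`; a one-line note on why operators need reboot and audit-write rights would explain the choice. Whether `/etc/security/capability.conf` is already shipped by another package (the unconditional `cp` in the postinst hunk above would then overwrite it on every install) can't be told from here.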
From 62d85a7cd7db7a45733d3d265760c3616879ef15 Mon Sep 17 00:00:00 2001 From: Bob Gilligan Date: Sun, 30 May 2010 07:13:51 -0700 Subject: Using "send dhcp6.oro" is no longer required in config file. --- scripts/vyatta-dhcpv6-client.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/vyatta-dhcpv6-client.pl b/scripts/vyatta-dhcpv6-client.pl index c1a0dbd3..b23d1700 100644 --- a/scripts/vyatta-dhcpv6-client.pl +++ b/scripts/vyatta-dhcpv6-client.pl @@ -61,8 +61,8 @@ sub gen_conf_file { print $FD_WR "# Generated on $date by $user\n"; print $FD_WR "#\n"; print $FD_WR "interface \"$ifname\" {\n"; - print $FD_WR " send host-name \"$hostname\";\n"; - print $FD_WR " send dhcp6.oro 1, 2, 7, 12, 13, 23, 24, 39;\n"; +# print $FD_WR " send host-name \"$hostname\";\n"; +# print $FD_WR " send dhcp6.oro 1, 2, 7, 12, 13, 23, 24, 39;\n"; print $FD_WR "}\n"; } -- cgit v1.2.3 From fa7d9a1c503bb53b2512c56030d4778f641cd2dc Mon Sep 17 00:00:00 2001 From: Bob Gilligan Date: Sun, 30 May 2010 07:14:32 -0700 Subject: 0.17.51 --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index fbb86309..7ca3c50b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +vyatta-cfg-system (0.17.51) unstable; urgency=low + + * Using "send dhcp6.oro" is no longer required in config file. + + -- Bob Gilligan Sun, 30 May 2010 07:14:32 -0700 + vyatta-cfg-system (0.17.50) unstable; urgency=low * Fix use of bareword file handles -- cgit v1.2.3 From e131104a11915b19478cf4a46cd2a18cade05ab3 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Mon, 7 Jun 2010 16:20:47 -0700 Subject: Add skip option to vyatta-interfaces Used to skip the existing interface name when doing mirror/redirect --- scripts/vyatta-interfaces.pl | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/scripts/vyatta-interfaces.pl b/scripts/vyatta-interfaces.pl index 42ffc7d8..d5abaa36 100755 --- a/scripts/vyatta-interfaces.pl 
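Review bot: The two `send` lines are commented out rather than removed, leaving dead code in gen_conf_file with the reason recorded only in the commit subject. Either delete them (history keeps them) or replace both with a single explanation inside the sub, `# "send host-name" / "send dhcp6.oro" are no longer required in this file (commit 62d85a7c)`. If `$hostname` is now unused in the sub, its computation can go as well; its declaration is outside the hunk, so I can't confirm that.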
+++ b/scripts/vyatta-interfaces.pl @@ -47,10 +47,11 @@ use warnings; my $dhcp_daemon = '/sbin/dhclient'; -my ($eth_update, $eth_delete, $addr_set, @addr_commit, $dev, $mac, $mac_update); +my ($eth_update, $eth_delete, $addr_set, $dev, $mac, $mac_update); +my %skip_interface; my ($check_name, $show_names, $intf_cli_path, $vif_name, $warn_name); my ($check_up, $show_path, $dhcp_command); -my @speed_duplex; +my (@speed_duplex, @addr_commit); sub usage { print < \$eth_update, "dhcp=s" => \$dhcp_command, "check=s" => \$check_name, "show=s" => \$show_names, + "skip=s" => sub { $skip_interface{$_[1]} = 1 }, "vif=s" => \$vif_name, "warn" => \$warn_name, "path" => \$show_path, @@ -523,6 +525,7 @@ sub show_interfaces { foreach my $name (@interfaces) { my $intf = new Vyatta::Interface($name); next unless $intf; # skip unknown types + next if $skip_interface{$name}; next unless ($type eq 'all' || $type eq $intf->type()); if ($vif_name) { -- cgit v1.2.3 From 90371b9355e45554ddb21e8c98d6ea0c0b8f2adb Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Mon, 7 Jun 2010 16:28:13 -0700 Subject: 0.17.52 --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index 7ca3c50b..40e9dd42 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +vyatta-cfg-system (0.17.52) unstable; urgency=low + + * Add skip option to vyatta-interfaces + + -- Stephen Hemminger Mon, 07 Jun 2010 16:28:13 -0700 + vyatta-cfg-system (0.17.51) unstable; urgency=low * Using "send dhcp6.oro" is no longer required in config file. -- cgit v1.2.3 From 5f95547ba4d6f4762ff286ddc4421b27367cdf56 Mon Sep 17 00:00:00 2001 From: Mohit Mehta Date: Wed, 9 Jun 2010 14:46:57 -0700 Subject: * make vrrp work with conntrack-sync --- scripts/keepalived/vyatta-keepalived.pl | 102 ++++++++++++++++++++++++++++---- 1 file changed, 90 insertions(+), 12 deletions(-) 
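Review bot: The new `"skip=s" => sub { $skip_interface{$_[1]} = 1 },` handler relies on GetOptions passing `($option_name, $value)` to the callback, which is easy to misread as `$_[0]`; a trailing comment `# ($opt, $value): remember each --skip name` would settle it. The `usage()` heredoc is garbled in this view, so I can't tell whether `--skip <intf>` was added to the help text; if it wasn't, it should be. In show_interfaces the `next if $skip_interface{$name};` line precedes the type filter, which is fine; show_interfaces itself begins outside the hunk.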
diff --git a/scripts/keepalived/vyatta-keepalived.pl b/scripts/keepalived/vyatta-keepalived.pl index b891bdf7..4ade0394 100755 --- a/scripts/keepalived/vyatta-keepalived.pl +++ b/scripts/keepalived/vyatta-keepalived.pl @@ -28,15 +28,17 @@ use Vyatta::Config; use Vyatta::Keepalived; use Vyatta::TypeChecker; use Vyatta::Interface; +use Vyatta::ConntrackSync; use Vyatta::Misc; use Getopt::Long; use strict; use warnings; -my ($action, $vrrp_intf, $vrrp_group, $vrrp_vip); +my ($action, $vrrp_intf, $vrrp_group, $vrrp_vip, $ctsync); my ($conf_file, $changes_file); my %HoA_sync_groups; +my $ctsync_script = "/opt/vyatta/sbin/vyatta-vrrp-conntracksync.sh"; sub validate_source_addr { my ($ifname, $source_addr) = @_; @@ -69,6 +71,28 @@ sub validate_source_addr { return; } +sub get_ctsync_syncgrp { + my ($origfunc) = @_; + my $failover_sync_grp = undef; + + my $listnodesfunc = "listNodes"; + my $returnvalfunc = "returnValue"; + if (defined $origfunc) { + $listnodesfunc = "listOrigNodes"; + $returnvalfunc = "returnOrigValue"; + } + + my @failover_mechanism = Vyatta::ConntrackSync::get_conntracksync_val( + $listnodesfunc, "failover-mechanism" ); + + if (defined $failover_mechanism[0] && $failover_mechanism[0] eq 'vrrp') { + $failover_sync_grp = Vyatta::ConntrackSync::get_conntracksync_val( + $returnvalfunc, + "failover-mechanism $failover_mechanism[0] vrrp-sync-group" ); + } + return $failover_sync_grp; +} + sub keepalived_get_values { my ($intf, $path) = @_; 
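Review bot: In get_ctsync_syncgrp the `$origfunc` parameter is only tested for definedness, and the callers pass the string 'true', so the contract is really a presence flag that nothing documents; a header comment such as `# $origfunc: if defined, read the original (pre-commit) config tree instead of the working one` would fix that, and `my $failover_sync_grp;` can drop the redundant `= undef`. Only `$failover_mechanism[0]` is consulted, so if listNodes can return more than one mechanism the rest are ignored silently; worth a comment if that is by design. `$ctsync_script` is a fixed path, so it is fine to interpolate later, but the name is used in shell command strings and deserves a comment saying so where it is declared.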
@@ -159,7 +183,21 @@ sub keepalived_get_values { $output .= "vrrp_instance $vrrp_instance \{\n"; my $init_state; - $init_state = vrrp_get_init_state($intf, $group, $vips[0], $preempt); + if (defined $ctsync) { + # check if this group is part of conntrack-sync vrrp-sync-group + my $ctsync_syncgrp = get_ctsync_syncgrp(); + my $vrrpsyncgrp = list_vrrp_sync_group($intf, $group, 'returnOrigPlusComValue'); + if ( defined $ctsync_syncgrp && + defined $vrrpsyncgrp && + ($ctsync_syncgrp eq $vrrpsyncgrp) + ) { + $init_state = 'BACKUP'; + } else { + $init_state = vrrp_get_init_state($intf, $group, $vips[0], $preempt); + } + } else { + $init_state = vrrp_get_init_state($intf, $group, $vips[0], $preempt); + } $output .= "\tstate $init_state\n"; $output .= "\tinterface $intf\n"; $output .= "\tvirtual_router_id $group\n"; @@ -203,10 +241,19 @@ sub vrrp_get_sync_groups { foreach my $sync_group ( keys %HoA_sync_groups) { $output .= "vrrp_sync_group $sync_group \{\n\tgroup \{\n"; foreach my $vrrp_instance ( 0 .. $#{ $HoA_sync_groups{$sync_group} } ) { - $output .= "\t\t$HoA_sync_groups{$sync_group}[$vrrp_instance]\n"; + $output .= "\t\t$HoA_sync_groups{$sync_group}[$vrrp_instance]\n"; } $output .= "\t\}\n"; + ## add conntrack-sync part here if configured ## + my $origfunc = undef; + $origfunc = 'true' if ! defined $ctsync; + my $failover_sync_grp = get_ctsync_syncgrp($origfunc); + if (defined $failover_sync_grp && $failover_sync_grp eq $sync_group) { + $output .= "\tnotify_master \"$ctsync_script master $sync_group\"\n"; + $output .= "\tnotify_backup \"$ctsync_script backup $sync_group\"\n"; + $output .= "\tnotify_fault \"$ctsync_script fault $sync_group\"\n"; + } $output .= "\}\n"; } return $output; @@ -303,7 +350,6 @@ sub remove_from_changes { } sub vrrp_update_config { - my ($intf) = @_; my @errs = (); my $date = localtime(); 
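Review bot: `$init_state = vrrp_get_init_state($intf, $group, $vips[0], $preempt);` is duplicated in both the inner and the outer `else`, which makes the new conntrack-sync case harder to follow than it needs to be; compute the default first and override it to BACKUP only when the group is the conntrack-sync group. The rewritten stretch is below; keepalived_get_values begins and ends outside the hunk.
```perl
    my $init_state = vrrp_get_init_state($intf, $group, $vips[0], $preempt);
    if (defined $ctsync) {
        # a group carrying conntrack-sync always starts as BACKUP
        my $ctsync_syncgrp = get_ctsync_syncgrp();
        my $vrrpsyncgrp = list_vrrp_sync_group($intf, $group, 'returnOrigPlusComValue');
        $init_state = 'BACKUP'
            if defined $ctsync_syncgrp && defined $vrrpsyncgrp
               && $ctsync_syncgrp eq $vrrpsyncgrp;
    }
    # … unchanged: $output .= "\tstate $init_state\n"; and the rest of the instance block …
```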
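Review bot: The `notify_master`/`notify_backup`/`notify_fault` lines interpolate `$sync_group` into a command line that keepalived will execute, and `$sync_group` is a user-supplied configuration value (`$config->returnValue("sync-group")` is what fills `%HoA_sync_groups` in keepalived_get_values); whether the CLI restricts the characters a sync-group name may contain isn't visible here, so whitespace or shell metacharacters in the name would alter the command keepalived runs. Validate before emitting, `die "invalid sync-group name [$sync_group]\n" unless $sync_group =~ /\A[\w-]+\z/;`, or reject such names where the group is read. `$origfunc = 'true' if ! defined $ctsync;` is a string standing in for a flag; passing `1` (or the `defined` test itself) reads more honestly. vrrp_get_sync_groups begins outside the hunk.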
@@ -359,31 +405,63 @@ sub keepalived_write_file { # # main # -GetOptions("vrrp-action=s" => \$action, - "intf=s" => \$vrrp_intf, - "group=s" => \$vrrp_group, - "vip=s" => \$vrrp_vip); +GetOptions("vrrp-action=s" => \$action, + "intf=s" => \$vrrp_intf, + "group=s" => \$vrrp_group, + "vip=s" => \$vrrp_vip, + "ctsync=s" => \$ctsync,); if (! defined $action) { print "no action\n"; exit 1; } +if (! defined $ctsync) { + # make sure sync-group used by ctsync has not been deleted + + my $failover_sync_grp = get_ctsync_syncgrp(); + if (defined $failover_sync_grp) { + # make sure vrrp-sync-group exists + my $sync_grp_exists = 'false'; + my @vrrp_intfs = list_vrrp_intf('exists'); + foreach my $vrrp_intf (@vrrp_intfs) { + my @vrrp_groups = list_vrrp_group($vrrp_intf, 'listNodes'); + foreach my $vrrp_group (@vrrp_groups) { + my $sync_grp = list_vrrp_sync_group($vrrp_intf, $vrrp_group, 'returnValue'); + if (defined $sync_grp && $sync_grp eq "$failover_sync_grp") { + $sync_grp_exists = 'true'; + last; + } + } + last if $sync_grp_exists eq 'true'; + } + + if ($sync_grp_exists eq 'false') { + print "sync-group $failover_sync_grp used for conntrack-sync" . + " is either deleted or undefined\n"; + exit 1; + } + } + +} + if ($action eq "update") { $changes_file = get_changes_file(); $conf_file = get_conf_file(); - vrrp_log("vrrp update $vrrp_intf"); + vrrp_log("vrrp update $vrrp_intf") if defined $vrrp_intf; + vrrp_log("vrrp update conntrack-sync") if defined $ctsync; if ( ! -e $changes_file) { my $num_changes = vrrp_find_changes(); if ($num_changes == 0) { # # Shouldn't happen, but ... # - vrrp_log("unexpected 0 changes"); + vrrp_log("unexpected 0 changes"); } } - my ($vrrp_instances, @errs) = vrrp_update_config($vrrp_intf); - my $more_changes = remove_from_changes($vrrp_intf); + my ($vrrp_instances, @errs) = vrrp_update_config(); + my $more_changes = 0; + $more_changes = remove_from_changes($vrrp_intf) if ! 
defined $ctsync; vrrp_log(" instances $vrrp_instances, $more_changes"); if ($vrrp_instances > 0 and $more_changes == 0) { restart_daemon($conf_file); -- cgit v1.2.3 From 159b91093c5665e6962954e83d15c31d97d26b94 Mon Sep 17 00:00:00 2001 From: Mohit Mehta Date: Wed, 9 Jun 2010 14:48:27 -0700 Subject: * perltidy vyatta-keepalived.pl --- scripts/keepalived/vyatta-keepalived.pl | 792 ++++++++++++++++---------------- 1 file changed, 401 insertions(+), 391 deletions(-) diff --git a/scripts/keepalived/vyatta-keepalived.pl b/scripts/keepalived/vyatta-keepalived.pl index 4ade0394..d06b9e36 100755 --- a/scripts/keepalived/vyatta-keepalived.pl +++ b/scripts/keepalived/vyatta-keepalived.pl @@ -1,12 +1,12 @@ #!/usr/bin/perl # # Module: vyatta-keepalived.pl -# +# # **** License **** # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 as # published by the Free Software Foundation. -# +# # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU @@ -15,11 +15,11 @@ # This code was originally developed by Vyatta, Inc. # Portions created by Vyatta are Copyright (C) 2007-2009 Vyatta, Inc. # All Rights Reserved. -# +# # Author: Stig Thormodsrud # Date: October 2007 # Description: Script to glue vyatta cli to keepalived daemon -# +# # **** End License **** # 
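Review bot: In the new `if (! defined $ctsync)` block, `foreach my $vrrp_intf (@vrrp_intfs)` and `foreach my $vrrp_group (@vrrp_groups)` shadow the file-scoped `$vrrp_intf` and `$vrrp_group` that GetOptions has just filled, so a reader of the loop bodies can mistake the iterated value for the command-line one; rename them, `foreach my $intf (@vrrp_intfs) {` and `foreach my $group (list_vrrp_group($intf, 'listNodes')) {`, and update the two uses inside. `$sync_grp_exists` carries the strings 'true' and 'false' where a plain 0/1 would let `last if $sync_grp_exists;` and the final test read naturally. The block also ends with a stray blank line before its closing brace, and `$sync_grp eq "$failover_sync_grp"` needs no quotes around the scalar.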
@@ -35,40 +35,41 @@ use Getopt::Long; use strict; use warnings; -my ($action, $vrrp_intf, $vrrp_group, $vrrp_vip, $ctsync); -my ($conf_file, $changes_file); +my ( $action, $vrrp_intf, $vrrp_group, $vrrp_vip, $ctsync ); +my ( $conf_file, $changes_file ); my %HoA_sync_groups; my $ctsync_script = "/opt/vyatta/sbin/vyatta-vrrp-conntracksync.sh"; sub validate_source_addr { - my ($ifname, $source_addr) = @_; - - my @ipaddrs; - if (defined $source_addr) { - my %config_ipaddrs; - my @ipaddrs = Vyatta::Misc::getInterfacesIPadresses('all'); - foreach my $ip (@ipaddrs) { - if ($ip =~ /^([\d.]+)\/([\d.]+)$/) { # strip /mask - $config_ipaddrs{$1} = 1; - } - } - if (!defined $config_ipaddrs{$source_addr}) { - vrrp_log("no hello-source"); - return "hello-source-address [$source_addr] must be " . - "configured on the interface\n"; - } - return; + my ( $ifname, $source_addr ) = @_; + + my @ipaddrs; + if ( defined $source_addr ) { + my %config_ipaddrs; + my @ipaddrs = Vyatta::Misc::getInterfacesIPadresses('all'); + foreach my $ip (@ipaddrs) { + if ( $ip =~ /^([\d.]+)\/([\d.]+)$/ ) { # strip /mask + $config_ipaddrs{$1} = 1; + } } - # if the hello-source-address wasn't configured, check that the - # interface has an IPv4 address configured on it. - my $intf = new Vyatta::Interface($ifname); - @ipaddrs = $intf->address(4); - if (scalar(@ipaddrs) < 1) { - vrrp_log("no primary or hello-source"); - return "must configure either a primary address on [$ifname] or" . - " a hello-source-address\n"; + if ( !defined $config_ipaddrs{$source_addr} ) { + vrrp_log("no hello-source"); + return "hello-source-address [$source_addr] must be " + . "configured on the interface\n"; } return; + } + + # if the hello-source-address wasn't configured, check that the + # interface has an IPv4 address configured on it. 
+ my $intf = new Vyatta::Interface($ifname); + @ipaddrs = $intf->address(4); + if ( scalar(@ipaddrs) < 1 ) { + vrrp_log("no primary or hello-source"); + return "must configure either a primary address on [$ifname] or" + . " a hello-source-address\n"; + } + return; } sub get_ctsync_syncgrp { 
@@ -77,358 +78,366 @@ sub get_ctsync_syncgrp { my $listnodesfunc = "listNodes"; my $returnvalfunc = "returnValue"; - if (defined $origfunc) { + if ( defined $origfunc ) { $listnodesfunc = "listOrigNodes"; $returnvalfunc = "returnOrigValue"; } - my @failover_mechanism = Vyatta::ConntrackSync::get_conntracksync_val( - $listnodesfunc, "failover-mechanism" ); + my @failover_mechanism = + Vyatta::ConntrackSync::get_conntracksync_val( $listnodesfunc, + "failover-mechanism" ); - if (defined $failover_mechanism[0] && $failover_mechanism[0] eq 'vrrp') { - $failover_sync_grp = Vyatta::ConntrackSync::get_conntracksync_val( - $returnvalfunc, - "failover-mechanism $failover_mechanism[0] vrrp-sync-group" ); + if ( defined $failover_mechanism[0] && $failover_mechanism[0] eq 'vrrp' ) { + $failover_sync_grp = + Vyatta::ConntrackSync::get_conntracksync_val( $returnvalfunc, + "failover-mechanism $failover_mechanism[0] vrrp-sync-group" ); } return $failover_sync_grp; } sub keepalived_get_values { - my ($intf, $path) = @_; - - my @errs = (); - my $output = ''; - my $config = new Vyatta::Config; - - my $state_transition_script = get_state_script(); - - vrrp_log("keepalived_get_values [$intf][$path]"); - $config->setLevel("$path vrrp vrrp-group"); - my @groups = $config->listNodes(); - foreach my $group (@groups) { - my $vrrp_instance = "vyatta-$intf-$group"; - $config->setLevel("$path vrrp vrrp-group $group"); - if ($config->exists("disable")) { - vrrp_log("$vrrp_instance disabled - skipping"); - my $state_file = get_state_file($intf, $group); - system("rm -f $state_file"); - next; - } - my @vips = $config->returnValues("virtual-address"); - my $num_vips = scalar(@vips); - if ($num_vips == 0) { - push @errs, "must define a virtual-address for vrrp-group $group\n"; - next; - } - if ($num_vips > 20) { - push @errs, "can not set more than 20 VIPs per group\n"; - next - } - my $priority = $config->returnValue("priority"); - if (!defined $priority) { - $priority = 1; - } - my $preempt = 
$config->returnValue("preempt"); - if (!defined $preempt) { - $preempt = "true"; - } - my $preempt_delay = $config->returnValue("preempt-delay"); - if (defined $preempt_delay and $preempt eq "false") { - print "Warning: preempt delay is ignored when preempt=false\n"; - } - my $advert_int = $config->returnValue("advertise-interval"); - if (!defined $advert_int) { - $advert_int = 1; - } - my $sync_group = $config->returnValue("sync-group"); - if (defined $sync_group && $sync_group ne "") { - push @{ $HoA_sync_groups{$sync_group} }, $vrrp_instance; - } - my $hello_source_addr = $config->returnValue("hello-source-address"); - my $err = validate_source_addr($intf, $hello_source_addr); - if (defined $err) { - push @errs, $err; - next; - } - - $config->setLevel("$path vrrp vrrp-group $group authentication"); - my $auth_type = $config->returnValue("type"); - my $auth_pass; - if (defined $auth_type) { - $auth_type = "PASS" if $auth_type eq "simple"; - $auth_type = uc($auth_type); - $auth_pass = $config->returnValue("password"); - if (! 
defined $auth_pass) { - push @errs, "vrrp authentication password not set\n"; - next; - } - } - - $config->setLevel("$path vrrp vrrp-group $group run-transition-scripts"); - my $run_backup_script = $config->returnValue("backup"); - if(!defined $run_backup_script){ - $run_backup_script = "null"; - } - my $run_fault_script = $config->returnValue("fault"); - if(!defined $run_fault_script){ - $run_fault_script = "null"; - } - my $run_master_script = $config->returnValue("master"); - if(!defined $run_master_script){ - $run_master_script = "null"; - } + my ( $intf, $path ) = @_; + + my @errs = (); + my $output = ''; + my $config = new Vyatta::Config; + + my $state_transition_script = get_state_script(); + + vrrp_log("keepalived_get_values [$intf][$path]"); + $config->setLevel("$path vrrp vrrp-group"); + my @groups = $config->listNodes(); + foreach my $group (@groups) { + my $vrrp_instance = "vyatta-$intf-$group"; + $config->setLevel("$path vrrp vrrp-group $group"); + if ( $config->exists("disable") ) { + vrrp_log("$vrrp_instance disabled - skipping"); + my $state_file = get_state_file( $intf, $group ); + system("rm -f $state_file"); + next; + } + my @vips = $config->returnValues("virtual-address"); + my $num_vips = scalar(@vips); + if ( $num_vips == 0 ) { + push @errs, "must define a virtual-address for vrrp-group $group\n"; + next; + } + if ( $num_vips > 20 ) { + push @errs, "can not set more than 20 VIPs per group\n"; + next; + } + my $priority = $config->returnValue("priority"); + if ( !defined $priority ) { + $priority = 1; + } + my $preempt = $config->returnValue("preempt"); + if ( !defined $preempt ) { + $preempt = "true"; + } + my $preempt_delay = $config->returnValue("preempt-delay"); + if ( defined $preempt_delay and $preempt eq "false" ) { + print "Warning: preempt delay is ignored when preempt=false\n"; + } + my $advert_int = $config->returnValue("advertise-interval"); + if ( !defined $advert_int ) { + $advert_int = 1; + } + my $sync_group = 
$config->returnValue("sync-group"); + if ( defined $sync_group && $sync_group ne "" ) { + push @{ $HoA_sync_groups{$sync_group} }, $vrrp_instance; + } + my $hello_source_addr = $config->returnValue("hello-source-address"); + my $err = validate_source_addr( $intf, $hello_source_addr ); + if ( defined $err ) { + push @errs, $err; + next; + } - # We now have the values and have validated them, so - # generate the config. - - $output .= "vrrp_instance $vrrp_instance \{\n"; - my $init_state; - if (defined $ctsync) { - # check if this group is part of conntrack-sync vrrp-sync-group - my $ctsync_syncgrp = get_ctsync_syncgrp(); - my $vrrpsyncgrp = list_vrrp_sync_group($intf, $group, 'returnOrigPlusComValue'); - if ( defined $ctsync_syncgrp && - defined $vrrpsyncgrp && - ($ctsync_syncgrp eq $vrrpsyncgrp) - ) { - $init_state = 'BACKUP'; - } else { - $init_state = vrrp_get_init_state($intf, $group, $vips[0], $preempt); - } - } else { - $init_state = vrrp_get_init_state($intf, $group, $vips[0], $preempt); - } - $output .= "\tstate $init_state\n"; - $output .= "\tinterface $intf\n"; - $output .= "\tvirtual_router_id $group\n"; - $output .= "\tpriority $priority\n"; - if ($preempt eq "false") { - $output .= "\tnopreempt\n"; - } - if (defined $preempt_delay) { - $output .= "\tpreempt_delay $preempt_delay\n"; - } - $output .= "\tadvert_int $advert_int\n"; - if (defined $auth_type) { - $output .= "\tauthentication {\n"; - $output .= "\t\tauth_type $auth_type\n"; - $output .= "\t\tauth_pass $auth_pass\n\t}\n"; - } - if (defined $hello_source_addr) { - $output .= "\tmcast_src_ip $hello_source_addr\n"; - } - $output .= "\tvirtual_ipaddress \{\n"; - foreach my $vip (@vips) { - $output .= "\t\t$vip\n"; - } - $output .= "\t\}\n"; - $output .= "\tnotify_master \"$state_transition_script master "; - $output .= "$intf $group $run_master_script @vips\" \n"; - $output .= "\tnotify_backup \"$state_transition_script backup "; - $output .= "$intf $group $run_backup_script @vips\" \n"; - $output 
.= "\tnotify_fault \"$state_transition_script fault "; - $output .= "$intf $group $run_fault_script @vips\" \n"; - $output .= "\}\n\n"; + $config->setLevel("$path vrrp vrrp-group $group authentication"); + my $auth_type = $config->returnValue("type"); + my $auth_pass; + if ( defined $auth_type ) { + $auth_type = "PASS" if $auth_type eq "simple"; + $auth_type = uc($auth_type); + $auth_pass = $config->returnValue("password"); + if ( !defined $auth_pass ) { + push @errs, "vrrp authentication password not set\n"; + next; + } } - return ($output, @errs); + $config->setLevel("$path vrrp vrrp-group $group run-transition-scripts"); + my $run_backup_script = $config->returnValue("backup"); + if ( !defined $run_backup_script ) { + $run_backup_script = "null"; + } + my $run_fault_script = $config->returnValue("fault"); + if ( !defined $run_fault_script ) { + $run_fault_script = "null"; + } + my $run_master_script = $config->returnValue("master"); + if ( !defined $run_master_script ) { + $run_master_script = "null"; + } + + # We now have the values and have validated them, so + # generate the config. 
+ + $output .= "vrrp_instance $vrrp_instance \{\n"; + my $init_state; + if ( defined $ctsync ) { + + # check if this group is part of conntrack-sync vrrp-sync-group + my $ctsync_syncgrp = get_ctsync_syncgrp(); + my $vrrpsyncgrp = + list_vrrp_sync_group( $intf, $group, 'returnOrigPlusComValue' ); + if ( defined $ctsync_syncgrp + && defined $vrrpsyncgrp + && ( $ctsync_syncgrp eq $vrrpsyncgrp ) ) + { + $init_state = 'BACKUP'; + } else { + $init_state = vrrp_get_init_state( $intf, $group, $vips[0], $preempt ); + } + } else { + $init_state = vrrp_get_init_state( $intf, $group, $vips[0], $preempt ); + } + $output .= "\tstate $init_state\n"; + $output .= "\tinterface $intf\n"; + $output .= "\tvirtual_router_id $group\n"; + $output .= "\tpriority $priority\n"; + if ( $preempt eq "false" ) { + $output .= "\tnopreempt\n"; + } + if ( defined $preempt_delay ) { + $output .= "\tpreempt_delay $preempt_delay\n"; + } + $output .= "\tadvert_int $advert_int\n"; + if ( defined $auth_type ) { + $output .= "\tauthentication {\n"; + $output .= "\t\tauth_type $auth_type\n"; + $output .= "\t\tauth_pass $auth_pass\n\t}\n"; + } + if ( defined $hello_source_addr ) { + $output .= "\tmcast_src_ip $hello_source_addr\n"; + } + $output .= "\tvirtual_ipaddress \{\n"; + foreach my $vip (@vips) { + $output .= "\t\t$vip\n"; + } + $output .= "\t\}\n"; + $output .= "\tnotify_master \"$state_transition_script master "; + $output .= "$intf $group $run_master_script @vips\" \n"; + $output .= "\tnotify_backup \"$state_transition_script backup "; + $output .= "$intf $group $run_backup_script @vips\" \n"; + $output .= "\tnotify_fault \"$state_transition_script fault "; + $output .= "$intf $group $run_fault_script @vips\" \n"; + $output .= "\}\n\n"; + } + + return ( $output, @errs ); } sub vrrp_get_sync_groups { - - my $output = ""; - - foreach my $sync_group ( keys %HoA_sync_groups) { - $output .= "vrrp_sync_group $sync_group \{\n\tgroup \{\n"; - foreach my $vrrp_instance ( 0 .. 
$#{ $HoA_sync_groups{$sync_group} } ) { - $output .= "\t\t$HoA_sync_groups{$sync_group}[$vrrp_instance]\n"; - } - $output .= "\t\}\n"; - - ## add conntrack-sync part here if configured ## - my $origfunc = undef; - $origfunc = 'true' if ! defined $ctsync; - my $failover_sync_grp = get_ctsync_syncgrp($origfunc); - if (defined $failover_sync_grp && $failover_sync_grp eq $sync_group) { - $output .= "\tnotify_master \"$ctsync_script master $sync_group\"\n"; - $output .= "\tnotify_backup \"$ctsync_script backup $sync_group\"\n"; - $output .= "\tnotify_fault \"$ctsync_script fault $sync_group\"\n"; - } - $output .= "\}\n"; + + my $output = ""; + + foreach my $sync_group ( keys %HoA_sync_groups ) { + $output .= "vrrp_sync_group $sync_group \{\n\tgroup \{\n"; + foreach my $vrrp_instance ( 0 .. $#{ $HoA_sync_groups{$sync_group} } ) { + $output .= "\t\t$HoA_sync_groups{$sync_group}[$vrrp_instance]\n"; + } + $output .= "\t\}\n"; + + ## add conntrack-sync part here if configured ## + my $origfunc = undef; + $origfunc = 'true' if !defined $ctsync; + my $failover_sync_grp = get_ctsync_syncgrp($origfunc); + if ( defined $failover_sync_grp && $failover_sync_grp eq $sync_group ) { + $output .= "\tnotify_master \"$ctsync_script master $sync_group\"\n"; + $output .= "\tnotify_backup \"$ctsync_script backup $sync_group\"\n"; + $output .= "\tnotify_fault \"$ctsync_script fault $sync_group\"\n"; } - return $output; + $output .= "\}\n"; + } + return $output; } sub vrrp_read_changes { - my @lines = (); - return @lines if ! 
-e $changes_file; - open(my $FILE, "<", $changes_file) or die "Error: read $!"; - @lines = <$FILE>; - close($FILE); - chomp @lines; - return @lines; + my @lines = (); + return @lines if !-e $changes_file; + open( my $FILE, "<", $changes_file ) or die "Error: read $!"; + @lines = <$FILE>; + close($FILE); + chomp @lines; + return @lines; } sub vrrp_save_changes { - my @list = @_; + my @list = @_; - my $num_changes = scalar(@list); - vrrp_log("saving changes file $num_changes"); - open(my $FILE, ">", $changes_file) or die "Error: write $!"; - print $FILE join("\n", @list), "\n"; - close($FILE); + my $num_changes = scalar(@list); + vrrp_log("saving changes file $num_changes"); + open( my $FILE, ">", $changes_file ) or die "Error: write $!"; + print $FILE join( "\n", @list ), "\n"; + close($FILE); } sub vrrp_find_changes { - my @list = (); - my $config = new Vyatta::Config; - my $vrrp_instances = 0; - - foreach my $name ( getInterfaces() ) { - my $intf = new Vyatta::Interface($name); - next unless $intf; - my $path = $intf->path(); - $config->setLevel($path); - if ($config->exists("vrrp")) { - my %vrrp_status_hash = $config->listNodeStatus("vrrp"); - my ($vrrp, $vrrp_status) = each(%vrrp_status_hash); - if ($vrrp_status ne "static") { - push @list, $name; - vrrp_log("$vrrp_status found $name"); - } - } - - # - # Now look for deleted from the origin tree - # - $config->setLevel($path); - if ($config->isDeleted("vrrp")) { - push @list, $name; - vrrp_log("Delete found $name"); - } - - + my @list = (); + my $config = new Vyatta::Config; + my $vrrp_instances = 0; + + foreach my $name ( getInterfaces() ) { + my $intf = new Vyatta::Interface($name); + next unless $intf; + my $path = $intf->path(); + $config->setLevel($path); + if ( $config->exists("vrrp") ) { + my %vrrp_status_hash = $config->listNodeStatus("vrrp"); + my ( $vrrp, $vrrp_status ) = each(%vrrp_status_hash); + if ( $vrrp_status ne "static" ) { + push @list, $name; + vrrp_log("$vrrp_status found $name"); + } } - my 
$num = scalar(@list); - vrrp_log("Start transation: $num changes"); - if ($num) { - vrrp_save_changes(@list); + # + # Now look for deleted from the origin tree + # + $config->setLevel($path); + if ( $config->isDeleted("vrrp") ) { + push @list, $name; + vrrp_log("Delete found $name"); } - return $num; + + } + + my $num = scalar(@list); + vrrp_log("Start transation: $num changes"); + if ($num) { + vrrp_save_changes(@list); + } + return $num; } sub remove_from_changes { - my $intf = shift; - - my @lines = vrrp_read_changes(); - if (scalar(@lines) < 1) { - # - # we shouldn't get to this point, but try to handle it if we do - # - vrrp_log("unexpected remove_from_changes()"); - system("rm -f $changes_file"); - return 0; - } - my @new_lines = (); - foreach my $line (@lines) { - if ($line =~ /$intf$/) { - vrrp_log("remove_from_changes [$line]"); - } else { - push @new_lines, $line; - } - } + my $intf = shift; + + my @lines = vrrp_read_changes(); + if ( scalar(@lines) < 1 ) { - my $num_changes = scalar(@new_lines); - if ($num_changes > 0) { - vrrp_save_changes(@new_lines); + # + # we shouldn't get to this point, but try to handle it if we do + # + vrrp_log("unexpected remove_from_changes()"); + system("rm -f $changes_file"); + return 0; + } + my @new_lines = (); + foreach my $line (@lines) { + if ( $line =~ /$intf$/ ) { + vrrp_log("remove_from_changes [$line]"); } else { - system("rm -f $changes_file"); + push @new_lines, $line; } - return $num_changes; + } + + my $num_changes = scalar(@new_lines); + if ( $num_changes > 0 ) { + vrrp_save_changes(@new_lines); + } else { + system("rm -f $changes_file"); + } + return $num_changes; } sub vrrp_update_config { - my @errs = (); - my $date = localtime(); - my $output = "#\n# autogenerated by $0 on $date\n#\n\n"; - - my $config = new Vyatta::Config; - my $vrrp_instances = 0; - - foreach my $name ( getInterfaces() ) { - my $intf = new Vyatta::Interface($name); - next unless $intf; - my $path = $intf->path(); - 
$config->setLevel($path); - if ($config->exists("vrrp")) { - # - # keepalived gets real grumpy with interfaces that - # don't exist, so skip vlans that haven't been - # instantiated yet (typically occurs at boot up). - # - if (!(-d "/sys/class/net/$name")) { - push @errs, "$name doesn't exist"; - next; - } - my ($inst_output, @inst_errs) = - keepalived_get_values($name, $path); - if (scalar(@inst_errs)) { - push @errs, @inst_errs; - } else { - $output .= $inst_output; - $vrrp_instances++; - } - } + my @errs = (); + my $date = localtime(); + my $output = "#\n# autogenerated by $0 on $date\n#\n\n"; + + my $config = new Vyatta::Config; + my $vrrp_instances = 0; + + foreach my $name ( getInterfaces() ) { + my $intf = new Vyatta::Interface($name); + next unless $intf; + my $path = $intf->path(); + $config->setLevel($path); + if ( $config->exists("vrrp") ) { + + # + # keepalived gets real grumpy with interfaces that + # don't exist, so skip vlans that haven't been + # instantiated yet (typically occurs at boot up). + # + if ( !( -d "/sys/class/net/$name" ) ) { + push @errs, "$name doesn't exist"; + next; + } + my ( $inst_output, @inst_errs ) = keepalived_get_values( $name, $path ); + if ( scalar(@inst_errs) ) { + push @errs, @inst_errs; + } else { + $output .= $inst_output; + $vrrp_instances++; + } + } + } + + if ( $vrrp_instances > 0 ) { + my $sync_groups = vrrp_get_sync_groups(); + if ( defined $sync_groups && $sync_groups ne "" ) { + $output = $sync_groups . $output; } - - if ($vrrp_instances > 0) { - my $sync_groups = vrrp_get_sync_groups(); - if (defined $sync_groups && $sync_groups ne "") { - $output = $sync_groups . 
$output; - } - keepalived_write_file($conf_file, $output); - } - return ($vrrp_instances, @errs); + keepalived_write_file( $conf_file, $output ); + } + return ( $vrrp_instances, @errs ); } sub keepalived_write_file { - my ($file, $data) = @_; + my ( $file, $data ) = @_; - open(my $fh, '>', $file) || die "Couldn't open $file - $!"; - print $fh $data; - close $fh; + open( my $fh, '>', $file ) || die "Couldn't open $file - $!"; + print $fh $data; + close $fh; } # # main # -GetOptions("vrrp-action=s" => \$action, - "intf=s" => \$vrrp_intf, - "group=s" => \$vrrp_group, - "vip=s" => \$vrrp_vip, - "ctsync=s" => \$ctsync,); - -if (! defined $action) { - print "no action\n"; - exit 1; +GetOptions( + "vrrp-action=s" => \$action, + "intf=s" => \$vrrp_intf, + "group=s" => \$vrrp_group, + "vip=s" => \$vrrp_vip, + "ctsync=s" => \$ctsync, +); + +if ( !defined $action ) { + print "no action\n"; + exit 1; } -if (! defined $ctsync) { +if ( !defined $ctsync ) { + # make sure sync-group used by ctsync has not been deleted my $failover_sync_grp = get_ctsync_syncgrp(); - if (defined $failover_sync_grp) { + if ( defined $failover_sync_grp ) { + # make sure vrrp-sync-group exists my $sync_grp_exists = 'false'; - my @vrrp_intfs = list_vrrp_intf('exists'); + my @vrrp_intfs = list_vrrp_intf('exists'); foreach my $vrrp_intf (@vrrp_intfs) { - my @vrrp_groups = list_vrrp_group($vrrp_intf, 'listNodes'); + my @vrrp_groups = list_vrrp_group( $vrrp_intf, 'listNodes' ); foreach my $vrrp_group (@vrrp_groups) { - my $sync_grp = list_vrrp_sync_group($vrrp_intf, $vrrp_group, 'returnValue'); - if (defined $sync_grp && $sync_grp eq "$failover_sync_grp") { + my $sync_grp = + list_vrrp_sync_group( $vrrp_intf, $vrrp_group, 'returnValue' ); + if ( defined $sync_grp && $sync_grp eq "$failover_sync_grp" ) { $sync_grp_exists = 'true'; last; } 
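Review bot: keepalived_write_file creates the config with `open( my $fh, '>', $file )` and no mode control, yet the data it receives from keepalived_get_values contains `auth_pass $auth_pass`, so the VRRP authentication password ends up in a file whose permissions depend only on the caller's umask. Wrap the open so the file is created owner-only and make the write failure visible: `my $old_umask = umask 077;` before the open, `umask $old_umask;` right after it, and `close $fh or die "Couldn't write $file - $!";` in place of the bare close. In the same hunk remove_from_changes matches with `if ( $line =~ /$intf$/ )`, which interpolates the interface name as a regex and also matches any line merely ending in it; since vrrp_save_changes writes one bare name per line, `if ( $line eq $intf )` looks like the intended test. Lastly the run-transition-scripts values are interpolated unescaped into the quoted `notify_*` lines, so a script path containing whitespace or a double quote would shift the arguments the state script receives; worth a `# NOTE: value must be a plain path, it is not quoted for keepalived` comment at minimum.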
@@ -436,88 +445,89 @@ if (! defined $ctsync) { last if $sync_grp_exists eq 'true'; } - if ($sync_grp_exists eq 'false') { - print "sync-group $failover_sync_grp used for conntrack-sync" . - " is either deleted or undefined\n"; + if ( $sync_grp_exists eq 'false' ) { + print "sync-group $failover_sync_grp used for conntrack-sync" + . " is either deleted or undefined\n"; exit 1; - } + } } } -if ($action eq "update") { - $changes_file = get_changes_file(); - $conf_file = get_conf_file(); - vrrp_log("vrrp update $vrrp_intf") if defined $vrrp_intf; - vrrp_log("vrrp update conntrack-sync") if defined $ctsync; - if ( ! -e $changes_file) { - my $num_changes = vrrp_find_changes(); - if ($num_changes == 0) { - # - # Shouldn't happen, but ... - # - vrrp_log("unexpected 0 changes"); - } - } - my ($vrrp_instances, @errs) = vrrp_update_config(); - my $more_changes = 0; - $more_changes = remove_from_changes($vrrp_intf) if ! defined $ctsync; - vrrp_log(" instances $vrrp_instances, $more_changes"); - if ($vrrp_instances > 0 and $more_changes == 0) { - restart_daemon($conf_file); - } - if ($vrrp_instances == 0) { - stop_daemon(); - system("rm -f $conf_file"); - } - if (scalar(@errs)) { - print join("\n", @errs); - vrrp_log(join("\n", @errs)); - exit 1 +if ( $action eq "update" ) { + $changes_file = get_changes_file(); + $conf_file = get_conf_file(); + vrrp_log("vrrp update $vrrp_intf") if defined $vrrp_intf; + vrrp_log("vrrp update conntrack-sync") if defined $ctsync; + if ( !-e $changes_file ) { + my $num_changes = vrrp_find_changes(); + if ( $num_changes == 0 ) { + + # + # Shouldn't happen, but ... 
+ # + vrrp_log("unexpected 0 changes"); } - exit 0; + } + my ( $vrrp_instances, @errs ) = vrrp_update_config(); + my $more_changes = 0; + $more_changes = remove_from_changes($vrrp_intf) if !defined $ctsync; + vrrp_log(" instances $vrrp_instances, $more_changes"); + if ( $vrrp_instances > 0 and $more_changes == 0 ) { + restart_daemon($conf_file); + } + if ( $vrrp_instances == 0 ) { + stop_daemon(); + system("rm -f $conf_file"); + } + if ( scalar(@errs) ) { + print join( "\n", @errs ); + vrrp_log( join( "\n", @errs ) ); + exit 1; + } + exit 0; } -if ($action eq "delete") { - if (! defined $vrrp_intf || ! defined $vrrp_group) { - print "must include interface & group"; - exit 1; - } - vrrp_log("vrrp delete $vrrp_intf $vrrp_group"); - my $state_file = get_state_file($vrrp_intf, $vrrp_group); - system("rm -f $state_file"); - exit 0; +if ( $action eq "delete" ) { + if ( !defined $vrrp_intf || !defined $vrrp_group ) { + print "must include interface & group"; + exit 1; + } + vrrp_log("vrrp delete $vrrp_intf $vrrp_group"); + my $state_file = get_state_file( $vrrp_intf, $vrrp_group ); + system("rm -f $state_file"); + exit 0; } -if ($action eq "check-vip") { - if (! defined $vrrp_vip) { - print "must include the virtual-address to check"; - exit 1; - } - my $rc = 1; - if ($vrrp_vip =~ /\//) { - $rc = Vyatta::TypeChecker::validateType('ipv4net', $vrrp_vip, 1); - } else { - $rc = Vyatta::TypeChecker::validateType('ipv4', $vrrp_vip, 1); - } - exit 1 if ! 
$rc; - exit 0; +if ( $action eq "check-vip" ) { + if ( !defined $vrrp_vip ) { + print "must include the virtual-address to check"; + exit 1; + } + my $rc = 1; + if ( $vrrp_vip =~ /\// ) { + $rc = Vyatta::TypeChecker::validateType( 'ipv4net', $vrrp_vip, 1 ); + } else { + $rc = Vyatta::TypeChecker::validateType( 'ipv4', $vrrp_vip, 1 ); + } + exit 1 if !$rc; + exit 0; } -if ($action eq "list-vrrp-intf") { - my @intfs = list_vrrp_intf(); - print join(' ', @intfs); - exit 0; +if ( $action eq "list-vrrp-intf" ) { + my @intfs = list_vrrp_intf(); + print join( ' ', @intfs ); + exit 0; } -if ($action eq "list-vrrp-group") { - if (! defined $vrrp_intf) { - print "must include interface\n"; - exit 1; - } - my @groups = list_vrrp_group($vrrp_intf); - print join(' ', @groups); - exit 0; +if ( $action eq "list-vrrp-group" ) { + if ( !defined $vrrp_intf ) { + print "must include interface\n"; + exit 1; + } + my @groups = list_vrrp_group($vrrp_intf); + print join( ' ', @groups ); + exit 0; } exit 0; -- cgit v1.2.3 From 094222202c56bff9ddabf591a9429fea19e3d185 Mon Sep 17 00:00:00 2001 From: Mohit Mehta Date: Wed, 9 Jun 2010 15:01:48 -0700 Subject: 0.17.53 --- debian/changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/changelog b/debian/changelog index 40e9dd42..ed6d4d3a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +vyatta-cfg-system (0.17.53) unstable; urgency=low + + * * make vrrp work with conntrack-sync + * * perltidy vyatta-keepalived.pl + + -- Mohit Mehta Wed, 09 Jun 2010 15:01:47 -0700 + vyatta-cfg-system (0.17.52) unstable; urgency=low * Add skip option to vyatta-interfaces -- cgit v1.2.3 From e24523cda77d3277844bfe638c086bcf85348f7d Mon Sep 17 00:00:00 2001 
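Review bot: The `delete` action feeds `$vrrp_intf` and `$vrrp_group`, taken straight from `--intf`/`--group` with no validation, into get_state_file and then into `system("rm -f $state_file")`, so the resulting path goes through a shell unquoted; the update branch does the same with `system("rm -f $conf_file")`. Perl's own `unlink $state_file;` (and `unlink $conf_file;`) does the job without a shell, and the option values should be checked before use, e.g. `die "invalid interface name\n" unless $vrrp_intf =~ /^[\w.-]+\z/;` and the equivalent numeric check for the group, since the script reports errors by exit code and a rejected value costs nothing here.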
From: Stephen Hemminger Date: Tue, 15 Jun 2010 10:08:16 -0700 Subject: Remove sudo from ip command No longer need sudo on ip because of cap_net_admin --- scripts/vyatta-interfaces.pl | 8 ++++---- templates/interfaces/bonding/node.def | 2 +- templates/interfaces/bonding/node.tag/disable/node.def | 4 ++-- templates/interfaces/bonding/node.tag/mtu/node.def | 4 ++-- templates/interfaces/bonding/node.tag/vif/node.def | 6 +++--- .../interfaces/bonding/node.tag/vif/node.tag/disable/node.def | 4 ++-- templates/interfaces/bridge/node.def | 4 ++-- templates/interfaces/bridge/node.tag/disable/node.def | 4 ++-- templates/interfaces/ethernet/node.def | 4 ++-- templates/interfaces/ethernet/node.tag/disable/node.def | 4 ++-- templates/interfaces/ethernet/node.tag/mtu/node.def | 4 ++-- templates/interfaces/ethernet/node.tag/vif/node.def | 6 +++--- .../interfaces/ethernet/node.tag/vif/node.tag/disable/node.def | 4 ++-- templates/interfaces/input/node.def | 4 ++-- templates/interfaces/loopback/node.def | 2 +- templates/interfaces/pseudo-ethernet/node.def | 6 +++--- templates/interfaces/pseudo-ethernet/node.tag/disable/node.def | 4 ++-- templates/interfaces/tunnel/node.def | 6 +++--- templates/interfaces/tunnel/node.tag/disable/node.def | 4 ++-- templates/interfaces/tunnel/node.tag/key/node.def | 2 +- templates/interfaces/tunnel/node.tag/mtu/node.def | 4 ++-- templates/interfaces/tunnel/node.tag/tos/node.def | 4 ++-- templates/interfaces/tunnel/node.tag/ttl/node.def | 4 ++-- 23 files changed, 49 insertions(+), 49 deletions(-) diff --git a/scripts/vyatta-interfaces.pl b/scripts/vyatta-interfaces.pl index d5abaa36..a303c82c 100755 --- a/scripts/vyatta-interfaces.pl +++ b/scripts/vyatta-interfaces.pl 
@@ -314,14 +314,14 @@ sub update_mac { if (POSIX::strtoul($flags) & 1) { # NB: Perl 5 system return value is bass-ackwards - system "sudo ip link set $intf down" + system "ip link set $intf down" and die "Could not set $intf down ($!)\n"; - system "sudo ip link set $intf address $mac" + system "ip link set $intf address $mac" and die "Could not set $intf address ($!)\n"; - system "sudo ip link set $intf up" + system "ip link set $intf up" and die "Could not set $intf up ($!)\n"; } else { - system "sudo ip link set $intf address $mac" + system "ip link set $intf address $mac" and die "Could not set $intf address ($!)\n"; } exit 0; diff --git a/templates/interfaces/bonding/node.def b/templates/interfaces/bonding/node.def index 9e27ebad..4a944970 100644 --- a/templates/interfaces/bonding/node.def +++ b/templates/interfaces/bonding/node.def @@ -9,7 +9,7 @@ begin: if [ ! -f /sys/class/net/bonding_masters ]; then sudo modprobe bonding max_bonds=0 miimon=250 fi create: sudo sh -c "echo +$VAR(@) > /sys/class/net/bonding_masters" || exit 1 - sudo ip link set "$VAR(@)" up + ip link set "$VAR(@)" up /opt/vyatta/sbin/vyatta-link-detect $VAR(@) on delete: SLAVES=`cat /sys/class/net/$VAR(@)/bonding/slaves`; if [ -z "$SLAVES" ] diff --git a/templates/interfaces/bonding/node.tag/disable/node.def b/templates/interfaces/bonding/node.tag/disable/node.def index ad033365..96325d72 100644 --- a/templates/interfaces/bonding/node.tag/disable/node.def +++ b/templates/interfaces/bonding/node.tag/disable/node.def @@ -1,11 +1,11 @@ help: Set interface disabled create: /etc/netplug/linkdown.d/dhclient $VAR(../@) - if ! sudo ip link set $VAR(../@) down 2>/dev/null; then + if ! ip link set $VAR(../@) down 2>/dev/null; then echo "Error disabling dev $VAR(../@)" /etc/netplug/linkup.d/dhclient $VAR(../@) exit 1 fi -delete: if ! sudo ip link set $VAR(../@) up; then +delete: if ! ip link set $VAR(../@) up; then echo "Error enabling dev $VAR(../@)" exit 1 fi 
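Review bot: update_mac keeps the string form `system "ip link set $intf down"` (and the address/up variants), so `$intf` and `$mac` still pass through a shell now that sudo and whatever argument policy sudoers applied are gone; the list form `system 'ip', 'link', 'set', $intf, 'down' and die "Could not set $intf down ($!)\n";` removes the shell from the path with no other change. The commit message explains the removal by cap_net_admin on `ip`, which nothing in this sub can see, so a comment at the top of the branch such as `# relies on the cap_net_admin file capability on /sbin/ip (no sudo)` would tell the next reader why every one of these calls dies if that capability is missing, for instance after the binary is replaced by a package upgrade. A file capability also applies to every local user able to execute /sbin/ip rather than to the sudoers-listed ones, which is worth confirming as the intended exposure. update_mac begins before this hunk.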
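Review bot: In the bonding create: action the master is registered with `|| exit 1`, but the following `ip link set "$VAR(@)" up` has no failure check, so if the now-unprivileged `ip` call fails (for example when the file capability it depends on is absent) the commit still proceeds to vyatta-link-detect with the bond down and reports success. Give it the same guard as the line above: `ip link set "$VAR(@)" up || exit 1`.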
diff --git a/templates/interfaces/bonding/node.tag/mtu/node.def b/templates/interfaces/bonding/node.tag/mtu/node.def index 07c102ac..8be06dc3 100644 --- a/templates/interfaces/bonding/node.tag/mtu/node.def +++ b/templates/interfaces/bonding/node.tag/mtu/node.def @@ -1,5 +1,5 @@ type: u32 help: Set the Maximum Transmission Unit (MTU) for this interface syntax:expression: $VAR(@) >= 68 && $VAR(@) <= 9000; "MTU must be between 68 and 9000" -update:expression: "sudo ip link set $VAR(../@) mtu $VAR(@)"; "Error setting MTU on dev $VAR(../@)" -delete:expression: "sudo ip link set $VAR(../@) mtu 1500"; "Error deleting MTU on dev $VAR(../@)" +update:expression: "ip link set $VAR(../@) mtu $VAR(@)"; "Error setting MTU on dev $VAR(../@)" +delete:expression: "ip link set $VAR(../@) mtu 1500"; "Error deleting MTU on dev $VAR(../@)" diff --git a/templates/interfaces/bonding/node.tag/vif/node.def b/templates/interfaces/bonding/node.tag/vif/node.def index 2e718f41..62e7ab95 100644 --- a/templates/interfaces/bonding/node.tag/vif/node.def +++ b/templates/interfaces/bonding/node.tag/vif/node.def @@ -8,9 +8,9 @@ create: read -a SLAVES Set VLAN ID diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/disable/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/disable/node.def index 78b24870..b2119c9c 100644 --- a/templates/interfaces/bonding/node.tag/vif/node.tag/disable/node.def +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/disable/node.def 
@@ -1,11 +1,11 @@ help: Set interface disabled update: /etc/netplug/linkdown.d/dhclient $VAR(../../@).$VAR(../@) - if ! sudo ip link set $VAR(../../@).$VAR(../@) down 2>/dev/null; then + if ! ip link set $VAR(../../@).$VAR(../@) down 2>/dev/null; then echo "Error disabling dev $VAR(../../@).$VAR(../@)" /etc/netplug/linkup.d/dhclient $VAR(../../@).$VAR(../@) exit 1 fi -delete: if ! sudo ip link set $VAR(../../@).$VAR(../@) up; then +delete: if ! ip link set $VAR(../../@).$VAR(../@) up; then echo "Error enabling dev $VAR(../../@).$VAR(../@)" exit 1 fi diff --git a/templates/interfaces/bridge/node.def b/templates/interfaces/bridge/node.def index 343cf984..786bc825 100644 --- a/templates/interfaces/bridge/node.def +++ b/templates/interfaces/bridge/node.def @@ -7,13 +7,13 @@ comp_help: "Enter bridge interface name (br0 - br999)" syntax:expression: pattern $VAR(@) "^br[0-9]+$" ; "Must be (br0 - br999)" create: sudo brctl addbr $VAR(@) - sudo ip link set $VAR(@) up + ip link set $VAR(@) up delete: if ! /opt/vyatta/sbin/vyatta-bridgegroup-depedency.pl \ --no-interfaces-assigned \ --bridge-interface="$VAR(@)"; then \ exit 1 fi - sudo ip link set $VAR(@) down; + ip link set $VAR(@) down; sudo brctl delbr $VAR(@); diff --git a/templates/interfaces/bridge/node.tag/disable/node.def b/templates/interfaces/bridge/node.tag/disable/node.def index 3f37a6d6..2e20be3b 100644 --- a/templates/interfaces/bridge/node.tag/disable/node.def +++ b/templates/interfaces/bridge/node.tag/disable/node.def @@ -1,11 +1,11 @@ help: Disable the bridge interface update: /etc/netplug/linkdown.d/dhclient $VAR(../@) - if ! sudo ip link set $VAR(../@) down 2>/dev/null; then + if ! ip link set $VAR(../@) down 2>/dev/null; then echo "Error disabling dev $VAR(../@)" /etc/netplug/linkup.d/dhclient $VAR(../@) exit 1 fi -delete: if ! sudo ip link set $VAR(../@) up; then +delete: if ! ip link set $VAR(../@) up; then echo "Error enabling dev $VAR(../@)" exit 1 fi 
diff --git a/templates/interfaces/ethernet/node.def b/templates/interfaces/ethernet/node.def index 0b67836b..05b2e03c 100644 --- a/templates/interfaces/ethernet/node.def +++ b/templates/interfaces/ethernet/node.def @@ -12,7 +12,7 @@ syntax:expression: exec \ echo \"interface ethernet $VAR(@): does not exist\"; exit 1; \ fi" -create: sudo ip link set "$VAR(@)" up +create: ip link set "$VAR(@)" up /opt/vyatta/sbin/vyatta-link-detect $VAR(@) on delete: [ -d /sys/class/net/$VAR(../@) ] || exit 0 - sudo ip link set $VAR(@) down + ip link set $VAR(@) down diff --git a/templates/interfaces/ethernet/node.tag/disable/node.def b/templates/interfaces/ethernet/node.tag/disable/node.def index fbfb155a..5fe2b748 100644 --- a/templates/interfaces/ethernet/node.tag/disable/node.def +++ b/templates/interfaces/ethernet/node.tag/disable/node.def @@ -1,12 +1,12 @@ help: Set interface disabled create: /etc/netplug/linkdown.d/dhclient $VAR(../@) - if ! sudo ip link set $VAR(../@) down 2>/dev/null; then + if ! ip link set $VAR(../@) down 2>/dev/null; then echo "Error disabling dev $VAR(../@)" /etc/netplug/linkup.d/dhclient $VAR(../@) exit 1 fi delete: [ -d /sys/class/net/$VAR(../@) ] || exit 0 - if ! sudo ip link set $VAR(../@) up; then + if ! ip link set $VAR(../@) up; then echo "Error enabling dev $VAR(../@)" exit 1 fi diff --git a/templates/interfaces/ethernet/node.tag/mtu/node.def b/templates/interfaces/ethernet/node.tag/mtu/node.def index dc03ae16..f33158f8 100644 --- a/templates/interfaces/ethernet/node.tag/mtu/node.def +++ b/templates/interfaces/ethernet/node.tag/mtu/node.def 
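Review bot: In the ethernet tag node's delete: action the guard is `[ -d /sys/class/net/$VAR(../@) ] || exit 0` while the command it protects uses `$VAR(@)`; at this level `$VAR(../@)` presumably resolves to the parent `interfaces` node rather than the ethernet name (elsewhere in this series `../@` is used only from child nodes such as disable/ and mtu/), so the existence test appears to check the wrong path and the `ip link set $VAR(@) down` that follows is never skipped for a missing device. If that reading is right the fix is `delete: [ -d /sys/class/net/$VAR(@) ] || exit 0`.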
@@ -1,8 +1,8 @@ type: u32 help: Set the Maximum Transmission Unit (MTU) for this interface syntax:expression: $VAR(@) >= 68 && $VAR(@) <= 9000; "MTU must be between 68 and 9000" -update: if ! sudo ip link set $VAR(../@) mtu $VAR(@) +update: if ! ip link set $VAR(../@) mtu $VAR(@) then echo "Error setting MTU on dev $VAR(../@)"; exit 1 fi delete: [ -d /sys/class/net/$VAR(../@) ] || exit 0 - sudo ip link set $VAR(../@) mtu 1500 + ip link set $VAR(../@) mtu 1500 diff --git a/templates/interfaces/ethernet/node.tag/vif/node.def b/templates/interfaces/ethernet/node.tag/vif/node.def index b6b8abc7..c14ed002 100644 --- a/templates/interfaces/ethernet/node.tag/vif/node.def +++ b/templates/interfaces/ethernet/node.tag/vif/node.def @@ -5,17 +5,17 @@ help: Set Virtual Local Area Network (VLAN) ID syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 4094; "VLAN ID must be between 0 and 4094" -create: if ! sudo ip link add link $VAR(../@) name "$VAR(../@).$VAR(@)" type vlan id $VAR(@) +create: if ! ip link add link $VAR(../@) name "$VAR(../@).$VAR(@)" type vlan id $VAR(@) then echo "Error creating VLAN device $VAR(../@).$VAR(@)" exit 1 fi # if parent is up, then bring VLAN up if [ $(( $(cat /sys/class/net/$VAR(../@)/flags) & 1 )) -eq 1 ]; then - sudo ip link set "$VAR(../@).$VAR(@)" up + ip link set "$VAR(../@).$VAR(@)" up fi /opt/vyatta/sbin/vyatta-link-detect "$VAR(../@).$VAR(@)" on delete: [ -d /sys/class/net/$VAR(../@) ] || exit 0 - sudo ip link delete dev "$VAR(../@).$VAR(@)" type vlan id $VAR(@) + ip link delete dev "$VAR(../@).$VAR(@)" type vlan id $VAR(@) comp_help: possible completions: <0-4094> Set VLAN ID diff --git a/templates/interfaces/ethernet/node.tag/vif/node.tag/disable/node.def b/templates/interfaces/ethernet/node.tag/vif/node.tag/disable/node.def index 78b24870..b2119c9c 100644 --- a/templates/interfaces/ethernet/node.tag/vif/node.tag/disable/node.def +++ b/templates/interfaces/ethernet/node.tag/vif/node.tag/disable/node.def 
@@ -1,11 +1,11 @@ help: Set interface disabled update: /etc/netplug/linkdown.d/dhclient $VAR(../../@).$VAR(../@) - if ! sudo ip link set $VAR(../../@).$VAR(../@) down 2>/dev/null; then + if ! ip link set $VAR(../../@).$VAR(../@) down 2>/dev/null; then echo "Error disabling dev $VAR(../../@).$VAR(../@)" /etc/netplug/linkup.d/dhclient $VAR(../../@).$VAR(../@) exit 1 fi -delete: if ! sudo ip link set $VAR(../../@).$VAR(../@) up; then +delete: if ! ip link set $VAR(../../@).$VAR(../@) up; then echo "Error enabling dev $VAR(../../@).$VAR(../@)" exit 1 fi diff --git a/templates/interfaces/input/node.def b/templates/interfaces/input/node.def index b90cb0b3..1873190c 100644 --- a/templates/interfaces/input/node.def +++ b/templates/interfaces/input/node.def @@ -7,5 +7,5 @@ comp_help: Enter input functional block interface name (ifb0 - ifb999) syntax:expression: pattern $VAR(@) "^ifb[0-9]+$" ; "name must be (ifb0-ifb999)" begin: [ -d /sys/module/ifb ] || sudo modprobe ifb numifbs=0 -create: sudo ip link add $VAR(@) type ifb && sudo ip link set $VAR(@) up -delete: sudo ip link delete dev $VAR(@) +create: ip link add $VAR(@) type ifb && ip link set $VAR(@) up +delete: ip link delete dev $VAR(@) diff --git a/templates/interfaces/loopback/node.def b/templates/interfaces/loopback/node.def index ae166e7b..b78cf10b 100644 --- a/templates/interfaces/loopback/node.def +++ b/templates/interfaces/loopback/node.def @@ -6,4 +6,4 @@ comp_help: Enter looback interface name (lo) syntax:expression: exec \ "/opt/vyatta/sbin/vyatta-interfaces.pl --dev=$VAR(@) --check=loopback" allowed: /opt/vyatta/sbin/vyatta-interfaces.pl --show=loopback -create: sudo ip link set $VAR(@) up +create: ip link set $VAR(@) up diff --git a/templates/interfaces/pseudo-ethernet/node.def b/templates/interfaces/pseudo-ethernet/node.def index 14ee0a34..bf88b047 100644 --- a/templates/interfaces/pseudo-ethernet/node.def +++ b/templates/interfaces/pseudo-ethernet/node.def 
@@ -7,7 +7,7 @@ syntax:expression: pattern $VAR(@) "^peth[0-9]+$" \ ; "name must be (peth0-peth999)" commit:expression: $VAR(link) != "" ; "link device must be set for virtual ethernet $VAR(@)" -create: sudo ip link add $VAR(@) link $VAR(link/@) type macvlan || exit 1 - sudo ip link set $VAR(@) up +create: ip link add $VAR(@) link $VAR(link/@) type macvlan || exit 1 + ip link set $VAR(@) up /opt/vyatta/sbin/vyatta-link-detect $VAR(@) on -delete: sudo ip link delete dev $VAR(@) type macvlan +delete: ip link delete dev $VAR(@) type macvlan diff --git a/templates/interfaces/pseudo-ethernet/node.tag/disable/node.def b/templates/interfaces/pseudo-ethernet/node.tag/disable/node.def index 3d3ffef9..9dafeacf 100644 --- a/templates/interfaces/pseudo-ethernet/node.tag/disable/node.def +++ b/templates/interfaces/pseudo-ethernet/node.tag/disable/node.def @@ -5,12 +5,12 @@ create: vif=`/opt/vyatta/sbin/vyatta-interfaces.pl --vif=$VAR(../@) --show=all` exit 1 fi /etc/netplug/linkdown.d/dhclient $VAR(../@) - if ! sudo ip link set $VAR(../@) down 2>/dev/null; then + if ! ip link set $VAR(../@) down 2>/dev/null; then echo "Error disabling dev $VAR(../@)" /etc/netplug/linkup.d/dhclient $VAR(../@) exit 1 fi -delete: if ! sudo ip link set $VAR(../@) up; then +delete: if ! ip link set $VAR(../@) up; then echo "Error enabling dev $VAR(../@)" exit 1 fi diff --git a/templates/interfaces/tunnel/node.def b/templates/interfaces/tunnel/node.def index c4446163..34ef1ad6 100644 --- a/templates/interfaces/tunnel/node.def +++ b/templates/interfaces/tunnel/node.def 
@@ -21,11 +21,11 @@ create:expression: "\ if [ x$VAR(./multicast/@) == xenable ]; then \ MC=\"multicast on allmulticast on\"; \ fi; \ - sudo ip tunnel add $VAR(@) \ + ip tunnel add $VAR(@) \ local $VAR(./local-ip/@) remote $VAR(./remote-ip/@) \ mode $VAR(./encapsulation/@) $KEY; \ - sudo ip link set $VAR(@) $MC up;" ; \ + ip link set $VAR(@) $MC up;" ; \ "Error creating $VAR(@)" -delete:expression: "sudo ip tunnel del $VAR(@)" ; "Error deleting $VAR(@)" +delete:expression: "ip tunnel del $VAR(@)" ; "Error deleting $VAR(@)" diff --git a/templates/interfaces/tunnel/node.tag/disable/node.def b/templates/interfaces/tunnel/node.tag/disable/node.def index cd3c019a..23fb46e7 100644 --- a/templates/interfaces/tunnel/node.tag/disable/node.def +++ b/templates/interfaces/tunnel/node.tag/disable/node.def @@ -1,6 +1,6 @@ help: Disable interface -update:expression: "sudo ip link set $VAR(../@) down"; \ +update:expression: "ip link set $VAR(../@) down"; \ "Error disabling dev $VAR(../@)" -delete:expression: "sudo ip link set $VAR(../@) up"; \ +delete:expression: "ip link set $VAR(../@) up"; \ "Error enabling dev $VAR(../@)" diff --git a/templates/interfaces/tunnel/node.tag/key/node.def b/templates/interfaces/tunnel/node.tag/key/node.def index 1ece7642..c137107c 100644 --- a/templates/interfaces/tunnel/node.tag/key/node.def +++ b/templates/interfaces/tunnel/node.tag/key/node.def @@ -3,7 +3,7 @@ help: Set the tunnel key syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 999999; \ "Must be between 0-999999 for $VAR(../@)" syntax:expression: exec " \ - if [ -n \"`sudo ip tunnel show $VAR(../@) | grep $VAR(../@) `\" ]; then \ + if [ -n \"`ip tunnel show $VAR(../@) | grep $VAR(../@) `\" ]; then \ echo Key can only be set at tunnel creation for $VAR(../@); \ exit 1 ; \ fi ; " diff --git a/templates/interfaces/tunnel/node.tag/mtu/node.def b/templates/interfaces/tunnel/node.tag/mtu/node.def index f1fdf39b..8076cacd 100644 --- a/templates/interfaces/tunnel/node.tag/mtu/node.def 
+++ b/templates/interfaces/tunnel/node.tag/mtu/node.def @@ -1,7 +1,7 @@ type: u32 help: Set the tunnel Maximum Transmission Unit (MTU) syntax:expression: $VAR(@) >= 64 && $VAR(@) <= 8024; "Must be between 64-8024" -update:expression: "sudo ip link set $VAR(../@) mtu $VAR(@)" -delete:expression: "sudo ip link set $VAR(../@) mtu 1476" +update:expression: "ip link set $VAR(../@) mtu $VAR(@)" +delete:expression: "ip link set $VAR(../@) mtu 1476" comp_help: possible completions: <64-8024> Set MTU diff --git a/templates/interfaces/tunnel/node.tag/tos/node.def b/templates/interfaces/tunnel/node.tag/tos/node.def index 1f739966..9492d7aa 100644 --- a/templates/interfaces/tunnel/node.tag/tos/node.def +++ b/templates/interfaces/tunnel/node.tag/tos/node.def @@ -1,7 +1,7 @@ type: u32 help: Set the tunnel Type of Service (TOS) syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 99; "Must be between 0-99" -update:expression: "sudo ip tunnel change $VAR(../@) tos $VAR(@)" -delete:expression: "sudo ip tunnel change $VAR(../@) tos inherit" +update:expression: "ip tunnel change $VAR(../@) tos $VAR(@)" +delete:expression: "ip tunnel change $VAR(../@) tos inherit" comp_help: possible completions <0-99> Set type of service diff --git a/templates/interfaces/tunnel/node.tag/ttl/node.def b/templates/interfaces/tunnel/node.tag/ttl/node.def index 298c4d61..29bc4ced 100644 --- a/templates/interfaces/tunnel/node.tag/ttl/node.def +++ b/templates/interfaces/tunnel/node.tag/ttl/node.def @@ -2,7 +2,7 @@ type: u32 help: Set the tunnel time to live field default: 255 syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 255; "Must be between 0-255" -update:expression: "sudo ip tunnel change $VAR(../@) ttl $VAR(@)" -delete:expression: "sudo ip tunnel change $VAR(../@) ttl inherit" +update:expression: "ip tunnel change $VAR(../@) ttl $VAR(@)" +delete:expression: "ip tunnel change $VAR(../@) ttl inherit" comp_help: possible completions: <0-255> Set time to live (default 255) -- cgit v1.2.3 
From 85b19a9b420d0ee0682b4376c9a0428d52866473 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Tue, 15 Jun 2010 10:14:03 -0700 Subject: Remove unnecessary :expression: syntax Several templates can use simplified non-expression syntax --- templates/interfaces/bonding/node.tag/mtu/node.def | 4 ++-- templates/interfaces/bridge/node.tag/aging/node.def | 4 ++-- templates/interfaces/bridge/node.tag/hello-time/node.def | 4 ++-- templates/interfaces/bridge/node.tag/max-age/node.def | 4 ++-- templates/interfaces/bridge/node.tag/priority/node.def | 4 ++-- templates/interfaces/tunnel/node.tag/disable/node.def | 6 ++---- templates/interfaces/tunnel/node.tag/mtu/node.def | 4 ++-- templates/interfaces/tunnel/node.tag/tos/node.def | 4 ++-- templates/interfaces/tunnel/node.tag/ttl/node.def | 4 ++-- templates/system/domain-name/node.def | 4 ++-- 10 files changed, 20 insertions(+), 22 deletions(-) diff --git a/templates/interfaces/bonding/node.tag/mtu/node.def b/templates/interfaces/bonding/node.tag/mtu/node.def index 8be06dc3..cd244402 100644 --- a/templates/interfaces/bonding/node.tag/mtu/node.def +++ b/templates/interfaces/bonding/node.tag/mtu/node.def @@ -1,5 +1,5 @@ type: u32 help: Set the Maximum Transmission Unit (MTU) for this interface syntax:expression: $VAR(@) >= 68 && $VAR(@) <= 9000; "MTU must be between 68 and 9000" -update:expression: "ip link set $VAR(../@) mtu $VAR(@)"; "Error setting MTU on dev $VAR(../@)" -delete:expression: "ip link set $VAR(../@) mtu 1500"; "Error deleting MTU on dev $VAR(../@)" +update: ip link set $VAR(../@) mtu $VAR(@) +delete: ip link set $VAR(../@) mtu 1500 diff --git a/templates/interfaces/bridge/node.tag/aging/node.def b/templates/interfaces/bridge/node.tag/aging/node.def index 533a8ed5..b78f53bf 100644 --- a/templates/interfaces/bridge/node.tag/aging/node.def +++ b/templates/interfaces/bridge/node.tag/aging/node.def 
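Review bot: Dropping the `:expression:` form in the bonding mtu template also drops the explicit failure messages `"Error setting MTU on dev $VAR(../@)"` and `"Error deleting MTU on dev $VAR(../@)"`, so on failure the operator now sees only whatever `ip` prints; the tunnel disable hunk in this commit loses its "Error disabling/enabling dev" messages the same way. Whether the plain `update:` form turns a non-zero exit into a commit failure is not visible here; if it does not, keep the message and the failure, e.g. `update: ip link set $VAR(../@) mtu $VAR(@) || { echo "Error setting MTU on dev $VAR(../@)"; exit 1; }`.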
@@ -1,7 +1,7 @@ type: u32 help: Set the number of seconds a MAC address will be kept in the forwarding database default: 300 -update:expression: "sudo brctl setageing $VAR(../@) $VAR(@)" -delete:expression: "sudo brctl setageing $VAR(../@) 300" +update: sudo brctl setageing $VAR(../@) $VAR(@) +delete: sudo brctl setageing $VAR(../@) 300 comp_help: possible completions: Set the number of seconds for ageing (default 300) diff --git a/templates/interfaces/bridge/node.tag/hello-time/node.def b/templates/interfaces/bridge/node.tag/hello-time/node.def index 19324a65..a2472720 100644 --- a/templates/interfaces/bridge/node.tag/hello-time/node.def +++ b/templates/interfaces/bridge/node.tag/hello-time/node.def @@ -1,8 +1,8 @@ type: u32 help: Set the hello packet advertisment interval default: 2 -update:expression: "sudo brctl sethello $VAR(../@) $VAR(@)" -delete:expression: "sudo brctl sethello $VAR(../@) 2" +update: sudo brctl sethello $VAR(../@) $VAR(@) +delete: sudo brctl sethello $VAR(../@) 2 comp_help: possible completions: Set the hello packet advertisment interval (default 2) diff --git a/templates/interfaces/bridge/node.tag/max-age/node.def b/templates/interfaces/bridge/node.tag/max-age/node.def index ddfdf129..e69b273c 100644 --- a/templates/interfaces/bridge/node.tag/max-age/node.def +++ b/templates/interfaces/bridge/node.tag/max-age/node.def @@ -1,8 +1,8 @@ type: u32 help: Set the interval at which neighbor bridges are removed default: 20 -update:expression: "sudo brctl setmaxage $VAR(../@) $VAR(@)" -delete:expression: "sudo brctl setmaxage $VAR(../@) 20" +update: sudo brctl setmaxage $VAR(../@) $VAR(@) +delete: sudo brctl setmaxage $VAR(../@) 20 comp_help: possible completions: Set the max age (default 20) diff --git a/templates/interfaces/bridge/node.tag/priority/node.def b/templates/interfaces/bridge/node.tag/priority/node.def index 1084dbf3..d731f49a 100644 --- a/templates/interfaces/bridge/node.tag/priority/node.def 
+++ b/templates/interfaces/bridge/node.tag/priority/node.def @@ -1,7 +1,7 @@ type: u32 help: Set the priority for this bridge default: 0 -update:expression: "sudo brctl setbridgeprio $VAR(../@) $VAR(@)" -delete:expression: "sudo brctl setbridgeprio $VAR(../@) 0" +update: sudo brctl setbridgeprio $VAR(../@) $VAR(@) +delete: sudo brctl setbridgeprio $VAR(../@) 0 comp_help: possible completions: Set bridge priority (default 0) diff --git a/templates/interfaces/tunnel/node.tag/disable/node.def b/templates/interfaces/tunnel/node.tag/disable/node.def index 23fb46e7..26199646 100644 --- a/templates/interfaces/tunnel/node.tag/disable/node.def +++ b/templates/interfaces/tunnel/node.tag/disable/node.def @@ -1,6 +1,4 @@ help: Disable interface -update:expression: "ip link set $VAR(../@) down"; \ - "Error disabling dev $VAR(../@)" +update: ip link set $VAR(../@) down -delete:expression: "ip link set $VAR(../@) up"; \ - "Error enabling dev $VAR(../@)" +delete: ip link set $VAR(../@) up diff --git a/templates/interfaces/tunnel/node.tag/mtu/node.def b/templates/interfaces/tunnel/node.tag/mtu/node.def index 8076cacd..400533f9 100644 --- a/templates/interfaces/tunnel/node.tag/mtu/node.def +++ b/templates/interfaces/tunnel/node.tag/mtu/node.def @@ -1,7 +1,7 @@ type: u32 help: Set the tunnel Maximum Transmission Unit (MTU) syntax:expression: $VAR(@) >= 64 && $VAR(@) <= 8024; "Must be between 64-8024" -update:expression: "ip link set $VAR(../@) mtu $VAR(@)" -delete:expression: "ip link set $VAR(../@) mtu 1476" +update: ip link set $VAR(../@) mtu $VAR(@) +delete: ip link set $VAR(../@) mtu 1476 comp_help: possible completions: <64-8024> Set MTU diff --git a/templates/interfaces/tunnel/node.tag/tos/node.def b/templates/interfaces/tunnel/node.tag/tos/node.def index 9492d7aa..58a4cee0 100644 --- a/templates/interfaces/tunnel/node.tag/tos/node.def +++ b/templates/interfaces/tunnel/node.tag/tos/node.def 
@@ -1,7 +1,7 @@ type: u32 help: Set the tunnel Type of Service (TOS) syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 99; "Must be between 0-99" -update:expression: "ip tunnel change $VAR(../@) tos $VAR(@)" -delete:expression: "ip tunnel change $VAR(../@) tos inherit" +update: ip tunnel change $VAR(../@) tos $VAR(@) +delete: ip tunnel change $VAR(../@) tos inherit comp_help: possible completions <0-99> Set type of service diff --git a/templates/interfaces/tunnel/node.tag/ttl/node.def b/templates/interfaces/tunnel/node.tag/ttl/node.def index 29bc4ced..a42a199f 100644 --- a/templates/interfaces/tunnel/node.tag/ttl/node.def +++ b/templates/interfaces/tunnel/node.tag/ttl/node.def @@ -2,7 +2,7 @@ type: u32 help: Set the tunnel time to live field default: 255 syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 255; "Must be between 0-255" -update:expression: "ip tunnel change $VAR(../@) ttl $VAR(@)" -delete:expression: "ip tunnel change $VAR(../@) ttl inherit" +update: ip tunnel change $VAR(../@) ttl $VAR(@) +delete: ip tunnel change $VAR(../@) ttl inherit comp_help: possible completions: <0-255> Set time to live (default 255) diff --git a/templates/system/domain-name/node.def b/templates/system/domain-name/node.def index 96ccc7ae..fa8527d9 100644 --- a/templates/system/domain-name/node.def +++ b/templates/system/domain-name/node.def @@ -4,7 +4,7 @@ help: Set system domain name syntax:expression: pattern $VAR(@) "^[-a-zA-Z0-9.]{0,63}$" ; "invalid domain name $VAR(@)" # also add localhost line into /etc/hosts (see host-name template)? -update:expression: "sudo /opt/vyatta/sbin/vyatta_update_resolv.pl" +update: sudo /opt/vyatta/sbin/vyatta_update_resolv.pl # also update localhost line in /etc/hosts (see host-name template)? -delete:expression: "sudo /opt/vyatta/sbin/vyatta_update_resolv.pl" +delete: sudo /opt/vyatta/sbin/vyatta_update_resolv.pl -- cgit v1.2.3 From 478766574f13b3fcfb934d7da161b5ac7238934a Mon Sep 17 00:00:00 2001 
From: Stephen Hemminger Date: Tue, 15 Jun 2010 10:16:40 -0700 Subject: Remove sudo from brctl Since brctl has cap_net_admin, don't need to use sudo --- .../interfaces/bonding/node.tag/bridge-group/node.def | 16 ++++++++-------- .../bonding/node.tag/vif/node.tag/bridge-group/node.def | 16 ++++++++-------- templates/interfaces/bridge/node.def | 4 ++-- templates/interfaces/bridge/node.tag/aging/node.def | 4 ++-- .../interfaces/bridge/node.tag/forwarding-delay/node.def | 2 +- templates/interfaces/bridge/node.tag/hello-time/node.def | 4 ++-- templates/interfaces/bridge/node.tag/max-age/node.def | 4 ++-- templates/interfaces/bridge/node.tag/priority/node.def | 4 ++-- templates/interfaces/bridge/node.tag/stp/node.def | 12 ++++++------ .../interfaces/ethernet/node.tag/bridge-group/node.def | 16 ++++++++-------- .../ethernet/node.tag/vif/node.tag/bridge-group/node.def | 16 ++++++++-------- 11 files changed, 49 insertions(+), 49 deletions(-) diff --git a/templates/interfaces/bonding/node.tag/bridge-group/node.def b/templates/interfaces/bonding/node.tag/bridge-group/node.def index 940295fa..9ce97b1b 100644 --- a/templates/interfaces/bonding/node.tag/bridge-group/node.def +++ b/templates/interfaces/bonding/node.tag/bridge-group/node.def @@ -12,13 +12,13 @@ end: exit 1 else echo "Adding interface $bondif to bridge $newbridge." - sudo brctl addif $newbridge $bondif; + /usr/sbin/brctl addif $newbridge $bondif; if [ -n "$VAR(./cost/@)" ]; then - sudo brctl setpathcost $newbridge $bondif $VAR(./cost/@); + /usr/sbin/brctl setpathcost $newbridge $bondif $VAR(./cost/@); fi; if [ -n "$VAR(./priority/@)" ]; then - sudo brctl setportprio $newbridge $bondif $VAR(./priority/@); + /usr/sbin/brctl setportprio $newbridge $bondif $VAR(./priority/@); fi fi elif [ ${COMMIT_ACTION} = 'DELETE' ]; then 
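Review bot: `/usr/sbin/brctl addif $newbridge $bondif;` is still unchecked after the rewrite: if addif fails (bridge missing, interface already enslaved), setpathcost and setportprio run against a port that is not in the bridge and the script presumably still exits 0, with only brctl's own stderr as a hint. Since the line is being rewritten anyway, `/usr/sbin/brctl addif $newbridge $bondif || exit 1` would surface the failure to the commit; the same applies to the addif lines in the other bridge-group hunks of this commit (bonding vif, ethernet, ethernet vif). The enclosing `end:` script begins before this hunk.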
@@ -32,7 +32,7 @@ end: # it gets deleted before the removal of bridge-groups under interfaces exit 0 else - sudo brctl delif $oldbridge $bondif + /usr/sbin/brctl delif $oldbridge $bondif fi else if [ -z "$newbridge" ]; then @@ -46,15 +46,15 @@ end: if ! /opt/vyatta/sbin/vyatta-bridgegroup-depedency.pl \ --bridge-notin-proposedcfg \ --bridge-interface="$oldbridge"; then \ - sudo brctl delif $oldbridge $bondif + /usr/sbin/brctl delif $oldbridge $bondif fi - sudo brctl addif $newbridge $bondif + /usr/sbin/brctl addif $newbridge $bondif fi if [ -n "$VAR(./cost/@)" ]; then - sudo brctl setpathcost $newbridge $bondif $VAR(./cost/@) + /usr/sbin/brctl setpathcost $newbridge $bondif $VAR(./cost/@) fi if [ -n "$VAR(./priority/@)" ]; then - sudo brctl setportprio $newbridge $bondif $VAR(./priority/@) + /usr/sbin/brctl setportprio $newbridge $bondif $VAR(./priority/@) fi fi fi diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/bridge-group/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/bridge-group/node.def index 04dc957b..42234106 100644 --- a/templates/interfaces/bonding/node.tag/vif/node.tag/bridge-group/node.def +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/bridge-group/node.def @@ -13,13 +13,13 @@ end: exit 1 else echo "Adding interface $bondif to bridge $newbridge." - sudo brctl addif $newbridge $bondif; + /usr/sbin/brctl addif $newbridge $bondif; if [ -n "$VAR(./cost/@)" ]; then - sudo brctl setpathcost $newbridge $bondif $VAR(./cost/@); + /usr/sbin/brctl setpathcost $newbridge $bondif $VAR(./cost/@); fi; if [ -n "$VAR(./priority/@)" ]; then - sudo brctl setportprio $newbridge $bondif $VAR(./priority/@); + /usr/sbin/brctl setportprio $newbridge $bondif $VAR(./priority/@); fi fi elif [ ${COMMIT_ACTION} = 'DELETE' ]; then 
@@ -33,7 +33,7 @@ end: # it gets deleted before the removal of bridge-groups under interfaces exit 0 else - sudo brctl delif $oldbridge $bondif + /usr/sbin/brctl delif $oldbridge $bondif fi else if [ -z "$newbridge" ]; then @@ -47,15 +47,15 @@ end: if ! /opt/vyatta/sbin/vyatta-bridgegroup-depedency.pl \ --bridge-notin-proposedcfg \ --bridge-interface="$oldbridge"; then \ - sudo brctl delif $oldbridge $bondif + /usr/sbin/brctl delif $oldbridge $bondif fi - sudo brctl addif $newbridge $bondif + /usr/sbin/brctl addif $newbridge $bondif fi if [ -n "$VAR(./cost/@)" ]; then - sudo brctl setpathcost $newbridge $bondif $VAR(./cost/@) + /usr/sbin/brctl setpathcost $newbridge $bondif $VAR(./cost/@) fi if [ -n "$VAR(./priority/@)" ]; then - sudo brctl setportprio $newbridge $bondif $VAR(./priority/@) + /usr/sbin/brctl setportprio $newbridge $bondif $VAR(./priority/@) fi fi fi diff --git a/templates/interfaces/bridge/node.def b/templates/interfaces/bridge/node.def index 786bc825..60af4bc0 100644 --- a/templates/interfaces/bridge/node.def +++ b/templates/interfaces/bridge/node.def @@ -6,7 +6,7 @@ comp_help: "Enter bridge interface name (br0 - br999)" syntax:expression: pattern $VAR(@) "^br[0-9]+$" ; "Must be (br0 - br999)" -create: sudo brctl addbr $VAR(@) +create: /usr/sbin/brctl addbr $VAR(@) ip link set $VAR(@) up delete: if ! /opt/vyatta/sbin/vyatta-bridgegroup-depedency.pl \ @@ -15,5 +15,5 @@ delete: if ! /opt/vyatta/sbin/vyatta-bridgegroup-depedency.pl \ exit 1 fi ip link set $VAR(@) down; - sudo brctl delbr $VAR(@); + /usr/sbin/brctl delbr $VAR(@); diff --git a/templates/interfaces/bridge/node.tag/aging/node.def b/templates/interfaces/bridge/node.tag/aging/node.def index b78f53bf..cd2e5d1a 100644 --- a/templates/interfaces/bridge/node.tag/aging/node.def +++ b/templates/interfaces/bridge/node.tag/aging/node.def 
@@ -1,7 +1,7 @@ type: u32 help: Set the number of seconds a MAC address will be kept in the forwarding database default: 300 -update: sudo brctl setageing $VAR(../@) $VAR(@) -delete: sudo brctl setageing $VAR(../@) 300 +update: /usr/sbin/brctl setageing $VAR(../@) $VAR(@) +delete: /usr/sbin/brctl setageing $VAR(../@) 300 comp_help: possible completions: Set the number of seconds for ageing (default 300) diff --git a/templates/interfaces/bridge/node.tag/forwarding-delay/node.def b/templates/interfaces/bridge/node.tag/forwarding-delay/node.def index 458eb320..c273c648 100644 --- a/templates/interfaces/bridge/node.tag/forwarding-delay/node.def +++ b/templates/interfaces/bridge/node.tag/forwarding-delay/node.def @@ -1,5 +1,5 @@ type: u32 help: Set the forwarding delay -update: sudo brctl setfd $VAR(../@) $VAR(@) +update: /usr/sbin/brctl setfd $VAR(../@) $VAR(@) comp_help: possible completions: Set the folwarding delay (default 15) diff --git a/templates/interfaces/bridge/node.tag/hello-time/node.def b/templates/interfaces/bridge/node.tag/hello-time/node.def index a2472720..8c6ad277 100644 --- a/templates/interfaces/bridge/node.tag/hello-time/node.def +++ b/templates/interfaces/bridge/node.tag/hello-time/node.def @@ -1,8 +1,8 @@ type: u32 help: Set the hello packet advertisment interval default: 2 -update: sudo brctl sethello $VAR(../@) $VAR(@) -delete: sudo brctl sethello $VAR(../@) 2 +update: /usr/sbin/brctl sethello $VAR(../@) $VAR(@) +delete: /usr/sbin/brctl sethello $VAR(../@) 2 comp_help: possible completions: Set the hello packet advertisment interval (default 2) diff --git a/templates/interfaces/bridge/node.tag/max-age/node.def b/templates/interfaces/bridge/node.tag/max-age/node.def index e69b273c..43a9ad04 100644 --- a/templates/interfaces/bridge/node.tag/max-age/node.def +++ b/templates/interfaces/bridge/node.tag/max-age/node.def 
@@ -1,8 +1,8 @@ type: u32 help: Set the interval at which neighbor bridges are removed default: 20 -update: sudo brctl setmaxage $VAR(../@) $VAR(@) -delete: sudo brctl setmaxage $VAR(../@) 20 +update: /usr/sbin/brctl setmaxage $VAR(../@) $VAR(@) +delete: /usr/sbin/brctl setmaxage $VAR(../@) 20 comp_help: possible completions: Set the max age (default 20) diff --git a/templates/interfaces/bridge/node.tag/priority/node.def b/templates/interfaces/bridge/node.tag/priority/node.def index d731f49a..63548d1e 100644 --- a/templates/interfaces/bridge/node.tag/priority/node.def +++ b/templates/interfaces/bridge/node.tag/priority/node.def @@ -1,7 +1,7 @@ type: u32 help: Set the priority for this bridge default: 0 -update: sudo brctl setbridgeprio $VAR(../@) $VAR(@) -delete: sudo brctl setbridgeprio $VAR(../@) 0 +update: /usr/sbin/brctl setbridgeprio $VAR(../@) $VAR(@) +delete: /usr/sbin/brctl setbridgeprio $VAR(../@) 0 comp_help: possible completions: Set bridge priority (default 0) diff --git a/templates/interfaces/bridge/node.tag/stp/node.def b/templates/interfaces/bridge/node.tag/stp/node.def index 6f25f0cc..f3095b26 100644 --- a/templates/interfaces/bridge/node.tag/stp/node.def +++ b/templates/interfaces/bridge/node.tag/stp/node.def 
@@ -3,16 +3,16 @@ help: Enable spanning tree protocol default: false update: if [ "$VAR(@)" == "true" ]; then if [ -z "$VAR(../../forwarding-delay)" ]; then - sudo brctl setfd $VAR(../@) 15 + /usr/sbin/brctl setfd $VAR(../@) 15 else - sudo brctl setfd $VAR(../@) $VAR(../../forwarding-delay) + /usr/sbin/brctl setfd $VAR(../@) $VAR(../../forwarding-delay) fi - sudo brctl stp $VAR(../@) on + /usr/sbin/brctl stp $VAR(../@) on else - sudo brctl stp $VAR(../@) off - sudo brctl setfd $VAR(../@) 0 + /usr/sbin/brctl stp $VAR(../@) off + /usr/sbin/brctl setfd $VAR(../@) 0 fi -delete:sudo brctl stp $VAR(../@) off +delete:/usr/sbin/brctl stp $VAR(../@) off comp_help: possible completions: true Enable Spanning Tree Protocol false Disable Spanning Tree Protocol (default false) diff --git a/templates/interfaces/ethernet/node.tag/bridge-group/node.def b/templates/interfaces/ethernet/node.tag/bridge-group/node.def index 7590dc96..c56c31cc 100644 --- a/templates/interfaces/ethernet/node.tag/bridge-group/node.def +++ b/templates/interfaces/ethernet/node.tag/bridge-group/node.def @@ -11,13 +11,13 @@ end: exit 1 else echo "Adding interface $ethif to bridge $newbridge." - sudo brctl addif $newbridge $ethif; + /usr/sbin/brctl addif $newbridge $ethif; if [ -n "$VAR(./cost/@)" ]; then - sudo brctl setpathcost $newbridge $ethif $VAR(./cost/@); + /usr/sbin/brctl setpathcost $newbridge $ethif $VAR(./cost/@); fi; if [ -n "$VAR(./priority/@)" ]; then - sudo brctl setportprio $newbridge $ethif $VAR(./priority/@); + /usr/sbin/brctl setportprio $newbridge $ethif $VAR(./priority/@); fi fi elif [ ${COMMIT_ACTION} = 'DELETE' ]; then @@ -31,7 +31,7 @@ end: # it gets deleted before the removal of bridge-groups under interfaces exit 0 else - sudo brctl delif $oldbridge $ethif + /usr/sbin/brctl delif $oldbridge $ethif fi else if [ -z "$newbridge" ]; then 
@@ -45,15 +45,15 @@ end: if ! /opt/vyatta/sbin/vyatta-bridgegroup-depedency.pl \ --bridge-notin-proposedcfg \ --bridge-interface="$oldbridge"; then \ - sudo brctl delif $oldbridge $ethif + /usr/sbin/brctl delif $oldbridge $ethif fi - sudo brctl addif $newbridge $ethif + /usr/sbin/brctl addif $newbridge $ethif fi if [ -n "$VAR(./cost/@)" ]; then - sudo brctl setpathcost $newbridge $ethif $VAR(./cost/@) + /usr/sbin/brctl setpathcost $newbridge $ethif $VAR(./cost/@) fi if [ -n "$VAR(./priority/@)" ]; then - sudo brctl setportprio $newbridge $ethif $VAR(./priority/@) + /usr/sbin/brctl setportprio $newbridge $ethif $VAR(./priority/@) fi fi fi diff --git a/templates/interfaces/ethernet/node.tag/vif/node.tag/bridge-group/node.def b/templates/interfaces/ethernet/node.tag/vif/node.tag/bridge-group/node.def index dd3863a0..84fa14f1 100644 --- a/templates/interfaces/ethernet/node.tag/vif/node.tag/bridge-group/node.def +++ b/templates/interfaces/ethernet/node.tag/vif/node.tag/bridge-group/node.def @@ -14,13 +14,13 @@ end: exit 1 else echo "Adding interface $ethif to bridge $newbridge." - sudo brctl addif $newbridge $ethif; + /usr/sbin/brctl addif $newbridge $ethif; if [ -n "$VAR(./cost/@)" ]; then - sudo brctl setpathcost $newbridge $ethif $VAR(./cost/@); + /usr/sbin/brctl setpathcost $newbridge $ethif $VAR(./cost/@); fi; if [ -n "$VAR(./priority/@)" ]; then - sudo brctl setportprio $newbridge $ethif $VAR(./priority/@); + /usr/sbin/brctl setportprio $newbridge $ethif $VAR(./priority/@); fi fi elif [ ${COMMIT_ACTION} = 'DELETE' ]; then @@ -34,7 +34,7 @@ end: # it gets deleted before the removal of bridge-groups under interfaces exit 0 else - sudo brctl delif $oldbridge $ethif + /usr/sbin/brctl delif $oldbridge $ethif fi else if [ -z "$newbridge" ]; then 
@@ -48,15 +48,15 @@ end: if ! /opt/vyatta/sbin/vyatta-bridgegroup-depedency.pl \ --bridge-notin-proposedcfg \ --bridge-interface="$oldbridge"; then \ - sudo brctl delif $oldbridge $ethif + /usr/sbin/brctl delif $oldbridge $ethif fi - sudo brctl addif $newbridge $ethif + /usr/sbin/brctl addif $newbridge $ethif fi if [ -n "$VAR(./cost/@)" ]; then - sudo brctl setpathcost $newbridge $ethif $VAR(./cost/@) + /usr/sbin/brctl setpathcost $newbridge $ethif $VAR(./cost/@) fi if [ -n "$VAR(./priority/@)" ]; then - sudo brctl setportprio $newbridge $ethif $VAR(./priority/@) + /usr/sbin/brctl setportprio $newbridge $ethif $VAR(./priority/@) fi fi fi -- cgit v1.2.3 From e7fa981b7038cca5df8c1e57a3d21f3745bd2697 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Wed, 16 Jun 2010 10:43:45 -0700 Subject: Remove capability from ping Ping is already setuid root. --- sysconf/filecaps | 2 -- 1 file changed, 2 deletions(-) diff --git a/sysconf/filecaps b/sysconf/filecaps index 80730334..c1d0ec1d 100644 --- a/sysconf/filecaps +++ b/sysconf/filecaps @@ -14,8 +14,6 @@ cap_net_admin=pe /usr/sbin/brctl # Raw sockets cap_net_raw=pe /usr/bin/tshark cap_net_raw=pe /usr/sbin/tcpdump -cap_net_raw=pe /bin/ping -cap_net_raw=pe /bin/ping6 # Special case to allow command login cap_audit_write=pe /bin/vbash -- cgit v1.2.3 From f14c3c03a4c6cf4734272d370159dc904043ca2c Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Thu, 17 Jun 2010 14:45:17 -0700 Subject: Don't need audit write on vbash Not using auditing for command logging. --- sysconf/filecaps | 3 --- 1 file changed, 3 deletions(-) diff --git a/sysconf/filecaps b/sysconf/filecaps index c1d0ec1d..e7900632 100644 --- a/sysconf/filecaps +++ b/sysconf/filecaps @@ -15,9 +15,6 @@ cap_net_admin=pe /usr/sbin/brctl cap_net_raw=pe /usr/bin/tshark cap_net_raw=pe /usr/sbin/tcpdump -# Special case to allow command login -cap_audit_write=pe /bin/vbash - # Allow changes to system settings cap_sys_admin=pe /sbin/sysctl -- cgit v1.2.3 
From 26f0b004bf39bce9e8e0cd2f5d318b28b9bec6bc Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Thu, 17 Jun 2010 14:46:35 -0700 Subject: 0.17.54 --- debian/changelog | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/debian/changelog b/debian/changelog index ed6d4d3a..232bb10d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +vyatta-cfg-system (0.17.54) unstable; urgency=low + + * Remove sudo from ip command + * Remove unnecessary :expression: syntax + * Remove sudo from brctl + * Remove capability from ping + * Don't need audit write on vbash + + -- Stephen Hemminger Thu, 17 Jun 2010 14:46:35 -0700 + vyatta-cfg-system (0.17.53) unstable; urgency=low * * make vrrp work with conntrack-sync -- cgit v1.2.3 From 5c971f8ddcfff0f8e2bb29261f52586d2701aea8 Mon Sep 17 00:00:00 2001 From: Robert Bays Date: Thu, 17 Jun 2010 23:32:43 -0700 Subject: initial support for gre-bridge tunnels. --- templates/interfaces/tunnel/node.def | 41 +++++++++++++--------- .../tunnel/node.tag/bridge-group/bridge/node.def | 16 +++++++++ .../tunnel/node.tag/bridge-group/cost/node.def | 9 +++++ .../tunnel/node.tag/bridge-group/node.def | 1 + .../tunnel/node.tag/bridge-group/priority/node.def | 8 +++++ .../tunnel/node.tag/encapsulation/node.def | 6 ++-- templates/interfaces/tunnel/node.tag/ttl/node.def | 8 ++--- 7 files changed, 67 insertions(+), 22 deletions(-) create mode 100644 templates/interfaces/tunnel/node.tag/bridge-group/bridge/node.def create mode 100644 templates/interfaces/tunnel/node.tag/bridge-group/cost/node.def create mode 100644 templates/interfaces/tunnel/node.tag/bridge-group/node.def create mode 100644 templates/interfaces/tunnel/node.tag/bridge-group/priority/node.def diff --git a/templates/interfaces/tunnel/node.def b/templates/interfaces/tunnel/node.def index 34ef1ad6..2a80592e 100644 --- a/templates/interfaces/tunnel/node.def +++ b/templates/interfaces/tunnel/node.def 
@@ -1,9 +1,8 @@ tag: priority: 380 type: txt -help: Set tunnel interface name +help: Set tunnel interface comp_help: Enter tunnel interface name (tun0 - tun999) - syntax:expression: pattern $VAR(@) "^tun[0-9]+$" \ ; "tunnel must be (tun0-tun999)" @@ -14,18 +13,28 @@ commit:expression: $VAR(./remote-ip/) != "" ; \ commit:expression: $VAR(./encapsulation/) != "" ; \ "Must configure the tunnel encapsulation for $VAR(@)" -create:expression: "\ - if [ -n \"$VAR(./key/@)\" ]; then \ - KEY=\"key $VAR(./key/@)\"; \ - fi; \ - if [ x$VAR(./multicast/@) == xenable ]; then \ - MC=\"multicast on allmulticast on\"; \ - fi; \ - ip tunnel add $VAR(@) \ - local $VAR(./local-ip/@) remote $VAR(./remote-ip/@) \ - mode $VAR(./encapsulation/@) $KEY; \ - ip link set $VAR(@) $MC up;" ; \ - "Error creating $VAR(@)" - -delete:expression: "ip tunnel del $VAR(@)" ; "Error deleting $VAR(@)" +create:if [ -n "$VAR(./key/@)" ]; then + KEY="key $VAR(./key/@)"; + fi + if [ x$VAR(./multicast/@) == xenable ]; then + MC="multicast on allmulticast on"; + fi + if [ -n "$VAR(./bridge-group/)" ] && [ "$VAR(./encapsulation/@)" != "gre-bridge" ]; then + echo "interfaces tunnel $VAR(@): Tunnel encapsulation type must be gre-bridge if a bridge group is defined"; + exit 1; + fi + if [ "$VAR(./encapsulation/@)" == "gre-bridge" ]; then + sudo ip link add $VAR(@) type gretap local $VAR(./local-ip/@) remote $VAR(./remote-ip/@) || + echo "interfaces tunnel $VAR(@): error creating tunnel interface" + else + sudo ip tunnel add $VAR(@) local $VAR(./local-ip/@) remote $VAR(./remote-ip/@) mode $VAR(./encapsulation/@) $KEY || + echo "interfaces tunnel $VAR(@): error creating tunnel interface" + fi + sudo ip link set $VAR(@) $MC up || + echo "interfaces tunnel $VAR(@): error setting tunnel interface active" +delete:if [ "$VAR(./encapsulation/@)" == "gre-bridge" ]; then + sudo ip link delete $VAR(@) + else + sudo ip tunnel del $VAR(@) + fi 
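Review bot: In the new `create:` action, a failed `ip link add`/`ip tunnel add` only echoes a message and the action continues into `ip link set $VAR(@) $MC up`, so the tunnel node is accepted into the running configuration even though no interface exists; the bridge-group/encapsulation mismatch a few lines earlier does `exit 1`, and creation failures should do the same. Change both `|| echo "interfaces tunnel $VAR(@): error creating tunnel interface"` branches to `|| { echo "interfaces tunnel $VAR(@): error creating tunnel interface"; exit 1; }` and the `ip link set` line likewise. The `delete:` action has the same silent-failure shape but that is lower risk since the node is going away.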
diff --git a/templates/interfaces/tunnel/node.tag/bridge-group/bridge/node.def b/templates/interfaces/tunnel/node.tag/bridge-group/bridge/node.def new file mode 100644 index 00000000..9c28ed63 --- /dev/null +++ b/templates/interfaces/tunnel/node.tag/bridge-group/bridge/node.def @@ -0,0 +1,16 @@ +type: txt +help: Set this interface to a bridge-group +allowed: /opt/vyatta/sbin/vyatta-interfaces.pl --show=bridge +commit:expression: exec \ + "/opt/vyatta/sbin/vyatta-interfaces.pl --dev=$VAR(@) --check=bridge" +commit:expression: $VAR(../../encapsulation/@) == "gre-bridge"; "tunnel encapsulation type must be gre-bridge" +create: + # TODO: need to add logic for update as we need to remove the interface first. + if [ "$(ip link show $VAR(../../@) | grep ether)" ]; then + sudo brctl addif $VAR(@) $VAR(../../@) || + echo interfaces tunnel $VAR(../../@) bridge-group bridge $VAR(@): error adding interface to bridge + else + echo interfaces tunnel $VAR(../../@) bridge-group bridge $VAR(@): tunnel encapsulation type must be gre-bridge + exit 1 + fi +delete: sudo brctl delif $VAR(@) $VAR(../../@) diff --git a/templates/interfaces/tunnel/node.tag/bridge-group/cost/node.def b/templates/interfaces/tunnel/node.tag/bridge-group/cost/node.def new file mode 100644 index 00000000..ed3bee26 --- /dev/null +++ b/templates/interfaces/tunnel/node.tag/bridge-group/cost/node.def @@ -0,0 +1,9 @@ +type: u32 +help: Set the path cost for this port +comp_help: possible completions: + <0-2147483647> Set port cost +commit:expression: $VAR(../bridge/@) != ""; "interface must first be assigned to a bridge" +create: sudo brctl setpathcost $VAR(../bridge/@) $VAR(../../@) $VAR(@) || + echo interfaces tunnel $VAR(../../@) bridge-group cost: error setting bridge cost +delete: if [ -n "$( sudo brctl show | egrep $VAR(../../@) )" ]; then sudo brctl setpathcost $VAR(../bridge/@) $VAR(../../@) 0; fi; + 
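Review bot: In cost/node.def the `delete:` action runs `egrep $VAR(../../@)` with the interface name unquoted and unanchored, so the pattern is subject to shell expansion and matches any `brctl show` line that merely contains the name as a substring (`tun1` also matches `tun10`), which can reset the path cost on the wrong port; priority/node.def in the next hunk quotes the name but is still unanchored. Use a whole-word, quiet match in both: `delete: if sudo brctl show | grep -qw "$VAR(../../@)"; then sudo brctl setpathcost $VAR(../bridge/@) $VAR(../../@) 0; fi`. Also in bridge/node.def the `grep ether` test on `ip link show` only infers from the link type that the interface is bridgeable, while the encapsulation check already exists as a `commit:expression`; a short comment saying why both are needed would help the next reader.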
diff --git a/templates/interfaces/tunnel/node.tag/bridge-group/node.def b/templates/interfaces/tunnel/node.tag/bridge-group/node.def new file mode 100644 index 00000000..663979dd --- /dev/null +++ b/templates/interfaces/tunnel/node.tag/bridge-group/node.def @@ -0,0 +1 @@ +help: Add this interface to a bridge group diff --git a/templates/interfaces/tunnel/node.tag/bridge-group/priority/node.def b/templates/interfaces/tunnel/node.tag/bridge-group/priority/node.def new file mode 100644 index 00000000..fe174f1f --- /dev/null +++ b/templates/interfaces/tunnel/node.tag/bridge-group/priority/node.def @@ -0,0 +1,8 @@ +type: u32 +help: Set the path priority for this port +comp_help: possible completions: + <0-255> Set port priority +commit:expression: $VAR(../bridge/@) != ""; "interface must first be assigned to a bridge" +create: sudo brctl setportprio $VAR(../bridge/@) $VAR(../../@) $VAR(@) || + echo interfaces tunnel $VAR(../../@) bridge-group priority: error setting bridge priority +delete: if [ -n "$( sudo brctl show | egrep "$VAR(../../@)" )" ]; then sudo brctl setportprio $VAR(../bridge/@) $VAR(../../@) 0; fi; diff --git a/templates/interfaces/tunnel/node.tag/encapsulation/node.def b/templates/interfaces/tunnel/node.tag/encapsulation/node.def index 6b97b190..5374568c 100644 --- a/templates/interfaces/tunnel/node.tag/encapsulation/node.def +++ b/templates/interfaces/tunnel/node.tag/encapsulation/node.def 
@@ -1,13 +1,15 @@ type: txt help: Set the encapsulation of this tunnel interface [REQUIRED] -syntax:expression: $VAR(@) in "ipip", "gre", "sit"; "Must be (ipip, gre, sit)" +syntax:expression: $VAR(@) in "ipip", "gre", "sit", "gre-bridge"; "Must be (ipip, gre, gre-bridge, sit)" create:expression: "true" update:expression: "false" ; \ "Encapsulation can only be set at tunnel creation for $VAR(../@)" -comp_help: "possible completions: +comp_help: possible completions: gre Set Generic Routing Encapsulation + gre-bridge Set Generic Routing Encapsulation bridge interface ipip Set IP in IP encapsulation sit Set Simple Internet Transition encapsulation + diff --git a/templates/interfaces/tunnel/node.tag/ttl/node.def b/templates/interfaces/tunnel/node.tag/ttl/node.def index a42a199f..cfab7264 100644 --- a/templates/interfaces/tunnel/node.tag/ttl/node.def +++ b/templates/interfaces/tunnel/node.tag/ttl/node.def @@ -1,8 +1,8 @@ type: u32 -help: Set the tunnel time to live field default: 255 -syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 255; "Must be between 0-255" -update: ip tunnel change $VAR(../@) ttl $VAR(@) -delete: ip tunnel change $VAR(../@) ttl inherit +help: Set the tunnel time to live field comp_help: possible completions: <0-255> Set time to live (default 255) +syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 255; "Must be between 0-255" +update:if [ "$VAR(../encapsulation/@)" != "gre-bridge" ]; then sudo ip tunnel change $VAR(../@) ttl $VAR(@); fi; +delete:if [ "$VAR(../encapsulation/@)" != "gre-bridge" ]; then sudo ip tunnel change $VAR(../@) ttl inherit; fi; -- cgit v1.2.3 From 2ff1761686108fb85f8ce1e779cd2adfaed7f58e Mon Sep 17 00:00:00 2001 From: Robert Bays Date: Thu, 17 Jun 2010 23:33:45 -0700 Subject: 0.17.55 --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index 232bb10d..da82d0f9 100644 --- a/debian/changelog +++ b/debian/changelog 
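Review bot: The new `update:`/`delete:` actions in ttl/node.def silently do nothing when the encapsulation is gre-bridge, so a user can set a ttl on such a tunnel and have it accepted while it is never applied; at minimum the `else` branch should say so, e.g. `else echo "interfaces tunnel $VAR(../@): ttl is not applied to gre-bridge tunnels"; fi;` (whether a gretap link can take a ttl via `ip link` is not shown here and would need checking). These two lines also keep `sudo ip tunnel change`, while the "Remove sudo from tunnel command" hunk further down drops sudo from `ip` in tunnel/node.def, so the template set ends up inconsistent about whether `ip` needs sudo.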
@@ -1,3 +1,9 @@ +vyatta-cfg-system (0.17.55) unstable; urgency=low + + * initial support for gre-bridge tunnels. + + -- Robert Bays Thu, 17 Jun 2010 23:33:45 -0700 + vyatta-cfg-system (0.17.54) unstable; urgency=low * Remove sudo from ip command -- cgit v1.2.3 From 2f35b555a1fb51935a14d25e175c936b7ceb9d82 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Fri, 18 Jun 2010 10:29:03 -0700 Subject: Remove sudo from tunnel command Don't need sudo for ip command anymore. --- templates/interfaces/tunnel/node.def | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/templates/interfaces/tunnel/node.def b/templates/interfaces/tunnel/node.def index 2a80592e..a90c01f9 100644 --- a/templates/interfaces/tunnel/node.def +++ b/templates/interfaces/tunnel/node.def @@ -24,17 +24,17 @@ create:if [ -n "$VAR(./key/@)" ]; then exit 1; fi if [ "$VAR(./encapsulation/@)" == "gre-bridge" ]; then - sudo ip link add $VAR(@) type gretap local $VAR(./local-ip/@) remote $VAR(./remote-ip/@) || + ip link add $VAR(@) type gretap local $VAR(./local-ip/@) remote $VAR(./remote-ip/@) || echo "interfaces tunnel $VAR(@): error creating tunnel interface" else - sudo ip tunnel add $VAR(@) local $VAR(./local-ip/@) remote $VAR(./remote-ip/@) mode $VAR(./encapsulation/@) $KEY || + ip tunnel add $VAR(@) local $VAR(./local-ip/@) remote $VAR(./remote-ip/@) mode $VAR(./encapsulation/@) $KEY || echo "interfaces tunnel $VAR(@): error creating tunnel interface" fi - sudo ip link set $VAR(@) $MC up || + ip link set $VAR(@) $MC up || echo "interfaces tunnel $VAR(@): error setting tunnel interface active" delete:if [ "$VAR(./encapsulation/@)" == "gre-bridge" ]; then - sudo ip link delete $VAR(@) + ip link delete $VAR(@) else - sudo ip tunnel del $VAR(@) + ip tunnel del $VAR(@) fi -- cgit v1.2.3 From 7369bf61abd3eed1fdd17a56908cf2c0ffc9843f Mon Sep 17 00:00:00 2001 
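Review bot: The sudo removal in this tunnel/node.def hunk is only partial for the tunnel subtree: ttl/node.def (hunk above) still invokes `sudo ip tunnel change`, and the bridge-group templates still use `sudo brctl`, so the same `ip` binary is run with and without sudo depending on which node is touched. If `/bin/ip` is meant to rely on its file capability (`cap_net_admin=pe /bin/ip` appears as context in the next filecaps hunk), drop the remaining `sudo` in ttl/node.def as well, e.g. `update:if [ "$VAR(../encapsulation/@)" != "gre-bridge" ]; then ip tunnel change $VAR(../@) ttl $VAR(@); fi;`. The `create:` block this hunk edits starts before line 24, outside the hunk.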
From: Stephen Hemminger
Date: Sun, 20 Jun 2010 21:18:49 -0700
Subject: Fix path to ipset
---
 sysconf/filecaps | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sysconf/filecaps b/sysconf/filecaps
index e7900632..1e06c0e8 100644
--- a/sysconf/filecaps
+++ b/sysconf/filecaps
@@ -6,7 +6,7 @@ cap_net_admin=pe /sbin/tc
 cap_net_admin=pe /bin/ip
 cap_net_admin=pe /sbin/iptables
 cap_net_admin=pe /sbin/ip6tables
-cap_net_admin=pe /sbin/ipset
+cap_net_admin=pe/ /usr/sbin/ipset
 cap_net_admin=pe /usr/sbin/conntrack
 cap_net_admin=pe /usr/sbin/arp
 cap_net_admin=pe /usr/sbin/brctl
-- cgit v1.2.3
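Review bot: The added line carries a stray slash in the capability text, `cap_net_admin=pe/ /usr/sbin/ipset`, while every other entry in the file uses `cap_net_admin=pe <path>`. How sysconf/filecaps is consumed is not visible here, but a setcap-style parser will reject `pe/` as a flag string, so ipset would end up with no capability (or the whole loader could abort, depending on how errors are handled) even though the path fix is correct. The line should read `cap_net_admin=pe /usr/sbin/ipset`.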