author | Michael Larson <slioch@slioch.vyatta.com> | 2009-11-13 13:43:40 -0800 |
---|---|---|
committer | Michael Larson <slioch@slioch.vyatta.com> | 2009-11-13 13:43:40 -0800 |
commit | bd04893b403c5979ecb6fa5d5f8b8aa215b19e82 (patch) | |
tree | 4516f67e6f20304a77116bab03958c5cb4b9d0d0 | |
parent | 41e01b6cf6993d473ac251be251e5f7489081b17 (diff) | |
parent | 3b5ccd729ad0236cfc0350035c294a4b0d395f51 (diff) | |
dependency update
Merge branch 'kenwood' of http://git.vyatta.com/vyatta-cfg-system into kenwood
Conflicts:
debian/control
59 files changed, 487 insertions, 392 deletions
diff --git a/Makefile.am b/Makefile.am index 29619127..df8c34b5 100644 --- a/Makefile.am +++ b/Makefile.am @@ -70,7 +70,9 @@ sysconf_DATA += sysconf/securetty sysconf_DATA += sysconf/vyatta-sysctl.conf sysconf_DATA += sysconf/blacklist.DSA-1024 sysconf_DATA += sysconf/blacklist.RSA-2048 -sysconf_DATA += sysconf/pam-radius +sysconf_DATA += sysconf/protected-user +sysconf_DATA += sysconf/level +sysconf_DATA += sysconf/pam_radius.cfg libudev_SCRIPTS = scripts/vyatta_net_name etcudev_DATA = sysconf/vyatta-net.rules diff --git a/debian/changelog b/debian/changelog index fba566b7..56e21623 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,74 @@ +vyatta-cfg-system (0.15.101) unstable; urgency=low + + * Remove blank line + * Show dependency on pam version + + -- Stephen Hemminger <stephen.hemminger@vyatta.com> Wed, 11 Nov 2009 17:09:29 -0800 + +vyatta-cfg-system (0.15.100) unstable; urgency=low + + * copy the whole config directory during install + + -- An-Cheng Huang <ancheng@vyatta.com> Tue, 10 Nov 2009 14:08:59 -0800 + +vyatta-cfg-system (0.15.99) unstable; urgency=low + + [ An-Cheng Huang ] + * use new vyatta-union arg to reduce kernel cmdline length. + + [ Robert Bays ] + * Fix library include + + -- Robert Bays <rbays@roatan> Fri, 06 Nov 2009 05:53:10 -0800 + +vyatta-cfg-system (0.15.98) unstable; urgency=low + + [ Stephen Hemminger ] + * Remove blank line + * Fix pam-auth-update errors from radius + * Move user configuration information to files + * radius: only try first password if first module + + [ An-Cheng Huang ] + * move custom script to custom repo + + -- An-Cheng Huang <ancheng@vyatta.com> Thu, 05 Nov 2009 15:01:40 -0800 + +vyatta-cfg-system (0.15.97) unstable; urgency=low + + * Fix 5063: committing "set interfaces ethernet <> bridge-group bridge + <>" got "invalid variable reference (invalid format)" + + -- Stig Thormodsrud <stig@vyatta.com> Mon, 02 Nov 2009 18:31:22 -0800 + +vyatta-cfg-system (0.15.96) unstable; urgency=low + + [ An-Cheng Huang ] + * use top-level pid for progress indicator + + [ Stephen Hemminger ] + * Don't want/need --package option to pam-auth-update + * Reset PAM configuration on boot + * rename pam-radius to pam_radius.cfg + + -- Stephen Hemminger <stephen.hemminger@vyatta.com> Mon, 02 Nov 2009 17:28:17 -0800 + +vyatta-cfg-system (0.15.95) unstable; urgency=low + + [ David S. Madole ] + * Add VRRP capability to bonding interfaces and vifs of bonding + interfaces. + + [ Stig Thormodsrud ] + * Convert keepalived to use Interface infrastructure. + * Add priority for bonding vrrp nodes. + * Fix interface carrier status. 
+ * Fix 'show vrrp summary' showing last vip 1st + * Using Interface.pm infrastructure to detect vif on eth|bond + interface. + + -- Stig Thormodsrud <stig@vyatta.com> Sun, 01 Nov 2009 14:59:29 -0800 + vyatta-cfg-system (0.15.94) unstable; urgency=low [ An-Cheng Huang ] diff --git a/debian/control b/debian/control index 5d875e70..ba8d3655 100644 --- a/debian/control +++ b/debian/control @@ -15,6 +15,7 @@ Depends: acpid, coreutils (>= 5.97-5.3), libpam-radius-auth, vyatta-cfg (>= 0.15.33), + libpam-runtime (>= 1.0.1-5), vyatta-bash | bash (>= 3.1), sysv-rc, ntp, diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 95fcd1ca..4809c4fe 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -118,6 +118,10 @@ EOF fi done + # Install pamradius config (should come with radius client eventually) + cp $sysconfdir/pam_radius.cfg /usr/share/pam-configs/radius + + cp $sysconfdir/level $sysconfdir/protected-user /opt/vyatta/etc fi # update crontab for logrotate @@ -148,8 +152,6 @@ update-rc.d -f ssh remove >/dev/null # for password sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login -# Install pamradius config (should come with radius client eventually) -cp $sysconfdir/pam-radius /usr/share/pam-configs/radius [ grep "blacklist.*snd-pcsp" >&/dev/null ] || echo "blacklist snd-pcsp" >>/etc/modprobe.d/blacklist diff --git a/lib/Vyatta/Login/RadiusServer.pm b/lib/Vyatta/Login/RadiusServer.pm index 43f78f90..f8b67830 100644 --- a/lib/Vyatta/Login/RadiusServer.pm +++ b/lib/Vyatta/Login/RadiusServer.pm 
@@ -29,12 +29,12 @@ my $PAM_RAD_END = '# END Vyatta Radius servers';
 sub remove_pam_radius {
 return system("sudo DEBIAN_FRONTEND=noninteractive"
- . " pam-auth-update --package --remove radius") == 0;
+ . " pam-auth-update --remove radius") == 0;
 }
 sub add_pam_radius {
 return system("sudo DEBIAN_FRONTEND=noninteractive"
- . " pam-auth-update --package --add radius") == 0;
+ . " pam-auth-update radius") == 0;
 }
 sub update {
diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
index f5e8337f..cca84636 100755
--- a/lib/Vyatta/Login/User.pm
+++ b/lib/Vyatta/Login/User.pm
@@ -19,6 +19,7 @@ use strict;
 use warnings;
 use lib "/opt/vyatta/share/perl5";
 use Vyatta::Config;
+use Vyatta::Misc;
 # Exit codes form useradd.8 man page
 my %reasons = (
@@ -34,15 +35,6 @@ my %reasons = (
 13 => 'canĀ“t create mail spool',
 );
-# Map of level to additional groups
-my %level_map = (
- 'admin' => [ 'quaggavty', 'vyattacfg', 'sudo', 'adm', 'dip', 'disk' ],
- 'operator' => [ 'quaggavty', 'vyattaop', 'operator', 'adm', 'dip', ],
-);
-
-# Users who MUST not use vbash
-my @protected = ( 'root', 'www-data' );
-
 # Construct a map from existing users to group membership
 sub get_groups {
 my %group_map;
@@ -60,28 +52,60 @@ sub get_groups { return \%group_map; } +my $levelFile = "/opt/vyatta/etc/level"; + +# Convert level to additional groups +sub _level2groups { + my $level = shift; + my @groups; + + open (my $f, '<', $levelFile) + or return; + + while (<$f>) { + chomp; + next unless $_; + + my ($l, $g) = split /:/; + if ($l eq $level) { + @groups = split(/,/, $g); + last; + } + } + close $f; + return @groups; +} + # protected users override file -my $protected_override = '/opt/vyatta/etc/protected-users'; +my $protected_users = '/opt/vyatta/etc/protected-user'; + +# Users who MUST not use vbash +sub _protected_users { + my @protected; + + open my $pfd, '<', $protected_users + or return; + + while (<$pfd>) { + chomp; + next unless $_; + + push @protected, $_; + } + close($pfd); + return @protected; +} + # make list of vyatta users (ie. users of vbash) sub _vyatta_users { my @vusers; - my %protected_override = (); - my $pfd; - if (open($pfd, '<', "$protected_override")) { - while (<$pfd>) { - next if (!defined($_)); - chomp; - $protected_override{$_} = 1; - } - close($pfd); - } + setpwent(); # ($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell,$expire) # = getpw* while ( my ($name, undef, undef, undef, undef, undef, undef, undef, $shell) = getpwent() ) { - next if (defined($protected_override{$name})); push @vusers, $name if ($shell eq '/bin/vbash'); } endpwent(); @@ -120,7 +144,7 @@ sub update { } # map level to group membership - my @new_groups = @{ $level_map{$level} }; + my @new_groups = _level2groups($level); # add any additional groups from configuration push( @new_groups, $uconfig->returnValues('group') ); 
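Review bot: `_protected_users()` fails open: when `/opt/vyatta/etc/protected-user` cannot be opened it returns an empty list, so the `%protected` check in `update` no longer covers root or www-data, and such an account with /bin/vbash as its shell would reach the `userdel --remove` branch instead of having its shell reset. The previous code kept the list in the module, so either keep that as the fallback, `open my $pfd, '<', $protected_users or return ('root', 'www-data');`, or die with the open error. `_level2groups()` has the same shape: an unreadable level file or an unknown level silently yields no groups, and a line without a colon hands an undefined `$g` to `split`; a `warn` on open failure and `next unless defined $g;` would make both visible. The postinst hunk copies the two files inside a conditional whose condition lies outside the visible lines, so it cannot be confirmed from here that they are always installed.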
@@ -169,12 +193,12 @@ sub update {
 # Remove any vyatta users that do not exist in current configuration
 # This can happen if user added but configuration not saved
- my %protected = map { $_ => 1 } @protected;
+ my %protected = map { $_ => 1 } _protected_users();
 foreach my $user (_vyatta_users()) {
 if ($protected{$user}) {
 warn "User $user should not being using vbash - fixed\n";
 system ("usermod -s /bin/bash $user") == 0
- or die "Attemp to modify user $user shell failed: $!";
+ or die "Attempt to modify user $user shell failed: $!";
 } elsif (! defined $users{$user}) {
 warn "User $user not listed in current configuration\n";
 system ("userdel --remove $user") == 0
diff --git a/scripts/install-image b/scripts/install-image
deleted file mode 100755
index 201500e3..00000000
--- a/scripts/install-image
+++ /dev/null
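Review bot: The `usermod` and `userdel` calls in this loop hand one interpolated string to `system`, so the account name read from the passwd database passes through the shell; the list form avoids that, e.g. `system('usermod', '-s', '/bin/bash', $user) == 0`. The corrected `die` message still reports `$!`, which is not set when the command ran and exited non-zero; `$? >> 8` is the value that describes that failure. `update` begins and ends outside this hunk.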
@@ -1,168 +0,0 @@ -#!/bin/bash - -# this script installs a new release image into a running "union-installed" -# system to the new release. the specified image is a release ISO image. -# the script sets up a new union mount for the new release. a reboot is -# then required to boot into the newly installed release. - -NEW_ISO=$1 - -PI_ROOT='' -SQUASH_MOUNT='' -ISO_MOUNT='' -TMP_DIR='' - -vyatta_sysconfdir=/opt/vyatta/etc - -failure_exit () { - echo "$*" - exit 1 -} - -clean_up () { - if [ -n "$PI_ROOT" ] && [ -d "$PI_ROOT" ]; then - umount $PI_ROOT >&/dev/null || true - fi - if [ -n "$SQUASH_MOUNT" ] && [ -d "$SQUASH_MOUNT" ]; then - umount $SQUASH_MOUNT >&/dev/null || true - fi - if [ -n "$ISO_MOUNT" ] && [ -d "$ISO_MOUNT" ]; then - umount $ISO_MOUNT >&/dev/null || true - fi - if [ -n "$TMP_DIR" ] && [ -d "$TMP_DIR" ]; then - rm -rf $TMP_DIR - fi - PI_ROOT='' - SQUASH_MOUNT='' - ISO_MOUNT='' - TMP_DIR='' -} - -sig_handler () { - echo "ERROR: Signal received. Exiting..." - clean_up - echo "Done" - trap - EXIT - exit 1 -} - -exit_handler () { - echo "Exiting..." - clean_up - echo "Done" -} - -trap sig_handler INT KILL -trap exit_handler EXIT - -if [ `whoami` != 'root' ] ; then - failure_exit 'This script must be run with root privileges.' -fi - -# make sure it's a union-installed system -CURVER=$(sed -n 's/^Version \+: \+\([^ ]\+\)$/\1/p' \ - ${vyatta_sysconfdir}/version 2>/dev/null) -if [ -z "$CURVER" ]; then - failure_exit 'Cannot find current version.' -fi -if [ ! -d "/live/image/boot/$CURVER" ] \ - || ! grep -q ' /live/image ' /proc/mounts \ - || grep -q ' /live/image iso9660 ' /proc/mounts \ - || ! grep -q " /$CURVER.squashfs " /proc/mounts; then - failure_exit 'This script can only be used on a "union-installed" system.' -fi - -# check the ISO -if [ ! -f "$NEW_ISO" ] || ! (file $NEW_ISO | grep -q 9660); then - failure_exit "\"$NEW_ISO\" is not a valid ISO image file." 
-fi -TMP_DIR=$(mktemp -d /tmp/install-image.XXXXXX) \ - || failure_exit 'Failed to create temporary directory.' -ISO_MOUNT=$TMP_DIR/iso-mount -if ! mkdir $ISO_MOUNT || ! mount -o loop,ro "$NEW_ISO" $ISO_MOUNT; then - failure_exit 'Failed to mount ISO image.' -fi - -# check the squashfs image -SQUASH_FILE=$ISO_MOUNT/live/filesystem.squashfs -if [ ! -f "$SQUASH_FILE" ] || ! (file $SQUASH_FILE | grep -q Squashfs) \ - || ! grep -q '^ii vyatta-version ' $ISO_MOUNT/live/packages.txt; then - failure_exit "\"$NEW_ISO\" is not a Vyatta ISO image file." -fi -SQUASH_MOUNT=$TMP_DIR/squash-mount -if ! mkdir $SQUASH_MOUNT \ - || ! mount -o loop,ro "$SQUASH_FILE" $SQUASH_MOUNT; then - failure_exit 'Failed to mount squashfs image.' -fi - -# get version string -NEWVER=$(grep '^Version ' ${SQUASH_MOUNT}${vyatta_sysconfdir}/version \ - | tr -s ' ' | cut -d ' ' -f 3) -if [ -z "$NEWVER" ]; then - failure_exit 'Cannot find new release version.' -fi -if [ "$CURVER" == "$NEWVER" ]; then - failure_exit "Cannot install the same release version \"$NEWVER\"." -fi - -# start the install -echo "Installing \"$NEWVER\" release." - -# create the new release directories -REL_ROOT="/live/image/boot/$NEWVER" -RW_DIR="$REL_ROOT/live-rw" -if ! mkdir -p "$RW_DIR"; then - failure_exit 'Cannot create directory for new release.' -fi - -# copy the squashfs image and boot files -echo -n "Copying new release files..." -cp -p $SQUASH_FILE $REL_ROOT/$NEWVER.squashfs >&/dev/null -cp -p $SQUASH_MOUNT/boot/* $REL_ROOT/ >&/dev/null -echo " Done" - -# mount copied squashfs -umount $SQUASH_MOUNT -SQUASH_FILE=$REL_ROOT/$NEWVER.squashfs -if ! mount -o loop,ro "$SQUASH_FILE" $SQUASH_MOUNT; then - failure_exit 'Failed to mount new squashfs image.' -fi - -# set up root for postinst -PI_ROOT=$TMP_DIR/pi_root -if ! mkdir $PI_ROOT \ - || ! mount -t unionfs -o noatime,dirs=$RW_DIR=rw:$SQUASH_MOUNT=ro unionfs \ - $PI_ROOT; then - failure_exit 'Failed to set up root directory for postinst.' 
-fi - -# set up /var/run fstab entry -PI_FSTAB=$PI_ROOT/etc/fstab -if ! grep -q 'tmpfs /var/run ' $PI_FSTAB >&/dev/null; then - # replace the fstab. the default one has header that will cause - # it to be wiped out on live boot. - echo 'tmpfs /var/run tmpfs nosuid,nodev 0 0' >$PI_FSTAB -fi - -# postinst hook -PI_SCRIPT=${PI_ROOT}${vyatta_sysconfdir}/install-image/postinst -if [ -e "$PI_SCRIPT" ]; then - echo "running post-install script" - $PI_SCRIPT $PI_ROOT -fi - -# set up grub entry (if provided) -DEF_GRUB=${PI_ROOT}${vyatta_sysconfdir}/grub/default-union-grub-entry -if [ -e "$DEF_GRUB" ]; then - old_grub_cfg=/live/image/boot/grub/grub.cfg - new_grub_cfg=$TMP_DIR/grub.cfg - sed -n '/^menuentry/q;p' $old_grub_cfg >$new_grub_cfg - cat $DEF_GRUB >>$new_grub_cfg - sed -n '/^menuentry/,${p}' $old_grub_cfg >>$new_grub_cfg - sed -i 's/^set default=[0-9]\+$/set default=0/' $new_grub_cfg - mv $new_grub_cfg $old_grub_cfg -fi - -# done -exit 0 - diff --git a/scripts/install/install-functions b/scripts/install/install-functions index 3bdc1fde..29707dff 100755 --- a/scripts/install/install-functions +++ b/scripts/install/install-functions @@ -43,18 +43,20 @@ VYATTA_CFG_DIR=${vyatta_sysconfdir}/config # the floppy config dir FD_CFG_DIR=/media/floppy/config -# Process ID for progress_indicator -SPID=$$ - +# PROGRESS_PID can be exported by top-level script progress_indicator () { + local spid=$PROGRESS_PID + if [ -z "$spid" ]; then + spid=$$ + fi case "$1" in start) - $vyatta_bindir/progress-indicator $SPID & + $vyatta_bindir/progress-indicator $spid & ;; *) - if ! rm /tmp/pi.$SPID 2>/dev/null; then + if ! rm /tmp/pi.$spid 2>/dev/null; then sleep 1 - rm /tmp/pi.$SPID 2>/dev/null + rm /tmp/pi.$spid 2>/dev/null fi sleep 1 echo -n -e "\b" diff --git a/scripts/install/install-image b/scripts/install/install-image index 0bf31a00..6ed0f732 100755 --- a/scripts/install/install-image +++ b/scripts/install/install-image 
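Review bot: In the install-functions hunk, `spid` now comes from the `PROGRESS_PID` environment variable and is expanded unquoted in `rm /tmp/pi.$spid` and in the progress-indicator call, so a value containing whitespace or glob characters would be split into extra arguments to `rm`. Checking that it is numeric before use, e.g. `case "$spid" in ''|*[!0-9]*) spid=$$ ;; esac`, and quoting the expansions (`rm "/tmp/pi.$spid"`) closes that. The marker file and the `INSTALL_LOG=/tmp/install-$$.log` path exported in the install-image hunk are PID-derived names in /tmp; if the installer runs as root, a directory from `mktemp -d` would avoid relying on predictable paths. `progress_indicator` continues past the end of the hunk.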
@@ -5,6 +5,8 @@ source /opt/vyatta/sbin/install-functions # export INSTALL_LOG for the scripts invoked export INSTALL_LOG=/tmp/install-$$.log +# export PROGRESS_PID for the scripts invoked +export PROGRESS_PID=$$ # file for get-partition output PART_FILE='' @@ -114,12 +116,30 @@ fi trap sig_handler INT KILL trap exit_handler EXIT +cat <<EOF +Welcome to the Vyatta install program. This script +will walk you through the process of installing the +Vyatta image to a local hard drive. +EOF + +response='' +while [ -z $response ] +do + echo -n "Would you like to continue? (Yes/No) [Yes]: " + response=$(get_response "Yes" "Yes No Y N") + if [ "$response" == "no" ] || [ "$response" == "n" ]; then + fail_exit 'Ok then.' + fi +done + if is_live_cd_boot; then if [ -n "$NEW_ISO" ]; then - fail_exit 'Do not specify an image when installing from a live CD.' + echo 'You are trying to install from a live CD boot. The live CD image' + fail_exit 'will be used. Do not specify an ISO image file.' fi elif [ -z "$NEW_ISO" ]; then - fail_exit 'Must specify an image to install.' + echo 'You are trying to install from an already installed system. An ISO' + fail_exit 'image file to install must be specified.' else # installing on an installed system. set up the new image. set_up_new_iso diff --git a/scripts/install/install-image-existing b/scripts/install/install-image-existing index 0b5cba62..214fd2c8 100755 --- a/scripts/install/install-image-existing +++ b/scripts/install/install-image-existing 
@@ -87,19 +87,20 @@ if ! grep -q 'tmpfs /var/run ' $PI_FSTAB >&/dev/null; then echo 'tmpfs /var/run tmpfs nosuid,nodev 0 0' >$PI_FSTAB fi -# save current config if needed -def_cfg="$VYATTA_CFG_DIR/config.boot" -if [ -f "$def_cfg" ]; then +# save current config dir if needed +if [ -f "$VYATTA_CFG_DIR/config.boot" ]; then resp='' while [ -z "$resp" ]; do - echo 'Would you like to use the current configuration' + echo 'Would you like to save the current configuration ' + echo 'directory and use the current start-up configuration ' echo -n 'for the new version? (Yes/No) [Yes]: ' resp=$(get_response "Yes" "Yes No Y N") if [ "$resp" == 'yes' ] || [ "$resp" == 'y' ]; then echo 'Copying current configuration...' ndir=${INST_ROOT}${VYATTA_CFG_DIR} mkdir -p $ndir - cp -p $def_cfg $ndir/ + find $VYATTA_CFG_DIR -maxdepth 1 -mindepth 1 \ + -exec cp '-a' '{}' "$ndir/" ';' chgrp -R vyattacfg $ndir chmod -R 775 $ndir fi diff --git a/scripts/keepalived/vyatta-clear-vrrp.pl b/scripts/keepalived/vyatta-clear-vrrp.pl index 17dedc59..3a9733ed 100644 --- a/scripts/keepalived/vyatta-clear-vrrp.pl +++ b/scripts/keepalived/vyatta-clear-vrrp.pl @@ -25,6 +25,9 @@ use lib '/opt/vyatta/share/perl5/'; use Vyatta::Keepalived; +use Vyatta::Interface; +use Vyatta::Misc; + use Getopt::Long; use Sys::Syslog qw(:standard :macros); 
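Review bot: In the install-image-existing hunk, the whole configuration directory is now copied with `cp -a` and then `chmod -R 775 $ndir` is applied, which gives every copied file world-read and execute bits regardless of its mode in the source. When only config.boot was copied that affected a single file, but the directory may hold other material whose permissions matter (not visible from this hunk). Since `-a` already preserves modes, consider limiting the change to the directory itself, `chmod 775 "$ndir"`, and keeping `chgrp -R vyattacfg "$ndir"` if group ownership is what is needed. `$VYATTA_CFG_DIR` and `$ndir` are also unquoted in the `find`, `chgrp` and `chmod` calls.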
@@ -108,50 +111,25 @@ sub get_vrrp_intf_group { # # return an array of hashes that contains all the intf/group pairs # - my $config = new Vyatta::Config; - $config->setLevel('interfaces ethernet'); - my @eths = $config->listOrigNodes(); - foreach my $eth (@eths) { - my $path = "interfaces ethernet $eth"; + + foreach my $name ( getInterfaces() ) { + my $intf = new Vyatta::Interface($name); + next unless $intf; + my $path = $intf->path(); $config->setLevel($path); - if ($config->existsOrig("vrrp")) { + if ($config->existsOrig('vrrp')) { $path = "$path vrrp vrrp-group"; $config->setLevel($path); my @groups = $config->listOrigNodes(); foreach my $group (@groups) { my %hash; - $hash{'intf'} = $eth; + $hash{'intf'} = $name; $hash{'group'} = $group; $hash{'path'} = "$path $group"; push @array, {%hash}; } } - - $path = "interfaces ethernet $eth"; - $config->setLevel($path); - if ($config->existsOrig('vif')) { - my $path = "$path vif"; - $config->setLevel($path); - my @vifs = $config->listOrigNodes(); - foreach my $vif (@vifs) { - my $vif_intf = $eth . '.' . $vif; - my $vif_path = "$path $vif"; - $config->setLevel($vif_path); - if ($config->existsOrig('vrrp')) { - $vif_path = "$vif_path vrrp vrrp-group"; - $config->setLevel($vif_path); - my @groups = $config->listOrigNodes(); - foreach my $group (@groups) { - my %hash; - $hash{'intf'} = $vif_intf; - $hash{'group'} = $group; - $hash{'path'} = "$path $group"; - push @array, {%hash}; - } - } - } - } } return @array; @@ -204,7 +182,7 @@ my $login = getlogin(); # # clear_process # -if ($action eq "clear_process") { +if ($action eq 'clear_process') { syslog('warning', "clear vrrp process requested by $login"); if (Vyatta::Keepalived::is_running()) { print "Restarting VRRP...\n"; diff --git a/scripts/keepalived/vyatta-keepalived.pl b/scripts/keepalived/vyatta-keepalived.pl index f7d3a652..e87c9f64 100755 --- a/scripts/keepalived/vyatta-keepalived.pl +++ b/scripts/keepalived/vyatta-keepalived.pl 
@@ -235,62 +235,30 @@ sub vrrp_find_changes { my $config = new Vyatta::Config; my $vrrp_instances = 0; - $config->setLevel("interfaces ethernet"); - my @eths = $config->listNodes(); - foreach my $eth (@eths) { - my $path = "interfaces ethernet $eth"; + foreach my $name ( getInterfaces() ) { + my $intf = new Vyatta::Interface($name); + next unless $intf; + my $path = $intf->path(); $config->setLevel($path); if ($config->exists("vrrp")) { my %vrrp_status_hash = $config->listNodeStatus("vrrp"); my ($vrrp, $vrrp_status) = each(%vrrp_status_hash); if ($vrrp_status ne "static") { - push @list, $eth; - vrrp_log("$vrrp_status found $eth"); + push @list, $name; + vrrp_log("$vrrp_status found $name"); } } - if ($config->exists("vif")) { - my $path = "interfaces ethernet $eth vif"; - $config->setLevel($path); - my @vifs = $config->listNodes(); - foreach my $vif (@vifs) { - my $vif_intf = $eth . "." . $vif; - my $vif_path = "$path $vif"; - $config->setLevel($vif_path); - if ($config->exists("vrrp")) { - my %vrrp_status_hash = $config->listNodeStatus("vrrp"); - my ($vrrp, $vrrp_status) = each(%vrrp_status_hash); - if ($vrrp_status ne "static") { - push @list, "$eth.$vif"; - vrrp_log("$vrrp_status found $eth.$vif"); - } - } - } - } - } - # - # Now look for deleted from the origin tree - # - $config->setLevel("interfaces ethernet"); - @eths = $config->listOrigNodes(); - foreach my $eth (@eths) { - my $path = "interfaces ethernet $eth"; + # + # Now look for deleted from the origin tree + # $config->setLevel($path); if ($config->isDeleted("vrrp")) { - push @list, $eth; - vrrp_log("Delete found $eth"); - } - $config->setLevel("$path vif"); - my @vifs = $config->listOrigNodes(); - foreach my $vif (@vifs) { - my $vif_intf = $eth . "." . 
$vif; - my $vif_path = "$path vif $vif"; - $config->setLevel($vif_path); - if ($config->isDeleted("vrrp")) { - push @list, "$eth.$vif"; - vrrp_log("Delete found $eth.$vif"); - } + push @list, $name; + vrrp_log("Delete found $name"); } + + } my $num = scalar(@list); @@ -339,15 +307,25 @@ sub vrrp_update_config { my $output = "#\n# autogenerated by $0 on $date\n#\n\n"; my $config = new Vyatta::Config; - - $config->setLevel("interfaces ethernet"); - my @eths = $config->listNodes(); my $vrrp_instances = 0; - foreach my $eth (@eths) { - my $path = "interfaces ethernet $eth"; + + foreach my $name ( getInterfaces() ) { + my $intf = new Vyatta::Interface($name); + next unless $intf; + my $path = $intf->path(); $config->setLevel($path); if ($config->exists("vrrp")) { - my ($inst_output, @inst_errs) = keepalived_get_values($eth, $path); + # + # keepalived gets real grumpy with interfaces that + # don't exist, so skip vlans that haven't been + # instantiated yet (typically occurs at boot up). + # + if (!(-d "/sys/class/net/$name")) { + push @errs, "$name doesn't exist"; + next; + } + my ($inst_output, @inst_errs) = + keepalived_get_values($name, $path); if (scalar(@inst_errs)) { push @errs, @inst_errs; } else { 
@@ -355,35 +333,6 @@ sub vrrp_update_config { $vrrp_instances++; } } - if ($config->exists("vif")) { - my $path = "interfaces ethernet $eth vif"; - $config->setLevel($path); - my @vifs = $config->listNodes(); - foreach my $vif (@vifs) { - my $vif_path = "$path $vif"; - $config->setLevel($vif_path); - if ($config->exists("vrrp")) { - # - # keepalived gets real grumpy with interfaces that don't - # exist, so skip vlans that haven't been instantiated - # yet (typically occurs at boot up). - # - my $vif_intf = $eth . "." . $vif; - if (!(-d "/sys/class/net/$vif_intf")) { - push @errs, "vlan doesn't exist $vif_intf"; - next; - } - my ($inst_output, @inst_errs) = - keepalived_get_values($vif_intf, $vif_path); - if (scalar(@inst_errs)) { - push @errs, @inst_errs; - } else { - $output .= $inst_output; - $vrrp_instances++; - } - } - } - } } if ($vrrp_instances > 0) { 
@@ -408,35 +357,25 @@ sub list_vrrp_intf { my $config = new Vyatta::Config; my @intfs = (); - $config->setLevel("interfaces ethernet"); - my @eths = $config->listOrigNodes(); - foreach my $eth (@eths) { - my $path = "interfaces ethernet $eth"; + foreach my $name ( getInterfaces() ) { + my $intf = new Vyatta::Interface($name); + next unless $intf; + my $path = $intf->path(); $config->setLevel($path); - push @intfs, $eth if $config->existsOrig("vrrp"); - if ($config->existsOrig("vif")) { - my $path = "interfaces ethernet $eth vif"; - $config->setLevel($path); - my @vifs = $config->listOrigNodes(); - foreach my $vif (@vifs) { - my $vif_intf = $eth . "." . $vif; - my $vif_path = "$path $vif"; - $config->setLevel($vif_path); - push @intfs, $vif_intf if $config->existsOrig("vrrp"); - } - } + push @intfs, $name if $config->existsOrig("vrrp"); } + return @intfs; } sub list_vrrp_group { my ($name) = @_; - my $config = new Vyatta::Config; - my $path = "interfaces ethernet $name"; - if ($name =~ /(eth\d+)\.(\d+)/) { - $path = "interfaces ethernet $1 vif $2"; - } + my $path; + + my $intf = new Vyatta::Interface($name); + next unless $intf; + $path = $intf->path(); $path .= " vrrp vrrp-group"; $config->setLevel($path); my @groups = $config->listOrigNodes(); diff --git a/scripts/keepalived/vyatta-show-vrrp.pl b/scripts/keepalived/vyatta-show-vrrp.pl index 3015bc92..bcc6ca29 100755 --- a/scripts/keepalived/vyatta-show-vrrp.pl +++ b/scripts/keepalived/vyatta-show-vrrp.pl @@ -24,6 +24,7 @@ # use lib "/opt/vyatta/share/perl5/"; use Vyatta::Keepalived; +use Vyatta::Interface; use strict; use warnings; 
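Review bot: In `list_vrrp_group` the added `next unless $intf;` is not inside any loop of that sub, so for a name Vyatta::Interface does not recognise Perl either dies with a "Can't \"next\" outside a loop block" error or, when the caller happens to be in a loop, jumps into the caller's loop. `return unless $intf;` expresses the intended early exit. The sub continues beyond the end of the hunk.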
@@ -65,23 +66,22 @@ sub elapse_time { } sub get_state_link { - my $intf = shift; + my $intf_name = shift; - my $IFF_UP = 0x1; + my $intf = new Vyatta::Interface($intf_name); + die "Unknown interface [$intf_name]" unless $intf; + my ($state, $link); - my $flags = `cat /sys/class/net/$intf/flags 2> /dev/null`; - my $carrier = `cat /sys/class/net/$intf/carrier 2> /dev/null`; - chomp $flags; chomp $carrier; - my $hex_flags = hex($flags); - if ($hex_flags & $IFF_UP) { - $state = "up"; + if ($intf->up()) { + $state = 'up'; } else { - $state = "admin down"; + $state = 'admin down'; } - if ($carrier eq "1") { - $link = "up"; + + if ($intf->carrier() == 1) { + $link = 'up'; } else { - $link = "down"; + $link = 'down'; } return ($state, $link); } @@ -96,7 +96,7 @@ sub parse_arping { my @lines = <$FD>; close $FD; - my $mac = ''; + my $mac = undef; foreach my $line (@lines) { # regex for xx:xx:xx:xx:xx:xx if ($line =~ /(([0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2})/) { @@ -128,11 +128,13 @@ sub get_master_info { my $arp_file = "$master_file.arp"; my $source_ip = (vrrp_get_config($intf, $group))[0]; - # arping doesn't seem to work for vlans - if ($intf =~ /(eth\d+).\d+/) { - $intf = $1; + my $interface = new Vyatta::Interface($intf); + my $arp_intf = $intf; + if ($interface->vif()) { + $arp_intf = $interface->physicalDevice(); } - system("/usr/bin/arping -c1 -f -I $intf -s $source_ip $vip > $arp_file"); + my $cmd = "/usr/bin/arping -c1 -f -I $arp_intf -s $source_ip $vip"; + system("$cmd > $arp_file"); my $arp_mac = parse_arping($arp_file); if ( ! -f $master_file) { @@ -149,7 +151,7 @@ sub get_master_info { $master_mac =~ /show=\"(([0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2})/) { $master_mac = uc($1); - if ($arp_mac ne $master_mac) { + if (defined($arp_mac) and ($arp_mac ne $master_mac)) { Vyatta::Keepalived::snoop_for_master($intf, $group, $vip, 2); $master_ip = `grep ip.src $master_file 2> /dev/null`; } 
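Review bot: In the `get_master_info` hunk, `new Vyatta::Interface($intf)` is used without the undef check that `get_state_link` gains in this same commit, so an unrecognised name would fail on `$interface->vif()` with an unhelpful message; `die "Unknown interface [$intf]" unless $interface;` would match the other call site. The arping command is still assembled as one string and run through the shell with `$arp_intf`, `$source_ip`, `$vip` and `$arp_file` interpolated. As far as the page shows these come from configuration and state files, but reading arping's output through a list-form pipe `open` (or list-form `system` with the output file opened in Perl) would take the shell out of the path. The function starts and ends outside the hunk.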
@@ -172,7 +174,7 @@ sub get_master_info { $priority = "unknown"; } - return ($master_ip, $priority, $arp_mac); + return ($master_ip, $priority, $master_mac); } else { return ('unknown', 'unknown', ''); } @@ -188,7 +190,7 @@ sub vrrp_showsummary { my ($primary_addr, $priority, $preempt, $advert_int, $auth_type, @vips) = Vyatta::Keepalived::vrrp_get_config($intf, $group); my $format = "\n%-16s%-8s%-8s%-16s%-16s%-16s"; - my $vip = pop @vips; + my $vip = shift @vips; printf($format, $intf, $group, 'vip', $vip, $link, $state); foreach my $vip (@vips){ printf("\n%-24s%-8s%-16s", ' ', 'vip', $vip); @@ -251,7 +253,7 @@ sub vrrp_show { # # main # -my $intf = "eth"; +my @intfs = ("eth", "bond"); my $group = "all"; my $showsummary = 0; @@ -259,7 +261,7 @@ if ($#ARGV >= 0) { if ($ARGV[0] eq "summary") { $showsummary = 1; } else { - $intf = $ARGV[0]; + @intfs = ($ARGV[0]); } } @@ -284,9 +286,11 @@ if ($showsummary == 1) { $display_func = \&vrrp_show; } -my @state_files = Vyatta::Keepalived::get_state_files($intf, $group); -foreach my $state_file (@state_files) { - &$display_func($state_file); +foreach my $intf (@intfs) { + my @state_files = Vyatta::Keepalived::get_state_files($intf, $group); + foreach my $state_file (@state_files) { + &$display_func($state_file); + } } exit 0; diff --git a/scripts/keepalived/vyatta-vrrp-state.pl b/scripts/keepalived/vyatta-vrrp-state.pl index 930c7cd0..9bb54a0c 100755 --- a/scripts/keepalived/vyatta-vrrp-state.pl +++ b/scripts/keepalived/vyatta-vrrp-state.pl 
@@ -66,10 +66,10 @@ if (defined $old_state and $vrrp_state eq $old_state) { Vyatta::Keepalived::vrrp_log("$vrrp_intf $vrrp_group transition to $vrrp_state"); vrrp_state_log($vrrp_state, $vrrp_intf, $vrrp_group); -if ($vrrp_state eq "backup") { +if ($vrrp_state eq 'backup') { Vyatta::Keepalived::snoop_for_master($vrrp_intf, $vrrp_group, $vrrp_vips[0], 60); -} elsif ($vrrp_state eq "master") { +} elsif ($vrrp_state eq 'master') { # # keepalived will send gratuitous arp requests on master transition # but some hosts do not update their arp cache for gratuitous arp @@ -87,7 +87,7 @@ if ($vrrp_state eq "backup") { system("rm -f $mfile"); } -if (!($vrrp_transitionscript eq "null")){ +if (!($vrrp_transitionscript eq 'null')){ exec("$vrrp_transitionscript"); } diff --git a/scripts/rl-system.init b/scripts/rl-system.init index 3ca02ed2..2cca5d98 100755 --- a/scripts/rl-system.init +++ b/scripts/rl-system.init @@ -169,6 +169,11 @@ setup_ntp_config_file () { log_failure_msg "NTP template config file doesn\'t exist" fi } + +# restore PAM back to virgin state (no radius other services) +pam_reset () { + DEBIAN_FRONTEND=noninteractive pam-auth-update unix +} start () { udev_rescan @@ -182,6 +187,7 @@ start () { sysctl -q -e -p /opt/vyatta/etc/vyatta-sysctl.conf || log_failure_msg "can\'t configure kernel settings" set_ipv6_params + pam_reset update_version_info ## Clear out apt config file--it will be filled in by rtrmgr diff --git a/scripts/vyatta-grub-setup b/scripts/vyatta-grub-setup index 817223b3..487356c4 100755 --- a/scripts/vyatta-grub-setup +++ b/scripts/vyatta-grub-setup @@ -88,7 +88,7 @@ else fi if eval "$UNION"; then - GRUB_OPTIONS="boot=live live-media-path=/boot/$livedir persistent-path=/boot/$livedir quiet persistent noautologin nonetworking nouser hostname=vyatta" + GRUB_OPTIONS="boot=live quiet vyatta-union=/boot/$livedir" union_xen_kernel_version=$(ls $ROOTFSDIR/boot/$livedir/vmlinuz*-xen* \ 2>/dev/null \ | awk -F/ '{ print $6 }' \ 
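Review bot: In the rl-system.init hunks, `pam_reset` ignores the exit status of pam-auth-update, while the neighbouring steps in `start` report failures through `log_failure_msg`. If the reset fails at boot, the PAM stack left by the previous run (possibly with the radius profile still enabled) stays in place with nothing in the log. Something like `DEBIAN_FRONTEND=noninteractive pam-auth-update unix || log_failure_msg "PAM reset failed"` would keep it consistent with the surrounding code.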
@@ -253,17 +253,21 @@ fi # Set options for root password reset. Offer # options for both serial and KVM console. + reset_boot_path=/boot + if eval "$UNION"; then + reset_boot_path=/boot/$livedir + fi echo echo -e "menuentry \"Lost password change (KVM console)\" {" - echo -e "\tlinux /boot/vmlinuz $GRUB_OPTIONS $vga_logo $vty_console init=$pass_reset" - echo -e "\tinitrd /boot/initrd.img" + echo -e "\tlinux $reset_boot_path/vmlinuz $GRUB_OPTIONS $vga_logo $vty_console init=$pass_reset" + echo -e "\tinitrd $reset_boot_path/initrd.img" echo -e "}" echo echo -e "menuentry \"Lost password change (Serial console)\" {" - echo -e "\tlinux /boot/vmlinuz $GRUB_OPTIONS $serial_console init=$pass_reset" - echo -e "\tinitrd /boot/initrd.img" + echo -e "\tlinux $reset_boot_path/vmlinuz $GRUB_OPTIONS $serial_console init=$pass_reset" + echo -e "\tinitrd $reset_boot_path/initrd.img" echo -e "}" if [ -n "$diag_drive_number" ]; then diff --git a/sysconf/level b/sysconf/level new file mode 100644 index 00000000..9da13bf5 --- /dev/null +++ b/sysconf/level @@ -0,0 +1,2 @@ +admin:quaggavty,vyattacfg,sudo,adm,dip,disk +operator:quaggavty,vyattaop,operator,adm,dip diff --git a/sysconf/pam-radius b/sysconf/pam-radius deleted file mode 100644 index 0409dd44..00000000 --- a/sysconf/pam-radius +++ /dev/null @@ -1,12 +0,0 @@ -Name: Radius authentication -Default: no -Priority: 512 -Auth-Type: Primary -Auth: - [success=end default=ignore] pam_radius_auth.so try_first_pass -Auth-Initial: - [success=end default=ignore] pam_radius_auth.so -Account-Type: Primary -Account: - [success=end new_authtok_reqd=done default=ignore] pam_radius_auth.so try_first_pass - diff --git a/sysconf/pam_radius.cfg b/sysconf/pam_radius.cfg new file mode 100644 index 00000000..02ffc1c8 --- /dev/null +++ b/sysconf/pam_radius.cfg 
@@ -0,0 +1,11 @@ +Name: Radius client +Default: yes +Priority: 512 +Auth-Type: Primary +Auth: + sufficient pam_radius_auth.so try_first_pass +Auth-Initial: + sufficient pam_radius_auth.so +Account-Type: Primary +Account: + sufficient pam_radius_auth.so diff --git a/sysconf/protected-user b/sysconf/protected-user new file mode 100644 index 00000000..04a60974 --- /dev/null +++ b/sysconf/protected-user @@ -0,0 +1,2 @@ +root +www-data diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/node.def new file mode 100644 index 00000000..47aceb53 --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/node.def @@ -0,0 +1,5 @@ +help: Configure Virtual Router Redundancy Protocol (VRRP) parameters + +priority: 800 + +end:expression: "sudo /opt/vyatta/sbin/vyatta-keepalived.pl --vrrp-action update --intf $VAR(../../@).$VAR(../@) " diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.def new file mode 100644 index 00000000..d87ad6b7 --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.def @@ -0,0 +1,8 @@ +tag: +type: u32 +syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 255; "VRRP group must be between 1-255" +commit:expression: $VAR(virtual-address/) != ""; "Must define the virtual-address for vrrp-group $VAR(@)" +help: Set VRRP group number +delete:expression: "sudo /opt/vyatta/sbin/vyatta-keepalived.pl --vrrp-action delete --intf $VAR(../../../@).$VAR(../../@) --group $VAR(@) " +comp_help: possible completions + <1-255> VRRP group number diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/advertise-interval/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/advertise-interval/node.def new file mode 100644 index 00000000..59f2b451 --- /dev/null 
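Review bot: The `Account:` entry in `pam_radius.cfg` marks pam_radius_auth.so as `sufficient` at priority 512, so whenever that module returns success in the account phase the account modules after it are skipped, for local users as well. The module's account hook has historically been a stub that returns success (worth confirming for the packaged version), which would mean local expiry and lock checks never run while this profile is enabled. Unless RADIUS really has to decide account validity, drop the `Account-Type:` and `Account:` stanza and keep only the two `Auth` entries. The switch from `Default: no` to `Default: yes` also deserves a line of explanation, since it enables the profile whenever pam-auth-update is run with defaults.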
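Review bot: The range check in the vif `vrrp-group/node.def` accepts 0 although its message and completion help say 1-255: `$VAR(@) >= 0 && $VAR(@) <= 255`. Group 0 is not a usable VRRP virtual router ID, so the lower bound should be `$VAR(@) >= 1 && $VAR(@) <= 255; "VRRP group must be between 1-255"`. The same `>= 0` against a "1-255" message appears in the non-vif `bonding/node.tag/vrrp/vrrp-group/node.def` and in both `priority/node.def` files added by this commit.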
+++ b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/advertise-interval/node.def @@ -0,0 +1,6 @@ +type: u32 +default: 1 +help: Set advertise interval +syntax:expression: $VAR(@) >= 1 && $VAR(@) <=255; "Advertise interval must be between 1-255" +comp_help: possible completions + <1-255> Set advertise interval (default 1) diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/authentication/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/authentication/node.def new file mode 100644 index 00000000..adf78b3f --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/authentication/node.def @@ -0,0 +1,3 @@ +help: Set authentication +commit:expression: $VAR(./type/@) != ""; "You must set a authentication type" +commit:expression: $VAR(./password/@) != ""; "You must set a authentication password" diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/authentication/password/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/authentication/password/node.def new file mode 100644 index 00000000..9bd2e98d --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/authentication/password/node.def @@ -0,0 +1,9 @@ +type: txt +help: Set password +syntax:expression: exec " \ + if [ `echo -n $VAR(@) | wc -c` -gt 8 ]; then \ + echo Password must be 8 characters or less ; \ + exit 1 ; \ + fi ; " +comp_help: possible completions: + <text> Password (8 characters or less) diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/authentication/type/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/authentication/type/node.def new file mode 100644 index 00000000..7155495d --- /dev/null 
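Review bot: The length check in `authentication/password/node.def` pastes the password unquoted into a shell command, `echo -n $VAR(@) | wc -c`, so whitespace, globs, backticks or `;` in the value are interpreted by the shell, and the secret becomes part of that command string. A template-level pattern avoids the shell entirely: `syntax:expression: pattern $VAR(@) "^.{0,8}$"; "Password must be 8 characters or less"`. The non-vif copy at `bonding/node.tag/vrrp/vrrp-group/node.tag/authentication/password/node.def` is the same file (blob 9bd2e98d) and needs the same change.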
+++ b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/authentication/type/node.def @@ -0,0 +1,7 @@ +type: txt +help: Set authentication type +syntax:expression: $VAR(@) in "plaintext-password", "ah"; \ + "authentication must be plaintext-password or ah" +comp_help: possible completions: + plaintext-password Set plain text password mode + ah Set IP Authentication Header mode diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/description/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/description/node.def new file mode 100644 index 00000000..aeb40f0b --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/description/node.def @@ -0,0 +1,2 @@ +type: txt +help: Set description for this interface diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/disable/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/disable/node.def new file mode 100644 index 00000000..916e313b --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/disable/node.def @@ -0,0 +1 @@ +help: Set VRRP group disabled diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/hello-source-address/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/hello-source-address/node.def new file mode 100644 index 00000000..edb0d58a --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/hello-source-address/node.def @@ -0,0 +1,6 @@ +type: ipv4 + +help: Set hello-source-address + +comp_help: possible completions: + <x.x.x.x> Set source address for vrrp hello packets (optional) 
diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/preempt-delay/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/preempt-delay/node.def new file mode 100644 index 00000000..1638624e --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/preempt-delay/node.def @@ -0,0 +1,6 @@ +type: u32 +syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 1000; \ + "preempt-delay must be between 0-1000" +help: Set preempt-delay +comp_help: possible completions: + <0-1000> Set Preempt Delay in seconds diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/preempt/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/preempt/node.def new file mode 100644 index 00000000..7b3b9cbd --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/preempt/node.def @@ -0,0 +1,7 @@ +type: txt +help: Set preempt mode (default: true) +default: "true" +syntax:expression: $VAR(@) in "true", "false"; "preempt must be true or false" +comp_help: possible completions: + true (default) + false diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/priority/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/priority/node.def new file mode 100644 index 00000000..54de02c7 --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/priority/node.def @@ -0,0 +1,5 @@ +type: u32 +syntax:expression: $VAR(@) >= 0 &&$VAR(@) <= 255; "priority must be between 1-255" +help: Set priority +comp_help: possible completions: + <1-255> Set Priority 
diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/backup/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/backup/node.def new file mode 100644 index 00000000..44be2a7f --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/backup/node.def @@ -0,0 +1,4 @@ +help: Set an executable script to run on VRRP state-transition to backup +type: txt +syntax:expression: exec "[ -x $VAR(@) ] || exit 1"; "Backup Script should be an existing executable" + diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/fault/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/fault/node.def new file mode 100644 index 00000000..9f2557b3 --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/fault/node.def @@ -0,0 +1,4 @@ +help: Set an executable script to run on VRRP state-transition to fault +type: txt +syntax:expression: exec "[ -x $VAR(@) ] || exit 1"; "Fault Script should be an existing executable" + diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/master/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/master/node.def new file mode 100644 index 00000000..7f7d8895 --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/master/node.def @@ -0,0 +1,4 @@ +help: Set an executable script to run on VRRP state-transition to master +type: txt +syntax:expression: exec "[ -x $VAR(@) ] || exit 1"; "Master Script should be an existing executable" + 
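Review bot: `exec "[ -x $VAR(@) ] || exit 1"` expands the configured path unquoted inside a shell test, so a value with spaces or shell metacharacters is parsed as shell syntax rather than as a file name. Constrain the value before it reaches the shell and quote it, e.g. add `syntax:expression: pattern $VAR(@) "^/[-_./a-zA-Z0-9]+$"; "Script must be an absolute path"` ahead of `exec "[ -x '$VAR(@)' ] || exit 1"`. The check also only proves the file is executable at set time; it says nothing about who can modify it afterwards, which matters if the transition script runs with more privilege than the configuring user (worth confirming). The fault and master templates in this directory and the three non-vif copies under `bonding/node.tag/vrrp/` carry the same expression.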
diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/node.def new file mode 100644 index 00000000..ed959156 --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/node.def @@ -0,0 +1,2 @@ +help: Set scripts to run on VRRP state-transitions + diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/sync-group/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/sync-group/node.def new file mode 100644 index 00000000..9602a842 --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/sync-group/node.def @@ -0,0 +1,2 @@ +type: txt +help: Set to add this vrrp group to a sync group diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/virtual-address/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/virtual-address/node.def new file mode 100644 index 00000000..176287aa --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/virtual-address/node.def @@ -0,0 +1,22 @@ +multi: +type: txt +help: Set virtual address + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-keepalived.pl \ + --vrrp-action='check-vip' --vip='$VAR(@)' "\ + ; "Invalid virtual-address [$VAR(@)] for vrrp-group $VAR(../@)" + +syntax:expression: exec " + if echo '$VAR(@)' | grep -q '/' ; then + if /opt/vyatta/sbin/vyatta-interfaces.pl \ + --valid-addr $VAR(@) --dev $VAR(../../../@) ; then + exit 0 + else + echo Invalid vrrp virtual-address [$VAR(@)] for vrrp-group $VAR(../@) + exit 1 + fi + fi" + +comp_help: possible completions: + <x.x.x.x> Virtual IP address (up to 20 per group) + <x.x.x.x/x> Virtual IP address with prefix (up to 20 per group) 
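Review bot: In the vif copy of `virtual-address/node.def`, `--dev $VAR(../../../@)` appears to resolve to the vif tag value rather than a device name. The sibling vif `vrrp-group/node.def` builds the interface as `$VAR(../../../@).$VAR(../../@)` from one level higher, and this file is byte-identical to the non-vif template (both are blob 176287aa), where three levels up is the bonding interface itself. If that reading is right, the prefix check here runs against the wrong device and the line should be `--valid-addr '$VAR(@)' --dev $VAR(../../../../@).$VAR(../../../@) ; then`. Independently of the path, `$VAR(@)` is single-quoted in the `echo` and `--vip=` uses but unquoted after `--valid-addr` and in the error `echo`; the non-vif copy has the same unquoted uses.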
diff --git a/templates/interfaces/bonding/node.tag/vrrp/node.def b/templates/interfaces/bonding/node.tag/vrrp/node.def
new file mode 100644
index 00000000..adeb0564
--- /dev/null
+++ b/templates/interfaces/bonding/node.tag/vrrp/node.def
@@ -0,0 +1,5 @@
+help: Configure Virtual Router Redundancy Protocol (VRRP)
+
+priority: 800
+
+end:expression: "sudo /opt/vyatta/sbin/vyatta-keepalived.pl --vrrp-action update --intf $VAR(../@) "
diff --git a/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.def b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.def
new file mode 100644
index 00000000..a3ce1395
--- /dev/null
+++ b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.def
@@ -0,0 +1,8 @@
+tag:
+type: u32
+syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 255; "VRRP group must be between 1-255"
+commit:expression: $VAR(virtual-address/) != ""; "Must define the virtual-address for vrrp-group $VAR(@)"
+help: Set VRRP group number
+delete:expression: "sudo /opt/vyatta/sbin/vyatta-keepalived.pl --vrrp-action delete --intf $VAR(../../@) --group $VAR(@) "
+comp_help: possible completions
+ <1-255> VRRP group number
diff --git a/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/advertise-interval/node.def b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/advertise-interval/node.def
new file mode 100644
index 00000000..59f2b451
--- /dev/null
+++ b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/advertise-interval/node.def
@@ -0,0 +1,6 @@
+type: u32
+default: 1
+help: Set advertise interval
+syntax:expression: $VAR(@) >= 1 && $VAR(@) <=255; "Advertise interval must be between 1-255"
+comp_help: possible completions
+ <1-255> Set advertise interval (default 1)
diff --git a/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/authentication/node.def b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/authentication/node.def
new file mode 100644
index 00000000..adf78b3f
--- /dev/null
+++ b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/authentication/node.def @@ -0,0 +1,3 @@ +help: Set authentication +commit:expression: $VAR(./type/@) != ""; "You must set a authentication type" +commit:expression: $VAR(./password/@) != ""; "You must set a authentication password" diff --git a/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/authentication/password/node.def b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/authentication/password/node.def new file mode 100644 index 00000000..9bd2e98d --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/authentication/password/node.def @@ -0,0 +1,9 @@ +type: txt +help: Set password +syntax:expression: exec " \ + if [ `echo -n $VAR(@) | wc -c` -gt 8 ]; then \ + echo Password must be 8 characters or less ; \ + exit 1 ; \ + fi ; " +comp_help: possible completions: + <text> Password (8 characters or less) diff --git a/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/authentication/type/node.def b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/authentication/type/node.def new file mode 100644 index 00000000..687c6af6 --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/authentication/type/node.def @@ -0,0 +1,7 @@ +type: txt +help: Set authentication type +syntax:expression: $VAR(@) in "plaintext-password", "ah"; \ + "authentication must be plaintext-password or ah" +comp_help: possible completions: + plaintext-password Set plain text password mode + ah Set IP Authentication Header mode diff --git a/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/description/node.def b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/description/node.def new file mode 100644 index 00000000..aeb40f0b --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/description/node.def @@ -0,0 +1,2 @@ +type: txt +help: Set description for this interface 
diff --git a/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/disable/node.def b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/disable/node.def
new file mode 100644
index 00000000..916e313b
--- /dev/null
+++ b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/disable/node.def
@@ -0,0 +1 @@
+help: Set VRRP group disabled
diff --git a/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/hello-source-address/node.def b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/hello-source-address/node.def
new file mode 100644
index 00000000..edb0d58a
--- /dev/null
+++ b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/hello-source-address/node.def
@@ -0,0 +1,6 @@
+type: ipv4
+
+help: Set hello-source-address
+
+comp_help: possible completions:
+ <x.x.x.x> Set source address for vrrp hello packets (optional)
diff --git a/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/preempt-delay/node.def b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/preempt-delay/node.def
new file mode 100644
index 00000000..1638624e
--- /dev/null
+++ b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/preempt-delay/node.def
@@ -0,0 +1,6 @@
+type: u32
+syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 1000; \
+ "preempt-delay must be between 0-1000"
+help: Set preempt-delay
+comp_help: possible completions:
+ <0-1000> Set Preempt Delay in seconds
diff --git a/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/preempt/node.def b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/preempt/node.def
new file mode 100644
index 00000000..4ed282ed
--- /dev/null
+++ b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/preempt/node.def
@@ -0,0 +1,7 @@
+type: txt
+help: Set preempt mode
+default: "true"
+syntax:expression: $VAR(@) in "true", "false"; "preempt must be true or false"
+comp_help: possible completions:
+ true (default)
+ false
diff --git a/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/priority/node.def b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/priority/node.def new file mode 100644 index 00000000..54de02c7 --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/priority/node.def @@ -0,0 +1,5 @@ +type: u32 +syntax:expression: $VAR(@) >= 0 &&$VAR(@) <= 255; "priority must be between 1-255" +help: Set priority +comp_help: possible completions: + <1-255> Set Priority diff --git a/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/backup/node.def b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/backup/node.def new file mode 100644 index 00000000..44be2a7f --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/backup/node.def @@ -0,0 +1,4 @@ +help: Set an executable script to run on VRRP state-transition to backup +type: txt +syntax:expression: exec "[ -x $VAR(@) ] || exit 1"; "Backup Script should be an existing executable" + diff --git a/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/fault/node.def b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/fault/node.def new file mode 100644 index 00000000..9f2557b3 --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/fault/node.def @@ -0,0 +1,4 @@ +help: Set an executable script to run on VRRP state-transition to fault +type: txt +syntax:expression: exec "[ -x $VAR(@) ] || exit 1"; "Fault Script should be an existing executable" + diff --git a/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/master/node.def b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/master/node.def new file mode 100644 index 00000000..7f7d8895 --- /dev/null 
+++ b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/master/node.def @@ -0,0 +1,4 @@ +help: Set an executable script to run on VRRP state-transition to master +type: txt +syntax:expression: exec "[ -x $VAR(@) ] || exit 1"; "Master Script should be an existing executable" + diff --git a/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/node.def b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/node.def new file mode 100644 index 00000000..3abc1696 --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/run-transition-scripts/node.def @@ -0,0 +1,2 @@ +help: Set scripts for VRRP state-transitions + diff --git a/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/sync-group/node.def b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/sync-group/node.def new file mode 100644 index 00000000..9602a842 --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/sync-group/node.def @@ -0,0 +1,2 @@ +type: txt +help: Set to add this vrrp group to a sync group diff --git a/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/virtual-address/node.def b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/virtual-address/node.def new file mode 100644 index 00000000..176287aa --- /dev/null +++ b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/virtual-address/node.def 
@@ -0,0 +1,22 @@ +multi: +type: txt +help: Set virtual address + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-keepalived.pl \ + --vrrp-action='check-vip' --vip='$VAR(@)' "\ + ; "Invalid virtual-address [$VAR(@)] for vrrp-group $VAR(../@)" + +syntax:expression: exec " + if echo '$VAR(@)' | grep -q '/' ; then + if /opt/vyatta/sbin/vyatta-interfaces.pl \ + --valid-addr $VAR(@) --dev $VAR(../../../@) ; then + exit 0 + else + echo Invalid vrrp virtual-address [$VAR(@)] for vrrp-group $VAR(../@) + exit 1 + fi + fi" + +comp_help: possible completions: + <x.x.x.x> Virtual IP address (up to 20 per group) + <x.x.x.x/x> Virtual IP address with prefix (up to 20 per group) diff --git a/templates/interfaces/ethernet/node.tag/bond-group/node.def b/templates/interfaces/ethernet/node.tag/bond-group/node.def index 7b6df036..c173ae3f 100644 --- a/templates/interfaces/ethernet/node.tag/bond-group/node.def +++ b/templates/interfaces/ethernet/node.tag/bond-group/node.def @@ -6,7 +6,7 @@ commit:expression: exec \ allowed: ${vyatta_sbindir}/vyatta-interfaces.pl --show=bonding -update: OLDG=`${vyatta_sbindir}/vyatta-cli-expand-var.pl \$\(/interfaces/ethernet/$VAR(../@)/bond-group/@\)` +update: OLDG=`${vyatta_sbindir}/vyatta-cli-expand-var.pl \\$VAR\(/interfaces/ethernet/$VAR(../@)/bond-group/@\)` if [ -n "$OLDG" ]; then sudo ${vyatta_sbindir}/vyatta-bonding.pl --dev=$OLDG --remove=$VAR(../@) fi diff --git a/templates/interfaces/ethernet/node.tag/bridge-group/node.def b/templates/interfaces/ethernet/node.tag/bridge-group/node.def index 5ea9da19..b30a9e10 100644 --- a/templates/interfaces/ethernet/node.tag/bridge-group/node.def +++ b/templates/interfaces/ethernet/node.tag/bridge-group/node.def 
@@ -2,7 +2,7 @@ help: Add this interface to a bridge group end: ethif=$VAR(../@) - oldbridge=`/opt/vyatta/sbin/vyatta-cli-expand-var.pl \$\(/interfaces/ethernet/$ethif/bridge-group/bridge/@\)` + oldbridge=`/opt/vyatta/sbin/vyatta-cli-expand-var.pl \\$VAR\(/interfaces/ethernet/$ethif/bridge-group/bridge/@\)` newbridge="$VAR(./bridge/@)" if [ ${COMMIT_ACTION} = 'SET' ]; then diff --git a/templates/interfaces/ethernet/node.tag/vif/node.tag/bridge-group/node.def b/templates/interfaces/ethernet/node.tag/vif/node.tag/bridge-group/node.def index 0bade03a..e3645b1c 100644 --- a/templates/interfaces/ethernet/node.tag/vif/node.tag/bridge-group/node.def +++ b/templates/interfaces/ethernet/node.tag/vif/node.tag/bridge-group/node.def @@ -5,7 +5,7 @@ end: eth=$VAR(../../@) vif=$VAR(../@) ethif=$eth.$vif - oldbridge=`/opt/vyatta/sbin/vyatta-cli-expand-var.pl \$\(/interfaces/ethernet/$eth/vif/$vif/bridge-group/bridge/@\)` + oldbridge=`/opt/vyatta/sbin/vyatta-cli-expand-var.pl \\$VAR\(/interfaces/ethernet/$eth/vif/$vif/bridge-group/bridge/@\)` newbridge="$VAR(./bridge/@)" if [ ${COMMIT_ACTION} = 'SET' ]; then |