-rw-r--r--Makefile.am1
-rw-r--r--debian/changelog32
-rw-r--r--debian/vyatta-cfg-system.postinst.in60
-rw-r--r--debian/vyatta-cfg-system.postrm1
-rwxr-xr-xscripts/keepalived/vyatta-keepalived.pl4
-rwxr-xr-xscripts/keepalived/vyatta-show-vrrp.pl6
-rwxr-xr-xscripts/system/vyatta_update_ntp.pl2
-rw-r--r--sysconf/sudoers51
-rw-r--r--templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/interface/node.def1
-rw-r--r--templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/interface/node.def1
-rw-r--r--templates/interfaces/ethernet/node.tag/disable-flow-control/node.def4
11 files changed, 105 insertions, 58 deletions
diff --git a/Makefile.am b/Makefile.am
index 0bfd2c4f..7a7559f7 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -107,6 +107,7 @@ sysconf_DATA += sysconf/pam_radius.cfg
sysconf_DATA += sysconf/filecaps
sysconf_DATA += sysconf/capability.conf
sysconf_DATA += sysconf/cpufrequtils
+sysconf_DATA += sysconf/sudoers
libudevdir = /lib/udev
udevrulesdir = /lib/udev/rules.d
diff --git a/debian/changelog b/debian/changelog
index 40916f0b..20f0f40b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,35 @@
+vyatta-cfg-system (0.19.132) unstable; urgency=low
+
+ * Move vyatta changes to sudoers to separate file
+ * change mode of /etc/sudoers.d/vyatta
+ * sudoers: expand ${bindir}
+
+ -- Stephen Hemminger <shemminger@vyatta.com> Tue, 29 Nov 2011 13:57:50 -0800
+
+vyatta-cfg-system (0.19.131) unstable; urgency=low
+
+ * Display vmac interface name in "show vrrp interfaces ..." command
+
+ -- Bob Gilligan <gilligan@vyatta.com> Mon, 28 Nov 2011 18:06:04 -0800
+
+vyatta-cfg-system (0.19.130) unstable; urgency=low
+
+ * Support VRRP virtual MAC interfaces above bond and bond vif
+ interfaces
+
+ -- Bob Gilligan <gilligan@vyatta.com> Mon, 28 Nov 2011 15:41:39 -0800
+
+vyatta-cfg-system (0.19.129) unstable; urgency=low
+
+ [ Stephen Hemminger ]
+ * Remove unnecessary sudo on ethtool
+ * Fix perl deprecated warning with 5.14
+
+ [ Bob Gilligan ]
+ * Use new naming convention for VRRP virtual mac interfaces.
+
+ -- Bob Gilligan <gilligan@vyatta.com> Mon, 28 Nov 2011 15:15:13 -0800
+
vyatta-cfg-system (0.19.128) unstable; urgency=low
* Fix dyndns failure caused by commit:
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index a95b7bcc..6ce0a870 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -62,65 +62,19 @@ if [ "$sysconfdir" != "/etc" ]; then
sed -i '/^UseDNS/d' /etc/ssh/sshd_config
echo 'UseDNS yes' >>/etc/ssh/sshd_config
- # for "admin" level
- sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers
- if ! grep -q '^%sudo ALL=NOPASSWD: ALL' /etc/sudoers; then
- echo -e "\n%sudo ALL=NOPASSWD: ALL" >> /etc/sudoers
- fi
-
- # cleanup any old entries from previous versions
+ # cleanup any old entries in /etc/sudoers from previous versions
sed -i /etc/sudoers \
-e '/### BEGIN VYATTA/,/### END VYATTA/d' \
-e '/Cmnd_Alias IPTABLE/,/PPPOE_CMDS/d' \
-e '/sudo-users/d' \
-e '/env_keep+=VYATTA/d' || true
- # Add Vyatta entries
- cat <<"EOF" >>/etc/sudoers
-### BEGIN VYATTA
-Defaults syslog_goodpri=info
-Defaults env_keep+=VYATTA_*
-
-Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\
- /sbin/iptables -L -vn,\
- /sbin/iptables -L * -vn,\
- /sbin/iptables -t * -L *, \
- /sbin/iptables -Z *,\
- /sbin/iptables -Z -t nat, \
- /sbin/iptables -t * -Z *
-Cmnd_Alias IP6TABLES = /sbin/ip6tables -t * -Z *, \
- /sbin/ip6tables -t * -L *
-Cmnd_Alias CONNTRACK = /usr/sbin/conntrack -L *, \
- /usr/sbin/conntrack -G *, \
- /usr/sbin/conntrack -E *
-Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \
- /sbin/ip route flush cache *,\
- /sbin/ip neigh flush to *, \
- /sbin/ip neigh flush dev *, \
- /sbin/ip -f inet6 route flush cache, \
- /sbin/ip -f inet6 route flush cache *,\
- /sbin/ip -f inet6 neigh flush to *, \
- /sbin/ip -f inet6 neigh flush dev *
-Cmnd_Alias ETHTOOL = /sbin/ethtool -p *, \
- /sbin/ethtool -S *, \
- /sbin/ethtool -a *, \
- /sbin/ethtool -c *, \
- /sbin/ethtool -i *
-Cmnd_Alias DISK = /usr/bin/lsof, /sbin/fdisk -l *, /sbin/sfdisk -d *
-Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate
-Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff, /usr/sbin/pppstats
-Cmnd_Alias PCAPTURE = /usr/bin/tshark, /usr/bin/tcpdump
-Cmnd_Alias HWINFO = /usr/bin/lspci
-Cmnd_Alias FORCE_CLUSTER = /usr/share/heartbeat/hb_takeover, \
- /usr/share/heartbeat/hb_standby
-%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \
- PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \
- DISK, CONNTRACK, IP6TABLES, FORCE_CLUSTER
-EOF
- cat <<EOF >>/etc/sudoers
-%users ALL=NOPASSWD: ${bindir}/sudo-users/
-### END VYATTA
-EOF
+ # Turn off Debian default for %sudo
+ sed -i -e '/^%sudo/d' /etc/sudoers || true
+
+ # Add Vyatta entries for sudoers
+ cp $sysconfdir/sudoers /etc/sudoers.d/vyatta
+ chmod 0440 /etc/sudoers.d/vyatta
# set up blacklists
for f in blacklist.DSA-1024 blacklist.RSA-2048; do
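Review bot: The drop-in is copied and only then restricted (`cp $sysconfdir/sudoers /etc/sudoers.d/vyatta` followed by `chmod 0440`), so it briefly exists with whatever mode and owner cp produced, and it is never syntax-checked before sudo starts reading it. Validating first and installing in one step would be safer: `visudo -c -f "$sysconfdir/sudoers" && install -o root -g root -m 0440 "$sysconfdir/sudoers" /etc/sudoers.d/vyatta`. The preceding `sed -i -e '/^%sudo/d' /etc/sudoers` removes the admin rule from the main file, so if /etc/sudoers lacks a `#includedir /etc/sudoers.d` line (not checked here) members of group sudo would presumably lose access. The postrm hunk in this commit also drops the purge-time cleanup without adding `rm -f /etc/sudoers.d/vyatta`, so the NOPASSWD rules would stay behind after a purge, because postinst creates the file rather than the package shipping it at that path. The enclosing `if [ "$sysconfdir" != "/etc" ]` block starts before and ends after this hunk.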
diff --git a/debian/vyatta-cfg-system.postrm b/debian/vyatta-cfg-system.postrm
index 413780b5..752265e2 100644
--- a/debian/vyatta-cfg-system.postrm
+++ b/debian/vyatta-cfg-system.postrm
@@ -1,7 +1,6 @@
#!/bin/bash
if [ "$1" = "purge" ]; then
- sed -i -e '/### BEGIN VYATTA/,/### END VYATTA/d' /etc/sudoers
sed -i -e 'g/^password/d' /etc/pam.d/password
update-rc.d vyatta-config-reboot-params remove
fi
diff --git a/scripts/keepalived/vyatta-keepalived.pl b/scripts/keepalived/vyatta-keepalived.pl
index e834745b..f419ac41 100755
--- a/scripts/keepalived/vyatta-keepalived.pl
+++ b/scripts/keepalived/vyatta-keepalived.pl
@@ -247,7 +247,9 @@ sub keepalived_get_values {
$output .= "\tinterface $intf\n";
$output .= "\tvirtual_router_id $group\n";
if ($use_vmac) {
- $output .= "\tuse_vmac\n";
+ $output .= "\tuse_vmac $intf";
+ $output .= "v";
+ $output .= "$group\n";
}
$output .= "\tpriority $priority\n";
if ( $preempt eq "false" ) {
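Review bot: The vmac device name is assembled in three appends here and rebuilt independently in vyatta-show-vrrp.pl (`my $vma = "$intf" . "v" . "$group";`), so the naming convention lives in two places that can drift apart. A single expression such as `$output .= "\tuse_vmac ${intf}v${group}\n";` is easier to read, and a shared helper would keep both scripts in agreement. Nothing visible checks the length of the resulting name; Linux interface names are limited to 15 characters, so a long parent name (a bond vif, for instance) plus `v` and the group id may be rejected when keepalived starts, which is worth validating at commit time. keepalived_get_values starts and ends outside this hunk.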
diff --git a/scripts/keepalived/vyatta-show-vrrp.pl b/scripts/keepalived/vyatta-show-vrrp.pl
index 28a9970c..68a98390 100755
--- a/scripts/keepalived/vyatta-show-vrrp.pl
+++ b/scripts/keepalived/vyatta-show-vrrp.pl
@@ -188,6 +188,7 @@ sub vrrp_showsummary {
my ($interface_state, $link) = get_state_link($intf);
if ($state eq "master" || $state eq "backup" || $state eq "fault") {
my ($primary_addr, $priority, $preempt, $advert_int, $auth_type,
+ $vmac_interface,
@vips) = Vyatta::Keepalived::vrrp_get_config($intf, $group);
my $format = "\n%-16s%-8s%-8s%-16s%-16s%-16s";
my $vip = shift @vips;
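Review bot: Inserting `$vmac_interface` into the middle of the positional list returned by `Vyatta::Keepalived::vrrp_get_config` makes every caller order-dependent; a caller that is not updated would silently take the vmac flag as its first VIP. The definition of vrrp_get_config is not part of this diff, so the return order cannot be confirmed from here. In vrrp_showsummary the new variable is unpacked but, in the lines shown, never used; a comment such as `# $vmac_interface unused here; kept to match vrrp_get_config's return order` would make that intentional. The same unpacking is repeated in vrrp_show in the next hunk, and returning a hash would remove the ordering hazard for both. Both functions continue outside their hunks.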
@@ -210,9 +211,14 @@ sub vrrp_show {
my $first_vip = '';
if ($state eq "master" || $state eq "backup" || $state eq "fault") {
my ($primary_addr, $priority, $preempt, $advert_int, $auth_type,
+ $vmac_interface,
@vips) = Vyatta::Keepalived::vrrp_get_config($intf, $group);
my $sync = list_vrrp_sync_group($intf, $group);
print "Physical interface: $intf, Source Address $primary_addr\n";
+ if ($vmac_interface) {
+ my $vma = "$intf" . "v" . "$group";
+ print " Virtual MAC interface: $vma\n";
+ }
print " Interface state: $link, Group $group, State: $state\n";
print " Priority: $priority, Advertisement interval: $advert_int, ";
print "Authentication type: $auth_type\n";
diff --git a/scripts/system/vyatta_update_ntp.pl b/scripts/system/vyatta_update_ntp.pl
index 3cb19804..4619b3bc 100755
--- a/scripts/system/vyatta_update_ntp.pl
+++ b/scripts/system/vyatta_update_ntp.pl
@@ -32,7 +32,7 @@ $cfg->setLevel("system ntp");
foreach my $server ($cfg->listNodes("server")) {
print "server $server iburst";
- for my $property qw(dynamic noselect preempt prefer) {
+ for my $property (qw(dynamic noselect preempt prefer)) {
print " $property" if ($cfg->exists("$server $property"));
}
print "\n";
diff --git a/sysconf/sudoers b/sysconf/sudoers
new file mode 100644
index 00000000..766e64f2
--- /dev/null
+++ b/sysconf/sudoers
@@ -0,0 +1,51 @@
+#
+# Vyatta modifications to sudo configuration
+#
+Defaults syslog_goodpri=info
+Defaults env_keep+=VYATTA_*
+
+#
+# Command groups allowed for operator users
+#
+Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\
+ /sbin/iptables -L -vn,\
+ /sbin/iptables -L * -vn,\
+ /sbin/iptables -t * -L *, \
+ /sbin/iptables -Z *,\
+ /sbin/iptables -Z -t nat, \
+ /sbin/iptables -t * -Z *
+Cmnd_Alias IP6TABLES = /sbin/ip6tables -t * -Z *, \
+ /sbin/ip6tables -t * -L *
+Cmnd_Alias CONNTRACK = /usr/sbin/conntrack -L *, \
+ /usr/sbin/conntrack -G *, \
+ /usr/sbin/conntrack -E *
+Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \
+ /sbin/ip route flush cache *,\
+ /sbin/ip neigh flush to *, \
+ /sbin/ip neigh flush dev *, \
+ /sbin/ip -f inet6 route flush cache, \
+ /sbin/ip -f inet6 route flush cache *,\
+ /sbin/ip -f inet6 neigh flush to *, \
+ /sbin/ip -f inet6 neigh flush dev *
+Cmnd_Alias ETHTOOL = /sbin/ethtool -p *, \
+ /sbin/ethtool -S *, \
+ /sbin/ethtool -a *, \
+ /sbin/ethtool -c *, \
+ /sbin/ethtool -i *
+Cmnd_Alias DISK = /usr/bin/lsof, /sbin/fdisk -l *, /sbin/sfdisk -d *
+Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate
+Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff, /usr/sbin/pppstats
+Cmnd_Alias PCAPTURE = /usr/bin/tshark, /usr/bin/tcpdump
+Cmnd_Alias HWINFO = /usr/bin/lspci
+Cmnd_Alias FORCE_CLUSTER = /usr/share/heartbeat/hb_takeover, \
+ /usr/share/heartbeat/hb_standby
+%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \
+ PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \
+ DISK, CONNTRACK, IP6TABLES, FORCE_CLUSTER
+
+# Allow any user to run files in sudo-users
+%users ALL=NOPASSWD: /opt/vyatta/bin/sudo-users/
+
+# Allow members of group sudo to execute any command
+%sudo ALL=NOPASSWD: ALL
+
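Review bot: Several entries granted to %operator are broader than their alias names suggest: in sudoers a `*` in the argument list matches any characters including spaces, so patterns such as `/sbin/iptables -t * -L *` do not confine callers to listing, and `/sbin/pppd`, `/usr/bin/tcpdump`, `/usr/bin/tshark` and `/bin/date` are allowed as root with arbitrary arguments. These rules are carried over from the old postinst heredoc, but moving them into a standalone file is a good moment to document the scope, e.g. `# NOTE: '*' matches across whitespace; these aliases do not restrict trailing options` above the Cmnd_Alias block, and to consider argument-validating wrapper scripts for the unrestricted commands. The `%users` rule now hard-codes `/opt/vyatta/bin/sudo-users/` where the removed heredoc expanded `${bindir}`, so a build with a different prefix would point at the wrong directory. Every file in that directory runs as root without a password, so the directory and its contents should be owned by root and writable by root only.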
diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/interface/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/interface/node.def
new file mode 100644
index 00000000..03f22d28
--- /dev/null
+++ b/templates/interfaces/bonding/node.tag/vif/node.tag/vrrp/vrrp-group/node.tag/interface/node.def
@@ -0,0 +1 @@
+help: Configure a virtual MAC interface
diff --git a/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/interface/node.def b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/interface/node.def
new file mode 100644
index 00000000..03f22d28
--- /dev/null
+++ b/templates/interfaces/bonding/node.tag/vrrp/vrrp-group/node.tag/interface/node.def
@@ -0,0 +1 @@
+help: Configure a virtual MAC interface
diff --git a/templates/interfaces/ethernet/node.tag/disable-flow-control/node.def b/templates/interfaces/ethernet/node.tag/disable-flow-control/node.def
index 702e1d29..ef62b4e1 100644
--- a/templates/interfaces/ethernet/node.tag/disable-flow-control/node.def
+++ b/templates/interfaces/ethernet/node.tag/disable-flow-control/node.def
@@ -2,7 +2,7 @@ priority: 320 # Must run after interface is configured.
help: Disable Ethernet flow control (pause frames)
-create: sudo ethtool --pause $VAR(../@) autoneg off tx off rx off
+create: ethtool --pause $VAR(../@) autoneg off tx off rx off
delete: [ -d /sys/class/net/$VAR(../@) ] || exit 0
- sudo ethtool --pause $VAR(../@) autoneg on tx on rx on
+ ethtool --pause $VAR(../@) autoneg on tx on rx on