From 1ee415d4070b0c9b70de86805e27f5c12abadce5 Mon Sep 17 00:00:00 2001
From: UnicronNL
Date: Fri, 24 Jul 2015 14:51:54 +0200
Subject: Remove fuse group, not needed in debian jessie

---
 sysconf/filecaps | 5 ++---
 sysconf/level | 2 +-
 2 files changed, 3 insertions(+), 4 deletions(-)
(limited to 'sysconf')
diff --git a/sysconf/filecaps b/sysconf/filecaps
index 98ada7a3..85e83668 100644
--- a/sysconf/filecaps
+++ b/sysconf/filecaps
@@ -9,7 +9,7 @@ cap_net_admin=pe /sbin/xtables-multi
 cap_net_admin=pe /usr/sbin/ipset
 cap_net_admin=pe /usr/sbin/conntrack
 cap_net_admin=pe /usr/sbin/arp
-cap_net_admin=pe /usr/sbin/brctl
+cap_net_admin=pe /sbin/brctl
 
 # Raw sockets
 cap_net_raw=pe /usr/bin/tshark
@@ -20,8 +20,7 @@ cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
 cap_net_admin,cap_sys_admin=pe /sbin/sysctl
 
 # Module install
-cap_sys_module=pe /sbin/modprobe
-cap_sys_module=pe /sbin/rmmod
+cap_sys_module=pe /bin/kmod
 
 # Set time
 cap_sys_time=pe /bin/date
diff --git a/sysconf/level b/sysconf/level
index 83c60e05..9da13bf5 100644
--- a/sysconf/level
+++ b/sysconf/level
@@ -1,2 +1,2 @@
-admin:quaggavty,vyattacfg,sudo,adm,dip,disk,fuse
+admin:quaggavty,vyattacfg,sudo,adm,dip,disk
 operator:quaggavty,vyattaop,operator,adm,dip
-- 
cgit v1.2.3

From 08ec1c93a80be4b4dcec5d4fa4723133225b1367 Mon Sep 17 00:00:00 2001
From: Kim Hagen
Date: Fri, 5 Feb 2016 14:24:07 -0500
Subject: fix: "action '*' treated as ':omusrmsg:*' - please change syntax"

---
 sysconf/rsyslog.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'sysconf')
diff --git a/sysconf/rsyslog.conf b/sysconf/rsyslog.conf
index 56c7e15c..961806dc 100644
--- a/sysconf/rsyslog.conf
+++ b/sysconf/rsyslog.conf
@@ -58,4 +58,4 @@ $IncludeConfig /etc/rsyslog.d/*.conf
 auth,authpriv.* /var/log/auth.log
 
 # Emergencies are sent to everybody logged in.
-*.emerg *
+*.emerg :omusrmsg:*
-- 
cgit v1.2.3

From 250ce3efbd6b8a56c40cd329d43531ebf45e117d Mon Sep 17 00:00:00 2001
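Review bot: `cap_sys_module=pe /bin/kmod` in the second filecaps hunk attaches the capability to the whole kmod multi-call binary, so it covers insmod, depmod and modinfo as well as the modprobe and rmmod entries it replaces; modprobe only loads from the module directory, while insmod loads a module from any path the caller names. On Debian jessie /sbin/modprobe and /sbin/rmmod are symlinks to /bin/kmod and setcap follows symlinks, so the effective scope was probably already this wide, but the file now makes that explicit without saying so. With `=pe` the capability is effective for any user able to execute the binary, so it is worth recording the assumption that only the admin group reaches it: `# kmod is a multi-call binary: this also grants the cap to insmod/depmod/modinfo`.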
From: Kim Hagen Date: Tue, 6 Sep 2016 15:25:59 +0200 Subject: Some devices use ethernet switch chips which use 'lan' interfaces, this will add the option to also configure these in VyOS. --- sysconf/netdevice | 1 + templates/interfaces/ethernet/node.def | 16 ++++++++++++++-- 2 files changed, 15 insertions(+), 2 deletions(-) (limited to 'sysconf') diff --git a/sysconf/netdevice b/sysconf/netdevice index 71fc310d..43634748 100644 --- a/sysconf/netdevice +++ b/sysconf/netdevice @@ -1,6 +1,7 @@ # device name to CLI path matching lo loopback eth ethernet +lan ethernet ifb input peth pseudo-ethernet br bridge diff --git a/templates/interfaces/ethernet/node.def b/templates/interfaces/ethernet/node.def index bdbdb0d5..2af57e0a 100644 --- a/templates/interfaces/ethernet/node.def +++ b/templates/interfaces/ethernet/node.def @@ -4,13 +4,18 @@ type: txt help: Ethernet interface name allowed: /opt/vyatta/sbin/vyatta-interfaces.pl --show=ethernet val_help: ; Ethernet interface name -syntax:expression: pattern $VAR(@) "^eth[0-9]+$" \ +syntax:expression: pattern $VAR(@) "^(eth|lan)[0-9]+$" \ ; "interface ethernet $VAR(@): not a valid name" syntax:expression: exec \ "if [ ! -d /sys/class/net/$VAR(@) ]; then \ echo \"interface ethernet $VAR(@): does not exist\"; exit 1; \ + fi + + if ip link show | awk '{print $2 }' | grep -ao \"lan[0-9]@$VAR(@)\" > /dev/null 2>&1 ; then \ + echo \"interface ethernet $VAR(@): is a switch master interface and not configurable, please use 'lan' interfaces\"; + exit 1; \ fi" begin: rm -f /tmp/speed-duplex.$VAR(@) @@ -26,7 +31,14 @@ begin: rm -f /tmp/speed-duplex.$VAR(@) create: if ! cli-shell-api exists interfaces ethernet $VAR(@) disable; - then ip link set $VAR(@) up + then + case "$VAR(@)" in + *lan*) + masterint=$(ip link show $VAR(@) | awk 'NR==1{print $2 }' | grep -ao "eth[0-9]") + ip link set $masterint up + ;; + esac + ip link set $VAR(@) up fi /opt/vyatta/sbin/vyatta-link-detect $VAR(@) on -- cgit v1.2.3 
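Review bot: The interface-number patterns added to templates/interfaces/ethernet/node.def match a single digit (`lan[0-9]@$VAR(@)` in the exec check, `eth[0-9]` in the `create:` hunk) while the same commit widens the name syntax to `^(eth|lan)[0-9]+$`, so for a master such as eth10 the switch-master check misses and `masterint` becomes `eth1`, bringing up the wrong interface. The same `grep -ao` pattern should use `[0-9]\+` in both places, e.g. `masterint=$(ip link show $VAR(@) | awk 'NR==1{print $2 }' | grep -ao "eth[0-9]\+")`. In the `create:` hunk `ip link set $masterint up` also runs with an empty variable when grep finds nothing; guard it with `[ -n "$masterint" ] && ip link set "$masterint" up`. The node definition continues beyond both hunks.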
From a3d11e6c039b9c3226325ce01e39f6affa56a46a Mon Sep 17 00:00:00 2001
From: Daniil Baturin
Date: Mon, 19 Feb 2018 15:00:36 +0100
Subject: Adjust rsyslog.conf to use the journald forwarding (T552).

---
 sysconf/rsyslog.conf | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'sysconf')
diff --git a/sysconf/rsyslog.conf b/sysconf/rsyslog.conf
index 961806dc..7db872bf 100644
--- a/sysconf/rsyslog.conf
+++ b/sysconf/rsyslog.conf
@@ -12,6 +12,9 @@ $ModLoad imuxsock # provides support for local system logging
 $ModLoad imklog # provides kernel logging support (previously done by rklogd)
 #$ModLoad immark # provides --MARK-- message capability
 
+$OmitLocalLogging no
+$SystemLogSocketName /run/systemd/journal/syslog
+
 $KLogPath /proc/kmsg
 
 # provides UDP syslog reception
@@ -54,8 +57,11 @@ $IncludeConfig /etc/rsyslog.d/*.conf
 #### RULES ####
 ###############
 
+daemon.* /var/log/messages
+
 # Log authorization failure messages
 auth,authpriv.* /var/log/auth.log
 
 # Emergencies are sent to everybody logged in.
 *.emerg :omusrmsg:*
+
-- 
cgit v1.2.3

From 413d89862ad9bea7d31200eb7a29bd0dd7fca214 Mon Sep 17 00:00:00 2001
From: Daniil Baturin
Date: Mon, 14 May 2018 23:42:01 +0200
Subject: T637: remove dependency on tshark.

---
 debian/control | 1 -
 sysconf/filecaps | 1 -
 sysconf/sudoers | 2 +-
 3 files changed, 1 insertion(+), 3 deletions(-)
(limited to 'sysconf')
diff --git a/debian/control b/debian/control
index 1b6d08a6..1fff96c0 100644
--- a/debian/control
+++ b/debian/control
@@ -33,7 +33,6 @@ Depends: adduser,
 openssh-server,
 ed,
 ifupdown,
-tshark,
 iputils-arping,
 installation-report,
 laptop-detect,
diff --git a/sysconf/filecaps b/sysconf/filecaps
index 85e83668..96eadff4 100644
--- a/sysconf/filecaps
+++ b/sysconf/filecaps
@@ -12,7 +12,6 @@ cap_net_admin=pe /usr/sbin/arp
 cap_net_admin=pe /sbin/brctl
 
 # Raw sockets
-cap_net_raw=pe /usr/bin/tshark
 cap_net_raw=pe /usr/sbin/tcpdump
 cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
 
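Review bot: `$SystemLogSocketName /run/systemd/journal/syslog` in the first rsyslog.conf hunk makes imuxsock read the journald forwarding socket instead of /dev/log, so local messages only arrive if journald is configured with ForwardToSyslog=yes; nothing in the commit states that prerequisite. A one-line comment above the two directives would capture it: `# Local logging now comes via journald; requires ForwardToSyslog=yes in journald.conf`. The second hunk's `daemon.* /var/log/messages` introduces a log file that is not referenced elsewhere in this commit, so if no logrotate rule already covers it the file grows unbounded; worth confirming.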
diff --git a/sysconf/sudoers b/sysconf/sudoers
index b6c50423..998e7083 100644
--- a/sysconf/sudoers
+++ b/sysconf/sudoers
@@ -36,7 +36,7 @@ Cmnd_Alias DMIDECODE = /usr/sbin/dmidecode
 Cmnd_Alias DISK = /usr/bin/lsof, /sbin/fdisk -l *, /sbin/sfdisk -d *
 Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate
 Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff, /usr/sbin/pppstats
-Cmnd_Alias PCAPTURE = /usr/bin/tshark, /usr/bin/tcpdump
+Cmnd_Alias PCAPTURE = /usr/bin/tcpdump
 Cmnd_Alias HWINFO = /usr/bin/lspci
 Cmnd_Alias FORCE_CLUSTER = /usr/share/heartbeat/hb_takeover, \
 /usr/share/heartbeat/hb_standby
-- 
cgit v1.2.3

From bddf0251f100450b57d8e3eb868f021a77a9af35 Mon Sep 17 00:00:00 2001
From: UnicronNL
Date: Sat, 19 May 2018 00:53:58 +0200
Subject: Updata pam radius settings

---
 sysconf/pam_radius.cfg | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
(limited to 'sysconf')
diff --git a/sysconf/pam_radius.cfg b/sysconf/pam_radius.cfg
index 02ffc1c8..0d9fbbb0 100644
--- a/sysconf/pam_radius.cfg
+++ b/sysconf/pam_radius.cfg
@@ -1,11 +1,14 @@
-Name: Radius client
+Name: RADIUS authentication
 Default: yes
-Priority: 512
+Priority: 257
 Auth-Type: Primary
 Auth:
- sufficient pam_radius_auth.so try_first_pass
-Auth-Initial:
- sufficient pam_radius_auth.so
+ [authinfo_unavail=ignore success=end default=ignore] pam_radius_auth.so
+
 Account-Type: Primary
 Account:
- sufficient pam_radius_auth.so
+ [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_radius_auth.so
+
+Session-Type: Additional
+Session:
+ [authinfo_unavail=ignore success=ok default=ignore] pam_radius_auth.so
-- 
cgit v1.2.3

From f9b87471ee07789930da4905bc9d66ebd9d8f632 Mon Sep 17 00:00:00 2001
From: Kim
Date: Thu, 24 May 2018 15:36:47 +0200
Subject: add path to library

---
 sysconf/pam_radius.cfg | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'sysconf')
diff --git a/sysconf/pam_radius.cfg b/sysconf/pam_radius.cfg
index 0d9fbbb0..ba3037ea 100644
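Review bot: The new `Cmnd_Alias PCAPTURE = /usr/bin/tcpdump` keeps a path that disagrees with the filecaps hunk of the same commit, which grants `cap_net_raw=pe /usr/sbin/tcpdump`; Debian installs tcpdump under /usr/sbin, so the sudo alias most likely names a file that does not exist and never matches, which is a silent no-op rather than a failure. If the sudo route is still wanted it should read `Cmnd_Alias PCAPTURE = /usr/sbin/tcpdump`. Since the file capability already lets tcpdump open raw sockets without root, consider whether the alias is needed at all; running tcpdump as root through sudo with unrestricted arguments lets it write files anywhere as root, so a restricted argument list is preferable if it stays.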
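Review bot: In the pam_radius.cfg hunk the `Auth:` control `[authinfo_unavail=ignore success=end default=ignore]` treats an explicit RADIUS reject the same as an unreachable server: both are ignored and authentication falls through to the next Primary module, so a user rejected by RADIUS can still log in with a local password. That fallback keeps local accounts usable and matches what the removed `sufficient` line did, but it is a security-relevant design choice that the profile does not state; record it in the commit message or, if pam-auth-update accepts comments in the profile, as `# A RADIUS reject or timeout falls through to local (pam_unix) authentication`. The `perm_denied=bad` mapping on `Account:` does make an account-phase denial final, so the two phases behave differently and that asymmetry is worth a sentence too.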
--- a/sysconf/pam_radius.cfg +++ b/sysconf/pam_radius.cfg @@ -3,12 +3,12 @@ Default: yes Priority: 257 Auth-Type: Primary Auth: - [authinfo_unavail=ignore success=end default=ignore] pam_radius_auth.so + [authinfo_unavail=ignore success=end default=ignore] /lib/security/pam_radius_auth.so Account-Type: Primary Account: - [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_radius_auth.so + [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] /lib/security/pam_radius_auth.so Session-Type: Additional Session: - [authinfo_unavail=ignore success=ok default=ignore] pam_radius_auth.so + [authinfo_unavail=ignore success=ok default=ignore] /lib/security/pam_radius_auth.so -- cgit v1.2.3 From bf1313bd0fe4aad4d5c4f24e04f87eab69204bae Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Wed, 30 May 2018 04:24:22 +0200 Subject: T669: set IPv6 keep_addr_on_down sysctl options to 1 and get rid of intfwatchd. --- Makefile.am | 2 - etc/init.d/vyos-intfwatchd | 87 ------------------------ scripts/vyos-intfwatchd | 160 --------------------------------------------- sysconf/vyatta-sysctl.conf | 4 ++ 4 files changed, 4 insertions(+), 249 deletions(-) delete mode 100755 etc/init.d/vyos-intfwatchd delete mode 100644 scripts/vyos-intfwatchd (limited to 'sysconf') diff --git a/Makefile.am b/Makefile.am index 593f83d0..3e70ca59 100644 --- a/Makefile.am +++ b/Makefile.am @@ -22,7 +22,6 @@ checkparamsonreboot_DATA += scripts/check-params-on-reboot.d/README initd_SCRIPTS += etc/init.d/ec2-vyos-init initd_SCRIPTS += etc/init.d/vyatta-config-reboot-params -initd_SCRIPTS += etc/init.d/vyos-intfwatchd checkparamsonreboot_SCRIPTS += scripts/check-params-on-reboot.d/ipv6_disable_blacklist 
@@ -79,7 +78,6 @@ sbin_SCRIPTS += scripts/vyatta-bridge.pl
 sbin_SCRIPTS += scripts/vyatta-bridgegroup-depedency.pl
 sbin_SCRIPTS += scripts/vyatta-dhcpv6-client.pl
 sbin_SCRIPTS += scripts/vyatta-update-grub.pl
-sbin_SCRIPTS += scripts/vyos-intfwatchd
 sbin_SCRIPTS += scripts/ec2-check.pl
 sbin_SCRIPTS += scripts/is_port_available.pl
 sbin_SCRIPTS += scripts/vyos-persistpath
diff --git a/etc/init.d/vyos-intfwatchd b/etc/init.d/vyos-intfwatchd
deleted file mode 100755
index 6c5907a5..00000000
--- a/etc/init.d/vyos-intfwatchd
+++ /dev/null
@@ -1,87 +0,0 @@ -#! /bin/sh - -### BEGIN INIT INFO -# Provides: vyos-intfwatchd -# Required-Start: vyatta-router -# Required-Stop: -# Default-Start: 2 3 4 5 -# Default-Stop: -# Short-Description: Interface status monitoring daemon -### END INIT INFO - -set -e - -# /etc/init.d/vyos-intfwatchd: start and stop the event watching daemon - -test -x /opt/vyatta/sbin/vyos-intfwatchd || exit 0 - -umask 022 - -. /lib/lsb/init-functions - -if [ -n "$2" ]; then - EWD_OPTS="$EWD_OPTS $2" -fi - -# Are we running from init? -run_by_init() { - ([ "$previous" ] && [ "$runlevel" ]) || [ "$runlevel" = S ] -} - -check_dev_null() { - if [ ! -c /dev/null ]; then - if [ "$1" = log_end_msg ]; then - log_end_msg 1 || true - fi - if ! run_by_init; then - log_action_msg "/dev/null is not a character device!" - fi - exit 1 - fi -} - -export PATH="${PATH:+$PATH:}/usr/sbin:/sbin:/usr/bin:/opt/vyatta/sbin" - -case "$1" in - start) - check_dev_null - log_daemon_msg "Starting vyos-intfwatchd" "vyos-intfwatchd" - if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/vyos-intfwatchd.pid --exec /opt/vyatta/sbin/vyos-intfwatchd -- $EWD_OPTS; then - log_end_msg 0 - else - log_end_msg 1 - fi - ;; - stop) - log_daemon_msg "Stopping vyos-intfwatchd" "vyos-intfwatchd" - VI_PID=`cat /var/run/vyos-intfwatchd.pid` - for p in `pgrep -P $VI_PID`; do - kill $p - done - if start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/vyos-intfwatchd.pid; then - log_end_msg 0 - else - log_end_msg 1 - fi - ;; - restart) - log_daemon_msg "Restarting vyos-intfwatchd" "vyos-intfwatchd" - start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/vyos-intfwatchd.pid - check_for_no_start log_end_msg - check_dev_null log_end_msg - if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/vyos-intfwatchd.pid --exec /opt/vyatta/sbin/vyos-intfwatchd -- $EWD_OPTS; then - log_end_msg 0 - else - log_end_msg 1 - fi - ;; - status) - status_of_proc -p /var/run/vyos-intfwatchd.pid 
/opt/vyatta/sbin/vyos-intfwatchd vyos-intfwatchd && exit 0 || exit $? - ;; - - *) - log_action_msg "Usage: /etc/init.d/vyos-intfwatchd {start|stop|restart|status}" - exit 1 -esac - -exit 0 diff --git a/scripts/vyos-intfwatchd b/scripts/vyos-intfwatchd deleted file mode 100644 index b8bde3f3..00000000 --- a/scripts/vyos-intfwatchd +++ /dev/null 
@@ -1,160 +0,0 @@ -#!/usr/bin/perl -# -# Module: vyos-restore-static-ipv6.pl -# -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# Copyright (C) 2014 VyOS Development Group -# -# **** End License **** - -use lib "/opt/vyatta/share/perl5"; -use strict; -use warnings; -use POSIX; -use Fcntl; -use Sys::Syslog; -use Vyatta::Config; -use Vyatta::Interface; -use Data::Dumper; - -use constant -{ - # Program settings - PROGRAM_NAME => "vyos-intfwatchd", - PROGRAM_VERSION => "1.0", - PID_FILE => "/var/run/vyos-intfwatchd.pid", - - # Program exit codes - SUCCESS => 0, - ERROR => 1, - - # Subroutine error codes - SUB_ERROR => 0, - SUB_SUCCESS => 1, - - # Fcntl file lock/unlock constants - SET_EXCLUSIVE_LOCK => 2, - UNLOCK => 8 -}; - -my $debug = 0; - -sub daemonize -{ - syslog("info", "%s", "Starting in daemon mode"); - - my $pid = fork(); - if (!defined($pid)) - { - # Fork failed - die "Could not spawn child process: $!, exiting"; - } - elsif ($pid > 0) - { - # Child has been spawned succefully, - # parent should terminate now - exit(SUCCESS); - } - chdir("/"); - umask(0); - setsid(); - - # Close standard i/o stream descriptors - open STDIN, "/dev/null" or die "Can't read /dev/null: $!"; - open STDOUT, ">>/dev/null" or die "Can't write to /dev/null: $!"; - open STDERR, ">>/dev/null" or die "Can't write to /dev/null: $!"; -} - -sub writePid -{ - my ($pid, $fh) = @_; - - unless (flock($fh, SET_EXCLUSIVE_LOCK)) - { - syslog("err", "%s", "Could not lock PID file: $!"); - exit(ERROR); - } - - print($fh $pid); -} - -sub releasePid -{ - my $fh = shift; - flock($fh, UNLOCK); - 
close($fh); - unlink(PID_FILE); -} - - -daemonize(); -my $pidFile = PID_FILE; -unless (open PID_HANDLE, ">$pidFile") -{ - syslog("err", "%s", "Could not create PID file: $!"); - exit(1); -} -writePid($$, \*PID_HANDLE); - -my $config = new Vyatta::Config(); - -my $ip_monitor = "ip monitor link"; -unless (open(HANDLE, "$ip_monitor|")) -{ - syslog("err", "%s", qq{Could not start IP monitor: $!\n}); - exit(1); -} - -sub terminate -{ - my $error = shift; - syslog("notice", "%s", PROGRAM_NAME." is terminating"); - releasePid(\*PID_HANDLE); - exit(0); -} - -$SIG{'INT'} = \&terminate; -$SIG{'TERM'} = \&terminate; -$SIG{'KILL'} = sub { exit(0); }; - -# This solution should be bad enough to be fixed immediately -# when feasible. - -while() -{ - if( $_ =~ /^[0-9]+:\s+([^@]+)(@.*)*:\s+<.*UP,.*>/ ) - { - my $intf_name = $1; - my $intf = new Vyatta::Interface($intf_name); - my $intf_addr_path = $intf->path() . " address"; - - # Get IPv6 addresses - my @addresses = grep /:/, $config->returnEffectiveValues($intf_addr_path); - print Dumper(@addresses) if $debug; - - foreach my $address (@addresses) - { - system("ip address add $address dev $intf_name"); - if( $? != 0 ) - { - syslog("err", "%s", "Could not add address $address: $!"); - } - else - { - syslog("notice", "%s", "Restoring address $address on interface $intf_name"); - } - } - - $intf = undef; - } -} - diff --git a/sysconf/vyatta-sysctl.conf b/sysconf/vyatta-sysctl.conf index 3fe560b6..3e5717f1 100644 --- a/sysconf/vyatta-sysctl.conf +++ b/sysconf/vyatta-sysctl.conf @@ -67,3 +67,7 @@ net.ipv4.conf.all.send_redirects=1 # Increase size of buffer for netlink net.core.rmem_max=2097152 + +# Do not forget IPv6 addresses when a link goes down +net.ipv6.conf.default.keep_addr_on_down=1 +net.ipv6.conf.all.keep_addr_on_down=1 -- cgit v1.2.3
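Review bot: The two `keep_addr_on_down=1` lines added to sysconf/vyatta-sysctl.conf depend on a kernel that exposes that knob (it appeared in the 4.5 series, if I recall correctly); on an older kernel `sysctl -p` reports the key as unknown, and the file gives no hint that the daemon being removed in the same commit is what used to cover that case. The knob also only retains static addresses with no expiry, so addresses that carry lifetimes are still flushed on link down, which is narrower than what the removed vyos-intfwatchd restored from the configuration. A comment stating both limits would help the next reader: `# Needs a kernel with keep_addr_on_down (4.5+); only static, non-expiring addresses are kept`.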