<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/python, branch 1.4.0-rc2</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=1.4.0-rc2</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=1.4.0-rc2'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2024-01-11T15:18:19+00:00</updated>
<entry>
<title>dns: T5791: use common pattern for exclude check of dynamic interfaces</title>
<updated>2024-01-11T15:18:19+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-01-11T07:18:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=900289cf5d94cfc2dbb59cad548efb126389bbf9'/>
<id>urn:sha1:900289cf5d94cfc2dbb59cad548efb126389bbf9</id>
<content type='text'>
This uses a more common pattern from a base class while the original code from
0a1c9bc38 ("T5791: DNS dynamic exclude check for dynamic interfaces PPPoE") is
still retained.

(cherry picked from commit e5ce4222c6e9b24d276625678db7339ada0c54ef)
</content>
</entry>
<entry>
<title>Merge pull request #2793 from sarthurdev/T5550_sagitta</title>
<updated>2024-01-11T05:41:17+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-01-11T05:41:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=68bacdc20c10566671ce809e9668ca27666bca22'/>
<id>urn:sha1:68bacdc20c10566671ce809e9668ca27666bca22</id>
<content type='text'>
interface: T5550: Interface source-validation priority over global value (backport)</content>
</entry>
<entry>
<title>https: T5902: remove virtual-host configuration</title>
<updated>2024-01-10T07:11:39+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-01-06T09:55:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=34eadcf2f74ae57342997bed77ce64bddd34219b'/>
<id>urn:sha1:34eadcf2f74ae57342997bed77ce64bddd34219b</id>
<content type='text'>
We have not seen the adoption of the https virtual-host CLI option.

What did it do?
* Create multiple webservers each listening on a different IP/port
  (but in the same VRF)
* All webservers shared one common document root
* All webservers shared the same SSL certificates
* All webservers could have had individual allow-client configurations
* API could be enabled for a particular virtual-host but was always enabled on
  the default host

This configuration tried to provide a full webserver via the CLI but VyOS is a
router and the Webserver is there for an API or to serve files for a local-ui.

Changes

Remove support for virtual-hosts as it's an incomplete and thus mostly useless
"thing". Migrate all allow-client statements to one top-level allow statement.

(cherry picked from commit d0d3071e99eb65edb888c26ef2fdc9e038438887)
</content>
</entry>
<entry>
<title>pki: T5886: add support for ACME protocol (LetsEncrypt)</title>
<updated>2024-01-08T20:11:13+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-01-05T21:27:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=f8f51939ae5ad852563cc69c4e2c8c2717318c9c'/>
<id>urn:sha1:f8f51939ae5ad852563cc69c4e2c8c2717318c9c</id>
<content type='text'>
The "idea" of this PR is to add new CLI nodes under the pki subsystem to
activate ACME for any given certificate.

vyos@vyos# set pki certificate NAME acme
Possible completions:
+  domain-name          Domain Name
   email                Email address to associate with certificate
   listen-address       Local IPv4 addresses to listen on
   rsa-key-size         Size of the RSA key (default: 2048)
   url                  Remote URL (default:
                        https://acme-v02.api.letsencrypt.org/directory)

Users choose if the CLI based custom certificates are used
  set pki certificate EXAMPLE acme certificate &lt;base64&gt;
or if it should be generated via ACME.

The ACME server URL defaults to LetsEncrypt but can be changed to their staging
API for testing to not get blacklisted.
  set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory

Certificate retrieval has a certbot --dry-run stage in verify() to see if it
can be generated.

After successful generation, the certificate is stored under
/config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set
interfaces ethernet eth0 eapol certificate EXAMPLE) we call
vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the
base64 encoded certificate into the JSON data structure normally used when
using a certificate set by the CLI.

Using this "design" does not need any change to any other code referencing the
PKI system, as the base64 encoded certificate is already there.

certbot renewal will call the PKI python script to trigger dependency updates.

(cherry picked from commit b8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a)

# Conflicts:
#	debian/control
</content>
</entry>
<entry>
<title>image: T5898: fix kernel-level partition rescan</title>
<updated>2024-01-08T17:51:02+00:00</updated>
<author>
<name>Matt Clauson</name>
<email>mec@dotorg.org</email>
</author>
<published>2024-01-06T15:22:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=aa5c0e666851448850adae164cb83bb83f24b23f'/>
<id>urn:sha1:aa5c0e666851448850adae164cb83bb83f24b23f</id>
<content type='text'>
This fix moves from partprobe to partx to rescan the partition table on an affected disk.

(cherry picked from commit f883455d9a3081780c43426ab26de9d26f24c9aa)
</content>
</entry>
<entry>
<title>smoketest: T5195: fix BasicInterfaceTest tearDown() timeout penalty</title>
<updated>2024-01-07T21:00:34+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-01-07T20:37:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=8d16ec73841a0b48c7f685a5073d5afa5f82b82f'/>
<id>urn:sha1:8d16ec73841a0b48c7f685a5073d5afa5f82b82f</id>
<content type='text'>
Commit ad9bdfc24 ("T5195: add timeout argument to process_named_running()")
added a 2*10 seconds penalty for every interface test (dhcp and dhcpv6).
This leads to long runs of "make test" after an ISO build.

There is no need to wait 10 seconds for a test that checks for a process
not running. The timeout is there to give the process some time to startup.

(cherry picked from commit 041db49533d57cabfccd319492b85ee0bafdd40c)
</content>
</entry>
<entry>
<title>T5195: add timeout argument to process_named_running()</title>
<updated>2024-01-07T06:13:12+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-01-06T21:06:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=368ff14787d6a021d105055f3dd5e0e0870b0dfc'/>
<id>urn:sha1:368ff14787d6a021d105055f3dd5e0e0870b0dfc</id>
<content type='text'>
Smoketests heavily rely on process_named_running() so in order to "relax"
system constraints during a test we will add a timeout of 10 seconds for
every testcase provided by base_interfaces_test.py

(cherry picked from commit ad9bdfc248cf47b3361bd0e5d7371d56131160a0)
</content>
</entry>
<entry>
<title>T5159: nat: add option to map network and ports. Feature used for large deployments in cgnat. (#2694)</title>
<updated>2024-01-04T17:46:12+00:00</updated>
<author>
<name>Nicolás Fort</name>
<email>95703796+nicolas-fort@users.noreply.github.com</email>
</author>
<published>2024-01-04T15:49:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=76109e22d03a18286fc5d4b2b5ed879030f9222c'/>
<id>urn:sha1:76109e22d03a18286fc5d4b2b5ed879030f9222c</id>
<content type='text'>
(cherry picked from commit 3fc76505d0642c32a3eae9c0ce6ab3dd2ec32dbd)
</content>
</entry>
<entry>
<title>configdict: T5894: add get_config_dict() flag with_pki</title>
<updated>2024-01-04T06:58:41+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-01-03T20:57:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=706fdbb234202723e02f93ad8eb724649181a60a'/>
<id>urn:sha1:706fdbb234202723e02f93ad8eb724649181a60a</id>
<content type='text'>
VyOS has several services relying on the PKI CLI tree to retrieve certificates.
Consuming services like ethernet, openvpn or ipsec all re-implemented the same
code to retrieve the certificates from the CLI.

This commit extends the signature of get_config_dict() with a new option with_pki
that defaults to false. If this option is set, the PKI CLI tree will be blended
into the resulting dictionary.

(cherry picked from commit b152b52023ba0cf0d4919eae39e92de28a458917)
</content>
</entry>
<entry>
<title>configdict: T5837: node_changed() shall not return duplicate list items</title>
<updated>2024-01-04T06:58:41+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-01-03T16:21:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=4b06cac36c8ca4d63926871885e8ac52a5a899f1'/>
<id>urn:sha1:4b06cac36c8ca4d63926871885e8ac52a5a899f1</id>
<content type='text'>
This extends commit 4ee406470 ("configdict: T5837: add support to return added
nodes when calling node_changed()") so no duplicate list elements get returned.

(cherry picked from commit 301312b293238d3041c8912af6fdb86b506d7ab4)
</content>
</entry>
</feed>
