<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/smoketest/scripts/cli/test_service_https.py, branch rolling</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2026-06-27T05:34:17+00:00</updated>
<entry>
<title>https: T9022: serve the full CA certificate chain</title>
<updated>2026-06-27T05:34:17+00:00</updated>
<author>
<name>Lee Clements</name>
<email>lclements0@gmail.com</email>
</author>
<published>2026-06-26T14:48:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=78bec494bd6df824875ff132920f6f293d82ac0c'/>
<id>urn:sha1:78bec494bd6df824875ff132920f6f293d82ac0c</id>
<content type='text'>
When a certificate is assigned to the HTTPS service, nginx was only
sent the leaf certificate. An intermediate CA was included only when
an operator manually configured "ca-certificate", and even then just
that single CA - the rest of the issuer chain was never followed.

As a result, clients that do not already trust the issuing intermediate
CA (for example Let's Encrypt's newer E- and R-series intermediates)
could not build a path to a trusted root and rejected the connection.

Build the complete chain from the CA certificates present in the PKI
using find_chain(), the same helper already used by HAProxy, OpenConnect,
stunnel and the other PKI consumers. The intermediate chain is now
discovered automatically, so configuring "ca-certificate" is no longer
required; it remains accepted for backwards compatibility.
</content>
</entry>
<entry>
<title>T8454: fix VRF-bind port availability check in service_https</title>
<updated>2026-05-27T20:15:40+00:00</updated>
<author>
<name>Lee Clements</name>
<email>lclements0@gmail.com</email>
</author>
<published>2026-04-03T20:46:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=18e14cf71b3597112357b58e24fbe7aa9a7d7f4c'/>
<id>urn:sha1:18e14cf71b3597112357b58e24fbe7aa9a7d7f4c</id>
<content type='text'>
When service https is configured with a listen-address on a VRF
interface, adding or changing the vrf option causes the commit to
fail with "TCP port 443 is used by another service!" even though
no conflict exists.

Root cause: check_port_availability() performs a socket.bind() in
the default network namespace. When the listen-address belongs to
a VRF interface the address is unreachable from the default
namespace, so the bind fails with OSError which is misinterpreted
as "port in use". The secondary check via is_listen_port_bind_service()
also fails because psutil cannot see sockets bound inside a VRF.

Fix: add an optional vrf parameter to check_port_availability().
When set, the test socket is bound to the VRF master device via
SO_BINDTODEVICE before the bind() call, so that the address is
resolved in the correct L3 domain. This is done in-process (no
subprocess) and works for both IPv4 and IPv6.

service_https verify() now passes the configured VRF (if any) to
check_port_availability(). Non-VRF configurations are unaffected.

Add smoke test for HTTPS with listen-address inside a VRF.

Co-authored-by: Christian Breunig &lt;christian@breunig.cc&gt;
</content>
</entry>
<entry>
<title>http-api: T7090: Implement background configure operations for REST API</title>
<updated>2026-01-28T06:57:55+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2026-01-23T13:15:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=7fd4b50494d3b8865a7300e97c72df2a4fe11f14'/>
<id>urn:sha1:7fd4b50494d3b8865a7300e97c72df2a4fe11f14</id>
<content type='text'>
Large config commits (`service config-sync`) can block the REST API request
path and sometimes must be deferred (e.g., when changing `service https`).

This commit introduces an in-memory background operation manager
that queues (FIFO) full configure operations (commands + commit/commit-confirm)
as single jobs, tracks status/result, and exposes active operations
via `/retrieve/background-operations`.
</content>
</entry>
<entry>
<title>T7948: always call setUp() and tearDown() base class methods</title>
<updated>2025-10-21T19:03:16+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-10-20T16:52:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=4995a58f998d3bdd055e49e919945bc0aa939be4'/>
<id>urn:sha1:4995a58f998d3bdd055e49e919945bc0aa939be4</id>
<content type='text'>
While working on task T7664 (FRR 10.4 upgrade), I identified the need for
additional validation and safeguards around the FRR management daemon. The
most appropriate place for this logic is in the setUp() and tearDown() methods
of the smoketest base class, VyOSUnitTestSHIM.

However, during implementation, it became apparent that test cases do not
consistently invoke the base class's setup and teardown methods. This
inconsistency complicates the process of capturing the FRR mgmtd PID at the
start of a test and verifying that it remains unchanged by the end - a key step
in detecting crashes or unexpected terminations (e.g., SIGSEGV) of the FRR
management daemon during tests.
</content>
</entry>
<entry>
<title>T7591: remove copyright years from source files</title>
<updated>2025-06-28T21:16:52+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-06-28T18:51:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=1478516ae437f19ebeb7d6ff9b83dd74f8e76758'/>
<id>urn:sha1:1478516ae437f19ebeb7d6ff9b83dd74f8e76758</id>
<content type='text'>
The legal team says years are not necessary so we can go ahead with it, since
it will simplify backporting.

Automatically removed using: git ls-files | grep -v libvyosconfig | xargs sed -i -E \
's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors &lt;maintainers@vyos.io&gt;/g'

In addition we will error-out during "make" if someone re-adds a legacy
copyright notice
</content>
</entry>
<entry>
<title>https: T7393: add smoketest for https listen-address</title>
<updated>2025-04-30T02:04:52+00:00</updated>
<author>
<name>John Estabrook</name>
<email>jestabro@vyos.io</email>
</author>
<published>2025-04-29T22:06:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=4fb731756e9cc7c5b2589c05f738d24b8e50c18d'/>
<id>urn:sha1:4fb731756e9cc7c5b2589c05f738d24b8e50c18d</id>
<content type='text'>
</content>
</entry>
<entry>
<title>http-api: T6736: normalize formatting</title>
<updated>2024-10-01T02:56:06+00:00</updated>
<author>
<name>John Estabrook</name>
<email>jestabro@vyos.io</email>
</author>
<published>2024-10-01T01:40:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=7e23fd9da028b3c623b69fda8a6bcfd887f1c18c'/>
<id>urn:sha1:7e23fd9da028b3c623b69fda8a6bcfd887f1c18c</id>
<content type='text'>
</content>
</entry>
<entry>
<title>http-api: T6736: update smoketest for syntax change</title>
<updated>2024-09-30T03:21:21+00:00</updated>
<author>
<name>John Estabrook</name>
<email>jestabro@vyos.io</email>
</author>
<published>2024-09-29T21:44:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=8322cc4d82067d7efe5051250c58d8cfbc895bce'/>
<id>urn:sha1:8322cc4d82067d7efe5051250c58d8cfbc895bce</id>
<content type='text'>
</content>
</entry>
<entry>
<title>T5786: Add set/show system image to /image endpoint</title>
<updated>2024-05-27T14:34:52+00:00</updated>
<author>
<name>khramshinr</name>
<email>khramshinr@gmail.com</email>
</author>
<published>2024-05-27T14:34:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=cbb61faed494381b0c655d811920413b31fd294d'/>
<id>urn:sha1:cbb61faed494381b0c655d811920413b31fd294d</id>
<content type='text'>
</content>
</entry>
<entry>
<title>T6199: start validating smoketests against real CLI defaultValues</title>
<updated>2024-04-06T10:51:18+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-04-06T10:44:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=d9d2e9c8ead29c173fefd1b565d191a85baaa071'/>
<id>urn:sha1:d9d2e9c8ead29c173fefd1b565d191a85baaa071</id>
<content type='text'>
Use vyos.xml_ref.default_value to query XML default values and take them into
account when validating properly applied defaults in individual smoketests
instead of using hardcoded values like 443 for https port.
</content>
</entry>
</feed>
