http: T5762: api: make API socket backend communication the one and only default

Why: Smoketests fail as they can not establish IPv6 connection to uvicorn
backend server.

https://github.com/vyos/vyos-1x/pull/2481 added a bunch of new smoketests.

While debugging those failing, it was uncovered, that uvicorn only listens on
IPv4 connections

vyos@vyos# netstat -tulnp | grep 8080
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -

As the CLI already has an option to move the API communication from an IP to a
UNIX domain socket, the best idea is to make this the default way of
communication, as we never directly talk to the API server but rather use the
NGINX reverse proxy.

4 files changed, 65 insertions, 14 deletions

diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index 010490c7e..028a5007a 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -215,14 +215,9 @@ def generate(https):
         api_data = vyos.defaults.api_data
     api_settings = https.get('api', {})
     if api_settings:
-        port = api_settings.get('port', '')
-        if port:
-            api_data['port'] = port
         vhosts = https.get('api-restrict', {}).get('virtual-host', [])
         if vhosts:
             api_data['vhost'] = vhosts[:]
-        if 'socket' in list(api_settings):
-            api_data['socket'] = True
 
     if api_data:
         vhost_list = api_data.get('vhost', [])
diff --git a/src/etc/sysctl.d/30-vyos-router.conf b/src/etc/sysctl.d/30-vyos-router.conf
index 1c9b8999f..67d96969e 100644
--- a/src/etc/sysctl.d/30-vyos-router.conf
+++ b/src/etc/sysctl.d/30-vyos-router.conf
@@ -105,3 +105,11 @@ net.core.rps_sock_flow_entries = 32768
 net.core.default_qdisc=fq_codel
 net.ipv4.tcp_congestion_control=bbr
 
+# VRF - Virtual routing and forwarding
+# When net.vrf.strict_mode=0 (default) it is possible to associate multiple
+# VRF devices to the same table. Conversely, when net.vrf.strict_mode=1 a
+# table can be associated to a single VRF device.
+#
+# A VRF table can be used by the VyOS CLI only once (ensured by verify()),
+# this simply adds an additional Kernel safety net
+net.vrf.strict_mode=1
diff --git a/src/migration-scripts/https/4-to-5 b/src/migration-scripts/https/4-to-5
new file mode 100755
index 000000000..a503e0cb7
--- /dev/null
+++ b/src/migration-scripts/https/4-to-5
@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5762: http: api: smoketests fail as they can not establish IPv6 connection
+#        to uvicorn backend server, always make the UNIX domain socket the
+#        default way of communication
+
+import sys
+
+from vyos.configtree import ConfigTree
+
+if len(sys.argv) < 2:
+    print("Must specify file name!")
+    sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+
+base = ['service', 'https']
+if not config.exists(base):
+    # Nothing to do
+    sys.exit(0)
+
+# Delete "socket" CLI option - we always use UNIX domain sockets for
+# NGINX <-> API server communication
+if config.exists(base + ['api', 'socket']):
+    config.delete(base + ['api', 'socket'])
+
+# There is no need for an API service port, as UNIX domain sockets
+# are used
+if config.exists(base + ['api', 'port']):
+    config.delete(base + ['api', 'port'])
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    sys.exit(1)
diff --git a/src/services/vyos-http-api-server b/src/services/vyos-http-api-server
index 3a9efb73e..daee24257 100755
--- a/src/services/vyos-http-api-server
+++ b/src/services/vyos-http-api-server
@@ -825,15 +825,7 @@ def initialization(session: ConfigSession, app: FastAPI = app):
     if app.state.vyos_graphql:
         graphql_init(app)
 
-    if not server_config['socket']:
-        config = ApiServerConfig(app,
-                                 host=server_config["listen_address"],
-                                 port=int(server_config["port"]),
-                                 proxy_headers=True)
-    else:
-        config = ApiServerConfig(app,
-                                 uds="/run/api.sock",
-                                 proxy_headers=True)
+    config = ApiServerConfig(app, uds="/run/api.sock", proxy_headers=True)
     server = ApiServer(config)
 
 def run_server():