diff options
| -rw-r--r-- | .github/workflows/repo-sync.yml | 1 | ||||
| -rw-r--r-- | data/templates/load-balancing/haproxy.cfg.j2 | 2 | ||||
| -rw-r--r-- | interface-definitions/system_domain-name.xml.in | 1 | ||||
| -rw-r--r-- | interface-definitions/system_host-name.xml.in | 1 | ||||
| -rw-r--r-- | op-mode-definitions/reverse-proxy.xml.in | 23 | ||||
| -rw-r--r-- | op-mode-definitions/show-reverse-proxy.xml.in | 13 | ||||
| -rw-r--r-- | python/vyos/ifconfig/interface.py | 12 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_load-balancing_reverse-proxy.py | 4 | ||||
| -rwxr-xr-x | src/conf_mode/container.py | 3 | ||||
| -rwxr-xr-x | src/conf_mode/load-balancing_reverse-proxy.py | 65 |
10 files changed, 74 insertions, 51 deletions
diff --git a/.github/workflows/repo-sync.yml b/.github/workflows/repo-sync.yml index 84fd0d7da..a2bf54f74 100644 --- a/.github/workflows/repo-sync.yml +++ b/.github/workflows/repo-sync.yml @@ -6,6 +6,7 @@ on: - closed branches: - current + workflow_dispatch: jobs: trigger-sync: diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2 index 797bf17e7..b786a58f8 100644 --- a/data/templates/load-balancing/haproxy.cfg.j2 +++ b/data/templates/load-balancing/haproxy.cfg.j2 @@ -62,7 +62,7 @@ frontend {{ front }} bind {{ address | bracketize_ipv6 }}:{{ front_config.port }} {{ ssl_directive }} {{ ssl_front | join(' ') }} {% endfor %} {% else %} - bind :::{{ front_config.port }} v4v6 {{ ssl_directive }} {{ ssl_front | join(' ') }} + bind [::]:{{ front_config.port }} v4v6 {{ ssl_directive }} {{ ssl_front | join(' ') }} {% endif %} {% if front_config.redirect_http_to_https is vyos_defined %} http-request redirect scheme https unless { ssl_fc } diff --git a/interface-definitions/system_domain-name.xml.in b/interface-definitions/system_domain-name.xml.in index bfca9b8ce..695af29d9 100644 --- a/interface-definitions/system_domain-name.xml.in +++ b/interface-definitions/system_domain-name.xml.in @@ -5,6 +5,7 @@ <leafNode name="domain-name" owner="${vyos_conf_scripts_dir}/system_host-name.py"> <properties> <help>System domain name</help> + <priority>6</priority> <constraint> <validator name="fqdn"/> </constraint> diff --git a/interface-definitions/system_host-name.xml.in b/interface-definitions/system_host-name.xml.in index 423531a68..f74baab48 100644 --- a/interface-definitions/system_host-name.xml.in +++ b/interface-definitions/system_host-name.xml.in @@ -6,6 +6,7 @@ <leafNode name="host-name" owner="${vyos_conf_scripts_dir}/system_host-name.py"> <properties> <help>System host name (default: vyos)</help> + <priority>5</priority> <constraint> #include <include/constraint/host-name.xml.i> </constraint> diff --git a/op-mode-definitions/reverse-proxy.xml.in b/op-mode-definitions/reverse-proxy.xml.in new file mode 100644 index 000000000..4af24880b --- /dev/null +++ b/op-mode-definitions/reverse-proxy.xml.in @@ -0,0 +1,23 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="restart"> + <children> + <node name="reverse-proxy"> + <properties> + <help>Restart reverse-proxy service</help> + </properties> + <command>if cli-shell-api existsActive load-balancing reverse-proxy; then sudo systemctl restart haproxy.service; else echo "Reverse-Proxy not configured"; fi</command> + </node> + </children> + </node> + <node name="show"> + <children> + <node name="reverse-proxy"> + <properties> + <help>Show load-balancing reverse-proxy</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/reverseproxy.py show</command> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/op-mode-definitions/show-reverse-proxy.xml.in b/op-mode-definitions/show-reverse-proxy.xml.in deleted file mode 100644 index ed0fee843..000000000 --- a/op-mode-definitions/show-reverse-proxy.xml.in +++ /dev/null @@ -1,13 +0,0 @@ -<?xml version="1.0"?> -<interfaceDefinition> - <node name="show"> - <children> - <node name="reverse-proxy"> - <properties> - <help>Show load-balancing reverse-proxy</help> - </properties> - <command>sudo ${vyos_op_scripts_dir}/reverseproxy.py show</command> - </node> - </children> - </node> -</interfaceDefinition> diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py index f0897bc21..117479ade 100644 --- a/python/vyos/ifconfig/interface.py +++ b/python/vyos/ifconfig/interface.py @@ -42,6 +42,7 @@ from vyos.utils.process import is_systemd_service_active from vyos.utils.process import run from vyos.template import is_ipv4 from vyos.template import is_ipv6 +from vyos.utils.file import read_file from vyos.utils.network import is_intf_addr_assigned from vyos.utils.network import is_ipv6_link_local from vyos.utils.assertion import assert_boolean @@ -1356,12 +1357,13 @@ class Interface(Control): if enable and 'disable' not in self.config: if dict_search('dhcp_options.host_name', self.config) == None: # read configured system hostname. - # maybe change to vyos hostd client ??? + # maybe change to vyos-hostsd client ??? hostname = 'vyos' - with open('/etc/hostname', 'r') as f: - hostname = f.read().rstrip('\n') - tmp = {'dhcp_options' : { 'host_name' : hostname}} - self.config = dict_merge(tmp, self.config) + hostname_file = '/etc/hostname' + if os.path.isfile(hostname_file): + hostname = read_file(hostname_file) + tmp = {'dhcp_options' : { 'host_name' : hostname}} + self.config = dict_merge(tmp, self.config) render(systemd_override_file, 'dhcp-client/override.conf.j2', self.config) render(dhclient_config_file, 'dhcp-client/ipv4.j2', self.config) diff --git a/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py b/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py index 370a9276a..2b2f93cdf 100755 --- a/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py +++ b/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py @@ -218,7 +218,7 @@ class TestLoadBalancingReverseProxy(VyOSUnitTestSHIM.TestCase): # Frontend self.assertIn(f'frontend {frontend}', config) - self.assertIn(f'bind :::{front_port} v4v6', config) + self.assertIn(f'bind [::]:{front_port} v4v6', config) self.assertIn(f'mode {mode}', config) for domain in domains_bk_first: self.assertIn(f'acl {rule_ten} hdr(host) -i {domain}', config) @@ -371,7 +371,7 @@ class TestLoadBalancingReverseProxy(VyOSUnitTestSHIM.TestCase): # Frontend self.assertIn(f'frontend {frontend}', config) - self.assertIn(f'bind :::{front_port} v4v6', config) + self.assertIn(f'bind [::]:{front_port} v4v6', config) self.assertIn(f'mode {mode}', config) self.assertIn(f'tcp-request inspect-delay {tcp_request_delay}', config) diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py index ca09dff9f..3efeb9b40 100755 --- a/src/conf_mode/container.py +++ b/src/conf_mode/container.py @@ -29,6 +29,7 @@ from vyos.configdict import node_changed from vyos.configdict import is_node_changed from vyos.configverify import verify_vrf from vyos.ifconfig import Interface +from vyos.cpu import get_core_count from vyos.utils.file import write_file from vyos.utils.process import call from vyos.utils.process import cmd @@ -129,7 +130,7 @@ def verify(container): f'to the system! Container "{name}" will not be started!') if 'cpu_quota' in container_config: - cores = vyos.cpu.get_core_count() + cores = get_core_count() if Decimal(container_config['cpu_quota']) > cores: raise ConfigError(f'Cannot set limit to more cores than available "{name}"!') diff --git a/src/conf_mode/load-balancing_reverse-proxy.py b/src/conf_mode/load-balancing_reverse-proxy.py index b6db110ae..1c1252df0 100755 --- a/src/conf_mode/load-balancing_reverse-proxy.py +++ b/src/conf_mode/load-balancing_reverse-proxy.py @@ -26,9 +26,13 @@ from vyos.utils.dict import dict_search from vyos.utils.process import call from vyos.utils.network import check_port_availability from vyos.utils.network import is_listen_port_bind_service -from vyos.pki import wrap_certificate -from vyos.pki import wrap_private_key +from vyos.pki import find_chain +from vyos.pki import load_certificate +from vyos.pki import load_private_key +from vyos.pki import encode_certificate +from vyos.pki import encode_private_key from vyos.template import render +from vyos.utils.file import write_file from vyos import ConfigError from vyos import airbag airbag.enable() @@ -124,51 +128,54 @@ def generate(lb): if not os.path.isdir(load_balancing_dir): os.mkdir(load_balancing_dir) + loaded_ca_certs = {load_certificate(c['certificate']) + for c in lb['pki']['ca'].values()} if 'ca' in lb['pki'] else {} + # SSL Certificates for frontend for front, front_config in lb['service'].items(): - if 'ssl' in front_config: - - if 'certificate' in front_config['ssl']: - cert_names = front_config['ssl']['certificate'] + if 'ssl' not in front_config: + continue - for cert_name in cert_names: - pki_cert = lb['pki']['certificate'][cert_name] - cert_file_path = os.path.join(load_balancing_dir, f'{cert_name}.pem') - cert_key_path = os.path.join(load_balancing_dir, f'{cert_name}.pem.key') + if 'certificate' in front_config['ssl']: + cert_names = front_config['ssl']['certificate'] - with open(cert_file_path, 'w') as f: - f.write(wrap_certificate(pki_cert['certificate'])) + for cert_name in cert_names: + pki_cert = lb['pki']['certificate'][cert_name] + cert_file_path = os.path.join(load_balancing_dir, f'{cert_name}.pem') + cert_key_path = os.path.join(load_balancing_dir, f'{cert_name}.pem.key') - if 'private' in pki_cert and 'key' in pki_cert['private']: - with open(cert_key_path, 'w') as f: - f.write(wrap_private_key(pki_cert['private']['key'])) + loaded_pki_cert = load_certificate(pki_cert['certificate']) + cert_full_chain = find_chain(loaded_pki_cert, loaded_ca_certs) - if 'ca_certificate' in front_config['ssl']: - ca_name = front_config['ssl']['ca_certificate'] - pki_ca_cert = lb['pki']['ca'][ca_name] - ca_cert_file_path = os.path.join(load_balancing_dir, f'{ca_name}.pem') + write_file(cert_file_path, + '\n'.join(encode_certificate(c) for c in cert_full_chain)) - with open(ca_cert_file_path, 'w') as f: - f.write(wrap_certificate(pki_ca_cert['certificate'])) + if 'private' in pki_cert and 'key' in pki_cert['private']: + loaded_key = load_private_key(pki_cert['private']['key'], passphrase=None, wrap_tags=True) + key_pem = encode_private_key(loaded_key, passphrase=None) + write_file(cert_key_path, key_pem) # SSL Certificates for backend for back, back_config in lb['backend'].items(): - if 'ssl' in back_config: + if 'ssl' not in back_config: + continue - if 'ca_certificate' in back_config['ssl']: - ca_name = back_config['ssl']['ca_certificate'] - pki_ca_cert = lb['pki']['ca'][ca_name] - ca_cert_file_path = os.path.join(load_balancing_dir, f'{ca_name}.pem') + if 'ca_certificate' in back_config['ssl']: + ca_name = back_config['ssl']['ca_certificate'] + ca_cert_file_path = os.path.join(load_balancing_dir, f'{ca_name}.pem') + ca_chains = [] - with open(ca_cert_file_path, 'w') as f: - f.write(wrap_certificate(pki_ca_cert['certificate'])) + pki_ca_cert = lb['pki']['ca'][ca_name] + loaded_ca_cert = load_certificate(pki_ca_cert['certificate']) + ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs) + ca_chains.append('\n'.join(encode_certificate(c) for c in ca_full_chain)) + write_file(ca_cert_file_path, '\n'.join(ca_chains)) render(load_balancing_conf_file, 'load-balancing/haproxy.cfg.j2', lb) render(systemd_override, 'load-balancing/override_haproxy.conf.j2', lb) return None - def apply(lb): call('systemctl daemon-reload') if not lb: |