21 files changed, 191 insertions, 158 deletions
| diff --git a/data/templates/monitoring/telegraf.tmpl b/data/templates/monitoring/telegraf.tmpl index d3145a500..cf33eec4e 100644 --- a/data/templates/monitoring/telegraf.tmpl +++ b/data/templates/monitoring/telegraf.tmpl @@ -1,12 +1,12 @@  # Generated by /usr/libexec/vyos/conf_mode/service_monitoring_telegraf.py  [agent] -  interval = "10s" +  interval = "15s"    round_interval = true    metric_batch_size = 1000    metric_buffer_limit = 10000 -  collection_jitter = "0s" -  flush_interval = "10s" +  collection_jitter = "5s" +  flush_interval = "15s"    flush_jitter = "0s"    precision = ""    debug = false diff --git a/data/templates/openvpn/auth.pw.tmpl b/data/templates/openvpn/auth.pw.j2 index 218121062..218121062 100644 --- a/data/templates/openvpn/auth.pw.tmpl +++ b/data/templates/openvpn/auth.pw.j2 diff --git a/data/templates/openvpn/client.conf.tmpl b/data/templates/openvpn/client.conf.j2 index 98c8b0273..2e327e4d3 100644 --- a/data/templates/openvpn/client.conf.tmpl +++ b/data/templates/openvpn/client.conf.j2 
@@ -1,30 +1,30 @@  ### Autogenerated by interfaces-openvpn.py ### -{% if ip %} +{% if ip is vyos_defined %}  ifconfig-push {{ ip[0] }} {{ server_subnet[0] | netmask_from_cidr }}  {% endif %}  {% if push_route is vyos_defined %} -{%   for route in push_route %} +{%     for route in push_route %}  push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}" -{%   endfor %} +{%     endfor %}  {% endif %}  {% if subnet is vyos_defined %} -{%   for network in subnet %} +{%     for network in subnet %}  iroute {{ network | address_from_cidr }} {{ network | netmask_from_cidr }} -{%   endfor %} +{%     endfor %}  {% endif %}  {# ipv6_remote is only set when IPv6 server is enabled #} -{% if ipv6_remote %} +{% if ipv6_remote is vyos_defined %}  # IPv6 -{%   if ipv6_ip %} +{%     if ipv6_ip is vyos_defined %}  ifconfig-ipv6-push {{ ipv6_ip[0] }} {{ ipv6_remote }} -{%   endif %} -{%   for route6 in ipv6_push_route %} +{%     endif %} +{%     for route6 in ipv6_push_route %}  push "route-ipv6 {{ route6 }}" -{%   endfor %} -{%   for net6 in ipv6_subnet %} +{%     endfor %} +{%     for net6 in ipv6_subnet %}  iroute-ipv6 {{ net6 }} -{%   endfor %} +{%     endfor %}  {% endif %}  {% if disable is vyos_defined %}  disable diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.j2 index f26680fa3..6dd4ef88d 100644 --- a/data/templates/openvpn/server.conf.tmpl +++ b/data/templates/openvpn/server.conf.j2 @@ -10,9 +10,9 @@ verb 3  dev-type {{ device_type }}  dev {{ ifname }}  persist-key -{% if protocol == 'tcp-active' %} +{% if protocol is vyos_defined('tcp-active') %}  proto tcp-client -{% elif protocol == 'tcp-passive' %} +{% elif protocol is vyos_defined('tcp-passive') %}  proto tcp-server  {% else %}  proto udp 
@@ -30,9 +30,9 @@ lport {{ local_port }}  rport {{ remote_port }}  {% endif %}  {% if remote_host is vyos_defined %} -{%   for remote in remote_host %} +{%     for remote in remote_host %}  remote {{ remote }} -{%   endfor %} +{%     endfor %}  {% endif %}  {% if shared_secret_key is vyos_defined %}  secret /run/openvpn/{{ ifname }}_shared.key 
@@ -49,88 +49,88 @@ push "redirect-gateway def1"  compress lzo  {% endif %} -{% if mode == 'client' %} +{% if mode is vyos_defined('client') %}  #  # OpenVPN Client mode  #  client  nobind -{% elif mode == 'server' %} +{% elif mode is vyos_defined('server') %}  #  # OpenVPN Server mode  #  mode server  tls-server -{%   if server is vyos_defined %} -{%     if server.subnet is vyos_defined %} -{%       if server.topology is vyos_defined('point-to-point') %} +{%     if server is vyos_defined %} +{%         if server.subnet is vyos_defined %} +{%             if server.topology is vyos_defined('point-to-point') %}  topology p2p -{%       elif server.topology is vyos_defined %} +{%             elif server.topology is vyos_defined %}  topology {{ server.topology }} -{%       endif %} -{%       for subnet in server.subnet %} -{%         if subnet | is_ipv4 %} +{%             endif %} +{%             for subnet in server.subnet %} +{%                 if subnet | is_ipv4 %}  server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool  {# First ip address is used as gateway. 
It's allows to use metrics #} -{%     if server.push_route is vyos_defined %} -{%       for route, route_config in server.push_route.items() %} -{%         if route | is_ipv4 %} -push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}{% if route_config.metric is vyos_defined %} {{ subnet | first_host_address }} {{ route_config.metric }}{% endif %}" -{%         elif route | is_ipv6 %} +{%                     if server.push_route is vyos_defined %} +{%                         for route, route_config in server.push_route.items() %} +{%                             if route | is_ipv4 %} +push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ subnet | first_host_address ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}" +{%                             elif route | is_ipv6 %}  push "route-ipv6 {{ route }}" -{%         endif %} -{%       endfor %} -{%     endif %} +{%                             endif %} +{%                         endfor %} +{%                     endif %}  {# OpenVPN assigns the first IP address to its local interface so the pool used #}  {# in net30 topology - where each client receives a /30 must start from the second subnet #} -{%           if server.topology is vyos_defined('net30') %} +{%                     if server.topology is vyos_defined('net30') %}  ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }} -{%           else %} +{%                     else %}  {# OpenVPN assigns the first IP address to its local interface so the pool must #}  {# start from the second address and end on the last address #}  ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }} -{%           endif %} -{%         elif subnet | is_ipv6 %} +{%                     endif %} +{%                 
elif subnet | is_ipv6 %}  server-ipv6 {{ subnet }} +{%                 endif %} +{%             endfor %}  {%         endif %} -{%       endfor %} -{%     endif %} -{%     if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined %} +{%         if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined %}  ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is vyos_defined }} -{%     endif %} -{%     if server.max_connections is vyos_defined %} +{%         endif %} +{%         if server.max_connections is vyos_defined %}  max-clients {{ server.max_connections }} -{%     endif %} -{%     if server.client is vyos_defined %} +{%         endif %} +{%         if server.client is vyos_defined %}  client-config-dir /run/openvpn/ccd/{{ ifname }} +{%         endif %}  {%     endif %} -{%   endif %} -keepalive {{ keep_alive.interval }} {{ keep_alive.interval|int * keep_alive.failure_count|int }} +keepalive {{ keep_alive.interval }} {{ keep_alive.interval | int * keep_alive.failure_count | int }}  management /run/openvpn/openvpn-mgmt-intf unix -{%   if server is vyos_defined %} -{%     if server.reject_unconfigured_clients is vyos_defined %} +{%     if server is vyos_defined %} +{%         if server.reject_unconfigured_clients is vyos_defined %}  ccd-exclusive -{%     endif %} +{%         endif %} -{%     if server.name_server is vyos_defined %} -{%       for nameserver in server.name_server %} -{%         if nameserver | is_ipv4 %} +{%         if server.name_server is vyos_defined %} +{%             for nameserver in server.name_server %} +{%                 if nameserver | is_ipv4 %}  push "dhcp-option DNS {{ nameserver }}" -{%         elif nameserver | is_ipv6 %} +{%                 elif nameserver | is_ipv6 %}  push "dhcp-option DNS6 {{ nameserver }}" +{%                 endif %} +{%             
endfor %}  {%         endif %} -{%       endfor %} -{%     endif %} -{%     if server.domain_name is vyos_defined %} +{%         if server.domain_name is vyos_defined %}  push "dhcp-option DOMAIN {{ server.domain_name }}" +{%         endif %} +{%         if server.mfa.totp is vyos_defined %} +{%             set totp_config = server.mfa.totp %} +plugin "{{ plugin_dir }}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets otp_slop={{ totp_config.slop }} totp_t0={{ totp_config.drift }} totp_step={{ totp_config.step }} totp_digits={{ totp_config.digits }} password_is_cr={{ '1' if totp_config.challenge == 'enable' else '0' }}" +{%         endif %}  {%     endif %} -{%     if server.mfa.totp is vyos_defined %} -{%       set totp_config = server.mfa.totp %} -plugin "{{ plugin_dir}}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets {{ 'otp_slop=' ~ totp_config.slop }} {{ 'totp_t0=' ~ totp_config.drift }} {{ 'totp_step=' ~ totp_config.step }} {{ 'totp_digits=' ~ totp_config.digits }} password_is_cr={{ '1' if totp_config.challenge == 'enable' else '0' }}" -{%     endif %} -{%   endif %}  {% else %}  #  # OpenVPN site-2-site mode 
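Review bot: The rewritten push-route line in this hunk emits the space before the metric expression unconditionally, so whenever `route_config.metric` is not set the rendered option becomes `push "route A.B.C.D M.M.M.M "` with a trailing blank inside the quotes, where the old `{% if %}…{% endif %}` form produced `push "route A.B.C.D M.M.M.M"`. OpenVPN's option parser most likely tolerates it, but it is an unintended change to every rendered config whose routes carry no metric. Folding the separator into the conditional restores the previous output: `push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}{{ ' ' ~ subnet | first_host_address ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}"`. The hunk starts on an earlier line; the `{% for subnet in server.subnet %}` loop that binds `subnet` is visible above.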
@@ -138,80 +138,80 @@ plugin "{{ plugin_dir}}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifn  ping {{ keep_alive.interval }}  ping-restart {{ keep_alive.failure_count }} -{%   if device_type == 'tap' %} -{%     if local_address is vyos_defined %} -{%       for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %} -{%         if laddr_conf.subnet_mask is vyos_defined %} +{%     if device_type == 'tap' %} +{%         if local_address is vyos_defined %} +{%             for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %} +{%                 if laddr_conf.subnet_mask is vyos_defined %}  ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }} +{%                 endif %} +{%             endfor %}  {%         endif %} -{%       endfor %} -{%     endif %} -{%   else %} -{%     for laddr in local_address if laddr | is_ipv4 %} -{%       for raddr in remote_address if raddr | is_ipv4 %} +{%     else %} +{%         for laddr in local_address if laddr | is_ipv4 %} +{%             for raddr in remote_address if raddr | is_ipv4 %}  ifconfig {{ laddr }} {{ raddr }} -{%       endfor %} -{%     endfor %} -{%     for laddr in local_address if laddr | is_ipv6 %} -{%       for raddr in remote_address if raddr | is_ipv6 %} +{%             endfor %} +{%         endfor %} +{%         for laddr in local_address if laddr | is_ipv6 %} +{%             for raddr in remote_address if raddr | is_ipv6 %}  ifconfig-ipv6 {{ laddr }} {{ raddr }} -{%       endfor %} -{%     endfor %} -{%   endif %} +{%             endfor %} +{%         endfor %} +{%     endif %}  {% endif %}  {% if tls is vyos_defined %}  # TLS options -{%   if tls.ca_certificate is vyos_defined %} +{%     if tls.ca_certificate is vyos_defined %}  ca /run/openvpn/{{ ifname }}_ca.pem -{%   endif %} -{%   if tls.certificate is vyos_defined %} +{%     endif %} +{%     if tls.certificate is vyos_defined %}  cert /run/openvpn/{{ ifname }}_cert.pem -{%   endif %} -{%   if tls.private_key is vyos_defined %} 
+{%     endif %} +{%     if tls.private_key is vyos_defined %}  key /run/openvpn/{{ ifname }}_cert.key -{%   endif %} -{%   if tls.crypt_key is vyos_defined %} +{%     endif %} +{%     if tls.crypt_key is vyos_defined %}  tls-crypt /run/openvpn/{{ ifname }}_crypt.key -{%   endif %} -{%   if tls.crl is vyos_defined %} +{%     endif %} +{%     if tls.crl is vyos_defined %}  crl-verify /run/openvpn/{{ ifname }}_crl.pem -{%   endif %} -{%   if tls.tls_version_min is vyos_defined %} +{%     endif %} +{%     if tls.tls_version_min is vyos_defined %}  tls-version-min {{ tls.tls_version_min }} -{%   endif %} -{%   if tls.dh_params is vyos_defined %} +{%     endif %} +{%     if tls.dh_params is vyos_defined %}  dh /run/openvpn/{{ ifname }}_dh.pem -{%   elif mode is vyos_defined('server') and tls.private_key is vyos_defined %} +{%     elif mode is vyos_defined('server') and tls.private_key is vyos_defined %}  dh none -{%   endif %} -{%   if tls.auth_key is vyos_defined %} -{%     if mode == 'client' %} +{%     endif %} +{%     if tls.auth_key is vyos_defined %} +{%         if mode == 'client' %}  tls-auth /run/openvpn/{{ ifname }}_auth.key 1 -{%     elif mode == 'server' %} +{%         elif mode == 'server' %}  tls-auth /run/openvpn/{{ ifname }}_auth.key 0 +{%         endif %}  {%     endif %} -{%   endif %} -{%   if tls.role is vyos_defined('active') %} +{%     if tls.role is vyos_defined('active') %}  tls-client -{%   elif tls.role is vyos_defined('passive') %} +{%     elif tls.role is vyos_defined('passive') %}  tls-server -{%   endif %} +{%     endif %}  {% endif %}  # Encryption options  {% if encryption is vyos_defined %} -{%   if encryption.cipher is vyos_defined %} +{%     if encryption.cipher is vyos_defined %}  cipher {{ encryption.cipher | openvpn_cipher }} -{%     if encryption.cipher is vyos_defined('bf128') %} +{%         if encryption.cipher is vyos_defined('bf128') %}  keysize 128 -{%     elif encryption.cipher is vyos_defined('bf256') %} +{%         elif 
encryption.cipher is vyos_defined('bf256') %}
 keysize 256
+{%         endif %}
 {%     endif %}
-{%   endif %}
-{%   if encryption.ncp_ciphers is vyos_defined %}
+{%     if encryption.ncp_ciphers is vyos_defined %}
 data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }}
-{%   endif %}
+{%     endif %}
 {% endif %}
 {% if hash is vyos_defined %}
diff --git a/data/templates/openvpn/service-override.conf.j2 b/data/templates/openvpn/service-override.conf.j2
new file mode 100644
index 000000000..616ba3bfc
--- /dev/null
+++ b/data/templates/openvpn/service-override.conf.j2
@@ -0,0 +1,21 @@
+{% set options = namespace(value='') %}
+{% if openvpn_option is vyos_defined %}
+{%     for option in openvpn_option %}
+{#         Remove the '--' prefix from variable if it is presented #}
+{%         if option.startswith('--') %}
+{%             set option = option.split('--', maxsplit=1)[1] %}
+{%         endif %}
+{#         Workaround to pass '--push' options properly. Previously openvpn accepted this option without values in double-quotes #}
+{#         But now it stopped doing this, so we need to add them for compatibility #}
+{#         HOWEVER! This is a raw option and we do not promise that this or any other trick will work for all the cases. #}
+{#         Using 'openvpn-option' you take all responsibility for compatibility for yourself. #}
+{%         if option.startswith('push') and not (option.startswith('push "') and option.endswith('"')) %}
+{%             set option = 'push \"%s\"' | format(option.split('push ', maxsplit=1)[1]) %}
+{%         endif %}
+{%         set options.value = options.value ~ ' --' ~ option %}
+{%     endfor %}
+{% endif %}
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/openvpn --daemon openvpn-%i --config %i.conf --status %i.status 30 --writepid %i.pid {{ options.value }}
+
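Review bot: The tls-auth direction block in this hunk keeps `{%         if mode == 'client' %}` / `{%         elif mode == 'server' %}` while the rest of the template, including the `dh none` branch a few lines above (`mode is vyos_defined('server')`), was converted to the `vyos_defined` test in this same commit; mixing the two forms for the same variable makes the reader wonder whether a difference is intended. For consistency: `{%         if mode is vyos_defined('client') %}` and `{%         elif mode is vyos_defined('server') %}`. The hunk starts on an earlier line and the enclosing `{% if tls is vyos_defined %}` block closes inside it.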
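Review bot: The `push` workaround matches any option that merely begins with `push`, so a raw option such as `push-peer-info` enters the branch and `option.split('push ', maxsplit=1)[1]` has no second element; as far as I can tell Jinja turns that IndexError into an undefined value, so the option is silently rendered as `push ""` and the real option is lost. The comparison should include the separator: `{%         if option.startswith('push ') and not (option.startswith('push "') and option.endswith('"')) %}`. The same pattern existed in the deleted .tmpl file, but this file is rewritten and is the place to fix it. Separately, the collected options are spliced into the `ExecStart=` line unescaped; systemd expands `%` specifiers and applies its own quoting on that line, so an operator-supplied value containing `%`, an unbalanced quote or a newline changes how the unit is parsed — probably acceptable for an admin-only CLI node, but worth a comment in the template or a check in the config script's verify().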
diff --git a/data/templates/openvpn/service-override.conf.tmpl b/data/templates/openvpn/service-override.conf.tmpl
deleted file mode 100644
index cba652223..000000000
--- a/data/templates/openvpn/service-override.conf.tmpl
+++ /dev/null
@@ -1,20 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/sbin/openvpn --daemon openvpn-%i --config %i.conf --status %i.status 30 --writepid %i.pid
-{%- if openvpn_option is vyos_defined %}
-{%   for option in openvpn_option %}
-{#     Remove the '--' prefix from variable if it is presented #}
-{%     if option.startswith('--') %}
-{%       set option = option.split('--', maxsplit=1)[1] %}
-{%     endif %}
-{#     Workaround to pass '--push' options properly. Previously openvpn accepted this option without values in double-quotes #}
-{#     But now it stopped doing this, so we need to add them for compatibility #}
-{#     HOWEVER! This is a raw option and we do not promise that this or any other trick will work for all the cases. #}
-{#     Using 'openvpn-option' you take all responsibility for compatibility for yourself. #}
-{%     if option.startswith('push') and not (option.startswith('push "') and option.endswith('"')) %}
-{%       set option = 'push \"%s\"'|format(option.split('push ', maxsplit=1)[1]) %}
-{%     endif %}
- --{{ option }}
-{%-   endfor %}
-{% endif %}
-
diff --git a/interface-definitions/include/bgp/neighbor-afi-ipv4-ipv6-common.xml.i b/interface-definitions/include/bgp/neighbor-afi-ipv4-ipv6-common.xml.i
index f3fc4444c..a56745380 100644
--- a/interface-definitions/include/bgp/neighbor-afi-ipv4-ipv6-common.xml.i
+++ b/interface-definitions/include/bgp/neighbor-afi-ipv4-ipv6-common.xml.i
@@ -69,7 +69,7 @@
 #include <include/bgp/afi-allowas-in.xml.i>
 <leafNode name="as-override">
   <properties>
-    <help>AS for routes sent to this peer to be the local AS</help>
+    <help>Override ASN in outbound updates to configured neighbor local-as</help>
     <valueless/>
   </properties>
 </leafNode>
diff --git a/interface-definitions/include/interface/parameters-df.xml.i b/interface-definitions/include/interface/parameters-df.xml.i
new file mode 100644
index 000000000..82436b5e4
--- /dev/null
+++ b/interface-definitions/include/interface/parameters-df.xml.i
@@ -0,0 +1,26 @@
+<!-- include start from interface/parameters-df.xml.i -->
+<leafNode name="df">
+  <properties>
+    <help>Usage of the DF (don't Fragment) bit in outgoing packets</help>
+    <completionHelp>
+      <list>set unset inherit</list>
+    </completionHelp>
+    <valueHelp>
+      <format>set</format>
+      <description>Always set DF (don't fragment) bit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>unset</format>
+      <description>Always unset DF (don't fragment) bit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>inherit</format>
+      <description>Copy from the original IP header</description>
+    </valueHelp>
+    <constraint>
+      <regex>(set|unset|inherit)</regex>
+    </constraint>
+  </properties>
+  <defaultValue>unset</defaultValue>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/interface/parameters-dont-fragment.xml.i b/interface-definitions/include/interface/parameters-dont-fragment.xml.i
deleted file mode 100644
index 6165184f8..000000000
--- a/interface-definitions/include/interface/parameters-dont-fragment.xml.i
+++ /dev/null
@@ -1,8 +0,0 @@
-<!-- include start from interface/parameters-dont-fragment.xml.i -->
-<leafNode name="dont-fragment">
-  <properties>
-    <help>Always set the DF (don't fragment) bit</help>
-    <valueless/>
-  </properties>
-</leafNode>
-<!-- include end -->
diff --git a/interface-definitions/interfaces-geneve.xml.in b/interface-definitions/interfaces-geneve.xml.in
index fa5a78be5..9143ba6be 100644
--- a/interface-definitions/interfaces-geneve.xml.in
+++ b/interface-definitions/interfaces-geneve.xml.in
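Review bot: The top-level help string in the new parameters-df.xml.i writes `don't Fragment` with a capital F while the three valueHelp descriptions below it write `don't fragment`; the CLI shows both side by side in completion output. Suggested: `<help>Usage of the DF (don't fragment) bit in outgoing packets</help>`. The `unset` default matches the previous behaviour of the removed valueless `dont-fragment` node being absent, which is worth stating in the commit message since the rendered `ip link` command now always carries a `df` argument.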
@@ -35,7 +35,7 @@                    <help>IPv4 specific tunnel parameters</help>                  </properties>                  <children> -                  #include <include/interface/parameters-dont-fragment.xml.i> +                  #include <include/interface/parameters-df.xml.i>                    #include <include/interface/parameters-tos.xml.i>                    #include <include/interface/parameters-ttl.xml.i>                  </children> diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in index 9747b1816..8b50fe1b7 100644 --- a/interface-definitions/interfaces-vxlan.xml.in +++ b/interface-definitions/interfaces-vxlan.xml.in @@ -69,7 +69,7 @@                    <help>IPv4 specific tunnel parameters</help>                  </properties>                  <children> -                  #include <include/interface/parameters-dont-fragment.xml.i> +                  #include <include/interface/parameters-df.xml.i>                    #include <include/interface/parameters-tos.xml.i>                    #include <include/interface/parameters-ttl.xml.i>                    <leafNode name="ttl"> diff --git a/python/vyos/configdict.py b/python/vyos/configdict.py index 551c27b67..f50db0c99 100644 --- a/python/vyos/configdict.py +++ b/python/vyos/configdict.py @@ -133,6 +133,9 @@ def leaf_node_changed(conf, path):              elif isinstance(new, type(None)):                  new = []              return list_diff(old, new) +        if old is None and new is not None: +            # node was added to the CLI +            return True      return None diff --git a/python/vyos/ifconfig/geneve.py b/python/vyos/ifconfig/geneve.py index 7cb3968df..276c34cd7 100644 --- a/python/vyos/ifconfig/geneve.py +++ b/python/vyos/ifconfig/geneve.py 
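Review bot: `leaf_node_changed` now returns `True` from the added branch while the neighbouring branch returns a list from `list_diff`, so a caller that iterates or indexes the result (rather than testing truthiness, as the vxlan script in this commit does) will get a bool; that contract should at least be spelled out in the function's docstring, e.g. `Returns None when unchanged, a list of removed values where the old node held values, or True when the node was newly added.` The function header is outside the hunk, so I cannot see whether an earlier branch already returns for `old is None`; if it does, the new check is dead code — please confirm against the full function.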
@@ -42,7 +42,7 @@ class GeneveIf(Interface):
         # arguments used by iproute2. For more information please refer to:
         # - https://man7.org/linux/man-pages/man8/ip-link.8.html
         mapping = {
-            'parameters.ip.dont_fragment': 'df set',
+            'parameters.ip.df'           : 'df',
             'parameters.ip.tos'          : 'tos',
             'parameters.ip.ttl'          : 'ttl',
             'parameters.ipv6.flowlabel'  : 'flowlabel',
diff --git a/python/vyos/ifconfig/vxlan.py b/python/vyos/ifconfig/vxlan.py
index 516a19f24..5baff10a9 100644
--- a/python/vyos/ifconfig/vxlan.py
+++ b/python/vyos/ifconfig/vxlan.py
@@ -57,7 +57,7 @@ class VXLANIf(Interface):
             'group'                      : 'group',
             'external'                   : 'external',
             'gpe'                        : 'gpe',
-            'parameters.ip.dont_fragment': 'df set',
+            'parameters.ip.df'           : 'df',
             'parameters.ip.tos'          : 'tos',
             'parameters.ip.ttl'          : 'ttl',
             'parameters.ipv6.flowlabel'  : 'flowlabel',
diff --git a/smoketest/scripts/cli/test_interfaces_geneve.py b/smoketest/scripts/cli/test_interfaces_geneve.py
index 6233ade6e..430085e7f 100755
--- a/smoketest/scripts/cli/test_interfaces_geneve.py
+++ b/smoketest/scripts/cli/test_interfaces_geneve.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2020-2021 VyOS maintainers and contributors
+# Copyright (C) 2020-2022 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -43,7 +43,7 @@ class GeneveInterfaceTest(BasicInterfaceTest.TestCase):              for option in self._options.get(intf, []):                  self.cli_set(self._base_path + [intf] + option.split()) -            self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'dont-fragment']) +            self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'df', 'set'])              self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'tos', tos])              self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'ttl', str(ttl)])              ttl += 10 diff --git a/smoketest/scripts/cli/test_interfaces_vxlan.py b/smoketest/scripts/cli/test_interfaces_vxlan.py index f34b99ea4..bb85f1936 100755 --- a/smoketest/scripts/cli/test_interfaces_vxlan.py +++ b/smoketest/scripts/cli/test_interfaces_vxlan.py @@ -48,7 +48,7 @@ class VXLANInterfaceTest(BasicInterfaceTest.TestCase):              for option in self._options.get(intf, []):                  self.cli_set(self._base_path + [intf] + option.split()) -            self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'dont-fragment']) +            self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'df', 'set'])              self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'tos', tos])              self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'ttl', str(ttl)])              ttl += 10 diff --git a/smoketest/scripts/cli/test_service_salt.py b/smoketest/scripts/cli/test_service_salt.py index 68f97acb1..d89861342 100755 --- a/smoketest/scripts/cli/test_service_salt.py +++ b/smoketest/scripts/cli/test_service_salt.py @@ -21,6 +21,7 @@ from base_vyostest_shim import VyOSUnitTestSHIM  from vyos.util import process_named_running  from vyos.util import read_file +from vyos.util import cmd  PROCESS_NAME = 'salt-minion'  SALT_CONF = '/etc/salt/minion' 
@@ -52,7 +53,11 @@ class TestServiceSALT(VyOSUnitTestSHIM.TestCase):          self.cli_delete(base_path)          self.cli_commit() -        self.assertFalse(process_named_running(PROCESS_NAME)) +        # For an unknown reason on QEMU systems (e.g. where smoketests are executed +        # from the CI) salt-minion process is not killed by systemd. Apparently +        # no issue on VMWare. +        if cmd('systemd-detect-virt') != 'kvm': +            self.assertFalse(process_named_running(PROCESS_NAME))      def test_default(self):          servers = ['192.0.2.1', '192.0.2.2'] diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 83d1c6d9b..a9be093c2 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -608,7 +608,7 @@ def generate(openvpn):      # Generate User/Password authentication file      if 'authentication' in openvpn: -        render(openvpn['auth_user_pass_file'], 'openvpn/auth.pw.tmpl', openvpn, +        render(openvpn['auth_user_pass_file'], 'openvpn/auth.pw.j2', openvpn,                 user=user, group=group, permission=0o600)      else:          # delete old auth file if present 
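Review bot: `cmd('systemd-detect-virt')` in the new guard will, if `vyos.util.cmd` keeps its default of raising on a non-zero exit status, turn the whole test into an error on bare-metal hosts, because `systemd-detect-virt` exits 1 (printing `none`) when no virtualisation is detected — exactly the environment where the assertion is meant to run. Allowing that exit code keeps the guard working everywhere: `if cmd('systemd-detect-virt', expect=[0, 1]) != 'kvm':`. Silently skipping the assertion on kvm also hides the shutdown problem the comment describes; `self.skipTest('salt-minion is not stopped by systemd under kvm')` in the else path would at least make it visible in the report. The enclosing test method starts above the hunk.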
@@ -624,16 +624,16 @@ def generate(openvpn):              # Our client need's to know its subnet mask ...              client_config['server_subnet'] = dict_search('server.subnet', openvpn) -            render(client_file, 'openvpn/client.conf.tmpl', client_config, +            render(client_file, 'openvpn/client.conf.j2', client_config,                     user=user, group=group)      # we need to support quoting of raw parameters from OpenVPN CLI      # see https://phabricator.vyos.net/T1632 -    render(cfg_file.format(**openvpn), 'openvpn/server.conf.tmpl', openvpn, +    render(cfg_file.format(**openvpn), 'openvpn/server.conf.j2', openvpn,             formater=lambda _: _.replace(""", '"'), user=user, group=group)      # Render 20-override.conf for OpenVPN service -    render(service_file.format(**openvpn), 'openvpn/service-override.conf.tmpl', openvpn, +    render(service_file.format(**openvpn), 'openvpn/service-override.conf.j2', openvpn,             formater=lambda _: _.replace(""", '"'), user=user, group=group)      # Reload systemd services config to apply an override      call(f'systemctl daemon-reload') diff --git a/src/conf_mode/interfaces-vxlan.py b/src/conf_mode/interfaces-vxlan.py index 848112c17..53704827e 100755 --- a/src/conf_mode/interfaces-vxlan.py +++ b/src/conf_mode/interfaces-vxlan.py @@ -23,6 +23,7 @@ from vyos.base import Warning  from vyos.config import Config  from vyos.configdict import get_interface_dict  from vyos.configdict import leaf_node_changed +from vyos.configdict import node_changed  from vyos.configverify import verify_address  from vyos.configverify import verify_bridge_delete  from vyos.configverify import verify_mtu_ipv6 
@@ -51,12 +52,13 @@ def get_config(config=None):      # change. But a VXLAN interface should - of course - not be re-created if      # it's description or IP address is adjusted. Feels somehow logic doesn't it?      for cli_option in ['external', 'gpe', 'group', 'port', 'remote', -                       'source-address', 'source-interface', 'vni', -                       'parameters ip dont-fragment', 'parameters ip tos', -                       'parameters ip ttl']: -        if leaf_node_changed(conf, cli_option.split()): +                       'source-address', 'source-interface', 'vni']: +        if leaf_node_changed(conf, cli_option):              vxlan.update({'rebuild_required': {}}) +    if node_changed(conf, ['parameters'], recursive=True): +        vxlan.update({'rebuild_required': {}}) +      # We need to verify that no other VXLAN tunnel is configured when external      # mode is in use - Linux Kernel limitation      conf.set_level(base) diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py index f6d5071c2..8d9d3e99a 100755 --- a/src/conf_mode/protocols_bgp.py +++ b/src/conf_mode/protocols_bgp.py 
@@ -138,13 +138,20 @@ def verify(bgp):                  if asn == bgp['local_as']:                      raise ConfigError('Cannot have local-as same as BGP AS number') +                # Neighbor AS specified for local-as and remote-as can not be the same +                if dict_search('remote_as', peer_config) == asn: +                     raise ConfigError(f'Neighbor "{peer}" has local-as specified which is '\ +                                        'the same as remote-as, this is not allowed!') +              # ttl-security and ebgp-multihop can't be used in the same configration              if 'ebgp_multihop' in peer_config and 'ttl_security' in peer_config:                  raise ConfigError('You can not set both ebgp-multihop and ttl-security hops') -            # Check if neighbor has both override capability and strict capability match configured at the same time. +            # Check if neighbor has both override capability and strict capability match +            # configured at the same time.              if 'override_capability' in peer_config and 'strict_capability_match' in peer_config: -                raise ConfigError(f'Neighbor "{peer}" cannot have both override-capability and strict-capability-match configured at the same time!') +                raise ConfigError(f'Neighbor "{peer}" cannot have both override-capability and '\ +                                  'strict-capability-match configured at the same time!')              # Check spaces in the password              if 'password' in peer_config and ' ' in peer_config['password']: diff --git a/src/etc/systemd/system/salt-minion.service.d/override.conf b/src/etc/systemd/system/salt-minion.service.d/override.conf deleted file mode 100644 index b0e00550f..000000000 --- a/src/etc/systemd/system/salt-minion.service.d/override.conf +++ /dev/null @@ -1,3 +0,0 @@ -[Service] -SendSIGKILL=yes -FinalKillSignal=SIGQUIT | 
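Review bot: The new `raise ConfigError(...)` under the remote-as check appears to be indented one column deeper than the surrounding bodies (21 spaces instead of 20), and both it and the reworded override-capability `raise` use a backslash continuation inside an open parenthesis, which the parser does not need. Suggested form, matching the rest of the file: `raise ConfigError(f'Neighbor "{peer}" has local-as specified which is '` followed by `'the same as remote-as, this is not allowed!')` aligned under the opening quote, with the same treatment for the second message. The `for` loop that binds `asn`, `peer` and `peer_config` starts above the hunk.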
