-rw-r--r-- | data/templates/ntp/override.conf.tmpl | 13 | ||||
-rw-r--r-- | data/templates/snmp/override.conf.tmpl | 14 | ||||
-rw-r--r-- | data/templates/ssh/override.conf.tmpl | 12 | ||||
-rw-r--r-- | interface-definitions/vrf.xml.in | 2 | ||||
-rwxr-xr-x | src/conf_mode/flow_accounting_conf.py | 6 | ||||
-rwxr-xr-x | src/conf_mode/intel_qat.py | 10 | ||||
-rwxr-xr-x | src/conf_mode/protocols_igmp.py | 2 | ||||
-rwxr-xr-x | src/conf_mode/protocols_mpls.py | 2 | ||||
-rwxr-xr-x | src/conf_mode/protocols_rip.py | 2 | ||||
-rwxr-xr-x | src/conf_mode/protocols_static_multicast.py | 2 | ||||
-rwxr-xr-x | src/conf_mode/snmp.py | 21 | ||||
-rwxr-xr-x | src/conf_mode/vrf.py | 4 |
12 files changed, 53 insertions, 37 deletions
diff --git a/data/templates/ntp/override.conf.tmpl b/data/templates/ntp/override.conf.tmpl index 69a73b128..466638e5a 100644 --- a/data/templates/ntp/override.conf.tmpl +++ b/data/templates/ntp/override.conf.tmpl @@ -1,8 +1,11 @@ +{% set vrf_command = '/sbin/ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} +[Unit] +StartLimitIntervalSec=0 +After=vyos-router.service + [Service] ExecStart= -{% if vrf %} -ExecStart=/sbin/ip vrf exec {{ vrf }} /usr/lib/ntp/ntp-systemd-wrapper -{% else %} -ExecStart=/usr/lib/ntp/ntp-systemd-wrapper -{% endif %} +ExecStart={{vrf_command}}/usr/lib/ntp/ntp-systemd-wrapper +Restart=on-failure +RestartSec=10 diff --git a/data/templates/snmp/override.conf.tmpl b/data/templates/snmp/override.conf.tmpl index 1eb8f20a9..e6302a9e1 100644 --- a/data/templates/snmp/override.conf.tmpl +++ b/data/templates/snmp/override.conf.tmpl @@ -1,9 +1,13 @@ +{% set vrf_command = '/sbin/ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} +[Unit] +StartLimitIntervalSec=0 +After=vyos-router.service + [Service] Environment= Environment="MIBSDIR=/usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf:/usr/share/mibs/site:/usr/share/snmp/mibs:/usr/share/mibs/iana:/usr/share/mibs/ietf:/usr/share/mibs/netsnmp" ExecStart= -{% if vrf %} -ExecStart=/sbin/ip vrf exec {{ vrf }} /usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -ipCidrRouteTable,inetCidrRouteTable -f -p /run/snmpd.pid -{% else %} -ExecStart=/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -ipCidrRouteTable,inetCidrRouteTable -f -p /run/snmpd.pid -{% endif %} +ExecStart={{vrf_command}}/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -ipCidrRouteTable,inetCidrRouteTable -f -p /run/snmpd.pid +Restart=on-failure +RestartSec=10 + diff --git a/data/templates/ssh/override.conf.tmpl b/data/templates/ssh/override.conf.tmpl index 1013d4b48..4276366ae 100644 --- a/data/templates/ssh/override.conf.tmpl 
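Review bot: The new `vrf_command` line tests `vrf is defined`, while the removed `{% if vrf %}` tested truthiness, so a `vrf` that is defined but empty now renders `/sbin/ip vrf exec` with no VRF name in front of the daemon path, and a `None` value would fail on the string concatenation. The same line is added to the snmp and ssh override templates. snmp.py in this commit drops its empty `'vrf': ''` default, but the ntp and ssh callers are not visible here. Guarding with `if vrf is defined and vrf` keeps the previous behaviour. The value also lands unquoted in `ExecStart=`, where systemd splits on whitespace, so it is worth confirming that every caller validates the VRF name before rendering, as snmp.py does with `verify_vrf(snmp)`.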
+++ b/data/templates/ssh/override.conf.tmpl @@ -1,8 +1,10 @@ +{% set vrf_command = '/sbin/ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} +[Unit] +StartLimitIntervalSec=0 +After=vyos-router.service + [Service] ExecStart= -{% if vrf %} -ExecStart=/sbin/ip vrf exec {{ vrf }} /usr/sbin/sshd -D $SSHD_OPTS -{% else %} -ExecStart=/usr/sbin/sshd -D $SSHD_OPTS -{% endif %} +ExecStart={{vrf_command}}/usr/sbin/sshd -D $SSHD_OPTS +RestartSec=10 diff --git a/interface-definitions/vrf.xml.in b/interface-definitions/vrf.xml.in index 9b9828ddd..159f4ea3e 100644 --- a/interface-definitions/vrf.xml.in +++ b/interface-definitions/vrf.xml.in @@ -4,7 +4,7 @@ <properties> <help>Virtual Routing and Forwarding</help> <!-- must be before any interface creation --> - <priority>210</priority> + <priority>60</priority> </properties> <children> <leafNode name="bind-to-all"> diff --git a/src/conf_mode/flow_accounting_conf.py b/src/conf_mode/flow_accounting_conf.py index a9ebab53e..b7e73eaeb 100755 --- a/src/conf_mode/flow_accounting_conf.py +++ b/src/conf_mode/flow_accounting_conf.py @@ -84,7 +84,7 @@ def _iptables_get_nflog(): for iptables_variant in ['iptables', 'ip6tables']: # run iptables, save output and split it by lines - iptables_command = "sudo {0} -t {1} -S {2}".format(iptables_variant, iptables_nflog_table, iptables_nflog_chain) + iptables_command = f'{iptables_variant} -t {iptables_nflog_table} -S {iptables_nflog_chain}' tmp = cmd(iptables_command, message='Failed to get flows list') # parse each line and add information to list @@ -118,7 +118,7 @@ def _iptables_config(configured_ifaces): if interface not in configured_ifaces: table = rule['table'] rule = rule['rule_definition'] - iptable_commands.append(f'sudo {iptables} -t {table} -D {rule}') + iptable_commands.append(f'{iptables} -t {table} -D {rule}') else: active_nflog_ifaces.append({ 'iface': interface, 
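Review bot: `RestartSec=10` is added to the ssh override without a `Restart=` line, whereas the ntp and snmp overrides in this commit add `Restart=on-failure` next to it. RestartSec only matters when a restart policy is set, so unless the packaged ssh.service already sets one (not visible here) the new line has no effect. Either add `Restart=on-failure` or leave a comment saying the policy is inherited from the packaged unit. `StartLimitIntervalSec=0` in the same file disables restart rate limiting, so a persistently failing sshd would be retried indefinitely and should be caught by monitoring rather than by systemd giving up.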
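Review bot: In `_iptables_config` the delete command interpolates `rule`, taken from the parsed rule listing, and the insert command in the following hunk interpolates `iface` into one command string. If `cmd()` passes that string to a shell (its implementation is not shown here), any shell metacharacter in those values would be interpreted with the privileges the script already runs under. Quoting the single-token value, `-i {shlex.quote(iface)}` in `rule_definition`, or passing an argument list would remove that dependency on upstream validation; `shlex` would need to be imported. Both function bodies extend outside these hunks.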
@@ -135,7 +135,7 @@ def _iptables_config(configured_ifaces): iface = iface_extended['iface'] iptables = iface_extended['iptables_variant'] rule_definition = f'{iptables_nflog_chain} -i {iface} -m comment --comment FLOW_ACCOUNTING_RULE -j NFLOG --nflog-group 2 --nflog-size {default_captured_packet_size} --nflog-threshold 100' - iptable_commands.append(f'sudo {iptables} -t {iptables_nflog_table} -I {rule_definition}') + iptable_commands.append(f'{iptables} -t {iptables_nflog_table} -I {rule_definition}') # change iptables for command in iptable_commands: diff --git a/src/conf_mode/intel_qat.py b/src/conf_mode/intel_qat.py index 0b2d318fd..742f09a54 100755 --- a/src/conf_mode/intel_qat.py +++ b/src/conf_mode/intel_qat.py @@ -54,8 +54,8 @@ def get_config(): def vpn_control(action): # XXX: Should these commands report failure if action == 'restore' and gl_ipsec_conf: - return run('sudo ipsec start') - return run(f'sudo ipsec {action}') + return run('ipsec start') + return run(f'ipsec {action}') def verify(c): # Check if QAT service installed @@ -66,7 +66,7 @@ def verify(c): return # Check if QAT device exist - output, err = popen('sudo lspci -nn', decode='utf-8') + output, err = popen('lspci -nn', decode='utf-8') if not err: data = re.findall('(8086:19e2)|(8086:37c8)|(8086:0435)|(8086:6f54)', output) #If QAT devices found @@ -81,13 +81,13 @@ def apply(c): # Disable QAT service if c['qat_conf'] == None: - run('sudo /etc/init.d/qat_service stop') + run('/etc/init.d/qat_service stop') if c['ipsec_conf']: vpn_control('start') return # Run qat init.d script - run('sudo /etc/init.d/qat_service start') + run('/etc/init.d/qat_service start') if c['ipsec_conf']: # Recovery VPN service vpn_control('start') diff --git a/src/conf_mode/protocols_igmp.py b/src/conf_mode/protocols_igmp.py index 6f0e2010f..ca148fd6a 100755 --- a/src/conf_mode/protocols_igmp.py +++ b/src/conf_mode/protocols_igmp.py 
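Review bot: In `apply` the results of `run('/etc/init.d/qat_service start')`, `run('/etc/init.d/qat_service stop')` and `vpn_control('start')` are discarded, so a failed QAT start or IPsec restart goes unnoticed. The `XXX: Should these commands report failure` comment in `vpn_control` points at the same gap. With `sudo` removed, these commands also depend on the script already running as root, and a permission failure would be just as silent. Assuming `run()` returns the exit status, check it, for example `if run('/etc/init.d/qat_service start') != 0: raise ConfigError('QAT service failed to start')`, with `ConfigError` in scope in this file. `apply` continues outside the hunk.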
@@ -97,7 +97,7 @@ def apply(igmp): return None if os.path.exists(config_file): - call("sudo vtysh -d pimd -f " + config_file) + call(f'vtysh -d pimd -f {config_file}') os.remove(config_file) return None diff --git a/src/conf_mode/protocols_mpls.py b/src/conf_mode/protocols_mpls.py index 15785a801..72208ffa1 100755 --- a/src/conf_mode/protocols_mpls.py +++ b/src/conf_mode/protocols_mpls.py @@ -153,7 +153,7 @@ def apply(mpls): operate_mpls_on_intfc(diactive_ifaces, 0) if os.path.exists(config_file): - call("sudo vtysh -d ldpd -f " + config_file) + call(f'vtysh -d ldpd -f {config_file}') os.remove(config_file) return None diff --git a/src/conf_mode/protocols_rip.py b/src/conf_mode/protocols_rip.py index c5ac26806..4f8816d61 100755 --- a/src/conf_mode/protocols_rip.py +++ b/src/conf_mode/protocols_rip.py @@ -297,7 +297,7 @@ def apply(rip): return None if os.path.exists(config_file): - call("sudo vtysh -d ripd -f " + config_file) + call(f'vtysh -d ripd -f {config_file}') os.remove(config_file) else: print("File {0} not found".format(config_file)) diff --git a/src/conf_mode/protocols_static_multicast.py b/src/conf_mode/protocols_static_multicast.py index eeab26d4d..232d1e181 100755 --- a/src/conf_mode/protocols_static_multicast.py +++ b/src/conf_mode/protocols_static_multicast.py @@ -101,7 +101,7 @@ def apply(mroute): return None if os.path.exists(config_file): - call("sudo vtysh -d staticd -f " + config_file) + call(f'vtysh -d staticd -f {config_file}') os.remove(config_file) return None diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py index eb0d20654..bafd26edc 100755 --- a/src/conf_mode/snmp.py +++ b/src/conf_mode/snmp.py @@ -22,6 +22,7 @@ from time import sleep from sys import exit from vyos.config import Config +from vyos.configverify import verify_vrf from vyos.validate import is_ipv4, is_addr_assigned from vyos.version import get_version_data from vyos import ConfigError 
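Review bot: The exit status of `call(f'vtysh -d pimd -f {config_file}')` in `apply` is ignored and `os.remove(config_file)` runs regardless, so a configuration that the daemon rejects leaves neither an error nor a file to inspect. The same pattern appears in the `apply` hunks of protocols_mpls.py, protocols_rip.py and protocols_static_multicast.py. snmp.py in this commit compares `call(...)` with 0, so the status appears to be available. Suggest `rc = call(f'vtysh -d pimd -f {config_file}')` and raising or warning when `rc != 0` before the file is removed.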
@@ -67,8 +68,7 @@ default_config_data = { 'v3_traps': [], 'v3_users': [], 'v3_views': [], - 'script_ext': [], - 'vrf': '' + 'script_ext': [] } def rmfile(file): @@ -191,6 +191,9 @@ def get_config(): snmp['script_ext'].append(extension) if conf.exists('vrf'): + # Append key to dict but don't place it in the default dictionary. + # This is required to make the override.conf.tmpl work until we + # migrate to get_config_dict(). snmp['vrf'] = conf.return_value('vrf') @@ -416,8 +419,7 @@ def verify(snmp): else: print('WARNING: SNMP listen address {0} not configured!'.format(addr)) - if snmp['vrf'] and snmp['vrf'] not in interfaces(): - raise ConfigError('VRF "{vrf}" does not exist'.format(**snmp)) + verify_vrf(snmp) # bail out early if SNMP v3 is not configured if not snmp['v3_enabled']: @@ -550,15 +552,20 @@ def apply(snmp): # start SNMP daemon call("systemctl restart snmpd.service") - while (call('systemctl -q is-active snmpd.service') != 0): - print("service not yet started") - sleep(0.5) + if 'vrf' not in snmp.keys(): + # service will be restarted multiple times later on + while (call('systemctl -q is-active snmpd.service') != 0): + sleep(0.5) # net-snmp is now regenerating the configuration file in the background # thus we need to re-open and re-read the file as the content changed. # After that we can no read the encrypted password from the config and # replace the CLI plaintext password with its encrypted version. os.environ["vyos_libexec_dir"] = "/usr/libexec/vyos" + + # XXX: actually this whole logic makes less sense - why not calculate the + # password hashed on our own and write them back into the config? I see + # no valid reason in waiting for a third party process to do so. with open(config_file_user, 'r') as f: engineID = '' for line in f: diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py index d3327b3c7..56ca813ff 100755 --- a/src/conf_mode/vrf.py +++ b/src/conf_mode/vrf.py 
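Review bot: When `vrf` is set, `apply` now skips the wait for snmpd and goes straight on to read `config_file_user`, which the surrounding comment says net-snmp regenerates in the background with the encrypted passwords. If the file has not been rewritten yet, the plaintext-to-encrypted replacement may silently not happen and the CLI config would keep the plaintext password; this is inferred from the comments, since the rest of the loop lies outside the hunk. The non-VRF branch still waits without a bound and no longer prints anything, so a daemon that never becomes active would hang the commit with no output. Suggest bounding that loop with a retry limit, confirming the hashed keys were actually found before replacing anything, and writing the test as `if 'vrf' not in snmp:`.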
@@ -201,8 +201,8 @@ def apply(vrf_config): for vrf in vrf_config['vrf_remove']: name = vrf['name'] if os.path.isdir(f'/sys/class/net/{name}'): - _cmd(f'sudo ip -4 route del vrf {name} unreachable default metric 4278198272') - _cmd(f'sudo ip -6 route del vrf {name} unreachable default metric 4278198272') + _cmd(f'ip -4 route del vrf {name} unreachable default metric 4278198272') + _cmd(f'ip -6 route del vrf {name} unreachable default metric 4278198272') _cmd(f'ip link delete dev {name}') for vrf in vrf_config['vrf_add']: |