-rw-r--r-- | debian/changelog | 5 | ||||
-rw-r--r-- | interface-definitions/dhcp-relay.xml | 13 | ||||
-rw-r--r-- | interface-definitions/dhcpv6-relay.xml | 13 | ||||
-rw-r--r-- | interface-definitions/wireguard.xml | 4 | ||||
-rw-r--r-- | op-mode-definitions/show-systemintegrity.xml | 14 | ||||
-rw-r--r-- | python/vyos/component_versions.py | 57 | ||||
-rwxr-xr-x | src/conf_mode/dhcp_relay.py | 8 | ||||
-rwxr-xr-x | src/conf_mode/dhcpv6_relay.py | 8 | ||||
-rwxr-xr-x | src/conf_mode/wireguard.py | 11 | ||||
-rwxr-xr-x | src/migration-scripts/dhcp-relay/1-to-2 | 35 | ||||
-rwxr-xr-x | src/op_mode/system_integrity.py | 69 |
11 files changed, 187 insertions, 50 deletions
diff --git a/debian/changelog b/debian/changelog
index 1d0d37d51..d60c36316 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,8 @@
+vyos-1x (1.2.0-4) unstable; urgency=medium
+
+  * T240 adds feature system integrity check
+
+ -- hagbard <vyosdev@derith.de> Mon, 29 Oct 2018 11:10:18 -0700
 vyos-1x (1.2.0-3) unstable; urgency=medium
   * T933: adding vmac_xmit_base if use_vmac has been chosen
diff --git a/interface-definitions/dhcp-relay.xml b/interface-definitions/dhcp-relay.xml
index c918d25a3..f4cb36eea 100644
--- a/interface-definitions/dhcp-relay.xml
+++ b/interface-definitions/dhcp-relay.xml
@@ -49,19 +49,6 @@
 <constraintErrorMessage>max-size must be a value between 64 and 1400</constraintErrorMessage>
 </properties>
 </leafNode>
- <leafNode name="port">
- <properties>
- <help>Port number to listen on</help>
- <valueHelp>
- <format>1-65535</format>
- <description>Port to listen on</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 1-65535"/>
- </constraint>
- <constraintErrorMessage>port must be a value between 1 and 65535</constraintErrorMessage>
- </properties>
- </leafNode>
 <leafNode name="relay-agents-packets">
 <properties>
 <help>Policy to handle incoming DHCPv4 packets which already contain relay agent options (default: forward)</help>
diff --git a/interface-definitions/dhcpv6-relay.xml b/interface-definitions/dhcpv6-relay.xml
index d6e6daf51..15c76a098 100644
--- a/interface-definitions/dhcpv6-relay.xml
+++ b/interface-definitions/dhcpv6-relay.xml
@@ -31,19 +31,6 @@
 </leafNode>
 </children>
 </tagNode>
- <leafNode name="listen-port">
- <properties>
- <help>UDP port to listen for requests on</help>
- <valueHelp>
- <format>1-65535</format>
- <description>Port to listen on</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 1-65535"/>
- </constraint>
- <constraintErrorMessage>port must be a value between 1 and 65535</constraintErrorMessage>
- </properties>
- </leafNode>
 <leafNode name="max-hop-count">
 <properties>
 <help>Maximum hop count for which requests will be processed</help>
diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml
index 575637ac9..3bf7bcd33 100644
--- a/interface-definitions/wireguard.xml
+++ b/interface-definitions/wireguard.xml
@@ -34,7 +34,7 @@
 <properties>
 <help>description</help>
 <constraint>
- <regex>.[^ ]{1,100}$</regex>
+ <regex>[^ ]{1,100}$</regex>
 </constraint>
 <constraintErrorMessage>interface description is too long (limit 100 characters)</constraintErrorMessage>
 </properties>
@@ -71,7 +71,7 @@
 <properties>
 <help>peer alias</help>
 <constraint>
- <regex>.[^ ]{1,100}$</regex>
+ <regex>[^ ]{1,100}$</regex>
 </constraint>
 <constraintErrorMessage>peer alias too long (limit 100 characters)</constraintErrorMessage>
 </properties>
diff --git a/op-mode-definitions/show-systemintegrity.xml b/op-mode-definitions/show-systemintegrity.xml
new file mode 100644
index 000000000..44b5faf68
--- /dev/null
+++ b/op-mode-definitions/show-systemintegrity.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0"?>
+
+<interfaceDefinition>
+ <node name="show">
+ <children>
+ <leafNode name= "system-integrity">
+ <properties>
+ <help>checks the integrity of the system</help>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/system_integrity.py</command>
+ </leafNode>
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/python/vyos/component_versions.py b/python/vyos/component_versions.py
new file mode 100644
index 000000000..ec54a1576
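Review bot: The new `[^ ]{1,100}$` in both wireguard.xml constraints (interface description and peer alias) is anchored only at the end, so unless the validator implicitly anchors patterns at the start it accepts any value whose final 1–100 characters contain no space — a 500-character description passes and the "limit 100 characters" error is never produced. Dropping the leading `.` does fix the old pattern, which rejected one-character values and let the first character be a space, but the start anchor is still missing; `<regex>^[^ ]{1,100}$</regex>` makes the constraint enforce what its error message claims. Note also that `[^ ]` still admits quotes, backslashes and other shell metacharacters; whether that matters depends on how wireguard.py consumes these values, which is not in this hunk.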
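Review bot: `<command>sudo ${vyos_op_scripts_dir}/system_integrity.py</command>` runs the checker as root, but as far as the script in this commit shows it only executes version.py and stat()s files under /var/lib/dpkg/info/, neither of which should need privileges; dropping `sudo` keeps a new root entry point out of the operator-level CLI. If root really is required for something not visible here, a comment in this file saying why would stop the next reviewer from removing it. Minor: `name= "system-integrity"` has a stray space before the quote where every other definition in this diff writes `name="..."`.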
--- /dev/null
+++ b/python/vyos/component_versions.py
@@ -0,0 +1,57 @@
+# Copyright 2017 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+"""
+The version data looks like:
+
+/* Warning: Do not remove the following line. */
+/* === vyatta-config-version:
+"cluster@1:config-management@1:conntrack-sync@1:conntrack@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@4:qos@1:quagga@2:system@8:vrrp@1:wanloadbalance@3:webgui@1:webproxy@1:zone-policy@1"
+=== */
+/* Release version: 1.2.0-rolling+201806131737 */
+"""
+
+import re
+
+def get_component_version(string_line):
+    """
+    Get component version dictionary from string
+    return empty dictionary if string contains no config information
+    or raise error if component version string malformed
+    """
+    return_value = {}
+    if re.match(r'/\* === vyatta-config-version:.+=== \*/$', string_line):
+
+        if not re.match(r'/\* === vyatta-config-version:\s+"([\w,-]+@\d+:)+([\w,-]+@\d+)"\s+=== \*/$', string_line):
+            raise ValueError("malformed configuration string: " + str(string_line))
+
+        for pair in re.findall(r'([\w,-]+)@(\d+)', string_line):
+            if pair[0] in return_value.keys():
+                raise ValueError("duplicate unit name: \"" + str(pair[0]) + "\" in string: \"" + string_line + "\"")
+            return_value[pair[0]] = int(pair[1])
+
+    return return_value
+
+
+def get_component_versions_from_file(config_file_name='/opt/vyatta/etc/config/config.boot'):
+    """
+    Get component version dictionary parsing config file line by line
+    """
+    f = open(config_file_name, 'r')
+    for line_in_config in f:
+        component_version = return_version(line_in_config)
+        if component_version:
+            return component_version
+    raise ValueError("no config string in file:", config_file_name)
diff --git a/src/conf_mode/dhcp_relay.py b/src/conf_mode/dhcp_relay.py
index 61b494b7e..1b2abed9e 100755
--- a/src/conf_mode/dhcp_relay.py
+++ b/src/conf_mode/dhcp_relay.py
@@ -43,14 +43,13 @@ SERVERS="{{ server | join(' ') }}"
 INTERFACES="{{ interface | join(' ') }}"
 # Additional options that are passed to the DHCP relay daemon?
-OPTIONS="-4 {% if port -%} -p {{ port }}{%- endif %} {{ options | join(' ') }}"
+OPTIONS="-4 {{ options | join(' ') }}"
 """
 default_config_data = {
     'interface': [],
     'server': [],
     'options': [],
-    'port': '',
     'hop_count': '10',
     'relay_agent_packets': 'forward'
 }
@@ -86,11 +85,6 @@ def get_config():
     size = '-A ' + conf.return_value('max-size')
     relay['options'].append(size)
-    # Listen and transmit on port <xy>. This is mostly useful for debugging
-    # purposes. Default is port 67 for DHCPv4/BOOTP, or port 547 for DHCPv6.
-    if conf.exists('port'):
-        relay['port'] = conf.return_value('port')
-
     # Control the handling of incoming DHCPv4 packets which already contain
     # relay agent options. If such a packet does not have giaddr set in its
     # header, the DHCP standard requires that the packet be discarded. However,
diff --git a/src/conf_mode/dhcpv6_relay.py b/src/conf_mode/dhcpv6_relay.py
index 959bf0496..86e3f8265 100755
--- a/src/conf_mode/dhcpv6_relay.py
+++ b/src/conf_mode/dhcpv6_relay.py
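Review bot: `get_component_versions_from_file` calls `return_version(line_in_config)`, a name defined nowhere in this module, so the function raises NameError on the first line it reads instead of returning the version dictionary; the intended call is `get_component_version`. The handle from `f = open(config_file_name, 'r')` is also never closed on either the early return or the raise, and a `with` block fixes both points at once. The final `raise ValueError("no config string in file:", config_file_name)` passes two arguments, which renders as a tuple in the traceback; a single concatenated message reads better.
```python
def get_component_versions_from_file(config_file_name='/opt/vyatta/etc/config/config.boot'):
    # … unchanged: docstring …
    with open(config_file_name, 'r') as f:
        for line_in_config in f:
            component_version = get_component_version(line_in_config)
            if component_version:
                return component_version
    raise ValueError("no config string in file: " + str(config_file_name))
```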
@@ -31,13 +31,12 @@ config_tmpl = """
 # Defaults for isc-dhcpv6-relay initscript sourced by /etc/init.d/isc-dhcpv6-relay
-OPTIONS="-6 -l {{ listen_addr | join('-l ') }} {% if port -%} -p {{ port }}{%- endif %} {{ options | join(' ') }} -u {{ upstream_addr | join('-u ') }}"
+OPTIONS="-6 -l {{ listen_addr | join('-l ') }} {{ options | join(' ') }} -u {{ upstream_addr | join('-u ') }}"
 """
 default_config_data = {
     'listen_addr': [],
     'upstream_addr': [],
-    'port': '',
     'options': [],
 }
@@ -65,11 +64,6 @@ def get_config():
         server = addr + '%' + intf
         relay['upstream_addr'].append(server)
-    # Listen and transmit on port <xy>. This is mostly useful for debugging
-    # purposes. Default is port 67 for DHCPv4/BOOTP, or port 547 for DHCPv6.
-    if conf.exists('listen-port'):
-        relay['port'] = conf.return_value('listen-port')
-
     # Maximum hop count. When forwarding packets, dhcrelay discards packets
     # which have reached a hop count of COUNT. Default is 10. Maximum is 255.
     if conf.exists('max-hop-count'):
diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py
index c6440ad81..3c8ade1db 100755
--- a/src/conf_mode/wireguard.py
+++ b/src/conf_mode/wireguard.py
@@ -295,18 +295,13 @@ def configure_interface(c, intf):
         os.remove(psk_file)
 def add_addr(intf, addr):
+    # see https://phabricator.vyos.net/T949
     ret = subprocess.call(['ip a a dev ' + intf + ' ' + addr + ' &>/dev/null'], shell=True)
-    if ret != 0:
-        raise ConfigError('Can\'t set IP ' + addr + ' on ' + intf)
-    else:
-        sl.syslog(sl.LOG_NOTICE, "ip a a dev " + intf + " " + addr)
+    sl.syslog(sl.LOG_NOTICE, "ip a a dev " + intf + " " + addr)
 def del_addr(intf, addr):
     ret = subprocess.call(['ip a d dev ' + intf + ' ' + addr + ' &>/dev/null'], shell=True)
-    if ret != 0:
-        raise ConfigError('Can\'t delete IP ' + addr + ' on ' + intf)
-    else:
-        sl.syslog(sl.LOG_NOTICE, "ip a d dev " + intf + " " + addr)
+    sl.syslog(sl.LOG_NOTICE, "ip a d dev " + intf + " " + addr)
 if __name__ == '__main__':
     try:
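Review bot: Removing the `ret != 0` checks in `add_addr` and `del_addr` makes a failed `ip address add/del` silent while the syslog line that follows still records the change as done, so a commit can complete with the interface missing an address and the log saying otherwise; `ret` is now assigned and never read. If T949 is about the "File exists" failure when re-adding an address (not visible here), the idempotent fix is `ip address replace` rather than ignoring every error. Independently, the command is a single string run with `shell=True`, and `&>/dev/null` is a bash redirection: if `/bin/sh` is dash, that string parses as `ip ... &` followed by `>/dev/null`, so the command is backgrounded and the exit status was always 0, which would explain why the old check never fired. Passing an argv list with `stdout`/`stderr=subprocess.DEVNULL` avoids both the shell and any quoting concern around `intf` and `addr`. `configure_interface` begins before this hunk.
```python
def add_addr(intf, addr):
    # see https://phabricator.vyos.net/T949 -- 'replace' makes re-adding an
    # already configured address a no-op instead of an error
    ret = subprocess.call(['ip', 'address', 'replace', 'dev', intf, addr],
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    if ret != 0:
        raise ConfigError('Can\'t set IP ' + addr + ' on ' + intf)
    sl.syslog(sl.LOG_NOTICE, "ip a a dev " + intf + " " + addr)

def del_addr(intf, addr):
    ret = subprocess.call(['ip', 'address', 'del', 'dev', intf, addr],
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    if ret != 0:
        raise ConfigError('Can\'t delete IP ' + addr + ' on ' + intf)
    sl.syslog(sl.LOG_NOTICE, "ip a d dev " + intf + " " + addr)
```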
diff --git a/src/migration-scripts/dhcp-relay/1-to-2 b/src/migration-scripts/dhcp-relay/1-to-2
new file mode 100755
index 000000000..b72da1028
--- /dev/null
+++ b/src/migration-scripts/dhcp-relay/1-to-2
@@ -0,0 +1,35 @@
+#!/usr/bin/env python3
+
+# Delete "set service dhcp-relay relay-options port" option
+# Delete "set service dhcpv6-relay listen-port" option
+
+import sys
+
+from vyos.configtree import ConfigTree
+
+if (len(sys.argv) < 1):
+    print("Must specify file name!")
+    sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+
+if not (config.exists(['service', 'dhcp-relay', 'relay-options', 'port']) or config.exists(['service', 'dhcpv6-relay', 'listen-port'])):
+    # Nothing to do
+    sys.exit(0)
+else:
+    # Delete abandoned node
+    config.delete(['service', 'dhcp-relay', 'relay-options', 'port'])
+    # Delete abandoned node
+    config.delete(['service', 'dhcpv6-relay', 'listen-port'])
+
+    try:
+        with open(file_name, 'w') as f:
+            f.write(config.to_string())
+    except OSError as e:
+        print("Failed to save the modified config: {}".format(e))
+        sys.exit(1)
diff --git a/src/op_mode/system_integrity.py b/src/op_mode/system_integrity.py
new file mode 100755
index 000000000..886d94f16
--- /dev/null
+++ b/src/op_mode/system_integrity.py
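Review bot: `if (len(sys.argv) < 1):` can never be true because `sys.argv[0]` is always present, so running the script without a file name falls through to `sys.argv[1]` and dies with an IndexError instead of printing "Must specify file name!"; it should read `if len(sys.argv) < 2:`. The else branch then calls `config.delete` on both paths even when only one of them exists, and whether ConfigTree.delete tolerates a missing path is not visible here, so guard each delete with its own `if config.exists([...]):`. Since this script also edits the `dhcpv6-relay` subtree, a one-line comment explaining why it lives under migration-scripts/dhcp-relay (presumably because it is keyed on that component's version) would save the next reader a search.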
@@ -0,0 +1,69 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2018 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+import sys
+import os
+import subprocess
+import re
+import itertools
+from datetime import datetime, timedelta
+
+verf = r'/usr/libexec/vyos/op_mode/version.py'
+
+def get_sys_build_version():
+    if not os.path.exists(verf):
+        return None
+
+    a = subprocess.check_output(['/usr/libexec/vyos/op_mode/version.py']).decode()
+    if re.search('^Built on:.+',a, re.M) == None:
+        return None
+
+    dt = ( re.sub('Built on: +','', re.search('^Built on:.+',a, re.M).group(0)) )
+    return datetime.strptime(dt,'%a %d %b %Y %H:%M %Z')
+
+def check_pkgs(dt):
+    pkg_diffs = {
+        'buildtime' : str(dt),
+        'pkg' : {}
+    }
+
+    pkg_info = os.listdir('/var/lib/dpkg/info/')
+    for file in pkg_info:
+        if re.search('\.list$', file):
+            fts = os.stat('/var/lib/dpkg/info/' + file).st_mtime
+            dt_str = (datetime.utcfromtimestamp(fts).strftime('%Y-%m-%d %H:%M:%S'))
+            fdt = datetime.strptime(dt_str, '%Y-%m-%d %H:%M:%S')
+            if fdt > dt:
+                pkg_diffs['pkg'].update( { str(re.sub('\.list','',file)) : str(fdt)})
+
+    if len(pkg_diffs['pkg']) != 0:
+        return pkg_diffs
+    else:
+        return None
+
+def main():
+    dt = get_sys_build_version()
+    pkgs = check_pkgs(dt)
+    if pkgs != None:
+        print ("The following packages don\'t fit the image creation time\nbuild time:\t" + pkgs['buildtime'])
+        for k, v in pkgs['pkg'].items():
+            print ("installed: " + v + '\t' + k)
+
+if __name__ == '__main__':
+    sys.exit( main() )
+
|
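Review bot: `main()` hands the result of `get_sys_build_version()` straight to `check_pkgs`, but that function returns `None` when version.py is absent or prints no "Built on:" line, and `fdt > dt` then raises TypeError on the first `.list` file; guard it with `if dt is None:` / `print("Cannot determine image build time")` / `return 1`. The comparison is also between a naive datetime parsed via `%Z` from the build string and a naive `utcfromtimestamp` value, so it is only meaningful when the build timestamp is in UTC — worth a comment on the `strptime` line. More fundamentally, comparing dpkg `.list` mtimes against the build time is a drift heuristic rather than an integrity check, since anyone able to install a package can also reset the file's mtime, so the module docstring (and the CLI help text) should describe it as listing packages installed after the image was built, not as detecting tampering. Minor: `'\.list$'` and `'\.list'` should be raw strings, the `verf` constant is not reused in the `check_output` call two lines below it, and `itertools`/`timedelta` are imported but unused.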