7 files changed, 29 insertions, 22 deletions

diff --git a/interface-definitions/policy-local-route.xml.in b/interface-definitions/policy-local-route.xml.in
index 573a7963f..d969613b1 100644
--- a/interface-definitions/policy-local-route.xml.in
+++ b/interface-definitions/policy-local-route.xml.in
@@ -146,11 +146,11 @@
                 <properties>
                   <help>Source address or prefix</help>
                   <valueHelp>
-                    <format>ipv4</format>
+                    <format>ipv6</format>
                     <description>Address to match against</description>
                   </valueHelp>
                   <valueHelp>
-                    <format>ipv4net</format>
+                    <format>ipv6net</format>
                     <description>Prefix to match against</description>
                   </valueHelp>
                   <constraint>
diff --git a/interface-definitions/service_conntrack-sync.xml.in b/interface-definitions/service_conntrack-sync.xml.in
index 32efa7323..6fa6fc5f9 100644
--- a/interface-definitions/service_conntrack-sync.xml.in
+++ b/interface-definitions/service_conntrack-sync.xml.in
@@ -5,7 +5,8 @@
       <node name="conntrack-sync" owner="${vyos_conf_scripts_dir}/conntrack_sync.py">
         <properties>
           <help>Connection tracking synchronization</help>
-          <priority>995</priority>
+          <!-- before VRRP / HA -->
+          <priority>799</priority>
         </properties>
         <children>
           <leafNode name="accept-protocol">
diff --git a/src/conf_mode/conntrack_sync.py b/src/conf_mode/conntrack_sync.py
index 311e01529..c4b2bb488 100755
--- a/src/conf_mode/conntrack_sync.py
+++ b/src/conf_mode/conntrack_sync.py
@@ -116,6 +116,7 @@ def generate(conntrack):
     return None
 
 def apply(conntrack):
+    systemd_service = 'conntrackd.service'
     if not conntrack:
         # Failover mechanism daemon should be indicated that it no longer needs
         # to execute conntrackd actions on transition. This is only required
@@ -123,7 +124,7 @@ def apply(conntrack):
         if process_named_running('conntrackd'):
             resync_vrrp()
 
-        call('systemctl stop conntrackd.service')
+        call(f'systemctl stop {systemd_service}')
         return None
 
     # Failover mechanism daemon should be indicated that it needs to execute
@@ -132,7 +133,7 @@ def apply(conntrack):
     if not process_named_running('conntrackd'):
         resync_vrrp()
 
-    call('systemctl restart conntrackd.service')
+    call(f'systemctl reload-or-restart {systemd_service}')
     return None
 
 if __name__ == '__main__':
diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py
index 7e1dc5911..2110fd9e0 100755
--- a/src/conf_mode/container.py
+++ b/src/conf_mode/container.py
@@ -15,13 +15,13 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import os
-import json
 
 from ipaddress import ip_address
 from ipaddress import ip_network
 from time import sleep
 from json import dumps as json_write
 
+from vyos.base import Warning
 from vyos.config import Config
 from vyos.configdict import dict_merge
 from vyos.configdict import node_changed
@@ -110,15 +110,21 @@ def verify(container):
             if 'image' not in container_config:
                 raise ConfigError(f'Container image for "{name}" is mandatory!')
 
-            # verify container image exists locally
-            image = container_config['image']
-
             # Check if requested container image exists locally. If it does not
-            # exist locally - inform the user.
+            # exist locally - inform the user. This is required as there is a
+            # shared container image storage accross all VyOS images. A user can
+            # delete a container image from the system, boot into another version
+            # of VyOS and then it would fail to boot. This is to prevent any
+            # configuration error when container images are deleted from the
+            # global storage. A per image local storage would be a super waste
+            # of diskspace as there will be a full copy (up tu several GB/image)
+            # on upgrade. This is the "cheapest" and fastest solution in terms
+            # of image upgrade and deletion.
+            image = container_config['image']
             if run(f'podman image exists {image}') != 0:
-                raise ConfigError(f'Image "{image}" used in contianer "{name}" does not exist '\
-                                  f'locally.\nPlease use "add container image {image}" to add it '\
-                                  'to the system!')
+                Warning(f'Image "{image}" used in contianer "{name}" does not exist '\
+                        f'locally. Please use "add container image {image}" to add it '\
+                        f'to the system! Container "{name}" will not be started!')
 
             if 'network' in container_config:
                 if len(container_config['network']) > 1:
@@ -279,6 +285,11 @@ def apply(container):
         for name, container_config in container['name'].items():
             image = container_config['image']
 
+            if run(f'podman image exists {image}') != 0:
+                # container image does not exist locally - user already got
+                # informed by a WARNING in verfiy() - bail out early
+                continue
+
             if 'disable' in container_config:
                 # check if there is a container by that name running
                 tmp = _cmd('podman ps -a --format "{{.Names}}"')
diff --git a/src/conf_mode/high-availability.py b/src/conf_mode/high-availability.py
index f939f9469..e14050dd3 100755
--- a/src/conf_mode/high-availability.py
+++ b/src/conf_mode/high-availability.py
@@ -28,7 +28,6 @@ from vyos.template import render
 from vyos.template import is_ipv4
 from vyos.template import is_ipv6
 from vyos.util import call
-from vyos.util import is_systemd_service_running
 from vyos.xml import defaults
 from vyos import ConfigError
 from vyos import airbag
@@ -161,12 +160,7 @@ def apply(ha):
         call(f'systemctl stop {service_name}')
         return None
 
-    # XXX: T3944 - reload keepalived configuration if service is already running
-    # to not cause any service disruption when applying changes.
-    if is_systemd_service_running(service_name):
-        call(f'systemctl reload {service_name}')
-    else:
-        call(f'systemctl restart {service_name}')
+    call(f'systemctl reload-or-restart {service_name}')
     return None
 
 if __name__ == '__main__':
diff --git a/src/conf_mode/protocols_nhrp.py b/src/conf_mode/protocols_nhrp.py
index 92b335085..b6371d09f 100755
--- a/src/conf_mode/protocols_nhrp.py
+++ b/src/conf_mode/protocols_nhrp.py
@@ -104,7 +104,7 @@ def apply(nhrp):
         if rule_handle:
             remove_nftables_rule('ip filter', 'VYOS_FW_OUTPUT', rule_handle)
 
-    action = 'reload-or-restart' if nhrp and 'tunnel' in nhrp else 'stop'
+    action = 'restart' if nhrp and 'tunnel' in nhrp else 'stop'
     run(f'systemctl {action} opennhrp')
     return None
 
diff --git a/src/etc/dhcp/dhclient-enter-hooks.d/03-vyos-ipwrapper b/src/etc/dhcp/dhclient-enter-hooks.d/03-vyos-ipwrapper
index 74a7e83bf..5d879471d 100644
--- a/src/etc/dhcp/dhclient-enter-hooks.d/03-vyos-ipwrapper
+++ b/src/etc/dhcp/dhclient-enter-hooks.d/03-vyos-ipwrapper
@@ -26,7 +26,7 @@ function iptovtysh () {
     local VTYSH_GATEWAY=""
     local VTYSH_DEV=""
     local VTYSH_TAG="210"
-    local VTYSH_DISTANCE=""
+    local VTYSH_DISTANCE=$IF_METRIC
     # convert default route to 0.0.0.0/0
     if [ "$4" == "default" ] ; then
         VTYSH_NETADDR="0.0.0.0/0"