-rw-r--r--.github/workflows/package-smoketest.yml2
-rw-r--r--data/config-mode-dependencies/vyos-1x.json4
-rw-r--r--data/templates/aws/override_aws_gwlbtun.conf.j24
-rw-r--r--data/templates/conntrack/sysctl.conf.j23
-rw-r--r--data/templates/conntrack/vyos_nf_conntrack.conf.j22
-rwxr-xr-xdata/templates/firewall/nftables.j24
-rw-r--r--data/templates/frr/ospfd.frr.j22
-rw-r--r--data/templates/frr/zebra.route-map.frr.j26
-rw-r--r--data/templates/https/nginx.default.j22
-rw-r--r--data/templates/login/authorized_keys.j21
-rw-r--r--data/templates/login/authorized_principals.j24
-rw-r--r--data/templates/ssh/sshd_config.j216
-rw-r--r--debian/vyos-1x.links2
-rw-r--r--interface-definitions/include/firewall/global-options.xml.i2
-rw-r--r--interface-definitions/include/version/conntrack-version.xml.i2
-rw-r--r--interface-definitions/service_ssh.xml.in16
-rw-r--r--interface-definitions/system_conntrack.xml.in6
-rw-r--r--interface-definitions/system_ip.xml.in16
-rw-r--r--interface-definitions/system_login.xml.in9
m---------libvyosconfig0
-rw-r--r--op-mode-definitions/clear-interfaces.xml.in93
-rw-r--r--op-mode-definitions/clear-log.xml.in2
-rw-r--r--op-mode-definitions/connect.xml.in2
-rw-r--r--op-mode-definitions/conntrack-sync.xml.in22
-rw-r--r--op-mode-definitions/container.xml.in32
-rw-r--r--op-mode-definitions/crypt.xml.in6
-rw-r--r--op-mode-definitions/date.xml.in2
-rw-r--r--op-mode-definitions/dhcp.xml.in18
-rw-r--r--op-mode-definitions/disconnect.xml.in2
-rw-r--r--op-mode-definitions/disks.xml.in4
-rw-r--r--op-mode-definitions/dns-dynamic.xml.in8
-rw-r--r--op-mode-definitions/dns-forwarding.xml.in8
-rw-r--r--op-mode-definitions/execute-shell.xml.in4
-rw-r--r--op-mode-definitions/file.xml.in10
-rwxr-xr-xop-mode-definitions/firewall.xml.in146
-rw-r--r--op-mode-definitions/flow-accounting-op.xml.in2
-rw-r--r--op-mode-definitions/force-arp.xml.in10
-rw-r--r--op-mode-definitions/force-root-partition-auto-resize.xml.in2
-rw-r--r--op-mode-definitions/generate-ipsec-debug-archive.xml.in2
-rw-r--r--op-mode-definitions/generate-ipsec-profile.xml.in10
-rw-r--r--op-mode-definitions/generate-openconnect-user-key.xml.in10
-rw-r--r--op-mode-definitions/generate-openvpn-config-client.xml.in4
-rw-r--r--op-mode-definitions/generate-ssh-server-key.xml.in2
-rw-r--r--op-mode-definitions/generate-system-login-user.xml.in14
-rw-r--r--op-mode-definitions/generate-wireguard.xml.in6
-rw-r--r--op-mode-definitions/generate_tech-support_archive.xml.in8
-rw-r--r--op-mode-definitions/geoip.xml.in2
-rw-r--r--op-mode-definitions/igmp-proxy.xml.in2
-rw-r--r--op-mode-definitions/include/bgp/advertised-routes.xml.i12
-rw-r--r--op-mode-definitions/include/bgp/afi-ipv4-ipv6-common.xml.i63
-rw-r--r--op-mode-definitions/include/bgp/dampened-routes.xml.i8
-rw-r--r--op-mode-definitions/include/bgp/filtered-routes.xml.i8
-rw-r--r--op-mode-definitions/include/bgp/flap-statistics.xml.i8
-rw-r--r--op-mode-definitions/include/bgp/prefix-counts.xml.i8
-rw-r--r--op-mode-definitions/include/bgp/received-routes.xml.i12
-rw-r--r--op-mode-definitions/include/bgp/received.xml.i16
-rw-r--r--op-mode-definitions/include/bgp/routes.xml.i8
-rw-r--r--op-mode-definitions/include/bgp/show-bgp-common.xml.i14
-rw-r--r--op-mode-definitions/include/bgp/show-ip-bgp-common.xml.i38
-rw-r--r--op-mode-definitions/include/vtysh-generic-detail-wide.xml.i11
-rw-r--r--op-mode-definitions/install-mok.xml.in2
-rw-r--r--op-mode-definitions/ipv4-route.xml.in10
-rw-r--r--op-mode-definitions/ipv6-route.xml.in8
-rw-r--r--op-mode-definitions/load-balancing_haproxy.xml.in4
-rw-r--r--op-mode-definitions/load-balancing_wan.xml.in4
-rw-r--r--op-mode-definitions/mdns-reflector.xml.in2
-rw-r--r--op-mode-definitions/monitor-bridge.xml.in8
-rw-r--r--op-mode-definitions/monitor-log.xml.in2
-rw-r--r--op-mode-definitions/monitor-ndp.xml.in8
-rw-r--r--op-mode-definitions/nat.xml.in22
-rw-r--r--op-mode-definitions/nat66.xml.in16
-rw-r--r--op-mode-definitions/ntp.xml.in12
-rw-r--r--op-mode-definitions/openconnect.xml.in2
-rw-r--r--op-mode-definitions/openvpn.xml.in16
-rw-r--r--op-mode-definitions/pki.xml.in56
-rw-r--r--op-mode-definitions/policy-route.xml.in12
-rw-r--r--op-mode-definitions/poweroff.xml.in12
-rw-r--r--op-mode-definitions/raid.xml.in8
-rw-r--r--op-mode-definitions/reboot.xml.in12
-rw-r--r--op-mode-definitions/reset-connection.xml.in18
-rw-r--r--op-mode-definitions/reset-conntrack.xml.in2
-rw-r--r--op-mode-definitions/reset-session.xml.in2
-rw-r--r--op-mode-definitions/reset-vpn.xml.in18
-rw-r--r--op-mode-definitions/reset-wireguard.xml.in4
-rw-r--r--op-mode-definitions/restart-frr.xml.in28
-rw-r--r--op-mode-definitions/restart-ntp.xml.in2
-rw-r--r--op-mode-definitions/restart-router-advert.xml.in2
-rw-r--r--op-mode-definitions/restart-serial.xml.in4
-rw-r--r--op-mode-definitions/restart-snmp.xml.in2
-rw-r--r--op-mode-definitions/restart-ssh.xml.in2
-rw-r--r--op-mode-definitions/sflow.xml.in3
-rw-r--r--op-mode-definitions/show-acceleration.xml.in10
-rw-r--r--op-mode-definitions/show-conntrack.xml.in6
-rw-r--r--op-mode-definitions/show-environment.xml.in2
-rw-r--r--op-mode-definitions/show-hardware.xml.in6
-rw-r--r--op-mode-definitions/show-interfaces-bonding.xml.in8
-rw-r--r--op-mode-definitions/show-interfaces-pppoe.xml.in2
-rw-r--r--op-mode-definitions/show-interfaces-sstpc.xml.in2
-rw-r--r--op-mode-definitions/show-interfaces-wireguard.xml.in10
-rw-r--r--op-mode-definitions/show-interfaces-wireless.xml.in4
-rw-r--r--op-mode-definitions/show-interfaces-wwan.xml.in18
-rw-r--r--op-mode-definitions/show-ip-ports.xml.in2
-rw-r--r--op-mode-definitions/show-kernel-modules.xml.in2
-rwxr-xr-xop-mode-definitions/show-log.xml.in4
-rw-r--r--op-mode-definitions/show-login.xml.in6
-rw-r--r--op-mode-definitions/show-qos.xml.in14
-rw-r--r--op-mode-definitions/show-raid.xml.in2
-rw-r--r--op-mode-definitions/show-ssh.xml.in2
-rw-r--r--op-mode-definitions/show-system.xml.in14
-rw-r--r--op-mode-definitions/show-techsupport_report.xml.in2
-rw-r--r--op-mode-definitions/show-version.xml.in4
-rw-r--r--op-mode-definitions/suricata.xml.in4
-rw-r--r--op-mode-definitions/system-image.xml.in32
-rw-r--r--op-mode-definitions/terminal.xml.in2
-rw-r--r--op-mode-definitions/vpn-ipsec.xml.in56
-rw-r--r--op-mode-definitions/vrrp.xml.in12
-rw-r--r--op-mode-definitions/wake-on-lan.xml.in2
-rw-r--r--op-mode-definitions/webproxy.xml.in12
-rw-r--r--python/vyos/config_mgmt.py12
-rw-r--r--python/vyos/configsession.py33
-rw-r--r--python/vyos/configverify.py19
-rw-r--r--python/vyos/defaults.py14
-rwxr-xr-xpython/vyos/template.py20
-rw-r--r--python/vyos/utils/commit.py27
-rw-r--r--python/vyos/utils/file.py21
-rw-r--r--python/vyos/vyconf_session.py7
-rw-r--r--smoketest/config-tests/conntrack-basic35
-rw-r--r--smoketest/configs/conntrack-basic92
-rw-r--r--smoketest/scripts/cli/base_vyostest_shim.py6
-rwxr-xr-xsmoketest/scripts/cli/test_firewall.py4
-rwxr-xr-xsmoketest/scripts/cli/test_interfaces_openvpn.py5
-rwxr-xr-xsmoketest/scripts/cli/test_protocols_ospf.py18
-rwxr-xr-xsmoketest/scripts/cli/test_qos.py12
-rwxr-xr-xsmoketest/scripts/cli/test_service_ssh.py199
-rwxr-xr-xsmoketest/scripts/cli/test_system_conntrack.py13
-rwxr-xr-xsmoketest/scripts/cli/test_system_ip.py21
-rwxr-xr-xsmoketest/scripts/system/test_kernel_options.py18
-rwxr-xr-xsrc/conf_mode/container.py2
-rwxr-xr-xsrc/conf_mode/interfaces_bridge.py8
-rwxr-xr-xsrc/conf_mode/interfaces_wwan.py5
-rwxr-xr-xsrc/conf_mode/nat.py7
-rwxr-xr-xsrc/conf_mode/pki.py7
-rwxr-xr-xsrc/conf_mode/protocols_ospf.py13
-rwxr-xr-xsrc/conf_mode/service_ssh.py76
-rwxr-xr-xsrc/conf_mode/system_conntrack.py2
-rwxr-xr-xsrc/conf_mode/system_ip.py5
-rwxr-xr-xsrc/conf_mode/system_login.py40
-rwxr-xr-xsrc/conf_mode/vpn_openconnect.py325
-rw-r--r--src/etc/default/vyatta1
-rwxr-xr-xsrc/helpers/set_vyconf_backend.py4
-rwxr-xr-xsrc/helpers/vyconf_cli.py47
-rwxr-xr-xsrc/helpers/vyos-sudo.py33
-rw-r--r--src/migration-scripts/conntrack/5-to-630
-rwxr-xr-xsrc/op_mode/install_mok.sh7
-rwxr-xr-xsrc/op_mode/show_bonding_detail.sh7
-rwxr-xr-xsrc/op_mode/show_ppp_stats.sh5
-rwxr-xr-xsrc/op_mode/update_suricata.sh8
-rw-r--r--src/opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-op-run17
-rw-r--r--src/services/api/rest/models.py26
-rw-r--r--src/services/api/rest/routers.py111
-rw-r--r--src/tests/test_template.py5
161 files changed, 1762 insertions, 890 deletions
diff --git a/.github/workflows/package-smoketest.yml b/.github/workflows/package-smoketest.yml
index 5ed764217..8bdcc598d 100644
--- a/.github/workflows/package-smoketest.yml
+++ b/.github/workflows/package-smoketest.yml
@@ -49,7 +49,7 @@ jobs:
- name: Generate ISO version string
id: version
run: |
- echo "build_version=1.5-integration-$(date -u +%Y%m%d%H%M)" >> $GITHUB_OUTPUT
+ echo "build_version=$(date -u +%Y.%m.%d-%H%M-integration)" >> $GITHUB_OUTPUT
- name: Build custom ISO image
shell: bash
run: |
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json
index 7506a0908..ccfc022f4 100644
--- a/data/config-mode-dependencies/vyos-1x.json
+++ b/data/config-mode-dependencies/vyos-1x.json
@@ -34,6 +34,7 @@
"ipsec": ["vpn_ipsec"],
"openconnect": ["vpn_openconnect"],
"rpki": ["protocols_rpki"],
+ "ssh": ["service_ssh"],
"sstp": ["vpn_sstp"],
"sstpc": ["interfaces_sstpc"],
"stunnel": ["service_stunnel"]
@@ -73,6 +74,9 @@
"system_ipv6": {
"sysctl": ["system_sysctl"]
},
+ "system_login": {
+ "ssh": ["service_ssh"]
+ },
"system_option": {
"ip_ipv6": ["system_ip", "system_ipv6"],
"sysctl": ["system_sysctl"]
diff --git a/data/templates/aws/override_aws_gwlbtun.conf.j2 b/data/templates/aws/override_aws_gwlbtun.conf.j2
index 4c566d852..e7e60dc95 100644
--- a/data/templates/aws/override_aws_gwlbtun.conf.j2
+++ b/data/templates/aws/override_aws_gwlbtun.conf.j2
@@ -30,7 +30,7 @@ After=vyos-router.service
[Service]
EnvironmentFile=
-ExecStart=/usr/bin/gwlbtun {{ args | join(' ') }}
-CapabilityBoundingSet=CAP_NET_ADMIN
+ExecStart=/usr/sbin/gwlbtun {{ args | join(' ') }}
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
Restart=always
RestartSec=10
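Review bot: The new CapabilityBoundingSet line widens the unit's bounding set with CAP_NET_RAW but carries no comment saying what gwlbtun needs raw or packet sockets for, so the next person tightening this unit has nothing to check against. A one-line comment above it, `# CAP_NET_RAW: needed by gwlbtun for <reason — confirm against the daemon>`, records the requirement. The ExecStart path move to /usr/sbin presumably follows a packaging change that is not visible here.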
diff --git a/data/templates/conntrack/sysctl.conf.j2 b/data/templates/conntrack/sysctl.conf.j2
index cd6c34ede..8d934db9c 100644
--- a/data/templates/conntrack/sysctl.conf.j2
+++ b/data/templates/conntrack/sysctl.conf.j2
@@ -1,10 +1,11 @@
# Autogenerated by system_conntrack.py
{# all values have defaults - thus no checking required #}
+net.netfilter.nf_conntrack_buckets = {{ hash_size }}
net.netfilter.nf_conntrack_expect_max = {{ expect_table_size }}
net.netfilter.nf_conntrack_max = {{ table_size }}
net.ipv4.tcp_max_syn_backlog = {{ tcp.half_open_connections }}
net.netfilter.nf_conntrack_tcp_loose = {{ '1' if tcp.loose is vyos_defined('enable') else '0' }}
net.netfilter.nf_conntrack_tcp_max_retrans = {{ tcp.max_retrans }}
net.netfilter.nf_conntrack_acct = {{ '1' if flow_accounting is vyos_defined else '0' }}
-net.netfilter.nf_conntrack_timestamp = {{ '1' if log.timestamp is vyos_defined else '0' }} \ No newline at end of file
+net.netfilter.nf_conntrack_timestamp = {{ '1' if log.timestamp is vyos_defined else '0' }}
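Review bot: The new `net.netfilter.nf_conntrack_buckets` line replaces the module-option file deleted in this commit, so the hash size is now applied as a runtime resize through sysctl after nf_conntrack is already loaded with its built-in default, rather than at module load. The surrounding comment says no checking is required because all values have defaults, which no longer covers the failure mode of a sysctl write being rejected for this key; it would be worth confirming that system_conntrack.py surfaces a failed write rather than leaving the default bucket count in place silently. A template comment such as `{# nf_conntrack_buckets is applied at runtime via sysctl; the modprobe hashsize option is no longer used #}` would record the change of mechanism.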
diff --git a/data/templates/conntrack/vyos_nf_conntrack.conf.j2 b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
deleted file mode 100644
index 1b12fec5f..000000000
--- a/data/templates/conntrack/vyos_nf_conntrack.conf.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-# Autogenerated by system_conntrack.py
-options nf_conntrack hashsize={{ hash_size }}
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index a78119a80..bf051bb57 100755
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -414,7 +414,11 @@ table bridge vyos_filter {
{% if 'invalid_connections' in global_options.apply_to_bridged_traffic %}
ct state invalid udp sport 67 udp dport 68 counter accept
ct state invalid ether type arp counter accept
+ ct state invalid ether type 8021q counter accept
+ ct state invalid ether type 8021ad counter accept
+ ct state invalid ether type 0x8863 counter accept
ct state invalid ether type 0x8864 counter accept
+ ct state invalid ether type 0x0842 counter accept
{% endif %}
{% endif %}
{% if global_options.state_policy is vyos_defined %}
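Review bot: The new `ether type 8021q` and `ether type 8021ad` accept rules match every VLAN-tagged frame, not just the ARP/DHCP/PPPoE/WoL traffic named in the option's help text, so tagged IPv4/IPv6 frames in conntrack state invalid are now also accepted by the bridge filter. If the intent is to let the named protocols through when they arrive inside a VLAN, matching the encapsulated type is narrower, e.g. `ct state invalid ether type vlan vlan type arp counter accept` (nft's vlan header expression; confirm against the nftables version shipped). A template comment naming what 0x8863, 0x8864 and 0x0842 are (PPPoE discovery, PPPoE session, Wake-on-LAN) would also help readers; the enclosing chain starts outside the hunk.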
diff --git a/data/templates/frr/ospfd.frr.j2 b/data/templates/frr/ospfd.frr.j2
index bc2c74b10..79824fb64 100644
--- a/data/templates/frr/ospfd.frr.j2
+++ b/data/templates/frr/ospfd.frr.j2
@@ -82,7 +82,7 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
{% for area_id, area_config in area.items() %}
{% if area_config.area_type is vyos_defined %}
{% for type, type_config in area_config.area_type.items() if type != 'normal' %}
- area {{ area_id }} {{ type }} {{ 'no-summary' if type_config.no_summary is vyos_defined }}
+ area {{ area_id }} {{ type }} {{ 'translate-' + type_config.translate if type_config.translate is vyos_defined }} {{ 'no-summary' if type_config.no_summary is vyos_defined }}
{% if type_config.default_cost is vyos_defined %}
area {{ area_id }} default-cost {{ type_config.default_cost }}
{% endif %}
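Review bot: The new `area` line builds the translate keyword with `'translate-' + type_config.translate` while the rest of this template concatenates with `~` (see `'vrf ' ~ vrf` in the hunk header); `~` also stringifies non-string operands, so `'translate-' ~ type_config.translate` keeps the file consistent and cannot raise if the value is ever not a str. Note the line now renders extra spaces between `{{ type }}` and the remaining tokens whenever translate is unset, which FRR tolerates but which will show up in any smoketest comparing generated output.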
diff --git a/data/templates/frr/zebra.route-map.frr.j2 b/data/templates/frr/zebra.route-map.frr.j2
index 70a810f43..0d6d01930 100644
--- a/data/templates/frr/zebra.route-map.frr.j2
+++ b/data/templates/frr/zebra.route-map.frr.j2
@@ -1,6 +1,12 @@
!
{{ 'no ' if disable_forwarding is vyos_defined }}{{ afi }} forwarding
!
+{% if import_table is vyos_defined %}
+{% for table_num, table_config in import_table.items() %}
+ip import-table {{ table_num }} {{ 'distance ' ~ table_config.distance if table_config.distance is vyos_defined }} {{ 'route-map ' ~ table_config.route_map if table_config.route_map is vyos_defined }}
+{% endfor %}
+{% endif %}
+!
{% if nht.no_resolve_via_default is vyos_defined %}
no {{ afi }} nht resolve-via-default
{% endif %}
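Review bot: The new `ip import-table` block is keyed on `import_table` alone while every other line in this template is parameterised by `{{ afi }}`; if the IPv6 conf-mode script ever renders this template with a dict that carries `import_table`, an IPv4-only command would be emitted in the IPv6 pass. Guarding with `{% if import_table is vyos_defined and afi == 'ip' %}`, or a comment stating that only system_ip.py supplies this key, makes the assumption explicit; the callers are not visible here.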
diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2
index 692ccbff7..47280c9f0 100644
--- a/data/templates/https/nginx.default.j2
+++ b/data/templates/https/nginx.default.j2
@@ -48,7 +48,7 @@ server {
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
# proxy settings for HTTP API, if enabled; 503, if not
- location ~ ^/(retrieve|configure|config-file|image|import-pki|container-image|generate|show|reboot|reset|poweroff|traceroute|info|docs|openapi.json|redoc|graphql) {
+ location ~ ^/(retrieve|configure|config-file|image|import-pki|container-image|generate|show|reboot|reset|poweroff|traceroute|info|docs|openapi.json|redoc|graphql|renew) {
{% if api is vyos_defined %}
proxy_pass http://unix:/run/api.sock;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
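Review bot: `renew` is appended to an alternation that is anchored only at the start, so the location also captures any path beginning with `/renew`, as the existing entries already do for their prefixes. If the new endpoint is a single route, scoping just that token, e.g. `...|graphql|renew(/|$))`, keeps unrelated paths on the 503 fallback without touching the existing entries; if prefix matching is intended, a comment on the location line saying so would stop the next reviewer asking. The rest of the server block is outside the hunk.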
diff --git a/data/templates/login/authorized_keys.j2 b/data/templates/login/authorized_keys.j2
index 695b66abe..5b15f066a 100644
--- a/data/templates/login/authorized_keys.j2
+++ b/data/templates/login/authorized_keys.j2
@@ -1,5 +1,4 @@
### Automatically generated by system_login.py ###
-
{% if authentication.public_keys is vyos_defined %}
{% for key, key_options in authentication.public_keys.items() %}
{# The whitespace after options is wisely chosen #}
diff --git a/data/templates/login/authorized_principals.j2 b/data/templates/login/authorized_principals.j2
new file mode 100644
index 000000000..16525e808
--- /dev/null
+++ b/data/templates/login/authorized_principals.j2
@@ -0,0 +1,4 @@
+### Automatically generated by system_login.py ###
+{% if authentication.principal is vyos_defined %}
+{{ '\n'.join(authentication.principal) }}
+{% endif %}
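Review bot: The new template writes each `authentication.principal` value verbatim into authorized_principals, a format in which a line may also carry options such as `command=` or `from=` before the principal name; the only thing preventing a configured value from injecting such options is the login-username constraint placed on the `principal` node elsewhere in this commit. A comment in the template, `{# values are constrained to username syntax in system_login.xml.in, so they cannot carry authorized_principals options #}`, ties the two together so that a later relaxation of the constraint is caught in review. Presumably `authentication.principal` is always a list here because the node is `<multi/>`; if a plain string could reach the template, `'\n'.join` would split it into characters.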
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index 7e44efae8..1315bf2cb 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -111,6 +111,18 @@ ClientAliveInterval {{ client_keepalive_interval }}
RekeyLimit {{ rekey.data }}M {{ rekey.time + 'M' if rekey.time is vyos_defined }}
{% endif %}
-{% if trusted_user_ca_key is vyos_defined %}
-TrustedUserCAKeys /etc/ssh/trusted_user_ca_key
+{% if trusted_user_ca is vyos_defined %}
+# Specifies a file containing public keys of certificate authorities that are
+# trusted to sign user certificates for authentication
+TrustedUserCAKeys {{ get_default_config_file('sshd_user_ca') }}
+
+# The default is "none", i.e. not to use a principals file - in this case, the
+# username of the user must appear in a certificate's principals list for it
+# to be accepted. ".ssh/authorized_principals" means a per-user configuration,
+# relative to $HOME.
+{% set filename = 'none' %}
+{% if has_principals is vyos_defined %}
+{% set filename = '.ssh/authorized_principals' %}
+{% endif %}
+AuthorizedPrincipalsFile {{ filename }}
{% endif %}
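Review bot: Setting `AuthorizedPrincipalsFile .ssh/authorized_principals` whenever any user has a principal changes certificate login for every other user: once a principals file is configured, sshd no longer accepts the username as an implicit principal (the behaviour the new comment describes for `none`), so a user without a generated file can no longer log in with a certificate that only names their username, as far as I can tell from sshd_config(5); confirm. Either generate a principals file containing the username for every user when `has_principals` is set, or extend the comment to state this consequence. A $HOME-relative path also lets the account owner edit the list themselves, so an admin-owned location such as `/etc/ssh/authorized_principals/%u` keeps principal grants under configuration control unless sshd's ownership checks on the file are deliberately relied upon here.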
diff --git a/debian/vyos-1x.links b/debian/vyos-1x.links
index 402c91306..aef22555c 100644
--- a/debian/vyos-1x.links
+++ b/debian/vyos-1x.links
@@ -1,2 +1,4 @@
/etc/netplug/linkup.d/vyos-python-helper /etc/netplug/linkdown.d/vyos-python-helper
/usr/libexec/vyos/system/standalone_root_pw_reset /opt/vyatta/sbin/standalone_root_pw_reset
+/usr/libexec/vyos/vyconf_cli.py /usr/libexec/vyos/vyconf/bin/vy_commit
+/usr/libexec/vyos/vyconf_cli.py /usr/libexec/vyos/vyconf/bin/vy_in_session
diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i
index 7393ff5c9..794da4f9d 100644
--- a/interface-definitions/include/firewall/global-options.xml.i
+++ b/interface-definitions/include/firewall/global-options.xml.i
@@ -51,7 +51,7 @@
<children>
<leafNode name="invalid-connections">
<properties>
- <help>Accept ARP, DHCP and PPPoE despite they are marked as invalid connection</help>
+ <help>Accept ARP, 802.1q, 802.1ad, DHCP, PPPoE and WoL despite being marked as invalid connections</help>
<valueless/>
</properties>
</leafNode>
diff --git a/interface-definitions/include/version/conntrack-version.xml.i b/interface-definitions/include/version/conntrack-version.xml.i
index 6995ce119..517424034 100644
--- a/interface-definitions/include/version/conntrack-version.xml.i
+++ b/interface-definitions/include/version/conntrack-version.xml.i
@@ -1,3 +1,3 @@
<!-- include start from include/version/conntrack-version.xml.i -->
-<syntaxVersion component='conntrack' version='5'></syntaxVersion>
+<syntaxVersion component='conntrack' version='6'></syntaxVersion>
<!-- include end -->
diff --git a/interface-definitions/service_ssh.xml.in b/interface-definitions/service_ssh.xml.in
index 14d358c78..c659a7db7 100644
--- a/interface-definitions/service_ssh.xml.in
+++ b/interface-definitions/service_ssh.xml.in
@@ -275,14 +275,18 @@
</constraint>
</properties>
</leafNode>
- <node name="trusted-user-ca-key">
+ <leafNode name="trusted-user-ca">
<properties>
- <help>Trusted user CA key</help>
+ <help>OpenSSH trusted user CA</help>
+ <completionHelp>
+ <path>pki openssh</path>
+ </completionHelp>
+ <valueHelp>
+ <format>txt</format>
+ <description>OpenSSH certificate name from PKI subsystem</description>
+ </valueHelp>
</properties>
- <children>
- #include <include/pki/ca-certificate.xml.i>
- </children>
- </node>
+ </leafNode>
#include <include/vrf-multi.xml.i>
</children>
</node>
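Review bot: The new `trusted-user-ca` leafNode has completion help pointing at `pki openssh` but no `<constraint>`, so any string is accepted at set time and the existence of the referenced key is checked only if service_ssh.py's verify() does it (that script is changed in this commit but not visible here). Other PKI-referencing leaf nodes carry a name constraint; reusing the same include, or at least a `<constraint>` with the validator used for PKI names, would reject typos at set time rather than at commit. The old `trusted-user-ca-key` node is removed without an ssh migration script in the diffstat, so unless that node never shipped in a release, existing configs using it will fail to load.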
diff --git a/interface-definitions/system_conntrack.xml.in b/interface-definitions/system_conntrack.xml.in
index 54610b625..92c4d24cf 100644
--- a/interface-definitions/system_conntrack.xml.in
+++ b/interface-definitions/system_conntrack.xml.in
@@ -32,14 +32,14 @@
<properties>
<help>Hash size for connection tracking table</help>
<valueHelp>
- <format>u32:1-50000000</format>
+ <format>u32:1024-50000000</format>
<description>Size of hash to use for connection tracking table</description>
</valueHelp>
<constraint>
- <validator name="numeric" argument="--range 1-50000000"/>
+ <validator name="numeric" argument="--range 1024-50000000"/>
</constraint>
</properties>
- <defaultValue>32768</defaultValue>
+ <defaultValue>65536</defaultValue>
</leafNode>
<node name="ignore">
<properties>
diff --git a/interface-definitions/system_ip.xml.in b/interface-definitions/system_ip.xml.in
index b4b5092fe..f2bb5bd8a 100644
--- a/interface-definitions/system_ip.xml.in
+++ b/interface-definitions/system_ip.xml.in
@@ -17,6 +17,22 @@
#include <include/arp-ndp-table-size.xml.i>
</children>
</node>
+ <tagNode name="import-table">
+ <properties>
+ <help>Routing table for import</help>
+ <valueHelp>
+ <format>u32:1-252</format>
+ <description>Table number</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-252"/>
+ </constraint>
+ </properties>
+ <children>
+ #include <include/static/static-route-distance.xml.i>
+ #include <include/route-map.xml.i>
+ </children>
+ </tagNode>
<leafNode name="disable-forwarding">
<properties>
<help>Disable IPv4 forwarding on all interfaces</help>
diff --git a/interface-definitions/system_login.xml.in b/interface-definitions/system_login.xml.in
index 9865e3d32..a13ba10ea 100644
--- a/interface-definitions/system_login.xml.in
+++ b/interface-definitions/system_login.xml.in
@@ -103,6 +103,15 @@
<help>Plaintext password used for encryption</help>
</properties>
</leafNode>
+ <leafNode name="principal">
+ <properties>
+ <help>Accepted principal names for certificate authentication</help>
+ <constraint>
+ #include <include/constraint/login-username.xml.i>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
<tagNode name="public-keys">
<properties>
<help>Remote access public keys</help>
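Review bot: The new `principal` node reuses the login-username constraint, which is a sound guard against a value carrying authorized_principals options, but it likely also rejects principal names with characters outside username syntax (e-mail style principals are common with OpenSSH CAs), and nothing on the node says the restriction is deliberate. An XML comment such as `<!-- username syntax is enforced so values can be written verbatim into authorized_principals -->` records the reason; if broader principal names are wanted later, the template that writes the file must then reject whitespace and option syntax itself. The enclosing `authentication` node starts outside the hunk.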
diff --git a/libvyosconfig b/libvyosconfig
-Subproject 3e295c0c0256746f0811a9cb90d2489fd76a465
+Subproject f632edbc947fbcda1916ababacc5f2659cf6cfb
diff --git a/op-mode-definitions/clear-interfaces.xml.in b/op-mode-definitions/clear-interfaces.xml.in
index de2c3443e..31348808a 100644
--- a/op-mode-definitions/clear-interfaces.xml.in
+++ b/op-mode-definitions/clear-interfaces.xml.in
@@ -14,19 +14,8 @@
<properties>
<help>Clear interface counters for all interfaces</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters</command>
</node>
- <tagNode name="connection">
- <properties>
- <help>Bring connection-oriented network interface down and up</help>
- <completionHelp>
- <path>interfaces pppoe</path>
- <path>interfaces sstpc</path>
- <path>interfaces wwan</path>
- </completionHelp>
- </properties>
- <command>sudo ${vyos_op_scripts_dir}/connect_disconnect.py --connect --disconnect --interface "$3"</command>
- </tagNode>
<node name="bonding">
<properties>
<help>Clear Bonding interface information</help>
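Review bot: Every `<command>` in this hunk, and in all remaining hunks of clear-interfaces.xml.in, drops the leading `sudo`, which only works if the op-mode runner now elevates `interfaces.py clear_counters` itself; the diffstat lists changes to src/helpers/vyos-sudo.py and vyatta-op-run that presumably do this, but they are not visible here. If clear_counters still needs root for any interface type, operators outside that path get a permission error instead of cleared counters, so a smoketest running one of these commands as a non-admin operator would catch the regression. The `connection` tagNode removed here appears to move to reset-connection.xml.in per the diffstat; confirm its completion paths were carried over.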
@@ -36,7 +25,7 @@
<properties>
<help>Clear all bonding interface counters</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
</node>
</children>
</node>
@@ -52,7 +41,7 @@
<properties>
<help>Clear interface counters for a given bonding interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
</leafNode>
</children>
</tagNode>
@@ -65,7 +54,7 @@
<properties>
<help>Clear all bridge interface counters</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
</node>
</children>
</node>
@@ -81,7 +70,7 @@
<properties>
<help>Clear interface counters for a given bridge interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
</leafNode>
</children>
</tagNode>
@@ -94,7 +83,7 @@
<properties>
<help>Clear all dummy interface counters</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
</node>
</children>
</node>
@@ -110,7 +99,7 @@
<properties>
<help>Clear interface counters for a given dummy interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
</leafNode>
</children>
</tagNode>
@@ -123,7 +112,7 @@
<properties>
<help>Clear all ethernet interface counters</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
</node>
</children>
</node>
@@ -139,7 +128,7 @@
<properties>
<help>Clear interface counters for a given ethernet interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
</leafNode>
</children>
</tagNode>
@@ -152,7 +141,7 @@
<properties>
<help>Clear all GENEVE interface counters</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
</node>
</children>
</node>
@@ -168,7 +157,7 @@
<properties>
<help>Clear interface counters for a given GENEVE interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
</leafNode>
</children>
</tagNode>
@@ -181,7 +170,7 @@
<properties>
<help>Clear all Input interface counters</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
</node>
</children>
</node>
@@ -197,7 +186,7 @@
<properties>
<help>Clear interface counters for a given Input interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
</leafNode>
</children>
</tagNode>
@@ -210,7 +199,7 @@
<properties>
<help>Clear all L2TPv3 interface counters</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
</node>
</children>
</node>
@@ -226,7 +215,7 @@
<properties>
<help>Clear interface counters for a given L2TPv3 interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
</leafNode>
</children>
</tagNode>
@@ -239,7 +228,7 @@
<properties>
<help>Clear all loopback interface counters</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
</node>
</children>
</node>
@@ -255,7 +244,7 @@
<properties>
<help>Clear interface counters for a given loopback interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
</leafNode>
</children>
</tagNode>
@@ -268,7 +257,7 @@
<properties>
<help>Clear all MACsec interface counters</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
</node>
</children>
</node>
@@ -284,7 +273,7 @@
<properties>
<help>Clear interface counters for a given MACsec interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
</leafNode>
</children>
</tagNode>
@@ -297,7 +286,7 @@
<properties>
<help>Clear all OpenVPN interface counters</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
</node>
</children>
</node>
@@ -313,7 +302,7 @@
<properties>
<help>Clear interface counters for a given OpenVPN interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
</leafNode>
</children>
</tagNode>
@@ -326,7 +315,7 @@
<properties>
<help>Clear all PPPoE interface counters</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
</node>
</children>
</node>
@@ -342,7 +331,7 @@
<properties>
<help>Clear interface counters for a given PPPoE interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
</leafNode>
</children>
</tagNode>
@@ -355,7 +344,7 @@
<properties>
<help>Clear all Pseudo-Ethernet interface counters</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
</node>
</children>
</node>
@@ -371,7 +360,7 @@
<properties>
<help>Clear interface counters for a given Pseudo-Ethernet interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
</leafNode>
</children>
</tagNode>
@@ -384,7 +373,7 @@
<properties>
<help>Clear all SSTP interface counters</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
</node>
</children>
</node>
@@ -400,7 +389,7 @@
<properties>
<help>Clear interface counters for a given SSTP interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
</leafNode>
</children>
</tagNode>
@@ -413,7 +402,7 @@
<properties>
<help>Clear all tunnel interface counters</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
</node>
</children>
</node>
@@ -429,7 +418,7 @@
<properties>
<help>Clear interface counters for a given tunnel interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
</leafNode>
</children>
</tagNode>
@@ -442,7 +431,7 @@
<properties>
<help>Clear all virtual-ethernet interface counters</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
</node>
</children>
</node>
@@ -458,7 +447,7 @@
<properties>
<help>Clear interface counters for a given virtual-ethernet interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
</leafNode>
</children>
</tagNode>
@@ -471,7 +460,7 @@
<properties>
<help>Clear all VTI interface counters</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
</node>
</children>
</node>
@@ -487,7 +476,7 @@
<properties>
<help>Clear interface counters for a given VTI interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
</leafNode>
</children>
</tagNode>
@@ -500,7 +489,7 @@
<properties>
<help>Clear all VXLAN interface counters</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
</node>
</children>
</node>
@@ -516,7 +505,7 @@
<properties>
<help>Clear interface counters for a given VXLAN interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
</leafNode>
</children>
</tagNode>
@@ -529,7 +518,7 @@
<properties>
<help>Clear all Wireguard interface counters</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
</node>
</children>
</node>
@@ -545,7 +534,7 @@
<properties>
<help>Clear interface counters for a given Wireguard interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
</leafNode>
</children>
</tagNode>
@@ -558,7 +547,7 @@
<properties>
<help>Clear all wireless interface counters</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
</leafNode>
</children>
</node>
@@ -574,7 +563,7 @@
<properties>
<help>Clear counters for a given wireless interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
</leafNode>
</children>
</tagNode>
@@ -587,7 +576,7 @@
<properties>
<help>Clear all WWAN interface counters</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-type "$3"</command>
</leafNode>
</children>
</node>
@@ -603,7 +592,7 @@
<properties>
<help>Clear counters for a given WWAN interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py clear_counters --intf-name "$4"</command>
</leafNode>
</children>
</tagNode>
diff --git a/op-mode-definitions/clear-log.xml.in b/op-mode-definitions/clear-log.xml.in
index 1f4a1aacd..5457ce7d6 100644
--- a/op-mode-definitions/clear-log.xml.in
+++ b/op-mode-definitions/clear-log.xml.in
@@ -6,7 +6,7 @@
<properties>
<help>Clear contents of current master log file</help>
</properties>
- <command>sudo journalctl --rotate --vacuum-time=1s</command>
+ <command>journalctl --rotate --vacuum-time=1s</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/connect.xml.in b/op-mode-definitions/connect.xml.in
index 9027056a6..73bfb598a 100644
--- a/op-mode-definitions/connect.xml.in
+++ b/op-mode-definitions/connect.xml.in
@@ -24,7 +24,7 @@
<path>interfaces wwan</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/connect_disconnect.py --connect --interface "$3"</command>
+ <command>${vyos_op_scripts_dir}/connect_disconnect.py --connect --interface "$3"</command>
</tagNode>
</children>
</node>
diff --git a/op-mode-definitions/conntrack-sync.xml.in b/op-mode-definitions/conntrack-sync.xml.in
index a66331f27..d52939bed 100644
--- a/op-mode-definitions/conntrack-sync.xml.in
+++ b/op-mode-definitions/conntrack-sync.xml.in
@@ -11,13 +11,13 @@
<properties>
<help>Reset external cache and request resync with other systems</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/conntrack_sync.py reset_external_cache</command>
+ <command>${vyos_op_scripts_dir}/conntrack_sync.py reset_external_cache</command>
</leafNode>
<leafNode name="internal-cache">
<properties>
<help>Reset internal cache and request resync with other systems</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/conntrack_sync.py reset_internal_cache</command>
+ <command>${vyos_op_scripts_dir}/conntrack_sync.py reset_internal_cache</command>
</leafNode>
</children>
</node>
@@ -29,7 +29,7 @@
<properties>
<help>Restart the connection tracking synchronization service</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/conntrack_sync.py restart</command>
+ <command>${vyos_op_scripts_dir}/conntrack_sync.py restart</command>
</leafNode>
</children>
</node>
@@ -49,19 +49,19 @@
<properties>
<help>Show external connection tracking cache entries</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/conntrack_sync.py show_external_cache</command>
+ <command>${vyos_op_scripts_dir}/conntrack_sync.py show_external_cache</command>
<children>
<leafNode name="main">
<properties>
<help>Show external main connection tracking cache entries</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/conntrack_sync.py show_external_cache</command>
+ <command>${vyos_op_scripts_dir}/conntrack_sync.py show_external_cache</command>
</leafNode>
<leafNode name="expect">
<properties>
<help>Show external expect connection tracking cache entries</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/conntrack_sync.py show_external_expect</command>
+ <command>${vyos_op_scripts_dir}/conntrack_sync.py show_external_expect</command>
</leafNode>
</children>
</node>
@@ -69,19 +69,19 @@
<properties>
<help>Show internal connection tracking cache entries</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/conntrack_sync.py show_internal_cache</command>
+ <command>${vyos_op_scripts_dir}/conntrack_sync.py show_internal_cache</command>
<children>
<leafNode name="main">
<properties>
<help>Show internal main connection tracking cache entries</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/conntrack_sync.py show_internal_cache</command>
+ <command>${vyos_op_scripts_dir}/conntrack_sync.py show_internal_cache</command>
</leafNode>
<leafNode name="expect">
<properties>
<help>Show internal expect connection tracking cache entries</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/conntrack_sync.py show_internal_expect</command>
+ <command>${vyos_op_scripts_dir}/conntrack_sync.py show_internal_expect</command>
</leafNode>
</children>
</node>
@@ -91,13 +91,13 @@
<properties>
<help>Show connection syncing statistics</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/conntrack_sync.py show_statistics</command>
+ <command>${vyos_op_scripts_dir}/conntrack_sync.py show_statistics</command>
</leafNode>
<leafNode name="status">
<properties>
<help>Show conntrack-sync status</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/conntrack_sync.py show_status</command>
+ <command>${vyos_op_scripts_dir}/conntrack_sync.py show_status</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/container.xml.in b/op-mode-definitions/container.xml.in
index bb6f97b02..df28a792c 100644
--- a/op-mode-definitions/container.xml.in
+++ b/op-mode-definitions/container.xml.in
@@ -11,7 +11,7 @@
<properties>
<help>Pull a new image for container</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/container.py add_image --name "${4}"</command>
+ <command>${vyos_op_scripts_dir}/container.py add_image --name "${4}"</command>
</tagNode>
</children>
</node>
@@ -26,7 +26,7 @@
<path>container name</path>
</completionHelp>
</properties>
- <command>sudo podman exec --interactive --tty "$3" /bin/sh</command>
+ <command>podman exec --interactive --tty "$3" /bin/sh</command>
</tagNode>
</children>
</node>
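Review bot: `podman exec --interactive --tty "$3" /bin/sh` now carries no explicit `sudo`, and since rootful podman needs root this node presumably depends on the runner elevating it, which means the interactive shell it opens inside the container inherits that elevated context rather than the caller's. Unlike the show and log nodes later in this file, it has no `<!-- no admin check -->` marker, so confirm that admin gating still applies to this node after the change. The enclosing `<tagNode>` starts outside the hunk.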
@@ -42,10 +42,10 @@
<help>Delete container image</help>
<completionHelp>
<list>all</list>
- <script>sudo podman image ls -q</script>
+ <script>podman image ls -q</script>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/container.py delete_image --name "${4}"</command>
+ <command>${vyos_op_scripts_dir}/container.py delete_image --name "${4}"</command>
</tagNode>
</children>
</node>
@@ -70,7 +70,7 @@
<list>&lt;filename&gt;</list>
</completionHelp>
</properties>
- <command>sudo podman build --net host --layers --force-rm --tag "$4" $6</command>
+ <command>podman build --net host --layers --force-rm --tag "$4" $6</command>
</tagNode>
</children>
</tagNode>
@@ -89,7 +89,7 @@
<path>container name</path>
</completionHelp>
</properties>
- <command>sudo podman logs --follow --names "$4"</command>
+ <command>podman logs --follow --names "$4"</command>
</tagNode>
</children>
</node>
@@ -101,27 +101,27 @@
<properties>
<help>Show containers</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/container.py show_container</command>
+ <command>${vyos_op_scripts_dir}/container.py show_container</command>
<children>
<node name="json">
<properties>
<help>Show containers in JSON format</help>
</properties>
<!-- no admin check -->
- <command>sudo ${vyos_op_scripts_dir}/container.py show_container --raw</command>
+ <command>${vyos_op_scripts_dir}/container.py show_container --raw</command>
</node>
<node name="image">
<properties>
<help>Show container image</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/container.py show_image</command>
+ <command>${vyos_op_scripts_dir}/container.py show_image</command>
<children>
<node name="json">
<properties>
<help>Show container image in JSON format</help>
</properties>
<!-- no admin check -->
- <command>sudo ${vyos_op_scripts_dir}/container.py show_image --raw</command>
+ <command>${vyos_op_scripts_dir}/container.py show_image --raw</command>
</node>
</children>
</node>
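Review bot: The nodes marked `<!-- no admin check -->` (`show_container --raw` and `show_image --raw`) previously carried `sudo` too, so after its removal their privilege depends on whether the runner elevates non-admin nodes at all; if it does not, the rootful `podman` queries behind these scripts will fail for operator-level users, and if it does, the marker no longer distinguishes anything. The same question applies to the next hunk (`podman logs --names "$4"` and `show_network`). It would help to state in the commit message which of the two holds, or to drop the marker if it is now obsolete.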
@@ -133,21 +133,21 @@
</completionHelp>
</properties>
<!-- no admin check -->
- <command>sudo podman logs --names "$4"</command>
+ <command>podman logs --names "$4"</command>
</tagNode>
<node name="network">
<properties>
<help>Show available container networks</help>
</properties>
<!-- no admin check -->
- <command>sudo ${vyos_op_scripts_dir}/container.py show_network</command>
+ <command>${vyos_op_scripts_dir}/container.py show_network</command>
<children>
<node name="json">
<properties>
<help>Show available container networks in JSON format</help>
</properties>
<!-- no admin check -->
- <command>sudo ${vyos_op_scripts_dir}/container.py show_network --raw</command>
+ <command>${vyos_op_scripts_dir}/container.py show_network --raw</command>
</node>
</children>
</node>
@@ -162,7 +162,7 @@
<path>container name</path>
</completionHelp>
</properties>
- <command>sudo podman logs --names "$4"</command>
+ <command>podman logs --names "$4"</command>
</tagNode>
</children>
</node>
@@ -177,7 +177,7 @@
<path>container name</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/container.py restart --name="$3"</command>
+ <command>${vyos_op_scripts_dir}/container.py restart --name="$3"</command>
</tagNode>
</children>
</node>
@@ -198,7 +198,7 @@
<path>container name</path>
</completionHelp>
</properties>
- <command>if cli-shell-api existsActive container name "$4"; then sudo podman pull $(cli-shell-api returnActiveValue container name "$4" image); else echo "Container $4 does not exist"; fi</command>
+ <command>if cli-shell-api existsActive container name "$4"; then podman pull $(cli-shell-api returnActiveValue container name "$4" image); else echo "Container $4 does not exist"; fi</command>
</tagNode>
</children>
</node>
diff --git a/op-mode-definitions/crypt.xml.in b/op-mode-definitions/crypt.xml.in
index 105592a1a..5a17cca12 100644
--- a/op-mode-definitions/crypt.xml.in
+++ b/op-mode-definitions/crypt.xml.in
@@ -9,19 +9,19 @@
<properties>
<help>Disable config encryption using TPM or recovery key</help>
</properties>
- <command>sudo ${vyos_libexec_dir}/vyos-config-encrypt.py --disable</command>
+ <command>${vyos_libexec_dir}/vyos-config-encrypt.py --disable</command>
</node>
<node name="enable">
<properties>
<help>Enable config encryption using TPM</help>
</properties>
- <command>sudo ${vyos_libexec_dir}/vyos-config-encrypt.py --enable</command>
+ <command>${vyos_libexec_dir}/vyos-config-encrypt.py --enable</command>
</node>
<node name="load">
<properties>
<help>Load encrypted config volume using TPM or recovery key</help>
</properties>
- <command>sudo ${vyos_libexec_dir}/vyos-config-encrypt.py --load</command>
+ <command>${vyos_libexec_dir}/vyos-config-encrypt.py --load</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/date.xml.in b/op-mode-definitions/date.xml.in
index 4e62a8335..90bddd7f3 100644
--- a/op-mode-definitions/date.xml.in
+++ b/op-mode-definitions/date.xml.in
@@ -35,7 +35,7 @@
<list>&lt;MMDDhhmm&gt; &lt;MMDDhhmmYY&gt; &lt;MMDDhhmmCCYY&gt; &lt;MMDDhhmmCCYY.ss&gt;</list>
</completionHelp>
</properties>
- <command>sudo bash -c "/bin/date '$3' &amp;&amp; hwclock --systohc --localtime"</command>
+ <command>bash -c "/bin/date '$3' &amp;&amp; hwclock --systohc --localtime"</command>
</tagNode>
</children>
</node>
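Review bot: `$3` is still interpolated into the string handed to `bash -c`, so its value is parsed as shell syntax by the child shell rather than passed as data; if the runner now elevates this node in place of `sudo`, that quoting matters at least as much as before. Pass the value as a positional argument instead: `<command>bash -c '/bin/date "$1" &amp;&amp; hwclock --systohc --localtime' _ "$3"</command>`. The enclosing `<tagNode>` starts outside the hunk.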
diff --git a/op-mode-definitions/dhcp.xml.in b/op-mode-definitions/dhcp.xml.in
index 4ee66a90c..2da3bb5dc 100644
--- a/op-mode-definitions/dhcp.xml.in
+++ b/op-mode-definitions/dhcp.xml.in
@@ -171,7 +171,7 @@
<properties>
<help>Show DHCPv6 server leases</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/dhcp.py show_server_leases --family inet6</command>
+ <command>${vyos_op_scripts_dir}/dhcp.py show_server_leases --family inet6</command>
<children>
<tagNode name="pool">
<properties>
@@ -262,13 +262,13 @@
<properties>
<help>Restart DHCP server</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart.py restart_service --name dhcp</command>
+ <command>${vyos_op_scripts_dir}/restart.py restart_service --name dhcp</command>
</node>
<node name="relay-agent">
<properties>
<help>Restart DHCP relay-agent</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart_dhcp_relay.py --ipv4</command>
+ <command>${vyos_op_scripts_dir}/restart_dhcp_relay.py --ipv4</command>
</node>
</children>
</node>
@@ -281,13 +281,13 @@
<properties>
<help>Restart DHCPv6 server</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart.py restart_service --name dhcpv6</command>
+ <command>${vyos_op_scripts_dir}/restart.py restart_service --name dhcpv6</command>
</node>
<node name="relay-agent">
<properties>
<help>Restart DHCPv6 relay-agent</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart_dhcp_relay.py --ipv6</command>
+ <command>${vyos_op_scripts_dir}/restart_dhcp_relay.py --ipv6</command>
</node>
</children>
</node>
@@ -310,7 +310,7 @@
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/dhcp.py renew_client_lease --family inet --interface "$4"</command>
+ <command>${vyos_op_scripts_dir}/dhcp.py renew_client_lease --family inet --interface "$4"</command>
</tagNode>
</children>
</node>
@@ -326,7 +326,7 @@
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/dhcp.py renew_client_lease --family inet6 --interface "$4"</command>
+ <command>${vyos_op_scripts_dir}/dhcp.py renew_client_lease --family inet6 --interface "$4"</command>
</tagNode>
</children>
</node>
@@ -349,7 +349,7 @@
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/dhcp.py release_client_lease --family inet --interface "$4"</command>
+ <command>${vyos_op_scripts_dir}/dhcp.py release_client_lease --family inet --interface "$4"</command>
</tagNode>
</children>
</node>
@@ -365,7 +365,7 @@
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/dhcp.py release_client_lease --family inet6 --interface "$4"</command>
+ <command>${vyos_op_scripts_dir}/dhcp.py release_client_lease --family inet6 --interface "$4"</command>
</tagNode>
</children>
</node>
diff --git a/op-mode-definitions/disconnect.xml.in b/op-mode-definitions/disconnect.xml.in
index f0523d9b9..7891a6488 100644
--- a/op-mode-definitions/disconnect.xml.in
+++ b/op-mode-definitions/disconnect.xml.in
@@ -14,7 +14,7 @@
<path>interfaces wwan</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/connect_disconnect.py --disconnect --interface "$3"</command>
+ <command>${vyos_op_scripts_dir}/connect_disconnect.py --disconnect --interface "$3"</command>
</tagNode>
</children>
</node>
diff --git a/op-mode-definitions/disks.xml.in b/op-mode-definitions/disks.xml.in
index 8a1e2c86f..e3ffe8da9 100644
--- a/op-mode-definitions/disks.xml.in
+++ b/op-mode-definitions/disks.xml.in
@@ -19,7 +19,7 @@
<properties>
<help>Format this disk the same as another disk</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/format_disk.py --by-id --target $4 --proto $6</command>
+ <command>${vyos_op_scripts_dir}/format_disk.py --by-id --target $4 --proto $6</command>
</tagNode>
</children>
</tagNode>
@@ -40,7 +40,7 @@
<script>${vyos_completion_dir}/list_disks.py --exclude ${COMP_WORDS[2]}</script>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/format_disk.py --target $3 --proto $5</command>
+ <command>${vyos_op_scripts_dir}/format_disk.py --target $3 --proto $5</command>
</tagNode>
</children>
</tagNode>
diff --git a/op-mode-definitions/dns-dynamic.xml.in b/op-mode-definitions/dns-dynamic.xml.in
index ef0f03988..1a1176835 100644
--- a/op-mode-definitions/dns-dynamic.xml.in
+++ b/op-mode-definitions/dns-dynamic.xml.in
@@ -16,7 +16,7 @@
<properties>
<help>Clear Dynamic DNS information cache (ddclient)</help>
</properties>
- <command>sudo rm -f /run/ddclient/ddclient.cache</command>
+ <command>rm -f /run/ddclient/ddclient.cache</command>
</leafNode>
</children>
</node>
@@ -78,7 +78,7 @@
<properties>
<help>Show Dynamic DNS status</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/dns.py show_dynamic_status</command>
+ <command>${vyos_op_scripts_dir}/dns.py show_dynamic_status</command>
</leafNode>
</children>
</node>
@@ -97,7 +97,7 @@
<properties>
<help>Restart Dynamic DNS service</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart.py restart_service --name dns_dynamic</command>
+ <command>${vyos_op_scripts_dir}/restart.py restart_service --name dns_dynamic</command>
</node>
</children>
</node>
@@ -114,7 +114,7 @@
<properties>
<help>Reset Dynamic DNS information</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/dns.py reset_dynamic</command>
+ <command>${vyos_op_scripts_dir}/dns.py reset_dynamic</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/dns-forwarding.xml.in b/op-mode-definitions/dns-forwarding.xml.in
index fac3fc345..d25be6009 100644
--- a/op-mode-definitions/dns-forwarding.xml.in
+++ b/op-mode-definitions/dns-forwarding.xml.in
@@ -54,7 +54,7 @@
<properties>
<help>Show DNS Forwarding statistics</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/dns.py show_forwarding_statistics</command>
+ <command>${vyos_op_scripts_dir}/dns.py show_forwarding_statistics</command>
</leafNode>
</children>
</node>
@@ -73,7 +73,7 @@
<properties>
<help>Restart DNS Forwarding service</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart.py restart_service --name dns_forwarding</command>
+ <command>${vyos_op_scripts_dir}/restart.py restart_service --name dns_forwarding</command>
</leafNode>
</children>
</node>
@@ -92,13 +92,13 @@
</properties>
<children>
<tagNode name="domain">
- <command>sudo ${vyos_op_scripts_dir}/dns.py reset_forwarding --domain $5</command>
+ <command>${vyos_op_scripts_dir}/dns.py reset_forwarding --domain $5</command>
<properties>
<help>Reset DNS Forwarding cache for a domain</help>
</properties>
</tagNode>
<leafNode name="all">
- <command>sudo ${vyos_op_scripts_dir}/dns.py reset_forwarding --all</command>
+ <command>${vyos_op_scripts_dir}/dns.py reset_forwarding --all</command>
<properties>
<help>Reset DNS Forwarding cache for all domains</help>
</properties>
diff --git a/op-mode-definitions/execute-shell.xml.in b/op-mode-definitions/execute-shell.xml.in
index dfdc1e371..241935607 100644
--- a/op-mode-definitions/execute-shell.xml.in
+++ b/op-mode-definitions/execute-shell.xml.in
@@ -14,7 +14,7 @@
<path>netns name</path>
</completionHelp>
</properties>
- <command>sudo ip netns exec $4 su - $(whoami)</command>
+ <command>ip netns exec $4 su - $(whoami)</command>
</tagNode>
<tagNode name="vrf">
<properties>
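Review bot: `ip netns exec $4 su - $(whoami)` needs root for the namespace switch, so this node only works if the runner elevates it after the `sudo` removal; when it does, `su - $(whoami)` is what returns the shell to the caller, which is fine, but when it does not, the command fails before `su` is reached. `$4` is also unquoted here and in the vrf node of the next hunk (`ip vrf exec $4`), so `"$4"` would be safer against word splitting. The enclosing `<tagNode>` starts outside the hunk.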
@@ -23,7 +23,7 @@
<path>vrf name</path>
</completionHelp>
</properties>
- <command>sudo ip vrf exec $4 su - $(whoami)</command>
+ <command>ip vrf exec $4 su - $(whoami)</command>
</tagNode>
</children>
</node>
diff --git a/op-mode-definitions/file.xml.in b/op-mode-definitions/file.xml.in
index 549b9ad92..23c92f2b3 100644
--- a/op-mode-definitions/file.xml.in
+++ b/op-mode-definitions/file.xml.in
@@ -7,7 +7,7 @@
<help>Show the contents of a file, a directory or an image</help>
<completionHelp><imagePath/></completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/file.py --show $3</command>
+ <command>${vyos_op_scripts_dir}/file.py --show $3</command>
</tagNode>
</children>
</node>
@@ -27,7 +27,7 @@
<help>Destination path</help>
<completionHelp><imagePath/></completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/file.py --copy $3 $5
+ <command>${vyos_op_scripts_dir}/file.py --copy $3 $5
</command>
</tagNode>
</children>
@@ -44,7 +44,7 @@
<help>Delete a local file, possibly from an image</help>
<completionHelp><imagePath/></completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/file.py --delete $3</command>
+ <command>${vyos_op_scripts_dir}/file.py --delete $3</command>
</tagNode>
</children>
</node>
@@ -65,7 +65,7 @@
<script>${vyos_completion_dir}/list_images.py --no-running</script>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/file.py --clone $4</command>
+ <command>${vyos_op_scripts_dir}/file.py --clone $4</command>
<children>
<tagNode name="from">
<properties>
@@ -75,7 +75,7 @@
<script>${vyos_completion_dir}/list_images.py</script>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/file.py --clone-from $6 $4</command>
+ <command>${vyos_op_scripts_dir}/file.py --clone-from $6 $4</command>
</tagNode>
</children>
</tagNode>
diff --git a/op-mode-definitions/firewall.xml.in b/op-mode-definitions/firewall.xml.in
index 21159eb1b..f3f9d3ded 100755
--- a/op-mode-definitions/firewall.xml.in
+++ b/op-mode-definitions/firewall.xml.in
@@ -34,10 +34,10 @@
<path>firewall group detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_group --name $4 --detail $5</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show_group --name $4 --detail $5</command>
</leafNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_group --name $4</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show_group --name $4</command>
</tagNode>
<node name="group">
<properties>
@@ -51,10 +51,10 @@
<path>firewall group detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_group --detail $4</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show_group --detail $4</command>
</leafNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_group</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show_group</command>
</node>
<node name="bridge">
<properties>
@@ -78,7 +78,7 @@
<path>firewall bridge forward filter detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
</leafNode>
<tagNode name="rule">
<properties>
@@ -95,13 +95,13 @@
<path>firewall bridge forward filter detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
</leafNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
</node>
</children>
</node>
@@ -122,7 +122,7 @@
<path>firewall bridge input filter detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
</leafNode>
<tagNode name="rule">
<properties>
@@ -139,13 +139,13 @@
<path>firewall bridge input filter detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
</leafNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
</node>
</children>
</node>
@@ -166,7 +166,7 @@
<path>firewall bridge output filter detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
</leafNode>
<tagNode name="rule">
<properties>
@@ -183,13 +183,13 @@
<path>firewall bridge output filter detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
</leafNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
</node>
</children>
</node>
@@ -210,7 +210,7 @@
<path>firewall bridge prerouting filter detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
</leafNode>
<tagNode name="rule">
<properties>
@@ -227,13 +227,13 @@
<path>firewall bridge prerouting filter detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
</leafNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
</node>
</children>
</node>
@@ -252,7 +252,7 @@
<path>firewall bridge name detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
</leafNode>
<tagNode name="rule">
<properties>
@@ -269,16 +269,16 @@
<path>firewall bridge name ${COMP_WORDS[4]} rule detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
</leafNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_family --family $3</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show_family --family $3</command>
</node>
<node name="ipv6">
<properties>
@@ -302,7 +302,7 @@
<path>firewall ipv6 forward filter detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
</leafNode>
<tagNode name="rule">
<properties>
@@ -319,13 +319,13 @@
<path>firewall ipv6 forward filter rule detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
</leafNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
</node>
</children>
</node>
@@ -346,7 +346,7 @@
<path>firewall ipv6 input filter detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
</leafNode>
<tagNode name="rule">
<properties>
@@ -363,13 +363,13 @@
<path>firewall ipv6 input filter rule detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
</leafNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
</node>
</children>
</node>
@@ -390,7 +390,7 @@
<path>firewall ipv6 output filter detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
</leafNode>
<tagNode name="rule">
<properties>
@@ -407,13 +407,13 @@
<path>firewall ipv6 output filter rule detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
</leafNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
</node>
</children>
</node>
@@ -434,7 +434,7 @@
<path>firewall ipv6 prerouting raw detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
</leafNode>
<tagNode name="rule">
<properties>
@@ -451,13 +451,13 @@
<path>firewall ipv6 prerouting raw rule detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
</leafNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
</node>
</children>
</node>
@@ -476,7 +476,7 @@
<path>firewall ipv6 name detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
</leafNode>
<tagNode name="rule">
<properties>
@@ -493,16 +493,16 @@
<path>firewall ipv6 name ${COMP_WORDS[4]} rule detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
</leafNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_family --family $3</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show_family --family $3</command>
</node>
<node name="ipv4">
<properties>
@@ -526,7 +526,7 @@
<path>firewall ipv4 forward filter detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
</leafNode>
<tagNode name="rule">
<properties>
@@ -543,13 +543,13 @@
<path>firewall ipv4 forward filter rule detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
</leafNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
</node>
</children>
</node>
@@ -570,7 +570,7 @@
<path>firewall ipv4 input filter detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
</leafNode>
<tagNode name="rule">
<properties>
@@ -587,13 +587,13 @@
<path>firewall ipv4 input filter rule detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
</leafNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
</node>
</children>
</node>
@@ -614,7 +614,7 @@
<path>firewall ipv4 input output detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
</leafNode>
<tagNode name="rule">
<properties>
@@ -631,13 +631,13 @@
<path>firewall ipv4 input output rule detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
</leafNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
</node>
</children>
</node>
@@ -658,7 +658,7 @@
<path>firewall ipv4 prerouting raw detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
</leafNode>
<tagNode name="rule">
<properties>
@@ -675,13 +675,13 @@
<path>firewall ipv4 prerouting raw rule detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
</leafNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
</node>
</children>
</node>
@@ -700,7 +700,7 @@
<path>firewall ipv4 name detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
</leafNode>
<tagNode name="rule">
<properties>
@@ -717,16 +717,16 @@
<path>firewall ipv4 name ${COMP_WORDS[4]} rule detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
</leafNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_family --family $3</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show_family --family $3</command>
</node>
<node name="statistics">
<properties>
@@ -740,16 +740,16 @@
<path>firewall statistics detail</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_statistics --detail $4</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show_statistics --detail $4</command>
</leafNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_statistics</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show_statistics</command>
</node>
<leafNode name="summary">
<properties>
<help>Show summary of firewall application</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_summary</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show_summary</command>
</leafNode>
<node name="zone-policy">
<properties>
@@ -763,13 +763,13 @@
<path>firewall zone</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/zone.py show --zone $5</command>
+ <command>${vyos_op_scripts_dir}/zone.py show --zone $5</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/zone.py show</command>
+ <command>${vyos_op_scripts_dir}/zone.py show</command>
</node>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_all</command>
+ <command>${vyos_op_scripts_dir}/firewall.py --action show_all</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/flow-accounting-op.xml.in b/op-mode-definitions/flow-accounting-op.xml.in
index 46dc77d05..01686f0aa 100644
--- a/op-mode-definitions/flow-accounting-op.xml.in
+++ b/op-mode-definitions/flow-accounting-op.xml.in
@@ -57,7 +57,7 @@
<properties>
<help>Restart (net)flow accounting process</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/flow_accounting_op.py --action restart</command>
+ <command>${vyos_op_scripts_dir}/flow_accounting_op.py --action restart</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/force-arp.xml.in b/op-mode-definitions/force-arp.xml.in
index 05aa04e6b..368a08ac4 100644
--- a/op-mode-definitions/force-arp.xml.in
+++ b/op-mode-definitions/force-arp.xml.in
@@ -27,13 +27,13 @@
<properties>
<help>Send gratuitous ARP reply for specified address</help>
</properties>
- <command>sudo /usr/bin/arping -I $5 -c 1 -A $7</command>
+ <command>/usr/bin/arping -I $5 -c 1 -A $7</command>
<children>
<tagNode name="count">
<properties>
<help>Send specified number of ARP replies</help>
</properties>
- <command>sudo /usr/bin/arping -I $5 -c $9 -A $7</command>
+ <command>/usr/bin/arping -I $5 -c $9 -A $7</command>
</tagNode>
</children>
</tagNode>
@@ -58,13 +58,13 @@
<properties>
<help>Send gratuitous ARP request for specified address</help>
</properties>
- <command>sudo /usr/bin/arping -I $5 -c 1 -U $7</command>
+ <command>/usr/bin/arping -I $5 -c 1 -U $7</command>
<children>
<tagNode name="count">
<properties>
<help>Send specified number of ARP requests</help>
</properties>
- <command>sudo /usr/bin/arping -I $5 -c $9 -U $7</command>
+ <command>/usr/bin/arping -I $5 -c $9 -U $7</command>
</tagNode>
</children>
</tagNode>
@@ -89,7 +89,7 @@
<properties>
<help>Send ARP for DAD detection for specified address</help>
</properties>
- <command>sudo /usr/bin/arping -I $5 -c 1 -D $7</command>
+ <command>/usr/bin/arping -I $5 -c 1 -D $7</command>
</tagNode>
</children>
</tagNode>
diff --git a/op-mode-definitions/force-root-partition-auto-resize.xml.in b/op-mode-definitions/force-root-partition-auto-resize.xml.in
index f84c073b8..dc58a331d 100644
--- a/op-mode-definitions/force-root-partition-auto-resize.xml.in
+++ b/op-mode-definitions/force-root-partition-auto-resize.xml.in
@@ -6,7 +6,7 @@
<properties>
<help>Resize the VyOS partition</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/force_root-partition-auto-resize.sh</command>
+ <command>${vyos_op_scripts_dir}/force_root-partition-auto-resize.sh</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/generate-ipsec-debug-archive.xml.in b/op-mode-definitions/generate-ipsec-debug-archive.xml.in
index a9ce113d1..dcbed0c42 100644
--- a/op-mode-definitions/generate-ipsec-debug-archive.xml.in
+++ b/op-mode-definitions/generate-ipsec-debug-archive.xml.in
@@ -8,7 +8,7 @@
<properties>
<help>Generate IPSec debug-archive</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_ipsec_debug_archive.py</command>
+ <command>${vyos_op_scripts_dir}/generate_ipsec_debug_archive.py</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/generate-ipsec-profile.xml.in b/op-mode-definitions/generate-ipsec-profile.xml.in
index afa299da2..b7203d7d1 100644
--- a/op-mode-definitions/generate-ipsec-profile.xml.in
+++ b/op-mode-definitions/generate-ipsec-profile.xml.in
@@ -28,7 +28,7 @@
<script>${vyos_completion_dir}/list_local_ips.sh --both</script>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7"</command>
+ <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7"</command>
<children>
<tagNode name="name">
<properties>
@@ -37,7 +37,7 @@
<list>&lt;name&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --name "$9"</command>
+ <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --name "$9"</command>
<children>
<tagNode name="profile">
<properties>
@@ -46,7 +46,7 @@
<list>&lt;name&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --name "$9" --profile "${11}"</command>
+ <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --name "$9" --profile "${11}"</command>
</tagNode>
</children>
</tagNode>
@@ -57,7 +57,7 @@
<list>&lt;name&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --profile "$9"</command>
+ <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --profile "$9"</command>
<children>
<tagNode name="name">
<properties>
@@ -66,7 +66,7 @@
<list>&lt;name&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --profile "$9" --name "${11}"</command>
+ <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --profile "$9" --name "${11}"</command>
</tagNode>
</children>
</tagNode>
diff --git a/op-mode-definitions/generate-openconnect-user-key.xml.in b/op-mode-definitions/generate-openconnect-user-key.xml.in
index 80cdfb3d7..8a75b09dc 100644
--- a/op-mode-definitions/generate-openconnect-user-key.xml.in
+++ b/op-mode-definitions/generate-openconnect-user-key.xml.in
@@ -24,19 +24,19 @@
<properties>
<help>HOTP time-based token</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_openconnect_otp_key.py --username "$4" --interval 30 --digits 6</command>
+ <command>${vyos_op_scripts_dir}/generate_openconnect_otp_key.py --username "$4" --interval 30 --digits 6</command>
<children>
<tagNode name="interval">
<properties>
<help>Duration of single time interval</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_openconnect_otp_key.py --username "$4" --interval "$8" --digits 6</command>
+ <command>${vyos_op_scripts_dir}/generate_openconnect_otp_key.py --username "$4" --interval "$8" --digits 6</command>
<children>
<tagNode name="digits">
<properties>
<help>The number of digits in the one-time password</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_openconnect_otp_key.py --username "$4" --interval "$8" --digits "${10}"</command>
+ <command>${vyos_op_scripts_dir}/generate_openconnect_otp_key.py --username "$4" --interval "$8" --digits "${10}"</command>
</tagNode>
</children>
</tagNode>
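Review bot: The help text `HOTP time-based token` at the top of the hunk reads as a contradiction: HOTP is the counter-based variant, while the `--interval` and `--digits` arguments on the `+` lines are parameters of the time-based (TOTP) scheme. Unless the script really emits an HOTP secret, `<help>TOTP time-based token</help>` would describe the node accurately; the same string appears in generate-system-login-user.xml.in. The enclosing tagNode opens before this hunk.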
@@ -44,13 +44,13 @@
<properties>
<help>The number of digits in the one-time password</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_openconnect_otp_key.py --username "$4" --interval 30 --digits "$8"</command>
+ <command>${vyos_op_scripts_dir}/generate_openconnect_otp_key.py --username "$4" --interval 30 --digits "$8"</command>
<children>
<tagNode name="interval">
<properties>
<help>Duration of single time interval</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_openconnect_otp_key.py --username "$4" --interval "${10}" --digits $8</command>
+ <command>${vyos_op_scripts_dir}/generate_openconnect_otp_key.py --username "$4" --interval "${10}" --digits $8</command>
</tagNode>
</children>
</tagNode>
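Review bot: `--digits $8` on the last `+` line is unquoted while every other positional argument in this file is quoted (`"$8"`, `"${10}"`), so a value containing whitespace or glob characters would be split or expanded by the shell before it reaches the script. For consistency with the sibling command a few lines above, change it to `--digits "$8"`.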
diff --git a/op-mode-definitions/generate-openvpn-config-client.xml.in b/op-mode-definitions/generate-openvpn-config-client.xml.in
index fc8bfa346..351742f1e 100644
--- a/op-mode-definitions/generate-openvpn-config-client.xml.in
+++ b/op-mode-definitions/generate-openvpn-config-client.xml.in
@@ -40,10 +40,10 @@
<properties>
<help>Certificate key used by client</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_ovpn_client_file.py --interface "$5" --ca "$7" --cert "$9" --key "${11}"</command>
+ <command>${vyos_op_scripts_dir}/generate_ovpn_client_file.py --interface "$5" --ca "$7" --cert "$9" --key "${11}"</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/generate_ovpn_client_file.py --interface "$5" --ca "$7" --cert "$9"</command>
+ <command>${vyos_op_scripts_dir}/generate_ovpn_client_file.py --interface "$5" --ca "$7" --cert "$9"</command>
</tagNode>
</children>
</tagNode>
diff --git a/op-mode-definitions/generate-ssh-server-key.xml.in b/op-mode-definitions/generate-ssh-server-key.xml.in
index ecea3e5d1..86bb1b1bd 100644
--- a/op-mode-definitions/generate-ssh-server-key.xml.in
+++ b/op-mode-definitions/generate-ssh-server-key.xml.in
@@ -14,7 +14,7 @@
<properties>
<help>Re-generate SSH host keys and restart SSH server</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_ssh_server_key.py</command>
+ <command>${vyos_op_scripts_dir}/generate_ssh_server_key.py</command>
</node>
<tagNode name="client-key">
<properties>
diff --git a/op-mode-definitions/generate-system-login-user.xml.in b/op-mode-definitions/generate-system-login-user.xml.in
index 6f65c12b3..b93cb8beb 100644
--- a/op-mode-definitions/generate-system-login-user.xml.in
+++ b/op-mode-definitions/generate-system-login-user.xml.in
@@ -29,25 +29,25 @@
<properties>
<help>HOTP time-based token</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5"</command>
+ <command>${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5"</command>
<children>
<tagNode name="rate-limit">
<properties>
<help>Duration of single time interval</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "$9"</command>
+ <command>${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "$9"</command>
<children>
<tagNode name="rate-time">
<properties>
<help>The number of digits in the one-time password</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "$9" --rate_time "${11}" </command>
+ <command>${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "$9" --rate_time "${11}" </command>
<children>
<tagNode name="window-size">
<properties>
<help>The number of digits in the one-time password</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "$9" --rate_time "${11}" --window_size "${13}"</command>
+ <command>${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "$9" --rate_time "${11}" --window_size "${13}"</command>
</tagNode>
</children>
</tagNode>
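Review bot: The `<help>` strings in this hunk do not describe the nodes they sit on: `rate-limit` is labelled `Duration of single time interval`, and both `rate-time` and `window-size` are labelled `The number of digits in the one-time password`, which look copied from generate-openconnect-user-key.xml.in; the second hunk of this file (`@@ -57,19`) has the same mismatch, with `rate-limit` and `rate-time` both labelled `Duration of single time interval`. Since the commit already touches the adjacent command lines, this is the moment to give each node a help text that matches its `--rate_limit`, `--rate_time` or `--window_size` argument. The command ending in `--rate_time "${11}" </command>` also carries a trailing space before the closing tag that the sibling lines do not have. The enclosing tagNode opens before this hunk.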
@@ -57,19 +57,19 @@
<properties>
<help>The number of digits in the one-time password</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --window_size "${9}"</command>
+ <command>${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --window_size "${9}"</command>
<children>
<tagNode name="rate-limit">
<properties>
<help>Duration of single time interval</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "${11}" --window_size "${9}"</command>
+ <command>${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "${11}" --window_size "${9}"</command>
<children>
<tagNode name="rate-time">
<properties>
<help>Duration of single time interval</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "${11}" --rate_time "${13}" --window_size "${9}"</command>
+ <command>${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "${11}" --rate_time "${13}" --window_size "${9}"</command>
</tagNode>
</children>
</tagNode>
diff --git a/op-mode-definitions/generate-wireguard.xml.in b/op-mode-definitions/generate-wireguard.xml.in
index 5f2463d1a..0375e6324 100644
--- a/op-mode-definitions/generate-wireguard.xml.in
+++ b/op-mode-definitions/generate-wireguard.xml.in
@@ -31,7 +31,7 @@
<list>&lt;hostname&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/wireguard_client.py --name "$4" --interface "$6" --server "$8"</command>
+ <command>${vyos_op_scripts_dir}/wireguard_client.py --name "$4" --interface "$6" --server "$8"</command>
<children>
<tagNode name="address">
<properties>
@@ -40,7 +40,7 @@
<list>&lt;x.x.x.x&gt; &lt;h:h:h:h:h:h:h:h&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/wireguard_client.py --name "$4" --interface "$6" --server "$8" --address "${10}"</command>
+ <command>${vyos_op_scripts_dir}/wireguard_client.py --name "$4" --interface "$6" --server "$8" --address "${10}"</command>
<children>
<tagNode name="address">
<properties>
@@ -49,7 +49,7 @@
<list>&lt;x.x.x.x&gt; &lt;h:h:h:h:h:h:h:h&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/wireguard_client.py --name "$4" --interface "$6" --server "$8" --address "${10}" --address "${12}"</command>
+ <command>${vyos_op_scripts_dir}/wireguard_client.py --name "$4" --interface "$6" --server "$8" --address "${10}" --address "${12}"</command>
</tagNode>
</children>
</tagNode>
diff --git a/op-mode-definitions/generate_tech-support_archive.xml.in b/op-mode-definitions/generate_tech-support_archive.xml.in
index 65c93541e..b7e025a38 100644
--- a/op-mode-definitions/generate_tech-support_archive.xml.in
+++ b/op-mode-definitions/generate_tech-support_archive.xml.in
@@ -11,7 +11,7 @@
<properties>
<help>Generate tech support archive</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_tech-support_archive.py</command>
+ <command>${vyos_op_scripts_dir}/generate_tech-support_archive.py</command>
</node>
<tagNode name="archive">
<properties>
@@ -20,13 +20,13 @@
<list> &lt;file&gt; &lt;scp://user:passwd@host&gt; &lt;ftp://user:passwd@host&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_tech-support_archive.py $4</command>
+ <command>${vyos_op_scripts_dir}/generate_tech-support_archive.py $4</command>
</tagNode>
<node name="machine-readable-archive">
<properties>
<help>Generate tech support archive</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/tech_support.py show --raw | gzip> $4.json.gz</command>
+ <command>${vyos_op_scripts_dir}/tech_support.py show --raw | gzip> $4.json.gz</command>
</node>
<tagNode name="machine-readable-archive">
<properties>
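Review bot: `generate_tech-support_archive.py $4` on the first `+` line passes the destination unquoted, while the other generate-* definitions in this commit quote their positional arguments (`"$5"`); since the completion list advertises `scp://user:passwd@host` values, a destination containing whitespace or glob characters is split or expanded by the shell before the script sees it, so `"$4"` would be safer. The two `machine-readable-archive` commands also differ only in `gzip> $4.json.gz` here versus `gzip > $4.json.gz` in the next hunk; harmless, but worth aligning while the lines are being edited. Note that the `| gzip > …` redirection runs in the invoking shell, so the archive file is written with the caller's permissions regardless of how the script itself is elevated.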
@@ -35,7 +35,7 @@
<list> &lt;file&gt; </list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/tech_support.py show --raw | gzip > $4.json.gz</command>
+ <command>${vyos_op_scripts_dir}/tech_support.py show --raw | gzip > $4.json.gz</command>
</tagNode>
</children>
</node>
diff --git a/op-mode-definitions/geoip.xml.in b/op-mode-definitions/geoip.xml.in
index c1b6e87b9..66ebfccca 100644
--- a/op-mode-definitions/geoip.xml.in
+++ b/op-mode-definitions/geoip.xml.in
@@ -6,7 +6,7 @@
<properties>
<help>Update GeoIP database and firewall sets</help>
</properties>
- <command>sudo ${vyos_libexec_dir}/geoip-update.py --force</command>
+ <command>${vyos_libexec_dir}/geoip-update.py --force</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/igmp-proxy.xml.in b/op-mode-definitions/igmp-proxy.xml.in
index d6ad7ed7e..699d94b3b 100644
--- a/op-mode-definitions/igmp-proxy.xml.in
+++ b/op-mode-definitions/igmp-proxy.xml.in
@@ -6,7 +6,7 @@
<properties>
<help>Restart the IGMP proxy process</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart.py restart_service --name igmp_proxy</command>
+ <command>${vyos_op_scripts_dir}/restart.py restart_service --name igmp_proxy</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/include/bgp/advertised-routes.xml.i b/op-mode-definitions/include/bgp/advertised-routes.xml.i
new file mode 100644
index 000000000..cc3f1f9b5
--- /dev/null
+++ b/op-mode-definitions/include/bgp/advertised-routes.xml.i
@@ -0,0 +1,12 @@
+<!-- included start from bgp/advertised-routes.xml.i -->
+<node name="advertised-routes">
+ <properties>
+ <help>Show routes advertised to a BGP neighbor</help>
+ </properties>
+ <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+ <children>
+ #include <include/vtysh-generic-detail-wide.xml.i>
+ #include <include/vtysh-generic-wide.xml.i>
+ </children>
+</node>
+<!-- included end -->
diff --git a/op-mode-definitions/include/bgp/afi-ipv4-ipv6-common.xml.i b/op-mode-definitions/include/bgp/afi-ipv4-ipv6-common.xml.i
index 820d507fd..d5fb7f5ee 100644
--- a/op-mode-definitions/include/bgp/afi-ipv4-ipv6-common.xml.i
+++ b/op-mode-definitions/include/bgp/afi-ipv4-ipv6-common.xml.i
@@ -158,61 +158,14 @@
</properties>
<command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
<children>
- <leafNode name="advertised-routes">
- <properties>
- <help>Show routes advertised to a BGP neighbor</help>
- </properties>
- <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
- </leafNode>
- <leafNode name="dampened-routes">
- <properties>
- <help>Show dampened routes received from BGP neighbor</help>
- </properties>
- <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
- </leafNode>
- <leafNode name="flap-statistics">
- <properties>
- <help>Show flap statistics of the routes learned from BGP neighbor</help>
- </properties>
- <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
- </leafNode>
- <leafNode name="prefix-counts">
- <properties>
- <help>Show detailed prefix count information for BGP neighbor</help>
- </properties>
- <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
- </leafNode>
- <node name="received">
- <properties>
- <help>Show information received from BGP neighbor</help>
- </properties>
- <children>
- <leafNode name="prefix-filter">
- <properties>
- <help>Show prefixlist filter</help>
- </properties>
- <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
- </leafNode>
- </children>
- </node>
- <leafNode name="filtered-routes">
- <properties>
- <help>Show filtered routes from BGP neighbor</help>
- </properties>
- <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
- </leafNode>
- <leafNode name="received-routes">
- <properties>
- <help>Show received routes from BGP neighbor</help>
- </properties>
- <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
- </leafNode>
- <leafNode name="routes">
- <properties>
- <help>Show routes learned from BGP neighbor</help>
- </properties>
- <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
- </leafNode>
+ #include <include/bgp/advertised-routes.xml.i>
+ #include <include/bgp/dampened-routes.xml.i>
+ #include <include/bgp/filtered-routes.xml.i>
+ #include <include/bgp/flap-statistics.xml.i>
+ #include <include/bgp/prefix-counts.xml.i>
+ #include <include/bgp/received.xml.i>
+ #include <include/bgp/received-routes.xml.i>
+ #include <include/bgp/routes.xml.i>
</children>
</tagNode>
<tagNode name="prefix-list">
diff --git a/op-mode-definitions/include/bgp/dampened-routes.xml.i b/op-mode-definitions/include/bgp/dampened-routes.xml.i
new file mode 100644
index 000000000..073ca3325
--- /dev/null
+++ b/op-mode-definitions/include/bgp/dampened-routes.xml.i
@@ -0,0 +1,8 @@
+<!-- included start from bgp/dampened-routes.xml.i -->
+<leafNode name="dampened-routes">
+ <properties>
+ <help>Show dampened routes received from BGP neighbor</help>
+ </properties>
+ <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+</leafNode>
+<!-- included end -->
diff --git a/op-mode-definitions/include/bgp/filtered-routes.xml.i b/op-mode-definitions/include/bgp/filtered-routes.xml.i
new file mode 100644
index 000000000..a33e8f28f
--- /dev/null
+++ b/op-mode-definitions/include/bgp/filtered-routes.xml.i
@@ -0,0 +1,8 @@
+<!-- included start from bgp/filtered-routes.xml.i -->
+<leafNode name="filtered-routes">
+ <properties>
+ <help>Show filtered routes from BGP neighbor</help>
+ </properties>
+ <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+</leafNode>
+<!-- included end -->
diff --git a/op-mode-definitions/include/bgp/flap-statistics.xml.i b/op-mode-definitions/include/bgp/flap-statistics.xml.i
new file mode 100644
index 000000000..93ac110e0
--- /dev/null
+++ b/op-mode-definitions/include/bgp/flap-statistics.xml.i
@@ -0,0 +1,8 @@
+<!-- included start from bgp/flap-statistics.xml.i -->
+<leafNode name="flap-statistics">
+ <properties>
+ <help>Show flap statistics of the routes learned from BGP neighbor</help>
+ </properties>
+ <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+</leafNode>
+<!-- included end -->
diff --git a/op-mode-definitions/include/bgp/prefix-counts.xml.i b/op-mode-definitions/include/bgp/prefix-counts.xml.i
new file mode 100644
index 000000000..a7131ebeb
--- /dev/null
+++ b/op-mode-definitions/include/bgp/prefix-counts.xml.i
@@ -0,0 +1,8 @@
+<!-- included start from bgp/prefix-counts.xml.i -->
+<leafNode name="prefix-counts">
+ <properties>
+ <help>Show detailed prefix count information</help>
+ </properties>
+ <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+</leafNode>
+<!-- included end -->
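Review bot: The help text `Show detailed prefix count information` on the new leaf drops the qualifier that the removed entry in afi-ipv4-ipv6-common.xml.i carried, and since this include now serves both that file and show-ip-bgp-common.xml.i the shorter text is what every caller will see. Suggest `<help>Show detailed prefix count information for BGP neighbor</help>` so the completion help still says what the count is scoped to.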
diff --git a/op-mode-definitions/include/bgp/received-routes.xml.i b/op-mode-definitions/include/bgp/received-routes.xml.i
new file mode 100644
index 000000000..55bed7c77
--- /dev/null
+++ b/op-mode-definitions/include/bgp/received-routes.xml.i
@@ -0,0 +1,12 @@
+<!-- included start from bgp/received-routes.xml.i -->
+<node name="received-routes">
+ <properties>
+ <help>Show received routes from a BGP neighbor</help>
+ </properties>
+ <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+ <children>
+ #include <include/vtysh-generic-detail-wide.xml.i>
+ #include <include/vtysh-generic-wide.xml.i>
+ </children>
+</node>
+<!-- included end -->
diff --git a/op-mode-definitions/include/bgp/received.xml.i b/op-mode-definitions/include/bgp/received.xml.i
new file mode 100644
index 000000000..bb8dc6981
--- /dev/null
+++ b/op-mode-definitions/include/bgp/received.xml.i
@@ -0,0 +1,16 @@
+<!-- included start from bgp/received.xml.i -->
+<node name="received">
+ <properties>
+ <help>Show information received from BGP neighbor</help>
+ </properties>
+ <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+ <children>
+ <leafNode name="prefix-filter">
+ <properties>
+ <help>Show prefixlist filter</help>
+ </properties>
+ <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+ </leafNode>
+ </children>
+</node>
+<!-- included end -->
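Review bot: The new `received` node carries `<command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>`, while the `received` node it replaces in afi-ipv4-ipv6-common.xml.i had no `<command>` and acted only as a container for `prefix-filter`. Invoking `show ... neighbors <addr> received` without a subcommand will now forward the bare word `received` to vtysh, which presumably yields a parse error rather than useful output; either drop the node-level `<command>` to keep the old behaviour or confirm that FRR accepts that form. Note also that this include is now pulled into show-ip-bgp-common.xml.i, which previously had no `received` subtree, so that command tree gains the same entry.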
diff --git a/op-mode-definitions/include/bgp/routes.xml.i b/op-mode-definitions/include/bgp/routes.xml.i
new file mode 100644
index 000000000..248e8fc5c
--- /dev/null
+++ b/op-mode-definitions/include/bgp/routes.xml.i
@@ -0,0 +1,8 @@
+<!-- included start from bgp/routes.xml.i -->
+<leafNode name="routes">
+ <properties>
+ <help>Show routes learned from BGP neighbor</help>
+ </properties>
+ <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+</leafNode>
+<!-- included end -->
diff --git a/op-mode-definitions/include/bgp/show-bgp-common.xml.i b/op-mode-definitions/include/bgp/show-bgp-common.xml.i
index d888bc3b0..003451a33 100644
--- a/op-mode-definitions/include/bgp/show-bgp-common.xml.i
+++ b/op-mode-definitions/include/bgp/show-bgp-common.xml.i
@@ -128,18 +128,8 @@
</properties>
<command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
<children>
- <leafNode name="advertised-routes">
- <properties>
- <help>Show routes advertised to a BGP neighbor</help>
- </properties>
- <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
- </leafNode>
- <leafNode name="routes">
- <properties>
- <help>Show routes learned from BGP neighbor</help>
- </properties>
- <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
- </leafNode>
+ #include <include/bgp/advertised-routes.xml.i>
+ #include <include/bgp/routes.xml.i>
</children>
</tagNode>
<leafNode name="next-hops">
diff --git a/op-mode-definitions/include/bgp/show-ip-bgp-common.xml.i b/op-mode-definitions/include/bgp/show-ip-bgp-common.xml.i
index db9021f3e..48475e04e 100644
--- a/op-mode-definitions/include/bgp/show-ip-bgp-common.xml.i
+++ b/op-mode-definitions/include/bgp/show-ip-bgp-common.xml.i
@@ -81,36 +81,14 @@
</properties>
<command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
<children>
- <leafNode name="advertised-routes">
- <properties>
- <help>Show routes advertised to a BGP neighbor</help>
- </properties>
- <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
- </leafNode>
- <leafNode name="prefix-counts">
- <properties>
- <help>Show detailed prefix count information</help>
- </properties>
- <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
- </leafNode>
- <leafNode name="filtered-routes">
- <properties>
- <help>Show the filtered routes from neighbor</help>
- </properties>
- <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
- </leafNode>
- <leafNode name="received-routes">
- <properties>
- <help>Show the received routes from neighbor</help>
- </properties>
- <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
- </leafNode>
- <leafNode name="routes">
- <properties>
- <help>Show routes learned from neighbor</help>
- </properties>
- <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
- </leafNode>
+ #include <include/bgp/advertised-routes.xml.i>
+ #include <include/bgp/dampened-routes.xml.i>
+ #include <include/bgp/filtered-routes.xml.i>
+ #include <include/bgp/flap-statistics.xml.i>
+ #include <include/bgp/prefix-counts.xml.i>
+ #include <include/bgp/received.xml.i>
+ #include <include/bgp/received-routes.xml.i>
+ #include <include/bgp/routes.xml.i>
</children>
</tagNode>
<leafNode name="paths">
diff --git a/op-mode-definitions/include/vtysh-generic-detail-wide.xml.i b/op-mode-definitions/include/vtysh-generic-detail-wide.xml.i
new file mode 100644
index 000000000..98ce09948
--- /dev/null
+++ b/op-mode-definitions/include/vtysh-generic-detail-wide.xml.i
@@ -0,0 +1,11 @@
+<!-- included start from vtysh-generic-detail-wide.xml.i -->
+<node name="detail">
+ <properties>
+ <help>Detailed information</help>
+ </properties>
+ <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+ <children>
+ #include <include/vtysh-generic-wide.xml.i>
+ </children>
+</node>
+<!-- included end -->
diff --git a/op-mode-definitions/install-mok.xml.in b/op-mode-definitions/install-mok.xml.in
index c7e62349a..ab8e5d3db 100644
--- a/op-mode-definitions/install-mok.xml.in
+++ b/op-mode-definitions/install-mok.xml.in
@@ -6,7 +6,7 @@
<properties>
<help>Install Secure Boot MOK (Machine Owner Key)</help>
</properties>
- <command>if test -f /var/lib/shim-signed/mok/vyos-dev-2025-shim.der; then sudo mokutil --ignore-keyring --import /var/lib/shim-signed/mok/vyos-dev-2025-shim.der; else echo "Secure Boot Machine Owner Key not found"; fi</command>
+ <command>${vyos_op_scripts_dir}/install_mok.sh</command>
</leafNode>
</children>
</node>
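Review bot: The inline `if test -f ...; then sudo mokutil --ignore-keyring --import ...; else echo ...; fi` guard is replaced by `${vyos_op_scripts_dir}/install_mok.sh`, which is not part of this chunk, so the missing-key check and the `--ignore-keyring` import flag now live where this review cannot see them. Please confirm the script preserves both, and consider having it exit non-zero when the key file is absent — the old command printed the message and returned the exit status of `echo`, i.e. success, which hid the failure from anything scripting around it.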
diff --git a/op-mode-definitions/ipv4-route.xml.in b/op-mode-definitions/ipv4-route.xml.in
index 17a0a4ad9..e4dda2851 100644
--- a/op-mode-definitions/ipv4-route.xml.in
+++ b/op-mode-definitions/ipv4-route.xml.in
@@ -39,7 +39,7 @@
<list>&lt;x.x.x.x&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/neighbor.py reset --family inet --address "$5"</command>
+ <command>${vyos_op_scripts_dir}/neighbor.py reset --family inet --address "$5"</command>
</tagNode>
<tagNode name="interface">
<properties>
@@ -48,13 +48,13 @@
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/neighbor.py reset --family inet --interface "$5"</command>
+ <command>${vyos_op_scripts_dir}/neighbor.py reset --family inet --interface "$5"</command>
</tagNode>
<node name="table">
<properties>
<help>Flush the ARP cache completely</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/neighbor.py reset --family inet</command>
+ <command>${vyos_op_scripts_dir}/neighbor.py reset --family inet</command>
</node>
</children>
</node>
@@ -67,7 +67,7 @@
<properties>
<help>Flush the kernel route cache</help>
</properties>
- <command>sudo ip route flush cache</command>
+ <command>ip route flush cache</command>
</leafNode>
<tagNode name="cache">
<properties>
@@ -76,7 +76,7 @@
<list>&lt;x.x.x.x&gt; &lt;x.x.x.x/x&gt;</list>
</completionHelp>
</properties>
- <command>sudo ip route flush cache "$5"</command>
+ <command>ip route flush cache "$5"</command>
</tagNode>
</children>
</node>
diff --git a/op-mode-definitions/ipv6-route.xml.in b/op-mode-definitions/ipv6-route.xml.in
index 5ed0b9dba..311bc6de6 100644
--- a/op-mode-definitions/ipv6-route.xml.in
+++ b/op-mode-definitions/ipv6-route.xml.in
@@ -65,7 +65,7 @@
<list>&lt;h:h:h:h:h:h:h:h&gt;</list>
</completionHelp>
</properties>
- <command>sudo ip -f inet6 neigh flush to "$5"</command>
+ <command>ip -f inet6 neigh flush to "$5"</command>
</tagNode>
<tagNode name="interface">
<properties>
@@ -74,7 +74,7 @@
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
</properties>
- <command>sudo ip -f inet6 neigh flush dev "$5"</command>
+ <command>ip -f inet6 neigh flush dev "$5"</command>
</tagNode>
</children>
</node>
@@ -87,7 +87,7 @@
<properties>
<help>Flush the kernel IPv6 route cache</help>
</properties>
- <command>sudo ip -f inet6 route flush cache</command>
+ <command>ip -f inet6 route flush cache</command>
</leafNode>
<tagNode name="cache">
<properties>
@@ -96,7 +96,7 @@
<list>&lt;h:h:h:h:h:h:h:h&gt; &lt;h:h:h:h:h:h:h:h/x&gt;</list>
</completionHelp>
</properties>
- <command>sudo ip -f inet6 route flush cache "$5"</command>
+ <command>ip -f inet6 route flush cache "$5"</command>
</tagNode>
</children>
</node>
diff --git a/op-mode-definitions/load-balancing_haproxy.xml.in b/op-mode-definitions/load-balancing_haproxy.xml.in
index 8de7ae97f..8692a7367 100644
--- a/op-mode-definitions/load-balancing_haproxy.xml.in
+++ b/op-mode-definitions/load-balancing_haproxy.xml.in
@@ -6,7 +6,7 @@
<properties>
<help>Restart haproxy service</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart.py restart_service --name haproxy</command>
+ <command>${vyos_op_scripts_dir}/restart.py restart_service --name haproxy</command>
</node>
</children>
</node>
@@ -16,7 +16,7 @@
<properties>
<help>Show load-balancing haproxy</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/load-balancing_haproxy.py show</command>
+ <command>${vyos_op_scripts_dir}/load-balancing_haproxy.py show</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/load-balancing_wan.xml.in b/op-mode-definitions/load-balancing_wan.xml.in
index 91c57c1f4..652b01eda 100644
--- a/op-mode-definitions/load-balancing_wan.xml.in
+++ b/op-mode-definitions/load-balancing_wan.xml.in
@@ -6,7 +6,7 @@
<properties>
<help>Restart Wide Area Network (WAN) load-balancing daemon</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart.py restart_service --name load-balancing_wan</command>
+ <command>${vyos_op_scripts_dir}/restart.py restart_service --name load-balancing_wan</command>
</node>
</children>
</node>
@@ -34,4 +34,4 @@
</node>
</children>
</node>
-</interfaceDefinition> \ No newline at end of file
+</interfaceDefinition>
diff --git a/op-mode-definitions/mdns-reflector.xml.in b/op-mode-definitions/mdns-reflector.xml.in
index 115b2858c..6fe412334 100644
--- a/op-mode-definitions/mdns-reflector.xml.in
+++ b/op-mode-definitions/mdns-reflector.xml.in
@@ -53,7 +53,7 @@
<properties>
<help>Restart mDNS repeater service</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart.py restart_service --name mdns_repeater</command>
+ <command>${vyos_op_scripts_dir}/restart.py restart_service --name mdns_repeater</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/monitor-bridge.xml.in b/op-mode-definitions/monitor-bridge.xml.in
index a43fa6dd9..ae98ec3ea 100644
--- a/op-mode-definitions/monitor-bridge.xml.in
+++ b/op-mode-definitions/monitor-bridge.xml.in
@@ -6,22 +6,22 @@
<properties>
<help>Monitor bridge database changes</help>
</properties>
- <command>sudo bridge monitor all</command>
+ <command>bridge monitor all</command>
<children>
<node name="link">
- <command>sudo bridge monitor link</command>
+ <command>bridge monitor link</command>
<properties>
<help>Monitor bridge database generated connection interface changes</help>
</properties>
</node>
<node name="fdb">
- <command>sudo bridge monitor fdb</command>
+ <command>bridge monitor fdb</command>
<properties>
<help>Monitor the forwarding database changes generated by the bridge database</help>
</properties>
</node>
<node name="mdb">
- <command>sudo bridge monitor mdb</command>
+ <command>bridge monitor mdb</command>
<properties>
<help>Monitor the multicast database changes generated by the bridge database</help>
</properties>
diff --git a/op-mode-definitions/monitor-log.xml.in b/op-mode-definitions/monitor-log.xml.in
index b6784d9ea..721460be5 100644
--- a/op-mode-definitions/monitor-log.xml.in
+++ b/op-mode-definitions/monitor-log.xml.in
@@ -21,7 +21,7 @@
<properties>
<help>Monitor last lines of certbot log</help>
</properties>
- <command>if sudo test -f /var/log/letsencrypt/letsencrypt.log; then sudo tail --follow=name /var/log/letsencrypt/letsencrypt.log; else echo "Cerbot log does not exist"; fi</command>
+ <command>if test -f /var/log/letsencrypt/letsencrypt.log; then tail --follow=name /var/log/letsencrypt/letsencrypt.log; else echo "Cerbot log does not exist"; fi</command>
</leafNode>
<leafNode name="conntrack-sync">
<properties>
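Review bot: `test -f /var/log/letsencrypt/letsencrypt.log` now runs as the invoking user, and where `/var/log/letsencrypt` is not traversable by that user the check fails and the operator is told the log does not exist, which is misleading; the removed `sudo test -f` did not have that ambiguity. The message also misspells the tool, so change the else branch to `else echo "Certbot log does not exist or is not readable"; fi`. The `tail --follow=name` branch has the same readability dependency, so whatever now grants op-mode commands their privileges needs to cover this file read as well.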
diff --git a/op-mode-definitions/monitor-ndp.xml.in b/op-mode-definitions/monitor-ndp.xml.in
index 3b08f3d73..a40c4f25c 100644
--- a/op-mode-definitions/monitor-ndp.xml.in
+++ b/op-mode-definitions/monitor-ndp.xml.in
@@ -6,10 +6,10 @@
<properties>
<help>Monitor Neighbor Discovery Protocol (NDP) information</help>
</properties>
- <command>sudo ndptool monitor</command>
+ <command>ndptool monitor</command>
<children>
<tagNode name="interface">
- <command>sudo ndptool monitor --ifname=$4</command>
+ <command>ndptool monitor --ifname=$4</command>
<properties>
<help>Monitor Neighbor Discovery Protocol on specified interface</help>
<completionHelp>
@@ -18,7 +18,7 @@
</properties>
<children>
<tagNode name="type">
- <command>sudo ndptool monitor --ifname=$4 --msg-type=$6</command>
+ <command>ndptool monitor --ifname=$4 --msg-type=$6</command>
<properties>
<help>Monitor specific Neighbor Discovery Protocol type</help>
<completionHelp>
@@ -29,7 +29,7 @@
</children>
</tagNode>
<tagNode name="type">
- <command>sudo ndptool monitor --msg-type=$4</command>
+ <command>ndptool monitor --msg-type=$4</command>
<properties>
<help>Monitor specific Neighbor Discovery Protocol type</help>
<completionHelp>
diff --git a/op-mode-definitions/nat.xml.in b/op-mode-definitions/nat.xml.in
index 13e7fd81d..bdf6324b2 100644
--- a/op-mode-definitions/nat.xml.in
+++ b/op-mode-definitions/nat.xml.in
@@ -24,7 +24,7 @@
<list>&lt;x.x.x.x&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/cgnat.py show_allocation --external-address "$6"</command>
+ <command>${vyos_op_scripts_dir}/cgnat.py show_allocation --external-address "$6"</command>
</tagNode>
<tagNode name="internal-address">
<properties>
@@ -33,10 +33,10 @@
<list>&lt;x.x.x.x&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/cgnat.py show_allocation --internal-address "$6"</command>
+ <command>${vyos_op_scripts_dir}/cgnat.py show_allocation --internal-address "$6"</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/cgnat.py show_allocation</command>
+ <command>${vyos_op_scripts_dir}/cgnat.py show_allocation</command>
</node>
</children>
</node>
@@ -49,13 +49,13 @@
<properties>
<help>Show configured source NAT rules</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/nat.py show_rules --direction source --family inet</command>
+ <command>${vyos_op_scripts_dir}/nat.py show_rules --direction source --family inet</command>
</node>
<node name="statistics">
<properties>
<help>Show statistics for configured source NAT rules</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/nat.py show_statistics --direction source --family inet</command>
+ <command>${vyos_op_scripts_dir}/nat.py show_statistics --direction source --family inet</command>
</node>
<node name="translations">
<properties>
@@ -69,10 +69,10 @@
<list>&lt;x.x.x.x&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction source --family inet --address "$6"</command>
+ <command>${vyos_op_scripts_dir}/nat.py show_translations --direction source --family inet --address "$6"</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction source --family inet</command>
+ <command>${vyos_op_scripts_dir}/nat.py show_translations --direction source --family inet</command>
</node>
</children>
</node>
@@ -85,13 +85,13 @@
<properties>
<help>Show configured destination NAT rules</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/nat.py show_rules --direction destination --family inet</command>
+ <command>${vyos_op_scripts_dir}/nat.py show_rules --direction destination --family inet</command>
</node>
<node name="statistics">
<properties>
<help>Show statistics for configured destination NAT rules</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/nat.py show_statistics --direction destination --family inet</command>
+ <command>${vyos_op_scripts_dir}/nat.py show_statistics --direction destination --family inet</command>
</node>
<node name="translations">
<properties>
@@ -105,10 +105,10 @@
<list>&lt;x.x.x.x&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction destination --family inet --address "$6"</command>
+ <command>${vyos_op_scripts_dir}/nat.py show_translations --direction destination --family inet --address "$6"</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction destination --family inet</command>
+ <command>${vyos_op_scripts_dir}/nat.py show_translations --direction destination --family inet</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/nat66.xml.in b/op-mode-definitions/nat66.xml.in
index 4df20d847..435e041a3 100644
--- a/op-mode-definitions/nat66.xml.in
+++ b/op-mode-definitions/nat66.xml.in
@@ -16,13 +16,13 @@
<properties>
<help>Show configured source NAT66 rules</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/nat.py show_rules --direction source --family inet6</command>
+ <command>${vyos_op_scripts_dir}/nat.py show_rules --direction source --family inet6</command>
</node>
<node name="statistics">
<properties>
<help>Show statistics for configured source NAT66 rules</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/nat.py show_statistics --direction source --family inet6</command>
+ <command>${vyos_op_scripts_dir}/nat.py show_statistics --direction source --family inet6</command>
</node>
<node name="translations">
<properties>
@@ -36,10 +36,10 @@
<list>&lt;h:h:h:h:h:h:h:h&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction source --family inet6 --address "$6"</command>
+ <command>${vyos_op_scripts_dir}/nat.py show_translations --direction source --family inet6 --address "$6"</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction source --family inet6</command>
+ <command>${vyos_op_scripts_dir}/nat.py show_translations --direction source --family inet6</command>
</node>
</children>
</node>
@@ -52,13 +52,13 @@
<properties>
<help>Show configured destination NAT66 rules</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/nat.py show_rules --direction destination --family inet6</command>
+ <command>${vyos_op_scripts_dir}/nat.py show_rules --direction destination --family inet6</command>
</node>
<node name="statistics">
<properties>
<help>Show statistics for configured destination NAT66 rules</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/nat.py show_statistics --direction destination --family inet6</command>
+ <command>${vyos_op_scripts_dir}/nat.py show_statistics --direction destination --family inet6</command>
</node>
<node name="translations">
<properties>
@@ -72,10 +72,10 @@
<list>&lt;h:h:h:h:h:h:h:h&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction destination --family inet6 --address "$6"</command>
+ <command>${vyos_op_scripts_dir}/nat.py show_translations --direction destination --family inet6 --address "$6"</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction destination --family inet6</command>
+ <command>${vyos_op_scripts_dir}/nat.py show_translations --direction destination --family inet6</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/ntp.xml.in b/op-mode-definitions/ntp.xml.in
index 565a5edb5..208df8259 100644
--- a/op-mode-definitions/ntp.xml.in
+++ b/op-mode-definitions/ntp.xml.in
@@ -6,25 +6,25 @@
<properties>
<help>Show peer status of NTP daemon</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/ntp.py show_sourcestats</command>
+ <command>${vyos_op_scripts_dir}/ntp.py show_sourcestats</command>
<children>
<node name="activity">
<properties>
<help>Report the number of servers and peers that are online and offline</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/ntp.py show_activity</command>
+ <command>${vyos_op_scripts_dir}/ntp.py show_activity</command>
</node>
<node name="sources">
<properties>
<help>Show information about the current time sources being accessed</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/ntp.py show_sources</command>
+ <command>${vyos_op_scripts_dir}/ntp.py show_sources</command>
</node>
<node name="system">
<properties>
<help>Show parameters about the system clock performance</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/ntp.py show_tracking</command>
+ <command>${vyos_op_scripts_dir}/ntp.py show_tracking</command>
</node>
</children>
</node>
@@ -49,10 +49,10 @@
<path>vrf name</path>
</completionHelp>
</properties>
- <command>sudo ip vrf exec $5 chronyc makestep</command>
+ <command>ip vrf exec $5 chronyc makestep</command>
</tagNode>
</children>
- <command>sudo chronyc makestep</command>
+ <command>chronyc makestep</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/openconnect.xml.in b/op-mode-definitions/openconnect.xml.in
index 88e1f9f15..e2c94bacb 100644
--- a/op-mode-definitions/openconnect.xml.in
+++ b/op-mode-definitions/openconnect.xml.in
@@ -17,7 +17,7 @@
<properties>
<help>Show OpenConnect configured user settings</help>
<completionHelp>
- <script>sudo ${vyos_completion_dir}/list_openconnect_users.py</script>
+ <script>${vyos_completion_dir}/list_openconnect_users.py</script>
</completionHelp>
</properties>
<children>
diff --git a/op-mode-definitions/openvpn.xml.in b/op-mode-definitions/openvpn.xml.in
index f205b0026..63834a127 100644
--- a/op-mode-definitions/openvpn.xml.in
+++ b/op-mode-definitions/openvpn.xml.in
@@ -11,7 +11,7 @@
<properties>
<help>Reset specified OpenVPN client</help>
<completionHelp>
- <script>sudo ${vyos_completion_dir}/list_openvpn_clients.py --all</script>
+ <script>${vyos_completion_dir}/list_openvpn_clients.py --all</script>
</completionHelp>
</properties>
<command>echo kill $4 | socat - UNIX-CONNECT:/run/openvpn/openvpn-mgmt-intf &gt; /dev/null</command>
@@ -20,10 +20,10 @@
<properties>
<help>Reset OpenVPN process on interface</help>
<completionHelp>
- <script>sudo ${vyos_completion_dir}/list_interfaces --type openvpn</script>
+ <script>${vyos_completion_dir}/list_interfaces --type openvpn</script>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/openvpn.py reset --interface $4</command>
+ <command>${vyos_op_scripts_dir}/openvpn.py reset --interface $4</command>
</tagNode>
</children>
</node>
@@ -51,7 +51,7 @@
<properties>
<help>Show OpenVPN interface information</help>
<completionHelp>
- <script>sudo ${vyos_completion_dir}/list_interfaces --type openvpn</script>
+ <script>${vyos_completion_dir}/list_interfaces --type openvpn</script>
</completionHelp>
</properties>
<command>${vyos_op_scripts_dir}/interfaces.py show --intf-name=$4</command>
@@ -60,7 +60,7 @@
<properties>
<help>Show OpenVPN interface users</help>
<completionHelp>
- <script>sudo ${vyos_completion_dir}/list_openvpn_users.py --interface ${COMP_WORDS[3]}</script>
+ <script>${vyos_completion_dir}/list_openvpn_users.py --interface ${COMP_WORDS[3]}</script>
</completionHelp>
</properties>
<children>
@@ -110,19 +110,19 @@
<properties>
<help>Show tunnel status for OpenVPN client interfaces</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/openvpn.py show --mode client</command>
+ <command>${vyos_op_scripts_dir}/openvpn.py show --mode client</command>
</leafNode>
<leafNode name="server">
<properties>
<help>Show tunnel status for OpenVPN server interfaces</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/openvpn.py show --mode server</command>
+ <command>${vyos_op_scripts_dir}/openvpn.py show --mode server</command>
</leafNode>
<leafNode name="site-to-site">
<properties>
<help>Show tunnel status for OpenVPN site-to-site interfaces</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/openvpn.py show --mode site_to_site</command>
+ <command>${vyos_op_scripts_dir}/openvpn.py show --mode site_to_site</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/pki.xml.in b/op-mode-definitions/pki.xml.in
index 866f482bf..43fb1fe2b 100644
--- a/op-mode-definitions/pki.xml.in
+++ b/op-mode-definitions/pki.xml.in
@@ -27,7 +27,7 @@
<list>&lt;filename&gt;</list>
</completionHelp>
</properties>
- <command>sudo -E ${vyos_op_scripts_dir}/pki.py generate_pki --pki-type ca --name "$7" --sign "$5" --file</command>
+ <command>${vyos_op_scripts_dir}/pki.py generate_pki --pki-type ca --name "$7" --sign "$5" --file</command>
</tagNode>
<tagNode name="install">
<properties>
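Review bot: Here and in every other pki.xml.in hunk the removed form was `sudo -E`, i.e. the caller's environment was deliberately preserved when pki.py ran elevated, whereas the other files in this commit only dropped plain `sudo`. If pki.py reads anything from the environment (the calling user's identity or `HOME` for output paths, for example), dropping `-E` under a new privilege mechanism can change what it sees; a sentence in the commit description saying why `-E` is no longer needed, or an explicit check in pki.py for the variables it relies on, would make that visible. The `--file` variants of `generate_pki` and the `import_pki` key reads are now performed by a process whose identity may have changed, so ownership and mode of generated key files should be verified once on a built image.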
@@ -48,7 +48,7 @@
<list>&lt;filename&gt;</list>
</completionHelp>
</properties>
- <command>sudo -E ${vyos_op_scripts_dir}/pki.py generate_pki --pki-type ca --name "$5" --file</command>
+ <command>${vyos_op_scripts_dir}/pki.py generate_pki --pki-type ca --name "$5" --file</command>
</tagNode>
<tagNode name="install">
<properties>
@@ -79,7 +79,7 @@
<list>&lt;filename&gt;</list>
</completionHelp>
</properties>
- <command>sudo -E ${vyos_op_scripts_dir}/pki.py generate_pki --pki-type certificate --name "$6" --self-sign --file</command>
+ <command>${vyos_op_scripts_dir}/pki.py generate_pki --pki-type certificate --name "$6" --self-sign --file</command>
</tagNode>
<tagNode name="install">
<properties>
@@ -108,7 +108,7 @@
<list>&lt;filename&gt;</list>
</completionHelp>
</properties>
- <command>sudo -E ${vyos_op_scripts_dir}/pki.py generate_pki --pki-type certificate --name "$7" --sign "$5" --file</command>
+ <command>${vyos_op_scripts_dir}/pki.py generate_pki --pki-type certificate --name "$7" --sign "$5" --file</command>
</tagNode>
<tagNode name="install">
<properties>
@@ -129,7 +129,7 @@
<list>&lt;filename&gt;</list>
</completionHelp>
</properties>
- <command>sudo -E ${vyos_op_scripts_dir}/pki.py generate_pki --pki-type certificate --name "$5" --file</command>
+ <command>${vyos_op_scripts_dir}/pki.py generate_pki --pki-type certificate --name "$5" --file</command>
</tagNode>
<tagNode name="install">
<properties>
@@ -158,7 +158,7 @@
<list>&lt;filename&gt;</list>
</completionHelp>
</properties>
- <command>sudo -E ${vyos_op_scripts_dir}/pki.py generate_pki --pki-type crl --name "$4" --file</command>
+ <command>${vyos_op_scripts_dir}/pki.py generate_pki --pki-type crl --name "$4" --file</command>
</tagNode>
<leafNode name="install">
<properties>
@@ -181,7 +181,7 @@
<list>&lt;filename&gt;</list>
</completionHelp>
</properties>
- <command>sudo -E ${vyos_op_scripts_dir}/pki.py generate_pki --pki-type dh --name "$5" --file</command>
+ <command>${vyos_op_scripts_dir}/pki.py generate_pki --pki-type dh --name "$5" --file</command>
</tagNode>
<tagNode name="install">
<properties>
@@ -207,7 +207,7 @@
<list>&lt;filename&gt;</list>
</completionHelp>
</properties>
- <command>sudo -E ${vyos_op_scripts_dir}/pki.py generate_pki --pki-type key-pair --name "$5" --file</command>
+ <command>${vyos_op_scripts_dir}/pki.py generate_pki --pki-type key-pair --name "$5" --file</command>
</tagNode>
<tagNode name="install">
<properties>
@@ -238,7 +238,7 @@
<list>&lt;filename&gt;</list>
</completionHelp>
</properties>
- <command>sudo -E ${vyos_op_scripts_dir}/pki.py generate_pki --pki-type openvpn --name "$6" --file</command>
+ <command>${vyos_op_scripts_dir}/pki.py generate_pki --pki-type openvpn --name "$6" --file</command>
</tagNode>
<tagNode name="install">
<properties>
@@ -266,7 +266,7 @@
<list>&lt;filename&gt;</list>
</completionHelp>
</properties>
- <command>sudo -E ${vyos_op_scripts_dir}/pki.py generate_pki --pki-type ssh --name "$5" --file</command>
+ <command>${vyos_op_scripts_dir}/pki.py generate_pki --pki-type ssh --name "$5" --file</command>
</tagNode>
<tagNode name="install">
<properties>
@@ -371,13 +371,13 @@
<properties>
<help>Path to CA certificate file</help>
</properties>
- <command>sudo -E ${vyos_op_scripts_dir}/pki.py import_pki --pki-type ca --name "$4" --filename "$6"</command>
+ <command>${vyos_op_scripts_dir}/pki.py import_pki --pki-type ca --name "$4" --filename "$6"</command>
</tagNode>
<tagNode name="key-file">
<properties>
<help>Path to private key file</help>
</properties>
- <command>sudo -E ${vyos_op_scripts_dir}/pki.py import_pki --pki-type ca --name "$4" --key-filename "$6"</command>
+ <command>${vyos_op_scripts_dir}/pki.py import_pki --pki-type ca --name "$4" --key-filename "$6"</command>
</tagNode>
</children>
</tagNode>
@@ -393,13 +393,13 @@
<properties>
<help>Path to certificate file</help>
</properties>
- <command>sudo -E ${vyos_op_scripts_dir}/pki.py import_pki --pki-type certificate --name "$4" --filename "$6"</command>
+ <command>${vyos_op_scripts_dir}/pki.py import_pki --pki-type certificate --name "$4" --filename "$6"</command>
</tagNode>
<tagNode name="key-file">
<properties>
<help>Path to private key file</help>
</properties>
- <command>sudo -E ${vyos_op_scripts_dir}/pki.py import_pki --pki-type certificate --name "$4" --key-filename "$6"</command>
+ <command>${vyos_op_scripts_dir}/pki.py import_pki --pki-type certificate --name "$4" --key-filename "$6"</command>
</tagNode>
</children>
</tagNode>
@@ -415,7 +415,7 @@
<properties>
<help>Path to CRL file</help>
</properties>
- <command>sudo -E ${vyos_op_scripts_dir}/pki.py import_pki --pki-type crl --name "$4" --filename "$6"</command>
+ <command>${vyos_op_scripts_dir}/pki.py import_pki --pki-type crl --name "$4" --filename "$6"</command>
</tagNode>
</children>
</tagNode>
@@ -431,7 +431,7 @@
<properties>
<help>Path to DH parameters file</help>
</properties>
- <command>sudo -E ${vyos_op_scripts_dir}/pki.py import_pki --pki-type dh --name "$4" --filename "$6"</command>
+ <command>${vyos_op_scripts_dir}/pki.py import_pki --pki-type dh --name "$4" --filename "$6"</command>
</tagNode>
</children>
</tagNode>
@@ -447,13 +447,13 @@
<properties>
<help>Path to public key file</help>
</properties>
- <command>sudo -E ${vyos_op_scripts_dir}/pki.py import_pki --pki-type key-pair --name "$4" --filename "$6"</command>
+ <command>${vyos_op_scripts_dir}/pki.py import_pki --pki-type key-pair --name "$4" --filename "$6"</command>
</tagNode>
<tagNode name="private-file">
<properties>
<help>Path to private key file</help>
</properties>
- <command>sudo -E ${vyos_op_scripts_dir}/pki.py import_pki --pki-type key-pair --name "$4" --key-filename "$6"</command>
+ <command>${vyos_op_scripts_dir}/pki.py import_pki --pki-type key-pair --name "$4" --key-filename "$6"</command>
</tagNode>
</children>
</tagNode>
@@ -474,7 +474,7 @@
<properties>
<help>Path to shared secret key file</help>
</properties>
- <command>sudo -E ${vyos_op_scripts_dir}/pki.py import_pki --pki-type openvpn --name "$5" --filename "$7"</command>
+ <command>${vyos_op_scripts_dir}/pki.py import_pki --pki-type openvpn --name "$5" --filename "$7"</command>
</tagNode>
</children>
</tagNode>
@@ -490,13 +490,13 @@
<properties>
<help>Show PKI x509 certificates</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/pki.py show_all</command>
+ <command>${vyos_op_scripts_dir}/pki.py show_all</command>
<children>
<leafNode name="ca">
<properties>
<help>Show x509 CA certificates</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/pki.py show_certificate_authority</command>
+ <command>${vyos_op_scripts_dir}/pki.py show_certificate_authority</command>
</leafNode>
<tagNode name="ca">
<properties>
@@ -505,13 +505,13 @@
<path>pki ca</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/pki.py show_certificate_authority --name "$4"</command>
+ <command>${vyos_op_scripts_dir}/pki.py show_certificate_authority --name "$4"</command>
<children>
<leafNode name="pem">
<properties>
<help>Show x509 CA certificate in PEM format</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/pki.py show_certificate_authority --name "$4" --pem</command>
+ <command>${vyos_op_scripts_dir}/pki.py show_certificate_authority --name "$4" --pem</command>
</leafNode>
</children>
</tagNode>
@@ -519,7 +519,7 @@
<properties>
<help>Show x509 certificates</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/pki.py show_certificate</command>
+ <command>${vyos_op_scripts_dir}/pki.py show_certificate</command>
</leafNode>
<tagNode name="certificate">
<properties>
@@ -528,13 +528,13 @@
<path>pki certificate</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/pki.py show_certificate --name "$4"</command>
+ <command>${vyos_op_scripts_dir}/pki.py show_certificate --name "$4"</command>
<children>
<leafNode name="pem">
<properties>
<help>Show x509 certificate in PEM format</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/pki.py show_certificate --name "$4" --pem</command>
+ <command>${vyos_op_scripts_dir}/pki.py show_certificate --name "$4" --pem</command>
</leafNode>
<tagNode name="fingerprint">
<properties>
@@ -543,7 +543,7 @@
<list>sha256 sha384 sha512</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/pki.py show_certificate --name "$4" --fingerprint "$6"</command>
+ <command>${vyos_op_scripts_dir}/pki.py show_certificate --name "$4" --fingerprint "$6"</command>
</tagNode>
</children>
</tagNode>
@@ -580,7 +580,7 @@
<properties>
<help>Start manual certbot renewal</help>
</properties>
- <command>sudo systemctl start certbot.service</command>
+ <command>systemctl start certbot.service</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/policy-route.xml.in b/op-mode-definitions/policy-route.xml.in
index bd4a61dc9..6ddbb51a5 100644
--- a/op-mode-definitions/policy-route.xml.in
+++ b/op-mode-definitions/policy-route.xml.in
@@ -88,7 +88,7 @@
<properties>
<help>Show IPv6 policy chain</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/policy_route.py --action show_all --ipv6</command>
+ <command>${vyos_op_scripts_dir}/policy_route.py --action show_all --ipv6</command>
</node>
<tagNode name="route6">
<properties>
@@ -105,16 +105,16 @@
<path>policy route6 ${COMP_WORDS[4]} rule</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/policy_route.py --action show --name $4 --rule $6 --ipv6</command>
+ <command>${vyos_op_scripts_dir}/policy_route.py --action show --name $4 --rule $6 --ipv6</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/policy_route.py --action show --name $4 --ipv6</command>
+ <command>${vyos_op_scripts_dir}/policy_route.py --action show --name $4 --ipv6</command>
</tagNode>
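Review bot: `--name $4 --rule $6` on the new line is left unquoted, while the commands touched elsewhere in this commit quote their positional arguments (`--interface "$4"`, `--name "$4"`). The operands appear to come from the op-mode tokenizer, so word splitting is unlikely in practice, but quoting keeps the style consistent and costs nothing: `--name "$4" --rule "$6" --ipv6`. The same unquoted form survives in the `@@ -131` hunk of this file, in the poweroff/reboot `$3 $4` and `$3 $5` commands, in the raid.xml.in hunks, and in reset-session.xml.in's `pkill -9 -t $3`, where quoting the tty argument is the most worthwhile.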
<node name="route">
<properties>
<help>Show IPv4 policy chain</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/policy_route.py --action show_all</command>
+ <command>${vyos_op_scripts_dir}/policy_route.py --action show_all</command>
</node>
<tagNode name="route">
<properties>
@@ -131,10 +131,10 @@
<path>policy route ${COMP_WORDS[4]} rule</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/policy_route.py --action show --name $4 --rule $6</command>
+ <command>${vyos_op_scripts_dir}/policy_route.py --action show --name $4 --rule $6</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/policy_route.py --action show --name $4</command>
+ <command>${vyos_op_scripts_dir}/policy_route.py --action show --name $4</command>
</tagNode>
</children>
</node>
diff --git a/op-mode-definitions/poweroff.xml.in b/op-mode-definitions/poweroff.xml.in
index b4163bcb9..e023e80be 100644
--- a/op-mode-definitions/poweroff.xml.in
+++ b/op-mode-definitions/poweroff.xml.in
@@ -4,19 +4,19 @@
<properties>
<help>Poweroff the system</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/powerctrl.py --poweroff</command>
+ <command>${vyos_op_scripts_dir}/powerctrl.py --poweroff</command>
<children>
<leafNode name="now">
<properties>
<help>Poweroff the system without confirmation</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/powerctrl.py --yes --poweroff</command>
+ <command>${vyos_op_scripts_dir}/powerctrl.py --yes --poweroff</command>
</leafNode>
<leafNode name="cancel">
<properties>
<help>Cancel a pending poweroff</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/powerctrl.py --cancel</command>
+ <command>${vyos_op_scripts_dir}/powerctrl.py --cancel</command>
</leafNode>
<tagNode name="in">
<properties>
@@ -25,7 +25,7 @@
<list>&lt;Minutes&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/powerctrl.py --yes --poweroff $3 $4</command>
+ <command>${vyos_op_scripts_dir}/powerctrl.py --yes --poweroff $3 $4</command>
</tagNode>
<tagNode name="at">
<properties>
@@ -34,7 +34,7 @@
<list>&lt;HH:MM&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/powerctrl.py --yes --poweroff $3</command>
+ <command>${vyos_op_scripts_dir}/powerctrl.py --yes --poweroff $3</command>
<children>
<tagNode name="date">
<properties>
@@ -43,7 +43,7 @@
<list>&lt;DDMMYYYY&gt; &lt;DD/MM/YYYY&gt; &lt;DD.MM.YYYY&gt; &lt;DD:MM:YYYY&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/powerctrl.py --yes --poweroff $3 $5</command>
+ <command>${vyos_op_scripts_dir}/powerctrl.py --yes --poweroff $3 $5</command>
</tagNode>
</children>
</tagNode>
diff --git a/op-mode-definitions/raid.xml.in b/op-mode-definitions/raid.xml.in
index 85fbf4566..0733b637d 100644
--- a/op-mode-definitions/raid.xml.in
+++ b/op-mode-definitions/raid.xml.in
@@ -19,7 +19,7 @@
<properties>
<help>Add a member to a RAID set</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/raid.py add --raid-set-name $3 --by-id --member $6</command>
+ <command>${vyos_op_scripts_dir}/raid.py add --raid-set-name $3 --by-id --member $6</command>
</tagNode>
</children>
</node>
@@ -27,7 +27,7 @@
<properties>
<help>Add a member to a RAID set</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/raid.py add --raid-set-name $3 --member $5</command>
+ <command>${vyos_op_scripts_dir}/raid.py add --raid-set-name $3 --member $5</command>
</tagNode>
</children>
</tagNode>
@@ -52,7 +52,7 @@
<properties>
<help>Delete a member from a RAID set</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/raid.py delete --raid-set-name $3 --by-id --member $6</command>
+ <command>${vyos_op_scripts_dir}/raid.py delete --raid-set-name $3 --by-id --member $6</command>
</tagNode>
</children>
</node>
@@ -60,7 +60,7 @@
<properties>
<help>Delete a member from a RAID set</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/raid.py delete --raid-set-name $3 --member $5</command>
+ <command>${vyos_op_scripts_dir}/raid.py delete --raid-set-name $3 --member $5</command>
</tagNode>
</children>
</tagNode>
diff --git a/op-mode-definitions/reboot.xml.in b/op-mode-definitions/reboot.xml.in
index d5a71f561..1fa79da7e 100644
--- a/op-mode-definitions/reboot.xml.in
+++ b/op-mode-definitions/reboot.xml.in
@@ -4,19 +4,19 @@
<properties>
<help>Reboot the system</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/powerctrl.py --reboot</command>
+ <command>${vyos_op_scripts_dir}/powerctrl.py --reboot</command>
<children>
<leafNode name="now">
<properties>
<help>Reboot the system without confirmation</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/powerctrl.py --yes --reboot</command>
+ <command>${vyos_op_scripts_dir}/powerctrl.py --yes --reboot</command>
</leafNode>
<leafNode name="cancel">
<properties>
<help>Cancel a pending reboot</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/powerctrl.py --cancel</command>
+ <command>${vyos_op_scripts_dir}/powerctrl.py --cancel</command>
</leafNode>
<tagNode name="in">
<properties>
@@ -25,7 +25,7 @@
<list>&lt;Minutes&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/powerctrl.py --yes --reboot-in $3 $4</command>
+ <command>${vyos_op_scripts_dir}/powerctrl.py --yes --reboot-in $3 $4</command>
</tagNode>
<tagNode name="at">
<properties>
@@ -34,7 +34,7 @@
<list>&lt;HH:MM&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/powerctrl.py --yes --reboot $3</command>
+ <command>${vyos_op_scripts_dir}/powerctrl.py --yes --reboot $3</command>
<children>
<tagNode name="date">
<properties>
@@ -43,7 +43,7 @@
<list>&lt;DD/MM/YYYY&gt; &lt;DD.MM.YYYY&gt; &lt;DD:MM:YYYY&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/powerctrl.py --yes --reboot $3 $5</command>
+ <command>${vyos_op_scripts_dir}/powerctrl.py --yes --reboot $3 $5</command>
</tagNode>
</children>
</tagNode>
diff --git a/op-mode-definitions/reset-connection.xml.in b/op-mode-definitions/reset-connection.xml.in
new file mode 100644
index 000000000..e41d8ed20
--- /dev/null
+++ b/op-mode-definitions/reset-connection.xml.in
@@ -0,0 +1,18 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="reset">
+ <children>
+ <tagNode name="connection">
+ <properties>
+ <help>Bring connection-oriented network interface down and up</help>
+ <completionHelp>
+ <path>interfaces pppoe</path>
+ <path>interfaces sstpc</path>
+ <path>interfaces wwan</path>
+ </completionHelp>
+ </properties>
+ <command>${vyos_op_scripts_dir}/connect_disconnect.py --connect --disconnect --interface "$3"</command>
+ </tagNode>
+ </children>
+ </node>
+</interfaceDefinition>
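Review bot: The command passes both `--connect` and `--disconnect` to connect_disconnect.py in a single invocation, and nothing in this file says in which order the script applies them; the help text promises "down and up", so the reader has to trust the script, which is outside this diff, to disconnect first. A comment next to the command, e.g. `<!-- connect_disconnect.py is expected to disconnect before connecting when both flags are given -->`, would make that contract explicit. The completionHelp lists pppoe, sstpc and wwan interfaces, but `$3` is not validated here, so rejecting other interface names is also left to the script.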
diff --git a/op-mode-definitions/reset-conntrack.xml.in b/op-mode-definitions/reset-conntrack.xml.in
index 9c8265f77..e180b47a8 100644
--- a/op-mode-definitions/reset-conntrack.xml.in
+++ b/op-mode-definitions/reset-conntrack.xml.in
@@ -6,7 +6,7 @@
<properties>
<help>Reset all currently tracked connections</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/clear_conntrack.py</command>
+ <command>${vyos_op_scripts_dir}/clear_conntrack.py</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/reset-session.xml.in b/op-mode-definitions/reset-session.xml.in
index 1e52e278b..a1e8739c5 100644
--- a/op-mode-definitions/reset-session.xml.in
+++ b/op-mode-definitions/reset-session.xml.in
@@ -9,7 +9,7 @@
<script>who | awk '{print $2}'</script>
</completionHelp>
</properties>
- <command>sudo pkill -9 -t $3</command>
+ <command>pkill -9 -t $3</command>
</tagNode>
</children>
</node>
diff --git a/op-mode-definitions/reset-vpn.xml.in b/op-mode-definitions/reset-vpn.xml.in
index 8de95d1cc..336fb1e02 100644
--- a/op-mode-definitions/reset-vpn.xml.in
+++ b/op-mode-definitions/reset-vpn.xml.in
@@ -16,19 +16,19 @@
<properties>
<help>Reset all L2TP server VPN sessions</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="l2tp"</command>
+ <command>${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="l2tp"</command>
</node>
<tagNode name="interface">
<properties>
<help>Reset specified interface on L2TP VPN server</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="l2tp" --interface="$5"</command>
+ <command>${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="l2tp" --interface="$5"</command>
</tagNode>
<tagNode name="user">
<properties>
<help>Reset specified user on L2TP VPN server</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="l2tp" --username="$5"</command>
+ <command>${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="l2tp" --username="$5"</command>
</tagNode>
</children>
</node>
@@ -41,19 +41,19 @@
<properties>
<help>Reset all PPTP server VPN sessions</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="pptp"</command>
+ <command>${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="pptp"</command>
</node>
<tagNode name="interface">
<properties>
<help>Reset specified interface on PPTP VPN server</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="pptp" --interface="$5"</command>
+ <command>${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="pptp" --interface="$5"</command>
</tagNode>
<tagNode name="user">
<properties>
<help>Reset specified user on PPTP VPN server</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="pptp" --username="$5"</command>
+ <command>${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="pptp" --username="$5"</command>
</tagNode>
</children>
</node>
@@ -66,19 +66,19 @@
<properties>
<help>Reset all SSTP server VPN sessions</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="sstp"</command>
+ <command>${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="sstp"</command>
</node>
<tagNode name="interface">
<properties>
<help>Reset specified interface on SSTP VPN server</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="sstp" --interface="$5"</command>
+ <command>${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="sstp" --interface="$5"</command>
</tagNode>
<tagNode name="user">
<properties>
<help>Reset specified user on SSTP VPN server</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="sstp" --username="$5"</command>
+ <command>${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="sstp" --username="$5"</command>
</tagNode>
</children>
</node>
diff --git a/op-mode-definitions/reset-wireguard.xml.in b/op-mode-definitions/reset-wireguard.xml.in
index c2243f519..cb575c8c6 100644
--- a/op-mode-definitions/reset-wireguard.xml.in
+++ b/op-mode-definitions/reset-wireguard.xml.in
@@ -14,7 +14,7 @@
<path>interfaces wireguard</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/reset_wireguard.py reset_peer --interface="$4"</command>
+ <command>${vyos_op_scripts_dir}/reset_wireguard.py reset_peer --interface="$4"</command>
<children>
<tagNode name="peer">
<properties>
@@ -23,7 +23,7 @@
<path>interfaces wireguard ${COMP_WORDS[3]} peer</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/reset_wireguard.py reset_peer --interface="$4" --peer="$6"</command>
+ <command>${vyos_op_scripts_dir}/reset_wireguard.py reset_peer --interface="$4" --peer="$6"</command>
</tagNode>
</children>
</tagNode>
diff --git a/op-mode-definitions/restart-frr.xml.in b/op-mode-definitions/restart-frr.xml.in
index 4772e8dd2..950007a50 100644
--- a/op-mode-definitions/restart-frr.xml.in
+++ b/op-mode-definitions/restart-frr.xml.in
@@ -6,85 +6,85 @@
<properties>
<help>Restart all routing daemons</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart_frr.py --action restart</command>
+ <command>${vyos_op_scripts_dir}/restart_frr.py --action restart</command>
</leafNode>
<leafNode name="zebra">
<properties>
<help>Restart Routing Information Base (RIB) IP manager daemon</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon zebra</command>
+ <command>${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon zebra</command>
</leafNode>
<leafNode name="static">
<properties>
<help>Restart static routing daemon</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon staticd</command>
+ <command>${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon staticd</command>
</leafNode>
<leafNode name="bgp">
<properties>
<help>Restart Border Gateway Protocol (BGP) routing daemon</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon bgpd</command>
+ <command>${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon bgpd</command>
</leafNode>
<leafNode name="ospf">
<properties>
<help>Restart Open Shortest Path First (OSPF) routing daemon</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon ospfd</command>
+ <command>${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon ospfd</command>
</leafNode>
<leafNode name="ospfv3">
<properties>
<help>Restart IPv6 Open Shortest Path First (OSPFv3) routing daemon</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon ospf6d</command>
+ <command>${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon ospf6d</command>
</leafNode>
<leafNode name="rip">
<properties>
<help>Restart Routing Information Protocol (RIP) routing daemon</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon ripd</command>
+ <command>${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon ripd</command>
</leafNode>
<leafNode name="ripng">
<properties>
<help>Restart IPv6 Routing Information Protocol (RIPng) routing daemon</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon ripngd</command>
+ <command>${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon ripngd</command>
</leafNode>
<leafNode name="isis">
<properties>
<help>Restart Intermediate System to Intermediate System (IS-IS) routing daemon</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon isisd</command>
+ <command>${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon isisd</command>
</leafNode>
<leafNode name="openfabric">
<properties>
<help>Restart OpenFabric routing daemon</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon fabricd</command>
+ <command>${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon fabricd</command>
</leafNode>
<leafNode name="pim6">
<properties>
<help>Restart IPv6 Protocol Independent Multicast (PIM) daemon</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon pim6d</command>
+ <command>${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon pim6d</command>
</leafNode>
<leafNode name="ldp">
<properties>
<help>Restart Label Distribution Protocol (LDP) daemon used by MPLS</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon ldpd</command>
+ <command>${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon ldpd</command>
</leafNode>
<leafNode name="babel">
<properties>
<help>Restart Babel routing daemon</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon babeld</command>
+ <command>${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon babeld</command>
</leafNode>
<leafNode name="bfd">
<properties>
<help>Restart Bidirectional Forwarding Detection (BFD) daemon</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon bfdd</command>
+ <command>${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon bfdd</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/restart-ntp.xml.in b/op-mode-definitions/restart-ntp.xml.in
index 961fae252..8713dd147 100644
--- a/op-mode-definitions/restart-ntp.xml.in
+++ b/op-mode-definitions/restart-ntp.xml.in
@@ -6,7 +6,7 @@
<properties>
<help>Restart NTP service</help>
</properties>
- <command>if cli-shell-api existsActive service ntp; then sudo systemctl restart chrony.service; else echo "Service NTP not configured"; fi</command>
+ <command>if cli-shell-api existsActive service ntp; then systemctl restart chrony.service; else echo "Service NTP not configured"; fi</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/restart-router-advert.xml.in b/op-mode-definitions/restart-router-advert.xml.in
index 9eea3dfc4..82cde9892 100644
--- a/op-mode-definitions/restart-router-advert.xml.in
+++ b/op-mode-definitions/restart-router-advert.xml.in
@@ -6,7 +6,7 @@
<properties>
<help>Restart IPv6 Router Advertisement service</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart.py restart_service --name router_advert</command>
+ <command>${vyos_op_scripts_dir}/restart.py restart_service --name router_advert</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/restart-serial.xml.in b/op-mode-definitions/restart-serial.xml.in
index 4d8a03633..27618b2f4 100644
--- a/op-mode-definitions/restart-serial.xml.in
+++ b/op-mode-definitions/restart-serial.xml.in
@@ -11,7 +11,7 @@
<properties>
<help>Restart serial console service for login TTYs</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/serial.py restart_console</command>
+ <command>${vyos_op_scripts_dir}/serial.py restart_console</command>
<children>
<tagNode name="device">
<properties>
@@ -20,7 +20,7 @@
<script>${vyos_completion_dir}/list_login_ttys.py</script>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/serial.py restart_console --device-name "$5"</command>
+ <command>${vyos_op_scripts_dir}/serial.py restart_console --device-name "$5"</command>
</tagNode>
</children>
</node>
diff --git a/op-mode-definitions/restart-snmp.xml.in b/op-mode-definitions/restart-snmp.xml.in
index e9c43de01..0c1f1a2b7 100644
--- a/op-mode-definitions/restart-snmp.xml.in
+++ b/op-mode-definitions/restart-snmp.xml.in
@@ -6,7 +6,7 @@
<properties>
<help>Restart SNMP service</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart.py restart_service --name snmp</command>
+ <command>${vyos_op_scripts_dir}/restart.py restart_service --name snmp</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/restart-ssh.xml.in b/op-mode-definitions/restart-ssh.xml.in
index 914586df8..daa046dd7 100644
--- a/op-mode-definitions/restart-ssh.xml.in
+++ b/op-mode-definitions/restart-ssh.xml.in
@@ -6,7 +6,7 @@
<properties>
<help>Restart SSH service</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart.py restart_service --name ssh --vrf "*"</command>
+ <command>${vyos_op_scripts_dir}/restart.py restart_service --name ssh --vrf "*"</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/sflow.xml.in b/op-mode-definitions/sflow.xml.in
index 9f02dacda..003550304 100644
--- a/op-mode-definitions/sflow.xml.in
+++ b/op-mode-definitions/sflow.xml.in
@@ -7,8 +7,7 @@
<properties>
<help>Show sFlow statistics</help>
</properties>
- <!-- requires sudo, do not remove it -->
- <command>sudo ${vyos_op_scripts_dir}/sflow.py show</command>
+ <command>${vyos_op_scripts_dir}/sflow.py show</command>
</node>
</children>
</node>
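Review bot: The `<!-- requires sudo, do not remove it -->` comment is dropped together with the prefix, but the fact it recorded — that sflow.py needs elevated privileges — has presumably not changed, only where those privileges now come from. Without a replacement the next reader has no hint that this command depends on the op-mode runner granting them, so a short note such as `<!-- needs elevated privileges; formerly prefixed with sudo -->` would keep that knowledge in the file. Whether the runner actually grants them is outside this diff.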
diff --git a/op-mode-definitions/show-acceleration.xml.in b/op-mode-definitions/show-acceleration.xml.in
index fccfba5e3..3f47bb1cd 100644
--- a/op-mode-definitions/show-acceleration.xml.in
+++ b/op-mode-definitions/show-acceleration.xml.in
@@ -29,13 +29,13 @@
<properties>
<help>Intel QAT flows</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_acceleration.py --flow --dev $6</command>
+ <command>${vyos_op_scripts_dir}/show_acceleration.py --flow --dev $6</command>
</node>
<node name="config">
<properties>
<help>Intel QAT configuration</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_acceleration.py --conf --dev $6</command>
+ <command>${vyos_op_scripts_dir}/show_acceleration.py --conf --dev $6</command>
</node>
</children>
</tagNode>
@@ -43,16 +43,16 @@
<properties>
<help>Intel QAT status</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_acceleration.py --status</command>
+ <command>${vyos_op_scripts_dir}/show_acceleration.py --status</command>
</node>
<node name="interrupts">
<properties>
<help>Intel QAT interrupts</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_acceleration.py --interrupts</command>
+ <command>${vyos_op_scripts_dir}/show_acceleration.py --interrupts</command>
</node>
</children>
- <command>sudo ${vyos_op_scripts_dir}/show_acceleration.py --hw</command>
+ <command>${vyos_op_scripts_dir}/show_acceleration.py --hw</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/show-conntrack.xml.in b/op-mode-definitions/show-conntrack.xml.in
index 4cdcffcdb..6212af4eb 100644
--- a/op-mode-definitions/show-conntrack.xml.in
+++ b/op-mode-definitions/show-conntrack.xml.in
@@ -11,7 +11,7 @@
<properties>
<help>Show conntrack statistics</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/conntrack.py show_statistics</command>
+ <command>${vyos_op_scripts_dir}/conntrack.py show_statistics</command>
</node>
<node name="table">
<properties>
@@ -22,13 +22,13 @@
<properties>
<help>Show conntrack entries for IPv4 protocol</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/conntrack.py show --family inet</command>
+ <command>${vyos_op_scripts_dir}/conntrack.py show --family inet</command>
</node>
<node name="ipv6">
<properties>
<help>Show conntrack entries for IPv6 protocol</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/conntrack.py show --family inet6</command>
+ <command>${vyos_op_scripts_dir}/conntrack.py show --family inet6</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/show-environment.xml.in b/op-mode-definitions/show-environment.xml.in
index 95b658785..7cc9fe822 100644
--- a/op-mode-definitions/show-environment.xml.in
+++ b/op-mode-definitions/show-environment.xml.in
@@ -12,7 +12,7 @@
<help>Show hardware monitoring results</help>
</properties>
<!-- Linux always adds "hypervisor" to CPU flags -->
- <command>if ! grep -q hypervisor /proc/cpuinfo; then ${vyos_libexec_dir}/vyos-sudo.py ${vyos_op_scripts_dir}/show_sensors.py; else echo "VyOS running under hypervisor, no sensors available"; fi</command>
+ <command>if ! grep -q hypervisor /proc/cpuinfo; then ${vyos_op_scripts_dir}/show_sensors.py; else echo "VyOS running under hypervisor, no sensors available"; fi</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/show-hardware.xml.in b/op-mode-definitions/show-hardware.xml.in
index 21079765a..84e46a22b 100644
--- a/op-mode-definitions/show-hardware.xml.in
+++ b/op-mode-definitions/show-hardware.xml.in
@@ -31,7 +31,7 @@
<properties>
<help>Show system DMI details</help>
</properties>
- <command>sudo dmidecode</command>
+ <command>dmidecode</command>
</node>
<node name="mem">
<properties>
@@ -62,7 +62,7 @@
<properties>
<help>Show NVMe device information</help>
</properties>
- <command>sudo nvme list</command>
+ <command>nvme list</command>
</leafNode>
<node name="scsi">
<properties>
@@ -85,7 +85,7 @@
<script>ls /dev | egrep '([hsv]d[a-z]|nvme[0-9]+n[0-9])$'</script>
</completionHelp>
</properties>
- <command>sudo smartctl -a "/dev/$5" | sed 1,3d</command>
+ <command>smartctl -a "/dev/$5" | sed 1,3d</command>
</tagNode>
</children>
</node>
diff --git a/op-mode-definitions/show-interfaces-bonding.xml.in b/op-mode-definitions/show-interfaces-bonding.xml.in
index 0abb7cd5a..839a4cd91 100644
--- a/op-mode-definitions/show-interfaces-bonding.xml.in
+++ b/op-mode-definitions/show-interfaces-bonding.xml.in
@@ -23,7 +23,7 @@
<properties>
<help>Show detailed interface information</help>
</properties>
- <command>if [ -f "/proc/net/bonding/$4" ]; then sudo cat "/proc/net/bonding/$4"; else echo "Interface $4 does not exist!"; fi</command>
+ <command>${vyos_op_scripts_dir}/show_bonding_detail.sh "$4"</command>
</leafNode>
<node name="lacp">
<properties>
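Review bot: The old inline command checked that `/proc/net/bonding/$4` exists and printed `Interface $4 does not exist!` otherwise; the new line delegates everything to show_bonding_detail.sh, which is not part of this diff, so it cannot be seen here whether that existence check and user-facing message survive. The same applies to the show-interfaces-pppoe.xml.in and show-interfaces-sstpc.xml.in hunks, where an `if [ -d "/sys/class/net/$4" ]` guard around pppstats is replaced by `show_ppp_stats.sh "$4"`. If these scripts now run with elevated privileges, they should validate `$4` before using it in a path, and once that is confirmed a comment such as `<!-- show_bonding_detail.sh validates the interface name before reading /proc/net/bonding -->` would record it.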
@@ -34,13 +34,13 @@
<properties>
<help>Show LACP details</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/bonding.py show_lacp_detail --interface="$4" </command>
+ <command>${vyos_op_scripts_dir}/bonding.py show_lacp_detail --interface="$4" </command>
</leafNode>
<leafNode name="neighbors">
<properties>
<help>Show LACP Neighbors</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/bonding.py show_lacp_neighbors --interface="$4"</command>
+ <command>${vyos_op_scripts_dir}/bonding.py show_lacp_neighbors --interface="$4"</command>
</leafNode>
</children>
</node>
@@ -91,7 +91,7 @@
<properties>
<help>Show LACP details</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/bonding.py show_lacp_detail</command>
+ <command>${vyos_op_scripts_dir}/bonding.py show_lacp_detail</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/show-interfaces-pppoe.xml.in b/op-mode-definitions/show-interfaces-pppoe.xml.in
index c1f502cb3..0904418bf 100644
--- a/op-mode-definitions/show-interfaces-pppoe.xml.in
+++ b/op-mode-definitions/show-interfaces-pppoe.xml.in
@@ -26,7 +26,7 @@
<path>interfaces pppoe</path>
</completionHelp>
</properties>
- <command>if [ -d "/sys/class/net/$4" ]; then /usr/sbin/pppstats "$4"; fi</command>
+ <command>${vyos_op_scripts_dir}/show_ppp_stats.sh "$4"</command>
</leafNode>
#include <include/show-interface-type-event-log.xml.i>
</children>
diff --git a/op-mode-definitions/show-interfaces-sstpc.xml.in b/op-mode-definitions/show-interfaces-sstpc.xml.in
index 3bd7a8247..61451db93 100644
--- a/op-mode-definitions/show-interfaces-sstpc.xml.in
+++ b/op-mode-definitions/show-interfaces-sstpc.xml.in
@@ -26,7 +26,7 @@
<path>interfaces sstpc</path>
</completionHelp>
</properties>
- <command>if [ -d "/sys/class/net/$4" ]; then /usr/sbin/pppstats "$4"; fi</command>
+ <command>${vyos_op_scripts_dir}/show_ppp_stats.sh "$4"</command>
</leafNode>
#include <include/show-interface-type-event-log.xml.i>
</children>
diff --git a/op-mode-definitions/show-interfaces-wireguard.xml.in b/op-mode-definitions/show-interfaces-wireguard.xml.in
index d86152a21..6abca3a27 100644
--- a/op-mode-definitions/show-interfaces-wireguard.xml.in
+++ b/op-mode-definitions/show-interfaces-wireguard.xml.in
@@ -17,31 +17,31 @@
<properties>
<help>Show all IP addresses allowed for the specified interface</help>
</properties>
- <command>sudo wg show "$4" allowed-ips</command>
+ <command>wg show "$4" allowed-ips</command>
</leafNode>
<leafNode name="endpoints">
<properties>
<help>Show all endpoints for the specified interface</help>
</properties>
- <command>sudo wg show "$4" endpoints</command>
+ <command>wg show "$4" endpoints</command>
</leafNode>
<leafNode name="peers">
<properties>
<help>Show all peer IDs for the specified interface</help>
</properties>
- <command>sudo wg show "$4" peers</command>
+ <command>wg show "$4" peers</command>
</leafNode>
<leafNode name="public-key">
<properties>
<help>Show interface public-key</help>
</properties>
- <command>sudo wg show "$4" public-key</command>
+ <command>wg show "$4" public-key</command>
</leafNode>
<leafNode name="summary">
<properties>
<help>Shows current configuration and device information</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces_wireguard.py show_summary --intf-name="$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces_wireguard.py show_summary --intf-name="$4"</command>
</leafNode>
#include <include/show-interface-type-event-log.xml.i>
</children>
diff --git a/op-mode-definitions/show-interfaces-wireless.xml.in b/op-mode-definitions/show-interfaces-wireless.xml.in
index b0a1502de..16ea33d82 100644
--- a/op-mode-definitions/show-interfaces-wireless.xml.in
+++ b/op-mode-definitions/show-interfaces-wireless.xml.in
@@ -43,13 +43,13 @@
<properties>
<help>Scan for networks via specified wireless interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/interfaces_wireless.py show_scan --intf-name="$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces_wireless.py show_scan --intf-name="$4"</command>
<children>
<leafNode name="detail">
<properties>
<help>Show detailed scan results</help>
</properties>
- <command>sudo /sbin/iw dev "$4" scan ap-force</command>
+ <command>/sbin/iw dev "$4" scan ap-force</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/show-interfaces-wwan.xml.in b/op-mode-definitions/show-interfaces-wwan.xml.in
index 2301b32d0..87301d6c9 100644
--- a/op-mode-definitions/show-interfaces-wwan.xml.in
+++ b/op-mode-definitions/show-interfaces-wwan.xml.in
@@ -18,55 +18,55 @@
<properties>
<help>Show WWAN module capabilities</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --capabilities</command>
+ <command>${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --capabilities</command>
</leafNode>
<leafNode name="firmware">
<properties>
<help>Show WWAN module firmware</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --firmware</command>
+ <command>${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --firmware</command>
</leafNode>
<leafNode name="imei">
<properties>
<help>Show WWAN module IMEI/ESN/MEID</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --imei</command>
+ <command>${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --imei</command>
</leafNode>
<leafNode name="imsi">
<properties>
<help>Show WWAN module IMSI</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --imsi</command>
+ <command>${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --imsi</command>
</leafNode>
<leafNode name="model">
<properties>
<help>Show WWAN module manufacturer</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --model</command>
+ <command>${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --model</command>
</leafNode>
<leafNode name="msisdn">
<properties>
<help>Show WWAN module MSISDN</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --msisdn</command>
+ <command>${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --msisdn</command>
</leafNode>
<leafNode name="revision">
<properties>
<help>Show WWAN module revision</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --revision</command>
+ <command>${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --revision</command>
</leafNode>
<leafNode name="signal">
<properties>
<help>Show WWAN module RF signal info</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --signal</command>
+ <command>${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --signal</command>
</leafNode>
<leafNode name="sim">
<properties>
<help>Show WWAN module connected SIM card information</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --sim</command>
+ <command>${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --sim</command>
</leafNode>
<leafNode name="detail">
<properties>
diff --git a/op-mode-definitions/show-ip-ports.xml.in b/op-mode-definitions/show-ip-ports.xml.in
index a74b68ffc..0d4eec351 100644
--- a/op-mode-definitions/show-ip-ports.xml.in
+++ b/op-mode-definitions/show-ip-ports.xml.in
@@ -8,7 +8,7 @@
<properties>
<help>Show IP ports in use by various system services</help>
</properties>
- <command>sudo /usr/bin/netstat -tulnp</command>
+ <command>/usr/bin/netstat -tulnp</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/show-kernel-modules.xml.in b/op-mode-definitions/show-kernel-modules.xml.in
index 28eb28212..67a0130fb 100644
--- a/op-mode-definitions/show-kernel-modules.xml.in
+++ b/op-mode-definitions/show-kernel-modules.xml.in
@@ -11,7 +11,7 @@
<properties>
<help>Show kernel modules</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/kernel_modules.py show</command>
+ <command>${vyos_op_scripts_dir}/kernel_modules.py show</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in
index fcde76e60..d1320bc00 100755
--- a/op-mode-definitions/show-log.xml.in
+++ b/op-mode-definitions/show-log.xml.in
@@ -30,7 +30,7 @@
<properties>
<help>Show contents of all master log files</help>
</properties>
- <command>sudo bash -c 'eval $(lesspipe); less $_vyatta_less_options --prompt=".logm, file %i of %m., page %dt of %D" -- `printf "%s\n" /var/log/messages* | sort -nr`'</command>
+ <command>bash -c 'eval $(lesspipe); less $_vyatta_less_options --prompt=".logm, file %i of %m., page %dt of %D" -- `printf "%s\n" /var/log/messages* | sort -nr`'</command>
</leafNode>
<leafNode name="authorization">
<properties>
@@ -42,7 +42,7 @@
<properties>
<help>Show log for certbot</help>
</properties>
- <command>if sudo test -f /var/log/letsencrypt/letsencrypt.log; then sudo cat /var/log/letsencrypt/letsencrypt.log; else echo "Cerbot log does not exist"; fi</command>
+ <command>if test -f /var/log/letsencrypt/letsencrypt.log; then cat /var/log/letsencrypt/letsencrypt.log; else echo "Cerbot log does not exist"; fi</command>
</leafNode>
<leafNode name="cluster">
<properties>
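Review bot: The rewritten command keeps the misspelled fallback message `Cerbot log does not exist`; since this line is being changed anyway, correcting it to `echo "Certbot log does not exist"` would avoid carrying the typo forward. The `test -f`/`cat` pair also now depends on the invoking context being able to read /var/log/letsencrypt/letsencrypt.log, which is normally root-only, so this node falls under the privilege assumption noted for the show-hardware hunk.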
diff --git a/op-mode-definitions/show-login.xml.in b/op-mode-definitions/show-login.xml.in
index 6d8c782c4..664677bc6 100644
--- a/op-mode-definitions/show-login.xml.in
+++ b/op-mode-definitions/show-login.xml.in
@@ -14,12 +14,6 @@
</properties>
<command>/usr/bin/id -Gn</command>
</leafNode>
- <leafNode name="level">
- <properties>
- <help>Show current login level</help>
- </properties>
- <command>if [ -n "$VYATTA_USER_LEVEL_DIR" ]; then basename $VYATTA_USER_LEVEL_DIR; fi</command>
- </leafNode>
<leafNode name="user">
<properties>
<help>Show current login user id</help>
diff --git a/op-mode-definitions/show-qos.xml.in b/op-mode-definitions/show-qos.xml.in
index 8974e9541..12b215d8d 100644
--- a/op-mode-definitions/show-qos.xml.in
+++ b/op-mode-definitions/show-qos.xml.in
@@ -20,7 +20,7 @@
<list>&lt;interface&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/qos.py show_cake --ifname $5</command>
+ <command>${vyos_op_scripts_dir}/qos.py show_cake --ifname $5</command>
</tagNode>
</children>
</node>
@@ -28,13 +28,13 @@
<properties>
<help>Show QoS shaping information</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/qos.py show_shaper</command>
+ <command>${vyos_op_scripts_dir}/qos.py show_shaper</command>
<children>
<leafNode name="detail">
<properties>
<help>Show QoS detailed information</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/qos.py show_shaper --detail</command>
+ <command>${vyos_op_scripts_dir}/qos.py show_shaper --detail</command>
</leafNode>
<tagNode name="interface">
<properties>
@@ -44,7 +44,7 @@
<list>&lt;interface&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/qos.py show_shaper --ifname $5</command>
+ <command>${vyos_op_scripts_dir}/qos.py show_shaper --ifname $5</command>
<children>
<tagNode name="class">
<properties>
@@ -53,13 +53,13 @@
<list>&lt;class&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/qos.py show_shaper --ifname $5 --classn $7</command>
+ <command>${vyos_op_scripts_dir}/qos.py show_shaper --ifname $5 --classn $7</command>
<children>
<leafNode name="detail">
<properties>
<help>Show QoS detailed information for given class</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/qos.py show_shaper --ifname $5 --classn $7 --detail</command>
+ <command>${vyos_op_scripts_dir}/qos.py show_shaper --ifname $5 --classn $7 --detail</command>
</leafNode>
</children>
</tagNode>
@@ -67,7 +67,7 @@
<properties>
<help>Show QoS detailed information for given interface</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/qos.py show_shaper --ifname $5 --detail</command>
+ <command>${vyos_op_scripts_dir}/qos.py show_shaper --ifname $5 --detail</command>
</leafNode>
</children>
</tagNode>
diff --git a/op-mode-definitions/show-raid.xml.in b/op-mode-definitions/show-raid.xml.in
index 2ae3fad6a..8bf394552 100644
--- a/op-mode-definitions/show-raid.xml.in
+++ b/op-mode-definitions/show-raid.xml.in
@@ -9,7 +9,7 @@
<script>${vyos_completion_dir}/list_raidset.sh</script>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_raid.sh $3</command>
+ <command>${vyos_op_scripts_dir}/show_raid.sh $3</command>
</tagNode>
</children>
</node>
diff --git a/op-mode-definitions/show-ssh.xml.in b/op-mode-definitions/show-ssh.xml.in
index ca8e669b3..88faecada 100644
--- a/op-mode-definitions/show-ssh.xml.in
+++ b/op-mode-definitions/show-ssh.xml.in
@@ -11,7 +11,7 @@
<properties>
<help>Show SSH server dynamic-protection blocked attackers</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/ssh.py show_dynamic_protection</command>
+ <command>${vyos_op_scripts_dir}/ssh.py show_dynamic_protection</command>
</node>
<node name="fingerprints">
<properties>
diff --git a/op-mode-definitions/show-system.xml.in b/op-mode-definitions/show-system.xml.in
index 6873b816b..c7b57893f 100644
--- a/op-mode-definitions/show-system.xml.in
+++ b/op-mode-definitions/show-system.xml.in
@@ -95,7 +95,7 @@
<properties>
<help>Show messages in kernel ring buffer</help>
</properties>
- <command>sudo dmesg</command>
+ <command>dmesg</command>
</leafNode>
<node name="login">
<properties>
@@ -155,31 +155,31 @@
<properties>
<help>Show user account information</help>
</properties>
- <command>${vyos_libexec_dir}/vyos-sudo.py ${vyos_op_scripts_dir}/show_users.py</command>
+ <command>${vyos_op_scripts_dir}/show_users.py</command>
<children>
<leafNode name="all">
<properties>
<help>Show information about all accounts</help>
</properties>
- <command>${vyos_libexec_dir}/vyos-sudo.py ${vyos_op_scripts_dir}/show_users.py all</command>
+ <command>${vyos_op_scripts_dir}/show_users.py all</command>
</leafNode>
<leafNode name="locked">
<properties>
<help>Show information about locked accounts</help>
</properties>
- <command>${vyos_libexec_dir}/vyos-sudo.py ${vyos_op_scripts_dir}/show_users.py locked</command>
+ <command>${vyos_op_scripts_dir}/show_users.py locked</command>
</leafNode>
<leafNode name="other">
<properties>
<help>Show information about non VyOS user accounts</help>
</properties>
- <command>${vyos_libexec_dir}/vyos-sudo.py ${vyos_op_scripts_dir}/show_users.py other</command>
+ <command>${vyos_op_scripts_dir}/show_users.py other</command>
</leafNode>
<leafNode name="vyos">
<properties>
<help>Show information about VyOS user accounts</help>
</properties>
- <command>${vyos_libexec_dir}/vyos-sudo.py ${vyos_op_scripts_dir}/show_users.py vyos</command>
+ <command>${vyos_op_scripts_dir}/show_users.py vyos</command>
</leafNode>
</children>
</node>
@@ -195,7 +195,7 @@
<properties>
<help>Show kernel cache information</help>
</properties>
- <command>sudo slabtop -o</command>
+ <command>slabtop -o</command>
</leafNode>
<leafNode name="detail">
<properties>
diff --git a/op-mode-definitions/show-techsupport_report.xml.in b/op-mode-definitions/show-techsupport_report.xml.in
index 4fd6e5d1e..c07cb3c7d 100644
--- a/op-mode-definitions/show-techsupport_report.xml.in
+++ b/op-mode-definitions/show-techsupport_report.xml.in
@@ -17,7 +17,7 @@
<properties>
<help>Show consolidated tech-support report in JSON</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/tech_support.py show --raw</command>
+ <command>${vyos_op_scripts_dir}/tech_support.py show --raw</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/show-version.xml.in b/op-mode-definitions/show-version.xml.in
index 36e68ff79..dc158673d 100644
--- a/op-mode-definitions/show-version.xml.in
+++ b/op-mode-definitions/show-version.xml.in
@@ -6,13 +6,13 @@
<properties>
<help>Show system version information</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/version.py show</command>
+ <command>${vyos_op_scripts_dir}/version.py show</command>
<children>
<leafNode name="funny">
<properties>
<help>Show system version and some fun stuff</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/version.py show --funny</command>
+ <command>${vyos_op_scripts_dir}/version.py show --funny</command>
</leafNode>
<leafNode name="all">
<properties>
diff --git a/op-mode-definitions/suricata.xml.in b/op-mode-definitions/suricata.xml.in
index ff1f84706..74e54fb9c 100644
--- a/op-mode-definitions/suricata.xml.in
+++ b/op-mode-definitions/suricata.xml.in
@@ -6,7 +6,7 @@
<properties>
<help>Update Suricata</help>
</properties>
- <command>if test -f /run/suricata/suricata.yaml; then sudo suricata-update --suricata-conf /run/suricata/suricata.yaml; sudo systemctl restart suricata; else echo "Service Suricata not configured"; fi </command>
+ <command>${vyos_op_scripts_dir}/update_suricata.sh</command>
</node>
</children>
</node>
@@ -16,7 +16,7 @@
<properties>
<help>Restart Suricata service</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart.py restart_service --name suricata</command>
+ <command>${vyos_op_scripts_dir}/restart.py restart_service --name suricata</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/system-image.xml.in b/op-mode-definitions/system-image.xml.in
index 847029dcd..acd634286 100644
--- a/op-mode-definitions/system-image.xml.in
+++ b/op-mode-definitions/system-image.xml.in
@@ -17,7 +17,7 @@
<list>/path/to/vyos-image.iso "http://example.com/vyos-image.iso" latest</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/image_installer.py --action add --image-path "${4}"</command>
+ <command>${vyos_op_scripts_dir}/image_installer.py --action add --image-path "${4}"</command>
<children>
<tagNode name="vrf">
<properties>
@@ -26,7 +26,7 @@
<path>vrf name</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/image_installer.py --action add --image-path "${4}" --vrf "${6}"</command>
+ <command>${vyos_op_scripts_dir}/image_installer.py --action add --image-path "${4}" --vrf "${6}"</command>
<children>
<tagNode name="username">
<properties>
@@ -37,7 +37,7 @@
<properties>
<help>Password to use with authentication</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/image_installer.py --action add --image-path "${4}" --vrf "${6}" --username "${8}" --password "${10}"</command>
+ <command>${vyos_op_scripts_dir}/image_installer.py --action add --image-path "${4}" --vrf "${6}" --username "${8}" --password "${10}"</command>
</tagNode>
</children>
</tagNode>
@@ -52,7 +52,7 @@
<properties>
<help>Password to use with authentication</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/image_installer.py --action add --image-path "${4}" --username "${6}" --password "${8}"</command>
+ <command>${vyos_op_scripts_dir}/image_installer.py --action add --image-path "${4}" --username "${6}" --password "${8}"</command>
</tagNode>
</children>
</tagNode>
@@ -76,10 +76,10 @@
<properties>
<help>Set system console type at boot</help>
<completionHelp>
- <script>sudo ${vyos_op_scripts_dir}/image_manager.py --action list_console_types</script>
+ <script>${vyos_op_scripts_dir}/image_manager.py --action list_console_types</script>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/image_manager.py --action set_console_type --console-type "${4}"</command>
+ <command>${vyos_op_scripts_dir}/image_manager.py --action set_console_type --console-type "${4}"</command>
</tagNode>
<node name="image">
<properties>
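Review bot: The `sudo` removal on the `<script>` line inside `<completionHelp>` is a different case from the `<command>` lines: completion scripts are, as far as I can tell, executed by the interactive shell during tab completion rather than through the op-mode command executor, so if `image_manager.py --action list_console_types` needs privileges to enumerate images or boot configuration, completion will silently return nothing for an unprivileged user even though the command itself still works. Please confirm the completion path runs with the needed rights, or keep privilege handling for `<script>` entries separate from the command-level change. The same applies to the other `image_manager.py --action list` completion scripts in this file (hunks at -90, -134 and -163) and to `list_ipsec_profile_tunnels.py` in vpn-ipsec.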
@@ -90,16 +90,16 @@
<properties>
<help>Set default image to boot.</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/image_manager.py --action set</command>
+ <command>${vyos_op_scripts_dir}/image_manager.py --action set</command>
</node>
<tagNode name="default-boot">
<properties>
<help>Set default image to boot.</help>
<completionHelp>
- <script>sudo ${vyos_op_scripts_dir}/image_manager.py --action list</script>
+ <script>${vyos_op_scripts_dir}/image_manager.py --action list</script>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/image_manager.py --action set --image-name "${5}"</command>
+ <command>${vyos_op_scripts_dir}/image_manager.py --action set --image-name "${5}"</command>
</tagNode>
</children>
</node>
@@ -116,7 +116,7 @@
<properties>
<help>Install new system image to hard drive</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/image_installer.py --action install</command>
+ <command>${vyos_op_scripts_dir}/image_installer.py --action install</command>
</node>
</children>
</node>
@@ -134,16 +134,16 @@
<properties>
<help>Remove an installed image from the system</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/image_manager.py --action delete</command>
+ <command>${vyos_op_scripts_dir}/image_manager.py --action delete</command>
</node>
<tagNode name="image">
<properties>
<help>Remove an installed image from the system</help>
<completionHelp>
- <script>sudo ${vyos_op_scripts_dir}/image_manager.py --action list</script>
+ <script>${vyos_op_scripts_dir}/image_manager.py --action list</script>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/image_manager.py --action delete --image-name "${4}"</command>
+ <command>${vyos_op_scripts_dir}/image_manager.py --action delete --image-name "${4}"</command>
</tagNode>
</children>
</node>
@@ -163,7 +163,7 @@
<properties>
<help>System image to rename</help>
<completionHelp>
- <script>sudo ${vyos_op_scripts_dir}/image_manager.py --action list</script>
+ <script>${vyos_op_scripts_dir}/image_manager.py --action list</script>
</completionHelp>
</properties>
<children>
@@ -171,7 +171,7 @@
<properties>
<help>A new name for an image</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/image_manager.py --action rename --image-name "${4}" --image-new-name "${6}"</command>
+ <command>${vyos_op_scripts_dir}/image_manager.py --action rename --image-name "${4}" --image-new-name "${6}"</command>
</tagNode>
</children>
</tagNode>
@@ -199,7 +199,7 @@
<properties>
<help>Show details about installed VyOS images</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/image_info.py show_images_details</command>
+ <command>${vyos_op_scripts_dir}/image_info.py show_images_details</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/terminal.xml.in b/op-mode-definitions/terminal.xml.in
index 2a76de146..25b0dc046 100644
--- a/op-mode-definitions/terminal.xml.in
+++ b/op-mode-definitions/terminal.xml.in
@@ -49,7 +49,7 @@
<properties>
<help>Reconfigure console keyboard layout</help>
</properties>
- <command>sudo dpkg-reconfigure -f dialog keyboard-configuration &amp;&amp; sudo systemctl restart keyboard-setup</command>
+ <command>dpkg-reconfigure -f dialog keyboard-configuration &amp;&amp; systemctl restart keyboard-setup</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/vpn-ipsec.xml.in b/op-mode-definitions/vpn-ipsec.xml.in
index 0a8671aeb..af7f12ba8 100644
--- a/op-mode-definitions/vpn-ipsec.xml.in
+++ b/op-mode-definitions/vpn-ipsec.xml.in
@@ -24,7 +24,7 @@
<properties>
<help>Reset a specific tunnel for given DMVPN profile</help>
<completionHelp>
- <script>sudo ${vyos_completion_dir}/list_ipsec_profile_tunnels.py --profile ${COMP_WORDS[4]}</script>
+ <script>${vyos_completion_dir}/list_ipsec_profile_tunnels.py --profile ${COMP_WORDS[4]}</script>
</completionHelp>
</properties>
<children>
@@ -35,10 +35,10 @@
<list>&lt;x.x.x.x&gt; &lt;h:h:h:h:h:h:h:h&gt;</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/ipsec.py reset_profile_dst --profile="$5" --tunnel="$7" --nbma-dst="$9"</command>
+ <command>${vyos_op_scripts_dir}/ipsec.py reset_profile_dst --profile="$5" --tunnel="$7" --nbma-dst="$9"</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/ipsec.py reset_profile_all --profile="$5" --tunnel="$7"</command>
+ <command>${vyos_op_scripts_dir}/ipsec.py reset_profile_all --profile="$5" --tunnel="$7"</command>
</tagNode>
</children>
</tagNode>
@@ -51,13 +51,13 @@
<properties>
<help>Reset all users current remote access IPSec VPN sessions</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/ipsec.py reset_ra</command>
+ <command>${vyos_op_scripts_dir}/ipsec.py reset_ra</command>
</node>
<tagNode name="user">
<properties>
<help>Reset specified user current remote access IPsec VPN session(s)</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/ipsec.py reset_ra --user="$6"</command>
+ <command>${vyos_op_scripts_dir}/ipsec.py reset_ra --user="$6"</command>
</tagNode>
</children>
</node>
@@ -70,7 +70,7 @@
<properties>
<help>Reset all site-to-site IPSec VPN sessions</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/ipsec.py reset_all_peers</command>
+ <command>${vyos_op_scripts_dir}/ipsec.py reset_all_peers</command>
</node>
<tagNode name="peer">
<properties>
@@ -87,16 +87,16 @@
<path>vpn ipsec site-to-site peer ${COMP_WORDS[5]} tunnel</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/ipsec.py reset_peer --peer="$6" --tunnel="$8"</command>
+ <command>${vyos_op_scripts_dir}/ipsec.py reset_peer --peer="$6" --tunnel="$8"</command>
</tagNode>
<node name="vti">
<properties>
<help>Reset the VTI tunnel for given peer</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/ipsec.py reset_peer --peer="$6" --tunnel="vti"</command>
+ <command>${vyos_op_scripts_dir}/ipsec.py reset_peer --peer="$6" --tunnel="vti"</command>
</node>
</children>
- <command>sudo ${vyos_op_scripts_dir}/ipsec.py reset_peer --peer="$6"</command>
+ <command>${vyos_op_scripts_dir}/ipsec.py reset_peer --peer="$6"</command>
</tagNode>
</children>
</node>
@@ -112,7 +112,7 @@
<properties>
<help>Restart the IPsec VPN process</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart.py restart_service --name ipsec</command>
+ <command>${vyos_op_scripts_dir}/restart.py restart_service --name ipsec</command>
</node>
</children>
</node>
@@ -140,13 +140,13 @@
<properties>
<help>Show debug information for peer tunnel</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="vpn-debug" --name="$5" --tunnel="$7"</command>
+ <command>${vyos_op_scripts_dir}/vpn_ipsec.py --action="vpn-debug" --name="$5" --tunnel="$7"</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="vpn-debug" --name="$5" --tunnel="all"</command>
+ <command>${vyos_op_scripts_dir}/vpn_ipsec.py --action="vpn-debug" --name="$5" --tunnel="all"</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="vpn-debug" --name="all"</command>
+ <command>${vyos_op_scripts_dir}/vpn_ipsec.py --action="vpn-debug" --name="all"</command>
</node>
<node name="ike">
<properties>
@@ -162,16 +162,16 @@
<properties>
<help>Show all currently active IKE Security Associations (SA) that are using NAT Traversal</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/vpn_ike_sa.py --nat="yes"</command>
+ <command>${vyos_op_scripts_dir}/vpn_ike_sa.py --nat="yes"</command>
</node>
<tagNode name="peer">
<properties>
<help>Show all currently active IKE Security Associations (SA) for a peer</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/vpn_ike_sa.py --peer="$6"</command>
+ <command>${vyos_op_scripts_dir}/vpn_ike_sa.py --peer="$6"</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/vpn_ike_sa.py</command>
+ <command>${vyos_op_scripts_dir}/vpn_ike_sa.py</command>
</node>
<node name="secrets">
<properties>
@@ -183,7 +183,7 @@
<properties>
<help>Show summary of IKE process information</help>
</properties>
- <command>if systemctl is-active --quiet strongswan ; then systemctl status strongswan ; else echo "Process is not running" ; fi</command>
+ <command>systemctl status strongswan</command>
</node>
</children>
</node>
@@ -196,13 +196,13 @@
<properties>
<help>Show VPN connections</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/ipsec.py show_connections</command>
+ <command>${vyos_op_scripts_dir}/ipsec.py show_connections</command>
</node>
<node name="policy">
<properties>
<help>Show the in-kernel crypto policies</help>
</properties>
- <command>sudo ip xfrm policy list</command>
+ <command>ip xfrm policy list</command>
</node>
<node name="remote-access">
<properties>
@@ -213,25 +213,25 @@
<properties>
<help>Show detail active IKEv2 RA sessions</help>
</properties>
- <command>if systemctl is-active --quiet strongswan ; then sudo ${vyos_op_scripts_dir}/ipsec.py show_ra_detail; else echo "IPsec process not running" ; fi</command>
+ <command>${vyos_op_scripts_dir}/ipsec.py show_ra_detail</command>
</node>
<tagNode name="connection-id">
<properties>
<help>Show detail active IKEv2 RA sessions by connection-id</help>
</properties>
- <command>if systemctl is-active --quiet strongswan ; then sudo ${vyos_op_scripts_dir}/ipsec.py show_ra_detail --conn-id="$6"; else echo "IPsec process not running" ; fi</command>
+ <command>${vyos_op_scripts_dir}/ipsec.py show_ra_detail --conn-id="$6"</command>
</tagNode>
<node name="summary">
<properties>
<help>Show active IKEv2 RA sessions summary</help>
</properties>
- <command>if systemctl is-active --quiet strongswan ; then sudo ${vyos_op_scripts_dir}/ipsec.py show_ra_summary; else echo "IPsec process not running" ; fi</command>
+ <command>${vyos_op_scripts_dir}/ipsec.py show_ra_summary; else echo "IPsec process not running"</command>
</node>
<tagNode name="username">
<properties>
<help>Show detail active IKEv2 RA sessions by username</help>
</properties>
- <command>if systemctl is-active --quiet strongswan ; then sudo ${vyos_op_scripts_dir}/ipsec.py show_ra_detail --username="$6"; else echo "IPsec process not running" ; fi</command>
+ <command>${vyos_op_scripts_dir}/ipsec.py show_ra_detail --username="$6"</command>
</tagNode>
</children>
</node>
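Review bot: The `summary` node's new command still contains a fragment of the removed guard, `show_ra_summary; else echo "IPsec process not running"`, which is a shell syntax error (`else` without a matching `if`) and will break `show vpn ipsec remote-access summary`. The three sibling nodes in this hunk dropped the guard cleanly, so this one should read `<command>${vyos_op_scripts_dir}/ipsec.py show_ra_summary</command>`. If the "process not running" message is still wanted, it would now belong inside ipsec.py rather than in the XML.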
@@ -268,24 +268,24 @@
-->
<node name="detail">
<properties>
- <help>Show Verbose Detail on all active IPsec Security Associations (SA)</help>
+ <help>Show verbose details on all active IPsec security associations (SA)</help>
</properties>
- <command>if systemctl is-active --quiet strongswan ; then sudo ${vyos_op_scripts_dir}/ipsec.py show_sa_detail ; else echo "IPsec process not running" ; fi</command>
+ <command>${vyos_op_scripts_dir}/ipsec.py show_sa_detail</command>
</node>
</children>
- <command>if systemctl is-active --quiet strongswan ; then sudo ${vyos_op_scripts_dir}/ipsec.py show_sa ; else echo "IPsec process not running" ; fi</command>
+ <command>${vyos_op_scripts_dir}/ipsec.py show_sa</command>
</node>
<node name="state">
<properties>
<help>Show the in-kernel crypto state</help>
</properties>
- <command>sudo ip xfrm state list</command>
+ <command>ip xfrm state list</command>
</node>
<node name="status">
<properties>
<help>Show status of IPsec process</help>
</properties>
- <command>if systemctl is-active --quiet strongswan >/dev/null ; then echo -e "IPsec Process Running: $(pgrep charon)\n$(sudo /usr/sbin/ipsec status)" ; else echo "IPsec process not running" ; fi</command>
+ <command>/usr/sbin/ipsec status</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/vrrp.xml.in b/op-mode-definitions/vrrp.xml.in
index fb777b2e4..ae204602f 100644
--- a/op-mode-definitions/vrrp.xml.in
+++ b/op-mode-definitions/vrrp.xml.in
@@ -11,13 +11,13 @@
<properties>
<help>Show VRRP statistics</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/vrrp.py show_statistics --group-name="$3"</command>
+ <command>${vyos_op_scripts_dir}/vrrp.py show_statistics --group-name="$3"</command>
</node>
<node name="detail">
<properties>
<help>Show detailed VRRP state information</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/vrrp.py show_detail --group-name="$3"</command>
+ <command>${vyos_op_scripts_dir}/vrrp.py show_detail --group-name="$3"</command>
</node>
</children>
</tagNode>
@@ -25,19 +25,19 @@
<properties>
<help>Show VRRP (Virtual Router Redundancy Protocol) information</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/vrrp.py show_summary</command>
+ <command>${vyos_op_scripts_dir}/vrrp.py show_summary</command>
<children>
<node name="statistics">
<properties>
<help>Show VRRP statistics</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/vrrp.py show_statistics</command>
+ <command>${vyos_op_scripts_dir}/vrrp.py show_statistics</command>
</node>
<node name="detail">
<properties>
<help>Show detailed VRRP state information</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/vrrp.py show_detail</command>
+ <command>${vyos_op_scripts_dir}/vrrp.py show_detail</command>
</node>
</children>
</node>
@@ -49,7 +49,7 @@
<properties>
<help>Restart VRRP (Virtual Router Redundancy Protocol) process</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart.py restart_service --name vrrp</command>
+ <command>${vyos_op_scripts_dir}/restart.py restart_service --name vrrp</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/wake-on-lan.xml.in b/op-mode-definitions/wake-on-lan.xml.in
index d4589c868..bec12dae6 100644
--- a/op-mode-definitions/wake-on-lan.xml.in
+++ b/op-mode-definitions/wake-on-lan.xml.in
@@ -19,7 +19,7 @@
<properties>
<help>Station (MAC) address to wake up</help>
</properties>
- <command>sudo /usr/sbin/etherwake -i "$4" "$6"</command>
+ <command>/usr/sbin/etherwake -i "$4" "$6"</command>
</tagNode>
</children>
</tagNode>
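Review bot: `/usr/sbin/etherwake` sends on a raw Ethernet socket, which needs root or CAP_NET_RAW, so the new unprivileged command line only works if the op-mode wrapper itself already runs with elevated rights or the binary carries that capability; this is worth confirming on a built image before merging. The same assumption underlies the other sudo removals in this series, notably the unprivileged `tail`/`less` on `/var/log/squid/*.log` in webproxy.xml.in and `ip xfrm state list` in the IPsec definitions, which now depend on the invoking user's permissions on those files and netlink interfaces. If the privilege model changed elsewhere in this commit, a one-line note in the commit description saying where would save the next reader the search.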
diff --git a/op-mode-definitions/webproxy.xml.in b/op-mode-definitions/webproxy.xml.in
index ba13907b8..76c348f9d 100644
--- a/op-mode-definitions/webproxy.xml.in
+++ b/op-mode-definitions/webproxy.xml.in
@@ -14,13 +14,13 @@
<properties>
<help>Monitor the last lines of the Webproxy access log</help>
</properties>
- <command>if [ -f /var/log/squid/access.log ]; then sudo tail --follow=name /var/log/squid/access.log; else echo "WebProxy access-log does not exist"; fi</command>
+ <command>if [ -f /var/log/squid/access.log ]; then tail --follow=name /var/log/squid/access.log; else echo "WebProxy access-log does not exist"; fi</command>
</leafNode>
<leafNode name="cache-log">
<properties>
<help>Monitor the last lines of the Webproxy cache log</help>
</properties>
- <command>if [ -f /var/log/squid/cache.log ]; then sudo tail --follow=name /var/log/squid/cache.log; else echo "WebProxy cache-log does not exist"; fi</command>
+ <command>if [ -f /var/log/squid/cache.log ]; then tail --follow=name /var/log/squid/cache.log; else echo "WebProxy cache-log does not exist"; fi</command>
</leafNode>
</children>
</node>
@@ -34,7 +34,7 @@
<properties>
<help>Restart WebProxy service</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/restart.py restart_service --name webproxy</command>
+ <command>${vyos_op_scripts_dir}/restart.py restart_service --name webproxy</command>
</node>
</children>
</node>
@@ -63,7 +63,7 @@
<properties>
<help>Show contents of WebProxy access log</help>
</properties>
- <command>if [ -e /var/log/squid/access.log ]; then sudo less $_vyatta_less_options --prompt="file %i of %m, page %dt of %D" -- `printf "%s\n" /var/log/squid/access.log* | sort -nr`; else echo "No WebProxy log"; fi</command>
+ <command>if [ -e /var/log/squid/access.log ]; then less $_vyatta_less_options --prompt="file %i of %m, page %dt of %D" -- `printf "%s\n" /var/log/squid/access.log* | sort -nr`; else echo "No WebProxy log"; fi</command>
</node>
<node name="update-log">
<properties>
@@ -86,7 +86,7 @@
<properties>
<help>Update the webproxy blacklist database</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/webproxy_update_blacklist.sh --update-blacklist</command>
+ <command>${vyos_op_scripts_dir}/webproxy_update_blacklist.sh --update-blacklist</command>
<children>
<tagNode name="vrf">
<properties>
@@ -95,7 +95,7 @@
<path>vrf name</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/webproxy_update_blacklist.sh --update-blacklist --vrf "${5}" </command>
+ <command>${vyos_op_scripts_dir}/webproxy_update_blacklist.sh --update-blacklist --vrf "${5}" </command>
</tagNode>
</children>
</node>
diff --git a/python/vyos/config_mgmt.py b/python/vyos/config_mgmt.py
index dd8910afb..23eb3666e 100644
--- a/python/vyos/config_mgmt.py
+++ b/python/vyos/config_mgmt.py
@@ -44,6 +44,7 @@ from vyos.utils.io import ask_yes_no
from vyos.utils.boot import boot_configuration_complete
from vyos.utils.process import is_systemd_service_active
from vyos.utils.process import rc_cmd
+from vyos.defaults import DEFAULT_COMMIT_CONFIRM_MINUTES
SAVE_CONFIG = '/usr/libexec/vyos/vyos-save-config.py'
config_json = '/run/vyatta/config/config.json'
@@ -56,7 +57,6 @@ commit_hooks = {
'commit_archive': '02vyos-commit-archive',
}
-DEFAULT_TIME_MINUTES = 10
timer_name = 'commit-confirm'
config_file = os.path.join(directories['config'], 'config.boot')
@@ -144,14 +144,16 @@ class ConfigMgmt:
['system', 'config-management'],
key_mangling=('-', '_'),
get_first_key=True,
- with_defaults=True,
+ with_recursive_defaults=True,
)
self.max_revisions = int(d.get('commit_revisions', 0))
self.num_revisions = 0
self.locations = d.get('commit_archive', {}).get('location', [])
self.source_address = d.get('commit_archive', {}).get('source_address', '')
- self.reboot_unconfirmed = bool(d.get('commit_confirm') == 'reboot')
+ self.reboot_unconfirmed = bool(
+ d.get('commit_confirm', {}).get('action') == 'reboot'
+ )
self.config_dict = d
if config.exists(['system', 'host-name']):
@@ -181,7 +183,7 @@ class ConfigMgmt:
# Console script functions
#
def commit_confirm(
- self, minutes: int = DEFAULT_TIME_MINUTES, no_prompt: bool = False
+ self, minutes: int = DEFAULT_COMMIT_CONFIRM_MINUTES, no_prompt: bool = False
) -> Tuple[str, int]:
"""Commit with reload/reboot to saved config in 'minutes' minutes if
'confirm' call is not issued.
@@ -805,7 +807,7 @@ def run():
'-t',
dest='minutes',
type=int,
- default=DEFAULT_TIME_MINUTES,
+ default=DEFAULT_COMMIT_CONFIRM_MINUTES,
help="Minutes until reboot, unless 'confirm'",
)
commit_confirm.add_argument(
diff --git a/python/vyos/configsession.py b/python/vyos/configsession.py
index 1b19c68b4..f0d636b89 100644
--- a/python/vyos/configsession.py
+++ b/python/vyos/configsession.py
@@ -25,6 +25,7 @@ from vyos.utils.boot import boot_configuration_complete
from vyos.utils.backend import vyconf_backend
from vyos.vyconf_session import VyconfSession
from vyos.base import Warning as Warn
+from vyos.defaults import DEFAULT_COMMIT_CONFIRM_MINUTES
CLI_SHELL_API = '/bin/cli-shell-api'
@@ -32,10 +33,13 @@ SET = '/opt/vyatta/sbin/my_set'
DELETE = '/opt/vyatta/sbin/my_delete'
COMMENT = '/opt/vyatta/sbin/my_comment'
COMMIT = '/opt/vyatta/sbin/my_commit'
+COMMIT_CONFIRM = ['/usr/bin/config-mgmt', 'commit_confirm', '-y']
+CONFIRM = ['/usr/bin/config-mgmt', 'confirm']
DISCARD = '/opt/vyatta/sbin/my_discard'
SHOW_CONFIG = ['/bin/cli-shell-api', 'showConfig']
LOAD_CONFIG = ['/bin/cli-shell-api', 'loadFile']
MIGRATE_LOAD_CONFIG = ['/usr/libexec/vyos/vyos-load-config.py']
+MERGE_CONFIG = ['/usr/libexec/vyos/vyos-merge-config.py']
SAVE_CONFIG = ['/usr/libexec/vyos/vyos-save-config.py']
INSTALL_IMAGE = [
'/usr/libexec/vyos/op_mode/image_installer.py',
@@ -68,6 +72,7 @@ GENERATE = ['/opt/vyatta/bin/vyatta-op-cmd-wrapper', 'generate']
SHOW = ['/opt/vyatta/bin/vyatta-op-cmd-wrapper', 'show']
RESET = ['/opt/vyatta/bin/vyatta-op-cmd-wrapper', 'reset']
REBOOT = ['/opt/vyatta/bin/vyatta-op-cmd-wrapper', 'reboot']
+RENEW = ['/opt/vyatta/bin/vyatta-op-cmd-wrapper', 'renew']
POWEROFF = ['/opt/vyatta/bin/vyatta-op-cmd-wrapper', 'poweroff']
OP_CMD_ADD = ['/opt/vyatta/bin/vyatta-op-cmd-wrapper', 'add']
OP_CMD_DELETE = ['/opt/vyatta/bin/vyatta-op-cmd-wrapper', 'delete']
@@ -298,6 +303,22 @@ class ConfigSession(object):
return out
+ def commit_confirm(self, minutes: int = DEFAULT_COMMIT_CONFIRM_MINUTES):
+ if self._vyconf_session is None:
+ out = self.__run_command(COMMIT_CONFIRM + [f'-t {minutes}'])
+ else:
+ out = 'unimplemented'
+
+ return out
+
+ def confirm(self):
+ if self._vyconf_session is None:
+ out = self.__run_command(CONFIRM)
+ else:
+ out = 'unimplemented'
+
+ return out
+
def discard(self):
if self._vyconf_session is None:
self.__run_command([DISCARD])
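Review bot: `COMMIT_CONFIRM + [f'-t {minutes}']` passes the option and its value as a single argv element, so the `-t` option of config-mgmt receives the string ` 10` and only parses because `int()` tolerates leading whitespace (assuming __run_command forwards the list to a subprocess without a shell). Pass them as separate arguments, `out = self.__run_command(COMMIT_CONFIRM + ['-t', str(minutes)])`, which keeps working if the option's type or parser ever changes. The new commit_confirm, confirm and merge_config methods also have no docstrings; commit_confirm should at least say that minutes is forwarded to config-mgmt and that the vyconf backend currently returns the literal string 'unimplemented' rather than raising.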
@@ -338,6 +359,14 @@ class ConfigSession(object):
return out
+ def merge_config(self, file_path):
+ if self._vyconf_session is None:
+ out = self.__run_command(MERGE_CONFIG + [file_path])
+ else:
+ out = 'unimplemented'
+
+ return out
+
def save_config(self, file_path):
if self._vyconf_session is None:
out = self.__run_command(SAVE_CONFIG + [file_path])
@@ -384,6 +413,10 @@ class ConfigSession(object):
out = self.__run_command(RESET + path)
return out
+ def renew(self, path):
+ out = self.__run_command(RENEW + path)
+ return out
+
def poweroff(self, path):
out = self.__run_command(POWEROFF + path)
return out
diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py
index d5f443f15..07eb29a68 100644
--- a/python/vyos/configverify.py
+++ b/python/vyos/configverify.py
@@ -527,6 +527,25 @@ def verify_pki_dh_parameters(config: dict, dh_name: str, min_key_size: int=0):
if dh_bits < min_key_size:
raise ConfigError(f'Minimum DH key-size is {min_key_size} bits!')
+def verify_pki_openssh_key(config: dict, key_name: str):
+ """
+ Common helper function user by PKI consumers to perform recurring
+ validation functions on OpenSSH keys
+ """
+ if 'pki' not in config:
+ raise ConfigError('PKI is not configured!')
+
+ if 'openssh' not in config['pki']:
+ raise ConfigError('PKI does not contain any OpenSSH keys!')
+
+ if key_name not in config['pki']['openssh']:
+ raise ConfigError(f'OpenSSH key "{key_name}" not found in configuration!')
+
+ if 'public' in config['pki']['openssh'][key_name]:
+ if not {'key', 'type'} <= set(config['pki']['openssh'][key_name]['public']):
+ raise ConfigError('Both public key and type must be defined for '\
+ f'OpenSSH public key "{key_name}"!')
+
def verify_eapol(config: dict):
"""
Common helper function used by interface implementations to perform
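Review bot: The docstring of the new verify_pki_openssh_key reads "Common helper function user by PKI consumers"; it should be "used by". Beyond the typo, a key entry with no `public` node at all passes every check here, because the `'public' in ...` test only guards the type/key consistency check; a consumer that needs a public key (the trusted-user-ca path added in this commit) then gets a later, less specific failure instead of a ConfigError. Either state in the docstring that absence of `public` is accepted by this helper, or raise when it is missing if no consumer legitimately configures a private-only entry.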
diff --git a/python/vyos/defaults.py b/python/vyos/defaults.py
index fbde0298b..f84b14040 100644
--- a/python/vyos/defaults.py
+++ b/python/vyos/defaults.py
@@ -53,6 +53,10 @@ internal_ports = {
'certbot_haproxy' : 65080, # Certbot running behing haproxy
}
+config_files = {
+ 'sshd_user_ca' : '/run/sshd/trusted_user_ca',
+}
+
config_status = '/tmp/vyos-config-status'
api_config_state = '/run/http-api-state'
frr_debug_enable = '/tmp/vyos.frr.debug'
@@ -69,8 +73,8 @@ config_default = os.path.join(directories['data'], 'config.boot.default')
rt_symbolic_names = {
# Standard routing tables for Linux & reserved IDs for VyOS
- 'default': 253, # Confusingly, a final fallthru, not the default.
- 'main': 254, # The actual global table used by iproute2 unless told otherwise.
+ 'default': 253, # Confusingly, a final fallthru, not the default.
+ 'main': 254, # The actual global table used by iproute2 unless told otherwise.
'local': 255, # Special kernel loopback table.
}
@@ -78,3 +82,9 @@ rt_global_vrf = rt_symbolic_names['main']
rt_global_table = rt_symbolic_names['main']
vyconfd_conf = '/etc/vyos/vyconfd.conf'
+
+DEFAULT_COMMIT_CONFIRM_MINUTES = 10
+
+commit_hooks = {'pre': '/etc/commit/pre-hooks.d',
+ 'post': '/etc/commit/post-hooks.d'
+ }
diff --git a/python/vyos/template.py b/python/vyos/template.py
index aa215db95..bf7928914 100755
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -1079,7 +1079,7 @@ def vyos_defined(value, test_value=None, var_type=None):
def get_default_port(service):
"""
Jinja2 plugin to retrieve common service port number from vyos.defaults
- class form a Jinja2 template. This removes the need to hardcode, or pass in
+ class from a Jinja2 template. This removes the need to hardcode, or pass in
the data using the general dictionary.
Added to remove code complexity and make it easier to read.
@@ -1092,3 +1092,21 @@ def get_default_port(service):
raise RuntimeError(f'Service "{service}" not found in internal ' \
'vyos.defaults.internal_ports dict!')
return internal_ports[service]
+
+@register_clever_function('get_default_config_file')
+def get_default_config_file(filename):
+ """
+ Jinja2 plugin to retrieve a common configuration file path from
+ vyos.defaults class from a Jinja2 template. This removes the need to
+ hardcode, or pass in the data using the general dictionary.
+
+ Added to remove code complexity and make it easier to read.
+
+ Example:
+ {{ get_default_config_file('certbot_haproxy') }}
+ """
+ from vyos.defaults import config_files
+ if filename not in config_files:
+ raise RuntimeError(f'Configuration file "(unknown)" not found in '\
+ 'internal vyos.defaults.config_files dict!')
+ return config_files[filename]
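Review bot: The error message in the new get_default_config_file is an f-string with no placeholder, so it never names the key that was not found; mirror get_default_port with `raise RuntimeError(f'Configuration file "{filename}" not found in ' 'internal vyos.defaults.config_files dict!')`. The docstring example also uses 'certbot_haproxy', which is an internal_ports key rather than a config_files key; the only key defined in this commit is 'sshd_user_ca', so the example should read `{{ get_default_config_file('sshd_user_ca') }}`.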
diff --git a/python/vyos/utils/commit.py b/python/vyos/utils/commit.py
index 9167c78d2..fc259dadb 100644
--- a/python/vyos/utils/commit.py
+++ b/python/vyos/utils/commit.py
@@ -101,3 +101,30 @@ def release_commit_lock_file(file_descr):
return
fcntl.lockf(file_descr, fcntl.LOCK_UN)
file_descr.close()
+
+
+def call_commit_hooks(which: str):
+ import re
+ import os
+ from pathlib import Path
+ from vyos.defaults import commit_hooks
+ from vyos.utils.process import rc_cmd
+
+ if which not in list(commit_hooks):
+ raise ValueError(f'no entry {which} in commit_hooks')
+
+ hook_dir = commit_hooks[which]
+ file_list = list(Path(hook_dir).glob('*'))
+ regex = re.compile('^[a-zA-Z0-9._-]+$')
+ hook_list = sorted([str(f) for f in file_list if regex.match(f.name)])
+ err = False
+ out = ''
+ for runf in hook_list:
+ try:
+ e, o = rc_cmd(runf)
+ except FileNotFoundError:
+ continue
+ err = err | bool(e)
+ out = out + o
+
+ return out, int(err)
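Review bot: call_commit_hooks hands every directory entry whose name matches the regex to rc_cmd without checking that it is a regular executable file, so a subdirectory or a non-executable file in the hook directory fails inside rc_cmd with something other than the FileNotFoundError that is caught (assuming rc_cmd surfaces the OSError from subprocess at all rather than a shell exit code). Filtering the candidates fixes that and gives the otherwise-unused `os` import a purpose: `hook_list = sorted(str(f) for f in file_list` / `if regex.match(f.name) and f.is_file() and os.access(f, os.X_OK))`. The function also deserves a docstring stating that hooks execute with whatever privilege the commit process holds, so both hook directories must be writable only by root, and that the returned int is 1 if any hook exited non-zero. `list(commit_hooks)` in the membership test can simply be `commit_hooks`.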
diff --git a/python/vyos/utils/file.py b/python/vyos/utils/file.py
index eaebb57a3..cc46d77d1 100644
--- a/python/vyos/utils/file.py
+++ b/python/vyos/utils/file.py
@@ -28,22 +28,28 @@ def file_is_persistent(path):
absolute = os.path.abspath(os.path.dirname(path))
return re.match(location,absolute)
-def read_file(fname, defaultonfailure=None):
+def read_file(fname, defaultonfailure=None, sudo=False):
"""
read the content of a file, stripping any end characters (space, newlines)
should defaultonfailure be not None, it is returned on failure to read
"""
try:
- """ Read a file to string """
- with open(fname, 'r') as f:
- data = f.read().strip()
- return data
+ # Some files can only be read by root - emulate sudo cat call
+ if sudo:
+ from vyos.utils.process import cmd
+ data = cmd(['sudo', 'cat', fname])
+ else:
+ # If not sudo, just read the file
+ with open(fname, 'r') as f:
+ data = f.read()
+ return data.strip()
except Exception as e:
if defaultonfailure is not None:
return defaultonfailure
raise e
-def write_file(fname, data, defaultonfailure=None, user=None, group=None, mode=None, append=False):
+def write_file(fname, data, defaultonfailure=None, user=None, group=None,
+ mode=None, append=False, trailing_newline=False):
"""
Write content of data to given fname, should defaultonfailure be not None,
it is returned on failure to read.
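Review bot: The docstring of read_file is not updated for the new sudo parameter, and the same applies to trailing_newline on write_file in the next hunk. Suggested wording for read_file: `sudo: read the file via 'sudo cat' for root-only files; pass only fixed, code-owned paths here, since the helper grants root read access to whatever path it is given`. Note also that with defaultonfailure set, the broad `except Exception` now turns a failed sudo invocation (no sudoers entry, or the cmd helper raising on non-zero exit) into the default value exactly like a missing file, which will be hard to tell apart when debugging; narrowing to the exception types cmd actually raises would help if they are known.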
@@ -60,6 +66,9 @@ def write_file(fname, data, defaultonfailure=None, user=None, group=None, mode=N
bytes = 0
with open(fname, 'w' if not append else 'a') as f:
bytes = f.write(data)
+ if trailing_newline and not data.endswith('\n'):
+ f.write('\n')
+ bytes += 1
chown(fname, user, group)
chmod(fname, mode)
return bytes
diff --git a/python/vyos/vyconf_session.py b/python/vyos/vyconf_session.py
index 4250f0cfb..3cf847b6c 100644
--- a/python/vyos/vyconf_session.py
+++ b/python/vyos/vyconf_session.py
@@ -29,6 +29,7 @@ from vyos.utils.session import in_config_session
from vyos.proto.vyconf_proto import Errnum
from vyos.utils.commit import acquire_commit_lock_file
from vyos.utils.commit import release_commit_lock_file
+from vyos.utils.commit import call_commit_hooks
class VyconfSessionError(Exception):
@@ -145,10 +146,14 @@ class VyconfSession:
if lock_fd is None:
return out, Errnum.COMMIT_IN_PROGRESS
+ pre_out, _ = call_commit_hooks('pre')
out = vyconf_client.send_request('commit', token=self.__token)
+ os.environ['COMMIT_STATUS'] = 'FAILURE' if out.status else 'SUCCESS'
+ post_out, _ = call_commit_hooks('post')
+
release_commit_lock_file(lock_fd)
- return self.output(out), out.status
+ return pre_out + self.output(out) + post_out, out.status
@raise_exception
@config_mode
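Review bot: The error flag returned by call_commit_hooks is discarded in both calls (`pre_out, _` and `post_out, _`), so a pre-hook that exits non-zero neither prevents the commit nor appears in the returned status; if hooks are meant to be advisory, a comment should say so, otherwise the pre-hook result should be checked before send_request. `os.environ['COMMIT_STATUS']` is also written into the long-lived process environment and is inherited by every later subprocess, not only the post hooks; passing it through the hook call (an env argument to call_commit_hooks) would scope it. The hunk does not show an `import os` for this module, so confirm one exists. The enclosing method starts outside the hunk.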
diff --git a/smoketest/config-tests/conntrack-basic b/smoketest/config-tests/conntrack-basic
new file mode 100644
index 000000000..8c375d244
--- /dev/null
+++ b/smoketest/config-tests/conntrack-basic
@@ -0,0 +1,35 @@
+set firewall global-options timeout icmp '30'
+set firewall global-options timeout other '600'
+set firewall global-options timeout udp other '300'
+set firewall global-options timeout udp stream '300'
+set interfaces ethernet eth0 vif 5 address '192.0.2.1/24'
+set interfaces ethernet eth1 vif 7 description 'FTTH-PPPoE'
+set nat source rule 100 log
+set nat source rule 100 outbound-interface name 'pppoe0'
+set nat source rule 100 source address '192.0.2.0/24'
+set nat source rule 100 translation address 'masquerade'
+set service ntp allow-client address '172.16.0.0/12'
+set service ntp server 0.pool.ntp.org
+set service ntp server 1.pool.ntp.org
+set service ntp server 2.pool.ntp.org
+set system config-management commit-revisions '200'
+set system conntrack expect-table-size '2048'
+set system conntrack hash-size '1024'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system conntrack table-size '262144'
+set system conntrack timeout
+set system console device ttyS0 speed '115200'
+set system domain-name 'vyos.net'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
+set system login user vyos authentication plaintext-password ''
+set system name-server '172.16.254.30'
+set system syslog local facility all level 'debug'
+set system syslog local facility local7 level 'debug'
+set system syslog remote 172.16.100.1 facility all level 'warning'
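Review bot: The expected set-commands carry `set system conntrack hash-size '1024'` while the source config in smoketest/configs/conntrack-basic has `hash-size 1023`, and `set system conntrack timeout` is left as a bare node after its children moved to `firewall global-options timeout`. If the conntrack migrator intentionally rounds the hash size and leaves an empty timeout node, both are fine; otherwise the bare node looks like a migration leftover that this fixture would now pin as correct. The intent is worth recording in the migrator or the commit description, since this file format has no room for a comment.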
diff --git a/smoketest/configs/conntrack-basic b/smoketest/configs/conntrack-basic
new file mode 100644
index 000000000..8ecb78aeb
--- /dev/null
+++ b/smoketest/configs/conntrack-basic
@@ -0,0 +1,92 @@
+interfaces {
+ ethernet eth0 {
+ duplex auto
+ speed auto
+ vif 5 {
+ address 192.0.2.1/24
+ }
+ }
+ ethernet eth1 {
+ vif 7 {
+ description FTTH-PPPoE
+ }
+ }
+}
+nat {
+ source {
+ rule 100 {
+ log
+ outbound-interface pppoe0
+ source {
+ address 192.0.2.0/24
+ }
+ translation {
+ address masquerade
+ }
+ }
+ }
+}
+system {
+ config-management {
+ commit-revisions 200
+ }
+ conntrack {
+ expect-table-size 2048
+ hash-size 1023
+ table-size 262144
+ timeout {
+ icmp 30
+ other 600
+ udp {
+ other 300
+ stream 300
+ }
+ }
+ }
+ console {
+ device ttyS0 {
+ speed 115200
+ }
+ }
+ domain-name vyos.net
+ host-name vyos
+ login {
+ user vyos {
+ authentication {
+ encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/
+ plaintext-password ""
+ }
+ }
+ }
+ name-server 172.16.254.30
+ ntp {
+ allow-clients {
+ address 172.16.0.0/12
+ }
+ server 0.pool.ntp.org {
+ }
+ server 1.pool.ntp.org {
+ }
+ server 2.pool.ntp.org {
+ }
+ }
+ syslog {
+ global {
+ facility all {
+ level debug
+ }
+ facility protocols {
+ level debug
+ }
+ }
+ host 172.16.100.1 {
+ facility all {
+ level warning
+ }
+ }
+ }
+}
+
+// Warning: Do not remove the following line.
+// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@18:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@3:system@20:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1"
+// Release version: 1.3-beta-202101091250
diff --git a/smoketest/scripts/cli/base_vyostest_shim.py b/smoketest/scripts/cli/base_vyostest_shim.py
index f0674f187..9b64d5c0e 100644
--- a/smoketest/scripts/cli/base_vyostest_shim.py
+++ b/smoketest/scripts/cli/base_vyostest_shim.py
@@ -152,12 +152,14 @@ class VyOSUnitTestSHIM:
return out
@staticmethod
- def ssh_send_cmd(command, username, password, hostname='localhost'):
+ def ssh_send_cmd(command, username, password, key_filename=None,
+ hostname='localhost'):
""" SSH command execution helper """
# Try to login via SSH
ssh_client = paramiko.SSHClient()
ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
- ssh_client.connect(hostname=hostname, username=username, password=password)
+ ssh_client.connect(hostname=hostname, username=username,
+ password=password, key_filename=key_filename)
_, stdout, stderr = ssh_client.exec_command(command)
output = stdout.read().decode().strip()
error = stderr.read().decode().strip()
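Review bot: key_filename is inserted before hostname in ssh_send_cmd's signature, so any existing caller that passed hostname as the fourth positional argument now sends it as key_filename and connects to localhost instead. Append the new parameter after hostname, or make both keyword-only: `def ssh_send_cmd(command, username, password, *, hostname='localhost', key_filename=None):`. The method body continues outside the hunk.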
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index bbe4de9df..2d850dfdf 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -783,7 +783,11 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
['type filter hook output priority filter; policy accept;'],
['ct state invalid', 'udp sport 67', 'udp dport 68', 'accept'],
['ct state invalid', 'ether type arp', 'accept'],
+ ['ct state invalid', 'ether type 8021q', 'accept'],
+ ['ct state invalid', 'ether type 8021ad', 'accept'],
+ ['ct state invalid', 'ether type 0x8863', 'accept'],
['ct state invalid', 'ether type 0x8864', 'accept'],
+ ['ct state invalid', 'ether type 0x0842', 'accept'],
['chain VYOS_PREROUTING_filter'],
['type filter hook prerouting priority filter; policy accept;'],
['ip6 daddr @A6_AGV6', 'notrack'],
diff --git a/smoketest/scripts/cli/test_interfaces_openvpn.py b/smoketest/scripts/cli/test_interfaces_openvpn.py
index e087b8735..42c5ba848 100755
--- a/smoketest/scripts/cli/test_interfaces_openvpn.py
+++ b/smoketest/scripts/cli/test_interfaces_openvpn.py
@@ -826,7 +826,6 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase):
gw_subnet = "192.168.0.1"
self.cli_set(['interfaces', 'bridge', br_if, 'member', 'interface', vtun_if])
- self.cli_set(path + ['device-type', 'tap'])
self.cli_set(path + ['encryption', 'data-ciphers', 'aes192'])
self.cli_set(path + ['hash', auth_hash])
self.cli_set(path + ['mode', 'server'])
@@ -840,6 +839,10 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase):
self.cli_set(path + ['tls', 'certificate', 'ovpn_test'])
self.cli_set(path + ['tls', 'dh-params', 'ovpn_test'])
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+
+ self.cli_set(path + ['device-type', 'tap'])
self.cli_commit()
config_file = f'/run/openvpn/{vtun_if}.conf'
diff --git a/smoketest/scripts/cli/test_protocols_ospf.py b/smoketest/scripts/cli/test_protocols_ospf.py
index ea55fa031..fc59171e4 100755
--- a/smoketest/scripts/cli/test_protocols_ospf.py
+++ b/smoketest/scripts/cli/test_protocols_ospf.py
@@ -574,5 +574,23 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
self.assertIn(f'router ospf', frrconfig)
self.assertIn(f' network {network} area {area1}', frrconfig)
+ def test_ospf_18_area_translate_no_summary(self):
+ area = '11'
+ area_type = 'nssa'
+ network = '100.64.0.0/10'
+
+ self.cli_set(base_path + ['area', area, 'area-type', area_type, 'no-summary'])
+ self.cli_set(base_path + ['area', area, 'area-type', area_type, 'translate', 'never'])
+ self.cli_set(base_path + ['area', area, 'network', network])
+
+ # commit changes
+ self.cli_commit()
+
+ # Verify FRR ospfd configuration
+ frrconfig = self.getFRRconfig('router ospf', endsection='^exit')
+ self.assertIn(f'router ospf', frrconfig)
+ self.assertIn(f' area {area} {area_type} translate-never no-summary', frrconfig)
+ self.assertIn(f' network {network} area {area}', frrconfig)
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_qos.py b/smoketest/scripts/cli/test_qos.py
index 231743344..b3ed7f6dc 100755
--- a/smoketest/scripts/cli/test_qos.py
+++ b/smoketest/scripts/cli/test_qos.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2022-2023 VyOS maintainers and contributors
+# Copyright (C) 2022-2025 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -355,10 +355,10 @@ class TestQoS(VyOSUnitTestSHIM.TestCase):
tc_details = get_tc_filter_details(interface, 'ingress')
self.assertTrue('filter parent ffff: protocol all pref 20 u32 chain 0' in tc_details)
- self.assertTrue('rate 1Gbit burst 15125b mtu 2Kb action drop overhead 0b linklayer ethernet' in tc_details)
+ self.assertTrue('rate 1Gbit burst 15Kb mtu 2Kb action drop overhead 0b linklayer ethernet' in tc_details)
self.assertTrue('filter parent ffff: protocol all pref 15 u32 chain 0' in tc_details)
- self.assertTrue('rate 3Gbit burst 102000b mtu 1600b action pipe/continue overhead 0b linklayer ethernet' in tc_details)
- self.assertTrue('rate 500Mbit burst 204687b mtu 3000b action drop overhead 0b linklayer ethernet' in tc_details)
+ self.assertTrue('rate 3Gbit burst 100Kb mtu 1600b action pipe/continue overhead 0b linklayer ethernet' in tc_details)
+ self.assertTrue('rate 500Mbit burst 200Kb mtu 3000b action drop overhead 0b linklayer ethernet' in tc_details)
self.assertTrue('filter parent ffff: protocol all pref 255 basic chain 0' in tc_details)
def test_06_network_emulator(self):
@@ -773,7 +773,7 @@ class TestQoS(VyOSUnitTestSHIM.TestCase):
tc_filters = cmd(f'tc filter show dev {self._interfaces[0]} ingress')
# class 100
self.assertIn('filter parent ffff: protocol all pref 20 fw chain 0', tc_filters)
- self.assertIn('action order 1: police 0x1 rate 20Gbit burst 3847500b mtu 2Kb action drop overhead 0b', tc_filters)
+ self.assertIn('action order 1: police 0x1 rate 20Gbit burst 3760Kb mtu 2Kb action drop overhead 0b', tc_filters)
# default
self.assertIn('filter parent ffff: protocol all pref 255 basic chain 0', tc_filters)
self.assertIn('action order 1: police 0x2 rate 1Gbit burst 125000000b mtu 2Kb action drop overhead 0b', tc_filters)
@@ -1232,7 +1232,7 @@ class TestQoS(VyOSUnitTestSHIM.TestCase):
# class 100
self.assertIn('filter parent ffff: protocol all pref 20 basic chain 0', tc_filters)
self.assertIn(f'meta(rt_iif eq {iif})', tc_filters)
- self.assertIn('action order 1: police 0x1 rate 20Gbit burst 3847500b mtu 2Kb action drop overhead 0b', tc_filters)
+ self.assertIn('action order 1: police 0x1 rate 20Gbit burst 3760Kb mtu 2Kb action drop overhead 0b', tc_filters)
# default
self.assertIn('filter parent ffff: protocol all pref 255 basic chain 0', tc_filters)
self.assertIn('action order 1: police 0x2 rate 1Gbit burst 125000000b mtu 2Kb action drop overhead 0b', tc_filters)
diff --git a/smoketest/scripts/cli/test_service_ssh.py b/smoketest/scripts/cli/test_service_ssh.py
index fa08a5b32..551991d69 100755
--- a/smoketest/scripts/cli/test_service_ssh.py
+++ b/smoketest/scripts/cli/test_service_ssh.py
@@ -24,10 +24,12 @@ from pwd import getpwall
from base_vyostest_shim import VyOSUnitTestSHIM
from vyos.configsession import ConfigSessionError
+from vyos.defaults import config_files
from vyos.utils.process import cmd
from vyos.utils.process import is_systemd_service_running
from vyos.utils.process import process_named_running
from vyos.utils.file import read_file
+from vyos.utils.file import write_file
from vyos.xml_ref import default_value
PROCESS_NAME = 'sshd'
@@ -38,26 +40,101 @@ pki_path = ['pki']
key_rsa = '/etc/ssh/ssh_host_rsa_key'
key_dsa = '/etc/ssh/ssh_host_dsa_key'
key_ed25519 = '/etc/ssh/ssh_host_ed25519_key'
-trusted_user_ca_key = '/etc/ssh/trusted_user_ca_key'
-
+trusted_user_ca = config_files['sshd_user_ca']
+test_command = 'uname -a'
def get_config_value(key):
tmp = read_file(SSHD_CONF)
tmp = re.findall(f'\n?{key}\s+(.*)', tmp)
return tmp
+trusted_user_ca_path = base_path + ['trusted-user-ca']
+# CA and signed user key generated using:
+# ssh-keygen -f vyos-ssh-ca.key
+# ssh-keygen -f vyos_testca -C "vyos_tesca@vyos.net"
+# ssh-keygen -s vyos-ssh-ca.key -I vyos_testca@vyos.net -n vyos,vyos_testca -V +520w vyos_testca.pub
+ca_cert_data = """
+AAAAB3NzaC1yc2EAAAADAQABAAABgQCTBa7+TTefsMLTHuuLPUmmm7SGAuoK03oZEIi2/O
+sww1uhCdKrm7bFvSUFpWvq3gX8TSS+yO5kNKz3BTMBu7oq01/Ewjyw0jR+fUog76x7mCzd
+2iI4QmPj4lNHSUFquaELt2aBwY4f7LtjxRCCgtWgirq/Qk+P27uJKErvndyYc95v9no15z
+lQFSdUid6tF8IjYljK8pXP0JshFp3XnFV2Rg80j7O66mRtVFC4tt2vluyIFeIID+5fL03v
+LXbT/2zNdoH6QiI9NGWkxhS7zFYziVd/rzG5xlEB1ezs2Sz4zjMPgV3GiMINb6tjEWNJhM
+KtDWIt+3UDpx+2T9PrhDBDFMlneiHCD6MxRv2sLbicevSj0PV7/fRnwoHs6hDKCU5eS2Mc
+CTxXr4jaboLZ6q3sbGHCHZo/PuA8Sl9iZCM4GCxx5bgvRRmGpgZv4PfFzA2b/wTHkKnf6E
+kuthoAJufmNxPaZQRQKF34SdmTKgSJTCY1gqwCH2iNg0PVKU+vN8c=
+"""
-ca_root_cert_data = """
-MIIBcTCCARagAwIBAgIUDcAf1oIQV+6WRaW7NPcSnECQ/lUwCgYIKoZIzj0EAwIw
-HjEcMBoGA1UEAwwTVnlPUyBzZXJ2ZXIgcm9vdCBDQTAeFw0yMjAyMTcxOTQxMjBa
-Fw0zMjAyMTUxOTQxMjBaMB4xHDAaBgNVBAMME1Z5T1Mgc2VydmVyIHJvb3QgQ0Ew
-WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ0y24GzKQf4aM2Ir12tI9yITOIzAUj
-ZXyJeCmYI6uAnyAMqc4Q4NKyfq3nBi4XP87cs1jlC1P2BZ8MsjL5MdGWozIwMDAP
-BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRwC/YaieMEnjhYa7K3Flw/o0SFuzAK
-BggqhkjOPQQDAgNJADBGAiEAh3qEj8vScsjAdBy5shXzXDVVOKWCPTdGrPKnu8UW
-a2cCIQDlDgkzWmn5ujc5ATKz1fj+Se/aeqwh4QyoWCVTFLIxhQ==
+cert_user_key = """-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEArnIlFpMwSQax7+qH3+/gbv65mem6Ur+gepNYC8TYaE91xJxMoE5M
+Pyh1s8Kr/WYNF6aN43qdDnjvGy38oFng4lEfxG475AqpTIGmP4GvEOlnNLhjCcOHrOFuzg
+uRtDDvn0/TPhdqLTlbvgZ326WO7xQkCX11qmdGUUtC9Byd7p+EmnTe0oP8N6MeyYY78qa4
+HnzMd6EPb3vyWdASpPZjQE0OJCeAx6Mne2kOnKxUcW1UlczOa1PPIQMU+Rp1PWDtkdiYAd
+nbTbIdxDN8Bn3mC3JXD642EcwXSJ1+kov/8u8bBuYNt3t3nf/krSebx4Ge7ObYnURj31j0
+8L8Vv3fgv+T7pY8iyMh8dYfrZPAWQGN1pe8ZkDaM1QGKJncF+8N0UB4EVFBHNLt7W8+oHt
+LPMqYw13djZHg5Q1NxSxc1srOmEBZrWCBZgDGGiqtKo+lF+oVvqvBh/hncOBlDX5RFM8qw
+Qt4mem9TEZZrIvC9q1dcVpQUrt8BvBOSnGnBb7yTAAAFkEdBIUlHQSFJAAAAB3NzaC1yc2
+EAAAGBAK5yJRaTMEkGse/qh9/v4G7+uZnpulK/oHqTWAvE2GhPdcScTKBOTD8odbPCq/1m
+DRemjeN6nQ547xst/KBZ4OJRH8RuO+QKqUyBpj+BrxDpZzS4YwnDh6zhbs4LkbQw759P0z
+4Xai05W74Gd9ulju8UJAl9dapnRlFLQvQcne6fhJp03tKD/DejHsmGO/KmuB58zHehD297
+8lnQEqT2Y0BNDiQngMejJ3tpDpysVHFtVJXMzmtTzyEDFPkadT1g7ZHYmAHZ202yHcQzfA
+Z95gtyVw+uNhHMF0idfpKL//LvGwbmDbd7d53/5K0nm8eBnuzm2J1EY99Y9PC/Fb934L/k
++6WPIsjIfHWH62TwFkBjdaXvGZA2jNUBiiZ3BfvDdFAeBFRQRzS7e1vPqB7SzzKmMNd3Y2
+R4OUNTcUsXNbKzphAWa1ggWYAxhoqrSqPpRfqFb6rwYf4Z3DgZQ1+URTPKsELeJnpvUxGW
+ayLwvatXXFaUFK7fAbwTkpxpwW+8kwAAAAMBAAEAAAGAEeZQe+0vyoPPWkjRwbQBbszgX9
+9QaRE/TD82N5mZLbWJkK+2WnSY9O9tNGbIncBiSNz5ji/p/FmDCgzr8SAyfRvJ4K6sTTfy
+1eYvwtscYDsy2ywDAuDMrnvrPLqJ1tghSP2N4BR9ppT4yZosTkjB+TIzMxjBLB0GEBgNj1
+19rxswe2YmlFSgBVgi3pbRgT0uLfgBmvzXHUoLPL/8ScT7u4Csmh/GN7Xmuo5gcMnArcAu
+1Q17g3PJZcpv1Ser2VfKnVAwrURCLW8dlji5xat/3E/PLsrLvszVS6U0hFf3MaOixprxsz
+wc0n2Y4lAgkgkCZQ0Ty9TSXI/8TQWL8cPFej1TK15NWXlfElZxI+lhwcsnWmNy3mXD746/
+YZLH+OCs9isvewZWryQEkdVCU42MM/7L4Hoeqh2diGDV9wtKDW5FjHq/VRNOMVt59eCFlv
+eujh89/KY6wPxHoDoY3+olhggiKDGw1wUUpEXKNQhhTjx1g0xn7AFYz+Bp2svM9EdhAAAA
+wQDBq+zeOhsS/VrrVRkmOYYXnBSe0WcckjcYOly/8FLTPkq19aVY5eOmo6teegqvkWscGP
+Wisl7DW+kFNolIvwc6shf/8+PXC1KlADd9S1uoXvSmVoe3wSsIKRCsUuLZiiJkv4nqQ/BK
+T6ijvNG2Wu3YGsP8Tj+OcTebqk1vDItaickhKtFxCx6PBcV+RrDeK1TT6uAHd1AsGikTva
+V/BDMmtoDz7qFQbj9Vj2np88MakxYfm7u4DzKu082GHDBC44sAAADBAN8ATvmmfxqk5GFg
++2rbIW+qMJ2GwWXiTFLjH7u4HEhsmHbHYsQ0v+cGu2dKfBUVWoq/N2ltDQ0QYTgkmsxKvm
+I8AjVhLHhFB1DtPBMHibsF/rtBRgsItR+PveUtRYOmeY1PzJ3ygVNJpPJ87st0T4JVNQiE
++bFEhnJ/RcTHxzAAt8+gTn0PTen3+hn9Jk2YFHWFb51YDw2h00LL9XT9Enz4xkc6gTPL3M
+0IKULJWnyYGOLueSsQxJiaAUcsZg8W2QAAAMEAyEJ45HtbUqZ5xd2K5ZfY8cd1dC9uAx6a
+cSdENUvMW4yE3QEJ4xdonDUn9OQYR7GpseQWuXBrTO2PSsse7P6eHUsRhaUkFOvLzHSVzO
+bI9HDJAq6+KCPhm2eixfBiMs2meEle8MvNiiONwaY3JnPnGdsTpEjcm6oulyC52xRvHhvc
+nCuoRTqX7xcIka4jCXInYBS7GhlF5iAmIAAVkvfWjjNwZ3S0mnGUUOYgknidBhK+x0zCWt
+IXOeoIfjb/C4NLAAAAE3Z5b3NfdGVzY2FAdnlvcy5uZXQBAgMEBQYH
+-----END OPENSSH PRIVATE KEY-----
"""
+cert_user_signed = """
+ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb2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 vyos_tesca@vyos.net
+"""
class TestServiceSSH(VyOSUnitTestSHIM.TestCase):
@classmethod
@@ -207,23 +284,12 @@ class TestServiceSSH(VyOSUnitTestSHIM.TestCase):
# run natively.
#
# We also try to login as an invalid user - this is not allowed to work.
-
test_user = 'ssh_test'
test_pass = 'v2i57DZs8idUwMN3VC92'
- test_command = 'uname -a'
self.cli_set(base_path)
- self.cli_set(
- [
- 'system',
- 'login',
- 'user',
- test_user,
- 'authentication',
- 'plaintext-password',
- test_pass,
- ]
- )
+ self.cli_set(['system', 'login', 'user', test_user, 'authentication',
+ 'plaintext-password', test_pass])
# commit changes
self.cli_commit()
@@ -236,9 +302,8 @@ class TestServiceSSH(VyOSUnitTestSHIM.TestCase):
# Login with invalid credentials
with self.assertRaises(paramiko.ssh_exception.AuthenticationException):
- output, error = self.ssh_send_cmd(
- test_command, 'invalid_user', 'invalid_password'
- )
+ output, error = self.ssh_send_cmd(test_command, 'invalid_user',
+ 'invalid_password')
self.cli_delete(['system', 'login', 'user', test_user])
self.cli_commit()
@@ -359,40 +424,74 @@ class TestServiceSSH(VyOSUnitTestSHIM.TestCase):
tmp_sshd_conf = read_file(SSHD_CONF)
self.assertIn(expected, tmp_sshd_conf)
- def test_ssh_trusted_user_ca_key(self):
+ def test_ssh_trusted_user_ca(self):
ca_cert_name = 'test_ca'
+ public_key_type = 'ssh-rsa'
+ public_key_data = ca_cert_data.replace('\n', '')
+ test_user = 'vyos_testca'
+ principal = 'vyos'
+ user_auth_base = ['system', 'login', 'user', test_user]
+
+ # create user account
+ self.cli_set(user_auth_base)
+ self.cli_set(pki_path + ['openssh', ca_cert_name, 'public',
+ 'key', public_key_data])
+ self.cli_set(pki_path + ['openssh', ca_cert_name, 'public',
+ 'type', public_key_type])
+ self.cli_set(trusted_user_ca_path, value=ca_cert_name)
+ self.cli_commit()
+
+ trusted_user_ca_config = get_config_value('TrustedUserCAKeys')
+ self.assertIn(trusted_user_ca, trusted_user_ca_config)
+
+ authorize_principals_file_config = get_config_value('AuthorizedPrincipalsFile')
+ self.assertIn('none', authorize_principals_file_config)
+
+ ca_key_contents = read_file(trusted_user_ca).lstrip().rstrip()
+ self.assertIn(f'{public_key_type} {public_key_data}', ca_key_contents)
- # set pki ca <ca_cert_name> certificate <ca_key_data>
- # set service ssh trusted-user-ca-key ca-certificate <ca_cert_name>
- self.cli_set(
- pki_path
- + [
- 'ca',
- ca_cert_name,
- 'certificate',
- ca_root_cert_data.replace('\n', ''),
- ]
- )
- self.cli_set(
- base_path + ['trusted-user-ca-key', 'ca-certificate', ca_cert_name]
- )
+ # Verify functionality by logging into the system using signed user key
+ key_filename = f'/tmp/{test_user}'
+ write_file(key_filename, cert_user_key, mode=0o600)
+ write_file(f'{key_filename}-cert.pub', cert_user_signed.replace('\n', ''))
+
+ # Login with proper credentials
+ output, error = self.ssh_send_cmd(test_command, test_user, password=None,
+ key_filename=key_filename)
+ # Verify login
+ self.assertFalse(error)
+ self.assertEqual(output, cmd(test_command))
+
+ # Enable user principal name - logins only allowed if certificate contains
+ # said principal name
+ self.cli_set(user_auth_base + ['authentication', 'principal', principal])
self.cli_commit()
- trusted_user_ca_key_config = get_config_value('TrustedUserCAKeys')
- self.assertIn(trusted_user_ca_key, trusted_user_ca_key_config)
+ # Verify generated SSH principals
+ authorized_principals_file = f'/home/{test_user}/.ssh/authorized_principals'
+ authorized_principals = read_file(authorized_principals_file, sudo=True)
+ self.assertIn(principal, authorized_principals)
- with open(trusted_user_ca_key, 'r') as file:
- ca_key_contents = file.read()
- self.assertIn(ca_root_cert_data, ca_key_contents)
+ # Login with proper credentials
+ output, error = self.ssh_send_cmd(test_command, test_user, password=None,
+ key_filename=key_filename)
+ # Verify login
+ self.assertFalse(error)
+ self.assertEqual(output, cmd(test_command))
- self.cli_delete(base_path + ['trusted-user-ca-key'])
+ self.cli_delete(trusted_user_ca_path)
+ self.cli_delete(user_auth_base)
self.cli_delete(['pki', 'ca', ca_cert_name])
self.cli_commit()
# Verify the CA key is removed
- trusted_user_ca_key_config = get_config_value('TrustedUserCAKeys')
- self.assertNotIn(trusted_user_ca_key, trusted_user_ca_key_config)
+ trusted_user_ca_config = get_config_value('TrustedUserCAKeys')
+ self.assertNotIn(trusted_user_ca, trusted_user_ca_config)
+ self.assertFalse(os.path.exists(trusted_user_ca))
+ authorize_principals_file_config = get_config_value('AuthorizedPrincipalsFile')
+ self.assertNotIn('none', authorize_principals_file_config)
+ self.assertFalse(os.path.exists(f'/home/{test_user}/.ssh/authorized_principals'))
if __name__ == '__main__':
unittest.main(verbosity=2)
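Review bot: The private key and certificate written to `/tmp/{test_user}` and `{key_filename}-cert.pub` in test_ssh_trusted_user_ca are never removed, so a CA-signed login credential for the test account is left on disk after the test finishes. The final cleanup that deletes the CLI nodes should also delete the files, e.g. `os.unlink(key_filename)` and `os.unlink(f'{key_filename}-cert.pub')` before the last `self.cli_commit()`. A fixed, predictable path under /tmp is also worth replacing with `tempfile.mkstemp()` if the smoketest environment permits it.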
diff --git a/smoketest/scripts/cli/test_system_conntrack.py b/smoketest/scripts/cli/test_system_conntrack.py
index f6bb3cf7c..27ca28298 100755
--- a/smoketest/scripts/cli/test_system_conntrack.py
+++ b/smoketest/scripts/cli/test_system_conntrack.py
@@ -20,7 +20,10 @@ import unittest
from base_vyostest_shim import VyOSUnitTestSHIM
from vyos.firewall import find_nftables_rule
-from vyos.utils.file import read_file, read_json
+from vyos.utils.file import read_file
+from vyos.utils.file import read_json
+from vyos.utils.system import sysctl_read
+from vyos.xml_ref import default_value
base_path = ['system', 'conntrack']
@@ -168,8 +171,8 @@ class TestSystemConntrack(VyOSUnitTestSHIM.TestCase):
self.assertTrue(find_nftables_rule('ip vyos_conntrack', 'VYOS_CT_HELPER', [rule]) == None)
def test_conntrack_hash_size(self):
- hash_size = '65536'
- hash_size_default = '32768'
+ hash_size = '8192'
+ hash_size_default = default_value(base_path + ['hash-size'])
self.cli_set(base_path + ['hash-size', hash_size])
@@ -178,7 +181,7 @@ class TestSystemConntrack(VyOSUnitTestSHIM.TestCase):
# verify new configuration - only effective after reboot, but
# a valid config file is sufficient
- tmp = read_file('/etc/modprobe.d/vyatta_nf_conntrack.conf')
+ tmp = sysctl_read('net.netfilter.nf_conntrack_buckets')
self.assertIn(hash_size, tmp)
# Test default value by deleting the configuration
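Review bot: The comment `# verify new configuration - only effective after reboot, but a valid config file is sufficient` above the changed line is stale now that the value is read live via `sysctl_read('net.netfilter.nf_conntrack_buckets')`; the same stale comment precedes the identical change in the next hunk of this file. `self.assertIn(hash_size, tmp)` is a substring test, so '8192' would also pass against a bucket count such as 18192; if sysctl_read returns the bare value, `self.assertEqual(tmp.strip(), hash_size)` is the stricter check, and likewise for `hash_size_default` in the following hunk.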
@@ -189,7 +192,7 @@ class TestSystemConntrack(VyOSUnitTestSHIM.TestCase):
# verify new configuration - only effective after reboot, but
# a valid config file is sufficient
- tmp = read_file('/etc/modprobe.d/vyatta_nf_conntrack.conf')
+ tmp = sysctl_read('net.netfilter.nf_conntrack_buckets')
self.assertIn(hash_size_default, tmp)
def test_conntrack_ignore(self):
diff --git a/smoketest/scripts/cli/test_system_ip.py b/smoketest/scripts/cli/test_system_ip.py
index 5b6ef2046..a5d1f7743 100755
--- a/smoketest/scripts/cli/test_system_ip.py
+++ b/smoketest/scripts/cli/test_system_ip.py
@@ -128,5 +128,26 @@ class TestSystemIP(VyOSUnitTestSHIM.TestCase):
frrconfig = self.getFRRconfig('', end='')
self.assertNotIn(f'no ip nht resolve-via-default', frrconfig)
+ def test_system_ip_import_table(self):
+ table_num = '100'
+ distance = '200'
+ route_map_in = 'foo-map-in'
+ self.cli_set(['policy', 'route-map', route_map_in, 'rule', '10', 'action', 'permit'])
+ self.cli_set(base_path + ['import-table', table_num, 'distance', distance])
+ self.cli_set(base_path + ['import-table', table_num, 'route-map', route_map_in])
+
+ self.cli_commit()
+ # Verify CLI config applied to FRR
+ frrconfig = self.getFRRconfig('', end='')
+ self.assertIn(f'ip import-table {table_num} distance {distance} route-map {route_map_in}', frrconfig)
+
+ self.cli_delete(['policy', 'route-map', route_map_in])
+
+ self.cli_delete(base_path + ['import-table'])
+ self.cli_commit()
+ # Verify CLI config removed to FRR
+ frrconfig = self.getFRRconfig('', end='')
+ self.assertNotIn(f'ip import-table {table_num} distance {distance}', frrconfig)
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/smoketest/scripts/system/test_kernel_options.py b/smoketest/scripts/system/test_kernel_options.py
index 84e9c145d..8188e7678 100755
--- a/smoketest/scripts/system/test_kernel_options.py
+++ b/smoketest/scripts/system/test_kernel_options.py
@@ -143,5 +143,23 @@ class TestKernelModules(unittest.TestCase):
tmp = re.findall(f'{option}=3', self._config_data)
self.assertTrue(tmp)
+ def test_inotify_stackfs(self):
+ for option in ['CONFIG_INOTIFY_USER', 'CONFIG_INOTIFY_STACKFS']:
+ tmp = re.findall(f'{option}=y', self._config_data)
+ self.assertTrue(tmp)
+
+ def test_wwan(self):
+ for option in ['CONFIG_USB_NET_DRIVERS', 'CONFIG_USB_USBNET',
+ 'CONFIG_USB_NET_CDCETHER', 'CONFIG_USB_NET_HUAWEI_CDC_NCM',
+ 'CONFIG_USB_NET_CDC_MBIM', 'CONFIG_USB_NET_QMI_WWAN',
+ 'CONFIG_USB_SIERRA_NET', 'CONFIG_WWAN',
+ 'CONFIG_USB_SERIAL', 'CONFIG_USB_SERIAL_WWAN']:
+ tmp = re.findall(f'{option}=y', self._config_data)
+ self.assertTrue(tmp)
+
+ for option in ['CONFIG_WWAN_HWSIM', 'CONFIG_IOSM', 'CONFIG_MTK_T7XX']:
+ tmp = re.findall(f'{option}=m', self._config_data)
+ self.assertTrue(tmp)
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py
index 94882fc14..83e6dee11 100755
--- a/src/conf_mode/container.py
+++ b/src/conf_mode/container.py
@@ -315,7 +315,7 @@ def generate_run_arguments(name, container_config):
sysctl_opt = ''
if 'sysctl' in container_config and 'parameter' in container_config['sysctl']:
for k, v in container_config['sysctl']['parameter'].items():
- sysctl_opt += f" --sysctl {k}={v['value']}"
+ sysctl_opt += f" --sysctl \"{k}={v['value']}\""
# Add capability options. Should be in uppercase
capabilities = ''
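Review bot: Wrapping the sysctl argument in double quotes on the changed line only protects against whitespace; a value containing `"`, `$` or a backtick would still be interpreted by the shell if `sysctl_opt` is later joined into a shell command line (the function's start and the final command assembly are outside this hunk). Unless the XML validator already restricts sysctl values to a safe character set, `sysctl_opt += ' --sysctl ' + shlex.quote(f"{k}={v['value']}")` produces the same result for benign values and is safe for the rest; it needs `import shlex` at file level.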
diff --git a/src/conf_mode/interfaces_bridge.py b/src/conf_mode/interfaces_bridge.py
index c14e6a599..fce07ae0a 100755
--- a/src/conf_mode/interfaces_bridge.py
+++ b/src/conf_mode/interfaces_bridge.py
@@ -111,6 +111,11 @@ def get_config(config=None):
elif interface.startswith('wlan') and interface_exists(interface):
set_dependents('wlan', conf, interface)
+ if interface.startswith('vtun'):
+ _, tmp_config = get_interface_dict(conf, ['interfaces', 'openvpn'], interface)
+ tmp = tmp_config.get('device_type') == 'tap'
+ bridge['member']['interface'][interface].update({'valid_ovpn' : tmp})
+
# delete empty dictionary keys - no need to run code paths if nothing is there to do
if 'member' in bridge:
if 'interface' in bridge['member'] and len(bridge['member']['interface']) == 0:
@@ -178,6 +183,9 @@ def verify(bridge):
if option in interface_config:
raise ConfigError('Can not use VLAN options on non VLAN aware bridge')
+ if interface.startswith('vtun') and not interface_config['valid_ovpn']:
+ raise ConfigError(error_msg + 'OpenVPN device-type must be set to "tap"')
+
if 'enable_vlan' in bridge:
if dict_search('vif.1', bridge):
raise ConfigError(f'VLAN 1 sub interface cannot be set for VLAN aware bridge {ifname}, and VLAN 1 is always the parent interface')
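Review bot: The new check indexes `interface_config['valid_ovpn']` directly, so verify() raises a KeyError rather than a ConfigError if a vtun member arrives without that key, for example when the bridge dict is built by a path other than this get_config(). `if interface.startswith('vtun') and not interface_config.get('valid_ovpn'):` is the defensive form. The message only mentions device-type, although the same branch presumably also fires when the OpenVPN interface is not configured at all (get_config's `get_interface_dict` lookup would then yield no `device_type`); worth confirming and wording the error accordingly. verify() starts and ends outside this hunk.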
diff --git a/src/conf_mode/interfaces_wwan.py b/src/conf_mode/interfaces_wwan.py
index ddbebfb4a..fb71731d8 100755
--- a/src/conf_mode/interfaces_wwan.py
+++ b/src/conf_mode/interfaces_wwan.py
@@ -29,6 +29,7 @@ from vyos.configverify import verify_vrf
from vyos.configverify import verify_mtu_ipv6
from vyos.ifconfig import WWANIf
from vyos.utils.dict import dict_search
+from vyos.utils.network import is_wwan_connected
from vyos.utils.process import cmd
from vyos.utils.process import call
from vyos.utils.process import DEVNULL
@@ -137,7 +138,7 @@ def apply(wwan):
break
sleep(0.250)
- if 'shutdown_required' in wwan:
+ if 'shutdown_required' in wwan or (not is_wwan_connected(wwan['ifname'])):
# we only need the modem number. wwan0 -> 0, wwan1 -> 1
modem = wwan['ifname'].lstrip('wwan')
base_cmd = f'mmcli --modem {modem}'
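Review bot: `is_wwan_connected(wwan['ifname'])` is now evaluated twice in apply(), here and again in the next hunk, and each call presumably queries the modem; the modem state can also change between the two calls because the first branch drives it. Evaluate it once before the first condition, `needs_setup = 'shutdown_required' in wwan or not is_wwan_connected(wwan['ifname'])`, and use that name in both `if` statements. apply() starts and ends outside this hunk.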
@@ -159,7 +160,7 @@ def apply(wwan):
return None
- if 'shutdown_required' in wwan:
+ if 'shutdown_required' in wwan or (not is_wwan_connected(wwan['ifname'])):
ip_type = 'ipv4'
slaac = dict_search('ipv6.address.autoconf', wwan) != None
if 'address' in wwan:
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index 6c88e5cfd..a938021ba 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -31,7 +31,6 @@ from vyos.utils.file import write_file
from vyos.utils.process import cmd
from vyos.utils.process import run
from vyos.utils.process import call
-from vyos.utils.network import is_addr_assigned
from vyos.utils.network import interface_exists
from vyos.firewall import fqdn_config_parse
from vyos import ConfigError
@@ -176,12 +175,6 @@ def verify(nat):
if 'exclude' not in config and 'backend' not in config['load_balance']:
raise ConfigError(f'{err_msg} translation requires address and/or port')
- addr = dict_search('translation.address', config)
- if addr != None and addr != 'masquerade' and not is_ip_network(addr):
- for ip in addr.split('-'):
- if not is_addr_assigned(ip):
- Warning(f'IP address {ip} does not exist on the system!')
-
# common rule verification
verify_rule(config, err_msg, nat['firewall_group'])
diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py
index 869518dd9..7d01b6642 100755
--- a/src/conf_mode/pki.py
+++ b/src/conf_mode/pki.py
@@ -64,6 +64,10 @@ sync_search = [
'path': ['service', 'https'],
},
{
+ 'keys': ['key'],
+ 'path': ['service', 'ssh'],
+ },
+ {
'keys': ['certificate', 'ca_certificate'],
'path': ['interfaces', 'ethernet'],
},
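Review bot: The new sync_search entry searches `['service', 'ssh']` for a node named `key`, but the node that references the OpenSSH PKI object in service ssh appears to be `trusted-user-ca` (the smoketest in this commit sets `trusted_user_ca_path`, and service_ssh.py's verify() reads `ssh['trusted_user_ca']`). If `keys` names the config leaf whose value is the PKI object name, as the neighbouring `certificate` / `ca_certificate` entries suggest, this entry would never match and a changed CA key would not re-run the ssh script; `'keys': ['trusted-user-ca']` (or the underscored form, whichever the lookup expects) would be needed. Worth confirming against the lookup code, which is outside this hunk.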
@@ -414,7 +418,8 @@ def verify(pki):
if 'country' in default_values:
country = default_values['country']
if len(country) != 2 or not country.isalpha():
- raise ConfigError(f'Invalid default country value. Value must be 2 alpha characters.')
+ raise ConfigError('Invalid default country value. '\
+ 'Value must be 2 alpha characters.')
if 'changed' in pki:
# if the list is getting longer, we can move to a dict() and also embed the
diff --git a/src/conf_mode/protocols_ospf.py b/src/conf_mode/protocols_ospf.py
index c06c0aafc..467c9611b 100755
--- a/src/conf_mode/protocols_ospf.py
+++ b/src/conf_mode/protocols_ospf.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2021-2024 VyOS maintainers and contributors
+# Copyright (C) 2021-2025 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -17,6 +17,7 @@
from sys import exit
from sys import argv
+from vyos.base import Warning
from vyos.config import Config
from vyos.configverify import verify_common_route_maps
from vyos.configverify import verify_route_map
@@ -62,6 +63,16 @@ def verify(config_dict):
if 'area' in ospf:
networks = []
for area, area_config in ospf['area'].items():
+ # Implemented as warning to not break existing configurations
+ if area == '0' and dict_search('area_type.nssa', area_config) != None:
+ Warning('You cannot configure NSSA to backbone!')
+ # Implemented as warning to not break existing configurations
+ if area == '0' and dict_search('area_type.stub', area_config) != None:
+ Warning('You cannot configure STUB to backbone!')
+ # Implemented as warning to not break existing configurations
+ if len(area_config['area_type']) > 1:
+ Warning(f'Only one area-type is supported for area "{area}"!')
+
if 'import_list' in area_config:
acl_import = area_config['import_list']
if acl_import: verify_access_list(acl_import, ospf)
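Review bot: `len(area_config['area_type'])` raises a KeyError for any area without an area-type, whereas the two checks just above use `dict_search('area_type.nssa', …)` precisely because that node is optional. Guard it the same way, `if 'area_type' in area_config and len(area_config['area_type']) > 1:`, or use `len(area_config.get('area_type', {})) > 1`. The enclosing verify() starts and ends outside this hunk.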
diff --git a/src/conf_mode/service_ssh.py b/src/conf_mode/service_ssh.py
index 759f87bb2..3d38d940a 100755
--- a/src/conf_mode/service_ssh.py
+++ b/src/conf_mode/service_ssh.py
@@ -23,14 +23,15 @@ from syslog import LOG_INFO
from vyos.config import Config
from vyos.configdict import is_node_changed
from vyos.configverify import verify_vrf
-from vyos.configverify import verify_pki_ca_certificate
+from vyos.configverify import verify_pki_openssh_key
+from vyos.defaults import config_files
from vyos.utils.process import call
from vyos.template import render
from vyos import ConfigError
from vyos import airbag
-from vyos.pki import find_chain
-from vyos.pki import encode_certificate
-from vyos.pki import load_certificate
+from vyos.pki import encode_public_key
+from vyos.pki import load_openssh_public_key
+from vyos.utils.dict import dict_search_recursive
from vyos.utils.file import write_file
airbag.enable()
@@ -44,8 +45,7 @@ key_rsa = '/etc/ssh/ssh_host_rsa_key'
key_dsa = '/etc/ssh/ssh_host_dsa_key'
key_ed25519 = '/etc/ssh/ssh_host_ed25519_key'
-trusted_user_ca_key = '/etc/ssh/trusted_user_ca_key'
-
+trusted_user_ca = config_files['sshd_user_ca']
def get_config(config=None):
if config:
@@ -55,10 +55,8 @@ def get_config(config=None):
base = ['service', 'ssh']
if not conf.exists(base):
return None
-
- ssh = conf.get_config_dict(
- base, key_mangling=('-', '_'), get_first_key=True, with_pki=True
- )
+ ssh = conf.get_config_dict(base, key_mangling=('-', '_'),
+ get_first_key=True, with_pki=True)
tmp = is_node_changed(conf, base + ['vrf'])
if tmp:
@@ -68,14 +66,27 @@ def get_config(config=None):
# options which we need to update into the dictionary retrived.
ssh = conf.merge_defaults(ssh, recursive=True)
- # pass config file path - used in override template
- ssh['config_file'] = config_file
-
# Ignore default XML values if config doesn't exists
# Delete key from dict
if not conf.exists(base + ['dynamic-protection']):
del ssh['dynamic_protection']
+ # See if any user has specified a list of principal names that are accepted
+ # for certificate authentication.
+ tmp = conf.get_config_dict(['system', 'login', 'user'],
+ key_mangling=('-', '_'),
+ no_tag_node_value_mangle=True,
+ get_first_key=True)
+
+ for value, _ in dict_search_recursive(tmp, 'principal'):
+ # Only enable principal handling if SSH trusted-user-ca is set
+ if 'trusted_user_ca' in ssh:
+ ssh['has_principals'] = {}
+ # We do only need to execute this code path once as we need to know
+ # if any one of the local users has a principal set or not - this
+ # accounts for the entire system.
+ break
+
return ssh
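Review bot: The `for value, _ in dict_search_recursive(tmp, 'principal')` loop binds `value` without using it, and because the body only acts when `trusted_user_ca` is configured, the `['system', 'login', 'user']` lookup runs even when its result is irrelevant. The same outcome reads more directly as `if 'trusted_user_ca' in ssh and any(True for _ in dict_search_recursive(tmp, 'principal')):` followed by `ssh['has_principals'] = {}`, with the config lookup moved under the `trusted_user_ca` check. It is also worth a comment that `has_principals` is system-wide: once any one user has a principal the template presumably enables AuthorizedPrincipalsFile for every account, and sshd does not fall back to username matching while that option is set, so users without a principal would lose certificate login — confirm that is the intended behaviour.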
@@ -86,15 +97,8 @@ def verify(ssh):
if 'rekey' in ssh and 'data' not in ssh['rekey']:
raise ConfigError('Rekey data is required!')
- if 'trusted_user_ca_key' in ssh:
- if 'ca_certificate' not in ssh['trusted_user_ca_key']:
- raise ConfigError('CA certificate is required for TrustedUserCAKey')
-
- ca_key_name = ssh['trusted_user_ca_key']['ca_certificate']
- verify_pki_ca_certificate(ssh, ca_key_name)
- pki_ca_cert = ssh['pki']['ca'][ca_key_name]
- if 'certificate' not in pki_ca_cert or not pki_ca_cert['certificate']:
- raise ConfigError(f"CA certificate '{ca_key_name}' is not valid or missing")
+ if 'trusted_user_ca' in ssh:
+ verify_pki_openssh_key(ssh, ssh['trusted_user_ca'])
verify_vrf(ssh)
return None
@@ -119,23 +123,17 @@ def generate(ssh):
syslog(LOG_INFO, 'SSH ed25519 host key not found, generating new key!')
call(f'ssh-keygen -q -N "" -t ed25519 -f {key_ed25519}')
- if 'trusted_user_ca_key' in ssh:
- ca_key_name = ssh['trusted_user_ca_key']['ca_certificate']
- pki_ca_cert = ssh['pki']['ca'][ca_key_name]
-
- loaded_ca_cert = load_certificate(pki_ca_cert['certificate'])
- loaded_ca_certs = {
- load_certificate(c['certificate'])
- for c in ssh['pki']['ca'].values()
- if 'certificate' in c
- }
-
- ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
- write_file(
- trusted_user_ca_key, '\n'.join(encode_certificate(c) for c in ca_full_chain)
- )
- elif os.path.exists(trusted_user_ca_key):
- os.unlink(trusted_user_ca_key)
+ if 'trusted_user_ca' in ssh:
+ key_name = ssh['trusted_user_ca']
+ openssh_cert = ssh['pki']['openssh'][key_name]
+ loaded_ca_cert = load_openssh_public_key(openssh_cert['public']['key'],
+ openssh_cert['public']['type'])
+ tmp = encode_public_key(loaded_ca_cert, encoding='OpenSSH',
+ key_format='OpenSSH')
+ write_file(trusted_user_ca, tmp, trailing_newline=True)
+ else:
+ if os.path.exists(trusted_user_ca):
+ os.unlink(trusted_user_ca)
render(config_file, 'ssh/sshd_config.j2', ssh)
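Review bot: `write_file(trusted_user_ca, tmp, trailing_newline=True)` sets no explicit mode, so the permissions of the TrustedUserCAKeys file depend on write_file's default and the process umask; whoever can write that file can authorize arbitrary certificates, so the mode should be pinned. write_file accepts `mode=` (the smoketest in this commit calls `write_file(key_filename, cert_user_key, mode=0o600)`), so `write_file(trusted_user_ca, tmp, trailing_newline=True, mode=0o644)` keeps it readable but writable only by its owner, presumably root since the conf script writes under /etc/ssh. The `else:` / `if os.path.exists(...)` nesting can also be collapsed to `elif os.path.exists(trusted_user_ca):` as the removed code had it.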
diff --git a/src/conf_mode/system_conntrack.py b/src/conf_mode/system_conntrack.py
index f25ed8d10..8909d9cba 100755
--- a/src/conf_mode/system_conntrack.py
+++ b/src/conf_mode/system_conntrack.py
@@ -32,7 +32,6 @@ from vyos import ConfigError
from vyos import airbag
airbag.enable()
-conntrack_config = r'/etc/modprobe.d/vyatta_nf_conntrack.conf'
sysctl_file = r'/run/sysctl/10-vyos-conntrack.conf'
nftables_ct_file = r'/run/nftables-ct.conf'
vyos_conntrack_logger_config = r'/run/vyos-conntrack-logger.conf'
@@ -204,7 +203,6 @@ def generate(conntrack):
elif path[0] == 'ipv6':
conntrack['ipv6_firewall_action'] = 'accept'
- render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.j2', conntrack)
render(sysctl_file, 'conntrack/sysctl.conf.j2', conntrack)
render(nftables_ct_file, 'conntrack/nftables-ct.j2', conntrack)
diff --git a/src/conf_mode/system_ip.py b/src/conf_mode/system_ip.py
index 7f3796168..7f8b00ceb 100755
--- a/src/conf_mode/system_ip.py
+++ b/src/conf_mode/system_ip.py
@@ -53,6 +53,11 @@ def verify(config_dict):
for protocol, protocol_options in opt['protocol'].items():
if 'route_map' in protocol_options:
verify_route_map(protocol_options['route_map'], opt)
+
+ if dict_search('import_table', opt):
+ for table_num, import_config in opt['import_table'].items():
+ if dict_search('route_map', import_config):
+ verify_route_map(import_config['route_map'], opt)
return
def generate(config_dict):
diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py
index 4febb6494..22b6fcc98 100755
--- a/src/conf_mode/system_login.py
+++ b/src/conf_mode/system_login.py
@@ -26,6 +26,8 @@ from time import sleep
from vyos.base import Warning
from vyos.config import Config
+from vyos.configdep import set_dependents
+from vyos.configdep import call_dependents
from vyos.configverify import verify_vrf
from vyos.template import render
from vyos.template import is_ipv4
@@ -129,6 +131,7 @@ def get_config(config=None):
max_uid=MIN_TACACS_UID) + cli_users
login['tacacs_min_uid'] = MIN_TACACS_UID
+ set_dependents('ssh', conf)
return login
def verify(login):
@@ -345,6 +348,17 @@ def apply(login):
user_config, permission=0o600,
formater=lambda _: _.replace("&quot;", '"'),
user=user, group='users')
+
+ principals_file = f'{home_dir}/.ssh/authorized_principals'
+ if dict_search('authentication.principal', user_config):
+ render(principals_file, 'login/authorized_principals.j2',
+ user_config, permission=0o600,
+ formater=lambda _: _.replace("&quot;", '"'),
+ user=user, group='users')
+ else:
+ if os.path.exists(principals_file):
+ os.unlink(principals_file)
+
except Exception as e:
raise ConfigError(f'Adding user "{user}" raised exception: "{e}"')
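Review bot: The `if os.path.exists(principals_file): os.unlink(principals_file)` pair in the else branch — repeated for the Google Authenticator file in the next hunk, the three unlinks in the disabled-account hunk below, and the trusted_user_ca removal in service_ssh.py — leaves a window between the check and the unlink in which a FileNotFoundError can still escape. `with suppress(FileNotFoundError): os.unlink(principals_file)` (from contextlib) or `Path(principals_file).unlink(missing_ok=True)` removes both the race and the extra branch. Note that here the unlink runs inside the surrounding `try`, whose except clause would report such a failure as a user-creation error; apply() starts and ends outside this hunk.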
@@ -361,14 +375,15 @@ def apply(login):
chown(home_dir, user=user, recursive=True)
# Generate 2FA/MFA One-Time-Pad configuration
+ google_auth_file = f'{home_dir}/.google_authenticator'
if dict_search('authentication.otp.key', user_config):
enable_otp = True
- render(f'{home_dir}/.google_authenticator', 'login/pam_otp_ga.conf.j2',
+ render(google_auth_file, 'login/pam_otp_ga.conf.j2',
user_config, permission=0o400, user=user, group='users')
else:
# delete configuration as it's not enabled for the user
- if os.path.exists(f'{home_dir}/.google_authenticator'):
- os.remove(f'{home_dir}/.google_authenticator')
+ if os.path.exists(google_auth_file):
+ os.unlink(google_auth_file)
# Lock/Unlock local user account
lock_unlock = '--unlock'
@@ -382,6 +397,22 @@ def apply(login):
# Disable user to prevent re-login
call(f'usermod -s /sbin/nologin {user}')
+ home_dir = getpwnam(user).pw_dir
+ # Remove SSH authorized keys file
+ authorized_keys_file = f'{home_dir}/.ssh/authorized_keys'
+ if os.path.exists(authorized_keys_file):
+ os.unlink(authorized_keys_file)
+
+ # Remove SSH authorized principals file
+ principals_file = f'{home_dir}/.ssh/authorized_principals'
+ if os.path.exists(principals_file):
+ os.unlink(principals_file)
+
+ # Remove Google Authenticator file
+ google_auth_file = f'{home_dir}/.google_authenticator'
+ if os.path.exists(google_auth_file):
+ os.unlink(google_auth_file)
+
# Logout user if he is still logged in
if user in list(set([tmp[0] for tmp in users()])):
print(f'{user} is logged in, forcing logout!')
@@ -420,8 +451,9 @@ def apply(login):
# Enable/disable Google authenticator
cmd('pam-auth-update --disable mfa-google-authenticator')
if enable_otp:
- cmd(f'pam-auth-update --enable mfa-google-authenticator')
+ cmd('pam-auth-update --enable mfa-google-authenticator')
+ call_dependents()
return None
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index 0346c7819..1708b9d26 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -37,19 +37,22 @@ from passlib.hash import sha512_crypt
from time import sleep
from vyos import airbag
+
airbag.enable()
-cfg_dir = '/run/ocserv'
-ocserv_conf = cfg_dir + '/ocserv.conf'
-ocserv_passwd = cfg_dir + '/ocpasswd'
+cfg_dir = '/run/ocserv'
+ocserv_conf = cfg_dir + '/ocserv.conf'
+ocserv_passwd = cfg_dir + '/ocpasswd'
ocserv_otp_usr = cfg_dir + '/users.oath'
-radius_cfg = cfg_dir + '/radiusclient.conf'
+radius_cfg = cfg_dir + '/radiusclient.conf'
radius_servers = cfg_dir + '/radius_servers'
+
# Generate hash from user cleartext password
def get_hash(password):
return sha512_crypt.hash(password)
+
def get_config(config=None):
if config:
conf = config
@@ -59,78 +62,133 @@ def get_config(config=None):
if not conf.exists(base):
return None
- ocserv = conf.get_config_dict(base, key_mangling=('-', '_'),
- get_first_key=True,
- with_recursive_defaults=True,
- with_pki=True)
+ ocserv = conf.get_config_dict(
+ base,
+ key_mangling=('-', '_'),
+ get_first_key=True,
+ with_recursive_defaults=True,
+ with_pki=True,
+ )
return ocserv
+
def verify(ocserv):
if ocserv is None:
return None
# Check if listen-ports not binded other services
# It can be only listen by 'ocserv-main'
for proto, port in ocserv.get('listen_ports').items():
- if check_port_availability(ocserv['listen_address'], int(port), proto) is not True and \
- not is_listen_port_bind_service(int(port), 'ocserv-main'):
+ if check_port_availability(
+ ocserv['listen_address'], int(port), proto
+ ) is not True and not is_listen_port_bind_service(int(port), 'ocserv-main'):
raise ConfigError(f'"{proto}" port "{port}" is used by another service')
# Check accounting
- if "accounting" in ocserv:
- if "mode" in ocserv["accounting"] and "radius" in ocserv["accounting"]["mode"]:
- if not origin["accounting"]['radius']['server']:
- raise ConfigError('OpenConnect accounting mode radius requires at least one RADIUS server')
- if "authentication" not in ocserv or "mode" not in ocserv["authentication"]:
- raise ConfigError('Accounting depends on OpenConnect authentication configuration')
- elif "radius" not in ocserv["authentication"]["mode"]:
- raise ConfigError('RADIUS accounting must be used with RADIUS authentication')
+ if 'accounting' in ocserv:
+ if 'mode' in ocserv['accounting'] and 'radius' in ocserv['accounting']['mode']:
+ if not ocserv['accounting']['radius']['server']:
+ raise ConfigError(
+ 'OpenConnect accounting mode radius requires at least one RADIUS server'
+ )
+ if 'authentication' not in ocserv or 'mode' not in ocserv['authentication']:
+ raise ConfigError(
+ 'Accounting depends on OpenConnect authentication configuration'
+ )
+ elif 'radius' not in ocserv['authentication']['mode']:
+ raise ConfigError(
+ 'RADIUS accounting must be used with RADIUS authentication'
+ )
# Check authentication
- if "authentication" in ocserv:
- if "mode" in ocserv["authentication"]:
- if ("local" in ocserv["authentication"]["mode"] and
- "radius" in ocserv["authentication"]["mode"]):
- raise ConfigError('OpenConnect authentication modes are mutually-exclusive, remove either local or radius from your configuration')
- if "radius" in ocserv["authentication"]["mode"]:
+ if 'authentication' in ocserv:
+ if 'mode' in ocserv['authentication']:
+ if (
+ 'local' in ocserv['authentication']['mode']
+ and 'radius' in ocserv['authentication']['mode']
+ ):
+ raise ConfigError(
+ 'OpenConnect authentication modes are mutually-exclusive, remove either local or radius from your configuration'
+ )
+ if 'radius' in ocserv['authentication']['mode']:
if 'server' not in ocserv['authentication']['radius']:
- raise ConfigError('OpenConnect authentication mode radius requires at least one RADIUS server')
- if "local" in ocserv["authentication"]["mode"]:
- if not ocserv.get("authentication", {}).get("local_users"):
- raise ConfigError('OpenConnect mode local required at least one user')
- if not ocserv["authentication"]["local_users"]["username"]:
- raise ConfigError('OpenConnect mode local required at least one user')
+ raise ConfigError(
+ 'OpenConnect authentication mode radius requires at least one RADIUS server'
+ )
+ if 'local' in ocserv['authentication']['mode']:
+ if not ocserv.get('authentication', {}).get('local_users'):
+ raise ConfigError(
+ 'OpenConnect mode local required at least one user'
+ )
+ if not ocserv['authentication']['local_users']['username']:
+ raise ConfigError(
+ 'OpenConnect mode local required at least one user'
+ )
else:
# For OTP mode: verify that each local user has an OTP key
- if "otp" in ocserv["authentication"]["mode"]["local"]:
+ if 'otp' in ocserv['authentication']['mode']['local']:
users_wo_key = []
- for user, user_config in ocserv["authentication"]["local_users"]["username"].items():
+ for user, user_config in ocserv['authentication'][
+ 'local_users'
+ ]['username'].items():
# User has no OTP key defined
- if dict_search('otp.key', user_config) == None:
+ if dict_search('otp.key', user_config) is None:
users_wo_key.append(user)
if users_wo_key:
- raise ConfigError(f'OTP enabled, but no OTP key is configured for these users:\n{users_wo_key}')
+ raise ConfigError(
+ f'OTP enabled, but no OTP key is configured for these users:\n{users_wo_key}'
+ )
# For password (and default) mode: verify that each local user has password
- if "password" in ocserv["authentication"]["mode"]["local"] or "otp" not in ocserv["authentication"]["mode"]["local"]:
+ if (
+ 'password' in ocserv['authentication']['mode']['local']
+ or 'otp' not in ocserv['authentication']['mode']['local']
+ ):
users_wo_pswd = []
- for user in ocserv["authentication"]["local_users"]["username"]:
- if not "password" in ocserv["authentication"]["local_users"]["username"][user]:
+ for user in ocserv['authentication']['local_users']['username']:
+ if (
+ 'password'
+ not in ocserv['authentication']['local_users'][
+ 'username'
+ ][user]
+ ):
users_wo_pswd.append(user)
if users_wo_pswd:
- raise ConfigError(f'password required for users:\n{users_wo_pswd}')
+ raise ConfigError(
+ f'password required for users:\n{users_wo_pswd}'
+ )
# Validate that if identity-based-config is configured all child config nodes are set
- if 'identity_based_config' in ocserv["authentication"]:
- if 'disabled' not in ocserv["authentication"]["identity_based_config"]:
- Warning("Identity based configuration files is a 3rd party addition. Use at your own risk, this might break the ocserv daemon!")
- if 'mode' not in ocserv["authentication"]["identity_based_config"]:
- raise ConfigError('OpenConnect radius identity-based-config enabled but mode not selected')
- elif 'group' in ocserv["authentication"]["identity_based_config"]["mode"] and "radius" not in ocserv["authentication"]["mode"]:
- raise ConfigError('OpenConnect config-per-group must be used with radius authentication')
- if 'directory' not in ocserv["authentication"]["identity_based_config"]:
- raise ConfigError('OpenConnect identity-based-config enabled but directory not set')
- if 'default_config' not in ocserv["authentication"]["identity_based_config"]:
- raise ConfigError('OpenConnect identity-based-config enabled but default-config not set')
+ if 'identity_based_config' in ocserv['authentication']:
+ if 'disabled' not in ocserv['authentication']['identity_based_config']:
+ Warning(
+ 'Identity based configuration files is a 3rd party addition. Use at your own risk, this might break the ocserv daemon!'
+ )
+ if 'mode' not in ocserv['authentication']['identity_based_config']:
+ raise ConfigError(
+ 'OpenConnect radius identity-based-config enabled but mode not selected'
+ )
+ elif (
+ 'group'
+ in ocserv['authentication']['identity_based_config']['mode']
+ and 'radius' not in ocserv['authentication']['mode']
+ ):
+ raise ConfigError(
+ 'OpenConnect config-per-group must be used with radius authentication'
+ )
+ if (
+ 'directory'
+ not in ocserv['authentication']['identity_based_config']
+ ):
+ raise ConfigError(
+ 'OpenConnect identity-based-config enabled but directory not set'
+ )
+ if (
+ 'default_config'
+ not in ocserv['authentication']['identity_based_config']
+ ):
+ raise ConfigError(
+ 'OpenConnect identity-based-config enabled but default-config not set'
+ )
else:
raise ConfigError('OpenConnect authentication mode required')
else:
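Review bot: `ocserv['accounting']['radius']['server']` in the accounting check raises a KeyError instead of a ConfigError when accounting mode is radius but no `radius` subnode exists, and the authentication branch's `'server' not in ocserv['authentication']['radius']` has the same gap. `if not dict_search('accounting.radius.server', ocserv):` reports the missing server through the intended error path, using the path-first argument order the hunk already uses in `dict_search('otp.key', user_config)`; the call `dict_search(ocserv, 'accounting.mode.radius')` in generate() further down passes the arguments reversed and looks like it can never be truthy. Likewise `ocserv.get('listen_ports').items()` turns an absent listen-ports node into an AttributeError, where `ocserv.get('listen_ports', {}).items()` keeps it a no-op. verify() continues into the next hunk.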
@@ -149,94 +207,162 @@ def verify(ocserv):
verify_pki_ca_certificate(ocserv, ca_cert)
# Check network settings
- if "network_settings" in ocserv:
- if "push_route" in ocserv["network_settings"]:
+ if 'network_settings' in ocserv:
+ if 'push_route' in ocserv['network_settings']:
# Replace default route
- if "0.0.0.0/0" in ocserv["network_settings"]["push_route"]:
- ocserv["network_settings"]["push_route"].remove("0.0.0.0/0")
- ocserv["network_settings"]["push_route"].append("default")
+ if '0.0.0.0/0' in ocserv['network_settings']['push_route']:
+ ocserv['network_settings']['push_route'].remove('0.0.0.0/0')
+ ocserv['network_settings']['push_route'].append('default')
else:
- ocserv["network_settings"]["push_route"] = ["default"]
+ ocserv['network_settings']['push_route'] = ['default']
else:
raise ConfigError('OpenConnect network settings required!')
+
def generate(ocserv):
if not ocserv:
return None
- if "radius" in ocserv["authentication"]["mode"]:
+ if 'radius' in ocserv['authentication']['mode']:
if dict_search(ocserv, 'accounting.mode.radius'):
# Render radius client configuration
render(radius_cfg, 'ocserv/radius_conf.j2', ocserv)
- merged_servers = ocserv["accounting"]["radius"]["server"] | ocserv["authentication"]["radius"]["server"]
+ merged_servers = (
+ ocserv['accounting']['radius']['server']
+ | ocserv['authentication']['radius']['server']
+ )
# Render radius servers
# Merge the accounting and authentication servers into a single dictionary
- render(radius_servers, 'ocserv/radius_servers.j2', {'server': merged_servers})
+ render(
+ radius_servers, 'ocserv/radius_servers.j2', {'server': merged_servers}
+ )
else:
# Render radius client configuration
render(radius_cfg, 'ocserv/radius_conf.j2', ocserv)
# Render radius servers
- render(radius_servers, 'ocserv/radius_servers.j2', ocserv["authentication"]["radius"])
- elif "local" in ocserv["authentication"]["mode"]:
+ render(
+ radius_servers,
+ 'ocserv/radius_servers.j2',
+ ocserv['authentication']['radius'],
+ )
+ elif 'local' in ocserv['authentication']['mode']:
# if mode "OTP", generate OTP users file parameters
- if "otp" in ocserv["authentication"]["mode"]["local"]:
- if "local_users" in ocserv["authentication"]:
- for user in ocserv["authentication"]["local_users"]["username"]:
+ if 'otp' in ocserv['authentication']['mode']['local']:
+ if 'local_users' in ocserv['authentication']:
+ for user in ocserv['authentication']['local_users']['username']:
# OTP token type from CLI parameters:
- otp_interval = str(ocserv["authentication"]["local_users"]["username"][user]["otp"].get("interval"))
- token_type = ocserv["authentication"]["local_users"]["username"][user]["otp"].get("token_type")
- otp_length = str(ocserv["authentication"]["local_users"]["username"][user]["otp"].get("otp_length"))
- if token_type == "hotp-time":
- otp_type = "HOTP/T" + otp_interval
- elif token_type == "hotp-event":
- otp_type = "HOTP/E"
+ otp_interval = str(
+ ocserv['authentication']['local_users']['username'][user][
+ 'otp'
+ ].get('interval')
+ )
+ token_type = ocserv['authentication']['local_users']['username'][
+ user
+ ]['otp'].get('token_type')
+ otp_length = str(
+ ocserv['authentication']['local_users']['username'][user][
+ 'otp'
+ ].get('otp_length')
+ )
+ if token_type == 'hotp-time':
+ otp_type = 'HOTP/T' + otp_interval
+ elif token_type == 'hotp-event':
+ otp_type = 'HOTP/E'
else:
- otp_type = "HOTP/T" + otp_interval
- ocserv["authentication"]["local_users"]["username"][user]["otp"]["token_tmpl"] = otp_type + "/" + otp_length
+ otp_type = 'HOTP/T' + otp_interval
+ ocserv['authentication']['local_users']['username'][user]['otp'][
+ 'token_tmpl'
+ ] = otp_type + '/' + otp_length
# if there is a password, generate hash
- if "password" in ocserv["authentication"]["mode"]["local"] or not "otp" in ocserv["authentication"]["mode"]["local"]:
- if "local_users" in ocserv["authentication"]:
- for user in ocserv["authentication"]["local_users"]["username"]:
- ocserv["authentication"]["local_users"]["username"][user]["hash"] = get_hash(ocserv["authentication"]["local_users"]["username"][user]["password"])
-
- if "password-otp" in ocserv["authentication"]["mode"]["local"]:
+ if (
+ 'password' in ocserv['authentication']['mode']['local']
+ or 'otp' not in ocserv['authentication']['mode']['local']
+ ):
+ if 'local_users' in ocserv['authentication']:
+ for user in ocserv['authentication']['local_users']['username']:
+ ocserv['authentication']['local_users']['username'][user][
+ 'hash'
+ ] = get_hash(
+ ocserv['authentication']['local_users']['username'][user][
+ 'password'
+ ]
+ )
+
+ if 'password-otp' in ocserv['authentication']['mode']['local']:
# Render local users ocpasswd
- render(ocserv_passwd, 'ocserv/ocserv_passwd.j2', ocserv["authentication"]["local_users"])
+ render(
+ ocserv_passwd,
+ 'ocserv/ocserv_passwd.j2',
+ ocserv['authentication']['local_users'],
+ )
# Render local users OTP keys
- render(ocserv_otp_usr, 'ocserv/ocserv_otp_usr.j2', ocserv["authentication"]["local_users"])
- elif "password" in ocserv["authentication"]["mode"]["local"]:
+ render(
+ ocserv_otp_usr,
+ 'ocserv/ocserv_otp_usr.j2',
+ ocserv['authentication']['local_users'],
+ )
+ elif 'password' in ocserv['authentication']['mode']['local']:
# Render local users ocpasswd
- render(ocserv_passwd, 'ocserv/ocserv_passwd.j2', ocserv["authentication"]["local_users"])
- elif "otp" in ocserv["authentication"]["mode"]["local"]:
+ render(
+ ocserv_passwd,
+ 'ocserv/ocserv_passwd.j2',
+ ocserv['authentication']['local_users'],
+ )
+ elif 'otp' in ocserv['authentication']['mode']['local']:
# Render local users OTP keys
- render(ocserv_otp_usr, 'ocserv/ocserv_otp_usr.j2', ocserv["authentication"]["local_users"])
+ render(
+ ocserv_otp_usr,
+ 'ocserv/ocserv_otp_usr.j2',
+ ocserv['authentication']['local_users'],
+ )
else:
# Render local users ocpasswd
- render(ocserv_passwd, 'ocserv/ocserv_passwd.j2', ocserv["authentication"]["local_users"])
+ render(
+ ocserv_passwd,
+ 'ocserv/ocserv_passwd.j2',
+ ocserv['authentication']['local_users'],
+ )
else:
- if "local_users" in ocserv["authentication"]:
- for user in ocserv["authentication"]["local_users"]["username"]:
- ocserv["authentication"]["local_users"]["username"][user]["hash"] = get_hash(ocserv["authentication"]["local_users"]["username"][user]["password"])
+ if 'local_users' in ocserv['authentication']:
+ for user in ocserv['authentication']['local_users']['username']:
+ ocserv['authentication']['local_users']['username'][user]['hash'] = (
+ get_hash(
+ ocserv['authentication']['local_users']['username'][user][
+ 'password'
+ ]
+ )
+ )
# Render local users
- render(ocserv_passwd, 'ocserv/ocserv_passwd.j2', ocserv["authentication"]["local_users"])
+ render(
+ ocserv_passwd,
+ 'ocserv/ocserv_passwd.j2',
+ ocserv['authentication']['local_users'],
+ )
- if "ssl" in ocserv:
+ if 'ssl' in ocserv:
cert_file_path = os.path.join(cfg_dir, 'cert.pem')
cert_key_path = os.path.join(cfg_dir, 'cert.key')
-
if 'certificate' in ocserv['ssl']:
cert_name = ocserv['ssl']['certificate']
pki_cert = ocserv['pki']['certificate'][cert_name]
loaded_pki_cert = load_certificate(pki_cert['certificate'])
- loaded_ca_certs = {load_certificate(c['certificate'])
- for c in ocserv['pki']['ca'].values()} if 'ca' in ocserv['pki'] else {}
+ loaded_ca_certs = (
+ {
+ load_certificate(c['certificate'])
+ for c in ocserv['pki']['ca'].values()
+ }
+ if 'ca' in ocserv['pki']
+ else {}
+ )
cert_full_chain = find_chain(loaded_pki_cert, loaded_ca_certs)
- write_file(cert_file_path,
- '\n'.join(encode_certificate(c) for c in cert_full_chain))
+ write_file(
+ cert_file_path,
+ '\n'.join(encode_certificate(c) for c in cert_full_chain),
+ )
if 'private' in pki_cert and 'key' in pki_cert['private']:
write_file(cert_key_path, wrap_private_key(pki_cert['private']['key']))
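Review bot: The OTP loop near the top of `generate()` walks `ocserv['authentication']['local_users']['username'][user]['otp']` four times per user, and the reformatting now spreads each lookup over three lines, which reads worse than the one-line original it replaces. Binding the sub-dict once, `otp = ocserv['authentication']['local_users']['username'][user]['otp']`, and then using `otp.get('interval')`, `otp.get('token_type')`, `otp['token_tmpl'] = ...` keeps the behaviour and collapses the block to a few short lines. The same applies to the two `get_hash(...)` assignments later in the hunk, where `users = ocserv['authentication']['local_users']['username']` would let each become `users[user]['hash'] = get_hash(users[user]['password'])`.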
@@ -250,7 +376,8 @@ def generate(ocserv):
loaded_ca_cert = load_certificate(pki_ca_cert['certificate'])
ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
ca_chains.append(
- '\n'.join(encode_certificate(c) for c in ca_full_chain))
+ '\n'.join(encode_certificate(c) for c in ca_full_chain)
+ )
write_file(ca_cert_file_path, '\n'.join(ca_chains))
@@ -269,11 +396,13 @@ def apply(ocserv):
counter = 0
while True:
# exit early when service runs
- if is_systemd_service_running("ocserv.service"):
+ if is_systemd_service_running('ocserv.service'):
break
sleep(0.250)
if counter > 5:
- raise ConfigError('OpenConnect failed to start, check the logs for details')
+ raise ConfigError(
+ 'OpenConnect failed to start, check the logs for details'
+ )
break
counter += 1
diff --git a/src/etc/default/vyatta b/src/etc/default/vyatta
index e5fa3bb30..0a5129e8b 100644
--- a/src/etc/default/vyatta
+++ b/src/etc/default/vyatta
@@ -173,6 +173,7 @@ unset _vyatta_extglob
declare -x -r vyos_bin_dir=/usr/bin
declare -x -r vyos_sbin_dir=/usr/sbin
declare -x -r vyos_share_dir=/usr/share
+ declare -x -r vyconf_bin_dir=/usr/libexec/vyos/vyconf/bin
if test -z "$vyos_conf_scripts_dir" ; then
declare -x -r vyos_conf_scripts_dir=$vyos_libexec_dir/conf_mode
diff --git a/src/helpers/set_vyconf_backend.py b/src/helpers/set_vyconf_backend.py
index 6747e51c3..816452f3b 100755
--- a/src/helpers/set_vyconf_backend.py
+++ b/src/helpers/set_vyconf_backend.py
@@ -19,10 +19,14 @@
# N.B. only for use within testing framework; explicit invocation will leave
# system in inconsistent state.
+import os
+import sys
from argparse import ArgumentParser
from vyos.utils.backend import set_vyconf_backend
+if os.getuid() != 0:
+ sys.exit('Requires root privileges')
parser = ArgumentParser()
parser.add_argument('--disable', action='store_true',
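Review bot: The root guard added before argument parsing tests the real uid with `os.getuid()`; whether the script can actually change the backend depends on the effective uid, so `os.geteuid()` is the conventional check (both are 0 under sudo, they differ under a setuid-style invocation). Because the guard runs before `parser` is built, `--help` also refuses for non-root users; moving the check after `parse_args()` keeps the usage text reachable. Suggested line: `if os.geteuid() != 0:`.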
diff --git a/src/helpers/vyconf_cli.py b/src/helpers/vyconf_cli.py
new file mode 100755
index 000000000..a159a2678
--- /dev/null
+++ b/src/helpers/vyconf_cli.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2025 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+import os
+import sys
+
+from vyos.vyconf_session import VyconfSession
+
+
+pid = os.getppid()
+
+vs = VyconfSession(pid=pid)
+
+script_path = sys.argv[0]
+script_name = os.path.basename(script_path)
+# drop prefix 'vy_' if present
+if script_name.startswith('vy_'):
+ func_name = script_name[3:]
+else:
+ func_name = script_name
+
+if hasattr(vs, func_name):
+ func = getattr(vs, func_name)
+else:
+ sys.exit(f'Call unimplemented: {func_name}')
+
+out = func()
+if isinstance(out, bool):
+ # for use in shell scripts
+ sys.exit(int(not out))
+
+print(out)
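Review bot: The dispatch `func = getattr(vs, func_name)` resolves any attribute of `VyconfSession`, including private helpers and non-callables, because the only filter is `hasattr`; `func_name` comes from the basename of `sys.argv[0]`, i.e. from whatever symlink or copy name the script happens to be launched under. A non-callable attribute then fails at `out = func()` with a TypeError instead of the intended `Call unimplemented` exit. Restricting the lookup to public callables is a two-line change: `func = getattr(vs, func_name, None)` followed by `if func_name.startswith('_') or not callable(func): sys.exit(f'Call unimplemented: {func_name}')`; an explicit allowlist of the session methods meant to be exposed this way would be tighter still. The session is opened on `os.getppid()`, presumably the calling shell's pid, and a one-line comment saying what pid `VyconfSession` expects would help, since nothing in the file states it.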
diff --git a/src/helpers/vyos-sudo.py b/src/helpers/vyos-sudo.py
deleted file mode 100755
index 75dd7f29d..000000000
--- a/src/helpers/vyos-sudo.py
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/env python3
-
-# Copyright 2019 VyOS maintainers and contributors <maintainers@vyos.io>
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library. If not, see <http://www.gnu.org/licenses/>.
-
-import os
-import sys
-
-from vyos.utils.permission import is_admin
-
-
-if __name__ == '__main__':
- if len(sys.argv) < 2:
- print('Missing command argument')
- sys.exit(1)
-
- if not is_admin():
- print('This account is not authorized to run this command')
- sys.exit(1)
-
- os.execvp('sudo', ['sudo'] + sys.argv[1:])
diff --git a/src/migration-scripts/conntrack/5-to-6 b/src/migration-scripts/conntrack/5-to-6
new file mode 100644
index 000000000..1db2e78b4
--- /dev/null
+++ b/src/migration-scripts/conntrack/5-to-6
@@ -0,0 +1,30 @@
+# Copyright 2025 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+# T7202: fix lower limit of supported conntrack hash-size to match Kernel
+# lower limit.
+
+from vyos.configtree import ConfigTree
+
+base = ['system', 'conntrack']
+def migrate(config: ConfigTree) -> None:
+ if not config.exists(base):
+ # Nothing to do
+ return
+
+ if config.exists(base + ['hash-size']):
+ tmp = config.return_value(base + ['hash-size'])
+ if int(tmp) < 1024:
+ config.set(base + ['hash-size'], value=1024)
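Review bot: `config.set(base + ['hash-size'], value=1024)` writes an int where the value read back one line earlier is a string (`int(tmp)` is needed to compare it); unless `ConfigTree.set` converts its argument, the clamp should write `value='1024'` so the node is stored the same way it was read. `int(tmp)` will also raise ValueError on a non-numeric stored value; if migration scripts are expected to tolerate a malformed node rather than abort the whole migration, a `try`/`except ValueError` around the comparison is worth adding. Stylistically, two blank lines between `base = [...]` and `def migrate(...)` would follow PEP 8.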
diff --git a/src/op_mode/install_mok.sh b/src/op_mode/install_mok.sh
new file mode 100755
index 000000000..29f78cd1f
--- /dev/null
+++ b/src/op_mode/install_mok.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if test -f /var/lib/shim-signed/mok/vyos-dev-2025-shim.der; then
+ mokutil --ignore-keyring --import /var/lib/shim-signed/mok/vyos-dev-2025-shim.der;
+else
+ echo "Secure Boot Machine Owner Key not found";
+fi
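Review bot: The `else` branch reports that the MOK file is missing but the script still exits 0, so a caller cannot distinguish a successful enrolment request from a no-op; `echo "Secure Boot Machine Owner Key not found" >&2; exit 1` makes the failure visible and keeps the message off stdout. The trailing semicolons on the `mokutil` and `echo` lines are harmless but unidiomatic in a one-command-per-line script.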
diff --git a/src/op_mode/show_bonding_detail.sh b/src/op_mode/show_bonding_detail.sh
new file mode 100755
index 000000000..62265daa2
--- /dev/null
+++ b/src/op_mode/show_bonding_detail.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if [ -f "/proc/net/bonding/$1" ]; then
+ cat "/proc/net/bonding/$1";
+else
+ echo "Interface $1 does not exist!";
+fi
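Review bot: `$1` is interpolated into `/proc/net/bonding/$1` without validation, so an argument containing `/` or `..` escapes the bonding directory and whatever it resolves to is handed to `cat`; the same pattern appears in `show_ppp_stats.sh` below, where `$1` builds a `/sys/class/net/` path. If the op-mode runner change elsewhere in this commit means these scripts now execute under `sudo`, the check matters more than it did. A guard at the top of both scripts keeps the contract to interface names: `case "$1" in ''|*/*|*..*) echo "Invalid interface name" >&2; exit 1;; esac`. An empty `$1` currently prints `Interface  does not exist!` with a doubled space and still exits 0.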
diff --git a/src/op_mode/show_ppp_stats.sh b/src/op_mode/show_ppp_stats.sh
new file mode 100755
index 000000000..d9c17f966
--- /dev/null
+++ b/src/op_mode/show_ppp_stats.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+if [ -d "/sys/class/net/$1" ]; then
+ /usr/sbin/pppstats "$1";
+fi
diff --git a/src/op_mode/update_suricata.sh b/src/op_mode/update_suricata.sh
new file mode 100755
index 000000000..6e4e605f4
--- /dev/null
+++ b/src/op_mode/update_suricata.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if test -f /run/suricata/suricata.yaml; then
+ suricata-update --suricata-conf /run/suricata/suricata.yaml;
+ systemctl restart suricata;
+else
+ echo "Service Suricata not configured";
+fi
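Review bot: `systemctl restart suricata` runs regardless of whether `suricata-update` succeeded, so a failed rule download still bounces the IDS and can leave it running on whatever a partial update produced. Chaining the two, `suricata-update --suricata-conf /run/suricata/suricata.yaml && systemctl restart suricata`, restarts only after a successful update; the `else` branch should also `exit 1` so the not-configured case is distinguishable from success for whoever calls this script.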
diff --git a/src/opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-op-run b/src/opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-op-run
index f0479ae88..6bc77b61d 100644
--- a/src/opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-op-run
+++ b/src/opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-op-run
@@ -222,10 +222,21 @@ _vyatta_op_run ()
local cmd_regex="^(LESSOPEN=|less|pager|tail|(sudo )?$file_cmd).*"
if [ -n "$run_cmd" ]; then
eval $restore_shopts
- if [[ -t 1 && "${args[1]}" == "show" && ! $run_cmd =~ $cmd_regex ]] ; then
- eval "($run_cmd) | ${VYATTA_PAGER:-cat}"
- else
+ if [[ "${args[1]}" == "configure" ]]; then
+ # The "configure" command modifies the shell environment
+ # and must run in the current shell.
+ eval "$run_cmd"
+ elif [[ "${args[1]} ${args[2]}" =~ ^set[[:space:]]+(builtin|terminal) ]]; then
+ # Some commands like "set terminal width"
+ # only affect the user shell
+ # (so they don't need special privileges)
+ # and must be executed directly in the current shell
+ # to be able to do their job.
eval "$run_cmd"
+ elif [[ -t 1 && "${args[1]}" == "show" && ! $run_cmd =~ $cmd_regex ]] ; then
+ eval "(sudo $run_cmd) | ${VYATTA_PAGER:-cat}"
+ else
+ eval "sudo $run_cmd"
fi
else
echo -ne "\n Incomplete command: ${args[@]}\n\n" >&2
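Review bot: Every op-mode command other than `configure` and `set builtin|terminal` is now prefixed with `sudo`, and the same commit deletes `vyos-sudo.py` together with its `is_admin()` gate, so authorization for op-mode commands now rests entirely on the sudoers policy; that is sound only if the policy is deny-by-default for non-admin accounts, which this hunk cannot show. Because `$run_cmd` is expanded inside `eval`, a command string that begins with an environment assignment (the `LESSOPEN=` form that `cmd_regex` on the line above anticipates) or that contains a pipeline is split by the shell before `sudo` sees it: `sudo LESSOPEN=... less` asks sudo to set an environment variable, and only the first segment of a pipe runs privileged. A comment on the final `else` branch stating that `sudo` is now the sole authorization point, plus a check that `$run_cmd` does not start with a `VAR=` word, would make the intent explicit. `_vyatta_op_run` starts outside the hunk.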
diff --git a/src/services/api/rest/models.py b/src/services/api/rest/models.py
index dda50010f..c5cb4af48 100644
--- a/src/services/api/rest/models.py
+++ b/src/services/api/rest/models.py
@@ -26,6 +26,7 @@ from typing import Self
from pydantic import BaseModel
from pydantic import StrictStr
+from pydantic import StrictInt
from pydantic import field_validator
from pydantic import model_validator
from fastapi.responses import HTMLResponse
@@ -71,6 +72,8 @@ class BaseConfigureModel(BasePathModel):
class ConfigureModel(ApiModel, BaseConfigureModel):
+ confirm_time: StrictInt = 0
+
class Config:
json_schema_extra = {
'example': {
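Review bot: `confirm_time: StrictInt = 0` accepts any integer, including negative values, and routers.py later passes it straight to `session.commit_confirm(minutes=confirm_time)`; the same field is added to `ConfigureListModel` and `ConfigFileModel` in the next two hunks. A `@field_validator('confirm_time')` (already imported in this file) that rejects values below zero keeps the bad input at the API boundary instead of in the session layer. The `Config.json_schema_extra` example here should also show `confirm_time` so the documented request shape matches the model, and the new `ConfirmModel` in the next hunk carries no example block at all, unlike its siblings.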
@@ -81,8 +84,12 @@ class ConfigureModel(ApiModel, BaseConfigureModel):
}
+class ConfirmModel(ApiModel):
+ op: StrictStr
+
class ConfigureListModel(ApiModel):
commands: List[BaseConfigureModel]
+ confirm_time: StrictInt = 0
class Config:
json_schema_extra = {
@@ -134,13 +141,16 @@ class RetrieveModel(ApiModel):
class ConfigFileModel(ApiModel):
op: StrictStr
file: StrictStr = None
+ string: StrictStr = None
+ confirm_time: StrictInt = 0
class Config:
json_schema_extra = {
'example': {
'key': 'id_key',
- 'op': 'save | load',
+ 'op': 'save | load | merge | confirm',
'file': 'filename',
+ 'string': 'config_string'
}
}
@@ -251,6 +261,20 @@ class RebootModel(ApiModel):
}
+class RenewModel(ApiModel):
+ op: StrictStr
+ path: List[StrictStr]
+
+ class Config:
+ json_schema_extra = {
+ 'example': {
+ 'key': 'id_key',
+ 'op': 'renew',
+ 'path': ['op', 'mode', 'path'],
+ }
+ }
+
+
class ResetModel(ApiModel):
op: StrictStr
path: List[StrictStr]
diff --git a/src/services/api/rest/routers.py b/src/services/api/rest/routers.py
index e52c77fda..a2e6b4178 100644
--- a/src/services/api/rest/routers.py
+++ b/src/services/api/rest/routers.py
@@ -51,6 +51,7 @@ from .models import error
from .models import responses
from .models import ApiModel
from .models import ConfigureModel
+from .models import ConfirmModel
from .models import ConfigureListModel
from .models import ConfigSectionModel
from .models import ConfigSectionListModel
@@ -66,6 +67,7 @@ from .models import GenerateModel
from .models import ShowModel
from .models import RebootModel
from .models import ResetModel
+from .models import RenewModel
from .models import ImportPkiModel
from .models import PoweroffModel
from .models import TracerouteModel
@@ -301,8 +303,24 @@ def call_commit(s: SessionState):
LOG.warning(f'ConfigSessionError: {e}')
+def call_commit_confirm(s: SessionState):
+ env = s.session.get_session_env()
+ env['IN_COMMIT_CONFIRM'] = 't'
+ try:
+ s.session.commit()
+ except ConfigSessionError as e:
+ s.session.discard()
+ if s.debug:
+ LOG.warning(f'ConfigSessionError:\n {traceback.format_exc()}')
+ else:
+ LOG.warning(f'ConfigSessionError: {e}')
+ finally:
+ del env['IN_COMMIT_CONFIRM']
+
+
def _configure_op(
data: Union[
+ ConfirmModel,
ConfigureModel,
ConfigureListModel,
ConfigSectionModel,
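Review bot: `call_commit_confirm` duplicates `call_commit` apart from setting `env['IN_COMMIT_CONFIRM']` around the commit; a keyword flag on the existing helper, `def call_commit(s: SessionState, confirm: bool = False):`, with the env assignment and the `finally` deletion guarded by `if confirm:`, avoids two copies of the error handling drifting apart. The helper also assumes `s.session.get_session_env()` returns the live mapping the session reads rather than a copy — nothing on the page confirms that, so a one-line comment documenting the dependency would help. `_configure_op` continues past the hunk.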
@@ -319,6 +337,11 @@ def _configure_op(
session = state.session
env = session.get_session_env()
+ # A non-zero confirm_time will start commit-confirm timer on commit
+ confirm_time = 0
+ if isinstance(data, (ConfigureModel, ConfigureListModel, ConfigFileModel)):
+ confirm_time = data.confirm_time
+
# Allow users to pass just one command
if not isinstance(data, (ConfigureListModel, ConfigSectionListModel)):
data = [data]
@@ -338,10 +361,16 @@ def _configure_op(
try:
for c in data:
op = c.op
- if not isinstance(c, BaseConfigSectionTreeModel):
+ if not isinstance(c, (ConfirmModel, BaseConfigSectionTreeModel)):
path = c.path
- if isinstance(c, BaseConfigureModel):
+ if isinstance(c, ConfirmModel):
+ if op == 'confirm':
+ msg = session.confirm()
+ else:
+ raise ConfigSessionError(f"'{op}' is not a valid operation")
+
+ elif isinstance(c, BaseConfigureModel):
if c.value:
value = c.value
else:
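Review bot: After the new `ConfirmModel` branch sets `msg = session.confirm()`, the loop ends and control continues into the commit block in the next hunk (`config = Config(...)`, `get_config_diff`, `session.commit()`), so a `confirm` request also issues a commit of the session. If a plain confirm is meant to leave the session untouched, the branch should bypass the commit path, for example by wrapping the commit block in `if not isinstance(data[0], ConfirmModel):` or by returning the response right after `msg = session.confirm()`. The function starts and ends outside this hunk.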
@@ -387,16 +416,26 @@ def _configure_op(
else:
raise ConfigSessionError(f"'{op}' is not a valid operation")
# end for
+
config = Config(session_env=env)
d = get_config_diff(config)
+ if confirm_time:
+ out = session.commit_confirm(minutes=confirm_time)
+ msg = msg + out if msg else out
+ env['IN_COMMIT_CONFIRM'] = 't'
+
if d.is_node_changed(['service', 'https']):
- background_tasks.add_task(call_commit, state)
- msg = self_ref_msg
+ if confirm_time:
+ background_tasks.add_task(call_commit_confirm, state)
+ else:
+ background_tasks.add_task(call_commit, state)
+ out = self_ref_msg
+ msg = msg + out if msg else out
else:
# capture non-fatal warnings
out = session.commit()
- msg = out if out else msg
+ msg = msg + out if msg else out
LOG.info(f"Configuration modified via HTTP API using key '{state.id}'")
except ConfigSessionError as e:
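Review bot: The replacement `msg = msg + out if msg else out` on the last changed line drops the `if out` guard the old line had, so when `session.commit()` returns `None` and `msg` is already set the expression raises TypeError inside the `try`, which the handlers below turn into an internal error. The same expression is used after `commit_confirm` and for `self_ref_msg` in this hunk, and three more times in `config_file_op` further down. A guarded form, `msg = (msg + out if msg else out) if out else msg`, keeps both cases safe; since the plain `+` also runs two messages together with no separator, `msg = '\n'.join(filter(None, (msg, out)))` may read better.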
@@ -413,6 +452,8 @@ def _configure_op(
# Don't give the details away to the outer world
error_msg = 'An internal error occured. Check the logs for details.'
finally:
+ if 'IN_COMMIT_CONFIRM' in env:
+ del env['IN_COMMIT_CONFIRM']
lock.release()
if status != 200:
@@ -432,7 +473,7 @@ def create_path_import_pki_no_prompt(path):
@router.post('/configure')
def configure_op(
- data: Union[ConfigureModel, ConfigureListModel],
+ data: Union[ConfigureModel, ConfigureListModel, ConfirmModel],
request: Request,
background_tasks: BackgroundTasks,
):
@@ -500,6 +541,8 @@ def config_file_op(data: ConfigFileModel, background_tasks: BackgroundTasks):
op = data.op
msg = None
+ lock.acquire()
+
try:
if op == 'save':
if data.file:
@@ -507,22 +550,42 @@ def config_file_op(data: ConfigFileModel, background_tasks: BackgroundTasks):
else:
path = '/config/config.boot'
msg = session.save_config(path)
- elif op == 'load':
+ elif op in ('load', 'merge'):
if data.file:
path = data.file
+ elif data.string:
+ path = '/tmp/config.file'
+ with open(path, 'w') as f:
+ f.write(data.string)
else:
- return error(400, 'Missing required field "file"')
+ return error(400, 'Missing required field "file | string"')
- session.migrate_and_load_config(path)
+ match op:
+ case 'load':
+ session.migrate_and_load_config(path)
+ case 'merge':
+ session.merge_config(path)
config = Config(session_env=env)
d = get_config_diff(config)
+ if data.confirm_time:
+ out = session.commit_confirm(minutes=data.confirm_time)
+ msg = msg + out if msg else out
+ env['IN_COMMIT_CONFIRM'] = 't'
+
if d.is_node_changed(['service', 'https']):
- background_tasks.add_task(call_commit, state)
- msg = self_ref_msg
+ if data.confirm_time:
+ background_tasks.add_task(call_commit_confirm, state)
+ else:
+ background_tasks.add_task(call_commit, state)
+ out = self_ref_msg
+ msg = msg + out if msg else out
else:
- session.commit()
+ out = session.commit()
+ msg = msg + out if msg else out
+ elif op == 'confirm':
+ msg = session.confirm()
else:
return error(400, f"'{op}' is not a valid operation")
except ConfigSessionError as e:
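Review bot: The `string` branch writes the submitted configuration to the fixed, predictable path `/tmp/config.file` with a plain `open(path, 'w')`: `/tmp` is shared with every local account, so a pre-existing symlink or file at that name is followed or overwritten by the API process, and the file is never removed, leaving the submitted configuration (which may carry credentials) on disk after the request completes. A per-request temporary file from `tempfile.NamedTemporaryFile` (stdlib; needs an `import tempfile` at the top of the file), recorded in a variable initialised before the `try` and unlinked in the `finally` block, avoids both problems; the lock acquired earlier serialises requests within this process only. `config_file_op` starts outside the hunk.
```python
elif data.string:
    with tempfile.NamedTemporaryFile('w', prefix='vyos-api-', delete=False) as f:
        f.write(data.string)
    path = f.name
    tmp_path = path  # unlinked in the finally block alongside the lock release
# … unchanged: load/merge dispatch, confirm handling, commit …
```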
@@ -530,6 +593,10 @@ def config_file_op(data: ConfigFileModel, background_tasks: BackgroundTasks):
except Exception:
LOG.critical(traceback.format_exc())
return error(500, 'An internal error occured. Check the logs for details.')
+ finally:
+ if 'IN_COMMIT_CONFIRM' in env:
+ del env['IN_COMMIT_CONFIRM']
+ lock.release()
return success(msg)
@@ -657,6 +724,26 @@ def reboot_op(data: RebootModel):
return success(res)
+@router.post('/renew')
+def renew_op(data: RenewModel):
+ state = SessionState()
+ session = state.session
+
+ op = data.op
+ path = data.path
+
+ try:
+ if op == 'renew':
+ res = session.renew(path)
+ else:
+ return error(400, f"'{op}' is not a valid operation")
+ except ConfigSessionError as e:
+ return error(400, str(e))
+ except Exception:
+ LOG.critical(traceback.format_exc())
+ return error(500, 'An internal error occured. Check the logs for details.')
+
+ return success(res)
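Review bot: `renew_op` is line-for-line the shape of `reset_op` directly below it, differing only in the accepted `op` string and the session method called; a small shared helper taking the model and the session callable would avoid a third copy the next time an endpoint of this form is added. The route also has no docstring; `"""Renew the op-mode path given in the request (op 'renew')."""` is enough to place it alongside the other routes.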
@router.post('/reset')
def reset_op(data: ResetModel):
diff --git a/src/tests/test_template.py b/src/tests/test_template.py
index 7cae867a0..4660c0038 100644
--- a/src/tests/test_template.py
+++ b/src/tests/test_template.py
@@ -192,10 +192,15 @@ class TestVyOSTemplate(TestCase):
self.assertIn(IKEv2_DEFAULT, ','.join(ciphers))
def test_get_default_port(self):
+ from vyos.defaults import config_files
from vyos.defaults import internal_ports
with self.assertRaises(RuntimeError):
+ vyos.template.get_default_config_file('UNKNOWN')
+ with self.assertRaises(RuntimeError):
vyos.template.get_default_port('UNKNOWN')
+ self.assertEqual(vyos.template.get_default_config_file('sshd_user_ca'),
+ config_files['sshd_user_ca'])
self.assertEqual(vyos.template.get_default_port('certbot_haproxy'),
internal_ports['certbot_haproxy'])