Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/container.py | 13 | ||||
| -rwxr-xr-x | src/conf_mode/service_dhcp-server.py | 1 | ||||
| -rwxr-xr-x | src/conf_mode/service_ipoe-server.py | 4 | ||||
| -rwxr-xr-x | src/conf_mode/system_login.py | 26 | ||||
| -rwxr-xr-x | src/migration-scripts/container/1-to-2 | 50 | ||||
| -rwxr-xr-x | src/migration-scripts/ipoe-server/0-to-1 | 74 | ||||
| -rwxr-xr-x | src/migration-scripts/ipoe-server/1-to-2 | 99 | 
7 files changed, 137 insertions, 130 deletions
| diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py index 910a92a7c..0b57221b2 100755 --- a/src/conf_mode/container.py +++ b/src/conf_mode/container.py @@ -262,12 +262,11 @@ def generate_run_arguments(name, container_config):      restart = container_config['restart']      # Add capability options. Should be in uppercase -    cap_add = '' -    if 'cap_add' in container_config: -        for c in container_config['cap_add']: -            c = c.upper() -            c = c.replace('-', '_') -            cap_add += f' --cap-add={c}' +    capabilities = '' +    if 'capability' in container_config: +        for cap in container_config['capability']: +            cap = cap.upper().replace('-', '_') +            capabilities += f' --cap-add={cap}'      # Add a host device to the container /dev/x:/dev/x      device = '' @@ -330,7 +329,7 @@ def generate_run_arguments(name, container_config):              prop = vol_config['propagation']              volume += f' --volume {svol}:{dvol}:{mode},{prop}' -    container_base_cmd = f'--detach --interactive --tty --replace {cap_add} ' \ +    container_base_cmd = f'--detach --interactive --tty --replace {capabilities} ' \                           f'--memory {memory}m --shm-size {shared_memory}m --memory-swap 0 --restart {restart} ' \                           f'--name {name} {hostname} {device} {port} {volume} {env_opt} {label} {uid}' diff --git a/src/conf_mode/service_dhcp-server.py b/src/conf_mode/service_dhcp-server.py index f4fb78f57..3b9198ed0 100755 --- a/src/conf_mode/service_dhcp-server.py +++ b/src/conf_mode/service_dhcp-server.py @@ -165,7 +165,6 @@ def verify(dhcp):      # Inspect shared-network/subnet      listen_ok = False      subnets = [] -    failover_ok = False      shared_networks =  len(dhcp['shared_network_name'])      disabled_shared_networks = 0 diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py index 852b714eb..11e950782 100755 
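Review bot: The rewritten capability loop in the first container.py hunk still forwards each configured value straight into the podman command line after only `upper()` and `-`→`_`, and nothing in this function checks that the result names a real capability, so a bad value is only caught (if at all) by the CLI schema or by podman at run time; a one-line comment stating that assumption would help the next reader, e.g. `# value set is expected to be constrained by the CLI schema; podman rejects unknown names`. As a point of style, the loop rebinds its own iteration variable `cap`; the same result reads more directly as `capabilities = ''.join(f" --cap-add={c.upper().replace('-', '_')}" for c in container_config.get('capability', []))`. generate_run_arguments starts before this hunk and continues past the second one.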
--- a/src/conf_mode/service_ipoe-server.py +++ b/src/conf_mode/service_ipoe-server.py @@ -68,8 +68,8 @@ def verify(ipoe):      for interface, iface_config in ipoe['interface'].items():          verify_interface_exists(interface)          if 'client_subnet' in iface_config and 'vlan' in iface_config: -            raise ConfigError('Option "client-subnet" incompatible with "vlan"!' -                              'Use "ipoe client-ip-pool" instead.') +            raise ConfigError('Option "client-subnet" and "vlan" are mutually exclusive, ' +                              'use "client-ip-pool" instead!')      verify_accel_ppp_authentication(ipoe, local_users=False)      verify_accel_ppp_ip_pool(ipoe) diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py index 49306c894..20121f170 100755 --- a/src/conf_mode/system_login.py +++ b/src/conf_mode/system_login.py 
@@ -336,27 +336,31 @@ def apply(login):              command += f' --groups frr,frrvty,vyattacfg,sudo,adm,dip,disk,_kea {user}'              try:                  cmd(command) -                # we should not rely on the value stored in -                # user_config['home_directory'], as a crazy user will choose -                # username root or any other system user which will fail. +                # we should not rely on the value stored in user_config['home_directory'], as a +                # crazy user will choose username root or any other system user which will fail.                  #                  # XXX: Should we deny using root at all?                  home_dir = getpwnam(user).pw_dir -                # T5875: ensure UID is properly set on home directory if user is re-added -                # the home directory will always exist, as it's created above by --create-home, -                # retrieve current owner of home directory and adjust it on demand -                dir_owner = getpwuid(os.stat(home_dir).st_uid).pw_name -                if dir_owner != user: -                     chown(home_dir, user=user, recursive=True) - +                # always re-render SSH keys with appropriate permissions                  render(f'{home_dir}/.ssh/authorized_keys', 'login/authorized_keys.j2',                         user_config, permission=0o600,                         formater=lambda _: _.replace(""", '"'),                         user=user, group='users') -              except Exception as e:                  raise ConfigError(f'Adding user "{user}" raised exception: "{e}"') +            # T5875: ensure UID is properly set on home directory if user is re-added +            # the home directory will always exist, as it's created above by --create-home, +            # retrieve current owner of home directory and adjust on demand +            dir_owner = None +            try: +                dir_owner = getpwuid(os.stat(home_dir).st_uid).pw_name +       
     except: +                pass + +            if dir_owner != user: +                    chown(home_dir, user=user, recursive=True) +              # Generate 2FA/MFA One-Time-Pad configuration              if dict_search('authentication.otp.key', user_config):                  enable_otp = True diff --git a/src/migration-scripts/container/1-to-2 b/src/migration-scripts/container/1-to-2 new file mode 100755 index 000000000..408faf978 --- /dev/null +++ b/src/migration-scripts/container/1-to-2 
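Review bot: The new ownership block in system_login.py uses a bare `except: pass` around `getpwuid(os.stat(home_dir).st_uid)`, which swallows every exception (including SystemExit/KeyboardInterrupt) and, because `dir_owner` then stays `None`, makes the following `dir_owner != user` test true — so a failed `os.stat` leads straight into a recursive `chown` of a path that could not be inspected, and that `chown` now sits outside any `try`, so its failure surfaces as a raw traceback instead of the `ConfigError` the rest of this function raises. The two failure modes should be separated: a `KeyError` from `getpwuid` (orphaned UID, as after a user is removed and re-added per T5875) is the case where re-owning is wanted, while an `OSError` from `os.stat` or from the chown itself should become a `ConfigError`. Given the comment above about "crazy" usernames resolving to a system account's home, a recursive chown is also worth bounding to the directory actually created by `--create-home` (the `home_dir` resolved via getpwnam), which I cannot confirm from the hunk alone. The `chown` line is also indented four columns deeper than its `if`. apply() begins and ends outside this hunk.
```python
            # T5875: ensure UID is properly set on home directory if user is re-added
            # the home directory will always exist, as it's created above by --create-home,
            # retrieve current owner of home directory and adjust on demand
            dir_owner = None
            try:
                dir_owner = getpwuid(os.stat(home_dir).st_uid).pw_name
            except KeyError:
                # owning UID has no passwd entry (orphaned) - fall through and re-own
                pass
            except OSError as e:
                raise ConfigError(f'Cannot inspect home directory of user "{user}": "{e}"')

            if dir_owner != user:
                try:
                    chown(home_dir, user=user, recursive=True)
                except Exception as e:
                    raise ConfigError(f'Adjusting home directory ownership of user "{user}" raised exception: "{e}"')
            # … unchanged: 2FA/MFA One-Time-Pad configuration …
```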
@@ -0,0 +1,50 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2024 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program.  If not, see <http://www.gnu.org/licenses/>. + +# T6208: container: rename "cap-add" CLI node to "capability" + +from sys import argv +from sys import exit +from vyos.configtree import ConfigTree + +if len(argv) < 2: +    print("Must specify file name!") +    exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: +    config_file = f.read() + +base = ['container', 'name'] +config = ConfigTree(config_file) + +# Check if containers exist and we need to perform image manipulation +if not config.exists(base): +    # Nothing to do +    exit(0) + +for container in config.list_nodes(base): +    cap_path = base + [container, 'cap-add'] +    if config.exists(cap_path): +        config.rename(cap_path, 'capability') + +try: +    with open(file_name, 'w') as f: +        f.write(config.to_string()) +except OSError as e: +    print(f'Failed to save the modified config: {e}') +    exit(1) diff --git a/src/migration-scripts/ipoe-server/0-to-1 b/src/migration-scripts/ipoe-server/0-to-1 deleted file mode 100755 index ac9d13abc..000000000 --- a/src/migration-scripts/ipoe-server/0-to-1 +++ /dev/null 
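Review bot: The comment `# Check if containers exist and we need to perform image manipulation` in the new container/1-to-2 script is copied from another migrator and describes something this script does not do; it only renames the `cap-add` node, so the comment should say that, e.g. `# Nothing to rename if no containers are defined`. The T6208 header line already states the purpose correctly, so keeping the inline comment consistent with it is a one-line change.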
@@ -1,74 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2022 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program.  If not, see <http://www.gnu.org/licenses/>. - -# - T4703: merge vlan-id and vlan-range to vlan CLI node - -# L2|L3 -> l2|l3 -# mac-address -> mac -# network-mode -> mode - -import os -import sys - -from sys import argv, exit -from vyos.configtree import ConfigTree - -if len(argv) < 2: -    print("Must specify file name!") -    exit(1) - -file_name = argv[1] - -with open(file_name, 'r') as f: -    config_file = f.read() - -config = ConfigTree(config_file) -base = ['service', 'ipoe-server'] -if not config.exists(base): -    # Nothing to do -    exit(0) - -if config.exists(base + ['authentication', 'interface']): -    for interface in config.list_nodes(base + ['authentication', 'interface']): -        config.rename(base + ['authentication', 'interface', interface, 'mac-address'], 'mac') - -        mac_base = base + ['authentication', 'interface', interface, 'mac'] -        for mac in config.list_nodes(mac_base): -            vlan_config = mac_base + [mac, 'vlan-id'] -            if config.exists(vlan_config): -                config.rename(vlan_config, 'vlan') - -for interface in config.list_nodes(base + ['interface']): -    base_path = base + ['interface', interface] -    for vlan in ['vlan-id', 'vlan-range']: -        if config.exists(base_path + [vlan]): -            print(interface, vlan) -            for tmp in 
config.return_values(base_path + [vlan]): -                config.set(base_path + ['vlan'], value=tmp, replace=False) -            config.delete(base_path + [vlan]) - -    if config.exists(base_path + ['network-mode']): -        tmp = config.return_value(base_path + ['network-mode']) -        config.delete(base_path + ['network-mode']) -        # Change L2|L3 to lower case l2|l3 -        config.set(base_path + ['mode'], value=tmp.lower()) - -try: -    with open(file_name, 'w') as f: -        f.write(config.to_string()) -except OSError as e: -    print("Failed to save the modified config: {}".format(e)) -    exit(1) diff --git a/src/migration-scripts/ipoe-server/1-to-2 b/src/migration-scripts/ipoe-server/1-to-2 index 378702693..6a7111541 100755 --- a/src/migration-scripts/ipoe-server/1-to-2 +++ b/src/migration-scripts/ipoe-server/1-to-2 @@ -1,6 +1,6 @@  #!/usr/bin/env python3  # -# Copyright (C) 2023 VyOS maintainers and contributors +# Copyright (C) 2023-2024 VyOS maintainers and contributors  #  # This program is free software; you can redistribute it and/or modify  # it under the terms of the GNU General Public License version 2 or later as @@ -14,6 +14,11 @@  # You should have received a copy of the GNU General Public License  # along with this program.  If not, see <http://www.gnu.org/licenses/>. +# - T4703: merge vlan-id and vlan-range to vlan CLI node +# L2|L3 -> l2|l3 +# mac-address -> mac +# network-mode -> mode +  # - changed cli of all named pools  # - moved gateway-address from pool to global configuration with / netmask  #   gateway can exist without pool if radius is used 
@@ -39,43 +44,67 @@ with open(file_name, 'r') as f:  config = ConfigTree(config_file)  base = ['service', 'ipoe-server'] -pool_base = base + ['client-ip-pool'] +  if not config.exists(base):      exit(0) -if not config.exists(pool_base): -    exit(0) -default_pool = '' -gateway = '' - -#named pool migration -namedpools_base = pool_base + ['name'] - -for pool_name in config.list_nodes(namedpools_base): -    pool_path = namedpools_base + [pool_name] -    if config.exists(pool_path + ['subnet']): -        subnet = config.return_value(pool_path + ['subnet']) -        config.set(pool_base + [pool_name, 'range'], value=subnet, replace=False) -        # Get netmask from subnet -        mask = subnet.split("/")[1] -    if config.exists(pool_path + ['next-pool']): -        next_pool = config.return_value(pool_path + ['next-pool']) -        config.set(pool_base + [pool_name, 'next-pool'], value=next_pool) -        if not default_pool: -            default_pool = pool_name -    if config.exists(pool_path + ['gateway-address']) and mask: -        gateway = f'{config.return_value(pool_path + ["gateway-address"])}/{mask}' -        config.set(base + ['gateway-address'], value=gateway, replace=False) - -if not default_pool and config.list_nodes(namedpools_base): -    default_pool = config.list_nodes(namedpools_base)[0] - -config.delete(namedpools_base) - -if default_pool: -    config.set(base + ['default-pool'], value=default_pool) -# format as tag node -config.set_tag(pool_base) +if config.exists(base + ['authentication', 'interface']): +    for interface in config.list_nodes(base + ['authentication', 'interface']): +        config.rename(base + ['authentication', 'interface', interface, 'mac-address'], 'mac') + +        mac_base = base + ['authentication', 'interface', interface, 'mac'] +        for mac in config.list_nodes(mac_base): +            vlan_config = mac_base + [mac, 'vlan-id'] +            if config.exists(vlan_config): +                config.rename(vlan_config, 
'vlan') + +for interface in config.list_nodes(base + ['interface']): +    base_path = base + ['interface', interface] +    for vlan in ['vlan-id', 'vlan-range']: +        if config.exists(base_path + [vlan]): +            for tmp in config.return_values(base_path + [vlan]): +                config.set(base_path + ['vlan'], value=tmp, replace=False) +            config.delete(base_path + [vlan]) + +    if config.exists(base_path + ['network-mode']): +        tmp = config.return_value(base_path + ['network-mode']) +        config.delete(base_path + ['network-mode']) +        # Change L2|L3 to lower case l2|l3 +        config.set(base_path + ['mode'], value=tmp.lower()) + +pool_base = base + ['client-ip-pool'] +if config.exists(pool_base): +    default_pool = '' +    gateway = '' + +    #named pool migration +    namedpools_base = pool_base + ['name'] + +    for pool_name in config.list_nodes(namedpools_base): +        pool_path = namedpools_base + [pool_name] +        if config.exists(pool_path + ['subnet']): +            subnet = config.return_value(pool_path + ['subnet']) +            config.set(pool_base + [pool_name, 'range'], value=subnet, replace=False) +            # Get netmask from subnet +            mask = subnet.split("/")[1] +        if config.exists(pool_path + ['next-pool']): +            next_pool = config.return_value(pool_path + ['next-pool']) +            config.set(pool_base + [pool_name, 'next-pool'], value=next_pool) +            if not default_pool: +                default_pool = pool_name +        if config.exists(pool_path + ['gateway-address']) and mask: +            gateway = f'{config.return_value(pool_path + ["gateway-address"])}/{mask}' +            config.set(base + ['gateway-address'], value=gateway, replace=False) + +    if not default_pool and config.list_nodes(namedpools_base): +        default_pool = config.list_nodes(namedpools_base)[0] + +    config.delete(namedpools_base) + +    if default_pool: +        config.set(base + 
['default-pool'], value=default_pool) +    # format as tag node +    config.set_tag(pool_base)  try:      with open(file_name, 'w') as f: | 
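Review bot: In the relocated named-pool loop of ipoe-server/1-to-2, `mask` is read in `if config.exists(pool_path + ['gateway-address']) and mask:` but is only bound inside the `if config.exists(pool_path + ['subnet'])` branch, so a first pool that has a gateway-address but no subnet raises NameError and aborts the migration, while a later pool without subnet silently reuses the previous pool's mask and writes a gateway with the wrong prefix length; add `mask = ''` right after `pool_path = namedpools_base + [pool_name]` so each pool starts clean. Likewise the moved `config.rename(base + ['authentication', 'interface', interface, 'mac-address'], 'mac')` runs without a preceding `config.exists` check, and I cannot tell from the hunk whether ConfigTree.rename tolerates a missing node; guarding it as the vlan-id rename below it is guarded would be consistent. The hunk ends inside the final `try:` block.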
