8 files changed, 153 insertions, 68 deletions

diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py
index 91a10e891..3efeb9b40 100755
--- a/src/conf_mode/container.py
+++ b/src/conf_mode/container.py
@@ -16,6 +16,7 @@
 
 import os
 
+from decimal import Decimal
 from hashlib import sha256
 from ipaddress import ip_address
 from ipaddress import ip_network
@@ -28,6 +29,7 @@ from vyos.configdict import node_changed
 from vyos.configdict import is_node_changed
 from vyos.configverify import verify_vrf
 from vyos.ifconfig import Interface
+from vyos.cpu import get_core_count
 from vyos.utils.file import write_file
 from vyos.utils.process import call
 from vyos.utils.process import cmd
@@ -127,6 +129,11 @@ def verify(container):
                         f'locally. Please use "add container image {image}" to add it '\
                         f'to the system! Container "{name}" will not be started!')
 
+            if 'cpu_quota' in container_config:
+                cores = get_core_count()
+                if Decimal(container_config['cpu_quota']) > cores:
+                    raise ConfigError(f'Cannot set limit to more cores than available "{name}"!')
+
             if 'network' in container_config:
                 if len(container_config['network']) > 1:
                     raise ConfigError(f'Only one network can be specified for container "{name}"!')
@@ -257,6 +264,7 @@ def verify(container):
 
 def generate_run_arguments(name, container_config):
     image = container_config['image']
+    cpu_quota = container_config['cpu_quota']
     memory = container_config['memory']
     shared_memory = container_config['shared_memory']
     restart = container_config['restart']
@@ -333,7 +341,7 @@ def generate_run_arguments(name, container_config):
     if 'allow_host_pid' in container_config:
       host_pid = '--pid host'
 
-    container_base_cmd = f'--detach --interactive --tty --replace {capabilities} ' \
+    container_base_cmd = f'--detach --interactive --tty --replace {capabilities} --cpus {cpu_quota} ' \
                          f'--memory {memory}m --shm-size {shared_memory}m --memory-swap 0 --restart {restart} ' \
                          f'--name {name} {hostname} {device} {port} {volume} {env_opt} {label} {uid} {host_pid}'
 
diff --git a/src/conf_mode/interfaces_openvpn.py b/src/conf_mode/interfaces_openvpn.py
index 0ecffd3be..627cc90ba 100755
--- a/src/conf_mode/interfaces_openvpn.py
+++ b/src/conf_mode/interfaces_openvpn.py
@@ -168,6 +168,14 @@ def verify_pki(openvpn):
                            'verification, consult the documentation for details.')
 
     if tls:
+        if mode == 'site-to-site':
+            # XXX: site-to-site with PSKs is the only mode that can work without TLS,
+            # so 'tls role' is not mandatory for it,
+            # but we need to check that if it uses peer certificate fingerprints rather than PSKs,
+            # then the TLS role is set
+            if ('shared_secret_key' not in tls) and ('role' not in tls):
+                raise ConfigError('"tls role" is required for site-to-site OpenVPN with TLS')
+
         if (mode in ['server', 'client']) and ('ca_certificate' not in tls):
             raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface},\
               it is required in server and client modes')
diff --git a/src/conf_mode/load-balancing_reverse-proxy.py b/src/conf_mode/load-balancing_reverse-proxy.py
index b6db110ae..1c1252df0 100755
--- a/src/conf_mode/load-balancing_reverse-proxy.py
+++ b/src/conf_mode/load-balancing_reverse-proxy.py
@@ -26,9 +26,13 @@ from vyos.utils.dict import dict_search
 from vyos.utils.process import call
 from vyos.utils.network import check_port_availability
 from vyos.utils.network import is_listen_port_bind_service
-from vyos.pki import wrap_certificate
-from vyos.pki import wrap_private_key
+from vyos.pki import find_chain
+from vyos.pki import load_certificate
+from vyos.pki import load_private_key
+from vyos.pki import encode_certificate
+from vyos.pki import encode_private_key
 from vyos.template import render
+from vyos.utils.file import write_file
 from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
@@ -124,51 +128,54 @@ def generate(lb):
     if not os.path.isdir(load_balancing_dir):
         os.mkdir(load_balancing_dir)
 
+    loaded_ca_certs = {load_certificate(c['certificate'])
+        for c in lb['pki']['ca'].values()} if 'ca' in lb['pki'] else {}
+
     # SSL Certificates for frontend
     for front, front_config in lb['service'].items():
-        if 'ssl' in front_config:
-
-            if 'certificate' in front_config['ssl']:
-                cert_names = front_config['ssl']['certificate']
+        if 'ssl' not in front_config:
+            continue
 
-                for cert_name in cert_names:
-                    pki_cert = lb['pki']['certificate'][cert_name]
-                    cert_file_path = os.path.join(load_balancing_dir, f'{cert_name}.pem')
-                    cert_key_path = os.path.join(load_balancing_dir, f'{cert_name}.pem.key')
+        if 'certificate' in front_config['ssl']:
+            cert_names = front_config['ssl']['certificate']
 
-                    with open(cert_file_path, 'w') as f:
-                        f.write(wrap_certificate(pki_cert['certificate']))
+            for cert_name in cert_names:
+                pki_cert = lb['pki']['certificate'][cert_name]
+                cert_file_path = os.path.join(load_balancing_dir, f'{cert_name}.pem')
+                cert_key_path = os.path.join(load_balancing_dir, f'{cert_name}.pem.key')
 
-                    if 'private' in pki_cert and 'key' in pki_cert['private']:
-                        with open(cert_key_path, 'w') as f:
-                            f.write(wrap_private_key(pki_cert['private']['key']))
+                loaded_pki_cert = load_certificate(pki_cert['certificate'])
+                cert_full_chain = find_chain(loaded_pki_cert, loaded_ca_certs)
 
-            if 'ca_certificate' in front_config['ssl']:
-                ca_name = front_config['ssl']['ca_certificate']
-                pki_ca_cert = lb['pki']['ca'][ca_name]
-                ca_cert_file_path = os.path.join(load_balancing_dir, f'{ca_name}.pem')
+                write_file(cert_file_path,
+                   '\n'.join(encode_certificate(c) for c in cert_full_chain))
 
-                with open(ca_cert_file_path, 'w') as f:
-                    f.write(wrap_certificate(pki_ca_cert['certificate']))
+                if 'private' in pki_cert and 'key' in pki_cert['private']:
+                    loaded_key = load_private_key(pki_cert['private']['key'], passphrase=None, wrap_tags=True)
+                    key_pem = encode_private_key(loaded_key, passphrase=None)
+                    write_file(cert_key_path, key_pem)
 
     # SSL Certificates for backend
     for back, back_config in lb['backend'].items():
-        if 'ssl' in back_config:
+        if 'ssl' not in back_config:
+            continue
 
-            if 'ca_certificate' in back_config['ssl']:
-                ca_name = back_config['ssl']['ca_certificate']
-                pki_ca_cert = lb['pki']['ca'][ca_name]
-                ca_cert_file_path = os.path.join(load_balancing_dir, f'{ca_name}.pem')
+        if 'ca_certificate' in back_config['ssl']:
+            ca_name = back_config['ssl']['ca_certificate']
+            ca_cert_file_path = os.path.join(load_balancing_dir, f'{ca_name}.pem')
+            ca_chains = []
 
-                with open(ca_cert_file_path, 'w') as f:
-                    f.write(wrap_certificate(pki_ca_cert['certificate']))
+            pki_ca_cert = lb['pki']['ca'][ca_name]
+            loaded_ca_cert = load_certificate(pki_ca_cert['certificate'])
+            ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
+            ca_chains.append('\n'.join(encode_certificate(c) for c in ca_full_chain))
+            write_file(ca_cert_file_path, '\n'.join(ca_chains))
 
     render(load_balancing_conf_file, 'load-balancing/haproxy.cfg.j2', lb)
     render(systemd_override, 'load-balancing/override_haproxy.conf.j2', lb)
 
     return None
 
-
 def apply(lb):
     call('systemctl daemon-reload')
     if not lb:
diff --git a/src/conf_mode/nat_cgnat.py b/src/conf_mode/nat_cgnat.py
index 5ad65de80..957b12c28 100755
--- a/src/conf_mode/nat_cgnat.py
+++ b/src/conf_mode/nat_cgnat.py
@@ -252,7 +252,11 @@ def generate(config):
         ext_pool_name: str = rule_config['translation']['pool']
         int_pool_name: str = rule_config['source']['pool']
 
-        external_ranges: list = [range for range in config['pool']['external'][ext_pool_name]['range']]
+        # Sort the external ranges by sequence
+        external_ranges: list = sorted(
+            config['pool']['external'][ext_pool_name]['range'],
+            key=lambda r: int(config['pool']['external'][ext_pool_name]['range'][r].get('seq', 999999))
+        )
         internal_ranges: list = [range for range in config['pool']['internal'][int_pool_name]['range']]
         external_list_hosts_count = []
         external_list_hosts = []
diff --git a/src/op_mode/ikev2_profile_generator.py b/src/op_mode/ikev2_profile_generator.py
index 2b29f94bf..4ac4fb14a 100755
--- a/src/op_mode/ikev2_profile_generator.py
+++ b/src/op_mode/ikev2_profile_generator.py
@@ -144,15 +144,22 @@ tmp = reversed(tmp)
 data['rfqdn'] = '.'.join(tmp)
 
 pki = conf.get_config_dict(pki_base, get_first_key=True)
-ca_name = data['authentication']['x509']['ca_certificate']
 cert_name = data['authentication']['x509']['certificate']
 
-ca_cert = load_certificate(pki['ca'][ca_name]['certificate'])
-cert = load_certificate(pki['certificate'][cert_name]['certificate'])
+data['certs'] = []
+
+for ca_name in data['authentication']['x509']['ca_certificate']:
+    tmp = {}
+    ca_cert = load_certificate(pki['ca'][ca_name]['certificate'])
+    cert = load_certificate(pki['certificate'][cert_name]['certificate'])
+
+
+    tmp['ca_cn'] = ca_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+    tmp['cert_cn'] = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+    tmp['ca_cert'] = conf.value(pki_base + ['ca', ca_name, 'certificate'])
+
+    data['certs'].append(tmp)
 
-data['ca_cn'] = ca_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
-data['cert_cn'] = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
-data['ca_cert'] = conf.value(pki_base + ['ca', ca_name, 'certificate'])
 
 esp_proposals = conf.get_config_dict(ipsec_base + ['esp-group', data['esp_group'], 'proposal'],
                                      key_mangling=('-', '_'), get_first_key=True)
diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py
index 0d2d7076c..bdc16de15 100755
--- a/src/op_mode/image_installer.py
+++ b/src/op_mode/image_installer.py
@@ -40,13 +40,14 @@ from vyos.template import render
 from vyos.utils.io import ask_input, ask_yes_no, select_entry
 from vyos.utils.file import chmod_2775
 from vyos.utils.process import cmd, run
-from vyos.version import get_remote_version
+from vyos.version import get_remote_version, get_version_data
 
 # define text messages
 MSG_ERR_NOT_LIVE: str = 'The system is already installed. Please use "add system image" instead.'
 MSG_ERR_LIVE: str = 'The system is in live-boot mode. Please use "install image" instead.'
 MSG_ERR_NO_DISK: str = 'No suitable disk was found. There must be at least one disk of 2GB or greater size.'
 MSG_ERR_IMPROPER_IMAGE: str = 'Missing sha256sum.txt.\nEither this image is corrupted, or of era 1.2.x (md5sum) and would downgrade image tools;\ndisallowed in either case.'
+MSG_ERR_ARCHITECTURE_MISMATCH: str = 'Upgrading to a different image architecture will break your system.'
 MSG_INFO_INSTALL_WELCOME: str = 'Welcome to VyOS installation!\nThis command will install VyOS to your permanent storage.'
 MSG_INFO_INSTALL_EXIT: str = 'Exiting from VyOS installation'
 MSG_INFO_INSTALL_SUCCESS: str = 'The image installed successfully; please reboot now.'
@@ -79,6 +80,9 @@ MSG_WARN_ROOT_SIZE_TOOSMALL: str = 'The size is too small. Try again'
 MSG_WARN_IMAGE_NAME_WRONG: str = 'The suggested name is unsupported!\n'\
 'It must be between 1 and 64 characters long and contains only the next characters: .+-_ a-z A-Z 0-9'
 MSG_WARN_PASSWORD_CONFIRM: str = 'The entered values did not match. Try again'
+MSG_WARN_FLAVOR_MISMATCH: str = 'The running image flavor is "{0}". The new image flavor is "{1}".\n' \
+'Installing a different image flavor may cause functionality degradation or break your system.\n' \
+'Do you want to continue with installation?'
 CONST_MIN_DISK_SIZE: int = 2147483648  # 2 GB
 CONST_MIN_ROOT_SIZE: int = 1610612736  # 1.5 GB
 # a reserved space: 2MB for header, 1 MB for BIOS partition, 256 MB for EFI
@@ -693,6 +697,31 @@ def is_raid_install(install_object: Union[disk.DiskDetails, raid.RaidDetails]) -
     return False
 
 
+def validate_compatibility(iso_path: str) -> None:
+    """Check architecture and flavor compatibility with the running image
+
+    Args:
+        iso_path (str): a path to the mounted ISO image
+    """
+    old_data = get_version_data()
+    old_flavor = old_data.get('flavor', '')
+    old_architecture = old_data.get('architecture') or cmd('dpkg --print-architecture')
+
+    new_data = get_version_data(f'{iso_path}/version.json')
+    new_flavor = new_data.get('flavor', '')
+    new_architecture = new_data.get('architecture', '')
+
+    if not old_architecture == new_architecture:
+        print(MSG_ERR_ARCHITECTURE_MISMATCH)
+        cleanup()
+        exit(MSG_INFO_INSTALL_EXIT)
+
+    if not old_flavor == new_flavor:
+        if not ask_yes_no(MSG_WARN_FLAVOR_MISMATCH.format(old_flavor, new_flavor), default=False):
+            cleanup()
+            exit(MSG_INFO_INSTALL_EXIT)
+
+
 def install_image() -> None:
     """Install an image to a disk
     """
@@ -876,6 +905,9 @@ def add_image(image_path: str, vrf: str = None, username: str = '',
         Path(DIR_ISO_MOUNT).mkdir(mode=0o755, parents=True)
         disk.partition_mount(iso_path, DIR_ISO_MOUNT, 'iso9660')
 
+        print('Validating image compatibility')
+        validate_compatibility(DIR_ISO_MOUNT)
+
         # check sums
         print('Validating image checksums')
         if not Path(DIR_ISO_MOUNT).joinpath('sha256sum.txt').exists():
diff --git a/src/op_mode/nat.py b/src/op_mode/nat.py
index 4ab524fb7..16a545cda 100755
--- a/src/op_mode/nat.py
+++ b/src/op_mode/nat.py
@@ -99,6 +99,23 @@ def _get_raw_translation(direction, family, address=None):
 
 
 def _get_formatted_output_rules(data, direction, family):
+    def _get_ports_for_output(my_dict):
+        # Get and insert all configured ports or port ranges into output string
+        for index, port in enumerate(my_dict['set']):
+            if 'range' in str(my_dict['set'][index]):
+                output = my_dict['set'][index]['range']
+                output = '-'.join(map(str, output))
+            else:
+                output = str(port)
+            if index == 0:
+                output = str(output)
+            else:
+                output = ','.join([output,output])
+        # Handle case where configured ports are a negated list
+        if my_dict['op'] == '!=':
+            output = '!' + output
+        return(output)
+
     # Add default values before loop
     sport, dport, proto = 'any', 'any', 'any'
     saddr = '::/0' if family == 'inet6' else '0.0.0.0/0'
@@ -126,21 +143,9 @@ def _get_formatted_output_rules(data, direction, family):
                     elif my_dict['field'] == 'daddr':
                         daddr = f'{op}{my_dict["prefix"]["addr"]}/{my_dict["prefix"]["len"]}'
                     elif my_dict['field'] == 'sport':
-                        # Port range or single port
-                        if jmespath.search('set[*].range', my_dict):
-                            sport = my_dict['set'][0]['range']
-                            sport = '-'.join(map(str, sport))
-                        else:
-                            sport = my_dict.get('set')
-                            sport = ','.join(map(str, sport))
+                        sport = _get_ports_for_output(my_dict)
                     elif my_dict['field'] == 'dport':
-                        # Port range or single port
-                        if jmespath.search('set[*].range', my_dict):
-                            dport = my_dict["set"][0]["range"]
-                            dport = '-'.join(map(str, dport))
-                        else:
-                            dport = my_dict.get('set')
-                            dport = ','.join(map(str, dport))
+                        dport = _get_ports_for_output(my_dict)
                 else:
                     field = jmespath.search('left.payload.field', match)
                     if field == 'saddr':
diff --git a/src/services/vyos-http-api-server b/src/services/vyos-http-api-server
index ecbf6fcf9..7f5233c6b 100755
--- a/src/services/vyos-http-api-server
+++ b/src/services/vyos-http-api-server
@@ -23,16 +23,17 @@ import logging
 import signal
 import traceback
 import threading
+from enum import Enum
 
 from time import sleep
-from typing import List, Union, Callable, Dict
+from typing import List, Union, Callable, Dict, Self
 
 from fastapi import FastAPI, Depends, Request, Response, HTTPException
 from fastapi import BackgroundTasks
 from fastapi.responses import HTMLResponse
 from fastapi.exceptions import RequestValidationError
 from fastapi.routing import APIRoute
-from pydantic import BaseModel, StrictStr, validator
+from pydantic import BaseModel, StrictStr, validator, model_validator
 from starlette.middleware.cors import CORSMiddleware
 from starlette.datastructures import FormData
 from starlette.formparsers import FormParser, MultiPartParser
@@ -177,16 +178,35 @@ class ConfigFileModel(ApiModel):
             }
         }
 
+
+class ImageOp(str, Enum):
+    add = "add"
+    delete = "delete"
+    show = "show"
+    set_default = "set_default"
+
+
 class ImageModel(ApiModel):
-    op: StrictStr
+    op: ImageOp
     url: StrictStr = None
     name: StrictStr = None
 
+    @model_validator(mode='after')
+    def check_data(self) -> Self:
+        if self.op == 'add':
+            if not self.url:
+                raise ValueError("Missing required field \"url\"")
+        elif self.op in ['delete', 'set_default']:
+            if not self.name:
+                raise ValueError("Missing required field \"name\"")
+
+        return self
+
     class Config:
         schema_extra = {
             "example": {
                 "key": "id_key",
-                "op": "add | delete",
+                "op": "add | delete | show | set_default",
                 "url": "imagelocation",
                 "name": "imagename",
             }
@@ -668,19 +688,13 @@ def image_op(data: ImageModel):
 
     try:
         if op == 'add':
-            if data.url:
-                url = data.url
-            else:
-                return error(400, "Missing required field \"url\"")
-            res = session.install_image(url)
+            res = session.install_image(data.url)
         elif op == 'delete':
-            if data.name:
-                name = data.name
-            else:
-                return error(400, "Missing required field \"name\"")
-            res = session.remove_image(name)
-        else:
-            return error(400, f"'{op}' is not a valid operation")
+            res = session.remove_image(data.name)
+        elif op == 'show':
+            res = session.show(["system", "image"])
+        elif op == 'set_default':
+            res = session.set_default_image(data.name)
     except ConfigSessionError as e:
         return error(400, str(e))
     except Exception as e: