Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/firewall.py1
-rwxr-xr-xsrc/conf_mode/interfaces_openvpn.py28
-rwxr-xr-xsrc/conf_mode/service_monitoring_prometheus.py54
-rw-r--r--src/etc/udev/rules.d/90-vyos-serial.rules2
-rw-r--r--src/op_mode/tech_support.py19
-rwxr-xr-xsrc/services/vyos-configd4
-rwxr-xr-xsrc/services/vyos-domain-resolver (renamed from src/helpers/vyos-domain-resolver.py)14
-rw-r--r--src/systemd/vyos-domain-resolver.service4
8 files changed, 104 insertions, 22 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index ffbd915a2..10d389d73 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -43,7 +43,6 @@ airbag.enable()
nftables_conf = '/run/nftables.conf'
domain_resolver_usage = '/run/use-vyos-domain-resolver-firewall'
-domain_resolver_usage_nat = '/run/use-vyos-domain-resolver-nat'
sysctl_file = r'/run/sysctl/10-vyos-firewall.conf'
diff --git a/src/conf_mode/interfaces_openvpn.py b/src/conf_mode/interfaces_openvpn.py
index 8c1213e2b..a9b4e570d 100755
--- a/src/conf_mode/interfaces_openvpn.py
+++ b/src/conf_mode/interfaces_openvpn.py
@@ -32,6 +32,7 @@ from vyos.base import DeprecationWarning
from vyos.config import Config
from vyos.configdict import get_interface_dict
from vyos.configdict import is_node_changed
+from vyos.configdiff import get_config_diff
from vyos.configverify import verify_vrf
from vyos.configverify import verify_bridge_delete
from vyos.configverify import verify_mirror_redirect
@@ -94,6 +95,23 @@ def get_config(config=None):
if 'deleted' in openvpn:
return openvpn
+ if not is_node_changed(conf, base) and dict_search_args(openvpn, 'tls'):
+ diff = get_config_diff(conf)
+ if diff.get_child_nodes_diff(['pki'], recursive=True).get('add') == ['ca', 'certificate']:
+ crl_path = os.path.join(cfg_dir, f'{ifname}_crl.pem')
+ if os.path.exists(crl_path):
+ # do not restart service when changed only CRL and crl file already exist
+ openvpn.update({'no_restart_crl': True})
+ for rec in diff.get_child_nodes_diff(['pki', 'ca'], recursive=True).get('add'):
+ if diff.get_child_nodes_diff(['pki', 'ca', rec], recursive=True).get('add') != ['crl']:
+ openvpn.update({'no_restart_crl': False})
+ break
+ if openvpn.get('no_restart_crl'):
+ for rec in diff.get_child_nodes_diff(['pki', 'certificate'], recursive=True).get('add'):
+ if diff.get_child_nodes_diff(['pki', 'certificate', rec], recursive=True).get('add') != ['revoke']:
+ openvpn.update({'no_restart_crl': False})
+ break
+
if is_node_changed(conf, base + [ifname, 'openvpn-option']):
openvpn.update({'restart_required': {}})
if is_node_changed(conf, base + [ifname, 'enable-dco']):
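Review bot: The `no_restart_crl` decision in `get_config` inspects only the `add` side of each `get_child_nodes_diff` result, so a commit that revokes a certificate and also deletes other PKI nodes could, as far as this hunk shows, still be classified as CRL-only and skip the service reload. If the diff result exposes a delete side, require it to be empty before setting the flag. The loops also iterate `.get('add')` directly, which would raise a `TypeError` if the key is ever missing; `.get('add') or []` avoids that. The exact match `== ['ca', 'certificate']` depends on the order the diff returns, which deserves a comment such as `# any other combination falls back to the normal reload/restart`. The body of `get_config` starts and ends outside the hunk.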
@@ -786,10 +804,12 @@ def apply(openvpn):
# No matching OpenVPN process running - maybe it got killed or none
# existed - nevertheless, spawn new OpenVPN process
- action = 'reload-or-restart'
- if 'restart_required' in openvpn:
- action = 'restart'
- call(f'systemctl {action} openvpn@{interface}.service')
+
+ if not openvpn.get('no_restart_crl'):
+ action = 'reload-or-restart'
+ if 'restart_required' in openvpn:
+ action = 'restart'
+ call(f'systemctl {action} openvpn@{interface}.service')
o = VTunIf(**openvpn)
o.update(openvpn)
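Review bot: When `no_restart_crl` is set, `apply` issues neither a reload nor a restart, so a client whose certificate was just revoked keeps its established session until it reconnects or renegotiates TLS. Previously the `reload-or-restart` presumably dropped that session. OpenVPN re-reads the `crl-verify` file for new connections, so new logins are rejected, but the delayed cut-off for existing sessions is a change in revocation behaviour. Document it at the guard, for example `# CRL-only change: OpenVPN re-reads the CRL on new connections; already connected revoked clients stay up until renegotiation`. The body of `apply` starts outside the hunk.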
diff --git a/src/conf_mode/service_monitoring_prometheus.py b/src/conf_mode/service_monitoring_prometheus.py
index e0a9fc4ef..42628b05c 100755
--- a/src/conf_mode/service_monitoring_prometheus.py
+++ b/src/conf_mode/service_monitoring_prometheus.py
@@ -35,6 +35,9 @@ node_exporter_systemd_service = 'node_exporter.service'
frr_exporter_service_file = '/etc/systemd/system/frr_exporter.service'
frr_exporter_systemd_service = 'frr_exporter.service'
+blackbox_exporter_service_file = '/etc/systemd/system/blackbox_exporter.service'
+blackbox_exporter_systemd_service = 'blackbox_exporter.service'
+
def get_config(config=None):
if config:
@@ -57,6 +60,12 @@ def get_config(config=None):
if tmp:
monitoring.update({'frr_exporter_restart_required': {}})
+ tmp = False
+ for node in ['vrf', 'config-file']:
+ tmp = tmp or is_node_changed(conf, base + ['blackbox-exporter', node])
+ if tmp:
+ monitoring.update({'blackbox_exporter_restart_required': {}})
+
return monitoring
@@ -70,6 +79,22 @@ def verify(monitoring):
if 'frr_exporter' in monitoring:
verify_vrf(monitoring['frr_exporter'])
+ if 'blackbox_exporter' in monitoring:
+ verify_vrf(monitoring['blackbox_exporter'])
+
+ if (
+ 'modules' in monitoring['blackbox_exporter']
+ and 'dns' in monitoring['blackbox_exporter']['modules']
+ and 'name' in monitoring['blackbox_exporter']['modules']['dns']
+ ):
+ for mod_name, mod_config in monitoring['blackbox_exporter']['modules'][
+ 'dns'
+ ]['name'].items():
+ if 'query_name' not in mod_config:
+ raise ConfigError(
+ f'query name not specified in dns module {mod_name}'
+ )
+
return None
@@ -84,6 +109,11 @@ def generate(monitoring):
if os.path.isfile(frr_exporter_service_file):
os.unlink(frr_exporter_service_file)
+ if not monitoring or 'blackbox_exporter' not in monitoring:
+ # Delete systemd files
+ if os.path.isfile(blackbox_exporter_service_file):
+ os.unlink(blackbox_exporter_service_file)
+
if not monitoring:
return None
@@ -103,6 +133,20 @@ def generate(monitoring):
monitoring['frr_exporter'],
)
+ if 'blackbox_exporter' in monitoring:
+ # Render blackbox_exporter service_file
+ render(
+ blackbox_exporter_service_file,
+ 'prometheus/blackbox_exporter.service.j2',
+ monitoring['blackbox_exporter'],
+ )
+ # Render blackbox_exporter config file
+ render(
+ '/run/blackbox_exporter/config.yml',
+ 'prometheus/blackbox_exporter.yml.j2',
+ monitoring['blackbox_exporter'],
+ )
+
return None
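Review bot: The rendered config path `'/run/blackbox_exporter/config.yml'` is a string literal here in `generate`, and the cleanup branch added in the earlier hunk of the same function unlinks only `blackbox_exporter_service_file`, so the config file is left behind when the exporter is removed. Define a module constant next to the other two, `blackbox_exporter_config_file = '/run/blackbox_exporter/config.yml'`, and unlink it in the same `if not monitoring or 'blackbox_exporter' not in monitoring:` branch. If the template can ever carry probe credentials (not visible here), the file mode passed to `render` should also be set explicitly rather than left at the default.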
@@ -113,6 +157,8 @@ def apply(monitoring):
call(f'systemctl stop {node_exporter_systemd_service}')
if not monitoring or 'frr_exporter' not in monitoring:
call(f'systemctl stop {frr_exporter_systemd_service}')
+ if not monitoring or 'blackbox_exporter' not in monitoring:
+ call(f'systemctl stop {blackbox_exporter_systemd_service}')
if not monitoring:
return
@@ -133,6 +179,14 @@ def apply(monitoring):
call(f'systemctl {systemd_action} {frr_exporter_systemd_service}')
+ if 'blackbox_exporter' in monitoring:
+ # we need to restart the service if e.g. the VRF name changed
+ systemd_action = 'reload-or-restart'
+ if 'blackbox_exporter_restart_required' in monitoring:
+ systemd_action = 'restart'
+
+ call(f'systemctl {systemd_action} {blackbox_exporter_systemd_service}')
+
if __name__ == '__main__':
try:
diff --git a/src/etc/udev/rules.d/90-vyos-serial.rules b/src/etc/udev/rules.d/90-vyos-serial.rules
index 30c1d3170..f86b2258f 100644
--- a/src/etc/udev/rules.d/90-vyos-serial.rules
+++ b/src/etc/udev/rules.d/90-vyos-serial.rules
@@ -8,7 +8,7 @@ SUBSYSTEMS=="pci", IMPORT{builtin}="hwdb --subsystem=pci"
SUBSYSTEMS=="usb", IMPORT{builtin}="usb_id", IMPORT{builtin}="hwdb --subsystem=usb"
# /dev/serial/by-path/, /dev/serial/by-id/ for USB devices
-KERNEL!="ttyUSB[0-9]*", GOTO="serial_end"
+KERNEL!="ttyUSB[0-9]*|ttyACM[0-9]*", GOTO="serial_end"
SUBSYSTEMS=="usb-serial", ENV{.ID_PORT}="$attr{port_number}"
diff --git a/src/op_mode/tech_support.py b/src/op_mode/tech_support.py
index f60bb87ff..24ac0af1b 100644
--- a/src/op_mode/tech_support.py
+++ b/src/op_mode/tech_support.py
@@ -97,21 +97,22 @@ def _get_boot_config():
return strip_config_source(config)
def _get_config_scripts():
- from os import listdir
+ from os import walk
from os.path import join
from vyos.utils.file import read_file
scripts = []
dir = '/config/scripts'
- for f in listdir(dir):
- script = {}
- path = join(dir, f)
- data = read_file(path)
- script["path"] = path
- script["data"] = data
-
- scripts.append(script)
+ for dirpath, _, filenames in walk(dir):
+ for filename in filenames:
+ script = {}
+ path = join(dirpath, filename)
+ data = read_file(path)
+ script["path"] = path
+ script["data"] = data
+
+ scripts.append(script)
return scripts
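Review bot: The recursive walk in `_get_config_scripts` now reads every file below `/config/scripts` into the tech-support output, including symlinked files whose targets lie outside that tree and any non-text or large files kept in subdirectories. That widens what can leak into a support bundle, and a binary file may make `read_file` fail, depending on how it decodes. Skip anything that is not a plain regular file, for example `if islink(path) or not isfile(path): continue`, and consider a size cap before `read_file(path)`. The local name `dir` also shadows the builtin; `scripts_dir` would be clearer.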
diff --git a/src/services/vyos-configd b/src/services/vyos-configd
index d558e8c26..e4655fdf7 100755
--- a/src/services/vyos-configd
+++ b/src/services/vyos-configd
@@ -335,7 +335,7 @@ if __name__ == '__main__':
if hasattr(config, 'frrender_cls') and res == R_SUCCESS:
frrender_cls = getattr(config, 'frrender_cls')
tmp = get_frrender_dict(config)
- frrender_cls.generate(tmp)
- frrender_cls.apply()
+ if frrender_cls.generate(tmp):
+ frrender_cls.apply()
else:
logger.critical(f'Unexpected message: {message}')
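Review bot: `frrender_cls.apply()` is now skipped silently whenever `frrender_cls.generate(tmp)` returns a falsy value, and the return contract of `generate` is not visible in this hunk. If any success path returns `None`, the rendered FRR configuration would never be applied and nothing would be logged. Document the expected return value at the call site and log the skip, e.g. `logger.debug('FRR render unchanged, skipping apply')` in an `else:` branch. The enclosing block starts and ends outside the hunk.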
diff --git a/src/helpers/vyos-domain-resolver.py b/src/services/vyos-domain-resolver
index f5a1d9297..bc74a05d1 100755
--- a/src/helpers/vyos-domain-resolver.py
+++ b/src/services/vyos-domain-resolver
@@ -16,6 +16,7 @@
import json
import time
+import logging
from vyos.configdict import dict_merge
from vyos.configquery import ConfigTreeQuery
@@ -48,6 +49,11 @@ ipv6_tables = {
'ip6 raw'
}
+logger = logging.getLogger(__name__)
+logs_handler = logging.StreamHandler()
+logger.addHandler(logs_handler)
+logger.setLevel(logging.INFO)
+
def get_config(conf, node):
node_config = conf.get_config_dict(node, key_mangling=('-', '_'), get_first_key=True,
no_tag_node_value_mangle=True)
@@ -163,15 +169,15 @@ def update_fqdn(config, node):
nft_conf_str = "\n".join(conf_lines) + "\n"
code = run(f'nft --file -', input=nft_conf_str)
- print(f'Updated {count} sets in {node} - result: {code}')
+ logger.info(f'Updated {count} sets in {node} - result: {code}')
if __name__ == '__main__':
- print(f'VyOS domain resolver')
+ logger.info(f'VyOS domain resolver')
count = 1
while commit_in_progress():
if ( count % 60 == 0 ):
- print(f'Commit still in progress after {count}s - waiting')
+ logger.info(f'Commit still in progress after {count}s - waiting')
count += 1
time.sleep(1)
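Review bot: The `nft --file -` exit code in `update_fqdn` is still only interpolated into an INFO message, so a failed set update looks the same in the journal as a successful one. A failure leaves the firewall/NAT domain sets stale, so log it at error level: `if code != 0: logger.error(f'Failed to update {count} sets in {node} - result: {code}')`. As a style point, `logger.info(f'VyOS domain resolver')` is an f-string without placeholders, and the other calls could use lazy `%s` arguments instead of f-strings. `update_fqdn` starts outside the hunk.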
@@ -179,7 +185,7 @@ if __name__ == '__main__':
firewall = get_config(conf, base_firewall)
nat = get_config(conf, base_nat)
- print(f'interval: {timeout}s - cache: {cache}')
+ logger.info(f'interval: {timeout}s - cache: {cache}')
while True:
update_fqdn(firewall, 'firewall')
diff --git a/src/systemd/vyos-domain-resolver.service b/src/systemd/vyos-domain-resolver.service
index e63ae5e34..87a4748f4 100644
--- a/src/systemd/vyos-domain-resolver.service
+++ b/src/systemd/vyos-domain-resolver.service
@@ -6,7 +6,9 @@ ConditionPathExistsGlob=/run/use-vyos-domain-resolver*
[Service]
Type=simple
Restart=always
-ExecStart=/usr/bin/python3 -u /usr/libexec/vyos/vyos-domain-resolver.py
+ExecStart=/usr/bin/python3 -u /usr/libexec/vyos/services/vyos-domain-resolver
+SyslogIdentifier=vyos-domain-resolver
+SyslogFacility=daemon
StandardError=journal
StandardOutput=journal