summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2024-01-09pki: T5911: fix service update algorithm if certificate name contains a ↵Christian Breunig
hyphen (-) When testing for changed PKI certificates using node_changed(), we should not use key_mangling=('-', '_'), as this will make certificate updates with a hypen not possible.
2024-01-09https: T5902: remove virtual-host configurationChristian Breunig
We have not seen the adoption of the https virtual-host CLI option. What it did? * Create multiple webservers each listening on a different IP/port (but in the same VRF) * All webservers shared one common document root * All webservers shared the same SSL certificates * All webservers could have had individual allow-client configurations * API could be enabled for a particular virtual-host but was always enabled on the default host This configuration tried to provide a full webserver via the CLI but VyOS is a router and the Webserver is there for an API or to serve files for a local-ui. Changes Remove support for virtual-hosts as it's an incomplete and thus mostly useless "thing". Migrate all allow-client statements to one top-level allow statement.
2024-01-07Merge pull request #2768 from c-po/pki-ipsec-T5905Christian Breunig
pki: T5905: do not use expand_nodes=Diff.ADD|Diff.DELETE) in node_changed()
2024-01-07Merge pull request #2769 from c-po/T5195-penaltyChristian Breunig
smoketest: T5195: fix BasicInterfaceTest tearDown() timeout penalty
2024-01-07smoketest: T5195: fix BasicInterfaceTest tearDown() timeout penaltyChristian Breunig
Commit ad9bdfc24 ("T5195: add timeout argument to process_named_running()") added a 2*10 seconds penalty for every interface test (dhcp and dhcpv6). This leads to long runs of "make test" after an ISO build. There is no need to wait 10 seconds for a test that checks for a process not running. The timeout is there to give the process some time to startup.
2024-01-07Merge pull request #2760 from bluknight/currentChristian Breunig
image: T5898: fix kernel-level partition rescan
2024-01-07pki: T5905: do not use expand_nodes=Diff.ADD|Diff.DELETE) in node_changed()Christian Breunig
This fixes a priority inversion when doing initial certificate commits. * pki subsystem is executed with priority 300 * vti uses priority 381 * ipsec uses priority 901 On commit pki.py will be executed first, detecting a change in dependencies for vpn_ipsec.py which will be executed second. The VTI interface was yet not created leading to ConfigError('VTI interface XX for site-to-site peer YY does not exist!') The issue is caused by this new line of code in commit b8db1a9d7ba ("pki: T5886: add support for ACME protocol (LetsEncrypt)") file src/conf_mode/pki.py line 139 which triggers the dependency update even if a key is newly added. This commit changes the "detection" based on the cerbot configuration on disk.
2024-01-07ipsec: T5905: use interface_exists() wrapper over raw calls to os.path.exists()Christian Breunig
2024-01-07smoketest: T5905: always delete pki in ipsec test startupChristian Breunig
2024-01-07Merge pull request #2758 from c-po/certbot-T5886Christian Breunig
pki: T5886: add support for ACME protocol (LetsEncrypt)
2024-01-07Merge pull request #2765 from c-po/op-mode-ipv6-vrfChristian Breunig
op-mode: T5904: add "show ipv6 route vrf <name> <prefix>" command
2024-01-07Merge pull request #2764 from c-po/T5195-processChristian Breunig
T5195: add timeout argument to process_named_running()
2024-01-06op-mode: T5904: add "show ipv6 route vrf <name> <prefix>" commandChristian Breunig
We've always had a command to display discrete IPv6 routes/prefixes within the global VRF. This commit also adds support for a discrete VRF. vyos@vyos:~$ show ipv6 route vrf <name> Possible completions: <Enter> Execute the current command <h:h:h:h:h:h:h:h> Show IPv6 routes of given address or prefix <h:h:h:h:h:h:h:h/x>
2024-01-06T5195: add timeout argument to process_named_running()Christian Breunig
Smoketests heavily rely on process_named_running() so in order to "relax" system constraints during a test we will add a timeout of 10 seconds for every testcase provided by base_interfaces_test.py
2024-01-06Merge pull request #2761 from c-po/t5900-fixupChristian Breunig
dns: T5900: fix smoketests for serve-stale-extension and exclude-throttle-address
2024-01-06dns: T5900: fix smoketests for serve-stale-extension and ↵Christian Breunig
exclude-throttle-address This fixes commit 199ceb1f0a ("dns: T5900: add dont-throttle-netmasks and serve-stale-extensions powerdns features") where after the latest review round the Jinja2 template was inconsitently changed and smoketests were not re-run.
2024-01-06image: T5898: fix kernel-level partition rescanMatt Clauson
This fix moves from partprobe to partx to rescan the partition table on an affected disk.
2024-01-06dns: T5900: add dont-throttle-netmasks and serve-stale-extensions powerdns ↵fvlaicu
features
2024-01-06https: T5886: migrate https certbot to new "pki certificate" CLI treeChristian Breunig
2024-01-06pki: T5886: add op-mode commands for log and renewalChristian Breunig
* show log certbot * monitor log certbot * renew certbot
2024-01-06pki: T5886: add support for ACME protocol (LetsEncrypt)Christian Breunig
The "idea" of this PR is to add new CLI nodes under the pki subsystem to activate ACME for any given certificate. vyos@vyos# set pki certificate NAME acme Possible completions: + domain-name Domain Name email Email address to associate with certificate listen-address Local IPv4 addresses to listen on rsa-key-size Size of the RSA key (default: 2048) url Remote URL (default: https://acme-v02.api.letsencrypt.org/directory) Users choose if the CLI based custom certificates are used set pki certificate EXAMPLE acme certificate <base64> or if it should be generated via ACME. The ACME server URL defaults to LetsEncrypt but can be changed to their staging API for testing to not get blacklisted. set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory Certificate retrieval has a certbot --dry-run stage in verify() to see if it can be generated. After successful generation, the certificate is stored in under /config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set interfaces ethernet eth0 eapol certificate EXAMPLE) we call vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the base64 encoded certificate into the JSON data structure normally used when using a certificate set by the CLI. Using this "design" does not need any change to any other code referencing the PKI system, as the base64 encoded certificate is already there. certbot renewal will call the PKI python script to trigger dependency updates.
2024-01-04Merge pull request #2749 from c-po/kernel-6.6Christian Breunig
smoketests: T5887: remove IXGB driver
2024-01-04T5159: nat: add option to map network and ports. Feature used for large ↵Nicolás Fort
deployments in cgnat. (#2694)
2024-01-04Merge pull request #2752 from tjjh89017/T5897Viacheslav Hletenko
T5897: frr should be stopped before vyos-router
2024-01-04T5897: frr should be stopped before vyos-routerDate Huang
Signed-off-by: Date Huang <tjjh89017@hotmail.com>
2024-01-04Merge pull request #2750 from c-po/configdict-T5894Christian Breunig
configdict: T5894: add get_config_dict() flag with_pki
2024-01-04configdict: T5894: add get_config_dict() flag with_pkiChristian Breunig
VyOS has several services relaying on the PKI CLI tree to retrieve certificates. Consuming services like ethernet, openvpn or ipsec all re-implemented the same code to retrieve the certificates from the CLI. This commit extends the signature of get_config_dict() with a new option with_pki that defaults to false. If this option is set, the PKI CLI tree will be blended into the resulting dictionary.
2024-01-03smoketests: T5887: remove IXGB driverChristian Breunig
From Kernel commit e485f3a6eae0 ("ixgb: Remove ixgb driver") There are likely no users of this driver as the hardware has been discontinued since 2010. Remove the driver and all references to it in documentation.
2024-01-03configdict: T5837: node_changed() shall not return duplicate list itemsChristian Breunig
This extends commit 4ee406470 ("configdict: T5837: add support to return added nodes when calling node_changed()") so no duplicate list elements get returned.
2024-01-03xml: T5738: add constraint building block with alphanumeric, hypen, ↵Christian Breunig
underscore and dot
2024-01-03Merge pull request #2746 from MattKobayashi/t5890Christian Breunig
op-mode: T5890: Fix arguments passed to generate_system_login_user.py
2024-01-03op-mode: T5890: Fix arguments passed to generate_system_login_user.pyMatthew Kobayashi
2024-01-02op-mode: T5884: correct "generate wireguard" help stringhwlnx
2024-01-02Merge pull request #2743 from nicolas-fort/T5888Christian Breunig
T5888: fix migration script in order to fit new type-names for icmp and icmpv6
2024-01-02T5888: fix migration script in order to fit new type-names for icmp and icmpv6.Nicolas Fort
2024-01-02Merge pull request #2736 from c-po/configd-includeChristian Breunig
vyos-configd: extend list of included scripts
2024-01-02Merge pull request #2739 from c-po/cli-validators-base64Daniil Baturin
T3642: add missing base64 CLI validators
2024-01-02pki: T3642: add missing base64 constraint on PEM keysChristian Breunig
2024-01-01wireguard: T3642: use base64 validatorChristian Breunig
2024-01-01Merge pull request #2737 from jestabro/len-image-nameChristian Breunig
image-tools: T5885: relax restriction on image-name len from 32 to 64
2024-01-01image-tools: T5885: relax restriction on image-name len from 32 to 64John Estabrook
2024-01-01vyos-configd: T4942: include config-management scriptChristian Breunig
2024-01-01vyos-configd: T563: include webproxy scriptChristian Breunig
2024-01-01vyos-configd: T4222: include SLA (OWAMP and TWAMP) scriptChristian Breunig
2024-01-01vyos-configd: T5261: include AWS GLB scriptChristian Breunig
2024-01-01Merge pull request #2731 from jestabro/copy-preserve-ownerJohn Estabrook
image-tools: T5883: preserve file owner in /config on add system update
2024-01-01Merge pull request #2728 from c-po/verify-T5880Viacheslav Hletenko
T5880: verify_source_interface() should not allow dynamic interfaces like ppp, l2tp, ipoe or sstpc client interfaces
2024-01-01Merge pull request #2726 from c-po/login-T5875-part2Christian Breunig
login: T5875: restore home directory permissions only when needed
2024-01-01Merge pull request #2724 from sever-sever/T3476Christian Breunig
T3476: Add option latest to add system image
2023-12-31image-tools: T5883: preserve file owner in /config on add system updateJohn Estabrook