Age  Commit message  Author
2024-01-06  pki: T5886: add support for ACME protocol (LetsEncrypt)  [Christian Breunig]
The "idea" of this PR is to add new CLI nodes under the pki subsystem to activate ACME for any given certificate.

    vyos@vyos# set pki certificate NAME acme
    Possible completions:
    +  domain-name       Domain Name
       email             Email address to associate with certificate
       listen-address    Local IPv4 addresses to listen on
       rsa-key-size      Size of the RSA key (default: 2048)
       url               Remote URL (default: https://acme-v02.api.letsencrypt.org/directory)

Users choose if the CLI based custom certificates are used

    set pki certificate EXAMPLE acme certificate <base64>

or if it should be generated via ACME. The ACME server URL defaults to LetsEncrypt but can be changed to their staging API for testing to not get blacklisted.

    set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory

Certificate retrieval has a certbot --dry-run stage in verify() to see if it can be generated. After successful generation, the certificate is stored under /config/auth/letsencrypt.

Once a certificate is referenced in the CLI (e.g. set interfaces ethernet eth0 eapol certificate EXAMPLE) we call vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the base64 encoded certificate into the JSON data structure normally used when using a certificate set by the CLI.

Using this "design" does not need any change to any other code referencing the PKI system, as the base64 encoded certificate is already there.

certbot renewal will call the PKI python script to trigger dependency updates.
2024-01-04  Merge pull request #2749 from c-po/kernel-6.6  [Christian Breunig]
smoketests: T5887: remove IXGB driver
2024-01-04  T5159: nat: add option to map network and ports. Feature used for large deployments in cgnat. (#2694)  [Nicolás Fort]
2024-01-04  Merge pull request #2752 from tjjh89017/T5897  [Viacheslav Hletenko]
T5897: frr should be stopped before vyos-router
2024-01-04  T5897: frr should be stopped before vyos-router  [Date Huang]
Signed-off-by: Date Huang <tjjh89017@hotmail.com>
2024-01-04  Merge pull request #2750 from c-po/configdict-T5894  [Christian Breunig]
configdict: T5894: add get_config_dict() flag with_pki
2024-01-04  configdict: T5894: add get_config_dict() flag with_pki  [Christian Breunig]
VyOS has several services relying on the PKI CLI tree to retrieve certificates. Consuming services like ethernet, openvpn or ipsec all re-implemented the same code to retrieve the certificates from the CLI.

This commit extends the signature of get_config_dict() with a new option with_pki that defaults to false. If this option is set, the PKI CLI tree will be blended into the resulting dictionary.
2024-01-03  smoketests: T5887: remove IXGB driver  [Christian Breunig]
From Kernel commit e485f3a6eae0 ("ixgb: Remove ixgb driver"):

    There are likely no users of this driver as the hardware has been discontinued since 2010. Remove the driver and all references to it in documentation.
2024-01-03  configdict: T5837: node_changed() shall not return duplicate list items  [Christian Breunig]
This extends commit 4ee406470 ("configdict: T5837: add support to return added nodes when calling node_changed()") so no duplicate list elements get returned.
2024-01-03  xml: T5738: add constraint building block with alphanumeric, hyphen, underscore and dot  [Christian Breunig]
2024-01-03  Merge pull request #2746 from MattKobayashi/t5890  [Christian Breunig]
op-mode: T5890: Fix arguments passed to generate_system_login_user.py
2024-01-03  op-mode: T5890: Fix arguments passed to generate_system_login_user.py  [Matthew Kobayashi]
2024-01-02  op-mode: T5884: correct "generate wireguard" help string  [hwlnx]
2024-01-02  Merge pull request #2743 from nicolas-fort/T5888  [Christian Breunig]
T5888: fix migration script in order to fit new type-names for icmp and icmpv6
2024-01-02  T5888: fix migration script in order to fit new type-names for icmp and icmpv6.  [Nicolas Fort]
2024-01-02  Merge pull request #2736 from c-po/configd-include  [Christian Breunig]
vyos-configd: extend list of included scripts
2024-01-02  Merge pull request #2739 from c-po/cli-validators-base64  [Daniil Baturin]
T3642: add missing base64 CLI validators
2024-01-02  pki: T3642: add missing base64 constraint on PEM keys  [Christian Breunig]
2024-01-01  wireguard: T3642: use base64 validator  [Christian Breunig]
2024-01-01  Merge pull request #2737 from jestabro/len-image-name  [Christian Breunig]
image-tools: T5885: relax restriction on image-name len from 32 to 64
2024-01-01  image-tools: T5885: relax restriction on image-name len from 32 to 64  [John Estabrook]
2024-01-01  vyos-configd: T4942: include config-management script  [Christian Breunig]
2024-01-01  vyos-configd: T563: include webproxy script  [Christian Breunig]
2024-01-01  vyos-configd: T4222: include SLA (OWAMP and TWAMP) script  [Christian Breunig]
2024-01-01  vyos-configd: T5261: include AWS GLB script  [Christian Breunig]
2024-01-01  Merge pull request #2731 from jestabro/copy-preserve-owner  [John Estabrook]
image-tools: T5883: preserve file owner in /config on add system update
2024-01-01  Merge pull request #2728 from c-po/verify-T5880  [Viacheslav Hletenko]
T5880: verify_source_interface() should not allow dynamic interfaces like ppp, l2tp, ipoe or sstpc client interfaces
2024-01-01  Merge pull request #2726 from c-po/login-T5875-part2  [Christian Breunig]
login: T5875: restore home directory permissions only when needed
2024-01-01  Merge pull request #2724 from sever-sever/T3476  [Christian Breunig]
T3476: Add option latest to add system image
2023-12-31  image-tools: T5883: preserve file owner in /config on add system update  [John Estabrook]
2024-01-01  tunnel: T5879: properly verify source-interface used for tunnels  [Christian Breunig]
A tunnel interface can not properly be sourced from a pppoe0 interface when such interface is not (yet) connected to the BRAS. It might work on a running system, but subsequent reboots will fail as the source-interface most likely does not yet exist.
2024-01-01  configverify: T5880: raise exception if interfaces sourced from dynamic interfaces  [Christian Breunig]
Interfaces matching the following regex (ppp|pppoe|sstpc|l2tp|ipoe)[0-9]+ can not be used as source-interface for e.g. a tunnel. The main reason is that these are dynamic interfaces which come and go from a kernel point of view, thus it's not possible to bind an interface to them.
2024-01-01  login: T5875: restore home directory permissions only when needed  [Christian Breunig]
This improves commit 3c990f49e ("login: T5875: restore home directory permissions when re-adding user account") in a way that the home directory owner is only altered if it differs from the expected owner. Without this change on every boot we would alter the owner which could increase the boot time if the home of a user is cluttered.
2024-01-01  Merge pull request #2729 from c-po/rename-T5474  [Christian Breunig]
T5474: establish common file name pattern for XML conf mode commands
2023-12-31  T5474: establish common file name pattern for XML conf mode commands  [Christian Breunig]
We will use _ as CLI level divider. The XML definition filename and also the Python helper should match the CLI node.

Example:
    set interfaces ethernet   -> interfaces_ethernet.xml.in
    set interfaces bond       -> interfaces_bond.xml.in
    set service dhcp-server   -> service_dhcp-server-xml.in
2023-12-31  Merge pull request #2696 from indrajitr/kea-lfc-fix  [Christian Breunig]
dhcp: T3316: Adjust kea lease files' location and permissions
2023-12-30  Merge pull request #2707 from lucasec/t5870  [Christian Breunig]
T5870: ipsec remote access VPN: add x509 ("pubkey") authentication.
2023-12-30  T5870: ipsec remote access VPN: add x509 ("pubkey") authentication.  [Lucas Christian]
2023-12-30  T3476: Add option latest to add system image  [Viacheslav Hletenko]
Add option `latest` for op-mode command `add system image`

If the update check is configured we can get the remote `latest` version from configure URL

```
set system update-check url 'https://example.com/version.json'
```

This way we can use "latest" option for image update:

```
add system image latest
```
2023-12-30  ipsec: T1210: extend remote-access smoketest with IP pool configuration  [Christian Breunig]
This extends commit 1a84c4d0e ("ipsec: T1210: add smoketest for remote-access (road-warrior) users") in a way that also the IPv4 pool and its DNS servers get validated. There is no separate IPv6 test, as both address families behave the same way when configuring these.
2023-12-30  Merge pull request #2722 from c-po/t1210-ipsec-smoketest  [Viacheslav Hletenko]
ipsec: T1210: add smoketest for remote-access (road-warrior) users
2023-12-30  ipsec: T1210: add smoketest for remote-access (road-warrior) users  [Christian Breunig]
2023-12-30  Merge pull request #2716 from c-po/login-t5875  [Christian Breunig]
login: T5875: restore home directory permissions when re-adding user account
2023-12-30  Merge pull request #2718 from indrajitr/shorten-domain-search-path  [Christian Breunig]
system: T5877: Shorten system domain-search config path
2023-12-30  smoketest: remove base accel-ppp testcase function comments  [Christian Breunig]
Python unittest framework treats the comments as test names during execution:

Example:
    test_accel_ipv4_pool (__main__.TestVPNPPTPServer.test_accel_ipv4_pool)
    Test accel-ppp IPv4 pool ... ok
2023-12-30  Merge pull request #2711 from aapostoliuk/T5688-fixes-2  [Christian Breunig]
T5688: Fixed ip pool migration scripts for l2tp, sstp, pppoe
2023-12-29  system: T5877: Update smoketests for domain-search and related config  [Indrajit Raychaudhuri]
In addition to testing for shortening the domain-search path, add and improve tests for other resolv.conf entries.
2023-12-29  system: T5877: Shorten system domain-search config path  [Indrajit Raychaudhuri]
Shorten and simplify `system domain-search` config path from:

```
set system domain-search domain <domain1>
```

to:

```
set system domain-search <domain1>
```

This will shorten the path and also make consistent with `domain-search` config in other places (like `dhcp-server`).
2023-12-29  login: T5875: restore home directory permissions when re-adding user account  [Christian Breunig]
After deleting a user account and working with a newly added account, we see that after rebooting in the previously saved configuration, the user is re-added but its home directory might have an old UID set on the filesystem. This is due to the fact that vyos config does not store UIDs.

When adding a user account to the system we now check if the home directory already exists and adjust the ownership to the new UID.
2023-12-29  Merge pull request #2715 from indrajitr/shell-quote-fix  [Christian Breunig]
tacacs: T141: Wrap string in double quotes to allow expansion