Age | Commit message | Author
2024-03-28 | Merge pull request #3202 from sarthurdev/T5606_1 | Daniil Baturin
ipsec: T5606: T5871: Use multi node for CA certificates
2024-03-28 | Merge pull request #2965 from lucasec/t5872 | Daniil Baturin
T5872: ipsec remote access VPN: support dhcp-interface.
2024-03-28 | Merge pull request #3201 from dmbaturin/T4516-format-string-fix | Christian Breunig
grub: T4516: correct a format string
2024-03-28 | grub: T4516: correct a format string | Daniil Baturin
2024-03-28 | ipsec: T5606: T5871: Use multi node for CA certificates | sarthurdev
This changes behaviour from fetching CA chain in PKI, to the user manually setting CA certificates. Prevents unwanted parent CAs existing in PKI from being auto-included as may not be desired/intended.
2024-03-28 | Merge pull request #3194 from c-po/dhclient-T6175 | Christian Breunig
op-mode: T6175: "renew dhcp interface <name>" does not check for DHCP interface
2024-03-28 | Merge pull request #3192 from jestabro/compat-update-serial-console | Christian Breunig
image-tools: T6168: compat mode update should preserve console type
2024-03-28 | Merge pull request #3193 from sever-sever/T6121 | Christian Breunig
T6121: Extend config-sync for QoS and system options
2024-03-28 | op-mode: T6175: "renew dhcp interface <name>" does not check for DHCP interface | Christian Breunig
The current op-mode script simply calls sudo systemctl restart "dhclient@$4.service" with no additional information about a client interface at all. This results in useless dhclient processes

    root 47812  4.7 0.0  5848  3584 ? Ss 00:30 0:00 /sbin/dhclient -4 -d
    root 48121  0.0 0.0  4188  3072 ? S  00:30 0:00  \_ /bin/sh /sbin/dhclient-script
    root 48148 50.0 0.2 18776 11264 ? R  00:30 0:00      \_ python3 -

Which also assign client leases to all local interfaces, if we receive one valid DHCPOFFER

    vyos@vyos:~$ show interfaces
    Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
    Interface    IP Address         MAC                VRF      MTU    S/L    Description
    -----------  -----------------  -----------------  -------  -----  -----  -------------
    eth0         -                  00:50:56:bf:c5:6d  default  1500   u/u
    eth0.10      172.16.33.102/24   00:50:56:bf:c5:6d  default  1500   u/u
    eth1         172.16.33.131/24   00:50:56:b3:38:c5  default  1500   u/u

172.16.33.102/24 and 172.16.33.131/24 are stray DHCP addresses.

This commit moved the renew command to the DHCP op-mode script to properly validate if the interface we request a renew for, has actually a dhcp address configured. In addition, this exposes the renew feature to the API.
2024-03-27 | T6121: Extend config-sync for QoS and system options | Viacheslav Hletenko
Extend the service config-sync for sections:
- qos interface
- qos policy
- system conntrack
- system flow-accounting
- system option
- system sflow
- system static-host-mapping
- system sysctl
2024-03-26 | image-tools: T6168: compat mode update should preserve console type | John Estabrook
Add system image in compatibility mode would set the default boot without reference to console_type; fix the translation of default to the correct index in compat grub.cfg.
2024-03-26 | Merge pull request #3190 from HollyGurza/T6106 | Christian Breunig
bgp: T6106: fix test and verify()
2024-03-26 | Merge pull request #3189 from nicolas-fort/T6171-fix-smoketest | Christian Breunig
T6171: dhcp-server: add fix for smoketest
2024-03-26 | bgp: T6106: fix test and verify() | khramshinr
2024-03-26 | T6171: dhcp-server: add fix for smoketest | Nicolas Fort
2024-03-25 | Merge pull request #3188 from nicolas-fort/T6171 | Daniil Baturin
T6171: migrate <set service dhcp-server failover> to <set service dhcp-server high-availability>
2024-03-25 | T6171: migrate <set service dhcp-server failover> to <set service dhcp-server high-availability>. | Nicolas Fort
2024-03-24 | Merge pull request #3185 from c-po/ospf-T6066 | Christian Breunig
ospf: T6066: can not define the same network in different areas
2024-03-24 | ospf: T6066: can not define the same network in different areas | Christian Breunig
Users can not (FRR fails) commit the same network belonging to different OSPF areas. Add verify() check to prevent this.
2024-03-24 | Merge pull request #3182 from c-po/container-T6062 | Christian Breunig
container: T6062: add image name completion helper
2024-03-24 | container: T6062: add image name completion helper | Christian Breunig
2024-03-24 | Merge pull request #3181 from c-po/xml-T5738-container | Christian Breunig
xml: T5738: use common constraint include for container network
2024-03-24 | xml: T5738: use common constraint include for container network | Christian Breunig
2024-03-24 | Merge pull request #3179 from c-po/grub-T6165 | John Estabrook
grub: T6165: increase service TimeoutSec from 5 -> 60
2024-03-24 | grub: T6165: increase service TimeoutSec from 5 -> 60 | Christian Breunig
The PCEngines APU2 systems with mSATA disks tend to be very slow. This results in a service startup error:

    $ systemctl status vyos-grub-update
    × vyos-grub-update.service - Update GRUB loader configuration structure
         Loaded: loaded (/lib/systemd/system/vyos-grub-update.service; enabled; preset: enabled)
         Active: failed (Result: timeout) since Sun 2024-03-24 08:48:10 UTC; 14min ago
       Main PID: 779 (code=killed, signal=TERM)
            CPU: 869ms

    Mar 24 08:48:05 LR4.wue3 systemd[1]: Starting vyos-grub-update.service - Update GRUB loader configuration structure...
    Mar 24 08:48:10 LR4.wue3 systemd[1]: vyos-grub-update.service: start operation timed out. Terminating.
    Mar 24 08:48:10 LR4.wue3 systemd[1]: vyos-grub-update.service: Main process exited, code=killed, status=15/TERM
    Mar 24 08:48:10 LR4.wue3 systemd[1]: vyos-grub-update.service: Failed with result 'timeout'.
    Mar 24 08:48:10 LR4.wue3 systemd[1]: Failed to start vyos-grub-update.service - Update GRUB loader configuration structure.

Measuring on an APU2 system after boot and memory is "hot", it still needs almost 17 seconds to complete the job

    cpo@LR4.wue3:~$ time sudo /usr/libexec/vyos/system/grub_update.py

    real 0m16.803s
    user 0m0.018s
    sys  0m0.028s
2024-03-24 | Merge pull request #3177 from c-po/eee-T6152 | Christian Breunig
Revert "ethernet: T5566: disable energy efficient ethernet (EEE) for interfaces"
2024-03-24 | Revert "ethernet: T5566: disable energy efficient ethernet (EEE) for interfaces" | Christian Breunig
This reverts commit ab30509b25d54dac99294b76ba03fd49c3d2c946. As in T6152 there seem to be some NICs that have a non working implementation of reading the EEE registers. Remove this feature in the meantime until there is a less exploding solution hindering boards to boot. Return to Kernel defaults by removing this code path.
2024-03-23 | Merge pull request #3151 from HollyGurza/T6106 | Daniil Baturin
bgp: T6106: Valid commit error for route-reflector-client option defi…
2024-03-23 | Merge pull request #3171 from p3lim/T6161 | Daniil Baturin
op-mode: T6161: Show container details in JSON format
2024-03-23 | Merge pull request #3172 from jestabro/config-sync-priority | John Estabrook
config-sync: T6145: batch section requests for commit by priority
2024-03-23 | Merge pull request #3173 from c-po/configverify-T6131 | Christian Breunig
vyos.configverify: T6131: verify_interface_exists() checks CLI interfaces, too
2024-03-23 | vyos.configverify: T6131: verify_interface_exists() checks CLI interfaces, too | Christian Breunig
Extend the way how we determine if interfaces exist in VyOS. In the past we only validated if the interface in question really exists at the OS level. This has some drawbacks as services (like OSPF or OSPFv3) can also handle interfaces dynamically which appear or leave the OS. This commit not only checks for OS interfaces but also if the interface in question was configured at the CLI level, this is proof enough to pass the check. If it does not exist at the CLI level, we continue searching if it's maybe a Kernel interface - useful for container networks. In addition we can now not only raise() an error but simply show a warning if an interface does not exist.
2024-03-22 | config-sync: T6145: batch section requests for commit by priority | John Estabrook
2024-03-23 | op-mode: T6161: Show container details in JSON format | Adrian L Lange
I made some assumptions about node types, and I expanded the initial request to also work for networks and containers. I found that the "raw" versions of these commands already existed in the python scripts, so I just used the existing flags.
2024-03-22 | Merge pull request #3169 from c-po/isis-T6160 | Christian Breunig
isis: T6160: NameError: name 'process' is not defined
2024-03-22 | isis: T6160: NameError: name 'process' is not defined | Christian Breunig
This is a leftover after commit 0e050cb35 (isis: T3417: drop artificial "domain" node identifying the IS-IS process name). Drop all references to "process" variable.

Specifying:

    set protocols isis interface eth1
    set protocols isis net '49.0001.1921.6825.5255.00'
    set protocols isis redistribute ipv4 bgp

Triggered an exception

    Traceback (most recent call last):
      File "/usr/libexec/vyos/conf_mode/protocols_isis.py", line 309, in <module>
        verify(c)
      File "/usr/libexec/vyos/conf_mode/protocols_isis.py", line 158, in verify
        f'"protocols isis {process} redistribute {afi} {proto}"!')
                           ^^^^^^^
    NameError: name 'process' is not defined
2024-03-22 | Merge pull request #3164 from jestabro/priority | Daniil Baturin
xml: T6146: add utils and helper to provide priority data
2024-03-22 | Merge pull request #3165 from rebortg/patch-2 | Daniil Baturin
Github: PR Template: make related tasks optional
2024-03-21 | xml: T6146: add utils and helper to provide priority data | John Estabrook
2024-03-21 | make related tasks optional | Robert Göhler
2024-03-21 | Merge pull request #3157 from c-po/vti-T6085 | Daniil Baturin
vti: T6085: interface is always down and only enabled by IPSec daemon
2024-03-21 | Merge pull request #3153 from aapostoliuk/T6130-circinus | Christian Breunig
policy: T6130: Revert commit 960cace
2024-03-21 | Merge pull request #3158 from c-po/bridge-T6125 | Daniil Baturin
bridge: T6125: support 802.1ad (ethertype 0x88a8) VLAN filtering
2024-03-21 | Merge pull request #3159 from sarthurdev/T6147 | Daniil Baturin
conntrack: T6147: Enable conntrack when firewall state-policy is defined
2024-03-20 | conntrack: T6147: Enable conntrack when firewall state-policy is defined | sarthurdev
* Move global state-policy smoketest to its own test, verify conntrack
2024-03-20 | bridge: T6125: support 802.1ad (ethertype 0x88a8) VLAN filtering | Christian Breunig
Linux bridge uses EtherType 0x8100 by default. In some scenarios, an EtherType value of 0x88A8 is required. Reusing CLI command from VIF-S (QinQ) interfaces:

    set interfaces bridge br0 protocol 802.1ad
2024-03-20 | vti: T6085: interface is always down and only enabled by IPSec daemon | Christian Breunig
When a VTI interface is just created, it is in ADMIN UP state by default, even if an IPSec peer is not connected. After the peer is disconnected the interface goes to DOWN state as expected. This breaks routing logic - for example, static routes through VTI interfaces will be active even if a peer is not connected. This changes the logic so ADMIN UP/DOWN state can only be changed by the vti-up-down helper script. Error was introduced during the Perl -> Python migration and move to the generic vyos.ifconfig abstraction during the 1.4 development cycle.
2024-03-20 | Merge pull request #3155 from sever-sever/T6143 | Daniil Baturin
T6143: Increase configurable timeout range for service config-sync
2024-03-20 | T6143: Increase configurable timeout range for service config-sync | Viacheslav Hletenko
The maximum timeout for the `service config-sync` is 300 seconds (Connection API timeout). It could not be enough for the real massive configurations. Increase the maximum value to 3600

```
set service config-sync secondary address 192.0.2.1
set service config-sync secondary timeout 3600
```
2024-03-20 | bgp: T6106: Valid commit error for route-reflector-client option defined in ↵ | khramshinr
peer-group handle vtysh bgp error