summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
9 hoursci: T9082: scan C code with CodeQL (add c-cpp, build-mode none)feature/T9082-codeql-cppYuriy Andamasov
The caller previously scanned only Python, leaving the repo's C sources unanalyzed. build-mode 'none' (codeql-action v4) extracts C/C++ without a build; final mode subject to the ipaddrcheck canary coverage comparison under T9082. 🤖 Generated by [robots](https://vyos.io)
4 daysMerge pull request #5322 from c-po/udev-rules-fixChristian Breunig
udev: T9071: fix invalid ATTR key assignment
5 daysT9071: rename 40-usb_modeswitch.rules to 41-usb_modeswitch_wwan.rulesChristian Breunig
Prefent ISO build issue: Skipping overridden file '/usr/lib/udev/rules.d/40-usb_modeswitch.rules'. Reading rules file: /etc/udev/rules.d/40-usb_modeswitch.rules
5 daysudev: T9071: fix invalid ATTR key assignmentChristian Breunig
This fixes a (cosmetic) error which pops up in the logfiles: 40-usb_modeswitch.rules:4 ATTR key takes '==', '!=', or '=' operator, assuming '='. It was introduced in commit 93406237d ("wwan: T8924: add UDEV configuration for USB modeswitch")
5 daysMerge pull request #5314 from natali-rs1985/T9018Viacheslav Hletenko
vpp: T9018: Auto-enable promiscuous mode for interfaces with VLANs
5 daysMerge pull request #5317 from natali-rs1985/T9062Daniil Baturin
vpp: T9062: Enable DHCP/DHCPv6 client detection on VLAN sub-interfaces
5 daysvpp: T9062: Enable DHCP/DHCPv6 client detection on VLAN sub-interfacesNataliia Solomko
The 'ip4-dhcp-client-detect' and 'ip6-icmp-ra-punt' VPP features were only ever enabled on the base ethernet interface, so DHCP and DHCPv6 clients never worked on VLAN sub-interfaces (vif/vif-s) of a VPP-managed interface. Apply the same feature toggles to each vif/vif-s using its own address configuration. vif-c is intentionally excluded, as Q-in-Q sub-interfaces are not currently functional under VPP.
7 daysMerge pull request #5310 from vyos/T9048-smoketest-dhclient-racesChristian Breunig
smoketest: T9048: harden DHCP client process checks against CI timing races
7 daysMerge pull request #5275 from BradKollmyer/remote-T8829-head-fallbackJohn Estabrook
remote: T8829: fall back to GET when HEAD is not supported
7 daysMerge pull request #5313 from c-po/pppoe-default-routeViacheslav Hletenko
frrender: T9054: keep PPPoE/DHCP default route when "protocols static" is deleted
8 daysvpp: T9018: Auto-enable promiscuous mode for interfaces with VLANsNataliia Solomko
VPP drops VLAN-tagged frames unless the parent interface has promiscuous mode enabled, causing VLAN sub-interfaces to lose connectivity. Automatically enable promiscuous mode on VPP interfaces that have VLAN sub-interfaces (vif/vif-s) configured.
8 daysfrrender: T9054: keep PPPoE/DHCP default route when "protocols static" is ↵Christian Breunig
deleted Deleting "protocols static" set config_dict['static'] to a dict object shared by reference across every deleted protocol. Merging the PPPoE/DHCP default-route data into it left the "deleted" marker in place, so the entire staticd section - including the just-merged default route - was skipped during FRR rendering, dropping the default route from the RIB/FIB. Copy the shared deleted-protocol marker before mutating it, and clear the marker once DHCP/PPPoE content has been merged in so the section is still rendered.
8 daysMerge pull request #5308 from natali-rs1985/T8344Viacheslav Hletenko
T8344: Preserve symlinks when copying config to/from TPM encrypted volume
9 daysMerge pull request #5312 from alexk37/T8940-hyperv-vtl-modeChristian Breunig
smoketest: T8940: HYPERV_VTL_MODE must not be enabled; require vPCI
9 dayssmoketest: T8940: HYPERV_VTL_MODE must not be enabled; require vPCIAlex Kudentsov
11 dayssmoketest: T9048: keep VRF and cmdline assertions on the same PIDYuriy Andamasov
Adversarial review findings on the previous head: * get_process_cmdline() could re-resolve a NEW PID after the 'ip vrf pids' membership assertion had already run against the old one, so the two assertions could validate different processes. The helper now returns the (pid, cmdline) pair it actually validated and the VRF checks moved after it, targeting the returned PID. * The one-shot retry left a residual double-race window. The helper now polls PID discovery and the /proc read together under the same PROCESS_WAIT_TIMEOUT deadline. 🤖 Generated by [robots](https://vyos.io)
11 dayssmoketest: T9048: guard the retry read in get_process_cmdline() tooYuriy Andamasov
The re-resolve path read /proc/<pid>/cmdline without defaultonfailure, so a repeated PID race raised an unhandled exception (test ERROR) instead of failing with a clear assertion message. 🤖 Generated by [robots](https://vyos.io)
11 daysci: T9047: grant issues: write to stale workflow token (#5309)Yuriy Andamasov
11 dayssmoketest: T9048: harden DHCP client process checks against CI timing racesYuriy Andamasov
Interface smoketests fail intermittently in CI on DHCP-related assertions (test_interfaces_cli job pass rate 42-55% over the last 30 workflow runs). Three timing hazards in the interface test base class: * process_named_running() was polled with a 10 second window at all dhclient/dhcp6c call sites - too short on a loaded runner. Raise to a shared PROCESS_WAIT_TIMEOUT of 60 seconds; the poll returns as soon as the process appears, so this only delays the failure path. * /proc/<pid>/cmdline was read unguarded after PID discovery. dhclient re-executes itself while daemonizing, so the discovered PID can be gone by the time /proc is read - read_file() then raises and the test errors out instead of failing cleanly. New get_process_cmdline() helper re-resolves the PID once when the read fails. * tearDown() asserted daemon absence immediately after the config was removed, reporting daemons still in their shutdown path as leaks. Use the existing wait_for_result() shim helper with the same 60s bound to grant a grace period before declaring a leak; the poll returns on first observation of a clean state, so passing runs pay no extra wall clock. 🤖 Generated by [robots](https://vyos.io)
11 daysMerge pull request #5307 from natali-rs1985/T9002Daniil Baturin
T9002: grant CAP_NET_RAW to blackbox-exporter when ICMP modules are configured
11 daysT8344: Preserve symlinks when copying config to/from TPM encrypted volumeNataliia Solomko
shutil.copytree() defaults to symlinks=False, so it recurses into symlinked directories and recreates them as real directories instead of preserving the symlink. cloud-init creates /opt/vyatta/etc/config/cloud/instance as a symlink to instances/i-<id>. Enabling/disabling config encryption copied this tree with copytree() and silently turned that symlink into a real directory, causing cloud-init to fail on later runs with: IsADirectoryError: [Errno 21] Is a directory: '.../cloud/instance' Pass symlinks=True to preserve symlinks during the copy.
12 daysMerge pull request #5306 from asklymenko/rollingChristian Breunig
T9037: Could not build ISO image for integration tests
12 daysMerge pull request #5299 from c-po/journalctl-priorityViacheslav Hletenko
op-mode: T9009: add "show log priority <level>" command
12 daysMerge pull request #5167 from davi2367/zbf-vrfViacheslav Hletenko
firewall: T8761: Reintroduce VRF-interface names in generated config
12 daysT9002: grant CAP_NET_RAW to blackbox-exporter when ICMP modules are configuredNataliia Solomko
The blackbox-exporter runs as node_exporter user which cannot create ICMP sockets due to restricted ping_group_range. Add CAP_NET_RAW capability to the systemd service when ICMP modules are configured. In non-VRF mode, use systemd AmbientCapabilities/CapabilityBoundingSet. In VRF mode, replace runuser with setpriv to preserve the capability across the UID change.
13 daysfirewall: T8761: re-introduce VRF interface names in generated firewall configDavid Vølker
This change re-implements the intended behaviour from T4180 aswell as from T4506, it ensures that both the vrf-member interface aswell as the vrf itself is added as an oifname -> meaning that traffic traversing and originating from withing VyOS is matches outbound. Changes done by c-po: * re-sort dependency list to keep diff low * vyos.configdict.is_vrf_changed() should return early and not carry over the to-be return value * keep common coding style (dict by . separation) in nftables-zone.j2 Co-authored-by: Christian Breunig <christian@breunig.cc>
13 daysop-mode: T9009: add "show log priority <level>" commandChristian Breunig
13 daysop-mode: T9009: rename "monitor log level" to priority to match journalctlChristian Breunig
13 daysMerge pull request #5300 from c-po/journalctl-facilityDaniil Baturin
op-mode: T8372: add "show log facility <name>" command
13 daysT9037: Could not build ISO image for integration testsAndrii Klymenko
Added a step to clone vyos-1x source code into the build directory. It is necessary to have these files in this directory in cases where we perform the build process during a backport. We use vyos-build scripts from the original branch during integration tests for this process.
2026-06-30Merge pull request #5301 from c-po/claude-gitinoreViacheslav Hletenko
T9028: add .claude folder to .gitignore
2026-06-30Merge pull request #5304 from c-po/fix-catch-broken-pipe-decoratorDaniil Baturin
vyos.utils: T8981: catch_broken_pipe() decorator must return func(*args, **kwargs)
2026-06-30vyos.utils: T8981: catch_broken_pipe() decorator must return func(*args, ↵Christian Breunig
**kwargs) "show system commit diff <rev>" produces no output (exit 0) for any revision, regardless of how much the revisions differ. The revision store and diff engine are intact - "show system commit file <rev>" works, and so does ConfigMgmt().compare(rev1=0, rev2=1) which returns the correct diff when called directly. Commit a29d73d00 ("op-mode: T8362: "compare" command lacks catch_broken_pipe decorator") added @catch_broken_pipe to ConfigMgmt.show_commit_diff to suppress BrokenPipeError tracebacks when piping output, but the decorator calls the wrapped function without returning its value. Thus the op-mode framework will receive None and prints nothing.
2026-06-30Merge pull request #5254 from jd82k/domain-groupChristian Breunig
T8963: policy-route: trigger domain resolver for domain groups
2026-06-30Merge pull request #5303 from hedrok/T9031-fix-pppoe-server-auth-protocol-changeViacheslav Hletenko
T9031: Fix updating pppoe server protocols
2026-06-30T9031: Fix updating pppoe server protocolsKyrylo Yatsenko
Authentication protocols are implemented as modules in accel-ppp-ng. The CLI setting configures which modules need to be loaded, for this change to take effect pppoe server must be restarted.
2026-06-29Merge pull request #5286 from c-po/ifconfig-refactoringChristian Breunig
ifconfig: T9008: refactor vyos.ifconfig to use cmdl() for safer subprocess execution
2026-06-29Merge pull request #5296 from statio/https-full-ca-chainChristian Breunig
https: T9022: serve the full CA certificate chain
2026-06-29Merge pull request #5295 from c-po/bgp-limitChristian Breunig
bgp: T6573: add input/output queue limit CLI commands
2026-06-29ci: T8490: drop legacy per-repo typos caller (now provided by org ruleset) ↵Yuriy Andamasov
(#5302) The typos check is now enforced fleet-wide via the vyos-org repository ruleset `require-typos-pilot-2026-06-18` (active), which injects the standalone `typos.yml` from vyos/.github. The per-repo `check-typos.yml` caller (the lone remaining consumer of the old workflow_call reusable) is redundant — remove it. 🤖 Generated by [robots](https://vyos.io)
2026-06-29bgp: T6573: add missing newline in afi-route-server-client.xml.iChristian Breunig
This is needed for debugging the concatenated XML include blocks, otherwise two XML comments will show up on one line due to the missing newline which is annoying.
2026-06-29bgp: T6573: fix template indention for "bgp route-reflector"Christian Breunig
2026-06-29bgp: T6573: add input/output queue limit CLI commandsChristian Breunig
Add input-queue-limit and output-queue-limit CLI nodes to expose global FRR "bgp input-queue-limit" and "bgp output-queue-limit" commands via our CLI. Parameters control the maximum number of queued messages for all BGP peers during message parsing. FRR default is 10000 which we honor. Note that this is a global option and can only be set for the global/default BGP instance.
2026-06-29T9028: add .claude folder to .gitignoreChristian Breunig
2026-06-29op-mode: T8372: add "show log facility <name>" commandChristian Breunig
2026-06-29op-mode: T8372: improve authentication logging journalctl commandChristian Breunig
Instead of passing environment variables now pass proper CLI arguments.
2026-06-29Merge pull request #5298 from vyos/ci/T8490-typos-vyos-1xDaniil Baturin
ci: T8490: fix typos in comments, strings, and local identifiers
2026-06-29Merge pull request #5285 from c-po/cmdlDaniil Baturin
utils: T9003: add list-argument variant of cmd() for safer subprocess execution
2026-06-29ci: T8490: fix typos in comments, strings, and local identifiersYuriy Andamasov
Reaches a clean typos baseline for the T8490 ruleset pilot. Categories: - Comments/docs: recursivly, taret, passsed, characted, arhive, AtrributeError; "ned" -> "new" (migration comments). - Messages/strings: writeable -> writable (x5); OCaml log "Commandis" -> "Command is". - Local variables (all refs in-function): commited, formating, presistent; inpt_range -> input_range; tz_datas -> tz_data_raw (avoids the tz_data collision). - Self-contained renames (definition + all references in-file): formated_stats, _get_formatted_output_conections -> ..._connections, expension_failure -> expansion_failure (ping + traceroute), snmpd_restart_reqired -> ..._required. False positives are allowlisted centrally (vyos/.github, separate PR), NOT changed here: mke2fs, Maya-calendar "Mak", RFC 4122 "IDentifier" (hostapd), and VPP's "U-Forwrd" bridge-domain column header (op_mode/vpp.py + the VPP smoketest assert the real upstream `vppctl` output). Verified: typos clean, py_compile of every edited .py, zero remaining old-identifier references. 🤖 Generated by [robots](https://vyos.io)
2026-06-27https: T9022: serve the full CA certificate chainLee Clements
When a certificate is assigned to the HTTPS service, nginx was only sent the leaf certificate. An intermediate CA was included only when an operator manually configured "ca-certificate", and even then just that single CA - the rest of the issuer chain was never followed. As a result, clients that do not already trust the issuing intermediate CA (for example Let's Encrypt's newer E- and R-series intermediates) could not build a path to a trusted root and rejected the connection. Build the complete chain from the CA certificates present in the PKI using find_chain(), the same helper already used by HAProxy, OpenConnect, stunnel and the other PKI consumers. The intermediate chain is now discovered automatically, so configuring "ca-certificate" is no longer required; it remains accepted for backwards compatibility.