Age | Commit message (Collapse) | Author |
|
|
|
|
|
|
|
|
|
image-tools: T5883: preserve file owner in /config on add system update
|
|
T5880: verify_source_interface() should not allow dynamic interfaces like ppp, l2tp, ipoe or sstpc client interfaces
|
|
login: T5875: restore home directory permissions only when needed
|
|
T3476: Add option latest to add system image
|
|
|
|
A tunnel interface can not properly be sourced from a pppoe0 interface when
such interface is not (yet) connected to the BRAS. It might work on a running
system, but subsequent reboots will fail as the source-interface most likely
does not yet exist.
|
|
interfaces
Interfaces matching the following regex (ppp|pppoe|sstpc|l2tp|ipoe)[0-9]+ can
not be used as source-interface for e.g. a tunnel.
The main reason is that these are dynamic interfaces which come and go from a
kernel point of view, thus it's not possible to bind an interface to them.
|
|
This improves commit 3c990f49e ("login: T5875: restore home directory
permissions when re-adding user account") in a way that the home directory
owner is only altered if it differs from the expected owner.
Without this change on every boot we would alter the owner which could increase
the boot time if the home of a user is cluttered.
|
|
T5474: establish common file name pattern for XML conf mode commands
|
|
We will use _ as CLI level divider. The XML definition filename and also
the Python helper should match the CLI node.
Example:
set interfaces ethernet -> interfaces_ethernet.xml.in
set interfaces bond -> interfaces_bond.xml.in
set service dhcp-server -> service_dhcp-server-xml.in
|
|
dhcp: T3316: Adjust kea lease files' location and permissions
|
|
T5870: ipsec remote access VPN: add x509 ("pubkey") authentication.
|
|
|
|
Add option `latest` for op-mode command `add system image`
If the update check is configured we can get the remote `latest`
version from conrfgure URL
```
set system update-check url 'https://example.com/version.json'
```
This way we can use "latest" option for image update:
```
add system image latest
```
|
|
This extends commit 1a84c4d0e ("ipsec: T1210: add smoketest for remote-access
(road-warrior) users") in a way that also the IPv4 pool and its DNS servers get
validated. There is no separate IPv6 test, as both address families behave
the same way when configuring these.
|
|
ipsec: T1210: add smoketest for remote-access (road-warrior) users
|
|
|
|
login: T5875: restore home directory permissions when re-adding user account
|
|
system: T5877: Shorten system domain-search config path
|
|
Python unittest framework treads the comments as test names during execution:
Example:
test_accel_ipv4_pool (__main__.TestVPNPPTPServer.test_accel_ipv4_pool)
Test accel-ppp IPv4 pool ... ok
|
|
T5688: Fixed ip pool migration scripts for l2tp, sstp, pppoe
|
|
In addition to testing for shortening the domain-search path, add and
improve tests for other resolv.conf entries.
|
|
Shorten and simplify `system domain-search` config path from:
```
set system domain-search domain <domain1>
```
to:
```
set system domain-search <domain1>
```
This will shorten the path and also make consistent with `domain-search`
config in other places (like `dhcp-server`).
|
|
After deleting a user account and working with a newly added account, we see
that after rebooting in the previously saved configuration, the user is
re-added but it's home directory might have an old UID set on the filesystem.
This is due to the fact that vyos config does not store UIDs. When adding a
user account to the system we now check if the home directory already exists
and adjust the ownership to the new UID.
|
|
tacacs: T141: Wrap string in double quotes to allow expansion
|
|
|
|
|
|
Allowing `_kea` to be a member of `vyattacfg` group allows
kea-dhcp{4,6}-server to have access to DHCP lease directory under
`/config/` and thus have ability to manipupate the leases files.
|
|
vyos.template: T5869: first_host_address() does not honor RFC4291 section 2.6.1
|
|
nat: T5681: relax wording on non existing interface Warning message
|
|
smoketest: T5867: extend container tests for IPv4 and IPv6 networks
|
|
Fixed migration 'subnet' option in l2tp, sstp, pppoe.
'subnet' option can contain several values.
|
|
|
|
Remove the word "error" from a Warning only message to not irritate the user.
|
|
We have had duplicated test cases in test_jinja_filters.py and test_template.py,
They have been consolidated into test_template.py.
|
|
The subnet router anycast address is predefined. Its format is as follows:
| n bits | 128-n bits |
+------------------------------------------------+----------------+
| subnet prefix | 00000000000000 |
+------------------------------------------------+----------------+
The "subnet prefix" in an anycast address is the prefix that identifies a
specific link. This anycast address is syntactically the same as a unicast
address for an interface on the link with the interface identifier set to zero.
Packets sent to the Subnet-Router anycast address will be delivered to one
router on the subnet. All routers are required to support the Subnet-Router
anycast addresses for the subnets to which they have interfaces.
The Subnet-Router anycast address is intended to be used for applications where
a node needs to communicate with any one of the set of routers.
Our code as of now returns the subnet router anycast address as the
first_host_address().
|
|
|
|
Move the kea lease file to a separate directory `/config/dhcp` that `kea`
process can write to so that subprocesses spawned by `kea` process can
operate on the lease files.
To allow `kea` process to write to `/config/dhcp`, add `_kea` user to
`vyattacfg` group. And the lease files are owned completely by `_kea`
user to play well with `kea-lfc` process.
Specifically, this is necessary for `kea-lfc` which is spawned by `kea`
process to clean up expired leases. Since `kea-lfc` creates additional
backup lease files, it needs write access to the lease file directory.
Additionally, change the extension of the lease file from `.leases` to
`.csv` to reflect the actual file format.
|
|
ddclient: T5852: add missing priority
|
|
Running ddclient on a VLAN interface will fail during reboot as there is no
discrete priority to tell that the dynamic DNS service needs to be started
after the interfaces.
|
|
container: T5867: disable healthchecks due to upstream issue
|
|
op-mode: T5866: Add command to restart IPv6 RA daemon
|
|
conmon 402de34b31388b5a2e1c <error>: Unable to send container stderr message to parent Broken pipe
https://github.com/containers/conmon/issues/438
|
|
vyos@vyos:~$ restart router-advert
|
|
|
|
|