Age | Commit message | Author
2024-01-12 | T5925: Containers change systemd KillMode | Viacheslav Hletenko
By default we use mode `none` for containers
Unit uses KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update the service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
2024-01-12 | Merge pull request #2809 from c-po/bgp-t5306 | Daniil Baturin
bgp: T5306: fix verify_remote_as() to support v6only interface with peer-group
2024-01-12 | bgp: T5306: fix verify_remote_as() to support v6only interface with peer-group | Christian Breunig
To test:
set protocols bgp neighbor eth0 interface v6only peer-group 'fabric'
set protocols bgp peer-group fabric address-family ipv4-unicast
set protocols bgp peer-group fabric address-family ipv6-unicast
set protocols bgp peer-group fabric capability extended-nexthop
set protocols bgp peer-group fabric remote-as 'external'
set protocols bgp system-as 64496
2024-01-12 | Merge pull request #2807 from nicolas-fort/T5922 | Christian Breunig
T5922: firewall: fix intra-zone filtering parsing rules; update firew…
2024-01-12 | Merge pull request #2806 from jestabro/serial-console | Daniil Baturin
image-tools: T5910: explicitly set transmission speed of serial console
2024-01-12 | T5922: firewall: fix intra-zone filtering parsing rules; update firewall smoketest | Nicolas Fort
2024-01-12 | Revert "syslog: T1487: store all journalctl log files also in syslog" | Christian Breunig
This reverts commit 800c85a20a00278ab07bbcccd85b753b1ca31e21.
2024-01-11 | image-tools: T5910: explicitly set transmission speed of serial console | John Estabrook
GRUB defaults to 9600 in case of serial console; explicitly set to 115200.
2024-01-11 | Merge pull request #2798 from c-po/ipsec-T5918 | Christian Breunig
T5791: T5918: use genetic pattern to detect dynamic interfaces for ipsec and dynamic dns
2024-01-11 | Merge pull request #2797 from c-po/syslog-t1487 | Christian Breunig
syslog: T1487: store all journald log files also in syslog
2024-01-11 | Merge pull request #2799 from nicolas-fort/T5919 | Christian Breunig
T5919: firewall: fix <show firewall ipv6 ..> command
2024-01-11 | ipsec: T5918: warn when dynamic interfaces are used to bind ipsec daemon | Christian Breunig
Fix after commit 8452d8f4921 ("T5918: Fix typo in verify vpn ipsec interface") so that dynamic interfaces can be used by ipsec but a warning is issued that this will only work after they are available on the system. PPPoE interfaces are the best example for this, as they are down during system bootup and will be available anytime after the boot once we've dialed into the BRAS.
2024-01-11 | T5919: firewall: fix <show firewall ipv6 ..> command | Nicolas Fort
2024-01-11 | dns: T5791: use common pattern for exclude check of dynamic interfaces | Christian Breunig
This uses a more common pattern from a base class while the original code from 0a1c9bc38 ("T5791: DNS dynamic exclude check for dynamic interfaces PPPoE") is still retained.
2024-01-11 | syslog: T1487: store all journalctl log files also in syslog | Christian Breunig
This is useful to send the journal logs to external syslog servers
2024-01-11 | Merge pull request #2790 from sarthurdev/T5814 | Christian Breunig
firewall: T5814: Retain legacy 'accept' behaviour and re-order migration
2024-01-11 | dhcp: dhcpv6: T3316: Add `subnet-id` so leases remain mapped to entries in the lease file (#2796) | Simon
2024-01-10 | Merge pull request #2791 from sever-sever/T5918 | Christian Breunig
T5918: Fix typo in verify vpn ipsec interface
2024-01-10 | T5918: Fix typo in verify vpn ipsec interface | Viacheslav Hletenko
The correct CLI command is `interface` and not `interfaces`
```
set vpn ipsec interface xxx
```
2024-01-10 | Merge pull request #2777 from aapostoliuk/T5688-multirange | Christian Breunig
T5688: Changed 'range' to multi in 'client-ip-pool' for accell-ppp
2024-01-10 | Merge pull request #2787 from c-po/bgp-5913 | Viacheslav Hletenko
bgp: T5913: allow peer-group support for ipv4|6-labeled-unicast SAFI
2024-01-10 | bgp: T5913: allow peer-group support for ipv4|6-labeled-unicast SAFI | Christian Breunig
2024-01-10 | Merge pull request #2784 from nicolas-fort/T5915 | Christian Breunig
T5915: firewall: re-add opmode command for zone based firewall
2024-01-10 | Merge pull request #2785 from sarthurdev/kea-options | Christian Breunig
dhcp: T3316: T5787: T5912: Extend scope of DHCP options, bugfixes
2024-01-10 | Merge pull request #2786 from jestabro/image-annotations | Christian Breunig
image-tools: T5917: annotate image list with (running)/(default boot)
2024-01-10 | firewall: T5814: Retain legacy 'accept' behaviour and re-order migration | sarthurdev
Pre-1.4 firewall 'accept' action acted as a 'return'. This change ensures the migrated rules meet the expected behaviour. This commit also re-orders migrated in/out/local jumps ordered by direction instead of interface.
2024-01-10 | image-tools: T5917: annotate image list with (running)/(default boot) | John Estabrook
2024-01-10 | T5915:firewall: re-add opmode command for zone based firewall | Nicolas Fort
2024-01-10 | Merge pull request #2780 from Cheeze-It/current | Christian Breunig
T5916: Added segment routing check for index size and SRGB size
2024-01-09 | T5916: Added segment routing check for index base size and SRGB base size | Cheeze_It
2024-01-10 | dhcp: T5787: Prevent duplicate IP addresses on static mappings | sarthurdev
2024-01-10 | dhcp: T3316: Workaround to append domain suffix to hostfile entries | sarthurdev
2024-01-10 | dhcp: T5912: Fix hostfile not written for new leases | sarthurdev
2024-01-10 | dhcp: T3316: Fix `listen-address` handling and add `listen-interface` as supported by Kea | sarthurdev
2024-01-10 | dhcp: T3316: Move options to separate node and extend scopes | sarthurdev
2024-01-09 | Merge pull request #2773 from c-po/https-rework-t5766 | Christian Breunig
https: T5902: remove virtual-host configuration
2024-01-09 | T5688: Changed 'range' to multi in 'client-ip-pool' for accell-ppp | aapostoliuk
Changed node 'range' to multi in 'client-ip-pool' for accell-ppp services. Added completionHelp to default-pool and next-pool. Fixed verification in vpn l2tp config script.
2024-01-09 | boot-config-loader: T1622: add missing groups to failsafe user | Christian Breunig
This extends commit 86d1291ec5 ("[boot-config-loader] T1622: Add failsafe and back trace") and adds missing groups to the vyos user. Without this change the vyos user will only have operator (vyos@vyos>) privileges, even if this level is discontinued. One could hack himself up as the user has sudo rights, but rather place the user in the right groups from the beginning. NOTE: This user is only added if booted with "vyos-config-debug" and an error when the configuration can not be loaded at all.
2024-01-09 | pki: T5911: fix service update algorithm if certificate name contains a hyphen (-) | Christian Breunig
When testing for changed PKI certificates using node_changed(), we should not use key_mangling=('-', '_'), as this will make certificate updates with a hyphen not possible.
2024-01-09 | https: T5902: remove virtual-host configuration | Christian Breunig
We have not seen the adoption of the https virtual-host CLI option.
What it did?
* Create multiple webservers each listening on a different IP/port (but in the same VRF)
* All webservers shared one common document root
* All webservers shared the same SSL certificates
* All webservers could have had individual allow-client configurations
* API could be enabled for a particular virtual-host but was always enabled on the default host
This configuration tried to provide a full webserver via the CLI but VyOS is a router and the Webserver is there for an API or to serve files for a local-ui.
Changes
Remove support for virtual-hosts as it's an incomplete and thus mostly useless "thing".
Migrate all allow-client statements to one top-level allow statement.
2024-01-07 | Merge pull request #2768 from c-po/pki-ipsec-T5905 | Christian Breunig
pki: T5905: do not use expand_nodes=Diff.ADD|Diff.DELETE) in node_changed()
2024-01-07 | Merge pull request #2769 from c-po/T5195-penalty | Christian Breunig
smoketest: T5195: fix BasicInterfaceTest tearDown() timeout penalty
2024-01-07 | smoketest: T5195: fix BasicInterfaceTest tearDown() timeout penalty | Christian Breunig
Commit ad9bdfc24 ("T5195: add timeout argument to process_named_running()") added a 2*10 seconds penalty for every interface test (dhcp and dhcpv6). This leads to long runs of "make test" after an ISO build. There is no need to wait 10 seconds for a test that checks for a process not running. The timeout is there to give the process some time to startup.
2024-01-07 | Merge pull request #2760 from bluknight/current | Christian Breunig
image: T5898: fix kernel-level partition rescan
2024-01-07 | pki: T5905: do not use expand_nodes=Diff.ADD|Diff.DELETE) in node_changed() | Christian Breunig
This fixes a priority inversion when doing initial certificate commits.
* pki subsystem is executed with priority 300
* vti uses priority 381
* ipsec uses priority 901
On commit pki.py will be executed first, detecting a change in dependencies for vpn_ipsec.py which will be executed second. The VTI interface was yet not created leading to ConfigError('VTI interface XX for site-to-site peer YY does not exist!')
The issue is caused by this new line of code in commit b8db1a9d7ba ("pki: T5886: add support for ACME protocol (LetsEncrypt)") file src/conf_mode/pki.py line 139 which triggers the dependency update even if a key is newly added.
This commit changes the "detection" based on the certbot configuration on disk.
2024-01-07 | ipsec: T5905: use interface_exists() wrapper over raw calls to os.path.exists() | Christian Breunig
2024-01-07 | smoketest: T5905: always delete pki in ipsec test startup | Christian Breunig
2024-01-07 | Merge pull request #2758 from c-po/certbot-T5886 | Christian Breunig
pki: T5886: add support for ACME protocol (LetsEncrypt)
2024-01-07 | Merge pull request #2765 from c-po/op-mode-ipv6-vrf | Christian Breunig
op-mode: T5904: add "show ipv6 route vrf <name> <prefix>" command
2024-01-07 | Merge pull request #2764 from c-po/T5195-process | Christian Breunig
T5195: add timeout argument to process_named_running()