Age | Commit message (Collapse) | Author |
|
This fixes a priority inversion when doing initial certificate commits.
* pki subsystem is executed with priority 300
* vti uses priority 381
* ipsec uses priority 901
On commit pki.py will be executed first, detecting a change in dependencies
for vpn_ipsec.py which will be executed second. The VTI interface was yet not
created leading to ConfigError('VTI interface XX for site-to-site peer YY does
not exist!')
The issue is caused by this new line of code in commit b8db1a9d7ba ("pki:
T5886: add support for ACME protocol (LetsEncrypt)") file src/conf_mode/pki.py
line 139 which triggers the dependency update even if a key is newly added.
This commit changes the "detection" based on the cerbot configuration on disk.
|
|
|
|
|
|
pki: T5886: add support for ACME protocol (LetsEncrypt)
|
|
op-mode: T5904: add "show ipv6 route vrf <name> <prefix>" command
|
|
T5195: add timeout argument to process_named_running()
|
|
We've always had a command to display discrete IPv6 routes/prefixes within the
global VRF. This commit also adds support for a discrete VRF.
vyos@vyos:~$ show ipv6 route vrf <name>
Possible completions:
<Enter> Execute the current command
<h:h:h:h:h:h:h:h> Show IPv6 routes of given address or prefix
<h:h:h:h:h:h:h:h/x>
|
|
Smoketests heavily rely on process_named_running() so in order to "relax"
system constraints during a test we will add a timeout of 10 seconds for
every testcase provided by base_interfaces_test.py
|
|
dns: T5900: fix smoketests for serve-stale-extension and exclude-throttle-address
|
|
exclude-throttle-address
This fixes commit 199ceb1f0a ("dns: T5900: add dont-throttle-netmasks and
serve-stale-extensions powerdns features") where after the latest review round
the Jinja2 template was inconsitently changed and smoketests were not re-run.
|
|
features
|
|
|
|
* show log certbot
* monitor log certbot
* renew certbot
|
|
The "idea" of this PR is to add new CLI nodes under the pki subsystem to
activate ACME for any given certificate.
vyos@vyos# set pki certificate NAME acme
Possible completions:
+ domain-name Domain Name
email Email address to associate with certificate
listen-address Local IPv4 addresses to listen on
rsa-key-size Size of the RSA key (default: 2048)
url Remote URL (default:
https://acme-v02.api.letsencrypt.org/directory)
Users choose if the CLI based custom certificates are used
set pki certificate EXAMPLE acme certificate <base64>
or if it should be generated via ACME.
The ACME server URL defaults to LetsEncrypt but can be changed to their staging
API for testing to not get blacklisted.
set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory
Certificate retrieval has a certbot --dry-run stage in verify() to see if it
can be generated.
After successful generation, the certificate is stored in under
/config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set
interfaces ethernet eth0 eapol certificate EXAMPLE) we call
vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the
base64 encoded certificate into the JSON data structure normally used when
using a certificate set by the CLI.
Using this "design" does not need any change to any other code referencing the
PKI system, as the base64 encoded certificate is already there.
certbot renewal will call the PKI python script to trigger dependency updates.
|
|
smoketests: T5887: remove IXGB driver
|
|
deployments in cgnat. (#2694)
|
|
T5897: frr should be stopped before vyos-router
|
|
Signed-off-by: Date Huang <tjjh89017@hotmail.com>
|
|
configdict: T5894: add get_config_dict() flag with_pki
|
|
VyOS has several services relaying on the PKI CLI tree to retrieve certificates.
Consuming services like ethernet, openvpn or ipsec all re-implemented the same
code to retrieve the certificates from the CLI.
This commit extends the signature of get_config_dict() with a new option with_pki
that defaults to false. If this option is set, the PKI CLI tree will be blended
into the resulting dictionary.
|
|
From Kernel commit e485f3a6eae0 ("ixgb: Remove ixgb driver")
There are likely no users of this driver as the hardware has been discontinued
since 2010. Remove the driver and all references to it in documentation.
|
|
This extends commit 4ee406470 ("configdict: T5837: add support to return added
nodes when calling node_changed()") so no duplicate list elements get returned.
|
|
underscore and dot
|
|
op-mode: T5890: Fix arguments passed to generate_system_login_user.py
|
|
|
|
|
|
T5888: fix migration script in order to fit new type-names for icmp and icmpv6
|
|
|
|
vyos-configd: extend list of included scripts
|
|
T3642: add missing base64 CLI validators
|
|
|
|
|
|
image-tools: T5885: relax restriction on image-name len from 32 to 64
|
|
|
|
|
|
|
|
|
|
|
|
image-tools: T5883: preserve file owner in /config on add system update
|
|
T5880: verify_source_interface() should not allow dynamic interfaces like ppp, l2tp, ipoe or sstpc client interfaces
|
|
login: T5875: restore home directory permissions only when needed
|
|
T3476: Add option latest to add system image
|
|
|
|
A tunnel interface can not properly be sourced from a pppoe0 interface when
such interface is not (yet) connected to the BRAS. It might work on a running
system, but subsequent reboots will fail as the source-interface most likely
does not yet exist.
|
|
interfaces
Interfaces matching the following regex (ppp|pppoe|sstpc|l2tp|ipoe)[0-9]+ can
not be used as source-interface for e.g. a tunnel.
The main reason is that these are dynamic interfaces which come and go from a
kernel point of view, thus it's not possible to bind an interface to them.
|
|
This improves commit 3c990f49e ("login: T5875: restore home directory
permissions when re-adding user account") in a way that the home directory
owner is only altered if it differs from the expected owner.
Without this change on every boot we would alter the owner which could increase
the boot time if the home of a user is cluttered.
|
|
T5474: establish common file name pattern for XML conf mode commands
|
|
We will use _ as CLI level divider. The XML definition filename and also
the Python helper should match the CLI node.
Example:
set interfaces ethernet -> interfaces_ethernet.xml.in
set interfaces bond -> interfaces_bond.xml.in
set service dhcp-server -> service_dhcp-server-xml.in
|
|
dhcp: T3316: Adjust kea lease files' location and permissions
|
|
T5870: ipsec remote access VPN: add x509 ("pubkey") authentication.
|