| Age | Commit message (Collapse) | Author |
|---|
|
pmacct daemons have one very important specific - they handle control signals in
the same loop as packets. And packets waiting is blocking operation.
Because of this, when systemctl sends SIGTERM to uacctd, this signal has no
effect until uacct receives at least one packet via nflog. In some cases, this
leads to a 90-second timeout, sending SIGKILL, and improperly finished tasks.
As a result, a working folder is not cleaned properly.
This commit contains several changes to fix service issues:
- add a new nftables table for pmacct with a single rule to get the ability to
send a packet to nflog and unlock uacctd
- remove PID file options from the uacctd and a systemd service file. Systemd
can detect proper PID, and PIDfile is created by uacctd too late, which leads
to extra errors in systemd logs
- KillMode changed to mixed. Without this, SIGTERM is sent to all plugins and
the core process exits with status 1 because it loses connection to plugins too
early. As a result, we have errors in logs, and the systemd service is in a
failed state.
- added logging to uacctd
- systemctl service modified to send packets to specific address during a service
stop which unlocks uacctd and allows systemctl to finish its work properly
(cherry picked from commit e364e9813b6833f6b108e7177ef7ea2d9e7bac33)
|
|
T5489: Change default qdisc from 'fq' to 'fq_codel' (backport #2349)
|
|
xml: T5649: catch errors from schema validation before generating cache (backport #2358)
|
|
(cherry picked from commit 126a67ade9cd045e0ff60b0b9eb9b5680e8a29d0)
|
|
http-api: T2612: correct the response message and add reload for api self-configuration (backport #2352)
|
|
(cherry picked from commit 93d2ea7d635c7aa5acf3000654393ea48b7c6405)
|
|
(cherry picked from commit 7d597a6dca15cb592230b349ef7ef565f258cf43)
|
|
(cherry picked from commit ac1bd7c2f69e058f54084decbfe6b6d329df6462)
|
|
pppoe: T5630: allow to specify MRU in addition to already configurable MTU (backport #2335)
|
|
(cherry picked from commit e357258e645cf85de0035d4ecfbf99db4dd90f7e)
|
|
Set the MRU (Maximum Receive Unit) value to n. PPPd will ask the peer to send
packets of no more than n bytes. The value of n must be between 128 and 16384,
the default was always 1492 to match PPPoE MTU.
A value of 296 works well on very slow links (40 bytes for TCP/IP header + 256
bytes of data). Note that for the IPv6 protocol, the MRU must be at least 1280.
CLI:
set interfaces pppoe pppoe0 mru 1280
(cherry picked from commit e062a8c11856f213983f5b41f50d4f9dbc0dde0f)
|
|
config: T5631: save copy of config in JSON format on commit (backport #2339)
|
|
(cherry picked from commit 27605426a4ad613f45d36e7db5b1664dc3192981)
|
|
T4320: remove references to obsoleted legacy version files (backport #2338)
|
|
(cherry picked from commit aeb0138c9df73b57489eced152f026c0666d1ee5)
|
|
login: T5521: do not call system-login.py in vyos-router init (backport #2336)
|
|
Calling system-login.py with no mounted VyOS config has the negative effect
that the script will not detect any local useraccounts and thus assumes they
all need to be removed from the password backend.
As soon as the VyOS configuration is mounted and the CLI content is processed,
system-login.py get's invoked and re-creates the before deleted user accounts.
As the account names are sorted in alphabetical order, the name <-> UID mapping
can get mixed up during system reboot.
The intention behind calling system-login.py from vyos-router init was to
reset system services (PAM, NSS) back to sane defaults with the defaults
provided via system-login.py. As PAM is already reset in vyos-router startup
script, /etc/nsswitch.conf was the only candidate left.
This is now accomplished by simply creating a standard NSS configuration file
tailored for local system accounts.
This is the second revision after the first change via commit 64d32329958
("login: T5521: home directory owner changed during reboot") got reverted.
(cherry picked from commit 12069d5653034b46a47430353c3867b3678c196f)
|
|
This reverts commit 074870dad33d80e78128736f9e89bdfa1a0e08fd.
|
|
login: T5521: home directory owner changed during reboot (backport #2331)
|
|
During system startup the system-login.py script is invoked by vyos-router
systemd service. As there is no complete configuration available at this
point in time - and the sole purpose of this call is to reset/re-render
the system NSS/PAM configs back to default - it accidently also deleted the
local useraccounts.
Once the VyOS configuration got mounted, users got recreated in alphabetical
order and thus UIDs flipped and the /home suddenely belonged to a different
account.
This commit prevents any mangling with the local userdatabase during VyOS
bootup phase.
(cherry picked from commit 64d323299586da646ca847e78255ff2cd8464578)
|
|
T5436: Add missing preconfig-script (backport #2326)
|
|
(cherry picked from commit 646f08fc5a302e08aad90af3fa0ee32e138ee585)
|
|
login: T5628: fix spwd deprecation warning (backport #2328)
|
|
vyos@vyos:~$ show system login users
Username Type Locked Tty From Last login
---------- ------ -------- ----- ------------- ------------------------
vyos vyos False pts/0 172.16.33.139 Mon Oct 2 20:42:24 2023
(cherry picked from commit 80f08af76db0ccee4d6dc1a99b6d8d90884fa33f)
|
|
T5165: Migrate policy local-route rule x destination to address (backport #2325)
|
|
Migrate policy local-route <destination|source> to node address
replace 'policy local-route{v6} rule <tag> destination|source <x.x.x.x>'
=> 'policy local-route{v6} rule <tag> destination|source address <x.x.x.x>'
(cherry picked from commit 9f7a5f79200782f7849cab72f55a39dedf45f214)
|
|
mdns: T5615: Allow controlling IP version to use for mDNS repeater (backport #2307)
|
|
Rename avahi-daemon config file to avahi-daemon.conf.j2 to match the
convention used by other config files.
(cherry picked from commit 3a3123485f2ea7b253caa1c49f19c82a0eaa0b37)
|
|
This commit adds a new configuration option to the mDNS repeater service
to allow controlling which IP version to use for mDNS repeater.
Additionally, publishing AAAA record over IPv4 and A record over IPv6 is
disabled as suggested.
See:
- https://github.com/lathiat/avahi/issues/117#issuecomment-1651475104
- https://bugzilla.redhat.com/show_bug.cgi?id=669627#c2
(cherry picked from commit e66f7075ee12ae3107d29efaf683442c3535e8b9)
|
|
T5165: Add option protocol for policy local-route (backport #2313)
|
|
firewall: T5614: Add support for matching on conntrack helper (backport #2306)
|
|
(cherry picked from commit 81dee963a9ca3224ddbd54767a36efae5851a001)
|
|
Add option `protocol` for policy local-route
set policy local-route rule 100 destination '192.0.2.12'
set policy local-route rule 100 protocol 'tcp'
set policy local-route rule 100 set table '100'
(cherry picked from commit 96b8b38a3c17aa08fa964eef9141cf89f1c1d442)
|
|
ipsec: T5606: Add support for whole CA chains (backport #2305)
|
|
Also includes an update to smoketest to verify
(cherry picked from commit 1ac230548c86d3308ff5b479b79b0e64b75a0e8a)
|
|
T5412: Add support for extending config-mode dependencies in add-on packages (backport #2216)
|
|
(cherry picked from commit 12440ea1af8e60482a6a91c1cb04dcb86d7f4a68)
|
|
(cherry picked from commit 0869b91c0b15ddedd72b4d0e1475c52eb45994f0)
|
|
Add support for defining config-mode dependencies in add-on packages.
(cherry picked from commit d9ad551816e34f38280534ad75d267697e4f096f)
|
|
firewall: T5160: Remove zone policy op-mode (backport #2308)
|
|
rpki: T2044: add to daemons Jinja2 template
|
|
T5497: op-mode: Add generate firewall rule-resequence (backport #2302)
|
|
This is a combined backport of commits:
* a4aad1120 - frr: T5591: hint about daemons that always run and can't be disabled
* d9d2b2b96 - frr: T5591: cleanup of daemons file
* 40503a9d7 - T2044: RPKI doesn't boot properly
|
|
(cherry picked from commit 9b9b37e9cbb225eaacac2ad8cb03bef735fed117)
|
|
Add op-mode command `generate firewall rule-resequence`
Generates output with new sequences for firewall rules
set firewall ipv4 input filter rule 1 action 'accept'
set firewall ipv4 input filter rule 1 description 'Allow loopback'
$ generate firewall rule-resequence start 10 step 10
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 description 'Allow loopback'
(cherry picked from commit 7ad1e8c7d3440046dce2ffa7bcb70a38bfddc298)
|
|
smoketest: T5607: support getting SCSI device by drive-id (backport #2298)
|
|
(cherry picked from commit 2d3f3297b575f88662495e14a7c7324ff73b6bfc)
|
|
(cherry picked from commit 42736111facf08ac37b86e6fc3cbd395aab166bc)
|
|
(cherry picked from commit ede0b5b1a19c37547c19d875743e78b0278628d4)
|
|
bgp: T5596: add new features from FRR 9 (backport #2284)
|
