| Age | Commit message (Collapse) | Author |
|
udev: T9071: fix invalid ATTR key assignment
|
|
Prefent ISO build issue:
Skipping overridden file '/usr/lib/udev/rules.d/40-usb_modeswitch.rules'.
Reading rules file: /etc/udev/rules.d/40-usb_modeswitch.rules
|
|
This fixes a (cosmetic) error which pops up in the logfiles:
40-usb_modeswitch.rules:4 ATTR key takes '==', '!=', or '=' operator, assuming '='.
It was introduced in commit 93406237d ("wwan: T8924: add UDEV configuration for
USB modeswitch")
|
|
vpp: T9018: Auto-enable promiscuous mode for interfaces with VLANs
|
|
vpp: T9062: Enable DHCP/DHCPv6 client detection on VLAN sub-interfaces
|
|
The 'ip4-dhcp-client-detect' and 'ip6-icmp-ra-punt' VPP features were only
ever enabled on the base ethernet interface, so DHCP and DHCPv6 clients
never worked on VLAN sub-interfaces (vif/vif-s) of a VPP-managed interface.
Apply the same feature toggles to each vif/vif-s using its own address
configuration. vif-c is intentionally excluded, as Q-in-Q sub-interfaces
are not currently functional under VPP.
|
|
smoketest: T9048: harden DHCP client process checks against CI timing races
|
|
remote: T8829: fall back to GET when HEAD is not supported
|
|
frrender: T9054: keep PPPoE/DHCP default route when "protocols static" is deleted
|
|
VPP drops VLAN-tagged frames unless the parent interface has promiscuous
mode enabled, causing VLAN sub-interfaces to lose connectivity.
Automatically enable promiscuous mode on VPP interfaces that have VLAN
sub-interfaces (vif/vif-s) configured.
|
|
deleted
Deleting "protocols static" set config_dict['static'] to a dict object shared
by reference across every deleted protocol. Merging the PPPoE/DHCP default-route
data into it left the "deleted" marker in place, so the entire staticd section -
including the just-merged default route - was skipped during FRR rendering,
dropping the default route from the RIB/FIB.
Copy the shared deleted-protocol marker before mutating it, and clear the marker
once DHCP/PPPoE content has been merged in so the section is still rendered.
|
|
T8344: Preserve symlinks when copying config to/from TPM encrypted volume
|
|
smoketest: T8940: HYPERV_VTL_MODE must not be enabled; require vPCI
|
|
|
|
Adversarial review findings on the previous head:
* get_process_cmdline() could re-resolve a NEW PID after the
'ip vrf pids' membership assertion had already run against the old
one, so the two assertions could validate different processes. The
helper now returns the (pid, cmdline) pair it actually validated and
the VRF checks moved after it, targeting the returned PID.
* The one-shot retry left a residual double-race window. The helper
now polls PID discovery and the /proc read together under the same
PROCESS_WAIT_TIMEOUT deadline.
🤖 Generated by [robots](https://vyos.io)
|
|
The re-resolve path read /proc/<pid>/cmdline without defaultonfailure,
so a repeated PID race raised an unhandled exception (test ERROR)
instead of failing with a clear assertion message.
🤖 Generated by [robots](https://vyos.io)
|
|
|
|
Interface smoketests fail intermittently in CI on DHCP-related
assertions (test_interfaces_cli job pass rate 42-55% over the last 30
workflow runs). Three timing hazards in the interface test base class:
* process_named_running() was polled with a 10 second window at all
dhclient/dhcp6c call sites - too short on a loaded runner. Raise to a
shared PROCESS_WAIT_TIMEOUT of 60 seconds; the poll returns as soon
as the process appears, so this only delays the failure path.
* /proc/<pid>/cmdline was read unguarded after PID discovery. dhclient
re-executes itself while daemonizing, so the discovered PID can be
gone by the time /proc is read - read_file() then raises and the test
errors out instead of failing cleanly. New get_process_cmdline()
helper re-resolves the PID once when the read fails.
* tearDown() asserted daemon absence immediately after the config was
removed, reporting daemons still in their shutdown path as leaks.
Use the existing wait_for_result() shim helper with the same 60s
bound to grant a grace period before declaring a leak; the poll
returns on first observation of a clean state, so passing runs pay
no extra wall clock.
🤖 Generated by [robots](https://vyos.io)
|
|
T9002: grant CAP_NET_RAW to blackbox-exporter when ICMP modules are configured
|
|
shutil.copytree() defaults to symlinks=False, so it recurses into
symlinked directories and recreates them as real directories instead
of preserving the symlink.
cloud-init creates /opt/vyatta/etc/config/cloud/instance as a symlink
to instances/i-<id>. Enabling/disabling config encryption copied this
tree with copytree() and silently turned that symlink into a real
directory, causing cloud-init to fail on later runs with:
IsADirectoryError: [Errno 21] Is a directory: '.../cloud/instance'
Pass symlinks=True to preserve symlinks during the copy.
|
|
T9037: Could not build ISO image for integration tests
|
|
op-mode: T9009: add "show log priority <level>" command
|
|
firewall: T8761: Reintroduce VRF-interface names in generated config
|
|
The blackbox-exporter runs as node_exporter user which cannot create
ICMP sockets due to restricted ping_group_range. Add CAP_NET_RAW
capability to the systemd service when ICMP modules are configured.
In non-VRF mode, use systemd AmbientCapabilities/CapabilityBoundingSet.
In VRF mode, replace runuser with setpriv to preserve the capability
across the UID change.
|
|
This change re-implements the intended behaviour from T4180 aswell as from
T4506, it ensures that both the vrf-member interface aswell as the vrf itself
is added as an oifname -> meaning that traffic traversing and originating from
withing VyOS is matches outbound.
Changes done by c-po:
* re-sort dependency list to keep diff low
* vyos.configdict.is_vrf_changed() should return early and not carry
over the to-be return value
* keep common coding style (dict by . separation) in nftables-zone.j2
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
|
|
|
|
op-mode: T8372: add "show log facility <name>" command
|
|
Added a step to clone vyos-1x source code into the build directory. It is necessary to have these files in this directory in cases where we perform the build process during a backport. We use vyos-build scripts from the original branch during integration tests for this process.
|
|
T9028: add .claude folder to .gitignore
|
|
vyos.utils: T8981: catch_broken_pipe() decorator must return func(*args, **kwargs)
|
|
**kwargs)
"show system commit diff <rev>" produces no output (exit 0) for any revision,
regardless of how much the revisions differ. The revision store and diff engine
are intact - "show system commit file <rev>" works, and so does
ConfigMgmt().compare(rev1=0, rev2=1) which returns the correct diff when called
directly.
Commit a29d73d00 ("op-mode: T8362: "compare" command lacks catch_broken_pipe
decorator") added @catch_broken_pipe to ConfigMgmt.show_commit_diff to suppress
BrokenPipeError tracebacks when piping output, but the decorator calls the
wrapped function without returning its value. Thus the op-mode framework will
receive None and prints nothing.
|
|
T8963: policy-route: trigger domain resolver for domain groups
|
|
T9031: Fix updating pppoe server protocols
|
|
Authentication protocols are implemented as modules in accel-ppp-ng.
The CLI setting configures which modules need to be loaded, for this
change to take effect pppoe server must be restarted.
|
|
ifconfig: T9008: refactor vyos.ifconfig to use cmdl() for safer subprocess execution
|
|
https: T9022: serve the full CA certificate chain
|
|
bgp: T6573: add input/output queue limit CLI commands
|
|
(#5302)
The typos check is now enforced fleet-wide via the vyos-org repository ruleset
`require-typos-pilot-2026-06-18` (active), which injects the standalone
`typos.yml` from vyos/.github. The per-repo `check-typos.yml` caller (the lone
remaining consumer of the old workflow_call reusable) is redundant — remove it.
🤖 Generated by [robots](https://vyos.io)
|
|
This is needed for debugging the concatenated XML include blocks, otherwise two
XML comments will show up on one line due to the missing newline which is
annoying.
|
|
|
|
Add input-queue-limit and output-queue-limit CLI nodes to expose global FRR
"bgp input-queue-limit" and "bgp output-queue-limit" commands via our CLI.
Parameters control the maximum number of queued messages for all BGP peers
during message parsing. FRR default is 10000 which we honor.
Note that this is a global option and can only be set for the global/default
BGP instance.
|
|
|
|
|
|
Instead of passing environment variables now pass proper CLI arguments.
|
|
ci: T8490: fix typos in comments, strings, and local identifiers
|
|
utils: T9003: add list-argument variant of cmd() for safer subprocess execution
|
|
Reaches a clean typos baseline for the T8490 ruleset pilot. Categories:
- Comments/docs: recursivly, taret, passsed, characted, arhive, AtrributeError;
"ned" -> "new" (migration comments).
- Messages/strings: writeable -> writable (x5); OCaml log "Commandis" -> "Command is".
- Local variables (all refs in-function): commited, formating, presistent;
inpt_range -> input_range; tz_datas -> tz_data_raw (avoids the tz_data collision).
- Self-contained renames (definition + all references in-file): formated_stats,
_get_formatted_output_conections -> ..._connections, expension_failure ->
expansion_failure (ping + traceroute), snmpd_restart_reqired -> ..._required.
False positives are allowlisted centrally (vyos/.github, separate PR), NOT changed
here: mke2fs, Maya-calendar "Mak", RFC 4122 "IDentifier" (hostapd), and VPP's
"U-Forwrd" bridge-domain column header (op_mode/vpp.py + the VPP smoketest assert
the real upstream `vppctl` output). Verified: typos clean, py_compile of every
edited .py, zero remaining old-identifier references.
🤖 Generated by [robots](https://vyos.io)
|
|
When a certificate is assigned to the HTTPS service, nginx was only
sent the leaf certificate. An intermediate CA was included only when
an operator manually configured "ca-certificate", and even then just
that single CA - the rest of the issuer chain was never followed.
As a result, clients that do not already trust the issuing intermediate
CA (for example Let's Encrypt's newer E- and R-series intermediates)
could not build a path to a trusted root and rejected the connection.
Build the complete chain from the CA certificates present in the PKI
using find_chain(), the same helper already used by HAProxy, OpenConnect,
stunnel and the other PKI consumers. The intermediate chain is now
discovered automatically, so configuring "ca-certificate" is no longer
required; it remains accepted for backwards compatibility.
|
|
bgp: T8865: Reject `vni` sub-block in VRF l2vpn-evpn when `advertise-all-vni` is globally active
|