Age | Commit message | Author |
|
remote: T7048: merge git environment with the os environment
|
|
nhrp: T2326: Fixed network-id migration
|
|
Fixed network-id migration.
Every tunnel should have its own nhrp network-id.
|
|
allows utilizing ssh-agent and other environment-variable-based behavior
customizations
|
|
T7038: T7039: fix broken RADIUS IPv6 source address and add smoketests
|
|
kea: T7041: Check lease hostname string is not empty
|
|
nhrp: T2326: NHRP migration to FRR
|
|
|
|
T7042: drop use of inspect module in favor of ast for source analysis
|
|
When configuring RADIUS to use IPv6 as connection to the server with an
optional source-address
```
set system login radius server 2001:db8::4 key '9LMVCtPYpG'
set system login radius source-address '2001:db8::1'
```
It will error out:
```
pam_radius_auth(sshd:auth): Failed looking up source IP address [2001:db8::1]
for server [2001:db8::4]:1812 (error=System error)
```
The source address is not allowed to be in [] - thus the brackets need to be
removed.
|
|
RADIUS is pretty sensitive to its configuration. Instead of manual testing,
extend the smoketest platform to ship a freeradius container and perform logins
against a locally running freeradius server in a container.
|
|
This avoids importing the config mode script as a module, with requisite
dependencies, which may be inconvenient.
|
|
Debian: T7023: download smoketest container images only once
|
|
ddclient: T5791: Relocate process params to ExecStart
|
|
NHRP migration to FRR
|
|
Pull up all the global parameters controlling
process behavior to systemd service.
Also remove `syslog=yes` as it is not needed with
`exec` type service.
|
|
xml: T5738: reuse existing alpha-numeric-hyphen-underscore building block
|
|
|
|
haproxy: T5222: Enable backend completion in service ruleset
|
|
xml: T5738: Reuse predefined regex constraint
|
|
smoketest: T7033: nat source group test should use an existing interface
|
|
|
|
|
|
Enable completion for backend in haproxy service ruleset like so:
```
set load-balancing haproxy service NAME rule 10 set backend
```
|
|
xml: T7029: allow wildcard in include directive
|
|
When setting up vyos-1x-smoketest package, the required container images will
be fetched from the appropriate registry. During development one will re-install
the vyos-1x generated packages periodically. In the past this triggered a
re-download of the container images for every set-up of the package.
This change will download the container images only if the image is not present
on the system.
|
|
vrf: T7024: instance name "up" and "down" are reserved and should not be used
|
|
|
|
T7016: Simplify logic for force deleting dynamic IPv4 address from interface
|
|
This complements commit dda428fc4 ("T6841: firewall: migrate existing VRF in
zone based firewall") which provides the new configuration files after CLI
was migrated.
|
|
This complements commit dda428fc4 ("T6841: firewall: migrate existing VRF in
zone based firewall") which provides the new configuration files after CLI
was migrated.
|
|
|
|
Deprecated as per https://docs.python.org/3/library/datetime.html#datetime.datetime.utcfromtimestamp
Fixes: TypeError: can't subtract offset-naive and offset-aware datetimes
Co-authored-by: Erkki Eilonen <erkki@bearmetal.eu>
|
|
Under very rare cases we can run into a race condition where interfaces are
still in creation phase but are already referenced.
This can trigger:
```
  File "/usr/libexec/vyos/conf_mode/system_conntrack.py", line 270, in <module>
    apply(c)
  File "/usr/libexec/vyos/conf_mode/system_conntrack.py", line 249, in apply
    call_dependents()
  File "/usr/lib/python3/dist-packages/vyos/configdep.py", line 147, in call_dependents
    f()
  File "/usr/lib/python3/dist-packages/vyos/configdep.py", line 118, in func_impl
    run_config_mode_script(script, config)
  File "/usr/lib/python3/dist-packages/vyos/configdep.py", line 106, in run_config_mode_script
    mod.verify(c)
  File "/usr/libexec/vyos//conf_mode/service_conntrack-sync.py", line 72, in verify
    if len(get_ipv4(interface)) < 1:
           ^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/template.py", line 458, in get_ipv4
    return Interface(interface).get_addr_v4()
           ^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/ifconfig/interface.py", line 334, in __init__
    if not self.iftype:
           ^^^^^^^^^^^
AttributeError: 'Interface' object has no attribute 'iftype'
```
This commit removes the code path in question and the class attribute check.
The reason for the iftype attribute in the past was a common _create() method
serving for all interface types. As we already have a lot of derived
implementations and not all honor the class's iftype/type member - or even
worse honor it only in 50% of the occurrences - it's time to drop it.
|
|
* smoketest: T7023: unify container image loading
* smoketest: T7023: add tac_plus container to live validate login
TACACS is pretty sensitive to its configuration. Instead of manual testing,
extend the smoketest platform to ship a tac_plus container and perform logins
against a locally running tac_plus server in a container.
The login username/password and TACACS shared secret are generated randomly on
the fly for every testcase.
|
|
utils: T6975: Add 'vrf' and 'netns' arguments to functions in 'vyos.utils.process'
|
|
on libnss-mapuser (#4281)
Upstream 2.0.0 version from Debian has issues
|
|
|
|
* smoketest: T6747: call wait after commit() only for FRR related tests
Commit 702a60a8de28 ("smoketest: T6746: wait after commit() until frr-reload
is no longer running") added a guard timeout for every commit executed via CLI
smoketests. This commit changes the behavior to only add the guard timeout
for FRR related testcases.
This improves the overall smoketest time.
* configd: T6747: use one long-lived instance of FRRender
Previously there was one FRRender() instance per config session. This resulted
in re-rendering the FRR configuration every time a new config session was
created.
Example:
```
vyos@vyos:~$ configure
vyos@vyos# set interfaces dummy dum0 description foo
vyos@vyos# commit
vyos@vyos# exit
vyos@vyos:~$ configure
vyos@vyos# set interfaces dummy dum0 description bar
vyos@vyos# commit
vyos@vyos# exit
```
In the past this caused a re-render of the FRR configuration as the delta check
added in commit ec80c75d6776 ("frrender: T6746: only re-render FRR config if
config_dict did change") evaluated to false, as it operated on a new instance
of the FRRender class.
With this change there is no FRR re-render, as there is nothing to update
in FRR.
|
|
ddclient: T5791: Keep ddclient.service in foreground
|
|
'vyos.utils.process'
|
|
T6841: firewall: improve config parsing for ZBF when using VRFs and interfaces attached to VRFs
|
|
VRF support was introduced in VyOS 1.4.0. If a VRF is added as an interface in
the zone based firewall, it will be migrated to the new syntax.
OLD:
```
set firewall zone FOO interface RED
set firewall zone FOO interface eth0
```
NEW:
```
set firewall zone FOO member vrf RED
set firewall zone FOO member interface eth0
```
|
|
block
|
|
Improve config parsing for ZBF when using VRFs and interfaces attached to VRFs
|
|
interfaces attached to VRFs
|
|
|
|
Since the distributed ddclient.service is of type 'exec' now, avoid using
process forking and let systemd manage the process directly.
|
|
T7016: force delete only dynamic IPv4 address from interface
|
|
|