T1771: automatic reboot of system into previous image

T7445: added open prs conflict checker caller workflow

pppoe: T7463: Added restart if CoA is changed

Added a restart if CoA is changed
Added a restart if the authentication mode is changed

prometheus: T7435: Ensure only configured exporters are started

opennhrp: T7462: Removed unused opennhrp files and configurations

T7348: Add config CPU thread-count for accel-ppp services

T7335: Fix typo for HAproxy help redirect-location path

wireguard: T7387: Optimise wireguard peer handling

xml: T7467: remove ^/$ wrapping from validation regexes since the validation utility adds them implicitly

policy: T5069: large-community-list regex validator disallows whitespace

openconnect: T7287: VPN Openconnect does not check dictionary key se…

Removed unused opennhrp files and configurations

snmp: T7464: fix the community string validation regex for compatibility with PCRE2

bonding: T7466: fix the 802.3ad regex for compatibility with PCRE2

T7458: Fix VPN IPsec unexpected passthrough logic bug

T7414: Fix conntrack ignore rules for using several ports

If any part of the system boot fails, we set overall_status=1 in the vyos-router
startup script. When an error during the image upgrade is detected, the system
will automatically revert the default boot image to the previously used version,
if the CLI option "system option reboot-on-upgrade-failure" is set.
The user is informed via console messages:
Booting failed, reverting to previous image
Automatic reboot in 5 minutes
Use "reboot cancel" to cancel
The user has time to log in and run reboot cancel to remain in the faulty image
for troubleshooting. Reboot timeout is defined by CLI: "system option
reboot-on-upgrade-failure"
Once the system boots into the previous image, the MOTD will display a
persistent warning message - cleared during next reboot.
WARNING: Image update to "VyOS 1.5.xxxx" failed
Please check the logs:
/usr/lib/live/mount/persistence/boot/NAME/rw/var/log
Message is cleared on next reboot!
Upgrade failure can be synthetically injected by booting with Kernel command
line option: vyos-fail-migration

When performing an image upgrade we will create a file named /config/first_boot
with JSON data inside the new image's persistent storage. The content of the file
will look like: {"previous_image": "1.5-stream-2025-Q3"}
The previous image name can be easily queried using "jq -r '.previous_image'".
This is the base work required for an adjusted version of the vyos-router init
script to support an automatic rollback to a previous image if things go
sideways.

If we use several ports for `conntrack ignore`, curly braces have to be used
for nftables.
Incorrect format: dport 500,4500
Correct format: dport { 500, 4500 }

Accel-ppp services should not use all CPU cores to process requests.
At the moment accel-ppp services use all available CPU cores
to process requests from the subscribers (establish/update session/etc).
During mass connection of sessions, this can lead to the fact that it
utilizes all CPU, and for other services like FRR, there is not enough
CPU time to process their own stable work.
Services:
- L2TP
- SSTP
- PPPoE
- IPoE
- PPTP
Make this option configurable and use all cores if not set:
```
set service pppoe-server thread-count < all | half | x >
```
The defaultValue is `all`.

VPN IPsec unexpected passthrough logic bug was introduced in this
commit https://github.com/vyos/vyos-1x/commit/f480346bb8e934b1ce2e0fc3be23f7168273bba1
The correct behaviour of the `cidr_fit` was replaced with the
incorrect `overlap`.
This way, the passthrough option is used every time the networks overlap.
```
>>> from ipaddress import ip_network
>>>
>>> a = ip_network('192.0.2.0/24')
>>> b = ip_network('192.0.2.100/30')
>>>
>>> a.overlaps(b)
True
>>>
>>> b.overlaps(a)
True
>>>
```
But there should be `subnet_of`:
```
>>> a.subnet_of(b)
False
>>>
>>> b.subnet_of(a)
True
>>>
```
In configuration it looks like:
```
set vpn ipsec site-to-site peer RIGHT tunnel 0 local prefix '192.0.2.0/24'
set vpn ipsec site-to-site peer RIGHT tunnel 0 remote prefix '192.0.2.100/30'
```
The unexpected StrongSwan configuration:
```
RIGHT-tunnel-0-passthrough {
local_ts = 192.0.2.0/24
remote_ts = 192.0.2.0/24
start_action = trap
mode = pass
}
```
So all outgoing traffic to 192.0.2.0/24 passes through the main routing
table instead of our SA.
Use `subnet_of` to fix this.
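As an added illustration (not part of the commit above or of the vyos-1x code base), the following puts the regressed decision (`overlaps`) beside the corrected one (`subnet_of`) and applies both to the two prefixes from the commit message; it also covers the contained and the disjoint case, which the message does not show. The function names and the stanza renderer are constructed here to mirror the shape of the swanctl block quoted above.

```python
from ipaddress import ip_network


def passthrough_needed(local_prefix: str, remote_prefix: str, buggy: bool = False) -> bool:
    """Return True when a 'mode = pass' (passthrough) child should be generated.

    buggy=True reproduces the regression from the commit: any overlap between
    the two prefixes triggers a passthrough.  buggy=False is the corrected
    containment check: passthrough only when the local prefix lies entirely
    inside the remote prefix, so local-to-local traffic is kept off the SA.
    """
    local = ip_network(local_prefix)
    remote = ip_network(remote_prefix)
    if local.version != remote.version:
        # Mixed v4/v6 prefixes can never be nested; subnet_of() would raise.
        return False
    if buggy:
        return local.overlaps(remote)
    return local.subnet_of(remote)


def render_passthrough(peer: str, tunnel: int, local_prefix: str,
                       remote_prefix: str, buggy: bool = False) -> str:
    """Render the constructed swanctl passthrough stanza, or '' if none is needed.

    Both traffic selectors carry the *local* prefix, as in the quoted output,
    because the passthrough exists to exempt local-to-local traffic.
    """
    if not passthrough_needed(local_prefix, remote_prefix, buggy):
        return ""
    return (
        f"{peer}-tunnel-{tunnel}-passthrough {{\n"
        f"    local_ts = {local_prefix}\n"
        f"    remote_ts = {local_prefix}\n"
        f"    start_action = trap\n"
        f"    mode = pass\n"
        f"}}\n"
    )


if __name__ == "__main__":
    # Prefixes taken from the commit message: local /24, remote /30 inside it.
    local, remote = "192.0.2.0/24", "192.0.2.100/30"
    print("regressed check:", passthrough_needed(local, remote, buggy=True))  # True
    print("corrected check:", passthrough_needed(local, remote))             # False
    print(render_passthrough("RIGHT", 0, local, remote, buggy=True), end="")
```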
T7450: update commit hash for Use PCRE2 instead of PCRE

T7443: Un-restricting non-root logins after scheduled reboot/shutdown via pam_nologin

T7157: bgp: Added verification of the route-map existence in vrf import

T7386: firewall: Allow IPv6 member in firewall remote-groups

Added verification of the route-map existence in the vrf
route-leaking.

frr: T7411: preserve FRR config on service restart if it exists

haproxy: T7429: remove unsupported logging facility and log level

When using reboot in, reboot at, or shutdown in, non-root users are prevented
from logging in via SSH or console starting 5 minutes before the scheduled
shutdown or reboot time.
This behavior is intended by pam_nologin.so, which is included in the SSH and
login PAM stack (default on Debian). While expected, it may be inconvenient
and could be reconsidered.

T7423: Add kernel boot options isolcpus, hugepages, numa_balancing

* Re-introduce the whitespace/pattern matches ' ' and '_' as allowed
* Perform a general Python regex validity check (not 100% 1003.2, but in combination
  with allowedChars, pretty close)
* Introduce a warning against potentially malformed or over-complex patterns,
  but leave it up to the user to resolve - there are plenty of useful
  expressions we cannot validate easily

VyOS 1.4.1 implemented support for logging facilities for HAProxy. The
facilities got included from the syslog XML definition, which also added
"virtual" or non-existing facilities in HAProxy, namely: all, authpriv and mark.
If any of the above facilities is set, HAProxy will not start.
The XML definition for syslog also came with an arbitrary log-level "all" that
is also unsupported in HAProxy.
This commit adds a migration script removing the illegal CLI nodes.

Add kernel options which apply during the boot:
- isolcpus
- nohz_full
- rcu_nocbs
- default_hugepagesz
- hugepages
- hugepagesz
- numa_balancing
- hpet
- mce
- nosoftlockup
- nmi_watchdog
CLI:
```
set system option kernel cpu disable-nmi-watchdog
set system option kernel cpu isolate-cpus '1,2,4-5'
set system option kernel cpu nohz-full '1,2,4-5'
set system option kernel cpu rcu-no-cbs '1,2,4-5'
set system option kernel disable-hpet
set system option kernel disable-mce
set system option kernel disable-softlockup
set system option kernel memory default-hugepage-size '2M'
set system option kernel memory disable-numa-balancing
set system option kernel memory hugepage-size 1G hugepage-count '2'
set system option kernel memory hugepage-size 2M hugepage-count '512'
```

nat66: T7051: snat group as destination

utils: T7095: make `vrf` and `netns` arguments aware of the shell