Age | Commit message (Collapse) | Author |
|
Add initial configuration mode for VPP (PoC)
set vpp cpu corelist-workers '2'
set vpp cpu main-core '1'
set vpp interface eth1 num-rx-desc '256'
set vpp interface eth1 num-rx-queues '512'
set vpp interface eth1 num-tx-desc '256'
set vpp interface eth1 num-tx-queues '512'
set vpp interface eth1 pci '0000:02:00.0'
set vpp interface eth1 rx-mode 'polling'
set vpp interface eth2 pci '0000:08:00.0'
Limitation:
- 'set vpp interface ethX pci auto' works only per first
commit, then interface detached from default stack and creates
tun interface 'ethX' to communicate with default stack. In this
case we can't get PCI address via ethtool for 'tun' interfaces.
But we can set pci address manualy.
- Interface sync between default stack and VPP-DPDK stack
After vpp change it doesn't trigger iproute2 for changes
(should be written later)
I.e. if we change something in vpp per each commit it restarts
vpp.service it gets empty interface config as we don't configure vpp
directly and it should be configured via iproute2
But then if we do any change on interface (for example description)
it gets IP address, MTU, state, etc.
|
|
|
|
... this is a step towards a new and better implementation that will utilize
VPP.
|
|
|
|
|
|
cloud-init: T5190: Added Cloud-init pre-configurator
|
|
|
|
Added a new service that starts before Cloud-init, waits for all network
interfaces initialization, and if requested by config, checks which interfaces
can get configuration via DHCP server and creates a corresponding Cloud-init
network configuration.
This protects from two situations:
* when Cloud-init tries to get meta-data via eth0 (default and fallback variant
for any data source which depends on network), but the real network is connected
to another interface
* when Cloud-init starts simultaneously with udev and initializes the first
interface to get meta-data before it is renamed to eth0 by udev
|
|
since it's required for match statements
and for op mode introspection
|
|
With commit 0ea3e1420 ("container: T5082: switch to netavark network stack")
moving to a new network stack we should also enable the new DNS plugin provided
by default.
TODO: add CLI nodes to manually disable DNS and/or supply external DNS servers
to the container.
|
|
|
|
We now support assigning discrete IPv6 addresses to a container.
|
|
With FRR 8.5 there is exists file /etc/pam.d/frr
With this file by default we have cosmtetic error for any op-mode
command
$ show ip bgp
vtysh_pam: Failed in account validation: Success(0)No BGP prefixes displayed, 0 exist
Fix it
|
|
Add sFlow feature based on hsflowd
According to user reviews, it works more stable and more productive
than pmacct
I haven't deleted 'pmacct' 'system flow-accounting sflow' yet
It could be migrated or deprecated later
set system sflow agent-address '192.0.2.14'
set system sflow interface 'eth0'
set system sflow interface 'eth1'
set system sflow polling '30'
set system sflow sampling-rate '100'
set system sflow server 192.0.2.1 port '6343'
set system sflow server 192.0.2.11 port '6343'
|
|
|
|
This reverts commit 9ed4113d6c4809a0126d04c99d60eaa76a7b6b15.
|
|
Fix podman error about invalid storage:
[graphdriver] prior storage driver overlay failed: 'overlay' is not supported
over overlayfs, a mount_program is required: backing file system is unsupported
for this graph driver" Error: 'overlay' is not supported over overlayfs, a
mount_program is required: backing file system is unsupported for this graph
driver.
|
|
|
|
container
|
|
|
|
DeprecationWarning: 'crypt' is deprecated and slated for removal in Python 3.13
DeprecationWarning: 'spwd' is deprecated and slated for removal in Python 3.13
|
|
login: T4943: Fixed 2FA + RADIUS compatibility
|
|
MFA requires KbdInteractiveAuthentication to ask a second factor, and the RADIUS
module for PAM does not like it, which makes them incompatible.
This commit:
* disables KbdInteractiveAuthentication
* changes order for PAM modules - make it first, before `pam_unix` or
`pam_radius_auth`
* enables the `forward_pass` option for `pam_google_authenticator` to accept
both password and MFA in a single input
As a result, local, RADIUS, and MFA work together.
Important change: MFA should be entered together with a password.
Before:
```
vyos login: <USERNAME>
Password: <PASSWORD>
Verification code: <MFA>
```
Now:
```
vyos login: <USERNAME>
Password & verification code: <PASSWORD><MFA>
```
|
|
|
|
debian: T5003: Upgrade base system to Debian 12 "Bookworm"
|
|
|
|
|
|
Kernel now performs this function internally
|
|
|
|
|
|
|
|
|
|
* Move CLI from "system ntp" -> "service ntp"
* Drop NTP server option preempt as not supported by chrony
|
|
This reverts commit 36d16f531236a62b5afc6cdd5f04d20c2b1883e6.
|
|
|
|
|
|
|
|
skopeo does not support overwriting an image - simply remove and readd it.
|
|
1. When a PPPoE session is connected, `pppd` will update
`/etc/resolv.conf` regardless of `system name-server` option unless `no-peer-dns` is set.
This is because `pppd` vendors scripts `/etc/ppp/ip-up.d/0000usepeerdns` and `/etc/ppp/ip-down.d/0000usepeerdns`,
which updates `/etc/resolv.conf` on PPPoE connection and reverts the change on disconnection.
This PR removes those scripts and adds custom scripts to update name server entries through `vyos-hostsd` instead.
2. There is a typo in `/etc/dhcp/dhclient-enter-hooks.d/04-vyos-resolvconf, which misspells variable name `new_dhcp6_name_servers` as `new_dhcpv6_name_servers`.
This causes IPv6 name server entries in `vyos-hostsd` not updated
when dhclient receives nameservers from DHCPv6.
3. Regular expressions in scripts under `/etc/dhcp/dhclient-enter-hooks.d` and
`/etc/dhcp/dhclient-exit-hooks.d/` are not enclosed in `^$`, so those
IPv4 related branches (like `BOUND`) could be mistakenly executed when an IPv6
reason (like `BOUND6`) is given.
|
|
|
|
Using humps.decamelize in vyos.opmode requires python3-pyhumps to be a
build dependency for the nosetest test_op_mode.py.
|
|
humps Convert strings (and dictionary keys) between snake case,
camel case and pascal case in Python
% decamelize('superTCPOption')
'super_tcp_option'
%
% decamelize({'ParamOption': 'one', 'fooBarBaz': True})
{'param_option': 'one', 'foo_bar_baz': True}
%
|
|
|
|
Turns out a local installation of a package using "dpkg -i" differs when
assembling an ISO using live-build. The previous version worked when using
"dpkg -i" but it failed hard (no login possible) during ISO build.
This has been fixed by using double quotes.
|
|
|
|
In order to properly retrieve JSON information in the Smoketests for the new
QoS implementation we need a recent (>6.0) version of iproute2. This requires
the libbpf-dev package and this small source-code change.
|
|
Commit da535ef5 ("login: 2fa: T874: fix Google authenticator issues") used
different strings for grep and sed resulting in the same line beeing added on
every installation of the package.
This is only disturbing during development not during ISO build.
|
|
Move default values of TOTP configuration from a global to a per user setting.
This makes the entire code easier as no global configuration must be blended
into the per user config dict.
Also it should be possible to set the authentication window "multiple concurrent
keys" individual per user.
set system login user vyos authentication otp key 'gzkmajid7na2oltajs4kbuq7lq'
set system login user vyos authentication plaintext-password 'vyos'
|
|
|
|
system login: T874: add 2FA support for local and ssh authentication
|