summaryrefslogtreecommitdiff
path: root/debian
AgeCommit message (Collapse)Author
2023-12-31Merge pull request #2696 from indrajitr/kea-lfc-fixChristian Breunig
dhcp: T3316: Adjust kea lease files' location and permissions
2023-12-29tacacs: T141: Wrap string in double quotes to allow expansionIndrajit Raychaudhuri
2023-12-29dhcp: T3316: Add `_kea` user as vyattacfg group memberIndrajit Raychaudhuri
Allowing `_kea` to be a member of `vyattacfg` group allows kea-dhcp{4,6}-server to have access to DHCP lease directory under `/config/` and thus have ability to manipupate the leases files.
2023-12-20T2898: add ndp-proxy serviceChristian Breunig
VyOS CLI command set service ndp-proxy interface eth0 prefix 2001:db8::/64 mode 'static' Will generate the following NDP proxy configuration $ cat /run/ndppd/ndppd.conf # autogenerated by service_ndp-proxy.py # This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route route-ttl 30000 # This sets up a listener, that will listen for any Neighbor Solicitation # messages, and respond to them according to a set of rules proxy eth0 { # Turn on or off the router flag for Neighbor Advertisements router no # Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds) timeout 500 # Control how long a valid or invalid entry remains in the cache (milliseconds) ttl 30000 # This is a rule that the target address is to match against. If no netmask # is provided, /128 is assumed. You may have several rule sections, and the # addresses may or may not overlap. rule 2001:db8::/64 { static } }
2023-12-14T5826: ensure dmidecode is installed as a dependency of vyos-1xMathew McBride
dmicode is used in the "show hardware dmi" and to derive synthetic MAC addresses (see python/vyos/ifconfig/interface.py). On non-x86 platforms like arm64 it may not be pulled in explictly by other packages (like libparted2) so add it as an explicit dependency.
2023-12-09Merge pull request #1960 from sarthurdev/keaChristian Breunig
dhcp: T3316: Migrate dhcp/dhcpv6 server to Kea
2023-12-08Merge pull request #2584 from c-po/T4943-google-authenticatorChristian Breunig
login: T4943: use pam-auth-update to enable/disable Google authenticator
2023-12-08login: T4943: use pam-auth-update to enable/disable Google authenticatorChristian Breunig
The initial version always enabled Google authenticator (2FA/MFA) support by hardcoding the PAM module for sshd and login. This change only enables the PAM module on demand if any use has 2FA/MFA configured. Enabling the module is done system wide via pam-auth-update by using a predefined template. Can be tested using: set system login user vyos authentication plaintext-password vyos set system login user vyos authentication otp key 'QY735IG5HDHBFHS5W7Y2A4EM274SMT3O' See https://docs.vyos.io/en/latest/configuration/system/login.html for additional details.
2023-12-08dhcp: T3316: Migrate dhcp/dhcpv6 server to Keasarthurdev
2023-12-06nat64: T160: Implement Jool-based NAT64 translatorJoe Groocock
Signed-off-by: Joe Groocock <me@frebib.net>
2023-12-01mdns: T5793: Cleanup avahi-daemon configuration in `/etc`Indrajit Raychaudhuri
`/etc/avahi` technically can be deleted since we operate with avahi-daemon configuration in `/run/avahi-daemon`. But we still need to keep `/etc/avahi/services` because avahi-daemon `chroot` to that location at startup. This is setup at build time via `AVAHI_CONFIG_DIR` and there is no way to change it at runtime.
2023-12-01mdns: T5793: Cleanup avahi-daemon configuration in `/etc`Indrajit Raychaudhuri
`/etc/avahi` can be deleted since we operate with avahi-daemon configuration in `/run/avahi-daemon`.
2023-11-18T2405: fix debian/control syntaxChristian Breunig
2023-11-18T2405: add Git support to commit-archiveYun Zheng Hu
T2405: add Git support to commit-archive
2023-11-16image: T4516: use copy of pw_reset script for install, link for compatJohn Estabrook
Note that this was updated for the fix in T5739.
2023-11-09T1797: Remove vpp packages and mentionsViacheslav Hletenko
2023-11-07Merge pull request #2436 from sever-sever/T5706Daniil Baturin
T5706: Add custom systemd udev rules to exclude dynamic interfaces
2023-11-05ddclient: T5708: Migration to 3.11.1 and related improvementsIndrajit Raychaudhuri
- Migrate to ddclient 3.11.1 and enforce debian/control dependency - Add dual stack support for additional protocols - Restrict usage of `porkbun` protocol, VyOS configuration structure isn't compatible with porkbun yet - Improve and cleanup error messages
2023-11-04T5706: Add custom systemd udev rules to exclude dynamic interfacesViacheslav Hletenko
Add custom systemd udev rules to exclude some regular and dynamic interfaces from "systemd-sysctl" calls. It fixes high CPU utilization (100%) as we have a lot of calls per interface for dynamic interfaces like ppp|ipoe|sstp etc. /lib/systemd/systemd-udevd should not be called for those interfaces
2023-10-17T1797: Delete VPP from vyos-1x as it is implemented in addonViacheslav Hletenko
2023-10-07debian: T5639: group dependencies and add commentsDaniil Baturin
2023-09-29Merge pull request #2256 from zdc/T5577-circinusChristian Breunig
T5577: Optimized PAM configs for RADIUS/TACACS+
2023-09-15Merge pull request #2185 from sever-sever/T5261-newViacheslav Hletenko
T5261: Add AWS load-balancing tunnel handler
2023-09-13TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+zsdc
In CLI we can choose authentication logic: - `mandatory` - if TACACS+ answered with `REJECT`, authentication must be stopped and access denied immediately. - `optional` (default) - if TACACS+ answers with `REJECT`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if TACACS+ clearly answered that access should be denied (no user in TACACS+ database, wrong password, etc.). If TACACS+ is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-09-13RADIUS: T5577: Added `mandatory` and `optional` modes for RADIUSzsdc
In CLI we can choose authentication logic: - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and access denied immediately. - `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-09-13groups: T5577: Added `radius` and `tacacs` groupszsdc
We need separated groups for RADIUS and TACACS+ system users because they need to be used in PAM rules independently.
2023-09-12frr: T5239: T2061: prevent writing logs to /var/log/frr/frr.logChristian Breunig
2023-09-10Debian: bump package version to 1.5dev0Christian Breunig
2023-09-07smoketest: T5558: Extend configtest to allow checking of migration script ↵sarthurdev
results
2023-09-01T5261: Add AWS load-balancing tunnel handlerViacheslav Hletenko
Add AWS load-balancing tunnel handler https://aws.amazon.com/blogs/networking-and-content-delivery/how-to-integrate-linux-instances-with-aws-gateway-load-balancer/ set service aws glb script on-create '/config/scripts/tmp.sh' set service aws glb script on-destroy '/config/scripts/tmp.sh' set service aws glb status format 'simple' set service aws glb status port '8282' set service aws glb threads tunnel '4' set service aws glb threads tunnel-affinity '1-2' set service aws glb threads udp '4' set service aws glb threads udp-affinity '0-3'
2023-08-29Debian: T5521: remove unused tacacs UNIX groupChristian Breunig
2023-08-29Debian: T5521: use bash over dash for postinstall scriptChristian Breunig
2023-08-28Debian: T5521: use --no-create-home for TACACS usersChristian Breunig
2023-08-28Debian: T5521: place AAA users in users group (besides aaa group)Christian Breunig
2023-08-28Debian: T5521: both RADIUS and TACACS users belong to aaa group, add group firstChristian Breunig
2023-08-16netplug: T5476: rewrite dhclient helper from Perl -> PythonChristian Breunig
There are two hooks called for bridge, ethernet and bond interfaces if the link-state changes up -> down or down -> up. The helpers are: * /etc/netplug/linkdown.d/dhclient * /etc/netplug/linkup.d/dhclient As those helpers use Linux actions to start/restart the dhclient process in Perl it's time to rewrite it. First goal is to get rid of all Perl code and the second is that we now have a Proper Python library. Instead of checking if the process is running the then restarting it without even systemd noticing (yeah we might get two processes beeing alive) we should: * Add a Python helper that can be used for both up and down (see man 8 netplugd FILES section) * Query the VyOS CLI config if the interface in question has DHCP(v6) configured and is not disabled * Add IPv6 DHCPv6 support MAN page: https://linux.die.net/man/8/netplugd
2023-08-10T5434: drop unneeded cache generation from old libJohn Estabrook
2023-08-09T5448: Add service zabbix-agent version 2Viacheslav Hletenko
Add service zabbix-agent set service zabbix-agent directory '/config/zabbix/' set service zabbix-agent limits buffer-flush-interval '8' set service zabbix-agent limits buffer-size '120' set service zabbix-agent log debug-level 'warning' set service zabbix-agent log size '1' set service zabbix-agent server '192.0.2.5' set service zabbix-agent server-active 192.0.2.5 port '10051' set service zabbix-agent server-active 2001:db8::123
2023-08-04T5436: Add missing preconfig-scriptApachez
2023-08-01xml: T5403: drop unnecessary copy of xml_cacheJohn Estabrook
2023-07-29xml: T5403: fix installation of xml cacheJohn Estabrook
2023-07-29vpp: T1797: change dependency to amd64 builds onlyChristian Breunig
2023-07-27xml: T5403: add support for supplemental xml cacheJohn Estabrook
2023-07-22Revert "Debian: T4974: add openvpn-dco dependency"Christian Breunig
This reverts commit 9f7b51370732606611253e2e6a16692bf706659b.
2023-07-15Debian: T4974: add openvpn-dco dependencyChristian Breunig
2023-07-12debian: T5003: add power management userspace toolsChristian Breunig
2023-07-12container: T5352: Fix missing dependency for netavarkYouyuan
There is a missing dependency iptables for netavark . Debian marked it as optional but should be a dependency. If not installed, container cannot be created with assigned network. The rolling release is built with package iptables so there is no bug. But if users build iso on their own, container will not work if container network is assigned.
2023-07-09T3355: import startup scripts from vyatta-cfg repo for vyos-routerChristian Breunig
2023-07-08vpp: T1797:: support re-installation of vyos-1x packageChristian Breunig
2023-07-01T1797: Divert sysctl 80-vpp.confViacheslav Hletenko