summaryrefslogtreecommitdiff
path: root/debian
AgeCommit message (Collapse)Author
2024-07-04wireless: T4287: use Debian postinst over preinst when using update-alternativesChristian Breunig
This fixes an error during ISO assembly: update-alternatives: error: no alternatives for regulatory.db dpkg: error processing archive /tmp/apt-dpkg-install-PJplR3/00-vyos-1x_1.5dev0-1880-gecaa44498_amd64.deb (--unpack): new vyos-1x package pre-installation script subprocess returned error exit status 2 (cherry picked from commit a414190447c32be0775a077cde13cef0cf2b8c54)
2024-07-04wireless: T4287: use upstream regulatory database due to kernel signingChristian Breunig
Most likely b/c of our non signed Kernel binary we do not trust the Debian signed wireless regulatory database. Fallback to the upstream database instead. (cherry picked from commit 9263965071289b6e51e22669b6d588a8d8fbcc1f)
2024-05-14T3420: Remove service upnpViacheslav Hletenko
Remove `service upnp` as it never worked as expected, nft rules do not integrated and custom patches do not seem like a suitable solution for now. Security: UPnP has been historically associated with security risks due to its automatic and potentially unauthenticated nature. UPnP devices might be vulnerable to unauthorized access or exploitation. (cherry picked from commit 7c438caa2c21101cbefc2eec21935ab55af19c46)
2024-05-06T6307: Add dependency procps to build vyos-1xViacheslav Hletenko
(cherry picked from commit 8041201fccffa96ca05ecd764b6d4b9d103b4c1a)
2024-04-09T6199: add missing build dependencyChristian Breunig
(cherry picked from commit 8e2330fed6480886cbce97cc1b541e54c5394564)
2024-04-06Debian: T6199: add pylint do list of build dependenciesChristian Breunig
(cherry picked from commit 71786307eed6a0ebb42755f24c19dfd46b1b9696)
2024-04-03T6199: drop unused sphinx documentation folderChristian Breunig
(cherry picked from commit 86b632874288aa5707a94a4f28ca816e543823b9)
2024-04-02ssh: T6192: allow binding to multiple VRF instancesChristian Breunig
Currently VyOS only supports binding a service to one individual VRF. It might become handy to have the services (initially it will be VRF, NTP and SNMP) be bound to multiple VRFs. Changed VRF from leafNode to multi leafNode with defaultValue: default - which is the name of the default VRF. (cherry picked from commit e5af1f0905991103b12302892e6f0070bbb7b770)
2024-01-19Debian: T2267: extend version tag from GIT repoChristian Breunig
This extends commit 2c3e4696b3e22 ("T2267: Versioning: Update version tag from GIT repo") to also include release tags. (cherry picked from commit 04aa70e3f75169fc592b20acfa6e0b2f37d90a6c)
2024-01-08https: T5886: migrate https certbot to new "pki certificate" CLI treeChristian Breunig
(cherry picked from commit 9ab6665c80c30bf446d94620fc9d85b052d48072)
2024-01-08pki: T5886: add support for ACME protocol (LetsEncrypt)Christian Breunig
The "idea" of this PR is to add new CLI nodes under the pki subsystem to activate ACME for any given certificate. vyos@vyos# set pki certificate NAME acme Possible completions: + domain-name Domain Name email Email address to associate with certificate listen-address Local IPv4 addresses to listen on rsa-key-size Size of the RSA key (default: 2048) url Remote URL (default: https://acme-v02.api.letsencrypt.org/directory) Users choose if the CLI based custom certificates are used set pki certificate EXAMPLE acme certificate <base64> or if it should be generated via ACME. The ACME server URL defaults to LetsEncrypt but can be changed to their staging API for testing to not get blacklisted. set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory Certificate retrieval has a certbot --dry-run stage in verify() to see if it can be generated. After successful generation, the certificate is stored in under /config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set interfaces ethernet eth0 eapol certificate EXAMPLE) we call vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the base64 encoded certificate into the JSON data structure normally used when using a certificate set by the CLI. Using this "design" does not need any change to any other code referencing the PKI system, as the base64 encoded certificate is already there. certbot renewal will call the PKI python script to trigger dependency updates. (cherry picked from commit b8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a) # Conflicts: # debian/control
2023-12-29tacacs: T141: Wrap string in double quotes to allow expansionIndrajit Raychaudhuri
(cherry picked from commit a95ee3fd38f3c1d54ea359088d0eb1a4d4582b6b)
2023-12-16image: T4516: use copy of pw_reset script for install, link for compatJohn Estabrook
Note that this was updated for the fix in T5739. (cherry picked from commit 424c9b19fd54598081e965c3364b082c5ef984de)
2023-12-14T5826: ensure dmidecode is installed as a dependency of vyos-1xMathew McBride
dmicode is used in the "show hardware dmi" and to derive synthetic MAC addresses (see python/vyos/ifconfig/interface.py). On non-x86 platforms like arm64 it may not be pulled in explictly by other packages (like libparted2) so add it as an explicit dependency. (cherry picked from commit 46c929a99b7d507451d8385b315ae7ef9e7cbed5)
2023-12-08login: T4943: use pam-auth-update to enable/disable Google authenticatorChristian Breunig
The initial version always enabled Google authenticator (2FA/MFA) support by hardcoding the PAM module for sshd and login. This change only enables the PAM module on demand if any use has 2FA/MFA configured. Enabling the module is done system wide via pam-auth-update by using a predefined template. Can be tested using: set system login user vyos authentication plaintext-password vyos set system login user vyos authentication otp key 'QY735IG5HDHBFHS5W7Y2A4EM274SMT3O' See https://docs.vyos.io/en/latest/configuration/system/login.html for additional details. (cherry picked from commit e134dc4171b051d0f98c7151ef32a347bc4f87e2)
2023-12-07T160: Fix Debian control conflictsViacheslav Hletenko
2023-12-07nat64: T160: Implement Jool-based NAT64 translatorJoe Groocock
Signed-off-by: Joe Groocock <me@frebib.net> (cherry picked from commit 7d49f7079f1129c2fadc7f38ceb230804d89e177) # Conflicts: # debian/control
2023-12-02mdns: T5793: Cleanup avahi-daemon configuration in `/etc`Indrajit Raychaudhuri
`/etc/avahi` technically can be deleted since we operate with avahi-daemon configuration in `/run/avahi-daemon`. But we still need to keep `/etc/avahi/services` because avahi-daemon `chroot` to that location at startup. This is setup at build time via `AVAHI_CONFIG_DIR` and there is no way to change it at runtime. (cherry picked from commit 2b57ca6c3f9ff98cd6d4dd2a101a8b72ed2d94f4)
2023-12-01mdns: T5793: Cleanup avahi-daemon configuration in `/etc`Indrajit Raychaudhuri
`/etc/avahi` can be deleted since we operate with avahi-daemon configuration in `/run/avahi-daemon`. (cherry picked from commit 33c96654f485a13fe3475bb89dec3ad26107058e)
2023-11-30ddclient: T5708: Migration to 3.11.1 and related improvementsIndrajit Raychaudhuri
- Migrate to ddclient 3.11.1 and enforce debian/control dependency - Add dual stack support for additional protocols - Restrict usage of `porkbun` protocol, VyOS configuration structure isn't compatible with porkbun yet - Improve and cleanup error messages
2023-11-20TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+zsdc
In CLI we can choose authentication logic: - `mandatory` - if TACACS+ answered with `REJECT`, authentication must be stopped and access denied immediately. - `optional` (default) - if TACACS+ answers with `REJECT`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if TACACS+ clearly answered that access should be denied (no user in TACACS+ database, wrong password, etc.). If TACACS+ is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-11-20RADIUS: T5577: Added `mandatory` and `optional` modes for RADIUSzsdc
In CLI we can choose authentication logic: - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and access denied immediately. - `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-11-20groups: T5577: Added `radius` and `tacacs` groupszsdc
We need separated groups for RADIUS and TACACS+ system users because they need to be used in PAM rules independently.
2023-11-19T2405: add Git support to commit-archiveYun Zheng Hu
(cherry picked from commit a89243cfbfc90854a8cddd53c0ffc987f75abcee)
2023-11-09T1797: Remove vpp packages and mentionsViacheslav Hletenko
2023-11-09T1797: Delete VPP from vyos-1x as it is implemented in addonViacheslav Hletenko
(cherry picked from commit 59c8d5febb2b1333643372f8956fa8f219d022cb)
2023-11-07T5706: Add custom systemd udev rules to exclude dynamic interfacesViacheslav Hletenko
Add custom systemd udev rules to exclude some regular and dynamic interfaces from "systemd-sysctl" calls. It fixes high CPU utilization (100%) as we have a lot of calls per interface for dynamic interfaces like ppp|ipoe|sstp etc. /lib/systemd/systemd-udevd should not be called for those interfaces (cherry picked from commit ca9cc86233520eb495c17602bf7a110094c1d8e7)
2023-09-13frr: T5239: T2061: prevent writing logs to /var/log/frr/frr.logChristian Breunig
(cherry picked from commit d4b9b2aa5f5dda6a11b7038ab0ab52653531183d)
2023-08-29Debian: T5521: remove unused tacacs UNIX groupChristian Breunig
2023-08-29Debian: T5521: use bash over dash for postinstall scriptChristian Breunig
2023-08-28Debian: T5521: use --no-create-home for TACACS usersChristian Breunig
2023-08-28Debian: T5521: place AAA users in users group (besides aaa group)Christian Breunig
2023-08-28Debian: T5521: both RADIUS and TACACS users belong to aaa group, add group firstChristian Breunig
2023-08-16netplug: T5476: rewrite dhclient helper from Perl -> PythonChristian Breunig
There are two hooks called for bridge, ethernet and bond interfaces if the link-state changes up -> down or down -> up. The helpers are: * /etc/netplug/linkdown.d/dhclient * /etc/netplug/linkup.d/dhclient As those helpers use Linux actions to start/restart the dhclient process in Perl it's time to rewrite it. First goal is to get rid of all Perl code and the second is that we now have a Proper Python library. Instead of checking if the process is running the then restarting it without even systemd noticing (yeah we might get two processes beeing alive) we should: * Add a Python helper that can be used for both up and down (see man 8 netplugd FILES section) * Query the VyOS CLI config if the interface in question has DHCP(v6) configured and is not disabled * Add IPv6 DHCPv6 support MAN page: https://linux.die.net/man/8/netplugd
2023-08-10T5434: drop unneeded cache generation from old libJohn Estabrook
2023-08-09T5448: Add service zabbix-agent version 2Viacheslav Hletenko
Add service zabbix-agent set service zabbix-agent directory '/config/zabbix/' set service zabbix-agent limits buffer-flush-interval '8' set service zabbix-agent limits buffer-size '120' set service zabbix-agent log debug-level 'warning' set service zabbix-agent log size '1' set service zabbix-agent server '192.0.2.5' set service zabbix-agent server-active 192.0.2.5 port '10051' set service zabbix-agent server-active 2001:db8::123
2023-08-04T5436: Add missing preconfig-scriptApachez
2023-08-01xml: T5403: drop unnecessary copy of xml_cacheJohn Estabrook
2023-07-29xml: T5403: fix installation of xml cacheJohn Estabrook
2023-07-29vpp: T1797: change dependency to amd64 builds onlyChristian Breunig
2023-07-27xml: T5403: add support for supplemental xml cacheJohn Estabrook
2023-07-22Revert "Debian: T4974: add openvpn-dco dependency"Christian Breunig
This reverts commit 9f7b51370732606611253e2e6a16692bf706659b.
2023-07-15Debian: T4974: add openvpn-dco dependencyChristian Breunig
2023-07-12debian: T5003: add power management userspace toolsChristian Breunig
2023-07-12container: T5352: Fix missing dependency for netavarkYouyuan
There is a missing dependency iptables for netavark . Debian marked it as optional but should be a dependency. If not installed, container cannot be created with assigned network. The rolling release is built with package iptables so there is no bug. But if users build iso on their own, container will not work if container network is assigned.
2023-07-09T3355: import startup scripts from vyatta-cfg repo for vyos-routerChristian Breunig
2023-07-08vpp: T1797:: support re-installation of vyos-1x packageChristian Breunig
2023-07-01T1797: Divert sysctl 80-vpp.confViacheslav Hletenko
2023-06-29vpp: T1797: disable CLI in rolling releasesChristian Breunig
2023-06-29Merge pull request #2059 from sever-sever/T1797-vppChristian Breunig
T1797: Add initial vpp configuration