| Age | Commit message (Collapse) | Author |
|
When trying to configure the VPP interface using `set vpp settings interface eth0`
and `commit`, user first see a success. Upon repeating the configuration after
deleting and re-adding it, the commit fails with an error:
- `FileExistsError: Cannot open locked storage: /run/vpp/vpp_conf.json`
This indicates that another process is using the file or a previous operation did not
release the lock, preventing new changes from being written.
The commit adds context manager support and safe close to `JSONStorage`
and refactor VPP config handling.
|
|
The igmpproxy service was started via a SysV init script, causing
systemd-sysv-generator to create a transient unit without restart policies.
When igmpproxy failed on first start, systemd did not retry, leading to
intermittent service availability.
This change replaces the auto‑generated unit with a native systemd service file
that defines proper restart settings.
|
|
|
|
Remove `dpdk-options` under `set vpp settings interface <ethN>`
and move its child options to the interface level:
- `num-rx-desc`
- `num-rx-queues`
- `num-tx-desc`
- `num-tx-queues`
Also remove `set vpp settings interface <ethN> dpdk-options promisc`.
|
|
'resource-allocation'
Replace legacy VPP CPU settings (main-core, skip-cores, workers, corelist-workers) with a single resource-allocation cpu-cores option.
CPU assignment is now handled automatically: two cores are reserved for the system, the VPP main thread is placed on the first available core, and the remaining allocated cores are used as workers.
This simplifies configuration and ensures consistent CPU allocation.
|
|
|
|
|
|
As a needed argument to the internal config_dict function, reify for
caching under vyos-configd or other running process.
|
|
|
|
|
|
vpp: T7811: Add rebind_gve_driver function for correct gve device handling
|
|
|
|
During early boot not all resources are ready for HTTP request, so
`vyos.version.get_remote_version` may fail once and the update check is then
delayed for 12 hours, leaving the router unaware of updates.
Fix by adding retries/backoff and improved error handling so transient startup
network failures don't suppress update checks for the next interval.
|
|
|
|
geoip: T7926: T8049: Refactor geoip code and add MaxMind support
|
|
interfaces: T7730: Add interrupt coalescing settings for Ethernet interfaces
|
|
vpp: T8207: Enable ip6-icmp-ra-punt feature on interfaces with DHCPv6 address configured
|
|
address configured
|
|
Instead of executing the command passed to popen() and waiting for it to
finish before printing its output, add a function argument to disable
buffered mode.
When buffered mode (the default) is turned off, each line emitted by the
process is flushed immediately to the calling TTY.
|
|
vpp: T8202: Remove XDP driver and options from CLI and config
|
|
op-mode: T8154: fix tcpdump KeyboardInterrupt on Ctrl+C
|
|
- Migration script removes 'driver' and 'xdp-options' nodes.
- XDP logic is commented out in config verification and CLI tests, preserving code for future use.
- The rest of XDP-related code remains untouched
|
|
vpp: T8125: Enable ip4-dhcp-client-detect feature if interface address is configured as DHCP
|
|
This adds the capability to make it re-usable in other code paths.
|
|
This change introduces CLI support for configuring network interface
interrupt coalescing parameters via `netlink`.
Note: Not all NIC drivers support interrupt coalescing. On unsupported interfaces,
`netlink` returns an error and the VyOS commit will fail.
|
|
configured as DHCP
DHCP address cannot be assigned on VPP interfaces without enabling the 'ip4-dhcp-client-detect' feature
|
|
|
|
* Move core logic to separate vyos.geoip module
* Use a sqlite database for storing and querying address ranges by country
* Remove downloaded geoip ranges once loaded into sqlite db
* No longer rebuild geoip sets on each commit unless necessary
* Allows for extensibility using other geoip data vendors
|
|
ssh: T7483: Add fido2 PubkeyAuthOptions
|
|
T7101: Add hardware watchdog support via systemd
|
|
|
|
|
|
- Introduced new CLI option 'data-ciphers-fallback' for OpenVPN interfaces
(used as fallback cipher in site-to-site mode)
- Adjust migration 1‑to‑2 to skip migrating 'cipher' for site‑to‑site interfaces
|
|
T8046: traffic-engineering: support link-params
|
|
Add 'traffic-engineering' commands under 'protocols'.
set protocols traffic-engineering admin-group ADMINGROUP bit-position 1
set protocols traffic-engineering interface INTERFACE admin-group ADMINGROUP
set protocols traffic-engineering interface INTERFACE max-bandwidth 1280
set protocols traffic-engineering interface INTERFACE max-reservable-bandwidth 1280
Also add
set protocols isis traffic-engineering export
|
|
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
config: T8124: make get_config_dict() pki={} node purely optional
|
|
bond: T2416: support hot-add/remove of bond member interfaces
|
|
Automatic parsing and integration of the PKI subsystem into the resulting
config dict is now enabled by passing with_pki=True to get_config_dict().
However, when no PKI configuration is present, the resulting dictionary still
includes an empty PKI key. This is undesirable; we should only include keys in
the dictionary when they contain relevant data.
|
|
Previously, adding or removing a bond member interface would force the entire
bond into an admin-down state, removing and re-adding all member interfaces.
This caused unnecessary link up/down events and excessive log noise on partner
devices.
This change refactors the code to allow hot-adding and removal of bond member
interfaces without disrupting existing members, minimizing link state changes
and log entries.
|
|
|
|
|
|
vpp: T8080: Fix handling of configuration system lock after vpp commit failure
|
|
bond: T8084: disallow bond members that do not support MAC changes
|
|
|
|
Building on commit ba60266ab1896 (“ethernet: T8084: prevent MAC changes on
ENA interfaces (AWS EC2)”), add safeguards to prevent interfaces from being used
as bond members if they:
* do not support MAC address changes, or
* appear on a denylist of interfaces invalid for bonding (currently empty)
|
|
Add a safeguard to block MAC address changes when the underlying driver is ENA
(used on AWS EC2), and display a clear error message instead of raising
"OSError: [Errno 95] Operation not supported."
|
|
Add requests reference_tree_exists, get_path_type, get_completion_env.
|
|
Switch to our custom implementation to avoid NSS/TACACS timeouts as explained
in commit 4c9eaaa96e06 ("login: replace getpwall() user enumeration to avoid
NSS/TACACS timeouts").
|
|
The previous implementation of "system login" relied on Python's pwd.getpwall()
to enumerate user accounts. This forces a full walk through the NSS stack,
which is acceptable in general but problematic for our use-case. VyOS only
needs information about locally created accounts and not remote accounts
provided via AAA backends such as TACACS or RADIUS.
When TACACS servers are unreachable, NSS lookups become extremely slow due to
repeated timeouts. As a result, any operation triggering pwd.getpwall()
(including configuration commits) can stall for several minutes.
This change introduces a dedicated helper, get_local_passwd_entries(), which
reads /etc/passwd directly and avoids NSS entirely. Since only local UIDs are
relevant, this provides all required data with no external dependencies.
Performance improvement on VyOS 1.4.3 with two unreachable TACACS servers:
# set system login tacacs server 192.168.1.50 key test123
# set system login tacacs server 192.168.1.51 key test123
# time commit
Before:
real 3m29.825s
user 0m0.329s
sys 0m0.246s
After:
real 0m1.464s
user 0m0.337s
sys 0m0.195s
This significantly improves commit performance and removes sensitivity to AAA
server outages.
|