| Age | Commit message (Collapse) | Author |
|
ApiClientConfig.verify_tls defaulted to False and ApiClient unconditionally
silenced urllib3's InsecureRequestWarning, so TLS peer verification was off by
default. The sole consumer, src/op_mode/config_sync.py, builds the client
without passing verify_tls and therefore connected to a *remote* secondary VyOS
node over HTTPS without verifying the certificate -- a MITM exposure on the
channel that carries the API key and the full configuration.
- ApiClientConfig.verify_tls now defaults to True and accepts Union[bool, str];
a string is forwarded to requests as a CA bundle path (verify=<path>).
- InsecureRequestWarning is suppressed only when verification is explicitly
disabled (verify_tls is False), not when a CA path or True is set.
- config_sync reads an optional verify_tls from the secondary runtime settings,
defaulting to False to preserve current behaviour for self-signed secondaries.
The insecurity is now explicit at the call site instead of hidden in the
library default. A first-class CLI knob (set service config-sync secondary
verify-tls / ca-certificate, with XML + migration) is the follow-up.
🤖 Generated by [robots](https://vyos.io)
|
|
Prevent access to missing dictionary key by probing for availability. On removal
of inbound-interface or outbound-interface name CLI node, there was a guard
missing when accessing the CLI dictionary containing the config data.
|
|
T8454: fix VRF-bind port availability check in service_https
|
|
For use in nosetests or other, allow passing ReferenceTree from an
internal cache in a non-standard location.
|
|
|
|
|
|
|
|
When service https is configured with a listen-address on a VRF
interface, adding or changing the vrf option causes the commit to
fail with "TCP port 443 is used by another service!" even though
no conflict exists.
Root cause: check_port_availability() performs a socket.bind() in
the default network namespace. When the listen-address belongs to
a VRF interface the address is unreachable from the default
namespace, so the bind fails with OSError which is misinterpreted
as "port in use". The secondary check via is_listen_port_bind_service()
also fails because psutil cannot see sockets bound inside a VRF.
Fix: add an optional vrf parameter to check_port_availability().
When set, the test socket is bound to the VRF master device via
SO_BINDTODEVICE before the bind() call, so that the address is
resolved in the correct L3 domain. This is done in-process (no
subprocess) and works for both IPv4 and IPv6.
service_https verify() now passes the configured VRF (if any) to
check_port_availability(). Non-VRF configurations are unaffected.
Add smoke test for HTTPS with listen-address inside a VRF.
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
geoip: T8590: fix initialization failure and set clobbering on boot and commit
|
|
`mmcli --simple-disconnect` can be called when the modem bearer is not active.
This causes cmd() to raise a `PermissionError` and abort the commit.
Handle the case gracefully so the configuration can be committed before the modem
is physically present or fully connected.
|
|
dhcpv6: T8862: Allow multiple addresses and prefixes for reservations
|
|
(#5186)
The port availability check in `verify()` was using `front_config.get('address')`
which always resolved to `None`, causing the validator to treat any process
holding a given port number as a conflict regardless of which IP it was
bound to.
|
|
Add a check to determine whether the NIC supports hardware
timestamp receive filters required for NTP timestamping.
Implement the query in a new python/vyos/netlink/timestamp.py module
using pyroute2 generic netlink ETHTOOL_MSG_TSINFO_GET,
avoiding ethtool output parsing.
|
|
|
|
Add support for allowing DHCPv6 to assign reservations for multiple
addresses and prefixes to a single client simultaneously.
|
|
Historically, commit_in_progress() used psutil.process_iter() to enumerate every
process on the system and inspect open file descriptors under /proc in order to
determine whether the configuration commit lock was held. That approach scales
linearly with process count and incurs substantial overhead under load.
Replace it with the shared lock-file utilities: attempt to acquire the commit
lock using a non-blocking exclusive lock. If acquisition fails, another holder
retains the lock and a commit is considered in progress; if it succeeds, no
commit was active and the lock acquired for the probe is released immediately.
|
|
* dhcpv6: T8849: Add time-zone support for Kea DHCPv6
Add DHCPv6 option support for time zone (RFC4833 options
41 and 42). This includes both the POSIX-style TZ string
(`new-posix-timezone`) and the IANA time zone name
(`new-tzdb-timezone`).
* dhcpv6: T8849: Refactor per code-review suggestion
* dhcpv6: T8849: Reformat for compliance
|
|
T8831: smoketests: irregular PermissionError caused by systemctl stop
|
|
Failures appear during PPPoEIf.remove() -> flush_addrs() -> set_dhcpv6(False),
where disable uses self._cmd(f'systemctl stop ...'), which raises on any
non-zero exit code of cmd().
PermissionError: [Errno 1] is misleading: cmd() raises OSError(exit_code,
feedback); exit code 1 maps to PermissionError in Python 3, so logs point at
"permissions" while the real signal is systemctl stop returned 1 (job failure,
timeout, restart contention with Restart=always on dhcp6c@.service.
Add a small systemd teardown helper stop_systemd_unit() validating the return
codes from the "systemctl stop" calls.
|
|
According to Kea documentation:
When a data field is a string and that string contains
the comma (`,`; U+002C) character, the comma must be escaped
with two backslashes (`\\,`; U+005C) because both the routine
splitting of CSV data into fields and JSON use the same
escape character. A single escape (`\,`) would make the JSON
invalid.
Accordingly, the pcode generated for time-zone should have
the `,` double escaped. For example, `"GMT0BST,M3.5.0/1,M10.5.0"`
should be rendered as `"GMT0BST\\,M3.5.0/1\\,M10.5.0"`.
See: https://kea.readthedocs.io/en/stable/arm/dhcp4-srv.html#standard-dhcpv4-options
|
|
|
|
A partial path is one that may or may not include intervening tag node
values. For unspecified tag node values, the matching subtree is
returned.
For example ['interfaces', 'ethernet', 'address'] will return the
subtree of the config for which ethernet tag values have defined
address.
|
|
|
|
|
|
Changes:
1. Change option space from 'ubnt' to 'vendor-encapsulated-options-space'.
2. Change option name from 'unifi-controller' to 'ubnt'.
3. Add 'vendor-encapsulated-options' option (in addition to adding unifi
controller IP address under the option name 'ubnt') if unifi-controller
is configured.
|
|
kea: T8586: Skip static mappings without match criteria
|
|
Improve config formatting for valueless leaf nodes with a new helper.
Otherwise the rendered-to-string configuration would become
device ttyS0 {
kernel {
}
}
Whereas this would be the preferred representation:
device ttyS0 {
kernel
}
Co-authored-by: John Estabrook <jestabro@vyos.io>
|
|
|
|
Introduce src/helpers/write-config-file-value.py to patch a saved config.boot
from scripts by writing a quoted CLI path with an optional value (omit --value
to create a valueless node).
Extend vyos.utils.config.write_saved_value() to safely update saved configs:
create missing parent nodes before tagging (ConfigTree.set_tag requires nodes
to exist) and then write the requested value/valueless leaf back to disk.
Remove the legacy serial console activation script which is now replaced by the
helper-based approach. The helper is run once during ISO Image assembly and will
inject the approprate serial console defintiions into config.boot.default.
|
|
vpp: T8460: Use isolated cpus for VPP cpu-cores
|
|
T8534: refactor sysctl_(read|write) to accept key parts
|
|
VPP CPU core assignment now uses kernel-isolated CPUs (from /sys/devices/system/cpu/isolated) with explicit corelist-workers instead of computing offsets from available cores with skip-cores/workers. Added validation that enough CPUs are actually isolated before VPP starts, and that isolate-cpus config only references existing CPU IDs. Moved smoketest for kernel option 'isolate-cpus' to test_vpp.py
|
|
bridge: T8411: Allow disabling MAC learning on bridge member interfaces
|
|
|
|
Interface names can contain dots (e.g. VLAN subinterfaces like eth0.10), which
conflicts with sysctl's dot-separated key syntax.
Change sysctl_read() and sysctl_write() to take key components as a list and
normalize each component by replacing . with / before invoking sysctl. This
fixes sysctl lookups/updates for VLAN subinterfaces.
Extend the SR-TE smoketest to cover a VLAN subinterface.
Previous error raising this issue:
vyos-configd: sysctl: cannot stat /proc/sys/net/ipv6/conf/eth0/10/seg6_enabled: No such file or directory
vyos-configd: sysctl: cannot stat /proc/sys/net/ipv6/conf/eth0/201/seg6_enabled: No such file or directory
|
|
T8445: T8335: Extend config activation system
|
|
vpp: T8505: Switch PPPoE bindings retrieval from CLI parsing to API call
|
|
|
|
This is necessary for images produced from a raw_image build (qcow2),
which no longer make use of the image_installer script.
|
|
Add script to leave hint of first installed boot (as, say, distinguished
from first live boot, or subsequent); this is useful as pre/post
conditions and self-modification of activation scripts.
|
|
This is useful as default value for a getattr of a function from a
module.
|
|
|
|
|
|
Op mode command `show dhcp server leases sort remaining`
should sort leases by remaining time in timedelta form,
not string form.
|
|
serial: T8375: use boot activation script to define a serial console on the CLI
|
|
config-sync: T7784: Add command to diff configuration with secondary node
|
|
Previously, VyOS hardcoded the kernel boot log console to either ttyS0 or
tty0, with no post-install CLI method to change it (manual GRUB edits
were required).
This commit adds a new CLI node:
system console device <name> kernel
When set, the selected serial console is used as the kernel boot console.
When removed, the kernel boot console falls back to tty0.
|
|
Required during first-boot of a system. We have images form amd64 and arm64
CPUs which also tend to have different serial interfaces (ttyS vs. ttyAMA).
The images which are installed have the correct serial setting for GRUB (ttyS0
or ttyAMA0) and the activation script will probe the Kernel command-line. If a
serial interface is defined, we will include it in the VyOS CLI configuration.
|
|
For the sake of nice grep lines and refactoring we have an unspoken - unwritten
rule considered as folklore to have imports one per line. This helped in the
past with refactorings.
|
|
The upload error message echoes the full urlstring, which may include embedded
credentials (e.g., https://user:pass@host/...). With this commit the information
has been redacted.
|