| Age | Commit message | Author |
|
to ensure that the JSON cache is usable for command lookup
|
|
T7561: simplify op-mode-definitions XML cache generation
|
|
pki: T7574: add optional force argument to renew certbot-issued certificates
|
|
Certbot renewal command in op-mode "renew certbot" only works if any of the
certificates is up for renewal. There is no CLI option to forcefully renew a
certificate. This is about adding a force option to the CLI and with this
addition move the entire certbot renew handling to new-style op-mode commands.
```
vyos@vyos:~$ renew certbot force
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /config/auth/letsencrypt/renewal/vyos.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for vyos.io
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
/config/auth/letsencrypt/live/vyos/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hook 'post-hook' ran with output:
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
```
|
|
The original implementation of the op-mode XML cache generation resulted
in a structure that was difficult to use, for example, in documentation
generation. The source of complication is that, unlike the XML of
interface-definitions, path names are not unique: the same path may
occur as both a regular node and as a tag node. Here we simplify the
underlying structure by enriching path names with type information, thus
disambiguating paths. An interface to the cache is provided by explicit
generator and lookup functions.
|
|
T7554: fix wireguard fwmark parsing
|
|
firewall: T6951: Add a configuration command for ethertypes that bridge firewalls should always accept
|
|
T7488: add utility for automatic rollback of section on apply stage error
|
|
T7432: RPKI VRF Support
|
|
http-api: T3955: add commit-confirm to endpoints /configure /config-file
|
|
T6013: Add support for AuthorizedPrincipalsFile to trusted_user_ca_key
|
|
config-mgmt: T7500: fix typo preventing commit-confirm hard rollback
|
|
http-api: T7498: allow passing config string in body of 'load' or 'merge' request
|
|
The current implementation for SSH CA based authentication uses "set service
ssh trusted-user-ca-key ca-certificate <foo>" to define an X.509 certificate
from "set pki ca <foo> ..." - fun fact, native OpenSSH does not support X.509
certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys.
This commit changes the behavior to support native certificates generated using
ssh-keygen and loaded to our PKI tree. As the previous implementation
did not work at all, no migration script is used.
|
|
flowtable: T7350: Prevent interface deletion if referenced on flowtable
|
|
Bridge: T7430: Add BPDU Guard and Root Guard support
|
|
We maintain compatibility with the legacy commit lock file until all
other references are resolved; this requires a POSIX-type lock instead
of the BSD-type lock of vyos.utils.locking.
|
|
In the absence of Cstore, the env var remains as the sole indication of
config mode for the legacy CLI, and its emulation here.
|
|
The environment variable _OFR_CONFIGURE is used by bash completion to
set up the config mode environment. We check this setting to coordinate
vyconf config mode and CLI config mode, independent of the legacy
backend Cstore check.
|
|
|
ipoe_server: T6997: Do not require to create client ip pool when dhcp-relay is used
|
|
T7348: Add config CPU thread-count for accel-ppp services
|
|
wireguard: T7387: Optimise wireguard peer handling
|
|
If we use several ports for `conntrack ignore`, curly braces
have to be used for nftables.
Incorrect format: dport 500,4500
Correct format: dport { 500, 4500 }
|
|
Accel-ppp services should not use all CPU cores to process requests.
At the moment accel-ppp services use all available CPU cores
to process requests from the subscribers (establish/update session/etc).
During mass connection of sessions, this can lead to the fact that it
utilizes all CPU, and for other services like FRR, there is not enough
CPU time to process their own stable work.
services:
- L2TP
- SSTP
- PPPoE
- IPoE
- PPtP
Make this option configurable and use all cores if not set:
```
set service pppoe-server thread-count < all | half | x >
```
The defaultValue is `all`
|