| Age | Commit message (Collapse) | Author |
|
Replace two-word "can not" / "Can not" with "cannot" across comments,
ConfigError messages, CLI help text, and op-mode output.
Standard SNMP MIB files under mibs/ are left unchanged.
|
|
Fix typos and mistakes
No functional changes
|
|
|
|
Switch to our custom implementation to avoid NSS/TACACS timeouts as explained
in commit 4c9eaaa96e06 ("login: replace getpwall() user enumeration to avoid
NSS/TACACS timeouts").
|
|
Follow VyOS CLI best practices for using singular whenever possible to build a
CLI node. As we introduce a new migration 2 -> 3 for SSH we can correct this
minor detail.
|
|
While working on task T7664 (FRR 10.4 upgrade), I identified the need for
additional validation and safeguards around the FRR management daemon. The
most appropriate place for this logic is in the setUp() and tearDown() methods
of the smoketest base class, VyOSUnitTestSHIM.
However, during implementation, it became apparent that test cases do not
consistently invoke the base class's setup and teardown methods. This
inconsistency complicates the process of capturing the FRR mgmtd PID at the
start of a test and verifying that it remains unchanged by the end - a key step
in detecting crashes or unexpected terminations (e.g., SIGSEGV) of the FRR
management daemon during tests.
|
|
When smoketest debugging is enabled (by creating the file
/tmp/vyos.smoketest.debug), all available smoketests will fail fast instead
of running to completion. This helps reduce test time when something is
broken or undergoing refactoring, as it avoids waiting for the full test suite
to finish.
|
|
The legal team says years are not necessary so we can go ahead with it, since
it will simplify backporting.
Automatically removed using: git ls-files | grep -v libvyosconfig | xargs sed -i -E \
's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors <maintainers@vyos.io>/g'
In addition we will error-out during "make" if someone re-adds a legacy
copyright notice
|
|
The current implementation for SSH CA based authentication uses "set service
ssh trusted-user-ca-key ca-certificate <foo>" to define an X.509 certificate
from "set pki ca <foo> ..." - fun fact, native OpenSSH does not support X.509
certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys.
This commit changes the bahavior to support antive certificates generated using
ssh-keygen and loaded to our PKI tree. As the previous implementation
did not work at all, no migrations cript is used.
|
|
Thisc omplements commit e7cab89f9f81 ("T6013: Add support for configuring
TrustedUserCAKeys in SSH service with local and remote CA keys"). It introduces
a new CLI node per user to support defining the authorized principals used by
any given PKI certificate. It is now possible to associate SSH login users with
their respective principals.
Authored-by: Takeru Hayasaka <hayatake396@gmail.com>
|
|
local and remote CA keys
|
|
|
|
Use vyos.xml_ref.default_value to query XML default values and take them into
account when validating properly applied defaults in individual smoketests
instead of using hardcoded values like 443 for https port.
|
|
Currently VyOS only supports binding a service to one individual VRF. It might
become handy to have the services (initially it will be VRF, NTP and SNMP) be
bound to multiple VRFs.
Changed VRF from leafNode to multi leafNode with defaultValue: default - which
is the name of the default VRF.
|
|
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process
* T5195: use read_file and write_file implementation from vyos.utils.file
Changed code automatically using:
find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} +
find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} +
* T5195: move chmod* helpers to vyos.utils.permission
* T5195: use colon_separated_to_dict from vyos.utils.dict
* T5195: move is_systemd_service_* to vyos.utils.process
* T5195: fix boot issues with missing imports
* T5195: move dict_search_* helpers to vyos.utils.dict
* T5195: move network helpers to vyos.utils.network
* T5195: move commit_* helpers to vyos.utils.commit
* T5195: move user I/O helpers to vyos.utils.io
|
|
|
|
|
|
|
|
Sshguard protects hosts from brute-force attacks
Can inspect logs and block "bad" addresses by threshold
Auto-generate rules for nftables
When service stopped all generated rules are deleted
nft "type filter hook input priority filter - 10"
set service ssh dynamic-protection
set service ssh dynamic-protection block-time 120
set service ssh dynamic-protection detect-time 1800
set service ssh dynamic-protection threshold 30
set service ssh dynamic-protection whitelist-address 192.0.2.1
|
|
|
|
|
|
In order to test for proper system authentication and security setup a new
testcase is added which performs an SSH login and command execution with a
predefined user. The result (output of uname -a) must match the output if the
command is run natively.
We also try to login as an invalid user - this is not allowed to work.
|
|
|
|
... minor change to speed-up test time
|
|
Currently every smoketest does the setup and destruction of the configsession
on its own durin setUp(). This creates a lot of overhead and one configsession
should be re-used during execution of every smoketest script.
In addiion a test that failed will leaf the system in an unconsistent state.
For this reason before the test is executed we will save the running config
to /tmp and the will re-load the config after the test has passed, always
ensuring a clean environment for the next test.
|
|
|
|
|
|
|
|
|
|
This is for better readability during testruns
|
|
|
|
Bind sshd to given VRF and check if it really runs in the VRF context.
|
|
|
|
|
|
|
|
vyos-smoketest-integration (T2832)
* 'master' of github.com:vyos/vyos-smoketest: (153 commits)
pppoe-server: test some more values
lcd: adjust to cli changes
lcd: adapt test to new CLI design
pppoe-server: initial smoketest with local and radius auth
pppoe: validate dhcpv6 client will be started
wireless: validate hostapd/wpa_supplicant is running
pppoe: sync to new dhcpv6-pd cli
anyconnect: T2812: add basic testing
ethernet: check interface disable state
router-advert: check 'infinity' option in script logic
ssh: config file is now volatile (moved to /run)
ipv6: link-local: test address assignment on interfaces
router-advert: add initial test
mdns-repeater: add basic test
pseudo-ethernet: extend smoketests with VIFs
l2tpv3: add initial interface test
wireless: use library function for loading kernel modules
ethernet: test "ip" subtree of interface for e.g. ARP settings
pppoe: use assertEqual()
service: bcast-relay: add initial tests
...
|