path: root/src/conf_mode
Age | Commit message | Author
2023-07-07 | Merge pull request #2042 from sever-sever/T775 | Viacheslav Hletenko
T775: Add service config-sync between 2 routers
2023-07-06 | Merge pull request #2074 from zdc/T1797-sagitta | Christian Breunig
VPP: T1797: Optimizations for VPP memory allocation during startup
2023-07-06 | VPP: T1797: Optimized memory allocation during startup | zsdc
- changed memory requirement from total to available. This allows to start on systems with less total memory and protects from startup on systems with overloaded memory.
- prevent startup if sysctl settings were not applied. This protects from situations when the system cannot allocate enough hugepages or apply other sysctl settings.
2023-07-05 | T5340: snmp: add checks while configuring snmp listen-address with and without vrf | Nicolas Fort
2023-07-03 | ospf: T5334: add support for external route summarisation Type-5 and Type-7 LSAs | Christian Breunig
* set protocols ospf aggregation timer <seconds>
* set protocols ospf summary-address x.x.x.x/x [tag 1-4294967295]
* set protocols ospf summary-address x.x.x.x/x no-advertise
2023-07-03 | VPP: T1797: Added interfaces reinitialization | zsdc
After an interface is added/removed from VPP, it will be reinitialized, which allows reconfiguring IP addresses on it. Also modified VPP load priority to start before interfaces, and avoid reconfiguration during boot.
2023-07-01 | Merge pull request #2064 from sever-sever/T1797 | Christian Breunig
T1797: VPP verify minimal installed memory and apply sysctl
2023-07-01 | T1797: VPP verify minimal installed memory and apply sysctl | Viacheslav Hletenko
Do not allow configuring VPP on systems with a low amount of installed memory.
Add sysctl VPP parameters (hugepages, kernel.shmmax)
2023-06-30 | bcast-relay: T5313: capitalize UDP protocol name | Christian Breunig
2023-06-30 | T775: Add service config-sync between 2 routers | Viacheslav Hletenko
Service config-sync allows synchronizing a section of the configuration.
As PoC allow only nat, nat66 and firewall sections.
Retrieve the configuration for a section from self node and send this configuration to the section of the 'secondary' node.
This feature adds a symlink from helper 'vyos_config_sync.py' to '/config/scripts/commit/post-hooks.d' and config that is located in '/run/config_sync_conf.conf'.
It will synchronize the config only if the section was changed.

    set service config-sync secondary address 192.0.2.11
    set service config-sync secondary key xxx
    set service config-sync section nat
    set service config-sync section nat66
    set service config-sync section firewall
    set service config-sync mode load
2023-06-29 | Merge pull request #2059 from sever-sever/T1797-vpp | Christian Breunig
T1797: Add initial vpp configuration
2023-06-29 | VPP: T1797: Optimized interfaces add/remove | zsdc
- added extra renaming operation to be sure that interface has the same name as before in the system after it was moved from VPP to kernel
- added extra check after PCI device removal/adding
- added check for proper `retval` for CPI calls where it is available
- replaced empty return with an error in `_get_pci_address_by_interface()` because not resolved address will lead to inconsistency of the system later
2023-06-28 | VPP: T1797: Improved VPP support | zsdc
- added ability to add/remove interfaces without system reboot
- added `attempts` and `interval` to the VPP API connection. This is helpful in case of high system load or when VPP was just started and API is not yet available.
- added exceptions to API calls. This allows handling errors in communication with API properly in conf-mode scripts.
- fixed PCI address search in VPP to match Linux kernel and ethtool style
- fixed systemd daemons control - first reload, then restart
- removed debug prints
- removed `vm.nr_hugepages` configuration. It is not required now but increases RAM requirements a lot.
2023-06-27 | VPP: T1797: Improved PCI address search | zsdc
Use info from both ethtool and VPP to find PCI address for an interface.
2023-06-27 | Merge pull request #2051 from sever-sever/T5304 | Christian Breunig
T5304: Container add volume bind propagation option
2023-06-27 | VPP: T1797: Replaced CLI with API | zsdc
Replaced CLI commands with API calls. CLI commands still can be used via:
```
vpp_control = VPPControl()
vpp_control.cli_cmd('command_here')
```
2023-06-27 | T5304: Container add volume bind propagation option | Viacheslav Hletenko

    set container name c1 volume myvlm propagation rshared
2023-06-27 | T1797: Add initial vpp configuration | Viacheslav Hletenko
Add initial configuration mode for VPP (PoC)

    set vpp cpu corelist-workers '2'
    set vpp cpu main-core '1'
    set vpp interface eth1 num-rx-desc '256'
    set vpp interface eth1 num-rx-queues '512'
    set vpp interface eth1 num-tx-desc '256'
    set vpp interface eth1 num-tx-queues '512'
    set vpp interface eth1 pci '0000:02:00.0'
    set vpp interface eth1 rx-mode 'polling'
    set vpp interface eth2 pci '0000:08:00.0'

Limitation:
- 'set vpp interface ethX pci auto' works only per first commit, then interface detached from default stack and creates tun interface 'ethX' to communicate with default stack. In this case we can't get PCI address via ethtool for 'tun' interfaces. But we can set pci address manually.
- Interface sync between default stack and VPP-DPDK stack.
  After vpp change it doesn't trigger iproute2 for changes (should be written later).
  I.e. if we change something in vpp per each commit it restarts vpp.service, it gets empty interface config as we don't configure vpp directly and it should be configured via iproute2.
  But then if we do any change on interface (for example description) it gets IP address, MTU, state, etc.
2023-06-25 | bcast-relay: T5313: verify() relay interfaces have IPv4 address configured | Christian Breunig
2023-06-24 | tacacs: T141: check upper bound on dynamically allocated user accounts | John Estabrook
Check upper bound as defined in Debian Policy Manual. Without this check, user 'nobody' will not be available.
2023-06-22 | tacacs: T141: initial implementation | Christian Breunig
2023-06-21 | tacacs: T141: support calling system-login.py from vyos-router startup script | Christian Breunig
2023-06-12 | T5286: drop XDP support for ethernet and bonding interfaces | Christian Breunig
... this is a step towards a new and better implementation that will utilize VPP.
2023-06-09 | dns: T5144: Force systemd daemon-reload on ddclient config change | Indrajit Raychaudhuri
2023-06-06 | dns: T5144: Handle partial conf mode CLI gracefully | Indrajit Raychaudhuri
Prevent failure when the user enters a partial CLI command without any address specified. Also, apply some minor formatting changes.
2023-06-06 | Merge pull request #2027 from cuongdt1994/patch-1 | Daniil Baturin
T5260: Do not use deprecated python crypt module
2023-06-06 | T5260: Do not use deprecated python crypt module | cuongdt1994
Remove the quotes, this will always return the hash for string "password".
2023-06-06 | Don't use deprecated crypt module. | cuongdt1994
2023-06-04 | dns: T5144: Streamline ddclient systemd service override | Indrajit Raychaudhuri
Templatize systemd override for ddclient service and move the generated override files in /run. This ensures that the override files are always generated afresh after boot. Additionally, simplify the systemd override file by removing the redundant/superfluous overrides.
2023-06-04 | dns: T5144: Add pid and cache config as ddclient global | Indrajit Raychaudhuri
2023-06-04 | dns: T5144: Relocate ddclient template path for consistency with config path | Indrajit Raychaudhuri
2023-06-04 | dns: T5144: Restrict dualstack for dyndns2 protocol to dyn.com | Indrajit Raychaudhuri
ddclient implementation of dualstack for dyndns2 protocol is targeted for dyn.com (dyndns.org) only. Dualstack won't work for other servers supporting dyndns2 protocol (for example, dyn.dns.he.net).
2023-06-03 | dns: T5144: Modernize dynamic dns operation | Indrajit Raychaudhuri
Apply next round of configuration tree updates to 'service dns dynamic' with the following changes:
- Migrate `service dns dynamic interface <interface> [use-web]` to `service dns dynamic address <interface>` or `service dns dynamic address web [web-options]`.
  This communicates the intent that dynamic dns IP address is detected in only one way - using the `<interface>` or using an external web request, not both.
- When using external web request, (`service dns dynamic address web`), external url is optional (`web-options url`). Ddclient defaults are used when unspecified.
- Rename all config `login` to `username` for consistency and also to align better with alternative ddclient backends in consideration.
- Apply global 'ipv6-enable' to per service 'ip-version: ipv6'. Selecting usage of IPv4 or IPv6 (or both simultaneously) is now at per service (protocol) level instead of global level. This allows more control on the ability to select IPv4 in some cases and IPv6 in some other cases wherever supported by the underlying ddclient protocol.
- While the IP address (and by extension, the detection mechanism) is global, the way it is applied to a particular ddclient protocol depends on whether it supports IPv4 or IPv6 or both.
- Related to the above, this also prevents generating incorrect config file (`ddclient.conf`) with multiple global sections leading to an unpredictable behavior of ddclient.
- Implement provider (protocol) specific custom tweaks whenever possible (e.g., `zone`, `username`, `server` are not necessary in all cases).
- Move service name from a combination of 'protocol' (with protocol config autodetected) and custom (with protocol config specified) to a single 'service' key. This allows for consistent setup of multiple config for the same ddclient protocol (with different options and credentials). This also avoids ambiguity with usual networking term 'protocol' and ddclient specific term 'protocol' (and can change with a move to a different backend).
- Apply upfront XML constraints and validations consistently wherever applicable.
- RFC2136 specific change: Rename rfc2136 config `record` to `host-name` for consistency.
- Cloudflare specific change: While ddclient still supports authenticating with email and global auth key, skipping `username` in config will indicate the intent to use API token authentication (with special 'token' literal as `username`).
2023-06-03 | T5257: add verify_vrf() check for flow-accounting | Christian Breunig
2023-06-03 | T5257: import cleanup for flow-accounting | Christian Breunig
2023-06-03 | T5257: Fix netflow VRF and bracketize v6 source addresses for netflow/sflow | Wered
2023-05-31 | Merge pull request #2021 from blank0608/T5210 | Christian Breunig
T5210:VPN:Fix typo in Warning
2023-05-31 | T5210: VPN: Fix typo in Warning | John Landicho
2023-05-29 | netns: T3829: remove debug print() statement | Christian Breunig
2023-05-28 | router-advert: T5240: verify() that no more than 3 IPv6 name-servers configured | Christian Breunig
This is a radvd limitation.
2023-05-26 | bridge: T4579: fix error message for bridge and bond membership | Christian Breunig
2023-05-19 | T5222: reverse-proxy add send-proxy option for backend server | Viacheslav Hletenko
To accept a Proxy Protocol header on incoming TCP connections, add an accept-proxy parameter to the bind line in a frontend section. This parameter detects both Proxy Protocol version 1 (text format) and Proxy Protocol version 2 (binary format).

    set load-balancing reverse-proxy backend <tag> server <tag> send-proxy
2023-05-19 | T5222: Refactoring load-balancing reverse-proxy | Viacheslav Hletenko
Improve and refactoring "load-balancing reverse-proxy"
- replace 'reverse-proxy server <tag>' => 'reverse-proxy service <tag>'
- replace 'reverse-proxy global-parameters tls <xxx>' => 'reverse-proxy global-parameters tls-version-min xxx' => 'reverse-proxy global-parameters ssl-bind-ciphers xxx'
- replace 'reverse-proxy service https rule <tag> set server 'xxx' => 'reverse-proxy service https rule <tag> set backend 'xxx'
  'service https rule <tag> domain-name xxx' set as multinode
2023-05-17 | Merge pull request #2004 from sever-sever/T5222 | Christian Breunig
T5222: Add load-balancing for web traffic
2023-05-17 | T5222: Add load-balancing for web traffic | Viacheslav Hletenko
2023-05-14 | T5224: Stop syslog.socket alongside syslog.service | Joe Groocock
Avoids the following warning, and any external service from re-activating syslog via systemd socket activation:

    frebib@vyos# commit
    [ system syslog ]
    DEBUG/COMMAND returned (err):
    Warning: Stopping syslog.service, but it can still be activated by:
      syslog.socket
    DEBUG/COMMAND cmd 'systemctl stop syslog.service'

Signed-off-by: Joe Groocock <me@frebib.net>
2023-05-14 | T5224: Fix `del system syslog` | Joe Groocock
os.unlink() is the correct function:

    Traceback (most recent call last):
      File "/usr/libexec/vyos/conf_mode/system-syslog.py", line 146, in <module>
        generate(c)
      File "/usr/libexec/vyos/conf_mode/system-syslog.py", line 114, in generate
        os.path.unlink(rsyslog_conf)
        ^^^^^^^^^^^^^^
    AttributeError: module 'posixpath' has no attribute 'unlink'

Signed-off-by: Joe Groocock <me@frebib.net>
2023-05-12 | ethernet: T3891: add conditional code-path when doing speed/duplex changes | Christian Breunig
There is no need for the backend code to call ethtool and try to change speed or duplex settings every time there is a change in the interface configuration, but no change for the speed/duplex subnodes. This also makes the commit itself faster when working with ethernet interfaces. Bonus: no repeating CLI messages that the driver does not support speed/duplex changes, as we do not change anything here. Extension to commit f2ecc9710 ("ethernet: T3891: honor auto-negotiation support per NIC")
2023-05-12 | ocserv: T3896: improve XML definition and add warning about 3rd party configs | Christian Breunig
When enabling identity-based-config, users can add arbitrary config keys that are processed by ocserv. The user "must know" what he is doing, as an invalid config option will make the ocserv daemon go ... whoop! Thus add a warning and inform the user about this setting.
2023-05-12 | Merge pull request #1783 from PeppyH/T3896-ocserv-config-per-x | Christian Breunig
ocserv: T3896: add CLI options to configure ocserv config-per-user/group