| Age | Commit message (Collapse) | Author |
|
ethernet: T8142: do not raise ValueError for non-existing interfaces
|
|
|
|
T7635: OpenConnect Certificate Authentication
|
|
T8145: LUKS Encryption Passphrase Observable
|
|
transport mode tunnels
When ESP was configured in transport mode for GRE-based site-to-site tunnels,
the default value `dynamic` was automatically injected into the configuration,
even though prefixes must not be set in transport mode. This led to error
"Local/remote prefix cannot be used with ESP transport mode" and commit failures.
This fix updates configuration logic to skip default prefix assignment
for site-to-site peers using ESP transport mode tunnels.
|
|
Call verify_interface_exists() with state_required=True to ensure the interface
exists physically and is recognized by the kernel, rather than relying on its
presence in the CLI configuration. Unlike bridge or bond interfaces, Ethernet
interfaces are not virtual and must be physically present.
Ethtool() instance can only be created when the physical interface exists,
otherwise a ValueError is raised.
|
|
|
|
|
|
Copy the support for NAT66 destination groups (commit f96733dd and
commit 43554efc) over to NAT66 source groups as well.
Change the existing smoketest for NAT66 groups to also cover a source
group use-case example.
|
|
|
|
config: T8124: make get_config_dict() pki={} node purely optional
|
|
bond: T2416: support hot-add/remove of bond member interfaces
|
|
|
|
Automatic parsing and integration of the PKI subsystem into the resulting
config dict is now enabled by passing with_pki=True to get_config_dict().
However, when no PKI configuration is present, the resulting dictionary still
includes an empty PKI key. This is undesirable; we should only include keys in
the dictionary when they contain relevant data.
|
|
Previously, adding or removing a bond member interface would force the entire
bond into an admin-down state, removing and re-adding all member interfaces.
This caused unnecessary link up/down events and excessive log noise on partner
devices.
This change refactors the code to allow hot-adding and removal of bond member
interfaces without disrupting existing members, minimizing link state changes
and log entries.
|
|
|
|
vpp: T7203: Add op-mode to show bridge-domain
|
|
vpp: T8080: Fix handling of configuration system lock after vpp commit failure
|
|
|
|
|
|
Building on commit ba60266ab1896 (“ethernet: T8084: prevent MAC changes on
ENA interfaces (AWS EC2)”), add safeguards to prevent interfaces from being used
as bond members if they:
* do not support MAC address changes, or
* appear on a denylist of interfaces invalid for bonding (currently empty)
|
|
Add a safeguard to block MAC address changes when the underlying driver is ENA
(used on AWS EC2), and display a clear error message instead of raising
"OSError: [Errno 95] Operation not supported."
|
|
Consolidate repeated helper function calls used for both bonded and non-bonded
Ethernet interfaces, resulting in cleaner and more maintainable code.
|
|
Aggregated / bonded interfaces do only work with ethernet interfaces as
underlaying link. There is no need to "dynamically" detect that eth0, eth1 or
any other interface starting with eth is an ethernet interface.
Remove calls to vyos.ifconfig.Section().
|
|
Inspired by the regex used for "set interfaces ethernet" adjust the regex to
match for interfaces acting as a bond member interface. This has been changed
to also include (in addition to eth) lan, eno, ens prefixed physical interfaces.
|
|
|
|
ssh: T8098: migrate "rijndael-cbc@lysator.liu.se" to "aes256-cbc" cipher
|
|
T7995: Add capability to start VPP dataplane during system deployment
|
|
vpp: T7954: Add op-mode commands to show LACP
|
|
Kernel command-line change detection and automatic system reboot via
kexec during initial deployment
|
|
T8026: Fixed session commit for the generate router
|
|
Switch to our custom implementation to avoid NSS/TACACS timeouts as explained
in commit 4c9eaaa96e06 ("login: replace getpwall() user enumeration to avoid
NSS/TACACS timeouts").
|
|
Switch to our custom implementation to avoid NSS/TACACS timeouts as explained
in commit 4c9eaaa96e06 ("login: replace getpwall() user enumeration to avoid
NSS/TACACS timeouts").
|
|
The previous implementation of "system login" relied on Python's pwd.getpwall()
to enumerate user accounts. This forces a full walk through the NSS stack,
which is acceptable in general but problematic for our use-case. VyOS only
needs information about locally created accounts and not remote accounts
provided via AAA backends such as TACACS or RADIUS.
When TACACS servers are unreachable, NSS lookups become extremely slow due to
repeated timeouts. As a result, any operation triggering pwd.getpwall()
(including configuration commits) can stall for several minutes.
This change introduces a dedicated helper, get_local_passwd_entries(), which
reads /etc/passwd directly and avoids NSS entirely. Since only local UIDs are
relevant, this provides all required data with no external dependencies.
Performance improvement on VyOS 1.4.3 with two unreachable TACACS servers:
# set system login tacacs server 192.168.1.50 key test123
# set system login tacacs server 192.168.1.51 key test123
# time commit
Before:
real 3m29.825s
user 0m0.329s
sys 0m0.246s
After:
real 0m1.464s
user 0m0.337s
sys 0m0.195s
This significantly improves commit performance and removes sensitivity to AAA
server outages.
|
|
|
|
According to [1] rijndael-cbc@lysator.liu.se is an alias for aes256-cbc which
was standardized in RFC4253 (2006).
This changes the migrator implementation to not only delete the old
"rijndael-cbc@lysator.liu.se" cipher from the CLI and set the new, standardized
aes256-cbc SSH cipher.
1: https://github.com/openssh/openssh-portable/commit/03e93c753d7c223063a
|
|
T8103: add root to those allowed to call op-run commands directly
|
|
|
|
|
|
Follow VyOS CLI best practices for using singular whenever possible to build a
CLI node. As we introduce a new migration 2 -> 3 for SSH we can correct this
minor detail.
|
|
According to an Arch Linux forum discussion, the cipher
rijndael-cbc@lysator.liu.se was removed in OpenSSH 6.7.
References:
- https://bbs.archlinux.org/viewtopic.php?id=188613
- https://www.openssh.org/txt/release-6.7
- https://github.com/openssh/openssh-portable/commit/03e93c753d7c223063a
|
|
Add a safety-net for development to check if the rendered sshd(8) configuration
can be applied at all. If it can't be applied - throw an error.
From https://linux.die.net/man/8/sshd:
-t Test mode. Only check the validity of the configuration file and sanity
of the keys. This is useful for updating sshd reliably as configuration
options may change.
Explicitly forcing a broken config now results in:
vyos@vyos# commit
[ service ssh ]
Unexpected error with SSH configuration! /run/sshd/sshd_config line 21:
X11DisplayOffset integer value invalid.
[[service ssh]] failed
Commit failed
|
|
While producing all configtest assert files for VyOS 1.4 it was noted that
the the isis-small testcase from fails. This config fragment is not properly
migrated when updating from VyOS 1.3.0-rc1 -> 1.4 and using IS-IS.
protocols {
isis FOO {
interface eth1 {
bfd
}
net 49.0001.1921.6800.1002.00
redistribute {
ipv4 {
connected {
level-2 {
route-map EXPORT-ISIS
}
}
}
}
}
}
and results in loosing IS-IS connectivity. This is due the fact that
config.rename() does not work when only using the base tagNode.
|
|
vpp: T7972: Make `nat44 no-forwarding` feature automatically configurable
|
|
T8078: dhcpv6: allow lease renew for pd & parameters
|
|
The upstream VPP code already writes the ena device ID to new_id
So we can remove `ena` from `override_driver()`
The kernel does not provide a reliable way to check whether an ID has already been
registered, so we simply attempt the write and ignore the FileExistsError.
Any other failure is treated as a warning.
Fixes this case:
Traceback (most recent call last):
File "/usr/libexec/vyos/services/vyos-configd", line 156, in run_script
script.apply(c)
File "/usr/libexec/vyos/conf_mode/vpp.py", line 613, in apply
control_host.override_driver(
File "/usr/lib/python3/dist-packages/vyos/vpp/control_host.py", line 138, in override_driver
Path('/sys/module/vfio_pci/drivers/pci:vfio-pci/new_id').write_text(
File "/usr/lib/python3.11/pathlib.py", line 1079, in write_text
with self.open(mode='w', encoding=encoding, errors=errors, newline=newline) as f:
FileExistsError: [Errno 17] File exists
|
|
The renew command will refuse to restart the dhcp6c process for an
interface unless it is configured to request an address, but the
client may also be running to manage parameters and/or prefix
delegations.
|
|
This enhances diagnostic capabilities by providing hardware topology
visuals within support archives.
|
|
salt: T8056: add a deprecation warning
|
|
op-mode: T7810: fix broken 'reset connection' command
|