summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2025-06-24Fix uuidgen warning if DMI doesn't have product_serial or it emptyNobi
2025-06-23pki: T7573: fix TypeError when HAProxy is not in useChristian Breunig
Commit 59d86826a2f ("haproxy: T7122: add ACME/certbot bootstrap support") introduced a regression where a None value was inadvertently iterated over. This patch prevents the invalid access by verifying that all required keys are present in the dictionary before proceeding.
2025-06-23pki: T7574: add optional force argument to renew certbot-issued certificatesChristian Breunig
Certbot renewal command in op-mode "renew certbot" only works if any of the certificates is up for renewal. There is no CLI option to forcefully renew a certificate. This is about adding a force option to the CLI and with this addition move the entire certbot renew handling to new-style op-mode commands. vyos@vyos:~$ renew certbot force - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /config/auth/letsencrypt/renewal/vyos.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Renewing an existing certificate for vyos.io - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations, all renewals succeeded: /config/auth/letsencrypt/live/vyos/fullchain.pem (success) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Hook 'post-hook' ran with output: Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d... done.
2025-06-23T7355: periodical cleanup of unused Python3 import statementsChristian Breunig
2025-06-23T7570: add missing list of scripts to be committed, needed for configdepJohn Estabrook
2025-06-20installer: T6144: require at least 2GB of free space for image upgradeDaniil Baturin
2025-06-19Merge pull request #4558 from natali-rs1985/T6951Daniil Baturin
firewall: T6951: Add a configuration command for ethertypes that bridge firewalls should always accept
2025-06-18migration: T6968: check for ip address as next-hop-interface in 1.3.xJohn Estabrook
1.3.x did not disallow an ip address as value of: protocols static route addr next-hop-interface Consequently, the case should be checked and handled during migration.
2025-06-18XDP/Mellanox: T7223: Fixed interfaces initializationzdc
For the XDP driver and Mellanox NIC, we create `defunct_*` interfaces to hide original interfaces from CLI, when they are replaced with VPP-enabled pairs. But sometimes IP addresses are not flushed from these `defunct_*` interfaces, which leads to broken routing afterward. This commit introduces an additional flush operation for `defunct_*` interfaces to ensure that they do not conflict with VPP interfaces.
2025-06-17firewall: T6951: Add a configuration command for ethertypes that bridge ↵Nataliia Solomko
firewalls should always accept
2025-06-17container: T7473: fix show/monitor container log failed when log-driver is ↵opswill
journald
2025-06-17vrf: T7506: Do not use default table 254 for VRFNataliia Solomko
2025-06-12Merge pull request #34 from natali-rs1985/T7488Viacheslav Hletenko
T7488: Make VPP restartable
2025-06-12Merge pull request #4552 from jestabro/reset-sectionViacheslav Hletenko
T7488: add utility for automatic rollback of section on apply stage error
2025-06-12Merge pull request #4497 from yzguy/T7432Daniil Baturin
T7432: RPKI VRF Support
2025-06-12Merge pull request #4546 from sarthurdev/T7056Daniil Baturin
openvpn: T7056: Raise error if non-TAP device is bridged
2025-06-10T7488: exit silently if path doesn't exist, unless debugJohn Estabrook
2025-06-10T7488: allow reloads outside of config sessionJohn Estabrook
2025-06-10T7488: add utility for automatic rollback of section on apply stage errJohn Estabrook
2025-06-10configd: T7488: allow distinction of first-order error verify vs applyJohn Estabrook
Leave hint if vyos-configd encounters an error in the generate/apply stages: this only detects 'first-order' differences, meaning those originating from the called config mode script, and not its dependencies. This is useful for supporting automatic rollback for certain cases of apply stage error.
2025-06-10Merge pull request #4550 from ↵Daniil Baturin
dmbaturin/T7527-eliminate-embedded-op-mode-shell-snippets op-mode: T7527: move assorted embedded shel snippets to script files
2025-06-10Merge pull request #4527 from cblackburn-igl/currentDaniil Baturin
T7492: Fix modem connection code
2025-06-10Merge pull request #4536 from ig0rb/fix/T7510-ospf-nssa-translation-errorDaniil Baturin
T7510: ospfd.frr.j2 ospf nssa translation error - fix template
2025-06-10op-mode: T7527: move assorted embedded shel snippets to script filesDaniil Baturin
2025-06-09T7374: add environment variable vyconf_bin_dirJohn Estabrook
2025-06-09T7374: add python cli script to compliment executable vyconf_cliJohn Estabrook
For certain commands, notably 'commit', a python script is preferable to the more responsive executable vyconf_cli. Criteria are (1) longer running process, not benefiting from a compiled tool (2) convenience of integration with the ecosystem, for example pre-/post-commit hooks.
2025-06-09Merge branch 'current' into T7169Nataliia S.
2025-06-09T7352: add check for privileges in utilityJohn Estabrook
2025-06-09Merge pull request #4549 from yzguy/T7532Daniil Baturin
T7532: container sysctl parameter values are quoted
2025-06-08T7510: add commit warnings about invalid use of OSPF area-typesChristian Breunig
To keep existing CLI behavior use a Warning() to prompt the user for an invalid configuration. It is not possible to have more the one area-type defined per area logically - the CLI does support it. In addition the backbone area cannot be of type STUB or NSSA. CLI configuration should be cleaned up using a migrator in the future.
2025-06-07T7532: container sysctl parameter values are quotedAdam Smith
2025-06-07conntrack: T7208: nf_conntrack_buckets defaults and behaviorChristian Breunig
Previously, we used a lower limit of 1 and a default value of 32768 for the nf_conntrack_buckets (conntrack hash-size) sysctl option. However, the Linux kernel enforces an internal minimum of 1024. A configuration migrator will now adjust the lower limit to 1024 if necessary. The former default value of 32768 was passed as a kernel module option, which only took effect after the second system reboot. This was due to the option being rendered but not applied during the first boot. This behavior has been changed so that the value is now configurable at runtime and takes effect immediately. Additionally, since VyOS 1.4 increased the hardware requirements to 4GB of RAM, we now align the default value of nf_conntrack_buckets with the kernel's default for systems with more than 1GB of RAM to 65536 entries. Previously, we only supported half that amount.
2025-06-05openvpn: T7056: Raise error if non-TAP device is bridgedsarthurdev
2025-06-05T7515: Fix VPP NAT44 timeoutsNataliia Solomko
2025-06-04Merge pull request #4533 from jestabro/api-commit-confirmViacheslav Hletenko
http-api: T3955: add commit-confirm to endpoints /configure /config-file
2025-06-03Merge pull request #4540 from red55/currentDaniil Baturin
openconnect: T7511: bugfix invalid variable name
2025-06-03Merge pull request #4512 from dmbaturin/T7459-no-direct-sudo-in-op-modeJohn Estabrook
op-mode: T7459: eliminate direct use of sudo in op mode commands
2025-06-02openconnect: T7511: ruff formatLeonid Korokh
2025-06-02openconnect: T7511: fix ruff warningsLeonid Korokh
2025-06-02openconnect: T7511: Correct variable name in accounting checks blockLeonid Korokh
2025-05-31nat: T7237: Remove expensive NAT address checksarthurdev
2025-05-29http-api: T3955: add commit-confirm to endpoints /configure /config-fileJohn Estabrook
2025-05-29Merge pull request #4266 from takehaya/T6013-trusted-ca-keysChristian Breunig
T6013: Add support for AuthorizedPrincipalsFile to trusted_user_ca_key
2025-05-29zebra: T7349: Added importing routes from non to the kernel routing tableaapostoliuk
* zebra: T7349: Added importing routes from non to the kernel routing table Added importing routes from non to the kernel routing table. --------- Co-authored-by: Christian Breunig <christian@breunig.cc>
2025-05-29Merge pull request #4530 from jestabro/api-extend-load-mergeChristian Breunig
http-api: T7498: allow passing config string in body of 'load' or 'merge' request
2025-05-29ssh: T6013: rename trusted-user-ca-key -> truster-user-caChristian Breunig
The current implementation for SSH CA based authentication uses "set service ssh trusted-user-ca-key ca-certificate <foo>" to define an X.509 certificate from "set pki ca <foo> ..." - fun fact, native OpenSSH does not support X.509 certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys. This commit changes the bahavior to support antive certificates generated using ssh-keygen and loaded to our PKI tree. As the previous implementation did not work at all, no migrations cript is used.
2025-05-29pki: T6013: add proper dependencies for SSH CAChristian Breunig
We need to establish proper dependencies on "system login" and "pki ca" for the SSH subsystem. If the CA is updated or user principal names are modified, we must also ensure that the SSH daemon is restarted accordingly.
2025-05-29ssh: T6013: move principal name to "system login user <name> authentication"Christian Breunig
We already support using per-user SSH public keys for system authentication. Instead of introducing a new CLI path to configure per-user principal names, we should continue using the existing CLI location and store the principal names alongside the corresponding SSH public keys. set system login user <name> principal <principal> The certificate used for SSH authentication contains an embedded principal name, which is defined under this CLI node. Only users with matching principal names are permitted to log in.
2025-05-29ssh: T6013: support SSH AuthorizedPrincipalsFile in use with trusted-user-ca-keyTakeru Hayasaka
Thisc omplements commit e7cab89f9f81 ("T6013: Add support for configuring TrustedUserCAKeys in SSH service with local and remote CA keys"). It introduces a new CLI node per user to support defining the authorized principals used by any given PKI certificate. It is now possible to associate SSH login users with their respective principals. Authored-by: Takeru Hayasaka <hayatake396@gmail.com>
2025-05-28http-api: T7498: allow passing config string in body of 'merge' requestJohn Estabrook