| Age | Commit message (Collapse) | Author |
|
|
|
Commit 59d86826a2f ("haproxy: T7122: add ACME/certbot bootstrap support")
introduced a regression where a None value was inadvertently iterated over.
This patch prevents the invalid access by verifying that all required keys are
present in the dictionary before proceeding.
|
|
Certbot renewal command in op-mode "renew certbot" only works if any of the
certificates is up for renewal. There is no CLI option to forcefully renew a
certificate. This is about adding a force option to the CLI and with this
addition move the entire certbot renew handling to new-style op-mode commands.
vyos@vyos:~$ renew certbot force
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /config/auth/letsencrypt/renewal/vyos.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for vyos.io
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
/config/auth/letsencrypt/live/vyos/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hook 'post-hook' ran with output:
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
|
|
|
|
|
|
|
|
firewall: T6951: Add a configuration command for ethertypes that bridge firewalls should always accept
|
|
1.3.x did not disallow an ip address as value of:
protocols static route addr next-hop-interface
Consequently, the case should be checked and handled during migration.
|
|
For the XDP driver and Mellanox NIC, we create `defunct_*` interfaces to hide original
interfaces from CLI, when they are replaced with VPP-enabled pairs. But sometimes IP addresses
are not flushed from these `defunct_*` interfaces, which leads to broken routing afterward.
This commit introduces an additional flush operation for `defunct_*` interfaces to ensure that
they do not conflict with VPP interfaces.
|
|
firewalls should always accept
|
|
journald
|
|
|
|
T7488: Make VPP restartable
|
|
T7488: add utility for automatic rollback of section on apply stage error
|
|
T7432: RPKI VRF Support
|
|
openvpn: T7056: Raise error if non-TAP device is bridged
|
|
|
|
|
|
|
|
Leave hint if vyos-configd encounters an error in the generate/apply
stages: this only detects 'first-order' differences, meaning those
originating from the called config mode script, and not its
dependencies. This is useful for supporting automatic rollback for
certain cases of apply stage error.
|
|
dmbaturin/T7527-eliminate-embedded-op-mode-shell-snippets
op-mode: T7527: move assorted embedded shel snippets to script files
|
|
T7492: Fix modem connection code
|
|
T7510: ospfd.frr.j2 ospf nssa translation error - fix template
|
|
|
|
|
|
For certain commands, notably 'commit', a python script is preferable to
the more responsive executable vyconf_cli. Criteria are (1) longer
running process, not benefiting from a compiled tool (2) convenience of
integration with the ecosystem, for example pre-/post-commit hooks.
|
|
|
|
|
|
T7532: container sysctl parameter values are quoted
|
|
To keep existing CLI behavior use a Warning() to prompt the user for an invalid
configuration. It is not possible to have more the one area-type defined per
area logically - the CLI does support it. In addition the backbone area cannot
be of type STUB or NSSA.
CLI configuration should be cleaned up using a migrator in the future.
|
|
|
|
Previously, we used a lower limit of 1 and a default value of 32768 for the
nf_conntrack_buckets (conntrack hash-size) sysctl option. However, the Linux
kernel enforces an internal minimum of 1024. A configuration migrator will now
adjust the lower limit to 1024 if necessary.
The former default value of 32768 was passed as a kernel module option, which
only took effect after the second system reboot. This was due to the option being
rendered but not applied during the first boot. This behavior has been changed so
that the value is now configurable at runtime and takes effect immediately.
Additionally, since VyOS 1.4 increased the hardware requirements to 4GB of RAM,
we now align the default value of nf_conntrack_buckets with the kernel's
default for systems with more than 1GB of RAM to 65536 entries. Previously, we
only supported half that amount.
|
|
|
|
|
|
http-api: T3955: add commit-confirm to endpoints /configure /config-file
|
|
openconnect: T7511: bugfix invalid variable name
|
|
op-mode: T7459: eliminate direct use of sudo in op mode commands
|
|
|
|
|
|
|
|
|
|
|
|
T6013: Add support for AuthorizedPrincipalsFile to trusted_user_ca_key
|
|
* zebra: T7349: Added importing routes from non to the kernel routing table
Added importing routes from non to the kernel routing table.
---------
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
http-api: T7498: allow passing config string in body of 'load' or 'merge' request
|
|
The current implementation for SSH CA based authentication uses "set service
ssh trusted-user-ca-key ca-certificate <foo>" to define an X.509 certificate
from "set pki ca <foo> ..." - fun fact, native OpenSSH does not support X.509
certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys.
This commit changes the bahavior to support antive certificates generated using
ssh-keygen and loaded to our PKI tree. As the previous implementation
did not work at all, no migrations cript is used.
|
|
We need to establish proper dependencies on "system login" and "pki ca" for
the SSH subsystem. If the CA is updated or user principal names are modified,
we must also ensure that the SSH daemon is restarted accordingly.
|
|
We already support using per-user SSH public keys for system authentication.
Instead of introducing a new CLI path to configure per-user principal names,
we should continue using the existing CLI location and store the principal
names alongside the corresponding SSH public keys.
set system login user <name> principal <principal>
The certificate used for SSH authentication contains an embedded principal
name, which is defined under this CLI node. Only users with matching principal
names are permitted to log in.
|
|
Thisc omplements commit e7cab89f9f81 ("T6013: Add support for configuring
TrustedUserCAKeys in SSH service with local and remote CA keys"). It introduces
a new CLI node per user to support defining the authorized principals used by
any given PKI certificate. It is now possible to associate SSH login users with
their respective principals.
Authored-by: Takeru Hayasaka <hayatake396@gmail.com>
|
|
|