summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2024-01-07pki: T5905: do not use expand_nodes=Diff.ADD|Diff.DELETE) in node_changed()Christian Breunig
This fixes a priority inversion when doing initial certificate commits. * pki subsystem is executed with priority 300 * vti uses priority 381 * ipsec uses priority 901 On commit pki.py will be executed first, detecting a change in dependencies for vpn_ipsec.py which will be executed second. The VTI interface was yet not created leading to ConfigError('VTI interface XX for site-to-site peer YY does not exist!') The issue is caused by this new line of code in commit b8db1a9d7ba ("pki: T5886: add support for ACME protocol (LetsEncrypt)") file src/conf_mode/pki.py line 139 which triggers the dependency update even if a key is newly added. This commit changes the "detection" based on the cerbot configuration on disk.
2024-01-07ipsec: T5905: use interface_exists() wrapper over raw calls to os.path.exists()Christian Breunig
2024-01-06https: T5886: migrate https certbot to new "pki certificate" CLI treeChristian Breunig
2024-01-06pki: T5886: add support for ACME protocol (LetsEncrypt)Christian Breunig
The "idea" of this PR is to add new CLI nodes under the pki subsystem to activate ACME for any given certificate. vyos@vyos# set pki certificate NAME acme Possible completions: + domain-name Domain Name email Email address to associate with certificate listen-address Local IPv4 addresses to listen on rsa-key-size Size of the RSA key (default: 2048) url Remote URL (default: https://acme-v02.api.letsencrypt.org/directory) Users choose if the CLI based custom certificates are used set pki certificate EXAMPLE acme certificate <base64> or if it should be generated via ACME. The ACME server URL defaults to LetsEncrypt but can be changed to their staging API for testing to not get blacklisted. set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory Certificate retrieval has a certbot --dry-run stage in verify() to see if it can be generated. After successful generation, the certificate is stored in under /config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set interfaces ethernet eth0 eapol certificate EXAMPLE) we call vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the base64 encoded certificate into the JSON data structure normally used when using a certificate set by the CLI. Using this "design" does not need any change to any other code referencing the PKI system, as the base64 encoded certificate is already there. certbot renewal will call the PKI python script to trigger dependency updates.
2024-01-04T5159: nat: add option to map network and ports. Feature used for large ↵Nicolás Fort
deployments in cgnat. (#2694)
2024-01-04T5897: frr should be stopped before vyos-routerDate Huang
Signed-off-by: Date Huang <tjjh89017@hotmail.com>
2024-01-04configdict: T5894: add get_config_dict() flag with_pkiChristian Breunig
VyOS has several services relaying on the PKI CLI tree to retrieve certificates. Consuming services like ethernet, openvpn or ipsec all re-implemented the same code to retrieve the certificates from the CLI. This commit extends the signature of get_config_dict() with a new option with_pki that defaults to false. If this option is set, the PKI CLI tree will be blended into the resulting dictionary.
2024-01-02T5888: fix migration script in order to fit new type-names for icmp and icmpv6.Nicolas Fort
2024-01-01Merge pull request #2731 from jestabro/copy-preserve-ownerJohn Estabrook
image-tools: T5883: preserve file owner in /config on add system update
2024-01-01Merge pull request #2728 from c-po/verify-T5880Viacheslav Hletenko
T5880: verify_source_interface() should not allow dynamic interfaces like ppp, l2tp, ipoe or sstpc client interfaces
2024-01-01Merge pull request #2726 from c-po/login-T5875-part2Christian Breunig
login: T5875: restore home directory permissions only when needed
2024-01-01Merge pull request #2724 from sever-sever/T3476Christian Breunig
T3476: Add option latest to add system image
2023-12-31image-tools: T5883: preserve file owner in /config on add system updateJohn Estabrook
2024-01-01tunnel: T5879: properly verify source-interface used for tunnelsChristian Breunig
A tunnel interface can not properly be sourced from a pppoe0 interface when such interface is not (yet) connected to the BRAS. It might work on a running system, but subsequent reboots will fail as the source-interface most likely does not yet exist.
2024-01-01login: T5875: restore home directory permissions only when neededChristian Breunig
This improves commit 3c990f49e ("login: T5875: restore home directory permissions when re-adding user account") in a way that the home directory owner is only altered if it differs from the expected owner. Without this change on every boot we would alter the owner which could increase the boot time if the home of a user is cluttered.
2023-12-31T5474: establish common file name pattern for XML conf mode commandsChristian Breunig
We will use _ as CLI level divider. The XML definition filename and also the Python helper should match the CLI node. Example: set interfaces ethernet -> interfaces_ethernet.xml.in set interfaces bond -> interfaces_bond.xml.in set service dhcp-server -> service_dhcp-server-xml.in
2023-12-31Merge pull request #2696 from indrajitr/kea-lfc-fixChristian Breunig
dhcp: T3316: Adjust kea lease files' location and permissions
2023-12-30T3476: Add option latest to add system imageViacheslav Hletenko
Add option `latest` for op-mode command `add system image` If the update check is configured we can get the remote `latest` version from conrfgure URL ``` set system update-check url 'https://example.com/version.json' ``` This way we can use "latest" option for image update: ``` add system image latest ```
2023-12-30Merge pull request #2716 from c-po/login-t5875Christian Breunig
login: T5875: restore home directory permissions when re-adding user account
2023-12-30Merge pull request #2718 from indrajitr/shorten-domain-search-pathChristian Breunig
system: T5877: Shorten system domain-search config path
2023-12-30Merge pull request #2711 from aapostoliuk/T5688-fixes-2Christian Breunig
T5688: Fixed ip pool migration scripts for l2tp, sstp, pppoe
2023-12-29system: T5877: Shorten system domain-search config pathIndrajit Raychaudhuri
Shorten and simplify `system domain-search` config path from: ``` set system domain-search domain <domain1> ``` to: ``` set system domain-search <domain1> ``` This will shorten the path and also make consistent with `domain-search` config in other places (like `dhcp-server`).
2023-12-29login: T5875: restore home directory permissions when re-adding user accountChristian Breunig
After deleting a user account and working with a newly added account, we see that after rebooting in the previously saved configuration, the user is re-added but it's home directory might have an old UID set on the filesystem. This is due to the fact that vyos config does not store UIDs. When adding a user account to the system we now check if the home directory already exists and adjust the ownership to the new UID.
2023-12-29Merge pull request #2704 from c-po/template-t5869Christian Breunig
vyos.template: T5869: first_host_address() does not honor RFC4291 section 2.6.1
2023-12-29T5688: Fixed ip pool migration scripts for l2tp, sstp, pppoeaapostoliuk
Fixed migration 'subnet' option in l2tp, sstp, pppoe. 'subnet' option can contain several values.
2023-12-29nat: T5681: relax wording on non existing interface Warning messageChristian Breunig
Remove the word "error" from a Warning only message to not irritate the user.
2023-12-29tests: T5869: consolidate duplicated test casesChristian Breunig
We have had duplicated test cases in test_jinja_filters.py and test_template.py, They have been consolidated into test_template.py.
2023-12-29vyos.template: T5869: first_host_address() does not honor RFC4291 section 2.6.1Christian Breunig
The subnet router anycast address is predefined. Its format is as follows: | n bits | 128-n bits | +------------------------------------------------+----------------+ | subnet prefix | 00000000000000 | +------------------------------------------------+----------------+ The "subnet prefix" in an anycast address is the prefix that identifies a specific link. This anycast address is syntactically the same as a unicast address for an interface on the link with the interface identifier set to zero. Packets sent to the Subnet-Router anycast address will be delivered to one router on the subnet. All routers are required to support the Subnet-Router anycast addresses for the subnets to which they have interfaces. The Subnet-Router anycast address is intended to be used for applications where a node needs to communicate with any one of the set of routers. Our code as of now returns the subnet router anycast address as the first_host_address().
2023-12-29dhcp: T3316: Adjust kea lease files' location and permissionsIndrajit Raychaudhuri
Move the kea lease file to a separate directory `/config/dhcp` that `kea` process can write to so that subprocesses spawned by `kea` process can operate on the lease files. To allow `kea` process to write to `/config/dhcp`, add `_kea` user to `vyattacfg` group. And the lease files are owned completely by `_kea` user to play well with `kea-lfc` process. Specifically, this is necessary for `kea-lfc` which is spawned by `kea` process to clean up expired leases. Since `kea-lfc` creates additional backup lease files, it needs write access to the lease file directory. Additionally, change the extension of the lease file from `.leases` to `.csv` to reflect the actual file format.
2023-12-28container: T5867: disable healthchecks due to upstream issueChristian Breunig
conmon 402de34b31388b5a2e1c <error>: Unable to send container stderr message to parent Broken pipe https://github.com/containers/conmon/issues/438
2023-12-28container: T5829: fix base key "container" re-use in for loopChristian Breunig
2023-12-28container: T5829: verify container network used supports the given AFIChristian Breunig
2023-12-28Merge pull request #2658 from aapostoliuk/T5801-circinusChristian Breunig
T5801: Rewritten L2TP to get_config_dict
2023-12-28Merge pull request #2695 from aapostoliuk/T5842-circinusChristian Breunig
T5842: Rewritten PPTP to get_config_dict
2023-12-28Merge pull request #2650 from indrajitr/kea-reservation-fixChristian Breunig
dhcp: T3316: Support hostname, DUID and MAC address in reservation
2023-12-27T5842: Rewritten PPTP to get_config_dictaapostoliuk
Rewritten PPTP to get_config_dict Fixed 'dynamic-author' commands. These commands did not create anything in accel-ppp config.
2023-12-26firewall: T5834: Migration for 'enable-default-log' to 'default-log'Indrajit Raychaudhuri
2023-12-26ddclient: T5144: Warn against configuration with broken IP lookup serviceIndrajit Raychaudhuri
We always enable HTTPS in ddclient configuration, however `http://checkip.dyndns.org` is HTTP only and does not support HTTPS. Warn the user if they are using this service. Also, make `url` in `web-options` mandatory.
2023-12-26Merge pull request #2686 from indrajitr/ddclient-update-20231224-01Christian Breunig
ddclient: T5144: Migrate web-options url to stricter format
2023-12-25snmp: T5855: migrate "set service lldp snmp enable" to "set service lldp snmp"Christian Breunig
2023-12-25snmp: T5855: add GPL license headerChristian Breunig
2023-12-25ddclient: T5144: Migrate web-options url to stricter formatIndrajit Raychaudhuri
Legacy ddclient allowed arbitrary URLs in web-options, but the new has stricter validations. Apply migration to the old URLs. Also migrate checkip.dyndns.org to https://domains.google.com/checkip for better TLS support.
2023-12-24ddclient: T5791: Adjust migration to normalize underscore in config namesIndrajit Raychaudhuri
2023-12-24Merge pull request #2682 from c-po/node-changed-t5837Christian Breunig
configdict: T5837: add support to return added nodes when calling node_changed()
2023-12-24Merge pull request #2683 from c-po/snmp-T5865Viacheslav Hletenko
snmp: 5856: fix service removal error
2023-12-24snmp: 5856: fix service removal errorChristian Breunig
When deleting SNMP from CLI the 'delete' key was not honored in the config dictionary, leading to a false process startup causing the following error: Job for snmpd.service failed because the control process exited with error code. See "systemctl status snmpd.service" and "journalctl -xeu snmpd.service" for details.
2023-12-24T5837: cleanup use of calls to vyos.configdict.node_changed()Christian Breunig
node_changed() will return a list of changed keys under "path". We are not always interested what changed, sometimes we are only interested if something changed at all, that what vyos.configdict.is_node_changed() is for.
2023-12-24T160: NAT64 add match firewall mark featureViacheslav Hletenko
Match mark allows to use firewall marks of packet to use a specific pool Example of instance config /run/jool/instance-100.json ``` ... "pool4": [ { "protocol": "TCP", "prefix": "192.0.2.10", "port range": "1-65535", "mark": 23 }, ... ```
2023-12-22T5840: Add override for systemd kea-ctrl-agent.serviceViacheslav Hletenko
After update KEA to 2.4.x in the bf04cd8fea44d375fb7d93d75a1f31c220730c88 there is a file that expects ConditionFileNotEmpty=/etc/kea/kea-api-password It cause the unit `kea-ctrl-agent.service` cannot start systemd[1]: kea-ctrl-agent.service - Kea Control Agent was skipped because of an unmet condition check (ConditionFileNotEmpty=/etc/kea/kea-api-password) Override systemd kea-ctrl-agent.service do not check this file
2023-12-21dhcp: T3316: Apply migration for valid hostname, and identifier (DUID)Indrajit Raychaudhuri