Age | Commit message (Collapse) | Author |
|
(cherry picked from commit 115e99630a317cab62c6f99e0461f6ce2c1edaf3)
|
|
by TuneD (#3863)
(cherry picked from commit 7b82e4005724683c6311fab22358746f2cca4c1b)
Co-authored-by: Nataliia Solomko <natalirs1985@gmail.com>
|
|
Only some (e.g. ethernet or wireguard) interfaces validate if the supplied VRF
actually exists. If this is not validated, one can pass an invalid VRF to the
system which generates an OSError exception.
To reproduce
set interfaces vxlan vxlan1 vni 1000
set interfaces vxlan vxlan1 remote 1.2.3.4
set interfaces vxlan vxlan1 vrf smoketest
results in
OSError: [Errno 255] failed to run command: ip link set dev vxlan1 master smoketest_mgmt
This commit adds the missing verify_vrf() call to the missing interface types
and an appropriate smoketest for all interfaces supporting VRF assignment.
(cherry picked from commit dd0ebffa33728e452ac6e11737c2283f0e390359)
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
(cherry picked from commit 79407cd5bbec3194a9b6542418229b33eab05121)
|
|
This was found during smoketesting as thoase started to repeadingly fail in the last weeks
File "/usr/libexec/vyos/tests/smoke/cli/test_interfaces_wireless.py", line 534, in test_wireless_security_station_address
self.assertTrue(process_named_running('hostapd'))
AssertionError: None is not true
Digging into this revealed that this is NOT related to the smoketest coding but
to hostapd/systemd instead. With a configured WIFI interface and calling:
"sudo systemctl reload-or-restart hostapd@wlan1" multiple times in a short
period caused systemd to report:
"Jul 18 16:15:32 systemd[1]: hostapd@wlan1.service: Deactivated successfully."
According to the internal systemd logic used in our version this is explained by:
/* If there's a stop job queued before we enter the DEAD state, we shouldn't act on Restart=, in order to not
* undo what has already been enqueued. */
if (unit_stop_pending(UNIT(s)))
allow_restart = false;
if (s->result == SERVICE_SUCCESS)
s->result = f;
if (s->result == SERVICE_SUCCESS) {
unit_log_success(UNIT(s));
end_state = SERVICE_DEAD;`
Where unit_log_success() generates the log message in question.
Improve the restart login in the wireless interface script and an upgrade to
hostapd solved the issue.
(cherry picked from commit a67f49d99eda00998c425f9a663e138dbd0f7755)
|
|
Authored-By: Alain Lamar <alain_lamar@yahoo.de>
(cherry picked from commit d5e988ba2d0fa0189feff22374c9b46eb49e2e79)
|
|
Commit e3c71af1466 ("remove secrets file if the tunnel is deleted and fix
opmode commands") added a code path into verify() which removed files on the
system if TOTP was not defined.
This commit moves the code path to the appropriate generate() function.
(cherry picked from commit 40c835992db9217f48e54dbbf15a7fbf1dcba482)
|
|
(cherry picked from commit 23a3419d512139650cfe3dc76759b370b0c0c3d6)
|
|
Remove unused import (left over) from commit 36f3791e0 ("utils: migrate to new
get_vrf_tableid() helper")
(cherry picked from commit b551f542c5c906c901e3be37ad3fd68c8248473d)
|
|
Commit 452068ce7 ("interfaces: T6592: moving an interface between VRF instances
failed") introduced a new helper to retrieve the VRF table ID from the Kernel.
This commit migrates the old code path where the individual fields got queried
to the new helper vyos.utils.network.get_vrf_tableid().
(cherry picked from commit 36f3791e0c15267483d59a3bb74465811d08df88)
|
|
(cherry picked from commit e858d96a3fbc1ae4719a50ee67df02b2f256b40f)
Co-authored-by: khramshinr <khramshinr@gmail.com>
|
|
(cherry picked from commit e2b05343b30d2f989968532106e792cbaf75ecf6)
|
|
configdep: T6559: fix regression in dependent script error under configd (backport #3813)
|
|
Right now we have multiple restart helpers (e.g. dhcp server, ssh, ntp) that
all do the same (more or less):
* Check if service is configured on CLI
* Restart if configured
* Error out if unconfigured
This is not available via the op-mode API. Create a new restart.py op-mode
helper that takes the service name and possible VRF as argument so it's also
exposed via API.
(cherry picked from commit c74ae852152b0c3c3f00a1847d081d28f500e178)
|
|
(cherry picked from commit 52d08b1ec5b2943744daac7123e35fd415f85db2)
|
|
(cherry picked from commit 7249d10f1fbb3f90a4bdbcd0223926d0380ddd3a)
|
|
Commit dc60fe99350 ("op-mode: T6537: include hostname in the reboot/shutdown
warning message") added a more local import of vyos.utils.process.cmd() that
made the fglobal import obsolete and trigger a linter warning.
$ make unused-imports
--------------------------------------------------------------------
Your code has been rated at 10.00/10 (previous run: 10.00/10, +0.00)
(cherry picked from commit 6b2e45c073eeef62bbb5905e1bff98e20199b6b0)
|
|
T6527: add legacy Vyatta interpreter files still in use (backport #3745)
|
|
(cherry picked from commit dc60fe993505d1adca60f9b6e0f47f565c459331)
|
|
defined in zone policy.
(cherry picked from commit 66ec278393dbabe71f320c543816f27797d51140)
|
|
(cherry picked from commit 72a704d2e2b06bfedc4f1ee841814f983fc34baa)
|
|
in 1.3 <+> with character supported in latest version <*>
(cherry picked from commit 148af29b68416a5b8d0e025a16aef252fdf31e67)
# Conflicts:
# src/migration-scripts/nat/6-to-7
|
|
(cherry picked from commit 804efa2ef6bfee84d13f633d863f6f22f9eec273)
Co-authored-by: Viacheslav Hletenko <v.gletenko@vyos.io>
|
|
If a firewall is not configured there is no reason to get and
execute telegraf firewall custom scripts as there are no nft
chain in the firewall nftables configuration
(cherry picked from commit ebff0c481907ac0c2c0be9981c3c3d87caf3003b)
|
|
(cherry picked from commit 96c993ec5e850b8ca7056f70df9c6459840e6af7)
|
|
(cherry picked from commit 5ade35255b3d8438aa6082fe56ae459d50cdc0a5)
|
|
Add Loki plugin to telegraf
set service monitoring telegraf loki url xxx
(cherry picked from commit 3365eb7ab99fa9a259fe440eb51e82fc0a0a4dc6)
|
|
new cli syntax (#3731)
(cherry picked from commit a095a3c7b3dd4459dc8626f0e5adecda855580e0)
|
|
T751: Remove ids suricata
|
|
During a corner case where the configuration is migrated to a different system
with fewer ethernet interfaces, migration will fail during an image upgrade.
vyos.ethtool.Ethtool() is instantiated with an invalid interface leading to an
exception that kills the migrator
(cherry picked from commit e47d4fd385631236da6882233b09f6364cbb077b)
|
|
T3202: Enable wireguard debug messages (backport #3679)
|
|
snmp: T6489: use new Python wrapper to interact with config filesystem (backport #3694)
|
|
The environment variable SUDO_USER is checked by system_login.py so as
to prevent deleting the current user. Provide from config session and
set within configd environment.
(cherry picked from commit 7016f840f1193399f6ac59fab7faa721049229e8)
|
|
filesystem
(cherry picked from commit d7a18a3da949bfa3df89661cc0871e8f23b18a10)
|
|
(cherry picked from commit e1a34e661d3e5f0090550796ac266dac15e1e337)
|
|
my_set/my_delete
(cherry picked from commit da29c9b3ab7b0cc23d64c8b033fc5a79c1b09174)
|
|
Do no longer use my_set and my_delete as this prevents scripts beeing run under
supervision of vyos-configd.
(cherry picked from commit 7e0e8101998a6c8de6cb93c42bfbf1278c13f226)
|
|
(cherry picked from commit 9495f904fcc157521ca001ee21cf31be28a6b3a0)
|
|
(cherry picked from commit d818788932e3c57d020cca9236df7275da452fce)
|
|
T5949: Add option to disable USB autosuspend (backport #3677)
|
|
(cherry picked from commit c0b2693cebc3429e1974a9cec5946fa88ffc0205)
|
|
deleted
* Added flag to vyos.config_mgmt.unsaved_commits() that will tolerate missing config.boot for specific circumstances
* Shutdown/reboot uses this flag; config will regenerate from defaults after a reboot
(cherry picked from commit 8281383a09f12da20a1c9b4864b38ac3f541b48f)
|
|
Add possibility to provide a full CA chain to the openconnect server.
* Support multiple CA certificates
* For every CA certificate specified, always determine the full certificate
chain in the background and add the necessary SSL certificates
(cherry picked from commit 973f06c00b902c43dfea34bdf01bdec7c599c452)
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
(cherry picked from commit f29caa824c02c833a3978b9236391e4277c1a6ba)
|
|
Commit 9f9891a2099 ("pki: T6241: Fix dependency updates on PKI changes") added
a print() statement which notified the users about the subsystems which got
supplied with an updated certificate.
Example:
> PKI: Updating config: interfaces openvpn vtun0 tls certificate openvpn_vtun0
> PKI: Updating config: interfaces openvpn vtun0 tls ca_certificate openvpn_vtun0_1
This is an informational message which should maybe (if needed) be sent to
syslog. But the main issue is that CLI paths are mangled (- to _) which makes
the about print output wrong and could potentially confuse users.
Statement has been commented to be re-enabled for debugging.
(cherry picked from commit a4d49a96918c0f0dac3d17f9cf3a5b8f3a9505c0)
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
* install_certificate() code path handles private_key=None &
key_passphrase=None OK already
* file and console output paths will error trying to encode None as a key
* This is only an issue for a couple of the generate_*_sign() functions,
where having a null private key is possible
* Self-signing and CA creation always generate a private key
* Certreqs will generate a private key if not already provided
* Do not prompt for a private key passphrase if we aren't giving back a
private key
(cherry picked from commit d2cf8eeee9053d04f34c5e8a22373290d078ab37)
Co-authored-by: Andrew Topp <andrewt@telekinetica.net>
|
|
Migration script introduced in commit 0f669a226 ("openvpn: T5487: Remove
eprecated option --cipher for server and client mode") lacked executable
permission.
|
|
op-mode: T6407: "generate pki" missed to mangle in ACME certificates when required
|
|
required
If the requested certificate to generate an Apple IOS profile was based on an
ACME certificate, we also need to mangle in the ACME certs content to retrieve
the certificates issuer name.
|
|
openvpn: T5487: Remove deprecated option --cipher for server and client mode
|