When using an ACME based certificate with VyOS we provide the necessary PEM
files opaque in the background when using the internal tools. This however will
not properly work with the CA chain portion, as the system is based on the
"pki certificate <name> acme" CLI node of a certificate but CA chains reside
under "pki ca".
This adds support for importing the PEM data of a CA chain issued via ACME into
the "pki ca AUTOCHAIN_<name> certificate" subsystem so it can be queried by
other daemons. Importing the chain only happens when the chain was not already
added manually by the user.
ACME certificate chains that are automatically added to the CLI are all prefixed
using AUTOCHAIN_certname so they can be consumed by any daemon. This also adds
a safeguard: when the intermediate CA changes, the referenced name on the CLI
stays consistent for any pending daemon updates.
(cherry picked from commit 875764b07f937fc599e2e62c667e7b811ddc2ed3)
T6687: add fqdn support to nat rules. (backport #4024)
(cherry picked from commit 4c3d037f036e84c77333a400b35bb1a628a1a118)
syslog: T5367: add format option to include timezone in message (backport #4061)
Add CLI option to include the system's timezone in the syslog message sent to
a collector. This can be enabled using:
set system syslog host <hostname> format include-timezone
(cherry picked from commit 042be39ccabb43a766e04a447207610ff017bd7d)
To increase the chance for dhclient to configure routes in FRR, a workaround
was added. Now 10 attempts are performed with a 1 second delay, and only after
this does dhclient give up.
(cherry picked from commit da64a7246e9b12d5bd84287517cfbfa59e364c28)
bridge: T6675: VXLAN Interface configuration lost due to improper bridge detachment (backport #4086)
(cherry picked from commit c196c6d9207ef112e478f44923b2d0bc8a15b3c9)
detachment
(cherry picked from commit 7dbd07657c914d5a46eed101ae44d73ba3b4c6f0)
fix: attempt to fix indentation on `wpa_supplicant.conf.j2`
fix: attempt to fix indentation on `wpa_supplicant.conf.j2`
fix: incorrect bssid mapping
fix: use the correct jinja templating (I think)
fix: remove blank space
fix: attempt to fix the formatting in j2
fix: attempt to fix the formatting in j2
feat: rename enterprise username and password + add checks in conf mode.
fix: move around `bssid` config option on `wpa_supplicant.conf.j2` and fix the security config part
fix: fix indentation on `wpa_supplicant.conf.j2`
(cherry picked from commit fc4263021acb72d2d8afb165922d9cb7e11b2bf1)
OpenVPN CLI-option: T6571: rename ncp-ciphers with data-ciphers (backport #3823)
(cherry picked from commit b62b2f5f8a9c4f0a7dc26bce1f15843651119256)
In the PR https://github.com/vyos/vyos-1x/pull/3823 the ncp-ciphers
were replaced with `data-ciphers`
fix template for "generate openvpn client-config"
(cherry picked from commit ffbc04c591b534188cb08bf3991fadac4aa386a8)
Remove the lines of code that checked if the kernel had offloading
enabled and was then forcing the config to set it to "on." The
behavior now mirrors the config and offloading will only be enabled
if the config is explicitly set to enabled.
Note: the code is still present to disable the offloading, in the
config, if the kernel doesn't support it.
Note(2): Allow the previous behavior where the offload settings get set,
based on the Kernel, if the boot is a live boot.
(cherry picked from commit b6c2a7476bbd20bebc3e901cc55c17965ebfc423)
Co-authored-by: Dave Vogel <dvogel@greylogic.com>
* ethernet: T6709: move EAPoL support to common framework
Instead of having EAPoL (Extensible Authentication Protocol over Local Area
Network) support only available for ethernet interfaces, move this to common
ground at vyos.ifconfig.interface making it available for all sorts of
interfaces by simply including the XML portion
#include <include/interface/eapol.xml.i>
(cherry picked from commit 0ee8d5e35044e7480dac6a23e92d43744b8c5d36)
* bond: T6709: add EAPoL support
(cherry picked from commit 8eeb1bdcdfc104ffa77531f270a38cda2aee7f82)
---------
Co-authored-by: Christian Breunig <christian@breunig.cc>
(cherry picked from commit 8c6a57124af37ba410dd01797e9242b3a79f171a)
T6703: Adds option to configure AMD pstate driver (backport #4046)
T6711: Fix restart vrrp missed comma between services (backport #4054)
(cherry picked from commit 595f35bbdda732883ce0b8b0721061bb3a40a715)
(cherry picked from commit f00d43381516326061db5287d841ad52e79d6271)
(cherry picked from commit 333672bee041f0f2b8e1b698a8eb2108694ad812)
T6007: revise migration system
Missing comma in the list between services
'ssh', 'suricata' 'vrrp', 'webproxy'
Fix it
(cherry picked from commit a3ddd2cb8994deefd378951806b5dc35067d06a7)
Add ability to set the container network with a disable-dns setting to disable
the DNS plugin that is on by default.
set container network <network> no-name-server
(cherry picked from commit 1d5625d572cc25a9d53247b7c41177f17845b052)
(cherry picked from commit 08d4fcbc6243022cda0e889d99817d8e4e0ead78)
(cherry picked from commit 51865448599ec40283fffe4dc15729f88f389886)
(cherry picked from commit cd347713196cc8b48ea394365501e54a04d5e6e4)
(cherry picked from commit f67753bf10ac217040aa7d86117fb44c7b743327)
(cherry picked from commit 271fcff986c11e3300f3abd66c603a125abd8dd1)
(cherry picked from commit 26740a8d583f64dc0a27b59dd4ae303056972c0b)
(cherry picked from commit 7d20a52e02bec76474ca060fcb1eaeca52c52001)
During podman upgrade and a build from the original source the UNIX socket
definition for systemd got lost in translation.
This commit re-adds the UNIX socket which is started on boot to interact with
Podman.
Example:
curl --unix-socket /run/podman/podman.sock -H 'content-type: application/json' \
-sf http://localhost/containers/json
(cherry picked from commit f67e217f2716937115a3bdf6d316b172bbec75e5)
(cherry picked from commit d4b6bed84e5ac4214f2eae0e6ee7c1f4e0852222)
(cherry picked from commit 8500e8658ff10f52739143fd7814cf60c9195f16)
T6672: Fix system option ssh-client source-interface (backport #4000)
wireless: T6318: move country-code to a system wide configuration (backport #3656)
Wireless devices are subject to regulations issued by authorities. For any
given AP or router, there will most likely be no case where one wireless NIC is
located in one country and another wireless NIC in the same device is located
in another country, resulting in different regulatory domains applying to the
same box.
Currently, wireless regulatory domains in VyOS need to be configured per-NIC:
set interfaces wireless wlan0 country-code us
This leads to several side-effects:
* When operating multiple WiFi NICs, they all can have different regulatory
domains configured which might offend legislation.
* Some NICs need additional entries to /etc/modprobe.d/cfg80211.conf to apply
regulatory domain settings, such as: "options cfg80211 ieee80211_regdom=US"
This is true for the Compex WLE600VX. This setting cannot be done
per-interface.
Migrate the first found wireless module country-code from the wireless
interface CLI to: "system wireless country-code"
(cherry picked from commit 9e22ab6b2aee48029d3455f65880e45c558cf1da)
(cherry picked from commit 5f780ebb7f1799eb9a93218bb83561db509c7e56)
Co-authored-by: Viacheslav Hletenko <v.gletenko@vyos.io>
Fix for system option ssh-client source-interface
For the `verify_source_interface` the key `ifname` is required
(cherry picked from commit f453b33a6056de8fc5145ca9e680361fbce68348)
# Conflicts:
# smoketest/scripts/cli/test_system_option.py
(cherry picked from commit 71d6d0fe31db13f4ddf5c75209b9bba88a1e0a32)
(cherry picked from commit 663e468de2b431f771534b4e3a2d00a5924b98fe)
(cherry picked from commit 69ab44309d56d73d92c2f8a7b0b4ca3016e61ff6)
configd: T6633: inject missing env vars for configfs utility (backport #3937)
configverify: T6642: verify_interface_exists requires config_dict arg (backport #3961)
(cherry picked from commit a9024f302fd9657a0e6ef274cfc1dedccaf9d1a3)
configd: T6640: enforce in_session returns False under configd (backport #3955)
The function verify_interface_exists requires a reference to the ambient
config_dict rather than creating an instance. As access is required to
the 'interfaces' path, provide it as an attribute of class ConfigDict, so as
not to confuse path searches of script-specific config_dict instances.
(cherry picked from commit 5f23b7275564cfaa7c178d320868b5f5e86ae606)
(cherry picked from commit ed63c9d1896a218715e13e1799fc059f4561f75e)
The CStore in_session check is a false positive outside of a config
session if a specific environment variable is set with an existing
referent in unionfs. To allow extensions when running under configd and
avoid confusion, enforce in_session returns False.
(cherry picked from commit 6543f444c42ff45e8115366256643186bf1dd567)
(cherry picked from commit 9979afa15650bd609399030da1751488baaac70b)