Age | Commit message | Author

ipsec: T7545: Fix show vpn debug peer

T7499: update config merge tools

Fix re for searching peers in /etc/swanctl/swanctl.conf
```
search = rf'^[\s]*(peer_{peer}_(tunnel_[\d]+|vti)).*'
```
Changed to
```
search = rf'^[\s]*({peer}-(tunnel-[\d]+|vti))[\s]*{{'
```
Added message
```
print(f'\n### {command} ###')
```
so that output is not empty when `/usr/sbin/ipsec statusall`
shows nothing
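Worked example, added here and not code from the vyos-1x commit above: a small matcher that applies the corrected pattern to a constructed swanctl.conf excerpt, next to the old underscore-based pattern for comparison. The sample config, the function names and the `re.escape()` around the peer name (a guard the original pattern does not have) are assumptions of this example.

```python
import re

# Constructed swanctl.conf excerpt in the <peer>-tunnel-<n> / <peer>-vti naming
# the corrected pattern expects. Connection and child blocks share a name here
# by assumption, which is why matches are de-duplicated.
SAMPLE_SWANCTL_CONF = """\
connections {
    office-tunnel-0 {
        local_addrs = 192.0.2.1
        children {
            office-tunnel-0 {
                mode = tunnel
            }
        }
    }
    office-tunnel-1 {
        local_addrs = 192.0.2.1
    }
    office-vti {
        local_addrs = 192.0.2.1
    }
    office2-tunnel-0 {
        local_addrs = 192.0.2.2
    }
}
"""


def _connection_names(conf_text: str, pattern: str) -> list:
    """Return the unique group-1 matches of PATTERN, checked line by line."""
    found = []
    for line in conf_text.splitlines():
        m = re.match(pattern, line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def find_peer_connections(conf_text: str, peer: str) -> list:
    """New-style names: '<peer>-tunnel-<n> {' or '<peer>-vti {'.

    Same shape as the corrected pattern in the commit; re.escape() is an
    addition so a peer name containing '.' or '+' cannot widen the match.
    A lone '{' is a literal in Python's re, as in the original pattern.
    """
    return _connection_names(conf_text, rf'^\s*({re.escape(peer)}-(tunnel-\d+|vti))\s*{{')


def find_peer_connections_legacy(conf_text: str, peer: str) -> list:
    """Old pattern (peer_<peer>_tunnel_<n>); finds nothing in the new layout."""
    return _connection_names(conf_text, rf'^\s*(peer_{re.escape(peer)}_(tunnel_\d+|vti)).*')


if __name__ == '__main__':
    print(find_peer_connections(SAMPLE_SWANCTL_CONF, 'office'))
    print(find_peer_connections_legacy(SAMPLE_SWANCTL_CONF, 'office'))
```

The trailing `\s*{` is what stops a peer named `office` from also matching `office2-tunnel-0`, and de-duplication keeps the child SA block from listing the same name twice.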

Fix for service monitoring prometheus stopping unconfigured services.
Check if the service is in an active state before stopping it.

Refactor the blocking code in config handlers (endpoints /configure,
/config-file) to run in a threadpool; this allows defining the handler
as async. Consequently, the handler itself runs in the main thread,
avoiding the need for thread registration for libvyosconfig function
calls.

T7591: remove copyright years from source files

T7587: Fix uuidgen warning if DMI doesn't have product_serial or it is empty

The legal team says years are not necessary so we can go ahead with it, since
it will simplify backporting.
Automatically removed using:
```
git ls-files | grep -v libvyosconfig | xargs sed -i -E \
    's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors <maintainers@vyos.io>/g'
```
In addition we will error-out during "make" if someone re-adds a legacy
copyright notice

* For VRF create/delete:
* Simple dquoting, as before, was parsed away by the shell
* Just escaping the double quotes could cause issues with the shell mangling
VRF names (however unlikely)
* Wrapping original quotes in shell-escaped single quotes is a quick & easy
way to guard against both improper shell parsing and string names being
taken as nft keywords.
* Firewall configuration:
* Firewall "interface name" rules support VRF ifnames and used them unquoted,
fixed for nft_rule template tags (parse_rule)
* Went through and quoted all iif/oifname usage by zones and interface
groups. VRF ifnames weren't available for all cases, but there is
no harm in completeness.
* For this, also created a simple quoted_join template filter to replace
any use of |join(',')
* PBR calls nft but doesn't mind the "vni" name - table IDs used instead
I may have missed some niche nft use-cases that would be exposed to this problem.
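Added example, not code from the commit above: a quoting helper in the spirit of the quoted_join filter the message describes, plus the shell-escaping step that wraps the nft double quotes in single quotes, applied to a VRF named "vni", which the message cites as a name nft otherwise takes as a keyword. The accepted character set, the function names and the nft command line (table "filter") are assumptions of this example; it renders strings and does not call nft.

```python
import shlex

# Characters this example accepts in a kernel interface or VRF name; anything
# else is rejected rather than escaped (an assumption of this example).
_SAFE_CHARS = frozenset('abcdefghijklmnopqrstuvwxyz'
                        'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.')


def is_safe_ifname(name: str) -> bool:
    """True for a non-empty name of at most 15 characters from _SAFE_CHARS."""
    return 0 < len(name) <= 15 and all(c in _SAFE_CHARS for c in name)


def nft_quote(name: str) -> str:
    """Render NAME as a double-quoted nft string literal.

    The quotes are what keep a name such as "vni" from being read as an
    nft keyword; names outside the safe set are refused, not escaped.
    """
    if not is_safe_ifname(name):
        raise ValueError(f'refusing to render interface name {name!r}')
    return f'"{name}"'


def quoted_join(names, sep=',') -> str:
    """Quote every name and join them: this example's stand-in for the
    quoted_join template filter the commit message mentions."""
    return sep.join(nft_quote(n) for n in names)


def ifname_match(direction: str, names) -> str:
    """Render an iifname/oifname match: a bare literal for one name,
    an anonymous set for several."""
    if direction not in ('iifname', 'oifname'):
        raise ValueError(direction)
    names = list(names)
    if len(names) == 1:
        return f'{direction} {quoted_join(names)}'
    return f'{direction} {{ {quoted_join(names)} }}'


def nft_shell_cmd(argv) -> str:
    """Shell-escape an nft argv so the nft-level double quotes reach nft
    intact: shlex.quote wraps '"vni"' as '\'"vni"\'', the single-quote
    wrapping the commit message describes."""
    return ' '.join(shlex.quote(a) for a in argv)


if __name__ == '__main__':
    # Hypothetical rule; table and chain names are not VyOS's.
    rule = ['nft', 'add', 'rule', 'inet', 'filter', 'forward',
            'iifname', nft_quote('vni'), 'accept']
    print(nft_shell_cmd(rule))
```

Passing the argv list straight to subprocess without a shell removes the second quoting layer entirely; the shell-escaped form is only needed where a command string is handed to a shell.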

Write the health-status on the very first run of the script,
without waiting for any change in status, to show the current
state to the show command. In show command use the same api
to get the now timestamp as used in state change timestamp.

T7570: add missing list of scripts to be committed, needed for configdep

pki: T7574: add optional force argument to renew certbot-issued certificates

pki: T7573: fix TypeError when HAProxy is not in use

Commit 59d86826a2f ("haproxy: T7122: add ACME/certbot bootstrap support")
introduced a regression where a None value was inadvertently iterated over.
This patch prevents the invalid access by verifying that all required keys are
present in the dictionary before proceeding.

Certbot renewal command in op-mode "renew certbot" only works if any of the
certificates is up for renewal. There is no CLI option to forcefully renew a
certificate. This is about adding a force option to the CLI and with this
addition move the entire certbot renew handling to new-style op-mode commands.
```
vyos@vyos:~$ renew certbot force
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /config/auth/letsencrypt/renewal/vyos.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for vyos.io
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /config/auth/letsencrypt/live/vyos/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hook 'post-hook' ran with output:
 Updating certificates in /etc/ssl/certs...
 0 added, 0 removed; done.
 Running hooks in /etc/ca-certificates/update.d...
 done.
```

firewall: T6951: Add a configuration command for ethertypes that bridge firewalls should always accept

1.3.x did not disallow an ip address as value of:
protocols static route addr next-hop-interface
Consequently, the case should be checked and handled during migration.

firewalls should always accept

journald

T7488: add utility for automatic rollback of section on apply stage error

T7432: RPKI VRF Support

openvpn: T7056: Raise error if non-TAP device is bridged

Leave hint if vyos-configd encounters an error in the generate/apply
stages: this only detects 'first-order' differences, meaning those
originating from the called config mode script, and not its
dependencies. This is useful for supporting automatic rollback for
certain cases of apply stage error.

dmbaturin/T7527-eliminate-embedded-op-mode-shell-snippets
op-mode: T7527: move assorted embedded shell snippets to script files

T7492: Fix modem connection code

T7510: ospfd.frr.j2 ospf nssa translation error - fix template

For certain commands, notably 'commit', a python script is preferable to
the more responsive executable vyconf_cli. Criteria are (1) longer
running process, not benefiting from a compiled tool (2) convenience of
integration with the ecosystem, for example pre-/post-commit hooks.

T7532: container sysctl parameter values are quoted

To keep existing CLI behavior use a Warning() to prompt the user for an invalid
configuration. It is not possible to have more than one area-type defined per
area logically - the CLI does support it. In addition the backbone area cannot
be of type STUB or NSSA.
CLI configuration should be cleaned up using a migrator in the future.

Previously, we used a lower limit of 1 and a default value of 32768 for the
nf_conntrack_buckets (conntrack hash-size) sysctl option. However, the Linux
kernel enforces an internal minimum of 1024. A configuration migrator will now
adjust the lower limit to 1024 if necessary.
The former default value of 32768 was passed as a kernel module option, which
only took effect after the second system reboot. This was due to the option being
rendered but not applied during the first boot. This behavior has been changed so
that the value is now configurable at runtime and takes effect immediately.
Additionally, since VyOS 1.4 increased the hardware requirements to 4GB of RAM,
we now align the default value of nf_conntrack_buckets with the kernel's
default for systems with more than 1GB of RAM to 65536 entries. Previously, we
only supported half that amount.