From 71237a31c41ce0cf9aa2c1b13a976dcc8906079f Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Wed, 17 Oct 2018 20:15:21 +0200 Subject: vyos-1x now depends on isc-dhcp-relay --- debian/control | 1 + 1 file changed, 1 insertion(+) (limited to 'debian') diff --git a/debian/control b/debian/control index 4cd852687..580c929bf 100644 --- a/debian/control +++ b/debian/control @@ -40,6 +40,7 @@ Depends: python3, libvyosconfig0, beep, isc-dhcp-server, + isc-dhcp-relay, keepalived (>=2.0.5), wireguard, tftpd-hpa, -- cgit v1.2.3 From 06d4635eba6a8d11d92d13c41f09d2ade254f770 Mon Sep 17 00:00:00 2001 From: UnicronNL Date: Fri, 19 Oct 2018 00:33:55 +0200 Subject: Add Client keepalive option for use with cloud-init Add option to specify multiple listening ports Clean up template generation layout --- debian/control | 4 ++- interface-definitions/ssh.xml | 9 +++++++ src/conf_mode/ssh.py | 57 +++++++++++++++++++++++++++++++++---------- 3 files changed, 56 insertions(+), 14 deletions(-) (limited to 'debian') diff --git a/debian/control b/debian/control index 4cd852687..c0ce26c86 100644 --- a/debian/control +++ b/debian/control @@ -9,7 +9,9 @@ Build-Depends: debhelper (>= 9), quilt, python3-lxml, python3-nose, - python3-coverage + python3-coverage, + whois, + libvyosconfig0 Standards-Version: 3.9.6 Package: vyos-1x diff --git a/interface-definitions/ssh.xml b/interface-definitions/ssh.xml index 35fe79214..422e6d64d 100644 --- a/interface-definitions/ssh.xml +++ b/interface-definitions/ssh.xml @@ -167,11 +167,20 @@ 1-65535 Numeric IP port + + + + how often send keep alives in seconds + + + + + diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py index beca7bb9a..b681acea3 100755 --- a/src/conf_mode/ssh.py +++ b/src/conf_mode/ssh.py 
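Review bot: In the second commit's debian/control hunk, `whois` and `libvyosconfig0` are added to Build-Depends, but neither the commit message nor the other two files in its diffstat say what needs them at build time; if they are required by the nose run for src/conf_mode/ssh.py, the message should say so. `libvyosconfig0` is already a runtime dependency in the `Depends:` stanza shown in the first commit's hunk, so it is worth confirming it is genuinely needed for the build and not added by mistake. Note also that both commits touch debian/control starting from the same blob (`index 4cd852687..`), so whichever lands second will need a re-merge of this file.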
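Review bot: The help text of the new keepalive node reads `how often send keep alives in seconds`; suggest `Interval in seconds between client keepalive messages (ClientAliveInterval)`. The XML markup has been stripped in this rendering, so it is not visible whether the node carries a numeric constraint; since the value is written verbatim as `ClientAliveInterval {{ client_keepalive }}` by the ssh.py hunk below, a non-numeric or negative value would yield an sshd_config that sshd refuses to load, with remote access as the casualty. The sibling `port` node in the context above carries a `1-65535` constraint, and this node should carry an equivalent non-negative integer constraint.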
@@ -67,7 +67,13 @@ UseDNS {{ host_validation }}
 # Specifies the port number that sshd listens on. The default is 22.
 # Multiple options of this type are permitted.
+{% if mport|length != 0 %}
+{% for p in mport %}
+Port {{ p }}
+{% endfor %}
+{% else %}
 Port {{ port }}
+{% endif %}
 # Gives the verbosity level that is used when logging messages from sshd
 LogLevel {{ log_level }}
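Review bot: `{% if mport|length != 0 %}` is a roundabout truthiness test; an empty list is already false in Jinja, so `{% if mport %}` reads better and, as far as I can tell, behaves the same for the not-configured case where `mport` is undefined (Jinja's default Undefined reports length 0 and is false). The `config_tmpl` string this hunk belongs to starts outside the hunk.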
@@ -78,64 +84,80 @@ PermitRootLogin {{ allow_root }}
 # Specifies whether password authentication is allowed
 PasswordAuthentication {{ password_authentication }}
-{% if listen_on -%}
+{% if listen_on %}
 # Specifies the local addresses sshd should listen on
-{% for a in listen_on -%}
+{% for a in listen_on %}
 ListenAddress {{ a }}
-{% endfor -%}
+{% endfor %}
+{{ "\n" }}
 {% endif %}
-{% if ciphers -%}
+{%- if ciphers %}
 # Specifies the ciphers allowed. Multiple ciphers must be comma-separated.
 #
 # NOTE: As of now, there is no 'multi' node for 'ciphers', thus we have only one :/
 Ciphers {{ ciphers | join(",") }}
+{{ "\n" }}
 {% endif %}
-{% if mac -%}
+{%- if mac %}
 # Specifies the available MAC (message authentication code) algorithms. The MAC
 # algorithm is used for data integrity protection. Multiple algorithms must be
 # comma-separated.
 #
 # NOTE: As of now, there is no 'multi' node for 'mac', thus we have only one :/
 MACs {{ mac | join(",") }}
+{{ "\n" }}
 {% endif %}
-{% if key_exchange -%}
+{%- if key_exchange %}
 # Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must
 # be comma-separated.
 #
 # NOTE: As of now, there is no 'multi' node for 'key-exchange', thus we have only one :/
 KexAlgorithms {{ key_exchange | join(",") }}
+{{ "\n" }}
 {% endif %}
-{% if allow_users -%}
+{%- if allow_users %}
 # This keyword can be followed by a list of user name patterns, separated by spaces.
 # If specified, login is allowed only for user names that match one of the patterns.
 # Only user names are valid, a numerical user ID is not recognized.
 AllowUsers {{ allow_users | join(" ") }}
+{{ "\n" }}
 {% endif %}
-{% if allow_groups -%}
+{%- if allow_groups %}
 # This keyword can be followed by a list of group name patterns, separated by spaces.
 # If specified, login is allowed only for users whose primary group or supplementary
 # group list matches one of the patterns. Only group names are valid, a numerical group
 # ID is not recognized.
AllowGroups {{ allow_groups | join(" ") }}
+{{ "\n" }}
 {% endif %}
-{% if deny_users -%}
+{%- if deny_users %}
 # This keyword can be followed by a list of user name patterns, separated by spaces.
 # Login is disallowed for user names that match one of the patterns. Only user names
 # are valid, a numerical user ID is not recognized.
 DenyUsers {{ deny_users | join(" ") }}
+{{ "\n" }}
 {% endif %}
-{% if deny_groups -%}
+{%- if deny_groups %}
 # This keyword can be followed by a list of group name patterns, separated by spaces.
 # Login is disallowed for users whose primary group or supplementary group list matches
 # one of the patterns. Only group names are valid, a numerical group ID is not recognized.
 DenyGroups {{ deny_groups | join(" ") }}
+{{ "\n" }}
+{% endif %}
+
+{%- if client_keepalive %}
+# Sets a timeout interval in seconds after which if no data has been received from the client,
+# sshd will send a message through the encrypted channel to request a response from the client.
+# The default is 0, indicating that these messages will not be sent to the client.
+# This option applies to protocol version 2 only.
+ClientAliveInterval {{ client_keepalive }}
 {% endif %}
 """
@@ -208,8 +230,17 @@ def get_config():
 ssh['mac'] = mac
 if conf.exists('port'):
- port = conf.return_value('port')
- ssh['port'] = port
+ ports = conf.return_values('port')
+ mport = []
+
+ for prt in ports:
+ mport.append(prt)
+
+ ssh['mport'] = mport
+
+ if conf.exists('client-keepalive-interval'):
+ client_keepalive = conf.return_value('client-keepalive-interval')
+ ssh['client_keepalive'] = client_keepalive
 return ssh
@@ -228,7 +259,7 @@ def generate(ssh):
 if ssh is None:
 return None
- tmpl = jinja2.Template(config_tmpl)
+ tmpl = jinja2.Template(config_tmpl, trim_blocks=True)
 config_text = tmpl.render(ssh)
 with open(config_file, 'w') as f:
 f.write(config_text)
-- cgit v1.2.3
From 4029814a1ee22d02748ab92e01c357c66a9f9137 Mon Sep 17 00:00:00 2001
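Review bot: The eight `{{ "\n" }}` expressions added after each block only re-create the blank line that `trim_blocks=True` (the generate() hunk) now removes after `{% endif %}`; a literal empty line inside the block before `{% endif %}` should render identically under trim_blocks and is easier to read — verify against the rendered sshd_config before switching. The new ClientAliveInterval block's comment could also say that the client is dropped only after the probes allowed by sshd's `ClientAliveCountMax` go unanswered, since that is what makes this a real idle-session cut-off rather than a bare keepalive; e.g. append `# Together with ClientAliveCountMax (sshd default applies) this ends unresponsive sessions.` The config_tmpl string begins outside this hunk.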
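Review bot: In the get_config() hunk, `mport = []` followed by `for prt in ports: mport.append(prt)` copies a list element by element; `ssh['mport'] = conf.return_values('port')` (or `list(conf.return_values('port'))` if an independent copy is wanted) does the same in one line. Removing the `ssh['port'] = port` assignment means the `port` key is no longer populated from the configuration, so the template's `{% else %}` branch `Port {{ port }}` now depends entirely on a default for `port` that lies outside this hunk; please confirm it still exists, and add a comment such as `# 'port' keeps its default; configured ports are rendered from 'mport'`. get_config() starts outside the hunk.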
From: hagbard Date: Thu, 25 Oct 2018 11:34:24 -0700 Subject: T933: vrrp split brain while using unicast mode and virtual mac address - adding vmac_xmit_base to keepalived.conf when use_vmac is being used otherwise both nodes will become master --- debian/changelog | 7 +++++++ src/conf_mode/vrrp.py | 1 + 2 files changed, 8 insertions(+) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index a7c428cda..1d0d37d51 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +vyos-1x (1.2.0-3) unstable; urgency=medium + + * T933: adding vmac_xmit_base if use_vmac has been chosen + to avoid split-brain + + -- hagbard Thu, 25 Oct 2018 11:14:44 -0700 + vyos-1x (1.2.0-2) unstable; urgency=medium * T773: adding wireguard support diff --git a/src/conf_mode/vrrp.py b/src/conf_mode/vrrp.py index 0480a886a..c458e3b04 100755 --- a/src/conf_mode/vrrp.py +++ b/src/conf_mode/vrrp.py @@ -78,6 +78,7 @@ vrrp_instance {{ group.name }} { {% if group.use_vmac -%} use_vmac {{group.interface}}v{{group.vrid}} + vmac_xmit_base {% endif -%} {% if group.auth_password -%} -- cgit v1.2.3
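Review bot: `vmac_xmit_base` is now emitted for every group that sets `use_vmac`, while the commit message and changelog scope the split-brain problem to unicast mode; if applying it to multicast groups as well is intended, a one-line template comment would save the next reader a trip to T933, e.g. `# T933: send adverts via the base interface when a virtual MAC is in use, otherwise both nodes become master in unicast mode`. If it is not intended for multicast groups, the new line should be guarded by the group's unicast setting, which is not visible in this hunk. The `vrrp_instance` block that the hunk edits starts and ends outside the hunk.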