Age | Commit message | Author |
|
The issue ONLY appears on small terminals where systemd automatically truncates
the lines to match the terminal width - so far so good. The BUG is, if
truncation happens in the service name which is BOLD you're pretty much
screwed, as truncation will not reset the color.
We can set StatusUnitFormat=description in /etc/systemd/system.conf which will
not print the service long description to avoid truncation making the boot a
little less verbose.
This actually restores the behavior of VyOS 1.3
|
Revert "T1416: remove deprecated default-union-grub-entry"
This reverts commit d50707bb295dbd4bc50e3d0301fc8be605448429.
The file grub/default-union-grub-entry and its companion
install-image/postinst are needed for 'compatibility-mode' upgrades:
when upgrading from a system with legacy image-tools, those two files
are expected to exist in the mounted image of the target iso.
|
The shim review board (which is the secure boot base loader) recommends using
ephemeral keys when signing the Linux Kernel. This commit enables the Kernel
build system to generate a one-time ephemeral key that is used to:
* sign all built-in Kernel modules
* sign all other out-of-tree Kernel modules
The key lives in /tmp and is destroyed after the build container exits and is
named: "VyOS build time autogenerated kernel key".
In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE. This now makes it
unable to load any Kernel Module to the image that is NOT signed by the
ephemeral key.
|
This adds support for UEFI Secure Boot. It adds the missing pieces to the Linux
Kernel and enforces module signing. This results in an additional security
layer where untrusted (unsigned) Kernel modules can no longer be loaded into
the live system.
NOTE: This commit will not work unless signing keys are present. Arbitrary
keys can be generated using instructions found in:
data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
|
Adds IPv4/IPv6 localhost, link-local and private addresses as allowed-clients to NTP service.
|
With libpam-systemd >= 230-2, ssh-session-cleanup.service is no longer
necessary because when `UsePAM yes` in `/etc/ssh/sshd_config` (which is
the default), SSH sessions are cleaned up automatically when ssh-server
is shut down or the system is rebooted.
|
Without `openssl.cnf`, software that uses `libssl` (for example busybox) has
issues with connections to some HTTPS servers.
|
T4966: Delay UDEV execution, avoid rename deadlock
|
Replace links to the phabricator site from https://phabricator.vyos.net to
https://vyos.dev
|
UDEV will rename interfaces from whatever the kernel called them
to eX before converting them to ethX during init. In current VyOS,
the second renaming operation can run into a lock on the adapter
preventing altering its name. As a result, the adapter will remain
in the eX configuration, preventing proper execution of subsequent
scripts and configuration stanzas.
The initial renaming step has to remain as it is needed to work
around other issues, which leaves the somewhat hacky approach of
delaying the second renaming step slightly in an effort to let the
device lock holders settle, releasing it for rename to ethX. This
is accomplished by a kernel commandline parameter (3s), which can be
tweaked to reduce impact or wait longer as needed on different
devices - udev.exec_delay=3
|
This reverts commit c93c12d0813b276501562bc88bea68daee60b266.
|
(cherry picked from commit f9c89e3565037b4f60aef2577f9fdaa70da7b751)
|
This reverts commit c753685173a48fdc2e47694f4b896e241caa7beb, reversing
changes made to 1d3d0401eeb9e8138f606433b6bbcd8c3f76c898.
|
This is a roundup commit to ae2279e ("Kernel: no longer build Intel out-of-tree
NIC drivers") as the in-tree drivers do not support this option, they always use
the maximum available number.
|
This reverts commit b234558db422390ed4d995e9134fe91c37d6cc8f.
|
Included:
* libnss_dns.so.2 (required for DNS resolving from initramfs)
* ca-certificates.crt (required for fetching files via HTTPS)
|
The script allows including in the initramfs, or including and forcing to load, any modules listed inside.
Initially, the script replaces the trick used for Intel drivers
|
There is no sense in having a user level when in fact there is only the one
level "admin".
|