summaryrefslogtreecommitdiff
path: root/data/live-build-config
AgeCommit message (Collapse)Author
2024-12-06Merge pull request #824 from jestabro/vyconf-minimalDaniil Baturin
T6718: use the vyconf daemon for validation of set commands
2024-11-13image-tools: T6864: keep file necessary for compat add imageJohn Estabrook
Revert "T1416: remove deprecated default-union-grub-entry" This reverts commit d50707bb295dbd4bc50e3d0301fc8be605448429. The file grub/default-union-grub-entry and its companion install-image/postinst are needed for 'compatibility-mode' upgrades: when upgrading from a system with legacy image-tools, those two files are expected to exist in the mounted image of the target iso.
2024-10-25T6718: vyconfd.service is started by vyos-routerJohn Estabrook
2024-10-25live: T5568: Fix live grub menu entriessarthurdev
2024-10-17build: T6776: use the official Zabbix repo for zabbix-agent2Daniil Baturin
2024-09-25T861: sign all Kernel modules with an ephemeral keyChristian Breunig
The shim review board (which is the secure boot base loader) recommends using ephemeral keys when signing the Linux Kernel. This commit enables the Kernel build system to generate a one-time ephemeral key that is used to: * sign all build-in Kernel modules * sign all other out-of-tree Kernel modules The key lives in /tmp and is destroyed after the build container exits and is named: "VyOS build time autogenerated kernel key". In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE. This now makes it unable to load any Kernel Module to the image that is NOT signed by the ephemeral key.
2024-09-22T861: stripping Kernel modules would also remove module signaturesChristian Breunig
As the VyOS Linux Kernel will be compiled with CONFIG_MODULE_SIG_FORCE all driver modules need to be cryptographically signed. This happens during build of the Kernel and it's 3rd party modules. Stripping the objects would remove said signature and the system will be unable to boot b/c of CONFIG_MODULE_SIG_FORCE.
2024-09-14T861: add UEFI Secure Boot supportChristian Breunig
This adds support for UEFI Secure Boot. It adds the missing pieces to the Linux Kernel and enforces module signing. This results in an additional security layer where untrusted (unsigned) Kernel modules can no longer be loaded into the live system. NOTE: This commit will not work unless signing keys are present. Arbitrary keys can be generated using instructions found in: data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
2024-09-05T1416: remove deprecated default-union-grub-entryChristian Breunig
2024-07-23podman: T6598: add custom podman build for version 4.9.5Christian Breunig
2024-07-08container: T5867: pin specific podman versionChristian Breunig
As of Debian version 4.9.5+ds1-1 podman increased the dependency on libc6 and libgpgme11t64. podman : Depends: libc6 (>= 2.38) but 2.36-9+deb12u7 is to be installed Depends: libgpgme11t64 (>= 1.4.1) but it is not going to be installed Pin the version to a prior one that requires the old libc.
2024-06-30T6527: remove legacy packagesChristian Breunig
2024-06-22T6507: remove references to vyos-world packageChristian Breunig
As we got rid of most of the old vyatta packages we can now also discontinue vyos-world. It only served the purpose of keeping the package list during ISO build small.
2024-06-05migration: T6006: move config.boot.default to vyos-1xJohn Estabrook
2024-05-16T6356: normalize '.., ntp, server' path syntax in config.boot.defaultJohn Estabrook
2024-05-16Merge pull request #624 from c-po/targetChristian Breunig
hooks: T6346: set default boot target to multi-user.target
2024-05-16hooks: T6346: set default boot target to multi-user.targetChristian Breunig
2024-05-16Merge pull request #614 from aidan-gibson/currentChristian Breunig
T6333 non-free-firmware to trixie
2024-05-16T6333: drop reference to non-free of trixie as it's not usedAidan Gibson
2024-05-14Merge pull request #582 from 0xThiebaut/suricataChristian Breunig
suricata: T751: Disable suricata.service by default
2024-05-14T3420: Remove service upnpViacheslav Hletenko
2024-05-03container: T5867: podman depends on libgpgme11t64 from trixieChristian Breunig
2024-05-03suricata: T751: Disable suricata.service by defaultMaxime THIEBAUT
2024-04-23iso: T6262: update the boot splash for 1.5/CircinusDaniil Baturin
Picture courtesy of Oleg Gorobets
2024-04-11Enhance config.boot.default NTP allow-clients for T5694 and T6123Ginko
Adds ipv4/ipv6 localhost, link-local and private address as allowed-clients to NTP service.
2024-04-11Merge pull request #556 from sever-sever/T6228Christian Breunig
T6228: Cleanup of not existing systemd units
2024-04-11T6228: Cleanup of not existing systemd unitsViacheslav Hletenko
Delete not existing units: ``` 06:12:51 Failed to disable unit, unit logd.service does not exist. 06:12:51 Failed to disable unit, unit heartbeat.service does not exist. ```
2024-04-11T1797: Delete not exist disable vpp serviceViacheslav Hletenko
The builder log: ``` 06:12:53 Failed to disable unit, unit vpp.service does not exist. ```
2024-04-02Update the rolling release signing keyDaniil Baturin
2024-03-22ixgbe: T6155: remove modprobe.d option fileChristian Breunig
2024-02-28banner: T6077: implement ASCII contest winner default logoChristian Breunig
2024-01-14T5945: add minisign public key for rolling releasegreenpsi
2024-01-04Kernel: T5887: update Linux Kernel to v6.6.9Christian Breunig
2023-12-28container: T5867: upgrade podman to 4.7.2 (Debian Trixie)Christian Breunig
2023-12-20ssh: T5841: Remove ssh-session-cleanup.serviceIndrajit Raychaudhuri
With libpam-systemd >= 230-2, ssh-session-cleanup.service is no longer necessary because when `UsePAM yes` in `/etc/ssh/sshd_config` (which is the default), SSH sessions are cleaned up automatically when ssh-server is shutdown or the system is rebooted.
2023-12-14initramfs: T5824: Added `openssl.cnf` to initramfszsdc
Without `openssl.cnf` software that uses `libssl` (for example busybox) has issues with connections to some HTTPS servers.
2023-12-09Merge pull request #336 from sarthurdev/keaChristian Breunig
dhcp: T3316: Disable Kea services
2023-12-08T5809: live-build-config: insmod gzio for vmlinuz kernels on arm64Mathew McBride
Without this, GRUB will report a 'invalid magic' or 'missing UEFI stub' error when loading kernels on arm64. This change has no effect on x86-64 systems.
2023-12-03T4426: disable arpwatch.service by defaultChristian Breunig
2023-11-15image: T4516: enable vyos-grub-update serviceJohn Estabrook
2023-10-05dhcp: T3316: Disable Kea servicessarthurdev
2023-10-04T5589: Nonstripped binaries exists in VyOSApachez
2023-10-03Merge pull request #426 from Apachez-/T5589Daniil Baturin
T5589: Nonstripped binaries exists in VyOS
2023-09-30T5624: Remove /etc/debian_version from the imageApachez
2023-09-26T5589: Nonstripped binaries exists in VyOSApachez
2023-09-26T5589: Nonstripped binaries exists in VyOSApachez
2023-09-16T5511: Cleanup of unused directories (and files) in order to shrink image-sizeApachez
2023-09-16T5511: drop empty hooksChristian Breunig
This is a roundup commit to 0be277647 ("T5511: Cleanup of unused directories (and files) in order to shrink image-size") that dropy empty/commented out live-build hook scripts.
2023-09-16T5511: Cleanup of unused directories (and files) in order to shrink image-sizeApachez
2023-09-14live: T5568: Add serial boot option to live ISOsarthurdev
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-24 13:34:07 +0000