-rw-r--r-- | CODEOWNERS | 2
-rw-r--r-- | docs/cli.rst | 1
-rw-r--r-- | docs/configuration/container/index.rst | 14
-rw-r--r-- | docs/configuration/firewall/groups.rst | 42
-rw-r--r-- | docs/configuration/firewall/zone.rst | 101
-rw-r--r-- | docs/configuration/policy/route-map.rst | 4
-rw-r--r-- | docs/configuration/protocols/failover.rst | 9
-rw-r--r-- | docs/configuration/protocols/ospf.rst | 13
-rw-r--r-- | docs/configuration/service/dhcp-server.rst | 212
-rw-r--r-- | docs/configuration/service/ids.rst | 179
-rw-r--r-- | docs/configuration/service/index.rst | 1
-rw-r--r-- | docs/configuration/service/router-advert.rst | 5
-rw-r--r-- | docs/configuration/system/option.rst | 5
-rw-r--r-- | docs/configuration/vrf/index.rst | 6
-rw-r--r-- | docs/contributing/build-vyos.rst | 2
-rw-r--r-- | docs/installation/index.rst | 1
-rw-r--r-- | docs/installation/migrate-from-vyatta.rst | 164
-rw-r--r-- | docs/installation/secure-boot.rst | 20
18 files changed, 359 insertions, 422 deletions
@@ -1,2 +1,2 @@ -* @vyos/reviewers +# * @vyos/reviewers * @rebortg
\ No newline at end of file diff --git a/docs/cli.rst b/docs/cli.rst index 74e803dc..550494fa 100644 --- a/docs/cli.rst +++ b/docs/cli.rst @@ -116,6 +116,7 @@ impact on a particular users in the network. 192.0.2.54. - ``reset vpn ipsec site-to-site peer vpn.example.com`` — terminates IPsec tunnels to ``vpn.example.com``. +- ``reset session tty1`` — terminates the TTY user session ``tty1`` restart ''''''' diff --git a/docs/configuration/container/index.rst b/docs/configuration/container/index.rst index 5882f6db..8d5ca3de 100644 --- a/docs/configuration/container/index.rst +++ b/docs/configuration/container/index.rst @@ -282,6 +282,20 @@ Container Registry set container registry 192.168.1.1:8080 insecure +Log Configuration +==================== + +.. cfgcmd:: set container log-driver [k8s-file | journald] + + Set the default log driver for containers. + + - **k8s-file**: Logs to a plain text new line deliminated json file + - **journald**: Logs to the systems journal + + Current default is k8s-file. Using journald will result in the logs + not showing up in the container log operation command but the global log command. + + ****************** Operation Commands ****************** diff --git a/docs/configuration/firewall/groups.rst b/docs/configuration/firewall/groups.rst index b7364154..b1accca5 100644 --- a/docs/configuration/firewall/groups.rst +++ b/docs/configuration/firewall/groups.rst 
@@ -37,6 +37,38 @@ In an **address group** a single IP address or IP address range is defined. Provide a IPv4 or IPv6 address group description +Remote Groups +============== + +A **remote-group** takes an argument of a URL hosting a linebreak-deliminated +list of IPv4 and/or IPv6 addresses, CIDRs and ranges. VyOS will pull this list periodicity +according to the frequency defined in the firewall **resolver-interval** and load +matching entries into the group for use in rules. The list will be cached in +persistent storage, so in cases of update failure rules will still function. + +.. cfgcmd:: set firewall group remote-group <name> url <http(s) url> + + Define remote list of IPv4 and/or IPv6 addresses/ranges/CIDRs to fetch + +.. cfgcmd:: set firewall group remote-group <name> description <text> + + Set a description for a remote group + +The format of the remote list is very flexible. VyOS will attempt to parse the +first word of each line as an entry, and will skip if it cannot find a valid +match. Lines that begin with an alphanumeric character but do not match valid IPv4 +or IPv6 addresses, ranges, or CIDRs will be logged to the system log. Below is a +list of acceptable matches that would be parsed correctly: + +.. code-block:: none + + 127.0.0.1 + 127.0.0.0/24 + 127.0.0.1-127.0.0.254 + 2001:db8::1 + 2001:db8:cafe::/48 + 2001:db8:cafe::1-2001:db8:cafe::ffff + Network Groups ============== @@ -231,7 +263,7 @@ As any other firewall group, dynamic firewall groups can be used in firewall rules as matching options. For example: .. code-block:: none - + set firewall ipv4 input filter rule 10 source group dynamic-address-group FOO set firewall ipv4 input filter rule 10 destination group dynamic-address-group BAR 
@@ -245,10 +277,10 @@ General example As said before, once firewall groups are created, they can be referenced either in firewall, nat, nat66 and/or policy-route rules. -Here is an example were multiple groups are created: +Here is an example were multiple groups are created: .. code-block:: none - + set firewall group address-group SERVERS address 198.51.100.101 set firewall group address-group SERVERS address 198.51.100.102 set firewall group network-group TRUSTEDv4 network 192.0.2.0/30 @@ -263,7 +295,7 @@ Here is an example were multiple groups are created: And next, some configuration example where groups are used: .. code-block:: none - + set firewall ipv4 output filter rule 10 action accept set firewall ipv4 output filter rule 10 outbound-interface group !LAN set firewall ipv4 forward filter rule 20 action accept @@ -426,4 +458,4 @@ Here is an example of such command: PORT-SERVERS port_group route-PBR-201 443 route-PBR-201 5000-5010 nat-destination-101 http - vyos@vyos:~$
\ No newline at end of file + vyos@vyos:~$ diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst index 0e659247..836d29fc 100644 --- a/docs/configuration/firewall/zone.rst +++ b/docs/configuration/firewall/zone.rst 
@@ -65,60 +65,94 @@ Configuration As an alternative to applying policy to an interface directly, a zone-based firewall can be created to simplify configuration when multiple interfaces belong to the same security zone. Instead of applying rule-sets to interfaces, -they are applied to source zone-destination zone pairs. +they are applied to source-destination zone pairs. A basic introduction to zone-based firewalls can be found `here <https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_, and an example at :ref:`examples-zone-policy`. +The following steps are required to create a zone-based firewall: + +1. Define both the source and destination zones +2. Define the rule-set +3. Apply the rule-set to the zones + Define a Zone ============= -To define a zone setup either one with interfaces or a local zone. +To define a zone setup either one with interfaces or the local zone. .. cfgcmd:: set firewall zone <name> interface <interface> - Set interfaces to a zone. A zone can have multiple interfaces. - But an interface can only be a member in one zone. + Assign interfaces as a member of a zone. + + .. note:: + + * An interface can only be a member of one zone. + * A zone can have multiple interfaces, with traffic between interfaces in + the same zone subject to the intra-zone-filtering policy (allowed by + default). .. cfgcmd:: set firewall zone <name> local-zone - Define the zone as a local zone. A local zone has no interfaces and - will be applied to the router itself. + Define the zone as the local zone, for traffic originating from and destined + to the router itself. + + .. note:: + + * A local zone cannot have any member interfaces + * There cannot be multiple local zones .. cfgcmd:: set firewall zone <name> default-action [drop | reject] - Change the default-action with this setting. + Change the zone default-action, which applies to traffic destined to this + zone that doesn't match any of the source zone rulesets applied. + +.. 
cfgcmd:: set firewall zone <name> default-log + + Enable logging of packets that hit this zone's default-action (disabled by + default). .. cfgcmd:: set firewall zone <name> description Set a meaningful description. -Applying a Rule-Set to a Zone +Defining a Rule-Set ============================= -Before you are able to apply a rule-set to a zone you have to create the zones -first. +Zone-based firewall rule-sets are for traffic from a *Source Zone* to a +*Destination Zone*. -It helps to think of the syntax as: (see below). The 'rule-set' should be -written from the perspective of: *Source Zone*-to->*Destination Zone* +The rule-sets are created as a custom firewall chain using the commands below +(refer to the firewall IPv4/IPv6 sections for the full syntax): -.. cfgcmd:: set firewall zone <Destination Zone> from <Source Zone> - firewall name <rule-set> +* For :ref:`IPv4<configuration/firewall/ipv4:Firewall - IPv4 Rules>`: + ``set firewall ipv4 name <name> ...`` +* For :ref:`IPv6<configuration/firewall/ipv6:Firewall - IPv6 Rules>`: + ``set firewall ipv6 name <name> ...`` -.. cfgcmd:: set firewall zone <name> from <name> firewall name - <rule-set> +It can be helpful to name the rule-sets in the format +``<Sourze Zone>-<Destination Zone>-<v4 | v6>`` to make them easily identifiable. -.. cfgcmd:: set firewall zone <name> from <name> firewall ipv6-name - <rule-set> +Applying a Rule-Set to a Zone +============================= - You apply a rule-set always to a zone from an other zone, it is recommended - to create one rule-set for each zone pair. +Once a rule-set has been defined, it can then be applied to the source and +destination zones. The configuration syntax is anchored on the destination +zone, with each of the source zone rulesets listed against the destination. - .. code-block:: none +.. cfgcmd:: set firewall zone <Destination Zone> from <Source Zone> + firewall name <ipv4-rule-set-name> + +.. 
cfgcmd:: set firewall zone <Destination Zone> from <Source Zone> + firewall ipv6-name <ipv6-rule-set-name> + +It is recommended to create two rule-sets for each source-destination zone pair. - set firewall zone DMZ from LAN firewall name LANv4-to-DMZv4 - set firewall zone LAN from DMZ firewall name DMZv4-to-LANv4 +.. code-block:: none + + set firewall zone DMZ from LAN firewall name LAN-DMZ-v4 + set firewall zone LAN from DMZ firewall name DMZ-LAN-v4 ************** Operation-mode @@ -133,13 +167,12 @@ Operation-mode vyos@vyos:~$ show firewall zone-policy Zone Interfaces From Zone Firewall IPv4 Firewall IPv6 ------ ------------ ----------- --------------- --------------- - LAN eth1 WAN WAN_to_LAN + LAN eth1 WAN WAN-LAN-v4 eth2 - LOCAL LOCAL LAN LAN_to_LOCAL - WAN WAN_to_LOCAL WAN_to_LOCAL_v6 - WAN eth3 LAN LAN_to_WAN - eth0 LOCAL LOCAL_to_WAN - vyos@vyos:~$ + LOCAL LOCAL LAN LAN-LOCAL-v4 + WAN WAN-LOCAL-v4 WAN-LOCAL-v6 + WAN eth3 LAN LAN-WAN-v4 + eth0 LOCAL LOCAL-WAN-v4 .. opcmd:: show firewall zone-policy zone <zone> @@ -150,11 +183,11 @@ Operation-mode vyos@vyos:~$ show firewall zone-policy zone WAN Zone Interfaces From Zone Firewall IPv4 Firewall IPv6 ------ ------------ ----------- --------------- --------------- - WAN eth3 LAN LAN_to_WAN - eth0 LOCAL LOCAL_to_WAN + WAN eth3 LAN LAN-WAN-v4 + eth0 LOCAL LOCAL-WAN-v4 + vyos@vyos:~$ show firewall zone-policy zone LOCAL Zone Interfaces From Zone Firewall IPv4 Firewall IPv6 ------ ------------ ----------- --------------- --------------- - LOCAL LOCAL LAN LAN_to_LOCAL - WAN WAN_to_LOCAL WAN_to_LOCAL_v6 - vyos@vyos:~$ + LOCAL LOCAL LAN LAN-LOCAL-v4 + WAN WAN-LOCAL-v4 WAN-LOCAL-v6 diff --git a/docs/configuration/policy/route-map.rst b/docs/configuration/policy/route-map.rst index 03cdb99b..a2313466 100644 --- a/docs/configuration/policy/route-map.rst +++ b/docs/configuration/policy/route-map.rst 
@@ -179,6 +179,10 @@ Route Map Match RPKI validation result. +.. cfgcmd:: set policy route-map <text> rule <1-65535> match source-vrf <text> + + Source VRF to match. + .. cfgcmd:: set policy route-map <text> rule <1-65535> match tag <1-65535> Route tag to match. diff --git a/docs/configuration/protocols/failover.rst b/docs/configuration/protocols/failover.rst index 8088e104..651fc5c3 100644 --- a/docs/configuration/protocols/failover.rst +++ b/docs/configuration/protocols/failover.rst @@ -3,7 +3,7 @@ Failover ######## Failover routes are manually configured routes, but they only install -to the routing table if the health-check target is alive. +to the routing table as kernel routes if the health-check target is alive. If the target is not alive the route is removed from the routing table until the target becomes available. @@ -28,7 +28,12 @@ Failover Routes .. cfgcmd:: set protocols failover route <subnet> next-hop <address> check type <protocol> - Defines protocols for checking ARP, ICMP, TCP + Defines protocols for checking ARP, ICMP, TCP. +* ICMP probe sends 2 ICMP request packets with a response timeout of 1 second. + If one ICMP response is received, the health check is successful. +* ARP probe sends 2 ARP requests with a response timeout of 1 second. + If one response is received, the health check is successful. +* TCP probe checks whether the destination port is open. Default is ``icmp``. diff --git a/docs/configuration/protocols/ospf.rst b/docs/configuration/protocols/ospf.rst index 9891c77d..ac0ed160 100644 --- a/docs/configuration/protocols/ospf.rst +++ b/docs/configuration/protocols/ospf.rst 
@@ -1341,9 +1341,8 @@ A typical configuration using 2 nodes. show ipv6 ospfv3 redistribute -.. note:: You cannot easily redistribute IPv6 routes via OSPFv3 on a - WireGuard interface link. This requires you to configure link-local - addresses manually on the WireGuard interfaces, see :vytask:`T1483`. +Cost calculation wireguard interfaces is unreliable as ospfv3 uses the link speed to calculate the link cost. +You might therefore want to set the link cost to a fixed value on WireGuard tunnels. Example configuration for WireGuard interfaces: @@ -1351,30 +1350,26 @@ Example configuration for WireGuard interfaces: .. code-block:: none - set interfaces wireguard wg01 address 'fe80::216:3eff:fe51:fd8c/64' - set interfaces wireguard wg01 address '192.168.0.1/24' set interfaces wireguard wg01 peer ospf02 allowed-ips '::/0' - set interfaces wireguard wg01 peer ospf02 allowed-ips '0.0.0.0/0' set interfaces wireguard wg01 peer ospf02 endpoint '10.1.1.101:12345' set interfaces wireguard wg01 peer ospf02 pubkey 'ie3...=' set interfaces wireguard wg01 port '12345' set protocols ospfv3 parameters router-id 192.168.1.1 set protocols ospfv3 interface 'wg01' area 0.0.0.0 + set protocols ospfv3 interface 'wg01' cost 10 set protocols ospfv3 interface 'lo' area 0.0.0.0 **Node 2** .. code-block:: none - set interfaces wireguard wg01 address 'fe80::216:3eff:fe0a:7ada/64' - set interfaces wireguard wg01 address '192.168.0.2/24' set interfaces wireguard wg01 peer ospf01 allowed-ips '::/0' - set interfaces wireguard wg01 peer ospf01 allowed-ips '0.0.0.0/0' set interfaces wireguard wg01 peer ospf01 endpoint '10.1.1.100:12345' set interfaces wireguard wg01 peer ospf01 pubkey 'NHI...=' set interfaces wireguard wg01 port '12345' set protocols ospfv3 parameters router-id 192.168.1.2 set protocols ospfv3 interface 'wg01' area 0.0.0.0 + set protocols ospfv3 interface 'wg01' cost 10 set protocols ospfv3 interface 'lo' area 0.0.0.0 **Status** 
diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index eaa6a9f2..502d1e1b 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -49,15 +49,15 @@ Configuration Inform client that the DNS server can be found at `<address>`. This is the configuration parameter for the entire shared network definition. - All subnets will inherit this configuration item if not specified locally. + All subnets will inherit this configuration item if not specified locally. Multiple DNS servers can be defined. -.. cfgcmd:: set service dhcp-server shared-network-name <name> option +.. cfgcmd:: set service dhcp-server shared-network-name <name> option vendor-option <option-name> - This configuration parameter lets you specify a vendor-option for the - entire shared network definition. All subnets will inherit this - configuration item if not specified locally. An example for Ubiquiti is + This configuration parameter lets you specify a vendor-option for the + entire shared network definition. All subnets will inherit this + configuration item if not specified locally. An example for Ubiquiti is shown below: **Example:** 
@@ -66,14 +66,14 @@ Pass address of Unifi controller at ``172.16.100.1`` to all clients of ``NET1`` .. code-block:: none - set service dhcp-server shared-network-name 'NET1' option vendor-option + set service dhcp-server shared-network-name 'NET1' option vendor-option ubiquiti '172.16.100.1' .. cfgcmd:: set service dhcp-server listen-address <address> - This configuration parameter lets the DHCP server to listen for DHCP - requests sent to the specified address, it is only realistically useful for - a server whose only clients are reached via unicasts, such as via DHCP relay + This configuration parameter lets the DHCP server to listen for DHCP + requests sent to the specified address, it is only realistically useful for + a server whose only clients are reached via unicasts, such as via DHCP relay agents. Individual Client Subnet 
@@ -148,24 +148,205 @@ Individual Client Subnet request where no full FQDN is passed. This option can be given multiple times if you need multiple search domains (DHCP Option 119). -.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> +.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> option vendor-option <option-name> This configuration parameter lets you specify a vendor-option for the - subnet specified within the shared network definition. An example for + subnet specified within the shared network definition. An example for Ubiquiti is shown below: **Example:** -Create ``172.18.201.0/24`` as a subnet within ``NET1`` and pass address of +Create ``172.18.201.0/24`` as a subnet within ``NET1`` and pass address of Unifi controller at ``172.16.100.1`` to clients of that subnet. .. code-block:: none - set service dhcp-server shared-network-name 'NET1' subnet + set service dhcp-server shared-network-name 'NET1' subnet '172.18.201.0/24' option vendor-option ubiquiti '172.16.100.1' +Dynamic DNS Update (RFC 2136) +----------------------------- + +VyOS DHCP service supports RFC-2136 DDNS protocol. Based on DHCP lease change +events, DHCP server generates DDNS update requests (defines as NameChangeRequests +or NCRs) and posts them to a compliant DNS server, that will update its name +database accordingly. + +VyOS built-in DNS Forwarder does not support DDNS, you will need an external DNS +server with RFC-2136 DDNS support. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update + + Enables DDNS globally. + +**Behavioral settings** + +These settings can be configured on the global level and overridden on the scope +level, i.e. for individual shared networks or subnets. See examples below. + +.. 
cfgcmd:: set service dhcp-server dynamic-dns-update send-updates [ enable + | disable ] + + If set to ``enable`` on global level, updates for all scopes will be enabled, + except if explicitly set to ``disable`` on the scope level. If set to ``disable``, + updates will only be sent for scopes, where ``send-updates`` is explicity + set to ``enable``. + + This model is followed for a few behavioral settings below: if the option is + not set, the setting is inherited from the parent scope. You can override the + parent scope setting by setting the option explicitly. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update override-no-update [ enable + | disable ] + + VyOS will ignore client request not to update DNS records and send DDNS + update requests regardless. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update override-client-update [ enable + | disable ] + + VyOS will override client DDNS request settings and always update both + forward and reverse DNS records. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update update-on-renew [ enable + | disable ] + + Issue DDNS update requests on DHCP lease renew. In busy networks this may + generate a lot of traffic. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update conflict-resolution [ enable + | disable ] + + Use RFC-4703 conflict resolution. This algorithm helps in situation when + multiple clients reserve same IP addresses or advertise identical hostnames. + Should be used in most situations. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update replace-client-name [ never + | always | when-present | when-not-present ] + + * **never**: use the name sent by the client. If the client didn't provide any, + do not generate one. 
This is the default behavior + + * **always**: always generate a name for the client + + * **when-present**: replace the name the client sent with a generated one, if + the client didn't send any, do not generate one + + * **when-not-present**: use the name sent by the client. If the client didn't + send any, generate one for the client + + The names are generated using ``generated-prefix``, ``qualifying-suffix`` and the + client's IP address string. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update generated-prefix <prefix> + + Prefix used in client name generation. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update qualifying-suffix <suffix> + + DNS suffix used in client name generation. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update ttl-percent <0-100> + + TTL of the DNS record as a percentage of the DHCP lease time. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update hostname-char-set + <character string> + + Characters, that are considered invalid in the client name. They will be replaced + with ``hostname-char-replacement`` string. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update hostname-char-replacement + <character string> + + Replacement string for the invalid characters defined by ``hostname-char-set``. + +**TSIG keys definition** + +This is the global list of TSIG keys for DDNS updates. They need to be specified by +the name in the DNS domain definitions. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update tsig-key <key-name> + algorithm <algorithm> + + Sets the algorithm for the TSIG key. Supported algorithms are ``hmac-md5``, + ``hmac-sha1``, ``hmac-sha224``, ``hmac-sha256``, ``hmac-sha384``, ``hmac-sha512`` + +.. cfgcmd:: set service dhcp-server dynamic-dns-update tsig-key <key-name> + secret <key-secret> + + base64-encoded TSIG key secret value + +**DNS domains definition** + +This is global configuration of DNS servers for the updatable forward and reverse +DNS domains. 
For every domain multiple DNS servers can be specified. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update [forward|reverse]-domain + <domain-name> key-name <tsig-key-name> + + TSIG key used for the domain. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update [forward|reverse]-domain + <domain-name> dns-server <number> address <ip-address> + + IP address of the DNS server. + +.. cfgcmd:: set service dhcp-server dynamic-dns-update [forward|reverse]-domain + <domain-name> dns-server <number> port <port> + + UDP port of the DNS server. ``53`` is the default. + +**Example:** + +Global configuration you will most likely want: + +.. code-block:: none + + set service dhcp-server dynamic-dns-update send-updates enable + set service dhcp-server dynamic-dns-update conflict-resolution enable + +Override the above configuration for a shared network NET1: + +.. code-block:: none + + set service dhcp-server shared-network-name 'NET1' dynamic-dns-update replace-client-name when-not-present + set service dhcp-server shared-network-name 'NET1' dynamic-dns-update generated-prefix ip + set service dhcp-server shared-network-name 'NET1' dynamic-dns-update qualifying-suffix mybigdomain.net + +And in a subnet within the same shared network: + +.. code-block:: none + + set service dhcp-server shared-network-name 'NET1' subnet '172.18.201.0/24' dynamic-dns-update qualifying-suffix mydomain.net + +Configure TSIG keys: + +.. code-block:: none + + set service dhcp-server dynamic-dns-update tsig-key mydomain-net algorithm hmac-sha256 + set service dhcp-server dynamic-dns-update tsig-key mydomain-net secret eWF5YW15bGl0dGxla2V5IQ== + set service dhcp-server dynamic-dns-update tsig-key reverse-172-18-201 algorithm hmac-sha256 + set service dhcp-server dynamic-dns-update tsig-key reverse-172-18-201 secret eWF5YW15YW5vdGhlcmxpdHRsZWtleSE= + +Configure DDNS domains: + +.. 
code-block:: none + + set service dhcp-server dynamic-dns-update forward-domain mydomain.net key-name mydomain-net + set service dhcp-server dynamic-dns-update forward-domain mydomain.net dns-server 1 address '172.18.0.254' + set service dhcp-server dynamic-dns-update forward-domain mydomain.net dns-server 1 port 1053 + set service dhcp-server dynamic-dns-update forward-domain mydomain.net dns-server 2 address '192.168.124.254' + set service dhcp-server dynamic-dns-update forward-domain mydomain.net dns-server 2 port 53 + set service dhcp-server dynamic-dns-update forward-domain 201.18.172.in-addr.arpa key-name reverse-172-18-201 + set service dhcp-server dynamic-dns-update reverse-domain 201.18.172.in-addr.arpa dns-server 1 address '172.18.0.254' + set service dhcp-server dynamic-dns-update reverse-domain 201.18.172.in-addr.arpa dns-server 1 port 1053 + set service dhcp-server dynamic-dns-update reverse-domain 201.18.172.in-addr.arpa dns-server 2 address '192.168.124.254' + set service dhcp-server dynamic-dns-update reverse-domain 201.18.172.in-addr.arpa dns-server 2 port 53 + + High Availability ----------------- @@ -645,7 +826,7 @@ used: .. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet - <prefix> prefix-delegation prefix <pd-prefix> excluded-prefix-length <length> + <prefix> prefix-delegation prefix <pd-prefix> excluded-prefix-length <length> Define lenght of exclude prefix in `<pd-prefix>`. @@ -663,8 +844,7 @@ used: set service dhcpv6-server shared-network-name 'PD-NET' subnet 2001:db8::/64 range 1 stop 2001:db8::199 set service dhcpv6-server shared-network-name 'PD-NET' subnet 2001:db8::/64 prefix-delegation prefix 2001:db8:0:10:: delegated-length '64' set service dhcpv6-server shared-network-name 'PD-NET' subnet 2001:db8::/64 prefix-delegation prefix 2001:db8:0:10:: prefix-length '60' - - + set service dhcpv6-server shared-network-name 'PD-NET' subnet 2001:db8::/64 subnet-id 1 Address pools ------------- 
diff --git a/docs/configuration/service/ids.rst b/docs/configuration/service/ids.rst deleted file mode 100644 index 8a64467f..00000000 --- a/docs/configuration/service/ids.rst +++ /dev/null 
@@ -1,179 +0,0 @@ -.. _ids: - -############### -DDoS Protection -############### - -********** -FastNetMon -********** - -FastNetMon is a high-performance DDoS detector/sensor built on top of multiple -packet capture engines: NetFlow, IPFIX, sFlow, AF_PACKET (port mirror). It can -detect hosts in the deployed network sending or receiving large volumes of -traffic, packets/bytes/flows per second and perform a configurable action to -handle that event, such as calling a custom script. - -VyOS includes the FastNetMon Community Edition. - -Configuration -============= - -.. cfgcmd:: set service ids ddos-protection alert-script <text> - - Configure alert script that will be executed when an attack is detected. - -.. cfgcmd:: set service ids ddos-protection ban-time <1-4294967294> - - Configure how long an IP (attacker) should be kept in blocked state. - Default value is 1900. - -.. cfgcmd:: set service ids ddos-protection direction [in | out] - - Configure direction for processing traffic. - -.. cfgcmd:: set service ids ddos-protection exclude-network <x.x.x.x/x> -.. cfgcmd:: set service ids ddos-protection exclude-network <h:h:h:h:h:h:h:h/x> - - Specify IPv4 and/or IPv6 networks which are going to be excluded. - -.. cfgcmd:: set service ids ddos-protection listen-interface <text> - - Configure listen interface for mirroring traffic. - -.. cfgcmd:: set service ids ddos-protection mode [mirror | sflow] - - Configure traffic capture mode. - -.. cfgcmd:: set service ids ddos-protection network <x.x.x.x/x> -.. cfgcmd:: set service ids ddos-protection network <h:h:h:h:h:h:h:h/x> - - Specify IPv4 and/or IPv6 networks that should be protected/monitored. - -.. cfgcmd:: set service ids ddos-protection sflow listen-address <x.x.x.x> - - Configure local IPv4 address to listen for sflow. - -.. cfgcmd:: set service ids ddos-protection sflow port <1-65535> - - Configure port number to be used for sflow connection. Default port is 6343. - -.. 
cfgcmd:: set service ids ddos-protection threshold general - [fps | mbps | pps] <0-4294967294> - - Configure general threshold parameters. - -.. cfgcmd:: set service ids ddos-protection threshold icmp - [fps | mbps | pps] <0-4294967294> - - Configure ICMP threshold parameters. - -.. cfgcmd:: set service ids ddos-protection threshold tcp - [fps | mbps | pps] <0-4294967294> - - Configure TCP threshold parameters - -.. cfgcmd:: set service ids ddos-protection threshold udp - [fps | mbps | pps] <0-4294967294> - - Configure UDP threshold parameters - -Example -======= - -A configuration example can be found in this section. -In this simplified scenario, main things to be considered are: - - * Network to be protected: 192.0.2.0/24 (public IPs use by - customers) - - * **ban-time** and **threshold**: these values are kept very low in order - to easily identify and generate and attack. - - * Direction: **in** and **out**. Protect public network from external - attacks, and identify internal attacks towards internet. - - * Interface **eth0** used to connect to upstream. - -Since we are analyzing attacks to and from our internal network, two types -of attacks can be identified, and different actions are needed: - - * External attack: an attack from the internet towards an internal IP - is identify. In this case, all connections towards such IP will be - blocked - - * Internal attack: an attack from the internal network (generated by a - customer) towards the internet is identify. In this case, all connections - from this particular IP/Customer will be blocked. - - -So, firewall configuration needed for this setup: - -.. 
code-block:: none - - set firewall group address-group FNMS-DST-Block - set firewall group address-group FNMS-SRC-Block - - set firewall ipv4 forward filter rule 10 action 'drop' - set firewall ipv4 forward filter rule 10 description 'FNMS - block destination' - set firewall ipv4 forward filter rule 10 destination group address-group 'FNMS-DST-Block' - - set firewall ipv4 forward filter rule 20 action 'drop' - set firewall ipv4 forward filter rule 20 description 'FNMS - Block source' - set firewall ipv4 forward filter rule 20 source group address-group 'FNMS-SRC-Block' - -Then, FastNetMon configuration: - -.. code-block:: none - - set service ids ddos-protection alert-script '/config/scripts/fnm-alert.sh' - set service ids ddos-protection ban-time '10' - set service ids ddos-protection direction 'in' - set service ids ddos-protection direction 'out' - set service ids ddos-protection listen-interface 'eth0' - set service ids ddos-protection mode 'mirror' - set service ids ddos-protection network '192.0.2.0/24' - set service ids ddos-protection threshold general pps '100' - -And content of the script: - -.. code-block:: none - - #!/bin/bash - - # alert-script is called twice. - # When an attack occurs, the program calls a bash script twice: - # 1st time when threshold exceed - # 2nd when we collect 100 packets for detailed audit of what happened. - - # Do nothing if “attack_details” is passed as an argument - if [ "${4}" == "attack_details" ]; then - # Do nothing - exit - fi - # Arguments: - ip=$1 - direction=$2 - pps_rate=$3 - action=$4 - - logger -t FNMS "** Start - Running alert script **" - - if [ "${direction}" == "incoming" ] ; then - group="FNMS-DST-Block" - origin="external" - else - group="FNMS-SRC-Block" - origin="internal" - fi - - if [ "${action}" == "ban" ] ; then - logger -t FNMS "Attack detected for IP ${ip} and ${direction} direction from ${origin} network. Need to block IP address." 
- logger -t FNMS "Adding IP address ${ip} to firewall group ${group}." - sudo nft add element ip vyos_filter A_${group} { ${ip} } - else - logger -t FNMS "Timeout for IP ${ip}, removing it from group ${group}." - sudo nft delete element ip vyos_filter A_${group} { ${ip} } - fi - logger -t FNMS "** End - Running alert script **" - exit diff --git a/docs/configuration/service/index.rst b/docs/configuration/service/index.rst index f5c97d14..fb6f8413 100644 --- a/docs/configuration/service/index.rst +++ b/docs/configuration/service/index.rst @@ -16,7 +16,6 @@ Service dns eventhandler https - ids ipoe-server lldp mdns diff --git a/docs/configuration/service/router-advert.rst b/docs/configuration/service/router-advert.rst index 365017dd..cb9a6037 100644 --- a/docs/configuration/service/router-advert.rst +++ b/docs/configuration/service/router-advert.rst @@ -46,6 +46,7 @@ Configuration "Interval", "interval", "Min and max intervals between unsolicited multicast RAs" "DNSSL", "dnssl", "DNS search list to advertise" "Name Server", "name-server", "Advertise DNS server per https://tools.ietf.org/html/rfc6106" + "Auto Ignore Prefix", "auto-ignore", "Exclude a prefix from being advertised when the wildcard ::/64 prefix is used" .. start_vyoslinter @@ -56,8 +57,8 @@ Advertising a Prefix .. cfgcmd:: set service router-advert interface <interface> prefix <prefix/mask> .. note:: You can also opt for using `::/64` as prefix for your :abbr:`RAs (Router - Advertisements)`. This will take the IPv6 GUA prefix assigned to the interface, - which comes in handy when using DHCPv6-PD. + Advertisements)`. This is a special wildcard prefix that will emit :abbr:`RAs (Router Advertisements)` for every prefix assigned to the interface. + This comes in handy when using dynamically obtained prefixes from DHCPv6-PD. .. stop_vyoslinter diff --git a/docs/configuration/system/option.rst b/docs/configuration/system/option.rst index b5ebaaee..c7b1d757 100644 --- a/docs/configuration/system/option.rst 
+++ b/docs/configuration/system/option.rst @@ -72,6 +72,11 @@ Kernel .. seealso:: https://docs.kernel.org/admin-guide/pm/amd-pstate.html +.. cfgcmd:: set system option kernel quiet + + Suppress most kernel messages during boot. This is useful for systems with + embedded serial console interfaces to speed up the boot process. + *********** HTTP client *********** diff --git a/docs/configuration/vrf/index.rst b/docs/configuration/vrf/index.rst index e9115458..9082e8d4 100644 --- a/docs/configuration/vrf/index.rst +++ b/docs/configuration/vrf/index.rst @@ -505,6 +505,12 @@ address-family. derived and should not be specified explicitly for either the source or destination VRF’s. +.. cfgcmd:: set vrf name <name> protocols bgp address-family + <ipv4-unicast|ipv6-unicast> route-map vrf import + [route-map <name>] + + Specifies an optional route-map to be applied to routes imported from VRFs. + .. cfgcmd:: set vrf name <name> protocols bgp interface <interface> mpls forwarding diff --git a/docs/contributing/build-vyos.rst b/docs/contributing/build-vyos.rst index 623cba78..3226def6 100644 --- a/docs/contributing/build-vyos.rst +++ b/docs/contributing/build-vyos.rst @@ -702,7 +702,7 @@ needs. We first need to clone the repository from GitHub. .. code-block:: none - $ git clone https://github.com/vyos/vyos-1x + $ git clone --recurse-submodules https://github.com/vyos/vyos-1x Build ===== diff --git a/docs/installation/index.rst b/docs/installation/index.rst index 7cdd9c29..c1e50a1f 100644 --- a/docs/installation/index.rst +++ b/docs/installation/index.rst @@ -24,4 +24,3 @@ Installation and Image Management update image secure-boot - migrate-from-vyatta diff --git a/docs/installation/migrate-from-vyatta.rst b/docs/installation/migrate-from-vyatta.rst deleted file mode 100644 index f15c3d5a..00000000 --- a/docs/installation/migrate-from-vyatta.rst +++ /dev/null 
@@ -1,164 +0,0 @@ -.. _migrate_from_vyatta: - -Migrate from Vyatta Core -======================== - -VyOS 1.x line aims to preserve backward compatibility and provide a safe -upgrade path for existing Vyatta Core users. You may think of VyOS 1.0.0 as -VC7.0. - -Vyatta release compatibility ----------------------------- - -Vyatta Core releases from 6.5 to 6.6 should be 100% compatible. - -Vyatta Core 6.4 and earlier may have incompatibilities. In Vyatta 6.5 the -"modify" firewall was removed and replaced with the ``set policy route`` -command family, old configs can not be automatically converted. You will have -to adapt it to post-6.5 Vyatta syntax manually. - -.. note:: Also, in Vyatta Core 6.5 remote access VPN interfaces have been - renamed from ``pppX`` to ``l2tpX`` and ``pptpX``. If you are using - zone based firewalling in Vyatta Core pre-6.5 versions, make sure to change - interface names in rules for remote access VPN. - -Upgrade procedure ------------------ - -You just use ``add system image``, as if it was a new VC release (see -:ref:`update_vyos` for additional information). The only thing you want to do -is to verify the new images digital signature. You will have to add the public -key manually once as it is not shipped the first time. - -.. code-block:: none - - vyatta@vyatta:~$ wget http://wiki.vyos.net/so3group_maintainers.key - Connecting to vyos.net (x.x.x.x:80) - so3group_maintainers 100% |*************************| 3125 --:--:-- ETA - vyatta@vyatta:~$ sudo apt-key add so3group_maintainers.key - OK - vyatta@vyatta:~$ - -For completion the key below corresponds to the key listed in the URL above. - -.. 
code-block:: none - - -----BEGIN PGP PUBLIC KEY BLOCK----- - Version: GnuPG v1.4.12 (GNU/Linux) - - mQINBFIIUZwBEADGl+wkZpYytQxd6LnjDZZScziBKYJbjInetYeS0SUrgpqnPkzL - 2CiGfPczLwpYY0zWxpUhTvqjFsE5yDpgs0sPXIgUTFE1qfZQE+WD1I1EUM6sp/38 - 2xKQ9QaNc8oHuYINLYYmNYra6ZjIGtQP9WOX//IDYB3fhdwlmiW2z0hux2OnPWdh - hPZAmSrx5AiXFEEREJ1cAQyvYk7hgIRvM/rdQMUm+u4/z+S4mxCHE10KzlqOGhRv - hA8WQxHCVusMFGwXoKHxYf9OQpV7lsfOCODfXOMP/L9kHQ5/gBsLL5hHst+o/3VG - ec0QuVrVkBBehgrqhfJW2noq+9gTooURGImQHEOyE0xpJdFrrgk5Ii9RqQwdVRzI - ZPbqbo8uuldZIRJRGnfx+vAR9812yo38NVZ/X0P/hkkrx+UeGVgpC/ao5XLRiOzL - 7ZBMWLA6FVmZ7mkpqdzuMXX5548ApACm6EKErULIhTYDGDzFxA3cf6gr5VVi4usD - wglVs+FHuiLehmuuPTMoVcT2R6+Ht44hG3BmQmKzh/SSEa1g9gKgrhZrMdIyK4hu - GvMqLw9z9BgJbWB3BgXOUdlkXLDwBvVpEcWsPJgxSjAvjAbLLE4YkKAdYU8bQ0Pd - JuN485tcXxgQCadFZB0gcipQAvVf4b810HrY88g6FldfauHxiACOlXscZwARAQAB - tDBTTzMgR3JvdXAgTWFpbnRhaW5lcnMgPG1haW50YWluZXJzQHNvM2dyb3VwLm5l - dD6JAjgEEwECACIFAlIIUZwCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJ - ELdE4lqkQubp8GsQAKntoRFG6bWX/4WPw7Vo7kIF5kWcmv3lVb0AQkacscWope7T - Iq0VcgpAycJue2bSS9LAsvNtpVkQmFawbwFjqB3CC5NbPNQ4Kf+gswKa+yaHwejo - 7dkslAwxgXHe5g76DG7CVLMsMg6zVDFYuzeksPywls/OJBIpkuGqeXy9tAHjQzjA - SlZV3Gsx7azESjiVQ73EUBt2OXkwN4TN9TEHAnVsrNIXHwFl1VfFsSG1Q6uZDtkk - CB4DZJKN4RzCY2QSwMAqRRC2OXdwk5IAk8wwCGoFpp0UV6CO9YCeOaqJderEcBA4 - MGHqdiPDIbH5wvckjZzFznU/Paz3MwPwBdtN+WSKvwf+JItSiUqm8Dy2Pl/1cnux - 1g1I4WQlXUVaS/MDusqL7tbS8k5A5a2+YVMxShWH9BhXZwNXzEihl4sm8Hrg5SvZ - givJj2y93WoL69Wq0/86wkkH2xcrz4gsiUcQf5YXU/RHXOLnPR29/pg8TS0L7sST - dv0X23C2IpfqYoqN7YZ3K0Wczhi0yLPCrc27IczuHgjt/8ICda11xhB1t/pUbvnX - oksehaLp8O3uU8GyAsTfUgpijZFc/3jIadOl0L9NGUbYYgPzFeaZTa/njeEbz3wX - PZMn278sbL9UhupI5Hx7eREbKzV4VPVKz81ndKNMXyuJHXv2R0xou3nvuo1WuQIN - BFIIUZwBEADAhoYPDCSogG41Naq+wFkG+IPszqe0dW/UWg0xrZDT0UblwDSd4OGY - 7FATMIhjOUyFxk6+XKA5CDCWP8Npkl0modTL59uVWNxU1vUKincc/j4ipHQeAhE6 - fvZkrprvADD8TYIGesl/3EGNc7bzc5ZqX71hKPHG+autRtgFSOR2PSXD9MlJXIBb - RzHAXxlh72zvsGadcxLJm4pSWXitkR/5Wc3e0IippKdzGwZnCDpNmcBGtSTFgixP - 
JqyRZFVCPWs7jr/oQeZnq65wJp1KD2HvhhKHJfsPrnNjLSm1SQVh8hXzE9odcv6N - mJB7tNXywuROBt6a01ojBa9J3zuMYQj3iQl2MhxtHylKVBjr7NjZ4evZbLsRMxY1 - hYk7sl+ZxCPFeOZ9D2ppU/CUDXCS095I1x+s+VuiUNf/3yd8ahCWDXVp9nsXyYjm - 2pHIxb2F6r8Vd4AjlD2MQwszECS88INF3l/9ksIHEMKuuW+JAC9FiZ7k4IGcIltv - If/V2TgE6t6qoWIlmLhMTjOyJpwnokY1nIuXHH7yp+HsuqnYnf/dgLnt4czPLeHO - +TdIDHhUym0AKlCcbdgn0C6EJVTnA8BFgFjiIOMAeT0rhATg0W/cND8KQcX4V9wM - nHSEsgSEuP9H+67xuRx5Imuh5ntecrcuCYSNuOneUXWPThDKQPO9lQARAQABiQIf - BBgBAgAJBQJSCFGcAhsMAAoJELdE4lqkQubpc+0P/0IzUx8nTpF0/ii2TA0YCOgj - tviM6PRTVPrFcxijNeXiIMHZYrALYUvXxXGp1IZBP3IcOyuZNp2WLqF/f9a3cIr1 - 9b/LJPrwopGqV3K30lormk7hH0s3IXbhd0ZYWvRj+5kQ8TFRAFfPwjlItzjYJmYX - AGJmM9PxJID/4LgWSfQ/ZfNu7MJ7+2goQLu9b6x7UC1FlE4q1lcjBvHjVPM//S9G - lGAHaysyTjVu88W2wwBpBrO1MQnDvqFRddXPOIWp0jecBMUd4E0fB36yuStsXZT3 - RN4V8vKRBYXuqHhiTwZeh153cHZk2EZBwz5A6DJubMaGdJTesHW5Qf2goph0pmjC - +XuXn8J6tc5nFDf8DP4AFVMtqa3Brj2fodWd0Zzxq3AVsbX144c1oqJUhO4t3+ie - 8fD/6/jx4iuPCQTfyhHG+zGfyUb2LQ+OVLW1WYTxH5tzHaZUmZFdV2I1kuhuvZ1t - WRlmTnHZOnEb3+t8KCRWzRMfweTzXfRRKBC0/QpeX1r5pbaMHH8zF/J5PKmL0+jg - +DS8JSbSfv7Ke6rplf7lHYaDumAFZfxXuQkajzLZbX0E5Xu5BNz4Vq6LGBj7LDXL - gswIK8FFgZB+W8zwOqUV1vjIr9wkdLifXXezKpTeYpFDGLdfsK+uNAtGyvI61TDi - Pr6fWpIruuc7Gg9rUF0L - =VQTr - -----END PGP PUBLIC KEY BLOCK----- - -Next add the VyOS image. - -This example uses VyOS 1.0.0, however, it's better to install the latest -release. - -.. code-block:: none - - vyatta@vyatta:~$ show system image - The system currently has the following image(s) installed: - 1: VC6.6R1 (default boot) (running image) - - vyatta@vyatta:~$ add system image https://downloads.vyos.io/release/legacy/1.0.0/vyos-1.0.0-amd64.iso - Trying to fetch ISO file from https://downloads.vyos.io/release/legacy/1.0.0/vyos-1.0.0-amd64.iso - % Total % Received % Xferd Average Speed Time Time Time Current - Dload Upload Total Spent Left Speed - 100 223M 100 223M 0 0 960k 0 0:03:57 0:03:57 --:--:-- 657k - ISO download succeeded. - Checking for digital signature file... 
- % Total % Received % Xferd Average Speed Time Time Time Current - Dload Upload Total Spent Left Speed - 100 836 100 836 0 0 4197 0 --:--:-- --:--:-- --:--:-- 4287 - Found it. Checking digital signature... - gpg: directory `/root/.gnupg' created - gpg: new configuration file `/root/.gnupg/gpg.conf' created - gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run - gpg: keyring `/root/.gnupg/pubring.gpg' created - gpg: Signature made Sun Dec 22 16:51:42 2013 GMT using RSA key ID A442E6E9 - gpg: /root/.gnupg/trustdb.gpg: trustdb created - gpg: Good signature from "SO3 Group Maintainers <maintainers@so3group.net>" - gpg: WARNING: This key is not certified with a trusted signature! - gpg: There is no indication that the signature belongs to the owner. - Primary key fingerprint: DD5B B405 35E7 F6E3 4278 1ABF B744 E25A A442 E6E9 - Digital signature is valid. - Checking MD5 checksums of files on the ISO image...OK. - Done! - - What would you like to name this image? [1.0.0]: [return] - OK. This image will be named: 1.0.0 - Installing "1.0.0" image. - Copying new release files... - - Would you like to save the current configuration - directory and config file? (Yes/No) [Yes]: [return] - Copying current configuration... - - Would you like to save the SSH host keys from your - current configuration? (Yes/No) [Yes]: [return] - Copying SSH keys... - Setting up grub configuration... - Done. - - vyatta@vyatta:~$ show system image - The system currently has the following image(s) installed: - - 1: 1.0.0 (default boot) - 2: VC6.6R1 (running image) - -Upon reboot, you should have a working installation of VyOS. - -You can go back to your Vyatta install using the ``set system image -default-boot`` command and selecting the your previous Vyatta Core image. - -.. note:: Future releases of VyOS will break the direct upgrade path from - Vyatta core. Please upgrade through an intermediate VyOS version e.g. VyOS - 1.2. 
After this you can continue upgrading to newer releases once you bootet - into VyOS 1.2 once. diff --git a/docs/installation/secure-boot.rst b/docs/installation/secure-boot.rst index 817ca663..b6685039 100644 --- a/docs/installation/secure-boot.rst +++ b/docs/installation/secure-boot.rst @@ -18,13 +18,19 @@ commands prior to your ISO image build: .. code-block:: bash cd vyos-build - openssl req -new -x509 -newkey rsa:4096 \ - -keyout data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.key \ - -out data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.der \ - -outform DER -days 36500 -subj "/CN=MyMOK/" -nodes - openssl x509 -inform der \ - -in data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.der \ - -out data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.pem + CA_DIR="data/certificates" + SHIM_CERT_NAME="vyos-dev-2025-shim" + VYOS_KERNEL_CERT_NAME="vyos-dev-2025-linux" + + openssl req -new -x509 -newkey rsa:4096 -keyout ${CA_DIR}/${SHIM_CERT_NAME}.key -out ${CA_DIR}/${SHIM_CERT_NAME}.der \ + -outform DER -days 36500 -subj "/CN=VyOS Networks Secure Boot CA/" -nodes + openssl x509 -inform der -in ${CA_DIR}/${SHIM_CERT_NAME}.der -out ${CA_DIR}/${SHIM_CERT_NAME}.pem + + openssl req -newkey rsa:4096 -sha256 -nodes -keyout ${CA_DIR}/${VYOS_KERNEL_CERT_NAME}.key \ + -out ${CA_DIR}/${VYOS_KERNEL_CERT_NAME}.csr -outform PEM -days 3650 \ + -subj "/CN=VyOS Networks Secure Boot Signer 2025 - linux/" + openssl x509 -req -in ${CA_DIR}/${VYOS_KERNEL_CERT_NAME}.csr -CA ${CA_DIR}/${SHIM_CERT_NAME}.pem \ + -CAkey ${CA_DIR}/${SHIM_CERT_NAME}.key -CAcreateserial -out ${CA_DIR}/${VYOS_KERNEL_CERT_NAME}.pem -days 3650 -sha256 ************ Installation |
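Review bot: the whole `service ids` chapter (docs/configuration/service/ids.rst) is deleted together with its toctree entry in docs/configuration/service/index.rst, but nothing in the change says why; if the `ddos-protection` CLI is gone from the supported releases, say so in the commit message and consider leaving a short stub or redirect, since the old URL is linked from outside the docs and readers of earlier releases will otherwise find no trace of the feature or of its removal.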
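Review bot: the new `"Auto Ignore Prefix", "auto-ignore", ...` row in the docs/configuration/service/router-advert.rst table introduces the `auto-ignore` option without a matching `.. cfgcmd::` block, so the reader learns that the option exists but not the command that sets it; add the cfgcmd next to the rewritten `::/64` note. In that note, `:abbr:\`RAs (Router Advertisements)\`` is now expanded twice in one sentence; use plain `RAs` the second time, and wrap the line, which runs well past the width used by the rest of the file.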
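Review bot: the cfgcmd added to docs/configuration/vrf/index.rst reads `route-map vrf import [route-map <name>]`, which repeats the `route-map` keyword and marks the name as optional although the command does nothing without one; check it against the actual CLI tree and write the single form, e.g. `... address-family <ipv4-unicast|ipv6-unicast> route-map vrf import <name>`. The description "applied to routes imported from VRFs" should also state the direction precisely: the route-map filters routes leaked into this VRF from the VRFs listed under `import vrf`, not this VRF's own exports.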
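Review bot: for `set system option kernel quiet` in docs/configuration/system/option.rst, state that only console output is suppressed and that the messages remain in the kernel log, and say whether the setting needs a reboot to take effect, since it sits next to other boot-time kernel parameters in this section and readers will assume the same semantics.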
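Review bot: the change to `git clone --recurse-submodules https://github.com/vyos/vyos-1x` in docs/contributing/build-vyos.rst should come with one sentence saying that the repository now contains submodules and how to fetch them in an existing checkout (`git submodule update --init --recursive`); otherwise readers who cloned earlier hit a build failure without knowing why.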
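Review bot: deleting docs/installation/migrate-from-vyatta.rst removes the `.. _migrate_from_vyatta:` label, and the toctree entry is dropped from docs/installation/index.rst; grep the tree for `:ref:\`migrate_from_vyatta\`` before merging so no dangling cross-reference remains.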
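Review bot: in the docs/installation/secure-boot.rst hunk, the `openssl` commands write into `${CA_DIR}` (`data/certificates`) without creating it; add `mkdir -p ${CA_DIR}` first or the steps fail on a fresh clone. Both private keys are written unencrypted (`-nodes`) into the build tree, so the text should say that `data/certificates/*.key` must stay out of git and out of the ISO, that only the `.der`/`.pem` files are consumed by the build, and which build option or script expects the `vyos-dev-2025-shim` and `vyos-dev-2025-linux` names, since readers building their own image need to know whether those names are fixed. `-days 3650` on the `openssl req ... -out ${CA_DIR}/${VYOS_KERNEL_CERT_NAME}.csr` line is ignored (it only applies with `-x509`); the signer's validity comes from the `-days 3650` on the following `openssl x509 -req`, so drop it from the req to avoid confusion. Finally, the `-subj` values name `VyOS Networks`; a user following these steps for a self-built image should substitute their own CN, so use a placeholder such as the old `MyMOK` example did rather than the vendor's name.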