Merge remote-tracking branch 'vyos/current' into feature/dhcpv4-ddns

Author: abukharov

Diff for: .github/workflows/package-smoketest.yml

@@ -17,7 +17,7 @@ env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed for PR comments
   BUILD_BY: [email protected]
   DEBIAN_MIRROR: http://deb.debian.org/debian/
-  VYOS_MIRROR: https://rolling-packages.vyos.net/current/
+  VYOS_MIRROR: https://packages.vyos.net/repositories/current/
 
 jobs:
   build_iso:
@@ -83,12 +83,43 @@ jobs:
         with:
           name: vyos-${{ needs.build_iso.outputs.build_version }}
           path: build
-      - name: VyOS CLI smoketests
+      - name: VyOS CLI smoketests (no interfaces)
         id: test
         shell: bash
         run: |
           set -e
-          sudo make test
+          sudo make test-no-interfaces
+          if [[ $? == 0 ]]; then
+            echo "exit_code=success" >> $GITHUB_OUTPUT
+          else
+            echo "exit_code=fail" >> $GITHUB_OUTPUT
+          fi
+
+  test_interfaces_cli:
+    needs: build_iso
+    runs-on: ubuntu-24.04
+    timeout-minutes: 180
+    container:
+      image: vyos/vyos-build:current
+      options: --sysctl net.ipv6.conf.lo.disable_ipv6=0 --privileged
+    outputs:
+      exit_code: ${{ steps.test.outputs.exit_code }}
+    steps:
+      # We need the test script from vyos-build repo
+      - name: Clone vyos-build source code
+        uses: actions/checkout@v4
+        with:
+          repository: vyos/vyos-build
+      - uses: actions/download-artifact@v4
+        with:
+          name: vyos-${{ needs.build_iso.outputs.build_version }}
+          path: build
+      - name: VyOS CLI smoketests (interfaces only)
+        id: test
+        shell: bash
+        run: |
+          set -e
+          sudo make test-interfaces
           if [[ $? == 0 ]]; then
             echo "exit_code=success" >> $GITHUB_OUTPUT
           else
@@ -191,6 +222,7 @@ jobs:
   result:
     needs:
       - test_smoketest_cli
+      - test_interfaces_cli
       - test_config_load
       - test_raid1_install
       - test_encrypted_config_tpm
@@ -203,13 +235,14 @@ jobs:
         uses: mshick/add-pr-comment@v2
         with:
           message: |
-            CI integration ${{ needs.test_smoketest_cli.outputs.exit_code == 'success' && needs.test_config_load.outputs.exit_code == 'success' && needs.test_raid1_install.outputs.exit_code == 'success' && '👍 passed!' || '❌ failed!' }}
+            CI integration ${{ needs.test_smoketest_cli.outputs.exit_code == 'success' && needs.test_interfaces_cli.outputs.exit_code == 'success' && needs.test_config_load.outputs.exit_code == 'success' && needs.test_raid1_install.outputs.exit_code == 'success' && '👍 passed!' || '❌ failed!' }}
 
             ### Details
 
             [CI logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})
 
-            * CLI Smoketests ${{ needs.test_smoketest_cli.outputs.exit_code == 'success' && '👍 passed' || '❌ failed' }}
+            * CLI Smoketests (no interfaces) ${{ needs.test_smoketest_cli.outputs.exit_code == 'success' && '👍 passed' || '❌ failed' }}
+            * CLI Smoketests (interfaces only) ${{ needs.test_interfaces_cli.outputs.exit_code == 'success' && '👍 passed' || '❌ failed' }}
             * Config tests ${{ needs.test_config_load.outputs.exit_code == 'success' && '👍 passed' || '❌ failed' }}
             * RAID1 tests ${{ needs.test_raid1_install.outputs.exit_code == 'success' && '👍 passed' || '❌ failed' }}
             * TPM tests ${{ needs.test_encrypted_config_tpm.outputs.exit_code == 'success' && '👍 passed' || '❌ failed' }}

Diff for: .github/workflows/repo-sync.yml

@@ -6,6 +6,7 @@ on:
         - closed
       branches:
         - current
+        - equuleus
     workflow_dispatch:
 
 jobs:

Diff for: Jenkinsfile

@@ -26,10 +26,10 @@
     "pki": {
         "ethernet": ["interfaces_ethernet"],
         "openvpn": ["interfaces_openvpn"],
+        "haproxy": ["load-balancing_haproxy"],
         "https": ["service_https"],
         "ipsec": ["vpn_ipsec"],
         "openconnect": ["vpn_openconnect"],
-        "reverse_proxy": ["load-balancing_reverse-proxy"],
         "rpki": ["protocols_rpki"],
         "sstp": ["vpn_sstp"],
         "sstpc": ["interfaces_sstpc"],

Diff for: data/config-mode-dependencies/vyos-1x.json

@@ -25,7 +25,7 @@
 "otp.py",
 "qos.py",
 "reset_vpn.py",
-"reverseproxy.py",
+"load-balancing_haproxy.py",
 "route.py",
 "storage.py",
 "system.py",

Diff for: data/op-mode-standardized.json

@@ -38,6 +38,9 @@ level={{ log.level }}
 
 [ipoe]
 verbose=1
+{% if lua_file is vyos_defined %}
+lua-file={{ lua_file }}
+{% endif %}
 {% if interface is vyos_defined %}
 {%     for iface, iface_config in interface.items() %}
 {%         set tmp = 'interface=' %}
@@ -55,7 +58,8 @@ verbose=1
 {%         set range = 'range=' ~ iface_config.client_subnet ~ ',' if iface_config.client_subnet is vyos_defined else '' %}
 {%         set relay = ',' ~ 'relay=' ~ iface_config.external_dhcp.dhcp_relay  if iface_config.external_dhcp.dhcp_relay is vyos_defined else '' %}
 {%         set giaddr = ',' ~ 'giaddr=' ~ iface_config.external_dhcp.giaddr if iface_config.external_dhcp.giaddr is vyos_defined else '' %}
-{{ tmp }},{{ shared }}mode={{ iface_config.mode | upper }},ifcfg=1,{{ range }}start=dhcpv4,ipv6=1{{ relay }}{{ giaddr }}
+{%         set username = ',' ~ 'username=lua:' ~ iface_config.lua_username if iface_config.lua_username is vyos_defined else '' %}
+{{ tmp }},{{ shared }}mode={{ iface_config.mode | upper }},ifcfg=1,{{ range }}start=dhcpv4,ipv6=1{{ relay }}{{ giaddr }}{{ username }}
 {%         if iface_config.vlan_mon is vyos_defined %}
 vlan-mon={{ iface }},{{ iface_config.vlan | join(',') }}
 {%         endif %}

Diff for: data/templates/accel-ppp/ipoe.config.j2

@@ -11,7 +11,7 @@
             "interfaces": [ "*" ],
             "dhcp-socket-type": "raw",
 {% endif %}
-            "service-sockets-max-retries": 5,
+            "service-sockets-max-retries": 60,
             "service-sockets-retry-wait-time": 5000
         },
         "control-socket": {
@@ -29,14 +29,14 @@
                 "code": 121,
                 "type": "record",
                 "array": true,
-                "record-types": "uint8,uint8,uint8,uint8,uint8,uint8,uint8,uint8"
+                "record-types": "uint8,uint8,uint8,uint8,uint8,uint8,uint8"
             },
             {
                 "name": "windows-static-route",
                 "code": 249,
                 "type": "record",
                 "array": true,
-                "record-types": "uint8,uint8,uint8,uint8,uint8,uint8,uint8,uint8"
+                "record-types": "uint8,uint8,uint8,uint8,uint8,uint8,uint8"
             },
             {
                 "name": "wpad-url",

Diff for: data/templates/dhcp-server/kea-dhcp4.conf.j2

@@ -6,7 +6,7 @@
 {% else %}
             "interfaces": [ "*" ],
 {% endif %}
-            "service-sockets-max-retries": 5,
+            "service-sockets-max-retries": 60,
             "service-sockets-retry-wait-time": 5000
         },
         "control-socket": {

Diff for: data/templates/dhcp-server/kea-dhcp6.conf.j2

@@ -19,6 +19,12 @@ table ip vyos_nat {
 {%         endfor %}
 {%     endif %}
     }
+{%     for set_name in ip_fqdn %}
+    set FQDN_nat_{{ set_name }} {
+        type ipv4_addr
+        flags interval
+    }
+{%     endfor %}
 
     #
     # Source NAT rules build up here
@@ -31,7 +37,14 @@ table ip vyos_nat {
         {{ config | nat_rule(rule, 'source') }}
 {%         endfor %}
 {%     endif %}
+
+    }
+{%     for set_name in ip_fqdn %}
+    set FQDN_nat_{{ set_name }} {
+        type ipv4_addr
+        flags interval
     }
+{%     endfor %}
 
     chain VYOS_PRE_DNAT_HOOK {
         return

Diff for: data/templates/firewall/nftables-nat.j2

@@ -0,0 +1,20 @@
+{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' runuser -u frr -- ' if vrf is vyos_defined else '' %}
+[Unit]
+Description=FRR Exporter
+Documentation=https://github.com/tynany/frr_exporter
+After=network.target
+
+[Service]
+{% if vrf is not vyos_defined %}
+User=frr
+{% endif %}
+ExecStart={{ vrf_command }}/usr/sbin/frr_exporter \
+{% if listen_address is vyos_defined %}
+{%     for address in listen_address %}
+        --web.listen-address={{ address }}:{{ port }}
+{%     endfor %}
+{% else %}
+        --web.listen-address=:{{ port }}
+{% endif %}
+[Install]
+WantedBy=multi-user.target

Diff for: data/templates/frr_exporter/frr_exporter.service.j2

@@ -22,7 +22,7 @@ Before=rescue.service
 # The '-o' option value tells agetty to replace 'login' arguments with an
 # option to preserve environment (-p), followed by '--' for safety, and then
 # the entered username.
-ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud {{ speed }} %I $TERM
+ExecStart=-/sbin/agetty -o '-p -- \\u' %I {{ speed }} $TERM
 Type=idle
 Restart=always
 UtmpIdentifier=%I

Diff for: data/templates/getty/serial-getty.service.j2

@@ -48,7 +48,7 @@ server {
     ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
 
     # proxy settings for HTTP API, if enabled; 503, if not
-    location ~ ^/(retrieve|configure|config-file|image|import-pki|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) {
+    location ~ ^/(retrieve|configure|config-file|image|import-pki|container-image|generate|show|reboot|reset|poweroff|traceroute|docs|openapi.json|redoc|graphql) {
 {% if api is vyos_defined %}
         proxy_pass http://unix:/run/api.sock;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Diff for: data/templates/https/nginx.default.j2

@@ -87,7 +87,11 @@ secrets {
         id-{{ gen_uuid }} = "{{ id }}"
 {%             endfor %}
 {%         endif %}
+{%         if psk_config.secret_type is vyos_defined('base64') %}
+        secret = 0s{{ psk_config.secret }}
+{%         elif psk_config.secret_type is vyos_defined('plaintext') %}
         secret = "{{ psk_config.secret }}"
+{%         endif %}
     }
 {%     endfor %}
 {% endif %}

Diff for: data/templates/ipsec/swanctl.conf.j2

@@ -1,4 +1,4 @@
-### Autogenerated by load-balancing_reverse-proxy.py ###
+### Autogenerated by load-balancing_haproxy.py ###
 
 global
     chroot /var/lib/haproxy

Diff for: data/templates/load-balancing/haproxy.cfg.j2

@@ -0,0 +1,4 @@
+
+---
+WARNING: This VyOS system is not a stable long-term support version and
+         is not intended for production use.

Diff for: data/templates/login/motd_vyos_nonproduction.j2

@@ -6,6 +6,9 @@ allow-interfaces={{ interface | join(', ') }}
 {% if browse_domain is vyos_defined and browse_domain | length %}
 browse-domains={{ browse_domain | join(', ') }}
 {% endif %}
+{% if cache_entries is vyos_defined %}
+cache-entries-max={{ cache_entries }}
+{% endif %}
 disallow-other-stacks=no
 
 [wide-area]

Diff for: data/templates/mdns-repeater/avahi-daemon.conf.j2

@@ -0,0 +1,20 @@
+{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' runuser -u node_exporter -- ' if vrf is vyos_defined else '' %}
+[Unit]
+Description=Node Exporter
+Documentation=https://github.com/prometheus/node_exporter
+After=network.target
+
+[Service]
+{% if vrf is not vyos_defined %}
+User=node_exporter
+{% endif %}
+ExecStart={{ vrf_command }}/usr/sbin/node_exporter \
+{% if listen_address is vyos_defined %}
+{%     for address in listen_address %}
+        --web.listen-address={{ address }}:{{ port }}
+{%     endfor %}
+{% else %}
+        --web.listen-address=:{{ port }}
+{% endif %}
+[Install]
+WantedBy=multi-user.target

Diff for: data/templates/node_exporter/node_exporter.service.j2

@@ -22,7 +22,7 @@ authserver {{ authsrv }}
 {%         endif %}
 {%     endfor %}
 radius_timeout {{ authentication['radius']['timeout'] }}
-{%     if source_address %}
+{%     if authentication.radius.source_address is vyos_defined %}
 bindaddr {{ authentication['radius']['source_address'] }}
 {%     else %}
 bindaddr *

Diff for: data/templates/ocserv/radius_conf.j2

@@ -57,9 +57,7 @@ $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archiv
 {%             endfor %}
 {%         endif %}
 {%         if host_options.protocol is vyos_defined('tcp') %}
-{%             if host_options.format.octet_counted is vyos_defined %}
 {{ tmp | join(';') }} @@{{ '(o)' if host_options.format.octet_counted is vyos_defined }}{{ host_name | bracketize_ipv6 }}:{{ host_options.port }}{{ ';RSYSLOG_SyslogProtocol23Format' if host_options.format.include_timezone is vyos_defined }}
-{%             endif %}
 {%         else %}
 {{ tmp | join(';') }} @{{ host_name | bracketize_ipv6 }}:{{ host_options.port }}{{ ';RSYSLOG_SyslogProtocol23Format' if host_options.format.include_timezone is vyos_defined }}
 {%         endif %}

Diff for: data/templates/rsyslog/rsyslog.conf.j2

@@ -202,9 +202,9 @@ Depends:
 # For "service router-advert"
   radvd,
 # End "service route-advert"
-# For "load-balancing reverse-proxy"
+# For "load-balancing haproxy"
   haproxy,
-# End "load-balancing reverse-proxy"
+# End "load-balancing haproxy"
 # For "load-balancing wan"
   vyatta-wanloadbalance,
 # End "load-balancing wan"
@@ -235,6 +235,12 @@ Depends:
   squidclient,
   squidguard,
 # End "service webproxy"
+# For "service monitoring node-exporter"
+  node-exporter,
+# End "service monitoring node-exporter"
+# For "service monitoring frr-exporter"
+  frr-exporter,
+# End "service monitoring frr-exporter"
 # For "service monitoring telegraf"
   telegraf (>= 1.20),
 # End "service monitoring telegraf"

Diff for: debian/control

@@ -25,9 +25,11 @@ srv/localui
 usr/sbin
 usr/bin/config-mgmt
 usr/bin/initial-setup
+usr/bin/vyos-show-config
 usr/bin/vyos-config-file-query
 usr/bin/vyos-config-to-commands
 usr/bin/vyos-config-to-json
+usr/bin/vyos-commands-to-config
 usr/bin/vyos-hostsd-client
 usr/lib
 usr/libexec/vyos/activate

Diff for: debian/vyos-1x.install

@@ -21,6 +21,11 @@ if ! grep -q '^openvpn' /etc/passwd; then
     adduser --quiet --firstuid 100 --system --group --shell /usr/sbin/nologin openvpn
 fi
 
+# node_exporter should get its own user
+if ! grep -q '^node_exporter' /etc/passwd; then
+    adduser --quiet --firstuid 100 --system --group --shell /bin/false node_exporter
+fi
+
 # We need to have a group for RADIUS service users to use it inside PAM rules
 if ! grep -q '^radius' /etc/group; then
     addgroup --firstgid 1000 --quiet radius

Diff for: debian/vyos-1x.postinst

@@ -501,6 +501,7 @@
         </properties>
         <children>
           #include <include/generic-description.xml.i>
+          #include <include/interface/mtu-68-16000.xml.i>
           <leafNode name="prefix">
             <properties>
               <help>Prefix which allocated to that network</help>