Simplify defaults #480
Merged
Simplify defaults #480
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
wkz
requested changes
Jun 17, 2024
troglobit
force-pushed
the
simplify-defaults
branch
2 times, most recently
from
aae5466
to
17c963c
Compare
This patch bumps klish-plugins-sysrepo to fix the annoying issue with the CLI not supporting, e.g. "show hostname" in system config context. Details: kernelkit/klish-plugin-sysrepo#3 The problem was two-fold, first we used the wrong ptype for 'show' (and 'diff') commands, so srp_show() was not even called. Then the klish-plugin-sysrepo code did not account for show being called for leaf nodes. Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
This patch simplifies the handling of factory default password for the admin user by overloading the ietf-system password type. The new type, $factory$, acts a system hint to use any device specific (or built-in software/device-tree) default password hash. Fixes #435 Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Fixes #447 Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
With this patch, users not in the NACM admin group and a login shell set to clish can now log in to the CLI. Prior to this change only members of the UNIX group 'wheel' could open the klishd socket. The patch adds another group, 'sys-cli', which acts as a capability for users. An admin user (member of the admin group) will now be member of both the UNIX 'wheel' and 'sys-cli' groups. A non-admin user that has shell set to 'clish' will only be member of the 'sys-cli' group. Other users will not be mapped to any UNIX group and have only permissions set in NACM. Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
The following specifiers are currently supported: - %h default hostname from /etc/os-release - %i value of ID from /etc/os-release - %m last three octets of base MAC, e.g., c0-ff-ee Fixes #435 Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
For consistency with UNKNOWN base mac address, and making it easier for the user to actually notice the fault condition. Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
This patch silences the previously very verbose setup.sh script, and crucially also fixes a bug in UPDATE_MODULE(). Missing closing ' Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Fixes #478 Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
troglobit
force-pushed
the
simplify-defaults
branch
from
17c963c
to
71048ec
Compare
mattiaswal
requested changes
Jun 20, 2024
All typedefs and identities should be declared in the module that uses them unless other modules need them. This change also makes it easier to work with tools like yanglint and pyang. Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Allow tests to fetch expected factory default password of devices. Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
troglobit
force-pushed
the
simplify-defaults
branch
from
71048ec
to
3c8c109
Compare
|
There, final comments and regressions fixed! Tests pass locally. |
This was
linked to
issues
Jun 20, 2024
|
Aaand now tests also pass on the server. Best solstice |
wkz
approved these changes
Jun 25, 2024
This patch adds support for an empty "genkey" pair in the keystore for the NETCONF hostkeys. Primarily intended for static factory-config. When a configuration is loaded and confd detects a missing public or private key in the "genkey" asymmetric key, it loads generated keys from disk and store in the running datastore. Fixes #435 Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Drop annoying escape characters from ixinit when logging to syslog. Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
With the recent changes to confd to support: hostname format specifiers, $factory$ default keyword for password, and on-the-fly generation of the NETCONF SSH host keys, the system no longer depend on the very intricate confd gen-* scripts to create factory-config and failure-config. This patch set adds support for detecting and installing product/vendor specific static factory-config and failure-config files. See the confd README for details. To facilitate generation, e.g., of the NETCONF SSH host keys, the confd daemon must be running when bootstrapping the first startup-config from eithe generated or static factory-config. This is why the bootstrap and load helper scripts have been changed. Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Finalize support for IETF System YANG incl. all IANA crypt-hash types. This patch builds on the earlier work adding yescrypt and $factory$ key word. The YANG description for the crypt-hash type override has been significantly udpated to discourage use of $0$cleartext passwords. Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
First, actually remove setup.sh. No reason to have the old version lingering in the repo confusing devs. Also simplify script heading dropping previous netopeer2 text and distilling the comment before sourcing the .inc file. Silence the install/update, dropping -v -- no need to be overly verbose now that we now the new yang loader works at build time. Crucially -- fix a bug in UPDATE_MODULE(), missing closing ' Simplify naming and location of .inc files. No need for the long filenames, or the new directory, the directory name gives plenty of context. Add reminder of duplicate infix-interfaces.yang in .inc files -- this duplication is unfortunate and we should try to fix this better. We will forget to update one or the other any day ... Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
We recently dropped Augas from confd and this branch adds support for $0$cleartext passwords, which require libxcrypt. Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Ubuntu 22.04 (ubuntu-latest runner on GitHub) has a slightly earlier version of libxcrypt. The only hard requirement we have is yescrypt support, so we can relax the configure check slightly to be able to run coverity scan. Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
troglobit
force-pushed
the
simplify-defaults
branch
from
2b2cdf0
to
6543572
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR primarily adds support for:
%h-%m(and%i) hostname fmt, issue Format specifiers for IETF system hostname and password #435$factory$password hash, issue Format specifiers for IETF system hostname and password #435Secondary objectives:
infix-system:version, set to confd version (1.0), issue Add confd version to YANG + .cfg files #308Checklist
Tick relevant boxes, this PR is-a or has-a: