Tue, Jul 13
Wed, Jul 7
@trae32566 I can't replicate this. Can you post your config?
Thu, Jul 1
Jun 23 2021
Done with generate public-key-command. loadkey is deprecated and will be removed in a future version.
Jun 22 2021
Jun 21 2021
Jun 20 2021
Now that all major instances of curl have been replaced with the in-house script, we can begin to backport these changes to v1.3 in small pieces ahead of the first stable version.
Now I see the problem. paramiko.client.SSHClient().close() calls paramiko.transport.Transport().close() which implicitly calls socket.close() regardless of whether the socket was internally created or externally provided. This is a bit counterintuitive but I'll simply remove the socket closing logic then.
Jun 18 2021
Jun 17 2021
copy file still depends on vyatta-image-tools.pl. I think it merits a rewrite, maybe a simple file transfer script that uses a couple of basic routines for file:// and running:// and remote.py for everything else.
@trae32566 Does this problem still persist in the newest rolling release?
Jun 8 2021
This is resolved for 1.4. Do you still have this problem in 1.3 as of RC4? If so, I'll need to backport the changes.
Jun 6 2021
Jun 2 2021
Waiting for T3595 to clear up before I can test this on rolling release.
I cannot replicate this bug in a clean install of 1.4-rolling-202105291042.
vyos@vyos# set interfaces dummy dum0 address 192.168.201.1/24
vyos@vyos# commit
Either there's something in your config meddling with the interface creation or (most likely) this bug was solved in the main branch since then.
May 31 2021
Here are some kernel features we need to consider:
- Disable kexec. The user should never need to swap the kernel.
- Restrict access to /proc/kallsyms for regular users, which makes sense since we're using a custom kernel.
- Set hidepid to prevent regular users from seeing process IDs. Might be too intrusive.
- Harden BPF JIT. Might interfere with XDP. Testing necessary.
- Set kernel lockdown mode. Disables kexec and unprivileged BGP commands. Again, might interfere with XDP.
An easy start would be adding
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic
export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed -Wl,-z,-defs
to debian/rules to harden our C programs (which are currently only VyShim and XDP). hardening=+all passes PIE and bindnow linker options to GCC.
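As an added illustration of the kernel items in that list (not VyOS project code and not part of this feed), the following Python audit checks a host against them. It parses text in the formats of `sysctl -a`, /proc/mounts and /sys/kernel/security/lockdown, so it runs offline on the constructed sample input below; feeding it the real file contents turns it into a quick compliance check. The sysctl names and the hidepid and lockdown values are real kernel interfaces; the minimum thresholds are assumptions chosen to match the intent of each bullet (e.g. kptr_restrict=1 already hides addresses from regular users, 2 hides them from root as well).

```python
"""Audit a Linux host's state against the kernel hardening items above.

Added example, not VyOS code. Works on text in the formats of `sysctl -a`,
/proc/mounts and /sys/kernel/security/lockdown so it can run offline.
"""
import re

# Minimum sysctl values for each bullet (thresholds are an assumption):
#   kernel.kexec_load_disabled >= 1  disables kexec (one-way switch until reboot)
#   kernel.kptr_restrict >= 1        zeroes addresses in /proc/kallsyms for
#                                     unprivileged users (2 = for everyone)
#   net.core.bpf_jit_harden >= 1     hardens the BPF JIT for unprivileged users
#                                     (2 = for all users; may cost XDP performance)
SYSCTL_MINIMUM = {
    "kernel.kexec_load_disabled": 1,
    "kernel.kptr_restrict": 1,
    "net.core.bpf_jit_harden": 1,
}


def parse_sysctl(text):
    """Parse `sysctl -a` style 'key = value' lines into a dict of strings."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def proc_hidepid(mounts_text):
    """Return the hidepid= option of the /proc mount, or None if not set."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            m = re.search(r"(?:^|,)hidepid=([^,]+)", fields[3])
            return m.group(1) if m else None
    return None


def lockdown_mode(lockdown_text):
    """Parse /sys/kernel/security/lockdown, e.g. 'none [integrity] confidentiality'."""
    m = re.search(r"\[(\w+)\]", lockdown_text)
    return m.group(1) if m else None


def audit(sysctl_text, mounts_text, lockdown_text):
    """Return a list of (item, ok, detail) tuples, one per hardening bullet."""
    sysctls = parse_sysctl(sysctl_text)
    results = []
    for key, minimum in SYSCTL_MINIMUM.items():
        have = sysctls.get(key)
        try:
            ok = int(have) >= minimum
        except (TypeError, ValueError):
            ok = False  # missing or non-numeric: treat as not hardened
        results.append((key, ok, f"have={have!r} minimum={minimum}"))
    hid = proc_hidepid(mounts_text)
    # hidepid=2 (or 'invisible' on kernels >= 5.8) hides other users' processes
    results.append(("proc hidepid", hid in ("2", "invisible"), f"have={hid!r}"))
    mode = lockdown_mode(lockdown_text)
    results.append(("kernel lockdown", mode in ("integrity", "confidentiality"),
                    f"have={mode!r}"))
    return results


# Constructed sample input: a host with only part of the list applied.
SAMPLE_SYSCTL = """\
kernel.kexec_load_disabled = 1
kernel.kptr_restrict = 0
net.core.bpf_jit_enable = 1
net.core.bpf_jit_harden = 2
"""
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
"""
SAMPLE_LOCKDOWN = "none [integrity] confidentiality\n"

if __name__ == "__main__":
    for item, ok, detail in audit(SAMPLE_SYSCTL, SAMPLE_MOUNTS, SAMPLE_LOCKDOWN):
        print(f"{'OK  ' if ok else 'FAIL'} {item}: {detail}")
```

On a live host the three inputs come from `sysctl -a`, `cat /proc/mounts` and `cat /sys/kernel/security/lockdown`; the sample deliberately leaves kptr_restrict and hidepid unset so the FAIL path is exercised.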
May 30 2021
This is possibly a problem on curl's end but funnily enough, there's a similar problem with the native implementation over T3563. Once that's solved, this bug will be rendered moot.
install-image now calls a routine that queries the size of the remote file and aborts if there isn't enough space to download the image.
commit-archive now uses Paramiko for SSH connections instead of curl and directly reads ~/.ssh/known_hosts if it exists.
This is a consequence of using an old Paramiko version. I just sent a PR upping the version of cryptography and Paramiko.
New file transfer script parses the port field in the URL.