November 13, 2017 5:46:15 PM CET By Daniil Baturin
1.1.8, the major minor release, is available for download from https://downloads.vyos.io/?dir=release/1.1.8 (mirrors are syncing up).
It breaks the semantic versioning convention, while the version number implies a bugfix-only release, it actually includes a number of new features. This is because 1.2.0 number is already assigned to the Jessie-based release that is still in beta, but not including those features that have been in the codebase for a while and a few of them have already been in production for some users would feel quite wrong, especially considering the long delay between the releases. Overall it's pretty close in scope to the original 1.2.0 release plan before Debian Squeeze was EOLd and we had to switch the effort to getting rid of the legacy that was keeping us from moving to a newer base distro.
You can find the full changelog here.
The release is available for both 64-bit and 32-bit machines. The i586-virt flavour, however, was discontinued since a) according to web server logs and user comments, there is no demand for it, unlike a release for 32-bit physical machines b) hypervisors capable of running on 32-bit hardware went extinct years ago. The current 32-bit image is built with paravirtual drivers for KVM/Xen, VMware, and Hyper-V, but without PAE, so you shouldn't have any problem running it on small x86 boards and testing it on virtual machines.
We've also made a 64-bit OVA that works with VMware and VirtualBox.
Multiple vulnerabilities in OpenSSL, dnsmasq, and hostapd were patched, including the recently found remote code execution in dnsmasq.
Some notable bugs that were fixed include:
- Protocol negation in NAT not working correctly (it had exactly opposite effect and made the rule match the negated protocol instead)
- Inability to reconfigure L2TPv3 interface tunnel and session ID after interface creation
- GRUB not getting installed on RAID1 members
- Lack of USB autosuspend causing excessive CPU load in KVM guests
- VTI interfaces not coming back after tunnel reset
- Cluster failing to start on boot if network links take too long to get up
User/password authentication for OpenVPN client mode
A number of VPN providers (and some corporate VPNs) require that you use user/password authentication and do not support x.509-only authentication. Now this is supported by VyOS:
set interfaces openvpn vtun0 authentication username jrandomhacker
set interfaces openvpn vtun0 authentication password qwerty
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 mode client
set interfaces openvpn vtun0 remote-host 192.0.2.1
Bridged OpenVPN servers no longer require subnet settings
Before this release, OpenVPN would always require subnet settings, so if one wanted to setup an L2 OpenVPN bridged to another interface, they'd have to specify a mock subnet. Not anymore, now if the device-type is set to "tap" and bridge-group is configured, subnet settings are not required.
New OpenVPN options exposed in the CLI
A few OpenVPN options that formerly would have to be configured through openvpn-option are now available in the CLI:
set interfaces openvpn vtun0 use-lzo-compression
set interfaces openvpn vtun0 keepalive interval 10
set interfaces openvpn vtun0 keepalive failure-count 5
Point to point VXLAN tunnels are now supported
In earlier releases, it was only possible to create multicast, point to multipoint VXLAN interfaces. Now the option to create point to point interfaces is also available:
set interfaces vxlan vxlan0 address 10.1.1.1/24
set interfaces vxlan vxlan0 remote 203.0.113.50
set interfaces vxlan vxlan0 vni 10
AS-override option for BGP
The as-override option that is often used as an alternative to allow-as-in is now available in the CLI:
set protocols bgp 64512 neighbor 192.0.2.10 as-override
as-path-exclude option for route-maps
The option for removing selected ASNs from AS paths is available now:
set policy route-map Foo rule 10 action permit
set policy route-map Foo rule 10 set as-path-exclude 64600
Buffer size option for NetFlow/sFlow
The default buffer size was often insufficient for high-traffic installations, which caused pmacct to crash. Now it is possible to specify the buffer size option:
set system flow-accounting buffer-size 512 # megabytes
There are a few more options for NetFlow: source address (can be either IPv4 or IPv6) and maximum number of concurrenct flows (on high traffic machines setting it too low can cause netflow data loss):
set system flow-accounting netflow source-ip 192.0.2.55
set system flow-accounting netflow max-flows 2097152
VLAN QoS mapping options
It is now possible to specify VLAN QoS values:
set interfaces ethernet eth0 vif 42 egress-qos 1:6
set interfaces ethernet eth0 vif 42 ingress-qos 1:6
Ability to set custom sysctl options
There are lots of sysctl options in the Linux kernel and it would be impractical to expose them all in the CLI, since most of them only need to be modified under special circumstances. Now you can set a custom option is you need to:
set system sysctl custom $key value $value
Custom client ID for DHCPv6
It is now possible to specify custom client ID for DHCPv6 client:
set interfaces ethernet eth0 dhcpv6-options duid foobar
Ethernet offload options
Under "set interfaces ethernet ethX offload-options" you can find a number of options that control NIC offload.
Syslog level "all"
Now you can specify options for the *.* syslog pattern, for example:
set system syslog global facility all level notice
Unresolved or partially resolved issues
Latest ixgbe driver updates are not included in this release.
The issue with VyOS losing parts of its BGP config when update-source is set to an address belonging to a dynamic interface such as VTI and the interface takes long to get up and acquire its address was resolved in its literal wording, but it's not guaranteed that the BGP session will get up on its own in this case. It's recommended to set the update-source to an address of an interface available right away on boot, for example, a loopback or dummy interface.
The issue with changing the routing table number in PBR rules is not yet resolved. The recommended workaround is to delete the rule and re-create it with the new table number, e.g. by copying its commands from 'run show configuration commands | match "policy route "'.
I would like to say thanks to everyone who contributed and made this
release possible, namely: Kim Hagen, Alex Harpin, Yuya Kusakabe, Yuriy
Andamasov, Ray Soucy, Nikolay Krasnoyarski, Jason Hendry, Kevin
Blackham, kouak, upa, Logan Attwood, Panagiotis Moustafellos, Thomas
Courbon, and Ildar Ibragimov (hope I didn't forget anyone).
A note on the downloads server
The original packages.vyos.net server is still having IO performance problems and won't handle a traffic spike associated with release well. We've setup the https://downloads.vyos.io server on our new host specially for release images and will later migrate the rest of the old server including package repositories and the rsync setup.