VyOS 1.2.6 maintenance release
Posted 18 Sep, 2020 by Daniil Baturin
VyOS 1.2.6 release is now available to our customers and contributors. VyOS 1.2.6 remains a fully supported branch and will not enter an extended support phase until we have a stable 1.3 release—this means we will keep making feature backports when feasible, rather than limit support to emergency fixes. The biggest highlight of this release is PIM-SM support, and it also includes about 70 resolved tasks, more than 30 of which are bug fixes. Another highlight is our new automated release procedure, which we'll soon start using to make the long-promised rolling release snapshots too.
Verifying release images
Historically, we’ve used GnuPG for image signing, like most other projects. GPG signature verification is built into the image upgrade process, so an upgrade is secure by default. For the initial installation, however, GnuPG makes the process harder than it should be, since you need to locate and import our release key first.
Starting from the 1.2.5 release, we are also signing images with minisign. For an introduction, you should read signify: Securing OpenBSD From Us To You. Minisign uses elliptic curve cryptography, which gives better security with much smaller keys. The keys are small enough to pass in command line options, so there’s no need to import key files like in GPG: just paste the command from this post and run it.
So apart from the usual .asc file, there’s also a .minisig file stored next to every image. Keep that file name when you download it: minisign looks for <file>.minisig by default when no signature file is given explicitly.
$ wget https://cdn.vyos.io/.../vyos-1.2.6-amd64.iso
$ wget https://cdn.vyos.io/.../vyos-1.2.6-amd64.iso.minisig
$ minisign -VP RWTR1ty93Oyontk6caB9WqmiQC4fgeyd/ejgRxCRGd2MQej7nqebHneP -m ./vyos-1.2.6-amd64.iso
The add system image command still uses GPG, but we plan to phase out GPG by the 1.3 release and use minisign exclusively for both manual and automated signature checks.
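To make clear what the minisign command above actually checks, here is an added example (not VyOS code and not part of the original post) that verifies a .minisig file in plain Python: it parses the public key string (the "Ed" prefix, an 8-byte key id and a 32-byte Ed25519 key, base64-encoded), parses the four-line signature file, checks that the key id in the signature matches the key you pasted, and then verifies both the file signature (over BLAKE2b-512 of the image in minisign's prehashed "ED" mode, or the raw file in legacy "Ed" mode) and the global signature that binds the trusted comment. The Ed25519 arithmetic is a compact affine-coordinate implementation written for readability; the seed, key id and "image" bytes in the demo are constructed here, and the signing routine exists only so the example can produce its own test data. The VyOS key id printed when you run the file is taken from the key quoted in the post.

```python
import base64
import hashlib

P = 2**255 - 19
L_ORDER = 2**252 + 27742317777372353535851937790883648493
D = (-121665 * pow(121666, P - 2, P)) % P

def _xrecover(y):  # even x coordinate for a given y on the curve
    xx = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(xx, (P + 3) // 8, P)
    x = x if (x * x - xx) % P == 0 else x * pow(2, (P - 1) // 4, P) % P
    return P - x if x & 1 else x

BY = 4 * pow(5, P - 2, P) % P
B = (_xrecover(BY), BY)  # base point

def _add(p, q):  # Edwards point addition (affine; two inversions per add)
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P) % P)

def _mul(p, e):  # double-and-add scalar multiplication
    r = (0, 1)
    for bit in bin(e)[2:]:
        r = _add(r, r) if bit == "0" else _add(_add(r, r), p)
    return r

def _enc(p):  # 32-byte little-endian y with the parity of x in the top bit
    return (p[1] | ((p[0] & 1) << 255)).to_bytes(32, "little")

def _dec(s):
    v = int.from_bytes(s, "little")
    y, sign = v & ((1 << 255) - 1), v >> 255
    x = _xrecover(y)
    x = P - x if (x & 1) != sign else x
    if (-x * x + y * y - 1 - D * x * x * y * y) % P:
        raise ValueError("not a valid curve point")
    return x, y

def _h(*parts):
    return hashlib.sha512(b"".join(parts)).digest()

def _clamp(h):
    return (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)

def ed25519_public_key(seed):
    return _enc(_mul(B, _clamp(_h(seed))))

def ed25519_sign(seed, msg):
    h = _h(seed)
    r = int.from_bytes(_h(h[32:], msg), "little") % L_ORDER
    R = _enc(_mul(B, r))
    k = int.from_bytes(_h(R, ed25519_public_key(seed), msg), "little") % L_ORDER
    return R + ((r + k * _clamp(h)) % L_ORDER).to_bytes(32, "little")

def ed25519_verify(pk, msg, sig):
    try:
        R, A = _dec(sig[:32]), _dec(pk)
    except ValueError:
        return False
    s = int.from_bytes(sig[32:], "little")
    if len(pk) != 32 or len(sig) != 64 or s >= L_ORDER:  # s >= L: non-canonical signature
        return False
    k = int.from_bytes(_h(sig[:32], pk, msg), "little")
    return _mul(B, s) == _add(R, _mul(A, k))

def parse_minisign_public_key(b64):  # base64("Ed" + 8-byte key id + 32-byte Ed25519 key)
    raw = base64.b64decode(b64)
    if len(raw) != 42 or raw[:2] != b"Ed":
        raise ValueError("not a minisign public key")
    return raw[2:10], raw[10:]

def parse_minisign_signature(text):  # -> (alg, key id, file sig, trusted comment, global sig)
    lines = text.splitlines()
    raw = base64.b64decode(lines[1]) if len(lines) >= 4 else b""
    if (len(raw) != 74 or not lines[0].startswith("untrusted comment: ")
            or not lines[2].startswith("trusted comment: ")):
        raise ValueError("malformed .minisig file")
    return raw[:2], raw[2:10], raw[10:], lines[2][len("trusted comment: "):], base64.b64decode(lines[3])

def minisign_verify(pubkey_b64, sig_text, data):
    key_id, pk = parse_minisign_public_key(pubkey_b64)
    alg, sig_key_id, sig, trusted, global_sig = parse_minisign_signature(sig_text)
    if sig_key_id != key_id or alg not in (b"ED", b"Ed"):
        return False  # signed by a different key, or unknown algorithm
    msg = hashlib.blake2b(data).digest() if alg == b"ED" else data  # "ED" = prehashed, "Ed" = legacy
    # The global signature covers sig + trusted comment, so a tampered comment also fails.
    return ed25519_verify(pk, msg, sig) and ed25519_verify(pk, sig + trusted.encode(), global_sig)

def minisign_public_key(seed, key_id):
    return base64.b64encode(b"Ed" + key_id + ed25519_public_key(seed)).decode()

def minisign_sign(seed, key_id, data, trusted="timestamp:0"):  # prehashed mode; builds test data only
    sig = ed25519_sign(seed, hashlib.blake2b(data).digest())
    global_sig = ed25519_sign(seed, sig + trusted.encode())
    b64 = lambda b: base64.b64encode(b).decode()
    return (f"untrusted comment: constructed test signature\n{b64(b'ED' + key_id + sig)}\n"
            f"trusted comment: {trusted}\n{b64(global_sig)}\n")

if __name__ == "__main__":
    print("VyOS key id:", parse_minisign_public_key("RWTR1ty93Oyontk6caB9WqmiQC4fgeyd/ejgRxCRGd2MQej7nqebHneP")[0].hex())
    seed, kid, iso = bytes(range(32)), bytes(range(1, 9)), b"constructed-iso-bytes" * 1000  # constructed, not VyOS's
    print("verify:", minisign_verify(minisign_public_key(seed, kid), minisign_sign(seed, kid, iso), iso))
```

Two checks in minisign_verify are the ones worth noticing: the key id in the signature must match the key you pasted, so a valid signature from some other key is rejected rather than silently accepted, and the trusted comment is covered by the global signature, so it cannot be rewritten without invalidating the file. To check a real download, read the .minisig file as text and the image as bytes and pass them with the public key string from this post.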
PIM-SM is here
Multicast routing has been one of the most frequently requested features. It’s been in the rolling release since this summer, and we are grateful to everyone who helped us test it. Now it’s available in the LTS release as well.
set protocols igmp interface eth1
set protocols pim interface eth1
set protocols pim interface eth2
set protocols pim rp address 172.16.255.1 group '224.0.0.0/4'
You can find the details in the documentation. We believe it's now stable enough to use, but if you run into any issues, let us know.
More new features
PIM-SM is the biggest highlight of this release, but there are smaller features too.
- Systems booted from a live CD now properly warn that configuration cannot be saved there.
- There's now a CLI for Wake-on-LAN.
- A command for viewing transceiver information: `show interfaces ethernet ethX transceiver`
A few of the bug fixes and updates:
- The default net.ipv6.route.max_size value is now set to 262144 (as opposed to 32768, which is too low for modern full feeds)
- The DHCP server no longer prepends the shared network name to host names
- Fixed a spurious error when deleting policy routes
- Linux kernel 4.19.142
- FRR 7.3.1
Automated release procedure
The number of supported image flavors is growing, and in fact there's demand for new flavors. The good thing about it is that it makes VyOS easier to deploy and use on a wider range of virtual and bare metal platforms, but the downside is that our release procedure has become time-consuming and error-prone. With the 1.2.5 release, there were messed up links and other issues. The need for an automated procedure is obvious.
However, it's not just customers and contributors with access to prebuilt LTS images who will benefit from that procedure. We also promised that we will start making rolling release snapshots to make it easier to use and test for a wider audience (we understand that not everyone is ready to install nightly builds even on a lab router).
Soon we'll adapt that procedure for the rolling release and start making snapshots—stay tuned for updates!
Here's the complete list of tasks resolved in this release:
| Task | Summary |
|---|---|
| 103 | DHCP server prepends shared network name to hostnames |
| 125 | Missing PPPoE interfaces in l2tp configuration |
| 1194 | cronjob is being setup even if not saved |
| 1205 | module pcspkr missing |
| 1219 | Redundant active-active configuration, asymmetric routing and conntrack-sync cache |
| 1220 | Show transceiver information from plugin modules, e.g. SFP+, QSFP |
| 1221 | BGP - Default route injection is not processed by the specific route-map |
| 1241 | Remove of policy route throws CLI error |
| 1291 | Under certain conditions the VTI will stay forever down |
| 1463 | Missing command `show ip bgp scan` appears in command completion |
| 1575 | `show snmp mib ifmib` crashes with IndexError |
| 1699 | Default net.ipv6.route.max_size 32768 is too low |
| 1729 | PIM (Protocol Independent Multicast) implementation |
| 1901 | Semicolon in values is interpreted as a part of the shell command by validators |
| 1934 | Change default hostname when deployed from OVA without params |
| 1938 | syslog doesn't start automatically |
| 1949 | Multihop IPv6 BFD is unconfigurable |
| 1953 | DDNS service name validation rejects valid service names |
| 1956 | PPPoE server: support PADO-delay |
| 1973 | Allow route-map to match on BGP local preference value |
| 1974 | Allow route-map to set administrative distance |
| 1982 | Increase rotation for atop.acct |
| 1983 | Expose route-map when BGP routes are programmed in to FIB |
| 1985 | pppoe: Enable ipv6 modules without configured ipv6 pools |
| 2000 | strongSwan does not install routes to table 220 in certain cases |
| 2021 | OSPFv3 doesn't support decimal area syntax |
| 2062 | Wrong dhcp-server static route subnet bytes |
| 2091 | swanctl.conf file is not generated properly if more than one IPsec profile is used |
| 2131 | Improve syslog remote host CLI definition |
| 2224 | Update Linux Kernel to v4.19.114 |
| 2286 | IPoE server vulnerability |
| 2303 | Unable to delete the image version that came from OVA |
| 2305 | Add release name to "show version" command |
| 2311 | Statically configured name servers may not take precedence over ones from DHCP |
| 2327 | Unable to create syslog server entry with different port |
| 2332 | Backport node option for a syslog server |
| 2342 | Bridge l2tpv3 + ethX errors |
| 2344 | PPPoE server client static IP assignment silently fails |
| 2385 | salt-minion: improve completion helpers |
| 2389 | BGP community-list unknown command |
| 2398 | op-mode "dhcp client leases interface" completion helper misses interfaces |
| 2402 | Live ISO should warn when configuring that changes won't persist |
| 2443 | NHRP: Add debugging information to syslog |
| 2448 | `monitor protocol bgp` subcommands fail with 'command incomplete' |
| 2458 | Update FRR to 7.3.1 |
| 2476 | Bond member description change leads to network outage |
| 2478 | login radius: use NAS-IP-Address if defined source address |
| 2482 | Update PowerDNS recursor to 4.3.1 for CVE-2020-10995 |
| 2517 | vyos-container: link_filter: No such file or directory |
| 2526 | Wake-On-Lan CLI implementation |
| 2528 | "update dns dynamic" throws FileNotFoundError exception |
| 2536 | "show log dns forwarding" still refers to dnsmasq |
| 2538 | Update Intel NIC drivers to recent release (preparation for Kernel >=5.4) |
| 2545 | Show physical device offloading capabilities for specified ethernet interface |
| 2563 | Wrong interface binding for Dell VEP 1445 |
| 2605 | SNMP service is not disabled by default |
| 2625 | Provide generic Library for package builds |
| 2686 | FRR: BGP: large-community configuration is not applied properly after upgrading FRR to 7.3.x series |
| 2701 | `vpn ipsec pfs enable` doesn't work with IKE groups |
| 2728 | Protocol option ignored for IPSec peers in transport mode |
| 2734 | WireGuard: fwmark CLI definition is inconsistent |
| 2757 | "show system image version" contains additional new-line character breaking output |
| 2797 | Update Linux Kernel to v4.19.139 |
| 2822 | Update Linux Kernel to v4.19.141 |
| 2829 | PPPoE server: mppe setting is implemented as node instead of leafNode |
| 2831 | Update Linux Kernel to v4.19.142 |
| 2852 | rename dynamic dns interface breaks ddclient.cache permissions |
| 2853 | Intel QAT acceleration does not work |