VyOS Platform Blog

Building an open source network OS for the people, together.

VyOS 1.2.6 maintenance release

Posted 18 Sep, 2020 by Daniil Baturin

VyOS 1.2.6 release is now available to our customers and contributors. VyOS 1.2.6 remains a fully supported branch and will not enter an extended support phase until we have a stable 1.3 release, which means we will keep making feature backports when feasible rather than limiting support to emergency fixes. The biggest highlight of this release is PIM-SM support; it also includes about 70 resolved tasks, more than 30 of which are bug fixes. Another highlight is our new automated release procedure, which we'll soon start using to make the long-promised rolling release snapshots too.

Verifying release images

Historically, we’ve used GnuPG for image signing, like most other projects. GPG signature verification is built into the image upgrade process, so an upgrade is secure by default. However, for initial installation, GnuPG makes the process harder than it should be since you need to locate and import our release key first.

Starting from the 1.2.5 release, we are also signing images with minisign. For an introduction, you should read signify: Securing OpenBSD From Us To You. Minisign uses elliptic curve cryptography that allows better security despite smaller keys. The keys are small enough to pass in command line options, so there’s no need to import key files like in GPG: just paste the command from this post and run it.

So apart from the usual .asc file there’s also a .minisign file stored next to every image.

$ wget https://cdn.vyos.io/.../vyos-1.2.6-amd64.iso
$ wget https://cdn.vyos.io/.../vyos-1.2.6-amd64.iso.minisign
$ minisign -VP RWTR1ty93Oyontk6caB9WqmiQC4fgeyd/ejgRxCRGd2MQej7nqebHneP -m ./vyos-1.2.6-amd64.iso

Internally, the add system image command is still using GPG, but we are planning to phase out GPG by the 1.3 release and use minisign exclusively for both manual and automated signature checks.
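What the 56-character string passed to minisign -P above contains, as an added example (not VyOS or minisign code): it decodes the key and the text of a .minisign file and checks that the signature names the pinned key ID. This is only a structural pre-check and does not verify the Ed25519 signature; the sample signature texts and helper names are constructed for illustration.

```python
import base64

# Public key string from the minisign command in this post.
VYOS_PUBKEY = "RWTR1ty93Oyontk6caB9WqmiQC4fgeyd/ejgRxCRGd2MQej7nqebHneP"

def parse_pubkey(b64):
    """Split a minisign public key into its key ID and Ed25519 key."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 42 or raw[:2] != b"Ed":
        raise ValueError("not a minisign Ed25519 public key")
    return {"key_id": raw[2:10], "ed25519_key": raw[10:]}

def parse_signature(text):
    """Parse the four lines of a .minisign file without verifying them."""
    lines = text.strip().splitlines()
    if (len(lines) != 4 or not lines[0].startswith("untrusted comment: ")
            or not lines[2].startswith("trusted comment: ")):
        raise ValueError("malformed .minisign file")
    sig = base64.b64decode(lines[1], validate=True)
    global_sig = base64.b64decode(lines[3], validate=True)
    if len(sig) != 74 or sig[:2] not in (b"Ed", b"ED") or len(global_sig) != 64:
        raise ValueError("unexpected signature algorithm or length")
    return {"prehashed": sig[:2] == b"ED",  # "ED": a BLAKE2b hash of the file is signed
            "key_id": sig[2:10], "signature": sig[10:],
            "trusted_comment": lines[2].split(": ", 1)[1],
            "global_signature": global_sig}

def key_id_matches(pubkey_b64, sig_text):
    """True if the signature names the pinned key. Not a signature check."""
    return parse_pubkey(pubkey_b64)["key_id"] == parse_signature(sig_text)["key_id"]

def constructed_sig(key_id):
    """Build a structurally valid .minisign text with dummy all-zero signatures."""
    body = base64.b64encode(b"ED" + key_id + bytes(64)).decode()
    return ("untrusted comment: constructed sample, not a real signature\n"
            f"{body}\ntrusted comment: timestamp:0\tfile:sample.iso\n"
            f"{base64.b64encode(bytes(64)).decode()}\n")

# Constructed inputs: one names the pinned key ID, one names a different key.
SAMPLE_SAME_KEY = constructed_sig(parse_pubkey(VYOS_PUBKEY)["key_id"])
SAMPLE_OTHER_KEY = constructed_sig(b"\x01" * 8)

if __name__ == "__main__":
    print("key id bytes:", parse_pubkey(VYOS_PUBKEY)["key_id"].hex())
    print("same key:", key_id_matches(VYOS_PUBKEY, SAMPLE_SAME_KEY))
    print("other key:", key_id_matches(VYOS_PUBKEY, SAMPLE_OTHER_KEY))
```

A key ID match only says which key the signature claims to come from; the minisign -V command above is what actually verifies the image.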

PIM-SM is here

Multicast routing has been one of the most frequently requested features. It’s been in the rolling release since this summer, and we are grateful to everyone who helped us test it. Now it’s available in the LTS release as well.

set protocols igmp interface eth1
set protocols pim interface eth1
set protocols pim interface eth2
set protocols pim rp address 172.16.255.1 group '224.0.0.0/4'

You can find the details in the documentation. We believe it's now stable enough to use, but if you run into any issues, let us know.

More new features

PIM-SM is the biggest highlight of this release, but there are smaller features too.

  • Systems booted from a live CD now properly warn that configuration cannot be saved there.
  • There's now a CLI for Wake-on-LAN.
  • A command for viewing transceiver information: "show interfaces ethernet ethX transceiver"

Bug fixes

Just a few of them:

  • Default net.ipv6.route.max_size value is set to 262144 (as opposed to 32768 that is too low for modern full feeds)
  • DHCP server will not prepend shared network name to host names anymore
  • Fixed a spurious error when deleting policy routes

Package updates

  • Linux kernel 4.19.142
  • FRR 7.3.1

Automated release procedure

The number of supported image flavors is growing, and in fact there's demand for new flavors. The good thing about it is that it makes VyOS easier to deploy and use on a wider range of virtual and bare metal platforms, but the downside is that our release procedure has become time-consuming and error-prone. With the 1.2.5 release, there were messed up links and other issues. The need for an automated procedure is obvious.

However, it's not just customers and contributors with access to prebuilt LTS images who will benefit from that procedure. We also promised that we will start making rolling release snapshots to make it easier to use and test for a wider audience (we understand that not everyone is ready to install nightly builds even on a lab router).

Soon we'll adapt that procedure for the rolling release and start making snapshots—stay tuned for updates!

Changelog

Here's the complete list of tasks resolved in this release:

103 DHCP server prepends shared network name to hostnames
125 Missing PPPoE interfaces in l2tp configuration
1194 cronjob is being setup even if not saved
1205 module pcspkr missing
1219 Redundant active-active configuration, asymmetric routing and conntrack-sync cache
1220 Show transceiver information from plugin modules, e.g. SFP+, QSFP
1221 BGP - Default route injection is not processed by the specific route-map
1241 Remove of policy route throws CLI error
1291 Under certain conditions the VTI will stay forever down
1463 Missing command `show ip bgp scan` appears in command completion
1575 `show snmp mib ifmib` crashes with IndexError
1699 Default net.ipv6.route.max_size 32768 is too low
1729 PIM (Protocol Independent Multicast) implementation
1901 Semicolon in values is interpreted as a part of the shell command by validators
1934 Change default hostname when deploy from OVA without params.
1938 syslog doesn't start automatically
1949 Multihop IPv6 BFD is unconfigurable
1953 DDNS service name validation rejects valid service names
1956 PPPoE server: support PADO-delay
1973 Allow route-map to match on BGP local preference value
1974 Allow route-map to set administrative distance
1982 Increase rotation for atop.acct
1983 Expose route-map when BGP routes are programmed in to FIB
1985 pppoe: Enable ipv6 modules without configured ipv6 pools
2000 strongSwan does not install routes to table 220 in certain cases
2021 OSPFv3 doesn't support decimal area syntax
2062 Wrong dhcp-server static route subnet bytes
2091 swanctl.conf file is not generated properly if more than one IPsec profile is used
2131 Improve syslog remote host CLI definition
2224 Update Linux Kernel to v4.19.114
2286 IPoE server vulnerability
2303 Unable to delete the image version that came from OVA
2305 Add release name to "show version" command
2311 Statically configured name servers may not take precedence over ones from DHCP
2327 Unable to create syslog server entry with different port
2332 Backport node option for a syslog server
2342 Bridge l2tpv3 + ethX errors
2344 PPPoE server client static IP assignment silently fails
2385 salt-minion: improve completion helpers
2389 BGP community-list unknown command
2398 op-mode "dhcp client leases interface" completion helper misses interfaces
2402 Live ISO should warn when configuring that changes won't persist
2443 NHRP: Add debugging information to syslog
2448 `monitor protocol bgp` subcommands fail with 'command incomplete'
2458 Update FRR to 7.3.1
2476 Bond member description change leads to network outage
2478 login radius: use NAS-IP-Address if defined source address
2482 Update PowerDNS recursor to 4.3.1 for CVE-2020-10995
2517 vyos-container: link_filter: No such file or directory
2526 Wake-On-Lan CLI implementation
2528 "update dns dynamic" throws FileNotFoundError exception
2536 "show log dns forwarding" still refers to dnsmasq
2538 Update Intel NIC drivers to recent release (preparation for Kernel >=5.4)
2545 Show physical device offloading capabilities for specified ethernet interface
2563 Wrong interface binding for Dell VEP 1445
2605 SNMP service is not disabled by default
2625 Provide generic Library for package builds
2686 FRR: BGP: large-community configuration is not applied properly after upgrading FRR to 7.3.x series
2701 `vpn ipsec pfs enable` doesn't work with IKE groups
2728 Protocol option ignored for IPSec peers in transport mode
2734 WireGuard: fwmark CLI definition is inconsistent
2757 "show system image version" contains additional new-line character breaking output
2797 Update Linux Kernel to v4.19.139
2822 Update Linux Kernel to v4.19.141
2829 PPPoE server: mppe setting is implemented as node instead of leafNode
2831 Update Linux Kernel to v4.19.142
2852 rename dynamic dns interface breaks ddclient.cache permissions
2853 Intel QAT acceleration does not work
