VyOS Networks Blog

VyOS 1.2.6 release is now available to our customers and contributors.  VyOS 1.2.6 remains a fully supported branch and will not enter an extended support phase until we have a stable 1.3 release—this means we will keep making feature backports when feasible, rather than limit support to emergency fixes. The biggest highlight of this release is PIM-SM support, and it also includes about 70 resolved tasks, more than 30 of them are bug fixes. However, another highlight is our new automated release procedure that we'll soon start using to make long-promised rolling release snapshots too.

Verifying release images

Historically, we’ve used GnuPG for image signing, like most other projects. GPG signature verification is built into the image upgrade process, so an upgrade is secure by default. However, for initial installation, GnuPG makes the process harder than it should be since you need to locate and import our release key first.

Starting from the 1.2.5 release, we are also signing images with minisign. For an introduction, you should read signify: Securing OpenBSD From Us To You. Minisign uses elliptic curve cryptography that allows better security despite smaller keys. The keys are small enough to pass in command line options, so there’s no need to import key files like in GPG: just paste the command from this post and run it.

So apart from the usual .asc file there’s also a .minisgn file stored next to every image.

$ wget https://cdn.vyos.io/.../vyos-1.2.6-amd64.iso
$ wget https://cdn.vyos.io/.../vyos-1.2.6-amd64.iso.minisign
$ minisign -VP RWTR1ty93Oyontk6caB9WqmiQC4fgeyd/ejgRxCRGd2MQej7nqebHneP -m ./vyos-1.2.6-amd64.iso

Internally, the add system image command is still using GPG, but we are planning to phase out GPG by the 1.3 release and use minisign exclusively for both manual and automated signature checks.

PIM-SM is here

Multicast routing has been one of the most frequently requested features. It’s been in the rolling release since this summer, and we are grateful to everyone who helped us test it. Now it’s available in the LTS release as well.

set protocols igmp interface eth1
set protocols pim interface eth1
set protocols pim interface eth2
set protocols pim rp address 172.16.255.1 group '224.0.0.0/4'

You can find the details in the documentation. We believe it's now stable enough to use, but if you run into any issues, let us know.

More new features

PIM-SM is the biggest highlight of this release, but there are smaller features too.

• Systems booted from a live CD now properly warn that configuration cannot be saved there.
• There's now a CLI for Wake-on-LAN.
• A command for viewing transceiver information: "show interfaces ethernet ethX transceiver"

Bug fixes

Just a few of them:

• Default net.ipv6.route.max_size value it set to 262144 (as opposed to 32768 that is too low for modern full feeds)
• DHCP server will not prepend shared network name to host names anymore
• Fixed a spurious error when deleting policy routes

Package updates

• Linux kernel 4.19.142
• FRR 7.3.1

Automated release procedure

The number of supported image flavors is growing, and in fact there's demand for new flavors. The good thing about it is that it makes VyOS easier to deploy and use on a wider range of virtual and bare metal platforms, but the downside is that our release procedure has become time-consuming and error-prone. With the 1.2.5 release, there were messed up links and other issues. The need for an automated procedure is obvious.

However, it's not just customers and contributors with access to prebuilt LTS images who will benefit from that procedure. We also promised that we will start making rolling release snapshots to make it easier to use and test for a wider audience (we understand that not everyone is ready to install nightly builds even on a lab router).

Soon we'll adapt that procedure for the rolling release and start making snapshots—stay tuned for updates!

Changelog

Here's the complete list of tasks resolved in this release: