VyOS Platform Blog

VyOS Project June 2025 Update

Written by Daniil Baturin | June 30, 2025 5:23:51 PM Z

Hello, Community!

This month's update looks small but there are quite a few big things happening. Expect a few release posts in the coming weeks! But apart from that, there are big ongoing developments inside the rolling release. First, we are ironing out the remaining issues in the VPP-based accelerated dataplane and we welcome everyone to test them.

In other areas, we are making steady progress at replacing the old configuration backend. Currently the focus is on the commit algorithm, which will make commits much faster and enable long-awaited features such as commit dry run (T7427). The other big thing is the operational mode command system rework that will allow us to reintroduce operator-level users and improve operational command documentation. Read on for details!

Behavior changes

add system image now requires at least 2GB of free space (T6144)

Upgrading a VyOS system without enough space to store the new image can break the system completely in some cases. The risk of breaking the system and having to redeploy it is much worse than the inconvenience of having to clean up or add some drive space, so we added a check and made the add system image script exit with an error if there is less than 2GB of free space.

If you see an error, delete some old images or add more space to the partition. It's unlikely that there are physical systems with onboard flash drives smaller than 2GB so we hope it didn't make anyone's device un-upgradable.
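The following is an added example that illustrates the kind of pre-flight check described above; it is not the vyos-1x add system image script itself. It refuses to proceed unless the target filesystem has at least 2 GiB free and, as an extension of the rule in the post, also refuses when a known image size plus headroom exceeds that floor. The image directory and the helper names are assumptions made for this example.

```python
"""Pre-flight free-space check before fetching a new system image.

Added example, not code from vyos-1x. It models the behaviour described in
the post (at least 2 GiB free, otherwise exit with an error) and additionally
accounts for an image that is itself larger than the 2 GiB floor.
"""
import shutil
import sys

MIN_FREE_BYTES = 2 * 1024 ** 3      # the 2GB floor described in the post
DEFAULT_IMAGE_DIR = "/boot"         # assumption: where this example would store images
GIB = 1024 ** 3


class InsufficientSpaceError(RuntimeError):
    """Raised when the target filesystem cannot safely hold the new image."""


def required_bytes(image_size=None, headroom=0.10):
    """Bytes that must be free.

    Always at least MIN_FREE_BYTES; if the image size is known, the image plus
    10% headroom is required when that is larger, so a big image is not waved
    through just because 2 GiB happens to be free.
    """
    if image_size is None:
        return MIN_FREE_BYTES
    return max(MIN_FREE_BYTES, int(image_size * (1 + headroom)))


def space_ok(free_bytes, image_size=None):
    """True if free_bytes satisfies required_bytes(image_size)."""
    return free_bytes >= required_bytes(image_size)


def check_free_space(path=DEFAULT_IMAGE_DIR, image_size=None,
                     free_bytes=lambda p: shutil.disk_usage(p).free):
    """Return the free bytes on `path` or raise InsufficientSpaceError.

    `free_bytes` is injectable so the check can be exercised without touching
    a real filesystem.
    """
    free = free_bytes(path)
    need = required_bytes(image_size)
    if not space_ok(free, image_size):
        raise InsufficientSpaceError(
            f"{path}: {free / GIB:.2f} GiB free, need {need / GIB:.2f} GiB; "
            "delete old images or grow the partition before upgrading"
        )
    return free


if __name__ == "__main__":
    # Stand-alone usage: check the default image directory and exit non-zero
    # on failure, as an upgrade script would.
    try:
        free = check_free_space()
        print(f"OK: {free / GIB:.2f} GiB free on {DEFAULT_IMAGE_DIR}")
    except InsufficientSpaceError as exc:
        print(f"ERROR: {exc}", file=sys.stderr)
        sys.exit(1)
```

Run it on a real system as-is, or call `check_free_space(path, image_size)` from an upgrade workflow; the injectable `free_bytes` callable makes it easy to unit-test the threshold logic.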

New features

  • New command to disable sending IPv6 router advertisements for BGP next hops: set protocols bgp parameters no-ipv6-auto-ra (T7531).
  • The command to renew ACME certificates (renew certbot) now supports force option (T7574).
  • We finally added a general solution to the problem of bridge firewall rules for protocols that do not create valid "connections" from conntrack's point of view. Previously we just kept adding known affected protocols to a hardcoded list. Now you can add exempt protocols yourself, for example: set firewall global-options apply-to-bridged-traffic accept-invalid ethernet-type 'dhcp' (T6951).

Bug fixes

  • NAT translation address option check is now a lot faster — large configs could take minutes to commit, but now commit in under a minute (T7237).
  • We finally fixed that long-standing bug that could make some conntrack sysctl options have no effect until the second reboot after installation (T7208).
  • OSPF CLI now correctly warns about incorrect area type values (T7510).
  • VyOS now correctly disallows using the routing table number 254 for VRF, since that value is reserved for the default table in Linux (T7506).
  • run show/monitor log container commands now work correctly when the driver is set to journald (T7473).
  • run show interfaces wireguard no longer fails on interfaces with fwmark option (T7554).
  • Fixed a config migration issue with the next-hop-interface static route option (T6968).
  • Fixed a commit error in PKI when HAProxy was not used (T7573).
  • run show wan-load-balance command works correctly again (T7567).
  • Trying to create a VRF named vni no longer leads to commit errors (T7544).

Operational mode rework

The ability to create operator-level users that can run operational mode commands but cannot change the configuration is one of our most long-standing feature requests. To make it happen, we have to get rid of the legacy operational command runner and replace it with a completely different design.

The bad part is that it's very time-consuming work that also reveals issues that can break existing commands — it did break a lot of commands in rolling release images and we are grateful to all community members who helped us spot and fix those (T7527)!

Tangentially, the old command show login level is now removed (T7538) — it does nothing and the new permissions CLI will be different so it will need its own commands.

The good part is that having a properly machine-readable operational command tree will make other nice things possible, such as embedded command help.

The new approach also requires that every operational mode path must be unique. We already added a uniqueness check to fail the vyos-1x package build if any non-unique nodes are found. How can nodes be non-unique?

The thing is that many old command definitions used nodes with duplicate names or a child node called node.tag as a hack to allow some commands to be executed either with or without child arguments, such as show interfaces ethernet (show all Ethernet interfaces) or show interfaces ethernet eth0. The XML-based format did not support that use case natively, so people resorted to hacks that the schema did not forbid and that the converter script turned into valid data for the legacy runner. Now there's native support for that use case: include a <standalone> tag in a <tagNode> if you just want to allow executing a tag node command with no arguments (T7542), or use a <virtualTagNode> child if you need a command tree with keyword arguments and variable child node names at the same level, like in show interfaces ethernet detail and show interfaces ethernet eth0 physical (T7560).
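To show what the build-time uniqueness check mentioned above has to catch, here is an added example (not the vyos-1x build tooling) that walks an op-mode XML definition and reports the two legacy hacks the post describes: sibling nodes sharing a name and a child literally named node.tag. It assumes the vyos-1x op-mode layout of <interfaceDefinition>, <node>, <tagNode> and <children> elements; the sample definition embedded in it is constructed for this example.

```python
"""Find non-unique operational-mode command paths in a VyOS-style XML definition.

Added example, not code from vyos-1x. Assumes the op-mode definition layout
used by vyos-1x: <interfaceDefinition> containing <node>/<tagNode> elements,
each with optional <properties>, <command> and <children>.
"""
import xml.etree.ElementTree as ET

# Constructed sample: 'ethernet' is defined twice under 'show interfaces'
# (once as a plain node, once as a tagNode) to allow both 'show interfaces
# ethernet' and 'show interfaces ethernet eth0', and the tagNode carries a
# 'node.tag' child, the legacy way of accepting an optional extra argument.
SAMPLE_XML = """<?xml version="1.0"?>
<interfaceDefinition>
  <node name="show">
    <children>
      <node name="interfaces">
        <children>
          <node name="ethernet">
            <properties><help>Show all Ethernet interfaces</help></properties>
            <command>echo all ethernet</command>
          </node>
          <tagNode name="ethernet">
            <properties><help>Show one Ethernet interface</help></properties>
            <command>echo "$4"</command>
            <children>
              <tagNode name="node.tag">
                <command>echo "$4 $5"</command>
              </tagNode>
            </children>
          </tagNode>
          <tagNode name="wireguard">
            <command>echo "$4"</command>
          </tagNode>
        </children>
      </node>
    </children>
  </node>
</interfaceDefinition>
"""

NODE_TAGS = ("node", "tagNode", "leafNode")


def find_non_unique_paths(xml_text):
    """Return a sorted list of (command path, reason) tuples describing problems."""
    root = ET.fromstring(xml_text)
    problems = []
    _walk(root, (), problems)
    return sorted(problems)


def _walk(parent, path, problems):
    # Direct children of <interfaceDefinition> are command nodes; every other
    # node keeps its sub-commands inside a <children> element.
    container = parent if parent.tag == "interfaceDefinition" else parent.find("children")
    if container is None:
        return
    seen = {}  # sibling name -> element tag that first claimed it
    for child in container:
        if child.tag not in NODE_TAGS:
            continue
        name = child.get("name", "")
        child_path = path + (name,)
        display = " ".join(child_path)
        if name == "node.tag":
            problems.append((display, "child named node.tag (legacy optional-argument hack)"))
        if name in seen:
            problems.append((display,
                             f"duplicate sibling: <{seen[name]}> and <{child.tag}> both named '{name}'"))
        else:
            seen[name] = child.tag
        _walk(child, child_path, problems)


if __name__ == "__main__":
    # A package build would fail when this list is non-empty.
    for path, reason in find_non_unique_paths(SAMPLE_XML):
        print(f"{path}: {reason}")
```

Pointing `find_non_unique_paths` at every definition file and failing the build when it returns anything is the shape of check the post describes; the fix for each hit is the native <standalone> or <virtualTagNode> support rather than a second sibling of the same name.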

That's all for now, but stay tuned for updates!