diff --git a/data/templates/system/cloud_init_networking.j2 b/data/templates/system/cloud_init_networking.j2
new file mode 100644
index 000000000..52cce72f8
--- /dev/null
+++ b/data/templates/system/cloud_init_networking.j2
@@ -0,0 +1,9 @@
+network:
+ version: 2
+ ethernets:
+{% for iface in ifaces_list %}
+ {{ iface['name'] }}:
+ dhcp4: true
+ match:
+ macaddress: "{{ iface['mac'] }}"
+{% endfor %}
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index ddc189508..6653cd585 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -1,126 +1,129 @@
#!/bin/sh -e
# Turn off Debian default for %sudo
sed -i -e '/^%sudo/d' /etc/sudoers || true
# Add minion user for salt-minion
if ! grep -q '^minion' /etc/passwd; then
adduser --quiet --firstuid 100 --system --disabled-login --ingroup vyattacfg \
--gecos "salt minion user" --shell /bin/vbash minion
adduser --quiet minion frrvty
adduser --quiet minion sudo
adduser --quiet minion adm
adduser --quiet minion dip
adduser --quiet minion disk
adduser --quiet minion users
adduser --quiet minion frr
fi
# OpenVPN should get its own user
if ! grep -q '^openvpn' /etc/passwd; then
adduser --quiet --firstuid 100 --system --group --shell /usr/sbin/nologin openvpn
fi
# Enable 2FA/MFA support for SSH and local logins
for file in /etc/pam.d/sshd /etc/pam.d/login
do
PAM_CONFIG="# Check 2FA/MFA authentication token if enabled (per user)\nauth required pam_google_authenticator.so nullok forward_pass\n"
grep -qF -- "pam_google_authenticator.so" $file || \
sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file
done
# Add RADIUS operator user for RADIUS authenticated users to map to
if ! grep -q '^radius_user' /etc/passwd; then
adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattaop \
--no-create-home --gecos "radius user" \
--shell /sbin/radius_shell radius_user
adduser --quiet radius_user frrvty
adduser --quiet radius_user vyattaop
adduser --quiet radius_user operator
adduser --quiet radius_user adm
adduser --quiet radius_user dip
adduser --quiet radius_user users
fi
# Add RADIUS admin user for RADIUS authenticated users to map to
if ! grep -q '^radius_priv_user' /etc/passwd; then
adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattacfg \
--no-create-home --gecos "radius privileged user" \
--shell /sbin/radius_shell radius_priv_user
adduser --quiet radius_priv_user frrvty
adduser --quiet radius_priv_user vyattacfg
adduser --quiet radius_priv_user sudo
adduser --quiet radius_priv_user adm
adduser --quiet radius_priv_user dip
adduser --quiet radius_priv_user disk
adduser --quiet radius_priv_user users
adduser --quiet radius_priv_user frr
fi
# add hostsd group for vyos-hostsd
if ! grep -q '^hostsd' /etc/group; then
addgroup --quiet --system hostsd
fi
# add dhcpd user for dhcp-server
if ! grep -q '^dhcpd' /etc/passwd; then
adduser --quiet --system --disabled-login --no-create-home --home /run/dhcp-server dhcpd
adduser --quiet dhcpd hostsd
fi
# ensure hte proxy user has a proper shell
chsh -s /bin/sh proxy
# create /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
POSTCONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
if [ ! -x $POSTCONFIG_SCRIPT ]; then
mkdir -p $(dirname $POSTCONFIG_SCRIPT)
touch $POSTCONFIG_SCRIPT
chmod 755 $POSTCONFIG_SCRIPT
cat <<EOF >>$POSTCONFIG_SCRIPT
#!/bin/sh
# This script is executed at boot time after VyOS configuration is fully applied.
# Any modifications required to work around unfixed bugs
# or use services not available through the VyOS CLI system can be placed here.
EOF
fi
# symlink destination is deleted during ISO assembly - this generates some noise
# when the system boots: systemd-sysv-generator[1881]: stat() failed on
# /etc/init.d/README, ignoring: No such file or directory. Thus we simply drop
# the file.
if [ -L /etc/init.d/README ]; then
rm -f /etc/init.d/README
fi
# Remove unwanted daemon files from /etc
# conntackd
# pmacct
# fastnetmon
# ntp
DELETE="/etc/logrotate.d/conntrackd.distrib /etc/init.d/conntrackd /etc/default/conntrackd
/etc/default/pmacctd /etc/pmacct
/etc/networks_list /etc/networks_whitelist /etc/fastnetmon.conf
/etc/ntp.conf /etc/default/ssh
/etc/powerdns /etc/default/pdns-recursor
/etc/ppp/ip-up.d/0000usepeerdns /etc/ppp/ip-down.d/0000usepeerdns"
for tmp in $DELETE; do
if [ -e ${tmp} ]; then
rm -rf ${tmp}
fi
done
# Remove logrotate items controlled via CLI and VyOS defaults
sed -i '/^\/var\/log\/messages$/d' /etc/logrotate.d/rsyslog
sed -i '/^\/var\/log\/auth.log$/d' /etc/logrotate.d/rsyslog
# Fix FRR pam.d "vtysh_pam" vtysh_pam: Failed in account validation T5110
if test -f /etc/pam.d/frr; then
if grep -q 'pam_rootok.so' /etc/pam.d/frr; then
sed -i -re 's/rootok/permit/' /etc/pam.d/frr
fi
fi
+# Enable Cloud-init pre-configuration service
+systemctl enable vyos-config-cloud-init.service
+
# Generate API GraphQL schema
/usr/libexec/vyos/services/api/graphql/generate/generate_schema.py
diff --git a/src/system/vyos-config-cloud-init.py b/src/system/vyos-config-cloud-init.py
new file mode 100755
index 000000000..0a6c1f9bc
--- /dev/null
+++ b/src/system/vyos-config-cloud-init.py
@@ -0,0 +1,169 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import logging
+from concurrent.futures import ProcessPoolExecutor
+from pathlib import Path
+from subprocess import run, TimeoutExpired
+from sys import exit
+
+from psutil import net_if_addrs, AF_LINK
+from systemd.journal import JournalHandler
+from yaml import safe_load
+
+from vyos.template import render
+
+# define a path to the configuration file and template
+config_file = '/etc/cloud/cloud.cfg.d/20_vyos_network.cfg'
+template_file = 'system/cloud_init_networking.j2'
+
+
+def check_interface_dhcp(iface_name: str) -> bool:
+ """Check DHCP client can work on an interface
+
+ Args:
+ iface_name (str): interface name
+
+ Returns:
+ bool: check result
+ """
+ dhclient_command: list[str] = [
+ 'dhclient', '-4', '-1', '-q', '--no-pid', '-sf', '/bin/true', iface_name
+ ]
+ check_result = False
+ # try to get an IP address
+ # we use dhclient behavior here to speedup detection
+ # if dhclient receives a configuration and configure an interface
+ # it switch to background
+ # If no - it will keep running in foreground
+ try:
+ run(['ip', 'l', 'set', iface_name, 'up'])
+ run(dhclient_command, timeout=5)
+ check_result = True
+ except TimeoutExpired:
+ pass
+ finally:
+ run(['ip', 'l', 'set', iface_name, 'down'])
+
+ logger.info(f'DHCP server was found on {iface_name}: {check_result}')
+ return check_result
+
+
+def dhclient_cleanup() -> None:
+ """Clean up after dhclients
+ """
+ run(['killall', 'dhclient'])
+ leases_file: Path = Path('/var/lib/dhcp/dhclient.leases')
+ leases_file.unlink(missing_ok=True)
+ logger.debug('cleaned up after dhclients')
+
+
+def dict_interfaces() -> dict[str, str]:
+ """Return list of available network interfaces except loopback
+
+ Returns:
+ list[str]: a list of interfaces
+ """
+ interfaces_dict: dict[str, str] = {}
+ ifaces = net_if_addrs()
+ for iface_name, iface_addresses in ifaces.items():
+ # we do not need loopback interface
+ if iface_name == 'lo':
+ continue
+ # check other interfaces for MAC addresses
+ for iface_addr in iface_addresses:
+ if iface_addr.family == AF_LINK and iface_addr.address:
+ interfaces_dict[iface_name] = iface_addr.address
+ continue
+
+ logger.debug(f'found interfaces: {interfaces_dict}')
+ return interfaces_dict
+
+
+def need_to_check() -> bool:
+ """Check if we need to perform DHCP checks
+
+ Returns:
+ bool: check result
+ """
+ # if cloud-init config does not exist, we do not need to do anything
+ ci_config_vyos = Path('/etc/cloud/cloud.cfg.d/20_vyos_custom.cfg')
+ if not ci_config_vyos.exists():
+ logger.info(
+ 'No need to check interfaces: Cloud-init config file was not found')
+ return False
+
+ # load configuration file
+ try:
+ config = safe_load(ci_config_vyos.read_text())
+ except:
+ logger.error('Cloud-init config file has a wrong format')
+ return False
+
+ # check if we have in config configured option
+ # vyos_config_options:
+ # network_preconfigure: true
+ if not config.get('vyos_config_options', {}).get('network_preconfigure'):
+ logger.info(
+ 'No need to check interfaces: Cloud-init config option "network_preconfigure" is not set'
+ )
+ return False
+
+ return True
+
+
+if __name__ == '__main__':
+ # prepare logger
+ logger = logging.getLogger(__name__)
+ logger.addHandler(JournalHandler(SYSLOG_IDENTIFIER=Path(__file__).name))
+ logger.setLevel(logging.INFO)
+
+ # we need to give udev some time to rename all interfaces
+ # this is placed before need_to_check() call, because we are not always
+ # need to preconfigure cloud-init, but udev always need to finish its work
+ # before cloud-init start
+ run(['udevadm', 'settle'])
+ logger.info('udev finished its work, we continue')
+
+ # do not perform any checks if this is not required
+ if not need_to_check():
+ exit()
+
+ # get list of interfaces and check them
+ interfaces_dhcp: list[dict[str, str]] = []
+ interfaces_dict: dict[str, str] = dict_interfaces()
+
+ with ProcessPoolExecutor(max_workers=len(interfaces_dict)) as executor:
+ iface_check_results = [{
+ 'dhcp': executor.submit(check_interface_dhcp, iface_name),
+ 'append': {
+ 'name': iface_name,
+ 'mac': iface_mac
+ }
+ } for iface_name, iface_mac in interfaces_dict.items()]
+
+ dhclient_cleanup()
+
+ for iface_check_result in iface_check_results:
+ if iface_check_result.get('dhcp').result():
+ interfaces_dhcp.append(iface_check_result.get('append'))
+
+ # render cloud-init config
+ if interfaces_dhcp:
+ logger.debug('rendering cloud-init network configuration')
+ render(config_file, template_file, {'ifaces_list': interfaces_dhcp})
+
+ exit()
diff --git a/src/systemd/vyos-config-cloud-init.service b/src/systemd/vyos-config-cloud-init.service
new file mode 100644
index 000000000..ba6f90e6d
--- /dev/null
+++ b/src/systemd/vyos-config-cloud-init.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=Pre-configure Cloud-init
+DefaultDependencies=no
+Requires=systemd-remount-fs.service
+Requires=systemd-udevd.service
+Wants=network-pre.target
+After=systemd-remount-fs.service
+After=systemd-udevd.service
+Before=cloud-init-local.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/vyos/system/vyos-config-cloud-init.py
+TimeoutSec=120
+KillMode=process
+StandardOutput=journal+console
+
+[Install]
+WantedBy=cloud-init-local.service