diff --git a/debian/control b/debian/control
index 726a083f2..dddc4e14c 100644
--- a/debian/control
+++ b/debian/control
@@ -1,332 +1,336 @@
Source: vyos-1x
Section: contrib/net
Priority: extra
Maintainer: VyOS Package Maintainers <maintainers@vyos.net>
Build-Depends:
debhelper (>= 9),
dh-python,
fakeroot,
gcc,
iproute2,
libvyosconfig0 (>= 0.0.7),
libzmq3-dev,
python3 (>= 3.10),
# For generating command definitions
python3-lxml,
python3-xmltodict,
# For running tests
python3-coverage,
python3-netifaces,
python3-nose,
python3-jinja2,
python3-psutil,
python3-setuptools,
python3-sphinx,
quilt,
whois
Standards-Version: 3.9.6
Package: vyos-1x
Architecture: amd64 arm64
Pre-Depends:
libnss-tacplus [amd64],
libpam-tacplus [amd64],
libpam-radius-auth [amd64]
Depends:
## Fundamentals
${python3:Depends} (>= 3.10),
libvyosconfig0,
vyatta-bash,
vyatta-cfg,
vyos-http-api-tools,
vyos-utils,
## End of Fundamentals
## Python libraries used in multiple modules and scripts
python3,
python3-cryptography,
python3-hurry.filesize,
python3-inotify,
python3-jinja2,
python3-jmespath,
python3-netaddr,
python3-netifaces,
python3-paramiko,
python3-passlib,
python3-psutil,
python3-pyhumps,
python3-pystache,
python3-pyudev,
python3-six,
python3-tabulate,
python3-voluptuous,
python3-xmltodict,
python3-zmq,
## End of Python libraries
## Basic System services and utilities
sudo,
systemd,
bsdmainutils,
openssl,
curl,
dbus,
file,
iproute2 (>= 6.0.0),
linux-cpupower,
# ipaddrcheck is widely used in IP value validators
ipaddrcheck,
ethtool,
fdisk,
lm-sensors,
procps,
netplug,
sed,
ssl-cert,
tuned,
beep,
wide-dhcpv6-client,
# Generic colorizer
grc,
## End of System services and utilities
## For the installer
# Image signature verification tool
minisign,
# Live filesystem tools
squashfs-tools,
fuse-overlayfs,
## End installer
auditd,
iputils-arping,
isc-dhcp-client,
# For "vpn pptp", "vpn l2tp", "vpn sstp", "service ipoe-server"
accel-ppp,
# End "vpn pptp", "vpn l2tp", "vpn sstp", "service ipoe-server"
avahi-daemon,
conntrack,
conntrackd,
## Conf mode features
# For "interfaces wireless"
hostapd,
hsflowd,
iw,
wireless-regdb,
wpasupplicant (>= 0.6.7),
# End "interfaces wireless"
# For "interfaces wwan"
modemmanager,
usb-modeswitch,
libqmi-utils,
# End "interfaces wwan"
# For "interfaces openvpn"
openvpn,
openvpn-auth-ldap,
openvpn-auth-radius,
openvpn-otp,
libpam-google-authenticator,
# End "interfaces openvpn"
# For "interfaces wireguard"
wireguard-tools,
qrencode,
# End "interfaces wireguard"
# For "interfaces pppoe"
pppoe,
# End "interfaces pppoe"
# For "interfaces sstpc"
sstp-client,
# End "interfaces sstpc"
# For "protocols *"
frr (>= 7.5),
frr-pythontools,
frr-rpki-rtrlib,
frr-snmp,
# End "protocols *"
# For "protocols nhrp" (part of DMVPN)
opennhrp,
# End "protocols nhrp"
# For "protocols igmp-proxy"
igmpproxy,
# End "protocols igmp-proxy"
# For "pki"
certbot,
# End "pki"
# For "service console-server"
conserver-client,
conserver-server,
console-data,
dropbear,
# End "service console-server"
# For "service aws glb"
aws-gwlbtun,
# For "service dns dynamic"
ddclient (>= 3.11.1),
# End "service dns dynamic"
# # For "service ids"
fastnetmon [amd64],
# End "service ids"
# # For "service ndp-proxy"
ndppd,
# End "service ndp-proxy"
# For "service router-advert"
radvd,
# End "service route-advert"
# For "high-availability reverse-proxy"
haproxy,
# End "high-availability reverse-proxy"
# For "service dhcp-relay"
isc-dhcp-relay,
# For "service dhcp-server"
kea,
# End "service dhcp-server"
# For "service lldp"
lldpd,
# End "service lldp"
# For "service https"
nginx-light,
# End "service https"
# For "service ssh"
openssh-server,
sshguard,
# End "service ssh"
# For "service salt-minion"
salt-minion,
# End "service salt-minion"
# For "service snmp"
snmp,
snmpd,
# End "service snmp"
# For "service upnp"
miniupnpd-nftables,
# End "service upnp"
# For "service webproxy"
squid,
squidclient,
squidguard,
# End "service webproxy"
# For "service monitoring telegraf"
telegraf (>= 1.20),
# End "service monitoring telegraf"
# For "service monitoring zabbix-agent"
zabbix-agent2,
# End "service monitoring zabbix-agent"
# For "service tftp-server"
tftpd-hpa,
# End "service tftp-server"
# For "service dns forwarding"
pdns-recursor,
# End "service dns forwarding"
# For "service sla owamp"
owamp-client,
owamp-server,
# End "service sla owamp"
# For "service sla twamp"
twamp-client,
twamp-server,
# End "service sla twamp"
# For "service broadcast-relay"
udp-broadcast-relay,
# End "service broadcast-relay"
# For "high-availability vrrp"
keepalived (>=2.0.5),
# End "high-availability-vrrp"
# For "system task-scheduler"
cron,
# End "system task-scheduler"
# For "system lcd"
lcdproc,
lcdproc-extra-drivers,
# End "system lcd"
# For "system config-management commit-archive"
git,
# End "system config-management commit-archive"
# For firewall
libndp-tools,
libnetfilter-conntrack3,
libnfnetlink0,
nfct,
nftables (>= 0.9.3),
# For "vpn ipsec"
strongswan (>= 5.9),
strongswan-swanctl (>= 5.9),
charon-systemd,
libcharon-extra-plugins (>=5.9),
libcharon-extauth-plugins (>=5.9),
libstrongswan-extra-plugins (>=5.9),
libstrongswan-standard-plugins (>=5.9),
python3-vici (>= 5.7.2),
# End "vpn ipsec"
# For "nat64"
jool,
# End "nat64"
# For "system ntp"
chrony,
# End "system ntp"
# For "vpn openconnect"
ocserv,
# End "vpn openconnect"
# For "system flow-accounting"
pmacct (>= 1.6.0),
# End "system flow-accounting"
# For container
podman,
netavark,
aardvark-dns,
# iptables is only used for containers now, not the the firewall CLI
iptables,
# End container
## End Configuration mode
## Operational mode
# Used for hypervisor model in "run show version"
hvinfo,
# For "run traceroute"
traceroute,
# For "run monitor traffic"
tcpdump,
# End "run monitor traffic"
# For "show hardware dmi"
dmidecode,
# For "run show hardware storage smart"
smartmontools,
# For "run show hardware scsi"
lsscsi,
# For "run show hardware pci"
pciutils,
# For "show hardware usb"
usbutils,
# For "run show hardware storage nvme"
nvme-cli,
# For "run monitor bandwidth-test"
iperf,
iperf3,
# End "run monitor bandwidth-test"
# For "run wake-on-lan"
etherwake,
# For "run force ipv6-nd"
ndisc6,
# For "run monitor bandwidth"
bmon,
# End Operational mode
+## TPM tools
+ cryptsetup,
+ tpm2-tools,
+## End TPM tools
## Optional utilities
easy-rsa,
tcptraceroute,
mtr-tiny,
telnet,
stunnel4,
uidmap
## End optional utilities
Description: VyOS configuration scripts and data
VyOS configuration scripts, interface definitions, and everything
Package: vyos-1x-vmware
Architecture: amd64
Depends:
vyos-1x,
open-vm-tools
Description: VyOS configuration scripts and data for VMware
Adds configuration files required for VyOS running on VMware hosts.
Package: vyos-1x-smoketest
Architecture: all
Depends:
skopeo,
snmp,
vyos-1x
Description: VyOS build sanity checking toolkit
diff --git a/op-mode-definitions/crypt.xml.in b/op-mode-definitions/crypt.xml.in
new file mode 100644
index 000000000..105592a1a
--- /dev/null
+++ b/op-mode-definitions/crypt.xml.in
@@ -0,0 +1,28 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="encryption">
+ <properties>
+ <help>Manage config encryption</help>
+ </properties>
+ <children>
+ <node name="disable">
+ <properties>
+ <help>Disable config encryption using TPM or recovery key</help>
+ </properties>
+ <command>sudo ${vyos_libexec_dir}/vyos-config-encrypt.py --disable</command>
+ </node>
+ <node name="enable">
+ <properties>
+ <help>Enable config encryption using TPM</help>
+ </properties>
+ <command>sudo ${vyos_libexec_dir}/vyos-config-encrypt.py --enable</command>
+ </node>
+ <node name="load">
+ <properties>
+ <help>Load encrypted config volume using TPM or recovery key</help>
+ </properties>
+ <command>sudo ${vyos_libexec_dir}/vyos-config-encrypt.py --load</command>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/python/vyos/tpm.py b/python/vyos/tpm.py
new file mode 100644
index 000000000..f120e10c4
--- /dev/null
+++ b/python/vyos/tpm.py
@@ -0,0 +1,98 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import tempfile
+
+from vyos.util import rc_cmd
+
+default_pcrs = ['0','2','4','7']
+tpm_handle = 0x81000000
+
+def init_tpm(clear=False):
+ """
+ Initialize TPM
+ """
+ code, output = rc_cmd('tpm2_startup' + (' -c' if clear else ''))
+ if code != 0:
+ raise Exception('init_tpm: Failed to initialize TPM')
+
+def clear_tpm_key():
+ """
+ Clear existing key on TPM
+ """
+ code, output = rc_cmd(f'tpm2_evictcontrol -C o -c {tpm_handle}')
+ if code != 0:
+ raise Exception('clear_tpm_key: Failed to clear TPM key')
+
+def read_tpm_key(index=0, pcrs=default_pcrs):
+ """
+ Read existing key on TPM
+ """
+ with tempfile.TemporaryDirectory() as tpm_dir:
+ pcr_str = ",".join(pcrs)
+
+ tpm_key_file = os.path.join(tpm_dir, 'tpm_key.key')
+ code, output = rc_cmd(f'tpm2_unseal -c {tpm_handle + index} -p pcr:sha256:{pcr_str} -o {tpm_key_file}')
+ if code != 0:
+ raise Exception('read_tpm_key: Failed to read key from TPM')
+
+ with open(tpm_key_file, 'rb') as f:
+ tpm_key = f.read()
+
+ return tpm_key
+
+def write_tpm_key(key, index=0, pcrs=default_pcrs):
+ """
+ Saves key to TPM
+ """
+ with tempfile.TemporaryDirectory() as tpm_dir:
+ pcr_str = ",".join(pcrs)
+
+ policy_file = os.path.join(tpm_dir, 'policy.digest')
+ code, output = rc_cmd(f'tpm2_createpolicy --policy-pcr -l sha256:{pcr_str} -L {policy_file}')
+ if code != 0:
+ raise Exception('write_tpm_key: Failed to create policy digest')
+
+ primary_context_file = os.path.join(tpm_dir, 'primary.ctx')
+ code, output = rc_cmd(f'tpm2_createprimary -C e -g sha256 -G rsa -c {primary_context_file}')
+ if code != 0:
+ raise Exception('write_tpm_key: Failed to create primary key')
+
+ key_file = os.path.join(tpm_dir, 'crypt.key')
+ with open(key_file, 'wb') as f:
+ f.write(key)
+
+ public_obj = os.path.join(tpm_dir, 'obj.pub')
+ private_obj = os.path.join(tpm_dir, 'obj.key')
+ code, output = rc_cmd(
+ f'tpm2_create -g sha256 \
+ -u {public_obj} -r {private_obj} \
+ -C {primary_context_file} -L {policy_file} -i {key_file}')
+
+ if code != 0:
+ raise Exception('write_tpm_key: Failed to create object')
+
+ load_context_file = os.path.join(tpm_dir, 'load.ctx')
+ code, output = rc_cmd(f'tpm2_load -C {primary_context_file} -u {public_obj} -r {private_obj} -c {load_context_file}')
+
+ if code != 0:
+ raise Exception('write_tpm_key: Failed to load object')
+
+ code, output = rc_cmd(f'tpm2_evictcontrol -c {load_context_file} -C o {tpm_handle + index}')
+
+ if code != 0:
+ raise Exception('write_tpm_key: Failed to write object to TPM')
diff --git a/src/helpers/vyos-config-encrypt.py b/src/helpers/vyos-config-encrypt.py
new file mode 100755
index 000000000..8f7359767
--- /dev/null
+++ b/src/helpers/vyos-config-encrypt.py
@@ -0,0 +1,276 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import re
+import shutil
+import sys
+
+from argparse import ArgumentParser
+from cryptography.fernet import Fernet
+from tempfile import NamedTemporaryFile
+from tempfile import TemporaryDirectory
+
+from vyos.tpm import clear_tpm_key
+from vyos.tpm import init_tpm
+from vyos.tpm import read_tpm_key
+from vyos.tpm import write_tpm_key
+from vyos.util import ask_input
+from vyos.util import ask_yes_no
+from vyos.util import cmd
+
+persistpath_cmd = '/opt/vyatta/sbin/vyos-persistpath'
+mount_paths = ['/config', '/opt/vyatta/etc/config']
+dm_device = '/dev/mapper/vyos_config'
+
+def is_opened():
+ return os.path.exists(dm_device)
+
+def get_current_image():
+ with open('/proc/cmdline', 'r') as f:
+ args = f.read().split(" ")
+ for arg in args:
+ if 'vyos-union' in arg:
+ k, v = arg.split("=")
+ path_split = v.split("/")
+ return path_split[-1]
+ return None
+
+def load_config(key):
+ if not key:
+ return
+
+ persist_path = cmd(persistpath_cmd).strip()
+ image_name = get_current_image()
+ image_path = os.path.join(persist_path, 'luks', image_name)
+
+ if not os.path.exists(image_path):
+ raise Exception("Encrypted config volume doesn't exist")
+
+ if is_opened():
+ print('Encrypted config volume is already mounted')
+ return
+
+ with NamedTemporaryFile(dir='/dev/shm', delete=False) as f:
+ f.write(key)
+ key_file = f.name
+
+ cmd(f'cryptsetup -q open {image_path} vyos_config --key-file={key_file}')
+
+ for path in mount_paths:
+ cmd(f'mount /dev/mapper/vyos_config {path}')
+ cmd(f'chgrp -R vyattacfg {path}')
+
+ os.unlink(key_file)
+
+ return True
+
+def encrypt_config(key, recovery_key):
+ if is_opened():
+ raise Exception('An encrypted config volume is already mapped')
+
+ # Clear and write key to TPM
+ try:
+ clear_tpm_key()
+ except:
+ pass
+ write_tpm_key(key)
+
+ persist_path = cmd(persistpath_cmd).strip()
+ size = ask_input('Enter size of encrypted config partition (MB): ', numeric_only=True, default=512)
+
+ luks_folder = os.path.join(persist_path, 'luks')
+
+ if not os.path.isdir(luks_folder):
+ os.mkdir(luks_folder)
+
+ image_name = get_current_image()
+ image_path = os.path.join(luks_folder, image_name)
+
+ # Create file for encrypted config
+ cmd(f'fallocate -l {size}M {image_path}')
+
+ # Write TPM key for slot #1
+ with NamedTemporaryFile(dir='/dev/shm', delete=False) as f:
+ f.write(key)
+ key_file = f.name
+
+ # Format and add main key to volume
+ cmd(f'cryptsetup -q luksFormat {image_path} {key_file}')
+
+ if recovery_key:
+ # Write recovery key for slot 2
+ with NamedTemporaryFile(dir='/dev/shm', delete=False) as f:
+ f.write(recovery_key)
+ recovery_key_file = f.name
+
+ cmd(f'cryptsetup -q luksAddKey {image_path} {recovery_key_file} --key-file={key_file}')
+
+ # Open encrypted volume and format with ext4
+ cmd(f'cryptsetup -q open {image_path} vyos_config --key-file={key_file}')
+ cmd('mkfs.ext4 /dev/mapper/vyos_config')
+
+ with TemporaryDirectory() as d:
+ cmd(f'mount /dev/mapper/vyos_config {d}')
+
+ # Move /config to encrypted volume
+ shutil.copytree('/config', d, copy_function=shutil.move, dirs_exist_ok=True)
+
+ cmd(f'umount {d}')
+
+ os.unlink(key_file)
+
+ if recovery_key:
+ os.unlink(recovery_key_file)
+
+ for path in mount_paths:
+ cmd(f'mount /dev/mapper/vyos_config {path}')
+ cmd(f'chgrp vyattacfg {path}')
+
+ return True
+
+def decrypt_config(key):
+ if not key:
+ return
+
+ persist_path = cmd(persistpath_cmd).strip()
+ image_name = get_current_image()
+ image_path = os.path.join(persist_path, 'luks', image_name)
+
+ if not os.path.exists(image_path):
+ raise Exception("Encrypted config volume doesn't exist")
+
+ key_file = None
+
+ if not is_opened():
+ with NamedTemporaryFile(dir='/dev/shm', delete=False) as f:
+ f.write(key)
+ key_file = f.name
+
+ cmd(f'cryptsetup -q open {image_path} vyos_config --key-file={key_file}')
+
+ # unmount encrypted volume mount points
+ for path in mount_paths:
+ if os.path.ismount(path):
+ cmd(f'umount {path}')
+
+ # If /config is populated, move to /config.old
+ if len(os.listdir('/config')) > 0:
+ print('Moving existing /config folder to /config.old')
+ shutil.move('/config', '/config.old')
+
+ # Temporarily mount encrypted volume and migrate files to /config on rootfs
+ with TemporaryDirectory() as d:
+ cmd(f'mount /dev/mapper/vyos_config {d}')
+
+ # Move encrypted volume to /config
+ shutil.copytree(d, '/config', copy_function=shutil.move, dirs_exist_ok=True)
+ cmd(f'chgrp -R vyattacfg /config')
+
+ cmd(f'umount {d}')
+
+ # Close encrypted volume
+ cmd('cryptsetup -q close vyos_config')
+
+ # Remove encrypted volume image file and key
+ if key_file:
+ os.unlink(key_file)
+ os.unlink(image_path)
+
+ try:
+ clear_tpm_key()
+ except:
+ pass
+
+ return True
+
+if __name__ == '__main__':
+ if len(sys.argv) < 2:
+ print("Must specify action.")
+ sys.exit(1)
+
+ parser = ArgumentParser(description='Config encryption')
+ parser.add_argument('--disable', help='Disable encryption', action="store_true")
+ parser.add_argument('--enable', help='Enable encryption', action="store_true")
+ parser.add_argument('--load', help='Load encrypted config volume', action="store_true")
+ args = parser.parse_args()
+
+ tpm_exists = os.path.exists('/sys/class/tpm/tpm0')
+
+ key = None
+ recovery_key = None
+ need_recovery = False
+
+ question_key_str = 'recovery key' if tpm_exists else 'key'
+
+ if tpm_exists:
+ if args.enable:
+ key = Fernet.generate_key()
+ elif args.disable or args.load:
+ try:
+ key = read_tpm_key()
+ need_recovery = False
+ except:
+ print('Failed to read key from TPM, recovery key required')
+ need_recovery = True
+ else:
+ need_recovery = True
+
+ if args.enable and not tpm_exists:
+ print('WARNING: VyOS will boot into a default config when encrypted without a TPM')
+ print('You will need to manually login with default credentials and use "encryption load"')
+ print('to mount the encrypted volume and use "load /config/config.boot"')
+
+ if not ask_yes_no('Are you sure you want to proceed?'):
+ sys.exit(0)
+
+ if need_recovery or (args.enable and not ask_yes_no(f'Automatically generate a {question_key_str}?', default=True)):
+ while True:
+ recovery_key = ask_input(f'Enter {question_key_str}:', default=None).encode()
+
+ if len(recovery_key) >= 32:
+ break
+
+ print('Invalid key - must be at least 32 characters, try again.')
+ else:
+ recovery_key = Fernet.generate_key()
+
+ try:
+ if args.disable:
+ decrypt_config(key or recovery_key)
+
+ print('Encrypted config volume has been disabled')
+ print('Contents have been migrated to /config on rootfs')
+ elif args.load:
+ load_config(key or recovery_key)
+
+ print('Encrypted config volume has been mounted')
+ print('Use "load /config/config.boot" to load configuration')
+ elif args.enable and tpm_exists:
+ encrypt_config(key, recovery_key)
+
+ print('Encrypted config volume has been enabled with TPM')
+ print('Backup the recovery key in a safe place!')
+ print('Recovery key: ' + recovery_key.decode())
+ elif args.enable:
+ encrypt_config(recovery_key)
+
+ print('Encrypted config volume has been enabled without TPM')
+ print('Backup the key in a safe place!')
+ print('Key: ' + recovery_key.decode())
+ except Exception as e:
+ word = 'decrypt' if args.disable or args.load else 'encrypt'
+ print(f'Failed to {word} config: {e}')
diff --git a/src/init/vyos-router b/src/init/vyos-router
index 912a9ef3b..adf892371 100755
--- a/src/init/vyos-router
+++ b/src/init/vyos-router
@@ -1,488 +1,555 @@
#!/bin/bash
# Copyright (C) 2021-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /lib/lsb/init-functions
: ${vyatta_env:=/etc/default/vyatta}
source $vyatta_env
declare progname=${0##*/}
declare action=$1; shift
declare -x BOOTFILE=$vyatta_sysconfdir/config/config.boot
# If vyos-config= boot option is present, use that file instead
for x in $(cat /proc/cmdline); do
[[ $x = vyos-config=* ]] || continue
VYOS_CONFIG="${x#vyos-config=}"
done
if [ ! -z "$VYOS_CONFIG" ]; then
if [ -r "$VYOS_CONFIG" ]; then
echo "Config selected manually: $VYOS_CONFIG"
declare -x BOOTFILE="$VYOS_CONFIG"
else
echo "WARNING: Could not read selected config file, using default!"
fi
fi
declare -a subinit
declare -a all_subinits=( firewall )
if [ $# -gt 0 ] ; then
for s in $@ ; do
[ -x ${vyatta_sbindir}/${s}.init ] && subinit[${#subinit}]=$s
done
else
for s in ${all_subinits[@]} ; do
[ -x ${vyatta_sbindir}/${s}.init ] && subinit[${#subinit}]=$s
done
fi
GROUP=vyattacfg
# easy way to make empty file without any command
empty()
{
>$1
}
# check if bootup of this portion is disabled
disabled () {
grep -q -w no-vyos-$1 /proc/cmdline
}
+# Load encrypted config volume
+mount_encrypted_config() {
+ persist_path=$(/opt/vyatta/sbin/vyos-persistpath)
+ if [ $? == 0 ]; then
+ if [ -e $persist_path/boot ]; then
+ image_name=$(cat /proc/cmdline | sed -e s+^.*vyos-union=/boot/++ | sed -e 's/ .*$//')
+
+ if [ -z "$image_name" ]; then
+ return
+ fi
+
+ if [ ! -f $persist_path/luks/$image_name ]; then
+ return
+ fi
+
+ vyos_tpm_key=$(python3 -c 'from vyos.tpm import read_tpm_key; print(read_tpm_key().decode())' 2>/dev/null)
+
+ if [ $? -ne 0 ]; then
+ echo "ERROR: Failed to fetch encryption key from TPM. Encrypted config volume has not been mounted"
+ echo "Use 'encryption load' to load volume with recovery key"
+ echo "or 'encryption disable' to decrypt volume with recovery key"
+ return
+ fi
+
+ echo $vyos_tpm_key | tr -d '\r\n' | cryptsetup open $persist_path/luks/$image_name vyos_config --key-file=-
+
+ if [ $? -ne 0 ]; then
+ echo "ERROR: Failed to decrypt config volume. Encrypted config volume has not been mounted"
+ echo "Use 'encryption load' to load volume with recovery key"
+ echo "or 'encryption disable' to decrypt volume with recovery key"
+ return
+ fi
+
+ mount /dev/mapper/vyos_config /config
+ mount /dev/mapper/vyos_config $vyatta_sysconfdir/config
+
+ echo "Mounted encrypted config volume"
+ fi
+ fi
+}
+
+unmount_encrypted_config() {
+ persist_path=$(/opt/vyatta/sbin/vyos-persistpath)
+ if [ $? == 0 ]; then
+ if [ -e $persist_path/boot ]; then
+ image_name=$(cat /proc/cmdline | sed -e s+^.*vyos-union=/boot/++ | sed -e 's/ .*$//')
+
+ if [ -z "$image_name" ]; then
+ return
+ fi
+
+ if [ ! -f $persist_path/luks/$image_name ]; then
+ return
+ fi
+
+ umount /config
+ umount $vyatta_sysconfdir/config
+
+ cryptsetup close vyos_config
+ fi
+ fi
+}
+
# if necessary, provide initial config
init_bootfile () {
if [ ! -r $BOOTFILE ] ; then
if [ -f $vyatta_sysconfdir/config.boot.default ]; then
cp $vyatta_sysconfdir/config.boot.default $BOOTFILE
else
$vyos_libexec_dir/system-versions-foot.py > $BOOTFILE
fi
chgrp ${GROUP} $BOOTFILE
chmod 660 $BOOTFILE
fi
}
# if necessary, migrate initial config
migrate_bootfile ()
{
if [ -x $vyos_libexec_dir/run-config-migration.py ]; then
log_progress_msg migrate
sg ${GROUP} -c "$vyos_libexec_dir/run-config-migration.py $BOOTFILE"
fi
}
# load the initial config
load_bootfile ()
{
log_progress_msg configure
(
if [ -f /etc/default/vyatta-load-boot ]; then
# build-specific environment for boot-time config loading
source /etc/default/vyatta-load-boot
fi
if [ -x $vyos_libexec_dir/vyos-boot-config-loader.py ]; then
sg ${GROUP} -c "$vyos_libexec_dir/vyos-boot-config-loader.py $BOOTFILE"
fi
)
}
# restore if missing pre-config script
restore_if_missing_preconfig_script ()
{
if [ ! -x ${vyatta_sysconfdir}/config/scripts/vyos-preconfig-bootup.script ]; then
mkdir -p ${vyatta_sysconfdir}/config/scripts
chgrp ${GROUP} ${vyatta_sysconfdir}/config/scripts
chmod 775 ${vyatta_sysconfdir}/config/scripts
cp ${vyos_rootfs_dir}/opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script ${vyatta_sysconfdir}/config/scripts/
chgrp ${GROUP} ${vyatta_sysconfdir}/config/scripts/vyos-preconfig-bootup.script
chmod 750 ${vyatta_sysconfdir}/config/scripts/vyos-preconfig-bootup.script
fi
}
# execute the pre-config script
run_preconfig_script ()
{
if [ -x $vyatta_sysconfdir/config/scripts/vyos-preconfig-bootup.script ]; then
$vyatta_sysconfdir/config/scripts/vyos-preconfig-bootup.script
fi
}
# restore if missing post-config script
restore_if_missing_postconfig_script ()
{
if [ ! -x ${vyatta_sysconfdir}/config/scripts/vyos-postconfig-bootup.script ]; then
mkdir -p ${vyatta_sysconfdir}/config/scripts
chgrp ${GROUP} ${vyatta_sysconfdir}/config/scripts
chmod 775 ${vyatta_sysconfdir}/config/scripts
cp ${vyos_rootfs_dir}/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script ${vyatta_sysconfdir}/config/scripts/
chgrp ${GROUP} ${vyatta_sysconfdir}/config/scripts/vyos-postconfig-bootup.script
chmod 750 ${vyatta_sysconfdir}/config/scripts/vyos-postconfig-bootup.script
fi
}
# execute the post-config scripts
run_postconfig_scripts ()
{
if [ -x $vyatta_sysconfdir/config/scripts/vyatta-postconfig-bootup.script ]; then
$vyatta_sysconfdir/config/scripts/vyatta-postconfig-bootup.script
fi
if [ -x $vyatta_sysconfdir/config/scripts/vyos-postconfig-bootup.script ]; then
$vyatta_sysconfdir/config/scripts/vyos-postconfig-bootup.script
fi
}
run_postupgrade_script ()
{
if [ -f $vyatta_sysconfdir/config/.upgraded ]; then
# Run the system script
/usr/libexec/vyos/system/post-upgrade
# Run user scripts
if [ -d $vyatta_sysconfdir/config/scripts/post-upgrade.d ]; then
run-parts $vyatta_sysconfdir/config/scripts/post-upgrade.d
fi
rm -f $vyatta_sysconfdir/config/.upgraded
fi
}
#
# On image booted machines, we need to mount /boot from the image-specific
# boot directory so that kernel package installation will put the
# files in the right place. We also have to mount /boot/grub from the
# system-wide grub directory so that tools that edit the grub.cfg
# file will find it in the expected location.
#
bind_mount_boot ()
{
persist_path=$(/opt/vyatta/sbin/vyos-persistpath)
if [ $? == 0 ]; then
if [ -e $persist_path/boot ]; then
image_name=$(cat /proc/cmdline | sed -e s+^.*vyos-union=/boot/++ | sed -e 's/ .*$//')
if [ -n "$image_name" ]; then
mount --bind $persist_path/boot/$image_name /boot
if [ $? -ne 0 ]; then
echo "Couldn't bind mount /boot"
fi
if [ ! -d /boot/grub ]; then
mkdir /boot/grub
fi
mount --bind $persist_path/boot/grub /boot/grub
if [ $? -ne 0 ]; then
echo "Couldn't bind mount /boot/grub"
fi
fi
fi
fi
}
clear_or_override_config_files ()
{
for conf in snmp/snmpd.conf snmp/snmptrapd.conf snmp/snmp.conf \
keepalived/keepalived.conf cron.d/vyos-crontab \
ipvsadm.rules default/ipvsadm resolv.conf
do
if [ -s /etc/$conf ] ; then
empty /etc/$conf
chmod 0644 /etc/$conf
fi
done
}
update_interface_config ()
{
if [ -d /run/udev/vyos ]; then
$vyos_libexec_dir/vyos-interface-rescan.py $BOOTFILE
fi
}
cleanup_post_commit_hooks () {
# Remove links from the post-commit hooks directory.
# note that this approach only supports hooks that are "configured",
# i.e., it does not support hooks that need to always be present.
cpostdir=$(cli-shell-api getPostCommitHookDir)
# exclude commit hooks that need to always be present
excluded="00vyos-sync 10vyatta-log-commit.pl 99vyos-user-postcommit-hooks"
if [ -d "$cpostdir" ]; then
for f in $cpostdir/*; do
if [[ ! $excluded =~ $(basename $f) ]]; then
rm -f $cpostdir/$(basename $f)
fi
done
fi
}
# These are all the default security setting which are later
# overridden when configuration is read. These are the values the
# system defaults.
security_reset ()
{
# restore NSS cofniguration back to sane system defaults
# will be overwritten later when configuration is loaded
cat <<EOF >/etc/nsswitch.conf
passwd: files
group: files
shadow: files
gshadow: files
# Per T2678, commenting out myhostname
hosts: files dns #myhostname
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
EOF
# restore PAM back to virgin state (no radius/tacacs services)
pam-auth-update --disable radius-mandatory radius-optional
rm -f /etc/pam_radius_auth.conf
pam-auth-update --disable tacplus-mandatory tacplus-optional
rm -f /etc/tacplus_nss.conf /etc/tacplus_servers
# and no Google authenticator for 2FA/MFA
pam-auth-update --disable mfa-google-authenticator
# Certain configuration files are re-generated by the configuration
# subsystem and must reside under /etc and can not easily be moved to /run.
# So on every boot we simply delete any remaining files and let the CLI
# regenearte them.
# PPPoE
rm -f /etc/ppp/peers/pppoe* /etc/ppp/peers/wlm*
# IPSec
rm -rf /etc/ipsec.conf /etc/ipsec.secrets
find /etc/swanctl -type f | xargs rm -f
# limit cleanup
rm -f /etc/security/limits.d/10-vyos.conf
# iproute2 cleanup
rm -f /etc/iproute2/rt_tables.d/vyos-*.conf
# Container
rm -f /etc/containers/storage.conf /etc/containers/registries.conf /etc/containers/containers.conf
# Clean all networks and re-create them from our CLI
rm -f /etc/containers/networks/*
# System Options (SSH/cURL)
rm -f /etc/ssh/ssh_config.d/*vyos*.conf
rm -f /etc/curlrc
}
# XXX: T3885 - generate persistend DHCPv6 DUID (Type4 - UUID based)
gen_duid ()
{
DUID_FILE="/var/lib/dhcpv6/dhcp6c_duid"
UUID_FILE="/sys/class/dmi/id/product_uuid"
UUID_FILE_ALT="/sys/class/dmi/id/product_serial"
if [ ! -f ${UUID_FILE} ] && [ ! -f ${UUID_FILE_ALT} ]; then
return 1
fi
# DUID is based on the BIOS/EFI UUID. We omit additional - characters
if [ -f ${UUID_FILE} ]; then
UUID=$(cat ${UUID_FILE} | tr -d -)
fi
if [ -z ${UUID} ]; then
UUID=$(uuidgen --sha1 --namespace @dns --name $(cat ${UUID_FILE_ALT}) | tr -d -)
fi
# Add DUID type4 (UUID) information
DUID_TYPE="0004"
# The length-information (as per RFC6355 UUID is 128 bits long) is in big-endian
# format - beware when porting to ARM64. The length field consists out of the
# UUID (128 bit + 16 bits DUID type) resulting in hex 12.
DUID_LEN="0012"
if [ "$(echo -n I | od -to2 | head -n1 | cut -f2 -d" " | cut -c6 )" -eq 1 ]; then
# true on little-endian (x86) systems
DUID_LEN="1200"
fi
for i in $(echo -n ${DUID_LEN}${DUID_TYPE}${UUID} | sed 's/../& /g'); do
echo -ne "\x$i"
done > ${DUID_FILE}
}
start ()
{
# reset and clean config files
security_reset || log_failure_msg "security reset failed"
# some legacy directories migrated over from old rl-system.init
mkdir -p /var/run/vyatta /var/log/vyatta
chgrp vyattacfg /var/run/vyatta /var/log/vyatta
chmod 775 /var/run/vyatta /var/log/vyatta
log_daemon_msg "Waiting for NICs to settle down"
# On boot time udev migth take a long time to reorder nic's, this will ensure that
# all udev activity is completed and all nics presented at boot-time will have their
# final name before continuing with vyos-router initialization.
SECONDS=0
udevadm settle
STATUS=$?
log_progress_msg "settled in ${SECONDS}sec."
log_end_msg ${STATUS}
# mountpoint for bpf maps required by xdp
mount -t bpf none /sys/fs/bpf
# Clear out Debian APT source config file
empty /etc/apt/sources.list
# Generate DHCPv6 DUID
gen_duid || log_failure_msg "could not generate DUID"
# Mount a temporary filesystem for container networks.
# Configuration should be loaded from VyOS cli.
cni_dir="/etc/cni/net.d"
[ ! -d ${cni_dir} ] && mkdir -p ${cni_dir}
mount -t tmpfs none ${cni_dir}
# Init firewall
nfct helper add rpc inet tcp
nfct helper add rpc inet udp
nfct helper add tns inet tcp
nfct helper add rpc inet6 tcp
nfct helper add rpc inet6 udp
nfct helper add tns inet6 tcp
nft -f /usr/share/vyos/vyos-firewall-init.conf || log_failure_msg "could not initiate firewall rules"
# As VyOS does not execute commands that are not present in the CLI we call
# the script by hand to have a single source for the login banner and MOTD
${vyos_conf_scripts_dir}/system_console.py || log_failure_msg "could not reset serial console"
${vyos_conf_scripts_dir}/system_login_banner.py || log_failure_msg "could not reset motd and issue files"
${vyos_conf_scripts_dir}/system_option.py || log_failure_msg "could not reset system option files"
${vyos_conf_scripts_dir}/system_ip.py || log_failure_msg "could not reset system IPv4 options"
${vyos_conf_scripts_dir}/system_ipv6.py || log_failure_msg "could not reset system IPv6 options"
${vyos_conf_scripts_dir}/system_conntrack.py || log_failure_msg "could not reset conntrack subsystem"
${vyos_conf_scripts_dir}/container.py || log_failure_msg "could not reset container subsystem"
clear_or_override_config_files || log_failure_msg "could not reset config files"
# enable some debugging before loading the configuration
if grep -q vyos-debug /proc/cmdline; then
log_action_begin_msg "Enable runtime debugging options"
touch /tmp/vyos.container.debug
touch /tmp/vyos.ifconfig.debug
touch /tmp/vyos.frr.debug
touch /tmp/vyos.container.debug
fi
log_action_begin_msg "Mounting VyOS Config"
# ensure the vyatta_configdir supports a large number of inodes since
# the config hierarchy is often inode-bound (instead of size).
# impose a minimum and then scale up dynamically with the actual size
# of the system memory.
local tmem=$(sed -n 's/^MemTotal: \+\([0-9]\+\) kB$/\1/p' /proc/meminfo)
local tpages
local tmpfs_opts="nosuid,nodev,mode=775,nr_inodes=0" #automatically allocate inodes
mount -o $tmpfs_opts -t tmpfs none ${vyatta_configdir} \
&& chgrp ${GROUP} ${vyatta_configdir}
log_action_end_msg $?
+ mount_encrypted_config
+
# T5239: early read of system hostname as this value is read-only once during
# FRR initialisation
tmp=$(${vyos_libexec_dir}/read-saved-value.py --path "system host-name")
hostnamectl set-hostname --static "$tmp"
${vyos_conf_scripts_dir}/system_frr.py || log_failure_msg "could not reset FRR config"
# If for any reason FRR was not started by system_frr.py - start it anyways.
# This is a safety net!
systemctl start frr.service
disabled bootfile || init_bootfile
cleanup_post_commit_hooks
log_daemon_msg "Starting VyOS router"
disabled migrate || migrate_bootfile
restore_if_missing_preconfig_script
run_preconfig_script
run_postupgrade_script
update_interface_config
for s in ${subinit[@]} ; do
if ! disabled $s; then
log_progress_msg $s
if ! ${vyatta_sbindir}/${s}.init start
then log_failure_msg
exit 1
fi
fi
done
bind_mount_boot
disabled configure || load_bootfile
log_end_msg $?
telinit q
chmod g-w,o-w /
restore_if_missing_postconfig_script
run_postconfig_scripts
tmp=$(${vyos_libexec_dir}/read-saved-value.py --path "protocols rpki cache")
if [[ ! -z "$tmp" ]]; then
vtysh -c "rpki start"
fi
}
stop()
{
local -i status=0
log_daemon_msg "Stopping VyOS router"
for ((i=${#sub_inits[@]} - 1; i >= 0; i--)) ; do
s=${subinit[$i]}
log_progress_msg $s
${vyatta_sbindir}/${s}.init stop
let status\|=$?
done
log_end_msg $status
log_action_begin_msg "Un-mounting VyOS Config"
umount ${vyatta_configdir}
log_action_end_msg $?
systemctl stop frr.service
+
+ unmount_encrypted_config
}
case "$action" in
start) start ;;
stop) stop ;;
restart|force-reload) stop && start ;;
*) log_failure_msg "usage: $progname [ start|stop|restart ] [ subinit ... ]" ;
false ;;
esac
exit $?
# Local Variables:
# mode: shell-script
# sh-indentation: 4
# End:
diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py
index d677c2cf8..85ebd19ba 100755
--- a/src/op_mode/image_installer.py
+++ b/src/op_mode/image_installer.py
@@ -1,929 +1,972 @@
#!/usr/bin/env python3
#
-# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+# Copyright 2023-2024 VyOS maintainers and contributors <maintainers@vyos.io>
#
# This file is part of VyOS.
#
# VyOS is free software: you can redistribute it and/or modify it under the
# terms of the GNU General Public License as published by the Free Software
# Foundation, either version 3 of the License, or (at your option) any later
# version.
#
# VyOS is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
# details.
#
# You should have received a copy of the GNU General Public License along with
# VyOS. If not, see <https://www.gnu.org/licenses/>.
from argparse import ArgumentParser, Namespace
from pathlib import Path
from shutil import copy, chown, rmtree, copytree
from glob import glob
from sys import exit
from os import environ
from time import sleep
from typing import Union
from urllib.parse import urlparse
from passlib.hosts import linux_context
from psutil import disk_partitions
from vyos.configtree import ConfigTree
from vyos.configquery import ConfigTreeQuery
from vyos.remote import download
from vyos.system import disk, grub, image, compat, raid, SYSTEM_CFG_VER
from vyos.template import render
from vyos.utils.io import ask_input, ask_yes_no, select_entry
from vyos.utils.file import chmod_2775
from vyos.utils.process import cmd, run
from vyos.version import get_remote_version
# define text messages
MSG_ERR_NOT_LIVE: str = 'The system is already installed. Please use "add system image" instead.'
MSG_ERR_LIVE: str = 'The system is in live-boot mode. Please use "install image" instead.'
MSG_ERR_NO_DISK: str = 'No suitable disk was found. There must be at least one disk of 2GB or greater size.'
MSG_ERR_IMPROPER_IMAGE: str = 'Missing sha256sum.txt.\nEither this image is corrupted, or of era 1.2.x (md5sum) and would downgrade image tools;\ndisallowed in either case.'
MSG_INFO_INSTALL_WELCOME: str = 'Welcome to VyOS installation!\nThis command will install VyOS to your permanent storage.'
MSG_INFO_INSTALL_EXIT: str = 'Exiting from VyOS installation'
MSG_INFO_INSTALL_SUCCESS: str = 'The image installed successfully; please reboot now.'
MSG_INFO_INSTALL_DISKS_LIST: str = 'The following disks were found:'
MSG_INFO_INSTALL_DISK_SELECT: str = 'Which one should be used for installation?'
MSG_INFO_INSTALL_RAID_CONFIGURE: str = 'Would you like to configure RAID-1 mirroring?'
MSG_INFO_INSTALL_RAID_FOUND_DISKS: str = 'Would you like to configure RAID-1 mirroring on them?'
MSG_INFO_INSTALL_RAID_CHOOSE_DISKS: str = 'Would you like to choose two disks for RAID-1 mirroring?'
MSG_INFO_INSTALL_DISK_CONFIRM: str = 'Installation will delete all data on the drive. Continue?'
MSG_INFO_INSTALL_RAID_CONFIRM: str = 'Installation will delete all data on both drives. Continue?'
MSG_INFO_INSTALL_PARTITONING: str = 'Creating partition table...'
MSG_INPUT_CONFIG_FOUND: str = 'An active configuration was found. Would you like to copy it to the new image?'
MSG_INPUT_IMAGE_NAME: str = 'What would you like to name this image?'
MSG_INPUT_IMAGE_DEFAULT: str = 'Would you like to set the new image as the default one for boot?'
MSG_INPUT_PASSWORD: str = 'Please enter a password for the "vyos" user'
MSG_INPUT_ROOT_SIZE_ALL: str = 'Would you like to use all the free space on the drive?'
MSG_INPUT_ROOT_SIZE_SET: str = 'Please specify the size (in GB) of the root partition (min is 1.5 GB)?'
MSG_INPUT_CONSOLE_TYPE: str = 'What console should be used by default? (K: KVM, S: Serial, U: USB-Serial)?'
MSG_INPUT_COPY_DATA: str = 'Would you like to copy data to the new image?'
MSG_INPUT_CHOOSE_COPY_DATA: str = 'From which image would you like to save config information?'
+MSG_INPUT_COPY_ENC_DATA: str = 'Would you like to copy the encrypted config to the new image?'
+MSG_INPUT_CHOOSE_COPY_ENC_DATA: str = 'From which image would you like to copy the encrypted config?'
MSG_WARN_ISO_SIGN_INVALID: str = 'Signature is not valid. Do you want to continue with installation?'
MSG_WARN_ISO_SIGN_UNAVAL: str = 'Signature is not available. Do you want to continue with installation?'
MSG_WARN_ROOT_SIZE_TOOBIG: str = 'The size is too big. Try again.'
MSG_WARN_ROOT_SIZE_TOOSMALL: str = 'The size is too small. Try again'
MSG_WARN_IMAGE_NAME_WRONG: str = 'The suggested name is unsupported!\n'\
'It must be between 1 and 64 characters long and contains only the next characters: .+-_ a-z A-Z 0-9'
CONST_MIN_DISK_SIZE: int = 2147483648 # 2 GB
CONST_MIN_ROOT_SIZE: int = 1610612736 # 1.5 GB
# a reserved space: 2MB for header, 1 MB for BIOS partition, 256 MB for EFI
CONST_RESERVED_SPACE: int = (2 + 1 + 256) * 1024**2
# define directories and paths
DIR_INSTALLATION: str = '/mnt/installation'
DIR_ROOTFS_SRC: str = f'{DIR_INSTALLATION}/root_src'
DIR_ROOTFS_DST: str = f'{DIR_INSTALLATION}/root_dst'
DIR_ISO_MOUNT: str = f'{DIR_INSTALLATION}/iso_src'
DIR_DST_ROOT: str = f'{DIR_INSTALLATION}/disk_dst'
DIR_KERNEL_SRC: str = '/boot/'
FILE_ROOTFS_SRC: str = '/usr/lib/live/mount/medium/live/filesystem.squashfs'
ISO_DOWNLOAD_PATH: str = '/tmp/vyos_installation.iso'
external_download_script = '/usr/libexec/vyos/simple-download.py'
# default boot variables
DEFAULT_BOOT_VARS: dict[str, str] = {
'timeout': '5',
'console_type': 'tty',
'console_num': '0',
'console_speed': '115200',
'bootmode': 'normal'
}
def bytes_to_gb(size: int) -> float:
"""Convert Bytes to GBytes, rounded to 1 decimal number
Args:
size (int): input size in bytes
Returns:
float: size in GB
"""
return round(size / 1024**3, 1)
def gb_to_bytes(size: float) -> int:
"""Convert GBytes to Bytes
Args:
size (float): input size in GBytes
Returns:
int: size in bytes
"""
return int(size * 1024**3)
def find_disks() -> dict[str, int]:
"""Find a target disk for installation
Returns:
dict[str, int]: a list of available disks by name and size
"""
# check for available disks
print('Probing disks')
disks_available: dict[str, int] = disk.disks_size()
for disk_name, disk_size in disks_available.copy().items():
if disk_size < CONST_MIN_DISK_SIZE:
del disks_available[disk_name]
if not disks_available:
print(MSG_ERR_NO_DISK)
exit(MSG_INFO_INSTALL_EXIT)
num_disks: int = len(disks_available)
print(f'{num_disks} disk(s) found')
return disks_available
def ask_root_size(available_space: int) -> int:
"""Define a size of root partition
Args:
available_space (int): available space in bytes for a root partition
Returns:
int: defined size
"""
if ask_yes_no(MSG_INPUT_ROOT_SIZE_ALL, default=True):
return available_space
while True:
root_size_gb: str = ask_input(MSG_INPUT_ROOT_SIZE_SET)
root_size_kbytes: int = (gb_to_bytes(float(root_size_gb))) // 1024
if root_size_kbytes > available_space:
print(MSG_WARN_ROOT_SIZE_TOOBIG)
continue
if root_size_kbytes < CONST_MIN_ROOT_SIZE / 1024:
print(MSG_WARN_ROOT_SIZE_TOOSMALL)
continue
return root_size_kbytes
def create_partitions(target_disk: str, target_size: int,
prompt: bool = True) -> None:
"""Create partitions on a target disk
Args:
target_disk (str): a target disk
target_size (int): size of disk in bytes
"""
# define target rootfs size in KB (smallest unit acceptable by sgdisk)
available_size: int = (target_size - CONST_RESERVED_SPACE) // 1024
if prompt:
rootfs_size: int = ask_root_size(available_size)
else:
rootfs_size: int = available_size
print(MSG_INFO_INSTALL_PARTITONING)
raid.clear()
disk.disk_cleanup(target_disk)
disk_details: disk.DiskDetails = disk.parttable_create(target_disk,
rootfs_size)
return disk_details
def search_format_selection(image: tuple[str, str]) -> str:
"""Format a string for selection of image
Args:
image (tuple[str, str]): a tuple of image name and drive
Returns:
str: formatted string
"""
return f'{image[0]} on {image[1]}'
def search_previous_installation(disks: list[str]) -> None:
"""Search disks for previous installation config and SSH keys
Args:
disks (list[str]): a list of available disks
"""
mnt_config = '/mnt/config'
+ mnt_encrypted_config = '/mnt/encrypted_config'
mnt_ssh = '/mnt/ssh'
mnt_tmp = '/mnt/tmp'
rmtree(Path(mnt_config), ignore_errors=True)
rmtree(Path(mnt_ssh), ignore_errors=True)
Path(mnt_tmp).mkdir(exist_ok=True)
+ Path(mnt_encrypted_config).unlink(missing_ok=True)
print('Searching for data from previous installations')
image_data = []
+ encrypted_configs = []
for disk_name in disks:
for partition in disk.partition_list(disk_name):
if disk.partition_mount(partition, mnt_tmp):
if Path(mnt_tmp + '/boot').exists():
for path in Path(mnt_tmp + '/boot').iterdir():
if path.joinpath('rw/config/.vyatta_config').exists():
image_data.append((path.name, partition))
+ if Path(mnt_tmp + '/luks').exists():
+ for path in Path(mnt_tmp + '/luks').iterdir():
+ encrypted_configs.append((path.name, partition))
disk.partition_umount(partition)
- if len(image_data) == 1:
- image_name, image_drive = image_data[0]
- print('Found data from previous installation:')
- print(f'\t{image_name} on {image_drive}')
- if not ask_yes_no(MSG_INPUT_COPY_DATA, default=True):
- return
-
- elif len(image_data) > 1:
- print('Found data from previous installations')
- if not ask_yes_no(MSG_INPUT_COPY_DATA, default=True):
- return
-
- image_name, image_drive = select_entry(image_data,
- 'Available versions:',
- MSG_INPUT_CHOOSE_COPY_DATA,
- search_format_selection)
+ image_name = None
+ image_drive = None
+ encrypted = False
+
+ if len(image_data) > 0:
+ if len(image_data) == 1:
+ print('Found data from previous installation:')
+ print(f'\t{" on ".join(image_data[0])}')
+ if ask_yes_no(MSG_INPUT_COPY_DATA, default=True):
+ image_name, image_drive = image_data[0]
+
+ elif len(image_data) > 1:
+ print('Found data from previous installations')
+ if ask_yes_no(MSG_INPUT_COPY_DATA, default=True):
+ image_name, image_drive = select_entry(image_data,
+ 'Available versions:',
+ MSG_INPUT_CHOOSE_COPY_DATA,
+ search_format_selection)
+ elif len(encrypted_configs) > 0:
+ if len(encrypted_configs) == 1:
+ print('Found encrypted config from previous installation:')
+ print(f'\t{" on ".join(encrypted_configs[0])}')
+ if ask_yes_no(MSG_INPUT_COPY_ENC_DATA, default=True):
+ image_name, image_drive = encrypted_configs[0]
+ encrypted = True
+
+ elif len(encrypted_configs) > 1:
+ print('Found encrypted configs from previous installations')
+ if ask_yes_no(MSG_INPUT_COPY_ENC_DATA, default=True):
+ image_name, image_drive = select_entry(encrypted_configs,
+ 'Available versions:',
+ MSG_INPUT_CHOOSE_COPY_ENC_DATA,
+ search_format_selection)
+ encrypted = True
+
else:
print('No previous installation found')
return
+ if not image_name:
+ return
+
disk.partition_mount(image_drive, mnt_tmp)
- copytree(f'{mnt_tmp}/boot/{image_name}/rw/config', mnt_config)
+ if not encrypted:
+ copytree(f'{mnt_tmp}/boot/{image_name}/rw/config', mnt_config)
+ else:
+ copy(f'{mnt_tmp}/luks/{image_name}', mnt_encrypted_config)
+
Path(mnt_ssh).mkdir()
host_keys: list[str] = glob(f'{mnt_tmp}/boot/{image_name}/rw/etc/ssh/ssh_host*')
for host_key in host_keys:
copy(host_key, mnt_ssh)
disk.partition_umount(image_drive)
def copy_preserve_owner(src: str, dst: str, *, follow_symlinks=True):
if not Path(src).is_file():
return
if Path(dst).is_dir():
dst = Path(dst).joinpath(Path(src).name)
st = Path(src).stat()
copy(src, dst, follow_symlinks=follow_symlinks)
chown(dst, user=st.st_uid)
def copy_previous_installation_data(target_dir: str) -> None:
if Path('/mnt/config').exists():
copytree('/mnt/config', f'{target_dir}/opt/vyatta/etc/config',
dirs_exist_ok=True)
if Path('/mnt/ssh').exists():
copytree('/mnt/ssh', f'{target_dir}/etc/ssh',
dirs_exist_ok=True)
+def copy_previous_encrypted_config(target_dir: str, image_name: str) -> None:
+ if Path('/mnt/encrypted_config').exists():
+ Path(target_dir).mkdir(exist_ok=True)
+ copy('/mnt/encrypted_config', Path(target_dir).joinpath(image_name))
+
+
def ask_single_disk(disks_available: dict[str, int]) -> str:
"""Ask user to select a disk for installation
Args:
disks_available (dict[str, int]): a list of available disks
"""
print(MSG_INFO_INSTALL_DISKS_LIST)
default_disk: str = list(disks_available)[0]
for disk_name, disk_size in disks_available.items():
disk_size_human: str = bytes_to_gb(disk_size)
print(f'Drive: {disk_name} ({disk_size_human} GB)')
disk_selected: str = ask_input(MSG_INFO_INSTALL_DISK_SELECT,
default=default_disk,
valid_responses=list(disks_available))
# create partitions
if not ask_yes_no(MSG_INFO_INSTALL_DISK_CONFIRM):
print(MSG_INFO_INSTALL_EXIT)
exit()
search_previous_installation(list(disks_available))
disk_details: disk.DiskDetails = create_partitions(disk_selected,
disks_available[disk_selected])
disk.filesystem_create(disk_details.partition['efi'], 'efi')
disk.filesystem_create(disk_details.partition['root'], 'ext4')
return disk_details
def check_raid_install(disks_available: dict[str, int]) -> Union[str, None]:
"""Ask user to select disks for RAID installation
Args:
disks_available (dict[str, int]): a list of available disks
"""
if len(disks_available) < 2:
return None
if not ask_yes_no(MSG_INFO_INSTALL_RAID_CONFIGURE, default=True):
return None
def format_selection(disk_name: str) -> str:
return f'{disk_name}\t({bytes_to_gb(disks_available[disk_name])} GB)'
disk0, disk1 = list(disks_available)[0], list(disks_available)[1]
disks_selected: dict[str, int] = { disk0: disks_available[disk0],
disk1: disks_available[disk1] }
target_size: int = min(disks_selected[disk0], disks_selected[disk1])
print(MSG_INFO_INSTALL_DISKS_LIST)
for disk_name, disk_size in disks_selected.items():
disk_size_human: str = bytes_to_gb(disk_size)
print(f'\t{disk_name} ({disk_size_human} GB)')
if not ask_yes_no(MSG_INFO_INSTALL_RAID_FOUND_DISKS, default=True):
if not ask_yes_no(MSG_INFO_INSTALL_RAID_CHOOSE_DISKS, default=True):
return None
else:
disks_selected = {}
disk0 = select_entry(list(disks_available), 'Disks available:',
'Select first disk:', format_selection)
disks_selected[disk0] = disks_available[disk0]
del disks_available[disk0]
disk1 = select_entry(list(disks_available), 'Remaining disks:',
'Select second disk:', format_selection)
disks_selected[disk1] = disks_available[disk1]
target_size: int = min(disks_selected[disk0],
disks_selected[disk1])
# create partitions
if not ask_yes_no(MSG_INFO_INSTALL_RAID_CONFIRM):
print(MSG_INFO_INSTALL_EXIT)
exit()
search_previous_installation(list(disks_available))
disks: list[disk.DiskDetails] = []
for disk_selected in list(disks_selected):
print(f'Creating partitions on {disk_selected}')
disk_details = create_partitions(disk_selected, target_size,
prompt=False)
disk.filesystem_create(disk_details.partition['efi'], 'efi')
disks.append(disk_details)
print('Creating RAID array')
members = [disk.partition['root'] for disk in disks]
raid_details: raid.RaidDetails = raid.raid_create(members)
# raid init stuff
print('Updating initramfs')
raid.update_initramfs()
# end init
print('Creating filesystem on RAID array')
disk.filesystem_create(raid_details.name, 'ext4')
return raid_details
def prepare_tmp_disr() -> None:
"""Create temporary directories for installation
"""
print('Creating temporary directories')
for dir in [DIR_ROOTFS_SRC, DIR_ROOTFS_DST, DIR_DST_ROOT]:
dirpath = Path(dir)
dirpath.mkdir(mode=0o755, parents=True)
def setup_grub(root_dir: str) -> None:
"""Install GRUB configurations
Args:
root_dir (str): a path to the root of target filesystem
"""
print('Installing GRUB configuration files')
grub_cfg_main = f'{root_dir}/{grub.GRUB_DIR_MAIN}/grub.cfg'
grub_cfg_vars = f'{root_dir}/{grub.CFG_VYOS_VARS}'
grub_cfg_modules = f'{root_dir}/{grub.CFG_VYOS_MODULES}'
grub_cfg_menu = f'{root_dir}/{grub.CFG_VYOS_MENU}'
grub_cfg_options = f'{root_dir}/{grub.CFG_VYOS_OPTIONS}'
# create new files
render(grub_cfg_main, grub.TMPL_GRUB_MAIN, {})
grub.common_write(root_dir)
grub.vars_write(grub_cfg_vars, DEFAULT_BOOT_VARS)
grub.modules_write(grub_cfg_modules, [])
grub.write_cfg_ver(1, root_dir)
render(grub_cfg_menu, grub.TMPL_GRUB_MENU, {})
render(grub_cfg_options, grub.TMPL_GRUB_OPTS, {})
def configure_authentication(config_file: str, password: str) -> None:
"""Write encrypted password to config file
Args:
config_file (str): path of target config file
password (str): plaintext password
N.B. this can not be deferred by simply setting the plaintext password
and relying on the config mode script to process at boot, as the config
will not automatically be saved in that case, thus leaving the
plaintext exposed
"""
encrypted_password = linux_context.hash(password)
with open(config_file) as f:
config_string = f.read()
config = ConfigTree(config_string)
config.set([
'system', 'login', 'user', 'vyos', 'authentication',
'encrypted-password'
],
value=encrypted_password,
replace=True)
config.set_tag(['system', 'login', 'user'])
with open(config_file, 'w') as f:
f.write(config.to_string())
def validate_signature(file_path: str, sign_type: str) -> None:
"""Validate a file by signature and delete a signature file
Args:
file_path (str): a path to file
sign_type (str): a signature type
"""
print('Validating signature')
signature_valid: bool = False
# validate with minisig
if sign_type == 'minisig':
pub_key_list = glob('/usr/share/vyos/keys/*.minisign.pub')
for pubkey in pub_key_list:
if run(f'minisign -V -q -p {pubkey} -m {file_path} -x {file_path}.minisig'
) == 0:
signature_valid = True
break
Path(f'{file_path}.minisig').unlink()
# validate with GPG
if sign_type == 'asc':
if run(f'gpg --verify ${file_path}.asc ${file_path}') == 0:
signature_valid = True
Path(f'{file_path}.asc').unlink()
# warn or pass
if not signature_valid:
if not ask_yes_no(MSG_WARN_ISO_SIGN_INVALID, default=False):
exit(MSG_INFO_INSTALL_EXIT)
else:
print('Signature is valid')
def download_file(local_file: str, remote_path: str, vrf: str,
username: str, password: str,
progressbar: bool = False, check_space: bool = False):
environ['REMOTE_USERNAME'] = username
environ['REMOTE_PASSWORD'] = password
if vrf is None:
download(local_file, remote_path, progressbar=progressbar,
check_space=check_space, raise_error=True)
else:
vrf_cmd = f'REMOTE_USERNAME={username} REMOTE_PASSWORD={password} \
ip vrf exec {vrf} {external_download_script} \
--local-file {local_file} --remote-path {remote_path}'
cmd(vrf_cmd)
def image_fetch(image_path: str, vrf: str = None,
username: str = '', password: str = '',
no_prompt: bool = False) -> Path:
"""Fetch an ISO image
Args:
image_path (str): a path, remote or local
Returns:
Path: a path to a local file
"""
# Latest version gets url from configured "system update-check url"
if image_path == 'latest':
config = ConfigTreeQuery()
if config.exists('system update-check url'):
configured_url_version = config.value('system update-check url')
remote_url_list = get_remote_version(configured_url_version)
image_path = remote_url_list[0].get('url')
try:
# check a type of path
if urlparse(image_path).scheme:
# download an image
download_file(ISO_DOWNLOAD_PATH, image_path, vrf,
username, password,
progressbar=True, check_space=True)
# download a signature
sign_file = (False, '')
for sign_type in ['minisig', 'asc']:
try:
download_file(f'{ISO_DOWNLOAD_PATH}.{sign_type}',
f'{image_path}.{sign_type}', vrf,
username, password)
sign_file = (True, sign_type)
break
except Exception:
print(f'{sign_type} signature is not available')
# validate a signature if it is available
if sign_file[0]:
validate_signature(ISO_DOWNLOAD_PATH, sign_file[1])
else:
if (not no_prompt and
not ask_yes_no(MSG_WARN_ISO_SIGN_UNAVAL, default=False)):
cleanup()
exit(MSG_INFO_INSTALL_EXIT)
return Path(ISO_DOWNLOAD_PATH)
else:
local_path: Path = Path(image_path)
if local_path.is_file():
return local_path
else:
raise FileNotFoundError
except Exception as e:
print(f'The image cannot be fetched from: {image_path} {e}')
exit(1)
def migrate_config() -> bool:
"""Check for active config and ask user for migration
Returns:
bool: user's decision
"""
active_config_path: Path = Path('/opt/vyatta/etc/config/config.boot')
if active_config_path.exists():
if ask_yes_no(MSG_INPUT_CONFIG_FOUND, default=True):
return True
return False
def copy_ssh_host_keys() -> bool:
"""Ask user to copy SSH host keys
Returns:
bool: user's decision
"""
if ask_yes_no('Would you like to copy SSH host keys?', default=True):
return True
return False
def cleanup(mounts: list[str] = [], remove_items: list[str] = []) -> None:
"""Clean up after installation
Args:
mounts (list[str], optional): List of mounts to unmount.
Defaults to [].
remove_items (list[str], optional): List of files or directories
to remove. Defaults to [].
"""
print('Cleaning up')
# clean up installation directory by default
mounts_all = disk_partitions(all=True)
for mounted_device in mounts_all:
if mounted_device.mountpoint.startswith(DIR_INSTALLATION) and not (
mounted_device.device in mounts or
mounted_device.mountpoint in mounts):
mounts.append(mounted_device.mountpoint)
# add installation dir to cleanup list
if DIR_INSTALLATION not in remove_items:
remove_items.append(DIR_INSTALLATION)
# also delete an ISO file
if Path(ISO_DOWNLOAD_PATH).exists(
) and ISO_DOWNLOAD_PATH not in remove_items:
remove_items.append(ISO_DOWNLOAD_PATH)
if mounts:
print('Unmounting target filesystems')
for mountpoint in mounts:
disk.partition_umount(mountpoint)
for mountpoint in mounts:
disk.wait_for_umount(mountpoint)
if remove_items:
print('Removing temporary files')
for remove_item in remove_items:
if Path(remove_item).exists():
if Path(remove_item).is_file():
Path(remove_item).unlink()
if Path(remove_item).is_dir():
rmtree(remove_item, ignore_errors=True)
def cleanup_raid(details: raid.RaidDetails) -> None:
efiparts = []
for raid_disk in details.disks:
efiparts.append(raid_disk.partition['efi'])
cleanup([details.name, *efiparts],
['/mnt/installation'])
def is_raid_install(install_object: Union[disk.DiskDetails, raid.RaidDetails]) -> bool:
"""Check if installation target is a RAID array
Args:
install_object (Union[disk.DiskDetails, raid.RaidDetails]): a target disk
Returns:
bool: True if it is a RAID array
"""
if isinstance(install_object, raid.RaidDetails):
return True
return False
def install_image() -> None:
"""Install an image to a disk
"""
if not image.is_live_boot():
exit(MSG_ERR_NOT_LIVE)
print(MSG_INFO_INSTALL_WELCOME)
if not ask_yes_no('Would you like to continue?'):
print(MSG_INFO_INSTALL_EXIT)
exit()
# configure image name
running_image_name: str = image.get_running_image()
while True:
image_name: str = ask_input(MSG_INPUT_IMAGE_NAME,
running_image_name)
if image.validate_name(image_name):
break
print(MSG_WARN_IMAGE_NAME_WRONG)
# ask for password
user_password: str = ask_input(MSG_INPUT_PASSWORD, default='vyos',
no_echo=True)
# ask for default console
console_type: str = ask_input(MSG_INPUT_CONSOLE_TYPE,
default='K',
valid_responses=['K', 'S', 'U'])
console_dict: dict[str, str] = {'K': 'tty', 'S': 'ttyS', 'U': 'ttyUSB'}
disks: dict[str, int] = find_disks()
install_target: Union[disk.DiskDetails, raid.RaidDetails, None] = None
try:
install_target = check_raid_install(disks)
if install_target is None:
install_target = ask_single_disk(disks)
# create directories for installation media
prepare_tmp_disr()
# mount target filesystem and create required dirs inside
print('Mounting new partitions')
if is_raid_install(install_target):
disk.partition_mount(install_target.name, DIR_DST_ROOT)
Path(f'{DIR_DST_ROOT}/boot/efi').mkdir(parents=True)
else:
disk.partition_mount(install_target.partition['root'], DIR_DST_ROOT)
Path(f'{DIR_DST_ROOT}/boot/efi').mkdir(parents=True)
disk.partition_mount(install_target.partition['efi'], f'{DIR_DST_ROOT}/boot/efi')
# a config dir. It is the deepest one, so the comand will
# create all the rest in a single step
print('Creating a configuration file')
target_config_dir: str = f'{DIR_DST_ROOT}/boot/{image_name}/rw/opt/vyatta/etc/config/'
Path(target_config_dir).mkdir(parents=True)
chown(target_config_dir, group='vyattacfg')
chmod_2775(target_config_dir)
# copy config
copy('/opt/vyatta/etc/config/config.boot', target_config_dir)
configure_authentication(f'{target_config_dir}/config.boot',
user_password)
Path(f'{target_config_dir}/.vyatta_config').touch()
# create a persistence.conf
Path(f'{DIR_DST_ROOT}/persistence.conf').write_text('/ union\n')
# copy system image and kernel files
print('Copying system image files')
for file in Path(DIR_KERNEL_SRC).iterdir():
if file.is_file():
copy(file, f'{DIR_DST_ROOT}/boot/{image_name}/')
copy(FILE_ROOTFS_SRC,
f'{DIR_DST_ROOT}/boot/{image_name}/{image_name}.squashfs')
# copy saved config data and SSH keys
# owner restored on copy of config data by chmod_2775, above
copy_previous_installation_data(f'{DIR_DST_ROOT}/boot/{image_name}/rw')
+ # copy saved encrypted config volume
+ copy_previous_encrypted_config(f'{DIR_DST_ROOT}/luks', image_name)
+
if is_raid_install(install_target):
write_dir: str = f'{DIR_DST_ROOT}/boot/{image_name}/rw'
raid.update_default(write_dir)
setup_grub(DIR_DST_ROOT)
# add information about version
grub.create_structure()
grub.version_add(image_name, DIR_DST_ROOT)
grub.set_default(image_name, DIR_DST_ROOT)
grub.set_console_type(console_dict[console_type], DIR_DST_ROOT)
if is_raid_install(install_target):
# add RAID specific modules
grub.modules_write(f'{DIR_DST_ROOT}/{grub.CFG_VYOS_MODULES}',
['part_msdos', 'part_gpt', 'diskfilter',
'ext2','mdraid1x'])
# install GRUB
if is_raid_install(install_target):
print('Installing GRUB to the drives')
l = install_target.disks
for disk_target in l:
disk.partition_mount(disk_target.partition['efi'], f'{DIR_DST_ROOT}/boot/efi')
grub.install(disk_target.name, f'{DIR_DST_ROOT}/boot/',
f'{DIR_DST_ROOT}/boot/efi',
id=f'VyOS (RAID disk {l.index(disk_target) + 1})')
disk.partition_umount(disk_target.partition['efi'])
else:
print('Installing GRUB to the drive')
grub.install(install_target.name, f'{DIR_DST_ROOT}/boot/',
f'{DIR_DST_ROOT}/boot/efi')
# umount filesystems and remove temporary files
if is_raid_install(install_target):
cleanup([install_target.name],
['/mnt/installation'])
else:
cleanup([install_target.partition['efi'],
install_target.partition['root']],
['/mnt/installation'])
# we are done
print(MSG_INFO_INSTALL_SUCCESS)
exit()
except Exception as err:
print(f'Unable to install VyOS: {err}')
# unmount filesystems and clenup
try:
if install_target is not None:
if is_raid_install(install_target):
cleanup_raid(install_target)
else:
cleanup([install_target.partition['efi'],
install_target.partition['root']],
['/mnt/installation'])
except Exception as err:
print(f'Cleanup failed: {err}')
exit(1)
@compat.grub_cfg_update
def add_image(image_path: str, vrf: str = None, username: str = '',
password: str = '', no_prompt: bool = False) -> None:
"""Add a new image
Args:
image_path (str): a path to an ISO image
"""
if image.is_live_boot():
exit(MSG_ERR_LIVE)
# fetch an image
iso_path: Path = image_fetch(image_path, vrf, username, password, no_prompt)
try:
# mount an ISO
Path(DIR_ISO_MOUNT).mkdir(mode=0o755, parents=True)
disk.partition_mount(iso_path, DIR_ISO_MOUNT, 'iso9660')
# check sums
print('Validating image checksums')
if not Path(DIR_ISO_MOUNT).joinpath('sha256sum.txt').exists():
cleanup()
exit(MSG_ERR_IMPROPER_IMAGE)
if run(f'cd {DIR_ISO_MOUNT} && sha256sum --status -c sha256sum.txt'):
cleanup()
exit('Image checksum verification failed.')
# mount rootfs (to get a system version)
Path(DIR_ROOTFS_SRC).mkdir(mode=0o755, parents=True)
disk.partition_mount(f'{DIR_ISO_MOUNT}/live/filesystem.squashfs',
DIR_ROOTFS_SRC, 'squashfs')
cfg_ver: str = image.get_image_tools_version(DIR_ROOTFS_SRC)
version_name: str = image.get_image_version(DIR_ROOTFS_SRC)
disk.partition_umount(f'{DIR_ISO_MOUNT}/live/filesystem.squashfs')
if cfg_ver < SYSTEM_CFG_VER:
raise compat.DowngradingImageTools(
f'Adding image would downgrade image tools to v.{cfg_ver}; disallowed')
if not no_prompt:
while True:
image_name: str = ask_input(MSG_INPUT_IMAGE_NAME, version_name)
if image.validate_name(image_name):
break
print(MSG_WARN_IMAGE_NAME_WRONG)
set_as_default: bool = ask_yes_no(MSG_INPUT_IMAGE_DEFAULT, default=True)
else:
image_name: str = version_name
set_as_default: bool = True
# find target directory
root_dir: str = disk.find_persistence()
# a config dir. It is the deepest one, so the comand will
# create all the rest in a single step
target_config_dir: str = f'{root_dir}/boot/{image_name}/rw/opt/vyatta/etc/config/'
# copy config
if no_prompt or migrate_config():
print('Copying configuration directory')
# copytree preserves perms but not ownership:
Path(target_config_dir).mkdir(parents=True)
chown(target_config_dir, group='vyattacfg')
chmod_2775(target_config_dir)
copytree('/opt/vyatta/etc/config/', target_config_dir,
copy_function=copy_preserve_owner, dirs_exist_ok=True)
else:
Path(target_config_dir).mkdir(parents=True)
chown(target_config_dir, group='vyattacfg')
chmod_2775(target_config_dir)
Path(f'{target_config_dir}/.vyatta_config').touch()
target_ssh_dir: str = f'{root_dir}/boot/{image_name}/rw/etc/ssh/'
if no_prompt or copy_ssh_host_keys():
print('Copying SSH host keys')
Path(target_ssh_dir).mkdir(parents=True)
host_keys: list[str] = glob('/etc/ssh/ssh_host*')
for host_key in host_keys:
copy(host_key, target_ssh_dir)
# copy system image and kernel files
print('Copying system image files')
for file in Path(f'{DIR_ISO_MOUNT}/live').iterdir():
if file.is_file() and (file.match('initrd*') or
file.match('vmlinuz*')):
copy(file, f'{root_dir}/boot/{image_name}/')
copy(f'{DIR_ISO_MOUNT}/live/filesystem.squashfs',
f'{root_dir}/boot/{image_name}/{image_name}.squashfs')
# unmount an ISO and cleanup
cleanup([str(iso_path)])
# add information about version
grub.version_add(image_name, root_dir)
if set_as_default:
grub.set_default(image_name, root_dir)
except Exception as err:
# unmount an ISO and cleanup
cleanup([str(iso_path)])
exit(f'Error: {err}')
def parse_arguments() -> Namespace:
"""Parse arguments
Returns:
Namespace: a namespace with parsed arguments
"""
parser: ArgumentParser = ArgumentParser(
description='Install new system images')
parser.add_argument('--action',
choices=['install', 'add'],
required=True,
help='action to perform with an image')
parser.add_argument('--vrf',
help='vrf name for image download')
parser.add_argument('--no-prompt', action='store_true',
help='perform action non-interactively')
parser.add_argument('--username', default='',
help='username for image download')
parser.add_argument('--password', default='',
help='password for image download')
parser.add_argument('--image-path',
help='a path (HTTP or local file) to an image that needs to be installed'
)
# parser.add_argument('--image_new_name', help='a new name for image')
args: Namespace = parser.parse_args()
# Validate arguments
if args.action == 'add' and not args.image_path:
exit('A path to image is required for add action')
return args
if __name__ == '__main__':
try:
args: Namespace = parse_arguments()
if args.action == 'install':
install_image()
if args.action == 'add':
add_image(args.image_path, args.vrf,
args.username, args.password, args.no_prompt)
exit()
except KeyboardInterrupt:
print('Stopped by Ctrl+C')
cleanup()
exit()
except Exception as err:
exit(f'{err}')
diff --git a/src/op_mode/image_manager.py b/src/op_mode/image_manager.py
index e64a85b95..1510a667c 100755
--- a/src/op_mode/image_manager.py
+++ b/src/op_mode/image_manager.py
@@ -1,231 +1,250 @@
#!/usr/bin/env python3
#
-# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+# Copyright 2023-2024 VyOS maintainers and contributors <maintainers@vyos.io>
#
# This file is part of VyOS.
#
# VyOS is free software: you can redistribute it and/or modify it under the
# terms of the GNU General Public License as published by the Free Software
# Foundation, either version 3 of the License, or (at your option) any later
# version.
#
# VyOS is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
# details.
#
# You should have received a copy of the GNU General Public License along with
# VyOS. If not, see <https://www.gnu.org/licenses/>.
from argparse import ArgumentParser, Namespace
from pathlib import Path
from shutil import rmtree
from sys import exit
from typing import Optional
from vyos.system import disk, grub, image, compat
from vyos.utils.io import ask_yes_no, select_entry
SET_IMAGE_LIST_MSG: str = 'The following images are available:'
SET_IMAGE_PROMPT_MSG: str = 'Select an image to set as default:'
DELETE_IMAGE_LIST_MSG: str = 'The following images are installed:'
DELETE_IMAGE_PROMPT_MSG: str = 'Select an image to delete:'
MSG_DELETE_IMAGE_RUNNING: str = 'Currently running image cannot be deleted; reboot into another image first'
MSG_DELETE_IMAGE_DEFAULT: str = 'Default image cannot be deleted; set another image as default first'
def annotated_list(images_list: list[str]) -> list[str]:
"""Annotate list of images with additional info
Args:
images_list (list[str]): a list of image names
Returns:
list[str]: a list of image names with additional info
"""
index_running: int = None
index_default: int = None
try:
index_running = images_list.index(image.get_running_image())
index_default = images_list.index(image.get_default_image())
except ValueError:
pass
if index_running is not None:
images_list[index_running] += ' (running)'
if index_default is not None:
images_list[index_default] += ' (default boot)'
return images_list
@compat.grub_cfg_update
def delete_image(image_name: Optional[str] = None,
no_prompt: bool = False) -> None:
"""Remove installed image files and boot entry
Args:
image_name (str): a name of image to delete
"""
available_images: list[str] = annotated_list(grub.version_list())
if image_name is None:
if no_prompt:
exit('An image name is required for delete action')
else:
image_name = select_entry(available_images,
DELETE_IMAGE_LIST_MSG,
DELETE_IMAGE_PROMPT_MSG)
if image_name == image.get_running_image():
exit(MSG_DELETE_IMAGE_RUNNING)
if image_name == image.get_default_image():
exit(MSG_DELETE_IMAGE_DEFAULT)
if image_name not in available_images:
exit(f'The image "{image_name}" cannot be found')
persistence_storage: str = disk.find_persistence()
if not persistence_storage:
exit('Persistence storage cannot be found')
if (not no_prompt and
not ask_yes_no(f'Do you really want to delete the image {image_name}?',
default=False)):
exit()
# remove files and menu entry
version_path: Path = Path(f'{persistence_storage}/boot/{image_name}')
try:
rmtree(version_path)
grub.version_del(image_name, persistence_storage)
print(f'The image "{image_name}" was successfully deleted')
except Exception as err:
exit(f'Unable to remove the image "{image_name}": {err}')
+ # remove LUKS volume if it exists
+ luks_path: Path = Path(f'{persistence_storage}/luks/{image_name}')
+ if luks_path.is_file():
+ try:
+ luks_path.unlink()
+ print(f'The encrypted config for "{image_name}" was successfully deleted')
+ except Exception as err:
+ exit(f'Unable to remove the encrypted config for "{image_name}": {err}')
+
@compat.grub_cfg_update
def set_image(image_name: Optional[str] = None,
prompt: bool = True) -> None:
"""Set default boot image
Args:
image_name (str): an image name
"""
available_images: list[str] = annotated_list(grub.version_list())
if image_name is None:
if not prompt:
exit('An image name is required for set action')
else:
image_name = select_entry(available_images,
SET_IMAGE_LIST_MSG,
SET_IMAGE_PROMPT_MSG)
if image_name == image.get_default_image():
exit(f'The image "{image_name}" already configured as default')
if image_name not in available_images:
exit(f'The image "{image_name}" cannot be found')
persistence_storage: str = disk.find_persistence()
if not persistence_storage:
exit('Persistence storage cannot be found')
# set default boot image
try:
grub.set_default(image_name, persistence_storage)
print(f'The image "{image_name}" is now default boot image')
except Exception as err:
exit(f'Unable to set default image "{image_name}": {err}')
@compat.grub_cfg_update
def rename_image(name_old: str, name_new: str) -> None:
"""Rename installed image
Args:
name_old (str): old name
name_new (str): new name
"""
if name_old == image.get_running_image():
exit('Currently running image cannot be renamed')
available_images: list[str] = grub.version_list()
if name_old not in available_images:
exit(f'The image "{name_old}" cannot be found')
if name_new in available_images:
exit(f'The image "{name_new}" already exists')
if not image.validate_name(name_new):
exit(f'The image name "{name_new}" is not allowed')
persistence_storage: str = disk.find_persistence()
if not persistence_storage:
exit('Persistence storage cannot be found')
if not ask_yes_no(
f'Do you really want to rename the image {name_old} '
f'to the {name_new}?',
default=False):
exit()
try:
# replace default boot item
if name_old == image.get_default_image():
grub.set_default(name_new, persistence_storage)
# rename files and dirs
old_path: Path = Path(f'{persistence_storage}/boot/{name_old}')
new_path: Path = Path(f'{persistence_storage}/boot/{name_new}')
old_path.rename(new_path)
# replace boot item
grub.version_del(name_old, persistence_storage)
grub.version_add(name_new, persistence_storage)
print(f'The image "{name_old}" was renamed to "{name_new}"')
except Exception as err:
exit(f'Unable to rename image "{name_old}" to "{name_new}": {err}')
+ # rename LUKS volume if it exists
+ old_luks_path: Path = Path(f'{persistence_storage}/luks/{name_old}')
+ if old_luks_path.is_file():
+ try:
+ new_luks_path: Path = Path(f'{persistence_storage}/luks/{name_new}')
+ old_luks_path.rename(new_luks_path)
+ print(f'The encrypted config for "{name_old}" was successfully renamed to "{name_new}"')
+ except Exception as err:
+ exit(f'Unable to rename the encrypted config for "{name_old}" to "{name_new}": {err}')
+
def list_images() -> None:
"""Print list of available images for CLI hints"""
images_list: list[str] = grub.version_list()
for image_name in images_list:
print(image_name)
def parse_arguments() -> Namespace:
"""Parse arguments
Returns:
Namespace: a namespace with parsed arguments
"""
parser: ArgumentParser = ArgumentParser(description='Manage system images')
parser.add_argument('--action',
choices=['delete', 'set', 'rename', 'list'],
required=True,
help='action to perform with an image')
parser.add_argument('--no-prompt', action='store_true',
help='perform action non-interactively')
parser.add_argument(
'--image-name',
help=
'a name of an image to add, delete, install, rename, or set as default')
parser.add_argument('--image-new-name', help='a new name for image')
args: Namespace = parser.parse_args()
# Validate arguments
if args.action == 'rename' and (not args.image_name or
not args.image_new_name):
exit('Both old and new image names are required for rename action')
return args
if __name__ == '__main__':
try:
args: Namespace = parse_arguments()
if args.action == 'delete':
delete_image(args.image_name, args.no_prompt)
if args.action == 'set':
set_image(args.image_name)
if args.action == 'rename':
rename_image(args.image_name, args.image_new_name)
if args.action == 'list':
list_images()
exit()
except KeyboardInterrupt:
print('Stopped by Ctrl+C')
exit()
except Exception as err:
exit(f'{err}')