Merge pull request #1047 from kumvijaya/current

T7878: Using mergify rule to handle conflict checks for private repo

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,12 +1,15 @@
 <!-- All PR should follow this template to allow a clean and transparent review -->
-<!-- Text placed between these delimiters is considered a commend and is not rendered -->
+<!-- Text placed between these delimiters is considered a comment and is not rendered -->
 
-## Change Summary
+## Change summary
 <!--- Provide a general summary of your changes in the Title above -->
 
 ## Types of changes
-<!--- What types of changes does your code introduce? Put an 'x' in all the boxes that apply. -->
-<!--- NOTE: Markdown requires no leading or trailing whitespace inside the [ ] for checking the box, please use [x] --> 
+<!---
+What types of changes does your code introduce? Put an 'x' in all the boxes that apply.
+NOTE: Markdown requires no leading or trailing whitespace inside the [ ] for checking
+the box, please use [x]
+-->
 - [ ] Bug fix (non-breaking change which fixes an issue)
 - [ ] New feature (non-breaking change which adds functionality)
 - [ ] Code style update (formatting, renaming)
@@ -15,17 +18,11 @@
 - [ ] Other (please describe):
 
 ## Related Task(s)
-<!-- All submitted PRs must be linked to a Task on Phabricator. -->
+<!-- optional: Link to related other tasks on Phabricator. -->
+<!-- * https://vyos.dev/Txxxx -->
 
-## Component(s) name
-<!-- A rather incomplete list of components: ethernet, wireguard, bgp, mpls, ldp, l2tp, dhcp ... -->
-
-## Proposed changes
-<!--- Describe your changes in detail -->
-
-## How to test
-<!--- Please describe in detail how you tested your changes. -->
-<!--- Include details of your testing environment, and the tests you ran to -->
+## Related PR(s)
+<!-- Link here any PRs in other repositories that are required by this PR -->
 
 ## Checklist:
 <!--- Go over all the following points, and put an `x` in all the boxes that apply. -->

.github/mergify.yml

@@ -0,0 +1,10 @@
+pull_request_rules:
+  - name: Label conflicting pull requests
+    description: Add a label to a pull request with conflict to spot it easily
+    conditions:
+      - conflict
+      - '-closed'
+    actions:
+      label:
+        toggle:
+          - conflict

.github/workflows/add-pr-labels.yml

@@ -0,0 +1,18 @@
+---
+name: Add pull request labels
+
+on:
+  pull_request_target:
+    branches:
+      - current
+      - equuleus
+      - sagitta
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  add-pr-label:
+    uses: vyos/.github/.github/workflows/add-pr-labels.yml@current
+    secrets: inherit

.github/workflows/auto-author-assign.yml

@@ -0,0 +1,14 @@
+name: "PR Triage"
+on:
+  pull_request_target:
+    types: [opened, reopened, ready_for_review, locked]
+
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  assign-author:
+    uses: vyos/.github/.github/workflows/assign-author.yml@current
+    secrets: inherit

.github/workflows/check-pr-conflicts.yml

@@ -0,0 +1,15 @@
+
+name: "PR Conflicts checker"
+on:
+  pull_request_target:
+    types: [synchronize]
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  check-pr-conflict:
+    if: github.repository_owner == 'vyos'
+    uses: vyos/.github/.github/workflows/check-pr-merge-conflict.yml@current
+    secrets: inherit

.github/workflows/check-pr-message.yml

@@ -0,0 +1,18 @@
+---
+name: Check pull request message format
+
+on:
+  pull_request_target:
+    branches:
+      - current
+      - sagitta
+      - equuleus
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  check-pr-title:
+    uses: vyos/.github/.github/workflows/check-pr-message.yml@current
+    secrets: inherit

.github/workflows/check-stale.yml

@@ -0,0 +1,14 @@
+name: "Issue and PR stale management"
+on:
+  schedule:
+  - cron: "0 0 * * *"
+  workflow_dispatch:
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  stale:
+    uses: vyos/.github/.github/workflows/check-stale.yml@current
+    secrets: inherit

.github/workflows/check-unused-imports.yml

@@ -0,0 +1,17 @@
+name: Check for unused imports using Pylint
+on:
+  pull_request:
+    branches:
+      - current
+      - sagitta
+      - equuleus
+  workflow_dispatch:
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  check-unused-imports:
+    uses: vyos/.github/.github/workflows/check-unused-imports.yml@current
+    secrets: inherit

.github/workflows/cla-check.yml

@@ -0,0 +1,18 @@
+name: "CLA Check"
+
+permissions:
+  actions: write
+  contents: read
+  pull-requests: write
+  statuses: write
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, closed]
+  issue_comment:
+    types: [created]
+
+jobs:
+  call-cla-assistant:
+    uses: vyos/vyos-cla-signatures/.github/workflows/cla-reusable.yml@current
+    secrets: inherit

.github/workflows/codeql.yml

@@ -0,0 +1,23 @@
+name: "Perform CodeQL Analysis"
+
+on:
+  push:
+    branches: [ "current", "sagitta", "equuleus" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "current" ]
+  schedule:
+    - cron: '22 10 * * 0'
+  workflow_dispatch:
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  codeql-analysis-call:
+    uses: vyos/.github/.github/workflows/codeql-analysis.yml@current
+    secrets: inherit
+    with:
+      languages: "['python']"

.github/workflows/label-backport.yml

@@ -0,0 +1,12 @@
+name: Mergifyio backport
+
+on: [issue_comment]
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  mergifyio-backport:
+    uses: vyos/.github/.github/workflows/label-backport.yml@current
+    secrets: inherit

.github/workflows/linit-j2.yml

@@ -0,0 +1,19 @@
+---
+name: J2 Lint
+
+on:
+  pull_request:
+    branches:
+      - current
+      - sagitta
+      - equuleus
+  workflow_dispatch:
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  j2lint:
+    uses: vyos/.github/.github/workflows/lint-j2.yml@current
+    secrets: inherit

.github/workflows/pr-mirror-repo-sync.yml

@@ -0,0 +1,35 @@
+name: PR Mirror and Repo Sync
+
+on:
+  pull_request_target:
+    types: [closed]
+    branches: [current]
+  workflow_dispatch:
+    inputs:
+      sync_branch:
+        description: 'Branch to mirror'
+        required: true
+        default: 'current'
+        type: choice
+        options:
+          - current
+
+permissions:
+  pull-requests: write
+  contents: write
+  issues: write
+
+jobs:
+  call-pr-mirror-repo-sync:
+    if: |
+      github.repository_owner == 'vyos' &&
+      (
+        github.event_name == 'workflow_dispatch' ||
+        (github.event_name == 'pull_request_target' && github.event.pull_request.merged == true)
+      )
+    uses: vyos/.github/.github/workflows/pr-mirror-repo-sync.yml@current
+    with:
+      sync_branch: ${{ github.event.inputs.sync_branch || 'current' }}
+    secrets:
+      PAT: ${{ secrets.PAT }}
+      REMOTE_OWNER: ${{ secrets.REMOTE_OWNER }}

.github/workflows/trigger-docker-image-build.yml

@@ -0,0 +1,47 @@
+name: Trigger Docker image build
+
+on:
+  pull_request_target:
+    types:
+      - closed
+    branches:
+      - current
+
+permissions:
+  packages: write
+  contents: read
+  attestations: write
+  id-token: write
+  pull-requests: read
+
+jobs:
+  track-changes:
+    if: github.event.pull_request.merged == true
+    runs-on: ubuntu-latest
+    
+    env:
+      REF: main  # Used for curl to trigger image build
+
+    steps:
+      - name: Checkout vyos/vyos-build repo
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref_name }}
+
+      - uses: dorny/paths-filter@v3
+        id: changes
+        with:
+          filters: |
+            docker-dir:
+              - 'docker/**'
+
+      - name: "Trigger Docker image build for ${{ github.ref_name }}"
+        if: ${{ steps.changes.outputs.docker-dir == 'true' }}
+        run: |
+          curl -L \
+            -X POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.PAT }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/${{ secrets.REMOTE_OWNER }}/${{ secrets.REMOTE_REUSE_REPO }}/actions/workflows/build-docker-image.yml/dispatches \
+            -d '{"ref": "${{ env.REF }}", "inputs":{"branch":"${{ github.ref_name }}", "environment":"production"}}'

.github/workflows/trigger_rebuild_packages.yml

@@ -0,0 +1,264 @@
+name: Trigger to build package
+
+on:
+  push:
+    branches:
+      - current
+
+jobs:
+  changes:
+    runs-on: ubuntu-latest
+
+    env:
+      REF: main  # Used for curl to trigger build package
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref_name }}
+
+      - uses: dorny/paths-filter@v3
+        id: changes
+        with:
+          base: ${{ github.ref_name }}
+          filters: |
+            amazon-cloudwatch-agent:
+              - 'scripts/package-build/amazon-cloudwatch-agent/**'
+            amazon-ssm-agent:
+              - 'scripts/package-build/amazon-ssm-agent/**'
+            aws-gwlbtun:
+              - 'scripts/package-build/aws-gwlbtun/**'
+            blackbox_exporter:
+              - 'scripts/package-build/blackbox_exporter/**'
+            bash-completion:
+              - 'scripts/package-build/bash-completion/**'
+            ddclient:
+              - 'scripts/package-build/ddclient/**'
+            dropbear:
+              - 'scripts/package-build/dropbear/**'
+            ethtool:
+              - 'scripts/package-build/ethtool/**'
+            frr:
+              - 'scripts/package-build/frr/**'
+            frr_exporter:
+              - 'scripts/package-build/frr_exporter/**'
+            hostap:
+              - 'scripts/package-build/hostap/**'
+            hsflowd:
+              - 'scripts/package-build/hsflowd/**'
+            isc-dhcp:
+              - 'scripts/package-build/isc-dhcp/**'
+            keepalived:
+              - 'scripts/package-build/keepalived/**'
+            libnss-mapuser:
+              - 'scripts/package-build/libnss-mapuser/**'
+            libpam-radius-auth:
+              - 'scripts/package-build/libpam-radius-auth/**'
+            linux-kernel:
+              - 'data/defaults.toml'
+              - 'scripts/package-build/linux-kernel/**'
+            ndppd:
+              - 'scripts/package-build/ndppd/**'
+            net-snmp:
+              - 'scripts/package-build/net-snmp/**'
+            netfilter:
+              - 'scripts/package-build/netfilter/**'
+            node_exporter:
+              - 'scripts/package-build/node_exporter/**'
+            openvpn-otp:
+              - 'scripts/package-build/openvpn-otp/**'
+            owamp:
+              - 'scripts/package-build/owamp/**'
+            pam_tacplus:
+              - 'scripts/package-build/pam_tacplus/**'
+            podman:
+              - 'scripts/package-build/podman/**'
+            pyhumps:
+              - 'scripts/package-build/pyhumps/**'
+            radvd:
+              - 'scripts/package-build/radvd/**'
+            strongswan:
+              - 'scripts/package-build/strongswan/**'
+            tacacs:
+              - 'scripts/package-build/tacacs/**'
+            telegraf:
+              - 'scripts/package-build/telegraf/**'
+            udp-broadcast-relay:
+              - 'scripts/package-build/udp-broadcast-relay/**'
+            unionfs-fuse:
+              - 'scripts/package-build/unionfs-fuse/**'
+            vpp:
+              - 'scripts/package-build/vpp/**'
+            waagent:
+              - 'scripts/package-build/waagent/**'
+            wide-dhcpv6:
+              - 'scripts/package-build/wide-dhcpv6/**'
+            xen-guest-agent:
+              - 'scripts/package-build/xen-guest-agent/**'
+            zerotier-one:
+              - 'scripts/package-build/zerotier-one/**'
+
+      - name: Trigger builds for changed packages
+        run: |
+          set -eux
+          function trigger_build() {
+            PACKAGE_NAME=$1
+            echo "${PACKAGE_NAME} change detected!"
+            curl -L \
+              -X POST \
+              -H "Accept: application/vnd.github+json" \
+              -H "Authorization: Bearer ${{ secrets.PAT }}" \
+              -H "X-GitHub-Api-Version: 2022-11-28" \
+              https://api.github.com/repos/${{ secrets.REMOTE_OWNER }}/${{ secrets.REMOTE_REUSE_REPO }}/actions/workflows/build-package.yml/dispatches \
+              -d '{"ref": "${{ env.REF }}", "inputs":{"package_name":"'"$PACKAGE_NAME"'", "gpg_key_id": "${{ secrets.GPG_KEY_ID }}", "package_branch": "${{ github.ref_name }}", "pat": "${{ secrets.PAT }}"}}'
+          }
+
+          # Trigger builds based on detected changes
+          if [ "${{ steps.changes.outputs.amazon-cloudwatch-agent }}" == "true" ]; then
+            trigger_build "amazon-cloudwatch-agent"
+          fi
+
+          if [ "${{ steps.changes.outputs.amazon-ssm-agent }}" == "true" ]; then
+            trigger_build "amazon-ssm-agent"
+          fi
+
+          if [ "${{ steps.changes.outputs.aws-gwlbtun }}" == "true" ]; then
+            trigger_build "aws-gwlbtun"
+          fi
+
+          if [ "${{ steps.changes.outputs.bash-completion }}" == "true" ]; then
+            trigger_build "bash-completion"
+          fi
+
+          if [ "${{ steps.changes.outputs.blackbox_exporter }}" == "true" ]; then
+            trigger_build "blackbox_exporter"
+          fi
+
+          if [ "${{ steps.changes.outputs.ddclient }}" == "true" ]; then
+            trigger_build "ddclient"
+          fi
+
+          if [ "${{ steps.changes.outputs.dropbear }}" == "true" ]; then
+            trigger_build "dropbear"
+          fi
+
+          if [ "${{ steps.changes.outputs.ethtool }}" == "true" ]; then
+            trigger_build "ethtool"
+          fi
+
+          if [ "${{ steps.changes.outputs.frr }}" == "true" ]; then
+            trigger_build "frr"
+          fi
+
+          if [ "${{ steps.changes.outputs.frr_exporter }}" == "true" ]; then
+            trigger_build "frr_exporter"
+          fi
+
+          if [ "${{ steps.changes.outputs.hostap }}" == "true" ]; then
+            trigger_build "hostap"
+          fi
+
+          if [ "${{ steps.changes.outputs.hsflowd }}" == "true" ]; then
+            trigger_build "hsflowd"
+          fi
+
+          if [ "${{ steps.changes.outputs.isc-dhcp }}" == "true" ]; then
+            trigger_build "isc-dhcp"
+          fi
+
+          if [ "${{ steps.changes.outputs.keepalived }}" == "true" ]; then
+            trigger_build "keepalived"
+          fi
+
+          if [ "${{ steps.changes.outputs.libnss-mapuser }}" == "true" ]; then
+            trigger_build "libnss-mapuser"
+          fi
+
+          if [ "${{ steps.changes.outputs.libpam-radius-auth }}" == "true" ]; then
+            trigger_build "libpam-radius-auth"
+          fi
+
+          if [ "${{ steps.changes.outputs.linux-kernel }}" == "true" ]; then
+            trigger_build "linux-kernel"
+          fi
+
+          if [ "${{ steps.changes.outputs.ndppd }}" == "true" ]; then
+            trigger_build "ndppd"
+          fi
+
+          if [ "${{ steps.changes.outputs.net-snmp }}" == "true" ]; then
+            trigger_build "net-snmp"
+          fi
+
+          if [ "${{ steps.changes.outputs.netfilter }}" == "true" ]; then
+            trigger_build "netfilter"
+          fi
+
+          if [ "${{ steps.changes.outputs.node_exporter }}" == "true" ]; then
+            trigger_build "node_exporter"
+          fi
+
+          if [ "${{ steps.changes.outputs.openvpn-otp }}" == "true" ]; then
+            trigger_build "openvpn-otp"
+          fi
+
+          if [ "${{ steps.changes.outputs.owamp }}" == "true" ]; then
+            trigger_build "owamp"
+          fi
+
+          if [ "${{ steps.changes.outputs.pam_tacplus }}" == "true" ]; then
+            trigger_build "pam_tacplus"
+          fi
+
+          if [ "${{ steps.changes.outputs.podman }}" == "true" ]; then
+            trigger_build "podman"
+          fi
+
+          if [ "${{ steps.changes.outputs.pyhumps }}" == "true" ]; then
+            trigger_build "pyhumps"
+          fi
+
+          if [ "${{ steps.changes.outputs.radvd }}" == "true" ]; then
+            trigger_build "radvd"
+          fi
+
+          if [ "${{ steps.changes.outputs.strongswan }}" == "true" ]; then
+            trigger_build "strongswan"
+          fi
+
+          if [ "${{ steps.changes.outputs.tacacs }}" == "true" ]; then
+            trigger_build "tacacs"
+          fi
+
+          if [ "${{ steps.changes.outputs.telegraf }}" == "true" ]; then
+            trigger_build "telegraf"
+          fi
+
+          if [ "${{ steps.changes.outputs.udp-broadcast-relay }}" == "true" ]; then
+            trigger_build "udp-broadcast-relay"
+          fi
+
+          if [ "${{ steps.changes.outputs.unionfs-fuse }}" == "true" ]; then
+            trigger_build "unionfs-fuse"
+          fi
+
+          if [ "${{ steps.changes.outputs.vpp }}" == "true" ]; then
+            trigger_build "vpp"
+          fi
+
+          if [ "${{ steps.changes.outputs.waagent }}" == "true" ]; then
+            trigger_build "waagent"
+          fi
+
+          if [ "${{ steps.changes.outputs.wide-dhcpv6 }}" == "true" ]; then
+            trigger_build "ethtool"
+          fi
+
+          if [ "${{ steps.changes.outputs.xen-guest-agent }}" == "true" ]; then
+            trigger_build "xen-guest-agent"
+          fi
+
+          if [ "${{ steps.changes.outputs.zerotier-one }}" == "true" ]; then
+            trigger_build "zerotier-one"
+          fi

.gitignore

@@ -1,8 +1,15 @@
+.build/config
 build/*
+config/*
 *.pyc
 packer_build/*
 packer_cache/*
 key/*
 packages/*
 !packages/*/
-testinstall*.img
+/testinstall*.img
+/testinstall*.efivars
+/*.qcow2
+/*.tar
+.DS_Store
+._.DS_Store

CODEOWNERS

@@ -0,0 +1,2 @@
+# Users from reviewers github team
+# * @vyos/reviewers

CONTRIBUTING.md

@@ -8,6 +8,81 @@ review this contribution guideline.
 
 The following paragraphs are an excerpt from our Documentation.
 
+## Submit a Patch
+
+Patches are always more than welcome. To have a clean and easy to maintain
+repository we have some guidelines when working with Git. A clean repository
+eases the automatic generation of a changelog file.
+
+A good approach for writing commit messages is actually to have a look at the
+file(s) history by invoking git log path/to/file.txt.
+
+### Prepare patch/commit
+
+In a big system, such as VyOS, that is comprised of multiple components, it’s
+impossible to keep track of all the changes and bugs/feature requests in one’s
+head. We use a bugtracker known as Phabricator for it (“issue tracker” would
+be a better term, but this one stuck).
+
+The information is used in three ways:
+
+* Keep track of the progress (what we have already done in this branch and
+  what  we still need to do).
+* Prepare automatic release notes for upcoming releases
+* Help future maintainers of VyOS (it could be you!) to find out why certain
+  things have been changed in the codebase or why certain features have been
+  added
+
+To make this approach work, every change must be associated with a task number
+(prefixed with **T**) and a component. If there is no bug report/feature
+request for the changes you are going to make, you have to create a Phabricator
+task first. Once there is an entry in Phabricator, you should reference its id
+in your commit message, as shown below:
+
+* `ddclient: T1030: auto create runtime directories`
+* `keepalived: T1234: do not autostart service, will be done by CLI`
+
+If there is no [Phabricator](https://vyos.dev) reference in the
+commits of your pull request, we have to ask you to amend the commit message.
+Otherwise we will have to reject it.
+
+## Writing good commit messages
+
+The format should be and is inspired by this very good and detailed
+[Git documentation](https://git-scm.com/book/ch5-2.html), it is also worth
+reading https://chris.beams.io/posts/git-commit/.
+
+This is nothing VyOS specific - it is more a general topic for distributed
+development environments.
+
+* A single, short, summary of the commit (recommended 50 characters or less,
+  not exceeding 80 characters) containing a prefix of the changed component
+  and the corresponding Phabricator reference e.g. `snmp: T1111:` or
+  `ethernet: T2222:` - multiple components could be concatenated as in `snmp:
+  ethernet: T3333`
+* In some contexts, the first line is treated as the subject of an email and
+  the rest of the text as the body. The blank line separating the summary from
+  the body is critical (unless you omit the body entirely); tools like rebase
+  can get confused if you run the two together.
+* Followed by a message which describes all the details like:
+  * What/why/how something has been changed, makes everyone’s life easier when
+    working with `git bisect`
+  * All text of the commit message should be wrapped at 72 characters if
+    possible which makes reading commit logs easier with git log on a standard
+	terminal (which happens to be 80x25)
+  * If applicable a reference to a previous commit should be made linking those
+    commits nicely when browsing the history: `After commit abcd12ef ("snmp:
+	this is a headline") a Python import statement is missing, throwing the
+	following exception: ABCDEF`
+* Always use the `-x` option to the `git cherry-pick` command when back or
+  forward porting an individual commit. This automatically appends the line:
+  `(cherry picked from commit <ID>)` to the original authors commit message
+  making it easier when bisecting problems.
+* Every change set must be consistent (self containing)! Do not fix multiple
+  bugs in a single commit. If you already worked on multiple fixes in the same
+  file use git add –patch to only add the parts related to the one issue into
+  your upcoming commit.
+  
 ## Bug Report/Issue
 Issues or bugs are found in any software project. VyOS is not an exception.
 
@@ -51,7 +126,7 @@ also contain information that is helpful for the development team.
 ### Reporting
 
 In order to open up a bug-report/feature request you need to create yourself
-an account on [Phabricator](https://phabricator.vyos.net). On the left
+an account on [Phabricator](https://vyos.dev). On the left
 side of the specific project (VyOS 1.2 or VyOS 1.3) you will find quick-links
 for opening a bug-report/feature request.
 
@@ -66,7 +141,7 @@ for opening a bug-report/feature request.
 
 You have an idea of how to make VyOS better or you are in need of a specific
 feature which all users of VyOS would benefit from? To send a feature request
-please search [Phabricator](https://phabricator.vyos.net) if there is already a
+please search [Phabricator](https://vyos.dev) if there is already a
 request pending. You can enhance it or if you don't find one, create a new one
 by use the quick link in the left side under the specific project.
 

Jenkinsfile

@@ -1,246 +0,0 @@
-#!/usr/bin/env groovy
-// Copyright (C) 2019 VyOS maintainers and contributors
-//
-// This program is free software; you can redistribute it and/or modify
-// in order to easy exprort images built to "external" world
-// it under the terms of the GNU General Public License version 2 or later as
-// published by the Free Software Foundation.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-@NonCPS
-
-// Using a version specifier library, use 'current' branch. The underscore (_)
-// is not a typo! You need this underscore if the line immediately after the
-// @Library annotation is not an import statement!
-@Library('vyos-build@current')_
-
-
-// Only keep the 10 most recent builds
-def projectProperties = [
-    [$class: 'BuildDiscarderProperty',strategy: [$class: 'LogRotator', numToKeepStr: '10']],
-]
-
-properties(projectProperties)
-setDescription()
-
-// Due to long build times on DockerHub we rather build the container by ourself
-// and publish it later on.
-
-// create container names on demand
-env.DOCKER_IMAGE =       "vyos/vyos-build:" + getGitBranchName()
-env.DOCKER_IMAGE_ARM =   "vyos/vyos-build:" + getGitBranchName() + "-armhf"
-env.DOCKER_IMAGE_ARM64 = "vyos/vyos-build:" + getGitBranchName() + "-arm64"
-
-node('Docker') {
-    stage('Fetch') {
-        git branch: getGitBranchName(),
-            url: getGitRepoURL()
-    }
-    stage('Build Docker container') {
-        parallel (
-            'x86-64': {
-                script {
-                    dir('docker') {
-                        sh """
-                            docker build -t ${env.DOCKER_IMAGE} .
-                        """
-                        if ( ! isCustomBuild()) {
-                            withDockerRegistry([credentialsId: "DockerHub"]) {
-                                sh "docker push ${env.DOCKER_IMAGE}"
-                            }
-
-                        }
-                    }
-                }
-            },
-//          'armhf': {
-//              script {
-//                  dir('docker') {
-//                      sh """
-//                          cp Dockerfile armhf/Dockerfile
-//                          cp entrypoint.sh armhf/entrypoint.sh
-//                          sed -i 's#^FROM.*#FROM multiarch/debian-debootstrap:armhf-buster-slim#' armhf/Dockerfile
-//                          docker build -t ${env.DOCKER_IMAGE_ARM} armhf
-//                      """
-//                      if ( ! isCustomBuild()) {
-//                          withDockerRegistry([credentialsId: "DockerHub"]) {
-//                              sh "docker push ${env.DOCKER_IMAGE_ARM}"
-//                          }
-//                      }
-//                  }
-//              }
-//          },
-          'arm64': {
-              script {
-                  dir('docker') {
-                      sh """
-                          docker build -t ${env.DOCKER_IMAGE_ARM64} --build-arg ARCH=arm64v8/ .
-
-                      """
-
-                      if ( ! isCustomBuild()) {
-                          withDockerRegistry([credentialsId: "DockerHub"]) {
-                              sh "docker push ${env.DOCKER_IMAGE_ARM64}"
-
-                          }
-                      }
-                  }
-              }
-          }
-        )
-    }
-}
-
-pipeline {
-    options {
-        disableConcurrentBuilds()
-        timeout(time: 120, unit: 'MINUTES')
-        parallelsAlwaysFailFast()
-        timestamps()
-    }
-    triggers {
-        cron('H 2 * * *')
-    }
-    agent {
-        dockerfile {
-            filename 'Dockerfile'
-            dir 'docker'
-            args '--privileged --sysctl net.ipv6.conf.lo.disable_ipv6=0 -e GOSU_UID=1006 -e GOSU_GID=1006'
-        }
-    }
-    stages {
-        stage('Build ISO') {
-            when {
-                beforeOptions true
-                beforeAgent true
-                // Do not run ISO build when the Docker container definition or the build pipeline
-                // library changes as this has no direct impact on the ISO image.
-                not { changeset "**/docker/*" }
-                not { changeset "**/vars/*" }
-                not { changeset "**/packages/*" }
-                anyOf {
-                    triggeredBy 'TimerTrigger'
-                    triggeredBy cause: "UserIdCause"
-                }
-            }
-            steps {
-                script {
-                    // Display Git commit Id used with the Jenkinsfile on the Job "Build History" pane
-                    def commitId = sh(returnStdout: true, script: 'git rev-parse --short=11 HEAD').trim()
-                    currentBuild.description = sprintf('Git SHA1: %s', commitId[-11..-1])
-
-                    sh """
-                        ./configure \
-                            --build-by autobuild@vyos.net \
-                            --debian-mirror http://ftp.us.debian.org/debian/ \
-                            --build-type release \
-                            --version 1.3-rolling-\$(date +%Y%m%d%H%M) \
-                            --custom-package "vyos-1x-smoketest"
-                        sudo make iso
-                    """
-
-                    if (fileExists('build/live-image-amd64.hybrid.iso') == false) {
-                        error('ISO build error')
-                    }
-                }
-            }
-        }
-        stage('QEMU') {
-            parallel {
-                stage('Smoketests without vyos-configd') {
-                    when {
-                        expression { fileExists 'build/live-image-amd64.hybrid.iso' }
-                    }
-                    steps {
-                        sh "sudo make test"
-                    }
-                }
-                stage('Smoketests with vyos-configd') {
-                    when {
-                        expression { fileExists 'build/live-image-amd64.hybrid.iso' }
-                    }
-                    steps {
-                        sh "sudo make testd"
-                    }
-                }
-                stage('Smoketests with vyos-configd and arbitrary config loader') {
-                    when {
-                        expression { fileExists 'build/live-image-amd64.hybrid.iso' }
-                    }
-                    steps {
-                        sh "sudo make testc"
-                    }
-                }
-                stage('Build QEMU image') {
-                    when {
-                        expression { fileExists 'build/live-image-amd64.hybrid.iso' }
-                    }
-                    steps {
-                        sh "sudo make qemu"
-                    }
-                }
-            }
-        }
-    }
-    post {
-        success {
-            script {
-                // only deploy ISO if build from official repository
-                if (isCustomBuild())
-                    return
-
-                files = findFiles(glob: 'build/vyos*.iso')
-                if (files) {
-                    // publish build result, using SSH-dev.packages.vyos.net Jenkins Credentials
-                    sshagent(['SSH-dev.packages.vyos.net']) {
-                        dir('build') {
-                            // build up some fancy groovy variables so we do not need to write/copy
-                            // every option over and over again!
-                            def ARCH = sh(returnStdout: true, script: "dpkg --print-architecture").trim()
-                            def ISO = sh(returnStdout: true, script: "ls vyos-*.iso").trim()
-                            def SSH_DIR = '/home/sentrium/web/downloads.vyos.io/public_html/rolling/' + getGitBranchName() + '/' + ARCH
-                            def SSH_OPTS = '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
-                            def SSH_REMOTE = 'khagen@10.217.48.113'
-
-                            // No need to explicitly check the return code. The pipeline
-                            // will fail if sh returns a non 0 exit code
-                            sh """
-                                sha256sum ${ISO} > ${ISO}.sha256
-                                ssh ${SSH_OPTS} ${SSH_REMOTE} -t "bash --login -c 'mkdir -p ${SSH_DIR}'"
-                                ssh ${SSH_OPTS} ${SSH_REMOTE} -t "bash --login -c 'find ${SSH_DIR} -type f -mtime +28 -exec rm -f {} \\;'"
-                                scp ${SSH_OPTS} -r ${ISO} ${ISO}.sha256 ${SSH_REMOTE}:${SSH_DIR}/
-                                ssh ${SSH_OPTS} ${SSH_REMOTE} -t "bash --login -c '/usr/bin/make-latest-rolling-symlink.sh'"
-                            """
-                        }
-                    }
-
-                    // Upload to Amazon S3 storage
-                    withAWS(region: 'us-east-1', credentials: 's3-vyos-downloads-rolling-rw') {
-                        s3Upload(bucket: 's3-us.vyos.io', path: 'rolling/',
-                                 workingDir: 'build', includePathPattern: 'vyos*.iso')
-                        s3Copy(fromBucket: 's3-us.vyos.io', fromPath: 'rolling/' + files[0].name,
-                               toBucket: 's3-us.vyos.io', toPath: 'rolling/vyos-rolling-latest.iso')
-                    }
-                }
-            }
-        }
-        failure {
-            archiveArtifacts artifacts: '**/live-image-amd64.hybrid.iso',
-                allowEmptyArchive: true
-        }
-        cleanup {
-            echo 'One way or another, I have finished'
-            // the 'build' directory got elevated permissions during the build
-            // cdjust permissions so it can be cleaned up by the regular user
-            sh 'sudo make purge'
-            deleteDir() /* cleanup our workspace */
-        }
-    }
-}

LICENSE.artwork

@@ -0,0 +1,32 @@
+# The spirit
+
+VyOS is free (as in freedom) software. We keep the source code and the build tools freely-licensed
+and available to everyone to inspect, modify, and distribute.
+The goal of VyOS is to create a network operating system available to everyone who needs it.
+We welcome contributions from all community members and we are happy to share our work on LTS releases
+with contributors. We also don't require contributors to give us exclusive rights to their contributions,
+and VyOS source code belongs to the entire community.
+
+However, success of a project and its ability to receive funding through commercial services
+rests on the reputation of its maintainers.
+And the "pay for binaries" LTS release model only works if access to images is actually restricted
+to those who support the project by purchasing a subscription or contributing.
+
+We cannot let other people and organizations exploit our reputation for gain or put it at risk
+by distributing modified images with VyOS branding, or compromise the LTS business model
+by redistributing pre-built images meant for subscription holders.
+
+We enforce that through trademarks and copyrighted artwork.
+
+Use and distribution of pre-built LTS images is governed by a EULA you can find in /usr/share/doc/vyos/EULA
+on the live image and in installed systems. 
+
+Self-built images can be freely distributed, but only if you replace the branding with yourn own,
+that is, replace all artwork files that contain the VyOS logo and all end-user-visible mentions of the VyOS name.
+
+# The letter
+
+VyOS is a registered trademarks in the United States, countries of the European Union, and other countries.
+
+The copyright to the artwork files that contain the VyOS logo, such as data/live-build-config/includes.binary/isolinux/splash.png
+belongs to Sentrium S.L. and affiliated, all rights reserved. 

Makefile

@@ -1,264 +1,95 @@
+SHELL := /bin/bash
+
 build_dir := build
 
 .PHONY: all
 all:
 	@echo "Make what specifically?"
-	@echo "The most common target is 'iso'"
+	@echo "The most common target is 'generic'"
 
-.PHONY: check_build_config
-check_build_config:
-	@scripts/check-config
+%:
+	./build-vyos-image $*
 
-.PHONY: prepare
-prepare:
-	@set -e
-	@echo "Starting VyOS ISO image build"
-
-	rm -rf build/config/*
-	mkdir -p build/config
-	cp -r data/live-build-config/* build/config/
-	@scripts/live-build-config
-	@scripts/import-local-packages
-
-	@scripts/make-version-file
-
-	@scripts/build-flavour
-
-.PHONY: iso
+.PHONY: checkiso
 .ONESHELL:
-iso: check_build_config clean prepare
-	@echo "It's not like I'm building this specially for you or anything!"
-	cd $(build_dir)
-	set -o pipefail
-	lb build 2>&1 | tee build.log; if [ $$? -ne 0 ]; then exit 1; fi
-	cd ..
-	@scripts/copy-image
-	exit 0
-
-.PHONY: prepare-package-env
-.ONESHELL:
-prepare-package-env:
-	@set -e
-	@scripts/pbuilder-config
-	@scripts/pbuilder-setup
-
-.PHONY: qemu
-.ONESHELL:
-qemu:
-	@set -e
-	@scripts/check-vm-build-env
-	@scripts/build-qemu-image
-
-.PHONY: vagrant-libvirt
-.ONESHELL:
-vagrant-libvirt:
-	@set -e
-	@scripts/check-vm-build-env
-	@scripts/build-vagrant-libvirt-box
-
-.PHONY: vmware
-.ONESHELL:
-vmware: clean prepare
-	@set -e
-	@echo "It's not like I'm building this specially for you or anything!"
-	mkdir -p build/config/includes.chroot/etc/cloud/cloud.cfg.d
-	cp tools/cloud-init/vmware/90_dpkg.cfg build/config/includes.chroot/etc/cloud/cloud.cfg.d/
-	cp tools/cloud-init/cloud-init.list.chroot build/config/package-lists/
-	cp -f tools/cloud-init/vmware/config.boot.default build/config/includes.chroot/opt/vyatta/etc/
-	cd $(build_dir)
-	@../scripts/build-vmware-image
-
-.PHONY: hyperv
-.ONESHELL:
-hyperv:
-	@set -e
-	@scripts/check-vm-build-env
-	@scripts/build-hyperv-image
-
-.PHONY: clearfog
-.ONESHELL:
-clearfog: clean prepare
-	@set -e
-	@echo "It's not like I'm building this specially for you or anything!"
-	cd $(build_dir)
-	@../scripts/build-clearfog-image
-
-.PHONY: azure
-.ONESHELL:
-azure: clean prepare
-	@set -e
-	@echo "It's not like I'm building this specially for you or anything!"
-	cp tools/cloud-init/azure/99-walinuxagent.chroot build/config/hooks/live/
-	cp tools/cloud-init/azure/vyos-azure.list.chroot build/config/package-lists/
-	cp tools/cloud-init/cloud-init.list.chroot build/config/package-lists/
-	cp -f tools/cloud-init/azure/config.boot.default build/config/includes.chroot/opt/vyatta/etc/
-	cd $(build_dir)
-	@../scripts/build-azure-image
-
-.PHONY: GCE
-.ONESHELL:
-GCE: clean prepare
-	@set -e
-	@echo "It's not like I'm building this specially for you or anything!"
-	mkdir -p build/config/includes.chroot/etc/cloud/cloud.cfg.d
-	cp tools/cloud-init/GCE/90_dpkg.cfg build/config/includes.chroot/etc/cloud/cloud.cfg.d/
-	cp tools/cloud-init/cloud-init.list.chroot build/config/package-lists/
-	cp -f tools/cloud-init/GCE/config.boot.default build/config/includes.chroot/opt/vyatta/etc/
-	cd $(build_dir)
-	@../scripts/build-GCE-image
-
-.PHONY: GCE-debug
-.ONESHELL:
-GCE-debug: clean prepare
-	@set -e
-	@echo "It's not like I'm building this specially for you or anything!"
-	mkdir -p build/config/includes.chroot/etc/cloud/cloud.cfg.d
-	cp tools/cloud-init/99-debug-user.chroot build/config/hooks/live/
-	cp tools/cloud-init/GCE/90_dpkg.cfg build/config/includes.chroot/etc/cloud/cloud.cfg.d/
-	cp tools/cloud-init/cloud-init.list.chroot build/config/package-lists/
-	cp -f tools/cloud-init/GCE/config.boot.default-debug build/config/includes.chroot/opt/vyatta/etc/config.boot.default
-	cd $(build_dir)
-	@../scripts/build-GCE-image
-
-.PHONY: AWS
-.ONESHELL:
-AWS: clean prepare
-	@set -e
-	@echo "It's not like I'm building this specially for you or anything!"
-	mkdir -p build/config/includes.chroot/etc/cloud/cloud.cfg.d
-	cp tools/cloud-init/AWS/90_dpkg.cfg build/config/includes.chroot/etc/cloud/cloud.cfg.d/
-	cp tools/cloud-init/AWS/cloud-init.list.chroot build/config/package-lists/
-	cp -f tools/cloud-init/AWS/config.boot.default build/config/includes.chroot/opt/vyatta/etc/
-	cd $(build_dir)
-	lb build 2>&1 | tee build.log
-	cd ..
-	@scripts/copy-image
-
-.PHONY: openstack
-.ONESHELL:
-openstack: clean prepare
-	@set -e
-	@echo "It's not like I'm building this specially for you or anything!"
-	mkdir -p build/config/includes.chroot/etc/cloud/cloud.cfg.d
-	cp tools/cloud-init/openstack/90_dpkg.cfg build/config/includes.chroot/etc/cloud/cloud.cfg.d/
-	cp tools/cloud-init/cloud-init.list.chroot build/config/package-lists/
-	cp -f tools/cloud-init/openstack/config.boot.default build/config/includes.chroot/opt/vyatta/etc/
-	cd $(build_dir)
-	lb build 2>&1 | tee build.log
-	cd ..
-	@scripts/copy-image
-
-.PHONY: oracle
-.ONESHELL:
-oracle: clean prepare
-	@set -e
-	@echo "It's not like I'm building this specially for you or anything!"
-	mkdir -p build/config/includes.chroot/etc/cloud/cloud.cfg.d
-	cp tools/cloud-init/OCI/90_dpkg.cfg build/config/includes.chroot/etc/cloud/cloud.cfg.d/
-	cp tools/cloud-init/cloud-init.list.chroot build/config/package-lists/
-	cp -f tools/cloud-init/OCI/config.boot.default build/config/includes.chroot/opt/vyatta/etc/
-	cd $(build_dir)
-	@../scripts/build-oracle-image
-
-.PHONY: PACKET
-.ONESHELL:
-PACKET: clean prepare
-	@set -e
-	@echo "It's not like I'm building this specially for you or anything!"
-	mkdir -p build/config/includes.chroot/etc/cloud/cloud.cfg.d
-	cp tools/cloud-init/99-disable-networking.chroot build/config/hooks/live/
-	cp tools/cloud-init/PACKET/90_dpkg.cfg build/config/includes.chroot/etc/cloud/cloud.cfg.d/
-	cp tools/cloud-init/cloud-init.list.chroot build/config/package-lists/
-	cp -f tools/cloud-init/PACKET/config.boot.default build/config/includes.chroot/opt/vyatta/etc/
-	cd $(build_dir)
-	lb build 2>&1 | tee build.log
-	cd ..
-	@scripts/copy-image
-
-.PHONY: PACKET-debug
-.ONESHELL:
-PACKET-debug: clean prepare
-	@set -e
-	@echo "It's not like I'm building this specially for you or anything!"
-	mkdir -p build/config/includes.chroot/etc/cloud/cloud.cfg.d
-	cp tools/cloud-init/99-debug-user.chroot build/config/hooks/live/
-	cp tools/cloud-init/99-disable-networking.chroot build/config/hooks/live/
-	cp tools/cloud-init/PACKET/90_dpkg.cfg build/config/includes.chroot/etc/cloud/cloud.cfg.d/
-	cp tools/cloud-init/cloud-init.list.chroot build/config/package-lists/
-	cp -f tools/cloud-init/PACKET/config.boot.default-debug build/config/includes.chroot/opt/vyatta/etc/config.boot.default
-	cd $(build_dir)
-	lb build 2>&1 | tee build.log
-	cd ..
-	@scripts/copy-image
-
-.PHONY: vep4600
-.ONESHELL:
-vep4600: check_build_config clean prepare
-	@set -e
-	@echo "It's not like I'm building this specially for you or anything!"
-	mkdir -p build/config/includes.chroot/etc/systemd/network
-	mkdir -p build/config/includes.chroot/usr/share/initramfs-tools/hooks
-	cp tools/dell/90-vep.chroot build/config/hooks/live/
-	cp tools/dell/vep4600/*.link build/config/includes.chroot/etc/systemd/network/
-	cp tools/dell/vep-hook build/config/includes.chroot/usr/share/initramfs-tools/hooks/
-	cd $(build_dir)
-	lb build 2>&1 | tee build.log
-	cd ..
-	@scripts/copy-image
-
-.PHONY: vep1400
-.ONESHELL:
-vep1400: check_build_config clean prepare
-	@set -e
-	@echo "It's not like I'm building this specially for you or anything!"
-	mkdir -p build/config/includes.chroot/etc/systemd/network
-	mkdir -p build/config/includes.chroot/usr/share/initramfs-tools/hooks
-	cp tools/dell/90-vep.chroot build/config/hooks/live/
-	cp tools/dell/vep1400/*.link build/config/includes.chroot/etc/systemd/network/
-	cp tools/dell/vep-hook build/config/includes.chroot/usr/share/initramfs-tools/hooks/
-	cd $(build_dir)
-	lb build 2>&1 | tee build.log
-	cd ..
-	@scripts/copy-image
+checkiso:
+	if [ ! -f build/live-image-amd64.hybrid.iso ]; then
+		echo "Could not find build/live-image-amd64.hybrid.iso"
+		exit 1
+	fi
 
 .PHONY: test
 .ONESHELL:
-test:
-	if [ ! -f build/live-image-amd64.hybrid.iso ]; then
-		echo "Could not find build/live-image-amd64.hybrid.iso"
-		exit 1
-	fi
-	scripts/check-qemu-install --debug build/live-image-amd64.hybrid.iso
+test: checkiso
+	scripts/check-qemu-install --debug --configd --match="$(MATCH)" --smoketest --uefi --cpu 4 --memory 8 build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
 
-.PHONY: testd
+.PHONY: test-no-interfaces
 .ONESHELL:
-testd:
-	if [ ! -f build/live-image-amd64.hybrid.iso ]; then
-		echo "Could not find build/live-image-amd64.hybrid.iso"
-		exit 1
-	fi
-	scripts/check-qemu-install --debug --configd build/live-image-amd64.hybrid.iso
+test-no-interfaces: checkiso
+	scripts/check-qemu-install --debug --configd --smoketest --uefi --no-interfaces --cpu 4 --memory 8 --huge-page-size 2M --huge-page-count 1800 build/live-image-amd64.hybrid.iso
+
+.PHONY: test-no-interfaces-no-vpp
+.ONESHELL:
+test-no-interfaces-no-vpp: checkiso
+	scripts/check-qemu-install --debug --configd --smoketest --uefi --no-interfaces --no-vpp build/live-image-amd64.hybrid.iso
+
+.PHONY: test-interfaces
+.ONESHELL:
+test-interfaces: checkiso
+	scripts/check-qemu-install --debug --configd --match="interfaces_" --smoketest --uefi build/live-image-amd64.hybrid.iso
+
+.PHONY: test-vpp
+.ONESHELL:
+test-vpp: checkiso
+	scripts/check-qemu-install --debug --configd --match="vpp" --smoketest --uefi --cpu 4 --memory 8 --huge-page-size 2M --huge-page-count 1800 build/live-image-amd64.hybrid.iso
 
 .PHONY: testc
 .ONESHELL:
-testc:
-	if [ ! -f build/live-image-amd64.hybrid.iso ]; then
-		echo "Could not find build/live-image-amd64.hybrid.iso"
-		exit 1
-	fi
-	scripts/check-qemu-install --debug --configd --configtest build/live-image-amd64.hybrid.iso
+testc: checkiso
+	scripts/check-qemu-install --debug --configd --match="!vpp" --cpu 2 --memory 7 --configtest build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
+
+.PHONY: testcvpp
+.ONESHELL:
+testcvpp: checkiso
+	scripts/check-qemu-install --debug --configd --match="vpp" --cpu 4 --memory 8 --huge-page-size 2M --huge-page-count 1800 --configtest build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
+
+.PHONY: testraid
+.ONESHELL:
+testraid: checkiso
+	scripts/check-qemu-install --debug --configd --raid build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
+
+.PHONY: testsb
+.ONESHELL:
+testsb: checkiso
+	scripts/check-qemu-install --debug --uefi --sbtest build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
+
+.PHONY: testtpm
+.ONESHELL:
+testtpm: checkiso
+	scripts/check-qemu-install --debug --tpmtest build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
+
+.PHONY: qemu-live
+.ONESHELL:
+qemu-live: checkiso
+	scripts/check-qemu-install --qemu-cmd --uefi build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
+
+.PHONY: oci
+.ONESHELL:
+oci: checkiso
+	scripts/iso-to-oci build/live-image-amd64.hybrid.iso
 
 .PHONY: clean
 .ONESHELL:
 clean:
 	@set -e
+	mkdir -p $(build_dir)
 	cd $(build_dir)
 	lb clean
 
 	rm -f config/binary config/bootstrap config/chroot config/common config/source
 	rm -f build.log
 	rm -f vyos-*.iso
-	rm -f *.img
+	rm -f *.img *.efivars
 	rm -f *.xz
 	rm -f *.vhd
 	rm -f *.raw
@@ -267,7 +98,6 @@ clean:
 	rm -f *.mf
 	rm -f *.ovf
 	rm -f *.ova
-	rm -f *.vmdk
 
 .PHONY: purge
 purge:

README.md

@@ -8,14 +8,10 @@ For the most up-to-date documentation, please read the online build guide at
 
 VyOS is an open source operating system for network devices (routers, firewalls
 and so on). If you want to use it in your network, check out download and
-installation instructions at https://vyos.io
+installation instructions at https://docs.vyos.io/en/latest/installation/index.html
 
 If you want to modify VyOS and/or join its development, read on.
 
-VyOS is not new. It is a fork of Vyatta Core that was created when the open
-source version of it was discontinued. If you are a Vyatta Core user, you can
-upgrade your installation to VyOS.
-
 # About this repository
 
 VyOS is a GNU/Linux distribution based on Debian. Just like any other
@@ -37,15 +33,13 @@ There are several directories with their own purpose:
 
  * `build/`    Used for temporary files used for the build and for build artifacts
  * `data/`     Data required for building the ISO (e.g. boot splash/configs)
- * `packages/` This directory has two meanings. First it can hold arbitrary *.deb
-               packages which will be embeded into the resulting ISO, but it also
-                holds Jenkins Pipeline definitions for required VyOS packages.
+ * `packages/` This directory can hold arbitrary *.deb
+               packages which will be embeded into the resulting ISO.
                Among other things those packages will be: Linux Kernel, FRR,
                Netfiler...
  * `scripts/`  Scripts that are used for the build process
  * `tools/`    Scripts that are used for maintainer's tasks automation and other
                purposes, but not during ISO build process
- * `vars/`     Jenkins Pipeline library for reusable functions
 
 # Building VyOS
 
@@ -55,27 +49,21 @@ be found in our [Documentation - Build VyOS](https://docs.vyos.io/en/latest/cont
 
 # Development Branches
 
-The default branch that contains the most recent VyOS code is called `current`
-rather than `master`. We know it's confusing, but it's not easy to fix. In a
-nutshell, the code we inherited from Vyatta Core had its `master` branch so out
-of sync with everything it was beyond any repair. Vyatta developers used to create
-a new branch not when a release is ready for code freeze, but rather before
-starting to work on a new release. This is hard to change in existing code, so
-this is just the way it is, for now.
+The default branch that contains the most recent VyOS code is called `current`.
+We may or may not eventually switch to `main`.
 
-All new code goes to the `current` branch. When it's time for a code freeze, a
+All new code goes to the `current` branch. When a new LTS release is ready for feature freeze, a
 new branch is created for the release, and new code from `current` is backported
 to the release branch as needed.
 
-In packages that originate from VyOS the master branch is kept in sync with
-`current`, but we still use `current` as default branch for uniformity. When the
-last legacy package is gone, we will switch to using the `master` branch and
-retire `current`.
+Post-1.2.0 branches are named after constellations sorted by area from smallest
+to largest. There are 88 of them, here's the
+[complete list](https://en.wikipedia.org/wiki/IAU_designated_constellations_by_area).
 
-Post-1.2.0 branches are named after constellations sorted by from smallest to largest.
-There are 88 of them, here's the [complete list](https://en.wikipedia.org/wiki/IAU_designated_constellations_by_area).
+Existing branches:
 
-* 1.2.x: `crux` (Southern Cross)
-* 1.3.x: `equuleus` (Little Horse)
-* 1.4.x: `sagitta` (Arrow)
-* ...
+* VyOS 1.4: `sagitta` (Arrow) [LTS]
+* VyOS 1.3: `equuleus` (Little Horse) [LTS]
+* VyOS 1.2: `crux` (Southern Cross) [Unsupported]
+
+The next LTS release will be VyOS 1.5 `circinus` (Compasses).

build-vyos-image

@@ -0,0 +1 @@
+scripts/image-build/build-vyos-image

configure

@@ -1 +0,0 @@
-scripts/build-config

data/architectures/amd64.toml

@@ -0,0 +1,26 @@
+# Packages added to images for x86 by default
+packages = [
+  "grub2",
+  "grub-pc",
+  "vyos-drivers-realtek-r8152",
+  "vyos-linux-firmware",
+  "vyos-intel-qat",
+  "vyos-intel-ixgbe",
+  "vyos-intel-ixgbevf",
+  "vyos-ipt-netflow",
+  "intel-microcode",
+  "amd64-microcode"
+]
+
+[additional_repositories.salt]
+  architecture = "amd64"
+  url = "https://packages.vyos.net/saltproject/debian/11/amd64/3005"
+  distribution = "bullseye"
+
+[additional_repositories.zabbix]
+  url = "https://repo.zabbix.com/zabbix/6.0/debian"
+
+[additional_repositories.kea]
+  architecture = "amd64"
+  url = "https://dl.cloudsmith.io/public/isc/kea-3-0/deb/debian"
+  distribution = "bookworm"

data/architectures/arm64.toml

@@ -0,0 +1,19 @@
+# Packages included in ARM64 images by default
+packages = [
+  "grub-efi-arm64",
+]
+bootloaders = "grub-efi"
+squashfs_compression_type = "xz -b 256k -always-use-fragments -no-recovery"
+
+[additional_repositories.salt]
+  architecture = "arm64"
+  url =	"https://packages.vyos.net/saltproject/debian/11/arm64/3005"
+  distribution = "bullseye"
+
+[additional_repositories.zabbix]
+  url = "https://repo.zabbix.com/zabbix/6.0/debian-arm64"
+
+[additional_repositories.kea]
+  architecture = "arm64"
+  url = "https://dl.cloudsmith.io/public/isc/kea-3-0/deb/debian"
+  distribution = "bookworm"

data/architectures/armhf.toml

@@ -0,0 +1,6 @@
+additional_repositories = [
+  "deb [arch=armhf] https://packages.vyos.net/saltproject/debian/11/arm64/3005 bullseye main"
+]
+
+# Packages included in armhf images by default
+packages = ["grub-efi-arm"]

data/build-flavors/generic.toml

@@ -0,0 +1,3 @@
+# Generic (aka "universal") ISO image
+
+image_format = "iso"

data/build-types/development.toml

@@ -0,0 +1,78 @@
+packages = [
+  "gdb",
+  "strace",
+  "apt-rdepends",
+  "tshark",
+  "vim",
+  "vyos-1x-smoketest"
+]
+
+[[includes_chroot]]
+  path = 'usr/share/vyos/EULA'
+  data = '''
+VyOS ROLLING RELEASE END USER LICENSE AGREEMENT
+
+PLEASE READ THIS AGREEMENT CAREFULLY BEFORE INSTALLING AND/OR USING VyOS ROLLING RELEASE.
+IF YOU DO NOT ACCEPT THE TERMS OF THIS AGREEMENT, THEN YOU MUST NOT USE VyOS ROLLING RELEASE.
+
+I. This End-User License Agreement (“Agreement”) is a legal document between you and VyOS Inc.
+(a company organized and existing under the laws of California,
+having its registered office at 12585 Kirkham Ct, Suite 1, Poway, California 92604)
+that governs your use of VyOS Rolling Release, available at vyos.io website.
+
+II. By downloading, installing and using VyOS Rolling Release you:
+- irrevocably agree to comply with all applicable laws, restrictions,
+  regulations, rules, the GNU GPL and other applicable licenses, and with this Agreement;
+- confirm you have all legal rights to enter into this Agreement
+  and your authority is not limited by any legal means;
+- obligate to certainly, indisputably and immediately
+  (but in any case at the first request of the VyOS Inc.)
+  compensate for any damage, if such is caused to the VyOS Inc. by your actions;
+- assure and enforce any third party you grant access to Rolling Release
+  will bear the same amount of obligations.
+  For the purpose of this Agreement such third party will be referred to also as “you”.
+
+III. VyOS Rolling Release (“Rolling Release”) are copyrighted works
+released under the terms of the GNU General Public License (GPL)
+and other licenses  approved by the Open Source Initiative (www.opensource.org),
+(hereinafter, the “Public Licenses”).
+Verbatim copies of such works may be made and distributed, by anyone,
+in accordance with the terms of the GPL and the Public Licenses.
+The GPL and the Public Licenses also grant you certain rights
+to make and distribute derivative works based on the source code to Rolling Release.
+
+You can redistribute and/or modify the Rolling Release under the terms of the GPL and the Public Licenses.
+You may obtain a copy of the source code corresponding to the binaries for the Rolling Release
+from public Git repositories as https://github.com/vyos
+
+The GPL and the Public Licenses do not grant you any right, license or interest to use “VyOS” trademarks and logos,
+that are trademarks or registered trademarks in the US, EU and other countries,
+in connection with these derivative works.
+VyOS trademarks may not be used in connection with any such derivative works
+unless that usage is explicitly and specifically permitted, in writing.
+Otherwise, You must modify the files identifiable as VyOS logos and VyOS trademarks
+so as to remove all use of images containing them.
+Note that mere deletion of these files may corrupt the Rolling Release.
+
+IV. Under no circumstances VyOS Inc. will be liable to you for any damages,
+however caused or arising in any way out of the use of
+or of inability to use the Rolling Release.
+VyOS Inc. provides no warranty for Rolling Release.
+
+V. This Agreement comes into force upon your acceptance in the form of downloading,
+installing or using Rolling Release (whatever happens first) and remains valid until termination.
+This Agreement shall terminate immediately if you violate any applicable law,
+restriction, regulation, rule, GPL or other applicable license, or any provision of this Agreement.
+Upon termination of this Agreement you shall discontinue to use Rolling Release
+and delete it as well as all copies you made from all storage devices.
+
+VI. This Agreement may be amended by VyOS Inc. at any time and brought to your attention
+by publication on vyos.io website with enter into force immediately after such publication.
+
+VII. This Agreement, and any dispute or claim arising out of or in connection with it,
+shall be governed by, and construed in accordance with the laws of California.
+The courts of California shall have exclusive jurisdiction to settle any dispute or claim.
+
+For more information or any other query please contact VyOS Inc. at: legal@vyos.io
+
+'''

data/build-types/release.toml

@@ -0,0 +1,441 @@
+[[includes_chroot]]
+  path = 'usr/share/vyos/EULA'
+  data = '''
+VyOS END USER LICENSE AGREEMENT
+
+PLEASE READ THIS END USER LICENSE AGREEMENT (EULA, THIS ‘AGREEMENT') CAREFULLY
+BEFORE USING VYOS FROM US. BY USING VYOS, YOU ("YOU", "LICENSEE", "CUSTOMER")
+SIGNIFY YOUR ASSENT TO AND ACCEPTANCE OF THIS END USER LICENSE AGREEMENT AND
+ACKNOWLEDGE YOU HAVE READ AND UNDERSTAND THE TERMS. THIS AGREEMENT IS
+ENFORCEABLE AGAINST ANY PERSON OR ENTITY THAT USES THE SOFTWARE AND ANY PERSON
+OR ENTITY (E.G., SYSTEMS INTEGRATOR, CONSULTANT OR CONTRACTOR) THAT USES THE
+SOFTWARE ON ANOTHER PERSON'S OR ENTITY'S BEHALF. IF YOU DO NOT ACCEPT THE TERMS
+OF THIS AGREEMENT, THEN YOU MUST NOT USE THE SOFTWARE. THE EFFECTIVE DATE OF
+THIS AGREEMENT IS THE EARLIEST OF THE START DATE OF SERVICES STATED IN OUR
+INVOICE, PREVIOUS ACCEPTANCE OF THIS AGREEMENT (OR OUR BUSINESS PARTNER'S ORDER
+OR/AND INVOICE, PREVIOUS ACCEPTANCE OF THIS AGREEMENT) OR THE DATE THAT
+CUSTOMER HAS ACCESS AND IS ABLE TO USE OUR PRODUCTS OR SERVICES. THIS END USER
+LICENSE AGREEMENT DOES NOT COVER ANY SERVICES FROM US, OR THROUGH OUR BUSINESS
+PARTNER, OTHER THAN ACCESS TO THE SOFTWARE, SUCH AS TECHNICAL SUPPORT, UPGRADES
+OR SUPPORT SERVICES. PLEASE REVIEW YOUR SERVICES OR SUBSCRIPTION AGREEMENT(S)
+THAT YOU MAY HAVE WITH US OR OTHER AUTHORIZED VYOS SERVICES PROVIDER OR
+BUSINESS PARTNER REGARDING THE SOFTWARE AND SERVICES AND ASSOCIATED PAYMENTS.
+
+1. Definitions
+
+1.1 "We, Our, Us" means VyOS Contracting Entity  defined in Section 13.
+
+1.2 "VyOS" or "Software" means VyOS software provided by Us (or authorized
+services provider or  business partner) and consisting of VyOS software
+application (exclusively or along with any third-party software included
+therein or therewith) that includes or refers to this Agreement and any related
+documentation (including, without limitation, user and technical documentation,
+further explanatory written materials related to the Software, etc.), services
+(including, without limitation, SaaS, internet-based service, etc.), tool,
+application, component, object code, source code, appearance (including,
+without limitation, images, designs, fonts, etc.), structure as well as any
+modification
+and update thereof, regardless of the delivery mechanism.
+
+"Services" means software support services and any other services provided by
+Us, or through Our Business Partner, on a subscription basis.
+
+1.3 "Authorized Users" means employees or individual contractors to whom,
+pursuant to this Agreement, the Licensee has granted a right to access and use
+the Software with your credentials, provided that such access shall be for your
+sole benefit and in full compliance with this EULA.
+
+All Authorized Users are bound by the terms of this Agreement.
+
+1.4 "Cloud Provider" means authorized hosting partner's cloud marketplace
+platform, a company that delivers cloud computing based services, resources and
+solutions to businesses and/or offers solutions via the cloud marketplace.
+
+1.5 "Business Partner" shall mean Our authorized sales agent, partner, Cloud
+Provider reseller or distributor of the Software and Our Services authorized to
+sell Software and Services via our subscriptions. Purchases through or by a
+Business Partner. In instances where Customer purchases through a Business
+Partner, final prices and terms and conditions of sale will be as agreed
+between Customer and the Business Partner from which Customer makes such
+purchases; however, the terms set forth in this EULA are applicable to
+Customer's use and the performance of VyOS. Customer acknowledges that:
+(a) We may share information with the Business Partner related to Customer's
+    use and consumption of VyOS, and vice versa, for account management and
+    billing purposes;
+(b) the termination provisions below will also apply if Customer's Business
+    Partner fails to pay Us applicable fees; and
+(c) Business Partner is not authorized to make any changes to this EULA or
+    otherwise authorized to make any warranties, representations, promises or
+    commitments on Our behalf or in any way concerning the VyOS.
+
+"Business Partner's order" means the ordering document(s), issued during Your
+purchasing process by Our Business Partner in a way and manner as defined by
+Our Business Partner. Business Partner's order may describe specific Software
+and Services, Subscription(s), associated fees, payment terms, and shall be
+subject to the terms of this Agreement  and EULA.
+
+1.6 "Customer", "You", "Licensee", "Your" - user of VyOS and its heirs, agents,
+successors, assigns and - for the purpose of Global subscription - its
+Affiliates.
+
+2. License Grant
+
+Subject to the following terms, We grant to You a perpetual, worldwide license
+to the Software (most of which includes multiple software components) pursuant
+to different open sourced and public licenses. The license agreement for each
+software component is located in the software component's source code and
+permits you to run, copy, modify, and redistribute the software component
+(subject to certain obligations in some cases), both in source code and binary
+code forms, with the exception of the images identified in Section 4 below. You
+shall either agree to the terms of each applicable public license or You must
+not install/use those components or exercise such licensed rights.
+
+This EULA pertains solely to the Software and does not limit your rights under,
+or grant you rights that supersede, the license terms of any particular
+component.
+
+2.1 Limited Modifications. For the avoidance of doubt, Licensee is permitted to
+use VyOS from Us in accordance with VyOS terms and conditions and on the
+specific quotation, purchase order and/or the subscription or customized
+agreements, if any. Any other modifications of VyOS terms and conditions won't
+be allowed, except as expressly authorized through a separate custom agreement,
+unless otherwise defined by this Agreement, specific quotation, purchase order
+and/or the subscription or customized agreements.
+
+2.2 No Unbundling. Nonetheless, the Software is designed and provided to
+Licensee solely as permitted herein. Licensee shall not unbundle or repackage
+the Software for distribution, transfer or other disposition, unless otherwise
+specified by this Agreement.
+
+3. Prohibited Use and Allowed Use
+
+3.1 Except as expressly authorized through a separate custom agreement,
+Licensee and the Authorized Users are prohibited from:
+(a) using the Software on behalf of third parties;
+(b) sublicensing, licensing, renting, leasing, lending or granting other rights
+    in the Software including rights on a membership or subscription basis;
+(c) providing use of the Software in a service bureau arrangement, outsourcing
+    or on a time sharing basis;
+(d) interfere with or disrupt the Software or systems used to provide the VyOS
+    or other equipment or networks connected;
+(e) circumvent or disclose the user authentication or security of the Software
+    or any host, network, or account related thereto or attempt to gain
+    unauthorized access;
+(f) store or transmit SPAM or malicious code;
+(g) duplicate the Software or publish the Software for others to copy;
+(h) infringe the intellectual property rights of any entity or person; or
+(i) make any use of the Software that violates any applicable local, state,
+    national, international or foreign law or regulation.
+
+For more information about how to obtain a custom agreement, please contact us
+at: sales@vyos.io.
+
+3.2 The following uses of the Software shall be allowed:
+(a) any lab setup within the Licensee or on an Authorized User's personal
+    device, for the purpose of learning, testing, or debugging company network
+    configs, and
+(b) any use in Authorized User's personal home networks, including but not
+    limited to Internet access, corporate VPN access, learning and
+    experimentation.
+
+4. Intellectual Property Rights
+
+The Software and each of their components are owned by Us and other licensors
+and are protected under copyright law and other laws as applicable. Title to
+the Software and any component and systems, or to any copy or modification
+shall remain with Us and other licensors, subject to the applicable license.
+The "VyOS" mark, the individual Software marks, and the "VyOS" logo are
+trademarks or registered trademarks in the EU, US and other countries. Artwork
+files that feature the VyOS logo, including but not limited to boot splash
+images and user interface elements, are Our property, distributed on the "all
+rights reserved" basis. You cannot redistribute those files separately or as
+part of Software without an express permission from the copyright holder. By
+accepting this Agreement You commit not to register or request registration of
+any commercial name, domain name, email, trademark, symbol or distinctive;
+sign, with similar characteristics, color, typography, style or appearance or
+that includes the word "VyOS" or/and VyOS logo.
+
+This EULA does not permit you to distribute the Software using VyOS trademarks,
+regardless of whether the Software has been modified. You may make a commercial
+redistribution of the Software only if
+(a) permitted under a separate written agreement with Us authorizing such
+    commercial redistribution or
+(b) you remove and replace all Our occurrences and VyOS trademarks and logos.
+
+Modifications to the software may corrupt the Software.
+
+4.1 The Licensee grants Us a right to use its logos and trademarks for the
+purpose of displaying their Licensee status on the VyOS website, and for the
+purposes specified in VyOS Subscription Agreement. We will not claim that the
+Licensee endorses VyOS and will not publicize any details of Licensee's VyOS
+usage, network setup, or any other information not explicitly provided by the
+Licensee for public release.
+
+4.1.1 The Licensee can revoke Our right to use Licensee's trademarks and logos
+at any time, unless otherwise agreed in VyOS Subscription Agreement, or Our
+Quotation.
+
+5. Updates
+
+Along with all software update subscriptions, We provide security updates,
+hot-fixes and security advisory notifications before public disclosure
+(herein after collectively referred to as the "Updates"). You expressly
+acknowledge and agree that We have no obligation to make available and/or
+provide any Updates. All upgrades and Updates are provided by Us or through
+Our Business Partners to Licensee at Our sole discretion and are subject to
+the terms of this Agreement on a license exchange basis. Any obligations that
+We may have to support previous versions during the license term may end upon
+the availability of this update. Upgrades and Updates may be licensed to
+Licensee by Us with additional or different terms.
+
+6. Support
+
+This agreement does not automatically entitle the Licensee to any support for
+the Software provided by Us or through Our Business Partners unless otherwise
+specified in the subscription terms. For the avoidance of doubt, We have no
+liability and provide no support for any hardware or any cloud marketplace
+services provided by any Business Partner or Cloud Provider. Where available,
+maintenance and support may be purchased separately subject to a separate
+VyOS's support services included subscriptions.
+
+Support for software built from source code by a party other than Us, with or
+without modifications made by the Licensee or a third party, is provided only
+through separate agreements.
+
+For more information about how to obtain a VyOS's software and support services
+included subscriptions, please contact us at: sales@vyos.io.
+
+7. Term and Termination.
+
+This Agreement begins on the Effective Date and shall remain in effect until
+terminated due to
+(a) Licensee fails to pay the fees amounts associated to Our subscriptions
+    when due or otherwise materially breaches this Agreement, specific
+    quotation, purchase order and/or the subscription or customized agreements
+    and fails to remedy the breach within ten (10) days from the receipt of a
+    notification sent in writing or electronically,
+(b) Licensee's deactivation or subscription cancellation of the Software,
+(c) Licensee fails to pay the Business Partner, or terminate the agreement with
+    a Business Partner, or Business Partner fails to pay Us the applicable fees
+    of your Software and/or Services, or
+(d) We change, cease to provide or discontinue the Software at any time.
+
+Upon the occurrence of (a), (b), (c) or (d), above, We are entitled to
+terminate this Agreement. Upon termination of this Agreement for any reason,
+Licensee shall discontinue use of the Software. If you have copies of the
+Software obtained when You still had an active subscription, you can keep using
+them indefinitely as long as you comply with this Agreement and VyOS
+Subscription Agreement, in particular - with Section 4 above and provided this
+is not intended to interfere with any rights you may have from other public
+and open source licenses.Termination shall not, however, relieve either party
+of obligations incurred prior to the termination. The following Sections shall
+survive termination of this Agreement: Definitions, Intellectual Property
+Rights, Limited Warranty, Limitation of Remedies and Liability, General, Term
+and Termination, and others which by their nature are intended to survive.
+
+8. Limited Warranty
+
+Except as specifically stated in this Section 8, a separate agreement with Us,
+or a license for a particular component, to the maximum extent permitted under
+applicable law, the Software and the components are provided and licensed
+"as is" without warranty of any kind, express or implied, including the
+implied warranties of merchantability, non-infringement, integration, quiet
+enjoyment, satisfactory quality or fitness for a particular purpose. Neither
+Us nor Our affiliates and Business Partners warrant that the Software will
+meet your requirements, will be uninterrupted, timely, secure; that the
+operation of the Software will be entirely error-free, appear or perform
+precisely as described in the accompanying documentation, or comply with
+regulatory requirements; that the results that may be obtained from the use of
+the Software will be effective, accurate or reliable; the quality of the
+Software will meet your expectations; or that any errors or defects in the
+Software will be corrected. This warranty extends only to the party that
+purchases subscription services for the Software from Us and/or Our affiliates
+or a Our authorized Business Partner.
+
+We and Our affiliates specifically disclaim any liability with regard to any
+actions resulting from your use of the Software. Any material downloaded or
+otherwise obtained through use of the Software is accessed at your own
+discretion and risk, and you will be solely responsible for any damage to your
+computer system or loss of data that results from use of the Software. We and
+Our affiliates assume no liability for any malicious software that may be
+downloaded to your computer as a result of your use of the Software.
+
+We will not be liable for any loss that you may incur as a result of a third
+party using your password or account or account information in connection with
+the Software, either with or without your knowledge.
+
+Licensee assumes the entire cost of all necessary servicing, repair, or
+correction of problems caused by viruses or other harmful components; We
+disclaim and makes no warranties or representations as to the accuracy,
+quality, reliability, suitability, completeness, truthfulness, usefulness, or
+effectiveness of the outputs, logs, reports, data, results or other information
+obtained, generated or otherwise received by Licensee from accessing and/or
+using the Software or otherwise resulting from this Agreement; and Licensee
+shall use the Software at its own risk and in no event shall We be liable to
+Licensee for any loss or damage of any kind (except personal injury or death
+resulting from Our negligence, fraud or fraudulent misrepresentation and any
+other liability that cannot be excluded by law) arising from Licensee's use of
+or inability to use the Software or from faults or defects in the Software
+whether caused by negligence or otherwise.
+
+Licensee agrees to defend, indemnify and hold Us harmless from any losses,
+liabilities, damages, actions, claims or expenses (including legal fees and
+court costs) arising or resulting from Licensee's breach of any term of this
+agreement or caused by acts or omissions performed by licensee.
+
+Some jurisdictions do not allow the exclusion of certain warranties, the
+limitation or exclusion of implied warranties, or limitations on how long an
+implied warranty may last, so the above limitations may not apply to you.
+
+9. Limitation of Remedies and Liability
+
+To the maximum extent permitted under applicable law, under no circumstances
+will We, Our affiliates, any of Our authorized Business Partner, or the
+licensor of any component provided to you under this EULA be liable to you for
+any direct, indirect, incidental, special, exemplary, punitive, or
+consequential damages (including, but not limited to, procurement of substitute
+goods or services, computer failure or malfunction, loss of data or profits,
+business interruption, etc.) however caused and on any theory of liability,
+whether in contract, strict liability, or tort (including negligence or
+otherwise) arising in any way out of the use of the software or inability to
+use the software, even if We, Our affiliates, an authorized Business Partner,
+and/or licensor are aware of or have been advised of the possibility of such
+damage. To the extent permitted by law and as the maximum aggregate liability,
+Our or Our affiliates' liability, an authorized Business Partner's liability
+or the liability of the licensor of a component provided to you under or in
+connection with this EULA will be limited to the lesser of either five hundred
+United States dollars ($500) or the fees paid by the Licensee or by Business
+Partner and received by Us for the Software and attributable to the 6 month
+period immediately preceding the first event giving rise to such liability. The
+limitations and exclusions in this section  apply to the maximum extent
+permitted by applicable law in your jurisdiction. Some jurisdictions prohibit
+the exclusion or limitation of liability for incidental, consequential or
+punitive damages. Accordingly, the limitations and exclusions set forth above
+may not apply to you.
+
+10. Compliance and Export Control
+
+You understand that countries may restrict the import, use, export, re-export
+or transfer of encryption products and other controlled materials (which may
+include the Software or related technical information licensed hereunder). You
+agree to comply with export regulations by the Bureau of Industry and Security
+of the U.S. Department of Commerce and all applicable laws, restrictions and
+regulations in Your use of the Software, including but not limited to export
+restrictions of various countries that the Software may be subject to, and
+personal data protection regulations. You should comply with and oblige to
+secure Us from any breach of any law and regulation, from any claim or
+litigation arising as a result of such breach and to reimburse Us any loss,
+resulting from such breach. You will not use the Software for a prohibited use.
+10.1 Sanctions compliance. You undertake to follow that You and any person,
+allowed to use the Software and the Services by You, is not a subject or the
+target of sanctions, embargoes and restrictive measures ("Sanctions"),
+administered by the Office of Foreign Assets Control of the U.S. Department of
+the Treasury or the U.S. Department of State, the United Nations Security
+Council, the European Union, Her Majesty's Treasury of the United Kingdom,
+Department of Foreign Affairs and Trade of the Australian Federal Government,
+or other relevant sanctions authority ("Sanctioning Authorities").
+
+You undertake to comply with all the abovementioned Sanctions in all possible
+ways to keep Us harmless and oblige to immediately terminate  relations with
+any person that becomes (or is) subject or target of any of the abovementioned
+Sanctions, or assists anybody to evade or violate the above mentioned Sanctions.
+
+11. Third-Party Beneficiary
+
+Licensee acknowledges and agrees that Our licensors (and/or Us if Licensee
+obtained the Software from any party other than Us) are third party
+beneficiaries of this Agreement, with the right to enforce the obligations set
+forth herein with respect to the respective technology of such licensors and/or
+Ours.
+
+12. Third-party components, contributions and software programs
+
+We do not assert any Intellectual Property Rights over:
+(a) components created by third parties that may be taken from upstream
+    sources in binary form compiled by Us from the source code;
+(b) source code and documentation of the Software, which is develope
+    ollaboratively and is open to contributions by parties not affiliated with
+    Us (to such purpose, contributors give Us non-exclusive rights according
+    to the licenses of the Software and documentation);
+(c) third parties software or programs included therein or therewith the
+    Software.
+
+13. General
+
+If any provision of this EULA is held to be unenforceable, the enforceability
+of the remaining provisions shall not be affected.
+
+Updates and upgrades may be licensed to Licensee by Us with additional or
+different terms.
+
+You are not allowed to transfer or assign this EULA or any rights hereunder,
+unless with Our previous written consent. Please inform Us of Your intention
+to transfer or assign in advance so We can respond accordingly. Conversely, We
+may transfer, assign, sublicense or delegate the EULA or any portions thereof,
+without restriction. We also may subcontract any performance associated with
+the Software to third parties, provided that such subcontract does not relieve
+Us of any of Our obligations under this EULA.
+
+Licensee may not sublicense, transfer or assign, whether voluntarily or by
+operation of law, any right or license in or to the Software. Any attempted
+sublicense, transfer or assignment shall be void.
+
+We may, from time-to-time modify this agreement.
+
+Licensee shall comply with all applicable laws and regulations pertaining to
+this Agreement
+
+This Agreement, along with a VyOS Subscription Agreement, Privacy Policy and
+Terms and Conditions, any quotation, purchase order and services level
+agreement, if applicable, and any other documents deemed to be incorporated by
+reference in it, constitutes the entire agreement between the parties with
+respect to its subject matter and it supersedes all prior or contemporaneous
+agreements concerning such matter. If you order VyOS from a Business Partner,
+then any agreement that you enter into with a Business Partner is solely
+between you and a Business Partner and will not be binding on Us.
+
+In the table below, "Customer Location" refers to where Customer is located
+(as determined by Customer's business address on the invoice) and determines
+which table row applies to Customer:
+
+Customer Location*         VyOS Contracting Entity  Governing Law  Venue/Courts
+==================         =======================  =============  ============
+North & South America      VyOS Inc                  California    Poway
+
+EEA & UK                   VyOS EMEA Operations      Ireland       Cork
+(except Spain & Portugal)  Limited
+
+Spain, Andorra & Portugal  VyOS Networks Iberia SLU  Spain         Madrid
+
+Asia & Oceania             VyOS APAC Pty Ltd         Australia     Sydney
+
+Non-EEA parts of Europe,   VyOS Networks Cyprus      Cyprus        Limassol
+Middle East, & Africa      Limited
+(except Andorra)
+
+*all sales via Cloud Providers are generally done by VyOS Inc., unless
+otherwise decided by Us regardless of Customer location.
+
+References to "We", "Our", "Us" are references to the applicable VyOS
+Contracting Entity specified in the Contracting Entity Table, unless otherwise
+has been decided for operational purposes, in the Quotation and in the invoice.
+The Services are provided by that VyOS Contracting Entity.
+
+This Agreement, and any disputes arising out of or related hereto, will be
+governed exclusively by the applicable governing law above, without giving
+effect to any of its conflicts of laws, rules or principles. The courts located
+in the applicable venue above will have exclusive jurisdiction to adjudicate
+any dispute arising out of or relating to this Agreement or its formation,
+interpretation, or enforcement. Each party hereby consents and submits to the
+exclusive jurisdiction of such courts. Before resorting to any external dispute
+resolution mechanisms, the parties agree to use their best efforts in good
+faith to settle any dispute in relation to the Agreement.
+
+We may, in our sole discretion, amend this EULA at any time by posting a
+revised version thereof on Our website and, by updating the "last updated"
+date on the applicable page, or by providing reasonable notice. Your continued
+use of the Software following changes to the Agreement after the effective
+date of a revised version thereof constitutes Your expressed acceptance of and
+the agreement to be bound by the Agreement and its future versions or updates.
+
+'''

data/build-types/stream.toml

@@ -0,0 +1,8 @@
+packages = [
+  "gdb",
+  "strace",
+  "apt-rdepends",
+  "tshark",
+  "vim",
+  "vyos-1x-smoketest"
+]

data/certificates/.gitignore

@@ -0,0 +1 @@
+*.key

data/defaults.json

@@ -1,16 +0,0 @@
-{
-  "architecture": "amd64",
-  "debian_mirror": "http://deb.debian.org/debian",
-  "debian_security_mirror": "http://deb.debian.org/debian-security",
-  "debian_distribution": "buster",
-  "vyos_mirror": "http://dev.packages.vyos.net/repositories/current",
-  "vyos_branch": "current",
-  "kernel_version": "5.4.86",
-  "kernel_flavor": "amd64-vyos",
-  "release_train": "equuleus",
-  "additional_repositories": [
-    "deb http://repo.saltstack.com/py3/debian/10/amd64/archive/3002.2 buster main",
-    "deb http://repo.powerdns.com/debian buster-rec-43 main"
-  ],
-  "custom_packages": []
-}

data/defaults.toml

@@ -0,0 +1,27 @@
+build_type = "development"
+
+architecture = "amd64"
+
+debian_distribution = "bookworm"
+
+debian_mirror = "http://deb.debian.org/debian"
+debian_security_mirror = "http://deb.debian.org/debian-security"
+
+debian_archive_areas = "main contrib non-free non-free-firmware"
+
+vyos_mirror = "https://packages.vyos.net/repositories/current"
+
+vyos_branch = "current"
+release_train = "current"
+
+kernel_version = "6.6.108"
+kernel_flavor = "vyos"
+bootloaders = "syslinux,grub-efi"
+
+squashfs_compression_type = "xz -Xbcj x86 -b 256k -always-use-fragments -no-recovery"
+
+website_url = "https://vyos.io"
+support_url = "https://support.vyos.io"
+bugtracker_url = "https://vyos.dev"
+documentation_url = "https://docs.vyos.io/en/latest"
+project_news_url = "https://blog.vyos.io"

data/live-build-config/archives/bookworm-backports.pref.chroot

@@ -0,0 +1,11 @@
+Package: iproute2
+Pin: release n=bookworm-backports
+Pin-Priority: 600
+
+Package: suricata libhtp2
+Pin: release n=bookworm-backports
+Pin-Priority: 600
+
+Package: *
+Pin: release n=bookworm-backports
+Pin-Priority: -100

data/live-build-config/archives/bullseye.list.chroot

@@ -1 +0,0 @@
-deb http://deb.debian.org/debian/ bullseye main

data/live-build-config/archives/bullseye.pref.chroot

@@ -1,11 +0,0 @@
-Package: libyang1
-Pin: release n=bullseye
-Pin-Priority: 600
-
-Package: ddclient
-Pin: release n=bullseye
-Pin-Priority: 600
-
-Package: *
-Pin: release n=bullseye
-Pin-Priority: -10

data/live-build-config/archives/buster-backports.pref.chroot

@@ -1,27 +0,0 @@
-Package: nftables
-Pin: release n=buster-backports
-Pin-Priority: 600
-
-Package: libnftables1
-Pin: release n=buster-backports
-Pin-Priority: 600
-
-Package: libnftnl11
-Pin: release n=buster-backports
-Pin-Priority: 600
-
-Package: conserver-server
-Pin: release n=buster-backports
-Pin-Priority: 600
-
-Package: conserver-client
-Pin: release n=buster-backports
-Pin-Priority: 600
-
-Package: wireguard-tools
-Pin: release n=buster-backports
-Pin-Priority: 600
-
-Package: *
-Pin: release n=buster-backports
-Pin-Priority: -10

data/live-build-config/archives/isc-kea.key.chroot

@@ -0,0 +1,24 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGhVJw8BDACXwlMdVKg40L87xcyG6fuo1KAOdk3cqx0jcojtYXYo16R5A1xD
+ILW/Nw/b9qWkoXAjCOL8xgspSYx8Cqg73o+Jy2tzBNSzXGYmh/8sDicJmTGBt9n7
+AhwlhW7ztzYYNaJeyyGvWR+JMqGtPWuc/LixtCu/SzA6siMKCTZfUp/3nqiWQiYV
+zyYCuUI9MTaS0/LCfEclORE2GU5cED4LJli5iZFcJ8RXXTfaCncIeYFFvJTPf9TP
+mbKS8QGPYMPdtwsvqBEpej3pDXHetWuIIchPokq/rSa3QX7NmBhvh14ptaIu0usn
+i+5XvExH4a5RC0qgHFdLeYskzlRqw3dLwGHYZZ8geLaSrLSdla2rjQFzZhEcIDKI
+FnGaoAj0B3WtpJPvhmWW/1Ecryq0iOgtdNXdYxnun8eCEW6Bo5ebAW7NAI9kmWto
+i+YFsVUYAZF+gP856BSaiDMFi7LV4bOu9p78o0s6DGmBe+yVPW1Lo7Vi0X8dcLnZ
+07Cy0JoN+QRlqgMAEQEAAbQ4Q2xvdWRzbWl0aCBQYWNrYWdlIChpc2Mva2VhLTMt
+MCkgPHN1cHBvcnRAY2xvdWRzbWl0aC5pbz6JAc4EEwEIADgWIQSdpXC7GSIRiF5O
+soCxbETNRVFMPAUCaFUnDwIbLwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRCx
+bETNRVFMPPxAC/0eSSK+2Z4AOsyGun2zBDLPp3qEFrAl5KjAeZCgtYJs3UiQ65DX
+0iuvdq39SRWkSRw5w5og+nZbPdDzhw3KFSVgdCsQBv83DUH0Zlmn5Wf6eTh72T5F
+lmaaE02picOD3/9L0RdxZOEns/19f2OtSzRHxRMKuv7crcAsnJlkWYP2w96AM0ln
+QqmpVDbI8XWtQclJUkPPU+I/m6nG7Z+tc8miJ1uBfA0wP22Zj6HzRTWf9patcfTy
+IDr9rO5KmiAlO+f3YbVsKGNcuxdbMusDwpe13BRfKFDlwLKbdrSeSIw1JQc2uhhX
+/u1QTAXfLSoP4VAYwbfotgG9a/LKRJGG/M9mMtroOQYO15y+Vo2uSN4q5krv589h
+l6MAPFr2sDiedibMl9SGAPtT83afCrSZ6BgobytsdtV3u2WOqxrVUXDpvhZKjxX6
+pXrrSV9tPhZlq5pZvnDCS392FlMfHmjR4BUxzwD4Wnax8G7uQfEUWMkTaqQAZfuN
+EsbY2TeLjn3ZojI=
+=+igW
+-----END PGP PUBLIC KEY BLOCK-----

data/live-build-config/archives/pdns.key.chroot

@@ -1,30 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1
-
-mQINBFV2/GwBEADD4oJuwcLkYZD6R+PM0zKdZ04owicJ9e1nTbBb8OA+92TI0cJY
-8XGpjEJBRECOMJi9Gr6p3QxgZX1IQbiB/RJgRN0BYTZJ6BKobJAlSNsZBVH4wt/F
-Xg8IFXi8O8XNwrhhTHVLyhZxB5WIqd8Xgdb39t7qcKLLuhdzH+hTWtGNaC3UJ1xz
-3KMx79U/U71XRtvloiZF1ef0XUNvDZ/2DdTNWavdJzVeDq+whD0/ThvP0LsJzzCQ
-cgfRUljfxtWHOYVqHspfFg03ofDODodzq+yT5ElIQNWL71fRQ5lX8cPAVrX6v3Rs
-h2tBsWV3xjMscG36E7nKbgSXWxDInr4Xw056Mx/JO6If8vnCOYOhXcv3fdZ5Lqpr
-qr6uniBTcRi1q97JI1+KDoHU6MfJ7I17wU/bTPFgy6Yck4Ropmwd5dvbwRVTdQHx
-n08XYEZyNdq8zskbj8MI83jvDdvdd7b95SiBO6X3qIYKebk8rg1CfYFxBIyRd2ll
-yt1K0ow4M54woB/68cMy0UB6cA8uOHscRObau3T3UB0ohsEPF7KYAqOKfKP0irV+
-Ys6tR0KI/TeHqrqKhCA9PGOpOmqJaibt5GqFTc3Dp4U19njMmh4eboki8EwS6DNy
-4HD76dFz2jkSQ74uB/X+nxuFEVRKS54q4aeg83NL5lnsD8TWdhTui4mURQARAQAB
-tDxQb3dlckROUyBSZWxlYXNlIFNpZ25pbmcgS2V5IDxwb3dlcmRucy5zdXBwb3J0
-QHBvd2VyZG5zLmNvbT6JAj4EEwECACgFAlV2/GwCGwMFCQ8JnAAGCwkIBwMCBhUI
-AgkKCwQWAgMBAh4BAheAAAoJEBsMYgX9OA+75QYQAJ7a3rZiTmBJkYfDYbZGOcJj
-tIgWj5ieyIHjaG1kR3setK1GbYrd7dkeHuWIT8FCO/mQwrKTlxEd+Vj5a79Bpu0D
-de1MRi7jTIb/Qrge532Pnk5T7qFjJWfvTWhpSV9XDwHR216aByuHZ9gAJt92hgo5
-eSXHPpwbi+qAdymndUswFBHY0kLNpIYAa2mZcSNbaI/RFNYPOM/aqDMcpQ2s1Rf1
-c8iTPewf04jlNd75M59AAbnpdoFiCKbV+Q8oeUNxRGhHCQgcTaWhT5vdF2pXP1jb
-rVykPxN7U5zTu03m/qbUCKg9Pqkhr79a2XNIpcGHhsp58B6dJdBPhXT/tFXnVpY0
-wZHGGlBVhZzC1Qdq58ilyQ2qfIci2sjMoS62lAffemb88CyoQ2UadhNKZTn93Ogo
-lmW1txqN7UU7hUBxwdztw+Pgf7V+ADwkPHnSsNLupkZ7QUOl2i1kPwgcnwHLPFoD
-bYDteCtqcVVCY5v3OC95jGJ4bqwgIIeQ5kloKY2pRLeNedbCHbGc6rVjX5X0K2zt
-F7/dWOklI1Ox4Y+Vv0Ln7u3BvSyl5jWXWzH2V6q3ff7NKVro3keZmgTzcBwJEv/z
-p40ds9f2LTKJX4DajyAF2Z+j79obMYwKo0w+Vy36QrO8TlKk+ZU/6vcFfVdEoCtv
-d5a03QgyYgMX0WW8Smam
-=BY4B
------END PGP PUBLIC KEY BLOCK-----

data/live-build-config/archives/vyos-dev.pref.chroot

@@ -0,0 +1,3 @@
+Package: *
+Pin: release n=current
+Pin-Priority: 999

data/live-build-config/bootloaders/grub-pc/grub.cfg

@@ -1,59 +1,37 @@
 set default=0
 set timeout=10
 
-loadfont $prefix/dejavu-bold-16.pf2
-loadfont $prefix/dejavu-bold-14.pf2
-loadfont $prefix/unicode.pf2
-set gfxmode=auto
-insmod all_video
-insmod gfxterm
+insmod serial
+serial --unit=0 --speed=115200
+
+insmod gzio
+insmod part_msdos
+insmod ext2
+insmod efi_gop
+insmod efi_uga
 insmod png
 
+loadfont /boot/grub/dejavu-bold-16.pf2
+loadfont /boot/grub/dejavu-bold-14.pf2
+loadfont /boot/grub/unicode.pf2
+
+set gfxmode="640x480x16"
+set gfxpayload="640x480x16"
+terminal_output gfxterm
+
+set splash_img="/isolinux/splash.png"
+if [ -e ${splash_img} ]; then
+    background_image ${splash_img}
+fi
+
+terminal_output --append serial
+terminal_input serial console
+
 set color_normal=light-gray/black
 set color_highlight=white/black
 
-if [ -e /isolinux/splash.png ]; then
-    # binary_syslinux modifies the theme file to point to the correct
-    # background picture
-    set theme=/boot/grub/live-theme/theme.txt
-elif [ -e /boot/grub/splash.png ]; then
-    set theme=/boot/grub/live-theme/theme.txt
-else
-    set menu_color_normal=cyan/blue
-    set menu_color_highlight=white/blue
-fi
-
-terminal_output gfxterm
-
-insmod play
-play 960 440 1 0 4 440 1
-
 # Live boot
 LINUX_LIVE
 
-# You can add more entries like this
-# menuentry "Alternate live boot" {
-# linux KERNEL_LIVE APPEND_LIVE custom options here
-# initrd INITRD_LIVE
-# }
-# menuentry "Alternate graphical installer" {
-# linux KERNEL_GI APPEND_GI custom options here
-# initrd INITRD_GI
-# }
-# menuentry "Alternate textual installer" {
-# linux KERNEL_DI APPEND_DI custom options here
-# initrd INITRD_DI
-# }
-
 # Installer (if any)
 LINUX_INSTALL
-
-submenu 'Advanced options...' {
-
-# More installer entries (if any)
-LINUX_ADVANCED_INSTALL
-
-# Memtest (if any)
-MEMTEST
-
-}

data/live-build-config/hooks/live/01-live-serial.binary

@@ -0,0 +1,31 @@
+#!/bin/sh
+
+GRUB_PATH=boot/grub/grub.cfg
+ISOLINUX_PATH=isolinux/live.cfg
+
+KVM_CONSOLE="console=ttyS0,115200 console=tty0"
+SERIAL_CONSOLE="console=tty0 console=ttyS0,115200"
+
+# Grub.cfg Update
+GRUB_MENUENTRY=$(sed -e '/menuentry.*hotkey.*/,/^}/!d' -e 's/--hotkey=l//g' $GRUB_PATH)
+
+# Update KVM menuentry name
+sed -i 's/"Live system \((.*vyos)\)"/"Live system \1 - KVM console"/' $GRUB_PATH
+
+# Insert serial menuentry
+echo "$GRUB_MENUENTRY" | sed \
+    -e 's/"Live system \((.*vyos)\)"/"Live system \1 - Serial console"/' \
+    -e "s/$KVM_CONSOLE/$SERIAL_CONSOLE/g" >> $GRUB_PATH
+
+# Live.cfg Update
+ISOLINUX_MENUENTRY=$(sed -e '/label live-\(.*\)-vyos$/,/^\tappend.*/!d' $ISOLINUX_PATH)
+
+# Update KVM menuentry name
+sed -i 's/Live system \((.*vyos)\)/Live system \1 - KVM console/' $ISOLINUX_PATH
+
+# Insert serial menuentry
+echo "\n$ISOLINUX_MENUENTRY" | sed \
+    -e 's/live-\(.*\)-vyos/live-\1-vyos-serial/' \
+    -e '/^\tmenu default/d' \
+    -e 's/Live system \((.*vyos)\)/Live system \1 - Serial console/' \
+    -e "s/$KVM_CONSOLE/$SERIAL_CONSOLE/g" >> $ISOLINUX_PATH

data/live-build-config/hooks/live/02-issue.chroot

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-echo I: Rewriting /etc/issue and /etc/issue.net
-cat <<EOF > etc/issue
-Welcome to VyOS - \n \l
-
-EOF
-cat <<EOF > etc/issue.net
-Welcome to VyOS
-EOF

data/live-build-config/hooks/live/04-locale.chroot

@@ -5,5 +5,3 @@ cat <<EOF >etc/default/locale
 LANG=en_US.UTF-8
 LC_ALL=C
 EOF
-
-sed -i 's/AcceptEnv LANG LC_\*/# AcceptEnv LANG LC_\*/g' /etc/ssh/sshd_config

data/live-build-config/hooks/live/08-sysconf.chroot

@@ -25,19 +25,6 @@ update_sysctl_conf ()
 
 update_sysctl_conf kernel.printk "4 4 1 7" \
     "the following stops low-level messages on console"
-update_sysctl_conf net.ipv4.conf.all.promote_secondaries 1 \
-    "promote secondaries with removal of primary address"
-update_sysctl_conf net.ipv4.ip_forward 1 \
-    "enable ipv4 forwarding"
-# FIXME! need to load or staticly link ipv6 module before adding this.
-# update_sysctl_conf net.ipv6.conf.all.forwarding 1 \
-#    "enable ipv6 forwarding"
-update_sysctl_conf net.core.rmem_max 223232 \
-    "maximize netlink buffers"
-update_sysctl_conf net.ipv4.conf.all.send_redirects 0 \
-    "disable IPv4 ICMP redirects"
-update_sysctl_conf net.ipv4.conf.default.send_redirects 0 \
-    "disable IPv4 ICMP redirects"
 
 # Local Variables:
 # mode: shell-script

data/live-build-config/hooks/live/100-remove-dropbear-keys.chroot

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Delete Dropbear SSH keys that might be generated
+# by postinst scripts
+# to prevent non-unique keys from appearing in images
+
+rm -f /etc/dropbear/dropbear_*_host_key

data/live-build-config/hooks/live/11-busybox.chroot

@@ -139,6 +139,7 @@ bb_alternative /usr/bin/renice
 bb_alternative /usr/bin/reset
 bb_alternative /usr/bin/setkeycodes
 bb_alternative /usr/bin/sha1sum
+bb_alternative /usr/bin/sha256sum
 bb_alternative /usr/bin/sort
 bb_alternative /usr/bin/strings
 bb_alternative /usr/bin/tail

data/live-build-config/hooks/live/17-gen_initramfs.chroot

@@ -9,4 +9,15 @@ if [ -e /boot/initrd.img-* ]; then
 	rm -f /boot/initrd.img-*
 fi
 
-update-initramfs -c -k `ls /boot | grep vmlinuz- | sed 's/vmlinuz-//g'`
+KERNEL_COUNT=$(find /boot/ -type f -name vmlinuz* | wc -l)
+if [ "$KERNEL_COUNT" -gt 1 ]; then
+    echo "E: there is more than one kernel image file installed!"
+    echo "E: please make sure that kernel_version in data/defaults.toml is up to date"
+    echo "E: if your repository is up to date, then there is a bug"
+fi
+
+kernel=`ls /boot | grep vmlinuz- | sed 's/vmlinuz-//g'`
+
+echo "I: Executing update-initramfs -c -k $kernel"
+
+update-initramfs -c -k $kernel

data/live-build-config/hooks/live/18-enable-disable_services.chroot

@@ -1,63 +1,85 @@
 #!/bin/sh
 
 echo I: Disabling services
-systemctl disable exim4.service
-systemctl disable isc-dhcp-server.service
+systemctl disable syslog.service
+systemctl disable rsyslog.service
+systemctl disable arpwatch.service
+systemctl disable smartd.service
+systemctl disable isc-kea-dhcp4-server.service
+systemctl disable isc-kea-dhcp6-server.service
+systemctl disable isc-kea-dhcp-ddns-server.service
 systemctl disable isc-dhcp-relay.service
 systemctl disable nfacctd.service
-systemctl disable pmacctd.service
 systemctl disable sfacctd.service
 systemctl disable uacctd.service
-systemctl disable lighttpd.service
 systemctl disable ssh.service
+systemctl disable sshguard.service
 systemctl disable openvpn.service
 systemctl disable lldpd.service
 systemctl disable LCDd.service
 systemctl disable lcdproc.service
 systemctl disable conntrackd.service
-systemctl disable mdns-repeater.service
 systemctl disable 'udp-broadcast-relay@*.service'
 systemctl disable pdns-recursor.service
 systemctl disable tftpd-hpa.service
-systemctl disable strongswan.service
-systemctl disable logd.service
 systemctl disable frr.service
 systemctl disable salt-minion.service
 systemctl disable certbot.service
 systemctl disable certbot.timer
 systemctl disable nginx.service
-systemctl disable pacemaker.service
-systemctl disable corosync.service
 systemctl disable wpa_supplicant.service
 systemctl disable squid.service
-systemctl disable heartbeat.service
 systemctl disable apt-daily.service
 systemctl disable apt-daily.timer
 systemctl disable apt-daily-upgrade.timer
 systemctl disable apt-daily-upgrade.service
-systemctl disable pcscd.service
-systemctl disable man-db.timer
-systemctl disable ntp.service
+systemctl disable chrony.service
 systemctl disable igmpproxy.service
-systemctl disable cryptsetup.service
-systemctl disable live-tools.service
 systemctl disable wide-dhcpv6-client.service
 systemctl disable lm-sensors.service
 systemctl disable snmpd.service
 systemctl disable conserver-server.service
 systemctl disable dropbear.service
-systemctl disable fastnetmon.service
+systemctl disable fancontrol.service
 systemctl disable ddclient.service
 systemctl disable ocserv.service
 systemctl disable tuned.service
 systemctl disable radvd.service
 systemctl disable hostapd.service
+systemctl disable hsflowd.service
 systemctl disable keepalived.service
 systemctl disable ipvsadm.service
 systemctl disable telegraf.service
+systemctl disable ndppd.service
+systemctl disable ipsec.service
+systemctl disable strongswan.service
+systemctl disable strongswan-starter.service
+systemctl disable strongswan.service
+systemctl disable avahi-daemon.service
+systemctl disable atop-rotate.timer
+systemctl disable ModemManager.service
+systemctl disable dnsdist.service
+systemctl disable haproxy.service
+systemctl disable owamp-server.service
+systemctl disable twamp-server.service
+systemctl disable vyos-wan-load-balance.service
+systemctl disable nvmf-autoconnect.service
+systemctl disable dpkg-db-backup.timer
+systemctl disable dpkg-db-backup.service
+systemctl disable zabbix-agent2.service
+systemctl disable suricata.service
+systemctl disable vyconfd.service
+systemctl disable vpp.service
+systemctl disable netplug.service
 
 echo I: Enabling services
-systemctl enable ssh-session-cleanup.service
 systemctl enable vyos-hostsd.service
 systemctl enable acpid.service
+systemctl enable vyos-router.service
 systemctl enable vyos-configd.service
+systemctl enable vyos-grub-update.service
+systemctl enable vyos-commitd.service
+
+echo I: Masking services
+systemctl mask systemd-journald-audit.socket
+systemctl --global mask gpg-agent.service gpg-agent.socket gpg-agent-ssh.socket gpg-agent-extra.socket gpg-agent-browser.socket dirmngr.socket

data/live-build-config/hooks/live/19-kernel_symlinks.chroot

@@ -1,6 +1,9 @@
 #!/bin/sh
 
-echo I: Creating kernel symlinks.
+echo I: Creating Linux Kernel symbolic links
 cd /boot
 ln -s initrd.img-* initrd.img
 ln -s vmlinuz-* vmlinuz
+
+echo I: Remove Linux Kernel symbolic link to source folder
+rm -rf /lib/modules/*/build

data/live-build-config/hooks/live/20-rm_ddclient_hook.chroot

@@ -1,9 +0,0 @@
-#!/bin/sh
-
-if [ -f /etc/dhcp/dhclient-exit-hooks.d/ddclient ]; then
-  rm -f /etc/dhcp/dhclient-exit-hooks.d/ddclient
-fi
-
-if [ -f /etc/ddclient.conf ]; then
-  rm -f /etc/ddclient.conf
-fi

data/live-build-config/hooks/live/20-systemd_target.chroot

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+echo I: Choose systemd multi-user.target over graphical.target
+systemctl set-default -f multi-user.target

data/live-build-config/hooks/live/23-config_mkdir.chroot

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+echo I: Create config directory.
+
+mkdir -p /config

data/live-build-config/hooks/live/30-frr-configs.chroot

@@ -1,73 +0,0 @@
-#!/usr/bin/env python
-
-# For FRR to work in VyOS as expected we need a few fixups
-#
-# 1. Enable daemons we use in /etc/frr/daemons
-# 2. Set the VRF backend of Zebra to netns (-n option) in /etc/frr/daemons.conf
-#    Otherwise multiple routing tables for PBR won't work
-# 3. Create empty configs for daemons with use
-#    That is to make them possible to start on boot before config is loaded
-#
-
-import os
-
-daemons = """
-zebra=yes
-bgpd=yes
-ospfd=yes
-ospf6d=yes
-ripd=yes
-ripngd=yes
-isisd=yes
-pimd=no
-ldpd=yes
-nhrpd=no
-eigrpd=no
-babeld=no
-sharpd=no
-pbrd=no
-bfdd=yes
-staticd=yes
-
-vtysh_enable=yes
-zebra_options="  -s 90000000 --daemon -A 127.0.0.1 -M snmp"
-bgpd_options="   --daemon -A 127.0.0.1 -M snmp -M rpki"
-ospfd_options="  --daemon -A 127.0.0.1 -M snmp"
-ospf6d_options=" --daemon -A ::1 -M snmp"
-ripd_options="   --daemon -A 127.0.0.1 -M snmp"
-ripngd_options=" --daemon -A ::1"
-isisd_options="  --daemon -A 127.0.0.1"
-pimd_options="  --daemon -A 127.0.0.1"
-ldpd_options="  --daemon -A 127.0.0.1"
-nhrpd_options="  --daemon -A 127.0.0.1"
-eigrpd_options="  --daemon -A 127.0.0.1"
-babeld_options="  --daemon -A 127.0.0.1"
-sharpd_options="  --daemon -A 127.0.0.1"
-pbrd_options="  --daemon -A 127.0.0.1"
-staticd_options="  --daemon -A 127.0.0.1"
-bfdd_options="  --daemon -A 127.0.0.1"
-
-watchfrr_enable=no
-valgrind_enable=no
-"""
-
-frr_conf = """
-log syslog
-log facility local7
-"""
-
-frr_log = ''
-
-with open("/etc/frr/daemons", "w") as f:
-    f.write(daemons)
-
-with open("/etc/frr/frr.conf", "w") as f:
-    f.write(frr_conf)
-
-# Prevent writing logs to /var/log/frr/frr.log. T2061
-with open("/etc/rsyslog.d/45-frr.conf", "w") as f:
-    f.write(frr_log)
-
-# Create empty daemon configs so that they start properly
-for name in ["zebra.conf", "bgpd.conf", "ospfd.conf", "ospf6d.conf", "ripd.conf", "ripngd.conf"]:
-    open(os.path.join("/etc/frr", name), 'a').close()

data/live-build-config/hooks/live/30-openvmtools-configs.chroot

@@ -1,14 +0,0 @@
-#!/usr/bin/env python
-
-# open-vm-tools settings
-
-import re
-
-vmtools_config = """
-[guestinfo]
-    poll-interval=30
-
-"""
-
-with open('/etc/vmware-tools/tools.conf', 'w') as f:
-    f.write(vmtools_config)

data/live-build-config/hooks/live/30-strongswan-configs.chroot

@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 
 # The Cisco Unity plugin, that implements a proprietary extension
 # for IPsec split tunneling, interfers with DMVPN
@@ -36,3 +36,22 @@ with open('/etc/strongswan.d/charon/farp.conf', 'r') as f:
 
 with open('/etc/strongswan.d/charon/farp.conf', 'w') as f:
     f.write(farp_conf)
+
+
+# Add ike-name to logging
+charon_logging = """
+charon {
+    syslog {
+        # prefix for each log message
+        identifier = charon
+        # use default settings to log to the LOG_DAEMON facility
+        daemon {
+            default = 1
+            ike_name = yes
+        }
+    }
+}
+"""
+
+with open('/etc/strongswan.d/charon-logging.conf', 'w') as f:
+    f.write(charon_logging)

data/live-build-config/hooks/live/40-init-cracklib-db.chroot

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+CRACKLIB_DIR=/var/cache/cracklib
+CRACKLIB_DB=cracklib_dict
+
+if [ ! -f "${CRACKLIB_DIR}/${CRACKLIB_DB}.pwd" ]; then
+  echo "I: Creating the cracklib database ${CRACKLIB_DIR}/${CRACKLIB_DB}"
+  mkdir -p $CRACKLIB_DIR
+
+  /usr/sbin/create-cracklib-dict -o $CRACKLIB_DIR/$CRACKLIB_DB \
+    /usr/share/dict/cracklib-small
+fi
+

data/live-build-config/hooks/live/40-init-geoip-database.chroot

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# Geolocation data provided by DB-IP.com
+# License: https://creativecommons.org/licenses/by/4.0/ (CC BY 4.0)
+
+DATE_SUFFIX=$(date +%Y-%m)
+URL="https://download.db-ip.com/free/dbip-country-lite-${DATE_SUFFIX}.csv.gz"
+OUT_PATH="/usr/share/vyos-geoip/dbip-country-lite.csv.gz"
+
+mkdir -p $(dirname $OUT_PATH)
+wget -O - $URL > $OUT_PATH
+
+if [ $? -ne 0 ]; then
+    echo "Failed to download GeoIP database"
+    rm $OUT_PATH
+fi

data/live-build-config/hooks/live/80-delete-docs.chroot

@@ -1,4 +0,0 @@
-#!/bin/bash
-
-# We do not need any documentation on the system. This frees 43MB.
-rm -rf /usr/share/doc /usr/share/doc-base /usr/share/docutils

data/live-build-config/hooks/live/81-cleanup-etc-defaults.chroot

@@ -1,11 +0,0 @@
-#!/bin/sh
-
-# we use systemd to control ISC daemons from within vyos-1x
-FILES="/etc/default/isc-dhcp-server /etc/default/isc-dhcp-relay"
-
-for FILE in ${FILES}
-do
-    if [ -f ${FILE} ]; then
-        rm -f ${FILE}
-    fi
-done

data/live-build-config/hooks/live/92-strip-symbols.chroot

@@ -0,0 +1,75 @@
+#!/bin/sh
+
+#
+# Discard symbols and other data from object files.
+#
+# Reference:
+# https://www.linuxfromscratch.org/lfs/view/systemd/chapter08/stripping.html
+# https://www.debian.org/doc/debian-policy/ch-files.html
+#
+
+# Set variables.
+STRIPCMD_REGULAR="strip --remove-section=.comment --remove-section=.note --preserve-dates"
+STRIPCMD_DEBUG="strip --strip-debug --remove-section=.comment --remove-section=.note --preserve-dates"
+STRIPCMD_UNNEEDED="strip --strip-unneeded --remove-section=.comment --remove-section=.note --preserve-dates"
+STRIPDIR_REGULAR="
+"
+STRIPDIR_DEBUG="
+"
+STRIPDIR_UNNEEDED="
+/etc/hsflowd/modules
+/usr/bin
+/usr/lib/openvpn
+/usr/lib/x86_64-linux-gnu
+/usr/lib32
+/usr/lib64
+/usr/libx32
+/usr/sbin
+"
+STRIP_EXCLUDE=`dpkg-query -L libbinutils | grep '.so'`
+
+# Perform stuff.
+echo "Stripping symbols..."
+
+# List excluded files.
+echo "Exclude files: ${STRIP_EXCLUDE}"
+
+# CMD: strip
+for DIR in ${STRIPDIR_REGULAR}; do
+  echo "Parse dir (strip): ${DIR}"
+  find ${DIR} -type f -exec file {} \; | grep 'not stripped' | cut -d ":" -f 1 | while read FILE; do
+    echo "${STRIP_EXCLUDE}" | grep -F -q -w "${FILE}"
+    if [ $? -ne 0 ]; then
+      echo "Strip file (strip): ${FILE}"
+      ${STRIPCMD_REGULAR} ${FILE}
+    fi
+  done
+done
+
+# CMD: strip --strip-debug
+for DIR in ${STRIPDIR_DEBUG}; do
+  echo "Parse dir (strip-debug): ${DIR}"
+  find ${DIR} -type f -exec file {} \; | grep 'not stripped' | cut -d ":" -f 1 | while read FILE; do
+    echo "${STRIP_EXCLUDE}" | grep -F -q -w "${FILE}"
+    if [ $? -ne 0 ]; then
+      echo "Strip file (strip-debug): ${FILE}"
+      ${STRIPCMD_DEBUG} ${FILE}
+    fi
+  done
+done
+
+# CMD: strip --strip-unneeded
+for DIR in ${STRIPDIR_UNNEEDED}; do
+  echo "Parse dir (strip-unneeded: ${DIR}"
+  find ${DIR} -type f -exec file {} \; | grep 'not stripped' | cut -d ":" -f 1 | while read FILE; do
+    echo "${STRIP_EXCLUDE}" | grep -F -q -w "${FILE}"
+    if [ $? -ne 0 ]; then
+      echo "Strip file (strip-unneeded): ${FILE}"
+      ${STRIPCMD_UNNEEDED} ${FILE}
+    fi
+  done
+done
+
+# Remove binutils package.
+apt-get -y purge --autoremove binutils
+

data/live-build-config/hooks/live/93-sb-sign-kernel.chroot

@@ -0,0 +1,31 @@
+#!/bin/sh
+SIGN_FILE=$(find /usr/lib -name sign-file)
+KERNEL_KEY="/var/lib/shim-signed/mok/vyos-dev-2025-linux.key"
+KERNEL_CERT="/var/lib/shim-signed/mok/vyos-dev-2025-linux.pem"
+VMLINUZ=$(readlink /boot/vmlinuz)
+
+# All Linux Kernel modules need to be cryptographically signed
+find /lib/modules -type f -name \*.ko | while read MODULE; do
+    modinfo ${MODULE} | grep -q "signer:"
+    if [ $? != 0 ]; then
+        echo "E: Module ${MODULE} is not signed!"
+        read -n 1 -s -r -p "Press any key to continue"
+    fi
+done
+
+if [ ! -f ${KERNEL_KEY} ] && [ ! -f ${KERNEL_CERT} ]; then
+    echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
+else
+    echo "I: Signing Linux Kernel for Secure Boot"
+    sbsign --key ${KERNEL_KEY} --cert ${KERNEL_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
+    sbverify --list /boot/${VMLINUZ}
+    rm -f ${KERNEL_KEY}
+fi
+
+for cert in $(ls /var/lib/shim-signed/mok/); do
+    if grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok/${cert}; then
+        echo "Found private key - bailing out"
+        exit 1
+    fi
+done
+

data/live-build-config/includes.binary/compat

@@ -0,0 +1,10 @@
+# VyOS 1.3.x image upgrade scipt checked if an image file was a valid ISO file
+# by grepping it for "ISO9660".
+# (The correct way to do that would be to use file/libmagic,
+#  but we cannot change the past).
+# At some point something has changed in xorriso or some other tool
+# and images no longer include that string.
+# so the image validity check fails.
+# To allow direct upgrades from older versions,
+# we artificially include that string to make the old check pass.
+ISO9660

data/live-build-config/includes.chroot/etc/initramfs-tools/hooks/10-vyos-addons

@@ -33,3 +33,4 @@ copy_exec /usr/sbin/fsck.ext4
 
 # copy other files ("other" here is a file type, so do not delete this keyword)
 copy_file other /etc/ssl/certs/ca-certificates.crt
+copy_file other /etc/ssl/openssl.cnf

data/live-build-config/includes.chroot/etc/modprobe.d/igb-options.conf

@@ -1 +0,0 @@
-options igb RSS=0,0,0,0,0,0,0,0

data/live-build-config/includes.chroot/etc/modprobe.d/ixgbe-options.conf

@@ -1 +0,0 @@
-options ixgbe allow_unsupported_sfp=1 RSS=0,0,0,0,0,0,0,0

data/live-build-config/includes.chroot/etc/modprobe.d/no-copybreak.conf

@@ -0,0 +1,60 @@
+#
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2009 Vyatta, Inc.
+# All Rights Reserved.
+# **** End License ****
+#
+# Author:  Bob Gilligan <gilligan@vyatta.com>
+#
+# Some network interface drivers employ a scheme known as "copybreak"
+# in which they make a copy of a received skb if the size of the
+# buffer is below a particular threshold, then return the original
+# receive skb back to the pool.  Since these drivers initially
+# allocate a buffer size that is larger than the largest possible
+# packet, this scheme returns that large buffer to the pool quickly,
+# and uses a smaller one.
+#
+# The primary benefit of copybreak is better memory utilization.  On
+# systems where the data is ultimately going to be copied out to user
+# space, the copybreak scheme is "low cost" because it has the side
+# benefit of priming the cache for that later copy.  But on a router
+# that only touches the header fields of a received packet, the cost
+# can be relatively higher.  And on modern systems the memory savings
+# is rarely an important consideration.
+#
+# Some of the drivers that employ copybreak make the feature
+# configurable via a module parameter.  This file disables copybreak
+# in some of those drivers.  Generally this results in an improvement
+# in forwarding performance for traffic using these drivers.
+
+options 3c515 rx_copybreak=0
+options 3c59x rx_copybreak=0
+options bcm63xx copybreak=0
+options cxgb copybreak=0
+options e1000 copybreak=0
+options e1000e copybreak=0
+options epic100 rx_copybreak=0
+options fealnx rx_copybreak=0
+options hamachi rx_copybreak=0
+options ixgb copybreak=0
+options natsemi rx_copybreak=0
+options pch_gbe copybreak=0
+options pcnet32 rx_copybreak=0
+options sis190 rx_copybreak=0
+options sky2 copybreak=0
+options starfire rx_copybreak=0
+options sundance rx_copybreak=0
+options typhoon rx_copybreak=0
+options via-rhine rx_copybreak=0
+options via-velocity rx_copybreak=0
+options yellowfin rx_copybreak=0

data/live-build-config/includes.chroot/etc/netplug/netplug

@@ -1,29 +0,0 @@
-#!/bin/sh
-#
-# vyos policy agent for netplugd
-#
-
-dev="$1"
-action="$2"
-
-case "$action" in
-in)
-   run-parts -a $dev /etc/netplug/linkup.d
-    ;;
-out)
-   run-parts -a $dev /etc/netplug/linkdown.d
-    ;;
-
-# probe loads and initialises the driver for the interface and brings the
-# interface into the "up" state, so that it can generate netlink(7) events.
-# This interferes with "admin down" for an interface. Thus, commented out. An
-# "admin up" is treated as a "link up" and thus, "link up" action is executed.
-# To execute "link down" action on "admin down", run appropriate script in
-# /etc/netplug/linkdown.d
-#probe)
-#    ;;
-
-*)
-    exit 1
-    ;;
-esac

data/live-build-config/includes.chroot/etc/netplug/netplugd.conf

@@ -1,3 +0,0 @@
-eth*
-br*
-bond*

data/live-build-config/includes.chroot/etc/skel/.bashrc

@@ -1,119 +0,0 @@
-# ~/.bashrc: executed by bash(1) for non-login shells.
-# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
-# for examples
-
-# If not running interactively, don't do anything
-case $- in
-    *i*) ;;
-      *) return;;
-esac
-
-# don't put duplicate lines or lines starting with space in the history.
-# See bash(1) for more options
-HISTCONTROL=ignoreboth
-
-# append to the history file, don't overwrite it
-shopt -s histappend
-
-# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
-HISTSIZE=1000
-HISTFILESIZE=2000
-
-# check the window size after each command and, if necessary,
-# update the values of LINES and COLUMNS.
-shopt -s checkwinsize
-
-# If set, the pattern "**" used in a pathname expansion context will
-# match all files and zero or more directories and subdirectories.
-#shopt -s globstar
-
-# make less more friendly for non-text input files, see lesspipe(1)
-#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
-
-# set variable identifying the chroot you work in (used in the prompt below)
-if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
-    debian_chroot=$(cat /etc/debian_chroot)
-fi
-
-# set a fancy prompt (non-color, unless we know we "want" color)
-case "$TERM" in
-    xterm-color) color_prompt=yes;;
-esac
-
-# uncomment for a colored prompt, if the terminal has the capability; turned
-# off by default to not distract the user: the focus in a terminal window
-# should be on the output of commands, not on the prompt
-#force_color_prompt=yes
-
-if [ -n "$force_color_prompt" ]; then
-    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
-	# We have color support; assume it's compliant with Ecma-48
-	# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
-	# a case would tend to support setf rather than setaf.)
-	color_prompt=yes
-    else
-	color_prompt=
-    fi
-fi
-
-if [ "$color_prompt" = yes ]; then
-    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\H\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
-else
-    PS1='${debian_chroot:+($debian_chroot)}\u@\H:\w\$ '
-fi
-unset color_prompt force_color_prompt
-
-# If this is an xterm set the title to user@host:dir
-case "$TERM" in
-xterm*|rxvt*)
-    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\H: \w\a\]$PS1"
-    ;;
-*)
-    ;;
-esac
-
-# enable color support of ls and also add handy aliases
-if [ -x /usr/bin/dircolors ]; then
-    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
-    alias ls='ls --color=auto'
-    #alias dir='dir --color=auto'
-    #alias vdir='vdir --color=auto'
-
-    #alias grep='grep --color=auto'
-    #alias fgrep='fgrep --color=auto'
-    #alias egrep='egrep --color=auto'
-fi
-
-# colored GCC warnings and errors
-#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
-
-# some more ls aliases
-#alias ll='ls -l'
-#alias la='ls -A'
-#alias l='ls -CF'
-
-# Alias definitions.
-# You may want to put all your additions into a separate file like
-# ~/.bash_aliases, instead of adding them here directly.
-# See /usr/share/doc/bash-doc/examples in the bash-doc package.
-
-if [ -f ~/.bash_aliases ]; then
-    . ~/.bash_aliases
-fi
-
-# enable programmable completion features (you don't need to enable
-# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
-# sources /etc/bash.bashrc).
-if ! shopt -oq posix; then
-  if [ -f /usr/share/bash-completion/bash_completion ]; then
-    . /usr/share/bash-completion/bash_completion
-  elif [ -f /etc/bash_completion ]; then
-    . /etc/bash_completion
-  fi
-fi
-OPAMROOT='/opt/opam'; export OPAMROOT;
-OPAM_SWITCH_PREFIX='/opt/opam/4.07.0'; export OPAM_SWITCH_PREFIX;
-CAML_LD_LIBRARY_PATH='/opt/opam/4.07.0/lib/stublibs:/opt/opam/4.07.0/lib/ocaml/stublibs:/opt/opam/4.07.0/lib/ocaml'; export CAML_LD_LIBRARY_PATH;
-OCAML_TOPLEVEL_PATH='/opt/opam/4.07.0/lib/toplevel'; export OCAML_TOPLEVEL_PATH;
-MANPATH=':/opt/opam/4.07.0/man'; export MANPATH;
-PATH='/opt/opam/4.07.0/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'; export PATH;

data/live-build-config/includes.chroot/etc/skel/.profile

@@ -1,22 +0,0 @@
-# ~/.profile: executed by the command interpreter for login shells.
-# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
-# exists.
-# see /usr/share/doc/bash/examples/startup-files for examples.
-# the files are located in the bash-doc package.
-
-# the default umask is set in /etc/profile; for setting the umask
-# for ssh logins, install and configure the libpam-umask package.
-#umask 022
-
-# if running bash
-if [ -n "$BASH_VERSION" ]; then
-    # include .bashrc if it exists
-    if [ -f "$HOME/.bashrc" ]; then
-	. "$HOME/.bashrc"
-    fi
-fi
-
-# set PATH so it includes user's private bin if it exists
-if [ -d "$HOME/bin" ] ; then
-    PATH="$HOME/bin:$PATH"
-fi

data/live-build-config/includes.chroot/etc/systemd/system.conf

@@ -53,3 +53,4 @@ ShowStatus=yes
 #DefaultLimitNICE=
 #DefaultLimitRTPRIO=
 #DefaultLimitRTTIME=
+StatusUnitFormat=description

data/live-build-config/includes.chroot/lib/systemd/system/ssh-session-cleanup.service

@@ -1,13 +0,0 @@
-[Unit]
-Description=OpenBSD Secure Shell session cleanup
-Wants=network.target
-After=network.target
-
-[Service]
-ExecStart=/bin/true
-ExecStop=/usr/lib/openssh/ssh-session-cleanup
-RemainAfterExit=yes
-Type=oneshot
-
-[Install]
-WantedBy=multi-user.target

data/live-build-config/includes.chroot/opt/vyatta/etc/config.boot.default

@@ -1,39 +0,0 @@
-system {
-    host-name vyos
-    login {
-        user vyos {
-            authentication {
-                encrypted-password $6$QxPS.uk6mfo$9QBSo8u1FkH16gMyAVhus6fU3LOzvLR9Z9.82m3tiHFAxTtIkhaZSWssSgzt4v4dGAL8rhVQxTg0oAG9/q11h/
-                plaintext-password ""
-            }
-        }
-    }
-    syslog {
-        global {
-            facility all {
-                level info
-            }
-            facility protocols {
-                level debug
-            }
-        }
-    }
-    ntp {
-        server "0.pool.ntp.org"
-        server "1.pool.ntp.org"
-        server "2.pool.ntp.org"
-    }
-    console {
-        device ttyS0 {
-            speed 115200
-        }
-    }
-    config-management {
-        commit-revisions 100
-    }
-}
-
-interfaces {
-    loopback lo {
-    }
-}

data/live-build-config/includes.chroot/opt/vyatta/etc/grub/default-union-grub-entry

@@ -1,20 +1,20 @@
 menuentry "VyOS  (KVM console)" {
-        linux /boot//vmlinuz boot=live quiet rootdelay=5 noautologin net.ifnames=0 biosdevname=0 vyos-union=/boot/ console=ttyS0,115200 console=tty0
+        linux /boot//vmlinuz boot=live quiet rootdelay=5 noautologin net.ifnames=0 biosdevname=0 udev.exec_delay=3 vyos-union=/boot/ console=ttyS0,115200 console=tty0
         initrd /boot//initrd.img
 }
 
 menuentry "VyOS  (Serial console)" {
-        linux /boot//vmlinuz boot=live quiet rootdelay=5 noautologin net.ifnames=0 biosdevname=0 vyos-union=/boot/ console=tty0 console=ttyS0,115200
+        linux /boot//vmlinuz boot=live quiet rootdelay=5 noautologin net.ifnames=0 biosdevname=0 udev.exec_delay=3 vyos-union=/boot/ console=tty0 console=ttyS0,115200
         initrd /boot//initrd.img
 }
 
 menuentry "Lost password change  (KVM console)" {
-        linux /boot//vmlinuz boot=live quiet rootdelay=5 noautologin net.ifnames=0 biosdevname=0 vyos-union=/boot/ console=ttyS0,115200 console=tty0 init=/opt/vyatta/sbin/standalone_root_pw_reset
+        linux /boot//vmlinuz boot=live quiet rootdelay=5 noautologin net.ifnames=0 biosdevname=0 udev.exec_delay=3 vyos-union=/boot/ console=ttyS0,115200 console=tty0 init=/opt/vyatta/sbin/standalone_root_pw_reset
         initrd /boot//initrd.img
 }
 
 menuentry "Lost password change  (Serial console)" {
-        linux /boot//vmlinuz boot=live quiet rootdelay=5 noautologin net.ifnames=0 biosdevname=0 vyos-union=/boot/ console=tty0 console=ttyS0,115200 init=/opt/vyatta/sbin/standalone_root_pw_reset
+        linux /boot//vmlinuz boot=live quiet rootdelay=5 noautologin net.ifnames=0 biosdevname=0 udev.exec_delay=3 vyos-union=/boot/ console=tty0 console=ttyS0,115200 init=/opt/vyatta/sbin/standalone_root_pw_reset
         initrd /boot//initrd.img
 }
 

data/live-build-config/includes.chroot/usr/lib/openssh/ssh-session-cleanup

@@ -1,11 +0,0 @@
-#! /bin/sh
-
-ssh_session_pattern='sshd: \S.*@pts/[0-9]+'
-
-IFS="$IFS@"
-pgrep -a -f "$ssh_session_pattern" | while read pid daemon user pty; do
-	echo "Found ${daemon%:} session $pid on $pty; sending SIGTERM"
-	kill "$pid" || true
-done
-
-exit 0

data/live-build-config/includes.chroot/usr/share/vyos/keys/vyos-backup.minisign.pub

@@ -0,0 +1,2 @@
+untrusted comment: VyOS release signing key
+RWSw63o24QvCadaeW21Vqv6+/uzXUsNOpLlRoLRQd2NJgdOm1k1zdAb3

data/live-build-config/includes.chroot/usr/share/vyos/keys/vyos-release.minisign.pub

@@ -0,0 +1,2 @@
+untrusted comment: VyOS release signing key
+RWTR1ty93Oyontk6caB9WqmiQC4fgeyd/ejgRxCRGd2MQej7nqebHneP

data/live-build-config/includes.chroot/usr/share/vyos/keys/vyos-rolling-release.minisign.pub

@@ -0,0 +1,2 @@
+untrusted comment: minisign public key D3643767F448688
+RWSIhkR/dkM2DSaBRniv/bbbAf8hmDqdbOEmgXkf1RxRoxzodgKcDyGq

data/live-build-config/package-lists/vyos-base.list.chroot

@@ -1,4 +1,4 @@
 debconf
-gpgv
-gnupg
-vyos-world
+vyos-1x
+vyos-user-utils
+zstd

data/live-build-config/package-lists/vyos-utils.list.chroot

@@ -1,26 +1,5 @@
-nmap
-dnsutils
-ipcalc
-whois
-netcat-openbsd
-socat
-nano
-screen
-minicom
-iftop
-lsof
-openssh-client
-haveged
-htop
-atop
-iotop
-aptitude
-localepurge
-bgpq3
-libnss-myhostname
-ssl-cert
-nginx-light
-ndisc6
 systemd-sysv
 systemd-bootchart
 ncurses-term
+kitty-terminfo
+binutils

data/live-build-config/rootfs/excludes

@@ -0,0 +1,63 @@
+# Exclude various unused files and directories in order to free some space and shrink imagesize.
+#
+# For information on how to use wildcards properly (Anchored and Non-anchored excludes):
+#
+# https://github.com/plougher/squashfs-tools/blob/master/RELEASE-READMEs/README-3.3
+#
+# Note:
+#
+# - root starts without leading '/'.
+#
+
+# Txxx: Drop isc-dhcp helper files from /etc/default.
+# We use systemd to control ISC daemons from within vyos-1x.
+etc/default/isc-dhcp-server
+etc/default/isc-dhcp-relay
+
+# T2185: Clean leftover files (ddclient) from base package.
+etc/dhcp/dhclient-exit-hooks.d/ddclient
+etc/ddclient.conf
+
+# T3242: Add hook to prevent link_config redundancy call in systemd-udev.
+# 99-default.link rule always calls link_config thats trying to set autonegotiation and duplex even for PPP interfaces.
+# Need to delete this rule to prevent overhead on interface creation stage.
+lib/systemd/network/99-default.link
+
+# T3774: Disabled atop services.
+etc/cron.d/atop
+
+# T3912: Remove superfluous motd.d kernel version shell script.
+etc/update-motd.d/10-uname
+
+# T4415: We do not need any documentation on the system.
+# Copyright/licenses files are ignored for deletion.
+usr/share/doc/*/!(copyright*|README*)
+usr/share/doc-base
+
+# T5468: We do not need any manpages on the system since man-binary is missing.
+usr/local/man/*
+usr/local/share/man/*
+usr/share/man/*
+
+# T5511: We do not need any games on the system.
+usr/games/*
+usr/local/games/*
+
+# T5511: We do not need any caches on the system (will be recreated when needed).
+# T7278: We need directory created by python3-cracklib for password checks
+var/cache/!(cracklib)
+
+# T5511: We do not need any log-files on the system (will be recreated when needed).
+var/log/*.log
+var/log/*/*.log
+var/log/*/*.log.xz
+
+# T5511: We do not need any backup-files on the system (will be recreated when needed).
+... *.bak
+... *.old
+... *.kbx~
+var/lib/dpkg/*-old
+
+# T5624: Remove the Debian version file to avoid false positives from security scanners.
+etc/debian_version
+

data/package-lists/vyos-arm.list.chroot

@@ -1 +0,0 @@
-grub-efi-arm

data/package-lists/vyos-dev.list.chroot

@@ -1,6 +0,0 @@
-gdb
-strace
-apt-rdepends
-tshark
-vim
-vyos-1x-smoketest

data/package-lists/vyos-x86.list.chroot

@@ -1,15 +0,0 @@
-grub2
-grub-pc
-qemu-guest-agent
-hyperv-daemons
-vyos-xe-guest-utilities
-vyos-1x-vmware
-vyos-linux-firmware
-vyos-intel-i40e
-vyos-intel-igb
-vyos-intel-ixgbe
-vyos-intel-ixgbevf
-vyos-intel-iavf
-vyos-intel-qat
-wireguard-modules
-telegraf