Merge pull request #1047 from kumvijaya/current

T7878: Using mergify rule to handle conflict checks for private repo

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,7 +1,7 @@
 <!-- All PR should follow this template to allow a clean and transparent review -->
 <!-- Text placed between these delimiters is considered a comment and is not rendered -->
 
-## Change Summary
+## Change summary
 <!--- Provide a general summary of your changes in the Title above -->
 
 ## Types of changes
@@ -18,24 +18,11 @@ the box, please use [x]
 - [ ] Other (please describe):
 
 ## Related Task(s)
-<!-- All submitted PRs must be linked to a Task on Phabricator. -->
-* https://vyos.dev/Txxxx
+<!-- optional: Link to related other tasks on Phabricator. -->
+<!-- * https://vyos.dev/Txxxx -->
 
-## Component(s) name
-<!-- A rather incomplete list of components: ethernet, wireguard, bgp, mpls, ldp, l2tp, dhcp ... -->
-
-## Proposed changes
-<!--- Describe your changes in detail -->
-
-## How to test
-<!---
-Please describe in detail how you tested your changes. Include details of your testing
-environment, and the tests you ran. When pasting configs, logs, shell output, backtraces,
-and other large chunks of text, surround this text with triple backtics
-```
-like this
-```
--->
+## Related PR(s)
+<!-- Link here any PRs in other repositories that are required by this PR -->
 
 ## Checklist:
 <!--- Go over all the following points, and put an `x` in all the boxes that apply. -->

.github/mergify.yml

@@ -0,0 +1,10 @@
+pull_request_rules:
+  - name: Label conflicting pull requests
+    description: Add a label to a pull request with conflict to spot it easily
+    conditions:
+      - conflict
+      - '-closed'
+    actions:
+      label:
+        toggle:
+          - conflict

.github/reviewers.yml

@@ -1,3 +0,0 @@
----
-"**/*":
-  - team: reviewers

.github/workflows/add-pr-labels.yml

@@ -0,0 +1,18 @@
+---
+name: Add pull request labels
+
+on:
+  pull_request_target:
+    branches:
+      - current
+      - equuleus
+      - sagitta
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  add-pr-label:
+    uses: vyos/.github/.github/workflows/add-pr-labels.yml@current
+    secrets: inherit

.github/workflows/auto-author-assign.yml

@@ -3,25 +3,12 @@ on:
   pull_request_target:
     types: [opened, reopened, ready_for_review, locked]
 
+
 permissions:
   pull-requests: write
+  contents: read
 
 jobs:
-  # https://github.com/marketplace/actions/auto-author-assign
   assign-author:
-    runs-on: ubuntu-latest
-    steps:
-      - name: "Assign Author to PR"
-        uses: toshimaru/auto-author-assign@v1.3.5
-        with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-
-  # https://github.com/shufo/auto-assign-reviewer-by-files
-  assign_reviewer:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Request review based on files changes and/or groups the author belongs to
-        uses: shufo/auto-assign-reviewer-by-files@v1.1.4
-        with:
-          token: ${{ secrets.PR_ACTION_ASSIGN_REVIEWERS }}
-          config: .github/reviewers.yml
+    uses: vyos/.github/.github/workflows/assign-author.yml@current
+    secrets: inherit

.github/workflows/check-pr-conflicts.yml

@@ -0,0 +1,15 @@
+
+name: "PR Conflicts checker"
+on:
+  pull_request_target:
+    types: [synchronize]
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  check-pr-conflict:
+    if: github.repository_owner == 'vyos'
+    uses: vyos/.github/.github/workflows/check-pr-merge-conflict.yml@current
+    secrets: inherit

.github/workflows/check-pr-message.yml

@@ -0,0 +1,18 @@
+---
+name: Check pull request message format
+
+on:
+  pull_request_target:
+    branches:
+      - current
+      - sagitta
+      - equuleus
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  check-pr-title:
+    uses: vyos/.github/.github/workflows/check-pr-message.yml@current
+    secrets: inherit

.github/workflows/check-stale.yml

@@ -0,0 +1,14 @@
+name: "Issue and PR stale management"
+on:
+  schedule:
+  - cron: "0 0 * * *"
+  workflow_dispatch:
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  stale:
+    uses: vyos/.github/.github/workflows/check-stale.yml@current
+    secrets: inherit

.github/workflows/check-unused-imports.yml

@@ -0,0 +1,17 @@
+name: Check for unused imports using Pylint
+on:
+  pull_request:
+    branches:
+      - current
+      - sagitta
+      - equuleus
+  workflow_dispatch:
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  check-unused-imports:
+    uses: vyos/.github/.github/workflows/check-unused-imports.yml@current
+    secrets: inherit

.github/workflows/cla-check.yml

@@ -0,0 +1,18 @@
+name: "CLA Check"
+
+permissions:
+  actions: write
+  contents: read
+  pull-requests: write
+  statuses: write
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, closed]
+  issue_comment:
+    types: [created]
+
+jobs:
+  call-cla-assistant:
+    uses: vyos/vyos-cla-signatures/.github/workflows/cla-reusable.yml@current
+    secrets: inherit

.github/workflows/codeql.yml

@@ -0,0 +1,23 @@
+name: "Perform CodeQL Analysis"
+
+on:
+  push:
+    branches: [ "current", "sagitta", "equuleus" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "current" ]
+  schedule:
+    - cron: '22 10 * * 0'
+  workflow_dispatch:
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  codeql-analysis-call:
+    uses: vyos/.github/.github/workflows/codeql-analysis.yml@current
+    secrets: inherit
+    with:
+      languages: "['python']"

.github/workflows/label-backport.yml

@@ -0,0 +1,12 @@
+name: Mergifyio backport
+
+on: [issue_comment]
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  mergifyio-backport:
+    uses: vyos/.github/.github/workflows/label-backport.yml@current
+    secrets: inherit

.github/workflows/linit-j2.yml

@@ -0,0 +1,19 @@
+---
+name: J2 Lint
+
+on:
+  pull_request:
+    branches:
+      - current
+      - sagitta
+      - equuleus
+  workflow_dispatch:
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  j2lint:
+    uses: vyos/.github/.github/workflows/lint-j2.yml@current
+    secrets: inherit

.github/workflows/pr-conflicts.yml

@@ -1,18 +0,0 @@
-name: "PR Conflicts checker"
-on:
-  pull_request_target:
-    types: [synchronize]
-
-jobs:
-  Conflict_Check:
-    name: 'Check PR status: conflicts and resolution'
-    runs-on: ubuntu-22.04
-    steps:
-      - name: check if PRs are dirty
-        uses: eps1lon/actions-label-merge-conflict@releases/2.x
-        with:
-          dirtyLabel: "state: conflict"
-          removeOnDirtyLabel: "state: conflict resolved"
-          repoToken: "${{ secrets.GITHUB_TOKEN }}"
-          commentOnDirty: "This pull request has conflicts, please resolve those before we can evaluate the pull request."
-          commentOnClean: "Conflicts have been resolved. A maintainer will review the pull request shortly."

.github/workflows/pr-mirror-repo-sync.yml

@@ -0,0 +1,35 @@
+name: PR Mirror and Repo Sync
+
+on:
+  pull_request_target:
+    types: [closed]
+    branches: [current]
+  workflow_dispatch:
+    inputs:
+      sync_branch:
+        description: 'Branch to mirror'
+        required: true
+        default: 'current'
+        type: choice
+        options:
+          - current
+
+permissions:
+  pull-requests: write
+  contents: write
+  issues: write
+
+jobs:
+  call-pr-mirror-repo-sync:
+    if: |
+      github.repository_owner == 'vyos' &&
+      (
+        github.event_name == 'workflow_dispatch' ||
+        (github.event_name == 'pull_request_target' && github.event.pull_request.merged == true)
+      )
+    uses: vyos/.github/.github/workflows/pr-mirror-repo-sync.yml@current
+    with:
+      sync_branch: ${{ github.event.inputs.sync_branch || 'current' }}
+    secrets:
+      PAT: ${{ secrets.PAT }}
+      REMOTE_OWNER: ${{ secrets.REMOTE_OWNER }}

.github/workflows/trigger-docker-image-build.yml

@@ -0,0 +1,47 @@
+name: Trigger Docker image build
+
+on:
+  pull_request_target:
+    types:
+      - closed
+    branches:
+      - current
+
+permissions:
+  packages: write
+  contents: read
+  attestations: write
+  id-token: write
+  pull-requests: read
+
+jobs:
+  track-changes:
+    if: github.event.pull_request.merged == true
+    runs-on: ubuntu-latest
+    
+    env:
+      REF: main  # Used for curl to trigger image build
+
+    steps:
+      - name: Checkout vyos/vyos-build repo
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref_name }}
+
+      - uses: dorny/paths-filter@v3
+        id: changes
+        with:
+          filters: |
+            docker-dir:
+              - 'docker/**'
+
+      - name: "Trigger Docker image build for ${{ github.ref_name }}"
+        if: ${{ steps.changes.outputs.docker-dir == 'true' }}
+        run: |
+          curl -L \
+            -X POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.PAT }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/${{ secrets.REMOTE_OWNER }}/${{ secrets.REMOTE_REUSE_REPO }}/actions/workflows/build-docker-image.yml/dispatches \
+            -d '{"ref": "${{ env.REF }}", "inputs":{"branch":"${{ github.ref_name }}", "environment":"production"}}'

.github/workflows/trigger_rebuild_packages.yml

@@ -0,0 +1,264 @@
+name: Trigger to build package
+
+on:
+  push:
+    branches:
+      - current
+
+jobs:
+  changes:
+    runs-on: ubuntu-latest
+
+    env:
+      REF: main  # Used for curl to trigger build package
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref_name }}
+
+      - uses: dorny/paths-filter@v3
+        id: changes
+        with:
+          base: ${{ github.ref_name }}
+          filters: |
+            amazon-cloudwatch-agent:
+              - 'scripts/package-build/amazon-cloudwatch-agent/**'
+            amazon-ssm-agent:
+              - 'scripts/package-build/amazon-ssm-agent/**'
+            aws-gwlbtun:
+              - 'scripts/package-build/aws-gwlbtun/**'
+            blackbox_exporter:
+              - 'scripts/package-build/blackbox_exporter/**'
+            bash-completion:
+              - 'scripts/package-build/bash-completion/**'
+            ddclient:
+              - 'scripts/package-build/ddclient/**'
+            dropbear:
+              - 'scripts/package-build/dropbear/**'
+            ethtool:
+              - 'scripts/package-build/ethtool/**'
+            frr:
+              - 'scripts/package-build/frr/**'
+            frr_exporter:
+              - 'scripts/package-build/frr_exporter/**'
+            hostap:
+              - 'scripts/package-build/hostap/**'
+            hsflowd:
+              - 'scripts/package-build/hsflowd/**'
+            isc-dhcp:
+              - 'scripts/package-build/isc-dhcp/**'
+            keepalived:
+              - 'scripts/package-build/keepalived/**'
+            libnss-mapuser:
+              - 'scripts/package-build/libnss-mapuser/**'
+            libpam-radius-auth:
+              - 'scripts/package-build/libpam-radius-auth/**'
+            linux-kernel:
+              - 'data/defaults.toml'
+              - 'scripts/package-build/linux-kernel/**'
+            ndppd:
+              - 'scripts/package-build/ndppd/**'
+            net-snmp:
+              - 'scripts/package-build/net-snmp/**'
+            netfilter:
+              - 'scripts/package-build/netfilter/**'
+            node_exporter:
+              - 'scripts/package-build/node_exporter/**'
+            openvpn-otp:
+              - 'scripts/package-build/openvpn-otp/**'
+            owamp:
+              - 'scripts/package-build/owamp/**'
+            pam_tacplus:
+              - 'scripts/package-build/pam_tacplus/**'
+            podman:
+              - 'scripts/package-build/podman/**'
+            pyhumps:
+              - 'scripts/package-build/pyhumps/**'
+            radvd:
+              - 'scripts/package-build/radvd/**'
+            strongswan:
+              - 'scripts/package-build/strongswan/**'
+            tacacs:
+              - 'scripts/package-build/tacacs/**'
+            telegraf:
+              - 'scripts/package-build/telegraf/**'
+            udp-broadcast-relay:
+              - 'scripts/package-build/udp-broadcast-relay/**'
+            unionfs-fuse:
+              - 'scripts/package-build/unionfs-fuse/**'
+            vpp:
+              - 'scripts/package-build/vpp/**'
+            waagent:
+              - 'scripts/package-build/waagent/**'
+            wide-dhcpv6:
+              - 'scripts/package-build/wide-dhcpv6/**'
+            xen-guest-agent:
+              - 'scripts/package-build/xen-guest-agent/**'
+            zerotier-one:
+              - 'scripts/package-build/zerotier-one/**'
+
+      - name: Trigger builds for changed packages
+        run: |
+          set -eux
+          function trigger_build() {
+            PACKAGE_NAME=$1
+            echo "${PACKAGE_NAME} change detected!"
+            curl -L \
+              -X POST \
+              -H "Accept: application/vnd.github+json" \
+              -H "Authorization: Bearer ${{ secrets.PAT }}" \
+              -H "X-GitHub-Api-Version: 2022-11-28" \
+              https://api.github.com/repos/${{ secrets.REMOTE_OWNER }}/${{ secrets.REMOTE_REUSE_REPO }}/actions/workflows/build-package.yml/dispatches \
+              -d '{"ref": "${{ env.REF }}", "inputs":{"package_name":"'"$PACKAGE_NAME"'", "gpg_key_id": "${{ secrets.GPG_KEY_ID }}", "package_branch": "${{ github.ref_name }}", "pat": "${{ secrets.PAT }}"}}'
+          }
+
+          # Trigger builds based on detected changes
+          if [ "${{ steps.changes.outputs.amazon-cloudwatch-agent }}" == "true" ]; then
+            trigger_build "amazon-cloudwatch-agent"
+          fi
+
+          if [ "${{ steps.changes.outputs.amazon-ssm-agent }}" == "true" ]; then
+            trigger_build "amazon-ssm-agent"
+          fi
+
+          if [ "${{ steps.changes.outputs.aws-gwlbtun }}" == "true" ]; then
+            trigger_build "aws-gwlbtun"
+          fi
+
+          if [ "${{ steps.changes.outputs.bash-completion }}" == "true" ]; then
+            trigger_build "bash-completion"
+          fi
+
+          if [ "${{ steps.changes.outputs.blackbox_exporter }}" == "true" ]; then
+            trigger_build "blackbox_exporter"
+          fi
+
+          if [ "${{ steps.changes.outputs.ddclient }}" == "true" ]; then
+            trigger_build "ddclient"
+          fi
+
+          if [ "${{ steps.changes.outputs.dropbear }}" == "true" ]; then
+            trigger_build "dropbear"
+          fi
+
+          if [ "${{ steps.changes.outputs.ethtool }}" == "true" ]; then
+            trigger_build "ethtool"
+          fi
+
+          if [ "${{ steps.changes.outputs.frr }}" == "true" ]; then
+            trigger_build "frr"
+          fi
+
+          if [ "${{ steps.changes.outputs.frr_exporter }}" == "true" ]; then
+            trigger_build "frr_exporter"
+          fi
+
+          if [ "${{ steps.changes.outputs.hostap }}" == "true" ]; then
+            trigger_build "hostap"
+          fi
+
+          if [ "${{ steps.changes.outputs.hsflowd }}" == "true" ]; then
+            trigger_build "hsflowd"
+          fi
+
+          if [ "${{ steps.changes.outputs.isc-dhcp }}" == "true" ]; then
+            trigger_build "isc-dhcp"
+          fi
+
+          if [ "${{ steps.changes.outputs.keepalived }}" == "true" ]; then
+            trigger_build "keepalived"
+          fi
+
+          if [ "${{ steps.changes.outputs.libnss-mapuser }}" == "true" ]; then
+            trigger_build "libnss-mapuser"
+          fi
+
+          if [ "${{ steps.changes.outputs.libpam-radius-auth }}" == "true" ]; then
+            trigger_build "libpam-radius-auth"
+          fi
+
+          if [ "${{ steps.changes.outputs.linux-kernel }}" == "true" ]; then
+            trigger_build "linux-kernel"
+          fi
+
+          if [ "${{ steps.changes.outputs.ndppd }}" == "true" ]; then
+            trigger_build "ndppd"
+          fi
+
+          if [ "${{ steps.changes.outputs.net-snmp }}" == "true" ]; then
+            trigger_build "net-snmp"
+          fi
+
+          if [ "${{ steps.changes.outputs.netfilter }}" == "true" ]; then
+            trigger_build "netfilter"
+          fi
+
+          if [ "${{ steps.changes.outputs.node_exporter }}" == "true" ]; then
+            trigger_build "node_exporter"
+          fi
+
+          if [ "${{ steps.changes.outputs.openvpn-otp }}" == "true" ]; then
+            trigger_build "openvpn-otp"
+          fi
+
+          if [ "${{ steps.changes.outputs.owamp }}" == "true" ]; then
+            trigger_build "owamp"
+          fi
+
+          if [ "${{ steps.changes.outputs.pam_tacplus }}" == "true" ]; then
+            trigger_build "pam_tacplus"
+          fi
+
+          if [ "${{ steps.changes.outputs.podman }}" == "true" ]; then
+            trigger_build "podman"
+          fi
+
+          if [ "${{ steps.changes.outputs.pyhumps }}" == "true" ]; then
+            trigger_build "pyhumps"
+          fi
+
+          if [ "${{ steps.changes.outputs.radvd }}" == "true" ]; then
+            trigger_build "radvd"
+          fi
+
+          if [ "${{ steps.changes.outputs.strongswan }}" == "true" ]; then
+            trigger_build "strongswan"
+          fi
+
+          if [ "${{ steps.changes.outputs.tacacs }}" == "true" ]; then
+            trigger_build "tacacs"
+          fi
+
+          if [ "${{ steps.changes.outputs.telegraf }}" == "true" ]; then
+            trigger_build "telegraf"
+          fi
+
+          if [ "${{ steps.changes.outputs.udp-broadcast-relay }}" == "true" ]; then
+            trigger_build "udp-broadcast-relay"
+          fi
+
+          if [ "${{ steps.changes.outputs.unionfs-fuse }}" == "true" ]; then
+            trigger_build "unionfs-fuse"
+          fi
+
+          if [ "${{ steps.changes.outputs.vpp }}" == "true" ]; then
+            trigger_build "vpp"
+          fi
+
+          if [ "${{ steps.changes.outputs.waagent }}" == "true" ]; then
+            trigger_build "waagent"
+          fi
+
+          if [ "${{ steps.changes.outputs.wide-dhcpv6 }}" == "true" ]; then
+            trigger_build "ethtool"
+          fi
+
+          if [ "${{ steps.changes.outputs.xen-guest-agent }}" == "true" ]; then
+            trigger_build "xen-guest-agent"
+          fi
+
+          if [ "${{ steps.changes.outputs.zerotier-one }}" == "true" ]; then
+            trigger_build "zerotier-one"
+          fi

.gitignore

@@ -1,9 +1,15 @@
+.build/config
 build/*
+config/*
 *.pyc
 packer_build/*
 packer_cache/*
 key/*
 packages/*
 !packages/*/
-testinstall*.img
-*.qcow2
+/testinstall*.img
+/testinstall*.efivars
+/*.qcow2
+/*.tar
+.DS_Store
+._.DS_Store

CODEOWNERS

@@ -0,0 +1,2 @@
+# Users from reviewers github team
+# * @vyos/reviewers

CONTRIBUTING.md

@@ -40,7 +40,7 @@ task first. Once there is an entry in Phabricator, you should reference its id
 in your commit message, as shown below:
 
 * `ddclient: T1030: auto create runtime directories`
-* `Jenkins: add current Git commit ID to build description`
+* `keepalived: T1234: do not autostart service, will be done by CLI`
 
 If there is no [Phabricator](https://vyos.dev) reference in the
 commits of your pull request, we have to ask you to amend the commit message.

Jenkinsfile

@@ -1,215 +0,0 @@
-#!/usr/bin/env groovy
-// Copyright (C) 2019-2021 VyOS maintainers and contributors
-//
-// This program is free software; you can redistribute it and/or modify
-// in order to easy exprort images built to "external" world
-// it under the terms of the GNU General Public License version 2 or later as
-// published by the Free Software Foundation.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with this program.  If not, see <http://www.gnu.org/licenses/>.
-@NonCPS
-
-// Using a version specifier library, use 'current' branch. The underscore (_)
-// is not a typo! You need this underscore if the line immediately after the
-// @Library annotation is not an import statement!
-@Library('vyos-build@current')_
-setDescription()
-
-node('Docker') {
-    stage('Setup Container') {
-        script {
-            // create container name on demand
-            def branchName = getGitBranchName()
-            // Adjust PR target branch name so we can re-map it to the proper Docker image.
-            if (isPullRequest())
-                branchName = env.CHANGE_TARGET.toLowerCase()
-            if (branchName.equals('master'))
-                branchName = 'current'
-
-            env.DOCKER_IMAGE = 'vyos/vyos-build:' + branchName
-
-            // Get the current UID and GID from the jenkins agent to allow use of the same UID inside Docker
-            env.USR_ID = sh(returnStdout: true, script: 'id -u').toString().trim()
-            env.GRP_ID = sh(returnStdout: true, script: 'id -g').toString().trim()
-            env.DOCKER_ARGS = '--privileged --sysctl net.ipv6.conf.lo.disable_ipv6=0 -e GOSU_UID=' + env.USR_ID + ' -e GOSU_GID=' + env.GRP_ID
-            env.BASE_VERSION = '1.4-rolling-'
-        }
-    }
-}
-
-pipeline {
-    agent {
-        docker {
-            label "Docker"
-            args "${env.DOCKER_ARGS}"
-            image "${env.DOCKER_IMAGE}"
-            alwaysPull true
-            reuseNode true
-        }
-    }
-    triggers {
-        cron('H 3 * * *')
-    }
-    parameters {
-        string(name: 'BUILD_BY', defaultValue: 'autobuild@vyos.net', description: 'Builder identifier (e.g. jrandomhacker@example.net)')
-        string(name: 'BUILD_VERSION', defaultValue: env.BASE_VERSION + 'ISO8601-TIMESTAMP', description: 'Version number (release builds only)')
-        booleanParam(name: 'BUILD_PUBLISH', defaultValue: false, description: 'Publish this build AWS S3')
-        booleanParam(name: 'BUILD_SNAPSHOT', defaultValue: false, description: 'Upload image to AWS S3 snapshot bucket')
-        booleanParam(name: 'TEST_SMOKETESTS', defaultValue: true, description: 'Run Smoketests after ISO build')
-        booleanParam(name: 'TEST_RAID1', defaultValue: true, description: 'Perform RAID1 installation tests')
-    }
-    options {
-        disableConcurrentBuilds()
-        timeout(time: 240, unit: 'MINUTES')
-        timestamps()
-        buildDiscarder(logRotator(numToKeepStr: '20'))
-    }
-    stages {
-        stage('Build ISO') {
-            when {
-                beforeOptions true
-                beforeAgent true
-                // Only run ISO image build process of explicit user request or
-                // once a night triggered by the timer.
-                anyOf {
-                    triggeredBy 'TimerTrigger'
-                    triggeredBy cause: "UserIdCause"
-                }
-            }
-            environment {
-                PYTHONDONTWRITEBYTECODE = 1
-            }
-            steps {
-                script {
-                    // Display Git commit Id used with the Jenkinsfile on the Job "Build History" pane
-                    def commitId = sh(returnStdout: true, script: 'git rev-parse --short=11 HEAD').trim()
-                    currentBuild.description = sprintf('Git SHA1: %s', commitId[-11..-1])
-
-                    def CUSTOM_PACKAGES = ''
-                    if (params.TEST_SMOKETESTS)
-                        CUSTOM_PACKAGES = '--custom-package vyos-1x-smoketest'
-
-                    def VYOS_VERSION = params.BUILD_BY
-                    if (params.BUILD_VERSION == env.BASE_VERSION + 'ISO8601-TIMESTAMP')
-                        VYOS_VERSION = env.BASE_VERSION + sh(returnStdout: true, script: 'date -u +%Y%m%d%H%M').toString().trim()
-
-                    sh """
-                        sudo --preserve-env ./build-vyos-image \
-                            --build-by "${params.BUILD_BY}" \
-                            --debian-mirror http://deb.debian.org/debian/ \
-                            --build-type release \
-                            --version "${VYOS_VERSION}" ${CUSTOM_PACKAGES} iso
-                    """
-
-                    if (fileExists('build/live-image-amd64.hybrid.iso') == false) {
-                        error('ISO build error')
-                    }
-                }
-            }
-        }
-        stage('Smoketests for RAID-1 system installation') {
-            when {
-                expression { fileExists 'build/live-image-amd64.hybrid.iso' }
-                expression { return params.TEST_RAID1 }
-            }
-            steps {
-                sh "sudo make testraid"
-            }
-        }
-        stage('Smoketests') {
-            when {
-                expression { return params.TEST_SMOKETESTS }
-            }
-            parallel {
-                stage('CLI validation') {
-                    when {
-                        expression { fileExists 'build/live-image-amd64.hybrid.iso' }
-                    }
-                    steps {
-                        sh "sudo make test"
-                    }
-                }
-                stage('vyos-configd and arbitrary config loader') {
-                    when {
-                        expression { fileExists 'build/live-image-amd64.hybrid.iso' }
-                    }
-                    steps {
-                        sh "sudo make testc"
-                    }
-                }
-            }
-        }
-    }
-    post {
-        success {
-            script {
-                // only deploy ISO if build from official repository
-                if (isCustomBuild())
-                    return
-
-                // always store local artifacts
-                archiveArtifacts artifacts: '**/build/vyos-*.iso, **/build/vyos-*.qcow2',
-                    allowEmptyArchive: true
-
-                // only deploy ISO if requested via parameter
-                if (!params.BUILD_PUBLISH)
-                    return
-
-                files = findFiles(glob: 'build/vyos*.iso')
-                // Publish ISO image to daily builds bucket
-                if (files) {
-                    // Publish ISO image to snapshot bucket
-                    if (files && params.BUILD_SNAPSHOT) {
-                        withAWS(region: 'us-east-1', credentials: 's3-vyos-downloads-rolling-rw') {
-                            s3Upload(bucket: 's3-us.vyos.io', path: 'snapshot/' + params.BUILD_VERSION + '/', workingDir: 'build', includePathPattern: 'vyos*.iso',
-                            cacheControl: "public, max-age=2592000")
-                        }
-                    } else {
-                        // Publish build result to AWS S3 rolling bucket
-                        withAWS(region: 'us-east-1', credentials: 's3-vyos-downloads-rolling-rw') {
-                            s3Upload(bucket: 's3-us.vyos.io', path: 'rolling/' + getGitBranchName() + '/',
-                                     workingDir: 'build', includePathPattern: 'vyos*.iso')
-                            s3Copy(fromBucket: 's3-us.vyos.io', fromPath: 'rolling/' + getGitBranchName() + '/' + files[0].name,
-                                   toBucket: 's3-us.vyos.io', toPath: 'rolling/' + getGitBranchName() + '/vyos-rolling-latest.iso')
-                        }
-                    }
-
-                    // Trigger GitHub action which will re-build the static community website which
-                    // also holds the AWS download links to the generated ISO images
-                    withCredentials([string(credentialsId: 'vyos.net-build-trigger-token', variable: 'TOKEN')]) {
-                        sh '''
-                            curl -X POST --header "Accept: application/vnd.github.v3+json" \
-                            --header "authorization: Bearer $TOKEN" --data '{"ref": "production"}' \
-                            https://api.github.com/repos/vyos/community.vyos.net/actions/workflows/main.yml/dispatches
-                        '''
-                    }
-                }
-
-                // Publish ISO image to snapshot bucket
-                if (files && params.BUILD_SNAPSHOT) {
-                    withAWS(region: 'us-east-1', credentials: 's3-vyos-downloads-rolling-rw') {
-                        s3Upload(bucket: 's3-us.vyos.io', path: 'snapshot/',
-                                 workingDir: 'build', includePathPattern: 'vyos*.iso')
-                    }
-                }
-            }
-        }
-        failure {
-            archiveArtifacts artifacts: '**/build/vyos-*.iso, **/build/vyos-*.qcow2',
-                allowEmptyArchive: true
-        }
-        cleanup {
-            echo 'One way or another, I have finished'
-            // the 'build' directory got elevated permissions during the build
-            // cdjust permissions so it can be cleaned up by the regular user
-            sh 'sudo make purge'
-            deleteDir() /* cleanup our workspace */
-        }
-    }
-}

Jenkinsfile.docker

@@ -1,84 +0,0 @@
-#!/usr/bin/env groovy
-// Copyright (C) 2019-2021 VyOS maintainers and contributors
-//
-// This program is free software; you can redistribute it and/or modify
-// in order to easy exprort images built to "external" world
-// it under the terms of the GNU General Public License version 2 or later as
-// published by the Free Software Foundation.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with this program.  If not, see <http://www.gnu.org/licenses/>.
-@NonCPS
-
-// Using a version specifier library, use 'current' branch. The underscore (_)
-// is not a typo! You need this underscore if the line immediately after the
-// @Library annotation is not an import statement!
-@Library('vyos-build@current')_
-setDescription()
-
-pipeline {
-    agent none
-    environment {
-        GIT_BRANCH_NAME = getGitBranchName()
-    }
-    options {
-        disableConcurrentBuilds()
-        timeout(time: 240, unit: 'MINUTES')
-        timestamps()
-        buildDiscarder(logRotator(numToKeepStr: '20'))
-    }
-    stages {
-        stage('Build containers') {
-            when {
-                beforeOptions true
-                beforeAgent true
-                // Only run ISO image build process of explicit user request or
-                // once a night triggered by the timer.
-                anyOf {
-                    changeset pattern: "**/docker/*"
-                    changeset pattern: "**/Jenkinsfile.docker"
-                    triggeredBy cause: "UserIdCause"
-                }
-            }
-            parallel {
-                stage('x86_64') {
-                    agent {
-                        label "ec2_amd64"
-                    }
-                    steps {
-                        script {
-                            DOCKER_IMAGE_AMD64 = "vyos/vyos-build:" + env.GIT_BRANCH_NAME
-                            sh "docker build --no-cache --tag ${DOCKER_IMAGE_AMD64} docker"
-                            if (! isCustomBuild()) {
-                                withDockerRegistry([credentialsId: "DockerHub"]) {
-                                    sh "docker push ${DOCKER_IMAGE_AMD64}"
-                                }
-                            }
-                        }
-                    }
-                }
-                stage('arm64') {
-                    agent {
-                        label "ec2_arm64"
-                    }
-                    steps {
-                        script {
-                            DOCKER_IMAGE_ARM64 = "vyos/vyos-build:" + env.GIT_BRANCH_NAME + "-arm64"
-                            sh "docker build --no-cache --tag ${DOCKER_IMAGE_ARM64} --build-arg ARCH=arm64v8/ docker"
-                            if (! isCustomBuild()) {
-                                withDockerRegistry([credentialsId: "DockerHub"]) {
-                                    sh "docker push ${DOCKER_IMAGE_ARM64}"
-                                }
-                            }
-                        }
-                    }
-                }
-            }
-        }
-    }
-}

Makefile

@@ -5,21 +5,10 @@ build_dir := build
 .PHONY: all
 all:
 	@echo "Make what specifically?"
-	@echo "The most common target is 'iso'"
+	@echo "The most common target is 'generic'"
 
-.PHONY: iso
-.ONESHELL:
-iso: clean
-	set -o pipefail
-	@./build-vyos-image iso
-	exit 0
-
-.PHONY: prepare-package-env
-.ONESHELL:
-prepare-package-env:
-	@set -e
-	@scripts/pbuilder-config
-	@scripts/pbuilder-setup
+%:
+	./build-vyos-image $*
 
 .PHONY: checkiso
 .ONESHELL:
@@ -32,27 +21,62 @@ checkiso:
 .PHONY: test
 .ONESHELL:
 test: checkiso
-	scripts/check-qemu-install --debug --uefi build/live-image-amd64.hybrid.iso
+	scripts/check-qemu-install --debug --configd --match="$(MATCH)" --smoketest --uefi --cpu 4 --memory 8 build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
 
 .PHONY: test-no-interfaces
 .ONESHELL:
 test-no-interfaces: checkiso
-	scripts/check-qemu-install --debug --no-interfaces build/live-image-amd64.hybrid.iso
+	scripts/check-qemu-install --debug --configd --smoketest --uefi --no-interfaces --cpu 4 --memory 8 --huge-page-size 2M --huge-page-count 1800 build/live-image-amd64.hybrid.iso
 
-.PHONY: testd
+.PHONY: test-no-interfaces-no-vpp
 .ONESHELL:
-testd: checkiso
-	scripts/check-qemu-install --debug --configd build/live-image-amd64.hybrid.iso
+test-no-interfaces-no-vpp: checkiso
+	scripts/check-qemu-install --debug --configd --smoketest --uefi --no-interfaces --no-vpp build/live-image-amd64.hybrid.iso
+
+.PHONY: test-interfaces
+.ONESHELL:
+test-interfaces: checkiso
+	scripts/check-qemu-install --debug --configd --match="interfaces_" --smoketest --uefi build/live-image-amd64.hybrid.iso
+
+.PHONY: test-vpp
+.ONESHELL:
+test-vpp: checkiso
+	scripts/check-qemu-install --debug --configd --match="vpp" --smoketest --uefi --cpu 4 --memory 8 --huge-page-size 2M --huge-page-count 1800 build/live-image-amd64.hybrid.iso
 
 .PHONY: testc
 .ONESHELL:
 testc: checkiso
-	scripts/check-qemu-install --debug --configd --configtest build/live-image-amd64.hybrid.iso
+	scripts/check-qemu-install --debug --configd --match="!vpp" --cpu 2 --memory 7 --configtest build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
+
+.PHONY: testcvpp
+.ONESHELL:
+testcvpp: checkiso
+	scripts/check-qemu-install --debug --configd --match="vpp" --cpu 4 --memory 8 --huge-page-size 2M --huge-page-count 1800 --configtest build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
 
 .PHONY: testraid
 .ONESHELL:
 testraid: checkiso
-	scripts/check-qemu-install --debug --configd --raid --configtest build/live-image-amd64.hybrid.iso
+	scripts/check-qemu-install --debug --configd --raid build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
+
+.PHONY: testsb
+.ONESHELL:
+testsb: checkiso
+	scripts/check-qemu-install --debug --uefi --sbtest build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
+
+.PHONY: testtpm
+.ONESHELL:
+testtpm: checkiso
+	scripts/check-qemu-install --debug --tpmtest build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
+
+.PHONY: qemu-live
+.ONESHELL:
+qemu-live: checkiso
+	scripts/check-qemu-install --qemu-cmd --uefi build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
+
+.PHONY: oci
+.ONESHELL:
+oci: checkiso
+	scripts/iso-to-oci build/live-image-amd64.hybrid.iso
 
 .PHONY: clean
 .ONESHELL:
@@ -65,7 +89,7 @@ clean:
 	rm -f config/binary config/bootstrap config/chroot config/common config/source
 	rm -f build.log
 	rm -f vyos-*.iso
-	rm -f *.img
+	rm -f *.img *.efivars
 	rm -f *.xz
 	rm -f *.vhd
 	rm -f *.raw

README.md

@@ -33,15 +33,13 @@ There are several directories with their own purpose:
 
  * `build/`    Used for temporary files used for the build and for build artifacts
  * `data/`     Data required for building the ISO (e.g. boot splash/configs)
- * `packages/` This directory has two meanings. First it can hold arbitrary *.deb
-               packages which will be embeded into the resulting ISO, but it also
-                holds Jenkins Pipeline definitions for required VyOS packages.
+ * `packages/` This directory can hold arbitrary *.deb
+               packages which will be embeded into the resulting ISO.
                Among other things those packages will be: Linux Kernel, FRR,
                Netfiler...
  * `scripts/`  Scripts that are used for the build process
  * `tools/`    Scripts that are used for maintainer's tasks automation and other
                purposes, but not during ISO build process
- * `vars/`     Jenkins Pipeline library for reusable functions
 
 # Building VyOS
 
@@ -51,28 +49,21 @@ be found in our [Documentation - Build VyOS](https://docs.vyos.io/en/latest/cont
 
 # Development Branches
 
-The default branch that contains the most recent VyOS code is called `current`
-rather than `master`. We know it's confusing, but it's not easy to fix. In a
-nutshell, the code we inherited from Vyatta Core had its `master` branch so out
-of sync with everything it was beyond any repair. Vyatta developers used to create
-a new branch not when a release is ready for code freeze, but rather before
-starting to work on a new release. This is hard to change in existing code, so
-this is just the way it is, for now.
+The default branch that contains the most recent VyOS code is called `current`.
+We may or may not eventually switch to `main`.
 
-All new code goes to the `current` branch. When it's time for a code freeze, a
+All new code goes to the `current` branch. When a new LTS release is ready for feature freeze, a
 new branch is created for the release, and new code from `current` is backported
 to the release branch as needed.
 
-In packages that originate from VyOS the master branch is kept in sync with
-`current`, but we still use `current` as default branch for uniformity. When the
-last legacy package is gone, we will switch to using the `master` branch and
-retire `current`.
-
 Post-1.2.0 branches are named after constellations sorted by area from smallest
 to largest. There are 88 of them, here's the
 [complete list](https://en.wikipedia.org/wiki/IAU_designated_constellations_by_area).
 
-* VyOS 1.2: `crux` (Southern Cross)
-* VyOS 1.3: `equuleus` (Little Horse)
-* VyOS 1.4: `sagitta` (Arrow)
-* ...
+Existing branches:
+
+* VyOS 1.4: `sagitta` (Arrow) [LTS]
+* VyOS 1.3: `equuleus` (Little Horse) [LTS]
+* VyOS 1.2: `crux` (Southern Cross) [Unsupported]
+
+The next LTS release will be VyOS 1.5 `circinus` (Compasses).

build-vyos-image

@@ -1 +1 @@
-scripts/build-vyos-image
+scripts/image-build/build-vyos-image

data/architectures/amd64.toml

@@ -1,15 +1,26 @@
-additional_repositories = [
-  "deb [arch=amd64] https://repo.saltproject.io/py3/debian/11/amd64/3004 bullseye main"
-]
-
-kernel_flavor = "amd64-vyos"
-
 # Packages added to images for x86 by default
 packages = [
   "grub2",
   "grub-pc",
+  "vyos-drivers-realtek-r8152",
   "vyos-linux-firmware",
   "vyos-intel-qat",
-  "openvpn-dco",
-  "telegraf"
+  "vyos-intel-ixgbe",
+  "vyos-intel-ixgbevf",
+  "vyos-ipt-netflow",
+  "intel-microcode",
+  "amd64-microcode"
 ]
+
+[additional_repositories.salt]
+  architecture = "amd64"
+  url = "https://packages.vyos.net/saltproject/debian/11/amd64/3005"
+  distribution = "bullseye"
+
+[additional_repositories.zabbix]
+  url = "https://repo.zabbix.com/zabbix/6.0/debian"
+
+[additional_repositories.kea]
+  architecture = "amd64"
+  url = "https://dl.cloudsmith.io/public/isc/kea-3-0/deb/debian"
+  distribution = "bookworm"

data/architectures/arm64.toml

@@ -1,9 +1,19 @@
-additional_repositories = [
-  "deb [arch=arm64] https://repo.saltproject.io/py3/debian/11/arm64/3004 bullseye main"
-]
-
-kernel_flavor = "arm64-vyos"
-
 # Packages included in ARM64 images by default
-packages = ["grub-efi-arm64", "openvpn-dco"]
+packages = [
+  "grub-efi-arm64",
+]
 bootloaders = "grub-efi"
+squashfs_compression_type = "xz -b 256k -always-use-fragments -no-recovery"
+
+[additional_repositories.salt]
+  architecture = "arm64"
+  url =	"https://packages.vyos.net/saltproject/debian/11/arm64/3005"
+  distribution = "bullseye"
+
+[additional_repositories.zabbix]
+  url = "https://repo.zabbix.com/zabbix/6.0/debian-arm64"
+
+[additional_repositories.kea]
+  architecture = "arm64"
+  url = "https://dl.cloudsmith.io/public/isc/kea-3-0/deb/debian"
+  distribution = "bookworm"

data/architectures/armhf.toml

@@ -1,2 +1,6 @@
+additional_repositories = [
+  "deb [arch=armhf] https://packages.vyos.net/saltproject/debian/11/arm64/3005 bullseye main"
+]
+
 # Packages included in armhf images by default
 packages = ["grub-efi-arm"]

data/build-flavors/README.md

@@ -1,76 +0,0 @@
-# VyOS build flavors
-
-VyOS supports multiple different hardware and virtual platforms.
-Those platforms often need custom packages and may require custom
-configs. To make maintenance of existing flavors simpler
-and to allow everyone to make and maintain their own flavors,
-the build scripts support storing flavor configuration in [TOML](https://toml.io) files.
-
-Flavor files must be in `data/build-flavors`. Here's an example:
-
-```toml
-# Generic (aka "universal") ISO image
-
-image_format = "iso"
-
-# Include these packages in the image regardless of the architecture
-packages = [
-  # QEMU and Xen guest tools exist for multiple architectures
-  "qemu-guest-agent",
-  "vyos-xe-guest-utilities",
-]
-
-[architectures.amd64]
-  # Hyper-V and VMware guest tools are x86-only
-  packages = ["hyperv-daemons", "vyos-1x-vmware"]
-```
-
-## Image format
-
-The `image_format` option specifies the default format to build.
-
-```toml
-image_format = "iso"
-```
-
-**Note:** currently, ISO is the only supported format,
-support for different flavors is in progress.
-
-## Including custom packages
-
-If you want the build scripts to include custom packages from repositories
-in the image, you can list them in the `packages` field.
-
-For example, this is how to include the GNU Hello package:
-
-```toml
-packages = ['hello']
-```
-
-It's possible to include packages only in images with certain build architectures
-by placing them in a subtable.
-
-If you want to include GNU Hello only in AMD64 images, do this:
-
-```toml
-[architectures.amd64]
-  packages = ['hello']
-```
-
-## Including custom files
-
-You can include files inside the SquashFS filesystem by adding entries
-to the `includes_chroot` array. 
-
-```toml
-[[includes_chroot]]
-  path = "etc/question.txt"
-  data = '''
-Can you guess how this file ended up in the image?
-  '''
-
-  path = "etc/answer.txt"
-  data = '''
-It was in the flavor file!
-  '''
-```

data/build-flavors/aws-iso.toml

@@ -1,3 +0,0 @@
-image_format = "iso"
-
-packages = ["amazon-cloudwatch-agent"]

data/build-flavors/azure-iso.toml

@@ -1,5 +0,0 @@
-image_format = "iso"
-
-packages = ["waagent"]
-
-

data/build-flavors/edgecore.toml

@@ -1,46 +0,0 @@
-# ISO image for EdgeCore routers
-
-image_format = "iso"
-
-# udev rules for correct ordering of onboard NICs
-[[includes_chroot]]
-  path = "lib/udev/rules.d/64-vyos-SAF51015I-net.rules"
-  data = '''
-ATTR{[dmi/id]board_name}!="SAF51015I-0318-EC", GOTO="end_ec_nic"
-
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:02:00.0", ENV{VYOS_IFNAME}="eth1"
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:03:00.0", ENV{VYOS_IFNAME}="eth2"
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:04:00.0", ENV{VYOS_IFNAME}="eth3"
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:05:00.0", ENV{VYOS_IFNAME}="eth4"
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:06:00.0", ENV{VYOS_IFNAME}="eth5"
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:06:00.1", ENV{VYOS_IFNAME}="eth6"
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:06:00.2", ENV{VYOS_IFNAME}="eth7"
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:06:00.3", ENV{VYOS_IFNAME}="eth8"
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:0a:00.0", ENV{VYOS_IFNAME}="eth9"
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:0a:00.1", ENV{VYOS_IFNAME}="eth10"
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:0b:00.0", ENV{VYOS_IFNAME}="eth11"
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:0b:00.1", ENV{VYOS_IFNAME}="eth12"
-
-LABEL="end_ec_nic"
-
-'''
-
-[[includes_chroot]]
-  path = "lib/udev/rules.d/64-vyos-SAF51003I-net.rules"
-  data = '''
-ATTR{[dmi/id]board_name}!="SAF51003I", GOTO="end_ec_nic"
-
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:02:00.0", ENV{VYOS_IFNAME}="eth1",  ATTR{ifalias}="LAN1"
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:02:00.1", ENV{VYOS_IFNAME}="eth2",  ATTR{ifalias}="LAN2"
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:02:00.2", ENV{VYOS_IFNAME}="eth3",  ATTR{ifalias}="LAN3"
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:02:00.3", ENV{VYOS_IFNAME}="eth4",  ATTR{ifalias}="LAN4"
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:05:00.0", ENV{VYOS_IFNAME}="eth5",  ATTR{ifalias}="LAN5"
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:05:00.1", ENV{VYOS_IFNAME}="eth6",  ATTR{ifalias}="LAN6"
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:05:00.2", ENV{VYOS_IFNAME}="eth7",  ATTR{ifalias}="LAN7"
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:05:00.3", ENV{VYOS_IFNAME}="eth8",  ATTR{ifalias}="LAN8"
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:08:00.0", ENV{VYOS_IFNAME}="eth9",  ATTR{ifalias}="DMZ"
-ACTION=="add", SUBSYSTEM=="net", KERNELS=="0000:08:00.1", ENV{VYOS_IFNAME}="eth10", ATTR{ifalias}="WAN"
-
-LABEL="end_ec_nic"
-
-'''

data/build-flavors/generic.toml

@@ -0,0 +1,3 @@
+# Generic (aka "universal") ISO image
+
+image_format = "iso"

data/build-flavors/iso.toml

@@ -1,14 +0,0 @@
-# Generic (aka "universal") ISO image
-
-image_format = "iso"
-
-# Include these packages in the image regardless of the architecture
-packages = [
-  # QEMU and Xen guest tools exist for multiple architectures
-  "qemu-guest-agent",
-  "vyos-xe-guest-utilities",
-]
-
-[architectures.amd64]
-  # Hyper-V and VMware guest tools are x86-only
-  packages = ["hyperv-daemons", "vyos-1x-vmware"]

data/build-flavors/xcpng.toml

@@ -1,6 +0,0 @@
-# Installation ISO for the XCP-ng virtualization platform
-
-image_formats = "iso"
-
-# Include these packages in the image
-packages = ["xe-guest-utilities"]

data/build-types/development.toml

@@ -6,3 +6,73 @@ packages = [
   "vim",
   "vyos-1x-smoketest"
 ]
+
+[[includes_chroot]]
+  path = 'usr/share/vyos/EULA'
+  data = '''
+VyOS ROLLING RELEASE END USER LICENSE AGREEMENT
+
+PLEASE READ THIS AGREEMENT CAREFULLY BEFORE INSTALLING AND/OR USING VyOS ROLLING RELEASE.
+IF YOU DO NOT ACCEPT THE TERMS OF THIS AGREEMENT, THEN YOU MUST NOT USE VyOS ROLLING RELEASE.
+
+I. This End-User License Agreement (“Agreement”) is a legal document between you and VyOS Inc.
+(a company organized and existing under the laws of California,
+having its registered office at 12585 Kirkham Ct, Suite 1, Poway, California 92604)
+that governs your use of VyOS Rolling Release, available at vyos.io website.
+
+II. By downloading, installing and using VyOS Rolling Release you:
+- irrevocably agree to comply with all applicable laws, restrictions,
+  regulations, rules, the GNU GPL and other applicable licenses, and with this Agreement;
+- confirm you have all legal rights to enter into this Agreement
+  and your authority is not limited by any legal means;
+- obligate to certainly, indisputably and immediately
+  (but in any case at the first request of the VyOS Inc.)
+  compensate for any damage, if such is caused to the VyOS Inc. by your actions;
+- assure and enforce any third party you grant access to Rolling Release
+  will bear the same amount of obligations.
+  For the purpose of this Agreement such third party will be referred to also as “you”.
+
+III. VyOS Rolling Release (“Rolling Release”) are copyrighted works
+released under the terms of the GNU General Public License (GPL)
+and other licenses  approved by the Open Source Initiative (www.opensource.org),
+(hereinafter, the “Public Licenses”).
+Verbatim copies of such works may be made and distributed, by anyone,
+in accordance with the terms of the GPL and the Public Licenses.
+The GPL and the Public Licenses also grant you certain rights
+to make and distribute derivative works based on the source code to Rolling Release.
+
+You can redistribute and/or modify the Rolling Release under the terms of the GPL and the Public Licenses.
+You may obtain a copy of the source code corresponding to the binaries for the Rolling Release
+from public Git repositories as https://github.com/vyos
+
+The GPL and the Public Licenses do not grant you any right, license or interest to use “VyOS” trademarks and logos,
+that are trademarks or registered trademarks in the US, EU and other countries,
+in connection with these derivative works.
+VyOS trademarks may not be used in connection with any such derivative works
+unless that usage is explicitly and specifically permitted, in writing.
+Otherwise, You must modify the files identifiable as VyOS logos and VyOS trademarks
+so as to remove all use of images containing them.
+Note that mere deletion of these files may corrupt the Rolling Release.
+
+IV. Under no circumstances VyOS Inc. will be liable to you for any damages,
+however caused or arising in any way out of the use of
+or of inability to use the Rolling Release.
+VyOS Inc. provides no warranty for Rolling Release.
+
+V. This Agreement comes into force upon your acceptance in the form of downloading,
+installing or using Rolling Release (whatever happens first) and remains valid until termination.
+This Agreement shall terminate immediately if you violate any applicable law,
+restriction, regulation, rule, GPL or other applicable license, or any provision of this Agreement.
+Upon termination of this Agreement you shall discontinue to use Rolling Release
+and delete it as well as all copies you made from all storage devices.
+
+VI. This Agreement may be amended by VyOS Inc. at any time and brought to your attention
+by publication on vyos.io website with enter into force immediately after such publication.
+
+VII. This Agreement, and any dispute or claim arising out of or in connection with it,
+shall be governed by, and construed in accordance with the laws of California.
+The courts of California shall have exclusive jurisdiction to settle any dispute or claim.
+
+For more information or any other query please contact VyOS Inc. at: legal@vyos.io
+
+'''

data/build-types/release.toml

@@ -0,0 +1,441 @@
+[[includes_chroot]]
+  path = 'usr/share/vyos/EULA'
+  data = '''
+VyOS END USER LICENSE AGREEMENT
+
+PLEASE READ THIS END USER LICENSE AGREEMENT (EULA, THIS ‘AGREEMENT') CAREFULLY
+BEFORE USING VYOS FROM US. BY USING VYOS, YOU ("YOU", "LICENSEE", "CUSTOMER")
+SIGNIFY YOUR ASSENT TO AND ACCEPTANCE OF THIS END USER LICENSE AGREEMENT AND
+ACKNOWLEDGE YOU HAVE READ AND UNDERSTAND THE TERMS. THIS AGREEMENT IS
+ENFORCEABLE AGAINST ANY PERSON OR ENTITY THAT USES THE SOFTWARE AND ANY PERSON
+OR ENTITY (E.G., SYSTEMS INTEGRATOR, CONSULTANT OR CONTRACTOR) THAT USES THE
+SOFTWARE ON ANOTHER PERSON'S OR ENTITY'S BEHALF. IF YOU DO NOT ACCEPT THE TERMS
+OF THIS AGREEMENT, THEN YOU MUST NOT USE THE SOFTWARE. THE EFFECTIVE DATE OF
+THIS AGREEMENT IS THE EARLIEST OF THE START DATE OF SERVICES STATED IN OUR
+INVOICE, PREVIOUS ACCEPTANCE OF THIS AGREEMENT (OR OUR BUSINESS PARTNER'S ORDER
+OR/AND INVOICE, PREVIOUS ACCEPTANCE OF THIS AGREEMENT) OR THE DATE THAT
+CUSTOMER HAS ACCESS AND IS ABLE TO USE OUR PRODUCTS OR SERVICES. THIS END USER
+LICENSE AGREEMENT DOES NOT COVER ANY SERVICES FROM US, OR THROUGH OUR BUSINESS
+PARTNER, OTHER THAN ACCESS TO THE SOFTWARE, SUCH AS TECHNICAL SUPPORT, UPGRADES
+OR SUPPORT SERVICES. PLEASE REVIEW YOUR SERVICES OR SUBSCRIPTION AGREEMENT(S)
+THAT YOU MAY HAVE WITH US OR OTHER AUTHORIZED VYOS SERVICES PROVIDER OR
+BUSINESS PARTNER REGARDING THE SOFTWARE AND SERVICES AND ASSOCIATED PAYMENTS.
+
+1. Definitions
+
+1.1 "We, Our, Us" means VyOS Contracting Entity  defined in Section 13.
+
+1.2 "VyOS" or "Software" means VyOS software provided by Us (or authorized
+services provider or  business partner) and consisting of VyOS software
+application (exclusively or along with any third-party software included
+therein or therewith) that includes or refers to this Agreement and any related
+documentation (including, without limitation, user and technical documentation,
+further explanatory written materials related to the Software, etc.), services
+(including, without limitation, SaaS, internet-based service, etc.), tool,
+application, component, object code, source code, appearance (including,
+without limitation, images, designs, fonts, etc.), structure as well as any
+modification
+and update thereof, regardless of the delivery mechanism.
+
+"Services" means software support services and any other services provided by
+Us, or through Our Business Partner, on a subscription basis.
+
+1.3 "Authorized Users" means employees or individual contractors to whom,
+pursuant to this Agreement, the Licensee has granted a right to access and use
+the Software with your credentials, provided that such access shall be for your
+sole benefit and in full compliance with this EULA.
+
+All Authorized Users are bound by the terms of this Agreement.
+
+1.4 "Cloud Provider" means authorized hosting partner's cloud marketplace
+platform, a company that delivers cloud computing based services, resources and
+solutions to businesses and/or offers solutions via the cloud marketplace.
+
+1.5 "Business Partner" shall mean Our authorized sales agent, partner, Cloud
+Provider reseller or distributor of the Software and Our Services authorized to
+sell Software and Services via our subscriptions. Purchases through or by a
+Business Partner. In instances where Customer purchases through a Business
+Partner, final prices and terms and conditions of sale will be as agreed
+between Customer and the Business Partner from which Customer makes such
+purchases; however, the terms set forth in this EULA are applicable to
+Customer's use and the performance of VyOS. Customer acknowledges that:
+(a) We may share information with the Business Partner related to Customer's
+    use and consumption of VyOS, and vice versa, for account management and
+    billing purposes;
+(b) the termination provisions below will also apply if Customer's Business
+    Partner fails to pay Us applicable fees; and
+(c) Business Partner is not authorized to make any changes to this EULA or
+    otherwise authorized to make any warranties, representations, promises or
+    commitments on Our behalf or in any way concerning the VyOS.
+
+"Business Partner's order" means the ordering document(s), issued during Your
+purchasing process by Our Business Partner in a way and manner as defined by
+Our Business Partner. Business Partner's order may describe specific Software
+and Services, Subscription(s), associated fees, payment terms, and shall be
+subject to the terms of this Agreement  and EULA.
+
+1.6 "Customer", "You", "Licensee", "Your" - user of VyOS and its heirs, agents,
+successors, assigns and - for the purpose of Global subscription - its
+Affiliates.
+
+2. License Grant
+
+Subject to the following terms, We grant to You a perpetual, worldwide license
+to the Software (most of which includes multiple software components) pursuant
+to different open sourced and public licenses. The license agreement for each
+software component is located in the software component's source code and
+permits you to run, copy, modify, and redistribute the software component
+(subject to certain obligations in some cases), both in source code and binary
+code forms, with the exception of the images identified in Section 4 below. You
+shall either agree to the terms of each applicable public license or You must
+not install/use those components or exercise such licensed rights.
+
+This EULA pertains solely to the Software and does not limit your rights under,
+or grant you rights that supersede, the license terms of any particular
+component.
+
+2.1 Limited Modifications. For the avoidance of doubt, Licensee is permitted to
+use VyOS from Us in accordance with VyOS terms and conditions and on the
+specific quotation, purchase order and/or the subscription or customized
+agreements, if any. Any other modifications of VyOS terms and conditions won't
+be allowed, except as expressly authorized through a separate custom agreement,
+unless otherwise defined by this Agreement, specific quotation, purchase order
+and/or the subscription or customized agreements.
+
+2.2 No Unbundling. Nonetheless, the Software is designed and provided to
+Licensee solely as permitted herein. Licensee shall not unbundle or repackage
+the Software for distribution, transfer or other disposition, unless otherwise
+specified by this Agreement.
+
+3. Prohibited Use and Allowed Use
+
+3.1 Except as expressly authorized through a separate custom agreement,
+Licensee and the Authorized Users are prohibited from:
+(a) using the Software on behalf of third parties;
+(b) sublicensing, licensing, renting, leasing, lending or granting other rights
+    in the Software including rights on a membership or subscription basis;
+(c) providing use of the Software in a service bureau arrangement, outsourcing
+    or on a time sharing basis;
+(d) interfere with or disrupt the Software or systems used to provide the VyOS
+    or other equipment or networks connected;
+(e) circumvent or disclose the user authentication or security of the Software
+    or any host, network, or account related thereto or attempt to gain
+    unauthorized access;
+(f) store or transmit SPAM or malicious code;
+(g) duplicate the Software or publish the Software for others to copy;
+(h) infringe the intellectual property rights of any entity or person; or
+(i) make any use of the Software that violates any applicable local, state,
+    national, international or foreign law or regulation.
+
+For more information about how to obtain a custom agreement, please contact us
+at: sales@vyos.io.
+
+3.2 The following uses of the Software shall be allowed:
+(a) any lab setup within the Licensee or on an Authorized User's personal
+    device, for the purpose of learning, testing, or debugging company network
+    configs, and
+(b) any use in Authorized User's personal home networks, including but not
+    limited to Internet access, corporate VPN access, learning and
+    experimentation.
+
+4. Intellectual Property Rights
+
+The Software and each of their components are owned by Us and other licensors
+and are protected under copyright law and other laws as applicable. Title to
+the Software and any component and systems, or to any copy or modification
+shall remain with Us and other licensors, subject to the applicable license.
+The "VyOS" mark, the individual Software marks, and the "VyOS" logo are
+trademarks or registered trademarks in the EU, US and other countries. Artwork
+files that feature the VyOS logo, including but not limited to boot splash
+images and user interface elements, are Our property, distributed on the "all
+rights reserved" basis. You cannot redistribute those files separately or as
+part of Software without an express permission from the copyright holder. By
+accepting this Agreement You commit not to register or request registration of
+any commercial name, domain name, email, trademark, symbol or distinctive;
+sign, with similar characteristics, color, typography, style or appearance or
+that includes the word "VyOS" or/and VyOS logo.
+
+This EULA does not permit you to distribute the Software using VyOS trademarks,
+regardless of whether the Software has been modified. You may make a commercial
+redistribution of the Software only if
+(a) permitted under a separate written agreement with Us authorizing such
+    commercial redistribution or
+(b) you remove and replace all Our occurrences and VyOS trademarks and logos.
+
+Modifications to the software may corrupt the Software.
+
+4.1 The Licensee grants Us a right to use its logos and trademarks for the
+purpose of displaying their Licensee status on the VyOS website, and for the
+purposes specified in VyOS Subscription Agreement. We will not claim that the
+Licensee endorses VyOS and will not publicize any details of Licensee's VyOS
+usage, network setup, or any other information not explicitly provided by the
+Licensee for public release.
+
+4.1.1 The Licensee can revoke Our right to use Licensee's trademarks and logos
+at any time, unless otherwise agreed in VyOS Subscription Agreement, or Our
+Quotation.
+
+5. Updates
+
+Along with all software update subscriptions, We provide security updates,
+hot-fixes and security advisory notifications before public disclosure
+(herein after collectively referred to as the "Updates"). You expressly
+acknowledge and agree that We have no obligation to make available and/or
+provide any Updates. All upgrades and Updates are provided by Us or through
+Our Business Partners to Licensee at Our sole discretion and are subject to
+the terms of this Agreement on a license exchange basis. Any obligations that
+We may have to support previous versions during the license term may end upon
+the availability of this update. Upgrades and Updates may be licensed to
+Licensee by Us with additional or different terms.
+
+6. Support
+
+This agreement does not automatically entitle the Licensee to any support for
+the Software provided by Us or through Our Business Partners unless otherwise
+specified in the subscription terms. For the avoidance of doubt, We have no
+liability and provide no support for any hardware or any cloud marketplace
+services provided by any Business Partner or Cloud Provider. Where available,
+maintenance and support may be purchased separately subject to a separate
+VyOS's support services included subscriptions.
+
+Support for software built from source code by a party other than Us, with or
+without modifications made by the Licensee or a third party, is provided only
+through separate agreements.
+
+For more information about how to obtain a VyOS's software and support services
+included subscriptions, please contact us at: sales@vyos.io.
+
+7. Term and Termination.
+
+This Agreement begins on the Effective Date and shall remain in effect until
+terminated due to
+(a) Licensee fails to pay the fees amounts associated to Our subscriptions
+    when due or otherwise materially breaches this Agreement, specific
+    quotation, purchase order and/or the subscription or customized agreements
+    and fails to remedy the breach within ten (10) days from the receipt of a
+    notification sent in writing or electronically,
+(b) Licensee's deactivation or subscription cancellation of the Software,
+(c) Licensee fails to pay the Business Partner, or terminate the agreement with
+    a Business Partner, or Business Partner fails to pay Us the applicable fees
+    of your Software and/or Services, or
+(d) We change, cease to provide or discontinue the Software at any time.
+
+Upon the occurrence of (a), (b), (c) or (d), above, We are entitled to
+terminate this Agreement. Upon termination of this Agreement for any reason,
+Licensee shall discontinue use of the Software. If you have copies of the
+Software obtained when You still had an active subscription, you can keep using
+them indefinitely as long as you comply with this Agreement and VyOS
+Subscription Agreement, in particular - with Section 4 above and provided this
+is not intended to interfere with any rights you may have from other public
+and open source licenses.Termination shall not, however, relieve either party
+of obligations incurred prior to the termination. The following Sections shall
+survive termination of this Agreement: Definitions, Intellectual Property
+Rights, Limited Warranty, Limitation of Remedies and Liability, General, Term
+and Termination, and others which by their nature are intended to survive.
+
+8. Limited Warranty
+
+Except as specifically stated in this Section 8, a separate agreement with Us,
+or a license for a particular component, to the maximum extent permitted under
+applicable law, the Software and the components are provided and licensed
+"as is" without warranty of any kind, express or implied, including the
+implied warranties of merchantability, non-infringement, integration, quiet
+enjoyment, satisfactory quality or fitness for a particular purpose. Neither
+Us nor Our affiliates and Business Partners warrant that the Software will
+meet your requirements, will be uninterrupted, timely, secure; that the
+operation of the Software will be entirely error-free, appear or perform
+precisely as described in the accompanying documentation, or comply with
+regulatory requirements; that the results that may be obtained from the use of
+the Software will be effective, accurate or reliable; the quality of the
+Software will meet your expectations; or that any errors or defects in the
+Software will be corrected. This warranty extends only to the party that
+purchases subscription services for the Software from Us and/or Our affiliates
+or a Our authorized Business Partner.
+
+We and Our affiliates specifically disclaim any liability with regard to any
+actions resulting from your use of the Software. Any material downloaded or
+otherwise obtained through use of the Software is accessed at your own
+discretion and risk, and you will be solely responsible for any damage to your
+computer system or loss of data that results from use of the Software. We and
+Our affiliates assume no liability for any malicious software that may be
+downloaded to your computer as a result of your use of the Software.
+
+We will not be liable for any loss that you may incur as a result of a third
+party using your password or account or account information in connection with
+the Software, either with or without your knowledge.
+
+Licensee assumes the entire cost of all necessary servicing, repair, or
+correction of problems caused by viruses or other harmful components; We
+disclaim and makes no warranties or representations as to the accuracy,
+quality, reliability, suitability, completeness, truthfulness, usefulness, or
+effectiveness of the outputs, logs, reports, data, results or other information
+obtained, generated or otherwise received by Licensee from accessing and/or
+using the Software or otherwise resulting from this Agreement; and Licensee
+shall use the Software at its own risk and in no event shall We be liable to
+Licensee for any loss or damage of any kind (except personal injury or death
+resulting from Our negligence, fraud or fraudulent misrepresentation and any
+other liability that cannot be excluded by law) arising from Licensee's use of
+or inability to use the Software or from faults or defects in the Software
+whether caused by negligence or otherwise.
+
+Licensee agrees to defend, indemnify and hold Us harmless from any losses,
+liabilities, damages, actions, claims or expenses (including legal fees and
+court costs) arising or resulting from Licensee's breach of any term of this
+agreement or caused by acts or omissions performed by licensee.
+
+Some jurisdictions do not allow the exclusion of certain warranties, the
+limitation or exclusion of implied warranties, or limitations on how long an
+implied warranty may last, so the above limitations may not apply to you.
+
+9. Limitation of Remedies and Liability
+
+To the maximum extent permitted under applicable law, under no circumstances
+will We, Our affiliates, any of Our authorized Business Partner, or the
+licensor of any component provided to you under this EULA be liable to you for
+any direct, indirect, incidental, special, exemplary, punitive, or
+consequential damages (including, but not limited to, procurement of substitute
+goods or services, computer failure or malfunction, loss of data or profits,
+business interruption, etc.) however caused and on any theory of liability,
+whether in contract, strict liability, or tort (including negligence or
+otherwise) arising in any way out of the use of the software or inability to
+use the software, even if We, Our affiliates, an authorized Business Partner,
+and/or licensor are aware of or have been advised of the possibility of such
+damage. To the extent permitted by law and as the maximum aggregate liability,
+Our or Our affiliates' liability, an authorized Business Partner's liability
+or the liability of the licensor of a component provided to you under or in
+connection with this EULA will be limited to the lesser of either five hundred
+United States dollars ($500) or the fees paid by the Licensee or by Business
+Partner and received by Us for the Software and attributable to the 6 month
+period immediately preceding the first event giving rise to such liability. The
+limitations and exclusions in this section  apply to the maximum extent
+permitted by applicable law in your jurisdiction. Some jurisdictions prohibit
+the exclusion or limitation of liability for incidental, consequential or
+punitive damages. Accordingly, the limitations and exclusions set forth above
+may not apply to you.
+
+10. Compliance and Export Control
+
+You understand that countries may restrict the import, use, export, re-export
+or transfer of encryption products and other controlled materials (which may
+include the Software or related technical information licensed hereunder). You
+agree to comply with export regulations by the Bureau of Industry and Security
+of the U.S. Department of Commerce and all applicable laws, restrictions and
+regulations in Your use of the Software, including but not limited to export
+restrictions of various countries that the Software may be subject to, and
+personal data protection regulations. You should comply with and oblige to
+secure Us from any breach of any law and regulation, from any claim or
+litigation arising as a result of such breach and to reimburse Us any loss,
+resulting from such breach. You will not use the Software for a prohibited use.
+10.1 Sanctions compliance. You undertake to follow that You and any person,
+allowed to use the Software and the Services by You, is not a subject or the
+target of sanctions, embargoes and restrictive measures ("Sanctions"),
+administered by the Office of Foreign Assets Control of the U.S. Department of
+the Treasury or the U.S. Department of State, the United Nations Security
+Council, the European Union, Her Majesty's Treasury of the United Kingdom,
+Department of Foreign Affairs and Trade of the Australian Federal Government,
+or other relevant sanctions authority ("Sanctioning Authorities").
+
+You undertake to comply with all the abovementioned Sanctions in all possible
+ways to keep Us harmless and oblige to immediately terminate  relations with
+any person that becomes (or is) subject or target of any of the abovementioned
+Sanctions, or assists anybody to evade or violate the above mentioned Sanctions.
+
+11. Third-Party Beneficiary
+
+Licensee acknowledges and agrees that Our licensors (and/or Us if Licensee
+obtained the Software from any party other than Us) are third party
+beneficiaries of this Agreement, with the right to enforce the obligations set
+forth herein with respect to the respective technology of such licensors and/or
+Ours.
+
+12. Third-party components, contributions and software programs
+
+We do not assert any Intellectual Property Rights over:
+(a) components created by third parties that may be taken from upstream
+    sources in binary form compiled by Us from the source code;
+(b) source code and documentation of the Software, which is develope
+    ollaboratively and is open to contributions by parties not affiliated with
+    Us (to such purpose, contributors give Us non-exclusive rights according
+    to the licenses of the Software and documentation);
+(c) third parties software or programs included therein or therewith the
+    Software.
+
+13. General
+
+If any provision of this EULA is held to be unenforceable, the enforceability
+of the remaining provisions shall not be affected.
+
+Updates and upgrades may be licensed to Licensee by Us with additional or
+different terms.
+
+You are not allowed to transfer or assign this EULA or any rights hereunder,
+unless with Our previous written consent. Please inform Us of Your intention
+to transfer or assign in advance so We can respond accordingly. Conversely, We
+may transfer, assign, sublicense or delegate the EULA or any portions thereof,
+without restriction. We also may subcontract any performance associated with
+the Software to third parties, provided that such subcontract does not relieve
+Us of any of Our obligations under this EULA.
+
+Licensee may not sublicense, transfer or assign, whether voluntarily or by
+operation of law, any right or license in or to the Software. Any attempted
+sublicense, transfer or assignment shall be void.
+
+We may, from time-to-time modify this agreement.
+
+Licensee shall comply with all applicable laws and regulations pertaining to
+this Agreement
+
+This Agreement, along with a VyOS Subscription Agreement, Privacy Policy and
+Terms and Conditions, any quotation, purchase order and services level
+agreement, if applicable, and any other documents deemed to be incorporated by
+reference in it, constitutes the entire agreement between the parties with
+respect to its subject matter and it supersedes all prior or contemporaneous
+agreements concerning such matter. If you order VyOS from a Business Partner,
+then any agreement that you enter into with a Business Partner is solely
+between you and a Business Partner and will not be binding on Us.
+
+In the table below, "Customer Location" refers to where Customer is located
+(as determined by Customer's business address on the invoice) and determines
+which table row applies to Customer:
+
+Customer Location*         VyOS Contracting Entity  Governing Law  Venue/Courts
+==================         =======================  =============  ============
+North & South America      VyOS Inc                  California    Poway
+
+EEA & UK                   VyOS EMEA Operations      Ireland       Cork
+(except Spain & Portugal)  Limited
+
+Spain, Andorra & Portugal  VyOS Networks Iberia SLU  Spain         Madrid
+
+Asia & Oceania             VyOS APAC Pty Ltd         Australia     Sydney
+
+Non-EEA parts of Europe,   VyOS Networks Cyprus      Cyprus        Limassol
+Middle East, & Africa      Limited
+(except Andorra)
+
+*all sales via Cloud Providers are generally done by VyOS Inc., unless
+otherwise decided by Us regardless of Customer location.
+
+References to "We", "Our", "Us" are references to the applicable VyOS
+Contracting Entity specified in the Contracting Entity Table, unless otherwise
+has been decided for operational purposes, in the Quotation and in the invoice.
+The Services are provided by that VyOS Contracting Entity.
+
+This Agreement, and any disputes arising out of or related hereto, will be
+governed exclusively by the applicable governing law above, without giving
+effect to any of its conflicts of laws, rules or principles. The courts located
+in the applicable venue above will have exclusive jurisdiction to adjudicate
+any dispute arising out of or relating to this Agreement or its formation,
+interpretation, or enforcement. Each party hereby consents and submits to the
+exclusive jurisdiction of such courts. Before resorting to any external dispute
+resolution mechanisms, the parties agree to use their best efforts in good
+faith to settle any dispute in relation to the Agreement.
+
+We may, in our sole discretion, amend this EULA at any time by posting a
+revised version thereof on Our website and, by updating the "last updated"
+date on the applicable page, or by providing reasonable notice. Your continued
+use of the Software following changes to the Agreement after the effective
+date of a revised version thereof constitutes Your expressed acceptance of and
+the agreement to be bound by the Agreement and its future versions or updates.
+
+'''

data/build-types/stream.toml

@@ -0,0 +1,8 @@
+packages = [
+  "gdb",
+  "strace",
+  "apt-rdepends",
+  "tshark",
+  "vim",
+  "vyos-1x-smoketest"
+]

data/certificates/.gitignore

@@ -0,0 +1 @@
+*.key

data/defaults.toml

@@ -7,14 +7,15 @@ debian_distribution = "bookworm"
 debian_mirror = "http://deb.debian.org/debian"
 debian_security_mirror = "http://deb.debian.org/debian-security"
 
-debian_archive_areas = "main contrib non-free"
+debian_archive_areas = "main contrib non-free non-free-firmware"
 
-vyos_mirror = "https://rolling-packages.vyos.net/current"
+vyos_mirror = "https://packages.vyos.net/repositories/current"
 
 vyos_branch = "current"
 release_train = "current"
 
-kernel_version = "6.1.51"
+kernel_version = "6.6.108"
+kernel_flavor = "vyos"
 bootloaders = "syslinux,grub-efi"
 
 squashfs_compression_type = "xz -Xbcj x86 -b 256k -always-use-fragments -no-recovery"
@@ -22,3 +23,5 @@ squashfs_compression_type = "xz -Xbcj x86 -b 256k -always-use-fragments -no-reco
 website_url = "https://vyos.io"
 support_url = "https://support.vyos.io"
 bugtracker_url = "https://vyos.dev"
+documentation_url = "https://docs.vyos.io/en/latest"
+project_news_url = "https://blog.vyos.io"

data/live-build-config/archives/bookworm-backports.pref.chroot

@@ -0,0 +1,11 @@
+Package: iproute2
+Pin: release n=bookworm-backports
+Pin-Priority: 600
+
+Package: suricata libhtp2
+Pin: release n=bookworm-backports
+Pin-Priority: 600
+
+Package: *
+Pin: release n=bookworm-backports
+Pin-Priority: -100

data/live-build-config/archives/buster.list.chroot

@@ -1,3 +0,0 @@
-deb http://deb.debian.org/debian/ buster main non-free
-deb http://deb.debian.org/debian/ buster-updates main non-free
-deb http://security.debian.org/debian-security buster/updates main non-free

data/live-build-config/archives/buster.pref.chroot

@@ -1,11 +0,0 @@
-Package: bash
-Pin: release n=buster
-Pin-Priority: 600
-
-Package: bash-completion
-Pin: release n=buster
-Pin-Priority: 600
-
-Package: *
-Pin: release n=buster
-Pin-Priority: -10

data/live-build-config/archives/isc-kea.key.chroot

@@ -0,0 +1,24 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGhVJw8BDACXwlMdVKg40L87xcyG6fuo1KAOdk3cqx0jcojtYXYo16R5A1xD
+ILW/Nw/b9qWkoXAjCOL8xgspSYx8Cqg73o+Jy2tzBNSzXGYmh/8sDicJmTGBt9n7
+AhwlhW7ztzYYNaJeyyGvWR+JMqGtPWuc/LixtCu/SzA6siMKCTZfUp/3nqiWQiYV
+zyYCuUI9MTaS0/LCfEclORE2GU5cED4LJli5iZFcJ8RXXTfaCncIeYFFvJTPf9TP
+mbKS8QGPYMPdtwsvqBEpej3pDXHetWuIIchPokq/rSa3QX7NmBhvh14ptaIu0usn
+i+5XvExH4a5RC0qgHFdLeYskzlRqw3dLwGHYZZ8geLaSrLSdla2rjQFzZhEcIDKI
+FnGaoAj0B3WtpJPvhmWW/1Ecryq0iOgtdNXdYxnun8eCEW6Bo5ebAW7NAI9kmWto
+i+YFsVUYAZF+gP856BSaiDMFi7LV4bOu9p78o0s6DGmBe+yVPW1Lo7Vi0X8dcLnZ
+07Cy0JoN+QRlqgMAEQEAAbQ4Q2xvdWRzbWl0aCBQYWNrYWdlIChpc2Mva2VhLTMt
+MCkgPHN1cHBvcnRAY2xvdWRzbWl0aC5pbz6JAc4EEwEIADgWIQSdpXC7GSIRiF5O
+soCxbETNRVFMPAUCaFUnDwIbLwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRCx
+bETNRVFMPPxAC/0eSSK+2Z4AOsyGun2zBDLPp3qEFrAl5KjAeZCgtYJs3UiQ65DX
+0iuvdq39SRWkSRw5w5og+nZbPdDzhw3KFSVgdCsQBv83DUH0Zlmn5Wf6eTh72T5F
+lmaaE02picOD3/9L0RdxZOEns/19f2OtSzRHxRMKuv7crcAsnJlkWYP2w96AM0ln
+QqmpVDbI8XWtQclJUkPPU+I/m6nG7Z+tc8miJ1uBfA0wP22Zj6HzRTWf9patcfTy
+IDr9rO5KmiAlO+f3YbVsKGNcuxdbMusDwpe13BRfKFDlwLKbdrSeSIw1JQc2uhhX
+/u1QTAXfLSoP4VAYwbfotgG9a/LKRJGG/M9mMtroOQYO15y+Vo2uSN4q5krv589h
+l6MAPFr2sDiedibMl9SGAPtT83afCrSZ6BgobytsdtV3u2WOqxrVUXDpvhZKjxX6
+pXrrSV9tPhZlq5pZvnDCS392FlMfHmjR4BUxzwD4Wnax8G7uQfEUWMkTaqQAZfuN
+EsbY2TeLjn3ZojI=
+=+igW
+-----END PGP PUBLIC KEY BLOCK-----

data/live-build-config/bootloaders/grub-pc/grub.cfg

@@ -4,6 +4,7 @@ set timeout=10
 insmod serial
 serial --unit=0 --speed=115200
 
+insmod gzio
 insmod part_msdos
 insmod ext2
 insmod efi_gop

data/live-build-config/hooks/live/01-live-serial.binary

@@ -0,0 +1,31 @@
+#!/bin/sh
+
+GRUB_PATH=boot/grub/grub.cfg
+ISOLINUX_PATH=isolinux/live.cfg
+
+KVM_CONSOLE="console=ttyS0,115200 console=tty0"
+SERIAL_CONSOLE="console=tty0 console=ttyS0,115200"
+
+# Grub.cfg Update
+GRUB_MENUENTRY=$(sed -e '/menuentry.*hotkey.*/,/^}/!d' -e 's/--hotkey=l//g' $GRUB_PATH)
+
+# Update KVM menuentry name
+sed -i 's/"Live system \((.*vyos)\)"/"Live system \1 - KVM console"/' $GRUB_PATH
+
+# Insert serial menuentry
+echo "$GRUB_MENUENTRY" | sed \
+    -e 's/"Live system \((.*vyos)\)"/"Live system \1 - Serial console"/' \
+    -e "s/$KVM_CONSOLE/$SERIAL_CONSOLE/g" >> $GRUB_PATH
+
+# Live.cfg Update
+ISOLINUX_MENUENTRY=$(sed -e '/label live-\(.*\)-vyos$/,/^\tappend.*/!d' $ISOLINUX_PATH)
+
+# Update KVM menuentry name
+sed -i 's/Live system \((.*vyos)\)/Live system \1 - KVM console/' $ISOLINUX_PATH
+
+# Insert serial menuentry
+echo "\n$ISOLINUX_MENUENTRY" | sed \
+    -e 's/live-\(.*\)-vyos/live-\1-vyos-serial/' \
+    -e '/^\tmenu default/d' \
+    -e 's/Live system \((.*vyos)\)/Live system \1 - Serial console/' \
+    -e "s/$KVM_CONSOLE/$SERIAL_CONSOLE/g" >> $ISOLINUX_PATH

data/live-build-config/hooks/live/100-remove-dropbear-keys.chroot

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Delete Dropbear SSH keys that might be generated
+# by postinst scripts
+# to prevent non-unique keys from appearing in images
+
+rm -f /etc/dropbear/dropbear_*_host_key

data/live-build-config/hooks/live/18-enable-disable_services.chroot

@@ -1,11 +1,15 @@
 #!/bin/sh
 
 echo I: Disabling services
+systemctl disable syslog.service
+systemctl disable rsyslog.service
+systemctl disable arpwatch.service
 systemctl disable smartd.service
-systemctl disable isc-dhcp-server.service
+systemctl disable isc-kea-dhcp4-server.service
+systemctl disable isc-kea-dhcp6-server.service
+systemctl disable isc-kea-dhcp-ddns-server.service
 systemctl disable isc-dhcp-relay.service
 systemctl disable nfacctd.service
-systemctl disable pmacctd.service
 systemctl disable sfacctd.service
 systemctl disable uacctd.service
 systemctl disable ssh.service
@@ -18,7 +22,6 @@ systemctl disable conntrackd.service
 systemctl disable 'udp-broadcast-relay@*.service'
 systemctl disable pdns-recursor.service
 systemctl disable tftpd-hpa.service
-systemctl disable logd.service
 systemctl disable frr.service
 systemctl disable salt-minion.service
 systemctl disable certbot.service
@@ -26,7 +29,6 @@ systemctl disable certbot.timer
 systemctl disable nginx.service
 systemctl disable wpa_supplicant.service
 systemctl disable squid.service
-systemctl disable heartbeat.service
 systemctl disable apt-daily.service
 systemctl disable apt-daily.timer
 systemctl disable apt-daily-upgrade.timer
@@ -39,7 +41,6 @@ systemctl disable snmpd.service
 systemctl disable conserver-server.service
 systemctl disable dropbear.service
 systemctl disable fancontrol.service
-systemctl disable fastnetmon.service
 systemctl disable ddclient.service
 systemctl disable ocserv.service
 systemctl disable tuned.service
@@ -59,25 +60,25 @@ systemctl disable atop-rotate.timer
 systemctl disable ModemManager.service
 systemctl disable dnsdist.service
 systemctl disable haproxy.service
-systemctl disable miniupnpd.service
 systemctl disable owamp-server.service
 systemctl disable twamp-server.service
-systemctl disable podman-auto-update.service
-systemctl disable podman-auto-update.timer
-systemctl disable podman-restart.service
 systemctl disable vyos-wan-load-balance.service
 systemctl disable nvmf-autoconnect.service
-systemctl disable vpp.service
 systemctl disable dpkg-db-backup.timer
 systemctl disable dpkg-db-backup.service
 systemctl disable zabbix-agent2.service
+systemctl disable suricata.service
+systemctl disable vyconfd.service
+systemctl disable vpp.service
+systemctl disable netplug.service
 
 echo I: Enabling services
-systemctl enable ssh-session-cleanup.service
 systemctl enable vyos-hostsd.service
 systemctl enable acpid.service
 systemctl enable vyos-router.service
 systemctl enable vyos-configd.service
+systemctl enable vyos-grub-update.service
+systemctl enable vyos-commitd.service
 
 echo I: Masking services
 systemctl mask systemd-journald-audit.socket

data/live-build-config/hooks/live/19-kernel_symlinks.chroot

@@ -1,6 +1,9 @@
 #!/bin/sh
 
-echo I: Creating kernel symlinks.
+echo I: Creating Linux Kernel symbolic links
 cd /boot
 ln -s initrd.img-* initrd.img
 ln -s vmlinuz-* vmlinuz
+
+echo I: Remove Linux Kernel symbolic link to source folder
+rm -rf /lib/modules/*/build

data/live-build-config/hooks/live/20-rm_ddclient_hook.chroot

@@ -1,9 +0,0 @@
-#!/bin/sh
-
-if [ -f /etc/dhcp/dhclient-exit-hooks.d/ddclient ]; then
-  rm -f /etc/dhcp/dhclient-exit-hooks.d/ddclient
-fi
-
-if [ -f /etc/ddclient.conf ]; then
-  rm -f /etc/ddclient.conf
-fi

data/live-build-config/hooks/live/20-systemd_target.chroot

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+echo I: Choose systemd multi-user.target over graphical.target
+systemctl set-default -f multi-user.target

data/live-build-config/hooks/live/22-rm_cron_atop.chroot

@@ -1,6 +0,0 @@
-#!/bin/sh
-
-if [ -f /etc/cron.d/atop ]; then
-  rm -f /etc/cron.d/atop
-fi
-

data/live-build-config/hooks/live/30-frr-configs.chroot

@@ -1,72 +0,0 @@
-#!/usr/bin/env python3
-
-# For FRR to work in VyOS as expected we need a few fixups
-#
-# 1. Enable daemons we use in /etc/frr/daemons
-# 2. Set the VRF backend of Zebra to netns (-n option) in /etc/frr/daemons.conf
-#    Otherwise multiple routing tables for PBR won't work
-# 3. Create empty configs for daemons with use
-#    That is to make them possible to start on boot before config is loaded
-#
-
-import os
-
-daemons = """
-zebra=yes
-bgpd=yes
-ospfd=yes
-ospf6d=yes
-ripd=yes
-ripngd=yes
-isisd=yes
-pimd=no
-pim6d=yes
-ldpd=yes
-nhrpd=no
-eigrpd=yes
-babeld=yes
-sharpd=no
-pbrd=no
-bfdd=yes
-staticd=yes
-
-vtysh_enable=yes
-zebra_options="-s 90000000 --daemon -A 127.0.0.1 -M snmp"
-bgpd_options="--daemon -A 127.0.0.1 -M snmp -M rpki -M bmp"
-ospfd_options="--daemon -A 127.0.0.1 -M snmp"
-ospf6d_options="--daemon -A ::1 -M snmp"
-ripd_options="--daemon -A 127.0.0.1 -M snmp"
-ripngd_options="--daemon -A ::1"
-isisd_options="--daemon -A 127.0.0.1 -M snmp"
-pimd_options="--daemon -A 127.0.0.1"
-pim6d_options=""--daemon -A ::1"
-ldpd_options="--daemon -A 127.0.0.1"
-nhrpd_options="--daemon -A 127.0.0.1"
-mgmtd_options=" --daemon -A 127.0.0.1"
-eigrpd_options="--daemon -A 127.0.0.1"
-babeld_options="--daemon -A 127.0.0.1"
-sharpd_options="--daemon -A 127.0.0.1"
-pbrd_options="--daemon -A 127.0.0.1"
-staticd_options="--daemon -A 127.0.0.1"
-bfdd_options="--daemon -A 127.0.0.1"
-
-watchfrr_enable=no
-valgrind_enable=no
-"""
-
-frr_conf = """
-log syslog
-log facility local7
-"""
-
-frr_log = ''
-
-with open("/etc/frr/daemons", "w") as f:
-    f.write(daemons)
-
-with open("/etc/frr/frr.conf", "w") as f:
-    f.write(frr_conf)
-
-# Prevent writing logs to /var/log/frr/frr.log. T2061
-with open("/etc/rsyslog.d/45-frr.conf", "w") as f:
-    f.write(frr_log)

data/live-build-config/hooks/live/40-init-cracklib-db.chroot

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+CRACKLIB_DIR=/var/cache/cracklib
+CRACKLIB_DB=cracklib_dict
+
+if [ ! -f "${CRACKLIB_DIR}/${CRACKLIB_DB}.pwd" ]; then
+  echo "I: Creating the cracklib database ${CRACKLIB_DIR}/${CRACKLIB_DB}"
+  mkdir -p $CRACKLIB_DIR
+
+  /usr/sbin/create-cracklib-dict -o $CRACKLIB_DIR/$CRACKLIB_DB \
+    /usr/share/dict/cracklib-small
+fi
+

data/live-build-config/hooks/live/80-delete-docs.chroot

@@ -1,42 +0,0 @@
-#!/bin/bash
-
-# Delete various unused files and directories in order free some space and shrink imagesize.
-
-# We do not need any documentation on the system.
-# Copyright/licenses files are ignored for deletion.
-shopt -s extglob
-rm -rf /usr/share/doc/*/!(copyright*|README*) /usr/share/doc-base
-
-# We do not need any manpages on the system since man-binary is missing.
-rm -rf /usr/local/man
-rm -rf /usr/local/share/man
-rm -rf /usr/share/man
-
-# We do not need any games on the system.
-rm -rf /usr/games
-rm -rf /usr/local/games
-
-# We do not need any caches on the system (will be recreated when needed).
-rm -rf /var/cache/*
-
-# We do not need any log-files on the system (will be recreated when needed).
-rm -rf /var/log/alternatives.log
-rm -rf /var/log/bootstrap.log
-rm -rf /var/log/dpkg.log
-rm -rf /var/log/apt/history.log
-rm -rf /var/log/apt/term.log
-rm -rf /var/log/nginx/access.log
-rm -rf /var/log/nginx/error.log
-rm -rf /var/log/squidguard/squidGuard.log
-rm -rf /var/log/stunnel4/stunnel.log
-
-# We do not need any backup-files on the system.
-rm -rf /etc/sudoers.bak
-rm -rf /etc/xml/catalog.old
-rm -rf /etc/xml/polkitd.xml.old
-rm -rf /etc/xml/xml-core.xml.old
-rm -rf /root/.gnupg/pubring.kbx~
-rm -rf /var/lib/dpkg/diversions-old
-rm -rf /var/lib/dpkg/status-old
-rm -rf /var/lib/sgml-base/supercatalog.old
-

data/live-build-config/hooks/live/81-cleanup-etc-defaults.chroot

@@ -1,11 +0,0 @@
-#!/bin/sh
-
-# we use systemd to control ISC daemons from within vyos-1x
-FILES="/etc/default/isc-dhcp-server /etc/default/isc-dhcp-relay"
-
-for FILE in ${FILES}
-do
-    if [ -f ${FILE} ]; then
-        rm -f ${FILE}
-    fi
-done

data/live-build-config/hooks/live/82-cleanup-udev-rules.chroot

@@ -1,7 +0,0 @@
-#!/bin/sh
-
-# 99-default.link rule always calls link_config that trying to set
-# autonegotiation and duplex even for PPP interfaces.
-# Need to delete this rule to prevent overhead on interface creation stage
-
-rm /lib/systemd/network/99-default.link

data/live-build-config/hooks/live/82-import-vyos-gpg-signing-key.chroot

@@ -1,12 +0,0 @@
-#!/bin/sh
-
-if ! command -v gpg &> /dev/null; then
-    echo "gpg binary could not be found"
-    exit 1
-fi
-
-GPG_KEY="/usr/share/vyos/keys/vyos-release.pub.asc"
-
-echo I: Import GPG key
-gpg --import ${GPG_KEY}
-exit $?

data/live-build-config/hooks/live/83-cleanup-etc-motd-d.chroot

@@ -1,4 +0,0 @@
-#!/bin/sh
-if [ -f /etc/update-motd.d/10-uname ]; then
-    rm -f /etc/update-motd.d/10-uname
-fi

data/live-build-config/hooks/live/92-strip-symbols.chroot

@@ -0,0 +1,75 @@
+#!/bin/sh
+
+#
+# Discard symbols and other data from object files.
+#
+# Reference:
+# https://www.linuxfromscratch.org/lfs/view/systemd/chapter08/stripping.html
+# https://www.debian.org/doc/debian-policy/ch-files.html
+#
+
+# Set variables.
+STRIPCMD_REGULAR="strip --remove-section=.comment --remove-section=.note --preserve-dates"
+STRIPCMD_DEBUG="strip --strip-debug --remove-section=.comment --remove-section=.note --preserve-dates"
+STRIPCMD_UNNEEDED="strip --strip-unneeded --remove-section=.comment --remove-section=.note --preserve-dates"
+STRIPDIR_REGULAR="
+"
+STRIPDIR_DEBUG="
+"
+STRIPDIR_UNNEEDED="
+/etc/hsflowd/modules
+/usr/bin
+/usr/lib/openvpn
+/usr/lib/x86_64-linux-gnu
+/usr/lib32
+/usr/lib64
+/usr/libx32
+/usr/sbin
+"
+STRIP_EXCLUDE=`dpkg-query -L libbinutils | grep '.so'`
+
+# Perform stuff.
+echo "Stripping symbols..."
+
+# List excluded files.
+echo "Exclude files: ${STRIP_EXCLUDE}"
+
+# CMD: strip
+for DIR in ${STRIPDIR_REGULAR}; do
+  echo "Parse dir (strip): ${DIR}"
+  find ${DIR} -type f -exec file {} \; | grep 'not stripped' | cut -d ":" -f 1 | while read FILE; do
+    echo "${STRIP_EXCLUDE}" | grep -F -q -w "${FILE}"
+    if [ $? -ne 0 ]; then
+      echo "Strip file (strip): ${FILE}"
+      ${STRIPCMD_REGULAR} ${FILE}
+    fi
+  done
+done
+
+# CMD: strip --strip-debug
+for DIR in ${STRIPDIR_DEBUG}; do
+  echo "Parse dir (strip-debug): ${DIR}"
+  find ${DIR} -type f -exec file {} \; | grep 'not stripped' | cut -d ":" -f 1 | while read FILE; do
+    echo "${STRIP_EXCLUDE}" | grep -F -q -w "${FILE}"
+    if [ $? -ne 0 ]; then
+      echo "Strip file (strip-debug): ${FILE}"
+      ${STRIPCMD_DEBUG} ${FILE}
+    fi
+  done
+done
+
+# CMD: strip --strip-unneeded
+for DIR in ${STRIPDIR_UNNEEDED}; do
+  echo "Parse dir (strip-unneeded: ${DIR}"
+  find ${DIR} -type f -exec file {} \; | grep 'not stripped' | cut -d ":" -f 1 | while read FILE; do
+    echo "${STRIP_EXCLUDE}" | grep -F -q -w "${FILE}"
+    if [ $? -ne 0 ]; then
+      echo "Strip file (strip-unneeded): ${FILE}"
+      ${STRIPCMD_UNNEEDED} ${FILE}
+    fi
+  done
+done
+
+# Remove binutils package.
+apt-get -y purge --autoremove binutils
+

data/live-build-config/hooks/live/93-sb-sign-kernel.chroot

@@ -0,0 +1,31 @@
+#!/bin/sh
+SIGN_FILE=$(find /usr/lib -name sign-file)
+KERNEL_KEY="/var/lib/shim-signed/mok/vyos-dev-2025-linux.key"
+KERNEL_CERT="/var/lib/shim-signed/mok/vyos-dev-2025-linux.pem"
+VMLINUZ=$(readlink /boot/vmlinuz)
+
+# All Linux Kernel modules need to be cryptographically signed
+find /lib/modules -type f -name \*.ko | while read MODULE; do
+    modinfo ${MODULE} | grep -q "signer:"
+    if [ $? != 0 ]; then
+        echo "E: Module ${MODULE} is not signed!"
+        read -n 1 -s -r -p "Press any key to continue"
+    fi
+done
+
+if [ ! -f ${KERNEL_KEY} ] && [ ! -f ${KERNEL_CERT} ]; then
+    echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
+else
+    echo "I: Signing Linux Kernel for Secure Boot"
+    sbsign --key ${KERNEL_KEY} --cert ${KERNEL_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
+    sbverify --list /boot/${VMLINUZ}
+    rm -f ${KERNEL_KEY}
+fi
+
+for cert in $(ls /var/lib/shim-signed/mok/); do
+    if grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok/${cert}; then
+        echo "Found private key - bailing out"
+        exit 1
+    fi
+done
+

data/live-build-config/includes.binary/compat

@@ -0,0 +1,10 @@
+# VyOS 1.3.x image upgrade scipt checked if an image file was a valid ISO file
+# by grepping it for "ISO9660".
+# (The correct way to do that would be to use file/libmagic,
+#  but we cannot change the past).
+# At some point something has changed in xorriso or some other tool
+# and images no longer include that string.
+# so the image validity check fails.
+# To allow direct upgrades from older versions,
+# we artificially include that string to make the old check pass.
+ISO9660

data/live-build-config/includes.chroot/etc/initramfs-tools/hooks/10-vyos-addons

@@ -33,3 +33,4 @@ copy_exec /usr/sbin/fsck.ext4
 
 # copy other files ("other" here is a file type, so do not delete this keyword)
 copy_file other /etc/ssl/certs/ca-certificates.crt
+copy_file other /etc/ssl/openssl.cnf

data/live-build-config/includes.chroot/etc/modprobe.d/ixgbe-options.conf

@@ -1 +0,0 @@
-options ixgbe allow_unsupported_sfp=1

data/live-build-config/includes.chroot/etc/systemd/system.conf

@@ -53,3 +53,4 @@ ShowStatus=yes
 #DefaultLimitNICE=
 #DefaultLimitRTPRIO=
 #DefaultLimitRTTIME=
+StatusUnitFormat=description

data/live-build-config/includes.chroot/lib/systemd/system/ssh-session-cleanup.service

@@ -1,13 +0,0 @@
-[Unit]
-Description=OpenBSD Secure Shell session cleanup
-Wants=network.target
-After=network.target
-
-[Service]
-ExecStart=/bin/true
-ExecStop=/usr/lib/openssh/ssh-session-cleanup
-RemainAfterExit=yes
-Type=oneshot
-
-[Install]
-WantedBy=multi-user.target

data/live-build-config/includes.chroot/usr/lib/openssh/ssh-session-cleanup

@@ -1,11 +0,0 @@
-#! /bin/sh
-
-ssh_session_pattern='sshd: \S.*@pts/[0-9]+'
-
-IFS="$IFS@"
-pgrep -a -f "$ssh_session_pattern" | while read pid daemon user pty; do
-	echo "Found ${daemon%:} session $pid on $pty; sending SIGTERM"
-	kill "$pid" || true
-done
-
-exit 0

data/live-build-config/includes.chroot/usr/share/vyos/default_motd

@@ -1,9 +0,0 @@
-Welcome to VyOS!
-
-Check out project news at https://blog.vyos.io
-and feel free to report bugs at https://vyos.dev
-
-You can change this banner using "set system login banner post-login" command.
-
-VyOS is a free software distribution that includes multiple components,
-you can check individual component licenses under /usr/share/doc/*/copyright

data/live-build-config/includes.chroot/usr/share/vyos/keys/vyos-release.pub.asc

@@ -1,52 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v2.0.22 (GNU/Linux)
-
-mQINBFXKsiIBEACyid9PR/v56pSRG8VgQyRwvzoI7rLErZ8BCQA2WFxA6+zNy+6G
-+0E/6XAOzE+VHli+wtJpiVJwAh+wWuqzOmv9css2fdJxpMW87pJAS2i3EVVVf6ab
-wU848JYLGzc9y7gZrnT1m2fNh4MXkZBNDp780WpOZx8roZq5X+j+Y5hk5KcLiBn/
-lh9Zoh8yzrWDSXQsz0BGoAbVnLUEWyo0tcRcHuC0eLx6oNG/IHvd/+kxWB1uULHU
-SlB/6vcx56lLqgzywkmhP01050ZDyTqrFRIfrvw6gLQaWlgR3lB93txvF/sz87Il
-VblV7e6HEyVUQxedDS8ikOyzdb5r9a6Zt/j8ZPSntFNM6OcKAI7U1nDD3FVOhlVn
-7lhUiNc+/qjC+pR9CrZjr/BTWE7Zpi6/kzeH4eAkfjyALj18oC5udJDjXE5daTL3
-k9difHf74VkZm29Cy9M3zPckOZpsGiBl8YQsf+RXSBMDVYRKZ1BNNLDofm4ZGijK
-mriXcaY+VIeVB26J8m8y0zN4/ZdioJXRcy72c1KusRt8e/TsqtC9UFK05YpzRm5R
-/nwxDFYb7EdY/vHUFOmfwXLaRvyZtRJ9LwvRUAqgRbbRZg3ET/tn6JZk8hqx3e1M
-IxuskOB19t5vWyAo/TLGIFw44SErrq9jnpqgclTSRgFjcjHEm061r4vjoQARAQAB
-tDZWeU9TIE1haW50YWluZXJzIChWeU9TIFJlbGVhc2UpIDxtYWludGFpbmVyc0B2
-eW9zLm5ldD6JAjgEEwECACIFAlXKsiICGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4B
-AheAAAoJEP0iAoWg/m1+xbgP+QEDYZi5dA4IPY+vU1L95Bavju2m2o35TSUDPg5B
-jfAGuhbsNUceU+l/yUlxjpKEmvshyW3GHR5QzUaKGup/ZDBo1CBxZNhpSlFida2E
-KAYTx4vHk3MRXcntiAj/hIJwRtzCUp5UQIqHoU8dmHoHOkKEP+zhJuR6E2s+WwDr
-nTwE6eRa0g/AHY+chj2Je6flpPm2CKoTfUE7a2yBBU3wPq3rGtsQgVxPAxHRZz7A
-w4AjH3NM1Uo3etuiDnGkJAuoKKb1J4X3w2QlbwlR4cODLKhJXHIufwaGtRwEin9S
-1l2bL8V3gy2Hv3D2t9TQZuR5NUHsibJRXLSa8WnSCcc6Bij5aqfdpYB+YvKH/rIm
-GvYPmLZDfKGkx0JE4/qtfFjiPJ5VE7BxNyliEw/rnQsxWAGPqLlL61SD8w5jGkw3
-CinwO3sccTVcPz9b6A1RsbBVhTJJX5lcPn1lkOEVwQ7l8bRhOKCMe0P53qEDcLCd
-KcXNnAFbVes9u+kfUQ4oxS0G2JS9ISVNmune+uv+JR7KqSdOuRYlyXA9uTjgWz4y
-Cs7RS+CpkJFqrqOtS1rmuDW9Ea4PA8ygGlisM5d/AlVkniHz/2JYtgetiLCj9mfE
-MzQpgnldNSPumKqJ3wwmCNisE+lXQ5UXCaoaeqF/qX1ykybQn41LQ+0xT5Uvy7sL
-9IwGuQINBFXKsiIBEACg2mP3QYkXdgWTK5JyTGyttE6bDC9uqsK8dc1J66Tjd5Ly
-Be0amO+88GHXa0o5Smwk2QNoxsRR41G/D/eAeGsuOEYnePROEr3tcLnDjo4KLgQ+
-H69zRPn77sdP3A34Jgp+QIzByJWM7Cnim31quQP3qal2QdpGJcT/jDJWdticN76a
-Biaz+HN13LyvZM+DWhUDttbjAJc+TEwF9YzIrU+3AzkTRDWkRh4kNIQxjlpNzvho
-9V75riVqg2vtgPwttPEhOLb0oMzy4ADdfezrfVvvMb4M4kY9npu4MlSkNTM97F/I
-QKy90JuSUIjE05AO+PDXJF4Fd5dcpmukLV/2nV0WM2LAERpJUuAgkZN6pNUFVISR
-+nSfgR7wvqeDY9NigHrJqJbSEgaBUs6RTk5hait2wnNKLJajlu3aQ2/QfRT/kG3h
-ClKUz3Ju7NCURmFE6mfsdsVrlIsEjHr/dPbXRswXgC9FLlXpWgAEDYi9Wdxxz8o9
-JDWrVYdKRGG+OpLFh8AP6QL3YnZF+p1oxGUQ5ugXauAJ9YS55pbzaUFP8oOO2P1Q
-BeYnKRs1GcMI8KWtE/fze9C9gZ7Dqju7ZFEyllM4v3lzjhT8muMSAhw41J22mSx6
-VRkQVRIAvPDFES45IbB6EEGhDDg4pD2az8Q7i7Uc6/olEmpVONSOZEEPsQe/2wAR
-AQABiQIfBBgBAgAJBQJVyrIiAhsMAAoJEP0iAoWg/m1+niUQAKTxwJ9PTAfB+XDk
-3qH3n+T49O2wP3fhBI0EGhJp9Xbx29G7qfEeqcQm69/qSq2/0HQOc+w/g8yy71jA
-6rPuozCraoN7Im09rQ2NqIhPK/1w5ZvgNVC0NtcMigX9MiSARePKygAHOPHtrhyO
-rJQyu8E3cV3VRT4qhqIqXs8Ydc9vL3ZrJbhcHQuSLdZxM1k+DahCJgwWabDCUizm
-sVP3epAP19FP8sNtHi0P1LC0kq6/0qJot+4iBiRwXMervCD5ExdOm2ugvSgghdYN
-BikFHvmsCxbZAQjykQ6TMn+vkmcEz4fGAn4L7Nx4paKEtXaAFO8TJmFjOlGUthEm
-CtHDKjCTh9WV4pwG2WnXuACjnJcs6LcK377EjWU25H4y1ff+NDIUg/DWfSS85iIc
-UgkOlQO6HJy0O96L5uxn7VJpXNYFa20lpfTVZv7uu3BC3RW/FyOYsGtSiUKYq6cb
-CMxGTfFxGeynwIlPRlH68BqH6ctR/mVdo+5UIWsChSnNd1GreIEI6p2nBk3mc7jZ
-7pTEHpjarwOjs/S/lK+vLW53CSFimmW4lw3MwqiyAkxl0tHAT7QMHH9Rgw2HF/g6
-XD76fpFdMT856dsuf+j2uuJFlFe5B1fERBzeU18MxML0VpDmGFEaxxypfACeI/iu
-8vzPzaWHhkOkU8/J/Ci7+vNtUOZb
-=Ld8S
------END PGP PUBLIC KEY BLOCK-----

data/live-build-config/includes.chroot/usr/share/vyos/keys/vyos-rolling-release.minisign.pub

@@ -0,0 +1,2 @@
+untrusted comment: minisign public key D3643767F448688
+RWSIhkR/dkM2DSaBRniv/bbbAf8hmDqdbOEmgXkf1RxRoxzodgKcDyGq

data/live-build-config/package-lists/vyos-base.list.chroot

@@ -1,6 +1,4 @@
 debconf
-gpgv
-gnupg
-vyos-world
+vyos-1x
 vyos-user-utils
 zstd

data/live-build-config/package-lists/vyos-utils.list.chroot

@@ -2,3 +2,4 @@ systemd-sysv
 systemd-bootchart
 ncurses-term
 kitty-terminfo
+binutils

data/live-build-config/rootfs/excludes

@@ -0,0 +1,63 @@
+# Exclude various unused files and directories in order to free some space and shrink imagesize.
+#
+# For information on how to use wildcards properly (Anchored and Non-anchored excludes):
+#
+# https://github.com/plougher/squashfs-tools/blob/master/RELEASE-READMEs/README-3.3
+#
+# Note:
+#
+# - root starts without leading '/'.
+#
+
+# Txxx: Drop isc-dhcp helper files from /etc/default.
+# We use systemd to control ISC daemons from within vyos-1x.
+etc/default/isc-dhcp-server
+etc/default/isc-dhcp-relay
+
+# T2185: Clean leftover files (ddclient) from base package.
+etc/dhcp/dhclient-exit-hooks.d/ddclient
+etc/ddclient.conf
+
+# T3242: Add hook to prevent link_config redundancy call in systemd-udev.
+# 99-default.link rule always calls link_config thats trying to set autonegotiation and duplex even for PPP interfaces.
+# Need to delete this rule to prevent overhead on interface creation stage.
+lib/systemd/network/99-default.link
+
+# T3774: Disabled atop services.
+etc/cron.d/atop
+
+# T3912: Remove superfluous motd.d kernel version shell script.
+etc/update-motd.d/10-uname
+
+# T4415: We do not need any documentation on the system.
+# Copyright/licenses files are ignored for deletion.
+usr/share/doc/*/!(copyright*|README*)
+usr/share/doc-base
+
+# T5468: We do not need any manpages on the system since man-binary is missing.
+usr/local/man/*
+usr/local/share/man/*
+usr/share/man/*
+
+# T5511: We do not need any games on the system.
+usr/games/*
+usr/local/games/*
+
+# T5511: We do not need any caches on the system (will be recreated when needed).
+# T7278: We need directory created by python3-cracklib for password checks
+var/cache/!(cracklib)
+
+# T5511: We do not need any log-files on the system (will be recreated when needed).
+var/log/*.log
+var/log/*/*.log
+var/log/*/*.log.xz
+
+# T5511: We do not need any backup-files on the system (will be recreated when needed).
+... *.bak
+... *.old
+... *.kbx~
+var/lib/dpkg/*-old
+
+# T5624: Remove the Debian version file to avoid false positives from security scanners.
+etc/debian_version
+

data/versions

@@ -1,3 +1,3 @@
 {
-    "current": "1.4"
+    "current": "1.5"
 }

docker-vyos/Dockerfile

@@ -1,6 +1,6 @@
 # syntax = docker/dockerfile:1
 
-# Copyright (C) 2020 VyOS maintainers and contributors
+# Copyright (C) 2020-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -17,37 +17,63 @@
 # Define arguments for VyOS image
 ARG VYOS_VERSION
 ARG BUILD_DATE
-ARG DEBIAN_VERSION
 
 # Use Debian as base layer
-FROM debian:${DEBIAN_VERSION}-slim
-# Copy installer script and default build settings
-COPY [ "data/defaults.json", "data/live-build-config/archives/*", "docker-vyos/vyos_install_common.sh", "docker-vyos/vyos_install_stage_01.sh", "/tmp/" ]
-COPY [ "data/live-build-config/hooks/live/*", "/tmp/hooks/" ]
+FROM debian:bookworm-slim
 
+LABEL authors="VyOS Maintainers <maintainers@vyos.io>"
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN /bin/echo -e 'APT::Install-Recommends "0";\nAPT::Install-Suggests "0";' > /etc/apt/apt.conf.d/01norecommends
+# Clean cache after each apt-get install command so that it is not stored in the image
+RUN /bin/echo -e 'DPkg::Post-Invoke {"/bin/rm -f /var/cache/apt/archives/*.deb /var/lib/apt/lists/* || true";};' > /etc/apt/apt.conf.d/clean
+
+# Base packaged needed to build packages and their package dependencies
+RUN apt-get update && apt-get install -y \
+      ca-certificates \
+      gnupg \
+      curl \
+      fuse-overlayfs \
+      jq \
+      yq
+
+# Copy installer script and default build settings
+COPY [ "data/defaults.toml", \
+       "data/live-build-config/archives/*", \
+       "docker-vyos/vyos_install_common.sh", \
+       "docker-vyos/vyos_install_stage_01.sh", \
+       "/tmp/"]
+COPY [ "data/architectures/*", "/tmp/architectures_triage/" ]
+COPY [ "data/live-build-config/hooks/live/*", "/tmp/hooks/" ]
 
 # Install VyOS dependencies
 WORKDIR /tmp
+RUN bash -c 'mv /tmp/architectures_triage/$(dpkg --print-architecture).toml /tmp && rm -rf /tmp/architectures_triage'
 RUN bash /tmp/vyos_install_stage_01.sh
 
 
 # Install VyOS specific software
-COPY [ "data/defaults.json", "docker-vyos/vyos_install_common.sh", "docker-vyos/vyos_install_stage_02.sh", "/tmp/" ]
+COPY [ "data/defaults.toml", \
+       "docker-vyos/vyos_install_common.sh", \
+       "docker-vyos/vyos_install_stage_02.sh", "/tmp/" ]
+COPY [ "data/architectures/*", "/tmp/architectures_triage/" ]
+RUN bash -c 'mv /tmp/architectures_triage/$(dpkg --print-architecture).toml /tmp && rm -rf /tmp/architectures_triage'
 RUN bash /tmp/vyos_install_stage_02.sh
 
 
 # Tune system for VyOS
 COPY [ "docker-vyos/vyos_install_common.sh", "docker-vyos/vyos_install_stage_03.sh", "/tmp/" ]
-# Copy skel for bash profile
-COPY data/live-build-config/includes.chroot/etc/skel/.bashrc /etc/skel/.bashrc
 # Copy default config
-COPY data/live-build-config/includes.chroot/opt/vyatta/etc/config.boot.default /opt/vyatta/etc/
+COPY tools/container/config.boot.default /opt/vyatta/etc/
 
 RUN bash /tmp/vyos_install_stage_03.sh
 
 # Delete installer scripts
 RUN rm -rf /tmp/*
 
+# Remove cleanup script so that in-container apt-get install uses cache
+RUN rm /etc/apt/apt.conf.d/clean
+
 
 # Make changes specific to the container environment
 
@@ -65,4 +91,15 @@ LABEL maintainer="support@vyos.io" \
       description="VyOS for Docker" \
       vendor="Sentrium S.L." \
       version=${VYOS_VERSION} \
-      io.vyos.build-date=${BUILD_DATE}
+      io.vyos.build-date=${BUILD_DATE} \
+      org.opencontainers.image.authors="support@vyos.io" \
+      org.opencontainers.image.created=${BUILD_DATE} \
+      org.opencontainers.image.version=${VYOS_VERSION} \
+      org.opencontainers.image.url="https://github.com/vyos/vyos-build" \
+      org.opencontainers.image.documentation="https://docs.vyos.io/en/latest/contributing/build-vyos.html" \
+      org.opencontainers.image.source="https://github.com/vyos/vyos-build" \
+      org.opencontainers.image.vendor="Sentrium S.L." \
+      org.opencontainers.image.licenses="GNU" \
+      org.opencontainers.image.title="vyos-build" \
+      org.opencontainers.image.description="VyOS for Docker" \
+      org.opencontainers.image.base.name="docker.io/debian/debian:${DEBIAN_VERSION}-slim"

docker-vyos/README.md

@@ -2,58 +2,81 @@
 
 VyOS can be run as a Docker container on a Linux host with a compatible kernel.
 
+## Build Container
 
-## Building Docker image
+To build a Docker image you need to have the whole `vyos-build` repository, not
+only a folder with Dockerfile, because some files from this repository are
+required for building.
 
-To build a Docker image you need to have the whole `vyos-build` repository, not only a folder with Dockerfile, because some files from this repository are required for building.
 Docker image with VyOS can be built on Linux host with the next command:
 
-```
-docker build --compress -f Dockerfile -t vyos:version-`date -u +%Y%m%d%H%M%S` --build-arg BUILD_DATE="`date -u --rfc-3339=seconds`" --build-arg VYOS_VERSION=version --build-arg DEBIAN_VERSION=debian --progress plain ..
+```console
+docker build --compress --file Dockerfile \
+  --tag vyos:version-`date -u +%Y%m%d%H%M%S` \
+  --build-arg BUILD_DATE="`date -u --rfc-3339=seconds`" \
+  --build-arg VYOS_VERSION=version \
+  --build-arg DEBIAN_VERSION=debian \
+  --progress plain ..
 ```
 
 Or, if you want to rebuild completely from the scratch (without cache):
 
-```
-docker build --no-cache --pull --compress -f Dockerfile -t vyos:version-`date -u +%Y%m%d%H%M%S` --build-arg BUILD_DATE="`date -u --rfc-3339=seconds`" --build-arg VYOS_VERSION=version --build-arg DEBIAN_VERSION=debian --progress plain ..
+```console
+docker build --no-cache --pull --compress --file Dockerfile \
+  --tag vyos:version-`date -u +%Y%m%d%H%M%S` \
+  --build-arg BUILD_DATE="`date -u --rfc-3339=seconds`" \
+  --build-arg VYOS_VERSION=version \
+  --build-arg DEBIAN_VERSION=debian \
+  --progress plain ..
 ```
 
-> **NOTE:** You must use proper version value for `DEBIAN_VERSION` variable. It can be only `jessie` (for VyOS 1.2) or `buster` (for VyOS 1.3).
+> **_NOTE:_** You must use proper version value for `DEBIAN_VERSION` variable.
+  It can be only `jessie` (for VyOS 1.2) or `buster` (for VyOS 1.3).
 
-## Running Docker image
+## Run Container
 
 Docker container with VyOS can be running with the next command:
 
-```
-docker run -v /lib/modules:/lib/modules --privileged --name vyos_inside_docker -d vyos:version
+```console
+docker run --privileged --detach \
+  --volume /lib/modules:/lib/modules \
+  --name vyos_inside_docker vyos:version
 ```
 
-You need to use the `--privileged` flag because the system actively interacts with a host kernel to perform routing operations and tune networking options.
-
+You need to use the `--privileged` flag because the system actively interacts
+with a host kernel to perform routing operations and tune networking options.
 
 **Experimantal:** You can limit access to some system resources with:
 
-```
-docker run --tmpfs /tmp --tmpfs /run --tmpfs /run/lock -v /sys/fs/cgroup:/sys/fs/cgroup:ro -v /lib/modules:/lib/modules --privileged --name vyos_inside_docker -d vyos:version
+```console
+docker run --privileged --detach \
+   --tmpfs /tmp \
+   --tmpfs /run \
+   --tmpfs /run/lock \
+   --volume /lib/modules:/lib/modules:ro \
+   --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \
+   --name vyos_inside_docker vyos:version
 ```
 
-## Logging into a VyOS container
+### Log into container
 
-To open VyOS CLI, you can use SSH connection to the Docker container or run on host:
+To open VyOS CLI, you can use SSH connection to the Docker container or run
+on host:
 
-```
+```console
 docker exec -it vyos_inside_docker su vyos
 ```
 
-
 ## Troubleshooting
 
-If in VyOS appears IPv6-related errors, for example, it cannot assign an IPv6 for an interface, it is necessary to enable IPv6 support in Docker. This can be done, by editing `/etc/docker/daemon.json`:
+If in VyOS appears IPv6-related errors, for example, it cannot assign an IPv6
+address for an interface, it is necessary to enable IPv6 support in Docker.
 
-```
+This can be done, by editing `/etc/docker/daemon.json`:
+
+```console
 {
     "ipv6": true,
     "fixed-cidr-v6": "fe80::/64"
 }
-
 ```

docker-vyos/vyos_install_common.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright (C) 2020 VyOS maintainers and contributors
+# Copyright (C) 2020-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -14,7 +14,6 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-
 # Set environment variables
 export DEBIAN_FRONTEND="noninteractive"
 
@@ -23,21 +22,21 @@ function prepare_apt() {
     # Update packages list
     apt-get update
 
-    # Install jq (required to easily extract variables from defaults.json)
-    apt-get install -y --no-install-recommends jq gnupg
-
     # Add VyOS repository to the system
-    local APT_VYOS_MIRROR=`jq --raw-output .vyos_mirror /tmp/defaults.json`
-    local APT_VYOS_BRANCH=`jq --raw-output .vyos_branch /tmp/defaults.json`
-    local APT_ADDITIONAL_REPOS=`jq --raw-output .additional_repositories[] /tmp/defaults.json`
-    local RELEASE_TRAIN=`jq --raw-output .release_train /tmp/defaults.json`
+    local APT_VYOS_MIRROR=$(tomlq --raw-output .vyos_mirror /tmp/defaults.toml)
+    local APT_VYOS_BRANCH=$(tomlq --raw-output .vyos_branch /tmp/defaults.toml)
+    local APT_ADDITIONAL_REPOS=$(tomlq --raw-output .additional_repositories[] /tmp/$(dpkg --print-architecture).toml)
+    local RELEASE_TRAIN=$(tomlq --raw-output .release_train /tmp/defaults.toml)
 
-    if [[ "${RELEASE_TRAIN}" == "crux" ]]; then
-        echo -e "deb ${APT_VYOS_MIRROR}/vyos ${APT_VYOS_BRANCH} main\ndeb ${APT_VYOS_MIRROR}/debian ${APT_VYOS_BRANCH} main\n${APT_ADDITIONAL_REPOS}" > /etc/apt/sources.list.d/vyos.list
-    fi
+    echo "APT_VYOS_MIRROR      : $APT_VYOS_MIRROR"
+    echo "APT_VYOS_BRANCH      : $APT_VYOS_BRANCH"
+    echo "APT_ADDITIONAL_REPOS : $APT_ADDITIONAL_REPOS"
+    echo "RELEASE_TRAIN        : $RELEASE_TRAIN"
 
-    if [[ "${RELEASE_TRAIN}" == "equuleus" || "${RELEASE_TRAIN}" == "sagitta" ]]; then
-        echo -e "deb ${APT_VYOS_MIRROR} ${APT_VYOS_BRANCH} main\n${APT_ADDITIONAL_REPOS}" > /etc/apt/sources.list.d/vyos.list
+    echo -e "deb ${APT_VYOS_MIRROR} ${APT_VYOS_BRANCH} main\n${APT_ADDITIONAL_REPOS}" > /etc/apt/sources.list.d/vyos.list
+    cat /etc/apt/sources.list.d/vyos.list
+
+    if [ ${RELEASE_TRAIN} == "equuleus" ]; then
         # Add backports repository
         echo -e "deb http://deb.debian.org/debian buster-backports main\ndeb http://deb.debian.org/debian buster-backports non-free" >> /etc/apt/sources.list.d/vyos.list
     fi
@@ -65,8 +64,6 @@ function prepare_apt() {
 
 # Cleanup APT after finish
 function cleanup_apt() {
-    # delete jq tool
-    dpkg -P jq
     # Clear APT cache
     apt-get clean
     rm -rf /var/lib/apt/lists/*

docker-vyos/vyos_install_stage_01.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright (C) 2020 VyOS maintainers and contributors
+# Copyright (C) 2020-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -23,7 +23,9 @@ echo "Configuring APT repositories"
 prepare_apt
 
 # Get list of VyOS packages
-vyos_packages=(`apt-cache -i depends vyos-world | awk '/Depends:/ { printf("%s ", $2) }'`)
+vyos_packages=(
+    "vyos-1x"
+    )
 
 # Do not analyze packages, which we do not need in Docker
 vyos_packages_filter=(
@@ -58,6 +60,7 @@ ignore_list=(
     "cluster-glue"
     "resource-agents"
     "heartbeat"
+    "podman"
     )
 
 # Get list of packages from VYOS repository

docker-vyos/vyos_install_stage_02.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright (C) 2020 VyOS maintainers and contributors
+# Copyright (C) 2020-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -23,7 +23,9 @@ echo "Configuring APT repositories"
 prepare_apt
 
 # Get list of VyOS packages
-vyos_packages=(`apt-cache -i depends vyos-world | awk '/Depends:/ { printf("%s ", $2) }'`)
+vyos_packages=(
+    "vyos-1x"
+    )
 
 # Do not analyze packages, which we do not need in Docker
 vyos_packages_filter=(
@@ -35,6 +37,8 @@ vyos_packages_filtered=("$(filter_list vyos_packages[@] vyos_packages_filter[@])
 vyos_packages_filtered+=(
     "uuid"
     "jq"
+    "yq"
+    "systemd"
     )
 
 echo "Packages for installing: ${vyos_packages_filtered[@]}"
@@ -43,12 +47,12 @@ echo "Installing VyOS packages"
 apt-get install -y --no-install-recommends ${vyos_packages_filtered[@]}
 
 # Create VyOS version file
-RELEASAE_TRAIN=`jq --raw-output .release_train /tmp/defaults.json`
+RELEASAE_TRAIN=$(tomlq --raw-output .release_train /tmp/defaults.toml)
 apt-cache show vyos-1x | awk -v release_train=${RELEASAE_TRAIN} '{ if ($1 == "Version:") version = $2 } END { build_git = "unknown" ; built_by = "Sentrium S.L." ; built_on = strftime("%F %T UTC", systime(), utc) ; "uuid -v 4" | getline build_uuid ; printf("{\"version\": \"%s\", \"build_git\": \"%s\", \"built_on\": \"%s\", \"built_by\": \"%s\", \"build_uuid\": \"%s\", \"release_train\": \"%s\"}", version, build_git, built_on, built_by, build_uuid, release_train) }' | json_pp > /usr/share/vyos/version.json
 
 # Delete what we do not need inside Docker image (this step makes packages database inconsistent)
 echo "Deleting what is needless in containers"
-dpkg -P --force-depends dosfstools efibootmgr jq gdisk grub-common grub-efi-amd64-bin initscripts installation-report laptop-detect libossp-uuid16 libparted2 libwireshark-data libwireshark5 mdadm parted tshark uuid vyos-qat-kernel-modules wireguard-modules
+dpkg -P --force-depends dosfstools efibootmgr yq jq gdisk grub-common grub-efi-amd64-bin initscripts installation-report laptop-detect libossp-uuid16 libparted2 libwireshark-data libwireshark5 mdadm parted tshark uuid
 dpkg -l | awk '/linux-image-/ { system("dpkg -P --force-depends " $2) }'
 
 # Delete documentation

docker-vyos/vyos_install_stage_03.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright (C) 2020 VyOS maintainers and contributors
+# Copyright (C) 2020-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -20,6 +20,7 @@
 . vyos_install_common.sh
 
 # Add config partition marker
+mkdir -p /opt/vyatta/etc/config
 touch /opt/vyatta/etc/config/.vyatta_config
 
 # create folder for configuration mounting
@@ -54,10 +55,9 @@ for hook in ${hooks_list[@]}; do
 done
 
 # Delete needless options from CLI
-# CLI_DELETION=(
-#     "/opt/vyatta/share/vyatta-cfg/templates/system/host-name/"
-#     )
-# rm -rf ${CLI_DELETION[@]}
-
+ CLI_DELETION=(
+     "/opt/vyatta/share/vyatta-cfg/templates/container/"
+     )
+ rm -rf ${CLI_DELETION[@]}
 
 exit 0

docker/Dockerfile

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2022 VyOS maintainers and contributors
+# Copyright (C) 2018-2025 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # in order to easy exprort images built to "external" world
@@ -18,7 +18,7 @@
 
 # This Dockerfile is installable on both x86, x86-64, armhf and arm64 systems
 ARG ARCH=
-FROM ${ARCH}debian:bookworm
+FROM ${ARCH}debian:bookworm-slim
 
 RUN grep "VERSION_ID" /etc/os-release || (echo 'VERSION_ID="12"' >> /etc/os-release)
 
@@ -40,10 +40,21 @@ RUN grep "VERSION_ID" /etc/os-release || (echo 'VERSION_ID="12"' >> /etc/os-rele
 # On some versions of docker the emulation framework is not installed by default and
 # you need to install qemu, qemu-user-static and register qemu inside docker manually using:
 # `docker run --rm --privileged multiarch/qemu-user-static:register --reset`
-LABEL authors="VyOS Maintainers <maintainers@vyos.io>"
-ENV DEBIAN_FRONTEND noninteractive
+LABEL authors="VyOS Maintainers <maintainers@vyos.io>" \
+      org.opencontainers.image.authors="VyOS Maintainers <maintainers@vyos.io>" \
+      org.opencontainers.image.url="https://github.com/vyos/vyos-build" \
+      org.opencontainers.image.documentation="https://docs.vyos.io/en/latest/contributing/build-vyos.html" \
+      org.opencontainers.image.source="https://github.com/vyos/vyos-build" \
+      org.opencontainers.image.vendor="Sentrium S.L." \
+      org.opencontainers.image.licenses="GNU" \
+      org.opencontainers.image.title="vyos-build" \
+      org.opencontainers.image.description="Container to build VyOS ISO" \
+      org.opencontainers.image.base.name="docker.io/debian/debian:bookworm"
+ENV DEBIAN_FRONTEND=noninteractive
 
 RUN /bin/echo -e 'APT::Install-Recommends "0";\nAPT::Install-Suggests "0";' > /etc/apt/apt.conf.d/01norecommends
+# Clean cache after each apt-get install command so that it is not stored in the image
+RUN /bin/echo -e 'DPkg::Post-Invoke {"/bin/rm -f /var/cache/apt/archives/*.deb /var/lib/apt/lists/* || true";};' > /etc/apt/apt.conf.d/clean
 
 RUN apt-get update && apt-get install -y \
       dialog \
@@ -51,9 +62,9 @@ RUN apt-get update && apt-get install -y \
       locales
 
 RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && locale-gen
-ENV LANG en_US.utf8
+ENV LANG=en_US.utf8
 
-ENV OCAML_VERSION 4.12.0
+ENV OCAML_VERSION=4.14.2
 
 # Base packaged needed to build packages and their package dependencies
 RUN apt-get update && apt-get install -y \
@@ -78,7 +89,10 @@ RUN apt-get update && apt-get install -y \
       gosu \
       po4a \
       openssh-client \
-      jq
+      jq \
+      socat \
+      python-is-python3 \
+      apt-transport-https
 
 # Packages needed for vyos-build
 RUN apt-get update && apt-get install -y \
@@ -92,9 +106,18 @@ RUN apt-get update && apt-get install -y \
       python3-pip \
       python3-flake8 \
       python3-autopep8 \
+      python3-tomli \
+      python3-tomli-w \
       yq \
       debootstrap \
-      live-build
+      live-build \
+      gdisk \
+      sbsigntool \
+      dosfstools \
+      kpartx
+
+# Packages for TPM test
+RUN apt-get update && apt-get install -y swtpm
 
 # Syslinux and Grub2 is only supported on x86 and x64 systems
 RUN if dpkg-architecture -ii386 || dpkg-architecture -iamd64; then \
@@ -105,9 +128,10 @@ RUN if dpkg-architecture -ii386 || dpkg-architecture -iamd64; then \
 
 # Building libvyosconf requires a full configured OPAM/OCaml setup
 RUN apt-get update && apt-get install -y \
+      quilt \
       debhelper \
       libffi-dev \
-      libpcre3-dev \
+      libpcre2-dev \
       unzip
 
 # Update certificate store to not crash ocaml package install
@@ -117,41 +141,27 @@ RUN dpkg-reconfigure ca-certificates; \
       echo "cacert=/etc/ssl/certs/ca-certificates.crt" >> ~/.curlrc; \
     fi
 
-# Installing OCAML needed to compile libvyosconfig
+# Installing OCaml needed to compile libvyosconfig
 RUN curl https://raw.githubusercontent.com/ocaml/opam/master/shell/install.sh \
       --output /tmp/opam_install.sh --retry 10 --retry-delay 5 && \
-    sed -i 's/read BINDIR/BINDIR=""/' /tmp/opam_install.sh && sh /tmp/opam_install.sh && \
-    opam init --root=/opt/opam --comp=${OCAML_VERSION} --disable-sandboxing --no-setup
-
-RUN eval $(opam env --root=/opt/opam --set-root) && \
-    opam pin add pcre https://github.com/mmottl/pcre-ocaml.git#0c4ca03a -y
+    sed -i 's/read_tty BINDIR/BINDIR=""/' /tmp/opam_install.sh && sh /tmp/opam_install.sh && \
+    opam init --root=/opt/opam --comp=${OCAML_VERSION} --disable-sandboxing --no-setup \
+    && rm /tmp/opam_install.sh
 
 RUN eval $(opam env --root=/opt/opam --set-root) && opam install -y \
       re \
+      pcre2 \
       num \
       ctypes \
       ctypes-foreign \
       ctypes-build \
       containers \
       fileutils \
-      xml-light
-
-# Build VyConf which is required to build libvyosconfig
-RUN eval $(opam env --root=/opt/opam --set-root) && \
-    opam pin add vyos1x-config https://github.com/vyos/vyos1x-config.git#f11f0148 -y
-
-# Packages needed for libvyosconfig
-RUN apt-get update && apt-get install -y \
-      quilt \
-      libpcre3-dev \
-      libffi-dev
-
-# Build libvyosconfig
-RUN eval $(opam env --root=/opt/opam --set-root) && \
-    git clone https://github.com/vyos/libvyosconfig.git /tmp/libvyosconfig && \
-    cd /tmp/libvyosconfig && git checkout 63175de4 && \
-    dpkg-buildpackage -uc -us -tc -b && \
-    dpkg -i /tmp/libvyosconfig0_*_$(dpkg-architecture -qDEB_HOST_ARCH).deb
+      xml-light \
+      mustache \
+      yojson \
+      fmt \
+      logs
 
 # Packages needed for open-vmdk
 RUN apt-get update && apt-get install -y \
@@ -160,7 +170,22 @@ RUN apt-get update && apt-get install -y \
 # Install open-vmdk
 RUN wget -O /tmp/open-vmdk-master.zip https://github.com/vmware/open-vmdk/archive/master.zip && \
     unzip -d /tmp/ /tmp/open-vmdk-master.zip && \
-    cd /tmp/open-vmdk-master/ && make && make install
+    cd /tmp/open-vmdk-master/ && make && make install && \
+    cd /tmp && rm -rf /tmp/open-vmdk-master/ && rm /tmp/open-vmdk-master.zip
+
+# Packages need for build live-build
+RUN apt-get update && apt-get install -y \
+      cpio
+
+COPY patches/live-build/0001-save-package-info.patch /tmp/0001-save-package-info.patch
+
+RUN git clone https://salsa.debian.org/live-team/live-build.git /tmp/live-build && \
+    cd /tmp/live-build && git checkout debian/1%20240810 && \
+    patch -p1 < /tmp/0001-save-package-info.patch && \
+    dch -n "Applying fix for save package info" && \
+    dpkg-buildpackage -us -uc && \
+    dpkg -i ../live-build*.deb && \
+    rm -rf /tmp/live-build
 
 #
 # live-build: building in docker fails with mounting /proc | /sys
@@ -176,63 +201,36 @@ RUN wget https://salsa.debian.org/klausenbusk-guest/debootstrap/commit/a9a603b17
     patch -p1 < /tmp/a9a603b17cadbf52cb98cde0843dc9f23a08b0da.patch && \
     dch -n "Applying fix for docker image compile" && \
     dpkg-buildpackage -us -uc && \
-    sudo dpkg -i ../debootstrap*.deb
+    sudo dpkg -i ../debootstrap*.deb \
+    && rm /tmp/a9a603b17cadbf52cb98cde0843dc9f23a08b0da.patch \
+    && rm -rf /tmp/debootstrap
 
-# Packages needed for Linux Kernel
-# gnupg2 is required by Jenkins for the TAR verification
-RUN apt-get update && apt-get install -y \
-      gnupg2 \
-      rsync \
-      libelf-dev \
-      libncurses5-dev \
-      flex \
-      bison \
-      bc \
-      kmod \
-      cpio \
-      python-is-python3 \
-      dwarves
-
-# Packages needed for Intel QAT out-of-tree drivers
 # FPM is used when generation Debian pckages for e.g. Intel QAT drivers
-RUN apt-get update && apt-get install -y \
-      pciutils \
-      yasm \
-      ruby \
-      libudev-dev \
-      ruby-dev \
-      rubygems \
-      build-essential
 RUN gem install --no-document fpm
 
-# Build rtrlib release 0.8.0
-RUN export RTRLIB_VERSION="0.8.0" export ARCH=$(dpkg-architecture -qDEB_HOST_ARCH) && \
-    git clone https://github.com/rtrlib/rtrlib.git /tmp/rtrlib && cd /tmp/rtrlib && \
-    mk-build-deps --install --tool "apt-get --yes --no-install-recommends" && \
-    dpkg-buildpackage -uc -us -tc -b && \
-    dpkg -i ../librtr0*_${ARCH}.deb ../librtr-dev*_${ARCH}.deb ../rtr-tools*_${ARCH}.deb
-
-RUN export LIBYANG_VERSION="v2.1.80" export ARCH=$(dpkg-architecture -qDEB_HOST_ARCH) && \
-    git clone https://github.com/CESNET/libyang.git /tmp/libyang && cd /tmp/libyang && \
-    pipx run apkg build -i && find pkg/pkgs -type f -name *.deb -exec mv -t .. {} + && \
-    dpkg -i ../libyang*.deb
+# Add vyos package repo
+COPY vyos-dev.list /etc/apt/sources.list.d/vyos-dev.list
+COPY vyos-dev.key /usr/share/keyrings/vyos-dev-archive-keyring.gpg
+RUN apt-key add /usr/share/keyrings/vyos-dev-archive-keyring.gpg
 
 # Packages needed for vyos-1x
-RUN pip install --break-system-packages \
+RUN pip --no-cache --no-cache-dir install --break-system-packages \
       git+https://github.com/aristanetworks/j2lint.git@341b5d5db86 \
       pyhumps==3.8.0; \
     apt-get update && apt-get install -y \
+      build-essential \
       dh-python \
       fakeroot \
       iproute2 \
       libzmq3-dev \
+      procps \
+      protobuf-compiler \
       python3 \
       python3-setuptools \
       python3-inotify \
-      python3-sphinx \
       python3-xmltodict \
       python3-lxml \
-      python3-nose \
+      python3-nose2 \
       python3-netifaces \
       python3-jinja2 \
       python3-jmespath \
@@ -240,21 +238,34 @@ RUN pip install --break-system-packages \
       python3-stdeb \
       python3-all \
       python3-coverage \
+      python3-hurry.filesize \
+      python3-netaddr \
+      python3-paramiko \
+      python3-passlib \
+      python3-protobuf \
+      python3-tabulate \
+      python3-zmq \
+      python3-vici \
+      python3-fastapi \
+      python3-pyudev \
+      python3-systemd \
+      python3-certbot-nginx \
+      python3-pam \
+      python3-dbus \
+      python3-pyroute2 \
+      python3-voluptuous \
+      pylint \
       quilt \
-      whois
+      whois \
+      python3-cracklib
 
-# Go required for validators and vyos-xe-guest-utilities
-RUN GO_VERSION_INSTALL="1.18.3" ; \
+# Go required for telegraf and prometheus exporters build
+RUN GO_VERSION_INSTALL="1.23.2" ; \
     wget -O /tmp/go${GO_VERSION_INSTALL}.linux-amd64.tar.gz https://go.dev/dl/go${GO_VERSION_INSTALL}.linux-$(dpkg-architecture -qDEB_HOST_ARCH).tar.gz ; \
     tar -C /opt -xzf /tmp/go*.tar.gz && \
     rm /tmp/go*.tar.gz
 RUN echo "export PATH=/opt/go/bin:$PATH" >> /etc/bash.bashrc
 
-# Packages needed for opennhrp
-RUN apt-get update && apt-get install -y \
-      libc-ares-dev \
-      libev-dev
-
 # Packages needed for Qemu test-suite
 # This is for now only supported on i386 and amd64 platforms
 RUN if dpkg-architecture -ii386 || dpkg-architecture -iamd64; then \
@@ -270,7 +281,6 @@ RUN if dpkg-architecture -ii386 || dpkg-architecture -iamd64; then \
 # This is only supported on i386 and amd64 platforms
 RUN if dpkg-architecture -ii386 || dpkg-architecture -iamd64; then \
      apt-get update && apt-get install -y \
-      kpartx \
       parted \
       udev \
       grub-pc \
@@ -307,12 +317,6 @@ RUN if dpkg-architecture -iarm64; then \
       grub-efi-arm; \
     fi
 
-# Packages needed for openvpn-otp
-RUN apt-get update && apt-get install -y \
-      debhelper \
-      libssl-dev \
-      openvpn
-
 # Packages needed for OWAMP/TWAMP (service sla)
 RUN git clone -b 4.4.6 https://github.com/perfsonar/i2util.git /tmp/i2util && \
       cd /tmp/i2util && \
@@ -325,38 +329,33 @@ RUN apt-get update && apt-get install -y \
       udev \
       zip
 
-# Packages needed for Accel-PPP
-# XXX: please note that this must be installed after nftable dependencies - otherwise
-# APT will remove liblua5.3-dev which breaks the Accel-PPP build
-# With bookworm, updated to libssl3 (Note: https://github.com/accel-ppp/accel-ppp/issues/68)
-RUN apt-get update && apt-get install -y \
-      liblua5.3-dev \
-      libssl3 \
-      libssl-dev \
-      libpcre3-dev
-
 # debmake: a native Debian tool for preparing sources for packaging
 RUN apt-get update && apt-get install -y \
       debmake \
       python3-debian
 
-# Packages for jool
-RUN apt-get update && apt-get install -y \
-      libnl-genl-3-dev \
-      libxtables-dev
-
 # Allow password-less 'sudo' for all users in group 'sudo'
 RUN sed "s/^%sudo.*/%sudo\tALL=(ALL) NOPASSWD:ALL/g" -i /etc/sudoers && \
     echo "vyos_bld\tALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers && \
     chmod a+s /usr/sbin/useradd /usr/sbin/groupadd
 
-# Ensure sure all users have access to our OCAM and Go installation
-RUN echo "$(opam env --root=/opt/opam --set-root)" >> /etc/skel/.bashrc && \
-    echo "export PATH=/opt/go/bin:\$PATH" >> /etc/skel/.bashrc
+# Ensure sure all users have access to Go
+RUN echo "export PATH=/opt/go/bin:\$PATH" >> /etc/skel/.bashrc
+
+# Rise upper limit for UID when working in an Active Direcotry integrated
+# environment. This solves the warning: vyos_bld's uid 1632000007 outside of the
+# UID_MIN 1000 and UID_MAX 60000 range.
+RUN sed -i 's/UID_MAX\t\t\t60000/UID_MAX\t\t\t2000000000/g' /etc/login.defs
 
 # Cleanup
 RUN rm -rf /tmp/*
 
+# Remove cleanup script so that in-container apt-get install uses cache
+RUN rm /etc/apt/apt.conf.d/clean
+
+# Add cache once as it is needed by some builds in GitHub Actions
+RUN apt-get update
+
 # Disable mouse in vim
 RUN printf "set mouse=\nset ttymouse=\n" > /etc/vim/vimrc.local
 

docker/patches/live-build/0001-save-package-info.patch

@@ -0,0 +1,64 @@
+From 9dacc8bf99310b2216be24a42f2c0475080cf039 Mon Sep 17 00:00:00 2001
+From: khramshinr <khramshinr@gmail.com>
+Date: Thu, 24 Oct 2024 14:22:57 +0600
+Subject: [PATCH] T6684: new Debian package repo snapshot logic
+
+Save information about all installed packages and teir source repo, including temporary packages
+Added functionality to store version information for temporarily installed packages.
+---
+ functions/packages.sh | 9 +++++++++
+ scripts/build/chroot  | 6 ++++++
+ scripts/build/clean   | 2 +-
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/functions/packages.sh b/functions/packages.sh
+index 2481edc25..a6c2c1e8d 100755
+--- a/functions/packages.sh
++++ b/functions/packages.sh
+@@ -60,6 +60,15 @@ Install_packages ()
+ 			Chroot chroot "aptitude install --without-recommends ${APTITUDE_OPTIONS} ${_LB_PACKAGES}"
+ 			;;
+ 	esac
++
++  # save information about all temporary installed packages and source repos
++	for PACKAGE in ${_LB_PACKAGES}; do
++		INSTALLED_VERSION=$(Chroot chroot "apt-cache policy ${PACKAGE}" | grep 'Installed:' | awk '{print $2}')
++		Chroot chroot "apt-cache policy ${PACKAGE}"  | sed -n '/\*\*\*/,$p' | grep -P 'http:|https:' -m 1 | \
++		awk -v pkg="${PACKAGE}" -v version="${INSTALLED_VERSION}" '{print $2" "$3" "pkg" "version}' >> chroot.packages.all.info
++
++	done
++
+ 	unset _LB_PACKAGES # Can clear this now
+ }
+ 
+diff --git a/scripts/build/chroot b/scripts/build/chroot
+index a0aa10be0..700762e78 100755
+--- a/scripts/build/chroot
++++ b/scripts/build/chroot
+@@ -48,6 +48,12 @@ for _PASS in install live; do
+ 	fi
+ done
+ 
++# save information about all installed packages and source repos
++Chroot chroot "dpkg-query -W" | while read PACKAGE; do
++  Chroot chroot "apt-cache policy ${PACKAGE}"  | sed -n '/\*\*\*/,$p' | grep -P 'http:|https:' -m 1 | awk -v pkg="${PACKAGE}" '{print $2" "$3" "pkg}' >> chroot.packages.all.info
++done
++
++
+ lb chroot_includes_after_packages "${@}"
+ lb chroot_hooks "${@}"
+ lb chroot_hacks "${@}"
+diff --git a/scripts/build/clean b/scripts/build/clean
+index 6549fc635..4376d7525 100755
+--- a/scripts/build/clean
++++ b/scripts/build/clean
+@@ -159,7 +159,7 @@ if [ "${RM_CHROOT}" = "true" ]; then
+ 
+ 	rm -rf chroot chroot.tmp
+ 
+-	rm -f chroot.packages.live chroot.packages.install
++	rm -f chroot.packages.live chroot.packages.install chroot.packages.all.info
+ 	rm -f chroot.files
+ 
+ 	rm -f "$(Installed_tmp_packages_file)"
+

docker/vyos-dev.key

@@ -0,0 +1,53 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQINBF0/MrsBEADLSj4PdgHsr4FblWqQmmZD32J3EVlXrBIwi0zT1RN6V6vA81xx
+Qe8XNm6LXVB9kjH9Qv+MwIWWOkTYGCDg2oiIAKPRnJfKisDo4Ax3a1j2YOF6Ud2n
+t1bdDfSvnMnEITnMwa+BHKx3QeBoVG/8zhMeHjXy0QwHUIdKMyrX8M0JWY/sqLlv
+HvzEaB3PEMFGFhuJ3Dh/ZxquVVuSS2GPRyTpLTqrPSH9jG8hf8YFWBE+CHbnclZc
+4NKlI5Q5yrqrUE7zGWgg3O75o6xlJpjI2TJXPPYU6llCNQi/AUIB3R34okMdyYmP
+dzaHBXeA+a5glikv5i0ysJgfZ/hvZgayZdAvqIxQxjzvKebmqUutay7LhgjKGRnC
+vdAAQ1LbkqPvbBN1oaElRiTUR6bekTFd/M8x3DWPHc0xkNps6f4sEoiFkujpsl26
+uGlBhf59yFzI/XhjT/04pUWa3myFhGWT4WSw8cf3o/47/CiL4TefOBTY2vSSub7V
+nekDG6H75i9szMMQGzry71+RzYMOWkUnnnQ6wjpHuce42zU7wKUdl2+Wrr+g2/cK
+NKFvHRmGLVOpcabDawWi08hHr+J6Gje9PCePfY4x0p6Idjz5YW4Q1D/XSDZZ3nni
+akhMO1onHLolY7jstdexhSSi7nS9bDAdnHlL7e/hJemF5G0IvLlkaXYIpQARAQAB
+tDJWeU9TIG1haW50YWluZXJzIChwYWNrYWdlIHNpZ25pbmcpIDxwa2dzQHZ5b3Mu
+bmV0PokCOQQTAQIAIwUCXT8yuwIbAwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheA
+AAoJELK9zt4uv5wGFk4P/3MUhejAJrkMy8EC21P74yCxpZ8RfahML/hIy8+13mWd
+480eSGrZr+mEk7pN4T+5cOV4gO9gsKlZ+9zvP8PjRqrHhdDWnA+6GZSMmwvV5C+s
+DDop3Wa5z6u5SXwultAEzssNtmVreXhGrB/gkpx6NsAZz9TbwVCOyfFu5di2Oued
+ItL6IhkLBIbOmJX1X5CD3AvXIKcRwp7L3mFYP+UE5/c3OFmIK5P1J3vvHRPQqHls
+BOPs7dMowfCQfNTUyUWTG74gPo9wHCnuE6QnO5b/j1dPKgz5058bK+NMFgLLdw6X
+pb8Z7CvQPSLr5o2KfP+LsC7Nyz4tFQukJvidZdQ/uYQ38SDXsLbmlqnQWDCtYMzu
+j225frdkvymwvLrroVWGfbJI2Bd+u3VoQmLdMdddnSe/+oKoh2/xBueWH/O6d4F4
+br+HNbhxaxhhM2JuPXB7mQTDyzl4RhD8JixV6YgjWo1/X8wfpJdB/utTbiwLdhIH
+q2gdI3sxDCikapQWEhHWAgW4azhzXXvo8RTwNWXtck2DBsQxsn4lANvcWwJ7fRD5
+FDgIcJJ+rZrA9NT1sihSjxvUWAmByOSWwdWQRm8O86tFjqm9mJ5ppIYLX5weMa6L
+przxbm85y5DZeeuxo297YHGbrfeRm7ko/yB+DFdnLirnblK5JI4RL94AwZjad879
+uQINBF0/MrsBEACmKylWG6GC+EPn+x01vA3tVDyyDcOxaRevCvCYEINv7yn7Ajc3
+ZaWqqNRfZheOU5hUVJjW6cv7xqaWIn9J/7vatmdeX8H1cVWpSk/e1QT1Fop7I71e
+4skDn8YI6JIZgFBrqe1O3YHOQDZbMO9zR5jNpVD7XXLyGsRvjnkH/ybugBeiVCqt
+7x2I8OnDQggFnBrishMjVrEmBAduE3JICC1IbCCtVG67h07E/BC7XJVgME8Hvfwl
+EBTo8Y6CWcrsJZfAQKU+3wi5feFVLIbhNceiGcxmi7uJML+hGoSf92Pmn7i9p5su
+ywy4XF+aWvd4R3CMYywOiukB3rItic7gp0tpcMK7AwessGqvD/luz2cNY1IqDKak
+w7jGbGUT54zKO3tpt73dYGyf3SUHQ9aNAaGuSxjq/c9v9X4KpzmAi82rt4wSkDVa
+/5SkxsU9aP6lql2MrZm//Pj3hjyipTLUFhndbjeJDgBRROMJdokNkFIIaweJGAg2
+wNwBC6HRIYXLyOsV+Azf1gqSpCEqdKVLJkBduuChtd7N9xoUahag2yya+ujwpcN6
+nlmnhZt+yfgi0uO2cPmsof9PkJi+cb44IAgkvG96Zj2JbLHSlGipyYTHLYS46RC4
+CkaF3DSwDXVU+lBqJz+WkOywpMGUKtZwPbpy7ZJVf2JL8Rf0D95sIaeICwARAQAB
+iQIfBBgBAgAJBQJdPzK7AhsMAAoJELK9zt4uv5wG45IP/2YEQzyn2qiqHInLEmXE
+R7fefmkiTy925juASQiR/LGOCSfCOnMKBMkyi63XvQuhAALU6RxgK69yLZJYWQ+a
+gh+vrrndCzprCM4PohuupknA8nAY+FvC5xoOZVkZ/+vUP344ukxN9Fz1d9oU3G5a
+luoA23G1qs7kHJw/xzN1BFNqie2mIzMAOI0Wu0BZxmYmD3Ph0KMbUD08jX6ImDF6
+EnqS0VhCgXfWhPBqh5TOG35Fi5ZCmupbgqBJQZg5fLIWS3Hk2qBm70FR3iLdjiYu
+w165hBlqcJ2YfvVBKVvMNRVB9BtF7BfzCM3/y/4V82EZ7qQJ+jE30N+/vwrAOrUd
+QVlFsC5eYDOkRb3XXhijXZhoKoeXTwY7TGNntavVMYZ2W4EFoX2OH8/2A7KEYhqc
+3cjEJ7EoM6hkmm6xmU82oQ8Moll1SgQbkNKlZYDPMs7Ppr4zBJjnVYVcP9e1RLFO
+0POJbtG7CCAstcvMu/3Yw7Il/TOGvc3TNBPrkYtriDj+B900W5sEc33iUV9VRAAi
+Bkfs0XMSQVIcMdquu2LGfNWBjd/YCZVQ8OzFYoZJeq18oxeZ9/tE4NE3KyUBmqil
+5/WicCYtxgxByAvhN5dFn+nPfoEMQ/e9Zhs2ImrrSy12Ehg1swRjAK39NrjySDFT
+FhyPysWJ4aNKtAYgVuQguPTt
+=rJUC
+-----END PGP PUBLIC KEY BLOCK-----
+

docker/vyos-dev.list

@@ -0,0 +1 @@
+deb https://packages.vyos.net/repositories/current current main

packages/.gitignore

@@ -1,6 +1 @@
-*.tar.gz
-*.deb
-*.dsc
-*.buildinfo
-*.changes
-*.git
+/*

packages/aws-gateway-load-balancer-tunnel-handler/.gitignore

@@ -1 +0,0 @@
-aws-gwlbtun/

packages/aws-gateway-load-balancer-tunnel-handler/Jenkinsfile

@@ -1,30 +0,0 @@
-// Copyright (C) 2023 VyOS maintainers and contributors
-//
-// This program is free software; you can redistribute it and/or modify
-// in order to easy exprort images built to "external" world
-// it under the terms of the GNU General Public License version 2 or later as
-// published by the Free Software Foundation.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with this program.  If not, see <http://www.gnu.org/licenses/>.
-@NonCPS
-
-// Using a version specifier library, use 'current' branch. The underscore (_)
-// is not a typo! You need this underscore if the line immediately after the
-// @Library annotation is not an import statement!
-@Library('vyos-build@current')_
-
-def pkgList = [
-    ['name': 'aws-gateway-load-balancer-tunnel-handler',
-     'scmCommit': 'f78058a',
-     'scmUrl': 'https://github.com/aws-samples/aws-gateway-load-balancer-tunnel-handler',
-     'buildCmd': 'cd ..; ./build.sh'],
-]
-
-// Start package build using library function from https://github.com/vyos/vyos-build
-buildPackage('aws-gateway-load-balancer-tunnel-handler', pkgList, null, true, "**/packages/aws-gateway-load-balancer-tunnel-handler/**")

packages/aws-gateway-load-balancer-tunnel-handler/build.sh

@@ -1,38 +0,0 @@
-#!/bin/bash
-CWD=$(pwd)
-set -e
-
-SRC=aws-gateway-load-balancer-tunnel-handler
-
-if [ ! -d ${SRC} ]; then
-    echo "${SRC} directory does not exists, please 'git clone'"
-    exit 1
-fi
-
-# Navigate to the repository directory
-cd ${SRC}
-
-# Build the binary
-cmake .
-make
-
-# Create the Debian package directory structure
-mkdir -p aws-gwlbtun/DEBIAN
-mkdir -p aws-gwlbtun/usr/bin
-
-# Move the binary to the package directory
-cp gwlbtun aws-gwlbtun/usr/bin
-
-# Create the control file
-cat <<EOL > aws-gwlbtun/DEBIAN/control
-Package: aws-gwlbtun
-Version: 1-eb51d33
-Architecture: amd64
-Maintainer: VyOS Maintainers autobuild@vyos.net
-Description: AWS Gateway Load Balancer Tunnel Handler
-EOL
-
-# Build the Debian package
-dpkg-deb --build aws-gwlbtun
-
-cp *.deb ${CWD}

packages/ddclient/.gitignore

@@ -1 +0,0 @@
-ddclient/

packages/ddclient/Jenkinsfile

@@ -1,30 +0,0 @@
-// Copyright (C) 2023 VyOS maintainers and contributors
-//
-// This program is free software; you can redistribute it and/or modify
-// in order to easy exprort images built to "external" world
-// it under the terms of the GNU General Public License version 2 or later as
-// published by the Free Software Foundation.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with this program.  If not, see <http://www.gnu.org/licenses/>.
-@NonCPS
-
-// Using a version specifier library, use 'current' branch. The underscore (_)
-// is not a typo! You need this underscore if the line immediately after the
-// @Library annotation is not an import statement!
-@Library('vyos-build@current')_
-
-def pkgList = [
-    ['name': 'ddclient',
-     'scmCommit': 'debian/3.10.0-3',
-     'scmUrl': 'https://salsa.debian.org/debian/ddclient',
-     'buildCmd': 'sudo mk-build-deps --install --tool "apt-get --yes --no-install-recommends"; cd ..; ./build.sh'],
-]
-
-// Start package build using library function from https://github.com/vyos/vyos-build
-buildPackage('ddclient', pkgList, null, null, "**/packages/ddclient/**")

packages/ddclient/build.sh

@@ -1,26 +0,0 @@
-#!/bin/sh
-CWD=$(pwd)
-set -e
-
-SRC=ddclient
-if [ ! -d ${SRC} ]; then
-    echo "Source directory does not exists, please 'git clone'"
-    exit 1
-fi
-
-PATCH_DIR=${CWD}/patches
-if [ -d $PATCH_DIR ]; then
-    for patch in $(ls ${PATCH_DIR})
-    do
-        echo "I: Apply patch: ${patch} to main repository"
-        cp ${PATCH_DIR}/${patch} ${SRC}/debian/patches/
-        echo ${patch} >> ${SRC}/debian/patches/series
-    done
-fi
-
-cd ${SRC}
-echo "I: bump version"
-dch -v "3.10.0-3+vyos0" "Patchset for miscellaneous fixes"
-
-echo "I: Build Debian Package"
-dpkg-buildpackage -uc -us -tc -b

packages/ddclient/patches/z1_perhost-variable-new-style.patch

@@ -1,47 +0,0 @@
-From 11a5bd5e7ef0d199c754947e24c0c8a736d18c48 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Thomas=20du=20Bo=C3=BFs?= <thomas@duboys.info>
-Date: Sat, 28 Jan 2023 11:34:41 +0100
-Subject: [PATCH] define usev4, usev6 and dependancies as per-host config
-
-Ref: ddclient/ddclient#505
----
- ddclient.in | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/ddclient.in b/ddclient.in
-index eff10fb4..ad7dee52 100755
---- a/ddclient.in
-+++ b/ddclient.in
-@@ -490,17 +490,32 @@ my %variables = (
-         'host'                => setv(T_STRING,1, 1, '',                   undef),
-
-         'use'                 => setv(T_USE,   0, 0, 'ip',                 undef),
-+        'usev4'               => setv(T_USEV4, 0, 0, 'disabled',           undef),
-+        'usev6'               => setv(T_USEV6, 0, 0, 'disabled',           undef),
-         'if'                  => setv(T_IF,    0, 0, 'ppp0',               undef),
-+        'ifv4'                => setv(T_IF,    0, 0, 'default',            undef),
-+        'ifv6'                => setv(T_IF,    0, 0, 'default',            undef),
-         'web'                 => setv(T_STRING,0, 0, 'dyndns',             undef),
-         'web-skip'            => setv(T_STRING,0, 0, '',                   undef),
-         'web-ssl-validate'    => setv(T_BOOL,  0, 0, 1,                    undef),
-+        'webv4'               => setv(T_STRING,0, 0, 'googledomains',      undef),
-+        'webv4-skip'          => setv(T_STRING,1, 0, '',                   undef),
-+        'webv6'               => setv(T_STRING,0, 0, 'googledomains',      undef),
-+        'webv6-skip'          => setv(T_STRING,1, 0, '',                   undef),
-         'fw'                  => setv(T_ANY,   0, 0, '',                   undef),
-         'fw-skip'             => setv(T_STRING,0, 0, '',                   undef),
-         'fw-login'            => setv(T_LOGIN, 0, 0, '',                   undef),
-         'fw-password'         => setv(T_PASSWD,0, 0, '',                   undef),
-         'fw-ssl-validate'     => setv(T_BOOL,  0, 0, 1,                    undef),
-+        'fwv4'                => setv(T_ANY,   0, 0, '',                   undef),
-+        'fwv4-skip'           => setv(T_STRING,1, 0, '',                   undef),
-+        'fwv6'                => setv(T_ANY,   0, 0, '',                   undef),
-+        'fwv6-skip'           => setv(T_STRING,1, 0, '',                   undef),
-         'cmd'                 => setv(T_PROG,  0, 0, '',                   undef),
-         'cmd-skip'            => setv(T_STRING,0, 0, '',                   undef),
-+        'cmdv4'               => setv(T_PROG,  0, 0, '',                   undef),
-+        'cmdv6'               => setv(T_PROG,  0, 0, '',                   undef),
-+
-         'ip'                  => setv(T_IP,    0, 1, undef,                undef),  #TODO remove from cache?
-         'ipv4'                => setv(T_IPV4,  0, 1, undef,                undef),
-         'ipv6'                => setv(T_IPV6,  0, 1, undef,                undef),

packages/ddclient/patches/z2_dyndns2-ipv4-ipv6.patch

@@ -1,114 +0,0 @@
-From fa6c95f5110455b6e1ad80d1147086619ddbf7df Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Thomas=20du=20Bo=C3=BFs?= <thomas@duboys.info>
-Date: Fri, 27 Jan 2023 17:58:26 +0100
-Subject: [PATCH 1/2] Update dyndns2 client to use new IPv4/IPv6 logic
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Thomas du Boÿs <thomas@duboys.info>
-
-Ref: ddclient/ddclient#502
----
- ddclient.in | 32 ++++++++++++++++++++++----------
- 1 file changed, 22 insertions(+), 10 deletions(-)
-
-diff --git a/ddclient.in b/ddclient.in
-index eff10fb4..744d63ed 100755
---- a/ddclient.in
-+++ b/ddclient.in
-@@ -4069,10 +4069,13 @@ sub nic_dyndns2_update {
-         my @hosts = @{$groups{$sig}};
-         my $hosts = join(',', @hosts);
-         my $h     = $hosts[0];
--        my $ip    = $config{$h}{'wantip'};
--        delete $config{$_}{'wantip'} foreach @hosts;
-+        my $ipv4  = $config{$h}{'wantipv4'};
-+        my $ipv6  = $config{$h}{'wantipv6'};
-+        delete $config{$_}{'wantipv4'} foreach @hosts;
-+        delete $config{$_}{'wantipv6'} foreach @hosts;
-
--        info("setting IP address to %s for %s", $ip, $hosts);
-+        info("setting IPv4 address to %s for %s", $ipv4, $hosts) if $ipv4;
-+        info("setting IPv6 address to %s for %s", $ipv6, $hosts) if $ipv6;
-         verbose("UPDATE:", "updating %s", $hosts);
-
-         ## Select the DynDNS system to update
-@@ -4091,7 +4094,11 @@ sub nic_dyndns2_update {
-
-         $url .= "&hostname=$hosts";
-         $url .= "&myip=";
--        $url .= $ip if $ip;
-+        $url .= $ipv4 if $ipv4;
-+        if ($ipv6) {
-+            $url .= "," if $ipv4;
-+            $url .= $ipv6;
-+        }
-
-         ## some args are not valid for a custom domain.
-         $url .= "&wildcard=ON" if ynu($config{$h}{'wildcard'}, 1, 0, 0);
-@@ -4114,7 +4121,6 @@ sub nic_dyndns2_update {
-
-         my @reply      = split /\n/, $reply;
-         my $state      = 'header';
--        my $returnedip = $ip;
-
-         foreach my $line (@reply) {
-             if ($state eq 'header') {
-@@ -4128,22 +4134,28 @@ sub nic_dyndns2_update {
-
-                 # bug #10: some dyndns providers does not return the IP so
-                 # we can't use the returned IP
--                my ($status, $returnedip) = split / /, lc $line;
--                $ip = $returnedip if (not $ip);
-+                my ($status, $returnedips) = split / /, lc $line;
-                 my $h = shift @hosts;
-
-                 $config{$h}{'status'} = $status;
-+                $config{$h}{'status-ipv4'} = $status if $ipv4;
-+                $config{$h}{'status-ipv6'} = $status if $ipv6;
-                 if ($status eq 'good') {
--                    $config{$h}{'ip'}    = $ip;
-+                    $config{$h}{'ipv4'}  = $ipv4 if $ipv4;
-+                    $config{$h}{'ipv6'}  = $ipv6 if $ipv6;
-                     $config{$h}{'mtime'} = $now;
--                    success("updating %s: %s: IP address set to %s", $h, $status, $ip);
-+                    success("updating %s: %s: IPv4 address set to %s", $h, $status, $ipv4) if $ipv4;
-+                    success("updating %s: %s: IPv6 address set to %s", $h, $status, $ipv6) if $ipv6;
-
-                 } elsif (exists $errors{$status}) {
-                     if ($status eq 'nochg') {
-                         warning("updating %s: %s: %s", $h, $status, $errors{$status});
--                        $config{$h}{'ip'}     = $ip;
-+                        $config{$h}{'ipv4'}  = $ipv4 if $ipv4;
-+                        $config{$h}{'ipv6'}  = $ipv6 if $ipv6;
-                         $config{$h}{'mtime'}  = $now;
-                         $config{$h}{'status'} = 'good';
-+                        $config{$h}{'status-ipv4'} = 'good' if $ipv4;
-+                        $config{$h}{'status-ipv6'} = 'good' if $ipv6;
-
-                     } else {
-                         failed("updating %s: %s: %s", $h, $status, $errors{$status});
-
-From cca4291360ce31aff1ab0d877d2622c11510c1f3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Thomas=20du=20Bo=C3=BFs?= <thomas@duboys.info>
-Date: Sat, 28 Jan 2023 10:46:43 +0100
-Subject: [PATCH 2/2] fix ipv4 address on message log when address already set
-
----
- ddclient.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ddclient.in b/ddclient.in
-index 744d63ed..a5e9c68c 100755
---- a/ddclient.in
-+++ b/ddclient.in
-@@ -3820,7 +3820,7 @@ sub nic_updateable {
-                 success("%s: skipped: IP address was already set to %s.", $host, $ip);
-             }
-             if ($usev4 ne 'disabled') {
--                success("%s: skipped: IPv4 address was already set to %s.", $host, $ipv6);
-+                success("%s: skipped: IPv4 address was already set to %s.", $host, $ipv4);
-             }
-             if ($usev6 ne 'disabled') {
-                 success("%s: skipped: IPv6 address was already set to %s.", $host, $ipv6);

packages/ddclient/patches/z3_duckdns-reply-fix.patch

@@ -1,74 +0,0 @@
-From d35d62f3e753ffe15b151f7b7c5dea96bfa3ca7a Mon Sep 17 00:00:00 2001
-From: drinn <drinn@users.noreply.github.com>
-Date: Sat, 28 Jan 2023 09:48:51 -0600
-Subject: [PATCH 1/2] updated nic_duckdns_update to account for extra lines in
- duckdns reply
-
-Ref: ddclient/ddclient#506
----
- ddclient.in | 30 +++++++++++++++++++++---------
- 1 file changed, 21 insertions(+), 9 deletions(-)
-
-diff --git a/ddclient.in b/ddclient.in
-index eff10fb4..8797d7d4 100755
---- a/ddclient.in
-+++ b/ddclient.in
-@@ -6559,16 +6559,28 @@ sub nic_duckdns_update {
-         next if !header_ok($h, $reply);
-
-         my @reply = split /\n/, $reply;
--        my $returned = pop(@reply);
--        if ($returned =~ /OK/) {
--            $config{$h}{'ip'}     = $ip;
--            $config{$h}{'mtime'}  = $now;
--            $config{$h}{'status'} = 'good';
--            success("updating %s: good: IP address set to %s", $h, $ip);
--        } else {
--            $config{$h}{'status'} = 'failed';
--            failed("updating %s: Server said: '%s'", $h, $returned);
-+        my $state = 'noresult';
-+        my $line = '';
-+
-+        foreach $line (@reply) {
-+            if ($line eq 'OK') {
-+                $config{$h}{'ip'}     = $ip;
-+                $config{$h}{'mtime'}  = $now;
-+                $config{$h}{'status'} = 'good';
-+                $state = 'result';
-+                success("updating %s: good: IP address set to %s", $h, $ip);
-+
-+            } elsif ($line eq 'KO') {
-+                $config{$h}{'status'} = 'failed';
-+                $state = 'result';
-+                failed("updating %s: Server said: '%s'", $h, $line);
-+            }
-+        }
-+
-+        if ($state eq 'noresult') {
-+            failed("updating %s: Server said: '%s'", $h, $line);
-         }
-+
-     }
- }
-
-
-From dbc40557d22b36a6847d0cd11e59185647516f7b Mon Sep 17 00:00:00 2001
-From: drinn <drinn@users.noreply.github.com>
-Date: Sat, 28 Jan 2023 09:59:58 -0600
-Subject: [PATCH 2/2] removed empty space
-
----
- ddclient.in | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/ddclient.in b/ddclient.in
-index 8797d7d4..b818ea6e 100755
---- a/ddclient.in
-+++ b/ddclient.in
-@@ -6580,7 +6580,6 @@ sub nic_duckdns_update {
-         if ($state eq 'noresult') {
-             failed("updating %s: Server said: '%s'", $h, $line);
-         }
--
-     }
- }

packages/ddclient/patches/z4_dyndns2-multiline-multihost-fix.patch

@@ -1,111 +0,0 @@
-From 69347bd2a27cfb517d0749f1293ad5acdfcf34ad Mon Sep 17 00:00:00 2001
-From: Franco Fichtner <franco@opnsense.org>
-Date: Thu, 1 Jun 2023 09:06:27 +0200
-Subject: [PATCH] dyndns2: fix multiline parsing and multiple host handling
-
-As seen in the wild with DynDNS.com -- status '14' is being stored
-for the first host which is removed from @hosts ending up reading
-empty host for next line causing 'nochg' to be misplaced in an empty
-host.  The same likely applies for multi-host handling so expand to
-loop where writing to config and use $hosts when logging to catch all.
-
-RECEIVE:  HTTP/1.1 200 OK
-RECEIVE:  Date: Thu, 01 Jun 2023 06:59:38 GMT
-RECEIVE:  Server: Apache/2.4.18 (Ubuntu)
-RECEIVE:  Strict-Transport-Security: max-age=31536000
-RECEIVE:  X-UpdateCode: n
-RECEIVE:  Vary: Accept-Encoding
-RECEIVE:  Content-Type: text/plain
-RECEIVE:  Accept-Ranges: none
-RECEIVE:  X-User-Status: vip
-RECEIVE:  Connection: close
-RECEIVE:  Transfer-Encoding: chunked
-RECEIVE:
-RECEIVE:  14
-RECEIVE:  nochg 192.168.178.20
-RECEIVE:  0
-RECEIVE:
-
-Ref: ddclient/ddclient#542
----
- ddclient.in | 51 +++++++++++++++++++++++++++++++--------------------
- 1 file changed, 31 insertions(+), 20 deletions(-)
-
-diff --git a/ddclient.in b/ddclient.in
-index a4464e2c..43eb3b15 100755
---- a/ddclient.in
-+++ b/ddclient.in
-@@ -4194,30 +4194,38 @@ sub nic_dyndns2_update {
-                 # bug #10: some dyndns providers does not return the IP so
-                 # we can't use the returned IP
-                 my ($status, $returnedips) = split / /, lc $line;
--                my $h = shift @hosts;
-
--                $config{$h}{'status'} = $status;
--                $config{$h}{'status-ipv4'} = $status if $ipv4;
--                $config{$h}{'status-ipv6'} = $status if $ipv6;
-+                foreach my $h (@hosts) {
-+                    $config{$h}{'status'} = $status;
-+                    $config{$h}{'status-ipv4'} = $status if $ipv4;
-+                    $config{$h}{'status-ipv6'} = $status if $ipv6;
-+                }
-+
-                 if ($status eq 'good') {
--                    $config{$h}{'ipv4'}  = $ipv4 if $ipv4;
--                    $config{$h}{'ipv6'}  = $ipv6 if $ipv6;
--                    $config{$h}{'mtime'} = $now;
--                    success("updating %s: %s: IPv4 address set to %s", $h, $status, $ipv4) if $ipv4;
--                    success("updating %s: %s: IPv6 address set to %s", $h, $status, $ipv6) if $ipv6;
-+                    foreach my $h (@hosts) {
-+                        $config{$h}{'ipv4'}  = $ipv4 if $ipv4;
-+                        $config{$h}{'ipv6'}  = $ipv6 if $ipv6;
-+                        $config{$h}{'mtime'} = $now;
-+                    }
-+
-+                    success("updating %s: %s: IPv4 address set to %s", $hosts, $status, $ipv4) if $ipv4;
-+                    success("updating %s: %s: IPv6 address set to %s", $hosts, $status, $ipv6) if $ipv6;
-
-                 } elsif (exists $errors{$status}) {
-                     if ($status eq 'nochg') {
--                        warning("updating %s: %s: %s", $h, $status, $errors{$status});
--                        $config{$h}{'ipv4'}  = $ipv4 if $ipv4;
--                        $config{$h}{'ipv6'}  = $ipv6 if $ipv6;
--                        $config{$h}{'mtime'}  = $now;
--                        $config{$h}{'status'} = 'good';
--                        $config{$h}{'status-ipv4'} = 'good' if $ipv4;
--                        $config{$h}{'status-ipv6'} = 'good' if $ipv6;
-+                        warning("updating %s: %s: %s", $hosts, $status, $errors{$status});
-+
-+                        foreach my $h (@hosts) {
-+                            $config{$h}{'ipv4'}  = $ipv4 if $ipv4;
-+                            $config{$h}{'ipv6'}  = $ipv6 if $ipv6;
-+                            $config{$h}{'mtime'}  = $now;
-+                            $config{$h}{'status'} = 'good';
-+                            $config{$h}{'status-ipv4'} = 'good' if $ipv4;
-+                            $config{$h}{'status-ipv6'} = 'good' if $ipv6;
-+                        }
-
-                     } else {
--                        failed("updating %s: %s: %s", $h, $status, $errors{$status});
-+                        failed("updating %s: %s: %s", $hosts, $status, $errors{$status});
-                     }
-
-                 } elsif ($status =~ /w(\d+)(.)/) {
-@@ -4229,11 +4237,14 @@ sub nic_dyndns2_update {
-                     ($scale, $units) = (60*60, 'hours') if $units eq 'h';
-
-                     $sec = $wait * $scale;
--                    $config{$h}{'wtime'} = $now + $sec;
--                    warning("updating %s: %s: wait %s %s before further updates", $h, $status, $wait, $units);
-+                    foreach my $h (@hosts) {
-+                        $config{$h}{'wtime'} = $now + $sec;
-+                    }
-+
-+                    warning("updating %s: %s: wait %s %s before further updates", $hosts, $status, $wait, $units);
-
-                 } else {
--                    failed("updating %s: unexpected status (%s)", $h, $line);
-+                    failed("updating %s: unexpected status (%s)", $hosts, $line);
-                 }
-             }
-         }

packages/dropbear/.gitignore

@@ -1 +0,0 @@
-dropbear/

packages/dropbear/Jenkinsfile

@@ -1,30 +0,0 @@
-// Copyright (C) 2022-2023 VyOS maintainers and contributors
-//
-// This program is free software; you can redistribute it and/or modify
-// in order to easy exprort images built to "external" world
-// it under the terms of the GNU General Public License version 2 or later as
-// published by the Free Software Foundation.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with this program.  If not, see <http://www.gnu.org/licenses/>.
-@NonCPS
-
-// Using a version specifier library, use 'current' branch. The underscore (_)
-// is not a typo! You need this underscore if the line immediately after the
-// @Library annotation is not an import statement!
-@Library('vyos-build@current')_
-
-def pkgList = [
-    ['name': 'dropbear',
-     'scmCommit': 'debian/2022.83-1',
-     'scmUrl': 'https://salsa.debian.org/debian/dropbear.git',
-     'buildCmd': 'sudo mk-build-deps --install --tool "apt-get --yes --no-install-recommends"; cd ..; ./build.sh'],
-]
-
-// Start package build using library function from https://github.com/vyos/vyos-build
-buildPackage('dropbear', pkgList, null, true, "**/packages/dropbear/**")

packages/dropbear/build.sh

@@ -1,23 +0,0 @@
-#!/bin/sh
-CWD=$(pwd)
-set -e
-
-SRC=dropbear
-if [ ! -d ${SRC} ]; then
-    echo "Source directory does not exists, please 'git clone'"
-    exit 1
-fi
-
-PATCH_DIR=${CWD}/patches
-if [ -d $PATCH_DIR ]; then
-    for patch in $(ls ${PATCH_DIR})
-    do
-        echo "I: Apply patch: ${patch} to main repository"
-        cp ${PATCH_DIR}/${patch} ${SRC}/debian/patches/
-        echo ${patch} >> ${SRC}/debian/patches/series
-    done
-fi
-
-cd ${SRC}
-echo "I: Build Debian Package"
-dpkg-buildpackage -uc -us -tc -b