Merge pull request #494 from sever-sever/T6014-eq

T6014: Bump keepalived version to v2.2.8

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,12 +1,15 @@
 <!-- All PR should follow this template to allow a clean and transparent review -->
-<!-- Text placed between these delimiters is considered a commend and is not rendered -->
+<!-- Text placed between these delimiters is considered a comment and is not rendered -->
 
 ## Change Summary
 <!--- Provide a general summary of your changes in the Title above -->
 
 ## Types of changes
-<!--- What types of changes does your code introduce? Put an 'x' in all the boxes that apply. -->
-<!--- NOTE: Markdown requires no leading or trailing whitespace inside the [ ] for checking the box, please use [x] --> 
+<!---
+What types of changes does your code introduce? Put an 'x' in all the boxes that apply.
+NOTE: Markdown requires no leading or trailing whitespace inside the [ ] for checking
+the box, please use [x]
+-->
 - [ ] Bug fix (non-breaking change which fixes an issue)
 - [ ] New feature (non-breaking change which adds functionality)
 - [ ] Code style update (formatting, renaming)
@@ -16,6 +19,7 @@
 
 ## Related Task(s)
 <!-- All submitted PRs must be linked to a Task on Phabricator. -->
+* https://vyos.dev/Txxxx
 
 ## Component(s) name
 <!-- A rather incomplete list of components: ethernet, wireguard, bgp, mpls, ldp, l2tp, dhcp ... -->
@@ -24,8 +28,14 @@
 <!--- Describe your changes in detail -->
 
 ## How to test
-<!--- Please describe in detail how you tested your changes. -->
-<!--- Include details of your testing environment, and the tests you ran to -->
+<!---
+Please describe in detail how you tested your changes. Include details of your testing
+environment, and the tests you ran. When pasting configs, logs, shell output, backtraces,
+and other large chunks of text, surround this text with triple backtics
+```
+like this
+```
+-->
 
 ## Checklist:
 <!--- Go over all the following points, and put an `x` in all the boxes that apply. -->

.github/reviewers.yml

@@ -0,0 +1,3 @@
+---
+"**/*":
+  - team: reviewers

.github/workflows/auto-author-assign.yml

@@ -0,0 +1,27 @@
+name: "PR Triage"
+on:
+  pull_request_target:
+    types: [opened, reopened, ready_for_review, locked]
+
+permissions:
+  pull-requests: write
+
+jobs:
+  # https://github.com/marketplace/actions/auto-author-assign
+  assign-author:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Assign Author to PR"
+        uses: toshimaru/auto-author-assign@v1.3.5
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+  # https://github.com/shufo/auto-assign-reviewer-by-files
+  assign_reviewer:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Request review based on files changes and/or groups the author belongs to
+        uses: shufo/auto-assign-reviewer-by-files@v1.1.4
+        with:
+          token: ${{ secrets.PR_ACTION_ASSIGN_REVIEWERS }}
+          config: .github/reviewers.yml

.github/workflows/pr-conflicts.yml

@@ -0,0 +1,18 @@
+name: "PR Conflicts checker"
+on:
+  pull_request_target:
+    types: [synchronize]
+
+jobs:
+  Conflict_Check:
+    name: 'Check PR status: conflicts and resolution'
+    runs-on: ubuntu-18.04
+    steps:
+      - name: check if PRs are dirty
+        uses: eps1lon/actions-label-merge-conflict@releases/2.x
+        with:
+          dirtyLabel: "state: conflict"
+          removeOnDirtyLabel: "state: conflict resolved"
+          repoToken: "${{ secrets.GITHUB_TOKEN }}"
+          commentOnDirty: "This pull request has conflicts, please resolve those before we can evaluate the pull request."
+          commentOnClean: "Conflicts have been resolved. A maintainer will review the pull request shortly."

CONTRIBUTING.md

@@ -8,6 +8,81 @@ review this contribution guideline.
 
 The following paragraphs are an excerpt from our Documentation.
 
+## Submit a Patch
+
+Patches are always more than welcome. To have a clean and easy to maintain
+repository we have some guidelines when working with Git. A clean repository
+eases the automatic generation of a changelog file.
+
+A good approach for writing commit messages is actually to have a look at the
+file(s) history by invoking git log path/to/file.txt.
+
+### Prepare patch/commit
+
+In a big system, such as VyOS, that is comprised of multiple components, it’s
+impossible to keep track of all the changes and bugs/feature requests in one’s
+head. We use a bugtracker known as Phabricator for it (“issue tracker” would
+be a better term, but this one stuck).
+
+The information is used in three ways:
+
+* Keep track of the progress (what we have already done in this branch and
+  what  we still need to do).
+* Prepare automatic release notes for upcoming releases
+* Help future maintainers of VyOS (it could be you!) to find out why certain
+  things have been changed in the codebase or why certain features have been
+  added
+
+To make this approach work, every change must be associated with a task number
+(prefixed with **T**) and a component. If there is no bug report/feature
+request for the changes you are going to make, you have to create a Phabricator
+task first. Once there is an entry in Phabricator, you should reference its id
+in your commit message, as shown below:
+
+* `ddclient: T1030: auto create runtime directories`
+* `Jenkins: add current Git commit ID to build description`
+
+If there is no [Phabricator](https://vyos.dev) reference in the
+commits of your pull request, we have to ask you to amend the commit message.
+Otherwise we will have to reject it.
+
+## Writing good commit messages
+
+The format should be and is inspired by this very good and detailed
+[Git documentation](https://git-scm.com/book/ch5-2.html), it is also worth
+reading https://chris.beams.io/posts/git-commit/.
+
+This is nothing VyOS specific - it is more a general topic for distributed
+development environments.
+
+* A single, short, summary of the commit (recommended 50 characters or less,
+  not exceeding 80 characters) containing a prefix of the changed component
+  and the corresponding Phabricator reference e.g. `snmp: T1111:` or
+  `ethernet: T2222:` - multiple components could be concatenated as in `snmp:
+  ethernet: T3333`
+* In some contexts, the first line is treated as the subject of an email and
+  the rest of the text as the body. The blank line separating the summary from
+  the body is critical (unless you omit the body entirely); tools like rebase
+  can get confused if you run the two together.
+* Followed by a message which describes all the details like:
+  * What/why/how something has been changed, makes everyone’s life easier when
+    working with `git bisect`
+  * All text of the commit message should be wrapped at 72 characters if
+    possible which makes reading commit logs easier with git log on a standard
+	terminal (which happens to be 80x25)
+  * If applicable a reference to a previous commit should be made linking those
+    commits nicely when browsing the history: `After commit abcd12ef ("snmp:
+	this is a headline") a Python import statement is missing, throwing the
+	following exception: ABCDEF`
+* Always use the `-x` option to the `git cherry-pick` command when back or
+  forward porting an individual commit. This automatically appends the line:
+  `(cherry picked from commit <ID>)` to the original authors commit message
+  making it easier when bisecting problems.
+* Every change set must be consistent (self containing)! Do not fix multiple
+  bugs in a single commit. If you already worked on multiple fixes in the same
+  file use git add –patch to only add the parts related to the one issue into
+  your upcoming commit.
+  
 ## Bug Report/Issue
 Issues or bugs are found in any software project. VyOS is not an exception.
 
@@ -51,7 +126,7 @@ also contain information that is helpful for the development team.
 ### Reporting
 
 In order to open up a bug-report/feature request you need to create yourself
-an account on [Phabricator](https://phabricator.vyos.net). On the left
+an account on [Phabricator](https://vyos.dev). On the left
 side of the specific project (VyOS 1.2 or VyOS 1.3) you will find quick-links
 for opening a bug-report/feature request.
 
@@ -66,7 +141,7 @@ for opening a bug-report/feature request.
 
 You have an idea of how to make VyOS better or you are in need of a specific
 feature which all users of VyOS would benefit from? To send a feature request
-please search [Phabricator](https://phabricator.vyos.net) if there is already a
+please search [Phabricator](https://vyos.dev) if there is already a
 request pending. You can enhance it or if you don't find one, create a new one
 by use the quick link in the left side under the specific project.
 

Jenkinsfile

@@ -1,5 +1,5 @@
 #!/usr/bin/env groovy
-// Copyright (C) 2019 VyOS maintainers and contributors
+// Copyright (C) 2019-2021 VyOS maintainers and contributors
 //
 // This program is free software; you can redistribute it and/or modify
 // in order to easy exprort images built to "external" world
@@ -13,118 +13,69 @@
 //
 // You should have received a copy of the GNU General Public License
 // along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
 @NonCPS
 
 // Using a version specifier library, use 'current' branch. The underscore (_)
 // is not a typo! You need this underscore if the line immediately after the
 // @Library annotation is not an import statement!
-@Library('vyos-build@current')_
-
-
-// Only keep the 10 most recent builds
-def projectProperties = [
-    [$class: 'BuildDiscarderProperty',strategy: [$class: 'LogRotator', numToKeepStr: '10']],
-]
-
-properties(projectProperties)
+@Library('vyos-build@equuleus')_
 setDescription()
 
-// Due to long build times on DockerHub we rather build the container by ourself
-// and publish it later on.
-
-// create container names on demand
-env.DOCKER_IMAGE =       "vyos/vyos-build:" + getGitBranchName()
-env.DOCKER_IMAGE_ARM =   "vyos/vyos-build:" + getGitBranchName() + "-armhf"
-env.DOCKER_IMAGE_ARM64 = "vyos/vyos-build:" + getGitBranchName() + "-arm64"
-
 node('Docker') {
-    stage('Fetch') {
-        git branch: getGitBranchName(),
-            url: getGitRepoURL()
-    }
-    stage('Build Docker container') {
-        parallel (
-            'x86-64': {
-                script {
-                    dir('docker') {
-                        sh """
-                            docker build -t ${env.DOCKER_IMAGE} .
-                        """
-                        if ( ! isCustomBuild()) {
-                            withDockerRegistry([credentialsId: "DockerHub"]) {
-                                sh "docker push ${env.DOCKER_IMAGE}"
-                            }
+    stage('Setup Container') {
+        script {
+            // create container name on demand
+            def branchName = getGitBranchName()
+            // Adjust PR target branch name so we can re-map it to the proper Docker image.
+            if (isPullRequest())
+                branchName = env.CHANGE_TARGET.toLowerCase()
+            if (branchName.equals('master'))
+                branchName = 'current'
 
-                        }
-                    }
-                }
-            },
-//          'armhf': {
-//              script {
-//                  dir('docker') {
-//                      sh """
-//                          cp Dockerfile armhf/Dockerfile
-//                          cp entrypoint.sh armhf/entrypoint.sh
-//                          sed -i 's#^FROM.*#FROM multiarch/debian-debootstrap:armhf-buster-slim#' armhf/Dockerfile
-//                          docker build -t ${env.DOCKER_IMAGE_ARM} armhf
-//                      """
-//                      if ( ! isCustomBuild()) {
-//                          withDockerRegistry([credentialsId: "DockerHub"]) {
-//                              sh "docker push ${env.DOCKER_IMAGE_ARM}"
-//                          }
-//                      }
-//                  }
-//              }
-//          },
-          'arm64': {
-              script {
-                  dir('docker') {
-                      sh """
-                          docker build -t ${env.DOCKER_IMAGE_ARM64} --build-arg ARCH=arm64v8/ .
+            env.DOCKER_IMAGE = 'vyos/vyos-build:' + branchName
 
-                      """
-
-                      if ( ! isCustomBuild()) {
-                          withDockerRegistry([credentialsId: "DockerHub"]) {
-                              sh "docker push ${env.DOCKER_IMAGE_ARM64}"
-
-                          }
-                      }
-                  }
-              }
-          }
-        )
+            // Get the current UID and GID from the jenkins agent to allow use of the same UID inside Docker
+            env.USR_ID = sh(returnStdout: true, script: 'id -u').toString().trim()
+            env.GRP_ID = sh(returnStdout: true, script: 'id -g').toString().trim()
+            env.DOCKER_ARGS = '--privileged --sysctl net.ipv6.conf.lo.disable_ipv6=0 -e GOSU_UID=' + env.USR_ID + ' -e GOSU_GID=' + env.GRP_ID
+            env.BASE_VERSION = '1.3-stable-'
+        }
     }
 }
 
 pipeline {
-    options {
-        disableConcurrentBuilds()
-        timeout(time: 120, unit: 'MINUTES')
-        parallelsAlwaysFailFast()
-        timestamps()
+    agent {
+        docker {
+            label "Docker"
+            args "${env.DOCKER_ARGS}"
+            image "${env.DOCKER_IMAGE}"
+            alwaysPull true
+            reuseNode true
+        }
     }
     triggers {
-        cron('H 2 * * *')
+        cron('H 4 * * *')
     }
-    agent {
-        dockerfile {
-            filename 'Dockerfile'
-            dir 'docker'
-            args '--privileged --sysctl net.ipv6.conf.lo.disable_ipv6=0 -e GOSU_UID=1006 -e GOSU_GID=1006'
-        }
+    parameters {
+        string(name: 'BUILD_BY', defaultValue: 'autobuild@vyos.net', description: 'Builder identifier (e.g. jrandomhacker@example.net)')
+        string(name: 'BUILD_VERSION', defaultValue: env.BASE_VERSION + 'ISO8601-TIMESTAMP', description: 'Version number (release builds only)')
+        booleanParam(name: 'BUILD_PUBLISH', defaultValue: false, description: 'Publish this build to downloads.vyos.io and AWS S3')
+        booleanParam(name: 'BUILD_SMOKETESTS', defaultValue: true, description: 'Include Smoketests in ISO image')
+        booleanParam(name: 'BUILD_SNAPSHOT', defaultValue: false, description: 'Upload image to AWS S3 snapshot bucket')
+    }
+    options {
+        disableConcurrentBuilds()
+        timeout(time: 180, unit: 'MINUTES')
+        timestamps()
+        buildDiscarder(logRotator(numToKeepStr: '20'))
     }
     stages {
         stage('Build ISO') {
             when {
                 beforeOptions true
                 beforeAgent true
-                // Do not run ISO build when the Docker container definition or the build pipeline
-                // library changes as this has no direct impact on the ISO image.
-                not { changeset "**/docker/*" }
-                not { changeset "**/vars/*" }
-                not { changeset "**/packages/*" }
+                // Only run ISO image build process of explicit user request or
+                // once a night triggered by the timer.
                 anyOf {
                     triggeredBy 'TimerTrigger'
                     triggeredBy cause: "UserIdCause"
@@ -136,13 +87,20 @@ pipeline {
                     def commitId = sh(returnStdout: true, script: 'git rev-parse --short=11 HEAD').trim()
                     currentBuild.description = sprintf('Git SHA1: %s', commitId[-11..-1])
 
+                    def CUSTOM_PACKAGES = ''
+                    if (params.BUILD_SMOKETESTS)
+                        CUSTOM_PACKAGES = '--custom-package vyos-1x-smoketest'
+
+                    def VYOS_VERSION = params.BUILD_BY
+                    if (params.BUILD_VERSION == env.BASE_VERSION + 'ISO8601-TIMESTAMP')
+                        VYOS_VERSION = env.BASE_VERSION + sh(returnStdout: true, script: 'date -u +%Y%m%d%H%M').toString().trim()
+
                     sh """
                         ./configure \
-                            --build-by autobuild@vyos.net \
-                            --debian-mirror http://ftp.us.debian.org/debian/ \
+                            --build-by "${params.BUILD_BY}" \
+                            --debian-mirror http://deb.debian.org/debian/ \
                             --build-type release \
-                            --version 1.3-rolling-\$(date +%Y%m%d%H%M) \
-                            --custom-package "vyos-1x-smoketest"
+                            --version "${VYOS_VERSION}" ${CUSTOM_PACKAGES}
                         sudo make iso
                     """
 
@@ -152,9 +110,12 @@ pipeline {
                 }
             }
         }
-        stage('QEMU') {
+        stage('Test') {
+            when {
+                expression { return params.BUILD_SMOKETESTS }
+            }
             parallel {
-                stage('Smoketests without vyos-configd') {
+                stage('Smoketests') {
                     when {
                         expression { fileExists 'build/live-image-amd64.hybrid.iso' }
                     }
@@ -162,14 +123,6 @@ pipeline {
                         sh "sudo make test"
                     }
                 }
-                stage('Smoketests with vyos-configd') {
-                    when {
-                        expression { fileExists 'build/live-image-amd64.hybrid.iso' }
-                    }
-                    steps {
-                        sh "sudo make testd"
-                    }
-                }
                 stage('Smoketests with vyos-configd and arbitrary config loader') {
                     when {
                         expression { fileExists 'build/live-image-amd64.hybrid.iso' }
@@ -178,63 +131,70 @@ pipeline {
                         sh "sudo make testc"
                     }
                 }
-                stage('Build QEMU image') {
+                stage('Smoketests for RAID-1 system installation') {
                     when {
                         expression { fileExists 'build/live-image-amd64.hybrid.iso' }
                     }
                     steps {
-                        sh "sudo make qemu"
+                        sh "sudo make testraid"
                     }
                 }
             }
         }
     }
     post {
+        always {
+            archiveArtifacts artifacts: '**/build/vyos-*.iso, **/build/vyos-*.qcow2',
+                allowEmptyArchive: true
+        }
         success {
             script {
                 // only deploy ISO if build from official repository
                 if (isCustomBuild())
                     return
 
-                files = findFiles(glob: 'build/vyos*.iso')
-                if (files) {
-                    // publish build result, using SSH-dev.packages.vyos.net Jenkins Credentials
-                    sshagent(['SSH-dev.packages.vyos.net']) {
-                        dir('build') {
-                            // build up some fancy groovy variables so we do not need to write/copy
-                            // every option over and over again!
-                            def ARCH = sh(returnStdout: true, script: "dpkg --print-architecture").trim()
-                            def ISO = sh(returnStdout: true, script: "ls vyos-*.iso").trim()
-                            def SSH_DIR = '/home/sentrium/web/downloads.vyos.io/public_html/rolling/' + getGitBranchName() + '/' + ARCH
-                            def SSH_OPTS = '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
-                            def SSH_REMOTE = 'khagen@10.217.48.113'
+                // only deploy ISO if requested via parameter
+                if (! params.BUILD_PUBLISH)
+                    return
 
-                            // No need to explicitly check the return code. The pipeline
-                            // will fail if sh returns a non 0 exit code
-                            sh """
-                                sha256sum ${ISO} > ${ISO}.sha256
-                                ssh ${SSH_OPTS} ${SSH_REMOTE} -t "bash --login -c 'mkdir -p ${SSH_DIR}'"
-                                ssh ${SSH_OPTS} ${SSH_REMOTE} -t "bash --login -c 'find ${SSH_DIR} -type f -mtime +28 -exec rm -f {} \\;'"
-                                scp ${SSH_OPTS} -r ${ISO} ${ISO}.sha256 ${SSH_REMOTE}:${SSH_DIR}/
-                                ssh ${SSH_OPTS} ${SSH_REMOTE} -t "bash --login -c '/usr/bin/make-latest-rolling-symlink.sh'"
-                            """
+                files = findFiles(glob: 'build/vyos*.iso')
+                // Publish ISO image to daily builds bucket
+                if (files) {
+                    // Publish ISO image to snapshot bucket
+                    if (files && params.BUILD_SNAPSHOT) {
+                        withAWS(region: 'us-east-1', credentials: 's3-vyos-downloads-rolling-rw') {
+                            s3Upload(bucket: 's3-us.vyos.io', path: 'snapshot/' + params.BUILD_VERSION + '/', workingDir: 'build', includePathPattern: 'vyos*.iso')
+                        }
+                    } else {
+                        // Publish build result to AWS S3 rolling bucket
+                        withAWS(region: 'us-east-1', credentials: 's3-vyos-downloads-rolling-rw') {
+                            s3Upload(bucket: 's3-us.vyos.io', path: 'rolling/' + getGitBranchName() + '/',
+                                     workingDir: 'build', includePathPattern: 'vyos*.iso')
+                            s3Copy(fromBucket: 's3-us.vyos.io', fromPath: 'rolling/' + getGitBranchName() + '/' + files[0].name,
+                                   toBucket: 's3-us.vyos.io', toPath: getGitBranchName() + '/vyos-rolling-latest.iso')
                         }
                     }
 
-                    // Upload to Amazon S3 storage
+                    // Trigger GitHub action which will re-build the static community website which
+                    // also holds the AWS download links to the generated ISO images
+                    withCredentials([string(credentialsId: 'GitHub-API-Token', variable: 'TOKEN')]) {
+                        sh '''
+                            curl -X POST --header "Accept: application/vnd.github.v3+json" \
+                            --header "authorization: Bearer $TOKEN" --data '{"ref": "production"}' \
+                            https://api.github.com/repos/vyos/community.vyos.net/actions/workflows/main.yml/dispatches
+                        '''
+                    }
+                }
+
+                // Publish ISO image to snapshot bucket
+                if (files && params.BUILD_SNAPSHOT) {
                     withAWS(region: 'us-east-1', credentials: 's3-vyos-downloads-rolling-rw') {
-                        s3Upload(bucket: 's3-us.vyos.io', path: 'rolling/',
+                        s3Upload(bucket: 's3-us.vyos.io', path: 'snapshot/',
                                  workingDir: 'build', includePathPattern: 'vyos*.iso')
-                        s3Copy(fromBucket: 's3-us.vyos.io', fromPath: 'rolling/' + files[0].name,
-                               toBucket: 's3-us.vyos.io', toPath: 'rolling/vyos-rolling-latest.iso')
                     }
                 }
             }
         }
-        failure {
-            archiveArtifacts artifacts: '**/live-image-amd64.hybrid.iso',
-                allowEmptyArchive: true
-        }
         cleanup {
             echo 'One way or another, I have finished'
             // the 'build' directory got elevated permissions during the build

Jenkinsfile.docker

@@ -0,0 +1,65 @@
+#!/usr/bin/env groovy
+// Copyright (C) 2019-2021 VyOS maintainers and contributors
+//
+// This program is free software; you can redistribute it and/or modify
+// in order to easy exprort images built to "external" world
+// it under the terms of the GNU General Public License version 2 or later as
+// published by the Free Software Foundation.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+@NonCPS
+
+// Using a version specifier library, use 'current' branch. The underscore (_)
+// is not a typo! You need this underscore if the line immediately after the
+// @Library annotation is not an import statement!
+@Library('vyos-build@equuleus')_
+setDescription()
+
+pipeline {
+    agent none
+    options {
+        disableConcurrentBuilds()
+        timeout(time: 240, unit: 'MINUTES')
+        timestamps()
+        buildDiscarder(logRotator(numToKeepStr: '20'))
+    }
+    stages {
+        stage('Build containers') {
+            when {
+                beforeOptions true
+                beforeAgent true
+                // Only run ISO image build process of explicit user request or
+                // once a night triggered by the timer.
+                anyOf {
+                    changeset pattern: "**/docker/*"
+                    changeset pattern: "**/Jenkinsfile.docker"
+                    triggeredBy cause: "UserIdCause"
+                }
+            }
+            parallel {
+                stage('x86_64') {
+                    agent {
+                        label "ec2_amd64"
+                    }
+                    steps {
+                        script {
+                            DOCKER_IMAGE = "vyos/vyos-build:" + getGitBranchName()
+                            sh "docker build --no-cache --tag ${DOCKER_IMAGE} docker"
+                            if (! isCustomBuild()) {
+                                withDockerRegistry([credentialsId: "DockerHub"]) {
+                                    sh "docker push ${DOCKER_IMAGE}"
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+}

LICENSE.artwork

@@ -0,0 +1,32 @@
+# The spirit
+
+VyOS is free (as in freedom) software. We keep the source code and the build tools freely-licensed
+and available to everyone to inspect, modify, and distribute.
+The goal of VyOS is to create a network operating system available to everyone who needs it.
+We welcome contributions from all community members and we are happy to share our work on LTS releases
+with contributors. We also don't require contributors to give us exclusive rights to their contributions,
+and VyOS source code belongs to the entire community.
+
+However, success of a project and its ability to receive funding through commercial services
+rests on the reputation of its maintainers.
+And the "pay for binaries" LTS release model only works if access to images is actually restricted
+to those who support the project by purchasing a subscription or contributing.
+
+We cannot let other people and organizations exploit our reputation for gain or put it at risk
+by distributing modified images with VyOS branding, or compromise the LTS business model
+by redistributing pre-built images meant for subscription holders.
+
+We enforce that through trademarks and copyrighted artwork.
+
+Use and distribution of pre-built LTS images is governed by a EULA you can find in /usr/share/doc/vyos/EULA
+on the live image and in installed systems. 
+
+Self-built images can be freely distributed, but only if you replace the branding with yourn own,
+that is, replace all artwork files that contain the VyOS logo and all end-user-visible mentions of the VyOS name.
+
+# The letter
+
+VyOS is a registered trademarks in the United States, countries of the European Union, and other countries.
+
+The copyright to the artwork files that contain the VyOS logo, such as data/live-build-config/includes.binary/isolinux/splash.png
+belongs to Sentrium S.L. and affiliated, all rights reserved.

Makefile

@@ -1,5 +1,7 @@
 build_dir := build
 
+SHELL := /bin/bash
+
 .PHONY: all
 all:
 	@echo "Make what specifically?"
@@ -221,33 +223,77 @@ vep1400: check_build_config clean prepare
 	cd ..
 	@scripts/copy-image
 
-.PHONY: test
+.PHONY: edgecore
 .ONESHELL:
-test:
+edgecore: check_build_config clean prepare
+	@set -e
+	@echo "It's not like I'm building this specially for you or anything!"
+	mkdir -p build/config/includes.chroot/lib/udev/rules.d/
+	cp tools/vendors_udev/64-vyos-SAF51015I-net.rules build/config/includes.chroot/lib/udev/rules.d/
+	cp tools/vendors_udev/64-vyos-SAF51003I-net.rules build/config/includes.chroot/lib/udev/rules.d/
+	cd $(build_dir)
+	lb build 2>&1 | tee build.log
+	cd ..
+	@scripts/copy-image
+
+.PHONY: aaeon
+.ONESHELL:
+aaeon: check_build_config clean prepare
+	@set -e
+	@echo "It's not like I'm building this specially for you or anything!"
+	mkdir -p build/config/includes.chroot/lib/udev/rules.d/
+	cp tools/vendors/aaeon/64-vyos-aaeon*net.rules build/config/includes.chroot/lib/udev/rules.d/
+	cd $(build_dir)
+	lb build 2>&1 | tee build.log
+	cd ..
+	@scripts/copy-image
+
+.PHONY: xcp-ng-iso
+.ONESHELL:
+xcp-ng-iso: check_build_config clean prepare
+	@set -e
+	@echo "It's not like I'm building this specially for you or anything!"
+	sed -i 's/vyos-xe-guest-utilities/xe-guest-utilities/g' $(build_dir)/config/package-lists/vyos-x86.list.chroot
+	cd $(build_dir)
+	set -o pipefail
+	lb build 2>&1 | tee build.log; if [ $$? -ne 0 ]; then exit 1; fi
+	cd ..
+	@scripts/copy-image
+	exit 0
+
+.PHONY: checkiso
+.ONESHELL:
+checkiso:
 	if [ ! -f build/live-image-amd64.hybrid.iso ]; then
 		echo "Could not find build/live-image-amd64.hybrid.iso"
 		exit 1
 	fi
-	scripts/check-qemu-install --debug build/live-image-amd64.hybrid.iso
+
+.PHONY: test
+.ONESHELL:
+test: checkiso
+	scripts/check-qemu-install --debug --uefi build/live-image-amd64.hybrid.iso
+
+.PHONY: test-no-interfaces
+.ONESHELL:
+test-no-interfaces: checkiso
+	scripts/check-qemu-install --debug --no-interfaces build/live-image-amd64.hybrid.iso
 
 .PHONY: testd
 .ONESHELL:
-testd:
-	if [ ! -f build/live-image-amd64.hybrid.iso ]; then
-		echo "Could not find build/live-image-amd64.hybrid.iso"
-		exit 1
-	fi
+testd: checkiso
 	scripts/check-qemu-install --debug --configd build/live-image-amd64.hybrid.iso
 
 .PHONY: testc
 .ONESHELL:
-testc:
-	if [ ! -f build/live-image-amd64.hybrid.iso ]; then
-		echo "Could not find build/live-image-amd64.hybrid.iso"
-		exit 1
-	fi
+testc: checkiso
 	scripts/check-qemu-install --debug --configd --configtest build/live-image-amd64.hybrid.iso
 
+.PHONY: testraid
+.ONESHELL:
+testraid: checkiso
+	scripts/check-qemu-install --debug --configd --raid --configtest build/live-image-amd64.hybrid.iso
+
 .PHONY: clean
 .ONESHELL:
 clean:

README.md

@@ -72,7 +72,7 @@ In packages that originate from VyOS the master branch is kept in sync with
 last legacy package is gone, we will switch to using the `master` branch and
 retire `current`.
 
-Post-1.2.0 branches are named after constellations sorted by from smallest to largest.
+Post-1.2.0 branches are named after constellations sorted by area from smallest to largest.
 There are 88 of them, here's the [complete list](https://en.wikipedia.org/wiki/IAU_designated_constellations_by_area).
 
 * 1.2.x: `crux` (Southern Cross)

data/defaults.json

@@ -3,14 +3,14 @@
   "debian_mirror": "http://deb.debian.org/debian",
   "debian_security_mirror": "http://deb.debian.org/debian-security",
   "debian_distribution": "buster",
-  "vyos_mirror": "http://dev.packages.vyos.net/repositories/current",
-  "vyos_branch": "current",
-  "kernel_version": "5.4.86",
+  "vyos_mirror": "http://dev.packages.vyos.net/repositories/equuleus",
+  "vyos_branch": "equuleus",
+  "kernel_version": "5.4.268",
   "kernel_flavor": "amd64-vyos",
   "release_train": "equuleus",
   "additional_repositories": [
-    "deb http://repo.saltstack.com/py3/debian/10/amd64/archive/3002.2 buster main",
-    "deb http://repo.powerdns.com/debian buster-rec-43 main"
+    "deb [arch=amd64] https://repo.saltproject.io/py3/debian/10/amd64/3003 buster main",
+    "deb [arch=amd64] http://repo.powerdns.com/debian buster-rec-48 main"
   ],
   "custom_packages": []
 }

data/live-build-config/archives/bullseye.pref.chroot

@@ -6,6 +6,50 @@ Package: ddclient
 Pin: release n=bullseye
 Pin-Priority: 600
 
+Package: podman
+Pin: release n=bullseye
+Pin-Priority: 600
+
+Package: libseccomp2
+Pin: release n=bullseye
+Pin-Priority: 600
+
+Package: conmon
+Pin: release n=bullseye
+Pin-Priority: 600
+
+Package: containernetworking-plugins
+Pin: release n=bullseye
+Pin-Priority: 600
+
+Package: runc
+Pin: release n=bullseye
+Pin-Priority: 600
+
+Package: golang-github-containers-common
+Pin: release n=bullseye
+Pin-Priority: 600
+
+Package: golang-github-containers-image
+Pin: release n=bullseye
+Pin-Priority: 600
+
+Package: skopeo
+Pin: release n=bullseye
+Pin-Priority: 600
+
+Package: initramfs-tools-core
+Pin: release n=bullseye
+Pin-Priority: 600
+
+Package: initramfs-tools
+Pin: release n=bullseye
+Pin-Priority: 600
+
+Package: squashfs-tools
+Pin: release n=bullseye
+Pin-Priority: -10
+
 Package: *
 Pin: release n=bullseye
 Pin-Priority: -10

data/live-build-config/archives/buster-backports.pref.chroot

@@ -22,6 +22,38 @@ Package: wireguard-tools
 Pin: release n=buster-backports
 Pin-Priority: 600
 
+Package: openvpn
+Pin: release n=buster-backports
+Pin-Priority: 600
+
+Package: modemmanager
+Pin: release n=buster-backports
+Pin-Priority: 600
+
+Package: libmbim-glib4
+Pin: release n=buster-backports
+Pin-Priority: 600
+
+Package: libmm-glib0
+Pin: release n=buster-backports
+Pin-Priority: 600
+
+Package: libqmi-glib5
+Pin: release n=buster-backports
+Pin-Priority: 600
+
+Package: libmbim-proxy
+Pin: release n=buster-backports
+Pin-Priority: 600
+
+Package: libqmi-glib5
+Pin: release n=buster-backports
+Pin-Priority: 600
+
+Package: libqmi-proxy
+Pin: release n=buster-backports
+Pin-Priority: 600
+
 Package: *
 Pin: release n=buster-backports
 Pin-Priority: -10

data/live-build-config/archives/pdns.key.chroot

@@ -1,5 +1,4 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1
 
 mQINBFV2/GwBEADD4oJuwcLkYZD6R+PM0zKdZ04owicJ9e1nTbBb8OA+92TI0cJY
 8XGpjEJBRECOMJi9Gr6p3QxgZX1IQbiB/RJgRN0BYTZJ6BKobJAlSNsZBVH4wt/F
@@ -13,18 +12,18 @@ yt1K0ow4M54woB/68cMy0UB6cA8uOHscRObau3T3UB0ohsEPF7KYAqOKfKP0irV+
 Ys6tR0KI/TeHqrqKhCA9PGOpOmqJaibt5GqFTc3Dp4U19njMmh4eboki8EwS6DNy
 4HD76dFz2jkSQ74uB/X+nxuFEVRKS54q4aeg83NL5lnsD8TWdhTui4mURQARAQAB
 tDxQb3dlckROUyBSZWxlYXNlIFNpZ25pbmcgS2V5IDxwb3dlcmRucy5zdXBwb3J0
-QHBvd2VyZG5zLmNvbT6JAj4EEwECACgFAlV2/GwCGwMFCQ8JnAAGCwkIBwMCBhUI
-AgkKCwQWAgMBAh4BAheAAAoJEBsMYgX9OA+75QYQAJ7a3rZiTmBJkYfDYbZGOcJj
-tIgWj5ieyIHjaG1kR3setK1GbYrd7dkeHuWIT8FCO/mQwrKTlxEd+Vj5a79Bpu0D
-de1MRi7jTIb/Qrge532Pnk5T7qFjJWfvTWhpSV9XDwHR216aByuHZ9gAJt92hgo5
-eSXHPpwbi+qAdymndUswFBHY0kLNpIYAa2mZcSNbaI/RFNYPOM/aqDMcpQ2s1Rf1
-c8iTPewf04jlNd75M59AAbnpdoFiCKbV+Q8oeUNxRGhHCQgcTaWhT5vdF2pXP1jb
-rVykPxN7U5zTu03m/qbUCKg9Pqkhr79a2XNIpcGHhsp58B6dJdBPhXT/tFXnVpY0
-wZHGGlBVhZzC1Qdq58ilyQ2qfIci2sjMoS62lAffemb88CyoQ2UadhNKZTn93Ogo
-lmW1txqN7UU7hUBxwdztw+Pgf7V+ADwkPHnSsNLupkZ7QUOl2i1kPwgcnwHLPFoD
-bYDteCtqcVVCY5v3OC95jGJ4bqwgIIeQ5kloKY2pRLeNedbCHbGc6rVjX5X0K2zt
-F7/dWOklI1Ox4Y+Vv0Ln7u3BvSyl5jWXWzH2V6q3ff7NKVro3keZmgTzcBwJEv/z
-p40ds9f2LTKJX4DajyAF2Z+j79obMYwKo0w+Vy36QrO8TlKk+ZU/6vcFfVdEoCtv
-d5a03QgyYgMX0WW8Smam
-=BY4B
+QHBvd2VyZG5zLmNvbT6JAlUEEwEKAD8CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4B
+AheAFiEEn6qlV36Pz2IJPQNsGwxiBf04D7sFAmSBbicFCRSuDDsACgkQGwxiBf04
+D7s/HRAAooP+NzYZnxr8pynTZxCK2yGTwb8kuDVLfBYNibtHHXdHQZ5qhxhGfmI/
+rtnAjQS3SCzwwvAyK6Y5XU7z5ahctnEKaN+J43ve/nP5e9Aq15ioE72gLawg9IEU
+I8e+7FL/WF+feQQo/8dhmqx4inOlOSb+kx9CCbSvA9Mxb+dDvf9dKBmTj/22uxQG
+oeVBnj5TK4XCSmIiNZC3phHJWuL38pFUKYsOMDpRg1VUkgRPqc/9n1iWod2QkblU
+ynpL74SAag2HG5zzbvknqWlgrNAqjMZjx2V/DKTdTTEeqo2jq1eWinoOv79vZlH7
+L8kOyVPKMotQQdnp7n+Hs/FEHdyBV8OApGb62lF2xElDXnX+EertforubqloE46k
+KcAzlylJKqIr1DGb/2VbpZUOllr8Y4aFB6yU1CL9S7MF5GTjsG9LmmUDbhHw8v4b
+v3r7EmRN5AzBMhIDpNb3cDi8a83IztcfrUQlbzu4h4YU670t1+OTJ5KgwL6Mdr+1
+TMiPJg5Y2ZfTVhi82hJDBCHzaOunyjXcU+pgMEl4YBNUsnFrkvBV2S7lLCJi5aDA
+scFMb1hGMVeDFvd9sZg520PekP1Tejj+KjKXdWGi5xAT8M3MlIHJKV2mVLGuirx4
+aOLHBOKR3n/8SGXuUuVIxmeF5mzdZuyfxn4lz4EXTTQ6J5fFX78=
+=/3of
 -----END PGP PUBLIC KEY BLOCK-----

data/live-build-config/archives/pdns.pref.chroot

@@ -0,0 +1,3 @@
+Package: pdns-*
+Pin: origin repo.powerdns.com
+Pin-Priority: 600

data/live-build-config/archives/vyos-release.key.chroot

@@ -1,53 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v2.0.22 (GNU/Linux)
-
-mQINBF0/MrsBEADLSj4PdgHsr4FblWqQmmZD32J3EVlXrBIwi0zT1RN6V6vA81xx
-Qe8XNm6LXVB9kjH9Qv+MwIWWOkTYGCDg2oiIAKPRnJfKisDo4Ax3a1j2YOF6Ud2n
-t1bdDfSvnMnEITnMwa+BHKx3QeBoVG/8zhMeHjXy0QwHUIdKMyrX8M0JWY/sqLlv
-HvzEaB3PEMFGFhuJ3Dh/ZxquVVuSS2GPRyTpLTqrPSH9jG8hf8YFWBE+CHbnclZc
-4NKlI5Q5yrqrUE7zGWgg3O75o6xlJpjI2TJXPPYU6llCNQi/AUIB3R34okMdyYmP
-dzaHBXeA+a5glikv5i0ysJgfZ/hvZgayZdAvqIxQxjzvKebmqUutay7LhgjKGRnC
-vdAAQ1LbkqPvbBN1oaElRiTUR6bekTFd/M8x3DWPHc0xkNps6f4sEoiFkujpsl26
-uGlBhf59yFzI/XhjT/04pUWa3myFhGWT4WSw8cf3o/47/CiL4TefOBTY2vSSub7V
-nekDG6H75i9szMMQGzry71+RzYMOWkUnnnQ6wjpHuce42zU7wKUdl2+Wrr+g2/cK
-NKFvHRmGLVOpcabDawWi08hHr+J6Gje9PCePfY4x0p6Idjz5YW4Q1D/XSDZZ3nni
-akhMO1onHLolY7jstdexhSSi7nS9bDAdnHlL7e/hJemF5G0IvLlkaXYIpQARAQAB
-tDJWeU9TIG1haW50YWluZXJzIChwYWNrYWdlIHNpZ25pbmcpIDxwa2dzQHZ5b3Mu
-bmV0PokCOQQTAQIAIwUCXT8yuwIbAwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheA
-AAoJELK9zt4uv5wGFk4P/3MUhejAJrkMy8EC21P74yCxpZ8RfahML/hIy8+13mWd
-480eSGrZr+mEk7pN4T+5cOV4gO9gsKlZ+9zvP8PjRqrHhdDWnA+6GZSMmwvV5C+s
-DDop3Wa5z6u5SXwultAEzssNtmVreXhGrB/gkpx6NsAZz9TbwVCOyfFu5di2Oued
-ItL6IhkLBIbOmJX1X5CD3AvXIKcRwp7L3mFYP+UE5/c3OFmIK5P1J3vvHRPQqHls
-BOPs7dMowfCQfNTUyUWTG74gPo9wHCnuE6QnO5b/j1dPKgz5058bK+NMFgLLdw6X
-pb8Z7CvQPSLr5o2KfP+LsC7Nyz4tFQukJvidZdQ/uYQ38SDXsLbmlqnQWDCtYMzu
-j225frdkvymwvLrroVWGfbJI2Bd+u3VoQmLdMdddnSe/+oKoh2/xBueWH/O6d4F4
-br+HNbhxaxhhM2JuPXB7mQTDyzl4RhD8JixV6YgjWo1/X8wfpJdB/utTbiwLdhIH
-q2gdI3sxDCikapQWEhHWAgW4azhzXXvo8RTwNWXtck2DBsQxsn4lANvcWwJ7fRD5
-FDgIcJJ+rZrA9NT1sihSjxvUWAmByOSWwdWQRm8O86tFjqm9mJ5ppIYLX5weMa6L
-przxbm85y5DZeeuxo297YHGbrfeRm7ko/yB+DFdnLirnblK5JI4RL94AwZjad879
-uQINBF0/MrsBEACmKylWG6GC+EPn+x01vA3tVDyyDcOxaRevCvCYEINv7yn7Ajc3
-ZaWqqNRfZheOU5hUVJjW6cv7xqaWIn9J/7vatmdeX8H1cVWpSk/e1QT1Fop7I71e
-4skDn8YI6JIZgFBrqe1O3YHOQDZbMO9zR5jNpVD7XXLyGsRvjnkH/ybugBeiVCqt
-7x2I8OnDQggFnBrishMjVrEmBAduE3JICC1IbCCtVG67h07E/BC7XJVgME8Hvfwl
-EBTo8Y6CWcrsJZfAQKU+3wi5feFVLIbhNceiGcxmi7uJML+hGoSf92Pmn7i9p5su
-ywy4XF+aWvd4R3CMYywOiukB3rItic7gp0tpcMK7AwessGqvD/luz2cNY1IqDKak
-w7jGbGUT54zKO3tpt73dYGyf3SUHQ9aNAaGuSxjq/c9v9X4KpzmAi82rt4wSkDVa
-/5SkxsU9aP6lql2MrZm//Pj3hjyipTLUFhndbjeJDgBRROMJdokNkFIIaweJGAg2
-wNwBC6HRIYXLyOsV+Azf1gqSpCEqdKVLJkBduuChtd7N9xoUahag2yya+ujwpcN6
-nlmnhZt+yfgi0uO2cPmsof9PkJi+cb44IAgkvG96Zj2JbLHSlGipyYTHLYS46RC4
-CkaF3DSwDXVU+lBqJz+WkOywpMGUKtZwPbpy7ZJVf2JL8Rf0D95sIaeICwARAQAB
-iQIfBBgBAgAJBQJdPzK7AhsMAAoJELK9zt4uv5wG45IP/2YEQzyn2qiqHInLEmXE
-R7fefmkiTy925juASQiR/LGOCSfCOnMKBMkyi63XvQuhAALU6RxgK69yLZJYWQ+a
-gh+vrrndCzprCM4PohuupknA8nAY+FvC5xoOZVkZ/+vUP344ukxN9Fz1d9oU3G5a
-luoA23G1qs7kHJw/xzN1BFNqie2mIzMAOI0Wu0BZxmYmD3Ph0KMbUD08jX6ImDF6
-EnqS0VhCgXfWhPBqh5TOG35Fi5ZCmupbgqBJQZg5fLIWS3Hk2qBm70FR3iLdjiYu
-w165hBlqcJ2YfvVBKVvMNRVB9BtF7BfzCM3/y/4V82EZ7qQJ+jE30N+/vwrAOrUd
-QVlFsC5eYDOkRb3XXhijXZhoKoeXTwY7TGNntavVMYZ2W4EFoX2OH8/2A7KEYhqc
-3cjEJ7EoM6hkmm6xmU82oQ8Moll1SgQbkNKlZYDPMs7Ppr4zBJjnVYVcP9e1RLFO
-0POJbtG7CCAstcvMu/3Yw7Il/TOGvc3TNBPrkYtriDj+B900W5sEc33iUV9VRAAi
-Bkfs0XMSQVIcMdquu2LGfNWBjd/YCZVQ8OzFYoZJeq18oxeZ9/tE4NE3KyUBmqil
-5/WicCYtxgxByAvhN5dFn+nPfoEMQ/e9Zhs2ImrrSy12Ehg1swRjAK39NrjySDFT
-FhyPysWJ4aNKtAYgVuQguPTt
-=rJUC
------END PGP PUBLIC KEY BLOCK-----
-

data/live-build-config/bootloaders/grub-pc/grub.cfg

@@ -1,59 +1,36 @@
 set default=0
 set timeout=10
 
-loadfont $prefix/dejavu-bold-16.pf2
-loadfont $prefix/dejavu-bold-14.pf2
-loadfont $prefix/unicode.pf2
-set gfxmode=auto
-insmod all_video
-insmod gfxterm
+insmod serial
+serial --unit=0 --speed=115200
+
+insmod part_msdos
+insmod ext2
+insmod efi_gop
+insmod efi_uga
 insmod png
 
+loadfont /boot/grub/dejavu-bold-16.pf2
+loadfont /boot/grub/dejavu-bold-14.pf2
+loadfont /boot/grub/unicode.pf2
+
+set gfxmode="640x480x16"
+set gfxpayload="640x480x16"
+terminal_output gfxterm
+
+set splash_img="/isolinux/splash.png"
+if [ -e ${splash_img} ]; then
+    background_image ${splash_img}
+fi
+
+terminal_output --append serial
+terminal_input serial console
+
 set color_normal=light-gray/black
 set color_highlight=white/black
 
-if [ -e /isolinux/splash.png ]; then
-    # binary_syslinux modifies the theme file to point to the correct
-    # background picture
-    set theme=/boot/grub/live-theme/theme.txt
-elif [ -e /boot/grub/splash.png ]; then
-    set theme=/boot/grub/live-theme/theme.txt
-else
-    set menu_color_normal=cyan/blue
-    set menu_color_highlight=white/blue
-fi
-
-terminal_output gfxterm
-
-insmod play
-play 960 440 1 0 4 440 1
-
 # Live boot
 LINUX_LIVE
 
-# You can add more entries like this
-# menuentry "Alternate live boot" {
-# linux KERNEL_LIVE APPEND_LIVE custom options here
-# initrd INITRD_LIVE
-# }
-# menuentry "Alternate graphical installer" {
-# linux KERNEL_GI APPEND_GI custom options here
-# initrd INITRD_GI
-# }
-# menuentry "Alternate textual installer" {
-# linux KERNEL_DI APPEND_DI custom options here
-# initrd INITRD_DI
-# }
-
 # Installer (if any)
 LINUX_INSTALL
-
-submenu 'Advanced options...' {
-
-# More installer entries (if any)
-LINUX_ADVANCED_INSTALL
-
-# Memtest (if any)
-MEMTEST
-
-}

data/live-build-config/hooks/live/02-issue.chroot

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-echo I: Rewriting /etc/issue and /etc/issue.net
-cat <<EOF > etc/issue
-Welcome to VyOS - \n \l
-
-EOF
-cat <<EOF > etc/issue.net
-Welcome to VyOS
-EOF

data/live-build-config/hooks/live/11-busybox.chroot

@@ -139,6 +139,7 @@ bb_alternative /usr/bin/renice
 bb_alternative /usr/bin/reset
 bb_alternative /usr/bin/setkeycodes
 bb_alternative /usr/bin/sha1sum
+bb_alternative /usr/bin/sha256sum
 bb_alternative /usr/bin/sort
 bb_alternative /usr/bin/strings
 bb_alternative /usr/bin/tail

data/live-build-config/hooks/live/18-enable-disable_services.chroot

@@ -1,15 +1,16 @@
 #!/bin/sh
 
 echo I: Disabling services
-systemctl disable exim4.service
+systemctl disable sendmail.service
+systemctl disable smartd.service
 systemctl disable isc-dhcp-server.service
 systemctl disable isc-dhcp-relay.service
 systemctl disable nfacctd.service
 systemctl disable pmacctd.service
 systemctl disable sfacctd.service
 systemctl disable uacctd.service
-systemctl disable lighttpd.service
 systemctl disable ssh.service
+systemctl disable sshguard.service
 systemctl disable openvpn.service
 systemctl disable lldpd.service
 systemctl disable LCDd.service
@@ -55,6 +56,8 @@ systemctl disable hostapd.service
 systemctl disable keepalived.service
 systemctl disable ipvsadm.service
 systemctl disable telegraf.service
+systemctl disable ModemManager.service
+systemctl disable pppd-dns.service
 
 echo I: Enabling services
 systemctl enable ssh-session-cleanup.service

data/live-build-config/hooks/live/23-config_mkdir.chroot

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+echo I: Create config directory.
+
+mkdir -p /config

data/live-build-config/hooks/live/30-openvmtools-configs.chroot

@@ -2,6 +2,7 @@
 
 # open-vm-tools settings
 
+import os
 import re
 
 vmtools_config = """
@@ -10,5 +11,8 @@ vmtools_config = """
 
 """
 
-with open('/etc/vmware-tools/tools.conf', 'w') as f:
-    f.write(vmtools_config)
+if os.path.isdir('/etc/vmware-tools'):
+    with open('/etc/vmware-tools/tools.conf', 'w') as f:
+        f.write(vmtools_config)
+else:
+    print('Open VM Tools not found. Skipping its configuration.')

data/live-build-config/hooks/live/30-remove-debian-version.chroot

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# The /etc/debian_version file contains the Debian release version number.
+#Since VyOS uses image-based upgrade, that file serves no useful purpose for us.
+#
+# However, security scanners love to jump to conclusions
+# and declare an "old Debian version" vulnerable
+# without checking if there may not be any packages from that version at all.
+# Removing that file is an easy way to get fewer false positives.
+
+echo "I: Deleting the Debian version file"
+
+rm -f /etc/debian_version

data/live-build-config/hooks/live/30-strongswan-configs.chroot

@@ -36,3 +36,22 @@ with open('/etc/strongswan.d/charon/farp.conf', 'r') as f:
 
 with open('/etc/strongswan.d/charon/farp.conf', 'w') as f:
     f.write(farp_conf)
+
+
+# Add ike-name to logging
+charon_logging = """
+charon {
+    syslog {
+        # prefix for each log message
+        identifier = charon
+        # use default settings to log to the LOG_DAEMON facility
+        daemon {
+            default = 1
+            ike_name = yes
+        }
+    }
+}
+"""
+
+with open('/etc/strongswan.d/charon-logging.conf', 'w') as f:
+    f.write(charon_logging)

data/live-build-config/hooks/live/80-delete-docs.chroot

@@ -1,4 +1,10 @@
 #!/bin/bash
 
-# We do not need any documentation on the system. This frees 43MB.
-rm -rf /usr/share/doc /usr/share/doc-base /usr/share/docutils
+# We do not need any documentation on the system. This frees some space.
+# Copyright/licenses files are ignored for deletion
+shopt -s extglob
+rm -rf /usr/share/doc/*/!(copyright*|README*) /usr/share/doc-base
+
+# We also do not need any manpages on the system since man-binary is missing.
+# This also frees some space.
+rm -rf /usr/share/man

data/live-build-config/hooks/live/82-import-vyos-gpg-signing-key.chroot

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+if ! command -v gpg &> /dev/null; then
+    echo "gpg binary could not be found"
+    exit 1
+fi
+
+GPG_KEY="/usr/share/vyos/keys/vyos-release.pub.asc"
+
+echo I: Import GPG key
+gpg --import ${GPG_KEY}
+exit $?

data/live-build-config/hooks/live/83-cleanup-etc-motd-d.chroot

@@ -0,0 +1,4 @@
+#!/bin/sh
+if [ -f /etc/update-motd.d/10-uname ]; then
+    rm -f /etc/update-motd.d/10-uname
+fi

data/live-build-config/includes.chroot/etc/initramfs-tools/hooks/10-vyos-addons

@@ -14,7 +14,7 @@ esac
 # Begin real processing below this line
 
 # include listed modules to initramfs but not load them without the necessity
-manual_add_modules igb ixgbe ixgbevf i40e i40evf
+manual_add_modules igb ixgbe ixgbevf i40e i40evf ice
 
 # include modules from file (one per line) to initramfs but not load them without the necessity
 # add_modules_from_file /tmp/modlist
@@ -33,3 +33,4 @@ copy_exec /usr/sbin/fsck.ext4
 
 # copy other files ("other" here is a file type, so do not delete this keyword)
 copy_file other /etc/ssl/certs/ca-certificates.crt
+copy_file other /etc/ssl/openssl.cnf

data/live-build-config/includes.chroot/etc/modprobe.d/igb-options.conf

@@ -1 +0,0 @@
-options igb RSS=0,0,0,0,0,0,0,0

data/live-build-config/includes.chroot/etc/modprobe.d/ixgbe-options.conf

@@ -1 +1 @@
-options ixgbe allow_unsupported_sfp=1 RSS=0,0,0,0,0,0,0,0
+options ixgbe allow_unsupported_sfp=1

data/live-build-config/includes.chroot/etc/systemd/system.conf

@@ -46,7 +46,7 @@ ShowStatus=yes
 #DefaultLimitNOFILE=
 #DefaultLimitAS=
 #DefaultLimitNPROC=
-#DefaultLimitMEMLOCK=
+DefaultLimitMEMLOCK=8M
 #DefaultLimitLOCKS=
 #DefaultLimitSIGPENDING=
 #DefaultLimitMSGQUEUE=

data/live-build-config/includes.chroot/opt/vyatta/etc/config.boot.default

@@ -19,9 +19,9 @@ system {
         }
     }
     ntp {
-        server "0.pool.ntp.org"
-        server "1.pool.ntp.org"
-        server "2.pool.ntp.org"
+        server "time1.vyos.net"
+        server "time2.vyos.net"
+        server "time3.vyos.net"
     }
     console {
         device ttyS0 {

data/live-build-config/includes.chroot/usr/share/vyos/default_motd

@@ -0,0 +1,9 @@
+Welcome to VyOS!
+
+Check out project news at https://blog.vyos.io
+and feel free to report bugs at https://vyos.dev
+
+You can change this banner using "set system login banner post-login" command.
+
+VyOS is a free software distribution that includes multiple components,
+you can check individual component licenses under /usr/share/doc/*/copyright

data/live-build-config/includes.chroot/usr/share/vyos/keys/vyos-backup.minisign.pub

@@ -0,0 +1,2 @@
+untrusted comment: VyOS release signing key
+RWSw63o24QvCadaeW21Vqv6+/uzXUsNOpLlRoLRQd2NJgdOm1k1zdAb3

data/live-build-config/includes.chroot/usr/share/vyos/keys/vyos-release.minisign.pub

@@ -0,0 +1,2 @@
+untrusted comment: VyOS release signing key
+RWTR1ty93Oyontk6caB9WqmiQC4fgeyd/ejgRxCRGd2MQej7nqebHneP

data/live-build-config/includes.chroot/usr/share/vyos/keys/vyos-release.pub.asc

@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQINBFXKsiIBEACyid9PR/v56pSRG8VgQyRwvzoI7rLErZ8BCQA2WFxA6+zNy+6G
++0E/6XAOzE+VHli+wtJpiVJwAh+wWuqzOmv9css2fdJxpMW87pJAS2i3EVVVf6ab
+wU848JYLGzc9y7gZrnT1m2fNh4MXkZBNDp780WpOZx8roZq5X+j+Y5hk5KcLiBn/
+lh9Zoh8yzrWDSXQsz0BGoAbVnLUEWyo0tcRcHuC0eLx6oNG/IHvd/+kxWB1uULHU
+SlB/6vcx56lLqgzywkmhP01050ZDyTqrFRIfrvw6gLQaWlgR3lB93txvF/sz87Il
+VblV7e6HEyVUQxedDS8ikOyzdb5r9a6Zt/j8ZPSntFNM6OcKAI7U1nDD3FVOhlVn
+7lhUiNc+/qjC+pR9CrZjr/BTWE7Zpi6/kzeH4eAkfjyALj18oC5udJDjXE5daTL3
+k9difHf74VkZm29Cy9M3zPckOZpsGiBl8YQsf+RXSBMDVYRKZ1BNNLDofm4ZGijK
+mriXcaY+VIeVB26J8m8y0zN4/ZdioJXRcy72c1KusRt8e/TsqtC9UFK05YpzRm5R
+/nwxDFYb7EdY/vHUFOmfwXLaRvyZtRJ9LwvRUAqgRbbRZg3ET/tn6JZk8hqx3e1M
+IxuskOB19t5vWyAo/TLGIFw44SErrq9jnpqgclTSRgFjcjHEm061r4vjoQARAQAB
+tDZWeU9TIE1haW50YWluZXJzIChWeU9TIFJlbGVhc2UpIDxtYWludGFpbmVyc0B2
+eW9zLm5ldD6JAjgEEwECACIFAlXKsiICGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4B
+AheAAAoJEP0iAoWg/m1+xbgP+QEDYZi5dA4IPY+vU1L95Bavju2m2o35TSUDPg5B
+jfAGuhbsNUceU+l/yUlxjpKEmvshyW3GHR5QzUaKGup/ZDBo1CBxZNhpSlFida2E
+KAYTx4vHk3MRXcntiAj/hIJwRtzCUp5UQIqHoU8dmHoHOkKEP+zhJuR6E2s+WwDr
+nTwE6eRa0g/AHY+chj2Je6flpPm2CKoTfUE7a2yBBU3wPq3rGtsQgVxPAxHRZz7A
+w4AjH3NM1Uo3etuiDnGkJAuoKKb1J4X3w2QlbwlR4cODLKhJXHIufwaGtRwEin9S
+1l2bL8V3gy2Hv3D2t9TQZuR5NUHsibJRXLSa8WnSCcc6Bij5aqfdpYB+YvKH/rIm
+GvYPmLZDfKGkx0JE4/qtfFjiPJ5VE7BxNyliEw/rnQsxWAGPqLlL61SD8w5jGkw3
+CinwO3sccTVcPz9b6A1RsbBVhTJJX5lcPn1lkOEVwQ7l8bRhOKCMe0P53qEDcLCd
+KcXNnAFbVes9u+kfUQ4oxS0G2JS9ISVNmune+uv+JR7KqSdOuRYlyXA9uTjgWz4y
+Cs7RS+CpkJFqrqOtS1rmuDW9Ea4PA8ygGlisM5d/AlVkniHz/2JYtgetiLCj9mfE
+MzQpgnldNSPumKqJ3wwmCNisE+lXQ5UXCaoaeqF/qX1ykybQn41LQ+0xT5Uvy7sL
+9IwGuQINBFXKsiIBEACg2mP3QYkXdgWTK5JyTGyttE6bDC9uqsK8dc1J66Tjd5Ly
+Be0amO+88GHXa0o5Smwk2QNoxsRR41G/D/eAeGsuOEYnePROEr3tcLnDjo4KLgQ+
+H69zRPn77sdP3A34Jgp+QIzByJWM7Cnim31quQP3qal2QdpGJcT/jDJWdticN76a
+Biaz+HN13LyvZM+DWhUDttbjAJc+TEwF9YzIrU+3AzkTRDWkRh4kNIQxjlpNzvho
+9V75riVqg2vtgPwttPEhOLb0oMzy4ADdfezrfVvvMb4M4kY9npu4MlSkNTM97F/I
+QKy90JuSUIjE05AO+PDXJF4Fd5dcpmukLV/2nV0WM2LAERpJUuAgkZN6pNUFVISR
++nSfgR7wvqeDY9NigHrJqJbSEgaBUs6RTk5hait2wnNKLJajlu3aQ2/QfRT/kG3h
+ClKUz3Ju7NCURmFE6mfsdsVrlIsEjHr/dPbXRswXgC9FLlXpWgAEDYi9Wdxxz8o9
+JDWrVYdKRGG+OpLFh8AP6QL3YnZF+p1oxGUQ5ugXauAJ9YS55pbzaUFP8oOO2P1Q
+BeYnKRs1GcMI8KWtE/fze9C9gZ7Dqju7ZFEyllM4v3lzjhT8muMSAhw41J22mSx6
+VRkQVRIAvPDFES45IbB6EEGhDDg4pD2az8Q7i7Uc6/olEmpVONSOZEEPsQe/2wAR
+AQABiQIfBBgBAgAJBQJVyrIiAhsMAAoJEP0iAoWg/m1+niUQAKTxwJ9PTAfB+XDk
+3qH3n+T49O2wP3fhBI0EGhJp9Xbx29G7qfEeqcQm69/qSq2/0HQOc+w/g8yy71jA
+6rPuozCraoN7Im09rQ2NqIhPK/1w5ZvgNVC0NtcMigX9MiSARePKygAHOPHtrhyO
+rJQyu8E3cV3VRT4qhqIqXs8Ydc9vL3ZrJbhcHQuSLdZxM1k+DahCJgwWabDCUizm
+sVP3epAP19FP8sNtHi0P1LC0kq6/0qJot+4iBiRwXMervCD5ExdOm2ugvSgghdYN
+BikFHvmsCxbZAQjykQ6TMn+vkmcEz4fGAn4L7Nx4paKEtXaAFO8TJmFjOlGUthEm
+CtHDKjCTh9WV4pwG2WnXuACjnJcs6LcK377EjWU25H4y1ff+NDIUg/DWfSS85iIc
+UgkOlQO6HJy0O96L5uxn7VJpXNYFa20lpfTVZv7uu3BC3RW/FyOYsGtSiUKYq6cb
+CMxGTfFxGeynwIlPRlH68BqH6ctR/mVdo+5UIWsChSnNd1GreIEI6p2nBk3mc7jZ
+7pTEHpjarwOjs/S/lK+vLW53CSFimmW4lw3MwqiyAkxl0tHAT7QMHH9Rgw2HF/g6
+XD76fpFdMT856dsuf+j2uuJFlFe5B1fERBzeU18MxML0VpDmGFEaxxypfACeI/iu
+8vzPzaWHhkOkU8/J/Ci7+vNtUOZb
+=Ld8S
+-----END PGP PUBLIC KEY BLOCK-----

data/live-build-config/package-lists/vyos-base.list.chroot

@@ -2,3 +2,4 @@ debconf
 gpgv
 gnupg
 vyos-world
+vyos-user-utils

data/live-build-config/package-lists/vyos-utils.list.chroot

@@ -1,26 +1,4 @@
-nmap
-dnsutils
-ipcalc
-whois
-netcat-openbsd
-socat
-nano
-screen
-minicom
-iftop
-lsof
-openssh-client
-haveged
-htop
-atop
-iotop
-aptitude
-localepurge
-bgpq3
-libnss-myhostname
-ssl-cert
-nginx-light
-ndisc6
 systemd-sysv
 systemd-bootchart
 ncurses-term
+kitty-terminfo

data/package-lists/vyos-x86.list.chroot

@@ -5,11 +5,7 @@ hyperv-daemons
 vyos-xe-guest-utilities
 vyos-1x-vmware
 vyos-linux-firmware
-vyos-intel-i40e
-vyos-intel-igb
-vyos-intel-ixgbe
-vyos-intel-ixgbevf
-vyos-intel-iavf
 vyos-intel-qat
 wireguard-modules
-telegraf
+vyos-drivers-intel-ice
+vyos-drivers-realtek-r8152

data/versions

@@ -1,3 +1,3 @@
 {
-    "current": "1.3"
+    "equuleus": "1.3"
 }

docker-vyos/vyos_install_common.sh

@@ -36,7 +36,7 @@ function prepare_apt() {
         echo -e "deb ${APT_VYOS_MIRROR}/vyos ${APT_VYOS_BRANCH} main\ndeb ${APT_VYOS_MIRROR}/debian ${APT_VYOS_BRANCH} main\n${APT_ADDITIONAL_REPOS}" > /etc/apt/sources.list.d/vyos.list
     fi
 
-    if [[ "${RELEASE_TRAIN}" == "equuleus" ]]; then
+    if [[ "${RELEASE_TRAIN}" == "equuleus" || "${RELEASE_TRAIN}" == "sagitta" ]]; then
         echo -e "deb ${APT_VYOS_MIRROR} ${APT_VYOS_BRANCH} main\n${APT_ADDITIONAL_REPOS}" > /etc/apt/sources.list.d/vyos.list
         # Add backports repository
         echo -e "deb http://deb.debian.org/debian buster-backports main\ndeb http://deb.debian.org/debian buster-backports non-free" >> /etc/apt/sources.list.d/vyos.list
@@ -47,7 +47,10 @@ function prepare_apt() {
         cat /tmp/*list.chroot >> /etc/apt/sources.list.d/vyos.list
     fi
     if grep -sq Package /tmp/*.pref.chroot; then
-        cat /tmp/*pref.chroot >> /etc/apt/preferences.d/10vyos
+        for pref_file in /tmp/*.pref.chroot; do
+            cat $pref_file >> /etc/apt/preferences.d/10vyos
+            echo -e "\n" >> /etc/apt/preferences.d/10vyos
+        done
     fi
 
     # Add GPG keys

docker/Dockerfile

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 VyOS maintainers and contributors
+# Copyright (C) 2018-2021 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # in order to easy exprort images built to "external" world
@@ -50,6 +50,9 @@ RUN echo "dash dash/sh boolean false" | debconf-set-selections && \
 
 RUN echo -e 'APT::Install-Recommends "0";\nAPT::Install-Suggests "0";' > /etc/apt/apt.conf.d/01norecommends
 
+# We now have Debian Bullseye (11) so cached images require the permit to
+# change the releaseinfo from stable -> oldstable
+RUN apt-get update --allow-releaseinfo-change
 RUN apt-get update && apt-get install -y \
       dialog \
       apt-utils \
@@ -59,6 +62,8 @@ RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && locale-gen
 ENV LANG en_US.utf8
 
 RUN apt-get update && apt-get install -y \
+      bash \
+      bash-completion \
       vim \
       vim-autopep8 \
       nano \
@@ -66,27 +71,12 @@ RUN apt-get update && apt-get install -y \
       curl \
       sudo \
       mc \
-      build-essential \
       pbuilder \
       devscripts \
-      squashfs-tools \
-      genisoimage \
+      equivs \
       lsb-release \
-      fakechroot \
       libtool \
       libapt-pkg-dev \
-      quilt \
-      python3-lxml \
-      python3-setuptools \
-      python3-nose \
-      python3-coverage \
-      python3-sphinx \
-      python3-pystache \
-      python3-git \
-      python3-pip \
-      python3-psutil \
-      python3-flake8 \
-      python3-autopep8 \
       flake8 \
       pkg-config \
       debhelper \
@@ -95,6 +85,18 @@ RUN apt-get update && apt-get install -y \
       openssh-client \
       jq
 
+# Packages needed for vyos-build
+RUN apt-get update && apt-get install -y \
+      build-essential \
+      python3-pystache \
+      squashfs-tools \
+      genisoimage \
+      fakechroot \
+      python3-git \
+      python3-pip \
+      python3-flake8 \
+      python3-autopep8
+
 # Syslinux and Grub2 is only supported on x86 and x64 systems
 RUN if dpkg-architecture -ii386 || dpkg-architecture -iamd64; then \
       apt-get update && apt-get install -y \
@@ -102,14 +104,11 @@ RUN if dpkg-architecture -ii386 || dpkg-architecture -iamd64; then \
         grub2; \
     fi
 
-# Package needed for mdns-repeater
-RUN apt-get update && apt-get install -y \
-      dh-systemd
-
 #
 # Building libvyosconf requires a full configured OPAM/OCaml setup
 #
 RUN apt-get update && apt-get install -y \
+      debhelper \
       libffi-dev \
       libpcre3-dev \
       unzip
@@ -126,24 +125,36 @@ RUN dpkg-reconfigure ca-certificates; \
 RUN curl https://raw.githubusercontent.com/ocaml/opam/master/shell/install.sh \
       --output /tmp/opam_install.sh --retry 10 --retry-delay 5 && \
     sed -i 's/read BINDIR/BINDIR=""/' /tmp/opam_install.sh && sh /tmp/opam_install.sh && \
-    opam init --root=/opt/opam --comp=4.09.0 --disable-sandboxing
+    opam init --root=/opt/opam --comp=4.12.0 --disable-sandboxing
+
+RUN eval $(opam env --root=/opt/opam --set-root) && \
+    opam pin add pcre https://github.com/mmottl/pcre-ocaml.git#0c4ca03a -y
 
 RUN eval $(opam env --root=/opt/opam --set-root) && opam install -y \
-      pcre re
+      re
 
 RUN eval $(opam env --root=/opt/opam --set-root) && opam install -y \
+      num \
       ctypes.0.16.0 \
       ctypes-foreign \
-      ctypes-build
+      ctypes-build \
+      containers \
+      fileutils
 
 # Build VyConf which is required to build libvyosconfig
 RUN eval $(opam env --root=/opt/opam --set-root) && \
-    opam pin add vyos1x-config https://github.com/vyos/vyos1x-config.git#550048b3 -y
+    opam pin add vyos1x-config https://github.com/vyos/vyos1x-config.git#51f6402a -y
+
+# Packages needed for libvyosconfig
+RUN apt-get update && apt-get install -y \
+      quilt \
+      libpcre3-dev \
+      libffi-dev
 
 # Build libvyosconfig
 RUN eval $(opam env --root=/opt/opam --set-root) && \
     git clone https://github.com/vyos/libvyosconfig.git /tmp/libvyosconfig && \
-    cd /tmp/libvyosconfig && git checkout 5138b5eb && \
+    cd /tmp/libvyosconfig && git checkout f2da09a9 && \
     dpkg-buildpackage -uc -us -tc -b && \
     dpkg -i /tmp/libvyosconfig0_*_$(dpkg-architecture -qDEB_HOST_ARCH).deb
 
@@ -166,7 +177,7 @@ RUN wget https://salsa.debian.org/jestabro-guest/live-build/commit/63425b3e4f7ad
     patch -p1 < /tmp/63425b3e4f7ad3712ced4c9a3584ef9851c0355a.patch && \
     dch -n "Applying fix for missing archive keys" && \
     dpkg-buildpackage -us -uc && \
-    sudo dpkg -i ../live-build*.deb
+    dpkg -i ../live-build*.deb
 
 #
 # live-build: building in docker fails with mounting /proc | /sys
@@ -182,7 +193,7 @@ RUN wget https://salsa.debian.org/klausenbusk-guest/debootstrap/commit/a9a603b17
     patch -p1 < /tmp/a9a603b17cadbf52cb98cde0843dc9f23a08b0da.patch && \
     dch -n "Applying fix for docker image compile" && \
     dpkg-buildpackage -us -uc && \
-    sudo dpkg -i ../debootstrap*.deb
+    dpkg -i ../debootstrap*.deb
 
 #
 # Install Packer
@@ -217,65 +228,103 @@ RUN apt-get update && apt-get install -y \
       automake \
       cpio
 
-# Packages needed for kernel
+# Packages needed for Linux Kernel
+# gnupg2 is required by Jenkins for the TAR verification
 RUN apt-get update && apt-get install -y \
+      gnupg2 \
       rsync \
-      libmnl-dev \
       libncurses5-dev \
       flex \
       bison \
-      libelf-dev \
       bc \
       kmod \
+      cpio
+
+# Packages needed for Accel-PPP
+RUN apt-get update && apt-get install -y \
+      liblua5.3-dev \
+      libssl1.1 \
+      libssl-dev \
+      libpcre3-dev
+
+# Packages needed for Wireguard
+RUN apt-get update && apt-get install -y \
+      debhelper-compat \
       dkms \
-      cdbs \
-      cmake \
-      elfutils \
-      libdw-dev \
-      systemtap-sdt-dev \
-      libunwind-dev \
-      libslang2-dev \
-      python-dev \
-      libiberty-dev \
-      binutils-dev \
-      libnuma-dev \
-      libbabeltrace-dev \
-      liblua5.3-dev
+      pkg-config \
+      systemd
+
+# Packages needed for iproute2
+RUN apt-get update && apt-get install -y \
+      bison \
+      debhelper \
+      flex \
+      iptables-dev \
+      libatm1-dev \
+      libcap-dev \
+      libdb-dev \
+      libbsd-dev \
+      libelf-dev \
+      libmnl-dev \
+      libselinux1-dev \
+      linux-libc-dev \
+      pkg-config \
+      po-debconf \
+      zlib1g-dev
 
 # Prerequisites for building rtrlib
 # see http://docs.frrouting.org/projects/dev-guide/en/latest/building-frr-for-debian8.html
 RUN apt-get update && apt-get install -y \
-      graphviz \
-      doxygen \
+      cmake \
+      dpkg-dev \
+      debhelper \
       libssh-dev \
-      libssl-dev
+      doxygen
 
 # Build rtrlib release 0.6.3
-RUN export RTRLIB_VERSION="0.6.3" && \
+RUN export RTRLIB_VERSION="0.6.3" && export ARCH=$(dpkg-architecture -qDEB_HOST_ARCH) && \
     wget -P /tmp https://github.com/rtrlib/rtrlib/archive/v${RTRLIB_VERSION}.tar.gz && \
     tar xf /tmp/v${RTRLIB_VERSION}.tar.gz -C /tmp && \
     cd /tmp/rtrlib-${RTRLIB_VERSION} && dpkg-buildpackage -uc -us -tc -b && \
-    dpkg -i ../librtr*_$(dpkg-architecture -qDEB_HOST_ARCH).deb ../librtr*_all.deb
+    dpkg -i ../librtr0*_${ARCH}.deb ../librtr-dev*_${ARCH}.deb ../rtr-tools*_${ARCH}.deb
 
 # Upgrading to FRR 7.5 requires a more recent version of libyang which is only
 # available from Debian Bullseye
 RUN echo "deb http://deb.debian.org/debian/ bullseye main" \
-      > /etc/apt/sources.list.d/bullseye-backports.list && \
+      > /etc/apt/sources.list.d/bullseye.list && \
     apt-get update && apt-get install -y -t bullseye \
       libyang-dev \
       libyang1; \
-    rm -f /etc/apt/sources.list.d/bullseye-backports.list
+    rm -f /etc/apt/sources.list.d/bullseye.list
 
 # Packages needed to build FRR itself
 # https://github.com/FRRouting/frr/blob/master/doc/developer/building-libyang.rst
 # for more info
 RUN apt-get update && apt-get install -y \
+      bison \
       chrpath \
+      debhelper \
+      flex \
+      gawk \
       install-info \
+      libc-ares-dev \
+      libcap-dev \
       libjson-c-dev \
+      libpam0g-dev \
+      libpcre3-dev \
       libpython3-dev \
+      libreadline-dev \
+      librtr-dev \
+      libsnmp-dev \
+      libssh-dev \
+      libsystemd-dev \
+      libyang-dev \
+      lsb-base \
+      pkg-config \
+      python3 \
       python3-dev \
       python3-pytest \
+      python3-sphinx \
       texinfo
 
 # Packages needed for hvinfo
@@ -289,10 +338,13 @@ RUN apt-get update && apt-get install -y \
       libzmq3-dev \
       python3 \
       python3-setuptools \
+      python3-sphinx \
       python3-xmltodict \
       python3-lxml \
       python3-nose \
       python3-netifaces \
+      python3-jinja2 \
+      python3-psutil \
       python3-coverage \
       quilt \
       whois
@@ -311,9 +363,12 @@ RUN if dpkg-architecture -ii386 || dpkg-architecture -iamd64; then \
         cd /tmp/libbpf && git checkout b91f53ec5f1aba2 && cd src && make install; \
     fi
 
-# Packages needed for vyos-xe-guest-utilities
-RUN apt-get update && apt-get install -y \
-      golang
+# Go required for validators and vyos-xe-guest-utilities
+RUN GO_VERSION_INSTALL="1.18.3" ; \
+    wget -O /tmp/go${GO_VERSION_INSTALL}.linux-$(dpkg-architecture -qDEB_HOST_ARCH).tar.gz https://go.dev/dl/go${GO_VERSION_INSTALL}.linux-$(dpkg-architecture -qDEB_HOST_ARCH).tar.gz ; \
+    tar -C /opt -xzf /tmp/go*.tar.gz && \
+    rm /tmp/go*.tar.gz
+RUN echo "export PATH=/opt/go/bin:$PATH" >> /etc/bash.bashrc
 
 # Packages needed for ipaddrcheck
 RUN apt-get update && apt-get install -y \
@@ -362,29 +417,12 @@ RUN apt-get update && apt-get install -y \
 RUN apt-get update && apt-get install -y \
       libc-ares-dev
 
-# Packages needed for keepalived
-RUN apt-get update && apt-get install -y \
-      autoconf \
-      debhelper \
-      libglib2.0-dev \
-      libjson-c-dev \
-      libnl-3-dev \
-      libnl-genl-3-dev \
-      libpopt-dev \
-      libsnmp-dev \
-      libssl-dev \
-      libnl-nf-3-dev \
-      libnfnetlink-dev \
-      libipset-dev \
-      iptables-dev \
-      linux-libc-dev \
-      pkg-config
-
 # Packages needed for Qemu test-suite
 # This is for now only supported on i386 and amd64 platforms
 RUN if dpkg-architecture -ii386 || dpkg-architecture -iamd64; then \
       apt-get update && apt-get install -y \
         python3-pexpect \
+        ovmf \
         qemu-system-x86 \
         qemu-utils \
         qemu-kvm; \
@@ -437,14 +475,35 @@ RUN if dpkg-architecture -iarm64; then \
       grub-efi-arm; \
     fi
 
+# Packages needed for libnftnl
+RUN apt-get update && apt-get install -y \
+      debhelper-compat \
+      libmnl-dev \
+      libtool \
+      pkg-config
+
 # Packages needed for nftables
 RUN apt-get update && apt-get install -y \
       asciidoc-base \
+      automake \
+      bison \
+      debhelper-compat \
+      dh-python \
+      docbook-xsl \
+      flex \
+      libgmp-dev \
       libjansson-dev \
-      python3-all
+      libmnl-dev \
+      libreadline-dev \
+      libtool \
+      libxtables-dev \
+      python3-all \
+      python3-setuptools \
+      xsltproc
 
 # Packages needed for libnetfilter-conntrack
 RUN apt-get update && apt-get install -y \
+      debhelper-compat \
       libmnl-dev \
       libnfnetlink-dev \
       libtool
@@ -452,6 +511,7 @@ RUN apt-get update && apt-get install -y \
 # Packages needed for conntrack-tools
 RUN apt-get update && apt-get install -y \
       bison \
+      debhelper \
       flex \
       libmnl-dev \
       libnetfilter-cthelper0-dev \
@@ -463,6 +523,122 @@ RUN apt-get update && apt-get install -y \
       automake \
       libtool
 
+# Packages needed for wide-dhcpv6
+RUN apt-get update && apt-get install -y \
+      bison \
+      debhelper \
+      flex \
+      libfl-dev \
+      rsync
+
+# Packages needed for vyos-http-api-tools
+RUN apt-get update && apt-get install -y \
+      dh-virtualenv \
+      python3-venv
+
+# Packages needed for ocserv
+RUN apt-get update && apt-get install -y \
+      autogen \
+      libev-dev \
+      libgnutls28-dev \
+      libhttp-parser-dev \
+      liblz4-dev \
+      libnl-route-3-dev \
+      liboath-dev \
+      liboauth-dev \
+      libopts25-dev \
+      libpcl1-dev \
+      libprotobuf-c-dev \
+      libradcli-dev \
+      libseccomp-dev \
+      libtalloc-dev \
+      nettle-dev \
+      protobuf-c-compiler \
+      libgeoip-dev
+
+# Packages needed for keepalived
+RUN apt-get update && apt-get install -y \
+      autoconf \
+      libglib2.0-dev \
+      libip4tc-dev \
+      libipset-dev \
+      libjson-c-dev \
+      libnfnetlink-dev \
+      libnftnl-dev \
+      libnl-3-dev \
+      libnl-genl-3-dev \
+      libnl-nf-3-dev \
+      libpcre2-dev \
+      libpopt-dev \
+      libsnmp-dev \
+      libssl-dev \
+      libsystemd-dev \
+      linux-libc-dev \
+      pkg-config
+
+# Packages needed for dropbear
+RUN apt-get update && apt-get install -y \
+      debhelper-compat \
+      dh-exec \
+      libtomcrypt-dev \
+      libtommath-dev \
+      libz-dev
+
+# Packages needed for hostapd (wpa_supplicant)
+RUN apt-get update && apt-get install -y \
+      libdbus-1-dev \
+      libssl-dev \
+      libncurses5-dev \
+      libpcsclite-dev \
+      libnl-3-dev \
+      libnl-genl-3-dev \
+      libnl-route-3-dev  \
+      libreadline-dev \
+      pkg-config \
+      docbook-to-man \
+      docbook-utils
+
+# Packages needed for ocserv
+RUN apt-get update && apt-get install -y \
+      autogen \
+      debhelper \
+      freeradius \
+      gawk \
+      gnutls-bin \
+      gperf \
+      gss-ntlmssp \
+      haproxy \
+      iproute2 \
+      iputils-ping \
+      libcjose-dev \
+      libcurl4-gnutls-dev \
+      libev-dev \
+      libgnutls28-dev \
+      libhttp-parser-dev \
+      libjansson-dev \
+      libkrb5-dev \
+      liblz4-dev \
+      libmaxminddb-dev \
+      libnl-route-3-dev \
+      libnss-wrapper \
+      liboath-dev \
+      libpam-wrapper \
+      libpam0g-dev \
+      libprotobuf-c-dev \
+      libradcli-dev \
+      libreadline-dev \
+      libseccomp-dev \
+      libsocket-wrapper \
+      libtalloc-dev \
+      libuid-wrapper \
+      nettle-dev \
+      nuttcp \
+      pkg-config \
+      protobuf-c-compiler \
+      ronn \
+      tcpdump \
+      yajl-tools
+
 #
 # fpm: a command-line program designed to help you build packages (e.g. deb)
 #
@@ -471,14 +647,21 @@ RUN apt-get update && apt-get install -y \
       ruby-dev \
       rubygems \
       build-essential
+RUN gem install public_suffix -v 4.0.7
 RUN gem install --no-document fpm
 
-# Allow password-less 'sudo' for all users in group 'sudo'
-RUN sed "s/^%sudo.*/%sudo\tALL=(ALL) NOPASSWD:ALL/g" -i /etc/sudoers && \
-    chmod a+s /usr/sbin/useradd /usr/sbin/groupadd /usr/sbin/gosu /usr/sbin/usermod
+# debmake: a native Debian tool for preparing sources for packaging
+RUN apt-get update && apt-get install -y \
+      debmake \
+      python3-debian
 
-# Ensure sure all users have access to our OCAM installation
-RUN echo "$(opam env --root=/opt/opam --set-root)" >> /etc/skel/.bashrc
+# Allow password-less 'sudo' for all users in group 'sudo'
+RUN echo -e "vyos_bld\tALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/vyos_bld && \
+    chmod a+s /usr/sbin/useradd /usr/sbin/groupadd
+
+# Ensure sure all users have access to our OCAM and Go installation
+RUN echo "$(opam env --root=/opt/opam --set-root)" >> /etc/skel/.bashrc && \
+    echo "export PATH=/opt/go/bin:\$PATH" >> /etc/skel/.bashrc
 
 # Cleanup
 RUN rm -rf /tmp/*

docker/entrypoint.sh

@@ -24,9 +24,12 @@ if ! grep -q $NEW_GID /etc/group; then
 fi
 
 useradd --shell /bin/bash --uid $NEW_UID --gid $NEW_GID --non-unique --create-home $USER_NAME
-usermod --append --groups sudo $USER_NAME
 sudo chown $NEW_UID:$NEW_GID /home/$USER_NAME
 export HOME=/home/$USER_NAME
 
+if [ "$(id -u)" == "0" ]; then
+    exec gosu $USER_NAME "$@"
+fi
+
 # Execute process
-exec /usr/sbin/gosu $USER_NAME "$@"
+exec "$@"

packages/.gitignore

@@ -0,0 +1,6 @@
+*.udeb
+*.deb
+*.dsc
+*.buildinfo
+*.changes
+*.git

packages/dropbear/.gitignore

@@ -0,0 +1,6 @@
+dropbear/
+*.deb
+*.dsc
+*.buildinfo
+*.changes
+*.git

packages/dropbear/Jenkinsfile

@@ -0,0 +1,30 @@
+// Copyright (C) 2022 VyOS maintainers and contributors
+//
+// This program is free software; you can redistribute it and/or modify
+// in order to easy exprort images built to "external" world
+// it under the terms of the GNU General Public License version 2 or later as
+// published by the Free Software Foundation.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+@NonCPS
+
+// Using a version specifier library, use 'current' branch. The underscore (_)
+// is not a typo! You need this underscore if the line immediately after the
+// @Library annotation is not an import statement!
+@Library('vyos-build@equuleus')_
+
+def pkgList = [
+    ['name': 'dropbear',
+     'scmCommit': 'debian/2019.78-2',
+     'scmUrl': 'https://salsa.debian.org/debian/dropbear.git',
+     'buildCmd': 'cd ..; ./build.sh'],
+]
+
+// Start package build using library function from https://github.com/vyos/vyos-build
+buildPackage('dropbear', pkgList, null, "**/packages/dropbear/*")

packages/dropbear/build.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+CWD=$(pwd)
+set -e
+
+SRC=dropbear
+if [ ! -d ${SRC} ]; then
+    echo "Source directory does not exists, please 'git clone'"
+    exit 1
+fi
+
+cd ${SRC}
+PATCH_DIR=${CWD}/patches
+if [ -d $PATCH_DIR ]; then
+    for patch in $(ls ${PATCH_DIR})
+    do
+        echo "I: Apply patch: ${patch} to main repository"
+        patch -p1 < ${PATCH_DIR}/${patch}
+    done
+fi
+
+echo "I: Build Debian Package"
+dpkg-buildpackage -uc -us -tc -b

packages/dropbear/patches/0001-Enable-PAM-support.patch

@@ -0,0 +1,47 @@
+From 23f4e8789b1bdcc0442b6d57216e5184c1bd97c8 Mon Sep 17 00:00:00 2001
+From: Christian Poessinger <christian@poessinger.com>
+Date: Mon, 17 Jan 2022 06:43:26 +0000
+Subject: [PATCH] Enable PAM support
+
+---
+ debian/rules      | 2 +-
+ default_options.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/debian/rules b/debian/rules
+index 3e944d8..3a9f7a7 100755
+--- a/debian/rules
++++ b/debian/rules
+@@ -28,7 +28,7 @@ override_dh_installinit:
+	dh_installinit -R --name dropbear
+
+ override_dh_auto_configure:
+-	dh_auto_configure -- --disable-bundled-libtom \
++	dh_auto_configure -- --disable-bundled-libtom --enable-pam \
+	  CC='$(CC)' CFLAGS='$(CFLAGS)' $(CONFFLAGS)
+
+ override_dh_install:
+diff --git a/default_options.h b/default_options.h
+index 9000fcc..0db7366 100644
+--- a/default_options.h
++++ b/default_options.h
+@@ -179,7 +179,7 @@ group1 in Dropbear server too */
+
+ /* Authentication Types - at least one required.
+    RFC Draft requires pubkey auth, and recommends password */
+-#define DROPBEAR_SVR_PASSWORD_AUTH 1
++#define DROPBEAR_SVR_PASSWORD_AUTH 0
+
+ /* Note: PAM auth is quite simple and only works for PAM modules which just do
+  * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
+@@ -187,7 +187,7 @@ group1 in Dropbear server too */
+  * but there's an interface via a PAM module. It won't work for more complex
+  * PAM challenge/response.
+  * You can't enable both PASSWORD and PAM. */
+-#define DROPBEAR_SVR_PAM_AUTH 0
++#define DROPBEAR_SVR_PAM_AUTH 1
+
+ /* ~/.ssh/authorized_keys authentication */
+ #define DROPBEAR_SVR_PUBKEY_AUTH 1
+--
+2.20.1

packages/frr/Jenkinsfile

@@ -15,17 +15,17 @@
 
 @NonCPS
 
-// Using a version specifier library, use 'current' branch. The underscore (_)
+// Using a version specifier library, use 'equuleus' branch. The underscore (_)
 // is not a typo! You need this underscore if the line immediately after the
 // @Library annotation is not an import statement!
-@Library('vyos-build@current')_
+@Library('vyos-build@equuleus')_
 
 def pkgList = [
     ['name': 'frr',
-     'scmCommit': 'stable/7.3',
+     'scmCommit': 'stable/7.5',
      'scmUrl': 'https://github.com/FRRouting/frr.git',
      'buildCmd': '''cd ..; ./build-frr.sh'''],
 ]
 
 // Start package build using library function from https://github.com/vyos/vyos-build
-buildPackage('FRRouting', pkgList)
+buildPackage('FRRouting', pkgList, null, "**/packages/frr/*")

packages/frr/patches/0001-frr-reload-rpki-context-exiting-uses-exit-and-not-en.patch

@@ -0,0 +1,41 @@
+From 258409cfa05aaa378e4f120dc67fb226465fa829 Mon Sep 17 00:00:00 2001
+From: Runar Borge <runar@borge.nu>
+Date: Sat, 23 Jan 2021 00:15:41 +0100
+Subject: [PATCH] frr-reload: rpki context exiting uses exit and not end
+
+Issue:
+The rpki subcontext uses exit instead of end to exit.
+This makes issues with frr-reload in the way that frr-reload never exits
+rpki context until it reaches the next end statement. this also happens when
+parsing the configuration from vtysh.
+
+Signed-off-by: Runar Borge <runar@borge.nu>
+---
+ tools/frr-reload.py | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/tools/frr-reload.py b/tools/frr-reload.py
+index 412cde091..33c4ef5e5 100755
+--- a/tools/frr-reload.py
++++ b/tools/frr-reload.py
+@@ -452,6 +452,17 @@ end
+                 ctx_keys = []
+                 current_context_lines = []
+ 
++            elif (line == "exit" and
++                  ctx_keys[0].startswith('rpki')):
++                self.save_contexts(ctx_keys, current_context_lines)
++                log.debug('LINE %-50s: exiting old context, %-50s', line, ctx_keys)
++
++                # Start a new context
++                new_ctx = True
++                main_ctx_key = []
++                ctx_keys = []
++                current_context_lines = []
++
+             elif line == "exit-vrf":
+                 self.save_contexts(ctx_keys, current_context_lines)
+                 current_context_lines.append(line)
+-- 
+2.20.1
+

packages/frr/patches/0002-zebra-Fixes-for-connected-routes.patch

@@ -0,0 +1,176 @@
+From 18b1c3c06eb69c8d10666c40f55be4926f888042 Mon Sep 17 00:00:00 2001
+From: zsdc <taras@vyos.io>
+Date: Wed, 24 May 2023 20:43:27 +0300
+Subject: [PATCH] zebra: Fixes for connected routes
+
+This is a cumulative backport of:
+92980561382fc04380414a6e2f6ca6746c2fe5e9
+7fb9825cf7e762add68f5108df4eddda1247f198
+e3d901f8638dec32eac4c2690912138963ae5a05
+---
+ lib/if.h          |  3 ++
+ zebra/connected.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 75 insertions(+), 1 deletion(-)
+
+diff --git a/lib/if.h b/lib/if.h
+index a2a40d095..0c73ab63a 100644
+--- a/lib/if.h
++++ b/lib/if.h
+@@ -393,6 +393,7 @@ struct connected {
+ #define ZEBRA_IFC_REAL         (1 << 0)
+ #define ZEBRA_IFC_CONFIGURED   (1 << 1)
+ #define ZEBRA_IFC_QUEUED       (1 << 2)
++#define ZEBRA_IFC_DOWN         (1 << 3)
+ 	/*
+ 	   The ZEBRA_IFC_REAL flag should be set if and only if this address
+ 	   exists in the kernel and is actually usable. (A case where it exists
+@@ -406,6 +407,8 @@ struct connected {
+ 	   in the kernel. It may and should be set although the address might
+ 	   not be
+ 	   usable yet. (compare with ZEBRA_IFC_REAL)
++	   The ZEBRA_IFC_DOWN flag is used to record that an address is
++	   present, but down/unavailable.
+ 	 */
+ 
+ 	/* Flags for connected address. */
+diff --git a/zebra/connected.c b/zebra/connected.c
+index 8c4ba163b..fd3fefdd2 100644
+--- a/zebra/connected.c
++++ b/zebra/connected.c
+@@ -207,6 +207,9 @@ void connected_up(struct interface *ifp, struct connected *ifc)
+ 	};
+ 	struct zebra_vrf *zvrf;
+ 	uint32_t metric;
++	uint32_t count = 0;
++	struct listnode *cnode;
++	struct connected *c;
+ 
+ 	zvrf = zebra_vrf_lookup_by_id(ifp->vrf_id);
+ 	if (!zvrf) {
+@@ -219,6 +222,9 @@ void connected_up(struct interface *ifp, struct connected *ifc)
+ 	if (!CHECK_FLAG(ifc->conf, ZEBRA_IFC_REAL))
+ 		return;
+ 
++	/* Ensure 'down' flag is cleared */
++	UNSET_FLAG(ifc->conf, ZEBRA_IFC_DOWN);
++
+ 	PREFIX_COPY(&p, CONNECTED_PREFIX(ifc));
+ 
+ 	/* Apply mask to the network. */
+@@ -251,6 +257,29 @@ void connected_up(struct interface *ifp, struct connected *ifc)
+ 
+ 	metric = (ifc->metric < (uint32_t)METRIC_MAX) ?
+ 				ifc->metric : ifp->metric;
++
++	/*
++	 * It's possible to add the same network and mask
++	 * to an interface over and over.  This would
++	 * result in an equivalent number of connected
++	 * routes.  Just add one connected route in
++	 * for all the addresses on an interface that
++	 * resolve to the same network and mask
++	 */
++	for (ALL_LIST_ELEMENTS_RO(ifp->connected, cnode, c)) {
++		struct prefix cp;
++
++		PREFIX_COPY(&cp, CONNECTED_PREFIX(c));
++		apply_mask(&cp);
++
++		if (prefix_same(&cp, &p) &&
++		    !CHECK_FLAG(c->conf, ZEBRA_IFC_DOWN))
++			count++;
++
++		if (count >= 2)
++			return;
++	}
++
+ 	rib_add(afi, SAFI_UNICAST, zvrf->vrf->vrf_id, ZEBRA_ROUTE_CONNECT,
+ 		0, 0, &p, NULL, &nh, 0, zvrf->table_id, metric, 0, 0, 0);
+ 
+@@ -290,6 +319,8 @@ void connected_add_ipv4(struct interface *ifp, int flags, struct in_addr *addr,
+ 	/* If we get a notification from the kernel,
+ 	 * we can safely assume the address is known to the kernel */
+ 	SET_FLAG(ifc->conf, ZEBRA_IFC_QUEUED);
++	if (!if_is_operative(ifp))
++		SET_FLAG(ifc->conf, ZEBRA_IFC_DOWN);
+ 
+ 	/* Allocate new connected address. */
+ 	p = prefix_ipv4_new();
+@@ -350,12 +381,15 @@ void connected_down(struct interface *ifp, struct connected *ifc)
+ 		.vrf_id = ifp->vrf_id,
+ 	};
+ 	struct zebra_vrf *zvrf;
++	uint32_t count = 0;
++	struct listnode *cnode;
++	struct connected *c;
+ 
+ 	zvrf = zebra_vrf_lookup_by_id(ifp->vrf_id);
+ 	if (!zvrf) {
+ 		flog_err(
+ 			EC_ZEBRA_VRF_NOT_FOUND,
+-			"%s: Received Up for interface but no associated zvrf: %d",
++			"%s: Received Down for interface but no associated zvrf: %d",
+ 			__func__, ifp->vrf_id);
+ 		return;
+ 	}
+@@ -363,6 +397,17 @@ void connected_down(struct interface *ifp, struct connected *ifc)
+ 	if (!CHECK_FLAG(ifc->conf, ZEBRA_IFC_REAL))
+ 		return;
+ 
++	/* Skip if we've already done this; this can happen if we have a
++	 * config change that takes an interface down, then we receive kernel
++	 * notifications about the downed interface and its addresses.
++	 */
++	if (CHECK_FLAG(ifc->conf, ZEBRA_IFC_DOWN)) {
++		if (IS_ZEBRA_DEBUG_RIB)
++			zlog_debug("%s: ifc %p, %pFX already DOWN",
++				   __func__, ifc, ifc->address);
++		return;
++	}
++
+ 	PREFIX_COPY(&p, CONNECTED_PREFIX(ifc));
+ 
+ 	/* Apply mask to the network. */
+@@ -388,6 +433,30 @@ void connected_down(struct interface *ifp, struct connected *ifc)
+ 		break;
+ 	}
+ 
++	/* Mark the address as 'down' */
++	SET_FLAG(ifc->conf, ZEBRA_IFC_DOWN);
++
++	/*
++	 * It's possible to have X number of addresses
++	 * on a interface that all resolve to the same
++	 * network and mask.  Find them and just
++	 * allow the deletion when are removing the last
++	 * one.
++	 */
++	for (ALL_LIST_ELEMENTS_RO(ifp->connected, cnode, c)) {
++		struct prefix cp;
++
++		PREFIX_COPY(&cp, CONNECTED_PREFIX(c));
++		apply_mask(&cp);
++
++		if (prefix_same(&p, &cp) &&
++		    !CHECK_FLAG(c->conf, ZEBRA_IFC_DOWN))
++			count++;
++
++		if (count >= 1)
++			return;
++	}
++
+ 	/*
+ 	 * Same logic as for connected_up(): push the changes into the
+ 	 * head.
+@@ -481,6 +550,8 @@ void connected_add_ipv6(struct interface *ifp, int flags, struct in6_addr *addr,
+ 	/* If we get a notification from the kernel,
+ 	 * we can safely assume the address is known to the kernel */
+ 	SET_FLAG(ifc->conf, ZEBRA_IFC_QUEUED);
++	if (!if_is_operative(ifp))
++		SET_FLAG(ifc->conf, ZEBRA_IFC_DOWN);
+ 
+ 	/* Allocate new connected address. */
+ 	p = prefix_ipv6_new();
+-- 
+2.34.1
+

packages/frr/patches/0003-Fix-as-override-behavior.patch

@@ -0,0 +1,77 @@
+From 6320d4941777d317989209f26ca513379f729c30 Mon Sep 17 00:00:00 2001
+From: zsdc <taras@vyos.io>
+Date: Fri, 12 May 2023 13:56:20 +0300
+Subject: [PATCH] Fix as-override behavior
+
+Backported 9bbdb4572d3bb255211fecf1c756452ab27e91c2 from FRR 8.5
+---
+ bgpd/bgp_aspath.c | 22 ----------------------
+ bgpd/bgp_aspath.h |  1 -
+ bgpd/bgp_route.c  |  4 +---
+ 3 files changed, 1 insertion(+), 26 deletions(-)
+
+diff --git a/bgpd/bgp_aspath.c b/bgpd/bgp_aspath.c
+index 5cf3c60fa..9595bae5f 100644
+--- a/bgpd/bgp_aspath.c
++++ b/bgpd/bgp_aspath.c
+@@ -1215,28 +1215,6 @@ bool aspath_private_as_check(struct aspath *aspath)
+ 	return true;
+ }
+ 
+-/* Return True if the entire ASPATH consist of the specified ASN */
+-bool aspath_single_asn_check(struct aspath *aspath, as_t asn)
+-{
+-	struct assegment *seg;
+-
+-	if (!(aspath && aspath->segments))
+-		return false;
+-
+-	seg = aspath->segments;
+-
+-	while (seg) {
+-		int i;
+-
+-		for (i = 0; i < seg->length; i++) {
+-			if (seg->as[i] != asn)
+-				return false;
+-		}
+-		seg = seg->next;
+-	}
+-	return true;
+-}
+-
+ /* Replace all instances of the target ASN with our own ASN */
+ struct aspath *aspath_replace_specific_asn(struct aspath *aspath,
+ 					   as_t target_asn, as_t our_asn)
+diff --git a/bgpd/bgp_aspath.h b/bgpd/bgp_aspath.h
+index 9df352fcd..9bab5bb7b 100644
+--- a/bgpd/bgp_aspath.h
++++ b/bgpd/bgp_aspath.h
+@@ -108,7 +108,6 @@ extern unsigned int aspath_get_first_as(struct aspath *);
+ extern unsigned int aspath_get_last_as(struct aspath *);
+ extern int aspath_loop_check(struct aspath *, as_t);
+ extern bool aspath_private_as_check(struct aspath *);
+-extern bool aspath_single_asn_check(struct aspath *, as_t asn);
+ extern struct aspath *aspath_replace_specific_asn(struct aspath *aspath,
+ 						  as_t target_asn,
+ 						  as_t our_asn);
+diff --git a/bgpd/bgp_route.c b/bgpd/bgp_route.c
+index 48ccb669b..6de3e2a7f 100644
+--- a/bgpd/bgp_route.c
++++ b/bgpd/bgp_route.c
+@@ -1571,11 +1571,9 @@ static void bgp_peer_as_override(struct bgp *bgp, afi_t afi, safi_t safi,
+ 				 struct peer *peer, struct attr *attr)
+ {
+ 	if (peer->sort == BGP_PEER_EBGP
+-	    && peer_af_flag_check(peer, afi, safi, PEER_FLAG_AS_OVERRIDE)) {
+-		if (aspath_single_asn_check(attr->aspath, peer->as))
++	    && peer_af_flag_check(peer, afi, safi, PEER_FLAG_AS_OVERRIDE))
+ 			attr->aspath = aspath_replace_specific_asn(
+ 				attr->aspath, peer->as, bgp->as);
+-	}
+ }
+ 
+ void bgp_attr_add_gshut_community(struct attr *attr)
+-- 
+2.34.1
+

packages/hostap/.gitignore

@@ -0,0 +1,2 @@
+hostap/
+wpa/

packages/hostap/Jenkinsfile

@@ -0,0 +1,34 @@
+// Copyright (C) 2022 VyOS maintainers and contributors
+//
+// This program is free software; you can redistribute it and/or modify
+// in order to easy exprort images built to "external" world
+// it under the terms of the GNU General Public License version 2 or later as
+// published by the Free Software Foundation.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+@NonCPS
+
+// Using a version specifier library, use 'current' branch. The underscore (_)
+// is not a typo! You need this underscore if the line immediately after the
+// @Library annotation is not an import statement!
+@Library('vyos-build@equuleus')_
+
+def pkgList = [
+    ['name': 'wpa',
+     'scmCommit': 'debian/2%2.10-7',
+     'scmUrl': 'https://salsa.debian.org/debian/wpa',
+     'buildCmd': '/bin/true'],
+    ['name': 'hostap',
+     'scmCommit': 'b704dc72ef824dfdd96674b90179b274d1d38105',
+     'scmUrl': 'git://w1.fi/srv/git/hostap.git',
+     'buildCmd': 'cd ..; ./build.sh'],
+]
+
+// Start package build using library function from https://github.com/vyos/vyos-build
+buildPackage('hostap', pkgList, null, "**/packages/hostap/*")

packages/hostap/build.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+CWD=$(pwd)
+set -e
+
+SRC=hostap
+SRC_DEB=wpa
+
+if [ ! -d ${SRC} ]; then
+    echo "${SRC} directory does not exists, please 'git clone'"
+    exit 1
+fi
+if [ ! -d ${SRC_DEB} ]; then
+    echo "${SRC_DEB} directory does not exists, please 'git clone'"
+    exit 1
+fi
+
+echo "I: Copy Debian build instructions"
+cp -a ${SRC_DEB}/debian ${SRC}
+# Preserve Debian's default of allowing TLSv1.0 for compatibility
+find ${SRC}/debian/patches -mindepth 1 ! -name allow-tlsv1.patch -delete
+echo 'allow-tlsv1.patch' > ${SRC}/debian/patches/series
+
+# Build Debian package
+cd ${SRC}
+echo "I: Create new Debian Package version"
+version="$(git describe --tags | tr _ .)"
+dch -v ${version:7} "New version to support AES-GCM-256 for MACsec" -b
+
+echo "I: Build Debian hostap Package"
+dpkg-buildpackage -us -uc -tc -b -Ppkg.wpa.nogui -d

packages/iproute2/Jenkinsfile

@@ -15,10 +15,10 @@
 
 @NonCPS
 
-// Using a version specifier library, use 'current' branch. The underscore (_)
+// Using a version specifier library, use 'equuleus' branch. The underscore (_)
 // is not a typo! You need this underscore if the line immediately after the
 // @Library annotation is not an import statement!
-@Library('vyos-build@current')_
+@Library('vyos-build@equuleus')_
 
 def pkgList = [
     ['name': 'iproute2',
@@ -28,4 +28,4 @@ def pkgList = [
 ]
 
 // Start package build using library function from https://github.com/vyos/vyos-build
-buildPackage('iproute2', pkgList)
+buildPackage('iproute2', pkgList, null, "**/packages/iproute2/*")

packages/iproute2/iproute2

@@ -1 +0,0 @@
-Subproject commit ae0b22e5a74391df3d6064f2f57ed31e222180bc

packages/keepalived/.gitignore

@@ -0,0 +1,6 @@
+keepalived/
+*.deb
+*.dsc
+*.buildinfo
+*.changes
+*.git

packages/keepalived/Jenkinsfile

@@ -0,0 +1,32 @@
+// Copyright (C) 2022 VyOS maintainers and contributors
+//
+// This program is free software; you can redistribute it and/or modify
+// in order to easy exprort images built to "external" world
+// it under the terms of the GNU General Public License version 2 or later as
+// published by the Free Software Foundation.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+@NonCPS
+
+// Using a version specifier library, use 'current' branch. The underscore (_)
+// is not a typo! You need this underscore if the line immediately after the
+// @Library annotation is not an import statement!
+@Library('vyos-build@equuleus')_
+
+// NOTE: we can build with -d as the libbpf dependency is installed manually
+// and not via a DEB package
+def pkgList = [
+    ['name': 'keepalived',
+     'scmCommit': 'v2.2.8',
+     'scmUrl': 'https://github.com/acassen/keepalived',
+     'buildCmd': 'cd ..; ./build.sh'],
+]
+
+// Start package build using library function from https://github.com/vyos/vyos-build
+buildPackage('keepalived', pkgList, null, "**/packages/keepalived/*")

packages/keepalived/build.sh

@@ -0,0 +1,21 @@
+#!/bin/sh -x
+CWD=$(pwd)
+set -e
+
+SRC=keepalived
+
+if [ ! -d ${SRC} ]; then
+    echo "source directory does not exists, please 'git clone'"
+    exit 1
+fi
+
+echo "I: Copy Debian build system"
+cp -a debian ${SRC}
+
+cd ${SRC}
+echo "I: Retrieve version information from Git"
+dch -v "1:$(git describe --tags | cut -c2-)" "VyOS build"
+
+# Build Debian FRR package
+echo "I: Build VyOS keepalived Package"
+dpkg-buildpackage -us -uc -tc -b

packages/keepalived/debian/changelog

@@ -0,0 +1,500 @@
+keepalived (1:2.2.1-1) UNRELEASED; urgency=medium
+
+  * [61cbc18] New upstream version 2.2.1
+  * [ecf662d] Keepalived has now support for systemd notify
+
+ -- Alexander Wirt <formorer@debian.org>  Mon, 25 Jan 2021 09:04:08 +0100
+
+keepalived (1:2.1.5-0.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * [17cfc9a] d/control:
+    - Add B-depends: libpcre2-dev
+
+ -- Michal Arbet <michal.arbet@ultimum.io>  Mon, 12 Oct 2020 17:45:14 +0200
+
+keepalived (1:2.1.5-0.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * [efada46] New upstream version 2.1.5 (Closes: #964855)
+    - fixes segfault when SMTP notifications are enabled (Closes: #958898)
+  * [0f2ffa3] Fix d/watch: 403 Forbidden
+
+ -- Michal Arbet <michal.arbet@ultimum.io>  Wed, 07 Oct 2020 16:54:33 +0200
+
+keepalived (1:2.0.19-2) unstable; urgency=medium
+
+  [ Thomas Goirand ]
+  * Drop build-depends on iptables-dev (Closes: #946150).
+
+ -- Alexander Wirt <formorer@debian.org>  Thu, 20 Feb 2020 12:16:19 +0100
+
+keepalived (1:2.0.19-1) unstable; urgency=medium
+
+  * [3e69686] New upstream version 2.0.19 (Closes: #947472)
+    - fixes execution of scripts with /bin/sh (Closes: #931617)
+    - fixes configuration parsing for SMTP sections (Closes: #859142)
+    - fixes stuck in receive queue (Closes: #942182)
+    - close netlink in checker (Closes: #775868)
+    - fix infinite loop when tracker script times out (Closes: #940036)
+    - fix loading of libipset (Closes: #878241)
+  * [6a81734] Move to debhelper(-compat) 12
+  * [02d9f5d] Bump standards version
+  * [239c70f] Fix location of the ip_vs header file
+  * [495b6e5] Disable dbus create instance feature
+  * [ec5c22c] Enable iptc support
+
+ -- Alexander Wirt <formorer@debian.org>  Sun, 05 Jan 2020 18:45:43 +0100
+
+keepalived (1:2.0.10-1) unstable; urgency=medium
+
+  * [3b99bf9] Update vcs headers to salsa
+  * [f697779] New upstream version 2.0.2
+  * [c97cc19] Enable dbus instance and json output support
+  * [27c6d55] syslog is now socket activated
+  * [7e2267b] Move to dh11
+  * [d0bf9db] there is not systemd sequence in dh11
+  * [903a5a0] dh-autoreconf dep is not needed anymore with dh11
+  * [c4996bd] Priority extra got replaced by optional
+  * [822da17] Remove obsolete patches
+  * [1c36cdc] New upstream version 2.0.10
+    - Fix overflow in extract_status_code (CVE-2018-19115)
+      Closes: #914393, #900260
+    - Improve garp refresh handling (Closes: #810347)
+    - Improve config parser (Closes: #909697)
+  * [990c014] Improve keepalived service (Closes: #902978, #830196)
+
+
+ -- Alexander Wirt <formorer@debian.org>  Sun, 05 Jan 2020 18:21:34 +0100
+
+keepalived (1:1.3.9-1) unstable; urgency=medium
+
+  * [e95b710] New upstream version 1.3.9
+    - Fix netlink error message truncated problems
+      (Closes: #846292)
+  * [0547153] New upstream version 1.3.5
+  * [4cf471c] Bump standards version
+  * [2dfa271] New upstream version 1.3.6 (Closes: #872331)
+    - Fix strange pid handling on restart
+      (Closes: #860527)
+  * [d1ddcaf] Enable dbus interface (Closes: #873803)
+  * [9a969d1] Adapt some changes from the upstream service file
+    (Closes: #857618)
+
+ -- Alexander Wirt <alexander.wirt@credativ.de>  Thu, 16 Nov 2017 09:23:16 +0100
+
+keepalived (1:1.3.2-1) unstable; urgency=medium
+
+  * [488ee92] New upstream version 1.3.2
+
+ -- Alexander Wirt <formorer@debian.org>  Sat, 03 Dec 2016 22:25:31 +0100
+
+keepalived (1:1.2.24-1) unstable; urgency=medium
+
+  * [d378a6f] New upstream version 1.2.24
+
+ -- Alexander Wirt <formorer@debian.org>  Sat, 19 Nov 2016 08:20:39 +0100
+
+keepalived (1:1.2.23-1) unstable; urgency=medium
+
+  * [94beb84] Imported Upstream version 1.2.23
+    (Closes: #821941)
+    - fix some segfaults (Closes: #830955)
+
+ -- Alexander Wirt <formorer@debian.org>  Thu, 21 Jul 2016 10:12:06 +0200
+
+keepalived (1:1.2.20-1) unstable; urgency=medium
+
+  * [2a22d69] Imported Upstream version 1.2.20
+    enable support for:
+     - nfnetlink
+     - ipset
+     - iptc
+     - snmp rfcv2 and rfcv3 
+
+ -- Alexander Wirt <alexander.wirt@credativ.de>  Tue, 17 May 2016 13:25:05 +0200
+
+keepalived (1:1.2.19-1) unstable; urgency=medium
+
+  * [3594525] Imported Upstream version 1.2.19
+
+ -- Alexander Wirt <formorer@debian.org>  Sat, 15 Aug 2015 15:18:41 +0200
+
+keepalived (1:1.2.16-1) experimental; urgency=medium
+
+  * [3cc1f17] Depend on ipvsadm2 instead of ipvsadm
+  * [e09b760] Move ipvsadm to recommends 
+              (Closes: #755771)
+  * [afa7293] Imported Upstream version 1.2.16
+  * [e86c672] Add systemd unitfile (Closes: #779347)
+  * [81fac5f] Remove syslog dependency in service file
+  * [40a44f0] Bump standards version
+
+ -- Alexander Wirt <formorer@debian.org>  Tue, 31 Mar 2015 17:52:42 +0200
+
+keepalived (1:1.2.13-1) unstable; urgency=medium
+
+  * [1e9c32b] Imported Upstream version 1.2.11
+  * [bac64d6] Imported Upstream version 1.2.13
+    - keep retry in case of early TCP failures in checks
+      (Closes: #626466 #504069)
+    - Add To header for SMTP alerts. 
+      (Closes: #627169)
+    - handle passwords up to 8 characters
+      (Closes: #614562)
+    - modprobe handling fixed
+      (Closes: #714377)
+    - Support more than 31 interfaces
+      (Closes: #723106)
+    - Fix ipv6 realserver handling
+      (Closes: #740258)
+    - extend ip parser to support default and default6
+      (Closes: #740573)
+
+  * [65d5b11] Add pkg-config to build-deps
+  * [af497e7] Disable obsolete patches
+  * [4761254] Bump standards version (no changes)
+
+ -- Alexander Wirt <formorer@debian.org>  Wed, 28 May 2014 09:01:38 +0200
+
+keepalived (1:1.2.9-1) unstable; urgency=low
+
+  * [8cd7bad] Imported Upstream version 1.2.9
+
+ -- Alexander Wirt <formorer@debian.org>  Mon, 11 Nov 2013 22:45:58 +0100
+
+keepalived (1:1.2.8-1) unstable; urgency=low
+
+  * [b25f231] Patch configure.in instead of configure
+  * [aa70432] Fix configure
+  * [3a728cd] Enable sha1 support
+  * [e257779] Add Homepage field
+  * Allow providing of daemon args via /etc/defaul/keepalived
+    Closes: #693877
+  * Import upstream version 1.2.8 (Closes: #721966)
+    - Fix reload handling (Closes: #652260)
+
+ -- Alexander Wirt <formorer@debian.org>  Fri, 13 Sep 2013 08:54:19 +0200
+
+keepalived (1:1.2.7-1) unstable; urgency=low
+
+  * [b46efb0] Imported Upstream version 1.2.7
+    - Don't use bind() with AF_UNSPEC
+      (Closes: #699540)
+    - new upstream version (Closes: #703085) 
+  * [6058efd] wrap-and-sort
+  * [a128718] Build with snmp support
+  * [d9783f9] Remove obsolete patches
+  * [2deaa4e] Move to dh and 3.0(quilt)
+  * [cd5a314] Use libnl3 (Closes: #688164)
+  * [d6493e1] Convert package to dh and quilt(3.0)
+  * [e7f5489] Bump dh compat to dh9
+  * [f6ca92d] Bump standards version
+  * [525415b] Fix errors in manpage
+  * [35dbfe3] Remove unneeded files
+
+ -- Alexander Wirt <formorer@debian.org>  Mon, 01 Jul 2013 22:02:02 +0200
+
+keepalived (1:1.2.6-1) experimental; urgency=low
+
+  * [b72cd7a] Remove obsolete patches
+  * [0cadef0] Enable snmp support
+  * [7442e85] Build-depend against libsnmp-dev
+  * [b84e381] Imported Upstream version 1.2.4
+  * [9f29e62] Imported Upstream version 1.2.6
+
+ -- Alexander Wirt <formorer@debian.org>  Tue, 21 Aug 2012 18:14:42 +0200
+
+keepalived (1:1.2.2-3) unstable; urgency=low
+
+  * [c28d5f0] Readd ip_vs.h - this reenables ipvs (Closes: #649778)
+
+ -- Alexander Wirt <formorer@debian.org>  Sun, 18 Dec 2011 16:18:06 +0100
+
+keepalived (1:1.2.2-2) unstable; urgency=low
+
+  * [9db4134] Fix override disparity
+  * [8f0c721] Remove obsolete patch
+  * [897c0a0] Set correct permissions on pid file.
+    This is a fix for CVE-2011-1784.
+    (Closes: #626281)
+  * [5ab4b8d] Don't use modprobe -k.
+    Thanks to Sven Ulland for the patch
+  * [c87fe40] Add vcs headers to control file
+  * [8107104] Bump standards version - no changes
+
+ -- Alexander Wirt <formorer@debian.org>  Thu, 10 Nov 2011 08:38:47 +0100
+
+keepalived (1:1.2.2-1) unstable; urgency=low
+
+  * New upstream version
+  * Don't remove configure in clean target
+  * Refresh 95_use_linux_ip_vs_h.patch for 1.2
+  * Build depend on libnl-dev
+
+ -- Alexander Wirt <formorer@debian.org>  Sun, 06 Mar 2011 17:43:35 +0100
+
+keepalived (1:1.1.20-1) unstable; urgency=low
+
+  * Go back to 1.1.20 since 1.2.0 is not ready for release
+  * Bump standards version (no changes)
+
+ -- Alexander Wirt <formorer@debian.org>  Sat, 14 Aug 2010 10:17:10 +0200
+
+keepalived (1.2.0-1) unstable; urgency=low
+
+  * New upstream release (Closes: #580607)
+  * Bump standards version (no changes)
+
+ -- Alexander Wirt <formorer@debian.org>  Sun, 04 Jul 2010 11:02:13 +0200
+
+keepalived (1.1.20-1) unstable; urgency=low
+
+  * New upstream release (Closes: #580607)
+  * Bump standards version (no changes)
+  * Raise debhelper dep to v5
+  * Refresh 95_use_linux_ip_vs_h.patch
+  * Fix typo in description
+  * Declare debsource v1.0
+  * Fix restart if daemon doesn't run (Closes: #561357)
+
+ -- Alexander Wirt <formorer@debian.org>  Sat, 08 May 2010 20:56:58 +0200
+
+keepalived (1.1.19-1) unstable; urgency=low
+
+  * New upstream version (Closes: #557814, #548254)
+    - Fix gigabit status interface support (Closes: #555634)
+  * Fix error reporting and manpage of genhash (Closes: #575399)
+
+ -- Alexander Wirt <formorer@debian.org>  Fri, 23 Apr 2010 13:17:53 +0200
+
+keepalived (1.1.17-2) unstable; urgency=low
+
+  * Reenable ipvs support thanks to Vincent Bernat for the hint 
+    (Closes: #530738)
+
+ -- Alexander Wirt <formorer@debian.org>  Thu, 28 May 2009 09:55:52 +0200
+
+keepalived (1.1.17-1) unstable; urgency=low
+
+  * New upstream release (Closes: #516102). 
+    Thanks to Vincent Bernat for the help
+  * Bump standards version (no changes)
+  * Remove outdated README.Debian (Closes: #470626)
+  * support nostrip option (Closes: #478261)
+    Thanks to Vincent Bernat for the patch
+  * Extract the patch for 336885 into debian/patches (Closes: #510092)
+
+ -- Alexander Wirt <formorer@debian.org>  Sun, 26 Apr 2009 19:41:12 +0200
+
+keepalived (1.1.15-1) unstable; urgency=low
+
+  * New upstream release (Closes: #401827)
+  * Remove 00_fix-manpagepath.patch and
+    01_fix-genhash-manpagepath.patch(obsolete)
+  * Bump standards version
+
+ -- Alexander Wirt <formorer@debian.org>  Tue, 18 Dec 2007 18:44:55 +0100
+
+keepalived (1.1.13-1) unstable; urgency=low
+
+  * New upstream release (Closes: #401827)
+  * Add patch to compile with libc6-dev. Thanks to Cyril Brulebois 
+    for the original patch (Closes: #428927)
+
+ -- Alexander Wirt <formorer@debian.org>  Tue, 24 Jul 2007 22:24:08 +0200
+
+keepalived (1.1.12-1) unstable; urgency=low
+
+  * New upstream release (Closes: #365220)
+  * Call notification for every failure. Thanks to Len Sorenson for
+    the patch (Closes: #336885)
+  * delete /tmp/.vrrp and /tmp/.healthcheckers if they exists before
+    starting keepalived (Closes: #333102)
+  * bumped standard version
+
+ -- Alexander Wirt <formorer@debian.org>  Wed, 28 Jun 2006 20:01:56 +0200
+
+keepalived (1.1.11-3) unstable; urgency=low
+
+  * Added a warning about sarge kernels to README.Debian and 
+    the package description 
+
+ -- Alexander Wirt <formorer@debian.org>  Fri, 29 Apr 2005 23:22:40 +0200
+
+keepalived (1.1.11-2) unstable; urgency=low
+
+  * Added iproute to dependency (Closes: #303421)
+
+ -- Alexander Wirt <formorer@debian.org>  Fri,  8 Apr 2005 21:45:33 +0200
+
+keepalived (1.1.11-1) unstable; urgency=low
+
+  * New upstream release (Closes: #297067)
+    - Fixes several bugs with his childs which
+      should fix restart und fork bugs 
+      (Closes: #296516)
+  * Updated to iv_vs.h 0x010201 (2.6.11)
+
+ -- Alexander Wirt <formorer@debian.org>  Wed,  2 Mar 2005 21:41:29 +0100
+
+keepalived (1.1.7-3) unstable; urgency=low
+
+  * No longer install the config per default (Closes: #261615)
+
+ -- Alexander Wirt <formorer@debian.org>  Sat, 14 Aug 2004 20:36:43 +0200
+
+keepalived (1.1.7-2) unstable; urgency=low
+
+  * New Maintainer: Alexander Wirt <formorer@debian.org>
+    No Bugs, no problems with this package. Thanks for the good 
+    work Andres, I'm happy to take this package
+
+ -- Alexander Wirt <formorer@debian.org>  Wed, 19 May 2004 20:32:03 +0200
+
+keepalived (1.1.7-1) unstable; urgency=low
+
+  * New upstream release.
+  * 003-genhash_8.patch: drop genhash manpage, as it's been merged upstream.
+  * 001-genhash_1.patch: add new manpage location fix; should be genhash(1).
+
+ -- Andres Salomon <dilinger@voxel.net>  Sun, 02 May 2004 23:44:39 -0400
+
+keepalived (1.1.6-1) unstable; urgency=low
+
+  * New upstream release.
+  * Drop 001-really_distclean.patch and 002-use_destdir.patch; merged 
+    upstream.
+  * 003-genhash_8.patch: add genhash manpage.
+  * Update ip_vs.h to version from 2.6.4-1.  Keepalived now compiles
+    using 2.6 headers.  Update description accordingly.
+  * Update copyright file.
+  * Make init script not check if kernel has IPVS support (closes: #237141).
+
+ -- Andres Salomon <dilinger@voxel.net>  Tue, 30 Mar 2004 22:05:24 -0500
+
+keepalived (1.1.5-2) unstable; urgency=low
+
+  * Can't use kernel-headers package, not all arch have it.  Revert
+    back to storing headers in debian/ subdir.
+
+ -- Andres Salomon <dilinger@voxel.net>  Tue, 10 Feb 2004 02:38:14 -0500
+
+keepalived (1.1.5-1) unstable; urgency=low
+
+  * New upstream release.  (Closes: #231418)
+  * Now that ipvs is in 2.4, use kernel-headers package instead of storing
+    kernel headers in debian/ subdir.  Add appropriate build-dep.
+  * Convert buildsys to cdbs and update standards-version.
+  * 001-really_distclean.patch: clean binaries out of ./bin.
+  * 002-use_destdir.patch: add DESTDIR to makefiles.
+  * Upstream now has manpages for keepalived and keepalived.conf.
+
+ -- Andres Salomon <dilinger@voxel.net>  Fri, 30 Jan 2004 02:51:47 -0500
+
+keepalived (1.0.3-1) unstable; urgency=low
+
+  * New upstream release; I'm going to wait for this release to enter
+    testing before allowing the 1.1.x series into unstable.  (Closes: #199437)
+  * Update maintainer email address.
+  * Update standards-version.
+  * Update kernel headers and scripts.
+
+ -- Andres Salomon <dilinger@voxel.net>  Sat, 26 Jul 2003 01:03:19 -0400
+
+keepalived (1.0.2-1) unstable; urgency=low
+
+  * New upstream release.
+  * Fixed previous changelog entry's year (2002 -> 2003), so it doesn's appear
+    that I time travel.  At the very least, I wouldn't want people discovering
+    my secret, and risk my time machine falling into the wrong hands.
+  * Upstream docs changed location; updated.
+  * Dropped dh_undocumented usage.
+  * Added reload support to the init script.
+
+ -- Andres Salomon <dilinger@mp3revolution.net>  Thu, 17 Apr 2003 00:38:48 -0500
+
+keepalived (1.0.0-1) unstable; urgency=low
+
+  * New upstream release.
+  * Update standards-version to 3.5.8.0.
+  * Update kernel headers for ipvs-1.0.7.
+
+ -- Andres Salomon <dilinger@mp3revolution.net>  Fri, 17 Jan 2003 15:26:38 -0400
+
+keepalived (0.7.6-1) unstable; urgency=low
+
+  * New upstream release.
+  * Several minor description/copyright changes to make new lintian happy.
+  * Add removal of config.log to clean target in debian/rules.
+
+ -- Andres Salomon <dilinger@mp3revolution.net>  Sun,  8 Dec 2002 23:59:17 -0400
+
+keepalived (0.7.1-1) unstable; urgency=low
+
+  * New upstream release.
+  * Update kernel headers for ipvs-1.0.6.
+  * Remove dependance upon gcc-3.0; upstream says 2.95 works fine now,
+    and we should be transitioning to gcc-3.2 soon, anyways (hopefully).
+
+ -- Andres Salomon <dilinger@mp3revolution.net>  Sat, 21 Sep 2002 16:05:52 -0400
+
+keepalived (0.6.10-2) unstable; urgency=low
+
+  * Add OpenSSL exception clause to the copyright file.
+
+ -- Andres Salomon <dilinger@mp3revolution.net>  Thu, 22 Aug 2002 11:48:16 -0400
+
+keepalived (0.6.10-1) unstable; urgency=low
+
+  * New upstream release.
+  * Update kernel headers to 2.4.19 and ipvs-1.0.4.
+
+ -- Andres Salomon <dilinger@mp3revolution.net>  Wed, 14 Aug 2002 23:42:48 -0400
+
+keepalived (0.6.8-1) unstable; urgency=low
+
+  * New upstream release.
+  * Updated description to mention VRRPv2.
+  * Depend upon gcc-3.0, since gcc-2.95 and keepalived have, uh, issues.
+  * Updated various paths to reflect changed build system/layout.
+
+ -- Andres Salomon <dilinger@mp3revolution.net>  Thu, 18 Jul 2002 01:47:42 -0500
+
+keepalived (0.6.2-1) unstable; urgency=low
+
+  * New upstream release, upload to archive.  (Closes: #144100)
+  * Autoconf sanity upstream, remove configure.in/Makefile.in patches.
+  * Fix typo in top level Makefile.in.
+  * Updated URL for keepalived (keepalived.sf.net -> www.keepalived.org).
+  * For easier maintenance of kernel header files, grab scripts from my
+    devmapper package.
+
+ -- Andres Salomon <dilinger@mp3revolution.net>  Sun, 16 Jun 2002 15:47:39 -0500
+
+keepalived (0.5.8-1) unstable; urgency=low
+
+  * New upstream release.
+  * Note the OpenSSL exception clause in the README.
+
+ -- Andres Salomon <dilinger@mp3revolution.net>  Tue, 21 May 2002 15:18:02 -0500
+
+keepalived (0.5.7-1) unstable; urgency=low
+
+  * New upstream release (w/ SSL_GET fixes!).
+  * Moved sample configs to doc directory.
+
+ -- Andres Salomon <dilinger@mp3revolution.net>  Thu,  2 May 2002 20:14:38 -0500
+
+keepalived (0.5.6-1) unstable; urgency=low
+
+  * New upstream release.
+
+ -- Andres Salomon <dilinger@mp3revolution.net>  Thu, 11 Apr 2002 01:38:19 -0500
+
+keepalived (0.5.5-1) unstable; urgency=low
+
+  * Initial Release.
+
+ -- Andres Salomon <dilinger@mp3revolution.net>  Thu, 11 Apr 2002 01:38:19 -0500
+

packages/keepalived/debian/control

@@ -0,0 +1,46 @@
+Source: keepalived
+Section: admin
+Priority: optional
+Maintainer: Alexander Wirt <formorer@debian.org>
+Build-Depends: autoconf,
+               debhelper-compat (=12),
+               libglib2.0-dev,
+               libip4tc-dev,
+               libipset-dev,
+               libjson-c-dev,
+               libnfnetlink-dev,
+               libnftnl-dev,
+               libnl-3-dev,
+               libnl-genl-3-dev,
+               libnl-nf-3-dev,
+               libpcre2-dev,
+               libpopt-dev,
+               libsnmp-dev,
+               libssl-dev,
+               libsystemd-dev,
+               linux-libc-dev,
+               pkg-config
+Standards-Version: 4.4.1
+Vcs-Browser: https://salsa.debian.org/ipvs-team/pkg-keepalived
+Vcs-Git: https://salsa.debian.org/ipvs-team/pkg-keepalived.git
+Homepage: http://keepalived.org
+
+Package: keepalived
+Section: admin
+Architecture: any
+Depends: iproute2, ${misc:Depends}, ${shlibs:Depends}
+Pre-Depends: ${misc:Pre-Depends}
+Recommends: ipvsadm
+Description: Failover and monitoring daemon for LVS clusters
+ keepalived is used for monitoring real servers within a Linux
+ Virtual Server (LVS) cluster.  keepalived can be configured to
+ remove real servers from the cluster pool if it stops responding,
+ as well as send a notification email to make the admin aware of
+ the service failure.
+ .
+ In addition, keepalived implements an independent Virtual Router
+ Redundancy Protocol (VRRPv2; see rfc2338 for additional info)
+ framework for director failover.
+ .
+ You need a kernel >= 2.4.28 or >= 2.6.11 for keepalived.
+ See README.Debian for more information.

packages/keepalived/debian/patches/0001-vrrp-Set-sysctl-arp_ignore-to-1-on-IPv6-VMACs.patch

@@ -0,0 +1,129 @@
+From af4aa758c3512bec8233549e138b03741c5404f9 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Sat, 14 Oct 2023 15:37:19 +0100
+Subject: [PATCH] vrrp: Set sysctl arp_ignore to 1 on IPv6 VMACs
+
+Setting arp_ignore to 1 ensures that the VMAC interface does not respond
+to ARP requests for IPv4 addresses not configured on the VMAC.
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ keepalived/include/vrrp_if_config.h |  2 +-
+ keepalived/vrrp/vrrp_if_config.c    | 28 ++++++++++++++++++++--------
+ keepalived/vrrp/vrrp_vmac.c         |  5 ++---
+ 3 files changed, 23 insertions(+), 12 deletions(-)
+
+diff --git a/keepalived/include/vrrp_if_config.h b/keepalived/include/vrrp_if_config.h
+index 35465cd..c35e56e 100644
+--- a/keepalived/include/vrrp_if_config.h
++++ b/keepalived/include/vrrp_if_config.h
+@@ -34,7 +34,7 @@ extern void set_promote_secondaries(interface_t*);
+ extern void reset_promote_secondaries(interface_t*);
+ #ifdef _HAVE_VRRP_VMAC_
+ extern void restore_rp_filter(void);
+-extern void set_interface_parameters(const interface_t*, interface_t*);
++extern void set_interface_parameters(const interface_t*, interface_t*, sa_family_t);
+ extern void reset_interface_parameters(interface_t*);
+ extern void link_set_ipv6(const interface_t*, bool);
+ #endif
+diff --git a/keepalived/vrrp/vrrp_if_config.c b/keepalived/vrrp/vrrp_if_config.c
+index cfce7e2..fbfd34c 100644
+--- a/keepalived/vrrp/vrrp_if_config.c
++++ b/keepalived/vrrp/vrrp_if_config.c
+@@ -81,6 +81,11 @@ static sysctl_opts_t vmac_sysctl[] = {
+ 	{ 0, 0}
+ };
+ 
++static sysctl_opts_t vmac_sysctl_6[] = {
++	{ IPV4_DEVCONF_ARP_IGNORE, 1 },
++	{ 0, 0}
++};
++
+ #endif
+ #endif
+ 
+@@ -216,11 +221,14 @@ netlink_set_interface_flags(unsigned ifindex, const sysctl_opts_t *sys_opts)
+ 
+ #ifdef _HAVE_VRRP_VMAC_
+ static inline int
+-netlink_set_interface_parameters(const interface_t *ifp, interface_t *base_ifp)
++netlink_set_interface_parameters(const interface_t *ifp, interface_t *base_ifp, sa_family_t family)
+ {
+-	if (netlink_set_interface_flags(ifp->ifindex, vmac_sysctl))
++	if (netlink_set_interface_flags(ifp->ifindex, family == AF_INET6 ? vmac_sysctl_6 : vmac_sysctl))
+ 		return -1;
+ 
++	if (family == AF_INET6)
++		return 0;
++
+ 	/* If the underlying interface is a MACVLAN that has been moved into
+ 	 * a separate network namespace from the parent, we can't access the
+ 	 * parent. */
+@@ -271,9 +279,9 @@ netlink_reset_interface_parameters(const interface_t* ifp)
+ }
+ 
+ static inline void
+-set_interface_parameters_devconf(const interface_t *ifp, interface_t *base_ifp)
++set_interface_parameters_devconf(const interface_t *ifp, interface_t *base_ifp, sa_family_t family)
+ {
+-	if (netlink_set_interface_parameters(ifp, base_ifp))
++	if (netlink_set_interface_parameters(ifp, base_ifp, family))
+ 		log_message(LOG_INFO, "Unable to set parameters for %s", ifp->ifname);
+ }
+ 
+@@ -310,11 +318,15 @@ reset_promote_secondaries_devconf(interface_t *ifp)
+ 
+ #ifdef _HAVE_VRRP_VMAC_
+ static inline void
+-set_interface_parameters_sysctl(const interface_t *ifp, interface_t *base_ifp)
++set_interface_parameters_sysctl(const interface_t *ifp, interface_t *base_ifp, sa_family_t family)
+ {
+ 	unsigned val;
+ 
+ 	set_sysctl("net/ipv4/conf", ifp->ifname, "arp_ignore", 1);
++
++	if (family == AF_INET6)
++		return;
++
+ 	set_sysctl("net/ipv4/conf", ifp->ifname, "accept_local", 1);
+ 	set_sysctl("net/ipv4/conf", ifp->ifname, "rp_filter", 0);
+ 
+@@ -524,15 +536,15 @@ restore_rp_filter(void)
+ }
+ 
+ void
+-set_interface_parameters(const interface_t *ifp, interface_t *base_ifp)
++set_interface_parameters(const interface_t *ifp, interface_t *base_ifp, sa_family_t family)
+ {
+ 	if (all_rp_filter == UINT_MAX)
+ 		clear_rp_filter();
+ 
+ #ifdef _HAVE_IPV4_DEVCONF_
+-	set_interface_parameters_devconf(ifp, base_ifp);
++	set_interface_parameters_devconf(ifp, base_ifp, family);
+ #else
+-	set_interface_parameters_sysctl(ifp, base_ifp);
++	set_interface_parameters_sysctl(ifp, base_ifp, family);
+ #endif
+ }
+ 
+diff --git a/keepalived/vrrp/vrrp_vmac.c b/keepalived/vrrp/vrrp_vmac.c
+index e5ff0e9..021953a 100644
+--- a/keepalived/vrrp/vrrp_vmac.c
++++ b/keepalived/vrrp/vrrp_vmac.c
+@@ -407,10 +407,9 @@ netlink_link_add_vmac(vrrp_t *vrrp, const interface_t *old_interface)
+ 	if (!ifp->ifindex)
+ 		return false;
+ 
+-	if (vrrp->family == AF_INET && create_interface) {
++	if (create_interface) {
+ 		/* Set the necessary kernel parameters to make macvlans work for us */
+-// If this saves current base_ifp's settings, we need to be careful if multiple VMACs on same i/f
+-		set_interface_parameters(ifp, ifp->base_ifp);
++		set_interface_parameters(ifp, ifp->base_ifp, vrrp->family);
+ 	}
+ 
+ #ifdef _WITH_FIREWALL_
+-- 
+2.34.1
+

packages/keepalived/debian/patches/series

@@ -0,0 +1 @@
+0001-vrrp-Set-sysctl-arp_ignore-to-1-on-IPv6-VMACs.patch

packages/keepalived/debian/rules

@@ -0,0 +1,19 @@
+#!/usr/bin/make -f
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+#export DH_OPTIONS=-v
+
+%:
+	dh  $@ --with autoreconf
+
+override_dh_auto_configure:
+	dh_auto_configure -- --enable-snmp --enable-sha1 --enable-snmp-rfcv2 --enable-snmp-rfcv3 --enable-dbus --enable-json --enable-bfd --enable-regex
+
+
+override_dh_auto_install:
+	dh_auto_install
+	rm -rf debian/keepalived/etc/keepalived/samples/
+	rm -rf debian/keepalived/etc/rc.d
+	rm -rf debian/keepalived/etc/keepalived/keepalived.conf
+	rm -rf debian/keepalived/etc/sysconfig
+	rm -rf debian/keepalived/usr/man

packages/keepalived/debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

packages/linux-kernel/.gitignore

@@ -8,6 +8,9 @@
 *.deb
 *.changes
 *.buildinfo
+*.build
+*.tar.xz
+*.tar.bz2
 /*.postinst
 
 # Intel Driver source
@@ -17,5 +20,6 @@ igb-*/
 ixgbe-*/
 ixgbevf-*/
 vyos-intel-*/
+vyos-drivers-realtek-*/
 vyos-linux-firmware*/
 kernel-vars

packages/linux-kernel/Jenkinsfile

@@ -15,10 +15,10 @@
 
 @NonCPS
 
-// Using a version specifier library, use 'current' branch. The underscore (_)
+// Using a version specifier library, use 'equuleus' branch. The underscore (_)
 // is not a typo! You need this underscore if the line immediately after the
 // @Library annotation is not an import statement!
-@Library('vyos-build@current')_
+@Library('vyos-build@equuleus')_
 
 /* Only keep the most recent builds. */
 def projectProperties = [
@@ -50,6 +50,7 @@ node('Docker') {
 pipeline {
     agent {
         docker {
+            reuseNode true
             args "--sysctl net.ipv6.conf.lo.disable_ipv6=0 -e GOSU_UID=1006 -e GOSU_GID=1006"
             image "${env.DOCKER_IMAGE}"
             alwaysPull true
@@ -63,14 +64,12 @@ pipeline {
     environment {
         DEBIAN_ARCH = sh(returnStdout: true, script: 'dpkg --print-architecture').trim()
         BASE_DIR = getJenkinsfilePath()
-        CHANGESET_DIR = getChangeSetPath()
     }
     stages {
         stage('Fetch') {
             steps {
                 script {
                     checkout scm
-                    echo env.CHANGESET_DIR
                 }
             }
         }
@@ -81,19 +80,27 @@ pipeline {
                         beforeOptions true
                         beforeAgent true
                         anyOf {
-                            changeset pattern: "${env.CHANGESET_DIR}"
-                            triggeredBy 'TimerTrigger'
+                            changeset pattern: "**/packages/linux-kernel/*"
+                            changeset pattern: "**/data/defaults.json"
                             triggeredBy cause: "UserIdCause"
                         }
                     }
                     steps {
-                        dir(env.BASE_DIR + '/linux') {
-                            checkout([$class: 'GitSCM',
-                                doGenerateSubmoduleConfigurations: false,
-                                extensions: [[$class: 'CleanCheckout'],
-                                             [$class: 'CloneOption', depth: 1, noTags: false, reference: '', shallow: true]],
-                                branches: [[name: 'v5.4.86' ]],
-                                userRemoteConfigs: [[credentialsId: 'GitHub-vyosbot', url: 'https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git']]])
+                        script {
+                            dir(env.BASE_DIR) {
+                                sh '''
+                                    KERNEL_VER=\$(cat ../../data/defaults.json | jq -r .kernel_version)
+                                    gpg2 --locate-keys torvalds@kernel.org gregkh@kernel.org
+                                    curl -OL https://www.kernel.org/pub/linux/kernel/v5.x/linux-${KERNEL_VER}.tar.xz
+                                    curl -OL https://www.kernel.org/pub/linux/kernel/v5.x/linux-${KERNEL_VER}.tar.sign
+                                    xz -cd linux-${KERNEL_VER}.tar.xz | gpg2 --verify linux-${KERNEL_VER}.tar.sign -
+                                    if [ $? -ne 0 ]; then
+                                        exit 1
+                                    fi
+                                    tar xf linux-${KERNEL_VER}.tar.xz
+                                    ln -s linux-${KERNEL_VER} linux
+                                '''
+                            }
                         }
                     }
                 }
@@ -102,8 +109,8 @@ pipeline {
                         beforeOptions true
                         beforeAgent true
                         anyOf {
-                            changeset pattern: "${env.CHANGESET_DIR}"
-                            triggeredBy 'TimerTrigger'
+                            changeset pattern: "**/packages/linux-kernel/*"
+                            changeset pattern: "**/data/defaults.json"
                             triggeredBy cause: "UserIdCause"
                         }
                     }
@@ -113,7 +120,7 @@ pipeline {
                                 doGenerateSubmoduleConfigurations: false,
                                 extensions: [[$class: 'CleanCheckout'],
                                              [$class: 'CloneOption', depth: 1, noTags: false, reference: '', shallow: true]],
-                                branches: [[name: '20201022' ]],
+                                branches: [[name: '20201218' ]],
                                 userRemoteConfigs: [[credentialsId: 'GitHub-vyosbot', url: 'https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git']]])
                         }
                     }
@@ -123,8 +130,8 @@ pipeline {
                         beforeOptions true
                         beforeAgent true
                         anyOf {
-                            changeset pattern: "${env.CHANGESET_DIR}"
-                            triggeredBy 'TimerTrigger'
+                            changeset pattern: "**/packages/linux-kernel/*"
+                            changeset pattern: "**/data/defaults.json"
                             triggeredBy cause: "UserIdCause"
                         }
                     }
@@ -143,8 +150,8 @@ pipeline {
                         beforeOptions true
                         beforeAgent true
                         anyOf {
-                            changeset pattern: "${env.CHANGESET_DIR}"
-                            triggeredBy 'TimerTrigger'
+                            changeset pattern: "**/packages/linux-kernel/*"
+                            changeset pattern: "**/data/defaults.json"
                             triggeredBy cause: "UserIdCause"
                         }
                     }
@@ -153,7 +160,7 @@ pipeline {
                             checkout([$class: 'GitSCM',
                                 doGenerateSubmoduleConfigurations: false,
                                 extensions: [[$class: 'CleanCheckout']],
-                                branches: [[name: '59f8e1bc3f199c8d0d985253e19a74ad87130179' ]],
+                                branches: [[name: '0b4ef9862c65bf' ]],
                                 userRemoteConfigs: [[credentialsId: 'GitHub-vyosbot', url: 'https://github.com/accel-ppp/accel-ppp.git']]])
                         }
                     }
@@ -165,8 +172,8 @@ pipeline {
                 beforeOptions true
                 beforeAgent true
                 anyOf {
-                    changeset pattern: "${env.CHANGESET_DIR}"
-                    triggeredBy 'TimerTrigger'
+                    changeset pattern: "**/packages/linux-kernel/*"
+                    changeset pattern: "**/data/defaults.json"
                     triggeredBy cause: "UserIdCause"
                 }
             }
@@ -184,8 +191,8 @@ pipeline {
                         beforeOptions true
                         beforeAgent true
                         anyOf {
-                            changeset pattern: "${env.CHANGESET_DIR}"
-                            triggeredBy 'TimerTrigger'
+                            changeset pattern: "**/packages/linux-kernel/*"
+                            changeset pattern: "**/data/defaults.json"
                             triggeredBy cause: "UserIdCause"
                         }
                     }
@@ -202,8 +209,8 @@ pipeline {
                         beforeOptions true
                         beforeAgent true
                         anyOf {
-                            changeset pattern: "${env.CHANGESET_DIR}"
-                            triggeredBy 'TimerTrigger'
+                            changeset pattern: "**/packages/linux-kernel/*"
+                            changeset pattern: "**/data/defaults.json"
                             triggeredBy cause: "UserIdCause"
                         }
                     }
@@ -213,29 +220,13 @@ pipeline {
                         }
                     }
                 }
-                stage('Intel Driver(s)') {
-                    when {
-                        beforeOptions true
-                        beforeAgent true
-                        anyOf {
-                            changeset pattern: "${env.CHANGESET_DIR}"
-                            triggeredBy 'TimerTrigger'
-                            triggeredBy cause: "UserIdCause"
-                        }
-                    }
-                    steps {
-                        dir(env.BASE_DIR) {
-                            sh "./build-intel-drivers.sh"
-                        }
-                    }
-                }
                 stage('Intel QuickAssist Technology') {
                     when {
                         beforeOptions true
                         beforeAgent true
                         anyOf {
-                            changeset pattern: "${env.CHANGESET_DIR}"
-                            triggeredBy 'TimerTrigger'
+                            changeset pattern: "**/packages/linux-kernel/*"
+                            changeset pattern: "**/data/defaults.json"
                             triggeredBy cause: "UserIdCause"
                         }
                     }
@@ -245,18 +236,50 @@ pipeline {
                         }
                     }
                 }
+                stage('Intel ICE driver') {
+                    when {
+                        beforeOptions true
+                        beforeAgent true
+                        anyOf {
+                            changeset pattern: "**/packages/linux-kernel/*"
+                            changeset pattern: "**/data/defaults.json"
+                            triggeredBy cause: "UserIdCause"
+                        }
+                    }
+                    steps {
+                        dir(env.BASE_DIR) {
+                            sh "./build-intel-ice.py"
+                        }
+                    }
+                }
+                stage('Realtek r8152 driver') {
+                    when {
+                        beforeOptions true
+                        beforeAgent true
+                        anyOf {
+                            changeset pattern: "**/packages/linux-kernel/*"
+                            changeset pattern: "**/data/defaults.json"
+                            triggeredBy cause: "UserIdCause"
+                        }
+                    }
+                    steps {
+                        dir(env.BASE_DIR) {
+                            sh "./build-driver-realtek-r8152.py"
+                        }
+                    }
+                }
             }
         }
         // This stage should not be run in the parallel section as it will call "make"
         // again on the kernel source and this could confuse other build systems
-        // like generating Intel or Accel-PPP drivers. Better safe then sorry!
+        // like Accel-PPP. Better safe then sorry!
         stage('Linux Firmware') {
             when {
                 beforeOptions true
                 beforeAgent true
                 anyOf {
-                    changeset pattern: "${env.CHANGESET_DIR}"
-                    triggeredBy 'TimerTrigger'
+                    changeset pattern: "**/packages/linux-kernel/*"
+                    changeset pattern: "**/data/defaults.json"
                     triggeredBy cause: "UserIdCause"
                 }
             }
@@ -293,7 +316,7 @@ pipeline {
                                 VYOS_REPO_PATH += 'vyos/'
 
                             def SSH_OPTS = '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o LogLevel=ERROR'
-                            def SSH_REMOTE = 'khagen@10.217.48.113'
+                            def SSH_REMOTE = env.DEV_PACKAGES_VYOS_NET_HOST // defined as global variable
 
                             echo "Uploading package(s) and updating package(s) in the repository ..."
 

packages/linux-kernel/build-driver-realtek-r8152.py

@@ -0,0 +1,113 @@
+#!/usr/bin/env python3
+
+from json import loads as json_loads
+from requests import get
+from pathlib import Path
+from shutil import copy as copy_file
+from subprocess import run
+
+
+# dependency modifier
+def add_depends(package_dir: str, package_name: str, depends) -> None:
+    """Add dependencies to a package
+
+    Args:
+        package_dir (str): a directory where package sources are located
+        package_name (str): a name of package
+        depends (list[str]): a list of dependencies to add
+    """
+    depends_list: str = ', '.join(depends)
+    depends_line: str = f'misc:Depends={depends_list}\n'
+
+    substvars_file = Path(f'{package_dir}/debian/{package_name}.substvars')
+    substvars_file.write_text(depends_line)
+
+
+# copy patches
+def apply_deb_patches(package_name: str, sources_dir: str):
+    """Apply patches to sources directory
+
+    Args:
+        package_name (str): package name
+        sources_dir (str): sources dir
+    """
+    patches_dir = Path(f'patches/{package_name}')
+    if patches_dir.exists():
+        patches_list = list(patches_dir.iterdir())
+        patches_list.sort()
+        series_file = Path(f'{sources_dir}/debian/patches/series')
+        series_data = ''
+        for patch_file in patches_list:
+            print(f'Applying patch: {patch_file.name}')
+            copy_file(patch_file, f'{sources_dir}/debian/patches/')
+            if series_file.exists():
+                series_data = series_file.read_text()
+            series_data = f'{series_data}\n{patch_file.name}'
+            series_file.write_text(series_data)
+
+
+# find kernel version and source path
+defaults_file: str = Path('../../data/defaults.json').read_text()
+KERNEL_VER: str = json_loads(defaults_file).get('kernel_version')
+KERNEL_FLAVOR: str = json_loads(defaults_file).get('kernel_flavor')
+KERNEL_SRC: str = Path.cwd().as_posix() + '/linux'
+
+# define variables
+PACKAGE_NAME: str = 'vyos-drivers-realtek-r8152'
+PACKAGE_VERSION: str = '2.17.1'
+PACKAGE_DIR: str = f'{PACKAGE_NAME}-{PACKAGE_VERSION}'
+SOURCES_ARCHIVE: str = 'r8152-2.17.1.tar.bz2'
+SOURCES_URL: str = f'https://dev.packages.vyos.net/source-mirror/{SOURCES_ARCHIVE}'
+
+# download sources
+sources_archive = Path(SOURCES_ARCHIVE)
+sources_archive.write_bytes(get(SOURCES_URL).content)
+
+# prepare sources
+debmake_cmd = [
+    'debmake', '-e', 'support@vyos.io', '-f', 'VyOS Support', '-p',
+    PACKAGE_NAME, '-u', PACKAGE_VERSION, '-a', SOURCES_ARCHIVE
+]
+run(debmake_cmd)
+
+# add kernel to dependencies
+add_depends(PACKAGE_DIR, PACKAGE_NAME,
+            [f'linux-image-{KERNEL_VER}-{KERNEL_FLAVOR}'])
+
+# configure build rules
+build_rules_text: str = f'''#!/usr/bin/make -f
+# config
+export KERNELDIR := {KERNEL_SRC}
+PACKAGE_BUILD_DIR := debian/{PACKAGE_NAME}
+KVER := {KERNEL_VER}-{KERNEL_FLAVOR}
+MODULES_DIR := updates/drivers/net/usb
+
+# main packaging script based on dh7 syntax
+%:
+	dh $@  
+
+override_dh_clean:
+	dh_clean --exclude=debian/{PACKAGE_NAME}.substvars
+
+override_dh_prep:
+	dh_prep --exclude=debian/{PACKAGE_NAME}.substvars
+
+override_dh_auto_clean:
+	make clean
+
+override_dh_auto_build:
+	make modules
+
+override_dh_auto_install:
+	install -D -m 644 r8152.ko ${{PACKAGE_BUILD_DIR}}/lib/modules/${{KVER}}/${{MODULES_DIR}}/r8152.ko
+	install -D -m 644 50-usb-realtek-net.rules ${{PACKAGE_BUILD_DIR}}/etc/udev/rules.d/50-usb-realtek-net.rules
+'''
+bild_rules = Path(f'{PACKAGE_DIR}/debian/rules')
+bild_rules.write_text(build_rules_text)
+
+# apply patches
+apply_deb_patches(PACKAGE_NAME, PACKAGE_DIR)
+
+# build a package
+debuild_cmd = ['debuild']
+run(debuild_cmd, cwd=PACKAGE_DIR)

packages/linux-kernel/build-intel-drivers.sh

@@ -1,93 +0,0 @@
-#!/bin/sh
-CWD=$(pwd)
-KERNEL_VAR_FILE=${CWD}/kernel-vars
-
-if [ ! -f ${KERNEL_VAR_FILE} ]; then
-    echo "Kernel variable file '${KERNEL_VAR_FILE}' does not exist, run ./build_kernel.sh first"
-    exit 1
-fi
-
-. ${KERNEL_VAR_FILE}
-
-declare -a intel=(
-    "http://dev.packages.vyos.net/source-mirror/ixgbe-5.9.4.tar.gz"
-    "http://dev.packages.vyos.net/source-mirror/ixgbevf-4.9.3.tar.gz"
-    "http://dev.packages.vyos.net/source-mirror/igb-5.4.6.tar.gz"
-    "http://dev.packages.vyos.net/source-mirror/i40e-2.13.10.tar.gz"
-    "http://dev.packages.vyos.net/source-mirror/iavf-4.0.1.tar.gz"
-)
-
-for url in "${intel[@]}"
-do
-    cd ${CWD}
-
-    DRIVER_FILE="$(basename ${url})"
-    DRIVER_DIR="${DRIVER_FILE%.tar.gz}"
-    DRIVER_NAME="${DRIVER_DIR%-*}"
-    DRIVER_VERSION="${DRIVER_DIR##*-}"
-    DRIVER_VERSION_EXTRA="-0"
-
-    # Build up Debian related variables required for packaging
-    DEBIAN_ARCH=$(dpkg --print-architecture)
-    DEBIAN_DIR="${CWD}/vyos-intel-${DRIVER_NAME}_${DRIVER_VERSION}${DRIVER_VERSION_EXTRA}_${DEBIAN_ARCH}"
-    DEBIAN_CONTROL="${DEBIAN_DIR}/DEBIAN/control"
-    DEBIAN_POSTINST="${CWD}/vyos-intel-driver.postinst"
-
-    # Fetch Intel driver source from SourceForge
-    if [ -e ${DRIVER_FILE} ]; then
-        rm -f ${DRIVER_FILE}
-    fi
-    curl -L -o ${DRIVER_FILE} ${url}
-    if [ "$?" -ne "0" ]; then
-        exit 1
-    fi
-
-    # Unpack archive
-    if [ -d ${DRIVER_DIR} ]; then
-        rm -rf ${DRIVER_DIR}
-    fi
-    tar xf ${DRIVER_FILE}
-
-    cd ${DRIVER_DIR}/src
-    if [ -z $KERNEL_DIR ]; then
-        echo "KERNEL_DIR not defined"
-        exit 1
-    fi
-    echo "I: Compile Kernel module for Intel ${DRIVER_NAME} driver"
-    KSRC=${KERNEL_DIR} \
-        INSTALL_MOD_PATH=${DEBIAN_DIR} \
-        make -j $(getconf _NPROCESSORS_ONLN) install
-
-    # delete non required files which are also present in the kernel package
-    # und thus lead to duplicated files
-    find ${DEBIAN_DIR} -name "modules.*" | xargs rm -f
-
-    echo "#!/bin/sh" > ${DEBIAN_POSTINST}
-    echo "/sbin/depmod -a ${KERNEL_VERSION}${KERNEL_SUFFIX}" >> ${DEBIAN_POSTINST}
-
-    # build Debian package
-    echo "I: Building Debian package vyos-intel-${DRIVER_NAME}"
-    cd ${CWD}
-    if [ -f ${DEBIAN_DIR}.deb ]; then
-        rm ${DEBIAN_DIR}.deb
-    fi
-    fpm --input-type dir --output-type deb --name vyos-intel-${DRIVER_NAME} \
-        --version ${DRIVER_VERSION}${DRIVER_VERSION_EXTRA} --deb-compression gz \
-        --maintainer "VyOS Package Maintainers <maintainers@vyos.net>" \
-        --description "Vendor based driver for Intel ${DRIVER_NAME} NIC" \
-	--depends linux-image-${KERNEL_VERSION}${KERNEL_SUFFIX} \
-	--license "GPL2" \
-        -C ${DEBIAN_DIR} --after-install ${DEBIAN_POSTINST}
-
-    echo "I: Cleanup ${DRIVER_NAME} source"
-    cd ${CWD}
-    if [ -e ${DRIVER_FILE} ]; then
-        rm -f ${DRIVER_FILE}
-    fi
-    if [ -d ${DRIVER_DIR} ]; then
-        rm -rf ${DRIVER_DIR}
-    fi
-    if [ -d ${DEBIAN_DIR} ]; then
-        rm -rf ${DEBIAN_DIR}
-    fi
-done

packages/linux-kernel/build-intel-ice.py

@@ -0,0 +1,75 @@
+#!/usr/bin/env python3
+
+from json import loads as json_loads
+from requests import get
+from pathlib import Path
+from subprocess import run
+
+# define variables
+DRIVER_VERSION: str = '1.11.14'
+DRIVER_URL: str = f'https://downloads.sourceforge.net/project/e1000/ice%20stable/{DRIVER_VERSION}/ice-{DRIVER_VERSION}.tar.gz'
+DRIVER_ARCHIVE: str = f'ice-{DRIVER_VERSION}.tar.gz'
+DRIVER_DIR: str = f'vyos-drivers-intel-ice-{DRIVER_VERSION}'
+
+# find kernel version ans source path
+default_file: str = Path('../../data/defaults.json').read_text()
+KERNEL_VER: str = json_loads(default_file).get('kernel_version')
+KERNEL_SRC: str = Path.cwd().as_posix() + '/linux'
+
+# download driver
+driver_archive = Path(DRIVER_ARCHIVE)
+driver_archive.write_bytes(get(DRIVER_URL).content)
+
+# prepare sources
+debmake_cmd = [
+    'debmake', '-e', 'support@vyos.io', '-f', 'VyOS Support', '-p',
+    'vyos-drivers-intel-ice', '-a', DRIVER_ARCHIVE
+]
+run(debmake_cmd)
+
+# fix build rules
+build_rules_text = f'''#!/usr/bin/make -f
+# config
+export KSRC := {KERNEL_SRC}
+INSTALL_DIR := debian/vyos-drivers-intel-ice
+DRIVER := ice
+KVER := {KERNEL_VER}-amd64-vyos
+KSRC_INSTALL := /lib/modules/${{KVER}}/build/
+INTEL_DIR := updates/drivers/net/ethernet/intel
+# DDP variables
+DDP_PKG_ORIGIN := $(shell ls ddp/${{DRIVER}}-[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*\.pkg 2>/dev/null)
+DDP_PKG_NAME := $(shell basename ${{DDP_PKG_ORIGIN}} 2>/dev/null)
+DDP_PKG_DEST_PATH := ${{INSTALL_DIR}}/lib/firmware/updates/intel/${{DRIVER}}/ddp
+DDP_PKG_DEST := ${{DDP_PKG_DEST_PATH}}/${{DDP_PKG_NAME}}
+DDP_PKG_LINK := ${{DRIVER}}.pkg
+
+# main packaging script based on dh7 syntax
+%:
+	dh $@  
+
+override_dh_auto_clean:
+	cd src && \
+	make clean
+
+override_dh_auto_build:
+	cd src && sed -e 's/#define NEED_ETH_HW_ADDR_SET/#undef NEED_ETH_HW_ADDR_SET/' -i kcompat_std_defs.h && make all
+
+override_dh_auto_install:
+	# DDP
+	install -D -m 644 ${{DDP_PKG_ORIGIN}} ${{DDP_PKG_DEST}}
+	(cd ${{DDP_PKG_DEST_PATH}} && ln -sf ${{DDP_PKG_NAME}} ${{DDP_PKG_LINK}})
+	install -D -m 644 ddp/LICENSE ${{DDP_PKG_DEST_PATH}}/LICENSE
+	# module
+	install -D -m 644 src/${{DRIVER}}.ko ${{INSTALL_DIR}}/lib/modules/${{KVER}}/${{INTEL_DIR}}/ice/${{DRIVER}}.ko
+	# AUX
+	install -D -m 644 src/intel_auxiliary.ko ${{INSTALL_DIR}}/lib/modules/${{KVER}}/${{INTEL_DIR}}/auxiliary/intel_auxiliary.ko
+	install -D -m 644 src/Module.symvers ${{INSTALL_DIR}}/lib/modules/${{KVER}}/extern-symvers/intel_auxiliary.symvers
+	install -D -m 644 src/linux/auxiliary_bus.h ${{INSTALL_DIR}}/${{KSRC_INSTALL}}/include/linux/auxiliary_bus.h
+
+'''
+bild_rules = Path(f'{DRIVER_DIR}/debian/rules')
+bild_rules.write_text(build_rules_text)
+
+# build a package
+debuild_cmd = ['debuild']
+run(debuild_cmd, cwd=DRIVER_DIR)

packages/linux-kernel/build-intel-qat.sh

@@ -2,6 +2,11 @@
 CWD=$(pwd)
 KERNEL_VAR_FILE=${CWD}/kernel-vars
 
+if ! dpkg-architecture -iamd64; then
+    echo "Intel-QAT is only buildable on amd64 platforms"
+    exit 0
+fi
+
 if [ ! -f ${KERNEL_VAR_FILE} ]; then
     echo "Kernel variable file '${KERNEL_VAR_FILE}' does not exist, run ./build_kernel.sh first"
     exit 1
@@ -9,98 +14,99 @@ fi
 
 . ${KERNEL_VAR_FILE}
 
-declare -a intel=(
-    "https://01.org/sites/default/files/downloads/qat1.7.l.4.9.0-00008.tar_0.gz"
-)
+url="https://dev.packages.vyos.net/source-mirror/QAT1.7.l.4.9.0-00008.tar.gz"
 
-for url in "${intel[@]}"
-do
-    cd ${CWD}
+cd ${CWD}
 
-    DRIVER_FILE=$(basename ${url} | sed -e s/tar_0/tar/)
-    DRIVER_DIR="${DRIVER_FILE%.tar.gz}"
-    DRIVER_NAME="qat"
-    DRIVER_VERSION=$(echo ${DRIVER_DIR} | awk -F${DRIVER_NAME} '{print $2}')
-    DRIVER_VERSION_EXTRA="-0"
+DRIVER_FILE=$(basename ${url} | sed -e s/tar_0/tar/)
+DRIVER_DIR="${DRIVER_FILE%.tar.gz}"
+DRIVER_NAME="QAT"
+DRIVER_VERSION=$(echo ${DRIVER_DIR} | awk -F${DRIVER_NAME} '{print $2}')
+DRIVER_VERSION_EXTRA="-0"
 
-    # Build up Debian related variables required for packaging
-    DEBIAN_ARCH=$(dpkg --print-architecture)
-    DEBIAN_DIR="${CWD}/vyos-intel-${DRIVER_NAME}_${DRIVER_VERSION}${DRIVER_VERSION_EXTRA}_${DEBIAN_ARCH}"
-    DEBIAN_CONTROL="${DEBIAN_DIR}/DEBIAN/control"
-    DEBIAN_POSTINST="${CWD}/vyos-intel-qat.postinst"
+# Build up Debian related variables required for packaging
+DEBIAN_ARCH=$(dpkg --print-architecture)
+DEBIAN_DIR="${CWD}/vyos-intel-${DRIVER_NAME}_${DRIVER_VERSION}${DRIVER_VERSION_EXTRA}_${DEBIAN_ARCH}"
+DEBIAN_CONTROL="${DEBIAN_DIR}/DEBIAN/control"
+DEBIAN_POSTINST="${CWD}/vyos-intel-qat.postinst"
 
-    # Fetch Intel driver source from SourceForge
-    if [ -e ${DRIVER_FILE} ]; then
-        rm -f ${DRIVER_FILE}
-    fi
-    curl -L -o ${DRIVER_FILE} ${url}
-    if [ "$?" -ne "0" ]; then
-        exit 1
-    fi
+# Fetch Intel driver source from SourceForge
+if [ -e ${DRIVER_FILE} ]; then
+    rm -f ${DRIVER_FILE}
+fi
+curl -L -o ${DRIVER_FILE} ${url}
+if [ "$?" -ne "0" ]; then
+    exit 1
+fi
 
-    # Unpack archive
-    if [ -d ${DRIVER_DIR} ]; then
-        rm -rf ${DRIVER_DIR}
-    fi
-    mkdir -p ${DRIVER_DIR}
-    tar -C ${DRIVER_DIR} -xf ${DRIVER_FILE}
+# Unpack archive
+if [ -d ${DRIVER_DIR} ]; then
+    rm -rf ${DRIVER_DIR}
+fi
+mkdir -p ${DRIVER_DIR}
+tar -C ${DRIVER_DIR} -xf ${DRIVER_FILE}
 
-    cd ${DRIVER_DIR}
-    if [ -z $KERNEL_DIR ]; then
-        echo "KERNEL_DIR not defined"
-        exit 1
-    fi
+cd ${DRIVER_DIR}
+if [ -z $KERNEL_DIR ]; then
+    echo "KERNEL_DIR not defined"
+    exit 1
+fi
 
-    echo "I: Compile Kernel module for Intel ${DRIVER_NAME} driver"
-    mkdir -p ${DEBIAN_DIR}/lib/firmware ${DEBIAN_DIR}/usr/local/bin ${DEBIAN_DIR}/usr/lib/x86_64-linux-gnu ${DEBIAN_DIR}/etc/init.d
-    KERNEL_SOURCE_ROOT=${KERNEL_DIR} ./configure --enable-kapi --enable-qat-lkcf
-    make -j $(getconf _NPROCESSORS_ONLN) all
-    make INSTALL_MOD_PATH=${DEBIAN_DIR} INSTALL_FW_PATH=${DEBIAN_DIR} \
-        qat-driver-install
+echo "I: Compile Kernel module for Intel ${DRIVER_NAME} driver"
+mkdir -p \
+    ${DEBIAN_DIR}/lib/firmware \
+    ${DEBIAN_DIR}/usr/sbin \
+    ${DEBIAN_DIR}/usr/lib/x86_64-linux-gnu \
+    ${DEBIAN_DIR}/etc/init.d
 
-    if [ "x$?" != "x0" ]; then
-        exit 1
-    fi
+KERNEL_SOURCE_ROOT=${KERNEL_DIR} ./configure --enable-kapi --enable-qat-lkcf
+make -j $(getconf _NPROCESSORS_ONLN) all
+make INSTALL_MOD_PATH=${DEBIAN_DIR} INSTALL_FW_PATH=${DEBIAN_DIR} \
+    qat-driver-install adf-ctl-all
 
-    cp build/*.bin ${DEBIAN_DIR}/lib/firmware
-    cp build/*.so ${DEBIAN_DIR}/usr/lib/x86_64-linux-gnu
-    cp build/qat_service ${DEBIAN_DIR}/etc/init.d
-    cp build/adf_ctl ${DEBIAN_DIR}/usr/local/bin
-    cp build/usdm_drv.ko ${DEBIAN_DIR}/lib/modules/${KERNEL_VERSION}${KERNEL_SUFFIX}/updates/drivers
-    chmod 644 ${DEBIAN_DIR}/lib/firmware/*
-    chmod 755 ${DEBIAN_DIR}/etc/init.d/* ${DEBIAN_DIR}/usr/local/bin/*
+if [ "x$?" != "x0" ]; then
+    exit 1
+fi
 
-    if [ -f ${DEBIAN_DIR}.deb ]; then
-        rm ${DEBIAN_DIR}.deb
-    fi
+cp quickassist/qat/fw/*.bin ${DEBIAN_DIR}/lib/firmware
+cp build/*.so ${DEBIAN_DIR}/usr/lib/x86_64-linux-gnu
+cp build/adf_ctl ${DEBIAN_DIR}/usr/sbin
+cp quickassist/build_system/build_files/qat_service ${DEBIAN_DIR}/etc/init.d
+cp build/usdm_drv.ko ${DEBIAN_DIR}/lib/modules/${KERNEL_VERSION}${KERNEL_SUFFIX}/updates/drivers
 
-    # build Debian package
-    echo "I: Building Debian package vyos-intel-${DRIVER_NAME}"
-    cd ${CWD}
+chmod 644 ${DEBIAN_DIR}/lib/firmware/*
+chmod 755 ${DEBIAN_DIR}/etc/init.d/* ${DEBIAN_DIR}/usr/local/bin/*
 
-    # delete non required files which are also present in the kernel package
-    # und thus lead to duplicated files
-    find ${DEBIAN_DIR} -name "modules.*" | xargs rm -f
+if [ -f ${DEBIAN_DIR}.deb ]; then
+    rm ${DEBIAN_DIR}.deb
+fi
 
-    echo "#!/bin/sh" > ${DEBIAN_POSTINST}
-    echo "/sbin/depmod -a ${KERNEL_VERSION}${KERNEL_SUFFIX}" >> ${DEBIAN_POSTINST}
+# build Debian package
+echo "I: Building Debian package vyos-intel-${DRIVER_NAME}"
+cd ${CWD}
 
-    fpm --input-type dir --output-type deb --name vyos-intel-${DRIVER_NAME} \
-        --version ${DRIVER_VERSION}${DRIVER_VERSION_EXTRA} --deb-compression gz \
-        --maintainer "VyOS Package Maintainers <maintainers@vyos.net>" \
-        --description "Vendor based driver for Intel ${DRIVER_NAME}" \
-        --depends linux-image-${KERNEL_VERSION}${KERNEL_SUFFIX} \
-        --license "GPL2" -C ${DEBIAN_DIR} --after-install ${DEBIAN_POSTINST}
+# delete non required files which are also present in the kernel package
+# und thus lead to duplicated files
+find ${DEBIAN_DIR} -name "modules.*" | xargs rm -f
 
-    echo "I: Cleanup ${DRIVER_NAME} source"
-    cd ${CWD}
-    if [ -e ${DRIVER_FILE} ]; then
-        rm -f ${DRIVER_FILE}
-    fi
-    if [ -d ${DRIVER_DIR} ]; then
-        rm -rf ${DRIVER_DIR}
-    fi
-    if [ -d ${DEBIAN_DIR} ]; then
-        rm -rf ${DEBIAN_DIR}
-    fi
-done
+echo "#!/bin/sh" > ${DEBIAN_POSTINST}
+echo "/sbin/depmod -a ${KERNEL_VERSION}${KERNEL_SUFFIX}" >> ${DEBIAN_POSTINST}
+
+fpm --input-type dir --output-type deb --name vyos-intel-${DRIVER_NAME} \
+    --version ${DRIVER_VERSION}${DRIVER_VERSION_EXTRA} --deb-compression gz \
+    --maintainer "VyOS Package Maintainers <maintainers@vyos.net>" \
+    --description "Vendor based driver for Intel ${DRIVER_NAME}" \
+    --depends linux-image-${KERNEL_VERSION}${KERNEL_SUFFIX} \
+    --license "GPL2" -C ${DEBIAN_DIR} --after-install ${DEBIAN_POSTINST}
+
+echo "I: Cleanup ${DRIVER_NAME} source"
+cd ${CWD}
+if [ -e ${DRIVER_FILE} ]; then
+    rm -f ${DRIVER_FILE}
+fi
+if [ -d ${DRIVER_DIR} ]; then
+    rm -rf ${DRIVER_DIR}
+fi
+if [ -d ${DEBIAN_DIR} ]; then
+    rm -rf ${DEBIAN_DIR}
+fi

packages/linux-kernel/build-linux-firmware.sh

@@ -12,10 +12,6 @@ LINUX_SRC="linux"
 LINUX_FIRMWARE="linux-firmware"
 KERNEL_VAR_FILE=${CWD}/kernel-vars
 
-# Some firmware files might not be easy to extract (e.g. Intel iwlwifi drivers)
-# thus we simply ammend them "manually"
-ADD_FW_FILES="iwlwifi*"
-
 if [ ! -d ${LINUX_SRC} ]; then
     echo "Kernel source missing"
     exit 1
@@ -30,52 +26,69 @@ fi
 
 result=()
 # Retrieve firmware blobs from source files
-cd ${LINUX_SRC}
-FW_FILES=$(../list-required-firmware.py -c ../x86_64_vyos_defconfig -s drivers/net 2>/dev/null)
+FW_FILES=$(find ${LINUX_SRC}/debian/tmp/lib/modules/${KERNEL_VERSION}${KERNEL_SUFFIX}/kernel/drivers/net -name *.ko | xargs modinfo | grep "^firmware:" | awk '{print $2}')
 
 # Debian package will use the descriptive Git commit as version
 GIT_COMMIT=$(cd ${CWD}/${LINUX_FIRMWARE}; git describe --always)
 VYOS_FIRMWARE_NAME="vyos-linux-firmware"
-VYOS_FIRMWARE_DIR="${CWD}/${VYOS_FIRMWARE_NAME}_${GIT_COMMIT}-0_all"
+VYOS_FIRMWARE_DIR="${VYOS_FIRMWARE_NAME}_${GIT_COMMIT}-0_all"
 if [ -d ${VYOS_FIRMWARE_DIR} ]; then
     # remove Debian package folder and deb file from previous runs
     rm -rf ${VYOS_FIRMWARE_DIR}*
 fi
 mkdir -p ${VYOS_FIRMWARE_DIR}
 
-# Copy firmware file from linux firmware repository into
+# Install firmware files to build directory
+LINUX_FIRMWARE_BUILD_DIR="${LINUX_FIRMWARE}_${GIT_COMMIT}"
+
+if [ -d ${LINUX_FIRMWARE_BUILD_DIR} ]; then
+    rm -rf "${LINUX_FIRMWARE_BUILD_DIR}"
+fi
+
+mkdir -p "${LINUX_FIRMWARE_BUILD_DIR}"
+
+(
+    cd ${LINUX_FIRMWARE}
+    ./copy-firmware.sh "${CWD}/${LINUX_FIRMWARE_BUILD_DIR}"
+)
+
+# Copy firmware file from linux firmware build directory into
 # assembly folder for the vyos-firmware package
 SED_REPLACE="s@${CWD}/${LINUX_FIRMWARE}/@@"
-for FW_PATH in ${FW_FILES}; do
-    FW_FILE=$(basename $FW_PATH)
-    res=()
-    for tmp in $(find ${CWD}/linux-firmware -type f -name ${FW_FILE} | sed -e ${SED_REPLACE})
-    do
-        res+=( "$tmp" )
-    done
+for FILE in ${FW_FILES}; do
+    # If file is a symlink install the symlink target as well
+    if [ -h "${LINUX_FIRMWARE_BUILD_DIR}/${FILE}" ]; then
+        TARGET="$(realpath --relative-to="${LINUX_FIRMWARE_BUILD_DIR}" "${LINUX_FIRMWARE_BUILD_DIR}/${FILE}")"
+        TARGET_DIR="${VYOS_FIRMWARE_DIR}/lib/firmware/$(dirname "${TARGET}")"
 
-    for FILE in ${res[@]}; do
+        if [ ! -f "${TARGET_DIR}/$(basename "${TARGET}")" ]; then
+            if [ -f "${LINUX_FIRMWARE_BUILD_DIR}/${TARGET}" ]; then
+                mkdir -p "${TARGET_DIR}"
+
+                echo "I: install firmware: ${TARGET}"
+                cp "${CWD}/${LINUX_FIRMWARE_BUILD_DIR}/${TARGET}" "${TARGET_DIR}"
+            else
+                echo "I: firmware file not found: ${TARGET}"
+            fi
+        fi
+    fi
+
+    if [ -f ${LINUX_FIRMWARE_BUILD_DIR}/${FILE} ]; then
         FW_DIR="${VYOS_FIRMWARE_DIR}/lib/firmware/$(dirname ${FILE})"
-        mkdir -p ${FW_DIR}
+        mkdir -p "${FW_DIR}"
         echo "I: install firmware: ${FILE}"
-        cp ${CWD}/linux-firmware/${FILE} ${FW_DIR}
-    done
-done
-
-# Install additional firmware files that could not be autodiscovered
-for FW in ${ADD_FW_FILES}
-do
-    FW_DIR="${VYOS_FIRMWARE_DIR}/lib/firmware/$(dirname ${FW})"
-    mkdir -p ${FW_DIR}
-    echo "I: install firmware: ${FW}"
-    cp ${CWD}/linux-firmware/${FW} ${FW_DIR}
+        cp -P "${CWD}/${LINUX_FIRMWARE_BUILD_DIR}/${FILE}" "${FW_DIR}"
+    else
+        echo "I: firmware file not found: ${FILE}"
+    fi
 done
 
 echo "I: Create linux-firmware package"
-cd ${CWD}
+rm -f ${VYOS_FIRMWARE_NAME}_*.deb
 fpm --input-type dir --output-type deb --name ${VYOS_FIRMWARE_NAME} \
     --maintainer "VyOS Package Maintainers <maintainers@vyos.net>" \
     --description "Binary firmware for various drivers in the Linux kernel" \
-    --version ${GIT_COMMIT} --deb-compression gz -C ${VYOS_FIRMWARE_DIR}
+    --architecture all --version ${GIT_COMMIT} --deb-compression gz -C ${VYOS_FIRMWARE_DIR}
 
+rm -rf "${LINUX_FIRMWARE_BUILD_DIR}"
 rm -rf ${VYOS_FIRMWARE_DIR}

packages/linux-kernel/list-required-firmware.py

@@ -1,133 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2020 Daniil Baturin
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-import re
-import os
-import sys
-import glob
-import argparse
-import subprocess
-
-# Loads the kernel config -- only options set to y or m
-def load_config(path):
-    with open(path, 'r') as f:
-        config = f.read()
-    targets = re.findall(r'(.*)=(?:y|m)', config)
-    return targets
-
-# Finds subdir targets from the Makefile
-# that are enabled by the kernel build config
-def find_enabled_subdirs(config, makefile_path):
-    try:
-        with open(makefile_path, 'r') as f:
-            makefile = f.read()
-    except OSError:
-        # Shouldn't happen due to the way collect_source_files()
-        # calls this function.
-        return []
-
-    dir_stmts = re.findall(r'obj-\$\((.*)\)\s+\+=\s+(.*)/(?:\n|$)', makefile)
-    subdirs = []
-
-    for ds in dir_stmts:
-        config_key, src_dir = ds
-
-        if args.debug:
-            print("Processing make targets from {0} ({1})".format(ds[1], ds[0]), file=sys.stderr)
-        if config_key in config:
-            subdirs.append(src_dir)
-        elif args.debug:
-            print("{0} is disabled in the config, ignoring {1}".format(ds[0], ds[1]), file=sys.stderr)
-
-    return subdirs
-
-# For filtering
-def file_loads_firmware(file):
-    with open(file, 'r') as f:
-        source = f.read()
-    if re.search(r'MODULE_FIRMWARE\((.*)\)', source):
-        return True
-
-# Find all source files that reference firmware
-def collect_source_files(config, path):
-    files = []
-
-    makefile = os.path.join(path, "Makefile")
-
-    # Find and process all C files in this directory
-    # This is a compromise: sometimes there are single-file modules,
-    # that in fact may be disabled in the config,
-    # so this approach can create occasional false positives.
-    c_files = glob.glob("{0}/*.c".format(path))
-    files = list(filter(file_loads_firmware, c_files))
-
-    # Now walk the subdirectories
-    enabled_subdirs = find_enabled_subdirs(config, makefile)
-    subdirs = glob.glob("{0}/*/".format(path))
-    for d in subdirs:
-        dir_name = d.rstrip("/")
-
-        if os.path.exists(os.path.join(d, "Makefile")):
-            # If there's a makefile, it's an independent module
-            # or a high level dir
-            if os.path.basename(dir_name) in enabled_subdirs:
-                files = files + collect_source_files(config, d)
-        else:
-            # It's simply a subdirectory of the current module
-            # Some modules, like iwlwifi, keep their firmware-loading files
-            # in subdirs, so we have to handle this case
-            c_files = glob.iglob("{0}/**/*.c".format(d), recursive=True)
-            files += list(filter(file_loads_firmware, c_files))
-
-    return files
-
-if __name__ == '__main__':
-    parser = argparse.ArgumentParser()
-    parser.add_argument("-s", "--source-dir", action="append", help="Kernel source directory to process", required=True)
-    parser.add_argument("-c", "--kernel-config", action="store", help="Kernel configuration")
-    parser.add_argument("-d", "--debug", action="store_true", help="Enable Debug output")
-    parser.add_argument("-f", "--list-source-files", action="store_true", help="List source files that reference firmware and exit")
-    args = parser.parse_args()
-
-    if not args.kernel_config:
-        args.kernel_config = ".config"
-
-    config = load_config(args.kernel_config)
-
-    # Collect source files that reference firmware
-    for directory in args.source_dir:
-        source_files = collect_source_files(config, directory)
-
-    if args.list_source_files:
-        for sf in source_files:
-            print(sf)
-    else:
-        fw_files = []
-        for sf in source_files:
-            i_file = re.sub(r'\.c', r'.i', sf)
-            res = subprocess.run(["make {0} 2>&1".format(i_file)], shell=True, capture_output=True)
-            if res.returncode != 0:
-                print("Failed to preprocess file {0}".format(sf), file=sys.stderr)
-                print(res.stdout.decode(), file=sys.stderr)
-            else:
-                with open(i_file, 'r') as f:
-                    source = f.read()
-                    fw_statements = re.findall(r'__UNIQUE_ID_firmware.*"firmware"\s+"="\s+(.*);', source)
-                    fw_files += list(map(lambda s: re.sub(r'(\s|")', r'', s), fw_statements))
-
-        for fw in fw_files:
-            print(fw)

packages/linux-kernel/patches/kernel/0001-linkstate-ip-device-attribute.patch

@@ -6,7 +6,6 @@ Subject: [PATCH] VyOS: Add linkstate IP device attribute
 Backport of earlier Vyatta patch.
 
 (cherry picked from commit 7c5a851086686be14ae937c80d6cee34814dbefc)
-
 ---
  Documentation/networking/ip-sysctl.txt | 13 +++++++++++++
  include/linux/inetdevice.h             |  1 +
@@ -19,7 +18,7 @@ Backport of earlier Vyatta patch.
  8 files changed, 39 insertions(+)
 
 diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
-index 8af3771a3ebf..93408cc52991 100644
+index 5cf601c94e35..12457ee20f22 100644
 --- a/Documentation/networking/ip-sysctl.txt
 +++ b/Documentation/networking/ip-sysctl.txt
 @@ -1245,6 +1245,19 @@ rp_filter - INTEGER
@@ -43,7 +42,7 @@ index 8af3771a3ebf..93408cc52991 100644
  	1 - Allows you to have multiple network interfaces on the same
  	subnet, and have the ARPs for each interface be answered
 diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
-index 3515ca64e638..dcae58193580 100644
+index b68fca08be27..9cdfccdbb9fb 100644
 --- a/include/linux/inetdevice.h
 +++ b/include/linux/inetdevice.h
 @@ -133,6 +133,7 @@ static inline void ipv4_devconf_setall(struct in_device *in_dev)
@@ -55,7 +54,7 @@ index 3515ca64e638..dcae58193580 100644
  struct in_ifaddr {
  	struct hlist_node	hash;
 diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
-index ea7c7906591e..57f656ea2783 100644
+index d5c507311efb..066ad20f2b39 100644
 --- a/include/linux/ipv6.h
 +++ b/include/linux/ipv6.h
 @@ -76,6 +76,7 @@ struct ipv6_devconf {
@@ -91,7 +90,7 @@ index 9c0f4a92bcff..619edd130cfd 100644
  };
  
 diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
-index a27d034c85cc..b62b62abe907 100644
+index 4c013f8800f0..409050b2bc44 100644
 --- a/net/ipv4/devinet.c
 +++ b/net/ipv4/devinet.c
 @@ -2550,6 +2550,8 @@ static struct devinet_sysctl_table {
@@ -104,10 +103,10 @@ index a27d034c85cc..b62b62abe907 100644
  };
  
 diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
-index 635b2482fa20..ce1405ecf6f6 100644
+index 4bec4c061741..3762e74d0f10 100644
 --- a/net/ipv6/addrconf.c
 +++ b/net/ipv6/addrconf.c
-@@ -5477,6 +5477,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf *cnf,
+@@ -5507,6 +5507,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf *cnf,
  	array[DEVCONF_ADDR_GEN_MODE] = cnf->addr_gen_mode;
  	array[DEVCONF_DISABLE_POLICY] = cnf->disable_policy;
  	array[DEVCONF_NDISC_TCLASS] = cnf->ndisc_tclass;
@@ -115,7 +114,7 @@ index 635b2482fa20..ce1405ecf6f6 100644
  }
  
  static inline size_t inet6_ifla6_size(void)
-@@ -6849,6 +6850,14 @@ static const struct ctl_table addrconf_sysctl[] = {
+@@ -6875,6 +6876,14 @@ static const struct ctl_table addrconf_sysctl[] = {
  		.mode           = 0644,
  		.proc_handler   = addrconf_sysctl_disable_policy,
  	},
@@ -131,10 +130,10 @@ index 635b2482fa20..ce1405ecf6f6 100644
  		.procname	= "ndisc_tclass",
  		.data		= &ipv6_devconf.ndisc_tclass,
 diff --git a/net/ipv6/route.c b/net/ipv6/route.c
-index 46df6345bb99..2b930a2c4fdb 100644
+index c26e832fddb7..1ae8b6f76cbb 100644
 --- a/net/ipv6/route.c
 +++ b/net/ipv6/route.c
-@@ -686,6 +686,15 @@ static inline void rt6_probe(struct fib6_nh *fib6_nh)
+@@ -687,6 +687,15 @@ static inline void rt6_probe(struct fib6_nh *fib6_nh)
  }
  #endif
  
@@ -150,7 +149,7 @@ index 46df6345bb99..2b930a2c4fdb 100644
  /*
   * Default Router Selection (RFC 2461 6.3.6)
   */
-@@ -727,6 +736,8 @@ static int rt6_score_route(const struct fib6_nh *nh, u32 fib6_flags, int oif,
+@@ -728,6 +737,8 @@ static int rt6_score_route(const struct fib6_nh *nh, u32 fib6_flags, int oif,
  
  	if (!m && (strict & RT6_LOOKUP_F_IFACE))
  		return RT6_NUD_FAIL_HARD;

packages/linux-kernel/patches/kernel/0002-inotify-support-for-stackable-filesystems.patch

@@ -44,7 +44,7 @@ index 6736e47d94d8..84d9b31300c0 100644
 +
 +	  If unsure, say N.
 diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
-index 81ffc8629fc4..cacedffa6534 100644
+index b949b2c02f4b..5bbb53db64a4 100644
 --- a/fs/notify/inotify/inotify_user.c
 +++ b/fs/notify/inotify/inotify_user.c
 @@ -15,6 +15,7 @@
@@ -186,7 +186,7 @@ index 81ffc8629fc4..cacedffa6534 100644
  			      struct inotify_inode_mark *i_mark)
  {
 diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
-index d6b724beb304..380ac598f2e4 100644
+index fcf453f7f4ae..76d32d1cb952 100644
 --- a/fs/overlayfs/super.c
 +++ b/fs/overlayfs/super.c
 @@ -15,6 +15,7 @@
@@ -197,7 +197,7 @@ index d6b724beb304..380ac598f2e4 100644
  #include "overlayfs.h"
  
  MODULE_AUTHOR("Miklos Szeredi <miklos@szeredi.hu>");
-@@ -1758,6 +1759,18 @@ static void ovl_inode_init_once(void *foo)
+@@ -1768,6 +1769,18 @@ static void ovl_inode_init_once(void *foo)
  	inode_init_once(&oi->vfs_inode);
  }
  
@@ -216,7 +216,7 @@ index d6b724beb304..380ac598f2e4 100644
  static int __init ovl_init(void)
  {
  	int err;
-@@ -1772,13 +1785,21 @@ static int __init ovl_init(void)
+@@ -1782,13 +1795,21 @@ static int __init ovl_init(void)
  
  	err = register_filesystem(&ovl_fs_type);
  	if (err)
@@ -239,7 +239,7 @@ index d6b724beb304..380ac598f2e4 100644
  	unregister_filesystem(&ovl_fs_type);
  
  	/*
-@@ -1787,7 +1808,6 @@ static void __exit ovl_exit(void)
+@@ -1797,7 +1818,6 @@ static void __exit ovl_exit(void)
  	 */
  	rcu_barrier();
  	kmem_cache_destroy(ovl_inode_cachep);

packages/linux-kernel/patches/kernel/0004-revert-net-sched-retire-tcindex-classifier.patch

@@ -0,0 +1,786 @@
+From 58559e68b5a93bebf630c5ac99981ec054612583 Mon Sep 17 00:00:00 2001
+From: Christian Breunig <christian@breunig.cc>
+Date: Fri, 24 Nov 2023 09:28:56 +0100
+Subject: [PATCH] Revert "net/sched: Retire tcindex classifier"
+
+This reverts commit 7a6fb69bbcb21e9ce13bdf18c008c268874f0480.
+---
+ net/sched/Kconfig       |  11 +
+ net/sched/Makefile      |   1 +
+ net/sched/cls_tcindex.c | 730 ++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 742 insertions(+)
+ create mode 100644 net/sched/cls_tcindex.c
+
+diff --git a/net/sched/Kconfig b/net/sched/Kconfig
+index 46f2847a071e..131e653e9945 100644
+--- a/net/sched/Kconfig
++++ b/net/sched/Kconfig
+@@ -469,6 +469,17 @@ config NET_CLS_BASIC
+ 	  To compile this code as a module, choose M here: the
+ 	  module will be called cls_basic.
+ 
++config NET_CLS_TCINDEX
++	tristate "Traffic-Control Index (TCINDEX)"
++	select NET_CLS
++	---help---
++	  Say Y here if you want to be able to classify packets based on
++	  traffic control indices. You will want this feature if you want
++	  to implement Differentiated Services together with DSMARK.
++
++	  To compile this code as a module, choose M here: the
++	  module will be called cls_tcindex.
++
+ config NET_CLS_ROUTE4
+ 	tristate "Routing decision (ROUTE)"
+ 	depends on INET
+diff --git a/net/sched/Makefile b/net/sched/Makefile
+index fb2b90648a20..b2dcc40d92da 100644
+--- a/net/sched/Makefile
++++ b/net/sched/Makefile
+@@ -65,6 +65,7 @@ obj-$(CONFIG_NET_SCH_TAPRIO)	+= sch_taprio.o
+ obj-$(CONFIG_NET_CLS_U32)	+= cls_u32.o
+ obj-$(CONFIG_NET_CLS_ROUTE4)	+= cls_route.o
+ obj-$(CONFIG_NET_CLS_FW)	+= cls_fw.o
++obj-$(CONFIG_NET_CLS_TCINDEX)	+= cls_tcindex.o
+ obj-$(CONFIG_NET_CLS_BASIC)	+= cls_basic.o
+ obj-$(CONFIG_NET_CLS_FLOW)	+= cls_flow.o
+ obj-$(CONFIG_NET_CLS_CGROUP)	+= cls_cgroup.o
+diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
+new file mode 100644
+index 000000000000..768cf7cf65b4
+--- /dev/null
++++ b/net/sched/cls_tcindex.c
+@@ -0,0 +1,730 @@
++// SPDX-License-Identifier: GPL-2.0-only
++/*
++ * net/sched/cls_tcindex.c	Packet classifier for skb->tc_index
++ *
++ * Written 1998,1999 by Werner Almesberger, EPFL ICA
++ */
++
++#include <linux/module.h>
++#include <linux/types.h>
++#include <linux/kernel.h>
++#include <linux/skbuff.h>
++#include <linux/errno.h>
++#include <linux/slab.h>
++#include <linux/refcount.h>
++#include <net/act_api.h>
++#include <net/netlink.h>
++#include <net/pkt_cls.h>
++#include <net/sch_generic.h>
++
++/*
++ * Passing parameters to the root seems to be done more awkwardly than really
++ * necessary. At least, u32 doesn't seem to use such dirty hacks. To be
++ * verified. FIXME.
++ */
++
++#define PERFECT_HASH_THRESHOLD	64	/* use perfect hash if not bigger */
++#define DEFAULT_HASH_SIZE	64	/* optimized for diffserv */
++
++
++struct tcindex_data;
++
++struct tcindex_filter_result {
++	struct tcf_exts		exts;
++	struct tcf_result	res;
++	struct tcindex_data	*p;
++	struct rcu_work		rwork;
++};
++
++struct tcindex_filter {
++	u16 key;
++	struct tcindex_filter_result result;
++	struct tcindex_filter __rcu *next;
++	struct rcu_work rwork;
++};
++
++
++struct tcindex_data {
++	struct tcindex_filter_result *perfect; /* perfect hash; NULL if none */
++	struct tcindex_filter __rcu **h; /* imperfect hash; */
++	struct tcf_proto *tp;
++	u16 mask;		/* AND key with mask */
++	u32 shift;		/* shift ANDed key to the right */
++	u32 hash;		/* hash table size; 0 if undefined */
++	u32 alloc_hash;		/* allocated size */
++	u32 fall_through;	/* 0: only classify if explicit match */
++	refcount_t refcnt;	/* a temporary refcnt for perfect hash */
++	struct rcu_work rwork;
++};
++
++static inline int tcindex_filter_is_set(struct tcindex_filter_result *r)
++{
++	return tcf_exts_has_actions(&r->exts) || r->res.classid;
++}
++
++static void tcindex_data_get(struct tcindex_data *p)
++{
++	refcount_inc(&p->refcnt);
++}
++
++static void tcindex_data_put(struct tcindex_data *p)
++{
++	if (refcount_dec_and_test(&p->refcnt)) {
++		kfree(p->perfect);
++		kfree(p->h);
++		kfree(p);
++	}
++}
++
++static struct tcindex_filter_result *tcindex_lookup(struct tcindex_data *p,
++						    u16 key)
++{
++	if (p->perfect) {
++		struct tcindex_filter_result *f = p->perfect + key;
++
++		return tcindex_filter_is_set(f) ? f : NULL;
++	} else if (p->h) {
++		struct tcindex_filter __rcu **fp;
++		struct tcindex_filter *f;
++
++		fp = &p->h[key % p->hash];
++		for (f = rcu_dereference_bh_rtnl(*fp);
++		     f;
++		     fp = &f->next, f = rcu_dereference_bh_rtnl(*fp))
++			if (f->key == key)
++				return &f->result;
++	}
++
++	return NULL;
++}
++
++
++static int tcindex_classify(struct sk_buff *skb, const struct tcf_proto *tp,
++			    struct tcf_result *res)
++{
++	struct tcindex_data *p = rcu_dereference_bh(tp->root);
++	struct tcindex_filter_result *f;
++	int key = (skb->tc_index & p->mask) >> p->shift;
++
++	pr_debug("tcindex_classify(skb %p,tp %p,res %p),p %p\n",
++		 skb, tp, res, p);
++
++	f = tcindex_lookup(p, key);
++	if (!f) {
++		struct Qdisc *q = tcf_block_q(tp->chain->block);
++
++		if (!p->fall_through)
++			return -1;
++		res->classid = TC_H_MAKE(TC_H_MAJ(q->handle), key);
++		res->class = 0;
++		pr_debug("alg 0x%x\n", res->classid);
++		return 0;
++	}
++	*res = f->res;
++	pr_debug("map 0x%x\n", res->classid);
++
++	return tcf_exts_exec(skb, &f->exts, res);
++}
++
++
++static void *tcindex_get(struct tcf_proto *tp, u32 handle)
++{
++	struct tcindex_data *p = rtnl_dereference(tp->root);
++	struct tcindex_filter_result *r;
++
++	pr_debug("tcindex_get(tp %p,handle 0x%08x)\n", tp, handle);
++	if (p->perfect && handle >= p->alloc_hash)
++		return NULL;
++	r = tcindex_lookup(p, handle);
++	return r && tcindex_filter_is_set(r) ? r : NULL;
++}
++
++static int tcindex_init(struct tcf_proto *tp)
++{
++	struct tcindex_data *p;
++
++	pr_debug("tcindex_init(tp %p)\n", tp);
++	p = kzalloc(sizeof(struct tcindex_data), GFP_KERNEL);
++	if (!p)
++		return -ENOMEM;
++
++	p->mask = 0xffff;
++	p->hash = DEFAULT_HASH_SIZE;
++	p->fall_through = 1;
++	refcount_set(&p->refcnt, 1); /* Paired with tcindex_destroy_work() */
++
++	rcu_assign_pointer(tp->root, p);
++	return 0;
++}
++
++static void __tcindex_destroy_rexts(struct tcindex_filter_result *r)
++{
++	tcf_exts_destroy(&r->exts);
++	tcf_exts_put_net(&r->exts);
++	tcindex_data_put(r->p);
++}
++
++static void tcindex_destroy_rexts_work(struct work_struct *work)
++{
++	struct tcindex_filter_result *r;
++
++	r = container_of(to_rcu_work(work),
++			 struct tcindex_filter_result,
++			 rwork);
++	rtnl_lock();
++	__tcindex_destroy_rexts(r);
++	rtnl_unlock();
++}
++
++static void __tcindex_destroy_fexts(struct tcindex_filter *f)
++{
++	tcf_exts_destroy(&f->result.exts);
++	tcf_exts_put_net(&f->result.exts);
++	kfree(f);
++}
++
++static void tcindex_destroy_fexts_work(struct work_struct *work)
++{
++	struct tcindex_filter *f = container_of(to_rcu_work(work),
++						struct tcindex_filter,
++						rwork);
++
++	rtnl_lock();
++	__tcindex_destroy_fexts(f);
++	rtnl_unlock();
++}
++
++static int tcindex_delete(struct tcf_proto *tp, void *arg, bool *last,
++			  bool rtnl_held, struct netlink_ext_ack *extack)
++{
++	struct tcindex_data *p = rtnl_dereference(tp->root);
++	struct tcindex_filter_result *r = arg;
++	struct tcindex_filter __rcu **walk;
++	struct tcindex_filter *f = NULL;
++
++	pr_debug("tcindex_delete(tp %p,arg %p),p %p\n", tp, arg, p);
++	if (p->perfect) {
++		if (!r->res.class)
++			return -ENOENT;
++	} else {
++		int i;
++
++		for (i = 0; i < p->hash; i++) {
++			walk = p->h + i;
++			for (f = rtnl_dereference(*walk); f;
++			     walk = &f->next, f = rtnl_dereference(*walk)) {
++				if (&f->result == r)
++					goto found;
++			}
++		}
++		return -ENOENT;
++
++found:
++		rcu_assign_pointer(*walk, rtnl_dereference(f->next));
++	}
++	tcf_unbind_filter(tp, &r->res);
++	/* all classifiers are required to call tcf_exts_destroy() after rcu
++	 * grace period, since converted-to-rcu actions are relying on that
++	 * in cleanup() callback
++	 */
++	if (f) {
++		if (tcf_exts_get_net(&f->result.exts))
++			tcf_queue_work(&f->rwork, tcindex_destroy_fexts_work);
++		else
++			__tcindex_destroy_fexts(f);
++	} else {
++		tcindex_data_get(p);
++
++		if (tcf_exts_get_net(&r->exts))
++			tcf_queue_work(&r->rwork, tcindex_destroy_rexts_work);
++		else
++			__tcindex_destroy_rexts(r);
++	}
++
++	*last = false;
++	return 0;
++}
++
++static void tcindex_destroy_work(struct work_struct *work)
++{
++	struct tcindex_data *p = container_of(to_rcu_work(work),
++					      struct tcindex_data,
++					      rwork);
++
++	tcindex_data_put(p);
++}
++
++static inline int
++valid_perfect_hash(struct tcindex_data *p)
++{
++	return  p->hash > (p->mask >> p->shift);
++}
++
++static const struct nla_policy tcindex_policy[TCA_TCINDEX_MAX + 1] = {
++	[TCA_TCINDEX_HASH]		= { .type = NLA_U32 },
++	[TCA_TCINDEX_MASK]		= { .type = NLA_U16 },
++	[TCA_TCINDEX_SHIFT]		= { .type = NLA_U32 },
++	[TCA_TCINDEX_FALL_THROUGH]	= { .type = NLA_U32 },
++	[TCA_TCINDEX_CLASSID]		= { .type = NLA_U32 },
++};
++
++static int tcindex_filter_result_init(struct tcindex_filter_result *r,
++				      struct tcindex_data *p,
++				      struct net *net)
++{
++	memset(r, 0, sizeof(*r));
++	r->p = p;
++	return tcf_exts_init(&r->exts, net, TCA_TCINDEX_ACT,
++			     TCA_TCINDEX_POLICE);
++}
++
++static void tcindex_free_perfect_hash(struct tcindex_data *cp);
++
++static void tcindex_partial_destroy_work(struct work_struct *work)
++{
++	struct tcindex_data *p = container_of(to_rcu_work(work),
++					      struct tcindex_data,
++					      rwork);
++
++	rtnl_lock();
++	if (p->perfect)
++		tcindex_free_perfect_hash(p);
++	kfree(p);
++	rtnl_unlock();
++}
++
++static void tcindex_free_perfect_hash(struct tcindex_data *cp)
++{
++	int i;
++
++	for (i = 0; i < cp->hash; i++)
++		tcf_exts_destroy(&cp->perfect[i].exts);
++	kfree(cp->perfect);
++}
++
++static int tcindex_alloc_perfect_hash(struct net *net, struct tcindex_data *cp)
++{
++	int i, err = 0;
++
++	cp->perfect = kcalloc(cp->hash, sizeof(struct tcindex_filter_result),
++			      GFP_KERNEL | __GFP_NOWARN);
++	if (!cp->perfect)
++		return -ENOMEM;
++
++	for (i = 0; i < cp->hash; i++) {
++		err = tcf_exts_init(&cp->perfect[i].exts, net,
++				    TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE);
++		if (err < 0)
++			goto errout;
++		cp->perfect[i].p = cp;
++	}
++
++	return 0;
++
++errout:
++	tcindex_free_perfect_hash(cp);
++	return err;
++}
++
++static int
++tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
++		  u32 handle, struct tcindex_data *p,
++		  struct tcindex_filter_result *r, struct nlattr **tb,
++		  struct nlattr *est, bool ovr, struct netlink_ext_ack *extack)
++{
++	struct tcindex_filter_result new_filter_result;
++	struct tcindex_data *cp = NULL, *oldp;
++	struct tcindex_filter *f = NULL; /* make gcc behave */
++	struct tcf_result cr = {};
++	int err, balloc = 0;
++	struct tcf_exts e;
++
++	err = tcf_exts_init(&e, net, TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE);
++	if (err < 0)
++		return err;
++	err = tcf_exts_validate(net, tp, tb, est, &e, ovr, true, extack);
++	if (err < 0)
++		goto errout;
++
++	err = -ENOMEM;
++	/* tcindex_data attributes must look atomic to classifier/lookup so
++	 * allocate new tcindex data and RCU assign it onto root. Keeping
++	 * perfect hash and hash pointers from old data.
++	 */
++	cp = kzalloc(sizeof(*cp), GFP_KERNEL);
++	if (!cp)
++		goto errout;
++
++	cp->mask = p->mask;
++	cp->shift = p->shift;
++	cp->hash = p->hash;
++	cp->alloc_hash = p->alloc_hash;
++	cp->fall_through = p->fall_through;
++	cp->tp = tp;
++	refcount_set(&cp->refcnt, 1); /* Paired with tcindex_destroy_work() */
++
++	if (tb[TCA_TCINDEX_HASH])
++		cp->hash = nla_get_u32(tb[TCA_TCINDEX_HASH]);
++
++	if (tb[TCA_TCINDEX_MASK])
++		cp->mask = nla_get_u16(tb[TCA_TCINDEX_MASK]);
++
++	if (tb[TCA_TCINDEX_SHIFT]) {
++		cp->shift = nla_get_u32(tb[TCA_TCINDEX_SHIFT]);
++		if (cp->shift > 16) {
++			err = -EINVAL;
++			goto errout;
++		}
++	}
++	if (!cp->hash) {
++		/* Hash not specified, use perfect hash if the upper limit
++		 * of the hashing index is below the threshold.
++		 */
++		if ((cp->mask >> cp->shift) < PERFECT_HASH_THRESHOLD)
++			cp->hash = (cp->mask >> cp->shift) + 1;
++		else
++			cp->hash = DEFAULT_HASH_SIZE;
++	}
++
++	if (p->perfect) {
++		int i;
++
++		if (tcindex_alloc_perfect_hash(net, cp) < 0)
++			goto errout;
++		cp->alloc_hash = cp->hash;
++		for (i = 0; i < min(cp->hash, p->hash); i++)
++			cp->perfect[i].res = p->perfect[i].res;
++		balloc = 1;
++	}
++	cp->h = p->h;
++
++	err = tcindex_filter_result_init(&new_filter_result, cp, net);
++	if (err < 0)
++		goto errout_alloc;
++	if (r)
++		cr = r->res;
++
++	err = -EBUSY;
++
++	/* Hash already allocated, make sure that we still meet the
++	 * requirements for the allocated hash.
++	 */
++	if (cp->perfect) {
++		if (!valid_perfect_hash(cp) ||
++		    cp->hash > cp->alloc_hash)
++			goto errout_alloc;
++	} else if (cp->h && cp->hash != cp->alloc_hash) {
++		goto errout_alloc;
++	}
++
++	err = -EINVAL;
++	if (tb[TCA_TCINDEX_FALL_THROUGH])
++		cp->fall_through = nla_get_u32(tb[TCA_TCINDEX_FALL_THROUGH]);
++
++	if (!cp->perfect && !cp->h)
++		cp->alloc_hash = cp->hash;
++
++	/* Note: this could be as restrictive as if (handle & ~(mask >> shift))
++	 * but then, we'd fail handles that may become valid after some future
++	 * mask change. While this is extremely unlikely to ever matter,
++	 * the check below is safer (and also more backwards-compatible).
++	 */
++	if (cp->perfect || valid_perfect_hash(cp))
++		if (handle >= cp->alloc_hash)
++			goto errout_alloc;
++
++
++	err = -ENOMEM;
++	if (!cp->perfect && !cp->h) {
++		if (valid_perfect_hash(cp)) {
++			if (tcindex_alloc_perfect_hash(net, cp) < 0)
++				goto errout_alloc;
++			balloc = 1;
++		} else {
++			struct tcindex_filter __rcu **hash;
++
++			hash = kcalloc(cp->hash,
++				       sizeof(struct tcindex_filter *),
++				       GFP_KERNEL);
++
++			if (!hash)
++				goto errout_alloc;
++
++			cp->h = hash;
++			balloc = 2;
++		}
++	}
++
++	if (cp->perfect)
++		r = cp->perfect + handle;
++	else
++		r = tcindex_lookup(cp, handle) ? : &new_filter_result;
++
++	if (r == &new_filter_result) {
++		f = kzalloc(sizeof(*f), GFP_KERNEL);
++		if (!f)
++			goto errout_alloc;
++		f->key = handle;
++		f->next = NULL;
++		err = tcindex_filter_result_init(&f->result, cp, net);
++		if (err < 0) {
++			kfree(f);
++			goto errout_alloc;
++		}
++	}
++
++	if (tb[TCA_TCINDEX_CLASSID]) {
++		cr.classid = nla_get_u32(tb[TCA_TCINDEX_CLASSID]);
++		tcf_bind_filter(tp, &cr, base);
++	}
++
++	oldp = p;
++	r->res = cr;
++	tcf_exts_change(&r->exts, &e);
++
++	rcu_assign_pointer(tp->root, cp);
++
++	if (r == &new_filter_result) {
++		struct tcindex_filter *nfp;
++		struct tcindex_filter __rcu **fp;
++
++		f->result.res = r->res;
++		tcf_exts_change(&f->result.exts, &r->exts);
++
++		fp = cp->h + (handle % cp->hash);
++		for (nfp = rtnl_dereference(*fp);
++		     nfp;
++		     fp = &nfp->next, nfp = rtnl_dereference(*fp))
++				; /* nothing */
++
++		rcu_assign_pointer(*fp, f);
++	} else {
++		tcf_exts_destroy(&new_filter_result.exts);
++	}
++
++	if (oldp)
++		tcf_queue_work(&oldp->rwork, tcindex_partial_destroy_work);
++	return 0;
++
++errout_alloc:
++	if (balloc == 1)
++		tcindex_free_perfect_hash(cp);
++	else if (balloc == 2)
++		kfree(cp->h);
++	tcf_exts_destroy(&new_filter_result.exts);
++errout:
++	kfree(cp);
++	tcf_exts_destroy(&e);
++	return err;
++}
++
++static int
++tcindex_change(struct net *net, struct sk_buff *in_skb,
++	       struct tcf_proto *tp, unsigned long base, u32 handle,
++	       struct nlattr **tca, void **arg, bool ovr,
++	       bool rtnl_held, struct netlink_ext_ack *extack)
++{
++	struct nlattr *opt = tca[TCA_OPTIONS];
++	struct nlattr *tb[TCA_TCINDEX_MAX + 1];
++	struct tcindex_data *p = rtnl_dereference(tp->root);
++	struct tcindex_filter_result *r = *arg;
++	int err;
++
++	pr_debug("tcindex_change(tp %p,handle 0x%08x,tca %p,arg %p),opt %p,"
++	    "p %p,r %p,*arg %p\n",
++	    tp, handle, tca, arg, opt, p, r, arg ? *arg : NULL);
++
++	if (!opt)
++		return 0;
++
++	err = nla_parse_nested_deprecated(tb, TCA_TCINDEX_MAX, opt,
++					  tcindex_policy, NULL);
++	if (err < 0)
++		return err;
++
++	return tcindex_set_parms(net, tp, base, handle, p, r, tb,
++				 tca[TCA_RATE], ovr, extack);
++}
++
++static void tcindex_walk(struct tcf_proto *tp, struct tcf_walker *walker,
++			 bool rtnl_held)
++{
++	struct tcindex_data *p = rtnl_dereference(tp->root);
++	struct tcindex_filter *f, *next;
++	int i;
++
++	pr_debug("tcindex_walk(tp %p,walker %p),p %p\n", tp, walker, p);
++	if (p->perfect) {
++		for (i = 0; i < p->hash; i++) {
++			if (!p->perfect[i].res.class)
++				continue;
++			if (walker->count >= walker->skip) {
++				if (walker->fn(tp, p->perfect + i, walker) < 0) {
++					walker->stop = 1;
++					return;
++				}
++			}
++			walker->count++;
++		}
++	}
++	if (!p->h)
++		return;
++	for (i = 0; i < p->hash; i++) {
++		for (f = rtnl_dereference(p->h[i]); f; f = next) {
++			next = rtnl_dereference(f->next);
++			if (walker->count >= walker->skip) {
++				if (walker->fn(tp, &f->result, walker) < 0) {
++					walker->stop = 1;
++					return;
++				}
++			}
++			walker->count++;
++		}
++	}
++}
++
++static void tcindex_destroy(struct tcf_proto *tp, bool rtnl_held,
++			    struct netlink_ext_ack *extack)
++{
++	struct tcindex_data *p = rtnl_dereference(tp->root);
++	int i;
++
++	pr_debug("tcindex_destroy(tp %p),p %p\n", tp, p);
++
++	if (p->perfect) {
++		for (i = 0; i < p->hash; i++) {
++			struct tcindex_filter_result *r = p->perfect + i;
++
++			/* tcf_queue_work() does not guarantee the ordering we
++			 * want, so we have to take this refcnt temporarily to
++			 * ensure 'p' is freed after all tcindex_filter_result
++			 * here. Imperfect hash does not need this, because it
++			 * uses linked lists rather than an array.
++			 */
++			tcindex_data_get(p);
++
++			tcf_unbind_filter(tp, &r->res);
++			if (tcf_exts_get_net(&r->exts))
++				tcf_queue_work(&r->rwork,
++					       tcindex_destroy_rexts_work);
++			else
++				__tcindex_destroy_rexts(r);
++		}
++	}
++
++	for (i = 0; p->h && i < p->hash; i++) {
++		struct tcindex_filter *f, *next;
++		bool last;
++
++		for (f = rtnl_dereference(p->h[i]); f; f = next) {
++			next = rtnl_dereference(f->next);
++			tcindex_delete(tp, &f->result, &last, rtnl_held, NULL);
++		}
++	}
++
++	tcf_queue_work(&p->rwork, tcindex_destroy_work);
++}
++
++
++static int tcindex_dump(struct net *net, struct tcf_proto *tp, void *fh,
++			struct sk_buff *skb, struct tcmsg *t, bool rtnl_held)
++{
++	struct tcindex_data *p = rtnl_dereference(tp->root);
++	struct tcindex_filter_result *r = fh;
++	struct nlattr *nest;
++
++	pr_debug("tcindex_dump(tp %p,fh %p,skb %p,t %p),p %p,r %p\n",
++		 tp, fh, skb, t, p, r);
++	pr_debug("p->perfect %p p->h %p\n", p->perfect, p->h);
++
++	nest = nla_nest_start_noflag(skb, TCA_OPTIONS);
++	if (nest == NULL)
++		goto nla_put_failure;
++
++	if (!fh) {
++		t->tcm_handle = ~0; /* whatever ... */
++		if (nla_put_u32(skb, TCA_TCINDEX_HASH, p->hash) ||
++		    nla_put_u16(skb, TCA_TCINDEX_MASK, p->mask) ||
++		    nla_put_u32(skb, TCA_TCINDEX_SHIFT, p->shift) ||
++		    nla_put_u32(skb, TCA_TCINDEX_FALL_THROUGH, p->fall_through))
++			goto nla_put_failure;
++		nla_nest_end(skb, nest);
++	} else {
++		if (p->perfect) {
++			t->tcm_handle = r - p->perfect;
++		} else {
++			struct tcindex_filter *f;
++			struct tcindex_filter __rcu **fp;
++			int i;
++
++			t->tcm_handle = 0;
++			for (i = 0; !t->tcm_handle && i < p->hash; i++) {
++				fp = &p->h[i];
++				for (f = rtnl_dereference(*fp);
++				     !t->tcm_handle && f;
++				     fp = &f->next, f = rtnl_dereference(*fp)) {
++					if (&f->result == r)
++						t->tcm_handle = f->key;
++				}
++			}
++		}
++		pr_debug("handle = %d\n", t->tcm_handle);
++		if (r->res.class &&
++		    nla_put_u32(skb, TCA_TCINDEX_CLASSID, r->res.classid))
++			goto nla_put_failure;
++
++		if (tcf_exts_dump(skb, &r->exts) < 0)
++			goto nla_put_failure;
++		nla_nest_end(skb, nest);
++
++		if (tcf_exts_dump_stats(skb, &r->exts) < 0)
++			goto nla_put_failure;
++	}
++
++	return skb->len;
++
++nla_put_failure:
++	nla_nest_cancel(skb, nest);
++	return -1;
++}
++
++static void tcindex_bind_class(void *fh, u32 classid, unsigned long cl,
++			       void *q, unsigned long base)
++{
++	struct tcindex_filter_result *r = fh;
++
++	if (r && r->res.classid == classid) {
++		if (cl)
++			__tcf_bind_filter(q, &r->res, base);
++		else
++			__tcf_unbind_filter(q, &r->res);
++	}
++}
++
++static struct tcf_proto_ops cls_tcindex_ops __read_mostly = {
++	.kind		=	"tcindex",
++	.classify	=	tcindex_classify,
++	.init		=	tcindex_init,
++	.destroy	=	tcindex_destroy,
++	.get		=	tcindex_get,
++	.change		=	tcindex_change,
++	.delete		=	tcindex_delete,
++	.walk		=	tcindex_walk,
++	.dump		=	tcindex_dump,
++	.bind_class	=	tcindex_bind_class,
++	.owner		=	THIS_MODULE,
++};
++
++static int __init init_tcindex(void)
++{
++	return register_tcf_proto_ops(&cls_tcindex_ops);
++}
++
++static void __exit exit_tcindex(void)
++{
++	unregister_tcf_proto_ops(&cls_tcindex_ops);
++}
++
++module_init(init_tcindex)
++module_exit(exit_tcindex)
++MODULE_LICENSE("GPL");
+-- 
+2.39.2
+

packages/linux-kernel/patches/vyos-drivers-realtek-r8152/0001-Fixed-compatibility-with-kernel-5.4.254.patch

@@ -0,0 +1,27 @@
+From 65e00ae524f82cffb57abf3fa3f8dbac8a2bda7a Mon Sep 17 00:00:00 2001
+From: Taras Pudiak <taras@vyos.io>
+Date: Wed, 30 Aug 2023 14:59:38 +0300
+Subject: [PATCH] Fixed compatibility with kernel 5.4.254
+
+---
+ compatibility.h | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/compatibility.h b/compatibility.h
+index d1e044d..9eee6a9 100644
+--- a/compatibility.h
++++ b/compatibility.h
+@@ -612,10 +612,6 @@
+ #endif /* LINUX_VERSION_CODE < KERNEL_VERSION(5,8,0) */
+ #endif /* LINUX_VERSION_CODE < KERNEL_VERSION(5,9,0) */
+ #endif /* LINUX_VERSION_CODE < KERNEL_VERSION(5,12,0) */
+-	static inline void eth_hw_addr_set(struct net_device *dev, const u8 *addr)
+-	{
+-		memcpy(dev->dev_addr, addr, 6);
+-	}
+ #endif /* LINUX_VERSION_CODE < KERNEL_VERSION(5,15,0) */
+ #endif /* LINUX_VERSION_CODE < KERNEL_VERSION(5,19,0) */
+ 
+-- 
+2.34.1
+

packages/linux-kernel/x86_64_vyos_defconfig

@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 5.4.83 Kernel Configuration
+# Linux/x86 5.4.173 Kernel Configuration
 #
 
 #
@@ -139,6 +139,8 @@ CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
 CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
 CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y
 CONFIG_ARCH_SUPPORTS_INT128=y
+CONFIG_NUMA_BALANCING=y
+CONFIG_NUMA_BALANCING_DEFAULT_ENABLED=y
 CONFIG_CGROUPS=y
 CONFIG_PAGE_COUNTER=y
 CONFIG_MEMCG=y
@@ -287,7 +289,7 @@ CONFIG_CC_HAS_SANE_STACKPROTECTOR=y
 #
 # Processor type and features
 #
-CONFIG_ZONE_DMA=y
+# CONFIG_ZONE_DMA is not set
 CONFIG_SMP=y
 CONFIG_X86_FEATURE_NAMES=y
 CONFIG_X86_X2APIC=y
@@ -392,7 +394,12 @@ CONFIG_X86_CPUID=m
 CONFIG_X86_DIRECT_GBPAGES=y
 # CONFIG_X86_CPA_STATISTICS is not set
 # CONFIG_AMD_MEM_ENCRYPT is not set
-# CONFIG_NUMA is not set
+CONFIG_NUMA=y
+CONFIG_AMD_NUMA=y
+CONFIG_X86_64_ACPI_NUMA=y
+CONFIG_NODES_SPAN_OTHER_NODES=y
+# CONFIG_NUMA_EMU is not set
+CONFIG_NODES_SHIFT=6
 CONFIG_ARCH_SPARSEMEM_ENABLE=y
 CONFIG_ARCH_SPARSEMEM_DEFAULT=y
 CONFIG_ARCH_SELECT_MEMORY_MODEL=y
@@ -422,10 +429,10 @@ CONFIG_EFI_STUB=y
 CONFIG_EFI_MIXED=y
 CONFIG_SECCOMP=y
 # CONFIG_HZ_100 is not set
-CONFIG_HZ_250=y
+# CONFIG_HZ_250 is not set
 # CONFIG_HZ_300 is not set
-# CONFIG_HZ_1000 is not set
-CONFIG_HZ=250
+CONFIG_HZ_1000=y
+CONFIG_HZ=1000
 CONFIG_SCHED_HRTICK=y
 # CONFIG_KEXEC is not set
 # CONFIG_KEXEC_FILE is not set
@@ -453,6 +460,7 @@ CONFIG_HAVE_LIVEPATCH=y
 CONFIG_ARCH_HAS_ADD_PAGES=y
 CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
 CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+CONFIG_USE_PERCPU_NUMA_NODE_ID=y
 CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
 CONFIG_ARCH_ENABLE_THP_MIGRATION=y
 
@@ -499,6 +507,7 @@ CONFIG_ACPI_IPMI=m
 CONFIG_ACPI_HOTPLUG_CPU=y
 CONFIG_ACPI_PROCESSOR_AGGREGATOR=m
 CONFIG_ACPI_THERMAL=m
+CONFIG_ACPI_NUMA=y
 CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y
 CONFIG_ACPI_TABLE_UPGRADE=y
 # CONFIG_ACPI_DEBUG is not set
@@ -513,6 +522,7 @@ CONFIG_ACPI_BGRT=y
 # CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set
 CONFIG_ACPI_NFIT=m
 # CONFIG_NFIT_SECURITY_DEBUG is not set
+# CONFIG_ACPI_HMAT is not set
 CONFIG_HAVE_ACPI_APEI=y
 CONFIG_HAVE_ACPI_APEI_NMI=y
 CONFIG_ACPI_APEI=y
@@ -867,6 +877,7 @@ CONFIG_COREDUMP=y
 CONFIG_SELECT_MEMORY_MODEL=y
 CONFIG_SPARSEMEM_MANUAL=y
 CONFIG_SPARSEMEM=y
+CONFIG_NEED_MULTIPLE_NODES=y
 CONFIG_HAVE_MEMORY_PRESENT=y
 CONFIG_SPARSEMEM_EXTREME=y
 CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
@@ -886,7 +897,6 @@ CONFIG_COMPACTION=y
 CONFIG_MIGRATION=y
 CONFIG_CONTIG_ALLOC=y
 CONFIG_PHYS_ADDR_T_64BIT=y
-CONFIG_BOUNCE=y
 CONFIG_VIRT_TO_BUS=y
 CONFIG_MMU_NOTIFIER=y
 CONFIG_KSM=y
@@ -932,7 +942,8 @@ CONFIG_PACKET_DIAG=m
 CONFIG_UNIX=y
 CONFIG_UNIX_SCM=y
 CONFIG_UNIX_DIAG=m
-# CONFIG_TLS is not set
+CONFIG_TLS=y
+CONFIG_TLS_DEVICE=y
 CONFIG_XFRM=y
 CONFIG_XFRM_OFFLOAD=y
 CONFIG_XFRM_ALGO=m
@@ -1568,6 +1579,7 @@ CONFIG_NET_FLOW_LIMIT=y
 # CONFIG_BT is not set
 # CONFIG_AF_RXRPC is not set
 # CONFIG_AF_KCM is not set
+CONFIG_STREAM_PARSER=y
 CONFIG_FIB_RULES=y
 CONFIG_WIRELESS=y
 CONFIG_WIRELESS_EXT=y
@@ -1617,6 +1629,8 @@ CONFIG_LWTUNNEL=y
 CONFIG_LWTUNNEL_BPF=y
 CONFIG_DST_CACHE=y
 CONFIG_GRO_CELLS=y
+CONFIG_SOCK_VALIDATE_XMIT=y
+CONFIG_NET_SOCK_MSG=y
 CONFIG_NET_DEVLINK=y
 CONFIG_PAGE_POOL=y
 CONFIG_FAILOVER=m
@@ -1927,7 +1941,7 @@ CONFIG_SCSI_NETLINK=y
 CONFIG_BLK_DEV_SD=m
 # CONFIG_CHR_DEV_ST is not set
 CONFIG_BLK_DEV_SR=m
-# CONFIG_CHR_DEV_SG is not set
+CONFIG_CHR_DEV_SG=m
 # CONFIG_CHR_DEV_SCH is not set
 # CONFIG_SCSI_ENCLOSURE is not set
 CONFIG_SCSI_CONSTANTS=y
@@ -2280,9 +2294,8 @@ CONFIG_CHELSIO_T3=m
 CONFIG_CHELSIO_T4=m
 CONFIG_CHELSIO_T4VF=m
 CONFIG_CHELSIO_LIB=m
-CONFIG_NET_VENDOR_CISCO=y
-CONFIG_ENIC=m
-CONFIG_NET_VENDOR_CORTINA=y
+# CONFIG_NET_VENDOR_CISCO is not set
+# CONFIG_NET_VENDOR_CORTINA is not set
 # CONFIG_CX_ECAT is not set
 # CONFIG_DNET is not set
 # CONFIG_NET_VENDOR_DEC is not set
@@ -2299,7 +2312,7 @@ CONFIG_BE2NET_LANCER=y
 CONFIG_BE2NET_SKYHAWK=y
 CONFIG_NET_VENDOR_EZCHIP=y
 CONFIG_NET_VENDOR_GOOGLE=y
-# CONFIG_GVE is not set
+CONFIG_GVE=m
 CONFIG_NET_VENDOR_HP=y
 CONFIG_HP100=m
 CONFIG_NET_VENDOR_HUAWEI=y
@@ -2310,17 +2323,23 @@ CONFIG_E100=m
 CONFIG_E1000=m
 CONFIG_E1000E=m
 CONFIG_E1000E_HWTS=y
-# CONFIG_IGB is not set
+CONFIG_IGB=m
+CONFIG_IGB_HWMON=y
+CONFIG_IGB_DCA=y
 CONFIG_IGBVF=m
 CONFIG_IXGB=m
-# CONFIG_IXGBE is not set
-# CONFIG_IXGBEVF is not set
-# CONFIG_I40E is not set
+CONFIG_IXGBE=m
+CONFIG_IXGBE_HWMON=y
+CONFIG_IXGBE_DCA=y
+CONFIG_IXGBE_IPSEC=y
+CONFIG_IXGBEVF=m
+CONFIG_IXGBEVF_IPSEC=y
+CONFIG_I40E=m
 CONFIG_IAVF=m
 CONFIG_I40EVF=m
 CONFIG_ICE=m
 # CONFIG_FM10K is not set
-# CONFIG_IGC is not set
+CONFIG_IGC=m
 CONFIG_JME=m
 CONFIG_NET_VENDOR_MARVELL=y
 # CONFIG_MVMDIO is not set
@@ -2341,6 +2360,7 @@ CONFIG_MLX5_EN_ARFS=y
 CONFIG_MLX5_EN_RXNFC=y
 CONFIG_MLX5_MPFS=y
 # CONFIG_MLX5_CORE_IPOIB is not set
+# CONFIG_MLX5_TLS is not set
 # CONFIG_MLXSW_CORE is not set
 # CONFIG_MLXFW is not set
 CONFIG_NET_VENDOR_MICREL=y
@@ -2361,13 +2381,9 @@ CONFIG_NET_VENDOR_NETERION=y
 CONFIG_S2IO=m
 CONFIG_VXGE=m
 # CONFIG_VXGE_DEBUG_TRACE_ALL is not set
-CONFIG_NET_VENDOR_NETRONOME=y
-CONFIG_NFP=m
-# CONFIG_NFP_DEBUG is not set
-CONFIG_NET_VENDOR_NI=y
-# CONFIG_NI_XGE_MANAGEMENT_ENET is not set
-CONFIG_NET_VENDOR_8390=y
-CONFIG_NE2K_PCI=m
+# CONFIG_NET_VENDOR_NETRONOME is not set
+# CONFIG_NET_VENDOR_NI is not set
+# CONFIG_NET_VENDOR_8390 is not set
 CONFIG_NET_VENDOR_NVIDIA=y
 CONFIG_FORCEDETH=m
 CONFIG_NET_VENDOR_OKI=y
@@ -2375,8 +2391,7 @@ CONFIG_NET_VENDOR_OKI=y
 CONFIG_NET_VENDOR_PACKET_ENGINES=y
 CONFIG_HAMACHI=m
 CONFIG_YELLOWFIN=m
-CONFIG_NET_VENDOR_PENSANDO=y
-# CONFIG_IONIC is not set
+# CONFIG_NET_VENDOR_PENSANDO is not set
 CONFIG_NET_VENDOR_QLOGIC=y
 CONFIG_QLA3XXX=m
 CONFIG_QLCNIC=m
@@ -2386,11 +2401,8 @@ CONFIG_NETXEN_NIC=m
 CONFIG_QED=m
 CONFIG_QED_SRIOV=y
 CONFIG_QEDE=m
-CONFIG_NET_VENDOR_QUALCOMM=y
-# CONFIG_QCOM_EMAC is not set
-# CONFIG_RMNET is not set
-CONFIG_NET_VENDOR_RDC=y
-CONFIG_R6040=m
+# CONFIG_NET_VENDOR_QUALCOMM is not set
+# CONFIG_NET_VENDOR_RDC is not set
 CONFIG_NET_VENDOR_REALTEK=y
 CONFIG_8139CP=m
 CONFIG_8139TOO=m
@@ -2401,8 +2413,7 @@ CONFIG_8139TOO_8129=y
 CONFIG_R8169=m
 CONFIG_NET_VENDOR_RENESAS=y
 CONFIG_NET_VENDOR_ROCKER=y
-CONFIG_NET_VENDOR_SAMSUNG=y
-# CONFIG_SXGBE_ETH is not set
+# CONFIG_NET_VENDOR_SAMSUNG is not set
 # CONFIG_NET_VENDOR_SEEQ is not set
 CONFIG_NET_VENDOR_SOLARFLARE=y
 CONFIG_SFC=m
@@ -2416,7 +2427,7 @@ CONFIG_NET_VENDOR_SIS=y
 CONFIG_SIS900=m
 CONFIG_SIS190=m
 # CONFIG_NET_VENDOR_SMSC is not set
-CONFIG_NET_VENDOR_SOCIONEXT=y
+# CONFIG_NET_VENDOR_SOCIONEXT is not set
 # CONFIG_NET_VENDOR_STMICRO is not set
 # CONFIG_NET_VENDOR_SUN is not set
 CONFIG_NET_VENDOR_SYNOPSYS=y
@@ -2431,9 +2442,7 @@ CONFIG_VIA_RHINE=m
 # CONFIG_VIA_RHINE_MMIO is not set
 CONFIG_VIA_VELOCITY=m
 # CONFIG_NET_VENDOR_WIZNET is not set
-CONFIG_NET_VENDOR_XILINX=y
-# CONFIG_XILINX_AXI_EMAC is not set
-# CONFIG_XILINX_LL_TEMAC is not set
+# CONFIG_NET_VENDOR_XILINX is not set
 # CONFIG_FDDI is not set
 # CONFIG_HIPPI is not set
 # CONFIG_NET_SB1000 is not set
@@ -2513,9 +2522,9 @@ CONFIG_USB_NET_AX8817X=m
 CONFIG_USB_NET_AX88179_178A=m
 CONFIG_USB_NET_CDCETHER=m
 CONFIG_USB_NET_CDC_EEM=m
-# CONFIG_USB_NET_CDC_NCM is not set
-# CONFIG_USB_NET_HUAWEI_CDC_NCM is not set
-# CONFIG_USB_NET_CDC_MBIM is not set
+CONFIG_USB_NET_CDC_NCM=m
+CONFIG_USB_NET_HUAWEI_CDC_NCM=m
+CONFIG_USB_NET_CDC_MBIM=m
 # CONFIG_USB_NET_DM9601 is not set
 # CONFIG_USB_NET_SR9700 is not set
 # CONFIG_USB_NET_SR9800 is not set
@@ -2530,10 +2539,10 @@ CONFIG_USB_NET_SMSC95XX=m
 # CONFIG_USB_NET_ZAURUS is not set
 # CONFIG_USB_NET_CX82310_ETH is not set
 # CONFIG_USB_NET_KALMIA is not set
-# CONFIG_USB_NET_QMI_WWAN is not set
+CONFIG_USB_NET_QMI_WWAN=m
 # CONFIG_USB_NET_INT51X1 is not set
 # CONFIG_USB_IPHETH is not set
-# CONFIG_USB_SIERRA_NET is not set
+CONFIG_USB_SIERRA_NET=m
 # CONFIG_USB_VL600 is not set
 # CONFIG_USB_NET_CH9200 is not set
 # CONFIG_USB_NET_AQC111 is not set
@@ -2560,7 +2569,7 @@ CONFIG_ATH9K_PCI=y
 # CONFIG_ATH9K_DFS_CERTIFIED is not set
 # CONFIG_ATH9K_DYNACK is not set
 # CONFIG_ATH9K_WOW is not set
-# CONFIG_ATH9K_CHANNEL_CONTEXT is not set
+CONFIG_ATH9K_CHANNEL_CONTEXT=y
 CONFIG_ATH9K_PCOEM=y
 # CONFIG_ATH9K_PCI_NO_EEPROM is not set
 CONFIG_ATH9K_HTC=m
@@ -2633,7 +2642,11 @@ CONFIG_LIBIPW=m
 CONFIG_IWLEGACY=m
 CONFIG_IWL4965=m
 CONFIG_IWL3945=m
-
+# stmicro driver
+CONFIG_NET_VENDOR_STMICRO=y
+CONFIG_STMMAC_ETH=m
+CONFIG_DWMAC_INTEL=m
+CONFIG_STMMAC_PCI=m
 #
 # iwl3945 / iwl4965 Debugging Options
 #
@@ -3287,6 +3300,7 @@ CONFIG_BATTERY_MAX17042=m
 # CONFIG_CHARGER_BQ25890 is not set
 # CONFIG_CHARGER_SMB347 is not set
 # CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_BATTERY_RT5033 is not set
 # CONFIG_CHARGER_RT9455 is not set
 CONFIG_HWMON=y
 CONFIG_HWMON_VID=m
@@ -4787,7 +4801,6 @@ CONFIG_MANDATORY_FILE_LOCKING=y
 CONFIG_FSNOTIFY=y
 CONFIG_DNOTIFY=y
 CONFIG_INOTIFY_USER=y
-CONFIG_INOTIFY_STACKFS=y
 # CONFIG_FANOTIFY is not set
 # CONFIG_QUOTA is not set
 # CONFIG_AUTOFS4_FS is not set
@@ -5003,15 +5016,15 @@ CONFIG_CRYPTO=y
 #
 CONFIG_CRYPTO_ALGAPI=y
 CONFIG_CRYPTO_ALGAPI2=y
-CONFIG_CRYPTO_AEAD=m
+CONFIG_CRYPTO_AEAD=y
 CONFIG_CRYPTO_AEAD2=y
-CONFIG_CRYPTO_BLKCIPHER=m
+CONFIG_CRYPTO_BLKCIPHER=y
 CONFIG_CRYPTO_BLKCIPHER2=y
 CONFIG_CRYPTO_HASH=y
 CONFIG_CRYPTO_HASH2=y
-CONFIG_CRYPTO_RNG=m
+CONFIG_CRYPTO_RNG=y
 CONFIG_CRYPTO_RNG2=y
-CONFIG_CRYPTO_RNG_DEFAULT=m
+CONFIG_CRYPTO_RNG_DEFAULT=y
 CONFIG_CRYPTO_AKCIPHER2=y
 CONFIG_CRYPTO_AKCIPHER=y
 CONFIG_CRYPTO_KPP2=y
@@ -5021,8 +5034,8 @@ CONFIG_CRYPTO_MANAGER=y
 CONFIG_CRYPTO_MANAGER2=y
 CONFIG_CRYPTO_USER=m
 CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
-CONFIG_CRYPTO_GF128MUL=m
-CONFIG_CRYPTO_NULL=m
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
 CONFIG_CRYPTO_NULL2=y
 CONFIG_CRYPTO_PCRYPT=m
 CONFIG_CRYPTO_CRYPTD=m
@@ -5045,11 +5058,11 @@ CONFIG_CRYPTO_ECRDSA=m
 # Authenticated Encryption with Associated Data
 #
 CONFIG_CRYPTO_CCM=m
-CONFIG_CRYPTO_GCM=m
+CONFIG_CRYPTO_GCM=y
 CONFIG_CRYPTO_CHACHA20POLY1305=m
 CONFIG_CRYPTO_AEGIS128=m
 CONFIG_CRYPTO_AEGIS128_AESNI_SSE2=m
-CONFIG_CRYPTO_SEQIV=m
+CONFIG_CRYPTO_SEQIV=y
 CONFIG_CRYPTO_ECHAINIV=m
 
 #
@@ -5057,7 +5070,7 @@ CONFIG_CRYPTO_ECHAINIV=m
 #
 CONFIG_CRYPTO_CBC=m
 CONFIG_CRYPTO_CFB=m
-CONFIG_CRYPTO_CTR=m
+CONFIG_CRYPTO_CTR=y
 CONFIG_CRYPTO_CTS=m
 CONFIG_CRYPTO_ECB=m
 CONFIG_CRYPTO_LRW=m
@@ -5089,7 +5102,7 @@ CONFIG_CRYPTO_CRC32_PCLMUL=m
 CONFIG_CRYPTO_XXHASH=m
 CONFIG_CRYPTO_CRCT10DIF=y
 CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m
-CONFIG_CRYPTO_GHASH=m
+CONFIG_CRYPTO_GHASH=y
 CONFIG_CRYPTO_POLY1305=m
 CONFIG_CRYPTO_POLY1305_X86_64=m
 CONFIG_CRYPTO_MD4=m
@@ -5170,12 +5183,12 @@ CONFIG_CRYPTO_ZSTD=m
 # Random Number Generation
 #
 CONFIG_CRYPTO_ANSI_CPRNG=m
-CONFIG_CRYPTO_DRBG_MENU=m
+CONFIG_CRYPTO_DRBG_MENU=y
 CONFIG_CRYPTO_DRBG_HMAC=y
 # CONFIG_CRYPTO_DRBG_HASH is not set
 # CONFIG_CRYPTO_DRBG_CTR is not set
-CONFIG_CRYPTO_DRBG=m
-CONFIG_CRYPTO_JITTERENTROPY=m
+CONFIG_CRYPTO_DRBG=y
+CONFIG_CRYPTO_JITTERENTROPY=y
 CONFIG_CRYPTO_USER_API=m
 CONFIG_CRYPTO_USER_API_HASH=m
 CONFIG_CRYPTO_USER_API_SKCIPHER=m
@@ -5204,6 +5217,7 @@ CONFIG_CRYPTO_DEV_SP_PSP=y
 # CONFIG_CRYPTO_DEV_QAT_C62XVF is not set
 # CONFIG_CRYPTO_DEV_NITROX_CNN55XX is not set
 # CONFIG_CRYPTO_DEV_CHELSIO is not set
+# CONFIG_CRYPTO_DEV_CHELSIO_TLS is not set
 CONFIG_CRYPTO_DEV_VIRTIO=m
 # CONFIG_CRYPTO_DEV_SAFEXCEL is not set
 CONFIG_ASYMMETRIC_KEY_TYPE=y

packages/minisign/.gitignore

@@ -0,0 +1,6 @@
+minisign/
+*.deb
+*.dsc
+*.buildinfo
+*.changes
+*.git

packages/minisign/Jenkinsfile

@@ -0,0 +1,31 @@
+// Copyright (C) 2020-2021 VyOS maintainers and contributors
+//
+// This program is free software; you can redistribute it and/or modify
+// in order to easy exprort images built to "external" world
+// it under the terms of the GNU General Public License version 2 or later as
+// published by the Free Software Foundation.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+@NonCPS
+
+// Using a version specifier library, use 'current' branch. The underscore (_)
+// is not a typo! You need this underscore if the line immediately after the
+// @Library annotation is not an import statement!
+@Library('vyos-build@equuleus')_
+
+// NOTE: we can build with -d as the libbpf dependency is installed manually
+// and not via a DEB package
+def pkgList = [
+    ['name': 'minisign',
+     'scmCommit': '0.9',
+     'scmUrl': 'https://github.com/jedisct1/minisign',
+     'buildCmd': 'cd ..; ./build-minisign.sh'],
+]
+// Start package build using library function from https://github.com/vyos/vyos-build
+buildPackage('minisign', pkgList, null, "**/packages/minisign/*")

packages/minisign/build-minisign.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+CWD=$(pwd)
+set -e
+
+SRC=minisign
+
+if [ ! -d ${SRC} ]; then
+    echo "source directory does not exists, please 'git clone'"
+    exit 1
+fi
+
+# Build instructions as per https://github.com/jedisct1/minisign/blob/master/README.md
+BUILD_DIR="${SRC}/build"
+mkdir -p ${BUILD_DIR}
+cd ${BUILD_DIR}
+cmake ..
+make
+
+# install
+mkdir -p usr/bin
+cp minisign usr/bin
+
+fpm --input-type dir --output-type deb --name minisign \
+    --maintainer "VyOS Package Maintainers <maintainers@vyos.net>" \
+    --description "A dead simple tool to sign files and verify signatures." \
+    --depends libsodium23 --architecture $(dpkg --print-architecture) \
+    --version $(git describe --always) --license ISC --deb-compression gz usr
+
+cp *.deb ${CWD}
+
+# do not confuse Jenkins by providing multiple minisign deb files
+cd ${CWD}
+rm -rf ${BUILD_DIR}

packages/netfilter/Jenkinsfile

@@ -15,10 +15,10 @@
 
 @NonCPS
 
-// Using a version specifier library, use 'current' branch. The underscore (_)
+// Using a version specifier library, use 'equuleus' branch. The underscore (_)
 // is not a typo! You need this underscore if the line immediately after the
 // @Library annotation is not an import statement!
-@Library('vyos-build@current')_
+@Library('vyos-build@equuleus')_
 
 def pkgList = [
     // libnftnl

packages/ocserv/.gitignore

@@ -0,0 +1,6 @@
+ocserv/
+*.deb
+*.dsc
+*.buildinfo
+*.changes
+*.git

packages/ocserv/Jenkinsfile

@@ -0,0 +1,31 @@
+// Copyright (C) 2020 VyOS maintainers and contributors
+//
+// This program is free software; you can redistribute it and/or modify
+// in order to easy exprort images built to "external" world
+// it under the terms of the GNU General Public License version 2 or later as
+// published by the Free Software Foundation.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+@NonCPS
+
+// Using a version specifier library, use 'equuleus' branch. The underscore (_)
+// is not a typo! You need this underscore if the line immediately after the
+// @Library annotation is not an import statement!
+@Library('vyos-build@equuleus')_
+
+def pkgList = [
+    ['name': 'ocserv',
+     'scmCommit': 'debian/1.1.6-3',
+     'scmUrl': 'https://salsa.debian.org/debian/ocserv/',
+     'buildCmd': 'dpkg-buildpackage -uc -us -tc -b -d'],
+]
+
+// Start package build using library function from https://github.com/vyos/vyos-build
+buildPackage('ocserv', pkgList, null, "**/packages/ocserv/*")

packages/telegraf/.gitignore

@@ -0,0 +1 @@
+telegraf/

packages/telegraf/Jenkinsfile

@@ -0,0 +1,32 @@
+// Copyright (C) 2020-2021 VyOS maintainers and contributors
+//
+// This program is free software; you can redistribute it and/or modify
+// in order to easy exprort images built to "external" world
+// it under the terms of the GNU General Public License version 2 or later as
+// published by the Free Software Foundation.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+@NonCPS
+
+// Using a version specifier library, use 'current' branch. The underscore (_)
+// is not a typo! You need this underscore if the line immediately after the
+// @Library annotation is not an import statement!
+@Library('vyos-build@equuleus')_
+
+// NOTE: we can build with -d as the libbpf dependency is installed manually
+// and not via a DEB package
+def pkgList = [
+    ['name': 'telegraf',
+     'scmCommit': 'v1.23.1',
+     'scmUrl': 'https://github.com/influxdata/telegraf.git',
+     'buildCmd': 'cd ..; ./build.sh'],
+]
+
+// Start package build using library function from https://github.com/vyos/vyos-build
+buildPackage('telegraf', pkgList, null, "**/packages/telegraf/*")

packages/telegraf/build.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+CWD=$(pwd)
+set -e
+
+SRC=telegraf
+if [ ! -d ${SRC} ]; then
+    echo "Source directory does not exists, please 'git clone'"
+    exit 1
+fi
+
+PLUGIN_DIR=${CWD}/plugins
+
+echo "I: Selecting Input plugins"
+cp ${PLUGIN_DIR}/inputs/all/all.go ${SRC}/plugins/inputs/all/all.go
+
+echo "I: Selecting Output plugins"
+cp ${PLUGIN_DIR}/outputs/all/all.go ${SRC}/plugins/outputs/all/all.go
+
+echo "I: Build Debian amd64 package"
+cd ${SRC}
+export PATH=/opt/go/bin:$PATH
+LDFLAGS=-w make amd64.deb

packages/telegraf/plugins/inputs/all/all.go

@@ -0,0 +1,72 @@
+package all
+
+import (
+	//Blank imports for plugins to register themselves
+	_ "github.com/influxdata/telegraf/plugins/inputs/azure_storage_queue"
+	_ "github.com/influxdata/telegraf/plugins/inputs/bond"
+	_ "github.com/influxdata/telegraf/plugins/inputs/cgroup"
+	_ "github.com/influxdata/telegraf/plugins/inputs/conntrack"
+	_ "github.com/influxdata/telegraf/plugins/inputs/cpu"
+	_ "github.com/influxdata/telegraf/plugins/inputs/disk"
+	_ "github.com/influxdata/telegraf/plugins/inputs/diskio"
+	_ "github.com/influxdata/telegraf/plugins/inputs/disque"
+	_ "github.com/influxdata/telegraf/plugins/inputs/dmcache"
+	_ "github.com/influxdata/telegraf/plugins/inputs/dns_query"
+	_ "github.com/influxdata/telegraf/plugins/inputs/docker"
+	_ "github.com/influxdata/telegraf/plugins/inputs/docker_log"
+	_ "github.com/influxdata/telegraf/plugins/inputs/ethtool"
+	_ "github.com/influxdata/telegraf/plugins/inputs/exec"
+	_ "github.com/influxdata/telegraf/plugins/inputs/execd"
+	_ "github.com/influxdata/telegraf/plugins/inputs/file"
+	_ "github.com/influxdata/telegraf/plugins/inputs/filecount"
+	_ "github.com/influxdata/telegraf/plugins/inputs/filestat"
+	_ "github.com/influxdata/telegraf/plugins/inputs/fireboard"
+	_ "github.com/influxdata/telegraf/plugins/inputs/hddtemp"
+	_ "github.com/influxdata/telegraf/plugins/inputs/hugepages"
+	_ "github.com/influxdata/telegraf/plugins/inputs/influxdb"
+	_ "github.com/influxdata/telegraf/plugins/inputs/influxdb_listener"
+	_ "github.com/influxdata/telegraf/plugins/inputs/influxdb_v2_listener"
+	_ "github.com/influxdata/telegraf/plugins/inputs/intel_pmu"
+	_ "github.com/influxdata/telegraf/plugins/inputs/intel_powerstat"
+	_ "github.com/influxdata/telegraf/plugins/inputs/intel_rdt"
+	_ "github.com/influxdata/telegraf/plugins/inputs/internal"
+	_ "github.com/influxdata/telegraf/plugins/inputs/internet_speed"
+	_ "github.com/influxdata/telegraf/plugins/inputs/interrupts"
+	_ "github.com/influxdata/telegraf/plugins/inputs/ipmi_sensor"
+	_ "github.com/influxdata/telegraf/plugins/inputs/ipset"
+	_ "github.com/influxdata/telegraf/plugins/inputs/iptables"
+	_ "github.com/influxdata/telegraf/plugins/inputs/ipvs"
+	_ "github.com/influxdata/telegraf/plugins/inputs/kernel"
+	_ "github.com/influxdata/telegraf/plugins/inputs/kernel_vmstat"
+	_ "github.com/influxdata/telegraf/plugins/inputs/mdstat"
+	_ "github.com/influxdata/telegraf/plugins/inputs/mem"
+	_ "github.com/influxdata/telegraf/plugins/inputs/net"
+	_ "github.com/influxdata/telegraf/plugins/inputs/netstat"
+	_ "github.com/influxdata/telegraf/plugins/inputs/nstat"
+	_ "github.com/influxdata/telegraf/plugins/inputs/ntpq"
+	_ "github.com/influxdata/telegraf/plugins/inputs/ping"
+	_ "github.com/influxdata/telegraf/plugins/inputs/powerdns_recursor"
+	_ "github.com/influxdata/telegraf/plugins/inputs/processes"
+	_ "github.com/influxdata/telegraf/plugins/inputs/procstat"
+	_ "github.com/influxdata/telegraf/plugins/inputs/sensors"
+	_ "github.com/influxdata/telegraf/plugins/inputs/sflow"
+	_ "github.com/influxdata/telegraf/plugins/inputs/slab"
+	_ "github.com/influxdata/telegraf/plugins/inputs/smart"
+	_ "github.com/influxdata/telegraf/plugins/inputs/snmp"
+	_ "github.com/influxdata/telegraf/plugins/inputs/snmp_legacy"
+	_ "github.com/influxdata/telegraf/plugins/inputs/snmp_trap"
+	_ "github.com/influxdata/telegraf/plugins/inputs/socket_listener"
+	_ "github.com/influxdata/telegraf/plugins/inputs/socketstat"
+	_ "github.com/influxdata/telegraf/plugins/inputs/syslog"
+	_ "github.com/influxdata/telegraf/plugins/inputs/sysstat"
+	_ "github.com/influxdata/telegraf/plugins/inputs/system"
+	_ "github.com/influxdata/telegraf/plugins/inputs/systemd_units"
+	_ "github.com/influxdata/telegraf/plugins/inputs/tail"
+	_ "github.com/influxdata/telegraf/plugins/inputs/tcp_listener"
+	_ "github.com/influxdata/telegraf/plugins/inputs/temp"
+	_ "github.com/influxdata/telegraf/plugins/inputs/twemproxy"
+	_ "github.com/influxdata/telegraf/plugins/inputs/udp_listener"
+	_ "github.com/influxdata/telegraf/plugins/inputs/wireguard"
+	_ "github.com/influxdata/telegraf/plugins/inputs/wireless"
+	_ "github.com/influxdata/telegraf/plugins/inputs/x509_cert"
+)

packages/telegraf/plugins/outputs/all/all.go

@@ -0,0 +1,9 @@
+package all
+
+import (
+	//Blank imports for plugins to register themselves
+	_ "github.com/influxdata/telegraf/plugins/outputs/azure_data_explorer"
+	_ "github.com/influxdata/telegraf/plugins/outputs/http"
+	_ "github.com/influxdata/telegraf/plugins/outputs/influxdb_v2"
+	_ "github.com/influxdata/telegraf/plugins/outputs/prometheus_client"
+)

packages/wide-dhcpv6/.gitignore

@@ -0,0 +1,6 @@
+wide-dhcpv6/
+*.deb
+*.dsc
+*.buildinfo
+*.changes
+*.git

packages/wide-dhcpv6/Jenkinsfile

@@ -0,0 +1,30 @@
+// Copyright (C) 2020-2021 VyOS maintainers and contributors
+//
+// This program is free software; you can redistribute it and/or modify
+// in order to easy exprort images built to "external" world
+// it under the terms of the GNU General Public License version 2 or later as
+// published by the Free Software Foundation.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+@NonCPS
+
+// Using a version specifier library, use 'current' branch. The underscore (_)
+// is not a typo! You need this underscore if the line immediately after the
+// @Library annotation is not an import statement!
+@Library('vyos-build@equuleus')_
+
+def pkgList = [
+    ['name': 'wide-dhcpv6',
+     'scmCommit': 'debian/20080615-23',
+     'scmUrl': 'https://salsa.debian.org/debian/wide-dhcpv6',
+     'buildCmd': '''cd ..; ./build-wide.sh'''],
+]
+
+// Start package build using library function from https://github.com/vyos/vyos-build
+buildPackage('wide-dhcpv6', pkgList, null, "**/packages/wide-dhcpv6/*")

packages/wide-dhcpv6/build-wide.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+CWD=$(pwd)
+set -e
+
+WIDE_SRC=wide-dhcpv6
+
+if [ ! -d ${WIDE_SRC} ]; then
+    echo "Source directory does not exists, please 'git clone'"
+    exit 1
+fi
+
+
+PATCH_DIR=${CWD}/patches
+if [ -d $PATCH_DIR ]; then
+    for patch in $(ls ${PATCH_DIR})
+    do
+        echo "I: Apply patch: ${patch} to main repository"
+        cp ${PATCH_DIR}/${patch} ${WIDE_SRC}/debian/patches/
+        echo ${patch} >> ${WIDE_SRC}/debian/patches/series
+    done
+fi
+
+cd ${WIDE_SRC}
+echo "I: Build Debian Package"
+dpkg-buildpackage -uc -us -tc -b

packages/wide-dhcpv6/patches/0023-dhcpc6-support-per-interface-client-DUIDs.patch

@@ -0,0 +1,230 @@
+From 1e4a9a7b61090043924f2aa9359dcbc9f5e11bfc Mon Sep 17 00:00:00 2001
+From: Brandon Stepler <brandon@stepler.net>
+Date: Mon, 25 Jan 2021 14:18:57 +0000
+Subject: [PATCH] dhcpc6: support per-interface client DUIDs
+
+---
+ cfparse.y     | 13 +++++++++++--
+ cftoken.l     | 10 ++++++++++
+ config.c      | 27 +++++++++++++++++++++++++++
+ config.h      |  3 ++-
+ dhcp6c.c      | 11 ++++++++---
+ dhcp6c.conf.5 |  6 ++++++
+ 6 files changed, 64 insertions(+), 6 deletions(-)
+
+diff --git a/cfparse.y b/cfparse.y
+index 9e685f4..244987c 100644
+--- a/cfparse.y
++++ b/cfparse.y
+@@ -116,6 +116,7 @@ static void cleanup_cflist __P((struct cf_list *));
+ %token BCMCS_SERVERS BCMCS_NAME
+ %token INFO_ONLY
+ %token SCRIPT DELAYEDKEY
++%token CLIENT_ID CLIENT_ID_DUID
+ %token AUTHENTICATION PROTOCOL ALGORITHM DELAYED RECONFIG HMACMD5 MONOCOUNTER
+ %token AUTHNAME RDM KEY
+ %token KEYINFO REALM KEYID SECRET KEYNAME EXPIRE
+@@ -134,8 +135,8 @@ static void cleanup_cflist __P((struct cf_list *));
+ 	struct dhcp6_poolspec *pool;
+ }
+ 
+-%type <str> IFNAME HOSTNAME AUTHNAME KEYNAME DUID_ID STRING QSTRING IAID
+-%type <str> POOLNAME PROFILENAME
++%type <str> IFNAME HOSTNAME CLIENT_ID_DUID AUTHNAME KEYNAME DUID_ID
++%type <str> STRING QSTRING IAID POOLNAME PROFILENAME
+ %type <num> NUMBER duration authproto authalg authrdm
+ %type <list> declaration declarations dhcpoption ifparam ifparams
+ %type <list> address_list address_list_ent dhcpoption_list
+@@ -639,6 +640,14 @@ dhcpoption:
+ 			/* no value */
+ 			$$ = l;
+ 		}
++	|	CLIENT_ID CLIENT_ID_DUID
++		{
++			struct cf_list *l;
++
++			MAKE_CFLIST(l, DHCPOPT_CLIENT_ID, NULL, NULL);
++			l->ptr = $2;
++			$$ = l;
++		}
+ 	|	AUTHENTICATION AUTHNAME
+ 		{
+ 			struct cf_list *l;
+diff --git a/cftoken.l b/cftoken.l
+index e266ac2..d7edd1f 100644
+--- a/cftoken.l
++++ b/cftoken.l
+@@ -119,6 +119,7 @@ ecl		\}
+ %s S_HOST
+ %s S_DUID
+ %s S_IA
++%s S_CID
+ %s S_AUTH
+ %s S_KEY
+ %s S_SECRET
+@@ -249,6 +250,15 @@ ecl		\}
+ 	/* duration */
+ <S_CNF>infinity { DECHO; return (INFINITY); }
+ 
++	/* client-id option */
++<S_CNF>client-id { DECHO; BEGIN S_CID; return (CLIENT_ID); }
++<S_CID>{duid} {
++	DECHO;
++	yylval.str = strdup(yytext);
++	BEGIN S_CNF;
++	return (CLIENT_ID_DUID);
++}
++
+ 	/* authentication option */
+ <S_CNF>authentication { DECHO; BEGIN S_AUTH; return (AUTHENTICATION); }
+ <S_AUTH>{string} {
+diff --git a/config.c b/config.c
+index 70f6287..0cbe631 100644
+--- a/config.c
++++ b/config.c
+@@ -100,6 +100,7 @@ struct dhcp6_ifconf {
+ 	struct dhcp6_ifconf *next;
+ 
+ 	char *ifname;
++	struct duid duid;
+ 
+ 	/* configuration flags */
+ 	u_long send_flags;
+@@ -1366,6 +1367,7 @@ configure_commit()
+ 	/* commit interface configuration */
+ 	for (ifp = dhcp6_if; ifp; ifp = ifp->next) {
+ 		/* re-initialization */
++		duidfree(&ifp->duid);
+ 		ifp->send_flags = 0;
+ 		ifp->allow_flags = 0;
+ 		dhcp6_clear_list(&ifp->reqopt_list);
+@@ -1395,6 +1397,8 @@ configure_commit()
+ 		}
+ 
+ 		/* copy new configuration */
++		ifp->duid = ifc->duid;
++		ifc->duid.duid_id = NULL;
+ 		ifp->send_flags = ifc->send_flags;
+ 		ifp->allow_flags = ifc->allow_flags;
+ 		dhcp6_copy_list(&ifp->reqopt_list, &ifc->reqopt_list);
+@@ -1505,6 +1509,7 @@ clear_ifconf(iflist)
+ 		ifc_next = ifc->next;
+ 
+ 		free(ifc->ifname);
++		duidfree(&ifc->duid);
+ 		dhcp6_clear_list(&ifc->reqopt_list);
+ 
+ 		clear_iaconf(&ifc->iaconf_list);
+@@ -1635,6 +1640,28 @@ add_options(opcode, ifc, cfl0)
+ 				return (-1);
+ 			}
+ 			break;
++		case DHCPOPT_CLIENT_ID:
++			if (opcode != DHCPOPTCODE_SEND) {
++				debug_printf(LOG_ERR, FNAME,
++				    "invalid operation (%d) "
++				    "for option type (%d)",
++				    opcode, cfl->type);
++				return (-1);
++			}
++			if (ifc->duid.duid_id != NULL) {
++				debug_printf(LOG_ERR, FNAME, "%s:%d "
++				    "client-id is doubly specified on %s",
++				    configfilename, cfl->line, ifc->ifname);
++				return (-1);
++			}
++			if ((configure_duid((char *)cfl->ptr,
++					    &ifc->duid)) != 0) {
++				debug_printf(LOG_ERR, FNAME, "%s:%d "
++				    "failed to configure DUID for %s",
++				    configfilename, cfl->line, ifc->ifname);
++				return (-1);
++			}
++			break;			
+ 		case DHCPOPT_AUTHINFO:
+ 			if (opcode != DHCPOPTCODE_SEND) {
+ 				debug_printf(LOG_ERR, FNAME,
+diff --git a/config.h b/config.h
+index 36a5aa3..cfcfdd5 100644
+--- a/config.h
++++ b/config.h
+@@ -69,6 +69,7 @@ struct dhcp6_if {
+ 	u_int32_t linkid;	/* to send link-local packets */
+ 	/* multiple global address configuration is not supported now */
+ 	struct in6_addr addr; 	/* global address */
++	struct duid duid;
+ 
+ 	/* configuration parameters */
+ 	u_long send_flags;
+@@ -267,7 +268,7 @@ enum { DECL_SEND, DECL_ALLOW, DECL_INFO_ONLY, DECL_REQUEST, DECL_DUID,
+        DECL_ADDRESS,
+        DECL_RANGE, DECL_ADDRESSPOOL,
+        IFPARAM_SLA_ID, IFPARAM_SLA_LEN, IFPARAM_IFID, IFPARAM_IFID_RAND,
+-       DHCPOPT_RAPID_COMMIT, DHCPOPT_AUTHINFO,
++       DHCPOPT_RAPID_COMMIT, DHCPOPT_CLIENT_ID, DHCPOPT_AUTHINFO,
+        DHCPOPT_DNS, DHCPOPT_DNSNAME,
+        DHCPOPT_IA_PD, DHCPOPT_IA_NA, DHCPOPT_NTP,
+        DHCPOPT_REFRESHTIME,
+diff --git a/dhcp6c.c b/dhcp6c.c
+index 849835e..875a147 100644
+--- a/dhcp6c.c
++++ b/dhcp6c.c
+@@ -433,6 +433,11 @@ client6_start(ifp)
+ 	}
+ 	dhcp6_reset_timer(ev);
+ 
++	if (!ifp->duid.duid_id && duidcpy(&ifp->duid, &client_duid)) {
++		debug_printf(LOG_ERR, FNAME, "failed to copy client DUID");
++		return (-1);
++	}	
++
+ 	return (0);
+ }
+ 
+@@ -1249,7 +1254,7 @@ client6_send(ev)
+ 	}
+ 
+ 	/* client ID */
+-	if (duidcpy(&optinfo.clientID, &client_duid)) {
++	if (duidcpy(&optinfo.clientID, &ifp->duid)) {
+ 		debug_printf(LOG_ERR, FNAME, "failed to copy client ID");
+ 		goto end;
+ 	}
+@@ -1533,7 +1538,7 @@ client6_recvadvert(ifp, dh6, len, optinfo)
+ 		debug_printf(LOG_INFO, FNAME, "no client ID option");
+ 		return (-1);
+ 	}
+-	if (duidcmp(&optinfo->clientID, &client_duid)) {
++	if (duidcmp(&optinfo->clientID, &ifp->duid)) {
+ 		debug_printf(LOG_INFO, FNAME, "client DUID mismatch");
+ 		return (-1);
+ 	}
+@@ -1805,7 +1810,7 @@ client6_recvreply(ifp, dh6, len, optinfo)
+ 		debug_printf(LOG_INFO, FNAME, "no client ID option");
+ 		return (-1);
+ 	}
+-	if (duidcmp(&optinfo->clientID, &client_duid)) {
++	if (duidcmp(&optinfo->clientID, &ifp->duid)) {
+ 		debug_printf(LOG_INFO, FNAME, "client DUID mismatch");
+ 		return (-1);
+ 	}
+diff --git a/dhcp6c.conf.5 b/dhcp6c.conf.5
+index 5693fb8..589510a 100644
+--- a/dhcp6c.conf.5
++++ b/dhcp6c.conf.5
+@@ -139,6 +139,12 @@ An
+ statement for
+ .Ar authname
+ must be provided.
++.It Ic client-id Ar ID
++means the client's DHCP unique identifier
++.Pq DUID .
++.Ar ID
++is a colon-separated hexadecimal sequence where each separated part
++must be composed of two hexadecimal values.
+ .El
+ .\"
+ .Sh Interface statement
+-- 
+2.20.1
+

packages/wide-dhcpv6/patches/0024-bind-to-single-socket.patch

@@ -0,0 +1,17 @@
+diff --git a/dhcp6c.c b/dhcp6c.c
+index 1caaaa5..04ce9c5 100644
+--- a/dhcp6c.c
++++ b/dhcp6c.c
+@@ -217,6 +217,12 @@ main(argc, argv)
+ 			    argv[0]);
+ 			exit(1);
+ 		}
++
++        if (setsockopt(sock, SOL_SOCKET, SO_BINDTODEVICE, argv[0], strlen(argv[0])) != 0) {
++            debug_printf(LOG_ERR, FNAME, "failed to bind %s", argv[0]);
++            exit(1);
++        }
++
+ 		argv++;
+ 	}
+ 

scripts/build-qemu-image

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2016 VyOS maintainers and contributors
+# Copyright (C) 2016-2021 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -31,3 +31,4 @@ export PACKER_LOG=1
 mkdir -p "${PACKER_BUILD_DIR}"
 
 packer build -only=qemu-image scripts/packer.json
+cp "${PACKER_BUILD_DIR}/qemu/vyos_qemu_image.img" "$BUILD_DIR/vyos-$VERSION-$BUILD_ARCH.qcow2"

scripts/check-qemu-install

@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2019, VyOS maintainers and contributors
+# Copyright (C) 2019-2021, VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -42,8 +42,10 @@ import random
 import traceback
 import logging
 import re
+import json
 
-from io import BytesIO, StringIO
+from io import BytesIO
+from io import StringIO
 from datetime import datetime
 
 EXCEPTION = 0
@@ -51,32 +53,31 @@ now = datetime.now()
 
 parser = argparse.ArgumentParser(description='Install and start a test VyOS vm.')
 parser.add_argument('iso', help='ISO file to install')
-parser.add_argument('disk', help='name of disk image file',
-                            nargs='?',
+parser.add_argument('disk', help='name of disk image file', nargs='?',
                             default='testinstall-{}-{}.img'.format(now.strftime('%Y%m%d-%H%M%S'),
                                                                    "%04x" % random.randint(0,65535)))
 parser.add_argument('--keep', help='Do not remove disk-image after installation',
-                              action='store_true',
-                              default=False)
+                              action='store_true', default=False)
 parser.add_argument('--silent', help='Do not show output on stdout unless an error has occured',
-                              action='store_true',
-                              default=False)
+                              action='store_true', default=False)
 parser.add_argument('--debug', help='Send all debug output to stdout',
-                               action='store_true',
-                               default=False)
+                               action='store_true', default=False)
 parser.add_argument('--logfile', help='Log to file')
-parser.add_argument('--no-kvm', help='Disable use of kvm',
-				action='store_true',
-				default=False)
-parser.add_argument('--configd', help='Execute testsuite with config daemon',
-				action='store_true',
+parser.add_argument('--uefi', help='Boot using UEFI', action='store_true', default=False)
+parser.add_argument('--raid', help='Perform a RAID-1 install', action='store_true', default=False)
+parser.add_argument('--no-kvm', help='Disable use of kvm', action='store_true', default=False)
+parser.add_argument('--configd', help='Execute testsuite with config daemon', action='store_true',
 				default=False)
+parser.add_argument('--no-interfaces', help='Execute testsuite without interface tests to save time',
+                action='store_true', default=False)
 parser.add_argument('--configtest', help='Execute load/commit config tests',
-				action='store_true',
-				default=False)
+				action='store_true', default=False)
 
 args = parser.parse_args()
 
+with open('data/defaults.json') as f:
+    vyos_defaults = json.load(f)
+
 class StreamToLogger(object):
     """
     Fake file-like stream object that redirects writes to a logger instance.
@@ -108,37 +109,96 @@ def get_half_cpus():
         cpu /= 2
     return int(cpu)
 
-def get_qemu_cmd(name, enable_kvm, disk_img, iso_img=None):
-    kvm = ""
+def get_qemu_cmd(name, enable_kvm, enable_uefi, disk_img, raid=None, iso_img=None):
+    kvm = "-enable-kvm"
     cpu = "-cpu host"
     if not enable_kvm:
         kvm = "--no-kvm"
         cpu = ""
 
+    uefi = ""
+    uuid = "f48b60b2-e6ad-49ef-9d09-4245d0585e52"
+    if enable_uefi:
+        uefi = '-bios /usr/share/OVMF/OVMF_CODE.fd'
+        name = f'{name}-UEFI'
+        uuid = 'd27cf29e-4419-4407-8f82-dc73d1acd184'
+
+    bootindex = '1'
     cdrom = ""
     if iso_img:
-        cdrom = "-boot d -cdrom {}".format(iso_img)
+        cdrom = f' -boot d' \
+                f' -drive file={iso_img},format=raw,if=none,media=cdrom,id=drive-cd1,readonly=on' \
+                f' -device ahci,id=achi0' \
+                f' -device ide-cd,bus=achi0.0,drive=drive-cd1,id=cd1,bootindex={bootindex}'
+
+        # Set regular harddisk bootindex to 2 as we boot from a CDROM drive
+        bootindex = '2'
 
     # test using half of the available CPUs on the system
     cpucount = get_half_cpus()
 
+    macbase = '52:54:00:00:00'
     cmd = f'qemu-system-x86_64 \
         -name "{name}" \
-        -smp {cpucount} \
-        -m 2G \
-        -nic user,model=virtio,mac=52:54:99:12:34:56 \
-        -nic user,model=virtio,mac=52:54:99:12:34:57 \
-        -nic user,model=virtio,mac=52:54:99:12:34:58 \
-        -nic user,model=virtio,mac=52:54:99:12:34:59 \
-        -machine accel=kvm \
+        -smp sockets=1,cpus={cpucount},cores=1 \
+        -cpu host \
+        {uefi} \
+        -m 1G \
+        -vga none \
         -nographic \
+        -machine accel=kvm \
+        -uuid {uuid} \
         {cpu} \
         {cdrom} \
         {kvm} \
-        -drive format=raw,file={disk_img}'
+        -netdev user,id=n0 -device virtio-net-pci,netdev=n0,mac={macbase}:00,romfile="" \
+        -netdev user,id=n1 -device virtio-net-pci,netdev=n1,mac={macbase}:01,romfile="" \
+        -netdev user,id=n2 -device virtio-net-pci,netdev=n2,mac={macbase}:02,romfile="" \
+        -netdev user,id=n3 -device virtio-net-pci,netdev=n3,mac={macbase}:03,romfile="" \
+        -netdev user,id=n4 -device virtio-net-pci,netdev=n4,mac={macbase}:04,romfile="" \
+        -netdev user,id=n5 -device virtio-net-pci,netdev=n5,mac={macbase}:05,romfile="" \
+        -netdev user,id=n6 -device virtio-net-pci,netdev=n6,mac={macbase}:06,romfile="" \
+        -netdev user,id=n7 -device virtio-net-pci,netdev=n7,mac={macbase}:07,romfile="" \
+        -device virtio-scsi-pci,id=scsi0 \
+        -drive format=raw,file={disk_img},if=none,media=disk,id=drive-hd1,readonly=off \
+        -device scsi-hd,bus=scsi0.0,drive=drive-hd1,id=hd1,bootindex={bootindex}'
+
+    # dynamically increment bootindex - required for RAID system
+    bootindex = str(int(bootindex) + 1)
+    if raid:
+        cmd += f' -drive format=raw,file={raid},if=none,media=disk,id=drive-hd2,readonly=off' \
+               f' -device scsi-hd,bus=scsi0.0,drive=drive-hd2,id=hd2,bootindex={bootindex}'
 
     return cmd
 
+def shutdownVM(c, log, message=''):
+    #################################################
+    # Powering off system
+    #################################################
+    if message:
+        log.info(message)
+
+    c.sendline('poweroff now')
+    log.info('Shutting down virtual machine')
+    for i in range(30):
+        log.info('Waiting for shutdown...')
+        if not c.isalive():
+            log.info('VM is shut down!')
+            break
+        time.sleep(10)
+    else:
+        tmp = 'VM Did not shut down after 300sec'
+        log.error(tmp)
+        raise Exception(tmp)
+
+def loginVM(c, log):
+    log.info('Waiting for login prompt')
+    c.expect('[Ll]ogin:', timeout=600)
+    c.sendline(default_user)
+    c.expect('[Pp]assword:')
+    c.sendline(default_password)
+    c.expect(op_mode_prompt)
+    log.info('Logged in!')
 
 # Setting up logger
 log = logging.getLogger()
@@ -170,107 +230,120 @@ else:
     output = sys.stdout.buffer
 
 if not os.path.isfile(args.iso):
-    log.error("Unable to find iso image to install")
+    log.error('Unable to find iso image to install')
     sys.exit(1)
 
 if args.no_kvm:
-    log.error("KVM forced off by command line")
+    log.error('KVM forced off by command line')
     kvm=False
-elif not os.path.exists("/dev/kvm"):
-    log.error("KVM is not enabled on host, proceeding with software emulation")
+elif not os.path.exists('/dev/kvm'):
+    log.error('KVM not enabled on host, proceeding with software emulation')
     kvm=False
 else:
     kvm=True
 
 # Creating diskimage!!
-if not os.path.isfile(args.disk):
-    log.info("Creating Disk image {}".format(args.disk))
-    c = subprocess.check_output(["qemu-img", "create", args.disk, "2G"])
-    log.debug(c.decode())
-else:
-    log.info("Diskimage already exists, using the existing one")
+diskname_raid = None
+def gen_disk(name):
+    if not os.path.isfile(name):
+        log.info(f'Creating Disk image {name}')
+        c = subprocess.check_output(['qemu-img', 'create', name, '2G'])
+        log.debug(c.decode())
+    else:
+        log.info(f'Diskimage "{name}" already exists, using the existing one.')
 
+if args.raid:
+    filename, ext = os.path.splitext(args.disk)
+    diskname_raid = f'{filename}_disk1{ext}'
+    # change primary diskname, too
+    args.disk = f'{filename}_disk0{ext}'
+    gen_disk(diskname_raid)
+
+# must be called after the raid disk as args.disk name is altered in the RAID path
+gen_disk(args.disk)
+
+test_timeout = 3 *3600 # 3 hours (in seconds)
 try:
     #################################################
     # Installing image to disk
     #################################################
-    log.info("Installing system")
-    cmd = get_qemu_cmd("TESTVM", kvm, args.disk, args.iso)
-    log.debug("Executing command: {}".format(cmd))
-    c = pexpect.spawn(cmd, logfile=stl)
+    log.info('Installing system')
+    cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid, args.iso)
+    log.debug(f'Executing command: {cmd}')
+    c = pexpect.spawn(cmd, logfile=stl, timeout=60)
 
     #################################################
     # Logging into VyOS system
     #################################################
+    op_mode_prompt = r'vyos@vyos:~\$'
+    cfg_mode_prompt = r'vyos@vyos#'
+    default_user = 'vyos'
+    default_password = 'vyos'
+
     try:
         c.expect('Automatic boot in', timeout=10)
         c.sendline('')
     except pexpect.TIMEOUT:
-        log.warning("Did not find grub countdown window, ignoring")
+        log.warning('Did not find GRUB countdown window, ignoring')
 
-    log.info('Waiting for login prompt')
-    c.expect('[Ll]ogin:', timeout=300)
-    c.sendline('vyos')
-    c.expect('[Pp]assword:', timeout=10)
-    c.sendline('vyos')
-    c.expect(r'vyos@vyos:~\$')
-    log.info('Logged in!')
+    loginVM(c, log)
 
     #################################################
     # Installing into VyOS system
     #################################################
-    log.info("Starting installer")
+    log.info('Starting installer')
     c.sendline('install image')
     c.expect('\nWould you like to continue?.*:')
     c.sendline('yes')
-    log.info("Partitioning disk")
-    c.expect('\nPartition.*:')
-    c.sendline('')
-    c.expect('\nInstall the image on.*:')
-    c.sendline('')
-    c.expect(r'\nContinue\?.*:')
-    c.sendline('Yes')
-    c.expect('\nHow big of a root partition should I create?.*:')
-    c.sendline('')
-    log.info('Disk partitioned, installing')
-    c.expect('\nWhat would you like to name this image?.*:')
+
+    if args.raid:
+        c.expect('\nWould you like to configure RAID-1 mirroring on them?.*:')
+        c.sendline('yes')
+        # Erase all data on disks
+        c.expect('\nAre you sure you want to do this?.*:')
+        c.sendline('yes')
+    else:
+        log.info('Partitioning disk')
+        c.expect('\nPartition.*:')
+        c.sendline('')
+        c.expect('\nInstall the image on.*:')
+        c.sendline('')
+        c.expect(r'\nContinue\?.*:')
+        c.sendline('Yes')
+        c.expect('\nHow big of a root partition should I create?.*:')
+        c.sendline('')
+
+    log.info('Disk(s) partitioned, installing...')
+    c.expect('\nWhat would you like to name this image?.*:', timeout=600)
     c.sendline('')
     log.info('Copying files')
-    c.expect('\nWhich one should I copy to.*:', timeout=300)
+    c.expect('\nWhich one should I copy to.*:', timeout=600)
     c.sendline('')
     log.info('Files Copied!')
     c.expect('\nEnter password for user.*:')
-    c.sendline('vyos')
+    c.sendline(default_user)
     c.expect('\nRetype password for user.*:')
-    c.sendline('vyos')
-    c.expect('\nWhich drive should GRUB modify the boot partition on.*:')
-    c.sendline('')
-    c.expect(r'\nvyos@vyos:~\$')
+    c.sendline(default_password)
+
+    if not args.raid:
+        c.expect('\nWhich drive should GRUB modify the boot partition on.*:')
+        c.sendline('')
+        c.expect(op_mode_prompt)
+
     log.info('system installed, shutting down')
 
     #################################################
     # Powering down installer
     #################################################
-    log.info("Shutting down installation system")
-    c.sendline('poweroff')
-    c.expect(r'\nAre you sure you want to poweroff this system.*\]')
-    c.sendline('Y')
-    for i in range(30):
-        log.info("Waiting for shutdown...")
-        if not c.isalive():
-            log.info("VM is shut down!")
-            break
-        time.sleep(10)
-    else:
-        log.error("VM Did not shut down after 300sec, killing")
+    shutdownVM(c, log, 'Shutting down installation system')
     c.close()
 
     #################################################
     # Booting installed system
     #################################################
-    log.info("Booting installed system")
-    cmd = get_qemu_cmd("TESTVM", kvm, args.disk)
-    log.debug('Executing command: {}'.format(cmd))
+    log.info('Booting installed system')
+    cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid)
+    log.debug(f'Executing command: {cmd}')
     c = pexpect.spawn(cmd, logfile=stl)
 
     #################################################
@@ -280,133 +353,230 @@ try:
         c.expect('The highlighted entry will be executed automatically in', timeout=10)
         c.sendline('')
     except pexpect.TIMEOUT:
-        log.warning("Did not find grub countdown window, ignoring")
+        log.warning('Did not find GRUB countdown window, ignoring')
 
-    log.info('Waiting for login prompt')
-    c.expect('[Ll]ogin:', timeout=300)
-    c.sendline('vyos')
-    c.expect('[Pp]assword:', timeout=10)
-    c.sendline('vyos')
-    c.expect(r'vyos@vyos:~\$')
-    log.info('Logged in!')
-
-    # additional settling time
-    time.sleep(20)
+    loginVM(c, log)
 
     ################################################
     # Always load the WiFi simulation module
     ################################################
     c.sendline('sudo modprobe mac80211_hwsim')
-    c.expect(r'vyos@vyos:~\$')
+    c.expect(op_mode_prompt)
 
     #################################################
     # Start/stop config daemon
     #################################################
     if args.configd:
         c.sendline('sudo systemctl start vyos-configd.service &> /dev/null')
-        c.expect(r'vyos@vyos:~\$')
     else:
         c.sendline('sudo systemctl stop vyos-configd.service &> /dev/null')
-        c.expect(r'vyos@vyos:~\$')
+    c.expect(op_mode_prompt)
 
     #################################################
     # Basic Configmode/Opmode switch
     #################################################
-    log.info("Basic CLI configuration mode test")
+    log.info('Basic CLI configuration mode test')
     c.sendline('configure')
-    c.expect(r'vyos@vyos#')
-    c.sendline('run show version')
+    c.expect(cfg_mode_prompt)
     c.sendline('exit')
-    c.expect(r'vyos@vyos:~\$')
+    c.expect(op_mode_prompt)
+    c.sendline('show version')
+    c.expect(op_mode_prompt)
+    c.sendline('show version kernel')
+    c.expect(f'{vyos_defaults["kernel_version"]}-{vyos_defaults["kernel_flavor"]}')
+    c.expect(op_mode_prompt)
+    c.sendline('show version frr')
+    c.expect(op_mode_prompt)
+    c.sendline('show interfaces')
+    c.expect(op_mode_prompt)
 
     #################################################
     # Executing test-suite
     #################################################
-    log.info("Executing test-suite ")
+    if args.raid:
+        # Verify RAID subsystem - by deleting a disk and re-create the array
+        # from scratch
+        c.sendline('cat /proc/mdstat')
+        c.expect(op_mode_prompt)
 
-    # run default smoketest suite
-    if not args.configtest:
+        shutdownVM(c, log, f'Shutdown VM and start with empty RAID member "{args.disk}"')
+
+        if os.path.exists(args.disk):
+            os.unlink(args.disk)
+
+        gen_disk(args.disk)
+
+        #################################################
+        # Booting RAID-1 system with one missing disk
+        #################################################
+        log.info('Booting RAID-1 system')
+        cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid)
+
+        # We need to swap boot indexes to boot from second harddisk so we can
+        # recreate the RAID on the first disk
+        cmd = cmd.replace('bootindex=1', 'bootindex=X')
+        cmd = cmd.replace('bootindex=2', 'bootindex=1')
+        cmd = cmd.replace('bootindex=X', 'bootindex=2')
+
+        log.debug(f'Executing command: {cmd}')
+        c = pexpect.spawn(cmd, logfile=stl)
+
+
+        #################################################
+        # Logging into VyOS system
+        #################################################
+        try:
+            c.expect('The highlighted entry will be executed automatically in', timeout=10)
+            c.sendline('')
+        except pexpect.TIMEOUT:
+            log.warning('Did not find GRUB countdown window, ignoring')
+
+        loginVM(c, log)
+
+        c.sendline('cat /proc/mdstat')
+        c.expect(op_mode_prompt)
+
+        log.info('Re-format new RAID member')
+        c.sendline('format disk sda like sdb')
+        c.sendline('yes')
+        c.expect(op_mode_prompt)
+
+        log.info('Add member to RAID1 (md0)')
+        c.sendline('add raid md0 member sda1')
+        c.expect(op_mode_prompt)
+
+        log.info('Now we need to wait for re-sync to complete')
+
+        start_time = time.time()
+        timeout = 60
+        while True:
+            if (start_time + timeout) < time.time():
+                break
+            c.sendline('cat /proc/mdstat')
+            c.expect(op_mode_prompt)
+            time.sleep(20)
+
+        # Reboot system with new primary RAID1 disk
+        shutdownVM(c, log, f'Shutdown VM and start from recovered RAID member "{args.disk}"')
+
+        log.info('Booting RAID-1 system')
+        cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid)
+        log.debug(f'Executing command: {cmd}')
+        c = pexpect.spawn(cmd, logfile=stl)
+
+        loginVM(c, log)
+
+        c.sendline('cat /proc/mdstat')
+        c.expect(op_mode_prompt)
+
+    elif not args.configtest:
+        # run default smoketest suite
+        if args.no_interfaces:
+            # remove interface tests as they consume a lot of time
+            c.sendline('sudo rm -f /usr/libexec/vyos/tests/smoke/cli/test_interfaces_*')
+            c.expect(op_mode_prompt)
+
+        log.info('Executing VyOS smoketests')
         c.sendline('/usr/bin/vyos-smoketest')
-        i = c.expect(['\n +Invalid command:',
-                          '\n +Set failed',
-                          'No such file or directory',
-                          r'\n\S+@\S+[$#]'], timeout=3600)
+        i = c.expect(['\n +Invalid command:', '\n +Set failed',
+                      'No such file or directory', r'\n\S+@\S+[$#]'], timeout=test_timeout)
 
-        if i==0:
+        if i == 0:
             raise Exception('Invalid command detected')
-        elif i==1:
+        elif i == 1:
             raise Exception('Set syntax failed :/')
-        elif i==2:
-            log.error("Did not find VyOS smoketest, this should be an exception")
-            raise Exception("WTF? did not find VyOS smoketest, this should be an exception")
+        elif i == 2:
+            tmp = '(W)hy (T)he (F)ace? VyOS smoketest not found!'
+            log.error(tmp)
+            raise Exception(tmp)
 
         c.sendline('echo EXITCODE:$\x16?')
-        i = c.expect(['EXITCODE:0', 'EXITCODE:\d+'], timeout=10)
-        if i==0:
+        i = c.expect(['EXITCODE:0', 'EXITCODE:\d+'])
+        if i == 0:
             log.info('Smoketest finished successfully!')
             pass
-        if i==1:
+        elif i == 1:
             log.error('Smoketest failed :/')
             raise Exception("Smoketest-failed, please look into debug output")
 
-        #log.info("Smoke test status")
-        #data = c.before.decode()
-
     # else, run configtest suite
     else:
-        log.info("Executing load config tests")
+        log.info('Adding a legacy WireGuard default keypair for migrations')
+        c.sendline('sudo mkdir -p /config/auth/wireguard/default')
+        c.expect(op_mode_prompt)
+        c.sendline('echo "aGx+fvW916Ej7QRnBbW3QMoldhNv1u95/WHz45zDmF0=" | sudo tee /config/auth/wireguard/default/private.key')
+        c.expect(op_mode_prompt)
+        c.sendline('echo "x39C77eavJNpvYbNzPSG3n1D68rHYei6q3AEBEyL1z8=" | sudo tee /config/auth/wireguard/default/public.key')
+        c.expect(op_mode_prompt)
+
+        log.info('Generating some OpenVPN keys')
+        subject = '/C=DE/ST=BY/O=VyOS/localityName=Cloud/commonName=vyos/' \
+                  'organizationalUnitName=VyOS/emailAddress=maintainers@vyos.io/'
+        ca_cert  = '/config/auth/ovpn_test_ca.pem'
+        ssl_cert = '/config/auth/ovpn_test_server.pem'
+        ssl_key  = '/config/auth/ovpn_test_server.key'
+        dh_pem   = '/config/auth/ovpn_test_dh.pem'
+        s2s_key  = '/config/auth/ovpn_test_site2site.key'
+        auth_key = '/config/auth/ovpn_test_tls_auth.key'
+
+        c.sendline(f'openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 '\
+                   f'-keyout {ssl_key} -out {ssl_cert} -subj {subject}')
+        c.expect(op_mode_prompt, timeout=600)
+        c.sendline(f'openssl req -new -x509 -key {ssl_key} -out {ca_cert} -subj {subject}')
+        c.expect(op_mode_prompt, timeout=600)
+        c.sendline(f'openssl dhparam -out {dh_pem} 2048')
+        c.expect(op_mode_prompt, timeout=600)
+        c.sendline(f'openvpn --genkey secret {s2s_key}')
+        c.expect(op_mode_prompt)
+        c.sendline(f'openvpn --genkey secret {auth_key}')
+        c.expect(op_mode_prompt)
+
+        script_file = '/config/scripts/vyos-foo-update.script'
+        c.sendline(f'echo "#!/bin/sh" > {script_file}; chmod 775 {script_file}')
+        c.expect(op_mode_prompt)
+
+        for file in [ca_cert, ssl_cert, ssl_key, dh_pem, s2s_key, auth_key]:
+            c.sendline(f'sudo chown openvpn:openvpn {file}')
+            c.expect(op_mode_prompt)
+
+        log.info('Executing load config tests')
         c.sendline('/usr/bin/vyos-configtest')
-        i = c.expect(['\n +Invalid command:',
-                          'No such file or directory',
-                          r'\n\S+@\S+[$#]'], timeout=3600)
+        i = c.expect(['\n +Invalid command:', 'No such file or directory',
+                     r'\n\S+@\S+[$#]'], timeout=test_timeout)
 
         if i==0:
             raise Exception('Invalid command detected')
         elif i==1:
-            log.error("Did not find VyOS configtest, this should be an exception")
-            raise Exception("WTF? did not find VyOS configtest, this should be an exception")
+            tmp = '(W)hy (T)he (F)ace? VyOS smoketest not found!'
+            log.error(tmp)
+            raise Exception(tmp)
 
         c.sendline('echo EXITCODE:$\x16?')
-        i = c.expect(['EXITCODE:0', 'EXITCODE:\d+'], timeout=10)
-        if i==0:
+        i = c.expect(['EXITCODE:0', 'EXITCODE:\d+'])
+        if i == 0:
             log.info('Configtest finished successfully!')
             pass
-        if i==1:
-            log.error('Configtest failed :/')
-            raise Exception("Configtest failed, please look into debug output")
+        elif i == 1:
+            tmp = 'Configtest failed :/ - check debug output'
+            log.error(tmp)
+            raise Exception(tmp)
 
-    #################################################
-    # Powering off system
-    #################################################
-    log.info("Powering off system ")
-    c.sendline('poweroff')
-    c.expect(r'\nAre you sure you want to poweroff this system.*\]')
-    c.sendline('Y')
-    log.info("Shutting down virtual machine")
-    for i in range(30):
-        log.info("Waiting for shutdown...")
-        if not c.isalive():
-            log.info("VM is shut down!")
-            break
-        time.sleep(10)
-    else:
-        log.error("VM Did not shut down after 300sec")
-        raise Exception("VM Did not shut down after 300sec")
+    shutdownVM(c, log, 'Powering off system')
     c.close()
 
 except pexpect.exceptions.TIMEOUT:
-    log.error("Timeout waiting for VyOS system")
+    log.error('Timeout waiting for VyOS system')
     log.error(traceback.format_exc())
     EXCEPTION = 1
 
 except pexpect.exceptions.ExceptionPexpect:
-    log.error("Exeption while executing QEMU")
-    log.error("Is qemu working on this system?")
+    log.error('Exeption while executing QEMU')
+    log.error('Is qemu working on this system?')
     log.error(traceback.format_exc())
     EXCEPTION = 1
 
 except Exception:
-    log.error("An unknown error occured when installing the VyOS system")
+    log.error('Unknown error occured while VyOS!')
     traceback.print_exc()
     EXCEPTION = 1
 
@@ -416,15 +586,17 @@ except Exception:
 log.info("Cleaning up")
 
 if not args.keep:
-    log.info("Removing disk file: {}".format(args.disk))
+    log.info(f'Removing disk file: {args.disk}')
     try:
         os.remove(args.disk)
+        if diskname_raid:
+            os.remove(diskname_raid)
     except Exception:
-        log.error("Exception while removing diskimage")
+        log.error('Exception while removing diskimage!')
         log.error(traceback.format_exc())
         EXCEPTION = 1
 
 if EXCEPTION:
-    log.error("Hmm... System got an exception while processing")
-    log.error("The ISO is not considered usable")
+    log.error('Hmm... system got an exception while processing.')
+    log.error('The ISO image is not considered usable!')
     sys.exit(1)

scripts/copy-image

@@ -4,6 +4,4 @@ BUILD_DIR="$(scripts/query-json build/build-config.json build_dir)"
 BUILD_ARCH="$(scripts/query-json build/build-config.json architecture)"
 VERSION="$(cat $BUILD_DIR/version)"
 
-ln -rnsf "$BUILD_DIR/live-image-$BUILD_ARCH.hybrid.iso" "$BUILD_DIR/vyos-$VERSION-$BUILD_ARCH.iso"
-
-
+cp "$BUILD_DIR/live-image-$BUILD_ARCH.hybrid.iso" "$BUILD_DIR/vyos-$VERSION-$BUILD_ARCH.iso"

scripts/live-build-config

@@ -41,12 +41,13 @@ lb config noauto \
         --linux-packages linux-image-{{kernel_version}} \
         --bootloader syslinux,grub-efi \
         --binary-images iso-hybrid \
+        --checksums 'sha256 md5' \
         --debian-installer false \
         --distribution {{distribution}} \
         --iso-application "VyOS" \
         --iso-publisher "{{build_by}}" \
         --iso-volume "VyOS" \
-        --debootstrap-options "--variant=minbase --exclude=isc-dhcp-client,isc-dhcp-common,ifupdown --include=apt-utils,apt-transport-https,gnupg2" \
+        --debootstrap-options "--variant=minbase --exclude=isc-dhcp-client,isc-dhcp-common,ifupdown --include=apt-utils,ca-certificates,gnupg2" \
         --mirror-bootstrap {{debian_mirror}} \
         --mirror-chroot {{debian_mirror}} \
         --mirror-chroot-security {{debian_security_mirror}} \
@@ -59,7 +60,7 @@ lb config noauto \
         --security true \
         --backports true \
         --apt-recommends false \
-        --apt-options "--yes -oAPT::Default-Release="current" -oAPT::Get::allow-downgrades=true" \
+        --apt-options "--yes -oAPT::Default-Release="equuleus" -oAPT::Get::allow-downgrades=true" \
         --apt-indices false
         "${@}"
 """