Infix v24.10.2-rc2

Changes

• Support for showing interfaces owned by running containers in the CLI
  command show interfaces. This also adds support for showing the
  peer interface of VETH pairs. Issue #626
• Reboot system on kernel "oops", on "oops" the kernel now panics and
  reboots after 20 seconds. Issue #740
• Update static factory-config for NanoPi R2S: enable NACM, securing all
  passwords, and enabling iburst for the NTP client. Issue #750
• Updated QoS documentation with pictures and more information on VLAN
  interface ingress/egress priority handling, issue #759
• Disable RTC device in Styx device tree, issue #794
• Support for saving and restoring system clock from a disk file. This
  allows restoring the system clock to a sane date in case the RTC is
  disabled or does not have a valid time, issue #794
• Update device discovery chapter with information on infix.local mDNS
  alias, netbrowse support to discover all local units, and command
  examples for disabling LLDP and mDNS services, issue #786
• Updated OSPF documentation to include information on global OSPF
  settings (redistribution, explicit-router-id, etc.), issue #812
• Added information on forwarding of IEEE reserved group addresses
  to bridge section of networking documentation, issue #788
• Add support for bootstrap conditions and early init product overrides
• Styx: enable second Ethernet port LED in device tree, again, rename
  it: yellow -> aux, and make sure it is turned off at boot
• Styx: disable second port LED for the 4xSFP slots, does not work
• Styx: override iitod (LED daemon) with a product specific LED script

Fixes

• Fix #685: DSA conduit interface not always detected, randomly causing
  major issues configuring systems with multiple switch cores
• Fix #778: reactivate OpenSSL backend for libssh/libssh2 for NanoPI R2S.
  This fixes a regression in v24.10.0 causing loss of NETCONF support
• Fix #809: enable syslog logging for RAUC
• Fix harmless bootstrap log error message on systems without USB ports:
  jq: error (at <stdin>:0): Cannot iterate over null (null)
• Change confusing tc log error message: Error: does not support hardware offload to Skipping $iface, hardware offload not supported.

Infix v24.10.2-rc1

Changes

• Support for showing interfaces owned by running containers in the CLI
  command show interfaces. This also adds support for showing the
  peer interface of VETH pairs. Issue #626
• Reboot system on kernel "oops", on "oops" the kernel now panics and
  reboots after 20 seconds. Issue #740
• Update static factory-config for NanoPi R2S: enable NACM, securing all
  passwords, and enabling iburst for the NTP client. Issue #750
• Updated QoS documentation with pictures and more information on VLAN
  interface ingress/egress priority handling, issue #759
• Disable RTC device in Styx device tree, issue #794
• Support for saving and restoring system clock from a disk file. This
  allows restoring the system clock to a sane date in case the RTC is
  disabled or does not have a valid time, issue #794

Fixes

• Fix #685: DSA conduit interface not always detected, randomly causing
  major issues configuring systems with multiple switch cores
• Fix #778: reactivate OpenSSL backend for libssh/libssh2 for NanoPI R2S.
  This fixes a regression in v24.10.0 causing loss of NETCONF supprt

Infix v24.10.1

News: this release contains breaking YANG changes in custom MAC addresses for interfaces! For details, see below issue #680.
Also, heads-up to all downstream users of Infix. YANG models have been renamed to ease maintenance, more info below.

Changes

• Software control of port LEDs on the Styx platform has been disabled. Default driver behavior, green link and green traffic blink, is kept as-is, which should mitigate issues reported in #670
• Correcting documentation on QoS. For packets containing both a VLAN tag and an IP header, PCP priority takes precedence over DSCP priority (not vice versa).
• Update CONTRIBUTING.md for scaling core team and helping external contributors understand the development process, issue #672
• Updated branding documentation with more information on how dynamic and static factory-config work, including examples
• Updated container documentation, improved images, detail how to set interface name inside the container, and some syntax fixes
• Updated networking documentation, new General settings section, and more details added to initial section on network building blocks
• As of this release, all Infix YANG models have dropped the @DATE suffix from the name, this type of versioning is not handled using symlinks instead.
• Update Infix provision script, used to install Infix on eMMC, add example of how to erase partition table to be able to re-run the script on already provisioned devices, issue #671
• OSPF: Add limitation to allow an interface to be in one area only
• Add support for "dummy" interfaces, mostly useful for testing
• Add support for container hostname format specifiers, just like it already works for the host's hostname setting
• Hide all status obsolete YANG nodes in CLI
• Add YANG units, if available, to CLI help text (default value)
• The CLI commands copy and erase are now available also from Bash
• Greatly reduced size of bundled curiOS httpd OCI container image, reduced from 1.8 MiB to 281 KiB
• Add deviation to ietf-interfaces.yang, link-up-down-trap-enable is not supported (yet) in Infix, issue #709
• The default builds now include the curiOS nftables container image, which can be used for advanced firewall setups. For an introduction see https://kernelkit.org/posts/firewall-container/

Fixes

• Fix #499: add an NACM rule to factory-config, which by default deny everyone to read user password hash(es)
• Fix #663: internal Ethernet interfaces shown in CLI tab completion
• Fix #674: CLI show interfaces display internal Ethernet interfaces, regression introduced late in v24.09 release cycle
• Fix #676: port dropped from bridge when changing its VLAN membership from tagged to untagged
• Fix #680: replace deviation for phys-address in ietf-interfaces.yang with custom-phys-address to allow for constructing more free-form MAC addresses based on the chassis MAC (a.k.a., base MAC) address. For more information, see the YANG model, a few examples are listed in the updated documentation. The syntax will be automatically updated in the startup-config and factory-config -- make sure to verify the changes and update any static factory-config used for your products
• Fix #690: CLI show ip route command stops working after 24 hours, this includes all operational data in ietf-routing:/routing/ribs.
• Fix #697: password is not always set for new users, bug introduced in v24.06.0 when replacing Augeas with native user handling
• Fix #700: add missing admin-status to interface operational data
• Fix #701: make sure CLI (and Bash) copy command use same sysrepo timeout as other operations that load sysrepo. Was 10 second timeout, which caused some (really big) configurations not to apply from the CLI, but worked at boot, for instance. New timeout is 60 seconds
• Fix #708: allow all container networks to set interface name inside container, not just auto-generated veth-pair ends for docker0 bridge
• Fix show interfaces on platforms like the NanoPi R2S, which does not support reading RMON counters in JSON format using ethtool
• Fix #730: CLI command show ntp [sources] stopped working in v24.08. Missing access rights after massive CLI lock-down
• Fix #735: copy and erase commands missing from CLI, regression in Infix v24.10.0 defconfigs, now added as dep. in klish package
• Fix BFD in OSPF, previously you could not enable BFD on a single interface without enabling it on all interfaces

Infix v24.10.0

---

PLEASE NOTE, THIS RELEASE HAS BEEN PULLED BECAUSE OF ISSUE #735

---

News: this release contains breaking YANG changes in custom MAC addresses for interfaces! For details, see below issue #680.
Also, heads-up to all downstream users of Infix. YANG models have been renamed to ease maintenance, more info below.

Changes

• Software control of port LEDs on the Styx platform has been disabled. Default driver behavior, green link and green traffic blink, is kept as-is, which should mitigate issues reported in #670
• Correcting documentation on QoS. For packets containing both a VLAN tag and an IP header, PCP priority takes precedence over DSCP priority (not vice versa).
• Update CONTRIBUTING.md for scaling core team and helping external contributors understand the development process, issue #672
• Updated branding documentation with more information on how dynamic and static factory-config work, including examples
• Updated container documentation, improved images, detail how to set interface name inside the container, and some syntax fixes
• Updated networking documentation, new General settings section, and more details added to initial section on network building blocks
• As of this release, all Infix YANG models have dropped the @DATE suffix from the name, this type of versioning is not handled using symlinks instead.
• Update Infix provision script, used to install Infix on eMMC, add example of how to erase partition table to be able to re-run the script on already provisioned devices, issue #671
• OSPF: Add limitation to allow an interface to be in one area only
• Add support for "dummy" interfaces, mostly useful for testing
• Add support for container hostname format specifiers, just like it already works for the host's hostname setting
• Hide all status obsolete YANG nodes in CLI
• Add YANG units, if available, to CLI help text (default value)
• The CLI commands copy and erase are now available also from Bash
• Greatly reduced size of bundled curiOS httpd OCI container image, reduced from 1.8 MiB to 281 KiB
• Add deviation to ietf-interfaces.yang, link-up-down-trap-enable is not supported (yet) in Infix, issue #709
• The default builds now include the curiOS nftables container image, which can be used for advanced firewall setups. For an introduction see https://kernelkit.org/posts/firewall-container/

Fixes

• Fix #499: add an NACM rule to factory-config, which by default deny everyone to read user password hash(es)
• Fix #663: internal Ethernet interfaces shown in CLI tab completion
• Fix #674: CLI show interfaces display internal Ethernet interfaces, regression introduced late in v24.09 release cycle
• Fix #676: port dropped from bridge when changing its VLAN membership from tagged to untagged
• Fix #680: replace deviation for phys-address in ietf-interfaces.yang with custom-phys-address to allow for constructing more free-form MAC addresses based on the chassis MAC (a.k.a., base MAC) address. For more information, see the YANG model, a few examples are listed in the updated documentation. The syntax will be automatically updated in the startup-config and factory-config -- make sure to verify the changes and update any static factory-config used for your products
• Fix #690: CLI show ip route command stops working after 24 hours, this includes all operational data in ietf-routing:/routing/ribs.
• Fix #697: password is not always set for new users, bug introduced in v24.06.0 when replacing Augeas with native user handling
• Fix #700: add missing admin-status to interface operational data
• Fix #701: make sure CLI (and Bash) copy command use same sysrepo timeout as other operations that load sysrepo. Was 10 second timeout, which caused some (really big) configurations not to apply from the CLI, but worked at boot, for instance. New timeout is 60 seconds
• Fix #708: allow all container networks to set interface name inside container, not just auto-generated veth-pair ends for docker0 bridge
• Fix show interfaces on platforms like the NanoPi R2S, which does not support reading RMON counters in JSON format using ethtool
• Fix #730: CLI command show ntp [sources] stopped working in v24.08. Missing access rights after massive CLI lock-down
• Fix BFD in OSPF, previously you could not enable BFD on a single interface without enabling it on all interfaces

Infix v24.09.0

News: this release enhances the integration of all types of static routes with FRRouting (Frr), including all routes that can be set by DHCP and IPvLL (ZeroConf) clients. Due to this fundamental change, the system routing table is now primarily read from Frr, which increases the amount of relevant routing information available to the user. E.g., in the CLI exec command show ip route and show ipv6 route. Support for adjusting the administrative distance of all types of static routes has also been added to facilitate site specific adaptations. Please see the documentation for details.

Known Issues

• The CLI command show interfaces may for some terminal resolutions not display all interfaces (on systems with >20 interfaces). This problem is limited to the console port and only occurs for smaller terminals (30-50 rows height). Calling show ifaces from the shell, dumping /ietf-interfaces:interfaces XPath using sysrepocfg, or using the CLI from an SSH session, is not affected. Issue #659

Changes

• Upgrade Buildroot to 2024.02.6 (LTS)
• Upgrade Linux kernel to 6.6.52 (LTS)
• Upgrade libyang to 3.4.2
• Upgrade sysrepo to 2.11.7
• Upgrade netopeer2 (NETCONF) to 2.2.31
• Updated infix-routing.yang to declare deviations for unsupported OSPF RPCs and Notifications in ietf-ospf.yang
• The CLI admin-exec command show dns now also shows any configured name servers, not just ones acquired via DHCP. Issue #510
• Add support for IPv4 (autoconf) request-address. This instructs the ZeroConf client to start with the requested address. If this is not successful the client falls back to its default behavior. Issue #628
• Major speedup (10x) in operational data, in particular when querying interface status. Very noticeable in the CLI show interfaces command on devices with large port counts. Issue #651
• Silence yanger log warnings for failing mctl command. Caused by mctl reporting no multicast filtering enabled on bridge

Fixes

• Fix #357: EUI-64 based IPv6 autoconf address on bridges seem to be randomized. Problem caused by kernel setting a random MAC before any bridge port is added. Fixed by using the device's base MAC address on bridge interfaces. Possible to override using phys-address option
• Fix #601: CLI regression in show ospf family of commands causing authorized users, like admin, to not being able to query status of OSPF or BFD. Workaround by using the UNIX shell sudo vtysh. Regression introduced in v24.08.0
• Fix #603: regression in GNS3 image, starts in test mode by default. Introduced in v24.08.
• Fix #613: CLI regression in tab completion of container commands, e.g., container shell <TAB>. Regression introduced in v24.08.0
• Fix #616: Silent failure when selecting bash as login shell for non-admin user, this silent lock has been removed
• Fix #618: CLI command show interfaces does not show bridges and bridge ports, regression introduced in v24.08.0 -- only affects bridges without multicast snooping
• Fix #623: CLI command container upgrade NAME does not work, regression introduced in v24.06.0
• Fix #625: initialize sysrepo startup datastore at boot. Improves usability when working directly against the sysrepo datastores from the shell with sysrepocfg and sysrepoctl tools
• Fix #635: OSPF: all router neighbors reported as neighbor on every interface
• Fix #638: Disabling IPv4LL (autoconf) on an interface does not clean up 169.254/16 addresses
• Fix #640: unable to set static default route due to priority inversion from DHCP or IPv4LL (ZeroConf) clients setting their routes directly in the kernel. This has resulted in a complete overhaul of route management, using FRRouting for all routes, including DHCP and IPv4LL routes, presentation in the CLI, and also support for custom route preference for static routes
• Fix #658: deleting VETH pairs does not work unless rebooting first. Creating a VETH pair, followed by at least one other reconfiguration before removing the pair, causes confd to fail when applying the interface changes (tries to delete both ends of the pair)
• Spellcheck path to /var/lib/containers when unpacking OCI archives on container upgrade
• cli: restore tcpdump permissions for administrator level users, regression introduced in v24.08.0
• The timeout before giving up on loading the startup-config at boot is now 1 minute, just like operations via other front-ends (NETCONF and RESTCONF). This was previously (incorrectly) set to 10 seconds

Infix v24.09.0-rc1

News: this release enhances the integration of all types of static
routes with FRRouting (Frr), including all routes that can be set by
DHCP and IPvLL (ZeroConf) clients. Due to this fundamental change, the
system routing table is now primarily read from Frr, which increases the
amount of relevant routing information available to the user. E.g., in
the CLI exec command show ip route and show ipv6 route. Support for
adjusting the administrative distance of all types of static routes has
also been added to facilitate site specific adaptations. Please see the
documentation for details.

Changes

• Upgrade Buildroot to 2024.02.6 (LTS)
• Upgrade Linux kernel to 6.6.52 (LTS)
• Upgrade libyang to 3.4.2
• Upgrade sysrepo to 2.11.7
• Upgrade netopeer2 (NETCONF) to 2.2.31
• Updated infix-routing.yang to declare deviations for unsupported
  OSPF RPCs and Notifications in ietf-ospf.yang
• The CLI admin-exec command show dns now also shows any configured
  name servers, not just ones acquired via DHCP. Issue #510
• Add support for IPv4 (autoconf) request-address. This instructs the
  ZeroConf client to start with the requested address. If this is not
  successful the client falls back to its default behavior. Issue #628
• Major speedup (10x) in operational data, in particular when querying
  interface status. Very noticeable in the CLI show interfaces
  command on devices with large port counts. Issue #651
• Silence yanger log warnings for failing mctl command. Caused
  by mctl reporting no multicast filtering enabled on bridge

Fixes

• Fix #357: EUI-64 based IPv6 autoconf address on bridges seem to be
  randomized. Problem caused by kernel setting a random MAC before any
  bridge port is added. Fixed by using the device's base MAC address on
  bridge interfaces. Possible to override using phys-address option
• Fix #601: CLI regression in show ospf family of commands causing
  authorized users, like admin, to not being able to query status
  of OSPF or BFD. Workaround by using the UNIX shell sudo vtysh.
  Regression introduced in v24.08.0
• Fix #603: regression in GNS3 image, starts in test mode by default.
  Introduced in v24.08.
• Fix #613: CLI regression in tab completion of container commands,
  e.g., container shell <TAB>. Regression introduced in v24.08.0
• Fix #616: Silent failure when selecting bash as login shell for
  non-admin user, this silent lock has been removed
• Fix #618: CLI command show interfaces does not show bridges and
  bridge ports, regression introduced in v24.08.0 -- only affects
  bridges without multicast snooping
• Fix #623: CLI command container upgrade NAME does not work,
  regression introduced in v24.06.0
• Fix #625: initialize sysrepo startup datastore at boot. Improves
  usability when working directly against the sysrepo datastores from
  the shell with sysrepocfg and sysrepoctl tools
• Fix #635: OSPF: all router neighbors reported as neighbor on every
  interface
• Fix #638: Disabling IPv4LL (autoconf) on an interface does not clean
  up 169.254/16 addresses
• Fix #640: unable to set static default route due to priority inversion
  from DHCP or IPv4LL (ZeroConf) clients setting their routes directly
  in the kernel. This has resulted in a complete overhaul of route
  management, using FRRouting for all routes, including DHCP and IPv4LL
  routes, presentation in the CLI, and also support for custom route
  preference for static routes.
• Spellcheck path to /var/lib/containers when unpacking OCI archives
  on container upgrade
• The timeout before giving up on loading the startup-config at boot
  is now 1 minute, just like operations via other front-ends (NETCONF
  and RESTCONF). This was previously (incorrectly) set to 10 seconds.

Infix v24.08.0

News: this release adds full configuration support for syslog, with logging to local files, external media, remote log server, as well as support for acting as a log sink/server. External media can now be mounted automatically, very useful, not only for logging, but also for upgrading and container images.

Finally, the following consumer boards are now fully supported:

• NanoPi R2S (ARM)
• StarFive VisionFive2 (RISC-V)

Changes

• Upgrade Buildroot to 2024.02.5 (LTS)
• Upgrade Linux kernel to 6.6.46 (LTS)
• Issue #158: enhance security of factory reset. All file content is now overwritten x3, the last time with zeroes, then removed.
  Example, on the NanoPi R2S this process takes ~30 seconds, but may take longer in setups with bigger configurations, e.g., containers
• Issue #497: support for auto-mounting USB media. Useful for logging, upgrade, and container images. Mounted under /media/<LABEL>, where <LABEL> is the partition label(s) available on the USB media
• Issue #503: configurable syslog support, based on IETF Syslog config draft model, includes file based logging (built-in or external media) and remote logging, as well as acting as a log sink (remote server) for syslog clients (Infix extension). Documentation available in Syslog Support
• Issue #521: audit trail support. Logs changes to configuration, both running-config and startup-config, as well as RPCs, e.g., setting system date-time. Logs contain name of user and the action taken. Supported for CLI, NETCONF, and RESTCONF
• Issue #545: sort loopback interface first in CLI show interfaces
• New documentation for Ethernet interfaces: how to set speed, duplex, query status and statistics
• Issue #587: add YANG must expressions for bridge multicast filters
• Initial RISC-V (riscv64) support: StarFive VisionFive2
• Massive updates to the NanoPi R2S:
  • Update Linux kernel to v6.10.3 and sync defconfig with aarch64
  • Workaround reboot command "hang" on NanoPi R2S (failure to reboot) by replacing the Rockchip watchdog driver with "softdog"
  • Update U-Boot to v2024.07, enable secure boot loading of images
  • Rename interfaces to LAN + WAN to match case and LEDs
  • Rename images to infix-r2s$ver.ext, not same as other aarch64
  • Change rootfs to squashfs for enhanced security
  • Add RAUC support to simplify device maintenance/upgrade
  • Add support for saving unique interface MAC addresses in U-Boot
  • Add support for system LEDs, see product's README
  • Add support for reset button from U-Boot, to trigger factory reset, and from Linux, to trigger reboot
  • Add static factory-config as an example
  • Full LED control, including WAN LED (link up and DHCP lease)
• Password login can now be disabled by removing the password. Before this change only empty password disabled password login (in favor of SSH key login), removing the password locked the user completely out
• Add LED indication on factory reset, all LEDs available in Linux /sys/class/leds are turned on while clearing writable partitions
• CLI: improve dir and show log command user experience. List files also in user's home directory and allow displaying gzipped log files
• Lock down CLI admin-exec to prevent unprivileged users from managing system configuration or state.
• The local log file /var/log/syslog no longer contains debug level log messages. See /var/log/debug for all log messages

Fixes

• Fix #274: add missing link/traffic LEDs on NanoPi R2S LAN port
• Fix #489: ensure all patches are versioned, including Linux kernel
• Fix #531: creating a new VLAN interface named vlanN should not set lower-layer-if to vlanN. With the vlanN pattern, only C-VLAN and VID can be inferred
• Fix #541: make sure Frr OSPF logs are sent to syslogd and filtered to /var/log/routing for easy access from the CLI
• Fix #542: warning message from login, cannot find pam_lastlog.so
• Fix #570: the CLI change password command does not work
• Fix #576: the CLI tab completion for startup-config does not work
• Fix #585: on internal configuration database error, restart internal service sysrepo-plugind to attempt to get remote access over NETCONF and RESTCONF back to the user
• Silence bogus sysctl warnings at boot (syslog)
• Silence output from user group member check (sys-cli in syslog)
• Fix annoying CLI freeze if pressing any key before initial prompt

Infix v24.08.0-rc1

News: this release adds full configuration support for syslog, with
logging to local files, external media, remote log server, as well as
support for acting as a log sink/server. External media can now be
mounted automatically, very useful, not only for logging, but also for
upgrading and container images.

Finally, the following consumer boards are now fully supported:

• NanoPi R2S (ARM)
• StarFive VisionFive2 (RISC-V)

Changes

• Upgrade Buildroot to 2024.02.5 (LTS)
• Upgrade Linux kernel to 6.6.46 (LTS)
• Issue #158: enhance security of factory reset. All file content
  is now overwritten x3, the last time with zeroes, then removed.
  Example, on the NanoPi R2S this process takes ~30 seconds, but may
  take longer in setups with bigger configurations, e.g., containers
• Issue #497: support for auto-mounting USB media. Useful for logging,
  upgrade, and container images. Mounted under /media/<LABEL>, where
  <LABEL> is the partition label(s) available on the USB media
• Issue #503: configurable syslog support, based on IETF Syslog config
  draft model, includes file based logging (built-in or
  external media) and remote logging, as well as acting as a log sink
  (remote server) for syslog clients (Infix extension). Documentation
  available in Syslog Support
• Issue #521: audit trail support. Logs changes to configuration, both
  running-config and startup-config, as well as RPCs, e.g., setting
  system date-time. Logs contain name of user and the action taken.
  Supported for CLI, NETCONF, and RESTCONF
• Issue #545: sort loopback interface first in CLI show interfaces
• New documentation for Ethernet interfaces: how to set speed, duplex,
  query status and statistics
• Issue #587: add YANG must expressions for bridge multicast filters
• Initial RISC-V (riscv64) support: StarFive VisionFive2
• Massive updates to the NanoPi R2S:
  • Update Linux kernel to v6.10.3 and sync defconfig with aarch64
  • Workaround reboot command "hang" on NanoPi R2S (failure to reboot)
    by replacing the Rockchip watchdog driver with "softdog"
  • Update U-Boot to v2024.07, enable secure boot loading of images
  • Rename interfaces to LAN + WAN to match case and LEDs
  • Rename images to infix-r2s$ver.ext, not same as other aarch64
  • Change rootfs to squashfs for enhanced security
  • Add RAUC support to simplify device maintenance/upgrade
  • Add support for saving unique interface MAC addresses in U-Boot
  • Add support for system LEDs, see product's README
  • Add support for reset button from U-Boot, to trigger factory reset,
    and from Linux, to trigger reboot
  • Add static factory-config as an example
  • Full LED control, including WAN LED (link up and DHCP lease)
• Password login can now be disabled by removing the password. Before
  this change only empty password disabled password login (in favor of
  SSH key login), removing the password locked the user completely out
• Add LED indication on factory reset, all LEDs available in Linux
  /sys/class/leds are turned on while clearing writable partitions
• CLI: improve dir and show log command user experience. List files
  also in user's home directory and allow displaying gzipped log files
• Lock down CLI admin-exec to prevent unprivileged users from managing
  system configuration or state.
• The local log file /var/log/syslog no longer contains debug level
  log messages. See /var/log/debug for all log messages

Fixes

• Fix #274: add missing link/traffic LEDs on NanoPi R2S LAN port
• Fix #489: ensure all patches are versioned, including Linux kernel
• Fix #531: creating a new VLAN interface named vlanN should not set
  lower-layer-if to vlanN. With the vlanN pattern, only C-VLAN
  and VID can be inferred
• Fix #541: make sure Frr OSPF logs are sent to syslogd and filtered
  to /var/log/routing for easy access from the CLI
• Fix #542: warning message from login, cannot find pam_lastlog.so
• Fix #570: the CLI change password command does not work
• Fix #576: the CLI tab completion for startup-config does not work
• Fix #585: on internal configuration database error, restart internal
  service sysrepo-plugind to attempt to get remote access over NETCONF
  and RESTCONF back to the user
• Silence bogus sysctl warnings at boot (syslog)
• Silence output from user group member check (sys-cli in syslog)
• Fix annoying CLI freeze if pressing any key before initial prompt

Infix v24.06.0

Note: this release contains breaking changes in YANG models
that are incompatible with existing configuration files. So, after
upgrade, but before reboot, a factory reset is required!

Changes

• Upgrade Buildroot to 2024.02.3 (LTS)
• Upgrade Linux kernel to 6.6.34 (LTS)
• Upgrade bundled curiOS httpd container to v24.05.0
• Default web landing page refactored into a Buildroot package to make it possible to overload from customer repos.
• Enable DCB support in aarch64 kernel (for EtherType prio override)
• Topology mapper improvements, including option for deterministic reproduction of logical to physical mappings
• New version of gencert tool, for self signed HTTPS certificates. This allows dropping dependency on building a host rust toolchain
• Issue #374: add timestamps to dagger .log files
• Add small delay in U-Boot to allow stopping boot on reference boards
• Document how to provision the bootloader and Infix on a blank board
• Use initial hostname from /etc/os-release as configuration fallback
• Update documentation for use of VETH pairs in containers
• Issue #454: create bridges in factory-config with IGMP/MLD snooping enabled by default
• The following YANG models have been updated to newer draft versions: ietf-crypto-types, ietf-keystore, ietf-netconf-server, ietf-ssh-common, ietf-ssh-server, ietf-tcp-client, ietf-tcp-common, ietf-tcp-server, ietf-tcp-server, ietf-tcp-server, ietf-tcp-server. In these there are a lot of breaking changes, so you need to redo your configuration from factory-config!
• The Augeas package has been dropped, so augtool is no longer available
• VLAN interfaces can now map the incoming PCP value to the kernel-internal priority on ingress, and perform the reverse mapping on egress.
• mv88e6xxx ports can now use Linux's priority information to select the appropriate egress queue, via the mqprio queuing discipline
• Add logging of output from container start/stop action
• Clean up stale directories after OCI container archive import
• Add support for show leaf-node in CLI configure context
• Allow non-admin users to use the CLI. NACM rules still apply
• Ensure filesystem is sync'ed properly after a CLI copy command
• Issue #178: add early boot script to migrate configuration files of older version to new syntax. Initial, rudimentary support, for the change in shell types
• Issue #308: add version field to configuration file using a new model, infix-meta.yang. Used to trigger migration from older formats to newer on future breaking changes
• Issue #432: extract YANG documentation at build time. Part of the release tarballs is now yangdoc.html for the complete tree of all YANG configuration, operational data, RPCs, and notification nodes
• Issue #435: add support for $factory$ password hash. This allows backing up configuration files with device specific passwords. Upon restore to another device this ensures the replacement's password is used instead of the originals'
• Issue #435: add support for hostname format specifiers. The default hostname configuration is now %h-%m to encode, infix-c0-ff-ee
• Issue #435: support for "empty" NETCONF host keys. Primarily used in static factory-config setups. When a configuration is detected with this, the automatically generated, device specific 2048 bit RSA host key pair is used. With this, vendor/product specific factory-config is now fully supported. See src/confd/README.md
• Issue #447: add support for yescrypt, $y$ hashes. This also adds support for $0$cleartext password according to ietf-system.yang
• Issue #455: split CLI tutorial into multiple files for easy access from the CLI admin-exec context using the help command
• Issue #478: add operational support for ietf-system.yang, reading actual hostname and passwords after issue #435
• Merge infix-shell-types.yang with infix-system.yang
• cli: improved error/warning message on missing or incomplete command

Fixes

• Fix #424: regression, root user can log in without password
• Fix build regressions in cn9130_crb_boot_defconfig caused by upgrade to Buildroot v2024.02 and recent multi-key support in RAUC and U-Boot
• Fix provisioning script after changes to make GRUB loading more robust
• Fix missing /etc/resolv.conf, as noticed by avahi-daemon, when a user calls no system from the CLI
• Fix #428: loss of admin account after upgrade to v24.04
• Fix #429: failing to load startup-config does not trigger the fail secure mode, causing the system to end up in an undefined state
• Fix #453: fix inconsistent behavior of custom MAC address (interface phys-address for VETH pairs. Allows fixed MAC in containers
• Fix #462: increase port column width for CLI show bridge mdb
• Fix #468: non-admin users can get a POSIX shell as login shell, root cause was buggy Augeas library, replaced with plain C API.
• Fix #469: non-admin users added to any group get administrator privileges (added to UNIX wheel group)
• Fix #473: bridge interface with IPv6 SLAAC never get global prefix
• Fix #476: Custom command for containers not working
• Fix #479: timeout from underlying datastore when disabling containers in configuration. Only disabling (stopping) container now done in the configuration change, removal of container done in the background
• Fix locking issue with standard counter groups on mv88e6xxx
• Add missing LICENSE hash for factory reset tool
• Fix timeout handling in container restart command
• Fix MDB/ATU synchronization issue from IGMPv3/MLDv2 reports on mv88e6xxx systems

Infix v24.06.0-rc2

Note: this release contains breaking changes in YANG models
that are incompatible with existing configuration files. So, after
upgrade, but before reboot, a factory reset is required!

Changes

• Upgrade Buildroot to 2024.02.3 (LTS)
• Upgrade Linux kernel to 6.6.34 (LTS)
• Upgrade bundled curiOS httpd container to v24.05.0
• Default web landing page refactored into a Buildroot package to make
  it possible to overload from customer repos.
• Enable DCB support in aarch64 kernel (for EtherType prio override)
• Topology mapper improvements, including option for deterministic
  reproduction of logical to physical mappings
• New version of gencert tool, for self signed HTTPS certificates.
  This allows dropping dependency on building a host rust toolchain
• Issue #374: add timestamps to dagger .log files
• Add small delay in U-Boot to allow stopping boot on reference boards
• Document how to provision the bootloader and Infix on a blank board
• Use initial hostname from /etc/os-release as configuration fallback
• Update documentation for use of VETH pairs in containers
• Issue #454: create bridges in factory-config with IGMP/MLD snooping
  enabled by default
• The following YANG models have been updated to newer draft versions:
  ietf-crypto-types, ietf-keystore, ietf-netconf-server, ietf-ssh-common,
  ietf-ssh-server, ietf-tcp-client, ietf-tcp-common, ietf-tcp-server,
  ietf-tcp-server, ietf-tcp-server, ietf-tcp-server.
  In these there are a lot of breaking changes, most likely
  you will need to redo your configuration from factory-config.
• The Augeas package has been dropped, so augtool is no longer available
• VLAN interfaces can now map the incoming PCP value to the
  kernel-internal priority on ingress, and perform the reverse mapping
  on egress.
• mv88e6xxx ports can now use Linux's priority information to select
  the appropriate egress queue, via the mqprio queuing discipline.
• Add logging of output from container start/stop action
• Clean up stale directories after OCI container archive import
• Add support for show leaf-node in CLI configure context
• Allow non-admin users to use the CLI. NACM rules still apply
• Ensure filesystem is sync'ed properly after a CLI copy command
• Issue #178: add early boot script to migrate configuration files of
  older version to new syntax. Initial, rudimentary support, for the
  change in shell types
• Issue #308: add version field to configuration file using a new
  model, infix-meta.yang. Used to trigger migration from older formats
  to newer on future breaking changes
• Issue #432: extract YANG documentation at build time. Part of the
  release tarballs is now yangdoc.html for the complete tree of all
  YANG configuration, operational data, RPCs, and notification nodes
• Issue #435: add support for $factory$ password hash. This allows
  backing up configuration files with device specific passwords. Upon
  restore to another device this ensures the replacement's password is
  used instead of the originals'
• Issue #435: add support for hostname format specifiers. The default
  hostname configuration is now %h-%m to encode, infix-c0-ff-ee
• Issue #435: support for "empty" NETCONF host keys. Primarily used in
  static factory-config setups. When a configuration is detected with
  this, the automatically generated, device specific 2048 bit RSA host
  key pair is used. With this, vendor/product specific factory-config
  is now fully supported. See src/confd/README.md
• Issue #447: add support for [yescrypt][], $y$ hashes. This also
  adds support for $0$cleartext password according to ietf-system.yang
• Issue #455: split CLI tutorial into multiple files for easy access
  from the CLI admin-exec context using the help command
• Issue #478: add operational support for ietf-system.yang, reading
  actual hostname and passwords after issue #435
• Merge infix-shell-types.yang with infix-system.yang
• cli: improved error/warning message on missing or incomplete command

[yescrypt]: https://en.wikipedia.org/wiki/Yescrypt)

Fixes

• Fix #424: regression, root user can log in without password
• Fix build regressions in cn9130_crb_boot_defconfig caused by upgrade
  to Buildroot v2024.02 and recent multi-key support in RAUC and U-Boot
• Fix provisioning script after changes to make GRUB loading more robust
• Fix missing /etc/resolv.conf, as noticed by avahi-daemon, when a
  user calls no system from the CLI
• Fix #428: loss of admin account after upgrade to v24.04
• Fix #429: failing to load startup-config does not trigger the fail
  secure mode, causing the system to end up in an undefined state
• Fix #453: fix inconsistent behavior of custom MAC address (interface
  phys-address for VETH pairs. Allows fixed MAC in containers
• Fix #462: increase port column width for CLI show bridge mdb
• Fix #468: non-admin users can get a POSIX shell as login shell, root
  cause was buggy Augeas library, replaced with plain C API.
• Fix #469: non-admin users added to any group get administrator
  privileges (added to UNIX wheel group)
• Fix #473: bridge interface with IPv6 SLAAC never get global prefix
• Fix #476: Custom command for containers not working
• Fix #479: timeout from underlying datastore when disabling containers
  in configuration. Only disabling (stopping) container now done in the
  configuration change, removal of container done in the background
• Fix locking issue with standard counter groups on mv88e6xxx
• Add missing LICENSE hash for factory reset tool
• Fix timeout handling in container restart command
• Fix MDB/ATU synchronization issue from IGMPv3/MLDv2 reports on
  mv88e6xxx systems