Releases: kernelkit/infix
Infix v24.11.1
Changes
- Upgrade Frr to 9.1.2, fixes an OSPF issue where Zebra lost netlink
messages and drifted out of sync with the kernel's view of addresses
and interfaces available in the system - Allow setting IP address directly on VLAN filtering bridges. This
only works when the bridge is an untagged member of a (single) VLAN. - cli: usability -- showing log files now automatically jump to the end
of the file, where the latest events are - cli: usability -- showing container status, or other status that
overflows the terminal horizontally, now wrap the lines and exit the
pager immediately if the contents fit on the first screen - The default log level of the mDNS responder,
avahi-daemon
, has been
adjusted to make it less verbose. Now onlyLOG_NOTICE
and higher
severity is logged -- making it very quiet
Fixes
- Fix #685: DSA conduit interface not always detected. Previous
attempt at a fix (v24.10.2) mitigated the issue, but did not
completely solve it. - Fix #835: redesign how the system creates/deletes containers from the
running-config
. Prior to this change, all removal and creation was
handled by a separate queue that ran asynchronously from theconfd
process. This could lead to situations where new configurations are
applied before the queue had been fully processed. After this change
containers are deleted synchronously and new containers are created
in the same flow as during normal runtime operation (start/upgrade) - Fix start of containers with
manual=True
option should now work
again, regression in v24.11.0 - Fix loss of writable volumes when temporarily disabling a container
in the configuration, now the container remains dormant with all its
volumes still available - Fix presentation bug in CLI
show interfaces
where all line-drawing
characters showed up as hexadecimal values. Regression in v24.11.0 - Fix missing log messages from Frr Zebra daemon
- Stop the zeroconf (IPv4LL) agent,
avahi-autoipd
, when removing an
interface, e.g.,br0
- Creating more than one container trigger restarts of previously set
up containers. Which in some cases may cause these earlier ones to
end up in an inconsistent state - Prevent traffic assigned to locally terminated VLANs from being
forwarded, when the underlying ports are simultaneously attached to
a VLAN filtering bridge.
Infix v24.11.1-rc1
Changes
- Upgrade Frr to 9.1.2, fixes an OSPF issue where Zebra lost netlink
messages and drifted out of sync with the kernel's view of addresses
and interfaces available in the system - Allow setting IP address directly on VLAN filtering bridges. This
only works when the bridge is an untagged member of a (single) VLAN. - cli: usability -- showing log files now automatically jump to the end
of the file, where the latest events are - cli: usability -- showing container status, or other status that
overflows the terminal horizontally, now wrap the lines and exit the
pager immediately if the contents fit on the first screen - The default log level of the mDNS responder,
avahi-daemon
, has been
adjusted to make it less verbose. Now onlyLOG_NOTICE
and higher
severity is logged -- making it very quiet
Fixes
- Fix #685: DSA conduit interface not always detected. Previous
attempt at a fix (v24.10.2) mitigated the issue, but did not
completely solve it. - Fix #835: redesign how the system creates/deletes containers from the
running-config
. Prior to this change, all removal and creation was
handled by a separate queue that ran asynchronously from theconfd
process. This could lead to situations where new configurations are
applied before the queue had been fully processed. After this change
containers are deleted synchronously and new containers are created
in the same flow as during normal runtime operation (start/upgrade) - Fix start of containers with
manual=True
option should now work
again, regression in v24.11.0 - Fix loss of writable volumes when temporarily disabling a container
in the configuration, now the container remains dormant with all its
volumes still available - Fix presentation bug in CLI
show interfaces
where all line-drawing
characters showed up as hexadecimal values. Regression in v24.11.0 - Fix missing log messages from Frr Zebra daemon
- Stop the zeroconf (IPv4LL) agent,
avahi-autoipd
, when removing an
interface, e.g.,br0
- Creating more than one container trigger restarts of previously set
up containers. Which in some cases may cause these earlier ones to
end up in an inconsistent state - Prevent traffic assigned to locally terminated VLANs from being
forwarded, when the underlying ports are simultaneously attached to
a VLAN filtering bridge.
Infix v24.11.0
Caution
This release contains breaking changes for container users! As of v24.11.0, all persistent1 containers always run in read-only
mode and the setting itself is deprecated (kept only for compatibility reasons). The main reason for this change is to better serve users with embedded container images in their builds of Infix. I.e., they can now upgrade the OCI image in their build and rely on the container being automatically upgraded when Infix is upgraded, issue #823. For other users, the benefit is that all container configuration changes take when activated, issue #822, without having to perform any tricks.
Changes
- Add validation of interface name lengths, (1..15), Linux limit
- Add support for ftp/http/https URI:s in container image, with a new
checksum
setting for MD5/SHA256/SHA512 verification, issue #801 - Add a retry timer to the background container create service. This will ensure failing
docker pull
operations from remote images are retrying after 60 seconds, or quicker - CLI base component,
klish
, has been updated with better support for raw terminal mode and alternate quotes (' in addition to ") - Log silenced from container activation messages, only the very bare necessities are now logged, e.g.,
podman create
command + status - Factory reset no longer calls
shred
to "securely erase" any files from writable data partitions. This will speed up the next boot considerably
Fixes
- Fix #659: paged output in CLI accessed via console port sometimes causes lost lines, e.g. missing interfaces. With updated
klish
and the terminal in raw mode, the pager (less) can now control both the horizontal and vertical - Fix #822: adding, or changing, an environment variable to a running container does not take without the
container upgrade NAME
trick - Fix #823: with an OCI image embedded in the Infix image, an existing container in the configuration is not upgraded to the new OCI image with the Infix upgrade.
- Frr leaves log files in
/var/tmp/frr
on unclean shutdowns. This has now been fixed with a "tmpfiles" cleanup of that path at boot
-
I.e., set up in the configuration, as opposed to temporary ones started with
container run
from the CLI admin-exec context. ↩
Infix v24.11.0-rc1
Caution
This release contains breaking changes for container users! As of
v24.11.0, all persistent1 containers always run in read-only
mode
and the setting itself is deprecated (kept only for compatibility
reasons). The main reason for this change is to better serve users
with embedded container images in their builds of Infix. I.e., they
can now upgrade the OCI image in their build and rely on the container
being automatically upgraded when Infix is upgraded, issue #823. For
other users, the benefit is that all container configuration changes
take when activated, issue #822, without having to perform any tricks.
Changes
- Add validation of interface name lengths, (1..15), Linux limit
- Add support for ftp/http/https URI:s in container image, with a new
checksum
setting for MD5/SHA256/SHA512 verification, issue #801 - Add a retry timer to the background container create service. This
will ensure failingdocker pull
operations from remote images are
retrying after 60 seconds, or quicker - CLI base component,
klish
, has been updated with better support for
raw terminal mode and alternate quotes (' in addition to ") - Log silenced from container activation messages, only the very bare
necessities are now logged, e.g.,podman create
command + status - Factory reset no longer calls
shred
to "securely erase" any files
from writable data partitions. This will speed up the next boot
considerably
Fixes
- Fix #659: paged output in CLI accessed via console port sometimes
causes lost lines, e.g. missing interfaces. With updatedklish
and the terminal in raw mode, the pager (less) can now control both
the horizontal and vertical - Fix #822: adding, or changing, an environment variable to a running
container does not take without thecontainer upgrade NAME
trick - Fix #823: with an OCI image embedded in the Infix image, an existing
container in the configuration is not upgraded to the new OCI image
with the Infix upgrade. - Frr leaves log files in
/var/tmp/frr
on unclean shutdowns. This
has now been fixed with a "tmpfiles" cleanup of that path at boot
-
I.e., set up in the configuration, as opposed to temporary ones
started withcontainer run
from the CLI admin-exec context. ↩
Infix v24.10.2
Changes
- Support for showing interfaces owned by running containers in the CLI command
show interfaces
. This also adds support for showing the peer interface of VETH pairs. Issue #626 - Reboot system on kernel "oops", on "oops" the kernel now panics and reboots after 20 seconds. Issue #740
- Update static factory-config for NanoPi R2S: enable NACM, securing all passwords, and enabling
iburst
for the NTP client. Issue #750 - Updated QoS documentation with pictures and more information on VLAN interface ingress/egress priority handling, issue #759
- Disable RTC device in Styx device tree, issue #794
- Support for saving and restoring system clock from a disk file. This allows restoring the system clock to a sane date in case the RTC is disabled or does not have a valid time, issue #794
- Update device discovery chapter with information on
infix.local
mDNS alias,netbrowse
support to discover all local units, and command examples for disabling LLDP and mDNS services, issue #786 - Updated OSPF documentation to include information on global OSPF settings (
redistribution
,explicit-router-id
, etc.), issue #812 - Added information on forwarding of IEEE reserved group addresses to bridge section of networking documentation, issue #788
- Add support for bootstrap conditions and early init product overrides
- Styx: enable second Ethernet port LED in device tree, again, rename it: yellow -> aux, and make sure it is turned off at boot
- Styx: disable second port LED for the 4xSFP slots, does not work
- Styx: override iitod (LED daemon) with a product specific LED script
Fixes
- Fix #685: DSA conduit interface not always detected, randomly causing major issues configuring systems with multiple switch cores
- Fix #778: reactivate OpenSSL backend for libssh/libssh2 for NanoPI R2S. This fixes a regression in v24.10.0 causing loss of NETCONF support
- Fix #809: enable syslog logging for RAUC
- Fix harmless bootstrap log error message on systems without USB ports:
jq: error (at <stdin>:0): Cannot iterate over null (null)
- Change confusing
tc
log error message:Error: does not support hardware offload
toSkipping $iface, hardware offload not supported.
Infix v24.10.2-rc2
Changes
- Support for showing interfaces owned by running containers in the CLI
commandshow interfaces
. This also adds support for showing the
peer interface of VETH pairs. Issue #626 - Reboot system on kernel "oops", on "oops" the kernel now panics and
reboots after 20 seconds. Issue #740 - Update static factory-config for NanoPi R2S: enable NACM, securing all
passwords, and enablingiburst
for the NTP client. Issue #750 - Updated QoS documentation with pictures and more information on VLAN
interface ingress/egress priority handling, issue #759 - Disable RTC device in Styx device tree, issue #794
- Support for saving and restoring system clock from a disk file. This
allows restoring the system clock to a sane date in case the RTC is
disabled or does not have a valid time, issue #794 - Update device discovery chapter with information on
infix.local
mDNS
alias,netbrowse
support to discover all local units, and command
examples for disabling LLDP and mDNS services, issue #786 - Updated OSPF documentation to include information on global OSPF
settings (redistribution
,explicit-router-id
, etc.), issue #812 - Added information on forwarding of IEEE reserved group addresses
to bridge section of networking documentation, issue #788 - Add support for bootstrap conditions and early init product overrides
- Styx: enable second Ethernet port LED in device tree, again, rename
it: yellow -> aux, and make sure it is turned off at boot - Styx: disable second port LED for the 4xSFP slots, does not work
- Styx: override iitod (LED daemon) with a product specific LED script
Fixes
- Fix #685: DSA conduit interface not always detected, randomly causing
major issues configuring systems with multiple switch cores - Fix #778: reactivate OpenSSL backend for libssh/libssh2 for NanoPI R2S.
This fixes a regression in v24.10.0 causing loss of NETCONF support - Fix #809: enable syslog logging for RAUC
- Fix harmless bootstrap log error message on systems without USB ports:
jq: error (at <stdin>:0): Cannot iterate over null (null)
- Change confusing
tc
log error message:Error: does not support hardware offload
toSkipping $iface, hardware offload not supported.
Infix v24.10.2-rc1
Changes
- Support for showing interfaces owned by running containers in the CLI
commandshow interfaces
. This also adds support for showing the
peer interface of VETH pairs. Issue #626 - Reboot system on kernel "oops", on "oops" the kernel now panics and
reboots after 20 seconds. Issue #740 - Update static factory-config for NanoPi R2S: enable NACM, securing all
passwords, and enablingiburst
for the NTP client. Issue #750 - Updated QoS documentation with pictures and more information on VLAN
interface ingress/egress priority handling, issue #759 - Disable RTC device in Styx device tree, issue #794
- Support for saving and restoring system clock from a disk file. This
allows restoring the system clock to a sane date in case the RTC is
disabled or does not have a valid time, issue #794
Fixes
Infix v24.10.1
News: this release contains breaking YANG changes in custom MAC addresses for interfaces! For details, see below issue #680.
Also, heads-up to all downstream users of Infix. YANG models have been renamed to ease maintenance, more info below.
Changes
- Software control of port LEDs on the Styx platform has been disabled. Default driver behavior, green link and green traffic blink, is kept as-is, which should mitigate issues reported in #670
- Correcting documentation on QoS. For packets containing both a VLAN tag and an IP header, PCP priority takes precedence over DSCP priority (not vice versa).
- Update CONTRIBUTING.md for scaling core team and helping external contributors understand the development process, issue #672
- Updated branding documentation with more information on how dynamic and static factory-config work, including examples
- Updated container documentation, improved images, detail how to set interface name inside the container, and some syntax fixes
- Updated networking documentation, new General settings section, and more details added to initial section on network building blocks
- As of this release, all Infix YANG models have dropped the
@DATE
suffix from the name, this type of versioning is not handled using symlinks instead. - Update Infix
provision
script, used to install Infix on eMMC, add example of how to erase partition table to be able to re-run the script on already provisioned devices, issue #671 - OSPF: Add limitation to allow an interface to be in one area only
- Add support for "dummy" interfaces, mostly useful for testing
- Add support for container hostname format specifiers, just like it already works for the host's hostname setting
- Hide all
status obsolete
YANG nodes in CLI - Add YANG
units
, if available, to CLI help text (default value) - The CLI commands
copy
anderase
are now available also from Bash - Greatly reduced size of bundled curiOS httpd OCI container image, reduced from 1.8 MiB to 281 KiB
- Add deviation to ietf-interfaces.yang,
link-up-down-trap-enable
is not supported (yet) in Infix, issue #709 - The default builds now include the curiOS nftables container image, which can be used for advanced firewall setups. For an introduction see https://kernelkit.org/posts/firewall-container/
Fixes
- Fix #499: add an NACM rule to factory-config, which by default deny everyone to read user password hash(es)
- Fix #663: internal Ethernet interfaces shown in CLI tab completion
- Fix #674: CLI
show interfaces
display internal Ethernet interfaces, regression introduced late in v24.09 release cycle - Fix #676: port dropped from bridge when changing its VLAN membership from tagged to untagged
- Fix #680: replace deviation for
phys-address
in ietf-interfaces.yang withcustom-phys-address
to allow for constructing more free-form MAC addresses based on the chassis MAC (a.k.a., base MAC) address. For more information, see the YANG model, a few examples are listed in the updated documentation. The syntax will be automatically updated in thestartup-config
andfactory-config
-- make sure to verify the changes and update any staticfactory-config
used for your products - Fix #690: CLI
show ip route
command stops working after 24 hours, this includes all operational data in ietf-routing:/routing/ribs. - Fix #697: password is not always set for new users, bug introduced in v24.06.0 when replacing Augeas with native user handling
- Fix #700: add missing
admin-status
to interface operational data - Fix #701: make sure CLI (and Bash)
copy
command use same sysrepo timeout as other operations that load sysrepo. Was 10 second timeout, which caused some (really big) configurations not to apply from the CLI, but worked at boot, for instance. New timeout is 60 seconds - Fix #708: allow all container networks to set interface name inside container, not just auto-generated veth-pair ends for
docker0
bridge - Fix
show interfaces
on platforms like the NanoPi R2S, which does not support reading RMON counters in JSON format usingethtool
- Fix #730: CLI command
show ntp [sources]
stopped working in v24.08. Missing access rights after massive CLI lock-down - Fix #735:
copy
anderase
commands missing from CLI, regression in Infix v24.10.0 defconfigs, now added as dep. in klish package - Fix BFD in OSPF, previously you could not enable BFD on a single interface without enabling it on all interfaces
Infix v24.10.0
PLEASE NOTE, THIS RELEASE HAS BEEN PULLED BECAUSE OF ISSUE #735
News: this release contains breaking YANG changes in custom MAC addresses for interfaces! For details, see below issue #680.
Also, heads-up to all downstream users of Infix. YANG models have been renamed to ease maintenance, more info below.
Changes
- Software control of port LEDs on the Styx platform has been disabled. Default driver behavior, green link and green traffic blink, is kept as-is, which should mitigate issues reported in #670
- Correcting documentation on QoS. For packets containing both a VLAN tag and an IP header, PCP priority takes precedence over DSCP priority (not vice versa).
- Update CONTRIBUTING.md for scaling core team and helping external contributors understand the development process, issue #672
- Updated branding documentation with more information on how dynamic and static factory-config work, including examples
- Updated container documentation, improved images, detail how to set interface name inside the container, and some syntax fixes
- Updated networking documentation, new General settings section, and more details added to initial section on network building blocks
- As of this release, all Infix YANG models have dropped the
@DATE
suffix from the name, this type of versioning is not handled using symlinks instead. - Update Infix
provision
script, used to install Infix on eMMC, add example of how to erase partition table to be able to re-run the script on already provisioned devices, issue #671 - OSPF: Add limitation to allow an interface to be in one area only
- Add support for "dummy" interfaces, mostly useful for testing
- Add support for container hostname format specifiers, just like it already works for the host's hostname setting
- Hide all
status obsolete
YANG nodes in CLI - Add YANG
units
, if available, to CLI help text (default value) - The CLI commands
copy
anderase
are now available also from Bash - Greatly reduced size of bundled curiOS httpd OCI container image, reduced from 1.8 MiB to 281 KiB
- Add deviation to ietf-interfaces.yang,
link-up-down-trap-enable
is not supported (yet) in Infix, issue #709 - The default builds now include the curiOS nftables container image, which can be used for advanced firewall setups. For an introduction see https://kernelkit.org/posts/firewall-container/
Fixes
- Fix #499: add an NACM rule to factory-config, which by default deny everyone to read user password hash(es)
- Fix #663: internal Ethernet interfaces shown in CLI tab completion
- Fix #674: CLI
show interfaces
display internal Ethernet interfaces, regression introduced late in v24.09 release cycle - Fix #676: port dropped from bridge when changing its VLAN membership from tagged to untagged
- Fix #680: replace deviation for
phys-address
in ietf-interfaces.yang withcustom-phys-address
to allow for constructing more free-form MAC addresses based on the chassis MAC (a.k.a., base MAC) address. For more information, see the YANG model, a few examples are listed in the updated documentation. The syntax will be automatically updated in thestartup-config
andfactory-config
-- make sure to verify the changes and update any staticfactory-config
used for your products - Fix #690: CLI
show ip route
command stops working after 24 hours, this includes all operational data in ietf-routing:/routing/ribs. - Fix #697: password is not always set for new users, bug introduced in v24.06.0 when replacing Augeas with native user handling
- Fix #700: add missing
admin-status
to interface operational data - Fix #701: make sure CLI (and Bash)
copy
command use same sysrepo timeout as other operations that load sysrepo. Was 10 second timeout, which caused some (really big) configurations not to apply from the CLI, but worked at boot, for instance. New timeout is 60 seconds - Fix #708: allow all container networks to set interface name inside container, not just auto-generated veth-pair ends for
docker0
bridge - Fix
show interfaces
on platforms like the NanoPi R2S, which does not support reading RMON counters in JSON format usingethtool
- Fix #730: CLI command
show ntp [sources]
stopped working in v24.08. Missing access rights after massive CLI lock-down - Fix BFD in OSPF, previously you could not enable BFD on a single interface without enabling it on all interfaces
Infix v24.09.0
News: this release enhances the integration of all types of static routes with FRRouting (Frr), including all routes that can be set by DHCP and IPvLL (ZeroConf) clients. Due to this fundamental change, the system routing table is now primarily read from Frr, which increases the amount of relevant routing information available to the user. E.g., in the CLI exec command show ip route
and show ipv6 route
. Support for adjusting the administrative distance of all types of static routes has also been added to facilitate site specific adaptations. Please see the documentation for details.
Known Issues
- The CLI command
show interfaces
may for some terminal resolutions not display all interfaces (on systems with >20 interfaces). This problem is limited to the console port and only occurs for smaller terminals (30-50 rows height). Callingshow ifaces
from the shell, dumping/ietf-interfaces:interfaces
XPath usingsysrepocfg
, or using the CLI from an SSH session, is not affected. Issue #659
Changes
- Upgrade Buildroot to 2024.02.6 (LTS)
- Upgrade Linux kernel to 6.6.52 (LTS)
- Upgrade libyang to 3.4.2
- Upgrade sysrepo to 2.11.7
- Upgrade netopeer2 (NETCONF) to 2.2.31
- Updated
infix-routing.yang
to declare deviations for unsupported OSPF RPCs and Notifications inietf-ospf.yang
- The CLI admin-exec command
show dns
now also shows any configured name servers, not just ones acquired via DHCP. Issue #510 - Add support for IPv4 (autoconf)
request-address
. This instructs the ZeroConf client to start with the requested address. If this is not successful the client falls back to its default behavior. Issue #628 - Major speedup (10x) in operational data, in particular when querying interface status. Very noticeable in the CLI
show interfaces
command on devices with large port counts. Issue #651 - Silence
yanger
log warnings for failingmctl
command. Caused bymctl
reporting no multicast filtering enabled on bridge
Fixes
- Fix #357: EUI-64 based IPv6 autoconf address on bridges seem to be randomized. Problem caused by kernel setting a random MAC before any bridge port is added. Fixed by using the device's base MAC address on bridge interfaces. Possible to override using
phys-address
option - Fix #601: CLI regression in
show ospf
family of commands causing authorized users, likeadmin
, to not being able to query status of OSPF or BFD. Workaround by using the UNIX shellsudo vtysh
. Regression introduced in v24.08.0 - Fix #603: regression in GNS3 image, starts in test mode by default. Introduced in v24.08.
- Fix #613: CLI regression in tab completion of container commands, e.g.,
container shell <TAB>
. Regression introduced in v24.08.0 - Fix #616: Silent failure when selecting bash as login shell for non-admin user, this silent lock has been removed
- Fix #618: CLI command
show interfaces
does not show bridges and bridge ports, regression introduced in v24.08.0 -- only affects bridges without multicast snooping - Fix #623: CLI command
container upgrade NAME
does not work, regression introduced in v24.06.0 - Fix #625: initialize sysrepo startup datastore at boot. Improves usability when working directly against the sysrepo datastores from the shell with
sysrepocfg
andsysrepoctl
tools - Fix #635: OSPF: all router neighbors reported as neighbor on every interface
- Fix #638: Disabling IPv4LL (autoconf) on an interface does not clean up 169.254/16 addresses
- Fix #640: unable to set static default route due to priority inversion from DHCP or IPv4LL (ZeroConf) clients setting their routes directly in the kernel. This has resulted in a complete overhaul of route management, using FRRouting for all routes, including DHCP and IPv4LL routes, presentation in the CLI, and also support for custom route preference for static routes
- Fix #658: deleting VETH pairs does not work unless rebooting first. Creating a VETH pair, followed by at least one other reconfiguration before removing the pair, causes
confd
to fail when applying the interface changes (tries to delete both ends of the pair) - Spellcheck path to
/var/lib/containers
when unpacking OCI archives on container upgrade - cli: restore
tcpdump
permissions for administrator level users, regression introduced in v24.08.0 - The timeout before giving up on loading the
startup-config
at boot is now 1 minute, just like operations via other front-ends (NETCONF and RESTCONF). This was previously (incorrectly) set to 10 seconds