vyos / vyos.vyos

Ansible Network Collection for VyOS
GNU General Public License v3.0

T6815:Fix compatibility with 1.3-1.5 of VyOS (Step 1) #352

Open gaige opened 3 months ago

gaige commented 3 months ago

Change Summary

This set of changes enables compatibility with a variety of parameters that were previously only compatible with version 1.2 of VyOS. Wherever possible, configuration is backward compatible.

Types of changes

Related Task(s)

https://vyos.dev/T6815

Related PR(s)

Proposed changes

There are a couple of things I’m interested in comments on:

  1. There are multiple changes in here for support of 1.3 and 1.4 of VyOS (and 1.5 effectively); as such, it’s sizeable. I can theoretically break it up by command if we desire, although it’ll be additional work.
  2. There were configuration parameters that were moved in substantial ways between versions. I’m looking to see if we should add a version parameter to override situations where you need to do things like operate on non-live configurations (and because the ResourceModule doesn’t really deal easily with multiple overlapping templates). I don’t want to put these as new modules, as the configs are nearly identical.
  3. From the previous paragraph, there are a couple of small breaking changes. I tried to heed the configuration as much as possible, but there were versions that I could make backward-compatible, but not effectively forward-compatible. I have done so in these cases, and the firewall rules have changes around the tcp flags that are not backward-compatible, which is noted.

How to test

Tested against 1.3 and 1.5 of VyOS manually using --dry-run for both ingestion and change. Updated and tested unit tests. Ran sanity tests.

Checklist:

sdwilsh commented 1 month ago

Another two things that don't work well with 1.5-rolling right now: pretty much every part of vyos_firewall_global (the only thing that I'm seeing work is group, alas), and I'm having issues with vyos_ntp_global as well.

gaige commented 1 month ago

> Another two things that don't work well with 1.5-rolling right now: pretty much every part of vyos_firewall_global (the only thing that I'm seeing work is group, alas), and I'm having issues with vyos_ntp_global as well.

Appreciate the heads up. More detail on what commands you are using and seeing problems with would be helpful. Right now I’m testing on 3 virtual and 3 hardware VyOS systems using a real-world configuration. However, my production systems don’t use all commands or capabilities.

Thanks

sdwilsh commented 1 month ago

For vyos_firewall_global: https://github.com/sdwilsh/ansible-playbooks/blob/main/plays/vyos.yml#L53-L76 (group is fine, but the default there would work for testing)

For vyos_ntp_global: https://github.com/sdwilsh/ansible-playbooks/blob/main/plays/vyos.yml#L30-L37