Infix v24.06.0

Note: this release contains breaking changes in YANG models
that are incompatible with existing configuration files. So, after
upgrade, but before reboot, a factory reset is required!

Changes

• Upgrade Buildroot to 2024.02.3 (LTS)
• Upgrade Linux kernel to 6.6.34 (LTS)
• Upgrade bundled curiOS httpd container to v24.05.0
• Default web landing page refactored into a Buildroot package to make it possible to overload from customer repos.
• Enable DCB support in aarch64 kernel (for EtherType prio override)
• Topology mapper improvements, including option for deterministic reproduction of logical to physical mappings
• New version of gencert tool, for self signed HTTPS certificates. This allows dropping dependency on building a host rust toolchain
• Issue #374: add timestamps to dagger .log files
• Add small delay in U-Boot to allow stopping boot on reference boards
• Document how to provision the bootloader and Infix on a blank board
• Use initial hostname from /etc/os-release as configuration fallback
• Update documentation for use of VETH pairs in containers
• Issue #454: create bridges in factory-config with IGMP/MLD snooping enabled by default
• The following YANG models have been updated to newer draft versions: ietf-crypto-types, ietf-keystore, ietf-netconf-server, ietf-ssh-common, ietf-ssh-server, ietf-tcp-client, ietf-tcp-common, ietf-tcp-server, ietf-tcp-server, ietf-tcp-server, ietf-tcp-server. In these there are a lot of breaking changes, so you need to redo your configuration from factory-config!
• The Augeas package has been dropped, so augtool is no longer available
• VLAN interfaces can now map the incoming PCP value to the kernel-internal priority on ingress, and perform the reverse mapping on egress.
• mv88e6xxx ports can now use Linux's priority information to select the appropriate egress queue, via the mqprio queuing discipline
• Add logging of output from container start/stop action
• Clean up stale directories after OCI container archive import
• Add support for show leaf-node in CLI configure context
• Allow non-admin users to use the CLI. NACM rules still apply
• Ensure filesystem is sync'ed properly after a CLI copy command
• Issue #178: add early boot script to migrate configuration files of older version to new syntax. Initial, rudimentary support, for the change in shell types
• Issue #308: add version field to configuration file using a new model, infix-meta.yang. Used to trigger migration from older formats to newer on future breaking changes
• Issue #432: extract YANG documentation at build time. Part of the release tarballs is now yangdoc.html for the complete tree of all YANG configuration, operational data, RPCs, and notification nodes
• Issue #435: add support for $factory$ password hash. This allows backing up configuration files with device specific passwords. Upon restore to another device this ensures the replacement's password is used instead of the originals'
• Issue #435: add support for hostname format specifiers. The default hostname configuration is now %h-%m to encode, infix-c0-ff-ee
• Issue #435: support for "empty" NETCONF host keys. Primarily used in static factory-config setups. When a configuration is detected with this, the automatically generated, device specific 2048 bit RSA host key pair is used. With this, vendor/product specific factory-config is now fully supported. See src/confd/README.md
• Issue #447: add support for yescrypt, $y$ hashes. This also adds support for $0$cleartext password according to ietf-system.yang
• Issue #455: split CLI tutorial into multiple files for easy access from the CLI admin-exec context using the help command
• Issue #478: add operational support for ietf-system.yang, reading actual hostname and passwords after issue #435
• Merge infix-shell-types.yang with infix-system.yang
• cli: improved error/warning message on missing or incomplete command

Fixes

• Fix #424: regression, root user can log in without password
• Fix build regressions in cn9130_crb_boot_defconfig caused by upgrade to Buildroot v2024.02 and recent multi-key support in RAUC and U-Boot
• Fix provisioning script after changes to make GRUB loading more robust
• Fix missing /etc/resolv.conf, as noticed by avahi-daemon, when a user calls no system from the CLI
• Fix #428: loss of admin account after upgrade to v24.04
• Fix #429: failing to load startup-config does not trigger the fail secure mode, causing the system to end up in an undefined state
• Fix #453: fix inconsistent behavior of custom MAC address (interface phys-address for VETH pairs. Allows fixed MAC in containers
• Fix #462: increase port column width for CLI show bridge mdb
• Fix #468: non-admin users can get a POSIX shell as login shell, root cause was buggy Augeas library, replaced with plain C API.
• Fix #469: non-admin users added to any group get administrator privileges (added to UNIX wheel group)
• Fix #473: bridge interface with IPv6 SLAAC never get global prefix
• Fix #476: Custom command for containers not working
• Fix #479: timeout from underlying datastore when disabling containers in configuration. Only disabling (stopping) container now done in the configuration change, removal of container done in the background
• Fix locking issue with standard counter groups on mv88e6xxx
• Add missing LICENSE hash for factory reset tool
• Fix timeout handling in container restart command
• Fix MDB/ATU synchronization issue from IGMPv3/MLDv2 reports on mv88e6xxx systems

Infix v24.06.0-rc2

Note: this release contains breaking changes in YANG models
that are incompatible with existing configuration files. So, after
upgrade, but before reboot, a factory reset is required!

Changes

• Upgrade Buildroot to 2024.02.3 (LTS)
• Upgrade Linux kernel to 6.6.34 (LTS)
• Upgrade bundled curiOS httpd container to v24.05.0
• Default web landing page refactored into a Buildroot package to make
  it possible to overload from customer repos.
• Enable DCB support in aarch64 kernel (for EtherType prio override)
• Topology mapper improvements, including option for deterministic
  reproduction of logical to physical mappings
• New version of gencert tool, for self signed HTTPS certificates.
  This allows dropping dependency on building a host rust toolchain
• Issue #374: add timestamps to dagger .log files
• Add small delay in U-Boot to allow stopping boot on reference boards
• Document how to provision the bootloader and Infix on a blank board
• Use initial hostname from /etc/os-release as configuration fallback
• Update documentation for use of VETH pairs in containers
• Issue #454: create bridges in factory-config with IGMP/MLD snooping
  enabled by default
• The following YANG models have been updated to newer draft versions:
  ietf-crypto-types, ietf-keystore, ietf-netconf-server, ietf-ssh-common,
  ietf-ssh-server, ietf-tcp-client, ietf-tcp-common, ietf-tcp-server,
  ietf-tcp-server, ietf-tcp-server, ietf-tcp-server.
  In these there are a lot of breaking changes, most likely
  you will need to redo your configuration from factory-config.
• The Augeas package has been dropped, so augtool is no longer available
• VLAN interfaces can now map the incoming PCP value to the
  kernel-internal priority on ingress, and perform the reverse mapping
  on egress.
• mv88e6xxx ports can now use Linux's priority information to select
  the appropriate egress queue, via the mqprio queuing discipline.
• Add logging of output from container start/stop action
• Clean up stale directories after OCI container archive import
• Add support for show leaf-node in CLI configure context
• Allow non-admin users to use the CLI. NACM rules still apply
• Ensure filesystem is sync'ed properly after a CLI copy command
• Issue #178: add early boot script to migrate configuration files of
  older version to new syntax. Initial, rudimentary support, for the
  change in shell types
• Issue #308: add version field to configuration file using a new
  model, infix-meta.yang. Used to trigger migration from older formats
  to newer on future breaking changes
• Issue #432: extract YANG documentation at build time. Part of the
  release tarballs is now yangdoc.html for the complete tree of all
  YANG configuration, operational data, RPCs, and notification nodes
• Issue #435: add support for $factory$ password hash. This allows
  backing up configuration files with device specific passwords. Upon
  restore to another device this ensures the replacement's password is
  used instead of the originals'
• Issue #435: add support for hostname format specifiers. The default
  hostname configuration is now %h-%m to encode, infix-c0-ff-ee
• Issue #435: support for "empty" NETCONF host keys. Primarily used in
  static factory-config setups. When a configuration is detected with
  this, the automatically generated, device specific 2048 bit RSA host
  key pair is used. With this, vendor/product specific factory-config
  is now fully supported. See src/confd/README.md
• Issue #447: add support for [yescrypt][], $y$ hashes. This also
  adds support for $0$cleartext password according to ietf-system.yang
• Issue #455: split CLI tutorial into multiple files for easy access
  from the CLI admin-exec context using the help command
• Issue #478: add operational support for ietf-system.yang, reading
  actual hostname and passwords after issue #435
• Merge infix-shell-types.yang with infix-system.yang
• cli: improved error/warning message on missing or incomplete command

[yescrypt]: https://en.wikipedia.org/wiki/Yescrypt)

Fixes

• Fix #424: regression, root user can log in without password
• Fix build regressions in cn9130_crb_boot_defconfig caused by upgrade
  to Buildroot v2024.02 and recent multi-key support in RAUC and U-Boot
• Fix provisioning script after changes to make GRUB loading more robust
• Fix missing /etc/resolv.conf, as noticed by avahi-daemon, when a
  user calls no system from the CLI
• Fix #428: loss of admin account after upgrade to v24.04
• Fix #429: failing to load startup-config does not trigger the fail
  secure mode, causing the system to end up in an undefined state
• Fix #453: fix inconsistent behavior of custom MAC address (interface
  phys-address for VETH pairs. Allows fixed MAC in containers
• Fix #462: increase port column width for CLI show bridge mdb
• Fix #468: non-admin users can get a POSIX shell as login shell, root
  cause was buggy Augeas library, replaced with plain C API.
• Fix #469: non-admin users added to any group get administrator
  privileges (added to UNIX wheel group)
• Fix #473: bridge interface with IPv6 SLAAC never get global prefix
• Fix #476: Custom command for containers not working
• Fix #479: timeout from underlying datastore when disabling containers
  in configuration. Only disabling (stopping) container now done in the
  configuration change, removal of container done in the background
• Fix locking issue with standard counter groups on mv88e6xxx
• Add missing LICENSE hash for factory reset tool
• Fix timeout handling in container restart command
• Fix MDB/ATU synchronization issue from IGMPv3/MLDv2 reports on
  mv88e6xxx systems

Infix v24.04.2

Changes

• Add small delay in U-Boot to allow stopping boot on reference boards
• Document how to provision the bootloader and Infix on a blank board
• Use initial hostname from /etc/os-release as configuration fallback

Fixes

• Fix build regressions in cn9130_crb_boot_defconfig caused by upgrade
  to Buildroot v2024.02 and recent multi-key support in RAUC and U-Boot
• Fix provisioning script after changes to make GRUB loading more robust
• Fix missing /etc/resolv.conf, as noticed by avahi-daemon, when a
  user calls no system from the CLI
• Fix #428: loss of admin account after upgrade to v24.04
• Fix #429: failing to load startup-config does not trigger the fail
  secure mode, causing the system to end up in an undefined state

Infix v24.04.1

Changes

• Default web landing page refactored into a Buildroot package to make
  it possible to overload from customer repos.
• Enable DCB support in aarch64 kernel (for EtherType prio override)
• Topology mapper improvements, including option for deterministic
  reproduction of logical to physical mappings
• New version of gencert tool, for self signed HTTPS certificates.
  This allows dropping dependency on building a host rust toolchain
• Issue #374: add timestamps to dagger .log files

Fixes

• Add missing LICENSE hash for factory reset tool
• Fix #424: regression, root user can log in without password

Infix v24.04.0

News: this release marks the first major upgrade of the underlying Buildroot to the latest LTS release, v2024.02. This caused a few small regressions in the release cycle, all known issues have been addressed.

Also worth highlighting, as of this release the Infix Classic variant has been dropped. It was the legacy Infix with manual configuration of the system using a persistent /etc. May be resurrected later as a separate project. Going forward Infix' focus is entirely on NETCONF.

Finally, the YANG Status section has been dropped for this release, the idea is to generate supported features from the models and include in future releases.

Changes

• Bump the base Buildroot version to v2024.02 LTS
• Bump the base Linux kernel version to 6.6 LTS
• Drop Classic variant to reduce overhead, simplify build & release processes, and focus on NETCONF for Arm64 and Amd64 platforms
• Add hostname restrictions to ietf-system, and infix-dhcp-client models. Max 64 characters on Linux systems
• Add mDNS CNAME (alias) advertisement, e.g., infix.local in addition to the default infix-c0-ff-ee.local. Note: this is build-specific and does not change if system hostname is changed
• Add mDNS browser web application, https://network.local that shows all mDNS devices on the LAN. The network.local mDNS name is also a CNAME, so with multiple Infix devices, only one will act as the mDNS browser
• Add temporary landing page to web server for https://infix.local
• Add web console using ttyd, https://infix.local:7681
• Add support for disabling web services using CLI
• The bridge model now has built-in validation of port memberships, i.e., a port must be a bridge member to be used in VLAN filtering
• The bridge model only permits the bridge itself to be a tagged member of VLANs -- meaning, the only way to set an IP address on such bridges is to use a VLAN interface on top
• A VLAN filtering bridge now validates that no IP address has been set. Use a VLAN interface on top for that (see above)
• Restructure documentation, let first page in doc/ be table of contents
• Scripting Infix, new document on how to script Infix from remote, e.g., for production or from a container
• Introduction, update documentation now that the admin user's default login shell is /bin/bash
• System documentation, first outline of how to change hostname, add users, add system administrator users, changing login banner, change the system default editor, and more
• Network documentation, add section on VETH pairs
• Container documentation:
  • CLI prompts have been updated to match the examples used in other parts of the User Guide
  • Default route example for static container interfaces
  • How to upgrade a container image
• As a follow-up to port speed/duplex/autoneg support added in v24.02, this release ensures flow-control is always disabled on all Ethernet ports, as described in the IEEE Ethernet interfaces YANG model
• Add support for core dumps, saving them in /var/crash, max one dump per process, for use with future support tarballs
• Add support for multicast snooping, both IPv4 (IGMP) and IPv6 (MLD) in bridge setups, including offloading to switchdev
• Add support for acting as passive (proxy) or active IGMP querier
• Add support for static multicast filters, MAC, IPv4 and IPv6 groups are supported -- multicast snooping must be enabled
• Include Buildroot legal-info in releases, i.e., licenses, sources with patches, as well as csv files for packages and toolchain
• Drop shell command from CLI to allow confining users
• The CLI copy command now allows absolute paths
• Local resolver, dnsmasq, had port 53 visible from external nmap scans, even though it dropped non-local requests, it now only binds to the loopback interface reduce number of externally visible ports
• Kernel log messages, of severity error or higher, now log directly to the console. This may cause some annoyance but has been enabled to ease debugging, in particular issues where the system crashes before the syslog daemon has flushed logs to disk. (Logs are still saved to log files as well.)
• Issue #325: Add support for multiple administrator users by opening up basic NETCONF ACM support. See documentation for details
  • Any user can be added to the admin NACM group
  • Any user not in the admin group is not allowed to have a login shell other than the CLI (or disabled). POSIX shell, e.g., Bash is reserved for system administrators
• Issue #327: Remove IPv6LL from bridge port interfaces
• Issue #358: translate YANG model's LOWER-LAYER-DOWN -> LINK-DOWN in CLI show interfaces command
• Issue #360: document factory-config, startup-config, and the various failure modes in the system
• Issue #361: document how a privileged container can break out of its confinement and run host commands, e.g., call sysrepocfg
• Issue #365: add limited support for container capabilities, e.g., to enable CAP_NET_RAW to allow containers to use ping. This allows users to avoid enabling privileged mode
• Issue #367: setting date/time over NETCONF now saves system time also to the RTC, which otherwise is only saved on reboot or power-down
• Issue #369: Remove limitation that the routing instance must be named 'default'

Fixes

• confd: Fix memory leak when operating on candidate configuration
• probe: Fix crash on systems without USB
• Reduced syslog errors for accesses no non-existing xpaths
• Fix bogus warning about not properly updating /etc/motd in new motd-banner setting, introduced in v24.02.0
• infix-routing model: the enable configuration setting for OSPF, in default-route-advertise has been obsoleted and replaced by enabled
• Fix #328: when setting up a VLAN filtering bridge, the PVID for bridge ports defaulted to 1, making it impossible to set up "tagged-only" ports which drop ingressing untagged traffic
• Fix #329: VLAN inference for interfaces named eth0.1, i.e., VID 1 on lower-layer-if eth0. Only affects automatic inference in the CLI, entering the values manually (CLI/NETCONF) not affected by this bug
• Fix #331: inconsistent naming of 'enabled' in infix-routing.yang
• Fix #349: minor changes to bridge-port settings, like setting pvid when you forget it, did not take without a reboot
• Fix #353: impossible to remove bridge port with no bridge-port
• Fix #358: MAC address no longer shown for bridge interfaces in CLI show interfaces command
• Fix #365: not possible to run ping from container
• Fix #366: static routes from container host interfaces do not work. Documentation updated with an example
• Fix #368: upgrading oci-archive:/ images fail because system thinks the image can be pulled from a localhost registry. Documentation has also been updated, describing various methods and how to upgrade them
• Fix #370: despite the documentation stating containers must explicitly declare network settings, Infix v23.02 had a late regression that reverted back to the podman default: network behind a CNI bridge (firewalled and NAT:ed, hidden from the rest of the network)
• Fix #375: k8s-logger, used for containers, does not exit properly and causes 100% CPU load when container stop or are restarted. Also in this issue: handle ip/route additions to container networks at runtime
• Fix #384: segfault in helper function when disabling the DHCP client using no dhcp-client from the CLI
• Fix #391 Creating VLAN interface in the CLI with edit interface vlanN does not set VLAN id to N.
• Fix #404: lldpd should be disabled on internal interface dsa0
• Fix #406: an overly restrictive when expression in the bridge YANG model prevented users from adding VLAN interfaces as bridge ports. E.g., creating interface eth0.10 and adding that to br0
• Fix #412: after starting up with DHCP client enabled on any interface set dhcp-client enabled false does not bite at runtime
• Fix #414: spelling error in infix-hardware.yang, leaf node coutry
• Fix #415: startup-config owned by root user and group instead of admin. The file ownership is now adjusted on every boot
• Fix #416: admin user cannot perform a factory reset with RPC using sysrepocfg tool over SSH
• Fix bogus syslog warning about not updating /etc/motd properly

Infix v24.02.0

Note: the root account is disabled in official builds. Only the
admin user can log in to the system. This can be changed, but only
in developer builds: make menuconfig -> System configuration ->
[*]Enable root login with password

YANG Status

Infix devices support downloading all YANG models over NETCONF, including
models with submodules. As a rule, standard models are used as long as
they map to underlying Linux concepts and services. All exceptions are
listed in Infix specific models, detailing deviations and augmentations.

Currently supported models:

• ieee802-ethernet-interface:

  • Toggle port speed & duplex auto-negotiation on/off
  • Set port speed and duplex when auto-negotiation is off
  • Query port speed/duplex and auto-negotiation status (operational)
  • Frame counters:

  YANG	Linux / Ethtool
  out-frames	FramesTransmittedOK
  out-multicast-frames	MulticastFramesXmittedOK
  out-broadcast-frames	BroadcastFramesXmittedOK
  in-total-octets	FramesReceivedOK
  	+ FrameCheckSequenceErrors
  	+ FramesLostDueToIntMACRcvError
  	+ AlignmentErrors
  	+ etherStatsOversizePkts
  	+ etherStatsJabbers
  in-frames	FramesReceivedOK
  in-multicast-frames	MulticastFramesReceivedOK
  in-broadcast-frames	BroadcastFramesReceivedOK
  in-error-undersize-frames	undersize_pkts
  in-error-fcs-frames	FrameCheckSequenceErrors
  in-good-octets	OctetsReceivedOK
  out-good-octets	OctetsTransmittedOK

• ietf-hardware:

  • Populates standard hardware model from corresponding data in device EEPROMs
  • augments:
    • Initial support for USB ports
    • Vital Product Data (VPD) from device EEPROMs (ONIE structure)
  • infix-hardware: Deviations and augments

• ietf-system:

  • augments:
    • Message of the Day (MotD) banner, shown after SSH or console login.
      Please note: the legacy motd has been replaced with motd-banner os
      of v24.02. Use CLI text-editor to modify the latter
    • User login shell, default: /bin/false (no SSH or console login)
    • State information for remotely querying firmware version information
  • deviations:
    • timezone-name, using IANA timezones instead of plain string
    • UTC offset, only support per-hour offsets with tzdata
    • Usernames, clarifying Linux restrictions
    • Unsupported features marked as deviations, e.g. RADIUS
  • infix-system-software: firmware upgrade with install-bundle RPC

• ietf-interfaces:

  • deviation to allow read-write if:phys-address for custom MAC address
  • ietf-ip: augments
    • IPv4LL similar to standardized IPv6LL
  • ietf-ip: deviations (not-supported) added for IPv4 and IPv6:
    • /if:interfaces/if:interface/ip:ipv4/ip:address/ip:subnet/ip:netmask
    • /if:interfaces/if:interface/ip:ipv6/ip:address/ip:status
    • /if:interfaces/if:interface/ip:ipv4/ip:neighbor
    • /if:interfaces/if:interface/ip:ipv6/ip:neighbor
  • ietf-routing: Base model for routing
  • ietf-ipv4-unicast-routing: Static unicast routing, incl. operational
    data, i.e., setting static IPv4 routes and reading IPv4 routing table
  • ietf-ipv6-unicast-routing: Static unicast routing, incl. operational
    data, i.e., setting static IPv6 routes and reading IPv6 routing table
  • ietf-ospf: Limited support for OSPFv2, with additional support for
    injecting default route, and route redistribution. Underlying routing
    engine in use is Frr. Includes operational status + data (routes).
    See infix-routing model for detailed list of deviations
  • infix-ethernet-interface: deviations for ieee802-ethernet-interface
  • infix-routing: Limit ietf-routing to one instance default per
    routing protocol, also details unsupported features (deviations) to both
    ietf-routing and ietf-ospf models, as well as augments made to support
    injecting default route in OSPFv2
  • infix-if-bridge: Linux bridge interfaces with native VLAN support
  • infix-if-type: deviation for interface types, limiting number to
    supported types only. New identities are derived from default IANA
    interface types, ensuring compatibility with other standard models, e.g.,
    ieee802-ethernet-interface.yang
  • infix-if-veth: Linux VETH pairs
  • infix-if-vlan: Linux VLAN interfaces, e.g. eth0.10

• infix-containers: Support for Docker containers, incl. operational data
  to query status and remotely stop/start containers

• infix-dhcp-client: DHCPv4 client, including supported options

• Configurable services:

  • ieee802-dot1ab-lldp: stripped down to an enabled setting
  • infix-services: support for enabling mDNS service/device discovery

Changes

• New hardware support: NanoPi R2S from FriendlyELEC, a simple two-port router
• Static routing support, now also for IPv6
• Dynamic routing support with OSPFv2, limited (see infix-routing.yang for
  deviations), but still usable in most relevant use-cases. If you are using
  this and are interested in more features, please let us know!
  • Multiple area support, including different area types
  • Route redistribution
  • Default route injection
  • Full integration with Bidirectional Forward Detection (BFD)
  • Operational status, including but not limited to:
    • OSPF Router ID
    • Neighbor status
    • OSPF routing table
    • Interface type, incl. passive status
  • For more information, see doc/networking.md
• Support for disabling USB ports in startup-config (no auto-mount yet!)
• Initial support for Docker containers, see documentation for details:
  • Custom Infix model, see infix-containers.yang for details
  • Add image URL/location and volumes/mounts/interfaces to configuration,
    the system ensures the image is downloaded and container created in the
    background before launching it. If now networking is available the job
    is queued and retried every time a new network route is learned
  • Status and actions (stop/start/restart) available in operational datastore
  • Possible to move physical switch ports inside container, see docs
  • Possible to bundle OCI archives in Infix image, as well as storing any
    file content in factory-config to override container image defaults
• IEEE Ethernet interface:
  • Support for setting port speed/duplex or auto-negotiating
  • New per-port counters, augments to IEEE model added in infix-ethernet.yang:
    in-good-octets, out-good-octets
• Many updates to DHCPv4 client YANG model:
  • new options, see infix-dhcp-client.yang for details:
    • Default options: subnet, router, dns+domain, hostname, broadcast, ntpsrv
    • Set NTP servers, require NTP client in ietf-system to be enabled, will
      be treated as non-preferred sources, configured prefer servers wins
    • Learn DNS servers, statically configured serve...

Infix v24.02.0-rc2

Note: the root account is disabled in official builds. Only the
admin user can log in to the system. This can be changed, but only
in developer builds: make menuconfig -> System configuration ->
[*]Enable root login with password

YANG Status

Infix devices support downloading all YANG models over NETCONF, including
models with submodules. As a rule, standard models are used as long as
they map to underlying Linux concepts and services. All exceptions are
listed in Infix specific models, detailing deviations and augmentations.

Currently supported models:

• ieee802-ethernet-interface:

  • Toggle port speed & duplex auto-negotiation on/off
  • Set port speed and duplex when auto-negotiation is off
  • Query port speed/duplex and auto-negotiation status (operational)
  • Frame counters:

  YANG	Linux / Ethtool
  out-frames	FramesTransmittedOK
  out-multicast-frames	MulticastFramesXmittedOK
  out-broadcast-frames	BroadcastFramesXmittedOK
  in-total-octets	FramesReceivedOK
  	+ FrameCheckSequenceErrors
  	+ FramesLostDueToIntMACRcvError
  	+ AlignmentErrors
  	+ etherStatsOversizePkts
  	+ etherStatsJabbers
  in-frames	FramesReceivedOK
  in-multicast-frames	MulticastFramesReceivedOK
  in-broadcast-frames	BroadcastFramesReceivedOK
  in-error-undersize-frames	undersize_pkts
  in-error-fcs-frames	FrameCheckSequenceErrors
  in-good-octets	OctetsReceivedOK
  out-good-octets	OctetsTransmittedOK

• ietf-hardware:

  • Populates standard hardware model from corresponding data in device EEPROMs
  • augments:
    • Initial support for USB ports
    • Vital Product Data (VPD) from device EEPROMs (ONIE structure)
  • infix-hardware: Deviations and augments

• ietf-system:

  • augments:
    • Message of the Day (MotD) banner, shown after SSH or console login.
      Please note: the legacy motd has been replaced with motd-banner os
      of v24.02. Use CLI text-editor to modify the latter
    • User login shell, default: /bin/false (no SSH or console login)
    • State information for remotely querying firmware version information
  • deviations:
    • timezone-name, using IANA timezones instead of plain string
    • UTC offset, only support per-hour offsets with tzdata
    • Usernames, clarifying Linux restrictions
    • Unsupported features marked as deviations, e.g. RADIUS
  • infix-system-software: firmware upgrade with install-bundle RPC

• ietf-interfaces:

  • deviation to allow read-write if:phys-address for custom MAC address
  • ietf-ip: augments
    • IPv4LL similar to standardized IPv6LL
  • ietf-ip: deviations (not-supported) added for IPv4 and IPv6:
    • /if:interfaces/if:interface/ip:ipv4/ip:address/ip:subnet/ip:netmask
    • /if:interfaces/if:interface/ip:ipv6/ip:address/ip:status
    • /if:interfaces/if:interface/ip:ipv4/ip:neighbor
    • /if:interfaces/if:interface/ip:ipv6/ip:neighbor
  • ietf-routing: Base model for routing
  • ietf-ipv4-unicast-routing: Static unicast routing, incl. operational
    data, i.e., setting static IPv4 routes and reading IPv4 routing table
  • ietf-ipv6-unicast-routing: Static unicast routing, incl. operational
    data, i.e., setting static IPv6 routes and reading IPv6 routing table
  • ietf-ospf: Limited support for OSPFv2, with additional support for
    injecting default route, and route redistribution. Underlying routing
    engine in use is Frr. Includes operational status + data (routes).
    See infix-routing model for detailed list of deviations
  • infix-ethernet-interface: deviations for ieee802-ethernet-interface
  • infix-routing: Limit ietf-routing to one instance default per
    routing protocol, also details unsupported features (deviations) to both
    ietf-routing and ietf-ospf models, as well as augments made to support
    injecting default route in OSPFv2
  • infix-if-bridge: Linux bridge interfaces with native VLAN support
  • infix-if-type: deviation for interface types, limiting number to
    supported types only. New identities are derived from default IANA
    interface types, ensuring compatibility with other standard models, e.g.,
    ieee802-ethernet-interface.yang
  • infix-if-veth: Linux VETH pairs
  • infix-if-vlan: Linux VLAN interfaces, e.g. eth0.10

• infix-containers: Support for Docker containers, incl. operational data
  to query status and remotely stop/start containers

• infix-dhcp-client: DHCPv4 client, including supported options

• Configurable services:

  • ieee802-dot1ab-lldp: stripped down to an enabled setting
  • infix-services: support for enabling mDNS service/device discovery

Changes

• New hardware support: NanoPi R2S from FriendlyELEC, a simple two-port router
• Static routing support, now also for IPv6
• Dynamic routing support with OSPFv2, limited (see infix-routing.yang for
  deviations), but still usable in most relevant use-cases. If you are using
  this and are interested in more features, please let us know!
  • Multiple area support, including different area types
  • Route redistribution
  • Default route injection
  • Full integration with Bidirectional Forward Detection (BFD)
  • Operational status, including but not limited to:
    • OSPF Router ID
    • Neighbor status
    • OSPF routing table
    • Interface type, incl. passive status
  • For more information, see doc/networking.md
• Support for disabling USB ports in startup-config (no auto-mount yet!)
• Initial support for Docker containers, see documentation for details:
  • Custom Infix model, see infix-containers.yang for details
  • Add image URL/location and volumes/mounts/interfaces to configuration,
    the system ensures the image is downloaded and container created in the
    background before launching it. If now networking is available the job
    is queued and retried every time a new network route is learned
  • Status and actions (stop/start/restart) available in operational datastore
  • Possible to move physical switch ports inside container, see docs
  • Possible to bundle OCI archives in Infix image, as well as storing any
    file content in factory-config to override container image defaults
• IEEE Ethernet interface:
  • Support for setting port speed/duplex or auto-negotiating
  • New per-port counters, augments to IEEE model added in infix-ethernet.yang:
    in-good-octets, out-good-octets
• Many updates to DHCPv4 client YANG model:
  • new options, see infix-dhcp-client.yang for details:
    • Default options: subnet, router, dns+domain, hostname, broadcast, ntpsrv
    • Set NTP servers, require NTP client in ietf-system to be enabled, will
      be treated as non-preferred sources, configured prefer servers wins
    • Learn DNS servers, statically configured serve...

Infix v24.02.0-rc1

Note: the root account is disabled in official builds. Only the
admin user can log in to the system. This can be changed, but only
in developer builds: make menuconfig -> System configuration ->
[*]Enable root login with password

YANG Status

Infix devices support downloading all YANG models over NETCONF, including
models with submodules. As a rule, standard models are used as long as
they map to underlying Linux concepts and services. All exceptions are
listed in Infix specific models, detailing deviations and augmentations.

Currently supported models:

• ieee802-ethernet-interface:

  • Toggle port speed & duplex auto-negotiation on/off
  • Set port speed and duplex when auto-negotiation is off
  • Query port speed/duplex and auto-negotiation status (operational)
  • Frame counters:

  YANG	Linux / Ethtool
  out-frames	FramesTransmittedOK
  out-multicast-frames	MulticastFramesXmittedOK
  out-broadcast-frames	BroadcastFramesXmittedOK
  in-total-octets	FramesReceivedOK
  	+ FrameCheckSequenceErrors
  	+ FramesLostDueToIntMACRcvError
  	+ AlignmentErrors
  	+ etherStatsOversizePkts
  	+ etherStatsJabbers
  in-frames	FramesReceivedOK
  in-multicast-frames	MulticastFramesReceivedOK
  in-broadcast-frames	BroadcastFramesReceivedOK
  in-error-undersize-frames	undersize_pkts
  in-error-fcs-frames	FrameCheckSequenceErrors
  in-good-octets	OctetsReceivedOK
  out-good-octets	OctetsTransmittedOK

• ietf-hardware:

  • Populates standard hardware model from corresponding data in device EEPROMs
  • augments:
    • Initial support for USB ports
    • Vital Product Data (VPD) from device EEPROMs (ONIE structure)
  • infix-hardware: Deviations and augments

• ietf-system:

  • augments:
    • Message of the Day (MotD) banner, shown after SSH or console login.
      Please note: the legacy motd has been replaced with motd-banner os
      of v24.02. Use CLI text-editor to modify the latter
    • User login shell, default: /bin/false (no SSH or console login)
    • State information for remotely querying firmware version information
  • deviations:
    • timezone-name, using IANA timezones instead of plain string
    • UTC offset, only support per-hour offsets with tzdata
    • Usernames, clarifying Linux restrictions
    • Unsupported features marked as deviations, e.g. RADIUS
  • infix-system-software: firmware upgrade with install-bundle RPC

• ietf-interfaces:

  • deviation to allow read-write if:phys-address for custom MAC address
  • ietf-ip: augments
    • IPv4LL similar to standardized IPv6LL
  • ietf-ip: deviations (not-supported) added for IPv4 and IPv6:
    • /if:interfaces/if:interface/ip:ipv4/ip:address/ip:subnet/ip:netmask
    • /if:interfaces/if:interface/ip:ipv6/ip:address/ip:status
    • /if:interfaces/if:interface/ip:ipv4/ip:neighbor
    • /if:interfaces/if:interface/ip:ipv6/ip:neighbor
  • ietf-routing: Base model for routing
  • ietf-ipv4-unicast-routing: Static unicast routing, incl. operational
    data, i.e., setting static IPv4 routes and reading IPv4 routing table
  • ietf-ipv6-unicast-routing: Static unicast routing, incl. operational
    data, i.e., setting static IPv6 routes and reading IPv6 routing table
  • ietf-ospf: Limited support for OSPFv2, with additional support for
    injecting default route, and route redistribution. Underlying routing
    engine in use is Frr. Includes operational status + data (routes).
    See infix-routing model for detailed list of deviations
  • infix-ethernet-interface: deviations for ieee802-ethernet-interface
  • infix-routing: Limit ietf-routing to one instance default per
    routing protocol, also details unsupported features (deviations) to both
    ietf-routing and ietf-ospf models, as well as augments made to support
    injecting default route in OSPFv2
  • infix-if-bridge: Linux bridge interfaces with native VLAN support
  • infix-if-type: deviation for interface types, limiting number to
    supported types only. New identities are derived from default IANA
    interface types, ensuring compatibility with other standard models, e.g.,
    ieee802-ethernet-interface.yang
  • infix-if-veth: Linux VETH pairs
  • infix-if-vlan: Linux VLAN interfaces, e.g. eth0.10

• infix-containers: Support for Docker containers, incl. operational data
  to query status and remotely stop/start containers

• infix-dhcp-client: DHCPv4 client, including supported options

• Configurable services:

  • ieee802-dot1ab-lldp: stripped down to an enabled setting
  • infix-services: support for enabling mDNS service/device discovery

Changes

• New hardware support: NanoPi R2S from FriendlyELEC, a simple two-port router
• Static routing support, now also for IPv6
• Dynamic routing support with OSPFv2, limited (see infix-routing.yang for
  deviations), but still usable in most relevant use-cases. If you are using
  this and are interested in more features, please let us know!
  • Multiple area support, including different area types
  • Route redistribution
  • Default route injection
  • Full integration with Bidirectional Forward Detection (BFD)
  • Operational status, including but not limited to:
    • OSPF Router ID
    • Neighbor status
    • OSPF routing table
    • Interface type, incl. passive status
  • For more information, see doc/networking.md
• Support for disabling USB ports in startup-config (no auto-mount yet!)
• Initial support for Docker containers, see documentation for details:
  • Custom Infix model, see infix-containers.yang for details
  • Add image URL/location and volumes/mounts/interfaces to configuration,
    the system ensures the image is downloaded and container created in the
    background before launching it. If now networking is available the job
    is queued and retried every time a new network route is learned
  • Status and actions (stop/start/restart) available in operational datastore
  • Possible to move physical switch ports inside container, see docs
  • Possible to bundle OCI archives in Infix image, as well as storing any
    file content in factory-config to override container image defaults
• IEEE Ethernet interface:
  • Support for setting port speed/duplex or auto-negotiating
  • New per-port counters, augments to IEEE model added in infix-ethernet.yang:
    in-good-octets, out-good-octets
• Many updates to DHCPv4 client YANG model:
  • new options, see infix-dhcp-client.yang for details:
    • Default options: subnet, router, dns+domain, hostname, broadcast, ntpsrv
    • Set NTP servers, require NTP client in ie...

Infix v23.11.0

Note: this is the first release where the root account is disabled in default builds. Only the admin user,
generated from factory-config, can log in to the system. This can be changed only in developer builds:
make menuconfig -> System configuration -> [*]Enable root login with password

YANG Status

• ieee802-ethernet-interface: Currently supported (read-only) features:

  • Status of auto-negotiation, and if enabled.
  • Current speed and duplex
  • Frame counters:

  YANG	Linux / Ethtool
  out-frames	FramesTransmittedOK
  out-multicast-frames	MulticastFramesXmittedOK
  out-broadcast-frames	BroadcastFramesXmittedOK
  in-total-octets	FramesReceivedOK
  	+ FrameCheckSequenceErrors
  	+ FramesLostDueToIntMACRcvError
  	+ AlignmentErrors
  	+ etherStatsOversizePkts
  	+ etherStatsJabbers
  in-frames	FramesReceivedOK
  in-multicast-frames	MulticastFramesReceivedOK
  in-broadcast-frames	BroadcastFramesReceivedOK
  in-error-undersize-frames	undersize_pkts
  in-error-fcs-frames	FrameCheckSequenceErrors

• ietf-system:

  • augments:
    • MotD (Message of the Day)
    • User login shell, default: /bin/false (no SSH or console login)
    • State information for remotely querying firmware version information
  • deviations:
    • timezone-name, using IANA timezones instead of plain string
    • UTC offset, only support per-hour offsets with tzdata
    • Usernames, clarifying Linux restrictions
    • Unsupported features marked as deviations, e.g. RADIUS
  • infix-system-software: firmware upgrade with install-bundle RPC

• ietf-interfaces:

  • deviation to allow read-write if:phys-address for custom MAC address
  • ietf-ip: augments
    • IPv4LL similar to standardized IPv6LL
  • ietf-ip: deviations (not-supported) added for IPv4 and IPv6:
    • /if:interfaces/if:interface/ip:ipv4/ip:address/ip:subnet/ip:netmask
    • /if:interfaces/if:interface/ip:ipv6/ip:address/ip:status
    • /if:interfaces/if:interface/ip:ipv4/ip:neighbor
    • /if:interfaces/if:interface/ip:ipv6/ip:neighbor
  • ietf-routing: Base model for routing
  • ietf-ipv4-unicast-routing: Static unicast routing, incl. operational
    data, i.e., setting static IPv4 routes and reading IPv4 routing table
  • infix-ethernet-interface: deviations for ieee802-ethernet-interface
  • infix-routing: Limit ietf-routing to one instance default per
    routing protocol, also details unsupported features (deviations)
  • infix-if-bridge: Linux bridge interfaces with native VLAN support
  • infix-if-type: deviation for interface types, limiting number
    to supported types only. New identities are derived from default
    IANA interface types, ensuring compatibility with other standard
    models, e.g., ieee802-ethernet-interface.yang
  • infix-if-veth: Linux VETH pairs
  • infix-if-vlan: Linux VLAN interfaces, e.g. eth0.10

• Configurable services:

  • ieee802-dot1ab-lldp: stripped down to an enabled setting
  • infix-services: support for enabling mDNS service/device discovery

Changes

• The CLI built-in command password generate has been changed to use the
  secure mode of the pwgen tool, and 13 chars for increased entropy
• The qemu.sh -c command, available in developer builds and the release zip,
  can now be used to modify the RAM size and enable VPD emulation
• Add support for overriding generated factory defaults in derivatives
  using a /etc/confdrc.lcocal file -- incl. updated branding docs.
• Add support for detecting factory reset condition from a bootloader
• Ensure /var is also cleared (properly) during factory reset
• Add support for port auto-negotiation status in operational datastore
• Add CLI support for showing veth pairs in show interfaces
• Speedups to CLI detailed view of a single interface
• Updated documentation of VLAN interfaces and VLAN filtering bridge
• Updated documentation for how to customize services in Hybrid Mode
• In RMA mode (runlevel 9), the system no longer has any login services
• Disable root login in all NETCONF builds, only admin available
• Add support for VPD data in ONIE EEPROM format
• Add iito, the intelligent input/output daemon for LED control
• Add port autoneg and speed/duplex status to operational data
• Upgrade Linux to v6.5.11, with kkit extensions
• Add support for static IPv4 routing using [email protected] and
  [email protected], one default instance only
• Add support for partitioning and self-provisioning of new devices
• Add support for reading admin user's default password from VPD. Devices
  that do not have a VPD can set a password hash in the device tree
• Add support for upgrading software bundles (images) from the CLI.
  Supported remote servers: ftp, tftp, and http/https.
• Traversing the CLI configure context has been simplified by collapsing all
  YANG containers that only contain a single list element. Example:
  edit interfaces interface eth0 becomes edit interface eth0
• Add CLI support for creating configuration backups and transferring files
  to/from remote servers: tftp, ftp, http/https (download only). Issue #155
• Add _netconf-ssh._tcp record to mDNS-SD

Fixes

• Fix #111: fix auto-inference of dynamic interface types (bridge, veth)
• Fix #125: improved feedback on invalid input in configure context
• Fix #198: drop bridge default PVID setting, for VLAN filtering bridge.
  All bridge ports must have explicit VLAN assignment (security)
• Fix #215: impossible to enable NTP client, regression from v23.06.0
• Fix regression in CLI show factory-config command
• Fix missing version in /etc/os-release variable PRETTY_NAME
• Fix failure to start podman in GNS3 (missing Ext4 filesystem feature)
• Fix initial terminal size probing in CLI when logging in from console port
• Fix CLI show running-config, use proper JSON format like other files
• Fix caching of libyang module references in confd. Loading other plugins to
  sysrepo-plugind modifies these references, which may can cause corruption
• Fix missing v in VERSION, VERSION_ID, and IMAGE_VERSION in
  /etc/os-release and other generated files for release builds.

Infix v23.11.0-rc3

Note: this is the first release where the root account is disabled in default builds. Only the admin user, generated from factory-config, can log in to the system. This can be changed only in developer builds: make menuconfig -> System configuration -> [*]Enable root login with password

YANG Status

• ieee802-ethernet-interface: Currently supported (read-only) features:

  • Status of auto-negotiation, and if enabled.
  • Current speed and duplex
  • Frame counters:

  YANG	Linux / Ethtool
  out-frames	FramesTransmittedOK
  out-multicast-frames	MulticastFramesXmittedOK
  out-broadcast-frames	BroadcastFramesXmittedOK
  in-total-octets	FramesReceivedOK
  	+ FrameCheckSequenceErrors
  	+ FramesLostDueToIntMACRcvError
  	+ AlignmentErrors
  	+ etherStatsOversizePkts
  	+ etherStatsJabbers
  in-frames	FramesReceivedOK
  in-multicast-frames	MulticastFramesReceivedOK
  in-broadcast-frames	BroadcastFramesReceivedOK
  in-error-undersize-frames	undersize_pkts
  in-error-fcs-frames	FrameCheckSequenceErrors

• ietf-system:

  • augments:
    • MotD (Message of the Day)
    • User login shell, default: /bin/false (no SSH or console login)
    • State information for remotely querying firmware version information
  • deviations:
    • timezone-name, using IANA timezones instead of plain string
    • UTC offset, only support per-hour offsets with tzdata
    • Usernames, clarifying Linux restrictions
    • Unsupported features marked as deviations, e.g. RADIUS
  • infix-system-software: firmware upgrade with install-bundle RPC

• ietf-interfaces:

  • deviation to allow read-write if:phys-address for custom MAC address
  • ietf-ip: augments
    • IPv4LL similar to standardized IPv6LL
  • ietf-ip: deviations (not-supported) added for IPv4 and IPv6:
    • /if:interfaces/if:interface/ip:ipv4/ip:address/ip:subnet/ip:netmask
    • /if:interfaces/if:interface/ip:ipv6/ip:address/ip:status
    • /if:interfaces/if:interface/ip:ipv4/ip:neighbor
    • /if:interfaces/if:interface/ip:ipv6/ip:neighbor
  • ietf-routing: Base model for routing
  • ietf-ipv4-unicast-routing: Static unicast routing, incl. operational
    data, i.e., setting static IPv4 routes and reading IPv4 routing table
  • infix-ethernet-interface: deviations for ieee802-ethernet-interface
  • infix-routing: Limit ietf-routing to one instance default per
    routing protocol, also details unsupported features (deviations)
  • infix-if-bridge: Linux bridge interfaces with native VLAN support
  • infix-if-type: deviation for interface types, limiting number
    to supported types only. New identities are derived from default
    IANA interface types, ensuring compatibility with other standard
    models, e.g., ieee802-ethernet-interface.yang
  • infix-if-veth: Linux VETH pairs
  • infix-if-vlan: Linux VLAN interfaces, e.g. eth0.10

• Configurable services:

  • ieee802-dot1ab-lldp: stripped down to an enabled setting
  • infix-services: support for enabling mDNS service/device discovery

Changes

• The CLI built-in command password generate has been changed to use the
  secure mode of the pwgen tool, and 13 chars for increased entropy
• The qemu.sh -c command, available in developer builds and the release zip,
  can now be used to modify the RAM size and enable VPD emulation
• Add support for overriding generated factory defaults in derivatives
  using a /etc/confdrc.lcocal file -- incl. updated branding docs.
• Add support for detecting factory reset condition from a bootloader
• Ensure /var is also cleared (properly) during factory reset
• Add support for port auto-negotiation status in operational datastore
• Add CLI support for showing veth pairs in show interfaces
• Speedups to CLI detailed view of a single interface
• Updated documentation of VLAN interfaces and VLAN filtering bridge
• Updated documentation for how to customize services in Hybrid Mode
• In RMA mode (runlevel 9), the system no longer has any login services
• Disable root login in all NETCONF builds, only admin available
• Add support for VPD data in ONIE EEPROM format
• Add iito, the intelligent input/output daemon for LED control
• Add port autoneg and speed/duplex status to operational data
• Upgrade Linux to v6.5.11, with kkit extensions
• Add support for static IPv4 routing using [email protected] and
  [email protected], one default instance only
• Add support for partitioning and self-provisioning of new devices
• Add support for reading admin user's default password from VPD. Devices
  that do not have a VPD can set a password hash in the device tree
• Add support for upgrading software bundles (images) from the CLI.
  Supported remote servers: ftp, tftp, and http/https.
• Traversing the CLI configure context has been simplified by collapsing all
  YANG containers that only contain a single list element. Example:
  edit interfaces interface eth0 becomes edit interface eth0
• Add CLI support for creating configuration backups and transferring files
  to/from remote servers: tftp, ftp, http/https (download only). Issue #155
• Add _netconf-ssh._tcp record to mDNS-SD

Fixes

• Fix #111: fix auto-inference of dynamic interface types (bridge, veth)
• Fix #125: improved feedback on invalid input in configure context
• Fix #198: drop bridge default PVID setting, for VLAN filtering bridge.
  All bridge ports must have explicit VLAN assignment (security)
• Fix #215: impossible to enable NTP client, regression from v23.06.0
• Fix regression in CLI show factory-config command
• Fix missing version in /etc/os-release variable PRETTY_NAME
• Fix failure to start podman in GNS3 (missing Ext4 filesystem feature)
• Fix initial terminal size probing in CLI when logging in from console port
• Fix CLI show running-config, use proper JSON format like other files
• Fix caching of libyang module references in confd. Loading other plugins to
  sysrepo-plugind modifies these references, which may can cause corruption
• Fix missing v in VERSION, VERSION_ID, and IMAGE_VERSION in
  /etc/os-release and other generated files for release builds.