Merge changes from topic "update-netconf"

* changes:
  buildroot upgrade
  update velia
  introduce sysrepo group for sysrepo-related processes
diff --git a/board/czechlight/common/patches/systemd/0001-network-Serialize-LLDP-neighbor-to-JSON-format.patch b/board/czechlight/common/patches/systemd/0001-network-Serialize-LLDP-neighbor-to-JSON-format.patch
index dc8666c..79fcb9d 100644
--- a/board/czechlight/common/patches/systemd/0001-network-Serialize-LLDP-neighbor-to-JSON-format.patch
+++ b/board/czechlight/common/patches/systemd/0001-network-Serialize-LLDP-neighbor-to-JSON-format.patch
@@ -1,4 +1,4 @@
-From a98772047310c422872163a54ddf17a9669929e0 Mon Sep 17 00:00:00 2001
+From 8d3bd15463b31c5b3347239317fcf1f41d467838 Mon Sep 17 00:00:00 2001
 From: Tomas Pecka <peckato1@users.noreply.github.com>
 Date: Thu, 7 Oct 2021 11:16:57 +0200
 Subject: [PATCH 1/9] network: Serialize LLDP neighbor to JSON format
@@ -142,5 +142,5 @@
  /* Access to LLDP frame metadata */
  int sd_lldp_neighbor_get_source_address(sd_lldp_neighbor *n, struct ether_addr* address);
 -- 
-2.34.1
+2.35.1
 
diff --git a/board/czechlight/common/patches/systemd/0002-network-Add-varlink-server.patch b/board/czechlight/common/patches/systemd/0002-network-Add-varlink-server.patch
index de6b7db..6302127 100644
--- a/board/czechlight/common/patches/systemd/0002-network-Add-varlink-server.patch
+++ b/board/czechlight/common/patches/systemd/0002-network-Add-varlink-server.patch
@@ -1,4 +1,4 @@
-From a99f62ee2c89b3631a23426eedfa477aa9d8dbd9 Mon Sep 17 00:00:00 2001
+From 210ae903e7f5e4813feaea9bbac1f03fa3be42cc Mon Sep 17 00:00:00 2001
 From: Tomas Pecka <peckato1@users.noreply.github.com>
 Date: Tue, 24 Aug 2021 14:59:40 +0200
 Subject: [PATCH 2/9] network: Add varlink server
@@ -16,20 +16,20 @@
  create mode 100644 src/network/networkd-varlink.h
 
 diff --git a/src/network/meson.build b/src/network/meson.build
-index 5857439c5a..430dadbf05 100644
+index 48d185195c..d93e815fdf 100644
 --- a/src/network/meson.build
 +++ b/src/network/meson.build
-@@ -137,6 +137,8 @@ sources = files('''
-         networkd-sysctl.h
-         networkd-util.c
-         networkd-util.h
-+        networkd-varlink.c
-+        networkd-varlink.h
-         networkd-wifi.c
-         networkd-wifi.h
-         tc/cake.c
+@@ -137,6 +137,8 @@ sources = files(
+         'networkd-sysctl.h',
+         'networkd-util.c',
+         'networkd-util.h',
++        'networkd-varlink.c',
++        'networkd-varlink.h',
+         'networkd-wifi.c',
+         'networkd-wifi.h',
+         'tc/cake.c',
 diff --git a/src/network/networkd-manager.c b/src/network/networkd-manager.c
-index 7e89366ae8..9f6a2553f6 100644
+index 9d790224cc..5e4c5e38b4 100644
 --- a/src/network/networkd-manager.c
 +++ b/src/network/networkd-manager.c
 @@ -41,6 +41,7 @@
@@ -40,7 +40,7 @@
  #include "networkd-wifi.h"
  #include "ordered-set.h"
  #include "path-lookup.h"
-@@ -543,6 +544,8 @@ Manager* manager_free(Manager *m) {
+@@ -544,6 +545,8 @@ Manager* manager_free(Manager *m) {
  
          m->fw_ctx = fw_ctx_free(m->fw_ctx);
  
@@ -49,7 +49,7 @@
          return mfree(m);
  }
  
-@@ -552,6 +555,10 @@ int manager_start(Manager *m) {
+@@ -553,6 +556,10 @@ int manager_start(Manager *m) {
  
          assert(m);
  
@@ -135,5 +135,5 @@
 +int manager_varlink_init(Manager *m);
 +void manager_varlink_done(Manager *m);
 -- 
-2.34.1
+2.35.1
 
diff --git a/board/czechlight/common/patches/systemd/0003-network-Add-LLDP-neighbors-method-to-varlink-server.patch b/board/czechlight/common/patches/systemd/0003-network-Add-LLDP-neighbors-method-to-varlink-server.patch
index 2d4bd3f..95bb683 100644
--- a/board/czechlight/common/patches/systemd/0003-network-Add-LLDP-neighbors-method-to-varlink-server.patch
+++ b/board/czechlight/common/patches/systemd/0003-network-Add-LLDP-neighbors-method-to-varlink-server.patch
@@ -1,4 +1,4 @@
-From 04fa6f4d5d019900b084787b9ca2d4439f26d302 Mon Sep 17 00:00:00 2001
+From 2196678308d40ac4bb236776f5d9c23b87480759 Mon Sep 17 00:00:00 2001
 From: Tomas Pecka <peckato1@users.noreply.github.com>
 Date: Wed, 1 Sep 2021 08:30:20 +0200
 Subject: [PATCH 3/9] network: Add LLDP neighbors method to varlink server
@@ -114,5 +114,5 @@
  }
  
 -- 
-2.34.1
+2.35.1
 
diff --git a/board/czechlight/common/patches/systemd/0004-varlink-Implement-varlink_observe_complete.patch b/board/czechlight/common/patches/systemd/0004-varlink-Implement-varlink_observe_complete.patch
index ca5c9f0..a181c0e 100644
--- a/board/czechlight/common/patches/systemd/0004-varlink-Implement-varlink_observe_complete.patch
+++ b/board/czechlight/common/patches/systemd/0004-varlink-Implement-varlink_observe_complete.patch
@@ -1,4 +1,4 @@
-From 4e7bdd09a12d9ed1695980d8edf94841a5c11cd8 Mon Sep 17 00:00:00 2001
+From 072ebba1de115cb31a71f6398c17a1bfdb383ee8 Mon Sep 17 00:00:00 2001
 From: Tomas Pecka <peckato1@users.noreply.github.com>
 Date: Thu, 9 Sep 2021 09:19:05 +0200
 Subject: [PATCH 4/9] varlink: Implement varlink_observe_complete
@@ -70,5 +70,5 @@
  /* Enqueue a final reply */
  int varlink_reply(Varlink *v, JsonVariant *parameters);
 -- 
-2.34.1
+2.35.1
 
diff --git a/board/czechlight/common/patches/systemd/0005-networkctl-lldp-uses-table_empty_string-instead-of-s.patch b/board/czechlight/common/patches/systemd/0005-networkctl-lldp-uses-table_empty_string-instead-of-s.patch
index 141e5af..ed0db4f 100644
--- a/board/czechlight/common/patches/systemd/0005-networkctl-lldp-uses-table_empty_string-instead-of-s.patch
+++ b/board/czechlight/common/patches/systemd/0005-networkctl-lldp-uses-table_empty_string-instead-of-s.patch
@@ -1,4 +1,4 @@
-From 3f997c34cdaef7a66fdb1d0bc10a1bafd4f7e656 Mon Sep 17 00:00:00 2001
+From d17ff9b2b0f3f0d2bfb54f9e3e965874e6df1974 Mon Sep 17 00:00:00 2001
 From: Tomas Pecka <peckato1@users.noreply.github.com>
 Date: Thu, 7 Oct 2021 14:11:45 +0200
 Subject: [PATCH 5/9] networkctl: lldp uses table_empty_string instead of strna
@@ -39,5 +39,5 @@
                                  return table_log_add_error(r);
  
 -- 
-2.34.1
+2.35.1
 
diff --git a/board/czechlight/common/patches/systemd/0006-networkctl-lldp-table-now-ellpsizes-via-table-functi.patch b/board/czechlight/common/patches/systemd/0006-networkctl-lldp-table-now-ellpsizes-via-table-functi.patch
index ef0c2e4..9b5b54c 100644
--- a/board/czechlight/common/patches/systemd/0006-networkctl-lldp-table-now-ellpsizes-via-table-functi.patch
+++ b/board/czechlight/common/patches/systemd/0006-networkctl-lldp-table-now-ellpsizes-via-table-functi.patch
@@ -1,4 +1,4 @@
-From 90271bd69a7488714a51173dcec3f349459761c9 Mon Sep 17 00:00:00 2001
+From 5aa44bfdab3215cf495442fb931a23f88a66d1c7 Mon Sep 17 00:00:00 2001
 From: Tomas Pecka <peckato1@users.noreply.github.com>
 Date: Thu, 7 Oct 2021 14:16:53 +0200
 Subject: [PATCH 6/9] networkctl: lldp table now ellpsizes via table functions
@@ -86,5 +86,5 @@
                                  capabilities = lldp_capabilities_to_string(cc);
                                  all |= cc;
 -- 
-2.34.1
+2.35.1
 
diff --git a/board/czechlight/common/patches/systemd/0007-networkctl-lldp-now-uses-varlink-call.patch b/board/czechlight/common/patches/systemd/0007-networkctl-lldp-now-uses-varlink-call.patch
index d898278..44d0f82 100644
--- a/board/czechlight/common/patches/systemd/0007-networkctl-lldp-now-uses-varlink-call.patch
+++ b/board/czechlight/common/patches/systemd/0007-networkctl-lldp-now-uses-varlink-call.patch
@@ -1,4 +1,4 @@
-From ffcce15c1f130f8a52ab050d009946a50472dfbc Mon Sep 17 00:00:00 2001
+From 1e805d15da85b85dfd54684557da1415b0294903 Mon Sep 17 00:00:00 2001
 From: Tomas Pecka <peckato1@users.noreply.github.com>
 Date: Wed, 15 Sep 2021 14:42:34 +0200
 Subject: [PATCH 7/9] networkctl: lldp now uses varlink call
@@ -209,11 +209,9 @@
 +        if (table_set_empty_string(udata.table, "n/a") < 0)
                  return log_oom();
  
-+        varlink_set_userdata(link, &udata);
-+
-         for (int i = 0; i < c; i++) {
+-        for (int i = 0; i < c; i++) {
 -                _cleanup_fclose_ FILE *f = NULL;
-+                _cleanup_(json_variant_unrefp) JsonVariant *cparams = NULL;
++        varlink_set_userdata(link, &udata);
  
 -                r = open_lldp_neighbors(links[i].ifindex, &f);
 -                if (r == -ENOENT)
@@ -222,18 +220,13 @@
 -                        log_warning_errno(r, "Failed to open LLDP data for %i, ignoring: %m", links[i].ifindex);
 -                        continue;
 -                }
-+                udata.link_name = links[i].name;
- 
+-
 -                for (;;) {
 -                        _cleanup_free_ char *capabilities = NULL;
 -                        const char *chassis_id = NULL, *port_id = NULL, *system_name = NULL, *port_description = NULL;
 -                        _cleanup_(sd_lldp_neighbor_unrefp) sd_lldp_neighbor *n = NULL;
 -                        uint16_t cc;
-+                r = json_build(&cparams, JSON_BUILD_OBJECT(
-+                                        JSON_BUILD_PAIR("ifindex", JSON_BUILD_UNSIGNED(links[i].ifindex))));
-+                if (r < 0)
-+                        return r;
- 
+-
 -                        r = next_lldp_neighbor(f, &n);
 -                        if (r < 0) {
 -                                log_warning_errno(r, "Failed to read neighbor data: %m");
@@ -241,20 +234,24 @@
 -                        }
 -                        if (r == 0)
 -                                break;
-+                r = varlink_observe(link, method, cparams);
-+                if (r < 0)
-+                        return log_error_errno(r, "Failed to execute varlink call: %m");
++        for (int i = 0; i < c; i++) {
++                _cleanup_(json_variant_unrefp) JsonVariant *cparams = NULL;
  
 -                        (void) sd_lldp_neighbor_get_chassis_id_as_string(n, &chassis_id);
 -                        (void) sd_lldp_neighbor_get_port_id_as_string(n, &port_id);
 -                        (void) sd_lldp_neighbor_get_system_name(n, &system_name);
 -                        (void) sd_lldp_neighbor_get_port_description(n, &port_description);
--
++                udata.link_name = links[i].name;
+ 
 -                        if (sd_lldp_neighbor_get_enabled_capabilities(n, &cc) >= 0) {
 -                                capabilities = lldp_capabilities_to_string(cc);
 -                                all |= cc;
 -                        }
--
++                r = json_build(&cparams, JSON_BUILD_OBJECT(
++                                        JSON_BUILD_PAIR("ifindex", JSON_BUILD_UNSIGNED(links[i].ifindex))));
++                if (r < 0)
++                        return r;
+ 
 -                        r = table_add_many(table,
 -                                           TABLE_STRING, links[i].name,
 -                                           TABLE_STRING, chassis_id,
@@ -264,7 +261,10 @@
 -                                           TABLE_STRING, port_description);
 -                        if (r < 0)
 -                                return table_log_add_error(r);
--
++                r = varlink_observe(link, method, cparams);
++                if (r < 0)
++                        return log_error_errno(r, "Failed to execute varlink call: %m");
+ 
 -                        m++;
 -                }
 +                r = varlink_observe_complete(link);
@@ -286,5 +286,5 @@
  
          return 0;
 -- 
-2.34.1
+2.35.1
 
diff --git a/board/czechlight/common/patches/systemd/0008-networkctl-allow-format-LLDP-capabilities-string-wit.patch b/board/czechlight/common/patches/systemd/0008-networkctl-allow-format-LLDP-capabilities-string-wit.patch
index 6b2c299..8e89013 100644
--- a/board/czechlight/common/patches/systemd/0008-networkctl-allow-format-LLDP-capabilities-string-wit.patch
+++ b/board/czechlight/common/patches/systemd/0008-networkctl-allow-format-LLDP-capabilities-string-wit.patch
@@ -1,4 +1,4 @@
-From b6b2ad094aba092aadda307c4d786a541d878211 Mon Sep 17 00:00:00 2001
+From de6ad887e413ee3e66e368f707e08ea84aa72a91 Mon Sep 17 00:00:00 2001
 From: Tomas Pecka <peckato1@users.noreply.github.com>
 Date: Wed, 15 Sep 2021 14:30:19 +0200
 Subject: [PATCH 8/9] networkctl: allow format LLDP capabilities string without
@@ -54,5 +54,5 @@
                  r = table_add_many(udata->table,
                                  TABLE_STRING, udata->link_name,
 -- 
-2.34.1
+2.35.1
 
diff --git a/board/czechlight/common/patches/systemd/0009-networkctl-JSON-output-in-networkctl-lldp.patch b/board/czechlight/common/patches/systemd/0009-networkctl-JSON-output-in-networkctl-lldp.patch
index f85c6c3..fc6a699 100644
--- a/board/czechlight/common/patches/systemd/0009-networkctl-JSON-output-in-networkctl-lldp.patch
+++ b/board/czechlight/common/patches/systemd/0009-networkctl-JSON-output-in-networkctl-lldp.patch
@@ -1,4 +1,4 @@
-From f681abcf74f1a03f64fbcec15c33aae026dcdf51 Mon Sep 17 00:00:00 2001
+From 2fda28e34623cd24752ecad2dcea14f7ab46cb02 Mon Sep 17 00:00:00 2001
 From: Tomas Pecka <peckato1@users.noreply.github.com>
 Date: Wed, 6 Oct 2021 10:11:31 +0200
 Subject: [PATCH 9/9] networkctl: JSON output in networkctl lldp
@@ -6,8 +6,8 @@
 `networkctl lldp` now outputs also in JSON format when `--json=*`
 argument passed. The LLDP neighbors are listed in per interface lists.
 ---
- src/network/networkctl.c | 136 +++++++++++++++++++++++++--------------
- 1 file changed, 88 insertions(+), 48 deletions(-)
+ src/network/networkctl.c | 118 ++++++++++++++++++++++++++-------------
+ 1 file changed, 79 insertions(+), 39 deletions(-)
 
 diff --git a/src/network/networkctl.c b/src/network/networkctl.c
 index 9fbeed6908..0f48aa4bf7 100644
@@ -75,47 +75,6 @@
                  return c;
  
          pager_open(arg_pager_flags);
--
--        udata.table = table_new("link",
--                                "chassis id",
--                                "system name",
--                                "caps",
--                                "port id",
--                                "port description");
--        if (!udata.table)
--                return log_oom();
--
--        if (arg_full)
--                table_set_width(udata.table, 0);
--
--        table_set_header(udata.table, arg_legend);
--
--        assert_se(cell = table_get_cell(udata.table, 0, 0));
--        table_set_minimum_width(udata.table, cell, 16);
--        table_set_maximum_width(udata.table, cell, 16);
--
--        assert_se(cell = table_get_cell(udata.table, 0, 1));
--        table_set_minimum_width(udata.table, cell, 17);
--        table_set_maximum_width(udata.table, cell, 17);
--
--        assert_se(cell = table_get_cell(udata.table, 0, 2));
--        table_set_minimum_width(udata.table, cell, 16);
--        table_set_maximum_width(udata.table, cell, 16);
--
--        assert_se(cell = table_get_cell(udata.table, 0, 3));
--        table_set_minimum_width(udata.table, cell, 11);
--        table_set_maximum_width(udata.table, cell, 11);
--
--        assert_se(cell = table_get_cell(udata.table, 0, 4));
--        table_set_minimum_width(udata.table, cell, 17);
--        table_set_maximum_width(udata.table, cell, 17);
--
--        assert_se(cell = table_get_cell(udata.table, 0, 5));
--        table_set_minimum_width(udata.table, cell, 16);
--        table_set_maximum_width(udata.table, cell, 16);
--
--        if (table_set_empty_string(udata.table, "n/a") < 0)
--                return log_oom();
 +        if (arg_json_format_flags == JSON_FORMAT_OFF) {
 +                TableCell *cell;
 +
@@ -127,36 +86,68 @@
 +                                        "port description");
 +                if (!udata.table)
 +                        return log_oom();
-+
+ 
+-        udata.table = table_new("link",
+-                                "chassis id",
+-                                "system name",
+-                                "caps",
+-                                "port id",
+-                                "port description");
+-        if (!udata.table)
+-                return log_oom();
+-
+-        if (arg_full)
+-                table_set_width(udata.table, 0);
 +                if (arg_full)
 +                        table_set_width(udata.table, 0);
-+
+ 
+-        table_set_header(udata.table, arg_legend);
 +                table_set_header(udata.table, arg_legend);
-+
+ 
+-        assert_se(cell = table_get_cell(udata.table, 0, 0));
+-        table_set_minimum_width(udata.table, cell, 16);
+-        table_set_maximum_width(udata.table, cell, 16);
 +                assert_se(cell = table_get_cell(udata.table, 0, 0));
 +                table_set_minimum_width(udata.table, cell, 16);
 +                table_set_maximum_width(udata.table, cell, 16);
-+
+ 
+-        assert_se(cell = table_get_cell(udata.table, 0, 1));
+-        table_set_minimum_width(udata.table, cell, 17);
+-        table_set_maximum_width(udata.table, cell, 17);
 +                assert_se(cell = table_get_cell(udata.table, 0, 1));
 +                table_set_minimum_width(udata.table, cell, 17);
 +                table_set_maximum_width(udata.table, cell, 17);
-+
+ 
+-        assert_se(cell = table_get_cell(udata.table, 0, 2));
+-        table_set_minimum_width(udata.table, cell, 16);
+-        table_set_maximum_width(udata.table, cell, 16);
 +                assert_se(cell = table_get_cell(udata.table, 0, 2));
 +                table_set_minimum_width(udata.table, cell, 16);
 +                table_set_maximum_width(udata.table, cell, 16);
-+
+ 
+-        assert_se(cell = table_get_cell(udata.table, 0, 3));
+-        table_set_minimum_width(udata.table, cell, 11);
+-        table_set_maximum_width(udata.table, cell, 11);
 +                assert_se(cell = table_get_cell(udata.table, 0, 3));
 +                table_set_minimum_width(udata.table, cell, 11);
 +                table_set_maximum_width(udata.table, cell, 11);
-+
+ 
+-        assert_se(cell = table_get_cell(udata.table, 0, 4));
+-        table_set_minimum_width(udata.table, cell, 17);
+-        table_set_maximum_width(udata.table, cell, 17);
 +                assert_se(cell = table_get_cell(udata.table, 0, 4));
 +                table_set_minimum_width(udata.table, cell, 17);
 +                table_set_maximum_width(udata.table, cell, 17);
-+
+ 
+-        assert_se(cell = table_get_cell(udata.table, 0, 5));
+-        table_set_minimum_width(udata.table, cell, 16);
+-        table_set_maximum_width(udata.table, cell, 16);
 +                assert_se(cell = table_get_cell(udata.table, 0, 5));
 +                table_set_minimum_width(udata.table, cell, 16);
 +                table_set_maximum_width(udata.table, cell, 16);
-+
+ 
+-        if (table_set_empty_string(udata.table, "n/a") < 0)
+-                return log_oom();
 +                if (table_set_empty_string(udata.table, "n/a") < 0)
 +                        return log_oom();
 +        } else {
@@ -192,5 +183,5 @@
  
          return 0;
 -- 
-2.34.1
+2.35.1
 
diff --git a/package/cla-sysrepo/cla-appliance.service.in b/package/cla-sysrepo/cla-appliance.service.in
index 8263bc8..b3ef5b0 100644
--- a/package/cla-sysrepo/cla-appliance.service.in
+++ b/package/cla-sysrepo/cla-appliance.service.in
@@ -11,6 +11,7 @@
 [Service]
 Type=notify
 ExecStart=/usr/bin/cla-sysrepod --io-log-level=5 --properties-log-level=5 --sr-bridge-log-level=5 --sysrepo-log-level=3 --appliance=__MODEL__
+Group=sysrepo
 PrivateTmp=yes
 PrivateDevices=no
 ProtectSystem=yes
diff --git a/package/cla-sysrepo/czechlight-install-yang.service b/package/cla-sysrepo/czechlight-install-yang.service
index b4202b9..4588f71 100644
--- a/package/cla-sysrepo/czechlight-install-yang.service
+++ b/package/cla-sysrepo/czechlight-install-yang.service
@@ -8,6 +8,7 @@
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/bin/bash /usr/bin/czechlight-install-yang.sh
+Group=sysrepo
 
 [Install]
 WantedBy=multi-user.target
diff --git a/package/cla-sysrepo/czechlight-install-yang.sh b/package/cla-sysrepo/czechlight-install-yang.sh
index db2387e..72b3f33 100755
--- a/package/cla-sysrepo/czechlight-install-yang.sh
+++ b/package/cla-sysrepo/czechlight-install-yang.sh
@@ -48,7 +48,7 @@
 
 sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/iana-hardware@2018-03-13.yang
 sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/ietf-hardware@2018-03-13.yang
-sysrepoctl --change ietf-hardware --permissions 0664 --enable-feature hardware-sensor
+sysrepoctl --change ietf-hardware --permissions 0660 --enable-feature hardware-sensor
 
 if [[ ${YANG_ROADM} == 1 ]]; then
     FEATURE_ARGS=""
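Review bot: The `--permissions 0660` on the ietf-hardware line, and on every `--install` in the following hunk, removes world read access, but nothing in the script sets the group, so the module files get whatever primary group the caller happens to have. That works when the script is started from czechlight-install-yang.service with its new `Group=sysrepo`, but a manual run from a root shell would presumably leave the data as root-group 0660, unreadable to non-root members of `sysrepo`. The removed lines show that sysrepoctl accepts `--group`, so passing `--group sysrepo` explicitly next to `--permissions 0660` would make ownership independent of how the script is invoked. The script continues outside this hunk.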
@@ -57,54 +57,41 @@
             FEATURE_ARGS="${FEATURE_ARGS} --enable-feature ${FEATURE}"
         done
     fi
-    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-roadm-device@2021-03-05.yang ${FEATURE_ARGS}
-    sysrepoctl --change czechlight-roadm-device --group optics --permissions 0664
+    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-roadm-device@2021-03-05.yang ${FEATURE_ARGS} --permissions 0660
     sysrepocfg --datastore=startup --format=json --module=czechlight-roadm-device --import="${CLA_YANG}/${INITIAL_DATA}.json"
 fi
 
 if [[ ${YANG_COHERENT} == 1 ]]; then
-    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-coherent-add-drop@2021-03-05.yang
+    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-coherent-add-drop@2021-03-05.yang --permissions 0660
     sysrepocfg --datastore=startup --format=json --module=czechlight-coherent-add-drop --new-data="${CLA_YANG}/${INITIAL_DATA}.json"
-    sysrepoctl --change czechlight-coherent-add-drop --group optics --permissions 0664
+    sysrepoctl --change czechlight-coherent-add-drop --permissions 0660
 fi
 
 if [[ ${YANG_INLINE} == 1 ]]; then
-    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-inline-amp@2021-03-05.yang
+    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-inline-amp@2021-03-05.yang --permissions 0660
     sysrepocfg --datastore=startup --format=json --module=czechlight-inline-amp --import="${CLA_YANG}/${INITIAL_DATA}.json"
-    sysrepoctl --change czechlight-inline-amp --group optics --permissions 0664
 fi
 
 if [[ ${YANG_CALIBRATION} == 1 ]]; then
-    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-calibration-device@2019-06-25.yang
+    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-calibration-device@2019-06-25.yang --permissions 0660
     sysrepocfg --datastore=startup --format=json --module=czechlight-calibration-device --import="${CLA_YANG}/${INITIAL_DATA}.json"
-    sysrepoctl --change czechlight-calibration-device --group optics --permissions 0664
 fi
 
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-system@2014-08-06.yang
-sysrepoctl --change ietf-system --permissions 0664
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-system@2014-08-06.yang --permissions 0660
 
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-lldp@2020-11-04.yang
-sysrepoctl --change czechlight-lldp --permissions 0664
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-lldp@2020-11-04.yang --permissions 0660
 
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-system@2021-01-13.yang
-sysrepoctl --change czechlight-system --permissions 0664
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-system@2021-01-13.yang --permissions 0660
 
 sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/iana-if-type@2017-01-19.yang
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-interfaces@2018-02-20.yang
-sysrepoctl --change ietf-interfaces --permissions 0664
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ip@2018-02-22.yang
-sysrepoctl --change ietf-ip --permissions 0664
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-routing@2018-03-13.yang
-sysrepoctl --change ietf-routing --permissions 0664
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ipv4-unicast-routing@2018-03-13.yang
-sysrepoctl --change ietf-ipv4-unicast-routing --permissions 0664
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ipv6-unicast-routing@2018-03-13.yang
-sysrepoctl --change ietf-ipv6-unicast-routing --permissions 0664
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-network@2021-02-22.yang
-sysrepoctl --change czechlight-network --permissions 0664
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-interfaces@2018-02-20.yang --permissions 0660
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ip@2018-02-22.yang --permissions 0660
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-routing@2018-03-13.yang --permissions 0660
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ipv4-unicast-routing@2018-03-13.yang --permissions 0660
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ipv6-unicast-routing@2018-03-13.yang --permissions 0660
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-network@2021-02-22.yang --permissions 0660
 
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-firewall@2021-01-25.yang
-sysrepoctl --change czechlight-firewall --permissions 0600
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-firewall@2021-01-25.yang --permissions 0600
 sysrepoctl --change ietf-access-control-list --enable-feature match-on-eth --enable-feature eth --enable-feature match-on-ipv4 --enable-feature ipv4 --enable-feature match-on-ipv6 --enable-feature ipv6 --enable-feature mixed-eth-ipv4-ipv6
 
 # If not do not copy here from startup -> running, running might be stale.
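Review bot: The coherent add-drop branch still runs `sysrepoctl --change czechlight-coherent-add-drop --permissions 0660` although its `--install` line now passes `--permissions 0660` already, while the ROADM, inline-amp and calibration branches dropped their follow-up `--change`. If the second call is deliberate, possibly because this branch loads data with `--new-data` rather than `--import`, a short comment above it should say why. Otherwise it looks like a leftover and can be removed so that all four device branches read the same.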
diff --git a/package/czechlight-cfg-fs/cfg-restore-sysrepo.service b/package/czechlight-cfg-fs/cfg-restore-sysrepo.service
index cac0f64..d289933 100644
--- a/package/czechlight-cfg-fs/cfg-restore-sysrepo.service
+++ b/package/czechlight-cfg-fs/cfg-restore-sysrepo.service
@@ -10,6 +10,7 @@
 RemainAfterExit=yes
 ExecStart=/bin/sysrepocfg -d startup -f json --import=/cfg/sysrepo/startup.json
 ExecStart=/bin/sysrepocfg -C startup
+Group=sysrepo
 StandardOutput=journal+console
 
 [Install]
diff --git a/package/czechlight-cfg-fs/nacm-restore.service b/package/czechlight-cfg-fs/nacm-restore.service
index 96dfb7c..2cb3dec 100644
--- a/package/czechlight-cfg-fs/nacm-restore.service
+++ b/package/czechlight-cfg-fs/nacm-restore.service
@@ -9,6 +9,7 @@
 RemainAfterExit=yes
 ExecStart=/bin/sysrepocfg -d startup -m ietf-netconf-acm -f json --import=/usr/share/yang-data/nacm.json
 ExecStart=/bin/sysrepocfg -C startup
+Group=sysrepo
 
 [Install]
 WantedBy=multi-user.target
diff --git a/package/czechlight-cfg-fs/sysrepo-persistent-cfg.service b/package/czechlight-cfg-fs/sysrepo-persistent-cfg.service
index 8f2642c..007bd7b 100644
--- a/package/czechlight-cfg-fs/sysrepo-persistent-cfg.service
+++ b/package/czechlight-cfg-fs/sysrepo-persistent-cfg.service
@@ -7,3 +7,4 @@
 Type=simple
 UMask=0077
 ExecStart=/bin/sh -c 'while true; do inotifywait -e CLOSE_WRITE /etc/sysrepo/data/*.startup && mkdir -p /cfg/sysrepo/ && sysrepocfg -d startup -f json -X > /cfg/sysrepo/startup.json; done'
+Group=sysrepo
diff --git a/package/rousette/rousette.service b/package/rousette/rousette.service
index 1f373e0..cb79d27 100644
--- a/package/rousette/rousette.service
+++ b/package/rousette/rousette.service
@@ -7,6 +7,9 @@
 [Service]
 Type=simple
 ExecStart=/usr/bin/rousette
+User=yangnobody
+Group=yangnobody
+SupplementaryGroups=sysrepo optics
 PrivateTmp=yes
 PrivateDevices=yes
 ProtectSystem=yes
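Review bot: `SupplementaryGroups=sysrepo optics` gives the unprivileged `yangnobody` account group read/write on every module that czechlight-install-yang.sh now installs with mode 0660, so file permissions no longer separate this daemon from the other sysrepo processes; only the 0600 czechlight-firewall data stays out of its reach. If that is intended, per-client access control presumably rests on NACM alone, and a comment above the line would record it, e.g. `# needs rw on sysrepo datastores; per-user access is enforced via NACM`. The same commit removes every `--group optics` from the install script, so `optics` may no longer be needed here and could be dropped unless something outside this diff still relies on it.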
@@ -16,8 +19,6 @@
 LogRateLimitIntervalSec=10
 LogRateLimitBurst=30000
 SyslogLevel=alert
-User=yangnobody
-Group=yangnobody
 
 [Install]
 WantedBy=multi-user.target
diff --git a/package/velia/velia-firewall.service b/package/velia/velia-firewall.service
index 2f4a2f9..1fdb318 100644
--- a/package/velia/velia-firewall.service
+++ b/package/velia/velia-firewall.service
@@ -9,6 +9,7 @@
 [Service]
 Type=simple
 ExecStart=/usr/bin/veliad-firewall
+Group=sysrepo
 PrivateTmp=yes
 PrivateDevices=no
 ProtectSystem=yes
diff --git a/package/velia/velia-hardware-g1.service b/package/velia/velia-hardware-g1.service
index bef35f6..6e09df3 100644
--- a/package/velia/velia-hardware-g1.service
+++ b/package/velia/velia-hardware-g1.service
@@ -12,6 +12,7 @@
 [Service]
 Type=simple
 ExecStart=/usr/bin/veliad-hardware --appliance=czechlight-clearfog
+Group=sysrepo
 PrivateTmp=yes
 PrivateDevices=no
 ProtectSystem=yes
diff --git a/package/velia/velia-hardware-g2.service b/package/velia/velia-hardware-g2.service
index c39c3f8..84342b7 100644
--- a/package/velia/velia-hardware-g2.service
+++ b/package/velia/velia-hardware-g2.service
@@ -13,6 +13,7 @@
 [Service]
 Type=simple
 ExecStart=/usr/bin/veliad-hardware --appliance=czechlight-clearfog-g2
+Group=sysrepo
 PrivateTmp=yes
 PrivateDevices=no
 ProtectSystem=yes
diff --git a/package/velia/velia-health.service b/package/velia/velia-health.service
index f779bf6..05f66c2 100644
--- a/package/velia/velia-health.service
+++ b/package/velia/velia-health.service
@@ -9,6 +9,7 @@
 ExecStartPre=/bin/sh -c 'for COLOUR in red green blue; do echo none > /sys/class/leds/status:$${COLOUR}/trigger; echo 0 > /sys/class/leds/status:green/brightness; done'
 ExecStart=/usr/bin/veliad-health --appliance=czechlight-clearfog --systemd-ignore-unit=systemd-journal-upload.service
 ExecStopPost=/bin/sh -c 'for COLOUR in red green blue; do echo 0 > /sys/class/leds/status:$$COLOUR/brightness; done; [[ "$EXIT_CODE" == "exited" ]] && COLOUR="green" || COLOUR="red"; echo timer > /sys/class/leds/status:$$COLOUR/trigger; echo 256 > /sys/class/leds/status:$$COLOUR/brightness'
+Group=sysrepo
 PrivateTmp=yes
 PrivateDevices=yes
 ProtectSystem=yes
diff --git a/package/velia/velia-system.service b/package/velia/velia-system.service
index cd8db60..6963e91 100644
--- a/package/velia/velia-system.service
+++ b/package/velia/velia-system.service
@@ -9,6 +9,7 @@
 [Service]
 Type=simple
 ExecStart=/usr/bin/veliad-system
+Group=sysrepo
 PrivateTmp=yes
 PrivateDevices=no
 ProtectSystem=yes
diff --git a/submodules/buildroot b/submodules/buildroot
index 2877c45..d110034 160000
--- a/submodules/buildroot
+++ b/submodules/buildroot
@@ -1 +1 @@
-Subproject commit 2877c45ae36b4e8fbc694ea16bfcb16a27c96993
+Subproject commit d110034fea07955f6dca7326ad4472f8979ca21d
diff --git a/submodules/dependencies b/submodules/dependencies
index 18d9301..68b26b0 160000
--- a/submodules/dependencies
+++ b/submodules/dependencies
@@ -1 +1 @@
-Subproject commit 18d9301a741f7dda86cb4586e787577c87214592
+Subproject commit 68b26b06d1378f15f129931339e58523e9f07465
diff --git a/submodules/velia b/submodules/velia
index f5bc8ed..7632360 160000
--- a/submodules/velia
+++ b/submodules/velia
@@ -1 +1 @@
-Subproject commit f5bc8edeb6e930c866e29c1adcaec37a1027b2e4
+Subproject commit 7632360810bd807c3820f138d6bd28a22a014aa5