I met this issue before. But I can save firewall group to a txt then use ipset to load the firewall groups when system boot. It works well. Vyos boot quickly and firewall policy updated well.

Hi guys,

Could this be related to some timeout of the scripts loading the firewall config into iptables at boot time? Longer rulesets would mean longer loading times, until this hypothetical timeout is triggered and the issue manifests?

What it really looks strange to us is that this issue only seems to happen at boot time. Loading and commiting these long rulesets once the VyOS has booted seem to work seamlessly.

Thanks!

I agree with @aibanez
In addition, sometimes it works (but only a very few) while almost always it crashes at startup and interfaces are messed.
Do you guys have any clue/suggestion or any other further test that can be done?

I was looking on this issue. Please find below a description of what I think is the root cause for this issue:

• During boot time VyOs is using udev linux subsystem to rename the network interfaces
  • https://github.com/vyos/vyatta-cfg-system/blob/current/sysconf/65-vyatta-net.rules
  • The rule-set used by udev for ethernet interface rename process can be found in the above link.
  • As you will see in the rule-set a perl script “vyatta_net_name” is used to identify the names of the interfaces that must be renamed.
  • “vyatta_net_name” script is using as identificator the mac address defined in the VyOS configuration using the "hw-id command"
  • https://github.com/vyos/vyatta-cfg-system/blob/current/scripts/vyatta_net_name
• Taking a look on the perl scipt “vyatta_net_name”, at the end of the script we can find the actual logic that caused the issue with our VyOs devices:

if ( -d $VYATTACFG ) {
$newname = hotplug($ifname, $hwaddr);
} else {
  $newname = coldplug($ifname, $hwaddr);
}

• hotplug() and coldplug() are 2 functions that are conditional called by our script as described below:
• hotplug() should be used when on a vyos device that is up and running and a new interface is added
• coldplug() should be used when vyos devices are rebooted – to populate the network interfaces with the correct names
• as you can see in the code the decision is taken based on the existence of a $VYATTACFG directory
• This directory is where the active config for a running VyOs is kept (/opt/vyatta/config/active).

The above logic is ok as long as the VyOS boot time is not taking too long and the $VYATTACFG directory is not created before the udev linux subsystem will load the rule-set for interfaces.
On the other hand, on our case, because we have a very long config file – loading it is very time and resource consuming. Because of this we end up in a situation where $VYATTACFG directory is created before the udev subsystem is executed for all interfaces. And because of this the above "if statement" will use the path with hotplug() function for some of the interfaces and for these interfaces the rename process is not completed successfully.

The solution proposed by me in pull request https://github.com/vyos/vyatta-cfg-system/pull/102 is looking for the existence of config directory for active interfaces "/opt/vyatta/config/active/interfaces" instead of looking only for "/opt/vyatta/config/active" directory.

Hi @zsdc,

I have upgraded a couple of clusters to 1.2.0-rolling+201906240337 and systems started successfully, and I also applied the hotfix indicated in thel pull request (https://github.com/vyos/vyatta-cfg-system/pull/102/files) to several productive clusters by just adding "/interfaces" to $VYATTACFG variable with the same successful results, so I can confirm that the fix provided by @mtudosoiu works great.

So many thanks to him for the fix, great job!

Finally, is this fix expected to be merged in the next stable release (1.2.2)?