Page MenuHomeVyOS Platform

Canot change configuration after image update from 202207220217 to 202209090217
Closed, InvalidPublicBUG

Description

When i updated vyos image from 202207220217 to 202209090217 i cannot longer edit my configuration. Always i get "Set failed" or "Delete failed" in configuration mode.

So i reinstalled vyos and i can do first edit and commit with no problem. But when i try edit after first commit i get same result "Set failed" or "Delete failed".

I use VyOS in VMs (vrrp configuration) and this problem is replicable on both VMs. When i boot back to 202207220217 i can edit my config again.

Details

Difficulty level
Unknown (require assessment)
Version
202209090217
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

It seems you use some custom scripts for configuration
You have to use

if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) [email protected]"
fi

before your configuration script

Nope, i use CLI for configuration and script for vrrp (wireguard interface enable/disable)

This is my config and scripts if its something wrong with configuration

#!/bin/vbash
source /opt/vyatta/etc/functions/script-template
configure
delete interfaces wireguard wg0 disable
commit
exit
#!/bin/vbash
source /opt/vyatta/etc/functions/script-template
configure
set interfaces wireguard wg0 disable
commit
exit
firewall {
    name lan-languest {
        default-action accept
    }
    name lan-wan {
        default-action accept
    }
    name languest-lan {
        default-action drop
    }
    name languest-wan {
        default-action accept
    }
    name wan-lan {
        default-action drop
    }
    name wan-languest {
        default-action drop
    }
    state-policy {
        established {
            action accept
        }
        invalid {
            action drop
        }
        related {
            action accept
        }
    }
}
high-availability {
    vrrp {
        group LAN {
            address 10.10.10.1/24 {
            }
            advertise-interval 1
            interface eth1
            priority 110
            vrid 10
        }
        group LAN-GUEST {
            address 10.11.11.1/24 {
            }
            advertise-interval 1
            interface eth2
            priority 110
            vrid 11
        }
        sync-group lan-group {
            member LAN
            member LAN-GUEST
            transition-script {
                backup /config/scripts/wg-down.sh
                master /config/scripts/wg-up.sh
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        description WAN-PPPoE
    }
    ethernet eth1 {
        address 10.10.10.253/24
        description LAN
        offload {
            gro
            gso
            sg
            tso
        }
    }
    ethernet eth2 {
        address 10.11.11.253/24
        description LAN-GUEST
        offload {
            gro
            gso
            sg
            tso
        }
    }
    input ifb0 {
        description "pppoe inbound interface"
        traffic-policy {
            out inbound
        }
    }
    loopback lo {
    }
    pppoe pppoe0 {
        authentication {
            password xxxxxxxx
            user xxxxxxxx
        }
        ip {
            adjust-mss 1450
        }
        mtu 1492
        no-peer-dns
        source-interface eth0
    }
    wireguard wg0 {
        address 10.5.5.2/24
        address fd00:10:5:5::2/120
        mtu 1300
        peer domain.xyz {
            address xxx.xxx.xxx.xxx
            allowed-ips 0.0.0.0/0
            persistent-keepalive 20
            port 444
            preshared-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
            public-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        }
        private-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    }
}
nat {
    source {
        rule 1 {
            destination {
                address 0.0.0.0/0
            }
            outbound-interface pppoe0
            translation {
                address masquerade
            }
        }
    }
}
policy {
    local-route {
        rule 10 {
            set {
                table 10
            }
            source 10.10.10.130
        }
    }
}
protocols {
    static {
        route 10.20.20.0/24 {
            next-hop 10.5.5.1 {
            }
        }
        route 10.21.21.0/24 {
            next-hop 10.5.5.1 {
            }
        }
        route 10.30.30.0/24 {
            next-hop 10.5.5.1 {
            }
        }
        route 10.31.31.0/24 {
            next-hop 10.5.5.1 {
            }
        }
        table 10 {
            route 0.0.0.0/0 {
                next-hop 10.5.5.1 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        failover {
            name lan-dhcp
            remote 10.10.10.254
            source-address 10.10.10.253
            status secondary
        }
        hostfile-update
        shared-network-name lan {
            domain-name lan
            domain-search lan
            subnet 10.10.10.0/24 {
                default-router 10.10.10.1
                description lan-subnet
                enable-failover
                name-server 10.10.10.254
                name-server 10.10.10.253
                ping-check
                range pool01 {
                    start 10.10.10.210
                    stop 10.10.10.240
                }
                static-mapping XX1 {
                    ip-address 10.10.10.50
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping XX2 {
                    ip-address 10.10.10.101
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping XX3 {
                    ip-address 10.10.10.120
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping XX4 {
                    ip-address 10.10.10.51
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping XX5 {
                    ip-address 10.10.10.202
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping XX6 {
                    ip-address 10.10.10.20
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping XX7 {
                    ip-address 10.10.10.203
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping XX8 {
                    ip-address 10.10.10.201
                    mac-address xx:xx:xx:xx:xx:xx
                }
                static-mapping XX9 {
                    ip-address 10.10.10.103
                    mac-address xx:xx:xx:xx:xx:xx
                }
            }
        }
        shared-network-name lan-guest {
            ping-check
            subnet 10.11.11.0/24 {
                default-router 10.11.11.1
                enable-failover
                name-server 10.11.11.254
                name-server 10.11.11.253
                ping-check
                range pool02 {
                    start 10.11.11.10
                    stop 10.11.11.240
                }
            }
        }
    }
    dns {
        forwarding {
            allow-from 10.0.0.0/8
            authoritative-domain lan {
                records {
                    a XY1 {
                        address 10.10.10.30
                    }
                    a XY2 {
                        address 10.30.30.2
                    }
                    a XY3 {
                        address 10.10.10.50
                    }
                    a XY4 {
                        address 10.10.10.101
                    }
                    a XY5 {
                        address 10.20.20.150
                    }
                    a XY6 {
                        address 10.10.10.120
                    }
                    a XY7 {
                        address 10.10.10.100
                    }
                    a XY8 {
                        address 10.20.20.2
                    }
                    a XY9 {
                        address 10.20.20.3
                    }
                    a XY10 {
                        address 10.10.10.202
                    }
                    a XY11 {
                        address 10.20.20.5
                    }
                    a XY12 {
                        address 10.10.10.20
                    }
                    a XY13 {
                        address 10.20.20.1
                    }
                    a XY14 {
                        address 10.10.10.31
                    }
                    a XY15 {
                        address 10.30.30.1
                    }
                    a XY16 {
                        address 10.10.10.103
                    }
                    a XY17 {
                        address 10.10.10.1
                    }
                    a XY18 {
                        address 10.10.10.3
                    }
                    a XY19 {
                        address 10.10.10.2
                    }
                    a XY20 {
                        address 10.10.10.254
                    }
                    a XY21 {
                        address 10.10.10.253
                    }
                    a XY22 {
                        address 10.11.11.2
                    }
                    cname XZ1 {
                        target XY1
                    }
                    cname XZ2 {
                        target XY1
                    }
                }
            }
            listen-address 10.10.10.253
            listen-address 10.11.11.253
            system
        }
    }
    snmp {
        community public {
            authorization ro
        }
        location BA
    }
    ssh {
        listen-address 10.10.10.253
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name lan
    host-name yama02
    login {
        user admin {
            authentication {
                encrypted-password $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
            }
        }
    }
    name-server 193.17.47.1
    name-server 185.43.135.1
    name-server 1.1.1.1
    name-server 8.8.8.8
    ntp {
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    static-host-mapping {
        host-name XA1 {
            inet 10.10.10.3
        }
        host-name XA2 {
            inet 10.10.10.254
        }
        host-name XA3 {
            inet 10.10.10.253
        }
        host-name XA4 {
            inet 10.11.11.2
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Bratislava
}
traffic-policy {
    shaper inbound {
        bandwidth 750mbit
        default {
            bandwidth 100%
            burst 15k
            queue-type fq-codel
        }
        description SQM_inbound_rule
    }
}
zone-policy {
    zone LAN {
        default-action drop
        from LAN-GUEST {
            firewall {
                name languest-lan
            }
        }
        from WAN {
            firewall {
                name wan-lan
            }
        }
        interface eth1
        interface wg0
    }
    zone LAN-GUEST {
        default-action drop
        from LAN {
            firewall {
                name lan-languest
            }
        }
        from WAN {
            firewall {
                name wan-languest
            }
        }
        interface eth2
    }
    zone WAN {
        default-action drop
        from LAN {
            firewall {
                name lan-wan
            }
        }
        from LAN-GUEST {
            firewall {
                name languest-wan
            }
        }
        interface pppoe0
    }
}

When i try edit config i get this.

[email protected]# set interfaces pppoe pppoe0 description "telekom uplink"

  Set failed

[edit]
[email protected]# ru show system image 
The system currently has the following image(s) installed:

   1: 1.4-rolling-202209090217 (default boot) (running image)
   2: 1.4-rolling-202207220217
   3: 1.4-rolling-202206050217

[edit]
[email protected]#

Both firewalls are running as VMs (Proxmox configs)

agent: 1
balloon: 0
boot: order=scsi0;ide2
cores: 4
cpu: host,flags=+aes
cpuunits: 2048
description: 
ide2: none,media=cdrom
memory: 2048
meta: creation-qemu=6.2.0,ctime=1650664693
name: yama02.lan
net0: virtio=72:4C:67:24:7B:5D,bridge=vmbr1
net1: virtio=22:7B:C3:07:71:77,bridge=vmbr0
net2: virtio=56:4C:38:1D:B3:23,bridge=vmbr0,tag=11
numa: 1
onboot: 1
ostype: l26
scsi0: local-lvm01:vm-253-disk-0,discard=on,iothread=1,size=4G
scsihw: virtio-scsi-single
serial0: socket
smbios1: uuid=a7b40860-d622-423b-8588-fa0e5081ff3a
sockets: 1{F3190031}
startup: up=20
vmgenid: 38024cea-e1fd-435f-bece-3b074cc59e03

Also i have problem with VyOS 1.4 stability on SFF PC from Aliexpress (Proxmox VE VyOS as VM) with N6005 + 4x 2.5Gbit Intel NICs. After some time VyOS ends up in kernel panic. But other VMs runs just fine. I tried set CPU to kvm64 and disable offload settings, but nothing. Second VyOS is on AMD TR 1920x CPU and no kernel panics. (backups are also disabled for VyOSes). But this is second problem of course. (Screenshot from 2022-09-10 23-07-13.png)

(edit) Ok problem with kernel panic looks related to Proxmox kernel on Intel 11gen cpus
https://forums.servethehome.com/index.php?threads/topton-jasper-lake-quad-i225v-mini-pc-report.36699/page-35#post-346943

As I mentioned above, use it before the configuration, it described in the doc

#!/bin/vbash

if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) [email protected]"
fi

source /opt/vyatta/etc/functions/script-template
configure
delete interfaces wireguard wg0 disable
commit
exit

Ok now its working. Thanks. My bad.