Page MenuHomeVyOS Platform
Create Task
Maniphest T850

Change Request: Handle non existing listen-address assignments in e.g. TFTP or SNMP
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

Lets assume we have a service where we can configure a listen-address (TFTP/SNMP) and that address is crucial for the service to operate - meaning service won't start if this address is not present on the system. Should we raise ConfigError() in the Python script?

This can be ok - during system runtime - but also it could have the following sideeffect:
Imagine the user de-configures the interface with this listen-address delete interface ethernet eth0 address <x.x.x.x> commits the config (no checks on the TFTP/SNMP service are performed) and then save this config. On the subsequent OS reboot the SNMP/TFTP service will be removed from the running config b/c the verify() stage in the Python scripts see that there is a non-assigned IP address configured. => Users may think of a BUG in VyOS.

Other services like pdns recursor don't have this hard limitation as they can be bound to non-existing IP addresses (imagine VRRP) and make use of them the second the IP address get's really assigned on the host.

Change Request
If a listen address is configured - but not available on the system - bind the service to at least localhost (127.0.0.1, [::1]) to not expose it on all IP addresses on the system as when listen-address has not been specified. On commit we will inform the user about this miss-configuration making everything save (for reboots) and not loose configuration fragments.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedFEATURE REQUESTc-poT850 Change Request: Handle non existing listen-address assignments in e.g. TFTP or SNMP
 ResolvedFEATURE REQUESTc-poT847 SNMP add listen-address validator

Event Timeline

c-po created this task.Sep 16 2018, 6:11 PM
c-po added a subtask: T847: SNMP add listen-address validator.
c-po updated the task description. (Show Details)
c-po added a comment.Sep 16 2018, 6:34 PM

Invalid SNMP addresses must be filtered, else the service won't start with this error message:

Sep 16 20:32:58 LR1 snmpd[4848]: Error opening specified endpoint "udp:192.168.1.1:161"
Sep 16 20:32:58 LR1 snmpd[4848]: Server Exiting with code 1
Sep 16 20:32:58 LR1 snmpd[4845]: Starting SNMP services::
Sep 16 20:32:58 LR1 systemd[1]: snmpd.service: control process exited, code=exited status=1
Sep 16 20:32:58 LR1 systemd[1]: Failed to start LSB: SNMP agents.
Sep 16 20:32:58 LR1 systemd[1]: Unit snmpd.service entered failed state.
c-po closed subtask T847: SNMP add listen-address validator as Resolved.Sep 16 2018, 7:24 PM
c-po moved this task from Need Triage to In Progress on the VyOS 1.2 Crux board.Sep 18 2018, 5:16 PM
syncer triaged this task as Normal priority.Sep 25 2018, 2:02 PM
pasik added a subscriber: pasik.Oct 1 2018, 9:47 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc4); removed VyOS 1.2 Crux.Oct 13 2018, 10:08 AM
syncer moved this task from Needs Triage to In Progress on the VyOS 1.2 Crux (VyOS 1.2.0-rc4) board.
c-po merged a task: T482: SNMP: non verbose error message on wrong listen-address.Oct 20 2018, 9:37 PM
c-po added a subscriber: dmbaturin.

Both SNMP and TFTP now print a warning. In a subsequent step we could change this to be an error on commit and introduce a migration script deleting invalid addresses to not kill currently deployed configs!

c-po closed this task as Resolved.Oct 20 2018, 9:38 PM
c-po claimed this task.
syncer added a project: VyOS-1.2.0-GA.Oct 20 2018, 9:39 PM
syncer moved this task from In Progress to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc4) board.