I can not reproduce the issue using the following command sequence using VyOS 1.4-rolling-202106010417:
Jun 1 2021
Why are you closing the issue? The bug is not resolved.
@Viacheslav I seem to have found a strange problem. If I run two containers, adguardhome and nginx, they work normally on the same image. However, once I upgrade and boot the new system, these two containers become abnormal and can only be restored manually (first delete them, then recommit them, and the program needs to be modified appropriately). This is a robustness problem which needs to be confirmed. If there is a problem, it needs to be solved!
PR https://github.com/vyos/vyos-1x/pull/860
To make it possible to read RADIUS attributes from a script, the radattr=/run/radattr parameter also needs to be defined.
Note
ipsec-interfaces is not deprecated. This option is needed.
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec esp-group ESP-GRP compression 'disable'
set vpn ipsec esp-group ESP-GRP lifetime '1800'
set vpn ipsec esp-group ESP-GRP mode 'tunnel'
set vpn ipsec esp-group ESP-GRP pfs 'enable'
set vpn ipsec esp-group ESP-GRP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-GRP proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-GRP ikev2-reauth 'no'
set vpn ipsec ike-group IKE-GRP key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GRP lifetime '3600'
set vpn ipsec ike-group IKE-GRP proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GRP proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 authentication pre-shared-secret 'SeCrEt'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 connection-type 'respond'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 ike-group 'IKE-GRP'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 local-address 'c01d:c01a:cafe::2'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 0 esp-group 'ESP-GRP'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 0 local prefix '2001:db7::/64'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 0 remote prefix '2001:db8::/64'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 1 esp-group 'ESP-GRP'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 1 local prefix '10.2.3.0/24'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 1 remote prefix '10.1.0.0/24'
@Viacheslav
I can spin up a working example without VRF.
May 31 2021
@mTx87 Do you have a working example in Linux?
Maybe it also needs OpenVPN >= 2.5.0
https://blog.sdn.clinic/2018/12/openvpn-and-vrfs/
Here are some kernel features we need to consider:
- Disable kexec. The user should never need to swap the kernel.
- Restrict access to /proc/kallsyms for regular users, which makes sense since we're using a custom kernel.
- Set hidepid to prevent regular users from seeing process IDs. Might be too intrusive.
- Harden BPF JIT. Might interfere with XDP. Testing necessary.
- Set kernel lockdown mode. Disables kexec and unprivileged BGP commands. Again, might interfere with XDP.
An easy start would be adding
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic
export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed -Wl,-z,defs
to debian/rules to harden our C programs (which is currently only VyShim and XDP). hardening=+all passes PIE and bindnow linker options to GCC.
Just wanting to chime in here, I think I've been bitten by what appears to be a similar cause.
In T3578#95246, @fernando wrote:
Hi
I tried to replicate that issue with the same version but I couldn't, let me show
vyos@vipv6-lp# run show version
Version: VyOS 1.4-rolling-202104270417
Release Train: sagitta
Built by: [email protected]
Built on: Wed 28 Apr 2021 01:17 UTC
May 30 2021
Turns out this was actually a very small change in the old framework - implemented also on 1.3 and backported to 1.2.8
thank you for the suggestion, I will work on this.
Also mentioned here: https://forum.vyos.io/t/roadwarrior-config-with-ikev2-and-different-user-groups/2457
Maybe a completion helper could work here, too?
When the following command "set system syslog file <filename> facility <keyword> level <keyword>" is applied, then the files are stored in the /var/log/user directory. These files can be deleted using the command "delete log file <text>"
This is possibly a problem on curl's end but funnily enough, there's a similar problem with the native implementation over T3563. Once that's solved, this bug will be rendered moot.
install-image now calls a routine that queries the size of the remote file and aborts if there isn't enough space to download the image.
commit-archive now uses Paramiko for SSH connections instead of curl and directly reads ~/.ssh/known_hosts if it exists.
This is a consequence of using an old Paramiko version. I just sent a PR upping the version of cryptography and Paramiko.
New file transfer script parses the port field in the URL.
Also vpn ipsec site-to-site peer x tunnel x allow-nat-networks and vpn ipsec site-to-site peer x tunnel x allow-public-networks