Please find below, with some comments redacted.

I can't reproduce it with the code in the rolling image that will be available by tomorrow.

Can you please share your configuration on the pppoe interface with us?

The only major differences I've noticed are the kernel versions:

Re-assigning to @Dmitry after checking with him as he's more experienced here.

Where do I get the local address from? Can you share your complete config? Maybe we need source-address or something similar in CLI.

Yes - there are some parts which make use of this bad practice (mostly introduced by me), cleanup required.

There is an issue with storing the state of the interface and then applying it in bulk. For some interface we want to admin it down before performing change and then bringing it back up.
If we store this then only the change and the up command will be applied, this is not going to work.

@cpo should another task be created to make sure we exclude the interfaces themself from source-interface (s) ?

https://github.com/vyos/vyos-1x/pull/316

https://github.com/vyos/vyos-1x/pull/314

Hello, @adestis!
Support of transition-scripts was added to sync-groups in a rolling version.

I have investigated this a bit. Most operations for ports are doing one-by-one. Deleting as I see is always done in this way. Adding a range is done by a single command, but checking ports are doing one-by-one.
If we skip/change mentioned checking for adding ports, this should decrease initial commit time. But when we try to change/delete ports, the issue will back.
I think that there should be better to reimplement the whole firewall group section in Python, instead of fixing this logic now.

PR for this task https://github.com/vyos/vyos-1x/pull/313

thanks to @runborg .. my own initial attempt to syslog failed (facility level ??)
This works

import logging
import logging.handlers
my_logger = logging.getLogger('MyLogger')  # logger is singleton
my_logger.setLevel(logging.DEBUG)
handler = logging.handlers.SysLogHandler(address='/dev/log', facility="auth")
my_logger.addHandler(handler)
my_logger.critical('this is critical')

Personally I'd use systemd-journald which I think provides the same logging facilities as rsyslog used to, but vyos still runs both. IMO the logging section is a mess and would need a complete rewrite to journal.

@dmbaturin I was aked on slack to report the information via syslog. However the syslog server is not listening on on UDP port 514 on localhost. How would you like to proceed ?
should it be opened (I am not sure where this should be configured) or should the log be written on the drive using the python logging module (as I currently have implemented).

@cpo AFAIU the patches are not right as the code making use of Config() in the verify() section and AFAIU this is against the separation between get_config()

Already possible via Cloud-init. For different environments may be required differently tuned images (data sources, additional tools like guest agents, etc.).

I think I can pinpoint it down to the mesh generation using wireguard. Please see the logs of two failed nodes attached. I dont find older rotations of the log file. Thats all I have.

Looks good. I don't have merge access but this definitely is a fix to an oversight in the build.

@chrismarget we autogenerate list of resolved issues for releases
so tasks names should be with more context

Not really, just make sure you include VyOS 1.3 project so we can track what can be backported
you will need to adjust your PR message to include task number T2239

Did I do the wrong thing by tagging this for vyos-build?

@fetzerms I was mistaken: cfg-stdout.log is logrotated, but not removed on boot, and this is useful info. When you are able to reproduce, please share. I believe the corner case I am seeing is distinct but related to what you are seeing. Thanks.

The automatic helper assignment is enabled in both the LTS and the current rolling releases. The only thing that is needed to make the TFTP working is to allow the udp/69 and "related" traffic.

The automatic helper assignment is enabled in both the LTS and the current rolling releases. The only thing that is needed to make the FTP working is to allow the tcp/21, "related" and "established" traffic.

merged.

@UnicronNL

vyos@R3# run show version all | match strongswan
ii  strongswan                       5.7.2-1                             all          IPsec VPN solution metapackage

But in this case, we have an issue with command

vyos@R3# sudo ip link add tun0 type gretap local 0.0.0.0
RTNETLINK answers: File exists

In old scripts, tunnels were created by following commands

ip tunnel add tun0 local 0.0.0.0 mode gre key 1 ttl 255 tos inherit
ip link set tun0 multicast on allmulticast on up
ip addr add 10.0.0.4/24 broadcast + dev tun0
ip tunnel cha tun0 local 0.0.0.0

@Dmitry @c-po is this an other version of strongswan? or is this the strongswan with dmvpn pathes in from vyos repo?

The main reason for this issue - we can't create properly tunnel

set interfaces tunnel tun0 address 10.0.0.3/24
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 0.0.0.0
set interfaces tunnel tun0 multicast enable
set interfaces tunnel tun0 parameters ip key 1

@fetzerms I am able to reproduce this, in a manner that's not completely clean, but which will allow me to investigate further. Feel free to add any other details you run across; thanks.

@c-po let me reproduce this locally, I will find an answer.

@Dmitry maybe you have an idea why?