varesa (Esa Varemo)
User

Projects

User does not belong to any projects.

User Details

User Since
Apr 29 2018, 3:43 PM (308 w, 4 d)

Recent Activity

Feb 17 2021

varesa added a comment to T3259: many dnat rules makes the vyos http api crash, even showConfig op timeouts.

GDB however tells a different story:

vyos@vyos# ps aux | grep cli
root      1624  0.1  1.9  35212 19508 ?        S    12:11   0:00 /bin/cli-shell-api showConfig
root      1684  0.0  0.5   9492  5720 ?        Ss   Feb16   0:00 /sbin/dhclient -4 -nw -cf /var/lib/dhcp/dhclient_eth0.conf -pf /var/lib/dhcp/dhclient_eth0.pid -lf /var/lib/dhcp/dhclient_eth0.leases eth0
vyos      2534  0.0  0.0   6084   892 pts/0    S+   12:22   0:00 grep cli
Feb 17 2021, 12:43 PM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
varesa added a comment to T3259: many dnat rules makes the vyos http api crash, even showConfig op timeouts.

Seems like the issue manifests in cnode-algorithm.cpp:_diff_print_indent:

Feb 17 2021, 12:16 PM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta

Feb 16 2021

varesa added a comment to T3259: many dnat rules makes the vyos http api crash, even showConfig op timeouts.

Tried to mess around/instrument https://github.com/vyos/vyatta-cfg/blob/current/src/cnode/cnode-algorithm.cpp#L924,
ended up losing the active config and /opt/vyatta/config/active becoming empty.

Feb 16 2021, 11:21 PM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
varesa added a comment to T3259: many dnat rules makes the vyos http api crash, even showConfig op timeouts.

It seems that the stall happens in ConfigSession.show_config() which calls /bin/cli-shell-api showConfig.

Feb 16 2021, 9:57 PM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta

Feb 12 2021

varesa added a comment to T3307: address prefix destination NAT fails to render nftables rules / commit.

Created PR: https://github.com/vyos/vyos-1x/pull/731

Feb 12 2021, 10:15 PM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
varesa added a comment to T3307: address prefix destination NAT fails to render nftables rules / commit.

Tested with:

Feb 12 2021, 10:01 PM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
varesa added a comment to T3307: address prefix destination NAT fails to render nftables rules / commit.

Possible fix, pending testing: https://github.com/varesa/vyos-1x/commit/4a0504a96cf0f3078e964ed201f196fb55172e00

Feb 12 2021, 9:45 PM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
varesa created T3307: address prefix destination NAT fails to render nftables rules / commit.
Feb 12 2021, 9:31 PM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta

Jul 22 2020

varesa added a comment to T2725: Config fails to load if user has no password.

Pull request to revert that changed line: https://github.com/vyos/vyos-1x/pull/516

Jul 22 2020, 2:00 PM · VyOS 1.3 Equuleus (1.3.0)
varesa renamed T2725: Config fails to load if user has no password from 1.3-rolling-202007220117 fails to load/migrate config - KeyError: 'password_encrypted' to Recent 1.3 rolling (since May) fail to load config if user has no password - KeyError: 'password_encrypted'.
Jul 22 2020, 1:39 PM · VyOS 1.3 Equuleus (1.3.0)
varesa added a comment to T2725: Config fails to load if user has no password.

Issue only happens if a user is defined without a password, otherwise the correct field gets set:

# Encrypted password
if conf.exists(['authentication', 'encrypted-password']):
    user['password_encrypted'] = conf.return_value(['authentication', 'encrypted-password'])
Jul 22 2020, 1:26 PM · VyOS 1.3 Equuleus (1.3.0)
varesa added a comment to T2725: Config fails to load if user has no password.

https://github.com/vyos/vyos-1x/commit/a07e22377ab83104ac925e13d1824f241f0f8d4a#diff-38def27d6150350cf8bd539da90de66b (T2492) seems to have changed the initialization:

Jul 22 2020, 1:22 PM · VyOS 1.3 Equuleus (1.3.0)
varesa created T2725: Config fails to load if user has no password.
Jul 22 2020, 1:03 PM · VyOS 1.3 Equuleus (1.3.0)

Apr 3 2020

varesa added a comment to T2209: Documentation has reference to the old 'user x level admin' option.

Fix in https://github.com/vyos/vyos-documentation/pull/234

Apr 3 2020, 8:17 PM · VyOS 1.3 Equuleus (1.3.0), Restricted Project
varesa created T2209: Documentation has reference to the old 'user x level admin' option.
Apr 3 2020, 8:15 PM · VyOS 1.3 Equuleus (1.3.0), Restricted Project

Dec 4 2019

varesa added a comment to T1844: Fix interface configuration which was broken in T1762 .

Opened a separate task about the incorrect behaviour with the edit-level: T1846

Dec 4 2019, 11:25 AM
varesa added a comment to T1846: Make session_config not depend on the current edit level.

Created a PR with the above change: https://github.com/vyos/vyos-1x/pull/174

Dec 4 2019, 11:23 AM
varesa added a comment to T1846: Make session_config not depend on the current edit level.

This works better:

diff --git a/python/vyos/config.py b/python/vyos/config.py
index 13b2c10..82483cb 100644
--- a/python/vyos/config.py
+++ b/python/vyos/config.py
@@ -137,7 +137,10 @@ class Config(object):
         if self.__session_env:
             p = subprocess.Popen(cmd, stdout=subprocess.PIPE, env=self.__session_env)
         else:
-            p = subprocess.Popen(cmd, stdout=subprocess.PIPE)
+            env = os.environ
+            env['VYATTA_TEMPLATE_LEVEL'] = '/'
+            env['VYATTA_EDIT_LEVEL'] = '/'
+            p = subprocess.Popen(cmd, stdout=subprocess.PIPE, env=env)
         out = p.stdout.read()
         p.wait()
         if p.returncode != 0:
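
Review bot: In the else branch, "env = os.environ" binds the live process environment rather than a copy, so the two assignments that follow also overwrite VYATTA_TEMPLATE_LEVEL and VYATTA_EDIT_LEVEL for the calling process and for every child it starts later, not only for this Popen call. Taking a copy first ("env = os.environ.copy()") keeps the override local to this one subprocess. The hunk does not show the file's imports, so it is also worth confirming that os is imported in python/vyos/config.py.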
Dec 4 2019, 10:56 AM
varesa added a comment to T1846: Make session_config not depend on the current edit level.

Simple fix could be to just override VYATTA_TEMPLATE_LEVEL and VYATTA_EDIT_LEVEL.

Dec 4 2019, 10:50 AM
varesa added a comment to T1846: Make session_config not depend on the current edit level.

Okay, that doesn't work. It likely requires some variables like these:

VYATTA_ACTIVE_CONFIGURATION_DIR=/opt/vyatta/config/active
VYATTA_CONFIG_TMP=/opt/vyatta/config/tmp/tmp_1929
VYATTA_CHANGES_ONLY_DIR=/opt/vyatta/config/tmp/changes_only_1929
VYATTA_TEMP_CONFIG_DIR=/opt/vyatta/config/tmp/new_config_1929
Dec 4 2019, 10:49 AM
varesa added a comment to T1846: Make session_config not depend on the current edit level.

Seems based on the uses of the Config-class, for example this in vyos-http-api-server:

session = ConfigSession(os.getpid())    
env = session.get_session_env()    
config = vyos.config.Config(session_env=env)

that the intention was to have a clean environment unless called with session_env=something.

Dec 4 2019, 10:37 AM
varesa added a comment to T1846: Make session_config not depend on the current edit level.

Seems like the paths are absolute regardless of the environment variables:

Dec 4 2019, 10:21 AM
varesa updated the task description for T1846: Make session_config not depend on the current edit level.
Dec 4 2019, 10:17 AM
varesa added a comment to T1846: Make session_config not depend on the current edit level.

It would be pretty simple to pass VYATTA_{TEMPLATE,EDIT}_LEVEL=/ as environment variables in Config._run():

Dec 4 2019, 10:16 AM
varesa created T1846: Make session_config not depend on the current edit level.
Dec 4 2019, 10:06 AM
varesa added a comment to T1844: Fix interface configuration which was broken in T1762 .

That is caused by: session_config_text = self._run([self._cli_shell_api, '--show-working-only', '--show-show-defaults', 'showConfig'])

Dec 4 2019, 12:12 AM

Dec 3 2019

varesa added a comment to T1844: Fix interface configuration which was broken in T1762 .

@hagbard That however doesn't fix the issue where the entire config session seems to be invalid if you are not at the top level. After T1758 (commit above) the ConfigTree for session_config only contains nodes under the [edit <node>] level, not the whole config.

Dec 3 2019, 11:59 PM
varesa added a comment to T1844: Fix interface configuration which was broken in T1762 .

Okay, it seems that the major issue here is caused by commit d9ee0b95d1020b6d5412dd011ebb1ef7f6ef3fc7 / [vyos.config] T1758: use vyos.configtree for reading values, instead of calling cli-shell-api.

Dec 3 2019, 11:40 PM
varesa added a comment to T1844: Fix interface configuration which was broken in T1762 .

I just noticed that the contents of that config look an awful lot like the config node ([edit interfaces ethernet eth0]) I was at.

Dec 3 2019, 11:09 PM
varesa added a comment to T1844: Fix interface configuration which was broken in T1762 .

The ConfigTree gets created with config_string:

Dec 3 2019, 10:56 PM
varesa added a comment to T1844: Fix interface configuration which was broken in T1762 .

In configtree.py the function return_value from /usr/lib/libvyosconfig.so.0 gets called with some integer and 'interfaces ethernet'. It returns 'null'.

Dec 3 2019, 10:55 PM
varesa added a comment to T1844: Fix interface configuration which was broken in T1762 .

Regarding the interface not being configured:

Dec 3 2019, 10:51 PM
varesa added a comment to T1844: Fix interface configuration which was broken in T1762 .

The original error for reference:

Dec 3 2019, 10:33 PM
varesa added a comment to T1844: Fix interface configuration which was broken in T1762 .

The above PR gets rid of the exception during commit.

Dec 3 2019, 10:07 PM
varesa updated the task description for T1844: Fix interface configuration which was broken in T1762 .
Dec 3 2019, 10:06 PM
varesa added a comment to T1762: VLAN interface configuration fails after internal representation of edit level was switched from a string to a list.

https://phabricator.vyos.net/rVYOSONEX3400b1dd79702553ebbd40516bf454f3fe47885b seems to have broken interface configuration. See T1844

Dec 3 2019, 10:05 PM · VyOS 1.3 Equuleus (1.3.0)
varesa added a comment to T1844: Fix interface configuration which was broken in T1762 .

Pull request with a fix: https://github.com/vyos/vyos-1x/pull/171

Dec 3 2019, 10:01 PM
varesa created T1844: Fix interface configuration which was broken in T1762 .
Dec 3 2019, 9:48 PM

Jul 13 2019

varesa added a project to T1521: Build instructions: 'make iso' needs root: Restricted Project.
Jul 13 2019, 5:01 PM · Restricted Project
varesa created T1522: If a config session is not close cleanly, the unionfs-mount is not cleaned up in the S1 VyOS Public space.
Jul 13 2019, 4:58 PM · VyOS 1.3 Equuleus (1.3.7), VyOS 1.4 Sagitta, VyOS 1.2 Crux
varesa updated the task description for T1521: Build instructions: 'make iso' needs root.
Jul 13 2019, 12:30 PM · Restricted Project
varesa changed the status of T1521: Build instructions: 'make iso' needs root from Open to Confirmed.
Jul 13 2019, 12:29 PM · Restricted Project
varesa added a comment to T1521: Build instructions: 'make iso' needs root.

https://github.com/vyos/vyos-documentation/pull/74

Jul 13 2019, 12:28 PM · Restricted Project
varesa added a comment to T1521: Build instructions: 'make iso' needs root.

Looking at the Jenkinsfile it seems that missing sudo is the only difference:

Jul 13 2019, 12:26 PM · Restricted Project
varesa created T1521: Build instructions: 'make iso' needs root in the S1 VyOS Public space.
Jul 13 2019, 12:21 PM · Restricted Project

May 20 2019

varesa added a comment to T1385: Allow bonding interfaces to have pseudo-ethernet interfaces.

The place that limits it to only ethernet devices seems to be: https://github.com/vyos/vyatta-cfg-system/blob/crux/templates/interfaces/pseudo-ethernet/node.tag/link/node.def (the checking itself happens at https://github.com/vyos/vyatta-cfg-system/blob/current/scripts/vyatta-interfaces.pl#L377)

May 20 2019, 8:50 PM · VyOS 1.3 Equuleus (1.3.0)

Mar 11 2019

varesa added a comment to T1293: Zone-policy implementation does not allow secondary IP on an interface to communicate.

I managed to reproduce this earlier. These were the generated iptables rules and pinging from any source IP except the first one did not work. https://phabricator.vyos.net/P66
I could see the responses in tcpdump but they were getting blocked (so I assume. They did not reach the running ping program)

Mar 11 2019, 8:04 PM · VyOS 1.3 Equuleus (1.3.0)
varesa triaged T1294: Trying to delete 'system syslog' throws an exception/traceback as Low priority.
Mar 11 2019, 7:40 PM
varesa updated the task description for T1292: Issues while deleting all rules from a firewall.
Mar 11 2019, 7:23 PM · VyOS 1.4 Sagitta
varesa added a comment to T1281: Ability to start DHCP cluster in degraded state.

From the man page:

You can put the server into the PARTNER-DOWN state either by using the omshell (1) command or by stopping the server, editing the last peer state declaration in the lease file, and restarting the server.
Mar 11 2019, 8:44 AM · VyOS 1.3 Equuleus (1.3.7)
varesa created T1292: Issues while deleting all rules from a firewall in the S1 VyOS Public space.
Mar 11 2019, 8:38 AM · VyOS 1.4 Sagitta

Mar 8 2019

varesa added a comment to T1276: dhcp relay + VLAN fails.
In T1276#33655, @syncer wrote:

Wondering if we should disable all offload stuff in virtualized environments (which not make sense anyway)

Mar 8 2019, 9:07 PM · VyOS 1.3 Equuleus (1.3.5), VyOS 1.4 Sagitta, test

Mar 5 2019

varesa added a comment to T1276: dhcp relay + VLAN fails.

I have tested this also with putting the DHCP subnet tagged on the interface itself within proxmox. Same problem occurs... So removing the server from the vlan.interface doesn't change a thing, I could test with the clients on their own interface (ethX) and add that to the relay section instead of ethX.clientVlanId but I doubt if that works.

So I don't see where do you see that this could not be a bug.

Mar 5 2019, 7:01 AM · VyOS 1.3 Equuleus (1.3.5), VyOS 1.4 Sagitta, test

Mar 4 2019

varesa added a comment to T1276: dhcp relay + VLAN fails.

The way ISC DHCP Relay works you need to give it both the upstream and downstream interfaces (e.g. where it will listen to requests and ones where it will talk to the DHCP server). It is also shown (while not explicitly said) in the documentation: https://wiki.vyos.net/wiki/DHCP_relay

Mar 4 2019, 10:40 PM · VyOS 1.3 Equuleus (1.3.5), VyOS 1.4 Sagitta, test
varesa added a comment to T1276: dhcp relay + VLAN fails.

vyos@vyos:~$ sh conf commands
set interfaces ethernet eth0 address '172.16.0.1/24'
[...]
set service dhcp-relay interface 'eth1.40'
set service dhcp-relay interface 'eth1.41'
set service dhcp-relay interface 'eth1.42'
set service dhcp-relay interface 'eth1.100'
set service dhcp-relay interface 'eth1.101'
set service dhcp-relay interface 'eth1.102'
set service dhcp-relay relay-options relay-agents-packets 'discard'
set service dhcp-relay server '172.16.0.10'
[...]

Mar 4 2019, 8:43 PM · VyOS 1.3 Equuleus (1.3.5), VyOS 1.4 Sagitta, test
varesa added a comment to T1276: dhcp relay + VLAN fails.

For those of you with issues with DHCP relay and VLANs, have you:

  • Added the interface that the DHCP server is reachable on to the service dhcp-relay interface <interface> list?
  • Added the sub-interface (e.g. eth0.20) to the interfaces instead of the parent interface (eth0)?
Mar 4 2019, 6:14 PM · VyOS 1.3 Equuleus (1.3.5), VyOS 1.4 Sagitta, test
varesa added a comment to T1276: dhcp relay + VLAN fails.

Tested on:

Mar 4 2019, 3:39 PM · VyOS 1.3 Equuleus (1.3.5), VyOS 1.4 Sagitta, test
varesa added a comment to T1276: dhcp relay + VLAN fails.

I was asked to test with VRRP, still works fine.

Mar 4 2019, 3:37 PM · VyOS 1.3 Equuleus (1.3.5), VyOS 1.4 Sagitta, test
varesa added a comment to T1276: dhcp relay + VLAN fails.

I did not manage to reproduce the issue.

Mar 4 2019, 3:27 PM · VyOS 1.3 Equuleus (1.3.5), VyOS 1.4 Sagitta, test

Feb 28 2019

varesa added a comment to T1246: VyOS 1.2.0 "openvpn-options" configuration does not allow quotes in values.

I should note that this is not my issue/task nor am I personally affected by it. I just pointed out that part of the original issue should be solved by my PR which originated from elsewhere and left my two cents about how to handle the other case here.

Feb 28 2019, 10:21 PM · VyOS 1.3 Equuleus (1.3.0-epa1)
varesa added a comment to T1246: VyOS 1.2.0 "openvpn-options" configuration does not allow quotes in values.
What comes to the quoting of openvpn-option --push "xxx", if we do not want to introduce nested quotes to the parser, maybe we should have a second configuration option dedicated to --push?

There is open-vpn server push-route or so available. Sooner or later that backend will be rewritten.

Feb 28 2019, 12:13 AM · VyOS 1.3 Equuleus (1.3.0-epa1)
varesa added a comment to T1246: VyOS 1.2.0 "openvpn-options" configuration does not allow quotes in values.

What comes to the quoting of openvpn-option --push "xxx", if we do not want to introduce nested quotes to the parser, maybe we should have a second configuration option dedicated to --push?

Feb 28 2019, 12:06 AM · VyOS 1.3 Equuleus (1.3.0-epa1)
varesa added a comment to T1246: VyOS 1.2.0 "openvpn-options" configuration does not allow quotes in values.

@varesa so 'server push-route x.x.x.0/24' does work for you?
The double quotes are an issue with the parser and I doubt that it will be allowed in the future again.

Feb 28 2019, 12:00 AM · VyOS 1.3 Equuleus (1.3.0-epa1)

Feb 27 2019

varesa added a comment to T1259: OpenVPN Server Fails to Start.

In T1246 I noticed that while my fix makes the syntax correct enough that OpenVPN starts, it is actually missing the $variables inside the quotes as the patch changed double quotes to single quotes.
That means that instead of --push "dhcp-option DNS 1.1.1.1" or --push "route 192.168.0.0 255.255.255.0" it started with --push "dhcp-option " and --push "route "

Feb 27 2019, 11:59 PM · vyatta-op-vpn, openvpn, vyatta-openvpn
varesa added a comment to T1246: VyOS 1.2.0 "openvpn-options" configuration does not allow quotes in values.

I went ahead and dug out the other configuration that doesn't work in 1.2.0 either. This is pulled from the config.boot file in the vyos 1.2.0 image I have installed.

openvpn vtun1 {
      description clientvpn
      encryption aes256
      hash sha256
      local-port 1194
      mode server
      protocol tcp-passive
      server {
          name-server x.x.x.4
          name-server x.x.x.3
          push-route x.x.x.0/24
          push-route x.x.x.0/24
          subnet x.x.x.0/24
      }
      tls {
          ca-cert-file /config/auth/ca.crt
          cert-file /config/auth/server.crt
          dh-file /config/auth/dh2048.pem
          key-file /config/auth/server.key
      }
      use-lzo-compression
  }
Feb 27 2019, 8:15 PM · VyOS 1.3 Equuleus (1.3.0-epa1)
varesa added a comment to T1270: DHCP Server on VIF interfaces.

e.g. could indeed be tested to make sure that it works

Feb 27 2019, 9:59 AM · Rejected
varesa added a comment to T1270: DHCP Server on VIF interfaces.

I think the issue you found might still be a valid one, even though it was not the same one that was originally talked about on IRC.

Feb 27 2019, 9:58 AM · Rejected

Feb 21 2019

varesa added a comment to T1259: OpenVPN Server Fails to Start.

PR: https://github.com/vyos/vyatta-openvpn/pull/7

Feb 21 2019, 9:36 PM · vyatta-op-vpn, openvpn, vyatta-openvpn
varesa added a comment to T1259: OpenVPN Server Fails to Start.

Hopefully a fix: https://github.com/varesa/vyatta-openvpn/commit/a0d7c07f1ff0b5fe7450d3a13c1365b8e3589725

Feb 21 2019, 9:31 PM · vyatta-op-vpn, openvpn, vyatta-openvpn
varesa added a comment to T1259: OpenVPN Server Fails to Start.

Produced command seems to be:

Feb 21 2019, 9:02 PM · vyatta-op-vpn, openvpn, vyatta-openvpn
varesa added a comment to T1259: OpenVPN Server Fails to Start.

Also managed to reproduce, some set-commands to help reproduction:

Feb 21 2019, 9:00 PM · vyatta-op-vpn, openvpn, vyatta-openvpn

Jul 10 2018

varesa added a comment to T740: User UID not properly set when add/deleting users.

Above was on 1.1.7, the same thing happens on 1.1.8:

Jul 10 2018, 1:15 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-rc7)
varesa added a comment to T740: User UID not properly set when add/deleting users.

I don't think the alphabetic order is even relevant (or ansible for that matter). Once you delete a user it frees up the UID but leaves the home directory around with the now unused UID. If you re-create users in a different order the UIDs that still own the home directories no longer match the corresponding users.

Jul 10 2018, 1:09 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-rc7)