
Problem migrating from 1.3-rolling-202002050217 to current
Closed, ResolvedPublic

Assigned To
Authored By
SteveP
Feb 18 2020, 12:15 PM
Tags
None
Referenced Files
F474168: config-05.boot
Feb 25 2020, 6:16 PM
F473713: image.png
Feb 23 2020, 7:45 PM

Description

Hi, I have been running 1.3-rolling-202002050217 and just tried to migrate to 1.3-rolling-202002180217, and the system breaks. Interfaces don't come up and I can't log in with any user. The vyos user doesn't respond to the configured password or the default password.

I have traced the problem back to between 1.3-rolling-202002050217 and 1.3-rolling-202002070217 and, looking at the completed tickets around that time, T1990 looks like it might have something to do with it.

I did a fresh install of 1.3-rolling-202002070217 in a virtual machine, set the vyos password, copied out the login section and replaced the login section of my 1.3-rolling-202002050217 installation. I then upgraded from 1.3-rolling-202002050217 to 1.3-rolling-202002070217 and it migrated the config with the new login section. I then rebooted to 1.3-rolling-202002070217 with the replaced login section and it worked. I then upgraded from 1.3-rolling-202002070217 to 1.3-rolling-202002180217 and all is OK.

I have kept the 1.3-rolling-202002050217 image so if you want me to test anything further, let me know but I am past the problem now so this ticket is just for your information.

SteveP

Details

Difficulty level
Unknown (require assessment)
Version
1.3-rolling-202002180217
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

SteveP created this object in space S1 VyOS Public.

Hi @SteveP,

thanks for reporting this. As we always want to maintain config upgrade compatibility, could you please share your full config with me so I can reproduce it?

Thanks!

firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        network-group Private_IPs {
            network 10.0.0.0/8
            network 127.0.0.0/8
            network 172.16.0.0/12
            network 192.168.0.0/16
            network 168.254.0.0/16
            network 169.254.0.0/16
            network 192.0.2.0/24
            network 224.0.0.0/4
            network 240.0.0.0/4
        }
        port-group NetBIOS_TCP {
            port 135-139
            port 445
        }
        port-group NetBIOS_UDP {
            port 137-138
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name accept_all {
        default-action accept
    }
    name private_to_public {
        default-action accept
        rule 9 {
            action accept
            description "Allow admin of Vigor 130"
            destination {
                address 192.168.5.2
                port 443
            }
            protocol tcp
            source {
                address 192.168.3.100
            }
        }
        rule 10 {
            action drop
            description "Stop Local Addresses traversing the WEB"
            destination {
                group {
                    network-group Private_IPs
                }
            }
        }
        rule 20 {
            action drop
            description "Block NetBIOS from LAN to WEB"
            destination {
                group {
                    port-group NetBIOS_TCP
                }
            }
            protocol tcp
        }
        rule 21 {
            action drop
            description "Block NetBIOS from LAN to WEB"
            destination {
                group {
                    port-group NetBIOS_UDP
                }
            }
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    state-policy {
        established {
            action accept
        }
        related {
            action accept
        }
    }
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        address 192.168.3.1/24
        duplex auto
        hw-id 4c:02:89:12:16:ce
        smp-affinity auto
        speed auto
    }
    ethernet eth1 {
        address 192.168.1.1/24
        duplex auto
        hw-id 4c:02:89:12:16:cf
        smp-affinity auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.4.1/24
        duplex auto
        hw-id 4c:02:89:12:16:d0
        smp-affinity auto
        speed auto
    }
    ethernet eth3 {
        address 192.168.5.1/24
        duplex auto
        hw-id 4c:02:89:12:16:d1
        mtu 1508
        pppoe 0 {
            default-route auto
            mtu 1500
            name-server none
            password ********
            user-id [email protected]
        }
        smp-affinity auto
        speed auto
    }
    loopback lo {
    }
}
nat {
    source {
        rule 10 {
            outbound-interface pppoe0
            translation {
                address masquerade
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name ETH0_Pool {
            subnet 192.168.3.0/24 {
                default-router 192.168.3.1
                dns-server 192.168.3.1
                lease 86400
                range 0 {
                    start 192.168.3.100
                    stop 192.168.3.199
                }
                static-mapping NB0001 {
                    ip-address 192.168.3.100
                    mac-address EC:F4:BB:******
                }
            }
        }
        shared-network-name ETH1_Pool {
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                range 0 {
                    start 192.168.1.100
                    stop 192.168.1.199
                }
                static-mapping SamsungTV {
                    ip-address 192.168.1.103
                    mac-address cc:b1:1a:******
                }
            }
        }
        shared-network-name ETH2_Pool {
            subnet 192.168.4.0/24 {
                default-router 192.168.4.1
                dns-server 192.168.4.1
                lease 86400
                range 0 {
                    start 192.168.4.100
                    stop 192.168.4.199
                }
            }
        }
    }
    dns {
        forwarding {
            allow-from 0.0.0.0/0
            allow-from ::/0
            cache-size 150
            listen-address 192.168.1.1
            listen-address 192.168.3.1
            listen-address 192.168.4.1
            name-server 194.72.6.51
            name-server 194.74.65.69
        }
    }
    ssh {
        listen-address 192.168.3.1
        port 22
    }
}
system {
    config-management {
        commit-revisions 20
    }
    conntrack {
        expect-table-size 2048
        hash-size 32768
        modules {
            sip {
                disable
            }
        }
        table-size 262144
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name home-r1
    login {
        user stevep {
            authentication {
                encrypted-password ********************************************
                plaintext-password ""
            }
            full-name "Steve Palmer"
        }
        user vyos {
            authentication {
                encrypted-password **********************************************
                plaintext-password ""
            }
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/London
}
zone-policy {
    zone local {
        default-action drop
        from private {
            firewall {
                name accept_all
            }
        }
        local-zone
    }
    zone public {
        default-action drop
        description "Public Zone"
        from private {
            firewall {
                name private_to_public
            }
        }
        interface pppoe0
        interface eth3
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dns-forwarding@2:firewall@5:interfaces@4:ipsec@5:l2tp@2:lldp@1:mdns@1:nat@4:ntp@1:pptp@1:qos@1:quagga@4:snmp@1:ssh@1:system@16:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webgui@1:webproxy@2:zone-policy@1" === */
/* Release version: 1.3-rolling-202002180217 */

This is the bit from 1.3-rolling-202002050217 that I manually replaced with the login section above.

login {
    user root {
        authentication {
            encrypted-password **********************************************
            plaintext-password ""
        }
        level admin
    }
    user stevep {
        authentication {
            encrypted-password *********************************************
            plaintext-password ""
        }
        full-name "Steve Palmer"
        level admin
    }
    user vyos {
        authentication {
            encrypted-password ******************************
            plaintext-password ""
        }
        level admin
    }
}

SteveP

On first glance this looks to me like zone policy issue.

image.png (1×1 px, 54 KB)

Your supplied config loaded like a charm once I removed the zone-policy, as you reference a zone (private) which does not exist.

Can you please double-check whether this could have been the root cause?

c-po changed the task status from Open to On hold. Feb 23 2020, 7:46 PM
c-po triaged this task as Normal priority.

Hi, that wasn't the problem. I did remove some of the config. I must have left a bit.

The config I was running on the older version was running fine. It had updated many times. All I changed to get it working was to replace this:

login {
    user root {
        authentication {
            encrypted-password **********************************************
            plaintext-password ""
        }
        level admin
    }
    user stevep {
        authentication {
            encrypted-password *********************************************
            plaintext-password ""
        }
        full-name "Steve Palmer"
        level admin
    }
    user vyos {
        authentication {
            encrypted-password ******************************
            plaintext-password ""
        }
        level admin
    }
}

With this:

login {
    user vyos {
        authentication {
            encrypted-password **********************************************
            plaintext-password ""
        }
    }
}

Which I copied from a fresh install. It looks pretty much the same really, just without level admin.

SteveP

This is the bottom of the config that fails the upgrade.

/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dns-forwarding@2:firewall@5:interfaces@4:ipsec@5:l2tp@2:lldp@1:mdns@1:nat@4:ntp@1:pptp@1:qos@1:quagga@4:snmp@1:ssh@1:system@15:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webgui@1:webproxy@2:zone-policy@1" === */
/* Release version: 1.3-rolling-202002050217 */

Could you provide me with your full 1:1 configuration (passwords can be omitted)? Then I'll check again.

Hi @SteveP,

looking at your config I see the issue: it is because you define a root user, which triggered an exception. I will fix the code to mitigate this bug.
Thanks for testing and reporting.
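Added example (Python, not VyOS project code) of the defensive migration this thread points to: parse a login block like the ones posted above into a tree, drop the `level` node the newer image no longer carries, and handle a legacy `root` user without raising an exception. The exact handling of `root` (drop it with a warning) and all function names are this example's assumptions, not the project's actual fix.

```python
def parse_config(text):
    """VyOS-style brace config -> nested dicts (`key value {` -> tree[key][value])."""
    root = cur = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('/*'):   # blank lines and the version trailer
            continue
        if line == '}':
            cur = stack.pop()
            continue
        opens = line.endswith('{')
        parts = line.rstrip('{').split(None, 1)
        key, val = parts[0], parts[1].strip() if len(parts) > 1 else ''
        if opens:
            stack.append(cur)
            cur = cur.setdefault(key, {})
            if val:                              # tag node such as `user stevep {`
                cur = cur.setdefault(val, {})
        else:
            cur[key] = val                       # leaf such as `level admin`
    return root

def migrate_login(login):
    """Drop the removed `level` node from every user and, instead of letting a
    legacy `root` user crash the migrator, remove it with a warning
    (assumed handling for root, not the project's actual fix)."""
    warnings, users = [], login.get('user', {})
    for name in list(users):
        if name == 'root':
            warnings.append("dropped legacy 'root' user")
            del users[name]
        elif users[name].pop('level', None) is not None:
            warnings.append(f"removed 'level' from user {name}")
    return login, warnings

# Constructed sample in the shape of this task's legacy login block (hash replaced).
LEGACY_LOGIN = """login {
    user root {
        authentication {
            encrypted-password $6$PLACEHOLDER
        }
        level admin
    }
    user stevep {
        full-name "Steve Palmer"
        level admin
    }
}"""
```

Running `migrate_login(parse_config(LEGACY_LOGIN)['login'])` leaves only the stevep user, without its `level` node, and reports what was changed.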

Ah, that is just legacy. Ironically, when I updated the config manually to mitigate this problem, I deleted the root user. Lol. Still, there may be users out there from the Vyatta days who still have it there. Off topic here, but I am also a PPPoE user and am now running the latest version with all the recent PPPoE re-write, and all is working fine.

SteveP