Page MenuHomeVyOS Platform
Create Task
Maniphest T2439

Configuration dependency problem, unable to load complex configuration after reboot
Closed, ResolvedPublicBUG
Actions

Description

At present, vyos has serious configuration file configuration item application dependency order problem, which can be manually configured, but for the following vyos configuration files:

firewall {
    all-ping enable
    broadcast-ping enable
    config-trap disable
    ipv6-receive-redirects enable
    ipv6-src-route enable
    ip-src-route enable
    log-martians enable
    name wan {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    name wan-local {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        rule 3 {
            action drop
            destination {
                port 22
            }
            protocol tcp
            recent {
                count 4
                time 60
            }
            state {
                new enable
            }
        }
        rule 4 {
            action accept
            protocol tcp
            state {
                new enable
            }
        }
    }
    options {
        interface pppoe0 {
            adjust-mss 1452
            adjust-mss6 1280
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    state-policy {
        established {
            action accept
            log {
                enable
            }
        }
        invalid {
            action accept
            log {
                enable
            }
        }
        related {
            action accept
            log {
                enable
            }
        }
    }
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    bridge br1 {
        address 192.168.0.1/24
        address fc00:470:f1cd::1/64
        description "lan 0"
        dhcpv6-options {
            temporary
        }
        ipv6 {
            address {
                autoconf
                eui64 fc00:470:f1cd::/64
            }
            dup-addr-detect-transmits 1
        }
        member {
            interface eth1.1 {
            }
            interface eth2 {
            }
        }
        stp
    }
    bridge br2 {
        address 192.168.101.1/24
        address fc00:470:f1cd:101::1/64
        description "lan 101"
        dhcpv6-options {
            temporary
        }
        ipv6 {
            address {
                autoconf
                eui64 fc00:470:f1cd:101::/64
            }
            dup-addr-detect-transmits 1
        }
        member {
            interface eth0 {
            }
            interface eth1.2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
        }
        stp
    }
    ethernet eth0 {
        description LAN
        hw-id 00:98:2b:f8:3f:11
        ipv6 {
            address {
            }
            dup-addr-detect-transmits 1
        }
    }
    ethernet eth1 {
        description Trunk
        hw-id 00:98:2b:f8:3f:12
        vif 1 {
            description "vlan 1 of eth1"
        }
        vif 2 {
            description "vlan 2 of eth1"
        }
    }
    ethernet eth2 {
        description LAN
        hw-id 00:98:2b:f8:3f:13
    }
    ethernet eth3 {
        description LAN
        hw-id 00:98:2b:f8:3f:14
    }
    ethernet eth4 {
        description LAN
        hw-id 00:98:2b:f8:3f:15
    }
    ethernet eth5 {
        description WAN
        disable-flow-control
        firewall {
            in {
                name wan
            }
            local {
                name wan-local
            }
        }
        hw-id 00:98:2b:f8:3f:16
    }
}
nat {
    nptv6 {
        rule 2 {
            description "IPv6 NPT"
            outbound-interface pppoe0
            source {
                prefix fc00:470:f1cd::/48
            }
            translation {
                prefix 240e:fc:7d:64b9::/64
            }
        }
    }
    source {
        rule 1 {
            description PUBLIC
            log enable
            outbound-interface pppoe0
            protocol all
            source {
                address 0.0.0.0/0
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        interface-route 0.0.0.0/0 {
            next-hop-interface pppoe0 {
            }
        }
        interface-route6 ::/0 {
            next-hop-interface pppoe0 {
            }
        }
        table 150 {
            interface-route 0.0.0.0/0 {
                next-hop-interface pppoe0 {
                }
            }
            interface-route6 ::/0 {
                next-hop-interface pppoe0 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name pri101 {
            description "DHCP 101"
            subnet 192.168.101.0/24 {
                default-router 192.168.101.1
                dns-server 192.168.0.254
                dns-server 192.168.101.1
                dns-server 192.168.0.1
                lease 86400
                ntp-server 192.168.101.1
                range 0 {
                    start 192.168.101.8
                    stop 192.168.101.254
                }
            }
        }
    }
    dhcpv6-server {
        preference 0
        shared-network-name pri101 {
            subnet fc00:470:f1cd:101::/64 {
                address-range {
                    start fc00:470:f1cd:101::8 {
                        stop fc00:470:f1cd:101:ffff:ffff:ffff:ffff
                    }
                }
                name-server fc00:470:f1cd::ff00
                name-server fc00:470:f1cd::1
                name-server fc00:470:f1cd:101::1
            }
        }
    }
    dns {
        forwarding {
            allow-from 192.168.0.0/16
            allow-from 2001:470:f1cd::/48
            cache-size 1024
            domain pve. {
                server 192.168.0.47
                server 2001:470:f1cd::47
            }
            listen-address 0.0.0.0
            listen-address ::
            name-server 2001:470:f1cd::ff00
            name-server 192.168.0.254
            name-server 202.96.134.33
            name-server 202.96.128.86
            name-server 114.114.114.114
            name-server 1.1.1.1
            name-server 1.0.0.1
            system
        }
    }
    https {
        virtual-host vhost0 {
            listen-address "*"
            server-name 192.168.0.1
        }
    }
    mdns {
        repeater {
            interface br1
            interface br2
        }
    }
    router-advert {
        interface br1 {
        }
        interface br2 {
            name-server fc00:410:f1cd:101::1
        }
    }
    ssh {
        listen-address 0.0.0.0
    }
}
system {
    acceleration {
    }
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name router
    host-name vyos
    ip {
        arp {
            table-size 2048
        }
        multipath {
            layer4-hashing
        }
    }
    ipv6 {
        multipath {
            layer4-hashing
        }
        neighbor {
            table-size 2048
        }
        strict-dad
    }
    login {
        user vyos {
            authentication {
                encrypted-password $6$UaXQViDvJ.Hr$85U/9Q5d/tc9hdtrnntMVgrztOCext..OJCHaJYZUo82GAdD95lchvSjI3vCZJTNte7cIAs87YctYlXODGXAz1
                plaintext-password ""
            }
        }
    }
    name-server 192.168.0.1
    ntp {
        allow-clients {
            address 192.168.0.0/16
            address fc00:470:f1cd::/48
        }
        listen-address ::
        listen-address 0.0.0.0
        server 0.debian.pool.ntp.org {
        }
        server 1.debian.pool.ntp.org {
        }
        server 2.debian.pool.ntp.org {
        }
        server 3.debian.pool.ntp.org {
        }
    }
    sysctl {
        custom net.ipv4.conf.all.rp_filter {
            value 0
        }
        custom net.ipv4.conf.default.rp_filter {
            value 0
        }
        custom net.ipv4.conf.eth0.rp_filter {
            value 0
        }
        custom net.ipv6.conf.all.accept_ra {
            value 2
        }
        custom net.ipv6.conf.all.forwarding {
            value 1
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Asia/Shanghai
}

Please test its configuration item dependency according to the above configuration!

Details

Version
vyos-1.3-rolling-202005051136
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

jack9603301 created this task.May 8 2020, 12:10 PM
jack9603301 triaged this task as High priority.
jjakob subscribed.May 8 2020, 12:56 PM

202005051136 has multiple issues, there are multiple PRs waiting to be applied on vyos-1x to fix them. You didn't append the exact error messages.

jack9603301 added a comment.May 8 2020, 1:24 PM

Due to configuration dependency, accurate error information cannot be provided, but there is no problem using the following order:

set int eth
set int br
set service dhcp-server
set service dhcpv6-server

The prediction is due to the problem that the configuration item depends on the application configuration in the process of restarting the system to perform load loading, but the dependency information is lost in the process of starting the sequential application configuration (for example, in the process of using VLAN sub interface as interface member verification in the application bridge, it is found that the VLAN sub interface is not configured, or the address is not configured, and the VLAN configuration is not Application, etc.)

jack9603301 added a comment.May 8 2020, 1:25 PM

Because the problem is that in the process of loading config.boot after the vyos system is restarted, the configuration dependency of the sequential application configuration is not considered, so the accurate error reporting information cannot be provided. You can use the above configuration structure to reproduce.

jack9603301 added a comment.May 8 2020, 1:28 PM

After relevant tests, it is highly suspected that the configuration dependency problem can be solved by manually loading the following instructions:

load
delete ......
commit
load 
commit

However, even if the successfully applied configuration save is restarted, this problem still occurs!

pasik subscribed.May 8 2020, 5:16 PM
jjakob added a comment.EditedMay 9 2020, 9:09 AM

Please test using the latest rolling ISO at https://downloads.vyos.io/?dir=rolling/current/amd64 which has multiple fixes for interfaces included. Also, I still don't understand what the exact issue is. I have a similar configuration here and I have no issues with the image from 20200509.

jack9603301 added a comment.May 10 2020, 2:46 AM

Test problem solved

jack9603301 closed this task as Resolved.May 10 2020, 2:46 AM
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.May 21 2020, 4:15 PM
erkin set Issue type to Bug (incorrect behavior).Aug 30 2021, 6:17 AM
erkin removed a subscriber: Global Notifications.
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Aug 30 2022, 2:02 PM
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0) board.