Page MenuHomeVyOS Platform

VRF aware services - connection no longer possible after system reboot
Closed, ResolvedPublicBUG

Description

Moving the SSH service into any VRF will not work accross reboots.

Once the system is rebooted SSHd can't be started as it errors out with the following message:

Jul 04 20:26:34 vyos systemd[1]: Starting OpenBSD Secure Shell server...
Jul 04 20:26:34 vyos ip[1453]: Failed to load BPF prog: 'Operation not permitted'
Jul 04 20:26:34 vyos systemd[1]: ssh.service: Main process exited, code=exited, status=1/FAILURE
Jul 04 20:26:34 vyos systemd[1]: ssh.service: Failed with result 'exit-code'.
Jul 04 20:26:34 vyos systemd[1]: Failed to start OpenBSD Secure Shell server.
Jul 04 20:26:34 vyos systemd[1]: ssh.service: Service RestartSec=100ms expired, scheduling restart.
Jul 04 20:26:34 vyos systemd[1]: ssh.service: Scheduled restart job, restart counter is at 1.
Jul 04 20:26:34 vyos systemd[1]: Stopped OpenBSD Secure Shell server.
Jul 04 20:26:34 vyos systemd[1]: Starting OpenBSD Secure Shell server...

It can be reproduced by:

set interfaces ethernet eth0 vif 201 address '172.18.201.10/24'
set interfaces ethernet eth0 vif 201 vrf 'red'
set protocols vrf red static route 0.0.0.0/0 next-hop 172.18.201.254
set service ssh vrf 'red'
set vrf name red table '1000'

This is also a possible issue for other VRF based services like SNMP and NTP - thus the same change will be applied here, too

Details

Version
1.3-rolling-202007041726
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

c-po changed the task status from Open to Confirmed.Jul 4 2020, 6:31 PM
c-po claimed this task.
c-po triaged this task as Urgent! priority.
c-po updated the task description. (Show Details)

Linux tries to bind SSHd to the VRF but it is yet not ready. After restarting SSH to often (rate-limiting) it is blocked.

Using Restart/RestartSec is not enough - systemd services use start rate limiting (enabled by default). If service is started more than StartLimitBurst times in StartLimitIntervalSec seconds is it not permitted to start any more. Parameters are inherited from DefaultStartLimitIntervalSec(default 10s) and DefaultStartLimitBurst(default 5).

c-po renamed this task from SSH: VRF: connection no longer possible after system reboot to VRF aware services - connection no longer possible after system reboot.Jul 4 2020, 7:56 PM
c-po updated the task description. (Show Details)
erkin set Issue type to Bug (incorrect behavior).Aug 29 2021, 1:56 PM
erkin removed a subscriber: Global Notifications.