
VRF aware services - connection no longer possible after system reboot
Status: Closed, Resolved (Public, BUG)

Description

Moving the SSH service into any VRF does not survive a reboot.

Once the system is rebooted SSHd can't be started as it errors out with the following message:

Jul 04 20:26:34 vyos systemd[1]: Starting OpenBSD Secure Shell server...
Jul 04 20:26:34 vyos ip[1453]: Failed to load BPF prog: 'Operation not permitted'
Jul 04 20:26:34 vyos systemd[1]: ssh.service: Main process exited, code=exited, status=1/FAILURE
Jul 04 20:26:34 vyos systemd[1]: ssh.service: Failed with result 'exit-code'.
Jul 04 20:26:34 vyos systemd[1]: Failed to start OpenBSD Secure Shell server.
Jul 04 20:26:34 vyos systemd[1]: ssh.service: Service RestartSec=100ms expired, scheduling restart.
Jul 04 20:26:34 vyos systemd[1]: ssh.service: Scheduled restart job, restart counter is at 1.
Jul 04 20:26:34 vyos systemd[1]: Stopped OpenBSD Secure Shell server.
Jul 04 20:26:34 vyos systemd[1]: Starting OpenBSD Secure Shell server...

It can be reproduced by:

set interfaces ethernet eth0 vif 201 address '172.18.201.10/24'
set interfaces ethernet eth0 vif 201 vrf 'red'
set protocols vrf red static route 0.0.0.0/0 next-hop 172.18.201.254
set service ssh vrf 'red'
set vrf name red table '1000'

The same problem likely affects other VRF-based services such as SNMP and NTP, so the same change will be applied to them as well.

Details

Difficulty level: Unknown (require assessment)
Version: 1.3-rolling-202007041726
Why the issue appeared? Will be filled on close
Is it a breaking change? Perfectly compatible
Issue type: Bug (incorrect behavior)

Event Timeline

c-po changed the task status from Open to Confirmed. Jul 4 2020, 6:31 PM
c-po claimed this task.
c-po triaged this task as Unbreak Now! priority.
c-po updated the task description.

Linux tries to bind SSHd to the VRF, but it is not yet ready. After restarting SSH too often (rate limiting), it is blocked.

Using Restart/RestartSec is not enough: systemd services use start rate limiting (enabled by default). If a service is started more than StartLimitBurst times in StartLimitIntervalSec seconds, it is not permitted to start any more. The parameters are inherited from DefaultStartLimitIntervalSec (default 10s) and DefaultStartLimitBurst (default 5).
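The comment above describes two interacting causes: the service binds to a VRF that does not exist yet at boot, and every failed attempt counts against systemd's start rate limit. The script below is an added example, not VyOS code and not the fix that was merged for this task. It gives a service a `wait_for_vrf` pre-start check that polls `ip -o link show type vrf` until the named VRF device appears, so the unit does not burn through `StartLimitBurst` while the VRF is still being created. The `IP_CMD` variable, the `vrf_exists`/`wait_for_vrf` function names and the 30-second default are assumptions of this example.

```shell
#!/bin/sh
# Added example (not VyOS's own code): block until a VRF device exists, so a
# VRF-bound service such as SSH is not started, and rate-limited by systemd,
# before its VRF is ready at boot.
# Assumptions: iproute2 'ip' is on PATH; IP_CMD may override it (used by tests).
set -u

IP_CMD="${IP_CMD:-ip}"

# vrf_exists NAME: succeed if a link named NAME is listed among VRF devices.
# 'ip -o link show type vrf' prints one line per VRF, e.g.
#   5: red: <NOARP,MASTER,UP,LOWER_UP> mtu 65575 ...
# so the device name is the second ': '-separated field.
vrf_exists() {
    "$IP_CMD" -o link show type vrf 2>/dev/null \
        | awk -F': ' -v n="$1" '$2 == n { found = 1 } END { exit !found }'
}

# wait_for_vrf NAME [TIMEOUT_SECONDS]: poll once per second until the VRF
# exists; fail after TIMEOUT_SECONDS (default 30) so a misconfiguration still
# surfaces as a service failure instead of hanging the boot forever.
wait_for_vrf() {
    name="$1"
    timeout="${2:-30}"
    waited=0
    while ! vrf_exists "$name"; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "wait_for_vrf: VRF '$name' not present after ${timeout}s" >&2
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Stand-alone usage:  ./wait-for-vrf.sh red 30
# Intended to be referenced from a systemd drop-in as
#   ExecStartPre=/usr/local/sbin/wait-for-vrf.sh red 30
if [ $# -ge 1 ]; then
    wait_for_vrf "$1" "${2:-30}"
fi
```

The pre-start check only addresses ordering; if the VRF can legitimately take longer than the default 10-second rate-limit window to appear, the unit's `[Unit]` section also needs a raised `StartLimitBurst`/`StartLimitIntervalSec` (or the unit must be ordered after whatever creates the VRF), otherwise systemd still refuses the restart even though the check itself would eventually succeed.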

c-po renamed this task from "SSH: VRF: connection no longer possible after system reboot" to "VRF aware services - connection no longer possible after system reboot". Jul 4 2020, 7:56 PM
c-po updated the task description.
erkin set Issue type to Bug (incorrect behavior). Aug 29 2021, 1:56 PM
erkin removed a subscriber: Active contributors.