
Config Error on Boot with Podman and Firewall
Closed, Resolved | Public | BUG

Description

When including a podman network interface in the firewall rules (pod-network-name), VyOS initially validates it and the configuration works as intended (traffic is properly filtered and the configuration is applied). However, on reboot, the configuration fails to validate as the podman network interface does not exist on the device or in the config and the firewall is omitted entirely from the configuration leaving the device exposed to whatever networks it is connected.

Either the CLI should catch this as a validation error on initial commit or some form of support for these types of interfaces should be added.

Details

Difficulty level: Unknown (require assessment)
Version: 1.4.0-rc1
Why did the issue appear? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

Please add simple examples with the set of commands to reproduce:

set xxxx x.x.xx

I've further determined that it also occurs if no container is attached to the network because the interface is only created when a container is attached.

Steps to reproduce:

  1. Pull a container image:
     add container image docker.io/alpine:latest
  2. Create a podman network and a container that uses it (the interface is only created if a container uses the network):
     conf
     set container network test prefix 172.16.0.0/24
     set container name test network test
     set container name test image docker.io/alpine:latest
     set container name test command 'sleep 10000'
     commit
     exit
  3. Start the container:
     restart container test
  4. Create a firewall chain that includes the interface for that network:
     conf
     set firewall ipv4 name test rule 1 action 'accept'
     set firewall ipv4 name test rule 1 inbound-interface 'pod-test'
  5. Commit and save changes (will succeed):
     commit
     save

Should result in the following config snippet:

container {
    name test {
        command "sleep 10000"
        image docker.io/alpine:latest
        network test {
        }
    }
    network test {
        prefix 172.16.0.0/24
    }
}
firewall {
    ipv4 {
        name test {
            rule 1 {
                action accept
                inbound-interface {
                    name pod-test
                }
            }
        }
    }
}
interfaces {
  6. Reboot and then enter config mode.

You will see the following error message:

WARNING: There was a config error on boot: saving the configuration now could overwrite data.
You may want to check and reload the boot config
[edit]

The firewall section will be completely removed from the config (it doesn't matter whether additional firewall rules, chains or options are present):

vyos@vyos:~$ show conf
container {
    name test {
        command "sleep 10000"
        image docker.io/alpine:latest
        network test {
        }
    }
    network test {
        prefix 172.16.0.0/24
    }
}
interfaces {

But you can also load and commit the saved config, and it will be restored with no error:

vyos@vyos:~$ conf
WARNING: There was a config error on boot: saving the configuration now could overwrite data.
You may want to check and reload the boot config
[edit]
vyos@vyos# load
Loading configuration from 'config.boot'
Load complete. Use 'commit' to make changes effective.
[edit]
vyos@vyos# commit
[edit]

The only way to actually see the error is to boot with the vyos-config-debug command line option:

vyos@vyos:~$ cat /tmp/boot-config-trace
Traceback (most recent call last):
  File "/usr/libexec/vyos/vyos-boot-config-loader.py", line 143, in <module>
    commit_out = session.commit()
                 ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/configsession.py", line 187, in commit
    out = self.__run_command([COMMIT])
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/configsession.py", line 143, in __run_command
    raise ConfigSessionError(output)
vyos.configsession.ConfigSessionError:  Processing the Priority Queue
  Entering the _commit_check_cfg_node
   Executing the "system host-name vyos" ...
   Elapsed 0.001 sec:
  Elapsed 0.001 sec: _commit_check_cfg_node
  Entering the _commit_exec_cfg_node
   Executing the "system host-name vyos" ...
   Elapsed 0.147 sec:
  Elapsed 0.147 sec: _commit_exec_cfg_node
  Entering the _commit_check_cfg_node
   Executing the "firewall ipv4 name test" ...
   Elapsed 0.002 sec:
   Executing the "firewall ipv4 name test rule 1" ...
   Elapsed 0.026 sec:
   Executing the "firewall ipv4 name test rule 1 action accept" ...
   Elapsed 0.002 sec:
   Executing the "firewall ipv4 name test rule 1 inbound-interface name pod-test" ...
[ firewall ipv4 name test rule 1 inbound-interface name pod-test ]
Incorrect path /sys/class/net/pod-test: no such file or directory



[ firewall ipv4 name test rule 1 inbound-interface name pod-test ]
Invalid value

   Elapsed 0.033 sec:
  Elapsed 0.064 sec: _commit_check_cfg_node
[[firewall]] failed
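The commit-time check the report asks for, written here as an added example (not VyOS code): a small parser for the curly-brace config format, plus a pass that flags firewall interface matches resolving to pod-<network> names, which podman creates only once a container attaches and which are therefore missing when config.boot is loaded. The sample config is constructed from the report's snippet; the function names are my own.

```python
import shlex

def parse_vyos_config(text):
    """Parse VyOS curly-brace config text into nested dicts (leaf -> value string or None)."""
    root = cur = {}
    stack = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "}":
            cur = stack.pop()
        elif line.endswith("{"):
            stack.append(cur)
            for tok in shlex.split(line[:-1]):  # "name test {" nests name -> test
                cur = cur.setdefault(tok, {})
        else:
            key, *rest = shlex.split(line)
            cur[key] = " ".join(rest) if rest else None
    return root

def boot_unsafe_firewall_refs(cfg):
    """Flag firewall interface matches on podman networks: absent until a container attaches."""
    pod = {"pod-" + n for n in cfg.get("container", {}).get("network", {})}
    findings = []
    for fam, fw in cfg.get("firewall", {}).items():            # ipv4 / ipv6
        for chain, body in fw.get("name", {}).items():
            for num, rule in body.get("rule", {}).items():
                for direction in ("inbound-interface", "outbound-interface"):
                    name = rule.get(direction, {}).get("name")
                    if name in pod:  # the whole firewall section would fail to load at boot
                        findings.append((f"firewall {fam} name {chain} rule {num} {direction}",
                                         name, "container network interface, absent at boot"))
    return findings

# Constructed sample modelled on the report's snippet (container name block omitted).
SAMPLE = """\
container {
    network test {
        prefix 172.16.0.0/24
    }
}
firewall {
    ipv4 {
        name test {
            rule 1 {
                action accept
                inbound-interface {
                    name pod-test
                }
            }
        }
    }
}
"""
```

Run `boot_unsafe_firewall_refs(parse_vyos_config(open("/config/config.boot").read()))` before rebooting; any finding means the saved config will not survive a boot-time commit.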
n.fort changed the task status from Open to Confirmed. Jan 5 2024, 3:53 PM
n.fort changed the task status from Confirmed to In progress. Jan 8 2024, 10:14 AM
n.fort claimed this task.
n.fort changed the task status from In progress to Needs testing. Jan 8 2024, 6:41 PM