I see the issue. Whitespace is fine in a tag node name as long as the name is quoted, however ConfigTree.to_string() does not re-quote the name, hence on the next migration script, parsing the config file will throw an error. I will investigate the proper solution.
- Feed Queries
- All Stories
- Search
- Feed Search
- Transactions
- Transaction Logs
Feed All Stories
All Stories
All Stories
Aug 19 2022
Aug 19 2022
jestabro added a comment to T4628: ConfigTree() throws ValueError() if tagNode contains whitespaces.
c-po changed the status of T4629: Raised ConfigErrors contain dict instead of only the dict key from Open to In progress.
GitHub <noreply@github.com> committed rVYOSONEXd247bc04b765: Merge pull request #1476 from sever-sever/T4620 (authored by c-po).
c-po changed the status of T4538: Macsec does not work correctly when the interface status changes. from In progress to Needs testing.
PR for vyos 1.3 (equuleus) https://github.com/vyos/vyos-1x/pull/1479
c-po moved T4614: OpenConnect split-dns directive from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.2) board.
c-po edited projects for T4614: OpenConnect split-dns directive, added: VyOS 1.3 Equuleus (1.3.2); removed VyOS 1.3 Equuleus (1.3.3).
c-po moved T4616: openconnect: KeyError: 'local_users' from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.2) board.
c-po edited projects for T4616: openconnect: KeyError: 'local_users', added: VyOS 1.3 Equuleus (1.3.2); removed VyOS 1.3 Equuleus (1.3.3).
Viacheslav updated the task description for T4627: Ability to set host part IPv6 address via interface IP token.
Viacheslav changed the subtype of T4627: Ability to set host part IPv6 address via interface IP token from "Bug" to "Feature Request".
Viacheslav moved T4619: Static arp is not set if another entry is present from Open to Finished on the VyOS 1.4 Sagitta board.
aserkin added a comment to T4617: VRF specification is needed for telegraf prometheus-client listen-address <address> .
Nothing helps
Successfully tested
There is an example of how we build ocserv for 1.3 https://github.com/vyos/vyos-build/commit/2e1eac5980720d060834540e717f4f8a1189b9b0
Aug 18 2022
Aug 18 2022
I was also suggested to try this -
I tried this command as suggested - no luck.
Viacheslav added a comment to T4617: VRF specification is needed for telegraf prometheus-client listen-address <address> .
Try to add some capabilities, for example, CAP_CHOWN or CAP_DAC_OVERRIDE or something else
sudo nano /etc/systemd/system/vyos-telegraf.service.d/10-override.conf
PR https://github.com/vyos/vyos-1x/pull/1478
set firewall name FOO rule 10 action 'drop' set firewall name FOO rule 10 protocol 'tcp' set firewall name FOO rule 10 tcp flags syn set firewall name FOO rule 10 tcp mss '1-500'
Viacheslav changed the status of T4622: Firewall allow drop packets by TCP MSS size from Open to In progress.
jestabro edited projects for T4146: Nginx should not listen on port 80, added: VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.2).
Discussed in dev meeting today and the conclusion was to move this to 1.3.3.
GitHub <noreply@github.com> committed rVYOSONEXdc0e468046be: Merge pull request #1470 from c-po/openconnect-T4614 (authored by dmbaturin).
I did my internal tests and can't reproduce it
20K entries applied in 0.20 sec
root@r14:/home/vyos# cat tmp.nft | wc -l 20029 root@r14:/home/vyos# root@r14:/home/vyos# sudo time nft -f tmp.nft real 0m 0.20s user 0m 0.13s sys 0m 0.06s root@r14:/home/vyos#
200K entries in 2 sec
root@r14:/home/vyos# cat tmp.nft | wc -l 200029 root@r14:/home/vyos# root@r14:/home/vyos# sudo nft flush ruleset root@r14:/home/vyos# root@r14:/home/vyos# sudo time nft -f tmp.nft real 0m 1.91s user 0m 1.20s sys 0m 0.70s root@r14:/home/vyos#
aserkin added a comment to T4617: VRF specification is needed for telegraf prometheus-client listen-address <address> .
The only way to start telegraf with ip vrf exec i found - is to comment out
#User=telegraf
in /etc/systemd/system/vyos-telegraf.service and
chown root:root /run/telegraf
Viacheslav added a parent task for T4623: Add show conntrack statistics: T4564: Root task for rewriting [op-mode] to vyos.opmode format.
Aug 17 2022
Aug 17 2022
Not supported at the moment, but we can look into adding it for both ipv4/v6 in 1.4
While I'm for changing to prefixed tables, I think the issue of tailscale and custom apps should fall under the accepted risk of running custom scripts outside of the config.
Any config available to test against?
I think that having the configuration stored exclusively in files outside the config file breaks portability as exporting system state through # show | commands won't produce an output sufficient for full state backup of a device.
If the configuration attributes were all in the CLI which then generated the relevant files in the FS, that would address the stateless backing filesystem concern by centralizing the device config as the source of truth.
@SquirePug - could you possibly provide a link to or the contents of the changes you made? Thanks
Viacheslav renamed T4622: Firewall allow drop packets by TCP MSS size from Firewall allow drop packets by TCP MSS to Firewall allow drop packets by TCP MSS size.
Viacheslav changed the status of T4619: Static arp is not set if another entry is present from Open to Needs testing.
Viacheslav moved T4480: add an ability to configure squid acl safe ports and acl ssl safe ports from Open to Finished on the VyOS 1.4 Sagitta board.
Viacheslav moved T4598: nat66 - Add exclude options from Open to Finished on the VyOS 1.4 Sagitta board.
n.fort closed T4480: add an ability to configure squid acl safe ports and acl ssl safe ports as Resolved.
n.fort closed T4598: nat66 - Add exclude options, a subtask of T2518: Add support for IPv6 NAT (NPTv6), as Resolved.
@m.korobeinikov Could you check it in 1.3
Viacheslav moved T4618: Traffic policy not set on virtual interfaces from Open to Finished on the VyOS 1.4 Sagitta board.
PR for 1.3.2 https://github.com/vyos/vyatta-cfg-qos/pull/16
The similar request T3896
Aug 16 2022
Aug 16 2022
c-po edited projects for T4538: Macsec does not work correctly when the interface status changes., added: VyOS 1.3 Equuleus (1.3.3), VyOS 1.4 Sagitta; removed VyOS 1.3 Equuleus (1.3.2).
c-po moved T4260: Extend vyos.configdict.node_changed() to support recursiveness from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.2) board.
c-po moved T4537: MACsec not working with cipher gcm-aes-256 from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.2) board.
GitHub <noreply@github.com> committed rVYOSONEX1f880973e221: Merge pull request #1475 from sever-sever/T4613 (authored by c-po).
GitHub <noreply@github.com> committed rVYOSONEX9c9e7618cdc5: T4619: Replacing instead of adding a static arp entry (authored by daniil).
GitHub <noreply@github.com> committed rVYOSONEX8093312a899b: Merge pull request #1474 from DaniilHarun/current (authored by c-po).
aserkin added a comment to T4617: VRF specification is needed for telegraf prometheus-client listen-address <address> .
Manual start of telegraf works for me
Viacheslav changed the status of T4611: UPnP rule IP should be a prefix instead of an address from Open to In progress.
Viacheslav changed the status of T4620: UPnP does not work due to incorrect template from Open to In progress.
It seems UPnP rules doesn't work at all task T4620
@patrickli Could you send a real example? In your example, port ranges are incorrect also it is not all required UPnP configuration
If you sent all UPnP configuration, it already has been done :)
I'm not a UPnP person, so I ask for some examples.
Viacheslav changed the status of T4613: UPnP configuration without listen option fail from Open to In progress.
Viacheslav added a comment to T4617: VRF specification is needed for telegraf prometheus-client listen-address <address> .
I tried to add vrf, but it requires some permissions, service is not starting
diff --git a/data/templates/monitoring/override.conf.j2 b/data/templates/monitoring/override.conf.j2 index 9f1b4ebe..63e479af 100644 --- a/data/templates/monitoring/override.conf.j2 +++ b/data/templates/monitoring/override.conf.j2 @@ -1,7 +1,10 @@ +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} [Unit] After=vyos-router.service ConditionPathExists=/run/telegraf/vyos-telegraf.conf [Service] +ExecStart= +ExecStart={{ vrf_command }}/usr/bin/telegraf -config /run/telegraf/vyos-telegraf.conf -config-directory /etc/telegraf/telegraf.d $TELEGRAF_OPTS Environment=INFLUX_TOKEN={{ influxdb.authentication.token }} CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN diff --git a/interface-definitions/service-monitoring-telegraf.xml.in b/interface-definitions/service-monitoring-telegraf.xml.in index 36f40a53..dc014ee1 100644 --- a/interface-definitions/service-monitoring-telegraf.xml.in +++ b/interface-definitions/service-monitoring-telegraf.xml.in @@ -306,6 +306,7 @@ </leafNode> </children> </node> + #include <include/interface/vrf.xml.i> </children> </node> </children>
jestabro moved T3993: Extend HTTP API GraphQL support from Open to In Progress on the VyOS 1.4 Sagitta board.
jestabro edited projects for T3993: Extend HTTP API GraphQL support, added: VyOS 1.4 Sagitta, VyOS 1.3 Equuleus; removed VyOS 1.3 Equuleus (1.3.2).
Viacheslav added a comment to T4617: VRF specification is needed for telegraf prometheus-client listen-address <address> .