In T5157#146979, @sdev wrote:

Can you share container config section?

Can you share container config section?

If I need to guess, it is just an issue that the BGP session gets configured before the route-maps

As I said, this happens with any config that includes route maps

Self-configuration of the http-api calls a service restart from the config mode script: some re-configuration should be possible without restart; the remaining should provide an explanatory 'success' response. Move to high-priority to address.

This is available in Sagitta thanks to the PKI subsystem; backport depends on backport of that subsystem.

Thanks for clarifying. Yes , I also saw the possibility of extending role based IAM to add on-premise image (that could be interesting for VyOS).

Could you share configuration ? where attached RM and BGP settings:

We can add guidelines about running vyos on LXC/LXD in the documentation

Must run in physical NIC pass-through mode
It is recommended to execute the container in privileged mode
This is currently only an initial implementation!

This should be implemented under the rewrite of system-image-tools:
https://vyos.dev/T4516

This has not been seen subsequently. Close unless recurrence.

Discussed, and ready to be implemented shortly.

Related to T3651.

This will be integrated with the PKI subsystem, using the ideas there.

@fernando

1. In order to apply SSM auto-configuration of the CloudWatch agent, an SSM agent must be installed that installs the CloudWatch agent with the necessary configuration. Currently, there is no SSM agent inside VyOS AWS images, and I haven't heard anything about willingness to include it.
2. The amazon-cloudwatch-agent package has only one dependency, libc6. Therefore, it does not need the aws-cli to be configured or set up at all.
3. Granting access to the CloudWatch service from an EC2 instance is done by applying the corresponding IAM role to the instance. While it is possible to do this via manual credential input, it is an unwanted practice inside AWS.
4. The possible scenario of sending data to CloudWatch out of AWS is unique and requires another Phorge task, I think.

@unity when you need AWS credential , will they be automatically deployed from SSM or will we have to add those credentials in the virtual machine? ? shouldn't aws-cli be integrated?

This was addressed within T4364, and backported in T4874.

@Viacheslav confirmed working.

@Viacheslav Confirmed fixed, thank you.

I've created the PR https://github.com/vyos/vyos-documentation/pull/987 as a temporary explanation for users on how to preserve CloudWatch Agent configuration in a semi-automated way, using the SSM Parameter Store.

The firewall for ocserv is handled by https://gitlab.com/openconnect/ocserv/-/blob/master/src/ocserv-fw and uses iptables by default

Supporting (draft) PR and minor fixes linked in PR:
https://github.com/vyos/vyos-1x/pull/1768

PR 1.3 https://github.com/vyos/vyos-1x/pull/1951

@Harliff Could you re-check?

PR for 1.3 https://github.com/vyos/vyos-1x/pull/1954

In T5153#146789, @Viacheslav wrote:

Could you send sudo nft list ruleset ?

PR for 1.3 https://github.com/vyos/vyos-1x/pull/1952
PR for 1.4 fix https://github.com/vyos/vyos-1x/pull/1953

For 1.4 rate-limit in the wrong place

set vpn pptp remote-access authentication rate-limit

Expected in the radius section:

set vpn pptp remote-access authentication radius rate-limit

Yes, I forgot to add this task. I'll make the PR

@n.fort Could you add PR for 1.3?

@fernando Could you add PR for 1.3?

PR https://github.com/vyos/vyos-1x/pull/1950

Could you send sudo nft list ruleset ?

In T4891#139693, @RyVolodya wrote:

I reproduced this configuration. Version VyOS 1.4-rolling-202212270317 - BFD works fine.

Configuration:

set interfaces ethernet eth0 address '10.221.3.18/30'
set interfaces ethernet eth0 mtu '9000'
set interfaces ethernet eth0 offload gro
set interfaces ethernet eth0 offload gso
set interfaces ethernet eth0 offload sg
set interfaces ethernet eth0 offload tso

BFD peer status:

BFD Peers:
        peer 10.221.3.17 vrf default
                ID: 2428685750
                Remote ID: 2382320760
                Active mode
                Status: up
                Uptime: 30 minute(s), 19 second(s)
                Diagnostics: ok
                Remote diagnostics: ok
                Peer Type: configured
                RTT min/avg/max: 0/0/0 usec
                Local timers:
                        Detect-multiplier: 5
                        Receive interval: 100ms
                        Transmission interval: 100ms
                        Echo receive interval: 50ms
                        Echo transmission interval: disabled
                Remote timers:
                        Detect-multiplier: 5
                        Receive interval: 100ms
                        Transmission interval: 100ms
                        Echo receive interval: 50ms

[edit]

Try upgrading the VyOS to the latest version.