Lowering priority to normal to proceed with adding the interface-monitor daemon development, mentioned above, for 1.5.
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Feed All Stories
All Stories
All Stories
Jan 10 2024
Jan 10 2024
jestabro lowered the priority of T3871: Resolve unexpected interface name reordering from High to Normal.
Quick test done on a VM with 1 CPU and 1G RAM:
[email protected]# for I in {1..2542}; do set firewall ipv6 name Test rule $I action accept ; set firewall ipv6 name Test rule $I destination port $I; set firewall ipv6 name Test rule $I protocol tcp ; done [email protected]# time commit
@sempervictus Thanks for the update!
OK, the grub serial config described here got me as far as seeing the Grub selection screen at boot time.
Oh wow, this is ancient. Can definitely close this out - @zsdc and i figured out a bunch of the insanity around cloud-init since then and i've got it working in our openstacks as well as public clouds on a single config.
What to do with atop and logrorate?
Viacheslav changed the status of T190: two factor authentication for OpenVPN remote VPN tunnels from Open to Needs testing.
It seems we already have mfa T3834 but it never was documented
https://github.com/vyos/vyos-1x/pull/1008
vyos@r4# set interfaces openvpn vtun0 server mfa totp
Possible completions:
challenge Expect password as result of a challenge response protocol
(default: enable)
digits Number of digits to use for totp hash (default: 6)
drift Time drift in seconds (default: 0)
slop Maximum allowed clock slop in seconds (default: 180)
step Step value for totp in seconds (default: 30)@xrobau Could you test it?
Dec 9 13:04:57 vyos charon: 07[IKE] no matching CHILD_SA config found
Do you have several connections from the hosts behind the same NAT external address to the same hub?
It worked in my previous tests, but it was just one host behind NAT to connect to the HUB.
Re-check please and close if it works fine now. Need to update.
This is closed now because the required functionality perfectly works with Cloud-init + NoCloud/ConfigDrive.
@amcmillen Do you have any examples of how to deploy it on Linux / Debian, etc?
Without live examples, we'll mark it as wont fix and task will be closed.
As I understand, there are now ways to implement it natively for sshd
Reopen please if you have/know a solution for it.
@ordex Les us know if you have some ideas
Thanks
Viacheslav edited projects for T190: two factor authentication for OpenVPN remote VPN tunnels, added: VyOS 1.5 Circinus; removed VyOS 1.3 Equuleus (1.3.6).
sarthurdev moved T5912: DHCP Static mapping don't work on every first lease from Open to In Progress on the VyOS 1.5 Circinus board.
sarthurdev changed the status of T5912: DHCP Static mapping don't work on every first lease, a subtask of T3316: Use Kea DHCP(v6) instead of ISC DHCP(v6), from Confirmed to Needs testing.
sarthurdev changed the status of T5912: DHCP Static mapping don't work on every first lease from Confirmed to Needs testing.
sarthurdev changed the status of T5787: dhcp-server allows duplicate static-mapping for the same IP address from In progress to Needs testing.
PR for scoped options and bugfixes: https://github.com/vyos/vyos-1x/pull/2785
Is it still bug? @sempervictus could you re-check?
We probably need more details
Viacheslav closed T4300: Extend list of supported interfaces for Cloud-init Network Configuration as Resolved.
I guess it is already done https://github.com/vyos/vyos-cloud-init/commit/ae74804ede8fb76a7f27ca869f2b880dbe276ca2
@zsdc Can we close it or you are working on it?
n.fort changed the status of T5915: Firewall zone - Re add op-mode commands from Confirmed to In progress.
GitHub <[email protected]> committed rVYOSONEXd7c50c813982: Merge pull request #2783 from vyos/mergify/bp/sagitta/pr-2263 (authored by c-po).
GitHub <[email protected]> committed rVYOSONEX7a03e2b0ab1d: Merge pull request #2781 from vyos/mergify/bp/sagitta/pr-2773 (authored by c-po).
See also forum thread @ https://forum.vyos.io/t/grub-menu-fails-to-load-on-serial-only-devices-with-no-kvm/
Mergify <37929162+mergify[bot]@users.noreply.github.com> committed rVYOSONEX2d778c4cb468: T5530: isis: Adding loop free alternate feature (authored by Cheeze_It).
dutty added a comment to T5814: VyOS 1.3 to 1.4 LTS Firewall ruleset migration script breaks configuration.
In T5814#171114, @Apachez wrote:On the other hand I would expect someone aka the admin who will configure an enterprise firewall such as VyOS could be called to have at least SOME basic knowledge and also some interest to read the documentation on how to configure the firewall.
Mergify <37929162+mergify[bot]@users.noreply.github.com> committed rVYOSONEX65ad6728da9c: T5916: Added segment routing check for index base size and SRGB base size (authored by Cheeze_It).
Mergify <37929162+mergify[bot]@users.noreply.github.com> committed rVYOSONEX31c816bd5301: pki: T5911: fix service update algorithm if certificate name contains a hyphen… (authored by c-po).
Mergify <37929162+mergify[bot]@users.noreply.github.com> committed rVYOSONEX1f236a3ca731: boot-config-loader: T1622: add missing groups to failsafe user (authored by c-po).
Mergify <37929162+mergify[bot]@users.noreply.github.com> committed rVYOSONEX34eadcf2f74a: https: T5902: remove virtual-host configuration (authored by c-po).
GitHub <[email protected]> committed rVYOSONEX8523cfbc1e9f: Merge pull request #2780 from Cheeze-It/current (authored by c-po).
I tried manually loading this config in a VM and I'm still not sure what's causing the issue, maybe something isn't waiting properly for bonded interfaces to be created?:
vyos@vyos# load config.boot-cr01a-vyos.20240109_232428 Loading configuration from 'config.boot-cr01a-vyos.20240109_232428' Load complete. Use 'commit' to make changes effective. [edit] vyos@vyos# commit
In T3871#160827, @jestabro wrote:@stingalleman As mentioned above (and confirmed in discussions earlier this week), we've had few if any reports of issues with the udev approach, so we would be very interested to hear details of your case.
@himurae, Permission and ownership of config directory and files and fine. If you are still seeing the DHCP leases not being created, something else is probably going on.
Cheeze_It renamed T5916: Added segment routing check for index size and SRGB size from Add protocol handler tiebreaker for Segment Routing for IS-IS and OSPF for index base values larger than label base to Added segment routing check for index size and SRGB size .
Put in the PR for this at https://github.com/vyos/vyos-1x/pull/2780
Cheeze_It changed the status of T5916: Added segment routing check for index size and SRGB size from Open to Needs testing.
Could for example be that set system options logtoram enables the feature while set system options logtoram size 32M sets the desired size where the default is 32M or whatever would be needed as a sane minimum.
Jan 9 2024
Jan 9 2024
Maybe making the size of the ramdisk configurable via CLI would be wise? I feel that there's enough variation in hardware configurations out there that hard-coding a value would cause problems.
Apachez added a comment to T5814: VyOS 1.3 to 1.4 LTS Firewall ruleset migration script breaks configuration.
On the other hand I would expect someone aka the admin who will configure an enterprise firewall such as VyOS could be called to have at least SOME basic knowledge and also some interest to read the documentation on how to configure the firewall.
dutty added a comment to T5814: VyOS 1.3 to 1.4 LTS Firewall ruleset migration script breaks configuration.
As a side comment, the new firewall system allows more granular control and sometimes may simplify configuration. It follows better the lower level logic of nftables.
sarthurdev changed the status of T5787: dhcp-server allows duplicate static-mapping for the same IP address from Open to In progress.
dutty added a comment to T5814: VyOS 1.3 to 1.4 LTS Firewall ruleset migration script breaks configuration.
Yes, I agree with that, readability will be better if everything is in order.
n.fort added a comment to T5814: VyOS 1.3 to 1.4 LTS Firewall ruleset migration script breaks configuration.
I suggest changing order just as a cosmetic fix: feels more reasonable/readable to parse first "incoming", and then "outgoing"
dutty added a comment to T5814: VyOS 1.3 to 1.4 LTS Firewall ruleset migration script breaks configuration.
@n.fort
Looks like 1) and 2) is correct, as well as 'Action=accept in vyos command shall remain as accept in nftables'.
However, the 3) is not obvious to me. As long as all rules with Action=Accept in both IN and OUT chains will migrate to Action=return, looks like there should be no difference in order, other than probably for performance reason.
I stopped using conntrack-sync before I moved to 1.3 (which I am currently running) so I can't confirm either way.
I expect it's no longer an issue though and this task can be closed.
Mergify <37929162+mergify[bot]@users.noreply.github.com> committed rVYOSONEXc3ee4b05ff04: console: T4646: Fixed USB console issues (authored by zsdc).
dmbaturin closed T3513: Attempting to remove firewall rule results in error, a subtask of T2199: Rewrite firewall in new XML/Python style, as Not Applicable.
Should be a non-issue with the new firewall implementation.
dmbaturin removed a project from T3763: wireguard checks if port already binding: VyOS 1.3 Equuleus (1.3.6).
sarthurdev changed the status of T5912: DHCP Static mapping don't work on every first lease, a subtask of T3316: Use Kea DHCP(v6) instead of ISC DHCP(v6), from Open to Confirmed.
sarthurdev changed the status of T5912: DHCP Static mapping don't work on every first lease from Open to Confirmed.
n.fort added a comment to T5814: VyOS 1.3 to 1.4 LTS Firewall ruleset migration script breaks configuration.
Changes that seems to be needed only in migration script https://github.com/vyos/vyos-1x/blob/current/src/migration-scripts/firewall/10-to-11:
- Use accept action for base-chains (it's done, no change needed here).
- Migrate action=accept to action=return on every rule.
- fix order and ensure all "in" rules are applied first.
vyos-vm-images will soon be phased out completely.
Jan 9 2024, 8:52 PM · Restricted Project
This issue is on and off, but mostly solved now.
dmbaturin changed the status of T3489: NUMA has been disabled for the past few years and no-one has noticed from Unknown Status to Resolved.
dmbaturin closed T3479: route-maps containing "aggregator as" can not be deleted, a subtask of T2175: Rewriting all FRR processes allow for reloading and to XML/Python style, as Not Applicable.
Jan 9 2024, 8:47 PM · Restricted Project
dmbaturin triaged T3449: Unsuccessful attempt at network boot causes packet loss on associated VLAN as High priority.
Jan 9 2024, 8:44 PM · Restricted Project
dmbaturin triaged T3430: Cloud-init failing with “Unable to render networking” on VyOS 1.3 as High priority.
dmbaturin triaged T3334: Changing serial settings from a serial console ends session abruptly as High priority.
dmbaturin triaged T3338: Some Cloud-Init configurations can prevent login on the router as High priority.
dmbaturin triaged T3011: router becomes unreachable for few minutes when vti interfaces goes down as High priority.
dmbaturin closed T3209: Load balancing rules in firewall, a subtask of T3116: Support back-end L4 level load balancing, as Invalid.
This needs to be properly worded as a feature request, if it's still relevant with the new firewall implementation.
dmbaturin triaged T3204: Performance system option destroy defined sysctl custom params as High priority.
dmbaturin edited projects for T3203: BGP unnumbered - commit fails when route-reflector-client is set, added: VyOS 1.4 Sagitta; removed VyOS 1.3 Equuleus (1.3.6).
dmbaturin closed T3203: BGP unnumbered - commit fails when route-reflector-client is set, a subtask of T2174: Rewrite protocol BGP to new XML/Python style, as Not Applicable.
dmbaturin closed T3203: BGP unnumbered - commit fails when route-reflector-client is set as Not Applicable.
No longer reproducible in 1.5
Jan 9 2024, 8:23 PM · Restricted Project, VyOS 1.3 Equuleus (1.3.9), VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.5 Circinus
dmbaturin closed T3154: route-map CLI allows 32-bit ASNs in community options even though FRR doesn't as Not Applicable.
The CLI prevents that now.
dmbaturin added a comment to T3062: Multiple Wireless SSID's on Single Wireless Card causes a crash.
Someone needs to test it on a system with a real wireless NIC.