trae32566 (Trae E Santiago)
User

Projects

User does not belong to any projects.

User Details

User Since
Jan 18 2019, 4:03 PM (310 w, 2 d)

Recent Activity

Wed, Dec 4

trae32566 closed T6809: System CA Not Updated with Configuration as Resolved.

This works!:

trae@cr01b-vyos# set pki ca IPA.TRAE32566.ORG system-install 
[edit]
trae@cr01b-vyos# commit
Archiving config...
  sftp://stor01a-rh9.int.trae32566.org/int/cr01b-vyos [edit]
trae@cr01b-vyos# run restart ntp
[edit]
trae@cr01b-vyos# run show ntp sources
.-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current best, '+' = combined, '-' = not combined,
| /             'x' = may be in error, '~' = too variable, '?' = unusable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* ns02.ac.trae32566.org         2   6     7     0     +2ns[ -188ms] +/- 5513us
^- ns01.ac.trae32566.org         2   6     7     0   +120us[ -188ms] +/- 5598us
Wed, Dec 4, 4:37 AM · VyOS Rolling, Bugs

Nov 1 2024

trae32566 added a comment to T6842: Prevent addition of Bond interfaces to Flowtables.

I think @Viacheslav is right here, I added the ethernet interfaces instead and now it works. I guess maybe add something that prevents adding bonds to flowtable, and instead directs the user to add the member interfaces?

Nov 1 2024, 12:47 AM · VyOS Rolling

Oct 31 2024

trae32566 created T6842: Prevent addition of Bond interfaces to Flowtables.
Oct 31 2024, 3:43 AM · VyOS Rolling

Oct 24 2024

trae32566 added a comment to T6809: System CA Not Updated with Configuration.

Personally, I would just create a directory in /usr/local/share/ca-certificates/ for each CA certificate named the same as that part of the config node (ex: IPA.TRAE32566.ORG in my example), then run update-ca-certificates...I just don't know how to implement this myself.

Oct 24 2024, 2:38 AM · VyOS Rolling, Bugs
trae32566 created T6809: System CA Not Updated with Configuration.
Oct 24 2024, 2:33 AM · VyOS Rolling, Bugs

Oct 15 2024

trae32566 created T6779: Op-Mode community-info and large-community-info Functionality Missing.
Oct 15 2024, 5:19 AM · VyOS Rolling, Bugs
trae32566 added a comment to T6748: `show ntp sources` Command Broken.

@c-po So what's interesting here is it seems like it might be something with the reconfiguration of the daemon. Try deleting and then adding the default config, like this (obviously after delete service ntp and commit):

vyos@cr01-vyos# set service ntp allow-client address 127.0.0.0/8
[edit]
vyos@cr01-vyos# set service ntp allow-client address 169.254.0.0/16
[edit]
vyos@cr01-vyos# set service ntp allow-client address 10.0.0.0/8
[edit]
vyos@cr01-vyos# set service ntp allow-client address 172.16.0.0/12
[edit]
vyos@cr01-vyos# set service ntp allow-client address 192.168.0.0/16
[edit]
vyos@cr01-vyos# set service ntp allow-client address ::1/128
[edit]
vyos@cr01-vyos# set service ntp allow-client address fe80::/10
[edit]
vyos@cr01-vyos# set service ntp allow-client address fc00::/7
[edit]
vyos@cr01-vyos# 
[edit]
vyos@cr01-vyos# set service ntp server time1.vyos.net
[edit]
vyos@cr01-vyos# set service ntp server time2.vyos.net
[edit]
vyos@cr01-vyos# set service ntp server time3.vyos.net
[edit]
vyos@cr01-vyos# commit
Archiving config...
  sftp://stor01a-rh9.int.trae32566.org/bhs/cr01-vyos Host 'stor01a-rh9.int.trae32566.org' not found in known hosts.
Fingerprint: 1083a0c4ff8380df83596781bcddf2a9
Do you wish to continue? [y/N] y
Oct 15 2024, 5:05 AM · Bugs, VyOS Rolling

Sep 30 2024

trae32566 renamed T6751: Missing Well Known Communities in Command Completion from Missing Well Known Communities in Documentation to Missing Well Known Communities in Command Completion.
Sep 30 2024, 5:17 AM · VyOS 1.4 Sagitta (1.4.1), VyOS Rolling, VyOS 1.5 Circinus
trae32566 updated the task description for T6751: Missing Well Known Communities in Command Completion.
Sep 30 2024, 5:16 AM · VyOS 1.4 Sagitta (1.4.1), VyOS Rolling, VyOS 1.5 Circinus
trae32566 updated the task description for T6751: Missing Well Known Communities in Command Completion.
Sep 30 2024, 2:51 AM · VyOS 1.4 Sagitta (1.4.1), VyOS Rolling, VyOS 1.5 Circinus
trae32566 created T6751: Missing Well Known Communities in Command Completion.
Sep 30 2024, 2:49 AM · VyOS 1.4 Sagitta (1.4.1), VyOS Rolling, VyOS 1.5 Circinus

Sep 28 2024

trae32566 created T6748: `show ntp sources` Command Broken.
Sep 28 2024, 9:04 AM · Bugs, VyOS Rolling

Sep 25 2024

trae32566 created T6737: 4K Native Sector Size Install Fails.
Sep 25 2024, 4:54 AM · VyOS Rolling

Sep 12 2024

trae32566 created T6714: NAT66 Interface Group Support.
Sep 12 2024, 6:51 PM · VyOS Rolling

Sep 11 2024

trae32566 created T6711: 'restart vrrp` Functionality Broken.
Sep 11 2024, 11:42 PM · VyOS Rolling, VyOS 1.5 Circinus

Sep 9 2024

trae32566 created T6709: Add EAPOL Bonding Support.
Sep 9 2024, 9:39 PM · VyOS Rolling, VyOS 1.5 Circinus

Jun 6 2024

trae32566 changed the status of T6132: Conntrack-sync Internal Cache Growing Uncontrollably from Needs reporter action to Open.
Jun 6 2024, 6:22 AM · VyOS Rolling, Bugs
trae32566 added a comment to T6132: Conntrack-sync Internal Cache Growing Uncontrollably.

@Viacheslav sorry, for some reason I didn't see this until now. I actually moved the routers to 1.4-epa3 to test whether it occurs on that version, and it does. Here are my conntrack stats after a week on 1.4-epa3 (note that I haven't started seeing connectivity issues yet, but I imagine I will in the next few days once I hit the limit):

trae@cr01a-vyos:~$ show conntrack-sync statist
cache internal:
current active connections:           403218
connections created:                 4998006    failed:            0
connections updated:                11289840    failed:            0
connections destroyed:               4594788    failed:            0
Jun 6 2024, 6:11 AM · VyOS Rolling, Bugs

May 9 2024

trae32566 added a comment to T1641: VRRP conntrack-sync dropping packets passing through the router.

I think this was resolved at some point, but I ended up removing it (the accept-protocol stuff) from my config since it didn't appear necessary and was causing issues, so I'm not certain.

May 9 2024, 8:50 AM · VyOS 1.4 Sagitta (1.4.2)

Mar 17 2024

trae32566 added a comment to T6132: Conntrack-sync Internal Cache Growing Uncontrollably.

Here's the generated configuration from /run/conntrackd/conntrackd.conf:

# Synchronizer settings
Sync {
    Mode FTFW {
        DisableExternalCache on
    }
    Multicast {
        IPv4_address 225.0.0.50
        Group 3780
        IPv4_interface 192.168.15.3
        Interface bond0.110
        SndSocketBuffer 104857600
        RcvSocketBuffer 104857600
        Checksum on
    }
}
Helper {
    Type rpc inet tcp {
        QueueNum 3
        Policy rpc {
            ExpectMax 1
            ExpectTimeout 300
        }
    }
    Type rpc inet udp {
        QueueNum 4
        Policy rpc {
            ExpectMax 1
            ExpectTimeout 300
        }
    }
    Type tns inet tcp {
        QueueNum 5
        Policy tns {
            ExpectMax 1
            ExpectTimeout 300
        }
    }
}
Mar 17 2024, 5:41 PM · VyOS Rolling, Bugs
trae32566 triaged T6132: Conntrack-sync Internal Cache Growing Uncontrollably as High priority.
Mar 17 2024, 12:35 PM · VyOS Rolling, Bugs

Feb 25 2024

trae32566 added a comment to T2447: Additional boot argument configuration to limit CPU C-States.

I would say this would still be useful for c-states, and also for other things, for example setting hugepages, and if I remember right, the VPP addon also requires boot arguments be added.

Feb 25 2024, 10:13 PM · VyOS 1.4 Sagitta (1.4.0-epa3)

Jan 22 2024

trae32566 added a comment to T5941: [1.3.5 -> 1.4.0-RC1 Migration] Orphaned Configuration Nodes Cause Issues.

All you need to do to test it is set interfaces <ifaceClass> <iface> policy, commit, save, and then upgrade from 1.3.5 to 1.4, then this happens:

trae@cr01b-vyos:~$ configure
WARNING: There was a config error on boot: saving the configuration now could overwrite data.
You may want to check and reload the boot config
[edit]
trae@cr01b-vyos# comp saved
[interfaces bonding bond0]
- policy

I feel like maybe it would be a smart move to prune config structures:

  1. when deleting configuration nodes (ex: if I had a traffic policy set, then ran delete interfaces bonding bond0 vif 123 policy route FOO, make sure to delete the policy section of the configuration assuming there is no route6, not just the route FOO part)
  2. when upgrading major versions
Jan 22 2024, 1:42 PM · VyOS 1.4 Sagitta
trae32566 closed T4721: Static IPv6 Route Tags Missing as Resolved.

Yeah I'm migrating everything to 1.4, so I don't need this.

Jan 22 2024, 3:20 AM · VyOS 1.3 Equuleus (1.3.6)

Jan 21 2024

trae32566 added a comment to T5845: sftp/scp commit-archive error.

Yes, this is fixed.

Jan 21 2024, 7:01 AM · VyOS 1.5 Circinus

Jan 17 2024

trae32566 added a comment to T5947: [1.3.2 -> 1.4.0-RC1 Migration] Static ipv6 routes dropped.

I'd be curious if updating to 1.3.5 first, then moving to 1.4 has any impact on this issue. I only say this because I have two separate routers I just upgraded from 1.3.5 that both have the following (after upgrade) which looks to have been correctly migrated:

route6 ::/0 {
    next-hop 2001:db8:3a01:a5::1 {
    }
}
route6 2001:db8:3a01:2::/64 {
    blackhole {
    }
}
route6 2001:db8:3a01:c5::/64 {
    interface bond1.1258 {
    }
}
route6 2001:db8:3a01:fd::/64 {
    interface bond1.1258 {
    }
}
route6 fc00::/7 {
    blackhole {
    }
}
route6 2001:db8:8011:239d::/64 {
    interface bond0.925 {
    }
}
Jan 17 2024, 3:32 AM · VyOS Rolling

Jan 16 2024

trae32566 added a comment to T5940: [1.3.5 -> 1.4.0-RC1 Migration] commit-archive Fails to Migrate.

It also doesn't appear to accept %, *, or ^ in the password. Perhaps we should consider splitting this up into something like:

set system config-management commit-archive location SERVER1 protocol sftp
set system config-management commit-archive location SERVER1 path '/wdc07/cr01b-vyos'
set system config-management commit-archive location SERVER1 host 'stor01a-rh9.int.trae32566.org'
set system config-management commit-archive location SERVER1 user 'myuser'
set system config-management commit-archive location SERVER1 password '$P4SsW0RD!'
Jan 16 2024, 11:34 AM · VyOS 1.4 Sagitta (1.4.0-GA)
trae32566 renamed T5951: [1.4.0-RC2] show hardware dmi Operational Mode Command Broken from [1.3.5 -> 1.4.0-RC2 Migration] show hardware dmi Operational Mode Command Broken to [1.4.0-RC2] show hardware dmi Operational Mode Command Broken.
Jan 16 2024, 6:40 AM · VyOS 1.4 Sagitta
trae32566 created T5951: [1.4.0-RC2] show hardware dmi Operational Mode Command Broken.
Jan 16 2024, 6:04 AM · VyOS 1.4 Sagitta
trae32566 added a comment to T5947: [1.3.2 -> 1.4.0-RC1 Migration] Static ipv6 routes dropped.

I think this is happening because in 1.3, interface-based static routes are under protocols static interface-route6, whereas in 1.4+, they're located in protocols static route6 <address> interface

Jan 16 2024, 5:45 AM · VyOS Rolling

Jan 15 2024

trae32566 added a comment to T5940: [1.3.5 -> 1.4.0-RC1 Migration] commit-archive Fails to Migrate.

I think I see part of what's happening here; it looks like the format for configuration-sync URIs removed the colon (:) between the host and path:
<PROTO>://<USER>:<PASS>@<HOST>:<PATH>
is now:
<PROTO>://<USER>:<PASS>@<HOST><PATH>

Jan 15 2024, 8:09 AM · VyOS 1.4 Sagitta (1.4.0-GA)
trae32566 added a comment to T5939: [1.3.5 -> 1.4.0-RC1 Migration] as-path-list Entries Get Messed Up.

It looks like what this should be converted to is as follows:

trae@cr01b-vyos# show as-path-list 
 as-path-list DAL10 {
     rule 10 {
         action permit
         description "Allow anything from or via DAL10"
>        regex 4242420668_$
     }
 }
 as-path-list IBM {
     rule 10 {
         action permit
         description "Allow anything directly from IBM Cloud"
>        regex ^_42424206(68|70)_$
     }
 }
 as-path-list INT {
     rule 10 {
         action permit
         description "Allow anything from or via int"
>        regex 4242420666_$
     }
 }

It looks like with VyOS 1.3, one way to match AS path (or at least, the way I did it) was to use an escaped parenthesis [\)], but in 1.4+ it appears this way no longer works, and instead those escapes should probably be converted to underscores (_).

Jan 15 2024, 6:24 AM · VyOS 1.4 Sagitta (1.4.0-GA)

Jan 14 2024

trae32566 updated the task description for T5941: [1.3.5 -> 1.4.0-RC1 Migration] Orphaned Configuration Nodes Cause Issues.
Jan 14 2024, 11:56 AM · VyOS 1.4 Sagitta
trae32566 renamed T5941: [1.3.5 -> 1.4.0-RC1 Migration] Orphaned Configuration Nodes Cause Issues from [1.3.5 -> 1.4.0-RC1 Migration] PBR Configuration is Not Migrated to [1.3.5 -> 1.4.0-RC1 Migration] Orphaned Configuration Nodes Cause Issues.
Jan 14 2024, 11:56 AM · VyOS 1.4 Sagitta
trae32566 added a subtask for T5938: Migration fail root task for 1.4-rc: T5941: [1.3.5 -> 1.4.0-RC1 Migration] Orphaned Configuration Nodes Cause Issues.
Jan 14 2024, 11:31 AM · VyOS Rolling, Bugs
trae32566 added a parent task for T5941: [1.3.5 -> 1.4.0-RC1 Migration] Orphaned Configuration Nodes Cause Issues: T5938: Migration fail root task for 1.4-rc.
Jan 14 2024, 11:31 AM · VyOS 1.4 Sagitta
trae32566 updated the task description for T5941: [1.3.5 -> 1.4.0-RC1 Migration] Orphaned Configuration Nodes Cause Issues.
Jan 14 2024, 11:31 AM · VyOS 1.4 Sagitta
trae32566 created T5941: [1.3.5 -> 1.4.0-RC1 Migration] Orphaned Configuration Nodes Cause Issues.
Jan 14 2024, 11:27 AM · VyOS 1.4 Sagitta
trae32566 added a parent task for T5940: [1.3.5 -> 1.4.0-RC1 Migration] commit-archive Fails to Migrate: T5938: Migration fail root task for 1.4-rc.
Jan 14 2024, 11:18 AM · VyOS 1.4 Sagitta (1.4.0-GA)
trae32566 added a subtask for T5938: Migration fail root task for 1.4-rc: T5940: [1.3.5 -> 1.4.0-RC1 Migration] commit-archive Fails to Migrate.
Jan 14 2024, 11:18 AM · VyOS Rolling, Bugs
trae32566 created T5940: [1.3.5 -> 1.4.0-RC1 Migration] commit-archive Fails to Migrate.
Jan 14 2024, 11:18 AM · VyOS 1.4 Sagitta (1.4.0-GA)
trae32566 renamed T5937: [1.3.5 -> 1.4.0-RC1 Migration] IPv6 BGP Neighbor Peer Groups Missing / Not Migrated from [1.3.5 -> 1.4-RC1 Migration] IPv6 BGP Neighbor Peer Groups Missing / Not Migrated to [1.3.5 -> 1.4.0-RC1 Migration] IPv6 BGP Neighbor Peer Groups Missing / Not Migrated.
Jan 14 2024, 10:49 AM · VyOS 1.4 Sagitta
trae32566 renamed T5936: [1.3.5 -> 1.4.0-RC1 Migration] OSPF Passive Interface Configuration Not Working Correctly from [1.3.5 -> 1.4-RC1 Migration] OSPF Passive Interface Configuration Not Working Correctly to [1.3.5 -> 1.4.0-RC1 Migration] OSPF Passive Interface Configuration Not Working Correctly.
Jan 14 2024, 10:49 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
trae32566 added a subtask for T5938: Migration fail root task for 1.4-rc: T5939: [1.3.5 -> 1.4.0-RC1 Migration] as-path-list Entries Get Messed Up.
Jan 14 2024, 10:47 AM · VyOS Rolling, Bugs
trae32566 added a parent task for T5939: [1.3.5 -> 1.4.0-RC1 Migration] as-path-list Entries Get Messed Up: T5938: Migration fail root task for 1.4-rc.
Jan 14 2024, 10:47 AM · VyOS 1.4 Sagitta (1.4.0-GA)
trae32566 created T5939: [1.3.5 -> 1.4.0-RC1 Migration] as-path-list Entries Get Messed Up.
Jan 14 2024, 10:46 AM · VyOS 1.4 Sagitta (1.4.0-GA)
trae32566 created T5937: [1.3.5 -> 1.4.0-RC1 Migration] IPv6 BGP Neighbor Peer Groups Missing / Not Migrated.
Jan 14 2024, 10:18 AM · VyOS 1.4 Sagitta
trae32566 added a comment to T5933: Unable to commit BGP config with unnumbered neighbour.

@samip537 You should use the peer group definition inside the v6-only stanza, like so:

neighbor wg1 {
    interface {
        v6only {
            peer-group BACKBONE
            remote-as 4242420669
        }
    }
}
Jan 14 2024, 9:53 AM · Bugs, VyOS Rolling, VyOS 1.5 Circinus
trae32566 updated the task description for T5936: [1.3.5 -> 1.4.0-RC1 Migration] OSPF Passive Interface Configuration Not Working Correctly.
Jan 14 2024, 9:41 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
trae32566 created T5936: [1.3.5 -> 1.4.0-RC1 Migration] OSPF Passive Interface Configuration Not Working Correctly.
Jan 14 2024, 9:39 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta

Jan 12 2024

trae32566 added a comment to T5928: Configuration fails to load on boot if offloading has VLAN interfaces defined.

My only comment here would be to hesitate when putting in restrictions; as Doug Gwyn once said:

Unix was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.

Jan 12 2024, 9:30 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta

Jan 10 2024

trae32566 added a comment to T5863: Failure to Load Config on Recent 1.5 Versions.

I tried manually loading this config in a VM and I'm still not sure what's causing the issue, maybe something isn't waiting properly for bonded interfaces to be created?:

vyos@vyos# load config.boot-cr01a-vyos.20240109_232428
Loading configuration from 'config.boot-cr01a-vyos.20240109_232428'
Load complete. Use 'commit' to make changes effective.
[edit]
vyos@vyos# commit
Jan 10 2024, 5:42 AM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus

Dec 30 2023

trae32566 attached a referenced file: F4059192: config-sanitized.boot.
Dec 30 2023, 4:15 AM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus

Dec 28 2023

trae32566 added a comment to T5845: sftp/scp commit-archive error.

I haven't been able to test beyond 1.5-rolling-202312130023 due to T5863. I'll test it again once I'm able to update to the latest rolling. Thanks!

Dec 28 2023, 5:42 PM · VyOS 1.5 Circinus
trae32566 triaged T5864: 'show ntp' Commands Not Working as Normal priority.
Dec 28 2023, 8:44 AM · VyOS 1.5 Circinus
trae32566 added a comment to T5845: sftp/scp commit-archive error.

Yeah I'm having this issue as well:

trae@cr01a-vyos# commit
Archiving config...
  sftp://stor01a-rh9.int.trae32566.org/int/cr01a-vyos FAILED!
Dec 28 2023, 3:43 AM · VyOS 1.5 Circinus
trae32566 closed T5827: image-tools: 'show system image' Command Not in Order, a subtask of T4516: Rewrite system image manipulation tools in Python, as Resolved.
Dec 28 2023, 2:32 AM · VyOS 1.4 Sagitta (1.4.0-epa3)
trae32566 closed T5827: image-tools: 'show system image' Command Not in Order as Resolved.
Dec 28 2023, 2:32 AM · VyOS 1.5 Circinus

Dec 27 2023

trae32566 created T5863: Failure to Load Config on Recent 1.5 Versions.
Dec 27 2023, 8:58 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
trae32566 added a comment to T4541: Improve `strip-private` to make stripped configs reproducible.

Food for thought:

Dec 27 2023, 8:49 PM · VyOS Rolling

Dec 14 2023

trae32566 renamed T5827: image-tools: 'show system image' Command Not in Order from image-tools: Show System Image Command Not in Order to image-tools: 'show system image' Command Not in Order.
Dec 14 2023, 12:43 PM · VyOS 1.5 Circinus
trae32566 added a subtask for T4516: Rewrite system image manipulation tools in Python: T5827: image-tools: 'show system image' Command Not in Order.
Dec 14 2023, 12:41 PM · VyOS 1.4 Sagitta (1.4.0-epa3)
trae32566 added a parent task for T5827: image-tools: 'show system image' Command Not in Order: T4516: Rewrite system image manipulation tools in Python.
Dec 14 2023, 12:41 PM · VyOS 1.5 Circinus
trae32566 renamed T5827: image-tools: 'show system image' Command Not in Order from image-toolsShow System Image Command Not in Order to image-tools: Show System Image Command Not in Order.
Dec 14 2023, 12:39 PM · VyOS 1.5 Circinus
trae32566 renamed T5827: image-tools: 'show system image' Command Not in Order from Show System Image Command Not in Order to image-toolsShow System Image Command Not in Order.
Dec 14 2023, 12:38 PM · VyOS 1.5 Circinus
trae32566 updated the task description for T5827: image-tools: 'show system image' Command Not in Order.
Dec 14 2023, 12:37 PM · VyOS 1.5 Circinus
trae32566 changed the status of T5827: image-tools: 'show system image' Command Not in Order from Open to In progress.
Dec 14 2023, 12:32 PM · VyOS 1.5 Circinus
trae32566 added a comment to T5827: image-tools: 'show system image' Command Not in Order.

should be fixed by https://github.com/vyos/vyos-1x/pull/2634

Dec 14 2023, 11:50 AM · VyOS 1.5 Circinus
trae32566 created T5827: image-tools: 'show system image' Command Not in Order.
Dec 14 2023, 11:24 AM · VyOS 1.5 Circinus

Dec 12 2023

trae32566 added a comment to T5816: BGP Large Community List Validation Broken.

This should fix it:
{F4006571}

Dec 12 2023, 11:43 AM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
trae32566 created T5816: BGP Large Community List Validation Broken.
Dec 12 2023, 9:58 AM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus

Sep 18 2023

trae32566 added a comment to T5554: Disable sudo for PAM RADIUS.

I haven't tried anything else since I rebooted back into 1.4, but I did try sudo su - which gave the same error.

Sep 18 2023, 7:13 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
trae32566 added a comment to T5554: Disable sudo for PAM RADIUS.

I think this broke a whole lot of things for RADIUS users (these work fine in 1.4-rolling-202308040317, but are broken in 1.5-rolling-202309170024):

Sep 18 2023, 6:25 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta

Jul 11 2023

trae32566 reopened T1869: Install and Boot from RAID Doesn't Work as "Open".

Why is this closed? If you don't want the functionality, fine, but don't leave broken functionality in the installer....at least take it out so you're not confusing your users when it doesn't work.

Jul 11 2023, 10:12 PM

Jul 9 2023

trae32566 added a comment to T775: Config Sync between two VyOS routers.

@Viacheslav So I figured out what's causing it... it looks like for some reason my commit-archive configuration on the secondary side (which works fine normally) is causing the hanging. As soon as I remove the set system config-management commit-archive on the secondary side, everything starts working fine, even with my full firewall configuration. Has this been tested at all with commit-archive? Could there be some sort of bug happening with it? Here's the section of the secondary side config, for reference:

[system config-management]
- commit-archive {
-     location "sftp://<someUser>:<somePass>@stor01a-rh9.int.trae32566.org/int/cr01b-vyos"
-     source-address "fd52:d62e:8011:fffe::3"
- }
Jul 9 2023, 6:21 PM · VyOS 1.4 Sagitta
trae32566 added a comment to T775: Config Sync between two VyOS routers.

Yeah I tried increasing the timeout to the maximum (300) and it still timed out, but I'll try config-sync mode 'set' I guess. The config is fairly large; 549 lines of just set firewall.

Jul 9 2023, 6:01 PM · VyOS 1.4 Sagitta
trae32566 added a comment to T775: Config Sync between two VyOS routers.

@Viacheslav I'm not sure why, but it appears that after doing this, there is high CPU usage on the secondary side, and eventually it stops responding entirely (bgp sessions go down, no response to anything via icmp) and has to be hard reset; it won't even respond to a console login attempt:

image.png (668×819 px, 380 KB)

Jul 9 2023, 5:04 PM · VyOS 1.4 Sagitta
trae32566 added a comment to T775: Config Sync between two VyOS routers.

@Viacheslav I think that fixed it...sorta. It looks like now it does sync successfully, though it appears to time out after a while for some reason:

trae@cr01a-vyos:~$ sudo nano -c +140 /run/scripts/commit/post-hooks.d/vyos_config_sync
trae@cr01a-vyos:~$ sudo systemctl restart vyos-configd
trae@cr01a-vyos:~$ configure
[edit]
trae@cr01a-vyos# set firewall name INT_TO_LOCAL rule 80 destination address 192.168.253.2-192.168.253.3
[edit]
trae@cr01a-vyos# commit
INFO:vyos_config_sync:Config synchronization: Mode=load, Secondary=cr01b-vyos.int.rtr.trae32566.org
Jul 9 2023, 3:00 PM · VyOS 1.4 Sagitta
trae32566 added a comment to T775: Config Sync between two VyOS routers.

Same version on both, 1.4-rolling-202307070317. Also, if you can disable 2 factor on my Slack account (tsantiago@us.ibm.com) we can talk in Slack about this (lost my 2 factor app / backup codes).
@Viacheslav

Jul 9 2023, 2:45 PM · VyOS 1.4 Sagitta
trae32566 added a comment to T775: Config Sync between two VyOS routers.

@trae32566 Try the same with ip address, I tested with IPv4 addresses

Jul 9 2023, 1:15 PM · VyOS 1.4 Sagitta
trae32566 added a comment to T775: Config Sync between two VyOS routers.

@Viacheslav Thanks for all the work on this, I'm glad to see it moving along! This doesn't appear to work for me on 1.4-rolling-202307070317; I've configured it for both firewall and NAT and it appears to not be getting triggered (though I've only tried firewall changes so far). Here's the primary side (cr01a-vyos.int) config:

trae@cr01a-vyos# show service config-sync
 mode load
 secondary {
     address cr01b-vyos.int.rtr.trae32566.org
     key <MyKey>
 }
 section nat
 section firewall
Jul 9 2023, 3:36 AM · VyOS 1.4 Sagitta

Feb 13 2023

trae32566 added a comment to T4774: Disallow duplicate pubkey on peers of a wireguard interface.
In T4774#142529, @c-po wrote:

Please note the WireGuard crypto Key routing concept: https://www.wireguard.com/#cryptokey-routing

Keys should not be re-used

Feb 13 2023, 6:52 AM · VyOS 1.3 Equuleus (1.3.6), VyOS 1.4 Sagitta
trae32566 updated subscribers of T4774: Disallow duplicate pubkey on peers of a wireguard interface.

@sdev @c-po @Alfa80 Can we look at rolling this back until it works fully, or fixing it so that it allows the above scenario please? Newer versions of 1.4 are unusable for me for a few months due to this. Let me know if I should file a separate bug.

Feb 13 2023, 6:44 AM · VyOS 1.3 Equuleus (1.3.6), VyOS 1.4 Sagitta

Nov 22 2022

trae32566 added a comment to T4774: Disallow duplicate pubkey on peers of a wireguard interface.

This breaks a perfectly valid use case which I utilize regularly: using IPv4 + IPv6 peers with the same public key. Why would I want to create multiple keys for the exact same devices going over IPv4 and IPv6? If you want to include a warning, fine, but don't limit functionality based on someone's interpretation of how something will be used. I understand where this came from, but any time you limit functionality, you limit your users. As Donald Knuth once said:

Unix was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.

Nov 22 2022, 5:14 AM · VyOS 1.3 Equuleus (1.3.6), VyOS 1.4 Sagitta

Sep 30 2022

trae32566 created T4721: Static IPv6 Route Tags Missing.
Sep 30 2022, 3:34 AM · VyOS 1.3 Equuleus (1.3.6)

Jun 30 2022

trae32566 added a comment to T1641: VRRP conntrack-sync dropping packets passing through the router.

@trae32566 Extend conntrack table and reduce timeouts:
for example

Jun 30 2022, 8:37 PM · VyOS 1.4 Sagitta (1.4.2)
trae32566 added a comment to T1641: VRRP conntrack-sync dropping packets passing through the router.

This seems to be an issue in 1.4 as well, I have the exact same symptoms, and removing the accept-protocol fixes the issue.

Jun 30 2022, 3:05 AM · VyOS 1.4 Sagitta (1.4.2)

Jun 16 2022

trae32566 created T4467: Validator Does Not Accept Signed Numbers.
Jun 16 2022, 6:44 AM · VyOS 1.4 Sagitta

Dec 17 2021

trae32566 added a comment to T3628: commit-archive source-address Interface Broken.
Dec 17 2021, 10:46 AM · VyOS 1.4 Sagitta
trae32566 reopened T3628: commit-archive source-address Interface Broken, a subtask of T3356: Script for remote file transfers, as Open.
Dec 17 2021, 9:31 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
trae32566 reopened T3628: commit-archive source-address Interface Broken as "Open".
Dec 17 2021, 9:31 AM · VyOS 1.4 Sagitta
trae32566 added a comment to T3628: commit-archive source-address Interface Broken.

Still broken:

trae@cr01b-vyos:~$ show conf com | grep arch
set service dhcp-server shared-network-name INT subnet 192.168.1.0/24 domain-search 'int.trae32566.org'
set service dhcp-server shared-network-name INT subnet 192.168.1.0/24 domain-search 'ipa.trae32566.org'
set service dhcp-server shared-network-name INT subnet 192.168.1.0/24 domain-search 'trae32566.org'
set system config-management commit-archive location 'sftp://USER:PASS@stor01z-rh8.int.trae32566.org:/int/cr01b-vyos'
set system config-management commit-archive source-address 'lo'
set system domain-search domain 'int.trae32566.org'
set system domain-search domain 'ipa.trae32566.org'
set system domain-search domain 'trae32566.org'
trae@cr01b-vyos:~$ configure
[edit]
trae@cr01b-vyos# set system host-name temp
[edit]
trae@cr01b-vyos# commit
Using source address lo
Archiving config...
  sftp://stor01z-rh8.int.trae32566.org:/int/cr01b-vyos Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python3/dist-packages/vyos/remote.py", line 312, in upload
    urlc(urlstring, *args, **kwargs).upload(local_path)
  File "/usr/lib/python3/dist-packages/vyos/remote.py", line 202, in upload
    with self._establish() as ssh, ssh.open_sftp() as sftp:
  File "/usr/lib/python3/dist-packages/vyos/remote.py", line 189, in _establish
    sock = socket.create_connection((self.hostname, self.port), socket.getdefaulttimeout(), self.source)
  File "/usr/lib/python3.9/socket.py", line 843, in create_connection
    raise err
  File "/usr/lib/python3.9/socket.py", line 830, in create_connection
    sock.bind(source_address)
socket.gaierror: [Errno -5] No address associated with hostname
[edit]

This is on 1.4-rolling-202112160318

Dec 17 2021, 9:30 AM · VyOS 1.4 Sagitta

Dec 6 2021

trae32566 reopened T1869: Install and Boot from RAID Doesn't Work as "Open".

I think this actually inadvertently broke things even more, because now:

Dec 6 2021, 7:43 AM

Nov 20 2021

trae32566 added a comment to T3936: [Feature] - DHCP Option 82 Support.

I think this is what it would look like in service dhcp server. I left some comments to explain my thinking a bit, and I tried to make it as flexible as possible (for example the way match options are strings, so future DHCP options can be supported as soon as ISC supports them):

failover {
    name INT
    remote 192.168.15.4
    source-address 192.168.15.3
    status primary
}
shared-network-name INT {
    description "Internal connection to ir01"
    class CLIENT_MAP {
       rule 10 {
           action permit                                       # This is equivalent to dhcpd's allow/deny members of
           match option "agent.circuit_id" value "Vlan200"     # This could match any option (ex: dhcp-client-identifier)
       }
    }
    class GUEST_MAP {
       rule 10 {
           action permit
           match option "agent.circuit_id" value "Vlan240"
       }
    }
    subnet 192.168.1.0/24 {
        class CLIENT_MAP
        default-router 192.168.1.1
        domain-name int.trae32566.org
        domain-search int.trae32566.org
        domain-search ipa.trae32566.org
        domain-search trae32566.org
        enable-failover
        name-server 192.168.255.1
        name-server 192.168.15.10
        name-server 192.168.31.3
        ntp-server 192.168.255.2
        ntp-server 192.168.15.11
        ntp-server 192.168.31.4
        range CLIENTS {
            start 192.168.1.2
            stop 192.168.1.240
        }
        server-identifier 192.168.15.2
        static-mapping QUEST {
            ip-address 192.168.1.17
            mac-address 80:f3:ef:11:e7:e7
        }
    }
    subnet 192.168.6.0/24 {
        class GUEST_MAP
        default-router 192.168.6.1
        enable-failover
        name-server 1.1.1.1
        name-server 1.0.0.1
        name-server 8.8.8.8
        ntp-server 50.205.57.38
        ntp-server 64.225.34.103
        ntp-server 129.250.35.251
        server-identifier 192.168.15.2
        range GUESTS {
            start 192.168.6.2
            stop 192.168.6.254
        }
    }
    subnet 192.168.15.0/29 {        # This tells it indirectly to use the interface eth2, which is on this subnet (is there a better way?)
        default-router 192.168.15.1
        enable-failover
        range DUMMY {
            start 192.168.15.2
            stop 192.168.15.7
        }
    }
}
Nov 20 2021, 3:54 AM · VyOS Rolling

Oct 23 2021

trae32566 created T3936: [Feature] - DHCP Option 82 Support.
Oct 23 2021, 11:26 PM · VyOS Rolling

Oct 14 2021

trae32566 created T3906: [Traffic Control] Invalid Port Configuration Still Commits.
Oct 14 2021, 8:28 AM · Known issue, VyOS 1.4 Sagitta
trae32566 awarded T2798: Allow port range in tc filter a Like token.
Oct 14 2021, 8:13 AM · VyOS Rolling

Oct 9 2021

trae32566 created T3898: [RADIUS] - Reverse DNS Lookup Failing.
Oct 9 2021, 10:52 PM · Bugs, VyOS 1.4 Sagitta (1.4.0-GA)

Jul 8 2021

trae32566 added a comment to T3628: commit-archive source-address Interface Broken.
trae@cr01a-vyos# show system config-management 
 commit-archive {
     location sftp://cr01a-vyos.int:<somePassword>@stor01z-rh8.int.trae32566.org:/int/cr01a-vyos
     source-address lo
 }
 commit-revisions 10000
Jul 8 2021, 5:20 AM · VyOS 1.4 Sagitta

Jul 7 2021

trae32566 reopened T3628: commit-archive source-address Interface Broken, a subtask of T3356: Script for remote file transfers, as Open.
Jul 7 2021, 5:51 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta