1.2.7 Official Image - Config load failed

leonarit · March 29, 2021, 10:53pm

Hi,

I’ve tried to upgrade from 1.2.5 to 1.2.7 using the official VyOS 1.2.7 generic ISO image
and it seems there is something wrong with one of the boot scripts.

I see this error during the boot.

[ OK  ] Started LSB: Set console font and keymap.
[FAILED] Failed to start LSB: Change system config parameters... configuration.
See 'systemctl status vyatta-config-reboot-params.service' for details.
         Starting Load Kernel Modules...
[  OK  ] Started Load Kernel Modules.

Logs from /var/log/messages

Mar 29 22:30:57 localhost systemd[1]: Starting LSB: Change system config parameters based on[ 1152.427539] serial8250: too much work for irq4
 Vyatta configuration...
Mar 29 22:30:57 localhost vyatta-config-reboot-params[1499]: sh: -c: line 0: syntax error near unexpected token `('
Mar 29 22:30:57 localhost vyatta-config-reboot-params[1499]: sh: -c: line 0: `echo options nf_conntrack hashsize=Invalid config file (syntax error): error at line 1930, text [.] nf_conntrack_helper=1 >> /etc/modprobe.d/vyatta_nf_conntrack.conf'
Mar 29 22:30:57 localhost vyatta-config-reboot-params[1499]: run-parts: /opt/vyatta/bin/sudo-users/check-params-on-reboot.d/conntrack-hash-size exited with return code 1
Mar 29 22:30:57 localhost vyatta-config-reboot-params[1499]: Invalid config file (syntax error): error at line 1930, text [.]
Mar 29 22:30:57 localhost vyatta-config-reboot-params[1499]: Invalid config file (syntax error): error at line 1930, text [.]
Mar 29 22:30:57 localhost systemd[1]: vyatta-config-reboot-params.service: control process exited, code=exited status=1
Mar 29 22:30:57 localhost systemd[1]: Failed to start LSB: Change system config parameters based on Vyatta configuration.
Mar 29 22:30:57 localhost systemd[1]: Unit vyatta-config-reboot-params.service entered failed state.
Mar 29 22:38:57 localhost systemd[1]: Starting Cleanup of Temporary Directories...
Mar 29 22:38:57 localhost systemd[1]: Started Cleanup of Temporary Directories.

I’ve upgraded to 1.2.6 using the official image and dont have any problems.

tjh · March 29, 2021, 11:16pm

Hi @leonarit !
What happens if you try to go to 1.2.6, edit something small (like change an interface desc), commit, then try to going to 1.2.7?

If that doesn’t work, it would probably be valuable to log a Phabricator ticket if you’re able, that way the problem can be more officially tracked.

Dmitry · March 30, 2021, 8:56am

Hello @leonarit , also provide please NAT and conntrak configuration.

show configuration commands | strip-private | grep "nat\|conntrack\|sysctl"

leonarit · March 30, 2021, 9:04am

Hi @Dmitry , here’s the output of that command:

set firewall name ICT-LOCAL rule 20 destination port '179'
set firewall name ICT-OSS rule 20 destination group address-group 'OSS1'
set firewall name ICT-OSS rule 30 destination group address-group 'OSS1_NTP'
set firewall name ICT-OSS rule 30 destination port '123'
set firewall name ICT-OSS rule 40 destination address 'xxx.xxx.90.17'
set firewall name ICT-OSS rule 40 destination port '514,161,1514'
set firewall name ICT-OSS rule 50 destination address 'xxx.xxx.90.18'
set firewall name ICT-OSS rule 50 destination port '49'
set firewall name ICT-OSS rule 60 destination address 'xxx.xxx.90.18'
set firewall name ICT-OSS rule 60 destination port '1812,1813'
set firewall name ICT-OSS rule 70 destination address 'xxx.xxx.90.11'
set firewall name ICT-OSS rule 70 destination port '514,1514'
set firewall name ICT-OSS rule 71 destination address 'xxx.xxx.90.11'
set firewall name ICT-OSS rule 71 destination port '514,1514'
set firewall name ICT-OSS rule 75 destination address 'xxx.xxx.90.50'
set firewall name ICT-OSS rule 80 destination address 'xxx.xxx.90.19'
set firewall name ICT-OSS rule 80 destination port '21,22'
set firewall name ICT-OSS rule 90 destination address 'xxx.xxx.90.21'
set firewall name ICT-OSS rule 90 destination port '69'
set firewall name ICT-OSS rule 91 destination address 'xxx.xxx.90.21'
set firewall name ICT-OSS rule 91 destination port '22'
set firewall name ICT-OSS rule 92 destination address 'xxx.xxx.90.51'
set firewall name ICT2-OSS rule 20 destination group address-group 'OSS1'
set firewall name ICT2-OSS rule 30 destination group address-group 'OSS1_NTP'
set firewall name ICT2-OSS rule 30 destination port '123'
set firewall name ICT2-OSS rule 40 destination address 'xxx.xxx.90.17'
set firewall name ICT2-OSS rule 40 destination port '514,161,1514'
set firewall name ICT2-OSS rule 50 destination address 'xxx.xxx.90.18'
set firewall name ICT2-OSS rule 50 destination port '49'
set firewall name ICT2-OSS rule 60 destination address 'xxx.xxx.90.18'
set firewall name ICT2-OSS rule 60 destination port '1812,1813'
set firewall name ICT2-OSS rule 70 destination address 'xxx.xxx.90.11'
set firewall name ICT2-OSS rule 70 destination port '514,1514'
set firewall name ICT2-OSS rule 75 destination address 'xxx.xxx.90.50'
set firewall name ICT2-OSS rule 80 destination address 'xxx.xxx.90.19'
set firewall name ICT2-OSS rule 80 destination port '21,22'
set firewall name ICT2-OSS rule 90 destination address 'xxx.xxx.90.21'
set firewall name ICT2-OSS rule 90 destination port '69'
set firewall name ICT2-OSS rule 91 destination address 'xxx.xxx.90.21'
set firewall name ICT2-OSS rule 91 destination port '22'
set firewall name LAB1-LOCAL rule 30 destination port '389,22'
set firewall name LAB1-OSS rule 30 destination port '389'
set firewall name LAB1-OSS rule 40 destination port '49'
set firewall name LOCAL-OUTSIDE rule 20 destination port '500,4500'
set firewall name LOCAL-OUTSIDE rule 70 destination port '443,1195'
set firewall name OSS-ICT rule 40 destination address 'xxx.xxx.0.0/13'
set firewall name OSS-ICT rule 40 destination port '22,23,80,443,554,22022,65443,65001'
set firewall name OSS-ICT rule 50 destination address 'xxx.xxx.0.0/13'
set firewall name OSS-ICT rule 50 destination port '161'
set firewall name OSS-ICT rule 60 destination address 'xxx.xxx.0.0/16'
set firewall name OSS-ICT rule 60 destination port '22,23,80,443,6080,6081,22022,65443'
set firewall name OSS-ICT rule 70 destination address 'xxx.xxx.0.0/16'
set firewall name OSS-ICT rule 70 destination port '161'
set firewall name OSS-ICT rule 71 destination address 'xxx.xxx.0.49'
set firewall name OSS-ICT rule 75 destination address 'xxx.xxx.2.192/26'
set firewall name OSS-ICT rule 76 destination address 'xxx.xxx.0.17'
set firewall name OSS-ICT2 rule 40 destination address 'xxx.xxx.0.0/13'
set firewall name OSS-ICT2 rule 40 destination port '22,23,80,443,2068,902'
set firewall name OSS-ICT2 rule 50 destination address 'xxx.xxx.0.0/13'
set firewall name OSS-ICT2 rule 50 destination port '161'
set firewall name OSS-ICT2 rule 60 destination address 'xxx.xxx.0.0/16'
set firewall name OSS-ICT2 rule 60 destination port '22,23,80,443,6080'
set firewall name OSS-ICT2 rule 70 destination address 'xxx.xxx.0.0/16'
set firewall name OSS-ICT2 rule 70 destination port '161'
set firewall name OSS-LAB1 rule 21 destination address 'xxx.xxx.50.0/24'
set firewall name OSS-LAB1 rule 22 destination address 'xxx.xxx.90.30'
set firewall name OSS-LAB1 rule 30 destination
set firewall name OSS-LAB1 rule 40 destination address 'xxx.xxx.50.0/24'
set firewall name OSS-LAB1 rule 40 destination port '161'
set firewall name OSS-LOCAL rule 20 destination port '22,179'
set firewall name OSS-LOCAL rule 40 destination port '53,161'
set firewall name OSS-LOCAL rule 60 destination address 'xxx.xxx.90.18'
set firewall name OSS-LOCAL rule 60 destination port '1812,1813'
set firewall name OSS-LOCAL rule 70 destination address 'xxx.xxx.90.21'
set firewall name OSS-LOCAL rule 70 destination port '80,443'
set firewall name OSS-LOCAL rule 71 destination address 'xxx.xxx.90.11'
set firewall name OSS-LOCAL rule 71 destination port '514'
set firewall name OUTSIDE-LOCAL rule 20 destination port '500,4500'
set firewall name OUTSIDE-LOCAL rule 70 destination port '1195'
set nat destination rule 101 description 'TFPTS'
set nat destination rule 101 destination port '69'
set nat destination rule 101 inbound-interface 'eth0'
set nat destination rule 101 protocol 'udp'
set nat destination rule 101 source
set nat destination rule 101 translation address 'xxx.xxx.90.21'
set nat destination rule 101 translation port '69'
set nat destination rule 102 description 'TACACS'
set nat destination rule 102 destination port '49'
set nat destination rule 102 inbound-interface 'eth1'
set nat destination rule 102 protocol 'tcp'
set nat destination rule 102 source
set nat destination rule 102 translation address 'xxx.xxx.90.18'
set nat destination rule 102 translation port '49'
set nat destination rule 103 description 'FTPST1'
set nat destination rule 103 destination port '21'
set nat destination rule 103 inbound-interface 'eth0'
set nat destination rule 103 protocol 'tcp'
set nat destination rule 103 source
set nat destination rule 103 translation address 'xxx.xxx.90.21'
set nat destination rule 103 translation port '21'
set nat destination rule 104 description 'NTP1'
set nat destination rule 104 destination address 'xxx.xxx.90.10'
set nat destination rule 104 destination port '123'
set nat destination rule 104 inbound-interface 'any'
set nat destination rule 104 protocol 'udp'
set nat destination rule 104 source
set nat destination rule 104 translation address 'xxx.xxx.90.15'
set nat destination rule 104 translation port '123'
set nat destination rule 105 description 'OSSRDP1'
set nat destination rule 105 destination address 'xxx.xxx.90.19'
set nat destination rule 105 destination port '8085'
set nat destination rule 105 inbound-interface 'eth0'
set nat destination rule 105 protocol 'tcp'
set nat destination rule 105 source
set nat destination rule 105 translation address 'xxx.xxx.90.30'
set nat destination rule 105 translation port '3389'
set nat destination rule 106 description 'LOG1'
set nat destination rule 106 destination address 'xxx.xxx.128.138'
set nat destination rule 106 destination port '514'
set nat destination rule 106 inbound-interface 'eth0'
set nat destination rule 106 protocol 'udp'
set nat destination rule 106 source
set nat destination rule 106 translation address 'xxx.xxx.90.11'
set nat destination rule 106 translation port '514'
set nat destination rule 107 description 'LOG1'
set nat destination rule 107 destination port '162'
set nat destination rule 107 inbound-interface 'eth0'
set nat destination rule 107 protocol 'udp'
set nat destination rule 107 source
set nat destination rule 107 translation address 'xxx.xxx.90.11'
set nat destination rule 107 translation port '162'
set nat destination rule 108 destination port '10000-10050'
set nat destination rule 108 inbound-interface 'eth0'
set nat destination rule 108 protocol 'tcp'
set nat destination rule 108 source
set nat destination rule 108 translation address 'xxx.xxx.90.21'
set nat destination rule 108 translation port '10000-10050'
set nat source rule 98 destination address '!xxx.xxx.0.0/8'
set nat source rule 98 outbound-interface 'eth0'
set nat source rule 98 source address 'xxx.xxx.90.30'
set nat source rule 98 translation address 'xxx.xxx.128.141'
set nat source rule 99 destination address 'xxx.xxx.0.0/13'
set nat source rule 99 outbound-interface 'eth2'
set nat source rule 99 source address 'xxx.xxx.50.0/24'
set nat source rule 99 translation address 'masquerade'
set nat source rule 100 destination address '!xxx.xxx.0.0/8'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address 'xxx.xxx.90.0/24'
set nat source rule 100 translation address 'masquerade'
set nat source rule 101 destination address 'xxx.xxx.50.0/24'
set nat source rule 101 outbound-interface 'eth1'
set nat source rule 101 source address 'xxx.xxx.27.0/24'
set nat source rule 101 translation address 'masquerade'
set nat source rule 102 destination address 'xxx.xxx.50.0/24'
set nat source rule 102 outbound-interface 'eth1'
set nat source rule 102 source address 'xxx.xxx.90.0/24'
set nat source rule 102 translation address 'masquerade'
set nat source rule 103 destination address '!xxx.xxx.0.0/8'
set nat source rule 103 outbound-interface 'eth0'
set nat source rule 103 source address 'xxx.xxx.60.0/24'
set nat source rule 103 translation address 'masquerade'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 101831 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 01 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 101971 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 101681 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 10191 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 101761 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 101762 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 101763 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1011371 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1011151 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1011141 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 101051 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 101731 allow-nat-networks 'disable'

leonarit · March 30, 2021, 5:40pm

Did a change in 1.2.6 and moved to 1.2.7 but the issue persists.