Have tried setting conntrack-sync but every configuration parameter results in Set failed. An example is:
set service conntrack-sync accept-protocol tcp
Tried it on 1.3.0 LTS, 1.3.1 and both failed.
Surprisingly after reverting to 1.3.0 EPA3 I am able to set these parameters. Does anyone have any idea why this may be so? Am I missing something?
Not that I fully got it working on 1.3.0 EPA3 but just that I can even set it without error.
I see the following in /var/log/cfg-stdout.log
failed to add node [/opt/vyatta/config/tmp/new_config_8544/service/conntrack-sync]
set cfg path failed
Hi, @javier.wong !
Can you provide a complete configuration or step-by-step commands that trigger the issue?
Hi @zsdc just setting the conntrac-sync protocol would trigger it.
set service conntrack-sync accept-protocol dccp
Set failed
[edit]
I found out that the permissions in folders in /opt/vyatta/config do affect this in some way
vyos@<redacted># pwd
/opt/vyatta/config/tmp/new_config_30580
[edit]
vyos@<redacted># ls -l
total 0
drwxrwxr-x 1 vyos root 300 Apr 11 22:23 **firewall**
drwxrwxr-x 1 vyos root 60 Apr 11 22:23 **high-availability**
drwxrwxr-x 1 vyos root 100 Apr 11 22:23 **interfaces**
drwxrwxr-x 1 vyos root 60 Apr 11 22:23 **policy**
drwxrwxr-x 1 vyos root 80 Apr 11 22:23 **protocols**
drwxrwxr-x 1 vyos root 100 Apr 11 22:23 **service**
drwxrwxr-x 1 vyos root 220 Apr 11 22:23 **system**
drwxrwxr-x 1 vyos root 60 Apr 11 22:23 **traffic-policy**
[edit]
vyos@<redacted># sudo chown -R vyos ./
[edit]
vyos@<redacted># ls -l
total 0
drwxrwxr-x 1 vyos vyattacfg 300 Apr 13 06:58 firewall
drwxrwxr-x 1 vyos vyattacfg 60 Apr 13 06:58 high-availability
drwxrwxr-x 1 vyos vyattacfg 100 Apr 13 06:58 interfaces
drwxrwxr-x 1 vyos vyattacfg 60 Apr 13 06:58 policy
drwxrwxr-x 1 vyos vyattacfg 80 Apr 13 06:58 protocols
drwxrwxr-x 1 vyos vyattacfg 100 Apr 13 06:58 service
drwxrwxr-x 1 vyos vyattacfg 220 Apr 13 06:58 system
drwxrwxr-x 1 vyos vyattacfg 60 Apr 13 06:58 traffic-policy
[edit]
changing the ownership of the folders to vyos which will change the group to vyattacfg seems to help so that I can set the conntrack-sync in configure mode but commit also results in failure with the message Abort being shown.
I gave up and found that editing /config/config.boot directly was possible to set conntrack-sync.
But then I realized after doing all of this and once I reboot the router I can’t even do configuration on items which I previously could e.g.
vyos@<redacted># set high vrrp group <redacted> disable
Set failed
[edit]
I get the feeling it has something to do with permissions on some folders but cant seem to figure out what should be the right permissions and how come it went haywire in the first place. Anyone has any idea what should be the right permission settings for the folders to keep it permanent?
It seems your vrrp or other scripts were started from root and not from group vyattacfg
In this case you can’t configure anything
Not only conntrack-sync
You must start scripts from correct group.
sorry but I am not very familiar with where the scripts are located. Where should I be looking for these scripts? and should I just do a simple sudo chown -R vyos ./ on those folders?
On a side note wonder why its like this, I cannot remember ever doing any permission changes on any files / folders except when troubleshooting this problem. All configuration that I’ve done has been through the standard configure etc.
Thank you.
Would anyone happen to know how I can reset the permissions (if this is indeed the correct thing to do) or get the scripts to run using the vyattacfg group?
Right now I cant do any configuration at all using configure. All configuration results in Set failed.
Just reboot the router and you get correct permissions
To execute scripts from correct group
After #!/ust/bin/vbash
Add
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi
And after this paste your code
Thanks real much @Viacheslav this was the one. Just noticed that this was in the guides and I totally missed it out. Thank you! sincerely much appreciated.
So is it safe to say that this is mandatory if we are running vbash scripts? I suppose if this is not set it seems like root is always used to run it.