Conntrack-sync configuration failed

I have tried setting up conntrack-sync, but every configuration parameter results in "Set failed". An example is:

set service conntrack-sync accept-protocol tcp

Tried it on 1.3.0 LTS, 1.3.1 and both failed.

Surprisingly after reverting to 1.3.0 EPA3 I am able to set these parameters. Does anyone have any idea why this may be so? Am I missing something?

Not that I fully got it working on 1.3.0 EPA3, just that I can at least set it without error.

I see the following in /var/log/cfg-stdout.log

failed to add node [/opt/vyatta/config/tmp/new_config_8544/service/conntrack-sync]

set cfg path failed

Hi, @javier.wong !

Can you provide a complete configuration or step-by-step commands that trigger the issue?

Hi @zsdc, just setting the conntrack-sync protocol would trigger it.

set service conntrack-sync accept-protocol dccp

  Set failed

[edit]

I found out that the permissions on the folders in /opt/vyatta/config do affect this in some way:

vyos@<redacted># pwd
/opt/vyatta/config/tmp/new_config_30580
[edit]
vyos@<redacted># ls -l
total 0
drwxrwxr-x 1 vyos root 300 Apr 11 22:23 firewall
drwxrwxr-x 1 vyos root  60 Apr 11 22:23 high-availability
drwxrwxr-x 1 vyos root 100 Apr 11 22:23 interfaces
drwxrwxr-x 1 vyos root  60 Apr 11 22:23 policy
drwxrwxr-x 1 vyos root  80 Apr 11 22:23 protocols
drwxrwxr-x 1 vyos root 100 Apr 11 22:23 service
drwxrwxr-x 1 vyos root 220 Apr 11 22:23 system
drwxrwxr-x 1 vyos root  60 Apr 11 22:23 traffic-policy
[edit]

vyos@<redacted># sudo chown -R vyos ./
[edit]
vyos@<redacted># ls -l
total 0
drwxrwxr-x 1 vyos vyattacfg 300 Apr 13 06:58 firewall
drwxrwxr-x 1 vyos vyattacfg  60 Apr 13 06:58 high-availability
drwxrwxr-x 1 vyos vyattacfg 100 Apr 13 06:58 interfaces
drwxrwxr-x 1 vyos vyattacfg  60 Apr 13 06:58 policy
drwxrwxr-x 1 vyos vyattacfg  80 Apr 13 06:58 protocols
drwxrwxr-x 1 vyos vyattacfg 100 Apr 13 06:58 service
drwxrwxr-x 1 vyos vyattacfg 220 Apr 13 06:58 system
drwxrwxr-x 1 vyos vyattacfg  60 Apr 13 06:58 traffic-policy
[edit]

Changing the ownership of the folders to vyos, which also changes the group to vyattacfg, seems to help: I can then set conntrack-sync in configure mode, but commit still fails with the message "Abort".

I gave up and found that it was possible to set conntrack-sync by editing /config/config.boot directly.

But then I realized that after doing all of this, once I reboot the router I can't even configure items which I previously could, e.g.

vyos@<redacted># set high vrrp group <redacted> disable 

  Set failed

[edit]

I get the feeling it has something to do with permissions on some folders, but I can't seem to figure out what the right permissions should be, or how it went haywire in the first place. Does anyone have any idea what the right permission settings for the folders should be to keep it permanent?

It seems your VRRP or other scripts were started from root and not from the group vyattacfg.
In this case you can't configure anything,
not only conntrack-sync.
You must start scripts from the correct group.

Sorry, but I am not very familiar with where the scripts are located. Where should I be looking for these scripts, and should I just do a simple sudo chown -R vyos ./ on those folders?

On a side note, I wonder why it's like this; I cannot remember ever doing any permission changes on any files or folders except when troubleshooting this problem. All configuration that I've done has been through the standard configure etc.

Thank you.

Would anyone happen to know how I can reset the permissions (if this is indeed the correct thing to do) or get the scripts to run using the vyattacfg group?

Right now I can't do any configuration at all using configure. All configuration results in "Set failed".

Just reboot the router and you get the correct permissions.

To execute scripts from the correct group,
after #!/usr/bin/vbash
add:

if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi

And after this paste your code
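As an added illustration (not code from this thread or from the VyOS project), here is how that guard fits at the top of a vbash helper, paired with a hypothetical `audit_cfg_group` function that reports working-config folders whose group is not vyattacfg, the symptom seen in the `ls -l` output above:

```shell
#!/bin/vbash
# Added illustration, not code from the thread or from the VyOS project.
# The guard is the one from the post above; audit_cfg_group is a
# hypothetical helper that checks the group ownership of the folders.

# Re-exec under the vyattacfg group when the script was started under
# another group (for example from a root-owned hook or cron job).
reexec_as_vyattacfg() {
    if [ "$(id -g -n)" != 'vyattacfg' ]; then
        exec sg vyattacfg -c "/bin/vbash $(readlink -f "$0") $*"
    fi
}

# Report entries directly under $1 whose group is not $2.
# Offenders go to stderr; the count goes to stdout so callers can check it.
audit_cfg_group() {
    dir=$1
    want=$2
    bad=0
    for p in "$dir"/*; do
        [ -e "$p" ] || continue
        # GNU stat first, BSD stat as a fallback.
        have=$(stat -c %G "$p" 2>/dev/null || stat -f %Sg "$p")
        if [ "$have" != "$want" ]; then
            echo "wrong group: $p is $have, expected $want" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# Only act when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    reexec_as_vyattacfg "$@"
    n=$(audit_cfg_group /opt/vyatta/config/tmp vyattacfg)
    if [ "$n" -ne 0 ]; then
        echo "$n entries have the wrong group; a reboot restores them" >&2
        exit 1
    fi
fi
```

Run it as `./check-cfg-group.sh --run` on the router; a non-zero count means the working-config folders were created by a process outside the vyattacfg group.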

Thanks very much @Viacheslav, this was the one. I just noticed that this was in the guides and I totally missed it. Thank you! Sincerely, much appreciated.

So is it safe to say that this is mandatory if we are running vbash scripts? I suppose that if this is not set, it seems root is always used to run it.