Issues encountered while upgrading from 1.1.8 to 1.2.0 (201904151631)

I’ve tried today to upgrade VyOS from 1.1.8 to 1.2.0 build 201904151631, and I’ve encountered the following issues:

  • it seems that in service dhcp-server the authoritative enable is missing, and is not replaced with authoritative as it would happen if configured manually; the following is the relevant diff between the before-upgrade and after manually re-enabling the authoritative option (diff -U10 -w ./config.boot.2019-04-15-1740.pre-migration ./config.boot) (i.e. the authoritative line is missing from the automatically migrated file):
 service {
     dhcp-server {
-        disabled false
         shared-network-name ******** {
-            authoritative enable
+            authoritative
             subnet ********/24 {
  • I did encounter a strange error with the initial configuration migration because of my L2TP VPN (which is almost a 1-to-1 match of what is presented in the documentation); (I fixed it by rebooting with 1.1.8, deleting that configuration, and re-adding the commands afterwards;) I think the issue is only with the migration script (especially since I don’t have any RADIUS related configuration); the following is the relevant extract from /var/log/messages:
Apr 15 17:40:39 localhost vyos-router[956]: Starting VyOS router: migrateTraceback (most recent call last):
Apr 15 17:40:39 localhost vyos-router[956]: File "/opt/vyatta/etc/config-migrate/migrate/l2tp/0-to-1", line 38, in <module>
Apr 15 17:40:39 localhost vyos-router[956]: for server in config.list_nodes(cfg_base + ['radius-server']):
Apr 15 17:40:39 localhost vyos-router[956]: File "/usr/lib/python3/dist-packages/vyos/configtree.py", line 255, in list_nodes
Apr 15 17:40:39 localhost vyos-router[956]: raise ConfigTreeError("Path [{}] doesn't exist".format(path_str))
Apr 15 17:40:39 localhost vyos-router[956]: vyos.configtree.ConfigTreeError: Path [b'vpn l2tp remote-access authentication radius-server'] doesn't exist
  • previously system domain-name allowed a domain-name that ended in a dot, like for example domain-name whatever.; now it silently fails when booting, but the hostname remains debian; manually configuring it issues an error about the invalid domain name;

  • previously the service ssh allow-root option existed, which now has disappeared; even by setting service ssh access-control allow user root the resulting /etc/ssh/sshd_config still contains PermitRootLogin no; (I understand the risks of allowing root to login via SSH, but if one uses key only authentication it is safe enough; especially since admin, which is allowed to SSH, does have password-less sudo rights;) (I think this is related to T167 "set service ssh allow-root" is not enough to root system-access via ssh)

  • previously the root shell was bash, and now it is vbash; (bash as default shell for root combined with the previously mentioned SSH access for root, would allow one to write some automation scripts with ssh, outside the control language, but now these are broken;) (this was not mentioned in the release notes;)

  • moreover previously if one would just issue sudo -i it would start bash as root, but now it just starts vbash as root;
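
As an added example (not part of the original post and not VyOS project code), the following pre-upgrade check scans a 1.1.8-style config.boot for three of the constructs reported above: `authoritative enable` under dhcp-server, a `domain-name` ending in a dot, and an L2TP remote-access block with no `radius-server` node. The sample configuration, the function names and the finding codes are constructed for illustration, and it assumes `radius-server` appears as a tag node.

```python
import shlex
# Constructed 1.1.8-style config.boot fragment (not taken from the thread).
SAMPLE = """service {
    dhcp-server {
        shared-network-name LAN {
            authoritative enable
        }
    }
}
system {
    domain-name whatever.
}
vpn {
    l2tp {
        remote-access {
            authentication {
                mode local
            }
        }
    }
}
"""

def parse_config(text):
    """Flatten brace-style config text into (node paths, [(leaf path, value)])."""
    stack, nodes, leaves = [], set(), []
    for line in map(str.strip, text.splitlines()):
        if line.endswith("{"):
            stack.append(shlex.split(line[:-1]))  # a tag node pushes name + tag
            nodes.add(tuple(sum(stack, [])))
        elif line == "}":
            stack.pop()
        elif line and not line.startswith("/*"):  # skip blanks and comments
            name, _, value = line.partition(" ")
            leaves.append((tuple(sum(stack, [])) + (name,), value.strip().strip('"')))
    return nodes, leaves

def check_upgrade(text):
    """Return hypothetical finding codes for constructs reported in this thread."""
    nodes, leaves = parse_config(text)
    found = []
    for path, value in leaves:
        if path[:2] == ("service", "dhcp-server") and path[-1] == "authoritative" and value == "enable":
            found.append("dhcp-authoritative-enable")
        elif path == ("system", "domain-name") and value.endswith("."):
            found.append("domain-name-trailing-dot")
    l2tp = ("vpn", "l2tp", "remote-access")
    # Assumption: radius-server is a tag node, so it shows up in `nodes`.
    if l2tp in nodes and not any(p[:5] == l2tp + ("authentication", "radius-server") for p in nodes):
        found.append("l2tp-no-radius-server")
    return found
```

Running `check_upgrade()` on the pre-migration file before rebooting into the new image lists which of these constructs to review or re-enter by hand afterwards.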

Hi,

There is quite a jump in between the versions, some of the changes were announced.

dhcp-server {
-        disabled false

to

dhcp-server {
-        disable

The migration script has definitely an issue, please open a bug in https://phabricator.vyos.net for it, same for your domain name issue.

service ssh allow-root was removed as an option, since you are basically root as user vyos.
Call sudo bash and you’ll have bash as root shell, or sudo -u root -i etc… Bash for root hasn’t changed by the way. (cat /etc/passwd | grep root).
Vbash ‘understands’ the same built-ins as bash does, since it’s a derivative.

From my /etc/passwd:

root:x:0:0:root:/root:/bin/vbash

Also vbash doesn’t understand “normal” auto-completion…

I’ve created two bug reports for the DHCP and domain-name issue:

Should I open one also for the L2TP issue? (It might be my fault for that one as I’ve “hacked” the configuration script as described in: Getting an L2TP (with IPSEC) VPN (remote-access) to work with PPPoE (in VyOS 1.1.8 and 1.2.0))

Apparently the root shell being replaced by vbash is a consequence of trying to configure it via system login root authentication .... I’ve opened an issue about it: Login

A fix for both

is already in the latest rolling images and will be in VyOS 1.2.2

Thanks for your detailed reports! I like it.