Today I tried to upgrade VyOS from 1.1.8 to 1.2.0 build 201904151631, and I encountered the following issues:

- it seems that in `service dhcp-server` the `authoritative enable` option is missing and is not replaced with `authoritative`, as would happen if it were configured manually; the following is the relevant diff between the before-upgrade configuration and the one after manually re-enabling the `authoritative` option (`diff -U10 -w ./config.boot.2019-04-15-1740.pre-migration ./config.boot`), i.e. the `authoritative` line is missing from the automatically migrated file:
service {
dhcp-server {
- disabled false
shared-network-name ******** {
- authoritative enable
+ authoritative
subnet ********/24 {
- I did encounter a strange error with the initial configuration migration because of my L2TP VPN (which is almost a 1-to-1 match of what is presented in the documentation); (I fixed it by rebooting with 1.1.8, deleting that configuration, and re-adding the commands afterwards;) I think the issue is only with the migration script (especially since I don't have any RADIUS-related configuration); the following is the relevant extract from `/var/log/messages`:

```
Apr 15 17:40:39 localhost vyos-router[956]: Starting VyOS router: migrateTraceback (most recent call last):
Apr 15 17:40:39 localhost vyos-router[956]: File "/opt/vyatta/etc/config-migrate/migrate/l2tp/0-to-1", line 38, in <module>
Apr 15 17:40:39 localhost vyos-router[956]: for server in config.list_nodes(cfg_base + ['radius-server']):
Apr 15 17:40:39 localhost vyos-router[956]: File "/usr/lib/python3/dist-packages/vyos/configtree.py", line 255, in list_nodes
Apr 15 17:40:39 localhost vyos-router[956]: raise ConfigTreeError("Path [{}] doesn't exist".format(path_str))
Apr 15 17:40:39 localhost vyos-router[956]: vyos.configtree.ConfigTreeError: Path [b'vpn l2tp remote-access authentication radius-server'] doesn't exist
```
- previously `system domain-name` allowed a domain name that ended in a dot, for example `domain-name whatever.`; now it silently fails when booting, and the hostname remains `debian`; manually configuring it issues an error about the invalid domain name;

- previously the `service ssh allow-root` option existed, which has now disappeared; even after setting `service ssh access-control allow user root`, the resulting `/etc/ssh/sshd_config` still contains `PermitRootLogin no`; (I understand the risks of allowing `root` to log in via SSH, but if one uses key-only authentication it is safe enough, especially since `admin`, which is allowed to SSH, does have password-less `sudo` rights;) (I think this is related to T167 "set service ssh allow-root" is not enough to root system-access via ssh);

- previously the `root` shell was `bash`, and now it is `vbash`; (`bash` as the default shell for `root`, combined with the previously mentioned SSH access for `root`, would allow one to write some automation scripts with `ssh`, outside the control language, but now these are broken;) (this was not mentioned in the release notes;)

- moreover, previously if one would just issue `sudo -i` it would start `bash` as `root`, but now it just starts `vbash` as `root`;
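The two migration problems reported above (the dropped `authoritative` option and the l2tp `0-to-1` script aborting on a missing `radius-server` node) share one root cause: a migration step that reads a path without first checking that it exists. The following is an added illustration, not VyOS's own migration code: `MiniConfigTree` is a constructed, dict-based stand-in for `vyos.configtree.ConfigTree` whose `list_nodes()` raises on a missing path exactly as the traceback shows, and both migration functions guard their paths with `exists()` before touching them. The sample configuration is constructed to match the post's description (DHCP with `authoritative enable`, L2TP with local authentication and no RADIUS).

```python
import copy

# Added example, not VyOS's migration code: two migration steps written to avoid
# the 1.1.8 -> 1.2.0 migration defects described in the post. MiniConfigTree is
# a constructed stand-in for vyos.configtree.ConfigTree; its list_nodes() raises
# on a missing path, mirroring the traceback quoted above.

_MISSING = object()


class ConfigTreeError(Exception):
    """Same name as in the post's traceback; defined here for the stand-in."""


class MiniConfigTree:
    """Nested dicts; a str is a leaf with a value, an empty dict a valueless leaf."""

    def __init__(self, tree):
        self._tree = tree

    def _walk(self, path):
        node = self._tree
        for key in path:
            if not isinstance(node, dict) or key not in node:
                return _MISSING
            node = node[key]
        return node

    def exists(self, path):
        return self._walk(path) is not _MISSING

    def list_nodes(self, path):
        node = self._walk(path)
        if node is _MISSING:
            raise ConfigTreeError("Path [{}] doesn't exist".format(" ".join(path)))
        return sorted(node) if isinstance(node, dict) else []

    def return_value(self, path):
        node = self._walk(path)
        return node if isinstance(node, str) else None

    def set(self, path, value=None):
        node = self._tree
        for key in path[:-1]:
            node = node.setdefault(key, {})
        node[path[-1]] = {} if value is None else value

    def delete(self, path):
        parent = self._walk(path[:-1])
        if isinstance(parent, dict):
            parent.pop(path[-1], None)


def migrate_dhcp_authoritative(config):
    """1.1.x 'authoritative enable' becomes the valueless 1.2.x 'authoritative';
    'authoritative disable' is removed. Returns the shared networks changed."""
    base = ["service", "dhcp-server", "shared-network-name"]
    changed = []
    if not config.exists(base):
        return changed
    for net in config.list_nodes(base):
        path = base + [net, "authoritative"]
        value = config.return_value(path)
        if value == "enable":
            config.set(path)  # rewrite as a valueless leaf
            changed.append(net)
        elif value == "disable":
            config.delete(path)
            changed.append(net)
    return changed


def migrate_l2tp_radius(config):
    """Guarded form of the loop in the traceback: radius-server is only
    iterated when the node exists, so a RADIUS-less config no longer aborts."""
    cfg_base = ["vpn", "l2tp", "remote-access", "authentication"]
    radius_base = cfg_base + ["radius-server"]
    if not config.exists(radius_base):
        return []
    return config.list_nodes(radius_base)


# Constructed 1.1.8-style config, matching the post: DHCP with
# 'authoritative enable', L2TP with local authentication and no radius-server.
SAMPLE_CONFIG = {
    "service": {
        "dhcp-server": {
            "disabled": "false",
            "shared-network-name": {
                "LAN": {"authoritative": "enable", "subnet": {"192.0.2.0/24": {}}},
            },
        },
    },
    "vpn": {"l2tp": {"remote-access": {"authentication": {"mode": "local"}}}},
}


def run_migration(tree):
    """Run both steps on a copy; returns (migrated tree, dhcp changes, radius servers)."""
    config = MiniConfigTree(copy.deepcopy(tree))
    return config, migrate_dhcp_authoritative(config), migrate_l2tp_radius(config)


if __name__ == "__main__":
    cfg, dhcp, radius = run_migration(SAMPLE_CONFIG)
    print("authoritative rewritten in:", dhcp, "| radius servers:", radius)
```

Run stand-alone, the script reports that `LAN` was rewritten and that no RADIUS servers were found; calling `list_nodes()` on the missing `radius-server` path without the `exists()` guard reproduces the `ConfigTreeError` from the log.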
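On the `system domain-name` point: a value such as `whatever.` is the absolute (trailing-dot) form of a domain name, and a validator that rejects it outright is stricter than necessary. The following is an added example, not VyOS code, of a validator that accepts the trailing-dot form by normalising it before applying RFC 1123 label rules; the function names and the sample inputs are constructed for illustration.

```python
import re

# Added example, not VyOS code: validate a `system domain-name` value while
# accepting the absolute (trailing-dot) form that 1.1.8 allowed, by stripping
# the single trailing dot before checking the labels (RFC 1123 rules).

# One hostname label: 1-63 chars of letters, digits and hyphen, not starting
# or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def normalize_domain_name(name):
    """Lower-case the name and strip exactly one trailing dot (absolute form)."""
    name = name.strip().lower()
    if name.endswith(".") and not name.endswith(".."):
        name = name[:-1]
    return name


def validate_domain_name(name):
    """Return (True, normalized_name) or (False, reason)."""
    norm = normalize_domain_name(name)
    if not norm:
        return False, "empty domain name"
    if len(norm) > 253:
        return False, "domain name longer than 253 characters"
    labels = norm.split(".")
    for label in labels:
        if not _LABEL.match(label):
            return False, "invalid label {!r}".format(label)
    if labels[-1].isdigit():
        return False, "top-level label must not be all digits"
    return True, norm


if __name__ == "__main__":
    # constructed inputs: the post's example, a mixed-case FQDN, and bad cases
    for candidate in ["whatever.", "Example.COM.", "-bad.example", "a..b", "example.123"]:
        print(repr(candidate), "->", validate_domain_name(candidate))
```

The normalised form (without the dot) is what would be written to the system, so `whatever.` and `whatever` end up configuring the same domain name instead of one of them failing silently at boot.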