Podman Network Groups claims there is a circular reference when group and subset are both included

network-group Admin_Access {
    description "Networks and devices which admins should be able to access"
    include Worker_Access
    include SSH_Servers
    include Workers
    include Peer_Link_IPs
    include Admin_Open_Access
    include Podman_Servers
}
network-group Passbolt {
    description "Passbolt access server"
    network 172.16.8.8/32
}
network-group Passbolt_DB {
    description "Passbolt DB server"
    network 172.16.8.33/32
}
network-group Podman_Servers {
    description "Podman servers which are not host-bound"
    include Passbolt
    include Passbolt_DB
}

This works, but as soon as I add include passbolt to the Worker_Access group, I get this error when I commit: Group "Podman_Servers" has a circular reference

I don’t think it should behave this way.

I’d love to be able to include host groups in network groups, but I don’t think that is a possibility, so I’ve just been using mostly network groups.

Thanks for the report, that should be accepted behaviour and I’ve PR’d a fix: firewall: T478: Fix firewall group circular dependency check by sarthurdev · Pull Request #1691 · vyos/vyos-1x · GitHub

@zen could you re-check it?

I’ve been busy, I plan to upgrade the device that I was experiencing those issues on, but haven’t been able to. I’ll update it to the latest version at some point and will update this thread when that happens. Thanks!

If I wanted to make an update to the running image with these changes, which files would I need to update?

sudo find / -name "firewall.py"

/boot/rw/usr/libexec/vyos/conf_mode/firewall.py
find: File system loop detected; ‘/sys/kernel/debug/pinctrl’ is part of the same file system loop as ‘/sys/kernel/debug’.
/usr/lib/live/mount/persistence/boot/VyOS/rw/usr/libexec/vyos/conf_mode/firewall.py
/usr/lib/live/mount/rootfs/1.4-rolling-202210020218.squashfs/usr/lib/python3/dist-packages/salt/states/firewall.py
/usr/lib/live/mount/rootfs/1.4-rolling-202210020218.squashfs/usr/lib/python3/dist-packages/vyos/firewall.py
/usr/lib/live/mount/rootfs/1.4-rolling-202210020218.squashfs/usr/libexec/vyos/conf_mode/firewall.py
/usr/lib/live/mount/rootfs/1.4-rolling-202210020218.squashfs/usr/libexec/vyos/op_mode/firewall.py
/usr/lib/python3/dist-packages/salt/states/firewall.py
/usr/lib/python3/dist-packages/vyos/firewall.py
/usr/libexec/vyos/conf_mode/firewall.py
/usr/libexec/vyos/op_mode/firewall.py

I edited one of those and the changes seemed to apply across all of them, but I can’t edit the squashfs ones without more special methods. It doesn’t seem to be working. I’m not sure if that means that my changes are not being applied properly, or if the change doesn’t work.

It is /usr/libexec/vyos/conf_mode/firewall.py only.
After making changes, try restarting configd:
sudo systemctl restart vyos-configd
or the router.

That worked, thank you very much!
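An added example, not part of the thread and not the VyOS code or the fix in the linked pull request: it shows why including a group and one of its subsets is a diamond rather than a cycle, and how a check that flags any group reached twice differs from one that only flags a group on its own include path. Group names are taken from the thread; the contents of Worker_Access and both function names are assumptions.

```python
# Added illustration; not VyOS code. Group names come from the thread; the
# contents of Worker_Access are assumed (the thread does not show them).
INCLUDES = {
    "Admin_Access": ["Worker_Access", "Podman_Servers"],  # trimmed to the relevant includes
    "Worker_Access": ["Passbolt"],  # the include that triggered the error
    "Podman_Servers": ["Passbolt", "Passbolt_DB"],
    "Passbolt": [],
    "Passbolt_DB": [],
}


def naive_has_cycle(groups, start):
    """Hypothetical flawed check: flags any group reached twice."""
    seen = set()
    stack = [start]
    while stack:
        name = stack.pop()
        if name in seen:
            return True  # false positive when two parents share a subset
        seen.add(name)
        stack.extend(groups.get(name, []))
    return False


def find_cycle(groups, start):
    """Return the include path that forms a real cycle, or None.

    Only a group already on the current include path (an ancestor) counts.
    Fully explored groups are remembered and skipped on later visits.
    """
    done = set()

    def visit(name, path):
        if name in path:
            return path[path.index(name):] + [name]
        if name in done:
            return None
        for child in groups.get(name, []):
            cycle = visit(child, path + [name])
            if cycle:
                return cycle
        done.add(name)
        return None

    return visit(start, [])
```
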
