Rolling 1.4 1.4-rolling-202307070317 pki commit errors

Hi All

I usually upgrade my home VyOS regularly using the rolling release version, but since 1.4-rolling-202210150526, there appear to be a number of changes breaking my config. I thought I would work through them this weekend but this time there seems to be a lot of broken (well, changed).

I can see that traffic-shaper is now under qos. That’s fine. I can deal with that, however I’m getting errors when trying to re-add my pki config.

When I commit the command set pki ca ca certificate 'MII.... I receive the following error:

chris@router-vmware# commit
[ pki ]
VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Contact us using the online help desk if you have a subscription:
  https://support.vyos.io/
- Make sure you are running the latest version of VyOS available at:
  https://vyos.net/get/
- Consult the community forum to see how to handle this issue:
  https://forum.vyos.io
- Join us on Slack where our users exchange help and advice:
  https://vyos.slack.com

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your
  business policy requires it)
- and include all the information presented below

Report time:      2023-07-08 10:49:55
Image version:    VyOS 1.4-rolling-202307070317
Release train:    current

Built by:         autobuild@vyos.net
Built on:         Fri 07 Jul 2023 03:17 UTC
Build UUID:       f9b9362e-3db6-47bc-99b8-3bb0c5568672
Build commit ID:  934bccc686d764

Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

Hardware vendor:  VMware, Inc.
Hardware model:   VMware Virtual Platform
Hardware S/N:     VMware-56 4d e8 55 4c 29 e3 8d-d2 ea 79 d4 28 ee 8e 0f
Hardware UUID:    564de855-4c29-e38d-d2ea-79d428ee8e0f

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/pki.py", line 302, in <module>
    c = get_config()
        ^^^^^^^^^^^^
  File "/usr/libexec/vyos/conf_mode/pki.py", line 94, in get_config
    pki = conf.get_config_dict(base, key_mangling=('-', '_'),
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/config.py", line 250, in get_config_dict
    conf_dict = multi_to_list(rpath, conf_dict)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/xml_ref/__init__.py", line 55, in multi_to_list
    return load_reference().multi_to_list(rpath, conf)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/xml_ref/definition.py", line 139, in multi_to_list
    res[k] = self.multi_to_list(rpath + [k], conf[k])
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/xml_ref/definition.py", line 127, in multi_to_list
    raise ValueError('rpath should be disjoint from conf keys')
ValueError: rpath should be disjoint from conf keys



[[pki]] failed
Commit failed
[edit]

I seem to get the same error for the majority of pki commands.

Before I created a bug report I thought I’d just check here first to make sure I haven’t missed anything.

Cheers

Chris…

I would like to think that if pki broke big time like that there would be a lot more complaints.

It sounds like your entire pki section may just need a do-over (9 - 10 months is a long time). If you roll that instance out fresh (1.4-rolling-202307070317) and with absolutely nothing else in there so there are no references back to certs & CAs does that CA cert commit fail?

Thanks Anthony

I know what you mean; I tend to agree with your thoughts, but it’s also possible for things to be broken. There does appear to be much config that doesn’t work from the old rolling release to the current one (e.g. all my interface config disappears too).

I did try what you suggested - I blew away the config and started fresh. With only a nic configured with an IP address and SSH enabled, the command still doesn’t work.

Any chance you can publish your pki section so we can revise this?

@jestabro any idea?

I’ve opened T5345 Error incorrectly raised in revised multi_to_list when tag node value name == tag node name, and should have a fix shortly; thanks for the details!

As described in the task, this was a bug introduced in recent work on the vyos.xml lib. The fix will be in the next nightly build.
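
The condition named in the T5345 title, shown as an added example that is not VyOS source code and not part of the thread: a simplified model in which a name-based path check rejects a CA called `ca` under the `ca` tag node, as in `set pki ca ca certificate`. `SCHEMA`, `ref_path`, `walk` and `trips_check` are constructed for illustration; only the error string is taken from the traceback above.

```python
# Simplified model of the failure named in T5345; NOT VyOS source code.
# SCHEMA is a constructed stand-in for the XML reference tree, with
# tag-node values written as "*".
TAG, LEAF, MULTI, NODE = "tag", "leaf", "multi", "node"
SCHEMA = {
    ("pki",): NODE,
    ("pki", "ca"): TAG,
    ("pki", "ca", "*"): NODE,
    ("pki", "ca", "*", "certificate"): LEAF,
    ("pki", "ca", "*", "crl"): MULTI,   # assumed multi-valued for the demo
}

def ref_path(rpath):
    """Map a config path to a schema path: whatever follows a tag node is a value."""
    out = []
    for elem in rpath:
        out.append("*" if SCHEMA.get(tuple(out)) == TAG else elem)
    return tuple(out)

def walk(rpath, conf, name_check):
    """Recurse through a config dict, turning multi-valued leaves into lists."""
    if name_check and rpath and rpath[-1] in conf:
        # Compares names only, so a tag value named like its own tag node
        # (CA "ca" under "pki ca") looks like a duplicated path element.
        raise ValueError("rpath should be disjoint from conf keys")
    res = {}
    for key, val in conf.items():
        kind = SCHEMA.get(ref_path(rpath + [key]))
        if kind == MULTI:
            res[key] = val if isinstance(val, list) else [val]
        elif isinstance(val, dict):
            res[key] = walk(rpath + [key], val, name_check)
        else:
            res[key] = val
    return res

def pki_conf(ca_name):
    """Constructed sample: the dict a config read at base ['pki'] would yield."""
    return {"ca": {ca_name: {"certificate": "MII-constructed", "crl": "crl-1"}}}

def trips_check(ca_name, name_check=True):
    """True if the walk raises for a CA with this name."""
    try:
        walk(["pki"], pki_conf(ca_name), name_check)
        return False
    except ValueError:
        return True
```

In this model the same certificate commits under any other CA name, so renaming the CA is a config-side way to confirm the cause on an affected build.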

Thanks everyone. Will try again with the next nightly build.

Chris…

Hands up for fast fixes from the VyOS maintainers.

I was about to say that’s what comes with the package of running a rolling-release (things will suddenly change so if you don’t like changes stick to the LTS versions or don’t update your rolling-release that often).

Yeah, exactly. I’m not complaining at all about the changes and why I’m keen to report things when they do appear to be broken. …or at least make sure I’m doing things correctly. This is for my home internet so if it breaks it’s not the end of the world.

I’ve also got a “golden” version that I go back to if I can’t get things to work.

…and on that, I can confirm the latest rolling (1.4-rolling-202307100526) fixes those issues (and most of the other config issues I noticed too). However, I do use shaping which seems to be a known issue so I’m back to the golden release and will try again later.