Stream Version: 2026.02 - update geoip broken (permissions issues)

sirebral · February 26, 2026, 2:14pm

Hi All,

I updated to the latest stream release last night. I rely upon geoip blocking at the vyos level for some of my services, yet it appears be be broken in this release.

Current Behavior:

Geo-ip no longer updates itself, after a reboot everything setup with geoip rules in the firewall default to blocked, even if they’re specifically allowed.

If I try to upgrade via the ops mode, I get permissions errors while it tries to write the download. It cannot write to the /usr/share/vyos-geoip/ directory as the permissions are set incorrectly in the ephemeral boot image.

Workaround attempt 1, set the permissions with sudo su to allow write by all to /usr/share/vyos-geoip/
- Result: write database step completes yet then I encounter a second error: Failed to extract, aborting. The database never gets processed and all geoip rules are still blocking specific geoip allows.
Workaround attempt 2, run geoip update as root via sudo
- Result: Works, blocks/allows defined in firewall work again, YET it takes a manual fix every time the system boots.

Expected Behavior:

Same as previous versions

The system would automatically download the geoip database during firewall commits
geoip update as non root would function to completion.
geoip database would persistent reboots.
- Being I don’t code, I assume this is because if the geoip dataset is needed it re-downloads during the boot? I can’t find anything in /config/ directory related to persistence of the geoip downloads..

Impact:

Although I have a workaround, if VYOS ever reboots I now must login to fix the issue manually using the workaround attempt 2 above. If there’s an unexpected reboot, I may end up with traffic that’s allowed via geoip being blocked (this is how I realized there was an issue, my exposed geoip controlled services stopped working.

I have a few choices, I can go to rolling if this is already fixed, or find a better workaround with automation, yet I’m not exactly sure how to design this clearly. I’d love some feedback on the best option, I’ve been running VYOS in my lab for many years now, and hope for many more, yet this goes beyond my understand of the underlying mechanisms. I’d appreciate any help that can be offered!

Thank you!

sarthurdev · February 26, 2026, 3:59pm

Thanks for reporting this, I will try take a look this week.

sirebral · February 26, 2026, 4:43pm

My pleasure, at the moment I’m trying this in my postboot script

/opt/vyatta/bin/vyatta-op-cmd-wrapper update geoip

I haven’t tested it yet, waiting for a time to reboot, yet it does run properly as root, just not sure what context the scripts run as, hopeful it’s also root, assuming so, as it’s owned by root. Thanks for your time and dedication!

sirebral · February 26, 2026, 5:42pm

OK, had a chance to reboot. If anyone runs into this, it does work, add this to your /config/scripts/vyos-postconfig-bootup.script.

/opt/vyatta/bin/vyatta-op-cmd-wrapper update geoip

I know that the Stream is suppose to be for labs, and it’s only SEMI-stable, yet this is regression that I could see affecting a lot of people, as the geoip as been part of the builds for quite some time.

I don’t expect that there will be a re-release, and I understand, it’s a point-in-time snapshot. I can live with it, yet I suppose what can be taken from this is there are some unit tests that perhaps need adjustment ;).

Best to all!

taylorcb · March 22, 2026, 11:26pm

I have the exact same problem with the 2026.02 stream version, running the ‘update geoip’ command as a “normal” non-root user:

$ update geoip
Dowloading latest DB-IP database…
Unable to download “https://download.db-ip.com/free/dbip-country-lite-2026-03.csv.gz”: [Errno 13] Permission denied: ‘/usr/share/vyos-geoip/dbip-country-lite.csv.gz’
Failed to download, aborting.

The only way to get the geoip update to complete successfully is to run it as root. I have a backup script that I run once a day that runs as root, so I’m adding this command, but it would be nice to be able to run it as a non-root user.

Viacheslav · March 25, 2026, 11:45am

Try 2026.03 stream

It should be fixed.

taylorcb · April 4, 2026, 5:10pm

Confirmed the command works as a non-root user in 2026.03 Stream. Thanks!!

matthew · April 27, 2026, 6:50pm

I created a ticket here for the issue where geoip is not taking effect correctly at boot.

(I realize that’s a separate issue from the already solved permissions issue.)

xTITUS_MAXIMUSx · May 2, 2026, 4:35pm

I submitted a PR to resolve this issue.

github.com/vyos/vyos-1x

geoip: T8590: fix initialization failure and set clobbering on boot and commit

current ← xTITUSMAXIMUSX:current

opened 02:32AM - 01 May 26 UTC

xTITUSMAXIMUSX

+42 -49

## Change summary Three related bugs prevented GeoIP nftables sets from being… populated correctly at boot and when incrementally modifying firewall or policy route rules. 1. geoip_updated() always returned False node_changed() returns a flat list of changed key name strings (e.g. ['ipv4', 'rule', 'geoip', 'country_code']). The prior code passed that list to dict_search_recursive(), which searches for a key inside a dict and therefore never matches anything in a plain list. geoip_updated() consequently always returned False, meaning geoip_update() was never triggered by an incremental add or change of a GeoIP rule — only by explicit "update geoip" or by the fallback path when geoip_refresh() fails. Fix: replace the dict_search_recursive loop with a direct membership test: 'geoip' in changes. 2. GeoIP block executed unconditionally, poisoning the boot sequence geoip_sets() always returns {'name': [], 'ipv6_name': []}. A non-empty dict is truthy in Python regardless of whether its values are empty lists, so the guards "if geoip_sets:" and "if 'name' in geoip_sets:" were always True. On boot, when policy_route.py is invoked as a dependent of firewall.py (triggered by group_resync), it entered the GeoIP block even with no policy route GeoIP rules configured. Because /run/nftables-geoip.conf did not yet exist, geoip_refresh() returned False, and geoip_update(policy=policy) was called with an empty policy. This created /run/nftables-geoip.conf containing only empty table stubs. When firewall.py subsequently called geoip_refresh(), the file existed and nft loaded it successfully — so the geoip_update(firewall) call was never reached and the firewall GeoIP sets were left empty for the entire uptime of the router. Fix: check the actual list contents instead of the container dict: if geoip_sets['name'] or geoip_sets['ipv6_name']. 3. geoip_update() clobbered the other caller's sets geoip_update() renders /run/nftables-geoip.conf from both firewall_sets and policy_sets in a single pass. When called with only one argument (as firewall.py and policy_route.py each do), the other argument defaulted to None and that half of the file was rendered empty, erasing whatever the other script had written. The geoip-update helper (run by "update geoip" and the weekly cron) was unaffected because it always passes both arguments, which masked this bug in normal operation. Fix: when either argument is absent, read the missing config from the live Config session before building the set tables, so that every invocation writes the complete combined firewall + policy file. ## Types of changes - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Code style update (formatting, renaming) - [ ] Refactoring (no functional changes) - [ ] Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component - [ ] Other (please describe): ## Related Task(s) https://vyos.dev/T8590 ## Related PR(s) ## How to test / Smoketest result ## Checklist: - [x] I have read the [**CONTRIBUTING**](https://github.com/vyos/vyos-1x/blob/current/CONTRIBUTING.md) document - [x] I have linked this PR to one or more Phabricator Task(s) - [ ] I have run the components [**SMOKETESTS**](https://github.com/vyos/vyos-1x/tree/current/smoketest/scripts/cli) if applicable - [x] My commit headlines contain a valid Task id - [ ] My change requires a change to the documentation - [ ] I have updated the documentation accordingly