After rebooting the VyOS box, when I’m editing the configuration (any command at all), it returns the following error on screen:
[edit]
ivan@vyos# set firewall name test rule 10 description test
Set failed
After digging about this error I’ve found that permissions are wrong on directory /opt/vyatta/config/active/
I’ve figured out that it really has the wrong permission:
ivan@vyos:~$ ls -la /opt/vyatta/config/active/
total 0
drwxrwxr-x 11 root vyattacfg 220 Oct 20 18:16 .
drwxrwxr-x 4 root vyattacfg 100 Oct 20 18:12 ..
drwxrwxr-x 6 root root 120 Oct 20 18:16 firewall
drwxrwxr-x 3 root root 60 Oct 20 18:16 high-availability
drwxrwxr-x 6 root root 120 Oct 20 18:16 interfaces
drwxrwxr-x 4 root root 80 Oct 20 18:16 nat
drwxrwxr-x 4 root root 80 Oct 20 18:16 pki
drwxrwxr-x 3 root root 60 Oct 20 18:16 policy
drwxrwxr-x 5 root root 100 Oct 20 18:16 protocols
drwxrwxr-x 6 root root 120 Oct 20 18:16 service
drwxrwxr-x 12 root root 240 Oct 20 18:16 system
The group of all directories and files should be vyattacfg, but after rebooting its owner is root. After fixing the permissions, it starts working as expected:
set high-availability vrrp group vlan5 transition-script backup '/config/scripts/vrrp-fail.sh'
set high-availability vrrp group vlan5 transition-script fault '/config/scripts/vrrp-fail.sh'
set high-availability vrrp group vlan5 transition-script master '/config/scripts/vrrp-master.sh'
These script files look to have the correct permissions:
ivan@vyos:~$ ls -la /config/scripts/
total 20
drwxrwsr-x 2 root vyattacfg 4096 Oct 18 14:50 .
drwxrwxr-x 7 root vyattacfg 4096 Oct 20 18:11 ..
-rwxrwxr-x 1 root vyattacfg 183 Oct 18 14:37 vrrp-fail.sh
-rwxrwxr-x 1 root vyattacfg 183 Oct 18 14:48 vrrp-master.sh
-rwxrwxr-x 1 root vyattacfg 230 Sep 13 12:08 vyos-postconfig-bootup.script
Here is the content of the vrrp-fail.sh script:
#!/bin/vbash
source /opt/vyatta/etc/functions/script-template
configure
set protocols bgp neighbor 192.168.100.1 shutdown
set protocols bgp neighbor 192.168.200.1 shutdown
commit
exit
Thanks! Adding this at the beginning of my script solved the problem:
#!/bin/vbash
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi
source /opt/vyatta/etc/functions/script-template
configure
set protocols bgp neighbor 192.168.100.1 shutdown
set protocols bgp neighbor 192.168.200.1 shutdown
commit
exit
I’d suggest modifying the script samples in the documentation to include this block before the commands that are executed automatically, such as VRRP transition scripts.
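A read-only check for the symptom in this thread, added here as an example (not part of the original posts and not VyOS code): it lists every entry under a config tree whose group is not the expected one. The function names and the constructed demo tree are assumptions for illustration; the path and group in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: audit a config tree for entries whose group differs from
# the expected one (the thread's symptom: root:root under config/active).
# Usage on the box from the thread (path and group taken from the posts):
#   sh audit.sh /opt/vyatta/config/active vyattacfg

# Print each path under DIR whose group is not WANT (name or numeric gid).
# Returns 0 if the tree is clean, 1 if mismatches were printed, 2 on error.
audit_config_group() {
    dir=$1 want=$2
    [ -d "$dir" ] || { echo "audit: not a directory: $dir" >&2; return 2; }
    case $want in
        '')        echo "audit: no group given" >&2; return 2 ;;
        *[!0-9]*)  pred=-group ;;   # group name
        *)         pred=-gid ;;     # numeric gid
    esac
    # find fails (and we return 2) if a group name does not exist.
    bad=$(find "$dir" ! "$pred" "$want" -print) || return 2
    [ -n "$bad" ] || return 0
    printf '%s\n' "$bad"
    return 1
}

# Build a constructed tree shaped like the listing in the thread (hypothetical
# helper for trying the check without a VyOS box). Prints the tree's path.
make_demo_tree() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/firewall/name/test" "$root/nat" "$root/system"
    : > "$root/firewall/name/test/node.val"
    printf '%s\n' "$root"
}

# Run the audit only when called with DIR and GROUP.
if [ $# -eq 2 ]; then
    audit_config_group "$1" "$2"
fi
```

A non-zero exit after a VRRP transition or a reboot points at a script that committed without the vyattacfg group.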