Vyatta Config Sync

Some of us run groups of Vyatta installations with similar or even identical configurations,
and when the configuration has to change on every system in the group,
we have to make the change by hand on each one.
That's definitely not good.

Recent Vyatta versions include configuration synchronization,
but only in the Subscription Edition.
The Community Edition, which I use, does not include such a feature.


Install
Add the Vyatta4People.Org repo.
Install Config-Sync (required): sudo apt-get install vyatta-config-sync
Install Config-Validator (recommended): sudo apt-get install vyatta-config-validator
Do this on the master and on every slave: a slave without the package has no
/etc/vyatta-config-sync/local_transformations.sed, and the sync aborts with
"No such file or directory" errors for that file.
Log out and log back in to load the script alias.
NB! In several cases reported in the comments the validator rejected values that the
running Vyatta commits without complaint (a VRRP virtual-address with a prefix length,
an IPv6 name-server). If it blocks a sync, update it first
(sudo apt-get update; sudo apt-get install vyatta-config-validator);
the quick and dirty workaround is sudo apt-get remove vyatta-config-validator.


Usage
vyatta-config-sync takes one mandatory parameter with one of 3 values;
each value selects the mode in which vyatta-config-sync operates.

load
Distribute the configuration to the slave hosts and load it on each slave.
This is the most common modus operandi for vyatta-config-sync. Use it if unsure.

noload
Distribute the configuration to the slave hosts, but don't load it.
You need this only if you want to do something manually on a slave
before the new configuration is loaded. You will probably never use it.

reboot
Distribute the configuration to the slave hosts and reboot each slave.
Use this mode for fundamental configuration changes
that cannot be applied at runtime.


Quick Start
Imagine a minimal group of 2 Vyatta routers, r1 and r2.
r1 is the master; we edit the configuration there.
r2 is a slave; it is synced to the master.
NB! The r2 configuration is never touched manually!
Both routers have 2 Ethernet interfaces, eth0 (WAN) and eth1 (LAN);
the eth0 addresses are assigned via DHCP on both routers,
r1's eth1 address is 192.168.0.1 and
r2's eth1 address is 192.168.0.2.

NB!
The master and the slaves must have the same number of Ethernet interfaces!
Config-Sync counts the hardware (MAC) addresses on both sides and aborts with
"Slave MAC address number ... is different from master MAC address number" when they differ.
Other hardware details are not so important.

Create an SSH private/public key pair on r1.
Install the SSH public key from r1 on r1 (yes, really! r1 is listed in sync_hosts.conf
as well and is reached over SSH like every other host in that list).
Install the SSH public key from r1 on r2.
NB!
Since Vyatta 6.0 you do not edit ~/.ssh/authorized_keys by hand: Vyatta regenerates
that file and a manually added key disappears after a reboot. Use the CLI instead:
system login user USERNAME authentication public-keys
If vyatta-config-sync prompts for a password, the key was not installed this way.

NB!
Usernames on the master and the slaves must be identical.
Running vyatta-config-sync as root is prohibited, for security reasons.
The private key on r1 logs in to every host in the group without a password,
so protect r1 and that key file the way you would protect any central management host.
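As an added example (not part of vyatta-config-sync and not the page's own instructions), a small POSIX shell helper that turns the line ssh-keygen writes to ~/.ssh/id_rsa.pub into the two Vyatta commands for the public-keys node, and refuses key material that was mangled by copy-and-paste. The default key name vyatta@localhost and the restriction to ssh-rsa follow the commands shown in the comments on this page; both are choices of this helper, not requirements of Vyatta.

```shell
#!/bin/sh
# Added helper, not part of vyatta-config-sync: turn the line ssh-keygen
# writes to ~/.ssh/id_rsa.pub into the two Vyatta commands that install it
# under "system login user USERNAME authentication public-keys", instead of
# editing ~/.ssh/authorized_keys by hand (which Vyatta overwrites).
# The key name "vyatta@localhost" used on this page is the default when the
# key line carries no comment; that default is an assumption of this helper.
vyatta_pubkey_commands() {
    user=$1
    keyline=$2
    # An OpenSSH public key line is: <type> <base64 material> [comment]
    set -f                       # no globbing while splitting the line
    set -- $keyline
    set +f
    keytype=$1
    keymat=$2
    keyname=${3:-"$user@localhost"}
    case $keytype in
        ssh-rsa) ;;              # the type used on this page (ssh-keygen -t rsa)
        *) printf 'unsupported key type: %s\n' "$keytype" >&2; return 1 ;;
    esac
    # Reject material that is not base64: a line pasted from a terminal is
    # often wrapped or truncated, and a truncated key never matches, so the
    # sync silently falls back to asking for a password.
    case $keymat in
        ''|*[!A-Za-z0-9+/=]*) printf 'key material is not base64\n' >&2; return 1 ;;
    esac
    printf 'set system login user %s authentication public-keys %s type %s\n' \
        "$user" "$keyname" "$keytype"
    printf 'set system login user %s authentication public-keys %s key %s\n' \
        "$user" "$keyname" "$keymat"
}

# Stand-alone use: vyatta_pubkey_commands vyatta "$(cat ~/.ssh/id_rsa.pub)"
# prints the commands to paste, inside "configure", on r1 and on every slave.
if [ "${VCS_DEMO:-0}" = 1 ] && [ -r "$HOME/.ssh/id_rsa.pub" ]; then
    vyatta_pubkey_commands "$(id -un)" "$(cat "$HOME/.ssh/id_rsa.pub")"
fi
```

The two printed lines go into configure on r1 and on each slave, followed by commit and save; the username must be the same on every host, as the NB above says.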

Now edit the project configuration files, which reside in /etc/vyatta-config-sync/:

options.env
Global options for vyatta-config-sync. Edit on the master:
enable_master_mode=1
Setting enable_master_mode to 1 makes r1 behave as the master.

sync_hosts.conf
List of hosts in the cluster. Edit on the master. Append these 2 lines:
192.168.0.1 r1
192.168.0.2 r2
The master lists itself: it is synchronized like any other host,
which is why its own public key has to be installed on it.

local_transformations.sed
Per-slave config.boot modifications are configured here.
NB! This file is edited on the slave, NOT on the master!
Use sed expressions, one per line, to modify the slave's config.boot before it is saved.
Append this:
s/192\.168\.0\.1\/24/192.168.0.2\/24/g
It replaces the master IP 192.168.0.1/24 with the slave IP 192.168.0.2/24.
Each slave has its own local_transformations.sed; the master's may be empty,
but the file must exist on every host.
Escape the dots (a bare . matches any character) and keep the prefix length in the pattern,
so that 192.168.0.1 does not also match 192.168.0.10.
Do not escape spaces with backslashes: sed reads this file directly, no shell is involved,
and s/priority\ 150/priority\ 20/g fails with "unknown option to `s'".
A pattern that matches nothing fails silently and the slave then loads the master's value,
so add a line here for everything that is host-specific: interface addresses,
VRRP priority, the listen-address of services, and so on.

serial
Serial number of the last synchronization. NB! Never edit this file manually!
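To check a transformation file before it touches a live router, here is an added shell illustration (not the vyatta-config-sync script and not the page's own code) that emulates, on a constructed config.boot fragment, the slave-side processing the author describes in the comments: change host-name, drop hw-id lines, then apply local_transformations.sed. The exact sed commands and their order are assumptions; the sample config, the sample sed file and the master-only strings checked at the end are constructed for this example.

```shell
#!/bin/sh
# Added illustration, not the vyatta-config-sync script: emulate on a
# constructed config.boot what the page says the sync does on a slave
# (copy config.boot, change host-name, drop hw-id, apply
# local_transformations.sed), so a transformation file can be checked
# before it is used on a live router. The sed calls and their order
# are assumptions; the sample configuration below is constructed.

# Constructed, trimmed master config.boot.
master_config() {
    cat <<'EOF'
interfaces {
    ethernet eth0 {
        address dhcp
        hw-id 52:54:00:aa:bb:cc
    }
    ethernet eth1 {
        address 192.168.0.1/24
        hw-id 52:54:00:dd:ee:ff
        vrrp {
            vrrp-group 10 {
                priority 150
                virtual-address 192.168.0.10
            }
        }
    }
}
system {
    host-name r1
}
EOF
}

# The slave's local_transformations.sed. Dots are escaped because they are
# regex metacharacters; the prefix length stays in the pattern so that
# 192.168.0.1 does not also hit the VRRP address 192.168.0.10; spaces are
# NOT backslash-escaped, because sed reads this file directly.
slave_transformations() {
    cat <<'EOF'
# sed transformations applied one-after-one to config.boot before saving
s/192\.168\.0\.1\/24/192.168.0.2\/24/g
s/priority 150/priority 20/g
EOF
}

# Emulated slave-side processing: host-name, hw-id (per-NIC MAC addresses
# that must never be copied between boxes), then the slave's sed file.
transform_for_slave() {
    slave_name=$1
    sedfile=$(mktemp) || return 1
    slave_transformations >"$sedfile"
    master_config \
        | sed -e "s/^\([[:space:]]*\)host-name .*/\1host-name $slave_name/" \
        | sed -e '/^[[:space:]]*hw-id /d' \
        | sed -f "$sedfile"
    rc=$?
    rm -f "$sedfile"
    return $rc
}

# Guard against the failure mode reported in the comments on this page: a
# transformation that matches nothing leaves the master's own address in
# the slave's config, and the slave then comes up with a duplicate IP.
# Usage: master_only_strings_gone <slave> <string>...
# Returns 1 and names the first master-only string that survived.
master_only_strings_gone() {
    slave=$1; shift
    out=$(transform_for_slave "$slave") || return 1
    for s in "$@"; do
        if printf '%s\n' "$out" | grep -F -q -- "$s"; then
            printf 'master-only string still present on %s: %s\n' "$slave" "$s" >&2
            return 1
        fi
    done
    return 0
}

# Stand-alone demo: print the config r2 would load, then run the guard.
if [ "${VCS_DEMO:-0}" = 1 ]; then
    transform_for_slave r2
    master_only_strings_gone r2 '192.168.0.1/24' 'priority 150' 'host-name r1' \
        && echo "r2: no master-only values left"
fi
```

master_only_strings_gone is the part worth keeping around: feed it every value that is unique to the master (addresses, VRRP priority, listen-address lines) and it fails before the sync does, instead of after the slave has taken the master's address.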


Verify it works
First, configure nat rule on r1, commit and save:
configure
set service nat rule 1
set service nat rule 1 type masquerade
set service nat rule 1 outbound-interface eth0
set service nat rule 1 source address 192.168.0.0/24
commit
save
exit

Second, run vyatta-config-sync load on r1.
If the console output looks like this:
vyatta@r1:~$ vyatta-config-sync load
--------------------------------------------------------------------------------
* r2
--------------------------------------------------------------------------------
[ OK ]
--------------------------------------------------------------------------------

everything is OK. Still confirm on r2 that the NAT rule is present in its running
configuration: an early release printed [ OK ] even when the load step on the slave had failed.
If you see something else, verify your setup. Recent versions log to
/tmp/vyatta-config-sync.out, /tmp/vyatta-config-sync.err and /tmp/vyatta-config-loader.log;
read those first and, if nothing is clear, post your problem in a comment.

NB! You may use the shorthand vcs instead of vyatta-config-sync load.

112 Responses to Vyatta Config Sync

  1. Patrol says:

    Good thing

  2. Serge says:

    Thanks for sharing the script. However, I ran into an issue where the configuration isn't loaded on the slave (using Vyatta 6.2). Apparently it requires configuration mode to load it.

  3. Cartman says:

    Please post your issue (console output) here.
    I’ll sure try to help.

  4. Serge says:

    This is the output (I've removed suppression of the post_sync_command to see what is happening).

    vyatta@fw01:~$ vyatta-config-sync load
    --------------------------------------------------------------------------------
    * fw02
    --------------------------------------------------------------------------------
    Welcome to Vyatta
    calling loadFile() without config session at /opt/vyatta/share/perl5//Vyatta/Config.pm line 200.
    Loading configuration from '/opt/vyatta/etc/config/config.boot'...
    Cannot load config outside configuration session
    [ OK ]
    --------------------------------------------------------------------------------

  5. Cartman says:

    Hi Serge,

    Just tested it in my environment. Everything went smoothly with no errors.
    Are you using the latest version of vyatta-config-sync (0.1-11)?
    Are there any extra settings in SSH?

    Thanks for feedback!

  6. Serge says:

    Hello Cartman,

    No changes in SSH settings. It is the latest vyatta-config-sync (I just did a re-install). BTW, config-validator doesn't work either, with this error:

    Can’t locate object method “getTmplPath” via package “Vyatta::Config” at /usr/sbin/vyatta-config-validator.pl line 35.

    It does copy the config, it just doesn’t want to load it.

    Thx, Serge.

  7. Cartman says:

    Rolled an update for Config Validator. It must work now.

    About Config Sync:
    Could you please post your configs from /etc/vyatta-config-sync here?
    I would like to see sync_hosts.conf and local_transformations.sed
    from both firewalls.
    Thanks!

  8. Serge says:

    Master fw01:

    sync_hosts.conf
    #
    # List of slave host addresses and names to synchronize with our master configuration
    #
    #
    #192.168.0.241 router-dev
    #192.168.0.242 router-dev2
    10.1.11.251 fw01
    10.1.11.252 fw02

    # sed transformations that will be applied one-after-one to config.boot before saving it to local filesystem
    #s/192\.168\.0\.24[0-9]\/24/192.168.0.241\/24/g

    Slave fw02:

    sync_hosts.conf
    #
    # List of slave host addresses and names to synchronize with our master configuration
    #
    #
    #192.168.0.241 router-dev
    #192.168.0.242 router-dev2

    local_transformations.sed
    # sed transformations that will be applied one-after-one to config.boot before saving it to local filesystem
    #s/192\.168\.0\.24[0-9]\/24/192.168.0.241\/24/g
    s/10\.254\.254\.1\/24/10.254.254.2\/24/g
    s/x\.x\.x\.x\/29/x.x.x.x\/29/g
    s/10\.1\.11\.251\/24/10.1.11.252\/24/g
    s/y\.y\.y\.y\/29/y.y.y.y\/29/g
    s/listen-address 10\.1\.11\.251/listen-address 10.1.11.252/g

  9. Cartman says:

    Man, thanks for the provided files, I got it! 🙂
    Rolled an update for Config Sync. It must work in every case!

  10. Francis says:

    Thanks for your work, but I have a problem when I run vyatta-config-sync load:

    --------------------------------------------------------------------------------
    * VPN
    --------------------------------------------------------------------------------
    [ SKIP ]
    --------------------------------------------------------------------------------

    s `/tmp/vyatta-config-sync.28497/local_transformations.sed’: No such file or directory
    chgrp: cannot access `/tmp/vyatta-config-sync.28497/local_transformations.sed’: No such file or directory
    /usr/sbin/vyatta-config-sync: line 148: [: !=: unary operator expected

  11. Cartman says:

    Hi Francis!

    Thanks for your feedback! 🙂
    Let me ask you two questions:

    1. What Vyatta version are you using?
    2. Do you have proper local_transformations.sed file on your slave host?
    • Vladimir says:

      You need to install the vyatta sync package from the repositories on your slave node!
      But first of all add the right repos to your sources.

      sudo apt-get install vyatta-config-sync

  12. Francis says:

    Thanks for the reply.

    I use Vyatta VC6.2-2011.02.09 and on my slave host I have this in my local_transformations.sed:
    s/10\.0\.1\.101\/24/10.0.1.102\/24/g

    And the ip address of the master host is 10.0.1.101 and the ip address of the slave host is 10.0.1.102

  13. Francis says:

    I have reinstalled the two Vyatta hosts without my VLAN and OpenVPN config and it works fine.

    I have only one little problem with the file ~/.ssh/authorized_keys on the slave, which is erased after a reboot; I would like to disable this function but I don't know how.

    And I also don't understand the difference between load and unload, because when I run vyatta-config-sync load, I need to reboot my slave router for the config file to take effect.

  14. Cartman says:

    Hi Francis!

    It's strange that you needed to reinstall the host to make Config-Sync work...

    Since Vyatta 6.0 you don’t edit ~/.ssh/authorized_keys by hand. See:
    system login user vyatta authentication public-keys

    Hmmm… “load” MUST load changes without reboot, while “noload” does not.

    Fix the situation with the SSH public keys; I'll stress the words:

    Create SSH private/public key pair on r1.
    Install SSH public key from r1 on r1 (yes, really!).
    Install SSH public key from r1 on r2.

    and try again 🙂

    Good luck!

  15. Francis says:

    OK, thanks for the help configuring SSH on the Vyatta hosts, but I still have the problem with "load". It doesn't take effect without a reboot.

    I don't know where the problem comes from or where I can find a log file.

  16. Cartman says:

    Francis, I've discovered the debug output goes to /dev/null 🙂
    This is because I was sure all possible problems were fixed...

    I've now improved the logging. Please update the software on both routers:
    sudo apt-get update
    sudo apt-get --yes --force-yes install vyatta-config-sync

    Run vyatta-config-sync load and look at the contents of these files:

    /tmp/vyatta-config-sync.out
    /tmp/vyatta-config-sync.err
    /tmp/vyatta-config-loader.log

    Send them to info@vyatta4people.org for proper examination from my side.

    Thanks!

  17. crontab says:

    If you want to automate configuration in crontab and you're using vyatta-config-sync with vyatta-config-validator.pl, make sure you have the following line in your crontab, as this variable is required by vyatta-config-validator.pl:

    vyatta_cfg_templates=/opt/vyatta/share/vyatta-cfg/templates

  18. Cartman says:

    Thanks! I think I can add automatic loading of this variable in the next release.

  19. Tingemoto says:

    Hello Cartman, I am trying to install and the following is occurring:
    It seems that the following is not available [packages.vyatta4people.or]

    Err http://packages.vyatta4people.org experimental Release.gpg
    Could not resolve ‘packages.vyatta4people.org’
    Err http://packages.vyatta4people.org/debian/ experimental/main Translation-en
    Could not resolve ‘packages.vyatta4people.org’
    Get:4 http://ftp.de.debian.org squeeze/main i386 Packages [8634 kB]

  20. Tingemoto says:

    OK, it seems to be working now; maybe the site was offline.

    Now I am faced with the following issue:

    when I attempt to run vyatta-config-sync load I am asked for a password.

    I have followed this to create the SSH keys: http://sshkeychain.sourceforge.net/mirrors/SSH-with-Keys-HOWTO/SSH-with-Keys-HOWTO-4.html

    vyatta@R2:~$
    vyatta@R2:~$ vyatta-config-sync load
    --------------------------------------------------------------------------------
    * R1
    --------------------------------------------------------------------------------
    vyatta@192.168.1.100's password:

    • Cartman says:

      Since Vyatta 6.0 you don’t edit ~/.ssh/authorized_keys by hand. See:
      system login user vyatta authentication public-keys
      P.S.:
      I've updated the HOWTO with this warning, thanks!

  21. tingemoto says:

    What would be the best approach for using system login user USERNAME authentication public-keys?

    I am a little lost.

    • Cartman says:

      Something like this on both nodes:
      configure
      edit system login user vyatta authentication
      set public-keys vyatta@localhost type ssh-rsa
      set public-keys vyatta@localhost key AAAAB3NzaC1yc2EAAAABIwAAAQEAv6EW0DzNLlPTvbYrXtkSmHCvZiyIYGC1LBTIFmCw0+N3mT4/BlyLMIsl4V8lpgrvF5ABZCyFktidy3filsH7qH52B1Jw+oXtjOwakoAvm/Mw0RsscRn2+gWUjvREZD57iXmmSL3nMxrOeXRLCwi4xXsOcK1OH4Sbc/rlhozOtHurqSfbgnOWI3gHqhfInVpiRGTY/scZJF9hclOMuSbwk865lT/0qcGMNNUTWUz4Vut0VSJhm9TwH6+7RLz+cguEThvbec6lmqpRgn9duxUKRQxgasONs4SiGsHQul810Rd726S4bNRpdOggrbj4P+kZWD0irL9BxrPoSDK/WrZ9GQ==

      NB! Your key must be different from mine.

  22. Tingemoto says:

    OK,
    so I guess I can create the key with the following: ssh-keygen -t dsa,
    and apply that key with the steps you have provided above. Sorry, I am not 100% up on my private and public key tech.

    S

    Create SSH private/public key pair on r1.
    Install SSH public key from r1 on r1 (yes, really!). What does this mean?
    Install SSH public key from r1 on r2. How is this done? With SCP?

    Sorry once again for all the questions.

    • Cartman says:

      ssh-keygen -t rsa in our case 🙂
      cat ~/.ssh/id_rsa.pub: examine the public key file and copy the key material (the long alphanumeric string)
      Run the Vyatta CLI commands I provided before on both Vyatta systems.

  23. Tingemoto says:

    OK, I have it all configured; the only issue is that the configuration from the master is fully applied to the slave,
    and it kills the connection to the slave as it thinks it has the same IP as the running master.

    s/192\.168\.1\.101\/24/192.168.1.100\/24/g
    s/10\.10\.1\.20\/24/10.10.1.10\/24/g

  24. Cartman says:

    Have you placed the local_transformations.sed file on the slave?
    local_transformations are slave-specific: one master can have many slaves,
    each having its own local_transformations.sed.
    The master itself can go with an empty local_transformations.sed.
    P.S.:
    192.168.1.101 & 10.10.1.20: these are your master IPs, right? ;)

  25. Tingemoto says:

    All Good now!, thanks for all your help.

  26. Tingemoto says:

    Looks to work better than the actual SE release.

  27. Tingemoto says:

    One more question: what components of the configuration are included in the configuration sync?

    I notice that the syslog configuration seems to be excluded; is there a way to enable the different configuration sections (like IDS, syslog etc.)?

    • Cartman says:

      I'm stunned! Config-Sync transfers the whole config.boot file,
      changes the hostname, removes hw-id and applies transformations if needed.
      That's all. 🙂 It always synchronizes everything.

  28. Tingemoto says:

    Hey,
    I have run into the following problem.

    This is when updating the VRRP virtual address.

    * R1
    --------------------------------------------------------------------------------
    interfaces ethernet eth0 vrrp vrrp-group 100 virtual-address: “192.168.1.200/24” is not a valid value of type ipv4!
    interfaces ethernet eth1 vrrp vrrp-group 50 virtual-address: “10.10.1.1/24” is not a valid value of type ipv4!

    [ ERROR ]
    Config validation failed for host: R1

    • Cartman says:

      Please examine the output of the command dpkg -l vyatta-config-sync.
      The vyatta-config-sync version must be >=0.1-15. Problems were reported on
      earlier versions.

  29. Tingemoto says:

    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name Version Description
    +++-==============-==============-============================================
    ii vyatta-config- 0.1-15 Vyatta (VC5/VC6/VC7) config.boot synchronize
    vyatta@R2:~$

  30. Cartman says:

    OK. To make things work in a quick and dirty way,
    just do this: sudo apt-get remove vyatta-config-validator
    I need to research this problem; I've tested the validator on two machines
    with VRRP and spotted no errors. BTW, what version of Vyatta are you running?

  31. Tingemoto says:

    Hi

    vyatta@R2:~$ show version
    Version: VC6.3-2011.07.21
    Description: Vyatta Core 6.3 2011.07.21
    Copyright: 2006-2011 Vyatta, Inc.
    Built by: autobuild@vyatta.com
    Built on: Thu Jul 21 06:05:47 UTC 2011
    Build ID: 1107210607-a17b235
    System type: Intel 32bit
    Boot via: image
    Hypervisor: VMware

  32. ipmatchregex says:

    vyatta@r1:~$ /usr/sbin/vyatta-config-sync load
    --------------------------------------------------------------------------------
    * r2
    --------------------------------------------------------------------------------
    interfaces ethernet eth3: "ip" does not match regex /^eth[0-9]+$/
    interfaces ethernet eth4: "ip" does not match regex /^eth[0-9]+$/

    [ ERROR ]
    Config validation failed for host: r2

    For some reason I keep getting the above error. I can't figure out what I have configured wrong; is it a local_transformations.sed configuration error?

    # sed transformations that will be applied one-after-one to config.boot before saving it to local filesystem
    #s/192\.168\.0\.24[0-9]\/24/192.168.0.241\/24/g
    s/10\.59\.96\.51\/24/10.59.96.52\/24/g
    s/45\.100\.66\.51\/25/45.100.66.52\/25/g
    s/10\.0\.5\.51\/24/10.0.5.52\/24/g
    s/10\.0\.6\.51\/24/10.0.6.52\/24/g
    s/172\.16\.12\.5\/30/172.16.12.6\/30/g
    s/2a01\:7c8\:1936\:1\:10\:59\:96\:51\/64/2a01:7c8:1936:1:10:59:96:52\/64/g
    s/2a01\:7c8\:1936\:4\:45\:100\:66\:51\/48/2a01:7c8:1936:4:45:100:66:52\/48/g
    s/2a01\:7c8\:1936\:5\:10\:0\:5\:51\/64/2a01:7c8:1936:5:10:0:5:52\/64/g
    s/2a01\:7c8\:1936\:6\:10\:0\:6\:51\/64/2a01:7c8:1936:6:10:0:6:52\/64/g
    s/2a01\:7c8\:1936\:7\:172\:16\:12\:5\/64/2a01:7c8:1936:6/g
    s/priority\ 150/priority\ 20/g

    • Cartman says:

      I cannot find any mistake in your local_transformations.sed.
      Your case looks more like a vyatta-config-validator error.
      Please provide me with the output of this configuration-mode command:
      show interfaces ethernet
      I will try to reproduce it in my lab...

      P.S.:
      If you want to test a quick workaround, just remove config-validator:
      sudo apt-get remove vyatta-config-validator
      and then launch /usr/sbin/vyatta-config-sync load

      • ipmatchregex says:

        Please note, the extra IP addresses you see on r1 (master) which are not included in the local_transformations.sed are VRRP addresses, as shown below.

        r1(master):
        Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
        Interface  IP Address                        S/L  Description
        ---------  ----------                        ---  -----------
        eth0       10.59.96.51/24                    u/u
                   10.59.96.50/32
                   2a01:7c8:1936:1:10:59:96:51/64
        eth1       45.100.66.51/25                   u/u
                   45.100.66.50/32
                   45.100.66.14/32
                   45.100.66.15/32
                   45.100.66.53/32
                   45.100.66.54/32
                   2a01:7c8:1936:4:45:100:66:51/48
        eth2       10.0.5.51/24                      u/u
                   10.0.5.50/32
                   2a01:7c8:1936:5:10:0:5:51/64
        eth3       10.0.6.51/24                      u/u
                   10.0.6.50/32
                   2a01:7c8:1936:6:10:0:6:51/64
        eth4       172.16.12.5/30                    u/u
                   2a01:7c8:1936:7:172:16:12:5/64
        lo         127.0.0.1/8                       u/u
                   ::1/128
        vtun0      10.71.32.65/27                    u/u

        r2(slave):
        Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
        Interface  IP Address                        S/L  Description
        ---------  ----------                        ---  -----------
        eth0       10.59.96.52/24                    u/u
                   2a01:7c8:1936:1:10:59:96:52/64
        eth1       45.100.66.52/25                   u/u
                   2a01:7c8:1936:4:45:100:66:52/48
        eth2       10.0.5.52/24                      u/u
                   2a01:7c8:1936:5:10:0:5:52/64
        eth3       10.0.6.52/24                      u/u
                   2a01:7c8:1936:6:10:0:6:52/64
        eth4       172.16.12.6/30                    u/u
                   2a01:7c8:1936:7:172:16:12:6/64
        lo         127.0.0.1/8                       u/u
                   ::1/128
        vtun0      10.71.32.65/27                    u/u

        • Cartman says:

          Hm... what about the output of show interfaces ethernet
          from configuration mode?

          I need to examine the configuration;
          operational mode is not so interesting 🙂

          THANKS!

          • ipmatchregex says:

            Sorry 🙂 here is r1(master):
            ethernet eth0 {
                address 10.59.96.51/24
                address 2a01:7c8:1936:1:10:59:96:51/64
                duplex auto
                hw-id 52:54:00:2b:71:48
                ipv6 {
                    dup-addr-detect-transmits 1
                }
                smp_affinity auto
                speed auto
                vrrp {
                    vrrp-group 10 {
                        advertise-interval 1
                        preempt true
                        priority 150
                        sync-group ALPHA
                        virtual-address 10.59.96.50
                    }
                }
            }
            ethernet eth1 {
                address 45.100.66.51/25
                address 2a01:7c8:1936:4:45:100:66:51/48
                duplex auto
                firewall {
                    in {
                        ipv6-name v6-Ingress-InternetToLAN
                        name v4-Ingress-InternetToLAN
                    }
                    local {
                        ipv6-name v6-Ingress-InternetToRouter
                        name v4-Ingress-InternetToRouter
                    }
                    out {
                        ipv6-name v6-Egress-AllToInternet
                        name v4-Egress-AllToInternet
                    }
                }
                hw-id 52:54:00:8f:e9:e5
                ipv6 {
                    dup-addr-detect-transmits 1
                    router-advert {
                        cur-hop-limit 64
                        default-lifetime 12
                        link-mtu 0
                        managed-flag false
                        max-interval 4
                        min-interval 3
                        other-config-flag false
                        prefix 2a01:7c8:1936:5::/64 {
                            autonomous-flag false
                            on-link-flag true
                            valid-lifetime 2592000
                        }
                        prefix 2a01:7c8:1936:6::/64 {
                            autonomous-flag false
                            on-link-flag true
                            valid-lifetime 2592000
                        }
                        reachable-time 0
                        retrans-timer 0
                        send-advert true
                    }
                }
                smp_affinity auto
                speed auto
                vrrp {
                    vrrp-group 40 {
                        advertise-interval 1
                        preempt true
                        priority 150
                        sync-group ALPHA
                        virtual-address 45.100.66.50
                        virtual-address 45.100.66.14
                        virtual-address 45.100.66.15
                        virtual-address 45.100.66.53
                        virtual-address 45.100.66.54
                    }
                }
            }
            ethernet eth2 {
                address 10.0.5.51/24
                address 2a01:7c8:1936:5:10:0:5:51/64
                duplex auto
                hw-id 52:54:00:b7:0e:11
                ipv6 {
                    dup-addr-detect-transmits 1
                    router-advert {
                        cur-hop-limit 64
                        link-mtu 0
                        managed-flag false
                        max-interval 600
                        other-config-flag false
                        prefix 2a01:7c8:1936:5::/64 {
                            autonomous-flag false
                            on-link-flag true
                            valid-lifetime 2592000
                        }
                        reachable-time 0
                        retrans-timer 0
                        send-advert true
                    }
                }
                smp_affinity auto
                speed auto
                vrrp {
                    vrrp-group 50 {
                        advertise-interval 1
                        preempt true
                        priority 150
                        sync-group ALPHA
                        virtual-address 10.0.5.50
                    }
                }
            }
            ethernet eth3 {
                address 10.0.6.51/24
                address 2a01:7c8:1936:6:10:0:6:51/64
                duplex auto
                hw-id 52:54:00:2b:21:91
                ip {
                }
                ipv6 {
                    dup-addr-detect-transmits 1
                    router-advert {
                        cur-hop-limit 64
                        link-mtu 0
                        managed-flag false
                        max-interval 600
                        other-config-flag false
                        prefix 2a01:7c8:1936:6::/64 {
                            autonomous-flag false
                            on-link-flag true
                            valid-lifetime 2592000
                        }
                        reachable-time 0
                        retrans-timer 0
                        send-advert true
                    }
                }
                smp_affinity auto
                speed auto
                vrrp {
                    vrrp-group 60 {
                        advertise-interval 1
                        preempt true
                        priority 150
                        sync-group ALPHA
                        virtual-address 10.0.6.50
                    }
                }
            }
            ethernet eth4 {
                address 172.16.12.5/30
                address 2a01:7c8:1936:7:172:16:12:5/64
                duplex auto
                hw-id 52:54:00:8a:5e:74
                ip {
                }
                ipv6 {
                    dup-addr-detect-transmits 1
                }
                smp_affinity auto
                speed auto
            }

            And here is r2(slave):
            ethernet eth0 {
                address 10.59.96.52/24
                address 2a01:7c8:1936:1:10:59:96:52/64
                duplex auto
                hw-id 52:54:00:52:51:b4
                ipv6 {
                    dup-addr-detect-transmits 1
                }
                smp_affinity auto
                speed auto
                vrrp {
                    vrrp-group 10 {
                        advertise-interval 1
                        preempt true
                        priority 20
                        sync-group ALPHA
                        virtual-address 10.59.96.50
                    }
                }
            }
            ethernet eth1 {
                address 45.100.66.52/25
                address 2a01:7c8:1936:4:45:100:66:52/48
                duplex auto
                firewall {
                    in {
                        ipv6-name v6-Ingress-InternetToLAN
                        name v4-Ingress-InternetToLAN
                    }
                    local {
                        ipv6-name v6-Ingress-InternetToRouter
                        name v4-Ingress-InternetToRouter
                    }
                    out {
                        ipv6-name v6-Egress-AllToInternet
                        name v4-Egress-AllToInternet
                    }
                }
                hw-id 52:54:00:64:03:e2
                ipv6 {
                    dup-addr-detect-transmits 1
                    router-advert {
                        cur-hop-limit 64
                        default-lifetime 12
                        link-mtu 0
                        managed-flag false
                        max-interval 4
                        min-interval 3
                        other-config-flag false
                        prefix 2a01:7c8:1936:5::/64 {
                            autonomous-flag false
                            on-link-flag true
                            valid-lifetime 2592000
                        }
                        prefix 2a01:7c8:1936:6::/64 {
                            autonomous-flag false
                            on-link-flag true
                            valid-lifetime 2592000
                        }
                        reachable-time 0
                        retrans-timer 0
                        send-advert true
                    }
                }
                smp_affinity auto
                speed auto
                vrrp {
                    vrrp-group 40 {
                        advertise-interval 1
                        preempt true
                        priority 20
                        sync-group ALPHA
                        virtual-address 45.100.66.50
                        virtual-address 45.100.66.14
                        virtual-address 45.100.66.15
                        virtual-address 45.100.66.53
                        virtual-address 45.100.66.54
                    }
                }
            }
            ethernet eth2 {
                address 10.0.5.52/24
                address 2a01:7c8:1936:5:10:0:5:52/64
                duplex auto
                hw-id 52:54:00:17:1a:6b
                ipv6 {
                    dup-addr-detect-transmits 1
                    router-advert {
                        cur-hop-limit 64
                        link-mtu 0
                        managed-flag false
                        max-interval 600
                        other-config-flag false
                        prefix 2a01:7c8:1936:5::/64 {
                            autonomous-flag false
                            on-link-flag true
                            valid-lifetime 2592000
                        }
                        reachable-time 0
                        retrans-timer 0
                        send-advert true
                    }
                }
                smp_affinity auto
                speed auto
                vrrp {
                    vrrp-group 50 {
                        advertise-interval 1
                        preempt true
                        priority 20
                        sync-group ALPHA
                        virtual-address 10.0.5.50
                    }
                }
            }
            ethernet eth3 {
                address 10.0.6.52/24
                address 2a01:7c8:1936:6:10:0:6:52/64
                duplex auto
                hw-id 52:54:00:fd:1f:91
                ip {
                }
                ipv6 {
                    dup-addr-detect-transmits 1
                    router-advert {
                        cur-hop-limit 64
                        link-mtu 0
                        managed-flag false
                        max-interval 600
                        other-config-flag false
                        prefix 2a01:7c8:1936:6::/64 {
                            autonomous-flag false
                            on-link-flag true
                            valid-lifetime 2592000
                        }
                        reachable-time 0
                        retrans-timer 0
                        send-advert true
                    }
                }
                smp_affinity auto
                speed auto
                vrrp {
                    vrrp-group 60 {
                        advertise-interval 1
                        preempt true
                        priority 20
                        sync-group ALPHA
                        virtual-address 10.0.6.50
                    }
                }
            }
            ethernet eth4 {
                address 172.16.12.6/30
                address 2a01:7c8:1936:7:172:16:12:6/64
                duplex auto
                hw-id 52:54:00:2d:da:f1
                ip {
                }
                ipv6 {
                    dup-addr-detect-transmits 1
                }
                smp_affinity auto
                speed auto
            }

  33. Cartman says:

    I confirm it's a vyatta-config-validator issue.
    A new vyatta-config-validator has just been rolled out!
    Details here.

  34. nath says:

    Hi,
    I've got config-sync running, but I'm getting an error with the following transformation:
    s/priority\ 150/priority\ 50/g

    /tmp/vyatta-config-sync.22798/local_transformations.sed line 4: unknown option to `s'

    The transformation works fine when I test it with:
    echo "priority 150" | sed s/priority\ 150/priority\ 50/g
    priority 50

    Something that may be related...
    I had to turn the config validator off because it had an issue with my VRRP config. It didn't like the / in "virtual-address 10.22.33.1/24", which is acceptable in newer releases of Vyatta (6.4) but not in older ones. I think the validator needs to be updated slightly 🙂

    thanks in advance

  35. Cartman says:

    Hi Nath!

    Please use
    s/priority 150/priority 50/g
    with no backslashes!

    When you test this in the shell, the shell removes the backslashes
    before the command is processed, but Config-Sync does not.

    Please test your configuration without backslashes
    and tell me if the sed problem went away. 😉

    And sure, I'll see whazzup with Config-Validator!

    • Peres says:

      Hi Cartman!
      Thanks for the software; your script is a great help on my platform! Thanks so much.

      Answering your solution posted to "Nath" on June 23, 2012:

      your suggestion worked perfectly.

      Thanks for the help.

  36. ipmatchregex says:

    When setting an IPv6 system name-server, config validator fails while Vyatta accepts it and commits it to /etc/resolv.conf.

    vyatta@masterhostname# /usr/sbin/vyatta-config-sync load
    --------------------------------------------------------------------------------
    * slavehostname
    --------------------------------------------------------------------------------
    system name-server: “2a01:7c8:a::c53” is not a valid value of type ipv4!

    [ ERROR ]
    Config validation failed for host: slavehostname

    • Cartman says:

      Fixed!
      Please install the fixed version this way:
      sudo apt-get update
      sudo apt-get -y --force-yes install vyatta-config-validator

  37. Jeremy says:

    Hi, I'm trying to get this installed on a few of my routers and firewalls. When I try to run vyatta-config-sync load I get...

    /usr/sbin/vyatta-config-sync: line 123: [” -gt: unary operator expected
    chmod: cannot access ‘/tmp/vyatta-config-sync.4085/local_transformations.sed’ : No such file or directory
    chgrp: cannot access ‘/tmp/vyatta-config-sync.4085/local_transformations.sed’ : No such file or directory

    [ERROR]
    Slave MAC address number(1) is different from master MAC address number(2) on host: myhost

    Please help me resolve this issue!

    Thanks

  38. Jeremy says:

    I looked at the git code and figured it out! It was an issue with my keys.

    Thanks

  39. Darryl says:

    Would it be possible to have the translation file on the master, perhaps a file per slave that's copied to the slave when you do a load?

    In our situation, all of our config changes are to add VLAN VIFs, so we still need to log into the slave before we make the changes on the master.

    Thanks!

    • Cartman says:

      No, currently it's impossible. 🙁 But it looks like a cool feature,
      so when I’ll have some spare time, I’ll try to mess with it.

  40. ipmatchregex says:

    Anyone successfully used this awesome tool on 6.6? =) Gonna do it myself of course, but maybe someone already did.

    • Cartman says:

      I must test it ASAP, but have no time due to job matters.
      Would be totally nice if you test it before me! 🙂

  41. Pingback: BLOG.KAWATASO.NET » Blog Archive

  42. Cartman says:

    Domo arigato, Kawataso-san! 🙂
    To all folks: yes, vyatta-config-sync works with Vyatta 6.6.

  43. aligot says:

    Hello,

    thanks a lot for your software.

    I have a few questions.

    1/ I'm trying it right now against my configuration, but it fails with the following errors:

    interfaces openvpn vtun0: “disable” does not match regex /^vtun[0-9]+$/
    interfaces openvpn vtun1: “disable” does not match regex /^vtun[0-9]+$/
    interfaces openvpn vtun2: “disable” does not match regex /^vtun[0-9]+$/
    interfaces openvpn vtun3: “disable” does not match regex /^vtun[0-9]+$/
    interfaces openvpn vtun4: “disable” does not match regex /^vtun[0-9]+$/

    Here is an example of configuration:
    openvpn vtun4 {
        description "internal tcp"
        device-type tap
        disable
        local-host [xxxxx]
        local-port [xxxxx]
        mode server
        protocol tcp-passive
        server {
            client name-seminaire2 {
                ip 192.168.54.5
            }
            subnet 192.168.54.0/24
        }
        tls {

        }
    }

    2/ Our router does not listen on a standard port for ssh. Is it possible to change the port somewhere?

    Best regards,

    A.

  44. Cartman says:

    Hi Aligot,

    1)
    This was a quirk of config-sync's companion software, vyatta-config-validator.
    I've fixed the issue and rolled out a new version of vyatta-config-validator, 0.1-8.
    Please install latest vyatta-config-validator package:
    sudo apt-get update
    sudo apt-get install vyatta-config-validator

    2)
    This works for me:
    set service ssh port ANY_PORT_YOU_NEED

    I wish you a pleasant vyatta-config-sync experience! 🙂

    • aligot says:

      Hello,

      Thanks a lot for your prompt reply and the upgrade. I'll test in a few seconds.

      About the ssh port: both my routers are running with the same ssh port, not 22, and in /etc/vyatta-config-sync/sync_hosts.conf I have only one ip\tname. Maybe I have to put something like ip:port\tname in this file?

      At the present time, here is the output of vcs command:
      $ vcs
      ——————————————————————————–
      * router02-dev
      ——————————————————————————–
      /usr/sbin/vyatta-config-sync: line 123: [: -gt: unary operator expected
      chmod: cannot access `/tmp/vyatta-config-sync.22347/local_transformations.sed': No such file or directory
      chgrp: cannot access `/tmp/vyatta-config-sync.22347/local_transformations.sed': No such file or directory

      [ ERROR ]
      Slave MAC address number(1) is different from master MAC address number(2) on host: router02-dev

      If I set/save/commit port 22 on both hosts, this works.

      Best regards,

      A.

      • Cartman says:

        Hi,

        Oh, an alternative port for config-sync, I didn't get it at first 🙂

        I’ve rolled out new version of vyatta-config-sync. Please update.

        1.
        sudo apt-get update
        sudo apt-get install vyatta-config-sync

        2.
        Add line ssh_options="-o Port=YOUR_SSH_PORT"
        to /etc/vyatta-config-sync/options.env

        3.
        PROFIT!

  45. Traveler says:

    My environment offers some unique challenges. My Vyattas are never allowed to connect to the Internet (so no installing from the repository), and I need to document and have approved any changes from the baseline install. Are there directions somewhere on how to manually install VCS? I can grab the shell script and copy it in, but any additional libraries? Expected directory structure? I am not really experienced with package management, so I do not know how to grab a .deb and tear it apart to see what it does. Any help/suggestions would be appreciated.

    Thanks

  46. Holmgreen says:

    Hi,
    I have installed it and it seems to work just fine with VyOS 1.0.1.
    But I am using bridges, and every time I run it, it moves the IP to the second router, causing an IP conflict. Is there any way to specify which section to sync, or just prevent the interface section from being synchronized?

    Thanks

    • Cartman says:

      Hi,
      please see the local_transformations.sed section of this page. 😉
      Each slave has a local_transformations.sed file where
      you may store sed-based transformations for config.boot.
      Just add a transformation changing the IP address of a bridge
      on a slave (secondary) router. 🙂

  47. krull.mcroth says:

    Hi Cartman!

    Many thanks for your great script! I have successfully installed it on VC6.6R1 and it is working on an R1+R2 Master/Slave VRRP setup flawlessly.

    I was wondering if vyatta-config-sync has tab completion support. If it should, then it does not work in VC6.6R1 for some reason.

    I will investigate further and check back here with my findings.

    k

    • Cartman says:

      Dear Krull,

      I'm really happy my script worked for you. 🙂

      And, no, for now it has no completion support. 🙁
      But it may have it in a future release.

      P.S.:
      You may use vcs shorthand to do vyatta-config-sync load.

  48. Tom Martinson says:

    I have installed the config-sync on VyOS 1.0.2 and the VyOS development build. I ran into one issue following the instructions.

    vyos@baxter:~$ vyatta-config-sync load
    ——————————————————————————–
    * baxter-r1
    ——————————————————————————–

    [ ERROR ]
    Slave serial(1) is greater than master serial(0) on host: baxter-r1

    But as we can see, the serial was actually 0:
    vyos@baxter-r2:~$ more /etc/vyatta-config-sync/serial
    0

    What I did was to actually remove the baxter-r1 entry from the sync_hosts.conf file:
    root@baxter-r1:~# more /etc/vyatta-config-sync/sync_hosts.conf
    #
    # List of slave host addresses and names to synchronize with our master configuration
    #
    #
    #192.168.0.241 router-dev
    #192.168.0.242 router-dev2
    #10.0.0.1 baxter-r1
    10.0.0.2 baxter-r2

    Now I get the following:

    vyos@baxter:~$ vyatta-config-sync load
    ——————————————————————————–
    * baxter-r2
    ——————————————————————————–
    [ OK ]
    ——————————————————————————–

    And everything seems to work correctly.

    Tom

    • Cartman says:

      Thank you for your comment, Tom!

      This error is not important and could actually be fixed by
      running vyatta-config-sync load again. 🙂
      It appears only when you accidentally launch vyatta-config-sync
      on a slave server, which is not an intended action.

      Thank you again, and I hope your experience
      with vyatta-config-sync will be pleasant! 🙂

  49. krull.mcroth says:

    Hi Again!

    I think I found a bug.

    When you put static-mapping-parameters as described here and try to statically assign a 'host-name' via DHCP to your client system, the sync fails.

    Grepping for 'host-name' in vyatta-config-sync, it seems that you have hard-coded 'host-name' in the script.

    I will try to post a workaround on this later on. Hope this helps.

    -krull

    • Cartman says:

      You are right! I’ll try to fix it! THANKS!

      • krull.mcroth says:

        Hey there!

        OK, simple fix. Change your sed to the below to only change the host-name and not every instance of 'host-name' in your config.boot:

        s/host-name ${HOSTNAME}/host-name ${SYNC_HOST_NAME}/"

        Hope this fix helps others facing the same issue I had!

        Many thanks for a great script!

        -krull

  50. Borut Mrak says:

    Hello Cartman!

    I tried the script on EdgeOS and it works well (except I had to change the config file location; EdgeOS saves it in /config only, no /opt/vyatta/etc/config present). And the aliases don't get loaded for op mode (will look into it).

    I would also like to get it packaged for VyOS, eventually including config mode commands to set it up so there's no need for manual editing of files in /etc/vyatta-config-sync. Would you mind sharing your /debian directory (maybe put it in the repository?) so I don't have to reinvent the wheel? I know it's simple, but anyway...

    Oh BTW, there is no license included, so it seems we can't legally redistribute your code 🙂 Would you mind adding one?

    Best regards,
    Borut Mrak.

  51. Steve K says:

    Hi,

    Will this (now or eventually) work with v 1.1.0 of VyOS?

    It looks like there are currently some problems with the vyatta4people repo on 1.1.0. The linked post was not me, but I observed a similar problem installing vyatta-config-sync.

    Keep up the good work,
    Steve.

  52. traveler says:

    Been using VCS for a long time now, with excellent results. However, I have just run into a new problem. We are being forced to get rid of all shared accounts and go to each administrator (there are several) having their own account. VCS only works for the first person to run it. The second person to run VCS gets a bunch of file permission errors in /tmp. When I look in the /tmp directory, I see that the files are created with RW for the owner (first person to run VCS) and just R for the users group. I changed the permissions on .out and .err to RW for users, and now any admin can run VCS. This is not a great workaround, as I can't guarantee these files won't get deleted and recreated with the wrong permissions again. Is there a better workaround than manually editing the file permissions?

    Thanks
    Phil

  53. Chris Boulders says:

    Excellent guide, thanks guys. I'm just starting out on Vyatta and found this really helpful. I've located an online tool that's really helped me: it generates the Vyatta VPN configuration for you. In case it's a help to anyone, you can find it here: http://www.whyaws.com/tools/vyatta_vpn_gen.htm

  54. Jeroen Kool says:

    Trying to get this to work on a VyOS 1.1 cluster (since Vyatta is murdered by Brocade). Got the SSH figured out (had to install SSL from squeeze as we are running AMD), but that works now. The cluster does what it needs to do, fail over and so forth, but when we try to do a config-sync load, I get an

    [ ERROR ]
    Slave MAC address number(2) is different from master MAC address number(3) on host: fw01b

    • Cartman says:

      Hi Jeroen!
      Both hosts must have equal number of NICs.
      It looks like master host got 3 NICs, while slave got 2 NICs.
      Is it possible to make NIC number on both hosts equal?

      • Jeroen Kool says:

        Both nodes do have the exact same number of NICs, but the cluster process spawns a virtual NIC on the active node. I guess that is where the script gets confused.

        • Cartman says:

          OK, I got it.
          As a temporary workaround you may comment out
          line 137 (it begins like: suicide "Slave MAC) in /usr/sbin/vyatta-config-sync.
          An official fix will be available in the next release.

  55. Jeroen Kool says:

    Ok, let me try that,

    Thanks

    • Jeroen Kool says:

      Ok, almost there, now I get:
      cluster group cinhk1fw01 auto-failback: "00:50:56:9e:b3:bb" is not a valid value of type bool!
      system options clear-nic-hw-id: "00:50:56:9e:b3:bb" is not a valid value of type bool!

      My config file under cluster group xxx shows:
      auto-failback false

  56. Vladimir says:

    Hello, I have another issue. When I tried to enter:
    user@R1> vyatta-config-sync load

    Invalid command: [vyatta-config-sync]

    Any ideas?
    Thank you!

  57. Vladimir says:

    Trying to resolve that problem, appreciate any help!

    vladimir@vy1:~$vyatta-config-sync load
    ——————————————————————————–
    * vy2
    ——————————————————————————–
    /usr/sbin/vyatta-config-sync: line 125: [: -gt: unary operator expected
    chmod: cannot access `/tmp/vyatta-config-sync.22341/local_transformations.sed': No such file or directory
    chgrp: cannot access `/tmp/vyatta-config-sync.22341/local_transformations.sed': No such file or directory

    [ ERROR ]
    Slave MAC address number(1) is different from master MAC address number(4) on host: vy2

    • Cartman says:

      Do you have a valid local_transformations.sed on vy2?

      • Vladimir says:

        Yes…

        root@vy2:~#locate local_transformations.sed
        /boot/live-rw/etc/vyatta-config-sync/local_transformations.sed
        /etc/vyatta-config-sync/local_transformations.sed
        /live/cow/etc/vyatta-config-sync/local_transformations.sed
        /live/image/boot/vy2/live-rw/etc/vyatta-config-sync/local_transformations.sed

        # sed transformations that will be applied one-after-one to config.boot before$
        s/192\.168\.10\.13\/24/192.168.10.14\/24/g

        • Cartman says:

          hm…

          What's your VyOS/Vyatta version?
          Do both of your routers have the same number of NICs?

          weird…

          • Vladimir says:

            Cartman,

            Vyatta version: 3.9.5-1-amd64-vyatta

            show version all:
            Version: 999.master.07120436
            Description: 999.master.07120436
            Copyright: 2006-2013 Vyatta, Inc.
            Built by: unofficial@vyattawiki.net
            Built on: Fri Jul 12 11:30:06 UTC 2013
            Build ID: 1307121130-ffd8033
            System type: Intel 64bit
            Boot via: image
            HW model: SUN FIRE X4150
            HW S/N: Chassis SN
            HW UUID: 080020FF-FFFF-FFFF-FFFF-00238BCE4F9C
            Uptime: 16:21:58 up 4 days, 21:54, 2 users, load average: 0.00, 0.01, 0.05

            Aii locate 4.4.2-1+b1
            Aii vyatta-config-sync 0.1-19
            Aii vyatta-config-validator 0.1-9

            I have two Sunfires from IBM x4150 with the same configuration! Same number of NICs.

            Thank you for your HELP!!!!

          • Vladimir says:

            Cartman,

            In VyOS, is SYNC working by default, as in the Vyatta subscription version?
            Because the subscription version of Vyatta includes configuration synchronization.

            Thank you in advance!
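The local_transformations.sed mechanism comes up several times in this thread: the advice that the rule file is read by sed, so backslashes are not stripped the way a shell strips them (comment 35), changing a bridge or interface address on the slave (comment 46), the anchored host-name rule that stops the script from rewriting every "host-name" in config.boot, including the one inside DHCP static-mapping parameters (comment 49), and the address-rewriting rule posted just above. The following script is an added example, not code from vyatta-config-sync or its author, that replays all of this on a constructed config.boot fragment. The hostnames r1/r2, the addresses, the config fragment and the "naive" rule (an assumed reconstruction of the unanchored behaviour the bug report describes, since the page does not show the original line) are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from vyatta-config-sync. It replays what a slave's
# local_transformations.sed does to the master's config.boot and shows why the
# host-name rewrite must be anchored to the master's hostname: an unanchored
# rule also rewrites "host-name" inside DHCP static-mapping parameters.
# Hostnames, addresses and the config fragment are constructed. Because sed
# reads the rule file directly, no shell unescaping happens: a "\." written in
# the file reaches sed as "\." (hence "no backslashes" when testing in a shell).

MASTER_HOSTNAME=r1      # constructed master hostname
SYNC_HOST_NAME=r2       # constructed slave hostname

# Constructed fragment of the master's config.boot with two different
# "host-name" nodes: the system hostname and a DHCP static-mapping option.
master_config() {
    cat <<'EOF'
interfaces {
    ethernet eth1 {
        address 192.168.10.13/24
    }
}
service {
    dhcp-server {
        shared-network-name LAN {
            subnet 192.168.10.0/24 {
                static-mapping printer {
                    ip-address 192.168.10.50
                    mac-address 00:11:22:33:44:55
                    static-mapping-parameters "option host-name printer;"
                }
            }
        }
    }
}
system {
    host-name r1
}
EOF
}

# Print the config.boot the slave would load.
# $1 is "anchored" (the corrected rule from the thread) or "naive" (a rule
# matching any host-name value, constructed here to reproduce the reported bug).
synced_config() {
    rules=$(mktemp) || return 1
    {
        # local_transformations.sed content (constructed): give the slave its
        # own eth1 address, the same technique as for a bridge address.
        printf 's/192\\.168\\.10\\.13\\/24/192.168.10.14\\/24/g\n'
        if [ "$1" = anchored ]; then
            printf 's/host-name %s/host-name %s/\n' "$MASTER_HOSTNAME" "$SYNC_HOST_NAME"
        else
            printf 's/host-name [^ ;]*/host-name %s/g\n' "$SYNC_HOST_NAME"
        fi
    } > "$rules"
    master_config | sed -f "$rules"
    rm -f "$rules"
}

# Small extractors so each effect of the rules can be checked on its own.
system_hostname()      { synced_config "$1" | sed -n 's/^ *host-name \(.*\)$/\1/p'; }
dhcp_client_hostname() { synced_config "$1" | sed -n 's/.*option host-name \([^;]*\);.*/\1/p'; }
lan_address()          { synced_config "$1" | sed -n 's/^ *address \(.*\)$/\1/p'; }

# The anchored rule renames only the system to r2 and leaves the DHCP client
# name "printer" alone; the naive rule renames both to r2.
main() {
    for mode in anchored naive; do
        printf '%s: system=%s dhcp-client=%s eth1=%s\n' "$mode" \
            "$(system_hostname "$mode")" "$(dhcp_client_hostname "$mode")" "$(lan_address "$mode")"
    done
}
main "$@"
```

Run it with `sh` on any box that has sed; it needs no Vyatta at all. The rule file is generated with printf rather than typed into a shell so that the backslashes land in the file exactly as sed must see them, which is the same reason the earlier advice was to test substitutions in the file, not with backslashes added for the shell.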

  58. Cartman says:

    Vladimir, could you please give me access to your systems?
    Your error is strange...

  59. Ken says:

    admin@vpn1:~$ sudo vyatta-config-sync load
    [ ERROR ]
    Only unprivileged users may run vyatta-config-sync!!!

    Then I try...

    admin@vpn1:~$ /usr/sbin/vyatta-config-sync load
    ——————————————————————————–
    * vpn2
    ——————————————————————————–
    admin@192.168.0.2's password:
    admin@192.168.0.2's password:
    admin@192.168.0.2's password:
    admin@192.168.0.2's password:
    admin@192.168.0.2's password:

    I tried entering the vpn1 or vpn2 password, but unsuccessfully. Please help.

  60. vkxx says:

    Hi,

    I am using VyOS for firewall and VPN. There are multiple interfaces or ports, and these interfaces have different multiple rules. I need to configure VyOS in HA (active/standby) mode. Will vyatta-config-sync work for my case, such that once the ACTIVE (master) goes down, the firewall rules automatically get configured on the new master?

  61. Maxim says:

    Thank you very much, launched in a testing environment without any problems on VyOS 1.1.6.