systemd: disable foreign route management #61
Merged
pothos added a commit to flatcar-archive/coreos-overlay that referenced this pull request Feb 16, 2022
This pulls in flatcar/init#61 and flatcar/baselayout#22 to use a drop-in file instead of the systemd patch.
krnowak approved these changes Feb 17, 2022
Looks good.
pothos force-pushed the kai/disable-foreign-route-mgmt branch from f059d23 to cd33898 February 17, 2022 08:37
pothos added a commit to flatcar-archive/coreos-overlay that referenced this pull request Feb 17, 2022
This pulls in flatcar/init#61 and flatcar/baselayout#22 to use a drop-in file instead of the systemd patch.
jepio pushed a commit to flatcar-archive/coreos-overlay that referenced this pull request Mar 1, 2022
This pulls in flatcar/init#61 and flatcar/baselayout#22 to use a drop-in file instead of the systemd patch.
systemd: disable foreign route management
While systemd-networkd follows the principle of a declarative network
configuration and thus needs a way to ensure that unwanted routes or
routing policy rules get discarded, the interfacing with procedural
network management from CNIs like Cilium is limited, so that when the
interface is set to "unmanaged" through a networkd unit, any routing
policies there would also be ignored and discarded unless they would
be defined for a new unit for a dummy network interface. This means
the only option left is to disable the discarding of foreign rules
globally.
Set the default for ManageForeignRoutes and
ManageForeignRoutingPolicyRules to "no" to ensure that we don't
interfere with the network management of the CNIs. Users that rely on
the setting can still enable it again but only through a drop-in
under /etc/systemd/networkd.conf.d/ because this here is a drop-in
already that takes precedence over the top config file.
See cilium/cilium#18706 ("Host network broken after one of the underlying interfaces of a bond goes down")
and Flatcar#620 ("Cilium routing policy rules can get lost")
Replaces flatcar-archive/coreos-overlay#1622 ("sys-apps/systemd: add downstream patch to disable foreign route mgmt")
systemd: move files to init repo as unified location
The systemd drop-in files should only be in one repository, and using
init is better than baselayout for that (baselayout is also used for
the SDK).
How to use
Together with baselayout PR
Testing done
See coreos-overlay PR
changelog/ directory (user-facing change, bug fix, security fix, update) ↑ TODO in coreos-overlay
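
The precedence rule the description relies on (a drop-in outranks the top-level networkd.conf, so re-enabling foreign route management needs a drop-in under /etc/systemd/networkd.conf.d/) can be checked with a small resolver. This is an added example, not code from this pull request or from Flatcar. It assumes the directory order documented in networkd.conf(5), a vendor drop-in under usr/lib/systemd/networkd.conf.d/, upstream defaults of "yes", and two hypothetical file names.

```python
import configparser
import tempfile
from pathlib import Path

# Drop-in directories in increasing priority; the same file name in a later
# directory masks the earlier one (see networkd.conf(5)).
DROPIN_DIRS = ("usr/lib/systemd/networkd.conf.d", "run/systemd/networkd.conf.d",
               "etc/systemd/networkd.conf.d")
MAIN_CONF = "etc/systemd/networkd.conf"  # simplification: only this main file
KEYS = ("ManageForeignRoutes", "ManageForeignRoutingPolicyRules")

def effective_settings(root):
    """Return {key: (value, source)} for KEYS under filesystem root `root`."""
    root, by_name = Path(root), {}
    for d in (root / d for d in DROPIN_DIRS):
        if d.is_dir():
            for f in d.glob("*.conf"):
                by_name[f.name] = f
    # Main file is parsed first, then drop-ins sorted by file name; last wins.
    order = [root / MAIN_CONF] + [by_name[n] for n in sorted(by_name)]
    result = {k: ("yes", "built-in default") for k in KEYS}  # assumed default
    for path in filter(Path.is_file, order):
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.optionxform = str  # systemd keys are case-sensitive
        cp.read(path)
        for k in KEYS:
            if cp.has_option("Network", k):
                result[k] = (cp.get("Network", k), str(path.relative_to(root)))
    return result

def write(root, rel, body):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(body)

def demo(user_setting_in):
    """Constructed tree; both drop-in file names are hypothetical."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "usr/lib/systemd/networkd.conf.d/50-vendor-example.conf",
              "[Network]\nManageForeignRoutes=no\n"
              "ManageForeignRoutingPolicyRules=no\n")
        if user_setting_in == "main":
            write(root, MAIN_CONF, "[Network]\nManageForeignRoutes=yes\n")
        elif user_setting_in == "dropin":
            write(root, "etc/systemd/networkd.conf.d/90-local-example.conf",
                  "[Network]\nManageForeignRoutes=yes\n")
        return effective_settings(root)

if __name__ == "__main__":
    for where in ("main", "dropin"):
        print(where, demo(where))
```

Pointing `effective_settings("/")` at a real host shows which file currently decides each key, which is useful when a CNI's routes or policy rules disappear unexpectedly.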