metal-stack · Gerrit91 · Jun 27, 2023 · Jan 23, 2023 · Jan 26, 2023 · Jan 27, 2023
@@ -0,0 +1,12 @@
+# frr
+
+Configures and starts frr.
+
+This role can deploy on bare metal machines with Debian or Almalinux. It depends on fact gathering.
+
+## Variables
+
+| Name        | Mandatory | Description                         |
+| ----------- | --------- | ----------------------------------- |
+| frr_version |           | The version of FRR to be installed. |
+| frr_repo    |           | The repository that contains FRR.   |
@@ -0,0 +1,3 @@
+---
+frr_version: 8.4
+frr_repo: frr-8
@@ -0,0 +1,3 @@
+bgpd=yes
+zebra=yes
+bfdd=yes
@@ -0,0 +1,55 @@
+# source: https://github.com/FRRouting/frr/blob/master/doc/user/Useful_Sysctl_Settings.md
+# The below sysctl values provide a logical set of defaults which can be further optimized.
+#
+# /etc/sysctl.d/99frr_defaults.conf
+# Place this file at the location above and reload the device.
+# or run the sysctl -p /etc/sysctl.d/99frr_defaults.conf
+
+# Enables IPv4/IPv6 Routing
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding=1
+
+# Routing
+net.ipv6.route.max_size=131072
+net.ipv4.conf.all.ignore_routes_with_linkdown=1
+net.ipv6.conf.all.ignore_routes_with_linkdown=1
+
+# Best Settings for Peering w/ BGP Unnumbered
+#    and OSPF Neighbors
+net.ipv4.conf.all.rp_filter = 0
+net.ipv4.conf.default.rp_filter = 0
+net.ipv4.conf.lo.rp_filter = 0
+net.ipv4.conf.all.forwarding = 1
+net.ipv4.conf.default.forwarding = 1
+net.ipv4.conf.default.arp_announce = 2
+net.ipv4.conf.default.arp_notify = 1
+net.ipv4.conf.default.arp_ignore=1
+net.ipv4.conf.all.arp_announce = 2
+net.ipv4.conf.all.arp_notify = 1
+net.ipv4.conf.all.arp_ignore=1
+net.ipv4.icmp_errors_use_inbound_ifaddr=1
+
+# Miscellaneous Settings
+#   Keep ipv6 permanent addresses on an admin down
+net.ipv6.conf.all.keep_addr_on_down=1
+
+# igmp
+net.ipv4.igmp_max_memberships=1000
+net.ipv4.neigh.default.mcast_solicit = 10
+
+# MLD
+net.ipv6.mld_max_msf=512
+
+# Garbage Collection Settings for ARP and Neighbors
+net.ipv4.neigh.default.gc_thresh2=7168
+net.ipv4.neigh.default.gc_thresh3=8192
+net.ipv4.neigh.default.base_reachable_time_ms=14400000
+net.ipv6.neigh.default.gc_thresh2=3584
+net.ipv6.neigh.default.gc_thresh3=4096
+net.ipv6.neigh.default.base_reachable_time_ms=14400000
+
+# Use neigh information on selection of nexthop for multipath hops
+net.ipv4.fib_multipath_use_neigh=1
+
+# Allows Apps to Work with VRF
+net.ipv4.tcp_l3mdev_accept=1
@@ -0,0 +1 @@
+service integrated-vtysh-config
@@ -0,0 +1,13 @@
+---
+- name: reload frr
+  service:
+    name: frr
+    state: reloaded
+
+- name: restart frr
+  service:
+    name: frr
+    state: restarted
+
+- name: reload sysctls
+  command: sysctl --system
@@ -0,0 +1,19 @@
+---
+- name: add FRR apt-key to verify FRR package
+  apt_key:
+    url: https://deb-us.frrouting.org/frr/keys.asc
+    state: present
+
+- name: add mainline FRR repository to install FRR
+  apt_repository:
+    repo: deb https://deb-us.frrouting.org/frr {{ ansible_distribution_release }} {{ frr_repo }}
+    state: present
+    filename: frr.list
+
+- name: install required packages to have the network stack in place
+  apt:
+    name:
+    - frr={{ frr_version }}*
+    - frr-pythontools={{ frr_version }}*
+    update_cache : yes
+    force_apt_get: yes
@@ -0,0 +1,5 @@
+---
+- name: install frr
+  dnf:
+    name: frr
+    state: present
@@ -0,0 +1,53 @@
+---
+- name: check mandatory variables for this role are set
+  assert:
+    fail_msg: "not all mandatory variables given, check role documentation"
+    quiet: yes
+    that:
+      - frr_version is not none
+      - frr_repo is not none
+      - ansible_os_family in ['Debian', 'RedHat']
+
+- name: gather package facts
+  package_facts:
+    manager: auto
+
+- name: check if frr is installed
+  set_fact:
+    frr_installed: "{{ ('packages' in ansible_facts and ('frr' in ansible_facts.packages) and (frr_version|string in (ansible_facts.packages['frr'][0].version))) | bool }}"
+
+- import_tasks: install/debian.yaml
+  when: not frr_installed and ansible_os_family == 'Debian'
+
+- import_tasks: install/redhat.yaml
+  when: not frr_installed and ansible_os_family == 'RedHat'
+
+- name: copy sysctls for frr
+  copy:
+    src: sysctl.conf
+    dest: /etc/sysctl.d/98-frr.conf
+  notify: reload sysctls
+
+- name: enable vtysh
+  copy:
+    src: vtysh.conf
+    dest: /etc/frr/
+  notify: restart frr
+
+- name: enable frr daemons
+  copy:
+    src: daemons
+    dest: /etc/frr/daemons
+  notify: restart frr
+
+- name: ensure frr is started
+  systemd:
+    name: frr
+    enabled: yes
+    state: started
+
+- name: copy frr conf
+  copy:
+    content: "{{ frr_conf }}"
+    dest: /etc/frr/frr.conf
+  notify: reload frr
@@ -56,6 +56,7 @@
     systemd_docker_volumes: "{{ lookup('template', 'metal-core-volumes.j2') | from_yaml }}"
     systemd_docker_cap_add:
       - sys_admin
+      - net_admin
     systemd_service_environment: "{{ lookup('template', 'metal-core-env.j2') | from_yaml }}"
     systemd_external_config_changed: "{{ grpc_certs is changed }}"
     systemd_service_after: "{{ metal_core_service_dependency }}"

@@ -4,15 +4,20 @@ Configures a server to act as management server for a metal-stack partition.
 
 ## Variables
 
-| Name                                  | Mandatory | Description                                                                     |
-|---------------------------------------|-----------|---------------------------------------------------------------------------------|
-| mgmt_server_asn                       | yes       | the ASN to use for routing.                                                     |
-| mgmt_server_dns_over_tls              |           | whether to use DNSoverTLS (default is true).                                    |
-| mgmt_server_firewall_facing_interface | yes       | the interface where the firewall is connected at the management server.         |
-| mgmt_server_firewall_ip               |           | the remote ip of the firewall for setting up a numbered BGP session.            |
-| mgmt_server_frr_match_interfaces      |           | announce the networks attached to the given interfaces over BGP.                |
-| mgmt_server_frr_rep                   |           | the FRR repo to use.                                                            |
-| mgmt_server_frr_version               |           | the FRR version to use.                                                         |
-| mgmt_server_nameservers               |           | the nameservers to use (default is dns0.eu).                                    |
-| mgmt_server_router_id                 | yes       | the router-id to use for routing.                                               |
-| mgmt_server_spine_facing_interface    | yes       | the interface where the management spine is connected at the management server. |
+| Name                                  | Mandatory | Description                                                                          |
+| ------------------------------------- | --------- | ------------------------------------------------------------------------------------ |
+| mgmt_server_asn                       | yes       | the ASN to use for routing.                                                          |
+| mgmt_server_dns_over_tls              |           | whether to use DNSoverTLS (default is true).                                         |
+| mgmt_server_firewall_facing_interface | yes       | the interface where the firewall is connected at the management server.              |
+| mgmt_server_firewall_ip               |           | the remote ip of the firewall for setting up a numbered BGP session.                 |
+| mgmt_server_frr_match_interfaces      |           | announce the networks attached to the given interfaces over BGP.                     |
+| mgmt_server_frr_repo                  |           | the FRR repo to use.                                                                 |
+| mgmt_server_frr_version               |           | the FRR version to use.                                                              |
+| mgmt_server_nameservers               |           | the nameservers to use (default is dns0.eu).                                         |
+| mgmt_server_router_id                 | yes       | the router-id to use for routing.                                                    |
+| mgmt_server_spine_facing_interface    | yes       | the interface where the management spine is connected at the management server.      |
+| mgmt_server_metal_ssh_groups          |           | the ansible group to include into the ssh config                                     |
+| mgmt_server_metal_ssh_privkey         | yes       | the private SSH key of the `metal` admin user for connecting to the other components |
+| mgmt_server_metal_ssh_pubkey          | yes       | the public SSH key of the `metal` admin user for connecting to the other components  |
+| mgmt_server_preserve_dhcp_route       | no        | preserve the dhcp (default) route the mgmt server got from the mgmt firewall         |
+| mgmt_server_provide_default_route     | no        | provide the default route with bgp (`network 0.0.0.0/0`)                             |
@@ -3,7 +3,7 @@
 # mgmt_server_router_id:
 # mgmt_server_spine_facing_interface:
 # mgmt_server_firewall_facing_interface:
-# mgmt_server_firewall_ip: 
+# mgmt_server_firewall_ip:
 
 mgmt_server_registry_mirror: https://mirror.gcr.io
 
@@ -17,5 +17,8 @@ mgmt_server_dns_over_tls: true
 mgmt_server_frr_match_interfaces:
 - lo
 
-mgmt_server_frr_version: 8.4.2
+mgmt_server_frr_version: 8.5-0
 mgmt_server_frr_repo: frr-8
+mgmt_server_provide_default_route: false
+
+mgmt_server_metal_ssh_groups: "{{ groups.all }}"
@@ -33,3 +33,9 @@
 - name: save iptables v6 rules
   shell: ip6tables-save > /etc/iptables/rules.v6
   listen: persist iptables
+
+- name: restart sshd
+  service:
+    name: sshd
+    enabled: true
+    state: restarted
@@ -1,4 +1,11 @@
 ---
+- name: ensure gpg is installed to handle FRR repo key
+  apt:
+    name:
+    - gpg
+    update_cache : yes
+    force_apt_get: yes
+
 - name: add FRR apt-key to verify FRR package
   apt_key:
     url: https://deb-us.frrouting.org/frr/keys.asc

@@ -7,6 +7,8 @@
       - mgmt_server_asn is not none
       - mgmt_server_router_id is not none
       - mgmt_server_spine_facing_interface is not none
+      - mgmt_server_metal_ssh_privkey is not none
+      - mgmt_server_metal_ssh_pubkey is not none
 
 - name: gather package facts
   package_facts:
@@ -33,7 +35,7 @@
     name:
     - net-tools
     - ipmitool
-    - docker-ce
+    - docker.io
     - iptables-persistent
     update_cache : yes
     force_apt_get: yes
@@ -85,9 +87,66 @@
   notify:
     - reload frr
 
+- name: Copy ssh key pair for metal user
+  copy:
+    content: "{{ item.content }}"
+    dest: "{{ item.dest }}"
+    mode: "{{ item.mode}}"
+    owner: metal
+    group: metal
+  loop:
+  - content: "{{ mgmt_server_metal_ssh_privkey }}"
+    dest: /home/metal/.ssh/id_rsa
+    mode: "0600"
+  - content: "{{ mgmt_server_metal_ssh_pubkey }}"
+    dest: /home/metal/.ssh/id_rsa.pub
+    mode: "0644"
+
+# This is so that self connect and cross connect to the other mgmtserver is possible
+- name: Add own ssh key to authorized_keys
+  lineinfile:
+    path: /home/metal/.ssh/authorized_keys
+    regexp: '^{{ mgmt_server_metal_ssh_pubkey }}$'
+    line: '{{ mgmt_server_metal_ssh_pubkey }}'
+
+- name: configure sshd to avoid root login and password authentication, hide OS information
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    state: present
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    validate: /usr/sbin/sshd -t -f %s
+  notify: restart sshd
+  loop:
+    - { regexp: "^PasswordAuthentication .+", line: "PasswordAuthentication no" }
+    - { regexp: "^PermitRootLogin .+", line: "PermitRootLogin no" }
+    - { regexp: "^DebianBanner .+", line: "DebianBanner no" }
+
+- name: Add IP's of all hosts to /etc/hosts to use those hostnames for connections
+  lineinfile:
+    dest: /etc/hosts
+    regexp: '.*\s{{ item }}$'
+    line: "{{ hostvars[item].ansible_host }} {{ item }} {{ hostvars[item].host_alias|default('') }}"
+    owner: root
+    group: root
+    mode: 0644
+  when:
+    - hostvars[item].ansible_host is defined
+  loop: "{{ mgmt_server_metal_ssh_groups }}"
+
+- name: Create ssh configuration for easier access to mgmt components
+  template:
+    src: ssh_config.j2
+    dest: /home/metal/.ssh/config
+    mode: 0644
+    owner: metal
+    group: metal
+
 - name: flush handlers to complete the mgmt-server setup
   meta: flush_handlers
 
 - name: flush dhcp routes if we have a bgp session to the firewall
   command: ip route flush proto dhcp
-  when: mgmt_server_firewall_ip is defined
+  when:
+    - mgmt_server_firewall_ip is defined
+    - mgmt_server_preserve_dhcp_route is undefined or not mgmt_server_preserve_dhcp_route
@@ -28,6 +28,9 @@ router bgp {{ mgmt_server_asn }}
  !
  address-family ipv4 unicast
   redistribute connected route-map LOCAL_INTERFACES
+  {% if mgmt_server_provide_default_route %}
+  network 0.0.0.0/0
+  {% endif %}
  exit-address-family
 !
 route-map LOCAL_INTERFACES permit 10

@@ -0,0 +1,8 @@
+{% for host in mgmt_server_metal_ssh_groups %}
+{% if hostvars[host].ansible_host is defined %}
+{% if hostvars[host].ansible_user is defined %}
+Host {{ host }} {{ hostvars[host].host_alias|default('') }}
+        User {{ hostvars[host].ansible_user }}
+{% endif %}
+{% endif %}
+{% endfor %}
@@ -0,0 +1,16 @@
+# sonic-upgrade
+
+Performs an upgrade of the SONiC OS on a device and reboots it to complete the installation.
+
+It depends on the `switch_facts` module from `ansible-common`, so make sure modules from `ansible-common` are included before executing this role.
+
+## Variables
+
+| Name                     | Mandatory | Description                                                                                                         |
+| ------------------------ | --------- | ------------------------------------------------------------------------------------------------------------------- |
+| sonic_upgrade_host       | yes       | The host from which to dowload the image.                                                                           |
+| sonic_upgrade_image_path |           | The path to the image. If this is given and not `sonic_upgrade_host`, the image is pushed to the device by ansible. |
+| sonic_upgrade_vrf        |           | The vrf used for pulling the upgrade image.                                                                         |
+| sonic_upgrade_protocol   |           | The protocol (http or https) to use when downloading the sonic image.                                               |
+| sonic_upgrade_port       |           | The port on which the image server listens.                                                                         |
+| sonic_upgrade_image      | yes       | The file name of the sonic image.                                                                                   |
@@ -0,0 +1,4 @@
+---
+sonic_upgrade_protocol: "http"
+sonic_upgrade_port: 8080
+sonic_upgrade_vrf: "mgmt"