Add sonic role to support SONiC switches. #121
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
# frr | ||
|
||
Configures and starts frr. | ||
|
||
This role can deploy on bare metal machines with Debian or Almalinux. It depends on fact gathering. | ||
|
||
## Variables | ||
|
||
| Name | Mandatory | Description | | ||
| ----------- | --------- | ----------------------------------- | | ||
| frr_version | | The version of FRR to be installed. | | ||
| frr_repo | | The repository that contains FRR. | |
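Review bot: the variables table omits `frr_conf`, which the role's tasks render into `/etc/frr/frr.conf` (`content: "{{ frr_conf }}"`) and which has no default, so it is the one truly mandatory input of this role; add a row such as `| frr_conf | yes | The complete frr.conf content to deploy. |`. Marking `frr_version` and `frr_repo` as optional is correct given the defaults file.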
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
--- | ||
frr_version: 8.4 | ||
frr_repo: frr-8 |
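Review bot: `frr_version: 8.4` is an unquoted YAML float, so a future value such as `8.10` would load as `8.1` and silently break both the `frr=8.10*` apt pin and the `frr_version|string in ...version` installed check; quote it as `frr_version: "8.4"` (and `frr_repo` for consistency).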
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
bgpd=yes | ||
zebra=yes | ||
bfdd=yes |
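Review bot: this three-line file replaces the entire `/etc/frr/daemons` shipped by the package (the tasks `copy` it to `/etc/frr/daemons`), so every other setting that file carries is dropped; either vendor the complete file and flip these three flags, or use `lineinfile` with `regexp: '^bgpd='` (and the same for `zebra` and `bfdd`) to toggle only the daemons this role cares about.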
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
# source: https://github.com/FRRouting/frr/blob/master/doc/user/Useful_Sysctl_Settings.md | ||
# The below sysctl values provide a logical set of defaults which can be further optimized. | ||
# | ||
# /etc/sysctl.d/99frr_defaults.conf | ||
# Place this file at the location above and reload the device. | ||
# or run the sysctl -p /etc/sysctl.d/99frr_defaults.conf | ||
|
||
# Enables IPv4/IPv6 Routing | ||
net.ipv4.ip_forward = 1 | ||
net.ipv6.conf.all.forwarding=1 | ||
|
||
# Routing | ||
net.ipv6.route.max_size=131072 | ||
net.ipv4.conf.all.ignore_routes_with_linkdown=1 | ||
net.ipv6.conf.all.ignore_routes_with_linkdown=1 | ||
|
||
# Best Settings for Peering w/ BGP Unnumbered | ||
# and OSPF Neighbors | ||
net.ipv4.conf.all.rp_filter = 0 | ||
net.ipv4.conf.default.rp_filter = 0 | ||
net.ipv4.conf.lo.rp_filter = 0 | ||
net.ipv4.conf.all.forwarding = 1 | ||
net.ipv4.conf.default.forwarding = 1 | ||
net.ipv4.conf.default.arp_announce = 2 | ||
net.ipv4.conf.default.arp_notify = 1 | ||
net.ipv4.conf.default.arp_ignore=1 | ||
net.ipv4.conf.all.arp_announce = 2 | ||
net.ipv4.conf.all.arp_notify = 1 | ||
net.ipv4.conf.all.arp_ignore=1 | ||
net.ipv4.icmp_errors_use_inbound_ifaddr=1 | ||
|
||
# Miscellaneous Settings | ||
# Keep ipv6 permanent addresses on an admin down | ||
net.ipv6.conf.all.keep_addr_on_down=1 | ||
|
||
# igmp | ||
net.ipv4.igmp_max_memberships=1000 | ||
net.ipv4.neigh.default.mcast_solicit = 10 | ||
|
||
# MLD | ||
net.ipv6.mld_max_msf=512 | ||
|
||
# Garbage Collection Settings for ARP and Neighbors | ||
net.ipv4.neigh.default.gc_thresh2=7168 | ||
net.ipv4.neigh.default.gc_thresh3=8192 | ||
net.ipv4.neigh.default.base_reachable_time_ms=14400000 | ||
net.ipv6.neigh.default.gc_thresh2=3584 | ||
net.ipv6.neigh.default.gc_thresh3=4096 | ||
net.ipv6.neigh.default.base_reachable_time_ms=14400000 | ||
|
||
# Use neigh information on selection of nexthop for multipath hops | ||
net.ipv4.fib_multipath_use_neigh=1 | ||
|
||
# Allows Apps to Work with VRF | ||
net.ipv4.tcp_l3mdev_accept=1 |
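Review bot: the header comment tells operators to place this file at `/etc/sysctl.d/99frr_defaults.conf`, but the role copies it to `/etc/sysctl.d/98-frr.conf`; update the comment so someone debugging on the box finds the right file. Separately, setting `rp_filter = 0` on `all`, `default` and `lo` turns reverse-path filtering off on every interface, including the management interface, which removes the kernel's source-address spoofing check; if only the BGP-unnumbered peering links need it, set `rp_filter` per interface (or `2` for loose mode) and keep strict mode elsewhere.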
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
service integrated-vtysh-config |
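Review bot: the tasks deliver this file with `dest: /etc/frr/`, which relies on the trailing slash to keep the `vtysh.conf` file name; spell out `dest: /etc/frr/vtysh.conf` as the `daemons` task already does, so a dropped slash cannot turn the directory into a file.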
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
--- | ||
- name: reload frr | ||
service: | ||
name: frr | ||
state: reloaded | ||
|
||
- name: restart frr | ||
service: | ||
name: frr | ||
state: restarted | ||
|
||
- name: reload sysctls | ||
command: sysctl --system |
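Review bot: the handlers use `service:` while the tasks use `systemd:` for the same unit; pick one module for the role. `reload sysctls` via `command: sysctl --system` is fine for a handler, but note it re-applies every file under `/etc/sysctl.d`, not only `98-frr.conf`, and Ansible will always report it as changed.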
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
--- | ||
- name: add FRR apt-key to verify FRR package | ||
apt_key: | ||
url: https://deb-us.frrouting.org/frr/keys.asc | ||
state: present | ||
|
||
- name: add mainline FRR repository to install FRR | ||
apt_repository: | ||
repo: deb https://deb-us.frrouting.org/frr {{ ansible_distribution_release }} {{ frr_repo }} | ||
state: present | ||
filename: frr.list | ||
|
||
- name: install required packages to have the network stack in place | ||
apt: | ||
name: | ||
- frr={{ frr_version }}* | ||
- frr-pythontools={{ frr_version }}* | ||
update_cache : yes | ||
force_apt_get: yes |
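Review bot: `apt_key` with `url:` installs the FRR key into the global apt trusted keyring, so that key can then sign any repository on the host, not just the FRR one; fetch `keys.asc` with `get_url` into `/usr/share/keyrings/` and reference it with `signed-by=` in the `repo:` line instead. Minor: `update_cache : yes` has a stray space before the colon (YAML accepts it, but it reads as a typo).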
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
--- | ||
- name: install frr | ||
dnf: | ||
name: frr | ||
state: present |
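Review bot: the RedHat path installs whatever `frr` the already-configured dnf repositories provide, with neither a version pin nor the repository setup the Debian side has, so `frr_installed` (which requires `frr_version` to appear in the installed version string) can stay false on every run and this task is re-evaluated each time; pin the package (for example `name: frr-{{ frr_version }}*`) or document that the caller must provide a repository serving the requested version.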
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
--- | ||
- name: check mandatory variables for this role are set | ||
assert: | ||
fail_msg: "not all mandatory variables given, check role documentation" | ||
quiet: yes | ||
that: | ||
- frr_version is not none | ||
- frr_repo is not none | ||
- ansible_os_family in ['Debian', 'RedHat'] | ||
|
||
- name: gather package facts | ||
package_facts: | ||
manager: auto | ||
|
||
- name: check if frr is installed | ||
set_fact: | ||
frr_installed: "{{ ('packages' in ansible_facts and ('frr' in ansible_facts.packages) and (frr_version|string in (ansible_facts.packages['frr'][0].version))) | bool }}" | ||
|
||
- import_tasks: install/debian.yaml | ||
when: not frr_installed and ansible_os_family == 'Debian' | ||
|
||
- import_tasks: install/redhat.yaml | ||
when: not frr_installed and ansible_os_family == 'RedHat' | ||
|
||
- name: copy sysctls for frr | ||
copy: | ||
src: sysctl.conf | ||
dest: /etc/sysctl.d/98-frr.conf | ||
notify: reload sysctls | ||
|
||
- name: enable vtysh | ||
copy: | ||
src: vtysh.conf | ||
dest: /etc/frr/ | ||
notify: restart frr | ||
|
||
- name: enable frr daemons | ||
copy: | ||
src: daemons | ||
dest: /etc/frr/daemons | ||
notify: restart frr | ||
|
||
- name: ensure frr is started | ||
systemd: | ||
name: frr | ||
enabled: yes | ||
state: started | ||
|
||
- name: copy frr conf | ||
copy: | ||
content: "{{ frr_conf }}" | ||
dest: /etc/frr/frr.conf | ||
notify: reload frr |
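Review bot: `copy frr conf` writes `/etc/frr/frr.conf` with no `owner`, `group` or `mode`, so it lands root-owned with the umask default; the FRR daemons run as the `frr` user, `integrated-vtysh-config` makes `vtysh` rewrite this file, and `frr_conf` typically carries BGP peer secrets, so set `owner: frr`, `group: frr`, `mode: "0640"` (and the same for the `vtysh.conf` and `daemons` copies). The assert at the top checks `frr_version` and `frr_repo`, which always have defaults, but not `frr_conf`, the only input without one; add `- frr_conf is defined`.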
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -7,6 +7,8 @@ | |
- mgmt_server_asn is not none | ||
- mgmt_server_router_id is not none | ||
- mgmt_server_spine_facing_interface is not none | ||
- mgmt_server_metal_ssh_privkey is not none | ||
- mgmt_server_metal_ssh_pubkey is not none | ||
|
||
- name: gather package facts | ||
package_facts: | ||
|
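Review bot: `is not none` still passes for an empty string, so a `mgmt_server_metal_ssh_privkey` set to `""` sails through here and is later written to `/home/metal/.ssh/id_rsa`; assert `mgmt_server_metal_ssh_privkey | length > 0` (same for the pubkey) instead. Since a private key is now a required inventory value, it should live in a vault-encrypted variable file.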
@@ -33,7 +35,7 @@ | |
name: | ||
- net-tools | ||
- ipmitool | ||
- docker-ce | ||
- docker.io | ||
- iptables-persistent | ||
update_cache : yes | ||
force_apt_get: yes | ||
|
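Review bot: switching `docker-ce` to `docker.io` changes the source from Docker's upstream repository to Debian's own package; if the upstream repository and its key were added elsewhere in this role they should be removed in the same change, and hosts already provisioned keep `docker-ce` installed because nothing here removes it, so either add a `state: absent` task for `docker-ce` or call out the manual step.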
@@ -85,9 +87,66 @@ | |
notify: | ||
- reload frr | ||
|
||
- name: Copy ssh key pair for metal user | ||
copy: | ||
content: "{{ item.content }}" | ||
dest: "{{ item.dest }}" | ||
mode: "{{ item.mode}}" | ||
owner: metal | ||
group: metal | ||
loop: | ||
- content: "{{ mgmt_server_metal_ssh_privkey }}" | ||
dest: /home/metal/.ssh/id_rsa | ||
mode: "0600" | ||
- content: "{{ mgmt_server_metal_ssh_pubkey }}" | ||
dest: /home/metal/.ssh/id_rsa.pub | ||
mode: "0644" | ||
Why do we need the public key on the machine?

I don't know.
||
|
||
# This is so that self connect and cross connect to the other mgmtserver is possible | ||
- name: Add own ssh key to authorized_keys | ||
lineinfile: | ||
Why not using
||
path: /home/metal/.ssh/authorized_keys | ||
regexp: '^{{ mgmt_server_metal_ssh_pubkey }}$' | ||
line: '{{ mgmt_server_metal_ssh_pubkey }}' | ||
|
||
- name: configure sshd to avoid root login and password authentication, hide OS information | ||
lineinfile: | ||
path: /etc/ssh/sshd_config | ||
state: present | ||
regexp: "{{ item.regexp }}" | ||
line: "{{ item.line }}" | ||
validate: /usr/sbin/sshd -t -f %s | ||
notify: restart sshd | ||
loop: | ||
- { regexp: "^PasswordAuthentication .+", line: "PasswordAuthentication no" } | ||
- { regexp: "^PermitRootLogin .+", line: "PermitRootLogin no" } | ||
- { regexp: "^DebianBanner .+", line: "DebianBanner no" } | ||
|
||
- name: Add IP's of all hosts to /etc/hosts to use those hostnames for connections | ||
lineinfile: | ||
dest: /etc/hosts | ||
regexp: '.*\s{{ item }}$' | ||
line: "{{ hostvars[item].ansible_host }} {{ item }} {{ hostvars[item].host_alias|default('') }}" | ||
owner: root | ||
group: root | ||
mode: 0644 | ||
when: | ||
- hostvars[item].ansible_host is defined | ||
loop: "{{ mgmt_server_metal_ssh_groups }}" | ||
|
||
- name: Create ssh configuration for easier access to mgmt components | ||
template: | ||
src: ssh_config.j2 | ||
dest: /home/metal/.ssh/config | ||
mode: 0644 | ||
owner: metal | ||
group: metal | ||
|
||
- name: flush handlers to complete the mgmt-server setup | ||
meta: flush_handlers | ||
|
||
- name: flush dhcp routes if we have a bgp session to the firewall | ||
command: ip route flush proto dhcp | ||
when: mgmt_server_firewall_ip is defined | ||
when: | ||
- mgmt_server_firewall_ip is defined | ||
- mgmt_server_preserve_dhcp_route is undefined or not mgmt_server_preserve_dhcp_route |
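Review bot: the `Copy ssh key pair for metal user` task has no `no_log: true`, so with `--diff` or `-v` the private key content is printed to the console and to whatever collects Ansible logs; add `no_log: true` to that task. Three further points in this hunk: `regexp: '^{{ mgmt_server_metal_ssh_pubkey }}$'` interpolates a raw public key into a regex, and the `+` characters of base64 are regex metacharacters, so the existing line never matches and the key is appended again on every run (use `{{ mgmt_server_metal_ssh_pubkey | regex_escape }}` or the `authorized_key` module); the last task carries two `when:` keys, which the YAML loader resolves by keeping only the last one with a warning, so drop the single-line `when: mgmt_server_firewall_ip is defined`; and `mode: 0644` on the `/etc/hosts` and ssh config tasks is an unquoted octal, better written as `"0644"` as the key tasks already do.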
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
{% for host in mgmt_server_metal_ssh_groups %} | ||
{% if hostvars[host].ansible_host is defined %} | ||
{% if hostvars[host].ansible_user is defined %} | ||
Host {{ host }} {{ hostvars[host].host_alias|default('') }} | ||
User {{ hostvars[host].ansible_user }} | ||
{% endif %} | ||
{% endif %} | ||
{% endfor %} |
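Review bot: a host that has `ansible_host` but no `ansible_user` gets an `/etc/hosts` entry from the tasks yet no `Host` stanza here, which is surprising since the two are meant to go together; either emit the stanza with a defaulted user (for example `User {{ hostvars[host].ansible_user | default('metal') }}`) or state the requirement in the README. The `Host` line also ends with a trailing space whenever `host_alias` is unset; `{{ host }}{{ ' ' ~ hostvars[host].host_alias if hostvars[host].host_alias is defined else '' }}` avoids it.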
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
# sonic-upgrade | ||
|
||
Performs an upgrade of the SONiC OS on a device and reboots it to complete the installation. | ||
|
||
It depends on the `switch_facts` module from `ansible-common`, so make sure modules from `ansible-common` are included before executing this role. | ||
|
||
## Variables | ||
|
||
| Name | Mandatory | Description | | ||
| ------------------------ | --------- | ------------------------------------------------------------------------------------------------------------------- | | ||
| sonic_upgrade_host | yes | The host from which to dowload the image. | | ||
| sonic_upgrade_image_path | | The path to the image. If this is given and not `sonic_upgrade_host`, the image is pushed to the device by ansible. | | ||
| sonic_upgrade_vrf | | The vrf used for pulling the upgrade image. | | ||
| sonic_upgrade_protocol | | The protocol (http or https) to use when downloading the sonic image. | | ||
| sonic_upgrade_port | | The port on which the image server listens. | | ||
| sonic_upgrade_image | yes | The file name of the sonic image. | |
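Review bot: `sonic_upgrade_host` is marked mandatory, but the `sonic_upgrade_image_path` description says the image is pushed by Ansible when the host is not given; make the table say that exactly one of the two must be set rather than marking `sonic_upgrade_host` as always required. Also fix the typo `dowload`.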
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
--- | ||
sonic_upgrade_protocol: "http" | ||
sonic_upgrade_port: 8080 | ||
sonic_upgrade_vrf: "mgmt" |
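Review bot: the default `sonic_upgrade_protocol: "http"` pulls the OS image over plaintext inside the `mgmt` VRF, and nothing in this role verifies what arrives, so anything on that path can hand the switch a different image; default to `https`, or add a checksum variable (for example `sonic_upgrade_image_checksum`, not yet in the role) that the role compares against the downloaded file before installing.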
It's a bit sad we have an FRR role now and the mgmt-server's FRR is still installed here without using it.