From 0672e71eece590d0e2017a1bb89c86f159e87fca Mon Sep 17 00:00:00 2001 
From: Gerrit91 Date: Mon, 29 Apr 2024 10:53:21 +0200 Subject: [PATCH 1/4] Move `leaf` and `router` role from metal-roles into mini-lab. --- partition/roles/leaf/files/bridgemac.json | 7 -- partition/roles/leaf/handlers/main.yaml | 13 --- partition/roles/leaf/tasks/main.yaml | 33 ------- .../roles/leaf/templates/bak/frr.conf.j2.bak | 1 - .../leaf/templates/bak/interfaces.j2.bak | 1 - partition/roles/leaf/templates/frr.conf.j2 | 41 --------- partition/roles/leaf/templates/interfaces.j2 | 57 ------------- partition/roles/router/defaults/main.yaml | 5 -- .../files/99control_plane_catch_all.rules | 36 -------- partition/roles/router/files/daemons | 2 - .../router/files/frr-validation@.service | 10 --- partition/roles/router/files/ifreload.service | 10 --- .../files/interfaces-validation@.service | 10 --- .../router/files/lldpd.d/portsubtype.conf | 2 - .../router/files/lldpd.d/tx-interval.conf | 1 - partition/roles/router/handlers/main.yaml | 50 ----------- partition/roles/router/tasks/main.yaml | 85 ------------------- partition/roles/router/tasks/mgmt_vrf.yaml | 22 ----- .../roles/router/tasks/switch_plane.yaml | 14 --- .../roles/router/templates/ports.conf.j2 | 5 -- .../roles/router/templates/resolv.conf.j2 | 3 - 21 files changed, 408 deletions(-) delete mode 100644 partition/roles/leaf/files/bridgemac.json delete mode 100644 partition/roles/leaf/handlers/main.yaml delete mode 100644 partition/roles/leaf/tasks/main.yaml delete mode 100644 partition/roles/leaf/templates/bak/frr.conf.j2.bak delete mode 100644 partition/roles/leaf/templates/bak/interfaces.j2.bak delete mode 100644 partition/roles/leaf/templates/frr.conf.j2 delete mode 100644 partition/roles/leaf/templates/interfaces.j2 delete mode 100644 partition/roles/router/defaults/main.yaml delete mode 100644 partition/roles/router/files/99control_plane_catch_all.rules delete mode 100644 partition/roles/router/files/daemons delete mode 100644 partition/roles/router/files/frr-validation@.service delete mode 100644 
partition/roles/router/files/ifreload.service delete mode 100644 partition/roles/router/files/interfaces-validation@.service delete mode 100644 partition/roles/router/files/lldpd.d/portsubtype.conf delete mode 100644 partition/roles/router/files/lldpd.d/tx-interval.conf delete mode 100644 partition/roles/router/handlers/main.yaml delete mode 100644 partition/roles/router/tasks/main.yaml delete mode 100644 partition/roles/router/tasks/mgmt_vrf.yaml delete mode 100644 partition/roles/router/tasks/switch_plane.yaml delete mode 100644 partition/roles/router/templates/ports.conf.j2 delete mode 100644 partition/roles/router/templates/resolv.conf.j2 diff --git a/partition/roles/leaf/files/bridgemac.json b/partition/roles/leaf/files/bridgemac.json deleted file mode 100644 index 14b83eda6..000000000 --- a/partition/roles/leaf/files/bridgemac.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "bridge": { - "module_globals": { - "bridge_mac_iface": ["eth0", "eth1"] - } - } -} diff --git a/partition/roles/leaf/handlers/main.yaml b/partition/roles/leaf/handlers/main.yaml deleted file mode 100644 index 86eca2de2..000000000 --- a/partition/roles/leaf/handlers/main.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -- name: reload interfaces - shell: sleep 3; ifreload -a - async: 1 - poll: 0 - notify: wait for new connection - -- name: wait for new connection - wait_for_connection: - connect_timeout: 20 - sleep: 5 - delay: 5 - timeout: 300 diff --git a/partition/roles/leaf/tasks/main.yaml b/partition/roles/leaf/tasks/main.yaml deleted file mode 100644 index c7af3fb3c..000000000 --- a/partition/roles/leaf/tasks/main.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ ---- -- name: configure leaf - include_role: - name: metal-roles/partition/roles/router - vars: - router_enable_static_route_leak: true - -- name: flush handlers - meta: flush_handlers - -- name: masquerade for eth0 - iptables: - table: nat - chain: POSTROUTING - out_interface: eth0 - jump: MASQUERADE - -- name: check for static route in mgmt vrf - command: ip r s vrf mgmt - register: route_check - changed_when: false - -- name: ensure that static route for return path to pxe network is present - command: "ip r a 10.0.1.0/24 vrf mgmt via {{ dhcp_server_ip }} dev vlan4000" - when: - - '"10.0.1.0/24" not in route_check.stdout' - - dhcp_server_ip is defined - -- name: create bridgemac.json - copy: - src: bridgemac.json - dest: /etc/network/ifupdown2/policy.d/bridgemac.json - notify: reload interfaces diff --git a/partition/roles/leaf/templates/bak/frr.conf.j2.bak b/partition/roles/leaf/templates/bak/frr.conf.j2.bak deleted file mode 100644 index 8b1378917..000000000 --- a/partition/roles/leaf/templates/bak/frr.conf.j2.bak +++ /dev/null @@ -1 +0,0 @@ - diff --git a/partition/roles/leaf/templates/bak/interfaces.j2.bak b/partition/roles/leaf/templates/bak/interfaces.j2.bak deleted file mode 100644 index 8b1378917..000000000 --- a/partition/roles/leaf/templates/bak/interfaces.j2.bak +++ /dev/null @@ -1 +0,0 @@ - diff --git a/partition/roles/leaf/templates/frr.conf.j2 b/partition/roles/leaf/templates/frr.conf.j2 deleted file mode 100644 index 384314af6..000000000 --- a/partition/roles/leaf/templates/frr.conf.j2 +++ /dev/null 
@@ -1,41 +0,0 @@ -#jinja2: lstrip_blocks: "True", trim_blocks: "True" -frr version 4.0+cl3u9 -frr defaults datacenter -hostname {{ ansible_hostname }} -username cumulus nopassword -! -service integrated-vtysh-config -! -log syslog informational -! -vrf mgmt - ip route 10.0.1.0/24 {{ ansible_host }} nexthop-vrf default - exit-vrf -! -router bgp {{ asn }} - bgp router-id {{ lo }} - neighbor FABRIC peer-group - neighbor FABRIC remote-as external - {% for iface in uplinks %} - neighbor {{ iface.name }} interface peer-group FABRIC - {% endfor %} - ! - address-family ipv4 unicast - neighbor FABRIC activate - redistribute connected route-map LOOPBACKS - exit-address-family - ! - address-family l2vpn evpn - neighbor FABRIC activate - advertise-all-vni - exit-address-family -! -route-map LOOPBACKS permit 10 - match interface lo -! -{% if metal_partition_mgmt_gateway %} -ip route 0.0.0.0/0 {{ metal_partition_mgmt_gateway }} nexthop-vrf mgmt -! -{% endif %} -line vty -! diff --git a/partition/roles/leaf/templates/interfaces.j2 b/partition/roles/leaf/templates/interfaces.j2 deleted file mode 100644 index b65f75901..000000000 --- a/partition/roles/leaf/templates/interfaces.j2 +++ /dev/null 
@@ -1,57 +0,0 @@ -# This file describes the network interfaces available on your system -# and how to activate them. For more information, see interfaces(5). - -source /etc/network/interfaces.d/*.intf - -# The loopback network interface -auto lo -iface lo inet loopback - address {{ lo }}/32 - -# The primary network interface -auto eth0 -iface eth0 inet dhcp - vrf mgmt - -auto mgmt -iface mgmt - address 127.0.0.1/8 - vrf-table auto - -{% for iface in interfaces %} -auto {{ iface.name }} -iface {{ iface.name }} - mtu {{ mtu.default }} - bridge-access 4000 - -{% endfor %} -{% for iface in uplinks %} -auto {{ iface.name }} -iface {{ iface.name }} - mtu {{ mtu.vxlan }} - -{% endfor %} - -auto bridge -iface bridge - bridge-ports {% for iface in interfaces %}{{ iface.name }} {% endfor %}vni104000 - bridge-vids 4000 - bridge-vlan-aware yes - -auto vlan4000 -iface vlan4000 - mtu {{ mtu.default }} - address {{ metal_core_cidr }} - vlan-id 4000 - vlan-raw-device bridge - -auto vni104000 -iface vni104000 - mtu {{ mtu.default }} - bridge-access 4000 - bridge-learning off - mstpctl-bpduguard yes - mstpctl-portbpdufilter yes - vxlan-id 104000 - vxlan-local-tunnelip {{ lo }} - diff --git a/partition/roles/router/defaults/main.yaml b/partition/roles/router/defaults/main.yaml deleted file mode 100644 index 8d7b15005..000000000 --- a/partition/roles/router/defaults/main.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -router_enable_mgmt_vrf: true -router_enable_static_route_leak: false - -router_nameservers: [] diff --git a/partition/roles/router/files/99control_plane_catch_all.rules b/partition/roles/router/files/99control_plane_catch_all.rules deleted file mode 100644 index d469ae8ea..000000000 --- a/partition/roles/router/files/99control_plane_catch_all.rules +++ /dev/null 
@@ -1,36 +0,0 @@ -# -# Note: These are catch-all rules that shall be last in the over all rule set. -# - -INGRESS_INTF = swp+ - -INGRESS_CHAIN = INPUT - - - -[iptables] - --A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type LOCAL -j POLICE --set-mode pkt --set-rate 1000 --set-burst 10000 --set-class 2 - --A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 30000 --set-burst 70000 --set-class 2 - --A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j SETCLASS --class 0 - - -[ip6tables] - --A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type LOCAL -j POLICE --set-mode pkt --set-rate 1000 --set-burst 1000 --set-class 2 - --A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100 --set-class 2 - --A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j SETCLASS --class 0 - - -[ebtables] - --A $INGRESS_CHAIN -p ipv4 --in-interface $INGRESS_INTF -j ACCEPT --A $INGRESS_CHAIN -p ipv6 --in-interface $INGRESS_INTF -j ACCEPT --A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j setclass --class 0 -# ipv4 multicast misses --A $INGRESS_CHAIN -p ipv4 -d 01:00:5e:00:00:00/ff:ff:ff:80:00:00 -j police --set-mode pkt --set-rate 100 --set-burst 100 --A $INGRESS_CHAIN -j police --set-mode pkt --set-rate 100 --set-burst 100 diff --git a/partition/roles/router/files/daemons b/partition/roles/router/files/daemons deleted file mode 100644 index c86f98223..000000000 --- a/partition/roles/router/files/daemons +++ /dev/null @@ -1,2 +0,0 @@ -bgpd=yes -zebra=yes \ No newline at end of file diff --git a/partition/roles/router/files/frr-validation@.service b/partition/roles/router/files/frr-validation@.service deleted file mode 100644 index d2e9e2764..000000000 --- a/partition/roles/router/files/frr-validation@.service +++ /dev/null 
@@ -1,10 +0,0 @@ -[Unit] -Description=Trigger a validation run of a frr configuration file %I - -[Service] -Type=oneshot -ExecStart=/usr/bin/vtysh --dryrun --inputfile %I -StandardOutput=journal - -[Install] -WantedBy=multi-user.target diff --git a/partition/roles/router/files/ifreload.service b/partition/roles/router/files/ifreload.service deleted file mode 100644 index a71205a4a..000000000 --- a/partition/roles/router/files/ifreload.service +++ /dev/null @@ -1,10 +0,0 @@ -[Unit] -Description=Trigger Interface Reload with ifreload - -[Service] -Type=oneshot -ExecStart=/sbin/ifreload -v -a -StandardOutput=journal - -[Install] -WantedBy=multi-user.target diff --git a/partition/roles/router/files/interfaces-validation@.service b/partition/roles/router/files/interfaces-validation@.service deleted file mode 100644 index 9df7795b2..000000000 --- a/partition/roles/router/files/interfaces-validation@.service +++ /dev/null @@ -1,10 +0,0 @@ -[Unit] -Description=Trigger a validation of a network interfaces file %I - -[Service] -Type=oneshot -ExecStart=/sbin/ifup --syntax-check --verbose --all --interfaces %I -StandardOutput=journal - -[Install] -WantedBy=multi-user.target diff --git a/partition/roles/router/files/lldpd.d/portsubtype.conf b/partition/roles/router/files/lldpd.d/portsubtype.conf deleted file mode 100644 index c54ba139d..000000000 --- a/partition/roles/router/files/lldpd.d/portsubtype.conf +++ /dev/null @@ -1,2 +0,0 @@ -configure lldp portidsubtype macaddress - diff --git a/partition/roles/router/files/lldpd.d/tx-interval.conf b/partition/roles/router/files/lldpd.d/tx-interval.conf deleted file mode 100644 index 44c7ec2b8..000000000 --- a/partition/roles/router/files/lldpd.d/tx-interval.conf +++ /dev/null @@ -1 +0,0 @@ -configure lldp tx-interval 10 diff --git a/partition/roles/router/handlers/main.yaml b/partition/roles/router/handlers/main.yaml deleted file mode 100644 index b4c228f3c..000000000 --- a/partition/roles/router/handlers/main.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -- name: reload systemd - systemd: - daemon_reload: yes - -- name: reload sysctl - command: sysctl --system - -- name: restart switchd - service: - name: switchd.service - enabled: true - state: restarted - -- name: reload interfaces - shell: sleep 3; ifreload -a - async: 1 - poll: 0 - notify: wait for new connection - -- name: wait for new connection - wait_for_connection: - connect_timeout: 20 - sleep: 5 - delay: 5 - timeout: 300 - -- name: reload frr - service: - name: frr - enabled: true - state: reloaded - -- name: restart frr - service: - name: frr - enabled: true - state: restarted - -- name: lldpd restart - service: - name: lldpd - enabled: true - state: restarted - -- name: restart ntp@mgmt - service: - name: ntp@mgmt - enabled: true - state: restarted diff --git a/partition/roles/router/tasks/main.yaml b/partition/roles/router/tasks/main.yaml deleted file mode 100644 index 734a48d60..000000000 --- a/partition/roles/router/tasks/main.yaml +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -- name: configure mgmt vrf - import_tasks: mgmt_vrf.yaml - when: router_enable_mgmt_vrf - -- name: configure switch plane - import_tasks: switch_plane.yaml - when: ports is defined - -- name: flush handlers - meta: flush_handlers - -- name: install services - copy: - src: "{{ item }}" - dest: "/etc/systemd/system/{{ item }}" - notify: reload systemd - with_items: - - frr-validation@.service - - interfaces-validation@.service - - ifreload.service - -- name: copy lldpd configs - copy: - src: lldpd.d/ - dest: /etc/lldpd.d/ - notify: lldpd restart - -- name: check if lldpd has the correct portidsubtype setting - shell: lldpcli show configuration | grep subtype - register: lldpd_subtype_check - changed_when: false - -- name: trigger lldpd restart if portidsubtype setting is wrong - service: - name: lldpd - state: restarted - when: ("macaddress" not in lldpd_subtype_check.stdout) - -- name: populate service facts - service_facts: - -- name: render interfaces configuration - template: - src: interfaces.j2 - dest: /etc/network/interfaces - validate: '/sbin/ifup --syntax-check --all --interfaces %s' - notify: reload interfaces - when: "ansible_facts.services['metal-core.service'] is not defined" - -- name: render custom interfaces configuration section - copy: - content: "{{ custom_interface_section }}" - dest: /etc/network/interfaces.d/99_custom.intf - validate: '/sbin/ifup --syntax-check --all --interfaces %s' - notify: reload interfaces - when: custom_interface_section is defined - -- name: render resolv.conf - template: - src: resolv.conf.j2 - dest: /etc/resolv.conf - notify: reload interfaces - -- name: enable frr daemons - copy: - src: daemons - dest: /etc/frr/daemons - notify: restart frr - -- name: render frr configuration - template: - src: frr.conf.j2 - dest: /etc/frr/frr.conf - validate: '/usr/bin/vtysh --dryrun --inputfile %s' - tags: frr - register: frr_rendered - notify: reload frr - when: "ansible_facts.services['metal-core.service'] is 
not defined" - -- name: set hostname - nclu: - commands: - - add hostname {{ metal_partition_id }}-{{ inventory_hostname }} - commit: true diff --git a/partition/roles/router/tasks/mgmt_vrf.yaml b/partition/roles/router/tasks/mgmt_vrf.yaml deleted file mode 100644 index 5451e7bd2..000000000 --- a/partition/roles/router/tasks/mgmt_vrf.yaml +++ /dev/null @@ -1,22 +0,0 @@ ---- -- name: check if mgmt vrf is active - shell: vrf list | grep mgmt - changed_when: false - failed_when: false - register: mgmt_vrf_exists - -- name: activate mgmt vrf; drops connections - nclu: - commands: - - add vrf mgmt - commit: true - async: 1 - poll: 0 - when: mgmt_vrf_exists.rc != 0 - -- name: wait for new connection - wait_for_connection: - connect_timeout: 20 - sleep: 2 - delay: 6 - timeout: 60 diff --git a/partition/roles/router/tasks/switch_plane.yaml b/partition/roles/router/tasks/switch_plane.yaml deleted file mode 100644 index 6ccb1203f..000000000 --- a/partition/roles/router/tasks/switch_plane.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -- name: render ports.conf - template: - src: ports.conf.j2 - dest: /etc/cumulus/ports.conf - notify: restart switchd - -- name: enable static route leak to apply hardware support - replace: - path: /etc/cumulus/switchd.conf - regexp: '#vrf_route_leak_enable = FALSE' - replace: 'vrf_route_leak_enable = TRUE' - when: router_enable_static_route_leak - notify: restart switchd diff --git a/partition/roles/router/templates/ports.conf.j2 b/partition/roles/router/templates/ports.conf.j2 deleted file mode 100644 index 238f4970b..000000000 --- a/partition/roles/router/templates/ports.conf.j2 +++ /dev/null @@ -1,5 +0,0 @@ -# ports.conf -- -# = [4x10G|4x25G|2x50G|40G|50G|100G] -{% for key, value in ports|dictsort %} -{{ key }}={{ value }} -{% endfor %} diff --git a/partition/roles/router/templates/resolv.conf.j2 b/partition/roles/router/templates/resolv.conf.j2 deleted file mode 100644 index 41c31ff25..000000000 
--- a/partition/roles/router/templates/resolv.conf.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{% for ns in router_nameservers %} -nameserver {{ ns }} -{% endfor %} From 48836ce2d16f78eae089759f5d8398293b177c2f Mon Sep 17 00:00:00 2001 
From: Gerrit91 Date: Mon, 29 Apr 2024 14:01:14 +0200 Subject: [PATCH 2/4] Keep router role, it is used. --- partition/roles/router/defaults/main.yaml | 5 ++ .../files/99control_plane_catch_all.rules | 36 ++++++++ partition/roles/router/files/daemons | 2 + .../router/files/frr-validation@.service | 10 +++ partition/roles/router/files/ifreload.service | 10 +++ .../files/interfaces-validation@.service | 10 +++ .../router/files/lldpd.d/portsubtype.conf | 2 + .../router/files/lldpd.d/tx-interval.conf | 1 + partition/roles/router/handlers/main.yaml | 50 +++++++++++ partition/roles/router/tasks/main.yaml | 85 +++++++++++++++++++ partition/roles/router/tasks/mgmt_vrf.yaml | 22 +++++ .../roles/router/tasks/switch_plane.yaml | 14 +++ .../roles/router/templates/ports.conf.j2 | 5 ++ .../roles/router/templates/resolv.conf.j2 | 3 + 14 files changed, 255 insertions(+) create mode 100644 partition/roles/router/defaults/main.yaml create mode 100644 partition/roles/router/files/99control_plane_catch_all.rules create mode 100644 partition/roles/router/files/daemons create mode 100644 partition/roles/router/files/frr-validation@.service create mode 100644 partition/roles/router/files/ifreload.service create mode 100644 partition/roles/router/files/interfaces-validation@.service create mode 100644 partition/roles/router/files/lldpd.d/portsubtype.conf create mode 100644 partition/roles/router/files/lldpd.d/tx-interval.conf create mode 100644 partition/roles/router/handlers/main.yaml create mode 100644 partition/roles/router/tasks/main.yaml create mode 100644 partition/roles/router/tasks/mgmt_vrf.yaml create mode 100644 partition/roles/router/tasks/switch_plane.yaml create mode 100644 partition/roles/router/templates/ports.conf.j2 create mode 100644 partition/roles/router/templates/resolv.conf.j2 diff --git a/partition/roles/router/defaults/main.yaml b/partition/roles/router/defaults/main.yaml new file mode 100644 index 000000000..8d7b15005 --- /dev/null 
+++ b/partition/roles/router/defaults/main.yaml @@ -0,0 +1,5 @@ +--- +router_enable_mgmt_vrf: true +router_enable_static_route_leak: false + +router_nameservers: [] diff --git a/partition/roles/router/files/99control_plane_catch_all.rules b/partition/roles/router/files/99control_plane_catch_all.rules new file mode 100644 index 000000000..d469ae8ea --- /dev/null +++ b/partition/roles/router/files/99control_plane_catch_all.rules @@ -0,0 +1,36 @@ +# +# Note: These are catch-all rules that shall be last in the over all rule set. +# + +INGRESS_INTF = swp+ + +INGRESS_CHAIN = INPUT + + + +[iptables] + +-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type LOCAL -j POLICE --set-mode pkt --set-rate 1000 --set-burst 10000 --set-class 2 + +-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 30000 --set-burst 70000 --set-class 2 + +-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j SETCLASS --class 0 + + +[ip6tables] + +-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type LOCAL -j POLICE --set-mode pkt --set-rate 1000 --set-burst 1000 --set-class 2 + +-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100 --set-class 2 + +-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j SETCLASS --class 0 + + +[ebtables] + +-A $INGRESS_CHAIN -p ipv4 --in-interface $INGRESS_INTF -j ACCEPT +-A $INGRESS_CHAIN -p ipv6 --in-interface $INGRESS_INTF -j ACCEPT +-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j setclass --class 0 +# ipv4 multicast misses +-A $INGRESS_CHAIN -p ipv4 -d 01:00:5e:00:00:00/ff:ff:ff:80:00:00 -j police --set-mode pkt --set-rate 100 --set-burst 100 +-A $INGRESS_CHAIN -j police --set-mode pkt --set-rate 100 --set-burst 100 diff --git a/partition/roles/router/files/daemons b/partition/roles/router/files/daemons new file mode 100644 index 000000000..c86f98223 --- /dev/null 
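Review bot: `99control_plane_catch_all.rules` is added under `files/`, but no task in this role's `tasks/main.yaml` copies it anywhere, so as committed the control-plane policing it defines is never installed on the switch. If it is intended to take effect, add a `copy` task for it (on Cumulus the ACL policy files live under `/etc/cumulus/acl/policy.d/`, presumably followed by a reload handler — confirm against the target release); if not, drop the file rather than carrying an unused rule set. The IPv6 `--set-rate 400 --set-burst 100` pair also reads oddly next to the IPv4 values, so a short comment stating the intended limits would help whoever tunes this later.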
+++ b/partition/roles/router/files/daemons @@ -0,0 +1,2 @@ +bgpd=yes +zebra=yes \ No newline at end of file diff --git a/partition/roles/router/files/frr-validation@.service b/partition/roles/router/files/frr-validation@.service new file mode 100644 index 000000000..d2e9e2764 --- /dev/null +++ b/partition/roles/router/files/frr-validation@.service @@ -0,0 +1,10 @@ +[Unit] +Description=Trigger a validation run of a frr configuration file %I + +[Service] +Type=oneshot +ExecStart=/usr/bin/vtysh --dryrun --inputfile %I +StandardOutput=journal + +[Install] +WantedBy=multi-user.target diff --git a/partition/roles/router/files/ifreload.service b/partition/roles/router/files/ifreload.service new file mode 100644 index 000000000..a71205a4a --- /dev/null +++ b/partition/roles/router/files/ifreload.service @@ -0,0 +1,10 @@ +[Unit] +Description=Trigger Interface Reload with ifreload + +[Service] +Type=oneshot +ExecStart=/sbin/ifreload -v -a +StandardOutput=journal + +[Install] +WantedBy=multi-user.target diff --git a/partition/roles/router/files/interfaces-validation@.service b/partition/roles/router/files/interfaces-validation@.service new file mode 100644 index 000000000..9df7795b2 --- /dev/null +++ b/partition/roles/router/files/interfaces-validation@.service @@ -0,0 +1,10 @@ +[Unit] +Description=Trigger a validation of a network interfaces file %I + +[Service] +Type=oneshot +ExecStart=/sbin/ifup --syntax-check --verbose --all --interfaces %I +StandardOutput=journal + +[Install] +WantedBy=multi-user.target diff --git a/partition/roles/router/files/lldpd.d/portsubtype.conf b/partition/roles/router/files/lldpd.d/portsubtype.conf new file mode 100644 index 000000000..c54ba139d --- /dev/null +++ b/partition/roles/router/files/lldpd.d/portsubtype.conf @@ -0,0 +1,2 @@ +configure lldp portidsubtype macaddress + diff --git a/partition/roles/router/files/lldpd.d/tx-interval.conf b/partition/roles/router/files/lldpd.d/tx-interval.conf new file mode 100644 index 000000000..44c7ec2b8 
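Review bot: The three unit files `frr-validation@.service`, `ifreload.service` and `interfaces-validation@.service` each carry an `[Install]` section with `WantedBy=multi-user.target`, yet nothing in the role enables or starts them — `install services` only copies them and notifies `reload systemd`, and the validations in `tasks/main.yaml` call `vtysh --dryrun` and `ifup --syntax-check` directly through `validate:`. For the two template units the section is also unusable as written, because a template unit cannot be enabled without a `DefaultInstance=`. Either drop the `[Install]` sections or add a comment above `[Unit]` stating how the units are meant to be triggered, e.g. `# Started ad hoc by an operator (systemctl start <unit>@<escaped-path>); not enabled at boot.`.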
--- /dev/null +++ b/partition/roles/router/files/lldpd.d/tx-interval.conf @@ -0,0 +1 @@ +configure lldp tx-interval 10 diff --git a/partition/roles/router/handlers/main.yaml b/partition/roles/router/handlers/main.yaml new file mode 100644 index 000000000..b4c228f3c --- /dev/null +++ b/partition/roles/router/handlers/main.yaml @@ -0,0 +1,50 @@ +--- +- name: reload systemd + systemd: + daemon_reload: yes + +- name: reload sysctl + command: sysctl --system + +- name: restart switchd + service: + name: switchd.service + enabled: true + state: restarted + +- name: reload interfaces + shell: sleep 3; ifreload -a + async: 1 + poll: 0 + notify: wait for new connection + +- name: wait for new connection + wait_for_connection: + connect_timeout: 20 + sleep: 5 + delay: 5 + timeout: 300 + +- name: reload frr + service: + name: frr + enabled: true + state: reloaded + +- name: restart frr + service: + name: frr + enabled: true + state: restarted + +- name: lldpd restart + service: + name: lldpd + enabled: true + state: restarted + +- name: restart ntp@mgmt + service: + name: ntp@mgmt + enabled: true + state: restarted diff --git a/partition/roles/router/tasks/main.yaml b/partition/roles/router/tasks/main.yaml new file mode 100644 index 000000000..734a48d60 --- /dev/null +++ b/partition/roles/router/tasks/main.yaml 
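Review bot: `daemon_reload: yes` in the `reload systemd` handler uses a YAML 1.1 truthy string while every other boolean in the file is written `enabled: true`; use `daemon_reload: true` for consistency and to keep yamllint's `truthy` rule quiet. The `reload interfaces` handler fires `ifreload -a` detached (`async: 1`, `poll: 0`) and relies on the chained `wait for new connection` handler to ride out the connection drop, which is non-obvious; a one-line comment such as `# detached because ifreload may tear down the SSH session; reconnect is handled by the notified handler` would save the next reader a trip through the docs.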
@@ -0,0 +1,85 @@ +--- +- name: configure mgmt vrf + import_tasks: mgmt_vrf.yaml + when: router_enable_mgmt_vrf + +- name: configure switch plane + import_tasks: switch_plane.yaml + when: ports is defined + +- name: flush handlers + meta: flush_handlers + +- name: install services + copy: + src: "{{ item }}" + dest: "/etc/systemd/system/{{ item }}" + notify: reload systemd + with_items: + - frr-validation@.service + - interfaces-validation@.service + - ifreload.service + +- name: copy lldpd configs + copy: + src: lldpd.d/ + dest: /etc/lldpd.d/ + notify: lldpd restart + +- name: check if lldpd has the correct portidsubtype setting + shell: lldpcli show configuration | grep subtype + register: lldpd_subtype_check + changed_when: false + +- name: trigger lldpd restart if portidsubtype setting is wrong + service: + name: lldpd + state: restarted + when: ("macaddress" not in lldpd_subtype_check.stdout) + +- name: populate service facts + service_facts: + +- name: render interfaces configuration + template: + src: interfaces.j2 + dest: /etc/network/interfaces + validate: '/sbin/ifup --syntax-check --all --interfaces %s' + notify: reload interfaces + when: "ansible_facts.services['metal-core.service'] is not defined" + +- name: render custom interfaces configuration section + copy: + content: "{{ custom_interface_section }}" + dest: /etc/network/interfaces.d/99_custom.intf + validate: '/sbin/ifup --syntax-check --all --interfaces %s' + notify: reload interfaces + when: custom_interface_section is defined + +- name: render resolv.conf + template: + src: resolv.conf.j2 + dest: /etc/resolv.conf + notify: reload interfaces + +- name: enable frr daemons + copy: + src: daemons + dest: /etc/frr/daemons + notify: restart frr + +- name: render frr configuration + template: + src: frr.conf.j2 + dest: /etc/frr/frr.conf + validate: '/usr/bin/vtysh --dryrun --inputfile %s' + tags: frr + register: frr_rendered + notify: reload frr + when: "ansible_facts.services['metal-core.service'] is 
not defined" + +- name: set hostname + nclu: + commands: + - add hostname {{ metal_partition_id }}-{{ inventory_hostname }} + commit: true diff --git a/partition/roles/router/tasks/mgmt_vrf.yaml b/partition/roles/router/tasks/mgmt_vrf.yaml new file mode 100644 index 000000000..5451e7bd2 --- /dev/null +++ b/partition/roles/router/tasks/mgmt_vrf.yaml @@ -0,0 +1,22 @@ +--- +- name: check if mgmt vrf is active + shell: vrf list | grep mgmt + changed_when: false + failed_when: false + register: mgmt_vrf_exists + +- name: activate mgmt vrf; drops connections + nclu: + commands: + - add vrf mgmt + commit: true + async: 1 + poll: 0 + when: mgmt_vrf_exists.rc != 0 + +- name: wait for new connection + wait_for_connection: + connect_timeout: 20 + sleep: 2 + delay: 6 + timeout: 60 diff --git a/partition/roles/router/tasks/switch_plane.yaml b/partition/roles/router/tasks/switch_plane.yaml new file mode 100644 index 000000000..6ccb1203f --- /dev/null +++ b/partition/roles/router/tasks/switch_plane.yaml @@ -0,0 +1,14 @@ +--- +- name: render ports.conf + template: + src: ports.conf.j2 + dest: /etc/cumulus/ports.conf + notify: restart switchd + +- name: enable static route leak to apply hardware support + replace: + path: /etc/cumulus/switchd.conf + regexp: '#vrf_route_leak_enable = FALSE' + replace: 'vrf_route_leak_enable = TRUE' + when: router_enable_static_route_leak + notify: restart switchd diff --git a/partition/roles/router/templates/ports.conf.j2 b/partition/roles/router/templates/ports.conf.j2 new file mode 100644 index 000000000..238f4970b --- /dev/null +++ b/partition/roles/router/templates/ports.conf.j2 @@ -0,0 +1,5 @@ +# ports.conf -- +# = [4x10G|4x25G|2x50G|40G|50G|100G] +{% for key, value in ports|dictsort %} +{{ key }}={{ value }} +{% endfor %} diff --git a/partition/roles/router/templates/resolv.conf.j2 b/partition/roles/router/templates/resolv.conf.j2 new file mode 100644 index 000000000..41c31ff25 --- /dev/null 
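Review bot: `check if lldpd has the correct portidsubtype setting` runs `lldpcli show configuration | grep subtype` without `failed_when: false`, so when the output has no subtype line grep exits 1 and the play fails instead of falling through to the restart task right below it; `mgmt_vrf.yaml` in this same commit already guards the equivalent grep with `failed_when: false`, and the two should agree. Separately, `render interfaces configuration` and `render frr configuration` reference `interfaces.j2` and `frr.conf.j2`, which this commit does not add (only `ports.conf.j2` and `resolv.conf.j2` appear under `templates/`), so the role depends on the including role supplying them; that contract belongs in a comment at the top of the file or next to the variables in `defaults/main.yaml`, e.g. `# interfaces.j2 and frr.conf.j2 are expected from the including role's templates/`.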
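Review bot: `vrf list | grep mgmt` in `check if mgmt vrf is active` matches any VRF whose name merely contains `mgmt`, so a VRF such as `oob-mgmt` would set `mgmt_vrf_exists.rc` to 0 and skip `add vrf mgmt`; `shell: vrf list | grep -w mgmt` restricts the match to the whole word. The unconditional `wait for new connection` also sits through its `delay: 6` when the VRF already existed and no reconnect happens; gating it with the same `when: mgmt_vrf_exists.rc != 0` avoids the idle wait.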
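Review bot: `enable static route leak to apply hardware support` only matches the commented-out default `#vrf_route_leak_enable = FALSE`, so on a switch where the key was previously uncommented and left at `FALSE` the task reports ok and leaking stays disabled. Matching the key regardless of comment marker or value covers that case and stays idempotent, since `replace` reports no change when the line already reads the target value: `regexp: '^#?vrf_route_leak_enable\s*=\s*(TRUE|FALSE)\s*$'` with `replace: 'vrf_route_leak_enable = TRUE'`.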
+++ b/partition/roles/router/templates/resolv.conf.j2 @@ -0,0 +1,3 @@ +{% for ns in router_nameservers %} +nameserver {{ ns }} +{% endfor %} From 0a407acb6f63e7b2a6af5fc1cffb6284a202be3d Mon Sep 17 00:00:00 2001 
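Review bot: With the default `router_nameservers: []` from `defaults/main.yaml`, `render resolv.conf` writes an empty `/etc/resolv.conf` and runs unconditionally, leaving the switch without any resolver unless the caller sets the variable. Either add `when: router_nameservers | length > 0` to that task or state the requirement in the template, e.g. `{# rendered unconditionally; an empty router_nameservers leaves the switch without DNS #}` above the `{% for %}`. Notifying `reload interfaces` for a resolver change is also unexpected and would benefit from a comment explaining why it is needed.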
From: Gerrit91 Date: Thu, 2 May 2024 13:16:06 +0200 Subject: [PATCH 3/4] Revert, I misinterpreted it. --- partition/roles/router/defaults/main.yaml | 5 -- .../files/99control_plane_catch_all.rules | 36 -------- partition/roles/router/files/daemons | 2 - .../router/files/frr-validation@.service | 10 --- partition/roles/router/files/ifreload.service | 10 --- .../files/interfaces-validation@.service | 10 --- .../router/files/lldpd.d/portsubtype.conf | 2 - .../router/files/lldpd.d/tx-interval.conf | 1 - partition/roles/router/handlers/main.yaml | 50 ----------- partition/roles/router/tasks/main.yaml | 85 ------------------- partition/roles/router/tasks/mgmt_vrf.yaml | 22 ----- .../roles/router/tasks/switch_plane.yaml | 14 --- .../roles/router/templates/ports.conf.j2 | 5 -- .../roles/router/templates/resolv.conf.j2 | 3 - 14 files changed, 255 deletions(-) delete mode 100644 partition/roles/router/defaults/main.yaml delete mode 100644 partition/roles/router/files/99control_plane_catch_all.rules delete mode 100644 partition/roles/router/files/daemons delete mode 100644 partition/roles/router/files/frr-validation@.service delete mode 100644 partition/roles/router/files/ifreload.service delete mode 100644 partition/roles/router/files/interfaces-validation@.service delete mode 100644 partition/roles/router/files/lldpd.d/portsubtype.conf delete mode 100644 partition/roles/router/files/lldpd.d/tx-interval.conf delete mode 100644 partition/roles/router/handlers/main.yaml delete mode 100644 partition/roles/router/tasks/main.yaml delete mode 100644 partition/roles/router/tasks/mgmt_vrf.yaml delete mode 100644 partition/roles/router/tasks/switch_plane.yaml delete mode 100644 partition/roles/router/templates/ports.conf.j2 delete mode 100644 partition/roles/router/templates/resolv.conf.j2 diff --git a/partition/roles/router/defaults/main.yaml b/partition/roles/router/defaults/main.yaml deleted file mode 100644 index 8d7b15005..000000000 
--- a/partition/roles/router/defaults/main.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -router_enable_mgmt_vrf: true -router_enable_static_route_leak: false - -router_nameservers: [] diff --git a/partition/roles/router/files/99control_plane_catch_all.rules b/partition/roles/router/files/99control_plane_catch_all.rules deleted file mode 100644 index d469ae8ea..000000000 --- a/partition/roles/router/files/99control_plane_catch_all.rules +++ /dev/null @@ -1,36 +0,0 @@ -# -# Note: These are catch-all rules that shall be last in the over all rule set. -# - -INGRESS_INTF = swp+ - -INGRESS_CHAIN = INPUT - - - -[iptables] - --A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type LOCAL -j POLICE --set-mode pkt --set-rate 1000 --set-burst 10000 --set-class 2 - --A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 30000 --set-burst 70000 --set-class 2 - --A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j SETCLASS --class 0 - - -[ip6tables] - --A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type LOCAL -j POLICE --set-mode pkt --set-rate 1000 --set-burst 1000 --set-class 2 - --A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100 --set-class 2 - --A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j SETCLASS --class 0 - - -[ebtables] - --A $INGRESS_CHAIN -p ipv4 --in-interface $INGRESS_INTF -j ACCEPT --A $INGRESS_CHAIN -p ipv6 --in-interface $INGRESS_INTF -j ACCEPT --A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j setclass --class 0 -# ipv4 multicast misses --A $INGRESS_CHAIN -p ipv4 -d 01:00:5e:00:00:00/ff:ff:ff:80:00:00 -j police --set-mode pkt --set-rate 100 --set-burst 100 --A $INGRESS_CHAIN -j police --set-mode pkt --set-rate 100 --set-burst 100 diff --git a/partition/roles/router/files/daemons b/partition/roles/router/files/daemons deleted file mode 100644 index c86f98223..000000000 
--- a/partition/roles/router/files/daemons
+++ /dev/null
@@ -1,2 +0,0 @@
-bgpd=yes
-zebra=yes
\ No newline at end of file
diff --git a/partition/roles/router/files/frr-validation@.service b/partition/roles/router/files/frr-validation@.service
deleted file mode 100644
index d2e9e2764..000000000
--- a/partition/roles/router/files/frr-validation@.service
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=Trigger a validation run of a frr configuration file %I
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/vtysh --dryrun --inputfile %I
-StandardOutput=journal
-
-[Install]
-WantedBy=multi-user.target
diff --git a/partition/roles/router/files/ifreload.service b/partition/roles/router/files/ifreload.service
deleted file mode 100644
index a71205a4a..000000000
--- a/partition/roles/router/files/ifreload.service
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=Trigger Interface Reload with ifreload
-
-[Service]
-Type=oneshot
-ExecStart=/sbin/ifreload -v -a
-StandardOutput=journal
-
-[Install]
-WantedBy=multi-user.target
diff --git a/partition/roles/router/files/interfaces-validation@.service b/partition/roles/router/files/interfaces-validation@.service
deleted file mode 100644
index 9df7795b2..000000000
--- a/partition/roles/router/files/interfaces-validation@.service
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=Trigger a validation of a network interfaces file %I
-
-[Service]
-Type=oneshot
-ExecStart=/sbin/ifup --syntax-check --verbose --all --interfaces %I
-StandardOutput=journal
-
-[Install]
-WantedBy=multi-user.target
diff --git a/partition/roles/router/files/lldpd.d/portsubtype.conf b/partition/roles/router/files/lldpd.d/portsubtype.conf
deleted file mode 100644
index c54ba139d..000000000
--- a/partition/roles/router/files/lldpd.d/portsubtype.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-configure lldp portidsubtype macaddress
-
diff --git a/partition/roles/router/files/lldpd.d/tx-interval.conf b/partition/roles/router/files/lldpd.d/tx-interval.conf
deleted file mode 100644
index 44c7ec2b8..000000000
--- a/partition/roles/router/files/lldpd.d/tx-interval.conf
+++ /dev/null
@@ -1 +0,0 @@
-configure lldp tx-interval 10
diff --git a/partition/roles/router/handlers/main.yaml b/partition/roles/router/handlers/main.yaml
deleted file mode 100644
index b4c228f3c..000000000
--- a/partition/roles/router/handlers/main.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
----
-- name: reload systemd
- systemd:
- daemon_reload: yes
-
-- name: reload sysctl
- command: sysctl --system
-
-- name: restart switchd
- service:
- name: switchd.service
- enabled: true
- state: restarted
-
-- name: reload interfaces
- shell: sleep 3; ifreload -a
- async: 1
- poll: 0
- notify: wait for new connection
-
-- name: wait for new connection
- wait_for_connection:
- connect_timeout: 20
- sleep: 5
- delay: 5
- timeout: 300
-
-- name: reload frr
- service:
- name: frr
- enabled: true
- state: reloaded
-
-- name: restart frr
- service:
- name: frr
- enabled: true
- state: restarted
-
-- name: lldpd restart
- service:
- name: lldpd
- enabled: true
- state: restarted
-
-- name: restart ntp@mgmt
- service:
- name: ntp@mgmt
- enabled: true
- state: restarted
diff --git a/partition/roles/router/tasks/main.yaml b/partition/roles/router/tasks/main.yaml
deleted file mode 100644
index 734a48d60..000000000
--- a/partition/roles/router/tasks/main.yaml
+++ /dev/null
@@ -1,85 +0,0 @@
----
-- name: configure mgmt vrf
- import_tasks: mgmt_vrf.yaml
- when: router_enable_mgmt_vrf
-
-- name: configure switch plane
- import_tasks: switch_plane.yaml
- when: ports is defined
-
-- name: flush handlers
- meta: flush_handlers
-
-- name: install services
- copy:
- src: "{{ item }}"
- dest: "/etc/systemd/system/{{ item }}"
- notify: reload systemd
- with_items:
- - frr-validation@.service
- - interfaces-validation@.service
- - ifreload.service
-
-- name: copy lldpd configs
- copy:
- src: lldpd.d/
- dest: /etc/lldpd.d/
- notify: lldpd restart
-
-- name: check if lldpd has the correct portidsubtype setting
- shell: lldpcli show configuration | grep subtype
- register: lldpd_subtype_check
- changed_when: false
-
-- name: trigger lldpd restart if portidsubtype setting is wrong
- service:
- name: lldpd
- state: restarted
- when: ("macaddress" not in lldpd_subtype_check.stdout)
-
-- name: populate service facts
- service_facts:
-
-- name: render interfaces configuration
- template:
- src: interfaces.j2
- dest: /etc/network/interfaces
- validate: '/sbin/ifup --syntax-check --all --interfaces %s'
- notify: reload interfaces
- when: "ansible_facts.services['metal-core.service'] is not defined"
-
-- name: render custom interfaces configuration section
- copy:
- content: "{{ custom_interface_section }}"
- dest: /etc/network/interfaces.d/99_custom.intf
- validate: '/sbin/ifup --syntax-check --all --interfaces %s'
- notify: reload interfaces
- when: custom_interface_section is defined
-
-- name: render resolv.conf
- template:
- src: resolv.conf.j2
- dest: /etc/resolv.conf
- notify: reload interfaces
-
-- name: enable frr daemons
- copy:
- src: daemons
- dest: /etc/frr/daemons
- notify: restart frr
-
-- name: render frr configuration
- template:
- src: frr.conf.j2
- dest: /etc/frr/frr.conf
- validate: '/usr/bin/vtysh --dryrun --inputfile %s'
- tags: frr
- register: frr_rendered
- notify: reload frr
- when: "ansible_facts.services['metal-core.service'] is not defined"
-
-- name: set hostname
- nclu:
- commands:
- - add hostname {{ metal_partition_id }}-{{ inventory_hostname }}
- commit: true
diff --git a/partition/roles/router/tasks/mgmt_vrf.yaml b/partition/roles/router/tasks/mgmt_vrf.yaml
deleted file mode 100644
index 5451e7bd2..000000000
--- a/partition/roles/router/tasks/mgmt_vrf.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-- name: check if mgmt vrf is active
- shell: vrf list | grep mgmt
- changed_when: false
- failed_when: false
- register: mgmt_vrf_exists
-
-- name: activate mgmt vrf; drops connections
- nclu:
- commands:
- - add vrf mgmt
- commit: true
- async: 1
- poll: 0
- when: mgmt_vrf_exists.rc != 0
-
-- name: wait for new connection
- wait_for_connection:
- connect_timeout: 20
- sleep: 2
- delay: 6
- timeout: 60
diff --git a/partition/roles/router/tasks/switch_plane.yaml b/partition/roles/router/tasks/switch_plane.yaml
deleted file mode 100644
index 6ccb1203f..000000000
--- a/partition/roles/router/tasks/switch_plane.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-- name: render ports.conf
- template:
- src: ports.conf.j2
- dest: /etc/cumulus/ports.conf
- notify: restart switchd
-
-- name: enable static route leak to apply hardware support
- replace:
- path: /etc/cumulus/switchd.conf
- regexp: '#vrf_route_leak_enable = FALSE'
- replace: 'vrf_route_leak_enable = TRUE'
- when: router_enable_static_route_leak
- notify: restart switchd
diff --git a/partition/roles/router/templates/ports.conf.j2 b/partition/roles/router/templates/ports.conf.j2
deleted file mode 100644
index 238f4970b..000000000
--- a/partition/roles/router/templates/ports.conf.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-# ports.conf --
-# = [4x10G|4x25G|2x50G|40G|50G|100G]
-{% for key, value in ports|dictsort %}
-{{ key }}={{ value }}
-{% endfor %}
diff --git a/partition/roles/router/templates/resolv.conf.j2 b/partition/roles/router/templates/resolv.conf.j2
deleted file mode 100644
index 41c31ff25..000000000
--- a/partition/roles/router/templates/resolv.conf.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-{% for ns in router_nameservers %}
-nameserver {{ ns }}
-{% endfor %}
From 5a551b29bd7b4bf461321e49cb7766308e5f1606 Mon Sep 17 00:00:00 2001
From: Gerrit
Date: Tue, 4 Jun 2024 10:31:18 +0200
Subject: [PATCH 4/4] Remove README refs.
---
partition/README.md | 2 --
1 file changed, 2 deletions(-)
diff --git a/partition/README.md b/partition/README.md
index be05f4690..d61154e8e 100644
--- a/partition/README.md
+++ b/partition/README.md
@@ -38,11 +38,9 @@ You can look up all the default values [here](partition-defaults/main.yaml).
| [dhcp-relay](roles/dhcp-relay) | Deploys a dhcp-relay |
| [docker-on-cumulus](roles/docker-on-cumulus) | Deploys docker on cumulus |
| [metal-bmc](roles/metal-bmc) | Deploys metal-bmc |
-| [leaf](roles/leaf) | Deploys network config for cumulus switches |
| [metal-core](roles/metal-core) | Deploys metal-core |
| [pixiecore](roles/pixiecore) | Deploys pixiecore |
| [promtail](roles/promtail) | Deploys promtail |
-| [router](roles/router) | Deploys router config on cumulus switches |
## Examples