neoloc/mpls_ldp_frr (#255)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/255
2025-04-24 16:51:31 +10:00 · 2025-04-24 16:51:31 +10:00 · 2321186ad5
commit 2321186ad5
parent c24babe309
7 changed files with 121 additions and 4 deletions
--- a/hieradata/roles/infra/incus/node.yaml
+++ b/hieradata/roles/infra/incus/node.yaml
@ -1,5 +1,6 @@
 ---
 hiera_include:
+  - profiles::selinux::frr
  - frrouting
  - incus
  - zfs
@ -109,8 +110,15 @@ frrouting::ospfd_interfaces:
    area: 0.0.0.0
  loopback2:
    area: 0.0.0.0
-  br10:
-    area: 0.0.0.0
+frrouting::mpls_te_enabled: true
+frrouting::mpls_ldp_router_id: "%{hiera('networking_loopback0_ip')}"
+frrouting::mpls_ldp_transport_addr: "%{hiera('networking_loopback0_ip')}"
+frrouting::mpls_ldp_interfaces:
+  - enp2s0
+  - enp3s0
+frrouting::daemons:
+  ldpd: true
+  ospfd: true

 # add loopback interfaces to ssh list
 ssh::server::options:
@ -179,6 +187,18 @@ sysctl::base::values:
    value: '1'
  net.ipv6.conf.all.forwarding:
    value: '1'
+  net.ipv4.tcp_l3mdev_accept:
+    value: '0'
+  net.ipv4.conf.default.rp_filter:
+    value: '0'
+  net.ipv4.conf.all.rp_filter:
+    value: '0'
+  net.mpls.platform_labels:
+    value: '1048575'
+  net.mpls.conf.enp2s0.input:
+    value: '1'
+  net.mpls.conf.enp3s0.input:
+    value: '1'

 # limits.d recommendations
 limits::entries:
--- a/hieradata/roles/infra/puppet/master.yaml
+++ b/hieradata/roles/infra/puppet/master.yaml
@ -5,6 +5,13 @@ profiles::puppet::autosign::subnet_ranges:
  - '198.18.15.0/24'
  - '198.18.16.0/24'
  - '198.18.17.0/24'
+  - '198.18.20.0/24'
+  - '198.18.24.0/24'
+  - '198.18.25.0/24'
+  - '198.18.26.0/24'
+  - '198.18.27.0/24'
+  - '198.18.28.0/24'
+  - '198.18.29.0/24'

 profiles::puppet::autosign::domains:
  - '*.main.unkin.net'
--- a/modules/frrouting/manifests/init.pp
+++ b/modules/frrouting/manifests/init.pp
@ -10,12 +10,17 @@ class frrouting (
  Array[String] $ospfd_redistribute = [],
  Array[String] $ospfd_networks     = [],
  Boolean $ospfd_default_originate_always = false,
+  Boolean $mpls_te_enabled                   = false,
+  Optional[String] $mpls_ldp_router_id       = undef,
+  Optional[String] $mpls_ldp_transport_addr  = undef,
+  Array[String] $mpls_ldp_interfaces         = [],
 ) {

  $daemons_defaults = {
    'bgpd'    => false,
    'ospfd'   => true,
    'ospf6d'  => false,
+    'ldpd'    => false,
    'ripd'    => false,
    'ripngd'  => false,
    'isisd'   => false,
@ -32,7 +37,7 @@ class frrouting (
    'staticd' => false,
  }

-  $daemons_merged = merge($daemons, $daemons_defaults)
+  $daemons_merged = merge($daemons_defaults, $daemons)

  if $manage_package {
    package { $package_name:
@ -62,4 +67,23 @@ class frrouting (
      hasrestart => true,
    }
  }
+
+  if $mpls_ldp_router_id and $mpls_ldp_transport_addr and !empty($mpls_ldp_interfaces) {
+    file { '/etc/modules-load.d/mpls_ldp_modules.conf':
+      ensure  => file,
+      content => @(EOT/L),
+        # Load MPLS Kernel Modules
+        mpls_router
+        mpls_iptunnel
+        | EOT
+    }
+
+    ['mpls_router', 'mpls_iptunnel'].each |$mod| {
+      exec { "load_${mod}":
+        command => "/sbin/modprobe ${mod}",
+        unless  => "/sbin/lsmod | /bin/grep -q ^${mod}",
+        path    => ['/sbin', '/bin', '/usr/sbin', '/usr/bin'],
+      }
+    }
+  }
 }
--- a/modules/frrouting/templates/daemons.erb
+++ b/modules/frrouting/templates/daemons.erb
@ -12,6 +12,7 @@ zebra_options="  -A 127.0.0.1 -s 90000000"
 bgpd_options="   -A 127.0.0.1"
 ospfd_options="  -A 127.0.0.1"
 ospf6d_options=" -A ::1"
+ldpd_options="   -A 127.0.0.1"
 ripd_options="   -A 127.0.0.1"
 ripngd_options=" -A ::1"
 isisd_options="  -A 127.0.0.1"
--- a/modules/frrouting/templates/frr.conf.erb
+++ b/modules/frrouting/templates/frr.conf.erb
@ -24,4 +24,22 @@ router ospf
 <% if @ospfd_default_originate_always -%>
 default-information originate always
 <% end -%>
+<% if @mpls_te_enabled -%>
+ capability opaque
+ mpls-te on
+ mpls-te router-address <%= @ospfd_router_id %>
+ mpls-te inter-as area 0.0.0.0
+<% end -%>
 exit
+<% if @mpls_ldp_router_id and @mpls_ldp_transport_addr and @mpls_ldp_interfaces.any? -%>
+mpls ldp
+ router-id <%= @mpls_ldp_router_id %>
+ address-family ipv4
+  discovery transport-address <%= @mpls_ldp_transport_addr %>
+<% @mpls_ldp_interfaces.each do |iface| -%>
+  interface <%= iface %>
+  exit
+<% end -%>
+ exit-address-family
+exit
+<% end -%>
--- a/modules/libs/lib/facter/subnet_facts.rb
+++ b/modules/libs/lib/facter/subnet_facts.rb
@ -12,7 +12,7 @@ class SubnetAttributes
    '198.18.17.0/24' => { environment: 'prod', region: 'drw1', country: 'au' },
    '198.18.18.0/24' => { environment: 'test', region: 'drw1', country: 'au' },
    '198.18.19.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # loopbacks
-    '198.18.20.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # RESERVED
+    '198.18.20.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # MPLS CORE BLOCKS
    '198.18.21.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # physical network 2.5gbe
    '198.18.22.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # ceph cluster
    '198.18.23.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # ceph public
--- a/site/profiles/manifests/selinux/frr.pp
+++ b/site/profiles/manifests/selinux/frr.pp
@ -0,0 +1,47 @@
+# this is a modification to frr-selinux that ships with EL9, adding support for frr10
+class profiles::selinux::frr {
+
+  $frr_te_content = @("EOF")
+    module frr_local 1.0;
+
+    require {
+      type frr_t;
+      type initrc_t;
+      type kernel_t;
+      type var_run_t;
+      type frr_tmp_t;
+      type frr_var_run_t;
+      type init_t;
+      class unix_stream_socket connectto;
+      class system module_request;
+      class sock_file { getattr write };
+      class dir { add_name write };
+      class file { create write open };
+      class process setpgid;
+    }
+
+    #============= frr_t ==============
+    allow frr_t initrc_t:unix_stream_socket connectto;
+    allow frr_t kernel_t:system module_request;
+    allow frr_t var_run_t:sock_file { getattr write };
+
+    #============= init_t ==============
+    allow init_t frr_tmp_t:dir add_name;
+    allow init_t frr_var_run_t:dir { write add_name };
+    allow init_t frr_var_run_t:file { create open write };
+    allow init_t self:process setpgid;
+  | EOF
+
+  selinux::module { 'frr_local':
+    ensure     => 'present',
+    content_te => $frr_te_content,
+    builder    => 'simple',
+    before     => Service['frr'],
+  }
+
+  selboolean { 'domain_can_mmap_files':
+    value      => 'on',
+    persistent => true,
+    before     => Service['frr'],
+  }
+}