feat: manage route-reflectors

- add route-reflector role and hieradata - enable using dhcp in networkd - add hieradata/node/* entries for route-reflectors
2025-04-25 00:34:09 +10:00 · 2025-04-25 00:34:09 +10:00 · f4ac1f2000
commit f4ac1f2000
parent 2321186ad5
12 changed files with 143 additions and 12 deletions
--- a/hieradata/nodes/ausyd1nxvm2000.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm2000.main.unkin.net.yaml
@ -0,0 +1,5 @@
+---
+networking_loopback0_ip: 198.18.19.14  # management loopback
+networking::interfaces:
+  eth0:
+    mac: 00:16:3e:69:0f:3b
--- a/hieradata/nodes/ausyd1nxvm2001.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm2001.main.unkin.net.yaml
@ -0,0 +1,5 @@
+---
+networking_loopback0_ip: 198.18.19.15  # management loopback
+networking::interfaces:
+  eth0:
+    mac: 00:16:3e:55:46:bd
--- a/hieradata/nodes/ausyd1nxvm2002.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm2002.main.unkin.net.yaml
@ -0,0 +1,5 @@
+---
+networking_loopback0_ip: 198.18.19.16  # management loopback
+networking::interfaces:
+  eth0:
+    mac: 00:16:3e:6a:25:6b
--- a/hieradata/nodes/ausyd1nxvm2003.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm2003.main.unkin.net.yaml
@ -0,0 +1,5 @@
+---
+networking_loopback0_ip: 198.18.19.17  # management loopback
+networking::interfaces:
+  eth0:
+    mac: 00:16:3e:63:89:f2
--- a/hieradata/nodes/ausyd1nxvm2004.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm2004.main.unkin.net.yaml
@ -0,0 +1,5 @@
+---
+networking_loopback0_ip: 198.18.19.18  # management loopback
+networking::interfaces:
+  eth0:
+    mac: 00:16:3e:ca:e1:51
--- a/hieradata/roles/infra/incus/node.yaml
+++ b/hieradata/roles/infra/incus/node.yaml
@ -110,12 +110,16 @@ frrouting::ospfd_interfaces:
    area: 0.0.0.0
  loopback2:
    area: 0.0.0.0
+  brmplscore:
+    area: 0.0.0.0
 frrouting::mpls_te_enabled: true
 frrouting::mpls_ldp_router_id: "%{hiera('networking_loopback0_ip')}"
 frrouting::mpls_ldp_transport_addr: "%{hiera('networking_loopback0_ip')}"
 frrouting::mpls_ldp_interfaces:
+  - loopback0
  - enp2s0
  - enp3s0
+  - brmplscore
 frrouting::daemons:
  ldpd: true
  ospfd: true
@ -199,6 +203,10 @@ sysctl::base::values:
    value: '1'
  net.mpls.conf.enp3s0.input:
    value: '1'
+  net.mpls.conf.brmplscore.input:
+    value: '1'
+  net.mpls.conf.loopback0.input:
+    value: '1'

 # limits.d recommendations
 limits::entries:
--- a/hieradata/roles/infra/mpls/rr.yaml
+++ b/hieradata/roles/infra/mpls/rr.yaml
@ -0,0 +1,79 @@
+---
+hiera_include:
+  - profiles::selinux::frr
+  - frrouting
+
+# additional repos
+profiles::yum::global::repos:
+  frr-extras:
+    name: frr-extras
+    descr: frr-extras repository
+    target: /etc/yum.repos.d/frr-extras.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent
+  frr-stable:
+    name: frr-stable
+    descr: frr-stable repository
+    target: /etc/yum.repos.d/frr-stable.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent
+
+# networking
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+  eth0:
+    dhcp: true
+    type: physical
+    mtu: 8000
+    forwarding: true
+  loopback0:
+    type: dummy
+    ipaddress: "%{hiera('networking_loopback0_ip')}"
+    netmask: 255.255.255.255
+    mtu: 8000
+
+# frrouting
+frrouting::ospfd_router_id: "%{hiera('networking_loopback0_ip')}"
+frrouting::ospfd_redistribute:
+  - connected
+frrouting::ospfd_interfaces:
+  eth0:
+    area: 0.0.0.0
+  loopback0:
+    area: 0.0.0.0
+frrouting::mpls_te_enabled: true
+frrouting::mpls_ldp_router_id: "%{hiera('networking_loopback0_ip')}"
+frrouting::mpls_ldp_transport_addr: "%{hiera('networking_loopback0_ip')}"
+frrouting::mpls_ldp_interfaces:
+  - eth0
+  - loopback0
+frrouting::daemons:
+  ldpd: true
+  ospfd: true
+
+# add loopback interfaces to ssh list
+ssh::server::options:
+  ListenAddress:
+    - "%{hiera('networking_loopback0_ip')}"
+
+# sysctl recommendations
+sysctl::base::values:
+  net.ipv4.conf.all.forwarding:
+    value: '1'
+  net.ipv6.conf.all.forwarding:
+    value: '1'
+  net.ipv4.tcp_l3mdev_accept:
+    value: '0'
+  net.ipv4.conf.default.rp_filter:
+    value: '0'
+  net.ipv4.conf.all.rp_filter:
+    value: '0'
+  net.mpls.platform_labels:
+    value: '1048575'
+  net.mpls.conf.eth0.input:
+    value: '1'
+  net.mpls.conf.loopback0.input:
+    value: '1'
--- a/modules/frrouting/templates/frr.conf.erb
+++ b/modules/frrouting/templates/frr.conf.erb
@ -10,6 +10,9 @@ interface <%= iface %>
 <% if params['passive'] == true -%>
 ip ospf passive
 <% end -%>
+<% if @mpls_ldp_interfaces and @mpls_ldp_interfaces.include?(iface) -%>
+ mpls enable
+<% end -%>
 exit
 <% end -%>
 router ospf
--- a/modules/networking/manifests/static.pp
+++ b/modules/networking/manifests/static.pp
@ -1,10 +1,11 @@
 # manage static interfaces
 define networking::static (
  String                $type,
-  Stdlib::IP::Address   $ipaddress,
  Stdlib::IP::Address   $netmask  = '255.255.255.0',
  Integer[100-9200]     $mtu      = 1500,
+  Boolean               $dhcp     = false,
  Optional[Boolean]     $forwarding = false,
+  Optional[Stdlib::IP::Address]         $ipaddress = undef,
  Optional[Stdlib::IP::Address]         $gateway = undef,
  Optional[Array[Stdlib::IP::Address]]  $dns = undef,
  Optional[Array[Stdlib::Fqdn]]         $domains = undef,
--- a/modules/networking/templates/networkd-network.erb
+++ b/modules/networking/templates/networkd-network.erb
@ -2,6 +2,9 @@
 Name=<%= @title %>

 [Network]
+<% if @dhcp == true -%>
+DHCP=yes
+<% else -%>
 <% if @ipaddress && @netmask -%>
 Address=<%= @ipaddress %>/<%= IPAddr.new(@netmask).to_i.to_s(2).count('1') %>
 <% end -%>
@ -14,6 +17,7 @@ DNS=<%= Array(@dns).join(' ') %>
 <% if @domains -%>
 Domains=<%= Array(@domains).join(' ') %>
 <% end -%>
+<% end -%>
 <% if @bridge and @bridge != true -%>
 Bridge=<%= @bridge %>
 <% end -%>
--- a/site/profiles/manifests/selinux/frr.pp
+++ b/site/profiles/manifests/selinux/frr.pp
@ -32,16 +32,17 @@ class profiles::selinux::frr {
    allow init_t self:process setpgid;
  | EOF

-  selinux::module { 'frr_local':
-    ensure     => 'present',
-    content_te => $frr_te_content,
-    builder    => 'simple',
-    before     => Service['frr'],
-  }
-
-  selboolean { 'domain_can_mmap_files':
-    value      => 'on',
-    persistent => true,
-    before     => Service['frr'],
+  if $facts['virtual'] != 'lxc' {
+    selinux::module { 'frr_local':
+      ensure     => 'present',
+      content_te => $frr_te_content,
+      builder    => 'simple',
+      before     => Service['frr'],
+    }
+    selboolean { 'domain_can_mmap_files':
+      value      => 'on',
+      persistent => true,
+      before     => Service['frr'],
+    }
  }
 }
--- a/site/roles/manifests/infra/mpls/rr.pp
+++ b/site/roles/manifests/infra/mpls/rr.pp
@ -0,0 +1,10 @@
+# a role to manage mpls route-reflectors
+class roles::infra::mpls::rr {
+  if $facts['firstrun'] {
+    include profiles::defaults
+    include profiles::firstrun::init
+  }else{
+    include profiles::defaults
+    include profiles::base
+  }
+}