hieradata/roles/infra/incus/node.yaml

@@ -1,5 +1,6 @@
 ---
 hiera_include:
+  - profiles::selinux::frr
   - frrouting
   - incus
   - zfs
@@ -109,8 +110,15 @@ frrouting::ospfd_interfaces:
     area: 0.0.0.0
   loopback2:
     area: 0.0.0.0
-  br10:
+frrouting::mpls_te_enabled: true
-    area: 0.0.0.0
+frrouting::mpls_ldp_router_id: "%{hiera('networking_loopback0_ip')}"
+frrouting::mpls_ldp_transport_addr: "%{hiera('networking_loopback0_ip')}"
+frrouting::mpls_ldp_interfaces:
+  - enp2s0
+  - enp3s0
+frrouting::daemons:
+  ldpd: true
+  ospfd: true
 
 # add loopback interfaces to ssh list
 ssh::server::options:
@@ -179,6 +187,18 @@ sysctl::base::values:
     value: '1'
   net.ipv6.conf.all.forwarding:
     value: '1'
+  net.ipv4.tcp_l3mdev_accept:
+    value: '0'
+  net.ipv4.conf.default.rp_filter:
+    value: '0'
+  net.ipv4.conf.all.rp_filter:
+    value: '0'
+  net.mpls.platform_labels:
+    value: '1048575'
+  net.mpls.conf.enp2s0.input:
+    value: '1'
+  net.mpls.conf.enp3s0.input:
+    value: '1'
 
 # limits.d recommendations
 limits::entries:

hieradata/roles/infra/puppet/master.yaml

@@ -5,6 +5,13 @@ profiles::puppet::autosign::subnet_ranges:
   - '198.18.15.0/24'
   - '198.18.16.0/24'
   - '198.18.17.0/24'
+  - '198.18.20.0/24'
+  - '198.18.24.0/24'
+  - '198.18.25.0/24'
+  - '198.18.26.0/24'
+  - '198.18.27.0/24'
+  - '198.18.28.0/24'
+  - '198.18.29.0/24'
 
 profiles::puppet::autosign::domains:
   - '*.main.unkin.net'

modules/frrouting/manifests/init.pp

@@ -10,12 +10,17 @@ class frrouting (
   Array[String] $ospfd_redistribute = [],
   Array[String] $ospfd_networks     = [],
   Boolean $ospfd_default_originate_always = false,
+  Boolean $mpls_te_enabled                   = false,
+  Optional[String] $mpls_ldp_router_id       = undef,
+  Optional[String] $mpls_ldp_transport_addr  = undef,
+  Array[String] $mpls_ldp_interfaces         = [],
 ) {
 
   $daemons_defaults = {
     'bgpd'    => false,
     'ospfd'   => true,
     'ospf6d'  => false,
+    'ldpd'    => false,
     'ripd'    => false,
     'ripngd'  => false,
     'isisd'   => false,
@@ -32,7 +37,7 @@ class frrouting (
     'staticd' => false,
   }
 
-  $daemons_merged = merge($daemons, $daemons_defaults)
+  $daemons_merged = merge($daemons_defaults, $daemons)
 
   if $manage_package {
     package { $package_name:
@@ -62,4 +67,23 @@ class frrouting (
       hasrestart => true,
     }
   }
+
+  if $mpls_ldp_router_id and $mpls_ldp_transport_addr and !empty($mpls_ldp_interfaces) {
+    file { '/etc/modules-load.d/mpls_ldp_modules.conf':
+      ensure  => file,
+      content => @(EOT/L),
+        # Load MPLS Kernel Modules
+        mpls_router
+        mpls_iptunnel
+        | EOT
+    }
+
+    ['mpls_router', 'mpls_iptunnel'].each |$mod| {
+      exec { "load_${mod}":
+        command => "/sbin/modprobe ${mod}",
+        unless  => "/sbin/lsmod | /bin/grep -q ^${mod}",
+        path    => ['/sbin', '/bin', '/usr/sbin', '/usr/bin'],
+      }
+    }
+  }
 }

modules/frrouting/templates/daemons.erb

@@ -12,6 +12,7 @@ zebra_options="  -A 127.0.0.1 -s 90000000"
 bgpd_options="   -A 127.0.0.1"
 ospfd_options="  -A 127.0.0.1"
 ospf6d_options=" -A ::1"
+ldpd_options="   -A 127.0.0.1"
 ripd_options="   -A 127.0.0.1"
 ripngd_options=" -A ::1"
 isisd_options="  -A 127.0.0.1"

modules/frrouting/templates/frr.conf.erb

@@ -24,4 +24,22 @@ router ospf
 <% if @ospfd_default_originate_always -%>
  default-information originate always
 <% end -%>
+<% if @mpls_te_enabled -%>
+ capability opaque
+ mpls-te on
+ mpls-te router-address <%= @ospfd_router_id %>
+ mpls-te inter-as area 0.0.0.0
+<% end -%>
 exit
+<% if @mpls_ldp_router_id and @mpls_ldp_transport_addr and @mpls_ldp_interfaces.any? -%>
+mpls ldp
+ router-id <%= @mpls_ldp_router_id %>
+ address-family ipv4
+  discovery transport-address <%= @mpls_ldp_transport_addr %>
+<% @mpls_ldp_interfaces.each do |iface| -%>
+  interface <%= iface %>
+  exit
+<% end -%>
+ exit-address-family
+exit
+<% end -%>

modules/libs/lib/facter/subnet_facts.rb

@@ -12,7 +12,7 @@ class SubnetAttributes
     '198.18.17.0/24' => { environment: 'prod', region: 'drw1', country: 'au' },
     '198.18.18.0/24' => { environment: 'test', region: 'drw1', country: 'au' },
     '198.18.19.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # loopbacks
-    '198.18.20.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # RESERVED
+    '198.18.20.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # MPLS CORE BLOCKS
     '198.18.21.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # physical network 2.5gbe
     '198.18.22.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # ceph cluster
     '198.18.23.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # ceph public

site/profiles/manifests/selinux/frr.pp

@@ -0,0 +1,47 @@
+# this is a modification to frr-selinux that ships with EL9, adding support for frr10
+class profiles::selinux::frr {
+
+  $frr_te_content = @("EOF")
+    module frr_local 1.0;
+
+    require {
+      type frr_t;
+      type initrc_t;
+      type kernel_t;
+      type var_run_t;
+      type frr_tmp_t;
+      type frr_var_run_t;
+      type init_t;
+      class unix_stream_socket connectto;
+      class system module_request;
+      class sock_file { getattr write };
+      class dir { add_name write };
+      class file { create write open };
+      class process setpgid;
+    }
+
+    #============= frr_t ==============
+    allow frr_t initrc_t:unix_stream_socket connectto;
+    allow frr_t kernel_t:system module_request;
+    allow frr_t var_run_t:sock_file { getattr write };
+
+    #============= init_t ==============
+    allow init_t frr_tmp_t:dir add_name;
+    allow init_t frr_var_run_t:dir { write add_name };
+    allow init_t frr_var_run_t:file { create open write };
+    allow init_t self:process setpgid;
+  | EOF
+
+  selinux::module { 'frr_local':
+    ensure     => 'present',
+    content_te => $frr_te_content,
+    builder    => 'simple',
+    before     => Service['frr'],
+  }
+
+  selboolean { 'domain_can_mmap_files':
+    value      => 'on',
+    persistent => true,
+    before     => Service['frr'],
+  }
+}