commit de1878ad73597897a432dc056ec883117b3db39f
Author: Cory Hawkless
Date: Thu Jul 30 17:36:21 2020 +0930
first commit
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..905a0ae
--- /dev/null
+++ b/README.md
@@ -0,0 +1,407 @@ + +Example server with loads of things going on + +config_network_interfaces: true +enable_configured_interfaces_after_defining: false +network_interfaces: + - name: 'enp3s0f0' + configure: true + method: 'static' + address: '172.25.112.184' + #gateway: '172.25.112.1' + netmask: '255.255.254.0' + enable: true + - name: 'enp3s0f1' + configure: true + enable: false + method: 'manual' + - name: 'enp3s0f2' + configure: true + enable: false + method: 'manual' + - name: 'enp3s0f3' + configure: true + enable: false + method: 'manual' + + - name: 'ens2f0' + comment: "Link to 40G Switch" + auto_bgp_interface: true + configure: true + method: 'static' + address: '{{host_loopback_IP}}' + netmask: '255.255.255.255' + enable: true + + - name: 'ens2f1' + comment: "Link to 10G Switch" + configure: true + method: 'manual' + enable: true + + - name: 'ens3f0' + comment: "Link to 40G Switch" + auto_bgp_interface: true + configure: true + method: 'static' + address: '{{host_loopback_IP}}' + netmask: '255.255.255.255' + enable: true + + - name: 'ens3f1' + comment: "Link to 10G Switch" + configure: true + method: 'manual' + enable: true + + +dns_nameservers: + - '172.25.110.2' + - '172.20.0.2' +pri_domain_name: 'bfn.local' + +host_loopback_IP: 172.25.4.31 +host_ASN: 64653 + + + +Example network, no bond, docker frr +host_loopback_IP: 172.25.4.20 +host_loopback_IP_v6: 2405:6680:8000:10::4:10 +host_ASN: 64642 + +OOBNET_IP: 172.25.112.174 +OOBNET_Netmask: 23 +OOBNET_NIC: enp2s0f0 + +autobgp_interfaces: + - name: 'enp2s0f1' + force10G: True + mtu: 9000 + - name: 'enp2s0f4' + force10G: True + mtu: 9000 + +Example configuration for Dell s6000-ON running Openswitch +host_loopback_IP: 172.25.9.3 +host_loopback_IP_v6: 2000:3000:8000:10::9:3 +host_ASN: 64661 + +OOBNET_IP: 172.25.112.196 +OOBNET_Netmask: 23 + +network_interface_breakout_with_vlans: + - name: 'e101-002-1' + mtu: 9000 + force10G: True + vlans: + - '1001' + - '1005' + - '1009' + - '1013' + + - name: 'e101-002-2' + 
mtu: 9000 + force10G: True + vlans: + - '1002' + - '1006' + - '1010' + - '1014' + + - name: 'e101-002-3' + mtu: 9000 + force10G: True + vlans: + - '1003' + - '1007' + - '1011' + - '1015' + + - name: 'e101-002-4' + mtu: 9000 + force10G: True + vlans: + - '1004' + - '1008' + - '1012' + - '1016' + + + + - name: 'e101-003-1' + mtu: 9000 + force10G: True + vlans: + - '1017' + - '1021' + - '1025' + - '1029' + + - name: 'e101-003-2' + mtu: 9000 + force10G: True + vlans: + - '1018' + - '1022' + - '1026' + - '1030' + + - name: 'e101-003-3' + mtu: 9000 + force10G: True + vlans: + - '1019' + - '1023' + - '1027' + - '1031' + + - name: 'e101-003-4' + mtu: 9000 + force10G: True + vlans: + - '1020' + - '1024' + - '1028' + - '1032' + + + + + + - name: 'e101-004-1' + mtu: 9000 + force10G: True + vlans: + - '1033' + - '1037' + - '1041' + - '1045' + + - name: 'e101-004-2' + mtu: 9000 + force10G: True + vlans: + - '1034' + - '1038' + - '1042' + - '1046' + + - name: 'e101-004-3' + mtu: 9000 + force10G: True + vlans: + - '1035' + - '1039' + - '1043' + - '1047' + + - name: 'e101-004-4' + mtu: 9000 + force10G: True + vlans: + - '1036' + - '1040' + - '1044' + - '1048' + + + + + + - name: 'e101-005-1' + mtu: 9000 + force10G: True + vlans: + - '1049' + - '1053' + - '1057' + - '1061' + + - name: 'e101-005-2' + mtu: 9000 + force10G: True + vlans: + - '1050' + - '1054' + - '1058' + - '1062' + + - name: 'e101-005-3' + mtu: 9000 + force10G: True + vlans: + - '1051' + - '1055' + - '1059' + - '1063' + + - name: 'e101-005-4' + mtu: 9000 + force10G: True + vlans: + - '1052' + - '1056' + - '1060' + - '1064' + + + + + - name: 'e101-006-1' + mtu: 9000 + force10G: True + vlans: + - '1065' + - '1069' + + - name: 'e101-006-2' + force10G: True + mtu: 9000 + vlans: + - '1066' + - '1070' + + - name: 'e101-006-3' + force10G: True + mtu: 9000 + vlans: + - '1067' + - '1071' + + - name: 'e101-006-4' + force10G: True + mtu: 9000 + vlans: + - '1068' + - '1072' + + +autobgp_interfaces: + + + - name: 'e101-007-1' + 
 mtu: 9000
+ force10G: True
+ - name: 'e101-007-2'
+ mtu: 9000
+ force10G: True
+ - name: 'e101-007-3'
+ mtu: 9000
+ force10G: True
+ - name: 'e101-007-4'
+ mtu: 9000
+ force10G: True
+
+ - name: 'e101-008-1'
+ mtu: 9000
+ force10G: True
+ - name: 'e101-008-2'
+ mtu: 9000
+ force10G: True
+ - name: 'e101-008-3'
+ mtu: 9000
+ force10G: True
+ - name: 'e101-008-4'
+ mtu: 9000
+ force10G: True
+
+ - name: 'e101-009-1'
+ mtu: 9000
+ force10G: True
+ - name: 'e101-009-2'
+ mtu: 9000
+ force10G: True
+ - name: 'e101-009-3'
+ mtu: 9000
+ force10G: True
+ - name: 'e101-009-4'
+ mtu: 9000
+ force10G: True
+
+ - name: 'e101-010-1'
+ mtu: 9000
+ force10G: True
+ - name: 'e101-010-2'
+ mtu: 9000
+ force10G: True
+ - name: 'e101-010-3'
+ mtu: 9000
+ force10G: True
+ - name: 'e101-010-4'
+ mtu: 9000
+ force10G: True
+
+
+
+
+ - name: 'e101-013-0'
+ mtu: 9000
+ - name: 'e101-014-0'
+ mtu: 9000
+ - name: 'e101-015-0'
+ mtu: 9000
+ - name: 'e101-016-0'
+ mtu: 9000
+ - name: 'e101-017-0'
+ mtu: 9000
+
+ - name: 'e101-019-0'
+ mtu: 9000
+ - name: 'e101-020-0'
+ mtu: 9000
+ - name: 'e101-021-0'
+ mtu: 9000
+
+ - name: 'e101-027-0'
+ mtu: 9000
+ auto40G: True
+ - name: 'e101-028-0'
+ mtu: 9000
+ auto40G: True
+ - name: 'e101-029-0'
+ mtu: 9000
+ auto40G: True
+ - name: 'e101-030-0'
+ mtu: 9000
+ auto40G: True
+ - name: 'e101-031-0'
+ mtu: 9000
+ auto40G: True
+ - name: 'e101-032-0'
+ mtu: 9000
+ auto40G: True
+
+breakout_ports:
+ - name: 'e101-001-0'
+ - name: 'e101-002-0'
+ - name: 'e101-003-0'
+ - name: 'e101-004-0'
+ - name: 'e101-005-0'
+ - name: 'e101-006-0'
+ - name: 'e101-007-0'
+ - name: 'e101-008-0'
+ - name: 'e101-009-0'
+ - name: 'e101-010-0'
+
+ - name: 'e101-018-0'
+
+ - name: 'e101-026-0'
+
+addressed_interfaces:
+ - name: 'e101-026-1'
+ mtu: 9000
+ ip_address: '10.251.251.21'
+ ip_netmask: '30'
+ force10G: True
+
+ - name: 'e101-018-1'
+ mtu: 9000
+ ip_address: '10.251.251.25'
+ ip_netmask: '30'
+ force10G: True
+
+frr_other_peers:
+ - name: "Services Router"
+ ip: "10.251.251.22"
+ remote_ASN: "64700"
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..c119a28
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,9 @@
+docker__edition: "ce"
+docker__apt_key_id: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88"
+docker__apt_key_server: "https://download.docker.com/linux/{{ ansible_distribution|lower }}/gpg" # yamllint disable-line rule:line-length
+docker__channel: "stable"
+docker__version: "latest"
+docker__apt_repository: >
+ deb [arch=amd64]
+ https://download.docker.com/linux/{{ ansible_distribution|lower }}
+ {{ ansible_distribution_release }} {{ docker__channel }}
\ No newline at end of file
diff --git a/files/bfdd.conf b/files/bfdd.conf
new file mode 100644
index 0000000..5c968e7
--- /dev/null
+++ b/files/bfdd.conf
@@ -0,0 +1 @@
+#Managed by asnible, do not configure manually
\ No newline at end of file
diff --git a/files/bgpd.conf b/files/bgpd.conf
new file mode 100644
index 0000000..5c968e7
--- /dev/null
+++ b/files/bgpd.conf
@@ -0,0 +1 @@
+#Managed by asnible, do not configure manually
\ No newline at end of file
diff --git a/files/daemons b/files/daemons
new file mode 100644
index 0000000..472ae9f
--- /dev/null
+++ b/files/daemons
@@ -0,0 +1,80 @@
+#Managed by asnible, do not configure manually
+#
+# Sample configurations for these daemons can be found in
+# /usr/share/doc/frr/examples/.
+#
+# ATTENTION:
+#
+# When activating a daemon for the first time, a config file, even if it is
+# empty, has to be present *and* be owned by the user and group "frr", else
+# the daemon will not be started by /etc/init.d/frr. The permissions should
+# be u=rw,g=r,o=.
+# When using "vtysh" such a config file is also needed. It should be owned by
+# group "frrvty" and set to ug=rw,o= though. Check /etc/pam.d/frr, too.
+#
+# The watchfrr and zebra daemons are always started.
+#
+bgpd=yes
+ospfd=no
+ospf6d=no
+ripd=no
+ripngd=no
+isisd=no
+pimd=no
+ldpd=no
+nhrpd=no
+eigrpd=no
+babeld=no
+sharpd=no
+pbrd=no
+bfdd=yes
+fabricd=no
+vrrpd=no
+
+#
+# If this option is set the /etc/init.d/frr script automatically loads
+# the config via "vtysh -b" when the servers are started.
+# Check /etc/pam.d/frr if you intend to use "vtysh"!
+#
+vtysh_enable=yes
+zebra_options=" -A 127.0.0.1 -s 90000000"
+bgpd_options=" -A 127.0.0.1"
+ospfd_options=" -A 127.0.0.1"
+ospf6d_options=" -A ::1"
+ripd_options=" -A 127.0.0.1"
+ripngd_options=" -A ::1"
+isisd_options=" -A 127.0.0.1"
+pimd_options=" -A 127.0.0.1"
+ldpd_options=" -A 127.0.0.1"
+nhrpd_options=" -A 127.0.0.1"
+eigrpd_options=" -A 127.0.0.1"
+babeld_options=" -A 127.0.0.1"
+sharpd_options=" -A 127.0.0.1"
+pbrd_options=" -A 127.0.0.1"
+staticd_options="-A 127.0.0.1"
+bfdd_options=" -A 127.0.0.1"
+fabricd_options="-A 127.0.0.1"
+vrrpd_options=" -A 127.0.0.1"
+
+# configuration profile
+#
+#frr_profile="traditional"
+#frr_profile="datacenter"
+
+#
+# This is the maximum number of FD's that will be available.
+# Upon startup this is read by the control files and ulimit
+# is called. Uncomment and use a reasonable value for your
+# setup if you are expecting a large number of peers in
+# say BGP.
+#MAX_FDS=1024
+
+# The list of daemons to watch is automatically generated by the init script.
+#watchfrr_options=""
+
+# for debugging purposes, you can specify a "wrap" command to start instead
+# of starting the daemon directly, e.g. to use valgrind on ospfd:
+# ospfd_wrap="/usr/bin/valgrind"
+# or you can use "all_wrap" for all daemons, e.g. to use perf record:
+# all_wrap="/usr/bin/perf record --call-graph -"
+# the normal daemon command is added to this at the end.
diff --git a/files/dockerfrr.sh b/files/dockerfrr.sh
new file mode 100644
index 0000000..dd663b9
--- /dev/null
+++ b/files/dockerfrr.sh
@@ -0,0 +1 @@
+docker exec -i -t frr /usr/bin/vtysh
\ No newline at end of file
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..1754d27
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart frr-docker
+ action: service name=frr-docker enabled=yes state=restarted
+
+- name: reload 99frr_defaults
+ action: shell /sbin/sysctl -p /etc/sysctl.d/99frr_defaults.conf
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..2bd21b6
--- /dev/null
+++ b/tasks/main.yml
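Review bot: The header comment misspells the tool (`#Managed by asnible, do not configure manually` should read `#Managed by ansible, do not configure manually`), and the same typo is in bgpd.conf and bfdd.conf in this commit. More substantively, `bfdd=yes` starts the BFD daemon, yet the frr.conf template in this commit enables `bfd` on no neighbor, so bfdd runs for nothing and presumably still opens its control sockets; either set `bfdd=no` until BFD is wired to the fabric peer-group, or add `neighbor fabric bfd` in the template. The `-A 127.0.0.1` bindings are the right choice, but because the container runs with `--net=host` those are the host's loopback, so if the VTY TCP ports are enabled in this build any local account can reach the daemons' vty; worth a comment on the `vtysh_enable` line noting that.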
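Review bot: dockerfrr.sh has no interpreter line, so it only runs when the invoking shell falls back to interpreting an ENOEXEC file itself; add `#!/bin/sh` as the first line. It also discards its arguments, so `dockerfrr.sh -c 'show bgp summary'` opens an interactive session instead of running the command; `exec docker exec -i -t frr /usr/bin/vtysh "$@"` passes them through. Since this wrapper hands a read-write vtysh on the routing daemon to anyone who can run `docker exec` (i.e. anyone with docker-socket access), a comment such as `# Opens a privileged vtysh session in the frr container; docker-socket access is equivalent to root here` would make that explicit.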
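Review bot: `reload 99frr_defaults` uses `shell` for a fixed command with no shell features; `command` (or the `sysctl` module with `sysctl_file` and `reload: yes`) avoids an unnecessary shell, e.g. `action: command /sbin/sysctl -p /etc/sysctl.d/99frr_defaults.conf`. Also note that `restart frr-docker` is notified by the frr.conf template task, and the unit's ExecStart in this commit removes and re-pulls the container, so every config change drops all BGP sessions on the host rather than reloading them; if that is not intended, a `vtysh -b` reload inside the container would be less disruptive, and either way a comment on the handler stating that a restart is a full container replacement would help the next person.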
@@ -0,0 +1,52 @@
+- name: Configure 99_frr_defaults.conf
+ action: template src=templates/99frr_defaults.conf.j2 dest=/etc/sysctl.d/99frr_defaults.conf backup=yes
+ notify:
+ - reload 99frr_defaults
+ tags: frr-docker
+
+- name: "Copy dockerfrr.sh shortcut script"
+ copy:
+ src: files/dockerfrr.sh
+ dest: /usr/sbin/dockerfrr.sh
+ mode: "+x"
+
+- name: "Configure /etc/frr"
+ file:
+ path: "/etc/frr/"
+ state: directory
+
+- name: "Copy daemons file"
+ copy:
+ src: daemons
+ dest: "/etc/frr/daemons"
+
+- name: "Copy bgpd.conf file"
+ copy:
+ src: bgpd.conf
+ dest: "/etc/frr/bgpd.conf"
+
+- name: "Copy bfdd.conf file"
+ copy:
+ src: bfdd.conf
+ dest: "/etc/frr/bfdd.conf"
+
+- name: "Configure frr.conf"
+ action: template src=templates/frr.conf.j2 dest=/etc/frr/frr.conf backup=yes
+ notify:
+ - restart frr-docker
+ when: ignore_frrconf is not defined
+ tags: frr-docker,frrconf
+
+- name: "Configure frr-docker.service"
+ action: template src=templates/frr-docker.service.j2 dest=/etc/systemd/system/frr-docker.service backup=yes
+ notify:
+ - restart frr-docker
+ tags: frr-docker
+
+- name: "Reload systemctl then enable & start frr-docker service"
+ systemd:
+ state: started
+ enabled: True
+ daemon_reload: yes
+ name: frr-docker.service
+ tags: frr-docker
\ No newline at end of file
diff --git a/templates/99frr_defaults.conf.j2 b/templates/99frr_defaults.conf.j2
new file mode 100644
index 0000000..bc170c4
--- /dev/null
+++ b/templates/99frr_defaults.conf.j2
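Review bot: The `copy` tasks for `/etc/frr/daemons`, `bgpd.conf` and `bfdd.conf` and the `frr.conf` template set no `owner`, `group` or `mode`, so the files land root-owned with whatever the umask gives; the daemons file shipped in this same commit says they must be owned by user and group `frr` with `u=rw,g=r,o=` or the daemons will not start, and a world-readable frr.conf would expose any BGP `password` added later. Add `owner: frr`, `group: frr`, `mode: "0640"` to each of those tasks (and `mode: "0750"` on the `/etc/frr/` directory task), bearing in mind the UID must match the `frr` user inside the container image — confirm against the image. `mode: "+x"` on `dockerfrr.sh` is a symbolic mode that adds execute for everyone on top of the default; an explicit `mode: "0755"` says what is meant. The service template in this commit bind-mounts `/var/log/frr/frr.log` but no task creates it, and Docker creates a missing bind-mount source as a directory, so add a `file` task with `path: /var/log/frr/frr.log`, `state: touch`, `owner: frr`, `group: frr`, `mode: "0640"` before the unit is started (or drop the mount, since the template logs to syslog).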
@@ -0,0 +1,42 @@
+# /etc/sysctl.d/99frr_defaults.conf
+# Place this file at the location above and reload the device.
+# or run the sysctl -p /etc/sysctl.d/99frr_defaults.conf
+# Enables IPv4/IPv6 Routing
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding=1
+# Routing
+net.ipv6.route.max_size=131072
+net.ipv4.conf.all.ignore_routes_with_linkdown=1
+net.ipv6.conf.all.ignore_routes_with_linkdown=1
+# Best Settings for Peering w/ BGP Unnumbered and OSPF Neighbors
+net.ipv4.conf.all.rp_filter = 0
+net.ipv4.conf.default.rp_filter = 0
+net.ipv4.conf.lo.rp_filter = 0
+net.ipv4.conf.all.forwarding = 1
+net.ipv4.conf.default.forwarding = 1
+net.ipv4.conf.default.arp_announce = 2
+net.ipv4.conf.default.arp_notify = 1
+net.ipv4.conf.default.arp_ignore=1
+net.ipv4.conf.all.arp_announce = 2
+net.ipv4.conf.all.arp_notify = 1
+net.ipv4.conf.all.arp_ignore=1
+net.ipv4.icmp_errors_use_inbound_ifaddr=1
+# Miscellaneous Settings
+# Keep ipv6 permanent addresses on an admin down
+net.ipv6.conf.all.keep_addr_on_down=1
+# igmp
+net.ipv4.igmp_max_memberships=1000
+net.ipv4.neigh.default.mcast_solicit = 10
+# MLD
+net.ipv6.mld_max_msf=512
+# Garbage Collection Settings for ARP and Neighbors
+net.ipv4.neigh.default.gc_thresh2=7168
+net.ipv4.neigh.default.gc_thresh3=8192
+net.ipv4.neigh.default.base_reachable_time_ms=14400000
+net.ipv6.neigh.default.gc_thresh2=3584
+net.ipv6.neigh.default.gc_thresh3=4096
+net.ipv6.neigh.default.base_reachable_time_ms=14400000
+# Use neigh information on selection of nexthop for multipath hops
+net.ipv4.fib_multipath_use_neigh=1
+# Allows Apps to Work with VRF
+net.ipv4.tcp_l3mdev_accept=1
\ No newline at end of file
diff --git a/templates/frr-docker.service.j2 b/templates/frr-docker.service.j2
new file mode 100644
index 0000000..06788ea
--- /dev/null
+++ b/templates/frr-docker.service.j2
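Review bot: `net.ipv4.conf.all.rp_filter = 0` and `net.ipv4.conf.default.rp_filter = 0` switch reverse-path filtering off on every interface, including the out-of-band management NIC the README in this commit configures separately as `OOBNET_NIC`, so spoofed-source packets arriving on management are no longer dropped by the kernel. The fabric links need it off for BGP unnumbered, but management does not; since the kernel uses the maximum of the `all` and per-interface values and `all` is 0 here, a guarded `{% if OOBNET_NIC is defined %}net.ipv4.conf.{{ OOBNET_NIC }}.rp_filter = 2{% endif %}` restores loose-mode filtering on that one interface without touching the fabric. Note the file contains no Jinja expressions at all, so as written it could just as well live under `files/` and be `copy`'d; and the header `# Place this file at the location above and reload the device.` is stale for an Ansible-managed file — `# Managed by ansible; reloaded by the 'reload 99frr_defaults' handler` reflects what actually happens.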
@@ -0,0 +1,20 @@
+
+[Unit]
+Description=Cumulus Frr Container
+After=docker.service network-online.target
+Requires=docker.service
+
+
+[Service]
+Restart=always
+TimeoutStartSec=0
+#One ExecStart/ExecStop line to prevent hitting bugs in certain systemd versions
+ExecStart=/bin/sh -c 'docker rm -f frr; \
+ docker pull registry.acs2.lan:5000/frrouting/frr; \
+ docker run -t --net=host --privileged --name frr -v /etc/frr/frr.conf:/etc/frr/frr.conf -v /etc/frr/daemons:/etc/frr/daemons -v /etc/frr/bgpd.conf:/etc/frr/bgpd.conf -v /etc/frr/bfdd.conf:/etc/frr/bfdd.conf -v /var/log/frr/frr.log:/var/log/frr/frr.log registry.acs2.lan:5000/frrouting/frr'
+ExecStop=-/bin/sh -c '/usr/bin/docker stop frr; \
+ /usr/bin/docker rm -f frr'
+
+
+[Install]
+WantedBy=multi-user.target
diff --git a/templates/frr.conf.j2 b/templates/frr.conf.j2
new file mode 100644
index 0000000..124644b
--- /dev/null
+++ b/templates/frr.conf.j2
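Review bot: The `docker run` in ExecStart combines `--privileged` with `--net=host`, so a memory-safety bug in bgpd — which parses UPDATE messages from every fabric peer — hands an attacker root-equivalent control of the host with no capability, device or namespace boundary at all. FRR typically needs `CAP_NET_ADMIN`, `CAP_NET_RAW` and `CAP_NET_BIND_SERVICE`, plus `CAP_SYS_ADMIN` only when VRFs/netns are used; prefer `--cap-add` for the set the image actually needs instead of `--privileged`, and confirm that set against the image. The image is re-pulled by bare name on every start (`docker pull registry.acs2.lan:5000/frrouting/frr`), so the routing daemon is whatever the registry serves as `:latest` at boot, and a `:5000` registry is presumably plain-HTTP; pin a tag or `@sha256:` digest and make sure the registry is only reachable over TLS, otherwise anyone on the path to the registry chooses the code that runs as root on every router. Finally, `-v /var/log/frr/frr.log:/var/log/frr/frr.log` is unused because frr.conf logs via `log syslog informational`, and Docker creates a missing bind-mount source as a directory, so either drop the mount or have the tasks create the file; `-t` without `-i` under systemd also allocates a pty for no reason and can be removed.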
@@ -0,0 +1,96 @@
+frr defaults datacenter
+hostname {{ansible_hostname}}
+!
+service integrated-vtysh-config
+!
+log syslog informational
+!
+{% if autobgp_interfaces is defined and autobgp_interfaces != [] %}
+{% for item in autobgp_interfaces %}
+interface {{ item['name'] }}
+ ipv6 nd ra-interval 10
+ no ipv6 nd suppress-ra
+!
+{% endfor %}
+{% endif %}
+
+
+router bgp {{host_ASN}}
+ bgp router-id {{host_loopback_IP}}
+ bgp bestpath as-path multipath-relax
+ bgp bestpath compare-routerid
+{% if autobgp_interfaces is defined and autobgp_interfaces != [] %}
+ neighbor fabric peer-group
+ neighbor fabric remote-as external
+ neighbor fabric description Internal Fabric Network
+ neighbor fabric capability extended-nexthop
+{% endif %}
+{% if addressed_interfaces is defined and addressed_interfaces != [] %}
+{% for item in addressed_interfaces %}
+{% if item['bgpPeerIP'] is defined %}
+ neighbor {{ item['bgpPeerIP'] }} remote-as {{ item['bgpPeerASN'] }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if autobgp_interfaces is defined and autobgp_interfaces != [] %}
+{% for item in autobgp_interfaces %}
+ neighbor {{ item['name'] }} interface peer-group fabric
+{% endfor %}
+{% endif %}
+{% if frr_other_peers is defined and frr_other_peers != [] %}
+{% for item in frr_other_peers %}
+ neighbor {{ item['ip'] }} remote-as {{ item['remote_ASN'] }}
+{% endfor %}
+{% endif %}
+ !
+ address-family ipv4 unicast
+ network {{host_loopback_IP}}/32
+{% if autobgp_interfaces is defined and autobgp_interfaces != [] %}
+ neighbor fabric activate
+ neighbor fabric prefix-list AS{{host_ASN}}-OUT out
+{% endif %}
+{% if frr_other_peers is defined and frr_other_peers != [] %}
+{% for item in frr_other_peers %}
+ neighbor {{ item['ip'] }} remote-as {{ item['remote_ASN'] }} prefix-list AS{{host_ASN}}-OUT out
+{% endfor %}
+{% endif %}
+{% if addressed_interfaces is defined and addressed_interfaces != [] %}
+{% for item in addressed_interfaces %}
+{% if item['bgpPeerIP'] is defined %}
+ neighbor {{ item['bgpPeerIP'] }} prefix-list AS{{host_ASN}}-OUT out
+{% endif %}
+{% endfor %}
+{% endif %}
+ exit-address-family
+ !
+ address-family ipv6 unicast
+ network {{host_loopback_IP_v6}}/128
+{% if frr_other_peers is defined and frr_other_peers != [] %}
+{% for item in frr_other_peers %}
+ neighbor {{ item['ip'] }} prefix-list AS{{host_ASN}}-OUT out
+{% endfor %}
+{% endif %}
+{% if autobgp_interfaces is defined and autobgp_interfaces != [] %}
+ neighbor fabric activate
+ neighbor fabric prefix-list AS{{host_ASN}}-OUT out
+{% endif %}
+{% if addressed_interfaces is defined and addressed_interfaces != [] %}
+{% for item in addressed_interfaces %}
+{% if item['bgpPeerIP'] is defined %}
+ neighbor {{ item['bgpPeerIP'] }} prefix-list AS{{host_ASN}}-OUT out
+{% endif %}
+{% endfor %}
+{% endif %}
+ exit-address-family
+ !
+ address-family l2vpn evpn
+ neighbor fabric activate
+ advertise-all-vni
+ advertise-default-gw
+ exit-address-family
+!
+ip prefix-list AS{{host_ASN}}-OUT seq 5 permit {{host_loopback_IP}}/32
+!
+ipv6 prefix-list AS{{host_ASN}}-OUT seq 5 permit {{host_loopback_IP_v6}}/128
+line vty
+!
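Review bot: No inbound policy is applied to any neighbor, and as far as I recall `frr defaults datacenter` leaves `ebgp-requires-policy` off, so every fabric, addressed and `frr_other_peers` neighbor can inject arbitrary prefixes — a default route or another host's /32 loopback — straight into this host's RIB; at minimum add `neighbor fabric maximum-prefix <n>` and an inbound prefix-list or route-map in each address-family, mirroring the existing `AS{{host_ASN}}-OUT` outbound pattern, and confirm the profile's policy default on the FRR version in the image. In the ipv4 address-family the `frr_other_peers` loop emits `neighbor {{ item['ip'] }} remote-as {{ item['remote_ASN'] }} prefix-list AS{{host_ASN}}-OUT out`, which is not a valid address-family command (`remote-as` belongs under `router bgp`, where it is already set); it should read `neighbor {{ item['ip'] }} prefix-list AS{{host_ASN}}-OUT out` like the ipv6 loop. The `address-family l2vpn evpn` block runs `neighbor fabric activate` unconditionally, but the `fabric` peer-group is only created inside `{% if autobgp_interfaces is defined and autobgp_interfaces != [] %}`, so a host without `autobgp_interfaces` (the first README example in this commit) renders a config referencing an undefined peer-group — wrap that block in the same guard. Likewise `{{host_loopback_IP_v6}}` is used unguarded in `network` and the `ipv6 prefix-list`, so a host that only sets `host_loopback_IP` fails to template; wrap those lines in `{% if host_loopback_IP_v6 is defined %}`.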