From 7ff9bf3513e6cc1474b2eacba07d60d6612f7fe4 Mon Sep 17 00:00:00 2001 From: Gerrit91 Date: Thu, 2 May 2024 12:21:07 +0200 Subject: [PATCH] Revert, I misinterpreted it.
--- roles/leaf/tasks/main.yaml | 2 +- roles/router/defaults/main.yaml | 5 ++ .../files/99control_plane_catch_all.rules | 36 ++++++++ roles/router/files/daemons | 2 + roles/router/files/frr-validation@.service | 10 +++ roles/router/files/ifreload.service | 10 +++ .../files/interfaces-validation@.service | 10 +++ roles/router/files/lldpd.d/portsubtype.conf | 2 + roles/router/files/lldpd.d/tx-interval.conf | 1 + roles/router/handlers/main.yaml | 50 +++++++++++ roles/router/tasks/main.yaml | 85 +++++++++++++++++++ roles/router/tasks/mgmt_vrf.yaml | 22 +++++ roles/router/tasks/switch_plane.yaml | 14 +++ roles/router/templates/ports.conf.j2 | 5 ++ roles/router/templates/resolv.conf.j2 | 3 + 15 files changed, 256 insertions(+), 1 deletion(-) create mode 100644 roles/router/defaults/main.yaml create mode 100644 roles/router/files/99control_plane_catch_all.rules create mode 100644 roles/router/files/daemons create mode 100644 roles/router/files/frr-validation@.service create mode 100644 roles/router/files/ifreload.service create mode 100644 roles/router/files/interfaces-validation@.service create mode 100644 roles/router/files/lldpd.d/portsubtype.conf create mode 100644 roles/router/files/lldpd.d/tx-interval.conf create mode 100644 roles/router/handlers/main.yaml create mode 100644 roles/router/tasks/main.yaml create mode 100644 roles/router/tasks/mgmt_vrf.yaml create mode 100644 roles/router/tasks/switch_plane.yaml create mode 100644 roles/router/templates/ports.conf.j2 create mode 100644 roles/router/templates/resolv.conf.j2
diff --git a/roles/leaf/tasks/main.yaml b/roles/leaf/tasks/main.yaml
index c7af3fb3..5fec8349 100644
--- a/roles/leaf/tasks/main.yaml
+++ b/roles/leaf/tasks/main.yaml
@@ -1,7 +1,7 @@ --- - name: configure leaf include_role: - name: metal-roles/partition/roles/router + name: router vars: router_enable_static_route_leak: true
diff --git a/roles/router/defaults/main.yaml b/roles/router/defaults/main.yaml
new file mode 100644
index 00000000..8d7b1500
--- /dev/null
+++ b/roles/router/defaults/main.yaml
@@ -0,0 +1,5 @@
+---
+router_enable_mgmt_vrf: true
+router_enable_static_route_leak: false
+
+router_nameservers: []
diff --git a/roles/router/files/99control_plane_catch_all.rules b/roles/router/files/99control_plane_catch_all.rules
new file mode 100644
index 00000000..d469ae8e
--- /dev/null
+++ b/roles/router/files/99control_plane_catch_all.rules
@@ -0,0 +1,36 @@
+#
+# Note: These are catch-all rules that shall be last in the over all rule set.
+#
+
+INGRESS_INTF = swp+
+
+INGRESS_CHAIN = INPUT
+
+
+
+[iptables]
+
+-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type LOCAL -j POLICE --set-mode pkt --set-rate 1000 --set-burst 10000 --set-class 2
+
+-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 30000 --set-burst 70000 --set-class 2
+
+-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j SETCLASS --class 0
+
+
+[ip6tables]
+
+-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type LOCAL -j POLICE --set-mode pkt --set-rate 1000 --set-burst 1000 --set-class 2
+
+-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100 --set-class 2
+
+-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j SETCLASS --class 0
+
+
+[ebtables]
+
+-A $INGRESS_CHAIN -p ipv4 --in-interface $INGRESS_INTF -j ACCEPT
+-A $INGRESS_CHAIN -p ipv6 --in-interface $INGRESS_INTF -j ACCEPT
+-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j setclass --class 0
+# ipv4 multicast misses
+-A $INGRESS_CHAIN -p ipv4 -d 01:00:5e:00:00:00/ff:ff:ff:80:00:00 -j police --set-mode pkt --set-rate 100 --set-burst 100
+-A $INGRESS_CHAIN -j police --set-mode pkt --set-rate 100 --set-burst 100
diff --git a/roles/router/files/daemons b/roles/router/files/daemons
new file mode 100644
index 00000000..c86f9822
--- /dev/null
+++ b/roles/router/files/daemons
@@ -0,0 +1,2 @@
+bgpd=yes
+zebra=yes
\ No newline at end of file
diff --git a/roles/router/files/frr-validation@.service b/roles/router/files/frr-validation@.service
new file mode 100644
index 00000000..d2e9e276
--- /dev/null
+++ b/roles/router/files/frr-validation@.service
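Review bot: The header comment at the top of 99control_plane_catch_all.rules only says these are catch-all rules; it does not record why the IPv4 policer limits (LOCAL burst 10000, IPROUTER rate 30000 / burst 70000) differ from the IPv6 ones (1000 / 1000 and 400 / 100), which appear to be the stock Cumulus values. These numbers bound how many packets destined to the switch CPU are accepted before being dropped, so an operator tuning them later cannot tell which side is the deliberate deviation and whether both were meant to move together. I would extend the header with a line such as `# IPv4 LOCAL/IPROUTER policers are raised above the IPv6 values because <reason>; review both when changing either` with the actual rationale filled in.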
@@ -0,0 +1,10 @@
+[Unit]
+Description=Trigger a validation run of a frr configuration file %I
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/vtysh --dryrun --inputfile %I
+StandardOutput=journal
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/router/files/ifreload.service b/roles/router/files/ifreload.service
new file mode 100644
index 00000000..a71205a4
--- /dev/null
+++ b/roles/router/files/ifreload.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Trigger Interface Reload with ifreload
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ifreload -v -a
+StandardOutput=journal
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/router/files/interfaces-validation@.service b/roles/router/files/interfaces-validation@.service
new file mode 100644
index 00000000..9df7795b
--- /dev/null
+++ b/roles/router/files/interfaces-validation@.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Trigger a validation of a network interfaces file %I
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ifup --syntax-check --verbose --all --interfaces %I
+StandardOutput=journal
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/router/files/lldpd.d/portsubtype.conf b/roles/router/files/lldpd.d/portsubtype.conf
new file mode 100644
index 00000000..c54ba139
--- /dev/null
+++ b/roles/router/files/lldpd.d/portsubtype.conf
@@ -0,0 +1,2 @@
+configure lldp portidsubtype macaddress
+
diff --git a/roles/router/files/lldpd.d/tx-interval.conf b/roles/router/files/lldpd.d/tx-interval.conf
new file mode 100644
index 00000000..44c7ec2b
--- /dev/null
+++ b/roles/router/files/lldpd.d/tx-interval.conf
@@ -0,0 +1 @@
+configure lldp tx-interval 10
diff --git a/roles/router/handlers/main.yaml b/roles/router/handlers/main.yaml
new file mode 100644
index 00000000..b4c228f3
--- /dev/null
+++ b/roles/router/handlers/main.yaml
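Review bot: frr-validation@.service carries an `[Install]` section with `WantedBy=multi-user.target`, yet it is a oneshot template unit whose instance name `%I` is a file path, and nothing in this commit enables or starts an instance of it (tasks/main.yaml only copies the unit and validates frr.conf directly through `validate: '/usr/bin/vtysh --dryrun --inputfile %s'`). The same applies to ifreload.service and interfaces-validation@.service in the next two hunks. If the units are meant to be started on demand, I would drop the `[Install]` section so an accidental `systemctl enable` does not schedule a validation run or an interface reload at boot, or otherwise add a comment above `[Unit]` such as `# Started on demand via systemctl start; not intended to be enabled.`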
@@ -0,0 +1,50 @@
+---
+- name: reload systemd
+ systemd:
+ daemon_reload: yes
+
+- name: reload sysctl
+ command: sysctl --system
+
+- name: restart switchd
+ service:
+ name: switchd.service
+ enabled: true
+ state: restarted
+
+- name: reload interfaces
+ shell: sleep 3; ifreload -a
+ async: 1
+ poll: 0
+ notify: wait for new connection
+
+- name: wait for new connection
+ wait_for_connection:
+ connect_timeout: 20
+ sleep: 5
+ delay: 5
+ timeout: 300
+
+- name: reload frr
+ service:
+ name: frr
+ enabled: true
+ state: reloaded
+
+- name: restart frr
+ service:
+ name: frr
+ enabled: true
+ state: restarted
+
+- name: lldpd restart
+ service:
+ name: lldpd
+ enabled: true
+ state: restarted
+
+- name: restart ntp@mgmt
+ service:
+ name: ntp@mgmt
+ enabled: true
+ state: restarted
diff --git a/roles/router/tasks/main.yaml b/roles/router/tasks/main.yaml
new file mode 100644
index 00000000..734a48d6
--- /dev/null
+++ b/roles/router/tasks/main.yaml
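Review bot: `daemon_reload: yes` in the `reload systemd` handler is a YAML 1.1 truthy string, while every other boolean in this file is written as `true` (`enabled: true`); write it as `daemon_reload: true` so yamllint's truthy rule and a YAML 1.2 loader agree with the intent. Separately, the `reload interfaces` handler runs `sleep 3; ifreload -a` with `async: 1` and `poll: 0`, so its exit status is discarded and a reload that fails outright is only noticed if the notified `wait for new connection` handler times out after its 300 s `timeout`. If that trade-off is intended because the reload may drop the SSH session, it deserves a comment above the `shell:` line, e.g. `# fire-and-forget: ifreload may drop this session; success is inferred by wait for new connection`.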
@@ -0,0 +1,85 @@
+---
+- name: configure mgmt vrf
+ import_tasks: mgmt_vrf.yaml
+ when: router_enable_mgmt_vrf
+
+- name: configure switch plane
+ import_tasks: switch_plane.yaml
+ when: ports is defined
+
+- name: flush handlers
+ meta: flush_handlers
+
+- name: install services
+ copy:
+ src: "{{ item }}"
+ dest: "/etc/systemd/system/{{ item }}"
+ notify: reload systemd
+ with_items:
+ - frr-validation@.service
+ - interfaces-validation@.service
+ - ifreload.service
+
+- name: copy lldpd configs
+ copy:
+ src: lldpd.d/
+ dest: /etc/lldpd.d/
+ notify: lldpd restart
+
+- name: check if lldpd has the correct portidsubtype setting
+ shell: lldpcli show configuration | grep subtype
+ register: lldpd_subtype_check
+ changed_when: false
+
+- name: trigger lldpd restart if portidsubtype setting is wrong
+ service:
+ name: lldpd
+ state: restarted
+ when: ("macaddress" not in lldpd_subtype_check.stdout)
+
+- name: populate service facts
+ service_facts:
+
+- name: render interfaces configuration
+ template:
+ src: interfaces.j2
+ dest: /etc/network/interfaces
+ validate: '/sbin/ifup --syntax-check --all --interfaces %s'
+ notify: reload interfaces
+ when: "ansible_facts.services['metal-core.service'] is not defined"
+
+- name: render custom interfaces configuration section
+ copy:
+ content: "{{ custom_interface_section }}"
+ dest: /etc/network/interfaces.d/99_custom.intf
+ validate: '/sbin/ifup --syntax-check --all --interfaces %s'
+ notify: reload interfaces
+ when: custom_interface_section is defined
+
+- name: render resolv.conf
+ template:
+ src: resolv.conf.j2
+ dest: /etc/resolv.conf
+ notify: reload interfaces
+
+- name: enable frr daemons
+ copy:
+ src: daemons
+ dest: /etc/frr/daemons
+ notify: restart frr
+
+- name: render frr configuration
+ template:
+ src: frr.conf.j2
+ dest: /etc/frr/frr.conf
+ validate: '/usr/bin/vtysh --dryrun --inputfile %s'
+ tags: frr
+ register: frr_rendered
+ notify: reload frr
+ when: "ansible_facts.services['metal-core.service'] is 
not defined"
+
+- name: set hostname
+ nclu:
+ commands:
+ - add hostname {{ metal_partition_id }}-{{ inventory_hostname }}
+ commit: true
diff --git a/roles/router/tasks/mgmt_vrf.yaml b/roles/router/tasks/mgmt_vrf.yaml
new file mode 100644
index 00000000..5451e7bd
--- /dev/null
+++ b/roles/router/tasks/mgmt_vrf.yaml
@@ -0,0 +1,22 @@
+---
+- name: check if mgmt vrf is active
+ shell: vrf list | grep mgmt
+ changed_when: false
+ failed_when: false
+ register: mgmt_vrf_exists
+
+- name: activate mgmt vrf; drops connections
+ nclu:
+ commands:
+ - add vrf mgmt
+ commit: true
+ async: 1
+ poll: 0
+ when: mgmt_vrf_exists.rc != 0
+
+- name: wait for new connection
+ wait_for_connection:
+ connect_timeout: 20
+ sleep: 2
+ delay: 6
+ timeout: 60
diff --git a/roles/router/tasks/switch_plane.yaml b/roles/router/tasks/switch_plane.yaml
new file mode 100644
index 00000000..6ccb1203
--- /dev/null
+++ b/roles/router/tasks/switch_plane.yaml
@@ -0,0 +1,14 @@
+---
+- name: render ports.conf
+ template:
+ src: ports.conf.j2
+ dest: /etc/cumulus/ports.conf
+ notify: restart switchd
+
+- name: enable static route leak to apply hardware support
+ replace:
+ path: /etc/cumulus/switchd.conf
+ regexp: '#vrf_route_leak_enable = FALSE'
+ replace: 'vrf_route_leak_enable = TRUE'
+ when: router_enable_static_route_leak
+ notify: restart switchd
diff --git a/roles/router/templates/ports.conf.j2 b/roles/router/templates/ports.conf.j2
new file mode 100644
index 00000000..238f4970
--- /dev/null
+++ b/roles/router/templates/ports.conf.j2
@@ -0,0 +1,5 @@
+# ports.conf --
+# = [4x10G|4x25G|2x50G|40G|50G|100G]
+{% for key, value in ports|dictsort %}
+{{ key }}={{ value }}
+{% endfor %}
diff --git a/roles/router/templates/resolv.conf.j2 b/roles/router/templates/resolv.conf.j2
new file mode 100644
index 00000000..41c31ff2
--- /dev/null
+++ b/roles/router/templates/resolv.conf.j2
@@ -0,0 +1,3 @@
+{% for ns in router_nameservers %}
+nameserver {{ ns }}
+{% endfor %}
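Review bot: The `check if lldpd has the correct portidsubtype setting` task in tasks/main.yaml runs `shell: lldpcli show configuration | grep subtype` without `failed_when: false`, so on a host where no line matches, grep exits 1 and the play aborts before the following `trigger lldpd restart if portidsubtype setting is wrong` task — the very case that task exists for; mgmt_vrf.yaml in this same commit already guards its own grep with `failed_when: false`, so add `failed_when: false` next to `changed_when: false` here too. Separately, `render resolv.conf` has no `when:` guard, and with the default `router_nameservers: []` from defaults/main.yaml the template renders an empty file over /etc/resolv.conf, silently discarding whatever resolver configuration the host had; unless an empty resolv.conf is intended, guard it with `when: router_nameservers | length > 0`. This hunk begins on the previous physical line; the task list is otherwise visible in full.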
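Review bot: `shell: vrf list | grep mgmt` in the `check if mgmt vrf is active` task of mgmt_vrf.yaml is a substring match, so any VRF whose name merely contains `mgmt` makes `mgmt_vrf_exists.rc` zero and the `add vrf mgmt` step is skipped; `shell: vrf list | grep -w mgmt` pins it to the exact name. The `wait for new connection` task at the end also runs unconditionally, adding at least its 6 s `delay` to every run even when no VRF was created; giving it the same `when: mgmt_vrf_exists.rc != 0` as the activation task ties the wait to the one step that actually drops the connection.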
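Review bot: The `enable static route leak to apply hardware support` task in switch_plane.yaml only rewrites the literal `#vrf_route_leak_enable = FALSE`, so on a switchd.conf where the key is already uncommented but set to FALSE, or written with different spacing, it is a silent no-op and the setting is never enforced even though `router_enable_static_route_leak` is true. A `lineinfile` task with `regexp: '^#?\s*vrf_route_leak_enable\s*='` and `line: 'vrf_route_leak_enable = TRUE'` (same `path:`, `when:` and `notify:`) enforces the desired state regardless of the file's prior contents. It is also worth a comment that nothing reverts the setting when the flag is false, if that is intentional.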