Merge branch 'master' into ping-test

.github/workflows/integration.yaml

@@ -21,6 +21,14 @@ jobs:
       run: |
         [ -d "${GITHUB_WORKSPACE}" ] && sudo chown -R $USER:$USER ${GITHUB_WORKSPACE}
 
+    - name: Setup Containerlab
+      run: |
+        bash -c "$(curl -sL https://get.containerlab.dev)"
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        # we can remove desired version again after this fix was released: https://github.com/srl-labs/containerlab/pull/2000
+        DESIRED_VERSION: v0.52.0
+
     - name: Log in to the container registry
       uses: docker/login-action@v3
       with:
@@ -45,13 +53,17 @@ jobs:
         file: ./images/Dockerfile.vms
         push: true
         tags: ${{ env.MINI_LAB_VM_IMAGE }}
+        cache-from: type=registry,ref=${{ env.MINI_LAB_VM_IMAGE }}
+        cache-to: type=inline
 
     - name: Build and push mini-lab-sonic container
       uses: docker/build-push-action@v5
       with:
         context: ./images/sonic
         push: true
         tags: ${{ env.MINI_LAB_SONIC_IMAGE }}
+        cache-from: type=registry,ref=${{ env.MINI_LAB_SONIC_IMAGE }}
+        cache-to: type=inline
 
     - name: Run integration tests
       shell: bash
@@ -61,3 +73,4 @@ jobs:
       env:
         DOCKER_HUB_USER: ${{ secrets.DOCKER_HUB_USER }}
         DOCKER_HUB_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Makefile

@@ -14,25 +14,18 @@ CONTAINERLAB=$(shell which containerlab)
 # extra vars can be used by projects that built on the mini-lab, which want to override default configuration
 ANSIBLE_EXTRA_VARS_FILE := $(or $(ANSIBLE_EXTRA_VARS_FILE),)
 
-MINI_LAB_FLAVOR := $(or $(MINI_LAB_FLAVOR),default)
+MINI_LAB_FLAVOR := $(or $(MINI_LAB_FLAVOR),sonic)
 MINI_LAB_VM_IMAGE := $(or $(MINI_LAB_VM_IMAGE),ghcr.io/metal-stack/mini-lab-vms:latest)
 MINI_LAB_SONIC_IMAGE := $(or $(MINI_LAB_SONIC_IMAGE),ghcr.io/metal-stack/mini-lab-sonic:latest)
 
 MACHINE_OS=ubuntu-22.04
 MAX_RETRIES := 10
 
-# Check: https://sonic-build.azurewebsites.net/ui/sonic/pipelines
-SONIC_REMOTE_IMG := https://sonic-build.azurewebsites.net/api/sonic/artifacts?branchName=202211&platform=vs&target=target%2Fsonic-vs.img.gz
-
 # Machine flavors
-ifeq ($(MINI_LAB_FLAVOR),default)
+ifeq ($(MINI_LAB_FLAVOR),cumulus)
 LAB_MACHINES=machine01,machine02
 LAB_TOPOLOGY=mini-lab.cumulus.yaml
 VRF=vrf20
-else ifeq ($(MINI_LAB_FLAVOR),cluster-api)
-LAB_MACHINES=machine01,machine02,machine03
-LAB_TOPOLOGY=mini-lab.cumulus.yaml
-VRF=vrf20
 else ifeq ($(MINI_LAB_FLAVOR),sonic)
 LAB_MACHINES=machine01,machine02
 LAB_TOPOLOGY=mini-lab.sonic.yaml
@@ -89,7 +82,10 @@ partition: partition-bake
 
 .PHONY: partition-bake
 partition-bake:
-	# docker pull $(MINI_LAB_VM_IMAGE)
+	docker pull $(MINI_LAB_VM_IMAGE)
+ifeq ($(MINI_LAB_FLAVOR),sonic)
+	docker pull $(MINI_LAB_SONIC_IMAGE)
+endif
 	@if ! sudo $(CONTAINERLAB) --topo $(LAB_TOPOLOGY) inspect | grep -i leaf01 > /dev/null; then \
 		sudo --preserve-env $(CONTAINERLAB) deploy --topo $(LAB_TOPOLOGY) --reconfigure && \
 		./scripts/deactivate_offloading.sh; fi
@@ -131,7 +127,8 @@ cleanup-control-plane:
 .PHONY: cleanup-partition
 cleanup-partition:
 	mkdir -p clab-mini-lab
-	sudo $(CONTAINERLAB) destroy --topo $(LAB_TOPOLOGY)
+	sudo $(CONTAINERLAB) destroy --topo mini-lab.cumulus.yaml
+	sudo $(CONTAINERLAB) destroy --topo mini-lab.sonic.yaml
 
 .PHONY: _privatenet
 _privatenet: env
@@ -151,6 +148,19 @@ ls: env
 
 ## SWITCH MANAGEMENT ##
 
+.PHONY: ssh-leafconfig
+ssh-leafconfig:
+	@grep "Host leaf01" ~/.ssh/config || echo -e "Host leaf01\n    StrictHostKeyChecking no\n    IdentityFile $(shell pwd)/files/ssh/id_rsa\n" >>~/.ssh/config
+	@grep "Host leaf02" ~/.ssh/config || echo -e "Host leaf02\n    StrictHostKeyChecking no\n    IdentityFile $(shell pwd)/files/ssh/id_rsa\n" >>~/.ssh/config
+
+.PHONY: docker-leaf01
+docker-leaf01:
+	@echo "export DOCKER_HOST=ssh://root@leaf01/var/run/docker.sock"
+
+.PHONY: docker-leaf02
+docker-leaf02:
+	@echo "export DOCKER_HOST=ssh://root@leaf02/var/run/docker.sock"
+
 .PHONY: ssh-leaf01
 ssh-leaf01:
 	ssh -o StrictHostKeyChecking=no -o "PubkeyAcceptedKeyTypes +ssh-rsa" -i files/ssh/id_rsa root@leaf01
@@ -258,6 +268,3 @@ dev-env:
 	@echo "export METALCTL_API_URL=http://api.172.17.0.1.nip.io:8080/metal"
 	@echo "export METALCTL_HMAC=metal-admin"
 	@echo "export KUBECONFIG=$(KUBECONFIG)"
-
-sonic-vs.img:
-	curl --location --output - "${SONIC_REMOTE_IMG}" | gunzip > sonic-vs.img

deploy_partition.yaml

@@ -16,12 +16,6 @@
       tags: sonic
 
 - name: Configure Cumulus switches
-  hosts: leaves:&cumulus
-  roles:
-    - name: metal-roles/partition/roles/leaf
-      tags: leaf
-
-- name: Deploy docker on Cumulus switches
   hosts: leaves:&cumulus
   pre_tasks:
     # the following task is not required as long as we do not install something from the cumulus repositories, for which all the keys are expired now
@@ -36,6 +30,8 @@
     - name: install apt-transport
       shell: dpkg -i /root/https-deps/*.deb && apt-get install -fy
   roles:
+    - name: cumulus
+      tags: cumulus
     - name: metal-roles/partition/roles/docker-on-cumulus
       tags: docker-on-cumulus
 

images/sonic/Dockerfile

@@ -1,17 +1,21 @@
 FROM ubuntu:22.04
 
 ENV LIBGUESTFS_BACKEND=direct
+# Check: https://sonic-build.azurewebsites.net/ui/sonic/pipelines
+ENV SONIC_REMOTE_IMG=https://sonic-build.azurewebsites.net/api/sonic/artifacts?branchName=202211&platform=vs&target=target%2Fsonic-vs.img.gz
 
 RUN apt-get update && \
     apt-get --no-install-recommends install --yes \
+        curl \
         linux-image-5.15.0-102-generic \
         net-tools \
         ovmf \
         python3 \
         python3-guestfs \
         qemu-system-x86 \
         telnet \
-        tini
+        tini && \
+    curl --location --output - "${SONIC_REMOTE_IMG}" | gunzip > sonic-vs.img
 
 ENTRYPOINT ["/usr/bin/tini", "--"]
 

inventories/group_vars/all/ci.yaml

@@ -2,3 +2,5 @@
 metal_registry_auth_enabled: "{{ lookup('env', 'CI') | default(false, true) | bool }}"
 metal_registry_auth_user: "{{ lookup('env', 'DOCKER_HUB_USER') | default('', true) }}"
 metal_registry_auth_password: "{{ lookup('env', 'DOCKER_HUB_TOKEN') | default('', true) }}"
+
+github_runner_token: "{{ lookup('env', 'GITHUB_TOKEN') | default('', true) }}"

inventories/group_vars/control-plane/metal.yml

@@ -11,17 +11,19 @@ metal_api_admin_key: metal-admin
 
 metal_api_nsq_tcp_address: nsqd:4150
 
+metal_api_latest_os_image_release_name: "{{ (lookup('url', 'https://api.github.com/repos/metal-stack/metal-images/releases/latest', headers=({'authorization': 'Bearer ' + github_runner_token} if github_runner_token else {})) | from_json).get('name') }}"
+
 metal_api_images:
-- id: firewall-ubuntu-3.0.20230710
-  name: Firewall 3 Ubuntu 20230710
-  description: Firewall 3 Ubuntu 20230710
-  url: https://images.metal-stack.io/metal-os/20230710/firewall/3.0-ubuntu/img.tar.lz4
+- id: firewall-ubuntu-3.0
+  name: Firewall 3 Ubuntu
+  description: Firewall 3 Ubuntu Latest Release
+  url: https://images.metal-stack.io/metal-os/{{ metal_api_latest_os_image_release_name }}/firewall/3.0-ubuntu/img.tar.lz4
   features:
     - firewall
-- id: ubuntu-22.04.20230710
-  name: Ubuntu 22.04 20230710
-  description: Ubuntu 22.04 20230710
-  url: https://images.metal-stack.io/metal-os/20230710/ubuntu/22.04/img.tar.lz4
+- id: ubuntu-22.04
+  name: Ubuntu 22.04
+  description: Ubuntu 22.04 Latest Release
+  url: https://images.metal-stack.io/metal-os/{{ metal_api_latest_os_image_release_name }}/ubuntu/22.04/img.tar.lz4
   features:
     - machine
 

inventories/partition.yaml

@@ -38,3 +38,8 @@ leaves:
     ansible_python_interpreter: /usr/bin/python
     ansible_user: root
     ansible_ssh_private_key_file: "{{ playbook_dir }}/files/ssh/id_rsa"
+
+cumulus:
+  vars:
+    router_enable_static_route_leak: true
+sonic:

mini-lab.sonic.yaml

@@ -14,7 +14,6 @@ topology:
       binds:
         - /dev:/dev
         - files/ssh/id_rsa.pub:/authorized_keys
-        - sonic-vs.img:/sonic-vs.img
     leaf02:
       kind: linux
       image: ${MINI_LAB_SONIC_IMAGE}
@@ -23,7 +22,6 @@ topology:
       binds:
         - /dev:/dev
         - files/ssh/id_rsa.pub:/authorized_keys
-        - sonic-vs.img:/sonic-vs.img
     inet:
       kind: linux
       image: quay.io/frrouting/frr:9.1.0

roles/cumulus/defaults/main.yaml

@@ -0,0 +1,5 @@
+---
+router_enable_mgmt_vrf: true
+router_enable_static_route_leak: false
+
+router_nameservers: []

roles/cumulus/files/99control_plane_catch_all.rules

@@ -0,0 +1,36 @@
+#
+# Note: These are catch-all rules that shall be last in the over all rule set.
+#
+
+INGRESS_INTF = swp+
+
+INGRESS_CHAIN = INPUT
+
+
+
+[iptables]
+
+-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type LOCAL -j POLICE --set-mode pkt --set-rate 1000 --set-burst 10000 --set-class 2
+
+-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 30000 --set-burst 70000 --set-class 2
+
+-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j SETCLASS --class 0
+
+
+[ip6tables]
+
+-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type LOCAL -j POLICE --set-mode pkt --set-rate 1000 --set-burst 1000 --set-class 2
+
+-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100 --set-class 2
+
+-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j SETCLASS --class 0
+
+
+[ebtables]
+
+-A $INGRESS_CHAIN -p ipv4 --in-interface $INGRESS_INTF -j ACCEPT
+-A $INGRESS_CHAIN -p ipv6 --in-interface $INGRESS_INTF -j ACCEPT
+-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j setclass --class 0
+# ipv4 multicast misses
+-A $INGRESS_CHAIN -p ipv4 -d 01:00:5e:00:00:00/ff:ff:ff:80:00:00 -j police --set-mode pkt --set-rate 100 --set-burst 100
+-A $INGRESS_CHAIN -j police --set-mode pkt --set-rate 100 --set-burst 100

roles/cumulus/files/bridgemac.json

@@ -0,0 +1,7 @@
+{
+  "bridge": {
+    "module_globals": {
+      "bridge_mac_iface": ["eth0", "eth1"]
+    }
+  }
+}

roles/cumulus/files/daemons

@@ -0,0 +1,2 @@
+bgpd=yes
+zebra=yes

roles/cumulus/files/frr-validation@.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Trigger a validation run of a frr configuration file %I
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/vtysh --dryrun --inputfile %I
+StandardOutput=journal
+
+[Install]
+WantedBy=multi-user.target