Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mgmt_vrf_namespace: management vrf using namespace solution #2405

Closed
wants to merge 26 commits into from
Closed

mgmt_vrf_namespace: management vrf using namespace solution #2405

wants to merge 26 commits into from

Conversation

kannankvs
Copy link
Collaborator

- What I did
Added support for management VRF using namespace solution.
Requirements that are covered are explained in the design document.

- How I did it
Added commands to enable/disable the management VRF. On enabling, it creates the management namespace, attached eth0 to management namespace, creates the required iptables rules and restarts the networking service.
Detailed design is explained in the design document.

- How to verify it
Use the following commands to enable/disable mgmt vrf and test the features.
config vrf add mgmt
config vrf del mgmt
config interface eth0 ip add ip/mask gatewayIP
Ex: config interface eth0 ip add 10.16.206.11/24 10.16.206.1

- Description for the changelog

pavel-shirshov
pavel-shirshov reviewed Dec 31, 2018
View reviewed changes
files/image_config/interfaces/delete-mgmt-vrf-iptables.sh Outdated

ip netns exec $VRFNAME iptables -t nat -D $IF_MGMT_VRF_CHAIN -p tcp --dport 80 -j DNAT --to-destination ${IF_IF2_IP}

ip netns exec $VRFNAME iptables -t nat -D $IF_MGMT_VRF_CHAIN -p tcp --dport 443 -j DNAT --to-destination ${IF_IF2_IP}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do we need nat rules?
why do you create rules for dports 20,21,69.80.443?

@lguohan
Copy link
Collaborator

lguohan commented Jan 2, 2019

I am not sure we should use namespace to address management vrf problem in sonic.

@batmancn batmancn mentioned this pull request Jan 3, 2019
Closed
This was referenced Jan 8, 2019
Closed
Closed
kevinwangsk and others added 17 commits January 8, 2019 11:09
@kevinwangsk @lguohan
[mellanox] Block the select function by default in get_transceiver_ch…
1acb671 
…ange_event() (#2422)

* Use default timeout value which will block the select function
* Submodule update for argument type issue in Select class

Submodule update sonic-swss-common:

e8caaea - Align the argument type with epoll_wait() (#255)
3ea133d - [selectable]: Update throw message (#253)

Signed-off-by: Kevin Wang <kevinw@mellanox.com>
@padmanarayana @lguohan
[devices]: Address Dell issue#46 : Adding MUX reset logic to fix prob…
14a0297 
…e failures (#2356)
@vharish02 @lguohan
[Dell] z9100 port qos & buffer changes of 0330 to master (#2266)
65f6253 
This commit has the forward porting of changes from 20180330
to master. Unit tested by checking the broadcom registers
for the values. The values in hardware reflect the correct values
except for TC to PFC priority group map values. Master branch values
for TC to PFC priority group map for both z9100 and s6100 in incorrect,
I have a build of Oct 12 master and the values are correct in
that build.

Signed-off-by: Harish Venkatraman <Harish_Venkatraman@Dell.com>
@lguohan
[devices]: Dell z9264f bringup (#2415)
1ffb34b 
* Updating Z9264f for A01 board

* Adding platform_reboot plugin to Z9264f

* Change execute mode for platform_reboot

* Indenting python files

* Adding missed service file

* Addressing code review comments

* Modified the polling logic in transceiver change event
@kannankvs
mgmt_vrf_namespace: management vrf using namespace solution
54af476
@kannankvs
mgmt_vrf_namespace_snmptrap: SNMPTrap enhancement on top of namespace…
993f7fd 
… solution for management vrf
@kannankvs
Merge branch 'mgmt_vrf_namespace' of https://github.com/kannankvs/son…
0effca1 
…ic-buildimage into mgmt_vrf_namespace
@kannankvs
Revert "[mellanox] update SAI,SDK,FW pointers (#2410)"
9973bd9 
This reverts commit 363951f.
@kannankvs
Revert "[barefoot]: updating deb package for platform and sai (#2413)"
088bfae 
This reverts commit b84dbd8.
@kannankvs
Revert "[Mellanox sfputil ] fix lpmode set failure on Mellanox platfo…
73fdb1b 
…rm (#2408)"

This reverts commit f0b2190.
@kannankvs
Revert "[docker-engine]: upgrade docker engine to 18.09 (#2417)"
30a2f5a 
This reverts commit b57a376.
@kannankvs
Revert "[submodules]: Update sairedis, utilities pointers (#2421)"
90e7457 
This reverts commit 584842d.
@kannankvs
Revert "[devices]: platform_reboot support for Dell S6100/Z9100 platf…
09fe027 
…orms (#2420)"

This reverts commit ab6a52f.
@kannankvs
Revert "[mellanox] Block the select function by default in get_transc…
da205fc 
…eiver_change_event() (#2422)"

This reverts commit 1acb671.
@kannankvs
Revert "[devices]: Address Dell issue#46 : Adding MUX reset logic to …
81dc85f 
…fix probe failures (#2356)"

This reverts commit 14a0297.
@kannankvs
Revert "[Dell] z9100 port qos & buffer changes of 0330 to master (#2266
74d0b4c 
…)"

This reverts commit 65f6253.
@kannankvs
Revert "[devices]: Dell z9264f bringup (#2415)"
2381263 
This reverts commit 1ffb34b.
@batmancn
Copy link

batmancn commented Jan 10, 2019
edited
Loading

- What I did
Added support for management VRF using namespace solution.
Requirements that are covered are explained in the design document.

- How I did it
Added commands to enable/disable the management VRF. On enabling, it creates the management namespace, attached eth0 to management namespace, creates the required iptables rules and restarts the networking service.
Detailed design is explained in the design document.

- How to verify it
Use the following commands to enable/disable mgmt vrf and test the features.
config vrf add mgmt
config vrf del mgmt
config interface eth0 ip add ip/mask gatewayIP
Ex: config interface eth0 ip add 10.16.206.11/24 10.16.206.1

- Description for the changelog

For 'config vrf add mgmt', is this PR 'sonic-net/sonic-utilities#422' ?

@batmancn
Copy link

batmancn commented Jan 10, 2019
edited
Loading

Added this patch, why I could not ssh onto SONiC, after restart network.

  • I'm on kernel 3.16

  • ping is OK

$ ping 172.18.8.213
PING 172.18.8.213 (172.18.8.213): 56 data bytes
64 bytes from 172.18.8.213: icmp_seq=0 ttl=62 time=4.716 ms
64 bytes from 172.18.8.213: icmp_seq=1 ttl=62 time=3.122 ms
  • This is sshd status
root@sonic:~# /etc/init.d/ssh status
� ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
   Active: active (running) since Thu 2016-11-10 18:42:51 UTC; 6min ago
  Process: 5496 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
  Process: 5910 ExecStartPre=/usr/local/bin/host-ssh-keygen.sh (code=exited, status=0/SUCCESS)
 Main PID: 5913 (sshd)
   CGroup: /system.slice/ssh.service

Nov 10 18:42:51 sonic systemd[1]: Started OpenBSD Secure Shell server.
Nov 10 18:42:51 sonic sshd[5913]: Server listening on 0.0.0.0 port 22.
  • This is sshd log
Nov 10 18:17:20.749788 sonic INFO sshd[354]: Server listening on 0.0.0.0 port 22.
Nov 10 18:17:21.962811 sonic INFO sshd[354]: Received SIGHUP; restarting.
Nov 10 18:17:21.973555 sonic INFO sshd[354]: Server listening on 0.0.0.0 port 22.
Nov 10 18:17:36.266890 sonic INFO sshd[354]: Received SIGHUP; restarting.
Nov 10 18:17:36.274502 sonic INFO sshd[354]: Server listening on 0.0.0.0 port 22.
Nov 10 18:17:37.518905 sonic INFO sshd[354]: Received SIGHUP; restarting.
Nov 10 18:17:37.527136 sonic INFO sshd[354]: Server listening on 0.0.0.0 port 22.
Nov 10 18:20:43.041321 sonic INFO sshd[354]: Received signal 15; terminating.
Nov 10 18:20:43.060297 sonic INFO sshd[5665]: Server listening on 0.0.0.0 port 22.
Nov 10 18:20:52.537150 sonic INFO sshd[5665]: Received signal 15; terminating.
Nov 10 18:20:52.563828 sonic INFO sshd[5684]: Server listening on 0.0.0.0 port 22.
Nov 10 18:41:38.805387 sonic INFO sshd[5684]: Received signal 15; terminating.
Nov 10 18:41:53.800973 sonic INFO sshd[5864]: Server listening on 0.0.0.0 port 22.
Nov 10 18:42:51.422850 sonic INFO sshd[5864]: Received signal 15; terminating.
Nov 10 18:42:51.441402 sonic INFO sshd[5913]: Server listening on 0.0.0.0 port 22.
  • This is some information
root@sonic:~# cat /etc/network/interfaces
auto if2
iface if2 inet manual
   peer-netns mgmt
   peer-iface if1
   configure-interfaces yes
   if1-ip 127.100.100.1
   if1-prefixlen 24
   if2-ip 127.100.100.2
   if2-prefixlen 24
   mgmt-vrf-chain MgmtVrfChain

root@sonic:~# ip netns exec mgmt iptables -L -t nat
target     prot opt source               destination
SNAT       tcp  --  anywhere             anywhere             to:127.100.100.1:62000-65000
SNAT       udp  --  anywhere             anywhere             to:127.100.100.1:62000-65000
MASQUERADE  all  --  anywhere             anywhere

Chain MgmtVrfChain (1 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:ssh to:127.100.100.2
DNAT       tcp  --  anywhere             anywhere             tcp dpt:ftp-data to:127.100.100.2
DNAT       tcp  --  anywhere             anywhere             tcp dpt:ftp to:127.100.100.2
DNAT       udp  --  anywhere             anywhere             udp dpt:snmp to:127.100.100.2
DNAT       udp  --  anywhere             anywhere             udp dpt:tftp to:127.100.100.2
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:127.100.100.2
DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:127.100.100.2
root@sonic:~# ip netns exec mgmt ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 50:6b:4b:27:b1:8e brd ff:ff:ff:ff:ff:ff
64: if1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 66:33:24:f4:f0:38 brd ff:ff:ff:ff:ff:ff
  • tcpdump show only ssh request exist
root@sonic:~# tcpdump -i if2 -nneA
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on if2, link-type EN10MB (Ethernet), capture size 262144 bytes
19:18:33.265169 66:33:24:f4:f0:38 > b2:73:99:81:78:79, ethertype IPv4 (0x0800), length 78: 127.100.100.1.62004 > 127.100.100.2.22: Flags [S], seq 4038145727, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1406601665 ecr 0,sackOK,eol], length 0
E..@y.@.=..f.dd..dd..4....6........................
S.      .........
19:18:49.479845 66:33:24:f4:f0:38 > b2:73:99:81:78:79, ethertype IPv4 (0x0800), length 78: 127.100.100.1.62004 > 127.100.100.2.22: Flags [S], seq 4038145727, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1406617665 ecr 0,sackOK,eol], length 0
E..@.u@.=..v.dd..dd..4....6..........\.............
S.HA........
19:19:22.867428 66:33:24:f4:f0:38 > b2:73:99:81:78:79, ethertype IPv4 (0x0800), length 62: 127.100.100.1.62004 > 127.100.100.2.22: Flags [S], seq 4038145727, win 65535, options [mss 1460,sackOK,eol], length 0
E..0    .@.=.m..dd..dd..4....6.....p...............
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
root@sonic:~#
  • Local iptables
root@sonic:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.18.0.0/16        anywhere    # If it's here??????

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

@batmancn
Copy link

And after reboot, could not work.

  • This is info
root@sonic:~# ip route
240.127.1.0/24 dev docker0  proto kernel  scope link  src 240.127.1.1
root@sonic:~# ip netns exec mgmt ip route
Cannot open network namespace "mgmt": No such file or directory

@kannankvs
Copy link
Collaborator Author

kannankvs commented Jan 10, 2019
edited
Loading

Since we faced some issues in raising pull requests on top of this pull request, we shall cancel this PR. New PR #2431 is raised. Once if it is decided to use namespace solution for management VRF, all the comments given in this PR will be addressed as part of PR#2431. This PR#2405 is cancelled. Similarly the related sonic-utilities PR PR 'sonic-net/sonic-utilities#422' is also cancelled.
The new PR on sonic-utilities is at sonic-net/sonic-utilities#431 that contains the configuration commands like "config vrf add/del mgmt".
PR#2431 together with PR#431 provides the complete support for namespace based management VRF solution.

@kannankvs kannankvs mentioned this pull request Jan 10, 2019
Open
@batmancn
Copy link

batmancn commented Jan 10, 2019
edited
Loading

Since we faced some issues in raising pull requests on top of this pull request, we shall cancel this PR. New PR #2431 is raised. Once if it is decided to use namespace solution for management VRF, all the comments given in this PR will be addressed as part of PR#2431. This PR#2405 is cancelled. Similarly the related sonic-utilities PR PR 'Azure/sonic-utilities#422' is also cancelled.
The new PR on sonic-utilities is at Azure/sonic-utilities#431 that contains the configuration commands like "config vrf add/del mgmt".
PR#2431 together with PR#431 provides the complete support for namespace based management VRF solution.

I read #2431 , I found it's maybe same code on vrf implementation. My kernel is 3.16, which I use 201807 branch.

Do your patch only work on kernel 4.x or above? refer this.

@kannankvs kannankvs closed this Jul 8, 2019
@kannankvs
Copy link
Collaborator Author

Closing the namespace PR.

vivekrnv added a commit to vivekrnv/sonic-buildimage that referenced this pull request Oct 20, 2022
@vivekrnv
[submodule] update sonic-utilities submodule
b814f04 
aedc05ecf [QoS] Support dynamic headroom calculation for Barefoot platforms (sonic-net#2306)
7f4da26f2 [app_ext] [auto-ts] Add available_mem_threshold option (sonic-net#2423)
b25070176 YANG Validation for ConfigDB Updates: Fix Decorator Bug (sonic-net#2405)
f62d1e596 [watermarkstat] Add new warning message for the 'q_shared_multi' counters (sonic-net#2408)
25fda264e [chassis]Add fabric counter cli commands (sonic-net#1860)
ae97e597e Update sonic command doc to add CLIs relative to SONiC fips (sonic-net#2377)
abd5eba49 [generate_dump]: Enhance show techsupport for cisco-8000 platform (sonic-net#2403)
ee15b74a2 Include configuring laser frequency and tx power (sonic-net#2437)
70be50cdc Add a subcommand to display a hexdump of transceiver EEPROM page (sonic-net#2379)
c246801ba Filter port invalid MTU configuration (sonic-net#2378)
362ec9bd7 [show] vnet advertised-route command (sonic-net#2390)
2372e2983 [show priority-group drop counters] Remove backup with cached PG drop counters after 'config reload' (sonic-net#2386)

Signed-off-by: Vivek Reddy Karri <vkarri@nvidia.com>
liat-grozovik pushed a commit that referenced this pull request Oct 23, 2022
@vivekrnv
[submodule] update sonic-utilities pointer (#12462)
2041e76 
aedc05ecf [QoS] Support dynamic headroom calculation for Barefoot platforms (#2306)
7f4da26f2 [app_ext] [auto-ts] Add available_mem_threshold option (#2423)
b25070176 YANG Validation for ConfigDB Updates: Fix Decorator Bug (#2405)
f62d1e596 [watermarkstat] Add new warning message for the 'q_shared_multi' counters (#2408)
25fda264e [chassis]Add fabric counter cli commands (#1860)
ae97e597e Update sonic command doc to add CLIs relative to SONiC fips (#2377)
abd5eba49 [generate_dump]: Enhance show techsupport for cisco-8000 platform (#2403)
ee15b74a2 Include configuring laser frequency and tx power (#2437)
70be50cdc Add a subcommand to display a hexdump of transceiver EEPROM page (#2379)
c246801ba Filter port invalid MTU configuration (#2378)
362ec9bd7 [show] vnet advertised-route command (#2390)
2372e2983 [show priority-group drop counters] Remove backup with cached PG drop counters after 'config reload' (#2386)

Signed-off-by: Vivek Reddy Karri <vkarri@nvidia.com>

Signed-off-by: Vivek Reddy Karri <vkarri@nvidia.com>
@aravindmani-1 aravindmani-1 mentioned this pull request Nov 18, 2022
Merged
7 tasks
mihirpat1 pushed a commit to mihirpat1/sonic-buildimage that referenced this pull request Jun 14, 2023
@link19430
[orchagent, SRv6]: mysid support to set default vrf (sonic-net#2405)
f139f12 
* [orchagent, SRv6]: mysid support to set default vrf
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pavel-shirshov pavel-shirshov pavel-shirshov left review comments

Assignees
No one assigned
Labels
Enhancement ➕
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.