$ ifquery -a
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
vrf mgmt
link-down yes
auto mgmt
iface mgmt
vrf-table auto
$ ifup -a -d
...
...
debug: mgmt: pre-up : running module vrf
info: executing /usr/lib/vrf/vrf-helper create mgmt 1001
debug: mgmt: eth0: slave configured with link-down yes
info: mgmt: netlink: ip link set dev mgmt up
...
$ ip link show eth0
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master mgmt state DOWN mode DEFAULT group default qlen 1000
link/ether 08:00:27:80:e2:97 brd ff:ff:ff:ff:ff:ff
Reviewed-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
In linux its possible to assign an ip address to a vlan-aware bridge
For some use cases is it useful to restrict users from configuring ips on
bridges VA. This patch will let admins and distributions decide if it is
necessary to warn the user in such case.
The patch introduces a new configuration variable in:
/etc/network/ifudpown2/ifupdown2.conf
vlan_aware_bridge_address_support: yes|no|on|off|0|1 (default to yes)
[8:30:41] root:~ # cat /etc/network/ifupdown2/ifupdown2.conf | grep "vlan_aware_bridge_address_support"
[8:30:43] root:~ # ifquery bridge
auto bridge
iface bridge
bridge-ports swp1
bridge-vlan-aware yes
address 10.10.10.10
[8:30:46] root:~ # ifup bridge --syntax-check
[8:30:52] root:~ # echo $?
0
[8:30:54] root:~ # echo "vlan_aware_bridge_address_support=no" >> /etc/network/ifupdown2/ifupdown2.conf
[8:31:11] root:~ # ifup bridge --syntax-check
warning: bridge: ignoring ip address. Assigning an IP address is not allowed on bridge vlan aware interfaces
[8:31:14] root:~ # echo $?
1
[8:31:17] root:~ #
[8:31:20] root:~ # ifup -a
[8:31:22] root:~ # echo $?
0
[8:31:25] root:~ # ifquery bridge -c
auto bridge
iface bridge [fail]
bridge-vlan-aware yes [pass]
bridge-ports swp1 [pass]
address 10.10.10.10 [fail]
[8:31:29] root:~ # ifdown bridge && ifup bridge -v |& grep "bridge vlan aware interfaces"
info: bridge: ignoring ip address. Assigning an IP address is not allowed on bridge vlan aware interfaces
[8:31:57] root:~ #
Reviewed-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
Now that some system support ip addr METRIC sets we dont have to do this
"fix_connected_route" hack. The hack was previously introduced to make
sure the primary address was the first in the routing table. Some events
could cause some issues like having the macvlan address first in the
routing table. In that case the macvlan needs to be flapped. This shouldn't
happen when we are able to set the address metric
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
[14:53:46] root:~ # ifquery -a
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto vlan1903
iface vlan1903
alias LAB-CUST-VMS
vlan-id 1903
vlan-raw-device bridge
address 2a06:c01:1:1903::3/64
address 185.98.123.3/24
address-virtual 00:00:5e:00:01:a3 2a06:c01:1:1903::1/64 fe80::1/64 185.98.123.1/24
vrf public
auto public
iface public
vrf-table auto
auto bridge
iface bridge
bridge-ports swp1
[14:53:47] root:~ # ifup -a
[14:53:50] root:~ # ip addr show vlan1903-v0
46: vlan1903-v0@vlan1903: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master public state UP group default
link/ether 00:00:5e:00:01:a3 brd ff:ff:ff:ff:ff:ff
inet 185.98.123.1/24 scope global vlan1903-v0
valid_lft forever preferred_lft forever
inet6 2a06:c01:1:1903::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::200:5eff:fe00:1a3/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::1/64 scope link
valid_lft forever preferred_lft forever
[14:53:52] root:~ #
[14:53:54] root:~ #
[14:53:54] root:~ # nano /etc/network/interfaces
[14:53:57] root:~ # ifquery vlan1903
auto vlan1903
iface vlan1903
alias LAB-CUST-VMS
vlan-id 1903
vlan-raw-device bridge
address 2a06:c01:1:1903::3/64
address 185.98.123.3/24
address-virtual 00:00:5e:00:01:a3 2a06:c01:1:1903::1/64 fe80::1/64 185.98.123.1/24
address-virtual-ipv6-addrgen off
vrf public
[14:54:05] root:~ # ifdown -a -X eth0
[14:54:08] root:~ # ifup -a -v
...
...
info: executing /bin/ip -force -batch - [link set dev vlan1903-v0 master public
link set dev vlan1903-v0 addrgenmode none
link set dev vlan1903-v0 down
link set dev vlan1903-v0 address 00:00:5e:00:01:a3
link set dev vlan1903-v0 up
addr add 2a06:c01:1:1903::1/64 dev vlan1903-v0
addr add fe80::1/64 dev vlan1903-v0
addr add 185.98.123.1/24 dev vlan1903-v0
route del 2a06:c01:1:1903::/64 table 1001 dev vlan1903-v0
route del fe80::/64 table 1001 dev vlan1903-v0
route add 2a06:c01:1:1903::/64 table 1001 dev vlan1903-v0 proto kernel metric 9999
route add fe80::/64 table 1001 dev vlan1903-v0 proto kernel metric 9999
]
...
...
[14:54:14] root:~ # ip addr show vlan1903-v0
50: vlan1903-v0@vlan1903: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master public state UP group default
link/ether 00:00:5e:00:01:a3 brd ff:ff:ff:ff:ff:ff
inet 185.98.123.1/24 scope global vlan1903-v0
valid_lft forever preferred_lft forever
inet6 2a06:c01:1:1903::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::1/64 scope link
valid_lft forever preferred_lft forever
[14:54:16] root:~ #
Reviewed-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
backporting the following commit to master-next:
commit eb92e5efff776602081b8bbd2cc74462293c4b79
Author: Maximilian Wilhelm <max@rfc2324.org>
Date: Thu Oct 6 19:22:06 2016 +0200
Add support for setting phys-dev for VXLAN interfaces.
Add interface configuration option »vxlan-physdev« to set »dev« attribute
of VXLAN interfaces and a check for the running configuration.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
This backport also:
- adds support for ifquery --running
- uses the netlink cache
- includes some pep8 fixes
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Co-authored-by: Julien Fortin <julien@cumulusnetworks.com>
Co-authored-by: Maximilian Wilhelm <max@rfc2324.org>
this has been upstreamed recently in linux kernel, with
IFLA_BRPORT_NEIGH_SUPPRESS, with 32 as netlink value.
https://www.spinics.net/lists/linux-ethernet-bridging/msg06910.html
Cumulus is using a temp 152 number in his own kernel.
This is needed for bgp evpn and anycast gateway.
auto vmbr3
iface vmbr3
bridge_ports vxlan3
bridge_stp off
bridge_fd 0
auto vxlan3
iface vxlan3 inet manual
vxlan-id 3
vxlan-local-tunnelip 10.59.100.231
bridge-learning off
bridge-arp-nd-suppress on
info: reading '/sys/class/net/vmbr3/bridge/stp_state'
debug: vmbr3: evaluating port expr '['vxlan3']'
debug: _cache_get(['vxlan3', 'hwaddress']) : ['hwaddress']
debug: reading '/sys/class/net/vxlan3/address'
info: writing '1' to file /proc/sys/net/ipv6/conf/vxlan3/disable_ipv6
info: executing /bin/ip -force -batch - [link set dev vxlan3 master vmbr3
addr flush dev vxlan3
]
info: vmbr3: applying bridge port configuration: ['vxlan3']
info: vmbr3: vxlan3: set bridge-learning off
debug: (cache None)
info: vmbr3: vxlan3: set bridge-arp-nd-suppress on
debug: (cache None)
info: vmbr3: vxlan3: vxlan learning and bridge learning out of sync: set False
info: vxlan3: netlink: ip link set dev vxlan3: bridge slave attributes
debug: vxlan3: ifla_info_data {7: False}
debug: vxlan3: ifla_info_slave_data {8: False, 152: True}
This is a major update coming all at once from master-next branch
master-next branch was started with --orphan option which is basically a new
branch without history.
The major changes are:
- repackaging
- cleanup the directory tree
- rewritte setup.py to allow install from deb file or pypi (pip install)
- add a Makefile to make things (like building a deb) easier
- review all debian files
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
ifupdown2 code was one level deeper because ifupdown2 initially
had ifupdown2 and ifupdown2-addons as two separate packages.
Since they were combined into one package, it makes sense to
move all combined code under the top level directory
Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
This patch moved policymanager.py and python-ifupdown2.preinst
to their correct locations. A previous patch incorrectly added
these files to the wrong path.
Testing Done: built new ifupdown package and ran testifupdown2 suite of tests
This patch prevents enslaved interfaces from having IP addresses.
(cherry picked from commit 0c00606fbc76db11557a8e946310e93a2b376aa7)
Testing Done: built ifupdown2 deb and tested on switch
This patch adds man page mention of undocumented (but working)
option to exclude interfaces from a reload (-X option)
(cherry picked from commit 0358905782a4c0290a967d6f730fdcb27f2af3d9)
skip deconfiguring interfaces
Testing Done: Tested 'service networking stop' during system reboot and shutdown
(cherry picked from commit ac231e966a04eb78153d9b53f0d236a149c7bba5)
(cherry picked from commit 496b5b0176df9d3be05021c93e917afb195ee799)
Testing Done: tested master and 2.5_br images with testifupdown2 suite and hand tested
This patch creates a json defaults file upon bootup
(which can be overridden by customer configs in /etc)
which the ethtool module in ifupdown2 will consult
when "link-x" configs are removed in order to restore
them to the initial settings used by the switch.
(cherry picked from commit 8388664f5a5a85f2a813cafbf40ac92d7b86f4bf)
Conflicts:
packages/cl-utilities/dist-packages/cumulus/portconfig.py
packages/cl-utilities/usrlib/update-ports
tests/tests/smoke/testifupdown2.py
Testing Done: Tested with test case in the bug and other orders
kernel(upstream and us) does not seem to honor the vidinfo flags
during the deletes. Hence, this reordering becomes necessary.
tested with the example in the bug and also some other examples.
code wise this combines two existing methods but leaves the two existing methods
around for future use. Will remove them if they become completely
unnecessary.
(cherry picked from commit 992906e0771b7415cbd8c03563a99a8f050415bd)
(cherry picked from commit 1ad488b44e1a9a0e059765e8ee4a19164b386dfe)
down all changed interfaces
Testing Done: Tested man page
(cherry picked from commit 93ecf73b22d317dcf2a0924030f34f008fc25c33)
(cherry picked from commit 73d846c447d575a72822abd5ac5d5d758e9686e5)
sections for that interface changed
Testing Done: tested ifreload with new iface section
problem stmt:
if the user adds a new section for an existing interface, I mark the
interface for down.
Basically the below:
if len(newifaceobjlist) != len(lastifaceobjlist):
ifacedownlist.append(ifname)
continue
You rarely need to add a new section to the interfaces file. It is not
recommended even by the user guide.
sankaran was trying to add a new address. Which he could have added to
the same iface section.
But, looking at his trivial example, i am thinking of not marking an
interface for down if the user merely tried to add a new section to an
existing interface
(cherry picked from commit 65c62c02981cf6e2677b18c0aafcb3f2bd737b1b)
(cherry picked from commit 4453b1921fc3f8e959131cb5e1b9e79e0433cc08)
Testing Done: build and tested man page
(cherry picked from commit 540aa30332a3c49e8a2be2c3975a3a24dbbf1209)
(cherry picked from commit 9426b13318950a6d285e6dcc1844d8cdc0d140df)
Testing Done: of course none ;) Will update when I have some time to test
fupdown2's postinst and postrm scripts do not conform to Debian's policy
for maintainer scripts [1]. Specific non-conformance follows:
* fixed maintainer scripts so they only use /bin/sh as other shells are
non-essential packages and may not exist on the system
* fixed maintainer scripts so only actions specified by $1 are performed
per run of the script
* fixed maintainer scripts to only support specific values for $1, and
will otherwise exit with error
* included at the bottom of the postrm script the "#DEBHELPER#" tag as
during package building debianhelper will inject extra code at this
location
[1] https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html
(cherry picked from commit 2289fe4e90a0134fcb07fe7e2e838de755d73e68)
ifdown behaviour.
Testing Done: tested ifreload evo test case
ifreload_down_changed is 0 by default which will make
sure ifreload will not execute down on changed interfaces
but only on deleted interfaces making it non-disruptive.
some notes from CCR:
ifreload was designed to be an optimization for 'service networking
restart' or 'ifdown -a + ifup -a'.
essentially it is a combination of 'ifdown + ifup' with some smarts in
which interfaces it will execute ifdown on.
By default it does the below:
ifdown all interfaces that were deleted from the interfaces file
ifdown all interfaces that were changed from the last time they were
ifup'ed
ifup -a (execute ifup on all interfaces marked auto)
Did not realize people will use ifreload as much as they do today. Also,
they may execute it on a production box when changes are made. ifdown on a production box can be
disruptive because if the ifdown which is part of the ifreload.
To have a non-disruptive option to ifreload, 2.5 added a new option -c
that only executed 'ifup' on all interfaces. Thus reloading all auto +
any other interfaces that were once brought up on the box (essentially
all interfaces present in the saved state file). This by default did not
do anything to the interfaces that got deleted from the file. But had an
ifupdown2.conf toggle to do so.
Looking at the evo use case, they do want to use a single command that
modifies, adds, deletes with
minimum disruption. we can achieve maybe what they want with multiple
commands (But there is also a case of a bug in the build evo is running
which makes it not so easy ).
This patch fixes the bug and also tries to change the default ifreload
behaviour controllable via a variable in ifupdown2.conf.
when ifreload_down_changed=0 in ifupdown2.conf, ifreload will only
ifdown interfaces that were deleted
from the file but not the ones that changed. subsequent ifup as part of
ifreload on the interfaces
that changed will apply the delta. And ifreload_down_changed default
value is '0'.
WIth the patch, ifreload by default will do the below (going back to the
previous default is just a toggle in the ifupdown.conf file):
ifdown all interfaces that were deleted from the interfaces file
ifup -a (execute ifup on all interfaces marked auto)
It sounds like a big change of behaviour for a hotfix release, but
essentially the patch just moves a few things around. And the change in
behaviour is so subtle that it is not very visible.
It just makes it non-disruptive.
(cherry picked from commit 2f7977834d4912a69159d27e54ba201f58a321d8)
(cherry picked from commit 09f283009e7de62ef1d258de81c94cc86fa13323)
(cherry picked from commit 898562e0e2284ccdc201dafc62b25b928037e0c6)
Testing Done: Tested with shared slaves in bridge and bonds
(cherry picked from commit 6f990450001d367a775681a29cdce74f862f7848)
(cherry picked from commit 8d9a5107112628ee8434e227dff49a0ef09966ee)
Testing Done: tested ifreload with example in the bug
ifdown of the bridge svi was following the lowerdev and downing the
bridge. kernel implicitly deletes all svi's on bridge down.
ifup of the bridge usually handles it, but a change done in 2.5.1
was causing it not to. Thinking about this some more, its safe
to not follow dependents on down during a ifreload. This patch does
just that.
(cherry picked from commit 03f7a376aee944b4037b7b7b02a5096e9360f79e)
(cherry picked from commit aac5777ecc7d367ada0681f813fbec7f78fa80ee)
Testing Done: tested bridge and bonds with interfaces with configs
Both bridge and mstpctl modules set priv_flags on interfaces
that have configs (like link-speed) even when used as bridge-ports.
And this collision causes statemanager.ifaceobj_sync() to never get called
because ifaceobj.priv_flags is 1 (we return immediately):
The fix was to create a new iface module_flags array to carry module info.
(cherry picked from commit 56924fef20984fd959939bf7f17c3dd6fd6b137a)
(cherry picked from commit 28d96f7643e2885b1f9c17ad9324a6dbb1b0f8c7)
In addition fixed up the Debian maintainer scripts to prevent a
potential upgrade failure, discussion follows:
The Cause For the upgrade Failure
=================================
A commit introduced changes to
ifupdown2's package maintainer scripts to override some files provided
by the bridge-utils and udev packages as they conflict with ifupdown2.
The change to ifupdown2's postrm script is currently causing the script
to exit with a failure code if the following files do not exist on the
box:
/etc/udev/rules.d/80-networking.rules
/etc/udev/rules.d/60-bridge-network-interface.rules
The reason for this is in how the script is written.
Since the postrm script is configured to exit on the first command
failure, the "set -e" on line 3, the commands on lines 20 and 22 will
fail if the files being looked for do not exist, causing the script to
exit with a non-zero exit code. Causing apt to fail the upgrade.
.postrm script excerpt
----------
20 udevlink=$(readlink /etc/udev/rules.d/80-networking.rules 2>/dev/null)
21 [ -n "$udevlink" -a "$udevlink" == "/dev/null" ] && rm -f /etc/udev/rules.d/80-networking.rules
22 udevlink=$(readlink /etc/udev/rules.d/60-bridge-network-interface.rules 2>/dev/null)
23 [ -n "$udevlink" -a "$udevlink" == "/dev/null" ] && rm -f /etc/udev/rules.d/60-bridge-network-interface.rules
----------
Solution
--------
The solution requires having the newer version of the ifupdown2 package
provide a preinst script that gets run before the older package's postrm
script is run[1,2]. This gives us the opportunity to quietly fix the
problem. We also fix the postrm script in newer versions of the package
so it cannot bomb out in this way.
Finally, removed what appears to be a poor merge from commit
5f5d84e3261bf70dd3541666a3d3a7f817727ce6.
Fixes: 8959e8e4ec93487228733b17ef2b220ed47c1260
(cherry picked from commit 0eab79eb5aed4cdf0674e3f0ddad3631dd457bdc)
Conflicts:
packages/cl-utilities/debian/postinst
packages/cl-utilities/debian/prerm
Replaced vxlan-peernodeip attribute with vxlan-remoteip. Updated
the vxlan and iproute2 modules to configure head end replication
using bridge fdb commands.
(cherry picked from commit 567f445fc4a1828fc2aac0da3f2402a185656cb5)
Conflicts:
packages/ifupdown2/addons/vxlan.py
packages/ifupdown2/ifupdownaddons/iproute2.py
Conflicts:
ifupdown2/addons/vxlan.py
ifupdown2/ifupdownaddons/iproute2.py
MTU settings are defaulted 1500 when interface is ifdowned.
This has the effect of changing the MTU on the interface and any subinterfaces to
1500. And if these subinterfaces are in a bridge, the bridge will pick the MIN MTU
so the bridge keeps this MTU even after the interface is brought back up. The sub
interface does not change to a higher value then 1500 (kernel VLAN driver only
moves the MTU is the decreasing direction.
(cherry picked from commit 70e67ab15efb13e1499288152d801b39f28a190b)
(cherry picked from commit 56238543a980e983957a180c583b9412c3ab48ab)
Corrected a minor error in how we handle unsupported config attributes.
Instead of
error: not enough arguments for format string
we will now print this:
warning: peerlink.4000: unsupported attribute 'clagd-foobar'
(cherry picked from commit 44c6004a33d59ee234f8ee3d5f450e158c9e5bdc)
(cherry picked from commit f2c2321301d05e88d3c9ab9c26e6d4e256c884e9)
