Mgmt vrf namespace2 #431
Mgmt vrf namespace2 #431
Conversation
…n with all changes together
…n with all changes together:SNMPTrap Config File
…n with all changes together:SNMPTrap fix
…n with all changes together:Fix CLI
config/main.py
Outdated
| def vrf_add_management_vrf(): | ||
| """Enable management vrf""" | ||
|
|
||
| cmd = 'sonic-cfggen -d --var-json "MGMT_VRF_CONFIG"' |
There was a problem hiding this comment.
@pavel-shirshov
pavel-shirshov 11 days ago Contributor
Is it possible to read this address from the config DB?
Why do you read using sonic-cfggen, but write directly to DB?
Yes we can read it from config DB
There was a problem hiding this comment.
@pavel-shirshov : Addressed your comment. Removed cfggen and used config DB Read.
config/main.py
Outdated
|
|
||
| cmd = 'sonic-cfggen -d --var-json "MGMT_VRF_CONFIG"' | ||
| p = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) | ||
| res = p.communicate() |
There was a problem hiding this comment.
@pavel-shirshov
pavel-shirshov 11 days ago Contributor
I'd extract subprocess.Popen chunk as a function, otherwise you have a lot of duplicate code
Will change
There was a problem hiding this comment.
@pavel-shirshov : Addressed your comment. Removed cfggen and used config DB Read. Hence, there is no duplicate code for Popen chunk.
| if address in network: | ||
| return True | ||
| else: | ||
| return False |
There was a problem hiding this comment.
@pavel-shirshov
pavel-shirshov 11 days ago Contributor
return address in network ?
This function checks if the address is in network range or not so returning true/false.
config/main.py
Outdated
| @@ -876,14 +1052,42 @@ def ip(ctx): | |||
|
|
|||
| @ip.command() | |||
| @click.argument("ip_addr", metavar="<ip_addr>", required=True) | |||
| @click.argument('gw1', metavar='<default gateway IP address>', required=False) | |||
There was a problem hiding this comment.
@pavel-shirshov
pavel-shirshov 11 days ago Contributor
should we use gw here? Why gw1?
We will change
There was a problem hiding this comment.
@pavel-shirshov : Addressed your comment. Changed gw1 to gw.
config/main.py
Outdated
| """Add an IP address towards the interface""" | ||
| config_db = ctx.obj["config_db"] | ||
| interface_name = ctx.obj["interface_name"] | ||
|
|
||
| if interface_name.startswith("Ethernet"): | ||
| config_db.set_entry("INTERFACE", (interface_name, ip_addr), {"NULL": "NULL"}) | ||
| elif interface_name.startswith("eth0"): |
There was a problem hiding this comment.
@pavel-shirshov
pavel-shirshov 11 days ago Contributor
It could match interface 'eth01'. I think it's better to compare to 'eth' here
Will address this.
There was a problem hiding this comment.
@pavel-shirshov : Addressed your comment. Changed "startswith eth0", to "exact match for eth0"
config/main.py
Outdated
| @@ -903,6 +1107,8 @@ def remove(ctx, ip_addr): | |||
|
|
|||
| if interface_name.startswith("Ethernet"): | |||
| config_db.set_entry("INTERFACE", (interface_name, ip_addr), None) | |||
| elif interface_name.startswith("eth0"): | |||
There was a problem hiding this comment.
@pavel-shirshov
pavel-shirshov 11 days ago Contributor
interface_name ==
Will address this.
There was a problem hiding this comment.
@pavel-shirshov : Addressed your comment. Changed "startswith eth0", to "exact match for eth0"
…n to configDB, (2) changed gw1 to gw and (3) interface_name startswith eth0 changed to compare with eth0
|
no more valid |
- What I did
Added support for management VRF using namespace solution.
Requirements that are covered are explained in the design document. Enhancements required to support tacacs and snmptrap are also added. Enhanced the configuration for using --use-mgmt-vrf for tacacs server & snmptrap server configuration on top of namespace based solution for management VRF to configure the required rules for namespace solution.
Two PRs are raised, one for sonic-buildimage (sonic-net/sonic-buildimage#2431) and other for sonic-utilities (this PR#431).
- How I did it
Added commands to enable/disable the management VRF. On enabling, it creates the management namespace, attached eth0 to management namespace, creates the required iptables rules and restarts the networking service. Detailed design is explained in the design document https://github.com/kannankvs/mvrf_namespace/blob/master/Management%20VRF%20Design%20Document%20Namespace.md. Namespace solution requires DNAT as explained in the design document. hostcfgd is enhanced to support maximum of 10 tacacs servers. Mapping between the user configured tacacs server IP/port and internally used local IP/port are maintained in this file for adding and deleting those NAT rules. For supporting snmptrap configuration, enhanced main.py & created sonic_snmp_trap_conf.py to configure the snmptrap server IP address/port and enhanced the file docker_image_ctl.j2 to create the required /usr/bin/snmp.sh script that adds the required DNAT rules during snmp service restart process.
- How to verify it
Use the following commands to enable/disable mgmt vrf and test the basic management VRF features.
config vrf add mgmt
config vrf del mgmt
config interface eth0 ip add ip/mask gatewayIP
Ex: config interface eth0 ip add 10.16.206.11/24 10.16.206.1
Using the above configuration, all applications like Ping, SSH, SCP, apt-get, etc., can be tested on management VRF using “ip netns exec mgmt COMMAND” as explained in the design document.
Use the following steps to test tacacs.
(a) config aaa authentication login tacacs+
(b) config tacacs authtype login
(c) config tacacs passkey testing123
(d) config tacacs add --use-mgmt-vrf serveripaddress
Use the following steps to test snmptrap.