diff --git a/releasenotes/notes/add_tripleo_frr_role-793d53d11eded3bf.yaml b/releasenotes/notes/add_tripleo_frr_role-793d53d11eded3bf.yaml
new file mode 100644
index 000000000..e0daa730d
--- /dev/null
+++ b/releasenotes/notes/add_tripleo_frr_role-793d53d11eded3bf.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Added a new role ``tripleo_frr`` to configure FRR service instances.
+ FRR daemons ``zebra``, ``watchfrr``, ``bgpd`` and ``bfdd`` can be enabled.
diff --git a/tripleo_ansible/roles/tripleo_frr/defaults/main.yml b/tripleo_ansible/roles/tripleo_frr/defaults/main.yml
new file mode 100644
index 000000000..2f821ac50
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_frr/defaults/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# All variables intended for modification should be placed in this file.
+
+# All variables within this role should have a prefix of "tripleo_frr"
+
+tripleo_frr_bfd: false
+tripleo_frr_bgp: false
+tripleo_frr_bgp_ipv4: true
+tripleo_frr_bgp_ipv4_allowas_in: false
+tripleo_frr_bgp_ipv6: true
+tripleo_frr_bgp_ipv6_allowas_in: false
+tripleo_frr_bgp_uplinks_scope: internal
+tripleo_frr_config_basedir: "/var/lib/config-data/ansible-generated/frr"
+tripleo_frr_hostname: "{{ ansible_hostname }}"
+tripleo_frr_log_level: informational
+tripleo_frr_watchfrr: true
+tripleo_frr_zebra: false
+tripleo_frr_bgp_ipv4_default_src_map: {}
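Review bot: The defaults list in defaults/main.yml omits `tripleo_frr_bgp_asn` and `tripleo_frr_bgp_uplinks`, which templates/frr.conf.j2 references, and none of the variables carries a comment, so a user of the role cannot tell from this file which inputs are required or what a value such as `tripleo_frr_bgp_uplinks_scope: internal` selects. I would add a commented entry for each required input, e.g. `# tripleo_frr_bgp_asn: <ASN>  (required when tripleo_frr_bgp is true)` and `# tripleo_frr_bgp_uplinks: []  (interface names used for BGP peering)`. A one-line comment above `tripleo_frr_bgp_ipv4_default_src_map` saying that it maps a hostname to the source address set on the IPv4 default route would also help, since the template only uses it that way.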
diff --git a/tripleo_ansible/roles/tripleo_frr/meta/main.yml b/tripleo_ansible/roles/tripleo_frr/meta/main.yml
new file mode 100644
index 000000000..35bd9559a
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_frr/meta/main.yml
@@ -0,0 +1,42 @@
+---
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+galaxy_info:
+ author: OpenStack
+ description: TripleO OpenStack Role -- tripleo_frr
+ company: Red Hat
+ license: Apache-2.0
+ min_ansible_version: 2.7
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ platforms:
+ - name: CentOS
+ versions:
+ - 7
+ - 8
+
+ galaxy_tags:
+ - tripleo
+
+
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.
+dependencies: []
diff --git a/tripleo_ansible/roles/tripleo_frr/tasks/main.yml b/tripleo_ansible/roles/tripleo_frr/tasks/main.yml
new file mode 100644
index 000000000..184306846
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_frr/tasks/main.yml
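Review bot: In meta/main.yml, `min_ansible_version: 2.7` does not match tasks/main.yml, which calls modules by fully qualified collection name (`ansible.builtin.file`, `ansible.builtin.template`); as far as I know that syntax needs a newer Ansible than 2.7. The value is also an unquoted float, so a later bump to 2.10 would be read as 2.1. Writing it quoted, e.g. `min_ansible_version: '2.9'` or whichever release the role is actually tested against, avoids both problems.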
@@ -0,0 +1,62 @@
+---
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: create directory {{ tripleo_frr_config_basedir }}
+ become: true
+ ansible.builtin.file:
+ path: "{{ tripleo_frr_config_basedir }}/etc/frr"
+ recurse: true
+ state: directory
+ selevel: s0
+ setype: container_file_t
+
+- name: configure FRR
+ become: true
+ ansible.builtin.template:
+ src: frr.conf.j2
+ dest: "{{ tripleo_frr_config_basedir }}/etc/frr/frr.conf"
+ mode: '640'
+ selevel: s0
+ setype: container_file_t
+ register: _frr_config_result
+
+- name: configure FRR daemons
+ become: true
+ ansible.builtin.template:
+ src: daemons.j2
+ dest: "{{ tripleo_frr_config_basedir }}/etc/frr/daemons"
+ mode: '640'
+ selevel: s0
+ setype: container_file_t
+ register: _frr_daemons_result
+
+- name: restart FRR
+ when:
+ - _frr_config_result.changed or _frr_daemons_result.changed
+ block:
+ - name: check if tripleo_frr systemd service is active
+ become: true
+ shell: systemctl is-active --quiet tripleo_frr
+ failed_when: false
+ register: frr_active_service
+
+ - name: restart frr container
+ become: true
+ systemd:
+ name: tripleo_frr
+ state: restarted
+ when:
+ - frr_active_service.rc == 0
diff --git a/tripleo_ansible/roles/tripleo_frr/templates/daemons.j2 b/tripleo_ansible/roles/tripleo_frr/templates/daemons.j2
new file mode 100644
index 000000000..a09f02b1c
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_frr/templates/daemons.j2
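Review bot: In tasks/main.yml the `check if tripleo_frr systemd service is active` task runs a fixed command through `shell:` with no `changed_when`, so it goes through a shell it does not need and reports changed whenever the block executes. `ansible.builtin.command: systemctl is-active --quiet tripleo_frr` with `changed_when: false` does the same job and matches the fully qualified module names of the first three tasks (`systemd:` would likewise become `ansible.builtin.systemd:`). The first task creates `{{ tripleo_frr_config_basedir }}/etc/frr` with `recurse: true` and no `mode`, so the directory permissions depend on the umask while the files inside are pinned to `'640'`; an explicit `mode` on the directory would make that consistent. Neither template task sets `owner` or `group`, so whether the FRR user inside the container can read the files is not visible from this diff.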
@@ -0,0 +1,49 @@
+# {{ ansible_managed }}
+
+watchfrr_enable={{ 'yes' if tripleo_frr_watchfrr else 'no' }}
+{% if tripleo_frr_watchfrr %}
+watchfrr_options="-r '/usr/lib/frr/frr restart %s' -s '/usr/lib/frr/frr start %s' -k '/usr/lib/frr/frr stop %s'"
+{% endif %}
+#
+zebra={{ 'yes' if tripleo_frr_zebra else 'no' }}
+bgpd={{ 'yes' if tripleo_frr_bgp else 'no' }}
+ospfd=no
+ospf6d=no
+ripd=no
+ripngd=no
+isisd=no
+pimd=no
+nhrpd=no
+eigrpd=no
+sharpd=no
+pbrd=no
+staticd=no
+bfdd={{ 'yes' if tripleo_frr_bfd else 'no' }}
+fabricd=no
+
+#
+# Command line options for the daemons
+#
+zebra_options=("-A 127.0.0.1")
+bgpd_options=("-A 127.0.0.1")
+ospfd_options=("-A 127.0.0.1")
+ospf6d_options=("-A ::1")
+ripd_options=("-A 127.0.0.1")
+ripngd_options=("-A ::1")
+isisd_options=("-A 127.0.0.1")
+pimd_options=("-A 127.0.0.1")
+nhrpd_options=("-A 127.0.0.1")
+eigrpd_options=("-A 127.0.0.1")
+sharpd_options=("-A 127.0.0.1")
+pbrd_options=("-A 127.0.0.1")
+staticd_options=("-A 127.0.0.1")
+bfdd_options=("-A 127.0.0.1")
+fabricd_options=("-A 127.0.0.1")
+
+#
+# If the vtysh_enable is yes, then the unified config is read
+# and applied if it exists. If no unified frr.conf exists
+# then the per-daemon .conf files are used)
+# If vtysh_enable is no or non-existant, the frr.conf is ignored.
+# it is highly suggested to have this set to yes
+vtysh_enable=yes
diff --git a/tripleo_ansible/roles/tripleo_frr/templates/frr.conf.j2 b/tripleo_ansible/roles/tripleo_frr/templates/frr.conf.j2
new file mode 100644
index 000000000..b9e67098e
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_frr/templates/frr.conf.j2
@@ -0,0 +1,59 @@
+! {{ ansible_managed }}
+
+hostname {{ tripleo_frr_hostname }}
+log file /var/log/frr/frr.log {{ tripleo_frr_log_level }}
+service integrated-vtysh-config
+line vty
+
+router bgp {{ tripleo_frr_bgp_asn }}
+ bgp log-neighbor-changes
+ bgp graceful-shutdown
+
+ neighbor uplink peer-group
+ neighbor uplink remote-as {{ tripleo_frr_bgp_uplinks_scope }}
+ ! neighbor uplink capability extended-nexthop
+{% if tripleo_frr_bfd %}
+ neighbor uplink bfd
+{% endif %}
+{% for iface in tripleo_frr_bgp_uplinks %}
+ neighbor {{ iface }} interface peer-group uplink
+{% endfor %}
+
+{% if tripleo_frr_bgp_ipv4 %}
+ address-family ipv4 unicast
+ redistribute connected
+{% if tripleo_frr_bgp_ipv4_allowas_in %}
+ neighbor uplink allowas-in origin
+{% endif %}
+ neighbor uplink prefix-list only-host-prefixes out
+ exit-address-family
+{% endif %}
+
+{% if tripleo_frr_bgp_ipv6 %}
+ address-family ipv6 unicast
+ redistribute connected
+ neighbor uplink activate
+{% if tripleo_frr_bgp_ipv6_allowas_in %}
+ neighbor uplink allowas-in origin
+{% endif %}
+ neighbor uplink prefix-list only-host-prefixes out
+ exit-address-family
+{% endif %}
+
+{% if tripleo_frr_bgp_ipv4 %}
+ip prefix-list only-default permit 0.0.0.0/0
+ip prefix-list only-host-prefixes permit 0.0.0.0/0 ge 32
+
+{% if tripleo_frr_bgp_ipv4_default_src_map|length > 0 and tripleo_frr_hostname in tripleo_frr_bgp_ipv4_default_src_map %}
+route-map rm-only-default permit 10
+ match ip address prefix-list only-default
+ set src {{ tripleo_frr_bgp_ipv4_default_src_map[tripleo_frr_hostname] }}
+
+ip protocol bgp route-map rm-only-default
+{% endif %} {# tripleo_frr_bgp_ipv4_default_src_map #}
+{% endif %} {# tripleo_frr_bgp_ipv4 #}
+
+{% if tripleo_frr_bgp_ipv6 %}
+ipv6 prefix-list only-default permit ::/0
+ipv6 prefix-list only-host-prefixes permit ::/0 ge 128
+{% endif %}
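Review bot: The `router bgp {{ tripleo_frr_bgp_asn }}` stanza in frr.conf.j2 is rendered unconditionally although `tripleo_frr_bgp` defaults to false, so a run with the role defaults will presumably either fail on the undefined ASN or write BGP configuration for a daemon that daemons.j2 leaves disabled. Wrapping everything from `router bgp` through the second `exit-address-family` block in `{% if tripleo_frr_bgp %}` … `{% endif %}` keeps the two templates in agreement. On the policy side, the only filter on routes learned from the `uplink` peer-group is `ip protocol bgp route-map rm-only-default`, which is emitted only for IPv4 and only when the host has an entry in `tripleo_frr_bgp_ipv4_default_src_map`; the IPv6 `only-default` prefix-list is defined but never referenced. Either an inbound `neighbor uplink prefix-list only-default in` in each address family, or a template comment stating that accepting arbitrary prefixes from uplinks is intended, would make the trust assumption explicit.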