proxmox: add initial support for L2 VXLAN

I heard we like L2 so I put some L2 in our L3 so we can L2 as we L3 on L2.
2023-10-18 15:01:02 +02:00 · 2023-10-18 15:01:02 +02:00 · 0c1cc14e01
parent c9bb03ea36
commit 0c1cc14e01
8 changed files with 126 additions and 10 deletions
--- a/roles/proxmox/handlers/main.yml
+++ b/roles/proxmox/handlers/main.yml
@ -3,3 +3,6 @@

 - name: reload interfaces
  command: ifreload -a
+
+- name: reload frr
+  command: /usr/lib/frr/frr-reload.py --reload /etc/frr/frr.conf
--- a/roles/proxmox/tasks/main.yml
+++ b/roles/proxmox/tasks/main.yml
@ -13,6 +13,13 @@
  apt_repository:
    repo: 'deb http://download.proxmox.com/debian/pve {{ ansible_distribution_release }} pve-no-subscription'

+- name: Add rules to rename network interfaces
+  template:
+    dest: /etc/udev/rules.d/10-network.rules
+    src: 10-network.rules.j2
+    mode: 0644
+  notify: reboot
+
 - name: Set up loopback interface
  template:
    dest: /etc/network/interfaces.d/loopback.intf
@ -27,6 +34,13 @@
    mode: 0644
  notify: reload interfaces

+- name: Set up interfaces
+  template:
+    dest: /etc/network/interfaces
+    src: interfaces.j2
+    mode: 0644
+  notify: reload interfaces
+
 - include_tasks: mgmt.yml

 - include_tasks: sdn.yml
--- a/roles/proxmox/tasks/mgmt.yml
+++ b/roles/proxmox/tasks/mgmt.yml
@ -1,17 +1,10 @@
 # We could probably avoid rebooting in some cases, but those should never happen
 # in normal operation anyway. This way all setup is done before rebooting once.

- name: Add rules to rename network interfaces
+- name: Set up management interfaces
  template:
-    dest: /etc/udev/rules.d/10-network.rules
-    src: 10-network.rules.j2
-    mode: 0644
-  notify: reboot
-
- name: Set up interfaces
-  template:
-    dest: /etc/network/interfaces
-    src: interfaces.j2
+    dest: /etc/network/interfaces.d/mgmt.intf
+    src: mgmt.intf.j2
    mode: 0644
  notify: reboot

--- a/roles/proxmox/tasks/sdn.yml
+++ b/roles/proxmox/tasks/sdn.yml
@ -1,3 +1,16 @@
 - name: Install packages for SDN
  package:
    name: libpve-network-perl
+
+- name: Copy FRR config
+  template:
+    dest: /etc/frr/frr.conf
+    src: frr.conf.j2
+    mode: 0644
+  notify: reload frr
+
+- name: Enable FRR service
+  service:
+    name: frr
+    enabled: yes
+    state: started
--- a/roles/proxmox/templates/frr.conf.j2
+++ b/roles/proxmox/templates/frr.conf.j2
@ -0,0 +1,36 @@
+frr defaults datacenter
+service integrated-vtysh-config
+log syslog
+
+# We only have the default route, so allow talking to BGP peers over it.
+ip nht resolve-via-default
+
+router bgp {{ hostvars[inventory_hostname].custom_fields.asn.asn }}
+  bgp bestpath as-path multipath-relax
+
+  neighbor fabric peer-group
+  neighbor fabric remote-as external
+  neighbor fabric capability extended-nexthop
+
+{% for iface in hostvars[inventory_hostname].interfaces | selectattr('name', 'match', '^lan') %}
+  neighbor {{ iface.name }} interface peer-group fabric
+  neighbor {{ iface.name }} bfd
+{% endfor %}
+
+  address-family ipv4 unicast
+    redistribute connected route-map loopback
+    neighbor fabric activate
+  exit-address-family
+
+  address-family ipv6 unicast
+    redistribute connected route-map loopback
+    neighbor fabric activate
+  exit-address-family
+
+  address-family l2vpn evpn
+    neighbor fabric activate
+    advertise-all-vni
+  exit-address-family
+
+route-map loopback permit 1
+  match interface lo
--- a/roles/proxmox/templates/interfaces.j2
+++ b/roles/proxmox/templates/interfaces.j2
@ -0,0 +1,30 @@
+# Keep vmbr0 named as is and in the main interfaces file so Proxmox can find it.
+
+# Bridge for V(X)LANs.
+auto vmbr0
+iface vmbr0 inet manual
+    bridge-vlan-aware yes
+    bridge-ports {{ vlans | map('regex_replace', '^', 'vni') | join(' ') }}
+    bridge-stp off
+    bridge-fd 0
+
+# Interfaces.
+{% for vlan in vlans %}
+auto vni{{ vlan }}
+iface vni{{ vlan }} inet static
+    vxlan-id {{ vlan }}
+    bridge-access {{ vlan }}
+    mstpctl-bpduguard yes
+    mstpctl-portbpdufilter yes
+
+{% endfor %}
+
+# In place of vni* interfaces above this should work also but does not.
+# Might start working after proxmox upgrades their ifupdown2.
+#auto vxlan
+#iface vxlan inet static
+#    bridge-vlan-vni-map {{ vlans | zip(vlans) | map('join', '=') | join(' ') }}
+#    bridge-vids {{ vlans | join(' ') }}
+#    bridge-learning off
+
+source /etc/network/interfaces.d/*
--- a/roles/proxmox/templates/mgmt.intf.j2
+++ b/roles/proxmox/templates/mgmt.intf.j2
@ -0,0 +1,23 @@
+# Management VRF and link.
+auto mgmt
+iface mgmt
+    address 127.0.0.1/8
+    address ::1/128
+    vrf-table auto
+
+{% for iface in hostvars[inventory_hostname].interfaces | selectattr('name', 'match', '^mgmt') | selectattr('ip_addresses') %}
+auto {{ iface.name }}
+iface {{ iface.name }}
+    vrf mgmt
+{% for ip in iface.ip_addresses %}
+    address {{ ip.address }}
+{% set subnet = ip.address | ipaddr('subnet') %}
+{% set prefix = query('netbox.netbox.nb_lookup', 'prefixes', api_filter=('prefix='+subnet))|first %}
+{% set gateway = prefix.value.custom_fields.gateway.address %}
+{% if gateway is defined %}
+    gateway {{ gateway | ipaddr('address') }}
+{% endif %}
+{% endfor %}
+
+{% endfor %}
+
--- a/setup.yml
+++ b/setup.yml
@ -1,3 +1,7 @@
 - hosts: ceph-*
  roles:
    - debian
+
+- hosts: proxmox-rc-next-*
+  roles:
+    - proxmox