Merge branch 'master' into sonic-healthcheck

Makefile

@@ -1,6 +1,8 @@
 .DEFAULT_GOAL := up
 .EXPORT_ALL_VARIABLES:
 
+-include .env
+
 # Commands
 YQ=docker run --rm -i -v $(shell pwd):/workdir mikefarah/yq:4
 
@@ -127,10 +129,16 @@ external_network:
 			--driver=bridge \
 			--gateway=203.0.113.1 \
 			--subnet=203.0.113.0/24 \
+			--ip-range=203.0.113.0/26 \
+			--ipv6 \
+			--gateway=2001:db8::1 \
+			--subnet=2001:db8::/48 \
 			--opt "com.docker.network.driver.mtu=9000" \
 			--opt "com.docker.network.bridge.name=mini_lab_ext" \
 			--opt "com.docker.network.bridge.enable_ip_masquerade=true" && \
-		sudo ip route add 203.0.113.128/25 via 203.0.113.128 dev mini_lab_ext; fi
+		sudo ip route add 203.0.113.128/25 via 203.0.113.128 dev mini_lab_ext && \
+		sudo ip -6 route add 2001:db8:0:113::/64 via 2001:db8:0:1::1 dev mini_lab_ext; \
+	fi
 
 .PHONY: env
 env:
@@ -157,17 +165,44 @@ cleanup-partition:
 _privatenet: env
 	docker compose run $(DOCKER_COMPOSE_RUN_ARG) metalctl network list --name user-private-network | grep user-private-network || docker compose run $(DOCKER_COMPOSE_RUN_ARG) metalctl network allocate --partition mini-lab --project 00000000-0000-0000-0000-000000000001 --name user-private-network
 
+.PHONY: update-userdata
+update-userdata:
+	cat files/ignition.yaml | docker run --rm -i ghcr.io/metal-stack/metal-deployment-base:$$DEPLOYMENT_BASE_IMAGE_TAG ct | jq > files/ignition.json
+
 .PHONY: machine
-machine: _privatenet
-	docker compose run $(DOCKER_COMPOSE_RUN_ARG) metalctl machine create --description test --name test --hostname test --project 00000000-0000-0000-0000-000000000001 --partition mini-lab --image $(MACHINE_OS) --size v1-small-x86 --userdata "@/tmp/ignition.json" --networks $(shell docker compose run $(DOCKER_COMPOSE_RUN_ARG) metalctl network list --name user-private-network -o template --template '{{ .id }}')
+machine: _privatenet update-userdata
+	docker compose run $(DOCKER_COMPOSE_RUN_ARG) metalctl machine create \
+		--description test \
+		--name test \
+		--hostname test \
+		--project 00000000-0000-0000-0000-000000000001 \
+		--partition mini-lab \
+		--image $(MACHINE_OS) \
+		--size v1-small-x86 \
+		--userdata "@/tmp/ignition.json" \
+		--networks $(shell docker compose run $(DOCKER_COMPOSE_RUN_ARG) metalctl network list --name user-private-network -o template --template '{{ .id }}')
 
 .PHONY: firewall
-firewall: _privatenet
-	docker compose run $(DOCKER_COMPOSE_RUN_ARG) metalctl firewall create --description fw --name fw --hostname fw --project 00000000-0000-0000-0000-000000000001 --partition mini-lab --image firewall-ubuntu-3.0 --size v1-small-x86 --userdata "@/tmp/ignition.json" --firewall-rules-file=/tmp/rules.yaml --networks internet-mini-lab,$(shell docker compose run $(DOCKER_COMPOSE_RUN_ARG) metalctl network list --name user-private-network -o template --template '{{ .id }}')
+firewall: _privatenet update-userdata
+	docker compose run $(DOCKER_COMPOSE_RUN_ARG) metalctl firewall create \
+		--description fw \
+		--name fw \
+		--hostname fw \
+		--project 00000000-0000-0000-0000-000000000001 \
+		--partition mini-lab \
+		--image firewall-ubuntu-3.0 \
+		--size v1-small-x86 \
+		--userdata "@/tmp/ignition.json" \
+		--firewall-rules-file=/tmp/rules.yaml \
+		--networks internet-mini-lab,$(shell docker compose run $(DOCKER_COMPOSE_RUN_ARG) metalctl network list --name user-private-network -o template --template '{{ .id }}')
 
 .PHONY: public-ip
 public-ip:
-	@docker compose run $(DOCKER_COMPOSE_RUN_ARG) metalctl network ip create --name test --network internet-mini-lab --project 00000000-0000-0000-0000-000000000001 -o template --template "{{ .ipaddress }}"
+	@docker compose run $(DOCKER_COMPOSE_RUN_ARG) metalctl network ip create --name test --network internet-mini-lab --project 00000000-0000-0000-0000-000000000001 --addressfamily IPv4 -o template --template "{{ .ipaddress }}"
+
+.PHONY: public-ipv6
+public-ipv6:
+	@docker compose run $(DOCKER_COMPOSE_RUN_ARG) metalctl network ip create --name test --network internet-mini-lab --project 00000000-0000-0000-0000-000000000001 --addressfamily IPv6 -o template --template "{{ .ipaddress }}"
 
 .PHONY: ls
 ls: env
@@ -276,7 +311,7 @@ ssh-machine:
 .PHONY: test-connectivity-to-external-service
 test-connectivity-to-external-service:
 	@for i in $$(seq 1 $(MAX_RETRIES)); do \
-		if $(MAKE) ssh-machine COMMAND="sudo curl --connect-timeout 1 --fail --silent http://203.0.113.10" > /dev/null 2>&1; then \
+		if $(MAKE) ssh-machine COMMAND="sudo curl --connect-timeout 1 --fail --silent http://203.0.113.100" > /dev/null 2>&1; then \
 			echo "Connected successfully"; \
 			exit 0; \
 		else \
@@ -291,12 +326,31 @@ test-connectivity-to-external-service:
 		fi; \
 	done
 
+.PHONY: test-connectivity-to-external-service-via-ipv6
+test-connectivity-to-external-service-via-ipv6:
+	@for i in $$(seq 1 $(MAX_RETRIES)); do \
+		if $(MAKE) ssh-machine COMMAND="sudo curl --connect-timeout 1 --fail --silent http://[2001:db8::10]" > /dev/null 2>&1; then \
+			echo "Connected successfully"; \
+			exit 0; \
+		else \
+			echo "Connection failed"; \
+			if [ $$i -lt $(MAX_RETRIES) ]; then \
+				echo "Retrying in 2 seconds..."; \
+				sleep 2; \
+			else \
+				echo "Max retries reached"; \
+				exit 1; \
+			fi; \
+		fi; \
+	done
+
+
 ## DEV TARGETS ##
 
 .PHONY: dev-env
 dev-env:
-	@echo "export METALCTL_API_URL=http://api.172.17.0.1.nip.io:8080/metal"
-	@echo "export METALCTL_HMAC=metal-admin"
+	@echo "export METALCTL_API_URL=${METALCTL_API_URL}"
+	@echo "export METALCTL_HMAC=${METALCTL_HMAC}"
 	@echo "export KUBECONFIG=$(KUBECONFIG)"
 
 ## Gardener integration

compose.yaml

@@ -70,6 +70,7 @@ services:
     environment:
       - METALCTL_HMAC=${METALCTL_HMAC}
       - METALCTL_API_URL=${METALCTL_API_URL}
+      - METALCTL_HMAC_AUTH_TYPE=${METALCTL_HMAC_AUTH_TYPE}
     volumes:
       - ./files/ssh:/root/.ssh:ro
       - ./files/ignition.json:/tmp/ignition.json

deploy_control_plane.yaml

@@ -18,7 +18,11 @@
       tags: ipam-db
     - name: metal-roles/control-plane/roles/masterdata-db
       tags: masterdata-db
+    - name: metal-roles/control-plane/roles/auditing-timescaledb
+      when: metal_auditing_timescaledb_enabled
+      tags: auditing
     - name: metal-roles/control-plane/roles/auditing-meili
+      when: metal_auditing_meili_enabled
       tags: auditing
     - name: metal-roles/control-plane/roles/metal
       tags: metal

files/certs/grpc/server.json

@@ -1,7 +1,8 @@
 {
   "CN": "metal-api",
   "hosts": [
-    "172.17.0.1"
+    "172.17.0.1",
+    "203.0.113.1"
   ],
   "key": {
     "algo": "rsa",

files/exit/frr.conf

@@ -6,6 +6,7 @@ log syslog informational
 vrf vrfInternet
  vni 104009
  ip route 0.0.0.0/0 203.0.113.1
+ ipv6 route ::/0 2001:db8::1
 exit-vrf
 !
 interface eth1
@@ -18,6 +19,7 @@ interface eth2
 !
 interface mini_lab_ext
  ip address 203.0.113.128/24
+ ipv6 address 2001:db8:0:1::1/48
 !
 interface lo
  ip address 10.0.0.21/32
@@ -35,6 +37,10 @@ router bgp 4200000021
   redistribute connected route-map LOOPBACKS
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected route-map LOOPBACKS
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise-all-vni
   neighbor FABRIC activate
@@ -49,8 +55,13 @@ router bgp 4200000021 vrf vrfInternet
   redistribute static
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute static
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise ipv4 unicast
+  advertise ipv6 unicast
  exit-address-family
 !
 route-map LOOPBACKS permit 10

files/exit/network.sh

@@ -25,3 +25,5 @@ bridge vlan del vid 1 untagged pvid dev vniInternet
 bridge vlan add vid 1000 dev vniInternet
 bridge vlan add vid 1000 untagged pvid dev vniInternet
 ip link set up dev vniInternet
+
+sysctl -w net.ipv6.conf.all.forwarding=1

files/external_service/network.sh

@@ -1,5 +1,7 @@
 #!/bin/sh
 set -o errexit -o xtrace
 
-ip addr add 203.0.113.10/24 dev mini_lab_ext
+ip addr add 203.0.113.100/24 dev mini_lab_ext
 ip route add 203.0.113.128/25 via 203.0.113.128 dev mini_lab_ext
+ip -6 addr add 2001:db8::10/48 dev mini_lab_ext
+ip -6 route add 2001:db8:0:113::/64 via 2001:db8:0:1::1 dev mini_lab_ext

files/ignition.json

@@ -1,9 +1,11 @@
 {
   "ignition": {
     "config": {},
-    "security": {},
+    "security": {
+      "tls": {}
+    },
     "timeouts": {},
-    "version": "2.3.0"
+    "version": "2.2.0"
   },
   "networkd": {},
   "passwd": {},
@@ -14,10 +16,10 @@
         "path": "/etc/hosts.allow",
         "append": true,
         "contents": {
-          "source": "data:,ALL%3A%20%5Bfe80%3A%3A%5D%2F10%0D%0AALL%3A%20203.0.113.1%0D%0A",
+          "source": "data:,ALL%3A%20%5Bfe80%3A%3A%5D%2F10%0AALL%3A%20203.0.113.1%0AALL%3A%20%5B2001%3Adb8%3A%3A1%5D%0A",
           "verification": {}
         },
-        "mode": 644
+        "mode": 420
       }
     ]
   },

files/ignition.yaml

@@ -0,0 +1,11 @@
+storage:
+  files:
+    - path: /etc/hosts.allow
+      filesystem: root
+      append: true
+      mode: 0644
+      contents:
+        inline: |
+          ALL: [fe80::]/10
+          ALL: 203.0.113.1
+          ALL: [2001:db8::1]

files/rules.yaml

@@ -3,10 +3,27 @@ egress:
   - comment: allow outgoing http and https
     ports:
       - 80
+    protocol: TCP
+    to:
+      - 0.0.0.0/0
+  - comment: allow outgoing http
+    ports:
+      - 80
+    protocol: TCP
+    to:
+      - ::/0
+  - comment: allow outgoing https
+    ports:
       - 443
     protocol: TCP
     to:
       - 0.0.0.0/0
+  - comment: allow outgoing https
+    ports:
+      - 443
+    protocol: TCP
+    to:
+      - ::/0
   - comment: allow outgoing dns via tcp
     ports:
       - 53
@@ -38,3 +55,11 @@ ingress:
       - 203.0.113.0/24
     to:
       - 203.0.113.128/25
+  - comment: allow incoming ssh
+    ports:
+      - 22
+    protocol: TCP
+    from:
+      - 2001:db8::1/128
+    to:
+      - 2001:db8:0:113::/64

images/sonic/launch.py

@@ -1,6 +1,7 @@
 #!/usr/bin/python3
 import fcntl
 import glob
+import ipaddress
 import json
 import logging
 import os
@@ -227,6 +228,8 @@ def wait_until_all_interfaces_are_connected(interfaces: int) -> None:
         time.sleep(1)
 
 
+# This function works only for IPv4 interfaces.
+# See: man 7 netdevice
 def get_ip_address(iface: str) -> str:
     # Source: https://bit.ly/3dROGBN
     s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
@@ -237,6 +240,20 @@ def get_ip_address(iface: str) -> str:
     )[20:24])
 
 
+# This function works only for IPv4 interfaces
+# See: man 7 netdevice
+def get_netmask(iface: str) -> str:
+    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+    netmask = socket.inet_ntoa(fcntl.ioctl(
+        s.fileno(),
+        0x891b,  # SIOCGIFNETMASK
+        struct.pack('256s', iface.encode('utf-8'))
+    )[20:24])
+    return str(ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen)
+
+
+# This function works only for IPv4 interfaces
+# Set: man 7 netdevice
 def get_mac_address(iface: str) -> str:
     s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
     mac = fcntl.ioctl(
@@ -247,6 +264,7 @@ def get_mac_address(iface: str) -> str:
     return ':'.join('%02x' % b for b in mac)
 
 
+# This function works only for IPv4 interfaces
 def get_default_gateway() -> str:
     # Source: https://splunktool.com/python-get-default-gateway-for-a-local-interfaceip-address-in-linux
     with open("/proc/net/route") as fh:
@@ -295,6 +313,7 @@ def parse_port_config() -> dict[str, dict]:
 
 
 def create_config_db(hwsku: str) -> dict:
+    mgmt_interface_cidr = get_ip_address("eth0") + "/" + get_netmask("eth0")
     return {
         'AUTO_TECHSUPPORT': {
             'GLOBAL': {
@@ -326,7 +345,7 @@ def create_config_db(hwsku: str) -> dict:
             }
         },
         'MGMT_INTERFACE': {
-            f'eth0|{get_ip_address("eth0")}/16': {
+            f'eth0|{mgmt_interface_cidr}': {
                 'gwaddr': get_default_gateway(),
             }
         },

inventories/group_vars/all/images.yaml

@@ -18,10 +18,10 @@ setup_yaml:
 # metal_masterdata_api_image_tag:
 # metal_console_image_name:
 # metal_console_image_tag:
+# metal_core_image_name:
+# metal_core_image_tag:
 # ...
 #
-# further overrides can be looked up in the metal-role projects where the mapping is defined:
-# https://github.com/metal-stack/metal-roles/blob/master/defaults/main.yaml
 
 ##
 ## for ansible roles
@@ -30,3 +30,13 @@ setup_yaml:
 # ansible_common_version:
 # metal_roles_version:
 # metal_ansible_modules_version:
+
+##
+## helm charts
+##
+
+# metal_helm_chart_version:
+# metal_helm_chart_repo:
+
+# further overrides can be looked up in the metal-role projects where the mapping is defined:
+# https://github.com/metal-stack/metal-roles/blob/master/defaults/main.yaml

inventories/group_vars/control-plane/auditing.yaml

@@ -1,3 +1,6 @@
 ---
+auditing_timescaledb_storage_size: 10Gi
+auditing_timescaledb_resources: {}
+
 auditing_meili_storage_size: 10Gi
 auditing_meili_resources: {}