From 76d2ba51d28702116c25e7dc1f480fafba41ef6d Mon Sep 17 00:00:00 2001 From: iljarotar Date: Wed, 13 Nov 2024 14:05:55 +0100 Subject: [PATCH 01/27] setup sonic via ztp only --- partition/roles/ztp/README.md | 22 +++++++++------- partition/roles/ztp/defaults/main/main.yaml | 5 ++++ partition/roles/ztp/files/config_db.json | 7 ----- partition/roles/ztp/files/reload.sh | 3 --- partition/roles/ztp/tasks/main.yaml | 29 ++++++--------------- partition/roles/ztp/templates/ztp.json.j2 | 25 +++++++++++++----- 6 files changed, 44 insertions(+), 47 deletions(-) delete mode 100644 partition/roles/ztp/files/config_db.json delete mode 100644 partition/roles/ztp/files/reload.sh diff --git a/partition/roles/ztp/README.md b/partition/roles/ztp/README.md index f49ae6f1..bb5055cb 100644 --- a/partition/roles/ztp/README.md +++ b/partition/roles/ztp/README.md @@ -4,16 +4,18 @@ Configures a server for providing zero-touch-provisioning scripts for switches. ## Variables -| Name | Mandatory | Description | -| -------------------- | --------- | ----------------------------------------------------------- | -| ztp_nginx_image_name | yes | the docker image to use to serve ztp scripts. | -| ztp_nginx_image_tag | yes | the tag of the docker image to use to serve ztp scripts. | -| ztp_host_dir_path | | the path to serve ztp scripts from. | -| ztp_listen_address | | the address used to serve ztp requests | -| ztp_port | | the port to serve ztp scripts on. | -| ztp_authorized_keys | yes | the authorized keys that should be installed by ztp. | -| ztp_admin_user | | the user for which the authorized keys will be provisioned. | -| ztp_additional_files | | puts additional files into serve directory. | +| Name | Mandatory | Description | +| ----------------------- | --------- | ------------------------------------------------------------ | +| ztp_nginx_image_name | yes | the docker image to use to serve ztp scripts. | +| ztp_nginx_image_tag | yes | the tag of the docker image to use to serve ztp scripts. | +| ztp_host_dir_path | | the path to serve ztp scripts from. | +| ztp_listen_address | | the address used to serve ztp requests | +| ztp_port | | the port to serve ztp scripts on. | +| ztp_authorized_keys | yes | the authorized keys that should be installed by ztp. | +| ztp_admin_user | | the user for which the authorized keys will be provisioned. | +| ztp_additional_files | | puts additional files into serve directory. | +| ztp_sonic_nameservers | | the nameservers to put into resolv.conf for sonic | +| ztp_sonic_extended_cacl | | used to populate /etc/sonic/iptables.json for sonic switches | ## Provisioning SONiC Switches via ztp.json diff --git a/partition/roles/ztp/defaults/main/main.yaml b/partition/roles/ztp/defaults/main/main.yaml index 01dfafc3..1e49003d 100644 --- a/partition/roles/ztp/defaults/main/main.yaml +++ b/partition/roles/ztp/defaults/main/main.yaml @@ -10,3 +10,8 @@ ztp_port: 8080 ztp_additional_files: [] # - name: foo.sh # data: echo + +ztp_sonic_nameservers: [] +ztp_sonic_extended_cacl: + ipv4: [] + ipv6: [] diff --git a/partition/roles/ztp/files/config_db.json b/partition/roles/ztp/files/config_db.json deleted file mode 100644 index 0d7ecddd..00000000 --- a/partition/roles/ztp/files/config_db.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "DEVICE_METADATA": { - "localhost": { - "docker_routing_config_mode": "split" - } - } -} \ No newline at end of file diff --git a/partition/roles/ztp/files/reload.sh b/partition/roles/ztp/files/reload.sh deleted file mode 100644 index 4712145e..00000000 --- a/partition/roles/ztp/files/reload.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash - -sudo systemctl restart bgp diff --git a/partition/roles/ztp/tasks/main.yaml b/partition/roles/ztp/tasks/main.yaml index 1f17f311..f46ecbf4 100644 --- a/partition/roles/ztp/tasks/main.yaml +++ b/partition/roles/ztp/tasks/main.yaml @@ -17,29 +17,16 @@ path: "{{ ztp_host_dir_path }}/config" state: directory -- name: render ztp script +- name: render templates template: - src: "ztp.sh.j2" - dest: "{{ ztp_host_dir_path }}/config/ztp.sh" - mode: 0644 - -- name: copy config_db.json - copy: - src: "config_db.json" - dest: "{{ ztp_host_dir_path }}/config/config_db.json" - mode: 0644 - -- name: copy reload script - copy: - src: "reload.sh" - dest: "{{ ztp_host_dir_path }}/config/reload.sh" - mode: 0644 - -- name: render ztp.json - template: - src: "ztp.json.j2" - dest: "{{ ztp_host_dir_path }}/config/ztp.json" + src: "{{ item }}" + dest: "{{ ztp_host_dir_path }}/config/{{ item | splitext | first }}" mode: 0644 + loop: + - iptables.json.j2 + - resolv.conf.j2 + - ztp.json.j2 + - ztp.sh.j2 - name: copy additional contents copy: diff --git a/partition/roles/ztp/templates/ztp.json.j2 b/partition/roles/ztp/templates/ztp.json.j2 index 29da1d14..6930ca30 100644 --- a/partition/roles/ztp/templates/ztp.json.j2 +++ b/partition/roles/ztp/templates/ztp.json.j2 @@ -5,17 +5,30 @@ "url": "http://{{ ztp_listen_address }}:{{ ztp_port }}/ztp.sh" } }, - "03-configdb-json": { + "03-additional-files": { "url": { - "source": "http://{{ ztp_listen_address }}:{{ ztp_port }}/config_db.json" + "source": "http://{{ ztp_listen_address }}:{{ ztp_port }}/resolv.conf", + "destination": "/etc/resolv.conf" }, + "url": { + "source": "http://{{ ztp_listen_address }}:{{ ztp_port }}/iptables.json", + "destination": "/etc/sonic/iptables.json" + } + }, + "04-configdb-json": { + "dynamic-url": { + "source": { + "prefix": "http://{{ ztp_listen_address }}:{{ ztp_port }}/", + "identifier": "hostname", + "suffix": "_config_db.json" + }, "clear-config": false }, - "04-reload": { - "plugin": { - "url": "http://{{ ztp_listen_address }}:{{ ztp_port }}/reload.sh" - } +{% if ztp_additional_files | selectattr('name', 'equalto', 'ztp-additional-script.sh') %} + "05-ztp-additional-script": { + "plugin": "http://{{ ztp_listen_address }}:{{ ztp_port }}/ztp-additional-script.sh", }, +{% endif %} "restart-ztp-no-config": false } } From cb8de60363bb9666bd76112812b898388aafa806 Mon Sep 17 00:00:00 2001 From: iljarotar Date: Wed, 13 Nov 2024 14:26:02 +0100 Subject: [PATCH 02/27] templates --- partition/roles/ztp/templates/iptables.json.j2 | 13 +++++++++++++ partition/roles/ztp/templates/resolv.conf.j2 | 3 +++ 2 files changed, 16 insertions(+) create mode 100644 partition/roles/ztp/templates/iptables.json.j2 create mode 100644 partition/roles/ztp/templates/resolv.conf.j2 diff --git a/partition/roles/ztp/templates/iptables.json.j2 b/partition/roles/ztp/templates/iptables.json.j2 new file mode 100644 index 00000000..d802871a --- /dev/null +++ b/partition/roles/ztp/templates/iptables.json.j2 @@ -0,0 +1,13 @@ +{# jinja2: lstrip_blocks: "False", trim_blocks: "False" #} +{ + "ipv4":[ +{% for rule in ztp_sonic_extended_cacl.ipv4|default([]) %} + "{{ rule }}"{% if not loop.last %},{% endif +%} +{% endfor %} + ], + "ipv6":[ +{% for rule in ztp_sonic_extended_cacl.ipv6|default([]) %} + "{{ rule }}"{% if not loop.last %},{% endif +%} +{% endfor %} + ] +} diff --git a/partition/roles/ztp/templates/resolv.conf.j2 b/partition/roles/ztp/templates/resolv.conf.j2 new file mode 100644 index 00000000..596bdf60 --- /dev/null +++ b/partition/roles/ztp/templates/resolv.conf.j2 @@ -0,0 +1,3 @@ +{% for ns in ztp_sonic_nameservers %} +nameserver {{ ns }} +{% endfor %} From a28f370e87d6608aad5a98be87b84655ceaa6d9e Mon Sep 17 00:00:00 2001 From: iljarotar Date: Wed, 13 Nov 2024 15:12:38 +0100 Subject: [PATCH 03/27] remove trailing comma --- partition/roles/ztp/templates/ztp.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/partition/roles/ztp/templates/ztp.json.j2 b/partition/roles/ztp/templates/ztp.json.j2 index 6930ca30..33f3909e 100644 --- a/partition/roles/ztp/templates/ztp.json.j2 +++ b/partition/roles/ztp/templates/ztp.json.j2 @@ -26,7 +26,7 @@ }, {% if ztp_additional_files | selectattr('name', 'equalto', 'ztp-additional-script.sh') %} "05-ztp-additional-script": { - "plugin": "http://{{ ztp_listen_address }}:{{ ztp_port }}/ztp-additional-script.sh", + "plugin": "http://{{ ztp_listen_address }}:{{ ztp_port }}/ztp-additional-script.sh" }, {% endif %} "restart-ztp-no-config": false From e30286c194359e93140e21c388a487c8c5f2fee1 Mon Sep 17 00:00:00 2001 From: iljarotar Date: Wed, 13 Nov 2024 15:20:20 +0100 Subject: [PATCH 04/27] fix json syntax --- partition/roles/ztp/templates/ztp.json.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/partition/roles/ztp/templates/ztp.json.j2 b/partition/roles/ztp/templates/ztp.json.j2 index 33f3909e..d6c8b1c3 100644 --- a/partition/roles/ztp/templates/ztp.json.j2 +++ b/partition/roles/ztp/templates/ztp.json.j2 @@ -21,7 +21,8 @@ "prefix": "http://{{ ztp_listen_address }}:{{ ztp_port }}/", "identifier": "hostname", "suffix": "_config_db.json" - }, + } + }, "clear-config": false }, {% if ztp_additional_files | selectattr('name', 'equalto', 'ztp-additional-script.sh') %} From d79b12a06f9500b694e7b40af887b1887a51f79b Mon Sep 17 00:00:00 2001 From: iljarotar Date: Wed, 13 Nov 2024 16:17:11 +0100 Subject: [PATCH 05/27] fix json --- partition/roles/ztp/templates/ztp.json.j2 | 29 +++++++++++++++-------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/partition/roles/ztp/templates/ztp.json.j2 b/partition/roles/ztp/templates/ztp.json.j2 index d6c8b1c3..179962b8 100644 --- a/partition/roles/ztp/templates/ztp.json.j2 +++ b/partition/roles/ztp/templates/ztp.json.j2 @@ -6,14 +6,20 @@ } }, "03-additional-files": { - "url": { - "source": "http://{{ ztp_listen_address }}:{{ ztp_port }}/resolv.conf", - "destination": "/etc/resolv.conf" - }, - "url": { - "source": "http://{{ ztp_listen_address }}:{{ ztp_port }}/iptables.json", - "destination": "/etc/sonic/iptables.json" - } + "files": [ + { + "url": { + "source": "http://{{ ztp_listen_address }}:{{ ztp_port }}/resolv.conf", + "destination": "/etc/resolv.conf" + }, + }, + { + "url": { + "source": "http://{{ ztp_listen_address }}:{{ ztp_port }}/iptables.json", + "destination": "/etc/sonic/iptables.json" + } + } + ] }, "04-configdb-json": { "dynamic-url": { @@ -23,13 +29,16 @@ "suffix": "_config_db.json" } }, - "clear-config": false + "clear-config": true }, {% if ztp_additional_files | selectattr('name', 'equalto', 'ztp-additional-script.sh') %} "05-ztp-additional-script": { - "plugin": "http://{{ ztp_listen_address }}:{{ ztp_port }}/ztp-additional-script.sh" + "plugin": { + "url": "http://{{ ztp_listen_address }}:{{ ztp_port }}/ztp-additional-script.sh" + } }, {% endif %} + "reboot-on-success": true, "restart-ztp-no-config": false } } From a2a6b8391ea3102fac46db854837a19ecd1fbabe Mon Sep 17 00:00:00 2001 From: iljarotar Date: Wed, 13 Nov 2024 16:28:41 +0100 Subject: [PATCH 06/27] fix json --- partition/roles/ztp/templates/ztp.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/partition/roles/ztp/templates/ztp.json.j2 b/partition/roles/ztp/templates/ztp.json.j2 index 179962b8..4bfce71a 100644 --- a/partition/roles/ztp/templates/ztp.json.j2 +++ b/partition/roles/ztp/templates/ztp.json.j2 @@ -11,7 +11,7 @@ "url": { "source": "http://{{ ztp_listen_address }}:{{ ztp_port }}/resolv.conf", "destination": "/etc/resolv.conf" - }, + } }, { "url": { From e2dde8cd0f8a699daa5648297de68ef0a89fb895 Mon Sep 17 00:00:00 2001 From: iljarotar Date: Wed, 13 Nov 2024 16:35:32 +0100 Subject: [PATCH 07/27] use defined plugins in ztp.json --- partition/roles/ztp/templates/ztp.json.j2 | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/partition/roles/ztp/templates/ztp.json.j2 b/partition/roles/ztp/templates/ztp.json.j2 index 4bfce71a..55fb5c23 100644 --- a/partition/roles/ztp/templates/ztp.json.j2 +++ b/partition/roles/ztp/templates/ztp.json.j2 @@ -5,7 +5,7 @@ "url": "http://{{ ztp_listen_address }}:{{ ztp_port }}/ztp.sh" } }, - "03-additional-files": { + "03-download": { "files": [ { "url": { @@ -32,10 +32,8 @@ "clear-config": true }, {% if ztp_additional_files | selectattr('name', 'equalto', 'ztp-additional-script.sh') %} - "05-ztp-additional-script": { - "plugin": { - "url": "http://{{ ztp_listen_address }}:{{ ztp_port }}/ztp-additional-script.sh" - } + "05-plugin": { + "url": "http://{{ ztp_listen_address }}:{{ ztp_port }}/ztp-additional-script.sh" }, {% endif %} "reboot-on-success": true, From 0294e20ba24bc2552ac5f2b5bdbfd1a53432f1cd Mon Sep 17 00:00:00 2001 From: iljarotar Date: Thu, 14 Nov 2024 10:23:05 +0100 Subject: [PATCH 08/27] execute provisioning script with shell: true --- partition/roles/ztp/templates/ztp.json.j2 | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/partition/roles/ztp/templates/ztp.json.j2 b/partition/roles/ztp/templates/ztp.json.j2 index 55fb5c23..e85cdbf6 100644 --- a/partition/roles/ztp/templates/ztp.json.j2 +++ b/partition/roles/ztp/templates/ztp.json.j2 @@ -31,12 +31,15 @@ }, "clear-config": true }, -{% if ztp_additional_files | selectattr('name', 'equalto', 'ztp-additional-script.sh') %} - "05-plugin": { - "url": "http://{{ ztp_listen_address }}:{{ ztp_port }}/ztp-additional-script.sh" +{% if ztp_additional_files | selectattr('name', 'equalto', 'ztp-provisioning-script.sh') %} + "05-provisioning-script": { + "plugin": { + "url": "http://{{ ztp_listen_address }}:{{ ztp_port }}/ztp-provisioning-script.sh" + }, + "shell": true, + "reboot-on-success": true, }, {% endif %} - "reboot-on-success": true, "restart-ztp-no-config": false } } From 72feca4f2a9ef82578dc5588ffa35222ede54b85 Mon Sep 17 00:00:00 2001 From: iljarotar Date: Thu, 14 Nov 2024 10:40:18 +0100 Subject: [PATCH 09/27] json bug --- partition/roles/ztp/templates/ztp.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/partition/roles/ztp/templates/ztp.json.j2 b/partition/roles/ztp/templates/ztp.json.j2 index e85cdbf6..8a10617c 100644 --- a/partition/roles/ztp/templates/ztp.json.j2 +++ b/partition/roles/ztp/templates/ztp.json.j2 @@ -37,7 +37,7 @@ "url": "http://{{ ztp_listen_address }}:{{ ztp_port }}/ztp-provisioning-script.sh" }, "shell": true, - "reboot-on-success": true, + "reboot-on-success": true }, {% endif %} "restart-ztp-no-config": false From 42e97f3470c612ad054e9e2102883a88582e464e Mon Sep 17 00:00:00 2001 From: iljarotar Date: Fri, 15 Nov 2024 15:39:20 +0100 Subject: [PATCH 10/27] readme --- partition/roles/ztp/README.md | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/partition/roles/ztp/README.md b/partition/roles/ztp/README.md index bb5055cb..5e470822 100644 --- a/partition/roles/ztp/README.md +++ b/partition/roles/ztp/README.md @@ -4,18 +4,19 @@ Configures a server for providing zero-touch-provisioning scripts for switches. ## Variables -| Name | Mandatory | Description | -| ----------------------- | --------- | ------------------------------------------------------------ | -| ztp_nginx_image_name | yes | the docker image to use to serve ztp scripts. | -| ztp_nginx_image_tag | yes | the tag of the docker image to use to serve ztp scripts. | -| ztp_host_dir_path | | the path to serve ztp scripts from. | -| ztp_listen_address | | the address used to serve ztp requests | -| ztp_port | | the port to serve ztp scripts on. | -| ztp_authorized_keys | yes | the authorized keys that should be installed by ztp. | -| ztp_admin_user | | the user for which the authorized keys will be provisioned. | -| ztp_additional_files | | puts additional files into serve directory. | -| ztp_sonic_nameservers | | the nameservers to put into resolv.conf for sonic | -| ztp_sonic_extended_cacl | | used to populate /etc/sonic/iptables.json for sonic switches | +| Name | Mandatory | Description | +| ---------------------------- | --------- | --------------------------------------------------------------------------------------------------------- | +| ztp_nginx_image_name | yes | the docker image to use to serve ztp scripts. | +| ztp_nginx_image_tag | yes | the tag of the docker image to use to serve ztp scripts. | +| ztp_host_dir_path | | the path to serve ztp scripts from. | +| ztp_listen_address | | the address used to serve ztp requests | +| ztp_port | | the port to serve ztp scripts on. | +| ztp_authorized_keys | yes | the authorized keys that should be installed by ztp. | +| ztp_admin_user | | the user for which the authorized keys will be provisioned. | +| ztp_additional_files | | puts additional files into serve directory. | +| ztp_sonic_nameservers | | the nameservers to put into resolv.conf for sonic | +| ztp_sonic_extended_cacl.ipv4 | | iptables ipv4 rules that should be added as extended Control Plane ACLs (Edgecore Sonic specific feature) | +| ztp_sonic_extended_cacl.ipv6 | | iptables ipv6 rules that should be added as extended Control Plane ACLs (Edgecore Sonic specific feature) | ## Provisioning SONiC Switches via ztp.json From 49588bc9b95049d37c3036ad9457495eed599fe6 Mon Sep 17 00:00:00 2001 From: iljarotar Date: Tue, 26 Nov 2024 08:50:48 +0100 Subject: [PATCH 11/27] readme --- partition/roles/ztp/README.md | 51 +++++++++++++++++++++++------------ 1 file changed, 34 insertions(+), 17 deletions(-) diff --git a/partition/roles/ztp/README.md b/partition/roles/ztp/README.md index 5e470822..711bd330 100644 --- a/partition/roles/ztp/README.md +++ b/partition/roles/ztp/README.md @@ -2,27 +2,11 @@ Configures a server for providing zero-touch-provisioning scripts for switches. -## Variables - -| Name | Mandatory | Description | -| ---------------------------- | --------- | --------------------------------------------------------------------------------------------------------- | -| ztp_nginx_image_name | yes | the docker image to use to serve ztp scripts. | -| ztp_nginx_image_tag | yes | the tag of the docker image to use to serve ztp scripts. | -| ztp_host_dir_path | | the path to serve ztp scripts from. | -| ztp_listen_address | | the address used to serve ztp requests | -| ztp_port | | the port to serve ztp scripts on. | -| ztp_authorized_keys | yes | the authorized keys that should be installed by ztp. | -| ztp_admin_user | | the user for which the authorized keys will be provisioned. | -| ztp_additional_files | | puts additional files into serve directory. | -| ztp_sonic_nameservers | | the nameservers to put into resolv.conf for sonic | -| ztp_sonic_extended_cacl.ipv4 | | iptables ipv4 rules that should be added as extended Control Plane ACLs (Edgecore Sonic specific feature) | -| ztp_sonic_extended_cacl.ipv6 | | iptables ipv6 rules that should be added as extended Control Plane ACLs (Edgecore Sonic specific feature) | - ## Provisioning SONiC Switches via ztp.json On SONiC switches it is possible to describe the ZTP procedure in a file called `ztp.json`. It contains all steps that should be performed during ZTP along with some additional options. -We use `ztp.json` to trigger a restart of the BGP service after the initial switch provisioning. +For example, host-specific download paths for the `config_db.json` or any additional files or scripts can be provided in the `ztp.json`. To use the `ztp.json` file, add a DHCP option with code 67 to the DHCP server that serves the file. For example, add a section like the following to `/etc/dhcp/dhcpd.conf`: @@ -37,3 +21,36 @@ host leaf01 { ``` For more information on the `ztp.json` format refer to the [documentation](https://github.com/sonic-net/SONiC/blob/master/doc/ztp/ztp.md). + +### Noteworthy + +With a `ztp.json` file it is possible to provision a SONiC switch entirely via ZTP without using the `sonic` role. +To achieve this, some of the variables from the `sonic` role are reused in this role. +They are needed to render the templates for the `/etc/resolv.conf` and the `/etc/sonic/iptables.json`. +Note that each switch that uses the `ztp.json` file needs an individual `config_db.json`, that it can download at `http://{{ ztp_listen_address }}:{{ ztp_port }}/_config_db.json`. +For example, if the switch's hostname is `r01leaf02`, there should be a file called `r01leaf02_config_db.json` located in `{{ ztp_host_dir_path }}/config/`. +The configs can be added to the `ztp_additional_files` variable, e.g. + +```yaml +ztp_additional_files: + - name: r01leaf02_config_db.json + data: "{{ lookup('file', 'path/to/r01leaf02_config_db.json)' | string }}" # using `string` to keep the formatting + - name: r02leaf01_config_db.json + data: ... +``` + +## Variables + +| Name | Mandatory | Description | +| ---------------------------- | --------- | --------------------------------------------------------------------------------------------------------- | +| ztp_nginx_image_name | yes | the docker image to use to serve ztp scripts. | +| ztp_nginx_image_tag | yes | the tag of the docker image to use to serve ztp scripts. | +| ztp_host_dir_path | | the path to serve ztp scripts from. | +| ztp_listen_address | | the address used to serve ztp requests | +| ztp_port | | the port to serve ztp scripts on. | +| ztp_authorized_keys | yes | the authorized keys that should be installed by ztp. | +| ztp_admin_user | | the user for which the authorized keys will be provisioned. | +| ztp_additional_files | | puts additional files into serve directory. | +| ztp_sonic_nameservers | | the nameservers to put into resolv.conf for sonic | +| ztp_sonic_extended_cacl.ipv4 | | iptables ipv4 rules that should be added as extended Control Plane ACLs (Edgecore Sonic specific feature) | +| ztp_sonic_extended_cacl.ipv6 | | iptables ipv6 rules that should be added as extended Control Plane ACLs (Edgecore Sonic specific feature) | From ea01c31c3fb40d92816a51e5de99956d9d9642cd Mon Sep 17 00:00:00 2001 From: iljarotar Date: Wed, 4 Dec 2024 12:14:16 +0100 Subject: [PATCH 12/27] conditionally render sonic config --- partition/roles/sonic/README.md | 1 + partition/roles/sonic/defaults/main.yaml | 1 + partition/roles/sonic/tasks/main.yaml | 21 +++++++++------- partition/roles/sonic/templates/frr.conf.j2 | 1 + partition/roles/ztp/README.md | 28 ++++++++------------- partition/roles/ztp/tasks/main.yaml | 2 -- 6 files changed, 25 insertions(+), 29 deletions(-) diff --git a/partition/roles/sonic/README.md b/partition/roles/sonic/README.md index 3e6f921c..9352b327 100644 --- a/partition/roles/sonic/README.md +++ b/partition/roles/sonic/README.md @@ -18,6 +18,7 @@ It depends on the `switch_facts` module from `ansible-common`, so make sure modu | sonic_ip_masquerade | | Enable ip masquerading on eth0. | | sonic_breakouts | | The breakout configuration for ports, e.g. `dict('Ethernet0'='4x25G')` | | sonic_config_action | | Either `load` or `reload`. In the latter case all services will be restarted. If not given, defaults to `load` | +| sonic_render_config_db_template | | When `true` the `metal.yaml.j2` template will be rendered into `/etc/sonic/config_db.json` | | sonic_ports | | Configuration for ports (mtu, fec, have highest precedence). These ports will be up by default. | | sonic_ports.name | | The port name. | | sonic_ports.speed | | Speed of the port. | diff --git a/partition/roles/sonic/defaults/main.yaml b/partition/roles/sonic/defaults/main.yaml index 1506557c..f0445fdb 100644 --- a/partition/roles/sonic/defaults/main.yaml +++ b/partition/roles/sonic/defaults/main.yaml @@ -5,6 +5,7 @@ sonic_nameservers: [] sonic_ip_masquerade: false sonic_timezone: Europe/Berlin sonic_config_action: load +sonic_render_config_db_template: true ## Physical settings sonic_ports: [] diff --git a/partition/roles/sonic/tasks/main.yaml b/partition/roles/sonic/tasks/main.yaml index 1bae92e4..fb9877ec 100644 --- a/partition/roles/sonic/tasks/main.yaml +++ b/partition/roles/sonic/tasks/main.yaml @@ -105,15 +105,18 @@ fail_msg: The running configuration is incomplete because it does not contain 'BREAKOUT_CFG'. when: sonic_breakouts is defined -- name: Render config_db - set_fact: - config_db: "{{ lookup('template', 'metal.yaml.j2') }}" - -- name: Save config_db as JSON file - copy: - content: "{{ config_db | from_yaml | to_nice_json }}" - dest: /etc/sonic/config_db.json - notify: "config {{ sonic_config_action }}" +- name: Render and save config_db + when: sonic_render_config_db_template + block: + - name: Render config_db + set_fact: + config_db: "{{ lookup('template', 'metal.yaml.j2') }}" + + - name: Save config_db as JSON file + copy: + content: "{{ config_db | from_yaml | to_nice_json }}" + dest: /etc/sonic/config_db.json + notify: "config {{ sonic_config_action }}" - name: Set NTP timezone timezone: diff --git a/partition/roles/sonic/templates/frr.conf.j2 b/partition/roles/sonic/templates/frr.conf.j2 index e903786e..2feb614b 100644 --- a/partition/roles/sonic/templates/frr.conf.j2 +++ b/partition/roles/sonic/templates/frr.conf.j2 @@ -4,6 +4,7 @@ hostname {{ inventory_hostname }} ! service integrated-vtysh-config ! +agentx log syslog {{ sonic_frr_syslog_level }} {% if sonic_frr_debug_options is defined %} {% for option in sonic_frr_debug_options %} diff --git a/partition/roles/ztp/README.md b/partition/roles/ztp/README.md index 711bd330..88f43856 100644 --- a/partition/roles/ztp/README.md +++ b/partition/roles/ztp/README.md @@ -22,11 +22,6 @@ host leaf01 { For more information on the `ztp.json` format refer to the [documentation](https://github.com/sonic-net/SONiC/blob/master/doc/ztp/ztp.md). -### Noteworthy - -With a `ztp.json` file it is possible to provision a SONiC switch entirely via ZTP without using the `sonic` role. -To achieve this, some of the variables from the `sonic` role are reused in this role. -They are needed to render the templates for the `/etc/resolv.conf` and the `/etc/sonic/iptables.json`. Note that each switch that uses the `ztp.json` file needs an individual `config_db.json`, that it can download at `http://{{ ztp_listen_address }}:{{ ztp_port }}/_config_db.json`. For example, if the switch's hostname is `r01leaf02`, there should be a file called `r01leaf02_config_db.json` located in `{{ ztp_host_dir_path }}/config/`. The configs can be added to the `ztp_additional_files` variable, e.g. @@ -41,16 +36,13 @@ ztp_additional_files: ## Variables -| Name | Mandatory | Description | -| ---------------------------- | --------- | --------------------------------------------------------------------------------------------------------- | -| ztp_nginx_image_name | yes | the docker image to use to serve ztp scripts. | -| ztp_nginx_image_tag | yes | the tag of the docker image to use to serve ztp scripts. | -| ztp_host_dir_path | | the path to serve ztp scripts from. | -| ztp_listen_address | | the address used to serve ztp requests | -| ztp_port | | the port to serve ztp scripts on. | -| ztp_authorized_keys | yes | the authorized keys that should be installed by ztp. | -| ztp_admin_user | | the user for which the authorized keys will be provisioned. | -| ztp_additional_files | | puts additional files into serve directory. | -| ztp_sonic_nameservers | | the nameservers to put into resolv.conf for sonic | -| ztp_sonic_extended_cacl.ipv4 | | iptables ipv4 rules that should be added as extended Control Plane ACLs (Edgecore Sonic specific feature) | -| ztp_sonic_extended_cacl.ipv6 | | iptables ipv6 rules that should be added as extended Control Plane ACLs (Edgecore Sonic specific feature) | +| Name | Mandatory | Description | +| -------------------- | --------- | ----------------------------------------------------------- | +| ztp_nginx_image_name | yes | the docker image to use to serve ztp scripts. | +| ztp_nginx_image_tag | yes | the tag of the docker image to use to serve ztp scripts. | +| ztp_host_dir_path | | the path to serve ztp scripts from. | +| ztp_listen_address | | the address used to serve ztp requests | +| ztp_port | | the port to serve ztp scripts on. | +| ztp_authorized_keys | yes | the authorized keys that should be installed by ztp. | +| ztp_admin_user | | the user for which the authorized keys will be provisioned. | +| ztp_additional_files | | puts additional files into serve directory. | diff --git a/partition/roles/ztp/tasks/main.yaml b/partition/roles/ztp/tasks/main.yaml index f46ecbf4..50210ca7 100644 --- a/partition/roles/ztp/tasks/main.yaml +++ b/partition/roles/ztp/tasks/main.yaml @@ -23,8 +23,6 @@ dest: "{{ ztp_host_dir_path }}/config/{{ item | splitext | first }}" mode: 0644 loop: - - iptables.json.j2 - - resolv.conf.j2 - ztp.json.j2 - ztp.sh.j2 From ffc99842f7dd249e55b7032547e8ac776c3f0413 Mon Sep 17 00:00:00 2001 From: iljarotar Date: Wed, 4 Dec 2024 15:00:40 +0100 Subject: [PATCH 13/27] fix tests --- partition/roles/sonic/test/data/exit/frr.conf | 3 ++- partition/roles/sonic/test/data/l2_leaf/frr.conf | 3 ++- partition/roles/sonic/test/data/mgmtleaf/frr.conf | 3 ++- partition/roles/sonic/test/data/sonic-vs/frr.conf | 3 ++- partition/roles/sonic/test/data/spine/frr.conf | 3 ++- 5 files changed, 10 insertions(+), 5 deletions(-) diff --git a/partition/roles/sonic/test/data/exit/frr.conf b/partition/roles/sonic/test/data/exit/frr.conf index d6e31f66..fd8ab387 100644 --- a/partition/roles/sonic/test/data/exit/frr.conf +++ b/partition/roles/sonic/test/data/exit/frr.conf @@ -3,6 +3,7 @@ hostname exit01 ! service integrated-vtysh-config ! +agentx log syslog informational ! vrf VrfMpls @@ -105,4 +106,4 @@ route-map LOOPBACKS permit 10 ip route 0.0.0.0/0 10.1.2.1 ! line vty -! \ No newline at end of file +! diff --git a/partition/roles/sonic/test/data/l2_leaf/frr.conf b/partition/roles/sonic/test/data/l2_leaf/frr.conf index e4e1b838..8fda0baf 100644 --- a/partition/roles/sonic/test/data/l2_leaf/frr.conf +++ b/partition/roles/sonic/test/data/l2_leaf/frr.conf @@ -3,6 +3,7 @@ hostname l2leaf01 ! service integrated-vtysh-config ! +agentx log syslog informational ! vrf Vrf46 @@ -62,4 +63,4 @@ route-map LOOPBACKS permit 10 match interface Loopback0 ! line vty -! \ No newline at end of file +! diff --git a/partition/roles/sonic/test/data/mgmtleaf/frr.conf b/partition/roles/sonic/test/data/mgmtleaf/frr.conf index ff440493..a33e16b6 100644 --- a/partition/roles/sonic/test/data/mgmtleaf/frr.conf +++ b/partition/roles/sonic/test/data/mgmtleaf/frr.conf @@ -3,6 +3,7 @@ hostname r01mgmtleaf ! service integrated-vtysh-config ! +agentx log syslog informational ! interface Ethernet120 @@ -31,4 +32,4 @@ route-map DENY_MGMT deny 10 route-map DENY_MGMT permit 20 ! line vty -! \ No newline at end of file +! diff --git a/partition/roles/sonic/test/data/sonic-vs/frr.conf b/partition/roles/sonic/test/data/sonic-vs/frr.conf index 120ac33e..dea03d84 100644 --- a/partition/roles/sonic/test/data/sonic-vs/frr.conf +++ b/partition/roles/sonic/test/data/sonic-vs/frr.conf @@ -3,6 +3,7 @@ hostname sonic-vs ! service integrated-vtysh-config ! +agentx log syslog informational ! interface Ethernet0 @@ -26,4 +27,4 @@ route-map DENY_MGMT deny 10 route-map DENY_MGMT permit 20 ! line vty -! \ No newline at end of file +! diff --git a/partition/roles/sonic/test/data/spine/frr.conf b/partition/roles/sonic/test/data/spine/frr.conf index 5826ab01..e35fb497 100644 --- a/partition/roles/sonic/test/data/spine/frr.conf +++ b/partition/roles/sonic/test/data/spine/frr.conf @@ -3,6 +3,7 @@ hostname spine01 ! service integrated-vtysh-config ! +agentx log syslog informational ! interface Ethernet120 @@ -35,4 +36,4 @@ route-map LOOPBACKS permit 10 match interface Loopback0 ! line vty -! \ No newline at end of file +! From 66056b3b235250695a44ae47e688860589a958e9 Mon Sep 17 00:00:00 2001 From: iljarotar Date: Wed, 4 Dec 2024 15:45:52 +0100 Subject: [PATCH 14/27] add a noteworthy section --- partition/roles/ztp/README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/partition/roles/ztp/README.md b/partition/roles/ztp/README.md index 88f43856..7355b9c9 100644 --- a/partition/roles/ztp/README.md +++ b/partition/roles/ztp/README.md @@ -34,6 +34,12 @@ ztp_additional_files: data: ... ``` +## Noteworthy + +When a SONiC switch is deployed via `ztp.json` and configured by the `sonic` role afterwards, make sure to leave the `sonic_ports`, `sonic_portchannels` and `sonic_breakouts` variables empty and set `sonic_render_config_db_template` to false. +Otherwise the `sonic` role will override the `config_db.json` provided by the `ztp.json`. +The result of this is unpredictable and, in the worst case, the switch might reach a broken state from which it can only be restored by resetting it completely and setting it up from scratch. + ## Variables | Name | Mandatory | Description | From f7a2f446854c9ddf8da03fcc32516b6a8731e5ac Mon Sep 17 00:00:00 2001 From: iljarotar Date: Thu, 5 Dec 2024 15:46:33 +0100 Subject: [PATCH 15/27] add frr.conf and remove iptables and resolv.conf --- partition/roles/ztp/defaults/main/main.yaml | 5 ----- partition/roles/ztp/files/frr.conf | 9 +++++++++ partition/roles/ztp/tasks/main.yaml | 8 +++++++- partition/roles/ztp/templates/iptables.json.j2 | 13 ------------- partition/roles/ztp/templates/resolv.conf.j2 | 3 --- partition/roles/ztp/templates/ztp.json.j2 | 10 ++-------- 6 files changed, 18 insertions(+), 30 deletions(-) create mode 100644 partition/roles/ztp/files/frr.conf delete mode 100644 partition/roles/ztp/templates/iptables.json.j2 delete mode 100644 partition/roles/ztp/templates/resolv.conf.j2 diff --git a/partition/roles/ztp/defaults/main/main.yaml b/partition/roles/ztp/defaults/main/main.yaml index 1e49003d..01dfafc3 100644 --- a/partition/roles/ztp/defaults/main/main.yaml +++ b/partition/roles/ztp/defaults/main/main.yaml @@ -10,8 +10,3 @@ ztp_port: 8080 ztp_additional_files: [] # - name: foo.sh # data: echo - -ztp_sonic_nameservers: [] -ztp_sonic_extended_cacl: - ipv4: [] - ipv6: [] diff --git a/partition/roles/ztp/files/frr.conf b/partition/roles/ztp/files/frr.conf new file mode 100644 index 00000000..684de281 --- /dev/null +++ b/partition/roles/ztp/files/frr.conf @@ -0,0 +1,9 @@ +frr defaults datacenter +password zebra +enable password zebra +! +log syslog informational +log facility local4 +! +agentx +! diff --git a/partition/roles/ztp/tasks/main.yaml b/partition/roles/ztp/tasks/main.yaml index 50210ca7..c20adbdc 100644 --- a/partition/roles/ztp/tasks/main.yaml +++ b/partition/roles/ztp/tasks/main.yaml @@ -26,7 +26,13 @@ - ztp.json.j2 - ztp.sh.j2 -- name: copy additional contents +- name: copy frr.conf + copy: + dest: "{{ ztp_host_dir_path }}/config/frr.conf" + src: frr.conf + mode: 0644 + +- name: copy additional files copy: dest: "{{ ztp_host_dir_path }}/config/{{ item.name }}" content: "{{ item.data }}" diff --git a/partition/roles/ztp/templates/iptables.json.j2 b/partition/roles/ztp/templates/iptables.json.j2 deleted file mode 100644 index d802871a..00000000 --- a/partition/roles/ztp/templates/iptables.json.j2 +++ /dev/null @@ -1,13 +0,0 @@ -{# jinja2: lstrip_blocks: "False", trim_blocks: "False" #} -{ - "ipv4":[ -{% for rule in ztp_sonic_extended_cacl.ipv4|default([]) %} - "{{ rule }}"{% if not loop.last %},{% endif +%} -{% endfor %} - ], - "ipv6":[ -{% for rule in ztp_sonic_extended_cacl.ipv6|default([]) %} - "{{ rule }}"{% if not loop.last %},{% endif +%} -{% endfor %} - ] -} diff --git a/partition/roles/ztp/templates/resolv.conf.j2 b/partition/roles/ztp/templates/resolv.conf.j2 deleted file mode 100644 index 596bdf60..00000000 --- a/partition/roles/ztp/templates/resolv.conf.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{% for ns in ztp_sonic_nameservers %} -nameserver {{ ns }} -{% endfor %} diff --git a/partition/roles/ztp/templates/ztp.json.j2 b/partition/roles/ztp/templates/ztp.json.j2 index 8a10617c..00aa03e6 100644 --- a/partition/roles/ztp/templates/ztp.json.j2 +++ b/partition/roles/ztp/templates/ztp.json.j2 @@ -9,14 +9,8 @@ "files": [ { "url": { - "source": "http://{{ ztp_listen_address }}:{{ ztp_port }}/resolv.conf", - "destination": "/etc/resolv.conf" - } - }, - { - "url": { - "source": "http://{{ ztp_listen_address }}:{{ ztp_port }}/iptables.json", - "destination": "/etc/sonic/iptables.json" + "source": "http://{{ ztp_listen_address }}:{{ ztp_port }}/frr.conf", + "destination": "/etc/sonic/frr/frr.conf" } } ] From ffd1fe6438862beefbf33e43a603504e66d9505b Mon Sep 17 00:00:00 2001 From: iljarotar Date: Mon, 9 Dec 2024 14:22:33 +0100 Subject: [PATCH 16/27] readme --- partition/roles/ztp/README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/partition/roles/ztp/README.md b/partition/roles/ztp/README.md index 7355b9c9..c0fab9c8 100644 --- a/partition/roles/ztp/README.md +++ b/partition/roles/ztp/README.md @@ -34,8 +34,6 @@ ztp_additional_files: data: ... ``` -## Noteworthy - When a SONiC switch is deployed via `ztp.json` and configured by the `sonic` role afterwards, make sure to leave the `sonic_ports`, `sonic_portchannels` and `sonic_breakouts` variables empty and set `sonic_render_config_db_template` to false. Otherwise the `sonic` role will override the `config_db.json` provided by the `ztp.json`. The result of this is unpredictable and, in the worst case, the switch might reach a broken state from which it can only be restored by resetting it completely and setting it up from scratch. From eb95178d2ea2c19fe3aed90250821fafc8ce0cf2 Mon Sep 17 00:00:00 2001 From: iljarotar Date: Thu, 12 Dec 2024 08:14:41 +0100 Subject: [PATCH 17/27] ztp provisioning script as a template --- partition/roles/ztp/README.md | 21 +++++++++++---------- partition/roles/ztp/tasks/main.yaml | 7 +++++++ partition/roles/ztp/templates/ztp.json.j2 | 2 +- 3 files changed, 19 insertions(+), 11 deletions(-) diff --git a/partition/roles/ztp/README.md b/partition/roles/ztp/README.md index c0fab9c8..84c24a6a 100644 --- a/partition/roles/ztp/README.md +++ b/partition/roles/ztp/README.md @@ -40,13 +40,14 @@ The result of this is unpredictable and, in the worst case, the switch might rea ## Variables -| Name | Mandatory | Description | -| -------------------- | --------- | ----------------------------------------------------------- | -| ztp_nginx_image_name | yes | the docker image to use to serve ztp scripts. | -| ztp_nginx_image_tag | yes | the tag of the docker image to use to serve ztp scripts. | -| ztp_host_dir_path | | the path to serve ztp scripts from. | -| ztp_listen_address | | the address used to serve ztp requests | -| ztp_port | | the port to serve ztp scripts on. | -| ztp_authorized_keys | yes | the authorized keys that should be installed by ztp. | -| ztp_admin_user | | the user for which the authorized keys will be provisioned. | -| ztp_additional_files | | puts additional files into serve directory. | +| Name | Mandatory | Description | +| ----------------------- | --------- | ---------------------------------------------------------------------------------------------- | +| ztp_nginx_image_name | yes | the docker image to use to serve ztp scripts. | +| ztp_nginx_image_tag | yes | the tag of the docker image to use to serve ztp scripts. | +| ztp_host_dir_path | | the path to serve ztp scripts from. | +| ztp_listen_address | | the address used to serve ztp requests | +| ztp_port | | the port to serve ztp scripts on. | +| ztp_authorized_keys | yes | the authorized keys that should be installed by ztp. | +| ztp_admin_user | | the user for which the authorized keys will be provisioned. | +| ztp_additional_files | | puts additional files into serve directory. | +| ztp_provisioning_script | | jinja template for optional ztp-provisioning-script.sh to be executed at the end of `ztp.json` | diff --git a/partition/roles/ztp/tasks/main.yaml b/partition/roles/ztp/tasks/main.yaml index c20adbdc..bdbff349 100644 --- a/partition/roles/ztp/tasks/main.yaml +++ b/partition/roles/ztp/tasks/main.yaml @@ -26,6 +26,13 @@ - ztp.json.j2 - ztp.sh.j2 +- name: render ztp-provisioning-script + template: + content: "{{ ztp_provisioning_script }}" + dest: "{{ ztp_host_dir_path }}/config/ztp-provisioning-script.sh" + mode: 0644 + when: ztp_provisioning_script is defined + - name: copy frr.conf copy: dest: "{{ ztp_host_dir_path }}/config/frr.conf" diff --git a/partition/roles/ztp/templates/ztp.json.j2 b/partition/roles/ztp/templates/ztp.json.j2 index 00aa03e6..777a4c9a 100644 --- a/partition/roles/ztp/templates/ztp.json.j2 +++ b/partition/roles/ztp/templates/ztp.json.j2 @@ -25,7 +25,7 @@ }, "clear-config": true }, -{% if ztp_additional_files | selectattr('name', 'equalto', 'ztp-provisioning-script.sh') %} +{% if ztp_provisioning_script %} "05-provisioning-script": { "plugin": { "url": "http://{{ ztp_listen_address }}:{{ ztp_port }}/ztp-provisioning-script.sh" From a60aedd91783a7ea71398395c74d08a73c7d358a Mon Sep 17 00:00:00 2001 From: iljarotar Date: Thu, 12 Dec 2024 08:36:45 +0100 Subject: [PATCH 18/27] fix template jobs --- partition/roles/ztp/tasks/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/partition/roles/ztp/tasks/main.yaml b/partition/roles/ztp/tasks/main.yaml index bdbff349..cdd0fdb6 100644 --- a/partition/roles/ztp/tasks/main.yaml +++ b/partition/roles/ztp/tasks/main.yaml @@ -28,7 +28,7 @@ - name: render ztp-provisioning-script template: - content: "{{ ztp_provisioning_script }}" + src: "{{ ztp_provisioning_script }}" dest: "{{ ztp_host_dir_path }}/config/ztp-provisioning-script.sh" mode: 0644 when: ztp_provisioning_script is defined From 3ace65e4154b0b7079815ebbfa4d1742e54937b0 Mon Sep 17 00:00:00 2001 From: iljarotar Date: Thu, 12 Dec 2024 08:40:26 +0100 Subject: [PATCH 19/27] Revert "fix template jobs" This reverts commit a60aedd91783a7ea71398395c74d08a73c7d358a. --- partition/roles/ztp/tasks/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/partition/roles/ztp/tasks/main.yaml b/partition/roles/ztp/tasks/main.yaml index cdd0fdb6..bdbff349 100644 --- a/partition/roles/ztp/tasks/main.yaml +++ b/partition/roles/ztp/tasks/main.yaml @@ -28,7 +28,7 @@ - name: render ztp-provisioning-script template: - src: "{{ ztp_provisioning_script }}" + content: "{{ ztp_provisioning_script }}" dest: "{{ ztp_host_dir_path }}/config/ztp-provisioning-script.sh" mode: 0644 when: ztp_provisioning_script is defined From f65afe186bba6c15291d0de2d0091fab5f2ed035 Mon Sep 17 00:00:00 2001 From: iljarotar Date: Thu, 12 Dec 2024 08:40:32 +0100 Subject: [PATCH 20/27] Revert "ztp provisioning script as a template" This reverts commit eb95178d2ea2c19fe3aed90250821fafc8ce0cf2. --- partition/roles/ztp/README.md | 21 ++++++++++----------- partition/roles/ztp/tasks/main.yaml | 7 ------- partition/roles/ztp/templates/ztp.json.j2 | 2 +- 3 files changed, 11 insertions(+), 19 deletions(-) diff --git a/partition/roles/ztp/README.md b/partition/roles/ztp/README.md index 84c24a6a..c0fab9c8 100644 --- a/partition/roles/ztp/README.md +++ b/partition/roles/ztp/README.md @@ -40,14 +40,13 @@ The result of this is unpredictable and, in the worst case, the switch might rea ## Variables -| Name | Mandatory | Description | -| ----------------------- | --------- | ---------------------------------------------------------------------------------------------- | -| ztp_nginx_image_name | yes | the docker image to use to serve ztp scripts. | -| ztp_nginx_image_tag | yes | the tag of the docker image to use to serve ztp scripts. | -| ztp_host_dir_path | | the path to serve ztp scripts from. | -| ztp_listen_address | | the address used to serve ztp requests | -| ztp_port | | the port to serve ztp scripts on. | -| ztp_authorized_keys | yes | the authorized keys that should be installed by ztp. | -| ztp_admin_user | | the user for which the authorized keys will be provisioned. | -| ztp_additional_files | | puts additional files into serve directory. | -| ztp_provisioning_script | | jinja template for optional ztp-provisioning-script.sh to be executed at the end of `ztp.json` | +| Name | Mandatory | Description | +| -------------------- | --------- | ----------------------------------------------------------- | +| ztp_nginx_image_name | yes | the docker image to use to serve ztp scripts. | +| ztp_nginx_image_tag | yes | the tag of the docker image to use to serve ztp scripts. | +| ztp_host_dir_path | | the path to serve ztp scripts from. | +| ztp_listen_address | | the address used to serve ztp requests | +| ztp_port | | the port to serve ztp scripts on. | +| ztp_authorized_keys | yes | the authorized keys that should be installed by ztp. | +| ztp_admin_user | | the user for which the authorized keys will be provisioned. | +| ztp_additional_files | | puts additional files into serve directory. | diff --git a/partition/roles/ztp/tasks/main.yaml b/partition/roles/ztp/tasks/main.yaml index bdbff349..c20adbdc 100644 --- a/partition/roles/ztp/tasks/main.yaml +++ b/partition/roles/ztp/tasks/main.yaml @@ -26,13 +26,6 @@ - ztp.json.j2 - ztp.sh.j2 -- name: render ztp-provisioning-script - template: - content: "{{ ztp_provisioning_script }}" - dest: "{{ ztp_host_dir_path }}/config/ztp-provisioning-script.sh" - mode: 0644 - when: ztp_provisioning_script is defined - - name: copy frr.conf copy: dest: "{{ ztp_host_dir_path }}/config/frr.conf" diff --git a/partition/roles/ztp/templates/ztp.json.j2 b/partition/roles/ztp/templates/ztp.json.j2 index 777a4c9a..00aa03e6 100644 --- a/partition/roles/ztp/templates/ztp.json.j2 +++ b/partition/roles/ztp/templates/ztp.json.j2 @@ -25,7 +25,7 @@ }, "clear-config": true }, -{% if ztp_provisioning_script %} +{% if ztp_additional_files | selectattr('name', 'equalto', 'ztp-provisioning-script.sh') %} "05-provisioning-script": { "plugin": { "url": "http://{{ ztp_listen_address }}:{{ ztp_port }}/ztp-provisioning-script.sh" From 4042c6fd8132117145398570cf2efc9cf2194cfc Mon Sep 17 00:00:00 2001 From: iljarotar Date: Thu, 12 Dec 2024 15:03:46 +0100 Subject: [PATCH 21/27] readme --- partition/roles/ztp/README.md | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/partition/roles/ztp/README.md b/partition/roles/ztp/README.md index c0fab9c8..b5e84238 100644 --- a/partition/roles/ztp/README.md +++ b/partition/roles/ztp/README.md @@ -36,7 +36,25 @@ ztp_additional_files: When a SONiC switch is deployed via `ztp.json` and configured by the `sonic` role afterwards, make sure to leave the `sonic_ports`, `sonic_portchannels` and `sonic_breakouts` variables empty and set `sonic_render_config_db_template` to false. Otherwise the `sonic` role will override the `config_db.json` provided by the `ztp.json`. -The result of this is unpredictable and, in the worst case, the switch might reach a broken state from which it can only be restored by resetting it completely and setting it up from scratch. +The result of this may not be intended and, in the worst case, the switch will reach a broken state from which it only can be restored by a factory reset. +Of course it is also possible to load only a minimal `config_db.json` via ZTP and allow the `sonic` role to render its template based on the `sonic_ports`, `sonic_portchannels` and `sonic_breakouts` variables. +Both approaches have their pros and cons. + +### Pros and Cons of Loading a Static config_db.json via ZTP + +The main advantage of loading the `config_db.json` once via ZTP and disabling template rendering by the `sonic` role is a better stability and the ability to configure the switch exactly as needed without relying on the complex templating logic in the `sonic` role. +As mentioned above, the problem with loading a new config each time the `sonic` role is run is that even seemingly small changes might break the system (swss crash). +On the other hand, with a ZTP-only approach, since ZTP only runs during initial setup of the switch, the only way of changing the config is by resetting the switch to activate ZTP. +So the desicion of whether to use the `sonic` role's dynamic config or a static ZTP-only config comes down to questions like: + +- how often will the config need to change? +- do all ports on the switch look more or less the same or are there ports that require some specific configuration? + +In the latter case the templating might run into certain edge cases, where the resulting config breaks the system. +Then you should consider using only a static config. + +> For the time being it is up to the user which provisioning procedure they prefer. +> In the future we hope to come up with a single solution that is both flexible and reliable. ## Variables From 69f9b339d69efaf18ceb32bed8aea465de39bea2 Mon Sep 17 00:00:00 2001 From: iljarotar Date: Thu, 12 Dec 2024 15:17:06 +0100 Subject: [PATCH 22/27] ztp_provisioning_script var --- partition/roles/ztp/README.md | 21 +++++++++++---------- partition/roles/ztp/tasks/main.yaml | 7 +++++++ 2 files changed, 18 insertions(+), 10 deletions(-) diff --git a/partition/roles/ztp/README.md b/partition/roles/ztp/README.md index b5e84238..b6f7ca57 100644 --- a/partition/roles/ztp/README.md +++ b/partition/roles/ztp/README.md @@ -58,13 +58,14 @@ Then you should consider using only a static config. ## Variables -| Name | Mandatory | Description | -| -------------------- | --------- | ----------------------------------------------------------- | -| ztp_nginx_image_name | yes | the docker image to use to serve ztp scripts. | -| ztp_nginx_image_tag | yes | the tag of the docker image to use to serve ztp scripts. | -| ztp_host_dir_path | | the path to serve ztp scripts from. | -| ztp_listen_address | | the address used to serve ztp requests | -| ztp_port | | the port to serve ztp scripts on. | -| ztp_authorized_keys | yes | the authorized keys that should be installed by ztp. | -| ztp_admin_user | | the user for which the authorized keys will be provisioned. | -| ztp_additional_files | | puts additional files into serve directory. | +| Name | Mandatory | Description | +| ----------------------- | --------- | ----------------------------------------------------------- | +| ztp_nginx_image_name | yes | the docker image to use to serve ztp scripts. | +| ztp_nginx_image_tag | yes | the tag of the docker image to use to serve ztp scripts. | +| ztp_host_dir_path | | the path to serve ztp scripts from. | +| ztp_listen_address | | the address used to serve ztp requests | +| ztp_port | | the port to serve ztp scripts on. | +| ztp_authorized_keys | yes | the authorized keys that should be installed by ztp. | +| ztp_admin_user | | the user for which the authorized keys will be provisioned. | +| ztp_additional_files | | puts additional files into serve directory. | +| ztp_provisioning_script | | shell script to be executed as a last step in the ztp.json | diff --git a/partition/roles/ztp/tasks/main.yaml b/partition/roles/ztp/tasks/main.yaml index c20adbdc..0704dd9d 100644 --- a/partition/roles/ztp/tasks/main.yaml +++ b/partition/roles/ztp/tasks/main.yaml @@ -41,6 +41,13 @@ loop_control: label: "{{ item.name }}" +- name: copy ztp-provisioning-script + copy: + dest: "{{ ztp_host_dir_path }}/config/ztp-provisioning-script.sh" + content: "{{ ztp_provisioning_script }}" + mode: 0644 + when: ztp_provisioning_script is defined + - name: deploy server for serving ztp.sh include_role: name: ansible-common/roles/systemd-docker-service From 1981cee755e87a45bba68f46fa3a57d63347960e Mon Sep 17 00:00:00 2001 From: iljarotar Date: Thu, 12 Dec 2024 16:08:02 +0100 Subject: [PATCH 23/27] fix template --- partition/roles/ztp/templates/ztp.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/partition/roles/ztp/templates/ztp.json.j2 b/partition/roles/ztp/templates/ztp.json.j2 index 00aa03e6..777a4c9a 100644 --- a/partition/roles/ztp/templates/ztp.json.j2 +++ b/partition/roles/ztp/templates/ztp.json.j2 @@ -25,7 +25,7 @@ }, "clear-config": true }, -{% if ztp_additional_files | selectattr('name', 'equalto', 'ztp-provisioning-script.sh') %} +{% if ztp_provisioning_script %} "05-provisioning-script": { "plugin": { "url": "http://{{ ztp_listen_address }}:{{ ztp_port }}/ztp-provisioning-script.sh" From b95bf4a3583b74144bfdd1f11559d3c2e38cbe0e Mon Sep 17 00:00:00 2001 From: iljarotar Date: Fri, 13 Dec 2024 12:59:50 +0100 Subject: [PATCH 24/27] rename ztp.sh to user.sh --- partition/roles/dhcp/defaults/main.yaml | 2 +- partition/roles/ztp/tasks/main.yaml | 6 +++--- partition/roles/ztp/templates/{ztp.sh.j2 => user.sh.j2} | 0 partition/roles/ztp/templates/ztp.json.j2 | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) rename partition/roles/ztp/templates/{ztp.sh.j2 => user.sh.j2} (100%) diff --git a/partition/roles/dhcp/defaults/main.yaml b/partition/roles/dhcp/defaults/main.yaml index 96794a45..b412604c 100644 --- a/partition/roles/dhcp/defaults/main.yaml +++ b/partition/roles/dhcp/defaults/main.yaml @@ -19,7 +19,7 @@ dhcp_global_options: [] # examples: # - default-url = "http://{{ ansible_host }}/onie-installer" # - ztp_provisioning_script_url code 239 = text -# - ztp_provisioning_script_url "http://{{ ansible_host }}/ztp.sh" +# - ztp_provisioning_script_url "http://{{ ansible_host }}/user.sh" dhcp_global_deny_list: [] # examples: diff --git a/partition/roles/ztp/tasks/main.yaml b/partition/roles/ztp/tasks/main.yaml index 0704dd9d..02c9b2e8 100644 --- a/partition/roles/ztp/tasks/main.yaml +++ b/partition/roles/ztp/tasks/main.yaml @@ -10,7 +10,7 @@ - ztp_nginx_image_name is defined - ztp_nginx_image_tag is defined - ztp_authorized_keys is not none - - "'ztp.sh' not in ztp_additional_files | map(attribute='name')" + - "'user.sh' not in ztp_additional_files | map(attribute='name')" - name: create ztp config directory file: @@ -24,7 +24,7 @@ mode: 0644 loop: - ztp.json.j2 - - ztp.sh.j2 + - user.sh.j2 - name: copy frr.conf copy: @@ -48,7 +48,7 @@ mode: 0644 when: ztp_provisioning_script is defined -- name: deploy server for serving ztp.sh +- name: deploy server for serving ztp files include_role: name: ansible-common/roles/systemd-docker-service vars: diff --git a/partition/roles/ztp/templates/ztp.sh.j2 b/partition/roles/ztp/templates/user.sh.j2 similarity index 100% rename from partition/roles/ztp/templates/ztp.sh.j2 rename to partition/roles/ztp/templates/user.sh.j2 diff --git a/partition/roles/ztp/templates/ztp.json.j2 b/partition/roles/ztp/templates/ztp.json.j2 index 777a4c9a..1eb2add3 100644 --- a/partition/roles/ztp/templates/ztp.json.j2 +++ b/partition/roles/ztp/templates/ztp.json.j2 @@ -2,7 +2,7 @@ "ztp": { "02-user": { "plugin": { - "url": "http://{{ ztp_listen_address }}:{{ ztp_port }}/ztp.sh" + "url": "http://{{ ztp_listen_address }}:{{ ztp_port }}/user.sh" } }, "03-download": { From c64b4a0e9fdd4fe2f5edd8ae30a1a65d0843f30e Mon Sep 17 00:00:00 2001 From: iljarotar Date: Fri, 13 Dec 2024 13:01:41 +0100 Subject: [PATCH 25/27] adjustments to ztp.json --- partition/roles/ztp/templates/ztp.json.j2 | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/partition/roles/ztp/templates/ztp.json.j2 b/partition/roles/ztp/templates/ztp.json.j2 index 1eb2add3..e40b96b5 100644 --- a/partition/roles/ztp/templates/ztp.json.j2 +++ b/partition/roles/ztp/templates/ztp.json.j2 @@ -30,10 +30,9 @@ "plugin": { "url": "http://{{ ztp_listen_address }}:{{ ztp_port }}/ztp-provisioning-script.sh" }, - "shell": true, - "reboot-on-success": true + "shell": true }, {% endif %} - "restart-ztp-no-config": false + "reboot-on-success": true } } From 8ec6bb34af966d97bd641c93e24a8153d7df845c Mon Sep 17 00:00:00 2001 From: iljarotar Date: Fri, 13 Dec 2024 14:14:04 +0100 Subject: [PATCH 26/27] factor out config_db tasks into separate file --- partition/roles/sonic/tasks/config_db.yaml | 79 +++++++++++++++++++++ partition/roles/sonic/tasks/main.yaml | 80 +--------------------- 2 files changed, 80 insertions(+), 79 deletions(-) create mode 100644 partition/roles/sonic/tasks/config_db.yaml diff --git a/partition/roles/sonic/tasks/config_db.yaml b/partition/roles/sonic/tasks/config_db.yaml new file mode 100644 index 00000000..28478855 --- /dev/null +++ b/partition/roles/sonic/tasks/config_db.yaml @@ -0,0 +1,79 @@ +--- +- name: Check mandatory variables on non-empty sonic_ports are set + assert: + fail_msg: "default port configuration is necessary on non-empty sonic_ports" + quiet: yes + that: + - sonic_ports_default_speed + - sonic_ports_default_mtu + when: sonic_ports + +- name: Check mandatory variables on non-empty sonic_portchannels are set + assert: + fail_msg: "default configuration is necessary on non-empty sonic_portchannels" + quiet: yes + that: + - sonic_portchannels_default_mtu + when: sonic_portchannels + +- name: Populate sonic_ports_dict + set_fact: + sonic_ports_dict: "{{ sonic_ports_dict|default({}) | combine( {item.name: item} ) }}" + loop: "{{ sonic_ports }}" + +# Dependencies are returned by config. +- name: Configure breakouts + command: "config interface breakout --yes {{ item.key }} '{{ item.value }}'" + register: breakout_result + changed_when: "'Breakout process got successfully completed.' in breakout_result.stdout" + failed_when: "breakout_result.rc != 0 or 'Dependecies Exist. No further action will be taken' in breakout_result.stdout" + with_dict: "{{ sonic_breakouts }}" + when: sonic_breakouts is defined + +- name: Delete deprecated metal.yaml + ansible.builtin.file: + path: "/etc/sonic/metal.yaml" + state: absent + +- name: Get running configuration + ansible.builtin.command: show runningconfiguration all + register: sonic_running_cfg_result + changed_when: false + +- name: Parse running configuration + ansible.builtin.set_fact: + sonic_running_cfg: "{{ sonic_running_cfg_result.stdout | from_json }}" + +- name: Extract running configuration for breakouts and ports + ansible.builtin.set_fact: + sonic_running_cfg_breakouts: "{{ sonic_running_cfg | community.general.json_query('BREAKOUT_CFG') }}" + sonic_running_cfg_hwsku: "{{ sonic_running_cfg | community.general.json_query('DEVICE_METADATA.localhost.hwsku') }}" + sonic_running_cfg_mac: "{{ sonic_running_cfg | community.general.json_query('DEVICE_METADATA.localhost.mac') }}" + sonic_running_cfg_platform: "{{ sonic_running_cfg | community.general.json_query('DEVICE_METADATA.localhost.platform') }}" + sonic_running_cfg_ports: "{{ sonic_running_cfg | community.general.json_query('PORT') }}" + +- name: Fail if running configuration doesn't contain required information + ansible.builtin.assert: + that: + - sonic_running_cfg_hwsku + - sonic_running_cfg_mac + - sonic_running_cfg_platform + - sonic_running_cfg_ports + fail_msg: The running configuration is incomplete because it does not contain 'PORT' or complete 'DEVICE_METADATA'. + +- name: Fail if running configuration doesn't contain breakout configuration + ansible.builtin.assert: + that: + - sonic_running_cfg_breakouts + fail_msg: The running configuration is incomplete because it does not contain 'BREAKOUT_CFG'. + when: sonic_breakouts is defined + +- name: Render config_db + set_fact: + config_db: "{{ lookup('template', 'metal.yaml.j2') }}" + +- name: Save config_db as JSON file + copy: + content: "{{ config_db | from_yaml | to_nice_json }}" + dest: /etc/sonic/config_db.json + notify: "config {{ sonic_config_action }}" diff --git a/partition/roles/sonic/tasks/main.yaml b/partition/roles/sonic/tasks/main.yaml index fb9877ec..c5831bfe 100644 --- a/partition/roles/sonic/tasks/main.yaml +++ b/partition/roles/sonic/tasks/main.yaml @@ -15,28 +15,6 @@ - sonic_nameservers is defined - metal_stack_switch_os_is_sonic -- name: Check mandatory variables on non-empty sonic_ports are set - assert: - fail_msg: "default port configuration is necessary on non-empty sonic_ports" - quiet: yes - that: - - sonic_ports_default_speed - - sonic_ports_default_mtu - when: sonic_ports - -- name: Check mandatory variables on non-empty sonic_portchannels are set - assert: - fail_msg: "default configuration is necessary on non-empty sonic_portchannels" - quiet: yes - that: - - sonic_portchannels_default_mtu - when: sonic_portchannels - -- name: Populate sonic_ports_dict - set_fact: - sonic_ports_dict: "{{ sonic_ports_dict|default({}) | combine( {item.name: item} ) }}" - loop: "{{ sonic_ports }}" - - name: render resolv.conf template: src: resolv.conf.j2 @@ -58,65 +36,9 @@ value: "1" when: sonic_ip_masquerade -# Dependencies are returned by config. -- name: Configure breakouts - command: "config interface breakout --yes {{ item.key }} '{{ item.value }}'" - register: breakout_result - changed_when: "'Breakout process got successfully completed.' in breakout_result.stdout" - failed_when: "breakout_result.rc != 0 or 'Dependecies Exist. No further action will be taken' in breakout_result.stdout" - with_dict: "{{ sonic_breakouts }}" - when: sonic_breakouts is defined - -- name: Delete deprecated metal.yaml - ansible.builtin.file: - path: "/etc/sonic/metal.yaml" - state: absent - -- name: Get running configuration - ansible.builtin.command: show runningconfiguration all - register: sonic_running_cfg_result - changed_when: false - -- name: Parse running configuration - ansible.builtin.set_fact: - sonic_running_cfg: "{{ sonic_running_cfg_result.stdout | from_json }}" - -- name: Extract running configuration for breakouts and ports - ansible.builtin.set_fact: - sonic_running_cfg_breakouts: "{{ sonic_running_cfg | community.general.json_query('BREAKOUT_CFG') }}" - sonic_running_cfg_hwsku: "{{ sonic_running_cfg | community.general.json_query('DEVICE_METADATA.localhost.hwsku') }}" - sonic_running_cfg_mac: "{{ sonic_running_cfg | community.general.json_query('DEVICE_METADATA.localhost.mac') }}" - sonic_running_cfg_platform: "{{ sonic_running_cfg | community.general.json_query('DEVICE_METADATA.localhost.platform') }}" - sonic_running_cfg_ports: "{{ sonic_running_cfg | community.general.json_query('PORT') }}" - -- name: Fail if running configuration doesn't contain required information - ansible.builtin.assert: - that: - - sonic_running_cfg_hwsku - - sonic_running_cfg_mac - - sonic_running_cfg_platform - - sonic_running_cfg_ports - fail_msg: The running configuration is incomplete because it does not contain 'PORT' or complete 'DEVICE_METADATA'. - -- name: Fail if running configuration doesn't contain breakout configuration - ansible.builtin.assert: - that: - - sonic_running_cfg_breakouts - fail_msg: The running configuration is incomplete because it does not contain 'BREAKOUT_CFG'. - when: sonic_breakouts is defined - - name: Render and save config_db + include_tasks: config_db.yaml when: sonic_render_config_db_template - block: - - name: Render config_db - set_fact: - config_db: "{{ lookup('template', 'metal.yaml.j2') }}" - - - name: Save config_db as JSON file - copy: - content: "{{ config_db | from_yaml | to_nice_json }}" - dest: /etc/sonic/config_db.json - notify: "config {{ sonic_config_action }}" - name: Set NTP timezone timezone: From 92ee6863947c2e5a747e8dfe25b370bf46f18acb Mon Sep 17 00:00:00 2001 From: Ilja Rotar <77339620+iljarotar@users.noreply.github.com> Date: Fri, 13 Dec 2024 14:33:57 +0100 Subject: [PATCH 27/27] Update partition/roles/sonic/tasks/main.yaml Co-authored-by: Robert Volkmann <20912167+robertvolkmann@users.noreply.github.com> --- partition/roles/sonic/tasks/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/partition/roles/sonic/tasks/main.yaml b/partition/roles/sonic/tasks/main.yaml index c5831bfe..bbf3263c 100644 --- a/partition/roles/sonic/tasks/main.yaml +++ b/partition/roles/sonic/tasks/main.yaml @@ -37,7 +37,7 @@ when: sonic_ip_masquerade - name: Render and save config_db - include_tasks: config_db.yaml + import_tasks: config_db.yaml when: sonic_render_config_db_template - name: Set NTP timezone