Adding VRF and VXLAN support for systemd-networkd (LP: #1764716, LP: #1773522)

[netdever]

Description

Adding VRF and VXLAN support for systemd-networkd.

Checklist

• Runs make check successfully.
• Retains 100% code coverage (make check-coverage).
• New/changed keys in YAML format are documented.
• (Optional) Adds example YAML for new feature.
• (Optional) Closes an open bug in Launchpad. LP#1764716, LP#1773522

[codecov-commenter]

Codecov Report

Merging #272 (c8ed0cf) into main (6b9a3b7) will decrease coverage by 0.82%.
The diff coverage is 66.54%.

@@            Coverage Diff             @@
##             main     #272      +/-   ##
==========================================
- Coverage   99.06%   98.24%   -0.83%     
==========================================
  Files          61       63       +2     
  Lines       11160    11471     +311     
==========================================
+ Hits        11056    11270     +214     
- Misses        104      201      +97     

Impacted Files	Coverage Δ
src/parse-nm.c	100.00% <ø> (ø)
src/parse.c	97.97% <38.23%> (-1.87%)	⬇️
src/netplan.c	90.97% <45.71%> (-9.03%)	⬇️
src/networkd.c	95.62% <57.53%> (-4.38%)	⬇️
src/validation.c	98.51% <75.00%> (-1.10%)	⬇️
netplan/configmanager.py	100.00% <100.00%> (ø)
src/types.c	100.00% <100.00%> (ø)
tests/generator/base.py	100.00% <100.00%> (ø)
tests/generator/test_bridges.py	100.00% <100.00%> (ø)
tests/generator/test_ethernets.py	100.00% <100.00%> (ø)
... and 11 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6b9a3b7...c8ed0cf. Read the comment docs.

[slyon]

Hi @netdever
Thank you very much for your contribution to netplan, this is highly appreciated, especially as the two LP bugs that you're addressing have been long-standing feature requests!

I did an initial review and mentioned some smaller issues and questions in inline comments.

I am now also thinking about bigger changes that might be needed:

• configmanager.py to go away (conflict with YAML consolidation: final patch set for configmanager.py (FR-702) #255)
• NetplanTristate type should be added (conflict with Add tristate type for offload options (LP: #1956264) #270)
• Linking of network interfaces: I wonder if we should rather define a VRF's child interfaces inside the vrf definition itself, using an interfaces: [...] setting (as suggested in the LP#1773522) instead of splitting the definition across parent and child, using the vrf: ... link:

network:
  version: 2
  renderer: networkd
  vrfs:
    vrf-test:
      interfaces:
        - bond0
        - br0
        - br-bond0
        - tun0
      table: auto # or a specific integer

• Similarly, I need to thinkg about the linking of VXLAN devices, as the ethX.vxlans.names = [...] seems to be a bit cumbersome. Is there a specific reason why you went for this nestring structure?
• Overall, I want to review all the new YAML settings in detail, to make sure we implement a simple and easily comprehensible wording. There is nothing to change about this right now... for the current stage we can just go with systemd-networkd's naming scheme and we can easily change/adopt that, once agreed upon (but before we merge the PR :))
• NetworkManager also supports (most) VRF/VXLAN settings that are implemented in this PR for the systemd-networkd backend renderer. With all the parsing code already in place, it should be relatively easy to implement those in src/nm.c. Would you be interested in doing that? But it could also be done as part of a separate PR, in which case we should at least log a warning from the NetworkManager backend renderer, that those settings are not currently supported on that backend.
• Finally, I'd really love to see some actuall integration tests (in tests/integration/...) that make use of those new VRF and VXLAN features and check the fully configured system at runtime, to make sure the settings are actually applied. Is that something you could add do your PR? The tests are being run as autopkgtests, as can be seen (and reproduced locally) in ".github/workflows/autopkgtest.yml`.

[slyon]

I wonder if we should bundle those up as individual Flags somehow, e.g. checksums: [udp6-zero-rx, udp6-zero-tx, remote-rx, remote-tx, udp]

Similar to how it is done for optional-addresses

[netdever]

I gave this a shot but hit some snags. I'm not sure optional-addresses behaves the same way, but I could be missing something.

[slyon]

configmanager.py will go away once we land PR #255 So this might need to be re-worked to make it play nice with the new and consolidated YAML parser from that PR (depending on which PR will be merged first...)

This is just a FYI for you right now. The vrf/vxlan configmanager code is good as-is for now. We shouldn't put too much effort into it, though as it will go away.

[netdever]

Fingers crossed this gets merged first :)

[slyon]

maybe those could be bundled as flags/enum, similar to NetplanOptionalAddressFlag

[netdever]

Had some trouble trying to bundle these myself, so leaving as is for now. Any help would be appreciated if we feel it's necessary to make this change.

[slyon]

In which way would we specify a "port-range" value? Can you give an example for this?

It seems like NetworkManager uses two separate settings for this:

• source-port-max
• source-port-min

Combining those into a single "port-range" sounds nice, but I'm wondering about the syntax?

https://networkmanager.dev/docs/api/latest/nm-settings-nmcli.html#id-1.2.9.4.43

[netdever]

In my testing, I could only specify an integer for PortRange= using systemd-networkd. Obviously that's not a "range." Documentation is lacking for this parameter in systemd-networkd.

[slyon]

I found and answer in systemd's source code: https://github.com/systemd/systemd/blob/main/src/basic/parse-util.c#L259

the parse_range() util allows giving a range like this: "1-2892" from LOWER to UPPER bound, separated by dash.

I think we should potentially use a source-port-range: [1, 2892] syntax in netplan, i.e. an explicit list with exactly two elements (LOWER, UPPER).

[netdever]

OK, I was able to get this to work as described. There isn't validation for it yet, though.

[slyon]

IIUC Networkmanager uses a single setting to specify "remote" and "group", I wonder if we could do the same? Would the "remote" and "group" settings ever be used at the same time? Or can we deduct from the setting's value which one was meant by the user?

https://networkmanager.dev/docs/api/latest/nm-settings-nmcli.html#id-1.2.9.4.43

[slyon]

Ineed, Group= will always be a multicast IP address (i.e. from a reserved IPv4/6 range), so we can implicitly derive this information, therefore I'd like to reduce those two fields to just a single remote field, that is than translated to Remote= or Group= for systemd-networkd depending on if it is a multicast IP or not.

[slyon]

Beware that the gboolean variable cannot hold a TRUE, FALSE or UNSET (i.e. kernel's default) value, as described in the netplan.md documentation. I think we need a NetplanTristate type here, as is currently being drafted in #270 (src/types.h). We should probably copy and use that type definition into this PR, too, so it can be merged later on (depending on which PR lands first).

The same problem applies to neigh-suppress and potentially other boolean values, that are also supposed to have an "unset" state.

[netdever]

• Linking of VRFs now looks more like the example in the linked LP bug.
• Linking of VXLANs to source interfaces no longer requires the names subvar.
• VXLAN source-port-range now works as suggested (lacks validation)

[slyon]

This seems to be a rather generic [Bridge] setting, not necessarily related to VXLANs.. Is it required for VXLAN? If so, we should implement it as a generic bridge feature (and probably use a tristate type, too).

Otherwise, I'd like to just drop it from this PR, as it seems unrelated. Especially, as there is currently no implementation in any backend (neither networkd.c nor nm.c for this neigh_suppress variable).

[netdever]

Neighbor suppression (arp-nd-suppression) is required for VXLAN configuration. It is disabled by default, but many implementations, specifically those utilizing EVPN, will need it to be enabled. In systemd-networkd, it looks like this:

root@host1:~# cat /run/systemd/network/10-netplan-vxlan10.network 
[Match]
Name=vxlan10

[Link]
MTUBytes=8950

[Network]
LinkLocalAddressing=no
IPv6AcceptRA=no
ConfigureWithoutCarrier=yes
Bridge=bridge10

[Bridge]
NeighborSuppression=True

[netdever]

The command to enable this feature is bridge link set dev vxlan10 neigh_suppress on

[slyon]

Thank you for your comments about this. Being a [Bridge] setting in sd-networkd, I still wonder if this is a setting that should be set on the VXLAN device itself, or rather on a bridge device that is a parent interface to the vxlan?

[netdever]

It is a VXLAN setting (ie. you cannot enable it on the master Bridge interface). It may be confusing for netplan to have it as a bridge setting, especially since enslaving a VXLAN to a Bridge is not technically a requirement.

root@host1:~# bridge link set dev bridge10 neigh_suppress on
RTNETLINK answers: Operation not supported

[slyon]

This PR got closed by accident after rebasing on top of the current main branch and then pushing the wrong branch to netdever/main. I do not have write access to netdever's branch anymore. So I created a copy of this in #285

A backup of netdever's original branch is still available here: https://github.com/slyon/netplan/tree/vrf-vxlan-netdever-BACKUP