Pass-through/transparent management interfaces #268
Conversation
Very cool! As an anecdote, in the early days, probably in the first year after I wrote vrnetlab, I presented to a few NTT guys and they were curious if they could bridge into the mgmt interfaces instead of doing NAT. At the time, the whole networking story in docker looked quite different and doing what we do now in containerlab wasn't easy, which is why vr-xcon was built in the first place. We also did a lot of work around SnabbSwitch (now Snabb - https://github.com/snabbco/snabb) and I had these ideas on using it to apply flexible forwarding rules, like take port 5000 (serial console) and send to the container while the rest could be forwarded transparently to the VM. We never had time / it was never important enough to warrant the work. But here we are, a lot later, and this PR is looking really good, very cool :) I can't help but wonder if we can make the tc rules more specific and only redirect specific traffic, and that way, we could still have some ports be forwarded to the container so we can reach the serial port!? WDYT?
Thanks for the review @plajjan! I pushed two commits to address your comments, which should work in theory, but they're still untested at the moment. I'm not sure if I can run tests today, but I'll try testing the changes over the weekend.
This comment was marked as outdated.
Correction to the post above: if you clone the management MAC of the VM, and mirror both ARP requests and responses incoming to the management interface of the VM, the serial port workaround now works! I'm marking the PR as ready for review.
Looks great! Based on your ideas I have added support for SROS in #272
@michelredondo I added IPv6 support to the management address/gw helper functions. Do note that v4/v6 has been combined into the same function returning a tuple.
@vista- I am changing the base for this PR to be the In other words, your branch becomes the base for other systems to test/align/implement this method.
One important thing to consider is that docker implements POSTROUTING MASQUERADE rules for mgmt. prefixes:
So all traffic leaving the node will be source-NATed to the same IP address, which contradicts the whole purpose of transparency. A workaround is to insert a rule that just accepts the traffic before the masquerade kicks in.
* vrnetlab: Add pass-through management interfaces
* vjunos: Add pass-through management interface support
* vrnetlab: Use JSON output of iproute2
* vrnetlab: Add exception for serial console ports 5000-5007 for transparent mode mgmt interface
* vrnetlab: Remove non-working port 5000 tc mirred exception, redirect to correct interface
* vrnetlab: Use tc clsact qdisc and flower matching as best practice
* vrnetlab: Re-add workaround for serial ports in transparent mgmt mode
* vrnetlab: Add IPv6 support to management address/gw functions
* vjunos: Add IPv6 management addresses, fix v4 address templating
* vrnetlab: Set dummy IPv6 address/gw for hostfwd management
* Pass-through/transparent management interfaces (#268)
* vrnetlab: Add pass-through management interfaces
* vjunos: Add pass-through management interface support
* vrnetlab: Use JSON output of iproute2
* vrnetlab: Add exception for serial console ports 5000-5007 for transparent mode mgmt interface
* vrnetlab: Remove non-working port 5000 tc mirred exception, redirect to correct interface
* vrnetlab: Use tc clsact qdisc and flower matching as best practice
* vrnetlab: Re-add workaround for serial ports in transparent mgmt mode
* vrnetlab: Add IPv6 support to management address/gw functions
* vjunos: Add IPv6 management addresses, fix v4 address templating
* vrnetlab: Set dummy IPv6 address/gw for hostfwd management
* nokia_sros: Add pass-through management interface support (#272)
* vrnetlab: Add pass-through management interfaces
* vjunos: Add pass-through management interface support
* vrnetlab: Use JSON output of iproute2
* vrnetlab: Add exception for serial console ports 5000-5007 for transparent mode mgmt interface
* vrnetlab: Remove non-working port 5000 tc mirred exception, redirect to correct interface
* vrnetlab: Use tc clsact qdisc and flower matching as best practice
* vrnetlab: Re-add workaround for serial ports in transparent mgmt mode
* vrnetlab: Add IPv6 support to management address/gw functions
* vjunos: Add IPv6 management addresses, fix v4 address templating
* vrnetlab: Set dummy IPv6 address/gw for hostfwd management
* Fix CSR1000v and c8000v (#269)
* Remove whitespaces from IMG_NAME and IMG_VENDOR
* Fix Cisco CSR1000v
* Fix Cisco c8000v
* Use env var passed from containerlab for IOL launch PID (#270)
* nokia_sros: Add pass-through management interface support
* fix comment
* change mgmt address parsing
* added self.mgmt_nic_passthrough to VR and VM classes
* remove copy of a healthcheck
* formatting
* added mgmt passthrough to the VR class and aligned SR OS
* added v6 address to bof

--------

Co-authored-by: vista <[email protected]>
Co-authored-by: Athanasios Kompouras <[email protected]>
Co-authored-by: Kaelem <[email protected]>
Co-authored-by: Roman Dodin <[email protected]>

* default vjunos to host-forwarded mgmt mode
* note on default systems
* vsrx: Add transparent management interface mode compatibility (#288)
* fix host vs passthrough notes
* Transparent management interfaces for Cisco nodes. (#290)
* Add function to convert CIDR to DDN notation
* Add IOS-XE device support for transparent mgmt intf
* Implement transparent mgmt intf on XRv
* Add transparent mgmt if functionality to xrv9k
* Add transparent mgmt intf to vIOS
* Add transparent mgmt intf to n9kv and use 2048 bit keys
* Remove incorrectly pasted command from n9kv
* Add explicit IPv6 enablement to vIOS
* Update vIOS default creds to `admin:admin`
* NXOS: Add transparent mgmt intf support + mgmt vrf + 2048-bit SSH keys
* change n9kv version parser and FROM image
* fix comment
* Update images to `debian:bookworm-slim`
* Update `cidr_to_ddn()` func to use stdlib for address splitting
* use `super().gen_mgmt()` to extend `gen_mgmt()` fn on XRv9k

--------

Co-authored-by: Roman Dodin <[email protected]>

* added dell sonic transparent mgmt (#292)

--------

Co-authored-by: vista- <[email protected]>
Co-authored-by: Michel Redondo <[email protected]>
Co-authored-by: Athanasios Kompouras <[email protected]>
Co-authored-by: Kaelem <[email protected]>
Co-authored-by: Kaelem Chandra <[email protected]>
This PR adds pass-through as a mode for management interfaces. The default mode for management interfaces remains host-forwarded (which is the previous and only mode supported for management interfaces).
The pass-through mode functions by simply creating yet another tc mirred interface for the NOS VM management NIC instead of binding it to a user-mode, host-forwarded one.
The main advantages of transparently passing management traffic are:
The downside of this approach is that it is no longer possible to pass traffic directly from the vrnetlab container, which has two main implications: it means you cannot install/update packages, download files via curl, etc. in the container.
Pre-defined exception traffic originating from outside the container (e.g. to the QEMU serial port listening on port 5000) can be selectively directed to the container.
With this change, three NOSes default to pass-through/transparent management:
All other NOS types should not be impacted by this change.
The management interface mode can be overridden by passing the envvar `CLAB_MGMT_PASSTHROUGH` (true/false).

Tip for developers:

The `__init__` constructor of `vrnetlab.VM` now has an additional parameter `mgmt_passthrough`, which defaults to False. Setting this to True creates a tc mirred interface for the management/first NIC instead of the host-forwarded type. This can be overridden by the envvar described above, and the resolved value can be accessed through the `self.mgmt_nic_passthrough` attribute of `vrnetlab.VM`.

Two additional convenience attributes are also available for automatically generating startup configs:

`self.mgmt_address_ipv4` contains the management IP of the node in CIDR format. This is either `10.0.0.15/24` for host-forwarded mode, or the actual management IP for pass-through mode.

`self.mgmt_gw_ipv4` contains the management default gateway for the node: `10.0.0.2` for host-forwarded mode, or the actual management gateway IP for pass-through mode.

To add new exception traffic that should be directed towards the VM, you need to add a new tc filter rule. An example rule is the following, for the QEMU serial port listening on TCP ports 5000-5007.

The exception traffic filters should be added first (lower priority numbers), before the eth0 mirred redirect rule, which should be the last.
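The two mechanisms this PR describes, reading the container's real management address/gateway from iproute2 JSON as a v4/v6 tuple and ordering the tc exception filters ahead of the catch-all mirred redirect, as an added example that is not vrnetlab's own code. The function names, the `tap0` name for the VM-side interface, the per-port flower `pass` filters and the sample JSON are all assumptions made for this illustration; the exception ports 5000-5007 are the QEMU serial ports named in the PR, and exception traffic stays in the container rather than being redirected.

```python
"""Added example (not vrnetlab's own code): derive the management address and
gateway from iproute2 JSON, then build the tc clsact/flower ruleset that keeps
the exception ports (QEMU serial, 5000-5007) in the container and redirects
everything else to the VM NIC. Function names and sample data are assumptions."""
import ipaddress
import json

# Constructed sample of `ip -j addr show dev eth0` as seen inside the container.
SAMPLE_ADDR_JSON = json.dumps([{
    "ifname": "eth0",
    "address": "02:42:ac:14:14:02",
    "addr_info": [
        {"family": "inet", "local": "172.20.20.2", "prefixlen": 24},
        {"family": "inet6", "local": "2001:db8:20::2", "prefixlen": 64, "scope": "global"},
        {"family": "inet6", "local": "fe80::42:acff:fe14:1402", "prefixlen": 64, "scope": "link"},
    ],
}])

# Constructed sample: `ip -j route show default` merged with `ip -j -6 route show default`.
SAMPLE_ROUTE_JSON = json.dumps([
    {"dst": "default", "gateway": "172.20.20.1", "dev": "eth0"},
    {"dst": "default", "gateway": "2001:db8:20::1", "dev": "eth0"},
])

SERIAL_PORTS = range(5000, 5008)  # QEMU serial console ports named in the PR


def mgmt_address(addr_json, ifname="eth0"):
    """Return (ipv4_cidr, ipv6_cidr) of ifname; link-local v6 is skipped and a
    missing family yields None, mirroring the v4/v6 tuple style the PR adopts."""
    v4 = v6 = None
    for iface in json.loads(addr_json):
        if iface.get("ifname") != ifname:
            continue
        for a in iface.get("addr_info", []):
            cidr = f"{a['local']}/{a['prefixlen']}"
            if a["family"] == "inet" and v4 is None:
                v4 = cidr
            elif a["family"] == "inet6" and v6 is None and a.get("scope") != "link":
                v6 = cidr
    return v4, v6


def mgmt_gateway(route_json):
    """Return (ipv4_gw, ipv6_gw) taken from the default routes."""
    v4 = v6 = None
    for r in json.loads(route_json):
        if r.get("dst") != "default" or "gateway" not in r:
            continue
        gw = ipaddress.ip_address(r["gateway"])
        if gw.version == 4 and v4 is None:
            v4 = str(gw)
        elif gw.version == 6 and v6 is None:
            v6 = str(gw)
    return v4, v6


def build_passthrough_rules(container_if="eth0", vm_tap="tap0", exception_ports=SERIAL_PORTS):
    """Return tc argv lists in the order they must be applied: clsact qdiscs,
    one flower 'pass' filter per exception port (low pref = high priority),
    then the catch-all mirred redirect, which must carry the highest pref."""
    cmds = [["tc", "qdisc", "add", "dev", dev, "clsact"] for dev in (container_if, vm_tap)]
    pref = 1
    for port in exception_ports:
        for proto in ("ip", "ipv6"):
            # 'pass' stops classification, so the packet stays in the container
            # (e.g. reaches QEMU's serial listener) instead of being redirected.
            cmds.append(["tc", "filter", "add", "dev", container_if, "ingress",
                         "pref", str(pref), "protocol", proto, "flower",
                         "ip_proto", "tcp", "dst_port", str(port), "action", "pass"])
            pref += 1
    # Everything else entering eth0 is redirected to the VM's tap, and vice versa.
    cmds.append(["tc", "filter", "add", "dev", container_if, "ingress", "pref", str(pref),
                 "matchall", "action", "mirred", "egress", "redirect", "dev", vm_tap])
    cmds.append(["tc", "filter", "add", "dev", vm_tap, "ingress", "pref", "1",
                 "matchall", "action", "mirred", "egress", "redirect", "dev", container_if])
    return cmds


def exception_filters_precede_redirect(cmds, dev="eth0"):
    """Check the ordering invariant stated in the PR for dev: exactly one mirred
    redirect, it is the last filter, and it has the highest pref number."""
    filters = [c for c in cmds if c[:2] == ["tc", "filter"] and c[4] == dev]
    prefs = [int(c[c.index("pref") + 1]) for c in filters]
    redirects = [i for i, c in enumerate(filters) if "mirred" in c]
    return (len(redirects) == 1 and redirects[0] == len(filters) - 1
            and prefs == sorted(prefs) and prefs[-1] == max(prefs))


if __name__ == "__main__":
    print("mgmt address v4/v6:", mgmt_address(SAMPLE_ADDR_JSON))
    print("mgmt gateway v4/v6:", mgmt_gateway(SAMPLE_ROUTE_JSON))
    rules = build_passthrough_rules()
    print("ordering ok:", exception_filters_precede_redirect(rules))
    for cmd in rules:
        print(" ".join(cmd))
```

The argv lists are meant to be handed to `subprocess.run(cmd, check=True)` in the same order they are returned; `exception_filters_precede_redirect()` is the check to run before doing so, because a redirect filter installed with a lower pref than an exception filter silently swallows the serial-port traffic the exception was meant to keep in the container.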
NOS Implementations
SR OS
The work is done in #272