Merge branch 'fc-21.05-dev' into PL-132122-upgrade-hardware-to-24.11

flyingcircusio · Nov 29, 2024 · 939d536 · 939d536
2 parents ba77f39 + 24ce655
commit 939d536
Show file tree

Hide file tree

Showing 19 changed files with 1,073 additions and 47 deletions.
diff --git a/changelog.d/20241113_202234_PL-133174-rekey-pbkdf_scriv.md b/changelog.d/20241113_202234_PL-133174-rekey-pbkdf_scriv.md
@@ -0,0 +1,17 @@
+<!--
+
+A new changelog entry.
+
+Delete placeholder items that do not apply. Empty sections will be removed
+automatically during release.
+
+Leave the XX.XX as is: this is a placeholder and will be automatically filled
+correctly during the release and helps when backporting over multiple platform
+branches.
+
+-->
+
+
+### NixOS XX.XX platform
+
+- fc-luks: fix rekeying to use the specified encryption parameters. We accidentally fell back to defaults before. (PL-133174)
diff --git a/changelog.d/20241126_174743_PL-133205-dhcp-port-to-kea_scriv.md b/changelog.d/20241126_174743_PL-133205-dhcp-port-to-kea_scriv.md
@@ -0,0 +1,20 @@
+<!--
+
+A new changelog entry.
+
+Delete placeholder items that do not apply. Empty sections will be removed
+automatically during release.
+
+Leave the XX.XX as is: this is a placeholder and will be automatically filled
+correctly during the release and helps when backporting over multiple platform
+branches.
+
+-->
+
+### Impact
+
+
+### NixOS XX.XX platform
+
+- router: the ISC DHCP server, which is end-of-life, has been replaced
+  with its successor implementation, Kea. (PL-133205)
diff --git a/changelog.d/20241127_101712_PL-133199-rib-monitor-nokia-nexthop_scriv.md b/changelog.d/20241127_101712_PL-133199-rib-monitor-nokia-nexthop_scriv.md
@@ -0,0 +1,21 @@
+<!--
+
+A new changelog entry.
+
+Delete placeholder items that do not apply. Empty sections will be removed
+automatically during release.
+
+Leave the XX.XX as is: this is a placeholder and will be automatically filled
+correctly during the release and helps when backporting over multiple platform
+branches.
+
+-->
+
+### Impact
+
+
+### NixOS XX.XX platform
+
+- pkgs: fix the monitoring script for the IPv4 underlay network to
+  correctly handle next hop addresses sent by Nokia SR Linux
+  switches. (PL-133199)
diff --git a/changelog.d/20241127_112609_PL-133201-radvd-fix-interface-names_scriv.md b/changelog.d/20241127_112609_PL-133201-radvd-fix-interface-names_scriv.md
@@ -0,0 +1,21 @@
+<!--
+
+A new changelog entry.
+
+Delete placeholder items that do not apply. Empty sections will be removed
+automatically during release.
+
+Leave the XX.XX as is: this is a placeholder and will be automatically filled
+correctly during the release and helps when backporting over multiple platform
+branches.
+
+-->
+
+### Impact
+
+
+
+### NixOS XX.XX platform
+
+- router: fix radvd config generation to use the correct derived
+  interface name. (PL-133201)
diff --git a/changelog.d/CHANGELOG.md b/changelog.d/CHANGELOG.md
@@ -60,6 +60,15 @@
   This may have impact if you have multiple unauthenticated SSH connections in a short time.
   We tested this change on non-production machines over the last 3 weeks and got no reports of problems.
 
+# Release 2024_033
+
+## NixOS XX.XX platform
+
+- physical machines: load `dm_mirror` kernel module by default, to support several LVM disk migration scenarios
+
+- Update fc.qemu to ensure reduce cluster load on rbd list. (PL-133194)
+
+
 # Release 2024_032
 
 ## NixOS XX.XX platform

diff --git a/nixos/infrastructure/flyingcircus-physical.nix b/nixos/infrastructure/flyingcircus-physical.nix
@@ -31,6 +31,11 @@ mkIf (cfg.infrastructureModule == "flyingcircus-physical") (lib.mkMerge [
         "nvme"
       ];
 
+      # not relevant for boot stage1
+      kernelModules = [
+        "dm_mirror"   # LVM disk migration scenarios
+      ];
+
       kernelParams = [
         # Drivers
         "dolvm"

diff --git a/nixos/roles/router/default.nix b/nixos/roles/router/default.nix
@@ -73,7 +73,7 @@ in
     ./bird2
     ./keepalived
     ./chrony.nix
-    ./dhcpd.nix
+    ./kea.nix
     ./pmacctd.nix
     ./radvd.nix
     ./trafficclient.nix
@@ -273,8 +273,6 @@ in
 
     flyingcircus.agent = {
       extraPreCommands = ''
-        fc-dhcpd -4 -o /etc/nixos/localconfig-dhcpd4.conf ${location}
-        fc-dhcpd -6 -o /etc/nixos/localconfig-dhcpd6.conf ${location}
         # Updates files in /etc/bind and /etc/bind/pri where also Nix-generated config exists.
         fc-zones
       '';

diff --git a/nixos/roles/router/kea.nix b/nixos/roles/router/kea.nix
@@ -0,0 +1,154 @@
+{ config, pkgs, lib, ... }:
+
+with builtins;
+
+let
+  role = config.flyingcircus.roles.router;
+  inherit (config) fclib;
+  inherit (config.flyingcircus) location;
+  inherit (config.networking) hostName;
+  suffix = "gocept.net";
+
+  dhcpNetworks' =
+    [ "mgm" "srv" "fe" ] ++
+    (config.flyingcircus.static.additionalDhcpNetworks."${location}" or []);
+
+  dhcpNetworks = [ "ipmi" ] ++ dhcpNetworks';
+  dhcpInterfaces = map (net: fclib.network."${net}".interface) dhcpNetworks';
+
+  bootServer = head fclib.network.mgm.v4.defaultGateways;
+
+  resolvers4 = if (hasAttr location config.flyingcircus.static.nameservers)
+        then config.flyingcircus.static.nameservers.${location}
+        else [];
+
+  resolvers6 =
+        if (hasAttr location config.flyingcircus.static.nameservers6)
+        then config.flyingcircus.static.nameservers6.${location}
+        else [];
+
+  baseConfig = {
+    dhcp-ddns = { enable-updates = false; };
+    valid-lifetime = 1800;
+    max-valid-lifetime = 7200;
+  };
+
+  kea4Config = {
+    interfaces-config = {
+      interfaces = dhcpInterfaces;
+      dhcp-socket-type = "raw";
+    };
+
+    lease-database = {
+      type = "memfile";
+      persist = true;
+      name = "/var/lib/kea/dhcp4.leases";
+    };
+
+    authoritative = true;  # match previous isc-dhcpd behaviour
+
+    option-data = [
+      { name = "domain-name"; data = suffix; }
+      { name = "domain-search"; data = "${suffix}, ${location}.${suffix}"; }
+      { name = "domain-name-servers"; data = lib.concatStringsSep ", " resolvers4; }
+      # NTP options set on a per-subnet basis by fc-kea
+    ];
+
+    next-server = bootServer;
+
+    # default to efi netboot. bios clients and the ipxe loader are
+    # identified with client classes, with the options specified in
+    # the first match taking precedence.
+    boot-file-name = "ipxe.efi";
+    client-classes = [
+      {
+        name = "iPXE";
+        test = "option[user-class].exists and (option[user-class].hex == 'iPXE')";
+        boot-file-name = "flyingcircus.ipxe";
+      }
+      {
+        name = "BIOS PXE";
+        test = "substring(option[vendor-class-identifier].hex, 15, 5) == '00000'";
+        boot-file-name = "undionly.kpxe";
+      }
+    ];
+  };
+
+  kea6Config = {
+    interfaces-config = {
+      interfaces = dhcpInterfaces;
+    };
+
+    lease-database = {
+      type = "memfile";
+      persist = true;
+      name = "/var/lib/kea/dhcp6.leases";
+    };
+
+    option-data = [
+      { name = "dns-servers"; data = lib.concatStringsSep ", " resolvers6; }
+      { name = "domain-search"; data = "${suffix}, ${location}.${suffix}"; }
+      # no direct equivalent to dhcpv4 option 15 in dhcpv6, fqdn
+      # configured on a per-host basis.
+    ];
+  };
+
+in
+{
+  options = with lib; {
+    flyingcircus.services.dhcpd4.localconfig = mkOption {
+      type = types.attrs;
+      default = fclib.jsonFromFile "/etc/nixos/localconfig-dhcpd4.json" "{}";
+    };
+    flyingcircus.services.dhcpd6.localconfig = mkOption {
+      type = types.attrs;
+      default = fclib.jsonFromFile "/etc/nixos/localconfig-dhcpd6.json" "{}";
+    };
+  };
+
+  config = lib.mkIf role.enable {
+    flyingcircus.agent.extraPreCommands = ''
+      # Generate DHCP server configuration
+      fc-kea -4 -L ${location} -o /etc/nixos/localconfig-dhcpd4.json -e ipmi ${lib.concatMapStringsSep " " (net: "-n ${net}") dhcpNetworks}
+      fc-kea -6 -L ${location} -o /etc/nixos/localconfig-dhcpd6.json -e ipmi ${lib.concatMapStringsSep " " (net: "-n ${net}") dhcpNetworks} -d ${suffix}
+    '';
+
+    services.kea.dhcp4 = {
+      enable = role.isPrimary;
+      settings = (
+        baseConfig //
+        kea4Config //
+        config.flyingcircus.services.dhcpd4.localconfig
+      );
+    };
+    services.kea.dhcp6 = {
+      enable = role.isPrimary;
+      settings = (
+        baseConfig //
+        kea6Config //
+        config.flyingcircus.services.dhcpd6.localconfig
+      );
+    };
+
+    services.atftpd = {
+      enable = role.isPrimary;
+      extraOptions = [
+        "--verbose=5"
+      ];
+      root = pkgs.runCommand "tftpd-root-for-dhcpd4" {} ''
+        mkdir $out
+        # place a file called "flyingcircus.ipxe" in this path, take it from ./flyingcircus.ipxe
+        cp ${./flyingcircus.ipxe} $out/flyingcircus.ipxe
+        # place a file called "undionly.kpxe" in this path, take it from ${pkgs.ipxe}/undionly.kpxe
+        cp ${pkgs.ipxe}/undionly.kpxe $out/
+        cp ${pkgs.ipxe}/ipxe.efi $out/
+      '';
+    };
+
+    networking.firewall.extraCommands = ''
+      # TFTP
+      ip46tables -A nixos-fw -i ${fclib.network.mgm.interface} -p udp --dport 69 -j nixos-fw-accept
+    '';
+
+  };
+}
diff --git a/nixos/roles/router/radvd.nix b/nixos/roles/router/radvd.nix
@@ -6,6 +6,7 @@ let
 
   role = config.flyingcircus.roles.router;
   inherit (config) fclib;
+  inherit (config.flyingcircus) location static;
   blockIndent = width: text:
     let
       # Create a string of `width` number of spaces.
@@ -15,15 +16,15 @@ let
       fclib.unlines
         ([(head lines)] ++ (fclib.indentWith spaces (tail lines)));
 
-  vlans =
-    lib.filterAttrs
-      (vlan: networkAttrs: networkAttrs != [])
-      (lib.mapAttrs
-        (vlan: interface:
-          if lib.elem vlan ["lo" "ipmi" "tr" "sto" "stb"]
-          then []
-          else (filter (na: na.addresses != []) interface.v6.networkAttrs))
-        fclib.network);
+  ifaces = listToAttrs
+    (filter (iface: iface.value.networkAttrs != [])
+      (map (vlan: lib.nameValuePair vlan (
+        let iface = fclib.network."${vlan}";
+        in {
+          inherit (iface) interface;
+          networkAttrs = filter (attr: attr.addresses != []) iface.v6.networkAttrs;
+        }
+      )) static.floatingGatewayNetworks."${location}"));
 
   mkPrefixBlock = { network, prefixLength, ... }: ''
     prefix ${network}/${toString prefixLength} {
@@ -32,24 +33,24 @@ let
     };
   '';
 
-  mkInterfaceBlock = vlan: networkAttrs:
+  mkInterfaceBlock = vlan: iface:
     let
-      interfaceName = if vlan == "ws" then "br${vlan}" else "eth${vlan}";
-      prefixConfigurations = lib.concatMapStringsSep "\n\n" mkPrefixBlock networkAttrs;
+      prefixConfigurations = lib.concatMapStringsSep "\n\n" mkPrefixBlock iface.networkAttrs;
     in ''
-      # ${vlan} VLAN
-      interface ${interfaceName} {
+      # ${vlan} network
+      interface ${iface.interface} {
         AdvSendAdvert on;
         AdvOtherConfigFlag on;
         ${blockIndent 2 prefixConfigurations}
       };
     '';
+
 in
 {
   config = lib.mkIf (role.enable && role.isPrimary) {
     services.radvd = {
       enable = true;
-      config = lib.concatStringsSep "\n\n" (lib.mapAttrsToList mkInterfaceBlock vlans);
+      config = lib.concatStringsSep "\n\n" (lib.mapAttrsToList mkInterfaceBlock ifaces);
     };
   };
 }
diff --git a/nixos/services/default.nix b/nixos/services/default.nix
@@ -49,6 +49,9 @@ in {
     # Imported from NixOS 23.05
     ./frr.nix
 
+    # Imported from NixOS 24.05
+    ./kea.nix
+
     (mkRemovedOptionModule [ "flyingcircus" "services" "percona" "rootPassword" ] "Change the root password via MySQL and modify secret files")
   ];
 }