Ticket: CM-7939
Reviewed By: CCR-3732
Testing Done: Tested ifreload --allow=class
this now
The ifreload classes already supported allow. This just opens up the
option in /sbin/ifupdown
example 1:
---------
auto swp1
iface swp1
allow-test swp2
iface swp2
allow-test swp3
iface swp3
/* should only act on swp2 and swp3 */
example 2:
---------
auto swp1
iface swp1
allow-test swp2
iface swp2
allow-test br1
iface br1
bridge-ports swp25 swp26
/* change bridge name and do an ifreload */
auto swp1
iface swp1
allow-test swp2
iface swp2
allow-test br2
iface br2
bridge-ports swp25 swp26
should delete br1 and create br2
Ticket: CM-6626
Reviewed By: CCR-3768
Testing Done: Tested with testcase specified in bug
There was an earlier implementation for this for 2.5.4 (CCR-3599 a quick
fix for 2.5.4). This patch re-implements the fix.
This patch essentially handles stp set before and after the port is
processed. It replaces the below commit with the patch in this review
{noformat}
commit 3af351f0a005236e747913bb499c6165e3ec43a4
Author: Roopa Prabhu <roopa@cumulusnetworks.com>
Date: Tue Sep 29 10:12:07 2015 -0700
Fix mstp settings ordering issues when bridge stp is toggled on and
off
(when mstp settings are specified under the port)
Ticket: CM-6626
Reviewed By: CCR-3599
Testing Done: Tested the problem case mentioned in the bug (Plan to
re-work the fix a bit for 2.5.5)
{noformat}
Example:
{noformat}
auto host1
iface host1
mtu 9000
bond-slaves glob swp[25-26]
bond-mode 802.3ad
bond-miimon 100
bond-use-carrier 1
bond-lacp-rate 1
bond-min-links 1
bond-xmit-hash-policy layer3+4
clag-id 1
mstpctl-portadminedge yes
mstpctl-bpduguard yes
auto bridge
iface bridge
mtu 9000
bridge-vlan-aware yes
bridge-ports peerlink host1
bridge-stp on
bridge-vids 1000-3000
bridge-pvid 1
info log stmts:
--------------------
info: host1: ignoring mstpctl-portadminedge config (stp on bridge bridge
is not on yet)
info: host1: ignoring mstpctl-bpduguard config (stp on bridge bridge is
not on yet)
<snip>
info: bridge: processing bridge config for port host1
info: bridge: processing mstp config for port host1
info: executing /sbin/mstpctl showportdetail bridge host1
admin-edge-port
info: executing /sbin/mstpctl setportadminedge bridge host1 yes
info: executing /sbin/mstpctl showportdetail bridge host1
bpdu-guard-port
info: executing /sbin/mstpctl setbpduguard bridge host1 yes
{noformat}
Ticket: CM-8161
Reviewed By: Roopa
Testing Done:
With vlan-aware bridge, when replacing a port's pvid, the kernel leaves
the port in the original pvid and relies on user space to explicitly
delete the port from that vlan if it is no longer a member of that.
ifupdown does that correctly in ifup and ifreload cases, but missed
removing the port from the default pvid during system reboot. This
patch fixes that by removing the PERFMODE check specifically for pvid
that causes ifupdown to skip checking running config on reboot which
leads to the bug.
(cherry picked from commit 0461a3f3cc82691cd32b9f6dbefaacf7b23eaeea)
listed interface that had a blacklisted parent
Ticket: CM-7851
Reviewed By: CCR-3664
Testing Done: Tested with auto/non-auto dependent and non-dependent interfaces
example config from sam:
iface swp3.100
auto swp3
iface swp3
iface swp3
address 66.66.66.66/24
Ticket: CM-6740
Reviewed By: roopa
Testing Done: tested multiple ifreloads with various test cases
In the case of duplicate iface stanzas where one of the stanzas sets
the link attributes, ifupdown2 was confused because the absence
of link attributes forced it to reset them to default values
(when they existed).
This patch tracks link changes and prevents resetting to defaults
only if there are no explicit settings configured. Furthermore,
only the last interface processed (from the duplicates) will take
care of resetting to defaults.
Ticket: CM-6106
Reviewed By: CCR-3637
Testing Done: Tested address under a bridge
We had shipped example files with addresses under bridges and slaves
in 2.5.3. With the warning introduced in 2.5.4, we will start emitting
warnings for existing customer files. And I have recently
learnt that users are relying on warnings to detect errors.
With this commit I am changing the warn to an info message
to avoid breaking existing users. We can change it back to a warn in
3.0.
changed:
"warning: interface bridge is enslaved or a vlan aware bridge and cannot
have an IP Address"
to:
"info: bridge: ignoring ip address. Interface is enslaved or a vlan
aware bridge and cannot have an IP Address"
(cherry picked from commit ecb20279e3d3c123537b9e6fddea4590c63a5013)
(ie to allow -i option)
Ticket: CM-7066
Reviewed By: CCR-3636
Testing Done: Tested ifupdown2 -i option
Administrators can protect from sudo users executing files with -i
by changing the disable_cli_interfacesfile=1 in ifupdown2.conf
I have uploaded the patch in CCR-3636. And checked with shm and nolan
before pushing this change in 2.5.4.
The default is being changed because of the fear of breaking existing
users of -i after an upgrade to 2.5.4.
The shipping default behaviour for -i will be revisited in 3.0
timeframe.
(cherry picked from commit 5dce566a94dafc99c441e66c412d8d66a083aa5e)
Ticket: CM-7851
Reviewed By: CCR-3639
Testing Done: Tested a combination of auto and non-auto interfaces.
This fixes a regression introduced in 2.5.4 where ifreload was
picking up non-auto interfaces
This also fixes a minor issue with blacklisting interfaces introduced by
("450c679249b546dbc2cd97d81b49e011fec948bd remove blacklisted interfaces
only if they are upperifaces (ie root of the tree") when an interface
has multiple auto and non-auto stanzas (A rare case, but it was an easy
fix and around the same area).
example, the fix will now blacklist an interface only if all of its stanzas are
blacklisted. In the below example, swp4 is not blacklisted if user
specified auto because one of the iface stanzas is auto.
auto swp4
iface swp4
iface swp4
address 10.0.14.2/24
(cherry picked from commit ad6d4567fdf9413c804a348c1712d8706934264a)
Ticket: CM-7066
Reviewed By: roopa
Testing Done: unit tested and wrote new testcase in testifupdown2
Use case for ifquery where stdin used with -i breaks
because interfacesfileiobuf was not checked in addition to interfacesfilename.
Testcase like:
echo '[{"name": "swp1","auto": true,"config": {"address": "10.10.10.10/24"}}]' | ifquery -i - -t json swp1
would fail because while -i was given with stdin, the check for missing filename would produce an error.
It was also decided by consensus that the ifquery command does not need to have a check for
disable_cli_interfacesfile since a query "should" not pose a security check.
(I've also added some test cases for this in cl-tests).
(cherry picked from commit 4d37e932b43da87a9240a866be2d8b9508a9c7eb)
the tree)
Ticket: CM-7765
Reviewed By: CCR-3621
Testing Done: tested interface dependencies with auto and non-auto
interfaces
This commit fixes a change in behaviour introduced by "460906d0552d" ("skip adding
filtered or blacklisted interfaces in the dependency graph") that
skipped non-auto (or blacklisted) interfaces.
Turns out we have files out there that do have non-auto
dependents. This patch makes sure blacklisted interfaces who are
dependents of other interfaces are always picked up.
to make sure the state file in persistent storage is cleaned up
correctly
Ticket: CM-7774
Reviewed By: CCR-3623
Testing Done: Tested statefile accross reboots
ifupdown2 state file was moved to /var/tmp because /var/tmp was tmpfs
and was large enough (100MB) for the state file. But it appears it has
changed (or is not consistent) across all platforms. We can move it
under /run, but /run again size varies on various platforms and it is
too small on some platforms.
This patch:
- continues to keep the ifupdown2 state file under /var/tmp (because it
needs the space)
- ntroduces a second level /run/network/ifstatelock file that stays on
non-persistant storage and is used to delete the state file at /boot up
(when mstp settings are specified under the port)
Ticket: CM-6626
Reviewed By: CCR-3599
Testing Done: Tested the problem case mentioned in the bug (Plan to
re-work the fix a bit for 2.5.5)
problem:
mstp parameters can be specified under the port or under the bridge
When they are specified under the bridge, there should be no problem
(When you process the bridge, all things on the bridge port are set in
order)
When they are specified under the port:
we check if the bridge is up, if yes, and stp is already configured,
we process mstpctl settings
This check today only checks running stp_state
We should also check the user configured stp state for the bridge
Note that the problem exists only if the bridge and ports are
already up and user executes ifup again and when we need to re-evaluate
the bridge port settings
solution:
When the bridge port is being checked for mstp settings, not only
check running stp state, but also check user specified stp state and
correct bridge stp state before proceeding with mstp configuration
Few things to note with this patch:
- If user changed stp state on bridge to 'on', and did `ifup
<bridge_port>'`,
though the user has not ifup'ed the bridge yet, the bridge stp state
will be applied (very few people will run into this and practically this
should not be a problem atall. But from correctness POV it is
a voilation. ).
- To avoid this, the other solution would have been to let the bridge
port code be as is, but handle this during bringing up the bridge,
but, this can confuse the user, because when processing the
bridge_port, you will still throw warnings even if the port stp config
is later reapplied when the bridge comes up
- note that the patch only handles the case when stp state is not on and
somebody turned it on. For the case where stp state was on and somebody
turned it off, this patch wont throw warnings for the mstpctl config. But
it will not cause any issues because once stp is off things will be ok
everywhere. I want to keep any changes here out of this patch. I will
document this in the bug...and see if i can handle this in 2.5.5
Ticket: CM-7635
Reviewed By: CCR-3575
Testing Done: Tested failing ifquery output in json format
This patch fixes a bug introduced by 0dea0cfeeec8b342ee2e2b767daa4071ac760f31
("Add support to display status (pass, fail) in ifquery --check json
output").
This patch separates the json encoders for iface objects with and
without status (ifaceJsonEncoder and ifaceJsonEncoderWithStatus) so
that they dont interfere with each other.
Ticket: CM-7464
Reviewed By: CCR-3507
Testing Done: Tested ifquery check sanity
ifquery --check non-json output displays 'pass' and 'fail' for
each attribute on the same line (see below). This output is not json
friendly. For json, include status in 'config_status' a dictionary
whose keys are similar to the 'config' dictionary but values are status
for the corresponding keys in the 'config' dictionary (see example below)
auto bond4
iface bond4 inet static
[pass]
bond-mode 802.3ad [pass]
bond-miimon 100 [pass]
bond-use-carrier 1 [pass]
bond-lacp-rate 1 [pass]
bond-min-links 1 [pass]
bond-xmit-hash-policy layer3+4 [pass]
bond-slaves swp3 swp4 [pass]
[
{
"name": "bond4",
"addr_method": "static",
"addr_family": "inet",
"auto": true,
"config": {
"bond-use-carrier": "1",
"bond-miimon": "100",
"bond-lacp-rate": "1",
"bond-min-links": "1",
"bond-slaves": "swp3 swp4",
"bond-mode": "802.3ad",
"bond-xmit-hash-policy": "layer3+4"
},
"config_status": {
"bond-use-carrier": "pass",
"bond-miimon": "pass",
"bond-lacp-rate": "pass",
"bond-min-links": "pass",
"bond-slaves": "pass",
"bond-mode": "pass",
"bond-xmit-hash-policy": "pass"
},
"status": "pass"
}
]
Ticket: CM-7410
Reviewed By: CCR-3470
Testing Done:
When vxrd is not enabled in /etc/default/vxrd, the 'service vxrd status'
command returns 0, causing the vxlan-remoteip to be not applied even
though it should have. Fix is to change to checking pidfile of vxrd.
Ticket: CM-7087
Reviewed By: CCR-3379
Testing Done: unit testing with clag_vxlan_clos_spec/cfg.py
On clag pairing, clagd changes local address of vxlan device to anycast ip.
If user does ifreload now, ifupdown2 will overwrite local address with
individual ip contained in /etc/netwrok/interfaces. vxlan.py caches
anycast_ip configuration so that ifquery -c can skip it from flagging error
and ifreload skip overwriting vxlan device's local ip.
vxrd provisions head-end replication endpoints by adding bridge fdb entries.
If /etc/network/interfaces doesn't have remote-ip attribute, then on ifreload
ifupdown2 will delete all vxrd provisioned entries. ifupdown will check for
presence of vxrd service and skip add/delete bridge fdb entries for
head-end replication
On ifreload vxlan device are put in proto-down even if they are up and running.
Check for operstate and put it in proto-down only if operstate transitions from
down to up.
Ticket: CM-7313
Reviewed By: trivial
Testing Done: tested in active-active vxlan scale testbed
With recent change to ifupdown2 to create dummy devices (CM-3525), pre-up
sequence has been inadvertently changed to invoke clag before vxlan. This
causes protodown of vxlan device by clag addon to happen before vxlan device
gets added. Revert the pre-up order to have vxlan pre-up before clag's.
Ticket: CM-3525
Reviewed By: CCR-3326
Testing Done: Tested creating dummy devices using ifupdown2
This is modification to gospos loopback module. It solves the same
purpose ie using linux dummy device like a loopback device but there were
objections on calling it loopback so i have renamed it to link and i have changed it
into a generic module that can do any 'ip link'. Can be extended for
link args in the future.
below example creates a loopy device
$ifquery loopy
auto loopy
iface loopy
link-type dummy
$ifup loopy
$ifquery -c loopy
auto loopy
iface loopy [pass]
link-type dummy [pass]
(cherry picked from commit 1151420408a53c106d29183a1e0da5562c8b03a3)
Ticket: CM-7128
Reviewed By: Trivial
Testing Done: unit tested on Ken's machine
The ifupdown2 ethtool addon module fails to set/check
the link-speed on bridge ports.
I removed excessive ifaceLinkKind checking since CM-6619
(03642a9a) added BRIDGE_PORT and BOND_SLAVE. This is ok
since we now check to see if ports have defaults (only swp do)
before showing or changing settings).
Ticket: CM-7066
Reviewed By: scotte,roopa,olson
Testing Done: Unit testing and regression testing
This patch does two things:
1. It moves the interfaces config file name to the ifupdown2.conf file in /etc/network/ifupdown2.
This should allow administrators to specify a config file location different from the default and allow
subsets of users to use it without giving them access to specifying their own with the -i option in ifup/ifdown.
2. It also adds a new config setting called "disable_cli_interfacesfile" used to prevent users
from specifying their own interfaces file. This defaults to "1" (even if it is not configured).
Note: this new default takes away users ability to specify an interfaces file.
This should close the vulnerability where users could specify their own interfaces file
and add arbitrary user commands.
This leaves the shell=True option in the user commands add-on module since the ifup/ifdown/ifreload/ifquery
commands already require root access to run and the interfaces config file also requires root access to modify.
Ticket: CM-6862
Reviewed By: CCR-3278
Testing Done:
Currently, ifupdown implicitly configures pvid on a bridge port
in case user doesn't configure it. There is no way to configure
a bridge port to not accept untagged packets. The new option
allows user to do that without changing the current default
behavior.
ifupdown2 code was one level deeper because ifupdown2 initially
had ifupdown2 and ifupdown2-addons as two separate packages.
Since they were combined into one package, it makes sense to
move all combined code under the top level directory
Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Ticket: CM-6496
Reviewed By: CCR-3196
Testing Done:
The "ip batch command to add a bridge port and flush the dev" command with 1k netdevices was taking 1.4G of memory. With 2k netdevices batch, this command was causing a OOM condition. To avoid this, commit the batch after 250 ports. Ideally we have to look at the internal batch implementation to see if there is an underlying issue.
Ticket: CM-6587
Reviewed By: roopa
Testing Done: checked man paged
If we do an ifdown on all ports and try to exclude a bond or bridge port.
But we also have an iface defined for swp1 or swp4
(even if these are empty).
The lower interfaces will not be excluded. So if we
do an "ifdown -a -X bridge", swp ports in the bridge or bond
will go down effectively bringing a bond or bridge down.
This patch simply adds some documentation to the man pages.
ifupdown2 never follows dependents if the user has given an
interface list (unless explicitly requested with --with-depends
option which is available with some options).
Ticket: CM-6702
Reviewed By: roopa
Testing Done: unit and smoke tested with ifupdown2 suite
When address-virtual mac adddress is modified, removed from an SVI, or the SVI is removed,
the permanent mac address is not removed.
This patch addresses all three cases but creating a global statemanager instance
and removing address-virtual FDB entries that were previously configured.
Ticket: CM-6815, CM-6816, CM-6817
Reviewed By: CCR-3234
Testing Done: unit testing
CM-6815 : ip link set syntax for svcnode has been changed. Absence of svcnode
will retain the existing values. svcnode 0.0.0.0 is needed to wipe out service
node addresses in vxlan device. Modified ifupdown2 to use svcnode 0.0.0.0 to
clean up service node address.
CM-6816: "bridge-clan-aware no" is not handled in query-check and hence ifquery
on bridge interface with "bridge-vlan-aware no" fails. Modified bridge's
query-check to take care of this.
CM-6817: With default ageing value (300), if query -c <vxlan device> was
failing. Set ageing to 300 if not specified and compare it with running config.
Ticket: CM-6619
Reviewed By: CCR-3191
Testing Done: Tested upperiface bringup for bridge and vlan devices
'up' on bridge was always done to add the newly created port to the bridge
in cases where the bridge is not part of the interfaces being brought
up. But This will try to re-apply bridge port attributes on all bridge
ports and that can take a while when there are large number of bridge
ports. This patch currently avoids the bridge up for only the vlan
aware bridge case.
Ticket: CM-6723
Reviewed By: roopa
Testing Done: unit tested and testifupdown2 test suite
This patch installs bond interface defaults in
/etc/network/ifupdown2/policy.d/bond_defaults.json
and allows users to modify this file. Users can then leave out these
bond attributes in their configs to save typing and space.
It also changes the ifenslave and ifenslaveutil module to bond and
bondutil, respectively to be consistent with other modules
(and also because customers think of "bond" interfaces not
"ifenslave" interfaces.)
For example, the default file installed looks like the following:
{
"README": "This file is user generated and modifiable.",
"bond": {
"defaults": {
"bond-mode": "802.3ad",
"bond-miimon": "100",
"bond-use-carrier": "1",
"bond-lacp-rate": "0",
"bond-min-links": "1",
"bond-xmic-hash-policy": "layer3+4"
}
}
}
Please enter the commit message for your changes. Lines starting
Ticket: CM-6655
Reviewed By: Trivial
Testing Done: tested install and removal of python-ifupdown2
There was an invalid equality test in the postrm script for
ifupdown2. In Dash, equality is tested with a single '='
and not '=='.
Ticket: CM-6630
Reviewed By: roopa
Testing Done: unit tested
We still run ethtool on most interfaces even if we don't have defaults to use.
The last bug I fixed (CM-6557) should have also fixed that (even if it was specific to
ifquery).
We now check if there is a configured attribute and if there is a default
value. If we do not have both, we continue without calling ethtool to get the running value.
Ticket: CM-6358
Reviewed By: roopa
Testing Done: Yes
ifupdown2 creates overrides vxrd's config when either (or both) the vxrd-src-ip and vxrd-svcnode-ip appear under the loopback interface's configuration.
Example
address 12.0.0.4/32
vxrd-src-ip 12.0.0.4
vxrd-svcnode-ip 99.99.99.9
