Skip to content

T7432: RPKI VRF Support #4497

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: current
Choose a base branch
from
Open

T7432: RPKI VRF Support #4497

wants to merge 2 commits into from
+316 −183

Conversation

yzguy
Copy link
Contributor

@yzguy yzguy commented May 5, 2025
edited
Loading

Change summary

Add support for RPKI in a VRF

TODO:

Need to add to documentation

Op-mode commands

show rpki as-number <asn>  vrf <vrf>
show rpki cache-connection vrf <vrf>
show rpki cache-server vrf <vrf>
show rpki prefix <prefix> vrf <vrf>
show rpki prefix <prefix> as-number <asn> vrf <vrf>
show rpki prefix-table vrf <vrf>
reset rpki vrf <vrf>

Configuration Commands

set vrf name <name> protocols rpki cache <cache> port <port>
set vrf name <name> protocols rpki cache <cache> preference <pref>
set vrf name <name> protocols rpki cache <cache> source-address <src>
set vrf name <name> protocols rpki cache <cache> ssh username <username>
set vrf name <name> protocols rpki cache <cache> ssh key <key>
set vrf name <name> protocols rpki polling-period <rolling-period>
set vrf name <name> protocols rpki retry-interval <retry-interval>

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

https://vyos.dev/T7432

Related PR(s)

How to test / Smoketest result

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

@github-actions GitHub Actions
Copy link

github-actions bot commented May 5, 2025
edited
Loading

👍
No issues in PR Title / Commit Title

@yzguy yzguy force-pushed the T7432 branch 7 times, most recently from 6d47fa7 to c673102 Compare May 9, 2025 04:37
@yzguy yzguy force-pushed the T7432 branch 4 times, most recently from 0e108f4 to db24f1e Compare May 17, 2025 02:10
@sever-sever sever-sever requested review from c-po and dmbaturin May 19, 2025 10:28
c-po
c-po requested changes May 22, 2025
View reviewed changes
Copy link
Member

@c-po c-po left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You do not set a VRF table id in your smoketests which makes them fail:

======================================================================
ERROR: test_rpki_ssh (__main__.TestProtocolsRPKI.test_rpki_ssh)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/libexec/vyos/tests/smoke/cli/test_protocols_rpki.py", line 211, in test_rpki_ssh
    self.cli_commit()
  File "/usr/libexec/vyos/tests/smoke/cli/base_vyostest_shim.py", line 103, in cli_commit
    out = self._session.commit()
          ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/configsession.py", line 280, in commit
    out = self.__run_command([COMMIT])
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/configsession.py", line 210, in __run_command
    raise ConfigSessionError(output)
vyos.configsession.ConfigSessionError: [ vrf ]
VRF "blue" table id is mandatory!
[[vrf]] failed
[ pki ]
Embedded PKI openssh with name "rpki-smoketest" is still in use by CLI
path "protocols rpki cache 192.0.2.3 ssh key"
[[pki]] failed
[[vrf name blue protocols rpki]] failed
Commit failed

c-po
c-po reviewed May 22, 2025
View reviewed changes
c-po
c-po requested changes May 22, 2025
View reviewed changes
Copy link
Member

@c-po c-po left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The proposed CLI op-mode commands differ from other VRF enabled implementations:

c-po
c-po reviewed May 26, 2025
View reviewed changes
Copy link
Member

@c-po c-po left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The general implementation looks good and follows established patterns for FRR.

Smoketests still fail:

[email protected]:~$ /usr/libexec/vyos/tests/smoke/cli/test_protocols_rpki.py
test_rpki (__main__.TestProtocolsRPKI.test_rpki) ... ok
test_rpki_source_address (__main__.TestProtocolsRPKI.test_rpki_source_address) ... ok
test_rpki_ssh (__main__.TestProtocolsRPKI.test_rpki_ssh) ... ERROR
test_rpki_verify_preference (__main__.TestProtocolsRPKI.test_rpki_verify_preference) ... ok

======================================================================
ERROR: test_rpki_ssh (__main__.TestProtocolsRPKI.test_rpki_ssh)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/libexec/vyos/tests/smoke/cli/test_protocols_rpki.py", line 217, in test_rpki_ssh
    self.cli_commit()
  File "/usr/libexec/vyos/tests/smoke/cli/base_vyostest_shim.py", line 103, in cli_commit
    out = self._session.commit()
          ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/configsession.py", line 280, in commit
    out = self.__run_command([COMMIT])
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/configsession.py", line 210, in __run_command
    raise ConfigSessionError(output)
vyos.configsession.ConfigSessionError: [ pki ]
Embedded PKI openssh with name "rpki-smoketest" is still in use by CLI
path "protocols rpki cache 192.0.2.3 ssh key"
[[pki]] failed
[ vrf name blue protocols rpki ]
RPKI+SSH requires key to be defined!
[[vrf name blue protocols rpki]] failed
Commit failed


----------------------------------------------------------------------
Ran 4 tests in 65.914s

FAILED (errors=1)

@yzguy yzguy force-pushed the T7432 branch 2 times, most recently from 781b71c to 0a5062c Compare May 28, 2025 03:05
@github-actions GitHub Actions
Copy link

CI integration 👍 passed!

Details

CI logs

  • CLI Smoketests (no interfaces) 👍 passed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests 👍 passed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed

c-po
c-po approved these changes May 29, 2025
View reviewed changes
Copy link
Member

@c-po c-po left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New feature additiona vailable with FRR10.2 - implementation follows established paths for FRR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@c-po c-po c-po approved these changes

@dmbaturin dmbaturin Awaiting requested review from dmbaturin

At least 2 approving reviews are required to merge this pull request.

Assignees

@yzguy yzguy

Labels
current
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@yzguy @c-po