[FROG] how to make FRR know about configured netns on a centos system?
equinox at diac24.net
Sun Oct 28 10:16:44 EDT 2018
On Sun, Oct 28, 2018 at 10:25:05AM +0300, Roman Dodin wrote:
> Thanks David!
> Indeed I use a namespace to isolate the management interface of a centos
> system from the data namespace which needs to run bgpd and ospfd
> You said there is no provided way to run frr services in a non default
> namespace and one needs to wire that themselves. But since this seems like
> a very common approach to follow (separating management domain from
> others), how does the community deal with it? Any examples maybe?
We had a discussion about this a few weeks ago where I think the
consensus was that we should add the "-N" parameter to watchfrr and the
init script. At this point this is a missing-feature bug that needs
My personal setup is a bit aged and outdated so I kinda don't want to
share it since it should be done differently nowadays, mostly because I
don't use watchfrr. I have 2 init scripts, one that has a lot of
iproute2 calls to set all the devices up, and the other one to start
FRR. Then I just start the daemons individually like this:
svcs="polyeidos:ospfd polyeidos:ospf6d polynices:ospfd polynices:ospf6d polyeidos:bgpd"
# zebra has already been started!
for I in $svcs; do
pid=`pgrep -f "zebra -N $ns"`
ebegin "Starting netns routing - $ns($pid)/$dm"
nsenter -m -n -t $pid start-stop-daemon --quiet --start --exec /usr/lib/frr/$dm \
--pidfile /run/frr/$ns/$dm.pid -- -N $ns -A ::1 -d
Note that there is a little bit of trickery going on there with
"nsenter" instead of "ip netns exec". The reason for this is simple:
"ip netns exec" creates a new mount namespace every time it is executed.
It uses the existing network namespace, but *always* creates a mount
namespace so it can mount /sys properly (and bind-mount some config
files in /etc.)
This leads to a lot of mount namespaces existing and on my setup caused
problems with mount propagation / unmounting and remounting things. So
I decided to make "zebra" the "owner" of the namespace and always use
"nsenter" so I get the same mount namespace. It's probably not relevant
for you but I want to mention this here for other people and/or if
someone finds these mails by googling "FRR netns" :D
(This is maybe something that should be fixed in iproute2.)
To do things "better", we should have the -N option on watchfrr, and
then watchfrr can be the "owner" of the namespace maybe...
That said, if you only have one namespace where FRR is running you don't
need the -N option. You could simply do a "ip netns exec NAMESPACE
watchfrr <watchfrr options>". Editing the existing init script should
work fine for that, you can put "ip netns exec" (or "nsenter") before
the start-stop-daemon calls and everything works out.
In all cases, you need something to create and set up your network
namespace with the proper devices and so on... that's not something we
can do in a generic way in a FRR init script.
More information about the frog