[pve-devel] Regression in ifupdown2 with templates ?

[pve-devel] Regression in ifupdown2 with templates ?

[Daniel Berteaud]

Hi there. 

I'm running a 5 nodes PVE6 cluster, and I'm using ifupdown2 templating features to create vxlan overlays between my nodes (setup this before the SDN feature went live). Here's a snippet of my /etc/network/interfaces : 

%for i in range(1, 6): 
%for v in range(0, 21): 
auto vxlan${i*100+v} 
iface vxlan${i*100+v} 
vxlan-id ${i*100+v} 
vxlan-mcastgrp 225.20.118.1 
vxlan-physdev enp132s0f0.2018 
bridge-access ${i*100+v} 
%endfor 
%endfor 

auto vmbr0 
iface vmbr0 inet manual 
%for i in range(1, 6): 
bridge-ports glob vxlan${i*100}-${i*100+20} 
%endfor 
bridge-stp off 
bridge-fd 0 
bridge-vlan-aware yes 
bridge-vids 2-4094 


Everything is working fine with ifupdown2-2.0.1-1+pve10 but if I update ifupdown to v 3.0.0-1+pve2, my vxlan aren't created anymore. An ifreload -a outputs these errors : 

root@pve4:~# ifreload -a 
warning: unable to set template lookup path /etc/network/ifupdown2/templates ('NoneType' object is not callable): are you sure 'python-mako'is installed? 
warning: /etc/network/interfaces: line33: vxlan${i*100+v}: unexpected characters in interface name 
error: /etc/network/interfaces: line37: iface vxlan${i*100+v}: invalid syntax '%endfor' 
error: /etc/network/interfaces: line38: iface vxlan${i*100+v}: invalid syntax '%endfor' 
error: /etc/network/interfaces: line44: iface vmbr0: invalid syntax '%endfor' 
warning: vmbr0: error parsing glob expression 'vxlan${i*100}-${i*100+20}' (supported glob syntax: swp1-10.300 or swp[1-10].300 or swp[1-10]sub[0-4].300 
warning: vmbr0: error parsing glob expression 'vxlan${i*100}-${i*100+20}' (supported glob syntax: swp1-10.300 or swp[1-10].300 or swp[1-10]sub[0-4].300 
error: vxlan${i*100+v}: invalid vxlan-id '${i*100+v}' 
warning: vxlan${i*100+v}: invalid use of bridge attribute (bridge-access) on non-bridge stanza 
error: netlink: vxlan${i*100}-${i*100+20}: cannot enslave link vxlan${i*100}-${i*100+20} to vmbr0: interface name exceeds max length of 15 
warning: vmbr0: error parsing glob expression 'vxlan${i*100}-${i*100+20}' (supported glob syntax: swp1-10.300 or swp[1-10].300 or swp[1-10]sub[0-4].300 
error: vmbr0: bridge port vxlan${i*100}-${i*100+20} does not exist 


(yes, python-mako is installed) 

I had to downgrade ifupdown2 on all my nodes to get my network stack back online. 

Is there a regression with templating support in ifupdown2 v3 or has something changed and must be adapted ? 

Cheers, 
Daniel 
-- 


[ https://www.firewall-services.com/ ] 	
Daniel Berteaud 
FIREWALL-SERVICES SAS, La sécurité des réseaux 
Société de Services en Logiciels Libres 
Tél : +33.5 56 64 15 32 
Matrix: @dani:fws.fr 
[ https://www.firewall-services.com/ | https://www.firewall-services.com ] 

Re: [pve-devel] Regression in ifupdown2 with templates ?

[Alexandre DERUMIER]

Hi,

ifupdown3 have migrated to python3,

maybe try to install python3-mako package ?


----- Mail original -----
De: "Daniel Berteaud" <daniel@firewall-services.com>
À: "pve-devel" <pve-devel@pve.proxmox.com>
Envoyé: Jeudi 16 Juillet 2020 08:04:42
Objet: [pve-devel] Regression in ifupdown2 with templates ?

Hi there. 

I'm running a 5 nodes PVE6 cluster, and I'm using ifupdown2 templating features to create vxlan overlays between my nodes (setup this before the SDN feature went live). Here's a snippet of my /etc/network/interfaces : 

%for i in range(1, 6): 
%for v in range(0, 21): 
auto vxlan${i*100+v} 
iface vxlan${i*100+v} 
vxlan-id ${i*100+v} 
vxlan-mcastgrp 225.20.118.1 
vxlan-physdev enp132s0f0.2018 
bridge-access ${i*100+v} 
%endfor 
%endfor 

auto vmbr0 
iface vmbr0 inet manual 
%for i in range(1, 6): 
bridge-ports glob vxlan${i*100}-${i*100+20} 
%endfor 
bridge-stp off 
bridge-fd 0 
bridge-vlan-aware yes 
bridge-vids 2-4094 


Everything is working fine with ifupdown2-2.0.1-1+pve10 but if I update ifupdown to v 3.0.0-1+pve2, my vxlan aren't created anymore. An ifreload -a outputs these errors : 

root@pve4:~# ifreload -a 
warning: unable to set template lookup path /etc/network/ifupdown2/templates ('NoneType' object is not callable): are you sure 'python-mako'is installed? 
warning: /etc/network/interfaces: line33: vxlan${i*100+v}: unexpected characters in interface name 
error: /etc/network/interfaces: line37: iface vxlan${i*100+v}: invalid syntax '%endfor' 
error: /etc/network/interfaces: line38: iface vxlan${i*100+v}: invalid syntax '%endfor' 
error: /etc/network/interfaces: line44: iface vmbr0: invalid syntax '%endfor' 
warning: vmbr0: error parsing glob expression 'vxlan${i*100}-${i*100+20}' (supported glob syntax: swp1-10.300 or swp[1-10].300 or swp[1-10]sub[0-4].300 
warning: vmbr0: error parsing glob expression 'vxlan${i*100}-${i*100+20}' (supported glob syntax: swp1-10.300 or swp[1-10].300 or swp[1-10]sub[0-4].300 
error: vxlan${i*100+v}: invalid vxlan-id '${i*100+v}' 
warning: vxlan${i*100+v}: invalid use of bridge attribute (bridge-access) on non-bridge stanza 
error: netlink: vxlan${i*100}-${i*100+20}: cannot enslave link vxlan${i*100}-${i*100+20} to vmbr0: interface name exceeds max length of 15 
warning: vmbr0: error parsing glob expression 'vxlan${i*100}-${i*100+20}' (supported glob syntax: swp1-10.300 or swp[1-10].300 or swp[1-10]sub[0-4].300 
error: vmbr0: bridge port vxlan${i*100}-${i*100+20} does not exist 


(yes, python-mako is installed) 

I had to downgrade ifupdown2 on all my nodes to get my network stack back online. 

Is there a regression with templating support in ifupdown2 v3 or has something changed and must be adapted ? 

Cheers, 
Daniel 
-- 


[ https://www.firewall-services.com/ ] 
Daniel Berteaud 
FIREWALL-SERVICES SAS, La sécurité des réseaux 
Société de Services en Logiciels Libres 
Tél : +33.5 56 64 15 32 
Matrix: @dani:fws.fr 
[ https://www.firewall-services.com/ | https://www.firewall-services.com ] 
_______________________________________________ 
pve-devel mailing list 
pve-devel@lists.proxmox.com 
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 

Re: [pve-devel] Regression in ifupdown2 with templates ?

[Daniel Berteaud]

----- Le 16 Juil 20, à 9:29, Alexandre DERUMIER aderumier@odiso.com a écrit :

> Hi,
> 
> ifupdown3 have migrated to python3,
> 
> maybe try to install python3-mako package ?

Didn't know it was switching to py3 :-)
Indeed, installing python3-mako makes the previous error message go away. But the result is even worst now, as ifupdown2 completly fails and don't even configure interfaces which are not using templates in /etc/network/interfaces

root@pve5:~# ifreload -a -v
info: requesting link dump
info: requesting address dump
info: requesting netconf dump
info: loading builtin modules from ['/usr/share/ifupdown2/addons']
info: module ppp not loaded (module init failed: no /usr/bin/pon found)
info: module batman_adv not loaded (module init failed: no /usr/sbin/batctl found)
info: executing /sbin/sysctl net.bridge.bridge-allow-multiple-vlans
info: module mstpctl not loaded (module init failed: no /sbin/mstpctl found)
info: executing /bin/ip rule show
info: executing /bin/ip -6 rule show
info: address: using default mtu 1500
info: address: max_mtu undefined
info: executing /usr/sbin/ip vrf id
info: mgmt vrf_context = False
info: dhclient: dhclient_retry_on_failure set to 0
info: executing /bin/ip addr help
info: address metric support: OK
info: module ppp not loaded (module init failed: no /usr/bin/pon found)
info: module mstpctl not loaded (module init failed: no /sbin/mstpctl found)
info: module batman_adv not loaded (module init failed: no /usr/sbin/batctl found)
info: looking for user scripts under /etc/network
info: loading scripts under /etc/network/if-pre-up.d ...
info: loading scripts under /etc/network/if-up.d ...
info: loading scripts under /etc/network/if-post-up.d ...
info: loading scripts under /etc/network/if-pre-down.d ...
info: loading scripts under /etc/network/if-down.d ...
info: loading scripts under /etc/network/if-post-down.d ...
info: 'link_master_slave' is set. slave admin state changes will be delayed till the masters admin state change.
info: using mgmt iface default prefix eth
info: processing interfaces file /etc/network/interfaces
info: template processing on interfaces file ...
error: main exception: a bytes-like object is required, not 'str'
info: exit status 1
root@pve5:~# 


So it looks like ifupdown2 v3 is not fully compatible with config working in v2. Haven't digged yet into it (those are prod servers, so not easy to play with their network stack)

Cheers,
Daniel

-- 
[ https://www.firewall-services.com/ ] 	
Daniel Berteaud 
FIREWALL-SERVICES SAS, La sécurité des réseaux 
Société de Services en Logiciels Libres 
Tél : +33.5 56 64 15 32 
Matrix: @dani:fws.fr 
[ https://www.firewall-services.com/ | https://www.firewall-services.com ]

Re: [pve-devel] Regression in ifupdown2 with templates ?

[Alexandre DERUMIER]

>>error: main exception: a bytes-like object is required, not 'str'

seem to be a bug here, maybe in template parsing.

Maybe this commit is fixing it:

https://github.com/CumulusNetworks/ifupdown2/commit/c44a7a363579d78c42b0cf17ff1b726dcde9296c



----- Mail original -----
De: "Daniel Berteaud" <daniel@firewall-services.com>
À: "Proxmox VE development discussion" <pve-devel@lists.proxmox.com>
Cc: "pve-devel" <pve-devel@pve.proxmox.com>
Envoyé: Jeudi 16 Juillet 2020 10:14:49
Objet: Re: [pve-devel] Regression in ifupdown2 with templates ?

----- Le 16 Juil 20, à 9:29, Alexandre DERUMIER aderumier@odiso.com a écrit : 

> Hi, 
> 
> ifupdown3 have migrated to python3, 
> 
> maybe try to install python3-mako package ? 

Didn't know it was switching to py3 :-) 
Indeed, installing python3-mako makes the previous error message go away. But the result is even worst now, as ifupdown2 completly fails and don't even configure interfaces which are not using templates in /etc/network/interfaces 

root@pve5:~# ifreload -a -v 
info: requesting link dump 
info: requesting address dump 
info: requesting netconf dump 
info: loading builtin modules from ['/usr/share/ifupdown2/addons'] 
info: module ppp not loaded (module init failed: no /usr/bin/pon found) 
info: module batman_adv not loaded (module init failed: no /usr/sbin/batctl found) 
info: executing /sbin/sysctl net.bridge.bridge-allow-multiple-vlans 
info: module mstpctl not loaded (module init failed: no /sbin/mstpctl found) 
info: executing /bin/ip rule show 
info: executing /bin/ip -6 rule show 
info: address: using default mtu 1500 
info: address: max_mtu undefined 
info: executing /usr/sbin/ip vrf id 
info: mgmt vrf_context = False 
info: dhclient: dhclient_retry_on_failure set to 0 
info: executing /bin/ip addr help 
info: address metric support: OK 
info: module ppp not loaded (module init failed: no /usr/bin/pon found) 
info: module mstpctl not loaded (module init failed: no /sbin/mstpctl found) 
info: module batman_adv not loaded (module init failed: no /usr/sbin/batctl found) 
info: looking for user scripts under /etc/network 
info: loading scripts under /etc/network/if-pre-up.d ... 
info: loading scripts under /etc/network/if-up.d ... 
info: loading scripts under /etc/network/if-post-up.d ... 
info: loading scripts under /etc/network/if-pre-down.d ... 
info: loading scripts under /etc/network/if-down.d ... 
info: loading scripts under /etc/network/if-post-down.d ... 
info: 'link_master_slave' is set. slave admin state changes will be delayed till the masters admin state change. 
info: using mgmt iface default prefix eth 
info: processing interfaces file /etc/network/interfaces 
info: template processing on interfaces file ... 
error: main exception: a bytes-like object is required, not 'str' 
info: exit status 1 
root@pve5:~# 


So it looks like ifupdown2 v3 is not fully compatible with config working in v2. Haven't digged yet into it (those are prod servers, so not easy to play with their network stack) 

Cheers, 
Daniel 

-- 
[ https://www.firewall-services.com/ ] 
Daniel Berteaud 
FIREWALL-SERVICES SAS, La sécurité des réseaux 
Société de Services en Logiciels Libres 
Tél : +33.5 56 64 15 32 
Matrix: @dani:fws.fr 
[ https://www.firewall-services.com/ | https://www.firewall-services.com ] 


_______________________________________________ 
pve-devel mailing list 
pve-devel@lists.proxmox.com 
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 

Re: [pve-devel] Regression in ifupdown2 with templates ?

[Daniel Berteaud]

----- Le 16 Juil 20, à 10:38, Alexandre DERUMIER aderumier@odiso.com a écrit :

>>>error: main exception: a bytes-like object is required, not 'str'
> 
> seem to be a bug here, maybe in template parsing.
> 
> Maybe this commit is fixing it:
> 
> https://github.com/CumulusNetworks/ifupdown2/commit/c44a7a363579d78c42b0cf17ff1b726dcde9296c

That's it !
Installing python3-mako and applying this patch made everything working again. I guess it'll picked up on the next ifupdown2 release (or should this be backported in pve package ?)

Anyway, many thanks Alexandre !

Regards, Daniel


-- 
[ https://www.firewall-services.com/ ] 	
Daniel Berteaud 
FIREWALL-SERVICES SAS, La sécurité des réseaux 
Société de Services en Logiciels Libres 
Tél : +33.5 56 64 15 32 
Matrix: @dani:fws.fr 
[ https://www.firewall-services.com/ | https://www.firewall-services.com ]

Re: [pve-devel] Regression in ifupdown2 with templates ?

[Alexandre DERUMIER]

I'll try to see if we can backport this patch, or bump to last master version, until a new release is done.



----- Mail original -----
De: "Daniel Berteaud" <daniel@firewall-services.com>
À: "Proxmox VE development discussion" <pve-devel@lists.proxmox.com>
Cc: "pve-devel" <pve-devel@pve.proxmox.com>
Envoyé: Jeudi 16 Juillet 2020 11:17:17
Objet: Re: [pve-devel] Regression in ifupdown2 with templates ?

----- Le 16 Juil 20, à 10:38, Alexandre DERUMIER aderumier@odiso.com a écrit : 

>>>error: main exception: a bytes-like object is required, not 'str' 
> 
> seem to be a bug here, maybe in template parsing. 
> 
> Maybe this commit is fixing it: 
> 
> https://github.com/CumulusNetworks/ifupdown2/commit/c44a7a363579d78c42b0cf17ff1b726dcde9296c 

That's it ! 
Installing python3-mako and applying this patch made everything working again. I guess it'll picked up on the next ifupdown2 release (or should this be backported in pve package ?) 

Anyway, many thanks Alexandre ! 

Regards, Daniel 


-- 
[ https://www.firewall-services.com/ ] 
Daniel Berteaud 
FIREWALL-SERVICES SAS, La sécurité des réseaux 
Société de Services en Logiciels Libres 
Tél : +33.5 56 64 15 32 
Matrix: @dani:fws.fr 
[ https://www.firewall-services.com/ | https://www.firewall-services.com ] 


_______________________________________________ 
pve-devel mailing list 
pve-devel@lists.proxmox.com 
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel