Commands for managing bgp auth and route local preference #795
Conversation
rcgoodfellow
force-pushed
the
bgp-auth
branch
6 times, most recently
from
a5cba56 to
6fbbd55
Compare
elaine-oxide
left a comment
elaine-oxide
left a comment
There was a problem hiding this comment.
See comments regarding help output and #[command(name = "xyz")]
| ] | ||
| }, | ||
| { | ||
| "name": "route", |
There was a problem hiding this comment.
Just noting that no help appears for this top level route command (nor for the bgp command).
The help looks like:
$ oxide system networking --help
Usage: oxide system networking [OPTIONS] <COMMAND>
Commands:
addr Manage switch port addresses.
address-lot
allow-list
bfd
bgp
link Manage switch port links.
loopback-address
route
switch-port-settings
help Print this message or the help of the given subcommand(s)
There was a problem hiding this comment.
Updated the docstrings that are for custom commands. For the autogenerated ones, not sure there is much that can be done here.
There was a problem hiding this comment.
Note that bgp is a combined custom command and an autogenerated one.
|
I am using Oxide CLI version: I am running a4x2 with the following combination of commits:
I tried deleting a peer that I never created (no peer exists at It unexpectedly did not provide a warning that the peer did not exist. ===== Update on 27 Aug 2024: Issue resolved. |
|
I am using Oxide CLI version: I am running a4x2 with the following combination of commits:
I tried the following: Also Error message could be less terse for end user or operator. More help output needed for acceptable values for the flags indicated. ===== Update on 27 Aug 2024: Last item (but not earlier items) resolved: |
|
I am running Oxide CLI version: I am running a4x2 with omicron I tried the following (the 90 char Output for The following showed expected output for all password variations (90 chars, no password, real password). In addition to trying a long password like the 90 char ===== Update on 27 Aug 2024: Issues resolved. |
|
Suggestion to consider naming consistency for flags, in CLI commands below, where the first one has |
|
Per RFC 2385 section 4.5
We only support up to 80-byte keys. The underlying TCP-MD5 implementation in illumos also only supports up to 80 byte keys. |
I've added warnings for when delete operations do nothing. |
The output of the |
This is fixed by |
Both are now |
|
@elaine-oxide I believe I've addressed your feedback. |
Now the help looks like: Could choose to copy the second one (it's more descriptive) to the first one. |
done |
|
Minor comment (can ignore): Inconsistent appearance of periods at the end of the help strings for the top level help, but consistent (no periods used) for the lowest level help output that I checked (I only checked the lowest level for commands that are new in this PR). |
elaine-oxide
left a comment
elaine-oxide
left a comment
There was a problem hiding this comment.
See minor comments.
| /// Set a filtering specification for a peer. | ||
| Filter(CmdBgpFilter), | ||
|
|
||
| /// Set an authentication string. |
There was a problem hiding this comment.
It's not clear to me why this help string and the one on line 225 do not appear in the output.
$ oxide system networking bgp --help
Usage: oxide system networking bgp [OPTIONS] <COMMAND>
Commands:
announce Announce a prefix over BGP.
announce-set
auth
config
exported Get BGP exported routes
filter Add a filtering requirement to a BGP session.
history Get BGP router message history
imported
peer Manage BGP peers.
pref
show-status Get the status of BGP on the rack.
status Get BGP peer status
withdraw Withdraw a prefix over BGP.
help Print this message or the help of the given subcommand(s)
Options:
--profile <PROFILE> Configuration profile to use for commands
-h, --help Print help
It also doesn't appear here:
$ oxide system networking bgp auth --help
Usage: oxide system networking bgp auth [OPTIONS] --rack <RACK> --switch <SWITCH> --port <PORT> --peer <PEER>
Options:
--rack <RACK> Id of the rack to add the auth config to
--profile <PROFILE> Configuration profile to use for commands
--switch <SWITCH> Switch to add the auth config to [possible values: switch0, switch1]
--port <PORT> Port to add the auth config to [possible values: qsfp0, qsfp1, qsfp2, qsfp3, qsfp4, qsfp5, qsfp6, qsfp7, qsfp8, qsfp9, qsfp10, qsfp11, qsfp12, qsfp13, qsfp14, qsfp15, qsfp16, qsfp17, qsfp18, qsfp19, qsfp20, qsfp21, qsfp22, qsfp23, qsfp24, qsfp25, qsfp26, qsfp27, qsfp28, qsfp29, qsfp30, qsfp31]
--peer <PEER> Peer to add the auth config to
--authstring <AUTHSTRING> Use the given authorization string for TCP-MD5 authentication with the peer
-h, --help Print help
There was a problem hiding this comment.
This is because those top-level structures are never included in cli/src/main.rs. See the add_custom directives in main.rs to see how commands are included in the overall CLI program. Because some top-level names like bgp must share their command namespace with commands that are autogenerated from the API, it is not possible to include them using cmd_net, so we need to cherry-pick more specific commands below the bgp part of the command.
There was a problem hiding this comment.
I've added a few more dostrings. But the purely API-generated commands will not have doscstrings.
elaine-oxide
left a comment
elaine-oxide
left a comment
There was a problem hiding this comment.
Completed runtime testing on this version for static route local preference (performed runtime testing on earlier version for MD5 auth).
See minor comments (optional).
| enum BgpConfigPeerSubCommand { | ||
| /// Add a BGP peer to a port configuration. | ||
| Add(CmdBgpPeerAdd), | ||
| /// Set a BGP peer on a port configuration. |
There was a problem hiding this comment.
Looking at consistency of terminology in help output.
oxide system networking bgp auth --helpsays "switch port settings configuration".oxide system networking bgp peer --helpsays "switch port settings objects".oxide system networking bgp peer set --help(here) says "port configuration".oxide system networking bgp peer delete --helpsays "port configuration".oxide system networking bgp pref --helpsays "switch port settings configuration".
Could make consistent as needed.
| #[arg(long)] | ||
| peer: IpAddr, | ||
|
|
||
| /// Apply this local preference to routes received from the peer. |
There was a problem hiding this comment.
User currently must see an example to know what type/values are allowed, not obvious from help output. This is the case for all places where this flag is specified:
oxide system networking route setoxide system networking bgp peer setoxide system networking bgp pref(here)
There was a problem hiding this comment.
Maybe there is a switch for clap to make the help more useful. But I don't think we should go manually comment on the type of every single clap argument.
| #[derive(clap::ValueEnum, Clone, Copy, Debug)] | ||
| pub enum CliLinkFec { | ||
| /// Firecode forward error correction. | ||
| Firecode, | ||
| /// No forward error correction. | ||
| None, | ||
| /// Reed-Solomon forward error correction. | ||
| Rs, | ||
| } | ||
|
|
||
| impl From<CliLinkFec> for LinkFec { | ||
| fn from(value: CliLinkFec) -> Self { | ||
| match value { | ||
| CliLinkFec::Firecode => LinkFec::Firecode, | ||
| CliLinkFec::None => LinkFec::None, | ||
| CliLinkFec::Rs => LinkFec::Rs, | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
FWIW, https://github.com/oxidecomputer/oxide.rs/blob/main/sdk/src/clap_feature.rs show another way to address what I infer to be the problem you were solving here, but I'm not sure.
| eprintln_nopipe!("no originated prefixes match the provided args"); | ||
| return Ok(()); |
There was a problem hiding this comment.
Do we want to return an anyhow error or does that not produce the desired result? Do we test this (do we want to)?
| eprintln_nopipe!("no routes match the provided args"); | ||
| return Ok(()); |
There was a problem hiding this comment.
This error message was produced when I tried to delete the same route twice (which meant I was deleting a non-existing route the second time).
$ oxide system networking route delete --rack 2d1fe615-0fd9-485d-8898-cd024883d222 --switch switch1 --port qsfp0 --destination 240.0.0.0/4 --nexthop 169.254.30.1
no routes match the provided args
| eprintln_nopipe!("no addresses match the provided args"); | ||
| return Ok(()); |
This PR adds three new networking commands
bgp authto manage MD5 authentication authorization stringsbgp prefto manage the local preference setting of BGP peersrouteto manage static routesAll of the above perform partial updates on port settings objects through read-modify-write actions.