systemd: disable foreign route management #61
Merged
pothos merged 2 commits into flatcar-master from Feb 17, 2022
pothos added a commit to flatcar-archive/coreos-overlay that referenced this pull request Feb 16, 2022
This pulls in flatcar/init#61 and flatcar/baselayout#22 to use a drop-in file instead of the systemd patch.
f059d23 to cd33898
pothos added a commit to flatcar-archive/coreos-overlay that referenced this pull request Feb 17, 2022
This pulls in flatcar/init#61 and flatcar/baselayout#22 to use a drop-in file instead of the systemd patch.
jepio pushed a commit to flatcar-archive/coreos-overlay that referenced this pull request Mar 1, 2022
This pulls in flatcar/init#61 and flatcar/baselayout#22 to use a drop-in file instead of the systemd patch.
systemd: disable foreign route management
While systemd-networkd follows the principle of a declarative network
configuration and thus needs a way to ensure that unwanted routes or
routing policy rules get discarded, the interfacing with procedural
network management from CNIs like Cilium is limited, so that when the
interface is set to "unmanaged" through a networkd unit, any routing
policies there would also be ignored and discarded unless they would
be defined for a new unit for a dummy network interface. This means
the only option left is to disable the discarding of foreign rules
globally.
Set the default for ManageForeignRoutes and
ManageForeignRoutingPolicyRules to "no" to ensure that we don't
interfere with the network management of the CNIs. Users that rely on
the setting can still enable it again but only through a drop-in
under /etc/systemd/networkd.conf.d/ because this here is a drop-in
already that takes precedence over the top config file.
See cilium/cilium#18706 (Host network broken after one of the underlying interfaces of a bond goes down)
and flatcar/Flatcar#620 (Cilium routing policy rules can get lost)
Replaces flatcar-archive/coreos-overlay#1622 (sys-apps/systemd: add downstream patch to disable foreign route mgmt)
systemd: move files to init repo as unified location
The systemd drop-in files should only be in one repository, and using
init is better than baselayout for that (baselayout is also used for
the SDK).
How to use
Together with baselayout PR
Testing done
See coreos-overlay PR
changelog/ directory (user-facing change, bug fix, security fix, update) ↑ TODO in coreos-overlay
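The drop-in precedence described in the pull request, as an added example that is not part of the PR or of Flatcar's code: a shell helper that resolves the value networkd would read for one `[Network]` key, run against a constructed configuration tree. The helper names, the file names `50-vendor-example.conf` and `90-user-example.conf`, and the `/usr/lib` location of the vendor drop-in are assumptions made for illustration.

```shell
# Added example: resolve the value networkd would see for one [Network] key in
# networkd.conf, applying systemd's drop-in ordering. Simplified: only /etc,
# /run and /usr/lib are searched, and "yes" is taken as the built-in default.
effective_setting() {
    root=$1 key=$2
    # Unique drop-in names across all directories, in lexicographic order.
    names=$(for d in etc run usr/lib; do
                for f in "$root/$d/systemd/networkd.conf.d"/*.conf; do
                    if [ -f "$f" ]; then basename "$f"; fi
                done
            done | LC_ALL=C sort -u)
    set --
    if [ -f "$root/etc/systemd/networkd.conf" ]; then
        set -- "$root/etc/systemd/networkd.conf"   # main file is read first
    fi
    for n in $names; do
        # For a name present in several directories, /etc beats /run beats /usr/lib.
        for d in etc run usr/lib; do
            f="$root/$d/systemd/networkd.conf.d/$n"
            if [ -f "$f" ]; then set -- "$@" "$f"; break; fi
        done
    done
    # Files are read in the order built above; the last assignment wins.
    awk -v key="$key" '
        FNR == 1 { sect = "" }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sect = $1; next }
        sect == "[Network]" && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print (val == "" ? "yes" : val) }
    ' "$@" </dev/null
}

# Constructed sample tree; the file names below are hypothetical placeholders.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/systemd/networkd.conf.d" "$t/usr/lib/systemd/networkd.conf.d"
    printf '[Network]\nManageForeignRoutes=no\nManageForeignRoutingPolicyRules=no\n' \
        > "$t/usr/lib/systemd/networkd.conf.d/50-vendor-example.conf"
    # Setting it in the top-level file has no effect: the vendor drop-in is read later.
    printf '[Network]\nManageForeignRoutingPolicyRules=yes\n' > "$t/etc/systemd/networkd.conf"
    # A user drop-in whose name sorts after the vendor file does take effect.
    printf '[Network]\nManageForeignRoutes=yes\n' \
        > "$t/etc/systemd/networkd.conf.d/90-user-example.conf"
    echo "$t"
}
```

Drop-ins are ordered by file name across all directories, so a user drop-in under `/etc/systemd/networkd.conf.d/` only re-enables the setting if its name sorts after the vendor file's name.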