diff --git a/.github/renovate.json b/.github/renovate.json index 9e84da8..266b8d8 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -103,6 +103,12 @@ "matchPackageNames": [ "systemd/systemd" ] + }, + { + "allowedVersions": "< 3.0.0", + "matchPackageNames": [ + "https://gitlab.nic.cz/labs/bird.git" + ] } ], "separateMajorMinor": false diff --git a/.kres.yaml b/.kres.yaml index 243f2f9..4cd9823 100644 --- a/.kres.yaml +++ b/.kres.yaml @@ -6,6 +6,7 @@ spec: - amdgpu - amd-ucode - binfmt-misc + - bird2 - bnx2-bnx2x - btrfs - chelsio-drivers @@ -299,3 +300,6 @@ spec: - matchPackageNames: - systemd/systemd versioning: 'regex:^(?\d+)\.?(?\d+)?\.?(?\d+)?$' + - matchPackageNames: + - https://gitlab.nic.cz/labs/bird.git + allowedVersions: "< 3.0.0" diff --git a/Makefile b/Makefile index 7e1dfd2..85002f2 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT. # -# Generated on 2025-12-05T14:27:38Z by kres 571923f. +# Generated on 2025-12-04T12:12:14Z by kres 571923f. # common variables @@ -63,6 +63,7 @@ TARGETS = amazon-ena TARGETS += amdgpu TARGETS += amd-ucode TARGETS += binfmt-misc +TARGETS += bird2 TARGETS += bnx2-bnx2x TARGETS += btrfs TARGETS += chelsio-drivers @@ -296,4 +297,3 @@ release-notes: $(ARTIFACTS) conformance: @docker pull $(CONFORMANCE_IMAGE) @docker run --rm -it -v $(PWD):/src -w /src $(CONFORMANCE_IMAGE) enforce - diff --git a/README.md b/README.md index ed01ae5..9008890 100644 --- a/README.md +++ b/README.md 
@@ -130,6 +130,7 @@ tiers based on support level: | Name | Tier | Image | Version | Description | | ---- | ---- | ----- | ------- | ----------- | +| [bird2](network/bird2) | :white_large_square: contrib | [ghcr.io/siderolabs/bird2](https://github.com/siderolabs/extensions/pkgs/container/bird2) | `2.17.1` | bird2 routing daemon for Talos. bird2cl can be used to interface with the daemon (lightweight CLI only!). More info: https://bird.network.cz/ | | [cloudflared](network/cloudflared) | :white_large_square: contrib | [ghcr.io/siderolabs/cloudflared](https://github.com/siderolabs/extensions/pkgs/container/cloudflared) | `2025.11.1` | Cloudflare Tunnel securely connects resources to Cloudflare without a public IP. A lightweight daemon (cloudflared) creates outbound-only connections to Cloudflare, allowing safe access to services like HTTP, SSH, remote desktops, and other protocols. More info: https://github.com/cloudflare/cloudflared/ | | [lldpd](network/lldpd) | :yellow_square: extra | [ghcr.io/siderolabs/lldpd](https://github.com/siderolabs/extensions/pkgs/container/lldpd) | `1.0.20` | LLDP adds a LLDP discovery service to Talos. LLDP cli can be used to interface with the daemon. | | [nebula](network/nebula) | :white_large_square: contrib | [ghcr.io/siderolabs/nebula](https://github.com/siderolabs/extensions/pkgs/container/nebula) | `1.9.7` | A scalable overlay networking tool with a focus on performance, simplicity and security | diff --git a/network/bird2/README.md b/network/bird2/README.md new file mode 100644 index 0000000..41a2ff3 --- /dev/null +++ b/network/bird2/README.md 
@@ -0,0 +1,158 @@
+# bird2
+>
+> [!WARNING]
+> This SystemExtensio does **not** support dynamic reloading. A configuration change triggers a restart of bird!
+
+Adds [bird2](https://bird.network.cz/) routing daemon as Talos system extensions.
+
+## Installation
+
+See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
+
+## Usage
+
+1. Configure the extension via `ExtensionServiceConfig` document.
+
+```yaml
+---
+apiVersion: v1alpha1
+kind: ExtensionServiceConfig
+name: bird2
+configFiles:
+ - mountPath: /usr/local/etc/bird.conf
+ content: |
+ # This is just a minimal NOOP config!
+ log stderr all;
+ router id 6.6.6.6;
+ protocol device {}
+```
+
+1. Apply the patch to your node's MachineConfigs
+
+```bash
+talosctl patch mc -p @bird2-config.yaml
+```
+
+## Debugging
+
+A Bird client can be spawned by a node debug container, e.g.: `chroot /proc/$(pgrep bird)/cwd /usr/local/sbin/birdcl`
+
+## Examples
+
+### Dual Top of Rack uplink with CNI integration
+>
+> [!WARNING]
+> This is a lab configuration, review and adjust to your needs before production. For this to work, ToR switches must advertise the default route.
+
+This bird2 configuration peers with a top of rack switches, listens on localhost for BGP sessions established by a CNI (here [Cilium](https://cilium.io)) and redistributes them within the network fabric:
+
+```yaml
+---
+apiVersion: v1alpha1
+kind: ExtensionServiceConfig
+name: bird2
+configFiles:
+ - mountPath: /usr/local/etc/bird.conf
+ content: |
+ define FABRIC_AS = 65000;
+ define TALOS_NODE_AS = 65001;
+ define CILIUM_AS = 65002;
+
+ log stderr all;
+ debug protocols all;
+
+ router id from "dummy0";
+
+ protocol device {
+ scan time 10;
+ }
+
+ protocol direct loopback {
+ interface "dummy0";
+ ipv4 {
+ import all;
+ export none;
+ };
+ }
+
+ protocol kernel {
+ merge paths on;
+ learn off;
+ ipv4 {
+ export filter {
+ if proto = "cilium" then reject;
+ if proto = "loopback" then reject;
+ accept;
+ };
+ import none;
+ };
+ }
+
+ protocol bgp fabric_enp33s0f1np1 {
+ local as TALOS_NODE_AS;
+ source address 10.66.66.6;
+ neighbor 10.66.66.1 as FABRIC_AS;
+ ipv4 {
+ import all;
+ export all;
+ next hop self;
+ };
+ interface "enp33s0f1np1";
+ };
+
+ protocol bgp cilium {
+ passive on;
+ multihop 2; # bypass bird statup check for localhost IP address
+
+ local as TALOS_NODE_AS;
+ neighbor 127.0.0.1 as CILIUM_AS;
+
+ ipv4 {
+ import all;
+ export none;
+ };
+ };
+```
+
+Cilium configuration (just for demonstration purposes!):
+
+```yaml
+---
+apiVersion: cilium.io/v2
+kind: CiliumBGPPeerConfig
+metadata:
+ name: cilium-bird2-nodelocal
+spec:
+ families:
+ - afi: ipv4
+ safi: unicast
+ advertisements:
+ matchLabels:
+ bgp: cilium-peer
+---
+apiVersion: cilium.io/v2
+kind: CiliumBGPAdvertisement
+metadata:
+ name: pod-cidr-advertisement
+ labels:
+ bgp: cilium-bird2-nodelocal
+spec:
+ advertisements:
+ - advertisementType: "PodCIDR"
+---
+apiVersion: cilium.io/v2
+kind: CiliumBGPClusterConfig
+metadata:
+ name: bird2-nodelocal-bgp
+spec:
+ nodeSelector: {}
+ bgpInstances:
+ - name: "bird2-nodelocal-bgp-65002"
+ localASN: 65002
+ peers:
+ - name: "bird2-nodelocal"
+ peerASN: 65001
+ peerAddress: 127.0.0.1
+ peerConfigRef:
+ name: "cilium-bird2-nodelocal"
+```
diff --git a/network/bird2/bird2.yaml b/network/bird2/bird2.yaml
new file mode 100644
index 0000000..944bcba
--- /dev/null
+++ b/network/bird2/bird2.yaml
@@ -0,0 +1,26 @@
+# © 2025 DE-CIX
+# Licensed under the Mozilla Public License 2.0
+# SPDX-License-Identifier: MPL-2.0
+name: bird2
+depends:
+ - service: cri
+ - network:
+ - addresses
+ - etcfiles
+ - hostname
+ - configuration: true
+container:
+ entrypoint: /usr/local/sbin/bird
+ args:
+ - -f
+ security:
+ writeableRootfs: false
+ writeableSysfs: true
+ mounts:
+ - source: /var/run/bird
+ destination: /usr/local/var/run
+ type: bind
+ options:
+ - bind
+ - rw
+restart: always
diff --git a/network/bird2/manifest.yaml.tmpl b/network/bird2/manifest.yaml.tmpl
new file mode 100644
index 0000000..8e37bf7
--- /dev/null
+++ b/network/bird2/manifest.yaml.tmpl
@@ -0,0 +1,14 @@
+# © 2025 DE-CIX
+# Licensed under the Mozilla Public License 2.0
+# SPDX-License-Identifier: MPL-2.0
+version: v1alpha1
+metadata:
+ name: bird2
+ version: "{{ .VERSION }}"
+ author: Matthias Riegler
+ description: |
+ [{{ .TIER }}] bird2 routing daemon for Talos. bird2cl can be used to interface with the daemon (lightweight CLI only!).
+ More info: https://bird.network.cz/
+ compatibility:
+ talos:
+ version: ">= v1.11.0"
diff --git a/network/bird2/pkg.yaml b/network/bird2/pkg.yaml
new file mode 100644
index 0000000..bcd3f5f
--- /dev/null
+++ b/network/bird2/pkg.yaml
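Review bot: `writeableSysfs: true` under `security:` gives the service write access to /sys, and nothing in this change shows bird needing it — as far as I know BIRD programs routes over netlink, and its control socket lives under the bind-mounted /usr/local/var/run — so a run with `writeableSysfs: false` is worth trying as the tighter default. If it does turn out to be required, a comment such as `# writeableSysfs: needed because <reason>` would record why the wider access is granted. The `rw` bind of /var/run/bird also appears to be what lets birdcl reach the daemon's socket from a debug container as the README describes; a one-line comment on the mount saying so would help the next maintainer.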
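Review bot: `bird2cl` in the description does not match the client binary this change refers to elsewhere (`/usr/local/sbin/birdcl` in the README's debugging section), and since the description is surfaced in the top-level README table the typo is user-facing; change it to `birdcl can be used to interface with the daemon (lightweight CLI only!)`. The same string appears in the README.md table row of this commit, which presumably is generated from this template and would pick the fix up on regeneration.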
@@ -0,0 +1,53 @@
+# © 2025 DE-CIX
+# Licensed under the Mozilla Public License 2.0
+# SPDX-License-Identifier: MPL-2.0
+name: bird2
+variant: scratch
+shell: /bin/bash
+dependencies:
+ - stage: base
+steps:
+ - sources:
+ - url: "https://bird.network.cz/download/bird-{{ .BIRD2_VERSION }}.tar.gz"
+ destination: bird2.tar.gz
+ sha256: "{{ .BIRD2_SHA256 }}"
+ sha512: "{{ .BIRD2_SHA512 }}"
+ env:
+ SOURCE_DATE_EPOCH: "{{ .BUILD_ARG_SOURCE_DATE_EPOCH }}"
+ prepare:
+ - |
+ tar -xf bird2.tar.gz --strip-components=1
+
+ - |
+ export CFLAGS="${CFLAGS} -I/usr/local/include -static"
+ export LDFLAGS="${LDFLAGS} -static"
+
+ ./configure --disable-client --prefix=/usr/local
+ build:
+ - |
+ make -j $(nproc) all
+ install:
+ - |
+ mkdir -p /rootfs/usr/local/{etc/containers,lib/containers/bird2}
+ cp /pkg/bird2.yaml /rootfs/usr/local/etc/containers/bird2.yaml
+
+ make DESTDIR=/rootfs/usr/local/lib/containers/bird2 install
+ rm /rootfs/usr/local/lib/containers/bird2/usr/local/etc/bird.conf
+ test:
+ - |
+ mkdir -p /extensions-validator-rootfs
+ cp -r /rootfs/ /extensions-validator-rootfs/rootfs
+ cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
+ /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
+ sbom:
+ outputPath: /rootfs/usr/local/share/spdx/bird2.spdx.json
+ version: "{{ .VERSION }}"
+ cpes:
+ - "cpe:2.3:a:bird_project:bird:{{ .VERSION }}:*:*:*:*:*:*:*"
+ licenses:
+ - GPL-2.0-or-later
+finalize:
+ - from: /rootfs
+ to: /rootfs
+ - from: /pkg/manifest.yaml
+ to: /
diff --git a/network/bird2/vars.yaml b/network/bird2/vars.yaml
new file mode 100644
index 0000000..cd3452b
--- /dev/null
+++ b/network/bird2/vars.yaml
@@ -0,0 +1,5 @@
+# © 2025 DE-CIX
+# Licensed under the Mozilla Public License 2.0
+# SPDX-License-Identifier: MPL-2.0
+VERSION: "{{ .BIRD2_VERSION }}"
+TIER: "contrib"
diff --git a/network/vars.yaml b/network/vars.yaml
index 0454bf7..51e4f05 100644
--- a/network/vars.yaml
+++ b/network/vars.yaml
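Review bot: The CPE `cpe:2.3:a:bird_project:bird:{{ .VERSION }}:…` under `sbom.cpes` is not checked by anything in this change; if the vendor/product pair does not match the NVD dictionary entry for BIRD, scanners reading /usr/local/share/spdx/bird2.spdx.json will not correlate advisories to this package, so it is worth verifying against NVD before merging. `./configure --disable-client` deserves a comment recording the intent, e.g. `# --disable-client skips the readline birdc; the lightweight birdcl the README relies on is still built` (assuming upstream's build behaves that way for this version — confirm). The `rm` of the default bird.conf in the install step looks like a deliberate fail-closed choice, since it appears to force the node's ExtensionServiceConfig to supply the config; a comment such as `# no bundled default config: the ExtensionServiceConfig must provide /usr/local/etc/bird.conf` would make that explicit.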
@@ -28,3 +28,7 @@ NEWT_SHA512: 021cb93f8616a907f5d0d2e5c2979cc28669042b2cc77322633a23e49cae48e0498
 NETBIRD_VERSION: 0.59.12
 NETBIRD_SHA256: 2f0bdd45996f46f2e2c1dbf5a6712bba38a06cbfb7e4c00f814b0ffe149d7c6d
 NETBIRD_SHA512: c1c171de52b2d65130cfdf3fb54add154dcbefdaf4d753f9ab0ca2371924ae927eff2fc504175ab0951f4e5e4986ae56006518706eb1d0312ae56c4ba19d62f6
+# renovate: datasource=git-tags extractVersion=^v(?.*)$ depName=https://gitlab.nic.cz/labs/bird.git
+BIRD2_VERSION: "2.17.1"
+BIRD2_SHA256: bfd718dfa596819b3801688783212514b467163329aec9bbcd0fa3dee03e10e9
+BIRD2_SHA512: b535bc74f7e865167f40eef3dd82042f085d06de394a2eac2d94bae4c44e247b590d4c45206afe360b2d8879e33f2478117f0a0b1a5182431204cbbf595b9890
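Review bot: As rendered here, `extractVersion=^v(?.*)$` on the renovate comment is not a valid regular expression (`(?` must be followed by a group modifier), so unless the named-capture syntax was lost in rendering — renovate expects a `version` group, i.e. `^v(?<version>.*)$` — this entry will never yield a version; the `versioning:` regex on the .kres.yaml context line shows the same pattern, so the committed text is worth confirming. Note also that a renovate bump of BIRD2_VERSION leaves BIRD2_SHA256/BIRD2_SHA512 unchanged; pkg.yaml checks both against the downloaded tarball, so a bump should fail the build until the hashes are refreshed by hand. That is the desired fail-closed behaviour, but stating it in the comment, e.g. `# hashes must be updated together with BIRD2_VERSION`, would save the next maintainer a puzzled build failure.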