[RFC] Add site.conf option for fastd peer upgrade #1257
Conversation
|
Next time please just update your pull request instead of opening a new one. |
CodeFetch
force-pushed
the
master
branch
5 times, most recently
from
c2c52a7
to
bc0002f
Compare
CodeFetch
force-pushed
the
master
branch
4 times, most recently
from
500e1d8
to
524d965
Compare
|
please adjust the commit message to include the module being changed. |
| @@ -92,6 +92,64 @@ function add_groups(prefix, groups, parent) | |||
| end | |||
| end | |||
|
|
|||
| local function match_custom(gp) | |||
There was a problem hiding this comment.
instead of defining match_custom using something like
if (string.find(gp, 'custom'))
then
print 'We have a match'
end
could be used for a little more brevity & clarity.
docs/user/site.rst
Outdated
| @@ -230,6 +235,8 @@ mesh_vpn | |||
| methods = {'salsa2012+umac'}, | |||
| -- configurable = true, | |||
| -- syslog_level = 'warn', | |||
| -- delete_old_peers = false, | |||
| -- delete_custom_peers = false, | |||
There was a problem hiding this comment.
can you elaborate on the use case of delete_custom_peers?
There was a problem hiding this comment.
This option is more about being able to retain custom peers. As the default for site values is always false I had to name it this way.
If you update from another community and your community does not support N2N or you want to abandon N2N or never planned on introducing it, you might want to get custom peers deleted also.
There was a problem hiding this comment.
what is N2N? i don't know about custom peers and N2N either, so this should be documented with this Pull Request so everyone knows what it is
There was a problem hiding this comment.
node to node VPN. I think it is great supporting that however I did not get this from the custom peers and rather would call them n2n_peers but that is just taking nit-picking to an extreme.
There is another PR open for supporting node to node VPN...
CodeFetch
changed the title
|
I changed the title to make clear that I didn't want to get this merged as it is, but to drive forth the fallen asleep topic about handling peers on update. |
|
@CodeFetch so what reactions would drive you to continue working on this to make it merge-ready? :D |
|
@rotanid Sorry, I'm very busy at the moment. I'm going to clean this up after initial xlat464 support. |
rotanid
added
the
2. status: merge conflict
|
@CodeFetch it's been another year now, whats the progress/plan here? i'm not sure why people open PRs and don't do anything afterwards - this way opening the PR is wasted time for the opener... |
This commit introduces two additional fastd site.conf options: `sysupgrade_remove_old_peers` removes peer and peer group entries existing from an old configuration except those which were defined using the node2node VPN feature after a sysupgrade. `sysupgrade_remove_n2n_peers` removes existing peer and peer group entries which were defined using the node2node VPN feature (which have 'n2n_vpn' in their name) after a sysupgrade.
|
@rotanid Done. |
rotanid
removed
2. status: merge conflict
|
@CodeFetch thanks! |
|
@rotanid That's why I didn't want to call it n2n_vpn, but custom. The user may want to keep some "custom" entries whether they are being set by the n2n feature or by hand. |
|
IMO: If site.conf ships a peer group that should supersede the locally configured peer group of the same name, so just replace that, no knob please. Edit: Obvious gotcha is the missing possibility to delete an unused group, d'oh. |
|
@mweinelt This was discussed earlier and NeoRaider did not want to break the ability to incrementally add peers to peer groups. @rotanid I'll have a look at the node2node feature the next days. It shouldn't be that hard to get it merged, should it? christf said it is not considered before the babel release. I don't see a real reason for this. I just want to get these annoying 3 year old PRs merged. Having an established fastd node2node solution means I can be certain how the uci structure looks like and may simplify this PR. Thus you can set it blocked. |
|
@rotanid Okay I've realized that it was not clear what I want to achieve here and I was confused about it at some point, too. At the moment there is only a single fastd mesh package called "gluon-mesh-vpn-fastd". This should be more modular. The package "gluon-mesh-vpn-fastd-core" should provide the configuration and upgrade scripts that are common to each flavor. The forwarding option of the node2node feature will always disable forwarding, too. The node2node feature should be able to define "custom" peers and ones defined using site.conf (If the node is a regular one it uses the node2node feature to use custom peerings defined by the user. However if it is a supernode it will use the node2node feature to connect with other supernodes and e.g. nameservers which will either be defined in the site.conf or manually). In that case the term "custom" and "n2n" peers cannot be used interchangeably anymore. In the future another package may come up to allow supernode functionality using gluon which will allow forwarding between peers using even another fastd instance providing connectivity to regular nodes. This package will have a configuration option to permit nodes to connect without authorization and will be able to handle site.conf and custom peer entries, too (thus the firmware does not always have to be flashed when a new node's public is being submitted). Thus "custom" peers should not only be a feature of n2n, but be provided by the "gluon-mesh-vpn-fastd-core" package. I'm going to change this pull-request to not rely on the naming of the options to decide whether a peer/peer group is custom, but introduce a boolean option called "custom" to peers/peer groups and fastd instances. If custom is set to true on one level of the configuration hierarchy all children will be considered custom. I'm also going to split the "gluon-mesh-vpn-fastd" package into "gluon-mesh-vpn-fastd-core" and "gluon-mesh-vpn-fastd-n2s". |
mweinelt
added
the
9. meta: reviewday
|
Today in review we decided the following:
|
christf
removed
the
9. meta: reviewday
|
@christf's comment sort of mixes up the short-term and long-term solutions I proposed: Short-term we will simply add a flag |
|
So the only change is that the "custom" flag should be called "preserve" instead? |
Basically, the whole implementation can be simplified to:
|
|
@NeoRaider Maybe I misunderstand you...
I think one needs to check whether a group's subelements contain the |
|
Meanwhile I've seen that there is a more elegant way to do this. Thus I'll look into it next week. |
|
Superseded by #2021. |
Shouldn't this resolve #557?
BTW: Sorry for my inability to use Github. I don't like pull requests.