Mentioned in SAL (#wikimedia-operations) [2021-02-03T15:32:42Z] <volans> disabling puppet on install1003 for a quick test for T221388

Mentioned in SAL (#wikimedia-operations) [2021-02-03T16:13:14Z] <volans> enabled puppet on install1003 after the test T221388

I tested the config with:

host sretest1001 {
    host-identifier option agent.circuit-id "ge-3/0/15.0:private1-d-eqiad";
     fixed-address sretest1001.eqiad.wmnet;
}

And it seemed to work as expected. I need to perform a more in depth test as I want to reimage sretest1001 with the same config so to ensure that this works across the whole reimage process, but looks promising.
Another bits to look at is the Junos side of the configuration.
The tested configuration was:

ayounsi@asw2-d-eqiad# show | compare 
[edit vlans private1-d-eqiad]
+    forwarding-options {
+        dhcp-security {
+            option-82 {
+                remote-id {
+                    host-name;
+                }
+            }
+        }
+    }

We can check if we could have the switch hostname as part of the injected data.

Adding the circuit-id prefix host-name setting and removing the remote-id that we're not gonna use, the circuit ID includes the switch hostname too, so becoming asw2-d-eqiad:ge-3/0/15.0:private1-d-eqiad. That should be enough to be able to set the DHCP with in a unique manner.

References used:
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/example-setting-up-dhcp-option82-no-relay.html#id-setting-up-dhcp-option-82-on-the-switch-with-no-relay-els

http://www.miquels.cistron.nl/isc-dhcpd/

The config for the above test used:

circuit-id {
    prefix {
        host-name;
    }
}

Change 663233 had a related patch set uploaded (by Volans; owner: Volans):
[operations/puppet@production] dhcpd: create and include files for option 82

https://gerrit.wikimedia.org/r/663233

Change 663234 had a related patch set uploaded (by Volans; owner: Volans):
[operations/puppet@production] dhcpd: move sretest1002 to option 82

https://gerrit.wikimedia.org/r/663234

Change 663233 merged by Volans:
[operations/puppet@production] dhcpd: create and include files for option 82

https://gerrit.wikimedia.org/r/663233

Change 663234 merged by Volans:
[operations/puppet@production] dhcpd: move sretest1002 to option 82

https://gerrit.wikimedia.org/r/663234

With the above patches merged, and with:

root@install1003:/etc/dhcp# cat opt82-entries.ttyS1-115200
host sretest1002 {
    host-identifier option agent.circuit-id "asw2-d-eqiad:ge-6/0/5.0:private1-d-eqiad";
    fixed-address sretest1002.eqiad.wmnet;
}

The DHCP requests from sretest1002 seems to work fine. I'll shortly test also a reimage.

I'm probably not up to date on concrete plans built on top of this, but it seems like having the numeric vlan id might be useful metadata here in addition to the abstract name of the vlan (e.g. scenarios where we might do vlan trunking on the main interface of the host and need to see or match that primary-vlan number in some interface setup scripts?)

From the doc:

Specify that the circuit ID suboption value contains the VLAN ID rather than the VLAN name (the default):

[edit vlans vlan-name forwarding-options dhcp-security option-82]
user@switch# set circuit-id use-vlan-id

So it seems possible.

In T221388#6822703, @BBlack wrote:

I'm probably not up to date on concrete plans built on top of this, but it seems like having the numeric vlan id might be useful metadata here in addition to the abstract name of the vlan (e.g. scenarios where we might do vlan trunking on the main interface of the host and need to see or match that primary-vlan number in some interface setup scripts?)

@BBlack The option on the JunOS side allows to pick either the name or the ID, not both. In terms of assured uniqueness we can surely use the ID if the name can be duplicated (I don't think that Netbox enforces it).