github.com/cilium/cilium@v1.16.2/Documentation/network/bird.rst (about) 1 .. only:: not (epub or latex or html) 2 3 WARNING: You are looking at unreleased Cilium documentation. 4 Please use the official rendered version released here: 5 https://docs.cilium.io 6 7 8 ********************************** 9 Using BIRD to run BGP (deprecated) 10 ********************************** 11 12 `BIRD is an open-source implementation for routing Internet Protocol 13 packets on Unix-like operating systems <https://en.wikipedia.org/wiki/Bird_Internet_routing_daemon>`_. 14 If you are not familiar with it, you had best have a glance at the `User's Guide`_ first. 15 16 .. _`User's Guide`: https://bird.network.cz/?get_doc&f=bird.html&v=20 17 18 BIRD provides a way to advertise routes using traditional networking protocols 19 to allow Cilium-managed endpoints to be accessible outside the cluster. This 20 guide assumes that Cilium is already deployed in the cluster, and that the 21 remaining piece is how to ensure that the pod CIDR ranges are externally 22 routable. 23 24 `BIRD <https://bird.network.cz>`_ maintains two release families at present: 25 ``1.x`` and ``2.x``, and the configuration format varies a lot between them. 26 Unless you have already deployed the ``1.x``, we suggest using ``2.x`` 27 directly, as the ``2.x`` will live longer. The following examples will denote 28 ``bird`` as the ``bird2`` software and use configuration in the format that 29 ``bird2`` understands. 30 31 This guide shows how to install and configure bird on CentOS 7.x to make it 32 collaborate with Cilium. Installation and configuration on other platforms 33 should be very similar. 34 35 Install bird 36 ################## 37 38 .. code-block:: shell-session 39 40 $ yum install -y bird2 41 42 $ systemctl enable bird 43 $ systemctl restart bird 44 45 46 Test the installation: 47 48 .. code-block:: shell-session 49 50 $ birdc show route 51 BIRD 2.0.6 ready. 52 53 $ birdc # interactive shell 54 BIRD 2.0.6 ready. 55 bird> show bfd sessions 56 There is no BFD protocol running 57 bird> 58 bird> show protocols all 59 Name Proto Table State Since Info 60 device1 Device --- up 10:53:40.147 61 62 direct1 Direct --- down 10:53:40.147 63 Channel ipv4 64 State: DOWN 65 Input filter: ACCEPT 66 Output filter: REJECT 67 ... 68 69 Basic configuration 70 ##################### 71 72 It's hard to discuss bird configurations without considering specific BGP 73 schemes. However, BGP scheme design is beyond the scope of this guide. 74 If you are interested in this topic, refer to `BGP in the Data Center 75 <https://www.oreilly.com/library/view/bgp-in-the/9781491983416/>`_ (O'Reilly, 76 2017) for a quick start. 77 78 In the following, we will restrict our BGP scenario as follows: 79 80 .. image:: images/bird_sample_topo.png 81 :scale: 70% 82 83 * physical network: simple 3-tier hierarchical architecture 84 * nodes connect to physical network via layer 2 switches 85 * announcing each node's PodCIDR to physical network via ``bird`` 86 * for each node, do not import route announcements from physical network 87 88 In this design, the BGP connections look like this: 89 90 .. image:: images/bird_sample_bgp.png 91 :scale: 70% 92 93 This scheme is simple in that: 94 95 * core routers learn PodCIDRs from ``bird``, which makes the Pod IP addresses 96 routable within the entire network. 97 * ``bird`` doesn't learn routes from core routers and other nodes, which keeps the 98 kernel routing table of each node clean and small, and suffering no 99 performance issues. 100 101 In this scheme, each node just sends pod egress traffic to node's default 102 gateway (the core routers), and lets the latter do the routing. 103 104 Below is the a reference configuration for fulfilling the above purposes: 105 106 :: 107 108 $ cat /etc/bird.conf 109 log syslog all; 110 111 router id {{ NODE_IP }}; 112 113 protocol device { 114 scan time 10; # Scan interfaces every 10 seconds 115 } 116 117 # Disable automatically generating direct routes to all network interfaces. 118 protocol direct { 119 disabled; # Disable by default 120 } 121 122 # Forbid synchronizing BIRD routing tables with the OS kernel. 123 protocol kernel { 124 ipv4 { # Connect protocol to IPv4 table by channel 125 import none; # Import to table, default is import all 126 export none; # Export to protocol. default is export none 127 }; 128 } 129 130 # Static IPv4 routes. 131 protocol static { 132 ipv4; 133 route {{ POD_CIDR }} via "cilium_host"; 134 } 135 136 # BGP peers 137 protocol bgp uplink0 { 138 description "BGP uplink 0"; 139 local {{ NODE_IP }} as {{ NODE_ASN }}; 140 neighbor {{ NEIGHBOR_0_IP }} as {{ NEIGHBOR_0_ASN }}; 141 password {{ NEIGHBOR_PWD }}; 142 143 ipv4 { 144 import filter {reject;}; 145 export filter {accept;}; 146 }; 147 } 148 149 protocol bgp uplink1 { 150 description "BGP uplink 1"; 151 local {{ NODE_IP }} as {{ NODE_ASN }}; 152 neighbor {{ NEIGHBOR_1_IP }} as {{ NEIGHBOR_1_ASN }}; 153 password {{ NEIGHBOR_PWD }}; 154 155 ipv4 { 156 import filter {reject;}; 157 export filter {accept;}; 158 }; 159 } 160 161 162 Save the above file as ``/etc/bird.conf``, and replace the placeholders with 163 your own: 164 165 .. code-block:: shell-session 166 167 sed -i 's/{{ NODE_IP }}/<your node ip>/g' /etc/bird.conf 168 sed -i 's/{{ POD_CIDR }}/<your pod cidr>/g' /etc/bird.conf 169 sed -i 's/{{ NODE_ASN }}/<your node asn>/g' /etc/bird.conf 170 sed -i 's/{{ NEIGHBOR_0_IP }}/<your neighbor 0 ip>/g' /etc/bird.conf 171 sed -i 's/{{ NEIGHBOR_1_IP }}/<your neighbor 1 ip>/g' /etc/bird.conf 172 sed -i 's/{{ NEIGHBOR_0_ASN }}/<your neighbor 0 asn>/g' /etc/bird.conf 173 sed -i 's/{{ NEIGHBOR_1_ASN }}/<your neighbor 1 asn>/g' /etc/bird.conf 174 sed -i 's/{{ NEIGHBOR_PWD }}/<your neighbor password>/g' /etc/bird.conf 175 176 Restart ``bird`` and check the logs: 177 178 .. code-block:: shell-session 179 180 $ systemctl restart bird 181 182 # check logs 183 $ journalctl -u bird 184 -- Logs begin at Sat 2020-02-22 16:11:44 CST, end at Mon 2020-02-24 18:58:35 CST. -- 185 Feb 24 18:58:24 node systemd[1]: Started BIRD Internet Routing Daemon. 186 Feb 24 18:58:24 node systemd[1]: Starting BIRD Internet Routing Daemon... 187 Feb 24 18:58:24 node bird[137410]: Started 188 189 Verify the changes, you should get something like this: 190 191 .. code-block:: shell-session 192 193 $ birdc show route 194 BIRD 2.0.6 ready. 195 Table master4: 196 10.5.48.0/24 unicast [static1 20:14:51.478] * (200) 197 dev cilium_host 198 199 This indicates that the PodCIDR ``10.5.48.0/24`` on this node has been 200 successfully imported into BIRD. 201 202 .. code-block:: shell-session 203 204 $ birdc show protocols all uplink0 | grep -A 3 -e "Description" -e "stats" 205 Description: BGP uplink 0 206 BGP state: Established 207 Neighbor address: 10.4.1.7 208 Neighbor AS: 65418 209 -- 210 Route change stats: received rejected filtered ignored accepted 211 Import updates: 0 0 0 0 0 212 Import withdraws: 10 0 --- 10 0 213 Export updates: 1 0 0 --- 1 214 215 Here we see that the uplink0 BGP session is established and our PodCIDR from 216 above has been exported and accepted by the BGP peer. 217 218 Monitoring 219 ############## 220 221 `bird_exporter <https://github.com/czerwonk/bird_exporter>`_ could collect bird 222 daemon states, and export Prometheus-style metrics. 223 224 It also provides a simple Grafana dashboard, but you could also create your 225 own, e.g. `Trip.com's <https://ctripcloud.github.io/cilium/network/2020/01/19/trip-first-step-towards-cloud-native-networking.html>`_ looks like this: 226 227 .. image:: images/bird_dashboard.png 228 229 Advanced Configurations 230 ####################### 231 232 You may need some advanced configurations to make your BGP scheme production-ready. 233 This section lists some of these parameters, but we will not dive into details, 234 that's BIRD `User's Guide`_'s responsibility. 235 236 BFD 237 ---- 238 239 `Bidirectional Forwarding Detection (BFD) 240 <https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-16/irg-xe-16-book/bgp-support-for-bfd.html>`_ 241 is a detection protocol designed to accelerate path failure detection. 242 243 **This feature also relies on peer side's configuration.** 244 245 :: 246 247 protocol bfd { 248 interface "{{ grains['node_mgnt_device'] }}" { 249 min rx interval 100 ms; 250 min tx interval 100 ms; 251 idle tx interval 300 ms; 252 multiplier 10; 253 password {{ NEIGHBOR_PWD }}; 254 }; 255 256 neighbor {{ NEIGHBOR_0_IP] }}; 257 neighbor {{ NEIGHBOR_1_IP] }}; 258 } 259 260 protocol bgp uplink0 { 261 ... 262 263 bfd on; 264 } 265 266 Verify, you should see something like this: 267 268 .. code-block:: shell-session 269 270 $ birdc show bfd sessions 271 BIRD 2.0.6 ready. 272 bfd1: 273 IP address Interface State Since Interval Timeout 274 10.5.40.2 bond0 Up 20:14:51.479 0.300 0.000 275 10.5.40.3 bond0 Up 20:14:51.479 0.300 0.000 276 277 ECMP 278 ------ 279 280 For some special purposes (e.g. L4LB), you may configure a same CIDR on multiple 281 nodes. In this case, you need to configure `Equal-Cost Multi-Path (ECMP) routing 282 <https://en.wikipedia.org/wiki/Equal-cost_multi-path_routing>`_. 283 284 **This feature also relies on peer side's configuration.** 285 286 :: 287 288 protocol kernel { 289 ipv4 { # Connect protocol to IPv4 table by channel 290 import none; # Import to table, default is import all 291 export none; # Export to protocol. default is export none 292 }; 293 294 # Configure ECMP 295 merge paths yes limit {{ N }} ; 296 } 297 298 See the user manual for more detailed information. 299 300 You need to check the ECMP correctness on physical network (Core router in the 301 above scenario): 302 303 .. code-block:: shell-session 304 305 CORE01# show ip route 10.5.2.0 306 IP Route Table for VRF "default" 307 '*' denotes best ucast next-hop 308 '**' denotes best mcast next-hop 309 '[x/y]' denotes [preference/metric] 310 '%<string>' in via output denotes VRF <string> 311 312 10.5.2.0/24, ubest/mbest: 2/0 313 *via 10.4.1.7, [200/0], 13w6d, bgp-65418, internal, tag 65418 314 *via 10.4.1.8, [200/0], 12w4d, bgp-65418, internal, tag 65418 315 316 Graceful restart 317 ---------------- 318 319 **This feature also relies on peer side's configuration.** 320 321 Add ``graceful restart`` to each ``bgp`` section: 322 323 :: 324 325 protocol bgp uplink0 { 326 ... 327 328 graceful restart; 329 }