Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug] VLAN is assigned to group Default netbox-ssot vlan group (scope: None); cannot also assign to site Foo. #358

Open
n-rodriguez opened this issue Nov 28, 2024 · 9 comments
Assignees
Labels
bug Something isn't working

Comments

@n-rodriguez
Copy link
Contributor

n-rodriguez commented Nov 28, 2024

Is this urgent?

Yes, it's critical

How are you running netbox-ssot?

From source (Go)

What is the version of netbox-ssot

Running version unknown built on unknown (commit unknown)

Which module has the issue?

General (not module-specific)

Share your configuration

---
logger:
  level: 3
  dest: ""

netbox:
  apiToken: "foo"
  hostname: "netbox.foo.corp"
  httpScheme: http
  port: 80
  timeout: 30
  sourcePriority: ["vcenter67.corp"]
  removeOrphans: false

source:
  - name: vcenter67.corp
    type: vmware
    hostname: vcenter67.corp
    username: [email protected]
    password: "password"
    clusterSiteRelations:
      - .* = Foo
    hostSiteRelations:
      - .* = Foo
    clusterTenantRelations:
      - .* = ACME
    hostTenantRelations:
      - .* = ACME
    vmTenantRelations:
      - .* = ACME

What is the problem?

VLAN is not created in Netbox.

Steps to reproduce

  1. run netbox-ssot -config ./config.yml

What did you expect to happen?

It should work

What actually happened?

nicolas@MacBook-Pro-de-Nicolas:~/go/src/github.com/n-rodriguez/netbox-ssot$ ./dist/dynamic_darwin_arm64_v8.0/netbox-ssot -config ./config.yml
Running version unknown built on unknown (commit unknown)

Netbox-SSOT has started at 2024-11-28T01:53:59+01:00
2024/11/28 01:54:13 ERROR   (main): unexpected status code: 400: {"__all__":["VLAN is assigned to group Default netbox-ssot vlan group (scope: None); cannot also assign to site Foo."]}: initVlans

Share DEBUG-level logs (remove sensitive information)

2024/11/28 02:46:36 add_items.go:714    DEBUG   (inventory): Vlan VM Network does not exist in Netbox. Creating it...
2024/11/28 02:46:36 rest.go:137         DEBUG   (inventory): Creating objects.Vlan with path /api/ipam/vlans/ with data: Vlan{ID: 96, Name: VM Network, Vid: 10, Status: active}
2024/11/28 02:46:36 main.go:69          ERROR   (main): unexpected status code: 400: {"__all__":["VLAN is assigned to group Default netbox-ssot vlan group (scope: None); cannot also assign to site Foo."]}: initVlans

Share your environment details

No response

@n-rodriguez
Copy link
Contributor Author

n-rodriguez commented Nov 28, 2024

Actually vlan should be scoped to site if site exists.

Example :

Vlan{ID: 90, Name: VM Network, Vid: 10, Status: active, Site: 13}
Vlan{ID: 96, Name: VM Network, Vid: 10, Status: active, Site: 14}

From netbox-sync : https://github.com/bb-Ricardo/netbox-sync/blob/main/module/sources/vmware/connection.py#L1868

@n-rodriguez
Copy link
Contributor Author

n-rodriguez commented Nov 28, 2024

@bb-Ricardo can you please confirm this is the current implementation in netbox-sync ? Thank you!

@n-rodriguez
Copy link
Contributor Author

It seems to come from here https://github.com/bl4ko/netbox-ssot/blob/main/internal/netbox/inventory/add_items.go#L695

IMHO AddVlan should be improved to take Site or Site.ID in consideration.

@bl4ko
Copy link
Owner

bl4ko commented Nov 28, 2024

Oh, I see this is a limitation on the netbox's side. If a vlan is assigned to vlangroup, and vlangroup is not assigned to a site, this vlan can't be assigned a site, because site isn't the same as vlangroup's one.

So I guess to implement this feature, I need to change the logic of assigning vlangroup to vlans. If vlan is a assigned a site than the vlangroup for this vlan should also be part of the site...

@bl4ko bl4ko self-assigned this Nov 28, 2024
@bl4ko bl4ko added the bug Something isn't working label Nov 28, 2024
@bb-Ricardo
Copy link

Hi,

indeed, the Interface, IP and VLAN syncing is not trivial for vCenter objects:

The logic is implemented here: https://github.com/bb-Ricardo/netbox-sync/blob/3c07a4c001443f50d95ae4668c931599e41efeae/module/sources/common/source_base.py#L234

this function is used on each interface of a Host or VM:

  • extract object site name and tenant
  • iterate over each discovered interface IP addresses
    • try to find prefix for IP in NetBox. site specific first, fall back to global prefix
    • if no prefix can be found, IP address can't be synced to NetBox
    • sanity check if defined prefix length for IP matches prefix length configured in NetBox
    • extract VRF data and tenant data from prefix if present
    • add prefix length to IP address if IP address was discovered without an prefix length
    • try to find the IP address object in NetBox
    • check if the possible prefix VRF matches the configured IP VRF (need to be the same)
    • check if the IP has been reassigned to different interface and/or device
      • check if current interface status is active or not
      • check if the discovery interface status is active or not
        • move ip from disabled to enabled interface
        • postpone reassignment of IP address if both interfaces are (at this state of sync) are enabled
    • based on config assign Host/VM tenant to IP address
    • assign discovered VRF to IP address
    • remove IP addresses/interface association if IP address is no longer assigned to any interface
  • iterate over all matching IP prefixes and try to find:
    • assigned VLAN from IP prefix for untagged interfaces
    • assigned VLANs from IP prefixes for tagged interfaces
  • iterate over all tagged and untagged VLANs discovered for the interface
    • try to find a matching site specific VLAN if prefix did not have VLAN assigned
    • try to find a matching global VLAN if prefix did not have VLAN assigned
    • check if VLAN should even be synced according to config
    • assign VLAN group according to config

This has been done to comply to the object relations and constrains within NetBox

@bb-Ricardo
Copy link

Oh, I see this is a limitation on the netbox's side. If a vlan is assigned to vlangroup, and vlangroup is not assigned to a site, this vlan can't be assigned a site, because site isn't the same as vlangroup's one.

So I guess to implement this feature, I need to change the logic of assigning vlangroup to vlans. If vlan is a assigned a site than the vlangroup for this vlan should also be part of the site...

Yes, the VLAN Group needs to be defined with the site constrain and matched accordingly.

To give the user the flexibility to configure this, these config options have been added:
https://github.com/bb-Ricardo/netbox-sync/blob/13685c5b6018ba032f770c0af9a8264985b16833/settings-example.ini#L326-L344

@bb-Ricardo
Copy link

bb-Ricardo commented Nov 28, 2024

And I forgot:

After all sources are synced, then the IP address assignment for active and non active interfaces are reevaluated and set accordingly.

Only after you have discovered all objects and interfaces you are able to tell for sure if an IP address has been moved from one object/interface to another. And if this was the primary IP then this primary IP has to be first removed from the object, then the IP needs to be assigned to the new object interface and then the primary can be defined to the newly assigned object.

Otherwise NetBox will complain all the time.

@bl4ko
Copy link
Owner

bl4ko commented Nov 28, 2024

Hi, thanks for all of the resources. I see this is a quite complex problem. And this logic must not only be implemented for vcenter, but also for other sources, so I will try to create common functions that can be shared. I will dive into it.

@bb-Ricardo
Copy link

Hi, thanks for all of the resources. I see this is a quite complex problem. And this logic must not only be implemented for vcenter, but also for other sources, so I will try to create common functions that can be shared. I will dive into it.

I know, this took a lot of iterations to get to this state (still believe it's missing some edge cases). I also moved this to the common source section as it is indeed, a common concept of assigning relations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

3 participants