4 files changed, 152 insertions, 21 deletions

diff --git a/src/conf_mode/high-availability.py b/src/conf_mode/high-availability.py
index e18b426b1..2b1cdbd23 100755
--- a/src/conf_mode/high-availability.py
+++ b/src/conf_mode/high-availability.py
@@ -175,6 +175,11 @@ def verify(ha):
     # Virtual-server
     if 'virtual_server' in ha:
         for vs, vs_config in ha['virtual_server'].items():
+
+            if 'address' not in vs_config and 'fwmark' not in vs_config:
+                raise ConfigError('Either address or fwmark is required '
+                                  f'but not set for virtual-server "{vs}"')
+
             if 'port' not in vs_config and 'fwmark' not in vs_config:
                 raise ConfigError(f'Port or fwmark is required but not set for virtual-server "{vs}"')
             if 'port' in vs_config and 'fwmark' in vs_config:
diff --git a/src/conf_mode/service_config_sync.py b/src/conf_mode/service_config_sync.py
new file mode 100755
index 000000000..5cde735a1
--- /dev/null
+++ b/src/conf_mode/service_config_sync.py
@@ -0,0 +1,111 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import json
+from pathlib import Path
+
+from vyos.config import Config
+from vyos.configdict import dict_merge
+from vyos.xml import defaults
+from vyos import ConfigError
+from vyos import airbag
+
+airbag.enable()
+
+
+service_conf = Path(f'/run/config_sync_conf.conf')
+post_commit_dir = '/run/scripts/commit/post-hooks.d'
+post_commit_file_src = '/usr/libexec/vyos/vyos_config_sync.py'
+post_commit_file = f'{post_commit_dir}/vyos_config_sync'
+
+
+def get_config(config=None):
+    if config:
+        conf = config
+    else:
+        conf = Config()
+
+    base = ['service', 'config-sync']
+    if not conf.exists(base):
+        return None
+    config = conf.get_config_dict(base,
+                                  get_first_key=True,
+                                  no_tag_node_value_mangle=True)
+
+    default_values = defaults(base)
+    config = dict_merge(default_values, config)
+
+    return config
+
+
+def verify(config):
+    # bail out early - looks like removal from running config
+    if not config:
+        return None
+
+    if 'mode' not in config:
+        raise ConfigError(f'config-sync mode is mandatory!')
+
+    for option in ['secondary', 'section']:
+        if option not in config:
+            raise ConfigError(f"config-sync '{option}' is not configured!")
+
+    if 'address' not in config['secondary']:
+        raise ConfigError(f'secondary address is mandatory!')
+    if 'key' not in config['secondary']:
+        raise ConfigError(f'secondary key is mandatory!')
+
+
+def generate(config):
+    if not config:
+
+        if os.path.exists(post_commit_file):
+            os.unlink(post_commit_file)
+
+        if service_conf.exists():
+            service_conf.unlink()
+
+        return None
+
+    # Write configuration file
+    conf_json = json.dumps(config, indent=4)
+    service_conf.write_text(conf_json)
+
+    # Create post commit dir
+    if not os.path.isdir(post_commit_dir):
+        os.makedirs(post_commit_dir)
+
+    # Symlink from helpers to post-commit
+    if not os.path.exists(post_commit_file):
+        os.symlink(post_commit_file_src, post_commit_file)
+
+    return None
+
+
+def apply(config):
+    return None
+
+
+if __name__ == '__main__':
+    try:
+        c = get_config()
+        verify(c)
+        generate(c)
+        apply(c)
+    except ConfigError as e:
+        print(e)
+        exit(1)
diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py
index 9b7c04eb0..f4611e15e 100755
--- a/src/conf_mode/snmp.py
+++ b/src/conf_mode/snmp.py
@@ -161,8 +161,12 @@ def verify(snmp):
         for address in snmp['listen_address']:
             # We only wan't to configure addresses that exist on the system.
             # Hint the user if they don't exist
-            if not is_addr_assigned(address):
-                Warning(f'SNMP listen address "{address}" not configured!')
+            if 'vrf' in snmp:
+                vrf_name = snmp['vrf']
+                if not is_addr_assigned(address, vrf_name) and address not in ['::1','127.0.0.1']:
+                    raise ConfigError(f'SNMP listen address "{address}" not configured in vrf "{vrf_name}"!')
+            elif not is_addr_assigned(address):
+                raise ConfigError(f'SNMP listen address "{address}" not configured in default vrf!')
 
     if 'trap_target' in snmp:
         for trap, trap_config in snmp['trap_target'].items():
diff --git a/src/conf_mode/vpp.py b/src/conf_mode/vpp.py
index dc13f4e60..87ebc3ea9 100755
--- a/src/conf_mode/vpp.py
+++ b/src/conf_mode/vpp.py
@@ -15,7 +15,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import os
-import psutil
+from psutil import virtual_memory
 
 from pathlib import Path
 from re import search as re_search, MULTILINE as re_M
@@ -26,6 +26,7 @@ from vyos.configdict import dict_merge
 from vyos.configdict import node_changed
 from vyos.ifconfig import Section
 from vyos.util import call, rc_cmd, boot_configuration_complete
+from vyos.utils.system import sysctl_read, sysctl_apply
 from vyos.template import render
 from vyos.xml import defaults
 
@@ -39,10 +40,10 @@ airbag.enable()
 service_name = 'vpp'
 service_conf = Path(f'/run/vpp/{service_name}.conf')
 systemd_override = '/run/systemd/system/vpp.service.d/10-override.conf'
-sysctl_vpp = '/etc/sysctl.d/80-vpp.conf'
 
-# Min memory 6GB (2GB reserved for vpp)
-MIN_TOTAL_MEMORY = 6
+# Free memory required for VPP
+# 2 GB for hugepages + 1 GB for other services
+MIN_AVAILABLE_MEMORY: int = 3 * 1024**3
 
 
 def _get_pci_address_by_interface(iface) -> str:
@@ -64,7 +65,6 @@ def _get_pci_address_by_interface(iface) -> str:
     raise ConfigError(f'Cannot find PCI address for interface {iface}')
 
 
-
 def get_config(config=None):
     if config:
         conf = config
@@ -131,32 +131,45 @@ def verify(config):
         return None
 
     if 'interface' not in config:
-        raise ConfigError(f'"interface" is required but not set!')
+        raise ConfigError('"interface" is required but not set!')
 
     if 'cpu' in config:
-        if 'corelist_workers' in config['cpu'] and 'main_core' not in config['cpu']:
-            raise ConfigError(f'"cpu main-core" is required but not set!')
+        if 'corelist_workers' in config['cpu'] and 'main_core' not in config[
+                'cpu']:
+            raise ConfigError('"cpu main-core" is required but not set!')
 
-    memory = psutil.virtual_memory()
-    memory_total = round(memory.total / (1024 ** 3), 2)
-    if memory_total < MIN_TOTAL_MEMORY:
+    memory_available: int = virtual_memory().available
+    if memory_available < MIN_AVAILABLE_MEMORY:
         raise ConfigError(
-            f'Not enough installed memory {memory_total}GB! '
-            f'The minimum required memory is {MIN_TOTAL_MEMORY}GB.'
-        )
+            'Not enough free memory to start VPP:\n'
+            f'available: {round(memory_available / 1024**3, 1)}GB\n'
+            f'required: {round(MIN_AVAILABLE_MEMORY / 1024**3, 1)}GB')
 
 
 def generate(config):
     if not config or (len(config) == 1 and 'removed_ifaces' in config):
         # Remove old config and return
         service_conf.unlink(missing_ok=True)
-        if os.path.isfile(sysctl_vpp):
-            os.unlink(sysctl_vpp)
         return None
 
     render(service_conf, 'vpp/startup.conf.j2', config)
     render(systemd_override, 'vpp/override.conf.j2', config)
-    render(sysctl_vpp, 'vpp/sysctl.conf.j2', config)
+
+    # apply default sysctl values from
+    # https://github.com/FDio/vpp/blob/v23.06/src/vpp/conf/80-vpp.conf
+    sysctl_config: dict[str, str] = {
+        'vm.nr_hugepages': '1024',
+        'vm.max_map_count': '3096',
+        'vm.hugetlb_shm_group': '0',
+        'kernel.shmmax': '2147483648'
+    }
+    # we do not want to reduce `kernel.shmmax`
+    kernel_shmnax_current: str = sysctl_read('kernel.shmmax')
+    if int(kernel_shmnax_current) > int(sysctl_config['kernel.shmmax']):
+        sysctl_config['kernel.shmmax'] = kernel_shmnax_current
+
+    if not sysctl_apply(sysctl_config):
+        raise ConfigError('Cannot configure sysctl parameters for VPP')
 
     return None
 
@@ -168,8 +181,6 @@ def apply(config):
         call('systemctl daemon-reload')
         call(f'systemctl restart {service_name}.service')
 
-    call(f'sysctl -qp {sysctl_vpp}')
-
     # Initialize interfaces removed from VPP
     for iface in config.get('removed_ifaces', []):
         host_control = HostControl()