From 52ce402803e8ed4e3ff1722c2c63ed58804207b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Petazzoni?=
Date: Tue, 12 Apr 2022 22:17:27 +0200
Subject: [PATCH] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20=20Switch=20to=20official?= =?UTF-8?q?=20FRR=20images;=20disable=20NHT?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We're now using an official image for FRR. Also, by default, BGPD will accept routes only if their next-hop is reachable. This relies on a mechanism called NHT (Next Hop Tracking). However, when we receive routes from Kubernetes clusters, the peers usually advertise addresses that we are not directly connected to. This causes these addresses to be filtered out (unless the route reflector is running on the same VPC or Layer 2 network as the Kubernetes nodes). To accept these routes anyway, we basically disable NHT, by considering that nodes are reachable if we can reach them through our default route.
---
 compose/frr-route-reflector/conf/zebra.conf | 1 +
 compose/frr-route-reflector/docker-compose.yaml | 16 +++++++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/compose/frr-route-reflector/conf/zebra.conf b/compose/frr-route-reflector/conf/zebra.conf
index 5926118a..78747c9a 100644
--- a/compose/frr-route-reflector/conf/zebra.conf
+++ b/compose/frr-route-reflector/conf/zebra.conf
@@ -1,2 +1,3 @@
 hostname frr
+ip nht resolve-via-default
 log stdout
diff --git a/compose/frr-route-reflector/docker-compose.yaml b/compose/frr-route-reflector/docker-compose.yaml
index a5d13b92..078d953d 100644
--- a/compose/frr-route-reflector/docker-compose.yaml
+++ b/compose/frr-route-reflector/docker-compose.yaml
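Review bot: The new `ip nht resolve-via-default` line in the zebra.conf hunk carries no explanation, so the reason for relaxing next-hop tracking lives only in the commit message and will be lost on the next edit of the config. I would add a comment above it, `! Let bgpd accept routes whose next hop is reachable only via the default route; without this, NHT drops routes learned from Kubernetes nodes outside our L2/VPC.` This is a global zebra setting, so it applies to every peer of the reflector: as the commit message says, any next hop now counts as reachable as long as a default route exists, which means route filtering rests entirely on the per-peer configuration in bgpd.conf — a file this patch does not touch and that is not visible here.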
@@ -2,30 +2,36 @@ version: "3"
 services:
 bgpd:
- image: ajones17/frr:662
+ image: frrouting/frr:v8.2.2
 volumes:
 - ./conf:/etc/frr
 - ./run:/var/run/frr
 network_mode: host
- entrypoint: /usr/lib/frr/bgpd -f /etc/frr/bgpd.conf --log=stdout --log-level=debug --no_kernel
+ cap_add:
+ - NET_ADMIN
+ - SYS_ADMIN
+ entrypoint: /usr/lib/frr/bgpd -f /etc/frr/bgpd.conf --log=stdout --log-level=debug --no_kernel --no_zebra
 restart: always
 zebra:
- image: ajones17/frr:662
+ image: frrouting/frr:v8.2.2
 volumes:
 - ./conf:/etc/frr
 - ./run:/var/run/frr
 network_mode: host
+ cap_add:
+ - NET_ADMIN
+ - SYS_ADMIN
 entrypoint: /usr/lib/frr/zebra -f /etc/frr/zebra.conf --log=stdout --log-level=debug
 restart: always
 vtysh:
- image: ajones17/frr:662
+ image: frrouting/frr:v8.2.2
 volumes:
 - ./conf:/etc/frr
 - ./run:/var/run/frr
 network_mode: host
- entrypoint: vtysh -c "show ip bgp"
+ entrypoint: vtysh
 chmod:
 image: alpine