metal-stack / metal-images

CI-Builds for the metal-stack OS images
MIT License

On the firewall the metal user is not allowed to execute from a vrf #45

Open majst01 opened 4 years ago

majst01 commented 4 years ago

On the firewall, doing something like this:

ip vrf exec vrf64 bash
mkdir failed for /sys/fs/cgroup/unified/user.slice/user-1000.slice/session-20.scope/vrf: Permission denied
Failed to setup vrf cgroup2 directory

Does not work. This is related to unified hierarchies from cgroup2 as described:

A proposed solution seems to be to change the kernel cmdline to have systemd.legacy_systemd_cgroup_controller=1 set:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash ...more... systemd.legacy_systemd_cgroup_controller=1"

If this works, https://github.com/fi-ts/cloudctl/pull/8 will be able to make an ssh session to a machine through the firewall, once the metal user is able to load the required bpf program loaded by ip.
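The mkdir failure above comes from `ip vrf exec` having to create a directory below the caller's own cgroup2 path, which the unprivileged metal user cannot write. As an added diagnostic (not code from this issue or from metal-images), the script below derives that target directory from `/proc/mounts` and `/proc/self/cgroup` and checks the kernel cmdline for the proposed workaround flag; it assumes the per-VRF subdirectory is named after the VRF, and the sample data at the bottom is constructed to reproduce the hybrid hierarchy in the report.

```shell
#!/bin/sh
# Added diagnostic, not part of metal-images. Predicts where `ip vrf exec`
# would mkdir its per-VRF cgroup2 directory (assumed layout, matching the
# parent path in the error above: <cgroup2 mount><own cgroup>/vrf/<vrf name>).
# Functions take file contents as arguments so they can be exercised offline.

# cgroup2_mount MOUNTS: mountpoint whose fstype is cgroup2 (field 3 of /proc/mounts).
cgroup2_mount() {
    printf '%s\n' "$1" | awk '$3 == "cgroup2" { print $2; exit }'
}

# own_cgroup CGROUP: unified-hierarchy path of the caller, the "0::" line of /proc/self/cgroup.
own_cgroup() {
    printf '%s\n' "$1" | sed -n 's/^0::\(.*\)$/\1/p'
}

# vrf_cgroup_dir MOUNTS CGROUP VRF: directory the mkdir in `ip vrf exec` targets.
vrf_cgroup_dir() {
    mnt=$(cgroup2_mount "$1")
    path=$(own_cgroup "$2")
    [ -n "$mnt" ] && [ -n "$path" ] || return 1
    printf '%s%s/vrf/%s\n' "$mnt" "$path" "$3"
}

# legacy_controller_enabled CMDLINE: true when the workaround flag from the issue is set.
legacy_controller_enabled() {
    case " $1 " in
        *" systemd.legacy_systemd_cgroup_controller=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# diagnose VRF: run the checks against the live host (needs /proc and /sys).
diagnose() {
    dir=$(vrf_cgroup_dir "$(cat /proc/mounts)" "$(cat /proc/self/cgroup)" "$1") \
        || { echo "no cgroup2 hierarchy visible; ip vrf exec cannot work here"; return 1; }
    parent=${dir%/vrf/*}
    if [ -w "$parent" ]; then echo "ok: $(id -un) can create $dir"
    else echo "blocked: $(id -un) cannot write $parent (owner: $(stat -c %U "$parent"))"; fi
    if legacy_controller_enabled "$(cat /proc/cmdline)"; then echo "legacy cgroup controller: on"
    else echo "legacy cgroup controller: off"; fi
}

# Constructed sample data reproducing the hybrid hierarchy from the report above.
SAMPLE_MOUNTS='cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/pids cgroup rw,nosuid,nodev,noexec,relatime,pids 0 0'
SAMPLE_CGROUP='12:pids:/user.slice/user-1000.slice/session-20.scope
0::/user.slice/user-1000.slice/session-20.scope'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz quiet splash'
```

Running `diagnose vrf64` as the metal user on the firewall shows which of the two conditions (unwritable session scope directory, workaround flag absent) applies on that host.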

mwindower commented 4 years ago

I would propose another option to solve the "ssh to machine" problem.

We could import the tenant VRF to the default VRF only locally on the firewall.

So there would be no need to change the VRF to access the tenant VRF.

majst01 commented 4 years ago

If this does not break the existing networking, this would be great. It would also solve a problem I actually see with the evebox event forwarding which can potentially be towards internet or the tenant vrf.

mwindower commented 4 years ago

It's currently active on gerrit's test cluster in fra.

majst01 commented 4 years ago

Great, so I can test with the machine access.