Infrastructure as code-oriented open source network appliance?

Deleted member 43669

Guest
Just for my curiosity...

In the past I used pfSense, and I liked it. But I was bitten by the infra-as-code bug, and so far I have not found anything like pfSense that can be automated well.

I've seen people use OpenWrt to do this, but it looks a bit bolted on top.

I'd really like something where I can feed an entire network configuration as a single JSON-like file, apply that, and move forward (and e.g. if I drop a part of the JSON file, the corresponding config is purged). Bonus points if one can define modules on top to make some configuration more declarative.

I could do this with any infra-as-code solution on a Linux or whatever box, but it would be highly manual (and if I do it, low quality).
 

spiralscratch

Ars Tribunus Militum
2,990
Subscriptor
I'm not too familiar with it, but VyOS maybe?

Automation-Friendly

Native Support for API (GraphQL), Configuration-Management / IaaC Tools (Ansible / salt / Netmiko / NAPALM / Terraform), Cloud-init (own config-modules), Containers and Scripting API for Shell and Python.

Not sure if it's possible to simply drop in a new config file, but I'm guessing probably yes as this can be done with EdgeOS (Ubiquiti) and they both share Vyatta as their origin.

However, it's just a router (and VPN endpoint). There are no other built-in services AFAICT like DNS/DHCP/etc. or plugins as with pfSense/OPNsense. Also, there's currently no GUI, in case that's a factor.
 
Deleted member 43669

Guest
Well, I dug a bit and it looks very good.

Although at first glance it looks stateful (all the set, set, set in the docs), it does have a global JSON-like configuration that I assume can be pushed wholesale. At least it supports cloud-init, so worst case I could redeploy on every config change.

It's a bunch of Python code rendering Jinja templates from that global configuration, so that should work pretty well.

It does have quite a few services (including DNS/DHCP :p). Interestingly, it can also run containers using Podman.

I think this would fit my bill, although my specific purpose right now was running a SOCKS proxy, which it does not have. However, it does have Squid, which I could live with. Adding a module for SOCKS doesn't look terribly daunting. However, I wasn't able to find quickly how to create plugins without modifying VyOS itself :(

Very nice!
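
The purge-on-removal behaviour asked for in the first post, sketched against the set/delete command style mentioned above. This is an added example, not part of the thread and not VyOS's own tooling; the function names, the dict layout, the sample data and the shell-style quoting of values are assumptions.

```python
import shlex

def flatten(tree, prefix=()):
    """Yield one tuple of path tokens per leaf of a nested config dict."""
    for key, value in tree.items():
        path = prefix + (str(key),)
        if isinstance(value, dict):
            if value:
                yield from flatten(value, path)
            else:
                yield path                      # valueless node
        elif isinstance(value, list):
            for item in value:                  # multi-value node
                yield path + (str(item),)
        else:
            yield path + (str(value),)

def plan(running, desired):
    """Return the commands that turn `running` into `desired`, deletes first."""
    have, want = set(flatten(running)), set(flatten(desired))
    wanted = {p[:i] for p in want for i in range(1, len(p) + 1)}
    deletes = set()
    for path in have - want:
        # Prune at the highest node the desired file no longer mentions,
        # so a dropped subtree is removed whole instead of leaf by leaf.
        cut = next((i for i in range(1, len(path) + 1)
                    if path[:i] not in wanted), None)
        if cut is not None:
            deletes.add(path[:cut])
    render = lambda verb, p: verb + " " + " ".join(shlex.quote(t) for t in p)
    return ([render("delete", p) for p in sorted(deletes)]
            + [render("set", p) for p in sorted(want - have)])

# Constructed sample data (documentation address ranges), not from the thread.
RUNNING = {
    "interfaces": {"ethernet": {
        "eth0": {"address": ["192.0.2.1/24"]},
        "eth1": {"address": ["198.51.100.1/24"], "description": "old lab uplink"}}},
    "service": {"ssh": {"port": "22"}},
    "system": {"host-name": "gw-old"},
}
DESIRED = {
    "interfaces": {"ethernet": {
        "eth0": {"address": ["192.0.2.1/24", "192.0.2.2/24"]}}},
    "service": {"ssh": {"port": "22"}},
    "system": {"host-name": "gw1"},
}

if __name__ == "__main__":
    print("\n".join(plan(RUNNING, DESIRED)))
```

An empty plan on a second run against the same desired file is the check that nothing stale, such as a forgotten interface or service, is left on the box.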
 
I see this from a different angle, working mostly in enterprise switching.

I feel like a lot of the higher-end open source networking stuff basically became Google/Yahoo/AWS/Azure custom products, and everything not related to that high-speed switching use model had a limited market.


Once you get to the enterprise side of the market, sure you can push JSON configs and use REST and do it all from Ansible, but it's still a mostly proprietary NOS underneath.