PVE SAM Redundancy Live Evidence
Date: 2026-06-29
Branch/build: codex/dynamic-rr-leaf-enrollment, commit 63f0cb53.
Result: PASS.
This records the PVE-only cloud-SAM redundancy live test that preceded the full cloud plus on-prem test. Raw logs are intentionally kept outside the repository; this file records stable paths, checksum, and the key outcome.
Topology
- RR set:
routerd-samred-rr-1,routerd-samred-rr-2. - VLAN 999 site:
routerd-samred-leaf-a,routerd-samred-leaf-b,routerd-samred-client-999. - VLAN 998 site:
routerd-samred-leaf-c,routerd-samred-leaf-d,routerd-samred-client-998. - PVE host:
pve07. - Transport tested: FOU over private underlay,
encryption: none.
Assertions
- RR base configs contained no static
SAMEnrollmentClaimresources and no per-leafBGPPeerresources. - Leaves submitted enrollment claims at runtime and fetched the authorized RRSet.
- Both RRs discovered four dynamic BGP peers via
BGPDynamicPeer/samred-leaves. - Each leaf established BGP to both RRs and installed remote /32 routes.
client-999andclient-998passed bidirectional ping and SSH across the dynamically enrolled SAM fabric.
Evidence Bundle
- Raw run directory:
/tmp/routerd-samred-20260629T035652Z. - Preserved copy:
/tmp/routerd-samred-preserved-20260629T050450Z. - Tarball:
/tmp/routerd-samred-20260629T035652Z.tar.gz. - Tarball SHA256:
77277d94e9c1b097ff0e9b7158b1cdeed772b27300c3a7c58bc007db9c1c92f4. - Key excerpts:
/tmp/routerd-samred-20260629T035652Z/evidence/client-ping-ssh-final.txt/tmp/routerd-samred-20260629T035652Z/evidence/final-routerd-status.txt
HTTP Control API Note
routerd serve --http-listen exposes the mutation/control API over TCP. It is
for controlled management or private underlay networks only, and must be bound
only to protected addresses or shielded by equivalent network policy. It is not
an Internet-safe listener.