This repository has been archived by the owner on Feb 29, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 180
/
neutron-l3-container-puppet.yaml
397 lines (387 loc) · 15.9 KB
/
neutron-l3-container-puppet.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
heat_template_version: rocky
description: >
OpenStack containerized Neutron L3 agent
parameters:
DockerNeutronL3AgentImage:
description: image
type: string
DockerNeutronConfigImage:
description: The container image to use for the neutron config_volume
type: string
DockerNeutronL3AgentUlimit:
default: ['nofile=1024']
description: ulimit for Neutron L3 Agent Container
type: comma_delimited_list
NeutronL3AgentLoggingSource:
type: json
default:
tag: openstack.neutron.agent.l3
path: /var/log/containers/neutron/l3-agent.log
NeutronEnableKeepalivedWrapper:
description: Generate a wrapper script so neutron launches keepalived processes in a
separate container.
type: boolean
default: true
NeutronEnableHaproxyDockerWrapper:
description: Generate a wrapper script so neutron launches haproxy in a separate container.
type: boolean
default: true
NeutronEnableDibblerDockerWrapper:
description: Generate a wrapper script so neutron launches the dibbler client in a separate
container.
type: boolean
default: true
NeutronEnableRadvdDockerWrapper:
description: Generate a wrapper script so neutron launches radvd in a separate container. Note
that is currently disabled by default pending availability of a fix to radvd
(see https://bugzilla.redhat.com/show_bug.cgi?id=1564391). It will be enabled by default
once the fix to radvd is generally available across target distributions.
type: boolean
default: false
Debug:
type: boolean
default: false
description: Set to True to enable debugging on all services.
NeutronWrapperDebug:
type: boolean
default: false
description: Controls debugging for the wrapper scripts.
ContainerCli:
type: string
default: 'podman'
description: CLI tool used to manage containers.
constraints:
- allowed_values: ['docker', 'podman']
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
RpcPort:
default: 5672
description: The network port for messaging backend
type: number
NeutronL3AgentMode:
description: |
Agent mode for L3 agent. Must be one of legacy or dvr_snat.
default: 'legacy'
type: string
constraints:
- allowed_values:
- legacy
- dvr_snat
- dvr
tags:
- role_specific
MonitoringSubscriptionNeutronL3:
default: 'overcloud-neutron-l3-agent'
type: string
NeutronL3AgentDebug:
default: ''
description: Set to True to enable debugging for Neutron L3 agent.
type: string
constraints:
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
# DEPRECATED: the following options are deprecated and are currently maintained
# for backwards compatibility. They will be removed in the Pike cycle.
NeutronExternalNetworkBridge:
description: Name of bridge used for external network traffic. Usually L2
agent handles port wiring into external bridge, and hence the
parameter should be unset.
type: string
default: ''
conditions:
keepalived_wrapper_enabled: {equals: [{get_param: NeutronEnableKeepalivedWrapper}, true]}
haproxy_wrapper_enabled: {equals: [{get_param: NeutronEnableHaproxyDockerWrapper}, true]}
dibbler_wrapper_enabled: {equals: [{get_param: NeutronEnableDibblerDockerWrapper}, true]}
radvd_wrapper_enabled: {equals: [{get_param: NeutronEnableRadvdDockerWrapper}, true]}
docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']}
service_debug_unset: {equals : [{get_param: NeutronWrapperDebug}, false]}
external_network_bridge_empty: {equals : [{get_param: NeutronExternalNetworkBridge}, "''"]}
resources:
ContainersCommon:
type: ../../docker/services/containers-common.yaml
NeutronBase:
type: ../../puppet/services/neutron-base.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
# Merging role-specific parameters (RoleParameters) with the default parameters.
# RoleParameters will have the precedence over the default parameters.
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- neutron::agents::l3::agent_mode: NeutronL3AgentMode
- values: {get_param: [RoleParameters]}
- values:
NeutronL3AgentMode: {get_param: NeutronL3AgentMode}
NeutronLogging:
type: OS::TripleO::Services::Logging::NeutronCommon
properties:
NeutronServiceName: l3-agent
outputs:
role_data:
description: Role data for Neutron L3 agent
value:
service_name: neutron_l3
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronL3}
config_settings:
map_merge:
- get_attr: [NeutronBase, role_data, config_settings]
- get_attr: [RoleParametersValue, value]
- get_attr: [NeutronLogging, config_settings]
- tripleo::profile::base::neutron::l3_agent_wrappers::enable_keepalived_wrapper: {get_param: NeutronEnableKeepalivedWrapper}
tripleo::profile::base::neutron::l3_agent_wrappers::keepalived_process_wrapper: '/var/lib/neutron/keepalived_wrapper'
# TODO(beagles): this can be removed after a cleanup of the related puppet-tripleo code.
tripleo::profile::base::neutron::l3_agent_wrappers::keepalived_state_change_wrapper: '/var/lib/neutron/keepalived_state_change_wrapper'
tripleo::profile::base::neutron::l3_agent_wrappers::keepalived_image: {get_param: DockerNeutronL3AgentImage}
tripleo::profile::base::neutron::l3_agent_wrappers::enable_haproxy_wrapper: {get_param: NeutronEnableHaproxyDockerWrapper}
tripleo::profile::base::neutron::l3_agent_wrappers::haproxy_process_wrapper: '/var/lib/neutron/l3_haproxy_wrapper'
tripleo::profile::base::neutron::l3_agent_wrappers::haproxy_image: {get_param: DockerNeutronL3AgentImage}
tripleo::profile::base::neutron::l3_agent_wrappers::enable_dibbler_wrapper: {get_param: NeutronEnableDibblerDockerWrapper}
tripleo::profile::base::neutron::l3_agent_wrappers::dibbler_process_wrapper: '/var/lib/neutron/dibbler_wrapper'
tripleo::profile::base::neutron::l3_agent_wrappers::dibbler_image: {get_param: DockerNeutronL3AgentImage}
tripleo::profile::base::neutron::l3_agent_wrappers::enable_radvd_wrapper: {get_param: NeutronEnableRadvdDockerWrapper}
tripleo::profile::base::neutron::l3_agent_wrappers::radvd_process_wrapper: '/var/lib/neutron/radvd_wrapper'
tripleo::profile::base::neutron::l3_agent_wrappers::radvd_image: {get_param: DockerNeutronL3AgentImage}
tripleo::profile::base::neutron::l3_agent_wrappers::debug:
if:
- service_debug_unset
- {get_param: Debug }
- {get_param: NeutronWrapperDebug}
tripleo::profile::base::neutron::container_cli: {get_param: ContainerCli}
- neutron::agents::l3::debug:
if:
- service_debug_unset
- {get_param: Debug}
- {get_param: NeutronL3AgentDebug}
tripleo::neutron_l3::firewall_rules:
'106 neutron_l3 vrrp':
proto: vrrp
-
if:
- external_network_bridge_empty
- {}
- neutron::agents::l3::external_network_bridge: {get_param: NeutronExternalNetworkBridge}
service_config_settings:
map_merge:
- get_attr: [NeutronBase, role_data, service_config_settings]
- fluentd:
tripleo_fluentd_groups_neutron_l3:
- neutron
tripleo_fluentd_sources_neutron_l3:
- {get_param: NeutronL3AgentLoggingSource}
puppet_config:
puppet_tags: neutron_config,neutron_l3_agent_config
config_volume: neutron
step_config: |
include tripleo::profile::base::neutron::l3
config_image: {get_param: DockerNeutronConfigImage}
kolla_config:
/var/lib/kolla/config_files/neutron_l3_agent.json:
command:
list_join:
- ' '
- - /usr/bin/neutron-l3-agent --config-file /usr/share/neutron/neutron-dist.conf --config-dir /usr/share/neutron/l3_agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/l3_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-l3-agent
- get_attr: [NeutronLogging, cmd_extra_args]
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/neutron
owner: neutron:neutron
recurse: true
- path: /var/lib/neutron
owner: neutron:neutron
recurse: true
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
docker_config:
step_2:
create_keepalived_wrapper:
start_order: 1
detach: false
net: host
pid: host
user: root
command: # '/container_puppet_apply.sh "STEP" "TAGS" "CONFIG" "DEBUG"'
list_concat:
-
- '/container_puppet_apply.sh'
- '4'
- 'file'
- 'include ::tripleo::profile::base::neutron::l3_agent_wrappers'
image: {get_param: DockerNeutronL3AgentImage}
volumes:
list_concat:
- {get_attr: [ContainersCommon, container_puppet_apply_volumes]}
-
- /run/openvswitch:/run/openvswitch:shared,z
- /var/lib/neutron:/var/lib/neutron:shared,z
step_4:
neutron_l3_agent:
start_order: 10
image: {get_param: DockerNeutronL3AgentImage}
net: host
pid: host
privileged: true
restart: always
depends_on:
- openvswitch
healthcheck:
test:
list_join:
- ' '
- - '/openstack/healthcheck'
- yaql:
expression: str($.data.port)
data:
port: {get_param: RpcPort}
ulimit: {get_param: DockerNeutronL3AgentUlimit}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NeutronLogging, volumes]}
-
- /var/lib/kolla/config_files/neutron_l3_agent.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro
- /lib/modules:/lib/modules:ro
- /run/openvswitch:/run/openvswitch:shared,z
- /var/lib/neutron:/var/lib/neutron:shared,z
- /run/netns:/run/netns:shared
-
if:
- docker_enabled
- - /var/lib/openstack:/var/lib/openstack
- null
-
if:
- keepalived_wrapper_enabled
- - /var/lib/neutron/keepalived_wrapper:/usr/local/bin/keepalived:ro
- null
-
if:
- haproxy_wrapper_enabled
- - /var/lib/neutron/l3_haproxy_wrapper:/usr/local/bin/haproxy:ro
- null
-
if:
- radvd_wrapper_enabled
- - /var/lib/neutron/radvd_wrapper:/usr/local/bin/radvd:ro
- null
-
if:
- dibbler_wrapper_enabled
- - /var/lib/neutron/dibbler_wrapper:/usr/local/bin/dibbler_client:ro
- null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
metadata_settings:
get_attr: [NeutronBase, role_data, metadata_settings]
host_prep_tasks:
list_concat:
- {get_attr: [NeutronLogging, host_prep_tasks]}
- - name: create /run/netns with temp namespace
command: ip netns add ns_temp
register: ipnetns_add_result
ignore_errors: True
- - name: remove temp namespace
command: ip netns delete ns_temp
ignore_errors: True
when: ipnetns_add_result.rc == 0
- - name: create /var/lib/neutron
file:
path: /var/lib/neutron
state: directory
setype: svirt_sandbox_file_t
- - name: enable virt_sandbox_use_netlink for healtcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
upgrade_tasks: []
fast_forward_upgrade_tasks:
- when:
- step|int == 0
- release == 'ocata'
block:
- name: Check if neutron_l3_agent is deployed
command: systemctl is-enabled --quiet neutron-l3-agent
ignore_errors: True
register: neutron_l3_agent_enabled_result
- name: Set fact neutron_l3_agent_enabled
set_fact:
neutron_l3_agent_enabled: "{{ neutron_l3_agent_enabled_result.rc == 0 }}"
- name: Stop neutron_l3_agent
service: name=neutron-l3-agent state=stopped enabled=no
when:
- step|int == 1
- release == 'ocata'
- neutron_l3_agent_enabled|bool
post_upgrade_tasks:
- when: step|int == 1
import_role:
name: tripleo-docker-rm
vars:
containers_to_rm:
- neutron_l3_agent
- name: Check for neutron user
getent:
database: passwd
key: neutron
ignore_errors: True
- name: Set neutron_user_avail
set_fact:
neutron_user_avail: "{{ getent_passwd is defined }}"
- when:
- step|int == 2
- neutron_user_avail|bool
block:
- name: Ensure r/w access for existing files after upgrade
become: true
shell: |
umask 0002
setfacl -d -R -m u:neutron:rwx /var/lib/neutron
setfacl -R -m u:neutron:rw /var/lib/neutron
find /var/lib/neutron -type d -exec setfacl -m u:neutron:rwx '{}' \;
- name: Provide access to domain sockets
become: true
shell: |
umask 0002
setfacl -m u:neutron:rwx "{{ item }}"
with_items:
- /var/lib/neutron/metadata_proxy
- /var/lib/neutron/keepalived-state-change
- /var/lib/neutron
# These files are not necessarily present
ignore_errors: True