Adds a wrapper script to run ovs-vsctl commands in the container

Libvirt needs to be able to plug ports into openvswitch bridges.
It does this using the ovs-vsctl command, which it searches for
in $PATH[1, 2]. This change will optionally install a wrapper
script that executes the ovs-vsctl commands in the context of the
openvswitchd container. This is useful when running libvirt on the
host whilst still running openvswitch in a container. The advantage
of this method over install the packages on the host is that it
ensures client compatability with the daemon. The default is set
to false as the wrapper could overwrite ovs-vsctl installed on the
host.

[1] ee51ab86c2/src/util/virnetdevopenvswitch.c (L59)
[2] a89b17c2a7/docs/kbase/internals/command.rst (id3)

Closes-Bug: #1995409
Change-Id: Iaa6bfb012ae847f5f6aa0a1fc1c27970ac265f93

ansible/roles/openvswitch/defaults/main.yml

@@ -96,6 +96,8 @@ openvswitch_extra_volumes: "{{ default_extra_volumes }}"
 openvswitch_db_extra_volumes: "{{ openvswitch_extra_volumes }}"
 openvswitch_vswitchd_extra_volumes: "{{ openvswitch_extra_volumes }}"
 
+openvswitch_ovs_vsctl_wrapper_enabled: false
+
 #############
 # OpenvSwitch
 #############

ansible/roles/openvswitch/tasks/config.yml

@@ -52,3 +52,16 @@
     - service.enabled | bool
   notify:
     - "Restart openvswitch-db-server container"
+
+- name: Copying over ovs-vsctl wrapper
+  vars:
+    service: "{{ openvswitch_services['openvswitch-vswitchd'] }}"
+  template:
+    src: "ovs-vsctl.j2"
+    dest: "/usr/bin/ovs-vsctl"
+    mode: "0755"
+  become: true
+  when:
+    - service.host_in_groups | bool
+    - service.enabled | bool
+    - openvswitch_ovs_vsctl_wrapper_enabled | bool

ansible/roles/openvswitch/templates/ovs-vsctl.j2

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+exec docker exec openvswitch_vswitchd ovs-vsctl "$@"

doc/source/reference/compute/libvirt-guide.rst

@@ -54,6 +54,23 @@ libvirt as a host daemon. However, since the Yoga release, if a libvirt daemon
 has already been set up, then Kolla Ansible may be configured to use it. This
 may be achieved by setting ``enable_nova_libvirt_container`` to ``false``.
 
+When the firewall driver is set to ``openvswitch``, libvirt will plug VMs
+directly into the integration bridge, ``br-int``. To do this it uses the
+``ovs-vsctl`` utility. The search path for this binary is controlled by the
+``$PATH`` environment variable (as seen by the libvirt process). There are a
+few options to ensure that this binary can be found:
+
+* Set ``openvswitch_ovs_vsctl_wrapper_enabled`` to ``True``. This will install
+  a wrapper script to the path: ``/usr/bin/ovs-vsctl`` that will execute
+  ``ovs-vsctl`` in the context of the ``openvswitch_vswitchd`` container. This
+  option is useful if you do not have openvswitch installed on the host. It
+  also has the advantage that the ``ovs-vsctl`` utility will match the version
+  of the server.
+
+* Install openvswitch on the hypervisor. Kolla mounts ``/run/openvswitch`` from
+  the host into the ``openvswitch_vswitchd`` container. This means that socket
+  is in the location ``ovs-vsctl`` expects with its default options.
+
 Migration from container to host
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

releasenotes/notes/adds-ovs-vsctl-wrapper-da3dbbb19d5cc6f5.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Adds a new flag, ``openvswitch_ovs_vsctl_wrapper_enabled`` which will
+    install a wrapper script to ``/usr/bin/ovs-vsctl`` to docker exec into
+    the openvswitchd container.