156 lines
5.6 KiB
YAML
156 lines
5.6 KiB
YAML
---
|
|
- hosts: all
|
|
any_errors_fatal: true
|
|
vars:
|
|
logs_dir: "/tmp/logs"
|
|
roles:
|
|
- bindep
|
|
- multi-node-firewall
|
|
tasks:
|
|
# We have had cases where the nodepool private IP address is not assigned,
|
|
# which causes hard to diagnose errors later on. Catch it early.
|
|
- name: Assert that the nodepool private IPv4 address is assigned
|
|
assert:
|
|
that: nodepool.private_ipv4 in ansible_all_ipv4_addresses
|
|
fail_msg: >-
|
|
The nodepool private IP address {{ nodepool.private_ipv4 }} is not assigned
|
|
|
|
- name: Install dbus for debian system
|
|
apt: name=dbus
|
|
when:
|
|
- ansible_os_family == 'Debian'
|
|
become: true
|
|
|
|
- name: Ensure /tmp/logs/ dir
|
|
file:
|
|
path: "{{ logs_dir }}"
|
|
state: "directory"
|
|
|
|
- name: Ensure node directories
|
|
file:
|
|
path: "{{ logs_dir }}/{{ item }}"
|
|
state: "directory"
|
|
mode: 0777
|
|
with_items:
|
|
- "docker_logs"
|
|
- "kolla_configs"
|
|
- "system_logs"
|
|
- "kolla"
|
|
- "ansible"
|
|
|
|
- name: set new hostname based on ansible inventory file
|
|
hostname:
|
|
name: "{{ inventory_hostname }}"
|
|
become: true
|
|
|
|
# NOTE(yoctozepto): start VXLAN interface config
|
|
|
|
- name: Set VXLAN interface facts
|
|
set_fact:
|
|
api_interface_address: "{{ api_network_prefix }}{{ groups['all'].index(inventory_hostname) + 1 }}"
|
|
api_interface_tunnel_vni: 10001
|
|
tunnel_local_address: "{{ nodepool.private_ipv4 }}"
|
|
|
|
# NOTE(yoctozepto): CI VXLAN must use a different port than neutron-openvswitch-agent
|
|
# which defaults to 4789 (the default is used in CI)
|
|
# hence using port 4790
|
|
- name: Create VXLAN interface
|
|
become: true
|
|
command: ip link add {{ api_interface_name }} type vxlan id {{ api_interface_tunnel_vni }} local {{ tunnel_local_address }} dstport 4790
|
|
|
|
- name: Set VXLAN interface MTU
|
|
become: true
|
|
vars:
|
|
# Find the parent interface
|
|
parent_interface: >-
|
|
{{ ansible_interfaces |
|
|
map('extract', ansible_facts) |
|
|
selectattr('ipv4.address', 'defined') |
|
|
selectattr('ipv4.address', 'equalto', tunnel_local_address) |
|
|
first }}
|
|
# Allow 50 bytes overhead for VXLAN headers.
|
|
mtu: "{{ parent_interface.mtu | int - 50 }}"
|
|
command: ip link set {{ api_interface_name }} mtu {{ mtu }}
|
|
|
|
# emulate BUM by multiplicating traffic to unicast targets
|
|
- name: Add fdb entries for BUM traffic
|
|
become: true
|
|
vars:
|
|
dest_ip: "{{ hostvars[item].tunnel_local_address }}"
|
|
command: bridge fdb append 00:00:00:00:00:00 dev {{ api_interface_name }} dst {{ dest_ip }}
|
|
with_inventory_hostnames: all
|
|
when: item != inventory_hostname
|
|
|
|
- name: Add IPv4 address for VXLAN network
|
|
become: true
|
|
vars:
|
|
api_network_cidr: "{{ api_interface_address }}/{{ api_network_prefix_length }}"
|
|
# NOTE(yoctozepto): we have to compute and explicitly set the broadcast address,
|
|
# otherwise bifrost fails its pre-bootstrap sanity checks due to missing
|
|
# broadcast address as ansible picks up scope ('global') as the interface's
|
|
# broadcast address which fails checks logic
|
|
api_network_broadcast_address: "{{ api_network_cidr | ipaddr('broadcast') }}"
|
|
command: ip address add {{ api_network_cidr }} broadcast {{ api_network_broadcast_address }} dev {{ api_interface_name }}
|
|
when: address_family == 'ipv4'
|
|
|
|
# NOTE(yoctozepto): IPv6 has no broadcast address, let's not create confusion by setting it
|
|
- name: Add IPv6 address for VXLAN network
|
|
become: true
|
|
command: ip address add {{ api_interface_address }}/{{ api_network_prefix_length }} dev {{ api_interface_name }}
|
|
when: address_family == 'ipv6'
|
|
|
|
- name: Accept traffic on the VXLAN network (IN)
|
|
become: true
|
|
iptables:
|
|
state: present
|
|
action: insert
|
|
chain: INPUT
|
|
ip_version: "{{ address_family }}"
|
|
in_interface: "{{ api_interface_name }}"
|
|
jump: ACCEPT
|
|
|
|
# NOTE(yoctozepto): the default policy is ACCEPT but it is nicer to get statistics
|
|
- name: Accept traffic on the VXLAN network (OUT)
|
|
become: true
|
|
iptables:
|
|
state: present
|
|
action: insert
|
|
chain: OUTPUT
|
|
ip_version: "{{ address_family }}"
|
|
out_interface: "{{ api_interface_name }}"
|
|
jump: ACCEPT
|
|
|
|
- name: Bring VXLAN interface up
|
|
become: true
|
|
command: ip link set {{ api_interface_name }} up
|
|
|
|
# NOTE(yoctozepto): IPv6 DAD may delay proper address assignment
|
|
# this task will wait until DAD is done and addresses are no longer tentative
|
|
# we assign addresses uniquely so DAD can only move it to preferred
|
|
# hence we only check whether it's no longer tentative
|
|
- name: Ensure IPv6 addresses on VXLAN are no longer tentative
|
|
become: true
|
|
command: ip -o address show tentative dev {{ api_interface_name }}
|
|
register: tentative_addresses
|
|
until: tentative_addresses.stdout == ''
|
|
retries: 30
|
|
delay: 2
|
|
when:
|
|
- address_family == 'ipv6'
|
|
|
|
- name: Ping across VXLAN
|
|
vars:
|
|
ping_command: "{{ 'ping' if address_family == 'ipv4' else 'ping6' }}"
|
|
command: "{{ ping_command }} -c1 {{ hostvars[item].api_interface_address }}"
|
|
with_inventory_hostnames: all
|
|
|
|
# NOTE(yoctozepto): CentOS 7 image uses myhostname plugin for NSS
|
|
# which creates issues with IPv6-only deployment by providing
|
|
# an IPv4 address for the current hostname (affects rabbitmq)
|
|
- name: Disable myhostname NSS plugin
|
|
become: true
|
|
replace:
|
|
path: /etc/nsswitch.conf
|
|
regexp: ' myhostname'
|
|
replace: ''
|