Add ovn-bgp-agent and FRR

Creates the configuration to add FRR and ovn-bgp-agent to kolla. FRR
and ovn-bgp-agent introduces dynamic routing capabilities to
OpenStack environments.

[1] https://opendev.org/openstack/ovn-bgp-agent

Change-Id: Id2ec5d23505146247e397393996e996e903a378e

README.rst

@@ -116,6 +116,7 @@ Kolla provides images to deploy the following infrastructure components:
   a reliable way to store data across a cluster of machines.
 - `Fluentd <https://www.fluentd.org/>`__ as an open source data collector
   for unified logging layer.
+- `FRR <https://frrouting.org/>`__ as a routing daemon for OVN-BGP-Agent.
 - `Gnocchi <https://gnocchi.xyz/>`__ a time-series storage database.
 - `HAProxy <https://www.haproxy.org/>`__ and
   `Keepalived <https://www.keepalived.org/>`__ for high availability of services

docker/base/Dockerfile.j2

@@ -53,6 +53,7 @@ COPY dnf.conf /etc/dnf/dnf.conf
 #### BEGIN REPO ENABLEMENT
 {% set base_yum_repo_files = [
     'docker-ce.repo',
+    'frr.repo',
     'grafana.repo',
     'influxdb.repo',
     'mariadb.repo',
@@ -305,6 +306,7 @@ COPY apt_preferences /etc/apt/preferences.d/kolla-custom
 {# NOTE(hrw): type field defaults to 'asc' which is used for single keys #}
 {% set base_remote_apt_keys = [
    {'name': 'docker-ce', 'url': 'https://download.docker.com/linux/debian/gpg'},
+   {'name': 'frr', 'url': 'https://deb.frrouting.org/frr/keys.asc'},
    {'name': 'grafana', 'url': 'https://rpm.grafana.com/gpg.key'},
    {'name': 'influxdb', 'url': 'https://repos.influxdata.com/influxdata-archive_compat.key'},
    {'name': 'mariadb', 'url': 'https://downloads.mariadb.com/MariaDB/mariadb-keyring-2019.gpg', 'type': 'gpg'},

docker/base/frr.repo

@@ -0,0 +1,12 @@
+[frr]
+name=FRRouting 9.x Packages for Enterprise Linux $releasever - $basearch
+baseurl=https://rpm.frrouting.org/repo/el$releasever/frr9
+enabled=0
+gpgcheck=0
+
+[frr-extras]
+name=FRRouting Dependencies for Enterprise Linux $releasever - $basearch
+baseurl=https://rpm.frrouting.org/repo/el$releasever/extras
+enabled=0
+gpgcheck=0
+

docker/frr/Dockerfile.j2

@@ -0,0 +1,34 @@
+FROM {{ namespace }}/{{ image_prefix }}base:{{ tag }}
+{% block labels %}
+LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}"
+{% endblock %}
+
+{% block frr_header %}{% endblock %}
+
+{% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='frr') }}
+
+{{ macros.enable_extra_repos(['frr']) }}
+
+{% if base_package_type == 'rpm' %}
+
+    {{ macros.enable_extra_repos(['frr-extras']) }}
+
+{% endif %}
+
+{% set frr_packages = [
+    'frr',
+    'frr-pythontools',
+] %}
+
+COPY frr_sudoers /etc/sudoers.d/kolla_frr_sudoers
+COPY extend_start.sh /usr/local/bin/kolla_extend_start
+
+{{ macros.install_packages(frr_packages | customizable("packages")) }} \
+    && chmod 440 /etc/sudoers.d/kolla_frr_sudoers \
+    && chmod 644 /usr/local/bin/kolla_extend_start
+
+{% block frr_footer %}{% endblock %}
+{% block footer %}{% endblock %}
+

docker/frr/extend_start.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Give processes executed with the "kolla" group the permission to create files
+# and sub-directories in the /var/log/kolla directory.
+#
+# Also set the setgid permission on the /var/log/kolla directory so that new
+# files and sub-directories in that directory inherit its group id ("kolla").
+
+USERGROUP="frr:kolla"
+FRR="frr"
+
+if [ ! -d /var/log/kolla/frr ]; then
+    mkdir -p /var/log/kolla/frr
+fi
+if [[ $(stat -c %U:%G /var/log/kolla/frr) != "${USERGROUP}" ]]; then
+    sudo chown ${USERGROUP} /var/log/kolla/frr
+fi
+if [[ $(stat -c %a /var/log/kolla/frr) != "2775" ]]; then
+    sudo chmod 2775 /var/log/kolla/frr
+fi
+if [[ (-d /var/lib/${FRR}) && ($(stat -c %U:%G /var/lib/${FRR}) != "${USERGROUP}") ]]; then
+    sudo chown ${USERGROUP} /var/lib/${FRR}
+fi
+

docker/frr/frr_sudoers

@@ -0,0 +1,5 @@
+%kolla ALL=(root) NOPASSWD: /bin/chown frr\:kolla /var/log/kolla, /usr/bin/chown frr\:kolla /var/log/kolla
+%kolla ALL=(root) NOPASSWD: /bin/chown frr\:kolla /var/lib/frr, /usr/bin/chown frr\:kolla /var/lib/frr
+%kolla ALL=(root) NOPASSWD: /bin/chmod 2775 /var/log/kolla, /usr/bin/chmod 2775 /var/log/kolla
+%kolla ALL=(root) NOPASSWD: /bin/chmod 2775 /var/lib/frr, /usr/bin/chmod 2775 /var/lib/frr
+

docker/neutron/ovn-bgp-agent/Dockerfile.j2

@@ -0,0 +1,62 @@
+FROM {{ namespace }}/{{ image_prefix }}neutron-base:{{ tag }}
+{% block labels %}
+LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}"
+{% endblock %}
+
+{% block ovn_bgp_agent_header %}{% endblock %}
+
+{% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='ovn-bgp-agent') }}
+{{ macros.configure_user(name='frr') }}
+
+{{ macros.enable_extra_repos(['frr']) }}
+{{ macros.enable_extra_repos(['openvswitch']) }}
+
+{% if base_package_type == 'rpm' %}
+
+    {{ macros.enable_extra_repos(['frr-extras']) }}
+
+    {% set ovn_bgp_agent_packages = [
+        'frr',
+        'frr-pythontools',
+        'libibverbs',
+        'python3-netifaces',
+    ] %}
+
+{% elif base_package_type == 'deb' %}
+
+    {% set ovn_bgp_agent_packages = [
+        'frr',
+        'frr-pythontools',
+        'python3-netifaces',
+    ] %}
+
+{% endif %}
+
+COPY ovn_bgp_agent_sudoers /etc/sudoers.d/kolla_ovn_bgp_agent_sudoers
+COPY extend_start.sh /usr/local/bin/kolla_extend_start
+
+{{ macros.install_packages(ovn_bgp_agent_packages | customizable("packages")) }} \
+# NOTE(hrw): Upstream moved tcpdump to /usr/bin/ in 4.99 version (used in Debian)
+    && if [ -e /usr/sbin/tcpdump ]; then mv /usr/sbin/tcpdump /usr/bin/tcpdump; fi
+
+{% set ovn_bgp_agent_pip_packages = [
+    '/ovn-bgp-agent',
+] %}
+
+ADD ovn-bgp-agent-archive /ovn-bgp-agent-source
+
+RUN ln -s ovn-bgp-agent-source/* ovn-bgp-agent \
+    && {{ macros.install_pip(ovn_bgp_agent_pip_packages | customizable("pip_packages")) }} \
+    && mkdir -p /etc/ovn-bgp-agent /etc/frr /var/run/ovn-bgp-agent \
+    && cp -r /ovn-bgp-agent/etc/ovn-bgp-agent/* /etc/ovn-bgp-agent/ \
+    && cp -r /ovn-bgp-agent/etc/frr/* /etc/frr/ \
+    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/ovn-bgp-agent/rootwrap.conf \
+    && chmod 750 /etc/sudoers.d \
+    && chmod 440 /etc/sudoers.d/kolla_ovn_bgp_agent_sudoers \
+    && chmod 644 /usr/local/bin/kolla_extend_start
+
+{% block ovn_bgp_agent_footer %}{% endblock %}
+{% block footer %}{% endblock %}
+

docker/neutron/ovn-bgp-agent/extend_start.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# Give processes executed with the "kolla" group the permission to create files
+# and sub-directories in the /var/log/kolla directory.
+
+USERGROUP="ovn-bgp-agent:kolla"
+OVN_BGP_AGENT_DIR="/var/lib/ovn-bgp-agent"
+
+if [[ (-d ${OVN_BGP_AGENT_DIR}}) && ($(stat -c %U:%G ${OVN_BGP_AGENT_DIR}) != "${USERGROUP}") ]]; then
+    sudo chown ${USERGROUP} ${OVN_BGP_AGENT_DIR}
+fi
+

docker/neutron/ovn-bgp-agent/ovn_bgp_agent_sudoers

@@ -0,0 +1,5 @@
+%kolla ALL=(root) NOPASSWD: /bin/chown ovn-bgp-agent\:kolla /var/log/kolla, /usr/bin/chown ovn-bgp-agent\:kolla /var/log/kolla
+%kolla ALL=(root) NOPASSWD: /bin/chown ovn-bgp-agent\:kolla /var/lib/ovn-bgp-agent, /usr/bin/chown ovn-bgp-agent\:kolla /var/lib/ovn-bgp-agent
+%kolla ALL=(root) NOPASSWD: /bin/chmod 2775 /var/log/kolla, /usr/bin/chmod 2775 /var/log/kolla
+%kolla ALL=(root) NOPASSWD: /bin/chmod 2775 /var/lib/ovn-bgp-agent, /usr/bin/chmod 2775 /var/lib/ovn-bgp-agent
+

kolla/common/config.py

@@ -53,6 +53,7 @@ _PROFILE_OPTS = [
                     'cron',
                     'etcd',
                     'fluentd',
+                    'frr',
                     'haproxy',
                     'hacluster',
                     'keepalived',
@@ -62,6 +63,7 @@ _PROFILE_OPTS = [
                     'memcached',
                     'opensearch',
                     'openvswitch',
+                    'ovn-bgp-agent',
                     'proxysql',
                     'rabbitmq',
                     'redis',

kolla/common/sources.py

@@ -269,6 +269,10 @@ SOURCES = {
         'type': 'url',
         'location': ('$tarballs_base/openstack/ovn-octavia-provider/'
                      'ovn-octavia-provider-${openstack_branch}.tar.gz')},
+    'ovn-bgp-agent': {
+        'type': 'url',
+        'location': ('$tarballs_base/openstack/ovn-bgp-agent/'
+                     'ovn-bgp-agent-${openstack_branch}.tar.gz')},
     'placement-base': {
         'type': 'url',
         'location': ('$tarballs_base/openstack/placement/'

kolla/common/users.py

@@ -345,5 +345,13 @@ USERS = {
     'hsmusers-user': {
         'uid': 42493,  # This is not used, but the group ID is required.
         'gid': 42493,
+    },
+    'frr-user': {
+        'uid': 42494,
+        'gid': 42494,
+    },
+    'ovn-bgp-agent-user': {
+        'uid': 42495,
+        'gid': 42495,
     }
 }

kolla/image/unbuildable.py

@@ -42,6 +42,11 @@ UNBUILDABLE_IMAGES = {
         "tgtd",                  # Not supported on CentOS
     },
 
+    'rocky+aarch64': {
+        "frr",            # no aarch64 packages
+        "ovn-bgp-agent",  # no frr aarch64 packages
+    },
+
     'ubuntu': {
     },
 
@@ -50,6 +55,8 @@ UNBUILDABLE_IMAGES = {
     },
 
     'centos+aarch64': {
-        "telegraf",      # no binary package
+        "frr",            # no aarch64 packages
+        "ovn-bgp-agent",  # no frr aarch64 packages
+        "telegraf",       # no binary package
     },
 }

kolla/template/repos.yaml

@@ -7,6 +7,8 @@ centos:
   erlang: "rabbitmq_rabbitmq-erlang"
   extras: "extras"
   fluentd: "fluent-package-lts"
+  frr: "frr"
+  frr-extras: "frr-extras"
   grafana: "grafana"
   hacluster: "highavailability"
   influxdb: "influxdb"
@@ -26,6 +28,8 @@ centos-aarch64:
   erlang: "copr-rabbitmq-erlang"
   extras: "extras"
   fluentd: "fluent-package-lts"
+  frr: "frr"
+  frr-extras: "frr-extras"
   grafana: "grafana"
   hacluster: "highavailability"
   influxdb: "influxdb"
@@ -56,6 +60,11 @@ debian:
     suite: "bookworm"
     component: "contrib"
     gpg_key: "treasuredata.asc"
+  frr:
+    url: "https://deb.frrouting.org/frr"
+    suite: "bullseye"
+    component: "frr-9"
+    gpg_key: "frr.asc"
   grafana:
     url: "https://apt.grafana.com"
     suite: "stable"
@@ -108,6 +117,11 @@ debian-aarch64:
     suite: "bookworm"
     component: "contrib"
     gpg_key: "treasuredata.asc"
+  frr:
+    url: "https://deb.frrouting.org/frr"
+    suite: "bullseye"
+    component: "frr-9"
+    gpg_key: "frr.asc"
   grafana:
     url: "https://apt.grafana.com"
     suite: "stable"
@@ -155,6 +169,8 @@ rocky:
   erlang: "rabbitmq_rabbitmq-erlang"
   extras: "extras"
   fluentd: "fluent-package-lts"
+  frr: "frr"
+  frr-extras: "frr-extras"
   grafana: "grafana"
   hacluster: "highavailability"
   influxdb: "influxdb"
@@ -174,6 +190,8 @@ rocky-aarch64:
   erlang: "copr-rabbitmq-erlang"
   extras: "extras"
   fluentd: "fluent-package-lts"
+  frr: "frr"
+  frr-extras: "frr-extras"
   grafana: "grafana"
   influxdb: "influxdb"
   hacluster: "highavailability"
@@ -201,6 +219,11 @@ ubuntu:
     suite: "noble"
     component: "contrib"
     gpg_key: "treasuredata.asc"
+  frr:
+    url: "https://deb.frrouting.org/frr"
+    suite: "noble"
+    component: "frr-9"
+    gpg_key: "frr.asc"
   grafana:
     url: "https://apt.grafana.com"
     suite: "stable"
@@ -254,6 +277,11 @@ ubuntu-aarch64:
     suite: "noble"
     component: "contrib"
     gpg_key: "treasuredata.asc"
+  frr:
+    url: "https://deb.frrouting.org/frr"
+    suite: "noble"
+    component: "frr-9"
+    gpg_key: "frr.asc"
   grafana:
     url: "https://apt.grafana.com"
     suite: "stable"

releasenotes/notes/add-ovn-bgp-agent-frr-21d0e02acaf69a2b.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Adds FRR and ovn-bgp-agent container images to kolla