neutron/doc/source/admin/config-services-agent.rst

132 lines
5.2 KiB
ReStructuredText

.. _config-services-agent:
===================
Services and agents
===================
A usual neutron setup consists of multiple services and agents running on one
or multiple nodes (though some setups may not need any agents).
Each of these services provide some of the networking or API services.
Among those of special interest are:
#. The neutron-server that provides API endpoints and serves as a single point
of access to the database. It usually runs on the controller nodes.
#. Layer2 agent that can utilize Open vSwitch, Linux Bridge or other
vendor-specific technology to provide network segmentation and isolation
for project networks.
The L2 agent should run on every node where it is deemed
responsible for wiring and securing virtual interfaces (usually both
compute and network nodes).
#. Layer3 agent that runs on network node and provides east-west and
north-south routing plus some advanced services such as FWaaS or VPNaaS.
Configuration options
~~~~~~~~~~~~~~~~~~~~~
The neutron configuration options are segregated between
neutron-server and agents. Both services and agents may load the main
``neutron.conf`` since this file should contain the oslo.messaging
configuration for internal neutron RPCs and may contain host specific
configuration, such as file paths. The ``neutron.conf`` contains the
database, keystone, nova credentials, and endpoints strictly for
neutron-server to use.
In addition, neutron-server may load a plugin-specific configuration file, yet
the agents should not. As the plugin configuration is primarily site wide
options and the plugin provides the persistence layer for neutron, agents
should be instructed to act upon these values through RPC.
Each individual agent may have its own configuration file. This file should be
loaded after the main ``neutron.conf`` file, so the agent configuration takes
precedence. The agent-specific configuration may contain configurations which
vary between hosts in a neutron deployment such as the ``local_ip`` for an L2
agent. If any agent requires access to additional external services beyond the
neutron RPC, those endpoints should be defined in the agent-specific
configuration file (for example, nova metadata for metadata agent).
Agent's admin state specific config options
-------------------------------------------
When creating a new agent the ``admin_state_up`` field will be set to the
value of ``enable_new_agents`` config option, the default value of this config
option is ``true``:
.. code-block:: ini
[DEFAULT]
enable_new_agents = true
It is possible to set the ``admin_state_up`` value of an agent to ``False``
via the API, or CLI:
.. code-block:: console
$ openstack network agent set agent-uuid --disable
The effect of this varies by agent type:
L2 agents
~~~~~~~~~
The ``admin_state_up`` field of the agent in the Neutron database is set to
``False``, but the agent is still capable of binding ports.
This is true for openvswitch-agent, linuxbridge-agent, and sriov-agent.
.. note::
In case of OVN based deployment Neutron doesn't keep track of OVN
controllers in the ``agents`` db table, so setting the ``admin_state_up``
is not allowed as Neutron has no control over OVN entities.
The possiblity to delete an OVN agent via Neutron REST API, is to clean
up bad chassis information.
Metadata agent
~~~~~~~~~~~~~~
Setting ``admin_state_up`` to False has no effect to the Metadata agent.
DHCP agent
~~~~~~~~~~
DHCP agent scheduler will schedule networks to agents whose ``admin_state_up``
is ``True``.
L3 agent
~~~~~~~~
L3 scheduler will schedule routers to L3 agents whose ``admin_state_up`` field
is ``True``.
External processes run by agents
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Some neutron agents, like DHCP, Metadata or L3, often run external
processes to provide some of their functionalities. It may be keepalived,
dnsmasq, haproxy or some other process.
Neutron agents are responsible for spawning and killing such processes when
necessary. By default, to kill such processes, agents use a simple ``kill``
command, but in some cases, like for example when those additional services
are running inside containers, it may be not a good solution.
To address this problem, operators should use the ``AGENT`` config group option
``kill_scripts_path`` to configure a path to where ``kill scripts`` for such
processes live. By default, it is set to ``/etc/neutron/kill_scripts/``.
If option ``kill_scripts_path`` is changed in the config to the different
location, ``exec_dirs`` in ``/etc/rootwrap.conf`` should be changed accordingly.
If ``kill_scripts_path`` is set, every time neutron has to kill a process,
for example ``dnsmasq``, it will look in this directory for a file with the name
``<process_name>-kill``. So for ``dnsmasq`` process it will look for a
``dnsmasq-kill`` script. If such a file exists there, it will be called
instead of using the ``kill`` command.
Kill scripts are called with two parameters:
.. code-block::
<process>-kill <sig> <pid>
where: ``<sig>`` is the signal, same as with the ``kill`` command, for example
``9`` or ``SIGKILL``; and ``<pid>`` is pid of the process to kill.
This external script should then handle killing of the given process as neutron
will not call the ``kill`` command for it anymore.