Reduce neutron configuration

Reduce neutron configuration as follows:

1) Limit [ml2*] sections to neutron server containers [1].
2) Remove the [vlan] section everywhere because it only
   pertains to the defunct Linux bridge monolithic
   plug-in [2].
3) Explicitly disable VXLAN if deployment only includes flat
   or VLAN networks [3].
4) Limit Linux bridge agent configuration options to neutron
   agent containers.
5) Remove [agent] tunnel_type option because the Linux bridge
   agent does not use it.
6) Move some options to correct locations.
7) Reorder some options to improve readability.
8) Annotate groups of options or specific options.

[1] https://review.openstack.org/#/c/196759/
[2] https://review.openstack.org/#/c/196765/
[3] https://review.openstack.org/#/c/160826/

Change-Id: I275fb600360530534f7673e6eb2a3d397b10fb8e
Closes-Bug: #1473230

playbooks/roles/os_neutron/defaults/main.yml

@@ -192,9 +192,6 @@ neutron_ml2_mechanism_drivers: "linuxbridge,l2population"
 #   type: "veth"
 neutron_overlay_network: {}
 
-# Set the vxlan udp port. This is only used when neutron_tunnel_address is defined.
-neutron_vxlan_udp_port: 4789
-
 ## The neutron multicast group address. This should be set as a host variable if used.
 ## This defaults to an empty string
 # neutron_vxlan_group: 239.1.1.100

playbooks/roles/os_neutron/templates/dhcp_agent.ini.j2

@@ -3,19 +3,28 @@
 {% set _api_threads = ansible_processor_vcpus|default(2) // 2 %}
 {% set api_threads = _api_threads if _api_threads > 0 else 1 %}
 
+# General
 [DEFAULT]
 verbose = {{ verbose }}
 debug = {{ debug }}
 
-interface_driver = {{ neutron_driver_interface }}
-dhcp_driver = {{ neutron_driver_dhcp }}
-enable_isolated_metadata = True
-
 num_sync_threads = {{ neutron_num_sync_threads | default(api_threads) }}
 
-dhcp_domain = {{ neutron_dhcp_domain }}
-dhcp_delete_namespaces = {{ neutron_dhcp_delete_namespaces }}
+# Drivers
+interface_driver = {{ neutron_driver_interface }}
+dhcp_driver = {{ neutron_driver_dhcp }}
 
+# Default domain for DHCP leases
+dhcp_domain = {{ neutron_dhcp_domain }}
+
+# Dnsmasq options
 dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf
 dnsmasq_dns_servers = {{ neutron_dnsmasq_dns_servers }}
 dnsmasq_lease_max = {{ neutron_dnsmasq_lease_max }}
+
+# Metadata
+enable_isolated_metadata = True
+
+# Delete defunct namespaces
+dhcp_delete_namespaces = {{ neutron_dhcp_delete_namespaces }}
+

playbooks/roles/os_neutron/templates/l3_agent.ini.j2

@@ -1,34 +1,41 @@
 # {{ ansible_managed }}
 
+# General
 [DEFAULT]
 verbose = {{ verbose }}
 debug = {{ debug }}
 
-allow_automatic_l3agent_failover = True
-enable_metadata_proxy = True
+handle_internal_only_routers = True
 external_network_bridge = {{ neutron_external_network_bridge }}
 gateway_external_network_id = {{ neutron_gateway_external_network_id }}
 
-# L3 Agent HA
-ha_confs_path = {{ neutron_system_home_folder }}/ha_confs
-ha_vrrp_advert_int = {{ neutron_ha_vrrp_advert_int }}
-ha_vrrp_auth_password = {{ neutron_ha_vrrp_auth_password }}
-ha_vrrp_auth_type = {{ neutron_ha_vrrp_auth_type }}
-handle_internal_only_routers = {{ neutron_handle_internal_only_routers }}
-l3_ha = {{ neutron_l3_ha_enabled }}
-l3_ha_net_cidr = {{ neutron_l3_ha_net_cidr }}
-max_l3_agents_per_router = {{ neutron_max_l3_agents_per_router | default(groups['neutron_agent']|length) }}
+# Drivers
+interface_driver = {{ neutron_driver_interface }}
+
+# Agent mode (legacy only)
+agent_mode = {{ neutron_agent_mode }}
+
+# Conventional failover
+allow_automatic_l3agent_failover = True
 
 {% set min_router = groups['neutron_agent'] | length // 2 %}
 {% set min_l3_router = min_router if min_router > 0 else 1 %}
 
 min_l3_agents_per_router = {{ neutron_min_l3_agents_per_router | default(min_l3_router) }}
+max_l3_agents_per_router = {{ neutron_max_l3_agents_per_router | default(groups['neutron_agent']|length) }}
+
+# HA failover
+l3_ha = {{ neutron_l3_ha_enabled }}
+l3_ha_net_cidr = {{ neutron_l3_ha_net_cidr }}
+ha_confs_path = {{ neutron_system_home_folder }}/ha_confs
+ha_vrrp_advert_int = {{ neutron_ha_vrrp_advert_int }}
+ha_vrrp_auth_password = {{ neutron_ha_vrrp_auth_password }}
+ha_vrrp_auth_type = {{ neutron_ha_vrrp_auth_type }}
+handle_internal_only_routers = {{ neutron_handle_internal_only_routers }}
 send_arp_for_ha = 3
 
-# L3 configuration options
-router_delete_namespaces = {{ neutron_l3_router_delete_namespaces }}
+# Metadata
+enable_metadata_proxy = True
 
-# L3 Agent interfaces
-interface_driver = {{ neutron_driver_interface }}
-handle_internal_only_routers = True
-agent_mode = {{ neutron_agent_mode }}
+# Delete defunct namespaces
+router_delete_namespaces = {{ neutron_l3_router_delete_namespaces }}

playbooks/roles/os_neutron/templates/metadata_agent.ini.j2

@@ -3,11 +3,12 @@
 {% set _api_threads = ansible_processor_vcpus|default(2) // 2 %}
 {% set api_threads = _api_threads if _api_threads > 0 else 1 %}
 
+# General
 [DEFAULT]
 verbose = {{ verbose }}
 debug = {{ debug }}
 
-# The Neutron user information for accessing the Neutron API.
+# Neutron credentials for API access
 auth_plugin = {{ neutron_keystone_auth_plugin }}
 auth_url = {{ keystone_service_adminuri }}
 auth_uri = {{ keystone_service_internaluri }}
@@ -19,14 +20,16 @@ username = {{ neutron_service_user_name }}
 password = {{ neutron_service_password }}
 endpoint_type = adminURL
 
-# TCP Port used by Nova metadata server
+# Nova metadata service IP and port
 nova_metadata_ip = {{ internal_lb_vip_address }}
 nova_metadata_port = {{ nova_metadata_port }}
 
-# Number of backlog requests to configure the metadata server socket with
+# Metadata proxy shared secret
 metadata_proxy_shared_secret = {{ nova_metadata_proxy_secret }}
+
+# Workers and backlog requests
 metadata_workers = {{ neutron_metadata_workers | default(api_threads) }}
 metadata_backlog = {{ neutron_metadata_backlog }}
 
-# Metadata Caching
+# Caching
 cache_url = memory://?default_ttl=5

playbooks/roles/os_neutron/templates/metering_agent.ini.j2

@@ -1,11 +1,15 @@
 # {{ ansible_managed }}
 
+# General
 [DEFAULT]
 verbose = {{ verbose }}
 debug = {{ debug }}
 
+# Drivers
 driver = {{ neutron_driver_metering }}
 interface_driver = {{ neutron_driver_interface }}
+
+# Intervals
 measure_interval = 30
 
 [AGENT]

playbooks/roles/os_neutron/templates/neutron.conf.j2

@@ -3,72 +3,66 @@
 {% set _api_threads = ansible_processor_vcpus|default(2) // 2 %}
 {% set api_threads = _api_threads if _api_threads > 0 else 1 %}
 
+# General, applies to all host groups
 [DEFAULT]
 verbose = {{ verbose }}
 debug = {{ debug }}
 fatal_deprecations = {{ neutron_fatal_deprecations }}
-
 use_syslog = False
-
 log_file = /var/log/neutron/neutron.log
-auth_strategy = keystone
+
+{% if inventory_hostname in groups['neutron_server'] %}
+
+# General, only applies to neutron server host group
 network_device_mtu = {{ neutron_network_device_mtu }}
 allow_overlapping_ips = True
 vlan_transparent = False
 
-
-## Drivers
-network_scheduler_driver = {{ neutron_driver_network_scheduler }}
-router_scheduler_driver = {{ neutron_driver_router_scheduler }}
-loadbalancer_pool_scheduler_driver = {{ neutron_driver_loadbalancer_pool_scheduler }}
-dhcp_driver = {{ neutron_driver_dhcp }}
-notification_driver = {{ neutron_driver_notification }}
-
-
-## Schedulers
-router_distributed = False
-network_auto_schedule = True
-router_auto_schedule = True
-
-
-## Agents
-agent_down_time = {{ neutron_agent_down_time }}
-
-
-## API
-bind_port = 9696
-bind_host = 0.0.0.0
-
-
-## Workers
-api_workers = {{ neutron_api_workers | default(api_threads) }}
-rpc_workers = {{ neutron_rpc_workers }}
-
-
-## Plugins
+# Plugins
 core_plugin = {{ neutron_plugin_core }}
 service_plugins = {{ neutron_plugin_loaded_base }}
 
-
-## MAC Address
+# MAC address generation for VIFs
 base_mac = fa:16:3e:00:00:00
 mac_generation_retries = 16
 
+# Authentication method
+auth_strategy = keystone
 
-## DHCP
+# Drivers
+network_scheduler_driver = {{ neutron_driver_network_scheduler }}
+router_scheduler_driver = {{ neutron_driver_router_scheduler }}
+loadbalancer_pool_scheduler_driver = {{ neutron_driver_loadbalancer_pool_scheduler }}
+notification_driver = {{ neutron_driver_notification }}
+
+# Schedulers
+network_auto_schedule = True
+router_auto_schedule = True
+
+# Distributed virtual routing (disable by default)
+router_distributed = False
+
+# Agents
+agent_down_time = {{ neutron_agent_down_time }}
+
+# API
+bind_port = 9696
+bind_host = 0.0.0.0
+
+# Workers
+api_workers = {{ neutron_api_workers | default(api_threads) }}
+rpc_workers = {{ neutron_rpc_workers }}
+
+# DHCP
 dhcp_agent_notification = True
 dhcp_agents_per_network = {{ groups['neutron_agent'] | length }}
-dhcp_delete_namespaces = True
 dhcp_lease_duration = 86400
 advertise_mtu = False
 
-## Notifications
+# Nova notifications
 notify_nova_on_port_status_changes = True
 notify_nova_on_port_data_changes = True
 send_events_interval = 2
-
-
-## Nova
 nova_url = {{ nova_service_adminurl|replace('/%(tenant_id)s', '') }}
 
 ## Rpc all
@@ -87,7 +81,7 @@ project_name = {{ nova_service_project_name }}
 username = {{ nova_service_user_name }}
 password = {{ nova_service_password }}
 
-
+# Quotas
 [quotas]
 quota_driver = {{ neutron_driver_quota }}
 quota_items = network,subnet,port
@@ -106,13 +100,7 @@ quota_security_group_rule = {{ neutron_quota_security_group_rule }}
 quota_subnet = {{ neutron_quota_subnet }}
 quota_vip = {{ neutron_quota_vip }}
 
-
-[agent]
-polling_interval = {{ neutron_agent_polling_interval|default(5) }}
-report_interval = {{ neutron_report_interval|int }}
-root_helper = sudo /usr/local/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
-
-
+# Keystone authentication
 [keystone_authtoken]
 insecure = {{ keystone_service_internaluri_insecure | bool }}
 auth_plugin = {{ neutron_keystone_auth_plugin }}
@@ -130,34 +118,41 @@ memcached_servers = {{ memcached_servers }}
 token_cache_time = 300
 revocation_cache_time = 60
 
-# if your memcached server is shared, use these settings to avoid cache poisoning
+# Prevent cache poisoning if sharing a memcached server
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcached_encryption_key }}
 
-# if your keystone deployment uses PKI, and you value security over performance:
+# Enable if your keystone deployment uses PKI and you prefer security over
+# performance (disable by default)
 check_revocations_for_cached = False
 
-{% if inventory_hostname in groups['neutron_server'] %}
-
+# Database
 [database]
 connection = mysql://{{ neutron_galera_user }}:{{ neutron_container_mysql_password }}@{{ neutron_galera_address }}/{{ neutron_galera_database }}?charset=utf8
 max_overflow = {{ neutron_db_max_overflow }}
 max_pool_size = {{ neutron_db_pool_size }}
 pool_timeout = {{ neutron_db_pool_timeout }}
 
+# Service providers
+[service_providers]
+service_provider = LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
+service_provider = VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
+
 {% endif %}
 
+# Agent
+[agent]
+polling_interval = {{ neutron_agent_polling_interval|default(5) }}
+report_interval = {{ neutron_report_interval|int }}
+root_helper = sudo /usr/local/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
+
+# Messaging service
 [oslo_messaging_rabbit]
 rabbit_port = {{ rabbitmq_port }}
 rabbit_userid = {{ rabbitmq_userid }}
 rabbit_password = {{ rabbitmq_password }}
 rabbit_hosts = {{ rabbitmq_servers }}
 
-
+# Concurrency (locking mechanisms)
 [oslo_concurrency]
 lock_path = /var/lock/neutron
-
-
-[service_providers]
-service_provider = LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
-service_provider = VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default

playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2

@@ -1,5 +1,8 @@
 # {{ ansible_managed }}
 
+{% if inventory_hostname in groups['neutron_server'] %}
+
+# ML2 general
 [ml2]
 type_drivers = {{ neutron_ml2_drivers_type }}
 tenant_network_types = {{ neutron_provider_networks.network_types }}
@@ -7,66 +10,83 @@ mechanism_drivers = {{ neutron_ml2_mechanism_drivers }}
 path_mtu = 0
 segment_mtu = 0
 
-
 {% if neutron_provider_networks.network_flat_networks %}
+
+# ML2 flat networks
 [ml2_type_flat]
 flat_networks = {{ neutron_provider_networks.network_flat_networks }}
+
 {% endif %}
 
-
 {% if neutron_provider_networks.network_vlan_ranges %}
+
+# ML2 VLAN networks
 [ml2_type_vlan]
 network_vlan_ranges = {{ neutron_provider_networks.network_vlan_ranges }}
 
-
-[vlans]
-tenant_network_type = vlan
-network_vlan_ranges = {{ neutron_provider_networks.network_vlan_ranges }}
 {% endif %}
 
-
 {% if neutron_provider_networks.network_vxlan_ranges is defined %}
+
+# ML2 VXLAN networks
 [ml2_type_vxlan]
 vxlan_group = {{ neutron_vxlan_group|default('') }}
 vni_ranges = {{ neutron_provider_networks.network_vxlan_ranges }}
+
+{% endif %}
 {% endif %}
 
+{% if inventory_hostname in groups['neutron_linuxbridge_agent'] %}
+
+# Linux bridge agent VXLAN networks
+[vxlan]
 
 {% if neutron_overlay_network %}
-[vxlan]
+
 enable_vxlan = True
 vxlan_group = {{ neutron_vxlan_group|default('') }}
+
 {% if (is_metal == true or is_metal == "True") and neutron_overlay_network.bridge is defined %}
 {% set on_metal_tunnel_bridge = 'ansible_' + neutron_overlay_network.bridge|replace('-', '_') %}
+
+# VXLAN local tunnel endpoint (bare metal)
 local_ip = {{ hostvars[inventory_hostname][on_metal_tunnel_bridge]['ipv4']['address'] }}
+
 {% else %}
+
+# VXLAN local tunnel endpoint (container)
 local_ip = {{ neutron_overlay_network.address }}
+
 {% endif %}
+
 l2_population = {{ neutron_l2_population }}
+
+{% else %}
+
+# Disable VXLAN for deployments with only flat or VLAN networks
+enable_vxlan = False
+
 {% endif %}
 
-
-[agent]
-tunnel_types = vxlan
-## VXLAN udp port
-# This is set for the vxlan port and while this
-# is being set here it's ignored because
-# the port is assigned by the kernel
-vxlan_udp_port = {{ neutron_vxlan_udp_port }}
-
-
 {% if neutron_provider_networks.network_mappings is defined %}
+
+# Linux bridge agent physical interface mappings
 [linux_bridge]
 physical_interface_mappings = {{ neutron_provider_networks.network_mappings }}
+
 {% endif %}
 
+# Agent (empty for Linux bridge agent)
+[agent]
 
+# L2 population
 [l2pop]
 agent_boot_time = 180
 
+{% endif %}
 
+# Security groups
 [securitygroup]
 enable_security_group = True
 enable_ipset = True
 firewall_driver = {{ neutron_driver_firewall }}
-