From 313627fbe178b0ee97c8a58488da4135a775dd4f Mon Sep 17 00:00:00 2001 From: Kevin Carter Date: Sat, 3 Oct 2015 00:32:12 -0500 Subject: [PATCH] Implement neutron venv support This commit conditionally allows the os_neutron role to install build and deploy within a venv. This is the new default behavior of the role however the functionality can be disabled. In this PR, like all of the other venv related PRs, the `is_metal` flag was removed from the role however unlike some of the other PRs this removal required moving some of the `is_metal` logic out of the role and into the play. This was done for consistency as well as making the role more standalone. The only thing that the role should care about, in terms of installation, is whether or not to install in a venv. Implements: blueprint enable-venv-support-within-the-roles Change-Id: I85aadc43e1c21f296b2fb5932a17eddce57b9ece 
Signed-off-by: Kevin Carter --- playbooks/os-neutron-install.yml | 30 ++++++- playbooks/roles/os_neutron/defaults/main.yml | 29 +++++++ .../library/neutron_migrations_facts | 83 +++++++++++++++---- .../os_neutron/tasks/neutron_db_setup.yml | 8 +- .../os_neutron/tasks/neutron_install.yml | 41 ++++++++- .../roles/os_neutron/tasks/neutron_l3_ha.yml | 4 +- .../os_neutron/tasks/neutron_post_install.yml | 53 ++++++------ .../os_neutron/tasks/neutron_pre_install.yml | 14 ++++ .../os_neutron/tasks/plumgrid_config.yml | 5 +- .../neutron-ha-tool.py.j2} | 8 ++ .../templates/neutron-upstart-init.j2 | 7 +- .../os_neutron/templates/neutron.conf.j2 | 2 +- .../templates/plugins/ml2/ml2_conf.ini.j2 | 20 ++--- .../templates/plugins/plumgrid/plumlib.ini | 2 +- .../os_neutron/templates/rootwrap.conf.j2 | 2 +- .../rootwrap.d/debug.filters.j2} | 0 .../rootwrap.d/dhcp.filters.j2} | 3 +- .../rootwrap.d/ebtables.filters.j2} | 0 .../rootwrap.d/ipset-firewall.filters.j2} | 0 .../rootwrap.d/iptables-firewall.filters.j2} | 0 .../rootwrap.d/l3.filters.j2} | 3 +- .../rootwrap.d/lbaas-haproxy.filters.j2} | 0 .../rootwrap.d/linuxbridge-plugin.filters.j2} | 0 .../rootwrap.d/nec-plugin.filters.j2} | 0 .../rootwrap.d/openvswitch-plugin.filters.j2} | 0 .../rootwrap.d/ryu-plugin.filters.j2} | 0 .../rootwrap.d/vpnaas.filters.j2} | 0 .../roles/os_neutron/templates/sudoers.j2 | 6 +- 28 files changed, 246 insertions(+), 74 deletions(-) rename playbooks/roles/os_neutron/{files/neutron-ha-tool.py => templates/neutron-ha-tool.py.j2} (99%) rename playbooks/roles/os_neutron/{files/rootwrap.d/debug.filters => templates/rootwrap.d/debug.filters.j2} (100%) rename playbooks/roles/os_neutron/{files/rootwrap.d/dhcp.filters => templates/rootwrap.d/dhcp.filters.j2} (93%) rename playbooks/roles/os_neutron/{files/rootwrap.d/ebtables.filters => templates/rootwrap.d/ebtables.filters.j2} (100%) rename playbooks/roles/os_neutron/{files/rootwrap.d/ipset-firewall.filters => templates/rootwrap.d/ipset-firewall.filters.j2} 
(100%) rename playbooks/roles/os_neutron/{files/rootwrap.d/iptables-firewall.filters => templates/rootwrap.d/iptables-firewall.filters.j2} (100%) rename playbooks/roles/os_neutron/{files/rootwrap.d/l3.filters => templates/rootwrap.d/l3.filters.j2} (95%) rename playbooks/roles/os_neutron/{files/rootwrap.d/lbaas-haproxy.filters => templates/rootwrap.d/lbaas-haproxy.filters.j2} (100%) rename playbooks/roles/os_neutron/{files/rootwrap.d/linuxbridge-plugin.filters => templates/rootwrap.d/linuxbridge-plugin.filters.j2} (100%) rename playbooks/roles/os_neutron/{files/rootwrap.d/nec-plugin.filters => templates/rootwrap.d/nec-plugin.filters.j2} (100%) rename playbooks/roles/os_neutron/{files/rootwrap.d/openvswitch-plugin.filters => templates/rootwrap.d/openvswitch-plugin.filters.j2} (100%) rename playbooks/roles/os_neutron/{files/rootwrap.d/ryu-plugin.filters => templates/rootwrap.d/ryu-plugin.filters.j2} (100%) rename playbooks/roles/os_neutron/{files/rootwrap.d/vpnaas.filters => templates/rootwrap.d/vpnaas.filters.j2} (100%) diff --git a/playbooks/os-neutron-install.yml b/playbooks/os-neutron-install.yml index 428110bae8..8fe3eda598 100644 --- a/playbooks/os-neutron-install.yml +++ b/playbooks/os-neutron-install.yml @@ -85,6 +85,7 @@ when: is_metal | bool tags: - neutron-logs + - name: Create the neutron provider networks facts provider_networks: provider_networks: "{{ provider_networks }}" 
@@ -94,15 +95,37 @@ tags: - neutron-provider-networks - neutron-config + - name: Set provider network fact(s) set_fact: - neutron_provider_networks: "{{ pndata }}" - neutron_overlay_network: "{{ container_networks.tunnel_address|default({}) }}" + _provider_networks: "{{ pndata }}" + _overlay_network: "{{ container_networks.tunnel_address|default({}) }}" tags: - neutron-provider-networks - neutron-config + + - name: set local_ip fact (is_metal) + set_fact: + _local_ip: "{{ hostvars[inventory_hostname]['ansible_' + _overlay_network.bridge|replace('-', '_')]['ipv4']['address'] }}" + when: is_metal | bool + tags: + - neutron-config + + - name: set local_ip fact (container) + set_fact: + _local_ip: "{{ _overlay_network.address|default(ansible_ssh_host) }}" + when: not is_metal | bool + tags: + - neutron-config roles: - - { role: "os_neutron", tags: [ "os-neutron" ] } + - role: "os_neutron" + neutron_venv_tag: "{{ openstack_release }}" + neutron_galera_address: "{{ galera_address }}" + neutron_local_ip: "{{ _local_ip }}" + neutron_overlay_network: "{{ _overlay_network }}" + neutron_provider_networks: "{{ _provider_networks }}" + tags: + - "os-neutron" - { role: "openstack_openrc", tags: [ "openstack-openrc" ] } - role: "rsyslog_client" rsyslog_client_log_rotate_file: neutron_log_rotate @@ -119,7 +142,6 @@ - "system-crontab-coordination" vars: galera_address: "{{ internal_lb_vip_address }}" - neutron_galera_address: "{{ internal_lb_vip_address }}" ansible_hostname: "{{ container_name }}" is_metal: "{{ properties.is_metal|default(false) }}" bind_prefix: "{{ provider_network_bind_prefix|default('') }}" diff --git a/playbooks/roles/os_neutron/defaults/main.yml b/playbooks/roles/os_neutron/defaults/main.yml index fb16118573..d06cac6630 100644 --- a/playbooks/roles/os_neutron/defaults/main.yml +++ b/playbooks/roles/os_neutron/defaults/main.yml 
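Review bot: The new `set local_ip fact (is_metal)` task indexes `_overlay_network.bridge` without the `neutron_overlay_network.bridge is defined` guard that the block removed from ml2_conf.ini.j2 carried, and `_overlay_network` falls back to `{}` in the task just above it. On a metal host with no `tunnel_address` entry the lookup would presumably fail the play rather than fall through to an address. I would guard the task with `when: is_metal | bool and _overlay_network.bridge is defined` and pass `neutron_local_ip: "{{ _local_ip | default(ansible_ssh_host) }}"` to the role so the parameter stays defined when the task is skipped. The fallback value is a suggestion that mirrors the container task and should be confirmed against the inventory.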
@@ -19,6 +19,25 @@ is_metal: true ## Verbosity Options debug: False verbose: True + +# Name of the virtual env to deploy into +neutron_venv_tag: untagged +neutron_venv_bin: "/openstack/venvs/neutron-{{ neutron_venv_tag }}/bin" + +# Set this to enable or disable installing in a venv +neutron_venv_enabled: true + +# The bin path defaults to the venv path however if installation in a +# venv is disabled the bin path will be dynamically set based on the +# system path used when the installing. +neutron_bin: "{{ neutron_venv_bin }}" + +# Set the lib dir path to that of the local python path where neutron is installed. +# This is used for role access to the db migrations. +# Example: +# neutron_lib_dir: "/usr/local/lib/python2.7/dist-packages/neutron" +neutron_lib_dir: "{{ neutron_bin | dirname }}/lib/python2.7/site-packages/neutron" + neutron_fatal_deprecations: False ## neutron User / Group @@ -250,6 +269,8 @@ neutron_vxlan_group: "" # network_vlan_ranges: "vlan:1:1,vlan:1024:1025" # network_vxlan_ranges: "1:1000" +neutron_vxlan_enabled: true + neutron_dhcp_domain: openstacklocal neutron_dhcp_delete_namespaces: True # Comma-separated list of DNS servers which will be used by dnsmasq as forwarders. @@ -273,6 +294,9 @@ neutron_rpc_response_timeout: 60 # "create_subnet": "rule:admin_or_network_owner" # "get_subnet": "rule:admin_or_owner or rule:shared" +# neutron_local_ip is used for the VXLAN local tunnel endpoint +neutron_local_ip: 127.0.0.1 + neutron_apt_packages: - conntrack - dnsmasq-base @@ -286,6 +310,11 @@ neutron_apt_packages: neutron_apt_remove_packages: - conntrackd +# neutron packages that must be installed before anything else +neutron_requires_pip_packages: + - virtualenv + - python-keystoneclient # Keystoneclient needed to OSA keystone lib + neutron_pip_packages: - configobj - cliff diff --git a/playbooks/roles/os_neutron/library/neutron_migrations_facts b/playbooks/roles/os_neutron/library/neutron_migrations_facts index 1fbb8e8659..27322dc8a5 100644 
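Review bot: The comment above `neutron_lib_dir` should say when the value has to be overridden, because the default ends in `site-packages` while its own example and the `library_path` default in neutron_migrations_facts both use `dist-packages`. With `neutron_venv_enabled: false` the role resets `neutron_bin` from `which neutron`, so this default presumably resolves to a directory that a system-wide pip install on the apt-based hosts did not populate. I would add `# When neutron_venv_enabled is false, set this to the system path (see example); the default only matches a venv layout.` The hard-coded `python2.7` segment is worth naming in the same comment.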
--- a/playbooks/roles/os_neutron/library/neutron_migrations_facts +++ b/playbooks/roles/os_neutron/library/neutron_migrations_facts @@ -18,6 +18,7 @@ import re import subprocess from ansible.module_utils.basic import * + DOCUMENTATION = """ --- module: neutron_migrations_facts 
@@ -38,45 +39,89 @@ options: - This is the OpenStack release you're running, used when searching for migration revisions in the neutron code. default: liberty + library_path: + description: + - Local path to the location where the neutron python package + is installed. + default: /usr/local/lib/python2.7/dist-packages/neutron + bin_path: + description: + - Local path to the where the neutron binaries are. + default: /usr/local/bin author: Rcbops """ + EXAMPLES = """ - name: Gather neutron migration facts neutron_migrations_facts: release: mitaka """ -MIGRATIONS = {'expand': {'revision': None, 'head': None}, - 'contract': {'revision': None, 'head': None}} + +MIGRATIONS = { + 'expand': { + 'revision': None, + 'head': None + }, + 'contract': { + 'revision': None, + 'head': None + } +} -def get_branch(release, revision): - migrations_dir = '/usr/local/lib/python2.7/dist-packages/neutron/db/' \ - 'migration/alembic_migrations/versions/%s/' % release +def get_branch(release, revision, library_path): + migrations_dir = ( + '%s/db/migration/alembic_migrations/versions/%s/' % ( + library_path, + release, + ) + ) for branch in MIGRATIONS.keys(): - for file in os.listdir('%s/%s' % (migrations_dir, branch)): + migration_dir = os.path.join(get_abs_path(migrations_dir), branch) + for file in os.listdir(migration_dir): if file.endswith('.py') and file.split('_')[0] == revision: return branch +def get_abs_path(path): + return os.path.abspath( + os.path.expanduser( + path + ) + ) + + def main(): module = AnsibleModule( argument_spec=dict( release=dict( type='str', default='liberty' + ), + library_path=dict( + type='str', + default='/usr/local/lib/python2.7/dist-packages/neutron' + ), + bin_path=dict( + type='str', + default='/usr/local/bin' ) ), supports_check_mode=False ) state_change = False + command = [ + '%s/neutron-db-manage' % get_abs_path(module.params['bin_path']), + 'current' + ] + try: - current = subprocess.check_output(['neutron-db-manage', 'current']) + current = 
subprocess.check_output(command) except subprocess.CalledProcessError as e: - message = 'neutron fact collection failed: "%s".' % e - module.fail_json(msg=message) + module.fail_json(msg='neutron fact collection failed: "%s".' % e) for line in current.splitlines(): head = False @@ -85,17 +130,25 @@ def main(): revision = match.group(1) if match.group(2): head = True - branch = get_branch(module.params['release'], revision) + + branch = get_branch( + release=module.params['release'], + revision=revision, + library_path=get_abs_path(module.params['library_path']) + ) if branch is None: - message = 'neutron fact collection failed: unable to find ' \ - 'migration with revision %s' % revision - module.fail_json(msg=message) + module.fail_json( + msg='neutron fact collection failed: unable to find' + ' migration with revision %s' % revision + ) MIGRATIONS[branch]['revision'] = revision MIGRATIONS[branch]['head'] = head - module.exit_json(changed=state_change, - ansible_facts={'neutron_migrations': MIGRATIONS}) + module.exit_json( + changed=state_change, + ansible_facts={'neutron_migrations': MIGRATIONS} + ) if __name__ == '__main__': main() diff --git a/playbooks/roles/os_neutron/tasks/neutron_db_setup.yml b/playbooks/roles/os_neutron/tasks/neutron_db_setup.yml index a5328722e4..7d76ebec60 100644 --- a/playbooks/roles/os_neutron/tasks/neutron_db_setup.yml +++ b/playbooks/roles/os_neutron/tasks/neutron_db_setup.yml @@ -42,6 +42,8 @@ - name: Get neutron migrations facts neutron_migrations_facts: release: liberty + library_path: "{{ neutron_lib_dir }}" + bin_path: "{{ neutron_bin }}" tags: - neutron-db-setup - neutron-upgrade @@ -54,7 +56,8 @@ - name: Perform a Neutron DB online upgrade (expand) command: | - neutron-db-manage --config-file {{ neutron_db_config }} + {{ neutron_bin }}/neutron-db-manage + --config-file {{ neutron_db_config }} --config-file {{ neutron_db_plugin }} upgrade --expand sudo: yes 
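Review bot: The `try` around `subprocess.check_output(command)` catches only `CalledProcessError`, but now that the command is an absolute path built from `bin_path`, a wrong or missing path raises `OSError`, and so does `os.listdir(migration_dir)` in `get_branch` when `library_path` does not contain the release directory. Either case ends the module with a traceback instead of a `fail_json` message. I would widen the handler to `except (subprocess.CalledProcessError, OSError) as e:` and guard the `os.listdir` call the same way, so the existing "unable to find migration" failure path reports it. `main` continues past the end of this hunk.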
@@ -78,7 +81,8 @@ - name: Perform a Neutron DB offline upgrade (contract) command: | - neutron-db-manage --config-file {{ neutron_db_config }} + {{ neutron_bin }}/neutron-db-manage + --config-file {{ neutron_db_config }} --config-file {{ neutron_db_plugin }} upgrade --contract sudo: yes diff --git a/playbooks/roles/os_neutron/tasks/neutron_install.yml b/playbooks/roles/os_neutron/tasks/neutron_install.yml index 79f18c7159..bd41126eee 100644 --- a/playbooks/roles/os_neutron/tasks/neutron_install.yml +++ b/playbooks/roles/os_neutron/tasks/neutron_install.yml @@ -34,6 +34,7 @@ delay: 2 with_items: neutron_apt_packages tags: + - neutron-install - neutron-apt-packages - name: remove specific apt packages @@ -46,9 +47,43 @@ delay: 2 with_items: neutron_apt_remove_packages tags: + - neutron-install - neutron-apt-packages -- name: Install pip packages +- name: Install requires pip packages + pip: + name: "{{ item }}" + state: present + extra_args: "{{ pip_install_options|default('') }}" + register: install_packages + until: install_packages|success + retries: 5 + delay: 2 + with_items: + - "{{ neutron_requires_pip_packages }}" + tags: + - neutron-install + - neutron-pip-packages + +- name: Install pip packages (venv) + pip: + name: "{{ item }}" + state: present + virtualenv: "{{ neutron_venv_bin | dirname }}" + virtualenv_site_packages: "no" + extra_args: "{{ pip_install_options|default('') }}" + register: install_packages + until: install_packages|success + retries: 5 + delay: 2 + with_items: + - "{{ neutron_pip_packages }}" + when: neutron_venv_enabled | bool + tags: + - neutron-install + - neutron-pip-packages + +- name: Install pip packages (no venv) pip: name: "{{ item }}" state: present @@ -59,5 +94,7 @@ delay: 2 with_items: - "{{ neutron_pip_packages }}" + when: not neutron_venv_enabled | bool tags: - - neutron-pip-packages + - neutron-install + - neutron-pip-packages \ No newline at end of file 
diff --git a/playbooks/roles/os_neutron/tasks/neutron_l3_ha.yml b/playbooks/roles/os_neutron/tasks/neutron_l3_ha.yml index 28c4e12070..fb5b1a92a7 100644 --- a/playbooks/roles/os_neutron/tasks/neutron_l3_ha.yml +++ b/playbooks/roles/os_neutron/tasks/neutron_l3_ha.yml @@ -17,8 +17,8 @@ # kilo_revision: true - name: "Drop AT&T neutron ha tool" - copy: - src: "neutron-ha-tool.py" + template: + src: "neutron-ha-tool.py.j2" dest: "/opt/neutron-ha-tool.py" owner: "root" group: "root" diff --git a/playbooks/roles/os_neutron/tasks/neutron_post_install.yml b/playbooks/roles/os_neutron/tasks/neutron_post_install.yml index bc0f713f9b..d6745f79ba 100644 --- a/playbooks/roles/os_neutron/tasks/neutron_post_install.yml +++ b/playbooks/roles/os_neutron/tasks/neutron_post_install.yml @@ -13,19 +13,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Ensure service tenant - shell: | - . {{ ansible_env.HOME }}/openrc && keystone tenant-list | awk '/service/ {print $2}' - register: service_id - tags: - - neutron-config - -- name: Set service tenant id - set_fact: - nova_admin_tenant_id: "{{ service_id.stdout }}" - tags: - - neutron-config - - name: Copy neutron config config_template: src: "{{ item.src }}" 
@@ -97,29 +84,29 @@ - neutron-config - name: Drop neutron Configs - copy: + template: src: "{{ item.src }}" dest: "{{ item.dest }}" owner: "{{ neutron_system_user_name }}" group: "{{ neutron_system_group_name }}" with_items: - - { src: "rootwrap.d/debug.filters", dest: "/etc/neutron/rootwrap.d/debug.filters" } - - { src: "rootwrap.d/ipset-firewall.filters", dest: "/etc/neutron/rootwrap.d/ipset-firewall.filters" } - - { src: "rootwrap.d/iptables-firewall.filters", dest: "/etc/neutron/rootwrap.d/iptables-firewall.filters" } - - { src: "rootwrap.d/nec-plugin.filters", dest: "/etc/neutron/rootwrap.d/nec-plugin.filters" } - - { src: "rootwrap.d/openvswitch-plugin.filters", dest: "/etc/neutron/rootwrap.d/openvswitch-plugin.filters" } - - { src: "rootwrap.d/ryu-plugin.filters", dest: "/etc/neutron/rootwrap.d/ryu-plugin.filters" } - - { src: "rootwrap.d/lbaas-haproxy.filters", dest: "/etc/neutron/rootwrap.d/lbaas-haproxy.filters" } - - { src: "rootwrap.d/vpnaas.filters", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" } - - { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" } + - { src: "rootwrap.d/debug.filters.j2", dest: "/etc/neutron/rootwrap.d/debug.filters" } + - { src: "rootwrap.d/ipset-firewall.filters.j2", dest: "/etc/neutron/rootwrap.d/ipset-firewall.filters" } + - { src: "rootwrap.d/iptables-firewall.filters.j2", dest: "/etc/neutron/rootwrap.d/iptables-firewall.filters" } + - { src: "rootwrap.d/nec-plugin.filters.j2", dest: "/etc/neutron/rootwrap.d/nec-plugin.filters" } + - { src: "rootwrap.d/openvswitch-plugin.filters.j2", dest: "/etc/neutron/rootwrap.d/openvswitch-plugin.filters" } + - { src: "rootwrap.d/ryu-plugin.filters.j2", dest: "/etc/neutron/rootwrap.d/ryu-plugin.filters" } + - { src: "rootwrap.d/lbaas-haproxy.filters.j2", dest: "/etc/neutron/rootwrap.d/lbaas-haproxy.filters" } + - { src: "rootwrap.d/vpnaas.filters.j2", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" } + - { src: "rootwrap.d/ebtables.filters.j2", dest: 
"/etc/neutron/rootwrap.d/ebtables.filters" } notify: - Restart neutron services tags: - neutron-config - name: Drop neutron agent filters - copy: - src: "{{ item.value.service_rootwrap }}" + template: + src: "{{ item.value.service_rootwrap }}.j2" dest: "/etc/neutron/{{ item.value.service_rootwrap }}" owner: "{{ neutron_system_user_name }}" group: "{{ neutron_system_group_name }}" @@ -156,3 +143,19 @@ - name: Setup PLUMgrid config include: plumgrid_config.yml when: neutron_plugin_type == 'plumgrid' + +- name: Get neutron command path + command: which neutron + register: neutron_command_path + when: + - not neutron_venv_enabled | bool + tags: + - neutron-command-bin + +- name: Set neutron command path + set_fact: + neutron_bin: "{{ neutron_command_path.stdout | dirname }}" + when: + - not neutron_venv_enabled | bool + tags: + - neutron-command-bin diff --git a/playbooks/roles/os_neutron/tasks/neutron_pre_install.yml b/playbooks/roles/os_neutron/tasks/neutron_pre_install.yml index f19d27edb0..d579669d2e 100644 --- a/playbooks/roles/os_neutron/tasks/neutron_pre_install.yml +++ b/playbooks/roles/os_neutron/tasks/neutron_pre_install.yml @@ -40,6 +40,7 @@ owner: "{{ item.owner|default(neutron_system_user_name) }}" group: "{{ item.group|default(neutron_system_group_name) }}" with_items: + - { path: "/openstack", owner: "root", group: "root" } - { path: "/etc/neutron" } - { path: "/etc/neutron/plugins" } - { path: "/etc/neutron/plugins/{{ neutron_plugin_type }}" } 
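Review bot: The `Get neutron command path` and `Set neutron command path` tasks are appended at the end of neutron_post_install.yml, after the templating tasks earlier in the same file (`Copy neutron config`, `Drop neutron agent filters`) have presumably already rendered files that use `{{ neutron_bin }}`. With `neutron_venv_enabled: false` those files would still be written with the venv default, so `root_helper` and the rootwrap filter paths point at a directory the no-venv install never creates. I would move both tasks ahead of the first templating task, or to the end of neutron_install.yml, and add `changed_when: false` to the `which neutron` command. The order in which the role includes its task files is not visible here and should be checked against tasks/main.yml.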
@@ -53,6 +54,19 @@ tags: - neutron-dirs +- name: Create neutron venv dir + file: + path: "{{ item.path }}" + state: directory + owner: "{{ item.owner|default(neutron_system_user_name) }}" + group: "{{ item.group|default(neutron_system_group_name) }}" + with_items: + - { path: "/openstack/venvs", mode: "0755", owner: "root", group: "root" } + - { path: "{{ neutron_venv_bin }}" } + when: neutron_venv_enabled | bool + tags: + - neutron-dirs + - name: Test for log directory or link shell: | if [ -h "/var/log/neutron" ]; then diff --git a/playbooks/roles/os_neutron/tasks/plumgrid_config.yml b/playbooks/roles/os_neutron/tasks/plumgrid_config.yml index cda7572edc..b9ffd28948 100644 --- a/playbooks/roles/os_neutron/tasks/plumgrid_config.yml +++ b/playbooks/roles/os_neutron/tasks/plumgrid_config.yml @@ -33,4 +33,7 @@ retries: 5 delay: 2 when: - inventory_hostname in groups['neutron_server'] + - inventory_hostname in groups['neutron_server'] + tags: + - neutron-install + - neutron-pip-packages diff --git a/playbooks/roles/os_neutron/files/neutron-ha-tool.py b/playbooks/roles/os_neutron/templates/neutron-ha-tool.py.j2 similarity index 99% rename from playbooks/roles/os_neutron/files/neutron-ha-tool.py rename to playbooks/roles/os_neutron/templates/neutron-ha-tool.py.j2 index 908463dfda..73d8c9435d 100644 --- a/playbooks/roles/os_neutron/files/neutron-ha-tool.py +++ b/playbooks/roles/os_neutron/templates/neutron-ha-tool.py.j2 @@ -21,6 +21,14 @@ from collections import OrderedDict import logging from logging.handlers import SysLogHandler import os + +{% if neutron_venv_enabled | bool %} + +activate_this = os.path.expanduser("{{ neutron_venv_bin }}/activate_this.py") +execfile(activate_this, dict(__file__=activate_this)) + +{% endif %} + import random import sys import time diff --git a/playbooks/roles/os_neutron/templates/neutron-upstart-init.j2 b/playbooks/roles/os_neutron/templates/neutron-upstart-init.j2 index 3a13e33123..e501d213ab 100644 
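Review bot: In `Create neutron venv dir` the `{{ neutron_venv_bin }}` item carries no `owner`/`group`, so the directory falls back to `neutron_system_user_name`, yet this commit also puts `{{ neutron_bin }}` first in `exec_dirs` in rootwrap.conf.j2 (whose comment says those directories must be writable only by root), first in `secure_path` in sudoers.j2, and in the `NOPASSWD` rootwrap entry. A service account that owns the directory can replace `neutron-rootwrap` or any filtered command in it, which defeats the rootwrap filter and the sudoers restriction. I would create it as `- { path: "{{ neutron_venv_bin }}", owner: "root", group: "root" }` and keep the whole venv root-owned. The `mode: "0755"` key on the first item is never read because the task has no `mode:` argument; add `mode: "{{ item.mode|default('0755') }}"` or drop the key.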
--- a/playbooks/roles/os_neutron/templates/neutron-upstart-init.j2 +++ b/playbooks/roles/os_neutron/templates/neutron-upstart-init.j2 @@ -12,7 +12,7 @@ respawn respawn limit 10 5 # Set the RUNBIN environment variable -env RUNBIN="/usr/local/bin/{{ program_name }}" +env RUNBIN="{{ neutron_bin }}/{{ program_name }}" # Change directory to service users home chdir "{{ service_home }}" @@ -24,6 +24,11 @@ pre-start script mkdir -p "/var/lock/{{ program_name }}" chown {{ system_user }}:{{ system_group }} "/var/lock/{{ program_name }}" + + {% if neutron_venv_enabled | bool -%} + . {{ neutron_venv_bin }}/activate + {%- endif %} + end script # Post stop actions diff --git a/playbooks/roles/os_neutron/templates/neutron.conf.j2 b/playbooks/roles/os_neutron/templates/neutron.conf.j2 index 9ee967bdb8..6af327265d 100644 --- a/playbooks/roles/os_neutron/templates/neutron.conf.j2 +++ b/playbooks/roles/os_neutron/templates/neutron.conf.j2 @@ -146,7 +146,7 @@ service_provider = VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsec [agent] polling_interval = {{ neutron_agent_polling_interval|default(5) }} report_interval = {{ neutron_report_interval|int }} -root_helper = sudo /usr/local/bin/neutron-rootwrap /etc/neutron/rootwrap.conf +root_helper = sudo {{ neutron_bin }}/neutron-rootwrap /etc/neutron/rootwrap.conf # Messaging service [oslo_messaging_rabbit] diff --git a/playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2 b/playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2 index 28457ca111..72edb64c1a 100644 --- a/playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2 +++ b/playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2 @@ -30,7 +30,7 @@ network_vlan_ranges = {{ neutron_provider_networks.network_vlan_ranges }} # ML2 VXLAN networks [ml2_type_vxlan] -vxlan_group = {{ neutron_vxlan_group|default('') }} +vxlan_group = {{ neutron_vxlan_group }} vni_ranges = {{ neutron_provider_networks.network_vxlan_ranges }} {% endif %} 
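Review bot: The `. {{ neutron_venv_bin }}/activate` line added to the `pre-start script` stanza should have no effect on the service, since that stanza runs in its own shell and the job is started through `RUNBIN`, which already points into the venv. It does make the pre-start shell source a file from the venv bin directory, and that stanza appears to run as root (it does a `chown` just above) while neutron_pre_install.yml creates the directory owned by the neutron user. I would drop the three added template lines; if activation is really wanted it belongs in the stanza that launches `RUNBIN`, which is outside this hunk.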
@@ -41,23 +41,13 @@ vni_ranges = {{ neutron_provider_networks.network_vxlan_ranges }} # Linux bridge agent VXLAN networks [vxlan] -{% if neutron_overlay_network %} +{% if neutron_vxlan_enabled | bool %} enable_vxlan = True -vxlan_group = {{ neutron_vxlan_group|default('') }} +vxlan_group = {{ neutron_vxlan_group }} -{% if (is_metal == true or is_metal == "True") and neutron_overlay_network.bridge is defined %} -{% set on_metal_tunnel_bridge = 'ansible_' + neutron_overlay_network.bridge|replace('-', '_') %} - -# VXLAN local tunnel endpoint (bare metal) -local_ip = {{ hostvars[inventory_hostname][on_metal_tunnel_bridge]['ipv4']['address'] }} - -{% else %} - -# VXLAN local tunnel endpoint (container) -local_ip = {{ neutron_overlay_network.address }} - -{% endif %} +# VXLAN local tunnel endpoint +local_ip = {{ neutron_local_ip }} l2_population = {{ neutron_l2_population }} diff --git a/playbooks/roles/os_neutron/templates/plugins/plumgrid/plumlib.ini b/playbooks/roles/os_neutron/templates/plugins/plumgrid/plumlib.ini index 20b6cf960d..19aefa333f 100644 --- a/playbooks/roles/os_neutron/templates/plugins/plumgrid/plumlib.ini +++ b/playbooks/roles/os_neutron/templates/plugins/plumgrid/plumlib.ini @@ -40,7 +40,7 @@ metadata_mode = local # Use "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" to use the real # root filter facility. # Change to "sudo" to skip the filtering and just run the comand directly -root_helper_name = /usr/bin/neutron-rootwrap +root_helper_name = {{ neutron_bin }}/neutron-rootwrap [keystone_authtoken] admin_user = {{ neutron_service_user_name }} diff --git a/playbooks/roles/os_neutron/templates/rootwrap.conf.j2 b/playbooks/roles/os_neutron/templates/rootwrap.conf.j2 index dee1dd94b1..cca669a346 100644 --- a/playbooks/roles/os_neutron/templates/rootwrap.conf.j2 +++ b/playbooks/roles/os_neutron/templates/rootwrap.conf.j2 
@@ -10,7 +10,7 @@ filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap # explicitely specify a full path (separated by ',') # If not specified, defaults to system PATH environment variable. # These directories MUST all be only writeable by root ! -exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin +exec_dirs={{ neutron_bin }},/sbin,/usr/sbin,/bin,/usr/bin # Enable logging to syslog # Default value is False diff --git a/playbooks/roles/os_neutron/files/rootwrap.d/debug.filters b/playbooks/roles/os_neutron/templates/rootwrap.d/debug.filters.j2 similarity index 100% rename from playbooks/roles/os_neutron/files/rootwrap.d/debug.filters rename to playbooks/roles/os_neutron/templates/rootwrap.d/debug.filters.j2 diff --git a/playbooks/roles/os_neutron/files/rootwrap.d/dhcp.filters b/playbooks/roles/os_neutron/templates/rootwrap.d/dhcp.filters.j2 similarity index 93% rename from playbooks/roles/os_neutron/files/rootwrap.d/dhcp.filters rename to playbooks/roles/os_neutron/templates/rootwrap.d/dhcp.filters.j2 index 20d2800116..07bac489e2 100644 --- a/playbooks/roles/os_neutron/files/rootwrap.d/dhcp.filters +++ b/playbooks/roles/os_neutron/templates/rootwrap.d/dhcp.filters.j2 @@ -25,7 +25,8 @@ dhcp_release: CommandFilter, dhcp_release, root metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root # If installed from source (say, by devstack), the prefix will be # /usr/local instead of /usr/bin. -metadata_proxy_local: CommandFilter, /usr/local/bin/neutron-ns-metadata-proxy, root + +metadata_proxy_local: CommandFilter, {{ neutron_bin }}/neutron-ns-metadata-proxy, root # RHEL invocation of the metadata proxy will report /usr/bin/python kill_metadata: KillFilter, root, python, -9 kill_metadata7: KillFilter, root, python2.7, -9 
diff --git a/playbooks/roles/os_neutron/files/rootwrap.d/ebtables.filters b/playbooks/roles/os_neutron/templates/rootwrap.d/ebtables.filters.j2 similarity index 100% rename from playbooks/roles/os_neutron/files/rootwrap.d/ebtables.filters rename to playbooks/roles/os_neutron/templates/rootwrap.d/ebtables.filters.j2 diff --git a/playbooks/roles/os_neutron/files/rootwrap.d/ipset-firewall.filters b/playbooks/roles/os_neutron/templates/rootwrap.d/ipset-firewall.filters.j2 similarity index 100% rename from playbooks/roles/os_neutron/files/rootwrap.d/ipset-firewall.filters rename to playbooks/roles/os_neutron/templates/rootwrap.d/ipset-firewall.filters.j2 diff --git a/playbooks/roles/os_neutron/files/rootwrap.d/iptables-firewall.filters b/playbooks/roles/os_neutron/templates/rootwrap.d/iptables-firewall.filters.j2 similarity index 100% rename from playbooks/roles/os_neutron/files/rootwrap.d/iptables-firewall.filters rename to playbooks/roles/os_neutron/templates/rootwrap.d/iptables-firewall.filters.j2 diff --git a/playbooks/roles/os_neutron/files/rootwrap.d/l3.filters b/playbooks/roles/os_neutron/templates/rootwrap.d/l3.filters.j2 similarity index 95% rename from playbooks/roles/os_neutron/files/rootwrap.d/l3.filters rename to playbooks/roles/os_neutron/templates/rootwrap.d/l3.filters.j2 index 27c78742c9..9f09f32830 100644 --- a/playbooks/roles/os_neutron/files/rootwrap.d/l3.filters +++ b/playbooks/roles/os_neutron/templates/rootwrap.d/l3.filters.j2 
@@ -20,7 +20,8 @@ radvd: CommandFilter, radvd, root metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root # If installed from source (say, by devstack), the prefix will be # /usr/local instead of /usr/bin. -metadata_proxy_local: CommandFilter, /usr/local/bin/neutron-ns-metadata-proxy, root + +metadata_proxy_local: CommandFilter, {{ neutron_bin }}/neutron-ns-metadata-proxy, root # RHEL invocation of the metadata proxy will report /usr/bin/python kill_metadata: KillFilter, root, python, -9 kill_metadata7: KillFilter, root, python2.7, -9 diff --git a/playbooks/roles/os_neutron/files/rootwrap.d/lbaas-haproxy.filters b/playbooks/roles/os_neutron/templates/rootwrap.d/lbaas-haproxy.filters.j2 similarity index 100% rename from playbooks/roles/os_neutron/files/rootwrap.d/lbaas-haproxy.filters rename to playbooks/roles/os_neutron/templates/rootwrap.d/lbaas-haproxy.filters.j2 diff --git a/playbooks/roles/os_neutron/files/rootwrap.d/linuxbridge-plugin.filters b/playbooks/roles/os_neutron/templates/rootwrap.d/linuxbridge-plugin.filters.j2 similarity index 100% rename from playbooks/roles/os_neutron/files/rootwrap.d/linuxbridge-plugin.filters rename to playbooks/roles/os_neutron/templates/rootwrap.d/linuxbridge-plugin.filters.j2 diff --git a/playbooks/roles/os_neutron/files/rootwrap.d/nec-plugin.filters b/playbooks/roles/os_neutron/templates/rootwrap.d/nec-plugin.filters.j2 similarity index 100% rename from playbooks/roles/os_neutron/files/rootwrap.d/nec-plugin.filters rename to playbooks/roles/os_neutron/templates/rootwrap.d/nec-plugin.filters.j2 diff --git a/playbooks/roles/os_neutron/files/rootwrap.d/openvswitch-plugin.filters b/playbooks/roles/os_neutron/templates/rootwrap.d/openvswitch-plugin.filters.j2 similarity index 100% rename from playbooks/roles/os_neutron/files/rootwrap.d/openvswitch-plugin.filters rename to playbooks/roles/os_neutron/templates/rootwrap.d/openvswitch-plugin.filters.j2 
diff --git a/playbooks/roles/os_neutron/files/rootwrap.d/ryu-plugin.filters b/playbooks/roles/os_neutron/templates/rootwrap.d/ryu-plugin.filters.j2 similarity index 100% rename from playbooks/roles/os_neutron/files/rootwrap.d/ryu-plugin.filters rename to playbooks/roles/os_neutron/templates/rootwrap.d/ryu-plugin.filters.j2 diff --git a/playbooks/roles/os_neutron/files/rootwrap.d/vpnaas.filters b/playbooks/roles/os_neutron/templates/rootwrap.d/vpnaas.filters.j2 similarity index 100% rename from playbooks/roles/os_neutron/files/rootwrap.d/vpnaas.filters rename to playbooks/roles/os_neutron/templates/rootwrap.d/vpnaas.filters.j2 diff --git a/playbooks/roles/os_neutron/templates/sudoers.j2 b/playbooks/roles/os_neutron/templates/sudoers.j2 index 9b68d1ba0a..1491ea0c1d 100644 --- a/playbooks/roles/os_neutron/templates/sudoers.j2 +++ b/playbooks/roles/os_neutron/templates/sudoers.j2 @@ -1,4 +1,6 @@ # {{ ansible_managed }} -# Defaults:{{ neutron_system_user_name }}!requiretty -{{ neutron_system_user_name }} ALL = (root) NOPASSWD: /usr/local/bin/{{ neutron_service_name }}-rootwrap +Defaults:{{ neutron_system_user_name }} !requiretty +Defaults:{{ neutron_system_user_name }} secure_path="{{ neutron_bin }}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + +{{ neutron_system_user_name }} ALL = (root) NOPASSWD: {{ neutron_bin }}/{{ neutron_service_name }}-rootwrap