Merge "Implement neutron venv support"

playbooks/os-neutron-install.yml

@@ -90,6 +90,7 @@
       when: is_metal | bool
       tags:
         - neutron-logs
+
     - name: Create the neutron provider networks facts
       provider_networks:
         provider_networks: "{{ provider_networks }}"
@@ -99,15 +100,37 @@
       tags:
         - neutron-provider-networks
         - neutron-config
+
     - name: Set provider network fact(s)
       set_fact:
-        neutron_provider_networks: "{{ pndata }}"
+        _provider_networks: "{{ pndata }}"
-        neutron_overlay_network: "{{ container_networks.tunnel_address|default({}) }}"
+        _overlay_network: "{{ container_networks.tunnel_address|default({}) }}"
       tags:
         - neutron-provider-networks
         - neutron-config
+
+    - name: set local_ip fact (is_metal)
+      set_fact:
+        _local_ip: "{{ hostvars[inventory_hostname]['ansible_' + _overlay_network.bridge|replace('-', '_')]['ipv4']['address'] }}"
+      when: is_metal | bool
+      tags:
+        - neutron-config
+
+    - name: set local_ip fact (container)
+      set_fact:
+        _local_ip: "{{ _overlay_network.address|default(ansible_ssh_host) }}"
+      when: not is_metal | bool
+      tags:
+        - neutron-config
   roles:
-    - { role: "os_neutron", tags: [ "os-neutron" ] }
+    - role: "os_neutron"
+      neutron_venv_tag: "{{ openstack_release }}"
+      neutron_galera_address: "{{ galera_address }}"
+      neutron_local_ip: "{{ _local_ip }}"
+      neutron_overlay_network: "{{ _overlay_network }}"
+      neutron_provider_networks: "{{ _provider_networks }}"
+      tags:
+        - "os-neutron"
     - { role: "openstack_openrc", tags: [ "openstack-openrc" ] }
     - role: "rsyslog_client"
       rsyslog_client_log_rotate_file: neutron_log_rotate
@@ -124,7 +147,6 @@
         - "system-crontab-coordination"
   vars:
     galera_address: "{{ internal_lb_vip_address }}"
-    neutron_galera_address: "{{ internal_lb_vip_address }}"
     ansible_hostname: "{{ container_name }}"
     is_metal: "{{ properties.is_metal|default(false) }}"
     bind_prefix: "{{ provider_network_bind_prefix|default('') }}"

playbooks/roles/os_neutron/defaults/main.yml

@@ -19,6 +19,25 @@ is_metal: true
 ## Verbosity Options
 debug: False
 verbose: True
+
+# Name of the virtual env to deploy into
+neutron_venv_tag: untagged
+neutron_venv_bin: "/openstack/venvs/neutron-{{ neutron_venv_tag }}/bin"
+
+# Set this to enable or disable installing in a venv
+neutron_venv_enabled: true
+
+# The bin path defaults to the venv path however if installation in a
+#  venv is disabled the bin path will be dynamically set based on the
+#  system path used when the installing.
+neutron_bin: "{{ neutron_venv_bin }}"
+
+# Set the lib dir path to that of the local python path where neutron is installed.
+#  This is used for role access to the db migrations.
+#  Example:
+#  neutron_lib_dir: "/usr/local/lib/python2.7/dist-packages/neutron"
+neutron_lib_dir: "{{ neutron_bin | dirname }}/lib/python2.7/site-packages/neutron"
+
 neutron_fatal_deprecations: False
 
 ## neutron User / Group
@@ -250,6 +269,8 @@ neutron_vxlan_group: ""
 #   network_vlan_ranges: "vlan:1:1,vlan:1024:1025"
 #   network_vxlan_ranges: "1:1000"
 
+neutron_vxlan_enabled: true
+
 neutron_dhcp_domain: openstacklocal
 neutron_dhcp_delete_namespaces: True
 # Comma-separated list of DNS servers which will be used by dnsmasq as forwarders.
@@ -273,6 +294,9 @@ neutron_rpc_response_timeout: 60
 #  "create_subnet": "rule:admin_or_network_owner"
 #  "get_subnet": "rule:admin_or_owner or rule:shared"
 
+# neutron_local_ip is used for the VXLAN local tunnel endpoint
+neutron_local_ip: 127.0.0.1
+
 neutron_apt_packages:
   - conntrack
   - dnsmasq-base
@@ -286,6 +310,11 @@ neutron_apt_packages:
 neutron_apt_remove_packages:
   - conntrackd
 
+# neutron packages that must be installed before anything else
+neutron_requires_pip_packages:
+  - virtualenv
+  - python-keystoneclient # Keystoneclient needed to OSA keystone lib
+
 neutron_pip_packages:
   - configobj
   - cliff

playbooks/roles/os_neutron/library/neutron_migrations_facts

@@ -18,6 +18,7 @@ import re
 import subprocess
 from ansible.module_utils.basic import *
 
+
 DOCUMENTATION = """
 ---
 module: neutron_migrations_facts
@@ -38,45 +39,89 @@ options:
             - This is the OpenStack release you're running, used when
               searching for migration revisions in the neutron code.
         default: liberty
+    library_path:
+        description:
+            - Local path to the location where the neutron python package
+              is installed.
+        default: /usr/local/lib/python2.7/dist-packages/neutron
+    bin_path:
+        description:
+            - Local path to the where the neutron binaries are.
+        default: /usr/local/bin
 author: Rcbops
 """
 
+
 EXAMPLES = """
 - name: Gather neutron migration facts
   neutron_migrations_facts:
     release: mitaka
 """
 
-MIGRATIONS = {'expand': {'revision': None, 'head': None},
+
-              'contract': {'revision': None, 'head': None}}
+MIGRATIONS = {
+    'expand': {
+        'revision': None,
+        'head': None
+    },
+    'contract': {
+        'revision': None,
+        'head': None
+    }
+}
 
 
-def get_branch(release, revision):
+def get_branch(release, revision, library_path):
-    migrations_dir = '/usr/local/lib/python2.7/dist-packages/neutron/db/' \
+    migrations_dir = (
-                     'migration/alembic_migrations/versions/%s/' % release
+        '%s/db/migration/alembic_migrations/versions/%s/' % (
+            library_path,
+            release,
+        )
+    )
     for branch in MIGRATIONS.keys():
-        for file in os.listdir('%s/%s' % (migrations_dir, branch)):
+        migration_dir = os.path.join(get_abs_path(migrations_dir), branch)
+        for file in os.listdir(migration_dir):
             if file.endswith('.py') and file.split('_')[0] == revision:
                 return branch
 
 
+def get_abs_path(path):
+    return os.path.abspath(
+        os.path.expanduser(
+            path
+        )
+    )
+
+
 def main():
     module = AnsibleModule(
         argument_spec=dict(
             release=dict(
                 type='str',
                 default='liberty'
+            ),
+            library_path=dict(
+                type='str',
+                default='/usr/local/lib/python2.7/dist-packages/neutron'
+            ),
+            bin_path=dict(
+                type='str',
+                default='/usr/local/bin'
             )
         ),
         supports_check_mode=False
     )
     state_change = False
 
+    command = [
+        '%s/neutron-db-manage' % get_abs_path(module.params['bin_path']),
+        'current'
+    ]
+
     try:
-        current = subprocess.check_output(['neutron-db-manage', 'current'])
+        current = subprocess.check_output(command)
     except subprocess.CalledProcessError as e:
-        message = 'neutron fact collection failed: "%s".' % e
+        module.fail_json(msg='neutron fact collection failed: "%s".' % e)
-        module.fail_json(msg=message)
 
     for line in current.splitlines():
         head = False
@@ -85,17 +130,25 @@ def main():
             revision = match.group(1)
             if match.group(2):
                 head = True
-            branch = get_branch(module.params['release'], revision)
+
+            branch = get_branch(
+                release=module.params['release'],
+                revision=revision,
+                library_path=get_abs_path(module.params['library_path'])
+            )
             if branch is None:
-                message = 'neutron fact collection failed: unable to find ' \
+                module.fail_json(
-                          'migration with revision %s' % revision
+                    msg='neutron fact collection failed: unable to find'
-                module.fail_json(msg=message)
+                        ' migration with revision %s' % revision
+                )
 
             MIGRATIONS[branch]['revision'] = revision
             MIGRATIONS[branch]['head'] = head
 
-    module.exit_json(changed=state_change,
+    module.exit_json(
-                     ansible_facts={'neutron_migrations': MIGRATIONS})
+        changed=state_change,
+        ansible_facts={'neutron_migrations': MIGRATIONS}
+    )
 
 if __name__ == '__main__':
     main()

playbooks/roles/os_neutron/tasks/neutron_db_setup.yml

@@ -42,6 +42,8 @@
 - name: Get neutron migrations facts
   neutron_migrations_facts:
     release: liberty
+    library_path: "{{ neutron_lib_dir }}"
+    bin_path: "{{ neutron_bin }}"
   tags:
     - neutron-db-setup
     - neutron-upgrade
@@ -54,7 +56,8 @@
 
 - name: Perform a Neutron DB online upgrade (expand)
   command: |
-    neutron-db-manage --config-file {{ neutron_db_config }}
+    {{ neutron_bin }}/neutron-db-manage
+                      --config-file {{ neutron_db_config }}
                       --config-file {{ neutron_db_plugin }}
                       upgrade --expand
   sudo: yes
@@ -78,7 +81,8 @@
 
 - name: Perform a Neutron DB offline upgrade (contract)
   command: |
-    neutron-db-manage --config-file {{ neutron_db_config }}
+    {{ neutron_bin }}/neutron-db-manage
+                      --config-file {{ neutron_db_config }}
                       --config-file {{ neutron_db_plugin }}
                       upgrade --contract
   sudo: yes

playbooks/roles/os_neutron/tasks/neutron_install.yml

@@ -34,6 +34,7 @@
   delay: 2
   with_items: neutron_apt_packages
   tags:
+    - neutron-install
     - neutron-apt-packages
 
 - name: remove specific apt packages
@@ -46,9 +47,43 @@
   delay: 2
   with_items: neutron_apt_remove_packages
   tags:
+    - neutron-install
     - neutron-apt-packages
 
-- name: Install pip packages
+- name: Install requires pip packages
+  pip:
+    name: "{{ item }}"
+    state: present
+    extra_args: "{{ pip_install_options|default('') }}"
+  register: install_packages
+  until: install_packages|success
+  retries: 5
+  delay: 2
+  with_items:
+    - "{{ neutron_requires_pip_packages }}"
+  tags:
+    - neutron-install
+    - neutron-pip-packages
+
+- name: Install pip packages (venv)
+  pip:
+    name: "{{ item }}"
+    state: present
+    virtualenv: "{{ neutron_venv_bin | dirname }}"
+    virtualenv_site_packages: "no"
+    extra_args: "{{ pip_install_options|default('') }}"
+  register: install_packages
+  until: install_packages|success
+  retries: 5
+  delay: 2
+  with_items:
+    - "{{ neutron_pip_packages }}"
+  when: neutron_venv_enabled | bool
+  tags:
+    - neutron-install
+    - neutron-pip-packages
+
+- name: Install pip packages (no venv)
   pip:
     name: "{{ item }}"
     state: present
@@ -59,5 +94,7 @@
   delay: 2
   with_items:
     - "{{ neutron_pip_packages }}"
+  when: not neutron_venv_enabled | bool
   tags:
-    - neutron-pip-packages
+    - neutron-install
+    - neutron-pip-packages

playbooks/roles/os_neutron/tasks/neutron_l3_ha.yml

@@ -17,8 +17,8 @@
 # kilo_revision: true
 
 - name: "Drop AT&T neutron ha tool"
-  copy:
+  template:
-    src: "neutron-ha-tool.py"
+    src: "neutron-ha-tool.py.j2"
     dest: "/opt/neutron-ha-tool.py"
     owner: "root"
     group: "root"

playbooks/roles/os_neutron/tasks/neutron_post_install.yml

@@ -84,29 +84,29 @@
     - neutron-config
 
 - name: Drop neutron Configs
-  copy:
+  template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
     owner: "{{ neutron_system_user_name }}"
     group: "{{ neutron_system_group_name }}"
   with_items:
-    - { src: "rootwrap.d/debug.filters", dest: "/etc/neutron/rootwrap.d/debug.filters" }
+    - { src: "rootwrap.d/debug.filters.j2", dest: "/etc/neutron/rootwrap.d/debug.filters" }
-    - { src: "rootwrap.d/ipset-firewall.filters", dest: "/etc/neutron/rootwrap.d/ipset-firewall.filters" }
+    - { src: "rootwrap.d/ipset-firewall.filters.j2", dest: "/etc/neutron/rootwrap.d/ipset-firewall.filters" }
-    - { src: "rootwrap.d/iptables-firewall.filters", dest: "/etc/neutron/rootwrap.d/iptables-firewall.filters" }
+    - { src: "rootwrap.d/iptables-firewall.filters.j2", dest: "/etc/neutron/rootwrap.d/iptables-firewall.filters" }
-    - { src: "rootwrap.d/nec-plugin.filters", dest: "/etc/neutron/rootwrap.d/nec-plugin.filters" }
+    - { src: "rootwrap.d/nec-plugin.filters.j2", dest: "/etc/neutron/rootwrap.d/nec-plugin.filters" }
-    - { src: "rootwrap.d/openvswitch-plugin.filters", dest: "/etc/neutron/rootwrap.d/openvswitch-plugin.filters" }
+    - { src: "rootwrap.d/openvswitch-plugin.filters.j2", dest: "/etc/neutron/rootwrap.d/openvswitch-plugin.filters" }
-    - { src: "rootwrap.d/ryu-plugin.filters", dest: "/etc/neutron/rootwrap.d/ryu-plugin.filters" }
+    - { src: "rootwrap.d/ryu-plugin.filters.j2", dest: "/etc/neutron/rootwrap.d/ryu-plugin.filters" }
-    - { src: "rootwrap.d/lbaas-haproxy.filters", dest: "/etc/neutron/rootwrap.d/lbaas-haproxy.filters" }
+    - { src: "rootwrap.d/lbaas-haproxy.filters.j2", dest: "/etc/neutron/rootwrap.d/lbaas-haproxy.filters" }
-    - { src: "rootwrap.d/vpnaas.filters", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" }
+    - { src: "rootwrap.d/vpnaas.filters.j2", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" }
-    - { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" }
+    - { src: "rootwrap.d/ebtables.filters.j2", dest: "/etc/neutron/rootwrap.d/ebtables.filters" }
   notify:
     - Restart neutron services
   tags:
     - neutron-config
 
 - name: Drop neutron agent filters
-  copy:
+  template:
-    src: "{{ item.value.service_rootwrap }}"
+    src: "{{ item.value.service_rootwrap }}.j2"
     dest: "/etc/neutron/{{ item.value.service_rootwrap }}"
     owner: "{{ neutron_system_user_name }}"
     group: "{{ neutron_system_group_name }}"
@@ -143,3 +143,19 @@
 - name: Setup PLUMgrid config
   include: plumgrid_config.yml
   when: neutron_plugin_type == 'plumgrid'
+
+- name: Get neutron command path
+  command: which neutron
+  register: neutron_command_path
+  when:
+    - not neutron_venv_enabled | bool
+  tags:
+    - neutron-command-bin
+
+- name: Set neutron command path
+  set_fact:
+    neutron_bin: "{{ neutron_command_path.stdout | dirname }}"
+  when:
+    - not neutron_venv_enabled | bool
+  tags:
+    - neutron-command-bin

playbooks/roles/os_neutron/tasks/neutron_pre_install.yml

@@ -40,6 +40,7 @@
     owner: "{{ item.owner|default(neutron_system_user_name) }}"
     group: "{{ item.group|default(neutron_system_group_name) }}"
   with_items:
+    - { path: "/openstack", owner: "root", group: "root" }
     - { path: "/etc/neutron" }
     - { path: "/etc/neutron/plugins" }
     - { path: "/etc/neutron/plugins/{{ neutron_plugin_type }}" }
@@ -53,6 +54,19 @@
   tags:
     - neutron-dirs
 
+- name: Create neutron venv dir
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    owner: "{{ item.owner|default(neutron_system_user_name) }}"
+    group: "{{ item.group|default(neutron_system_group_name) }}"
+  with_items:
+    - { path: "/openstack/venvs", mode: "0755", owner: "root", group: "root" }
+    - { path: "{{ neutron_venv_bin }}" }
+  when: neutron_venv_enabled | bool
+  tags:
+    - neutron-dirs
+
 - name: Test for log directory or link
   shell: |
     if [ -h "/var/log/neutron"  ]; then

playbooks/roles/os_neutron/tasks/plumgrid_config.yml

@@ -33,4 +33,7 @@
   retries: 5
   delay: 2
   when:
-    inventory_hostname in groups['neutron_server']
+    - inventory_hostname in groups['neutron_server']
+  tags:
+    - neutron-install
+    - neutron-pip-packages

playbooks/roles/os_neutron/templates/neutron-ha-tool.py.j2

@@ -21,6 +21,14 @@ from collections import OrderedDict
 import logging
 from logging.handlers import SysLogHandler
 import os
+
+{% if neutron_venv_enabled | bool %}
+
+activate_this = os.path.expanduser("{{ neutron_venv_bin }}/activate_this.py")
+execfile(activate_this, dict(__file__=activate_this))
+
+{% endif %}
+
 import random
 import sys
 import time

playbooks/roles/os_neutron/templates/neutron-upstart-init.j2

@@ -12,7 +12,7 @@ respawn
 respawn limit 10 5
 
 # Set the RUNBIN environment variable
-env RUNBIN="/usr/local/bin/{{ program_name }}"
+env RUNBIN="{{ neutron_bin }}/{{ program_name }}"
 
 # Change directory to service users home
 chdir "{{ service_home }}"
@@ -24,6 +24,11 @@ pre-start script
 
   mkdir -p "/var/lock/{{ program_name }}"
   chown {{ system_user }}:{{ system_group }} "/var/lock/{{ program_name }}"
+
+  {% if neutron_venv_enabled | bool -%}
+  . {{ neutron_venv_bin }}/activate
+  {%- endif %}
+
 end script
 
 # Post stop actions

playbooks/roles/os_neutron/templates/neutron.conf.j2

@@ -146,7 +146,7 @@ service_provider = VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsec
 [agent]
 polling_interval = {{ neutron_agent_polling_interval|default(5) }}
 report_interval = {{ neutron_report_interval|int }}
-root_helper = sudo /usr/local/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
+root_helper = sudo {{ neutron_bin }}/neutron-rootwrap /etc/neutron/rootwrap.conf
 
 # Messaging service
 [oslo_messaging_rabbit]

playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2

@@ -30,7 +30,7 @@ network_vlan_ranges = {{ neutron_provider_networks.network_vlan_ranges }}
 
 # ML2 VXLAN networks
 [ml2_type_vxlan]
-vxlan_group = {{ neutron_vxlan_group|default('') }}
+vxlan_group = {{ neutron_vxlan_group }}
 vni_ranges = {{ neutron_provider_networks.network_vxlan_ranges }}
 
 {% endif %}
@@ -41,23 +41,13 @@ vni_ranges = {{ neutron_provider_networks.network_vxlan_ranges }}
 # Linux bridge agent VXLAN networks
 [vxlan]
 
-{% if neutron_overlay_network %}
+{% if neutron_vxlan_enabled | bool %}
 
 enable_vxlan = True
-vxlan_group = {{ neutron_vxlan_group|default('') }}
+vxlan_group = {{ neutron_vxlan_group }}
 
-{% if (is_metal == true or is_metal == "True") and neutron_overlay_network.bridge is defined %}
+# VXLAN local tunnel endpoint
-{% set on_metal_tunnel_bridge = 'ansible_' + neutron_overlay_network.bridge|replace('-', '_') %}
+local_ip = {{ neutron_local_ip }}
-
-# VXLAN local tunnel endpoint (bare metal)
-local_ip = {{ hostvars[inventory_hostname][on_metal_tunnel_bridge]['ipv4']['address'] }}
-
-{% else %}
-
-# VXLAN local tunnel endpoint (container)
-local_ip = {{ neutron_overlay_network.address }}
-
-{% endif %}
 
 l2_population = {{ neutron_l2_population }}
 

playbooks/roles/os_neutron/templates/plugins/plumgrid/plumlib.ini

@@ -40,7 +40,7 @@ metadata_mode = local
 # Use "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" to use the real
 # root filter facility.
 # Change to "sudo" to skip the filtering and just run the comand directly
-root_helper_name = /usr/bin/neutron-rootwrap
+root_helper_name = {{ neutron_bin }}/neutron-rootwrap
 
 [keystone_authtoken]
 admin_user = {{ neutron_service_user_name  }}

playbooks/roles/os_neutron/templates/rootwrap.conf.j2

@@ -10,7 +10,7 @@ filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap
 # explicitely specify a full path (separated by ',')
 # If not specified, defaults to system PATH environment variable.
 # These directories MUST all be only writeable by root !
-exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
+exec_dirs={{ neutron_bin }},/sbin,/usr/sbin,/bin,/usr/bin
 
 # Enable logging to syslog
 # Default value is False

playbooks/roles/os_neutron/templates/rootwrap.d/dhcp.filters.j2

@@ -25,7 +25,8 @@ dhcp_release: CommandFilter, dhcp_release, root
 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
 # If installed from source (say, by devstack), the prefix will be
 # /usr/local instead of /usr/bin.
-metadata_proxy_local: CommandFilter, /usr/local/bin/neutron-ns-metadata-proxy, root
+
+metadata_proxy_local: CommandFilter, {{ neutron_bin }}/neutron-ns-metadata-proxy, root
 # RHEL invocation of the metadata proxy will report /usr/bin/python
 kill_metadata: KillFilter, root, python, -9
 kill_metadata7: KillFilter, root, python2.7, -9

playbooks/roles/os_neutron/templates/rootwrap.d/l3.filters.j2

@@ -20,7 +20,8 @@ radvd: CommandFilter, radvd, root
 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
 # If installed from source (say, by devstack), the prefix will be
 # /usr/local instead of /usr/bin.
-metadata_proxy_local: CommandFilter, /usr/local/bin/neutron-ns-metadata-proxy, root
+
+metadata_proxy_local: CommandFilter, {{ neutron_bin }}/neutron-ns-metadata-proxy, root
 # RHEL invocation of the metadata proxy will report /usr/bin/python
 kill_metadata: KillFilter, root, python, -9
 kill_metadata7: KillFilter, root, python2.7, -9

playbooks/roles/os_neutron/templates/sudoers.j2

@@ -1,4 +1,6 @@
 # {{ ansible_managed }}
 
-# Defaults:{{ neutron_system_user_name }}!requiretty
+Defaults:{{ neutron_system_user_name }} !requiretty
-{{ neutron_system_user_name }} ALL = (root) NOPASSWD: /usr/local/bin/{{ neutron_service_name }}-rootwrap
+Defaults:{{ neutron_system_user_name }} secure_path="{{ neutron_bin }}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+{{ neutron_system_user_name }} ALL = (root) NOPASSWD: {{ neutron_bin }}/{{ neutron_service_name }}-rootwrap