From 11ed1331a17b2d55e6d687bf98829e1c4f410a84 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Thu, 10 Aug 2023 00:28:06 +0900 Subject: [PATCH] Neutron: Run neutron api by httpd + mod_wsgi This updates neutron deployment to use httpd + mod_wsgi to run api. This is the recommended way to deploy neutron now since the existing monolithic neutron-server will be removed as part of eventlet removal initiative. Note that the change is made only in CentOS because Ubuntu does not provide the separate service for rpc-server now. Depends-on: https://review.opendev.org/c/openstack/puppet-ovn/+/933340 Change-Id: I4cd0b9b0ec5a4c98d35a2517d94131e2cdb7e894 --- copy_logs.sh | 20 +++++++++--- fixtures/scenario001.pp | 3 ++ fixtures/scenario002.pp | 3 ++ fixtures/scenario003.pp | 5 ++- fixtures/scenario004.pp | 3 ++ fixtures/scenario005.pp | 3 ++ manifests/neutron.pp | 72 +++++++++++++++++++++++++++++++++++++++-- manifests/ovn.pp | 16 +++++---- 8 files changed, 111 insertions(+), 14 deletions(-) diff --git a/copy_logs.sh b/copy_logs.sh index 5067967eb..3aa6c3a97 100755 --- a/copy_logs.sh +++ b/copy_logs.sh @@ -368,14 +368,26 @@ sudo ps -eo user,pid,ppid,lwp,%cpu,%mem,size,rss,cmd > $LOG_DIR/ps.txt sudo ip -d address > $LOG_DIR/ip_-d_address.txt sudo brctl show > $LOG_DIR/brctl_show.txt if [ `command -v ovs-vsctl` ]; then - sudo ovs-vsctl show > $LOG_DIR/ovs-vsctl_show.txt - sudo ovs-vsctl list open_vswitch > $LOG_DIR/ovs-vsctl_list_open_vswitch.txt + echo "== ovs-vsctl list open_vswitch ==" > $LOG_DIR/ovs-vsctl.txt + sudo ovs-vsctl list open_vswitch >> $LOG_DIR/ovs-vsctl.txt + echo "== ovs-vsctl show ==" >> $LOG_DIR/ovs-vsctl.txt + sudo ovs-vsctl show >> $LOG_DIR/ovs-vsctl.txt fi if [ `command -v ovn-nbctl` ]; then - sudo ovn-nbctl show > $LOG_DIR/ovn-nbctl_show.txt + echo "== ovn-nbctl get-connection ==" > $LOG_DIR/ovn-nbctl.txt + sudo ovn-nbctl get-connection >> $LOG_DIR/ovn-nbctl.txt + echo "== ovn-nbctl list connection ==" >> $LOG_DIR/ovn-nbctl.txt + sudo ovn-nbctl list connection >> $LOG_DIR/ovn-nbctl.txt + echo "== ovn-nbctl show ==" >> $LOG_DIR/ovn-nbctl.txt + sudo ovn-nbctl show >> $LOG_DIR/ovn-nbctl.txt fi if [ `command -v ovn-sbctl` ]; then - sudo ovn-sbctl show > $LOG_DIR/ovn-sbctl_show.txt + echo "== ovn-sbctl get-connection ==" > $LOG_DIR/ovn-sbctl.txt + sudo ovn-sbctl get-connection >> $LOG_DIR/ovn-sbctl.txt + echo "== ovn-sbctl list connection ==" >> $LOG_DIR/ovn-sbctl.txt + sudo ovn-sbctl list connection >> $LOG_DIR/ovn-sbctl.txt + echo "== ovn-sbctl show ==" >> $LOG_DIR/ovn-sbctl.txt + sudo ovn-sbctl show >> $LOG_DIR/ovn-sbctl.txt fi sudo netstat -tulpn > $LOG_DIR/netstat.txt sudo LC_CTYPE=C SYSTEMD_COLORS=false systemctl status --all --no-pager 2>/dev/null > $LOG_DIR/systemctl.txt diff --git a/fixtures/scenario001.pp b/fixtures/scenario001.pp index 1509eb83b..ebbb51cf5 100644 --- a/fixtures/scenario001.pp +++ b/fixtures/scenario001.pp @@ -24,10 +24,12 @@ case $facts['os']['family'] { 'Debian': { $ipv6 = false $cache_backend = 'memcached' + $neutron_use_httpd = false } 'RedHat': { $ipv6 = true $cache_backend = 'redis' + $neutron_use_httpd = true } default: { fail("Unsupported osfamily (${facts['os']['family']})") @@ -59,6 +61,7 @@ class { 'openstack_integration::glance': } class { 'openstack_integration::neutron': notification_topics => ['notifications', 'vitrage_notifications'], + use_httpd => $neutron_use_httpd, metering_enabled => true, } include openstack_integration::placement diff --git a/fixtures/scenario002.pp b/fixtures/scenario002.pp index f38eefb9e..b31eec85e 100644 --- a/fixtures/scenario002.pp +++ b/fixtures/scenario002.pp @@ -26,12 +26,14 @@ case $facts['os']['family'] { $cache_backend = 'memcached' $django_cache_backend = 'memcached' $tooz_backend = 'redis' + $neutron_use_httpd = false } 'RedHat': { $ipv6 = false $cache_backend = 'redis_sentinel' $django_cache_backend = 'redis' $tooz_backend = 'redis_sentinel' + $neutron_use_httpd = true } default: { fail("Unsupported osfamily (${facts['os']['family']})") @@ -63,6 +65,7 @@ class { 'openstack_integration::glance': image_encryption => true, } class { 'openstack_integration::neutron': + use_httpd => $neutron_use_httpd, baremetal_enabled => true, metering_enabled => true, } diff --git a/fixtures/scenario003.pp b/fixtures/scenario003.pp index dd2168b66..80b04da65 100644 --- a/fixtures/scenario003.pp +++ b/fixtures/scenario003.pp @@ -26,10 +26,12 @@ case $facts['os']['family'] { # NOTE(tkajinam): UCA Caracal does not provide trove packages # https://bugs.launchpad.net/ubuntu/+source/openstack-trove/+bug/2064838 $trove_enabled = false + $neutron_use_httpd = false } 'RedHat': { $ipv6 = true $trove_enabled = true + $neutron_use_httpd = true } default: { fail("Unsupported osfamily (${facts['os']['family']})") @@ -54,7 +56,8 @@ include openstack_integration::keystone include openstack_integration::glance class { 'openstack_integration::neutron': - driver => 'ovn', + use_httpd => $neutron_use_httpd, + driver => 'ovn', } include openstack_integration::placement class { 'openstack_integration::nova': diff --git a/fixtures/scenario004.pp b/fixtures/scenario004.pp index 685c8a5fd..654c494e0 100644 --- a/fixtures/scenario004.pp +++ b/fixtures/scenario004.pp @@ -23,6 +23,7 @@ if $facts['os']['name'] == 'Ubuntu' { case $facts['os']['family'] { 'Debian': { $ipv6 = false + $neutron_use_httpd = false # TODO(tkajinam): Need additional work to load the plugins $bgpvpn_enabled = false $l2gw_enabled = false @@ -32,6 +33,7 @@ case $facts['os']['family'] { } 'RedHat': { $ipv6 = true + $neutron_use_httpd = true $bgpvpn_enabled = true $l2gw_enabled = true $bgp_dragent_enabled = true @@ -64,6 +66,7 @@ class { 'openstack_integration::glance': } class { 'openstack_integration::neutron': + use_httpd => $neutron_use_httpd, vpnaas_enabled => $vpnaas_enabled, taas_enabled => $taas_enabled, bgpvpn_enabled => $bgpvpn_enabled, diff --git a/fixtures/scenario005.pp b/fixtures/scenario005.pp index b27545dd8..b1fd63b46 100644 --- a/fixtures/scenario005.pp +++ b/fixtures/scenario005.pp @@ -23,6 +23,7 @@ if $facts['os']['name'] == 'Ubuntu' { case $facts['os']['family'] { 'Debian': { $ipv6 = false + $neutron_use_httpd = false $ovn_metadata_agent_enabled = true $jobboard_backend = 'redis' # TODO(tkajinam): Enable these along with the other plugins @@ -30,6 +31,7 @@ case $facts['os']['family'] { } 'RedHat': { $ipv6 = true + $neutron_use_httpd = true $ovn_metadata_agent_enabled = false $jobboard_backend = 'redis_sentinel' $vpnaas_enabled = true @@ -60,6 +62,7 @@ class { 'openstack_integration::glance': show_multiple_locations => true, } class { 'openstack_integration::neutron': + use_httpd => $neutron_use_httpd, driver => 'ovn', ovn_metadata_agent_enabled => $ovn_metadata_agent_enabled, vpnaas_enabled => $vpnaas_enabled diff --git a/manifests/neutron.pp b/manifests/neutron.pp index c6d77cb53..8a528c5eb 100644 --- a/manifests/neutron.pp +++ b/manifests/neutron.pp @@ -5,6 +5,10 @@ # Can be: openvswitch, linuxbridge or ovn. # Defaults to 'openvswitch'. # +# [*use_httpd*] +# (optional) Use httpd to run neutron api +# Defaults to false +# # [*ovn_metadata_agent_enabled*] # (optional) Enable ovn-metadata-agent # Defaults to true @@ -43,6 +47,7 @@ # class openstack_integration::neutron ( $driver = 'openvswitch', + $use_httpd = false, $ovn_metadata_agent_enabled = true, $metering_enabled = false, $vpnaas_enabled = false, @@ -77,11 +82,16 @@ class openstack_integration::neutron ( } if $::openstack_integration::config::ssl { + $api_service = $use_httpd ? { + true => 'httpd', + default => 'neutron-server', + } + openstack_integration::ssl_key { 'neutron': - notify => Service['neutron-server'], + notify => Service[$api_service], require => Anchor['neutron::install::end'], } - Exec['update-ca-certificates'] ~> Service<| tag == 'neutron-service' |> + Exec['update-ca-certificates'] ~> Service[$api_service] if $driver == 'ovn' { openstack_integration::ovn::ssl_key { 'neutron': @@ -286,6 +296,53 @@ class openstack_integration::neutron ( }), } + if $use_httpd { + class { 'neutron::wsgi::apache': + bind_host => $::openstack_integration::config::host, + ssl_key => "/etc/neutron/ssl/private/${facts['networking']['fqdn']}.pem", + ssl_cert => $::openstack_integration::params::cert_path, + ssl => $::openstack_integration::config::ssl, + workers => 2, + } + + $vpnaas_conf = $vpnaas_enabled ? { + true => 'neutron_vpnaas.conf', + default => undef, + } + $taas_conf = $taas_enabled ? { + true => 'taas_plugin.ini', + default => undef, + } + $bgpvpn_conf = $bgpvpn_enabled ? { + true => 'networking_bgpvpn.conf', + default => undef, + } + $l2gw_conf = $l2gw_enabled ? { + true => 'l2gw_plugin.ini', + default => undef, + } + + $neutron_conf_files = delete_undef_values([ + 'neutron.conf', 'plugins/ml2/ml2_conf.ini', + $vpnaas_conf, $taas_conf, $bgpvpn_conf, $l2gw_conf + ]) + + # TODO(tkajinam): Should this be in puppet-neutron ? + systemd::dropin_file { 'apache-os-neutron': + unit => "${::apache::service::service_name}.service", + filename => 'os-neutron.conf', + content => "[Service] +Environment=OS_NEUTRON_CONFIG_FILES=${join($neutron_conf_files, ';')}", + require => Package['httpd'], + } + + $server_service_name = false + $api_service_name = 'httpd' + } else { + $server_service_name = $::neutron::params::server_service + $api_service_name = $::neutron::params::api_service_name + } + $rpc_workers = $driver ? { 'ovn' => $vpnaas_enabled ? { true => 2, @@ -297,6 +354,10 @@ class openstack_integration::neutron ( 'ovn' => 0, default => $facts['os_service_default'], } + $rpc_service_name = $rpc_workers ? { + 0 => false, + default => $::neutron::params::rpc_service_name + } class { 'neutron::server': sync_db => true, @@ -304,6 +365,9 @@ class openstack_integration::neutron ( rpc_workers => $rpc_workers, rpc_state_report_workers => $rpc_state_report_workers, rpc_response_max_timeout => 300, + service_name => $server_service_name, + api_service_name => $api_service_name, + rpc_service_name => $rpc_service_name, } $overlay_network_type = $driver ? { @@ -430,6 +494,10 @@ class openstack_integration::neutron ( ovn_sb_ca_cert => '/etc/neutron/switchcacert.pem', } } + + if $use_httpd { + class { 'neutron::plugins::ml2::ovn::maintenance_worker': } + } } else { class { 'neutron::agents::metadata': debug => true, diff --git a/manifests/ovn.pp b/manifests/ovn.pp index 0f0421199..2a105ee56 100644 --- a/manifests/ovn.pp +++ b/manifests/ovn.pp @@ -55,13 +55,15 @@ class openstack_integration::ovn( } class { 'ovn::northd': - dbs_listen_ip => $::openstack_integration::config::ip_for_url, - ovn_nb_db_ssl_key => $ovn_nb_db_ssl_key, - ovn_nb_db_ssl_cert => $ovn_nb_db_ssl_cert, - ovn_nb_db_ssl_ca_cert => $ovn_nb_db_ssl_ca_cert, - ovn_sb_db_ssl_key => $ovn_sb_db_ssl_key, - ovn_sb_db_ssl_cert => $ovn_sb_db_ssl_cert, - ovn_sb_db_ssl_ca_cert => $ovn_sb_db_ssl_ca_cert, + dbs_listen_ip => $::openstack_integration::config::ip_for_url, + ovn_nb_db_ssl_key => $ovn_nb_db_ssl_key, + ovn_nb_db_ssl_cert => $ovn_nb_db_ssl_cert, + ovn_nb_db_ssl_ca_cert => $ovn_nb_db_ssl_ca_cert, + ovn_sb_db_ssl_key => $ovn_sb_db_ssl_key, + ovn_sb_db_ssl_cert => $ovn_sb_db_ssl_cert, + ovn_sb_db_ssl_ca_cert => $ovn_sb_db_ssl_ca_cert, + ovn_nb_db_inactivity_probe => 120000, + ovn_sb_db_inactivity_probe => 120000, } class { 'ovn::controller': ovn_remote => $::openstack_integration::config::ovn_sb_connection,