openstack/puppet-openstack-integration
Code Issues Proposed changes
4d165a20f7
puppet-openstack-integration/manifests/neutron.pp
Takashi Kajinami c39f49ed70 Neutron: Switch use_httpd according to os family 
Now deploying neutron api by wsgi server mechanism is recommended, we
should more actively test this scenario. Hide the flag to use this
pattern also in litmus job.

Change-Id: I178808488996adf1e357d21b08ae8249d84f3b0b
2024-10-26 01:24:38 +09:00

610 lines
20 KiB
Puppet
Raw Blame History

# Configure the Neutron service
#
# [*driver*]
# (optional) Neutron Driver to test
# Can be: openvswitch, linuxbridge or ovn.
# Defaults to 'openvswitch'.
#
# [*ovn_metadata_agent_enabled*]
# (optional) Enable ovn-metadata-agent
# Defaults to true
#
# [*metering_enabled*]
# (optional) Flag to enable metering agent
# Defaults to false.
#
# [*vpnaas_enabled*]
# (optional) Flag to enable VPNaaS.
# Defaults to false.
#
# [*taas_enabled*]
# (optional) Flag to enable TAPaaS.
# Defaults to false.
#
# [*bgpvpn_enabled*]
# (optional) Flag to enable BGPVPN API extensions.
# Defaults to false.
#
# [*l2gw_enabled*]
# (optional) Flag to enable L2GW.
# Defaults to false.
#
# [*bgp_dragent_enabled*]
# (optional) Flag to enable BGP dragent
# Defaults to false.
#
# [*baremetal_enabled*]
# (optional) Flag to enable networking-baremetal
# Defaults to false.
#
# [*notification_topics*]
# (optional) AMQP topic used for OpenStack notifications
# Defaults to $facts['os_service_default'].
#
class openstack_integration::neutron (
$driver = 'openvswitch',
$ovn_metadata_agent_enabled = true,
$metering_enabled = false,
$vpnaas_enabled = false,
$taas_enabled = false,
$bgpvpn_enabled = false,
$l2gw_enabled = false,
$bgp_dragent_enabled = false,
$baremetal_enabled = false,
$notification_topics = $facts['os_service_default'],
) {
$use_httpd = $facts['os']['family'] ? {
'RedHat' => true,
default => false,
}
include openstack_integration::config
include openstack_integration::params
if $driver == 'ovn' {
if $metering_enabled {
fail('Metering agent is not supported when ovn mechanism driver is used.')
}
if $bgpvpn_enabled {
fail('BGP VPN is not supported when ovn mechanism driver is used.')
}
if $l2gw_enabled {
fail('L2GW is not supported when ovn mechanism driver is used.')
}
if $bgp_dragent_enabled {
fail('BGP dragent is not supported when ovn mechanism driver is used.')
}
}
if $driver != 'openvswitch' and $taas_enabled {
fail('TaaS is supported only when ovs mechanism driver is used.')
}
if $::openstack_integration::config::ssl {
$api_service = $use_httpd ? {
true => 'httpd',
default => 'neutron-server',
}
openstack_integration::ssl_key { 'neutron':
notify => Service[$api_service],
require => Anchor['neutron::install::end'],
}
Exec['update-ca-certificates'] ~> Service[$api_service]
if $driver == 'ovn' {
openstack_integration::ovn::ssl_key { 'neutron':
notify => Anchor['neutron::service::begin'],
require => Anchor['neutron::install::end'],
}
}
}
if $facts['os']['name'] == 'CentOS' {
# os_neutron_dac_override should be on to start privsep-helper
# See https://bugzilla.redhat.com/show_bug.cgi?id=1850973
selboolean { 'os_neutron_dac_override':
persistent => true,
value => on,
require => Package['openstack-selinux'],
before => Anchor['neutron::service::begin'],
}
if $driver == 'openvswitch' or $driver == 'linuxbridge' {
selboolean { 'os_dnsmasq_dac_override':
persistent => true,
value => on,
require => Package['openstack-selinux'],
before => Anchor['neutron::service::begin'],
}
selboolean { 'os_keepalived_dac_override':
persistent => true,
value => on,
require => Package['openstack-selinux'],
before => Anchor['neutron::service::begin'],
}
}
}
openstack_integration::mq_user { 'neutron':
password => 'an_even_bigger_secret',
before => Anchor['neutron::service::begin'],
}
case $driver {
'openvswitch': {
require openstack_integration::ovs
}
'ovn': {
require openstack_integration::ovn
}
'linuxbridge': {
exec { 'create_dummy_iface':
path => '/usr/bin:/bin:/usr/sbin:/sbin',
provider => shell,
unless => 'ip l show loop0',
command => 'ip link add name loop0 type dummy && ip addr add 172.24.5.1/24 dev loop0 && ip link set loop0 up',
}
}
default: {
fail("Unsupported neutron driver (${driver})")
}
}
class { 'neutron::db::mysql':
charset => $::openstack_integration::params::mysql_charset,
collate => $::openstack_integration::params::mysql_collate,
password => 'neutron',
host => $::openstack_integration::config::host,
}
class { 'neutron::keystone::auth':
public_url => "${::openstack_integration::config::base_url}:9696",
internal_url => "${::openstack_integration::config::base_url}:9696",
admin_url => "${::openstack_integration::config::base_url}:9696",
roles => ['admin', 'service'],
password => 'a_big_secret',
}
if $driver == 'ovn' {
$dhcp_agent_notification = false
$vpaaas_plugin = $vpnaas_enabled ? {
true => 'ovn-vpnaas',
default => undef,
}
$plugins_list = delete_undef_values([
'qos', 'ovn-router', 'trunk', $vpaaas_plugin,
])
} else {
$dhcp_agent_notification = true
$metering_plugin = $metering_enabled ? {
true => 'metering',
default => undef,
}
$vpaaas_plugin = $vpnaas_enabled ? {
true => 'vpnaas',
default => undef,
}
$taas_plugin = $taas_enabled ? {
true => 'taas',
default => undef,
}
$bgpvpn_plugin = $bgpvpn_enabled ? {
true => 'bgpvpn',
default => undef,
}
$l2gw_plugin = $l2gw_enabled ? {
true => 'l2gw',
default => undef,
}
$bgp_dr_plugin = $bgp_dragent_enabled ? {
true => 'bgp',
default => undef,
}
$plugins_list = delete_undef_values([
'router', 'qos', 'trunk',
$metering_plugin,
$vpaaas_plugin,
$taas_plugin,
$bgpvpn_plugin,
$l2gw_plugin,
$bgp_dr_plugin
])
}
if $driver == 'linuxbridge' {
$global_physnet_mtu = '1450'
} else {
$global_physnet_mtu = undef
}
class { 'neutron::logging':
debug => true,
}
class { 'neutron':
default_transport_url => os_transport_url({
'transport' => $::openstack_integration::config::messaging_default_proto,
'host' => $::openstack_integration::config::host,
'port' => $::openstack_integration::config::messaging_default_port,
'username' => 'neutron',
'password' => 'an_even_bigger_secret',
}),
notification_transport_url => os_transport_url({
'transport' => $::openstack_integration::config::messaging_notify_proto,
'host' => $::openstack_integration::config::host,
'port' => $::openstack_integration::config::messaging_notify_port,
'username' => 'neutron',
'password' => 'an_even_bigger_secret',
}),
rabbit_use_ssl => $::openstack_integration::config::ssl,
core_plugin => 'ml2',
service_plugins => $plugins_list,
bind_host => $::openstack_integration::config::host,
use_ssl => $::openstack_integration::config::ssl,
cert_file => $::openstack_integration::params::cert_path,
key_file => "/etc/neutron/ssl/private/${facts['networking']['fqdn']}.pem",
notification_topics => $notification_topics,
notification_driver => 'messagingv2',
global_physnet_mtu => $global_physnet_mtu,
dhcp_agent_notification => $dhcp_agent_notification,
}
class { 'neutron::keystone::authtoken':
password => 'a_big_secret',
user_domain_name => 'Default',
project_domain_name => 'Default',
auth_url => $::openstack_integration::config::keystone_admin_uri,
www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
memcached_servers => $::openstack_integration::config::memcached_servers,
service_token_roles_required => true,
}
if $facts['os']['family'] == 'Debian' {
$auth_url = $::openstack_integration::config::keystone_auth_uri
$auth_opts = "--os-auth-url ${auth_url} --os-project-name services --os-username neutron --os-identity-api-version 3"
exec { 'check-neutron-server':
command => "openstack ${auth_opts} network list",
environment => ['OS_PASSWORD=a_big_secret'],
path => '/usr/bin:/bin:/usr/sbin:/sbin',
provider => shell,
timeout => 60,
tries => 10,
try_sleep => 2,
refreshonly => true,
}
Anchor['neutron::service::end'] ~> Exec['check-neutron-server'] -> Neutron_network<||>
}
class { 'neutron::cache':
backend => $::openstack_integration::config::cache_driver,
enabled => true,
memcache_servers => $::openstack_integration::config::memcache_servers,
redis_server => $::openstack_integration::config::redis_server,
redis_password => 'a_big_secret',
redis_sentinels => $::openstack_integration::config::redis_sentinel_server,
tls_enabled => $::openstack_integration::config::cache_tls_enabled,
}
class { 'neutron::db':
database_connection => os_database_connection({
'dialect' => 'mysql+pymysql',
'host' => $::openstack_integration::config::ip_for_url,
'username' => 'neutron',
'password' => 'neutron',
'database' => 'neutron',
'charset' => 'utf8',
'extra' => $::openstack_integration::config::db_extra,
}),
}
if $use_httpd {
class { 'neutron::wsgi::apache':
bind_host => $::openstack_integration::config::host,
ssl_key => "/etc/neutron/ssl/private/${facts['networking']['fqdn']}.pem",
ssl_cert => $::openstack_integration::params::cert_path,
ssl => $::openstack_integration::config::ssl,
workers => 2,
}
$vpnaas_conf = $vpnaas_enabled ? {
true => 'neutron_vpnaas.conf',
default => undef,
}
$taas_conf = $taas_enabled ? {
true => 'taas_plugin.ini',
default => undef,
}
$bgpvpn_conf = $bgpvpn_enabled ? {
true => 'networking_bgpvpn.conf',
default => undef,
}
$l2gw_conf = $l2gw_enabled ? {
true => 'l2gw_plugin.ini',
default => undef,
}
$neutron_conf_files = delete_undef_values([
'neutron.conf', 'plugins/ml2/ml2_conf.ini',
$vpnaas_conf, $taas_conf, $bgpvpn_conf, $l2gw_conf
])
# TODO(tkajinam): Should this be in puppet-neutron ?
systemd::dropin_file { 'apache-os-neutron':
unit => "${::apache::service::service_name}.service",
filename => 'os-neutron.conf',
content => "[Service]
Environment=OS_NEUTRON_CONFIG_FILES=${join($neutron_conf_files, ';')}",
require => Package['httpd'],
}
$server_service_name = false
$api_service_name = 'httpd'
} else {
$server_service_name = $::neutron::params::server_service
$api_service_name = $::neutron::params::api_service_name
}
$rpc_workers = $driver ? {
'ovn' => $vpnaas_enabled ? {
true => 2,
default => 0,
},
default => 2,
}
$rpc_state_report_workers = $driver ? {
'ovn' => 0,
default => $facts['os_service_default'],
}
$rpc_service_name = $rpc_workers ? {
0 => false,
default => $::neutron::params::rpc_service_name
}
class { 'neutron::server':
sync_db => true,
api_workers => 2,
rpc_workers => $rpc_workers,
rpc_state_report_workers => $rpc_state_report_workers,
rpc_response_max_timeout => 300,
service_name => $server_service_name,
api_service_name => $api_service_name,
rpc_service_name => $rpc_service_name,
}
$overlay_network_type = $driver ? {
'ovn' => 'geneve',
default => 'vxlan'
}
$max_header_size = $driver ? {
'ovn' => 38,
default => $facts['os_service_default']
}
$drivers_real = $baremetal_enabled ? {
true => [$driver, 'baremetal'],
default => [$driver],
}
class { 'neutron::plugins::ml2':
type_drivers => [$overlay_network_type, 'vlan', 'flat'],
tenant_network_types => [$overlay_network_type],
extension_drivers => 'port_security,qos',
mechanism_drivers => $drivers_real,
network_vlan_ranges => 'external:1000:2999',
max_header_size => $max_header_size,
overlay_ip_version => $::openstack_integration::config::ip_version,
}
case $driver {
'openvswitch': {
$agent_extensions = $taas_enabled ? {
true => ['taas'],
default => $facts['os_service_default'],
}
class { 'neutron::agents::ml2::ovs':
local_ip => $::openstack_integration::config::host,
tunnel_types => ['vxlan'],
bridge_mappings => ['external:br-ex'],
manage_vswitch => false,
firewall_driver => 'iptables_hybrid',
of_listen_address => $::openstack_integration::config::host,
extensions => $agent_extensions,
}
}
'ovn': {
# NOTE(tkajinam): neutron::plugins::ml2::ovn requires neutron::plugins::ml2,
# thus it should be included after neutron::plugins::ml2.
class { 'neutron::plugins::ml2::ovn':
ovn_nb_connection => $::openstack_integration::config::ovn_nb_connection,
ovn_nb_private_key => '/etc/neutron/ovnnb-privkey.pem',
ovn_nb_certificate => '/etc/neutron/ovnnb-cert.pem',
ovn_nb_ca_cert => '/etc/neutron/switchcacert.pem',
ovn_sb_connection => $::openstack_integration::config::ovn_sb_connection,
ovn_sb_private_key => '/etc/neutron/ovnsb-privkey.pem',
ovn_sb_certificate => '/etc/neutron/ovnsb-cert.pem',
ovn_sb_ca_cert => '/etc/neutron/switchcacert.pem',
ovn_metadata_enabled => true,
}
}
'linuxbridge': {
class { 'neutron::agents::ml2::linuxbridge':
local_ip => $facts['networking']['ip'],
tunnel_types => ['vxlan'],
physical_interface_mappings => ['external:loop0'],
firewall_driver => 'iptables',
}
}
default: {
fail("Unsupported neutron driver (${driver})")
}
}
if $driver == 'ovn' {
# NOTE(tkajinam): ovn-agent is currently available only in RDO
if $facts['os']['family'] == 'RedHat' {
$ovn_agent_extensions = $ovn_metadata_agent_enabled ? {
false => ['metadata'],
default => undef
}
if ! $ovn_metadata_agent_enabled {
class { 'neutron::agents::ml2::ovn::metadata':
shared_secret => 'a_big_secret',
metadata_host => $::openstack_integration::config::host,
metadata_protocol => $::openstack_integration::config::proto,
}
}
class { 'neutron::agents::ml2::ovn':
debug => true,
extensions => $ovn_agent_extensions,
ovn_nb_connection => $::openstack_integration::config::ovn_nb_connection,
ovn_nb_private_key => '/etc/neutron/ovnnb-privkey.pem',
ovn_nb_certificate => '/etc/neutron/ovnnb-cert.pem',
ovn_nb_ca_cert => '/etc/neutron/switchcacert.pem',
ovn_sb_connection => $::openstack_integration::config::ovn_sb_connection,
ovn_sb_private_key => '/etc/neutron/ovnsb-privkey.pem',
ovn_sb_certificate => '/etc/neutron/ovnsb-cert.pem',
ovn_sb_ca_cert => '/etc/neutron/switchcacert.pem',
}
}
if $ovn_metadata_agent_enabled {
class { 'neutron::agents::ovn_metadata':
debug => true,
shared_secret => 'a_big_secret',
metadata_host => $::openstack_integration::config::host,
metadata_protocol => $::openstack_integration::config::proto,
ovn_sb_connection => $::openstack_integration::config::ovn_sb_connection,
ovn_sb_private_key => '/etc/neutron/ovnsb-privkey.pem',
ovn_sb_certificate => '/etc/neutron/ovnsb-cert.pem',
ovn_sb_ca_cert => '/etc/neutron/switchcacert.pem',
}
}
$vpn_device_driver = $facts['os']['family'] ? {
'Debian' => 'neutron_vpnaas.services.vpn.device_drivers.ovn_ipsec.OvnStrongSwanDriver',
default => 'neutron_vpnaas.services.vpn.device_drivers.ovn_ipsec.OvnLibreSwanDriver',
}
$vpnaas_driver = 'neutron_vpnaas.services.vpn.service_drivers.ovn_ipsec.IPsecOvnVPNDriver'
if $vpnaas_enabled {
class { 'neutron::agents::vpnaas::ovn':
debug => true,
vpn_device_driver => $vpn_device_driver,
interface_driver => 'openvswitch',
ovn_sb_connection => $::openstack_integration::config::ovn_sb_connection,
ovn_sb_private_key => '/etc/neutron/ovnsb-privkey.pem',
ovn_sb_certificate => '/etc/neutron/ovnsb-cert.pem',
ovn_sb_ca_cert => '/etc/neutron/switchcacert.pem',
}
}
if $use_httpd {
class { 'neutron::plugins::ml2::ovn::maintenance_worker': }
}
} else {
class { 'neutron::agents::metadata':
debug => true,
shared_secret => 'a_big_secret',
metadata_workers => 2,
metadata_host => $::openstack_integration::config::host,
metadata_protocol => $::openstack_integration::config::proto,
}
$l3_extensions = $vpnaas_enabled ? {
true => ['vpnaas'],
default => $facts['os_service_default'],
}
class { 'neutron::agents::l3':
interface_driver => $driver,
debug => true,
extensions => $l3_extensions,
}
class { 'neutron::agents::dhcp':
interface_driver => $driver,
debug => true,
}
if $metering_enabled {
class { 'neutron::agents::metering':
interface_driver => $driver,
debug => true,
}
}
$vpn_device_driver = $facts['os']['family'] ? {
'Debian' => 'neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver',
default => 'neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver'
}
$vpnaas_driver = 'neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver'
if $vpnaas_enabled {
class { 'neutron::agents::vpnaas':
vpn_device_driver => $vpn_device_driver,
interface_driver => $driver,
}
}
if $taas_enabled {
class { 'neutron::agents::taas': }
class { 'neutron::services::taas': }
}
if $l2gw_enabled {
class { 'neutron::services::l2gw':
# NOTE(tkajinm): This value is picked up from the one used in CI, but is
# apparently wrong (It should have rpc_l2gw), but we can't enable
# the correct provider because of incomplete setup we have in CI.
service_providers => ['L2GW:l2gw:networking_l2gw.services.l2gateway.service_drivers.L2gwDriver:default']
}
class { 'neutron::agents::l2gw': }
}
if $bgpvpn_enabled {
class {'neutron::services::bgpvpn':
service_providers => 'BGPVPN:Dummy:networking_bgpvpn.neutron.services.service_drivers.driver_api.BGPVPNDriver:default'
}
}
if $bgp_dragent_enabled {
class {'neutron::services::dr': }
class {'neutron::agents::bgp_dragent':
bgp_router_id => '127.0.0.1'
}
}
}
if $vpnaas_enabled {
$vpnaas_service_provider = $facts['os']['family'] ? {
'Debian' => 'strongswan',
default => 'openswan'
}
class { 'neutron::services::vpnaas':
service_providers => join([
'VPN',
$vpnaas_service_provider,
$vpnaas_driver,
'default'
], ':')
}
}
if $baremetal_enabled {
class { 'neutron::plugins::ml2::networking_baremetal': }
class { 'neutron::agents::ml2::networking_baremetal':
auth_url => $::openstack_integration::config::keystone_admin_uri,
password => 'a_big_secret',
}
class { 'neutron::server::notifications::ironic':
auth_url => $::openstack_integration::config::keystone_admin_uri,
password => 'a_big_secret',
}
Anchor['ironic::service::end'] -> Service['ironic-neutron-agent-service']
}
class { 'neutron::server::notifications::nova':
auth_url => $::openstack_integration::config::keystone_admin_uri,
password => 'a_big_secret',
}
class { 'neutron::server::notifications': }
class { 'neutron::server::placement':
auth_url => $::openstack_integration::config::keystone_admin_uri,
password => 'a_big_secret',
}
}
View Git Blame Copy Permalink