OVN BGP Agent support
It is in charge of creating the right config files for the
ovn-bgp-agent and of restarting the service.
Change-Id: I30e2c44d734e28ecf5ba573a53e24b544d156597
Co-Authored-By: Carlos Goncalves <cgoncalves@redhat.com>
(cherry picked from commit 61784d75e9
)
This commit is contained in:
parent
c7eff95ac4
commit
14fcb36d42
|
@ -61,3 +61,21 @@ tripleo_frr_conf_custom_globals: ''
|
|||
tripleo_frr_conf_custom_router_bgp: ''
|
||||
tripleo_frr_conf_custom_ipv4: ''
|
||||
tripleo_frr_conf_custom_ipv6: ''
|
||||
|
||||
# BGP agent
|
||||
tripleo_frr_ovn_bgp_agent_enable: true
|
||||
tripleo_frr_ovn_bgp_agent_debug: true
|
||||
tripleo_frr_ovn_bgp_agent_reconcile_interval: 120
|
||||
tripleo_frr_ovn_bgp_agent_expose_tenant_networks: false
|
||||
tripleo_frr_ovn_bgp_agent_driver: ovn_bgp_driver
|
||||
tripleo_frr_ovn_bgp_agent_private_key: /etc/pki/tls/private/ovn_bgp_agent.key
|
||||
tripleo_frr_ovn_bgp_agent_certificate: /etc/pki/tls/certs/ovn_bgp_agent.crt
|
||||
tripleo_frr_ovn_bgp_agent_ca_cert: /etc/ipa/ca.crt
|
||||
tripleo_frr_ovn_bgp_agent_internal_tls_enable: false
|
||||
tripleo_frr_ovn_bgp_agent_config_basedir: "/var/lib/config-data/ansible-generated/ovn-bgp-agent"
|
||||
tripleo_frr_ovn_bgp_agent_bridge_mappings: []
|
||||
tripleo_frr_ovn_bgp_agent_bgp_as: 64999
|
||||
tripleo_frr_ovn_bgp_agent_root_helper: "sudo ovn-bgp-agent-rootwrap /etc/ovn-bgp-agent/rootwrap.conf"
|
||||
tripleo_frr_ovn_bgp_agent_root_helper_daemon: "sudo ovn-bgp-agent-rootwrap-daemon /etc/ovn-bgp-agent/rootwrap.conf"
|
||||
tripleo_frr_ovn_bgp_agent_ovsdb_connection: "tcp:127.0.0.1:6640"
|
||||
tripleo_frr_ovn_bgp_agent_ovs_manager: "ptcp:6640:127.0.0.1"
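Review bot: The eighteen new `tripleo_frr_ovn_bgp_agent_*` defaults are introduced under a single `# BGP agent` line with no per-variable documentation, and two of them deserve an explicit comment. `tripleo_frr_ovn_bgp_agent_debug: true` enables debug logging out of the box, which is an unusual production default; either flip it to `false` or add `# Debug logging is on by default so that first deployments are diagnosable; set to false in production.` so the choice is visibly deliberate. `tripleo_frr_ovn_bgp_agent_ovs_manager: "ptcp:6640:127.0.0.1"` is applied by `ovs-vsctl set-manager` in the new tasks file and opens a passive, unauthenticated OVSDB listener on loopback; it is local-only, but every local process can then read and change OVS state through it, so a comment stating why a `punix:` socket is not used (presumably the agent's ovsdb client needs TCP — worth confirming) would help reviewers and operators.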
|
||||
|
|
|
@ -98,3 +98,7 @@
|
|||
state: restarted
|
||||
when:
|
||||
- frr_active_service.rc == 0
|
||||
|
||||
- name: include OVN BGP agent
|
||||
include_tasks: ovn_bgp_agent.yml
|
||||
when: tripleo_frr_ovn_bgp_agent_enable | bool
|
||||
|
|
|
@ -0,0 +1,93 @@
|
|||
---
|
||||
# Copyright 2021 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
- name: create OVN BGP agent directories
|
||||
ansible.builtin.file:
|
||||
path: "{{ tripleo_frr_ovn_bgp_agent_config_basedir }}/etc/ovn-bgp-agent/rootwrap.d"
|
||||
recurse: true
|
||||
state: directory
|
||||
selevel: s0
|
||||
setype: container_file_t
|
||||
|
||||
- name: configure OVN BGP agent
|
||||
ansible.builtin.template:
|
||||
src: ovn-bgp-agent.conf.j2
|
||||
dest: "{{ tripleo_frr_ovn_bgp_agent_config_basedir }}/etc/ovn-bgp-agent/bgp-agent.conf"
|
||||
mode: '640'
|
||||
selevel: s0
|
||||
setype: container_file_t
|
||||
register: _ovn_bgp_agent_config_result
|
||||
|
||||
- name: configure OVN BGP agent rootwrap
|
||||
ansible.builtin.template:
|
||||
src: rootwrap.conf.j2
|
||||
dest: "{{ tripleo_frr_ovn_bgp_agent_config_basedir }}/etc/ovn-bgp-agent/rootwrap.conf"
|
||||
mode: '640'
|
||||
selevel: s0
|
||||
setype: container_file_t
|
||||
register: _ovn_bgp_agent_rootwrap_result
|
||||
|
||||
- name: configure OVN BGP agent rootwrap filters
|
||||
ansible.builtin.template:
|
||||
src: rootwrap.filters.j2
|
||||
dest: "{{ tripleo_frr_ovn_bgp_agent_config_basedir }}/etc/ovn-bgp-agent/rootwrap.d/rootwrap.filters"
|
||||
mode: '640'
|
||||
selevel: s0
|
||||
setype: container_file_t
|
||||
register: _ovn_bgp_agent_rootwrap_filters_result
|
||||
|
||||
- name: configure ovs manager
|
||||
command: ovs-vsctl set-manager "{{ tripleo_frr_ovn_bgp_agent_ovs_manager }}"
|
||||
|
||||
|
||||
# ['datacenter:br-ex', 'foo:br-vlan']
|
||||
- name: Set ipv4 proxy_arp for each physical nic used in bridge mappings
|
||||
sysctl:
|
||||
name: "net.ipv4.conf.{{ item.split(':')[1] }}.proxy_arp"
|
||||
value: 1
|
||||
sysctl_set: true
|
||||
sysctl_file: /etc/sysctl.d/99-tripleo-ovn-bgp-agent.conf
|
||||
state: present
|
||||
reload: true
|
||||
loop: "{{ tripleo_frr_ovn_bgp_agent_bridge_mappings }}"
|
||||
|
||||
- name: Set ipv6 proxy_ndp for each physical nic used in bridge mappings
|
||||
sysctl:
|
||||
name: "net.ipv6.conf.{{ item.split(':')[1] }}.proxy_ndp"
|
||||
value: 1
|
||||
sysctl_set: true
|
||||
sysctl_file: /etc/sysctl.d/99-tripleo-ovn-bgp-agent.conf
|
||||
state: present
|
||||
reload: true
|
||||
loop: "{{ tripleo_frr_ovn_bgp_agent_bridge_mappings }}"
|
||||
|
||||
- name: restart OVN BGP agent
|
||||
when:
|
||||
- _ovn_bgp_agent_config_result.changed or
|
||||
_ovn_bgp_agent_rootwrap_result.changed or
|
||||
_ovn_bgp_agent_rootwrap_filters_result.changed
|
||||
block:
|
||||
- name: check if tripleo_ovn_bgp_agent systemd service is active
|
||||
shell: systemctl is-active --quiet tripleo_ovn_bgp_agent
|
||||
failed_when: false
|
||||
register: ovn_bgp_agent_active_service
|
||||
|
||||
- name: restart tripleo_ovn_bgp_agent container
|
||||
systemd:
|
||||
name: tripleo_ovn_bgp_agent
|
||||
state: restarted
|
||||
when:
|
||||
- ovn_bgp_agent_active_service.rc == 0
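Review bot: The `configure ovs manager` task runs `ovs-vsctl set-manager` unconditionally, so it reports changed on every play and silently overwrites any other manager target an operator has configured; check the current manager first and only set it when it differs. The same task uses bare `command` while the file's other tasks use `ansible.builtin.file`/`ansible.builtin.template`, and `shell: systemctl is-active --quiet tripleo_ovn_bgp_agent` needs no shell features, so `ansible.builtin.command` is the safer and more consistent choice there (likewise `sysctl` and `systemd` could use their `ansible.builtin.`/`ansible.posix.` names). Separately, `item.split(':')[1]` in the two sysctl loops fails with an opaque undefined-index error if a bridge-mapping entry lacks a colon; an `ansible.builtin.assert` on `':' in item` over the loop, or a comment stating the required `physnet:bridge` form, would make the contract explicit.
```yaml
- name: get current ovs manager
  ansible.builtin.command: ovs-vsctl get-manager
  register: _ovs_manager_result
  changed_when: false

- name: configure ovs manager
  ansible.builtin.command: ovs-vsctl set-manager "{{ tripleo_frr_ovn_bgp_agent_ovs_manager }}"
  when: tripleo_frr_ovn_bgp_agent_ovs_manager not in _ovs_manager_result.stdout_lines

# … unchanged: proxy_arp / proxy_ndp sysctl loops and restart block …
```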
|
|
@ -0,0 +1,17 @@
|
|||
[DEFAULT]
|
||||
debug={{ tripleo_frr_ovn_bgp_agent_debug }}
|
||||
reconcile_interval={{ tripleo_frr_ovn_bgp_agent_reconcile_interval }}
|
||||
expose_tenant_networks={{ tripleo_frr_ovn_bgp_agent_expose_tenant_networks }}
|
||||
driver={{ tripleo_frr_ovn_bgp_agent_driver }}
|
||||
bgp_AS={{ tripleo_frr_ovn_bgp_agent_bgp_as }}
|
||||
ovsdb_connection={{ tripleo_frr_ovn_bgp_agent_ovsdb_connection }}
|
||||
|
||||
{% if tripleo_frr_ovn_bgp_agent_internal_tls_enable %}
|
||||
ovn_sb_private_key={{ tripleo_frr_ovn_bgp_agent_private_key }}
|
||||
ovn_sb_certificate={{ tripleo_frr_ovn_bgp_agent_certificate }}
|
||||
ovn_sb_ca_cert={{ tripleo_frr_ovn_bgp_agent_ca_cert }}
|
||||
{% endif %}
|
||||
|
||||
[agent]
|
||||
root_helper={{ tripleo_frr_ovn_bgp_agent_root_helper }}
|
||||
root_helper_daemon={{ tripleo_frr_ovn_bgp_agent_root_helper_daemon }}
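Review bot: The rendered `bgp-agent.conf` carries no indication that it is generated, so an operator editing it in place will have their change overwritten on the next run; add a first line such as `# Managed by the tripleo_frr Ansible role; local edits are overwritten.` Because `[agent]` `root_helper` points at a `sudo … rootwrap` command, a second comment line noting that this file must stay root-owned and non-world-writable (the template task sets mode `640`) documents why the permissions matter. The boolean values `debug=`, `expose_tenant_networks=` render as Python `True`/`False`, which oslo.config accepts, but a short comment saying so avoids a future "fix" to lowercase that changes nothing.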
|
|
@ -0,0 +1,27 @@
|
|||
# Configuration for ovn-bgp-agent-rootwrap
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
[DEFAULT]
|
||||
# List of directories to load filter definitions from (separated by ',').
|
||||
# These directories MUST all be only writeable by root !
|
||||
filters_path=/etc/ovn-bgp-agent/rootwrap.d,/usr/share/ovn-bgp-agent/rootwrap
|
||||
|
||||
# List of directories to search executables in, in case filters do not
|
||||
# explicitely specify a full path (separated by ',')
|
||||
# If not specified, defaults to system PATH environment variable.
|
||||
# These directories MUST all be only writeable by root !
|
||||
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
|
||||
|
||||
# Enable logging to syslog
|
||||
# Default value is False
|
||||
use_syslog=False
|
||||
|
||||
# Which syslog facility to use.
|
||||
# Valid values include auth, authpriv, syslog, local0, local1...
|
||||
# Default value is 'syslog'
|
||||
syslog_log_facility=syslog
|
||||
|
||||
# Which messages to log.
|
||||
# INFO means log all usage
|
||||
# ERROR means only log unsuccessful attempts
|
||||
syslog_log_level=ERROR
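Review bot: With `use_syslog=False` and `syslog_log_level=ERROR`, successful rootwrap invocations — each one a controlled escalation to root — leave no audit trail, and even the ERROR setting is moot while syslog is off; for a privileged-helper config it is worth either enabling syslog (`use_syslog=True`) or exposing both values as role variables so deployers can turn auditing on without editing the template. The file also contains no Jinja expressions despite the `.j2` suffix; if that is intentional, a header comment saying the values are fixed on purpose would prevent confusion. Minor: `explicitely` in the `exec_dirs` comment should read `explicitly`.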
|
|
@ -0,0 +1,13 @@
|
|||
# ovn-bgp-agent-rootwrap command filters for scripts
|
||||
# This file should be owned by (and only-writable by) the root user
|
||||
|
||||
[Filters]
|
||||
# privileged/__init__.py: priv_context.PrivContext(default)
|
||||
# This line ties the superuser privs with the config files, context name,
|
||||
# and (implicitly) the actual python code invoked.
|
||||
privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, ovn_bgp_agent.privileged.default, --privsep_sock_path, /tmp/.*
|
||||
|
||||
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
||||
sysctl: CommandFilter, sysctl, root
|
||||
ip: IpFilter, ip, root
|
||||
vtysh: CommandFilter, vtysh, root
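Review bot: `sysctl: CommandFilter, sysctl, root` and `vtysh: CommandFilter, vtysh, root` permit any arguments to those binaries as root, so the agent's rootwrap context can write arbitrary kernel parameters and run arbitrary FRR shell commands; if the agent only needs a known set of keys and vtysh commands (the proxy_arp/proxy_ndp sysctls and BGP route changes, presumably — worth confirming against the agent code), a `RegExpFilter` narrowing each entry would keep the privilege grant minimal. The `privsep-rootwrap` line already shows the pattern with `/etc/(?!\.\.).*` for the config path; a comment above the `sysctl` and `vtysh` entries explaining why unrestricted `CommandFilter` is acceptable here would at least make the decision reviewable. Like the other template, this file has no Jinja expressions, so the `.j2` suffix is worth a one-line comment or a rename.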
|