From 61784d75e913fb10800fbdf8c1d780463d559b40 Mon Sep 17 00:00:00 2001
From: Carlos Goncalves
Date: Tue, 29 Jun 2021 11:35:13 +0200
Subject: [PATCH] OVN BGP Agent support

It is in charge of creating the right config files for the ovn-bgp-agent and to restart the service

Change-Id: I30e2c44d734e28ecf5ba573a53e24b544d156597
Co-Authored-By: Carlos Goncalves
---
.../roles/tripleo_frr/defaults/main.yml | 18 ++++
.../roles/tripleo_frr/tasks/main.yml | 4 +
.../roles/tripleo_frr/tasks/ovn_bgp_agent.yml | 93 +++++++++++++++++++
.../templates/ovn-bgp-agent.conf.j2 | 17 ++++
.../tripleo_frr/templates/rootwrap.conf.j2 | 27 ++++++
.../tripleo_frr/templates/rootwrap.filters.j2 | 13 +++
6 files changed, 172 insertions(+)
create mode 100644 tripleo_ansible/roles/tripleo_frr/tasks/ovn_bgp_agent.yml
create mode 100644 tripleo_ansible/roles/tripleo_frr/templates/ovn-bgp-agent.conf.j2
create mode 100644 tripleo_ansible/roles/tripleo_frr/templates/rootwrap.conf.j2
create mode 100644 tripleo_ansible/roles/tripleo_frr/templates/rootwrap.filters.j2

diff --git a/tripleo_ansible/roles/tripleo_frr/defaults/main.yml b/tripleo_ansible/roles/tripleo_frr/defaults/main.yml
index 5ebb1d61b..387c4ada5 100644
--- a/tripleo_ansible/roles/tripleo_frr/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_frr/defaults/main.yml
@@ -61,3 +61,21 @@ tripleo_frr_conf_custom_globals: ''
 tripleo_frr_conf_custom_router_bgp: ''
 tripleo_frr_conf_custom_ipv4: ''
 tripleo_frr_conf_custom_ipv6: ''
+
+# BGP agent
+tripleo_frr_ovn_bgp_agent_enable: true
+tripleo_frr_ovn_bgp_agent_debug: true
+tripleo_frr_ovn_bgp_agent_reconcile_interval: 120
+tripleo_frr_ovn_bgp_agent_expose_tenant_networks: false
+tripleo_frr_ovn_bgp_agent_driver: ovn_bgp_driver
+tripleo_frr_ovn_bgp_agent_private_key: /etc/pki/tls/private/ovn_bgp_agent.key
+tripleo_frr_ovn_bgp_agent_certificate: /etc/pki/tls/certs/ovn_bgp_agent.crt
+tripleo_frr_ovn_bgp_agent_ca_cert: /etc/ipa/ca.crt
+tripleo_frr_ovn_bgp_agent_internal_tls_enable: false
+tripleo_frr_ovn_bgp_agent_config_basedir: "/var/lib/config-data/ansible-generated/ovn-bgp-agent"
+tripleo_frr_ovn_bgp_agent_bridge_mappings: []
+tripleo_frr_ovn_bgp_agent_bgp_as: 64999
+tripleo_frr_ovn_bgp_agent_root_helper: "sudo ovn-bgp-agent-rootwrap /etc/ovn-bgp-agent/rootwrap.conf"
+tripleo_frr_ovn_bgp_agent_root_helper_daemon: "sudo ovn-bgp-agent-rootwrap-daemon /etc/ovn-bgp-agent/rootwrap.conf"
+tripleo_frr_ovn_bgp_agent_ovsdb_connection: "tcp:127.0.0.1:6640"
+tripleo_frr_ovn_bgp_agent_ovs_manager: "ptcp:6640:127.0.0.1"
diff --git a/tripleo_ansible/roles/tripleo_frr/tasks/main.yml b/tripleo_ansible/roles/tripleo_frr/tasks/main.yml
index 45dc66ff4..cf912e7cf 100644
--- a/tripleo_ansible/roles/tripleo_frr/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo_frr/tasks/main.yml
@@ -98,3 +98,7 @@
 state: restarted
 when:
 - frr_active_service.rc == 0
+
+- name: include OVN BGP agent
+ include_tasks: ovn_bgp_agent.yml
+ when: tripleo_frr_ovn_bgp_agent_enable | bool
diff --git a/tripleo_ansible/roles/tripleo_frr/tasks/ovn_bgp_agent.yml b/tripleo_ansible/roles/tripleo_frr/tasks/ovn_bgp_agent.yml
new file mode 100644
index 000000000..aae8f7139
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_frr/tasks/ovn_bgp_agent.yml
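Review bot: `tripleo_frr_ovn_bgp_agent_debug: true` ships the agent with debug logging on by default, which is unusual for a role default and would normally read `tripleo_frr_ovn_bgp_agent_debug: false`, or carry a comment saying why verbose output is wanted in production. The `tripleo_frr_ovn_bgp_agent_internal_tls_enable: false` key should document its scope: the template in ovn-bgp-agent.conf.j2 gates only the `ovn_sb_*` keys on it, while `tripleo_frr_ovn_bgp_agent_ovsdb_connection: "tcp:127.0.0.1:6640"` and `tripleo_frr_ovn_bgp_agent_ovs_manager: "ptcp:6640:127.0.0.1"` are plaintext regardless, and `ptcp:` is an unauthenticated listener that any local process can reach. A one-line comment above those two keys, `# Loopback-only plaintext OVSDB access; not covered by internal TLS`, would make the intended trust boundary explicit for the next reader.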
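Review bot: `include_tasks: ovn_bgp_agent.yml` uses the short module name while the task file it includes is written with `ansible.builtin.file` and `ansible.builtin.template`; for consistency write `ansible.builtin.include_tasks: ovn_bgp_agent.yml`. The same mix appears in ovn_bgp_agent.yml, where `command`, `sysctl`, `shell` and `systemd` are unqualified next to the FQCN tasks, and one convention should be picked for the whole role. The restart task whose `state: restarted` and `when:` lines form the context here begins outside the hunk.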
@@ -0,0 +1,93 @@
+---
+# Copyright 2021 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: create OVN BGP agent directories
+ ansible.builtin.file:
+ path: "{{ tripleo_frr_ovn_bgp_agent_config_basedir }}/etc/ovn-bgp-agent/rootwrap.d"
+ recurse: true
+ state: directory
+ selevel: s0
+ setype: container_file_t
+
+- name: configure OVN BGP agent
+ ansible.builtin.template:
+ src: ovn-bgp-agent.conf.j2
+ dest: "{{ tripleo_frr_ovn_bgp_agent_config_basedir }}/etc/ovn-bgp-agent/bgp-agent.conf"
+ mode: '640'
+ selevel: s0
+ setype: container_file_t
+ register: _ovn_bgp_agent_config_result
+
+- name: configure OVN BGP agent rootwrap
+ ansible.builtin.template:
+ src: rootwrap.conf.j2
+ dest: "{{ tripleo_frr_ovn_bgp_agent_config_basedir }}/etc/ovn-bgp-agent/rootwrap.conf"
+ mode: '640'
+ selevel: s0
+ setype: container_file_t
+ register: _ovn_bgp_agent_rootwrap_result
+
+- name: configure OVN BGP agent rootwrap filters
+ ansible.builtin.template:
+ src: rootwrap.filters.j2
+ dest: "{{ tripleo_frr_ovn_bgp_agent_config_basedir }}/etc/ovn-bgp-agent/rootwrap.d/rootwrap.filters"
+ mode: '640'
+ selevel: s0
+ setype: container_file_t
+ register: _ovn_bgp_agent_rootwrap_filters_result
+
+- name: configure ovs manager
+ command: ovs-vsctl set-manager "{{ tripleo_frr_ovn_bgp_agent_ovs_manager }}"
+
+
+# ['datacenter:br-ex', 'foo:br-vlan']
+- name: Set ipv4 proxy_arp for each physical nic used in bridge mappings
+ sysctl:
+ name: "net.ipv4.conf.{{ item.split(':')[1] }}.proxy_arp"
+ value: 1
+ sysctl_set: true
+ sysctl_file: /etc/sysctl.d/99-tripleo-ovn-bgp-agent.conf
+ state: present
+ reload: true
+ loop: "{{ tripleo_frr_ovn_bgp_agent_bridge_mappings }}"
+
+- name: Set ipv6 proxy_ndp for each physical nic used in bridge mappings
+ sysctl:
+ name: "net.ipv6.conf.{{ item.split(':')[1] }}.proxy_ndp"
+ value: 1
+ sysctl_set: true
+ sysctl_file: /etc/sysctl.d/99-tripleo-ovn-bgp-agent.conf
+ state: present
+ reload: true
+ loop: "{{ tripleo_frr_ovn_bgp_agent_bridge_mappings }}"
+
+- name: restart OVN BGP agent
+ when:
+ - _ovn_bgp_agent_config_result.changed or
+ _ovn_bgp_agent_rootwrap_result.changed or
+ _ovn_bgp_agent_rootwrap_filters_result.changed
+ block:
+ - name: check if tripleo_ovn_bgp_agent systemd service is active
+ shell: systemctl is-active --quiet tripleo_ovn_bgp_agent
+ failed_when: false
+ register: ovn_bgp_agent_active_service
+
+ - name: restart tripleo_ovn_bgp_agent container
+ systemd:
+ name: tripleo_ovn_bgp_agent
+ state: restarted
+ when:
+ - ovn_bgp_agent_active_service.rc == 0
diff --git a/tripleo_ansible/roles/tripleo_frr/templates/ovn-bgp-agent.conf.j2 b/tripleo_ansible/roles/tripleo_frr/templates/ovn-bgp-agent.conf.j2
new file mode 100644
index 000000000..ad8066032
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_frr/templates/ovn-bgp-agent.conf.j2
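Review bot: The `configure ovs manager` task runs `ovs-vsctl set-manager` on every play with no `changed_when`, so it always reports a change, and because `set-manager` replaces the whole manager list it silently drops any manager target another role may have configured. Reading the current value with `ovs-vsctl get-manager` and only calling `set-manager` when the expected target is missing fixes both; since the default target is `ptcp:6640:127.0.0.1`, an unauthenticated loopback listener, the task also deserves a comment saying that loopback is the intended trust boundary. Two smaller points on the three template tasks: `mode: '640'` is conventionally written `mode: '0640'`, and none of them sets `owner`/`group` even though the rootwrap.conf header requires a root-owned, root-only-writable file, so that property currently depends on the play running as root rather than being stated.

```yaml
- name: get current ovs manager
  ansible.builtin.command: ovs-vsctl get-manager
  register: _ovs_manager_result
  changed_when: false

- name: configure ovs manager
  ansible.builtin.command: ovs-vsctl set-manager "{{ tripleo_frr_ovn_bgp_agent_ovs_manager }}"
  when: tripleo_frr_ovn_bgp_agent_ovs_manager not in _ovs_manager_result.stdout_lines

# ... unchanged: proxy_arp/proxy_ndp sysctl tasks and the restart block ...
```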
@@ -0,0 +1,17 @@
+[DEFAULT]
+debug={{ tripleo_frr_ovn_bgp_agent_debug }}
+reconcile_interval={{ tripleo_frr_ovn_bgp_agent_reconcile_interval }}
+expose_tenant_networks={{ tripleo_frr_ovn_bgp_agent_expose_tenant_networks }}
+driver={{ tripleo_frr_ovn_bgp_agent_driver }}
+bgp_AS={{ tripleo_frr_ovn_bgp_agent_bgp_as }}
+ovsdb_connection={{ tripleo_frr_ovn_bgp_agent_ovsdb_connection }}
+
+{% if tripleo_frr_ovn_bgp_agent_internal_tls_enable %}
+ovn_sb_private_key={{ tripleo_frr_ovn_bgp_agent_private_key }}
+ovn_sb_certificate={{ tripleo_frr_ovn_bgp_agent_certificate }}
+ovn_sb_ca_cert={{ tripleo_frr_ovn_bgp_agent_ca_cert }}
+{% endif %}
+
+[agent]
+root_helper={{ tripleo_frr_ovn_bgp_agent_root_helper }}
+root_helper_daemon={{ tripleo_frr_ovn_bgp_agent_root_helper_daemon }}
diff --git a/tripleo_ansible/roles/tripleo_frr/templates/rootwrap.conf.j2 b/tripleo_ansible/roles/tripleo_frr/templates/rootwrap.conf.j2
new file mode 100644
index 000000000..675fa64cf
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_frr/templates/rootwrap.conf.j2
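Review bot: The `{% if tripleo_frr_ovn_bgp_agent_internal_tls_enable %}` block sets only the `ovn_sb_*` keys, while `ovsdb_connection={{ tripleo_frr_ovn_bgp_agent_ovsdb_connection }}` is rendered unconditionally from a default of `tcp:127.0.0.1:6640`, so turning internal TLS on still leaves the local OVS connection in plaintext. If that is intentional because the OVS socket is loopback-only, the template should say so next to that line, e.g. `# ovsdb_connection targets the local OVS on loopback; not covered by internal TLS`, so a later hardening pass does not mistake it for an omission. A point of style: `debug={{ ... }}` and `expose_tenant_networks={{ ... }}` render Ansible booleans as `True`/`False`; oslo.config accepts either spelling, but `{{ tripleo_frr_ovn_bgp_agent_debug | lower }}` yields the conventional `true`/`false` seen in hand-written config files.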
@@ -0,0 +1,27 @@
+# Configuration for ovn-bgp-agent-rootwrap
+# This file should be owned by (and only-writeable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+filters_path=/etc/ovn-bgp-agent/rootwrap.d,/usr/share/ovn-bgp-agent/rootwrap
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, local0, local1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR
diff --git a/tripleo_ansible/roles/tripleo_frr/templates/rootwrap.filters.j2 b/tripleo_ansible/roles/tripleo_frr/templates/rootwrap.filters.j2
new file mode 100644
index 000000000..da3cc0cdd
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_frr/templates/rootwrap.filters.j2
@@ -0,0 +1,13 @@
+# ovn-bgp-agent-rootwrap command filters for scripts
+# This file should be owned by (and only-writable by) the root user
+
+[Filters]
+# privileged/__init__.py: priv_context.PrivContext(default)
+# This line ties the superuser privs with the config files, context name,
+# and (implicitly) the actual python code invoked.
+privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, ovn_bgp_agent.privileged.default, --privsep_sock_path, /tmp/.*
+
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+sysctl: CommandFilter, sysctl, root
+ip: IpFilter, ip, root
+vtysh: CommandFilter, vtysh, root
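Review bot: `use_syslog=False` together with `syslog_log_level=ERROR` means that commands rootwrap accepts are never logged, only rejected ones, yet rootwrap is the privilege boundary between the unprivileged agent and root for `ovs-vsctl`, `sysctl`, `ip` and `vtysh` (per rootwrap.filters.j2), and an audit trail of accepted escalations is exactly what incident response needs from such a boundary. Consider `use_syslog=True` with `syslog_log_level=INFO`, or at least a comment stating why only failures are recorded. The header's requirement that the file be "owned by (and only-writeable by) the root user" is not enforced by the task that writes it in ovn_bgp_agent.yml, which sets `mode: '640'` but no `owner`/`group`; adding `owner: root` and `group: root` there would make the stated requirement hold by construction. Minor: "explicitely" in the `exec_dirs` comment should be "explicitly".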
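Review bot: `sysctl: CommandFilter, sysctl, root` allows the agent to write any kernel sysctl as root, while the role itself only touches `net.ipv4.conf.*.proxy_arp` and `net.ipv6.conf.*.proxy_ndp`; if the agent needs no more than that, a `RegExpFilter` anchored on those keys narrows the privilege boundary considerably, along the lines of `sysctl: RegExpFilter, sysctl, root, sysctl, -w, net\.ipv[46]\.conf\..*\.proxy_(arp|ndp)=.*` (illustrative; the argument regexes must match how the agent actually invokes sysctl). `ip: IpFilter, ip, root` is similarly broad — as I read oslo.rootwrap, IpFilter admits every `ip` subcommand except `netns exec` — so if that breadth is required, a comment per filter naming the commands it is expected to cover would stop a later reviewer from tightening it by mistake and would document what a detection rule on the rootwrap log should consider normal. The `privsep-rootwrap` line's `/tmp/.*` socket path and `/etc/(?!\.\.).*` config path follow the Neutron pattern and look fine, but deserve the same one-line explanation.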