From 5096c4757f23480b76a8170104a6809459ba6b9c Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Fri, 9 Apr 2021 17:25:31 +0200 Subject: [PATCH] Add support for ovn bgp agent Conflict: deployment/frr/frr-container-ansible.yaml Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/834144 Change-Id: Iba6492dad085cec94a93acf119666b0d5c67306e Co-Authored-By: Carlos Goncalves Co-Authored-By: Luis Tomas Bolivar (cherry picked from commit 0fa959acb8c9a3768743d2b001c6a0376763b54f)
--- deployment/frr/frr-container-ansible.yaml | 176 +++++++++++++++++++++- environments/services/frr.yaml | 4 + 2 files changed, 178 insertions(+), 2 deletions(-)
diff --git a/deployment/frr/frr-container-ansible.yaml b/deployment/frr/frr-container-ansible.yaml
index 89f5e82815..55c78e568d 100644
--- a/deployment/frr/frr-container-ansible.yaml
+++ b/deployment/frr/frr-container-ansible.yaml
@@ -7,6 +7,9 @@ parameters: ContainerFrrImage: description: The container image for Frr type: string + ContainerOvnBgpAgentImage: + description: The container image for the BGP Agent + type: string EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set
@@ -30,6 +33,24 @@ parameters: default: {} description: Parameters specific to the role type: json + EnableInternalTLS: + type: boolean + default: false + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + OvnBgpAgentCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service FrrBfdEnabled: default: false description: Enable Bidirectional Forwarding Detection
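Review bot: `EnableInternalTLS` is the only parameter added in the second hunk (`@@ -30,6 +33,24 @@`) without a `description`, while every neighbouring parameter carries one; propose `description: Enable TLS for services on the internal network.` (wording taken from the InternalTLSCAFile description in the same hunk). `CertificateKeySize` and `OvnBgpAgentCertificateKeySize` are `type: string` although they hold an integer key size; keeping them as strings is consistent with the `''` sentinel the `key_size_override_set` condition later in the patch relies on, but a `constraints: - allowed_pattern: '^[0-9]*$'` on each would reject non-numeric input at stack validation instead of at certificate generation.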
@@ -136,10 +157,56 @@ parameters: description: Either peer with internal (iBGP) or external (eBGP) neighbors. constraints: - allowed_values: ['internal', 'external'] + NeutronBridgeMappings: + description: > + The OVS logical->physical bridge mappings to use. See the Neutron + documentation for details. Defaults to mapping br-ex - the external + bridge on hosts - to a physical name 'datacentre' which can be used + to create provider networks (and we use this for the default floating + network) - if changing this either use different post-install network + scripts or be sure to keep 'datacentre' as a mapping network name. + type: comma_delimited_list + default: "datacentre:br-ex" + tags: + - role_specific + FrrOvnBgpAgentDriver: + description: > + Configures how VM IPs are advertised via BGP. EVPN driver exposes VM IPs + on provider networks and FIPs associated to VMs on tenant networks via + MP-BGP IPv4 and IPv6 unicast. BGP driver exposes VM IPs on the tenant + networks via MP-BGP EVPN VXLAN. + type: string + default: 'ovn_evpn_driver' + constraints: + - allowed_values: [ 'ovn_bgp_driver', 'ovn_evpn_driver' ] + tags: + - role_specific + FrrOvnBgpAgentExposeTenantNetworks: + description: > + Exposes VM IPs on tenant networks via MP-BGP IPv4 and IPv6 unicast. + Requires the BGP driver (see THT parameter FrrOvnBgpAgentDriver). + type: boolean + default: false + FrrOvnBgpAgentAsn: + default: 64999 + description: > + Autonomous System Number to be used by the agent when running in BGP + mode. + type: number + FrrOvnBgpAgentOvsdbConnection: + default: 'tcp:127.0.0.1:6640' + description: > + The connection string for the native OVSDB backend. Use tcp:IP:PORT + for TCP connection. + type: string + +conditions: + key_size_override_set: + not: {equals: [{get_param: OvnBgpAgentCertificateKeySize}, '']} outputs: role_data: - description: Role data for the FRR service + description: Role data for the FRR and OVN BGP Agent services value: service_name: frr config_settings: 
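Review bot: The `FrrOvnBgpAgentDriver` description has the two drivers swapped: it says the EVPN driver advertises via MP-BGP IPv4/IPv6 unicast and the BGP driver via EVPN VXLAN, while `FrrOvnBgpAgentExposeTenantNetworks` in the same hunk states that unicast exposure of tenant networks "Requires the BGP driver". Propose `BGP driver exposes VM IPs on provider networks and FIPs associated to VMs on tenant networks via MP-BGP IPv4 and IPv6 unicast. EVPN driver exposes VM IPs on the tenant networks via MP-BGP EVPN VXLAN.` Because the default driver is `'ovn_evpn_driver'`, the ExposeTenantNetworks description should also say that the flag appears to have no effect unless the driver is changed, which is what its own "Requires" sentence implies. `FrrOvnBgpAgentAsn` is an unconstrained `number`; a `constraints: - range: {min: 1, max: 4294967295}` would reject invalid AS numbers before the FRR configuration is rendered.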
@@ -181,7 +248,34 @@ outputs: - path: /run/frr owner: frr:frrvty recurse: true - + /var/lib/kolla/config_files/ovn_bgp_agent.json: + command: /usr/bin/ovn-bgp-agent --config-dir /etc/ovn-bgp-agent + config_files: + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true + permissions: + - path: /etc/ovn-bgp-agent + owner: neutron:neutron + recurse: true + - path: /var/log/ovn-bgp-agent + owner: neutron:neutron + recurse: true + - path: /etc/pki/tls/certs/ovn_bgp_agent.crt + owner: neutron:neutron + optional: true + perm: '0644' + - path: /etc/pki/tls/private/ovn_bgp_agent.key + owner: neutron:neutron + optional: true + perm: '0640' + metadata_settings: + if: + - {get_param: EnableInternalTLS} + - - service: ovn_bgp_agent + network: {get_param: [ServiceNetMap, OvnDbsNetwork]} + type: node docker_config: # NOTE: Create container-startup-config file in step 0 so that TripleO # does not auto-start the FRR container (it does so for containers in 
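Review bot: The `metadata_settings` value is a two-element `if` (condition and true branch only), whereas the container `volumes` list in the next hunk spells the false branch out as `- null` for the same `EnableInternalTLS` condition. Whether the short form is accepted depends on the template's heat_template_version, which is not visible here; if it is accepted the two sites should still follow one convention, and if not, `- null` is needed as the third element so a deployment without internal TLS validates. The kolla permissions entries for `/etc/pki/tls/certs/ovn_bgp_agent.crt` and `/etc/pki/tls/private/ovn_bgp_agent.key` are the only ones marked `optional: true`; a one-line comment such as `# absent when EnableInternalTLS is false` above them would explain why they differ from the mandatory directory entries.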
@@ -217,6 +311,76 @@ outputs: - /run/frr:/run/frr:shared,z environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS + step_5: + ovn_bgp_agent: + start_order: 0 + image: {get_param: ContainerOvnBgpAgentImage} + net: host + pid: host + cgroupns: host + restart: always + privileged: true + healthcheck: + test: /openstack/healthcheck + # We cannot bind mount the InternalTLSCAFile as freeipa might not + # be reachable without frr + volumes: + list_concat: + - + - /etc/hosts:/etc/hosts:ro + - /etc/localtime:/etc/localtime:ro + - /dev/log:/dev/log + - /etc/iproute2:/etc/iproute2 + # OpenSSL trusted CAs + - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro + - /etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro + - /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro + - /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro + - /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro + - /var/lib/kolla/config_files/ovn_bgp_agent.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/ansible-generated/ovn-bgp-agent:/var/lib/kolla/config_files/src:ro + - /run/frr:/run/frr:shared,z + - /run/openvswitch:/run/openvswitch:shared,z + - if: + - {get_param: EnableInternalTLS} + - + - list_join: + - ':' + - - {get_param: InternalTLSCAFile} + - {get_param: InternalTLSCAFile} + - 'ro' + - /etc/pki/tls/certs/ovn_bgp_agent.crt:/etc/pki/tls/certs/ovn_bgp_agent.crt + - /etc/pki/tls/private/ovn_bgp_agent.key:/etc/pki/tls/private/ovn_bgp_agent.key + - null + environment: + KOLLA_CONFIG_STRATEGY: COPY_ALWAYS + deploy_steps_tasks: + - name: Certificate generation + when: + - step|int == 1 + - enable_internal_tls + block: + - include_role: + name: linux-system-roles.certificate + vars: + certificate_requests: + - name: ovn_bgp_agent + dns: + str_replace: + template: "{{fqdn_$NETWORK}}" + params: + $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + principal: + str_replace: + template: 
"ovn_bgp_agent/{{fqdn_$NETWORK}}@{{idm_realm}}" + params: + $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_set + - {get_param: OvnBgpAgentCertificateKeySize} + - {get_param: CertificateKeySize} + ca: ipa host_prep_tasks: - name: create persistent directories file:
@@ -228,6 +392,8 @@ outputs: - { 'path': /var/log/containers/frr, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/lib/config-data/ansible-generated/frr, 'setype': container_file_t, 'mode': '0750' } - { 'path': /run/frr, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/ovn-bgp-agent, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/lib/config-data/ansible-generated/ovn-bgp-agent, 'setype': container_file_t, 'mode': '0750' } pre_deploy_step_tasks: - name: Configure FRR import_role:
@@ -253,6 +419,12 @@ outputs: tripleo_frr_bgp_l2vpn_uplink_activate: {get_param: FrrBgpL2VpnUplinkActivate} tripleo_frr_bgp_l2vpn_peers: {get_param: FrrBgpL2VpnPeers} tripleo_frr_bgp_l2vpn_peers_scope: {get_param: FrrBgpL2vpnPeersScope} + tripleo_frr_ovn_bgp_agent_bridge_mappings: {get_param: NeutronBridgeMappings} + tripleo_frr_ovn_bgp_agent_internal_tls_enable: {get_param: EnableInternalTLS} + tripleo_frr_ovn_bgp_agent_driver: {get_param: FrrOvnBgpAgentDriver} + tripleo_frr_ovn_bgp_agent_expose_tenant_networks: {get_param: FrrOvnBgpAgentExposeTenantNetworks} + tripleo_frr_ovn_bgp_agent_bgp_as: {get_param: FrrOvnBgpAgentAsn} + tripleo_frr_ovn_bgp_agent_ovsdb_connection: {get_param: FrrOvnBgpAgentOvsdbConnection} - name: Start FRR include_role: name: tripleo_container_manage
diff --git a/environments/services/frr.yaml b/environments/services/frr.yaml
index 5865cd8c0b..9215bfb4af 100644
--- a/environments/services/frr.yaml
+++ b/environments/services/frr.yaml
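Review bot: The ovn_bgp_agent container mounts no log directory: the kolla config in the previous hunk chowns `/var/log/ovn-bgp-agent` inside the container and the host_prep_tasks hunk (`@@ -228,6 +392,8 @@`) creates `/var/log/containers/ovn-bgp-agent` on the host, but the `volumes` list here never binds the two, so with `restart: always` the agent's logs exist only in the container filesystem and vanish on every restart. Add `- /var/log/containers/ovn-bgp-agent:/var/log/ovn-bgp-agent:z` next to the `/run/frr` and `/run/openvswitch` entries. The container also runs with `privileged: true`, `net: host`, `pid: host` and `cgroupns: host`; a short comment stating why the agent needs root-equivalent host access (it is given write access to `/etc/iproute2` and `/run/openvswitch`, presumably to program host routing tables and OVS) would make that grant easier to justify in later hardening reviews. Finally, `# We cannot bind mount the InternalTLSCAFile as freeipa might not be reachable without frr` sits directly above a branch that does bind-mount `InternalTLSCAFile` when `EnableInternalTLS` is set; reword it to describe the conditional mount below, since as written it contradicts it.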
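Review bot: `NeutronBridgeMappings` and `FrrOvnBgpAgentDriver` are tagged `role_specific` in the parameters hunk, but in `@@ -253,6 +419,12 @@` they are handed to the role with a plain `get_param`, which reads only the global value; unless a `RoleParameters` merge for these names exists elsewhere in the file (not visible in this hunk), a per-role override would be silently ignored. Either drop the `role_specific` tag from both parameters or resolve them through the template's role-parameter merge before passing them as `tripleo_frr_ovn_bgp_agent_bridge_mappings` and `tripleo_frr_ovn_bgp_agent_driver`. The enclosing task list continues outside the hunk.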
@@ -7,3 +7,7 @@ parameter_defaults: # that early in the deployment (i.e. BGP needs to be up and functional for that to work) ValidateControllersIcmp: false ValidateGatewaysIcmp: false + # Needed for the BGP Agent + KernelIpForward: 1 + KernelIpv6ConfAllForwarding: 1 + KernelIpv4ConfAllRpFilter: 2
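Review bot: The three sysctl defaults are host-wide changes and the comment `# Needed for the BGP Agent` does not say what they do: `KernelIpv4ConfAllRpFilter: 2` switches reverse-path filtering to loose mode, accepting packets whose source is reachable via any interface rather than only the ingress one, and `KernelIpForward` / `KernelIpv6ConfAllForwarding` make every node using this environment forward traffic. Propose `# Needed for the BGP Agent: the node must route traffic (ip_forward) and accept asymmetric return paths (rp_filter=2, loose mode)`, adjusted if the actual reason differs. Since these land in parameter_defaults they override any stricter value an operator sets in an earlier environment file, which is worth one more sentence in the comment.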