Add FRR service

This adds support for BGP via the OS::TripleO::Services::Frr service. Spec: https://review.opendev.org/c/openstack/tripleo-specs/+/758249 We create the frr configuration via the corresponding tripleo_frr ansible role at step0. We start the FRR container at deployment step 1 before pacemaker gets configured as the routing to all the other nodes needs to be functional before setting up the cluster. Co-Authored-By: Carlos Gonçalves <cgoncalves@redhat.com> Change-Id: I7cef73c57e7b69f4d031e220c954803afd5e0b8c
5 months ago · 97016b2012
--- a/deployment/frr/frr-container-ansible.yaml
+++ b/deployment/frr/frr-container-ansible.yaml
@ -0,0 +1,236 @@
 heat_template_version: rocky

 description: >
  Configures FRR on the host

 parameters:
  ContainerFrrImage:
    description: The container image for Frr
    type: string
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  FrrBfdEnabled:
    default: false
    description: Enable Bidirectional Forwarding Detection
    type: boolean
  FrrBgpEnabled:
    default: true
    description: Enable BGP
    type: boolean
  FrrBgpAsn:
    default: 65000
    description: Default ASN to be used within FRR
    type: number
  FrrBgpIpv4Enabled:
    default: true
    description: Enable BGP advertisement of IPv4 routes
    type: boolean
  FrrBgpIpv4AllowASIn:
    default: false
    description: Allow for IPv4 routes to be received and processed even if the
                 router detects its own ASN in the AS-Path.
    type: boolean
  FrrBgpIpv4SrcNetwork:
    default: ctlplane
    description: The name of the Neutron network from where the IP address of
                 the node will be taken and set as source IPv4 address on the
                 default route.
    type: string
  FrrBgpIpv6Enabled:
    default: true
    description: Enable BGP advertisement of IPv6 routes
    type: boolean
  FrrBgpIpv6AllowASIn:
    default: false
    description: Allow for IPv6 routes to be received and processed even if the
                 router detects its own ASN in the AS-Path.
    type: boolean
  FrrBgpIpv6SrcNetwork:
    default: ctlplane
    description: The name of the Neutron network from where the IP address of
                 the node will be taken and set as source IPv6 address on the
                 default route.
    type: string
  FrrBgpUplinks:
    default: ['nic1', 'nic2']
    description: List of uplink network interfaces.
    type: comma_delimited_list
  FrrBgpUplinksScope:
    default: 'internal'
    type: string
    description: Either peer with internal (iBGP) or external (eBGP) neighbors.
    constraints:
      - allowed_values: ['internal', 'external']
  FrrLoggingSource:
    type: json
    default:
      tag: system.frr
      file: /var/log/containers/frr/frr.log
  FrrLogLevel:
    default: 'informational'
    type: string
    description: log level
    constraints:
      - allowed_values: ['emergencies', 'alerts', 'critical', 'errors',
                         'warnings', 'notifications', 'informational',
                         'debugging']
  FrrZebraEnabled:
    default: true
    description: enable Zebra
    type: boolean
  FrrPacemakerVipNic:
    default: 'lo'
    description: Name of the nic that the pacemaker VIPs will be added to when
                 runninng with FRR.
    type: string
  FrrBgpNeighborTtlSecurityHops:
    default: 1
    description: Enforce Generalized TTL Security Mechanism (GTSM) where only
                 neighbors that are the specified number of hops away will be
                 allowed to become neighbors. Setting value to zero or less
                 will disable GTSM.
    type: number

 outputs:
  role_data:
    description: Role data for the FRR service
    value:
      service_name: frr
      config_settings:
        tripleo::pacemaker::force_nic: {get_param: FrrPacemakerVipNic}
      service_config_settings:
        rsyslog:
          tripleo_logging_sources_frr:
            - {get_param: FrrLoggingSource}
      firewall_rules:
        map_merge:
          - if:
            - {get_param: FrrBgpEnabled}
            - '156 bgp tcp':
                proto: 'tcp'
                dport: 179
            - {}
          - if:
            - {get_param: FrrBfdEnabled}
            - '156 bfd udp':
                 proto: 'udp'
                 dport:
                 - 3784
                 - 3785
            - {}
      kolla_config:
        /var/lib/kolla/config_files/frr.json:
          # Note: This is currently needed because watchfrr *always* demonizes
          command: bash -c $* -- eval /usr/lib/frr/frr start && /bin/sleep infinity
          config_files:
            - source: "/var/lib/kolla/config_files/src/*"
              dest: "/"
              merge: true
              preserve_properties: true
          permissions:
            - path: /etc/frr
              owner: frr:frr
              recurse: true
            - path: /var/log/frr
              owner: frr:frr
              recurse: true

      docker_config:
        # NOTE: Create container-startup-config file in step 0 so that TripleO
        # does not auto-start the FRR container (it does so for containers in
        # step 1-5). FRR needs to be started in step 1 but before any HA service.
        step_0:
          frr:
            start_order: 0
            image: {get_param: ContainerFrrImage}
            net: host
            state: stopped
            restart: always
            healthcheck:
              test: /openstack/healthcheck
            cap_add:
              - NET_BIND_SERVICE
              - NET_RAW
              - NET_ADMIN
              - SYS_ADMIN
            # We cannot bind mount the InternalTLSCAFile as freeipa might not
            # be reachable without frr
            volumes:
              - /etc/hosts:/etc/hosts:ro
              - /etc/localtime:/etc/localtime:ro
              - /dev/log:/dev/log
              # OpenSSL trusted CAs
              - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro
              - /etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro
              - /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro
              - /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro
              - /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro
              - /var/lib/kolla/config_files/frr.json:/var/lib/kolla/config_files/config.json:ro
              - /var/lib/config-data/ansible-generated/frr:/var/lib/kolla/config_files/src:ro
              - /var/log/containers/frr:/var/log/frr:z
            environment:
              KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
      host_prep_tasks:
        - name: create persistent directories
          file:
            path: "{{ item.path }}"
            state: directory
            setype: "{{ item.setype }}"
            mode: "{{ item.mode }}"
          with_items:
            - { 'path': /var/log/containers/frr, 'setype': container_file_t, 'mode': '0750' }
            - { 'path': /var/lib/config-data/ansible-generated/frr, 'setype': container_file_t, 'mode': '0750' }
      deploy_steps_tasks:
        - name: Configure and start FRR before an HA service
          when: step|int == 1
          block:
            - name: Configure FRR
              import_role:
                name: tripleo_frr
              vars:
                tripleo_frr_config_basedir: /var/lib/config-data/ansible-generated/frr
                tripleo_frr_bfd: {get_param: FrrBfdEnabled}
                tripleo_frr_bgp: {get_param: FrrBgpEnabled}
                tripleo_frr_bgp_asn: {get_param: FrrBgpAsn}
                tripleo_frr_bgp_ipv4: {get_param: FrrBgpIpv4Enabled}
                tripleo_frr_bgp_ipv4_allowas_in: {get_param: FrrBgpIpv4AllowASIn}
                tripleo_frr_bgp_ipv4_src_network: {get_param: FrrBgpIpv4SrcNetwork}
                tripleo_frr_bgp_ipv6: {get_param: FrrBgpIpv6Enabled}
                tripleo_frr_bgp_ipv6_allowas_in: {get_param: FrrBgpIpv6AllowASIn}
                tripleo_frr_bgp_ipv6_src_network: {get_param: FrrBgpIpv6SrcNetwork}
                tripleo_frr_bgp_neighbor_ttl_security_hops: {get_param: FrrBgpNeighborTtlSecurityHops}
                tripleo_frr_bgp_uplinks: {get_param: FrrBgpUplinks}
                tripleo_frr_bgp_uplinks_scope: {get_param: FrrBgpUplinksScope}
                tripleo_frr_log_level: {get_param: FrrLogLevel}
                tripleo_frr_zebra: {get_param: FrrZebraEnabled}
            - name: Start FRR
              include_role:
                name: tripleo_container_manage
              vars:
                tripleo_container_manage_config: "/var/lib/tripleo-config/container-startup-config/step_0"
                tripleo_container_manage_config_id: "frr"
                tripleo_container_manage_config_patterns: "frr.json"
                tripleo_container_manage_systemd_order: true
      update_tasks: []
      upgrade_tasks: []
--- a/environments/hyperconverged-ceph.yaml
+++ b/environments/hyperconverged-ceph.yaml
@ -60,3 +60,4 @@ parameter_defaults:
    - OS::TripleO::Services::Rear
    - OS::TripleO::Services::Rhsm
    - OS::TripleO::Services::Podman
    - OS::TripleO::Services::Frr
--- a/environments/services/frr.yaml
+++ b/environments/services/frr.yaml
@ -0,0 +1,9 @@
 resource_registry:
  OS::TripleO::Services::Frr: ../../deployment/frr/frr-container-ansible.yaml

 parameter_defaults:
  # These need to be disabled by default when using FRR/BGP because
  # the gateways and other controllers are very unlikely to be reachable
  # that early in the deployment (i.e. BGP needs to be up and functional for that to work)
  ValidateControllersIcmp: false
  ValidateGatewaysIcmp: false
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@ -323,6 +323,7 @@ resource_registry:
  OS::TripleO::Services::Multipathd: OS::Heat::None
  OS::TripleO::Services::GlanceApiEdge: OS::Heat::None
  OS::TripleO::Services::HAproxyEdge: OS::Heat::None
  OS::TripleO::Services::Frr: OS::Heat::None

  # Logging
  OS::TripleO::Services::Tmpwatch: deployment/logrotate/tmpwatch-install.yaml
--- a/releasenotes/notes/frr-support-21648d0660a810ac.yaml
+++ b/releasenotes/notes/frr-support-21648d0660a810ac.yaml
@ -0,0 +1,15 @@
 ---
 features:
  - |
    Added FRR as a new TripleO service. This service allows cloud operators to
    deploy pure L3 control plane via BGP protocol. This has the following
    benefits:

    * Obtain multiple routes on multiple uplinks
    * BGP used for ECMP load balancing and BFD for resiliency
    * Advertise routes to API endpoints
    * Less L2 traffic

    Please refer to `Install and Configure FRRouter specification
    <https://specs.openstack.org/openstack/tripleo-specs/specs/wallaby/triplo-bgp-frrouter.html>`_
    for more information.
--- a/roles/BlockStorage.yaml
+++ b/roles/BlockStorage.yaml
@ -24,6 +24,7 @@
    - OS::TripleO::Services::CACerts
    - OS::TripleO::Services::CinderBackendVRTSHyperScale
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/CellController.yaml
+++ b/roles/CellController.yaml
@ -31,6 +31,7 @@
    - OS::TripleO::Services::Clustercheck
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::ContainerImagePrepare
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::HAproxy
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/CephAll.yaml
+++ b/roles/CephAll.yaml
@ -28,6 +28,7 @@
    - OS::TripleO::Services::CephRgw
    - OS::TripleO::Services::CephOSD
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
--- a/roles/CephFile.yaml
+++ b/roles/CephFile.yaml
@ -25,6 +25,7 @@
    - OS::TripleO::Services::CephMds
    - OS::TripleO::Services::CephOSD
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
--- a/roles/CephObject.yaml
+++ b/roles/CephObject.yaml
@ -25,6 +25,7 @@
    - OS::TripleO::Services::CephRgw
    - OS::TripleO::Services::CephOSD
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
--- a/roles/CephStorage.yaml
+++ b/roles/CephStorage.yaml
@ -24,6 +24,7 @@
    - OS::TripleO::Services::CACerts
    - OS::TripleO::Services::CephOSD
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
--- a/roles/Compute.yaml
+++ b/roles/Compute.yaml
@ -45,6 +45,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/ComputeAlt.yaml
+++ b/roles/ComputeAlt.yaml
@ -30,6 +30,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgentAlt
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::IscsidAlt
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeDVR.yaml
+++ b/roles/ComputeDVR.yaml
@ -32,6 +32,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/ComputeHCI.yaml
+++ b/roles/ComputeHCI.yaml
@ -34,6 +34,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/ComputeHCIOvsDpdk.yaml
+++ b/roles/ComputeHCIOvsDpdk.yaml
@ -38,6 +38,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsDpdk
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/ComputeHCISriov.yaml
+++ b/roles/ComputeHCISriov.yaml
@ -34,6 +34,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/ComputeInstanceHA.yaml
+++ b/roles/ComputeInstanceHA.yaml
@ -32,6 +32,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/ComputeLiquidio.yaml
+++ b/roles/ComputeLiquidio.yaml
@ -33,6 +33,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/ComputeLocalEphemeral.yaml
+++ b/roles/ComputeLocalEphemeral.yaml
@ -34,6 +34,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/ComputeOvsDpdk.yaml
+++ b/roles/ComputeOvsDpdk.yaml
@ -35,6 +35,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsDpdk
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/ComputeOvsDpdkRT.yaml
+++ b/roles/ComputeOvsDpdkRT.yaml
@ -37,6 +37,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsDpdk
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/ComputeOvsDpdkSriov.yaml
+++ b/roles/ComputeOvsDpdkSriov.yaml
@ -31,6 +31,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsDpdk
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/ComputeOvsDpdkSriovRT.yaml
+++ b/roles/ComputeOvsDpdkSriovRT.yaml
@ -34,6 +34,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsDpdk
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/ComputePPC64LE.yaml
+++ b/roles/ComputePPC64LE.yaml
@ -32,6 +32,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/ComputeRBDEphemeral.yaml
+++ b/roles/ComputeRBDEphemeral.yaml
@ -34,6 +34,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/ComputeRealTime.yaml
+++ b/roles/ComputeRealTime.yaml
@ -42,6 +42,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/ComputeSriov.yaml
+++ b/roles/ComputeSriov.yaml
@ -30,6 +30,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/ComputeSriovIB.yaml
+++ b/roles/ComputeSriovIB.yaml
@ -30,6 +30,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/ComputeSriovRT.yaml
+++ b/roles/ComputeSriovRT.yaml
@ -33,6 +33,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/Controller.yaml
+++ b/roles/Controller.yaml
@ -91,6 +91,7 @@
    - OS::TripleO::Services::DesignateSink
    - OS::TripleO::Services::Etcd
    - OS::TripleO::Services::ExternalSwiftProxy
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::GlanceApi
    - OS::TripleO::Services::GnocchiApi
    - OS::TripleO::Services::GnocchiMetricd
--- a/roles/ControllerAllNovaStandalone.yaml
+++ b/roles/ControllerAllNovaStandalone.yaml
@ -56,6 +56,7 @@
    - OS::TripleO::Services::DesignateMDNS
    - OS::TripleO::Services::DesignateSink
    - OS::TripleO::Services::Etcd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::GlanceApi
--- a/roles/ControllerNoCeph.yaml
+++ b/roles/ControllerNoCeph.yaml
@ -78,6 +78,7 @@
    - OS::TripleO::Services::DesignateMDNS
    - OS::TripleO::Services::DesignateSink
    - OS::TripleO::Services::Etcd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::ExternalSwiftProxy
    - OS::TripleO::Services::GlanceApi
    - OS::TripleO::Services::GnocchiApi
--- a/roles/ControllerNovaStandalone.yaml
+++ b/roles/ControllerNovaStandalone.yaml
@ -64,6 +64,7 @@
    - OS::TripleO::Services::Clustercheck
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Etcd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::ExternalSwiftProxy
    - OS::TripleO::Services::GlanceApi
    - OS::TripleO::Services::GnocchiApi
--- a/roles/ControllerOpenstack.yaml
+++ b/roles/ControllerOpenstack.yaml
@ -61,6 +61,7 @@
    - OS::TripleO::Services::DesignateMDNS
    - OS::TripleO::Services::DesignateSink
    - OS::TripleO::Services::Etcd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::GlanceApi
--- a/roles/ControllerSriov.yaml
+++ b/roles/ControllerSriov.yaml
@ -83,6 +83,7 @@
    - OS::TripleO::Services::DesignateSink
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Etcd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::ExternalSwiftProxy
    - OS::TripleO::Services::GlanceApi
    - OS::TripleO::Services::GnocchiApi
--- a/roles/ControllerStorageDashboard.yaml
+++ b/roles/ControllerStorageDashboard.yaml
@ -88,6 +88,7 @@
    - OS::TripleO::Services::DesignateMDNS
    - OS::TripleO::Services::DesignateSink
    - OS::TripleO::Services::Etcd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::ExternalSwiftProxy
    - OS::TripleO::Services::GlanceApi
    - OS::TripleO::Services::GnocchiApi
--- a/roles/ControllerStorageNfs.yaml
+++ b/roles/ControllerStorageNfs.yaml
@ -89,6 +89,7 @@
    - OS::TripleO::Services::DesignateMDNS
    - OS::TripleO::Services::DesignateSink
    - OS::TripleO::Services::Etcd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::ExternalSwiftProxy
    - OS::TripleO::Services::GlanceApi
    - OS::TripleO::Services::GnocchiApi
--- a/roles/Database.yaml
+++ b/roles/Database.yaml
@ -16,6 +16,7 @@
    - OS::TripleO::Services::CACerts
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Clustercheck
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
--- a/roles/DistributedCompute.yaml
+++ b/roles/DistributedCompute.yaml
@ -33,6 +33,7 @@
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Etcd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::GlanceApiEdge
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
--- a/roles/DistributedComputeHCI.yaml
+++ b/roles/DistributedComputeHCI.yaml
@ -42,6 +42,7 @@
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Etcd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::GlanceApiEdge
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
--- a/roles/DistributedComputeHCIDashboard.yaml
+++ b/roles/DistributedComputeHCIDashboard.yaml
@ -44,6 +44,7 @@
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Etcd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::GlanceApiEdge
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
--- a/roles/DistributedComputeHCIScaleOut.yaml
+++ b/roles/DistributedComputeHCIScaleOut.yaml
@ -34,6 +34,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::HAproxyEdge
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
--- a/roles/DistributedComputeScaleOut.yaml
+++ b/roles/DistributedComputeScaleOut.yaml
@ -31,6 +31,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::HAproxyEdge
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
--- a/roles/HciCephAll.yaml
+++ b/roles/HciCephAll.yaml
@ -40,6 +40,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/HciCephFile.yaml
+++ b/roles/HciCephFile.yaml
@ -35,6 +35,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/HciCephMon.yaml
+++ b/roles/HciCephMon.yaml
@ -36,6 +36,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/HciCephObject.yaml
+++ b/roles/HciCephObject.yaml
@ -35,6 +35,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
--- a/roles/IronicConductor.yaml
+++ b/roles/IronicConductor.yaml
@ -17,6 +17,7 @@
    - OS::TripleO::Services::BootParams
    - OS::TripleO::Services::CACerts
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::IronicConductor
--- a/roles/Messaging.yaml
+++ b/roles/Messaging.yaml
@ -15,6 +15,7 @@
    - OS::TripleO::Services::BootParams
    - OS::TripleO::Services::CACerts
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
--- a/roles/Networker.yaml
+++ b/roles/Networker.yaml
@ -19,6 +19,7 @@
    - OS::TripleO::Services::BootParams
    - OS::TripleO::Services::CACerts
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::IronicNeutronAgent
--- a/roles/NetworkerSriov.yaml
+++ b/roles/NetworkerSriov.yaml
@ -20,6 +20,7 @@
    - OS::TripleO::Services::CACerts
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::IronicNeutronAgent
--- a/roles/NovaManager.yaml
+++ b/roles/NovaManager.yaml
@ -15,6 +15,7 @@
    - OS::TripleO::Services::BootParams
    - OS::TripleO::Services::CACerts
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
--- a/roles/Novacontrol.yaml
+++ b/roles/Novacontrol.yaml
@ -16,6 +16,7 @@
    - OS::TripleO::Services::BootParams
    - OS::TripleO::Services::CACerts
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
--- a/roles/ObjectStorage.yaml
+++ b/roles/ObjectStorage.yaml
@ -30,6 +30,7 @@
    - OS::TripleO::Services::BootParams
    - OS::TripleO::Services::CACerts
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
--- a/roles/Standalone.yaml
+++ b/roles/Standalone.yaml
@ -89,6 +89,7 @@
    - OS::TripleO::Services::DockerRegistry
    - OS::TripleO::Services::Etcd
    - OS::TripleO::Services::ExternalSwiftProxy
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::GlanceApi
    - OS::TripleO::Services::GnocchiApi
    - OS::TripleO::Services::GnocchiMetricd
--- a/roles/Telemetry.yaml
+++ b/roles/Telemetry.yaml
@ -26,6 +26,7 @@
    - OS::TripleO::Services::CephExternal
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::ContainersLogrotateCrond
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::GnocchiApi
    - OS::TripleO::Services::GnocchiMetricd
    - OS::TripleO::Services::GnocchiStatsd
--- a/roles/Undercloud.yaml
+++ b/roles/Undercloud.yaml
@ -38,6 +38,7 @@
    - OS::TripleO::Services::ContainerImagePrepare
    - OS::TripleO::Services::ContainersLogrotateCrond
    - OS::TripleO::Services::DockerRegistry
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::GlanceApi
    - OS::TripleO::Services::GnocchiApi
    - OS::TripleO::Services::GnocchiMetricd
--- a/roles_data.yaml
+++ b/roles_data.yaml
@ -94,6 +94,7 @@
    - OS::TripleO::Services::DesignateSink
    - OS::TripleO::Services::Etcd
    - OS::TripleO::Services::ExternalSwiftProxy
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::GlanceApi
    - OS::TripleO::Services::GnocchiApi
    - OS::TripleO::Services::GnocchiMetricd
@ -232,6 +233,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
@ -291,6 +293,7 @@
    - OS::TripleO::Services::CACerts
    - OS::TripleO::Services::CinderBackendVRTSHyperScale
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
@ -345,6 +348,7 @@
    - OS::TripleO::Services::BootParams
    - OS::TripleO::Services::CACerts
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
@ -394,6 +398,7 @@
    - OS::TripleO::Services::CACerts
    - OS::TripleO::Services::CephOSD
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
--- a/roles_data_undercloud.yaml
+++ b/roles_data_undercloud.yaml
@ -41,6 +41,7 @@
    - OS::TripleO::Services::ContainerImagePrepare
    - OS::TripleO::Services::ContainersLogrotateCrond
    - OS::TripleO::Services::DockerRegistry
    - OS::TripleO::Services::Frr
    - OS::TripleO::Services::GlanceApi
    - OS::TripleO::Services::GnocchiApi
    - OS::TripleO::Services::GnocchiMetricd