Do not run puppet in docker_config

The docker_config is not intended for puppet execution and doesn't
automatically present the common requirements like fact cache generated
on host to run puppet inside containers.

This merges puppet execution into the base puppet_task to simplify
puppet execution. Because creating the ovs bridge requires access to
host pids, which container puppet tasks are not allowed, that specific
task is re-implemented as host prep tasks.

Closes-Bug: #1958240
Change-Id: I7d647afbf26ea11aff4d51cc3ea734881bf5cd32
Takashi Kajinami 2022-01-18 23:16:49 +09:00
parent a170fc4c75
commit c275d78703
3 changed files with 19 additions and 114 deletions


@ -32,12 +32,6 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
MultiInterfaceDriverMappings:
type: comma_delimited_list
default: ""
@ -92,34 +86,13 @@ outputs:
neutron::agents::ml2::mlnx::dhcp_broadcast_reply: true
neutron::agents::ml2::mlnx::interface_driver : 'multi'
neutron::agents::ml2::mlnx::enable_multi_interface_driver_cache_maintenance : true
docker_config:
step_3:
neutron_agents_ib_config:
detach: false
image: {get_attr: [RoleParametersValue, value, ContainerNeutronConfigImage]}
net: host
pid: host
user: root
privileged: true
security_opt:
- label=disable
command:
- puppet
- apply
- --modulepath
- /etc/puppet/modules:/usr/share/openstack-puppet/modules
- -v
- -e
- "include neutron::agents::ml2::mlnx"
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /lib/modules:/lib/modules:ro
- /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
- /var/lib/config-data/puppet-generated/neutron/etc/neutron:/etc/neutron
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
puppet_config:
config_volume: 'neutron'
puppet_tags: eswitchd_config,neutron_dhcp_agent_config,neutron_l3_agent_config,neutron_mlnx_agent_config
step_config: |
include tripleo::profile::base::neutron::agents::mlnx
config_image: {get_attr: [RoleParametersValue, value, ContainerNeutronConfigImage]}
docker_config: {}
metadata_settings:
get_attr: [NeutronBase, role_data, metadata_settings]
upgrade_tasks: []
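Review bot: The new `puppet_config` block applies `tripleo::profile::base::neutron::agents::mlnx` under a `puppet_tags` filter, whereas the removed `neutron_agents_ib_config` container ran `include neutron::agents::ml2::mlnx` with no `--tags` argument, so resources outside the four listed tags that the old run applied may no longer be applied. The same holds for the `puppet_tags`/`step_config` hunk of the next file, where the removed `neutron_mlnx_agent_config` container was also untagged. The class bodies are not visible here, so this needs checking against the puppet modules. If the narrowing is intended, a comment above `puppet_tags` such as `# only these resource types are applied; the former step_3 container ran the class untagged` would record it for the next maintainer.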


@ -37,12 +37,6 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
NeutronPhysicalDevMappings:
description: >
List of <physical_network>:<physical device>
@ -117,9 +111,10 @@ outputs:
- get_attr: [MlnxAgentLogging, config_settings]
puppet_config:
config_volume: 'neutron'
puppet_tags: neutron_plugin_ml2
puppet_tags: neutron_plugin_ml2,eswitchd_config,neutron_dhcp_agent_config,neutron_l3_agent_config,neutron_mlnx_agent_config
step_config: |
include tripleo::profile::base::neutron::plugins::ml2
include tripleo::profile::base::neutron::agents::mlnx
config_image: {get_attr: [RoleParametersValue, value, ContainerNeutronConfigImage]}
kolla_config:
/var/lib/kolla/config_files/neutron_mlnx_agent.json:
@ -153,35 +148,6 @@ outputs:
owner: neutron:neutron
recurse: true
docker_config:
step_3:
neutron_mlnx_agent_config:
detach: false
image: {get_attr: [RoleParametersValue, value, ContainerNeutronConfigImage]}
net: host
pid: host
user: root
privileged: true
security_opt:
- label=disable
command:
- puppet
- apply
- --modulepath
- /etc/puppet/modules:/usr/share/openstack-puppet/modules
- -v
- -e
- "include tripleo::profile::base::neutron::agents::mlnx"
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/neutron_mlnx_agent.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro
- /lib/modules:/lib/modules:ro
- /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
- /var/lib/config-data/puppet-generated/neutron/etc/neutron:/etc/neutron
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
step_4:
neutron_mlnx_agent:
start_order: 10


@ -46,16 +46,6 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
DockerPuppetMountHostPuppet:
type: boolean
default: true
description: Whether containerized puppet executions use modules from the baremetal host. Defaults to true. Can be set to false to consume puppet modules from containers directly.
PythonInterpreter:
type: string
description: The python interpreter to use for python and ansible actions
@ -281,7 +271,7 @@ outputs:
collectd::plugin::ovs_stats::socket: '/run/openvswitch/db.sock'
puppet_config:
config_volume: neutron
puppet_tags: neutron_config,neutron_agent_ovs,neutron_plugin_ml2
puppet_tags: neutron_config,neutron_agent_ovs,neutron_plugin_ml2,vs_config
step_config: |
include tripleo::profile::base::neutron::ovs
config_image: {get_attr: [RoleParametersValue, value, ContainerNeutronConfigImage]}
@ -328,39 +318,6 @@ outputs:
params:
PYTHON: {get_param: PythonInterpreter}
docker_config:
step_3:
neutron_ovs_bridge:
detach: false
image: {get_attr: [RoleParametersValue, value, ContainerNeutronConfigImage]}
net: host
pid: host
user: root
privileged: true
security_opt:
- label=disable
command:
- puppet
- apply
- --modulepath
- /etc/puppet/modules:/usr/share/openstack-puppet/modules
- --tags
- file,file_line,concat,augeas,neutron::plugins::ovs::bridge,vs_config
- -v
- -e
- include neutron::agents::ml2::ovs
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/neutron_ovs_agent.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro
- /lib/modules:/lib/modules:ro
- /run/openvswitch:/run/openvswitch:shared,z
- if:
- {get_param: DockerPuppetMountHostPuppet}
- /usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
step_4:
neutron_ovs_agent:
start_order: 10
@ -421,6 +378,15 @@ outputs:
when:
- ansible_facts.selinux is defined
- ansible_facts.selinux.status == "enabled"
- block:
- name: Create the ovs bridges
shell: |
ovs-vsctl --may-exist add-br "{{ item.split(':')[1] }}"
with_items: {get_attr: [RoleParametersValue, value, 'neutron::agents::ml2::ovs::bridge_mappings']}
- name: Activate the ovs bridges
shell: |
ip link set dev "{{ item.split(':')[1] }}" up
with_items: {get_attr: [RoleParametersValue, value, 'neutron::agents::ml2::ovs::bridge_mappings']}
update_tasks:
# puppetlabs-firewall manages security rules via Puppet but make the rules
# consistent by default. Since Neutron also creates some rules, we don't
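Review bot: The two added tasks pass `item.split(':')[1]` through `shell:`, where the surrounding double quotes do not stop `$(...)` or backtick expansion, so a malformed `bridge_mappings` entry would be interpreted by a shell on the host (presumably with elevated privileges, since it manages bridges and links). Neither command uses shell features, so an argument vector avoids the shell entirely, e.g. `command: {argv: [ovs-vsctl, --may-exist, add-br, "{{ item.split(':')[1] }}"]}`, and likewise for `ip link set dev … up`. An entry without a colon also makes `[1]` fail at templating time with an opaque error, so a guard such as `when: "':' in item"` or an explicit validation task would help. The enclosing task list starts outside this hunk, so whether these tasks inherit a `when` or `become` from it cannot be seen here.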