From c275d7870310fc6dc081855eca9d8e8e7c81545f Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Tue, 18 Jan 2022 23:16:49 +0900 Subject: [PATCH] Do not run puppet in docker_config The docker_config is not intended for puppet execution and doesn't automatically present the common requirements like fact cache generated on host to run puppet inside containers. This merges puppet execution into the base puppet_task to simplify puppet execution. Because creating ovs bridge requires access to host pids which is not allowed to container puppet tasks, that specific task is re-implemented by host prep tasks. Closes-Bug: #1958240 Change-Id: I7d647afbf26ea11aff4d51cc3ea734881bf5cd32 --- ...ron-agents-ib-config-container-puppet.yaml | 41 +++----------- .../neutron-mlnx-agent-container-puppet.yaml | 38 +------------ .../neutron-ovs-agent-container-puppet.yaml | 54 ++++--------------- 3 files changed, 19 insertions(+), 114 deletions(-) diff --git a/deployment/neutron/neutron-agents-ib-config-container-puppet.yaml b/deployment/neutron/neutron-agents-ib-config-container-puppet.yaml index a363fc44b4..82242e6292 100644 --- a/deployment/neutron/neutron-agents-ib-config-container-puppet.yaml +++ b/deployment/neutron/neutron-agents-ib-config-container-puppet.yaml @@ -32,12 +32,6 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json - DeployIdentifier: - default: '' - type: string - description: > - Setting this to a unique value will re-run any deployment tasks which - perform configuration on a Heat stack-update. MultiInterfaceDriverMappings: type: comma_delimited_list default: "" 
@@ -92,34 +86,13 @@ outputs: neutron::agents::ml2::mlnx::dhcp_broadcast_reply: true neutron::agents::ml2::mlnx::interface_driver : 'multi' neutron::agents::ml2::mlnx::enable_multi_interface_driver_cache_maintenance : true - docker_config: - step_3: - neutron_agents_ib_config: - detach: false - image: {get_attr: [RoleParametersValue, value, ContainerNeutronConfigImage]} - net: host - pid: host - user: root - privileged: true - security_opt: - - label=disable - command: - - puppet - - apply - - --modulepath - - /etc/puppet/modules:/usr/share/openstack-puppet/modules - - -v - - -e - - "include neutron::agents::ml2::mlnx" - volumes: - list_concat: - - {get_attr: [ContainersCommon, volumes]} - - - /lib/modules:/lib/modules:ro - - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro - - /var/lib/config-data/puppet-generated/neutron/etc/neutron:/etc/neutron - environment: - KOLLA_CONFIG_STRATEGY: COPY_ALWAYS - TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier} + puppet_config: + config_volume: 'neutron' + puppet_tags: eswitchd_config,neutron_dhcp_agent_config,neutron_l3_agent_config,neutron_mlnx_agent_config + step_config: | + include tripleo::profile::base::neutron::agents::mlnx + config_image: {get_attr: [RoleParametersValue, value, ContainerNeutronConfigImage]} + docker_config: {} metadata_settings: get_attr: [NeutronBase, role_data, metadata_settings] upgrade_tasks: [] diff --git a/deployment/neutron/neutron-mlnx-agent-container-puppet.yaml b/deployment/neutron/neutron-mlnx-agent-container-puppet.yaml index 7547722dd5..7138c9fb5c 100644 --- a/deployment/neutron/neutron-mlnx-agent-container-puppet.yaml +++ b/deployment/neutron/neutron-mlnx-agent-container-puppet.yaml 
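Review bot: The new `puppet_config` restricts the run to the listed `puppet_tags`, whereas the removed step_3 container ran `puppet apply` with no `--tags` and included `neutron::agents::ml2::mlnx` rather than `tripleo::profile::base::neutron::agents::mlnx`, so any resource type outside that list would no longer be applied. It is worth confirming that the profile class still consumes the `neutron::agents::ml2::mlnx::*` hieradata set just above and that the tag list covers every resource type it manages. The same tag list is added in neutron-mlnx-agent-container-puppet.yaml (hunk `@@ -117,9 +111,10 @@`), so the two copies need to stay in sync. I would also add a comment above `docker_config: {}`, for example `# puppet runs through puppet_config; do not reintroduce a privileged step_3 puppet container here`.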
@@ -37,12 +37,6 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json - DeployIdentifier: - default: '' - type: string - description: > - Setting this to a unique value will re-run any deployment tasks which - perform configuration on a Heat stack-update. NeutronPhysicalDevMappings: description: > List of : @@ -117,9 +111,10 @@ outputs: - get_attr: [MlnxAgentLogging, config_settings] puppet_config: config_volume: 'neutron' - puppet_tags: neutron_plugin_ml2 + puppet_tags: neutron_plugin_ml2,eswitchd_config,neutron_dhcp_agent_config,neutron_l3_agent_config,neutron_mlnx_agent_config step_config: | include tripleo::profile::base::neutron::plugins::ml2 + include tripleo::profile::base::neutron::agents::mlnx config_image: {get_attr: [RoleParametersValue, value, ContainerNeutronConfigImage]} kolla_config: /var/lib/kolla/config_files/neutron_mlnx_agent.json: 
@@ -153,35 +148,6 @@ outputs: owner: neutron:neutron recurse: true docker_config: - step_3: - neutron_mlnx_agent_config: - detach: false - image: {get_attr: [RoleParametersValue, value, ContainerNeutronConfigImage]} - net: host - pid: host - user: root - privileged: true - security_opt: - - label=disable - command: - - puppet - - apply - - --modulepath - - /etc/puppet/modules:/usr/share/openstack-puppet/modules - - -v - - -e - - "include tripleo::profile::base::neutron::agents::mlnx" - volumes: - list_concat: - - {get_attr: [ContainersCommon, volumes]} - - - /var/lib/kolla/config_files/neutron_mlnx_agent.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro - - /lib/modules:/lib/modules:ro - - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro - - /var/lib/config-data/puppet-generated/neutron/etc/neutron:/etc/neutron - environment: - KOLLA_CONFIG_STRATEGY: COPY_ALWAYS - TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier} step_4: neutron_mlnx_agent: start_order: 10 diff --git a/deployment/neutron/neutron-ovs-agent-container-puppet.yaml b/deployment/neutron/neutron-ovs-agent-container-puppet.yaml index 9acd0646d3..7cd9a06820 100644 --- a/deployment/neutron/neutron-ovs-agent-container-puppet.yaml +++ b/deployment/neutron/neutron-ovs-agent-container-puppet.yaml 
@@ -46,16 +46,6 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json - DeployIdentifier: - default: '' - type: string - description: > - Setting this to a unique value will re-run any deployment tasks which - perform configuration on a Heat stack-update. - DockerPuppetMountHostPuppet: - type: boolean - default: true - description: Whether containerized puppet executions use modules from the baremetal host. Defaults to true. Can be set to false to consume puppet modules from containers directly. PythonInterpreter: type: string description: The python interpreter to use for python and ansible actions @@ -281,7 +271,7 @@ outputs: collectd::plugin::ovs_stats::socket: '/run/openvswitch/db.sock' puppet_config: config_volume: neutron - puppet_tags: neutron_config,neutron_agent_ovs,neutron_plugin_ml2 + puppet_tags: neutron_config,neutron_agent_ovs,neutron_plugin_ml2,vs_config step_config: | include tripleo::profile::base::neutron::ovs config_image: {get_attr: [RoleParametersValue, value, ContainerNeutronConfigImage]} 
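Review bot: Adding `vs_config` to `puppet_tags` in the `@@ -281,7 +271,7 @@` hunk moves Open vSwitch database changes into the config-generation container, but the hunk adds no `volumes` entry under `puppet_config`, while the step_3 container removed later in this file mounted `/run/openvswitch:/run/openvswitch:shared,z`. If the base puppet task does not already expose the OVS socket, the `vs_config` resources would presumably fail or do nothing. Adding `volumes:` with `- /run/openvswitch:/run/openvswitch:shared,z` under `puppet_config` would make that access explicit. Because the mount lets the config container change host switch state, it should carry a comment saying why it is needed. The `puppet_config` mapping continues past the end of the hunk, so such a mount may already exist there.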
@@ -328,39 +318,6 @@ outputs: params: PYTHON: {get_param: PythonInterpreter} docker_config: - step_3: - neutron_ovs_bridge: - detach: false - image: {get_attr: [RoleParametersValue, value, ContainerNeutronConfigImage]} - net: host - pid: host - user: root - privileged: true - security_opt: - - label=disable - command: - - puppet - - apply - - --modulepath - - /etc/puppet/modules:/usr/share/openstack-puppet/modules - - --tags - - file,file_line,concat,augeas,neutron::plugins::ovs::bridge,vs_config - - -v - - -e - - include neutron::agents::ml2::ovs - volumes: - list_concat: - - {get_attr: [ContainersCommon, volumes]} - - - /var/lib/kolla/config_files/neutron_ovs_agent.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro - - /lib/modules:/lib/modules:ro - - /run/openvswitch:/run/openvswitch:shared,z - - if: - - {get_param: DockerPuppetMountHostPuppet} - - /usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro - environment: - KOLLA_CONFIG_STRATEGY: COPY_ALWAYS - TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier} step_4: neutron_ovs_agent: start_order: 10 @@ -421,6 +378,15 @@ outputs: when: - ansible_facts.selinux is defined - ansible_facts.selinux.status == "enabled" + - block: + - name: Create the ovs bridges + shell: | + ovs-vsctl --may-exist add-br "{{ item.split(':')[1] }}" + with_items: {get_attr: [RoleParametersValue, value, 'neutron::agents::ml2::ovs::bridge_mappings']} + - name: Activate the ovs bridges + shell: | + ip link set dev "{{ item.split(':')[1] }}" up + with_items: {get_attr: [RoleParametersValue, value, 'neutron::agents::ml2::ovs::bridge_mappings']} update_tasks: # puppetlabs-firewall manages security rules via Puppet but make the rules # consistent by default. Since Neutron also creates some rules, we don't
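Review bot: The two tasks added in the `@@ -421,6 +378,15 @@` hunk template `{{ item.split(':')[1] }}` into a `shell:` script, and the double quotes around it do not neutralise command substitution or an embedded quote, so a malformed `bridge_mappings` entry would be interpreted by the host shell. Neither command needs a shell; `command: ovs-vsctl --may-exist add-br {{ item.split(':')[1] | quote }}` and `command: ip link set dev {{ item.split(':')[1] | quote }} up` avoid it. An entry without a `:` would also fail on the `[1]` index with a template error, so validating the mapping format first would give a clearer failure. The `block:` wrapper has no `name` or `when`, and the task list it belongs to starts outside the hunk, so whether openvswitch is already running on the host when these tasks execute cannot be confirmed from here.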