From df31016a9af5003533f80989bcb8d3da42099953 Mon Sep 17 00:00:00 2001 From: Tim Rozet Date: Thu, 8 Mar 2018 10:59:14 -0500 Subject: [PATCH] Fixes certificate generation error for Neutron agents TLS certificates were introduced for the Neutron Base service in order for Neutron to securely communicate with OVS via SSL/TLS. However, the implementation only required Neutron DHCP agent (ODL deployment) to use the certificates. The other OVS agents are not used in ODL deployments and SSL/TLS use there may be added in the future. However, since other services inherit NeutronBase config_settings, they will attempt to generate certs. This certificate generation will fail because these services do not inherit metadata settings. This patch fixes the above issue by adding the metadata settings inheritance to every service derived from NeutronBase. Closes-Bug: 1754363 Change-Id: I87afc3a11efeefc1cfd768dfe817fbb3b2422694 
Signed-off-by: Tim Rozet --- docker/services/neutron-l3.yaml | 2 ++ docker/services/neutron-metadata.yaml | 2 ++ docker/services/neutron-ovs-agent.yaml | 2 ++ docker/services/neutron-ovs-dpdk-agent.yaml | 2 ++ docker/services/neutron-plugin-ml2-cisco-vts.yaml | 2 ++ docker/services/neutron-plugin-ml2.yaml | 2 ++ docker/services/neutron-sriov-agent.yaml | 2 ++ docker/services/ovn-metadata.yaml | 2 ++ puppet/services/neutron-l3-compute-dvr.yaml | 2 ++ puppet/services/neutron-l3.yaml | 2 ++ puppet/services/neutron-lbaas.yaml | 2 ++ puppet/services/neutron-linuxbridge-agent.yaml | 2 ++ puppet/services/neutron-metadata.yaml | 2 ++ puppet/services/neutron-ovs-agent.yaml | 2 ++ puppet/services/neutron-ovs-dpdk-agent.yaml | 2 ++ puppet/services/neutron-plugin-ml2-cisco-vts.yaml | 2 ++ puppet/services/neutron-plugin-ml2-fujitsu-cfab.yaml | 2 ++ puppet/services/neutron-plugin-ml2-fujitsu-fossw.yaml | 3 ++- puppet/services/neutron-plugin-ml2-nuage.yaml | 2 ++ puppet/services/neutron-plugin-ml2-odl.yaml | 2 ++ puppet/services/neutron-plugin-ml2-ovn.yaml | 2 ++ puppet/services/neutron-plugin-ml2.yaml | 2 ++ puppet/services/neutron-plugin-nuage.yaml | 2 ++ puppet/services/neutron-sriov-agent.yaml | 2 ++ puppet/services/neutron-sriov-host-config.yaml | 2 ++ puppet/services/neutron-vpp-agent.yaml | 4 +++- puppet/services/ovn-metadata.yaml | 2 ++ .../notes/fix-tls-neutron-agents-c40d5fc779d53bfa.yaml | 6 ++++++ 28 files changed, 61 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/fix-tls-neutron-agents-c40d5fc779d53bfa.yaml
diff --git a/docker/services/neutron-l3.yaml b/docker/services/neutron-l3.yaml
index 1b0d565f88..5f76ac33dd 100644
--- a/docker/services/neutron-l3.yaml
+++ b/docker/services/neutron-l3.yaml
@@ -117,6 +117,8 @@ outputs:
 - /run/netns:/run/netns:shared
 environment:
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ metadata_settings:
+ get_attr: [NeutronL3Base, role_data, metadata_settings]
 host_prep_tasks:
 list_concat:
 - {get_attr: [NeutronLogging, host_prep_tasks]}
diff --git a/docker/services/neutron-metadata.yaml b/docker/services/neutron-metadata.yaml
index 1cde3eb40f..037934ed86 100644
--- a/docker/services/neutron-metadata.yaml
+++ b/docker/services/neutron-metadata.yaml
@@ -115,6 +115,8 @@ outputs:
 - /var/lib/neutron:/var/lib/neutron
 environment:
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ metadata_settings:
+ get_attr: [NeutronMetadataBase, role_data, metadata_settings]
 host_prep_tasks:
 list_concat:
 - {get_attr: [NeutronLogging, host_prep_tasks]}
diff --git a/docker/services/neutron-ovs-agent.yaml b/docker/services/neutron-ovs-agent.yaml
index f5e29b588c..5185a03b15 100644
--- a/docker/services/neutron-ovs-agent.yaml
+++ b/docker/services/neutron-ovs-agent.yaml
@@ -155,6 +155,8 @@ outputs:
 - /run/openvswitch:/run/openvswitch
 environment:
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ metadata_settings:
+ get_attr: [NeutronOvsAgentBase, role_data, metadata_settings]
 host_prep_tasks: {get_attr: [NeutronLogging, host_prep_tasks]}
 upgrade_tasks:
 list_concat:
diff --git a/docker/services/neutron-ovs-dpdk-agent.yaml b/docker/services/neutron-ovs-dpdk-agent.yaml
index 18de01adca..583dd9a492 100644
--- a/docker/services/neutron-ovs-dpdk-agent.yaml
+++ b/docker/services/neutron-ovs-dpdk-agent.yaml
@@ -95,6 +95,8 @@ outputs:
 get_attr: [NeutronOvsAgentDockerBase, role_data, kolla_config]
 docker_config:
 get_attr: [NeutronOvsAgentDockerBase, role_data, docker_config]
+ metadata_settings:
+ get_attr: [NeutronOvsAgentDockerBase, role_data, metadata_settings]
 host_prep_tasks:
 get_attr: [NeutronOvsAgentDockerBase, role_data, host_prep_tasks]
 upgrade_tasks:
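Review bot: The added `metadata_settings` stanza in docker/services/neutron-l3.yaml makes the L3 agent service forward the certificate metadata of NeutronL3Base although, per the commit message, only the DHCP agent in ODL deployments actually uses the TLS certificate; the same two lines are repeated in the other 26 service templates of this patch. That removes the generation error, but it presumably also means a certificate and private key are requested on every role that carries any Neutron agent (the default Compute role, for example), which widens where key material lives. It would be worth either limiting the certificate-generating entries in NeutronBase `config_settings` to the services that use TLS, or documenting the intent above each stanza with a comment such as `# Forward NeutronBase metadata_settings so certificate requests inherited via config_settings can be satisfied`. The `outputs` block starts and ends outside the hunk, so the inherited `config_settings` are not visible here.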
diff --git a/docker/services/neutron-plugin-ml2-cisco-vts.yaml b/docker/services/neutron-plugin-ml2-cisco-vts.yaml
index 0529cb302f..2162adfc35 100644
--- a/docker/services/neutron-plugin-ml2-cisco-vts.yaml
+++ b/docker/services/neutron-plugin-ml2-cisco-vts.yaml
@@ -53,6 +53,8 @@ outputs:
 logging_source: {get_attr: [NeutronMl2VtsBase, role_data, logging_source]}
 logging_groups: {get_attr: [NeutronMl2VtsBase, role_data, logging_groups]}
 service_config_settings: {get_attr: [NeutronMl2VtsBase, role_data, service_config_settings]}
+ metadata_settings:
+ get_attr: [NeutronMl2VtsBase, role_data, metadata_settings]
 # BEGIN DOCKER SETTINGS
 puppet_config:
 config_volume: 'neutron'
diff --git a/docker/services/neutron-plugin-ml2.yaml b/docker/services/neutron-plugin-ml2.yaml
index f3c87eb441..ca3b712502 100644
--- a/docker/services/neutron-plugin-ml2.yaml
+++ b/docker/services/neutron-plugin-ml2.yaml
@@ -56,6 +56,8 @@ outputs:
 logging_source: {get_attr: [NeutronBase, role_data, logging_source]}
 logging_groups: {get_attr: [NeutronBase, role_data, logging_groups]}
 service_config_settings: {get_attr: [NeutronBase, role_data, service_config_settings]}
+ metadata_settings:
+ get_attr: [NeutronBase, role_data, metadata_settings]
 # BEGIN DOCKER SETTINGS
 puppet_config:
 config_volume: 'neutron'
diff --git a/docker/services/neutron-sriov-agent.yaml b/docker/services/neutron-sriov-agent.yaml
index 4c566bfc66..2872097c19 100644
--- a/docker/services/neutron-sriov-agent.yaml
+++ b/docker/services/neutron-sriov-agent.yaml
@@ -110,6 +110,8 @@ outputs:
 environment:
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
 host_prep_tasks: {get_attr: [NeutronLogging, host_prep_tasks]}
+ metadata_settings:
+ get_attr: [NeutronSriovAgentBase, role_data, metadata_settings]
 upgrade_tasks:
 - name: Check if neutron_sriov_nic_agent is deployed
 command: systemctl is-enabled --quiet neutron-sriov-nic-agent
diff --git a/docker/services/ovn-metadata.yaml b/docker/services/ovn-metadata.yaml
index 4d4834160d..89da739278 100644
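Review bot: In docker/services/neutron-sriov-agent.yaml the new `metadata_settings` key is inserted after `host_prep_tasks`, whereas the other docker agent templates in this patch (neutron-l3, neutron-metadata, neutron-ovs-agent, neutron-ovs-dpdk-agent, ovn-metadata) place it before `host_prep_tasks`. Key order has no effect on the template, but a uniform position makes it much easier to audit which NeutronBase-derived services forward the certificate metadata and which were missed. Moving the two added lines above `host_prep_tasks:` would match the rest of the patch.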
--- a/docker/services/ovn-metadata.yaml
+++ b/docker/services/ovn-metadata.yaml
@@ -138,6 +138,8 @@ outputs:
 - /run/netns:/run/netns:shared
 environment:
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ metadata_settings:
+ get_attr: [OVNMetadataBase, role_data, metadata_settings]
 host_prep_tasks:
 list_concat:
 - {get_attr: [NeutronLogging, host_prep_tasks]}
diff --git a/puppet/services/neutron-l3-compute-dvr.yaml b/puppet/services/neutron-l3-compute-dvr.yaml
index ae31e677d5..5a4900738f 100644
--- a/puppet/services/neutron-l3-compute-dvr.yaml
+++ b/puppet/services/neutron-l3-compute-dvr.yaml
@@ -92,3 +92,5 @@ outputs:
 - {get_param: NeutronL3ComputeAgentLoggingSource}
 step_config: |
 include tripleo::profile::base::neutron::l3
+ metadata_settings:
+ get_attr: [NeutronBase, role_data, metadata_settings]
diff --git a/puppet/services/neutron-l3.yaml b/puppet/services/neutron-l3.yaml
index c6a179d5b3..ba290c1ad9 100644
--- a/puppet/services/neutron-l3.yaml
+++ b/puppet/services/neutron-l3.yaml
@@ -131,3 +131,5 @@ outputs:
 - step|int == 1
 - neutron_l3_agent_enabled.rc == 0
 service: name=neutron-l3-agent state=stopped
+ metadata_settings:
+ get_attr: [NeutronBase, role_data, metadata_settings]
diff --git a/puppet/services/neutron-lbaas.yaml b/puppet/services/neutron-lbaas.yaml
index 117d81c1f9..b7c897b157 100644
--- a/puppet/services/neutron-lbaas.yaml
+++ b/puppet/services/neutron-lbaas.yaml
@@ -81,3 +81,5 @@ outputs:
 horizon:
 horizon::neutron_options:
 enable_lb: True
+ metadata_settings:
+ get_attr: [NeutronBase, role_data, metadata_settings]
diff --git a/puppet/services/neutron-linuxbridge-agent.yaml b/puppet/services/neutron-linuxbridge-agent.yaml
index 0fb99631a8..6f5bda88f6 100644
--- a/puppet/services/neutron-linuxbridge-agent.yaml
+++ b/puppet/services/neutron-linuxbridge-agent.yaml
@@ -86,3 +86,5 @@ outputs:
 - neutron::agents::ml2::linuxbridge::firewall_driver: {get_param: NeutronLinuxbridgeFirewallDriver}
 step_config: |
 include ::tripleo::profile::base::neutron::linuxbridge
+ metadata_settings:
+ get_attr: [NeutronBase, role_data, metadata_settings]
diff --git a/puppet/services/neutron-metadata.yaml b/puppet/services/neutron-metadata.yaml
index 4bd2d6a450..7f747fd7ed 100644
--- a/puppet/services/neutron-metadata.yaml
+++ b/puppet/services/neutron-metadata.yaml
@@ -148,3 +148,5 @@ outputs:
 - step|int == 1
 - neutron_metadata_agent_enabled.rc == 0
 service: name=neutron-metadata-agent state=stopped
+ metadata_settings:
+ get_attr: [NeutronBase, role_data, metadata_settings]
diff --git a/puppet/services/neutron-ovs-agent.yaml b/puppet/services/neutron-ovs-agent.yaml
index ec1ec16ae2..0d8ac5f593 100644
--- a/puppet/services/neutron-ovs-agent.yaml
+++ b/puppet/services/neutron-ovs-agent.yaml
@@ -184,3 +184,5 @@ outputs:
 - step|int == 1
 - neutron_ovs_agent_enabled.rc == 0
 service: name=neutron-openvswitch-agent state=stopped
+ metadata_settings:
+ get_attr: [NeutronBase, role_data, metadata_settings]
diff --git a/puppet/services/neutron-ovs-dpdk-agent.yaml b/puppet/services/neutron-ovs-dpdk-agent.yaml
index 609c709fd0..d5ec16566a 100644
--- a/puppet/services/neutron-ovs-dpdk-agent.yaml
+++ b/puppet/services/neutron-ovs-dpdk-agent.yaml
@@ -125,3 +125,5 @@ outputs:
 step_config: {get_attr: [NeutronOvsAgent, role_data, step_config]}
 upgrade_tasks:
 get_attr: [Ovs, role_data, upgrade_tasks]
+ metadata_settings:
+ get_attr: [NeutronOvsAgent, role_data, metadata_settings]
diff --git a/puppet/services/neutron-plugin-ml2-cisco-vts.yaml b/puppet/services/neutron-plugin-ml2-cisco-vts.yaml
index d7f30925c1..e6e4f7c50b 100644
--- a/puppet/services/neutron-plugin-ml2-cisco-vts.yaml
+++ b/puppet/services/neutron-plugin-ml2-cisco-vts.yaml
@@ -85,3 +85,5 @@ outputs:
 neutron::plugins::ml2::cisco::vts::vts_timeout: {get_param: VTSTimeout}
 step_config: |
 include ::tripleo::profile::base::neutron::plugins::ml2
+ metadata_settings:
+ get_attr: [NeutronMl2Base, role_data, metadata_settings]
diff --git a/puppet/services/neutron-plugin-ml2-fujitsu-cfab.yaml b/puppet/services/neutron-plugin-ml2-fujitsu-cfab.yaml
index 9063908da7..00b5610ee9 100644
--- a/puppet/services/neutron-plugin-ml2-fujitsu-cfab.yaml
+++ b/puppet/services/neutron-plugin-ml2-fujitsu-cfab.yaml
@@ -86,3 +86,5 @@ outputs:
 neutron::plugins::ml2::fujitsu::cfab::save_config: {get_param: NeutronFujitsuCfabSaveConfig}
 step_config: |
 include ::tripleo::profile::base::neutron::plugins::ml2
+ metadata_settings:
+ get_attr: [NeutronMl2Base, role_data, metadata_settings]
diff --git a/puppet/services/neutron-plugin-ml2-fujitsu-fossw.yaml b/puppet/services/neutron-plugin-ml2-fujitsu-fossw.yaml
index 843653590c..3c44995cad 100644
--- a/puppet/services/neutron-plugin-ml2-fujitsu-fossw.yaml
+++ b/puppet/services/neutron-plugin-ml2-fujitsu-fossw.yaml
@@ -90,4 +90,5 @@ outputs:
 neutron::plugins::ml2::fujitsu::fossw::ovsdb_port: {get_param: NeutronFujitsuFosswOvsdbPort}
 step_config: |
 include ::tripleo::profile::base::neutron::plugins::ml2
-
+ metadata_settings:
+ get_attr: [NeutronMl2Base, role_data, metadata_settings]
diff --git a/puppet/services/neutron-plugin-ml2-nuage.yaml b/puppet/services/neutron-plugin-ml2-nuage.yaml
index d7c2214583..bea8e2fef3 100644
--- a/puppet/services/neutron-plugin-ml2-nuage.yaml
+++ b/puppet/services/neutron-plugin-ml2-nuage.yaml
@@ -109,3 +109,5 @@ outputs:
 nova::patch::config::monkey_patch_modules: {get_param: NovaPatchConfigMonkeyPatchModules}
 step_config: |
 include tripleo::profile::base::neutron::plugins::ml2
+ metadata_settings:
+ get_attr: [NeutronMl2Base, role_data, metadata_settings]
diff --git a/puppet/services/neutron-plugin-ml2-odl.yaml b/puppet/services/neutron-plugin-ml2-odl.yaml
index b72ddc200d..cc6e21494c 100644
--- a/puppet/services/neutron-plugin-ml2-odl.yaml
+++ b/puppet/services/neutron-plugin-ml2-odl.yaml
@@ -71,3 +71,5 @@ outputs:
 - {}
 step_config: |
 include ::tripleo::profile::base::neutron::plugins::ml2
+ metadata_settings:
+ get_attr: [NeutronMl2Base, role_data, metadata_settings]
diff --git a/puppet/services/neutron-plugin-ml2-ovn.yaml b/puppet/services/neutron-plugin-ml2-ovn.yaml
index 8356526d45..07fbd2d177 100644
--- a/puppet/services/neutron-plugin-ml2-ovn.yaml
+++ b/puppet/services/neutron-plugin-ml2-ovn.yaml
@@ -103,3 +103,5 @@ outputs:
 neutron::plugins::ml2::ovn::dvr_enabled: {get_param: NeutronEnableDVR}
 step_config: |
 include ::tripleo::profile::base::neutron::plugins::ml2
+ metadata_settings:
+ get_attr: [NeutronMl2Base, role_data, metadata_settings]
diff --git a/puppet/services/neutron-plugin-ml2.yaml b/puppet/services/neutron-plugin-ml2.yaml
index aeb2b25ab5..4af3c55b79 100644
--- a/puppet/services/neutron-plugin-ml2.yaml
+++ b/puppet/services/neutron-plugin-ml2.yaml
@@ -118,3 +118,5 @@ outputs:
 service_config_settings:
 horizon:
 neutron::plugins::ml2::mechanism_drivers: {get_param: NeutronMechanismDrivers}
+ metadata_settings:
+ get_attr: [NeutronBase, role_data, metadata_settings]
diff --git a/puppet/services/neutron-plugin-nuage.yaml b/puppet/services/neutron-plugin-nuage.yaml
index 4a4d6515d3..e562acea17 100644
--- a/puppet/services/neutron-plugin-nuage.yaml
+++ b/puppet/services/neutron-plugin-nuage.yaml
@@ -97,3 +97,5 @@ outputs:
 nova::api::use_forwarded_for: {get_param: UseForwardedFor}
 step_config: |
 include tripleo::profile::base::neutron::plugins::nuage
+ metadata_settings:
+ get_attr: [NeutronBase, role_data, metadata_settings]
diff --git a/puppet/services/neutron-sriov-agent.yaml b/puppet/services/neutron-sriov-agent.yaml
index fc99ee25a7..5bf5917b8c 100644
--- a/puppet/services/neutron-sriov-agent.yaml
+++ b/puppet/services/neutron-sriov-agent.yaml
@@ -131,3 +131,5 @@ outputs:
 - step|int == 1
 - neutron_sriov_nic_agent_enabled.rc == 0
 service: name=neutron-sriov-nic-agent state=stopped
+ metadata_settings:
+ get_attr: [NeutronBase, role_data, metadata_settings]
diff --git a/puppet/services/neutron-sriov-host-config.yaml b/puppet/services/neutron-sriov-host-config.yaml
index 511a90333e..29ed5d4453 100644
--- a/puppet/services/neutron-sriov-host-config.yaml
+++ b/puppet/services/neutron-sriov-host-config.yaml
@@ -78,3 +78,5 @@ outputs:
 - get_attr: [RoleParametersValue, value]
 step_config: |
 include ::tripleo::host::sriov
+ metadata_settings:
+ get_attr: [NeutronBase, role_data, metadata_settings]
diff --git a/puppet/services/neutron-vpp-agent.yaml b/puppet/services/neutron-vpp-agent.yaml
index f45ab6a8e4..9e63245648 100644
--- a/puppet/services/neutron-vpp-agent.yaml
+++ b/puppet/services/neutron-vpp-agent.yaml
@@ -58,4 +58,6 @@ outputs:
 - get_attr: [NeutronBase, role_data, config_settings]
 - tripleo::profile::base::neutron::agents::vpp::physnet_mapping: {get_param: NeutronVPPAgentPhysnets}
 step_config: |
- include ::tripleo::profile::base::neutron::agents::vpp
\ No newline at end of file
+ include ::tripleo::profile::base::neutron::agents::vpp
+ metadata_settings:
+ get_attr: [NeutronBase, role_data, metadata_settings]
diff --git a/puppet/services/ovn-metadata.yaml b/puppet/services/ovn-metadata.yaml
index f371772460..9461df4b30 100644
--- a/puppet/services/ovn-metadata.yaml
+++ b/puppet/services/ovn-metadata.yaml
@@ -124,3 +124,5 @@ outputs:
 - step|int == 1
 - neutron_metadata_agent_enabled.rc == 0
 service: name=networking-ovn-metadata-agent state=stopped
+ metadata_settings:
+ get_attr: [NeutronBase, role_data, metadata_settings]
diff --git a/releasenotes/notes/fix-tls-neutron-agents-c40d5fc779d53bfa.yaml b/releasenotes/notes/fix-tls-neutron-agents-c40d5fc779d53bfa.yaml
new file mode 100644
index 0000000000..6975787402
--- /dev/null
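Review bot: In puppet/services/neutron-sriov-host-config.yaml the visible context shows only `get_attr: [RoleParametersValue, value]` and `include ::tripleo::host::sriov`, so this hunk does not establish that the template merges NeutronBase `config_settings` (the stated reason the metadata is needed) or that it declares a `NeutronBase` resource at all. If it does not, the added `get_attr: [NeutronBase, role_data, metadata_settings]` would either fail template validation or request certificate metadata for a host-configuration service that never uses TLS. Please confirm against the template's `resources` and `config_settings` sections, and drop the stanza here if the inheritance is absent. The `outputs` block begins outside the hunk.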
+++ b/releasenotes/notes/fix-tls-neutron-agents-c40d5fc779d53bfa.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Fixes failure to create Neutron certificates for roles which do not
+ contain Neutron DHCP agent, but include other Neutron agents
+ (i.e. default Compute role).