heat_template_version: wallaby description: > OpenStack containerized Ovn Controller agent. parameters: RootStackName: description: The name of the stack/plan. type: string EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json ServiceData: default: {} description: Dictionary packing service data type: json ContainerOvnControllerImage: description: image type: string ContainerOvnControllerConfigImage: description: The container image to use for the ovn_controller config_volume type: string RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json DeployIdentifier: default: '' type: string description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. OVNSouthboundServerPort: description: Port of the Southbound DB Server type: number default: 6642 NeutronBridgeMappings: description: > The OVS logical->physical bridge mappings to use. See the Neutron documentation for details. Defaults to mapping br-ex - the external bridge on hosts - to a physical name 'datacentre' which can be used to create provider networks (and we use this for the default floating network) - if changing this either use different post-install network scripts or be sure to keep 'datacentre' as a mapping network name. type: comma_delimited_list default: "datacentre:br-ex" tags: - role_specific EnableVLANTransparency: default: false description: > If True, then allow plugins that support it to create VLAN transparent networks. type: boolean OVNEncapType: description: > Type of encapsulation used in OVN. It can be "geneve" or "vxlan". type: string default: "geneve" constraints: - allowed_values: ["geneve", "vxlan"] OVNIntegrationBridge: description: > Name of the OVS bridge to use as integration bridge by OVN Controller. type: string default: "br-int" OVNMetadataEnabled: description: Whether Metadata Service has to be enabled type: boolean default: true OVNCMSOptions: description: The CMS options to configure in ovs db type: string default: "" tags: - role_specific OvsHwOffload: default: false description: | Enable OVS Hardware Offload. This feature supported from OVS 2.8.0 type: boolean tags: - role_specific OVNRemoteProbeInterval: description: Probe interval in ms type: number default: 60000 EnableInternalTLS: type: boolean default: false InternalTLSCAFile: default: '/etc/ipa/ca.crt' type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. OVNOpenflowProbeInterval: description: > The inactivity probe interval of the OpenFlow connection to the OpenvSwitch integration bridge, in seconds. type: number default: 60 CertificateKeySize: type: string default: '2048' description: Specifies the private key size used when creating the certificate. ContainerOvnCertificateKeySize: type: string default: '' description: Override the private key size used when creating the certificate for this service OVNStaticBridgeMacMappings: type: json default: {} description: | Static OVN Bridge MAC address mappings. Unique OVN bridge mac addresses is dynamically allocated by creating neutron ports. When neutron isn't available, for instance in the standalone deployment, use this parameter to provide static OVN bridge mac addresses. For example: controller-0: datacenter: 00:00:5E:00:53:00 provider: 00:00:5E:00:53:01 compute-0: datacenter: 00:00:5E:00:54:00 provider: 00:00:5E:00:54:01 tags: - role_specific conditions: force_config_drive: {equals: [{get_param: OVNMetadataEnabled}, false]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} key_size_override_unset: {equals: [{get_param: ContainerOvnCertificateKeySize}, '']} enable_vlan_transparency: {equals: [{get_param: EnableVLANTransparency}, true]} resources: ContainersCommon: type: ../containers-common.yaml # Merging role-specific parameters (RoleParameters) with the default parameters. # RoleParameters will have the precedence over the default parameters. RoleParametersValue: type: OS::Heat::Value properties: type: json value: map_replace: - map_replace: - ovn::controller::ovn_bridge_mappings: NeutronBridgeMappings ovn::controller::ovn_cms_options: OVNCMSOptions vswitch::ovs::enable_hw_offload: OvsHwOffload - values: {get_param: [RoleParameters]} - values: NeutronBridgeMappings: {get_param: NeutronBridgeMappings} OVNCMSOptions: {get_param: OVNCMSOptions} OvsHwOffload: {get_param: OvsHwOffload} OVNBridgeMappingsValue: type: OS::Heat::Value properties: type: json value: map_replace: - map_replace: - ovn_bridge_mappings: NeutronBridgeMappings ovn_static_bridge_mac_mappings: OVNStaticBridgeMacMappings - values: {get_param: [RoleParameters]} - values: NeutronBridgeMappings: {get_param: NeutronBridgeMappings} OVNStaticBridgeMacMappings: {get_param: OVNStaticBridgeMacMappings} outputs: role_data: description: Role data for the Ovn Controller agent. value: service_name: ovn_controller firewall_rules: '118 neutron vxlan networks': proto: 'udp' dport: 4789 '119 neutron geneve networks': proto: 'udp' dport: 6081 '120 neutron geneve networks no conntrack': proto: 'udp' dport: 6081 table: 'raw' chain: 'OUTPUT' jump: 'NOTRACK' action: 'append' state: [] '121 neutron geneve networks no conntrack': proto: 'udp' dport: 6081 table: 'raw' chain: 'PREROUTING' jump: 'NOTRACK' action: 'append' state: [] config_settings: map_merge: - get_attr: [RoleParametersValue, value] - ovn::southbound::port: {get_param: OVNSouthboundServerPort} ovn::controller::ovn_encap_ip: str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, NeutronTenantNetwork]} ovn::controller::ovn_encap_type: {get_param: OVNEncapType} ovn::controller::ovn_bridge: {get_param: OVNIntegrationBridge} ovn::controller::hostname: "%{hiera('fqdn_canonical')}" ovn::controller::ovn_remote_probe_interval: {get_param: OVNRemoteProbeInterval} ovn::controller::ovn_openflow_probe_interval: {get_param: OVNOpenflowProbeInterval} - if: - force_config_drive - nova::compute::force_config_drive: true - {} - if: - internal_tls_enabled - tripleo::profile::base::neutron::agents::ovn::protocol: 'ssl' - {} - if: - enable_vlan_transparency - vswitch::ovs::vlan_limit: 0 - {} service_config_settings: {} # BEGIN DOCKER SETTINGS puppet_config: puppet_tags: vs_config,exec config_volume: ovn_controller step_config: | include tripleo::profile::base::neutron::agents::ovn config_image: {get_param: ContainerOvnControllerConfigImage} # We need to mount /run for puppet_config step. This is because # puppet-vswitch runs the commands "ovs-vsctl set open_vswitch . external_ids:..." # to configure the required parameters in ovs db which will be read # by ovn-controller. And ovs-vsctl talks to the ovsdb-server (hosting conf.db) # on the unix domain socket - /run/openvswitch/db.sock volumes: - /lib/modules:/lib/modules:ro - /run/openvswitch:/run/openvswitch:shared,z # Needed for creating module load files - /etc/sysconfig/modules:/etc/sysconfig/modules kolla_config: /var/lib/kolla/config_files/ovn_controller.json: command: list_join: - ' ' - - /usr/bin/ovn-controller --pidfile --log-file unix:/run/openvswitch/db.sock - if: - internal_tls_enabled - list_join: - ' ' - - -p /etc/pki/tls/private/ovn_controller.key -c /etc/pki/tls/certs/ovn_controller.crt -C - {get_param: InternalTLSCAFile} - '' permissions: - path: /var/log/openvswitch owner: root:root recurse: true - path: /var/log/ovn owner: root:root recurse: true metadata_settings: if: - internal_tls_enabled - - service: ovn_controller network: {get_param: [ServiceNetMap, OvnDbsNetwork]} type: node - null docker_config: step_4: configure_cms_options: start_order: 0 detach: false net: host privileged: true user: root command: ['/bin/bash', '-c', 'CMS_OPTS=$(hiera ovn::controller::ovn_cms_options -c /etc/puppet/hiera.yaml); if [ X"$CMS_OPTS" != X ]; then ovs-vsctl set open . external_ids:ovn-cms-options=$CMS_OPTS;else ovs-vsctl remove open . external_ids ovn-cms-options; fi'] image: &ovn_controller_image {get_param: ContainerOvnControllerImage} volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - /lib/modules:/lib/modules:ro - /run/openvswitch:/run/openvswitch:shared,z environment: TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier} ovn_controller: start_order: 1 image: *ovn_controller_image net: host privileged: true user: root restart: always depends_on: - openvswitch.service healthcheck: test: list_join: - ' ' - - '/openstack/healthcheck' - yaql: expression: str($.data.port) data: port: {get_param: OVNSouthboundServerPort} volumes: list_concat: - - /var/lib/kolla/config_files/ovn_controller.json:/var/lib/kolla/config_files/config.json:ro - /lib/modules:/lib/modules:ro # TODO(numans): This is temporary. Mount /run/openvswitch once # openvswitch systemd script is fixed to not delete /run/openvswitch # folder in the host when openvswitch service is stopped. - /run:/run - /var/lib/openvswitch/ovn:/run/ovn:shared,z - /var/log/containers/openvswitch:/var/log/openvswitch:z - /var/log/containers/openvswitch:/var/log/ovn:z - if: - internal_tls_enabled - - list_join: - ':' - - {get_param: InternalTLSCAFile} - {get_param: InternalTLSCAFile} - 'ro' - /etc/pki/tls/certs/ovn_controller.crt:/etc/pki/tls/certs/ovn_controller.crt - /etc/pki/tls/private/ovn_controller.key:/etc/pki/tls/private/ovn_controller.key - null environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS deploy_steps_tasks: - name: Certificate generation when: - step|int == 1 - enable_internal_tls block: - include_role: name: linux-system-roles.certificate vars: certificate_requests: - name: ovn_controller dns: str_replace: template: "{{fqdn_$NETWORK}}" params: $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} principal: str_replace: template: "ovn_controller/{{fqdn_$NETWORK}}@{{idm_realm}}" params: $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} key_size: if: - key_size_override_unset - {get_param: CertificateKeySize} - {get_param: ContainerOvnCertificateKeySize} ca: ipa host_prep_tasks: - name: create persistent directories file: path: "{{ item.path }}" state: directory setype: "{{ item.setype }}" mode: "{{ item.mode|default(omit) }}" with_items: - { 'path': /var/log/containers/openvswitch, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/lib/openvswitch/ovn, 'setype': container_file_t } - name: enable virt_sandbox_use_netlink for healthcheck seboolean: name: virt_sandbox_use_netlink persistent: yes state: yes - name: Copy in cleanup script copy: content: {get_file: ../neutron/neutron-cleanup} dest: '/usr/libexec/neutron-cleanup' force: yes mode: '0755' - name: Copy in cleanup service copy: content: {get_file: ../neutron/neutron-cleanup.service} dest: '/usr/lib/systemd/system/neutron-cleanup.service' force: yes - name: Enabling the cleanup service service: name: neutron-cleanup enabled: yes external_deploy_tasks: - when: - step|int == 0 name: ovn_controller_external_deploy_init block: - name: str_replace: template: create ovn mac address for $ROLE_NAME role nodes params: $ROLE_NAME: {get_param: RoleName} tripleo_ovn_mac_addresses: playbook_dir: "{{ playbook_dir }}" stack_name: {get_param: RootStackName} role_name: {get_param: RoleName} server_resource_names: str_replace: template: '{{ groups["$ROLE_NAME"] }}' params: $ROLE_NAME: {get_param: RoleName} ovn_bridge_mappings: {get_attr: [OVNBridgeMappingsValue, value, ovn_bridge_mappings]} ovn_static_bridge_mac_mappings: {get_attr: [OVNBridgeMappingsValue, value, ovn_static_bridge_mac_mappings]} upgrade_tasks: []