heat_template_version: rocky description: > OpenStack containerized Neutron L3 agent parameters: ContainerNeutronL3AgentImage: description: image type: string ContainerNeutronConfigImage: description: The container image to use for the neutron config_volume type: string DockerNeutronL3AgentUlimit: default: ['nofile=16384'] description: ulimit for Neutron L3 Agent Container type: comma_delimited_list DockerAdditionalSockets: default: ['/var/lib/openstack/docker.sock'] description: Additional domain sockets for the docker daemon to bind to (useful for mounting into containers that launch other containers) type: comma_delimited_list NeutronL3AgentLoggingSource: type: json default: tag: openstack.neutron.agent.l3 file: /var/log/containers/neutron/l3-agent.log NeutronEnableKeepalivedWrapper: description: Generate a wrapper script so neutron launches keepalived processes in a separate container. type: boolean default: true NeutronEnableHaproxyDockerWrapper: description: Generate a wrapper script so neutron launches haproxy in a separate container. type: boolean default: true NeutronEnableDibblerDockerWrapper: description: Generate a wrapper script so neutron launches the dibbler client in a separate container. type: boolean default: true NeutronEnableRadvdDockerWrapper: description: Generate a wrapper script so neutron launches radvd in a separate container. Note that is currently disabled by default pending availability of a fix to radvd (see https://bugzilla.redhat.com/show_bug.cgi?id=1564391). It will be enabled by default once the fix to radvd is generally available across target distributions. type: boolean default: false Debug: type: boolean default: false description: Set to True to enable debugging on all services. NeutronWrapperDebug: type: boolean default: false description: Controls debugging for the wrapper scripts. ContainerCli: type: string default: 'podman' description: CLI tool used to manage containers. constraints: - allowed_values: ['docker', 'podman'] ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json DefaultPasswords: default: {} type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json NeutronL3AgentMode: description: | Agent mode for L3 agent. Must be one of legacy or dvr_snat. default: 'legacy' type: string constraints: - allowed_values: - legacy - dvr_snat - dvr tags: - role_specific MonitoringSubscriptionNeutronL3: default: 'overcloud-neutron-l3-agent' type: string NeutronL3AgentDebug: default: '' description: Set to True to enable debugging for Neutron L3 agent. type: string constraints: - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE'] # NOTE(bogdando): we allow the L3 agent to have AZ configs defined disregard of # the used NeutronMechanismDrivers. NeutronL3AgentAvailabilityZone: description: Availability zone for Neutron L3 agent. If not set, no AZs will be configured for Neutron network services. default: '' type: string NeutronL3AgentExtensions: default: "" description: | Comma-separated list of extensions enabled for the Neutron L3 agent. type: comma_delimited_list NeutronL3AgentRadvdUser: default: "root" description: | The username passed to radvd, used to drop root privileges and change user ID to username and group ID to the primary group of username. If no user specified, the user executing the L3 agent will be passed. If "root" specified, because radvd is spawned as root, no "username" parameter will be passed type: string conditions: keepalived_wrapper_enabled: {equals: [{get_param: NeutronEnableKeepalivedWrapper}, true]} haproxy_wrapper_enabled: {equals: [{get_param: NeutronEnableHaproxyDockerWrapper}, true]} dibbler_wrapper_enabled: {equals: [{get_param: NeutronEnableDibblerDockerWrapper}, true]} radvd_wrapper_enabled: {equals: [{get_param: NeutronEnableRadvdDockerWrapper}, true]} docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']} service_debug_unset: {equals : [{get_param: NeutronWrapperDebug}, false]} az_unset: {equals: [{get_param: NeutronL3AgentAvailabilityZone}, '']} l3_agent_extensions_empty: {equals : [{get_param: NeutronL3AgentExtensions}, "''"]} resources: ContainersCommon: type: ../containers-common.yaml NeutronBase: type: ./neutron-base.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} # Merging role-specific parameters (RoleParameters) with the default parameters. # RoleParameters will have the precedence over the default parameters. RoleParametersValue: type: OS::Heat::Value properties: type: json value: map_replace: - map_replace: - neutron::agents::l3::agent_mode: NeutronL3AgentMode - values: {get_param: [RoleParameters]} - values: NeutronL3AgentMode: {get_param: NeutronL3AgentMode} NeutronLogging: type: OS::TripleO::Services::Logging::NeutronCommon properties: NeutronServiceName: l3-agent outputs: role_data: description: Role data for Neutron L3 agent value: service_name: neutron_l3 firewall_rules: '106 neutron_l3 vrrp': proto: vrrp monitoring_subscription: {get_param: MonitoringSubscriptionNeutronL3} config_settings: map_merge: - get_attr: [NeutronBase, role_data, config_settings] - get_attr: [RoleParametersValue, value] - get_attr: [NeutronLogging, config_settings] - tripleo::profile::base::neutron::l3_agent_wrappers::enable_keepalived_wrapper: {get_param: NeutronEnableKeepalivedWrapper} tripleo::profile::base::neutron::l3_agent_wrappers::keepalived_process_wrapper: '/var/lib/neutron/keepalived_wrapper' # TODO(beagles): this can be removed after a cleanup of the related puppet-tripleo code. tripleo::profile::base::neutron::l3_agent_wrappers::keepalived_state_change_wrapper: '/var/lib/neutron/keepalived_state_change_wrapper' tripleo::profile::base::neutron::l3_agent_wrappers::keepalived_image: {get_param: ContainerNeutronL3AgentImage} tripleo::profile::base::neutron::l3_agent_wrappers::enable_haproxy_wrapper: {get_param: NeutronEnableHaproxyDockerWrapper} tripleo::profile::base::neutron::l3_agent_wrappers::haproxy_process_wrapper: '/var/lib/neutron/l3_haproxy_wrapper' tripleo::profile::base::neutron::l3_agent_wrappers::haproxy_image: {get_param: ContainerNeutronL3AgentImage} tripleo::profile::base::neutron::l3_agent_wrappers::enable_dibbler_wrapper: {get_param: NeutronEnableDibblerDockerWrapper} tripleo::profile::base::neutron::l3_agent_wrappers::dibbler_process_wrapper: '/var/lib/neutron/dibbler_wrapper' tripleo::profile::base::neutron::l3_agent_wrappers::dibbler_image: {get_param: ContainerNeutronL3AgentImage} tripleo::profile::base::neutron::l3_agent_wrappers::enable_radvd_wrapper: {get_param: NeutronEnableRadvdDockerWrapper} tripleo::profile::base::neutron::l3_agent_wrappers::radvd_process_wrapper: '/var/lib/neutron/radvd_wrapper' tripleo::profile::base::neutron::l3_agent_wrappers::radvd_image: {get_param: ContainerNeutronL3AgentImage} tripleo::profile::base::neutron::l3_agent_wrappers::debug: if: - service_debug_unset - {get_param: Debug } - {get_param: NeutronWrapperDebug} tripleo::profile::base::neutron::container_cli: {get_param: ContainerCli} - neutron::agents::l3::debug: if: - service_debug_unset - {get_param: Debug} - {get_param: NeutronL3AgentDebug} - - if: - az_unset - {} - neutron::agents::l3::availability_zone: {get_param: NeutronL3AgentAvailabilityZone} if: - l3_agent_extensions_empty - {} - neutron::agents::l3::extensions: {get_param: NeutronL3AgentExtensions} - neutron::agents::l3::radvd_user: {get_param: NeutronL3AgentRadvdUser} service_config_settings: map_merge: - get_attr: [NeutronBase, role_data, service_config_settings] - rsyslog: tripleo_logging_sources_neutron_l3: - {get_param: NeutronL3AgentLoggingSource} puppet_config: puppet_tags: neutron_config,neutron_l3_agent_config config_volume: neutron step_config: | include tripleo::profile::base::neutron::l3 config_image: {get_param: ContainerNeutronConfigImage} kolla_config: /var/lib/kolla/config_files/neutron_l3_agent.json: command: list_join: - ' ' - - /usr/bin/neutron-l3-agent --config-file /usr/share/neutron/neutron-dist.conf --config-dir /usr/share/neutron/l3_agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/l3_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-l3-agent - get_attr: [NeutronLogging, cmd_extra_args] config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true permissions: - path: /var/log/neutron owner: neutron:neutron recurse: true - path: /var/lib/neutron owner: neutron:neutron recurse: true container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]} docker_config: step_2: create_keepalived_wrapper: start_order: 1 detach: false net: host pid: host user: root command: # '/container_puppet_apply.sh "STEP" "TAGS" "CONFIG" "DEBUG"' list_concat: - - '/container_puppet_apply.sh' - '4' - 'file' - 'include ::tripleo::profile::base::neutron::l3_agent_wrappers' image: {get_param: ContainerNeutronL3AgentImage} volumes: list_concat: - {get_attr: [ContainersCommon, container_puppet_apply_volumes]} - - /run/openvswitch:/run/openvswitch:shared,z - /var/lib/neutron:/var/lib/neutron:shared,z step_4: neutron_l3_agent: start_order: 10 image: {get_param: ContainerNeutronL3AgentImage} net: host pid: host privileged: true restart: always depends_on: - openvswitch.service healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]} ulimit: {get_param: DockerNeutronL3AgentUlimit} volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - {get_attr: [NeutronLogging, volumes]} - - /var/lib/kolla/config_files/neutron_l3_agent.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro - /lib/modules:/lib/modules:ro - /run/openvswitch:/run/openvswitch:shared,z - /var/lib/neutron:/var/lib/neutron:shared,z - /run/netns:/run/netns:shared - /var/lib/neutron/kill_scripts:/etc/neutron/kill_scripts:shared,z - if: - docker_enabled - - /var/lib/openstack:/var/lib/openstack - null - if: - keepalived_wrapper_enabled - - /var/lib/neutron/keepalived_wrapper:/usr/local/bin/keepalived:ro - null - if: - haproxy_wrapper_enabled - - /var/lib/neutron/l3_haproxy_wrapper:/usr/local/bin/haproxy:ro - null - if: - radvd_wrapper_enabled - - /var/lib/neutron/radvd_wrapper:/usr/local/bin/radvd:ro - null - if: - dibbler_wrapper_enabled - - /var/lib/neutron/dibbler_wrapper:/usr/local/bin/dibbler_client:ro - null environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS metadata_settings: get_attr: [NeutronBase, role_data, metadata_settings] host_prep_tasks: list_concat: - {get_attr: [NeutronLogging, host_prep_tasks]} - - name: create /run/netns with temp namespace command: ip netns add ns_temp register: ipnetns_add_result failed_when: false - name: remove temp namespace command: ip netns delete ns_temp failed_when: false when: - ipnetns_add_result is defined - ipnetns_add_result.rc == 0 - name: create /var/lib/neutron file: path: /var/lib/neutron state: directory setype: container_file_t - name: enable virt_sandbox_use_netlink for healtcheck seboolean: name: virt_sandbox_use_netlink persistent: yes state: yes - name: set conditions set_fact: keepalived_wrapper_enabled: {get_param: NeutronEnableKeepalivedWrapper} haproxy_wrapper_enabled: {get_param: NeutronEnableHaproxyDockerWrapper} dibbler_wrapper_enabled: {get_param: NeutronEnableDibblerDockerWrapper} radvd_wrapper_enabled: {get_param: NeutronEnableRadvdDockerWrapper} debug_enabled: if: - service_debug_unset - {get_param: Debug } - {get_param: NeutronWrapperDebug} docker_additional_sockets: {get_param: DockerAdditionalSockets} - name: create kill_scripts directory within /var/lib/neutron file: state: directory path: /var/lib/neutron/kill_scripts - name: create keepalived kill script when: keepalived_wrapper_enabled|bool copy: dest: /var/lib/neutron/kill_scripts/keepalived-kill mode: 0755 content: {get_file: ./kill-script} - name: create haproxy kill script when: haproxy_wrapper_enabled|bool copy: dest: /var/lib/neutron/kill_scripts/haproxy-kill mode: 0755 content: {get_file: ./kill-script} - name: create dibbler kill script when: dibbler_wrapper_enabled|bool copy: dest: /var/lib/neutron/kill_scripts/dibbler-kill mode: 0755 content: {get_file: ./kill-script} - name: create radvd kill script when: radvd_wrapper_enabled|bool copy: dest: /var/lib/neutron/kill_scripts/radvd-kill mode: 0755 content: {get_file: ./kill-script} upgrade_tasks: [] post_upgrade_tasks: - name: Check for neutron user getent: database: passwd key: neutron fail_key: false - name: Set neutron_user_avail set_fact: neutron_user_avail: "{{ getent_passwd is defined }}" - when: - step|int == 2 - neutron_user_avail|bool block: - name: Ensure r/w access for existing files after upgrade become: true shell: | umask 0002 setfacl -d -R -m u:neutron:rwx /var/lib/neutron setfacl -R -m u:neutron:rw /var/lib/neutron find /var/lib/neutron -type d -exec setfacl -m u:neutron:rwx '{}' \; - name: Provide access to domain sockets become: true shell: | umask 0002 setfacl -m u:neutron:rwx "{{ item }}" with_items: - /var/lib/neutron/metadata_proxy - /var/lib/neutron/keepalived-state-change - /var/lib/neutron # These files are not necessarily present failed_when: false