heat_template_version: wallaby description: > Configures FRR on the host parameters: ContainerFrrImage: description: The container image for Frr type: string EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. Use parameter_merge_strategies to merge it with the defaults. type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json FrrBfdEnabled: default: false description: Enable Bidirectional Forwarding Detection type: boolean FrrBgpEnabled: default: true description: Enable BGP type: boolean FrrBgpAsn: default: 65000 description: Default ASN to be used within FRR type: number FrrBgpIpv4Enabled: default: true description: Enable BGP advertisement of IPv4 routes type: boolean FrrBgpIpv4AllowASIn: default: false description: Allow for IPv4 routes to be received and processed even if the router detects its own ASN in the AS-Path. type: boolean FrrBgpIpv4SrcNetwork: default: ctlplane description: The name of the Neutron network from where the IP address of the node will be taken and set as source IPv4 address on the default route. type: string FrrBgpIpv6Enabled: default: true description: Enable BGP advertisement of IPv6 routes type: boolean FrrBgpIpv6AllowASIn: default: false description: Allow for IPv6 routes to be received and processed even if the router detects its own ASN in the AS-Path. type: boolean FrrBgpIpv6SrcNetwork: default: ctlplane description: The name of the Neutron network from where the IP address of the node will be taken and set as source IPv6 address on the default route. type: string FrrBgpUplinks: default: ['nic1', 'nic2'] description: List of uplink network interfaces. type: comma_delimited_list FrrBgpUplinksScope: default: 'internal' type: string description: Either peer with internal (iBGP) or external (eBGP) neighbors. constraints: - allowed_values: ['internal', 'external'] FrrLoggingSource: type: json default: tag: system.frr file: /var/log/containers/frr/frr.log FrrLogLevel: default: 'informational' type: string description: log level constraints: - allowed_values: ['emergencies', 'alerts', 'critical', 'errors', 'warnings', 'notifications', 'informational', 'debugging'] FrrZebraEnabled: default: true description: enable Zebra type: boolean FrrPacemakerVipNic: default: 'lo' description: Name of the nic that the pacemaker VIPs will be added to when runninng with FRR. type: string FrrBgpNeighborTtlSecurityHops: default: 1 description: Enforce Generalized TTL Security Mechanism (GTSM) where only neighbors that are the specified number of hops away will be allowed to become neighbors. Setting value to zero or less will disable GTSM. type: number outputs: role_data: description: Role data for the FRR service value: service_name: frr config_settings: tripleo::pacemaker::force_nic: {get_param: FrrPacemakerVipNic} service_config_settings: rsyslog: tripleo_logging_sources_frr: - {get_param: FrrLoggingSource} firewall_rules: '156 bgp tcp': if: - {get_param: FrrBgpEnabled} - proto: 'tcp' dport: 179 '156 bfd udp': if: - {get_param: FrrBfdEnabled} - proto: 'udp' dport: - 3784 - 3785 kolla_config: /var/lib/kolla/config_files/frr.json: # Note: This is currently needed because watchfrr *always* demonizes command: bash -c $* -- eval /usr/lib/frr/frr start && exec /bin/sleep infinity config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true permissions: - path: /etc/frr owner: frr:frr recurse: true - path: /var/log/frr owner: frr:frr recurse: true docker_config: # NOTE: Create container-startup-config file in step 0 so that TripleO # does not auto-start the FRR container (it does so for containers in # step 1-5). FRR will be started in the pre_deploy_step_tasks step_0: frr: start_order: 0 image: {get_param: ContainerFrrImage} net: host restart: always healthcheck: test: /openstack/healthcheck cap_add: - NET_BIND_SERVICE - NET_RAW - NET_ADMIN - SYS_ADMIN # We cannot bind mount the InternalTLSCAFile as freeipa might not # be reachable without frr volumes: - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /dev/log:/dev/log # OpenSSL trusted CAs - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro - /etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro - /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro - /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro - /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro - /var/lib/kolla/config_files/frr.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/ansible-generated/frr:/var/lib/kolla/config_files/src:ro - /var/log/containers/frr:/var/log/frr:z environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS host_prep_tasks: - name: create persistent directories file: path: "{{ item.path }}" state: directory setype: "{{ item.setype }}" mode: "{{ item.mode }}" with_items: - { 'path': /var/log/containers/frr, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/lib/config-data/ansible-generated/frr, 'setype': container_file_t, 'mode': '0750' } pre_deploy_step_tasks: - name: Configure FRR import_role: name: tripleo_frr vars: tripleo_frr_config_basedir: /var/lib/config-data/ansible-generated/frr tripleo_frr_bfd: {get_param: FrrBfdEnabled} tripleo_frr_bgp: {get_param: FrrBgpEnabled} tripleo_frr_bgp_asn: {get_param: FrrBgpAsn} tripleo_frr_bgp_ipv4: {get_param: FrrBgpIpv4Enabled} tripleo_frr_bgp_ipv4_allowas_in: {get_param: FrrBgpIpv4AllowASIn} tripleo_frr_bgp_ipv4_src_network: {get_param: FrrBgpIpv4SrcNetwork} tripleo_frr_bgp_ipv6: {get_param: FrrBgpIpv6Enabled} tripleo_frr_bgp_ipv6_allowas_in: {get_param: FrrBgpIpv6AllowASIn} tripleo_frr_bgp_ipv6_src_network: {get_param: FrrBgpIpv6SrcNetwork} tripleo_frr_bgp_neighbor_ttl_security_hops: {get_param: FrrBgpNeighborTtlSecurityHops} tripleo_frr_bgp_uplinks: {get_param: FrrBgpUplinks} tripleo_frr_bgp_uplinks_scope: {get_param: FrrBgpUplinksScope} tripleo_frr_log_level: {get_param: FrrLogLevel} tripleo_frr_zebra: {get_param: FrrZebraEnabled} - name: Start FRR include_role: name: tripleo_container_manage vars: tripleo_container_manage_config: "/var/lib/tripleo-config/container-startup-config/step_0" tripleo_container_manage_config_id: "frr" tripleo_container_manage_config_patterns: "frr.json" tripleo_container_manage_systemd_order: true tripleo_container_manage_clean_orphans: false update_tasks: [] upgrade_tasks: []