heat_template_version: wallaby

description: >
  OpenStack containerized Neutron DHCP service

parameters:
  ContainerNeutronDHCPImage:
    description: image
    type: string
  ContainerNeutronConfigImage:
    description: The container image to use for the neutron config_volume
    type: string
  DockerNeutronDHCPAgentUlimit:
    default: ['nofile=16384']
    description: ulimit for Neutron DHCP Agent Container
    type: comma_delimited_list
  DockerAdditionalSockets:
    default: ['/var/lib/openstack/docker.sock']
    description: Additional domain sockets for the docker daemon to bind to (useful for mounting
                 into containers that launch other containers)
    type: comma_delimited_list
  NeutronEnableDnsmasqDockerWrapper:
    description: Generate a dnsmasq wrapper script so that neutron launches
                 dnsmasq in a separate container.
    type: boolean
    default: true
  NeutronEnableHaproxyDockerWrapper:
    description: Generate a wrapper script so neutron launches haproxy in a separate container.
    type: boolean
    default: true
  Debug:
    type: boolean
    default: false
    description: Set to True to enable debugging on all services.
  NeutronWrapperDebug:
    type: boolean
    default: false
    description: Controls debugging for the wrapper scripts.
  ContainerCli:
    type: string
    default: 'podman'
    description: CLI tool used to manage containers.
    constraints:
      - allowed_values: ['docker', 'podman']
  NeutronDhcpAgentLoggingSource:
    type: json
    default:
      tag: openstack.neutron.agent.dhcp
      file: /var/log/containers/neutron/dhcp-agent.log
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EnableInternalTLS:
    type: boolean
    default: false
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  NeutronEnableMetadataNetwork:
    default: false
    description: If True, DHCP provide metadata network. Requires either
                 IsolatedMetadata or ForceMetadata parameters to also be True.
    type: boolean
  NeutronEnableIsolatedMetadata:
    default: false
    description: If True, DHCP provide metadata route to VM.
    type: boolean
  NeutronEnableForceMetadata:
    default: false
    description: If True, DHCP always provides metadata route to VM.
    type: boolean
  NeutronEnableInternalDNS:
    default: false
    description: |
      If True, enable the internal Neutron DNS server that provides name
      resolution between VMs.  This parameter has no effect if
      NeutronDhcpAgentDnsmasqDnsServers is set.
    type: boolean
  MonitoringSubscriptionNeutronDhcp:
    default: 'overcloud-neutron-dhcp'
    type: string
  NeutronDhcpAgentDebug:
    default: false
    description: Set to True to enable debugging for Neutron DHCP agent.
    type: boolean
  NeutronDhcpAgentDnsmasqDnsServers:
    default: []
    description: List of servers to use as dnsmasq forwarders
    type: comma_delimited_list
  NeutronInterfaceDriver:
    default: 'neutron.agent.linux.interface.OVSInterfaceDriver'
    description: Neutron DHCP Agent interface driver
    type: string
  NeutronDhcpOvsIntegrationBridge:
    default: ''
    type: string
    description: Name of Open vSwitch bridge to use
  NeutronDhcpServerBroadcastReply:
    default: false
    description: Neutron DHCP agent to use broadcast in DHCP replies
    type: boolean
  # TODO(bogdando): The experimental OVN SRIOV environment includes the
  # DHCP agent service. We keep it safe to not break it with AZ-related
  # configurations. Therefore, we have to determine, if
  # NeutronMechanismDrivers is OVN or not. This may change in future,
  # when OVN/SRIOV supports Neutron AZ configurations for the agent services.
  NeutronMechanismDrivers:
    default: 'ovn'
    description: |
        The mechanism drivers for the Neutron tenant network.
    type: comma_delimited_list
  NeutronDhcpAgentAvailabilityZone:
    description: Availability zone for Neutron DHCP agent. If not set,
                 no AZs will be configured for Neutron network services.
    default: ''
    type: string
  NeutronDhcpAgentDnsmasqEnableAddr6List:
    default: true
    description: |
      Enable dhcp-host entry with list of addresses when port has multiple
      IPv6 addresses in the same subnet.
    type: boolean
  CertificateKeySize:
    type: string
    default: '2048'
    description: Specifies the private key size used when creating the
                 certificate.
  NeutronDhcpCertificateKeySize:
    type: string
    default: ''
    description: Override the private key size used when creating the
                 certificate for this service

conditions:

  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
  dnsmasq_wrapper_enabled: {equals: [{get_param: NeutronEnableDnsmasqDockerWrapper}, true]}
  haproxy_wrapper_enabled: {equals: [{get_param: NeutronEnableHaproxyDockerWrapper}, true]}
  docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']}
  dhcp_ovs_intergation_bridge_unset: {equals: [{get_param: NeutronDhcpOvsIntegrationBridge}, '']}
  az_unset: {equals: [{get_param: NeutronDhcpAgentAvailabilityZone}, '']}
  key_size_override_unset: {equals: [{get_param: NeutronDhcpCertificateKeySize}, '']}

resources:

  ContainersCommon:
    type: ../containers-common.yaml

  NeutronBase:
    type: ./neutron-base.yaml
    properties:
      EndpointMap: {get_param: EndpointMap}
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

  NeutronLogging:
    type: OS::TripleO::Services::Logging::NeutronCommon
    properties:
      NeutronServiceName: dhcp-agent

outputs:
  role_data:
    description: Role data for the Neutron DHCP role.
    value:
      service_name: neutron_dhcp
      firewall_rules:
        '115 neutron dhcp input':
          ipversion: 'ipv4'
          proto: 'udp'
          dport: 67
        '116 neutron dhcp output':
          ipversion: 'ipv4'
          proto: 'udp'
          chain: 'OUTPUT'
          dport: 68
        '115 neutron dhcpv6 input':
          ipversion: 'ipv6'
          proto: 'udp'
          dport: 547
        '116 neutron dhcpv6 output':
          ipversion: 'ipv6'
          proto: 'udp'
          chain: 'OUTPUT'
          dport: 546
        '116 neutron dhcpv6 relay output':
          ipversion: 'ipv6'
          proto: 'udp'
          chain: 'OUTPUT'
          dport: 547
      monitoring_subscription: {get_param: MonitoringSubscriptionNeutronDhcp}
      config_settings:
        map_merge:
          - get_attr: [NeutronBase, role_data, config_settings]
          - get_attr: [NeutronLogging, config_settings]
          - tripleo::profile::base::neutron::dhcp_agent_wrappers::enable_dnsmasq_wrapper: {get_param: NeutronEnableDnsmasqDockerWrapper}
            tripleo::profile::base::neutron::dhcp_agent_wrappers::dnsmasq_process_wrapper: '/var/lib/neutron/dnsmasq_wrapper'
            tripleo::profile::base::neutron::dhcp_agent_wrappers::dnsmasq_image: {get_param: ContainerNeutronDHCPImage}
            tripleo::profile::base::neutron::dhcp_agent_wrappers::enable_haproxy_wrapper: {get_param: NeutronEnableHaproxyDockerWrapper}
            tripleo::profile::base::neutron::dhcp_agent_wrappers::haproxy_process_wrapper: '/var/lib/neutron/dhcp_haproxy_wrapper'
            tripleo::profile::base::neutron::dhcp_agent_wrappers::haproxy_image: {get_param: ContainerNeutronDHCPImage}
            tripleo::profile::base::neutron::dhcp_agent_wrappers::debug:
              if:
                - {get_param: NeutronWrapperDebug}
                - true
                - {get_param: Debug }
            tripleo::profile::base::neutron::container_cli: {get_param: ContainerCli}
            neutron::agents::dhcp::enable_isolated_metadata: {get_param: NeutronEnableIsolatedMetadata}
            neutron::agents::dhcp::enable_force_metadata: {get_param: NeutronEnableForceMetadata}
            neutron::agents::dhcp::enable_metadata_network: {get_param: NeutronEnableMetadataNetwork}
            neutron::agents::dhcp::dnsmasq_local_resolv: {get_param: NeutronEnableInternalDNS}
            neutron::agents::dhcp::dnsmasq_dns_servers: {get_param: NeutronDhcpAgentDnsmasqDnsServers}
            neutron::agents::dhcp::interface_driver: {get_param: NeutronInterfaceDriver}
            neutron::agents::dhcp::dhcp_broadcast_reply: {get_param: NeutronDhcpServerBroadcastReply}
            neutron::agents::dhcp::dnsmasq_enable_addr6_list: {get_param: NeutronDhcpAgentDnsmasqEnableAddr6List}
            neutron::agents::dhcp::debug:
              if:
              - {get_param: NeutronDhcpAgentDebug}
              - true
              - {get_param: Debug}
          - if:
              - internal_tls_enabled
              - neutron::agents::dhcp::ovsdb_agent_ssl_key_file: '/etc/pki/tls/private/neutron.key'
                neutron::agents::dhcp::ovsdb_agent_ssl_cert_file: '/etc/pki/tls/certs/neutron.crt'
                neutron::agents::dhcp::ovsdb_agent_ssl_ca_file: {get_param: InternalTLSCAFile}
              - {}
          - if:
              - dhcp_ovs_intergation_bridge_unset
              - {}
              - neutron::agents::dhcp::ovs_integration_bridge: {get_param: NeutronDhcpOvsIntegrationBridge}
          - if:
              - az_unset
              - {}
              - neutron::agents::dhcp::availability_zone: {get_param: NeutronDhcpAgentAvailabilityZone}
      service_config_settings:
        map_merge:
          - get_attr: [NeutronBase, role_data, service_config_settings]
          - rsyslog:
              tripleo_logging_sources_neutron_dhcp:
                - {get_param: NeutronDhcpAgentLoggingSource}
      # BEGIN DOCKER SETTINGS
      puppet_config:
        config_volume: neutron
        puppet_tags: neutron_config,neutron_dhcp_agent_config
        step_config: |
          include tripleo::profile::base::neutron::dhcp
        config_image: {get_param: ContainerNeutronConfigImage}
      kolla_config:
        /var/lib/kolla/config_files/neutron_dhcp.json:
          command:
            list_join:
            - ' '
            - - /usr/bin/neutron-dhcp-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/dhcp_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-dhcp-agent
              - get_attr: [NeutronLogging, cmd_extra_args]
          config_files:
            - source: "/var/lib/kolla/config_files/src/*"
              dest: "/"
              merge: true
              preserve_properties: true
            - source: "/var/lib/kolla/config_files/src-tls/*"
              dest: "/"
              merge: true
              preserve_properties: true
              optional: true
          permissions:
            - path: /var/log/neutron
              owner: neutron:neutron
              recurse: true
            - path: /var/lib/neutron
              owner: neutron:neutron
              recurse: true
            - path: /etc/pki/tls/certs/neutron.crt
              owner: neutron:neutron
            - path: /etc/pki/tls/private/neutron.key
              owner: neutron:neutron
      container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
      docker_config:
        step_2:
          create_dnsmasq_wrapper:
            start_order: 1
            detach: false
            net: host
            pid: host
            user: root
            command: # '/container_puppet_apply.sh "STEP" "TAGS" "CONFIG" "DEBUG"'
              list_concat:
                -
                  - '/container_puppet_apply.sh'
                  - '4'
                  - 'file'
                  - 'include ::tripleo::profile::base::neutron::dhcp_agent_wrappers'
            image: {get_param: ContainerNeutronDHCPImage}
            volumes:
              list_concat:
                - {get_attr: [ContainersCommon, container_puppet_apply_volumes]}
                -
                  - /run/openvswitch:/run/openvswitch:shared,z
                  - /var/lib/neutron:/var/lib/neutron:shared,z
        step_4:
          neutron_dhcp:
            start_order: 10
            image: {get_param: ContainerNeutronDHCPImage}
            net: host
            pid: host
            privileged: true
            restart: always
            security_opt: 'label=disable'
            depends_on:
              - openvswitch.service
            healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
            ulimit: {get_param: DockerNeutronDHCPAgentUlimit}
            volumes:
              list_concat:
                - {get_attr: [ContainersCommon, volumes]}
                - {get_attr: [NeutronLogging, volumes]}
                -
                  - /var/lib/kolla/config_files/neutron_dhcp.json:/var/lib/kolla/config_files/config.json:ro
                  - /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro
                  - /lib/modules:/lib/modules:ro
                  - /run/openvswitch:/run/openvswitch:shared,z
                  - /var/lib/neutron:/var/lib/neutron:shared,z
                  - /run/netns:/run/netns:shared
                  - /var/lib/neutron/kill_scripts:/etc/neutron/kill_scripts:shared,z
                -
                  if:
                    - docker_enabled
                    - - /var/lib/openstack:/var/lib/openstack
                    - null
                -
                  if:
                    - dnsmasq_wrapper_enabled
                    - - /var/lib/neutron/dnsmasq_wrapper:/usr/local/bin/dnsmasq:ro
                    - null
                -
                  if:
                    - haproxy_wrapper_enabled
                    - - /var/lib/neutron/dhcp_haproxy_wrapper:/usr/local/bin/haproxy:ro
                    - null
                -
                  if:
                    - internal_tls_enabled
                    - - /etc/pki/tls/certs/neutron.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/neutron.crt:ro
                      - /etc/pki/tls/private/neutron.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/neutron.key:ro
                    - null
            environment:
              KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
      metadata_settings:
        if:
          - internal_tls_enabled
          -
            - service: neutron
              network: {get_param: [ServiceNetMap, NeutronApiNetwork]}
              type: node
          - null
      deploy_steps_tasks:
        - name: Certificate generation
          when:
            - step|int == 1
            - enable_internal_tls
          block:
            - include_role:
                name: linux-system-roles.certificate
              vars:
                certificate_requests:
                  - name: neutron
                    dns:
                      str_replace:
                        template: "{{fqdn_$NETWORK}}"
                        params:
                          $NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
                    principal:
                      str_replace:
                        template: "neutron/{{fqdn_$NETWORK}}@{{idm_realm}}"
                        params:
                          $NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
                    run_after: |
                      container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep neutron_dhcp)
                      # The certificate is also installed on the computes, but neutron_dhcp is only
                      # present on the controllers, so we exit if the container could not be found.
                      [[ -z $container_name ]] && exit 0

                      service_crt="/etc/pki/tls/certs/neutron.crt"
                      service_key="/etc/pki/tls/private/neutron.key"
                      # Copy the new cert from the mount-point to the real path
                      {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
                      # Copy the new key from the mount-point to the real path
                      {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key "$service_key"
                      # No need to trigger a reload for neutron dhcpd since the cert is not cached
                    key_size:
                      if:
                        - key_size_override_unset
                        - {get_param: CertificateKeySize}
                        - {get_param: NeutronDhcpCertificateKeySize}
                    ca: ipa
      host_prep_tasks:
        list_concat:
          - {get_attr: [NeutronLogging, host_prep_tasks]}
          - - name: create /run/netns with temp namespace
              command: ip netns add ns_temp
              register: ipnetns_add_result
              failed_when: false
            - name: remove temp namespace
              command: ip netns delete ns_temp
              failed_when: false
              when:
                - ipnetns_add_result.rc is defined
                - ipnetns_add_result.rc == 0
            - name: create /var/lib/neutron
              file:
                path: /var/lib/neutron
                state: directory
                setype: container_file_t
            - name: enable virt_sandbox_use_netlink for healthcheck
              seboolean:
                name: virt_sandbox_use_netlink
                persistent: yes
                state: yes
            - name: set conditions
              set_fact:
                dnsmasq_wrapper_enabled: {get_param: NeutronEnableDnsmasqDockerWrapper}
                haproxy_wrapper_enabled: {get_param: NeutronEnableHaproxyDockerWrapper}
                debug_enabled:
                  if:
                    - {get_param: NeutronWrapperDebug}
                    - true
                    - {get_param: Debug }
                docker_additional_sockets: {get_param: DockerAdditionalSockets}
            - name: create kill_scripts directory within /var/lib/neutron
              file:
                state: directory
                path: /var/lib/neutron/kill_scripts
            - name: create dnsmasq dhcp kill script
              when: dnsmasq_wrapper_enabled|bool
              copy:
                dest: /var/lib/neutron/kill_scripts/dnsmasq-kill
                mode: 0755
                content: {get_file: ./kill-script}
            - name: create haproxy kill script
              when: haproxy_wrapper_enabled|bool
              copy:
                dest: /var/lib/neutron/kill_scripts/haproxy-kill
                mode: 0755
                content: {get_file: ./kill-script}
      upgrade_tasks: []
      post_upgrade_tasks:
        - name: Check for neutron user
          getent:
            database: passwd
            key: neutron
            fail_key: false
        - name: Set neutron_user_avail
          set_fact:
            neutron_user_avail: "{{ getent_passwd is defined }}"
        - when:
            - step|int == 2
            - neutron_user_avail|bool
          block:
            - name: Ensure read/write access for files created after upgrade
              become: true
              shell: |
                umask 0002
                setfacl -d -R -m u:neutron:rwx /var/lib/neutron
                setfacl -R -m u:neutron:rw /var/lib/neutron
                find /var/lib/neutron -type d -exec setfacl -m u:neutron:rwx '{}' \;
            - name: Provide access for domain sockets
              become: true
              shell: |
                umask 0002
                setfacl -m u:neutron:rwx "{{ item }}"
              with_items:
                - /var/lib/neutron/metadata_proxy
                - /var/lib/neutron
              # These files are not necessarily present
              failed_when: false