openstack/tripleo-heat-templates
Code Issues Proposed changes
170cd2be9d
tripleo-heat-templates/deployment/neutron/neutron-dhcp-container-puppet.yaml
Slawek Kaplonski 5d3fe630db Increase default ulimit values for Neutron agents containers 
For containers where Neutron DHCP, L3 and OVS agents are running
there is limit for number of opened files set.
This limit was configured by default to 1024 which looks that is
quite low and can cause problems even with relatively small number
of networks or routers handled by agent.

This patch increase default ulimit values for those containers to be
16x higher than it was before. Such value should allow to handle much
more routers or networks and shouldn't be too high for any system.

Change-Id: Ibc8fa0c1ccd4f60ec7c876623a7262003197f67d
Closes-bug: #1824020
2019-04-09 22:49:18 +02:00

437 lines
17 KiB
YAML
Raw Blame History

heat_template_version: rocky
description: >
OpenStack containerized Neutron DHCP service
parameters:
DockerNeutronDHCPImage:
description: image
type: string
DockerNeutronConfigImage:
description: The container image to use for the neutron config_volume
type: string
DockerNeutronDHCPAgentUlimit:
default: ['nofile=16384']
description: ulimit for Neutron DHCP Agent Container
type: comma_delimited_list
NeutronEnableDnsmasqDockerWrapper:
description: Generate a dnsmasq wrapper script so that neutron launches
dnsmasq in a separate container.
type: boolean
default: true
NeutronEnableHaproxyDockerWrapper:
description: Generate a wrapper script so neutron launches haproxy in a separate container.
type: boolean
default: true
Debug:
type: boolean
default: false
description: Set to True to enable debugging on all services.
NeutronWrapperDebug:
type: boolean
default: false
description: Controls debugging for the wrapper scripts.
ContainerCli:
type: string
default: 'podman'
description: CLI tool used to manage containers.
constraints:
- allowed_values: ['docker', 'podman']
NeutronDhcpAgentLoggingSource:
type: json
default:
tag: openstack.neutron.agent.dhcp
path: /var/log/containers/neutron/dhcp-agent.log
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
RpcPort:
default: 5672
description: The network port for messaging backend
type: number
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
NeutronEnableMetadataNetwork:
default: false
description: If True, DHCP provide metadata network. Requires either
IsolatedMetadata or ForceMetadata parameters to also be True.
type: boolean
NeutronEnableIsolatedMetadata:
default: false
description: If True, DHCP provide metadata route to VM.
type: boolean
NeutronEnableForceMetadata:
default: false
description: If True, DHCP always provides metadata route to VM.
type: boolean
NeutronEnableInternalDNS:
default: false
description: |
If True, enable the internal Neutron DNS server that provides name
resolution between VMs. This parameter has no effect if
NeutronDhcpAgentDnsmasqDnsServers is set.
type: boolean
MonitoringSubscriptionNeutronDhcp:
default: 'overcloud-neutron-dhcp'
type: string
NeutronDhcpAgentDebug:
default: ''
description: Set to True to enable debugging for Neutron DHCP agent.
type: string
constraints:
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
NeutronDhcpAgentDnsmasqDnsServers:
default: []
description: List of servers to use as dnsmasq forwarders
type: comma_delimited_list
NeutronInterfaceDriver:
default: 'neutron.agent.linux.interface.OVSInterfaceDriver'
description: Neutron DHCP Agent interface driver
type: string
NeutronDhcpOvsIntegrationBridge:
default: ''
type: string
description: Name of Open vSwitch bridge to use
NeutronDhcpServerBroadcastReply:
default: false
description: Neutron DHCP agent to use broadcast in DHCP replies
type: boolean
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
dnsmasq_wrapper_enabled: {equals: [{get_param: NeutronEnableDnsmasqDockerWrapper}, true]}
haproxy_wrapper_enabled: {equals: [{get_param: NeutronEnableHaproxyDockerWrapper}, true]}
docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']}
service_wrapper_debug_unset: {equals : [{get_param: NeutronWrapperDebug}, false]}
service_debug_unset: {equals: [{get_param: NeutronDhcpAgentDebug}, '']}
dhcp_ovs_intergation_bridge_unset: {equals: [{get_param: NeutronDhcpOvsIntegrationBridge}, '']}
resources:
ContainersCommon:
type: ../../docker/services/containers-common.yaml
NeutronBase:
type: ../../puppet/services/neutron-base.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NeutronLogging:
type: OS::TripleO::Services::Logging::NeutronCommon
properties:
NeutronServiceName: dhcp-agent
outputs:
role_data:
description: Role data for the Neutron DHCP role.
value:
service_name: neutron_dhcp
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronDhcp}
config_settings:
map_merge:
- get_attr: [NeutronBase, role_data, config_settings]
- get_attr: [NeutronLogging, config_settings]
- tripleo::profile::base::neutron::dhcp_agent_wrappers::enable_dnsmasq_wrapper: {get_param: NeutronEnableDnsmasqDockerWrapper}
tripleo::profile::base::neutron::dhcp_agent_wrappers::dnsmasq_process_wrapper: '/var/lib/neutron/dnsmasq_wrapper'
tripleo::profile::base::neutron::dhcp_agent_wrappers::dnsmasq_image: {get_param: DockerNeutronDHCPImage}
tripleo::profile::base::neutron::dhcp_agent_wrappers::enable_haproxy_wrapper: {get_param: NeutronEnableHaproxyDockerWrapper}
tripleo::profile::base::neutron::dhcp_agent_wrappers::haproxy_process_wrapper: '/var/lib/neutron/dhcp_haproxy_wrapper'
tripleo::profile::base::neutron::dhcp_agent_wrappers::haproxy_image: {get_param: DockerNeutronDHCPImage}
tripleo::profile::base::neutron::dhcp_agent_wrappers::debug:
if:
- service_wrapper_debug_unset
- {get_param: Debug }
- {get_param: NeutronWrapperDebug}
tripleo::profile::base::neutron::container_cli: {get_param: ContainerCli}
neutron::agents::dhcp::enable_isolated_metadata: {get_param: NeutronEnableIsolatedMetadata}
neutron::agents::dhcp::enable_force_metadata: {get_param: NeutronEnableForceMetadata}
neutron::agents::dhcp::enable_metadata_network: {get_param: NeutronEnableMetadataNetwork}
neutron::agents::dhcp::dnsmasq_local_resolv: {get_param: NeutronEnableInternalDNS}
neutron::agents::dhcp::dnsmasq_dns_servers: {get_param: NeutronDhcpAgentDnsmasqDnsServers}
neutron::agents::dhcp::interface_driver: {get_param: NeutronInterfaceDriver}
neutron::agents::dhcp::dhcp_broadcast_reply: {get_param: NeutronDhcpServerBroadcastReply}
neutron::agents::dhcp::debug:
if:
- service_debug_unset
- {get_param: Debug}
- {get_param: NeutronDhcpAgentDebug}
tripleo::neutron_dhcp::firewall_rules:
'115 neutron dhcp input':
proto: 'udp'
dport: 67
'116 neutron dhcp output':
proto: 'udp'
chain: 'OUTPUT'
dport: 68
- if:
- internal_tls_enabled
- neutron::agents::dhcp::ovsdb_agent_ssl_key_file: '/etc/pki/tls/private/neutron.key'
neutron::agents::dhcp::ovsdb_agent_ssl_cert_file: '/etc/pki/tls/certs/neutron.crt'
neutron::agents::dhcp::ovsdb_agent_ssl_ca_file: {get_param: InternalTLSCAFile}
generate_service_certificates: true
tripleo::profile::base::neutron::certificate_specs:
service_certificate: '/etc/pki/tls/certs/neutron.crt'
service_key: '/etc/pki/tls/private/neutron.key'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
principal:
str_replace:
template: "neutron/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh"
- {}
- if:
- dhcp_ovs_intergation_bridge_unset
- {}
- neutron::agents::dhcp::ovs_integration_bridge: {get_param: NeutronDhcpOvsIntegrationBridge}
service_config_settings:
map_merge:
- get_attr: [NeutronBase, role_data, service_config_settings]
- fluentd:
tripleo_fluentd_groups_neutron_dhcp:
- neutron
tripleo_fluentd_sources_neutron_dhcp:
- {get_param: NeutronDhcpAgentLoggingSource}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: neutron
puppet_tags: neutron_config,neutron_dhcp_agent_config
step_config: |
include tripleo::profile::base::neutron::dhcp
config_image: {get_param: DockerNeutronConfigImage}
kolla_config:
/var/lib/kolla/config_files/neutron_dhcp.json:
command:
list_join:
- ' '
- - /usr/bin/neutron-dhcp-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/dhcp_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-dhcp-agent
- get_attr: [NeutronLogging, cmd_extra_args]
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/log/neutron
owner: neutron:neutron
recurse: true
- path: /var/lib/neutron
owner: neutron:neutron
recurse: true
- path: /etc/pki/tls/certs/neutron.crt
owner: neutron:neutron
- path: /etc/pki/tls/private/neutron.key
owner: neutron:neutron
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
docker_config:
step_2:
create_dnsmasq_wrapper:
start_order: 1
detach: false
net: host
pid: host
user: root
command: # '/container_puppet_apply.sh "STEP" "TAGS" "CONFIG" "DEBUG"'
list_concat:
-
- '/container_puppet_apply.sh'
- '4'
- 'file'
- 'include ::tripleo::profile::base::neutron::dhcp_agent_wrappers'
image: {get_param: DockerNeutronDHCPImage}
volumes:
list_concat:
- {get_attr: [ContainersCommon, container_puppet_apply_volumes]}
-
- /run/openvswitch:/run/openvswitch:shared,z
- /var/lib/neutron:/var/lib/neutron:shared,z
step_4:
neutron_dhcp:
start_order: 10
image: {get_param: DockerNeutronDHCPImage}
net: host
pid: host
privileged: true
restart: always
security_opt: 'label=disable'
depends_on:
- openvswitch
healthcheck:
test:
list_join:
- ' '
- - '/openstack/healthcheck'
- yaql:
expression: str($.data.port)
data:
port: {get_param: RpcPort}
ulimit: {get_param: DockerNeutronDHCPAgentUlimit}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NeutronLogging, volumes]}
-
- /var/lib/kolla/config_files/neutron_dhcp.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro
- /lib/modules:/lib/modules:ro
- /run/openvswitch:/run/openvswitch:shared,z
- /var/lib/neutron:/var/lib/neutron:shared,z
- /run/netns:/run/netns:shared
-
if:
- docker_enabled
- - /var/lib/openstack:/var/lib/openstack
- null
-
if:
- dnsmasq_wrapper_enabled
- - /var/lib/neutron/dnsmasq_wrapper:/usr/local/bin/dnsmasq:ro
- null
-
if:
- haproxy_wrapper_enabled
- - /var/lib/neutron/dhcp_haproxy_wrapper:/usr/local/bin/haproxy:ro
- null
-
if:
- internal_tls_enabled
- - /etc/pki/tls/certs/neutron.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/neutron.crt:ro
- /etc/pki/tls/private/neutron.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/neutron.key:ro
- list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro'
- null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
metadata_settings:
if:
- internal_tls_enabled
-
- service: neutron
network: {get_param: [ServiceNetMap, NeutronApiNetwork]}
type: node
- null
host_prep_tasks:
list_concat:
- {get_attr: [NeutronLogging, host_prep_tasks]}
- - name: create /run/netns with temp namespace
command: ip netns add ns_temp
register: ipnetns_add_result
ignore_errors: True
- - name: remove temp namespace
command: ip netns delete ns_temp
ignore_errors: True
when: ipnetns_add_result.rc == 0
- - name: create /var/lib/neutron
file:
path: /var/lib/neutron
state: directory
setype: svirt_sandbox_file_t
- - name: enable virt_sandbox_use_netlink for healtcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
upgrade_tasks: []
fast_forward_upgrade_tasks:
- when:
- step|int == 0
- release == 'ocata'
block:
- name: Check if neutron_dhcp_agent is deployed
command: systemctl is-enabled --quiet neutron-dhcp-agent
ignore_errors: True
register: neutron_dhcp_agent_enabled_result
- name: Set fact neutron_dhcp_agent_enabled
set_fact:
neutron_dhcp_agent_enabled: "{{ neutron_dhcp_agent_enabled_result.rc == 0 }}"
- name: Stop neutron_dhcp_agent
service: name=neutron-dhcp-agent state=stopped enabled=no
when:
- step|int == 2
- release == 'ocata'
- neutron_dhcp_agent_enabled|bool
post_upgrade_tasks:
- when: step|int == 1
import_role:
name: tripleo-docker-rm
vars:
containers_to_rm:
- neutron_dhcp
- name: Check for neutron user
getent:
database: passwd
key: neutron
ignore_errors: True
- name: Set neutron_user_avail
set_fact:
neutron_user_avail: "{{ getent_passwd is defined }}"
- when:
- step|int == 2
- neutron_user_avail|bool
block:
- name: Ensure read/write access for files created after upgrade
become: true
shell: |
umask 0002
setfacl -d -R -m u:neutron:rwx /var/lib/neutron
setfacl -R -m u:neutron:rw /var/lib/neutron
find /var/lib/neutron -type d -exec setfacl -m u:neutron:rwx '{}' \;
- name: Provide access for domain sockets
ignore_errors: True
become: true
shell: |
umask 0002
setfacl -m u:neutron:rwx "{{ item }}"
with_items:
- /var/lib/neutron/metadata_proxy
- /var/lib/neutron
# These files are not necessarily present
ignore_errors: True
View Git Blame Copy Permalink