fb53535ca5
The username passed to radvd, used to drop root privileges and change user ID to username and group ID to the primary group of username. If no user specified, the user executing the L3 agent will be passed. If "root" specified, because radvd is spawned as root, no "username" parameter will be passed Depends-On: https://review.opendev.org/#/c/691846/ Change-Id: Ie9f16f3117e6531f4ef1e4973e61c72dbf904b8a Closes-Bug: #1844688
450 lines
18 KiB
YAML
450 lines
18 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack containerized Neutron L3 agent
|
|
|
|
parameters:
|
|
ContainerNeutronL3AgentImage:
|
|
description: image
|
|
type: string
|
|
ContainerNeutronConfigImage:
|
|
description: The container image to use for the neutron config_volume
|
|
type: string
|
|
DockerNeutronL3AgentUlimit:
|
|
default: ['nofile=16384']
|
|
description: ulimit for Neutron L3 Agent Container
|
|
type: comma_delimited_list
|
|
DockerAdditionalSockets:
|
|
default: ['/var/lib/openstack/docker.sock']
|
|
description: Additional domain sockets for the docker daemon to bind to (useful for mounting
|
|
into containers that launch other containers)
|
|
type: comma_delimited_list
|
|
NeutronL3AgentLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.neutron.agent.l3
|
|
file: /var/log/containers/neutron/l3-agent.log
|
|
NeutronEnableKeepalivedWrapper:
|
|
description: Generate a wrapper script so neutron launches keepalived processes in a
|
|
separate container.
|
|
type: boolean
|
|
default: true
|
|
NeutronEnableHaproxyDockerWrapper:
|
|
description: Generate a wrapper script so neutron launches haproxy in a separate container.
|
|
type: boolean
|
|
default: true
|
|
NeutronEnableDibblerDockerWrapper:
|
|
description: Generate a wrapper script so neutron launches the dibbler client in a separate
|
|
container.
|
|
type: boolean
|
|
default: true
|
|
NeutronEnableRadvdDockerWrapper:
|
|
description: Generate a wrapper script so neutron launches radvd in a separate container. Note
|
|
that is currently disabled by default pending availability of a fix to radvd
|
|
(see https://bugzilla.redhat.com/show_bug.cgi?id=1564391). It will be enabled by default
|
|
once the fix to radvd is generally available across target distributions.
|
|
type: boolean
|
|
default: false
|
|
Debug:
|
|
type: boolean
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
NeutronWrapperDebug:
|
|
type: boolean
|
|
default: false
|
|
description: Controls debugging for the wrapper scripts.
|
|
ContainerCli:
|
|
type: string
|
|
default: 'podman'
|
|
description: CLI tool used to manage containers.
|
|
constraints:
|
|
- allowed_values: ['docker', 'podman']
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
NeutronL3AgentMode:
|
|
description: |
|
|
Agent mode for L3 agent. Must be one of legacy or dvr_snat.
|
|
default: 'legacy'
|
|
type: string
|
|
constraints:
|
|
- allowed_values:
|
|
- legacy
|
|
- dvr_snat
|
|
- dvr
|
|
tags:
|
|
- role_specific
|
|
MonitoringSubscriptionNeutronL3:
|
|
default: 'overcloud-neutron-l3-agent'
|
|
type: string
|
|
NeutronL3AgentDebug:
|
|
default: ''
|
|
description: Set to True to enable debugging for Neutron L3 agent.
|
|
type: string
|
|
constraints:
|
|
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
|
|
# NOTE(bogdando): we allow the L3 agent to have AZ configs defined disregard of
|
|
# the used NeutronMechanismDrivers.
|
|
NeutronL3AgentAvailabilityZone:
|
|
description: Availability zone for Neutron L3 agent. If not set,
|
|
no AZs will be configured for Neutron network services.
|
|
default: ''
|
|
type: string
|
|
|
|
NeutronL3AgentExtensions:
|
|
default: ""
|
|
description: |
|
|
Comma-separated list of extensions enabled for the Neutron L3 agent.
|
|
type: comma_delimited_list
|
|
|
|
NeutronL3AgentRadvdUser:
|
|
default: "root"
|
|
description: |
|
|
The username passed to radvd, used to drop root privileges and change
|
|
user ID to username and group ID to the primary group of username. If no
|
|
user specified, the user executing the L3 agent will be passed. If "root"
|
|
specified, because radvd is spawned as root, no "username" parameter
|
|
will be passed
|
|
type: string
|
|
|
|
conditions:
|
|
keepalived_wrapper_enabled: {equals: [{get_param: NeutronEnableKeepalivedWrapper}, true]}
|
|
haproxy_wrapper_enabled: {equals: [{get_param: NeutronEnableHaproxyDockerWrapper}, true]}
|
|
dibbler_wrapper_enabled: {equals: [{get_param: NeutronEnableDibblerDockerWrapper}, true]}
|
|
radvd_wrapper_enabled: {equals: [{get_param: NeutronEnableRadvdDockerWrapper}, true]}
|
|
docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']}
|
|
service_debug_unset: {equals : [{get_param: NeutronWrapperDebug}, false]}
|
|
az_unset: {equals: [{get_param: NeutronL3AgentAvailabilityZone}, '']}
|
|
l3_agent_extensions_empty: {equals : [{get_param: NeutronL3AgentExtensions}, "''"]}
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
NeutronBase:
|
|
type: ./neutron-base.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
# Merging role-specific parameters (RoleParameters) with the default parameters.
|
|
# RoleParameters will have the precedence over the default parameters.
|
|
RoleParametersValue:
|
|
type: OS::Heat::Value
|
|
properties:
|
|
type: json
|
|
value:
|
|
map_replace:
|
|
- map_replace:
|
|
- neutron::agents::l3::agent_mode: NeutronL3AgentMode
|
|
- values: {get_param: [RoleParameters]}
|
|
- values:
|
|
NeutronL3AgentMode: {get_param: NeutronL3AgentMode}
|
|
|
|
NeutronLogging:
|
|
type: OS::TripleO::Services::Logging::NeutronCommon
|
|
properties:
|
|
NeutronServiceName: l3-agent
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for Neutron L3 agent
|
|
value:
|
|
service_name: neutron_l3
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronL3}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [NeutronBase, role_data, config_settings]
|
|
- get_attr: [RoleParametersValue, value]
|
|
- get_attr: [NeutronLogging, config_settings]
|
|
- tripleo::profile::base::neutron::l3_agent_wrappers::enable_keepalived_wrapper: {get_param: NeutronEnableKeepalivedWrapper}
|
|
tripleo::profile::base::neutron::l3_agent_wrappers::keepalived_process_wrapper: '/var/lib/neutron/keepalived_wrapper'
|
|
# TODO(beagles): this can be removed after a cleanup of the related puppet-tripleo code.
|
|
tripleo::profile::base::neutron::l3_agent_wrappers::keepalived_state_change_wrapper: '/var/lib/neutron/keepalived_state_change_wrapper'
|
|
tripleo::profile::base::neutron::l3_agent_wrappers::keepalived_image: {get_param: ContainerNeutronL3AgentImage}
|
|
tripleo::profile::base::neutron::l3_agent_wrappers::enable_haproxy_wrapper: {get_param: NeutronEnableHaproxyDockerWrapper}
|
|
tripleo::profile::base::neutron::l3_agent_wrappers::haproxy_process_wrapper: '/var/lib/neutron/l3_haproxy_wrapper'
|
|
tripleo::profile::base::neutron::l3_agent_wrappers::haproxy_image: {get_param: ContainerNeutronL3AgentImage}
|
|
tripleo::profile::base::neutron::l3_agent_wrappers::enable_dibbler_wrapper: {get_param: NeutronEnableDibblerDockerWrapper}
|
|
tripleo::profile::base::neutron::l3_agent_wrappers::dibbler_process_wrapper: '/var/lib/neutron/dibbler_wrapper'
|
|
tripleo::profile::base::neutron::l3_agent_wrappers::dibbler_image: {get_param: ContainerNeutronL3AgentImage}
|
|
tripleo::profile::base::neutron::l3_agent_wrappers::enable_radvd_wrapper: {get_param: NeutronEnableRadvdDockerWrapper}
|
|
tripleo::profile::base::neutron::l3_agent_wrappers::radvd_process_wrapper: '/var/lib/neutron/radvd_wrapper'
|
|
tripleo::profile::base::neutron::l3_agent_wrappers::radvd_image: {get_param: ContainerNeutronL3AgentImage}
|
|
tripleo::profile::base::neutron::l3_agent_wrappers::debug:
|
|
if:
|
|
- service_debug_unset
|
|
- {get_param: Debug }
|
|
- {get_param: NeutronWrapperDebug}
|
|
tripleo::profile::base::neutron::container_cli: {get_param: ContainerCli}
|
|
- neutron::agents::l3::debug:
|
|
if:
|
|
- service_debug_unset
|
|
- {get_param: Debug}
|
|
- {get_param: NeutronL3AgentDebug}
|
|
tripleo::neutron_l3::firewall_rules:
|
|
'106 neutron_l3 vrrp':
|
|
proto: vrrp
|
|
-
|
|
- if:
|
|
- az_unset
|
|
- {}
|
|
- neutron::agents::l3::availability_zone: {get_param: NeutronL3AgentAvailabilityZone}
|
|
if:
|
|
- l3_agent_extensions_empty
|
|
- {}
|
|
- neutron::agents::l3::extensions: {get_param: NeutronL3AgentExtensions}
|
|
- neutron::agents::l3::radvd_user: {get_param: NeutronL3AgentRadvdUser}
|
|
service_config_settings:
|
|
map_merge:
|
|
- get_attr: [NeutronBase, role_data, service_config_settings]
|
|
- rsyslog:
|
|
tripleo_logging_sources_neutron_l3:
|
|
- {get_param: NeutronL3AgentLoggingSource}
|
|
puppet_config:
|
|
puppet_tags: neutron_config,neutron_l3_agent_config
|
|
config_volume: neutron
|
|
step_config: |
|
|
include tripleo::profile::base::neutron::l3
|
|
config_image: {get_param: ContainerNeutronConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/neutron_l3_agent.json:
|
|
command:
|
|
list_join:
|
|
- ' '
|
|
- - /usr/bin/neutron-l3-agent --config-file /usr/share/neutron/neutron-dist.conf --config-dir /usr/share/neutron/l3_agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/l3_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-l3-agent
|
|
- get_attr: [NeutronLogging, cmd_extra_args]
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/neutron
|
|
owner: neutron:neutron
|
|
recurse: true
|
|
- path: /var/lib/neutron
|
|
owner: neutron:neutron
|
|
recurse: true
|
|
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
|
|
deploy_steps_tasks:
|
|
- when: step|int == 1
|
|
block:
|
|
- name: set conditions
|
|
set_fact:
|
|
keepalived_wrapper_enabled: {get_param: NeutronEnableKeepalivedWrapper}
|
|
haproxy_wrapper_enabled: {get_param: NeutronEnableHaproxyDockerWrapper}
|
|
dibbler_wrapper_enabled: {get_param: NeutronEnableDibblerDockerWrapper}
|
|
radvd_wrapper_enabled: {get_param: NeutronEnableRadvdDockerWrapper}
|
|
debug_enabled: {get_param: Debug}
|
|
docker_additional_sockets: {get_param: DockerAdditionalSockets}
|
|
- name: create kill_scripts directory within /var/lib/neutron
|
|
file:
|
|
state: directory
|
|
path: /var/lib/neutron/kill_scripts
|
|
- name: create keepalived kill script
|
|
when: keepalived_wrapper_enabled|bool
|
|
copy:
|
|
dest: /var/lib/neutron/kill_scripts/keepalived-kill
|
|
mode: 0755
|
|
content: {get_file: ./kill-script}
|
|
- name: create haproxy kill script
|
|
when: haproxy_wrapper_enabled|bool
|
|
copy:
|
|
dest: /var/lib/neutron/kill_scripts/haproxy-kill
|
|
mode: 0755
|
|
content: {get_file: ./kill-script}
|
|
- name: create dibbler kill script
|
|
when: dibbler_wrapper_enabled|bool
|
|
copy:
|
|
dest: /var/lib/neutron/kill_scripts/dibbler-kill
|
|
mode: 0755
|
|
content: {get_file: ./kill-script}
|
|
- name: create radvd kill script
|
|
when: radvd_wrapper_enabled|bool
|
|
copy:
|
|
dest: /var/lib/neutron/kill_scripts/radvd-kill
|
|
mode: 0755
|
|
content: {get_file: ./kill-script}
|
|
docker_config:
|
|
step_2:
|
|
create_keepalived_wrapper:
|
|
start_order: 1
|
|
detach: false
|
|
net: host
|
|
pid: host
|
|
user: root
|
|
command: # '/container_puppet_apply.sh "STEP" "TAGS" "CONFIG" "DEBUG"'
|
|
list_concat:
|
|
-
|
|
- '/container_puppet_apply.sh'
|
|
- '4'
|
|
- 'file'
|
|
- 'include ::tripleo::profile::base::neutron::l3_agent_wrappers'
|
|
image: {get_param: ContainerNeutronL3AgentImage}
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, container_puppet_apply_volumes]}
|
|
-
|
|
- /run/openvswitch:/run/openvswitch:shared,z
|
|
- /var/lib/neutron:/var/lib/neutron:shared,z
|
|
step_4:
|
|
neutron_l3_agent:
|
|
start_order: 10
|
|
image: {get_param: ContainerNeutronL3AgentImage}
|
|
net: host
|
|
pid: host
|
|
privileged: true
|
|
restart: always
|
|
depends_on:
|
|
- openvswitch
|
|
healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
|
|
ulimit: {get_param: DockerNeutronL3AgentUlimit}
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [NeutronLogging, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/neutron_l3_agent.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro
|
|
- /lib/modules:/lib/modules:ro
|
|
- /run/openvswitch:/run/openvswitch:shared,z
|
|
- /var/lib/neutron:/var/lib/neutron:shared,z
|
|
- /run/netns:/run/netns:shared
|
|
- /var/lib/neutron/kill_scripts:/etc/neutron/kill_scripts:shared,z
|
|
-
|
|
if:
|
|
- docker_enabled
|
|
- - /var/lib/openstack:/var/lib/openstack
|
|
- null
|
|
-
|
|
if:
|
|
- keepalived_wrapper_enabled
|
|
- - /var/lib/neutron/keepalived_wrapper:/usr/local/bin/keepalived:ro
|
|
- null
|
|
-
|
|
if:
|
|
- haproxy_wrapper_enabled
|
|
- - /var/lib/neutron/l3_haproxy_wrapper:/usr/local/bin/haproxy:ro
|
|
- null
|
|
-
|
|
if:
|
|
- radvd_wrapper_enabled
|
|
- - /var/lib/neutron/radvd_wrapper:/usr/local/bin/radvd:ro
|
|
- null
|
|
-
|
|
if:
|
|
- dibbler_wrapper_enabled
|
|
- - /var/lib/neutron/dibbler_wrapper:/usr/local/bin/dibbler_client:ro
|
|
- null
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
metadata_settings:
|
|
get_attr: [NeutronBase, role_data, metadata_settings]
|
|
host_prep_tasks:
|
|
list_concat:
|
|
- {get_attr: [NeutronLogging, host_prep_tasks]}
|
|
- - name: create /run/netns with temp namespace
|
|
command: ip netns add ns_temp
|
|
register: ipnetns_add_result
|
|
ignore_errors: True
|
|
- - name: remove temp namespace
|
|
command: ip netns delete ns_temp
|
|
ignore_errors: True
|
|
when: ipnetns_add_result.rc == 0
|
|
- - name: create /var/lib/neutron
|
|
file:
|
|
path: /var/lib/neutron
|
|
state: directory
|
|
setype: svirt_sandbox_file_t
|
|
- - name: enable virt_sandbox_use_netlink for healtcheck
|
|
seboolean:
|
|
name: virt_sandbox_use_netlink
|
|
persistent: yes
|
|
state: yes
|
|
upgrade_tasks: []
|
|
fast_forward_upgrade_tasks:
|
|
- when:
|
|
- step|int == 0
|
|
- release == 'ocata'
|
|
block:
|
|
- name: Check if neutron_l3_agent is deployed
|
|
command: systemctl is-enabled --quiet neutron-l3-agent
|
|
ignore_errors: True
|
|
register: neutron_l3_agent_enabled_result
|
|
- name: Set fact neutron_l3_agent_enabled
|
|
set_fact:
|
|
neutron_l3_agent_enabled: "{{ neutron_l3_agent_enabled_result.rc == 0 }}"
|
|
- name: Stop neutron_l3_agent
|
|
service: name=neutron-l3-agent state=stopped enabled=no
|
|
when:
|
|
- step|int == 1
|
|
- release == 'ocata'
|
|
- neutron_l3_agent_enabled|bool
|
|
post_upgrade_tasks:
|
|
- when: step|int == 1
|
|
import_role:
|
|
name: tripleo-docker-rm
|
|
vars:
|
|
containers_to_rm:
|
|
- neutron_l3_agent
|
|
tripleo_container_cli: "docker"
|
|
- name: Check for neutron user
|
|
getent:
|
|
database: passwd
|
|
key: neutron
|
|
ignore_errors: True
|
|
- name: Set neutron_user_avail
|
|
set_fact:
|
|
neutron_user_avail: "{{ getent_passwd is defined }}"
|
|
- when:
|
|
- step|int == 2
|
|
- neutron_user_avail|bool
|
|
block:
|
|
- name: Ensure r/w access for existing files after upgrade
|
|
become: true
|
|
shell: |
|
|
umask 0002
|
|
setfacl -d -R -m u:neutron:rwx /var/lib/neutron
|
|
setfacl -R -m u:neutron:rw /var/lib/neutron
|
|
find /var/lib/neutron -type d -exec setfacl -m u:neutron:rwx '{}' \;
|
|
- name: Provide access to domain sockets
|
|
become: true
|
|
shell: |
|
|
umask 0002
|
|
setfacl -m u:neutron:rwx "{{ item }}"
|
|
with_items:
|
|
- /var/lib/neutron/metadata_proxy
|
|
- /var/lib/neutron/keepalived-state-change
|
|
- /var/lib/neutron
|
|
# These files are not necessarily present
|
|
ignore_errors: True
|