
  1. heat_template_version: rocky
  2. description: >
  3. OpenStack containerized Neutron DHCP service
  4. parameters:
  5. ContainerNeutronDHCPImage:
  6. description: image
  7. type: string
  8. ContainerNeutronConfigImage:
  9. description: The container image to use for the neutron config_volume
  10. type: string
  11. DockerNeutronDHCPAgentUlimit:
  12. default: ['nofile=16384']
  13. description: ulimit for Neutron DHCP Agent Container
  14. type: comma_delimited_list
  15. DockerAdditionalSockets:
  16. default: ['/var/lib/openstack/docker.sock']
  17. description: Additional domain sockets for the docker daemon to bind to (useful for mounting
  18. into containers that launch other containers)
  19. type: comma_delimited_list
  20. NeutronEnableDnsmasqDockerWrapper:
  21. description: Generate a dnsmasq wrapper script so that neutron launches
  22. dnsmasq in a separate container.
  23. type: boolean
  24. default: true
  25. NeutronEnableHaproxyDockerWrapper:
  26. description: Generate a wrapper script so neutron launches haproxy in a separate container.
  27. type: boolean
  28. default: true
  29. Debug:
  30. type: boolean
  31. default: false
  32. description: Set to True to enable debugging on all services.
  33. NeutronWrapperDebug:
  34. type: boolean
  35. default: false
  36. description: Controls debugging for the wrapper scripts.
  37. ContainerCli:
  38. type: string
  39. default: 'podman'
  40. description: CLI tool used to manage containers.
  41. constraints:
  42. - allowed_values: ['docker', 'podman']
  43. NeutronDhcpAgentLoggingSource:
  44. type: json
  45. default:
  46. tag: openstack.neutron.agent.dhcp
  47. file: /var/log/containers/neutron/dhcp-agent.log
  48. EndpointMap:
  49. default: {}
  50. description: Mapping of service endpoint -> protocol. Typically set
  51. via parameter_defaults in the resource registry.
  52. type: json
  53. ServiceData:
  54. default: {}
  55. description: Dictionary packing service data
  56. type: json
  57. ServiceNetMap:
  58. default: {}
  59. description: Mapping of service_name -> network name. Typically set
  60. via parameter_defaults in the resource registry. This
  61. mapping overrides those in ServiceNetMapDefaults.
  62. type: json
  63. DefaultPasswords:
  64. default: {}
  65. type: json
  66. RoleName:
  67. default: ''
  68. description: Role name on which the service is applied
  69. type: string
  70. RoleParameters:
  71. default: {}
  72. description: Parameters specific to the role
  73. type: json
  74. EnableInternalTLS:
  75. type: boolean
  76. default: false
  77. InternalTLSCAFile:
  78. default: '/etc/ipa/ca.crt'
  79. type: string
  80. description: Specifies the default CA cert to use if TLS is used for
  81. services in the internal network.
  82. NeutronEnableMetadataNetwork:
  83. default: false
  84. description: If True, DHCP provide metadata network. Requires either
  85. IsolatedMetadata or ForceMetadata parameters to also be True.
  86. type: boolean
  87. NeutronEnableIsolatedMetadata:
  88. default: false
  89. description: If True, DHCP provide metadata route to VM.
  90. type: boolean
  91. NeutronEnableForceMetadata:
  92. default: false
  93. description: If True, DHCP always provides metadata route to VM.
  94. type: boolean
  95. NeutronEnableInternalDNS:
  96. default: false
  97. description: |
  98. If True, enable the internal Neutron DNS server that provides name
  99. resolution between VMs. This parameter has no effect if
  100. NeutronDhcpAgentDnsmasqDnsServers is set.
  101. type: boolean
  102. MonitoringSubscriptionNeutronDhcp:
  103. default: 'overcloud-neutron-dhcp'
  104. type: string
  105. NeutronDhcpAgentDebug:
  106. default: ''
  107. description: Set to True to enable debugging for Neutron DHCP agent.
  108. type: string
  109. constraints:
  110. - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
  111. NeutronDhcpAgentDnsmasqDnsServers:
  112. default: []
  113. description: List of servers to use as dnsmasq forwarders
  114. type: comma_delimited_list
  115. NeutronInterfaceDriver:
  116. default: 'neutron.agent.linux.interface.OVSInterfaceDriver'
  117. description: Neutron DHCP Agent interface driver
  118. type: string
  119. NeutronDhcpOvsIntegrationBridge:
  120. default: ''
  121. type: string
  122. description: Name of Open vSwitch bridge to use
  123. NeutronDhcpServerBroadcastReply:
  124. default: false
  125. description: Neutron DHCP agent to use broadcast in DHCP replies
  126. type: boolean
  127. # TODO(bogdando): The experimental OVN SRIOV environment includes the
  128. # DHCP agent service. We keep it safe to not break it with AZ-related
  129. # configurations. Therefore, we have to determine, if
  130. # NeutronMechanismDrivers is OVN or not. This may change in future,
  131. # when OVN/SRIOV supports Neutron AZ configurations for the agent services.
  132. NeutronMechanismDrivers:
  133. default: 'ovn'
  134. description: |
  135. The mechanism drivers for the Neutron tenant network.
  136. type: comma_delimited_list
  137. NeutronDhcpAgentAvailabilityZone:
  138. description: Availability zone for Neutron DHCP agent. If not set,
  139. no AZs will be configured for Neutron network services.
  140. default: ''
  141. type: string
  142. conditions:
  143. internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
  144. dnsmasq_wrapper_enabled: {equals: [{get_param: NeutronEnableDnsmasqDockerWrapper}, true]}
  145. haproxy_wrapper_enabled: {equals: [{get_param: NeutronEnableHaproxyDockerWrapper}, true]}
  146. docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']}
  147. service_wrapper_debug_unset: {equals : [{get_param: NeutronWrapperDebug}, false]}
  148. service_debug_unset: {equals: [{get_param: NeutronDhcpAgentDebug}, '']}
  149. dhcp_ovs_intergation_bridge_unset: {equals: [{get_param: NeutronDhcpOvsIntegrationBridge}, '']}
  150. is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]}
  151. az_unset: {equals: [{get_param: NeutronDhcpAgentAvailabilityZone}, '']}
  152. omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]}
  153. resources:
  154. ContainersCommon:
  155. type: ../containers-common.yaml
  156. NeutronBase:
  157. type: ./neutron-base.yaml
  158. properties:
  159. EndpointMap: {get_param: EndpointMap}
  160. ServiceData: {get_param: ServiceData}
  161. ServiceNetMap: {get_param: ServiceNetMap}
  162. DefaultPasswords: {get_param: DefaultPasswords}
  163. RoleName: {get_param: RoleName}
  164. RoleParameters: {get_param: RoleParameters}
  165. NeutronLogging:
  166. type: OS::TripleO::Services::Logging::NeutronCommon
  167. properties:
  168. NeutronServiceName: dhcp-agent
  169. outputs:
  170. role_data:
  171. description: Role data for the Neutron DHCP role.
  172. value:
  173. service_name: neutron_dhcp
  174. monitoring_subscription: {get_param: MonitoringSubscriptionNeutronDhcp}
  175. config_settings:
  176. map_merge:
  177. - get_attr: [NeutronBase, role_data, config_settings]
  178. - get_attr: [NeutronLogging, config_settings]
  179. - tripleo::profile::base::neutron::dhcp_agent_wrappers::enable_dnsmasq_wrapper: {get_param: NeutronEnableDnsmasqDockerWrapper}
  180. tripleo::profile::base::neutron::dhcp_agent_wrappers::dnsmasq_process_wrapper: '/var/lib/neutron/dnsmasq_wrapper'
  181. tripleo::profile::base::neutron::dhcp_agent_wrappers::dnsmasq_image: {get_param: ContainerNeutronDHCPImage}
  182. tripleo::profile::base::neutron::dhcp_agent_wrappers::enable_haproxy_wrapper: {get_param: NeutronEnableHaproxyDockerWrapper}
  183. tripleo::profile::base::neutron::dhcp_agent_wrappers::haproxy_process_wrapper: '/var/lib/neutron/dhcp_haproxy_wrapper'
  184. tripleo::profile::base::neutron::dhcp_agent_wrappers::haproxy_image: {get_param: ContainerNeutronDHCPImage}
  185. tripleo::profile::base::neutron::dhcp_agent_wrappers::debug:
  186. if:
  187. - service_wrapper_debug_unset
  188. - {get_param: Debug }
  189. - {get_param: NeutronWrapperDebug}
  190. tripleo::profile::base::neutron::container_cli: {get_param: ContainerCli}
  191. neutron::agents::dhcp::enable_isolated_metadata: {get_param: NeutronEnableIsolatedMetadata}
  192. neutron::agents::dhcp::enable_force_metadata: {get_param: NeutronEnableForceMetadata}
  193. neutron::agents::dhcp::enable_metadata_network: {get_param: NeutronEnableMetadataNetwork}
  194. neutron::agents::dhcp::dnsmasq_local_resolv: {get_param: NeutronEnableInternalDNS}
  195. neutron::agents::dhcp::dnsmasq_dns_servers: {get_param: NeutronDhcpAgentDnsmasqDnsServers}
  196. neutron::agents::dhcp::interface_driver: {get_param: NeutronInterfaceDriver}
  197. neutron::agents::dhcp::dhcp_broadcast_reply: {get_param: NeutronDhcpServerBroadcastReply}
  198. neutron::agents::dhcp::debug:
  199. if:
  200. - service_debug_unset
  201. - {get_param: Debug}
  202. - {get_param: NeutronDhcpAgentDebug}
  203. tripleo::neutron_dhcp::firewall_rules:
  204. '115 neutron dhcp input':
  205. ipversion: 'ipv4'
  206. proto: 'udp'
  207. dport: 67
  208. '116 neutron dhcp output':
  209. ipversion: 'ipv4'
  210. proto: 'udp'
  211. chain: 'OUTPUT'
  212. dport: 68
  213. '115 neutron dhcpv6 input':
  214. ipversion: 'ipv6'
  215. proto: 'udp'
  216. dport: 547
  217. '116 neutron dhcpv6 output':
  218. ipversion: 'ipv6'
  219. proto: 'udp'
  220. chain: 'OUTPUT'
  221. dport: 546
  222. '116 neutron dhcpv6 relay output':
  223. ipversion: 'ipv6'
  224. proto: 'udp'
  225. chain: 'OUTPUT'
  226. dport: 547
  227. - if:
  228. - internal_tls_enabled
  229. - neutron::agents::dhcp::ovsdb_agent_ssl_key_file: '/etc/pki/tls/private/neutron.key'
  230. neutron::agents::dhcp::ovsdb_agent_ssl_cert_file: '/etc/pki/tls/certs/neutron.crt'
  231. neutron::agents::dhcp::ovsdb_agent_ssl_ca_file: {get_param: InternalTLSCAFile}
  232. generate_service_certificates: true
  233. tripleo::profile::base::neutron::certificate_specs:
  234. service_certificate: '/etc/pki/tls/certs/neutron.crt'
  235. service_key: '/etc/pki/tls/private/neutron.key'
  236. hostname:
  237. str_replace:
  238. template: "%{hiera('fqdn_NETWORK')}"
  239. params:
  240. NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
  241. principal:
  242. str_replace:
  243. template: "neutron/%{hiera('fqdn_NETWORK')}"
  244. params:
  245. NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
  246. postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh"
  247. - {}
  248. - if:
  249. - dhcp_ovs_intergation_bridge_unset
  250. - {}
  251. - neutron::agents::dhcp::ovs_integration_bridge: {get_param: NeutronDhcpOvsIntegrationBridge}
  252. - if:
  253. - omit_az_configs
  254. - {}
  255. - neutron::agents::dhcp::availability_zone: {get_param: NeutronDhcpAgentAvailabilityZone}
  256. service_config_settings:
  257. map_merge:
  258. - get_attr: [NeutronBase, role_data, service_config_settings]
  259. - rsyslog:
  260. tripleo_logging_sources_neutron_dhcp:
  261. - {get_param: NeutronDhcpAgentLoggingSource}
  262. # BEGIN DOCKER SETTINGS
  263. puppet_config:
  264. config_volume: neutron
  265. puppet_tags: neutron_config,neutron_dhcp_agent_config
  266. step_config: |
  267. include tripleo::profile::base::neutron::dhcp
  268. config_image: {get_param: ContainerNeutronConfigImage}
  269. kolla_config:
  270. /var/lib/kolla/config_files/neutron_dhcp.json:
  271. command:
  272. list_join:
  273. - ' '
  274. - - /usr/bin/neutron-dhcp-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/dhcp_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-dhcp-agent
  275. - get_attr: [NeutronLogging, cmd_extra_args]
  276. config_files:
  277. - source: "/var/lib/kolla/config_files/src/*"
  278. dest: "/"
  279. merge: true
  280. preserve_properties: true
  281. - source: "/var/lib/kolla/config_files/src-tls/*"
  282. dest: "/"
  283. merge: true
  284. preserve_properties: true
  285. optional: true
  286. permissions:
  287. - path: /var/log/neutron
  288. owner: neutron:neutron
  289. recurse: true
  290. - path: /var/lib/neutron
  291. owner: neutron:neutron
  292. recurse: true
  293. - path: /etc/pki/tls/certs/neutron.crt
  294. owner: neutron:neutron
  295. - path: /etc/pki/tls/private/neutron.key
  296. owner: neutron:neutron
  297. container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
  298. deploy_steps_tasks:
  299. - when: step|int == 1
  300. block:
  301. - name: set conditions
  302. set_fact:
  303. dnsmasq_wrapper_enabled: {get_param: NeutronEnableDnsmasqDockerWrapper}
  304. haproxy_wrapper_enabled: {get_param: NeutronEnableHaproxyDockerWrapper}
  305. debug_enabled:
  306. if:
  307. - service_debug_unset
  308. - {get_param: Debug }
  309. - {get_param: NeutronWrapperDebug}
  310. - name: Create dhcp systemd wrappers
  311. include_role:
  312. name: tripleo-systemd-wrapper
  313. vars:
  314. tripleo_systemd_wrapper_cmd: "{{ dhcp_wrapper_item.cmd }}"
  315. tripleo_systemd_wrapper_config_bind_mount: "/var/lib/config-data/puppet-generated/neutron:/etc/neutron:ro"
  316. tripleo_systemd_wrapper_container_cli: "{{ container_cli }}"
  317. tripleo_systemd_wrapper_debug: "{{ debug_enabled }}"
  318. tripleo_systemd_wrapper_docker_additional_sockets: {get_param: DockerAdditionalSockets}
  319. tripleo_systemd_wrapper_image_name: {get_param: ContainerNeutronDHCPImage}
  320. tripleo_systemd_wrapper_service_dir: /var/lib/neutron
  321. tripleo_systemd_wrapper_service_kill_script: "{{ dhcp_wrapper_item.kill_script }}"
  322. tripleo_systemd_wrapper_service_name: "{{ dhcp_wrapper_item.name }}"
  323. loop_control:
  324. loop_var: dhcp_wrapper_item
  325. loop:
  326. - name: dhcp_dnsmasq
  327. cmd: /usr/sbin/dnsmasq -k
  328. kill_script: dnsmasq-kill
  329. - name: dhcp_haproxy
  330. cmd: >-
  331. $(if [ -f /usr/sbin/haproxy-systemd-wrapper ]; then
  332. echo "/usr/sbin/haproxy -Ds";
  333. else
  334. echo "/usr/sbin/haproxy -Ws"; fi)
  335. kill_script: haproxy-kill
  336. docker_config:
  337. step_4:
  338. neutron_dhcp:
  339. start_order: 10
  340. image: {get_param: ContainerNeutronDHCPImage}
  341. net: host
  342. pid: host
  343. privileged: true
  344. restart: always
  345. security_opt: 'label=disable'
  346. depends_on:
  347. - openvswitch
  348. healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
  349. ulimit: {get_param: DockerNeutronDHCPAgentUlimit}
  350. volumes:
  351. list_concat:
  352. - {get_attr: [ContainersCommon, volumes]}
  353. - {get_attr: [NeutronLogging, volumes]}
  354. -
  355. - /var/lib/kolla/config_files/neutron_dhcp.json:/var/lib/kolla/config_files/config.json:ro
  356. - /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro
  357. - /lib/modules:/lib/modules:ro
  358. - /run/openvswitch:/run/openvswitch:shared,z
  359. - /var/lib/neutron:/var/lib/neutron:shared,z
  360. - /run/netns:/run/netns:shared
  361. - /var/lib/neutron/kill_scripts:/etc/neutron/kill_scripts:shared,z
  362. -
  363. if:
  364. - docker_enabled
  365. - - /var/lib/openstack:/var/lib/openstack
  366. - null
  367. -
  368. if:
  369. - dnsmasq_wrapper_enabled
  370. - - /var/lib/neutron/dhcp_dnsmasq/wrapper:/usr/local/bin/dnsmasq:ro
  371. - null
  372. -
  373. if:
  374. - haproxy_wrapper_enabled
  375. - - /var/lib/neutron/dhcp_haproxy/wrapper:/usr/local/bin/haproxy:ro
  376. - null
  377. -
  378. if:
  379. - internal_tls_enabled
  380. - - /etc/pki/tls/certs/neutron.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/neutron.crt:ro
  381. - /etc/pki/tls/private/neutron.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/neutron.key:ro
  382. - null
  383. environment:
  384. KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
  385. metadata_settings:
  386. if:
  387. - internal_tls_enabled
  388. -
  389. - service: neutron
  390. network: {get_param: [ServiceNetMap, NeutronApiNetwork]}
  391. type: node
  392. - null
  393. host_prep_tasks:
  394. list_concat:
  395. - {get_attr: [NeutronLogging, host_prep_tasks]}
  396. - - name: create /run/netns with temp namespace
  397. command: ip netns add ns_temp
  398. register: ipnetns_add_result
  399. ignore_errors: True
  400. - - name: remove temp namespace
  401. command: ip netns delete ns_temp
  402. ignore_errors: True
  403. when: ipnetns_add_result.rc == 0
  404. - - name: create /var/lib/neutron
  405. file:
  406. path: /var/lib/neutron
  407. state: directory
  408. setype: svirt_sandbox_file_t
  409. - - name: enable virt_sandbox_use_netlink for healtcheck
  410. seboolean:
  411. name: virt_sandbox_use_netlink
  412. persistent: yes
  413. state: yes
  414. upgrade_tasks: []
  415. fast_forward_upgrade_tasks:
  416. - when:
  417. - step|int == 0
  418. - release == 'ocata'
  419. block:
  420. - name: Check if neutron_dhcp_agent is deployed
  421. command: systemctl is-enabled --quiet neutron-dhcp-agent
  422. ignore_errors: True
  423. register: neutron_dhcp_agent_enabled_result
  424. - name: Set fact neutron_dhcp_agent_enabled
  425. set_fact:
  426. neutron_dhcp_agent_enabled: "{{ neutron_dhcp_agent_enabled_result.rc == 0 }}"
  427. - name: Stop neutron_dhcp_agent
  428. service: name=neutron-dhcp-agent state=stopped enabled=no
  429. when:
  430. - step|int == 2
  431. - release == 'ocata'
  432. - neutron_dhcp_agent_enabled|bool
  433. post_upgrade_tasks:
  434. - name: Check for neutron user
  435. getent:
  436. database: passwd
  437. key: neutron
  438. ignore_errors: True
  439. - name: Set neutron_user_avail
  440. set_fact:
  441. neutron_user_avail: "{{ getent_passwd is defined }}"
  442. - when:
  443. - step|int == 2
  444. - neutron_user_avail|bool
  445. block:
  446. - name: Ensure read/write access for files created after upgrade
  447. become: true
  448. shell: |
  449. umask 0002
  450. setfacl -d -R -m u:neutron:rwx /var/lib/neutron
  451. setfacl -R -m u:neutron:rw /var/lib/neutron
  452. find /var/lib/neutron -type d -exec setfacl -m u:neutron:rwx '{}' \;
  453. - name: Provide access for domain sockets
  454. ignore_errors: True
  455. become: true
  456. shell: |
  457. umask 0002
  458. setfacl -m u:neutron:rwx "{{ item }}"
  459. with_items:
  460. - /var/lib/neutron/metadata_proxy
  461. - /var/lib/neutron
  462. # These files are not necessarily present
  463. ignore_errors: True