
  # Heat service template for the OVN metadata agent; the agent itself runs
  # as a container (see docker_config under outputs). HOT version: rocky.
  heat_template_version: rocky

  description: >
    OpenStack containerized OVN Metadata agent
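  # Template parameters. Secrets carry `hidden: true` so Heat masks them in
  # stack/parameter output. `Debug` is declared exactly once here (the file
  # previously repeated the same definition, which yamllint rejects as a
  # duplicate key and most parsers resolve silently as last-wins).
  parameters:
    ContainerOvnMetadataImage:
      description: image
      type: string
    ContainerNeutronConfigImage:
      description: The container image to use for the neutron config_volume
      type: string
    OvnMetadataAgentLoggingSource:
      type: json
      default:
        tag: openstack.neutron.agent.ovn-metadata
        path: /var/log/containers/neutron/networking-ovn-metadata-agent.log
    OVNEnableHaproxyDockerWrapper:
      description: Generate a wrapper script so that haproxy is launched in a separate container.
      type: boolean
      default: true
    # Global debug switch; per-service overrides below win when they are set.
    Debug:
      type: boolean
      default: false
      description: Set to True to enable debugging on all services.
    OVNWrapperDebug:
      type: boolean
      default: false
      description: Controls debugging for the wrapper scripts.
    ContainerCli:
      type: string
      default: 'podman'
      description: CLI tool used to manage containers.
      constraints:
        - allowed_values: ['docker', 'podman']
    ServiceData:
      default: {}
      description: Dictionary packing service data
      type: json
    ServiceNetMap:
      default: {}
      description: Mapping of service_name -> network name. Typically set
                   via parameter_defaults in the resource registry. This
                   mapping overrides those in ServiceNetMapDefaults.
      type: json
    DefaultPasswords:
      default: {}
      type: json
    EndpointMap:
      default: {}
      description: Mapping of service endpoint -> protocol. Typically set
                   via parameter_defaults in the resource registry.
      type: json
    RoleName:
      default: ''
      description: Role name on which the service is applied
      type: string
    RoleParameters:
      default: {}
      description: Parameters specific to the role
      type: json
    # Shared with nova-metadata; must match on both sides or the proxy
    # signature check fails. Hidden so the value is not shown by Heat.
    NeutronMetadataProxySharedSecret:
      description: Shared secret to prevent spoofing
      type: string
      hidden: true
    NeutronWorkers:
      default: ''
      description: |
        Sets the number of worker processes for the neutron metadata agent. The
        default value results in the configuration being left unset and a
        system-dependent default will be chosen (usually the number of
        processors). Please note that this can result in a large number of
        processes and memory consumption on systems with a large core count. On
        such systems it is recommended that a non-default value be selected that
        matches the load requirements.
      type: string
    NeutronPassword:
      description: The password for the neutron service and db account, used by neutron agents.
      type: string
      hidden: true
    OVNSouthboundServerPort:
      description: Port of the OVN Southbound DB server
      type: number
      default: 6642
    OVNDbConnectionTimeout:
      description: Timeout in seconds for the OVSDB connection transaction
      type: number
      default: 180
    MonitoringSubscriptionOvnMetadata:
      default: 'overcloud-ovn-metadata'
      type: string
    # String rather than boolean so that '' can mean "not set" (see the
    # allowed_values list); the template falls back to Debug in that case.
    OvnMetadataAgentDebug:
      default: ''
      description: Set to True to enable debugging for OVN Metadata agent.
      type: string
      constraints:
        - allowed_values: ['', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
    EnableInternalTLS:
      type: boolean
      default: false
    InternalTLSCAFile:
      default: '/etc/ipa/ca.crt'
      type: string
      description: Specifies the default CA cert to use if TLS is used for
                   services in the internal network.
    DockerAdditionalSockets:
      default: ['/var/lib/openstack/docker.sock']
      description: Additional domain sockets for the docker daemon to bind to (useful for mounting
                   into containers that launch other containers)
      type: comma_delimited_list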
  # Heat conditions referenced by the `if:` functions in outputs. Written in
  # block style so each comparison reads as "parameter vs. expected value".
  conditions:
    haproxy_wrapper_enabled:
      equals:
        - {get_param: OVNEnableHaproxyDockerWrapper}
        - true
    docker_enabled:
      equals:
        - {get_param: ContainerCli}
        - 'docker'
    # True when the wrapper debug flag is left at its default (false).
    # NOTE(review): this condition is keyed on OVNWrapperDebug only, yet it is
    # also used to select the agent debug value in config_settings.
    service_debug_unset:
      equals:
        - {get_param: OVNWrapperDebug}
        - false
    internal_tls_enabled:
      equals:
        - {get_param: EnableInternalTLS}
        - true
    neutron_workers_unset:
      equals:
        - {get_param: NeutronWorkers}
        - ''
  resources:
    # Common container volumes and config scripts, read via get_attr below.
    ContainersCommon:
      type: ../containers-common.yaml

    # Base neutron role data; its config_settings and metadata_settings are
    # merged into this service's outputs.
    NeutronBase:
      type: ../neutron/neutron-base.yaml
      properties:
        EndpointMap:
          get_param: EndpointMap
        ServiceData:
          get_param: ServiceData
        ServiceNetMap:
          get_param: ServiceNetMap
        DefaultPasswords:
          get_param: DefaultPasswords
        RoleName:
          get_param: RoleName
        RoleParameters:
          get_param: RoleParameters

    # Logging wiring (volumes, extra command args, host prep) for the agent.
    NeutronLogging:
      type: OS::TripleO::Services::Logging::NeutronCommon
      properties:
        NeutronServiceName: ovn-metadata-agent
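  outputs:
    role_data:
      description: Role data for OVNMetadata agent
      value:
        service_name: ovn_metadata
        monitoring_subscription: {get_param: MonitoringSubscriptionOvnMetadata}
        # Hiera data for the puppet step. Base neutron and logging settings are
        # merged first so the agent-specific keys below override them.
        config_settings:
          map_merge:
            - get_attr: [NeutronBase, role_data, config_settings]
            - get_attr: [NeutronLogging, config_settings]
            - tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::enable_haproxy_wrapper: {get_param: OVNEnableHaproxyDockerWrapper}
              tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::haproxy_process_wrapper: '/var/lib/neutron/ovn_metadata_haproxy_wrapper'
              tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::haproxy_image: {get_param: ContainerOvnMetadataImage}
              # Wrapper debug: global Debug unless OVNWrapperDebug is set.
              tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::debug:
                if:
                  - service_debug_unset
                  - {get_param: Debug}
                  - {get_param: OVNWrapperDebug}
              tripleo::profile::base::neutron::container_cli: {get_param: ContainerCli}
              # Both values come from hidden parameters.
              neutron::agents::ovn_metadata::shared_secret: {get_param: NeutronMetadataProxySharedSecret}
              neutron::agents::ovn_metadata::auth_password: {get_param: NeutronPassword}
              neutron::agents::ovn_metadata::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
              neutron::agents::ovn_metadata::auth_tenant: 'service'
              neutron::agents::ovn_metadata::metadata_host: {get_param: [EndpointMap, NovaMetadataCellInternal, host_nobrackets]}
              neutron::agents::ovn_metadata::ovsdb_connection_timeout: {get_param: OVNDbConnectionTimeout}
              ovn::southbound::port: {get_param: OVNSouthboundServerPort}
              # NOTE(review): service_debug_unset tests OVNWrapperDebug, so
              # OvnMetadataAgentDebug only takes effect when the *wrapper* debug
              # flag is true. A dedicated "agent debug unset" condition is
              # probably what was intended — confirm before changing.
              neutron::agents::ovn_metadata::debug:
                if:
                  - service_debug_unset
                  - {get_param: Debug}
                  - {get_param: OvnMetadataAgentDebug}
              # https to nova-metadata only when internal TLS is enabled.
              neutron::agents::ovn_metadata::metadata_protocol:
                if:
                  - internal_tls_enabled
                  - 'https'
                  - 'http'
            # Leave metadata_workers unset unless NeutronWorkers is given.
            - if:
                - neutron_workers_unset
                - {}
                - neutron::agents::ovn_metadata::metadata_workers: {get_param: NeutronWorkers}
            # With internal TLS: SSL to the OVN southbound DB, plus a service
            # certificate request for this host on the OvnDbsNetwork.
            - if:
                - internal_tls_enabled
                - tripleo::profile::base::neutron::ovn_metadata::ovn_sb_ca_cert: {get_param: InternalTLSCAFile}
                  tripleo::profile::base::neutron::ovn_metadata::protocol: 'ssl'
                  tripleo::profile::base::neutron::ovn_metadata::ovn_sb_certificate: '/etc/pki/tls/certs/ovn_metadata.crt'
                  tripleo::profile::base::neutron::ovn_metadata::ovn_sb_private_key: '/etc/pki/tls/private/ovn_metadata.key'
                  generate_service_certificates: true
                  ovn_metadata_certificate_specs:
                    service_certificate: '/etc/pki/tls/certs/ovn_metadata.crt'
                    service_key: '/etc/pki/tls/private/ovn_metadata.key'
                    hostname:
                      str_replace:
                        template: "%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
                    principal:
                      str_replace:
                        template: "ovn_metadata/%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
                - {}
        puppet_config:
          puppet_tags: neutron_config,ovn_metadata_agent_config
          config_volume: neutron
          step_config: |
            include tripleo::profile::base::neutron::ovn_metadata
          config_image: {get_param: ContainerNeutronConfigImage}
          volumes:
            - /lib/modules:/lib/modules:ro
            - /run/openvswitch:/run/openvswitch:shared,z
        kolla_config:
          /var/lib/kolla/config_files/ovn_metadata_agent.json:
            command:
              list_join:
                - ' '
                - - /usr/bin/networking-ovn-metadata-agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/networking-ovn/networking-ovn-metadata-agent.ini --config-dir /etc/neutron/conf.d/networking-ovn-metadata-agent
                  - get_attr: [NeutronLogging, cmd_extra_args]
            config_files:
              - source: "/var/lib/kolla/config_files/src/*"
                dest: "/"
                merge: true
                preserve_properties: true
            permissions:
              - path: /var/log/neutron
                owner: neutron:neutron
                recurse: true
              - path: /var/lib/neutron
                owner: neutron:neutron
                recurse: true
              # The cert/key files only exist when internal TLS is enabled,
              # hence optional: true.
              - path: /etc/pki/tls/certs/ovn_metadata.crt
                owner: neutron:neutron
                optional: true
                perm: '0644'
              # NOTE(review): the private key gets the same world-readable mode
              # as the certificate. If the agent reads it as the neutron user,
              # '0600' is the least-privilege mode — confirm and tighten.
              - path: /etc/pki/tls/private/ovn_metadata.key
                owner: neutron:neutron
                optional: true
                perm: '0644'
        container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
        deploy_steps_tasks:
          - when: step|int == 1
            block:
              - name: set conditions
                set_fact:
                  haproxy_wrapper_enabled: {get_param: OVNEnableHaproxyDockerWrapper}
                  # Same selection as the wrapper debug setting in
                  # config_settings. The else branch previously referenced
                  # NeutronWrapperDebug, which this template does not declare,
                  # so enabling OVNWrapperDebug could not be resolved.
                  debug_enabled:
                    if:
                      - service_debug_unset
                      - {get_param: Debug}
                      - {get_param: OVNWrapperDebug}
              # NOTE(review): the haproxy_wrapper_enabled fact set above is not
              # consumed by any task in this file; check whether this role
              # invocation should be gated on it.
              - name: Create ovn metadata systemd wrappers
                include_role:
                  name: tripleo-systemd-wrapper
                vars:
                  tripleo_systemd_wrapper_cmd: "{{ ovn_wrapper_item.cmd }}"
                  tripleo_systemd_wrapper_config_bind_mount: "/var/lib/config-data/puppet-generated/neutron:/etc/neutron:ro"
                  tripleo_systemd_wrapper_container_cli: "{{ container_cli }}"
                  tripleo_systemd_wrapper_debug: "{{ debug_enabled }}"
                  tripleo_systemd_wrapper_docker_additional_sockets: {get_param: DockerAdditionalSockets}
                  tripleo_systemd_wrapper_image_name: {get_param: ContainerOvnMetadataImage}
                  tripleo_systemd_wrapper_service_dir: /var/lib/neutron
                  tripleo_systemd_wrapper_service_kill_script: "{{ ovn_wrapper_item.kill_script }}"
                  tripleo_systemd_wrapper_service_name: "{{ ovn_wrapper_item.name }}"
                loop_control:
                  loop_var: ovn_wrapper_item
                loop:
                  - name: ovn_metadata_haproxy
                    # Picks the haproxy invocation that matches the installed
                    # binary (systemd wrapper present or not).
                    cmd: >-
                      $(if [ -f /usr/sbin/haproxy-systemd-wrapper ]; then
                        echo "/usr/sbin/haproxy -Ds";
                      else
                        echo "/usr/sbin/haproxy -Ws"; fi)
                    kill_script: haproxy-kill
        docker_config:
          step_4:
            # One-shot puppet apply (detach: false) before the agent starts.
            setup_ovs_manager:
              start_order: 0
              detach: false
              net: host
              privileged: true
              user: root
              command: # '/container_puppet_apply.sh "STEP" "TAGS" "CONFIG" "DEBUG"'
                list_concat:
                  - - '/container_puppet_apply.sh'
                    - '4'
                    - 'exec'
                    - 'include ::tripleo::profile::base::neutron::ovn_metadata'
              image: {get_param: ContainerOvnMetadataImage}
              volumes:
                list_concat:
                  - {get_attr: [ContainersCommon, container_puppet_apply_volumes]}
                  - - /lib/modules:/lib/modules:ro
                    - /run/openvswitch:/run/openvswitch:shared,z
            # Privileged, host net/pid: the agent works inside host network
            # namespaces (/run/netns and kill_scripts are mounted below).
            ovn_metadata_agent:
              start_order: 1
              image: {get_param: ContainerOvnMetadataImage}
              net: host
              pid: host
              privileged: true
              restart: always
              healthcheck:
                test: /openstack/healthcheck
              volumes:
                list_concat:
                  - {get_attr: [ContainersCommon, volumes]}
                  - {get_attr: [NeutronLogging, volumes]}
                  - - /var/lib/kolla/config_files/ovn_metadata_agent.json:/var/lib/kolla/config_files/config.json:ro
                    - /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro
                    - /lib/modules:/lib/modules:ro
                    - /run/openvswitch:/run/openvswitch:shared,z
                    - /var/lib/neutron:/var/lib/neutron:shared,z
                    - /run/netns:/run/netns:shared
                    - /var/lib/neutron/kill_scripts:/etc/neutron/kill_scripts:shared,z
                  # null entries are dropped by list_concat.
                  - if:
                      - docker_enabled
                      - - /var/lib/openstack:/var/lib/openstack
                      - null
                  - if:
                      - haproxy_wrapper_enabled
                      - - /var/lib/neutron/ovn_metadata_haproxy/wrapper:/usr/local/bin/haproxy:ro
                      - null
                  - if:
                      - internal_tls_enabled
                      - - /etc/pki/tls/certs/ovn_metadata.crt:/etc/pki/tls/certs/ovn_metadata.crt
                        - /etc/pki/tls/private/ovn_metadata.key:/etc/pki/tls/private/ovn_metadata.key
                      - null
              environment:
                KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
        metadata_settings:
          list_concat:
            - {get_attr: [NeutronBase, role_data, metadata_settings]}
            - if:
                - internal_tls_enabled
                - - service: ovn_metadata
                    network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
                    type: node
                - null
        host_prep_tasks:
          list_concat:
            - {get_attr: [NeutronLogging, host_prep_tasks]}
            # Adding and removing a throwaway namespace makes the host create
            # /run/netns so it can be bind-mounted into the container.
            - - name: create /run/netns with temp namespace
                command: ip netns add ns_temp
                register: ipnetns_add_result
                ignore_errors: true
            - - name: remove temp namespace
                command: ip netns delete ns_temp
                ignore_errors: true
                when: ipnetns_add_result.rc == 0
            - - name: create /var/lib/neutron
                file:
                  path: /var/lib/neutron
                  state: directory
                  setype: svirt_sandbox_file_t
        upgrade_tasks: []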
  347. - - name: create /var/lib/neutron
  348. file:
  349. path: /var/lib/neutron
  350. state: directory
  351. setype: svirt_sandbox_file_t
  352. upgrade_tasks: []