openstack
/
tripleo-heat-templates
Code Issues Proposed changes
Heat templates for deploying OpenStack
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
13487 Commits
3 Branches
24 Tags
312 MiB
 
 
 
Tree: 38a35afcf2
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '38a35afcf2'
${ noResults }
tripleo-heat-templates/deployment/ovn/ovn-controller-container-pu...

384 lines
14 KiB
Raw Blame History

heat_template_version: rocky
description: >
OpenStack containerized Ovn Controller agent.
parameters:
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ContainerOvnControllerImage:
description: image
type: string
ContainerOvnControllerConfigImage:
description: The container image to use for the ovn_controller config_volume
type: string
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
OVNSouthboundServerPort:
description: Port of the Southbound DB Server
type: number
default: 6642
NeutronBridgeMappings:
description: >
The OVS logical->physical bridge mappings to use. See the Neutron
documentation for details. Defaults to mapping br-ex - the external
bridge on hosts - to a physical name 'datacentre' which can be used
to create provider networks (and we use this for the default floating
network) - if changing this either use different post-install network
scripts or be sure to keep 'datacentre' as a mapping network name.
type: comma_delimited_list
default: "datacentre:br-ex"
tags:
- role_specific
EnableVLANTransparency:
default: false
description: >
If True, then allow plugins that support it to create VLAN
transparent networks.
type: boolean
OVNEncapType:
description: >
Type of encapsulation used in OVN. It can be "geneve" or "vxlan".
type: string
default: "geneve"
constraints:
- allowed_values: ["geneve", "vxlan"]
OVNIntegrationBridge:
description: >
Name of the OVS bridge to use as integration bridge by OVN Controller.
type: string
default: "br-int"
OVNMetadataEnabled:
description: Whether Metadata Service has to be enabled
type: boolean
default: true
OVNAvailabilityZone:
description: The az options to configure in ovs db.
eg. ['az-0', 'az-1', 'az-2']
type: comma_delimited_list
default: []
tags:
- role_specific
OVNCMSOptions:
description: The CMS options to configure in ovs db
type: string
default: ""
tags:
- role_specific
OvsHwOffload:
default: false
description: |
Enable OVS Hardware Offload. This feature supported from OVS 2.8.0
type: boolean
tags:
- role_specific
OVNRemoteProbeInterval:
description: Probe interval in ms
type: number
default: 60000
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
OVNOpenflowProbeInterval:
description: >
The inactivity probe interval of the OpenFlow connection to the
OpenvSwitch integration bridge, in seconds.
type: number
default: 60
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
ContainerOvnCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
force_config_drive: {equals: [{get_param: OVNMetadataEnabled}, false]}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: ContainerOvnCertificateKeySize}, '']}
enable_vlan_transparency: {equals: [{get_param: EnableVLANTransparency}, true]}
az_ovn_unset: {equals: [{get_param: OVNAvailabilityZone}, []]}
resources:
ContainersCommon:
type: ../containers-common.yaml
# Merging role-specific parameters (RoleParameters) with the default parameters.
# RoleParameters will have the precedence over the default parameters.
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- ovn::controller::ovn_bridge_mappings: NeutronBridgeMappings
ovn::controller::enable_hw_offload: OvsHwOffload
ovn::controller::ovn_cms_options:
if:
- az_ovn_unset
- OVNCMSOptions
- list_join:
- ''
- - OVNCMSOptions
- ",availability-zones="
- {get_param: OVNAvailabilityZone}
- values: {get_param: [RoleParameters]}
- values:
NeutronBridgeMappings: {get_param: NeutronBridgeMappings}
OVNCMSOptions: {get_param: OVNCMSOptions}
OvsHwOffload: {get_param: OvsHwOffload}
outputs:
role_data:
description: Role data for the Ovn Controller agent.
value:
service_name: ovn_controller
firewall_rules:
'118 neutron vxlan networks':
proto: 'udp'
dport: 4789
'119 neutron geneve networks':
proto: 'udp'
dport: 6081
'120 neutron geneve networks no conntrack':
proto: 'udp'
dport: 6081
table: 'raw'
chain: 'OUTPUT'
jump: 'NOTRACK'
action: 'append'
state: []
'121 neutron geneve networks no conntrack':
proto: 'udp'
dport: 6081
table: 'raw'
chain: 'PREROUTING'
jump: 'NOTRACK'
action: 'append'
state: []
config_settings:
map_merge:
- get_attr: [RoleParametersValue, value]
- ovn::southbound::port: {get_param: OVNSouthboundServerPort}
ovn::controller::ovn_encap_ip:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
ovn::controller::ovn_encap_type: {get_param: OVNEncapType}
ovn::controller::ovn_bridge: {get_param: OVNIntegrationBridge}
ovn::controller::hostname: "%{hiera('fqdn_canonical')}"
ovn::controller::ovn_remote_probe_interval: {get_param: OVNRemoteProbeInterval}
ovn::controller::ovn_openflow_probe_interval: {get_param: OVNOpenflowProbeInterval}
ovn::controller::ovn_monitor_all: true
- if:
- force_config_drive
- nova::compute::force_config_drive: true
- {}
-
if:
- internal_tls_enabled
- generate_service_certificates: true
tripleo::profile::base::neutron::agents::ovn::protocol: 'ssl'
ovn_controller_certificate_specs:
service_certificate: '/etc/pki/tls/certs/ovn_controller.crt'
service_key: '/etc/pki/tls/private/ovn_controller.key'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_controller/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: ContainerOvnCertificateKeySize}
- {}
-
if:
- enable_vlan_transparency
- vswitch::ovs::vlan_limit: 0
- {}
service_config_settings: {}
# BEGIN DOCKER SETTINGS
puppet_config:
puppet_tags: vs_config,exec
config_volume: ovn_controller
step_config: |
include tripleo::profile::base::neutron::agents::ovn
config_image: {get_param: ContainerOvnControllerConfigImage}
# We need to mount /run for puppet_config step. This is because
# puppet-vswitch runs the commands "ovs-vsctl set open_vswitch . external_ids:..."
# to configure the required parameters in ovs db which will be read
# by ovn-controller. And ovs-vsctl talks to the ovsdb-server (hosting conf.db)
# on the unix domain socket - /run/openvswitch/db.sock
volumes:
- /lib/modules:/lib/modules:ro
- /run/openvswitch:/run/openvswitch:shared,z
# Needed for creating module load files
- /etc/sysconfig/modules:/etc/sysconfig/modules
kolla_config:
/var/lib/kolla/config_files/ovn_controller.json:
command:
list_join:
- ' '
- - /usr/bin/ovn-controller --pidfile --log-file unix:/run/openvswitch/db.sock
- if:
- internal_tls_enabled
- list_join:
- ' '
- - -p /etc/pki/tls/private/ovn_controller.key -c /etc/pki/tls/certs/ovn_controller.crt -C
- {get_param: InternalTLSCAFile}
- ''
permissions:
- path: /var/log/openvswitch
owner: root:root
recurse: true
- path: /var/log/ovn
owner: root:root
recurse: true
metadata_settings:
if:
- internal_tls_enabled
- - service: ovn_controller
network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
type: node
- null
docker_config:
step_4:
configure_cms_options:
start_order: 0
detach: false
net: host
privileged: true
user: root
command: ['/bin/bash', '-c', 'CMS_OPTS=$(hiera ovn::controller::ovn_cms_options -c /etc/puppet/hiera.yaml); if [ X"$CMS_OPTS" != X ]; then ovs-vsctl set open . external_ids:ovn-cms-options=$CMS_OPTS;else ovs-vsctl remove open . external_ids ovn-cms-options; fi']
image: &ovn_controller_image {get_param: ContainerOvnControllerImage}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /lib/modules:/lib/modules:ro
- /run/openvswitch:/run/openvswitch:shared,z
environment:
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
ovn_controller:
start_order: 1
image: *ovn_controller_image
net: host
privileged: true
user: root
restart: always
depends_on:
- openvswitch.service
healthcheck:
test:
list_join:
- ' '
- - '/openstack/healthcheck'
- yaql:
expression: str($.data.port)
data:
port: {get_param: OVNSouthboundServerPort}
volumes:
list_concat:
-
- /var/lib/kolla/config_files/ovn_controller.json:/var/lib/kolla/config_files/config.json:ro
- /lib/modules:/lib/modules:ro
# TODO(numans): This is temporary. Mount /run/openvswitch once
# openvswitch systemd script is fixed to not delete /run/openvswitch
# folder in the host when openvswitch service is stopped.
- /run:/run
- /var/lib/openvswitch/ovn:/run/ovn:shared,z
- /var/log/containers/openvswitch:/var/log/openvswitch:z
- /var/log/containers/openvswitch:/var/log/ovn:z
- if:
- internal_tls_enabled
-
- list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro'
- /etc/pki/tls/certs/ovn_controller.crt:/etc/pki/tls/certs/ovn_controller.crt
- /etc/pki/tls/private/ovn_controller.key:/etc/pki/tls/private/ovn_controller.key
- null
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode|default(omit) }}"
with_items:
- { 'path': /var/log/containers/openvswitch, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/openvswitch/ovn, 'setype': container_file_t }
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
- name: Copy in cleanup script
copy:
content: {get_file: ../neutron/neutron-cleanup}
dest: '/usr/libexec/neutron-cleanup'
force: yes
mode: '0755'
- name: Copy in cleanup service
copy:
content: {get_file: ../neutron/neutron-cleanup.service}
dest: '/usr/lib/systemd/system/neutron-cleanup.service'
force: yes
- name: Enabling the cleanup service
service:
name: neutron-cleanup
enabled: yes
upgrade_tasks: []