openstack/tripleo-heat-templates
Code Issues Proposed changes
3e983806e0
tripleo-heat-templates/deployment/frr/frr-container-ansible.yaml

474 lines
19 KiB
YAML
Raw Blame History

heat_template_version: wallaby
description: >
Configures FRR on the host
parameters:
ContainerFrrImage:
description: The container image for Frr
type: string
tags:
- role_specific
ContainerOvnBgpAgentImage:
description: The container image for the BGP Agent
type: string
tags:
- role_specific
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
OvnBgpAgentCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
FrrBfdEnabled:
default: false
description: Enable Bidirectional Forwarding Detection
type: boolean
FrrBgpEnabled:
default: true
description: Enable BGP
type: boolean
FrrBgpAsn:
default: 65000
description: Default ASN to be used within FRR
type: number
FrrBgpIpv4Enabled:
default: true
description: Enable BGP advertisement of IPv4 routes
type: boolean
FrrBgpIpv4AllowASIn:
default: false
description: Allow for IPv4 routes to be received and processed even if the
router detects its own ASN in the AS-Path.
type: boolean
FrrBgpIpv4SrcNetwork:
default: ctlplane
description: The name of the Neutron network from where the IP address of
the node will be taken and set as source IPv4 address on the
default route.
type: string
FrrBgpIpv6Enabled:
default: true
description: Enable BGP advertisement of IPv6 routes
type: boolean
FrrBgpIpv6AllowASIn:
default: false
description: Allow for IPv6 routes to be received and processed even if the
router detects its own ASN in the AS-Path.
type: boolean
FrrBgpIpv6SrcNetwork:
default: ctlplane
description: The name of the Neutron network from where the IP address of
the node will be taken and set as source IPv6 address on the
default route.
type: string
FrrBgpUplinks:
default: ['nic1', 'nic2']
description: List of uplink network interfaces.
type: comma_delimited_list
FrrBgpUplinksScope:
default: 'internal'
type: string
description: Either peer with internal (iBGP) or external (eBGP) neighbors.
constraints:
- allowed_values: ['internal', 'external']
FrrLoggingSource:
type: json
default:
tag: system.frr
file: /var/log/containers/frr/frr.log
FrrLogLevel:
default: 'informational'
type: string
description: log level
constraints:
- allowed_values: ['emergencies', 'alerts', 'critical', 'errors',
'warnings', 'notifications', 'informational',
'debugging']
FrrZebraEnabled:
default: true
description: enable Zebra
type: boolean
FrrPacemakerVipNic:
default: 'lo'
description: Name of the nic that the pacemaker VIPs will be added to when
running with FRR.
type: string
FrrBgpNeighborTtlSecurityHops:
default: 1
description: Enforce Generalized TTL Security Mechanism (GTSM) where only
neighbors that are the specified number of hops away will be
allowed to become neighbors. Setting value to zero or less
will disable GTSM.
type: number
FrrBgpL2VpnEnabled:
type: boolean
default: false
description: Enable BGP L2VPN EVPN address family.
FrrBgpL2VpnEbgpMultihop:
type: number
default: 0
description: >
Allows sessions with eBGP neighbors to establish when they are multiple
hops away. Value 0 disables multi-hop eBGP peering.
FrrBgpL2VpnUplinkActivate:
type: boolean
default: true
description: >
Enable the list of uplink network interfaces defined in FrrBgpUplinks.
FrrBgpL2VpnPeers:
default: []
description: List of EVPN neighbor peers.
type: comma_delimited_list
FrrBgpL2vpnPeersScope:
default: 'external'
type: string
description: Either peer with internal (iBGP) or external (eBGP) neighbors.
constraints:
- allowed_values: ['internal', 'external']
FrrOvnBgpAgentDriver:
description: >
Configures how VM IPs are advertised via BGP. EVPN driver exposes VM IPs
on provider networks and FIPs associated to VMs on tenant networks via
MP-BGP IPv4 and IPv6 unicast. BGP driver exposes VM IPs on the tenant
networks via MP-BGP EVPN VXLAN.
type: string
default: 'ovn_evpn_driver'
constraints:
- allowed_values: [ 'ovn_bgp_driver', 'ovn_evpn_driver' ]
tags:
- role_specific
FrrOvnBgpAgentExposeTenantNetworks:
description: >
Exposes VM IPs on tenant networks via MP-BGP IPv4 and IPv6 unicast.
Requires the BGP driver (see THT parameter FrrOvnBgpAgentDriver).
type: boolean
default: false
tags:
- role_specific
FrrOvnBgpAgentAsn:
default: 64999
description: >
Autonomous System Number to be used by the agent when running in BGP
mode.
type: number
tags:
- role_specific
FrrOvnBgpAgentOvsdbConnection:
default: 'tcp:127.0.0.1:6640'
description: >
The connection string for the native OVSDB backend. Use tcp:IP:PORT
for TCP connection.
type: string
tags:
- role_specific
FrrOvnBgpAgentReconcileInterval:
default: 120
description: >
Defines how frequently to reconcile the status, to ensure only the
right IPs are exposed on the right locations.
type: number
tags:
- role_specific
conditions:
key_size_override_set:
not: {equals: [{get_param: OvnBgpAgentCertificateKeySize}, '']}
resources:
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- ContainerFrrImage: ContainerFrrImage
ContainerOvnBgpAgentImage: ContainerOvnBgpAgentImage
ovn_bgp_agent_driver: FrrOvnBgpAgentDriver
ovn_bgp_agent_expose_tenant_networks: FrrOvnBgpAgentExposeTenantNetworks
ovn_bgp_agent_bgp_as: FrrOvnBgpAgentAsn
ovn_bgp_agent_ovsdb_connection: FrrOvnBgpAgentOvsdbConnection
ovn_bgp_agent_reconcile_interval: FrrOvnBgpAgentReconcileInterval
- values: {get_param: [RoleParameters]}
- values:
ContainerFrrImage: {get_param: ContainerFrrImage}
ContainerOvnBgpAgentImage: {get_param: ContainerOvnBgpAgentImage}
FrrOvnBgpAgentDriver: {get_param: FrrOvnBgpAgentDriver}
FrrOvnBgpAgentExposeTenantNetworks: {get_param: FrrOvnBgpAgentExposeTenantNetworks}
FrrOvnBgpAgentAsn: {get_param: FrrOvnBgpAgentAsn}
FrrOvnBgpAgentOvsdbConnection: {get_param: FrrOvnBgpAgentOvsdbConnection}
FrrOvnBgpAgentReconcileInterval: {get_param: FrrOvnBgpAgentReconcileInterval}
outputs:
role_data:
description: Role data for the FRR and OVN BGP Agent services
value:
service_name: frr
config_settings:
tripleo::pacemaker::force_nic: {get_param: FrrPacemakerVipNic}
service_config_settings:
rsyslog:
tripleo_logging_sources_frr:
- {get_param: FrrLoggingSource}
firewall_rules:
'156 bgp tcp':
if:
- {get_param: FrrBgpEnabled}
- proto: 'tcp'
dport: 179
'156 bfd udp':
if:
- {get_param: FrrBfdEnabled}
- proto: 'udp'
dport:
- 3784
- 3785
kolla_config:
/var/lib/kolla/config_files/frr.json:
# Note: We can drop /usr/libexec/frr/frrinit.sh once we stop supporting/using frr 7.x
# Note: This is currently needed because watchfrr *always* demonizes
command: bash -c $* -- eval if [ -f /usr/libexec/frr/frrinit.sh ]; then /usr/libexec/frr/frrinit.sh start; else /usr/lib/frr/frr start; fi && exec /bin/sleep infinity
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /etc/frr
owner: frr:frr
recurse: true
- path: /var/log/frr
owner: frr:frr
recurse: true
- path: /run/frr
owner: frr:frrvty
recurse: true
/var/lib/kolla/config_files/ovn_bgp_agent.json:
command: /usr/bin/ovn-bgp-agent --config-dir /etc/ovn-bgp-agent
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /etc/ovn-bgp-agent
owner: ovn-bgp:ovn-bgp
recurse: true
- path: /var/log/ovn-bgp-agent
owner: ovn-bgp:ovn-bgp
recurse: true
- path: /etc/pki/tls/certs/ovn_bgp_agent.crt
owner: ovn-bgp:ovn-bgp
optional: true
perm: '0644'
- path: /etc/pki/tls/private/ovn_bgp_agent.key
owner: ovn-bgp:ovn-bgp
optional: true
perm: '0640'
metadata_settings:
if:
- {get_param: EnableInternalTLS}
- - service: ovn_bgp_agent
network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
type: node
docker_config:
# NOTE: Create container-startup-config file in step 0 so that TripleO
# does not auto-start the FRR container (it does so for containers in
# step 1-5). FRR will be started in the pre_deploy_step_tasks
step_0:
frr:
start_order: 0
image: {get_attr: [RoleParametersValue, value, ContainerFrrImage]}
net: host
restart: always
healthcheck:
test: /openstack/healthcheck
cap_add:
- NET_BIND_SERVICE
- NET_RAW
- NET_ADMIN
- SYS_ADMIN
# We cannot bind mount the InternalTLSCAFile as freeipa might not
# be reachable without frr
volumes:
- /etc/hosts:/etc/hosts:ro
- /etc/localtime:/etc/localtime:ro
- /dev/log:/dev/log
# OpenSSL trusted CAs
- /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro
- /etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro
- /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro
- /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro
- /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro
- /var/lib/kolla/config_files/frr.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/ansible-generated/frr:/var/lib/kolla/config_files/src:ro
- /var/log/containers/frr:/var/log/frr:z
- /run/frr:/run/frr:shared,z
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
step_5:
ovn_bgp_agent:
start_order: 0
image: {get_attr: [RoleParametersValue, value, ContainerOvnBgpAgentImage]}
net: host
pid: host
cgroupns: host
restart: always
privileged: true
healthcheck:
test: /openstack/healthcheck
# We cannot bind mount the InternalTLSCAFile as freeipa might not
# be reachable without frr
volumes:
list_concat:
-
- /etc/hosts:/etc/hosts:ro
- /etc/localtime:/etc/localtime:ro
- /dev/log:/dev/log
- /etc/iproute2:/etc/iproute2
# OpenSSL trusted CAs
- /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro
- /etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro
- /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro
- /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro
- /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro
- /var/lib/kolla/config_files/ovn_bgp_agent.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/ansible-generated/ovn-bgp-agent:/var/lib/kolla/config_files/src:ro
- /run/frr:/run/frr:shared,z
- /run/openvswitch:/run/openvswitch:shared,z
- if:
- {get_param: EnableInternalTLS}
-
- list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro'
- /etc/pki/tls/certs/ovn_bgp_agent.crt:/etc/pki/tls/certs/ovn_bgp_agent.crt
- /etc/pki/tls/private/ovn_bgp_agent.key:/etc/pki/tls/private/ovn_bgp_agent.key
- null
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
deploy_steps_tasks:
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ovn_bgp_agent
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_bgp_agent/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_set
- {get_param: OvnBgpAgentCertificateKeySize}
- {get_param: CertificateKeySize}
ca: ipa
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode }}"
with_items:
- { 'path': /var/log/containers/frr, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/config-data/ansible-generated/frr, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /run/frr, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/ovn-bgp-agent, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/config-data/ansible-generated/ovn-bgp-agent, 'setype': container_file_t, 'mode': '0750' }
- name: ensure /run/frr is present upon reboot
copy:
dest: /etc/tmpfiles.d/run-frr.conf
content: |
d /run/frr 0750 root root - -
pre_deploy_step_tasks:
- name: Configure FRR
import_role:
name: tripleo_frr
vars:
tripleo_frr_config_basedir: /var/lib/config-data/ansible-generated/frr
tripleo_frr_bfd: {get_param: FrrBfdEnabled}
tripleo_frr_bgp: {get_param: FrrBgpEnabled}
tripleo_frr_bgp_asn: {get_param: FrrBgpAsn}
tripleo_frr_bgp_ipv4: {get_param: FrrBgpIpv4Enabled}
tripleo_frr_bgp_ipv4_allowas_in: {get_param: FrrBgpIpv4AllowASIn}
tripleo_frr_bgp_ipv4_src_network: {get_param: FrrBgpIpv4SrcNetwork}
tripleo_frr_bgp_ipv6: {get_param: FrrBgpIpv6Enabled}
tripleo_frr_bgp_ipv6_allowas_in: {get_param: FrrBgpIpv6AllowASIn}
tripleo_frr_bgp_ipv6_src_network: {get_param: FrrBgpIpv6SrcNetwork}
tripleo_frr_bgp_neighbor_ttl_security_hops: {get_param: FrrBgpNeighborTtlSecurityHops}
tripleo_frr_bgp_uplinks: {get_param: FrrBgpUplinks}
tripleo_frr_bgp_uplinks_scope: {get_param: FrrBgpUplinksScope}
tripleo_frr_log_level: {get_param: FrrLogLevel}
tripleo_frr_zebra: {get_param: FrrZebraEnabled}
tripleo_frr_bgp_l2vpn: {get_param: FrrBgpL2VpnEnabled}
tripleo_frr_bgp_l2vpn_ebgp_multihop: {get_param: FrrBgpL2VpnEbgpMultihop}
tripleo_frr_bgp_l2vpn_uplink_activate: {get_param: FrrBgpL2VpnUplinkActivate}
tripleo_frr_bgp_l2vpn_peers: {get_param: FrrBgpL2VpnPeers}
tripleo_frr_bgp_l2vpn_peers_scope: {get_param: FrrBgpL2vpnPeersScope}
tripleo_frr_ovn_bgp_agent_internal_tls_enable: {get_param: EnableInternalTLS}
tripleo_frr_ovn_bgp_agent_driver: {get_attr: [RoleParametersValue, value, ovn_bgp_agent_driver]}
tripleo_frr_ovn_bgp_agent_expose_tenant_networks: {get_attr: [RoleParametersValue, value, ovn_bgp_agent_expose_tenant_networks]}
tripleo_frr_ovn_bgp_agent_bgp_as: {get_attr: [RoleParametersValue, value, ovn_bgp_agent_bgp_as]}
tripleo_frr_ovn_bgp_agent_ovsdb_connection: {get_attr: [RoleParametersValue, value, ovn_bgp_agent_ovsdb_connection]}
tripleo_frr_ovn_bgp_agent_reconcile_interval: {get_attr: [RoleParametersValue, value, ovn_bgp_agent_reconcile_interval]}
tripleo_frr_ovn_bgp_agent_ca_cert: {get_param: InternalTLSCAFile}
- name: Start FRR
include_role:
name: tripleo_container_manage
vars:
tripleo_container_manage_config: "/var/lib/tripleo-config/container-startup-config/step_0"
tripleo_container_manage_config_id: "frr"
tripleo_container_manage_config_patterns: "frr.json"
tripleo_container_manage_clean_orphans: false
update_tasks: []
upgrade_tasks: []
View Git Blame Copy Permalink