b4cec5b729
Since OVN 2.13 it is possible to use vxlan encapsulation in the OVN
tunnel networks.
To do that, it has to be set in the external_ids:ovn-encap-type. There
is support for that in the puppet-ovn module already.
This patch adds missing TripleO-heat-template variable.
Related-bz: #1881697
Change-Id: I54e617745e76f27a4c88156a9b1b17d0255ec837
(cherry picked from commit 1542df355b)
367 lines
14 KiB
YAML
367 lines
14 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack containerized Ovn Controller agent.
|
|
|
|
parameters:
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ContainerOvnControllerImage:
|
|
description: image
|
|
type: string
|
|
ContainerOvnControllerConfigImage:
|
|
description: The container image to use for the ovn_controller config_volume
|
|
type: string
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
DeployIdentifier:
|
|
default: ''
|
|
type: string
|
|
description: >
|
|
Setting this to a unique value will re-run any deployment tasks which
|
|
perform configuration on a Heat stack-update.
|
|
OVNSouthboundServerPort:
|
|
description: Port of the Southbound DB Server
|
|
type: number
|
|
default: 6642
|
|
NeutronBridgeMappings:
|
|
description: >
|
|
The OVS logical->physical bridge mappings to use. See the Neutron
|
|
documentation for details. Defaults to mapping br-ex - the external
|
|
bridge on hosts - to a physical name 'datacentre' which can be used
|
|
to create provider networks (and we use this for the default floating
|
|
network) - if changing this either use different post-install network
|
|
scripts or be sure to keep 'datacentre' as a mapping network name.
|
|
type: comma_delimited_list
|
|
default: "datacentre:br-ex"
|
|
tags:
|
|
- role_specific
|
|
EnableVLANTransparency:
|
|
default: false
|
|
description: >
|
|
If True, then allow plugins that support it to create VLAN
|
|
transparent networks.
|
|
type: boolean
|
|
OVNEncapType:
|
|
description: >
|
|
Type of encapsulation used in OVN. It can be "geneve" or "vxlan".
|
|
type: string
|
|
default: "geneve"
|
|
constraints:
|
|
- allowed_values: ["geneve", "vxlan"]
|
|
OVNIntegrationBridge:
|
|
description: >
|
|
Name of the OVS bridge to use as integration bridge by OVN Controller.
|
|
type: string
|
|
default: "br-int"
|
|
OVNMetadataEnabled:
|
|
description: Whether Metadata Service has to be enabled
|
|
type: boolean
|
|
default: true
|
|
OVNCMSOptions:
|
|
description: The CMS options to configure in ovs db
|
|
type: string
|
|
default: ""
|
|
tags:
|
|
- role_specific
|
|
OvsHwOffload:
|
|
default: false
|
|
description: |
|
|
Enable OVS Hardware Offload. This feature supported from OVS 2.8.0
|
|
type: boolean
|
|
tags:
|
|
- role_specific
|
|
OVNRemoteProbeInterval:
|
|
description: Probe interval in ms
|
|
type: number
|
|
default: 60000
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
OVNOpenflowProbeInterval:
|
|
description: >
|
|
The inactivity probe interval of the OpenFlow connection to the
|
|
OpenvSwitch integration bridge, in seconds.
|
|
type: number
|
|
default: 60
|
|
CertificateKeySize:
|
|
type: string
|
|
default: '2048'
|
|
description: Specifies the private key size used when creating the
|
|
certificate.
|
|
ContainerOvnCertificateKeySize:
|
|
type: string
|
|
default: ''
|
|
description: Override the private key size used when creating the
|
|
certificate for this service
|
|
|
|
conditions:
|
|
force_config_drive: {equals: [{get_param: OVNMetadataEnabled}, false]}
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
key_size_override_unset: {equals: [{get_param: ContainerOvnCertificateKeySize}, '']}
|
|
enable_vlan_transparency: {equals: [{get_param: EnableVLANTransparency}, true]}
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
# Merging role-specific parameters (RoleParameters) with the default parameters.
|
|
# RoleParameters will have the precedence over the default parameters.
|
|
RoleParametersValue:
|
|
type: OS::Heat::Value
|
|
properties:
|
|
type: json
|
|
value:
|
|
map_replace:
|
|
- map_replace:
|
|
- ovn::controller::ovn_bridge_mappings: NeutronBridgeMappings
|
|
ovn::controller::ovn_cms_options: OVNCMSOptions
|
|
ovn::controller::enable_hw_offload: OvsHwOffload
|
|
- values: {get_param: [RoleParameters]}
|
|
- values:
|
|
NeutronBridgeMappings: {get_param: NeutronBridgeMappings}
|
|
OVNCMSOptions: {get_param: OVNCMSOptions}
|
|
OvsHwOffload: {get_param: OvsHwOffload}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Ovn Controller agent.
|
|
value:
|
|
service_name: ovn_controller
|
|
firewall_rules:
|
|
'118 neutron vxlan networks':
|
|
proto: 'udp'
|
|
dport: 4789
|
|
'119 neutron geneve networks':
|
|
proto: 'udp'
|
|
dport: 6081
|
|
'120 neutron geneve networks no conntrack':
|
|
proto: 'udp'
|
|
dport: 6081
|
|
table: 'raw'
|
|
chain: 'OUTPUT'
|
|
jump: 'NOTRACK'
|
|
action: 'append'
|
|
state: []
|
|
'121 neutron geneve networks no conntrack':
|
|
proto: 'udp'
|
|
dport: 6081
|
|
table: 'raw'
|
|
chain: 'PREROUTING'
|
|
jump: 'NOTRACK'
|
|
action: 'append'
|
|
state: []
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [RoleParametersValue, value]
|
|
- ovn::southbound::port: {get_param: OVNSouthboundServerPort}
|
|
ovn::controller::ovn_encap_ip:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
|
|
ovn::controller::ovn_encap_type: {get_param: OVNEncapType}
|
|
ovn::controller::ovn_bridge: {get_param: OVNIntegrationBridge}
|
|
ovn::controller::hostname: "%{hiera('fqdn_canonical')}"
|
|
ovn::controller::ovn_remote_probe_interval: {get_param: OVNRemoteProbeInterval}
|
|
ovn::controller::ovn_openflow_probe_interval: {get_param: OVNOpenflowProbeInterval}
|
|
- if:
|
|
- force_config_drive
|
|
- nova::compute::force_config_drive: true
|
|
- {}
|
|
-
|
|
if:
|
|
- internal_tls_enabled
|
|
- generate_service_certificates: true
|
|
tripleo::profile::base::neutron::agents::ovn::protocol: 'ssl'
|
|
ovn_controller_certificate_specs:
|
|
service_certificate: '/etc/pki/tls/certs/ovn_controller.crt'
|
|
service_key: '/etc/pki/tls/private/ovn_controller.key'
|
|
hostname:
|
|
str_replace:
|
|
template: "%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
|
principal:
|
|
str_replace:
|
|
template: "ovn_controller/%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
|
key_size:
|
|
if:
|
|
- key_size_override_unset
|
|
- {get_param: CertificateKeySize}
|
|
- {get_param: ContainerOvnCertificateKeySize}
|
|
- {}
|
|
-
|
|
if:
|
|
- enable_vlan_transparency
|
|
- vswitch::ovs::vlan_limit: 0
|
|
- {}
|
|
service_config_settings: {}
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
puppet_tags: vs_config,exec
|
|
config_volume: ovn_controller
|
|
step_config: |
|
|
include tripleo::profile::base::neutron::agents::ovn
|
|
config_image: {get_param: ContainerOvnControllerConfigImage}
|
|
# We need to mount /run for puppet_config step. This is because
|
|
# puppet-vswitch runs the commands "ovs-vsctl set open_vswitch . external_ids:..."
|
|
# to configure the required parameters in ovs db which will be read
|
|
# by ovn-controller. And ovs-vsctl talks to the ovsdb-server (hosting conf.db)
|
|
# on the unix domain socket - /run/openvswitch/db.sock
|
|
volumes:
|
|
- /lib/modules:/lib/modules:ro
|
|
- /run/openvswitch:/run/openvswitch:shared,z
|
|
# Needed for creating module load files
|
|
- /etc/sysconfig/modules:/etc/sysconfig/modules
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/ovn_controller.json:
|
|
command:
|
|
list_join:
|
|
- ' '
|
|
- - /usr/bin/ovn-controller --pidfile --log-file unix:/run/openvswitch/db.sock
|
|
- if:
|
|
- internal_tls_enabled
|
|
- list_join:
|
|
- ' '
|
|
- - -p /etc/pki/tls/private/ovn_controller.key -c /etc/pki/tls/certs/ovn_controller.crt -C
|
|
- {get_param: InternalTLSCAFile}
|
|
- ''
|
|
permissions:
|
|
- path: /var/log/openvswitch
|
|
owner: root:root
|
|
recurse: true
|
|
- path: /var/log/ovn
|
|
owner: root:root
|
|
recurse: true
|
|
metadata_settings:
|
|
if:
|
|
- internal_tls_enabled
|
|
- - service: ovn_controller
|
|
network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
|
type: node
|
|
- null
|
|
docker_config:
|
|
step_4:
|
|
configure_cms_options:
|
|
start_order: 0
|
|
detach: false
|
|
net: host
|
|
privileged: true
|
|
user: root
|
|
command: ['/bin/bash', '-c', 'CMS_OPTS=$(hiera ovn::controller::ovn_cms_options -c /etc/puppet/hiera.yaml); if [ X"$CMS_OPTS" != X ]; then ovs-vsctl set open . external_ids:ovn-cms-options=$CMS_OPTS;else ovs-vsctl remove open . external_ids ovn-cms-options; fi']
|
|
image: &ovn_controller_image {get_param: ContainerOvnControllerImage}
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /lib/modules:/lib/modules:ro
|
|
- /run/openvswitch:/run/openvswitch:shared,z
|
|
environment:
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
ovn_controller:
|
|
start_order: 1
|
|
image: *ovn_controller_image
|
|
net: host
|
|
privileged: true
|
|
user: root
|
|
restart: always
|
|
depends_on:
|
|
- openvswitch.service
|
|
healthcheck:
|
|
test:
|
|
list_join:
|
|
- ' '
|
|
- - '/openstack/healthcheck'
|
|
- yaql:
|
|
expression: str($.data.port)
|
|
data:
|
|
port: {get_param: OVNSouthboundServerPort}
|
|
volumes:
|
|
list_concat:
|
|
-
|
|
- /var/lib/kolla/config_files/ovn_controller.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /lib/modules:/lib/modules:ro
|
|
# TODO(numans): This is temporary. Mount /run/openvswitch once
|
|
# openvswitch systemd script is fixed to not delete /run/openvswitch
|
|
# folder in the host when openvswitch service is stopped.
|
|
- /run:/run
|
|
- /var/lib/openvswitch/ovn:/run/ovn:shared,z
|
|
- /var/log/containers/openvswitch:/var/log/openvswitch:z
|
|
- /var/log/containers/openvswitch:/var/log/ovn:z
|
|
- if:
|
|
- internal_tls_enabled
|
|
-
|
|
- list_join:
|
|
- ':'
|
|
- - {get_param: InternalTLSCAFile}
|
|
- {get_param: InternalTLSCAFile}
|
|
- 'ro'
|
|
- /etc/pki/tls/certs/ovn_controller.crt:/etc/pki/tls/certs/ovn_controller.crt
|
|
- /etc/pki/tls/private/ovn_controller.key:/etc/pki/tls/private/ovn_controller.key
|
|
- null
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
host_prep_tasks:
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
mode: "{{ item.mode|default(omit) }}"
|
|
with_items:
|
|
- { 'path': /var/log/containers/openvswitch, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /var/lib/openvswitch/ovn, 'setype': container_file_t }
|
|
- name: enable virt_sandbox_use_netlink for healthcheck
|
|
seboolean:
|
|
name: virt_sandbox_use_netlink
|
|
persistent: yes
|
|
state: yes
|
|
- name: Copy in cleanup script
|
|
copy:
|
|
content: {get_file: ../neutron/neutron-cleanup}
|
|
dest: '/usr/libexec/neutron-cleanup'
|
|
force: yes
|
|
mode: '0755'
|
|
- name: Copy in cleanup service
|
|
copy:
|
|
content: {get_file: ../neutron/neutron-cleanup.service}
|
|
dest: '/usr/lib/systemd/system/neutron-cleanup.service'
|
|
force: yes
|
|
- name: Enabling the cleanup service
|
|
service:
|
|
name: neutron-cleanup
|
|
enabled: yes
|
|
upgrade_tasks: []
|