21c50b2e6a
The ovn-bgp-agent user was moved from neutron to ovn-bgp at [1]. Changing the permissions in the tht side to avoid: KeyError: "getpwnam(): name not found: 'neutron'" [1] https://review.opendev.org/c/openstack/tripleo-common/+/833604 Change-Id: I62950490bafa50f372c6a1f22b8e8a88301310c4
458 lines
18 KiB
YAML
458 lines
18 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
Configures FRR on the host
|
|
|
|
parameters:
|
|
ContainerFrrImage:
|
|
description: The container image for Frr
|
|
type: string
|
|
tags:
|
|
- role_specific
|
|
ContainerOvnBgpAgentImage:
|
|
description: The container image for the BGP Agent
|
|
type: string
|
|
tags:
|
|
- role_specific
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
CertificateKeySize:
|
|
type: string
|
|
default: '2048'
|
|
description: Specifies the private key size used when creating the
|
|
certificate.
|
|
OvnBgpAgentCertificateKeySize:
|
|
type: string
|
|
default: ''
|
|
description: Override the private key size used when creating the
|
|
certificate for this service
|
|
FrrBfdEnabled:
|
|
default: false
|
|
description: Enable Bidirectional Forwarding Detection
|
|
type: boolean
|
|
FrrBgpEnabled:
|
|
default: true
|
|
description: Enable BGP
|
|
type: boolean
|
|
FrrBgpAsn:
|
|
default: 65000
|
|
description: Default ASN to be used within FRR
|
|
type: number
|
|
FrrBgpIpv4Enabled:
|
|
default: true
|
|
description: Enable BGP advertisement of IPv4 routes
|
|
type: boolean
|
|
FrrBgpIpv4AllowASIn:
|
|
default: false
|
|
description: Allow for IPv4 routes to be received and processed even if the
|
|
router detects its own ASN in the AS-Path.
|
|
type: boolean
|
|
FrrBgpIpv4SrcNetwork:
|
|
default: ctlplane
|
|
description: The name of the Neutron network from where the IP address of
|
|
the node will be taken and set as source IPv4 address on the
|
|
default route.
|
|
type: string
|
|
FrrBgpIpv6Enabled:
|
|
default: true
|
|
description: Enable BGP advertisement of IPv6 routes
|
|
type: boolean
|
|
FrrBgpIpv6AllowASIn:
|
|
default: false
|
|
description: Allow for IPv6 routes to be received and processed even if the
|
|
router detects its own ASN in the AS-Path.
|
|
type: boolean
|
|
FrrBgpIpv6SrcNetwork:
|
|
default: ctlplane
|
|
description: The name of the Neutron network from where the IP address of
|
|
the node will be taken and set as source IPv6 address on the
|
|
default route.
|
|
type: string
|
|
FrrBgpUplinks:
|
|
default: ['nic1', 'nic2']
|
|
description: List of uplink network interfaces.
|
|
type: comma_delimited_list
|
|
FrrBgpUplinksScope:
|
|
default: 'internal'
|
|
type: string
|
|
description: Either peer with internal (iBGP) or external (eBGP) neighbors.
|
|
constraints:
|
|
- allowed_values: ['internal', 'external']
|
|
FrrLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: system.frr
|
|
file: /var/log/containers/frr/frr.log
|
|
FrrLogLevel:
|
|
default: 'informational'
|
|
type: string
|
|
description: log level
|
|
constraints:
|
|
- allowed_values: ['emergencies', 'alerts', 'critical', 'errors',
|
|
'warnings', 'notifications', 'informational',
|
|
'debugging']
|
|
FrrZebraEnabled:
|
|
default: true
|
|
description: enable Zebra
|
|
type: boolean
|
|
FrrPacemakerVipNic:
|
|
default: 'lo'
|
|
description: Name of the nic that the pacemaker VIPs will be added to when
|
|
runninng with FRR.
|
|
type: string
|
|
FrrBgpNeighborTtlSecurityHops:
|
|
default: 1
|
|
description: Enforce Generalized TTL Security Mechanism (GTSM) where only
|
|
neighbors that are the specified number of hops away will be
|
|
allowed to become neighbors. Setting value to zero or less
|
|
will disable GTSM.
|
|
type: number
|
|
FrrBgpL2VpnEnabled:
|
|
type: boolean
|
|
default: false
|
|
description: Enable BGP L2VPN EVPN address family.
|
|
FrrBgpL2VpnEbgpMultihop:
|
|
type: number
|
|
default: 0
|
|
description: >
|
|
Allows sessions with eBGP neighbors to establish when they are multiple
|
|
hops away. Value 0 disables multi-hop eBGP peering.
|
|
FrrBgpL2VpnUplinkActivate:
|
|
type: boolean
|
|
default: true
|
|
description: >
|
|
Enable the list of uplink network interfaces defined in FrrBgpUplinks.
|
|
FrrBgpL2VpnPeers:
|
|
default: []
|
|
description: List of EVPN neighbor peers.
|
|
type: comma_delimited_list
|
|
FrrBgpL2vpnPeersScope:
|
|
default: 'external'
|
|
type: string
|
|
description: Either peer with internal (iBGP) or external (eBGP) neighbors.
|
|
constraints:
|
|
- allowed_values: ['internal', 'external']
|
|
NeutronBridgeMappings:
|
|
description: >
|
|
The OVS logical->physical bridge mappings to use. See the Neutron
|
|
documentation for details. Defaults to mapping br-ex - the external
|
|
bridge on hosts - to a physical name 'datacentre' which can be used
|
|
to create provider networks (and we use this for the default floating
|
|
network) - if changing this either use different post-install network
|
|
scripts or be sure to keep 'datacentre' as a mapping network name.
|
|
type: comma_delimited_list
|
|
default: "datacentre:br-ex"
|
|
tags:
|
|
- role_specific
|
|
FrrOvnBgpAgentDriver:
|
|
description: >
|
|
Configures how VM IPs are advertised via BGP. EVPN driver exposes VM IPs
|
|
on provider networks and FIPs associated to VMs on tenant networks via
|
|
MP-BGP IPv4 and IPv6 unicast. BGP driver exposes VM IPs on the tenant
|
|
networks via MP-BGP EVPN VXLAN.
|
|
type: string
|
|
default: 'ovn_evpn_driver'
|
|
constraints:
|
|
- allowed_values: [ 'ovn_bgp_driver', 'ovn_evpn_driver' ]
|
|
tags:
|
|
- role_specific
|
|
FrrOvnBgpAgentExposeTenantNetworks:
|
|
description: >
|
|
Exposes VM IPs on tenant networks via MP-BGP IPv4 and IPv6 unicast.
|
|
Requires the BGP driver (see THT parameter FrrOvnBgpAgentDriver).
|
|
type: boolean
|
|
default: false
|
|
FrrOvnBgpAgentAsn:
|
|
default: 64999
|
|
description: >
|
|
Autonomous System Number to be used by the agent when running in BGP
|
|
mode.
|
|
type: number
|
|
FrrOvnBgpAgentOvsdbConnection:
|
|
default: 'tcp:127.0.0.1:6640'
|
|
description: >
|
|
The connection string for the native OVSDB backend. Use tcp:IP:PORT
|
|
for TCP connection.
|
|
type: string
|
|
|
|
conditions:
|
|
key_size_override_set:
|
|
not: {equals: [{get_param: OvnBgpAgentCertificateKeySize}, '']}
|
|
|
|
resources:
|
|
RoleParametersValue:
|
|
type: OS::Heat::Value
|
|
properties:
|
|
type: json
|
|
value:
|
|
map_replace:
|
|
- map_replace:
|
|
- ContainerFrrImage: ContainerFrrImage
|
|
ContainerOvnBgpAgentImage: ContainerOvnBgpAgentImage
|
|
ovn_bgp_agent_driver: FrrOvnBgpAgentDriver
|
|
- values: {get_param: [RoleParameters]}
|
|
- values:
|
|
ContainerFrrImage: {get_param: ContainerFrrImage}
|
|
ContainerOvnBgpAgentImage: {get_param: ContainerOvnBgpAgentImage}
|
|
FrrOvnBgpAgentDriver: {get_param: FrrOvnBgpAgentDriver}
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the FRR and OVN BGP Agent services
|
|
value:
|
|
service_name: frr
|
|
config_settings:
|
|
tripleo::pacemaker::force_nic: {get_param: FrrPacemakerVipNic}
|
|
service_config_settings:
|
|
rsyslog:
|
|
tripleo_logging_sources_frr:
|
|
- {get_param: FrrLoggingSource}
|
|
firewall_rules:
|
|
'156 bgp tcp':
|
|
if:
|
|
- {get_param: FrrBgpEnabled}
|
|
- proto: 'tcp'
|
|
dport: 179
|
|
'156 bfd udp':
|
|
if:
|
|
- {get_param: FrrBfdEnabled}
|
|
- proto: 'udp'
|
|
dport:
|
|
- 3784
|
|
- 3785
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/frr.json:
|
|
# Note: We can drop /usr/libexec/frr/frrinit.sh once we stop supporting/using frr 7.x
|
|
# Note: This is currently needed because watchfrr *always* demonizes
|
|
command: bash -c $* -- eval if [ -f /usr/libexec/frr/frrinit.sh ]; then /usr/libexec/frr/frrinit.sh start; else /usr/lib/frr/frr start; fi && exec /bin/sleep infinity
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /etc/frr
|
|
owner: frr:frr
|
|
recurse: true
|
|
- path: /var/log/frr
|
|
owner: frr:frr
|
|
recurse: true
|
|
- path: /run/frr
|
|
owner: frr:frrvty
|
|
recurse: true
|
|
/var/lib/kolla/config_files/ovn_bgp_agent.json:
|
|
command: /usr/bin/ovn-bgp-agent --config-dir /etc/ovn-bgp-agent
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /etc/ovn-bgp-agent
|
|
owner: ovn-bgp:ovn-bgp
|
|
recurse: true
|
|
- path: /var/log/ovn-bgp-agent
|
|
owner: ovn-bgp:ovn-bgp
|
|
recurse: true
|
|
- path: /etc/pki/tls/certs/ovn_bgp_agent.crt
|
|
owner: ovn-bgp:ovn-bgp
|
|
optional: true
|
|
perm: '0644'
|
|
- path: /etc/pki/tls/private/ovn_bgp_agent.key
|
|
owner: ovn-bgp:ovn-bgp
|
|
optional: true
|
|
perm: '0640'
|
|
metadata_settings:
|
|
if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - service: ovn_bgp_agent
|
|
network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
|
type: node
|
|
docker_config:
|
|
# NOTE: Create container-startup-config file in step 0 so that TripleO
|
|
# does not auto-start the FRR container (it does so for containers in
|
|
# step 1-5). FRR will be started in the pre_deploy_step_tasks
|
|
step_0:
|
|
frr:
|
|
start_order: 0
|
|
image: {get_attr: [RoleParametersValue, value, ContainerFrrImage]}
|
|
net: host
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
cap_add:
|
|
- NET_BIND_SERVICE
|
|
- NET_RAW
|
|
- NET_ADMIN
|
|
- SYS_ADMIN
|
|
# We cannot bind mount the InternalTLSCAFile as freeipa might not
|
|
# be reachable without frr
|
|
volumes:
|
|
- /etc/hosts:/etc/hosts:ro
|
|
- /etc/localtime:/etc/localtime:ro
|
|
- /dev/log:/dev/log
|
|
# OpenSSL trusted CAs
|
|
- /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro
|
|
- /etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro
|
|
- /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro
|
|
- /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro
|
|
- /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro
|
|
- /var/lib/kolla/config_files/frr.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/ansible-generated/frr:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/frr:/var/log/frr:z
|
|
- /run/frr:/run/frr:shared,z
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
step_5:
|
|
ovn_bgp_agent:
|
|
start_order: 0
|
|
image: {get_attr: [RoleParametersValue, value, ContainerOvnBgpAgentImage]}
|
|
net: host
|
|
pid: host
|
|
cgroupns: host
|
|
restart: always
|
|
privileged: true
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
# We cannot bind mount the InternalTLSCAFile as freeipa might not
|
|
# be reachable without frr
|
|
volumes:
|
|
list_concat:
|
|
-
|
|
- /etc/hosts:/etc/hosts:ro
|
|
- /etc/localtime:/etc/localtime:ro
|
|
- /dev/log:/dev/log
|
|
- /etc/iproute2:/etc/iproute2
|
|
# OpenSSL trusted CAs
|
|
- /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro
|
|
- /etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro
|
|
- /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro
|
|
- /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro
|
|
- /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro
|
|
- /var/lib/kolla/config_files/ovn_bgp_agent.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/ansible-generated/ovn-bgp-agent:/var/lib/kolla/config_files/src:ro
|
|
- /run/frr:/run/frr:shared,z
|
|
- /run/openvswitch:/run/openvswitch:shared,z
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
-
|
|
- list_join:
|
|
- ':'
|
|
- - {get_param: InternalTLSCAFile}
|
|
- {get_param: InternalTLSCAFile}
|
|
- 'ro'
|
|
- /etc/pki/tls/certs/ovn_bgp_agent.crt:/etc/pki/tls/certs/ovn_bgp_agent.crt
|
|
- /etc/pki/tls/private/ovn_bgp_agent.key:/etc/pki/tls/private/ovn_bgp_agent.key
|
|
- null
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
deploy_steps_tasks:
|
|
- name: Certificate generation
|
|
when:
|
|
- step|int == 1
|
|
- enable_internal_tls
|
|
block:
|
|
- include_role:
|
|
name: linux-system-roles.certificate
|
|
vars:
|
|
certificate_requests:
|
|
- name: ovn_bgp_agent
|
|
dns:
|
|
str_replace:
|
|
template: "{{fqdn_$NETWORK}}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
|
principal:
|
|
str_replace:
|
|
template: "ovn_bgp_agent/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
|
key_size:
|
|
if:
|
|
- key_size_override_set
|
|
- {get_param: OvnBgpAgentCertificateKeySize}
|
|
- {get_param: CertificateKeySize}
|
|
ca: ipa
|
|
host_prep_tasks:
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
mode: "{{ item.mode }}"
|
|
with_items:
|
|
- { 'path': /var/log/containers/frr, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /var/lib/config-data/ansible-generated/frr, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /run/frr, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /var/log/containers/ovn-bgp-agent, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /var/lib/config-data/ansible-generated/ovn-bgp-agent, 'setype': container_file_t, 'mode': '0750' }
|
|
pre_deploy_step_tasks:
|
|
- name: Configure FRR
|
|
import_role:
|
|
name: tripleo_frr
|
|
vars:
|
|
tripleo_frr_config_basedir: /var/lib/config-data/ansible-generated/frr
|
|
tripleo_frr_bfd: {get_param: FrrBfdEnabled}
|
|
tripleo_frr_bgp: {get_param: FrrBgpEnabled}
|
|
tripleo_frr_bgp_asn: {get_param: FrrBgpAsn}
|
|
tripleo_frr_bgp_ipv4: {get_param: FrrBgpIpv4Enabled}
|
|
tripleo_frr_bgp_ipv4_allowas_in: {get_param: FrrBgpIpv4AllowASIn}
|
|
tripleo_frr_bgp_ipv4_src_network: {get_param: FrrBgpIpv4SrcNetwork}
|
|
tripleo_frr_bgp_ipv6: {get_param: FrrBgpIpv6Enabled}
|
|
tripleo_frr_bgp_ipv6_allowas_in: {get_param: FrrBgpIpv6AllowASIn}
|
|
tripleo_frr_bgp_ipv6_src_network: {get_param: FrrBgpIpv6SrcNetwork}
|
|
tripleo_frr_bgp_neighbor_ttl_security_hops: {get_param: FrrBgpNeighborTtlSecurityHops}
|
|
tripleo_frr_bgp_uplinks: {get_param: FrrBgpUplinks}
|
|
tripleo_frr_bgp_uplinks_scope: {get_param: FrrBgpUplinksScope}
|
|
tripleo_frr_log_level: {get_param: FrrLogLevel}
|
|
tripleo_frr_zebra: {get_param: FrrZebraEnabled}
|
|
tripleo_frr_bgp_l2vpn: {get_param: FrrBgpL2VpnEnabled}
|
|
tripleo_frr_bgp_l2vpn_ebgp_multihop: {get_param: FrrBgpL2VpnEbgpMultihop}
|
|
tripleo_frr_bgp_l2vpn_uplink_activate: {get_param: FrrBgpL2VpnUplinkActivate}
|
|
tripleo_frr_bgp_l2vpn_peers: {get_param: FrrBgpL2VpnPeers}
|
|
tripleo_frr_bgp_l2vpn_peers_scope: {get_param: FrrBgpL2vpnPeersScope}
|
|
tripleo_frr_ovn_bgp_agent_bridge_mappings: {get_param: NeutronBridgeMappings}
|
|
tripleo_frr_ovn_bgp_agent_internal_tls_enable: {get_param: EnableInternalTLS}
|
|
tripleo_frr_ovn_bgp_agent_driver: {get_attr: [RoleParametersValue, value, ovn_bgp_agent_driver]}
|
|
tripleo_frr_ovn_bgp_agent_expose_tenant_networks: {get_param: FrrOvnBgpAgentExposeTenantNetworks}
|
|
tripleo_frr_ovn_bgp_agent_bgp_as: {get_param: FrrOvnBgpAgentAsn}
|
|
tripleo_frr_ovn_bgp_agent_ovsdb_connection: {get_param: FrrOvnBgpAgentOvsdbConnection}
|
|
- name: Start FRR
|
|
include_role:
|
|
name: tripleo_container_manage
|
|
vars:
|
|
tripleo_container_manage_config: "/var/lib/tripleo-config/container-startup-config/step_0"
|
|
tripleo_container_manage_config_id: "frr"
|
|
tripleo_container_manage_config_patterns: "frr.json"
|
|
tripleo_container_manage_clean_orphans: false
|
|
update_tasks: []
|
|
upgrade_tasks: []
|