tripleo-heat-templates/deployment/neutron/neutron-api-container-puppet.yaml
Daniel Alvarez 6053eb1964 Switch default neutron ML2 mechanism driver to OVN
This patch switches the default mechanism driver for neutron from
openvswitch to OVN.

It will also flip scenario007 job to run with ML2/OVS.

Depends-On: I74ffb6b7f912e1fce6ce428cd23a7283c91b8b96
Depends-On: I99ba2fd6a85b4895b577719a7541b7cbf1fdb85c
Depends-On: Ib60de9b0df451273d1d81ba049b46b5214e09080
Depends-On: Iaed7304adf40a87a0f14b7a95339f8416140e947
Change-Id: Iab52cdf5d0f7a392c4f17c884493b5c5beb1d89f
Co-Authored-By: Kamil Sambor <ksambor@redhat.com>
2019-02-14 15:58:27 +01:00

471 lines
19 KiB
YAML

heat_template_version: rocky
description: >
OpenStack containerized Neutron API service
parameters:
DockerNeutronApiImage:
description: image
type: string
DockerNeutronConfigImage:
description: The container image to use for the neutron config_volume
type: string
NeutronApiLoggingSource:
type: json
default:
tag: openstack.neutron.api
path: /var/log/containers/neutron/server.log
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EnableInternalTLS:
type: boolean
default: false
UpgradeRemoveUnusedPackages:
default: false
description: Remove package if the service is being disabled during upgrade
type: boolean
NeutronApiOptVolumes:
default: []
description: list of optional volumes to be mounted
type: comma_delimited_list
NeutronApiOptEnvVars:
default: []
description: list of optional environment variables
type: comma_delimited_list
NeutronWorkers:
default: ''
description: |
Sets the number of API workers for the Neutron service.
The default value results in the configuration being left unset
and a system-dependent default will be chosen (usually the number
of processors). Please note that this can result in a large number
of processes and memory consumption on systems with a large core
count. On such systems it is recommended that a non-default value
be selected that matches the load requirements.
type: string
NeutronRpcWorkers:
default: ''
description: |
Sets the number of RPC workers for the Neutron service.
If not specified, it'll take the value of NeutronWorkers and if this is
not specified either, the default value results in the configuration
being left unset and a system-dependent default will be chosen
(usually 1).
type: string
NeutronPassword:
description: The password for the neutron service and db account, used by neutron agents.
type: string
hidden: true
NeutronAllowL3AgentFailover:
default: 'True'
description: Allow automatic l3-agent failover
type: string
NovaPassword:
description: The password for the nova service and db account
type: string
hidden: true
NeutronEnableDVR:
description: Enable Neutron DVR.
default: ''
type: string
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
MonitoringSubscriptionNeutronServer:
default: 'overcloud-neutron-server'
type: string
NeutronApiLoggingSource:
type: json
default:
tag: openstack.neutron.api
path: /var/log/neutron/server.log
EnableInternalTLS:
type: boolean
default: false
NeutronApiPolicies:
description: |
A hash of policies to configure for Neutron API.
e.g. { neutron-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
NeutronOvsIntegrationBridge:
default: ''
type: string
description: Name of Open vSwitch bridge to use
NeutronPortQuota:
default: '500'
type: string
description: Number of ports allowed per tenant, and minus means unlimited.
# DEPRECATED: the following options are deprecated and are currently maintained
# for backwards compatibility. They will be removed in the Ocata cycle.
NeutronL3HA:
default: ''
type: string
description: |
Whether to enable HA for virtual routers. When not set, L3 HA will be
automatically enabled if the number of nodes hosting controller
configurations and DVR is disabled. Valid values are 'true' or 'false'
This parameter is being deprecated in Newton and is scheduled to be
removed in Ocata. Future releases will enable L3 HA by default if it is
appropriate for the deployment type. Alternate mechanisms will be
available to override.
parameter_groups:
- label: deprecated
description: |
The following parameters are deprecated and will be removed. They should not
be relied on for new deployments. If you have concerns regarding deprecated
parameters, please contact the TripleO development team on IRC or the
OpenStack mailing list.
parameters:
- NeutronL3HA
conditions:
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']}
neutron_rpc_workers_unset: {equals : [{get_param: NeutronRpcWorkers}, '']}
neutron_ovs_int_br_unset: {equals : [{get_param: NeutronOvsIntegrationBridge}, '']}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
neutron_dvr_unset: {equals : [{get_param: NeutronEnableDVR}, '']}
resources:
TLSProxyBase:
type: OS::TripleO::Services::TLSProxyBase
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
ContainersCommon:
type: ../../docker/services/containers-common.yaml
MySQLClient:
type: ../database/mysql-client.yaml
NeutronBase:
type: ../../puppet/services/neutron-base.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NeutronLogging:
type: OS::TripleO::Services::Logging::NeutronApi
properties:
NeutronServiceName: server
outputs:
role_data:
description: Role data for the Neutron API role.
value:
service_name: neutron_api
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronServer}
config_settings:
map_merge:
- get_attr: [NeutronBase, role_data, config_settings]
- get_attr: [TLSProxyBase, role_data, config_settings]
- get_attr: [NeutronLogging, config_settings]
- neutron::server::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
username: neutron
password: {get_param: NeutronPassword}
host: {get_param: [EndpointMap, MysqlInternal, host]}
path: /ovs_neutron
query:
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
neutron::policy::policies: {get_param: NeutronApiPolicies}
neutron::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover}
neutron::server::enable_proxy_headers_parsing: true
neutron::keystone::authtoken::password: {get_param: NeutronPassword}
neutron::server::notifications::auth_url: { get_param: [ EndpointMap, KeystoneInternal, uri_no_suffix ] }
neutron::server::notifications::tenant_name: 'service'
neutron::server::notifications::project_name: 'service'
neutron::server::notifications::password: {get_param: NovaPassword}
neutron::server::notifications::endpoint_type: 'internal'
neutron::keystone::authtoken::project_name: 'service'
neutron::keystone::authtoken::user_domain_name: 'Default'
neutron::keystone::authtoken::project_domain_name: 'Default'
neutron::quota::quota_port: {get_param: NeutronPortQuota}
neutron::server::sync_db: true
tripleo::neutron_api::firewall_rules:
'114 neutron api':
dport:
- 9696
- 13696
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
tripleo::profile::base::neutron::server::tls_proxy_bind_ip:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
tripleo::profile::base::neutron::server::tls_proxy_fqdn:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
tripleo::profile::base::neutron::server::tls_proxy_port:
get_param: [EndpointMap, NeutronInternal, port]
# Bind to localhost if internal TLS is enabled, since we put a TLS
# proxy in front.
neutron::bind_host:
if:
- use_tls_proxy
- 'localhost'
- str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
tripleo::profile::base::neutron::server::l3_ha_override: {get_param: NeutronL3HA}
-
if:
- neutron_dvr_unset
- {}
- neutron::server::router_distributed: {get_param: NeutronEnableDVR}
neutron::server::enable_dvr: {get_param: NeutronEnableDVR}
-
if:
- neutron_workers_unset
- {}
- neutron::server::api_workers: {get_param: NeutronWorkers}
-
if:
- neutron_rpc_workers_unset
-
if:
- neutron_workers_unset
- {}
- neutron::server::rpc_workers: {get_param: NeutronWorkers}
- neutron::server::rpc_workers: {get_param: NeutronRpcWorkers}
-
if:
- neutron_ovs_int_br_unset
- {}
- neutron::server::ovs_integration_bridge: {get_param: NeutronOvsIntegrationBridge}
service_config_settings:
fluentd:
tripleo_fluentd_groups_neutron_api:
- neutron
tripleo_fluentd_sources_neutron_api:
- {get_param: NeutronApiLoggingSource}
keystone:
neutron::keystone::auth::tenant: 'service'
neutron::keystone::auth::public_url: {get_param: [EndpointMap, NeutronPublic, uri]}
neutron::keystone::auth::internal_url: { get_param: [ EndpointMap, NeutronInternal, uri ] }
neutron::keystone::auth::admin_url: { get_param: [ EndpointMap, NeutronAdmin, uri ] }
neutron::keystone::auth::password: {get_param: NeutronPassword}
neutron::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
neutron::db::mysql::password: {get_param: NeutronPassword}
neutron::db::mysql::user: neutron
neutron::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
neutron::db::mysql::dbname: ovs_neutron
neutron::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: neutron
puppet_tags: neutron_config,neutron_api_config
step_config:
list_join:
- "\n"
- - include tripleo::profile::base::neutron::server
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_param: DockerNeutronConfigImage}
kolla_config:
/var/lib/kolla/config_files/neutron_api.json:
command:
list_join:
- ' '
- - /usr/bin/neutron-server --config-file /usr/share/neutron/neutron-dist.conf --config-dir /usr/share/neutron/server --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-server
- get_attr: [NeutronLogging, cmd_extra_args]
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/neutron
owner: neutron:neutron
recurse: true
/var/lib/kolla/config_files/neutron_server_tls_proxy.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
docker_config:
step_2:
get_attr: [NeutronLogging, docker_config, step_2]
step_3:
neutron_db_sync:
image: &neutron_api_image {get_param: DockerNeutronApiImage}
net: host
privileged: false
detach: false
user: root
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NeutronLogging, volumes]}
-
- /var/lib/config-data/neutron/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro
- /var/lib/config-data/neutron/etc/neutron:/etc/neutron:ro
command: ['/usr/bin/bootstrap_host_exec', 'neutron_api', 'neutron-db-manage', 'upgrade', 'heads']
# FIXME: we should make config file permissions right
# and run as neutron user
#command: "/usr/bin/bootstrap_host_exec neutron_api su neutron -s /bin/bash -c 'neutron-db-manage upgrade heads'"
step_4:
map_merge:
- neutron_api:
start_order: 0
image: *neutron_api_image
net: host
privileged: false
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NeutronLogging, volumes]}
- {get_param: NeutronApiOptVolumes}
-
- /var/lib/kolla/config_files/neutron_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro
environment:
list_concat:
- {get_param: NeutronApiOptEnvVars}
-
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- if:
- internal_tls_enabled
- neutron_server_tls_proxy:
image: *neutron_api_image
net: host
user: root
restart: always
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/neutron_server_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- {}
host_prep_tasks: {get_attr: [NeutronLogging, host_prep_tasks]}
upgrade_tasks:
- when: step|int == 3
block:
- name: Set fact for removal of openstack-neutron package
set_fact:
remove_neutron_package: {get_param: UpgradeRemoveUnusedPackages}
- name: Remove openstack-neutron package if operator requests it
package: name=openstack-neutron state=removed
ignore_errors: True
when: remove_neutron_package|bool
metadata_settings:
get_attr: [TLSProxyBase, role_data, metadata_settings]
post_upgrade_tasks:
- when: step|int == 1
import_role:
name: tripleo-docker-rm
vars:
containers_to_rm:
with_items:
list_concat:
- - neutron_api
- - if:
- internal_tls_enabled
- - neutron_server_tls_proxy
- null
fast_forward_upgrade_tasks:
- when:
- step|int == 0
- release == 'ocata'
block:
- name: Check if neutron_server is deployed
command: systemctl is-enabled --quiet neutron-server
ignore_errors: True
register: neutron_server_enabled_result
- name: Set fact neutron_server_enabled
set_fact:
neutron_server_enabled: "{{ neutron_server_enabled_result.rc == 0 }}"
- name: Stop neutron_server
service: name=neutron-server state=stopped enabled=no
when:
- step|int == 1
- release == 'ocata'
- neutron_server_enabled|bool
- when:
- step|int == 6
- is_bootstrap_node|bool
block:
- name: Neutron package update
package:
name: 'openstack-neutron*'
state: latest
- name: Neutron package update workaround
package: name=python-networking-odl state=latest
# package python-networking-cisco may or may not be present
- name: Networking cisco db sync workaround
ignore_errors: true
package: name=python-networking-cisco state=latest
- name: Neutron db sync
command: neutron-db-manage upgrade head
when:
- step|int == 8
- is_bootstrap_node|bool