tripleo-heat-templates/deployment/ovn/ovn-controller-container-puppet.yaml
David Vallee Delisle 1314f345fa [ovn] Deleting ovn agents during scale down tasks
When we scale down nodes, we need to make sure that the OVN agents are
deleted; otherwise it's going to cause issues.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=2017827
Closes-Bug: #1949203

Change-Id: I9a253e77178bfe1cdd867a31e8b9adc310238819
2021-11-04 17:52:38 +00:00


heat_template_version: wallaby

description: >
  OpenStack containerized Ovn Controller agent.
parameters:
  RootStackName:
    description: The name of the stack/plan.
    type: string
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. Use
                 parameter_merge_strategies to merge it with the defaults.
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ContainerOvnControllerImage:
    description: image
    type: string
  ContainerOvnControllerConfigImage:
    description: The container image to use for the ovn_controller config_volume
    type: string
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  # Role-specific overrides; merged over the defaults by RoleParametersValue
  # and OVNBridgeMappingsValue in the resources section.
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  DeployIdentifier:
    default: ''
    type: string
    description: >
      Setting this to a unique value will re-run any deployment tasks which
      perform configuration on a Heat stack-update.
  # Also used by the ovn_controller container healthcheck in the outputs.
  OVNSouthboundServerPort:
    description: Port of the Southbound DB Server
    type: number
    default: 6642
  NeutronBridgeMappings:
    description: >
      The OVS logical->physical bridge mappings to use. See the Neutron
      documentation for details. Defaults to mapping br-ex - the external
      bridge on hosts - to a physical name 'datacentre' which can be used
      to create provider networks (and we use this for the default floating
      network) - if changing this either use different post-install network
      scripts or be sure to keep 'datacentre' as a mapping network name.
    type: comma_delimited_list
    default: "datacentre:br-ex"
    tags:
      - role_specific
  EnableVLANTransparency:
    default: false
    description: >
      If True, then allow plugins that support it to create VLAN
      transparent networks.
    type: boolean
  OVNEncapType:
    description: >
      Type of encapsulation used in OVN. It can be "geneve" or "vxlan".
    type: string
    default: "geneve"
    constraints:
      - allowed_values: ["geneve", "vxlan"]
  OVNIntegrationBridge:
    description: >
      Name of the OVS bridge to use as integration bridge by OVN Controller.
    type: string
    default: "br-int"
  OVNMetadataEnabled:
    description: Whether Metadata Service has to be enabled
    type: boolean
    default: true
  # When non-empty, appended to OVNCMSOptions as "availability-zones=..."
  # (see the az_ovn_unset condition and RoleParametersValue).
  OVNAvailabilityZone:
    description: The az options to configure in ovs db.
                 eg. ['az-0', 'az-1', 'az-2']
    type: comma_delimited_list
    default: []
    tags:
      - role_specific
  OVNCMSOptions:
    description: The CMS options to configure in ovs db
    type: string
    default: ""
    tags:
      - role_specific
  OvsHwOffload:
    default: false
    description: |
      Enable OVS Hardware Offload. This feature supported from OVS 2.8.0
    type: boolean
    tags:
      - role_specific
  OVNRemoteProbeInterval:
    description: Probe interval in ms
    type: number
    default: 60000
  # Drives the 'ssl' protocol setting, the -p/-c/-C flags on the
  # ovn-controller command line, the certificate request and the TLS
  # volume mounts defined in the outputs.
  EnableInternalTLS:
    type: boolean
    default: false
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  OVNOpenflowProbeInterval:
    description: >
      The inactivity probe interval of the OpenFlow connection to the
      OpenvSwitch integration bridge, in seconds.
    type: number
    default: 60
  # Default key size for the certificate request; ContainerOvnCertificateKeySize
  # overrides it for this service when set (key_size_override_set condition).
  CertificateKeySize:
    type: string
    default: '2048'
    description: Specifies the private key size used when creating the
                 certificate.
  ContainerOvnCertificateKeySize:
    type: string
    default: ''
    description: Override the private key size used when creating the
                 certificate for this service
  OVNStaticBridgeMacMappings:
    type: json
    default: {}
    description: |
      Static OVN Bridge MAC address mappings. Unique OVN bridge mac addresses
      is dynamically allocated by creating neutron ports. When neutron isn't
      available, for instance in the standalone deployment, use this parameter
      to provide static OVN bridge mac addresses. For example:
        controller-0:
          datacenter: 00:00:5E:00:53:00
          provider: 00:00:5E:00:53:01
        compute-0:
          datacenter: 00:00:5E:00:54:00
          provider: 00:00:5E:00:54:01
    tags:
      - role_specific
conditions:
  # True when a service-specific certificate key size was supplied.
  key_size_override_set:
    not: {equals: [{get_param: ContainerOvnCertificateKeySize}, '']}
  # True when no availability zone list was given for this role.
  az_ovn_unset: {equals: [{get_param: OVNAvailabilityZone}, []]}
resources:

  ContainersCommon:
    type: ../containers-common.yaml

  # Merging role-specific parameters (RoleParameters) with the default parameters.
  # RoleParameters will have the precedence over the default parameters.
  RoleParametersValue:
    type: OS::Heat::Value
    properties:
      type: json
      value:
        map_replace:
          - map_replace:
            - ovn::controller::ovn_bridge_mappings: NeutronBridgeMappings
              ovn::controller::ovn_cms_options:
                if:
                  - az_ovn_unset
                  - OVNCMSOptions
                  # NOTE(review): the 'OVNCMSOptions' placeholder and the
                  # list-typed OVNAvailabilityZone both sit inside this
                  # list_join; confirm on a rendered stack that the
                  # placeholder is still substituted here and that the AZ
                  # list is joined as intended rather than serialized as-is.
                  - list_join:
                      - ''
                      - - OVNCMSOptions
                        - ",availability-zones="
                        - {get_param: OVNAvailabilityZone}
              vswitch::ovs::enable_hw_offload: OvsHwOffload
            - values: {get_param: [RoleParameters]}
          - values:
              NeutronBridgeMappings: {get_param: NeutronBridgeMappings}
              OVNCMSOptions: {get_param: OVNCMSOptions}
              OvsHwOffload: {get_param: OvsHwOffload}

  # Same precedence rule for the bridge mappings consumed by the
  # external_deploy_tasks below (tripleo_ovn_mac_addresses).
  OVNBridgeMappingsValue:
    type: OS::Heat::Value
    properties:
      type: json
      value:
        map_replace:
          - map_replace:
            - ovn_bridge_mappings: NeutronBridgeMappings
              ovn_static_bridge_mac_mappings: OVNStaticBridgeMacMappings
            - values: {get_param: [RoleParameters]}
          - values:
              NeutronBridgeMappings: {get_param: NeutronBridgeMappings}
              OVNStaticBridgeMacMappings: {get_param: OVNStaticBridgeMacMappings}
outputs:
  role_data:
    description: Role data for the Ovn Controller agent.
    value:
      service_name: ovn_controller
      # Tunnel endpoints: VXLAN (udp/4789) and Geneve (udp/6081). No source
      # restriction is set on these rules. The two raw-table NOTRACK rules
      # exempt Geneve traffic from connection tracking on OUTPUT and PREROUTING.
      firewall_rules:
        '118 neutron vxlan networks':
          proto: 'udp'
          dport: 4789
        '119 neutron geneve networks':
          proto: 'udp'
          dport: 6081
        '120 neutron geneve networks no conntrack':
          proto: 'udp'
          dport: 6081
          table: 'raw'
          chain: 'OUTPUT'
          jump: 'NOTRACK'
          action: 'append'
          state: []
        '121 neutron geneve networks no conntrack':
          proto: 'udp'
          dport: 6081
          table: 'raw'
          chain: 'PREROUTING'
          jump: 'NOTRACK'
          action: 'append'
          state: []
      config_settings:
        map_merge:
          - get_attr: [RoleParametersValue, value]
          - ovn::southbound::port: {get_param: OVNSouthboundServerPort}
            # The encapsulation IP is resolved from the hiera key of the
            # network mapped to NeutronTenantNetwork in ServiceNetMap.
            ovn::controller::ovn_encap_ip:
              str_replace:
                template:
                  "%{hiera('$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
            ovn::controller::ovn_encap_type: {get_param: OVNEncapType}
            ovn::controller::ovn_bridge: {get_param: OVNIntegrationBridge}
            # The chassis name ovn-controller registers with; the scale_tasks
            # below match agents against the ansible fqdn, so these need to agree.
            ovn::controller::hostname: "%{hiera('fqdn_canonical')}"
            ovn::controller::ovn_remote_probe_interval: {get_param: OVNRemoteProbeInterval}
            ovn::controller::ovn_openflow_probe_interval: {get_param: OVNOpenflowProbeInterval}
            nova::compute::force_config_drive: {get_param: OVNMetadataEnabled}
            ovn::controller::ovn_monitor_all: true
            # Two-argument if: the key is only emitted when internal TLS is on.
            tripleo::profile::base::neutron::agents::ovn::protocol:
              if:
                - {get_param: EnableInternalTLS}
                - 'ssl'
            vswitch::ovs::vlan_limit:
              if:
                - {get_param: EnableVLANTransparency}
                - 0
      service_config_settings: {}
      # BEGIN DOCKER SETTINGS
      puppet_config:
        puppet_tags: vs_config,exec
        config_volume: ovn_controller
        step_config: |
          include tripleo::profile::base::neutron::agents::ovn
        config_image: {get_param: ContainerOvnControllerConfigImage}
        # We need to mount /run for puppet_config step. This is because
        # puppet-vswitch runs the commands "ovs-vsctl set open_vswitch . external_ids:..."
        # to configure the required parameters in ovs db which will be read
        # by ovn-controller. And ovs-vsctl talks to the ovsdb-server (hosting conf.db)
        # on the unix domain socket - /run/openvswitch/db.sock
        volumes:
          - /lib/modules:/lib/modules:ro
          - /run/openvswitch:/run/openvswitch:shared,z
          # Needed for creating module load files
          - /etc/sysconfig/modules:/etc/sysconfig/modules
      kolla_config:
        /var/lib/kolla/config_files/ovn_controller.json:
          # With internal TLS the client key/cert and the CA file are passed
          # on the command line; the if has no else branch, so nothing is
          # appended otherwise.
          command:
            list_join:
              - ' '
              - - /usr/bin/ovn-controller --pidfile --log-file unix:/run/openvswitch/db.sock
                - if:
                    - {get_param: EnableInternalTLS}
                    - list_join:
                        - ' '
                        - - -p /etc/pki/tls/private/ovn_controller.key -c /etc/pki/tls/certs/ovn_controller.crt -C
                          - {get_param: InternalTLSCAFile}
          permissions:
            - path: /var/log/openvswitch
              owner: root:root
              recurse: true
            - path: /var/log/ovn
              owner: root:root
              recurse: true
      metadata_settings:
        if:
          - {get_param: EnableInternalTLS}
          - - service: ovn_controller
              network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
              type: node
      docker_config:
        step_4:
          # One-shot container (detach: false) that pushes the hiera value of
          # ovn::controller::ovn_cms_options into the ovs db, or removes the
          # key when the value is empty. Runs privileged as root on the host
          # network; presumably needed for the ovsdb socket under
          # /run/openvswitch, as described for puppet_config above.
          configure_cms_options:
            start_order: 0
            detach: false
            net: host
            privileged: true
            user: root
            # NOTE(review): $CMS_OPTS is expanded unquoted in the ovs-vsctl
            # set call, so a value containing whitespace would be word-split;
            # quoting it ("$CMS_OPTS") would be a harmless hardening.
            command: ['/bin/bash', '-c', 'CMS_OPTS=$(hiera ovn::controller::ovn_cms_options -c /etc/puppet/hiera.yaml); if [ X"$CMS_OPTS" != X ]; then ovs-vsctl set open . external_ids:ovn-cms-options=$CMS_OPTS;else ovs-vsctl remove open . external_ids ovn-cms-options; fi']
            image: &ovn_controller_image {get_param: ContainerOvnControllerImage}
            volumes:
              list_concat:
                - {get_attr: [ContainersCommon, volumes]}
                -
                  - /lib/modules:/lib/modules:ro
                  - /run/openvswitch:/run/openvswitch:shared,z
            environment:
              TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
          ovn_controller:
            start_order: 1
            image: *ovn_controller_image
            net: host
            privileged: true
            user: root
            restart: always
            depends_on:
              - openvswitch.service
            # Healthcheck argument is the southbound DB port as a string.
            healthcheck:
              test:
                list_join:
                  - ' '
                  - - '/openstack/healthcheck'
                    - yaql:
                        expression: str($.data.port)
                        data:
                          port: {get_param: OVNSouthboundServerPort}
            volumes:
              list_concat:
                - - /var/lib/kolla/config_files/ovn_controller.json:/var/lib/kolla/config_files/config.json:ro
                  - /lib/modules:/lib/modules:ro
                  # TODO(numans): This is temporary. Mount /run/openvswitch once
                  # openvswitch systemd script is fixed to not delete /run/openvswitch
                  # folder in the host when openvswitch service is stopped.
                  # NOTE(review): until then the whole host /run, not just the
                  # ovsdb socket, is visible to this privileged container.
                  - /run:/run
                  - /var/lib/openvswitch/ovn:/run/ovn:shared,z
                  - /var/log/containers/openvswitch:/var/log/openvswitch:z
                  - /var/log/containers/openvswitch:/var/log/ovn:z
                # TLS material only when internal TLS is enabled; the CA file
                # is mounted read-only at its own path.
                - if:
                    - {get_param: EnableInternalTLS}
                    - - list_join:
                          - ':'
                          - - {get_param: InternalTLSCAFile}
                            - {get_param: InternalTLSCAFile}
                            - 'ro'
                      - /etc/pki/tls/certs/ovn_controller.crt:/etc/pki/tls/certs/ovn_controller.crt
                      - /etc/pki/tls/private/ovn_controller.key:/etc/pki/tls/private/ovn_controller.key
            environment:
              KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
      deploy_steps_tasks:
        # Requests the ovn_controller certificate from IPA at step 1, only
        # when internal TLS is enabled; key size comes from the override
        # parameter when set, else from CertificateKeySize.
        - name: Certificate generation
          when:
            - step|int == 1
            - enable_internal_tls
          block:
            - include_role:
                name: linux-system-roles.certificate
              vars:
                certificate_requests:
                  - name: ovn_controller
                    dns:
                      str_replace:
                        template: "{{fqdn_$NETWORK}}"
                        params:
                          $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
                    principal:
                      str_replace:
                        template: "ovn_controller/{{fqdn_$NETWORK}}@{{idm_realm}}"
                        params:
                          $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
                    key_size:
                      if:
                        - key_size_override_set
                        - {get_param: ContainerOvnCertificateKeySize}
                        - {get_param: CertificateKeySize}
                    ca: ipa
      host_prep_tasks:
        # Log directory is created with mode 0750; the ovn state directory
        # keeps the default mode (omit).
        - name: create persistent directories
          file:
            path: "{{ item.path }}"
            state: directory
            setype: "{{ item.setype }}"
            mode: "{{ item.mode|default(omit) }}"
          with_items:
            - { 'path': /var/log/containers/openvswitch, 'setype': container_file_t, 'mode': '0750' }
            - { 'path': /var/lib/openvswitch/ovn, 'setype': container_file_t }
        - name: enable virt_sandbox_use_netlink for healthcheck
          seboolean:
            name: virt_sandbox_use_netlink
            persistent: true
            state: true
        - name: Copy in cleanup script
          copy:
            content: {get_file: ../neutron/neutron-cleanup}
            dest: '/usr/libexec/neutron-cleanup'
            force: true
            mode: '0755'
        - name: Copy in cleanup service
          copy:
            content: {get_file: ../neutron/neutron-cleanup.service}
            dest: '/usr/lib/systemd/system/neutron-cleanup.service'
            force: true
        - name: Enabling the cleanup service
          service:
            name: neutron-cleanup
            enabled: true
      external_deploy_tasks:
        # Step 0: allocate OVN bridge MAC addresses for this role's nodes via
        # the tripleo_ovn_mac_addresses module, honouring any static mappings
        # from OVNBridgeMappingsValue.
        - when:
            - step|int == 0
          name: ovn_controller_external_deploy_init
          block:
            - name:
                str_replace:
                  template: create ovn mac address for $ROLE_NAME role nodes
                  params:
                    $ROLE_NAME: {get_param: RoleName}
              tripleo_ovn_mac_addresses:
                playbook_dir: "{{ playbook_dir }}"
                stack_name: {get_param: RootStackName}
                role_name: {get_param: RoleName}
                server_resource_names:
                  str_replace:
                    template: '{{ groups["$ROLE_NAME"] }}'
                    params:
                      $ROLE_NAME: {get_param: RoleName}
                ovn_bridge_mappings: {get_attr: [OVNBridgeMappingsValue, value, ovn_bridge_mappings]}
                ovn_static_bridge_mac_mappings: {get_attr: [OVNBridgeMappingsValue, value, ovn_static_bridge_mac_mappings]}
      upgrade_tasks: []
      # Scale-down (tags: down) at step 1: stop the OVN units on the node
      # being removed, then delete its neutron agent records so the agent
      # list does not keep stale entries. The openstack CLI calls are
      # delegated to the undercloud; OS_CLOUD selects the cloud entry used.
      scale_tasks:
        - when:
            - step|int == 1
            - container_cli == 'podman'
          tags: down
          environment:
            OS_CLOUD: {get_param: RootStackName}
          block:
            # Some tasks are running from the Undercloud which has
            # the OpenStack clients installed.
            - name: Get neutron agents ID
              command: openstack network agent list --column ID --column Host --column Binary --format yaml
              register: neutron_agents_result
              delegate_to: "{{ groups['Undercloud'] | first }}"
              check_mode: false
              changed_when: false
            # NOTE(review): 'match' anchors only at the start and the fqdn is
            # not regex-escaped, so an agent whose Host merely begins with
            # this node's fqdn would also be selected and deleted below. If
            # agent Host is known to equal the fqdn (see
            # ovn::controller::hostname above), an exact '==' test is safer.
            - name: Filter only current host
              set_fact:
                neutron_agents: "{{ neutron_agents_result.stdout | from_yaml | selectattr('Host', 'match', ansible_facts['fqdn'] ~ '.*') | list }}"
              delegate_to: "{{ groups['Undercloud'] | first }}"
              check_mode: false
            - name: Deleting OVN agents
              block:
                # A missing unit is tolerated (e.g. a node that never ran the
                # metadata agent); any other failure or non-zero rc aborts.
                - name: Stop OVN containers
                  loop:
                    - tripleo_ovn_controller
                    - tripleo_ovn_metadata_agent
                  service:
                    name: "{{ item }}"
                    state: stopped
                    enabled: false
                  become: true
                  register: stop_containers
                  failed_when: "('msg' in stop_containers and
                                 'Could not find the requested service' not in stop_containers.msg) or
                                ('rc' in stop_containers and stop_containers.rc != 0)"
                # NOTE(review): check_mode: false makes this destructive delete
                # run even under --check; dropping it would keep check-mode
                # runs read-only.
                - name: Delete neutron agents
                  loop: "{{ neutron_agents }}"
                  loop_control:
                    loop_var: agent
                    label: "{{ agent.Host }}/{{ agent.Binary }}"
                  command: openstack network agent delete {{ agent.ID }}
                  delegate_to: "{{ groups['Undercloud'] | first }}"
                  check_mode: false