Heat templates for deploying OpenStack
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 

451 lines
19 KiB

heat_template_version: rocky
description: >
OpenStack containerized Neutron L3 agent
parameters:
ContainerNeutronL3AgentImage:
description: image
type: string
ContainerNeutronConfigImage:
description: The container image to use for the neutron config_volume
type: string
DockerNeutronL3AgentUlimit:
default: ['nofile=16384']
description: ulimit for Neutron L3 Agent Container
type: comma_delimited_list
DockerAdditionalSockets:
default: ['/var/lib/openstack/docker.sock']
description: Additional domain sockets for the docker daemon to bind to (useful for mounting
into containers that launch other containers)
type: comma_delimited_list
NeutronL3AgentLoggingSource:
type: json
default:
tag: openstack.neutron.agent.l3
file: /var/log/containers/neutron/l3-agent.log
NeutronEnableKeepalivedWrapper:
description: Generate a wrapper script so neutron launches keepalived processes in a
separate container.
type: boolean
default: true
NeutronEnableHaproxyDockerWrapper:
description: Generate a wrapper script so neutron launches haproxy in a separate container.
type: boolean
default: true
NeutronEnableDibblerDockerWrapper:
description: Generate a wrapper script so neutron launches the dibbler client in a separate
container.
type: boolean
default: true
NeutronEnableRadvdDockerWrapper:
description: Generate a wrapper script so neutron launches radvd in a separate container. Note
that is currently disabled by default pending availability of a fix to radvd
(see https://bugzilla.redhat.com/show_bug.cgi?id=1564391). It will be enabled by default
once the fix to radvd is generally available across target distributions.
type: boolean
default: false
Debug:
type: boolean
default: false
description: Set to True to enable debugging on all services.
NeutronWrapperDebug:
type: boolean
default: false
description: Controls debugging for the wrapper scripts.
ContainerCli:
type: string
default: 'podman'
description: CLI tool used to manage containers.
constraints:
- allowed_values: ['docker', 'podman']
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
NeutronL3AgentMode:
description: |
Agent mode for L3 agent. Must be one of legacy or dvr_snat.
default: 'legacy'
type: string
constraints:
- allowed_values:
- legacy
- dvr_snat
- dvr
tags:
- role_specific
MonitoringSubscriptionNeutronL3:
default: 'overcloud-neutron-l3-agent'
type: string
NeutronL3AgentDebug:
default: ''
description: Set to True to enable debugging for Neutron L3 agent.
type: string
constraints:
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
# NOTE(bogdando): we allow the L3 agent to have AZ configs defined disregard of
# the used NeutronMechanismDrivers.
NeutronL3AgentAvailabilityZone:
description: Availability zone for Neutron L3 agent. If not set,
no AZs will be configured for Neutron network services.
default: ''
type: string
# DEPRECATED: the following options are deprecated and are currently maintained
# for backwards compatibility. They will be removed in the Pike cycle.
NeutronExternalNetworkBridge:
description: Name of bridge used for external network traffic. Usually L2
agent handles port wiring into external bridge, and hence the
parameter should be unset.
type: string
default: ''
NeutronL3AgentExtensions:
default: ""
description: |
Comma-separated list of extensions enabled for the Neutron L3 agent.
type: comma_delimited_list
conditions:
keepalived_wrapper_enabled: {equals: [{get_param: NeutronEnableKeepalivedWrapper}, true]}
haproxy_wrapper_enabled: {equals: [{get_param: NeutronEnableHaproxyDockerWrapper}, true]}
dibbler_wrapper_enabled: {equals: [{get_param: NeutronEnableDibblerDockerWrapper}, true]}
radvd_wrapper_enabled: {equals: [{get_param: NeutronEnableRadvdDockerWrapper}, true]}
docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']}
service_debug_unset: {equals : [{get_param: NeutronWrapperDebug}, false]}
external_network_bridge_empty: {equals : [{get_param: NeutronExternalNetworkBridge}, "''"]}
az_unset: {equals: [{get_param: NeutronL3AgentAvailabilityZone}, '']}
l3_agent_extensions_empty: {equals : [{get_param: NeutronL3AgentExtensions}, "''"]}
resources:
ContainersCommon:
type: ../containers-common.yaml
NeutronBase:
type: ./neutron-base.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
# Merging role-specific parameters (RoleParameters) with the default parameters.
# RoleParameters will have the precedence over the default parameters.
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- neutron::agents::l3::agent_mode: NeutronL3AgentMode
- values: {get_param: [RoleParameters]}
- values:
NeutronL3AgentMode: {get_param: NeutronL3AgentMode}
NeutronLogging:
type: OS::TripleO::Services::Logging::NeutronCommon
properties:
NeutronServiceName: l3-agent
outputs:
role_data:
description: Role data for Neutron L3 agent
value:
service_name: neutron_l3
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronL3}
config_settings:
map_merge:
- get_attr: [NeutronBase, role_data, config_settings]
- get_attr: [RoleParametersValue, value]
- get_attr: [NeutronLogging, config_settings]
- tripleo::profile::base::neutron::l3_agent_wrappers::enable_keepalived_wrapper: {get_param: NeutronEnableKeepalivedWrapper}
tripleo::profile::base::neutron::l3_agent_wrappers::keepalived_process_wrapper: '/var/lib/neutron/keepalived_wrapper'
# TODO(beagles): this can be removed after a cleanup of the related puppet-tripleo code.
tripleo::profile::base::neutron::l3_agent_wrappers::keepalived_state_change_wrapper: '/var/lib/neutron/keepalived_state_change_wrapper'
tripleo::profile::base::neutron::l3_agent_wrappers::keepalived_image: {get_param: ContainerNeutronL3AgentImage}
tripleo::profile::base::neutron::l3_agent_wrappers::enable_haproxy_wrapper: {get_param: NeutronEnableHaproxyDockerWrapper}
tripleo::profile::base::neutron::l3_agent_wrappers::haproxy_process_wrapper: '/var/lib/neutron/l3_haproxy_wrapper'
tripleo::profile::base::neutron::l3_agent_wrappers::haproxy_image: {get_param: ContainerNeutronL3AgentImage}
tripleo::profile::base::neutron::l3_agent_wrappers::enable_dibbler_wrapper: {get_param: NeutronEnableDibblerDockerWrapper}
tripleo::profile::base::neutron::l3_agent_wrappers::dibbler_process_wrapper: '/var/lib/neutron/dibbler_wrapper'
tripleo::profile::base::neutron::l3_agent_wrappers::dibbler_image: {get_param: ContainerNeutronL3AgentImage}
tripleo::profile::base::neutron::l3_agent_wrappers::enable_radvd_wrapper: {get_param: NeutronEnableRadvdDockerWrapper}
tripleo::profile::base::neutron::l3_agent_wrappers::radvd_process_wrapper: '/var/lib/neutron/radvd_wrapper'
tripleo::profile::base::neutron::l3_agent_wrappers::radvd_image: {get_param: ContainerNeutronL3AgentImage}
tripleo::profile::base::neutron::l3_agent_wrappers::debug:
if:
- service_debug_unset
- {get_param: Debug }
- {get_param: NeutronWrapperDebug}
tripleo::profile::base::neutron::container_cli: {get_param: ContainerCli}
- neutron::agents::l3::debug:
if:
- service_debug_unset
- {get_param: Debug}
- {get_param: NeutronL3AgentDebug}
tripleo::neutron_l3::firewall_rules:
'106 neutron_l3 vrrp':
proto: vrrp
-
if:
- external_network_bridge_empty
- {}
- neutron::agents::l3::external_network_bridge: {get_param: NeutronExternalNetworkBridge}
- if:
- az_unset
- {}
- neutron::agents::l3::availability_zone: {get_param: NeutronL3AgentAvailabilityZone}
if:
- l3_agent_extensions_empty
- {}
- neutron::agents::l3::extensions: {get_param: NeutronL3AgentExtensions}
service_config_settings:
map_merge:
- get_attr: [NeutronBase, role_data, service_config_settings]
- rsyslog:
tripleo_logging_sources_neutron_l3:
- {get_param: NeutronL3AgentLoggingSource}
puppet_config:
puppet_tags: neutron_config,neutron_l3_agent_config
config_volume: neutron
step_config: |
include tripleo::profile::base::neutron::l3
config_image: {get_param: ContainerNeutronConfigImage}
kolla_config:
/var/lib/kolla/config_files/neutron_l3_agent.json:
command:
list_join:
- ' '
- - /usr/bin/neutron-l3-agent --config-file /usr/share/neutron/neutron-dist.conf --config-dir /usr/share/neutron/l3_agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/l3_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-l3-agent
- get_attr: [NeutronLogging, cmd_extra_args]
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/neutron
owner: neutron:neutron
recurse: true
- path: /var/lib/neutron
owner: neutron:neutron
recurse: true
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
deploy_steps_tasks:
- when: step|int == 1
block:
- name: set conditions
set_fact:
keepalived_wrapper_enabled: {get_param: NeutronEnableKeepalivedWrapper}
haproxy_wrapper_enabled: {get_param: NeutronEnableHaproxyDockerWrapper}
dibbler_wrapper_enabled: {get_param: NeutronEnableDibblerDockerWrapper}
radvd_wrapper_enabled: {get_param: NeutronEnableRadvdDockerWrapper}
debug_enabled: {get_param: Debug}
docker_additional_sockets: {get_param: DockerAdditionalSockets}
- name: create kill_scripts directory within /var/lib/neutron
file:
state: directory
path: /var/lib/neutron/kill_scripts
- name: create keepalived kill script
when: keepalived_wrapper_enabled|bool
copy:
dest: /var/lib/neutron/kill_scripts/keepalived-kill
mode: 0755
content: {get_file: ./kill-script}
- name: create haproxy kill script
when: haproxy_wrapper_enabled|bool
copy:
dest: /var/lib/neutron/kill_scripts/haproxy-kill
mode: 0755
content: {get_file: ./kill-script}
- name: create dibbler kill script
when: dibbler_wrapper_enabled|bool
copy:
dest: /var/lib/neutron/kill_scripts/dibbler-kill
mode: 0755
content: {get_file: ./kill-script}
- name: create radvd kill script
when: radvd_wrapper_enabled|bool
copy:
dest: /var/lib/neutron/kill_scripts/radvd-kill
mode: 0755
content: {get_file: ./kill-script}
docker_config:
step_2:
create_keepalived_wrapper:
start_order: 1
detach: false
net: host
pid: host
user: root
command: # '/container_puppet_apply.sh "STEP" "TAGS" "CONFIG" "DEBUG"'
list_concat:
-
- '/container_puppet_apply.sh'
- '4'
- 'file'
- 'include ::tripleo::profile::base::neutron::l3_agent_wrappers'
image: {get_param: ContainerNeutronL3AgentImage}
volumes:
list_concat:
- {get_attr: [ContainersCommon, container_puppet_apply_volumes]}
-
- /run/openvswitch:/run/openvswitch:shared,z
- /var/lib/neutron:/var/lib/neutron:shared,z
step_4:
neutron_l3_agent:
start_order: 10
image: {get_param: ContainerNeutronL3AgentImage}
net: host
pid: host
privileged: true
restart: always
depends_on:
- openvswitch
healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
ulimit: {get_param: DockerNeutronL3AgentUlimit}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NeutronLogging, volumes]}
-
- /var/lib/kolla/config_files/neutron_l3_agent.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro
- /lib/modules:/lib/modules:ro
- /run/openvswitch:/run/openvswitch:shared,z
- /var/lib/neutron:/var/lib/neutron:shared,z
- /run/netns:/run/netns:shared
- /var/lib/neutron/kill_scripts:/etc/neutron/kill_scripts:shared,z
-
if:
- docker_enabled
- - /var/lib/openstack:/var/lib/openstack
- null
-
if:
- keepalived_wrapper_enabled
- - /var/lib/neutron/keepalived_wrapper:/usr/local/bin/keepalived:ro
- null
-
if:
- haproxy_wrapper_enabled
- - /var/lib/neutron/l3_haproxy_wrapper:/usr/local/bin/haproxy:ro
- null
-
if:
- radvd_wrapper_enabled
- - /var/lib/neutron/radvd_wrapper:/usr/local/bin/radvd:ro
- null
-
if:
- dibbler_wrapper_enabled
- - /var/lib/neutron/dibbler_wrapper:/usr/local/bin/dibbler_client:ro
- null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
metadata_settings:
get_attr: [NeutronBase, role_data, metadata_settings]
host_prep_tasks:
list_concat:
- {get_attr: [NeutronLogging, host_prep_tasks]}
- - name: create /run/netns with temp namespace
command: ip netns add ns_temp
register: ipnetns_add_result
ignore_errors: True
- - name: remove temp namespace
command: ip netns delete ns_temp
ignore_errors: True
when: ipnetns_add_result.rc == 0
- - name: create /var/lib/neutron
file:
path: /var/lib/neutron
state: directory
setype: svirt_sandbox_file_t
- - name: enable virt_sandbox_use_netlink for healtcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
upgrade_tasks: []
fast_forward_upgrade_tasks:
- when:
- step|int == 0
- release == 'ocata'
block:
- name: Check if neutron_l3_agent is deployed
command: systemctl is-enabled --quiet neutron-l3-agent
ignore_errors: True
register: neutron_l3_agent_enabled_result
- name: Set fact neutron_l3_agent_enabled
set_fact:
neutron_l3_agent_enabled: "{{ neutron_l3_agent_enabled_result.rc == 0 }}"
- name: Stop neutron_l3_agent
service: name=neutron-l3-agent state=stopped enabled=no
when:
- step|int == 1
- release == 'ocata'
- neutron_l3_agent_enabled|bool
post_upgrade_tasks:
- when: step|int == 1
import_role:
name: tripleo-docker-rm
vars:
containers_to_rm:
- neutron_l3_agent
tripleo_container_cli: "docker"
- name: Check for neutron user
getent:
database: passwd
key: neutron
ignore_errors: True
- name: Set neutron_user_avail
set_fact:
neutron_user_avail: "{{ getent_passwd is defined }}"
- when:
- step|int == 2
- neutron_user_avail|bool
block:
- name: Ensure r/w access for existing files after upgrade
become: true
shell: |
umask 0002
setfacl -d -R -m u:neutron:rwx /var/lib/neutron
setfacl -R -m u:neutron:rw /var/lib/neutron
find /var/lib/neutron -type d -exec setfacl -m u:neutron:rwx '{}' \;
- name: Provide access to domain sockets
become: true
shell: |
umask 0002
setfacl -m u:neutron:rwx "{{ item }}"
with_items:
- /var/lib/neutron/metadata_proxy
- /var/lib/neutron/keepalived-state-change
- /var/lib/neutron
# These files are not necessarily present
ignore_errors: True