60d77b37ec
Without this change on Centos Stream 9 we will get errors like the following: + nsenter --net=/run/netns/qdhcp-7083ee69-e139-4844-8af8-7efa798a3c49 --preserve-credentials -m -t 1 podman run --detach --log-driver k8s-file --log-opt path=/var/log/containers/stdouts/neutron-dnsmasq-qdhcp-7083ee69-e139-4844-8af8-7efa798a3c49.log -v /var/lib/config-data/puppet-generated/neutron/etc/neutron:/etc/neutron:ro -v /run/netns:/run/netns:shared -v /var/lib/neutron:/var/lib/neutron:shared -v /dev/log:/dev/log --net host --pid host --cgroupns host --privileged -u root --name neutron-dnsmasq-qdhcp-7083ee69-e139-4844-8af8-7efa798a3c49 undercloud-0.ctlplane.home.arpa:8787/tripleomastercentos9/openstack-neutron-dhcp-agent:8f4fa80dca5a62ca9a9049b664a60868 /usr/sbin/dnsmasq -k --no-hosts --no-resolv --pid-file=/var/lib/neutron/dhcp/7083ee69-e139-4844-8af8-7efa798a3c49/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/7083ee69-e139-4844-8af8-7efa798a3c49/host --addn-hosts=/var/lib/neutron/dhcp/7083ee69-e139-4844-8af8-7efa798a3c49/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/7083ee69-e139-4844-8af8-7efa798a3c49/opts --dhcp-leasefile=/var/lib/neutron/dhcp/7083ee69-e139-4844-8af8-7efa798a3c49/leases --dhcp-match=set:ipxe,175 --dhcp-userclass=set:ipxe6,iPXE --local-service --bind-dynamic --dhcp-range=set:subnet-eaf4f552-0023-4e4a-9b6e-b5f3727e647e,192.168.24.0,static,255.255.255.0,86400s --dhcp-option-force=option:mtu,1500 --dhcp-lease-max=256 --conf-file=/dev/null --domain=home.arpa Error: create directory `/sys/fs/cgroup/../../libpod-b43b25a3bf3af73d24d3f4c52b983334ead7d28462e9ed8ba83f207e4264b1ed.scope`: No such file or directory: OCI runtime attempted to invoke a command that was not found See also the related libvirt/nova issue in https://bugs.launchpad.net/tripleo/+bug/1936005 Tested and with this change the error is gone and dhcp/ovn-metadata is functional again. Closes-Bug: #1944522 Change-Id: I8a5b885782386a89c463ff0b7afd7ace91958278
372 lines
15 KiB
YAML
372 lines
15 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
OpenStack containerized OVN Metadata agent
|
|
|
|
parameters:
|
|
ContainerOvnMetadataImage:
|
|
description: image
|
|
type: string
|
|
ContainerNeutronConfigImage:
|
|
description: The container image to use for the neutron config_volume
|
|
type: string
|
|
OvnMetadataAgentLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.neutron.agent.ovn-metadata
|
|
file: /var/log/containers/neutron/networking-ovn-metadata-agent.log
|
|
OVNEnableHaproxyDockerWrapper:
|
|
description: Generate a wrapper script so that haproxy is launched in a separate container.
|
|
type: boolean
|
|
default: true
|
|
Debug:
|
|
type: boolean
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
OVNWrapperDebug:
|
|
type: boolean
|
|
default: false
|
|
description: Controls debugging for the wrapper scripts.
|
|
ContainerCli:
|
|
type: string
|
|
default: 'podman'
|
|
description: CLI tool used to manage containers.
|
|
constraints:
|
|
- allowed_values: ['docker', 'podman']
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
DeployIdentifier:
|
|
default: ''
|
|
type: string
|
|
description: >
|
|
Setting this to a unique value will re-run any deployment tasks which
|
|
perform configuration on a Heat stack-update.
|
|
NeutronMetadataProxySharedSecret:
|
|
description: Shared secret to prevent spoofing
|
|
type: string
|
|
hidden: true
|
|
NeutronMetadataWorkers:
|
|
default: ''
|
|
description: |
|
|
Sets the number of worker processes for the neutron OVN metadata agent.
|
|
The default value results in the configuration being left unset and a
|
|
system-dependent default will be chosen (usually the number of
|
|
processors). Please note that this can result in a large number of
|
|
processes and memory consumption on systems with a large core count. On
|
|
such systems it is recommended that a non-default value be selected that
|
|
matches the load requirements.
|
|
type: string
|
|
OVNSouthboundServerPort:
|
|
description: Port of the OVN Southbound DB server
|
|
type: number
|
|
default: 6642
|
|
OVNDbConnectionTimeout:
|
|
description: Timeout in seconds for the OVSDB connection transaction
|
|
type: number
|
|
default: 180
|
|
MonitoringSubscriptionOvnMetadata:
|
|
default: 'overcloud-ovn-metadata'
|
|
type: string
|
|
OvnMetadataAgentDebug:
|
|
default: false
|
|
description: Set to True to enable debugging for OVN Metadata agent.
|
|
type: boolean
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
DockerAdditionalSockets:
|
|
default: ['/var/lib/openstack/docker.sock']
|
|
description: Additional domain sockets for the docker daemon to bind to (useful for mounting
|
|
into containers that launch other containers)
|
|
type: comma_delimited_list
|
|
OVNRemoteProbeInterval:
|
|
description: Probe interval in ms
|
|
type: number
|
|
default: 60000
|
|
CertificateKeySize:
|
|
type: string
|
|
default: '2048'
|
|
description: Specifies the private key size used when creating the
|
|
certificate.
|
|
OvnMetadataCertificateKeySize:
|
|
type: string
|
|
default: ''
|
|
description: Override the private key size used when creating the
|
|
certificate for this service
|
|
|
|
conditions:
|
|
neutron_metadata_workers_set:
|
|
not: {equals : [{get_param: NeutronMetadataWorkers}, '']}
|
|
key_size_override_set:
|
|
not: {equals: [{get_param: OvnMetadataCertificateKeySize}, '']}
|
|
|
|
resources:
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
NeutronBase:
|
|
type: ../neutron/neutron-base.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
NeutronLogging:
|
|
type: OS::TripleO::Services::Logging::NeutronCommon
|
|
properties:
|
|
NeutronServiceName: ovn-metadata-agent
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for OVNMetadata agent
|
|
value:
|
|
service_name: ovn_metadata
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionOvnMetadata}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [NeutronBase, role_data, config_settings]
|
|
- get_attr: [NeutronLogging, config_settings]
|
|
- tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::enable_haproxy_wrapper: {get_param: OVNEnableHaproxyDockerWrapper}
|
|
tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::haproxy_process_wrapper: '/var/lib/neutron/ovn_metadata_haproxy_wrapper'
|
|
tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::haproxy_image: {get_param: ContainerOvnMetadataImage}
|
|
tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::debug:
|
|
if:
|
|
- {get_param: OVNWrapperDebug}
|
|
- true
|
|
- {get_param: Debug}
|
|
tripleo::profile::base::neutron::container_cli: {get_param: ContainerCli}
|
|
neutron::agents::ovn_metadata::shared_secret: {get_param: NeutronMetadataProxySharedSecret}
|
|
neutron::agents::ovn_metadata::metadata_host: {get_param: [EndpointMap, NovaMetadataCellInternal, host_nobrackets]}
|
|
neutron::agents::ovn_metadata::ovsdb_connection_timeout: {get_param: OVNDbConnectionTimeout}
|
|
ovn::southbound::port: {get_param: OVNSouthboundServerPort}
|
|
neutron::agents::ovn_metadata::ovn_remote_probe_interval: {get_param: OVNRemoteProbeInterval}
|
|
neutron::agents::ovn_metadata::debug:
|
|
if:
|
|
- {get_param: OvnMetadataAgentDebug}
|
|
- true
|
|
- {get_param: Debug}
|
|
neutron::agents::ovn_metadata::metadata_protocol:
|
|
if:
|
|
- {get_param: EnableInternalTLS}
|
|
- 'https'
|
|
- 'http'
|
|
neutron::agents::ovn_metadata::metadata_workers:
|
|
if:
|
|
- neutron_metadata_workers_set
|
|
- {get_param: NeutronMetadataWorkers}
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- tripleo::profile::base::neutron::ovn_metadata::ovn_sb_ca_cert: {get_param: InternalTLSCAFile}
|
|
tripleo::profile::base::neutron::ovn_metadata::protocol: 'ssl'
|
|
tripleo::profile::base::neutron::ovn_metadata::ovn_sb_certificate: '/etc/pki/tls/certs/ovn_metadata.crt'
|
|
tripleo::profile::base::neutron::ovn_metadata::ovn_sb_private_key: '/etc/pki/tls/private/ovn_metadata.key'
|
|
puppet_config:
|
|
puppet_tags: neutron_config,ovn_metadata_agent_config
|
|
config_volume: neutron
|
|
step_config: |
|
|
include tripleo::profile::base::neutron::ovn_metadata
|
|
config_image: {get_param: ContainerNeutronConfigImage}
|
|
volumes:
|
|
- /lib/modules:/lib/modules:ro
|
|
- /run/openvswitch:/run/openvswitch:shared,z
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/ovn_metadata_agent.json:
|
|
command:
|
|
list_join:
|
|
- ' '
|
|
- - /usr/bin/networking-ovn-metadata-agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/networking-ovn/networking-ovn-metadata-agent.ini
|
|
- get_attr: [NeutronLogging, cmd_extra_args]
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/neutron
|
|
owner: neutron:neutron
|
|
recurse: true
|
|
- path: /var/lib/neutron
|
|
owner: neutron:neutron
|
|
recurse: true
|
|
- path: /etc/pki/tls/certs/ovn_metadata.crt
|
|
owner: neutron:neutron
|
|
optional: true
|
|
perm: '0644'
|
|
- path: /etc/pki/tls/private/ovn_metadata.key
|
|
owner: neutron:neutron
|
|
optional: true
|
|
perm: '0644'
|
|
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
|
|
docker_config:
|
|
step_2:
|
|
create_haproxy_wrapper:
|
|
start_order: 1
|
|
detach: false
|
|
net: host
|
|
pid: host
|
|
user: root
|
|
command: # '/container_puppet_apply.sh "STEP" "TAGS" "CONFIG" "DEBUG"'
|
|
list_concat:
|
|
- - '/container_puppet_apply.sh'
|
|
- '4'
|
|
- 'file'
|
|
- 'include ::tripleo::profile::base::neutron::ovn_metadata_agent_wrappers'
|
|
image: {get_param: ContainerOvnMetadataImage}
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, container_puppet_apply_volumes]}
|
|
- - /run/openvswitch:/run/openvswitch:shared,z
|
|
- /var/lib/neutron:/var/lib/neutron:shared,z
|
|
step_4:
|
|
setup_ovs_manager:
|
|
start_order: 0
|
|
detach: false
|
|
net: host
|
|
privileged: true
|
|
user: root
|
|
command: # '/container_puppet_apply.sh "STEP" "TAGS" "CONFIG" "DEBUG"'
|
|
list_concat:
|
|
- - '/container_puppet_apply.sh'
|
|
- '4'
|
|
- 'exec'
|
|
- 'include tripleo::profile::base::neutron::ovn_metadata'
|
|
image: {get_param: ContainerOvnMetadataImage}
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, container_puppet_apply_volumes]}
|
|
- - /lib/modules:/lib/modules:ro
|
|
- /run/openvswitch:/run/openvswitch:shared,z
|
|
environment:
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
ovn_metadata_agent:
|
|
start_order: 1
|
|
image: {get_param: ContainerOvnMetadataImage}
|
|
net: host
|
|
pid: host
|
|
cgroupns: host
|
|
privileged: true
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [NeutronLogging, volumes]}
|
|
- - /var/lib/kolla/config_files/ovn_metadata_agent.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro
|
|
- /lib/modules:/lib/modules:ro
|
|
- /run/openvswitch:/run/openvswitch:shared,z
|
|
- /var/lib/neutron:/var/lib/neutron:shared,z
|
|
- /run/netns:/run/netns:shared
|
|
- /var/lib/neutron/kill_scripts:/etc/neutron/kill_scripts:shared,z
|
|
- if:
|
|
- {get_param: OVNEnableHaproxyDockerWrapper}
|
|
- - /var/lib/neutron/ovn_metadata_haproxy_wrapper:/usr/local/bin/haproxy:ro
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - /etc/pki/tls/certs/ovn_metadata.crt:/etc/pki/tls/certs/ovn_metadata.crt
|
|
- /etc/pki/tls/private/ovn_metadata.key:/etc/pki/tls/private/ovn_metadata.key
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
metadata_settings:
|
|
list_concat:
|
|
- {get_attr: [NeutronBase, role_data, metadata_settings]}
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - service: ovn_metadata
|
|
network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
|
type: node
|
|
deploy_steps_tasks:
|
|
- name: Certificate generation
|
|
when:
|
|
- step|int == 1
|
|
- enable_internal_tls
|
|
block:
|
|
- include_role:
|
|
name: linux-system-roles.certificate
|
|
vars:
|
|
certificate_requests:
|
|
- name: ovn_metadata
|
|
dns:
|
|
str_replace:
|
|
template: "{{fqdn_$NETWORK}}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
|
principal:
|
|
str_replace:
|
|
template: "ovn_metadata/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
|
key_size:
|
|
if:
|
|
- key_size_override_set
|
|
- {get_param: OvnMetadataCertificateKeySize}
|
|
- {get_param: CertificateKeySize}
|
|
ca: ipa
|
|
host_prep_tasks:
|
|
list_concat:
|
|
- {get_attr: [NeutronLogging, host_prep_tasks]}
|
|
- - name: create /run/netns with temp namespace
|
|
command: ip netns add ns_temp
|
|
register: ipnetns_add_result
|
|
failed_when: false
|
|
- name: remove temp namespace
|
|
command: ip netns delete ns_temp
|
|
failed_when: false
|
|
when:
|
|
- ipnetns_add_result.rc is defined
|
|
- ipnetns_add_result.rc == 0
|
|
- name: create /var/lib/neutron
|
|
file:
|
|
path: /var/lib/neutron
|
|
state: directory
|
|
setype: container_file_t
|
|
- name: set conditions
|
|
set_fact:
|
|
haproxy_wrapper_enabled: {get_param: OVNEnableHaproxyDockerWrapper}
|
|
debug_enabled:
|
|
if:
|
|
- {get_param: OVNWrapperDebug}
|
|
- true
|
|
- {get_param: Debug}
|
|
docker_additional_sockets: {get_param: DockerAdditionalSockets}
|
|
- name: create kill_scripts directory within /var/lib/neutron
|
|
file:
|
|
state: directory
|
|
path: /var/lib/neutron/kill_scripts
|
|
- name: create haproxy kill script
|
|
when: haproxy_wrapper_enabled|bool
|
|
copy:
|
|
dest: /var/lib/neutron/kill_scripts/haproxy-kill
|
|
mode: 0755
|
|
content: {get_file: ../neutron/kill-script}
|
|
upgrade_tasks: []
|