tripleo-heat-templates/deployment/ovn/ovn-metadata-container-puppet.yaml
Michele Baldessari 60d77b37ec Set cgroupns=host for neutron_dhcp and ovn-metadata
Without this change on Centos Stream 9 we will get errors like the
following:
+ nsenter --net=/run/netns/qdhcp-7083ee69-e139-4844-8af8-7efa798a3c49 --preserve-credentials -m -t 1 podman run --detach --log-driver k8s-file --log-opt path=/var/log/containers/stdouts/neutron-dnsmasq-qdhcp-7083ee69-e139-4844-8af8-7efa798a3c49.log -v /var/lib/config-data/puppet-generated/neutron/etc/neutron:/etc/neutron:ro -v /run/netns:/run/netns:shared -v /var/lib/neutron:/var/lib/neutron:shared -v /dev/log:/dev/log --net host --pid host --cgroupns host --privileged -u root --name neutron-dnsmasq-qdhcp-7083ee69-e139-4844-8af8-7efa798a3c49 undercloud-0.ctlplane.home.arpa:8787/tripleomastercentos9/openstack-neutron-dhcp-agent:8f4fa80dca5a62ca9a9049b664a60868 /usr/sbin/dnsmasq -k --no-hosts --no-resolv --pid-file=/var/lib/neutron/dhcp/7083ee69-e139-4844-8af8-7efa798a3c49/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/7083ee69-e139-4844-8af8-7efa798a3c49/host --addn-hosts=/var/lib/neutron/dhcp/7083ee69-e139-4844-8af8-7efa798a3c49/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/7083ee69-e139-4844-8af8-7efa798a3c49/opts --dhcp-leasefile=/var/lib/neutron/dhcp/7083ee69-e139-4844-8af8-7efa798a3c49/leases --dhcp-match=set:ipxe,175 --dhcp-userclass=set:ipxe6,iPXE --local-service --bind-dynamic --dhcp-range=set:subnet-eaf4f552-0023-4e4a-9b6e-b5f3727e647e,192.168.24.0,static,255.255.255.0,86400s --dhcp-option-force=option:mtu,1500 --dhcp-lease-max=256 --conf-file=/dev/null --domain=home.arpa
Error: create directory `/sys/fs/cgroup/../../libpod-b43b25a3bf3af73d24d3f4c52b983334ead7d28462e9ed8ba83f207e4264b1ed.scope`: No such file or directory: OCI runtime attempted to invoke a command that was not found

See also the related libvirt/nova issue in https://bugs.launchpad.net/tripleo/+bug/1936005

Tested and with this change the error is gone and dhcp/ovn-metadata is functional
again.

Closes-Bug: #1944522

Change-Id: I8a5b885782386a89c463ff0b7afd7ace91958278
2021-09-22 09:35:07 +02:00

372 lines
15 KiB
YAML

heat_template_version: wallaby
description: >
OpenStack containerized OVN Metadata agent
parameters:
ContainerOvnMetadataImage:
description: image
type: string
ContainerNeutronConfigImage:
description: The container image to use for the neutron config_volume
type: string
OvnMetadataAgentLoggingSource:
type: json
default:
tag: openstack.neutron.agent.ovn-metadata
file: /var/log/containers/neutron/networking-ovn-metadata-agent.log
OVNEnableHaproxyDockerWrapper:
description: Generate a wrapper script so that haproxy is launched in a separate container.
type: boolean
default: true
Debug:
type: boolean
default: false
description: Set to True to enable debugging on all services.
OVNWrapperDebug:
type: boolean
default: false
description: Controls debugging for the wrapper scripts.
ContainerCli:
type: string
default: 'podman'
description: CLI tool used to manage containers.
constraints:
- allowed_values: ['docker', 'podman']
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
NeutronMetadataProxySharedSecret:
description: Shared secret to prevent spoofing
type: string
hidden: true
NeutronMetadataWorkers:
default: ''
description: |
Sets the number of worker processes for the neutron OVN metadata agent.
The default value results in the configuration being left unset and a
system-dependent default will be chosen (usually the number of
processors). Please note that this can result in a large number of
processes and memory consumption on systems with a large core count. On
such systems it is recommended that a non-default value be selected that
matches the load requirements.
type: string
OVNSouthboundServerPort:
description: Port of the OVN Southbound DB server
type: number
default: 6642
OVNDbConnectionTimeout:
description: Timeout in seconds for the OVSDB connection transaction
type: number
default: 180
MonitoringSubscriptionOvnMetadata:
default: 'overcloud-ovn-metadata'
type: string
OvnMetadataAgentDebug:
default: false
description: Set to True to enable debugging for OVN Metadata agent.
type: boolean
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
DockerAdditionalSockets:
default: ['/var/lib/openstack/docker.sock']
description: Additional domain sockets for the docker daemon to bind to (useful for mounting
into containers that launch other containers)
type: comma_delimited_list
OVNRemoteProbeInterval:
description: Probe interval in ms
type: number
default: 60000
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
OvnMetadataCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
neutron_metadata_workers_set:
not: {equals : [{get_param: NeutronMetadataWorkers}, '']}
key_size_override_set:
not: {equals: [{get_param: OvnMetadataCertificateKeySize}, '']}
resources:
ContainersCommon:
type: ../containers-common.yaml
NeutronBase:
type: ../neutron/neutron-base.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NeutronLogging:
type: OS::TripleO::Services::Logging::NeutronCommon
properties:
NeutronServiceName: ovn-metadata-agent
outputs:
role_data:
description: Role data for OVNMetadata agent
value:
service_name: ovn_metadata
monitoring_subscription: {get_param: MonitoringSubscriptionOvnMetadata}
config_settings:
map_merge:
- get_attr: [NeutronBase, role_data, config_settings]
- get_attr: [NeutronLogging, config_settings]
- tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::enable_haproxy_wrapper: {get_param: OVNEnableHaproxyDockerWrapper}
tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::haproxy_process_wrapper: '/var/lib/neutron/ovn_metadata_haproxy_wrapper'
tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::haproxy_image: {get_param: ContainerOvnMetadataImage}
tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::debug:
if:
- {get_param: OVNWrapperDebug}
- true
- {get_param: Debug}
tripleo::profile::base::neutron::container_cli: {get_param: ContainerCli}
neutron::agents::ovn_metadata::shared_secret: {get_param: NeutronMetadataProxySharedSecret}
neutron::agents::ovn_metadata::metadata_host: {get_param: [EndpointMap, NovaMetadataCellInternal, host_nobrackets]}
neutron::agents::ovn_metadata::ovsdb_connection_timeout: {get_param: OVNDbConnectionTimeout}
ovn::southbound::port: {get_param: OVNSouthboundServerPort}
neutron::agents::ovn_metadata::ovn_remote_probe_interval: {get_param: OVNRemoteProbeInterval}
neutron::agents::ovn_metadata::debug:
if:
- {get_param: OvnMetadataAgentDebug}
- true
- {get_param: Debug}
neutron::agents::ovn_metadata::metadata_protocol:
if:
- {get_param: EnableInternalTLS}
- 'https'
- 'http'
neutron::agents::ovn_metadata::metadata_workers:
if:
- neutron_metadata_workers_set
- {get_param: NeutronMetadataWorkers}
- if:
- {get_param: EnableInternalTLS}
- tripleo::profile::base::neutron::ovn_metadata::ovn_sb_ca_cert: {get_param: InternalTLSCAFile}
tripleo::profile::base::neutron::ovn_metadata::protocol: 'ssl'
tripleo::profile::base::neutron::ovn_metadata::ovn_sb_certificate: '/etc/pki/tls/certs/ovn_metadata.crt'
tripleo::profile::base::neutron::ovn_metadata::ovn_sb_private_key: '/etc/pki/tls/private/ovn_metadata.key'
puppet_config:
puppet_tags: neutron_config,ovn_metadata_agent_config
config_volume: neutron
step_config: |
include tripleo::profile::base::neutron::ovn_metadata
config_image: {get_param: ContainerNeutronConfigImage}
volumes:
- /lib/modules:/lib/modules:ro
- /run/openvswitch:/run/openvswitch:shared,z
kolla_config:
/var/lib/kolla/config_files/ovn_metadata_agent.json:
command:
list_join:
- ' '
- - /usr/bin/networking-ovn-metadata-agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/networking-ovn/networking-ovn-metadata-agent.ini
- get_attr: [NeutronLogging, cmd_extra_args]
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/neutron
owner: neutron:neutron
recurse: true
- path: /var/lib/neutron
owner: neutron:neutron
recurse: true
- path: /etc/pki/tls/certs/ovn_metadata.crt
owner: neutron:neutron
optional: true
perm: '0644'
- path: /etc/pki/tls/private/ovn_metadata.key
owner: neutron:neutron
optional: true
perm: '0644'
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
docker_config:
step_2:
create_haproxy_wrapper:
start_order: 1
detach: false
net: host
pid: host
user: root
command: # '/container_puppet_apply.sh "STEP" "TAGS" "CONFIG" "DEBUG"'
list_concat:
- - '/container_puppet_apply.sh'
- '4'
- 'file'
- 'include ::tripleo::profile::base::neutron::ovn_metadata_agent_wrappers'
image: {get_param: ContainerOvnMetadataImage}
volumes:
list_concat:
- {get_attr: [ContainersCommon, container_puppet_apply_volumes]}
- - /run/openvswitch:/run/openvswitch:shared,z
- /var/lib/neutron:/var/lib/neutron:shared,z
step_4:
setup_ovs_manager:
start_order: 0
detach: false
net: host
privileged: true
user: root
command: # '/container_puppet_apply.sh "STEP" "TAGS" "CONFIG" "DEBUG"'
list_concat:
- - '/container_puppet_apply.sh'
- '4'
- 'exec'
- 'include tripleo::profile::base::neutron::ovn_metadata'
image: {get_param: ContainerOvnMetadataImage}
volumes:
list_concat:
- {get_attr: [ContainersCommon, container_puppet_apply_volumes]}
- - /lib/modules:/lib/modules:ro
- /run/openvswitch:/run/openvswitch:shared,z
environment:
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
ovn_metadata_agent:
start_order: 1
image: {get_param: ContainerOvnMetadataImage}
net: host
pid: host
cgroupns: host
privileged: true
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NeutronLogging, volumes]}
- - /var/lib/kolla/config_files/ovn_metadata_agent.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro
- /lib/modules:/lib/modules:ro
- /run/openvswitch:/run/openvswitch:shared,z
- /var/lib/neutron:/var/lib/neutron:shared,z
- /run/netns:/run/netns:shared
- /var/lib/neutron/kill_scripts:/etc/neutron/kill_scripts:shared,z
- if:
- {get_param: OVNEnableHaproxyDockerWrapper}
- - /var/lib/neutron/ovn_metadata_haproxy_wrapper:/usr/local/bin/haproxy:ro
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/ovn_metadata.crt:/etc/pki/tls/certs/ovn_metadata.crt
- /etc/pki/tls/private/ovn_metadata.key:/etc/pki/tls/private/ovn_metadata.key
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
metadata_settings:
list_concat:
- {get_attr: [NeutronBase, role_data, metadata_settings]}
- if:
- {get_param: EnableInternalTLS}
- - service: ovn_metadata
network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
type: node
deploy_steps_tasks:
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ovn_metadata
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_metadata/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_set
- {get_param: OvnMetadataCertificateKeySize}
- {get_param: CertificateKeySize}
ca: ipa
host_prep_tasks:
list_concat:
- {get_attr: [NeutronLogging, host_prep_tasks]}
- - name: create /run/netns with temp namespace
command: ip netns add ns_temp
register: ipnetns_add_result
failed_when: false
- name: remove temp namespace
command: ip netns delete ns_temp
failed_when: false
when:
- ipnetns_add_result.rc is defined
- ipnetns_add_result.rc == 0
- name: create /var/lib/neutron
file:
path: /var/lib/neutron
state: directory
setype: container_file_t
- name: set conditions
set_fact:
haproxy_wrapper_enabled: {get_param: OVNEnableHaproxyDockerWrapper}
debug_enabled:
if:
- {get_param: OVNWrapperDebug}
- true
- {get_param: Debug}
docker_additional_sockets: {get_param: DockerAdditionalSockets}
- name: create kill_scripts directory within /var/lib/neutron
file:
state: directory
path: /var/lib/neutron/kill_scripts
- name: create haproxy kill script
when: haproxy_wrapper_enabled|bool
copy:
dest: /var/lib/neutron/kill_scripts/haproxy-kill
mode: 0755
content: {get_file: ../neutron/kill-script}
upgrade_tasks: []