tripleo-heat-templates/deployment/neutron/neutron-ovs-agent-container-puppet.yaml
Cédric Jeanneret 0074098f0e Cleanup iptables resources
The only supported firewall engine is nftables from now on.
Tripleo-ansible has been cleaned from its tripleo_iptables related
resources and actions, meaning we don't need to keep the FirewallEngine
anymore.

This patch also removes an old and deprecated upgrade action related to
puppet-firewall - since Train, we're using tripleo_iptables and related,
meaning there shouldn't be any trailing config at this point. Especially
since iptables and ip6tables services are now deactivated for good.

Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/860063
Change-Id: I18d23125a468cb2db5ff33979d8b810a0207819a
2022-10-03 08:07:31 +02:00

406 lines
16 KiB
YAML

heat_template_version: wallaby
description: >
OpenStack Neutron openvswitch service
parameters:
ContainerOpenvswitchImage:
description: image
type: string
tags:
- role_specific
ContainerNeutronConfigImage:
description: The container image to use for the neutron config_volume
type: string
tags:
- role_specific
DockerOpenvswitchUlimit:
default: ['nofile=16384']
description: ulimit for Openvswitch Container
type: comma_delimited_list
NeutronOpenVswitchAgentLoggingSource:
type: json
default:
tag: openstack.neutron.agent.openvswitch
file: /var/log/containers/neutron/openvswitch-agent.log
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
PythonInterpreter:
type: string
description: The python interpreter to use for python and ansible actions
default: "$(command -v python3 || command -v python)"
NeutronEnableL2Pop:
type: string
description: Enable/disable the L2 population feature in the Neutron agents.
default: "False"
NeutronBridgeMappings:
description: >
The OVS logical->physical bridge mappings to use. See the Neutron
documentation for details. Defaults to mapping br-ex - the external
bridge on hosts - to a physical name 'datacentre' which can be used
to create provider networks (and we use this for the default floating
network) - if changing this either use different post-install network
scripts or be sure to keep 'datacentre' as a mapping network name.
type: comma_delimited_list
default: "datacentre:br-ex"
tags:
- role_specific
NeutronTunnelTypes:
default: 'vxlan'
description: The tunnel types for the Neutron tenant network.
type: comma_delimited_list
NeutronAgentExtensions:
default: "qos"
description: |
Comma-separated list of extensions enabled for the Neutron agents.
type: comma_delimited_list
NeutronEnableDVR:
default: false
description: Enable Neutron DVR.
type: boolean
NeutronEnableARPResponder:
default: false
description: |
Enable ARP responder feature in the OVS Agent.
type: boolean
MonitoringSubscriptionNeutronOvs:
default: 'overcloud-neutron-ovs-agent'
type: string
NeutronOVSFirewallDriver:
default: ''
description: |
Configure the classname of the firewall driver to use for implementing
security groups. Possible values depend on system configuration. Some
examples are: noop, openvswitch, iptables_hybrid. The default value of an
empty string will result in a default supported configuration.
type: string
OvsHwOffload:
default: false
description: |
Enable OVS Hardware Offload. This feature supported from OVS 2.8.0
type: boolean
tags:
- role_specific
OvsDisableEMC:
default: false
description: |
Disable OVS Exact Match Cache.
type: boolean
tags:
- role_specific
NeutronOVSTunnelCsum:
default: false
description: |
Set or un-set the tunnel header checksum on outgoing IP packet
carrying GRE/VXLAN tunnel.
type: boolean
NeutronPermittedEthertypes:
default: []
description: |
Set additional ethertypes to to be configured on neutron firewalls.
type: comma_delimited_list
NeutronOvsResourceProviderBandwidths:
description: >
Comma-separated list of <bridge>:<egress_bw>:<ingress_bw> tuples, showing
the available bandwidth for the given bridge in the given direction. The
direction is meant from VM perspective. Bandwidth is measured in kilobits
per second (kbps). The bridge must appear in bridge_mappings as the value.
type: comma_delimited_list
default: ""
tags:
- role_specific
NeutronEnableIgmpSnooping:
description: Enable IGMP Snooping.
type: boolean
default: false
NeutronOVSAgentLoggingRateLimit:
default: 100
description: |
Maximum number of packets logging per second
type: number
NeutronOVSAgentLoggingBurstLimit:
default: 25
description: |
Maximum number of packets per rate_limit
type: number
NeutronOVSAgentLoggingLocalOutputLogBase:
default: ''
description: |
Output logfile path on agent side, default syslog file
type: string
conditions:
firewall_driver_set:
not: {equals : [{get_param: NeutronOVSFirewallDriver}, '']}
ethertypes_set:
not: {equals : [{get_param: NeutronPermittedEthertypes}, []]}
network_log_local_output_log_base_set:
not: {equals : [{get_param: NeutronOVSAgentLoggingLocalOutputLogBase}, '']}
resources:
ContainersCommon:
type: ../containers-common.yaml
# Merging role-specific parameters (RoleParameters) with the default parameters.
# RoleParameters will have the precedence over the default parameters.
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- neutron::agents::ml2::ovs::bridge_mappings: NeutronBridgeMappings
vswitch::ovs::enable_hw_offload: OvsHwOffload
vswitch::ovs::disable_emc: OvsDisableEMC
neutron::agents::ml2::ovs::resource_provider_bandwidths: NeutronOvsResourceProviderBandwidths
ContainerOpenvswitchImage: ContainerOpenvswitchImage
ContainerNeutronConfigImage: ContainerNeutronConfigImage
- values: {get_param: [RoleParameters]}
- values:
NeutronBridgeMappings: {get_param: NeutronBridgeMappings}
OvsHwOffload: {get_param: OvsHwOffload}
OvsDisableEMC: {get_param: OvsDisableEMC}
NeutronOvsResourceProviderBandwidths: {get_param: NeutronOvsResourceProviderBandwidths}
ContainerOpenvswitchImage: {get_param: ContainerOpenvswitchImage}
ContainerNeutronConfigImage: {get_param: ContainerNeutronConfigImage}
NeutronBase:
type: ./neutron-base.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NeutronLogging:
type: OS::TripleO::Services::Logging::NeutronCommon
properties:
NeutronServiceName: openvswitch-agent
outputs:
role_data:
description: Role data for Neutron openvswitch service
value:
service_name: neutron_ovs_agent
firewall_rules:
'118 neutron vxlan networks':
proto: 'udp'
dport: 4789
'120 neutron vxlan networks no conntrack':
proto: 'udp'
dport: 4789
table: 'raw'
chain: 'OUTPUT'
jump: 'NOTRACK'
action: 'append'
state: []
'121 neutron vxlan networks no conntrack':
proto: 'udp'
dport: 4789
table: 'raw'
chain: 'PREROUTING'
jump: 'NOTRACK'
action: 'append'
state: []
'136 neutron gre networks':
proto: 'gre'
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronOvs}
config_settings:
map_merge:
- get_attr: [NeutronBase, role_data, config_settings]
- get_attr: [RoleParametersValue, value]
- get_attr: [NeutronLogging, config_settings]
- neutron::agents::ml2::ovs::l2_population: {get_param: NeutronEnableL2Pop}
neutron::agents::ml2::ovs::arp_responder: {get_param: NeutronEnableARPResponder}
neutron::agents::ml2::ovs::tunnel_types: {get_param: NeutronTunnelTypes}
neutron::agents::ml2::ovs::extensions: {get_param: NeutronAgentExtensions}
neutron::agents::ml2::ovs::tunnel_csum: {get_param: NeutronOVSTunnelCsum}
neutron::agents::ml2::ovs::igmp_snooping_enable: {get_param: NeutronEnableIgmpSnooping}
neutron::agents::ml2::ovs::resource_provider_default_hypervisor: "%{lookup('fqdn_canonical')}"
# NOTE: bind IP is found in hiera replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
neutron::agents::ml2::ovs::local_ip:
str_replace:
template:
"%{lookup('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
neutron::agents::ml2::ovs::enable_distributed_routing: {get_param: NeutronEnableDVR}
neutron::agents::ml2::ovs::firewall_driver:
if:
- firewall_driver_set
- {get_param: NeutronOVSFirewallDriver}
neutron::agents::ml2::ovs::permitted_ethertypes:
if:
- ethertypes_set
- {get_param: NeutronPermittedEthertypes}
- neutron::agents::ml2::ovs::network_log_rate_limit: {get_param: NeutronOVSAgentLoggingRateLimit}
- neutron::agents::ml2::ovs::network_log_burst_limit: {get_param: NeutronOVSAgentLoggingBurstLimit}
- if:
- network_log_local_output_log_base_set
- neutron::agents::ml2::ovs::network_log_local_output_log_base: {get_param: NeutronOVSAgentLoggingLocalOutputLogBase}
service_config_settings:
map_merge:
- get_attr: [NeutronBase, role_data, service_config_settings]
- rsyslog:
tripleo_logging_sources_neutron_ovs_agent:
- {get_param: NeutronOpenVswitchAgentLoggingSource}
collectd:
tripleo.collectd.plugins.neutron_ovs_agent:
- ovs_events
- ovs_stats
collectd::plugin::ovs_events::socket: '/run/openvswitch/db.sock'
collectd::plugin::ovs_stats::socket: '/run/openvswitch/db.sock'
neutron_api:
neutron::server::router_distributed: {get_param: NeutronEnableDVR}
neutron::server::enable_dvr: {get_param: NeutronEnableDVR}
puppet_config:
config_volume: neutron
puppet_tags: neutron_config,neutron_agent_ovs,neutron_plugin_ml2,vs_config
step_config: |
include tripleo::profile::base::neutron::ovs
config_image: {get_attr: [RoleParametersValue, value, ContainerNeutronConfigImage]}
# We need to mount /run for puppet_config step. This is because
# puppet-vswitch runs the commands "ovs-vsctl list open_vswitch ."
# when running vswitch::ovs::enable_hw_offload: true
# ovs-vsctl talks to the ovsdb-server (hosting conf.db)
# on the unix domain socket - /run/openvswitch/db.sock
volumes:
- /lib/modules:/lib/modules:ro
- /run/openvswitch:/run/openvswitch:shared,z
kolla_config:
/var/lib/kolla/config_files/neutron_ovs_agent.json:
command: /neutron_ovs_agent_launcher.sh
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/neutron
owner: neutron:neutron
recurse: true
container_config_scripts:
neutron_ovs_agent_launcher.sh:
mode: "0755"
content:
str_replace:
template: |
#!/bin/bash
set -xe
PYTHON -m neutron.cmd.destroy_patch_ports \
--config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini \
--config-dir /etc/neutron/conf.d/common \
--config-dir /etc/neutron/conf.d/neutron-openvswitch-agent \
--log-file=/var/log/neutron/openvswitch-agent.log
/usr/bin/neutron-openvswitch-agent \
--config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini \
--config-dir /etc/neutron/conf.d/common \
--log-file=/var/log/neutron/openvswitch-agent.log
params:
PYTHON: {get_param: PythonInterpreter}
docker_config:
step_4:
neutron_ovs_agent:
start_order: 10
image: {get_attr: [RoleParametersValue, value, ContainerOpenvswitchImage]}
net: host
pid: host
privileged: true
security_opt:
- label=disable
restart: always
depends_on:
- openvswitch.service
healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
ulimit: {get_param: DockerOpenvswitchUlimit}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NeutronLogging, volumes]}
- - /var/lib/kolla/config_files/neutron_ovs_agent.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro
- /var/lib/container-config-scripts/neutron_ovs_agent_launcher.sh:/neutron_ovs_agent_launcher.sh:ro
- /lib/modules:/lib/modules:ro
- /run/openvswitch:/run/openvswitch:shared,z
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
metadata_settings:
get_attr: [NeutronBase, role_data, metadata_settings]
host_prep_tasks:
list_concat:
- {get_attr: [NeutronLogging, host_prep_tasks]}
- - block:
- name: load openvswitch module
import_role:
name: tripleo_module_load
vars:
modules:
- name: openvswitch
- name: Copy in cleanup script
copy:
content: {get_file: ./neutron-cleanup}
dest: '/usr/libexec/neutron-cleanup'
force: true
mode: '0755'
- name: Copy in cleanup service
copy:
content: {get_file: ./neutron-cleanup.service}
dest: '/usr/lib/systemd/system/neutron-cleanup.service'
force: true
- name: Enabling the cleanup service
service:
name: neutron-cleanup
enabled: true
when: not (ansible_check_mode|bool)
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: true
state: true
when:
- ansible_facts.selinux is defined
- ansible_facts.selinux.status == "enabled"
- block:
- name: Create the ovs bridges
shell: |
ovs-vsctl --may-exist add-br "{{ item.split(':')[1] }}"
with_items: {get_attr: [RoleParametersValue, value, 'neutron::agents::ml2::ovs::bridge_mappings']}
- name: Activate the ovs bridges
shell: |
ip link set dev "{{ item.split(':')[1] }}" up
with_items: {get_attr: [RoleParametersValue, value, 'neutron::agents::ml2::ovs::bridge_mappings']}
update_tasks: []