yatin
70276931a4
Nova compute and cinder volume uses oslo concurrency processuitls.execute to run privileged commands. Containers inherit file descriptor limit from docker daemon (currently:1048576) which is too high and leads to performance issue. This patch sets nofile limit to 1024 for nova compute and 131072 for cinder volume, which is reasonable as before containers nova compute used host defaults i.e 1024 and cinder volume systemctl override([1]) i.e 131072. Also updated neutron l3, dhcp and ovs agent to use Parameters for ulimit configuration. [1] https://review.rdoproject.org/r/#/c/1360/. Closes-Bug: #1762455 Related-Bug: #1760471 Related-Bug: #1757556 Change-Id: I4d4b36de32f8a8e311efd87ea1c4095c5568dec4
204 lines
7.4 KiB
YAML
204 lines
7.4 KiB
YAML
heat_template_version: queens
|
|
|
|
description: >
|
|
OpenStack containerized Neutron DHCP service
|
|
|
|
parameters:
|
|
DockerNeutronDHCPImage:
|
|
description: image
|
|
type: string
|
|
DockerNeutronConfigImage:
|
|
description: The container image to use for the neutron config_volume
|
|
type: string
|
|
DockerNeutronDHCPAgentUlimit:
|
|
default: ['nofile=1024']
|
|
description: ulimit for Neutron DHCP Agent Container
|
|
type: comma_delimited_list
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
|
|
conditions:
|
|
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ./containers-common.yaml
|
|
|
|
NeutronBase:
|
|
type: ../../puppet/services/neutron-dhcp.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
NeutronLogging:
|
|
type: OS::TripleO::Services::Logging::NeutronCommon
|
|
properties:
|
|
NeutronServiceName: dhcp-agent
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Neutron DHCP role.
|
|
value:
|
|
service_name: {get_attr: [NeutronBase, role_data, service_name]}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [NeutronBase, role_data, config_settings]
|
|
- get_attr: [NeutronLogging, config_settings]
|
|
- if:
|
|
- internal_tls_enabled
|
|
- tripleo::certmonger::neutron::postsave_cmd: "true" # TODO: restart the container here
|
|
- {}
|
|
logging_source: {get_attr: [NeutronBase, role_data, logging_source]}
|
|
logging_groups: {get_attr: [NeutronBase, role_data, logging_groups]}
|
|
service_config_settings: {get_attr: [NeutronBase, role_data, service_config_settings]}
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: neutron
|
|
puppet_tags: neutron_config,neutron_dhcp_agent_config
|
|
step_config:
|
|
get_attr: [NeutronBase, role_data, step_config]
|
|
config_image: {get_param: DockerNeutronConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/neutron_dhcp.json:
|
|
command:
|
|
list_join:
|
|
- ' '
|
|
- - /usr/bin/neutron-dhcp-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/dhcp_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-dhcp-agent
|
|
- get_attr: [NeutronLogging, cmd_extra_args]
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/neutron
|
|
owner: neutron:neutron
|
|
recurse: true
|
|
- path: /var/lib/neutron
|
|
owner: neutron:neutron
|
|
recurse: true
|
|
- path: /etc/pki/tls/certs/neutron.crt
|
|
owner: neutron:neutron
|
|
- path: /etc/pki/tls/private/neutron.key
|
|
owner: neutron:neutron
|
|
docker_config:
|
|
step_4:
|
|
neutron_dhcp:
|
|
start_order: 10
|
|
image: {get_param: DockerNeutronDHCPImage}
|
|
net: host
|
|
pid: host
|
|
privileged: true
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
ulimit: {get_param: DockerNeutronDHCPAgentUlimit}
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [NeutronLogging, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/neutron_dhcp.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro
|
|
- /lib/modules:/lib/modules:ro
|
|
- /run/openvswitch:/run/openvswitch
|
|
- /var/lib/neutron:/var/lib/neutron
|
|
- /run/netns:/run/netns:shared
|
|
-
|
|
if:
|
|
- internal_tls_enabled
|
|
- - /etc/pki/tls/certs/neutron.crt:/etc/pki/tls/certs/neutron.crt:ro
|
|
- /etc/pki/tls/private/neutron.key:/etc/pki/tls/private/neutron.key:ro
|
|
- list_join:
|
|
- ':'
|
|
- - {get_param: InternalTLSCAFile}
|
|
- {get_param: InternalTLSCAFile}
|
|
- 'ro'
|
|
- null
|
|
environment:
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
metadata_settings:
|
|
get_attr: [NeutronBase, role_data, metadata_settings]
|
|
host_prep_tasks:
|
|
list_concat:
|
|
- {get_attr: [NeutronLogging, host_prep_tasks]}
|
|
- - name: create /var/lib/neutron
|
|
file:
|
|
path: /var/lib/neutron
|
|
state: directory
|
|
upgrade_tasks:
|
|
- name: Check if neutron_dhcp_agent is deployed
|
|
command: systemctl is-enabled --quiet neutron-dhcp-agent
|
|
tags: common
|
|
ignore_errors: True
|
|
register: neutron_dhcp_agent_enabled
|
|
- name: "PreUpgrade step0,validation: Check service neutron-dhcp-agent is running"
|
|
command: systemctl is-active --quiet neutron-dhcp-agent
|
|
when:
|
|
- step|int == 0
|
|
- neutron_dhcp_agent_enabled.rc == 0
|
|
tags: validation
|
|
- name: Stop and disable neutron_dhcp service
|
|
when:
|
|
- step|int == 2
|
|
- neutron_dhcp_agent_enabled.rc == 0
|
|
service: name=neutron-dhcp-agent state=stopped enabled=no
|
|
fast_forward_upgrade_tasks:
|
|
- name: Check if neutron_dhcp_agent is deployed
|
|
command: systemctl is-enabled --quiet neutron-dhcp-agent
|
|
ignore_errors: True
|
|
register: neutron_dhcp_agent_enabled_result
|
|
when:
|
|
- step|int == 0
|
|
- release == 'ocata'
|
|
- name: Set fact neutron_dhcp_agent_enabled
|
|
set_fact:
|
|
neutron_dhcp_agent_enabled: "{{ neutron_dhcp_agent_enabled_result.rc == 0 }}"
|
|
when:
|
|
- step|int == 0
|
|
- release == 'ocata'
|
|
- name: Stop neutron_dhcp_agent
|
|
service: name=neutron-dhcp-agent state=stopped enabled=no
|
|
when:
|
|
- step|int == 2
|
|
- release == 'ocata'
|
|
- neutron_dhcp_agent_enabled|bool
|