Commit Graph

195 Commits

Author SHA1 Message Date
Liam Young 115c34fadd Add AppArmor Rule for keepalived
A patch was introduced [0] "..which sets the backup gateway
device link down by default. When the VRRP sets the master state in
one host, the L3 agent state change procedure will
do link up action for the gateway device.".

This change causes an issue when using keepalived 2.X (focal+) which
is fixed by patch [1] which adds a new 'no_track' option to all VIPs
and routes in keepalived's config file.

Patch [1] which fixed keepalived 2.X broke keepalived 1.X (<focal).
So patch [2] was added which adds a keepalived_use_no_track config
option which is set to True to control whether the 'no_track' option
is added to the keepalived config.

Finally, patchset [3] introduces automatic detection of the
keepalived version by adding a call to `keepalived --version`
but this is denied by the package's apparmor rules.

[0] https://review.opendev.org/c/openstack/neutron/+/707406
[1] https://review.opendev.org/c/openstack/neutron/+/721799
[2] https://review.opendev.org/c/openstack/neutron/+/745641
[3] https://review.opendev.org/c/openstack/neutron/+/757620

Change-Id: I3eb1ef3fe29a8c4e5e26953844f303c8e985248a
2021-09-22 11:30:52 +00:00
Edward Hope-Morley 3de85d46c1 Make fw driver configurable
The neutron-gateway uses the firewall driver just as other nodes
do when running neutron-openvswitch-agent. It is currently
hardcoded to the deprecated iptables_hybrid driver. This patch
allows the driver to be changed to openvswitch same as with the
neutron-openvswitch driver with a firewall-driver config option
that defaults to iptables_hybrid so as to maintain backwards
compatibility.

Change-Id: I4f5482425c91b5ad556c384abba7c27137c1948f
2021-07-20 14:55:28 +01:00
Edward Hope-Morley 8d71c41481 Add keepalived-healthcheck-interval config option
Defaults to 30s (i.e. enabled) but also allows disabling
healthchecks by setting to 0.

Change-Id: I49603c22d8085aabd6085058e4d4eb9c74e84a20
Closes-Bug: #1890900
2020-08-20 13:23:57 +01:00
wangfaxin 4dee9b0976 Fix misspell word
Change-Id: Id9fbb9e3daf32e7b575c16fc0793b495c6b05227
2020-03-24 11:59:32 +01:00
David Ames a03fe36fa6 Make ovs_use_veth a config option
This change uses a common DHCPAgentContext and takes care to check for a
pre-existing setting in the dhcp_agent.ini. Only allowing a config
change if there is no pre-existing setting.

Please review and merge charm-helpers PR:
https://github.com/juju/charm-helpers/pull/422

Partial-Bug: #1831935

func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/157
Change-Id: Ia01c637b0837a4e594d16f6565c605460ad3f922
2020-01-29 18:24:45 -08:00
Felipe Reyes 17cbdb50a2 Add ovsdb-timeout configuration option
ovsdb-timeout sets ovsdb_timeout in openvswitch_agent.ini, this option
is used to determine when ovsdb commands should be marked as fail. This
is helpful for large clouds or where the node is under pressure.

Change-Id: I0b0e397691c49d3fcebdd30bbe9b160789acf3c3
Closes-Bug: #1849732
2019-12-15 09:18:48 -03:00
Dmitrii Shcherbakov 5ec43f6dbe Adds l3_extension_plugins to L3AgentContext ctx
* get a list of l3 plugins to enable based on relation data coming from
  neutron-api;
* refactor adding fwaasv2 service plugins to the l3 agent to accommodate
  the l3_extension_plugins change.

See https://github.com/juju/charm-helpers/pull/370
See LP: #1842353

Change-Id: Ic3a8e302942ed331bc3d80223e123c13d61db3b2
Closes-Bug: #1842353
2019-10-07 23:09:51 +03:00
Zuul 613123326a Merge "Sync charm-helpers and use "rabbit_use_ssl" for ocata" 2019-08-05 10:50:32 +00:00
Zuul 1ae213c4c3 Merge "Revert "Stop using veth pairs to connect qdhcp ns"" 2019-08-05 07:23:33 +00:00
Liam Young 9d332765e5 Revert "Stop using veth pairs to connect qdhcp ns"
Reverting as this change causes existing qdhcp namespaces to become
inaccessible.

This reverts commit bbc20dbe49.

Change-Id: I91ec8b34bd531e48d00c48512a43921f97b6d9a2
2019-08-02 11:56:17 +00:00
Corey Bryant 5c5a94fa01 Sync charm-helpers and use "rabbit_use_ssl" for ocata
Ensure "rabbit_use_ssl" is specified in the [oslo_messaging_rabbit]
config section instead of "ssl" for Ocata, since "ssl" was not yet
introduced.

Change-Id: I5c3776bf31603e93ba37e9de5a8516d1897f1935
Closes-Bug: #1838696
2019-08-01 23:05:48 -04:00
Zuul e32c5caf97 Merge "Stop using veth pairs to connect qdhcp ns" 2019-07-02 09:11:01 +00:00
Zuul 4e8b989994 Merge "Add support for FWaaS v2 logging" 2019-07-01 10:28:37 +00:00
James Page 0a809a1a19 Add support for FWaaS v2 logging
Enable support for configuration of FWaaS v2 firewall group
logging.

Configuration options mirror those for neutron-openvswitch
for security group logging.

This feature is currently only enabled for FWaaS v2 at Stein
for the charms (but is supported back to Queens in Neutron).

Change-Id: If1b332eb0f581e9acba111f79ba578a0b7081dd2
Partial-Bug: 1831972
2019-06-25 16:26:12 +01:00
Liam Young bbc20dbe49 Stop using veth pairs to connect qdhcp ns
veth pairs are currently being used to connect the qdhcp namespace
to the underlying bridge. This behaviour appears to only be needed
for old kernels with limited namespaces support (pre trusty).

Change-Id: I3b090f07c995cbf375dcc1dfdbadf0d7f10ec78e
Closes-Bug: #1832021
2019-06-20 17:14:45 +00:00
Zuul 9577778213 Merge "Enable isolated provider network metadata access" 2019-06-18 15:07:05 +00:00
David Ames ddd5228133 Enable isolated provider network metadata access
When an isolated provider network with no virtual routers metadata
access occurs in the qdhcp netns.

Without the force_metadata option in dhcp_agent.ini ns-metadata-proxy
is not enabled. ns-metadata-proxy sits in the ip netns and proxies
requests from 169.254.169.254 to the nova-api-metadata service
outside the netns.

This change adds the force_metadata option when
enable-isolated-metadata = True.

Related to LP Bug #1831935

Change-Id: I4fde7882be69772f168a1a1a201022bf9cf3cd06
2019-06-14 11:44:45 -07:00
Zhang Hua 4c150529b5 Enable keepalived VRRP health check
If you want to have vrrp watch the external networking interface
today, the option ha_vrrp_health_check_interval [1] detects a failure
it re-triggers the transitional change - which works if the external
physical interface fails because the ping will fail.

In fact, we've tried to enable it before [2], but then we had to
revert it [3] due to instability issues [4] in previous releases of
OpenStack. Maybe the previous instability issue [4] was caused by
another keepalived issue mentioned in the comment [5], now I have
tested this option again, it works.

This is how neutron allows monitoring southbound network today, so
I would suggest we add this capability into the charm again.

[1] https://docs.openstack.org/ocata/networking-guide/ \
        deploy-ovs-ha-vrrp.html#keepalived-vrrp-health-check
[2] https://review.opendev.org/#/c/601533/
[3] https://review.opendev.org/#/c/603347/
[4] https://bugs.launchpad.net/neutron/+bug/1793102
[5] https://bugs.launchpad.net/neutron/+bug/1793102/comments/5

Change-Id: If2947e7640545cb9a48215afb9b2439fdc33c645
Closes-Bug: 1825966
2019-05-08 09:54:51 +08:00
James Page dea96c0a11 stein: Switch to FWaaS v2
Stein drops support for FWaaS v1; switch agents to use FWaaS v2
drivers.

Change-Id: Iba494398df29c1e2611d06345e41146a6f8e3d6d
2019-03-20 05:51:43 +00:00
Corey Bryant c73311350e Update rabbit driver config options
The stein version of python-oslo.messaging (9.0.0+) has removed
the following config options from the [oslo_messaging_rabbit]
section:

rabbit_host, rabbit_port, rabbit_hosts, rabbit_userid,
rabbit_password, rabbit_virtual_host, rabbit_max_retries, and
rabbit_durable_queues.

The above change requires a sync from charm-helpers.

Additionally the transport_url directive has been moved to the
[DEFAULT] section.

These have been deprecated since Ocata, therefore this change
will be provided to pre-Stein templates in order to drop
deprecation warnings.

See release notes at:
https://docs.openstack.org/releasenotes/oslo.messaging/index.html

test_300_neutron_config is also removed in this change as amulet
tests no longer need to confirm config file settings.

Change-Id: I4b95c3ff4a37a09e7df5fb5cb6331dc3a46c0095
Closes-Bug: #1817672
2019-02-26 12:54:55 +00:00
David Ames 684a93515d Set dhcp_domain for nova-metadata-api
For guest operating systems that rely on nova metadata rather than dhcp
offers for host dns domain settings it is necessary to set dhcp_domain
in the nova.conf.

Change-Id: If7de988ddcd8817d02b261bea601d6922275890c
Partial-Bug: #1805645
2018-11-28 09:57:49 -08:00
Dmitrii Shcherbakov 71c0120d21 Allow Juju AZ context information to be used
The change adds an option to the charm to use JUJU_AVAILABILITY_ZONE
environment variable set by Juju for the hook environment based on the
underlying provider's availability zone information for a given machine.

This information is used to configure the availability_zone setting for
Neutron DHCP and L3 agents specifically because they support it
and for other agents (because both neutron.conf and agent-specific
configuration files are loaded) such as metadata agents and lbaas
agents.

Additionally, a setting is added to allow changing the default
availability zone because 'nova' is a default value coming from the
Neutron defaults for agents.

Change-Id: I94303aa70ee3adc6ace0f9af1e7c4f5c0edbcdb5
Closes-Bug: #1796068
2018-10-09 13:52:41 +03:00
Liam Young b14f2fc47e Remove nova metadata service
The change turns off the local nova metadata service and uses
endpoint data received from the quantum-network-service relation
to point the neutron metadata service at the nova metadata service
on the nova cloud controller for Queens+.

Depends-On: I5ad15ba782cb87b6fdb3c0941a6482d201670bff
Change-Id: I7037a20feac73f3a3f1ed1b8b1b70d0fa534bc46
2018-10-04 14:06:08 +00:00
Zhang Hua 0320b56a71 Revert "Enable keepalived VRRP health check"
We actually need this upstream feature, but we found it has
another bug (lp bug: 1793102), so revert it first.

This reverts commit 7b60534ce8.

Change-Id: I8d8a755e250d4d80e269c853a9d3d97c3f364d40
2018-09-18 17:56:39 +08:00
Zhang Hua 7b60534ce8 Enable keepalived VRRP health check
The option ha_vrrp_health_check_interval [1] can re-trigger
the election process until a master is re-elected when a multiple
masters problem appears. This is an important feature that enables
the system to recover automatically, we should enable it.

[1] https://docs.openstack.org/ocata/networking-guide/ \
        deploy-ovs-ha-vrrp.html#keepalived-vrrp-health-check

Change-Id: Iaf15ac77e249d1fe4a5101068761302e53385642
Closes-Bug: 1732154
2018-09-11 17:33:54 +08:00
Shane Peters b355ea0473 Add functionality for vendor_data
Using vendor metadata helps alleviate the need to spin custom images
for things like package mirrors, timezones, or network proxies.

Adds new config option 'vendor-data' which takes a JSON formatted
string to be used as static vendor metadata.

Adds new config option 'vendor-data-url' which takes a URL which
serves dynamic JSON formatted vendor metadata.

Adds new NovaMetadataContext class which writes
/etc/nova/vendor_data.json and enables it via nova.conf.

Closes-Bug: 1777714

Change-Id: I1d70804e59d42b0651a462c81e01d9c95626f27d
2018-07-16 14:34:34 -04:00
James Page 6e3e557a0a apparmor: Misc fixes for lbaasv2 profile
Ensure that profiles are correctly applied in network
namespace using profile flag.

Allow lbaasv2 agent binary to read /proc/*/stat to support
monitoring of haproxy instances.

Change-Id: Ifc3388e894db998bfad8e5998a02120222d9e3ae
Closes-Bug: 1770040
2018-05-14 09:24:43 +01:00
David Ames a59b4d606f Apparmor profiles for Queens
Apparmor profiles were limiting queens deployments of neutron-gateway
when aa-profile-mode was set to enforce. It led to failed instance
deployments due to neutron agents failing to execute their necessary
functions.

This change updates the profiles to be Queens ready.

Closes-Bug: #1761536

Change-Id: I2e08a2de9e4ae8139ab8e4be131631883652d029
2018-04-25 21:37:52 +00:00
James Page 802f607b8c Switch keystone authentication calls to admin ep
Ensure that the keystone admin endpoint is used for calls
to keystone, resolving issues when the public ep is not
network accessible from the neutron-gateway units.

Change-Id: I79a1183e7eddd4981367baf4a22fe2ec6374b0b9
Closes-Bug: 1756111
2018-03-19 18:00:28 +00:00
James Page bbf704cbfd Further tidy for removed features
Deploy from source templates.

zeromq section templates.

Change-Id: I336ae1ceaaa67f1d78acda14b0a2e0d0f603c777
2018-03-15 15:34:28 +00:00
Liam Young 7fd04bba83 Fix up amulet for queens
* Fix up amulet tests to use keystone v3 clients.
* Remove admin_* and auth_* for Queens l3_agent and metadata
  config files as they no longer appear to be used.

Change-Id: Ib952740b0061f76083307d04a772f613a9ba0002
2018-02-25 19:45:03 +00:00
Anton Kremenetsky bf0cdcf9ee load interface_driver using a symbolic name
Instead of relying on a full class path let's use symbolic names and
namespaces from setup.cfg which relies on stevedore to use a proper
class. This can only be used for code-paths that do not rely on direct
usage of importlib which is not the case for the metering agent, which
is why its config is left untouched.

Co-Authored-By: Anton Kremenetsky <akremenetsky@dev.rtsoft.ru>
Co-Authored-By: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
Change-Id: I4d3389a0fe376fed87265f51fdd69caf14fb3b16
Closes-Bug: #1747964
2018-02-09 09:11:51 +00:00
James Page eefb27a582 py3: Fix use of iteritems in templates
Switch to using items for dictionary iteration.

Change-Id: I5cd7e445e385dd23d5187ef251d8416bdd3db7d4
Closes-Bug: 1735797
2017-12-04 10:15:55 +00:00
David Ames b9f1eb6101 Enable xenial-pike amulet test
Make default func27-smoke xenial-pike
Charm-helpers sync

Change-Id: I13ec07348121ce9908079947f7779e09ea89c443
2017-11-14 13:17:40 -08:00
Zuul f39db13948 Merge "Fix support for FWaaS for >= Newton" 2017-10-02 11:52:43 +00:00
Liam Young a5f92548c0 Add QoS support
This patch adds support for reading the 'enable-qos' setting from the
neutron-plugin-api relation and adding 'qos' to the extension_drivers setting
if it is True. This is part of a wider set of changes to support QoS across
the neutron charms.

The amulet tests were missing the neutron-api to neutron-gateway relation; this
has been added in. A side-effect of this is that the l2-population setting is
now properly being set to True so tests were updated to expect that.

A charmhelper sync was performed to pull in the QoS update to the
NeutronAPIContext.

Note: Amulet tests will fail until the corresponding neutron-api change
lands

Depends-On: I1beba9bebdb7766fd95d47bf13b6f4ad86e762b5
Change-Id: I6dc71a96b635600b7e528a9acdfd4dc0eded9259
Partial-Bug: #1705358
2017-09-28 19:20:35 +00:00
James Page 7ab7046153 Fix support for FWaaS for >= Newton
Newton introduced the new v2 driver for the l3-agent; update
configuration to stick with v1 for the time being, ensuring
that firewalls can actually be applied to routers.

Change-Id: I44b7b84a1805bc096ffdd072665189146f63eba9
Closes-Bug: 1680164
2017-09-28 16:27:50 +01:00
Jenkins ace1b34fed Merge "Support rpc_response_timeout and report_interval in neutron.conf" 2017-09-06 14:08:21 +00:00
Billy Olsen 2b2c4b745f Add dns-servers config option for upstream dns servers
Adds a dns-servers config option for specifying the forwarding
dns servers to be used by the dnsmasq services on the neutron
dhcp agent. This enables services using internal dns to also
specify the forwarding dns servers in order to resolve hosts
outside of the neutron network space.

Change-Id: I3cd608b1491a45f565d5147894b8285e638eeaa7
Implements: blueprint internal-dns
Closes-Bug: #1713721
2017-08-31 09:22:49 -07:00
Zhang Hua 3a5a2675b5 Support rpc_response_timeout and report_interval in neutron.conf
A new mitaka neutron.conf template was introduced into the charm
lately, so both rpc_response_timeout and report_interval need to
be set into the template as well.

Change-Id: I7f34227132d5491d34ff517b8842b21ac5b2991c
Partial-Bug: #1685788
2017-08-30 15:25:42 +08:00
Jenkins dfc52d0e82 Merge "Update notification config >= mitaka" 2017-08-08 12:30:26 +00:00
Zhang Hua d49b2a18ee Support setting rpc-response-timeout and report-interval
These two options are set in neutron-api charm centrally,
this patch allows neutron-gateway charm to continue doing:

1, rpc_response_timeout
   Used by all neutron agents, so both neutron-gateway charm and
   neutron-openvswitch charm get it via its relations and set it
   in [default] of neutron.conf

2, report_interval
   Used by all neutron agents, so both neutron-gateway charm and
   neutron-openvswitch charm get it via its relations and set it
   in [agent] of neutron.conf

This patch also syncs charmhelpers for setting them centrally.

Change-Id: Ib97418b1aaf55f508cae05f4d7809d79a92a7f6f
Partial-Bug: #1685788
2017-08-01 16:02:20 +01:00
James Page d17e6b2b95 Update notification config >= mitaka
Use oslo_messaging_notifications for mitaka or later releases
including setting the transport_url to the value provided by
the AMQP context.

This removes use of deprecated configuration options for
ceilometer notifications.

Change-Id: Ia76bd5070a1a419d35327a10c560b16e3c78320e
2017-08-01 08:58:25 +01:00
Martin Hellström 4e4597e591 adds missing entries in the apparmor profiles
Change-Id: I030ccdd267f67844ff2cea328ae1d3d0275c949b
2017-07-17 23:49:59 +02:00
Felipe Reyes 4288b01fe6 Configure DHCP Agent debug level
When a user configures neutron-gateway debug=True the dhcp agent is
reconfigured setting debug=True in dhcp_agent.ini

Change-Id: Ice125d59958d12f23fefc7754abb0882c0221b15
Closes-Bug: 1701016
2017-06-28 12:01:48 -04:00
Billy Olsen c14ab76a43 Specify dns_domain in dhcp_agent.ini from neutron-api
Specify the dns_domain value in dhcp_agent.ini configuration
file in order to indicate the dns search domain which should
be advertised by the dnsmasq DHCP server.

Change-Id: Ic8d30fb087cce8d82960f616460d832740a00ec9
Implements: blueprint internal-dns
2017-05-01 14:22:23 -07:00
James Page 4efc95a857 Update notification_driver for oslo.messaging
The 'neutron.openstack.common.notifier.rpc_notifier' notification
driver key was removed from neutron in Ocata; 'messaging' has been
provided directly from oslo.messaging since icehouse, so switch to
using the newer, correct value for configuration of notifications.

Change-Id: If39d98da6848479f223cc7bc137da1a5aba1823d
Closes-Bug: 1681452
2017-04-10 15:24:01 +01:00
Jenkins c1fb99e35f Merge "Expose metadata config options" 2017-01-25 16:46:35 +00:00
Liam Young 71a303db65 Expose metadata config options
Expose the 'enable_metadata_network' and 'enable_isolated_metadata'
configuration options. enable_isolated_metadata enables the
metadata service on networks with no router port.

Change-Id: If773109007a456385adebf295d044247417135db
Closes-Bug: 1514901
2017-01-25 14:39:20 +00:00
Edward Hope-Morley 03091ad65b Add debug entry to nova.conf templates
This was previously missing making it impossible to
enable debug logging for nova-api-metadata service.

Change-Id: I7a88c4c6bb325909fc2f9046b4c266194360fe1b
Closes-Bug: 1657487
2017-01-18 15:18:39 +00:00