remove unmaintained vpnaas from all recipes and attributes

The vpnaas agent has been removed for the OpenStack Queens release.

Virtual Private Network-as-a-Service (VPNaaS) scenario
(for Rocky, no vpnaas docs found for Queens)
https://docs.openstack.org/neutron/rocky/admin/vpnaas-scenario.html

missing release note (or doc) on vpn-agent change in queens
https://bugs.launchpad.net/neutron/+bug/1751069

vpnaas agent is removed since Queens and configuration changed
https://bugs.launchpad.net/openstack-ansible/+bug/1781148

Change-Id: Idf74445445683058cd992e95df87724579e70433
Roger Luethi 2018-09-26 14:15:34 +02:00 committed by Jan Klare
parent c874aec833
commit f03e5c65fa
No known key found for this signature in database
GPG Key ID: 1F8C347A7DC77FD2
9 changed files with 14 additions and 279 deletions


@ -169,14 +169,14 @@ this attributes.
- Installs the openstack-network API server (currently aka neutron-server)
## openstack-network::vpnaas
- Installs the VPN as a Service
The configuration for neutron-vpn-agent is generated from the attributes in
using the same template as for the neutron.conf
```
node['openstack']['network_vpnaas']['conf']
```
This recipe has been removed since it was unmaintained since the pike release
and the vpnaas module got completely removed/refactored during the queens
release. For rocky there seems to be some kind of vpnaas implementation
directly in the l3 agent
(https://docs.openstack.org/neutron/rocky/admin/vpnaas-scenario.html), but
since the documentation about it is quite sparse right now, there is no recipe
for that. If you want to add vpnaas back to this cookbook, please feel free to
push a pull request.
License and Author
==================


@ -135,32 +135,6 @@ default['openstack']['network_metering']['conf'].tap do |conf|
'neutron.services.metering.drivers.iptables.iptables_driver.IptablesMeteringDriver'
end
# ============================= VPN Agent Configuration ====================
# vpn_device_driver_packages in platform-specific settings is used to get driver dependencies installed, default is strongswan
# vpn_device_driver_services in platform-specific settings is used to enable services required by vpn drivers, default is strongswan
# To enable 'vpnaas' as service_plugin, you need to add it to neutron.conf
# ['Default']['service_plugins']
# Set to true to enable vpnaas
default['openstack']['network_vpnaas']['enabled'] = false
# Custom the vpnaas config file path
default['openstack']['network_vpnaas']['config_file'] = '/etc/neutron/vpn_agent.ini'
default['openstack']['network_vpnaas']['conf'].tap do |conf|
# VPN device drivers which vpn agent will use
conf['DEFAULT']['interface_driver'] =
'neutron.agent.linux.interface.OVSInterfaceDriver'
conf['vpnagent']['vpn_device_driver'] =
'neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver'
# Status check interval for ipsec vpn
conf['ipsec']['ipsec_status_check_interval'] = 60
# default_config_area settings is used to set the area where default StrongSwan configuration files are located
case node['platform_family']
when 'fedora', 'rhel'
conf['strongswan']['default_config_area'] = '/usr/share/strongswan/templates/config/strongswan.d'
when 'debian'
conf['strongswan']['default_config_area'] = '/etc/strongswan.d'
end
end
# ============================= LBaaS Agent Configuration ==================
# To enable 'lbaas' as service_plugin, you need to add it to neutron.conf
# ['Default']['service_plugins']
@ -197,16 +171,10 @@ default['openstack']['network_fwaas']['config_file'] = '/etc/neutron/fwaas_drive
default['openstack']['network']['platform'].tap do |platform|
platform['user'] = 'neutron'
platform['group'] = 'neutron'
platform['vpn_device_driver_packages'] =
%w(strongswan)
platform['neutron_dhcp_agent_service'] =
'neutron-dhcp-agent'
platform['neutron_l3_agent_service'] =
'neutron-l3-agent'
platform['neutron_vpn_agent_service'] =
'neutron-vpn-agent'
platform['vpn_device_driver_services'] =
%w(strongswan)
platform['neutron_lb_agent_service'] =
'neutron-lbaasv2-agent'
platform['neutron_metadata_agent_service'] =
@ -217,8 +185,6 @@ default['openstack']['network']['platform'].tap do |platform|
'neutron-server'
platform['neutron_lbaas_python_dependencies'] =
%w(python-neutron-lbaas)
platform['neutron_vpnaas_python_dependencies'] =
%w(python-neutron-vpnaas)
case node['platform_family']
when 'fedora', 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this
platform['neutron_packages'] =
@ -230,8 +196,6 @@ default['openstack']['network']['platform'].tap do |platform|
platform['neutron_plugin_package'] =
'neutron-plugin-ml2'
# openstack-neutron-fwaas
platform['neutron_vpnaas_packages'] =
%w(openstack-neutron-vpnaas iproute)
platform['neutron_lbaas_packages'] =
%w(openstack-neutron-lbaas haproxy iproute)
platform['neutron_openvswitch_packages'] =
@ -262,8 +226,6 @@ default['openstack']['network']['platform'].tap do |platform|
platform['neutron_l3_packages'] =
%w(neutron-l3-agent radvd keepalived)
# python-neutron-fwaas
platform['neutron_vpnaas_packages'] =
%w(python-neutron-vpnaas neutron-vpn-agent)
platform['neutron_lbaas_packages'] =
%w(python-neutron-lbaas neutron-lbaas-common neutron-lbaasv2-agent haproxy)
platform['neutron_openvswitch_packages'] =


@ -29,16 +29,6 @@ bash 'migrate network database' do
EOF
end
# Only if the vpnaas is enabled, migrate the database.
bash 'migrate vpnaas database' do
only_if { node['openstack']['network_vpnaas']['enabled'] }
timeout timeout
migrate_command = "neutron-db-manage --subproject neutron-vpnaas --config-file /etc/neutron/neutron.conf --config-file #{plugin_config_file}"
code <<-EOF
#{migrate_command} upgrade head
EOF
end
# Only if the fwaas is enabled, migrate the database.
bash 'migrate fwaas database' do
only_if { node['openstack']['network_fwaas']['enabled'] }


@ -44,27 +44,15 @@ template node['openstack']['network_l3']['config_file'] do
variables(
service_config: service_config
)
# Not restart l3 agent to avoid synchronization problem, when vpn agent is enabled.
unless node['openstack']['network_vpnaas']['enabled']
notifies :restart, 'service[neutron-l3-agent]'
end
notifies :restart, 'service[neutron-l3-agent]'
end
# See http://docs.openstack.org/admin-guide-cloud/content/section_adv_cfg_l3_agent.html
service 'neutron-l3-agent' do
service_name platform_options['neutron_l3_agent_service']
supports status: true, restart: true
# As l3 and vpn agents are both working based on l3 bisic strategy, and there will be
# potential synchronization problems when vpn and l3 agents both running in network node.
# So if the vpn agent is enabled, we should stop and disable the l3 agent.
if node['openstack']['network_vpnaas']['enabled']
action [:stop, :disable]
else
action [:enable, :start]
subscribes :restart, [
'template[/etc/neutron/neutron.conf]',
"template[#{node['openstack']['network_fwaas']['config_file']}]",
]
end
action [:enable, :start]
subscribes :restart, [
'template[/etc/neutron/neutron.conf]',
"template[#{node['openstack']['network_fwaas']['config_file']}]",
]
end
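Review bot: The now-unconditional `action [:enable, :start]` on `service 'neutron-l3-agent'` brings the l3 agent back on nodes previously converged with `network_vpnaas` enabled, but nothing in this commit stops or disables the `neutron-vpn-agent` service that the removed recipe had enabled and started there. Those nodes would presumably end up with both agents running, which is the situation the deleted comment warned about, and with strongswan and `/etc/neutron/vpn_agent.ini` left on the host outside Chef's management. Consider a transitional cleanup resource such as `service 'neutron-vpn-agent' do action [:stop, :disable] end` (guarded so it is a no-op where the unit was never installed), or at least an upgrade note in the README telling operators to stop the agent and drop `vpnaas` from `service_plugins` before converging. The template resource this hunk edits begins above the hunk, so its full notification set is not visible here.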


@ -76,19 +76,6 @@ if node['openstack']['network_lbaas']['enabled']
end
end
if node['openstack']['network_vpnaas']['enabled']
# neutron-vpnaas-agent may not running on network node, but on network node, neutron-server still need neutron_vpnaas module
# when loading plugin if vpnaas is list in service_plugins. In this case, we don't need include vpn_agent recipe for network node, but
# we need make sure neutron vpnaas python packages get installed on network node before neutron-server start/restart, when vpnaas is enabled.
# Otherwise neutron-server will crash for couldn't find vpnaas plugin when invoking plugins from service_plugins.
platform_options['neutron_vpnaas_python_dependencies'].each do |pkg|
package pkg do
options platform_options['package_overrides']
action :upgrade
end
end
end
# Migrate network database to latest version
include_recipe 'openstack-network::db_migration'
plugin_templates = []


@ -1,74 +0,0 @@
# Encoding: utf-8
#
# Cookbook Name:: openstack-network
# Recipe:: vpn_agent
#
# Copyright 2013, AT&T
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
include_recipe 'openstack-network'
# Make Openstack object available in Chef::Recipe
class ::Chef::Recipe
include ::Openstack
end
platform_options = node['openstack']['network']['platform']
# Install package dependencies according node's vpn_device_driver.
platform_options['vpn_device_driver_packages'].each do |pkg|
package pkg do
options platform_options['package_overrides']
action :upgrade
end
end
platform_options['neutron_vpnaas_packages'].each do |pkg|
package pkg do
options platform_options['package_overrides']
action :upgrade
end
end
platform_options['vpn_device_driver_services'].each do |svc|
service 'vpn-device-driver-service' do
service_name svc
supports status: true, restart: true
action :enable
end
end
service_conf = merge_config_options 'network_vpnaas'
template node['openstack']['network_vpnaas']['config_file'] do
source 'openstack-service.conf.erb'
cookbook 'openstack-common'
owner node['openstack']['network']['platform']['user']
group node['openstack']['network']['platform']['group']
mode 0o0640
variables(
service_config: service_conf
)
end
service 'neutron-vpn-agent' do
service_name platform_options['neutron_vpn_agent_service']
supports status: true, restart: true
action [:enable, :start]
subscribes :restart, [
'template[/etc/neutron/neutron.conf]',
"template[#{node['openstack']['network_vpnaas']['config_file']}]",
"template[#{node['openstack']['network_fwaas']['config_file']}]",
]
end


@ -26,19 +26,10 @@ describe 'openstack-network::db_migration' do
end
describe 'run db-migration when services are enabled' do
before do
node.override['openstack']['network_vpnaas']['enabled'] = true
node.override['openstack']['network_fwaas']['enabled'] = true
node.override['openstack']['network_lbaas']['enabled'] = true
node.override['openstack']['network']['core_plugin_config_file'] = '/etc/neutron/plugins/ml2/ml2_conf.ini'
end
it 'uses db upgrade head when vpnaas is enabled' do
migrate_cmd = %r{neutron-db-manage --subproject neutron-vpnaas --config-file /etc/neutron/neutron.conf|
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head}
expect(chef_run).to run_bash('migrate vpnaas database').with(
code: migrate_cmd,
timeout: 3600
)
end
it 'uses db upgrade head when lbaas is enabled' do
migrate_cmd = %r{neutron-db-manage --subproject neutron-lbaas --config-file /etc/neutron/neutron.conf|
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head}
@ -61,15 +52,6 @@ describe 'openstack-network::db_migration' do
node.override['openstack']['network']['core_plugin_config_file'] = '/etc/neutron/plugins/ml2/ml2_conf.ini'
end
it 'does not use db upgrade head when vpnaas is not enabled' do
migrate_cmd = %r{neutron-db-manage --subproject neutron-vpnaas --config-file /etc/neutron/neutron.conf|
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head}
expect(chef_run).not_to run_bash('migrate vpnaas database').with(
code: migrate_cmd,
timeout: 3600
)
end
it 'does not use db upgrade head when fwaas is not enabled' do
migrate_cmd = %r{neutron-db-manage --subproject neutron-fwaas --config-file /etc/neutron/neutron.conf|
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head}


@ -1,23 +0,0 @@
# Encoding: utf-8
require_relative 'spec_helper'
describe 'openstack-network::vpnaas' do
describe 'redhat' do
let(:runner) { ChefSpec::SoloRunner.new(REDHAT_OPTS) }
let(:node) { runner.node }
let(:chef_run) do
node.override['openstack']['compute']['network']['service_type'] = 'neutron'
node.override['openstack']['network']['enable_vpn'] = true
stub_command('ovs-vsctl br-exists br-ex').and_return(false)
runner.converge(described_recipe)
end
include_context 'neutron-stubs'
it 'upgrades neutron vpn packages' do
%w(iproute openstack-neutron-vpnaas strongswan).each do |pkg|
expect(chef_run).to upgrade_package(pkg)
end
end
end
end


@ -1,77 +0,0 @@
# Encoding: utf-8
require_relative 'spec_helper'
describe 'openstack-network::vpnaas' do
describe 'ubuntu' do
let(:runner) { ChefSpec::SoloRunner.new(UBUNTU_OPTS) }
let(:node) { runner.node }
let(:chef_run) do
node.override['openstack']['compute']['network']['service_type'] = 'neutron'
runner.converge(described_recipe)
end
include_context 'neutron-stubs'
it 'include the recipe openstack-network::default' do
expect(chef_run).to include_recipe('openstack-network::default')
end
it 'upgrades vpn device driver packages' do
expect(chef_run).to upgrade_package('strongswan')
end
it 'upgrades neutron vpn packages' do
expect(chef_run).to upgrade_package('neutron-vpn-agent')
expect(chef_run).to upgrade_package('python-neutron-vpnaas')
end
it 'starts strongswan on boot' do
expect(chef_run).to enable_service('strongswan')
end
it 'starts the vpn agent on boot' do
expect(chef_run).to enable_service('neutron-vpn-agent')
end
it 'subscribes the vpn agent service to neutron.conf' do
expect(chef_run.service('neutron-vpn-agent')).to subscribe_to('template[/etc/neutron/neutron.conf]').delayed
end
it 'subscribes the vpn agent service to vpn_agent.ini' do
expect(chef_run.service('neutron-vpn-agent')).to subscribe_to('template[/etc/neutron/vpn_agent.ini]').delayed
end
describe 'vpn_agent.ini' do
let(:file) { chef_run.template('/etc/neutron/vpn_agent.ini') }
it 'creates vpn_agent.ini' do
expect(chef_run).to create_template(file.name).with(
user: 'neutron',
group: 'neutron',
mode: 0o640
)
end
describe 'vpn_device_driver' do
it 'renders one vpn_device_driver entry in vpn_agent.ini for default vpn_device_driver' do
[/^vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver$/].each do |line|
expect(chef_run).to render_config_file(file.name).with_section_content('vpnagent', line)
end
end
it 'renders no setted vpn_device_driver entry in vpn_agent.ini, when no vpn_device_driver set' do
chef_run.node.override['openstack']['network_vpnaas']['conf']['vpnagent']['vpn_device_driver'] = ''
chef_run.converge(described_recipe)
expect(chef_run).to render_config_file(file.name).with_section_content('vpnagent', /^vpn_device_driver = $/)
end
end
it 'renders default_config_area for strongswan driver' do
expect(chef_run).to render_config_file(file.name).with_section_content('strongswan', %r{^default_config_area = /etc/strongswan.d$})
end
it 'notifies the vpn agent service' do
expect(file).to notify('service[neutron-vpn-agent]').to(:restart).delayed
end
end
end
end