diff --git a/README.md b/README.md index 20dda92e..698e29b0 100644 --- a/README.md +++ b/README.md @@ -169,14 +169,14 @@ this attributes. - Installs the openstack-network API server (currently aka neutron-server) ## openstack-network::vpnaas -- Installs the VPN as a Service - -The configuration for neutron-vpn-agent is generated from the attributes in -using the same template as for the neutron.conf - -``` -node['openstack']['network_vpnaas']['conf'] -``` +This recipe has been removed since it was unmaintained since the pike release +and the vpnaas module got completely removed/refactored during the queens +release. For rocky there seems to be some kind of vpnaas implementation +directly in the l3 agent +(https://docs.openstack.org/neutron/rocky/admin/vpnaas-scenario.html), but +since the documentation about it is quite sparse right now, there is no recipe +for that. If you want to add vpnaas back to this cookbook, please feel free to +push a pull request. License and Author ================== diff --git a/attributes/default.rb b/attributes/default.rb index 1cbed54a..48858156 100644 --- a/attributes/default.rb +++ b/attributes/default.rb 
@@ -135,32 +135,6 @@ default['openstack']['network_metering']['conf'].tap do |conf| 'neutron.services.metering.drivers.iptables.iptables_driver.IptablesMeteringDriver' end -# ============================= VPN Agent Configuration ==================== -# vpn_device_driver_packages in platform-specific settings is used to get driver dependencies installed, default is strongswan -# vpn_device_driver_services in platform-specific settings is used to enable services required by vpn drivers, default is strongswan -# To enable 'vpnaas' as service_plugin, you need to add it to neutron.conf -# ['Default']['service_plugins'] -# Set to true to enable vpnaas -default['openstack']['network_vpnaas']['enabled'] = false -# Custom the vpnaas config file path -default['openstack']['network_vpnaas']['config_file'] = '/etc/neutron/vpn_agent.ini' -default['openstack']['network_vpnaas']['conf'].tap do |conf| - # VPN device drivers which vpn agent will use - conf['DEFAULT']['interface_driver'] = - 'neutron.agent.linux.interface.OVSInterfaceDriver' - conf['vpnagent']['vpn_device_driver'] = - 'neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver' - # Status check interval for ipsec vpn - conf['ipsec']['ipsec_status_check_interval'] = 60 - # default_config_area settings is used to set the area where default StrongSwan configuration files are located - case node['platform_family'] - when 'fedora', 'rhel' - conf['strongswan']['default_config_area'] = '/usr/share/strongswan/templates/config/strongswan.d' - when 'debian' - conf['strongswan']['default_config_area'] = '/etc/strongswan.d' - end -end - # ============================= LBaaS Agent Configuration ================== # To enable 'lbaas' as service_plugin, you need to add it to neutron.conf # ['Default']['service_plugins'] 
@@ -197,16 +171,10 @@ default['openstack']['network_fwaas']['config_file'] = '/etc/neutron/fwaas_drive default['openstack']['network']['platform'].tap do |platform| platform['user'] = 'neutron' platform['group'] = 'neutron' - platform['vpn_device_driver_packages'] = - %w(strongswan) platform['neutron_dhcp_agent_service'] = 'neutron-dhcp-agent' platform['neutron_l3_agent_service'] = 'neutron-l3-agent' - platform['neutron_vpn_agent_service'] = - 'neutron-vpn-agent' - platform['vpn_device_driver_services'] = - %w(strongswan) platform['neutron_lb_agent_service'] = 'neutron-lbaasv2-agent' platform['neutron_metadata_agent_service'] = @@ -217,8 +185,6 @@ default['openstack']['network']['platform'].tap do |platform| 'neutron-server' platform['neutron_lbaas_python_dependencies'] = %w(python-neutron-lbaas) - platform['neutron_vpnaas_python_dependencies'] = - %w(python-neutron-vpnaas) case node['platform_family'] when 'fedora', 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this platform['neutron_packages'] = @@ -230,8 +196,6 @@ default['openstack']['network']['platform'].tap do |platform| platform['neutron_plugin_package'] = 'neutron-plugin-ml2' # openstack-neutron-fwaas - platform['neutron_vpnaas_packages'] = - %w(openstack-neutron-vpnaas iproute) platform['neutron_lbaas_packages'] = %w(openstack-neutron-lbaas haproxy iproute) platform['neutron_openvswitch_packages'] = @@ -262,8 +226,6 @@ default['openstack']['network']['platform'].tap do |platform| platform['neutron_l3_packages'] = %w(neutron-l3-agent radvd keepalived) # python-neutron-fwaas - platform['neutron_vpnaas_packages'] = - %w(python-neutron-vpnaas neutron-vpn-agent) platform['neutron_lbaas_packages'] = %w(python-neutron-lbaas neutron-lbaas-common neutron-lbaasv2-agent haproxy) platform['neutron_openvswitch_packages'] = diff --git a/recipes/db_migration.rb b/recipes/db_migration.rb index 47643d7b..e3f2cf87 100644 --- a/recipes/db_migration.rb +++ b/recipes/db_migration.rb 
@@ -29,16 +29,6 @@ bash 'migrate network database' do EOF end -# Only if the vpnaas is enabled, migrate the database. -bash 'migrate vpnaas database' do - only_if { node['openstack']['network_vpnaas']['enabled'] } - timeout timeout - migrate_command = "neutron-db-manage --subproject neutron-vpnaas --config-file /etc/neutron/neutron.conf --config-file #{plugin_config_file}" - code <<-EOF -#{migrate_command} upgrade head -EOF -end - # Only if the fwaas is enabled, migrate the database. bash 'migrate fwaas database' do only_if { node['openstack']['network_fwaas']['enabled'] } diff --git a/recipes/l3_agent.rb b/recipes/l3_agent.rb index 78971528..2e1c9f71 100644 --- a/recipes/l3_agent.rb +++ b/recipes/l3_agent.rb @@ -44,27 +44,15 @@ template node['openstack']['network_l3']['config_file'] do variables( service_config: service_config ) - # Not restart l3 agent to avoid synchronization problem, when vpn agent is enabled. - unless node['openstack']['network_vpnaas']['enabled'] - notifies :restart, 'service[neutron-l3-agent]' - end + notifies :restart, 'service[neutron-l3-agent]' end -# See http://docs.openstack.org/admin-guide-cloud/content/section_adv_cfg_l3_agent.html - service 'neutron-l3-agent' do service_name platform_options['neutron_l3_agent_service'] supports status: true, restart: true - # As l3 and vpn agents are both working based on l3 bisic strategy, and there will be - # potential synchronization problems when vpn and l3 agents both running in network node. - # So if the vpn agent is enabled, we should stop and disable the l3 agent. - if node['openstack']['network_vpnaas']['enabled'] - action [:stop, :disable] - else - action [:enable, :start] - subscribes :restart, [ - 'template[/etc/neutron/neutron.conf]', - "template[#{node['openstack']['network_fwaas']['config_file']}]", - ] - end + action [:enable, :start] + subscribes :restart, [ + 'template[/etc/neutron/neutron.conf]', + "template[#{node['openstack']['network_fwaas']['config_file']}]", + ] end 
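Review bot: The `service 'neutron-l3-agent'` block in recipes/l3_agent.rb now runs `action [:enable, :start]` unconditionally, but nothing in the commit covers nodes that previously converged with `node['openstack']['network_vpnaas']['enabled']` set to true. On those nodes the old code stopped and disabled the l3 agent, and `neutron-vpn-agent` and strongswan are presumably still installed and enabled. After this change such a node would start the l3 agent next to a still-running vpn agent, which is the synchronization problem the removed comment warned about, and the IPsec daemon would stay on the host with no recipe applying `action :upgrade` to its packages. I would add an upgrade note to the README's vpnaas section saying the vpn agent and strongswan must be stopped, disabled and removed by hand before converging, and a comment above the service block such as `# vpnaas support was removed; neutron-vpn-agent must not be running on this node`. The template resource whose closing lines open this hunk starts outside it.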
diff --git a/recipes/server.rb b/recipes/server.rb index aaaf2fc1..602a361f 100644 --- a/recipes/server.rb +++ b/recipes/server.rb @@ -76,19 +76,6 @@ if node['openstack']['network_lbaas']['enabled'] end end -if node['openstack']['network_vpnaas']['enabled'] - # neutron-vpnaas-agent may not running on network node, but on network node, neutron-server still need neutron_vpnaas module - # when loading plugin if vpnaas is list in service_plugins. In this case, we don't need include vpn_agent recipe for network node, but - # we need make sure neutron vpnaas python packages get installed on network node before neutron-server start/restart, when vpnaas is enabled. - # Otherwise neutron-server will crash for couldn't find vpnaas plugin when invoking plugins from service_plugins. - platform_options['neutron_vpnaas_python_dependencies'].each do |pkg| - package pkg do - options platform_options['package_overrides'] - action :upgrade - end - end -end - # Migrate network database to latest version include_recipe 'openstack-network::db_migration' plugin_templates = [] diff --git a/recipes/vpnaas.rb b/recipes/vpnaas.rb deleted file mode 100644 index f49c9cfd..00000000 --- a/recipes/vpnaas.rb +++ /dev/null 
@@ -1,74 +0,0 @@ -# Encoding: utf-8 -# -# Cookbook Name:: openstack-network -# Recipe:: vpn_agent -# -# Copyright 2013, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -include_recipe 'openstack-network' - -# Make Openstack object available in Chef::Recipe -class ::Chef::Recipe - include ::Openstack -end - -platform_options = node['openstack']['network']['platform'] - -# Install package dependencies according node's vpn_device_driver. -platform_options['vpn_device_driver_packages'].each do |pkg| - package pkg do - options platform_options['package_overrides'] - action :upgrade - end -end - -platform_options['neutron_vpnaas_packages'].each do |pkg| - package pkg do - options platform_options['package_overrides'] - action :upgrade - end -end - -platform_options['vpn_device_driver_services'].each do |svc| - service 'vpn-device-driver-service' do - service_name svc - supports status: true, restart: true - action :enable - end -end - -service_conf = merge_config_options 'network_vpnaas' -template node['openstack']['network_vpnaas']['config_file'] do - source 'openstack-service.conf.erb' - cookbook 'openstack-common' - owner node['openstack']['network']['platform']['user'] - group node['openstack']['network']['platform']['group'] - mode 0o0640 - variables( - service_config: service_conf - ) -end - -service 'neutron-vpn-agent' do - service_name platform_options['neutron_vpn_agent_service'] - supports status: true, restart: true - action [:enable, :start] - 
subscribes :restart, [ - 'template[/etc/neutron/neutron.conf]', - "template[#{node['openstack']['network_vpnaas']['config_file']}]", - "template[#{node['openstack']['network_fwaas']['config_file']}]", - ] -end diff --git a/spec/db_migration_spec.rb b/spec/db_migration_spec.rb index fb54a7c6..c28b11c4 100644 --- a/spec/db_migration_spec.rb +++ b/spec/db_migration_spec.rb @@ -26,19 +26,10 @@ describe 'openstack-network::db_migration' do end describe 'run db-migration when services are enabled' do before do - node.override['openstack']['network_vpnaas']['enabled'] = true node.override['openstack']['network_fwaas']['enabled'] = true node.override['openstack']['network_lbaas']['enabled'] = true node.override['openstack']['network']['core_plugin_config_file'] = '/etc/neutron/plugins/ml2/ml2_conf.ini' end - it 'uses db upgrade head when vpnaas is enabled' do - migrate_cmd = %r{neutron-db-manage --subproject neutron-vpnaas --config-file /etc/neutron/neutron.conf| - --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head} - expect(chef_run).to run_bash('migrate vpnaas database').with( - code: migrate_cmd, - timeout: 3600 - ) - end it 'uses db upgrade head when lbaas is enabled' do migrate_cmd = %r{neutron-db-manage --subproject neutron-lbaas --config-file /etc/neutron/neutron.conf| --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head} 
@@ -61,15 +52,6 @@ describe 'openstack-network::db_migration' do node.override['openstack']['network']['core_plugin_config_file'] = '/etc/neutron/plugins/ml2/ml2_conf.ini' end - it 'does not use db upgrade head when vpnaas is not enabled' do - migrate_cmd = %r{neutron-db-manage --subproject neutron-vpnaas --config-file /etc/neutron/neutron.conf| - --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head} - expect(chef_run).not_to run_bash('migrate vpnaas database').with( - code: migrate_cmd, - timeout: 3600 - ) - end - it 'does not use db upgrade head when fwaas is not enabled' do migrate_cmd = %r{neutron-db-manage --subproject neutron-fwaas --config-file /etc/neutron/neutron.conf| --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head} diff --git a/spec/vpnaas-redhat_spec.rb b/spec/vpnaas-redhat_spec.rb deleted file mode 100644 index fe59fa32..00000000 --- a/spec/vpnaas-redhat_spec.rb +++ /dev/null @@ -1,23 +0,0 @@ -# Encoding: utf-8 -require_relative 'spec_helper' - -describe 'openstack-network::vpnaas' do - describe 'redhat' do - let(:runner) { ChefSpec::SoloRunner.new(REDHAT_OPTS) } - let(:node) { runner.node } - let(:chef_run) do - node.override['openstack']['compute']['network']['service_type'] = 'neutron' - node.override['openstack']['network']['enable_vpn'] = true - stub_command('ovs-vsctl br-exists br-ex').and_return(false) - runner.converge(described_recipe) - end - - include_context 'neutron-stubs' - - it 'upgrades neutron vpn packages' do - %w(iproute openstack-neutron-vpnaas strongswan).each do |pkg| - expect(chef_run).to upgrade_package(pkg) - end - end - end -end diff --git a/spec/vpnaas_spec.rb b/spec/vpnaas_spec.rb deleted file mode 100644 index d9ec218c..00000000 --- a/spec/vpnaas_spec.rb +++ /dev/null 
@@ -1,77 +0,0 @@ -# Encoding: utf-8 -require_relative 'spec_helper' - -describe 'openstack-network::vpnaas' do - describe 'ubuntu' do - let(:runner) { ChefSpec::SoloRunner.new(UBUNTU_OPTS) } - let(:node) { runner.node } - let(:chef_run) do - node.override['openstack']['compute']['network']['service_type'] = 'neutron' - runner.converge(described_recipe) - end - - include_context 'neutron-stubs' - it 'include the recipe openstack-network::default' do - expect(chef_run).to include_recipe('openstack-network::default') - end - - it 'upgrades vpn device driver packages' do - expect(chef_run).to upgrade_package('strongswan') - end - - it 'upgrades neutron vpn packages' do - expect(chef_run).to upgrade_package('neutron-vpn-agent') - expect(chef_run).to upgrade_package('python-neutron-vpnaas') - end - - it 'starts strongswan on boot' do - expect(chef_run).to enable_service('strongswan') - end - - it 'starts the vpn agent on boot' do - expect(chef_run).to enable_service('neutron-vpn-agent') - end - - it 'subscribes the vpn agent service to neutron.conf' do - expect(chef_run.service('neutron-vpn-agent')).to subscribe_to('template[/etc/neutron/neutron.conf]').delayed - end - - it 'subscribes the vpn agent service to vpn_agent.ini' do - expect(chef_run.service('neutron-vpn-agent')).to subscribe_to('template[/etc/neutron/vpn_agent.ini]').delayed - end - - describe 'vpn_agent.ini' do - let(:file) { chef_run.template('/etc/neutron/vpn_agent.ini') } - - it 'creates vpn_agent.ini' do - expect(chef_run).to create_template(file.name).with( - user: 'neutron', - group: 'neutron', - mode: 0o640 - ) - end - - describe 'vpn_device_driver' do - it 'renders one vpn_device_driver entry in vpn_agent.ini for default vpn_device_driver' do - [/^vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver$/].each do |line| - expect(chef_run).to render_config_file(file.name).with_section_content('vpnagent', line) - end - end - - it 'renders no setted 
vpn_device_driver entry in vpn_agent.ini, when no vpn_device_driver set' do - chef_run.node.override['openstack']['network_vpnaas']['conf']['vpnagent']['vpn_device_driver'] = '' - chef_run.converge(described_recipe) - expect(chef_run).to render_config_file(file.name).with_section_content('vpnagent', /^vpn_device_driver = $/) - end - end - - it 'renders default_config_area for strongswan driver' do - expect(chef_run).to render_config_file(file.name).with_section_content('strongswan', %r{^default_config_area = /etc/strongswan.d$}) - end - - it 'notifies the vpn agent service' do - expect(file).to notify('service[neutron-vpn-agent]').to(:restart).delayed - end - end - end -end