Integrate neutron-vpnaas-agent into the neutron Ansible role

Implements: blueprint neutron-vpnaas-agent Co-Authored-By: zhubingbing <zhubingbing10@gmail.com> Change-Id: I1fae21f48d5beef47934aef7c23910536955f2b8
2016-06-29 15:34:18 +02:00 · 2016-06-29 15:34:18 +02:00 · be0fcb5b99
parent 37ec5ecb52
commit be0fcb5b99
21 changed files with 215 additions and 19 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -257,6 +257,7 @@ enable_mistral: "no"
 enable_mongodb: "no"
 enable_multipathd: "no"
 enable_murano: "no"
+enable_neutron_vpnaas: "no"
 enable_neutron_dvr: "no"
 enable_neutron_lbaas: "no"
 enable_neutron_qos: "no"
--- a/ansible/inventory/all-in-one
+++ b/ansible/inventory/all-in-one
@ -184,6 +184,9 @@ neutron
 [neutron-metadata-agent:children]
 neutron

+[neutron-vpnaas-agent:children]
+neutron
+
 # Cinder
 [cinder-api:children]
 cinder
--- a/ansible/inventory/multinode
+++ b/ansible/inventory/multinode
@ -202,6 +202,9 @@ neutron
 [neutron-metadata-agent:children]
 neutron

+[neutron-vpnaas-agent:children]
+neutron
+
 # Cinder
 [cinder-api:children]
 cinder
--- a/ansible/roles/neutron/defaults/main.yml
+++ b/ansible/roles/neutron/defaults/main.yml
@ -44,6 +44,10 @@ neutron_server_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{
 neutron_server_tag: "{{ openstack_release }}"
 neutron_server_image_full: "{{ neutron_server_image }}:{{ neutron_server_tag }}"

+neutron_vpnaas_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-neutron-vpnaas-agent"
+neutron_vpnaas_agent_tag: "{{ openstack_release }}"
+neutron_vpnaas_agent_image_full: "{{ neutron_vpnaas_agent_image }}:{{ neutron_vpnaas_agent_tag }}"
+
 openvswitch_db_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-openvswitch-db-server"
 openvswitch_db_tag: "{{ openstack_release }}"
 openvswitch_db_image_full: "{{ openvswitch_db_image }}:{{ openvswitch_db_tag }}"
--- a/ansible/roles/neutron/tasks/bootstrap_service.yml
+++ b/ansible/roles/neutron/tasks/bootstrap_service.yml
@ -41,3 +41,26 @@
    - inventory_hostname in groups['neutron-lbaas-agent']
  run_once: True
  delegate_to: "{{ groups['neutron-lbaas-agent'][0] }}"
+
+- name: Running Neutron vpnaas bootstrap container
+  kolla_docker:
+    action: "start_container"
+    common_options: "{{ docker_common_options }}"
+    detach: False
+    environment:
+      KOLLA_BOOTSTRAP:
+      KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
+    image: "{{ neutron_vpnaas_agent_image_full }}"
+    labels:
+      BOOTSTRAP:
+    name: "bootstrap_neutron_vpnaas_agent"
+    restart_policy: "never"
+    volumes:
+      - "{{ node_config_directory }}/neutron-vpnaas-agent/:{{ container_config_directory }}/:ro"
+      - "/etc/localtime:/etc/localtime:ro"
+      - "kolla_logs:/var/log/kolla/"
+  when:
+    - enable_neutron_vpnaas | bool
+    - inventory_hostname in groups['neutron-vpnaas-agent']
+  run_once: True
+  delegate_to: "{{ groups['neutron-vpnaas-agent'][0] }}"
--- a/ansible/roles/neutron/tasks/config.yml
+++ b/ansible/roles/neutron/tasks/config.yml
@ -8,6 +8,7 @@
  when:
    - set_sysctl | bool
    - inventory_hostname in groups['neutron-l3-agent']
+      or inventory_hostname in groups['neutron-vpnaas-agent']

 - name: Ensuring config directories exist
  file:
@ -24,6 +25,7 @@
    - "openvswitch-db-server"
    - "openvswitch-vswitchd"
    - "neutron-lbaas-agent"
+    - "neutron-vpnaas-agent"

 - name: Copying over config.json files for services
  template:
@ -39,6 +41,7 @@
    - "openvswitch-db-server"
    - "openvswitch-vswitchd"
    - "neutron-lbaas-agent"
+    - "neutron-vpnaas-agent"

 - name: Copying over neutron.conf
  merge_configs:
@ -61,6 +64,31 @@
    - "neutron-openvswitch-agent"
    - "neutron-server"
    - "neutron-lbaas-agent"
+    - "neutron-vpnaas-agent"
+
+- name: Copying over neutron_lbaas.conf
+  merge_configs:
+    vars:
+      service_name: "{{ item }}"
+    sources:
+      - "{{ role_path }}/templates/neutron_lbaas.conf.j2"
+      - "{{ node_custom_config }}/neutron/neutron_lbaas.conf"
+      - "{{ node_custom_config }}/neutron/{{ inventory_hostname }}/neutron_lbaas.conf"
+    dest: "{{ node_config_directory }}/{{ item }}/neutron_lbaas.conf"
+  with_items:
+    - "neutron-server"
+
+- name: Copying over neutron_vpnaas.conf
+  merge_configs:
+    vars:
+      service_name: "{{ item }}"
+    sources:
+      - "{{ role_path }}/templates/neutron_vpnaas.conf.j2"
+      - "{{ node_custom_config }}/neutron/neutron_vpnaas.conf"
+      - "{{ node_custom_config }}/neutron/{{ inventory_hostname }}/neutron_vpnaas.conf"
+    dest: "{{ node_config_directory }}/{{ item }}/neutron_vpnaas.conf"
+  with_items:
+    - "neutron-server"

 - name: Copying over ml2_conf.ini
  merge_configs:
@ -79,6 +107,7 @@
    - "neutron-metadata-agent"
    - "neutron-openvswitch-agent"
    - "neutron-server"
+    - "neutron-vpnaas-agent"

 - name: Copying over dhcp_agent.ini
  merge_configs:
@ -108,6 +137,7 @@
    dest: "{{ node_config_directory }}/{{ item }}/l3_agent.ini"
  with_items:
    - "neutron-l3-agent"
+    - "neutron-vpnaas-agent"

 - name: Copying over fwaas_driver.ini
  merge_configs:
@ -119,6 +149,7 @@
    dest: "{{ node_config_directory }}/{{ item }}/fwaas_driver.ini"
  with_items:
    - "neutron-l3-agent"
+    - "neutron-vpnaas-agent"

 - name: Copying over metadata_agent.ini
  merge_configs:
@ -141,3 +172,14 @@
    dest: "{{ node_config_directory }}/{{ item }}/lbaas_agent.ini"
  with_items:
    - "neutron-lbaas-agent"
+
+- name: Copying over vpnaas_agent.ini
+  merge_configs:
+    vars:
+      service_name: "{{ item }}"
+    sources:
+      - "{{ role_path }}/templates/vpnaas_agent.ini.j2"
+      - "/etc/kolla/config/neutron/vpnaas_agent.ini"
+    dest: "{{ node_config_directory }}/{{ item }}/vpnaas_agent.ini"
+  with_items:
+    - "neutron-vpnaas-agent"
--- a/ansible/roles/neutron/tasks/deploy.yml
+++ b/ansible/roles/neutron/tasks/deploy.yml
@ -13,6 +13,7 @@
        or inventory_hostname in groups['neutron-metadata-agent']
        or inventory_hostname in groups['neutron-server']
        or inventory_hostname in groups['neutron-lbaas-agent']
+        or inventory_hostname in groups['neutron-vpnaas-agent']

 - include: config-neutron-fake.yml
  when:
@ -30,3 +31,4 @@
        or inventory_hostname in groups['neutron-metadata-agent']
        or inventory_hostname in groups['neutron-server']
        or inventory_hostname in groups['neutron-lbaas-agent']
+        or inventory_hostname in groups['neutron-vpnaas-agent']
--- a/ansible/roles/neutron/tasks/do_reconfigure.yml
+++ b/ansible/roles/neutron/tasks/do_reconfigure.yml
@ -14,8 +14,9 @@
    - { name: neutron_l3_agent, group: neutron-l3-agent }
    - { name: neutron_l3_agent, group: compute, enabled: "{{ enable_neutron_dvr | bool }}" }
    - { name: neutron_lbaas_agent, group: neutron-lbaas-agent, enabled: "{{ enable_neutron_lbaas | bool }}" }
-    - { name: neutron_metadata_agent, group: neutron-metadata-agent }
+    - { name: neutron_metadata_agent, group: neutron-metadata-agent }    
    - { name: neutron_metadata_agent, group: compute, enabled: "{{ enable_neutron_dvr | bool }}" }
+    - { name: neutron_vpnaas_agent, group: neutron-vpnaas-agent, enabled: "{{ enable_neutron_vpnaas | bool }}" }

 - name: Ensuring the neutron_openvswitch_agent container is up
  kolla_docker:
@ -32,12 +33,14 @@
          or inventory_hostname in groups['neutron-l3-agent']
          or inventory_hostname in groups['neutron-lbaas-agent']
          or inventory_hostname in groups['neutron-metadata-agent']
+          or inventory_hostname in groups['neutron-vpnaas-agent']
          and not enable_nova_fake | bool
        ) or
        ( inventory_hostname in groups['neutron-dhcp-agent']
          or inventory_hostname in groups['neutron-l3-agent']
          or inventory_hostname in groups['neutron-lbaas-agent']
          or inventory_hostname in groups['neutron-metadata-agent']
+          or inventory_hostname in groups['neutron-vpnaas-agent']
          and enable_nova_fake | bool
        )
      )
@ -55,7 +58,8 @@
       or inventory_hostname in groups['neutron-dhcp-agent']
       or inventory_hostname in groups['neutron-l3-agent']
       or inventory_hostname in groups['neutron-lbaas-agent']
-       or inventory_hostname in groups['neutron-metadata-agent'])
+       or inventory_hostname in groups['neutron-metadata-agent']
+       or inventory_hostname in groups['neutron-vpnaas-agent'])

 - include: config.yml

@ -75,6 +79,7 @@
    - { name: neutron_lbaas_agent, group: neutron-lbaas-agent, enabled: "{{ enable_neutron_lbaas | bool }}" }
    - { name: neutron_metadata_agent, group: neutron-metadata-agent }
    - { name: neutron_metadata_agent, group: compute, enabled: "{{ enable_neutron_dvr | bool }}" }
+    - { name: neutron_vpnaas_agent, group: neutron-vpnaas-agent, enabled: "{{ enable_neutron_vpnaas | bool }}" }

 - name: Check the configs in the neutron_openvswitch_agent container
  command: docker exec neutron_openvswitch_agent /usr/local/bin/kolla_set_configs --check
@ -90,12 +95,14 @@
          or inventory_hostname in groups['neutron-l3-agent']
          or inventory_hostname in groups['neutron-lbaas-agent']
          or inventory_hostname in groups['neutron-metadata-agent']
+          or inventory_hostname in groups['neutron-vpnaas-agent']
          and not enable_nova_fake | bool
        ) or
        ( inventory_hostname in groups['neutron-dhcp-agent']
          or inventory_hostname in groups['neutron-l3-agent']
          or inventory_hostname in groups['neutron-lbaas-agent']
          or inventory_hostname in groups['neutron-metadata-agent']
+          or inventory_hostname in groups['neutron-vpnaas-agent']
          and enable_nova_fake | bool
        )
      )
@ -112,7 +119,8 @@
       or inventory_hostname in groups['neutron-dhcp-agent']
       or inventory_hostname in groups['neutron-l3-agent']
       or inventory_hostname in groups['neutron-lbaas-agent']
-       or inventory_hostname in groups['neutron-metadata-agent'])
+       or inventory_hostname in groups['neutron-metadata-agent']
+       or inventory_hostname in groups['neutron-vpnaas-agent'])

 # NOTE(jeffrey4l): when config_strategy == 'COPY_ALWAYS'
 # and container env['KOLLA_CONFIG_STRATEGY'] == 'COPY_ONCE',
@ -133,6 +141,7 @@
    - { name: neutron_lbaas_agent, group: neutron-lbaas-agent, enabled: "{{ enable_neutron_lbaas | bool }}" }
    - { name: neutron_metadata_agent, group: neutron-metadata-agent }
    - { name: neutron_metadata_agent, group: compute, enabled: "{{ enable_neutron_dvr | bool }}" }
+    - { name: neutron_vpnaas_agent, group: neutron-vpnaas-agent, enabled: "{{ enable_neutron_vpnaas | bool }}" }

 - name: Container config strategy for the neutron_openvswitch_agent container
  kolla_docker:
@ -149,12 +158,14 @@
          or inventory_hostname in groups['neutron-l3-agent']
          or inventory_hostname in groups['neutron-lbaas-agent']
          or inventory_hostname in groups['neutron-metadata-agent']
+          or inventory_hostname in groups['neutron-vpnaas-agent']
        ) or
        ( enable_nova_fake | bool
          and inventory_hostname in groups['neutron-dhcp-agent']
          or inventory_hostname in groups['neutron-l3-agent']
          or inventory_hostname in groups['neutron-lbaas-agent']
          or inventory_hostname in groups['neutron-metadata-agent']
+          or inventory_hostname in groups['neutron-vpnaas-agent']
        )
      )

@ -170,7 +181,8 @@
       or inventory_hostname in groups['neutron-dhcp-agent']
       or inventory_hostname in groups['neutron-l3-agent']
       or inventory_hostname in groups['neutron-lbaas-agent']
-       or inventory_hostname in groups['neutron-metadata-agent'])
+       or inventory_hostname in groups['neutron-metadata-agent']
+       or inventory_hostname in groups['neutron-vpnaas-agent'])

 - name: Remove the containers running neutron-server and neutron agents
  kolla_docker:
@ -189,7 +201,8 @@
       { name: neutron_l3_agent, group: compute, enabled: "{{ enable_neutron_dvr | bool }}" },
       { name: neutron_lbaas_agent, group: neutron-lbaas-agent, enabled: "{{ enable_neutron_lbaas | bool }}" },
       { name: neutron_metadata_agent, group: neutron-metadata-agent },
-       { name: neutron_metadata_agent, group: compute, enabled: "{{ enable_neutron_dvr | bool }}" }]
+       { name: neutron_metadata_agent, group: compute, enabled: "{{ enable_neutron_dvr | bool }}" },
+       { name: neutron_vpnaas_agent, group: neutron-vpnaas-agent, enabled: "{{ enable_neutron_vpnaas | bool }}" }]
    - "{{ neutron_container_envs.results }}"
    - "{{ neutron_check_results.results }}"

@ -208,12 +221,14 @@
          or inventory_hostname in groups['neutron-l3-agent']
          or inventory_hostname in groups['neutron-lbaas-agent']
          or inventory_hostname in groups['neutron-metadata-agent']
+          or inventory_hostname in groups['neutron-vpnaas-agent']
        ) or
        ( enable_nova_fake | bool
          and inventory_hostname in groups['neutron-dhcp-agent']
          or inventory_hostname in groups['neutron-l3-agent']
          or inventory_hostname in groups['neutron-lbaas-agent']
          or inventory_hostname in groups['neutron-metadata-agent']
+          or inventory_hostname in groups['neutron-vpnaas-agent']
        )
      )
    - config_strategy == "COPY_ONCE" or openvswitch_agent_envs['KOLLA_CONFIG_STRATEGY'] == 'COPY_ONCE'
@ -231,7 +246,8 @@
       or inventory_hostname in groups['neutron-dhcp-agent']
       or inventory_hostname in groups['neutron-l3-agent']
       or inventory_hostname in groups['neutron-lbaas-agent']
-       or inventory_hostname in groups['neutron-metadata-agent'])
+       or inventory_hostname in groups['neutron-metadata-agent']
+       or inventory_hostname in groups['neutron-vpnaas-agent'])
    - config_strategy == "COPY_ONCE" or linuxbridge_agent_envs['KOLLA_CONFIG_STRATEGY'] == 'COPY_ONCE'
    - linuxbridge_agent_check_results['rc'] == 1

@ -257,7 +273,8 @@
       { name: neutron_l3_agent, group: compute, enabled: "{{ enable_neutron_dvr | bool }}" },
       { name: neutron_lbaas_agent, group: neutron-lbaas-agent, enabled: "{{ enable_neutron_lbaas | bool }}" },
       { name: neutron_metadata_agent, group: neutron-metadata-agent },
-       { name: neutron_metadata_agent, group: compute, enabled: "{{ enable_neutron_dvr | bool }}" }]
+       { name: neutron_metadata_agent, group: compute, enabled: "{{ enable_neutron_dvr | bool }}" },
+       { name: neutron_vpnaas_agent, group: neutron-vpnaas-agent, enabled: "{{ enable_neutron_vpnaas | bool }}" }]
    - "{{ neutron_container_envs.results }}"
    - "{{ neutron_check_results.results }}"

@ -275,12 +292,14 @@
          or inventory_hostname in groups['neutron-l3-agent']
          or inventory_hostname in groups['neutron-lbaas-agent']
          or inventory_hostname in groups['neutron-metadata-agent']
+          or inventory_hostname in groups['neutron-vpnaas-agent']
          and not enable_nova_fake | bool
        ) or
        ( inventory_hostname in groups['neutron-dhcp-agent']
          or inventory_hostname in groups['neutron-l3-agent']
          or inventory_hostname in groups['neutron-lbaas-agent']
          or inventory_hostname in groups['neutron-metadata-agent']
+          or inventory_hostname in groups['neutron-vpnaas-agent']
          and enable_nova_fake | bool
        )
      )
@ -299,6 +318,7 @@
       or inventory_hostname in groups['neutron-dhcp-agent']
       or inventory_hostname in groups['neutron-l3-agent']
       or inventory_hostname in groups['neutron-lbaas-agent']
-       or inventory_hostname in groups['neutron-metadata-agent'])
+       or inventory_hostname in groups['neutron-metadata-agent']
+       or inventory_hostname in groups['neutron-vpnaas-agent'])
    - linuxbridge_agent_envs['KOLLA_CONFIG_STRATEGY'] != 'COPY_ONCE'
    - linuxbridge_agent_check_results['rc'] == 1
--- a/ansible/roles/neutron/tasks/pull.yml
+++ b/ansible/roles/neutron/tasks/pull.yml
@ -23,7 +23,8 @@
       or (enable_manila | bool and inventory_hostname in groups['manila-share'])
       or inventory_hostname in groups['neutron-dhcp-agent']
       or inventory_hostname in groups['neutron-l3-agent']
-       or inventory_hostname in groups['neutron-metadata-agent'])
+       or inventory_hostname in groups['neutron-metadata-agent']
+       or inventory_hostname in groups['neutron-vpnaas-agent'])
    - neutron_plugin_agent == "linuxbridge"

 - name: Pulling neutron-metadata-agent image
@ -43,7 +44,8 @@
       or (enable_manila | bool and inventory_hostname in groups['manila-share'])
       or inventory_hostname in groups['neutron-dhcp-agent']
       or inventory_hostname in groups['neutron-l3-agent']
-       or inventory_hostname in groups['neutron-metadata-agent'])
+       or inventory_hostname in groups['neutron-metadata-agent']
+       or inventory_hostname in groups['neutron-vpnaas-agent'])
    - neutron_plugin_agent == "openvswitch"

 - name: Pulling neutron-server image
@ -63,7 +65,8 @@
       or (enable_manila | bool and inventory_hostname in groups['manila-share'])
       or inventory_hostname in groups['neutron-dhcp-agent']
       or inventory_hostname in groups['neutron-l3-agent']
-       or inventory_hostname in groups['neutron-metadata-agent'])
+       or inventory_hostname in groups['neutron-metadata-agent']
+       or inventory_hostname in groups['neutron-vpnaas-agent'])
    - neutron_plugin_agent == "openvswitch"

 - name: Pulling openvswitch-vswitchd image
@ -76,5 +79,6 @@
       or (enable_manila | bool and inventory_hostname in groups['manila-share'])
       or inventory_hostname in groups['neutron-dhcp-agent']
       or inventory_hostname in groups['neutron-l3-agent']
-       or inventory_hostname in groups['neutron-metadata-agent'])
+       or inventory_hostname in groups['neutron-metadata-agent']
+       or inventory_hostname in groups['neutron-vpnaas-agent'])
    - neutron_plugin_agent == "openvswitch"
--- a/ansible/roles/neutron/tasks/reconfigure.yml
+++ b/ansible/roles/neutron/tasks/reconfigure.yml
@ -7,3 +7,4 @@
        or inventory_hostname in groups['neutron-l3-agent']
        or inventory_hostname in groups['neutron-lbaas-agent']
        or inventory_hostname in groups['neutron-metadata-agent']
+        or inventory_hostname in groups['neutron-vpnaas-agent']
--- a/ansible/roles/neutron/tasks/start.yml
+++ b/ansible/roles/neutron/tasks/start.yml
@ -16,7 +16,8 @@
       or (enable_manila | bool and inventory_hostname in groups['manila-share'])
       or inventory_hostname in groups['neutron-dhcp-agent']
       or inventory_hostname in groups['neutron-l3-agent']
-       or inventory_hostname in groups['neutron-metadata-agent'])
+       or inventory_hostname in groups['neutron-metadata-agent']
+       or inventory_hostname in groups['neutron-vpnaas-agent'])
    - neutron_plugin_agent == "openvswitch"

 - name: Waiting the openvswitch_db service to be ready
@ -31,7 +32,8 @@
       or (enable_manila | bool and inventory_hostname in groups['manila-share'])
       or inventory_hostname in groups['neutron-dhcp-agent']
       or inventory_hostname in groups['neutron-l3-agent']
-       or inventory_hostname in groups['neutron-metadata-agent'])
+       or inventory_hostname in groups['neutron-metadata-agent']
+       or inventory_hostname in groups['neutron-vpnaas-agent'])
    - neutron_plugin_agent == "openvswitch"

 - name: Ensuring OVS bridge is properly setup
@ -43,7 +45,8 @@
       or (enable_manila | bool and inventory_hostname in groups['manila-share'])
       or inventory_hostname in groups['neutron-dhcp-agent']
       or inventory_hostname in groups['neutron-l3-agent']
-       or inventory_hostname in groups['neutron-metadata-agent'])
+       or inventory_hostname in groups['neutron-metadata-agent']
+       or inventory_hostname in groups['neutron-vpnaas-agent'])
    - neutron_plugin_agent == "openvswitch"

 - name: Starting openvswitch-vswitchd container
@ -64,7 +67,8 @@
       or (enable_manila | bool and inventory_hostname in groups['manila-share'])
       or inventory_hostname in groups['neutron-dhcp-agent']
       or inventory_hostname in groups['neutron-l3-agent']
-       or inventory_hostname in groups['neutron-metadata-agent'])
+       or inventory_hostname in groups['neutron-metadata-agent']
+       or inventory_hostname in groups['neutron-vpnaas-agent'])
    - neutron_plugin_agent == "openvswitch"

 - name: Starting neutron-server container
@ -99,11 +103,13 @@
          or inventory_hostname in groups['neutron-dhcp-agent']
          or inventory_hostname in groups['neutron-l3-agent']
          or inventory_hostname in groups['neutron-metadata-agent']
+          or inventory_hostname in groups['neutron-vpnaas-agent']
          and not enable_nova_fake | bool
        ) or
        ( inventory_hostname in groups['neutron-dhcp-agent']
          or inventory_hostname in groups['neutron-l3-agent']
          or inventory_hostname in groups['neutron-metadata-agent']
+          or inventory_hostname in groups['neutron-vpnaas-agent']
          and enable_nova_fake | bool
        )
      )
@ -199,7 +205,8 @@
       or (enable_manila | bool and inventory_hostname in groups['manila-share'])
       or inventory_hostname in groups['neutron-dhcp-agent']
       or inventory_hostname in groups['neutron-l3-agent']
-       or inventory_hostname in groups['neutron-metadata-agent'])
+       or inventory_hostname in groups['neutron-metadata-agent']
+       or inventory_hostname in groups['neutron-vpnaas-agent'])
    - neutron_plugin_agent == "linuxbridge"

 - name: Starting neutron-dhcp-agent container
@ -236,6 +243,7 @@
  when:
    - (inventory_hostname in groups['neutron-l3-agent']
       or (inventory_hostname in groups['compute'] and enable_neutron_dvr | bool))
+    - not enable_neutron_vpnaas | bool

 - name: Starting neutron-lbaas-agent container
  kolla_docker:
@ -271,3 +279,21 @@
  when:
    - (inventory_hostname in groups['neutron-metadata-agent']
       or (inventory_hostname in groups['compute'] and enable_neutron_dvr | bool))
+
+- name: Starting neutron-vpnaas-agent container
+  kolla_docker:
+    action: "start_container"
+    common_options: "{{ docker_common_options }}"
+    image: "{{ neutron_vpnaas_agent_image_full }}"
+    name: "neutron_vpnaas_agent"
+    privileged: True
+    volumes:
+      - "{{ node_config_directory }}/neutron-vpnaas-agent/:{{ container_config_directory }}/:ro"
+      - "/etc/localtime:/etc/localtime:ro"
+      - "/run:/run"
+      - "/run/netns/:/run/netns/:shared"
+      - "neutron_metadata_socket:/var/lib/neutron/kolla/"
+      - "kolla_logs:/var/log/kolla/"
+  when:
+    - enable_neutron_vpnaas | bool
+    - inventory_hostname in groups['neutron-vpnaas-agent']
--- a/ansible/roles/neutron/tasks/upgrade.yml
+++ b/ansible/roles/neutron/tasks/upgrade.yml
@ -6,6 +6,7 @@
        or inventory_hostname in groups['neutron-lbaas-agent']
        or inventory_hostname in groups['neutron-metadata-agent']
        or inventory_hostname in groups['neutron-server']
+        or inventory_hostname in groups['neutron-vpnaas-agent']

 - include: config-neutron-fake.yml
  when:
@ -22,3 +23,4 @@
        or inventory_hostname in groups['neutron-lbaas-agent']
        or inventory_hostname in groups['neutron-metadata-agent']
        or inventory_hostname in groups['neutron-server']
+        or inventory_hostname in groups['neutron-vpnaas-agent']
--- a/ansible/roles/neutron/templates/neutron-server.json.j2
+++ b/ansible/roles/neutron/templates/neutron-server.json.j2
@ -1,5 +1,5 @@
 {
-    "command": "neutron-server --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini",
+    "command": "neutron-server --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --config-file /etc/neutron/neutron_lbaas.conf --config-file /etc/neutron/neutron_vpnaas.conf",
    "config_files": [
        {
            "source": "{{ container_config_directory }}/neutron.conf",
@ -7,6 +7,18 @@
            "owner": "neutron",
            "perm": "0600"
        },
+        {
+            "source": "{{ container_config_directory }}/neutron_lbaas.conf",
+            "dest": "/etc/neutron/neutron_lbaas.conf",
+            "owner": "neutron",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/neutron_vpnaas.conf",
+            "dest": "/etc/neutron/neutron_vpnaas.conf",
+            "owner": "neutron",
+            "perm": "0600"
+        },
        {
            "source": "{{ container_config_directory }}/ml2_conf.ini",
            "dest": "/etc/neutron/plugins/ml2/ml2_conf.ini",
--- a/ansible/roles/neutron/templates/neutron-vpnaas-agent.json.j2
+++ b/ansible/roles/neutron/templates/neutron-vpnaas-agent.json.j2
@ -0,0 +1,29 @@
+{
+    "command": "neutron-vpn-agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/fwaas_driver.ini --config-file /etc/neutron/l3_agent.ini --config-file /etc/neutron/vpnaas_agent.ini --config-file /etc/neutron/plugins/ml2/ml2_conf.ini",
+    "config_files": [
+        {
+            "source": "{{ container_config_directory }}/neutron.conf",
+            "dest": "/etc/neutron/neutron.conf",
+            "owner": "neutron",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/ml2_conf.ini",
+            "dest": "/etc/neutron/plugins/ml2/ml2_conf.ini",
+            "owner": "neutron",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/l3_agent.ini",
+            "dest": "/etc/neutron/l3_agent.ini",
+            "owner": "neutron",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/vpnaas_agent.ini",
+            "dest": "/etc/neutron/vpnaas_agent.ini",
+            "owner": "neutron",
+            "perm": "0600"
+        }
+    ]
+}
--- a/ansible/roles/neutron/templates/neutron.conf.j2
+++ b/ansible/roles/neutron/templates/neutron.conf.j2
@ -35,7 +35,7 @@ host = {{ ansible_hostname }}_{{ item }}

 allow_overlapping_ips = true
 core_plugin = ml2
-service_plugins = router{% if enable_neutron_lbaas | bool %},lbaas{% endif %}{% if enable_neutron_qos | bool %},qos{% endif %},{% if neutron_plugin_agent == "sfc" %}flow_classifier,sfc{% endif %}
+service_plugins = router{% if enable_neutron_lbaas | bool %},neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2{% endif %}{% if enable_neutron_qos | bool %},qos{% endif %}{% if enable_neutron_vpnaas | bool %},vpnass{% endif %}{% if neutron_plugin_agent == "sfc" %}flow_classifier,sfc{% endif %}

 {% if enable_neutron_agent_ha | bool %}
 dhcp_agents_per_network = {{ dhcp_agents_per_network }}
--- a/ansible/roles/neutron/templates/neutron_lbaas.conf.j2
+++ b/ansible/roles/neutron/templates/neutron_lbaas.conf.j2
@ -0,0 +1,4 @@
+{% if enable_neutron_lbaas | bool %}
+[service_providers]
+service_provider = LOADBALANCERV2:Haproxy:neutron_lbaas.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
+{% endif %}
--- a/ansible/roles/neutron/templates/neutron_vpnaas.conf.j2
+++ b/ansible/roles/neutron/templates/neutron_vpnaas.conf.j2
@ -0,0 +1,4 @@
+{% if enable_neutron_vpnaas | bool %}
+[service_providers]
+service_provider = VPN:openswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
+{% endif %}
--- a/ansible/roles/neutron/templates/vpnaas_agent.ini.j2
+++ b/ansible/roles/neutron/templates/vpnaas_agent.ini.j2
@ -0,0 +1,11 @@
+{% set vpn_device_driver = 'neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver' if kolla_base_distro in ['ubuntu', 'debian'] else 'neutron_vpnaas.services.vpn.device_drivers.ipsec.OpenSwanDriver'%}
+[DEFAULT]
+
+[ipsec]
+enable_detailed_logging = {{ neutron_logging_debug }}
+
+[service_providers]
+service_provider = VPN:openswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
+
+[vpnagent]
+vpn_device_driver = {{ vpn_device_driver }}
--- a/ansible/site.yml
+++ b/ansible/site.yml
@ -145,6 +145,7 @@
    - neutron-l3-agent
    - neutron-lbaas-agent
    - neutron-metadata-agent
+    - neutron-vpnaas-agent
    - compute
    - manila-share
  serial: '{{ "30%" if action == "upgrade" else "0" }}'
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@ -136,6 +136,7 @@ kolla_internal_vip_address: "10.10.10.254"
 #enable_neutron_lbaas: "no"
 #enable_neutron_qos: "no"
 #enable_neutron_agent_ha: "no"
+#enable_neutron_vpnaas: "no"
 #enable_rally: "no"
 #enable_senlin: "no"
 #enable_swift: "no"
--- a/releasenotes/notes/add-neutron-vpnaas-88e0780326100e36.yaml
+++ b/releasenotes/notes/add-neutron-vpnaas-88e0780326100e36.yaml
@ -0,0 +1,3 @@
+---
+features:
+   - Add neutron-vpnass role