Change task ordering to perform smooth upgrades

Currently we symlink /etc/neutron to an empty directory at the pre-stage
and fill it with config only during post_install. This means that
policies and rootwrap filters do not work properly until playbook
execution finishes. Additionally, we replace the sudoers file with one
that has the new path in it, which makes current operations impossible
for the service, since rootwrap cannot gain sudo privileges.

With this change we move symlinking and rootwrap steps to handlers,
which means that we will do replace configs while service is stopped.

During post_install we place all of the configs inside the venv,
which is versioned at the moment.

This way we minimise downtime of the service while performing upgrades

Change-Id: I6d1686ab79647acfc086f21864bde14c8a1a1a49
Dmitriy Rabotyagov 2021-04-28 17:48:43 +03:00 committed by Dmitriy Rabotyagov
parent 7f2b7ea4f4
commit 5763885453
5 changed files with 52 additions and 46 deletions


@ -70,6 +70,30 @@
- "Restart neutron services"
- "venv changed"
- name: Symlink neutron config directory
file:
# NOTE(cloudnull): The "src" path is relative. This ensures all files remain
# within the host/container confines when connecting to
# them using the connection plugin or the root filesystem.
src: "{{ neutron_conf_version_dir | regex_replace('^/', '../') }}"
dest: "{{ neutron_conf_dir }}"
state: link
force: true
when: neutron_install_method == 'source'
listen:
- "venv changed"
- name: Drop sudoers file
template:
src: "sudoers.j2"
dest: "/etc/sudoers.d/{{ neutron_system_user_name }}_sudoers"
mode: "0440"
owner: "root"
group: "root"
listen:
- "Restart neutron services"
- "venv changed"
- name: Perform a DB contract
command: "{{ neutron_bin }}/neutron-db-manage upgrade --contract"
become: yes
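Review bot: The `Drop sudoers file` handler writes its render of `sudoers.j2` straight into `/etc/sudoers.d` with no syntax check, so a bad render would land in place and can break sudo on the host, not only for neutron. Adding `validate: "/usr/sbin/visudo -cf %s"` to the `template` arguments makes Ansible reject the file before it replaces the current one. Because this is now a handler, the file is only rewritten when `Restart neutron services` or `venv changed` is notified, so a sudoers file that was removed or edited by hand is not repaired on an otherwise unchanged run; a short comment above the task saying so would help. The hunk ends inside the following `Perform a DB contract` handler.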


@ -14,7 +14,7 @@
# limitations under the License.
- name: Perform a DB expand
command: "{{ neutron_bin }}/neutron-db-manage upgrade --expand"
command: "{{ neutron_bin }}/neutron-db-manage --config-file {{ neutron_conf_version_dir }}/neutron.conf upgrade --expand"
become: yes
become_user: "{{ neutron_system_user_name }}"
when:
@ -29,7 +29,7 @@
value: "False"
- name: Check for available offline migrations
command: "{{ neutron_bin }}/neutron-db-manage has_offline_migrations"
command: "{{ neutron_bin }}/neutron-db-manage --config-file {{ neutron_conf_version_dir }}/neutron.conf has_offline_migrations"
environment:
LANGUAGE: en_US.UTF-8
become: yes
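Review bot: Only the expand and `has_offline_migrations` calls gain `--config-file`; the `Perform a DB contract` handler shown in the handlers file still runs `neutron-db-manage upgrade --contract` without it, so that step depends on `/etc/neutron` already pointing at the new config. The symlink handler is defined before the contract handler, but it listens only on `venv changed` and applies only to source installs, so the ordering assumption is implicit. Passing the same `--config-file {{ neutron_conf_version_dir }}/neutron.conf` to the contract command would make the three calls consistent. Both tasks in this file continue outside their hunks.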


@ -21,11 +21,11 @@
group: "{{ item.group|default(neutron_system_group_name) }}"
mode: "{{ item.mode | default(omit) }}"
with_items:
- path: "{{ neutron_conf_dir }}/plugins"
- path: "{{ neutron_conf_version_dir }}/plugins"
mode: "0750"
- path: "{{ neutron_conf_dir }}/plugins/{{ neutron_plugin_type.split('.')[0] }}"
- path: "{{ neutron_conf_version_dir }}/plugins/{{ neutron_plugin_type.split('.')[0] }}"
mode: "0750"
- path: "{{ neutron_conf_dir }}/rootwrap.d"
- path: "{{ neutron_conf_version_dir }}/rootwrap.d"
owner: "root"
group: "root"
@ -34,7 +34,7 @@
- name: Copy extra neutron rootwrap filters
copy:
src: "{{ item }}"
dest: "{{ neutron_conf_dir }}/rootwrap.d/"
dest: "{{ neutron_conf_version_dir }}/rootwrap.d/"
owner: "root"
group: "root"
with_fileglob:
@ -53,11 +53,11 @@
config_type: "{{ item.config_type }}"
with_items:
- src: "neutron.conf.j2"
dest: "{{ neutron_conf_dir }}/neutron.conf"
dest: "{{ neutron_conf_version_dir }}/neutron.conf"
config_overrides: "{{ neutron_neutron_conf_overrides }}"
config_type: "ini"
- src: "{{ neutron_plugins[neutron_plugin_type].plugin_ini }}.j2"
dest: "{{ neutron_conf_dir }}/{{ neutron_plugins[neutron_plugin_type].plugin_ini }}"
dest: "{{ neutron_conf_version_dir }}/{{ neutron_plugins[neutron_plugin_type].plugin_ini }}"
config_overrides: "{{ neutron_plugins[neutron_plugin_type].plugin_conf_ini_overrides }}"
config_type: "ini"
notify:
@ -66,7 +66,7 @@
- name: Implement policy.yaml if there are overrides configured
config_template:
content: "{{ neutron_policy_overrides }}"
dest: "{{ neutron_conf_dir }}/policy.yaml"
dest: "{{ neutron_conf_version_dir }}/policy.yaml"
owner: "root"
group: "{{ neutron_system_group_name }}"
mode: "0640"
@ -88,7 +88,7 @@
- name: Place api-paste.ini to the correct path in RedHat
file:
src: "/usr/share/neutron/api-paste.ini"
dest: "{{ neutron_conf_dir }}/api-paste.ini"
dest: "{{ neutron_conf_version_dir }}/api-paste.ini"
owner: "root"
group: "{{ neutron_system_group_name }}"
mode: "0640"
@ -141,7 +141,7 @@
# NOTE(cloudnull): This will ensure strong permissions on all rootwrap files.
- name: Set rootwrap.d permissions
file:
path: "{{ neutron_conf_dir }}/rootwrap.d"
path: "{{ neutron_conf_version_dir }}/rootwrap.d"
owner: "root"
group: "root"
mode: "0640"
@ -150,7 +150,7 @@
- name: Copy neutron ml2 plugin config
config_template:
src: "{{ ('plugin_conf_bare' not in neutron_plugins[item]) | ternary(neutron_plugins[item].plugin_ini ~ '.j2', omit) }}"
dest: "{{ neutron_conf_dir }}/{{ neutron_plugins[item].plugin_ini }}"
dest: "{{ neutron_conf_version_dir }}/{{ neutron_plugins[item].plugin_ini }}"
owner: "root"
group: "{{ neutron_system_group_name }}"
mode: "0640"
@ -161,7 +161,7 @@
- name: Generate neutron dnsmasq Config
template:
src: "dnsmasq-neutron.conf.j2"
dest: "{{ neutron_conf_dir }}/dnsmasq-neutron.conf"
dest: "{{ neutron_conf_version_dir }}/dnsmasq-neutron.conf"
owner: "root"
group: "{{ neutron_system_group_name }}"
mode: "0640"
@ -189,7 +189,7 @@
- name: Generate neutron bgpvpn networking configuration
template:
src: "networking_bgpvpn.conf.j2"
dest: "{{ neutron_conf_dir }}/networking_bgpvpn.conf"
dest: "{{ neutron_conf_version_dir }}/networking_bgpvpn.conf"
owner: "root"
group: "{{ neutron_system_group_name }}"
mode: "0640"


@ -53,29 +53,18 @@
- name: Create neutron dir
file:
path: "{{ item.path | default(omit) }}"
src: "{{ item.src | default(omit) }}"
dest: "{{ item.dest | default(omit) }}"
state: "{{ item.state | default('directory') }}"
owner: "{{ item.owner | default(neutron_system_user_name) }}"
group: "{{ item.group | default(neutron_system_group_name) }}"
mode: "{{ item.mode | default(omit) }}"
force: "{{ item.force | default(omit) }}"
when:
- (item.condition | default(true)) | bool
with_items:
- path: "/openstack"
owner: "root"
group: "root"
- path: "{{ (neutron_install_method == 'distro') | ternary(neutron_conf_dir, (neutron_bin | dirname) + '/etc/neutron') }}"
- path: "{{ neutron_conf_version_dir }}"
mode: "0755"
# NOTE(cloudnull): The "src" path is relative. This ensures all files remain
# within the host/container confines when connecting to
# them using the connection plugin or the root filesystem.
- dest: "{{ neutron_conf_dir }}"
src: "{{ neutron_bin | dirname | regex_replace('^/', '../') }}/etc/neutron"
state: link
force: true
condition: "{{ neutron_install_method == 'source' }}"
- path: "/etc/sudoers.d"
mode: "0750"
owner: "root"
@ -87,14 +76,6 @@
mode: "0755"
- path: "{{ neutron_system_home_folder }}/ha_confs"
- name: Drop sudoers file
template:
src: "sudoers.j2"
dest: "/etc/sudoers.d/{{ neutron_system_user_name }}_sudoers"
mode: "0440"
owner: "root"
group: "root"
- name: Add dependency repos for Neutron
package:
name: "{{ neutron_repos }}"
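Review bot: The new `neutron_conf_version_dir` item in `Create neutron dir` sets only `mode: "0755"`, so it falls back to `owner: neutron_system_user_name`, and after this change that directory is where `rootwrap.conf` and `rootwrap.d` are written. A directory owned by the service user lets that user rename or replace root-owned entries inside it, which matters if `sudoers.j2` (not shown here) permits rootwrap to run against this path. Consider `owner: "root"` with `group: "{{ neutron_system_group_name }}"` on that item, assuming no service needs to create files there. The removed inline expression had the same default owner, so this predates the commit, but this is the natural place to tighten it.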


@ -122,6 +122,7 @@ neutron_venv_packages: >-
###
neutron_conf_dir: /etc/neutron
neutron_conf_version_dir: "{{ (neutron_install_method == 'distro') | ternary(neutron_conf_dir, (neutron_bin | dirname) + '/etc/neutron') }}"
neutron_lock_path: "/var/lock/neutron"
neutron_system_user_name: neutron
neutron_system_group_name: neutron
@ -348,7 +349,7 @@ neutron_services:
group: neutron_dhcp_agent
service_name: neutron-dhcp-agent
service_en: "{{ neutron_dhcp | bool }}"
service_conf_path: "{{ neutron_conf_dir }}"
service_conf_path: "{{ neutron_conf_version_dir }}"
service_conf: dhcp_agent.ini
service_rootwrap: rootwrap.d/dhcp.filters
execstarts: "{{ neutron_bin }}/neutron-dhcp-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/dhcp_agent.ini"
@ -360,7 +361,7 @@ neutron_services:
group: neutron_openvswitch_agent
service_name: neutron-openvswitch-agent
service_en: "{{ neutron_plugin_type in ['ml2.ovs', 'ml2.ovs.dvr'] }}"
service_conf_path: "{{ neutron_conf_dir }}"
service_conf_path: "{{ neutron_conf_version_dir }}"
service_conf: plugins/ml2/openvswitch_agent.ini
service_rootwrap: rootwrap.d/openvswitch-plugin.filters
execstarts: "{{ neutron_bin }}/neutron-openvswitch-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/openvswitch_agent.ini"
@ -372,7 +373,7 @@ neutron_services:
group: neutron_linuxbridge_agent
service_name: neutron-linuxbridge-agent
service_en: "{{ neutron_plugin_type == 'ml2.lxb' }}"
service_conf_path: "{{ neutron_conf_dir }}"
service_conf_path: "{{ neutron_conf_version_dir }}"
service_conf: plugins/ml2/linuxbridge_agent.ini
service_rootwrap: rootwrap.d/linuxbridge-plugin.filters
execstarts: "{{ neutron_bin }}/neutron-linuxbridge-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/linuxbridge_agent.ini"
@ -384,7 +385,7 @@ neutron_services:
group: neutron_metadata_agent
service_name: neutron-metadata-agent
service_en: "{{ neutron_metadata | bool }}"
service_conf_path: "{{ neutron_conf_dir }}"
service_conf_path: "{{ neutron_conf_version_dir }}"
service_conf: metadata_agent.ini
execstarts: "{{ neutron_bin }}/neutron-metadata-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metadata_agent.ini"
config_overrides: "{{ neutron_metadata_agent_ini_overrides }}"
@ -395,7 +396,7 @@ neutron_services:
group: neutron_metering_agent
service_name: neutron-metering-agent
service_en: "{{ neutron_metering | bool }}"
service_conf_path: "{{ neutron_conf_dir }}"
service_conf_path: "{{ neutron_conf_version_dir }}"
service_conf: metering_agent.ini
execstarts: "{{ neutron_bin }}/neutron-metering-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metering_agent.ini"
config_overrides: "{{ neutron_metering_agent_ini_overrides }}"
@ -407,7 +408,7 @@ neutron_services:
group: neutron_l3_agent
service_name: neutron-l3-agent
service_en: "{{ neutron_l3 | bool }}"
service_conf_path: "{{ neutron_conf_dir }}"
service_conf_path: "{{ neutron_conf_version_dir }}"
service_conf: l3_agent.ini
service_rootwrap: rootwrap.d/l3.filters
environment:
@ -421,7 +422,7 @@ neutron_services:
group: neutron_bgp_dragent
service_name: neutron-bgp-dragent
service_en: "{{ neutron_bgp | bool }}"
service_conf_path: "{{ neutron_conf_dir }}"
service_conf_path: "{{ neutron_conf_version_dir }}"
service_conf: bgp_dragent.ini
execstarts: "{{ neutron_bin }}/neutron-bgp-dragent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/bgp_dragent.ini"
config_overrides: "{{ neutron_bgp_dragent_ini_overrides }}"
@ -436,7 +437,7 @@ neutron_services:
group: neutron_l3_agent
service_name: neutron-vpn-agent
service_en: false
service_conf_path: "{{ neutron_conf_dir }}"
service_conf_path: "{{ neutron_conf_version_dir }}"
service_conf: vpnaas_agent.ini
service_rootwrap: rootwrap.d/vpnaas.filters
execstarts: "{{ neutron_bin }}/neutron-vpn-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/vpnaas_agent.ini"
@ -480,7 +481,7 @@ neutron_services:
group: neutron_sriov_nic_agent
service_name: neutron-sriov-nic-agent
service_en: "{{ 'ml2.sriov' in neutron_plugin_types }}"
service_conf_path: "{{ neutron_conf_dir }}"
service_conf_path: "{{ neutron_conf_version_dir }}"
service_conf: plugins/ml2/sriov_nic_agent.ini
execstarts: "{{ neutron_bin }}/neutron-sriov-nic-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/sriov_nic_agent.ini"
config_overrides: "{{ neutron_sriov_nic_agent_ini_overrides }}"
@ -499,7 +500,7 @@ neutron_services:
systemd_group_name: root
service_name: neutron-ovn-metadata-agent
service_en: "{{ neutron_plugin_type == 'ml2.ovn' }}"
service_conf_path: "{{ neutron_conf_dir }}"
service_conf_path: "{{ neutron_conf_version_dir }}"
service_conf: neutron_ovn_metadata_agent.ini
service_rootwrap: rootwrap.d/ovn-plugin.filters
execstarts: "{{ neutron_bin }}/neutron-ovn-metadata-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/neutron_ovn_metadata_agent.ini"
@ -543,11 +544,11 @@ neutron_role_project_group: neutron_all
neutron_core_files:
- tmp_f: "/tmp/api-paste.ini.original"
target_f: "{{ neutron_conf_dir }}/api-paste.ini"
target_f: "{{ neutron_conf_version_dir }}/api-paste.ini"
config_overrides: "{{ _neutron_api_paste_ini_overrides | combine(neutron_api_paste_ini_overrides, recursive=True) }}"
config_type: "ini"
- tmp_f: "/tmp/rootwrap.conf.original"
target_f: "{{ neutron_conf_dir }}/rootwrap.conf"
target_f: "{{ neutron_conf_version_dir }}/rootwrap.conf"
config_overrides: "{{ _neutron_rootwrap_conf_overrides | combine(neutron_rootwrap_conf_overrides, recursive=True) }}"
config_type: "ini"
owner: "root"