Restructure the vpnaas roles

As neutron-vpnaas-agent has been loaded just inside of the existing l3 agent rather than requiring operators to run a completely different binary with a subclass of the existing L3 agent[1]. We need restructure this role to fit with this new feature. [1] https://review.openstack.org/488247 Depends-On: I47cd8ba5a14da3c76d5b1eb0b4c0cf0c729eb2ff Change-Id: Id690a652bc9facf1c3e39358f548ab7ddd967d80 Implements: blueprint restructure-neutron-vpnaas Closes-Bug: #1731498
2017-12-25 18:20:17 +08:00 · 2017-12-25 18:20:17 +08:00 · 102f4b8f4a
parent 2fcdbfd3f5
commit 102f4b8f4a
16 changed files with 22 additions and 214 deletions
--- a/ansible/inventory/all-in-one
+++ b/ansible/inventory/all-in-one
@ -296,9 +296,6 @@ neutron
 [neutron-metadata-agent:children]
 neutron

-[neutron-vpnaas-agent:children]
-neutron
-
 [neutron-bgp-dragent:children]
 neutron

--- a/ansible/inventory/multinode
+++ b/ansible/inventory/multinode
@ -315,9 +315,6 @@ neutron
 [neutron-metadata-agent:children]
 neutron

-[neutron-vpnaas-agent:children]
-neutron
-
 [neutron-bgp-dragent:children]
 neutron

--- a/ansible/roles/neutron/defaults/main.yml
+++ b/ansible/roles/neutron/defaults/main.yml
@ -24,13 +24,11 @@ neutron_services:
      or inventory_hostname in groups['neutron-dhcp-agent']
      or inventory_hostname in groups['neutron-l3-agent']
      or inventory_hostname in groups['neutron-metadata-agent']
-      or inventory_hostname in groups['neutron-vpnaas-agent']
      and not enable_nova_fake | bool
      ) or
      ( inventory_hostname in groups['neutron-dhcp-agent']
      or inventory_hostname in groups['neutron-l3-agent']
      or inventory_hostname in groups['neutron-metadata-agent']
-      or inventory_hostname in groups['neutron-vpnaas-agent']
      and enable_nova_fake | bool
      )
      }}
@ -71,7 +69,6 @@ neutron_services:
      or inventory_hostname in groups['neutron-dhcp-agent']
      or inventory_hostname in groups['neutron-l3-agent']
      or inventory_hostname in groups['neutron-metadata-agent']
-      or inventory_hostname in groups['neutron-vpnaas-agent']
      }}
    volumes:
      - "{{ node_config_directory }}/neutron-linuxbridge-agent/:{{ container_config_directory }}/:ro"
@ -96,7 +93,7 @@ neutron_services:
    container_name: "neutron_l3_agent"
    image: "{{ neutron_l3_agent_image_full }}"
    privileged: True
-    enabled: "{{ not enable_neutron_vpnaas | bool and neutron_plugin_agent not in ['vmware_nsxv', 'vmware_dvs'] and not enable_opendaylight_l3 | bool }}"
+    enabled: "{{ neutron_plugin_agent not in ['vmware_nsxv', 'vmware_dvs'] and not enable_opendaylight_l3 | bool }}"
    host_in_groups: >-
      {{
      inventory_hostname in groups['neutron-l3-agent']
@ -148,19 +145,6 @@ neutron_services:
      - "/run/:/run/:shared"
      - "neutron_metadata_socket:/var/lib/neutron/kolla/"
      - "kolla_logs:/var/log/kolla/"
-  neutron-vpnaas-agent:
-    container_name: "neutron_vpnaas_agent"
-    image: "{{ neutron_vpnaas_agent_image_full }}"
-    privileged: True
-    enabled: "{{ enable_neutron_vpnaas | bool and neutron_plugin_agent not in ['vmware_nsxv', 'vmware_dvs'] }}"
-    group: "neutron-vpnaas-agent"
-    host_in_groups: "{{ inventory_hostname in groups['neutron-vpnaas-agent'] }}"
-    volumes:
-      - "{{ node_config_directory }}/neutron-vpnaas-agent/:{{ container_config_directory }}/:ro"
-      - "/etc/localtime:/etc/localtime:ro"
-      - "/run:/run:shared"
-      - "/lib/modules:/lib/modules:ro"
-      - "kolla_logs:/var/log/kolla/"
  neutron-bgp-dragent:
    container_name: "neutron_bgp_dragent"
    image: "{{ neutron_bgp_dragent_image_full }}"
@ -221,10 +205,6 @@ neutron_server_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{
 neutron_server_tag: "{{ neutron_tag }}"
 neutron_server_image_full: "{{ neutron_server_image }}:{{ neutron_server_tag }}"

-neutron_vpnaas_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ neutron_install_type }}-neutron-vpnaas-agent"
-neutron_vpnaas_agent_tag: "{{ neutron_tag }}"
-neutron_vpnaas_agent_image_full: "{{ neutron_vpnaas_agent_image }}:{{ neutron_vpnaas_agent_tag }}"
-
 neutron_bgp_dragent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ neutron_install_type }}-neutron-bgp-dragent"
 neutron_bgp_dragent_tag: "{{ neutron_tag }}"
 neutron_bgp_dragent_image_full: "{{ neutron_bgp_dragent_image }}:{{ neutron_bgp_dragent_tag }}"
@ -318,6 +298,8 @@ l3_agent_extensions:
    enabled: "{{ enable_neutron_fwaas | bool and neutron_fwaas_version == 'v1' }}"
  - name: "fwaas_v2"
    enabled: "{{ enable_neutron_fwaas | bool and neutron_fwaas_version == 'v2' }}"
+  - name: "vpnaas"
+    enabled: "{{ enable_neutron_vpnaas | bool }}"

 neutron_l3_agent_extensions: "{{ l3_agent_extensions | selectattr('enabled', 'equalto', true) | list }}"

--- a/ansible/roles/neutron/handlers/main.yml
+++ b/ansible/roles/neutron/handlers/main.yml
@ -170,6 +170,7 @@
    neutron_conf: "{{ neutron_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
    neutron_l3_agent_ini: "{{ neutron_l3_agent_inis.results|selectattr('item.key', 'equalto', service_name)|first }}"
    neutron_fwaas_driver_ini: "{{ neutron_fwaas_driver_inis.results|selectattr('item.key', 'equalto', service_name)|first }}"
+    neutron_vpnaas_conf: "{{ neutron_vpnaas_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"

    policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
    neutron_l3_agent_container: "{{ check_neutron_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
@ -188,6 +189,7 @@
      or neutron_conf | changed
      or neutron_l3_agent_ini | changed
      or neutron_fwaas_driver_ini | changed
+      or neutron_vpnaas_conf | changed
      or policy_json | changed
      or neutron_l3_agent_wrapper | changed
      or neutron_l3_agent_container | changed
@ -269,38 +271,6 @@
      or policy_json | changed
      or neutron_metadata_agent_container | changed

- name: Restart neutron-vpnaas-agent container
-  vars:
-    service_name: "neutron-vpnaas-agent"
-    service: "{{ neutron_services[service_name] }}"
-    config_json: "{{ neutron_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    neutron_conf: "{{ neutron_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    neutron_vpnaas_conf: "{{ neutron_vpnaas_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    neutron_l3_agent_ini: "{{ neutron_l3_agent_inis.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    neutron_fwaas_driver_ini: "{{ neutron_fwaas_driver_inis.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    neutron_vpnaas_agent_container: "{{ check_neutron_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
-  kolla_docker:
-    action: "recreate_or_restart_container"
-    common_options: "{{ docker_common_options }}"
-    name: "{{ service.container_name }}"
-    image: "{{ service.image }}"
-    volumes: "{{ service.volumes }}"
-    privileged: "{{ service.privileged | default(False) }}"
-  when:
-    - action != "config"
-    - service.enabled | bool
-    - service.host_in_groups | bool
-    - config_json | changed
-      or neutron_conf | changed
-      or neutron_vpnaas_conf | changed
-      or neutron_l3_agent_ini | changed
-      or neutron_fwaas_driver_ini | changed
-      or neutron_vpnaas_agent_ini | changed
-      or policy_json | changed
-      or neutron_vpnaas_agent_wrapper | changed
-      or neutron_vpnaas_agent_container | changed
-
 - name: Restart neutron-bgp-dragent container
  vars:
    service_name: "neutron-bgp-dragent"
--- a/ansible/roles/neutron/tasks/bootstrap_service.yml
+++ b/ansible/roles/neutron/tasks/bootstrap_service.yml
@ -40,28 +40,6 @@
  run_once: True
  delegate_to: "{{ groups[neutron_lbaas_agent.group][0] }}"

- name: Running Neutron vpnaas bootstrap container
-  vars:
-    neutron_vpnaas_agent: "{{ neutron_services['neutron-vpnaas-agent'] }}"
-  kolla_docker:
-    action: "start_container"
-    common_options: "{{ docker_common_options }}"
-    detach: False
-    environment:
-      KOLLA_BOOTSTRAP:
-      KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
-    image: "{{ neutron_vpnaas_agent.image }}"
-    labels:
-      BOOTSTRAP:
-    name: "bootstrap_neutron_vpnaas_agent"
-    restart_policy: "never"
-    volumes: "{{ neutron_vpnaas_agent.volumes }}"
-  when:
-    - neutron_vpnaas_agent.enabled | bool
-    - neutron_vpnaas_agent.host_in_groups | bool
-  run_once: True
-  delegate_to: "{{ groups[neutron_vpnaas_agent.group][0] }}"
-
 - name: Running Neutron sfc bootstrap container
  vars:
    neutron_server: "{{ neutron_services['neutron-server'] }}"
--- a/ansible/roles/neutron/tasks/config.yml
+++ b/ansible/roles/neutron/tasks/config.yml
@ -3,7 +3,6 @@
  become: true
  vars:
    neutron_l3_agent: "{{ neutron_services['neutron-l3-agent'] }}"
-    neutron_vpnaas_agent: "{{ neutron_services['neutron-vpnaas-agent'] }}"
  sysctl: name={{ item.name }} value={{ item.value }} sysctl_set=yes
  with_items:
    - { name: "net.ipv4.ip_forward", value: 1}
@ -12,7 +11,6 @@
  when:
    - set_sysctl | bool
    - (neutron_l3_agent.enabled | bool and neutron_l3_agent.host_in_groups | bool)
-      or (neutron_vpnaas_agent.enabled | bool and  neutron_vpnaas_agent.host_in_groups | bool)

 - name: Ensuring config directories exist
  become: true
@ -54,7 +52,6 @@
      - "neutron-openvswitch-agent-xenapi"
      - "neutron-server"
      - "neutron-lbaas-agent"
-      - "neutron-vpnaas-agent"
      - "neutron-bgp-dragent"
      - "neutron-sriov-agent"
  merge_configs:
@ -103,7 +100,7 @@
    service_name: "{{ item.key }}"
    services_need_neutron_vpnaas_conf:
      - "neutron-server"
-      - "neutron-vpnaas-agent"
+      - "neutron-l3-agent"
  merge_configs:
    sources:
      - "{{ role_path }}/templates/neutron_vpnaas.conf.j2"
@ -226,7 +223,6 @@
    service_name: "{{ item.key }}"
    services_need_l3_agent_ini:
      - "neutron-l3-agent"
-      - "neutron-vpnaas-agent"
  merge_configs:
    sources:
      - "{{ role_path }}/templates/l3_agent.ini.j2"
@ -250,7 +246,6 @@
    services_need_fwaas_driver_ini:
      - "neutron-server"
      - "neutron-l3-agent"
-      - "neutron-vpnaas-agent"
  merge_configs:
    sources:
      - "{{ role_path }}/templates/fwaas_driver.ini.j2"
@ -302,24 +297,6 @@
  notify:
    - "Restart {{ service_name }} container"

- name: Copying over vpnaas_agent.ini
-  become: true
-  vars:
-    service_name: "neutron-vpnaas-agent"
-    neutron_vpnaas_agent: "{{ neutron_services[service_name] }}"
-  merge_configs:
-    sources:
-      - "{{ role_path }}/templates/vpnaas_agent.ini.j2"
-      - "{{ node_custom_config }}/neutron/vpnaas_agent.ini"
-    dest: "{{ node_config_directory }}/{{ service_name }}/vpnaas_agent.ini"
-    mode: "0660"
-  register: neutron_vpnaas_agent_ini
-  when:
-    - neutron_vpnaas_agent.enabled | bool
-    - neutron_vpnaas_agent.host_in_groups | bool
-  notify:
-    - "Restart {{ service_name }} container"
-
 - name: Copying over bgp_dragent.ini
  become: true
  vars:
@ -373,7 +350,6 @@
      - "neutron-openvswitch-agent-xenapi"
      - "neutron-server"
      - "neutron-lbaas-agent"
-      - "neutron-vpnaas-agent"
      - "neutron-bgp-dragent"
      - "neutron-sriov-agent"
  template:
@ -404,21 +380,6 @@
  notify:
    - "Restart {{ service_name }} container"

- name: Copy neutron-vpnaas-agent-wrapper script
-  become: true
-  vars:
-    service_name: "neutron-vpnaas-agent"
-    service: "{{ neutron_services[service_name] }}"
-  template:
-    src: neutron-vpnaas-agent-wrapper.sh.j2
-    dest: "{{ node_config_directory }}/{{ service_name }}/neutron-vpnaas-agent-wrapper.sh"
-  register: neutron_vpnaas_agent_wrapper
-  when:
-    - service.enabled | bool
-    - service.host_in_groups | bool
-  notify:
-    - "Restart {{ service_name }} container"
-
 # TODO check the environment change
 - name: Check neutron containers
  kolla_docker:
--- a/ansible/roles/neutron/templates/l3_agent.ini.j2
+++ b/ansible/roles/neutron/templates/l3_agent.ini.j2
@ -1,4 +1,5 @@
 #jinja2: trim_blocks: False
+{% set vpn_device_driver = 'neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver' if kolla_base_distro in ['ubuntu', 'debian'] else 'neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver'%}
 [DEFAULT]
 {% if enable_neutron_dvr | bool %}
 {% if inventory_hostname in groups['network'] %}
@ -21,6 +22,14 @@ ha_vrrp_health_check_interval = 5
 extensions = "{{ neutron_l3_agent_extensions|map(attribute='name')|join(',') }}"
 {% endif %}

+{% if enable_neutron_vpnaas | bool %}
+[ipsec]
+enable_detailed_logging = {{ neutron_logging_debug }}
+
+[vpnagent]
+vpn_device_driver = {{ vpn_device_driver }}
+{% endif %}
+
 [ovs]
 ovsdb_interface = native
 ovsdb_connection = tcp:127.0.0.1:{{ ovsdb_port }}
--- a/ansible/roles/neutron/templates/neutron-l3-agent-wrapper.sh.j2
+++ b/ansible/roles/neutron/templates/neutron-l3-agent-wrapper.sh.j2
@ -11,5 +11,6 @@ neutron-netns-cleanup \

 neutron-l3-agent \
        --config-file /etc/neutron/neutron.conf \
+        --config-file /etc/neutron/neutron_vpnaas.conf \
        --config-file /etc/neutron/l3_agent.ini \
        --config-file /etc/neutron/fwaas_driver.ini
--- a/ansible/roles/neutron/templates/neutron-l3-agent.json.j2
+++ b/ansible/roles/neutron/templates/neutron-l3-agent.json.j2
@ -13,6 +13,12 @@
            "owner": "neutron",
            "perm": "0600"
        },
+        {
+            "source": "{{ container_config_directory }}/neutron_vpnaas.conf",
+            "dest": "/etc/neutron/neutron_vpnaas.conf",
+            "owner": "neutron",
+            "perm": "0600"
+        },
        {
            "source": "{{ container_config_directory }}/fwaas_driver.ini",
            "dest": "/etc/neutron/fwaas_driver.ini",
--- a/ansible/roles/neutron/templates/neutron-vpnaas-agent-wrapper.sh.j2
+++ b/ansible/roles/neutron/templates/neutron-vpnaas-agent-wrapper.sh.j2
@ -1,17 +0,0 @@
-#!/bin/bash
-
-set -o errexit
-
-# NOTE(jeffrey4l): Remove all l3 related netns in case of multiple active routers in l3 high available mode.
-neutron-netns-cleanup \
-        --config-file /etc/neutron/neutron.conf \
-        --config-file /etc/neutron/fwaas_driver.ini \
-        --config-file /etc/neutron/l3_agent.ini \
-        --force --agent-type l3
-
-neutron-vpn-agent \
-        --config-file /etc/neutron/neutron.conf \
-        --config-file /etc/neutron/neutron_vpnaas.conf \
-        --config-file /etc/neutron/fwaas_driver.ini \
-        --config-file /etc/neutron/l3_agent.ini \
-        --config-file /etc/neutron/vpnaas_agent.ini
--- a/ansible/roles/neutron/templates/neutron-vpnaas-agent.json.j2
+++ b/ansible/roles/neutron/templates/neutron-vpnaas-agent.json.j2
@ -1,60 +0,0 @@
-{
-    "command": "/usr/local/bin/neutron-vpnaas-agent-wrapper.sh",
-    "config_files": [
-        {
-            "source": "{{ container_config_directory }}/neutron-vpnaas-agent-wrapper.sh",
-            "dest": "/usr/local/bin/neutron-vpnaas-agent-wrapper.sh",
-            "owner": "root",
-            "perm": "0755"
-        },
-        {
-            "source": "{{ container_config_directory }}/neutron.conf",
-            "dest": "/etc/neutron/neutron.conf",
-            "owner": "neutron",
-            "perm": "0600"
-        },
-        {
-            "source": "{{ container_config_directory }}/neutron_vpnaas.conf",
-            "dest": "/etc/neutron/neutron_vpnaas.conf",
-            "owner": "neutron",
-            "perm": "0600"
-        },
-        {
-            "source": "{{ container_config_directory }}/fwaas_driver.ini",
-            "dest": "/etc/neutron/fwaas_driver.ini",
-            "owner": "neutron",
-            "perm": "0600"
-        },
-        {
-            "source": "{{ container_config_directory }}/l3_agent.ini",
-            "dest": "/etc/neutron/l3_agent.ini",
-            "owner": "neutron",
-            "perm": "0600"
-        },
-        {
-            "source": "{{ container_config_directory }}/vpnaas_agent.ini",
-            "dest": "/etc/neutron/vpnaas_agent.ini",
-            "owner": "neutron",
-            "perm": "0600"
-        },
-        {
-            "source": "{{ container_config_directory }}/policy.json",
-            "dest": "/etc/neutron/policy.json",
-            "owner": "neutron",
-            "perm": "0600",
-            "optional": true
-        }
-    ],
-    "permissions": [
-        {
-            "path": "/var/log/kolla/neutron",
-            "owner": "neutron:neutron",
-            "recurse": true
-        },
-        {
-            "path": "/var/lib/neutron/kolla",
-            "owner": "neutron:neutron",
-            "recurse": true
-        }
-    ]
-}
--- a/ansible/roles/neutron/templates/vpnaas_agent.ini.j2
+++ b/ansible/roles/neutron/templates/vpnaas_agent.ini.j2
@ -1,8 +0,0 @@
-{% set vpn_device_driver = 'neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver' if kolla_base_distro in ['ubuntu', 'debian'] else 'neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver'%}
-[DEFAULT]
-
-[ipsec]
-enable_detailed_logging = {{ neutron_logging_debug }}
-
-[vpnagent]
-vpn_device_driver = {{ vpn_device_driver }}
--- a/ansible/roles/openvswitch/defaults/main.yml
+++ b/ansible/roles/openvswitch/defaults/main.yml
@ -14,7 +14,6 @@ openvswitch_services:
      or inventory_hostname in groups['neutron-dhcp-agent']
      or inventory_hostname in groups['neutron-l3-agent']
      or inventory_hostname in groups['neutron-metadata-agent']
-      or inventory_hostname in groups['neutron-vpnaas-agent']
      }}
    volumes:
      - "{{ node_config_directory }}/openvswitch-db-server/:{{ container_config_directory }}/:ro"
@ -35,7 +34,6 @@ openvswitch_services:
      or inventory_hostname in groups['neutron-dhcp-agent']
      or inventory_hostname in groups['neutron-l3-agent']
      or inventory_hostname in groups['neutron-metadata-agent']
-      or inventory_hostname in groups['neutron-vpnaas-agent']
      }}
    privileged: True
    volumes:
--- a/ansible/roles/ovs-dpdk/defaults/main.yml
+++ b/ansible/roles/ovs-dpdk/defaults/main.yml
@ -15,7 +15,6 @@ ovsdpdk_services:
      or inventory_hostname in groups['neutron-dhcp-agent']
      or inventory_hostname in groups['neutron-l3-agent']
      or inventory_hostname in groups['neutron-metadata-agent']
-      or inventory_hostname in groups['neutron-vpnaas-agent']
      }}
    volumes:
      - "{{ node_config_directory }}/ovsdpdk-db/:{{ container_config_directory }}/:ro"
@ -35,7 +34,6 @@ ovsdpdk_services:
      or inventory_hostname in groups['neutron-dhcp-agent']
      or inventory_hostname in groups['neutron-l3-agent']
      or inventory_hostname in groups['neutron-metadata-agent']
-      or inventory_hostname in groups['neutron-vpnaas-agent']
      }}
    volumes:
      - "{{ node_config_directory }}/ovsdpdk-vswitchd/:{{ container_config_directory }}/:ro"
--- a/ansible/roles/ovs-dpdk/handlers/main.yml
+++ b/ansible/roles/ovs-dpdk/handlers/main.yml
@ -49,7 +49,6 @@
       or inventory_hostname in groups['neutron-dhcp-agent']
       or inventory_hostname in groups['neutron-l3-agent']
       or inventory_hostname in groups['neutron-metadata-agent']
-       or inventory_hostname in groups['neutron-vpnaas-agent'])
    - ovs_physical_port_policy == 'indexed'

 - name: Restart ovsdpdk-vswitchd container
@ -85,7 +84,6 @@
       or inventory_hostname in groups['neutron-dhcp-agent']
       or inventory_hostname in groups['neutron-l3-agent']
       or inventory_hostname in groups['neutron-metadata-agent']
-       or inventory_hostname in groups['neutron-vpnaas-agent'])
    - ovs_physical_port_policy == 'named'

 - name: wait for dpdk tunnel ip
@ -103,4 +101,3 @@
       or inventory_hostname in groups['neutron-dhcp-agent']
       or inventory_hostname in groups['neutron-l3-agent']
       or inventory_hostname in groups['neutron-metadata-agent']
-       or inventory_hostname in groups['neutron-vpnaas-agent'])
--- a/ansible/site.yml
+++ b/ansible/site.yml
@ -379,7 +379,6 @@
    - neutron-l3-agent
    - neutron-lbaas-agent
    - neutron-metadata-agent
-    - neutron-vpnaas-agent
    - compute
    - manila-share
  serial: '{{ serial|default("0") }}'