288 Commits

Author SHA1 Message Date
Zuul 47a7796066 Merge "Add variable to control distributed FIP choice" 2024-04-02 17:21:11 +00:00
Jimmy McCrory 66cdc8fa7c Use ansible_facts['processor_vcpus'] instead of fact variable
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/912768
Change-Id: If9fc16a7938a49d51dbd1110e908e3bda74e7adb
2024-03-13 13:41:18 +00:00
Dmitriy Rabotyagov 112d379094 Add variable to control distributed FIP choice
On OVN you can configure if Floating IPs should flow directly from compute
nodes or through gateway hosts.

While this parameter can be overridden with neutron_ml2_conf_ini_overrides variable,
it might be useful for some more advanced logic in follow-up patches.

Change-Id: Ib20cd013cbf396f14e88faabc36f012fc14c3f3a
2024-02-20 12:37:31 +00:00
Dmitriy Rabotyagov 4e855db6b2 Add VPNaaS OVN support
At the moment it's possible to deploy VPNaaS for non-OVN environments only.
OVN implementation is slightly different and requires a standalone agent to
run on gateway hosts, where OVN router is active.

This agent spawns namespaces as used to do and talks through RPC with API.

More detailed spec on the feature can be found here [1]. There's also
configuration reference in progress of writing [2].

[1] https://opendev.org/openstack/neutron-specs/src/branch/master/specs/xena/vpnaas-ovn.rst
[2] https://review.opendev.org/c/openstack/neutron-vpnaas/+/895651
Change-Id: Idb223ee0d8187f372682aafda1b8d6fd78cb71d1

Change-Id: Iad163ac7b032a97bd49164d94490b0f0deb83d90
2024-02-20 12:37:13 +00:00
Dmitriy Rabotyagov 601c66666f Run neutron OVN agents as neutron user
As of today we run some agents, like neutron-ovn-metadata agent as
root user, since it needs access to ovsdb socket, which has 750 permissions
by default.

With that, for OVN we already use connection via host:port to the same
ovsdb manager, which allows to run it as an arbitrary user.

In order to align connection methods and to run services with lower
privileges, we introduce a couple of new variables that allow creating valid
connection strings for both OpenFlow listeners and regular connection to the
manager.

Change-Id: Iceab27aa1fdacc8b13f7ef6974b6a9076b8b7cd9
2024-02-20 13:34:49 +01:00
Dmitriy Rabotyagov 70bb847605 Add Availability Zone variables
At the moment the only way to configure multi-AZ support in Neutron was
config overrides, which work quite nicely with LXB/OVS scenarios. However,
with OVN changing configuration is not enough, and command that sets
up OVN Gateway should provide extra CMS option.

In order to improve AZ support in Neutron role, we add a couple of variables
that control behaviour and allow to perform required configuration without
config overrides for OVS/LXB/OVN.

Co-Authored-By: Danila Balagansky <dbalagansky@me.com>
Closes-Bug: #2002040
Change-Id: Ic964329c06765176692f7b0c32f33ec46360a3fb
2024-01-03 15:03:27 +01:00
Dmitriy Rabotyagov 59697ba1c5 Deprecate OpenDaylight support
OpenDaylight support has been deprecated by Neutron team in 2023.2 [1]. We remove support from
our code to address that decision.

[1] 517df91c9e

Change-Id: Iaaf87b6d5400fe88c7edf86995ea9ba891866678
2023-10-05 14:48:53 +00:00
Dmitriy Rabotyagov 8ceea78a97 Fix linters and metadata
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect current state.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: I3905e334cfbeb7ccb976358016f81c5edd6cd284
2023-09-04 18:55:41 +02:00
Zuul 01da88f560 Merge "Add quorum queues support for the service" 2023-09-04 08:24:11 +00:00
Danila Balagansky d35c27bf71 Configure OVN NB and SB DB Connection probes
Allow configuration of `inactivity_probe` in Connection table in NB and
SB for new installations.

Issues which are successfully resolved by using this as a workaround:
1. https://www.mail-archive.com/ovs-discuss@openvswitch.org/msg07431.html
2. https://bugs.launchpad.net/kolla-ansible/+bug/1917484

According to the OVN ML, specifically this part [1], there is no other
way to set `inactivity_probe` other than using Connection table. And the
only valid option for it would be `0.0.0.0`, so that it could be applied
to all connections.

`ovn-ctl` forces `ovsdb-server` to look for addresses to listen on in
Connection table with `db-nb-use-remote-in-db` and
`db-sb-use-remote-in-db` options which are enabled by default.

If `db-nb-create-insecure-remote` and `db-sb-create-insecure-remote` are
set to `yes` (when `neutron_ovn_ssl` is `False`), this would result in
flooding OVN logs with `Address already in use` errors.

So we will rely on default value `no` for them from now on and only
listen on and with whatever options are provided in Connection tables.

[1] https://www.mail-archive.com/ovs-discuss@openvswitch.org/msg07476.html

Change-Id: If87cf7cfa1788d68c9a4013d7f4877692f2bb11c
2023-07-12 13:24:18 +03:00
Dmitriy Rabotyagov 89c24924dc Add quorum queues support for the service
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.

In order to ensure upgrade path and ability to switch back to HA queues
we change vhost names with removing leading `/`, as enabling quorum
requires to remove exchange which is tricky thing to do with running
services.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/875399
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/873618
Change-Id: I43840a397ea6da6c3187291a74591c2205e1dca1
2023-07-06 13:43:00 +00:00
Damian Dabrowski a68fe97981 Add TLS support to neutron_server backends
By overriding the variable `neutron_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the neutron backend api.

The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: I9f16f916d1ef3e5937c91f6b09a3d4073594ecb4
2023-04-29 18:42:54 +02:00
Jonathan Rosser 4d1889a233 Remove support for calico ml2 driver.
Change-Id: I25e28c678f69a1b2f067e6ce87f1b3134e6470d2
2022-12-06 12:28:17 +00:00
Zuul 05948f688d Merge "Set default plugin type to OVN" 2022-12-01 23:44:04 +00:00
Zuul b0db979c90 Merge "add ovn ssl config" 2022-12-01 11:23:56 +00:00
Dmitriy Rabotyagov fb8ff420ef Set default plugin type to OVN
We temporarily comment out default CI checks to resolve circular dependency

Needed-By: https://review.opendev.org/c/openstack/openstack-ansible/+/862924
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/866012
Change-Id: Ie4e76a270467b40b127bc3772d6178ea58acb83e
2022-11-30 16:39:37 +00:00
Marc Gariepy 556c5c6733 add ovn ssl config
Create ssl-certs for ovn deployment
ssl encryption is now enabled between neutron and ovn components.

Change-Id: If8ca3f2035ada97cff248ad49771eefab95c6c23
2022-11-30 16:03:14 +00:00
Marcus Klein 2d53620286 Allow to set dnsmasq configuration options
This is useful to work around
https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1974230 by setting
"no-negcache" into neutron_dhcp_config_list.

Change-Id: I1a0c1b5a125c72635efc89c9763aa41bfb503a3f
2022-11-23 15:19:59 +01:00
Zuul cce4be1037 Merge "Drop VPNAAS overrides variables" 2022-10-17 21:45:37 +00:00
Dmitriy Rabotyagov bd1db203a0 Revert "Remove the neutron-fwaas since it retired"
This reverts commit 5fb6ef370e.

Reason for revert: FWAAS has been revived in Zed with I14f551c199d9badcf25b9e65c954c012326d27cd

Change-Id: I45d6cd0f039c3fd2016e52df3607a5ac22956d0a
2022-10-14 08:03:37 +00:00
Dmitriy Rabotyagov 4451f1a46b Drop VPNAAS overrides variables
vpnaas is being configured in l3 agent config as of today. These
variables are not used anywhere down the code and are confusing.

Change-Id: I48798d848e9ebcb2579bc5cff9caefb75f28f55f
2022-10-11 09:02:08 +02:00
shahab taee 26b768ea5b Allow to provide custom configuration for VPNaaS
As we need to monitor vpn connection details, the only way to config vpnaas to log states and connections of vpn
is to provide own templates for VPNaaS configuration. With that we enable deployers to provide custom configuration
files for using with any vpn drivers (strongswan/openswan).

Co-Authored-By: Dmitriy Rabotyagov <noonedeadpunk@gmail.com>
Change-Id: I54dbd5c9690281af475312a277eab534403edf92
2022-06-18 10:00:36 +02:00
Dmitriy Rabotyagov ce9992335e Support service tokens
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.

Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/845903
Change-Id: Id2a50a1df6287789eeb59d6ed5246e2375d93b52
2022-06-16 06:50:16 +00:00
Andy McCrae bdd06c8448 Implement uWSGI for neutron-api
As part of the Pike goals we are moving api services to run as WSGI
apps. neutron-server service is set up as a wsgi app, and this patch
moves it over.

Since this is just a drop in replacement for the existing eventlet
service, operators and deployers should notice no difference.

Change-Id: Ia7ebd13be9ce7834679d439b7bda242805768ef8
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/820586
Implements: blueprint goal-deploy-api-in-wsgi
2022-05-27 18:34:38 +00:00
Andrew Bonney fb6284b257 Add parameters to limit the number of DHCP or L3 agents
At present the maximum number of DHCP or L3 agents per tenant
network is governed by the total number of agents which exist
in the deployment. When using L3 routed pods it may be necessary
to deploy extra DHCP agents, but each of these only has access
to a subset of the networks.

This patch adds optional parameters 'neutron_l3_agents_max' and
'neutron_dhcp_agents_max' which allow the number of agents used
per tenant network to be limited to match the deployment's
requirements.

Change-Id: I80e6206c54cf1876b5c6c273b948718d48d495ca
2022-04-07 11:41:05 +00:00
Andrew Bonney 01951cd77b Add configuration option for heartbeat_in_pthread
This configuration option has been observed to result in file
descriptor leaks in certain circumstances. A variable is added
here so that it can be easily overridden.

Change-Id: I833d72715daff81b64da077e899615b9b2002650
Related-Bug: #1961603
2022-03-15 10:39:52 +00:00
Jonathan Rosser 65016f2883 Remove legacy db pooling variables
Change-Id: Ie04bea4468c9fe789195857d9d47a02470cda6e3
2022-02-01 09:21:11 +00:00
Damian Dabrowski 2134df4c53 Database connection pooling improvements
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: I9609542a2d0de17c9e7a148f5a21ac1e47a390ac
2021-12-08 13:55:04 +00:00
Dmitriy Rabotyagov eb4ed919e1 Update Calico Felix version
Change-Id: I04a107244b259ebdad7ed0ca743cdbfc313fdb2a
2021-12-07 08:05:27 +02:00
Zuul 8752d02a9f Merge "Drop designate notifications topic" 2021-12-06 10:54:29 +00:00
Zuul 2d48102f5a Merge "Set default for neutron_local_ip" 2021-11-26 15:48:23 +00:00
Dmitriy Rabotyagov 821a43489d Drop designate notifications topic
According to Designate integration guide [1] notification queue is not
required anymore as all interaction happens through API.

[1] https://docs.openstack.org/neutron/latest/admin/config-dns-int-ext-serv.html

Change-Id: I7821dbfcb63f86274fca64e107cc5e4ec3983756
2021-11-25 15:50:33 +02:00
Dmitriy Rabotyagov 39dc90c99d Set default for neutron_local_ip
Move providing variable from integrated repo playbook to the role
defaults

Change-Id: Ibbd537281c716a1353fc20768ec1eb20e97edb62
2021-11-15 10:32:06 +02:00
James Denton 23964743a5 Implement ironic_neutron_agent and baremetal driver
This patch implements changes to support the ironic_neutron_agent
and baremetal plugin for Neutron (Ironic).

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/813006
Change-Id: If37161aaee17d72d9463b361489d5febac434e83
2021-10-27 10:43:13 +00:00
Dmitriy Rabotyagov 18024df25d Refactor galera_use_ssl behaviour
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.

Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.

[1] 78f0cf99e5/pymysql/connections.py (L267)

Change-Id: I1d9e22487272b1e1f0ce5f66045bc53d7c031d67
2021-09-20 17:57:22 +03:00
Satish Patel 454866176f Use list of cluster member for ovn ml2 agent to directly connect
Use list of cluster members in ovn/ml2 agent to directly talk to nb/sb
central services instead of using haproxy lb. ovn-controller agent
automatically monitors cluster members and removes them from list if
they are dead or not reachable. This is a better approach than using
haproxy lb.

Change-Id: Icb490225ff34354b3f5821c5f7a54a039091c924
2021-08-12 03:45:07 +00:00
Satish Patel 61459c64bb Add centos-8 support for ovs-dpdk
changed /var/lib/vhost_socket dir owner/group permission for centos-8 and
added openvswitch service name.

Change-Id: Idedbef8b70cb42588c9c9ace9530df84a5d1f6ff
2021-06-25 10:16:32 +00:00
Satish Patel d6198cdd32 Add ovn clustering support
This patch will add ovn clustering support. Basically it will use first
node to start cluster and then new nodes will use leader node to join
cluster.

Change-Id: I4b11d3484c99e538ecd6f7d05570486b5f59c782
2021-06-15 18:58:57 +00:00
Zuul d907f2360c Merge "Add variables for rabbitmq ssl configuration" 2021-05-18 13:47:52 +00:00
Jonathan Rosser 3546176dc7 Add variables for rabbitmq ssl configuration
Change-Id: I5674041a749c6c1521e43e8a2a5a5823ed9f87b6
2021-05-13 14:40:54 +00:00
Jonathan Rosser 0495f54875 Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: I9aaeee50a4d07159a7a8a886c27eceee04c162b9
2021-05-13 06:35:49 +01:00
Dmitriy Rabotyagov 7f2b7ea4f4 Use global dhcp_domain by default
Set neutron_dns_domain to the `dhcp_domain` value by default.

It is convenient to use single variable to adjust DHCP domain
configuration across services

Change-Id: I355078189598726e0fe349c7ee2320487cfc0e7a
2021-04-20 17:23:31 +03:00
Zuul 8be83f5d5d Merge "Remove neutron_keepalived_no_track variable" 2021-04-05 02:31:27 +00:00
Zuul e06c25eaa1 Merge "Adding support of subnet_dns_publish_fixed_ip extension in ml2 plugin" 2021-03-25 10:37:00 +00:00
Satish Patel 10e31ea1e2 Adding support of subnet_dns_publish_fixed_ip extension in ml2 plugin
The subnet-dns-publish-fixed-ip extension adds a new attribute to the definition of the subnet resource. When set to true it will allow publishing DNS records for fixed IPs from that subnet independent of the restrictions described in the [1].

[1] https://docs.openstack.org/neutron/latest/admin/config-dns-int-ext-serv.html

Change-Id: I095564cec0f5804e4d0ea9b5201ed40b9d9be603
2021-03-22 21:44:14 +00:00
James Denton d088ddf4b4 Remove third-party OVS NSH support in favor of built-in support
This patchset removes the ovs_nsh_support variable used to deploy
a custom-compiled release of Open vSwitch with NSH support in favor
of relying on built-in NSH support in recent releases of Open vSwitch[1].

[1] https://mail.openvswitch.org/pipermail/ovs-dev/2017-November/340716.html

Change-Id: If6456d2916982226bbdc5080ec58a47b6fb1ec8d
2021-03-16 08:56:55 +00:00
Dmitriy Rabotyagov da4924577f Remove neutron_keepalived_no_track variable
Neutron has deprecated [1] usage of keepalived_use_no_track since
it is capable of distinguishing when no_track should and where should not
be used.

[1] https://review.opendev.org/c/openstack/neutron/+/759657

Depends-On: I351b3f2ae458abc14a899768a04999ca10c86ea4
Change-Id: Ia343cdb2268ef19d0e6270322b4ba5b97a069673
2021-03-15 15:15:38 +02:00
Zuul dec952a0f6 Merge "Move neutron pip packages from constraints to requirements" 2021-03-12 20:33:33 +00:00
Jonathan Rosser a608842c0b Move neutron pip packages from constraints to requirements
This is necessary to support the new pip resolver.

Depends-On: I9be6bbf4a29a4da2ddf96dc0336bc2a7d8ec9281
Depends-On: I49c75dd11d6c4e8d37fe013b7ffdfd56ff193fcd
Change-Id: Ib17a2712993c6c7e3b5622fc944d7754dbb872ba
2021-03-11 09:23:53 +00:00
Jonathan Rosser 1dda1bda7d Switch default virtualenv to python3
Change-Id: Idfeaf2127fe2888b081b01d45dca5a3f85fc97f8
2021-03-10 23:16:15 +00:00