At the moment it's possible to deploy VPNaaS for non-OVN environemnts only.
OVN implementation is slighly different and requires a standalone agent to
run on gateway hosts, where OVN router is active.
This agent spawns namespaces as used to do and talks through RPC with API.
More detailed spec on the feature can be found here [1]. There's also
configuration reference in progress of writing [2].
[1] https://opendev.org/openstack/neutron-specs/src/branch/master/specs/xena/vpnaas-ovn.rst
[2] https://review.opendev.org/c/openstack/neutron-vpnaas/+/895651
Change-Id: Idb223ee0d8187f372682aafda1b8d6fd78cb71d1
Change-Id: Iad163ac7b032a97bd49164d94490b0f0deb83d90
The vpnaas rootwrap filters are out of date and therefore not
functional on the latest release of OpenStack Ansible.
This updates and adds all the missing ones so that it becomes
functional again.
Change-Id: Iadcb4c7451cd51526dfd96b305a9d0b1948ce8da
Dragonflow is no longer maintained as an OpenStack project [1]
and has therefore been removed from OpenStack-Ansible as a
supported ML2 driver for neutron.
[1] https://review.openstack.org/613856
Change-Id: Ia7042e5dd697611ef4d9148b6f345d5da887b2c5
We do not have a maintainer at the moment for SELinux and hopefully
we will adopt the upstream openstack-selinux package, but for now
in order to let deploys in environments where SELinux is set to
permissive work, we'll have to remove these bits.
This change can be reverted whenever we have a maintainer that's
available to do the work required.
Change-Id: I4c7b6a9c0d8ec1458a9396422d047e1327bb4d45
This commit provides baseline changes to the os_neutron role
to support Open Virtual Networking (OVN).
Change-Id: I9af0a1d70d3381f1e5e074aaf21b15cfb40a7b60
Implements: networking-ovn support
Partial-Bug: #1782625
The files and templates we carry are almost always in a state of
maintenance. The upstream services are maintaining these files and
there's really no reason we need to carry duplicate copies of them. This
change removes all of the files we expect to get from the upstream
service. while the focus of this change is to remove configuration file
maintenance burdens it also allows the role to execute faster.
* Source installs have the configuration files within the venv at
"<<VENV_PATH>>/etc/<<SERVICE_NAME>>". The role will now link the
default configuration path to this directory. When the service is
upgraded the link will move to the new venv path.
* Distro installs package all of the required configuration files.
To maintain our current capabilities to override configuration the
role will fetch files from the disk whenever an override is provided and
then push the fetched file back to the target using `config_template`.
Change-Id: I8fba4a1f70d7f5870ad81c8a84e3b1d15742c70f
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Within the SELinux policy file itself, the policy is referenced
as `osa-neutron`, but the filename for the policy did not match.
This patch fixes the filenames to match the policy name.
Closes-Bug: 1742552
Change-Id: I52901ac48f9a95d0fe6b010f5940b5c39fce1aba
The recent move to bare metal neutron agents brought the processes
spawned by each agent under the watch of SELinux policies. This
patch ensures that neutron can still start important daemons, such
as dnsmasq or haproxy, without causing SELinux AVCs.
Closes-Bug: 1742552
Change-Id: Id1ae9d2b43cd0fb4c38460501da24733b29566e2
Add a deployment for Dragonflow, when neutron_plugin_type is ml2.dragonflow.
Change-Id: Id5184845d18461c6c37a560cdc0404c8a487c020
Co-Authored-By: Omer Anson <omer.anson@toganetworks.com>
Port 8000 is the heat metadata url that some heat resources
use for running heat-related hooks inside an instance.
Without this rule communication between the instance and the
service will fail.
This patch adds the checksum fix to the script implemented
in https://review.openstack.org/326396
Change-Id: I4aaec3f2921c2341dfd57577995e32c9ef038f2c
Also update the rootwrap filter config file copy task to handle
looking up rootwrap filter files using 'with_fileglob' to avoid
having to maintain the task with each addition or removal of these
files.
Change-Id: I57ea565bfdcd1d5c02e5fa1fec499e420e67a083
It is moved to the Nova role where libvirt/qemu is managed in
Id2cfa3353543fecd55f1135abad89f07071e2f60.
Depends-On: Id2cfa3353543fecd55f1135abad89f07071e2f60
Change-Id: Ib2d2056962e38f6fa4f96785a333413bf2c2fead
Integrate deployment for Project Calico's Neutron networking
plugin into the os_neutron role.
See http://docs.openstack.org/developer/networking-calico/
for more information about Calico.
Change-Id: I80546b6deefe0878398716d173b7dcc36c3bef3a
When running in an AIO, we need to implement an iptables rule in any
neutron_agent containers to that ensure instances can communicate with
the neutron metadata service. This is necessary because in an AIO
environment there are no physical interfaces involved in instance ->
metadata requests, and this results in the checksums being incorrect.
This is a necessary patch in order to work towards getting rid of the
run-playbooks.sh script in the integrated repository. With this patch
in place we will be able to set the AIO to activate this code path by
setting 'neutron_metadata_checksum_fix: True' in the AIO's
user_variables.yml, forgoing the needs to implement this in a bash
script.
Change-Id: I008bfdb2960800845703e721b38640b7434d1404
https://review.openstack.org/#/c/148718/ has been merged so including
the post-up-checksum-rules script is no longer necessary. A new task has
been added so that the script will be removed during upgrades from Liberty.
Tests have been added to ensure that the dhcp agent is active, that the
dhcp network namespace is being created as expected, and that this
iptables rule is being created within that namespace.
The unconfined apparmor profile has also been applied to the neutron
test container so that it has the permissions required to create network
namespaces.
Change-Id: I068d091873d2744b0849b0d52a8083e129841b1b
This updates the repository SHA's to use stable/mitaka where
available and updated SHA's where not.
It also updates all paste, policy and rootwrap configurations
to match the current contents found in stable/mitaka.
Change-Id: If1ad0e508866d2f6022ab2f20ce991733cebd384
This patch does the following:
- updates the Master SHAs for new development work.
- includes updates to policy, paste and rootwrap files as required
- moves the Aodh repository to openstack_services as it now has
implemented a stable branch
- Updated the keystone-wsgi file as it was still running the code from
liberty
- add 2 package requirements to keystone which must be present for the
new wsgi file.
- updates tempest.conf.j2 to replace ssh_auth_method with auth_method,
and change auth_method to 'keypair' (configured is no longer an
a valid option)
Change-Id: I933c24c03518865d9d40519dafb2ba46769a5453
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This patch includes the updates to the configuration files for
Neutron for the Liberty release.
Files Removed:
- rootwrap.d/nec-plugin.filters
- rootwrap.d/ryu-plugin.filters
Variables removed due to upstream deprecation:
- neutron_l3_router_delete_namespaces
- neutron_dhcp_delete_namespaces
Defaults changed to match new upstream defaults:
- neutron_driver_network_scheduler
- neutron_driver_quota
Upgrade Notes:
- The LinuxBridge configuration has been seperated out from
plugins/ml2/ml2_conf.ini to plugins/ml2/linuxbridge_agent.ini
- prevent_arp_spoofing is now set to the upstream default, which
is True.
DocImpact
UpgradeImpact
Closes-Bug: #1482756
Implements: blueprint liberty-release
Change-Id: I879fd37db2e699bc3d48bcdd65ec7888b0f3f1a9
This commit conditionally allows the os_neutron role to
install build and deploy within a venv. This is the new
default behavior of the role however the functionality
can be disabled.
In this PR, like all of the other venv related PRs, the
`is_metal` flag was removed from the role however unlike
some of the other PRs this removal required moving some
of the `is_metal` logic out of the role and into the
play. This was done for consistency as well as making
the role more standalone. The only thing that the role
should care about, in terms of installation, is whether
or not to install in a venv.
Implements: blueprint enable-venv-support-within-the-roles
Change-Id: I85aadc43e1c21f296b2fb5932a17eddce57b9ece
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
The change modifies the neutron template tasks such that it's now
using the config_template action plugin. This change will make so that
config files can be dynamically updated, by a deployer, at run time,
without requiring the need to modify the in tree templates or defaults.
Partially implements: blueprint tunable-openstack-configuration
Change-Id: Ia9e4acdb86c1c61db182771658d6a175a4c45b38
This PR replaces the copy_update module with a proper Ansible action
plugin. This change allows for dynamic updates to configuration files
that are ini, json, and yaml.
All of the policy files have been moved to the role templates directories
and the task syntax has been updated to facilitate the new action plugin.
An entry has been added to the ansible.cfg file to inform Ansible to look
into the new directory. In order for the action plugin to work as a
"module" a virtual module was added to the library directory.
Change-Id: I80331628b2c3d426a95c89d9c1b766e2e3f70e6d
Partially implements: blueprint tunable-openstack-configuration
The will now run flake8 on all Python files and bashate on all shell
scripts. Right now I'm ignoring the bashate errors, since there were so
many of them. Follow up patches will start fixing those issues.
A few Python files had minor modifications to pass flake8.
Change-Id: I5f773eb6ea9f1311aa045951ff9bdad16cca6491
Neutron now uses ebtables as an extra security layer for ARP
spoof filtering. This patch adds the ebtables package and
rootwrap to the neutron role to ensure that the agent is able
to use this subsystem. Without it the networking from the
instances to the L3 router will fail.
Co-Authored-By: Evan Callicoat <diopter@gmail.com>
Closes-Bug: #1482756
Change-Id: Ibc960564a3acfbb10cfbc3cfe0ad60d3366d2443
Update neutron config and template files for Kilo release
Partially implements: blueprint master-kilofication
Change-Id: Ifeba7162ca935c86cdbaa2dac6f021af328b92bf
* Updated Keystone wsgi and paste files from upstream.
* Updated all clients in the openstack_client.yml file.
* Kilo services are tracking the head of master.
* Removed pinned middleware because they're pinned else where.
* Added additional service references for neutron vpnaas, fwaas, and
lbaas which have now been moved into their own repos and no longer
exist within the core neutron repository.
* The neutron vpnaas, fwaas, and lbaas have been removed from the
basic plugins being loaded and a comment has been added to describe
how one might add them back in.
* Updated rootwrap filters for neutron dhcp and l3.
* Updated heat policy.json
* Added the `python-libguestfs` to the nova-compute installation
packages.
* Updates all services to point to the latest kilo tag
Services updated due to deprecated configs:
* Keystone
* Glance
* Nova
* Neutron (is still using the deprecated nova auth plugin)
* Heat
* Tempest
Items for future work post initial release:
* roles/os_neutron/files/post-up-checksum-rules:25:
TODO(cloudnull) remove this script once the bug is fixed.
* roles/rabbitmq_server/tasks/rabbitmq_cluster_join.yml:17:
TODO(someone): implement a more robust way of checking
Implements: blueprint minimal-kilo
Closes-Bug: 1428421
Closes-Bug: 1428431
Closes-Bug: 1428437
Closes-Bug: 1428445
Closes-Bug: 1428451
Closes-Bug: 1428469
Closes-Bug: 1428639
Change-Id: I28a305d9e40a9cf70148ef7d7b00d467a65ca076
This change implements the blueprint to convert all roles and plays into
a more generic setup, following upstream ansible best practices.
Items Changed:
* All tasks have tags.
* All roles use namespaced variables.
* All redundant tasks within a given play and role have been removed.
* All of the repetitive plays have been removed in-favor of a more
simplistic approach. This change duplicates code within the roles but
ensures that the roles only ever run within their own scope.
* All roles have been built using an ansible galaxy syntax.
* The `*requirement.txt` files have been reformatted follow upstream
Openstack practices.
* Dynamically generated inventory is now more organized, this should assist
anyone who may want or need to dive into the JSON blob that is created.
In the inventory a properties field is used for items that customize containers
within the inventory.
* The environment map has been modified to support additional host groups to
enable the seperation of infrastructure pieces. While the old infra_hosts group
will still work this change allows for groups to be divided up into seperate
chunks; eg: deployment of a swift only stack.
* The LXC logic now exists within the plays.
* etc/openstack_deploy/user_variables.yml has all password/token
variables extracted into the separate file
etc/openstack_deploy/user_secrets.yml in order to allow seperate
security settings on that file.
Items Excised:
* All of the roles have had the LXC logic removed from within them which
should allow roles to be consumed outside of the `os-ansible-deployment`
reference architecture.
Note:
* the directory rpc_deployment still exists and is presently pointed at plays
containing a deprecation warning instructing the user to move to the standard
playbooks directory.
* While all of the rackspace specific components and variables have been removed
and or were refactored the repository still relies on an upstream mirror of
Openstack built python files and container images. This upstream mirror is hosted
at rackspace at "http://rpc-repo.rackspace.com" though this is
not locked to and or tied to rackspace specific installations. This repository
contains all of the needed code to create and/or clone your own mirror.
DocImpact
Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
Closes-Bug: #1403676
Implements: blueprint galaxy-roles
Change-Id: I03df3328b7655f0cc9e43ba83b02623d038d214e