Commit Graph

459 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov 14094eb311 Restart OVN on certificate changes
In cases where certificates were regenerated for OVN, a service restart
is required in order to apply and use new certs.

We also provide a unique handler name to distinguish certs between the ones
installed for neutron-server and OVN.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/912768
Change-Id: Iedea6f1a67349bafecca5c792072fcd8f95cc546
2024-03-13 18:04:45 +00:00
Dmitriy Rabotyagov 4e855db6b2 Add VPNaaS OVN support
At the moment it's possible to deploy VPNaaS for non-OVN environments only.
The OVN implementation is slightly different and requires a standalone agent to
run on gateway hosts, where the OVN router is active.

This agent spawns namespaces as it used to do and talks to the API through RPC.

A more detailed spec on the feature can be found here [1]. There's also
a configuration reference that is still being written [2].

[1] https://opendev.org/openstack/neutron-specs/src/branch/master/specs/xena/vpnaas-ovn.rst
[2] https://review.opendev.org/c/openstack/neutron-vpnaas/+/895651
Change-Id: Idb223ee0d8187f372682aafda1b8d6fd78cb71d1

Change-Id: Iad163ac7b032a97bd49164d94490b0f0deb83d90
2024-02-20 12:37:13 +00:00
Dmitriy Rabotyagov cdcf7f15b0 Fix permissions for rootwrap files
At the moment we set 640 permissions on the /etc/neutron/rootwrap.d folder.
While this doesn't cause any issues right now, since root is still able to read the files in there,
it forces us to use root for services when it should not be needed.

Also, the playbook is not idempotent, as it changes permissions for the same
directory multiple times during a run.

The task for setting rootwrap permissions is removed, since its behaviour is
weird by design of the file module.
It can be applied only to directories, meaning that either the directory will not
have execution permissions or all files inside it will have the executable flag.

Change-Id: I577221e94d6cf9d940ee310757383cee24b80a03
2024-02-14 19:03:24 +01:00
Dmitriy Rabotyagov 70bb847605 Add Availability Zone variables
At the moment the only way to configure multi-AZ support in Neutron was
config overrides, which work quite nicely with LXB/OVS scenarios. However,
with OVN changing the configuration is not enough, and the command that sets
up the OVN Gateway should provide an extra CMS option.

In order to improve AZ support in the Neutron role, we add a couple of variables
that control behaviour and allow the required configuration to be performed without
config overrides for OVS/LXB/OVN.

Co-Authored-By: Danila Balagansky <dbalagansky@me.com>
Closes-Bug: #2002040
Change-Id: Ic964329c06765176692f7b0c32f33ec46360a3fb
2024-01-03 15:03:27 +01:00
Zuul 4423cfb8df Merge "Workaround ovs bug that resets hostname with add command" 2023-10-11 14:37:53 +00:00
Dmitriy Rabotyagov be3d0f3a49 Workaround ovs bug that resets hostname with add command
In Debian 12, OVS version 3.1.0 is used, which is affected
by the bug [1]. Until that is fixed, we're masking the ovs-record-hostname
service.

While this was fixed by an OVS version bump in Ubuntu and RHEL, it's still
an issue for Debian 12.

[1] https://bugs.launchpad.net/cloud-archive/+bug/2017757

Change-Id: I90454ba50840f7cb900586a7b870161a0f4adc01
2023-10-09 15:26:54 +00:00
Dmitriy Rabotyagov 59697ba1c5 Deprecate OpenDaylight support
OpenDaylight support has been deprecated by the Neutron team in 2023.2 [1]. We remove support from
our code to address that decision.

[1] 517df91c9e

Change-Id: Iaaf87b6d5400fe88c7edf86995ea9ba891866678
2023-10-05 14:48:53 +00:00
Andrew Bonney a190ae4f61 Fix conditional for non-OVN deployments
In an LXB environment, the neutron_ovn_controller group still
contains all of the compute nodes, which causes this task to
fail.

Change-Id: I7a63a79e8b9012c9f32b9316d9590ccd9e641c01
2023-09-28 08:20:34 +00:00
Zuul b399ac2a3c Merge "Fix typo for vpnaas_custom_config distribution" 2023-09-16 00:42:05 +00:00
James Denton 7c0ac931b0 Check length of network_mappings
The OVS bridge creation logic for OVN deployments may fail
when the provider bridge has not been defined. This patch uses
logic that exists in the OVS deployment scenario to check the
length of neutron_provider_networks.network_mappings to ensure
a value has been set before attempting to create the bridge.

Change-Id: I34256e4ad22169ae6907a3c40270cb714cf33466
2023-09-06 08:53:08 -05:00
Zuul 4abf3e9383 Merge "Retry applying OVN connection settings" 2023-09-06 12:34:16 +00:00
Dmitriy Rabotyagov 30ef7c945f Fix typo for vpnaas_custom_config distribution
The condition accidentally checked a group against `group_name`,
while this should be `group_names`. Right now, if neutron_vpnaas_custom_config
is defined, the role will fail with an undefined variable.

Change-Id: Ia5b44729858dd9f742f1094f46e3cde1ceb70495
2023-09-06 12:05:57 +02:00
Zuul 733c4cf8c5 Merge "Fix linters and metadata" 2023-09-06 00:31:43 +00:00
Zuul ed54ffde67 Merge "Revert "Workaround ovs bug that resets hostname with add command"" 2023-09-05 18:38:27 +00:00
Dmitriy Rabotyagov 8ceea78a97 Fix linters and metadata
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with the linter rules we're applying changes to the role.

With that we also update the metadata to reflect the current state.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: I3905e334cfbeb7ccb976358016f81c5edd6cd284
2023-09-04 18:55:41 +02:00
Jonathan Rosser ab19186dad Retry applying OVN connection settings
This task runs immediately after one which may start the OVN
services and the unix socket files may not yet be present
when the command is run to configure the connection settings.

Introduce retries to the task to give time for the services to
start and the sockets to exist.

See https://paste.opendev.org/show/bPgVSIHyVPY5MwC373Zj/

Change-Id: I286169ca9ec493ef9ff1923249336cdc168619d0
2023-09-04 16:16:02 +01:00
Marc Gariepy a3c09f159b Stop haproxy on ovn-controller nodes
include ovn-controller nodes.

Change-Id: I122a7e2df0d546c18e4ec607abeb36cb0cec196f
2023-08-21 13:32:57 +00:00
Dmitriy Rabotyagov 0a5e0de6b0 Revert "Workaround ovs bug that resets hostname with add command"
This reverts commit 74b0884fc2.

Reason for revert: UCA and OVS SIG have updated package and marked corresponding bugs as resolved.

Change-Id: Idbb9f4ee84a075bfa6e7e63c8d5b81951ce0ae65
2023-08-17 15:41:31 +00:00
Danila Balagansky d35c27bf71 Configure OVN NB and SB DB Connection probes
Allow configuration of `inactivity_probe` in Connection table in NB and
SB for new installations.

Issues which are successfully resolved by using this as a workaround:
1. https://www.mail-archive.com/ovs-discuss@openvswitch.org/msg07431.html
2. https://bugs.launchpad.net/kolla-ansible/+bug/1917484

According to the OVN ML, specifically this part [1], there is no other
way to set `inactivity_probe` other than using Connection table. And the
only valid option for it would be `0.0.0.0`, so that it could be applied
to all connections.

`ovn-ctl` forces `ovsdb-server` to look for addresses to listen on in
Connection table with `db-nb-use-remote-in-db` and
`db-sb-use-remote-in-db` options which are enabled by default.

If `db-nb-create-insecure-remote` and `db-sb-create-insecure-remote` are
set to `yes` (when `neutron_ovn_ssl` is `False`), this would result in
flooding OVN logs with `Address already in use` errors.

So we will rely on the default value `no` for them from now on and only
listen on the addresses, and with the options, provided in the Connection tables.

[1] https://www.mail-archive.com/ovs-discuss@openvswitch.org/msg07476.html

Change-Id: If87cf7cfa1788d68c9a4013d7f4877692f2bb11c
2023-07-12 13:24:18 +03:00
Dmitriy Rabotyagov d0c37ede9f Drop OVN package installation from ovn_config
OVN packages are installed as a part of the common package installation,
as they're appended during neutron_package_list population. So
there should be no need for another set of tasks that install
these packages.

Change-Id: I119dd30b6e11e9ba373367a1b65d56d723ef0b45
2023-05-22 17:18:01 +00:00
Dmitriy Rabotyagov d58bdb151a Ensure OVN is restarted on package update
Change-Id: I851a81d47e2ab985213f711ccd81a6870f42317b
Needed-By: https://review.opendev.org/c/openstack/openstack-ansible/+/879890
2023-05-22 17:17:55 +00:00
Zuul e9ef1f0707 Merge "Add TLS support to neutron_server backends" 2023-05-03 11:41:36 +00:00
Damian Dabrowski a68fe97981 Add TLS support to neutron_server backends
By overriding the variable `neutron_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the neutron backend api.

The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: I9f16f916d1ef3e5937c91f6b09a3d4073594ecb4
2023-04-29 18:42:54 +02:00
Dmitriy Rabotyagov 74b0884fc2 Workaround ovs bug that resets hostname with add command
In the UCA repo for Antelope, OVS version 3.1.0 is used, which is affected
by the bug [1]. Until that is fixed, we're masking the ovs-record-hostname
service.

[1] https://bugs.launchpad.net/cloud-archive/+bug/2017757

Change-Id: Iead62b464a68bbfcffb0e79a4db004760287e89b
2023-04-27 08:51:53 +00:00
Dmitriy Rabotyagov 956896e8a7 Use include instead of import for conditional tasks
When import is used, ansible loads the imported role or tasks, which
results in plenty of skipped tasks that also consume time. With
includes, ansible does not try to load the play, so time is not wasted on
skipping things.

Change-Id: I50b99306a52f1a2379e55f390653b274afd5885f
2023-04-13 17:16:07 +00:00
Dmitriy Rabotyagov f1a8c35853 Workaround ovs bug that resets hostname with add command
After RDO bumped the OVS version to 3.1 from 2.17, CentOS/Rocky fails
tempest testing because the systemd unit calls add for the hostname [1],
while `ovs-vsctl add` in 3.1 actually behaves exactly as `set`, which
simply resets the defined hostname on each service restart. To avoid that
we're adding the `--no-record-hostname` flag that will prevent such
behaviour.

[1] https://github.com/openvswitch/ovs/blob/branch-3.1/utilities/ovs-ctl.in#L51

Change-Id: I8bee1850e3a120f7b76f586909e6d74361696e32
Related-Bug: #2013189
2023-03-30 17:48:01 +00:00
Dmitriy Rabotyagov d083bfcc55 Generate OVN certs only for OVN scenario
At the moment we're generating OVN certificates regardless of
the scenario, which produces unnecessary changes.

Change-Id: Ie870aa656c467b21441a38cebf7c6a075342d50f
2023-01-27 15:30:38 +00:00
Jonathan Rosser a6001b7a36 Remove "warn" parameter from command module
This is removed in ansible 2.14.

Change-Id: I454908a306bfa5d6311261448ebefab6df1b20a7
2023-01-19 21:25:55 +00:00
Marc Gariepy c5e00f91f7 Disable dhcp-agent and metadata-agent for OVN
OVN doesn't need the neutron-metadata-agent and
neutron-dhcp-agent services.

Change-Id: I58e94199a32ad300b3f70861dc7804f34518c8c2
2023-01-18 13:58:28 +00:00
Dmitriy Rabotyagov 3faa793469 Do not provision neutron config when not needed
With [1] we merged not installing the neutron venv and packages
when they're not required, for example on ovn_northd. At the same
time we still try to provision config files that are not needed there.
Moreover, the role is failing as the smart_sources bits rely on the neutron venv's
existence.

[1] https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/863546

Change-Id: I59050f09577df790119e552e39cd38463755b36f
2022-12-09 14:52:48 +00:00
Zuul fa974be047 Merge "Remove support for calico ml2 driver." 2022-12-09 11:02:23 +00:00
Zuul c00039c7b0 Merge "Separate OVN gateway functions from ovn-controllers" 2022-12-09 00:26:26 +00:00
James Denton 3d9a20b69b Separate OVN gateway functions from ovn-controllers
This patch aims for the following:

- Update docs for OVN to expand on supported scenarios
- Split out the OVN gateway chassis from the OVN controller group.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/862924
Change-Id: I14859a19f386676fd687ea601f2d31298cf35e84
2022-12-06 17:10:57 +00:00
Jonathan Rosser 4d1889a233 Remove support for calico ml2 driver.
Change-Id: I25e28c678f69a1b2f067e6ce87f1b3134e6470d2
2022-12-06 12:28:17 +00:00
Marc Gariepy e74d486424 Do not install neutron venv if not needed.
Change-Id: I3675cbb5e7e9b37fce47d995e69edde945c1b581
2022-12-03 19:14:24 +00:00
Marc Gariepy 556c5c6733 add ovn ssl config
Create ssl-certs for the ovn deployment.
SSL encryption is now enabled between neutron and ovn components.

Change-Id: If8ca3f2035ada97cff248ad49771eefab95c6c23
2022-11-30 16:03:14 +00:00
Danila Balagansky 61cd240918 Disable/stop/mask Open vSwitch on ovn-northd nodes
There is no need to configure and run Open vSwitch (data-plane) services
on `neutron-ovn-northd` (control-plane) nodes.

Change-Id: I6fdc5b0e212a8b21fc576639a2a82dfe3324244e
2022-10-28 07:53:48 +00:00
Zuul 5baba40337 Merge "Avoid ovs restart during package upgrade" 2022-10-18 16:16:14 +00:00
Dmitriy Rabotyagov 435440a495 Avoid ovs restart during package upgrade
When installing/upgrading packages (like ovs) a race condition may occur
when neutron-ovs-agent tries to restore the mesh while ovs is shutting
down. This results in errors in neutron-ovs-agent like:
ovsdb-client: tcp:127.0.0.1:6640: Open_vSwitch database was removed
ovsdbapp.exceptions.TimeoutException: TXN queue is full

In order to prevent that we disable the ability to restart services on
package installation/upgrade, and instead do that with a handler after
neutron-ovs-agent gets stopped.

Change-Id: I4bd717c35e030aa1ede21d9a01460037d1ab070c
2022-10-14 08:08:13 +00:00
Jonathan Rosser d42c065003 Use ansible_facts[] rather than ansible_ variables
Change-Id: Idd4bd35e1bbeb30b9dfa8c9b7a39acfd14bfd6ac
2022-10-05 18:12:50 +01:00
Zuul f2df86fb26 Merge "Remove redundant vars line" 2022-09-20 19:50:50 +00:00
Erik Berg f933dace9f Remove redundant vars line
This line snuck in with Ic4c4ef1083b4f1842a586dd8611f8ee9f2ba7dad
probably to bring it in line with other OSA roles, but should already
be covered by the distribution_major_version line above.

Change-Id: I3d54f093df0ca6113c60d8ceaf6ef278b336ed1f
2022-09-14 13:05:01 +02:00
Zuul 37b11c5b11 Merge "Convert include to include_tasks" 2022-09-06 11:02:56 +00:00
Kevin Carter 4c88b486fc Convert include to include_tasks
Include is deprecated, additionally include_tasks is now faster.

Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Change-Id: Ifd04358878aacce0b8236f01b9b53aaaba8a95d5
2022-09-03 21:12:28 -05:00
Danila Balagansky 7ab11796ee Dynamic ovn-encap-type configuration
Set ovn-encap-type to intersection of
`neutron_provider_networks.network_types.split` and ovn-controllers supported
tunnel types.

Change-Id: I2f385466dccd9aee734685ad488cf12194ae00d9
Related-Bug: #1951517
2022-09-02 16:09:57 +00:00
shahab taee 26b768ea5b Allow to provide custom configuration for VPNaaS
As we need to monitor vpn connection details, the only way to configure vpnaas to log states and connections of the vpn
is to provide our own templates for the VPNaaS configuration. With that we enable deployers to provide custom configuration
files for use with any vpn drivers (strongswan/openswan).

Co-Authored-By: Dmitriy Rabotyagov <noonedeadpunk@gmail.com>
Change-Id: I54dbd5c9690281af475312a277eab534403edf92
2022-06-18 10:00:36 +02:00
Dmitriy Rabotyagov ce9992335e Support service tokens
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming the corresponding variable.

Additionally, service_type is now defined for keystone_authtoken, which
enables validating tokens with restricted access rules.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/845903
Change-Id: Id2a50a1df6287789eeb59d6ed5246e2375d93b52
2022-06-16 06:50:16 +00:00
Andy McCrae bdd06c8448 Implement uWSGI for neutron-api
As part of the Pike goals we are moving api services to run as WSGI
apps. neutron-server service is set up as a wsgi app, and this patch
moves it over.

Since this is just a drop-in replacement for the existing eventlet
service, operators and deployers should notice no difference.

Change-Id: Ia7ebd13be9ce7834679d439b7bda242805768ef8
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/820586
Implements: blueprint goal-deploy-api-in-wsgi
2022-05-27 18:34:38 +00:00
Zuul 82fe765f09 Merge "Do not deploy api-paste for CentOS distro deployment" 2022-04-26 13:44:54 +00:00
Dmitriy Rabotyagov de24a98646 Do not deploy api-paste for CentOS distro deployment
RDO stopped shipping the api-paste file for glance, so we can't provide it
anymore. To avoid maintaining it for this use case we simply stop
provisioning it for this path as well.

Change-Id: I9ba7f373e16a16d13f3a42484931a6f67dcfca89
2022-04-20 16:25:47 +02:00