In cases where certificates were regenerated for OVN, a service restart
is required in order to apply and use new certs.
We provide also a unique handler name to distinguish certs between ones
installed for neutron-server and OVN.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/912768
Change-Id: Iedea6f1a67349bafecca5c792072fcd8f95cc546
At the moment it's possible to deploy VPNaaS for non-OVN environemnts only.
OVN implementation is slighly different and requires a standalone agent to
run on gateway hosts, where OVN router is active.
This agent spawns namespaces as used to do and talks through RPC with API.
More detailed spec on the feature can be found here [1]. There's also
configuration reference in progress of writing [2].
[1] https://opendev.org/openstack/neutron-specs/src/branch/master/specs/xena/vpnaas-ovn.rst
[2] https://review.opendev.org/c/openstack/neutron-vpnaas/+/895651
Change-Id: Idb223ee0d8187f372682aafda1b8d6fd78cb71d1
Change-Id: Iad163ac7b032a97bd49164d94490b0f0deb83d90
At the moment we set 640 permissions to /etc/neutron/rootwrap.d folder.
While it doesn't cause any issues right now, since root still able to read files in there,
but this makes us to use root for services when it should not be needed.
Also playbook is not idempotent, as it changes permissions for same
directory multiple times during runtime.
Task for setting rootwrap permissions is removed, since it's behaviour is
weird by design of file module.
It can be applied only to directories, meaning that either directory will not
have execution permissions or all files inisde it will have executable flag.
Change-Id: I577221e94d6cf9d940ee310757383cee24b80a03
At the moment the only way to configure multi-AZ support in Neutron were
config overrides, which work quite nicely with LXB/OVS scenarios. However,
with OVN changing configuration is not enough, and command that sets
up OVN Gateway should provide extra CMS option.
In order to improve AZ support in Neutron role, we add couple of variables
that control behaviour and allow to perform required configuration without
config overrides for OVS/LXB/OVN.
Co-Authored-By: Danila Balagansky <dbalagansky@me.com>
Closes-Bug: #2002040
Change-Id: Ic964329c06765176692f7b0c32f33ec46360a3fb
In Debian 12 OVS version to 3.1.0 is used that is affected
by the bug [1]. Until that is fixed, we're masking ovs-record-hostname
service.
While this was fixed be OVS version bump in Ubuntu and RHEL, it's still
an issue for Debian 12.
[1] https://bugs.launchpad.net/cloud-archive/+bug/2017757
Change-Id: I90454ba50840f7cb900586a7b870161a0f4adc01
OpenDaylight support has been deprecated by Neutron team in 2023.2 [1]. We remove support from
our code to address that decision.
[1] 517df91c9e
Change-Id: Iaaf87b6d5400fe88c7edf86995ea9ba891866678
In an LXB environment, the neutron_ovn_controller group still
contains all of the compute nodes, which causes this task to
fail.
Change-Id: I7a63a79e8b9012c9f32b9316d9590ccd9e641c01
The OVS bridge creation logic for OVN deployments may fail
when the provider bridge has not been defined. This patch uses
logic that exists in the OVS deployment scenario to check the
length of neutron_provider_networks.network_mappings to ensure
a value has been set before attempting to create the bridge.
Change-Id: I34256e4ad22169ae6907a3c40270cb714cf33466
Accidentally condition was to check a group against `group_name`,
while this should be `group_names`. Right now in case of definition
neutron_vpnaas_custom_config role will fail with undefined variable.
Change-Id: Ia5b44729858dd9f742f1094f46e3cde1ceb70495
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metdata to reflect current state.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: I3905e334cfbeb7ccb976358016f81c5edd6cd284
This task runs immediately after one which may start the OVN
services and the unix socket files may not yet be present
when the command is run to configure the connection settings.
Introduce retires to the task to give time for the services to
start and the sockets to exist.
See https://paste.opendev.org/show/bPgVSIHyVPY5MwC373Zj/
Change-Id: I286169ca9ec493ef9ff1923249336cdc168619d0
This reverts commit 74b0884fc2.
Reason for revert: UCA and OVS SIG have updated package and marked corresponding bugs as resolved.
Change-Id: Idbb9f4ee84a075bfa6e7e63c8d5b81951ce0ae65
Allow configuration of `inactivity_probe` in Connection table in NB and
SB for new installations.
Issues, which successfully resolve by using this as a workaround:
1. https://www.mail-archive.com/ovs-discuss@openvswitch.org/msg07431.html
2. https://bugs.launchpad.net/kolla-ansible/+bug/1917484
According to the OVN ML, specifically this part [1], there is no other
way to set `inactivity_probe` other than using Connection table. And the
only valid option for it would be `0.0.0.0`, so that it could be applied
to all connections.
`ovn-ctl` forces `ovsdb-server` to look for addresses to listen on in
Connection table with `db-nb-use-remote-in-db` and
`db-sb-use-remote-in-db` options which are enabled by default.
If `db-nb-create-insecure-remote` and `db-sb-create-insecure-remote` are
set to `yes` (when `neutron_ovn_ssl` is `False`), this would result in
flooding OVN logs with `Address already in use` errors.
So we will rely on default value `no` for them from now on and only
listen on and with whatever options are provided in Connection tables.
[1] https://www.mail-archive.com/ovs-discuss@openvswitch.org/msg07476.html
Change-Id: If87cf7cfa1788d68c9a4013d7f4877692f2bb11c
OVN packages are isntalled as a part of common package installation
as they're appended during neutron_package_list population. So
there should be no need in having another set of tasks that install
these packages.
Change-Id: I119dd30b6e11e9ba373367a1b65d56d723ef0b45
By overriding the variable `neutron_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the neutron backend api.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: I9f16f916d1ef3e5937c91f6b09a3d4073594ecb4
In UCA repo for Antelope OVS version to 3.1.0 is used that is affected
by the bug [1]. Until that is fixed, we're masking ovs-record-hostname
service.
[1] https://bugs.launchpad.net/cloud-archive/+bug/2017757
Change-Id: Iead62b464a68bbfcffb0e79a4db004760287e89b
When import is used ansible loads imported role or tasks which
results in plenty of skipped tasks which also consume time. With
includes ansible does not try to load play so time not wasted on
skipping things.
Change-Id: I50b99306a52f1a2379e55f390653b274afd5885f
After RDO bumped OVS version to 3.1 from 2.17 CentOS/Rocky fails
tempest testing due to systemd unit calling adding hostname [1]
while ovs-vsctl add in 3.1 actually behaves exactly as `set` which
simply resets defined hostname on each service restart. To avoid that
we're adding `--no-record-hostname` flag that will prevent such
behaviour.
[1] https://github.com/openvswitch/ovs/blob/branch-3.1/utilities/ovs-ctl.in#L51
Change-Id: I8bee1850e3a120f7b76f586909e6d74361696e32
Related-Bug: #2013189
At the moment we're generating OVN certificates regardless of
the scenario which produces unnecesary changes.
Change-Id: Ie870aa656c467b21441a38cebf7c6a075342d50f
With [1] we merged not installing neutron venv and packages
when it's not required, for example on ovn_northd. At the same
time we still try to provision config files that are not needed there.
Moreover, role is failing as smart_sources bits are relying on neutron venv
existance.
[1] https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/863546
Change-Id: I59050f09577df790119e552e39cd38463755b36f
This patch aims for the following:
- Update docs for OVN to expand on supported scenarios
- Split out the OVN gateway chassis from the OVN controller group.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/862924
Change-Id: I14859a19f386676fd687ea601f2d31298cf35e84
Create ssl-certs for ovn deployment
ssl encryption is now enabled between neutron and ovn componants.
Change-Id: If8ca3f2035ada97cff248ad49771eefab95c6c23
There is no need to configure and run Open vSwitch (data-plane) services
on `neutron-ovn-northd` (control-plane) nodes.
Change-Id: I6fdc5b0e212a8b21fc576639a2a82dfe3324244e
When installing/upgrading packages (like ovs) a race-condition may occur
when neutron-ovs-agent tries to restore mesh while ovs is being spawning
down. This results in errors in neutron-ovs-agent like:
ovsdb-client: tcp:127.0.0.1:6640: Open_vSwitch database was removed
ovsdbapp.exceptions.TimeoutException: TXN queue is full
In order to prevent that we disable ablity to restart services on
package installation/upgrade, but do that with handler after
neutron-ovs-agent get stopped.
Change-Id: I4bd717c35e030aa1ede21d9a01460037d1ab070c
This line snuck in with Ic4c4ef1083b4f1842a586dd8611f8ee9f2ba7dad
probably to bring it in line with other OSA roles, but should already
be covered by the distribution_major_version line above.
Change-Id: I3d54f093df0ca6113c60d8ceaf6ef278b336ed1f
Include is deprecated, additionally include_tasks is now faster.
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Change-Id: Ifd04358878aacce0b8236f01b9b53aaaba8a95d5
Set ovn-encap-type to intersection of
`neutron_provider_networks.network_types.split` and ovn-controllers supported
tunnel types.
Change-Id: I2f385466dccd9aee734685ad488cf12194ae00d9
Related-Bug: #1951517
As we need to monitor vpn connection detailes, the only way to config vpnaas to log states and connections of vpn
is to provide own templates for VPNaaS configuration. With that we enable deployers to provide custom configuration
files for using with any vpn drivers (stronswan/openswan).
Co-Authored-By: Dmitriy Rabotyagov <noonedeadpunk@gmail.com>
Change-Id: I54dbd5c9690281af475312a277eab534403edf92
As part of the Pike goals we are moving api services to run as WSGI
apps. neutron-server service is set up as a wsgi app, and this patch
moves it over.
Since this is just a drop in replacement for the existing eventlet
service, operators an deployers should notice no difference.
Change-Id: Ia7ebd13be9ce7834679d439b7bda242805768ef8
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/820586
Implements: blueprint goal-deploy-api-in-wsgi
RDO stopped shipping api-paste file for glance, so we can't provide it
anymore. To avoid maintaining it for this usecase we simply stop
provisioning as well for this path.
Change-Id: I9ba7f373e16a16d13f3a42484931a6f67dcfca89