At the moment it's possible to deploy VPNaaS for non-OVN environments only.
The OVN implementation is slightly different and requires a standalone agent to
run on gateway hosts, where the OVN router is active.
This agent spawns namespaces as it used to and talks through RPC with the API.
A more detailed spec on the feature can be found here [1]. There's also a
configuration reference that is in the process of being written [2].
[1] https://opendev.org/openstack/neutron-specs/src/branch/master/specs/xena/vpnaas-ovn.rst
[2] https://review.opendev.org/c/openstack/neutron-vpnaas/+/895651
Change-Id: Idb223ee0d8187f372682aafda1b8d6fd78cb71d1
Change-Id: Iad163ac7b032a97bd49164d94490b0f0deb83d90
As of today we run some agents, like the neutron-ovn-metadata agent, as the
root user, since it needs access to the ovsdb socket, which has 750 permissions
by default.
With that, for OVN we already use a connection via host:port to the same
ovsdb manager, which allows running it as an arbitrary user.
In order to align connection methods and to run services with lower
privileges, we introduce a couple of new variables that allow creating valid
connection strings for both OpenFlow listeners and regular connections to the
manager.
Change-Id: Iceab27aa1fdacc8b13f7ef6974b6a9076b8b7cd9
At the moment the only way to configure multi-AZ support in Neutron was
config overrides, which work quite nicely with LXB/OVS scenarios. However,
with OVN changing the configuration is not enough, and the command that sets
up the OVN Gateway should provide an extra CMS option.
In order to improve AZ support in the Neutron role, we add a couple of variables
that control behaviour and allow performing the required configuration without
config overrides for OVS/LXB/OVN.
Co-Authored-By: Danila Balagansky <dbalagansky@me.com>
Closes-Bug: #2002040
Change-Id: Ic964329c06765176692f7b0c32f33ec46360a3fb
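The CMS option mentioned above is the `ovn-cms-options` key in the chassis' `external-ids`, which Neutron's OVN driver reads to decide whether a chassis is a gateway and which availability zones it belongs to. The following is an added example, not code from the openstack-ansible-os_neutron role; the function names and the shape of the arguments are this example's own. It composes the option value (gateway flag plus a `:`-separated AZ list), rejects AZ names that would corrupt the comma/colon-delimited format, and prints the `ovs-vsctl` command instead of running it so it can be executed on a host without Open vSwitch.

```shell
# Added example, not part of the openstack-ansible-os_neutron role.
# Builds the value stored in the chassis row as
#   external-ids:ovn-cms-options=enable-chassis-as-gw,availability-zones=az1:az2
# Function names and argument conventions are this example's own.

# ovn_cms_options GW_FLAG AZ_LIST
#   GW_FLAG: "yes" to mark the chassis as a gateway, anything else otherwise
#   AZ_LIST: space-separated AZ names (may be empty)
ovn_cms_options() {
    gw=$1
    azs=$2
    opts=""
    if [ "$gw" = "yes" ]; then
        opts="enable-chassis-as-gw"
    fi
    az_str=""
    for az in $azs; do
        # AZ names are joined with ':' and options with ',', so a name
        # containing either character would silently split the option string.
        case "$az" in
            *[:,]*) echo "ovn_cms_options: invalid AZ name '$az'" >&2; return 1 ;;
        esac
        az_str="${az_str:+$az_str:}$az"
    done
    if [ -n "$az_str" ]; then
        opts="${opts:+$opts,}availability-zones=$az_str"
    fi
    printf '%s\n' "$opts"
}

# ovn_cms_apply_cmd GW_FLAG AZ_LIST
# Prints (rather than executes) the ovs-vsctl command that writes the value
# into the local Open vSwitch database on the gateway host.
ovn_cms_apply_cmd() {
    val=$(ovn_cms_options "$1" "$2") || return 1
    printf 'ovs-vsctl set open . external-ids:ovn-cms-options="%s"\n' "$val"
}

# Usage: ovn_cms_apply_cmd yes "az1 az2"
```

Running `ovn_cms_apply_cmd yes "az1 az2"` prints the `ovs-vsctl set open .` command with `enable-chassis-as-gw,availability-zones=az1:az2`; pipe it to `sh` on the gateway host to apply it.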
OpenDaylight support has been deprecated by the Neutron team in 2023.2 [1]. We remove support from
our code to address that decision.
[1] 517df91c9e
Change-Id: Iaaf87b6d5400fe88c7edf86995ea9ba891866678
While <service>_galera_port is defined and used for the db_setup
role, it is in fact not used in the connection string for oslo.db.
Change-Id: I74735ad2f127a4c62d4e5c4d24dd1af76e5b76a3
Allow configuration of `inactivity_probe` in Connection table in NB and
SB for new installations.
Issues which are successfully resolved by using this as a workaround:
1. https://www.mail-archive.com/ovs-discuss@openvswitch.org/msg07431.html
2. https://bugs.launchpad.net/kolla-ansible/+bug/1917484
According to the OVN ML, specifically this part [1], there is no other
way to set `inactivity_probe` than using the Connection table. And the
only valid option for it would be `0.0.0.0`, so that it can be applied
to all connections.
`ovn-ctl` forces `ovsdb-server` to look for addresses to listen on in the
Connection table via the `db-nb-use-remote-in-db` and
`db-sb-use-remote-in-db` options, which are enabled by default.
If `db-nb-create-insecure-remote` and `db-sb-create-insecure-remote` are
set to `yes` (when `neutron_ovn_ssl` is `False`), this would result in
flooding the OVN logs with `Address already in use` errors.
So we will rely on the default value `no` for them from now on and only
listen on whatever addresses, and with whatever options, are provided in the Connection tables.
[1] https://www.mail-archive.com/ovs-discuss@openvswitch.org/msg07476.html
Change-Id: If87cf7cfa1788d68c9a4013d7f4877692f2bb11c
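Both the connection-string change (running agents as a non-root user over host:port instead of the 750-permission unix socket) and the Connection-table change above rely on the same OVS/OVN target syntax: an active client target is `PROTO:HOST:PORT`, a passive listener is `pPROTO:PORT:HOST`, and `ovn-nbctl`/`ovn-sbctl set-connection` takes that listener form together with `--inactivity-probe`. The block below is an added example, not code from the openstack-ansible-os_neutron role or from OVN; the function names are this example's own. It builds and validates targets, flags the case a practitioner should check before trading the unix socket for a network listener (a plaintext `ptcp` listener bound to anything other than loopback gives every host that can reach the port full OVSDB or OpenFlow control, which is why `neutron_ovn_ssl` and `pssl` matter), and prints the `set-connection` command rather than executing it so it runs on a host without OVN.

```shell
# Added example, not part of the openstack-ansible-os_neutron role.
# Target syntax accepted by ovs-vsctl set-manager/set-controller and by
# ovn-nbctl/ovn-sbctl set-connection:
#   active (client) target : PROTO:HOST:PORT    e.g. ssl:192.0.2.10:6641
#   passive (listener)     : pPROTO:PORT:HOST   e.g. pssl:6641:0.0.0.0
# Function names are this example's own.

# ovs_target PROTO MODE HOST PORT   (PROTO: tcp|ssl, MODE: active|passive)
ovs_target() {
    proto=$1; mode=$2; host=$3; port=$4
    case "$proto" in
        tcp|ssl) ;;
        *) echo "ovs_target: protocol must be tcp or ssl, got '$proto'" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "ovs_target: invalid port '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "ovs_target: port '$port' out of range" >&2; return 1
    fi
    case "$mode" in
        active)  printf '%s:%s:%s\n' "$proto" "$host" "$port" ;;
        passive) printf 'p%s:%s:%s\n' "$proto" "$port" "$host" ;;
        *) echo "ovs_target: mode must be active or passive" >&2; return 1 ;;
    esac
}

# ovs_target_is_exposed TARGET
# Returns 0 when TARGET is a plaintext listener bound to a non-loopback
# address: anything that can reach the port gets unauthenticated access.
ovs_target_is_exposed() {
    case "$1" in
        ptcp:*:127.*|ptcp:*:::1|ptcp:*:localhost) return 1 ;;
        ptcp:*) return 0 ;;
        *) return 1 ;;
    esac
}

# ovn_connection_cmd DB TARGET PROBE_MS   (DB: nb|sb)
# Prints the command that creates the Connection row with the inactivity
# probe (milliseconds; 0 disables it). Printed rather than executed.
ovn_connection_cmd() {
    db=$1; target=$2; probe=$3
    case "$db" in
        nb) tool=ovn-nbctl ;;
        sb) tool=ovn-sbctl ;;
        *) echo "ovn_connection_cmd: db must be nb or sb" >&2; return 1 ;;
    esac
    case "$probe" in
        ''|*[!0-9]*) echo "ovn_connection_cmd: probe must be an integer" >&2; return 1 ;;
    esac
    printf '%s --inactivity-probe=%s set-connection %s\n' "$tool" "$probe" "$target"
}

# Usage: build the NB listener and refuse to emit the command if it is exposed.
ovn_nb_listener_cmd() {
    t=$(ovs_target "$1" passive 0.0.0.0 6641) || return 1
    if ovs_target_is_exposed "$t"; then
        echo "refusing plaintext non-loopback listener $t" >&2; return 1
    fi
    ovn_connection_cmd nb "$t" "$2"
}
```

`ovn_nb_listener_cmd ssl 60000` prints `ovn-nbctl --inactivity-probe=60000 set-connection pssl:6641:0.0.0.0`, while `ovn_nb_listener_cmd tcp 60000` is refused because the `ptcp` listener on `0.0.0.0` would be reachable without authentication.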
This change implements and enables by default quorum support
for rabbitmq, as well as providing default variables to globally tune
its behaviour.
In order to ensure an upgrade path and the ability to switch back to HA queues,
we change vhost names by removing the leading `/`, as enabling quorum
requires removing the exchange, which is a tricky thing to do with running
services.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/875399
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/873618
Change-Id: I43840a397ea6da6c3187291a74591c2205e1dca1
By overriding the variable `neutron_backend_ssl: True`, HTTPS will
be enabled, disabling HTTP support on the neutron backend API.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: I9f16f916d1ef3e5937c91f6b09a3d4073594ecb4
Create SSL certs for the OVN deployment
SSL encryption is now enabled between neutron and OVN components.
Change-Id: If8ca3f2035ada97cff248ad49771eefab95c6c23
In cases where neutron_plugin_type is set to ml2.lxb we should explicitly
enable execution of LXB, since it's an experimental feature starting with Zed.
Change-Id: If4d4250528e39ba4c9f11713088fc2412ab9e5db
This reverts commit 5fb6ef370e.
Reason for revert: FWAAS has been revived in Zed with I14f551c199d9badcf25b9e65c954c012326d27cd
Change-Id: I45d6cd0f039c3fd2016e52df3607a5ac22956d0a
This patch will enable the fdb extension for the Open vSwitch agent
when ml2.sriov plugin type is enabled. This was implemented for the
linuxbridge agent originally and missed for the openvswitch agent.
Change-Id: Id7c6b916fdf804c43203c7d357b8fe53f60a7332
At present the maximum number of DHCP or L3 agents per tenant
network is governed by the total number of agents which exist
in the deployment. When using L3 routed pods it may be necessary
to deploy extra DHCP agents, but each of these only has access
to a subset of the networks.
This patch adds optional parameters 'neutron_l3_agents_max' and
'neutron_dhcp_agents_max' which allow the number of agents used
per tenant network to be limited to match the deployment's
requirements.
Change-Id: I80e6206c54cf1876b5c6c273b948718d48d495ca
This configuration option has been observed to result in file
descriptor leaks in certain circumstances. A variable is added
here so that it can be easily overridden.
Change-Id: I833d72715daff81b64da077e899615b9b2002650
Related-Bug: #1961603
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: I9609542a2d0de17c9e7a148f5a21ac1e47a390ac
Currently the metering agent is using the old import method;
use stevedore instead.
https://review.openstack.org/#/c/419881/ merged long ago.
Change-Id: I4e5b8734f00cfa98cb60a70cc85b6c8924d9b718
With the PKI role in place, in most cases you don't need to explicitly
provide a path to the CA file because the PKI role ensures that the CA is trusted
by the system overall. Meanwhile, in PyMySQL [1] you must either
provide a CA file or cert/key or enable verify.
Since the current behaviour is to provide a path to the custom CA, we expect the
certificate to be trusted overall. Thus we enable cert verification when
galera_use_ssl is True.
[1] 78f0cf99e5/pymysql/connections.py (L267)
Change-Id: I1d9e22487272b1e1f0ce5f66045bc53d7c031d67
Use a list of cluster members in the ovn/ml2 agent to directly talk to the nb/sb
central services instead of using the haproxy LB. The ovn-controller agent
automatically monitors cluster members and removes them from the list if
they are dead or not reachable. This is a better approach than using the
haproxy LB.
Change-Id: Icb490225ff34354b3f5821c5f7a54a039091c924
This patch will adjust some variables for the C8-Stream job to fix
OVN deployment for CentOS-8-Stream. Renamed ovn-central to
ovn-northd for a more generic name.
Change-Id: Ifdb773f9f539469e21d37075f6b88259eb1ffa3e
In OSA we recently moved all our LB endpoint VIPs to https, or all SSL,
and that broke ovn metadata, which was defaulting to http. This patch
will fix that and allow us to override the variable.
Change-Id: Ia9189adae01d8515e392abdbede7fd7b3f89e02e
This patch will add OVN clustering support. Basically it will use the first
node to start the cluster, and then new nodes will use the leader node to join
the cluster.
Change-Id: I4b11d3484c99e538ecd6f7d05570486b5f59c782
The subnet-dns-publish-fixed-ip extension adds a new attribute to the definition of the subnet resource. When set to true it will allow publishing DNS records for fixed IPs from that subnet independent of the restrictions described in [1].
[1] https://docs.openstack.org/neutron/latest/admin/config-dns-int-ext-serv.html
Change-Id: I095564cec0f5804e4d0ea9b5201ed40b9d9be603
Neutron has deprecated [1] usage of keepalived_use_no_track since
it is capable of distinguishing when no_track should and should not
be used.
[1] https://review.opendev.org/c/openstack/neutron/+/759657
Depends-On: I351b3f2ae458abc14a899768a04999ca10c86ea4
Change-Id: Ia343cdb2268ef19d0e6270322b4ba5b97a069673
Once we do not kill keepalived for the l3 agent, it might be useful to
override that. This is possible with neutron_l3_cleanup_on_shutdown.
When it is set to True, keepalived will be restarted by the l3 agent
except on the first service restart, where it will be killed by the handler,
since the config should be loaded first.
Change-Id: I9eea72d68398f9fd272b1e9ae0c0c0198336c2f5
Rename nova_metadata_* variables to neutron_nova_metadata_*
for less confusing names. At the same time these new variables will
have their defaults set to nova_metadata_*.
Change-Id: I073da66f9e395bbb99b1c21701c808f252c3a6cb
Until the neutron bug is fixed, we should control whether to use no_track
for keepalived or not, based on the distro version.
We should probably roll it back once the upstream bug gets fixed and bumped.
Change-Id: I539dfd90576b34693eb8e7aef9f97e64739700ae
Related-Bug: #1896506
Default variables are established to add NSX integration to OSA,
as well as documentation on how to implement the integration.
Change-Id: I9843fedf2463251f7663d4607932f029f86dbda2
During the transition from networking-ovn to the neutron tree, the name
of the metadata agent binary changed from networking-ovn-metadata-agent to
neutron-ovn-metadata-agent. This patch updates the service definition to
allow the metadata agent to function.
Change-Id: I69a4e5deed4b21e70afd7dac747375b81e98cb22