Commit Graph

294 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov 4e855db6b2 Add VPNaaS OVN support
At the moment it's possible to deploy VPNaaS for non-OVN environments only.
The OVN implementation is slightly different and requires a standalone agent to
run on gateway hosts, where the OVN router is active.

This agent spawns namespaces as it used to do and talks through RPC with the API.

A more detailed spec on the feature can be found here [1]. There's also a
configuration reference in progress [2].

[1] https://opendev.org/openstack/neutron-specs/src/branch/master/specs/xena/vpnaas-ovn.rst
[2] https://review.opendev.org/c/openstack/neutron-vpnaas/+/895651
Change-Id: Idb223ee0d8187f372682aafda1b8d6fd78cb71d1

Change-Id: Iad163ac7b032a97bd49164d94490b0f0deb83d90
2024-02-20 12:37:13 +00:00
Dmitriy Rabotyagov 601c66666f Run neutron OVN agents as neutron user
As of today we run some agents, like the neutron-ovn-metadata agent, as the
root user, since it needs access to the ovsdb socket, which has 750 permissions
by default.

With that, for OVN we already use a connection via host:port to the same
ovsdb manager, which allows running it as an arbitrary user.

In order to align connection methods and to run services with lower privileges,
we introduce a couple of new variables that allow creating valid connection
strings for both OpenFlow listeners and the regular connection to the manager.

Change-Id: Iceab27aa1fdacc8b13f7ef6974b6a9076b8b7cd9
2024-02-20 13:34:49 +01:00
Dmitriy Rabotyagov 70bb847605 Add Availability Zone variables
At the moment the only way to configure multi-AZ support in Neutron was
config overrides, which work quite nicely with LXB/OVS scenarios. However,
with OVN changing the configuration is not enough, and the command that sets
up the OVN Gateway should provide an extra CMS option.

In order to improve AZ support in the Neutron role, we add a couple of variables
that control behaviour and allow performing the required configuration without
config overrides for OVS/LXB/OVN.

Co-Authored-By: Danila Balagansky <dbalagansky@me.com>
Closes-Bug: #2002040
Change-Id: Ic964329c06765176692f7b0c32f33ec46360a3fb
2024-01-03 15:03:27 +01:00
Dmitriy Rabotyagov 59697ba1c5 Deprecate OpenDaylight support
OpenDaylight support has been deprecated by Neutron team in 2023.2 [1]. We remove support from
our code to address that decision.

[1] 517df91c9e

Change-Id: Iaaf87b6d5400fe88c7edf86995ea9ba891866678
2023-10-05 14:48:53 +00:00
Zuul 01da88f560 Merge "Add quorum queues support for the service" 2023-09-04 08:24:11 +00:00
Dmitriy Rabotyagov 2b398f5f43 Use proper galera port in configuration
While <service>_galera_port is defined and used for db_setup
role, it's not in fact used in a connection string for oslo.db.

Change-Id: I74735ad2f127a4c62d4e5c4d24dd1af76e5b76a3
2023-08-07 07:05:15 +00:00
Danila Balagansky d35c27bf71 Configure OVN NB and SB DB Connection probes
Allow configuration of `inactivity_probe` in the Connection table in NB and
SB for new installations.

Issues which are successfully resolved by using this as a workaround:
1. https://www.mail-archive.com/ovs-discuss@openvswitch.org/msg07431.html
2. https://bugs.launchpad.net/kolla-ansible/+bug/1917484

According to the OVN ML, specifically this part [1], there is no other
way to set `inactivity_probe` than using the Connection table. And the
only valid option for it would be `0.0.0.0`, so that it could be applied
to all connections.

`ovn-ctl` forces `ovsdb-server` to look for addresses to listen on in
Connection table with `db-nb-use-remote-in-db` and
`db-sb-use-remote-in-db` options which are enabled by default.

If `db-nb-create-insecure-remote` and `db-sb-create-insecure-remote` are
set to `yes` (when `neutron_ovn_ssl` is `False`), this would result in
flooding OVN logs with `Address already in use` errors.

So we will rely on the default value `no` for them from now on and only
listen on whatever addresses, and with whatever options, are provided in the
Connection tables.

[1] https://www.mail-archive.com/ovs-discuss@openvswitch.org/msg07476.html

Change-Id: If87cf7cfa1788d68c9a4013d7f4877692f2bb11c
2023-07-12 13:24:18 +03:00
Dmitriy Rabotyagov 89c24924dc Add quorum queues support for the service
This change implements and enables by default quorum support
for rabbitmq, as well as providing default variables to globally tune
its behaviour.

In order to ensure an upgrade path and the ability to switch back to HA queues,
we change vhost names by removing the leading `/`, as enabling quorum
requires removing the exchange, which is a tricky thing to do with running
services.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/875399
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/873618
Change-Id: I43840a397ea6da6c3187291a74591c2205e1dca1
2023-07-06 13:43:00 +00:00
Damian Dabrowski a68fe97981 Add TLS support to neutron_server backends
By overriding the variable `neutron_backend_ssl: True`, HTTPS will
be enabled, disabling HTTP support on the neutron backend API.

The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: I9f16f916d1ef3e5937c91f6b09a3d4073594ecb4
2023-04-29 18:42:54 +02:00
James Denton e4c18905a9 Switch OVN Metadata Agent to journal logging
This patch enables logging to journal for the Neutron OVN
Metadata Agent service.

Change-Id: If1b73b1d14b1d3be4fdfad5a9b91d2f048a640e2
2022-12-06 14:03:39 +00:00
Zuul b0db979c90 Merge "add ovn ssl config" 2022-12-01 11:23:56 +00:00
Marc Gariepy 556c5c6733 add ovn ssl config
Create ssl-certs for the ovn deployment.
SSL encryption is now enabled between neutron and ovn components.

Change-Id: If8ca3f2035ada97cff248ad49771eefab95c6c23
2022-11-30 16:03:14 +00:00
Marcus Klein 2d53620286 Allow to set dnsmasq configuration options
This is useful to work around
https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1974230 by setting
"no-negcache" into neutron_dhcp_config_list.

Change-Id: I1a0c1b5a125c72635efc89c9763aa41bfb503a3f
2022-11-23 15:19:59 +01:00
Dmitriy Rabotyagov 1a0077705f Enable experimental execution of LXB if required
In cases when neutron_plugin_type is set to ml2.lxb we should explicitly
enable execution of LXB, since it's an experimental feature starting with Zed.

Change-Id: If4d4250528e39ba4c9f11713088fc2412ab9e5db
2022-10-25 13:01:56 +02:00
Dmitriy Rabotyagov bd1db203a0 Revert "Remove the neutron-fwaas since it retired"
This reverts commit 5fb6ef370e.

Reason for revert: FWAAS has been revived in Zed with I14f551c199d9badcf25b9e65c954c012326d27cd

Change-Id: I45d6cd0f039c3fd2016e52df3607a5ac22956d0a
2022-10-14 08:03:37 +00:00
Dmitriy Rabotyagov 1700cc37ca Deprecate allow_overlapping_ips option
This option has been deprecated and ignored by the service.

Change-Id: Icba65866407a142fb110d1ec25b9ebdcba75d821
2022-06-17 14:59:14 +00:00
Dmitriy Rabotyagov ce9992335e Support service tokens
Implement support for service_tokens. For that we convert
role_name to be a list, along with renaming the corresponding variable.

Additionally, service_type is now defined for keystone_authtoken, which
enables validating tokens with restricted access rules.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/845903
Change-Id: Id2a50a1df6287789eeb59d6ed5246e2375d93b52
2022-06-16 06:50:16 +00:00
Zuul c5ee345054 Merge "Support dns_domain_keywords extension" 2022-05-24 20:44:26 +00:00
James Denton 903b28829b Enable FDB extension for OVS Agent when using SR-IOV
This patch will enable the fdb extension for the Open vSwitch agent
when ml2.sriov plugin type is enabled. This was implemented for the
linuxbridge agent originally and missed for the openvswitch agent.

Change-Id: Id7c6b916fdf804c43203c7d357b8fe53f60a7332
2022-05-18 11:37:17 -05:00
Jonathan Rosser c0f6f603f0 Support dns_domain_keywords extension
Change-Id: I709abb91ac125edf2c63a85bd6af37f723e6bb6a
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/842153
Closes-Bug: 1973165
2022-05-17 16:34:34 +00:00
Andrew Bonney fb6284b257 Add parameters to limit the number of DHCP or L3 agents
At present the maximum number of DHCP or L3 agents per tenant
network is governed by the total number of agents which exist
in the deployment. When using L3 routed pods it may be necessary
to deploy extra DHCP agents, but each of these only has access
to a subset of the networks.

This patch adds optional parameters 'neutron_l3_agents_max' and
'neutron_dhcp_agents_max' which allow the number of agents used
per tenant network to be limited to match the deployment's
requirements.

Change-Id: I80e6206c54cf1876b5c6c273b948718d48d495ca
2022-04-07 11:41:05 +00:00
Andrew Bonney 01951cd77b Add configuration option for heartbeat_in_pthread
This configuration option has been observed to result in file
descriptor leaks in certain circumstances. A variable is added
here so that it can be easily overridden.

Change-Id: I833d72715daff81b64da077e899615b9b2002650
Related-Bug: #1961603
2022-03-15 10:39:52 +00:00
James Denton 6559b1f5de Change os_region to region_name
os_region is deprecated in favor of region_name. Fixes deprecation
notice.

Change-Id: Ia92e9c43157620bd89466d95a620898396def8b9
2021-12-30 23:42:49 +00:00
Damian Dabrowski 2134df4c53 Database connection pooling improvements
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: I9609542a2d0de17c9e7a148f5a21ac1e47a390ac
2021-12-08 13:55:04 +00:00
Zuul 8752d02a9f Merge "Drop designate notifications topic" 2021-12-06 10:54:29 +00:00
Dmitriy Rabotyagov ee144c110f Refactor definition of lock path
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819300
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/819298
Change-Id: I9bfda41d3916aa31249e36e8ac7cad9e0767d285
2021-11-30 12:08:48 +02:00
Dmitriy Rabotyagov 821a43489d Drop designate notifications topic
According to the Designate integration guide [1], the notification queue is not
required anymore, as all interaction happens through the API.

[1] https://docs.openstack.org/neutron/latest/admin/config-dns-int-ext-serv.html

Change-Id: I7821dbfcb63f86274fca64e107cc5e4ec3983756
2021-11-25 15:50:33 +02:00
Zuul 035357d0b8 Merge "Update metering agent to use interface_driver alias" 2021-11-22 20:07:26 +00:00
James Denton bb1ca2e87c Update metering agent to use interface_driver alias
Currently the metering agent is using the old import method;
use stevedore instead.

https://review.openstack.org/#/c/419881/ merged long ago.

Change-Id: I4e5b8734f00cfa98cb60a70cc85b6c8924d9b718
2021-11-17 03:09:01 +00:00
James Denton 23964743a5 Implement ironic_neutron_agent and baremetal driver
This patch implements changes to support the ironic_neutron_agent
and baremetal plugin for Neutron (Ironic).

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/813006
Change-Id: If37161aaee17d72d9463b361489d5febac434e83
2021-10-27 10:43:13 +00:00
Dmitriy Rabotyagov 18024df25d Refactor galera_use_ssl behaviour
With the PKI role in place, in most cases you don't need to explicitly
provide a path to the CA file, because the PKI role ensures that the CA is trusted
by the system overall. Meanwhile, in PyMySQL [1] you must either
provide a CA file or cert/key, or enable verify.

Since the current behaviour is to provide a path to the custom CA, we expect
the certificate to be trusted overall. Thus we enable cert verification when
galera_use_ssl is True.

[1] 78f0cf99e5/pymysql/connections.py (L267)

Change-Id: I1d9e22487272b1e1f0ce5f66045bc53d7c031d67
2021-09-20 17:57:22 +03:00
Satish Patel 454866176f Use list of cluster member for ovn ml2 agent to directly connect
Use a list of cluster members in the ovn/ml2 agent to directly talk to the nb/sb
central services instead of using the haproxy lb. The ovn-controller agent
automatically monitors cluster members and removes them from the list if
they are dead or not reachable. This is a better approach than using the
haproxy lb.

Change-Id: Icb490225ff34354b3f5821c5f7a54a039091c924
2021-08-12 03:45:07 +00:00
Satish Patel 97d409a911 Add support of OVN for CentOS-8-Stream
This patch will adjust some variables for the C8-Stream job to fix
OVN deployment for CentOS-8-Stream. Renamed ovn-central to
ovn-northd for a more generic name.

Change-Id: Ifdb773f9f539469e21d37075f6b88259eb1ffa3e
2021-08-12 03:44:45 +00:00
Satish Patel e5e3ccfae6 Fix OVN metadata protocol to point https
In OSA we recently moved all our LB endpoint VIPs to https or all SSL,
and that broke ovn metadata, which was using http by default. This patch
will fix that and allow us to override the variable.

Change-Id: Ia9189adae01d8515e392abdbede7fd7b3f89e02e
2021-08-10 15:17:09 +00:00
Satish Patel d6198cdd32 Add ovn clustering support
This patch will add ovn clustering support. Basically, it will use the first
node to start the cluster, and then new nodes will use the leader node to join
the cluster.

Change-Id: I4b11d3484c99e538ecd6f7d05570486b5f59c782
2021-06-15 18:58:57 +00:00
Jonathan Rosser 3546176dc7 Add variables for rabbitmq ssl configuration
Change-Id: I5674041a749c6c1521e43e8a2a5a5823ed9f87b6
2021-05-13 14:40:54 +00:00
Zuul 8be83f5d5d Merge "Remove neutron_keepalived_no_track variable" 2021-04-05 02:31:27 +00:00
Zuul e06c25eaa1 Merge "Adding support of subnet_dns_publish_fixed_ip extension in ml2 plugin" 2021-03-25 10:37:00 +00:00
Satish Patel 10e31ea1e2 Adding support of subnet_dns_publish_fixed_ip extension in ml2 plugin
The subnet-dns-publish-fixed-ip extension adds a new attribute to the definition of the subnet resource. When set to true it will allow publishing DNS records for fixed IPs from that subnet independent of the restrictions described in [1].

[1] https://docs.openstack.org/neutron/latest/admin/config-dns-int-ext-serv.html

Change-Id: I095564cec0f5804e4d0ea9b5201ed40b9d9be603
2021-03-22 21:44:14 +00:00
Dmitriy Rabotyagov da4924577f Remove neutron_keepalived_no_track variable
Neutron has deprecated [1] usage of keepalived_use_no_track, since
it is capable of distinguishing when no_track should and should not
be used.

[1] https://review.opendev.org/c/openstack/neutron/+/759657

Depends-On: I351b3f2ae458abc14a899768a04999ca10c86ea4
Change-Id: Ia343cdb2268ef19d0e6270322b4ba5b97a069673
2021-03-15 15:15:38 +02:00
Jonathan Rosser 43f7212019 Work around keystonemiddleware bug #1883659
See https://bugs.launchpad.net/keystonemiddleware/+bug/1883659

Change-Id: Ie51a60f9e151dc8be813d0ed8ffed10e793a5144
2021-03-10 23:17:46 +00:00
Dmitriy Rabotyagov 4b080bb3f9 L3 agent cleanup_on_shutdown
Once we do not kill keepalived for the l3 agent, it might be useful to
override that. This is possible with neutron_l3_cleanup_on_shutdown.
When it is set to True, keepalived will be restarted by the l3 agent
except on the first service restart, where it will be killed by the handler,
since the config should be loaded first.

Change-Id: I9eea72d68398f9fd272b1e9ae0c0c0198336c2f5
2021-01-26 11:58:47 +00:00
Dmitriy Rabotyagov e43313af85 Rename nova_metadata_* variables
Rename nova_metadata_* variables to neutron_nova_metadata_*
so the names are less confusing. At the same time these new variables will
have their defaults set to nova_metadata_*.

Change-Id: I073da66f9e395bbb99b1c21701c808f252c3a6cb
2020-11-25 13:22:32 +00:00
siavashsardari 225ddf5c0a Remove firewall_driver from securitygroup section due to duplication in agents config file
Change-Id: I4469dc572acf7d53bcf759e28138cc6733101ed4
Closes-Bug: 1903390
2020-11-10 17:15:29 +03:30
Dmitriy Rabotyagov e3f04ef863 Enable notifications when Designate is enabled
Change-Id: I92780df25e02dd1125e53a3633715fcf948a47d9
2020-11-03 22:33:15 +00:00
Dmitriy Rabotyagov 24d64bbd52 Add neutron_keepalived_no_track variable
Until the neutron bug is fixed, we should control whether to use no_track
for keepalived or not, based on the distro version.
We should probably roll it back once the upstream bug is fixed and bumped.

Change-Id: I539dfd90576b34693eb8e7aef9f97e64739700ae
Related-Bug: #1896506
2020-09-22 11:43:45 +03:00
Jay Jahns 18468787b9 Add Initial NSX Integration
Default variables are established to add NSX integration to OSA,
as well as documentation on how to implement the integration.

Change-Id: I9843fedf2463251f7663d4607932f029f86dbda2
2020-08-28 20:21:07 +00:00
gugug 5fb6ef370e Remove the neutron-fwaas since it retired
Depends-On: I561504160e5548c54d1af31821c3366ab34cf0ec
Change-Id: I7c2f011ea36b6ea4f8d1854a87df160034c6dcc6
2020-06-17 13:30:15 +08:00
James Denton fccf1b75ce Update OVN metadata agent binary name
During the transition from networking-ovn to the neutron tree, the name
of the metadata agent binary changed from networking-ovn-metadata-agent to
neutron-ovn-metadata-agent. This patch updates the service definition to
allow the metadata agent to function.

Change-Id: I69a4e5deed4b21e70afd7dac747375b81e98cb22
2020-06-03 18:53:10 -05:00
Zuul 2a42d4533c Merge "config: add region_name to nova" 2020-05-21 18:59:48 +00:00