The package provides the following plugins for strongSwan.
- agent (RSA/ECDSA private key backend connecting to SSH-Agent)
- gcm (GCM cipher mode wrapper)
- openssl (Crypto backend based on OpenSSL, provides
RSA/ECDSA/DH/ECDH/ciphers/hashers/HMAC/X.509/CRL/RNG)
Change-Id: Id459831d936a60843a2c07d79c97a1b6aeaa6126
This patch adjusts the whitespace insertion so a space between the
--config-file instances is not trimmed anymore.
Change-Id: Ia1507f03febd5bdba18610909f5c3856976566b4
At the moment it's possible to deploy VPNaaS for non-OVN environments only.
The OVN implementation is slightly different and requires a standalone agent to
run on gateway hosts, where the OVN router is active.
This agent spawns namespaces as it used to do and talks through RPC with the API.
A more detailed spec on the feature can be found here [1]. There's also a
configuration reference in the process of being written [2].
[1] https://opendev.org/openstack/neutron-specs/src/branch/master/specs/xena/vpnaas-ovn.rst
[2] https://review.opendev.org/c/openstack/neutron-vpnaas/+/895651
Change-Id: Idb223ee0d8187f372682aafda1b8d6fd78cb71d1
Change-Id: Iad163ac7b032a97bd49164d94490b0f0deb83d90
As of today we run some agents, like the neutron-ovn-metadata agent, as the
root user, since it needs access to the ovsdb socket, which has 750 permissions
by default.
With that, for OVN we already use a connection via host:port to the same
ovsdb manager, which allows running it as an arbitrary user.
In order to align connection methods and to run services with lower
privileges, we introduce a couple of new variables that allow creating valid
connection strings for both OpenFlow listeners and the regular connection to
the manager.
Change-Id: Iceab27aa1fdacc8b13f7ef6974b6a9076b8b7cd9
The OpenSwan package for IPsec has been replaced with libreswan in EL9.
We missed reflecting that while adding EL9 support.
Closes-Bug: #2039098
Change-Id: I04742324ff472b3c40ee4c7d333305c67046aba2
OpenDaylight support has been deprecated by Neutron team in 2023.2 [1]. We remove support from
our code to address that decision.
[1] 517df91c9e
Change-Id: Iaaf87b6d5400fe88c7edf86995ea9ba891866678
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with the linter rules we're applying changes to the role.
With that we also update the metadata to reflect the current state.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: I3905e334cfbeb7ccb976358016f81c5edd6cd284
This change implements and enables by default quorum support
for rabbitmq, as well as providing default variables to globally tune
its behaviour.
In order to ensure an upgrade path and the ability to switch back to HA queues,
we change vhost names by removing the leading `/`, as enabling quorum
requires removing the exchange, which is a tricky thing to do with running
services.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/875399
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/873618
Change-Id: I43840a397ea6da6c3187291a74591c2205e1dca1
By overriding the variable `neutron_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the neutron backend api.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: I9f16f916d1ef3e5937c91f6b09a3d4073594ecb4
At the moment we don't restart services if the systemd unit file is changed.
We knowingly prevent the systemd_service role handlers from executing
by providing `state: started`, as otherwise the service would be restarted twice.
With that we now ensure that the role handlers will also listen for systemd
unit changes.
Change-Id: I831f6d62f0d31384258571e01a4e7cdd75b73e2c
Previously only /etc/neutron/neutron.conf was passed, this patch
uses the uwsgi pyargv option to pass multiple instances of
--config-file to the service.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-uwsgi/+/872195
Change-Id: Ifa1645a9585360e15142cac929e671e60e301bdc
Closes-Bug: 1987405
root user/group ownership of the neutron-ovn-metadata service caused
the neutron lock dir to be owned by root:root, which caused issues
with neutron-server's ability to write the OVN hash ring lock file
to /run/lock/neutron and prevented the creation of networks.
It appears neutron-ovn-metadata-agent needs access to the OVS DB
schema via unix:/var/run/openvswitch/db.sock, which is owned by root,
so a separate lock path has been created for the metadata agent to
work around this.
FWIW, this issue manifested with upstream Neutron commit
536498a29a4e7662a4d0b1bb923e2521509ad77a.
Change-Id: Ib6d69bb2ce340b50140216e2abf236a1da93e46b
neutron-server appears to require ovsdb-client to communicate with ovsdb
in an OVN install. On metal, this isn't an issue since ovsdb-client is
installed with openvswitch-common but with LXC, OVS packages aren't installed
in the neutron server lxc container.
Ubuntu/Debian splits out openvswitch-common utilities from the actual
openvswitch service (openvswitch-server), while CentOS/RHEL-based distros
package them all up. This method was chosen as lowest common denominator
between supported releases.
Change-Id: I7a08ed81a15c0678832bcdd192bdc4e10064bd6d
Create ssl-certs for ovn deployment.
ssl encryption is now enabled between neutron and ovn components.
Change-Id: If8ca3f2035ada97cff248ad49771eefab95c6c23
The dogpile library is attempting to load bmemcached and without the
dependencies the service will throw an excessive amount of errors
when attempting to load the library. To resolve this issue we install
the missing dependency.
* Package install for debian
* Pip install
X no RPM was found so none included in this PR
Change-Id: I6af7f0d643ad09f98120fca9c18063b4fe4d29e9
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
There is no need to configure and run Open vSwitch (data-plane) services
on `neutron-ovn-northd` (control-plane) nodes.
Change-Id: I6fdc5b0e212a8b21fc576639a2a82dfe3324244e
This reverts commit 5fb6ef370e.
Reason for revert: FWAAS has been revived in Zed with I14f551c199d9badcf25b9e65c954c012326d27cd
Change-Id: I45d6cd0f039c3fd2016e52df3607a5ac22956d0a
With ansible-core 2.13 it tries to substitute package resolution in the apt
module.
However git-core is used in Debian as a transitional name, but ansible
tries to select it and provide a version, which is not correct behaviour.
But since git-core is not really valid anyway, we just replace it
to work around ansible's imperfectness.
Change-Id: Ie10bd40a37d4e508842d978365d03cc6f4e9194c
As part of the Pike goals we are moving api services to run as WSGI
apps. neutron-server service is set up as a wsgi app, and this patch
moves it over.
Since this is just a drop-in replacement for the existing eventlet
service, operators and deployers should notice no difference.
Change-Id: Ia7ebd13be9ce7834679d439b7bda242805768ef8
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/820586
Implements: blueprint goal-deploy-api-in-wsgi
Currently the metering agent is using the old import method,
use stevedore instead.
https://review.openstack.org/#/c/419881/ merged long ago.
Change-Id: I4e5b8734f00cfa98cb60a70cc85b6c8924d9b718
Without this package ovs failed to bind the dpdk interface to the
ovs provider bridge. This is Ubuntu, where they split the
dependency libs/drivers into a different package.
Example: /usr/lib/x86_64-linux-gnu/dpdk/pmds-20.0/librte_pmd_ixgbe.so,
a file required by Intel NICs, which is part of that package.
Change-Id: Ia0cacbbffca363f79d4d43edbc1eb140bfea5e04
This patch enables the openvswitch interface driver when the
ML2/OVN driver is used. An interface driver is required when
using the legacy DHCP agent (required for OVN+Ironic).
Change-Id: I56bad4e6ec94b516d1e94d76b423cc3437e3f464
This patch will adjust some variables for the C8-Stream job to fix
OVN deployment for CentOS-8-Stream. Renamed ovn-central to
ovn-northd for a more generic name.
Change-Id: Ifdb773f9f539469e21d37075f6b88259eb1ffa3e
Changed the /var/lib/vhost_socket dir owner/group permissions for centos-8 and
added the openvswitch service name.
Change-Id: Idedbef8b70cb42588c9c9ace9530df84a5d1f6ff
Debian Bullseye has dropped py2 library packages and they should not
be installed for other systems either. So we replace it with
py3 alternative.
Change-Id: I0931759c05ec395f1688b0fbc4fec879dd52a0f8
Currently we symlink /etc/neutron to an empty directory at the pre-stage,
and fill it with config only during post_install. This means
that policies and rootwrap filters are not working properly until
playbook execution finishes. Additionally, we replace the sudoers file
with the new path in it, which makes current operations impossible for
the service, since rootwrap can not gain sudo privileges.
With this change we move the symlinking and rootwrap steps to handlers,
which means that we will replace configs while the service is stopped.
During post_install we place all of the configs inside the venv,
which is versioned at the moment.
This way we minimise downtime of the service while performing upgrades.
Change-Id: I6d1686ab79647acfc086f21864bde14c8a1a1a49
This patchset removes the ovs_nsh_support variable used to deploy
a custom-compiled release of Open vSwitch with NSH support in favor
of relying on built-in NSH support in recent releases of Open vSwitch[1].
[1] https://mail.openvswitch.org/pipermail/ovs-dev/2017-November/340716.html
Change-Id: If6456d2916982226bbdc5080ec58a47b6fb1ec8d
Neutron has deprecated [1] usage of keepalived_use_no_track since
it is capable of distinguishing when no_track should and should not
be used.
[1] https://review.opendev.org/c/openstack/neutron/+/759657
Depends-On: I351b3f2ae458abc14a899768a04999ca10c86ea4
Change-Id: Ia343cdb2268ef19d0e6270322b4ba5b97a069673
This is necessary to support the new pip resolver.
Depends-On: I9be6bbf4a29a4da2ddf96dc0336bc2a7d8ec9281
Depends-On: I49c75dd11d6c4e8d37fe013b7ffdfd56ff193fcd
Change-Id: Ib17a2712993c6c7e3b5622fc944d7754dbb872ba