* Update openstack-ansible-os_neutron from branch 'master'
to 42b2492642439670c03665f3edcccb7d909b5c36
- Fix multiline yaml formatting in neutron systemd services
This patch adjusts the whitespace insertion so a space between the
--config-file instances is not trimmed anymore
Change-Id: Ia1507f03febd5bdba18610909f5c3856976566b4
* Update openstack-ansible-os_neutron from branch 'master'
to 47a7796066a08a7fffe5b48f17431127696c48e5
- Merge "Add variable to control distributed FIP choice"
- Add variable to control distributed FIP choice
On OVN you can configure if Floating IPs should flow directly from compute
nodes or through gateway hosts.
While this parameter can be overridden with neutron_ml2_conf_ini_overrides variable,
it might be useful for some more advanced logic in follow-up patches.
Change-Id: Ib20cd013cbf396f14e88faabc36f012fc14c3f3a
* Update openstack-ansible-os_neutron from branch 'master'
to f3d23171416fdfb45f966f54b953e3f0b8a84c53
- Merge "Create an openrc for nb/sb clients"
- Create an openrc for nb/sb clients
In order to connect to NB/SB leader it requires quite some parameters
to be passed to the CLI. To simplify that we define an environment variables
that are used as defaults once /root/ovnctl.rc is sourced.
Change-Id: Ia44829a48b4b73a81c82b79bc8898c1a95989aef
* Update openstack-ansible-os_neutron from branch 'master'
to b6c3bfeca781d9d7a2e5f9189252ffca33582f2b
- Merge "Restart OVN on certificate changes"
- Restart OVN on certificate changes
In cases where certificates were regenerated for OVN, a service restart
is required in order to apply and use new certs.
We provide also a unique handler name to distinguish certs between ones
installed for neutron-server and OVN.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/912768
Change-Id: Iedea6f1a67349bafecca5c792072fcd8f95cc546
* Update openstack-ansible-os_neutron from branch 'master'
to 66cdc8fa7cea0582cdbff37379a3012eef014379
- Use ansible_facts['processor_vcpus'] instead of fact variable
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/912768
Change-Id: If9fc16a7938a49d51dbd1110e908e3bda74e7adb
* Update openstack-ansible-os_neutron from branch 'master'
to 4e855db6b2f4e04242e4ef38f12367ed4f564329
- Add VPNaaS OVN support
At the moment it's possible to deploy VPNaaS for non-OVN environments only.
OVN implementation is slightly different and requires a standalone agent to
run on gateway hosts, where OVN router is active.
This agent spawns namespaces as used to do and talks through RPC with API.
More detailed spec on the feature can be found here [1]. There's also
configuration reference in progress of writing [2].
[1] https://opendev.org/openstack/neutron-specs/src/branch/master/specs/xena/vpnaas-ovn.rst
[2] https://review.opendev.org/c/openstack/neutron-vpnaas/+/895651
Change-Id: Idb223ee0d8187f372682aafda1b8d6fd78cb71d1
Change-Id: Iad163ac7b032a97bd49164d94490b0f0deb83d90
* Update openstack-ansible-os_neutron from branch 'master'
to 601c66666f0c710fcde632c9b13ad0f4c888bccc
- Run neutron OVN agents as neutron user
As of today we run some agents, like neutron-ovn-metadata agent as
root user, since it needs access to ovsdb socket, which has 750 permissions
by default.
With that, for OVN we already use connection via host:port to the same
ovsdb manager, which allows to run it as an arbitrary user.
In order to align connection methods and to run services with lower
privileges we introduce couple of new variables that allow to create valid
connection strings for both OpenFlow listeners and regular connection to
the manager.
Change-Id: Iceab27aa1fdacc8b13f7ef6974b6a9076b8b7cd9
* Update openstack-ansible-os_neutron from branch 'master'
to 88085e47fd9b44a85c9b8593020ee87cbd9a4082
- Merge "Fix permissions for rootwrap files"
- Fix permissions for rootwrap files
At the moment we set 640 permissions to /etc/neutron/rootwrap.d folder.
While it doesn't cause any issues right now, since root still able to read files in there,
but this makes us to use root for services when it should not be needed.
Also playbook is not idempotent, as it changes permissions for same
directory multiple times during runtime.
Task for setting rootwrap permissions is removed, since its behaviour is
weird by design of file module.
It can be applied only to directories, meaning that either directory will not
have execution permissions or all files inside it will have executable flag.
Change-Id: I577221e94d6cf9d940ee310757383cee24b80a03
* Update openstack-ansible-os_neutron from branch 'master'
to fbdb79c0553e31063a1e33426bab6b5309ed7e8c
- Replace voting jobs with Rocky Linux
There is a regression in CentOS 9 Stream libvirt version 9.10 which makes
impossible to spawn VMs in this OS and breaking CI.
Let's still leave some non-voting jobs just in case.
Change-Id: I1237769d637d318a68b1891eba7fa44671eb9ac1
* Update openstack-ansible-os_neutron from branch 'master'
to 70bb847605b3002c58802511eeec99193d0f9220
- Add Availability Zone variables
At the moment the only way to configure multi-AZ support in Neutron were
config overrides, which work quite nicely with LXB/OVS scenarios. However,
with OVN changing configuration is not enough, and command that sets
up OVN Gateway should provide extra CMS option.
In order to improve AZ support in Neutron role, we add couple of variables
that control behaviour and allow to perform required configuration without
config overrides for OVS/LXB/OVN.
Co-Authored-By: Danila Balagansky <dbalagansky@me.com>
Closes-Bug: #2002040
Change-Id: Ic964329c06765176692f7b0c32f33ec46360a3fb
* Update openstack-ansible-os_neutron from branch 'master'
to ef4d3278556c6e34f79b195cfb3e0d300f7184f7
- Update VPNaaS package for RHEL
OpenSwan Package for IPSec has been replaced with libreswan in EL9.
We missed to reflect that while adding EL9 support.
Closes-Bug: #2039098
Change-Id: I04742324ff472b3c40ee4c7d333305c67046aba2
* Update openstack-ansible-os_neutron from branch 'master'
to 4423cfb8df28b91893b99f578aaf0b9a20cf2e0a
- Merge "Workaround ovs bug that resets hostname with add command"
- Workaround ovs bug that resets hostname with add command
In Debian 12 OVS version to 3.1.0 is used that is affected
by the bug [1]. Until that is fixed, we're masking ovs-record-hostname
service.
While this was fixed by OVS version bump in Ubuntu and RHEL, it's still
an issue for Debian 12.
[1] https://bugs.launchpad.net/cloud-archive/+bug/2017757
Change-Id: I90454ba50840f7cb900586a7b870161a0f4adc01
* Update openstack-ansible-os_neutron from branch 'master'
to bd45e1b58d8a7ed41e54cd9d2c5d04dc48e50602
- Merge "Deprecate OpenDaylight support"
- Deprecate OpenDaylight support
OpenDaylight support has been deprecated by Neutron team in 2023.2 [1]. We remove support from
our code to address that decision.
[1] 517df91c9e
Change-Id: Iaaf87b6d5400fe88c7edf86995ea9ba891866678
* Update openstack-ansible-os_neutron from branch 'master'
to de7e041af7cbd7c749c0bbe8ed653cc21641f454
- Merge "[doc] Update example on how to define neutron_vpnaas_custom_config"
- [doc] Update example on how to define neutron_vpnaas_custom_config
Closes-Bug: #2037649
Change-Id: I55b11e225286f81ec83f287e713e79d7bb847d77
* Update openstack-ansible-os_neutron from branch 'master'
to a190ae4f61cce0da08028f96c959fd3c26e2d700
- Fix conditional for non-OVN deployments
In an LXB environment, the neutron_ovn_controller group still
contains all of the compute nodes, which causes this task to
fail.
Change-Id: I7a63a79e8b9012c9f32b9316d9590ccd9e641c01
* Update openstack-ansible-os_neutron from branch 'master'
to 3569b7a27d2da431dfd6329f5b010bc56a666e80
- Fix linters for example playbook
Change-Id: Ieb2e21fe558ee14ec7cc1a4b264f0dd2671eb9fa
* Update openstack-ansible-os_neutron from branch 'master'
to b399ac2a3cb3c1f2aafad641793f5ef46032cab4
- Merge "Fix typo for vpnaas_custom_config distribution"
- Fix typo for vpnaas_custom_config distribution
Accidentally condition was to check a group against `group_name`,
while this should be `group_names`. Right now in case of definition
neutron_vpnaas_custom_config role will fail with undefined variable.
Change-Id: Ia5b44729858dd9f742f1094f46e3cde1ceb70495
* Update openstack-ansible-os_neutron from branch 'master'
to 7c0ac931b0accd02f4c03b994dcaaa65a2b901ae
- Check length of network_mappings
The OVS bridge creation logic for OVN deployments may fail
when the provider bridge has not been defined. This patch uses
logic that exists in the OVS deployment scenario to check the
length of neutron_provider_networks.network_mappings to ensure
a value has been set before attempting to create the bridge.
Change-Id: I34256e4ad22169ae6907a3c40270cb714cf33466
* Update openstack-ansible-os_neutron from branch 'master'
to 4abf3e9383b26350a2e389162d9c1e14a7c2f33c
- Merge "Retry applying OVN connection settings"
- Retry applying OVN connection settings
This task runs immediately after one which may start the OVN
services and the unix socket files may not yet be present
when the command is run to configure the connection settings.
Introduce retries to the task to give time for the services to
start and the sockets to exist.
See https://paste.opendev.org/show/bPgVSIHyVPY5MwC373Zj/
Change-Id: I286169ca9ec493ef9ff1923249336cdc168619d0
* Update openstack-ansible-os_neutron from branch 'master'
to 733c4cf8c56ca6a62f8a02ce3f0388c106b94782
- Merge "Fix linters and metadata"
- Fix linters and metadata
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metadata to reflect current state.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: I3905e334cfbeb7ccb976358016f81c5edd6cd284
* Update openstack-ansible-os_neutron from branch 'master'
to ed54ffde67be84fda33f90141b4c14ff34f30b27
- Merge "Revert "Workaround ovs bug that resets hostname with add command""
- Revert "Workaround ovs bug that resets hostname with add command"
This reverts commit 74b0884fc232aa96f601b4c24c3e36f3fba4f1bb.
Reason for revert: UCA and OVS SIG have updated package and marked corresponding bugs as resolved.
Change-Id: Idbb9f4ee84a075bfa6e7e63c8d5b81951ce0ae65
* Update openstack-ansible-os_neutron from branch 'master'
to 01da88f560407dbaa18fc78fc1817a548620b6bd
- Merge "Add quorum queues support for the service"
- Add quorum queues support for the service
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.
In order to ensure upgrade path and ability to switch back to HA queues
we change vhost names with removing leading `/`, as enabling quorum
requires to remove exchange which is tricky thing to do with running
services.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/875399
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/873618
Change-Id: I43840a397ea6da6c3187291a74591c2205e1dca1
* Update openstack-ansible-os_neutron from branch 'master'
to a3c09f159bf4dc545db18d16be32488e8ff85fb7
- Stop haproxy on ovn-controller nodes
include ovn-controller nodes.
Change-Id: I122a7e2df0d546c18e4ec607abeb36cb0cec196f
* Update openstack-ansible-os_neutron from branch 'master'
to 924e290af90170c8c18f79354c479c391b73295e
- Define constraints file for docs and renos
Right now we are not using any constraints for docs and releasenotes builds.
This has resulted in docs job failures once Sphinx 7.2.0 has been released.
The patch will ensure that constraints are used and we should not face
similar issue again.
TOX_CONSTRAINTS_FILE is updated by Release bot once new branch is created,
so it should always track relevant constraints.
Some extra syntax-related changes can apply, since patch is being passed
through ConfigParser, that does not preserve comments and align indenting.
Change-Id: I877b57ba117a820be7ca05d01037069295099f06
* Update openstack-ansible-os_neutron from branch 'master'
to 2b398f5f435cd96c6f08d01863cc3bfeb40748ec
- Use proper galera port in configuration
While <service>_galera_port is defined and used for db_setup
role, it's not in fact used in a connection string for oslo.db.
Change-Id: I74735ad2f127a4c62d4e5c4d24dd1af76e5b76a3
* Update openstack-ansible-os_neutron from branch 'master'
to 45f823de0c11e595aee6ff54edb46c6bad451c08
- Merge "Configure OVN NB and SB DB Connection probes"
- Configure OVN NB and SB DB Connection probes
Allow configuration of `inactivity_probe` in Connection table in NB and
SB for new installations.
Issues, which successfully resolve by using this as a workaround:
1. https://www.mail-archive.com/ovs-discuss@openvswitch.org/msg07431.html
2. https://bugs.launchpad.net/kolla-ansible/+bug/1917484
According to the OVN ML, specifically this part [1], there is no other
way to set `inactivity_probe` other than using Connection table. And the
only valid option for it would be `0.0.0.0`, so that it could be applied
to all connections.
`ovn-ctl` forces `ovsdb-server` to look for addresses to listen on in
Connection table with `db-nb-use-remote-in-db` and
`db-sb-use-remote-in-db` options which are enabled by default.
If `db-nb-create-insecure-remote` and `db-sb-create-insecure-remote` are
set to `yes` (when `neutron_ovn_ssl` is `False`), this would result in
flooding OVN logs with `Address already in use` errors.
So we will rely on default value `no` for them from now on and only
listen on and with whatever options are provided in Connection tables.
[1] https://www.mail-archive.com/ovs-discuss@openvswitch.org/msg07476.html
Change-Id: If87cf7cfa1788d68c9a4013d7f4877692f2bb11c
* Update openstack-ansible-os_neutron from branch 'master'
to 13c1ce70dd8ec03708a2cdf54687a85360659866
- Merge "Switch driver jobs to Jammy"
- Switch driver jobs to Jammy
We're dropping Ubuntu Focal support early in 2023.2 release,
so we need to switch all jobs to Jammy before this happens.
Change-Id: I677494ad02d58f891b376b44230ce9d137ca34a9
* Update openstack-ansible-os_neutron from branch 'master'
to d0c37ede9fde4a25724fbe6ec4e57426bfe7416e
- Drop OVN package installation from ovn_config
OVN packages are installed as a part of common package installation
as they're appended during neutron_package_list population. So
there should be no need in having another set of tasks that install
these packages.
Change-Id: I119dd30b6e11e9ba373367a1b65d56d723ef0b45
* Update openstack-ansible-os_neutron from branch 'master'
to d58bdb151af848ded8f7af4d6f31bd1a668c65b7
- Ensure OVN is restarted on package update
Change-Id: I851a81d47e2ab985213f711ccd81a6870f42317b
Needed-By: https://review.opendev.org/c/openstack/openstack-ansible/+/879890
* Update openstack-ansible-os_neutron from branch 'master'
to e9ef1f07073b5f03a10459e5797cdcdb8a08ef69
- Merge "Add TLS support to neutron_server backends"
- Add TLS support to neutron_server backends
By overriding the variable `neutron_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the neutron backend api.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: I9f16f916d1ef3e5937c91f6b09a3d4073594ecb4
* Update openstack-ansible-os_neutron from branch 'master'
to 74b0884fc232aa96f601b4c24c3e36f3fba4f1bb
- Workaround ovs bug that resets hostname with add command
In UCA repo for Antelope OVS version to 3.1.0 is used that is affected
by the bug [1]. Until that is fixed, we're masking ovs-record-hostname
service.
[1] https://bugs.launchpad.net/cloud-archive/+bug/2017757
Change-Id: Iead62b464a68bbfcffb0e79a4db004760287e89b
* Update openstack-ansible-os_neutron from branch 'master'
to 43adbb0b95d781c85e74a9e7bb802dd1705c0dd0
- Merge "Use include instead of import for conditional tasks"
- Use include instead of import for conditional tasks
When import is used ansible loads imported role or tasks which
results in plenty of skipped tasks which also consume time. With
includes ansible does not try to load play so time not wasted on
skipping things.
Change-Id: I50b99306a52f1a2379e55f390653b274afd5885f
* Update openstack-ansible-os_neutron from branch 'master'
to 090b0aeb07c253ab59f23d7ba7924d21d019e677
- Ensure service is restarted on unit file changes
At the moment we don't restart services if systemd unit file is changed.
We knowingly prevent systemd_service role handlers to execute
by providing `state: started` as otherwise service will be restarted twice.
With that now we ensure that role handlers will also listen for systemd
unit changes.
Change-Id: I831f6d62f0d31384258571e01a4e7cdd75b73e2c
* Update openstack-ansible-os_neutron from branch 'master'
to a44d3320756f9cb54212453d28d28b14dc3daeb7
- Merge "[doc] Add LXB scenario documentation"
- [doc] Add LXB scenario documentation
Since LXB was installed by default, we never had it described
explicitly as all other examples were referring to it. Now when we've
switched to OVN as default driver, we should describe path for LXB
as well as make adjustments to reflect new defaults for neutron role.
Change-Id: I98011dbbe3a3c2f6992e1a150e5ec97642398fc0
* Update openstack-ansible-os_neutron from branch 'master'
to f1a8c358531bdf86d8aeda725bc0b1c347d325c1
- Workaround ovs bug that resets hostname with add command
After RDO bumped OVS version to 3.1 from 2.17 CentOS/Rocky fails
tempest testing due to systemd unit calling adding hostname [1]
while ovs-vsctl add in 3.1 actually behaves exactly as `set` which
simply resets defined hostname on each service restart. To avoid that
we're adding `--no-record-hostname` flag that will prevent such
behaviour.
[1] https://github.com/openvswitch/ovs/blob/branch-3.1/utilities/ovs-ctl.in#L51
Change-Id: I8bee1850e3a120f7b76f586909e6d74361696e32
Related-Bug: #2013189
* Update openstack-ansible-os_neutron from branch 'master'
to dffcff7c94804433f8fbbe4b326f7f39d11fe0b7
- Disable CentOS LXC jobs due to the bug in systemd packaging
At the moment systemd-udev package is being resolved to
systemd-boot-unsigned due to CentOS packaging issue. Resolution to this
issue would be providing a full path to any of file that is not provided
by systemd-boot-unsigned but provided by systemd-udev
which does not have a really clean and good workaround.
So we're disabling CentOS LXC jobs for now and waiting for CentOS
to fix this. There're bunch of bug reports and all systemd there
in quite a messy state overall.
Change-Id: I6e744d1e708df11204b3436c53ea6ed723683b18
* Update openstack-ansible-os_neutron from branch 'master'
to 2d7f8f464357fafbf7a2056fdffc15e1e3912963
- Merge "Generate OVN certs only for OVN scenario"
- Generate OVN certs only for OVN scenario
At the moment we're generating OVN certificates regardless of
the scenario which produces unnecessary changes.
Change-Id: Ie870aa656c467b21441a38cebf7c6a075342d50f
* Update openstack-ansible-os_neutron from branch 'master'
to 017194176c42ee33f1d70db189b8ff3fbce06566
- Fix typo in ansible_facts['pkg_mgr']
In [1] we accidentally merged change containing typo.
[1] https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/860480
Change-Id: Iec4eacab8f6ddd2d3d2f59c0928f5e6455bbdbdd
* Update openstack-ansible-os_neutron from branch 'master'
to 0fee203e6c5689e551735f5cf86ed7d76c6be144
- Ensure that all neutron config files are used when deployed with uwsgi
Previously only /etc/neutron/neutron.conf was passed, this patch
uses the uwsgi pyargv option to pass multiple instances of
--config-file to the service.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-uwsgi/+/872195
Change-Id: Ifa1645a9585360e15142cac929e671e60e301bdc
Closes-Bug: 1987405
* Update openstack-ansible-os_neutron from branch 'master'
to a6001b7a364218eeea2f32e9b007153856822916
- Remove "warn" parameter from command module
This is removed in ansible 2.14.
Change-Id: I454908a306bfa5d6311261448ebefab6df1b20a7
* Update openstack-ansible-os_neutron from branch 'master'
to c5e00f91f7fd4ca8973e47ddd36cbe2c725b165a
- Disable dhcp-agent and metadata-agent for OVN
OVN doesn't need the neutron-metadata-agent and
neutron-dhcp-agent service.
Change-Id: I58e94199a32ad300b3f70861dc7804f34518c8c2
* Update openstack-ansible-os_neutron from branch 'master'
to 0d6ca7f07f42e7ff3c4a8ae401332b222017eb99
- Update OVN northd group documentation
Existing docs are missing mention of network-northd_hosts, which
is a required grouping for a successful OVN deployment. This patch
addresses that.
Change-Id: Ie532573cc04722d18915996c5148eecb180ee7ec
* Update openstack-ansible-os_neutron from branch 'master'
to d4cbd2d7adcf4bba95a885c87d2c6e4dc9c1b012
- Create separate lock path for neutron-ovn-metadata-agent
root user/group ownership of the neutron-ovn-metadata service caused
the neutron lock dir to be owned by root:root, which caused issues
with neutron-server's ability to write the OVN hash ring lock file
to /run/lock/neutron and prevented the creation of networks.
It appears neutron-ovn-metadata-agent needs access to the OVS DB
schema via unix:/var/run/openvswitch/db.sock, which is owned by root,
so a separate lock path has been created for the metadata agent to
workaround this.
FWIW, this issue manifested with upstream Neutron commit
536498a29a4e7662a4d0b1bb923e2521509ad77a.
Change-Id: Ib6d69bb2ce340b50140216e2abf236a1da93e46b
* Update openstack-ansible-os_neutron from branch 'master'
to 92fa6a5295d7a7cccb102387fbd92c8c70568a72
- Update master for stable/zed
Add file to the reno documentation build to show release notes for
stable/zed.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.
Sem-Ver: feature
Change-Id: I533256a64b09248d3bacdb69c30b411928940182
* Update openstack-ansible-os_neutron from branch 'master'
to 3faa793469d71fe44403669d91ea3797818290eb
- Do not provision neutron config when not needed
With [1] we merged not installing neutron venv and packages
when it's not required, for example on ovn_northd. At the same
time we still try to provision config files that are not needed there.
Moreover, role is failing as smart_sources bits are relying on neutron venv
existence.
[1] https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/863546
Change-Id: I59050f09577df790119e552e39cd38463755b36f
* Update openstack-ansible-os_neutron from branch 'master'
to fa974be047383f2d8a16c700856c5793470d68db
- Merge "Remove support for calico ml2 driver."
- Remove support for calico ml2 driver.
Change-Id: I25e28c678f69a1b2f067e6ce87f1b3134e6470d2
* Update openstack-ansible-os_neutron from branch 'master'
to c00039c7b0c6006ad5feff1254d99c4245b9cd3e
- Merge "Separate OVN gateway functions from ovn-controllers"
- Separate OVN gateway functions from ovn-controllers
This patch aims for the following:
- Update docs for OVN to expand on supported scenarios
- Split out the OVN gateway chassis from the OVN controller group.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/862924
Change-Id: I14859a19f386676fd687ea601f2d31298cf35e84
* Update openstack-ansible-os_neutron from branch 'master'
to 5f04414da46cd34763a38a0ede470aab3c4fbfdb
- Merge "Do not install neutron venv if not needed."
- Do not install neutron venv if not needed.
Change-Id: I3675cbb5e7e9b37fce47d995e69edde945c1b581