Add support for ovn-bgp-agent deployment

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/909694
Change-Id: Id41c4b98d7e973ee85b77d2588ace3e2ce76490f
This commit is contained in:
Dmitriy Rabotyagov 2024-02-21 18:54:35 +01:00
parent 112d379094
commit 65fba08c94
8 changed files with 201 additions and 1 deletions

View File

@ -65,6 +65,8 @@ neutron_dynamic_routing_git_repo: https://opendev.org/openstack/neutron-dynamic-
neutron_dynamic_routing_git_install_branch: master
networking_odl_git_repo: https://opendev.org/openstack/networking-odl
networking_odl_git_install_branch: master
networking_ovn_bgp_git_repo: https://opendev.org/openstack/ovn-bgp-agent
networking_ovn_bgp_install_branch: master
networking_sfc_git_repo: https://opendev.org/openstack/networking-sfc
networking_sfc_git_install_branch: master
networking_bgpvpn_git_repo: https://opendev.org/openstack/networking-bgpvpn
@ -164,6 +166,8 @@ neutron_neutron_conf_overrides: {}
neutron_nuage_conf_ini_overrides: {}
neutron_openvswitch_agent_ini_overrides: {}
neutron_openvswitch_agent_init_overrides: {}
neutron_ovn_bgp_agent_ini_overrides: {}
neutron_ovn_bgp_agent_init_overrides: {}
neutron_nsx_conf_ini_overrides: {}
# Provide a list of access controls to update the default policy.json with.
# These changes will be merged
@ -521,6 +525,32 @@ neutron_ovsdb_manager_connection: "{{ [neutron_ovsdb_manager_proto, neutron_ovsd
neutron_ovn_sb_inactivity_probe: 60000
neutron_ovn_nb_inactivity_probe: 60000
# OVN BGP Agent
neutron_ovn_bgp_enable: False
neutron_ovn_bgp_agent_group: "{{ neutron_ovn_distributed_fip | ternary('neutron_ovn_controller', 'neutron_ovn_gateway') }}"
neutron_ovn_bgp_agent_driver: nb_ovn_bgp_driver
neutron_ovn_bgp_exposing_method: underlay
neutron_ovn_bgp_expose_tenant_networks: False
neutron_ovn_bgp_expose_ipv6_gua_tenant_networks: False
# Provide config needed for BGP peering
# neutron_ovn_bgp_config:
# AS: 64999
# nic: bgp-nic
# vrf: bgp-vrf
# vrf_table_id: 10
neutron_ovn_bgp_config: {}
neutron_frr_bgp_config: []
neutron_frr_staticd_routes: []
# This section is used when neutron_ovn_bgp_exposing_method
# is set to "ovn".
# This requires a standalone "local" cluster per node where
# ovn-bgp-agent runs.
neutron_ovn_bgp_local_nbdb: tcp:127.0.0.1:6641
neutron_ovn_bgp_local_nics: []
neutron_ovn_bgp_local_peers: []
neutron_ovn_bgp_provider_networks_prefixes: []
# Storage location for SSL certificate authority
neutron_ovn_pki_dir: "{{ openstack_pki_dir }}"
# Delegated host for operating the certificate authority

View File

@ -200,6 +200,80 @@ Routing plugin.
# openstack-ansible os-neutron-install.yml
OVN BGP Agent (optional)
~~~~~~~~~~~~~~~~~~~~~~~~
The `OVN BGP Agent`_ exposes VM Floating IPs on provider networks through BGP
by leveraging `FRRouting`_.
This intends to provide feature-complete replacement for BGP Dynamic Routing
service for environments running OVN as their ml2 plugin.
`OVN BGP Agent`_ provides multiple drivers and exposure methods which can be
checked on the `BGP Supportability Matrix`_
.. NOTE::
At the moment of writing only ``underlay`` exposure method is fully
supported by ``os_neutron`` role.
In order to enable ovn-bgp-agent you need to explicitly configure some
variables:
.. code-block:: yaml
neutron_ovn_bgp_enable: True
# This defines an AS to which ovn-bgp-agent will inject an VRF to FRR
neutron_ovn_bgp_config:
AS: 64513
# In this variable we define a base configuration for FRR that will be
# deployed as pre-requisite of ovn-bgp-agent
neutron_frr_bgp_config:
- router bgp 64513
- "bgp router-id {{ ansible_facts['bond0']['ipv4']['address'] }}"
- bgp log-neighbor-changes
- bgp graceful-shutdown
- neighbor uplink peer-group
- neighbor uplink remote-as 64512
- neighbor uplink ebgp-multihop
- neighbor 203.0.113.10 peer-group uplink
- neighbor 203.0.113.11 peer-group uplink
- neighbor 203.0.113.10 description leaf_1
- neighbor 203.0.113.11 description leaf_2
- address-family ipv4 unicast
- " redistribute connected"
- " neighbor uplink activate"
- " neighbor uplink allowas-in origin"
- " neighbor uplink prefix-list only-host-prefixes out"
- "exit-address-family"
- "ip prefix-list only-default permit 0.0.0.0/0"
- "ip prefix-list only-host-prefixes permit 0.0.0.0/0 ge 32"
- route-map rm-only-default permit 10
- " match ip address prefix-list only-default"
- " set src {{ ansible_facts['bond0']['ipv4']['address'] }}"
- ip protocol bgp route-map rm-only-default
# This variable might be useful for ebgp-multihop scenarios
neutron_frr_staticd_routes:
- ip route 203.0.113.10/32 198.51.100.1
- ip route 203.0.113.10/32 198.51.100.1
Once all required variables are set, running
``openstack-ansible os-neutron-install.yml`` should install and configure
FRRouting on all of your ``neutron_ovn_controller`` as well as a new service
``neutron-ovn-bgp-agent`` will appear.
This service does not use RabbitMQ for communication and listens for events
directly on OVN NB/SB databases, so it will not appear on
``openstack network agent list`` output like one may assume.
.. _OVN BGP Agent: https://docs.openstack.org/ovn-bgp-agent/latest/index.html
.. _FRRouting: https://docs.frrouting.org/en/latest/bgp.html
.. _BGP Supportability Matrix: https://docs.openstack.org/ovn-bgp-agent/latest/bgp_supportability_matrix.html
SR-IOV Support (optional)
~~~~~~~~~~~~~~~~~~~~~~~~~~~

View File

@ -0,0 +1,13 @@
# ovn-bgp-agent-rootwrap command filters for scripts
# This file should be owned by (and only-writable by) the root user
[Filters]
# privileged/__init__.py: priv_context.PrivContext(default)
# This line ties the superuser privs with the config files, context name,
# and (implicitly) the actual python code invoked.
privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, ovn_bgp_agent.privileged.default, --privsep_sock_path, /tmp/.*
ovs-vsctl: CommandFilter, ovs-vsctl, root
sysctl: CommandFilter, sysctl, root
ip: IpFilter, ip, root
vtysh: CommandFilter, vtysh, root

View File

@ -52,6 +52,21 @@
delay: 2
with_items: "{{ neutron_remove_distro_packages }}"
- name: Include FRR role for OVN BGP Agent
include_role:
name: frrouting
apply:
tags:
- frrouting
vars:
frr_bgpd_config: "{{ neutron_frr_bgp_config }}"
frr_staticd_routes: "{{ neutron_frr_staticd_routes }}"
when:
- neutron_ovn_bgp_enable | bool
- neutron_services['neutron-ovn-bgp-agent']['group'] in group_names
tags:
- always
# NOTE(jrosser)
# ceilometer appears in u-c as is used by networking-odl stats plugin.
# the new pip resolver will fail to install ceilometer if two contradictory

View File

@ -73,11 +73,16 @@
- neutron_services['neutron-ovn-controller']['group'] in group_names
- neutron_provider_networks.network_mappings is defined and (neutron_provider_networks.network_mappings|length > 0)
# NOTE(noonedeadpunk): When ovn-bgp-agent is in use, physical interfaces should not be added the OVS
# bridge directly.
- name: Add ports to Network Provider Bridges
vars:
_neutron_attach_ovs_port_for_bgp: >-
{{ (neutron_ovn_bgp_enable and neutron_services['neutron-ovn-bgp-agent']['group'] in group_names) | ternary('absent', 'present') }}
openvswitch_port:
bridge: "{{ interface_mapping.split(':')[0] }}"
port: "{{ interface_mapping.split(':')[1] }}"
state: present
state: "{{ _neutron_attach_ovs_port_for_bgp }}"
with_items: "{{ neutron_provider_networks.network_interface_mappings.split(',') }}"
loop_control:
loop_var: interface_mapping

View File

@ -0,0 +1,38 @@
[DEFAULT]
debug = {{ debug }}
expose_tenant_networks = {{ neutron_ovn_bgp_expose_tenant_networks }}
expose_ipv6_gua_tenant_networks = {{ neutron_ovn_bgp_expose_ipv6_gua_tenant_networks }}
driver = {{ neutron_ovn_bgp_agent_driver }}
exposing_method = {{ neutron_ovn_bgp_exposing_method }}
{% for param, value in neutron_ovn_bgp_config.items() %}
bgp_{{ param }} = {{ value }}
{% endfor %}
ovsdb_connection = {{ neutron_ovsdb_manager_connection }}
ovsdb_connection_timeout = 180
[agent]
root_helper=sudo {{ neutron_bin }}/ovn-bgp-agent-rootwrap {{ neutron_conf_dir }}/rootwrap.conf
root_helper_daemon=sudo {{ neutron_bin }}/ovn-bgp-agent-rootwrap-daemon {{ neutron_conf_dir }}/rootwrap.conf
[ovn]
ovn_nb_connection = {{ neutron_ovn_nb_connection }}
ovn_sb_connection = {{ neutron_ovn_sb_connection }}
{% if neutron_ovn_ssl %}
ovn_sb_ca_cert={{ [neutron_conf_version_dir, neutron_ovn_ssl_ca_cert] | join('/') }}
ovn_sb_certificate={{ [neutron_conf_version_dir, neutron_ovn_ssl_cert] | join('/') }}
ovn_sb_private_key={{ [neutron_conf_version_dir, neutron_ovn_ssl_key] | join('/') }}
ovn_nb_ca_cert={{ [neutron_conf_version_dir, neutron_ovn_ssl_ca_cert] | join('/') }}
ovn_nb_certificate={{ [neutron_conf_version_dir, neutron_ovn_ssl_cert] | join('/') }}
ovn_nb_private_key={{ [neutron_conf_version_dir, neutron_ovn_ssl_key] | join('/') }}
{% endif %}
{% if neutron_ovn_bgp_exposing_method == 'ovn' %}
[local_ovn_cluster]
ovn_nb_connection = {{ neutron_ovn_bgp_local_nbdb }}
external_nics = {{ neutron_ovn_bgp_local_nics | join(',') }}
peer_ips = {{ neutron_ovn_bgp_local_peers | join(',') }}
provider_networks_pool_prefixes = {{ neutron_ovn_bgp_provider_networks_prefixes | join(',') }}
{% endif %}

View File

@ -6,3 +6,8 @@ Defaults:{{ neutron_system_user_name }} secure_path="{{ neutron_bin }}:/usr/loca
{{ neutron_system_user_name }} ALL = (root) NOPASSWD: {{ neutron_bin }}/{{ neutron_service_name }}-rootwrap
{{ neutron_system_user_name }} ALL = (root) NOPASSWD: {{ neutron_bin }}/{{ neutron_service_name }}-rootwrap-daemon
{{ neutron_system_user_name }} ALL = (root) NOPASSWD: {{ neutron_bin }}/privsep-helper
{% if neutron_ovn_bgp_enable | bool %}
{{ neutron_system_user_name }} ALL = (root) NOPASSWD: {{ neutron_bin }}/ovn-bgp-agent-rootwrap
{{ neutron_system_user_name }} ALL = (root) NOPASSWD: {{ neutron_bin }}/ovn-bgp-agent-rootwrap-daemon
{% endif %}

View File

@ -58,6 +58,9 @@ neutron_optional_oslomsg_amqp1_pip_packages:
neutron_optional_bgp_pip_packages:
- "git+{{ neutron_dynamic_routing_git_repo }}@{{ neutron_dynamic_routing_git_install_branch }}#egg=neutron-dynamic-routing"
neutron_optional_ovn_bgp_pip_packages:
- "git+{{ networking_ovn_bgp_git_repo }}@{{ networking_ovn_bgp_install_branch }}#egg=ovn-bgp-agent"
neutron_optional_fwaas_pip_packages:
- "git+{{ neutron_fwaas_git_repo }}@{{ neutron_fwaas_git_install_branch }}#egg=neutron-fwaas"
@ -90,6 +93,10 @@ neutron_venv_packages: >-
{%- if neutron_fwaas_v2 | bool %}
{%- set _ = pkg_list.extend(neutron_optional_fwaas_pip_packages) %}
{%- endif %}
{%- if (neutron_ovn_bgp_enable | bool) and
(neutron_services['neutron-ovn-bgp-agent']['group'] in group_names) %}
{%- set _ = pkg_list.extend(neutron_optional_ovn_bgp_pip_packages) %}
{%- endif %}
{%- if neutron_vpnaas | bool %}
{%- set _ = pkg_list.extend(neutron_optional_vpnaas_pip_packages) %}
{%- endif %}
@ -510,6 +517,19 @@ neutron_services:
neutron-ovn-controller:
group: neutron_ovn_controller
service_en: False
neutron-ovn-bgp-agent:
group: "{{ neutron_ovn_bgp_agent_group }}"
systemd_lock_dir: /run/lock/ovn-bgp-agent
service_name: neutron-ovn-bgp-agent
service_en: "{{ (neutron_plugin_type == 'ml2.ovn') and neutron_ovn_bgp_enable | bool }}"
service_conf_path: "{{ neutron_conf_version_dir }}"
service_conf: neutron_ovn_bgp_agent.ini
service_rootwrap: rootwrap.d/ovn-bgp.filters
execstarts: "{{ neutron_bin }}/ovn-bgp-agent --config-file {{ neutron_conf_dir }}/neutron_ovn_bgp_agent.ini"
config_overrides: "{{ neutron_ovn_bgp_agent_ini_overrides }}"
config_type: "ini"
init_config_overrides: "{{ neutron_ovn_bgp_agent_init_overrides }}"
start_order: 4
neutron-ovn-metadata-agent:
group: neutron_ovn_controller
systemd_lock_dir: /run/lock/neutron-ovn-metadata