Neutron: make metadata proxy work

- corrected the path of "socket" volume, which is used for sharing metadata proxy unix socket among the agents - and give neutron user permission to write to the dir - set the default nova_metadata_ip to full hostname of metadata so that it could be accessed properly via ingress - removed unnecessary configurations from values Change-Id: I4d20dc670fecebd9799851d659c5f42edb4821ac Closes-Bug:1745370
2018-01-25 22:27:15 +09:00 · 2018-01-25 22:27:15 +09:00 · aba33b3440
parent 9f13514073
commit aba33b3440
11 changed files with 31 additions and 36 deletions
--- a/neutron/templates/bin/_neutron-dhcp-agent.sh.tpl
+++ b/neutron/templates/bin/_neutron-dhcp-agent.sh.tpl
@ -20,6 +20,7 @@ set -x
 exec neutron-dhcp-agent \
      --config-file /etc/neutron/neutron.conf \
      --config-file /etc/neutron/dhcp_agent.ini \
+      --config-file /etc/neutron/metadata_agent.ini \
      --config-file /etc/neutron/plugins/ml2/ml2_conf.ini
 {{- if eq .Values.network.backend "ovs" }} \
      --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini
--- a/neutron/templates/bin/_neutron-l3-agent.sh.tpl
+++ b/neutron/templates/bin/_neutron-l3-agent.sh.tpl
@ -20,6 +20,7 @@ set -x
 exec neutron-l3-agent \
      --config-file /etc/neutron/neutron.conf \
      --config-file /etc/neutron/l3_agent.ini \
+      --config-file /etc/neutron/metadata_agent.ini \
      --config-file /etc/neutron/plugins/ml2/ml2_conf.ini
 {{- if eq .Values.network.backend "ovs" }} \
      --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini
--- a/neutron/templates/bin/_neutron-metadata-agent-init.sh.tpl
+++ b/neutron/templates/bin/_neutron-metadata-agent-init.sh.tpl
@ -18,13 +18,4 @@ limitations under the License.

 set -ex

-metadata_ip="{{- .Values.conf.metadata_agent.DEFAULT.nova_metadata_ip -}}"
-if [ -z "${metadata_ip}" ] ; then
-    metadata_ip=$(getent hosts metadata | awk '{print $1}')
-fi
-
-cat <<EOF>/tmp/pod-shared/neutron-metadata-agent.ini
-[DEFAULT]
-nova_metadata_ip=$metadata_ip
-EOF
-
+chown ${NEUTRON_USER_UID} /var/lib/neutron/openstack-helm
--- a/neutron/templates/bin/_neutron-metadata-agent.sh.tpl
+++ b/neutron/templates/bin/_neutron-metadata-agent.sh.tpl
@ -20,8 +20,7 @@ set -x
 exec neutron-metadata-agent \
      --config-file /etc/neutron/neutron.conf \
      --config-file /etc/neutron/metadata_agent.ini \
-      --config-file /etc/neutron/plugins/ml2/ml2_conf.ini \
-      --config-file /tmp/pod-shared/neutron-metadata-agent.ini
+      --config-file /etc/neutron/plugins/ml2/ml2_conf.ini
 {{- if eq .Values.network.backend "ovs" }} \
      --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini
 {{- end }}
--- a/neutron/templates/configmap-etc.yaml
+++ b/neutron/templates/configmap-etc.yaml
@ -84,6 +84,10 @@ limitations under the License.
 {{- set .Values.conf.neutron.nova "password" .Values.endpoints.identity.auth.nova.password | quote | trunc 0 -}}
 {{- end -}}

+{{- if empty .Values.conf.metadata_agent.DEFAULT.nova_metadata_ip -}}
+{{- tuple "compute_metadata" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" | set .Values.conf.metadata_agent.DEFAULT "nova_metadata_ip" | quote | trunc 0 -}}
+{{- set .Values.conf.metadata_agent.DEFAULT "nova_metadata_port" 80 | quote | trunc 0 -}}
+{{- end -}}
 {{- if empty .Values.conf.metadata_agent.cache.memcache_servers -}}
 {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.metadata_agent.cache "memcache_servers" | quote | trunc 0 -}}
 {{- end -}}
--- a/neutron/templates/daemonset-dhcp-agent.yaml
+++ b/neutron/templates/daemonset-dhcp-agent.yaml
@ -84,6 +84,10 @@ spec:
              mountPath: /etc/neutron/dnsmasq.conf
              subPath: dnsmasq.conf
              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/metadata_agent.ini
+              subPath: metadata_agent.ini
+              readOnly: true
            - name: neutron-etc
              # NOTE (Portdirect): We mount here to override Kollas
              # custom sudoers file when using Kolla images, this
--- a/neutron/templates/daemonset-l3-agent.yaml
+++ b/neutron/templates/daemonset-l3-agent.yaml
@ -80,6 +80,10 @@ spec:
              mountPath: /etc/neutron/l3_agent.ini
              subPath: l3_agent.ini
              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/metadata_agent.ini
+              subPath: metadata_agent.ini
+              readOnly: true
            - name: neutron-etc
              # NOTE (Portdirect): We mount here to override Kollas
              # custom sudoers file when using Kolla images, this
@ -135,7 +139,7 @@ spec:
              mountPath: /lib/modules
              readOnly: true
            - name: socket
-              mountPath: /var/lib/neutron/stackanetes
+              mountPath: /var/lib/neutron/openstack-helm
 {{ if $mounts_neutron_l3_agent.volumeMounts }}{{ toYaml $mounts_neutron_l3_agent.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: neutron-bin
@ -156,6 +160,6 @@ spec:
            path: /lib/modules
        - name: socket
          hostPath:
-            path: /var/lib/neutron/stackanetes
+            path: /var/lib/neutron/openstack-helm
 {{ if $mounts_neutron_l3_agent.volumes }}{{ toYaml $mounts_neutron_l3_agent.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/neutron/templates/daemonset-metadata-agent.yaml
+++ b/neutron/templates/daemonset-metadata-agent.yaml
@ -50,7 +50,10 @@ spec:
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.agent.metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          securityContext:
-            runAsUser: {{ .Values.pod.user.neutron.uid }}
+            runAsUser: 0
+          env:
+            - name: NEUTRON_USER_UID
+              value: "{{ .Values.pod.user.neutron.uid }}"
          command:
            - /tmp/neutron-metadata-agent-init.sh
          volumeMounts:
@ -62,8 +65,8 @@ spec:
              mountPath: /etc/neutron/neutron.conf
              subPath: neutron.conf
              readOnly: true
-            - name: pod-shared
-              mountPath: /tmp/pod-shared
+            - name: socket
+              mountPath: /var/lib/neutron/openstack-helm
      containers:
        - name: neutron-metadata-agent
          image: {{ .Values.images.tags.neutron_metadata }}
@ -72,8 +75,6 @@ spec:
          securityContext:
            runAsUser: {{ .Values.pod.user.neutron.uid }}
            privileged: true
-          ports:
-            - containerPort: {{ .Values.network.metadata.port }}
          command:
            - /tmp/neutron-metadata-agent.sh
          volumeMounts:
@ -153,10 +154,7 @@ spec:
              subPath: openvswitch-plugin.filters
              readOnly: true
            - name: socket
-              mountPath: /var/lib/neutron/stackanetes
-            - name: pod-shared
-              mountPath: /tmp/pod-shared
-              readOnly: true
+              mountPath: /var/lib/neutron/openstack-helm
 {{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: neutron-bin
@ -175,7 +173,5 @@ spec:
        - name: socket
          hostPath:
            path: /var/lib/neutron/openstack-helm
-        - name: pod-shared
-          emptyDir: {}
 {{ if $mounts_neutron_metadata_agent.volumes }}{{ toYaml $mounts_neutron_metadata_agent.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@ -98,8 +98,6 @@ network:
    node_port:
      enabled: false
      port: 30096
-  metadata:
-    port: 8775

 bootstrap:
  enabled: false
@ -914,7 +912,6 @@ conf:
      # service_plugin can be: router, odl-router, empty for calico,
      # networking_ovn.l3.l3_ovn.OVNL3RouterPlugin for OVN
      service_plugins: router
-      metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
      allow_automatic_l3agent_failover: True
      l3_ha: True
      min_l3_agents_per_router: 2
@ -991,7 +988,6 @@ conf:
      # openvswitch or linuxbridge
      interface_driver: openvswitch
      dnsmasq_config_file: /etc/neutron/dnsmasq.conf
-      enable_isolated_metadata: True
      force_metadata: True
  l3_agent:
    DEFAULT:
@ -999,15 +995,12 @@ conf:
      # openvswitch or linuxbridge
      interface_driver: openvswitch
      agent_mode: legacy
-      enable_metadata_proxy: True
-      enable_isolated_metadata: True
  metering_agent: null
  metadata_agent:
    DEFAULT:
-      # IF blank, set dynamically from metadata hosts
-      nova_metadata_ip:
-      nova_metadata_port: 80
-      nova_metadata_protocol: http
+      # we cannot change the proxy socket path as it is declared
+      # as a hostPath volume from agent daemonsets
+      metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
      metadata_proxy_shared_secret: "password"
    cache:
      enabled: true
--- a/nova/values.yaml
+++ b/nova/values.yaml
@ -940,7 +940,6 @@ conf:
      ram_allocation_ratio: 1.0
      disk_allocation_ratio: 1.0
      cpu_allocation_ratio: 3.0
-      force_config_drive: true
      state_path: /var/lib/nova
      osapi_compute_listen: 0.0.0.0
      osapi_compute_listen_port: 8774
--- a/tools/deployment/developer/common/900-use-it.sh
+++ b/tools/deployment/developer/common/900-use-it.sh
@ -95,3 +95,6 @@ wait_for_ssh_port $FLOATING_IP
 # SSH into the VM and check it can reach the outside world
 ssh-keyscan "$FLOATING_IP" >> ~/.ssh/known_hosts
 ssh -i ${HOME}/.ssh/osh_key cirros@${FLOATING_IP} ping -q -c 1 -W 2 ${OSH_BR_EX_ADDR%/*}
+
+# Check the VM can reach the metadata server
+ssh -i ${HOME}/.ssh/osh_key cirros@${FLOATING_IP} curl --verbose --connect-timeout 5 169.254.169.254