openstack/puppet-openstack-integration
Code Issues Proposed changes
puppet-openstack-integration/manifests/neutron.pp
Takashi Kajinami 646eeea9d5 Test redis (sentinel) cache backend 
oslo.cache 3.7.0 introduced new options to use redis or redis sentinel
as backend. To test the functionality to configure this backend, switch
the cache backend in scenario001(Redis) and scenario002(Sentinel).

The switch is made only in CentOS because Caracal (or master) packages
are not available for Ubuntu, but may be later made in Ubuntu as well
once UCA Caracal is released.

Change-Id: Ieb681f5bbbf28e1963ab346c17e07265769da4e6
2024-04-12 00:23:33 +09:00

509 lines
17 KiB
Puppet
Raw Blame History

# Configure the Neutron service
#
# [*driver*]
# (optional) Neutron Driver to test
# Can be: openvswitch, linuxbridge or ovn.
# Defaults to 'openvswitch'.
#
# [*ovn_metadata_agent_enabled*]
# (optional) Enable ovn-metadata-agent
# Defaults to true
#
# [*metering_enabled*]
# (optional) Flag to enable metering agent
# Defaults to false.
#
# [*vpnaas_enabled*]
# (optional) Flag to enable VPNaaS.
# Defaults to false.
#
# [*taas_enabled*]
# (optional) Flag to enable TAPaaS.
# Defaults to false.
#
# [*bgpvpn_enabled*]
# (optional) Flag to enable BGPVPN API extensions.
# Defaults to false.
#
# [*l2gw_enabled*]
# (optional) Flag to enable L2GW.
# Defaults to false.
#
# [*bgp_dragent_enabled*]
# (optional) Flag to enable BGP dragent
# Defaults to false.
#
# [*baremetal_enabled*]
# (optional) Flag to enable networking-baremetal
# Defaults to false.
#
# [*notification_topics*]
# (optional) AMQP topic used for OpenStack notifications
# Defaults to $facts['os_service_default'].
#
class openstack_integration::neutron (
$driver = 'openvswitch',
$ovn_metadata_agent_enabled = true,
$metering_enabled = false,
$vpnaas_enabled = false,
$taas_enabled = false,
$bgpvpn_enabled = false,
$l2gw_enabled = false,
$bgp_dragent_enabled = false,
$baremetal_enabled = false,
$notification_topics = $facts['os_service_default'],
) {
include openstack_integration::config
include openstack_integration::params
if $driver == 'ovn' {
if $metering_enabled {
fail('Metering agent is not supported when ovn mechanism driver is used.')
}
if $vpnaas_enabled {
fail('VPNaaS is not supported when ovn mechanism driver is used.')
}
if $bgpvpn_enabled {
fail('BGP VPN is not supported when ovn mechanism driver is used.')
}
if $l2gw_enabled {
fail('L2GW is not supported when ovn mechanism driver is used.')
}
if $bgp_dragent_enabled {
fail('BGP dragent is not supported when ovn mechanism driver is used.')
}
}
if $driver != 'openvswitch' and $taas_enabled {
fail('TaaS is supported only when ovs mechanism driver is used.')
}
if $::openstack_integration::config::ssl {
openstack_integration::ssl_key { 'neutron':
notify => Service['neutron-server'],
require => Anchor['neutron::install::end'],
}
Exec['update-ca-certificates'] ~> Service<| tag == 'neutron-service' |>
if $driver == 'ovn' {
openstack_integration::ovn::ssl_key { 'neutron':
notify => Anchor['neutron::service::begin'],
require => Anchor['neutron::install::end'],
}
}
}
if $facts['os']['name'] == 'CentOS' {
# os_neutron_dac_override should be on to start privsep-helper
# See https://bugzilla.redhat.com/show_bug.cgi?id=1850973
selboolean { 'os_neutron_dac_override':
persistent => true,
value => on,
require => Package['openstack-selinux'],
before => Anchor['neutron::service::begin'],
}
if $driver == 'openvswitch' or $driver == 'linuxbridge' {
selboolean { 'os_dnsmasq_dac_override':
persistent => true,
value => on,
require => Package['openstack-selinux'],
before => Anchor['neutron::service::begin'],
}
selboolean { 'os_keepalived_dac_override':
persistent => true,
value => on,
require => Package['openstack-selinux'],
before => Anchor['neutron::service::begin'],
}
}
}
openstack_integration::mq_user { 'neutron':
password => 'an_even_bigger_secret',
before => Anchor['neutron::service::begin'],
}
case $driver {
'openvswitch', 'ovn': {
include openstack_integration::ovs
}
'linuxbridge': {
exec { 'create_dummy_iface':
path => '/usr/bin:/bin:/usr/sbin:/sbin',
provider => shell,
unless => 'ip l show loop0',
command => 'ip link add name loop0 type dummy && ip addr add 172.24.5.1/24 dev loop0 && ip link set loop0 up',
}
}
default: {
fail("Unsupported neutron driver (${driver})")
}
}
class { 'neutron::db::mysql':
charset => $::openstack_integration::params::mysql_charset,
collate => $::openstack_integration::params::mysql_collate,
password => 'neutron',
host => $::openstack_integration::config::host,
}
class { 'neutron::keystone::auth':
public_url => "${::openstack_integration::config::base_url}:9696",
internal_url => "${::openstack_integration::config::base_url}:9696",
admin_url => "${::openstack_integration::config::base_url}:9696",
roles => ['admin', 'service'],
password => 'a_big_secret',
}
if $driver == 'ovn' {
$dhcp_agent_notification = false
$plugins_list = ['qos', 'ovn-router', 'trunk']
} else {
$dhcp_agent_notification = true
$metering_plugin = $metering_enabled ? {
true => 'metering',
default => undef,
}
$vpaaas_plugin = $vpnaas_enabled ? {
true => 'vpnaas',
default => undef,
}
$taas_plugin = $taas_enabled ? {
true => 'taas',
default => undef,
}
$bgpvpn_plugin = $bgpvpn_enabled ? {
true => 'bgpvpn',
default => undef,
}
$l2gw_plugin = $l2gw_enabled ? {
true => 'l2gw',
default => undef,
}
$bgp_dr_plugin = $bgp_dragent_enabled ? {
true => 'bgp',
default => undef,
}
$plugins_list = delete_undef_values([
'router', 'qos', 'trunk',
$metering_plugin,
$vpaaas_plugin,
$taas_plugin,
$bgpvpn_plugin,
$l2gw_plugin,
$bgp_dr_plugin
])
}
if $driver == 'linuxbridge' {
$global_physnet_mtu = '1450'
} else {
$global_physnet_mtu = undef
}
class { 'neutron::logging':
debug => true,
}
class { 'neutron':
default_transport_url => os_transport_url({
'transport' => $::openstack_integration::config::messaging_default_proto,
'host' => $::openstack_integration::config::host,
'port' => $::openstack_integration::config::messaging_default_port,
'username' => 'neutron',
'password' => 'an_even_bigger_secret',
}),
notification_transport_url => os_transport_url({
'transport' => $::openstack_integration::config::messaging_notify_proto,
'host' => $::openstack_integration::config::host,
'port' => $::openstack_integration::config::messaging_notify_port,
'username' => 'neutron',
'password' => 'an_even_bigger_secret',
}),
rabbit_use_ssl => $::openstack_integration::config::ssl,
core_plugin => 'ml2',
service_plugins => $plugins_list,
bind_host => $::openstack_integration::config::host,
use_ssl => $::openstack_integration::config::ssl,
cert_file => $::openstack_integration::params::cert_path,
key_file => "/etc/neutron/ssl/private/${facts['networking']['fqdn']}.pem",
notification_topics => $notification_topics,
notification_driver => 'messagingv2',
global_physnet_mtu => $global_physnet_mtu,
dhcp_agent_notification => $dhcp_agent_notification,
}
class { 'neutron::keystone::authtoken':
password => 'a_big_secret',
user_domain_name => 'Default',
project_domain_name => 'Default',
auth_url => $::openstack_integration::config::keystone_admin_uri,
www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
memcached_servers => $::openstack_integration::config::memcached_servers,
service_token_roles_required => true,
}
if $facts['os']['family'] == 'Debian' {
$auth_url = $::openstack_integration::config::keystone_auth_uri
$auth_opts = "--os-auth-url ${auth_url} --os-project-name services --os-username neutron --os-identity-api-version 3"
exec { 'check-neutron-server':
command => "openstack ${auth_opts} network list",
environment => ['OS_PASSWORD=a_big_secret'],
path => '/usr/bin:/bin:/usr/sbin:/sbin',
provider => shell,
timeout => 60,
tries => 10,
try_sleep => 2,
refreshonly => true,
}
Anchor['neutron::service::end'] ~> Exec['check-neutron-server'] -> Neutron_network<||>
}
class { 'neutron::cache':
backend => $::openstack_integration::config::cache_driver,
enabled => true,
memcache_servers => $::openstack_integration::config::memcache_servers,
redis_server => $::openstack_integration::config::redis_server,
redis_password => 'a_big_secret',
redis_sentinels => $::openstack_integration::config::redis_sentinel_server,
tls_enabled => $::openstack_integration::config::cache_tls_enabled,
}
class { 'neutron::db':
database_connection => os_database_connection({
'dialect' => 'mysql+pymysql',
'host' => $::openstack_integration::config::ip_for_url,
'username' => 'neutron',
'password' => 'neutron',
'database' => 'neutron',
'charset' => 'utf8',
'extra' => $::openstack_integration::config::db_extra,
}),
}
$rpc_workers = $driver ? {
'ovn' => 0,
default => 2,
}
$rpc_state_report_workers = $driver ? {
'ovn' => 0,
default => $facts['os_service_default'],
}
class { 'neutron::server':
sync_db => true,
api_workers => 2,
rpc_workers => $rpc_workers,
rpc_state_report_workers => $rpc_state_report_workers,
rpc_response_max_timeout => 300,
ensure_dr_package => $bgp_dragent_enabled,
}
$overlay_network_type = $driver ? {
'ovn' => 'geneve',
default => 'vxlan'
}
$max_header_size = $driver ? {
'ovn' => 38,
default => $facts['os_service_default']
}
$drivers_real = $baremetal_enabled ? {
true => [$driver, 'baremetal'],
default => [$driver],
}
class { 'neutron::plugins::ml2':
type_drivers => [$overlay_network_type, 'vlan', 'flat'],
tenant_network_types => [$overlay_network_type, 'vlan', 'flat'],
extension_drivers => 'port_security,qos',
mechanism_drivers => $drivers_real,
max_header_size => $max_header_size,
overlay_ip_version => $::openstack_integration::config::ip_version,
}
case $driver {
'openvswitch': {
$agent_extensions = $taas_enabled ? {
true => ['taas'],
default => $facts['os_service_default'],
}
class { 'neutron::agents::ml2::ovs':
local_ip => $::openstack_integration::config::host,
tunnel_types => ['vxlan'],
bridge_mappings => ['external:br-ex'],
manage_vswitch => false,
firewall_driver => 'iptables_hybrid',
of_listen_address => $::openstack_integration::config::host,
extensions => $agent_extensions,
}
}
'ovn': {
# NOTE(tkajinam): neutron::plugins::ml2::ovn requires neutron::plugins::ml2,
# thus it should be included after neutron::plugins::ml2.
class { 'neutron::plugins::ml2::ovn':
ovn_nb_connection => $::openstack_integration::config::ovn_nb_connection,
ovn_nb_private_key => '/etc/neutron/ovnnb-privkey.pem',
ovn_nb_certificate => '/etc/neutron/ovnnb-cert.pem',
ovn_nb_ca_cert => '/etc/neutron/switchcacert.pem',
ovn_sb_connection => $::openstack_integration::config::ovn_sb_connection,
ovn_sb_private_key => '/etc/neutron/ovnsb-privkey.pem',
ovn_sb_certificate => '/etc/neutron/ovnsb-cert.pem',
ovn_sb_ca_cert => '/etc/neutron/switchcacert.pem',
ovn_metadata_enabled => true,
}
}
'linuxbridge': {
class { 'neutron::agents::ml2::linuxbridge':
local_ip => $facts['networking']['ip'],
tunnel_types => ['vxlan'],
physical_interface_mappings => ['external:loop0'],
firewall_driver => 'iptables',
}
}
default: {
fail("Unsupported neutron driver (${driver})")
}
}
if $driver == 'ovn' {
# NOTE(tkajinam): ovn-agent is currently available only in RDO
if $facts['os']['family'] == 'RedHat' {
$ovn_agent_extensions = $ovn_metadata_agent_enabled ? {
false => ['metadata'],
default => undef
}
if ! $ovn_metadata_agent_enabled {
class { 'neutron::agents::ml2::ovn::metadata':
shared_secret => 'a_big_secret',
metadata_host => $::openstack_integration::config::host,
metadata_protocol => $::openstack_integration::config::proto,
}
}
class { 'neutron::agents::ml2::ovn':
debug => true,
extensions => $ovn_agent_extensions,
ovn_nb_connection => $::openstack_integration::config::ovn_nb_connection,
ovn_nb_private_key => '/etc/neutron/ovnnb-privkey.pem',
ovn_nb_certificate => '/etc/neutron/ovnnb-cert.pem',
ovn_nb_ca_cert => '/etc/neutron/switchcacert.pem',
ovn_sb_connection => $::openstack_integration::config::ovn_sb_connection,
ovn_sb_private_key => '/etc/neutron/ovnsb-privkey.pem',
ovn_sb_certificate => '/etc/neutron/ovnsb-cert.pem',
ovn_sb_ca_cert => '/etc/neutron/switchcacert.pem',
}
}
if $ovn_metadata_agent_enabled {
class { 'neutron::agents::ovn_metadata':
debug => true,
shared_secret => 'a_big_secret',
metadata_host => $::openstack_integration::config::host,
metadata_protocol => $::openstack_integration::config::proto,
ovn_sb_connection => $::openstack_integration::config::ovn_sb_connection,
ovn_sb_private_key => '/etc/neutron/ovnsb-privkey.pem',
ovn_sb_certificate => '/etc/neutron/ovnsb-cert.pem',
ovn_sb_ca_cert => '/etc/neutron/switchcacert.pem',
}
}
} else {
class { 'neutron::agents::metadata':
debug => true,
shared_secret => 'a_big_secret',
metadata_workers => 2,
metadata_host => $::openstack_integration::config::host,
metadata_protocol => $::openstack_integration::config::proto,
}
$l3_extensions = $vpnaas_enabled ? {
true => ['vpnaas'],
default => $facts['os_service_default'],
}
class { 'neutron::agents::l3':
interface_driver => $driver,
debug => true,
extensions => $l3_extensions,
}
class { 'neutron::agents::dhcp':
interface_driver => $driver,
debug => true,
}
if $metering_enabled {
class { 'neutron::agents::metering':
interface_driver => $driver,
debug => true,
}
}
if $vpnaas_enabled {
$vpn_device_driver = $facts['os']['family'] ? {
'Debian' => 'neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver',
default => 'neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver'
}
$service_provider_name = $facts['os']['family'] ? {
'Debian' => 'strongswan',
default => 'openswan'
}
class { 'neutron::services::vpnaas':
service_providers => join([
'VPN',
$service_provider_name,
'neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver',
'default'
], ':')
}
class { 'neutron::agents::vpnaas':
vpn_device_driver => $vpn_device_driver,
interface_driver => $driver,
}
}
if $taas_enabled {
class { 'neutron::agents::taas': }
class { 'neutron::services::taas': }
}
if $l2gw_enabled {
class { 'neutron::services::l2gw':
# NOTE(tkajinm): This value is picked up from the one used in CI, but is
# apparently wrong (It should have rpc_l2gw), but we can't enable
# the correct provider because of incomplete setup we have in CI.
service_providers => ['L2GW:l2gw:networking_l2gw.services.l2gateway.service_drivers.L2gwDriver:default']
}
class { 'neutron::agents::l2gw': }
}
if $bgpvpn_enabled {
class {'neutron::services::bgpvpn':
service_providers => 'BGPVPN:Dummy:networking_bgpvpn.neutron.services.service_drivers.driver_api.BGPVPNDriver:default'
}
}
if $bgp_dragent_enabled {
class {'neutron::agents::bgp_dragent':
bgp_router_id => '127.0.0.1'
}
}
}
if $baremetal_enabled {
class { 'neutron::plugins::ml2::networking_baremetal': }
class { 'neutron::agents::ml2::networking_baremetal':
auth_url => $::openstack_integration::config::keystone_admin_uri,
password => 'a_big_secret',
}
class { 'neutron::server::notifications::ironic':
auth_url => $::openstack_integration::config::keystone_admin_uri,
password => 'a_big_secret',
}
Anchor['ironic::service::end'] -> Service['ironic-neutron-agent-service']
}
class { 'neutron::server::notifications::nova':
auth_url => $::openstack_integration::config::keystone_admin_uri,
password => 'a_big_secret',
}
class { 'neutron::server::notifications': }
class { 'neutron::server::placement':
auth_url => $::openstack_integration::config::keystone_admin_uri,
password => 'a_big_secret',
}
}
View Git Blame Copy Permalink