Takashi Kajinami d61718175e Remove support for linuxbridge mechanism driver
This mechanism driver was deprecated several cycles ago and we've not
used it in our testing for some time.

It's being removed from neutron[1] now so it's time to clean up
the unused logic.

[1] https://review.opendev.org/c/openstack/neutron/+/927216

Change-Id: I78bb7f9d49577b8556ea93067399f19b21a060c0
2025-01-16 12:53:36 +09:00


# Configure the Neutron service
#
# [*driver*]
# (optional) Neutron Driver to test
# Can be: openvswitch or ovn.
# Defaults to 'openvswitch'.
#
# [*ovn_metadata_agent_enabled*]
# (optional) Enable ovn-metadata-agent
# Defaults to true
#
# [*metering_enabled*]
# (optional) Flag to enable metering agent
# Defaults to false.
#
# [*vpnaas_enabled*]
# (optional) Flag to enable VPNaaS.
# Defaults to false.
#
# [*taas_enabled*]
# (optional) Flag to enable TAPaaS.
# Defaults to false.
#
# [*bgpvpn_enabled*]
# (optional) Flag to enable BGPVPN API extensions.
# Defaults to false.
#
# [*l2gw_enabled*]
# (optional) Flag to enable L2GW.
# Defaults to false.
#
# [*bgp_dragent_enabled*]
# (optional) Flag to enable BGP dragent
# Defaults to false.
#
# [*baremetal_enabled*]
# (optional) Flag to enable networking-baremetal
# Defaults to false.
#
# [*notification_topics*]
# (optional) AMQP topic used for OpenStack notifications
# Defaults to $facts['os_service_default'].
#
class openstack_integration::neutron (
$driver = 'openvswitch',
$ovn_metadata_agent_enabled = true,
$metering_enabled = false,
$vpnaas_enabled = false,
$taas_enabled = false,
$bgpvpn_enabled = false,
$l2gw_enabled = false,
$bgp_dragent_enabled = false,
$baremetal_enabled = false,
$notification_topics = $facts['os_service_default'],
) {
# Declares the Neutron database, Keystone endpoint and user, API server, ML2
# plugin and the agents that match $driver.
#
# NOTE(review): every password and shared secret below is a literal string
# ('a_big_secret', 'an_even_bigger_secret', 'neutron') stored in this manifest.
# Presumably the class targets throwaway integration-test deployments (module
# name openstack_integration) - confirm before reusing it anywhere the
# credentials need to stay secret.

# On the RedHat family the API is served through Apache (see the $use_httpd
# branch further down); elsewhere the service names from $::neutron::params
# are used.
$use_httpd = $facts['os']['family'] ? {
'RedHat' => true,
default => false,
}
include openstack_integration::config
include openstack_integration::params
# Fail early on feature flags that cannot be combined with the selected
# mechanism driver, before any resource is declared.
if $driver == 'ovn' {
if $metering_enabled {
fail('Metering agent is not supported when ovn mechanism driver is used.')
}
if $bgpvpn_enabled {
fail('BGP VPN is not supported when ovn mechanism driver is used.')
}
if $l2gw_enabled {
fail('L2GW is not supported when ovn mechanism driver is used.')
}
if $bgp_dragent_enabled {
fail('BGP dragent is not supported when ovn mechanism driver is used.')
}
}
if $driver != 'openvswitch' and $taas_enabled {
fail('TaaS is supported only when ovs mechanism driver is used.')
}
# TLS material is only declared when config::ssl is set. The key resource is
# applied after package installation, and a change to it or to the CA bundle
# refreshes the API service.
# NOTE(review): openstack_integration::ssl_key is defined elsewhere;
# presumably it installs the private key read by key_file / ssl_key below.
if $::openstack_integration::config::ssl {
$api_service = $use_httpd ? {
true => 'httpd',
default => 'neutron-server',
}
openstack_integration::ssl_key { 'neutron':
notify => Service[$api_service],
require => Anchor['neutron::install::end'],
}
Exec['update-ca-certificates'] ~> Service[$api_service]
if $driver == 'ovn' {
openstack_integration::ovn::ssl_key { 'neutron':
notify => Anchor['neutron::service::begin'],
require => Anchor['neutron::install::end'],
}
}
}
# CentOS only: persistently turn on SELinux booleans before the services
# start. The booleans come from the openstack-selinux package, hence the
# require.
# NOTE(review): the *_dac_override names suggest each boolean loosens SELinux
# confinement for the named daemon - confirm the exact scope against the
# openstack-selinux policy.
if $facts['os']['name'] == 'CentOS' {
# os_neutron_dac_override should be on to start privsep-helper
# See https://bugzilla.redhat.com/show_bug.cgi?id=1850973
selboolean { 'os_neutron_dac_override':
persistent => true,
value => on,
require => Package['openstack-selinux'],
before => Anchor['neutron::service::begin'],
}
if $driver == 'openvswitch' {
selboolean { 'os_dnsmasq_dac_override':
persistent => true,
value => on,
require => Package['openstack-selinux'],
before => Anchor['neutron::service::begin'],
}
selboolean { 'os_keepalived_dac_override':
persistent => true,
value => on,
require => Package['openstack-selinux'],
before => Anchor['neutron::service::begin'],
}
}
}
# Messaging account for neutron. The password literal has to stay identical
# to the one embedded in both transport URLs of class 'neutron' below.
openstack_integration::mq_user { 'neutron':
password => 'an_even_bigger_secret',
before => Anchor['neutron::service::begin'],
}
# Pull in the backend for the chosen driver; any other value aborts the
# catalog.
case $driver {
'openvswitch': {
require openstack_integration::ovs
}
'ovn': {
require openstack_integration::ovn
}
default: {
fail("Unsupported neutron driver (${driver})")
}
}
# Database account. The password equals the user name ('neutron') and must
# match the connection string given to neutron::db below.
class { 'neutron::db::mysql':
charset => $::openstack_integration::params::mysql_charset,
collate => $::openstack_integration::params::mysql_collate,
password => 'neutron',
host => $::openstack_integration::config::host,
}
# Keystone service user and endpoints on port 9696. The user is given both
# the 'admin' and 'service' roles, and its password is the same literal that
# neutron::keystone::authtoken uses below.
class { 'neutron::keystone::auth':
public_url => "${::openstack_integration::config::base_url}:9696",
internal_url => "${::openstack_integration::config::base_url}:9696",
admin_url => "${::openstack_integration::config::base_url}:9696",
roles => ['admin', 'service'],
password => 'a_big_secret',
}
# Build the service plugin list. Each optional plugin resolves to undef when
# its flag is off and delete_undef_values() then drops it from the list.
if $driver == 'ovn' {
$dhcp_agent_notification = false
$vpaaas_plugin = $vpnaas_enabled ? {
true => 'ovn-vpnaas',
default => undef,
}
$plugins_list = delete_undef_values([
'qos', 'ovn-router', 'trunk', $vpaaas_plugin,
])
} else {
$dhcp_agent_notification = true
$metering_plugin = $metering_enabled ? {
true => 'metering',
default => undef,
}
$vpaaas_plugin = $vpnaas_enabled ? {
true => 'vpnaas',
default => undef,
}
$taas_plugin = $taas_enabled ? {
true => 'taas',
default => undef,
}
$bgpvpn_plugin = $bgpvpn_enabled ? {
true => 'bgpvpn',
default => undef,
}
$l2gw_plugin = $l2gw_enabled ? {
true => 'l2gw',
default => undef,
}
$bgp_dr_plugin = $bgp_dragent_enabled ? {
true => 'bgp',
default => undef,
}
$plugins_list = delete_undef_values([
'router', 'qos', 'trunk',
$metering_plugin,
$vpaaas_plugin,
$taas_plugin,
$bgpvpn_plugin,
$l2gw_plugin,
$bgp_dr_plugin
])
}
# Debug logging is switched on unconditionally here and on every agent class
# below.
# NOTE(review): debug output is verbose and may include request detail -
# review before using this class outside a test deployment.
class { 'neutron::logging':
debug => true,
}
# Core service settings. Both transport URLs embed the messaging user name
# and password as literals. TLS for the messaging option (rabbit_use_ssl) and
# for the API listener (use_ssl) is switched by the single config::ssl flag.
# key_file points at a per-host key named after the node's FQDN.
class { 'neutron':
default_transport_url => os_transport_url({
'transport' => $::openstack_integration::config::messaging_default_proto,
'host' => $::openstack_integration::config::host,
'port' => $::openstack_integration::config::messaging_default_port,
'username' => 'neutron',
'password' => 'an_even_bigger_secret',
}),
notification_transport_url => os_transport_url({
'transport' => $::openstack_integration::config::messaging_notify_proto,
'host' => $::openstack_integration::config::host,
'port' => $::openstack_integration::config::messaging_notify_port,
'username' => 'neutron',
'password' => 'an_even_bigger_secret',
}),
rabbit_use_ssl => $::openstack_integration::config::ssl,
core_plugin => 'ml2',
service_plugins => $plugins_list,
bind_host => $::openstack_integration::config::host,
use_ssl => $::openstack_integration::config::ssl,
cert_file => $::openstack_integration::params::cert_path,
key_file => "/etc/neutron/ssl/private/${facts['networking']['fqdn']}.pem",
notification_topics => $notification_topics,
notification_driver => 'messagingv2',
dhcp_agent_notification => $dhcp_agent_notification,
}
# Token validation settings for the API.
# NOTE(review): service_token_roles_required presumably makes the middleware
# check the roles carried by service tokens - confirm in puppet-neutron.
class { 'neutron::keystone::authtoken':
password => 'a_big_secret',
user_domain_name => 'Default',
project_domain_name => 'Default',
auth_url => $::openstack_integration::config::keystone_admin_uri,
www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
memcached_servers => $::openstack_integration::config::memcached_servers,
service_token_roles_required => true,
}
# Debian family only: a readiness check that must succeed before any
# Neutron_network resource is managed. It runs only when refreshed by the
# neutron::service::end anchor (refreshonly) and is retried up to 10 times
# with a 2 second pause.
# The password is handed over through the environment (OS_PASSWORD) and is
# not part of the command string.
# NOTE(review): provider => shell hands the interpolated command to a shell,
# so $auth_url must never carry untrusted text; here it is read from
# openstack_integration::config.
if $facts['os']['family'] == 'Debian' {
$auth_url = $::openstack_integration::config::keystone_auth_uri
$auth_opts = "--os-auth-url ${auth_url} --os-project-name services --os-username neutron --os-identity-api-version 3"
exec { 'check-neutron-server':
command => "openstack ${auth_opts} network list",
environment => ['OS_PASSWORD=a_big_secret'],
path => '/usr/bin:/bin:/usr/sbin:/sbin',
provider => shell,
timeout => 60,
tries => 10,
try_sleep => 2,
refreshonly => true,
}
Anchor['neutron::service::end'] ~> Exec['check-neutron-server'] -> Neutron_network<||>
}
# Cache backend. The redis password is the same literal as the Keystone
# service password; TLS towards the cache follows config::cache_tls_enabled.
class { 'neutron::cache':
backend => $::openstack_integration::config::cache_driver,
enabled => true,
memcache_servers => $::openstack_integration::config::memcache_servers,
redis_server => $::openstack_integration::config::redis_server,
redis_password => 'a_big_secret',
redis_sentinels => $::openstack_integration::config::redis_sentinel_server,
tls_enabled => $::openstack_integration::config::cache_tls_enabled,
}
# Database connection string; it embeds the 'neutron' / 'neutron' credentials
# declared in neutron::db::mysql above. Extra URL options come from
# config::db_extra.
class { 'neutron::db':
database_connection => os_database_connection({
'dialect' => 'mysql+pymysql',
'host' => $::openstack_integration::config::ip_for_url,
'username' => 'neutron',
'password' => 'neutron',
'database' => 'neutron',
'charset' => 'utf8',
'extra' => $::openstack_integration::config::db_extra,
}),
}
# Apache/WSGI deployment: the API listener reuses the per-host key and the
# shared certificate path, and TLS again follows config::ssl.
if $use_httpd {
class { 'neutron::wsgi::apache':
bind_host => $::openstack_integration::config::host,
ssl_key => "/etc/neutron/ssl/private/${facts['networking']['fqdn']}.pem",
ssl_cert => $::openstack_integration::params::cert_path,
ssl => $::openstack_integration::config::ssl,
workers => 2,
}
$vpnaas_conf = $vpnaas_enabled ? {
true => 'neutron_vpnaas.conf',
default => undef,
}
$taas_conf = $taas_enabled ? {
true => 'taas_plugin.ini',
default => undef,
}
$bgpvpn_conf = $bgpvpn_enabled ? {
true => 'networking_bgpvpn.conf',
default => undef,
}
$l2gw_conf = $l2gw_enabled ? {
true => 'l2gw_plugin.ini',
default => undef,
}
$neutron_conf_files = delete_undef_values([
'neutron.conf', 'plugins/ml2/ml2_conf.ini',
$vpnaas_conf, $taas_conf, $bgpvpn_conf, $l2gw_conf
])
# The drop-in exports the ';'-joined list of config files to the Apache unit
# through OS_NEUTRON_CONFIG_FILES. The list holds only fixed file names
# chosen above.
# TODO(tkajinam): Should this be in puppet-neutron ?
systemd::dropin_file { 'apache-os-neutron':
unit => "${::apache::service::service_name}.service",
filename => 'os-neutron.conf',
content => "[Service]
Environment=OS_NEUTRON_CONFIG_FILES=${join($neutron_conf_files, ';')}",
require => Package['httpd'],
}
$server_service_name = false
$api_service_name = 'httpd'
} else {
$server_service_name = $::neutron::params::server_service
$api_service_name = $::neutron::params::api_service_name
}
# With OVN, RPC workers are only started when VPNaaS is enabled; a worker
# count of 0 also sets the RPC service name to false.
$rpc_workers = $driver ? {
'ovn' => $vpnaas_enabled ? {
true => 2,
default => 0,
},
default => 2,
}
$rpc_state_report_workers = $driver ? {
'ovn' => 0,
default => $facts['os_service_default'],
}
$rpc_service_name = $rpc_workers ? {
0 => false,
default => $::neutron::params::rpc_service_name
}
class { 'neutron::server':
sync_db => true,
api_workers => 2,
rpc_workers => $rpc_workers,
rpc_state_report_workers => $rpc_state_report_workers,
rpc_response_max_timeout => 300,
service_name => $server_service_name,
api_service_name => $api_service_name,
rpc_service_name => $rpc_service_name,
}
# ML2 settings: the overlay type is geneve for OVN and vxlan otherwise, and
# max_header_size is pinned to 38 only for OVN. 'baremetal' is appended to
# the mechanism drivers when $baremetal_enabled is true.
$overlay_network_type = $driver ? {
'ovn' => 'geneve',
default => 'vxlan'
}
$max_header_size = $driver ? {
'ovn' => 38,
default => $facts['os_service_default']
}
$drivers_real = $baremetal_enabled ? {
true => [$driver, 'baremetal'],
default => [$driver],
}
class { 'neutron::plugins::ml2':
type_drivers => [$overlay_network_type, 'vlan', 'flat'],
tenant_network_types => [$overlay_network_type],
extension_drivers => 'port_security,qos',
mechanism_drivers => $drivers_real,
network_vlan_ranges => 'external:1000:2999',
max_header_size => $max_header_size,
overlay_ip_version => $::openstack_integration::config::ip_version,
}
case $driver {
'openvswitch': {
$agent_extensions = $taas_enabled ? {
true => ['taas'],
default => $facts['os_service_default'],
}
# NOTE(review): manage_vswitch is off, presumably because
# openstack_integration::ovs (required above) already manages Open vSwitch -
# confirm. The agent's firewall driver is set to 'iptables_hybrid'.
class { 'neutron::agents::ml2::ovs':
local_ip => $::openstack_integration::config::host,
tunnel_types => ['vxlan'],
bridge_mappings => ['external:br-ex'],
manage_vswitch => false,
firewall_driver => 'iptables_hybrid',
of_listen_address => $::openstack_integration::config::host,
extensions => $agent_extensions,
}
}
'ovn': {
# NOTE(tkajinam): neutron::plugins::ml2::ovn requires neutron::plugins::ml2,
# thus it should be included after neutron::plugins::ml2.
#
# Client key, certificate and CA paths for the OVN northbound and southbound
# connections. The paths are set whether or not config::ssl is true, while
# openstack_integration::ovn::ssl_key is only declared when it is.
# NOTE(review): presumably the connection strings use a non-TLS scheme when
# ssl is off - verify in openstack_integration::config.
class { 'neutron::plugins::ml2::ovn':
ovn_nb_connection => $::openstack_integration::config::ovn_nb_connection,
ovn_nb_private_key => '/etc/neutron/ovnnb-privkey.pem',
ovn_nb_certificate => '/etc/neutron/ovnnb-cert.pem',
ovn_nb_ca_cert => '/etc/neutron/switchcacert.pem',
ovn_sb_connection => $::openstack_integration::config::ovn_sb_connection,
ovn_sb_private_key => '/etc/neutron/ovnsb-privkey.pem',
ovn_sb_certificate => '/etc/neutron/ovnsb-cert.pem',
ovn_sb_ca_cert => '/etc/neutron/switchcacert.pem',
ovn_metadata_enabled => true,
}
}
default: {
fail("Unsupported neutron driver (${driver})")
}
}
if $driver == 'ovn' {
# Metadata handling under OVN:
#  - $ovn_metadata_agent_enabled true: the standalone ovn_metadata agent is
#    declared further down.
#  - false on the RedHat family: ovn-agent is given the 'metadata' extension
#    instead.
#  - false on any other family: neither metadata class in this branch is
#    declared.
# Every metadata class uses the same shared_secret literal.
# NOTE(tkajinam): ovn-agent is currently available only in RDO
if $facts['os']['family'] == 'RedHat' {
$ovn_agent_extensions = $ovn_metadata_agent_enabled ? {
false => ['metadata'],
default => undef
}
if ! $ovn_metadata_agent_enabled {
class { 'neutron::agents::ml2::ovn::metadata':
shared_secret => 'a_big_secret',
metadata_host => $::openstack_integration::config::host,
metadata_protocol => $::openstack_integration::config::proto,
}
}
class { 'neutron::agents::ml2::ovn':
debug => true,
extensions => $ovn_agent_extensions,
ovn_nb_connection => $::openstack_integration::config::ovn_nb_connection,
ovn_nb_private_key => '/etc/neutron/ovnnb-privkey.pem',
ovn_nb_certificate => '/etc/neutron/ovnnb-cert.pem',
ovn_nb_ca_cert => '/etc/neutron/switchcacert.pem',
ovn_sb_connection => $::openstack_integration::config::ovn_sb_connection,
ovn_sb_private_key => '/etc/neutron/ovnsb-privkey.pem',
ovn_sb_certificate => '/etc/neutron/ovnsb-cert.pem',
ovn_sb_ca_cert => '/etc/neutron/switchcacert.pem',
}
}
if $ovn_metadata_agent_enabled {
class { 'neutron::agents::ovn_metadata':
debug => true,
shared_secret => 'a_big_secret',
metadata_host => $::openstack_integration::config::host,
metadata_protocol => $::openstack_integration::config::proto,
ovn_sb_connection => $::openstack_integration::config::ovn_sb_connection,
ovn_sb_private_key => '/etc/neutron/ovnsb-privkey.pem',
ovn_sb_certificate => '/etc/neutron/ovnsb-cert.pem',
ovn_sb_ca_cert => '/etc/neutron/switchcacert.pem',
}
}
# IPsec device driver for VPNaaS on OVN: the StrongSwan variant on the Debian
# family, the LibreSwan variant elsewhere.
$vpn_device_driver = $facts['os']['family'] ? {
'Debian' => 'neutron_vpnaas.services.vpn.device_drivers.ovn_ipsec.OvnStrongSwanDriver',
default => 'neutron_vpnaas.services.vpn.device_drivers.ovn_ipsec.OvnLibreSwanDriver',
}
$vpnaas_driver = 'neutron_vpnaas.services.vpn.service_drivers.ovn_ipsec.IPsecOvnVPNDriver'
if $vpnaas_enabled {
class { 'neutron::agents::vpnaas::ovn':
debug => true,
vpn_device_driver => $vpn_device_driver,
interface_driver => 'openvswitch',
ovn_sb_connection => $::openstack_integration::config::ovn_sb_connection,
ovn_sb_private_key => '/etc/neutron/ovnsb-privkey.pem',
ovn_sb_certificate => '/etc/neutron/ovnsb-cert.pem',
ovn_sb_ca_cert => '/etc/neutron/switchcacert.pem',
}
}
if $use_httpd {
class { 'neutron::plugins::ml2::ovn::maintenance_worker': }
}
} else {
# Non-OVN path: metadata, L3 and DHCP agents plus the optional services.
# The metadata shared_secret is the same literal used for the service
# passwords above.
class { 'neutron::agents::metadata':
debug => true,
shared_secret => 'a_big_secret',
metadata_workers => 2,
metadata_host => $::openstack_integration::config::host,
metadata_protocol => $::openstack_integration::config::proto,
}
$l3_extensions = $vpnaas_enabled ? {
true => ['vpnaas'],
default => $facts['os_service_default'],
}
class { 'neutron::agents::l3':
interface_driver => $driver,
debug => true,
extensions => $l3_extensions,
}
class { 'neutron::agents::dhcp':
interface_driver => $driver,
debug => true,
}
if $metering_enabled {
class { 'neutron::agents::metering':
interface_driver => $driver,
debug => true,
}
}
# IPsec device driver for VPNaaS: StrongSwan on the Debian family, LibreSwan
# elsewhere.
$vpn_device_driver = $facts['os']['family'] ? {
'Debian' => 'neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver',
default => 'neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver'
}
$vpnaas_driver = 'neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver'
if $vpnaas_enabled {
class { 'neutron::agents::vpnaas':
vpn_device_driver => $vpn_device_driver,
interface_driver => $driver,
}
}
if $taas_enabled {
class { 'neutron::agents::taas': }
class { 'neutron::services::taas': }
}
if $l2gw_enabled {
class { 'neutron::services::l2gw':
# NOTE(tkajinm): This value is picked up from the one used in CI, but is
# apparently wrong (It should have rpc_l2gw), but we can't enable
# the correct provider because of incomplete setup we have in CI.
service_providers => ['L2GW:l2gw:networking_l2gw.services.l2gateway.service_drivers.L2gwDriver:default']
}
class { 'neutron::agents::l2gw': }
}
if $bgpvpn_enabled {
class {'neutron::services::bgpvpn':
service_providers => 'BGPVPN:Dummy:networking_bgpvpn.neutron.services.service_drivers.driver_api.BGPVPNDriver:default'
}
}
if $bgp_dragent_enabled {
class {'neutron::services::dr': }
class {'neutron::agents::bgp_dragent':
bgp_router_id => '127.0.0.1'
}
}
}
# VPNaaS service provider string, built as
# 'VPN:<provider>:<service driver>:default'. $vpnaas_driver was set in the
# driver-specific branch above.
if $vpnaas_enabled {
$vpnaas_service_provider = $facts['os']['family'] ? {
'Debian' => 'strongswan',
default => 'openswan'
}
class { 'neutron::services::vpnaas':
service_providers => join([
'VPN',
$vpnaas_service_provider,
$vpnaas_driver,
'default'
], ':')
}
}
# The remaining classes authenticate against Keystone at keystone_admin_uri,
# all with the same password literal.
if $baremetal_enabled {
class { 'neutron::plugins::ml2::networking_baremetal': }
class { 'neutron::agents::ml2::networking_baremetal':
auth_url => $::openstack_integration::config::keystone_admin_uri,
password => 'a_big_secret',
}
class { 'neutron::server::notifications::ironic':
auth_url => $::openstack_integration::config::keystone_admin_uri,
password => 'a_big_secret',
}
Anchor['ironic::service::end'] -> Service['ironic-neutron-agent-service']
}
class { 'neutron::server::notifications::nova':
auth_url => $::openstack_integration::config::keystone_admin_uri,
password => 'a_big_secret',
}
class { 'neutron::server::notifications': }
class { 'neutron::server::placement':
auth_url => $::openstack_integration::config::keystone_admin_uri,
password => 'a_big_secret',
}
}