From ae143ae670cf3bec9a220ff0defcafe39061244d Mon Sep 17 00:00:00 2001 
From: Thomas Bachman Date: Thu, 12 Dec 2024 12:23:58 +0000 Subject: [PATCH] Add cisco_neutron_opflex_agent role --- .../defaults/main.yml | 99 +++++++++++++++++++ .../edpm_cisco_neutron_opflex/files/.gitkeep | 0 .../handlers/main.yml | 22 +++++ .../meta/argument_specs.yml | 64 ++++++++++++ roles/edpm_cisco_neutron_opflex/meta/main.yml | 43 ++++++++ .../tasks/boostrap.yml | 20 ++++ .../tasks/configure.yml | 70 +++++++++++++ .../tasks/download_cache.yml | 11 +++ .../tasks/install.yml | 64 ++++++++++++ .../edpm_cisco_neutron_opflex/tasks/main.yml | 27 +++++ roles/edpm_cisco_neutron_opflex/tasks/run.yml | 44 +++++++++ .../cisco-neutron-opflex-agent.conf.j2 | 15 +++ .../cisco_neutron_opflex_agent.yaml.j2 | 16 +++ .../cisco_neutron_opflex_agent.yaml.j2 | 18 ++++ .../templates/neutron-conf.j2 | 13 +++ .../templates/rootwrap.conf.j2 | 8 ++ roles/edpm_cisco_neutron_opflex/vars/main.yml | 22 +++++ 17 files changed, 556 insertions(+) create mode 100644 roles/edpm_cisco_neutron_opflex/defaults/main.yml create mode 100644 roles/edpm_cisco_neutron_opflex/files/.gitkeep create mode 100644 roles/edpm_cisco_neutron_opflex/handlers/main.yml create mode 100644 roles/edpm_cisco_neutron_opflex/meta/argument_specs.yml create mode 100644 roles/edpm_cisco_neutron_opflex/meta/main.yml create mode 100644 roles/edpm_cisco_neutron_opflex/tasks/boostrap.yml create mode 100644 roles/edpm_cisco_neutron_opflex/tasks/configure.yml create mode 100644 roles/edpm_cisco_neutron_opflex/tasks/download_cache.yml create mode 100644 roles/edpm_cisco_neutron_opflex/tasks/install.yml create mode 100644 roles/edpm_cisco_neutron_opflex/tasks/main.yml create mode 100644 roles/edpm_cisco_neutron_opflex/tasks/run.yml create mode 100644 roles/edpm_cisco_neutron_opflex/templates/cisco-neutron-opflex-agent.conf.j2 create mode 100644 roles/edpm_cisco_neutron_opflex/templates/cisco_neutron_opflex_agent.yaml.j2 create mode 100644 roles/edpm_cisco_neutron_opflex/templates/kolla_config/cisco_neutron_opflex_agent.yaml.j2 
create mode 100644 roles/edpm_cisco_neutron_opflex/templates/neutron-conf.j2 create mode 100644 roles/edpm_cisco_neutron_opflex/templates/rootwrap.conf.j2 create mode 100644 roles/edpm_cisco_neutron_opflex/vars/main.yml
diff --git a/roles/edpm_cisco_neutron_opflex/defaults/main.yml b/roles/edpm_cisco_neutron_opflex/defaults/main.yml
new file mode 100644
index 000000000..b96820281
--- /dev/null
+++ b/roles/edpm_cisco_neutron_opflex/defaults/main.yml
@@ -0,0 +1,99 @@
+---
+# Copyright 2024 Cisco Systems Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# All variables intended for modification should be placed in this file.
+# All variables within this role should have a prefix of "edpm_cisco_neutron_opflex"
+
+# service name this role manages
+edpm_cisco_neutron_opflex_service_name: cisco-neutron-opflex
+
+# seconds between retries for download tasks
+edpm_cisco_neutron_opflex_images_download_delay: 5
+
+# number of retries for download tasks
+edpm_cisco_neutron_opflex_images_download_retries: 5
+
+edpm_cisco_neutron_opflex_agent_config_src: "/var/lib/openstack/configs/{{ edpm_cisco_neutron_opflex_service_name }}"
+edpm_cisco_neutron_opflex_agent_config_dir: "/var/lib/config-data/ansible-generated/cisco-neutron-opflex-agent"
+edpm_cisco_neutron_opflex_agent_lib_dir: "/var/lib/neutron"
+edpm_cisco_neutron_opflex_image: "quay.io/podified-antelope-centos9/openstack-cisco-neutron-opflex-agent:current-podified"
+
+edpm_cisco_neutron_opflex_common_volumes:
+ - /run/netns:/run/netns:shared
+ - "{{ edpm_cisco_neutron_opflex_agent_config_dir }}:/etc/neutron.conf.d:z"
+ - "{{ edpm_cisco_neutron_opflex_agent_lib_dir }}:/var/lib/neutron:shared,z"
+ - /var/lib/kolla/config_files/cisco_neutron_opflex_agent.json:/var/lib/kolla/config_files/config.json:ro
+ - /run/openvswitch:/run/openvswitch:shared,z
+ - "{{ edpm_cisco_neutron_opflex_agent_lib_dir }}/dhcp_agent_haproxy_wrapper:/usr/local/bin/haproxy:ro"
+ - "{{ edpm_cisco_neutron_opflex_agent_lib_dir }}/kill_scripts:/etc/neutron/kill_scripts:ro"
+ - /var/lib/opflex/files/endpoints:/var/lib/opflex-agent-ovs/endpoints:shared,z
+ - /var/lib/opflex/files/services:/var/lib/opflex-agent-ovs/services:shared,z
+ - /var/lib/opflex/files/ids:/var/lib/opflex-agent-ovs/ids:shared,z
+ - /var/lib/opflex/files/mcast:/var/lib/opflex-agent-ovs/mcast:shared,z
+ - /var/lib/opflex/files/droplog:/var/lib/opflex-agent-ovs/droplog:shared,z
+ - /var/lib/opflex/files/faults:/var/lib/opflex-agent-ovs/faults:shared,z
+ - /var/lib/opflex/files/policy:/var/lib/opflex-agent-ovs/policy:shared,z
+ - /var/lib/opflex/files/restarts:/var/lib/opflex-agent-ovs/restarts:shared,z
+ - /var/lib/opflex/sockets:/var/lib/opflex-agent-ovs/sockets:shared,z
+
+edpm_cisco_neutron_opflex_tls_cacert_bundle_src: "/var/lib/openstack/cacerts/{{ edpm_cisco_neutron_opflex_service_name }}/tls-ca-bundle.pem"
+edpm_cisco_neutron_opflex_tls_cacert_bundle_dest: "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
+edpm_cisco_neutron_opflex_tls_cacert_volumes: []
+
+# Sidecar containers settings
+edpm_cisco_neutron_opflex_sidecar_debug: false
+edpm_cisco_neutron_opflex_sidecar_haproxy_image_name: "{{ edpm_cisco_neutron_opflex_image }}"
+
+# neutron.conf
+# DEFAULT
+edpm_cisco_neutron_opflex_DEFAULT_debug: false
+edpm_cisco_neutron_opflex_DEFAULT_rpc_response_timeout: 60
+edpm_cisco_neutron_opflex_DEFAULT_transport_url: ''
+
+# oslo_concurrency
+edpm_cisco_neutron_opflex_oslo_concurrency_lock_patch: '$state_path/lock'
+# oslo_messaging_rabbit
+edpm_cisco_neutron_opflex_oslo_messaging_rabbit_heartbeat_timeout_threshold: 60
+# oslo_middleware
+edpm_cisco_neutron_opflex_oslo_middleware_enable_proxy_headers_parsing: 60
+
+# rootwrap.conf
+# DEFAULT
+edpm_cisco_neutron_opflex_rootwrap_DEFAULT_filters_path: '/usr/share/neutron/rootwrap'
+edpm_cisco_neutron_opflex_rootwrap_DEFAULT_exec_dirs: '/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/etc/neutron/kill_scripts'
+edpm_cisco_neutron_opflex_rootwrap_DEFAULT_use_syslog: false
+edpm_cisco_neutron_opflex_rootwrap_DEFAULT_syslog_log_facility: 'syslog'
+edpm_cisco_neutron_opflex_rootwrap_DEFAULT_syslog_log_level: 'ERROR'
+edpm_cisco_neutron_opflex_rootwrap_DEFAULT_daemon_timeout: 600
+edpm_cisco_neutron_opflex_rootwrap_DEFAULT_rlimit_nofile: 1024
+
+# cisco-neutron-opflex-agent.conf
+# DEFAULT
+edpm_cisco_neutron_opflex_agent_DEFAULT_state_path: '/var/lib/neutron'
+edpm_cisco_neutron_opflex_agent_DEFAULT_resync_interval: 5
+edpm_cisco_neutron_opflex_agent_DEFAULT_resync_throttle: 1
+edpm_cisco_neutron_opflex_agent_DEFAULT_dhcp_driver: 'neutron.agent.linux.dhcp.Dnsmasq'
+edpm_cisco_neutron_opflex_agent_DEFAULT_enable_isolated_metadata: false
+edpm_cisco_neutron_opflex_agent_DEFAULT_force_metadata: false
+edpm_cisco_neutron_opflex_agent_DEFAULT_enable_metadata_network: false
+edpm_cisco_neutron_opflex_agent_DEFAULT_num_sync_threads: 4
+edpm_cisco_neutron_opflex_agent_DEFAULT_bulk_reload_interval: 0
+edpm_cisco_neutron_opflex_agent_DEFAULT_dhcp_broadcast_reply: false
+# AGENT
+edpm_cisco_neutron_opflex_agent_AGENT_root_helper: 'sudo neutron-rootwrap /etc/neutron/rootwrap.conf'
+edpm_cisco_neutron_opflex_agent_AGENT_report_interval: 30
+edpm_cisco_neutron_opflex_agent_AGENT_availability_zone: 'nova'
diff --git a/roles/edpm_cisco_neutron_opflex/files/.gitkeep b/roles/edpm_cisco_neutron_opflex/files/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/roles/edpm_cisco_neutron_opflex/handlers/main.yml b/roles/edpm_cisco_neutron_opflex/handlers/main.yml
new file mode 100644
index 000000000..3d9071cef
--- /dev/null
+++ b/roles/edpm_cisco_neutron_opflex/handlers/main.yml
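Review bot: In defaults/main.yml, `edpm_cisco_neutron_opflex_oslo_middleware_enable_proxy_headers_parsing: 60` gives a number to an option that oslo.middleware defines as a boolean; the value looks copied from the heartbeat threshold two lines above it, and neutron-conf.j2 renders it verbatim into `[oslo_middleware]`. It should be `false` unless the agent is known to sit behind a header-rewriting proxy. The variable `edpm_cisco_neutron_opflex_oslo_concurrency_lock_patch` is presumably meant to end in `lock_path`; the template uses the same spelling so it works, but renaming it now is cheaper than after operators start overriding it. The haproxy wrapper is also still named `dhcp_agent_haproxy_wrapper` here, which does not match the `opflex_agent_haproxy_wrapper` name used in meta/argument_specs.yml.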
@@ -0,0 +1,22 @@
+---
+# Copyright 2024 Cisco Systems Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Restart cisco-neutron-opflex-agent container
+ become: true
+ ansible.builtin.systemd:
+ state: restarted
+ name: "edpm_cisco_neutron_opflex_agent.service"
+ listen: "Restart cisco-neutron-opflex-agent"
diff --git a/roles/edpm_cisco_neutron_opflex/meta/argument_specs.yml b/roles/edpm_cisco_neutron_opflex/meta/argument_specs.yml
new file mode 100644
index 000000000..ed2a8b56f
--- /dev/null
+++ b/roles/edpm_cisco_neutron_opflex/meta/argument_specs.yml
@@ -0,0 +1,64 @@
+---
+argument_specs:
+ # ./roles/edpm_cisco_neutron_opflex/tasks/main.yml entry point
+ main:
+ short_description: The main entry point for the edpm_cisco_neutron_opflex role.
+ options:
+ edpm_cisco_neutron_opflex_images_download_delay:
+ type: int
+ default: 5
+ description: The seconds between retries for failed download tasks
+ edpm_cisco_neutron_opflex_images_download_retries:
+ type: int
+ default: 5
+ description: The number of retries for failed download tasks
+ edpm_cisco_neutron_opflex_agent_config_src:
+ default: "/var/lib/openstack/configs/cisco-neutron-opflex"
+ description: |
+ The path to the directory containing source of the Neutron DHCP
+ agent configs.
+ type: str
+ edpm_cisco_neutron_opflex_agent_config_dir:
+ default: "/var/lib/config-data/ansible-generated/cisco-neutron-opflex-agent"
+ description: |
+ The path to the directory containing Neutron DHCP agent config
+ files.
+ type: str
+ edpm_cisco_neutron_opflex_agent_lib_dir:
+ default: "/var/lib/neutron"
+ description: |
+ The path to the directory containing files required by the Neutron DHCP
+ agent, like e.g. sidecar container wrappers.
+ type: str
+ edpm_cisco_neutron_opflex_image:
+ default: "quay.io/podified-antelope-centos9/openstack-cisco-neutron-opflex-agent:current-podified"
+ description: Neutron DHCP agent container image.
+ type: str
+ edpm_cisco_neutron_opflex_common_volumes:
+ default:
+ - /run/netns:/run/netns:shared
+ - "{{ edpm_neutron_opflex_agent_config_dir }}:/etc/neutron.conf.d:z"
+ - "{{ edpm_neutron_opflex_agent_lib_dir }}:/var/lib/neutron:shared,z"
+ - /var/lib/kolla/config_files/neutron_opflex_agent.json:/var/lib/kolla/config_files/config.json:ro
+ - /run/openvswitch:/run/openvswitch:shared,z
+ - "{{ edpm_neutron_opflex_agent_lib_dir }}/opflex_agent_haproxy_wrapper:/usr/local/bin/haproxy:ro"
+ - "{{ edpm_neutron_opflex_agent_lib_dir }}/kill_scripts:/etc/neutron/kill_scripts:ro"
+ - /var/lib/opflex/files/endpoints:/var/lib/opflex-agent-ovs/endpoints:shared,z
+ - /var/lib/opflex/files/services:/var/lib/opflex-agent-ovs/services:shared,z
+ - /var/lib/opflex/files/ids:/var/lib/opflex-agent-ovs/ids:shared,z
+ - /var/lib/opflex/files/mcast:/var/lib/opflex-agent-ovs/mcast:shared,z
+ - /var/lib/opflex/files/droplog:/var/lib/opflex-agent-ovs/droplog:shared,z
+ - /var/lib/opflex/files/faults:/var/lib/opflex-agent-ovs/faults:shared,z
+ - /var/lib/opflex/files/policy:/var/lib/opflex-agent-ovs/policy:shared,z
+ - /var/lib/opflex/files/restarts:/var/lib/opflex-agent-ovs/restarts:shared,z
+ - /var/lib/opflex/sockets:/var/lib/opflex-agent-ovs/sockets:shared,z
+ description: List of volumes in a mount point form.
+ type: list
+ edpm_neutron_dhcp_agent_AGENT_root_helper:
+ default: 'sudo neutron-rootwrap /etc/neutron/rootwrap.conf'
+ description: ''
+ type: str
+ edpm_neutron_dhcp_agent_AGENT_report_interval:
+ default: 300
+ description: ''
+ type: int
diff --git a/roles/edpm_cisco_neutron_opflex/meta/main.yml b/roles/edpm_cisco_neutron_opflex/meta/main.yml
new file mode 100644
index 000000000..6d1bcabff
--- /dev/null
+++ b/roles/edpm_cisco_neutron_opflex/meta/main.yml
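Review bot: In meta/argument_specs.yml the spec does not describe the variables this role actually consumes. The last two options are named `edpm_neutron_dhcp_agent_AGENT_root_helper` and `edpm_neutron_dhcp_agent_AGENT_report_interval` (default 300, while defaults/main.yml sets `edpm_cisco_neutron_opflex_agent_AGENT_report_interval: 30`). The `edpm_cisco_neutron_opflex_common_volumes` default references `edpm_neutron_opflex_agent_config_dir`, `edpm_neutron_opflex_agent_lib_dir`, `neutron_opflex_agent.json` and `opflex_agent_haproxy_wrapper`, none of which exist in defaults/main.yml. As written, argument validation will not catch a mistyped override of the root helper or the volume list. The options should carry the `edpm_cisco_neutron_opflex_agent_` prefix, the volume default should mirror defaults/main.yml, and the "Neutron DHCP agent" descriptions should name the opflex agent.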
@@ -0,0 +1,43 @@
+---
+# Copyright 2024 Cisco Systems Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+galaxy_info:
+ author: OpenStack
+ description: EDPM OpenStack Role -- edpm_cisco_neutron_opflex
+ company: Cisco Systems
+ license: Apache-2.0
+ min_ansible_version: '2.14'
+ namespace: openstack
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ platforms:
+ - name: 'EL'
+ versions:
+ - '8'
+ - '9'
+
+ galaxy_tags:
+ - edpm
+
+
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.
+dependencies: []
diff --git a/roles/edpm_cisco_neutron_opflex/tasks/boostrap.yml b/roles/edpm_cisco_neutron_opflex/tasks/boostrap.yml
new file mode 100644
index 000000000..3c9417269
--- /dev/null
+++ b/roles/edpm_cisco_neutron_opflex/tasks/boostrap.yml
@@ -0,0 +1,20 @@
+---
+# Copyright 2024 Cisco Systems Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Ensure Openvswitch installed and running
+ ansible.builtin.include_role:
+ name: osp.edpm.edpm_ovs
+ tasks_from: "install.yml"
diff --git a/roles/edpm_cisco_neutron_opflex/tasks/configure.yml b/roles/edpm_cisco_neutron_opflex/tasks/configure.yml
new file mode 100644
index 000000000..e6a0a2b2f
--- /dev/null
+++ b/roles/edpm_cisco_neutron_opflex/tasks/configure.yml
@@ -0,0 +1,70 @@
+---
+# Copyright 2024 Cisco Systems Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Configure neutron configuration files
+ block:
+ - name: Render neutron configuration files
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "{{ edpm_cisco_neutron_opflex_agent_config_dir }}/{{ item.dest }}"
+ setype: "container_file_t"
+ mode: "0644"
+ loop:
+ - {"src": "neutron.conf.j2", "dest": "01-neutron.conf"}
+ - {"src": "rootwrap.conf.j2", "dest": "01-rootwrap.conf"}
+ - {"src": "cisco-neutron-opflex-agent.conf.j2", "dest": "01-cisco-neutron-opflex-agent.conf"}
+ tags:
+ - configure
+ - neutron
+ notify:
+ - Restart cisco-neutron-opflex-agent
+
+ - name: Discover secrets in {{ edpm_cisco_neutron_opflex_agent_config_src }}
+ ansible.builtin.find:
+ paths: "{{ edpm_cisco_neutron_opflex_agent_config_src }}"
+ file_type: file
+ recurse: true
+ patterns:
+ - "*dhcp*conf"
+ register: edpm_cisco_neutron_opflex_secrets
+ delegate_to: localhost
+ become: false
+
+ - name: Flatten secrets into {{ edpm_cisco_neutron_opflex_agent_config_dir }}
+ ansible.builtin.copy:
+ src: "{{ item.path }}"
+ dest: "{{ edpm_cisco_neutron_opflex_agent_config_dir }}/{{ item.path | basename }}"
+ setype: "container_file_t"
+ mode: "0644"
+ loop: "{{ edpm_cisco_neutron_opflex_secrets.files }}"
+
+- name: Configure sidecar containers scripts
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "{{ edpm_cisco_neutron_opflex_agent_lib_dir }}/{{ item.dest }}"
+ setype: "container_file_t"
+ mode: "0755"
+ loop:
+ - {"src": "wrappers/haproxy.j2", "dest": "dhcp_agent_haproxy_wrapper"}
+
+- name: Configure kill_scripts for sidecar containers
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "{{ edpm_cisco_neutron_opflex_agent_lib_dir }}/kill_scripts/{{ item.dest }}"
+ setype: "container_file_t"
+ mode: "0755"
+ with_items:
+ - {"src": "wrappers/kill-script.j2", "dest": "haproxy-kill"}
diff --git a/roles/edpm_cisco_neutron_opflex/tasks/download_cache.yml b/roles/edpm_cisco_neutron_opflex/tasks/download_cache.yml
new file mode 100644
index 000000000..ff87c7ea2
--- /dev/null
+++ b/roles/edpm_cisco_neutron_opflex/tasks/download_cache.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Download needed container images
+ containers.podman.podman_image:
+ name: "{{ edpm_cisco_neutron_opflex_image }}"
+ auth_file: "{{ edpm_download_cache_podman_auth_file }}"
+ become: true
+ register: edpm_cisco_neutron_opflex_images_download
+ until: edpm_cisco_neutron_opflex_images_download.failed == false
+ retries: "{{ edpm_cisco_neutron_opflex_images_download_retries }}"
+ delay: "{{ edpm_cisco_neutron_opflex_images_download_delay }}"
diff --git a/roles/edpm_cisco_neutron_opflex/tasks/install.yml b/roles/edpm_cisco_neutron_opflex/tasks/install.yml
new file mode 100644
index 000000000..09c69de2a
--- /dev/null
+++ b/roles/edpm_cisco_neutron_opflex/tasks/install.yml
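Review bot: In tasks/configure.yml the "Flatten secrets" task copies the discovered secret files to the node with `mode: "0644"`, and the rendered `01-neutron.conf` that carries `transport_url` gets the same mode, so any local account on the compute host can read the messaging credentials. Since the container runs as root, `mode: "0640"` (or `"0600"`) with an explicit `owner`/`group` should still work, though that needs confirming against the kolla copy step. The find pattern `"*dhcp*conf"` looks left over from the DHCP agent role and probably matches none of this service's files under `edpm_cisco_neutron_opflex_agent_config_src`. Separately, the render loop asks for `neutron.conf.j2` while the patch adds `templates/neutron-conf.j2`, and `wrappers/haproxy.j2` and `wrappers/kill-script.j2` are not among the 17 files, so those template tasks will not find their sources.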
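Review bot: In tasks/download_cache.yml, `edpm_download_cache_podman_auth_file` is passed to `auth_file` but is neither defaulted in this role nor listed in meta/argument_specs.yml, so the task fails on an undefined variable whenever it runs outside a play that sets it. `auth_file: "{{ edpm_download_cache_podman_auth_file | default(omit) }}"` would keep the credential file optional. The retry condition compares against a literal; `until: edpm_cisco_neutron_opflex_images_download is not failed` is the form ansible-lint expects.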
@@ -0,0 +1,64 @@
+---
+# Copyright 2024 Cisco Systems Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+- name: Gather user fact
+ ansible.builtin.setup:
+ gather_subset:
+ - "!all"
+ - "!min"
+ - "user"
+ when:
+ - ansible_user is undefined
+
+- name: Create cisco-neutron-opflex-agent directories
+ become: true
+ ansible.builtin.file:
+ path: "{{ item.path }}"
+ setype: "container_file_t"
+ state: directory
+ owner: "{{ item.owner | default(ansible_user) | default(ansible_user_id) }}"
+ group: "{{ item.group | default(ansible_user) | default(ansible_user_id) }}"
+ mode: "{{ item.mode | default(omit) }}"
+ loop:
+ - {'path': "/var/lib/openstack/config/containers", "mode": "0750"}
+ - {'path': "/var/lib/neutron", "mode": "0750"}
+ - {'path': "{{ edpm_cisco_neutron_opflex_agent_config_dir }}", "mode": "0755"}
+ - {'path': "{{ edpm_cisco_neutron_opflex_agent_lib_dir }}", "mode": "0755"}
+ - {'path': "{{ edpm_cisco_neutron_opflex_agent_lib_dir }}/kill_scripts", "mode": "0755"}
+ - {'path': "{{ edpm_cisco_neutron_opflex_agent_lib_dir }}/ns-metadata-proxy", "mode": "0755"}
+ - {'path': "{{ edpm_cisco_neutron_opflex_agent_lib_dir }}/external/pids", "mode": "0755"}
+ - { 'path': /var/lib/opflex/files/endpoints, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/lib/opflex/files/services, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/lib/opflex/files/ids, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/lib/opflex/files/mcast, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/lib/opflex/files/droplog, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/lib/opflex/files/faults, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/lib/opflex/sockets, 'setype': svirt_sandbox_file_t }
+ tags:
+ - install
+ - neutron
+
+- name: Render cisco-neutron-opflex-agent container
+ become: true
+ ansible.builtin.template:
+ src: "cisco_neutron_opflex_agent.yaml.j2"
+ dest: "/var/lib/openstack/config/containers/cisco_neutron_opflex_agent.yaml"
+ setype: "container_file_t"
+ mode: "0644"
+ notify:
+ - Restart cisco-neutron-opflex-agent
+ tags:
+ - install
+ - neutron
diff --git a/roles/edpm_cisco_neutron_opflex/tasks/main.yml b/roles/edpm_cisco_neutron_opflex/tasks/main.yml
new file mode 100644
index 000000000..e6e794b1e
--- /dev/null
+++ b/roles/edpm_cisco_neutron_opflex/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+# Copyright 2024 Cisco Systems Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Bootstrap cisco-neutron-opflex-agent
+ ansible.builtin.import_tasks: bootstrap.yml
+
+- name: Install cisco-neutron-opflex-agent
+ ansible.builtin.import_tasks: install.yml
+
+- name: Configure cisco-neutron-opflex-agent
+ ansible.builtin.import_tasks: configure.yml
+
+- name: Ensure cisco-neutron-opflex-agent is running
+ ansible.builtin.import_tasks: run.yml
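Review bot: In tasks/install.yml the `'setype': svirt_sandbox_file_t` keys on the seven `/var/lib/opflex/...` loop items are never read, because the task hard-codes `setype: "container_file_t"`. Either use `setype: "{{ item.setype | default('container_file_t') }}"` or drop the per-item keys so the list does not suggest a label that is not applied. Those items also carry no `mode`, so `default(omit)` leaves the socket and endpoint directories at whatever the umask yields; an explicit mode would make the intended access clear. The loop also omits `/var/lib/opflex/files/policy` and `/var/lib/opflex/files/restarts`, both of which defaults/main.yml bind-mounts into the container, so the container start will presumably fail on the missing sources.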
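Review bot: In tasks/main.yml, `ansible.builtin.import_tasks: bootstrap.yml` names a file this patch does not add; the patch creates `tasks/boostrap.yml` (see the file list and its diff header). A static import of a missing file fails when the role is parsed, so nothing in the role would run. Renaming the new file to `tasks/bootstrap.yml` fixes it.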
diff --git a/roles/edpm_cisco_neutron_opflex/tasks/run.yml b/roles/edpm_cisco_neutron_opflex/tasks/run.yml
new file mode 100644
index 000000000..609cbab29
--- /dev/null
+++ b/roles/edpm_cisco_neutron_opflex/tasks/run.yml
@@ -0,0 +1,44 @@
+---
+# Copyright 2024 Cisco Systems Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Set cacert mount if present
+ block:
+ - name: Determine if cacert file exists
+ ansible.builtin.stat:
+ path: "{{ edpm_cisco_neutron_opflex_tls_P1+r[24~\P0+r\P0+r\P1+r\P0+r\P1+r[3~\P1+rOH\P1+rOF\P1+r[5~\P1+r[6~\cacert_bundle_src }}"
+ register: cacert_bundle_exists
+
+ - name: Set ca_cert mount
+ ansible.builtin.set_fact:
+ edpm_cisco_neutron_opflex_tls_cacert_volumes:
+ - "{{ edpm_cisco_neutron_opflex_tls_cacert_bundle_src }}:{{ edpm_cisco_neutron_opflex_tls_cacert_bundle_dest }}:ro,z"
+ when: cacert_bundle_exists.stat.exists
+
+- name: Ensure /usr/libexec/edpm-start-podman-container exists
+ ansible.builtin.import_role:
+ name: edpm_container_manage
+ tasks_from: shutdown.yml
+
+- name: Run cisco-neutron-opflx-agent container
+ debugger: on_failed
+ ansible.builtin.include_role:
+ name: osp.edpm.edpm_container_standalone
+ vars:
+ edpm_container_standalone_service: cisco_neutron_opflex
+ edpm_container_standalone_container_defs:
+ cisco_neutron_opflex_agent: "{{ lookup('template', 'cisco_neutron_opflex_agent.yaml.j2') | from_yaml }}"
+ edpm_container_standalone_kolla_config_files:
+ cisco_neutron_opflex_agent: "{{ lookup('template', 'kolla_config/cisco_neutron_opflex_agent.yaml.j2') | from_yaml }}"
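Review bot: The `path:` of "Determine if cacert file exists" has pasted terminal escape residue inside the Jinja expression (`..._tls_P1+r[24~\P0+r…\cacert_bundle_src`), so the expression cannot be templated and the CA bundle mount is never set up. The line should read `path: "{{ edpm_cisco_neutron_opflex_tls_cacert_bundle_src }}"`. `debugger: on_failed` on the "Run cisco-neutron-opflx-agent container" task should be removed before merge, because a failed deployment would otherwise stop in the interactive task debugger. The `import_role` uses the short name `edpm_container_manage` while the other roles are referenced as `osp.edpm.…`, and its task name does not describe importing `shutdown.yml`.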
diff --git a/roles/edpm_cisco_neutron_opflex/templates/cisco-neutron-opflex-agent.conf.j2 b/roles/edpm_cisco_neutron_opflex/templates/cisco-neutron-opflex-agent.conf.j2
new file mode 100644
index 000000000..3f33ee79a
--- /dev/null
+++ b/roles/edpm_cisco_neutron_opflex/templates/cisco-neutron-opflex-agent.conf.j2
@@ -0,0 +1,15 @@
+[DEFAULT]
+interface_driver = openvswitch
+ovs_use_veth = False
+state_path = {{ edpm_cisco_neutron_opflex_agent_DEFAULT_state_path }}
+host = {{ canonical_hostname }}
+resync_interval = {{ edpm_cisco_neutron_opflex_agent_DEFAULT_resync_interval }}
+resync_throttle = {{ edpm_cisco_neutron_opflex_agent_DEFAULT_resync_throttle }}
+num_sync_threads = {{ edpm_cisco_neutron_opflex_agent_DEFAULT_num_sync_threads }}
+bulk_reload_interval = {{ edpm_cisco_neutron_opflex_agent_DEFAULT_bulk_reload_interval }}
+
+
+[AGENT]
+root_helper = {{ edpm_cisco_neutron_opflex_agent_AGENT_root_helper }}
+report_interval = {{ edpm_cisco_neutron_opflex_agent_AGENT_report_interval }}
+availability_zone = {{ edpm_cisco_neutron_opflex_agent_AGENT_availability_zone }}
diff --git a/roles/edpm_cisco_neutron_opflex/templates/cisco_neutron_opflex_agent.yaml.j2 b/roles/edpm_cisco_neutron_opflex/templates/cisco_neutron_opflex_agent.yaml.j2
new file mode 100644
index 000000000..d5bab5af2
--- /dev/null
+++ b/roles/edpm_cisco_neutron_opflex/templates/cisco_neutron_opflex_agent.yaml.j2
@@ -0,0 +1,16 @@
+image: "{{ edpm_cisco_neutron_opflex_image }}"
+net: host
+pid: host
+cgroupns: host
+privileged: true
+user: root
+restart: always
+volumes:
+ {% set edpm_cisco_neutron_opflex_volumes = [] %}
+ {%- set edpm_cisco_neutron_opflex_volumes =
+ edpm_cisco_neutron_opflex_volumes +
+ edpm_cisco_neutron_opflex_common_volumes +
+ edpm_cisco_neutron_opflex_tls_cacert_volumes %}
+ {{ edpm_cisco_neutron_opflex_volumes }}
+environment:
+ KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
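Review bot: In templates/cisco_neutron_opflex_agent.yaml.j2 the container is defined with `privileged: true`, `user: root`, `pid: host`, `net: host` and `cgroupns: host`, which together give the agent effectively unrestricted access to the compute node, and nothing in the template records why each setting is needed. I would add a short comment above these keys naming the operation that requires each one, and check whether `privileged: true` can be replaced by a `cap_add` list limited to what the agent uses. The image default in defaults/main.yml is the floating tag `current-podified`, so whatever is pushed to that tag next runs with these privileges. A digest-pinned default, or a documented expectation that deployers override the image, would narrow that.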
diff --git a/roles/edpm_cisco_neutron_opflex/templates/kolla_config/cisco_neutron_opflex_agent.yaml.j2 b/roles/edpm_cisco_neutron_opflex/templates/kolla_config/cisco_neutron_opflex_agent.yaml.j2
new file mode 100644
index 000000000..002002769
--- /dev/null
+++ b/roles/edpm_cisco_neutron_opflex/templates/kolla_config/cisco_neutron_opflex_agent.yaml.j2
@@ -0,0 +1,18 @@
+command: "/usr/bin/cisco-neutron-opflex-agent"
+config_files:
+ - source: /etc/neutron.conf.d/01-rootwrap.conf
+ dest: /etc/neutron/rootwrap.conf
+ owner: root:root
+ perm: '0600'
+permissions:
+ - owner: neutron:neutron
+ path: /var/lib/neutron
+ recurse: true
+ - optional: true
+ owner: neutron:neutron
+ path: /etc/pki/tls/certs/cisco_neutron_opflex_agent.crt
+ perm: 0644
+ - optional: true
+ owner: neutron:neutron
+ path: /etc/pki/tls/private/cisco_neutron_opflex_agent.key
+ perm: 0644
diff --git a/roles/edpm_cisco_neutron_opflex/templates/neutron-conf.j2 b/roles/edpm_cisco_neutron_opflex/templates/neutron-conf.j2
new file mode 100644
index 000000000..de3f5ddb6
--- /dev/null
+++ b/roles/edpm_cisco_neutron_opflex/templates/neutron-conf.j2
@@ -0,0 +1,13 @@
+[DEFAULT]
+debug = {{ edpm_cisco_neutron_opflex_DEFAULT_debug }}
+rpc_response_timeout = {{ edpm_cisco_neutron_opflex_DEFAULT_rpc_response_timeout }}
+transport_url = {{ edpm_cisco_neutron_opflex_DEFAULT_transport_url }}
+
+[oslo_concurrency]
+lock_path = {{ edpm_cisco_neutron_opflex_oslo_concurrency_lock_patch }}
+
+[oslo_messaging_rabbit]
+heartbeat_timeout_threshold = {{ edpm_cisco_neutron_opflex_oslo_messaging_rabbit_heartbeat_timeout_threshold }}
+
+[oslo_middleware]
+enable_proxy_headers_parsing = {{ edpm_cisco_neutron_opflex_oslo_middleware_enable_proxy_headers_parsing }}
diff --git a/roles/edpm_cisco_neutron_opflex/templates/rootwrap.conf.j2 b/roles/edpm_cisco_neutron_opflex/templates/rootwrap.conf.j2
new file mode 100644
index 000000000..1ae243ccb
--- /dev/null
+++ b/roles/edpm_cisco_neutron_opflex/templates/rootwrap.conf.j2
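Review bot: In templates/kolla_config/cisco_neutron_opflex_agent.yaml.j2 the private key `/etc/pki/tls/private/cisco_neutron_opflex_agent.key` is given `perm: 0644`, which leaves it world-readable inside the container; it should be `perm: '0600'` (or `'0640'` if a group genuinely needs it). Both `perm: 0644` values are also unquoted, unlike `perm: '0600'` on the rootwrap entry, so after `from_yaml` a YAML 1.1 loader hands over the integer 420 rather than a mode string; quote the certificate entry as `perm: '0644'`. The `command` passes no config file or directory argument and only rootwrap.conf appears under `config_files`, so it is worth confirming that the agent actually reads the `01-*.conf` files rendered into `/etc/neutron.conf.d`.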
@@ -0,0 +1,8 @@
+[DEFAULT]
+filters_path = {{ edpm_cisco_neutron_opflex_rootwrap_DEFAULT_filters_path }}
+exec_dirs = {{ edpm_cisco_neutron_opflex_rootwrap_DEFAULT_exec_dirs }}
+use_syslog = {{ edpm_cisco_neutron_opflex_rootwrap_DEFAULT_use_syslog }}
+syslog_log_facility = {{ edpm_cisco_neutron_opflex_rootwrap_DEFAULT_syslog_log_facility }}
+syslog_log_level = {{ edpm_cisco_neutron_opflex_rootwrap_DEFAULT_syslog_log_level }}
+daemon_timeout = {{ edpm_cisco_neutron_opflex_rootwrap_DEFAULT_daemon_timeout }}
+rlimit_nofile = {{ edpm_cisco_neutron_opflex_rootwrap_DEFAULT_rlimit_nofile }}
diff --git a/roles/edpm_cisco_neutron_opflex/vars/main.yml b/roles/edpm_cisco_neutron_opflex/vars/main.yml
new file mode 100644
index 000000000..d9c76041a
--- /dev/null
+++ b/roles/edpm_cisco_neutron_opflex/vars/main.yml
@@ -0,0 +1,22 @@
+---
+# Copyright 2024 Cisco Systems Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# While options found within the vars/ path can be overridden using extra
+# vars, items within this path are considered part of the role and not
+# intended to be modified.
+
+# All variables within this role should have a prefix of "edpm_cisco_neutron_opflex"
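Review bot: In templates/rootwrap.conf.j2, `exec_dirs` renders a default that ends with `/etc/neutron/kill_scripts` and includes `/usr/local/bin`, and both locations receive bind mounts from the host's `edpm_cisco_neutron_opflex_agent_lib_dir`. tasks/install.yml creates that directory tree owned by the deploy user (`default(ansible_user)`), and tasks/configure.yml writes the wrapper and kill scripts there without `become`. Anything rootwrap resolves from those paths runs as root in a privileged container, so the host-side scripts should be root-owned and not writable by other accounts. Setting `owner: root` and `group: root` on the `kill_scripts` directory item and on the two script template tasks, run with `become: true`, would close that.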