From f923d8d90614091aa2f63ea233fbc8e3b33c2a83 Mon Sep 17 00:00:00 2001 From: Numan Siddique Date: Thu, 13 Jul 2017 20:46:45 +0530 Subject: Support deploying OVN as container services This patch adds the support to containerize OVN services for the base profile. OVN db servers do not support active-active mode yet. It does support master-slave mode supported through pacemaker, which will be supported in a later patch. Presently the tripleo container framework doesn't allow to start a container in only controller 0 (or bootstrap node). OVN db servers and ovn-northd are started on all the controllers, but only the OVN db servers running in the boot strap controller are configured to listen on the tcp ports 6641 and 6642. OVN neutron mechanism driver and ovn-controller's use the ovn_dbs_vip to connect to the OVN db servers. Haproxy configures all the controllers as back ends, but only OVN db servers running on controller 0 respond since only they are configured properly. The OVN containers running on other controller nodes do not interact any way, but are wasteful resources. This patch also adds the scenario007-multinode-containers CI template. Partial-bug: #1699085 Change-Id: I98b85191cc1fd8c2b166924044d704e79a4c4c8a (cherry picked from commit e7cd03d2f0fcd8e3069246ced94f1a83869b8bea) --- .../scenario007-multinode-containers.yaml | 82 +++++++++ docker/services/ovn-controller.yaml | 105 +++++++++++ docker/services/ovn-dbs.yaml | 202 +++++++++++++++++++++ environments/services-docker/neutron-ovn.yaml | 27 +++ .../ovn-container-support-3ab333fff6e90dc4.yaml | 4 + 5 files changed, 420 insertions(+) create mode 100644 ci/environments/scenario007-multinode-containers.yaml create mode 100644 docker/services/ovn-controller.yaml create mode 100644 docker/services/ovn-dbs.yaml create mode 100644 environments/services-docker/neutron-ovn.yaml create mode 100644 releasenotes/notes/ovn-container-support-3ab333fff6e90dc4.yaml diff --git a/ci/environments/scenario007-multinode-containers.yaml b/ci/environments/scenario007-multinode-containers.yaml new file mode 100644 index 00000000..8e1e6b6c --- /dev/null +++ b/ci/environments/scenario007-multinode-containers.yaml @@ -0,0 +1,82 @@ +resource_registry: + OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml + OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml + # NOTE: This is needed because of upgrades from Ocata to Pike. We + # deploy the initial environment with Ocata templates, and + # overcloud-resource-registry.yaml there doesn't have this Docker + # mapping at all. After we stop CI'ing Ocata->Pike upgrade, we can + # remove this. + OS::TripleO::Services::Docker: OS::Heat::None + OS::TripleO::Services::OVNController: ../../docker/services/ovn-controller.yaml + OS::TripleO::Services::OVNDBs: ../../docker/services/ovn-dbs.yaml + # Some infra instances don't pass the ping test but are otherwise working. + # Since the OVB jobs also test this functionality we can shut it off here. + OS::TripleO::AllNodes::Validation: ../common/all-nodes-validation-disabled.yaml + OS::TripleO::Services::NovaMigrationTarget: OS::Heat::None +parameter_defaults: + ControllerServices: + - OS::TripleO::Services::Docker + - OS::TripleO::Services::Kernel + - OS::TripleO::Services::Keystone + - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::HeatApi + - OS::TripleO::Services::HeatApiCfn + - OS::TripleO::Services::HeatApiCloudwatch + - OS::TripleO::Services::HeatEngine + - OS::TripleO::Services::MySQL + - OS::TripleO::Services::MySQLClient + - OS::TripleO::Services::NeutronServer + - OS::TripleO::Services::NeutronCorePlugin + - OS::TripleO::Services::OVNDBs + - OS::TripleO::Services::OVNController + - OS::TripleO::Services::RabbitMQ + - OS::TripleO::Services::HAproxy + - OS::TripleO::Services::Keepalived + - OS::TripleO::Services::Memcached + - OS::TripleO::Services::Pacemaker + - OS::TripleO::Services::NovaConductor + - OS::TripleO::Services::NovaApi + - OS::TripleO::Services::NovaPlacement + - OS::TripleO::Services::NovaMetadata + - OS::TripleO::Services::NovaScheduler + - OS::TripleO::Services::Ntp + - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Timezone + - OS::TripleO::Services::NovaCompute + - OS::TripleO::Services::NovaLibvirt + - OS::TripleO::Services::NovaMigrationTarget + - OS::TripleO::Services::TripleoPackages + - OS::TripleO::Services::TripleoFirewall + - OS::TripleO::Services::Sshd + - OS::TripleO::Services::Iscsid + ControllerExtraConfig: + nova::compute::libvirt::services::libvirt_virt_type: qemu + nova::compute::libvirt::libvirt_virt_type: qemu + # Required for Centos 7.3 and Qemu 2.6.0 + nova::compute::libvirt::libvirt_cpu_mode: 'none' + # For OVN. + NeutronMechanismDrivers: ovn + OVNVifType: ovs + OVNNeutronSyncMode: log + OVNQosDriver: ovn-qos + OVNTunnelEncapType: geneve + NeutronEnableDHCPAgent: false + NeutronTypeDrivers: 'geneve,vlan,flat,vxlan' + NeutronNetworkType: 'geneve' + NeutronServicePlugins: 'qos,networking_ovn.l3.l3_ovn.OVNL3RouterPlugin' + NeutronVniRanges: ['1:65536', ] + OVNBridgeMappings: 'datacentre:br-ex' + Debug: true + BannerText: | + ****************************************************************** + * This system is for the use of authorized users only. Usage of * + * this system may be monitored and recorded by system personnel. * + * Anyone using this system expressly consents to such monitoring * + * and is advised that if such monitoring reveals possible * + * evidence of criminal activity, system personnel may provide * + * the evidence from such monitoring to law enforcement officials.* + ****************************************************************** + # we don't deploy Swift so we switch to file backend. + GlanceBackend: 'file' + IronicCleaningDiskErase: 'metadata' + NotificationDriver: 'noop' diff --git a/docker/services/ovn-controller.yaml b/docker/services/ovn-controller.yaml new file mode 100644 index 00000000..c5c365e2 --- /dev/null +++ b/docker/services/ovn-controller.yaml @@ -0,0 +1,105 @@ +heat_template_version: pike + +description: > + OpenStack containerized Ovn Controller agent. + +parameters: + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + ServiceData: + default: {} + description: Dictionary packing service data + type: json + DockerOvnControllerImage: + description: image + type: string + DockerOvnControllerConfigImage: + description: The container image to use for the ovn_controller config_volume + type: string + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + +resources: + + ContainersCommon: + type: ./containers-common.yaml + + OvnControllerBase: + type: ../../puppet/services/ovn-controller.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Ovn Controller agent. + value: + service_name: {get_attr: [OvnControllerBase, role_data, service_name]} + config_settings: + map_merge: + - get_attr: [OvnControllerBase, role_data, config_settings] + step_config: &step_config + get_attr: [OvnControllerBase, role_data, step_config] + service_config_settings: {get_attr: [OvnControllerBase, role_data, service_config_settings]} + # BEGIN DOCKER SETTINGS + puppet_config: + puppet_tags: vs_config + config_volume: ovn_controller + step_config: *step_config + config_image: {get_param: DockerOvnControllerConfigImage} + # We need to mount /run for puppet_config step. This is because + # puppet-vswitch runs the commands "ovs-vsctl set open_vswitch . external_ids:..." + # to configure the required parameters in ovs db which will be read + # by ovn-controller. And ovs-vsctl talks to the ovsdb-server (hosting conf.db) + # on the unix domain socket - /run/openvswitch/db.sock + volumes: + - /lib/modules:/lib/modules:ro + - /run/openvswitch:/run/openvswitch + kolla_config: + /var/lib/kolla/config_files/ovn_controller.json: + command: /usr/bin/ovn-controller --pidfile --log-file unix:/run/openvswitch/db.sock + permissions: + - path: /var/log/openvswitch + owner: root:root + recurse: true + docker_config: + step_4: + ovn_controller: + image: {get_param: DockerOvnControllerImage} + net: host + privileged: true + user: root + restart: always + volumes: + - /var/lib/kolla/config_files/ovn_controller.json:/var/lib/kolla/config_files/config.json:ro + - /lib/modules:/lib/modules:ro + - /run/openvswitch:/run/openvswitch + - /var/log/containers/openvswitch:/var/log/openvswitch + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + upgrade_tasks: + - name: Stop and disable ovn-controller service + tags: step2 + service: name=ovn-controller state=stopped enabled=no diff --git a/docker/services/ovn-dbs.yaml b/docker/services/ovn-dbs.yaml new file mode 100644 index 00000000..f6ac62ed --- /dev/null +++ b/docker/services/ovn-dbs.yaml @@ -0,0 +1,202 @@ +heat_template_version: pike + +description: > + OpenStack containerized Ovn DBs service + +parameters: + DockerOvnNbDbImage: + description: image + type: string + DockerOvnSbDbImage: + description: image + type: string + DockerOvnNorthdImage: + description: image + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + +resources: + + ContainersCommon: + type: ./containers-common.yaml + + OVNDbsBase: + type: ../../puppet/services/ovn-dbs.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the OVN Dbs role. + value: + service_name: {get_attr: [OVNDbsBase, role_data, service_name]} + config_settings: + map_merge: + - get_attr: [OVNDbsBase, role_data, config_settings] + step_config: &step_config + get_attr: [OVNDbsBase, role_data, step_config] + # BEGIN DOCKER SETTINGS + # puppet_config is not required for this service since we configure + # the NB and SB DB servers to listen on the proper IP address/port + # in the docker_config section. + # puppet_config is defined to satisfy the pep8 validations. + puppet_config: + config_volume: '' + config_image: '' + step_config: *step_config + kolla_config: + /var/lib/kolla/config_files/ovn_north_db_server.json: + command: + list_join: + - ' ' + - - '/usr/sbin/ovsdb-server' + - '/var/lib/openvswitch/ovnnb.db' + - '--pidfile=/run/openvswitch/ovnnb_db.pid' + - '-vconsole:emer -vsyslog:err -vfile:info' + - '--remote=punix:/run/openvswitch/ovnnb_db.sock' + - '--unixctl=/run/openvswitch/ovnnb_db.ctl' + - '--remote=db:OVN_Northbound,NB_Global,connections' + - '--private-key=db:OVN_Northbound,SSL,private_key' + - '--certificate=db:OVN_Northbound,SSL,certificate' + - '--ca-cert=db:OVN_Northbound,SSL,ca_cert' + - '--log-file=/var/log/openvswitch/ovsdb-server-nb.log' + permissions: + - path: /var/log/openvswitch + owner: root:root + recurse: true + /var/lib/kolla/config_files/ovn_south_db_server.json: + command: + list_join: + - ' ' + - - '/usr/sbin/ovsdb-server' + - '/var/lib/openvswitch/ovnsb.db' + - '--pidfile=/run/openvswitch/ovnsb_db.pid' + - '-vconsole:emer -vsyslog:err -vfile:info' + - '--remote=punix:/run/openvswitch/ovnsb_db.sock' + - '--unixctl=/run/openvswitch/ovnsb_db.ctl' + - '--remote=db:OVN_Southbound,SB_Global,connections' + - '--private-key=db:OVN_Southbound,SSL,private_key' + - '--certificate=db:OVN_Southbound,SSL,certificate' + - '--ca-cert=db:OVN_Southbound,SSL,ca_cert' + - '--log-file=/var/log/openvswitch/ovsdb-server-sb.log' + permissions: + - path: /var/log/openvswitch + owner: root:root + recurse: true + /var/lib/kolla/config_files/ovn_northd.json: + command: + list_join: + - ' ' + - - '/usr/bin/ovn-northd -vconsole:emer -vsyslog:err -vfile:info' + - '--ovnnb-db=unix:/run/openvswitch/ovnnb_db.sock' + - '--ovnsb-db=unix:/run/openvswitch/ovnsb_db.sock' + - '--log-file=/var/log/openvswitch/ovn-northd.log' + - '--pidfile=/run/openvswitch/ovn-northd.pid' + permissions: + - path: /var/log/openvswitch + owner: root:root + recurse: true + docker_config: + step_4: + ovn_north_db_server: + start_order: 0 + image: {get_param: DockerOvnNbDbImage} + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/ovn_north_db_server.json:/var/lib/kolla/config_files/config.json:ro + - /lib/modules:/lib/modules:ro + - /var/lib/openvswitch/ovn:/var/lib/openvswitch + - /var/lib/openvswitch/ovn:/run/openvswitch + - /var/log/containers/openvswitch:/var/log/openvswitch + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + ovn_south_db_server: + start_order: 0 + image: {get_param: DockerOvnSbDbImage} + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/ovn_south_db_server.json:/var/lib/kolla/config_files/config.json:ro + - /lib/modules:/lib/modules:ro + - /var/lib/openvswitch/ovn:/var/lib/openvswitch + - /var/lib/openvswitch/ovn:/run/openvswitch + - /var/log/containers/openvswitch:/var/log/openvswitch + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + configure_ovn_north_db_server: + start_order: 1 + action: exec + user: root + command: ['ovn_north_db_server', '/bin/bash', '-c', 'DBS_LISTEN_IP=`hiera ovn::northd::dbs_listen_ip -c /etc/puppet/hiera.yaml`; NB_DB_PORT=`hiera ovn::northbound::port -c /etc/puppet/hiera.yaml`; /usr/bin/bootstrap_host_exec ovn_dbs ovn-nbctl set-connection ptcp:$NB_DB_PORT:$DBS_LISTEN_IP'] + configure_ovn_south_db_server: + start_order: 1 + action: exec + user: root + command: ['ovn_south_db_server', '/bin/bash', '-c', 'DBS_LISTEN_IP=`hiera ovn::northd::dbs_listen_ip -c /etc/puppet/hiera.yaml`; SB_DB_PORT=`hiera ovn::southbound::port -c /etc/puppet/hiera.yaml`; /usr/bin/bootstrap_host_exec ovn_dbs ovn-sbctl set-connection ptcp:$SB_DB_PORT:$DBS_LISTEN_IP'] + ovn_northd: + start_order: 2 + image: {get_param: DockerOvnNorthdImage} + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/ovn_northd.json:/var/lib/kolla/config_files/config.json:ro + - /lib/modules:/lib/modules:ro + - /var/lib/openvswitch/ovn:/run/openvswitch + - /var/log/containers/openvswitch:/var/log/openvswitch + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent directories + file: + path: "{{ item }}" + state: directory + with_items: + - /var/log/containers/openvswitch + - /var/lib/openvswitch/ovn + upgrade_tasks: + - name: Stop and disable ovn-northd service + tags: step2 + service: name=ovn-northd state=stopped enabled=no diff --git a/environments/services-docker/neutron-ovn.yaml b/environments/services-docker/neutron-ovn.yaml new file mode 100644 index 00000000..8c8a56c9 --- /dev/null +++ b/environments/services-docker/neutron-ovn.yaml @@ -0,0 +1,27 @@ +# A Heat environment that can be used to deploy OVN services with non HA OVN DB servers. +resource_registry: + OS::TripleO::Docker::NeutronMl2PluginBase: ../../puppet/services/neutron-plugin-ml2-ovn.yaml + OS::TripleO::Services::OVNController: ../../docker/services/ovn-controller.yaml + OS::TripleO::Services::OVNDBs: ../../docker/services/ovn-dbs.yaml +# Disabling Neutron services that overlap with OVN + OS::TripleO::Services::NeutronOvsAgent: OS::Heat::None + OS::TripleO::Services::ComputeNeutronOvsAgent: OS::Heat::None + OS::TripleO::Services::NeutronL3Agent: OS::Heat::None + OS::TripleO::Services::NeutronMetadataAgent: OS::Heat::None + OS::TripleO::Services::NeutronDhcpAgent: OS::Heat::None + OS::TripleO::Services::ComputeNeutronCorePlugin: OS::Heat::None + + +parameter_defaults: + NeutronMechanismDrivers: ovn + OVNVifType: ovs + OVNNeutronSyncMode: log + OVNQosDriver: ovn-qos + OVNTunnelEncapType: geneve + NeutronEnableDHCPAgent: false + NeutronTypeDrivers: 'geneve,vxlan,vlan,flat' + NeutronNetworkType: 'geneve' + NeutronServicePlugins: 'qos,ovn-router' + NeutronVniRanges: ['1:65536', ] + DockerNeutronApiImage: 'tripleoupstream/centos-binary-neutron-server-ovn:latest' + DockerNeutronConfigImage: 'tripleoupstream/centos-binary-neutron-server-ovn:latest' diff --git a/releasenotes/notes/ovn-container-support-3ab333fff6e90dc4.yaml b/releasenotes/notes/ovn-container-support-3ab333fff6e90dc4.yaml new file mode 100644 index 00000000..25fd2fbe --- /dev/null +++ b/releasenotes/notes/ovn-container-support-3ab333fff6e90dc4.yaml @@ -0,0 +1,4 @@ +--- +features: + - Support containerized ovn-controller + - Support containerized OVN Dbs without HA -- cgit 1.2.3-korg