From 52b1342753be7283ee369aa2126ccc58bcf7cc4c Mon Sep 17 00:00:00 2001 From: Ritesh Anand Date: Tue, 16 Jul 2019 21:29:07 +0000 Subject: [PATCH 1/3] designate: Update ns_records with all nameservers (SOC-9636) Added public FQDN for all nodes running dns-server. This follows PR 1887 in crowbar-core which, when designate is enabled, will make the dns servers listen on the public network. --- chef/cookbooks/designate/recipes/mdns.rb | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/chef/cookbooks/designate/recipes/mdns.rb b/chef/cookbooks/designate/recipes/mdns.rb index cfb1e04ea6..da49003ce6 100644 --- a/chef/cookbooks/designate/recipes/mdns.rb +++ b/chef/cookbooks/designate/recipes/mdns.rb @@ -18,7 +18,8 @@ require "yaml" -dns = node_search_with_cache("roles:dns-server").first +dns_all = node_search_with_cache("roles:dns-server") +dns = dns_all.first dnsmaster = dns[:dns][:master_ip] dnsslaves = dns[:dns][:slave_ips].to_a dnsservers = [dnsmaster] + dnsslaves @@ -34,12 +35,14 @@ # with every delete/create cycle of proposal. This might mess # up the designate configuration. So the advantage of having # non-hardcoded is high enough + +ns_records = dns_all.map { |dnss| { "hostname" => "public-#{dnss[:fqdn]}.", "priority" => 1 } } pools = [{ "name" => "default-bind", "description" => "Default BIND9 Pool", "id" => "794ccc2c-d751-44fe-b57f-8894c9f5c842", "attributes" => {}, - "ns_records" => [{ "hostname" => "#{dns[:fqdn]}.", "priority" => 1 }], + "ns_records" => ns_records, "nameservers" => dnsservers.map { |ip| { "host" => ip, "port" => 53 } }, "also_notifies" => dnsslaves.map { |ip| { "host" => ip, "port" => 53 } }, "targets" => [{ From e18adc60bc703f087fd57ea4904fa820e343dc38 Mon Sep 17 00:00:00 2001
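Review bot: `ns_records` is built in whatever order `node_search_with_cache` returns the nodes, which is not guaranteed stable between chef runs, so the rendered pools definition can change without any real change and trigger a spurious pool update; sort first, `ns_records = dns_all.sort_by { |dnss| dnss[:fqdn] }.map { |dnss| { "hostname" => "public-#{dnss[:fqdn]}.", "priority" => 1 } }`. The `public-` prefix hard-codes the public-network hostname convention inline; a one-line comment such as `# NS records must resolve on the public network, where the dns servers listen when designate is enabled` would tell the next reader why it is not taken from the node. The first hunk still derives `dnsmaster` from `dns_all.first`, so with several dns-server nodes the master address comes from whichever node the search lists first; that is pre-existing, but now that the full list is used it is worth stating which node is expected to be authoritative.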
From: Madhu Mohan Nelemane Date: Mon, 2 Sep 2019 15:47:55 +0200 Subject: [PATCH 2/3] Changes to integrate with ACI 4.1 and new packages (SOC-10403) This commit provides changes in plugin packages and config files needed for integration of SOC with ACI 4.1 and higher versions. ACI 4.1 uses a slightly different set of plugin packages and configs for integration with OpenStack. This includes: - python-gbpclient renamed to python-group-based-policy-client - ovs-bridge-name in opflex-agent-ovs.conf removed - addition of int-bridge-name and access-bridge-name in opflex-agent-ovs.conf - Renaming of agent-ovs to opflex-agent For uniformity, the template for opflex-agent-ovs.conf is now renamed from 10-opflex-agent-ovs.conf.erb to opflex-agent-ovs.conf.erb - The neutron template schema and json templates are updated to provide integration_bridge and access_bridge details with default values. The corresponding migration scripts are also updated. --- chef/cookbooks/neutron/attributes/default.rb | 9 ++++---- .../neutron/recipes/cisco_apic_agents.rb | 7 ++++--- ...ovs.conf.erb => opflex-agent-ovs.conf.erb} | 3 ++- ...08_add_opflex_access_integration_bridge.rb | 21 +++++++++++++++++++ chef/data_bags/crowbar/template-neutron.json | 6 ++++-- .../data_bags/crowbar/template-neutron.schema | 2 ++ 6 files changed, 38 insertions(+), 10 deletions(-) rename chef/cookbooks/neutron/templates/default/{10-opflex-agent-ovs.conf.erb => opflex-agent-ovs.conf.erb} (93%) create mode 100644 chef/data_bags/crowbar/migrate/neutron/308_add_opflex_access_integration_bridge.rb diff --git a/chef/cookbooks/neutron/attributes/default.rb b/chef/cookbooks/neutron/attributes/default.rb index 2b8f8827cf..f9d1cffed6 100644 --- a/chef/cookbooks/neutron/attributes/default.rb +++ b/chef/cookbooks/neutron/attributes/default.rb 
@@ -33,6 +33,7 @@ default[:neutron][:nsx_config_file] = "/etc/neutron/neutron.conf.d/110-nsx.conf" default[:neutron][:ml2_cisco_config_file] = "/etc/neutron/neutron.conf.d/115-ml2_cisco.conf" default[:neutron][:ml2_cisco_apic_config_file] = "/etc/neutron/neutron.conf.d/115-ml2_cisco_apic.conf" +default[:neutron][:opflex_config_file] = "/etc/opflex-agent-ovs/conf.d/10-opflex-agent-ovs.conf" default[:neutron][:rpc_workers] = 1 default[:neutron][:db][:database] = "neutron" @@ -128,8 +129,8 @@ cisco_apic_pkgs: ["python-apicapi", "python-neutron-ml2-driver-apic"], cisco_apic_gbp_pkgs: ["openstack-neutron-gbp", - "python-gbpclient"], - cisco_opflex_pkgs: ["agent-ovs", + "python-group-based-policy-client"], + cisco_opflex_pkgs: ["opflex-agent", "lldpd", "openstack-neutron-opflex-agent"], infoblox_pkgs: ["python-infoblox-client", @@ -174,8 +175,8 @@ cisco_apic_pkgs: ["python-apicapi", "python-neutron-ml2-driver-apic"], cisco_apic_gbp_pkgs: ["openstack-neutron-gbp", - "python-gbpclient"], - cisco_opflex_pkgs: ["agent-ovs", + "python-group-based-policy-client"], + cisco_opflex_pkgs: ["opflex-agent", "lldpd", "neutron-opflex-agent"], infoblox_pkgs: [], diff --git a/chef/cookbooks/neutron/recipes/cisco_apic_agents.rb b/chef/cookbooks/neutron/recipes/cisco_apic_agents.rb index 96aa0303e8..aa754f8c34 100644 --- a/chef/cookbooks/neutron/recipes/cisco_apic_agents.rb +++ b/chef/cookbooks/neutron/recipes/cisco_apic_agents.rb 
@@ -91,15 +91,14 @@ end # Update config file from template -opflex_agent_conf = "/etc/opflex-agent-ovs/conf.d/10-opflex-agent-ovs.conf" apic = neutron[:neutron][:apic] opflex_list = apic[:opflex].select { |i| i[:nodes].include? node[:hostname] } opflex_list.any? || raise("Opflex instance not found for node '#{node[:hostname]}'") opflex_list.one? || raise("Multiple opflex instances found for node '#{node[:hostname]}'") opflex = opflex_list.first -template opflex_agent_conf do +template node[:neutron][:opflex_config_file] do cookbook "neutron" - source "10-opflex-agent-ovs.conf.erb" + source "opflex-agent-ovs.conf.erb" mode "0755" owner "root" group neutron[:neutron][:platform][:group] @@ -109,6 +108,8 @@ socketgroup: neutron[:neutron][:platform][:group], opflex_peer_ip: opflex[:peer_ip], opflex_peer_port: opflex[:peer_port], + opflex_int_bridge: opflex[:integration_bridge], + opflex_access_bridge: opflex[:access_bridge], opflex_vxlan_encap_iface: opflex[:vxlan][:encap_iface], opflex_vxlan_uplink_iface: opflex[:vxlan][:uplink_iface], opflex_vxlan_uplink_vlan: opflex[:vxlan][:uplink_vlan], diff --git a/chef/cookbooks/neutron/templates/default/10-opflex-agent-ovs.conf.erb b/chef/cookbooks/neutron/templates/default/opflex-agent-ovs.conf.erb similarity index 93% rename from chef/cookbooks/neutron/templates/default/10-opflex-agent-ovs.conf.erb rename to chef/cookbooks/neutron/templates/default/opflex-agent-ovs.conf.erb index 28f504218d..b03e7a3b25 100644 --- a/chef/cookbooks/neutron/templates/default/10-opflex-agent-ovs.conf.erb +++ b/chef/cookbooks/neutron/templates/default/opflex-agent-ovs.conf.erb @@ -36,7 +36,8 @@ "renderers": { "stitched-mode": { - "ovs-bridge-name": "br-int", + "int-bridge-name": "<%= @opflex_int_bridge %>", + "access-bridge-name": "<%= @opflex_access_bridge %>", "encap": { "vxlan" : { "encap-iface": "<%= @opflex_vxlan_encap_iface %>", 
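Review bot: Dropping the `opflex_agent_conf` local here leaves the later `subscribes :restart, resources("template[#{opflex_agent_conf}]")` in the same recipe (visible as a removed line only in patch 3's cisco_apic_agents.rb hunk) referring to an undefined name, so this commit does not compile on its own and the series is not bisectable; that line belongs in this commit as `subscribes :restart, resources("template[#{node[:neutron][:opflex_config_file]}]")`. The rendered file also keeps `mode "0755"` (context line): it holds the agent's SSL mode and peer settings and is never executed, so `mode "0640"` with the existing owner/group is the usual choice. The template resource's block continues past the end of this hunk.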
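Review bot: `@opflex_int_bridge` and `@opflex_access_bridge` are interpolated unescaped into a JSON document and the schema only constrains them to `str`, so a value containing a quote or backslash leaves opflex-agent with an unparsable config. Either emit them JSON-encoded, `"int-bridge-name": <%= @opflex_int_bridge.to_json %>,` (dropping the literal quotes), or reject anything outside a bridge-name pattern when the proposal is validated, if the neutron service has such a step. The `ssl_mode` value added to this template in patch 3 has the same exposure.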
diff --git a/chef/data_bags/crowbar/migrate/neutron/308_add_opflex_access_integration_bridge.rb b/chef/data_bags/crowbar/migrate/neutron/308_add_opflex_access_integration_bridge.rb new file mode 100644 index 0000000000..2e781a2005 --- /dev/null +++ b/chef/data_bags/crowbar/migrate/neutron/308_add_opflex_access_integration_bridge.rb @@ -0,0 +1,21 @@ +def upgrade(tattr, tdep, attr, dep) + unless attr["apic"]["opflex"].key?("integration_bridge") + attr["apic"]["opflex"]["integration_bridge"] = tattr["apic"]["opflex"]["integration_bridge"] + end + unless attr["apic"]["opflex"].key?("access_bridge") + attr["apic"]["opflex"]["access_bridge"] = tattr["apic"]["opflex"]["access_bridge"] + end + + return attr, dep +end + +def downgrade(tattr, tdep, attr, dep) + unless tattr["apic"]["opflex"].key?("integration_bridge") + attr["apic"]["opflex"].delete("integration_bridge") if attr.key?("integration_bridge") + end + unless tattr["apic"]["opflex"].key?("access_bridge") + attr["apic"]["opflex"].delete("access_bridge") if attr.key?("access_bridge") + end + + return attr, dep +end diff --git a/chef/data_bags/crowbar/template-neutron.json b/chef/data_bags/crowbar/template-neutron.json index f4b3f3c766..05fb8bc50e 100644 --- a/chef/data_bags/crowbar/template-neutron.json +++ b/chef/data_bags/crowbar/template-neutron.json @@ -64,8 +64,10 @@ "peer_ip": "", "peer_port": 8009, "encap": "vxlan", + "integration_bridge": "br-int", + "access_bridge": "br-fabric", "vxlan": { - "encap_iface": "br-int_vxlan0", + "encap_iface": "br-fab_vxlan0", "uplink_iface": "vlan.4093", "uplink_vlan": 4093, "remote_ip": "", @@ -193,7 +195,7 @@ "neutron": { "crowbar-revision": 0, "crowbar-applied": false, - "schema-revision": 307, + "schema-revision": 308, "element_states": { "neutron-server": [ "readying", "ready", "applying" ], "neutron-network": [ "readying", "ready", "applying" ], 
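Review bot: In `downgrade`, both guards call `attr.key?("integration_bridge")` and `attr.key?("access_bridge")` on the top-level hash, but the keys live under `attr["apic"]["opflex"]`, so the conditions are always false and nothing is ever removed; since `Hash#delete` is a no-op for a missing key the guards can go entirely, `attr["apic"]["opflex"].delete("integration_bridge")` and `attr["apic"]["opflex"].delete("access_bridge")`. The replacement migration 308_add_apic_multi_vmm_domains.rb in patch 3 repeats the same wrong-level `attr.key?("apic_vmms")` check. A one-line header comment naming the schema revision and the two keys it introduces would make the file self-describing.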
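Review bot: The default `encap_iface` changes from `br-int_vxlan0` to `br-fab_vxlan0`, but the migration in this commit only adds the two missing bridge keys, so an upgraded proposal keeps `br-int_vxlan0` while also receiving `access_bridge: br-fabric`; if the encap interface is meant to sit on the access bridge, as the new name suggests, the migration should rewrite the old default too, otherwise the commit message should say why the mixed state is acceptable. Hedged, since the page does not show how `encap_iface` relates to the bridges.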
diff --git a/chef/data_bags/crowbar/template-neutron.schema b/chef/data_bags/crowbar/template-neutron.schema index 211d081588..7a6594cd6f 100644 --- a/chef/data_bags/crowbar/template-neutron.schema +++ b/chef/data_bags/crowbar/template-neutron.schema @@ -72,6 +72,8 @@ "peer_ip": { "type": "str", "required" : true }, "peer_port": { "type": "int", "required" : true }, "encap": { "type": "str", "required": true }, + "integration_bridge": { "type": "str", "required": true }, + "access_bridge": { "type": "str", "required": true }, "vxlan": { "type": "map", "required": true, "mapping" : { "encap_iface": {"type": "str", "required": true }, "uplink_iface": { "type": "str", "required": true }, From 1f164360fda298d36f2e3ab982cd7e3f126b3a3e Mon Sep 17 00:00:00 2001 
From: Varadhan Veerapuram Date: Thu, 1 Feb 2018 18:15:30 +0530 Subject: [PATCH 3/3] [neutron][Cisco ACI] Multi-VMM domain support (SOC - 10471) A single ACI fabric can support multiple VMM domains. Each VMM domain can be governed by a different controller (e.g. VMware vCenter, OpenStack or Microsoft SCVMM). Several production data centers tend to use multiple VMM domains and expect to be able to monitor and control network policies from a single ACI fabric. Integration of OpenStack with such a setup requires crowbar to provide parameters specific to each VMM domain. This commit adds the additional parameters and logic to validate and send these to the correct config location. The changes now allow providing "Vmware" or "OpenStack" as the VMM type. Multiple entries of either type are possible. - Also added "ssl_mode" as a configurable parameter, which needs to be in "encrypted" mode if ESXi is used as compute. Other use-cases may need to change it as required, hence it is included as a configurable parameter within the opflex node structure. --- .../neutron/recipes/cisco_apic_agents.rb | 7 ++++--- .../neutron/recipes/cisco_apic_support.rb | 4 ++++ .../default/ml2_conf_cisco_apic.ini.erb | 15 ++++++++++--- .../default/opflex-agent-ovs.conf.erb | 2 +- .../neutron/308_add_apic_multi_vmm_domains.rb | 15 +++++++++++++ ...08_add_opflex_access_integration_bridge.rb | 21 ------------------- chef/data_bags/crowbar/template-neutron.json | 13 +++++++++++- .../data_bags/crowbar/template-neutron.schema | 10 ++++++++- 8 files changed, 57 insertions(+), 30 deletions(-) create mode 100644 chef/data_bags/crowbar/migrate/neutron/308_add_apic_multi_vmm_domains.rb delete mode 100644 chef/data_bags/crowbar/migrate/neutron/308_add_opflex_access_integration_bridge.rb diff --git a/chef/cookbooks/neutron/recipes/cisco_apic_agents.rb b/chef/cookbooks/neutron/recipes/cisco_apic_agents.rb index aa754f8c34..3c02d8c879 100644 --- a/chef/cookbooks/neutron/recipes/cisco_apic_agents.rb
+++ b/chef/cookbooks/neutron/recipes/cisco_apic_agents.rb @@ -108,6 +108,7 @@ socketgroup: neutron[:neutron][:platform][:group], opflex_peer_ip: opflex[:peer_ip], opflex_peer_port: opflex[:peer_port], + opflex_ssl_mode: opflex[:ssl_mode], opflex_int_bridge: opflex[:integration_bridge], opflex_access_bridge: opflex[:access_bridge], opflex_vxlan_encap_iface: opflex[:vxlan][:encap_iface], @@ -132,8 +133,8 @@ end utils_systemd_service_restart "neutron-opflex-agent" -service "agent-ovs" do +service "opflex-agent" do action [:enable, :start] - subscribes :restart, resources("template[#{opflex_agent_conf}]") + subscribes :restart, resources("template[#{node[:neutron][:opflex_config_file]}]") end -utils_systemd_service_restart "agent-ovs" +utils_systemd_service_restart "opflex-agent" diff --git a/chef/cookbooks/neutron/recipes/cisco_apic_support.rb b/chef/cookbooks/neutron/recipes/cisco_apic_support.rb index ba2cc2c414..d81ec62bbf 100644 --- a/chef/cookbooks/neutron/recipes/cisco_apic_support.rb +++ b/chef/cookbooks/neutron/recipes/cisco_apic_support.rb @@ -41,6 +41,7 @@ end aciswitches = node[:neutron][:apic][:apic_switches].to_hash +acivmms = node[:neutron][:apic][:apic_vmms] template node[:neutron][:ml2_cisco_apic_config_file] do cookbook "neutron" @@ -51,6 +52,9 @@ variables( vpc_pairs: node[:neutron][:apic][:vpc_pairs], apic_switches: aciswitches, + optimized_dhcp: node[:neutron][:apic][:optimized_dhcp], + optimized_metadata: node[:neutron][:apic][:optimized_metadata], + apic_vmms: acivmms, ml2_mechanism_drivers: node[:neutron][:ml2_mechanism_drivers], policy_drivers: "implicit_policy,apic", default_ip_pool: "192.168.0.0/16" diff --git a/chef/cookbooks/neutron/templates/default/ml2_conf_cisco_apic.ini.erb b/chef/cookbooks/neutron/templates/default/ml2_conf_cisco_apic.ini.erb index 30e24dc022..421c8bebbc 100644 --- a/chef/cookbooks/neutron/templates/default/ml2_conf_cisco_apic.ini.erb +++ b/chef/cookbooks/neutron/templates/default/ml2_conf_cisco_apic.ini.erb 
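Review bot: `acivmms = node[:neutron][:apic][:apic_vmms]` is passed to the template unguarded, and the template iterates it with `@apic_vmms.each`; a proposal that has not been through the 308 migration (or was downgraded) has no `apic_vmms`, so the recipe would fail with a NoMethodError on nil rather than render a config without VMM sections. `acivmms = Array(node[:neutron][:apic][:apic_vmms])` keeps the render working with an empty list, mirroring the `.to_hash` defensiveness used for `aciswitches` one line above. Whether migrations always run before this recipe is not visible on this page, so this may be belt-and-braces.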
@@ -2,7 +2,7 @@ apic_system_id=<%= node[:neutron][:apic][:system_id] %> [opflex] networks = * -[ml2_cisco_apic] +[apic] apic_hosts=<%= node[:neutron][:apic][:hosts] %> apic_username=<%= node[:neutron][:apic][:username] %> apic_password=<%= node[:neutron][:apic][:password] %> @@ -11,8 +11,8 @@ apic_name_mapping = use_name apic_clear_node_profiles = True enable_aci_routing = True apic_arp_flooding = True -enable_optimized_metadata = <%= node[:neutron][:apic][:optimized_metadata] %> -enable_optimized_dhcp = <%= node[:neutron][:apic][:optimized_dhcp] %> +enable_optimized_metadata = <%= @optimized_metadata %> +enable_optimized_dhcp = <%= @optimized_dhcp %> apic_provision_infra = True apic_provision_hostlinks = True <% unless @vpc_pairs.nil? -%> @@ -41,3 +41,12 @@ enable_nat = <%= node[:neutron][:apic][:ext_net][:nat_enabled] %> <% end -%> external_epg = <%= node[:neutron][:apic][:ext_net][:ext_epg] %> host_pool_cidr = <%= node[:neutron][:apic][:ext_net][:host_pool_cidr] %> + +<% @apic_vmms.each do |vmm_domain| -%> +[apic_vmdom:<%= vmm_domain[:vmm_name]%>] +vmm_type = <%= vmm_domain[:vmm_type]%> +<% if vmm_domain[:vlan_ranges] -%> +vlan_ranges = <%= vmm_domain[:vlan_ranges] %> +<% end -%> +<% end -%> + diff --git a/chef/cookbooks/neutron/templates/default/opflex-agent-ovs.conf.erb b/chef/cookbooks/neutron/templates/default/opflex-agent-ovs.conf.erb index b03e7a3b25..45eb74dcbb 100644 --- a/chef/cookbooks/neutron/templates/default/opflex-agent-ovs.conf.erb +++ b/chef/cookbooks/neutron/templates/default/opflex-agent-ovs.conf.erb @@ -10,7 +10,7 @@ {"hostname": "<%= @opflex_peer_ip %>", "port": "<%= @opflex_peer_port %>"} ], "ssl": { - "mode": "enabled", + "mode": "<%= @opflex_ssl_mode %>", "ca-store": "/etc/ssl/certs/" }, "inspector": { diff --git a/chef/data_bags/crowbar/migrate/neutron/308_add_apic_multi_vmm_domains.rb b/chef/data_bags/crowbar/migrate/neutron/308_add_apic_multi_vmm_domains.rb new file mode 100644 index 0000000000..ac15244d9d --- /dev/null 
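Review bot: In the third hunk, `<% if vmm_domain[:vlan_ranges] -%>` never skips the template default `""`, because an empty string is truthy in Ruby, so every domain using the default gets a bare `vlan_ranges = ` line in the ini file; use `<% unless vmm_domain[:vlan_ranges].to_s.empty? -%>`. `vmm_name` is written verbatim into the section header `[apic_vmdom:<%= vmm_domain[:vmm_name]%>]`, so a `]` or newline in the proposal value yields a malformed section, and the schema only checks `str`; a pattern check in proposal validation is worth adding. The hunk also appends two trailing blank lines to the file.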
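Review bot: Replacing the fixed `"mode": "enabled"` with `<%= @opflex_ssl_mode %>` is fine, but the template default added in this series is `encrypted`; as far as opflex-agent's shipped configuration documents the values, `enabled` encrypts and verifies the peer against `ca-store` while `encrypted` encrypts without peer verification, so every new deployment moves from authenticated to unauthenticated TLS to the peer and the `ca-store` line below becomes inert in that mode. If only ESXi-backed computes need `encrypted`, keep `enabled` as the shipped default and document the trade-off at the field, and pin the accepted values in the schema with `"ssl_mode": { "type": "str", "required": true, "enum": ["disabled", "encrypted", "enabled"] }` so a typo fails validation instead of reaching the agent.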
+++ b/chef/data_bags/crowbar/migrate/neutron/308_add_apic_multi_vmm_domains.rb @@ -0,0 +1,15 @@ +def upgrade(tattr, tdep, attr, dep) + unless attr["apic"].key?("apic_vmms") + attr["apic"]["apic_vmms"] = tattr["apic"]["apic_vmms"] + end + + return attr, dep +end + +def downgrade(tattr, tdep, attr, dep) + unless tattr["apic"].key?("apic_vmms") + attr["apic"].delete("apic_vmms") if attr.key?("apic_vmms") + end + + return attr, dep +end diff --git a/chef/data_bags/crowbar/migrate/neutron/308_add_opflex_access_integration_bridge.rb b/chef/data_bags/crowbar/migrate/neutron/308_add_opflex_access_integration_bridge.rb deleted file mode 100644 index 2e781a2005..0000000000 --- a/chef/data_bags/crowbar/migrate/neutron/308_add_opflex_access_integration_bridge.rb +++ /dev/null @@ -1,21 +0,0 @@ -def upgrade(tattr, tdep, attr, dep) - unless attr["apic"]["opflex"].key?("integration_bridge") - attr["apic"]["opflex"]["integration_bridge"] = tattr["apic"]["opflex"]["integration_bridge"] - end - unless attr["apic"]["opflex"].key?("access_bridge") - attr["apic"]["opflex"]["access_bridge"] = tattr["apic"]["opflex"]["access_bridge"] - end - - return attr, dep -end - -def downgrade(tattr, tdep, attr, dep) - unless tattr["apic"]["opflex"].key?("integration_bridge") - attr["apic"]["opflex"].delete("integration_bridge") if attr.key?("integration_bridge") - end - unless tattr["apic"]["opflex"].key?("access_bridge") - attr["apic"]["opflex"].delete("access_bridge") if attr.key?("access_bridge") - end - - return attr, dep -end diff --git a/chef/data_bags/crowbar/template-neutron.json b/chef/data_bags/crowbar/template-neutron.json index 05fb8bc50e..ab78f2a3bc 100644 --- a/chef/data_bags/crowbar/template-neutron.json +++ b/chef/data_bags/crowbar/template-neutron.json @@ -63,6 +63,7 @@ "nodes" : [], "peer_ip": "", "peer_port": 8009, + "ssl_mode": "encrypted", "encap": "vxlan", "integration_bridge": "br-int", "access_bridge": "br-fabric", 
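Review bot: This migration replaces the patch-2 migration for revision 308 but only carries `apic_vmms`; `integration_bridge`, `access_bridge` and the new `ssl_mode` are no longer copied into existing proposals even though the schema marks all three `required`, so a proposal at revision 307 either fails validation after upgrade or renders empty bridge names and an empty `"mode"` into opflex-agent-ovs.conf. Either add the three `unless attr["apic"]["opflex"].key?(...)` blocks back here, or keep the patch-2 file and number this one 309 with `schema-revision` bumped to match. `tattr["apic"]["apic_vmms"]` also carries the template's two example domains, including a `vmware` one, so every upgraded proposal would start emitting an `[apic_vmdom:soc_vm_domain]` section; an empty list is the safer value to migrate in. As in the patch-2 migration, `attr.key?("apic_vmms")` in `downgrade` checks the wrong hash level; `attr["apic"].delete("apic_vmms")` alone is enough.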
@@ -98,7 +99,17 @@ } } } - } + }, + "apic_vmms": [{ + "vmm_name": "soc_kvm_domain", + "vmm_type": "openstack", + "vlan_ranges": "" + }, + { + "vmm_name": "soc_vm_domain", + "vmm_type": "vmware", + "vlan_ranges": "" + }] }, "allow_overlapping_ips": true, "use_syslog": false, diff --git a/chef/data_bags/crowbar/template-neutron.schema b/chef/data_bags/crowbar/template-neutron.schema index 7a6594cd6f..e837a1dd2a 100644 --- a/chef/data_bags/crowbar/template-neutron.schema +++ b/chef/data_bags/crowbar/template-neutron.schema @@ -71,6 +71,7 @@ "nodes": { "type" : "seq", "required" : true, "sequence": [ { "type": "str" } ] }, "peer_ip": { "type": "str", "required" : true }, "peer_port": { "type": "int", "required" : true }, + "ssl_mode": { "type": "str", "required": true }, "encap": { "type": "str", "required": true }, "integration_bridge": { "type": "str", "required": true }, "access_bridge": { "type": "str", "required": true }, @@ -94,7 +95,14 @@ }} }} }} - } + }, + "apic_vmms": { "type" : "seq", "required" : true, "sequence" : [ { + "type" : "map", "required" : true, "mapping" : { + "vmm_name": { "type": "str", "required": true }, + "vmm_type": { "type": "str", "required": true }, + "vlan_ranges": { "type": "str", "required": true } + } + } ] } }}, "allow_overlapping_ips": { "type": "bool", "required": true }, "cisco_switches": {
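Review bot: `vmm_type` is typed only as `str` although the commit message says just `openstack` and `vmware` are meaningful; the kwalify schema can pin that with `"vmm_type": { "type": "str", "required": true, "enum": ["openstack", "vmware"] }`, and the `ssl_mode` entry in the first schema hunk deserves the same treatment. `vlan_ranges` is `required: true` yet the json default is `""`, so either mark it `"required": false` or ship a real default; together with the template's truthiness check the empty value currently produces a bare `vlan_ranges =` line. The default `apic_vmms` list in the json hunk includes a `vmware` example domain that every fresh proposal would push into the ml2 config unless the operator deletes it; an empty list or a single openstack entry is the safer shipped default.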