Convert Neutron to thin containers

*** Requires Docker 1.10 which is released *** Documentation will be in the next patch. You must set the following in your docker.service daemon control file for propogation to work: [Service] MountFlags=shared ====================================================================== Thanks to mount propagation in Docker 1.10 we can use thin containers finally! This is extremely useful to operators since now they can access the network namespaces from the hosts (outside the neutron container). But additionally it allows us to implement the VPN agent and other services easier. Neutron containers and the neutron role are brought into the standards of the new Kolla. Completely with drop-root and ansible formating updates. The ip_wrapper.py script was (thankfully) not needed so it has been removed from the repo. Partially-Implements: blueprint upgrade-neutron Change-Id: Iaf5555283240457e1912459f397a6393d886fba1
2016-01-26 19:50:43 +00:00 · 2016-01-26 19:50:43 +00:00 · ddb7cd88c5
commit ddb7cd88c5
parent 2514bcf0c3
36 changed files with 325 additions and 265 deletions
--- a/ansible/inventory/all-in-one
+++ b/ansible/inventory/all-in-one
@ -118,7 +118,13 @@ nova
 [neutron-server:children]
 neutron

-[neutron-agents:children]
+[neutron-dhcp-agent:children]
+neutron
+
+[neutron-l3-agent:children]
+neutron
+
+[neutron-metadata-agent:children]
 neutron

 # Cinder
--- a/ansible/inventory/multinode
+++ b/ansible/inventory/multinode
@ -130,7 +130,13 @@ nova
 [neutron-server:children]
 control

-[neutron-agents:children]
+[neutron-dhcp-agent:children]
+neutron
+
+[neutron-l3-agent:children]
+neutron
+
+[neutron-metadata-agent:children]
 neutron

 # Cinder
--- a/ansible/roles/neutron/defaults/main.yml
+++ b/ansible/roles/neutron/defaults/main.yml
@ -12,30 +12,38 @@ neutron_database_address: "{{ kolla_internal_address }}"
 ####################
 # Docker
 ####################
-neutron_server_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-neutron-server"
-neutron_server_tag: "{{ openstack_release }}"
-neutron_server_image_full: "{{ neutron_server_image }}:{{ neutron_server_tag }}"
+neutron_dhcp_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-neutron-dhcp-agent"
+neutron_dhcp_agent_tag: "{{ openstack_release }}"
+neutron_dhcp_agent_image_full: "{{ neutron_dhcp_agent_image }}:{{ neutron_dhcp_agent_tag }}"

-neutron_agents_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-neutron-agents"
-neutron_agents_tag: "{{ openstack_release }}"
-neutron_agents_image_full: "{{ neutron_agents_image }}:{{ neutron_agents_tag }}"
-
-neutron_openvswitch_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-neutron-openvswitch-agent"
-neutron_openvswitch_agent_tag: "{{ openstack_release }}"
-neutron_openvswitch_agent_image_full: "{{ neutron_openvswitch_agent_image }}:{{ neutron_openvswitch_agent_tag }}"
+neutron_l3_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-neutron-l3-agent"
+neutron_l3_agent_tag: "{{ openstack_release }}"
+neutron_l3_agent_image_full: "{{ neutron_l3_agent_image }}:{{ neutron_l3_agent_tag }}"

 neutron_linuxbridge_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-neutron-linuxbridge-agent"
 neutron_linuxbridge_agent_tag: "{{ openstack_release }}"
 neutron_linuxbridge_agent_image_full: "{{ neutron_linuxbridge_agent_image }}:{{ neutron_linuxbridge_agent_tag }}"

-openvswitch_vswitchd_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-openvswitch-vswitchd"
-openvswitch_vswitchd_tag: "{{ openstack_release }}"
-openvswitch_vswitchd_image_full: "{{ openvswitch_vswitchd_image }}:{{ openvswitch_vswitchd_tag }}"
+neutron_metadata_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-neutron-metadata-agent"
+neutron_metadata_agent_tag: "{{ openstack_release }}"
+neutron_metadata_agent_image_full: "{{ neutron_metadata_agent_image }}:{{ neutron_metadata_agent_tag }}"
+
+neutron_openvswitch_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-neutron-openvswitch-agent"
+neutron_openvswitch_agent_tag: "{{ openstack_release }}"
+neutron_openvswitch_agent_image_full: "{{ neutron_openvswitch_agent_image }}:{{ neutron_openvswitch_agent_tag }}"
+
+neutron_server_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-neutron-server"
+neutron_server_tag: "{{ openstack_release }}"
+neutron_server_image_full: "{{ neutron_server_image }}:{{ neutron_server_tag }}"

 openvswitch_db_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-openvswitch-db-server"
 openvswitch_db_tag: "{{ openstack_release }}"
 openvswitch_db_image_full: "{{ openvswitch_db_image }}:{{ openvswitch_db_tag }}"

+openvswitch_vswitchd_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-openvswitch-vswitchd"
+openvswitch_vswitchd_tag: "{{ openstack_release }}"
+openvswitch_vswitchd_image_full: "{{ openvswitch_vswitchd_image }}:{{ openvswitch_vswitchd_tag }}"
+

 ####################
 # Openstack
--- a/ansible/roles/neutron/tasks/config-neutron-fake.yml
+++ b/ansible/roles/neutron/tasks/config-neutron-fake.yml
@ -14,7 +14,6 @@
  with_sequence: start=1 end={{ num_nova_fake_per_node }}
  when:
    - inventory_hostname in groups['compute']
-    - enable_nova_fake | bool
    - neutron_plugin_agent == "openvswitch"

 - name: Copying over neutron.conf
@ -31,7 +30,6 @@
  when:
    - inventory_hostname in groups['compute']
    - neutron_plugin_agent == "openvswitch"
-    - enable_nova_fake | bool

 - name: Copying over ml2_conf.ini
  merge_configs:
@ -43,5 +41,3 @@
  when:
    - inventory_hostname in groups['compute']
    - neutron_plugin_agent == "openvswitch"
-    - enable_nova_fake | bool
-
--- a/ansible/roles/neutron/tasks/config.yml
+++ b/ansible/roles/neutron/tasks/config.yml
@ -3,7 +3,7 @@
  sysctl: name="net.ipv4.ip_forward" value=1 sysctl_set=yes
  when:
    - set_sysctl | bool
-    - inventory_hostname in groups['neutron-agents']
+    - inventory_hostname in groups['neutron-l3-agent']

 - name: Disabling reverse path filter on network node
  sysctl: name="net.ipv4.conf.{{ item }}.rp_filter" value=0 sysctl_set=yes
@ -12,7 +12,7 @@
    - "default"
  when:
    - set_sysctl | bool
-    - inventory_hostname in groups['neutron-agents']
+    - inventory_hostname in groups['neutron-l3-agent']

 - name: Ensuring config directories exist
  file:
@ -20,8 +20,10 @@
    state: "directory"
    recurse: yes
  with_items:
-    - "neutron-agents"
+    - "neutron-dhcp-agent"
+    - "neutron-l3-agent"
    - "neutron-linuxbridge-agent"
+    - "neutron-metadata-agent"
    - "neutron-openvswitch-agent"
    - "neutron-server"
    - "openvswitch-db-server"
@ -32,8 +34,10 @@
    src: "{{ item }}.json.j2"
    dest: "{{ node_config_directory }}/{{ item }}/config.json"
  with_items:
-    - "neutron-agents"
+    - "neutron-dhcp-agent"
+    - "neutron-l3-agent"
    - "neutron-linuxbridge-agent"
+    - "neutron-metadata-agent"
    - "neutron-openvswitch-agent"
    - "neutron-server"
    - "openvswitch-db-server"
@ -52,8 +56,10 @@
      - "/etc/kolla/config/neutron/{{ item }}.conf"
    dest: "{{ node_config_directory }}/{{ item }}/neutron.conf"
  with_items:
-    - "neutron-agents"
+    - "neutron-dhcp-agent"
+    - "neutron-l3-agent"
    - "neutron-linuxbridge-agent"
+    - "neutron-metadata-agent"
    - "neutron-openvswitch-agent"
    - "neutron-server"

@ -66,10 +72,12 @@
      - "/etc/kolla/config/neutron/ml2_conf.ini"
    dest: "{{ node_config_directory }}/{{ item }}/ml2_conf.ini"
  with_items:
-    - "neutron-server"
-    - "neutron-agents"
+    - "neutron-dhcp-agent"
+    - "neutron-l3-agent"
    - "neutron-linuxbridge-agent"
+    - "neutron-metadata-agent"
    - "neutron-openvswitch-agent"
+    - "neutron-server"

 - name: Copying over dhcp_agent.ini
  merge_configs:
@ -80,12 +88,14 @@
      - "/etc/kolla/config/neutron/dhcp_agent.ini"
    dest: "{{ node_config_directory }}/{{ item }}/dhcp_agent.ini"
  with_items:
-    - "neutron-agents"
+    - "neutron-dhcp-agent"

 - name: Copying over dnsmasq.conf
  template:
    src: "dnsmasq.conf.j2"
-    dest: "{{ node_config_directory }}/neutron-agents/dnsmasq.conf"
+    dest: "{{ node_config_directory }}/{{ item }}/dnsmasq.conf"
+  with_items:
+    - "neutron-dhcp-agent"

 - name: Copying over l3_agent.ini
  merge_configs:
@ -96,7 +106,18 @@
      - "/etc/kolla/config/neutron/l3_agent.ini"
    dest: "{{ node_config_directory }}/{{ item }}/l3_agent.ini"
  with_items:
-    - "neutron-agents"
+    - "neutron-l3-agent"
+
+- name: Copying over fwaas_driver.ini
+  merge_configs:
+    vars:
+      service_name: "{{ item }}"
+    sources:
+      - "{{ role_path }}/templates/fwaas_driver.ini.j2"
+      - "/etc/kolla/config/neutron/fwaas_driver.ini"
+    dest: "{{ node_config_directory }}/{{ item }}/fwaas_driver.ini"
+  with_items:
+    - "neutron-l3-agent"

 - name: Copying over metadata_agent.ini
  merge_configs:
@ -107,4 +128,4 @@
      - "/etc/kolla/config/neutron/metadata_agent.ini"
    dest: "{{ node_config_directory }}/{{ item }}/metadata_agent.ini"
  with_items:
-    - "neutron-agents"
+    - "neutron-metadata-agent"
--- a/ansible/roles/neutron/tasks/deploy.yml
+++ b/ansible/roles/neutron/tasks/deploy.yml
@ -6,9 +6,11 @@
  when: inventory_hostname in groups['neutron-server']

 - include: config.yml
-  when: inventory_hostname in groups['compute'] or
-        inventory_hostname in groups['neutron-agents'] or
-        inventory_hostname in groups['neutron-server']
+  when: inventory_hostname in groups['compute']
+        or inventory_hostname in groups['neutron-dhcp-agent']
+        or inventory_hostname in groups['neutron-l3-agent']
+        or inventory_hostname in groups['neutron-metadata-agent']
+        or inventory_hostname in groups['neutron-server']

 - include: config-neutron-fake.yml
  when:
@ -19,6 +21,8 @@
  when: inventory_hostname in groups['neutron-server']

 - include: start.yml
-  when: inventory_hostname in groups['compute'] or
-        inventory_hostname in groups['neutron-agents'] or
-        inventory_hostname in groups['neutron-server']
+  when: inventory_hostname in groups['compute']
+        or inventory_hostname in groups['neutron-dhcp-agent']
+        or inventory_hostname in groups['neutron-l3-agent']
+        or inventory_hostname in groups['neutron-metadata-agent']
+        or inventory_hostname in groups['neutron-server']
--- a/ansible/roles/neutron/tasks/ironic-check.yml
+++ b/ansible/roles/neutron/tasks/ironic-check.yml
@ -1,4 +1,6 @@
 ---
 # TODO(SamYaple): run verification checks at start of playbook
 - fail: msg="neutron_plugin_agent must use openvswitch with Ironic"
-  when: enable_ironic | bool and neutron_plugin_agent != "openvswitch"
+  when:
+    - enable_ironic | bool
+    - neutron_plugin_agent != "openvswitch"
--- a/ansible/roles/neutron/tasks/pull.yml
+++ b/ansible/roles/neutron/tasks/pull.yml
@ -1,10 +1,17 @@
 ---
- name: Pulling neutron-agents image
+- name: Pulling neutron-dhcp-agent image
  kolla_docker:
    action: "pull_image"
    common_options: "{{ docker_common_options }}"
-    image: "{{ neutron_agents_image_full }}"
-  when: inventory_hostname in groups['neutron-agents']
+    image: "{{ neutron_dhcp_agent_image_full }}"
+  when: inventory_hostname in groups['neutron-dhcp-agent']
+
+- name: Pulling neutron-l3-agent image
+  kolla_docker:
+    action: "pull_image"
+    common_options: "{{ docker_common_options }}"
+    image: "{{ neutron_l3_agent_image_full }}"
+  when: inventory_hostname in groups['neutron-l3-agent']

 - name: Pulling neutron-linuxbridge-agent image
  kolla_docker:
@ -12,16 +19,29 @@
    common_options: "{{ docker_common_options }}"
    image: "{{ neutron_linuxbridge_agent_image_full }}"
  when:
-    - (inventory_hostname in groups['compute'] or inventory_hostname in groups['neutron-agents'])
+    - (inventory_hostname in groups['compute']
+       or inventory_hostname in groups['neutron-dhcp-agent']
+       or inventory_hostname in groups['neutron-l3-agent']
+       or inventory_hostname in groups['neutron-metadata-agent'])
    - neutron_plugin_agent == "linuxbridge"

+- name: Pulling neutron-metadata-agent image
+  kolla_docker:
+    action: "pull_image"
+    common_options: "{{ docker_common_options }}"
+    image: "{{ neutron_metadata_agent_image_full }}"
+  when: inventory_hostname in groups['neutron-metadata-agent']
+
 - name: Pulling neutron-openvswitch-agent image
  kolla_docker:
    action: "pull_image"
    common_options: "{{ docker_common_options }}"
    image: "{{ neutron_openvswitch_agent_image_full }}"
  when:
-    - (inventory_hostname in groups['compute'] or inventory_hostname in groups['neutron-agents'])
+    - (inventory_hostname in groups['compute']
+       or inventory_hostname in groups['neutron-dhcp-agent']
+       or inventory_hostname in groups['neutron-l3-agent']
+       or inventory_hostname in groups['neutron-metadata-agent'])
    - neutron_plugin_agent == "openvswitch"

 - name: Pulling neutron-server image
@ -37,7 +57,10 @@
    common_options: "{{ docker_common_options }}"
    image: "{{ openvswitch_db_image_full }}"
  when:
-    - (inventory_hostname in groups['compute'] or inventory_hostname in groups['neutron-agents'])
+    - (inventory_hostname in groups['compute']
+       or inventory_hostname in groups['neutron-dhcp-agent']
+       or inventory_hostname in groups['neutron-l3-agent']
+       or inventory_hostname in groups['neutron-metadata-agent'])
    - neutron_plugin_agent == "openvswitch"

 - name: Pulling openvswitch-vswitchd image
@ -46,5 +69,8 @@
    common_options: "{{ docker_common_options }}"
    image: "{{ openvswitch_vswitchd_image_full }}"
  when:
-    - (inventory_hostname in groups['compute'] or inventory_hostname in groups['neutron-agents'])
+    - (inventory_hostname in groups['compute']
+       or inventory_hostname in groups['neutron-dhcp-agent']
+       or inventory_hostname in groups['neutron-l3-agent']
+       or inventory_hostname in groups['neutron-metadata-agent'])
    - neutron_plugin_agent == "openvswitch"
--- a/ansible/roles/neutron/tasks/start.yml
+++ b/ansible/roles/neutron/tasks/start.yml
@ -10,7 +10,10 @@
      - "/run:/run"
      - "openvswitch_db:/var/lib/openvswitch/"
  when:
-    - (inventory_hostname in groups['compute'] or inventory_hostname in groups['neutron-agents'])
+    - (inventory_hostname in groups['compute']
+       or inventory_hostname in groups['neutron-dhcp-agent']
+       or inventory_hostname in groups['neutron-l3-agent']
+       or inventory_hostname in groups['neutron-metadata-agent'])
    - neutron_plugin_agent == "openvswitch"

 - name: Ensuring OVS bridge is properly setup
@ -18,7 +21,10 @@
  register: status
  changed_when: status.stdout.find('changed') != -1
  when:
-    - (inventory_hostname in groups['compute'] or inventory_hostname in groups['neutron-agents'])
+    - (inventory_hostname in groups['compute']
+       or inventory_hostname in groups['neutron-dhcp-agent']
+       or inventory_hostname in groups['neutron-l3-agent']
+       or inventory_hostname in groups['neutron-metadata-agent'])
    - neutron_plugin_agent == "openvswitch"

 - name: Starting openvswitch-vswitchd container
@ -33,7 +39,10 @@
      - "/lib/modules:/lib/modules:ro"
      - "/run:/run"
  when:
-    - (inventory_hostname in groups['compute'] or inventory_hostname in groups['neutron-agents'])
+    - (inventory_hostname in groups['compute']
+       or inventory_hostname in groups['neutron-dhcp-agent']
+       or inventory_hostname in groups['neutron-l3-agent']
+       or inventory_hostname in groups['neutron-metadata-agent'])
    - neutron_plugin_agent == "openvswitch"

 - name: Starting neutron-server container
@ -60,11 +69,22 @@
      - "/run:/run"
      - "/run/kolla/log:/dev/log"
  when:
+    - (
+        ( inventory_hostname in groups['compute']
+          or inventory_hostname in groups['neutron-dhcp-agent']
+          or inventory_hostname in groups['neutron-l3-agent']
+          or inventory_hostname in groups['neutron-metadata-agent']
+          and not enable_nova_fake | bool
+        ) or
+        ( inventory_hostname in groups['neutron-dhcp-agent']
+          or inventory_hostname in groups['neutron-l3-agent']
+          or inventory_hostname in groups['neutron-metadata-agent']
+          and enable_nova_fake | bool
+        )
+      )
    - neutron_plugin_agent == "openvswitch"
-    - ((inventory_hostname in groups['compute'] or inventory_hostname in groups['neutron-agents']) and not (enable_nova_fake | bool)) or
-      ((inventory_hostname in groups['neutron-agents']) and (enable_nova_fake | bool))

- name: Starting Neutron-openvswitch-agent container for fake nova compute
+- name: Starting neutron-openvswitch-agent container for fake nova compute
  kolla_docker:
    action: "start_container"
    common_options: "{{ docker_common_options }}"
@ -99,18 +119,55 @@
      - "/run:/run"
      - "/run/kolla/log:/dev/log"
  when:
-    - (inventory_hostname in groups['compute'] or inventory_hostname in groups['neutron-agents'])
+    - (inventory_hostname in groups['compute']
+       or inventory_hostname in groups['neutron-dhcp-agent']
+       or inventory_hostname in groups['neutron-l3-agent']
+       or inventory_hostname in groups['neutron-metadata-agent'])
    - neutron_plugin_agent == "linuxbridge"

- name: Starting neutron-agents container
+- name: Starting neutron-dhcp-agent container
  kolla_docker:
    action: "start_container"
    common_options: "{{ docker_common_options }}"
-    image: "{{ neutron_agents_image_full }}"
-    name: "neutron_agents"
+    image: "{{ neutron_dhcp_agent_image_full }}"
+    name: "neutron_dhcp_agent"
    privileged: True
    volumes:
-      - "{{ node_config_directory }}/neutron-agents/:{{ container_config_directory }}/:ro"
+      - "{{ node_config_directory }}/neutron-dhcp-agent/:{{ container_config_directory }}/:ro"
+      - "/run/:/run/"
+      - "/run/kolla/log:/dev/log"
+      - "/run/netns/:/run/netns/:shared"
+      - "neutron_metadata_socket:/var/lib/neutron/kolla/"
+  when:
+    - inventory_hostname in groups['neutron-dhcp-agent']
+
+- name: Starting neutron-l3-agent container
+  kolla_docker:
+    action: "start_container"
+    common_options: "{{ docker_common_options }}"
+    image: "{{ neutron_l3_agent_image_full }}"
+    name: "neutron_l3_agent"
+    privileged: True
+    volumes:
+      - "{{ node_config_directory }}/neutron-l3-agent/:{{ container_config_directory }}/:ro"
      - "/run:/run"
      - "/run/kolla/log:/dev/log"
-  when: inventory_hostname in groups['neutron-agents']
+      - "/run/netns/:/run/netns/:shared"
+      - "neutron_metadata_socket:/var/lib/neutron/kolla/"
+  when:
+    - inventory_hostname in groups['neutron-l3-agent']
+
+- name: Starting neutron-metadata-agent container
+  kolla_docker:
+    action: "start_container"
+    common_options: "{{ docker_common_options }}"
+    image: "{{ neutron_metadata_agent_image_full }}"
+    name: "neutron_metadata_agent"
+    privileged: True
+    volumes:
+      - "{{ node_config_directory }}/neutron-metadata-agent/:{{ container_config_directory }}/:ro"
+      - "/run/kolla/log:/dev/log"
+      - "/run/netns/:/run/netns/:shared"
+      - "neutron_metadata_socket:/var/lib/neutron/kolla/"
+  when:
+    - inventory_hostname in groups['neutron-metadata-agent']
--- a/ansible/roles/neutron/templates/fwaas_driver.ini.j2
+++ b/ansible/roles/neutron/templates/fwaas_driver.ini.j2
@ -0,0 +1 @@
+[fwaas]
--- a/ansible/roles/neutron/templates/neutron-dhcp-agent.json.j2
+++ b/ansible/roles/neutron/templates/neutron-dhcp-agent.json.j2
@ -1,5 +1,5 @@
 {
-    "command": "",
+    "command": "neutron-dhcp-agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/dhcp_agent.ini",
    "config_files": [
        {
            "source": "{{ container_config_directory }}/neutron.conf",
@ -7,6 +7,12 @@
            "owner": "neutron",
            "perm": "0600"
        },
+        {
+            "source": "{{ container_config_directory }}/ml2_conf.ini",
+            "dest": "/etc/neutron/plugins/ml2/ml2_conf.ini",
+            "owner": "neutron",
+            "perm": "0600"
+        },
        {
            "source": "{{ container_config_directory }}/dhcp_agent.ini",
            "dest": "/etc/neutron/dhcp_agent.ini",
@ -18,24 +24,6 @@
            "dest": "/etc/neutron/dnsmasq.conf",
            "owner": "neutron",
            "perm": "0600"
-        },
-        {
-            "source": "{{ container_config_directory }}/l3_agent.ini",
-            "dest": "/etc/neutron/l3_agent.ini",
-            "owner": "neutron",
-            "perm": "0600"
-        },
-        {
-            "source": "{{ container_config_directory }}/ml2_conf.ini",
-            "dest": "/etc/neutron/plugins/ml2/ml2_conf.ini",
-            "owner": "neutron",
-            "perm": "0600"
-        },
-        {
-            "source": "{{ container_config_directory }}/metadata_agent.ini",
-            "dest": "/etc/neutron/metadata_agent.ini",
-            "owner": "neutron",
-            "perm": "0600"
        }
    ]
 }
--- a/ansible/roles/neutron/templates/neutron-l3-agent.json.j2
+++ b/ansible/roles/neutron/templates/neutron-l3-agent.json.j2
@ -0,0 +1,29 @@
+{
+    "command": "neutron-l3-agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/l3_agent.ini --config-file /etc/neutron/fwaas_driver.ini --config-file /etc/neutron/plugins/ml2/ml2_conf.ini",
+    "config_files": [
+        {
+            "source": "{{ container_config_directory }}/neutron.conf",
+            "dest": "/etc/neutron/neutron.conf",
+            "owner": "neutron",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/ml2_conf.ini",
+            "dest": "/etc/neutron/plugins/ml2/ml2_conf.ini",
+            "owner": "neutron",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/fwaas_driver.ini",
+            "dest": "/etc/neutron/fwaas_driver.ini",
+            "owner": "neutron",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/l3_agent.ini",
+            "dest": "/etc/neutron/l3_agent.ini",
+            "owner": "neutron",
+            "perm": "0600"
+        }
+    ]
+}
--- a/ansible/roles/neutron/templates/neutron-metadata-agent.json.j2
+++ b/ansible/roles/neutron/templates/neutron-metadata-agent.json.j2
@ -0,0 +1,23 @@
+{
+    "command": "neutron-metadata-agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/metadata_agent.ini",
+    "config_files": [
+        {
+            "source": "{{ container_config_directory }}/neutron.conf",
+            "dest": "/etc/neutron/neutron.conf",
+            "owner": "neutron",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/ml2_conf.ini",
+            "dest": "/etc/neutron/plugins/ml2/ml2_conf.ini",
+            "owner": "neutron",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/metadata_agent.ini",
+            "dest": "/etc/neutron/metadata_agent.ini",
+            "owner": "neutron",
+            "perm": "0600"
+        }
+    ]
+}
--- a/ansible/roles/neutron/templates/neutron.conf.j2
+++ b/ansible/roles/neutron/templates/neutron.conf.j2
@ -8,9 +8,12 @@ syslog_log_facility = LOG_LOCAL0
 bind_host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
 bind_port = {{ neutron_server_port }}

-#lock_path = /var/lock/neutron
 api_paste_config = /usr/share/neutron/api-paste.ini

+# NOTE(SamYaple): We must specify this value here rather than the metadata conf
+# because it is used by the l3 and dhcp agents. The reason the path has 'kolla'
+# in it is because we are sharing this socket in a volume which is it's own dir
+metadata_proxy_socket = /var/lib/neutron/kolla/metadata_proxy

 {% if neutron_plugin_agent == "openvswitch" %}
 interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
--- a/ansible/roles/nova/tasks/config.yml
+++ b/ansible/roles/nova/tasks/config.yml
@ -15,7 +15,7 @@
    - "default"
  when:
    - set_sysctl | bool
-    - inventory_hostname in groups['neutron-agents']
+    - inventory_hostname in groups['compute']

 - name: Ensuring config directories exist
  file:
--- a/ansible/site.yml
+++ b/ansible/site.yml
@ -94,7 +94,9 @@

 - hosts:
    - compute
-    - neutron-agents
+    - neutron-dhcp-agent
+    - neutron-l3-agent
+    - neutron-metadata-agent
    - neutron-server
    - rabbitmq
  roles:
--- a/docker/neutron/neutron-agents/Dockerfile.j2
+++ b/docker/neutron/neutron-agents/Dockerfile.j2
@ -1,52 +0,0 @@
-FROM {{ namespace }}/{{ image_prefix }}neutron-base:{{ tag }}
-MAINTAINER {{ maintainer }}
-
-{% if base_distro in ['centos', 'fedora', 'oraclelinux', 'rhel'] %}
-
-RUN yum install -y \
-        openvswitch \
-        supervisor \
-    && yum clean all
-
-COPY supervisord.conf /etc/
-
-{% elif base_distro in ['ubuntu', 'debian'] %}
-
-RUN apt-get install -y --no-install-recommends supervisor \
-    && apt-get clean
-
-COPY supervisord.conf /etc/supervisor/
-
-    {% if install_type == 'binary' %}
-
-RUN apt-get install -y --no-install-recommends \
-        neutron-metadata-agent \
-        neutron-dhcp-agent \
-        neutron-l3-agent \
-    && apt-get clean
-
-    {% endif %}
-{% endif %}
-
-# TODO: SamYaple FWaaS is part of the l3-agent, not a separate agent that is
-# why this file is needed. To support FWaaS we cannot have a separate container
-# I need to figure out the best way to make this work together
-#
-# This file _does_ _not_ need to exist, you must remove referencing it from the
-# exec line in the start script. Also all these config options can exist in the
-# main neutron.conf if we wish
-COPY fwaas_driver.ini /etc/neutron/
-
-COPY neutron-dhcp-agent/ /var/lib/kolla/neutron-dhcp-agent
-COPY neutron-l3-agent/ /var/lib/kolla/neutron-l3-agent
-COPY neutron-metadata-agent/ /var/lib/kolla/neutron-metadata-agent
-COPY config-sudoers.sh /var/lib/kolla/
-
-COPY start.sh /
-
-# We will remove this line in Docker 1.10 when namespace propagation works
-VOLUME /run/netns
-
-CMD ["/start.sh"]
-
-{{ include_footer }}
--- a/docker/neutron/neutron-agents/config-sudoers.sh
+++ b/docker/neutron/neutron-agents/config-sudoers.sh
@ -1,12 +0,0 @@
-#!/bin/bash
-
-# Neutron uses rootwrap which requires a tty for sudo.
-# Since the container is running in daemon mode, a tty
-# is not present and requiretty must be commented out.
-if [ ! -f /sudo-modified ]; then
-    chmod 0640 /etc/sudoers
-    sed -i '/Defaults    requiretty/s/^/#/' /etc/sudoers
-    chmod 0440 /etc/sudoers
-fi
-
-touch /sudo-modified
--- a/docker/neutron/neutron-agents/fwaas_driver.ini
+++ b/docker/neutron/neutron-agents/fwaas_driver.ini
@ -1 +0,0 @@
-neutron-l3-agent/fwaas_driver.ini
--- a/docker/neutron/neutron-agents/neutron-dhcp-agent/start.sh
+++ b/docker/neutron/neutron-agents/neutron-dhcp-agent/start.sh
@ -1,11 +0,0 @@
-#!/bin/bash
-set -o errexit
-
-# Loading common functions.
-source /var/lib/kolla/config-sudoers.sh
-
-# Will be removed when neutron-agents is a thin container
-CMD="neutron-dhcp-agent"
-ARGS="--config-file /etc/neutron/neutron.conf --config-file /etc/neutron/dhcp_agent.ini"
-
-exec $CMD $ARGS
--- a/docker/neutron/neutron-agents/neutron-l3-agent/fwaas_driver.ini
+++ b/docker/neutron/neutron-agents/neutron-l3-agent/fwaas_driver.ini
@ -1,3 +0,0 @@
-[fwaas]
-#driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
-#enabled = True
--- a/docker/neutron/neutron-agents/neutron-l3-agent/start.sh
+++ b/docker/neutron/neutron-agents/neutron-l3-agent/start.sh
@ -1,11 +0,0 @@
-#!/bin/bash
-set -o errexit
-
-# Loading common functions.
-source /var/lib/kolla/config-sudoers.sh
-
-# Will be removed when this container is broken out into thin containers
-CMD="neutron-l3-agent"
-ARGS="--config-file /etc/neutron/neutron.conf --config-file /etc/neutron/l3_agent.ini --config-file /etc/neutron/fwaas_driver.ini --config-file /etc/neutron/plugins/ml2/ml2_conf.ini"
-
-exec $CMD $ARGS
--- a/docker/neutron/neutron-agents/neutron-metadata-agent/start.sh
+++ b/docker/neutron/neutron-agents/neutron-metadata-agent/start.sh
@ -1,11 +0,0 @@
-#!/bin/bash
-set -o errexit
-
-# Loading common functions.
-source /var/lib/kolla/config-sudoers.sh
-
-# Will be removed when this container is broken out in thin containers
-CMD="neutron-metadata-agent"
-ARGS="--config-file /etc/neutron/neutron.conf --config-file /etc/neutron/metadata_agent.ini"
-
-exec $CMD $ARGS
--- a/docker/neutron/neutron-agents/start.sh
+++ b/docker/neutron/neutron-agents/start.sh
@ -1,10 +0,0 @@
-#!/bin/bash
-set -o errexit
-
-# We must remove all of the stale namespaces if they exist
-rm -f /run/netns/*
-
-# Processing /var/lib/kolla/config_files/config.json
-python /usr/local/bin/kolla_set_configs
-
-exec /usr/bin/supervisord
--- a/docker/neutron/neutron-agents/supervisord.conf
+++ b/docker/neutron/neutron-agents/supervisord.conf
@ -1,40 +0,0 @@
-[unix_http_server]
-file = /var/run/supervisor.sock
-
-[inet_http_server]
-port = 127.0.0.1:9001
-
-[supervisord]
-nodaemon=true
-logfile = /var/log/supervisor/supervisord.log
-logfile_maxbytes = 200KB
-logfile_backups = 1
-pidfile = /var/run/supervisord.pid
-childlogdir = /var/log/supervisor
-
-[rpcinterface:supervisor]
-supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
-
-[supervisorctl]
-serverurl = unix:///var/run/supervisor.sock
-
-[program:neutron-dhcp-agent]
-command=/var/lib/kolla/neutron-dhcp-agent/start.sh
-priority=40
-startsec=10
-stderr_events_enabled=true
-stdout_events_enabled=true
-
-[program:neutron-metadata-agent]
-command=/var/lib/kolla/neutron-metadata-agent/start.sh
-priority=40
-startsec=10
-stderr_events_enabled=true
-stdout_events_enabled=true
-
-[program:neutron-l3-agent]
-command=/var/lib/kolla/neutron-l3-agent/start.sh
-priority=40
-startsec=10
-stderr_events_enabled=true
-stdout_events_enabled=true
--- a/docker/neutron/neutron-base/Dockerfile.j2
+++ b/docker/neutron/neutron-base/Dockerfile.j2
@ -36,11 +36,12 @@ RUN yum -y install \
    {% elif base_distro in ['ubuntu', 'debian'] %}

 RUN apt-get install -y --no-install-recommends \
-        iptables \
+        arping \
        dnsmasq \
-        uuid-runtime \
        ipset \
+        iptables \
        openvswitch-switch \
+        uuid-runtime \
    && apt-get clean

    {% endif %}
@ -49,15 +50,17 @@ ADD neutron-base-archive /neutron-base-source
 RUN ln -s neutron-base-source/* neutron \
    && useradd --user-group neutron \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /neutron \
-    && mkdir -p /etc/neutron /usr/share/neutron /var/log/neutron /home/neutron \
+    && mkdir -p /etc/neutron /usr/share/neutron /var/lib/neutron /var/log/neutron /home/neutron \
    && cp -r /neutron/etc/* /etc/neutron/ \
    && cp -r /neutron/etc/neutron/* /etc/neutron/ \
    && cp /neutron/etc/api-paste.ini /usr/share/neutron \
    && mv /etc/neutron/neutron/ /etc/neutron/plugins/ \
-    && chown -R neutron: /etc/neutron /usr/share/neutron /var/log/neutron /home/neutron \
+    && chown -R neutron: /etc/neutron /usr/share/neutron /var/lib/neutron /var/log/neutron /home/neutron \
    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/neutron/rootwrap.conf

 {% endif %}

-COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 755 /usr/local/bin/kolla_extend_start
+COPY neutron_sudoers /etc/sudoers.d/neutron_sudoers
+RUN usermod -a -G kolla neutron \
+    && chmod 750 /etc/sudoers.d \
+    && chmod 440 /etc/sudoers.d/neutron_sudoers
--- a/docker/neutron/neutron-base/extend_start.sh
+++ b/docker/neutron/neutron-base/extend_start.sh
@ -1,11 +0,0 @@
-#!/bin/bash
-
-# Neutron uses rootwrap which requires a tty for sudo.
-# Since the container is running in daemon mode, a tty
-# is not present and requiretty must be commented out.
-if [ ! -f /sudo-modified ]; then
-    chmod 0640 /etc/sudoers
-    sed -i '/Defaults    requiretty/s/^/#/' /etc/sudoers
-    chmod 0440 /etc/sudoers
-    touch /sudo-modified
-fi
--- a/docker/neutron/neutron-base/neutron_sudoers
+++ b/docker/neutron/neutron-base/neutron_sudoers
@ -0,0 +1 @@
+neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
--- a/docker/neutron/neutron-dhcp-agent/Dockerfile.j2
+++ b/docker/neutron/neutron-dhcp-agent/Dockerfile.j2
@ -0,0 +1,16 @@
+FROM {{ namespace }}/{{ image_prefix }}neutron-base:{{ tag }}
+MAINTAINER {{ maintainer }}
+
+{% if base_distro in ['ubuntu', 'debian'] %}
+    {% if install_type == 'binary' %}
+
+RUN apt-get install -y --no-install-recommends \
+        neutron-dhcp-agent \
+    && apt-get clean
+
+    {% endif %}
+{% endif %}
+
+{{ include_footer }}
+
+USER neutron
--- a/docker/neutron/neutron-l3-agent/Dockerfile.j2
+++ b/docker/neutron/neutron-l3-agent/Dockerfile.j2
@ -0,0 +1,16 @@
+FROM {{ namespace }}/{{ image_prefix }}neutron-base:{{ tag }}
+MAINTAINER {{ maintainer }}
+
+{% if base_distro in ['ubuntu', 'debian'] %}
+    {% if install_type == 'binary' %}
+
+RUN apt-get install -y --no-install-recommends \
+        neutron-l3-agent \
+    && apt-get clean
+
+    {% endif %}
+{% endif %}
+
+{{ include_footer }}
+
+USER neutron
--- a/docker/neutron/neutron-metadata-agent/Dockerfile.j2
+++ b/docker/neutron/neutron-metadata-agent/Dockerfile.j2
@ -0,0 +1,23 @@
+FROM {{ namespace }}/{{ image_prefix }}neutron-base:{{ tag }}
+MAINTAINER {{ maintainer }}
+
+{% if base_distro in ['ubuntu', 'debian'] %}
+    {% if install_type == 'binary' %}
+
+RUN apt-get install -y --no-install-recommends \
+        neutron-metadata-agent \
+    && apt-get clean
+
+    {% endif %}
+{% endif %}
+
+COPY neutron_sudoers /etc/sudoers.d/neutron_sudoers
+COPY extend_start.sh /usr/local/bin/kolla_extend_start
+RUN chmod 755 /usr/local/bin/kolla_extend_start \
+    && chmod 750 /etc/sudoers.d \
+    && chmod 440 /etc/sudoers.d/neutron_sudoers \
+    && usermod -a -G kolla neutron
+
+{{ include_footer }}
+
+USER neutron
--- a/docker/neutron/neutron-metadata-agent/extend_start.sh
+++ b/docker/neutron/neutron-metadata-agent/extend_start.sh
@ -0,0 +1,6 @@
+#!/bin/bash
+
+# Only update permissions if permissions need to be updated
+if [[ $(stat -c %U:%G /var/lib/neutron/kolla) != "neutron:neutron" ]]; then
+    sudo chown neutron: /var/lib/neutron/kolla
+fi
--- a/docker/neutron/neutron-metadata-agent/neutron_sudoers
+++ b/docker/neutron/neutron-metadata-agent/neutron_sudoers
@ -0,0 +1 @@
+%kolla ALL=(root) NOPASSWD: /bin/chown neutron\: /var/lib/neutron/kolla, /usr/bin/chown neutron\: /var/lib/neutron/kolla
--- a/docker/neutron/neutron-openvswitch-agent/Dockerfile.j2
+++ b/docker/neutron/neutron-openvswitch-agent/Dockerfile.j2
@ -18,14 +18,6 @@ RUN apt-get install -y --no-install-recommends \
        neutron-plugin-openvswitch-agent \
    && apt-get clean

-    {% endif %}
-{% elif install_type == 'source' %}
-    {% if base_distro in ['centos', 'fedora', 'oraclelinux', 'rhel'] %}
-
-# Install required packages
-RUN yum install -y openvswitch \
-    && yum clean all
-
    {% endif %}
 {% endif %}

--- a/docker/neutron/neutron-server/Dockerfile.j2
+++ b/docker/neutron/neutron-server/Dockerfile.j2
@ -9,3 +9,5 @@ RUN chmod 755 /usr/local/bin/kolla_extend_start \
       fi

 {{ include_footer }}
+
+USER neutron
--- a/docker/neutron/neutron-server/extend_start.sh
+++ b/docker/neutron/neutron-server/extend_start.sh
@ -3,16 +3,6 @@
 # Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases
 # of the KOLLA_BOOTSTRAP variable being set, including empty.
 if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
-    sudo -H -u neutron neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head
+    neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head
    exit 0
 fi
-
-# Neutron uses rootwrap which requires a tty for sudo.
-# Since the container is running in daemon mode, a tty
-# is not present and requiretty must be commented out.
-if [ ! -f /sudo-modified ]; then
-    chmod 0640 /etc/sudoers
-    sed -i '/Defaults    requiretty/s/^/#/' /etc/sudoers
-    chmod 0440 /etc/sudoers
-    touch /sudo-modified
-fi
				`@ -0,0 +1 @@`
				`neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *`
				`@ -0,0 +1 @@`
				`%kolla ALL=(root) NOPASSWD: /bin/chown neutron\: /var/lib/neutron/kolla, /usr/bin/chown neutron\: /var/lib/neutron/kolla`