Run neutron OVN agents as neutron user

As of today we run some agents, like neutron-ovn-metadata agent as
root user, since it needs access to ovsdb socket, which has 750 permissions
by default.

With that, for OVN we already use connection via host:port to the same
ovsdb manager, which allows to run it as an arbitrary user.

In order to align connection methods and to run services with lower
privileges
we introduce couple of new variables that allow to create valid connection
strings for both OpenFlow listeners and regular connection to the manager.

Change-Id: Iceab27aa1fdacc8b13f7ef6974b6a9076b8b7cd9

defaults/main.yml

@@ -510,7 +510,11 @@ neutron_ovn_nb_connection: >-
   {{ ovn_proto }}:{{ groups['neutron_ovn_northd'] | map('extract', hostvars, ['ansible_host']) | join(':6641,' + ovn_proto + ':') }}:6641
 neutron_ovn_sb_connection: >-
   {{ ovn_proto }}:{{ groups['neutron_ovn_northd'] | map('extract', hostvars, ['ansible_host']) | join(':6642,' + ovn_proto + ':') }}:6642
-neutron_ovsdb_manager: ptcp:6640:127.0.0.1
+neutron_ovsdb_manager_host: 127.0.0.1
+neutron_ovsdb_manager_port: 6640
+neutron_ovsdb_manager_proto: tcp
+neutron_ovsdb_manager: "p{{ [neutron_ovsdb_manager_proto, neutron_ovsdb_manager_port, neutron_ovsdb_manager_host] | select | join(':') }}"
+neutron_ovsdb_manager_connection: "{{ [neutron_ovsdb_manager_proto, neutron_ovsdb_manager_host, neutron_ovsdb_manager_port] | select | join(':') }}"
 neutron_ovn_sb_inactivity_probe: 60000
 neutron_ovn_nb_inactivity_probe: 60000
 

releasenotes/notes/ovsdb_manager_connection-5ea44a5fd9aa789b.yaml

@@ -0,0 +1,17 @@
+---
+features:
+  - |
+    Added new variables to os_neutron role that allow to adjust connection
+    to OVS manager:
+
+      * ``neutron_ovsdb_manager_host``: defaults to 127.0.0.1
+      * ``neutron_ovsdb_manager_port``: defaults to 6640
+      * ``neutron_ovsdb_manager_proto``: defaults to tcp
+      * ``neutron_ovsdb_manager_connection``: Combines proto, host and port
+        into a valid connection string for neutron plugins.
+
+deprecations:
+  - |
+    Variable ``neutron_ovs_socket_path`` has been deprecated and will be
+    silently ignored. Please use ``neutron_ovsdb_manager_connection`` in
+    order to override connection to OVS.

templates/neutron_ovn_metadata_agent.ini.j2

@@ -14,5 +14,5 @@ metadata_proxy_shared_secret = {{ nova_metadata_proxy_secret }}
 nova_metadata_protocol = {{ neutron_nova_metadata_protocol }}
 
 [ovs]
-ovsdb_connection = unix:{{ neutron_ovs_socket_path }}/db.sock
+ovsdb_connection = {{ neutron_ovsdb_manager_connection }}
 ovsdb_connection_timeout = 180

vars/debian.yml

@@ -23,8 +23,6 @@ neutron_ovn_northd_service_name: ovn-central
 
 neutron_ovn_controller_service_name: ovn-host
 
-neutron_ovs_socket_path: "/var/run/openvswitch"
-
 neutron_ovn_northd_opts: "OVN_CTL_OPTS"
 
 neutron_ovn_northd_opts_file: "/etc/default/ovn-central"

vars/main.yml

@@ -512,8 +512,6 @@ neutron_services:
     service_en: False
   neutron-ovn-metadata-agent:
     group: neutron_ovn_controller
-    systemd_user_name: root
-    systemd_group_name: root
     systemd_lock_dir: /run/lock/neutron-ovn-metadata
     service_name: neutron-ovn-metadata-agent
     service_en: "{{ neutron_plugin_type == 'ml2.ovn' }}"

vars/redhat.yml

@@ -30,8 +30,6 @@ neutron_ovn_northd_service_name: ovn-northd
 
 neutron_ovn_controller_service_name: ovn-controller
 
-neutron_ovs_socket_path: "/var/run/openvswitch"
-
 neutron_ovn_northd_opts: "OVN_NORTHD_OPTS"
 
 neutron_ovn_northd_opts_file: "/etc/sysconfig/ovn-northd"