From 601c66666f0c710fcde632c9b13ad0f4c888bccc Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Tue, 20 Feb 2024 13:34:49 +0100
Subject: [PATCH] Run neutron OVN agents as neutron user

As of today we run some agents, like neutron-ovn-metadata agent as root user, since it needs access to ovsdb socket, which has 750 permissions by default. With that, for OVN we already use connection via host:port to the same ovsdb manager, which allows to run it as an arbitrary user. In order to align connection methods and to run services with lower privileges we introduce couple of new variables that allow to create valid connection strings for both OpenFlow listeners and regular connection to the manager.

Change-Id: Iceab27aa1fdacc8b13f7ef6974b6a9076b8b7cd9
---
defaults/main.yml | 6 +++++-
...sdb_manager_connection-5ea44a5fd9aa789b.yaml | 17 +++++++++++++++++
templates/neutron_ovn_metadata_agent.ini.j2 | 2 +-
vars/debian.yml | 2 --
vars/main.yml | 2 --
vars/redhat.yml | 2 --
6 files changed, 23 insertions(+), 8 deletions(-)
create mode 100644 releasenotes/notes/ovsdb_manager_connection-5ea44a5fd9aa789b.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index 2d6db1d0..b08914ec 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -510,7 +510,11 @@ neutron_ovn_nb_connection: >-
   {{ ovn_proto }}:{{ groups['neutron_ovn_northd'] | map('extract', hostvars, ['ansible_host']) | join(':6641,' + ovn_proto + ':') }}:6641
 neutron_ovn_sb_connection: >-
   {{ ovn_proto }}:{{ groups['neutron_ovn_northd'] | map('extract', hostvars, ['ansible_host']) | join(':6642,' + ovn_proto + ':') }}:6642
-neutron_ovsdb_manager: ptcp:6640:127.0.0.1
+neutron_ovsdb_manager_host: 127.0.0.1
+neutron_ovsdb_manager_port: 6640
+neutron_ovsdb_manager_proto: tcp
+neutron_ovsdb_manager: "p{{ [neutron_ovsdb_manager_proto, neutron_ovsdb_manager_port, neutron_ovsdb_manager_host] | select | join(':') }}"
+neutron_ovsdb_manager_connection: "{{ [neutron_ovsdb_manager_proto, neutron_ovsdb_manager_host, neutron_ovsdb_manager_port] | select | join(':') }}"
 neutron_ovn_sb_inactivity_probe: 60000
 neutron_ovn_nb_inactivity_probe: 60000
diff --git a/releasenotes/notes/ovsdb_manager_connection-5ea44a5fd9aa789b.yaml b/releasenotes/notes/ovsdb_manager_connection-5ea44a5fd9aa789b.yaml
new file mode 100644
index 00000000..a5b37bb8
--- /dev/null
+++ b/releasenotes/notes/ovsdb_manager_connection-5ea44a5fd9aa789b.yaml
@@ -0,0 +1,17 @@
+---
+features:
+  - |
+    Added new variables to os_neutron role that allow to adjust connection
+    to OVS manager:
+
+    * ``neutron_ovsdb_manager_host``: defaults to 127.0.0.1
+    * ``neutron_ovsdb_manager_port``: defaults to 6640
+    * ``neutron_ovsdb_manager_proto``: defaults to tcp
+    * ``neutron_ovsdb_manager_connection``: Combines proto, host and port
+      into a valid connection string for neutron plugins.
+
+deprecations:
+  - |
+    Variable ``neutron_ovs_socket_path`` has been deprecated and will be
+    silently ignored. Please use ``neutron_ovsdb_manager_connection`` in
+    order to override connection to OVS.
diff --git a/templates/neutron_ovn_metadata_agent.ini.j2 b/templates/neutron_ovn_metadata_agent.ini.j2
index 537e46ab..ab600d55 100644
--- a/templates/neutron_ovn_metadata_agent.ini.j2
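Review bot: The three new variables land in defaults/main.yml without a comment, and the fact a deployer most needs is that the manager `neutron_ovsdb_manager` builds (`ptcp:6640:127.0.0.1` by default) is a passive TCP listener with no authentication, so the loopback default host is the only thing keeping it private. Per the commit message the agents are moving from a 750-permission unix socket to this host:port, which swaps a filesystem permission check for network reachability, and anyone who overrides `neutron_ovsdb_manager_host` to a routable address exposes an OVS manager to whatever can reach that address unless `neutron_ovsdb_manager_proto` is also switched to `ssl`. I'd put above `neutron_ovsdb_manager_host`: `# ovsdb manager/connection strings are built from these; ptcp/tcp carry no authentication,` / `# so keep the host on loopback unless neutron_ovsdb_manager_proto is ssl.` The `| select` in both strings drops falsy list entries — presumably so that a `unix` proto with an empty port renders as `unix:<path>` — which deserves a one-line comment too, since a port of `0` disappears the same way and the only hint is the resulting two-field string.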
+++ b/templates/neutron_ovn_metadata_agent.ini.j2
@@ -14,5 +14,5 @@ metadata_proxy_shared_secret = {{ nova_metadata_proxy_secret }}
 nova_metadata_protocol = {{ neutron_nova_metadata_protocol }}
 
 [ovs]
-ovsdb_connection = unix:{{ neutron_ovs_socket_path }}/db.sock
+ovsdb_connection = {{ neutron_ovsdb_manager_connection }}
 ovsdb_connection_timeout = 180
diff --git a/vars/debian.yml b/vars/debian.yml
index ac8607c3..8b939c95 100644
--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -23,8 +23,6 @@ neutron_ovn_northd_service_name: ovn-central
 neutron_ovn_controller_service_name: ovn-host
-neutron_ovs_socket_path: "/var/run/openvswitch"
-
 neutron_ovn_northd_opts: "OVN_CTL_OPTS"
 neutron_ovn_northd_opts_file: "/etc/default/ovn-central"
diff --git a/vars/main.yml b/vars/main.yml
index ac6e4ed2..a9de53da 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -512,8 +512,6 @@ neutron_services:
     service_en: False
   neutron-ovn-metadata-agent:
     group: neutron_ovn_controller
-    systemd_user_name: root
-    systemd_group_name: root
     systemd_lock_dir: /run/lock/neutron-ovn-metadata
     service_name: neutron-ovn-metadata-agent
     service_en: "{{ neutron_plugin_type == 'ml2.ovn' }}"
diff --git a/vars/redhat.yml b/vars/redhat.yml
index b59e78e6..096b2754 100644
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@@ -30,8 +30,6 @@ neutron_ovn_northd_service_name: ovn-northd
 neutron_ovn_controller_service_name: ovn-controller
-neutron_ovs_socket_path: "/var/run/openvswitch"
-
 neutron_ovn_northd_opts: "OVN_NORTHD_OPTS"
 neutron_ovn_northd_opts_file: "/etc/sysconfig/ovn-northd"
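Review bot: The `[ovs]` section now emits only `ovsdb_connection` and the timeout, so if `neutron_ovsdb_manager_proto` is set to `ssl` — the obvious override the new variables invite — the agent is handed an `ssl:` URL with no key, certificate or CA file options next to it and cannot complete the connection. Either render those options here when the proto is `ssl`, or state in the release note that only `tcp` and `unix` are supported values. With the root user/group overrides dropped from vars/main.yml, this line is the unprivileged agent's only route to OVS; it stays consistent with the listener because both strings derive from the same three variables, but overriding `neutron_ovsdb_manager` directly (which the release note does not warn against) would silently split them.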