From 4f4d81acb51f3d8d6efaab0fc3beeabdeebd9957 Mon Sep 17 00:00:00 2001 From: Matthew Kassawara Date: Thu, 16 Jul 2015 19:02:26 -0500 Subject: [PATCH] Reduce neutron configuration Reduce neutron configuration as follows: 1) Limit [ml2*] sections to neutron server containers [1]. 2) Remove the [vlan] section everywhere because it only pertains to the defunct Linux bridge monolithic plug-in [2]. 3) Explicitly disable VXLAN if deployment only includes flat or VLAN networks [3]. 4) Limit Linux bridge agent configuration options to neutron agent containers. 5) Remove [agent] tunnel_type option because the Linux bridge agent does not use it. 6) Move some options to correct locations. 7) Reorder some options to improve readability. 8) Annotate groups of options or specific options. [1] https://review.openstack.org/#/c/196759/ [2] https://review.openstack.org/#/c/196765/ [3] https://review.openstack.org/#/c/160826/ Change-Id: I275fb600360530534f7673e6eb2a3d397b10fb8e Closes-Bug: #1473230 --- playbooks/roles/os_neutron/defaults/main.yml | 3 - .../os_neutron/templates/dhcp_agent.ini.j2 | 21 +++- .../os_neutron/templates/l3_agent.ini.j2 | 41 ++++--- .../templates/metadata_agent.ini.j2 | 11 +- .../templates/metering_agent.ini.j2 | 4 + .../os_neutron/templates/neutron.conf.j2 | 113 +++++++++--------- .../templates/plugins/ml2/ml2_conf.ini.j2 | 58 ++++++--- 7 files changed, 143 insertions(+), 108 deletions(-) diff --git a/playbooks/roles/os_neutron/defaults/main.yml b/playbooks/roles/os_neutron/defaults/main.yml index 691f90c63b..f5ee973b23 100644 --- a/playbooks/roles/os_neutron/defaults/main.yml +++ b/playbooks/roles/os_neutron/defaults/main.yml 
@@ -192,9 +192,6 @@ neutron_ml2_mechanism_drivers: "linuxbridge,l2population" # type: "veth" neutron_overlay_network: {} -# Set the vxlan udp port. This is only used when neutron_tunnel_address is defined. -neutron_vxlan_udp_port: 4789 - ## The neutron multicast group address. This should be set as a host variable if used. ## This defaults to an empty string # neutron_vxlan_group: 239.1.1.100 diff --git a/playbooks/roles/os_neutron/templates/dhcp_agent.ini.j2 b/playbooks/roles/os_neutron/templates/dhcp_agent.ini.j2 index 4de712980b..52dce45029 100644 --- a/playbooks/roles/os_neutron/templates/dhcp_agent.ini.j2 +++ b/playbooks/roles/os_neutron/templates/dhcp_agent.ini.j2 @@ -3,19 +3,28 @@ {% set _api_threads = ansible_processor_vcpus|default(2) // 2 %} {% set api_threads = _api_threads if _api_threads > 0 else 1 %} +# General [DEFAULT] verbose = {{ verbose }} debug = {{ debug }} -interface_driver = {{ neutron_driver_interface }} -dhcp_driver = {{ neutron_driver_dhcp }} -enable_isolated_metadata = True - num_sync_threads = {{ neutron_num_sync_threads | default(api_threads) }} -dhcp_domain = {{ neutron_dhcp_domain }} -dhcp_delete_namespaces = {{ neutron_dhcp_delete_namespaces }} +# Drivers +interface_driver = {{ neutron_driver_interface }} +dhcp_driver = {{ neutron_driver_dhcp }} +# Default domain for DHCP leases +dhcp_domain = {{ neutron_dhcp_domain }} + +# Dnsmasq options dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf dnsmasq_dns_servers = {{ neutron_dnsmasq_dns_servers }} dnsmasq_lease_max = {{ neutron_dnsmasq_lease_max }} + +# Metadata +enable_isolated_metadata = True + +# Delete defunct namespaces +dhcp_delete_namespaces = {{ neutron_dhcp_delete_namespaces }} + diff --git a/playbooks/roles/os_neutron/templates/l3_agent.ini.j2 b/playbooks/roles/os_neutron/templates/l3_agent.ini.j2 index 5802758c12..10022484fa 100644 --- a/playbooks/roles/os_neutron/templates/l3_agent.ini.j2 +++ b/playbooks/roles/os_neutron/templates/l3_agent.ini.j2 
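Review bot: The dhcp_agent.ini.j2 hunk ends by adding a bare `+` line after `dhcp_delete_namespaces = {{ neutron_dhcp_delete_namespaces }}`, which leaves a trailing blank line at the end of the rendered file; drop it. The new group comments mostly restate the key names, so they add little for a reader who does not already know the options: `# Metadata` above `enable_isolated_metadata = True` could instead say what the switch does, e.g. `# Answer metadata requests on isolated networks (no router attached)`, and `# Delete defunct namespaces` could name the moment it applies, `# Remove the DHCP namespace when the last network is unscheduled`. The `# General` heading above `[DEFAULT]` is repeated in every agent template of this commit; if it stays, it should at least say the section applies to the whole agent rather than to a group of keys.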
@@ -1,34 +1,41 @@ # {{ ansible_managed }} +# General [DEFAULT] verbose = {{ verbose }} debug = {{ debug }} -allow_automatic_l3agent_failover = True -enable_metadata_proxy = True +handle_internal_only_routers = True external_network_bridge = {{ neutron_external_network_bridge }} gateway_external_network_id = {{ neutron_gateway_external_network_id }} -# L3 Agent HA -ha_confs_path = {{ neutron_system_home_folder }}/ha_confs -ha_vrrp_advert_int = {{ neutron_ha_vrrp_advert_int }} -ha_vrrp_auth_password = {{ neutron_ha_vrrp_auth_password }} -ha_vrrp_auth_type = {{ neutron_ha_vrrp_auth_type }} -handle_internal_only_routers = {{ neutron_handle_internal_only_routers }} -l3_ha = {{ neutron_l3_ha_enabled }} -l3_ha_net_cidr = {{ neutron_l3_ha_net_cidr }} -max_l3_agents_per_router = {{ neutron_max_l3_agents_per_router | default(groups['neutron_agent']|length) }} +# Drivers +interface_driver = {{ neutron_driver_interface }} + +# Agent mode (legacy only) +agent_mode = {{ neutron_agent_mode }} + +# Conventional failover +allow_automatic_l3agent_failover = True {% set min_router = groups['neutron_agent'] | length // 2 %} {% set min_l3_router = min_router if min_router > 0 else 1 %} min_l3_agents_per_router = {{ neutron_min_l3_agents_per_router | default(min_l3_router) }} +max_l3_agents_per_router = {{ neutron_max_l3_agents_per_router | default(groups['neutron_agent']|length) }} + +# HA failover +l3_ha = {{ neutron_l3_ha_enabled }} +l3_ha_net_cidr = {{ neutron_l3_ha_net_cidr }} +ha_confs_path = {{ neutron_system_home_folder }}/ha_confs +ha_vrrp_advert_int = {{ neutron_ha_vrrp_advert_int }} +ha_vrrp_auth_password = {{ neutron_ha_vrrp_auth_password }} +ha_vrrp_auth_type = {{ neutron_ha_vrrp_auth_type }} +handle_internal_only_routers = {{ neutron_handle_internal_only_routers }} send_arp_for_ha = 3 -# L3 configuration options -router_delete_namespaces = {{ neutron_l3_router_delete_namespaces }} +# Metadata +enable_metadata_proxy = True -# L3 Agent interfaces -interface_driver = {{ 
neutron_driver_interface }} -handle_internal_only_routers = True -agent_mode = {{ neutron_agent_mode }} +# Delete defunct namespaces +router_delete_namespaces = {{ neutron_l3_router_delete_namespaces }} diff --git a/playbooks/roles/os_neutron/templates/metadata_agent.ini.j2 b/playbooks/roles/os_neutron/templates/metadata_agent.ini.j2 index a5626cd2ff..ca8c9cfd1c 100644 --- a/playbooks/roles/os_neutron/templates/metadata_agent.ini.j2 +++ b/playbooks/roles/os_neutron/templates/metadata_agent.ini.j2 @@ -3,11 +3,12 @@ {% set _api_threads = ansible_processor_vcpus|default(2) // 2 %} {% set api_threads = _api_threads if _api_threads > 0 else 1 %} +# General [DEFAULT] verbose = {{ verbose }} debug = {{ debug }} -# The Neutron user information for accessing the Neutron API. +# Neutron credentials for API access auth_plugin = {{ neutron_keystone_auth_plugin }} auth_url = {{ keystone_service_adminuri }} auth_uri = {{ keystone_service_internaluri }} @@ -19,14 +20,16 @@ username = {{ neutron_service_user_name }} password = {{ neutron_service_password }} endpoint_type = adminURL -# TCP Port used by Nova metadata server +# Nova metadata service IP and port nova_metadata_ip = {{ internal_lb_vip_address }} nova_metadata_port = {{ nova_metadata_port }} -# Number of backlog requests to configure the metadata server socket with +# Metadata proxy shared secret metadata_proxy_shared_secret = {{ nova_metadata_proxy_secret }} + +# Workers and backlog requests metadata_workers = {{ neutron_metadata_workers | default(api_threads) }} metadata_backlog = {{ neutron_metadata_backlog }} -# Metadata Caching +# Caching cache_url = memory://?default_ttl=5 diff --git a/playbooks/roles/os_neutron/templates/metering_agent.ini.j2 b/playbooks/roles/os_neutron/templates/metering_agent.ini.j2 index 9b5a5efd8f..bee349f23b 100644 --- a/playbooks/roles/os_neutron/templates/metering_agent.ini.j2 +++ b/playbooks/roles/os_neutron/templates/metering_agent.ini.j2 
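Review bot: `handle_internal_only_routers` is set twice in the new [DEFAULT] of l3_agent.ini.j2: `+handle_internal_only_routers = True` directly under `debug`, and `+handle_internal_only_routers = {{ neutron_handle_internal_only_routers }}` inside the `# HA failover` group. The old file carried the same duplicate, but the reorder now presents it as deliberate; the parser should keep the last occurrence, so the hardcoded `True` is dead configuration that misleads anyone reading the file or grepping for why the variable has no effect. Delete the hardcoded line so the role variable is the single source, and move the remaining one out of the HA group, since it is not an HA option. The `ha_vrrp_auth_password` line is unchanged, but as it is a credential rendered into the file, the comment above the group could say so, `# VRRP auth secret, shared by all L3 agents of a router`.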
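Review bot: In the second metadata_agent.ini.j2 hunk the new comment `# Metadata proxy shared secret` above `metadata_proxy_shared_secret = {{ nova_metadata_proxy_secret }}` only restates the key; the useful fact is that this value is a credential the nova metadata service must be configured with as well, e.g. `# Secret used to sign proxied metadata requests; must match nova's metadata_proxy_shared_secret`. The removed comment about backlog requests was misplaced, so replacing it is right, but the replacement should carry that contract. Since the rendered file holds this secret and the Neutron service password above it, the file mode the role applies matters; that task is outside this diff, so I cannot confirm it here.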
@@ -1,11 +1,15 @@ # {{ ansible_managed }} +# General [DEFAULT] verbose = {{ verbose }} debug = {{ debug }} +# Drivers driver = {{ neutron_driver_metering }} interface_driver = {{ neutron_driver_interface }} + +# Intervals measure_interval = 30 [AGENT] diff --git a/playbooks/roles/os_neutron/templates/neutron.conf.j2 b/playbooks/roles/os_neutron/templates/neutron.conf.j2 index 7afd42777b..b9622533a4 100644 --- a/playbooks/roles/os_neutron/templates/neutron.conf.j2 +++ b/playbooks/roles/os_neutron/templates/neutron.conf.j2 
@@ -3,72 +3,66 @@ {% set _api_threads = ansible_processor_vcpus|default(2) // 2 %} {% set api_threads = _api_threads if _api_threads > 0 else 1 %} +# General, applies to all host groups [DEFAULT] verbose = {{ verbose }} debug = {{ debug }} fatal_deprecations = {{ neutron_fatal_deprecations }} - use_syslog = False - log_file = /var/log/neutron/neutron.log -auth_strategy = keystone + +{% if inventory_hostname in groups['neutron_server'] %} + +# General, only applies to neutron server host group network_device_mtu = {{ neutron_network_device_mtu }} allow_overlapping_ips = True vlan_transparent = False - -## Drivers -network_scheduler_driver = {{ neutron_driver_network_scheduler }} -router_scheduler_driver = {{ neutron_driver_router_scheduler }} -loadbalancer_pool_scheduler_driver = {{ neutron_driver_loadbalancer_pool_scheduler }} -dhcp_driver = {{ neutron_driver_dhcp }} -notification_driver = {{ neutron_driver_notification }} - - -## Schedulers -router_distributed = False -network_auto_schedule = True -router_auto_schedule = True - - -## Agents -agent_down_time = {{ neutron_agent_down_time }} - - -## API -bind_port = 9696 -bind_host = 0.0.0.0 - - -## Workers -api_workers = {{ neutron_api_workers | default(api_threads) }} -rpc_workers = {{ neutron_rpc_workers }} - - -## Plugins +# Plugins core_plugin = {{ neutron_plugin_core }} service_plugins = {{ neutron_plugin_loaded_base }} - -## MAC Address +# MAC address generation for VIFs base_mac = fa:16:3e:00:00:00 mac_generation_retries = 16 +# Authentication method +auth_strategy = keystone -## DHCP +# Drivers +network_scheduler_driver = {{ neutron_driver_network_scheduler }} +router_scheduler_driver = {{ neutron_driver_router_scheduler }} +loadbalancer_pool_scheduler_driver = {{ neutron_driver_loadbalancer_pool_scheduler }} +notification_driver = {{ neutron_driver_notification }} + +# Schedulers +network_auto_schedule = True +router_auto_schedule = True + +# Distributed virtual routing (disable by default) 
+router_distributed = False + +# Agents +agent_down_time = {{ neutron_agent_down_time }} + +# API +bind_port = 9696 +bind_host = 0.0.0.0 + +# Workers +api_workers = {{ neutron_api_workers | default(api_threads) }} +rpc_workers = {{ neutron_rpc_workers }} + +# DHCP dhcp_agent_notification = True dhcp_agents_per_network = {{ groups['neutron_agent'] | length }} -dhcp_delete_namespaces = True dhcp_lease_duration = 86400 advertise_mtu = False -## Notifications +# Nova notifications notify_nova_on_port_status_changes = True notify_nova_on_port_data_changes = True send_events_interval = 2 - - -## Nova nova_url = {{ nova_service_adminurl|replace('/%(tenant_id)s', '') }} ## Rpc all @@ -87,7 +81,7 @@ project_name = {{ nova_service_project_name }} username = {{ nova_service_user_name }} password = {{ nova_service_password }} - +# Quotas [quotas] quota_driver = {{ neutron_driver_quota }} quota_items = network,subnet,port @@ -106,13 +100,7 @@ quota_security_group_rule = {{ neutron_quota_security_group_rule }} quota_subnet = {{ neutron_quota_subnet }} quota_vip = {{ neutron_quota_vip }} - -[agent] -polling_interval = {{ neutron_agent_polling_interval|default(5) }} -report_interval = {{ neutron_report_interval|int }} -root_helper = sudo /usr/local/bin/neutron-rootwrap /etc/neutron/rootwrap.conf - - +# Keystone authentication [keystone_authtoken] insecure = {{ keystone_service_internaluri_insecure | bool }} auth_plugin = {{ neutron_keystone_auth_plugin }} 
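Review bot: The `{% if inventory_hostname in groups['neutron_server'] %}` added after `log_file` in the first neutron.conf.j2 hunk is only closed by the `{% endif %}` that survives after [service_providers] in the last hunk of this file, so everything between them is now rendered on neutron server hosts only: the remainder of [DEFAULT] including `auth_strategy = keystone`, the `## Rpc all` block, the [nova] credentials at the second hunk, [quotas] and [keystone_authtoken], where previously only [database] was gated. That is a wider cut than item 1 of the commit message describes. The `## Rpc all` options are not visible here; if they set `rpc_backend`, `control_exchange` or similar, agent containers will lose them and fall back to oslo.messaging defaults, so please confirm. At minimum the far-away close deserves a marker, `{% endif %}` preceded by `# End of neutron server only options`, mirroring the opening comment.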
@@ -130,34 +118,41 @@ memcached_servers = {{ memcached_servers }} token_cache_time = 300 revocation_cache_time = 60 -# if your memcached server is shared, use these settings to avoid cache poisoning +# Prevent cache poisoning if sharing a memcached server memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcached_encryption_key }} -# if your keystone deployment uses PKI, and you value security over performance: +# Enable if your keystone deployment uses PKI and you prefer security over +# performance (disable by default) check_revocations_for_cached = False -{% if inventory_hostname in groups['neutron_server'] %} - +# Database [database] connection = mysql://{{ neutron_galera_user }}:{{ neutron_container_mysql_password }}@{{ neutron_galera_address }}/{{ neutron_galera_database }}?charset=utf8 max_overflow = {{ neutron_db_max_overflow }} max_pool_size = {{ neutron_db_pool_size }} pool_timeout = {{ neutron_db_pool_timeout }} +# Service providers +[service_providers] +service_provider = LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default +service_provider = VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default + {% endif %} +# Agent +[agent] +polling_interval = {{ neutron_agent_polling_interval|default(5) }} +report_interval = {{ neutron_report_interval|int }} +root_helper = sudo /usr/local/bin/neutron-rootwrap /etc/neutron/rootwrap.conf + +# Messaging service [oslo_messaging_rabbit] rabbit_port = {{ rabbitmq_port }} rabbit_userid = {{ rabbitmq_userid }} rabbit_password = {{ rabbitmq_password }} rabbit_hosts = {{ rabbitmq_servers }} - +# Concurrency (locking mechanisms) [oslo_concurrency] lock_path = /var/lock/neutron - - -[service_providers] -service_provider = LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default -service_provider = 
VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default diff --git a/playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2 b/playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2 index 31ee9a7145..3a82320258 100644 --- a/playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2 +++ b/playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2 @@ -1,5 +1,8 @@ # {{ ansible_managed }} +{% if inventory_hostname in groups['neutron_server'] %} + +# ML2 general [ml2] type_drivers = {{ neutron_ml2_drivers_type }} tenant_network_types = {{ neutron_provider_networks.network_types }} 
@@ -7,66 +10,83 @@ mechanism_drivers = {{ neutron_ml2_mechanism_drivers }} path_mtu = 0 segment_mtu = 0 - {% if neutron_provider_networks.network_flat_networks %} + +# ML2 flat networks [ml2_type_flat] flat_networks = {{ neutron_provider_networks.network_flat_networks }} + {% endif %} - {% if neutron_provider_networks.network_vlan_ranges %} + +# ML2 VLAN networks [ml2_type_vlan] network_vlan_ranges = {{ neutron_provider_networks.network_vlan_ranges }} - -[vlans] -tenant_network_type = vlan -network_vlan_ranges = {{ neutron_provider_networks.network_vlan_ranges }} {% endif %} - {% if neutron_provider_networks.network_vxlan_ranges is defined %} + +# ML2 VXLAN networks [ml2_type_vxlan] vxlan_group = {{ neutron_vxlan_group|default('') }} vni_ranges = {{ neutron_provider_networks.network_vxlan_ranges }} + +{% endif %} {% endif %} +{% if inventory_hostname in groups['neutron_linuxbridge_agent'] %} + +# Linux bridge agent VXLAN networks +[vxlan] {% if neutron_overlay_network %} -[vxlan] + enable_vxlan = True vxlan_group = {{ neutron_vxlan_group|default('') }} + {% if (is_metal == true or is_metal == "True") and neutron_overlay_network.bridge is defined %} {% set on_metal_tunnel_bridge = 'ansible_' + neutron_overlay_network.bridge|replace('-', '_') %} + +# VXLAN local tunnel endpoint (bare metal) local_ip = {{ hostvars[inventory_hostname][on_metal_tunnel_bridge]['ipv4']['address'] }} + {% else %} + +# VXLAN local tunnel endpoint (container) local_ip = {{ neutron_overlay_network.address }} + {% endif %} + l2_population = {{ neutron_l2_population }} + +{% else %} + +# Disable VXLAN for deployments with only flat or VLAN networks +enable_vxlan = False + {% endif %} - -[agent] -tunnel_types = vxlan -## VXLAN udp port -# This is set for the vxlan port and while this -# is being set here it's ignored because -# the port is assigned by the kernel -vxlan_udp_port = {{ neutron_vxlan_udp_port }} - - {% if neutron_provider_networks.network_mappings is defined %} + +# Linux bridge 
agent physical interface mappings [linux_bridge] physical_interface_mappings = {{ neutron_provider_networks.network_mappings }} + {% endif %} +# Agent (empty for Linux bridge agent) +[agent] +# L2 population [l2pop] agent_boot_time = 180 +{% endif %} +# Security groups [securitygroup] enable_security_group = True enable_ipset = True firewall_driver = {{ neutron_driver_firewall }} -
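Review bot: `[l2pop] agent_boot_time = 180` now sits inside the `{% if inventory_hostname in groups['neutron_linuxbridge_agent'] %}` block, closed by the `{% endif %}` right after it, but `agent_boot_time` is consumed by the l2population mechanism driver, which runs in neutron-server rather than in the Linux bridge agent; on hosts that are only in neutron_server the section is no longer rendered, and because 180 matches the driver default the regression is silent. Move `[l2pop]` up into the neutron_server block opened in the first hunk of this file, next to the other `[ml2*]` sections. The new `[agent]` header with `# Agent (empty for Linux bridge agent)` renders an empty section; the agent's `polling_interval`/`report_interval`/`root_helper` already live in neutron.conf's [agent], so drop the header here rather than document its emptiness. The `# Disable VXLAN for deployments with only flat or VLAN networks` branch is a good addition; consider saying that it is the `{% else %}` of `neutron_overlay_network` so readers know which variable selects it.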