diff --git a/neutron/templates/bin/_neutron-linuxbridge-agent-init-modules.sh.tpl b/neutron/templates/bin/_neutron-linuxbridge-agent-init-modules.sh.tpl new file mode 100644 index 0000000000..7926dbd711 --- /dev/null +++ b/neutron/templates/bin/_neutron-linuxbridge-agent-init-modules.sh.tpl @@ -0,0 +1,21 @@ +#!/bin/bash + +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -ex +chroot /mnt/host-rootfs modprobe ip6_tables +chroot /mnt/host-rootfs modprobe ebtables diff --git a/neutron/templates/bin/_neutron-linuxbridge-agent-init.sh.tpl b/neutron/templates/bin/_neutron-linuxbridge-agent-init.sh.tpl index 4816c90f01..52a372897a 100644 --- a/neutron/templates/bin/_neutron-linuxbridge-agent-init.sh.tpl +++ b/neutron/templates/bin/_neutron-linuxbridge-agent-init.sh.tpl @@ -18,8 +18,6 @@ limitations under the License. set -ex -modprobe ebtables - # configure external bridge external_bridge="{{- .Values.network.external_bridge -}}" external_interface="{{- .Values.network.interface.external -}}" diff --git a/neutron/templates/bin/_neutron-openvswitch-agent-init-modules.sh.tpl b/neutron/templates/bin/_neutron-openvswitch-agent-init-modules.sh.tpl new file mode 100644 index 0000000000..3321a9f7c3 --- /dev/null +++ b/neutron/templates/bin/_neutron-openvswitch-agent-init-modules.sh.tpl 
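Review bot: In the new `_neutron-linuxbridge-agent-init-modules.sh.tpl`, the two `chroot /mnt/host-rootfs modprobe …` lines run the host's own modprobe as root, but nothing in the script says why the chroot is needed or what it depends on. I would add a comment above them such as `# Use the host's modprobe and /lib/modules so modules match the running kernel; needs the host-rootfs mount plus SYS_MODULE and SYS_CHROOT.` The daemonset adds only `SYS_MODULE`, so `chroot` presumably relies on SYS_CHROOT still being in the container runtime's default capability set; under `set -ex` the init container fails outright on a cluster whose policy drops it. The same applies to the openvswitch-agent and openvswitch-vswitchd init-modules scripts added later in this diff, and the vswitchd one also loses the old "tunnel kernel modules we may use" comment.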
@@ -0,0 +1,20 @@ +#!/bin/bash + +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -ex +chroot /mnt/host-rootfs modprobe ip6_tables diff --git a/neutron/templates/configmap-bin.yaml b/neutron/templates/configmap-bin.yaml index 197c9d8926..aaef7f3b2d 100644 --- a/neutron/templates/configmap-bin.yaml +++ b/neutron/templates/configmap-bin.yaml @@ -49,6 +49,8 @@ data: {{ tuple "bin/_neutron-linuxbridge-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} neutron-linuxbridge-agent-init.sh: |+ {{ tuple "bin/_neutron-linuxbridge-agent-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + neutron-linuxbridge-agent-init-modules.sh: |+ +{{ tuple "bin/_neutron-linuxbridge-agent-init-modules.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} neutron-metadata-agent.sh: |+ {{ tuple "bin/_neutron-metadata-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} neutron-metadata-agent-init.sh: |+ 
@@ -57,6 +59,8 @@ data: {{ tuple "bin/_neutron-openvswitch-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} neutron-openvswitch-agent-init.sh: |+ {{ tuple "bin/_neutron-openvswitch-agent-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + neutron-openvswitch-agent-init-modules.sh: |+ +{{ tuple "bin/_neutron-openvswitch-agent-init-modules.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} neutron-server.sh: |+ {{ tuple "bin/_neutron-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{- end }} diff --git a/neutron/templates/daemonset-lb-agent.yaml b/neutron/templates/daemonset-lb-agent.yaml index 5af6fb7bc5..b12bf4f693 100644 --- a/neutron/templates/daemonset-lb-agent.yaml +++ b/neutron/templates/daemonset-lb-agent.yaml @@ -40,6 +40,24 @@ spec: hostNetwork: true initContainers: {{ tuple $envAll $dependencies $mounts_neutron_lb_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + - name: neutron-lb-agent-kernel-modules + image: {{ .Values.images.tags.neutron_linuxbridge_agent }} + imagePullPolicy: {{ .Values.images.pull_policy }} + securityContext: + capabilities: + add: + - SYS_MODULE + runAsUser: 0 + command: + - /tmp/neutron-linuxbridge-agent-init-modules.sh + volumeMounts: + - name: neutron-bin + mountPath: /tmp/neutron-linuxbridge-agent-init-modules.sh + subPath: neutron-linuxbridge-agent-init-modules.sh + readOnly: true + - name: host-rootfs + mountPath: /mnt/host-rootfs + readOnly: true - name: neutron-lb-agent-init image: {{ .Values.images.tags.neutron_linuxbridge_agent }} imagePullPolicy: {{ .Values.images.pull_policy }} 
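Review bot: The `neutron-lb-agent-kernel-modules` init container in daemonset-lb-agent.yaml mounts `host-rootfs`, which the volumes hunk further down defines as `hostPath: path: /`, so a root container with `SYS_MODULE` now sees the whole host filesystem where the removed `libmodules` volume exposed only `/lib/modules`. `readOnly: true` on the mount prevents writes to host files but does not limit which modules the container can load into the host kernel, so the pod is effectively host-privileged for the init step. If the full root is needed only to reach the host's modprobe binary and libraries, record that next to the volume, e.g. `# host-rootfs: host / is mounted so the init container can chroot and run the host's modprobe; do not mount it in other containers`. The `$mounts_neutron_lb_agent.volumeMounts` override rendered into the agent containers could, as far as the visible template shows, reference this volume by name, which is worth calling out wherever those values are documented. The same init container and volume are added to daemonset-ovs-agent.yaml and daemonset-ovs-vswitchd.yaml.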
@@ -119,9 +137,6 @@ spec: mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters subPath: openvswitch-plugin.filters readOnly: true - - name: libmodules - mountPath: /lib/modules - readOnly: true - name: run mountPath: /run {{ if $mounts_neutron_lb_agent.volumeMounts }}{{ toYaml $mounts_neutron_lb_agent.volumeMounts | indent 12 }}{{ end }} @@ -211,9 +226,6 @@ spec: mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters subPath: openvswitch-plugin.filters readOnly: true - - name: libmodules - mountPath: /lib/modules - readOnly: true - name: run mountPath: /run {{ if $mounts_neutron_lb_agent.volumeMounts }}{{ toYaml $mounts_neutron_lb_agent.volumeMounts | indent 12 }}{{ end }} @@ -228,11 +240,11 @@ spec: configMap: name: neutron-etc defaultMode: 0444 - - name: libmodules - hostPath: - path: /lib/modules - name: run hostPath: path: /run + - name: host-rootfs + hostPath: + path: / {{ if $mounts_neutron_lb_agent.volumes }}{{ toYaml $mounts_neutron_lb_agent.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/neutron/templates/daemonset-ovs-agent.yaml b/neutron/templates/daemonset-ovs-agent.yaml index a73ec9e046..3312b5bb13 100644 --- a/neutron/templates/daemonset-ovs-agent.yaml +++ b/neutron/templates/daemonset-ovs-agent.yaml 
@@ -40,6 +40,24 @@ spec: hostNetwork: true initContainers: {{ tuple $envAll $dependencies $mounts_neutron_ovs_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + - name: neutron-openvswitch-agent-kernel-modules + image: {{ .Values.images.tags.neutron_openvswitch_agent }} + imagePullPolicy: {{ .Values.images.pull_policy }} + securityContext: + capabilities: + add: + - SYS_MODULE + runAsUser: 0 + command: + - /tmp/neutron-openvswitch-agent-init-modules.sh + volumeMounts: + - name: neutron-bin + mountPath: /tmp/neutron-openvswitch-agent-init-modules.sh + subPath: neutron-openvswitch-agent-init-modules.sh + readOnly: true + - name: host-rootfs + mountPath: /mnt/host-rootfs + readOnly: true - name: neutron-ovs-agent-init image: {{ .Values.images.tags.neutron_openvswitch_agent }} imagePullPolicy: {{ .Values.images.pull_policy }} @@ -119,9 +137,6 @@ spec: mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters subPath: openvswitch-plugin.filters readOnly: true - - name: libmodules - mountPath: /lib/modules - readOnly: true - name: run mountPath: /run {{ if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }} @@ -213,9 +228,6 @@ spec: mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters subPath: openvswitch-plugin.filters readOnly: true - - name: libmodules - mountPath: /lib/modules - readOnly: true - name: run mountPath: /run {{ if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }} @@ -232,11 +244,11 @@ spec: configMap: name: neutron-etc defaultMode: 0444 - - name: libmodules - hostPath: - path: /lib/modules - name: run hostPath: path: /run + - name: host-rootfs + hostPath: + path: / {{ if $mounts_neutron_ovs_agent.volumes }}{{ toYaml $mounts_neutron_ovs_agent.volumes | indent 8 }}{{ end }} {{- end }} 
diff --git a/openvswitch/templates/bin/_openvswitch-vswitchd-init-modules.sh.tpl b/openvswitch/templates/bin/_openvswitch-vswitchd-init-modules.sh.tpl new file mode 100644 index 0000000000..ae06b97c1c --- /dev/null +++ b/openvswitch/templates/bin/_openvswitch-vswitchd-init-modules.sh.tpl @@ -0,0 +1,22 @@ +#!/bin/bash + +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -ex +chroot /mnt/host-rootfs modprobe openvswitch +chroot /mnt/host-rootfs modprobe gre +chroot /mnt/host-rootfs modprobe vxlan diff --git a/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl b/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl index 61364aa1a6..0c0477a5da 100644 --- a/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl +++ b/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl @@ -18,12 +18,6 @@ limitations under the License. set -ex -# load tunnel kernel modules we may use and gre/vxlan -modprobe openvswitch - -modprobe gre -modprobe vxlan - sock="/var/run/openvswitch/db.sock" t=0 while [ ! -e "${sock}" ] ; do diff --git a/openvswitch/templates/configmap-bin.yaml b/openvswitch/templates/configmap-bin.yaml index ac13c9a312..43fc8fb2df 100644 --- a/openvswitch/templates/configmap-bin.yaml +++ b/openvswitch/templates/configmap-bin.yaml 
@@ -26,4 +26,6 @@ data: {{ tuple "bin/_openvswitch-db-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} openvswitch-vswitchd.sh: |+ {{ tuple "bin/_openvswitch-vswitchd.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + openvswitch-vswitchd-init-modules.sh: |+ +{{ tuple "bin/_openvswitch-vswitchd-init-modules.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{- end }} diff --git a/openvswitch/templates/daemonset-ovs-vswitchd.yaml b/openvswitch/templates/daemonset-ovs-vswitchd.yaml index 60bfca7af5..24127cc111 100644 --- a/openvswitch/templates/daemonset-ovs-vswitchd.yaml +++ b/openvswitch/templates/daemonset-ovs-vswitchd.yaml @@ -34,6 +34,25 @@ spec: {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }} dnsPolicy: ClusterFirstWithHostNet hostNetwork: true + initContainers: + - name: openvswitch-vswitchd-modules + image: {{ .Values.images.tags.openvswitch_vswitchd }} + imagePullPolicy: {{ .Values.images.pull_policy }} + securityContext: + capabilities: + add: + - SYS_MODULE + runAsUser: 0 + command: + - /tmp/openvswitch-vswitchd-init-modules.sh + volumeMounts: + - name: openvswitch-bin + mountPath: /tmp/openvswitch-vswitchd-init-modules.sh + subPath: openvswitch-vswitchd-init-modules.sh + readOnly: true + - name: host-rootfs + mountPath: /mnt/host-rootfs + readOnly: true containers: - name: openvswitch-vswitchd image: {{ .Values.images.tags.openvswitch_vswitchd }} @@ -56,9 +75,6 @@ spec: mountPath: /tmp/openvswitch-vswitchd.sh subPath: openvswitch-vswitchd.sh readOnly: true - - name: libmodules - mountPath: /lib/modules - readOnly: true - name: run mountPath: /run volumes: @@ -66,10 +82,10 @@ spec: configMap: name: openvswitch-bin defaultMode: 0555 - - name: libmodules - hostPath: - path: /lib/modules - name: run hostPath: path: /run + - name: host-rootfs + hostPath: + path: / {{- end }} 
diff --git a/tools/gate/funcs/common.sh b/tools/gate/funcs/common.sh index 11162c1ee7..081960d395 100644 --- a/tools/gate/funcs/common.sh +++ b/tools/gate/funcs/common.sh @@ -70,15 +70,6 @@ function base_install { sdn_lb_support_install fi - # NOTE(portdirect): Temp workaround until module loading is supported by - # OpenStack-Helm in Fedora - if [ "x$HOST_OS" == "xfedora" ]; then - sudo modprobe openvswitch - sudo modprobe ebtables - sudo modprobe gre - sudo modprobe vxlan - sudo modprobe ip6_tables - fi } function json_to_yaml {