Add network namespace cleanup

Removes stale DHCP and L3 namespaces. The cron runs once in 12 hours. Network namespace cleanup is implemented as a daemonset as Kubernetes does not have a cronjob that works like daemonset-cronjob. Network namespace cleanup should run on all nodes where DHCP and L3 agents run. Change-Id: I7525e493067669026e0d57889a3e3238a2bd1308
2020-02-11 04:42:56 +00:00 · 2020-02-11 04:42:56 +00:00 · 62db99d1d1
commit 62db99d1d1
parent 400b686f52
11 changed files with 244 additions and 0 deletions
--- a/neutron/templates/bin/_neutron-netns-cleanup-cron.py.tpl
+++ b/neutron/templates/bin/_neutron-netns-cleanup-cron.py.tpl
@ -0,0 +1,24 @@
+#!/usr/bin/env python
+
+import sys
+import time
+
+from oslo_config import cfg
+
+from neutron.cmd.netns_cleanup import main
+
+if __name__ == "__main__":
+    while True:
+        try:
+            main()
+            # Sleep for 12 hours
+            time.sleep(43200)
+        except Exception as ex:
+            sys.stderr.write(
+                "Cleaning network namespaces caught an exception %s"
+                % str(ex))
+        except:
+            sys.stderr.write(
+                "Cleaning network namespaces caught an exception")
+        finally:
+            cfg.CONF.clear()
--- a/neutron/templates/configmap-bin.yaml
+++ b/neutron/templates/configmap-bin.yaml
@ -87,6 +87,8 @@ data:
 {{ tuple "bin/_neutron-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  neutron-ironic-agent.sh: |
 {{ tuple "bin/_neutron-ironic-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-netns-cleanup-cron.py: |
+{{ tuple "bin/_neutron-netns-cleanup-cron.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  rabbit-init.sh: |
 {{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
  neutron-test-force-cleanup.sh: |
--- a/neutron/templates/daemonset-netns-cleanup-cron.yaml
+++ b/neutron/templates/daemonset-netns-cleanup-cron.yaml
@ -0,0 +1,179 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "neutron.netns_cleanup_cron.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_neutron_netns_cleanup_cron := .Values.pod.mounts.neutron_netns_cleanup_cron.neutron_netns_cleanup_cron }}
+{{- $mounts_neutron_netns_cleanup_cron_init := .Values.pod.mounts.neutron_netns_cleanup_cron.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: neutron-netns-cleanup-cron
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "neutron" "netns-cleanup-cron" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  selector:
+    matchLabels:
+{{ tuple $envAll "neutron" "netns-cleanup-cron" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "netns_cleanup_cron" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "neutron" "netns-cleanup-cron" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+{{ dict "envAll" $envAll "application" "neutron_netns_cleanup_cron" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+      nodeSelector:
+        {{ .Values.labels.netns_cleanup_cron.node_selector_key }}: {{ .Values.labels.netns_cleanup_cron.node_selector_value }}
+      dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
+      {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+      shareProcessNamespace: true
+      {{- else }}
+      hostPID: true
+      {{- end }}
+      initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_netns_cleanup_cron_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: neutron-netns-cleanup-cron
+{{ tuple $envAll "neutron_netns_cleanup_cron" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.netns_cleanup_cron | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_netns_cleanup_cron" "container" "neutron_netns_cleanup_cron" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - python
+            - /tmp/neutron-netns-cleanup-cron.py
+            - --config-file
+            -  /etc/neutron/neutron.conf
+            - --config-file
+            - /etc/neutron/dhcp_agent.ini
+            - --config-file
+            - /etc/neutron/l3_agent.ini
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: neutron-bin
+              mountPath: /tmp/neutron-netns-cleanup-cron.py
+              subPath: neutron-netns-cleanup-cron.py
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/neutron.conf
+              subPath: neutron.conf
+              readOnly: true
+            {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+            - name: neutron-etc
+              mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/dhcp_agent.ini
+              subPath: dhcp_agent.ini
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/l3_agent.ini
+              subPath: l3_agent.ini
+              readOnly: true
+            - name: neutron-etc
+              # NOTE (Portdirect): We mount here to override Kollas
+              # custom sudoers file when using Kolla images, this
+              # location will also work fine for other images.
+              mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+              subPath: neutron_sudoers
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/rootwrap.conf
+              subPath: rootwrap.conf
+              readOnly: true
+            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+            {{- if ( has "netns_cleanup_cron" $value.pods ) }}
+            {{- $filePrefix := replace "_" "-"  $key }}
+            {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+            - name: neutron-etc
+              mountPath: {{ $rootwrapFile }}
+              subPath: {{ base $rootwrapFile }}
+              readOnly: true
+            {{- end }}
+            {{- end }}
+            - name: libmodules
+              mountPath: /lib/modules
+              readOnly: true
+            - name: iptables-lockfile
+              mountPath: /run/xtables.lock
+            - name: socket
+              mountPath: /var/lib/neutron/openstack-helm
+            {{- if .Values.network.share_namespaces }}
+            - name: host-run-netns
+              mountPath: /run/netns
+              mountPropagation: Bidirectional
+            {{- end }}
+{{ if $mounts_neutron_netns_cleanup_cron.volumeMounts }}{{ toYaml $mounts_neutron_netns_cleanup_cron.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-var-neutron
+          emptyDir: {}
+        - name: neutron-bin
+          configMap:
+            name: neutron-bin
+            defaultMode: 0555
+        - name: neutron-etc
+          secret:
+            secretName: {{ $configMapName }}
+            defaultMode: 0444
+        - name: libmodules
+          hostPath:
+            path: /lib/modules
+        - name: iptables-lockfile
+          hostPath:
+            path: /run/xtables.lock
+        - name: socket
+          hostPath:
+            path: /var/lib/neutron/openstack-helm
+        {{- if .Values.network.share_namespaces }}
+        - name: host-run-netns
+          hostPath:
+            path: /run/netns
+        {{- end }}
+#{{ if $mounts_neutron_netns_cleanup_cron.volumes }}{{ toYaml $mounts_neutron_netns_cleanup_cron.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset_netns_cleanup_cron}}
+{{- $envAll := . }}
+{{- $daemonset := "netns-cleanup-cron" }}
+{{- $configMapName := "neutron-etc" }}
+{{- $serviceAccountName := "neutron-netns-cleanup-cron" }}
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "netns_cleanup_cron" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.netns_cleanup_cron.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "neutron.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
+
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@ -42,6 +42,7 @@ images:
    neutron_sriov_agent_init: docker.io/openstackhelm/neutron:stein-18.04-sriov
    neutron_bagpipe_bgp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_ironic_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+    neutron_netns_cleanup_cron: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
    image_repo_sync: docker.io/docker:17.07.0
  pull_policy: "IfNotPresent"
@ -90,6 +91,9 @@ labels:
  ironic_agent:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
+  netns_cleanup_cron:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
  test:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
@ -496,6 +500,13 @@ pod:
    neutron_ironic_agent:
      pod:
        runAsUser: 42424
+    neutron_netns_cleanup_cron:
+      pod:
+        runAsUser: 42424
+      container:
+        neutron_netns_cleanup_cron:
+          readOnlyRootFilesystem: true
+          privileged: true
  affinity:
    anti:
      type:
@ -555,6 +566,11 @@ pod:
      neutron_ironic_agent:
        volumeMounts:
        volumes:
+    neutron_netns_cleanup_cron:
+      init_container: null
+      neutron_netns_cleanup_cron:
+        volumeMounts:
+        volumes:
    neutron_tests:
      init_container: null
      neutron_tests:
@ -610,6 +626,10 @@ pod:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
+        netns_cleanup_cron:
+          enabled: true
+          min_ready_seconds: 0
+          max_unavailable: 1
    disruption_budget:
      server:
        min_available: 0
@ -691,6 +711,13 @@ pod:
      limits:
        memory: "1024Mi"
        cpu: "2000m"
+    netns_cleanup_cron:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
    jobs:
      bootstrap:
        requests:
@ -1483,6 +1510,7 @@ conf:
        - metadata_agent
        - ovs_agent
        - sriov_agent
+        - netns_cleanup_cron
      content: |
        # neutron-rootwrap command filters for nodes on which neutron is
        # expected to control network
@ -1504,6 +1532,7 @@ conf:
        - metadata_agent
        - ovs_agent
        - sriov_agent
+        - netns_cleanup_cron
      content: |
        # neutron-rootwrap command filters for nodes on which neutron is
        # expected to control network
@ -1681,6 +1710,7 @@ conf:
        - metadata_agent
        - ovs_agent
        - sriov_agent
+        - netns_cleanup_cron
      content: |
        # Command filters to allow privsep daemon to be started via rootwrap.
        #
@ -2374,6 +2404,7 @@ manifests:
  daemonset_sriov_agent: true
  daemonset_l2gw_agent: false
  daemonset_bagpipe_bgp: false
+  daemonset_netns_cleanup_cron: true
  deployment_ironic_agent: false
  deployment_server: true
  ingress_server: true
--- a/neutron/values_overrides/apparmor.yaml
+++ b/neutron/values_overrides/apparmor.yaml
@ -13,3 +13,5 @@ pod:
      neutron-ovs-agent-default: runtime/default
    neutron-sriov-agent-default:
      neutron-sriov-agent-default: runtime/default
+    neutron-netns-cleanup-cron-default:
+      neutron-netns-cleanup-cron-default: runtime/default
--- a/neutron/values_overrides/ocata-ubuntu_xenial.yaml
+++ b/neutron/values_overrides/ocata-ubuntu_xenial.yaml
@ -12,6 +12,7 @@ images:
    neutron_l3: "docker.io/openstackhelm/neutron:ocata-ubuntu_xenial"
    neutron_linuxbridge_agent: "docker.io/openstackhelm/neutron:ocata-ubuntu_xenial"
    neutron_metadata: "docker.io/openstackhelm/neutron:ocata-ubuntu_xenial"
+    neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:ocata-ubuntu_xenial"
    neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:ocata-ubuntu_xenial"
    neutron_server: "docker.io/openstackhelm/neutron:ocata-ubuntu_xenial"
    neutron_sriov_agent: docker.io/openstackhelm/neutron:ocata-18.04-sriov
--- a/neutron/values_overrides/pike-ubuntu_xenial.yaml
+++ b/neutron/values_overrides/pike-ubuntu_xenial.yaml
@ -13,6 +13,7 @@ images:
    neutron_l2gw: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
    neutron_linuxbridge_agent: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
    neutron_metadata: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
+    neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
    neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
    neutron_server: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
    neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
--- a/neutron/values_overrides/queens-ubuntu_xenial.yaml
+++ b/neutron/values_overrides/queens-ubuntu_xenial.yaml
@ -13,6 +13,7 @@ images:
    neutron_l2gw: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
    neutron_linuxbridge_agent: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
    neutron_metadata: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
+    neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
    neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
    neutron_server: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
    neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
--- a/neutron/values_overrides/rocky-opensuse_15.yaml
+++ b/neutron/values_overrides/rocky-opensuse_15.yaml
@ -13,6 +13,7 @@ images:
    neutron_l2gw: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
    neutron_linuxbridge_agent: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
    neutron_metadata: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
+    neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
    neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
    neutron_server: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
    neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
--- a/neutron/values_overrides/rocky-ubuntu_bionic.yaml
+++ b/neutron/values_overrides/rocky-ubuntu_bionic.yaml
@ -13,6 +13,7 @@ images:
    neutron_l2gw: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
    neutron_linuxbridge_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
    neutron_metadata: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
+    neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
    neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
    neutron_server: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
    neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
--- a/neutron/values_overrides/rocky-ubuntu_xenial.yaml
+++ b/neutron/values_overrides/rocky-ubuntu_xenial.yaml
@ -13,6 +13,7 @@ images:
    neutron_l2gw: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
    neutron_linuxbridge_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
    neutron_metadata: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
+    neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
    neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
    neutron_server: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
    neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"