diff --git a/neutron/templates/bin/_neutron-netns-cleanup-cron.py.tpl b/neutron/templates/bin/_neutron-netns-cleanup-cron.py.tpl
new file mode 100644
index 0000000000..5eb5b13773
--- /dev/null
+++ b/neutron/templates/bin/_neutron-netns-cleanup-cron.py.tpl
@@ -0,0 +1,24 @@
+#!/usr/bin/env python
+
+import sys
+import time
+
+from oslo_config import cfg
+
+from neutron.cmd.netns_cleanup import main
+
+if __name__ == "__main__":
+ while True:
+ try:
+ main()
+ # Sleep for 12 hours
+ time.sleep(43200)
+ except Exception as ex:
+ sys.stderr.write(
+ "Cleaning network namespaces caught an exception %s"
+ % str(ex))
+ except:
+ sys.stderr.write(
+ "Cleaning network namespaces caught an exception")
+ finally:
+ cfg.CONF.clear()
diff --git a/neutron/templates/configmap-bin.yaml b/neutron/templates/configmap-bin.yaml
index 2d6b43192b..14acb4b818 100644
--- a/neutron/templates/configmap-bin.yaml
+++ b/neutron/templates/configmap-bin.yaml
@@ -87,6 +87,8 @@ data:
 {{ tuple "bin/_neutron-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 neutron-ironic-agent.sh: |
 {{ tuple "bin/_neutron-ironic-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ neutron-netns-cleanup-cron.py: |
+{{ tuple "bin/_neutron-netns-cleanup-cron.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 rabbit-init.sh: |
 {{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
 neutron-test-force-cleanup.sh: |
diff --git a/neutron/templates/daemonset-netns-cleanup-cron.yaml b/neutron/templates/daemonset-netns-cleanup-cron.yaml
new file mode 100644
index 0000000000..739a58d16a
--- /dev/null
+++ b/neutron/templates/daemonset-netns-cleanup-cron.yaml
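Review bot: In the `_neutron-netns-cleanup-cron.py.tpl` hunk a failing `main()` skips `time.sleep(43200)`, because the sleep sits inside the `try`; after any exception the `while True` loop re-runs the cleanup immediately and can spin at full speed while flooding stderr. Move the sleep out of the `try`, after the `finally` block, so the 12-hour interval holds on both the success and the failure path. The bare `except:` branch also swallows `SystemExit` and `KeyboardInterrupt`, which leaves the loop no clean way to stop; dropping it and keeping `except Exception as ex:` is enough. Both `sys.stderr.write` messages lack a trailing `\n` and discard the traceback, so repeated failures run together on one line; `traceback.print_exc()` would keep the evidence needed to diagnose a cleanup that never succeeds.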
@@ -0,0 +1,179 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "neutron.netns_cleanup_cron.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_neutron_netns_cleanup_cron := .Values.pod.mounts.neutron_netns_cleanup_cron.neutron_netns_cleanup_cron }}
+{{- $mounts_neutron_netns_cleanup_cron_init := .Values.pod.mounts.neutron_netns_cleanup_cron.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: neutron-netns-cleanup-cron
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "neutron" "netns-cleanup-cron" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+{{ tuple $envAll "neutron" "netns-cleanup-cron" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "netns_cleanup_cron" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "neutron" "netns-cleanup-cron" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+{{ dict "envAll" $envAll "application" "neutron_netns_cleanup_cron" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+ nodeSelector:
+ {{ .Values.labels.netns_cleanup_cron.node_selector_key }}: {{ .Values.labels.netns_cleanup_cron.node_selector_value }}
+ dnsPolicy: ClusterFirstWithHostNet
+ hostNetwork: true
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ shareProcessNamespace: true
+ {{- else }}
+ hostPID: true
+ {{- end }}
+ initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_netns_cleanup_cron_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: neutron-netns-cleanup-cron
+{{ tuple $envAll "neutron_netns_cleanup_cron" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.netns_cleanup_cron | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_netns_cleanup_cron" "container" "neutron_netns_cleanup_cron" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - python
+ - /tmp/neutron-netns-cleanup-cron.py
+ - --config-file
+ - /etc/neutron/neutron.conf
+ - --config-file
+ - /etc/neutron/dhcp_agent.ini
+ - --config-file
+ - /etc/neutron/l3_agent.ini
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: neutron-bin
+ mountPath: /tmp/neutron-netns-cleanup-cron.py
+ subPath: neutron-netns-cleanup-cron.py
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/neutron.conf
+ subPath: neutron.conf
+ readOnly: true
+ {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+ - name: neutron-etc
+ mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/dhcp_agent.ini
+ subPath: dhcp_agent.ini
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/l3_agent.ini
+ subPath: l3_agent.ini
+ readOnly: true
+ - name: neutron-etc
+ # NOTE (Portdirect): We mount here to override Kollas
+ # custom sudoers file when using Kolla images, this
+ # location will also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+ subPath: neutron_sudoers
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "netns_cleanup_cron" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+ - name: neutron-etc
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ - name: libmodules
+ mountPath: /lib/modules
+ readOnly: true
+ - name: iptables-lockfile
+ mountPath: /run/xtables.lock
+ - name: socket
+ mountPath: /var/lib/neutron/openstack-helm
+ {{- if .Values.network.share_namespaces }}
+ - name: host-run-netns
+ mountPath: /run/netns
+ mountPropagation: Bidirectional
+ {{- end }}
+{{ if $mounts_neutron_netns_cleanup_cron.volumeMounts }}{{ toYaml $mounts_neutron_netns_cleanup_cron.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-var-neutron
+ emptyDir: {}
+ - name: neutron-bin
+ configMap:
+ name: neutron-bin
+ defaultMode: 0555
+ - name: neutron-etc
+ secret:
+ secretName: {{ $configMapName }}
+ defaultMode: 0444
+ - name: libmodules
+ hostPath:
+ path: /lib/modules
+ - name: iptables-lockfile
+ hostPath:
+ path: /run/xtables.lock
+ - name: socket
+ hostPath:
+ path: /var/lib/neutron/openstack-helm
+ {{- if .Values.network.share_namespaces }}
+ - name: host-run-netns
+ hostPath:
+ path: /run/netns
+ {{- end }}
+#{{ if $mounts_neutron_netns_cleanup_cron.volumes }}{{ toYaml $mounts_neutron_netns_cleanup_cron.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset_netns_cleanup_cron}}
+{{- $envAll := . }}
+{{- $daemonset := "netns-cleanup-cron" }}
+{{- $configMapName := "neutron-etc" }}
+{{- $serviceAccountName := "neutron-netns-cleanup-cron" }}
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "netns_cleanup_cron" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.netns_cleanup_cron.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "neutron.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
+
diff --git a/neutron/values.yaml b/neutron/values.yaml
index f132b44376..cc0c2c3736 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -42,6 +42,7 @@ images:
 neutron_sriov_agent_init: docker.io/openstackhelm/neutron:stein-18.04-sriov
 neutron_bagpipe_bgp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
 neutron_ironic_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+ neutron_netns_cleanup_cron: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
 dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
 image_repo_sync: docker.io/docker:17.07.0
 pull_policy: "IfNotPresent"
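Review bot: The last entry of the `volumes:` list in `daemonset-netns-cleanup-cron.yaml` is prefixed with `#` (`#{{ if $mounts_neutron_netns_cleanup_cron.volumes }}…`), while the matching `volumeMounts` line above it is live. With values set under `pod.mounts.neutron_netns_cleanup_cron`, the extra mounts are rendered but only the first line of the `toYaml` output for the volumes is commented out, so the result is either a mount that names a missing volume or malformed YAML; remove the `#`. The `pod-var-neutron` emptyDir is declared but never mounted, and the `/run/xtables.lock` hostPath has no `type:`, so on a node where the file does not exist yet a directory may be created at that path; `type: FileOrCreate` avoids that. The `ge .Capabilities.KubeVersion.Minor "10"` test compares strings, so the choice between `shareProcessNamespace` and `hostPID: true` is not a numeric version check and should be confirmed for minor versions that are not two plain digits.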
@@ -90,6 +91,9 @@ labels:
 ironic_agent:
 node_selector_key: openstack-control-plane
 node_selector_value: enabled
+ netns_cleanup_cron:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
 test:
 node_selector_key: openstack-control-plane
 node_selector_value: enabled
@@ -496,6 +500,13 @@ pod:
 neutron_ironic_agent:
 pod:
 runAsUser: 42424
+ neutron_netns_cleanup_cron:
+ pod:
+ runAsUser: 42424
+ container:
+ neutron_netns_cleanup_cron:
+ readOnlyRootFilesystem: true
+ privileged: true
 affinity:
 anti:
 type:
@@ -555,6 +566,11 @@ pod:
 neutron_ironic_agent:
 volumeMounts:
 volumes:
+ neutron_netns_cleanup_cron:
+ init_container: null
+ neutron_netns_cleanup_cron:
+ volumeMounts:
+ volumes:
 neutron_tests:
 init_container: null
 neutron_tests:
@@ -610,6 +626,10 @@ pod:
 enabled: true
 min_ready_seconds: 0
 max_unavailable: 1
+ netns_cleanup_cron:
+ enabled: true
+ min_ready_seconds: 0
+ max_unavailable: 1
 disruption_budget:
 server:
 min_available: 0
@@ -691,6 +711,13 @@ pod:
 limits:
 memory: "1024Mi"
 cpu: "2000m"
+ netns_cleanup_cron:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
 jobs:
 bootstrap:
 requests:
@@ -1483,6 +1510,7 @@ conf:
 - metadata_agent
 - ovs_agent
 - sriov_agent
+ - netns_cleanup_cron
 content: |
 # neutron-rootwrap command filters for nodes on which neutron is
 # expected to control network
@@ -1504,6 +1532,7 @@ conf:
 - metadata_agent
 - ovs_agent
 - sriov_agent
+ - netns_cleanup_cron
 content: |
 # neutron-rootwrap command filters for nodes on which neutron is
 # expected to control network
@@ -1681,6 +1710,7 @@ conf:
 - metadata_agent
 - ovs_agent
 - sriov_agent
+ - netns_cleanup_cron
 content: |
 # Command filters to allow privsep daemon to be started via rootwrap.
 #
@@ -2374,6 +2404,7 @@ manifests:
 daemonset_sriov_agent: true
 daemonset_l2gw_agent: false
 daemonset_bagpipe_bgp: false
+ daemonset_netns_cleanup_cron: true
 deployment_ironic_agent: false
 deployment_server: true
 ingress_server: true
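Review bot: The security-context hunk sets `privileged: true` for the `neutron_netns_cleanup_cron` container, and the daemonset it configures also runs with `hostNetwork: true`, a Bidirectional `/run/netns` mount and a mounted sudoers file, so `runAsUser: 42424` is only a weak boundary for this pod. If the job only has to list and delete network namespaces, a reduced capability set should be tried in place of full privilege; which capabilities suffice has to be confirmed against the image and the rootwrap filters this commit enables for it. The manifests hunk also defaults `daemonset_netns_cleanup_cron: true`, so upgrading an existing release starts this privileged pod on every node labelled `openstack-control-plane: enabled` without an opt-in; consider defaulting it to `false` or calling the change out in release notes. A comment beside `privileged: true` stating why it is required would help later reviews.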
diff --git a/neutron/values_overrides/apparmor.yaml b/neutron/values_overrides/apparmor.yaml
index a602d95c2a..39c7ac6349 100644
--- a/neutron/values_overrides/apparmor.yaml
+++ b/neutron/values_overrides/apparmor.yaml
@@ -13,3 +13,5 @@ pod:
 neutron-ovs-agent-default: runtime/default
 neutron-sriov-agent-default:
 neutron-sriov-agent-default: runtime/default
+ neutron-netns-cleanup-cron-default:
+ neutron-netns-cleanup-cron-default: runtime/default
diff --git a/neutron/values_overrides/ocata-ubuntu_xenial.yaml b/neutron/values_overrides/ocata-ubuntu_xenial.yaml
index a1083bf345..db77959d70 100644
--- a/neutron/values_overrides/ocata-ubuntu_xenial.yaml
+++ b/neutron/values_overrides/ocata-ubuntu_xenial.yaml
@@ -12,6 +12,7 @@ images:
 neutron_l3: "docker.io/openstackhelm/neutron:ocata-ubuntu_xenial"
 neutron_linuxbridge_agent: "docker.io/openstackhelm/neutron:ocata-ubuntu_xenial"
 neutron_metadata: "docker.io/openstackhelm/neutron:ocata-ubuntu_xenial"
+ neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:ocata-ubuntu_xenial"
 neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:ocata-ubuntu_xenial"
 neutron_server: "docker.io/openstackhelm/neutron:ocata-ubuntu_xenial"
 neutron_sriov_agent: docker.io/openstackhelm/neutron:ocata-18.04-sriov
diff --git a/neutron/values_overrides/pike-ubuntu_xenial.yaml b/neutron/values_overrides/pike-ubuntu_xenial.yaml
index 8458fc05ad..5c520e9a94 100644
--- a/neutron/values_overrides/pike-ubuntu_xenial.yaml
+++ b/neutron/values_overrides/pike-ubuntu_xenial.yaml
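Review bot: The new `neutron-netns-cleanup-cron-default` entry in `apparmor.yaml` has no visible consumer: the pod template added in `daemonset-netns-cleanup-cron.yaml` renders only the release-uuid and configmap-hash annotations, so no AppArmor annotation would be emitted for this pod and the override would silently do nothing. Either add the mandatory-access-control annotation to that template, as the other agents listed in this file presumably do, or drop the entry until it is wired up. The inner key also has to match the container name, which the template sets to `neutron-netns-cleanup-cron`; whether a `-default` suffix is applied to it elsewhere is not visible in this commit and should be checked on a rendered manifest.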
@@ -13,6 +13,7 @@ images:
 neutron_l2gw: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
 neutron_linuxbridge_agent: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
 neutron_metadata: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
+ neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
 neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
 neutron_server: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
 neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
diff --git a/neutron/values_overrides/queens-ubuntu_xenial.yaml b/neutron/values_overrides/queens-ubuntu_xenial.yaml
index ef332bc235..d43df926c9 100644
--- a/neutron/values_overrides/queens-ubuntu_xenial.yaml
+++ b/neutron/values_overrides/queens-ubuntu_xenial.yaml
@@ -13,6 +13,7 @@ images:
 neutron_l2gw: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
 neutron_linuxbridge_agent: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
 neutron_metadata: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
+ neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
 neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
 neutron_server: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
 neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
diff --git a/neutron/values_overrides/rocky-opensuse_15.yaml b/neutron/values_overrides/rocky-opensuse_15.yaml
index 1dd621ac0f..c1f245491e 100644
--- a/neutron/values_overrides/rocky-opensuse_15.yaml
+++ b/neutron/values_overrides/rocky-opensuse_15.yaml
@@ -13,6 +13,7 @@ images:
 neutron_l2gw: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
 neutron_linuxbridge_agent: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
 neutron_metadata: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
+ neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
 neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
 neutron_server: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
 neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
diff --git a/neutron/values_overrides/rocky-ubuntu_bionic.yaml b/neutron/values_overrides/rocky-ubuntu_bionic.yaml
index 3e2598ae81..0f07a19c4f 100644
--- a/neutron/values_overrides/rocky-ubuntu_bionic.yaml
+++ b/neutron/values_overrides/rocky-ubuntu_bionic.yaml
@@ -13,6 +13,7 @@ images:
 neutron_l2gw: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
 neutron_linuxbridge_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
 neutron_metadata: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
+ neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
 neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
 neutron_server: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
 neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
diff --git a/neutron/values_overrides/rocky-ubuntu_xenial.yaml b/neutron/values_overrides/rocky-ubuntu_xenial.yaml
index 0335527d46..396055d7f9 100644
--- a/neutron/values_overrides/rocky-ubuntu_xenial.yaml
+++ b/neutron/values_overrides/rocky-ubuntu_xenial.yaml
@@ -13,6 +13,7 @@ images:
 neutron_l2gw: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
 neutron_linuxbridge_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
 neutron_metadata: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
+ neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
 neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
 neutron_server: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
 neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"