Add network namespace cleanup

Removes stale DHCP and L3 namespaces. The cron runs once in 12 hours.

Network namespace cleanup is implemented as a daemonset because Kubernetes
does not have a cronjob that runs on every node the way a daemonset does.
Network namespace cleanup should run on all nodes where DHCP and L3
agents run.

Change-Id: I7525e493067669026e0d57889a3e3238a2bd1308
Hemachandra Reddy 2020-02-11 04:42:56 +00:00 committed by Hemachandra Reddy
parent 400b686f52
commit 62db99d1d1
11 changed files with 244 additions and 0 deletions


@ -0,0 +1,24 @@
#!/usr/bin/env python
import sys
import time
from oslo_config import cfg
from neutron.cmd.netns_cleanup import main
if __name__ == "__main__":
while True:
try:
main()
# Sleep for 12 hours
time.sleep(43200)
except Exception as ex:
sys.stderr.write(
"Cleaning network namespaces caught an exception %s"
% str(ex))
except:
sys.stderr.write(
"Cleaning network namespaces caught an exception")
finally:
cfg.CONF.clear()
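Review bot: A failing `main()` skips the 12-hour wait, because `time.sleep(43200)` sits inside the `try` directly after the call; any exception goes straight to a handler and the `while True` loop re-runs the cleanup immediately. A persistent error (bad config, unreachable dependency) therefore becomes a tight retry loop in a pod that this commit schedules on every selected node. Move `time.sleep(43200)` out of the `try`, after the `finally:` block, so that both the success and the failure path wait. The bare `except:` also catches `SystemExit`, so if `main()` ends via `sys.exit()` the script neither exits nor sleeps. Both `sys.stderr.write` messages lack a trailing `\n`, which will run consecutive log lines together.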


@ -87,6 +87,8 @@ data:
{{ tuple "bin/_neutron-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
neutron-ironic-agent.sh: |
{{ tuple "bin/_neutron-ironic-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
neutron-netns-cleanup-cron.py: |
{{ tuple "bin/_neutron-netns-cleanup-cron.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
rabbit-init.sh: |
{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
neutron-test-force-cleanup.sh: |


@ -0,0 +1,179 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "neutron.netns_cleanup_cron.daemonset" }}
{{- $daemonset := index . 0 }}
{{- $configMapName := index . 1 }}
{{- $serviceAccountName := index . 2 }}
{{- $envAll := index . 3 }}
{{- with $envAll }}
{{- $mounts_neutron_netns_cleanup_cron := .Values.pod.mounts.neutron_netns_cleanup_cron.neutron_netns_cleanup_cron }}
{{- $mounts_neutron_netns_cleanup_cron_init := .Values.pod.mounts.neutron_netns_cleanup_cron.init_container }}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: neutron-netns-cleanup-cron
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
labels:
{{ tuple $envAll "neutron" "netns-cleanup-cron" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
selector:
matchLabels:
{{ tuple $envAll "neutron" "netns-cleanup-cron" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
{{ tuple $envAll "netns_cleanup_cron" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
template:
metadata:
labels:
{{ tuple $envAll "neutron" "netns-cleanup-cron" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
{{ dict "envAll" $envAll "application" "neutron_netns_cleanup_cron" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
nodeSelector:
{{ .Values.labels.netns_cleanup_cron.node_selector_key }}: {{ .Values.labels.netns_cleanup_cron.node_selector_value }}
dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true
{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
shareProcessNamespace: true
{{- else }}
hostPID: true
{{- end }}
initContainers:
{{ tuple $envAll "pod_dependency" $mounts_neutron_netns_cleanup_cron_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: neutron-netns-cleanup-cron
{{ tuple $envAll "neutron_netns_cleanup_cron" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.netns_cleanup_cron | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "neutron_netns_cleanup_cron" "container" "neutron_netns_cleanup_cron" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- python
- /tmp/neutron-netns-cleanup-cron.py
- --config-file
- /etc/neutron/neutron.conf
- --config-file
- /etc/neutron/dhcp_agent.ini
- --config-file
- /etc/neutron/l3_agent.ini
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: neutron-bin
mountPath: /tmp/neutron-netns-cleanup-cron.py
subPath: neutron-netns-cleanup-cron.py
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
{{- if .Values.conf.neutron.DEFAULT.log_config_append }}
- name: neutron-etc
mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
readOnly: true
{{- end }}
- name: neutron-etc
mountPath: /etc/neutron/dhcp_agent.ini
subPath: dhcp_agent.ini
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/l3_agent.ini
subPath: l3_agent.ini
readOnly: true
- name: neutron-etc
# NOTE (Portdirect): We mount here to override Kollas
# custom sudoers file when using Kolla images, this
# location will also work fine for other images.
mountPath: /etc/sudoers.d/kolla_neutron_sudoers
subPath: neutron_sudoers
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.conf
subPath: rootwrap.conf
readOnly: true
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
{{- if ( has "netns_cleanup_cron" $value.pods ) }}
{{- $filePrefix := replace "_" "-" $key }}
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
- name: neutron-etc
mountPath: {{ $rootwrapFile }}
subPath: {{ base $rootwrapFile }}
readOnly: true
{{- end }}
{{- end }}
- name: libmodules
mountPath: /lib/modules
readOnly: true
- name: iptables-lockfile
mountPath: /run/xtables.lock
- name: socket
mountPath: /var/lib/neutron/openstack-helm
{{- if .Values.network.share_namespaces }}
- name: host-run-netns
mountPath: /run/netns
mountPropagation: Bidirectional
{{- end }}
{{ if $mounts_neutron_netns_cleanup_cron.volumeMounts }}{{ toYaml $mounts_neutron_netns_cleanup_cron.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: pod-var-neutron
emptyDir: {}
- name: neutron-bin
configMap:
name: neutron-bin
defaultMode: 0555
- name: neutron-etc
secret:
secretName: {{ $configMapName }}
defaultMode: 0444
- name: libmodules
hostPath:
path: /lib/modules
- name: iptables-lockfile
hostPath:
path: /run/xtables.lock
- name: socket
hostPath:
path: /var/lib/neutron/openstack-helm
{{- if .Values.network.share_namespaces }}
- name: host-run-netns
hostPath:
path: /run/netns
{{- end }}
#{{ if $mounts_neutron_netns_cleanup_cron.volumes }}{{ toYaml $mounts_neutron_netns_cleanup_cron.volumes | indent 8 }}{{ end }}
{{- end }}
{{- end }}
{{- if .Values.manifests.daemonset_netns_cleanup_cron}}
{{- $envAll := . }}
{{- $daemonset := "netns-cleanup-cron" }}
{{- $configMapName := "neutron-etc" }}
{{- $serviceAccountName := "neutron-netns-cleanup-cron" }}
{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "netns_cleanup_cron" -}}
{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.netns_cleanup_cron.daemonset" | toString | fromYaml }}
{{- $configmap_yaml := "neutron.configmap.etc" }}
{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
{{- end }}
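Review bot: The last entry under `volumes:` is prefixed with `#`, but that only comments out YAML, not the template action, so `{{ toYaml $mounts_neutron_netns_cleanup_cron.volumes | indent 8 }}` still renders. For a multi-line value only the first rendered line ends up behind the `#`, leaving the remaining lines as stray keys in the volume list. The matching `volumeMounts` override a few lines above is rendered normally, so an operator who supplies both gets a mount that refers to a missing or mangled volume. Either drop the `#` so the line reads `{{ if $mounts_neutron_netns_cleanup_cron.volumes }}{{ toYaml $mounts_neutron_netns_cleanup_cron.volumes | indent 8 }}{{ end }}`, or disable it with a template comment `{{/* … */}}`. Separately, `pod-var-neutron` is declared as a volume but no mount for it is visible in this template.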


@ -42,6 +42,7 @@ images:
neutron_sriov_agent_init: docker.io/openstackhelm/neutron:stein-18.04-sriov
neutron_bagpipe_bgp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_ironic_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_netns_cleanup_cron: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/docker:17.07.0
pull_policy: "IfNotPresent"
@ -90,6 +91,9 @@ labels:
ironic_agent:
node_selector_key: openstack-control-plane
node_selector_value: enabled
netns_cleanup_cron:
node_selector_key: openstack-control-plane
node_selector_value: enabled
test:
node_selector_key: openstack-control-plane
node_selector_value: enabled
@ -496,6 +500,13 @@ pod:
neutron_ironic_agent:
pod:
runAsUser: 42424
neutron_netns_cleanup_cron:
pod:
runAsUser: 42424
container:
neutron_netns_cleanup_cron:
readOnlyRootFilesystem: true
privileged: true
affinity:
anti:
type:
@ -555,6 +566,11 @@ pod:
neutron_ironic_agent:
volumeMounts:
volumes:
neutron_netns_cleanup_cron:
init_container: null
neutron_netns_cleanup_cron:
volumeMounts:
volumes:
neutron_tests:
init_container: null
neutron_tests:
@ -610,6 +626,10 @@ pod:
enabled: true
min_ready_seconds: 0
max_unavailable: 1
netns_cleanup_cron:
enabled: true
min_ready_seconds: 0
max_unavailable: 1
disruption_budget:
server:
min_available: 0
@ -691,6 +711,13 @@ pod:
limits:
memory: "1024Mi"
cpu: "2000m"
netns_cleanup_cron:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
bootstrap:
requests:
@ -1483,6 +1510,7 @@ conf:
- metadata_agent
- ovs_agent
- sriov_agent
- netns_cleanup_cron
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
@ -1504,6 +1532,7 @@ conf:
- metadata_agent
- ovs_agent
- sriov_agent
- netns_cleanup_cron
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
@ -1681,6 +1710,7 @@ conf:
- metadata_agent
- ovs_agent
- sriov_agent
- netns_cleanup_cron
content: |
# Command filters to allow privsep daemon to be started via rootwrap.
#
@ -2374,6 +2404,7 @@ manifests:
daemonset_sriov_agent: true
daemonset_l2gw_agent: false
daemonset_bagpipe_bgp: false
daemonset_netns_cleanup_cron: true
deployment_ironic_agent: false
deployment_server: true
ingress_server: true
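Review bot: The new `neutron_netns_cleanup_cron` container is set to `privileged: true`, and `daemonset_netns_cleanup_cron: true` turns it on by default. Every upgrade of the chart therefore adds a privileged, host-networked pod, with the host paths and the sudoers/rootwrap files mounted by the daemonset template, to all nodes matching the selector. The other optional daemonsets in the same `manifests:` hunk (`daemonset_l2gw_agent`, `daemonset_bagpipe_bgp`) default to `false`; consider `daemonset_netns_cleanup_cron: false` so that operators opt in. If privileged mode is genuinely required, record the reason next to the setting, for example `# privileged: required to delete host network namespaces via rootwrap` if that is indeed the reason. Whether a narrower capability set would be enough cannot be judged from this page.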


@ -13,3 +13,5 @@ pod:
neutron-ovs-agent-default: runtime/default
neutron-sriov-agent-default:
neutron-sriov-agent-default: runtime/default
neutron-netns-cleanup-cron-default:
neutron-netns-cleanup-cron-default: runtime/default
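Review bot: These AppArmor entries appear to have no effect, since the pod template added in this commit sets only the release UUID and the two configmap hash annotations and never renders a mandatory-access-control annotation. If the profile is meant to apply, the daemonset's `template.metadata.annotations` would need the `helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation` include, keyed on `neutron-netns-cleanup-cron-default`. The inner key is also `neutron-netns-cleanup-cron-default`, while the container in the daemonset is named `neutron-netns-cleanup-cron`; confirm which name the snippet looks up, as that is not visible here.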


@ -12,6 +12,7 @@ images:
neutron_l3: "docker.io/openstackhelm/neutron:ocata-ubuntu_xenial"
neutron_linuxbridge_agent: "docker.io/openstackhelm/neutron:ocata-ubuntu_xenial"
neutron_metadata: "docker.io/openstackhelm/neutron:ocata-ubuntu_xenial"
neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:ocata-ubuntu_xenial"
neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:ocata-ubuntu_xenial"
neutron_server: "docker.io/openstackhelm/neutron:ocata-ubuntu_xenial"
neutron_sriov_agent: docker.io/openstackhelm/neutron:ocata-18.04-sriov


@ -13,6 +13,7 @@ images:
neutron_l2gw: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
neutron_linuxbridge_agent: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
neutron_metadata: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
neutron_server: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"


@ -13,6 +13,7 @@ images:
neutron_l2gw: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
neutron_linuxbridge_agent: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
neutron_metadata: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
neutron_server: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"


@ -13,6 +13,7 @@ images:
neutron_l2gw: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
neutron_linuxbridge_agent: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
neutron_metadata: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
neutron_server: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:rocky-opensuse_15"


@ -13,6 +13,7 @@ images:
neutron_l2gw: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
neutron_linuxbridge_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
neutron_metadata: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
neutron_server: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"


@ -13,6 +13,7 @@ images:
neutron_l2gw: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
neutron_linuxbridge_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
neutron_metadata: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
neutron_server: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"