From aba33b344072d07d6e03f715f2050d8669fad767 Mon Sep 17 00:00:00 2001
From: Hyunsun Moon
Date: Thu, 25 Jan 2018 22:27:15 +0900
Subject: [PATCH] Neutron: make metadata proxy work

- corrected the path of "socket" volume, which is used for sharing metadata proxy unix socket among the agents
- and give neutron user permission to write to the dir
- set the default nova_metadata_ip to full hostname of metadata so that it could be accessed properly via ingress
- removed unnecessary configurations from values

Change-Id: I4d20dc670fecebd9799851d659c5f42edb4821ac
Closes-Bug:1745370
---
 .../templates/bin/_neutron-dhcp-agent.sh.tpl | 1 +
 neutron/templates/bin/_neutron-l3-agent.sh.tpl | 1 +
 .../bin/_neutron-metadata-agent-init.sh.tpl | 11 +---------
 .../bin/_neutron-metadata-agent.sh.tpl | 3 +-
 neutron/templates/configmap-etc.yaml | 4 ++++
 neutron/templates/daemonset-dhcp-agent.yaml | 4 ++++
 neutron/templates/daemonset-l3-agent.yaml | 8 ++++++--
 .../templates/daemonset-metadata-agent.yaml | 18 +++++++-----------
 neutron/values.yaml | 13 +++---------
 nova/values.yaml | 1 -
 .../deployment/developer/common/900-use-it.sh | 3 +++
 11 files changed, 31 insertions(+), 36 deletions(-)

diff --git a/neutron/templates/bin/_neutron-dhcp-agent.sh.tpl b/neutron/templates/bin/_neutron-dhcp-agent.sh.tpl
index b073551212..48be1cd069 100644
--- a/neutron/templates/bin/_neutron-dhcp-agent.sh.tpl
+++ b/neutron/templates/bin/_neutron-dhcp-agent.sh.tpl
@@ -20,6 +20,7 @@ set -x
 exec neutron-dhcp-agent \
       --config-file /etc/neutron/neutron.conf \
       --config-file /etc/neutron/dhcp_agent.ini \
+      --config-file /etc/neutron/metadata_agent.ini \
       --config-file /etc/neutron/plugins/ml2/ml2_conf.ini
 {{- if eq .Values.network.backend "ovs" }} \
       --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini
diff --git a/neutron/templates/bin/_neutron-l3-agent.sh.tpl b/neutron/templates/bin/_neutron-l3-agent.sh.tpl
index 24aecd87ef..94d291b7d6 100644
--- a/neutron/templates/bin/_neutron-l3-agent.sh.tpl
+++ b/neutron/templates/bin/_neutron-l3-agent.sh.tpl
@@ -20,6 +20,7 @@ set -x
 exec neutron-l3-agent \
       --config-file /etc/neutron/neutron.conf \
       --config-file /etc/neutron/l3_agent.ini \
+      --config-file /etc/neutron/metadata_agent.ini \
       --config-file /etc/neutron/plugins/ml2/ml2_conf.ini
 {{- if eq .Values.network.backend "ovs" }} \
       --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini
diff --git a/neutron/templates/bin/_neutron-metadata-agent-init.sh.tpl b/neutron/templates/bin/_neutron-metadata-agent-init.sh.tpl
index 8d2408f699..795479b50d 100644
--- a/neutron/templates/bin/_neutron-metadata-agent-init.sh.tpl
+++ b/neutron/templates/bin/_neutron-metadata-agent-init.sh.tpl
@@ -18,13 +18,4 @@ limitations under the License.
 set -ex
 
-metadata_ip="{{- .Values.conf.metadata_agent.DEFAULT.nova_metadata_ip -}}"
-if [ -z "${metadata_ip}" ] ; then
-  metadata_ip=$(getent hosts metadata | awk '{print $1}')
-fi
-
-cat </tmp/pod-shared/neutron-metadata-agent.ini
-[DEFAULT]
-nova_metadata_ip=$metadata_ip
-EOF
-
+chown ${NEUTRON_USER_UID} /var/lib/neutron/openstack-helm
 
diff --git a/neutron/templates/bin/_neutron-metadata-agent.sh.tpl b/neutron/templates/bin/_neutron-metadata-agent.sh.tpl
index 0d532468eb..6f254ff38b 100644
--- a/neutron/templates/bin/_neutron-metadata-agent.sh.tpl
+++ b/neutron/templates/bin/_neutron-metadata-agent.sh.tpl
@@ -20,8 +20,7 @@ set -x
 exec neutron-metadata-agent \
       --config-file /etc/neutron/neutron.conf \
       --config-file /etc/neutron/metadata_agent.ini \
-      --config-file /etc/neutron/plugins/ml2/ml2_conf.ini \
-      --config-file /tmp/pod-shared/neutron-metadata-agent.ini
+      --config-file /etc/neutron/plugins/ml2/ml2_conf.ini
 {{- if eq .Values.network.backend "ovs" }} \
       --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini
 {{- end }}
diff --git a/neutron/templates/configmap-etc.yaml b/neutron/templates/configmap-etc.yaml
index 0460abd08d..8e5c02833e 100644
--- a/neutron/templates/configmap-etc.yaml
+++ b/neutron/templates/configmap-etc.yaml
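Review bot: `chown ${NEUTRON_USER_UID} /var/lib/neutron/openstack-helm` expands the uid unquoted, and if the variable is unset the command degrades to `chown /var/lib/neutron/openstack-helm`, which under `set -e` aborts with a generic missing-operand error instead of naming the missing setting; prefer `: "${NEUTRON_USER_UID:?NEUTRON_USER_UID must be set}"` followed by `chown "${NEUTRON_USER_UID}" /var/lib/neutron/openstack-helm`. The target is a hostPath that the L3 and DHCP agent pods also mount, so this changes ownership of node-level state for every consumer, and since chown is not recursive a `metadata_proxy` socket left behind by an earlier run presumably keeps its old owner; a comment stating that the directory is host-owned shared state and which process is expected to (re)create the socket would help. The same change is what forces the init container to run as root in daemonset-metadata-agent.yaml, so a one-line comment here explaining that dependency would stop a later cleanup from breaking it.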
@@ -84,6 +84,10 @@ limitations under the License.
 {{- set .Values.conf.neutron.nova "password" .Values.endpoints.identity.auth.nova.password | quote | trunc 0 -}}
 {{- end -}}
 
+{{- if empty .Values.conf.metadata_agent.DEFAULT.nova_metadata_ip -}}
+{{- tuple "compute_metadata" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" | set .Values.conf.metadata_agent.DEFAULT "nova_metadata_ip" | quote | trunc 0 -}}
+{{- set .Values.conf.metadata_agent.DEFAULT "nova_metadata_port" 80 | quote | trunc 0 -}}
+{{- end -}}
 {{- if empty .Values.conf.metadata_agent.cache.memcache_servers -}}
 {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.metadata_agent.cache "memcache_servers" | quote | trunc 0 -}}
 {{- end -}}
diff --git a/neutron/templates/daemonset-dhcp-agent.yaml b/neutron/templates/daemonset-dhcp-agent.yaml
index 2d788bf563..bffd449840 100644
--- a/neutron/templates/daemonset-dhcp-agent.yaml
+++ b/neutron/templates/daemonset-dhcp-agent.yaml
@@ -84,6 +84,10 @@ spec:
               mountPath: /etc/neutron/dnsmasq.conf
               subPath: dnsmasq.conf
               readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/metadata_agent.ini
+              subPath: metadata_agent.ini
+              readOnly: true
             - name: neutron-etc
               # NOTE (Portdirect): We mount here to override Kollas
               # custom sudoers file when using Kolla images, this
diff --git a/neutron/templates/daemonset-l3-agent.yaml b/neutron/templates/daemonset-l3-agent.yaml
index 9d7410c74c..1d1e410cd7 100644
--- a/neutron/templates/daemonset-l3-agent.yaml
+++ b/neutron/templates/daemonset-l3-agent.yaml
@@ -80,6 +80,10 @@ spec:
               mountPath: /etc/neutron/l3_agent.ini
               subPath: l3_agent.ini
               readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/metadata_agent.ini
+              subPath: metadata_agent.ini
+              readOnly: true
             - name: neutron-etc
               # NOTE (Portdirect): We mount here to override Kollas
               # custom sudoers file when using Kolla images, this
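Review bot: The new branch pins `nova_metadata_port` to the literal 80 and, together with the values.yaml hunk on L6 that drops the explicit `nova_metadata_protocol: http` entry, leaves the scheme at neutron's default, so the metadata agent always reaches the public `compute_metadata` FQDN over plain HTTP on port 80 however that endpoint is actually declared; metadata responses carry instance credentials and user-data, so an ingress that is exposed with TLS would still have this traffic sent in the clear. The port should come from the endpoint definition rather than a constant, e.g. `{{- tuple "compute_metadata" "public" "metadata" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.metadata_agent.DEFAULT "nova_metadata_port" | quote | trunc 0 -}}` (assuming the port is named `metadata` in the endpoint block), and the scheme should be set from the same source if helm-toolkit offers a lookup for it. Because the port is only set inside the `empty nova_metadata_ip` branch, an operator who overrides only the IP silently gets neutron's built-in default port instead of 80; a comment saying the two must be overridden together would avoid that surprise.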
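Review bot: Mounting `metadata_agent.ini` into the DHCP agent pod (and into the L3 agent pod in the following hunk) distributes `metadata_proxy_shared_secret` to two more DaemonSets on every network node, and the `neutron-etc` volume is, judging by configmap-etc.yaml, ConfigMap-backed, so the secret is readable by any principal with read access to ConfigMaps in the namespace rather than being gated by Secret RBAC. The mounts are needed, but the reason is not visible from the YAML; a comment on the new entry such as `# metadata_agent.ini carries the proxy socket path and shared secret needed by the metadata proxies this agent spawns` would explain it, and moving `metadata_agent.ini` to a Secret-backed volume is worth a follow-up.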
@@ -135,7 +139,7 @@ spec:
               mountPath: /lib/modules
               readOnly: true
             - name: socket
-              mountPath: /var/lib/neutron/stackanetes
+              mountPath: /var/lib/neutron/openstack-helm
 {{ if $mounts_neutron_l3_agent.volumeMounts }}{{ toYaml $mounts_neutron_l3_agent.volumeMounts | indent 12 }}{{ end }}
       volumes:
         - name: neutron-bin
@@ -156,6 +160,6 @@ spec:
             path: /lib/modules
         - name: socket
           hostPath:
-            path: /var/lib/neutron/stackanetes
+            path: /var/lib/neutron/openstack-helm
 {{ if $mounts_neutron_l3_agent.volumes }}{{ toYaml $mounts_neutron_l3_agent.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/neutron/templates/daemonset-metadata-agent.yaml b/neutron/templates/daemonset-metadata-agent.yaml
index a7a1d16c50..33e5a41917 100644
--- a/neutron/templates/daemonset-metadata-agent.yaml
+++ b/neutron/templates/daemonset-metadata-agent.yaml
@@ -50,7 +50,10 @@ spec:
           imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.agent.metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
           securityContext:
-            runAsUser: {{ .Values.pod.user.neutron.uid }}
+            runAsUser: 0
+          env:
+            - name: NEUTRON_USER_UID
+              value: "{{ .Values.pod.user.neutron.uid }}"
           command:
             - /tmp/neutron-metadata-agent-init.sh
           volumeMounts:
@@ -62,8 +65,8 @@ spec:
               mountPath: /etc/neutron/neutron.conf
               subPath: neutron.conf
               readOnly: true
-            - name: pod-shared
-              mountPath: /tmp/pod-shared
+            - name: socket
+              mountPath: /var/lib/neutron/openstack-helm
       containers:
         - name: neutron-metadata-agent
           image: {{ .Values.images.tags.neutron_metadata }}
@@ -72,8 +75,6 @@ spec:
           securityContext:
             runAsUser: {{ .Values.pod.user.neutron.uid }}
             privileged: true
-          ports:
-            - containerPort: {{ .Values.network.metadata.port }}
           command:
             - /tmp/neutron-metadata-agent.sh
           volumeMounts:
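Review bot: In the first daemonset-metadata-agent.yaml hunk the init container is moved from the neutron uid to `runAsUser: 0` so that the init script can `chown` the hostPath socket directory, but it keeps the full default capability set of a root container on a host-mounted path. Since the only elevated operation is that chown, the context should say so and be narrowed accordingly, e.g. `securityContext: {runAsUser: 0, capabilities: {drop: ["ALL"], add: ["CHOWN"]}}` (adding `DAC_OVERRIDE` only if the parent directories on the node turn out not to be searchable by root without it), with a comment such as `# root is required only to chown the hostPath socket dir; fsGroup does not apply to hostPath volumes`. The NEUTRON_USER_UID env entry is the contract the script relies on, so a comment pointing at _neutron-metadata-agent-init.sh.tpl would keep the two from drifting apart.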
@@ -153,10 +154,7 @@ spec:
               subPath: openvswitch-plugin.filters
               readOnly: true
             - name: socket
-              mountPath: /var/lib/neutron/stackanetes
-            - name: pod-shared
-              mountPath: /tmp/pod-shared
-              readOnly: true
+              mountPath: /var/lib/neutron/openstack-helm
 {{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 12 }}{{ end }}
       volumes:
         - name: neutron-bin
@@ -175,7 +173,5 @@ spec:
         - name: socket
           hostPath:
             path: /var/lib/neutron/openstack-helm
-        - name: pod-shared
-          emptyDir: {}
 {{ if $mounts_neutron_metadata_agent.volumes }}{{ toYaml $mounts_neutron_metadata_agent.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/neutron/values.yaml b/neutron/values.yaml
index a98cc10b72..1049e2491c 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -98,8 +98,6 @@ network:
     node_port:
       enabled: false
       port: 30096
-  metadata:
-    port: 8775
 
 bootstrap:
   enabled: false
@@ -914,7 +912,6 @@ conf:
       # service_plugin can be: router, odl-router, empty for calico,
       # networking_ovn.l3.l3_ovn.OVNL3RouterPlugin for OVN
       service_plugins: router
-      metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
       allow_automatic_l3agent_failover: True
       l3_ha: True
       min_l3_agents_per_router: 2
@@ -991,7 +988,6 @@ conf:
       # openvswitch or linuxbridge
       interface_driver: openvswitch
       dnsmasq_config_file: /etc/neutron/dnsmasq.conf
-      enable_isolated_metadata: True
       force_metadata: True
   l3_agent:
     DEFAULT:
@@ -999,15 +995,12 @@ conf:
       # openvswitch or linuxbridge
       interface_driver: openvswitch
       agent_mode: legacy
-      enable_metadata_proxy: True
-      enable_isolated_metadata: True
   metering_agent: null
   metadata_agent:
     DEFAULT:
-      # IF blank, set dynamically from metadata hosts
-      nova_metadata_ip:
-      nova_metadata_port: 80
-      nova_metadata_protocol: http
+      # we cannot change the proxy socket path as it is declared
+      # as a hostPath volume from agent daemonsets
+      metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
       metadata_proxy_shared_secret: "password"
     cache:
       enabled: true
diff --git a/nova/values.yaml b/nova/values.yaml
index 8cac1c777c..fee2f24956 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -940,7 +940,6 @@ conf:
       ram_allocation_ratio: 1.0
       disk_allocation_ratio: 1.0
       cpu_allocation_ratio: 3.0
-      force_config_drive: true
       state_path: /var/lib/nova
       osapi_compute_listen: 0.0.0.0
       osapi_compute_listen_port: 8774
diff --git a/tools/deployment/developer/common/900-use-it.sh b/tools/deployment/developer/common/900-use-it.sh
index edbd0a4e52..091907c5ac 100755
--- a/tools/deployment/developer/common/900-use-it.sh
+++ b/tools/deployment/developer/common/900-use-it.sh
@@ -95,3 +95,6 @@ wait_for_ssh_port $FLOATING_IP
 # SSH into the VM and check it can reach the outside world
 ssh-keyscan "$FLOATING_IP" >> ~/.ssh/known_hosts
 ssh -i ${HOME}/.ssh/osh_key cirros@${FLOATING_IP} ping -q -c 1 -W 2 ${OSH_BR_EX_ADDR%/*}
+
+# Check the VM can reach the metadata server
+ssh -i ${HOME}/.ssh/osh_key cirros@${FLOATING_IP} curl --verbose --connect-timeout 5 169.254.169.254
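Review bot: The new check in 900-use-it.sh, `curl --verbose --connect-timeout 5 169.254.169.254`, only fails when the TCP connection fails; curl exits 0 on an HTTP 4xx/5xx, so a proxy that answers but cannot complete the request against nova (a misconfigured secret or endpoint would presumably surface as a non-2xx) still passes the gate. Add `--fail` so a non-2xx status is reported as an error: `ssh -i ${HOME}/.ssh/osh_key cirros@${FLOATING_IP} curl --fail --verbose --connect-timeout 5 169.254.169.254`. Whether the script runs under `set -e` is outside the hunk; if it does not, the exit status of this line also needs to be checked explicitly for the check to mean anything.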