From aba33b344072d07d6e03f715f2050d8669fad767 Mon Sep 17 00:00:00 2001
From: Hyunsun Moon <hyunsun.moon@gmail.com>
Date: Thu, 25 Jan 2018 22:27:15 +0900
Subject: [PATCH] Neutron: make metadata proxy work

- corrected the path of "socket" volume, which is used for sharing
  metadata proxy unix socket among the agents
- and give neutron user permission to write to the dir
- set the default nova_metadata_ip to the full hostname of the metadata
  service so that it can be reached through the ingress
- removed unnecessary configurations from values

Change-Id: I4d20dc670fecebd9799851d659c5f42edb4821ac
Closes-Bug:1745370
---
 .../templates/bin/_neutron-dhcp-agent.sh.tpl   |  1 +
 neutron/templates/bin/_neutron-l3-agent.sh.tpl |  1 +
 .../bin/_neutron-metadata-agent-init.sh.tpl    | 11 +----------
 .../bin/_neutron-metadata-agent.sh.tpl         |  3 +--
 neutron/templates/configmap-etc.yaml           |  4 ++++
 neutron/templates/daemonset-dhcp-agent.yaml    |  4 ++++
 neutron/templates/daemonset-l3-agent.yaml      |  8 ++++++--
 .../templates/daemonset-metadata-agent.yaml    | 18 +++++++-----------
 neutron/values.yaml                            | 13 +++----------
 nova/values.yaml                               |  1 -
 .../deployment/developer/common/900-use-it.sh  |  3 +++
 11 files changed, 31 insertions(+), 36 deletions(-)

diff --git a/neutron/templates/bin/_neutron-dhcp-agent.sh.tpl b/neutron/templates/bin/_neutron-dhcp-agent.sh.tpl
index b073551212..48be1cd069 100644
--- a/neutron/templates/bin/_neutron-dhcp-agent.sh.tpl
+++ b/neutron/templates/bin/_neutron-dhcp-agent.sh.tpl
@@ -20,6 +20,7 @@ set -x
 exec neutron-dhcp-agent \
       --config-file /etc/neutron/neutron.conf \
       --config-file /etc/neutron/dhcp_agent.ini \
+      --config-file /etc/neutron/metadata_agent.ini \
       --config-file /etc/neutron/plugins/ml2/ml2_conf.ini
 {{- if eq .Values.network.backend "ovs" }} \
       --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini
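Review bot: Adding metadata_agent.ini to the dhcp agent's config chain (the new `--config-file` line) pulls the whole file, including `metadata_proxy_shared_secret`, into every dhcp and l3 agent pod, while the only key these agents appear to need from it is `metadata_proxy_socket`, which this patch moves into `conf.metadata_agent.DEFAULT`. If the dhcp and l3 agents do not consume the shared secret, the previous placement of `metadata_proxy_socket` in `conf.neutron.DEFAULT` (removed in the values.yaml hunk) already reached every agent via neutron.conf without widening where the secret is mounted; worth stating in a comment why the file-level mount was chosen. The same observation applies to the l3 agent script hunk and to the two daemonset hunks that mount `metadata_agent.ini` into the dhcp and l3 agents.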
diff --git a/neutron/templates/bin/_neutron-l3-agent.sh.tpl b/neutron/templates/bin/_neutron-l3-agent.sh.tpl
index 24aecd87ef..94d291b7d6 100644
--- a/neutron/templates/bin/_neutron-l3-agent.sh.tpl
+++ b/neutron/templates/bin/_neutron-l3-agent.sh.tpl
@@ -20,6 +20,7 @@ set -x
 exec neutron-l3-agent \
       --config-file /etc/neutron/neutron.conf \
       --config-file /etc/neutron/l3_agent.ini \
+      --config-file /etc/neutron/metadata_agent.ini \
       --config-file /etc/neutron/plugins/ml2/ml2_conf.ini
 {{- if eq .Values.network.backend "ovs" }} \
       --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini
diff --git a/neutron/templates/bin/_neutron-metadata-agent-init.sh.tpl b/neutron/templates/bin/_neutron-metadata-agent-init.sh.tpl
index 8d2408f699..795479b50d 100644
--- a/neutron/templates/bin/_neutron-metadata-agent-init.sh.tpl
+++ b/neutron/templates/bin/_neutron-metadata-agent-init.sh.tpl
@@ -18,13 +18,4 @@ limitations under the License.
 
 set -ex
 
-metadata_ip="{{- .Values.conf.metadata_agent.DEFAULT.nova_metadata_ip -}}"
-if [ -z "${metadata_ip}" ] ; then
-    metadata_ip=$(getent hosts metadata | awk '{print $1}')
-fi
-
-cat <<EOF>/tmp/pod-shared/neutron-metadata-agent.ini
-[DEFAULT]
-nova_metadata_ip=$metadata_ip
-EOF
-
+chown ${NEUTRON_USER_UID} /var/lib/neutron/openstack-helm
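Review bot: `chown ${NEUTRON_USER_UID} /var/lib/neutron/openstack-helm` leaves the variable unquoted and assumes the hostPath directory already exists, so under `set -ex` the init container fails if the env var is empty or the directory has not been created on the node (whether the runtime pre-creates an untyped hostPath is runtime-dependent). A more robust form is `mkdir -p /var/lib/neutron/openstack-helm` followed by `chown "${NEUTRON_USER_UID}" /var/lib/neutron/openstack-helm`. Because this is a host directory, the ownership granted here persists on the node beyond the pod's lifetime; a comment such as `# socket dir is a hostPath shared with the l3/dhcp agents; it must be writable by the neutron uid` records why this step needs root, and a restrictive mode is worth setting if the directory need not be world-readable.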
diff --git a/neutron/templates/bin/_neutron-metadata-agent.sh.tpl b/neutron/templates/bin/_neutron-metadata-agent.sh.tpl
index 0d532468eb..6f254ff38b 100644
--- a/neutron/templates/bin/_neutron-metadata-agent.sh.tpl
+++ b/neutron/templates/bin/_neutron-metadata-agent.sh.tpl
@@ -20,8 +20,7 @@ set -x
 exec neutron-metadata-agent \
       --config-file /etc/neutron/neutron.conf \
       --config-file /etc/neutron/metadata_agent.ini \
-      --config-file /etc/neutron/plugins/ml2/ml2_conf.ini \
-      --config-file /tmp/pod-shared/neutron-metadata-agent.ini
+      --config-file /etc/neutron/plugins/ml2/ml2_conf.ini
 {{- if eq .Values.network.backend "ovs" }} \
       --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini
 {{- end }}
diff --git a/neutron/templates/configmap-etc.yaml b/neutron/templates/configmap-etc.yaml
index 0460abd08d..8e5c02833e 100644
--- a/neutron/templates/configmap-etc.yaml
+++ b/neutron/templates/configmap-etc.yaml
@@ -84,6 +84,10 @@ limitations under the License.
 {{- set .Values.conf.neutron.nova "password" .Values.endpoints.identity.auth.nova.password | quote | trunc 0 -}}
 {{- end -}}
 
+{{- if empty .Values.conf.metadata_agent.DEFAULT.nova_metadata_ip -}}
+{{- tuple "compute_metadata" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" | set .Values.conf.metadata_agent.DEFAULT "nova_metadata_ip" | quote | trunc 0 -}}
+{{- set .Values.conf.metadata_agent.DEFAULT "nova_metadata_port" 80 | quote | trunc 0 -}}
+{{- end -}}
 {{- if empty .Values.conf.metadata_agent.cache.memcache_servers -}}
 {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.metadata_agent.cache "memcache_servers" | quote | trunc 0 -}}
 {{- end -}}
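Review bot: The hardcoded `80` on the `nova_metadata_port` line is applied only inside the `if empty nova_metadata_ip` branch; an operator who sets `nova_metadata_ip` explicitly now falls back to neutron's built-in default port (8775), because this patch also removes the `nova_metadata_port: 80` default from values.yaml, which is a silent behaviour change. Consider setting the port unconditionally, or deriving it from the `compute_metadata` endpoint definition (helm-toolkit provides an endpoint port lookup alongside the hostname lookup used here) so host and port cannot drift apart. `nova_metadata_protocol` is no longer set either, so the proxy-to-ingress hop is plain http unless overridden; since the X-Instance-ID signature headers travel over it, a values.yaml comment making that default explicit would help operators.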
diff --git a/neutron/templates/daemonset-dhcp-agent.yaml b/neutron/templates/daemonset-dhcp-agent.yaml
index 2d788bf563..bffd449840 100644
--- a/neutron/templates/daemonset-dhcp-agent.yaml
+++ b/neutron/templates/daemonset-dhcp-agent.yaml
@@ -84,6 +84,10 @@ spec:
               mountPath: /etc/neutron/dnsmasq.conf
               subPath: dnsmasq.conf
               readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/metadata_agent.ini
+              subPath: metadata_agent.ini
+              readOnly: true
             - name: neutron-etc
               # NOTE (Portdirect): We mount here to override Kollas
               # custom sudoers file when using Kolla images, this
diff --git a/neutron/templates/daemonset-l3-agent.yaml b/neutron/templates/daemonset-l3-agent.yaml
index 9d7410c74c..1d1e410cd7 100644
--- a/neutron/templates/daemonset-l3-agent.yaml
+++ b/neutron/templates/daemonset-l3-agent.yaml
@@ -80,6 +80,10 @@ spec:
               mountPath: /etc/neutron/l3_agent.ini
               subPath: l3_agent.ini
               readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/metadata_agent.ini
+              subPath: metadata_agent.ini
+              readOnly: true
             - name: neutron-etc
               # NOTE (Portdirect): We mount here to override Kollas
               # custom sudoers file when using Kolla images, this
@@ -135,7 +139,7 @@ spec:
               mountPath: /lib/modules
               readOnly: true
             - name: socket
-              mountPath: /var/lib/neutron/stackanetes
+              mountPath: /var/lib/neutron/openstack-helm
 {{ if $mounts_neutron_l3_agent.volumeMounts }}{{ toYaml $mounts_neutron_l3_agent.volumeMounts | indent 12 }}{{ end }}
       volumes:
         - name: neutron-bin
@@ -156,6 +160,6 @@ spec:
             path: /lib/modules
         - name: socket
           hostPath:
-            path: /var/lib/neutron/stackanetes
+            path: /var/lib/neutron/openstack-helm
 {{ if $mounts_neutron_l3_agent.volumes }}{{ toYaml $mounts_neutron_l3_agent.volumes | indent 8 }}{{ end }}
 {{- end }}
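Review bot: The `socket` hostPath at the changed `path:` line has no `type`, so whether `/var/lib/neutron/openstack-helm` is created on a fresh node, and by whom, is left to the runtime; with the metadata-agent init script now chowning this directory, making creation explicit with `type: DirectoryOrCreate` under `hostPath` avoids a first-boot ordering problem between the l3 agent and the metadata agent. The same volume definition is repeated in daemonset-metadata-agent.yaml and would benefit from the same attribute.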
diff --git a/neutron/templates/daemonset-metadata-agent.yaml b/neutron/templates/daemonset-metadata-agent.yaml
index a7a1d16c50..33e5a41917 100644
--- a/neutron/templates/daemonset-metadata-agent.yaml
+++ b/neutron/templates/daemonset-metadata-agent.yaml
@@ -50,7 +50,10 @@ spec:
           imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.agent.metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
           securityContext:
-            runAsUser: {{ .Values.pod.user.neutron.uid }}
+            runAsUser: 0
+          env:
+            - name: NEUTRON_USER_UID
+              value: "{{ .Values.pod.user.neutron.uid }}"
           command:
             - /tmp/neutron-metadata-agent-init.sh
           volumeMounts:
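Review bot: The init container is raised to `runAsUser: 0` at the securityContext line solely so the init script can chown a host directory, and nothing in the hunk records that intent; a comment such as `# NOTE: root is needed only to chown the hostPath socket dir to the neutron uid` next to `runAsUser: 0` tells the next reader the elevation is deliberate and bounded. Root here is not `privileged`, but it does write to the node filesystem, so the init script should stay limited to that single operation. The quoting of the `NEUTRON_USER_UID` value is correct and prevents the uid from being parsed as an integer.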
@@ -62,8 +65,8 @@ spec:
               mountPath: /etc/neutron/neutron.conf
               subPath: neutron.conf
               readOnly: true
-            - name: pod-shared
-              mountPath: /tmp/pod-shared
+            - name: socket
+              mountPath: /var/lib/neutron/openstack-helm
       containers:
         - name: neutron-metadata-agent
           image: {{ .Values.images.tags.neutron_metadata }}
@@ -72,8 +75,6 @@ spec:
           securityContext:
             runAsUser: {{ .Values.pod.user.neutron.uid }}
             privileged: true
-          ports:
-            - containerPort: {{ .Values.network.metadata.port }}
           command:
             - /tmp/neutron-metadata-agent.sh
           volumeMounts:
@@ -153,10 +154,7 @@ spec:
               subPath: openvswitch-plugin.filters
               readOnly: true
             - name: socket
-              mountPath: /var/lib/neutron/stackanetes
-            - name: pod-shared
-              mountPath: /tmp/pod-shared
-              readOnly: true
+              mountPath: /var/lib/neutron/openstack-helm
 {{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 12 }}{{ end }}
       volumes:
         - name: neutron-bin
@@ -175,7 +173,5 @@ spec:
         - name: socket
           hostPath:
             path: /var/lib/neutron/openstack-helm
-        - name: pod-shared
-          emptyDir: {}
 {{ if $mounts_neutron_metadata_agent.volumes }}{{ toYaml $mounts_neutron_metadata_agent.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/neutron/values.yaml b/neutron/values.yaml
index a98cc10b72..1049e2491c 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -98,8 +98,6 @@ network:
     node_port:
       enabled: false
       port: 30096
-  metadata:
-    port: 8775
 
 bootstrap:
   enabled: false
@@ -914,7 +912,6 @@ conf:
       # service_plugin can be: router, odl-router, empty for calico,
       # networking_ovn.l3.l3_ovn.OVNL3RouterPlugin for OVN
       service_plugins: router
-      metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
       allow_automatic_l3agent_failover: True
       l3_ha: True
       min_l3_agents_per_router: 2
@@ -991,7 +988,6 @@ conf:
       # openvswitch or linuxbridge
       interface_driver: openvswitch
       dnsmasq_config_file: /etc/neutron/dnsmasq.conf
-      enable_isolated_metadata: True
       force_metadata: True
   l3_agent:
     DEFAULT:
@@ -999,15 +995,12 @@ conf:
       # openvswitch or linuxbridge
       interface_driver: openvswitch
       agent_mode: legacy
-      enable_metadata_proxy: True
-      enable_isolated_metadata: True
   metering_agent: null
   metadata_agent:
     DEFAULT:
-      # IF blank, set dynamically from metadata hosts
-      nova_metadata_ip:
-      nova_metadata_port: 80
-      nova_metadata_protocol: http
+      # we cannot change the proxy socket path as it is declared
+      # as a hostPath volume from agent daemonsets
+      metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
       metadata_proxy_shared_secret: "password"
     cache:
       enabled: true
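Review bot: The new comment above `metadata_proxy_socket` says the path cannot be changed but not where it is pinned; `# must match the 'socket' hostPath in daemonset-l3-agent.yaml and daemonset-metadata-agent.yaml` is more actionable for whoever next touches it. Separately, now that metadata_agent.ini is mounted into the dhcp and l3 agents as well, the pre-existing `metadata_proxy_shared_secret: "password"` default directly below is distributed to more pods than before; a comment reminding operators to override it in production would fit here.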
diff --git a/nova/values.yaml b/nova/values.yaml
index 8cac1c777c..fee2f24956 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -940,7 +940,6 @@ conf:
       ram_allocation_ratio: 1.0
       disk_allocation_ratio: 1.0
       cpu_allocation_ratio: 3.0
-      force_config_drive: true
       state_path: /var/lib/nova
       osapi_compute_listen: 0.0.0.0
       osapi_compute_listen_port: 8774
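Review bot: Dropping `force_config_drive: true` is a nova behaviour change (instances no longer receive a config drive unless requested at boot, so cloud-init depends entirely on the network metadata path) that the commit message summarises only as "removed unnecessary configurations from values". If the intent is to force the metadata proxy to be exercised, say so in the message or in a values.yaml comment, since operators who relied on the config drive as a fallback will notice only when the proxy is unreachable. The enclosing `conf.nova.DEFAULT` mapping starts outside the hunk.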
diff --git a/tools/deployment/developer/common/900-use-it.sh b/tools/deployment/developer/common/900-use-it.sh
index edbd0a4e52..091907c5ac 100755
--- a/tools/deployment/developer/common/900-use-it.sh
+++ b/tools/deployment/developer/common/900-use-it.sh
@@ -95,3 +95,6 @@ wait_for_ssh_port $FLOATING_IP
 # SSH into the VM and check it can reach the outside world
 ssh-keyscan "$FLOATING_IP" >> ~/.ssh/known_hosts
 ssh -i ${HOME}/.ssh/osh_key cirros@${FLOATING_IP} ping -q -c 1 -W 2 ${OSH_BR_EX_ADDR%/*}
+
+# Check the VM can reach the metadata server
+ssh -i ${HOME}/.ssh/osh_key cirros@${FLOATING_IP} curl --verbose --connect-timeout 5 169.254.169.254
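Review bot: The new curl check on the last line does not pass `--fail`, so an HTTP error from the proxy chain (for example a shared-secret or signature mismatch surfacing as a 4xx/5xx) still exits 0 and the script reports success. `curl --fail --silent --show-error --connect-timeout 5 169.254.169.254/latest/meta-data/instance-id` verifies that the request reached nova and was authorised, rather than only that something answered on the link-local address. A comment such as `# --fail makes proxy-side HTTP errors fail the check` documents why the flag matters.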