From ca88364175fe5177cecbb479a157d7329db05d8a Mon Sep 17 00:00:00 2001 From: Bogdan Dobrelya Date: Mon, 16 Oct 2017 15:42:42 +0200 Subject: Support separate data network for Flannel SDN (#757) * Support separate data network for Flannel SDN Document the use case for a separate flannel data network. Allow Nova servers for openshift cluster to be provisioned with that isolated data network created and connected to masters, computes and infra nodes. Do not configure dns nameservers and router for that network. Signed-off-by: Bogdan Dobrelya * Fix flannel use cases with provider network Provider network cannot be used with flannel SDN as the latter requires a separate isolated network, while the provider network is an externally managed single network. Signed-off-by: Bogdan Dobrelya * Drop unused data_net_name Signed-off-by: Bogdan Dobrelya --- roles/openstack-stack/templates/heat_stack.yaml.j2 | 31 ++++++++++++ .../templates/heat_stack_server.yaml.j2 | 57 ++++++++++++++++++++++ .../templates/heat_stack_server_nofloating.yaml.j2 | 55 +++++++++++++++++++++ 3 files changed, 143 insertions(+) (limited to 'roles') diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2 index a6b088efb..1f1e33cf2 100644 --- a/roles/openstack-stack/templates/heat_stack.yaml.j2 +++ b/roles/openstack-stack/templates/heat_stack.yaml.j2 @@ -113,6 +113,22 @@ resources: - {{ nameserver }} {% endfor %} +{% if openshift_use_flannel|default(False)|bool %} + data_net: + type: OS::Neutron::Net + properties: + name: openshift-ansible-{{ stack_name }}-data-net + port_security_enabled: false + + data_subnet: + type: OS::Neutron::Subnet + properties: + name: openshift-ansible-{{ stack_name }}-data-subnet + network: { get_resource: data_net } + cidr: {{ osm_cluster_network_cidr|default('10.128.0.0/14') }} + gateway_ip: null +{% endif %} + router: type: OS::Neutron::Router properties: 
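Review bot: `port_security_enabled: false` on `data_net` turns off security-group filtering and MAC/IP anti-spoofing for every port on the data network, and nothing in the hunk records why. Flannel traffic carries pod addresses that do not match the port's fixed IP, which is presumably the reason. The effect is that any instance attached to this network can reach every listening port on every master, compute and infra node over it, so host firewalls become the only control there. Consider a comment above the property such as `# flannel: pod IPs differ from the port IP, so anti-spoofing is off; host iptables is the only filter on this net`, or keep port security on and list the cluster CIDR in `allowed_address_pairs` on the data ports. The same setting is repeated on `data_port` in heat_stack_server.yaml.j2 and heat_stack_server_nofloating.yaml.j2.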
@@ -641,6 +657,11 @@ resources: template: openshift-ansible-cluster_id-net params: cluster_id: {{ stack_name }} +{% if openshift_use_flannel|default(False)|bool %} + attach_data_net: true + data_net: { get_resource: data_net } + data_subnet: { get_resource: data_subnet } +{% endif %} {% endif %} secgrp: {% if openstack_flat_secgrp|default(False)|bool %} @@ -713,6 +734,11 @@ resources: template: openshift-ansible-cluster_id-net params: cluster_id: {{ stack_name }} +{% if openshift_use_flannel|default(False)|bool %} + attach_data_net: true + data_net: { get_resource: data_net } + data_subnet: { get_resource: data_subnet } +{% endif %} {% endif %} secgrp: - { get_resource: {% if openstack_flat_secgrp|default(False)|bool %}flat-secgrp{% else %}node-secgrp{% endif %} } @@ -767,6 +793,11 @@ resources: template: openshift-ansible-cluster_id-net params: cluster_id: {{ stack_name }} +{% if openshift_use_flannel|default(False)|bool %} + attach_data_net: true + data_net: { get_resource: data_net } + data_subnet: { get_resource: data_subnet } +{% endif %} {% endif %} secgrp: # TODO(bogdando) filter only required node rules into infra-secgrp diff --git a/roles/openstack-stack/templates/heat_stack_server.yaml.j2 b/roles/openstack-stack/templates/heat_stack_server.yaml.j2 index 66c2491a9..6552e0a0d 100644 --- a/roles/openstack-stack/templates/heat_stack_server.yaml.j2 +++ b/roles/openstack-stack/templates/heat_stack_server.yaml.j2 @@ -68,6 +68,28 @@ parameters: description: Subnet resource {% endif %} +{% if openshift_use_flannel|default(False)|bool %} + attach_data_net: + type: boolean + default: false + label: Attach-data-net + description: A switch for data port connection + + data_net: + type: string + default: '' + label: Net ID + description: Net resource + +{% if not provider_network %} + data_subnet: + type: string + default: '' + label: Subnet ID + description: Subnet resource +{% endif %} +{% endif %} + secgrp: type: comma_delimited_list label: Security groups 
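Review bot: The new `data_net` and `data_subnet` parameters in heat_stack_server.yaml.j2 reuse the labels and descriptions of the existing `net` and `subnet` parameters (`Net ID` / `Net resource`, `Subnet ID` / `Subnet resource`), so the two pairs cannot be told apart in a stack's parameter listing. Distinct text would help, for example `label: Data net ID` with `description: Flannel data network (Neutron port security disabled)`, and the matching wording for the subnet. The same applies to the copy in heat_stack_server_nofloating.yaml.j2. The `parameters:` section starts outside the hunk.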
@@ -133,6 +155,11 @@ outputs: {% endif %} - addr +{% if openshift_use_flannel|default(False)|bool %} +conditions: + no_data_subnet: {not: { get_param: attach_data_net} } +{% endif %} + resources: server: @@ -143,10 +170,27 @@ resources: image: { get_param: image } flavor: { get_param: flavor } networks: +{% if openshift_use_flannel|default(False)|bool %} + if: + - no_data_subnet +{% if use_trunk_ports|default(false)|bool %} + - - port: { get_attr: [trunk-port, port_id] } +{% else %} + - - port: { get_resource: port } +{% endif %} +{% if use_trunk_ports|default(false)|bool %} + - - port: { get_attr: [trunk-port, port_id] } +{% else %} + - - port: { get_resource: port } + - port: { get_resource: data_port } +{% endif %} + +{% else %} {% if use_trunk_ports|default(false)|bool %} - port: { get_attr: [trunk-port, port_id] } {% else %} - port: { get_resource: port } +{% endif %} {% endif %} user_data: get_file: user-data @@ -179,6 +223,19 @@ resources: {% endif %} security_groups: { get_param: secgrp } +{% if openshift_use_flannel|default(False)|bool %} + data_port: + type: OS::Neutron::Port + condition: { not: no_data_subnet } + properties: + network: { get_param: data_net } + port_security_enabled: false +{% if not provider_network %} + fixed_ips: + - subnet: { get_param: data_subnet } +{% endif %} +{% endif %} + {% if not provider_network %} floating-ip: type: OS::Neutron::FloatingIP diff --git a/roles/openstack-stack/templates/heat_stack_server_nofloating.yaml.j2 b/roles/openstack-stack/templates/heat_stack_server_nofloating.yaml.j2 index 4b79d5ab6..742d53649 100644 --- a/roles/openstack-stack/templates/heat_stack_server_nofloating.yaml.j2 +++ b/roles/openstack-stack/templates/heat_stack_server_nofloating.yaml.j2 
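Review bot: The condition added under `conditions:` is named `no_data_subnet` but is computed from `attach_data_net`, and `data_port` negates it again with `condition: { not: no_data_subnet }`. A reader has to unwind two negations over a name that refers to the wrong thing. A positive condition reads directly: `attach_data: { get_param: attach_data_net }` in `conditions:` and `condition: attach_data` on the port, with the two `if` branches under `networks:` swapped. That also avoids depending on an inline expression in a resource `condition`, which may not be accepted by every Heat release — worth confirming against the `heat_template_version` in use. The same naming is used in heat_stack_server_nofloating.yaml.j2.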
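Review bot: When `use_trunk_ports` is true, both branches of the new `if: [no_data_subnet, …]` under `networks:` render the same single trunk-port entry, so `data_port` is never attached to the server even with `attach_data_net: true`. The `data_port` resource is still created by the later hunk, which leaves an unattached port with port security disabled on the data network. If flannel with trunk ports is meant to work, the second branch needs `- port: { get_resource: data_port }` after the trunk entry. If the combination is unsupported, fail template generation for it rather than render a stack that silently lacks the data interface. The same block appears in heat_stack_server_nofloating.yaml.j2, and the `server` resource continues outside the hunk.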
@@ -66,6 +66,26 @@ parameters: label: Subnet ID description: Subnet resource +{% if openshift_use_flannel|default(False)|bool %} + attach_data_net: + type: boolean + default: false + label: Attach-data-net + description: A switch for data port connection + + data_net: + type: string + default: '' + label: Net ID + description: Net resource + + data_subnet: + type: string + default: '' + label: Subnet ID + description: Subnet resource +{% endif %} + secgrp: type: comma_delimited_list label: Security groups @@ -110,6 +130,11 @@ outputs: - 0 - addr +{% if openshift_use_flannel|default(False)|bool %} +conditions: + no_data_subnet: {not: { get_param: attach_data_net} } +{% endif %} + resources: server_nofloating: @@ -120,10 +145,27 @@ resources: image: { get_param: image } flavor: { get_param: flavor } networks: +{% if openshift_use_flannel|default(False)|bool %} + if: + - no_data_subnet +{% if use_trunk_ports|default(false)|bool %} + - - port: { get_attr: [trunk-port, port_id] } +{% else %} + - - port: { get_resource: port } +{% endif %} +{% if use_trunk_ports|default(false)|bool %} + - - port: { get_attr: [trunk-port, port_id] } +{% else %} + - - port: { get_resource: port } + - port: { get_resource: data_port } +{% endif %} + +{% else %} {% if use_trunk_ports|default(false)|bool %} - port: { get_attr: [trunk-port, port_id] } {% else %} - port: { get_resource: port } +{% endif %} {% endif %} user_data: get_file: user-data @@ -154,6 +196,19 @@ resources: - subnet: { get_param: subnet } security_groups: { get_param: secgrp } +{% if openshift_use_flannel|default(False)|bool %} + data_port: + type: OS::Neutron::Port + condition: { not: no_data_subnet } + properties: + network: { get_param: data_net } + port_security_enabled: false +{% if not provider_network %} + fixed_ips: + - subnet: { get_param: data_subnet } +{% endif %} +{% endif %} + {% if not ephemeral_volumes|default(false)|bool %} cinder_volume: type: OS::Cinder::Volume -- cgit v1.2.3 
From e89bd6b1cb32ad52f0109f80022e801943b51893 Mon Sep 17 00:00:00 2001 From: Bogdan Dobrelya Date: Tue, 17 Oct 2017 10:12:59 +0200 Subject: [WIP] Merge server with nofloating server heat templates (#761) Merge server with nofloating server heat templates --- roles/openstack-stack/tasks/generate-templates.yml | 6 - roles/openstack-stack/templates/heat_stack.yaml.j2 | 42 ++-- .../templates/heat_stack_server.yaml.j2 | 12 +- .../templates/heat_stack_server_nofloating.yaml.j2 | 225 --------------------- 4 files changed, 35 insertions(+), 250 deletions(-) delete mode 100644 roles/openstack-stack/templates/heat_stack_server_nofloating.yaml.j2 (limited to 'roles') diff --git a/roles/openstack-stack/tasks/generate-templates.yml b/roles/openstack-stack/tasks/generate-templates.yml index 110da8444..0ff50a095 100644 --- a/roles/openstack-stack/tasks/generate-templates.yml +++ b/roles/openstack-stack/tasks/generate-templates.yml @@ -20,12 +20,6 @@ src: heat_stack_server.yaml.j2 dest: "{{ stack_template_pre.path }}/server.yaml" -- name: generate HOT server w/o floating IPs template from jinja2 template - template: - src: heat_stack_server_nofloating.yaml.j2 - dest: "{{ stack_template_pre.path }}/server_nofloating.yaml" - when: use_bastion|bool - - name: generate user_data from jinja2 template template: src: user_data.j2 diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2 index 1f1e33cf2..a69b7fc00 100644 --- a/roles/openstack-stack/templates/heat_stack.yaml.j2 +++ b/roles/openstack-stack/templates/heat_stack.yaml.j2 @@ -71,6 +71,9 @@ outputs: value: { get_attr: [ dns, private_ip ] } {% endif %} +conditions: + no_floating: {% if provider_network or use_bastion|bool %}true{% else %}false{% endif %} + resources: {% if not provider_network %} 
@@ -504,11 +507,7 @@ resources: properties: count: {{ num_etcd }} resource_def: -{% if use_bastion|bool %} - type: server_nofloating.yaml -{% else %} type: server.yaml -{% endif %} properties: name: str_replace: @@ -543,8 +542,13 @@ resources: secgrp: - { get_resource: {% if openstack_flat_secgrp|default(False)|bool %}flat-secgrp{% else %}etcd-secgrp{% endif %} } - { get_resource: common-secgrp } -{% if not use_bastion|bool and not provider_network %} - floating_network: {{ external_network }} + floating_network: + if: + - no_floating + - null + - {{ external_network }} +{% if use_bastion|bool or provider_network %} + attach_float_net: false {% endif %} volume_size: {{ etcd_volume_size }} {% if not provider_network %} @@ -622,11 +626,7 @@ resources: properties: count: {{ num_masters }} resource_def: -{% if use_bastion|bool %} - type: server_nofloating.yaml -{% else %} type: server.yaml -{% endif %} properties: name: str_replace: @@ -674,8 +674,13 @@ resources: {% endif %} {% endif %} - { get_resource: common-secgrp } -{% if not use_bastion|bool and not provider_network %} - floating_network: {{ external_network }} + floating_network: + if: + - no_floating + - null + - {{ external_network }} +{% if use_bastion|bool or provider_network %} + attach_float_net: false {% endif %} volume_size: {{ master_volume_size }} {% if master_server_group_policies|length > 0 %} @@ -694,11 +699,7 @@ resources: removal_policies: - resource_list: {{ nodes_to_remove }} resource_def: -{% if use_bastion|bool %} - type: server_nofloating.yaml -{% else %} type: server.yaml -{% endif %} properties: name: str_replace: 
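Review bot: In the `@@ -543,8 +542,13 @@` hunk `floating_network:` is now passed to `server.yaml` unconditionally, including when `provider_network` is set, but heat_stack_server.yaml.j2 still declares the `floating_network` parameter only inside `{% if not provider_network %}` (visible in its `@@ -95,9 +95,17 @@` hunk). A nested-stack property with no matching parameter is normally rejected at validation, so provider-network deployments look likely to fail; the removed `{% if not use_bastion|bool and not provider_network %}` guard avoided this. Also, `no_floating` is rendered by Jinja to a constant `true`/`false`, so the Heat `if` adds nothing over a Jinja branch and passes `null` to a string parameter in the bastion case. Keeping `{% if not provider_network %}` around the property and passing `attach_float_net` explicitly in both cases would be simpler. The same change is repeated in the `@@ -674,8 +674,13 @@` and `@@ -743,8 +744,13 @@` hunks.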
@@ -743,8 +744,13 @@ resources: secgrp: - { get_resource: {% if openstack_flat_secgrp|default(False)|bool %}flat-secgrp{% else %}node-secgrp{% endif %} } - { get_resource: common-secgrp } -{% if not use_bastion|bool and not provider_network %} - floating_network: {{ external_network }} + floating_network: + if: + - no_floating + - null + - {{ external_network }} +{% if use_bastion|bool or provider_network %} + attach_float_net: false {% endif %} volume_size: {{ node_volume_size }} {% if not provider_network %} diff --git a/roles/openstack-stack/templates/heat_stack_server.yaml.j2 b/roles/openstack-stack/templates/heat_stack_server.yaml.j2 index 6552e0a0d..9ffe721a5 100644 --- a/roles/openstack-stack/templates/heat_stack_server.yaml.j2 +++ b/roles/openstack-stack/templates/heat_stack_server.yaml.j2 @@ -95,9 +95,17 @@ parameters: label: Security groups description: Security group resources + attach_float_net: + type: boolean + default: true + + label: Attach-float-net + description: A switch for floating network port connection + {% if not provider_network %} floating_network: type: string + default: '' label: Floating network description: Network to allocate floating IP from {% endif %} @@ -155,8 +163,9 @@ outputs: {% endif %} - addr -{% if openshift_use_flannel|default(False)|bool %} conditions: + no_floating: {not: { get_param: attach_float_net} } +{% if openshift_use_flannel|default(False)|bool %} no_data_subnet: {not: { get_param: attach_data_net} } {% endif %} @@ -238,6 +247,7 @@ resources: {% if not provider_network %} floating-ip: + condition: { not: no_floating } type: OS::Neutron::FloatingIP properties: floating_network: { get_param: floating_network } diff --git a/roles/openstack-stack/templates/heat_stack_server_nofloating.yaml.j2 b/roles/openstack-stack/templates/heat_stack_server_nofloating.yaml.j2 deleted file mode 100644 index 742d53649..000000000 --- a/roles/openstack-stack/templates/heat_stack_server_nofloating.yaml.j2 +++ /dev/null 
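Review bot: `attach_float_net` in heat_stack_server.yaml.j2 defaults to `true`, so whether a server gets a public floating IP now depends on every caller remembering to pass `attach_float_net: false`; before this commit the bastion case used a separate template with no floating IP resource at all. A default of `false`, with heat_stack.yaml.j2 passing `attach_float_net: true` only where exposure is intended, fails closed if a resource definition is added or edited later. There is also a stray blank line between `default: true` and `label:` in the added parameter. The `floating-ip` hunk gates only that resource; anything else that references `floating-ip` (outputs, for example) lies outside the hunks and needs checking against the condition.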
@@ -1,225 +0,0 @@ -heat_template_version: 2016-10-14 - -description: OpenShift cluster server w/o floating IP - -parameters: - - name: - type: string - label: Name - description: Name - - group: - type: string - label: Host Group - description: The Primary Ansible Host Group - default: host - - cluster_env: - type: string - label: Cluster environment - description: Environment of the cluster - - cluster_id: - type: string - label: Cluster ID - description: Identifier of the cluster - - type: - type: string - label: Type - description: Type master or node - - subtype: - type: string - label: Sub-type - description: Sub-type compute or infra for nodes, default otherwise - default: default - - key_name: - type: string - label: Key name - description: Key name of keypair - - image: - type: string - label: Image - description: Name of the image - - flavor: - type: string - label: Flavor - description: Name of the flavor - - net: - type: string - label: Net ID - description: Net resource - - net_name: - type: string - label: Net name - description: Net name - - subnet: - type: string - label: Subnet ID - description: Subnet resource - -{% if openshift_use_flannel|default(False)|bool %} - attach_data_net: - type: boolean - default: false - label: Attach-data-net - description: A switch for data port connection - - data_net: - type: string - default: '' - label: Net ID - description: Net resource - - data_subnet: - type: string - default: '' - label: Subnet ID - description: Subnet resource -{% endif %} - - secgrp: - type: comma_delimited_list - label: Security groups - description: Security group resources - - availability_zone: - type: string - description: The Availability Zone to launch the instance. - default: nova - - volume_size: - type: number - description: Size of the volume to be created. - default: 1 - constraints: - - range: { min: 1, max: 1024 } - description: must be between 1 and 1024 Gb. 
- - node_labels: - type: json - description: OpenShift Node Labels - default: {"region": "default" } - - scheduler_hints: - type: json - description: Server scheduler hints. - default: {} - -outputs: - - name: - description: Name of the server - value: { get_attr: [ server_nofloating, name ] } - - private_ip: - description: Private IP of the server - value: - get_attr: - - server_nofloating - - addresses - - { get_param: net_name } - - 0 - - addr - -{% if openshift_use_flannel|default(False)|bool %} -conditions: - no_data_subnet: {not: { get_param: attach_data_net} } -{% endif %} - -resources: - - server_nofloating: - type: OS::Nova::Server - properties: - name: { get_param: name } - key_name: { get_param: key_name } - image: { get_param: image } - flavor: { get_param: flavor } - networks: -{% if openshift_use_flannel|default(False)|bool %} - if: - - no_data_subnet -{% if use_trunk_ports|default(false)|bool %} - - - port: { get_attr: [trunk-port, port_id] } -{% else %} - - - port: { get_resource: port } -{% endif %} -{% if use_trunk_ports|default(false)|bool %} - - - port: { get_attr: [trunk-port, port_id] } -{% else %} - - - port: { get_resource: port } - - port: { get_resource: data_port } -{% endif %} - -{% else %} -{% if use_trunk_ports|default(false)|bool %} - - port: { get_attr: [trunk-port, port_id] } -{% else %} - - port: { get_resource: port } -{% endif %} -{% endif %} - user_data: - get_file: user-data - user_data_format: RAW - user_data_update_policy: IGNORE - metadata: - group: { get_param: group } - environment: { get_param: cluster_env } - clusterid: { get_param: cluster_id } - host-type: { get_param: type } - sub-host-type: { get_param: subtype } - node_labels: { get_param: node_labels } - scheduler_hints: { get_param: scheduler_hints } - -{% if use_trunk_ports|default(false)|bool %} - trunk-port: - type: OS::Neutron::Trunk - properties: - name: { get_param: name } - port: { get_resource: port } -{% endif %} - - port: - type: OS::Neutron::Port - 
properties: - network: { get_param: net } - fixed_ips: - - subnet: { get_param: subnet } - security_groups: { get_param: secgrp } - -{% if openshift_use_flannel|default(False)|bool %} - data_port: - type: OS::Neutron::Port - condition: { not: no_data_subnet } - properties: - network: { get_param: data_net } - port_security_enabled: false -{% if not provider_network %} - fixed_ips: - - subnet: { get_param: data_subnet } -{% endif %} -{% endif %} - -{% if not ephemeral_volumes|default(false)|bool %} - cinder_volume: - type: OS::Cinder::Volume - properties: - size: { get_param: volume_size } - availability_zone: { get_param: availability_zone } - - volume_attachment: - type: OS::Cinder::VolumeAttachment - properties: - volume_id: { get_resource: cinder_volume } - instance_uuid: { get_resource: server_nofloating } - mountpoint: /dev/sdb -{% endif %} -- cgit v1.2.3 From 8d14089a84119d4b824bfea991099941122a2c12 Mon Sep 17 00:00:00 2001 From: Chandler Wilkerson Date: Tue, 17 Oct 2017 07:53:18 -0500 Subject: Docker storage fix (#812) * Added task to stop docker before templating config * Rearranged storage roles in rhv install --- roles/docker-storage-setup/tasks/main.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'roles') diff --git a/roles/docker-storage-setup/tasks/main.yaml b/roles/docker-storage-setup/tasks/main.yaml index 209062ca7..dbff85662 100644 --- a/roles/docker-storage-setup/tasks/main.yaml +++ b/roles/docker-storage-setup/tasks/main.yaml @@ -1,4 +1,7 @@ --- +- name: stop docker + service: name=docker state=stopped + - block: - name: create the docker-storage config file template: @@ -7,7 +10,6 @@ owner: root group: root mode: 0644 - when: - ansible_distribution_version | version_compare('7.4', '>=') - ansible_distribution == "RedHat" @@ -20,7 +22,6 @@ owner: root group: root mode: 0644 - when: - ansible_distribution_version | version_compare('7.4', '<') - ansible_distribution == "RedHat" -- cgit v1.2.3 
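Review bot: The added `stop docker` task in roles/docker-storage-setup/tasks/main.yaml sits outside the `block` and has no `when`, so it stops the daemon, and with it every container on the host, on each run of the role. That includes hosts that match neither RedHat condition and runs where the storage config would not change. Nothing in the visible hunks starts docker again; if a later task or role does, a comment here should say so. Consider gating the stop on the same distribution check, or registering the template results and stopping only when one of them reports `changed`. The rest of the role lies outside the hunks.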
From d2ff422b284f04b8a19ad4c6aa388ba397d915e1 Mon Sep 17 00:00:00 2001 From: Bogdan Dobrelya Date: Wed, 18 Oct 2017 12:53:31 +0200 Subject: Add Flannel support (#814) * Add flannel support * Document Flannel SDN use case for a separate data network. * Add post install step for flannel SDN * Configure iptables rules as described for OCP 3.4 refarch https://access.redhat.com/documentation/en-us/reference_architectures/2017/html/deploying_red_hat_openshift_container_platform_3.4_on_red_hat_openstack_platform_10/emphasis_manual_deployment_emphasis#run_ansible_installer * Configure flannel interface options Signed-off-by: Bogdan Dobrelya * Use os_firewall from galaxy for required flannel rules For flannel SDN: * Add openshift-ansible as a galaxy dependency module. * Use openshift-ansible/roles/os_firewall to apply DNS rules for flanel SDN. * Apply the remaining advanced rules with direct iptables commands as os_firewall do not support advanced rules. * Persist only iptables rules w/o dynamic KUBe rules. Those are added runtime and need restoration after reboot or iptables restart. * Configure and enable the masked iptables service on the app nodes. Enable it to allow the in-memory rules to be persisted. Disable firewalld, which is the expected default behavior of the os_firewall module. Signed-off-by: Bogdan Dobrelya * Allow access from nodes to masters' port 2379 when using flannel Flannel requires to gather information from etcd to configure and assign the subnets in the nodes, therefore, allow access from nodes to port 2379/tcp to the master security group. Signed-off-by: Bogdan Dobrelya --- roles/openstack-stack/templates/heat_stack.yaml.j2 | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'roles') diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2 index a69b7fc00..2359842a5 100644 --- a/roles/openstack-stack/templates/heat_stack.yaml.j2 +++ b/roles/openstack-stack/templates/heat_stack.yaml.j2 
@@ -341,6 +341,12 @@ resources: protocol: tcp port_range_min: 9090 port_range_max: 9090 +{% if openshift_use_flannel|default(False)|bool %} + - direction: ingress + protocol: tcp + port_range_min: 2379 + port_range_max: 2379 +{% endif %} etcd-secgrp: type: OS::Neutron::SecurityGroup -- cgit v1.2.3
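Review bot: The added rule for 2379/tcp carries no `remote_group_id` or `remote_ip_prefix`, so as written it admits the etcd client port from any source that can route to the masters, not only from the nodes as the commit message describes. Restrict it to the node group by adding `remote_mode: remote_group_id` and `remote_group_id: { get_resource: node-secgrp }` to the rule. `node-secgrp` is the resource name used elsewhere in this template when `openstack_flat_secgrp` is off; the flat-security-group case needs its own check. The enclosing security group starts outside the hunk, so which group this rule lands in is taken from the commit message.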