Neutron role for OpenStack-Ansible

Neutron role for OpenStack-Ansible

tags:openstack, neutron, cloud, ansible
category:*nix

This role installs the following Systemd services:

  • neutron-server
  • neutron-agents

To clone or view the source code for this repository, visit the role repository for os_neutron.

Default variables

###
### Verbosity Options
###

debug: False

###
### Packages Options
###

# Set the package install state for distribution
# Options are 'present' and 'latest'
neutron_package_state: "latest"

###
### Python code details
###

neutron_log_dir: "/var/log/neutron"

# Set the package install state for pip_package
# Options are 'present' and 'latest'
neutron_pip_package_state: "latest"

# Source git repo/branch settings
neutron_git_repo: https://git.openstack.org/openstack/neutron
neutron_git_install_branch: "stable/queens"
neutron_fwaas_git_repo: https://git.openstack.org/openstack/neutron-fwaas
neutron_fwaas_git_install_branch: "stable/queens"
neutron_lbaas_git_repo: https://git.openstack.org/openstack/neutron-lbaas
neutron_lbaas_git_install_branch: "stable/queens"
neutron_vpnaas_git_repo: https://git.openstack.org/openstack/neutron-vpnaas
neutron_vpnaas_git_install_branch: "stable/queens"
neutron_dynamic_routing_git_repo: https://git.openstack.org/openstack/neutron-dynamic-routing
neutron_dynamic_routing_git_install_branch: "stable/queens"
networking_calico_git_repo: https://git.openstack.org/openstack/networking-calico
networking_calico_git_install_branch: master # no "stable/queens" branch
dragonflow_git_repo: https://git.openstack.org/openstack/dragonflow
dragonflow_git_install_branch: master # no "stable/queens" branch
networking_odl_git_repo: https://git.openstack.org/openstack/networking-odl
networking_odl_git_install_branch: "stable/queens"
networking_sfc_git_repo: https://git.openstack.org/openstack/networking-sfc
networking_sfc_git_install_branch: "stable/queens"
networking_bgpvpn_git_repo: https://git.openstack.org/openstack/networking-bgpvpn
networking_bgpvpn_git_install_branch: "stable/queens"

# Developer mode
neutron_developer_mode: false

# Name of the virtual env to deploy into
neutron_venv_tag: untagged

# venv_download, even when true, will use the fallback method of building the
# venv from scratch if the venv download fails.
neutron_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/neutron.tgz

###
### Generic Neutron Config
###

# Fatal Deprecations
neutron_fatal_deprecations: False

# If ``neutron_api_workers`` is unset the system will use half the number of available VCPUs to
# compute the number of api workers to use with a default capping value of 16.
# neutron_api_workers: 16

## Cap the maximun number of threads / workers when a user value is unspecified.
neutron_api_threads_max: 16
neutron_api_threads: "{{ [[ansible_processor_vcpus|default(2) // 2, 1] | max, neutron_api_threads_max] | min }}"

neutron_agent_down_time: 120
neutron_agent_polling_interval: 5
neutron_report_interval: "{{ neutron_agent_down_time | int / 2 | int }}"

# TODO(evrardjp): Remove this when vpnaas/Dragonflow don't use it anymore.
# This was deprecated in Pike cycle.
neutron_external_network_bridge: ""

neutron_dns_domain: "openstacklocal."

# If ``neutron_num_sync_threads`` is unset, the system will use the value of
# neutron_api_threads in templates/dhcp_agent.ini.j2 for num_sync_threads.
# neutron_num_sync_threads: 4

###
### DNSMasq configuration
###
# Dnsmasq doesn't work with config_template override, a deployer
# should instead configure its own neutron_dhcp_config key/values
neutron_dhcp_config:
  log-facility: "{{ neutron_log_dir }}/neutron-dnsmasq.log"

# Disable dnsmasq to resolve DNS via local resolv.conf.
# When dnsmasq_dns_servers are not set,
# and neutron_dnsmasq_noresolv is set to True, dnsmasq will reply with
# empty respose on DNS requests.
neutron_dnsmasq_noresolv: False

# Set the neutron lbaasv2 user group, defaults from os specific vars
neutron_lbaasv2_user_group: "{{ _neutron_lbaasv2_user_group }}"

###
### Tunable Overrides (Sorted alphabetically)
###

# These variables facilitate adding config file entries
# for anything supported by the service. See the section
# 'Overriding OpenStack configuration defaults' in the
# 'Advanced configuration' appendix of the Deploy Guide.
neutron_api_paste_ini_overrides: {}
neutron_bgp_dragent_ini_overrides: {}
neutron_bgp_dragent_init_overrides: {}
neutron_calico_dhcp_agent_ini_overrides: {}
neutron_calico_dhcp_agent_init_overrides: {}
neutron_calico_felix_ini_overrides: {}
neutron_calico_felix_init_overrides: {}
neutron_dhcp_agent_ini_overrides: {}
neutron_dhcp_agent_init_overrides: {}
neutron_dragonflow_controller_agent_init_overrides: {}
neutron_dragonflow_ini_overrides: {}
neutron_dragonflow_l3_agent_init_overrides: {}
neutron_dragonflow_pubsub_agent_init_overrides: {}
neutron_l3_agent_ini_overrides: {}
neutron_l3_agent_init_overrides: {}
neutron_lbaas_agent_ini_overrides: {}
neutron_lbaas_agent_init_overrides: {}
neutron_linuxbridge_agent_ini_overrides: {}
neutron_linuxbridge_agent_init_overrides: {}
neutron_metadata_agent_ini_overrides: {}
neutron_metadata_agent_init_overrides: {}
neutron_metering_agent_ini_overrides: {}
neutron_metering_agent_init_overrides: {}
neutron_ml2_conf_ini_overrides: {}
neutron_neutron_conf_overrides: {}
neutron_nuage_conf_ini_overrides: {}
neutron_opendaylight_conf_ini_overrides: {}
neutron_openvswitch_agent_ini_overrides: {}
neutron_openvswitch_agent_init_overrides: {}
# Provide a list of access controls to update the default policy.json with.
# These changes will be merged
# with the access controls in the default policy.json. E.g.
#neutron_policy_overrides:
#  "create_subnet": "rule:admin_or_network_owner"
#  "get_subnet": "rule:admin_or_owner or rule:shared"
neutron_policy_overrides: {}
neutron_rootwrap_conf_overrides: {}
neutron_server_init_overrides: {}
neutron_sriov_nic_agent_ini_overrides: {}
neutron_sriov_nic_agent_init_overrides: {}
neutron_vpn_agent_init_overrides: {}
neutron_vpnaas_agent_ini_overrides: {}

###
### Quotas
###

neutron_default_quota: -1
neutron_quota_floatingip: 50
neutron_quota_health_monitor: -1
neutron_quota_member: -1
neutron_quota_network: 100
neutron_quota_network_gateway: 5
neutron_quota_packet_filter: 100
neutron_quota_pool: 10
neutron_quota_port: 500
neutron_quota_router: 10
neutron_quota_security_group: 10
neutron_quota_security_group_rule: 100
neutron_quota_subnet: 100
neutron_quota_vip: 10

###
### DB (Galera) integration
###

neutron_galera_user: neutron
neutron_galera_database: neutron
neutron_db_max_overflow: 20
neutron_db_pool_size: 120
neutron_db_pool_timeout: 30
neutron_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
neutron_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"

###
### RPC (RabbitMQ) integration
###

neutron_rabbitmq_userid: neutron
neutron_rabbitmq_vhost: /neutron
neutron_rabbitmq_port: 5672
neutron_rabbitmq_servers: 127.0.0.1
neutron_rabbitmq_use_ssl: False
neutron_rpc_thread_pool_size: 64
neutron_rpc_conn_pool_size: 30
neutron_rpc_response_timeout: 60
neutron_rpc_workers: 1

###
### Identity (Keystone) integration
###

neutron_service_project_name: service
neutron_service_project_domain_id: default
neutron_service_user_domain_id: default
neutron_service_role_name: admin
neutron_service_user_name: neutron
neutron_service_name: neutron
neutron_service_type: network
neutron_service_description: "OpenStack Networking"
neutron_service_port: 9696
neutron_service_proto: http
neutron_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(neutron_service_proto) }}"
neutron_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(neutron_service_proto) }}"
neutron_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(neutron_service_proto) }}"
neutron_service_publicuri: "{{ neutron_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ neutron_service_port }}"
neutron_service_publicurl: "{{ neutron_service_publicuri }}"
neutron_service_adminuri: "{{ neutron_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ neutron_service_port }}"
neutron_service_adminurl: "{{ neutron_service_adminuri }}"
neutron_service_internaluri: "{{ neutron_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ neutron_service_port }}"
neutron_service_internalurl: "{{ neutron_service_internaluri }}"
neutron_service_region: RegionOne
neutron_keystone_auth_plugin: "{{ neutron_keystone_auth_type }}"
neutron_keystone_auth_type: password
neutron_service_in_ldap: false

###
### Telemetry integration
###

neutron_ceilometer_enabled: False

# Configuration for notifications communication, i.e. [oslo_messaging_notifications]
neutron_rabbitmq_telemetry_userid: "{{ neutron_rabbitmq_userid }}"
neutron_rabbitmq_telemetry_password: "{{ neutron_rabbitmq_password }}"
neutron_rabbitmq_telemetry_vhost: "{{ neutron_rabbitmq_vhost }}"
neutron_rabbitmq_telemetry_port: "{{ neutron_rabbitmq_port }}"
neutron_rabbitmq_telemetry_servers: "{{ neutron_rabbitmq_servers }}"
neutron_rabbitmq_telemetry_use_ssl: "{{ neutron_rabbitmq_use_ssl }}"

###
### Designate integration
###

neutron_designate_enabled: False
neutron_allow_reverse_dns_lookup: True
neutron_ipv4_ptr_zone_prefix_size: 24
neutron_ipv6_ptr_zone_prefix_size: 116

# Notifications topic for designate
neutron_notifications_designate: notifications_designate

###
### Plugins Loading
###

# Other plugins can be added to the system by simply extending the list `neutron_plugin_base`.
# neutron_plugin_base:
#   - router
#   - firewall/firewall_v2 either one or the other, not both
#   - lbaas
#   - neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2
#   - neutron_dynamic_routing.services.bgp.bgp_plugin.BgpPlugin
#   - vpnaas
#   - metering
#   - qos
#   - dns
neutron_plugin_base:
  - router
  - metering

###
### ML2 Plugin Configuration
###

# The neutron core plugin (ML2) is defined with neutron_plugin_type,
# you can not load multiple ML2 plugins as core.
neutron_plugin_type: 'ml2.lxb'

# Additional ML2 plugins can be loaded with neutron_plugin_types (as list)
neutron_plugin_types: []

# ml2 network type drivers to load
neutron_ml2_drivers_type: "flat,vlan,vxlan,local"

# Enable or disable L2 Population.
neutron_l2_population: "False"

neutron_vxlan_enabled: true

## The neutron multicast group address. This should be set as a host variable if used.
neutron_vxlan_group: "239.1.1.1"

neutron_sriov_excluded_devices: ""

# neutron_local_ip is used for the VXLAN local tunnel endpoint
neutron_local_ip: 127.0.0.1

## Set this variable to configure the provider networks that will be available
## When setting up networking in things like the ml2_conf.ini file. Normally
## this will be defined as a host variable used within neutron as network configuration
## are likely to differ in between hosts.
# neutron_provider_networks:
#   network_flat_networks: "flat"
#   network_mappings: "flat:eth12,vlan:eth11"
#   network_types: "vxlan,flat,vlan"
#   network_vlan_ranges: "vlan:1:1,vlan:1024:1025"
#   network_vxlan_ranges: "1:1000"
#   network_sriov_mappings: "vlan:p4p1"

###
### L3 Agent Plugin Configuration
###

# Set this option to "true" to enable legacy neutron L3HA tool support
# TODO(cloudnull): Remove this in the Ocata cycle
neutron_legacy_ha_tool_enabled: false

# L3HA configuration options
neutron_ha_vrrp_auth_type: PASS
neutron_l3_ha_net_cidr: 169.254.192.0/18

###
### DHCP Agent Plugin Configuration
###

# Comma-separated list of DNS servers which will be used by dnsmasq as forwarders.
neutron_dnsmasq_dns_servers: ""

# Limit number of leases to prevent a denial-of-service.
neutron_dnsmasq_lease_max: 16777216

###
### Metadata Agent Plugin Configuration
###

# If ``neutron_metadata_workers`` is unset the system will use half the number of available VCPUs to
# compute the number of api workers to use with a default capping value of 16.
# neutron_metadata_workers: 16
neutron_metadata_backlog: 4096

# When running in an AIO, we need to implement an iptables rule in any
# neutron_agent containers to that ensure instances can communicate with
# the neutron metadata service. This is necessary because in an AIO
# environment there are no physical interfaces involved in instance ->
# metadata requests, and this results in the checksums being incorrect.
neutron_metadata_checksum_fix: False

# The protocol used by neutron to access the nova metadata service.
nova_metadata_protocol: http

# If the nova_metadata_protocol is using a self-signed cert, then
# this flag should be set to a boolean True.
nova_metadata_insecure: False

###
### LBaaS Configuration
###

# See documentation section titled "Configuring the Network Load Balancing
# Service (Optional)" for more details.
neutron_octavia_request_poll_timeout: 100

# Use the Octavia proxy
neutron_octavia_proxy_plugin: False

###
### VPNaaS Configuration
###

# See VPNaaS documentation for driver/service provider selection
# in case you want to override it.
neutron_driver_vpnaas: neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
neutron_vpnaas_service_provider: VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default

###
### Dragonflow Configuration
###

# neutron_management_ip is used to configure the location (IP) of the
# neutron-server
neutron_management_ip: 127.0.0.1

# Calico Felix agent upstream settings
calico_felix_url: "https://github.com/projectcalico/felix/releases/download/{{ calico_felix_version }}/calico-felix-amd64"
calico_felix_version: v3.7.0
calico_felix_sha256: ae0bed304702097cee0ad5d9b4abb07b263deeb46ac21f2bcb0118d5bf439f46
calico_felix_validate_certs: yes

# Database specific configuration
dragonflow_remote_db_ip: 127.0.0.1 # etcd has local proxy installed
dragonflow_remote_db_port: 4001
dragonflow_port_status_notifier:
dragonflow_apps:
    - l2_app.L2App
    - l3_proactive_app.L3ProactiveApp
    - dhcp_app.DHCPApp
    - dnat_app.DNATApp
    - sg_app.SGApp
    - portsec_app.PortSecApp
dragonflow_ex_peer_patch_port: patch-int
dragonflow_int_peer_patch_port: patch-ex
dragonflow_external_network_bridge: br-ex
dragonflow_publisher_bind_address: "*"

# Install Openvswitch without NSH support
ovs_nsh_support: False

# Set higher priority to mardim PPA when ovs_nsh_support is True
ovs_nsh_apt_pinned_packages: [{ package: "*", release: "LP-PPA-mardim-mardim-ppa"}]

Dependencies

This role needs pip >= 7.1 installed on the target host.

Example playbook

- name: Installation and setup of Neutron
  hosts: neutron_all
  user: root
  roles:
    - { role: "os_neutron", tags: [ "neutron-install", "neutron-config" ] }
  vars:
    neutron_galera_address: "{{ internal_lb_vip_address }}"

Tags

This role supports two tags: neutron-install and neutron-config. The neutron-install tag can be used to install and upgrade. The neutron-config tag can be used to maintain the configuration of the service.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.