composable roles and network isolation

Bug #1633090 reported by Lukas Bezdicka
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Medium
Dan Sneddon

Bug Description

With composable roles one can setup for example standalone Neutron node which won't have working network isolation as environments/net-single-nic-with-vlans.yaml and network/config/single-nic-vlans does not count with roles.

Revision history for this message
Steven Hardy (shardy) wrote :

So I think this is possibly a duplicate of https://bugs.launchpad.net/tripleo/+bug/1625558 ?

Basically in environments/net-single-nic-with-vlans.yaml you have this:

resource_registry:
  OS::TripleO::BlockStorage::Net::SoftwareConfig: ../network/config/single-nic-vlans/cinder-storage.yaml
  OS::TripleO::Compute::Net::SoftwareConfig: ../network/config/single-nic-vlans/compute.yaml
  OS::TripleO::Controller::Net::SoftwareConfig: ../network/config/single-nic-vlans/controller.yaml
  OS::TripleO::ObjectStorage::Net::SoftwareConfig: ../network/config/single-nic-vlans/swift-storage.yaml
  OS::TripleO::CephStorage::Net::SoftwareConfig: ../network/config/single-nic-vlans/ceph-storage.yaml

So when defining a custom role you'll need to pass an environment which references the configuration you want for that role:

resource_registry:
  OS::TripleO::TheCustomRole::Net::SoftwareConfig: path/to/the/config.yaml

The config can be copied from whatever is in use for the other roles (all the templates are basically the same for each role in the tht examples).

If you don't pass any extra environment file, the role will simply get the default noop config:

https://github.com/openstack/tripleo-heat-templates/blob/master/overcloud-resource-registry-puppet.j2.yaml#L35

I think what you're asking for though is for just including -e environments/net-single-nic-with-vlans.yaml to apply that config to all roles automatically?

That is probably possible, but for now copying the file and passing the resource_registry as described above should work fine.

Changed in tripleo:
status: New → Triaged
milestone: none → ocata-1
assignee: nobody → Steven Hardy (shardy)
tags: added: composable-roles
Steven Hardy (shardy)
Changed in tripleo:
importance: Undecided → Medium
Steven Hardy (shardy)
tags: added: newton-backport-potential
Revision history for this message
Marius Cornea (mcornea) wrote :

Please note that in addition to the nic templates we also need to specify the cutom role ports which for the default roles are included in $tht/environments/network-isolation.yaml.

For example for a networker node running the Neutron agents with ipv4 networks:

  OS::TripleO::Networker::Ports::ExternalPort: /usr/share/openstack-tripleo-heat-templates/network/ports/noop.yaml
  OS::TripleO::Networker::Ports::TenantPort: /usr/share/openstack-tripleo-heat-templates/network/ports/tenant.yaml
  OS::TripleO::Networker::Ports::InternalApiPort: /usr/share/openstack-tripleo-heat-templates/network/ports/internal_api.yaml
  OS::TripleO::Networker::Ports::StoragePort: /usr/share/openstack-tripleo-heat-templates/network/ports/noop.yaml
  OS::TripleO::Networker::Ports::StorageMgmtPort: /usr/share/openstack-tripleo-heat-templates/network/ports/noop.yaml

If the management network is enabled then we need to pass it as well:
  OS::TripleO::Networker::Ports::ManagementPort: /usr/share/openstack-tripleo-heat-templates/network/ports/management.yaml

Revision history for this message
Steven Hardy (shardy) wrote :

Ok so we need some way to j2 template the resource_registry entries in network-isolation.yaml, similar to https://review.openstack.org/#/c/378735/

The missing piece we have here is a way to easily define which role has access to which network (roles_data.yaml doesn't contain this information, only the operator really knows what a sane mapping of networks to roles will be, in the case of operator defined custom roles).

My initial assumption was that folks would simply pass an environment file (which overrides the default noop mappings) based on knowledge of the roles they're defining, but it seems the request here is to somehow "automatically" wire this in via roles_data.yaml?

If we do that, what would a reasonable default mapping in network-isolation.yaml look like for user defined roles? Just wire all networks in to all user-defined roles?

Steven Hardy (shardy)
Changed in tripleo:
milestone: ocata-1 → ocata-2
Changed in tripleo:
assignee: Steven Hardy (shardy) → Dan Sneddon (dsneddon)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/409920

Changed in tripleo:
assignee: Dan Sneddon (dsneddon) → Steven Hardy (shardy)
Changed in tripleo:
milestone: ocata-2 → ocata-3
Changed in tripleo:
assignee: Steven Hardy (shardy) → Dan Sneddon (dsneddon)
Changed in tripleo:
milestone: ocata-3 → ocata-rc1
Changed in tripleo:
milestone: ocata-rc1 → pike-1
tags: added: ocata-backport-potential
removed: newton-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (master)

Fix proposed to branch: master
Review: https://review.openstack.org/436621

Changed in tripleo:
assignee: Dan Sneddon (dsneddon) → Steven Hardy (shardy)
Changed in tripleo:
assignee: Steven Hardy (shardy) → Dan Sneddon (dsneddon)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (master)

Reviewed: https://review.openstack.org/436621
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=d9b56b35db421e4db6d38577f3bee46331f800e1
Submitter: Jenkins
Branch: master

commit d9b56b35db421e4db6d38577f3bee46331f800e1
Author: Steven Hardy <email address hidden>
Date: Tue Feb 21 14:47:50 2017 -0500

    Add support for network_data.yaml to process templates action

    To enable rendering a list of networks we need to include an optional
    network_data.yaml file. We may make this mandatory in a future revision
    but since t-h-t doesn't yet contain this file we tolerate it being
    missing with a warning.

    Change-Id: I9f818912bd8e2a3220e41c8ccbbab3d9063b4d72
    Partial-Bug: #1633090

Changed in tripleo:
assignee: Dan Sneddon (dsneddon) → Emilien Macchi (emilienm)
Changed in tripleo:
assignee: Emilien Macchi (emilienm) → Steven Hardy (shardy)
Changed in tripleo:
milestone: pike-1 → pike-2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/409921
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=a5116005d8a94b5e888791f02b53b33c407a08ad
Submitter: Jenkins
Branch: master

commit a5116005d8a94b5e888791f02b53b33c407a08ad
Author: Steven Hardy <email address hidden>
Date: Thu Dec 8 17:34:08 2016 +0000

    Add network_data.yaml to encapsulate list of networks for j2

    This moves the hard-coded networks from the default environment,
    and provides the first step towards enabling composable networks.

    Co-Author: Dan Sneddon <email address hidden>
    Partial-Bug: #1633090
    Depends-On: I9f818912bd8e2a3220e41c8ccbbab3d9063b4d72
    Change-Id: I7793b8badede5450b05437c84d9b40c28de7546b

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (master)

Change abandoned by Emilien Macchi (<email address hidden>) on branch: master
Review: https://review.openstack.org/409920
Reason: I'm releasing RH1 nodes to help having promotion jobs running in priority. I'll restore it in a few minutes.

Changed in tripleo:
assignee: Steven Hardy (shardy) → Dan Sneddon (dsneddon)
Changed in tripleo:
milestone: pike-2 → pike-3
Changed in tripleo:
assignee: Dan Sneddon (dsneddon) → Steven Hardy (shardy)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/409920
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=cba52888670d2f19a104960ed9be9bd24b97b9c0
Submitter: Jenkins
Branch: master

commit cba52888670d2f19a104960ed9be9bd24b97b9c0
Author: Steven Hardy <email address hidden>
Date: Thu Dec 8 17:15:46 2016 +0000

    Make network-isolation environment rendered for all roles

    Currently there's some hard-coded references to roles here, rendering
    from the roles_data.yaml is a step towards making the use of isolated
    networks for custom roles easier.

    Partial-Bug: #1633090
    Depends-On: Ib681729cc2728ca4b0486c14166b6b702edfcaab
    Change-Id: If3989f24f077738845d2edbee405bd9198e7b7db

Changed in tripleo:
assignee: Steven Hardy (shardy) → Dan Sneddon (dsneddon)
Revision history for this message
Dan Sneddon (dsneddon) wrote :

Note that I have a review up with sample NIC templates for a Neutron networker role:
https://review.openstack.org/#/c/400390/

I consider this a stopgap solution. I think in the long term we may be able to utilize jinja2 templating to allow one NIC config template to work for multiple roles. Conditionals would selectively apply the network interfaces that apply to the role.

{{ if <network> in role.networks }}
    Configuration for <network>
{{ endif }}

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/400390
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=020f74572f129a1b344ab906794e9c6cbb79c739
Submitter: Jenkins
Branch: master

commit 020f74572f129a1b344ab906794e9c6cbb79c739
Author: Dan Sneddon <email address hidden>
Date: Mon Nov 21 11:15:26 2016 -0800

    Create NIC templates for Neutron Networker composable role

    This change adds a Neutron Networker role to each of the sample
    NIC config directories. The Networker roles are similar to the
    controller roles, since they use the External interface for the
    default gateway, but they don't need any connection to the
    Storage or Storage Management networks.

    Partial-bug: 1633090
    Partial-bug: 1625558
    Change-Id: Ieb4a293ea71d942cbfbf732f29c6eb41c975d4eb

Changed in tripleo:
milestone: pike-3 → pike-rc1
Changed in tripleo:
milestone: pike-rc1 → queens-1
Revision history for this message
Alex Schultz (alex-schultz) wrote :

Is there additional work for this bug or can we close it?

Changed in tripleo:
milestone: queens-1 → queens-2
Changed in tripleo:
milestone: queens-2 → queens-3
Changed in tripleo:
milestone: queens-3 → queens-rc1
Changed in tripleo:
milestone: queens-rc1 → rocky-1
Revision history for this message
Dan Sneddon (dsneddon) wrote :

I think this bug can be closed, since it was implemented by https://review.openstack.org/#/c/523638/

The above patch generates NIC configs by role, taking into account custom networks in network_data.yaml. This obviates the need for individual role NIC configs such as networker.yaml, as it will be automatically generated if a networker role is included.

Changed in tripleo:
status: In Progress → Fix Committed
milestone: rocky-1 → queens-rc1
Changed in tripleo:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers