heat_template_version: wallaby description: > Configures FRR on the host parameters: ContainerFrrImage: description: The container image for Frr type: string tags: - role_specific ContainerOvnBgpAgentImage: description: The container image for the BGP Agent type: string tags: - role_specific EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. Use parameter_merge_strategies to merge it with the defaults. type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EnableInternalTLS: type: boolean default: false InternalTLSCAFile: default: '/etc/ipa/ca.crt' type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. CertificateKeySize: type: string default: '2048' description: Specifies the private key size used when creating the certificate. FrrBfdEnabled: default: false description: Enable Bidirectional Forwarding Detection type: boolean FrrBgpEnabled: default: true description: Enable BGP type: boolean FrrBgpAsn: default: 64999 description: Default ASN to be used within FRR type: number tags: - role_specific FrrBgpIpv4Enabled: default: true description: Enable BGP advertisement of IPv4 routes type: boolean FrrBgpIpv4AllowASIn: default: false description: Allow for IPv4 routes to be received and processed even if the router detects its own ASN in the AS-Path. type: boolean FrrBgpIpv4SrcNetwork: default: ctlplane description: The name of the Neutron network from where the IP address of the node will be taken and set as source IPv4 address on the default route. type: string FrrBgpIpv6Enabled: default: true description: Enable BGP advertisement of IPv6 routes type: boolean FrrBgpIpv6AllowASIn: default: false description: Allow for IPv6 routes to be received and processed even if the router detects its own ASN in the AS-Path. type: boolean FrrBgpIpv6SrcNetwork: default: ctlplane description: The name of the Neutron network from where the IP address of the node will be taken and set as source IPv6 address on the default route. type: string FrrBgpUplinks: default: ['nic1', 'nic2'] description: List of uplink network interfaces. type: comma_delimited_list FrrBgpUplinksScope: default: 'internal' type: string description: Either peer with internal (iBGP) or external (eBGP) neighbors. constraints: - allowed_values: ['internal', 'external'] FrrLoggingSource: type: json default: tag: system.frr file: /var/log/containers/frr/frr.log FrrLogLevel: default: 'informational' type: string description: log level constraints: - allowed_values: ['emergencies', 'alerts', 'critical', 'errors', 'warnings', 'notifications', 'informational', 'debugging'] FrrZebraEnabled: default: true description: enable Zebra type: boolean FrrPacemakerVipNic: default: 'lo' description: Name of the nic that the pacemaker VIPs will be added to when runninng with FRR. type: string FrrBgpNeighborTtlSecurityHops: default: 1 description: Enforce Generalized TTL Security Mechanism (GTSM) where only neighbors that are the specified number of hops away will be allowed to become neighbors. Setting value to zero or less will disable GTSM. type: number FrrBgpL2VpnEnabled: type: boolean default: false description: Enable BGP L2VPN EVPN address family. FrrBgpL2VpnEbgpMultihop: type: number default: 0 description: > Allows sessions with eBGP neighbors to establish when they are multiple hops away. Value 0 disables multi-hop eBGP peering. FrrBgpL2VpnUplinkActivate: type: boolean default: true description: > Enable the list of uplink network interfaces defined in FrrBgpUplinks. FrrBgpL2VpnPeers: default: [] description: List of EVPN neighbor peers. type: comma_delimited_list FrrBgpL2vpnPeersScope: default: 'external' type: string description: Either peer with internal (iBGP) or external (eBGP) neighbors. constraints: - allowed_values: ['internal', 'external'] FrrBgpRouterID: default: '' description: Set router_id explicitly (optional) type: string FrrBgpIpv4SrcIp: default: '' description: Set source ip for ipv4 traffic (optional) type: string FrrBgpIpv6SrcIp: default: '' description: Set source ip for ipv6 traffic (optional) type: string FrrConvergeTimeout: default: 10 description: Time needed for FRR to populate the routing table after a restart. type: number resources: RoleParametersValue: type: OS::Heat::Value properties: type: json value: map_replace: - map_replace: - ContainerFrrImage: ContainerFrrImage frr_asn: FrrBgpAsn - values: {get_param: [RoleParameters]} - values: ContainerFrrImage: {get_param: ContainerFrrImage} FrrBgpAsn: {get_param: FrrBgpAsn} outputs: role_data: description: Role data for the FRR and OVN BGP Agent services value: service_name: frr config_settings: tripleo::pacemaker::force_nic: {get_param: FrrPacemakerVipNic} service_config_settings: rsyslog: tripleo_logging_sources_frr: - {get_param: FrrLoggingSource} firewall_rules: '156 bgp tcp': if: - {get_param: FrrBgpEnabled} - proto: 'tcp' dport: 179 '156 bfd udp': if: - {get_param: FrrBfdEnabled} - proto: 'udp' dport: - 3784 - 3785 kolla_config: /var/lib/kolla/config_files/frr.json: # Note: We can drop /usr/libexec/frr/frrinit.sh once we stop supporting/using frr 7.x # Note: This is currently needed because watchfrr *always* demonizes command: bash -c $* -- eval if [ -f /usr/libexec/frr/frrinit.sh ]; then /usr/libexec/frr/frrinit.sh start; else /usr/lib/frr/frr start; fi && exec /bin/sleep infinity config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true permissions: - path: /etc/frr owner: frr:frr recurse: true - path: /var/log/frr owner: frr:frr recurse: true - path: /run/frr owner: frr:frrvty recurse: true docker_config: # NOTE: Create container-startup-config file in step 0 so that TripleO # does not auto-start the FRR container (it does so for containers in # step 1-5). FRR will be started in the pre_deploy_step_tasks step_0: frr: start_order: 0 image: {get_attr: [RoleParametersValue, value, ContainerFrrImage]} net: host restart: always post_stop_exec: '/usr/bin/sleep 10' healthcheck: test: /openstack/healthcheck cap_add: - NET_BIND_SERVICE - NET_RAW - NET_ADMIN - SYS_ADMIN # We cannot bind mount the InternalTLSCAFile as freeipa might not # be reachable without frr volumes: - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /dev/log:/dev/log # OpenSSL trusted CAs - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro - /etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro - /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro - /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro - /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro - /var/lib/kolla/config_files/frr.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/ansible-generated/frr:/var/lib/kolla/config_files/src:ro - /var/log/containers/frr:/var/log/frr:z - /run/frr:/run/frr:shared,z environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS host_prep_tasks: - name: create persistent directories file: path: "{{ item.path }}" state: directory setype: "{{ item.setype }}" mode: "{{ item.mode }}" with_items: - { 'path': /var/log/containers/frr, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/lib/config-data/ansible-generated/frr, 'setype': container_file_t, 'mode': '0750' } - { 'path': /run/frr, 'setype': container_file_t, 'mode': '0750' } - name: ensure /run/frr is present upon reboot copy: dest: /etc/tmpfiles.d/run-frr.conf content: | d /run/frr 0750 42484 42483 - - pre_deploy_step_tasks: &frr_deploy_steps - name: Configure FRR import_role: name: tripleo_frr vars: tripleo_frr_config_basedir: /var/lib/config-data/ansible-generated/frr tripleo_frr_bfd: {get_param: FrrBfdEnabled} tripleo_frr_bgp: {get_param: FrrBgpEnabled} tripleo_frr_bgp_asn: {get_attr: [RoleParametersValue, value, frr_asn]} tripleo_frr_bgp_ipv4: {get_param: FrrBgpIpv4Enabled} tripleo_frr_bgp_ipv4_allowas_in: {get_param: FrrBgpIpv4AllowASIn} tripleo_frr_bgp_ipv4_src_network: {get_param: FrrBgpIpv4SrcNetwork} tripleo_frr_bgp_ipv6: {get_param: FrrBgpIpv6Enabled} tripleo_frr_bgp_ipv6_allowas_in: {get_param: FrrBgpIpv6AllowASIn} tripleo_frr_bgp_ipv6_src_network: {get_param: FrrBgpIpv6SrcNetwork} tripleo_frr_bgp_neighbor_ttl_security_hops: {get_param: FrrBgpNeighborTtlSecurityHops} tripleo_frr_bgp_uplinks: {get_param: FrrBgpUplinks} tripleo_frr_bgp_uplinks_scope: {get_param: FrrBgpUplinksScope} tripleo_frr_log_level: {get_param: FrrLogLevel} tripleo_frr_zebra: {get_param: FrrZebraEnabled} tripleo_frr_bgp_l2vpn: {get_param: FrrBgpL2VpnEnabled} tripleo_frr_bgp_l2vpn_ebgp_multihop: {get_param: FrrBgpL2VpnEbgpMultihop} tripleo_frr_bgp_l2vpn_uplink_activate: {get_param: FrrBgpL2VpnUplinkActivate} tripleo_frr_bgp_l2vpn_peers: {get_param: FrrBgpL2VpnPeers} tripleo_frr_bgp_l2vpn_peers_scope: {get_param: FrrBgpL2vpnPeersScope} tripleo_frr_router_id: {get_param: FrrBgpRouterID} tripleo_frr_ipv4_src_ip: {get_param: FrrBgpIpv4SrcIp} tripleo_frr_ipv6_src_ip: {get_param: FrrBgpIpv6SrcIp} - name: Start FRR include_role: name: tripleo_container_manage vars: tripleo_container_manage_config: "/var/lib/tripleo-config/container-startup-config/step_0" tripleo_container_manage_config_id: "frr" tripleo_container_manage_config_patterns: "frr.json" tripleo_container_manage_systemd_order: true tripleo_container_manage_clean_orphans: false # workaround frr restart issue rhbz#2193145 tripleo_container_manage_systemd_teardown: true - name: Wait to give FRR time to converge wait_for: timeout: {get_param: FrrConvergeTimeout} update_tasks: - name: Update FRR when: - step|int == 2 block: *frr_deploy_steps upgrade_tasks: []