diff --git a/docs/source/roles/role-edpm_network_config.rst b/docs/source/roles/role-edpm_network_config.rst index 2c6bdc14c..99cde19f7 100644 --- a/docs/source/roles/role-edpm_network_config.rst +++ b/docs/source/roles/role-edpm_network_config.rst @@ -19,6 +19,11 @@ This Ansible role does the following tasks: - Checks for the presence of required RPMS - Uses "provider" ifcfg/nmstate based on flag "edpm_network_config_nmstate" +Note: By default this role will cleanup devices/interfaces not in +"edpm_network_config_template". If there is requirement to keep them +for pre-provisioned nodes, "edpm_network_config_nonconfigured_cleanup" +ansible var can be set to "false". + Here is an example playbook to run os-net-config tool: .. code-block:: YAML diff --git a/roles/edpm_network_config/defaults/main.yml b/roles/edpm_network_config/defaults/main.yml index fd90b9f39..6f72ab930 100644 --- a/roles/edpm_network_config/defaults/main.yml +++ b/roles/edpm_network_config/defaults/main.yml @@ -54,4 +54,4 @@ edpm_network_config_safe_defaults: true edpm_network_config_template: "" edpm_bond_interface_ovs_options: "bond_mode=active-backup" edpm_dns_search_domains: [] -edpm_network_config_nonconfigured_cleanup: false +edpm_network_config_nonconfigured_cleanup: true diff --git a/roles/edpm_network_config/meta/argument_specs.yml b/roles/edpm_network_config/meta/argument_specs.yml index 890ecd69a..3589c561b 100644 --- a/roles/edpm_network_config/meta/argument_specs.yml +++ b/roles/edpm_network_config/meta/argument_specs.yml @@ -82,4 +82,4 @@ argument_specs: edpm_network_config_nonconfigured_cleanup: type: bool description: "Cleanup network interfaces not in network config" - default: false + default: true diff --git a/roles/edpm_nftables/tasks/configure.yml b/roles/edpm_nftables/tasks/configure.yml index 9864a161c..a1aad7c9e 100644 --- a/roles/edpm_nftables/tasks/configure.yml +++ b/roles/edpm_nftables/tasks/configure.yml 
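Review bot: Flipping `edpm_network_config_nonconfigured_cleanup` to `true` makes interface removal the default behaviour, but the argument_specs hunk in the same commit keeps the one-line description "Cleanup network interfaces not in network config", which does not tell an operator that the role now deletes devices on pre-provisioned nodes unless they opt out. The rst note carries that warning, but meta/argument_specs.yml is what role argument validation and ansible-doc surface at the variable itself. Suggest `description: "Remove host network interfaces that are absent from the rendered network config. Defaults to true; set to false for pre-provisioned nodes whose additional interfaces must be kept."` so the destructive default is visible where the variable is defined.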
@@ -145,18 +145,6 @@ group: root mode: "0600" - - name: Create a sentinel file when nft rules are changed - ansible.builtin.file: - path: /etc/nftables/edpm-rules.nft.changed - state: touch - owner: root - group: root - mode: "0600" - when: - - nft_ruleset is defined - - nft_ruleset is changed - - # We cannot use the "validate" parameter from the "template" module, since # we don't load the chains before. So let's validate now, with all the things. # Remember, the "iptables" compat layout is already loaded at this point. diff --git a/roles/edpm_nftables/tasks/run.yml b/roles/edpm_nftables/tasks/run.yml index 846e98ac1..17cccdfee 100644 --- a/roles/edpm_nftables/tasks/run.yml +++ b/roles/edpm_nftables/tasks/run.yml @@ -26,22 +26,12 @@ - name: Reload custom nftables ruleset files become: true block: - - name: Check if rules are changed - ansible.builtin.stat: - path: /etc/nftables/edpm-rules.nft.changed - register: nft_ruleset_changed - name: Reload ruleset ansible.builtin.shell: >- set -o pipefail; cat /etc/nftables/edpm-flushes.nft /etc/nftables/edpm-rules.nft /etc/nftables/edpm-update-jumps.nft | nft -f - - when: nft_ruleset_changed.stat.exists register: nft_reload_ruleset changed_when: nft_reload_ruleset.rc == 0 failed_when: nft_reload_ruleset.rc != 0 - always: - - name: Delete nft_ruleset_changed file - ansible.builtin.file: - path: /etc/nftables/edpm-rules.nft.changed - state: absent diff --git a/roles/edpm_telemetry/defaults/main.yml b/roles/edpm_telemetry/defaults/main.yml index 003830a42..817a72946 100644 --- a/roles/edpm_telemetry/defaults/main.yml +++ b/roles/edpm_telemetry/defaults/main.yml 
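Review bot: With the sentinel stat and its `when:` removed, "Reload ruleset" now runs `nft -f -` on every play, and `changed_when: nft_reload_ruleset.rc == 0` will therefore report the firewall as changed on every run, so the play recap no longer distinguishes a real rule change from a no-op re-apply. The configure.yml hunk shows the template task's registered result was previously the trigger; if that result is still reachable when run.yml executes (cannot tell from here), `when: nft_ruleset is changed` on the reload task would keep the reload conditional without the sentinel file. If an unconditional reload is the intent, a comment above the task such as `# Intentionally unconditional: re-applying flushes + rules + jumps is idempotent` would document that and stop the next reader from re-adding a guard.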
@@ -28,6 +28,8 @@ edpm_telemetry_node_exporter_image: quay.io/prometheus/node-exporter:v1.5.0 edpm_telemetry_podman_exporter_image: quay.io/navidys/prometheus-podman-exporter:v1.10.1 # Image to use for Ceilometer edpm_telemetry_ceilometer_compute_image: quay.io/podified-antelope-centos9/openstack-ceilometer-compute:current-podified +# Image to use for openstack_network_exporter +edpm_telemetry_openstack_network_exporter_image: quay.io/openstack-k8s-operators/openstack-network-exporter:latest # Certificates location for tls encryption edpm_telemetry_certs: "/var/lib/openstack/certs/{{ edpm_telemetry_service_name }}/default" # CA certs location for tls encryption @@ -46,6 +48,7 @@ edpm_telemetry_healthcheck_sources: ceilometer_agent_compute: ceilometer_agent node_exporter: exporter podman_exporter: exporter + openstack_network_exporter: exporter # kepler: exporter # If telemetry services should have health checks enabled edpm_telemetry_healthcheck: true @@ -54,3 +57,4 @@ edpm_telemetry_enabled_exporters: - ceilometer_agent_compute - node_exporter - podman_exporter + - openstack_network_exporter diff --git a/roles/edpm_telemetry/meta/argument_specs.yml b/roles/edpm_telemetry/meta/argument_specs.yml index 70b73c6fd..4f92e9362 100644 --- a/roles/edpm_telemetry/meta/argument_specs.yml +++ b/roles/edpm_telemetry/meta/argument_specs.yml @@ -31,6 +31,10 @@ argument_specs: type: "str" required: true description: "The name of the ceilometer compute podman image" + edpm_telemetry_openstack_network_exporter_image: + type: "str" + required: true + description: "The name of the openstack_network_exporter podman image" edpm_telemetry_config_src: type: "str" required: true diff --git a/roles/edpm_telemetry/templates/firewall.yaml.j2 b/roles/edpm_telemetry/templates/firewall.yaml.j2 index 4f1546898..69b378e0b 100644 --- a/roles/edpm_telemetry/templates/firewall.yaml.j2 +++ b/roles/edpm_telemetry/templates/firewall.yaml.j2 
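Review bot: `edpm_telemetry_openstack_network_exporter_image` is pinned to the floating `:latest` tag while the prometheus exporters in this hunk carry explicit versions (`node-exporter:v1.5.0`, `prometheus-podman-exporter:v1.10.1`); the exporter is also appended to `edpm_telemetry_enabled_exporters`, so it is pulled and started on every node by default. A floating tag means two nodes deployed a week apart can run different binaries and makes rollback and image review impossible. Suggest pinning to a release tag or a digest, e.g. `edpm_telemetry_openstack_network_exporter_image: quay.io/openstack-k8s-operators/openstack-network-exporter:<release-tag>` (placeholder), and keeping the pinned version in step with the `# Image to use for openstack_network_exporter` comment.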
@@ -10,3 +10,8 @@ proto: tcp dport: - "9882" +- rule_name: 001 Allow openstack_network_exporter traffic + rule: + proto: tcp + dport: + - "9105" diff --git a/roles/edpm_telemetry/templates/node_exporter.json.j2 b/roles/edpm_telemetry/templates/node_exporter.json.j2 index 98f4fff4b..9b13922fb 100644 --- a/roles/edpm_telemetry/templates/node_exporter.json.j2 +++ b/roles/edpm_telemetry/templates/node_exporter.json.j2 @@ -2,6 +2,7 @@ "image": "{{ edpm_telemetry_node_exporter_image }}", "restart": "always", "recreate": true, + "user": "root", "privileged": true, "ports": ["9100:9100"], "command": [ @@ -9,6 +10,8 @@ "--web.config.file=/etc/node_exporter/node_exporter.yaml", {% endif %} "--web.disable-exporter-metrics", + "--collector.systemd", + "--collector.systemd.unit-include=(edpm_.*|ovs.*|openvswitch|virt.*|rsyslog)\\.service", "--no-collector.dmi", "--no-collector.entropy", "--no-collector.thermal_zone", @@ -37,7 +40,8 @@ "volumes": [ {% if tls_cert_exists|bool %} "{{ edpm_telemetry_config_dest }}/node_exporter.yaml:/etc/node_exporter/node_exporter.yaml:z", - "{{ edpm_telemetry_certs }}:/etc/node_exporter/tls:z" + "{{ edpm_telemetry_certs }}:/etc/node_exporter/tls:z", {% endif %} + "/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:rw" ] } diff --git a/roles/edpm_telemetry/templates/openstack_network_exporter.json.j2 b/roles/edpm_telemetry/templates/openstack_network_exporter.json.j2 new file mode 100644 index 000000000..e14f90c02 --- /dev/null +++ b/roles/edpm_telemetry/templates/openstack_network_exporter.json.j2 
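Review bot: The new rule opens tcp/9105 from any source, and the exporter config added in this commit binds `http-listen: ":9105"` on all addresses with `auth-users` left at its empty default, so whenever `tls_cert_exists` is false the OVS/OVN metrics are readable by anything that can reach the node. If the edpm_nftables rule format accepts a `source` key, restricting this rule to the monitoring network would bound that exposure; otherwise a comment on the rule recording the assumption that 9105 is only reachable from the scrape network, e.g. `# 9105 is expected to be reachable from the monitoring network only`, is the minimum.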
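Review bot: The node_exporter hunks add `"user": "root"` and bind-mount `/var/run/dbus/system_bus_socket` read-write into a container that is already `"privileged": true`, which gives the process a uid-0 client on the host system bus, enough to manage units through systemd rather than merely read them for `--collector.systemd`. The `--collector.systemd.unit-include` regex limits what is exported, not what the socket permits, so the reason for both additions should be recorded in a Jinja comment next to the volume line, e.g. `{# root + system bus socket are required by --collector.systemd; the socket grants full systemd D-Bus access #}`. It is also worth confirming whether the collector works with the image's default user and the socket alone (cannot tell from here), in which case `"user": "root"` can be dropped.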
@@ -0,0 +1,28 @@
+{
+ "image": "{{ edpm_telemetry_openstack_network_exporter_image }}",
+ "restart": "always",
+ "recreate": true,
+ "privileged": true,
+ "ports": ["9105:9105"],
+ "command": [],
+ "net": "host",
+ "environment": {
+ "OS_ENDPOINT_TYPE":"internal",
+ "OPENSTACK_NETWORK_EXPORTER_YAML":"/etc/openstack_network_exporter/openstack_network_exporter.yaml"
+ },
+{% if edpm_telemetry_healthcheck %}
+ "healthcheck": {
+ "test": "/openstack/healthcheck openstack-netwo",
+ "mount": "/var/lib/openstack/healthchecks/openstack_network_exporter"
+ },
+{% endif %}
+ "volumes": [
+ "{{ edpm_telemetry_config_dest }}/openstack_network_exporter.yaml:/etc/openstack_network_exporter/openstack_network_exporter.yaml:z",
+{% if tls_cert_exists|bool %}
+ "{{ edpm_telemetry_certs }}:/etc/openstack_network_exporter/tls:z",
+{% endif %}
+ "/var/run/openvswitch:/run/openvswitch:rw,z",
+ "/var/lib/openvswitch/ovn:/run/ovn:rw,z",
+ "/proc:/host/proc:ro"
+ ]
+}
diff --git a/roles/edpm_telemetry/templates/openstack_network_exporter.yaml.j2 b/roles/edpm_telemetry/templates/openstack_network_exporter.yaml.j2
new file mode 100644
index 000000000..e14f90c02
--- /dev/null
+++ b/roles/edpm_telemetry/templates/openstack_network_exporter.yaml.j2
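Review bot: The new container runs with `"privileged": true`, `"net": "host"` and read-write mounts of the OVS and OVN runtime directories (`/var/run/openvswitch`, `/var/lib/openvswitch/ovn`), which gives a metrics exporter the ability to reconfigure the datapath rather than only observe it. If the exporter merely needs to connect to the unixctl/db sockets listed in its config and read `/host/proc`, the explicit volume list may suffice without `privileged`; if it is kept, a Jinja comment such as `{# privileged is required for <reason> — TODO confirm #}` should record why. The `"test": "/openstack/healthcheck openstack-netwo"` value also reads like a truncated typo unless one knows the kernel limits a process comm name to 15 characters; presumably the healthcheck matches on that, so a comment `{# "openstack-netwo" is the 15-char comm truncation, not a typo #}` would prevent someone "fixing" it.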
@@ -0,0 +1,124 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) 2024 Robin Jarry
+#
+# This is the configuration file for OpenStack openstack-network-exporter. It is
+# written in the YAML format. The exporter will lookup the configuration file
+# at /etc/openstack-network-exporter.yaml by default. The path can be changed via
+# the OPENSTACK_NETWORK_EXPORTER_YAML environment variable.
+#
+# All settings have default values and some of them can be overriden via
+# environment variables as indicated in their description.
+
+---
+# Local addess and port to listen to for scraping HTTP requests. Can be
+# "127.0.0.1:" or "[::1]:" to limit to localhost. If address is
+# omited, listen on all addresses.
+#
+# Env: OPENSTACK_NETWORK_EXPORTER_HTTP_LISTEN
+# Default: ":1981"
+#
+http-listen: ":9105"
+
+# The HTTP path where to serve responses to prometheus scrapers.
+#
+# Env: OPENSTACK_NETWORK_EXPORTER_HTTP_PATH
+# Default: /metrics
+#
+#http-path: /metrics
+
+# The path to a TLS certificate to enable HTTPS support.
+#
+# Env: OPENSTACK_NETWORK_EXPORTER_TLS_CERT
+# Default: ""
+#
+{% if tls_cert_exists|bool %}
+tls-cert: "/etc/openstack_network_exporter/tls/tls.crt"
+{% endif %}
+
+# The path to a TLS certificate secret key to enable HTTPS support.
+#
+# Env: OPENSTACK_NETWORK_EXPORTER_TLS_KEY
+# Default: ""
+#
+{% if tls_cert_exists|bool %}
+tls-key: "/etc/openstack_network_exporter/tls/tls.key"
+{% endif %}
+
+# Space separated list of valid users and passwords. Leave empty to disable
+# authentication. Authentication will only be enforced when TLS is enabled.
+#
+# Example:
+#
+# auth-users:
+# - name: admin
+# password: admin
+# - name: foobar
+# password: s3cr3t
+# - name: johndoe
+# password: p4ssw0rd
+#
+# Default: []
+#
+#auth-users: []
+
+# Overall log verbosity of the exporter.
+#
+# Supported levels are: debug info notice warning error critical
+#
+# Env: OPENSTACK_NETWORK_EXPORTER_LOG_LEVEL
+# Default: notice
+#
+log-level: info
+
+# The absolute path to the runtime directory of ovn-controller. This folder is
+# expected to contain the the ovn-controller pid file "ovn-controller.pid" and
+# its unixctl socket "ovn-controller.$pid.ctl".
+#
+# Env: OPENSTACK_NETWORK_EXPORTER_OVN_RUNDIR
+# Default: /run/ovn
+#
+
+# The absolute path to the runtime directory of openvswitch. This folder is
+# expected to contain the ovsdb-server socket endpoint "db.sock", the
+# "ovs-vswitchd.pid" file and each bridge openflow management sockets
+# "$bridge_name.mgmt".
+#
+# Env: OPENSTACK_NETWORK_EXPORTER_OVS_RUNDIR
+# Default: /run/openvswitch
+#
+#ovs-rundir: /run/openvswitch
+
+# The mount path of the procfs directory to search for the PID found in
+# ovs-vswitchd.pid. When running the exporter in a different PID namespace than
+# OVS, this will need to be changed to another folder.
+#
+# Env: OPENSTACK_NETWORK_EXPORTER_OVS_PROCDIR
+# Default: /proc
+#
+ovs-procdir: /host/proc
+
+# List of metric collectors to scrape and export. To list the available
+# collectors and the metrics they export, use "openstack-network-exporter -l". If
+# the list is empty (default) all collectors will be enabled.
+#
+# Default: []
+#
+#collectors: []
+#collectors:
+# - bridge
+# - counters
+# List of metric sets to export. This is cumulative with the collectors option.
+# The "openstack-network-exporter -l" flag will list all supported metrics along
+# with their set name. If the list is empty (default) all metrics from enabled
+# collectors will be exported.
+#
+# Supported sets are: base errors perf counters debug
+#
+# Default: [base, errors, perf, counters]
+#
+metric-sets:
+ - base
+ - errors
+ - perf
+ - counters
+ - debug
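Review bot: `metric-sets` enables `debug` on top of the upstream default `[base, errors, perf, counters]` quoted in the comment directly above it, and `log-level: info` likewise departs from the documented `notice` default; neither deviation is explained in the template. Debug-level sets typically widen what a scraper learns about the host datapath and add scrape cost, so either drop `debug` or add `# debug set enabled for <reason> — TODO confirm` above the list. Separately, the `ovn-rundir` block documents the option but, unlike `ovs-rundir`, ends without a commented `#ovn-rundir: /run/ovn` line, and the upstream typos carried into this file (`addess`, `omited`, `overriden`, `the the`) could be fixed while it is being added.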