From 7fbe2b6d31aab0e40c79305574ea19a0918eac55 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20M=C3=A1gr?= Date: Tue, 18 Feb 2025 12:02:24 +0100 Subject: [PATCH 1/5] Revert "node_exporter should not be mounting dbus" This reverts commit c0048fd82a792e0e3ac10c2d80aba5d1fa234948. --- roles/edpm_telemetry/templates/node_exporter.json.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/edpm_telemetry/templates/node_exporter.json.j2 b/roles/edpm_telemetry/templates/node_exporter.json.j2 index 98f4fff4b..282da4585 100644 --- a/roles/edpm_telemetry/templates/node_exporter.json.j2 +++ b/roles/edpm_telemetry/templates/node_exporter.json.j2 @@ -37,7 +37,8 @@ "volumes": [ {% if tls_cert_exists|bool %} "{{ edpm_telemetry_config_dest }}/node_exporter.yaml:/etc/node_exporter/node_exporter.yaml:z", - "{{ edpm_telemetry_certs }}:/etc/node_exporter/tls:z" + "{{ edpm_telemetry_certs }}:/etc/node_exporter/tls:z", {% endif %} + "/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:rw,z" ] } From 46f2198dd067563c7b261db6eb8fa64faba1fdce Mon Sep 17 00:00:00 2001 From: Brendan Shephard Date: Mon, 24 Feb 2025 13:35:14 +1000 Subject: [PATCH 2/5] Always load custom nftables rules This change ensures the custom nftables rules are always loaded by removing the conditional check and associated sential file. This is necessary since we're always loading the iptables compatibility rules and this sets the policy of the INPUT chain to accept. After our custom rules are configured, this policy should be reset to drop to ensure we're only allowing defined traffic and dropping anything that doesn't match a rule in the chain. Jira: OSPRH-14250 Signed-off-by: Brendan Shephard --- roles/edpm_nftables/tasks/configure.yml | 12 ------------ roles/edpm_nftables/tasks/run.yml | 10 ---------- 2 files changed, 22 deletions(-) diff --git a/roles/edpm_nftables/tasks/configure.yml b/roles/edpm_nftables/tasks/configure.yml index 9864a161c..a1aad7c9e 100644 
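Review bot: Reinstating the bind mount with the `:z` option relabels the host's `/var/run/dbus/system_bus_socket` with a container label, and because that socket is shared by every SELinux-confined process on the host this commit leaves the system in exactly the broken state that patch 4/5 of the same series then repairs by dropping the `,z`. The mount should come back without the relabel, `"/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:rw"`, or this revert should be squashed with that later fix so a bisect never lands on the intermediate state. Nothing in the template says why a metrics exporter needs the system bus at all (presumably for the systemd collector enabled later in the series); a Jinja comment above the volume such as `{# host system D-Bus socket: needed for the systemd collector; never :z-relabel a host-shared socket #}` would record it. Only the tail of the `volumes` array is visible in this hunk.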
--- a/roles/edpm_nftables/tasks/configure.yml +++ b/roles/edpm_nftables/tasks/configure.yml @@ -145,18 +145,6 @@ group: root mode: "0600" - - name: Create a sentinel file when nft rules are changed - ansible.builtin.file: - path: /etc/nftables/edpm-rules.nft.changed - state: touch - owner: root - group: root - mode: "0600" - when: - - nft_ruleset is defined - - nft_ruleset is changed - - # We cannot use the "validate" parameter from the "template" module, since # we don't load the chains before. So let's validate now, with all the things. # Remember, the "iptables" compat layout is already loaded at this point. diff --git a/roles/edpm_nftables/tasks/run.yml b/roles/edpm_nftables/tasks/run.yml index 846e98ac1..17cccdfee 100644 --- a/roles/edpm_nftables/tasks/run.yml +++ b/roles/edpm_nftables/tasks/run.yml @@ -26,22 +26,12 @@ - name: Reload custom nftables ruleset files become: true block: - - name: Check if rules are changed - ansible.builtin.stat: - path: /etc/nftables/edpm-rules.nft.changed - register: nft_ruleset_changed - name: Reload ruleset ansible.builtin.shell: >- set -o pipefail; cat /etc/nftables/edpm-flushes.nft /etc/nftables/edpm-rules.nft /etc/nftables/edpm-update-jumps.nft | nft -f - - when: nft_ruleset_changed.stat.exists register: nft_reload_ruleset changed_when: nft_reload_ruleset.rc == 0 failed_when: nft_reload_ruleset.rc != 0 - always: - - name: Delete nft_ruleset_changed file - ansible.builtin.file: - path: /etc/nftables/edpm-rules.nft.changed - state: absent From d6df441fafd107b7337eaec8a21cfe6bd87acbd6 Mon Sep 17 00:00:00 2001 
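Review bot: Removing the `stat` guard makes `nft -f -` run on every play, but the reason given in the commit message — that the iptables-compat ruleset loaded earlier leaves the INPUT chain policy at accept until the custom rules reset it to drop — is recorded nowhere in `run.yml`, so the next reader will see an unconditional reload and be tempted to put the sentinel back; a comment above the task, `# Always reload: the iptables compat ruleset loaded before this sets INPUT policy to accept; our rules reset it to drop`, would preserve it. If the reload fails, `failed_when` stops the play but nothing reapplies a drop policy, so if the commit message's description is accurate a host can be left in the accept state; consider a `rescue` that reapplies the drop policy, or at least a comment stating that consequence. With the guard gone `changed_when: nft_reload_ruleset.rc == 0` now reports changed on every run, which is harmless but worth a note next to it.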
From: rabi Date: Fri, 14 Feb 2025 10:14:25 +0530 Subject: [PATCH 3/5] Flip the default for edpm_network_config_nonconfigured_cleanup We will switch this to cleanup the configurations not in `edpm_network_config_template` by default. This is required for provisioned nodes using vlan tagged ctlplane network. The ansible var could be set to false for cases where we want to keep the existing configuration. This would also be useful when we want to change the initial configuration using `edpm_network_config_update` to cleanup whatever redundant interfaces created earlier. jira: https://issues.redhat.com/browse/OSPRH-10124 Signed-off-by: rabi --- docs/source/roles/role-edpm_network_config.rst | 5 +++++ roles/edpm_network_config/defaults/main.yml | 2 +- roles/edpm_network_config/meta/argument_specs.yml | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/source/roles/role-edpm_network_config.rst b/docs/source/roles/role-edpm_network_config.rst index 2c6bdc14c..99cde19f7 100644 --- a/docs/source/roles/role-edpm_network_config.rst +++ b/docs/source/roles/role-edpm_network_config.rst @@ -19,6 +19,11 @@ This Ansible role does the following tasks: - Checks for the presence of required RPMS - Uses "provider" ifcfg/nmstate based on flag "edpm_network_config_nmstate" +Note: By default this role will cleanup devices/interfaces not in +"edpm_network_config_template". If there is requirement to keep them +for pre-provisioned nodes, "edpm_network_config_nonconfigured_cleanup" +ansible var can be set to "false". + Here is an example playbook to run os-net-config tool: .. code-block:: YAML diff --git a/roles/edpm_network_config/defaults/main.yml b/roles/edpm_network_config/defaults/main.yml index fd90b9f39..6f72ab930 100644 --- a/roles/edpm_network_config/defaults/main.yml +++ b/roles/edpm_network_config/defaults/main.yml 
@@ -54,4 +54,4 @@ edpm_network_config_safe_defaults: true edpm_network_config_template: "" edpm_bond_interface_ovs_options: "bond_mode=active-backup" edpm_dns_search_domains: [] -edpm_network_config_nonconfigured_cleanup: false +edpm_network_config_nonconfigured_cleanup: true diff --git a/roles/edpm_network_config/meta/argument_specs.yml b/roles/edpm_network_config/meta/argument_specs.yml index 890ecd69a..3589c561b 100644 --- a/roles/edpm_network_config/meta/argument_specs.yml +++ b/roles/edpm_network_config/meta/argument_specs.yml @@ -82,4 +82,4 @@ argument_specs: edpm_network_config_nonconfigured_cleanup: type: bool description: "Cleanup network interfaces not in network config" - default: false + default: true From f21a6865ee3a70d2b5bcdd6744f87dcf301598d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20M=C3=A1gr?= Date: Tue, 18 Feb 2025 12:03:20 +0100 Subject: [PATCH 4/5] Don't relabel dbus directory Relabeling the directory makes systemd lose access to DBUS due to AVC denials. Running node_exporter as root enables communication with systemd. --- roles/edpm_telemetry/templates/node_exporter.json.j2 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/edpm_telemetry/templates/node_exporter.json.j2 b/roles/edpm_telemetry/templates/node_exporter.json.j2 index 282da4585..9b13922fb 100644 --- a/roles/edpm_telemetry/templates/node_exporter.json.j2 +++ b/roles/edpm_telemetry/templates/node_exporter.json.j2 @@ -2,6 +2,7 @@ "image": "{{ edpm_telemetry_node_exporter_image }}", "restart": "always", "recreate": true, + "user": "root", "privileged": true, "ports": ["9100:9100"], "command": [ @@ -9,6 +10,8 @@ "--web.config.file=/etc/node_exporter/node_exporter.yaml", {% endif %} "--web.disable-exporter-metrics", + "--collector.systemd", + "--collector.systemd.unit-include=(edpm_.*|ovs.*|openvswitch|virt.*|rsyslog)\\.service", "--no-collector.dmi", "--no-collector.entropy", "--no-collector.thermal_zone", 
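Review bot: Flipping `edpm_network_config_nonconfigured_cleanup` to `true` changes what an upgrade does to every existing node: any interface or device not named in `edpm_network_config_template` is now removed by default, and on pre-provisioned nodes that may include the interface carrying the Ansible/SSH connection, so this deserves a release note and a warning next to the default rather than only the docs paragraph. A comment above the line, `# Destructive: removes interfaces/devices not defined in edpm_network_config_template; set to false to keep pre-existing configuration on pre-provisioned nodes`, would make the risk visible where operators look for defaults. How the cleanup is actually performed is outside this hunk, so whether a lost management interface is possible should be confirmed against the role's tasks.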
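Review bot: The `description` still reads "Cleanup network interfaces not in network config", which no longer conveys that the default is now destructive; `description: "Remove network interfaces/devices not defined in edpm_network_config_template (default true; set to false to keep pre-existing configuration)"` would tell an operator what they are opting out of. Keep the wording aligned with the docs paragraph added in this same patch so the two do not drift.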
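Review bot: Adding `"user": "root"` next to the existing `"privileged": true` and the host `/var/run/dbus/system_bus_socket` mount makes the node_exporter container equivalent to root on the host, and its port 9100 is published on every interface with `--web.config.file` only passed when `tls_cert_exists` is true (visible in the next hunk), so a vulnerability in the exporter becomes a host compromise. The justification lives only in the commit message; a Jinja comment such as `{# root + host D-Bus socket are required for --collector.systemd; this container is effectively host root, keep the TLS/web config enforced #}` above `"user"` would keep it with the code. Whether root is strictly needed, as opposed to a D-Bus policy granting the image's unprivileged user access to the systemd objects, is worth confirming — the commit message asserts it but the hunk does not show what was tried.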
@@ -39,6 +42,6 @@ "{{ edpm_telemetry_config_dest }}/node_exporter.yaml:/etc/node_exporter/node_exporter.yaml:z", "{{ edpm_telemetry_certs }}:/etc/node_exporter/tls:z", {% endif %} - "/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:rw,z" + "/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:rw" ] } From abe8e2215546d7969291f5c858cada53002cd5e1 Mon Sep 17 00:00:00 2001 From: "Aaron T. Smith" Date: Wed, 26 Feb 2025 04:41:22 +0100 Subject: [PATCH 5/5] telemetry-role: add support for the openstack-network-exporter The telemetry role is used to install the openstack-network-exporter. Do Not Merge until the JIRA ticket for the creation of the downstream [containj](https://issues.redhat.com/browse/OSPRH-14278l) is completed. Signed-off-by: Aaron T. Smith --- roles/edpm_telemetry/defaults/main.yml | 4 + roles/edpm_telemetry/meta/argument_specs.yml | 4 + .../edpm_telemetry/templates/firewall.yaml.j2 | 6 + .../openstack_network_exporter.json.j2 | 28 ++++ .../openstack_network_exporter.yaml.j2 | 124 ++++++++++++++++++ 5 files changed, 166 insertions(+) create mode 100644 roles/edpm_telemetry/templates/openstack_network_exporter.json.j2 create mode 100644 roles/edpm_telemetry/templates/openstack_network_exporter.yaml.j2 diff --git a/roles/edpm_telemetry/defaults/main.yml b/roles/edpm_telemetry/defaults/main.yml index 003830a42..817a72946 100644 --- a/roles/edpm_telemetry/defaults/main.yml +++ b/roles/edpm_telemetry/defaults/main.yml 
@@ -28,6 +28,8 @@ edpm_telemetry_node_exporter_image: quay.io/prometheus/node-exporter:v1.5.0 edpm_telemetry_podman_exporter_image: quay.io/navidys/prometheus-podman-exporter:v1.10.1 # Image to use for Ceilometer edpm_telemetry_ceilometer_compute_image: quay.io/podified-antelope-centos9/openstack-ceilometer-compute:current-podified +# Image to use for openstack_network_exporter +edpm_telemetry_openstack_network_exporter_image: quay.io/openstack-k8s-operators/openstack-network-exporter:latest # Certificates location for tls encryption edpm_telemetry_certs: "/var/lib/openstack/certs/{{ edpm_telemetry_service_name }}/default" # CA certs location for tls encryption @@ -46,6 +48,7 @@ edpm_telemetry_healthcheck_sources: ceilometer_agent_compute: ceilometer_agent node_exporter: exporter podman_exporter: exporter + openstack_network_exporter: exporter # kepler: exporter # If telemetry services should have health checks enabled edpm_telemetry_healthcheck: true @@ -54,3 +57,4 @@ edpm_telemetry_enabled_exporters: - ceilometer_agent_compute - node_exporter - podman_exporter + - openstack_network_exporter diff --git a/roles/edpm_telemetry/meta/argument_specs.yml b/roles/edpm_telemetry/meta/argument_specs.yml index 70b73c6fd..4f92e9362 100644 --- a/roles/edpm_telemetry/meta/argument_specs.yml +++ b/roles/edpm_telemetry/meta/argument_specs.yml @@ -31,6 +31,10 @@ argument_specs: type: "str" required: true description: "The name of the ceilometer compute podman image" + edpm_telemetry_openstack_network_exporter_image: + type: "str" + required: true + description: "The name of the openstack_network_exporter podman image" edpm_telemetry_config_src: type: "str" required: true diff --git a/roles/edpm_telemetry/templates/firewall.yaml.j2 b/roles/edpm_telemetry/templates/firewall.yaml.j2 index 08c7a762a..7df6d48a0 100644 --- a/roles/edpm_telemetry/templates/firewall.yaml.j2 +++ b/roles/edpm_telemetry/templates/firewall.yaml.j2 
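Review bot: `edpm_telemetry_openstack_network_exporter_image` is pinned to the mutable `:latest` tag while the neighbouring exporter images are pinned to versions (`v1.5.0`, `v1.10.1`), so with `"restart": "always"` and `"recreate": true` every deploy runs whatever the registry currently serves as latest, which is a supply-chain and reproducibility problem for a privileged container. Pin it to a release tag, or a `@sha256:` digest, before this merges; if `latest` is a placeholder until the downstream image the commit message mentions exists, say so in a comment, `# TODO: pin to a release tag once the downstream image exists (see OSPRH-14278)`.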
@@ -5,3 +5,9 @@ proto: tcp dport: - "9100" + +- rule_name: 001 Allow openstack_network_exporter traffic + rule: + proto: tcp + dport: + - "9105" diff --git a/roles/edpm_telemetry/templates/openstack_network_exporter.json.j2 b/roles/edpm_telemetry/templates/openstack_network_exporter.json.j2 new file mode 100644 index 000000000..e14f90c02 --- /dev/null +++ b/roles/edpm_telemetry/templates/openstack_network_exporter.json.j2 @@ -0,0 +1,28 @@ +{ + "image": "{{ edpm_telemetry_openstack_network_exporter_image }}", + "restart": "always", + "recreate": true, + "privileged": true, + "ports": ["9105:9105"], + "command": [], + "net": "host", + "environment": { + "OS_ENDPOINT_TYPE":"internal", + "OPENSTACK_NETWORK_EXPORTER_YAML":"/etc/openstack_network_exporter/openstack_network_exporter.yaml" + }, +{% if edpm_telemetry_healthcheck %} + "healthcheck": { + "test": "/openstack/healthcheck openstack-netwo", + "mount": "/var/lib/openstack/healthchecks/openstack_network_exporter" + }, +{% endif %} + "volumes": [ + "{{ edpm_telemetry_config_dest }}/openstack_network_exporter.yaml:/etc/openstack_network_exporter/openstack_network_exporter.yaml:z", +{% if tls_cert_exists|bool %} + "{{ edpm_telemetry_certs }}:/etc/openstack_network_exporter/tls:z", +{% endif %} + "/var/run/openvswitch:/run/openvswitch:rw,z", + "/var/lib/openvswitch/ovn:/run/ovn:rw,z", + "/proc:/host/proc:ro" + ] +} diff --git a/roles/edpm_telemetry/templates/openstack_network_exporter.yaml.j2 b/roles/edpm_telemetry/templates/openstack_network_exporter.yaml.j2 new file mode 100644 index 000000000..8644c3ed5 --- /dev/null +++ b/roles/edpm_telemetry/templates/openstack_network_exporter.yaml.j2 
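Review bot: The new rule admits TCP 9105 from any source, and the exporter it fronts listens on all addresses (`http-listen: ":9105"` with `"net": "host"`) with authentication left disabled in its config, so OVS/OVN internals are exposed to every network the host is attached to, not only the one Prometheus scrapes from. If the role's firewall schema supports a source restriction, limit it to the scraper network; otherwise add a comment above the rule, `# 9105 is unauthenticated unless TLS is configured; keep it reachable only from the scraper network`, so the exposure is at least explicit.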
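Review bot: The container is `"privileged": true` with `"net": "host"` and read-write mounts of `/var/run/openvswitch` and `/var/lib/openvswitch/ovn`, which gives a metrics exporter write access to the ovsdb-server and ovn-controller control sockets, i.e. the ability to reconfigure the dataplane if it is compromised; the config it reads (`ovs-procdir: /host/proc`, socket paths) suggests it only needs to connect to sockets and read procfs, so `privileged` should be dropped after verifying, or justified in a comment. The `rw` on the socket directories is presumably needed because connecting to a Unix socket requires write permission on it; record that, e.g. `{# rw: connecting to the unixctl/ovsdb sockets needs write permission on the socket files #}`. The healthcheck argument `openstack-netwo` also deserves a comment — it is presumably the process name truncated to the kernel's 15-character comm limit, which will puzzle anyone reading it.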
@@ -0,0 +1,124 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) 2024 Robin Jarry +# +# This is the configuration file for OpenStack openstack-network-exporter. It is +# written in the YAML format. The exporter will lookup the configuration file +# at /etc/openstack-network-exporter.yaml by default. The path can be changed via +# the OPENSTACK_NETWORK_EXPORTER_YAML environment variable. +# +# All settings have default values and some of them can be overriden via +# environment variables as indicated in their description. + +--- +# Local addess and port to listen to for scraping HTTP requests. Can be +# "127.0.0.1:" or "[::1]:" to limit to localhost. If address is +# omited, listen on all addresses. +# +# Env: OPENSTACK_NETWORK_EXPORTER_HTTP_LISTEN +# Default: ":1981" +# +http-listen: ":9105" + +# The HTTP path where to serve responses to prometheus scrapers. +# +# Env: OPENSTACK_NETWORK_EXPORTER_HTTP_PATH +# Default: /metrics +# +#http-path: /metrics + +# The path to a TLS certificate to enable HTTPS support. +# +# Env: OPENSTACK_NETWORK_EXPORTER_TLS_CERT +# Default: "" +# +{% if tls_cert_exists|bool %} +tls-cert: "/etc/openstack_network_exporter/tls/tls.crt" +{% endif %} + +# The path to a TLS certificate secret key to enable HTTPS support. +# +# Env: OPENSTACK_NETWORK_EXPORTER_TLS_KEY +# Default: "" +# +{% if tls_cert_exists|bool %} +tls-key: "/etc/openstack_network_exporter/tls/tls.key" +{% endif %} + +# Space separated list of valid users and passwords. Leave empty to disable +# authentication. Authentication will only be enforced when TLS is enabled. +# +# Example: +# +# auth-users: +# - name: admin +# password: admin +# - name: foobar +# password: s3cr3t +# - name: johndoe +# password: p4ssw0rd +# +# Default: [] +# +#auth-users: [] + +# Overall log verbosity of the exporter. 
+# +# Supported levels are: debug info notice warning error critical +# +# Env: OPENSTACK_NETWORK_EXPORTER_LOG_LEVEL +# Default: notice +# +log-level: info + +# The absolute path to the runtime directory of ovn-controller. This folder is +# expected to contain the the ovn-controller pid file "ovn-controller.pid" and +# its unixctl socket "ovn-controller.$pid.ctl". +# +# Env: OPENSTACK_NETWORK_EXPORTER_OVN_RUNDIR +# Default: /run/ovn +# + +# The absolute path to the runtime directory of openvswitch. This folder is +# expected to contain the ovsdb-server socket endpoint "db.sock", the +# "ovs-vswitchd.pid" file and each bridge openflow management sockets +# "$bridge_name.mgmt". +# +# Env: OPENSTACK_NETWORK_EXPORTER_OVS_RUNDIR +# Default: /run/openvswitch +# +#ovs-rundir: /run/openvswitch + +# The mount path of the procfs directory to search for the PID found in +# ovs-vswitchd.pid. When running the exporter in a different PID namespace than +# OVS, this will need to be changed to another folder. +# +# Env: OPENSTACK_NETWORK_EXPORTER_OVS_PROCDIR +# Default: /proc +# +ovs-procdir: /host/proc + +# List of metric collectors to scrape and export. To list the available +# collectors and the metrics they export, use "openstack-network-exporter -l". If +# the list is empty (default) all collectors will be enabled. +# +# Default: [] +# +#collectors: [] +#collectors: +# - bridge +# - counters +# List of metric sets to export. This is cumulative with the collectors option. +# The "openstack-network-exporter -l" flag will list all supported metrics along +# with their set name. If the list is empty (default) all metrics from enabled +# collectors will be exported. +# +# Supported sets are: base errors perf counters debug +# +# Default: [base, errors, perf, counters] +# +metric-sets: + - base + - errors + - perf + - counters + - debug
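Review bot: `metric-sets` adds `debug`, which the file's own comment says is outside the default `[base, errors, perf, counters]`, and `auth-users` is left commented out while the comment above it says authentication is only enforced with TLS, so when `tls_cert_exists` is false the exporter serves unauthenticated plaintext on every address (`http-listen: ":9105"`). Either justify `debug` in a comment, `# debug set enabled deliberately for EDPM troubleshooting; drop it if scrape size becomes a problem`, or fall back to the default set, and consider templating `http-listen` to a specific host address rather than `:9105` so the listener is not reachable from every network the host is on. The upstream boilerplate also carries typos (`addess`, `omited`, `overriden`, `the the`) that could be fixed now that the file is maintained here.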