Merge "adding linuxbridge agent feature to neutron formula."
diff --git a/README.rst b/README.rst
index 1d03977..45b3ac3 100644
--- a/README.rst
+++ b/README.rst
@@ -819,6 +819,37 @@
ovs:
driver: openvswitch
+Neutron with LinuxBridge Agents
+-------------------------------
+
+.. code-block:: yaml
+
+ neutron:
+ server:
+ firewall_driver: iptables
+ backend:
+ mechanism:
+ lb:
+ driver: linuxbridge
+ ....
+ compute:
+ backend:
+ mechanism:
+ lb:
+ driver: linuxbridge
+ ....
+ gateway:
+ backend:
+ mechanism:
+ lb:
+ driver: linuxbridge
+ agents:
+ dhcp:
+ interface_driver: linuxbridge
+ l3:
+ interface_driver: linuxbridge
+
+
Neutron with VLAN-aware-VMs
---------------------------
diff --git a/neutron/files/mitaka/l3_agent.ini b/neutron/files/mitaka/l3_agent.ini
index 3916ec3..0c0266a 100644
--- a/neutron/files/mitaka/l3_agent.ini
+++ b/neutron/files/mitaka/l3_agent.ini
@@ -26,7 +26,11 @@
# The driver used to manage the virtual interface. (string value)
#interface_driver = <None>
+{%- if neutron.get('agents', {}).get('l3', {}).interface_driver is defined %}
+interface_driver = {{ neutron.agents.l3.interface_driver }}
+{%- else %}
interface_driver = openvswitch
+{%- endif %}
# Timeout in seconds for ovs-vsctl commands. If the timeout expires, ovs commands will fail with ALARMCLOCK error. (integer value)
#ovs_vsctl_timeout = 10
diff --git a/neutron/files/mitaka/linuxbridge_agent.ini b/neutron/files/mitaka/linuxbridge_agent.ini
new file mode 100644
index 0000000..43532f4
--- /dev/null
+++ b/neutron/files/mitaka/linuxbridge_agent.ini
@@ -0,0 +1,265 @@
+{%- if pillar.neutron.gateway is defined %}
+{%- from "neutron/map.jinja" import gateway as neutron with context %}
+{%- else %}
+{%- from "neutron/map.jinja" import compute as neutron with context %}
+{%- endif %}
+
+[DEFAULT]
+
+#
+# From oslo.log
+#
+
+# If set to true, the logging level will be set to DEBUG instead of the default
+# INFO level. (boolean value)
+# Note: This option can be changed without restarting.
+#debug = false
+
+# DEPRECATED: If set to false, the logging level will be set to WARNING instead
+# of the default INFO level. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#verbose = true
+
+# The name of a logging configuration file. This file is appended to any
+# existing logging configuration files. For details about logging configuration
+# files, see the Python logging module documentation. Note that when logging
+# configuration files are used then all logging configuration is set in the
+# configuration file and other logging configuration options are ignored (for
+# example, logging_context_format_string). (string value)
+# Note: This option can be changed without restarting.
+# Deprecated group/name - [DEFAULT]/log_config
+#log_config_append = <None>
+
+# Defines the format string for %%(asctime)s in log records. Default:
+# %(default)s . This option is ignored if log_config_append is set. (string
+# value)
+#log_date_format = %Y-%m-%d %H:%M:%S
+
+# (Optional) Name of log file to send logging output to. If no default is set,
+# logging will go to stderr as defined by use_stderr. This option is ignored if
+# log_config_append is set. (string value)
+# Deprecated group/name - [DEFAULT]/logfile
+#log_file = <None>
+
+# (Optional) The base directory used for relative log_file paths. This option
+# is ignored if log_config_append is set. (string value)
+# Deprecated group/name - [DEFAULT]/logdir
+#log_dir = <None>
+
+# Uses logging handler designed to watch file system. When log file is moved or
+# removed this handler will open a new log file with specified path
+# instantaneously. It makes sense only if log_file option is specified and
+# Linux platform is used. This option is ignored if log_config_append is set.
+# (boolean value)
+#watch_log_file = false
+
+# Use syslog for logging. Existing syslog format is DEPRECATED and will be
+# changed later to honor RFC5424. This option is ignored if log_config_append
+# is set. (boolean value)
+#use_syslog = false
+
+# Enable journald for logging. If running in a systemd environment you may wish
+# to enable journal support. Doing so will use the journal native protocol
+# which includes structured metadata in addition to log messages.This option is
+# ignored if log_config_append is set. (boolean value)
+#use_journal = false
+
+# Syslog facility to receive log lines. This option is ignored if
+# log_config_append is set. (string value)
+#syslog_log_facility = LOG_USER
+
+# Log output to standard error. This option is ignored if log_config_append is
+# set. (boolean value)
+#use_stderr = false
+
+# Format string to use for log messages with context. (string value)
+#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
+
+# Format string to use for log messages when context is undefined. (string
+# value)
+#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
+
+# Additional data to append to log message when logging level for the message
+# is DEBUG. (string value)
+#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
+
+# Prefix each line of exception output with this format. (string value)
+#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
+
+# Defines the format string for %(user_identity)s that is used in
+# logging_context_format_string. (string value)
+#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s
+
+# List of package logging levels in logger=LEVEL pairs. This option is ignored
+# if log_config_append is set. (list value)
+#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO
+
+# Enables or disables publication of error events. (boolean value)
+#publish_errors = false
+
+# The format for an instance that is passed with the log message. (string
+# value)
+#instance_format = "[instance: %(uuid)s] "
+
+# The format for an instance UUID that is passed with the log message. (string
+# value)
+#instance_uuid_format = "[instance: %(uuid)s] "
+
+# Interval, number of seconds, of log rate limiting. (integer value)
+#rate_limit_interval = 0
+
+# Maximum number of logged messages per rate_limit_interval. (integer value)
+#rate_limit_burst = 0
+
+# Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG
+# or empty string. Logs with level greater or equal to rate_limit_except_level
+# are not filtered. An empty string means that all levels are filtered. (string
+# value)
+#rate_limit_except_level = CRITICAL
+
+# Enables or disables fatal status of deprecations. (boolean value)
+#fatal_deprecations = false
+
+
+[agent]
+
+#
+# From neutron.ml2.linuxbridge.agent
+#
+
+# The number of seconds the agent will wait between polling for local device
+# changes. (integer value)
+#polling_interval = 2
+
+# Set new timeout in seconds for new rpc calls after agent receives SIGTERM. If
+# value is set to 0, rpc timeout won't be changed (integer value)
+#quitting_rpc_timeout = 10
+
+# Extensions list to use (list value)
+#extensions =
+
+
+[linux_bridge]
+
+#
+# From neutron.ml2.linuxbridge.agent
+#
+
+# Comma-separated list of <physical_network>:<physical_interface> tuples
+# mapping physical network names to the agent's node-specific physical network
+# interfaces to be used for flat and VLAN networks. All physical networks
+# listed in network_vlan_ranges on the server should have mappings to
+# appropriate interfaces on each agent. (list value)
+#physical_interface_mappings =
+
+# List of <physical_network>:<physical_bridge> (list value)
+{% set bridge_mappings=[] %}
+{%- if neutron.bridge_mappings is defined %}
+{%- for physnet,bridge in neutron.bridge_mappings.iteritems() %}{%- do bridge_mappings.append(physnet+':'+bridge) %}{%- endfor %}
+{%- endif %}
+{%- if 'br-floating' not in neutron.get('bridge_mappings', {}).values() %}{%- if neutron.get('external_access', True) %}
+{%- do bridge_mappings.append('physnet1:br-floating') %}{%- endif %}{%- endif %}
+{%- if 'br-prv' not in neutron.get('bridge_mappings', {}).values() %}{%- if "vlan" in neutron.backend.tenant_network_types %}
+{%- do bridge_mappings.append('physnet2:br-prv') %}{%- endif %}{%- endif %}
+{%- if 'br-baremetal' not in neutron.get('bridge_mappings', {}).values() %}{%- if neutron.get('ironic_enabled', False) %}
+{%- do bridge_mappings.append('physnet3:br-baremetal') %}{%- endif %}{%- endif %}
+{%- if bridge_mappings %}
+bridge_mappings = {{ ','.join(bridge_mappings) }}
+{%- else %}
+#bridge_mappings =
+{%- endif %}
+
+[vxlan]
+
+#
+# From neutron.ml2.linuxbridge.agent
+#
+
+# Enable VXLAN on the agent. Can be enabled when agent is managed by ml2 plugin
+# using linuxbridge mechanism driver (boolean value)
+{%- if "vxlan" in neutron.backend.tenant_network_types %}
+enable_vxlan = true
+{%- endif %}
+
+# TTL for vxlan interface protocol packets. (integer value)
+#ttl = <None>
+
+# TOS for vxlan interface protocol packets. (integer value)
+#tos = <None>
+
+# Multicast group(s) for vxlan interface. A range of group addresses may be
+# specified by using CIDR notation. Specifying a range allows different VNIs to
+# use different group addresses, reducing or eliminating spurious broadcast
+# traffic to the tunnel endpoints. To reserve a unique group for each possible
+# (24-bit) VNI, use a /8 such as 239.0.0.0/8. This setting must be the same on
+# all the agents. (string value)
+#vxlan_group = 224.0.0.1
+
+# IP address of local overlay (tunnel) network endpoint. Use either an IPv4 or
+# IPv6 address that resides on one of the host network interfaces. The IP
+# version of this value must match the value of the 'overlay_ip_version' option
+# in the ML2 plug-in configuration file on the neutron server node(s). (IP
+# address value)
+#local_ip = <None>
+local_ip = {{ neutron.local_ip }}
+
+# The minimum of the UDP source port range used for VXLAN communication. (port
+# value)
+# Minimum value: 0
+# Maximum value: 65535
+#udp_srcport_min = 0
+
+# The maximum of the UDP source port range used for VXLAN communication. (port
+# value)
+# Minimum value: 0
+# Maximum value: 65535
+#udp_srcport_max = 0
+
+# The UDP port used for VXLAN communication. By default, the Linux kernel
+# doesn't use the IANA assigned standard value, so if you want to use it, this
+# option must be set to 4789. It is not set by default because of backward
+# compatibiltiy. (port value)
+# Minimum value: 0
+# Maximum value: 65535
+#udp_dstport = <None>
+
+# Extension to use alongside ml2 plugin's l2population mechanism driver. It
+# enables the plugin to populate VXLAN forwarding table. (boolean value)
+l2_population = True
+
+# Enable local ARP responder which provides local responses instead of
+# performing ARP broadcast into the overlay. Enabling local ARP responder is
+# not fully compatible with the allowed-address-pairs extension. (boolean
+# value)
+#arp_responder = false
+
+# Optional comma-separated list of <multicast address>:<vni_min>:<vni_max>
+# triples describing how to assign a multicast address to VXLAN according to
+# its VNI ID. (list value)
+#multicast_ranges =
+
+[securitygroup]
+
+#
+# From neutron.ml2.ovs.agent
+#
+
+# Driver for security groups firewall in the L2 agent (string value)
+#firewall_driver = <None>
+{%- if not neutron.get('security_groups_enabled', True) %}
+{%- set _firewall_driver = 'noop' %}
+{%- else %}
+{%- set _firewall_driver = 'iptables' %}
+{%- endif %}
+firewall_driver = {{ neutron.get('firewall_driver', _firewall_driver) }}
+
+# Controls whether the neutron security group API is enabled in the server. It
+# should be false when using no security groups or using the nova security
+# group API. (boolean value)
+#enable_security_group = true
+enable_security_group = {{ neutron.get('security_groups_enabled', True) }}
+
+# Use ipset to speed-up the iptables based security groups. Enabling ipset
+# support requires that ipset is installed on L2 agent node. (boolean value)
+#enable_ipset = true
diff --git a/neutron/files/mitaka/ml2_conf.ini b/neutron/files/mitaka/ml2_conf.ini
index c6a7f12..312ac66 100644
--- a/neutron/files/mitaka/ml2_conf.ini
+++ b/neutron/files/mitaka/ml2_conf.ini
@@ -224,6 +224,8 @@
#firewall_driver = <None>
{%- if server.dpdk %}
firewall_driver = openvswitch
+{%- elif server.firewall_driver is defined %}
+firewall_driver = {{ server.firewall_driver }}
{%- else %}
firewall_driver = iptables_hybrid
{%- endif %}
diff --git a/neutron/files/newton/l3_agent.ini b/neutron/files/newton/l3_agent.ini
index 56bf297..12d1c37 100644
--- a/neutron/files/newton/l3_agent.ini
+++ b/neutron/files/newton/l3_agent.ini
@@ -25,7 +25,11 @@
# The driver used to manage the virtual interface. (string value)
#interface_driver = <None>
+{%- if neutron.get('agents', {}).get('l3', {}).interface_driver is defined %}
+interface_driver = {{ neutron.agents.l3.interface_driver }}
+{%- else %}
interface_driver = openvswitch
+{%- endif %}
# Timeout in seconds for ovs-vsctl commands. If the timeout expires, ovs commands will fail with ALARMCLOCK error. (integer value)
#ovs_vsctl_timeout = 10
diff --git a/neutron/files/newton/linuxbridge_agent.ini b/neutron/files/newton/linuxbridge_agent.ini
new file mode 100644
index 0000000..43532f4
--- /dev/null
+++ b/neutron/files/newton/linuxbridge_agent.ini
@@ -0,0 +1,265 @@
+{%- if pillar.neutron.gateway is defined %}
+{%- from "neutron/map.jinja" import gateway as neutron with context %}
+{%- else %}
+{%- from "neutron/map.jinja" import compute as neutron with context %}
+{%- endif %}
+
+[DEFAULT]
+
+#
+# From oslo.log
+#
+
+# If set to true, the logging level will be set to DEBUG instead of the default
+# INFO level. (boolean value)
+# Note: This option can be changed without restarting.
+#debug = false
+
+# DEPRECATED: If set to false, the logging level will be set to WARNING instead
+# of the default INFO level. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#verbose = true
+
+# The name of a logging configuration file. This file is appended to any
+# existing logging configuration files. For details about logging configuration
+# files, see the Python logging module documentation. Note that when logging
+# configuration files are used then all logging configuration is set in the
+# configuration file and other logging configuration options are ignored (for
+# example, logging_context_format_string). (string value)
+# Note: This option can be changed without restarting.
+# Deprecated group/name - [DEFAULT]/log_config
+#log_config_append = <None>
+
+# Defines the format string for %%(asctime)s in log records. Default:
+# %(default)s . This option is ignored if log_config_append is set. (string
+# value)
+#log_date_format = %Y-%m-%d %H:%M:%S
+
+# (Optional) Name of log file to send logging output to. If no default is set,
+# logging will go to stderr as defined by use_stderr. This option is ignored if
+# log_config_append is set. (string value)
+# Deprecated group/name - [DEFAULT]/logfile
+#log_file = <None>
+
+# (Optional) The base directory used for relative log_file paths. This option
+# is ignored if log_config_append is set. (string value)
+# Deprecated group/name - [DEFAULT]/logdir
+#log_dir = <None>
+
+# Uses logging handler designed to watch file system. When log file is moved or
+# removed this handler will open a new log file with specified path
+# instantaneously. It makes sense only if log_file option is specified and
+# Linux platform is used. This option is ignored if log_config_append is set.
+# (boolean value)
+#watch_log_file = false
+
+# Use syslog for logging. Existing syslog format is DEPRECATED and will be
+# changed later to honor RFC5424. This option is ignored if log_config_append
+# is set. (boolean value)
+#use_syslog = false
+
+# Enable journald for logging. If running in a systemd environment you may wish
+# to enable journal support. Doing so will use the journal native protocol
+# which includes structured metadata in addition to log messages.This option is
+# ignored if log_config_append is set. (boolean value)
+#use_journal = false
+
+# Syslog facility to receive log lines. This option is ignored if
+# log_config_append is set. (string value)
+#syslog_log_facility = LOG_USER
+
+# Log output to standard error. This option is ignored if log_config_append is
+# set. (boolean value)
+#use_stderr = false
+
+# Format string to use for log messages with context. (string value)
+#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
+
+# Format string to use for log messages when context is undefined. (string
+# value)
+#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
+
+# Additional data to append to log message when logging level for the message
+# is DEBUG. (string value)
+#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
+
+# Prefix each line of exception output with this format. (string value)
+#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
+
+# Defines the format string for %(user_identity)s that is used in
+# logging_context_format_string. (string value)
+#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s
+
+# List of package logging levels in logger=LEVEL pairs. This option is ignored
+# if log_config_append is set. (list value)
+#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO
+
+# Enables or disables publication of error events. (boolean value)
+#publish_errors = false
+
+# The format for an instance that is passed with the log message. (string
+# value)
+#instance_format = "[instance: %(uuid)s] "
+
+# The format for an instance UUID that is passed with the log message. (string
+# value)
+#instance_uuid_format = "[instance: %(uuid)s] "
+
+# Interval, number of seconds, of log rate limiting. (integer value)
+#rate_limit_interval = 0
+
+# Maximum number of logged messages per rate_limit_interval. (integer value)
+#rate_limit_burst = 0
+
+# Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG
+# or empty string. Logs with level greater or equal to rate_limit_except_level
+# are not filtered. An empty string means that all levels are filtered. (string
+# value)
+#rate_limit_except_level = CRITICAL
+
+# Enables or disables fatal status of deprecations. (boolean value)
+#fatal_deprecations = false
+
+
+[agent]
+
+#
+# From neutron.ml2.linuxbridge.agent
+#
+
+# The number of seconds the agent will wait between polling for local device
+# changes. (integer value)
+#polling_interval = 2
+
+# Set new timeout in seconds for new rpc calls after agent receives SIGTERM. If
+# value is set to 0, rpc timeout won't be changed (integer value)
+#quitting_rpc_timeout = 10
+
+# Extensions list to use (list value)
+#extensions =
+
+
+[linux_bridge]
+
+#
+# From neutron.ml2.linuxbridge.agent
+#
+
+# Comma-separated list of <physical_network>:<physical_interface> tuples
+# mapping physical network names to the agent's node-specific physical network
+# interfaces to be used for flat and VLAN networks. All physical networks
+# listed in network_vlan_ranges on the server should have mappings to
+# appropriate interfaces on each agent. (list value)
+#physical_interface_mappings =
+
+# List of <physical_network>:<physical_bridge> (list value)
+{% set bridge_mappings=[] %}
+{%- if neutron.bridge_mappings is defined %}
+{%- for physnet,bridge in neutron.bridge_mappings.iteritems() %}{%- do bridge_mappings.append(physnet+':'+bridge) %}{%- endfor %}
+{%- endif %}
+{%- if 'br-floating' not in neutron.get('bridge_mappings', {}).values() %}{%- if neutron.get('external_access', True) %}
+{%- do bridge_mappings.append('physnet1:br-floating') %}{%- endif %}{%- endif %}
+{%- if 'br-prv' not in neutron.get('bridge_mappings', {}).values() %}{%- if "vlan" in neutron.backend.tenant_network_types %}
+{%- do bridge_mappings.append('physnet2:br-prv') %}{%- endif %}{%- endif %}
+{%- if 'br-baremetal' not in neutron.get('bridge_mappings', {}).values() %}{%- if neutron.get('ironic_enabled', False) %}
+{%- do bridge_mappings.append('physnet3:br-baremetal') %}{%- endif %}{%- endif %}
+{%- if bridge_mappings %}
+bridge_mappings = {{ ','.join(bridge_mappings) }}
+{%- else %}
+#bridge_mappings =
+{%- endif %}
+
+[vxlan]
+
+#
+# From neutron.ml2.linuxbridge.agent
+#
+
+# Enable VXLAN on the agent. Can be enabled when agent is managed by ml2 plugin
+# using linuxbridge mechanism driver (boolean value)
+{%- if "vxlan" in neutron.backend.tenant_network_types %}
+enable_vxlan = true
+{%- endif %}
+
+# TTL for vxlan interface protocol packets. (integer value)
+#ttl = <None>
+
+# TOS for vxlan interface protocol packets. (integer value)
+#tos = <None>
+
+# Multicast group(s) for vxlan interface. A range of group addresses may be
+# specified by using CIDR notation. Specifying a range allows different VNIs to
+# use different group addresses, reducing or eliminating spurious broadcast
+# traffic to the tunnel endpoints. To reserve a unique group for each possible
+# (24-bit) VNI, use a /8 such as 239.0.0.0/8. This setting must be the same on
+# all the agents. (string value)
+#vxlan_group = 224.0.0.1
+
+# IP address of local overlay (tunnel) network endpoint. Use either an IPv4 or
+# IPv6 address that resides on one of the host network interfaces. The IP
+# version of this value must match the value of the 'overlay_ip_version' option
+# in the ML2 plug-in configuration file on the neutron server node(s). (IP
+# address value)
+#local_ip = <None>
+local_ip = {{ neutron.local_ip }}
+
+# The minimum of the UDP source port range used for VXLAN communication. (port
+# value)
+# Minimum value: 0
+# Maximum value: 65535
+#udp_srcport_min = 0
+
+# The maximum of the UDP source port range used for VXLAN communication. (port
+# value)
+# Minimum value: 0
+# Maximum value: 65535
+#udp_srcport_max = 0
+
+# The UDP port used for VXLAN communication. By default, the Linux kernel
+# doesn't use the IANA assigned standard value, so if you want to use it, this
+# option must be set to 4789. It is not set by default because of backward
+# compatibiltiy. (port value)
+# Minimum value: 0
+# Maximum value: 65535
+#udp_dstport = <None>
+
+# Extension to use alongside ml2 plugin's l2population mechanism driver. It
+# enables the plugin to populate VXLAN forwarding table. (boolean value)
+l2_population = True
+
+# Enable local ARP responder which provides local responses instead of
+# performing ARP broadcast into the overlay. Enabling local ARP responder is
+# not fully compatible with the allowed-address-pairs extension. (boolean
+# value)
+#arp_responder = false
+
+# Optional comma-separated list of <multicast address>:<vni_min>:<vni_max>
+# triples describing how to assign a multicast address to VXLAN according to
+# its VNI ID. (list value)
+#multicast_ranges =
+
+[securitygroup]
+
+#
+# From neutron.ml2.ovs.agent
+#
+
+# Driver for security groups firewall in the L2 agent (string value)
+#firewall_driver = <None>
+{%- if not neutron.get('security_groups_enabled', True) %}
+{%- set _firewall_driver = 'noop' %}
+{%- else %}
+{%- set _firewall_driver = 'iptables' %}
+{%- endif %}
+firewall_driver = {{ neutron.get('firewall_driver', _firewall_driver) }}
+
+# Controls whether the neutron security group API is enabled in the server. It
+# should be false when using no security groups or using the nova security
+# group API. (boolean value)
+#enable_security_group = true
+enable_security_group = {{ neutron.get('security_groups_enabled', True) }}
+
+# Use ipset to speed-up the iptables based security groups. Enabling ipset
+# support requires that ipset is installed on L2 agent node. (boolean value)
+#enable_ipset = true
diff --git a/neutron/files/newton/ml2_conf.ini b/neutron/files/newton/ml2_conf.ini
index c6a7f12..312ac66 100644
--- a/neutron/files/newton/ml2_conf.ini
+++ b/neutron/files/newton/ml2_conf.ini
@@ -224,6 +224,8 @@
#firewall_driver = <None>
{%- if server.dpdk %}
firewall_driver = openvswitch
+{%- elif server.firewall_driver is defined %}
+firewall_driver = {{ server.firewall_driver }}
{%- else %}
firewall_driver = iptables_hybrid
{%- endif %}
diff --git a/neutron/files/ocata/l3_agent.ini b/neutron/files/ocata/l3_agent.ini
index 7b386a5..4c3c5cb 100644
--- a/neutron/files/ocata/l3_agent.ini
+++ b/neutron/files/ocata/l3_agent.ini
@@ -21,7 +21,11 @@
# The driver used to manage the virtual interface. (string value)
#interface_driver = <None>
+{%- if neutron.get('agents', {}).get('l3', {}).interface_driver is defined %}
+interface_driver = {{ neutron.agents.l3.interface_driver }}
+{%- else %}
interface_driver = openvswitch
+{%- endif %}
# Timeout in seconds for ovs-vsctl commands. If the timeout expires, ovs
# commands will fail with ALARMCLOCK error. (integer value)
diff --git a/neutron/files/ocata/linuxbridge_agent.ini b/neutron/files/ocata/linuxbridge_agent.ini
new file mode 100644
index 0000000..43532f4
--- /dev/null
+++ b/neutron/files/ocata/linuxbridge_agent.ini
@@ -0,0 +1,265 @@
+{%- if pillar.neutron.gateway is defined %}
+{%- from "neutron/map.jinja" import gateway as neutron with context %}
+{%- else %}
+{%- from "neutron/map.jinja" import compute as neutron with context %}
+{%- endif %}
+
+[DEFAULT]
+
+#
+# From oslo.log
+#
+
+# If set to true, the logging level will be set to DEBUG instead of the default
+# INFO level. (boolean value)
+# Note: This option can be changed without restarting.
+#debug = false
+
+# DEPRECATED: If set to false, the logging level will be set to WARNING instead
+# of the default INFO level. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#verbose = true
+
+# The name of a logging configuration file. This file is appended to any
+# existing logging configuration files. For details about logging configuration
+# files, see the Python logging module documentation. Note that when logging
+# configuration files are used then all logging configuration is set in the
+# configuration file and other logging configuration options are ignored (for
+# example, logging_context_format_string). (string value)
+# Note: This option can be changed without restarting.
+# Deprecated group/name - [DEFAULT]/log_config
+#log_config_append = <None>
+
+# Defines the format string for %%(asctime)s in log records. Default:
+# %(default)s . This option is ignored if log_config_append is set. (string
+# value)
+#log_date_format = %Y-%m-%d %H:%M:%S
+
+# (Optional) Name of log file to send logging output to. If no default is set,
+# logging will go to stderr as defined by use_stderr. This option is ignored if
+# log_config_append is set. (string value)
+# Deprecated group/name - [DEFAULT]/logfile
+#log_file = <None>
+
+# (Optional) The base directory used for relative log_file paths. This option
+# is ignored if log_config_append is set. (string value)
+# Deprecated group/name - [DEFAULT]/logdir
+#log_dir = <None>
+
+# Uses logging handler designed to watch file system. When log file is moved or
+# removed this handler will open a new log file with specified path
+# instantaneously. It makes sense only if log_file option is specified and
+# Linux platform is used. This option is ignored if log_config_append is set.
+# (boolean value)
+#watch_log_file = false
+
+# Use syslog for logging. Existing syslog format is DEPRECATED and will be
+# changed later to honor RFC5424. This option is ignored if log_config_append
+# is set. (boolean value)
+#use_syslog = false
+
+# Enable journald for logging. If running in a systemd environment you may wish
+# to enable journal support. Doing so will use the journal native protocol
+# which includes structured metadata in addition to log messages.This option is
+# ignored if log_config_append is set. (boolean value)
+#use_journal = false
+
+# Syslog facility to receive log lines. This option is ignored if
+# log_config_append is set. (string value)
+#syslog_log_facility = LOG_USER
+
+# Log output to standard error. This option is ignored if log_config_append is
+# set. (boolean value)
+#use_stderr = false
+
+# Format string to use for log messages with context. (string value)
+#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
+
+# Format string to use for log messages when context is undefined. (string
+# value)
+#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
+
+# Additional data to append to log message when logging level for the message
+# is DEBUG. (string value)
+#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
+
+# Prefix each line of exception output with this format. (string value)
+#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
+
+# Defines the format string for %(user_identity)s that is used in
+# logging_context_format_string. (string value)
+#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s
+
+# List of package logging levels in logger=LEVEL pairs. This option is ignored
+# if log_config_append is set. (list value)
+#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO
+
+# Enables or disables publication of error events. (boolean value)
+#publish_errors = false
+
+# The format for an instance that is passed with the log message. (string
+# value)
+#instance_format = "[instance: %(uuid)s] "
+
+# The format for an instance UUID that is passed with the log message. (string
+# value)
+#instance_uuid_format = "[instance: %(uuid)s] "
+
+# Interval, number of seconds, of log rate limiting. (integer value)
+#rate_limit_interval = 0
+
+# Maximum number of logged messages per rate_limit_interval. (integer value)
+#rate_limit_burst = 0
+
+# Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG
+# or empty string. Logs with level greater or equal to rate_limit_except_level
+# are not filtered. An empty string means that all levels are filtered. (string
+# value)
+#rate_limit_except_level = CRITICAL
+
+# Enables or disables fatal status of deprecations. (boolean value)
+#fatal_deprecations = false
+
+
+[agent]
+
+#
+# From neutron.ml2.linuxbridge.agent
+#
+
+# The number of seconds the agent will wait between polling for local device
+# changes. (integer value)
+#polling_interval = 2
+
+# Set new timeout in seconds for new rpc calls after agent receives SIGTERM. If
+# value is set to 0, rpc timeout won't be changed (integer value)
+#quitting_rpc_timeout = 10
+
+# Extensions list to use (list value)
+#extensions =
+
+
+[linux_bridge]
+
+#
+# From neutron.ml2.linuxbridge.agent
+#
+
+# Comma-separated list of <physical_network>:<physical_interface> tuples
+# mapping physical network names to the agent's node-specific physical network
+# interfaces to be used for flat and VLAN networks. All physical networks
+# listed in network_vlan_ranges on the server should have mappings to
+# appropriate interfaces on each agent. (list value)
+#physical_interface_mappings =
+
+# List of <physical_network>:<physical_bridge> (list value)
+{% set bridge_mappings=[] %}
+{%- if neutron.bridge_mappings is defined %}
+{%- for physnet,bridge in neutron.bridge_mappings.iteritems() %}{%- do bridge_mappings.append(physnet+':'+bridge) %}{%- endfor %}
+{%- endif %}
+{%- if 'br-floating' not in neutron.get('bridge_mappings', {}).values() %}{%- if neutron.get('external_access', True) %}
+{%- do bridge_mappings.append('physnet1:br-floating') %}{%- endif %}{%- endif %}
+{%- if 'br-prv' not in neutron.get('bridge_mappings', {}).values() %}{%- if "vlan" in neutron.backend.tenant_network_types %}
+{%- do bridge_mappings.append('physnet2:br-prv') %}{%- endif %}{%- endif %}
+{%- if 'br-baremetal' not in neutron.get('bridge_mappings', {}).values() %}{%- if neutron.get('ironic_enabled', False) %}
+{%- do bridge_mappings.append('physnet3:br-baremetal') %}{%- endif %}{%- endif %}
+{%- if bridge_mappings %}
+bridge_mappings = {{ ','.join(bridge_mappings) }}
+{%- else %}
+#bridge_mappings =
+{%- endif %}
+
+[vxlan]
+
+#
+# From neutron.ml2.linuxbridge.agent
+#
+
+# Enable VXLAN on the agent. Can be enabled when agent is managed by ml2 plugin
+# using linuxbridge mechanism driver (boolean value)
+{%- if "vxlan" in neutron.backend.tenant_network_types %}
+enable_vxlan = true
+{%- endif %}
+
+# TTL for vxlan interface protocol packets. (integer value)
+#ttl = <None>
+
+# TOS for vxlan interface protocol packets. (integer value)
+#tos = <None>
+
+# Multicast group(s) for vxlan interface. A range of group addresses may be
+# specified by using CIDR notation. Specifying a range allows different VNIs to
+# use different group addresses, reducing or eliminating spurious broadcast
+# traffic to the tunnel endpoints. To reserve a unique group for each possible
+# (24-bit) VNI, use a /8 such as 239.0.0.0/8. This setting must be the same on
+# all the agents. (string value)
+#vxlan_group = 224.0.0.1
+
+# IP address of local overlay (tunnel) network endpoint. Use either an IPv4 or
+# IPv6 address that resides on one of the host network interfaces. The IP
+# version of this value must match the value of the 'overlay_ip_version' option
+# in the ML2 plug-in configuration file on the neutron server node(s). (IP
+# address value)
+#local_ip = <None>
+local_ip = {{ neutron.local_ip }}
+
+# The minimum of the UDP source port range used for VXLAN communication. (port
+# value)
+# Minimum value: 0
+# Maximum value: 65535
+#udp_srcport_min = 0
+
+# The maximum of the UDP source port range used for VXLAN communication. (port
+# value)
+# Minimum value: 0
+# Maximum value: 65535
+#udp_srcport_max = 0
+
+# The UDP port used for VXLAN communication. By default, the Linux kernel
+# doesn't use the IANA assigned standard value, so if you want to use it, this
+# option must be set to 4789. It is not set by default because of backward
+# compatibiltiy. (port value)
+# Minimum value: 0
+# Maximum value: 65535
+#udp_dstport = <None>
+
+# Extension to use alongside ml2 plugin's l2population mechanism driver. It
+# enables the plugin to populate VXLAN forwarding table. (boolean value)
+l2_population = True
+
+# Enable local ARP responder which provides local responses instead of
+# performing ARP broadcast into the overlay. Enabling local ARP responder is
+# not fully compatible with the allowed-address-pairs extension. (boolean
+# value)
+#arp_responder = false
+
+# Optional comma-separated list of <multicast address>:<vni_min>:<vni_max>
+# triples describing how to assign a multicast address to VXLAN according to
+# its VNI ID. (list value)
+#multicast_ranges =
+
+[securitygroup]
+
+#
+# From neutron.ml2.ovs.agent
+#
+
+# Driver for security groups firewall in the L2 agent (string value)
+#firewall_driver = <None>
+{%- if not neutron.get('security_groups_enabled', True) %}
+{%- set _firewall_driver = 'noop' %}
+{%- else %}
+{%- set _firewall_driver = 'iptables' %}
+{%- endif %}
+firewall_driver = {{ neutron.get('firewall_driver', _firewall_driver) }}
+
+# Controls whether the neutron security group API is enabled in the server. It
+# should be false when using no security groups or using the nova security
+# group API. (boolean value)
+#enable_security_group = true
+enable_security_group = {{ neutron.get('security_groups_enabled', True) }}
+
+# Use ipset to speed-up the iptables based security groups. Enabling ipset
+# support requires that ipset is installed on L2 agent node. (boolean value)
+#enable_ipset = true
diff --git a/neutron/files/ocata/ml2_conf.ini b/neutron/files/ocata/ml2_conf.ini
index 3f070d9..ab67788 100644
--- a/neutron/files/ocata/ml2_conf.ini
+++ b/neutron/files/ocata/ml2_conf.ini
@@ -346,6 +346,9 @@
{%- elif server.dpdk or server.get('vlan_aware_vms', False) %}
firewall_driver = openvswitch
enable_security_group = True
+{%- elif server.firewall_driver is defined %}
+firewall_driver = {{ server.firewall_driver }}
+enable_security_group = True
{%- else %}
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True
diff --git a/neutron/files/pike/l3_agent.ini b/neutron/files/pike/l3_agent.ini
index 85ca1a9..a1e58bb 100644
--- a/neutron/files/pike/l3_agent.ini
+++ b/neutron/files/pike/l3_agent.ini
@@ -24,7 +24,11 @@
# The driver used to manage the virtual interface. (string value)
#interface_driver = <None>
+{%- if neutron.get('agents', {}).get('l3', {}).interface_driver is defined %}
+interface_driver = {{ neutron.agents.l3.interface_driver }}
+{%- else %}
interface_driver = openvswitch
+{%- endif %}
# Timeout in seconds for ovs-vsctl commands. If the timeout expires, ovs
# commands will fail with ALARMCLOCK error. (integer value)
diff --git a/neutron/files/pike/linuxbridge_agent.ini b/neutron/files/pike/linuxbridge_agent.ini
new file mode 100644
index 0000000..43532f4
--- /dev/null
+++ b/neutron/files/pike/linuxbridge_agent.ini
@@ -0,0 +1,265 @@
+{%- if pillar.neutron.gateway is defined %}
+{%- from "neutron/map.jinja" import gateway as neutron with context %}
+{%- else %}
+{%- from "neutron/map.jinja" import compute as neutron with context %}
+{%- endif %}
+
+[DEFAULT]
+
+#
+# From oslo.log
+#
+
+# If set to true, the logging level will be set to DEBUG instead of the default
+# INFO level. (boolean value)
+# Note: This option can be changed without restarting.
+#debug = false
+
+# DEPRECATED: If set to false, the logging level will be set to WARNING instead
+# of the default INFO level. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#verbose = true
+
+# The name of a logging configuration file. This file is appended to any
+# existing logging configuration files. For details about logging configuration
+# files, see the Python logging module documentation. Note that when logging
+# configuration files are used then all logging configuration is set in the
+# configuration file and other logging configuration options are ignored (for
+# example, logging_context_format_string). (string value)
+# Note: This option can be changed without restarting.
+# Deprecated group/name - [DEFAULT]/log_config
+#log_config_append = <None>
+
+# Defines the format string for %%(asctime)s in log records. Default:
+# %(default)s . This option is ignored if log_config_append is set. (string
+# value)
+#log_date_format = %Y-%m-%d %H:%M:%S
+
+# (Optional) Name of log file to send logging output to. If no default is set,
+# logging will go to stderr as defined by use_stderr. This option is ignored if
+# log_config_append is set. (string value)
+# Deprecated group/name - [DEFAULT]/logfile
+#log_file = <None>
+
+# (Optional) The base directory used for relative log_file paths. This option
+# is ignored if log_config_append is set. (string value)
+# Deprecated group/name - [DEFAULT]/logdir
+#log_dir = <None>
+
+# Uses logging handler designed to watch file system. When log file is moved or
+# removed this handler will open a new log file with specified path
+# instantaneously. It makes sense only if log_file option is specified and
+# Linux platform is used. This option is ignored if log_config_append is set.
+# (boolean value)
+#watch_log_file = false
+
+# Use syslog for logging. Existing syslog format is DEPRECATED and will be
+# changed later to honor RFC5424. This option is ignored if log_config_append
+# is set. (boolean value)
+#use_syslog = false
+
+# Enable journald for logging. If running in a systemd environment you may wish
+# to enable journal support. Doing so will use the journal native protocol
+# which includes structured metadata in addition to log messages.This option is
+# ignored if log_config_append is set. (boolean value)
+#use_journal = false
+
+# Syslog facility to receive log lines. This option is ignored if
+# log_config_append is set. (string value)
+#syslog_log_facility = LOG_USER
+
+# Log output to standard error. This option is ignored if log_config_append is
+# set. (boolean value)
+#use_stderr = false
+
+# Format string to use for log messages with context. (string value)
+#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
+
+# Format string to use for log messages when context is undefined. (string
+# value)
+#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
+
+# Additional data to append to log message when logging level for the message
+# is DEBUG. (string value)
+#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
+
+# Prefix each line of exception output with this format. (string value)
+#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
+
+# Defines the format string for %(user_identity)s that is used in
+# logging_context_format_string. (string value)
+#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s
+
+# List of package logging levels in logger=LEVEL pairs. This option is ignored
+# if log_config_append is set. (list value)
+#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO
+
+# Enables or disables publication of error events. (boolean value)
+#publish_errors = false
+
+# The format for an instance that is passed with the log message. (string
+# value)
+#instance_format = "[instance: %(uuid)s] "
+
+# The format for an instance UUID that is passed with the log message. (string
+# value)
+#instance_uuid_format = "[instance: %(uuid)s] "
+
+# Interval, number of seconds, of log rate limiting. (integer value)
+#rate_limit_interval = 0
+
+# Maximum number of logged messages per rate_limit_interval. (integer value)
+#rate_limit_burst = 0
+
+# Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG
+# or empty string. Logs with level greater or equal to rate_limit_except_level
+# are not filtered. An empty string means that all levels are filtered. (string
+# value)
+#rate_limit_except_level = CRITICAL
+
+# Enables or disables fatal status of deprecations. (boolean value)
+#fatal_deprecations = false
+
+
+[agent]
+
+#
+# From neutron.ml2.linuxbridge.agent
+#
+
+# The number of seconds the agent will wait between polling for local device
+# changes. (integer value)
+#polling_interval = 2
+
+# Set new timeout in seconds for new rpc calls after agent receives SIGTERM. If
+# value is set to 0, rpc timeout won't be changed (integer value)
+#quitting_rpc_timeout = 10
+
+# Extensions list to use (list value)
+#extensions =
+
+
+[linux_bridge]
+
+#
+# From neutron.ml2.linuxbridge.agent
+#
+
+# Comma-separated list of <physical_network>:<physical_interface> tuples
+# mapping physical network names to the agent's node-specific physical network
+# interfaces to be used for flat and VLAN networks. All physical networks
+# listed in network_vlan_ranges on the server should have mappings to
+# appropriate interfaces on each agent. (list value)
+#physical_interface_mappings =
+
+# List of <physical_network>:<physical_bridge> (list value)
+{% set bridge_mappings=[] %}
+{%- if neutron.bridge_mappings is defined %}
+{%- for physnet,bridge in neutron.bridge_mappings.iteritems() %}{%- do bridge_mappings.append(physnet+':'+bridge) %}{%- endfor %}
+{%- endif %}
+{%- if 'br-floating' not in neutron.get('bridge_mappings', {}).values() %}{%- if neutron.get('external_access', True) %}
+{%- do bridge_mappings.append('physnet1:br-floating') %}{%- endif %}{%- endif %}
+{%- if 'br-prv' not in neutron.get('bridge_mappings', {}).values() %}{%- if "vlan" in neutron.backend.tenant_network_types %}
+{%- do bridge_mappings.append('physnet2:br-prv') %}{%- endif %}{%- endif %}
+{%- if 'br-baremetal' not in neutron.get('bridge_mappings', {}).values() %}{%- if neutron.get('ironic_enabled', False) %}
+{%- do bridge_mappings.append('physnet3:br-baremetal') %}{%- endif %}{%- endif %}
+{%- if bridge_mappings %}
+bridge_mappings = {{ ','.join(bridge_mappings) }}
+{%- else %}
+#bridge_mappings =
+{%- endif %}
+
+[vxlan]
+
+#
+# From neutron.ml2.linuxbridge.agent
+#
+
+# Enable VXLAN on the agent. Can be enabled when agent is managed by ml2 plugin
+# using linuxbridge mechanism driver (boolean value)
+{%- if "vxlan" in neutron.backend.tenant_network_types %}
+enable_vxlan = true
+{%- endif %}
+
+# TTL for vxlan interface protocol packets. (integer value)
+#ttl = <None>
+
+# TOS for vxlan interface protocol packets. (integer value)
+#tos = <None>
+
+# Multicast group(s) for vxlan interface. A range of group addresses may be
+# specified by using CIDR notation. Specifying a range allows different VNIs to
+# use different group addresses, reducing or eliminating spurious broadcast
+# traffic to the tunnel endpoints. To reserve a unique group for each possible
+# (24-bit) VNI, use a /8 such as 239.0.0.0/8. This setting must be the same on
+# all the agents. (string value)
+#vxlan_group = 224.0.0.1
+
+# IP address of local overlay (tunnel) network endpoint. Use either an IPv4 or
+# IPv6 address that resides on one of the host network interfaces. The IP
+# version of this value must match the value of the 'overlay_ip_version' option
+# in the ML2 plug-in configuration file on the neutron server node(s). (IP
+# address value)
+#local_ip = <None>
+local_ip = {{ neutron.local_ip }}
+
+# The minimum of the UDP source port range used for VXLAN communication. (port
+# value)
+# Minimum value: 0
+# Maximum value: 65535
+#udp_srcport_min = 0
+
+# The maximum of the UDP source port range used for VXLAN communication. (port
+# value)
+# Minimum value: 0
+# Maximum value: 65535
+#udp_srcport_max = 0
+
+# The UDP port used for VXLAN communication. By default, the Linux kernel
+# doesn't use the IANA assigned standard value, so if you want to use it, this
+# option must be set to 4789. It is not set by default because of backward
+# compatibiltiy. (port value)
+# Minimum value: 0
+# Maximum value: 65535
+#udp_dstport = <None>
+
+# Extension to use alongside ml2 plugin's l2population mechanism driver. It
+# enables the plugin to populate VXLAN forwarding table. (boolean value)
+l2_population = True
+
+# Enable local ARP responder which provides local responses instead of
+# performing ARP broadcast into the overlay. Enabling local ARP responder is
+# not fully compatible with the allowed-address-pairs extension. (boolean
+# value)
+#arp_responder = false
+
+# Optional comma-separated list of <multicast address>:<vni_min>:<vni_max>
+# triples describing how to assign a multicast address to VXLAN according to
+# its VNI ID. (list value)
+#multicast_ranges =
+
+[securitygroup]
+
+#
+# From neutron.ml2.ovs.agent
+#
+
+# Driver for security groups firewall in the L2 agent (string value)
+#firewall_driver = <None>
+{%- if not neutron.get('security_groups_enabled', True) %}
+{%- set _firewall_driver = 'noop' %}
+{%- else %}
+{%- set _firewall_driver = 'iptables' %}
+{%- endif %}
+firewall_driver = {{ neutron.get('firewall_driver', _firewall_driver) }}
+
+# Controls whether the neutron security group API is enabled in the server. It
+# should be false when using no security groups or using the nova security
+# group API. (boolean value)
+#enable_security_group = true
+enable_security_group = {{ neutron.get('security_groups_enabled', True) }}
+
+# Use ipset to speed-up the iptables based security groups. Enabling ipset
+# support requires that ipset is installed on L2 agent node. (boolean value)
+#enable_ipset = true
diff --git a/neutron/files/queens/l3_agent.ini b/neutron/files/queens/l3_agent.ini
index b3fcdfa..b6f1960 100644
--- a/neutron/files/queens/l3_agent.ini
+++ b/neutron/files/queens/l3_agent.ini
@@ -24,7 +24,11 @@
# The driver used to manage the virtual interface. (string value)
#interface_driver = <None>
+{%- if neutron.get('agents', {}).get('l3', {}).interface_driver is defined %}
+interface_driver = {{ neutron.agents.l3.interface_driver }}
+{%- else %}
interface_driver = openvswitch
+{%- endif %}
#
# From neutron.l3.agent
diff --git a/neutron/files/queens/linuxbridge_agent.ini b/neutron/files/queens/linuxbridge_agent.ini
new file mode 100644
index 0000000..ceeb868
--- /dev/null
+++ b/neutron/files/queens/linuxbridge_agent.ini
@@ -0,0 +1,292 @@
+{%- if pillar.neutron.gateway is defined %}
+{%- from "neutron/map.jinja" import gateway as neutron with context %}
+{%- else %}
+{%- from "neutron/map.jinja" import compute as neutron with context %}
+{%- endif %}
+
+[DEFAULT]
+
+#
+# From oslo.log
+#
+
+# If set to true, the logging level will be set to DEBUG instead of the default
+# INFO level. (boolean value)
+# Note: This option can be changed without restarting.
+#debug = false
+
+# The name of a logging configuration file. This file is appended to any
+# existing logging configuration files. For details about logging configuration
+# files, see the Python logging module documentation. Note that when logging
+# configuration files are used then all logging configuration is set in the
+# configuration file and other logging configuration options are ignored (for
+# example, logging_context_format_string). (string value)
+# Note: This option can be changed without restarting.
+# Deprecated group/name - [DEFAULT]/log_config
+#log_config_append = <None>
+
+# Defines the format string for %%(asctime)s in log records. Default:
+# %(default)s . This option is ignored if log_config_append is set. (string
+# value)
+#log_date_format = %Y-%m-%d %H:%M:%S
+
+# (Optional) Name of log file to send logging output to. If no default is set,
+# logging will go to stderr as defined by use_stderr. This option is ignored if
+# log_config_append is set. (string value)
+# Deprecated group/name - [DEFAULT]/logfile
+#log_file = <None>
+
+# (Optional) The base directory used for relative log_file paths. This option
+# is ignored if log_config_append is set. (string value)
+# Deprecated group/name - [DEFAULT]/logdir
+#log_dir = <None>
+
+# Uses logging handler designed to watch file system. When log file is moved or
+# removed this handler will open a new log file with specified path
+# instantaneously. It makes sense only if log_file option is specified and
+# Linux platform is used. This option is ignored if log_config_append is set.
+# (boolean value)
+#watch_log_file = false
+
+# Use syslog for logging. Existing syslog format is DEPRECATED and will be
+# changed later to honor RFC5424. This option is ignored if log_config_append
+# is set. (boolean value)
+#use_syslog = false
+
+# Enable journald for logging. If running in a systemd environment you may wish
+# to enable journal support. Doing so will use the journal native protocol
+# which includes structured metadata in addition to log messages.This option is
+# ignored if log_config_append is set. (boolean value)
+#use_journal = false
+
+# Syslog facility to receive log lines. This option is ignored if
+# log_config_append is set. (string value)
+#syslog_log_facility = LOG_USER
+
+# Use JSON formatting for logging. This option is ignored if log_config_append
+# is set. (boolean value)
+#use_json = false
+
+# Log output to standard error. This option is ignored if log_config_append is
+# set. (boolean value)
+#use_stderr = false
+
+# Format string to use for log messages with context. (string value)
+#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
+
+# Format string to use for log messages when context is undefined. (string
+# value)
+#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
+
+# Additional data to append to log message when logging level for the message
+# is DEBUG. (string value)
+#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
+
+# Prefix each line of exception output with this format. (string value)
+#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
+
+# Defines the format string for %(user_identity)s that is used in
+# logging_context_format_string. (string value)
+#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s
+
+# List of package logging levels in logger=LEVEL pairs. This option is ignored
+# if log_config_append is set. (list value)
+#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,oslo_messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO
+
+# Enables or disables publication of error events. (boolean value)
+#publish_errors = false
+
+# The format for an instance that is passed with the log message. (string
+# value)
+#instance_format = "[instance: %(uuid)s] "
+
+# The format for an instance UUID that is passed with the log message. (string
+# value)
+#instance_uuid_format = "[instance: %(uuid)s] "
+
+# Interval, number of seconds, of log rate limiting. (integer value)
+#rate_limit_interval = 0
+
+# Maximum number of logged messages per rate_limit_interval. (integer value)
+#rate_limit_burst = 0
+
+# Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG
+# or empty string. Logs with level greater or equal to rate_limit_except_level
+# are not filtered. An empty string means that all levels are filtered. (string
+# value)
+#rate_limit_except_level = CRITICAL
+
+# Enables or disables fatal status of deprecations. (boolean value)
+#fatal_deprecations = false
+
+
+[agent]
+
+#
+# From neutron.ml2.linuxbridge.agent
+#
+
+# The number of seconds the agent will wait between polling for local device
+# changes. (integer value)
+#polling_interval = 2
+
+# Set new timeout in seconds for new rpc calls after agent receives SIGTERM. If
+# value is set to 0, rpc timeout won't be changed (integer value)
+#quitting_rpc_timeout = 10
+
+# The DSCP value to use for outer headers during tunnel encapsulation. (integer
+# value)
+# Minimum value: 0
+# Maximum value: 63
+#dscp = <None>
+
+# If set to True, the DSCP value of tunnel interfaces is overwritten and set to
+# inherit. The DSCP value of the inner header is then copied to the outer
+# header. (boolean value)
+#dscp_inherit = false
+# Extensions list to use (list value)
+#extensions =
+
+
+[linux_bridge]
+
+#
+# From neutron.ml2.linuxbridge.agent
+#
+
+# Comma-separated list of <physical_network>:<physical_interface> tuples
+# mapping physical network names to the agent's node-specific physical network
+# interfaces to be used for flat and VLAN networks. All physical networks
+# listed in network_vlan_ranges on the server should have mappings to
+# appropriate interfaces on each agent. (list value)
+#physical_interface_mappings =
+
+# List of <physical_network>:<physical_bridge> (list value)
+{% set bridge_mappings=[] %}
+{%- if neutron.bridge_mappings is defined %}
+{%- for physnet,bridge in neutron.bridge_mappings.iteritems() %}{%- do bridge_mappings.append(physnet+':'+bridge) %}{%- endfor %}
+{%- endif %}
+{%- if 'br-floating' not in neutron.get('bridge_mappings', {}).values() %}{%- if neutron.get('external_access', True) %}
+{%- do bridge_mappings.append('physnet1:br-floating') %}{%- endif %}{%- endif %}
+{%- if 'br-prv' not in neutron.get('bridge_mappings', {}).values() %}{%- if "vlan" in neutron.backend.tenant_network_types %}
+{%- do bridge_mappings.append('physnet2:br-prv') %}{%- endif %}{%- endif %}
+{%- if 'br-baremetal' not in neutron.get('bridge_mappings', {}).values() %}{%- if neutron.get('ironic_enabled', False) %}
+{%- do bridge_mappings.append('physnet3:br-baremetal') %}{%- endif %}{%- endif %}
+{%- if bridge_mappings %}
+bridge_mappings = {{ ','.join(bridge_mappings) }}
+{%- else %}
+#bridge_mappings =
+{%- endif %}
+
+
+[network_log]
+
+#
+# From neutron.ml2.linuxbridge.agent
+#
+
+# Maximum packets logging per second. (integer value)
+# Minimum value: 100
+#rate_limit = 100
+
+# Maximum number of packets per rate_limit. (integer value)
+# Minimum value: 25
+#burst_limit = 25
+
+# Output logfile path on agent side, default syslog file. (string value)
+#local_output_log_base = <None>
+
+
+[vxlan]
+
+#
+# From neutron.ml2.linuxbridge.agent
+#
+
+# Enable VXLAN on the agent. Can be enabled when agent is managed by ml2 plugin
+# using linuxbridge mechanism driver (boolean value)
+{%- if "vxlan" in neutron.backend.tenant_network_types %}
+enable_vxlan = true
+{%- endif %}
+
+# TTL for vxlan interface protocol packets. (integer value)
+#ttl = <None>
+
+# TOS for vxlan interface protocol packets. (integer value)
+#tos = <None>
+
+# Multicast group(s) for vxlan interface. A range of group addresses may be
+# specified by using CIDR notation. Specifying a range allows different VNIs to
+# use different group addresses, reducing or eliminating spurious broadcast
+# traffic to the tunnel endpoints. To reserve a unique group for each possible
+# (24-bit) VNI, use a /8 such as 239.0.0.0/8. This setting must be the same on
+# all the agents. (string value)
+#vxlan_group = 224.0.0.1
+
+# IP address of local overlay (tunnel) network endpoint. Use either an IPv4 or
+# IPv6 address that resides on one of the host network interfaces. The IP
+# version of this value must match the value of the 'overlay_ip_version' option
+# in the ML2 plug-in configuration file on the neutron server node(s). (IP
+# address value)
+#local_ip = <None>
+local_ip = {{ neutron.local_ip }}
+
+# The minimum of the UDP source port range used for VXLAN communication. (port
+# value)
+# Minimum value: 0
+# Maximum value: 65535
+#udp_srcport_min = 0
+
+# The maximum of the UDP source port range used for VXLAN communication. (port
+# value)
+# Minimum value: 0
+# Maximum value: 65535
+#udp_srcport_max = 0
+
+# The UDP port used for VXLAN communication. By default, the Linux kernel
+# doesn't use the IANA assigned standard value, so if you want to use it, this
+# option must be set to 4789. It is not set by default because of backward
+# compatibiltiy. (port value)
+# Minimum value: 0
+# Maximum value: 65535
+#udp_dstport = <None>
+
+# Extension to use alongside ml2 plugin's l2population mechanism driver. It
+# enables the plugin to populate VXLAN forwarding table. (boolean value)
+l2_population = True
+
+# Enable local ARP responder which provides local responses instead of
+# performing ARP broadcast into the overlay. Enabling local ARP responder is
+# not fully compatible with the allowed-address-pairs extension. (boolean
+# value)
+#arp_responder = false
+
+# Optional comma-separated list of <multicast address>:<vni_min>:<vni_max>
+# triples describing how to assign a multicast address to VXLAN according to
+# its VNI ID. (list value)
+#multicast_ranges =
+
+[securitygroup]
+
+#
+# From neutron.ml2.linuxbridge.agent
+#
+
+# Driver for security groups firewall in the L2 agent (string value)
+#firewall_driver = <None>
+{%- if not neutron.get('security_groups_enabled', True) %}
+{%- set _firewall_driver = 'noop' %}
+{%- else %}
+{%- set _firewall_driver = 'iptables' %}
+{%- endif %}
+firewall_driver = {{ neutron.get('firewall_driver', _firewall_driver) }}
+
+# Controls whether the neutron security group API is enabled in the server. It
+# should be false when using no security groups or using the nova security
+# group API. (boolean value)
+#enable_security_group = true
+enable_security_group = {{ neutron.get('security_groups_enabled', True) }}
+
+# Use ipset to speed-up the iptables based security groups. Enabling ipset
+# support requires that ipset is installed on L2 agent node. (boolean value)
+#enable_ipset = true
diff --git a/neutron/gateway.sls b/neutron/gateway.sls
index a605722..61b4372 100644
--- a/neutron/gateway.sls
+++ b/neutron/gateway.sls
@@ -56,14 +56,31 @@
- require:
- pkg: neutron_gateway_packages
-/etc/neutron/plugins/ml2/openvswitch_agent.ini:
+{%- if gateway.backend.get('mechanism', {}).get('lb', {}).get('driver', {}) == "linuxbridge" %}
+
+neutron_plugins_ml2_linuxbridge_agent_ini:
file.managed:
+ - name: /etc/neutron/plugins/ml2/linuxbridge_agent.ini
+ - source: salt://neutron/files/{{ gateway.version }}/linuxbridge_agent.ini
+ - mode: 0640
+ - group: neutron
+ - template: jinja
+ - require:
+ - pkg: neutron_gateway_packages
+
+{%- else %}
+
+neutron_plugins_ml2_openvswitch_agent_ini:
+ file.managed:
+ - name: /etc/neutron/plugins/ml2/openvswitch_agent.ini
- source: salt://neutron/files/{{ gateway.version }}/openvswitch_agent.ini
- mode: 0640
- group: neutron
- template: jinja
- require:
- pkg: neutron_gateway_packages
+
+{%- endif %}
{%- endif %}
/etc/neutron/dhcp_agent.ini:
@@ -162,8 +179,12 @@
- file: /etc/neutron/dhcp_agent.ini
{%- if gateway.opendaylight is not defined %}
- file: /etc/neutron/l3_agent.ini
+ {%- if gateway.backend.get('mechanism', {}).get('lb', {}).get('driver', {}) == "linuxbridge" %}
+ - file: /etc/neutron/plugins/ml2/linuxbridge_agent.ini
+ {%- else %}
- file: /etc/neutron/plugins/ml2/openvswitch_agent.ini
{%- endif %}
+ {%- endif %}
{%- if fwaas.get('enabled', False) %}
- file: /etc/neutron/fwaas_driver.ini
{%- endif %}
diff --git a/neutron/map.jinja b/neutron/map.jinja
index 8070183..0630da2 100644
--- a/neutron/map.jinja
+++ b/neutron/map.jinja
@@ -11,15 +11,24 @@
{%- if pillar.neutron.compute is defined and pillar.neutron.compute.metadata is defined %}
{%- do compute_pkgs_ovn.extend(['neutron-common', 'python-networking-ovn', 'haproxy']) %}
{%- endif %}
+{%- set linuxbridge_enabled = pillar.neutron.compute is defined and pillar.neutron.compute.backend.get('mechanism', {}).get('lb', {}).get('driver', {}) == "linuxbridge" %}
+{%- if linuxbridge_enabled %}
+{%- set pkgs_cmp = ['neutron-linuxbridge-agent'] %}
+{%- set services_cmp = ['neutron-linuxbridge-agent'] %}
+{%- else %}
+{%- set pkgs_cmp = ['neutron-openvswitch-agent', 'python-pycadf'] %}
+{%- set services_cmp = ['neutron-openvswitch-agent'] %}
{%- endif %}
+{%- endif %}
+
{% set compute = salt['grains.filter_by']({
'BaseDefaults': default_params,
'Debian': {
- 'pkgs': ['neutron-openvswitch-agent', 'python-pycadf'],
+ 'pkgs': pkgs_cmp,
'pkgs_ovn': compute_pkgs_ovn,
'pkgs_bagpipe': ['python-networking-bagpipe'],
- 'services': ['neutron-openvswitch-agent'],
+ 'services': services_cmp,
'services_ovn': ['ovn-host'],
'dpdk': false,
'notification': {},
@@ -60,9 +69,13 @@
}, merge=pillar.neutron.get('compute', {}), base='BaseDefaults') %}
{%- set opendaylight_enabled = pillar.neutron.gateway is defined and pillar.neutron.gateway.opendaylight is defined %}
+{%- set linuxbridge_enabled = pillar.neutron.gateway is defined and pillar.neutron.gateway.backend.get('mechanism', {}).get('lb', {}).get('driver', {}) == "linuxbridge" %}
{%- set pkgs_list = ['neutron-dhcp-agent', 'neutron-metadata-agent'] %}
{%- set services_list = ['neutron-metadata-agent', 'neutron-dhcp-agent'] %}
-{%- if not opendaylight_enabled %}
+{%- if linuxbridge_enabled %}
+{%- do pkgs_list.extend(['neutron-linuxbridge-agent', 'neutron-l3-agent']) %}
+{%- do services_list.extend(['neutron-linuxbridge-agent', 'neutron-l3-agent']) %}
+{%- elif not opendaylight_enabled %}
{%- do pkgs_list.extend(['neutron-openvswitch-agent', 'neutron-l3-agent']) %}
{%- do services_list.extend(['neutron-openvswitch-agent', 'neutron-l3-agent']) %}
{%- endif %}
diff --git a/neutron/ml2_ovs/init.sls b/neutron/ml2_ovs/init.sls
index 19b5379..28fa379 100644
--- a/neutron/ml2_ovs/init.sls
+++ b/neutron/ml2_ovs/init.sls
@@ -108,21 +108,43 @@
{% endif %}
-/etc/neutron/plugins/ml2/openvswitch_agent.ini:
+{%- if compute.backend.get('mechanism', {}).get('lb', {}).get('driver', {}) == "linuxbridge" %}
+
+neutron_plugins_ml2_linuxbridge_agent_ini:
file.managed:
- - source: salt://neutron/files/{{ compute.version }}/openvswitch_agent.ini
+ - name: /etc/neutron/plugins/ml2/linuxbridge_agent.ini
+ - source: salt://neutron/files/{{ compute.version }}/linuxbridge_agent.ini
+ - mode: 0640
+ - group: neutron
- template: jinja
- require:
- pkg: neutron_compute_packages
+{%- else %}
+
+neutron_plugins_ml2_openvswitch_agent_ini:
+ file.managed:
+ - name: /etc/neutron/plugins/ml2/openvswitch_agent.ini
+ - source: salt://neutron/files/{{ compute.version }}/openvswitch_agent.ini
+ - mode: 0640
+ - group: neutron
+ - template: jinja
+ - require:
+ - pkg: neutron_compute_packages
+
+{%- endif %}
+
neutron_compute_services:
service.running:
- names: {{ compute.services }}
- enable: true
- watch:
- file: /etc/neutron/neutron.conf
+ {%- if compute.backend.get('mechanism', {}).get('lb', {}).get('driver', {}) == "linuxbridge" %}
+ - file: /etc/neutron/plugins/ml2/linuxbridge_agent.ini
+ {%- else %}
- file: /etc/neutron/plugins/ml2/openvswitch_agent.ini
-
+ {%- endif %}
{%- set neutron_compute_services_list = compute.services %}
{%- if compute.backend.sriov is defined %}
{%- do neutron_compute_services_list.append('neutron-sriov-agent') %}
diff --git a/tests/pillar/compute_linuxbridge.sls b/tests/pillar/compute_linuxbridge.sls
new file mode 100644
index 0000000..5c29787
--- /dev/null
+++ b/tests/pillar/compute_linuxbridge.sls
@@ -0,0 +1,26 @@
+neutron:
+ compute:
+ agent_mode: legacy
+ firewall_driver: iptables
+ backend:
+ engine: ml2
+ tenant_network_types: "flat,vxlan"
+ mechanism:
+ lb:
+ driver: linuxbridge
+ dvr: false
+ enabled: true
+ external_access: false
+ local_ip: 10.1.0.105
+ message_queue:
+ engine: rabbitmq
+ host: 127.0.0.1
+ password: workshop
+ port: 5672
+ user: openstack
+ virtual_host: /openstack
+ metadata:
+ host: 127.0.0.1
+ password: password
+ workers: 2
+ version: mitaka
diff --git a/tests/pillar/control_linuxbridge.sls b/tests/pillar/control_linuxbridge.sls
new file mode 100644
index 0000000..8bc35b6
--- /dev/null
+++ b/tests/pillar/control_linuxbridge.sls
@@ -0,0 +1,54 @@
+neutron:
+ server:
+ api_workers: 2
+ rpc_workers: 2
+ rpc_state_report_workers: 2
+ backend:
+ engine: ml2
+ external_mtu: 1500
+ mechanism:
+ lb:
+ driver: linuxbridge
+ tenant_network_types: flat,vxlan
+ bind:
+ address: 172.16.10.101
+ port: 9696
+ compute:
+ host: 127.0.0.1
+ password: workshop
+ region: RegionOne
+ tenant: service
+ user: nova
+ database:
+ engine: mysql
+ host: 127.0.0.1
+ name: neutron
+ password: workshop
+ port: 3306
+ user: neutron
+ dns_domain: novalocal
+ dvr: false
+ enabled: true
+ global_physnet_mtu: 1500
+ identity:
+ engine: keystone
+ host: 127.0.0.1
+ password: workshop
+ port: 35357
+ region: RegionOne
+ tenant: service
+ user: neutron
+ endpoint_type: internal
+ l3_ha: True
+ message_queue:
+ engine: rabbitmq
+ host: 127.0.0.1
+ password: workshop
+ port: 5672
+ user: openstack
+ virtual_host: /openstack
+ version: mitaka
+ policy:
+ create_subnet: 'rule:admin_or_network_owner'
+ 'get_network:queue_id': 'rule:admin_only'
+ 'create_network:shared':
diff --git a/tests/pillar/gateway_linuxbridge.sls b/tests/pillar/gateway_linuxbridge.sls
new file mode 100644
index 0000000..4cbac35
--- /dev/null
+++ b/tests/pillar/gateway_linuxbridge.sls
@@ -0,0 +1,32 @@
+neutron:
+ gateway:
+ agent_mode: legacy
+ dhcp_lease_duration: 86400
+ firewall_driver: iptables
+ backend:
+ engine: ml2
+ tenant_network_types: "flat,vxlan"
+ mechanism:
+ ovs:
+ driver: openvswitch
+ dvr: false
+ enabled: true
+ external_access: True
+ local_ip: 10.1.0.110
+ message_queue:
+ engine: rabbitmq
+ host: 127.0.0.1
+ password: workshop
+ port: 5672
+ user: openstack
+ virtual_host: /openstack
+ metadata:
+ host: 127.0.0.1
+ password: password
+ workers: 2
+ version: mitaka
+ agents:
+ dhcp:
+ interface_driver: linuxbridge
+ l3:
+ interface_driver: linuxbridge