authorRichard Maw <>2015-03-23 21:06:52 +0000
committerPedro Alvarez <>2015-04-08 18:29:23 +0100
commitf41a9c330d16c546407d91e8a549e48154d967f7 (patch)
treeb744bd5541fba8a171066e0e52bd48e595c4bafe /openstack/etc/neutron
parentc6d832f7cf10e1f986a617735c1f2a59b26f751f (diff)
WIP: Add OpenStack initial configuration
TODO: Split this out into: 1. initial config (openstack/etc) default values 2+. as many individual changes to initial config as possible to extract, including support scripts and configuration extensions
Diffstat (limited to 'openstack/etc/neutron')
55 files changed, 3163 insertions, 0 deletions
diff --git a/openstack/etc/neutron/api-paste.ini b/openstack/etc/neutron/api-paste.ini
new file mode 100644
index 00000000..24193fcd
--- /dev/null
+++ b/openstack/etc/neutron/api-paste.ini
@@ -0,0 +1,30 @@
+use = egg:Paste#urlmap
+/: neutronversions
+/v2.0: neutronapi_v2_0
+use = call:neutron.auth:pipeline_factory
+noauth = request_id catch_errors extensions neutronapiapp_v2_0
+keystone = request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
+paste.filter_factory = neutron.openstack.common.middleware.request_id:RequestIdMiddleware.factory
+paste.filter_factory = neutron.openstack.common.middleware.catch_errors:CatchErrorsMiddleware.factory
+paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+paste.filter_factory = neutron.api.extensions:plugin_aware_extension_middleware_factory
+paste.app_factory = neutron.api.versions:Versions.factory
+paste.app_factory = neutron.api.v2.router:APIRouter.factory
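Review bot: The `noauth = request_id catch_errors extensions neutronapiapp_v2_0` pipeline omits `authtoken` and `keystonecontext`, and nothing in the file says when it is acceptable to select it. Which pipeline runs is decided by `auth_strategy` in neutron.conf (set to `keystone` in this commit), so a one-line edit there would serve the v2.0 API without token validation. I would add a comment above the line, such as `# noauth skips keystone token validation; test use only, selected via auth_strategy in neutron.conf`. The section headers are not visible in this view, so where the comment sits relative to them is assumed.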
diff --git a/openstack/etc/neutron/dhcp_agent.ini b/openstack/etc/neutron/dhcp_agent.ini
new file mode 100644
index 00000000..de177b6f
--- /dev/null
+++ b/openstack/etc/neutron/dhcp_agent.ini
@@ -0,0 +1,89 @@
+# Show debugging output in log (sets DEBUG log level output)
+debug = True
+verbose = True
+# The DHCP agent will resync its state with Neutron to recover from any
+# transient notification or rpc errors. The interval is number of
+# seconds between attempts.
+# resync_interval = 5
+# The DHCP agent requires an interface driver be set. Choose the one that best
+# matches your plugin.
+# interface_driver =
+# Example of interface_driver option for OVS based plugins(OVS, Ryu, NEC, NVP,
+# BigSwitch/Floodlight)
+interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
+# Name of Open vSwitch bridge to use
+# ovs_integration_bridge = br-int
+# Use veth for an OVS interface or not.
+# Support kernels with limited namespace support
+# (e.g. RHEL 6.5) so long as ovs_use_veth is set to True.
+# ovs_use_veth = False
+# Example of interface_driver option for LinuxBridge
+# interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
+# The agent can use other DHCP drivers. Dnsmasq is the simplest and requires
+# no additional setup of the DHCP server.
+dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
+# Allow overlapping IP (Must have kernel build with CONFIG_NET_NS=y and
+# iproute2 package that supports namespaces).
+use_namespaces = True
+# The DHCP server can assist with providing metadata support on isolated
+# networks. Setting this value to True will cause the DHCP server to append
+# specific host routes to the DHCP request. The metadata service will only
+# be activated when the subnet does not contain any router port. The guest
+# instance must be configured to request host routes via DHCP (Option 121).
+enable_isolated_metadata = True
+# Allows for serving metadata requests coming from a dedicated metadata
+# access network whose cidr is (or larger prefix), and
+# is connected to a Neutron router from which the VMs send metadata
+# request. In this case DHCP Option 121 will not be injected in VMs, as
+# they will be able to reach through a router.
+# This option requires enable_isolated_metadata = True
+# enable_metadata_network = False
+# Number of threads to use during sync process. Should not exceed connection
+# pool size configured on server.
+# num_sync_threads = 4
+# Location to store DHCP server config files
+# dhcp_confs = $state_path/dhcp
+# Domain to use for building the hostnames
+# dhcp_domain = openstacklocal
+# Override the default dnsmasq settings with this file
+# dnsmasq_config_file =
+# Comma-separated list of DNS servers which will be used by dnsmasq
+# as forwarders.
+# dnsmasq_dns_servers =
+# Limit number of leases to prevent a denial-of-service.
+# dnsmasq_lease_max = 16777216
+# Location to DHCP lease relay UNIX domain socket
+# dhcp_lease_relay_socket = $state_path/dhcp/lease_relay
+# Location of Metadata Proxy UNIX domain socket
+# metadata_proxy_socket = $state_path/metadata_proxy
+# dhcp_delete_namespaces, which is false by default, can be set to True if
+# namespaces can be deleted cleanly on the host running the dhcp agent.
+# Do not enable this until you understand the problem with the Linux iproute
+# utility mentioned in and
+# you are sure that your version of iproute does not suffer from the problem.
+# If True, namespaces will be deleted when a dhcp server is disabled.
+# dhcp_delete_namespaces = False
+# Timeout for ovs-vsctl commands.
+# If the timeout expires, ovs commands will fail with ALARMCLOCK error.
+# ovs_vsctl_timeout = 10
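Review bot: `debug = True` and `verbose = True` are committed as live values at the top of this file, so every deployment built from it logs at DEBUG level until someone edits it. Debug output from these services may include request details and option values that do not belong in routinely retained logs. I would ship `debug = False` and let an operator turn it on deliberately, or make it a templated value like the other `##...##` settings. The same applies to l3_agent.ini, metadata_agent.ini and neutron.conf in this commit.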
diff --git a/openstack/etc/neutron/fwaas_driver.ini b/openstack/etc/neutron/fwaas_driver.ini
new file mode 100644
index 00000000..41f761ab
--- /dev/null
+++ b/openstack/etc/neutron/fwaas_driver.ini
@@ -0,0 +1,3 @@
+#driver =
+#enabled = True
diff --git a/openstack/etc/neutron/l3_agent.ini b/openstack/etc/neutron/l3_agent.ini
new file mode 100644
index 00000000..e29c88c4
--- /dev/null
+++ b/openstack/etc/neutron/l3_agent.ini
@@ -0,0 +1,103 @@
+# Show debugging output in log (sets DEBUG log level output)
+debug = True
+verbose = True
+# L3 requires that an interface driver be set. Choose the one that best
+# matches your plugin.
+# interface_driver =
+# Example of interface_driver option for OVS based plugins (OVS, Ryu, NEC)
+# that supports L3 agent
+interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
+# Use veth for an OVS interface or not.
+# Support kernels with limited namespace support
+# (e.g. RHEL 6.5) so long as ovs_use_veth is set to True.
+# ovs_use_veth = False
+# Example of interface_driver option for LinuxBridge
+# interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
+# Allow overlapping IP (Must have kernel build with CONFIG_NET_NS=y and
+# iproute2 package that supports namespaces).
+use_namespaces = True
+# If use_namespaces is set as False then the agent can only configure one router.
+# This is done by setting the specific router_id.
+# router_id =
+# When external_network_bridge is set, each L3 agent can be associated
+# with no more than one external network. This value should be set to the UUID
+# of that external network. To allow L3 agent support multiple external
+# networks, both the external_network_bridge and gateway_external_network_id
+# must be left empty.
+# gateway_external_network_id =
+# Indicates that this L3 agent should also handle routers that do not have
+# an external network gateway configured. This option should be True only
+# for a single agent in a Neutron deployment, and may be False for all agents
+# if all routers must have an external network gateway
+# handle_internal_only_routers = True
+# Name of bridge used for external network traffic. This should be set to
+# empty value for the linux bridge. when this parameter is set, each L3 agent
+# can be associated with no more than one external network.
+external_network_bridge = br-ex
+# TCP Port used by Neutron metadata server
+# metadata_port = 9697
+# Send this many gratuitous ARPs for HA setup. Set it below or equal to 0
+# to disable this feature.
+# send_arp_for_ha = 3
+# seconds between re-sync routers' data if needed
+# periodic_interval = 40
+# seconds to start to sync routers' data after
+# starting agent
+# periodic_fuzzy_delay = 5
+# enable_metadata_proxy, which is true by default, can be set to False
+# if the Nova metadata server is not available
+# enable_metadata_proxy = True
+# Location of Metadata Proxy UNIX domain socket
+# metadata_proxy_socket = $state_path/metadata_proxy
+# router_delete_namespaces, which is false by default, can be set to True if
+# namespaces can be deleted cleanly on the host running the L3 agent.
+# Do not enable this until you understand the problem with the Linux iproute
+# utility mentioned in and
+# you are sure that your version of iproute does not suffer from the problem.
+# If True, namespaces will be deleted when a router is destroyed.
+# router_delete_namespaces = False
+# Timeout for ovs-vsctl commands.
+# If the timeout expires, ovs commands will fail with ALARMCLOCK error.
+# ovs_vsctl_timeout = 10
+# The working mode for the agent. Allowed values are:
+# - legacy: this preserves the existing behavior where the L3 agent is
+# deployed on a centralized networking node to provide L3 services
+# like DNAT, and SNAT. Use this mode if you do not want to adopt DVR.
+# - dvr: this mode enables DVR functionality, and must be used for an L3
+# agent that runs on a compute host.
+# - dvr_snat: this enables centralized SNAT support in conjunction with
+# DVR. This mode must be used for an L3 agent running on a centralized
+# node (or in single-host deployments, e.g. devstack).
+# agent_mode = legacy
+# Location to store keepalived and all HA configurations
+# ha_confs_path = $state_path/ha_confs
+# VRRP authentication type AH/PASS
+# ha_vrrp_auth_type = PASS
+# VRRP authentication password
+# ha_vrrp_auth_password =
+# The advertisement interval in seconds
+# ha_vrrp_advert_int = 2
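Review bot: The commented default `# ha_vrrp_auth_type = PASS` carries no warning, and `# ha_vrrp_auth_password =` has no deploy-time placeholder, unlike the secrets in metadata_agent.ini. VRRP simple-password authentication carries the password unencrypted in each advertisement, so any host on the HA network segment can read it. I would add a comment such as `# PASS sends the password in cleartext in VRRP advertisements; keep the HA network isolated or use AH`. If this configuration is meant to support HA routers, the password should also get a `##...##` token of its own.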
diff --git a/openstack/etc/neutron/lbaas_agent.ini b/openstack/etc/neutron/lbaas_agent.ini
new file mode 100644
index 00000000..8d231b5c
--- /dev/null
+++ b/openstack/etc/neutron/lbaas_agent.ini
@@ -0,0 +1,42 @@
+# Show debugging output in log (sets DEBUG log level output).
+# debug = False
+# The LBaaS agent will resync its state with Neutron to recover from any
+# transient notification or rpc errors. The interval is number of
+# seconds between attempts.
+# periodic_interval = 10
+# LBaas requires an interface driver be set. Choose the one that best
+# matches your plugin.
+# interface_driver =
+# Example of interface_driver option for OVS based plugins (OVS, Ryu, NEC, NVP,
+# BigSwitch/Floodlight)
+# interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
+# Use veth for an OVS interface or not.
+# Support kernels with limited namespace support
+# (e.g. RHEL 6.5) so long as ovs_use_veth is set to True.
+# ovs_use_veth = False
+# Example of interface_driver option for LinuxBridge
+# interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
+# The agent requires drivers to manage the loadbalancer. HAProxy is the opensource version.
+# Multiple device drivers reflecting different service providers could be specified:
+# device_driver =
+# device_driver =
+# Default is:
+# device_driver =
+# Location to store config and state files
+# loadbalancer_state_path = $state_path/lbaas
+# The user group
+# user_group = nogroup
+# When delete and re-add the same vip, send this many gratuitous ARPs to flush
+# the ARP cache in the Router. Set it below or equal to 0 to disable this feature.
+# send_gratuitous_arp = 3
diff --git a/openstack/etc/neutron/metadata_agent.ini b/openstack/etc/neutron/metadata_agent.ini
new file mode 100644
index 00000000..6a3d0102
--- /dev/null
+++ b/openstack/etc/neutron/metadata_agent.ini
@@ -0,0 +1,60 @@
+# Show debugging output in log (sets DEBUG log level output)
+debug = True
+verbose = True
+# The Neutron user information for accessing the Neutron API.
+auth_region = RegionOne
+# Turn off verification of the certificate for ssl
+# auth_insecure = False
+# Certificate Authority public key (CA cert) file for ssl
+# auth_ca_cert =
+admin_tenant_name = service
+admin_user = ##NEUTRON_SERVICE_USER##
+admin_password = ##NEUTRON_SERVICE_PASSWORD##
+# Network service endpoint type to pull from the keystone catalog
+# endpoint_type = adminURL
+# IP address used by Nova metadata server
+nova_metadata_ip = ##NOVA_HOST##
+# TCP Port used by Nova metadata server
+# nova_metadata_port = 8775
+# Which protocol to use for requests to Nova metadata server, http or https
+# nova_metadata_protocol = http
+# Whether insecure SSL connection should be accepted for Nova metadata server
+# requests
+# nova_metadata_insecure = False
+# Client certificate for nova api, needed when nova api requires client
+# certificates
+# nova_client_cert =
+# Private key for nova client certificate
+# nova_client_priv_key =
+# When proxying metadata requests, Neutron signs the Instance-ID header with a
+# shared secret to prevent spoofing. You may select any string for a secret,
+# but it must match here and in the configuration used by the Nova Metadata
+# Server. NOTE: Nova uses a different key: neutron_metadata_proxy_shared_secret
+metadata_proxy_shared_secret = ##METADATA_PROXY_SHARED_SECRET##
+# Location of Metadata Proxy UNIX domain socket
+# metadata_proxy_socket = $state_path/metadata_proxy
+# Number of separate worker processes for metadata server. Defaults to
+# half the number of CPU cores
+# metadata_workers =
+# Number of backlog requests to configure the metadata server socket with
+# metadata_backlog = 4096
+# URL to connect to the cache backend.
+# default_ttl=0 parameter will cause cache entries to never expire.
+# Otherwise default_ttl specifies time in seconds a cache entry is valid for.
+# No cache is used in case no value is passed.
+# cache_url = memory://?default_ttl=5
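Review bot: `admin_password` and `metadata_proxy_shared_secret` are filled from `##...##` tokens, and nothing visible here guarantees that the substitution has happened before the agent starts. If a token is left in place, the secret that signs the Instance-ID header is the publicly known literal `##METADATA_PROXY_SHARED_SECRET##`. The file is also added as mode 100644, so once real secrets are written it should be installed readable only by root and the neutron service account; the installed mode is set outside this hunk. I would have the setup step refuse to start services while any `##` token remains, and say so above the secret lines with `# must be substituted at deploy time; install this file 0640`. neutron.conf has the same pattern for `nova_admin_password` and `admin_password`.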
diff --git a/openstack/etc/neutron/metering_agent.ini b/openstack/etc/neutron/metering_agent.ini
new file mode 100644
index 00000000..88826ce7
--- /dev/null
+++ b/openstack/etc/neutron/metering_agent.ini
@@ -0,0 +1,18 @@
+# Show debugging output in log (sets DEBUG log level output)
+# debug = True
+# Default driver:
+# driver =
+# Example of non-default driver
+# driver =
+# Interval between two metering measures
+# measure_interval = 30
+# Interval between two metering reports
+# report_interval = 300
+# interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
+# use_namespaces = True
diff --git a/openstack/etc/neutron/neutron.conf b/openstack/etc/neutron/neutron.conf
new file mode 100644
index 00000000..1e832ccd
--- /dev/null
+++ b/openstack/etc/neutron/neutron.conf
@@ -0,0 +1,642 @@
+# Print more verbose output (set logging level to INFO instead of default WARNING level).
+verbose = True
+# =========Start Global Config Option for Distributed L3 Router===============
+# Setting the "router_distributed" flag to "True" will default to the creation
+# of distributed tenant routers. The admin can override this flag by specifying
+# the type of the router on the create request (admin-only attribute). Default
+# value is "False" to support legacy mode (centralized) routers.
+# router_distributed = False
+# ===========End Global Config Option for Distributed L3 Router===============
+# Print debugging output (set logging level to DEBUG instead of default WARNING level).
+debug = True
+# Where to store Neutron state files. This directory must be writable by the
+# user executing the agent.
+state_path = /var/lib/neutron
+# Where to store lock files
+lock_path = $state_path/lock
+# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s
+# log_date_format = %Y-%m-%d %H:%M:%S
+# use_syslog -> syslog
+# log_file and log_dir -> log_dir/log_file
+# (not log_file) and log_dir -> log_dir/{binary_name}.log
+# use_stderr -> stderr
+# (not user_stderr) and (not log_file) -> stdout
+# publish_errors -> notification system
+# use_syslog = False
+# syslog_log_facility = LOG_USER
+# use_stderr = True
+# log_file =
+# log_dir =
+# publish_errors = False
+# Address to bind the API server to
+# bind_host =
+# Port the bind the API server to
+# bind_port = 9696
+# Path to the extensions. Note that this can be a colon-separated list of
+# paths. For example:
+# api_extensions_path = extensions:/path/to/more/extensions:/even/more/extensions
+# The __path__ of neutron.extensions is appended to this, so if your
+# extensions are in there you don't need to specify them here
+# api_extensions_path =
+# (StrOpt) Neutron core plugin entrypoint to be loaded from the
+# neutron.core_plugins namespace. See setup.cfg for the entrypoint names of the
+# plugins included in the neutron source distribution. For compatibility with
+# previous versions, the class name of a plugin can be specified instead of its
+# entrypoint name.
+core_plugin = ml2
+# Example: core_plugin = ml2
+# (ListOpt) List of service plugin entrypoints to be loaded from the
+# neutron.service_plugins namespace. See setup.cfg for the entrypoint names of
+# the plugins included in the neutron source distribution. For compatibility
+# with previous versions, the class name of a plugin can be specified instead
+# of its entrypoint name.
+service_plugins = router
+# Example: service_plugins = router,firewall,lbaas,vpnaas,metering
+# Paste configuration file
+api_paste_config = api-paste.ini
+# The strategy to be used for auth.
+# Supported values are 'keystone'(default), 'noauth'.
+auth_strategy = keystone
+# Base MAC address. The first 3 octets will remain unchanged. If the
+# 4h octet is not 00, it will also be used. The others will be
+# randomly generated.
+# 3 octet
+# base_mac = fa:16:3e:00:00:00
+# 4 octet
+# base_mac = fa:16:3e:4f:00:00
+# DVR Base MAC address. The first 3 octets will remain unchanged. If the
+# 4th octet is not 00, it will also be used. The others will be randomly
+# generated. The 'dvr_base_mac' *must* be different from 'base_mac' to
+# avoid mixing them up with MAC's allocated for tenant ports.
+# A 4 octet example would be dvr_base_mac = fa:16:3f:4f:00:00
+# The default is 3 octet
+# dvr_base_mac = fa:16:3f:00:00:00
+# Maximum amount of retries to generate a unique MAC address
+# mac_generation_retries = 16
+# DHCP Lease duration (in seconds). Use -1 to
+# tell dnsmasq to use infinite lease times.
+# dhcp_lease_duration = 86400
+# Allow sending resource operation notification to DHCP agent
+# dhcp_agent_notification = True
+# Enable or disable bulk create/update/delete operations
+# allow_bulk = True
+# Enable or disable pagination
+# allow_pagination = False
+# Enable or disable sorting
+# allow_sorting = False
+# Enable or disable overlapping IPs for subnets
+# Attention: the following parameter MUST be set to False if Neutron is
+# being used in conjunction with nova security groups
+allow_overlapping_ips = True
+# Ensure that configured gateway is on subnet. For IPv6, validate only if
+# gateway is not a link local address. Deprecated, to be removed during the
+# K release, at which point the check will be mandatory.
+# force_gateway_on_subnet = True
+# Default maximum number of items returned in a single response,
+# value == infinite and value < 0 means no max limit, and value must
+# be greater than 0. If the number of items requested is greater than
+# pagination_max_limit, server will just return pagination_max_limit
+# of number of items.
+# pagination_max_limit = -1
+# Maximum number of DNS nameservers per subnet
+# max_dns_nameservers = 5
+# Maximum number of host routes per subnet
+# max_subnet_host_routes = 20
+# Maximum number of fixed ips per port
+# max_fixed_ips_per_port = 5
+# Maximum number of routes per router
+# max_routes = 30
+# =========== items for agent management extension =============
+# Seconds to regard the agent as down; should be at least twice
+# report_interval, to be sure the agent is down for good
+# agent_down_time = 75
+# =========== end of items for agent management extension =====
+# =========== items for agent scheduler extension =============
+# Driver to use for scheduling network to DHCP agent
+# network_scheduler_driver = neutron.scheduler.dhcp_agent_scheduler.ChanceScheduler
+# Driver to use for scheduling router to a default L3 agent
+# router_scheduler_driver = neutron.scheduler.l3_agent_scheduler.ChanceScheduler
+# Driver to use for scheduling a loadbalancer pool to an lbaas agent
+# loadbalancer_pool_scheduler_driver =
+# Allow auto scheduling networks to DHCP agent. It will schedule non-hosted
+# networks to first DHCP agent which sends get_active_networks message to
+# neutron server
+# network_auto_schedule = True
+# Allow auto scheduling routers to L3 agent. It will schedule non-hosted
+# routers to first L3 agent which sends sync_routers message to neutron server
+# router_auto_schedule = True
+# Allow automatic rescheduling of routers from dead L3 agents with
+# admin_state_up set to True to alive agents.
+# allow_automatic_l3agent_failover = False
+# Number of DHCP agents scheduled to host a network. This enables redundant
+# DHCP agents for configured networks.
+# dhcp_agents_per_network = 1
+# =========== end of items for agent scheduler extension =====
+# =========== items for l3 extension ==============
+# Enable high availability for virtual routers.
+# l3_ha = False
+# Maximum number of l3 agents which a HA router will be scheduled on. If it
+# is set to 0 the router will be scheduled on every agent.
+# max_l3_agents_per_router = 3
+# Minimum number of l3 agents which a HA router will be scheduled on. The
+# default value is 2.
+# min_l3_agents_per_router = 2
+# CIDR of the administrative network if HA mode is enabled
+# l3_ha_net_cidr =
+# =========== end of items for l3 extension =======
+# =========== WSGI parameters related to the API server ==============
+# Number of separate worker processes to spawn. The default, 0, runs the
+# worker thread in the current process. Greater than 0 launches that number of
+# child processes as workers. The parent process manages them.
+# api_workers = 0
+# Number of separate RPC worker processes to spawn. The default, 0, runs the
+# worker thread in the current process. Greater than 0 launches that number of
+# child processes as RPC workers. The parent process manages them.
+# This feature is experimental until issues are addressed and testing has been
+# enabled for various plugins for compatibility.
+# rpc_workers = 0
+# Sets the value of TCP_KEEPIDLE in seconds to use for each server socket when
+# starting API server. Not supported on OS X.
+# tcp_keepidle = 600
+# Number of seconds to keep retrying to listen
+# retry_until_window = 30
+# Number of backlog requests to configure the socket with.
+# backlog = 4096
+# Max header line to accommodate large tokens
+# max_header_line = 16384
+# Enable SSL on the API server
+# use_ssl = False
+# Certificate file to use when starting API server securely
+# ssl_cert_file = /path/to/certfile
+# Private key file to use when starting API server securely
+# ssl_key_file = /path/to/keyfile
+# CA certificate file to use when starting API server securely to
+# verify connecting clients. This is an optional parameter only required if
+# API clients need to authenticate to the API server using SSL certificates
+# signed by a trusted CA
+# ssl_ca_file = /path/to/cafile
+# ======== end of WSGI parameters related to the API server ==========
+# ======== neutron nova interactions ==========
+# Send notification to nova when port status is active.
+notify_nova_on_port_status_changes = True
+# Send notifications to nova when port data (fixed_ips/floatingips) change
+# so nova can update it's cache.
+notify_nova_on_port_data_changes = True
+# URL for connection to nova (Only supports one nova region currently).
+nova_url = http://onenode:8774/v2
+# Name of nova region to use. Useful if keystone manages more than one region
+nova_region_name = ##NOVA_REGION##
+# Username for connection to nova in admin context
+nova_admin_username = ##NOVA_SERVICE_USER##
+# The uuid of the admin nova tenant
+nova_admin_tenant_id = ##SERVICE_TENANT_ID##
+# Password for connection to nova in admin context.
+nova_admin_password = ##NOVA_SERVICE_PASSWORD##
+# Authorization URL for connection to nova in admin context.
+nova_admin_auth_url = ##KEYSTONE_ADMIN_URL##
+# CA file for novaclient to verify server certificates
+# nova_ca_certificates_file =
+# Boolean to control ignoring SSL errors on the nova url
+# nova_api_insecure = False
+# Number of seconds between sending events to nova if there are any events to send
+# send_events_interval = 2
+# ======== end of neutron nova interactions ==========
+# Options defined in oslo.messaging
+# Use durable queues in amqp. (boolean value)
+# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
+# Auto-delete queues in amqp. (boolean value)
+# Size of RPC connection pool. (integer value)
+# Qpid broker hostname. (string value)
+# Qpid broker port. (integer value)
+# Qpid HA cluster host:port pairs. (list value)
+# Username for Qpid connection. (string value)
+# Password for Qpid connection. (string value)
+# Space separated list of SASL mechanisms to use for auth.
+# (string value)
+# Seconds between connection keepalive heartbeats. (integer
+# value)
+# Transport to use, either 'tcp' or 'ssl'. (string value)
+# Whether to disable the Nagle algorithm. (boolean value)
+# The qpid topology version to use. Version 1 is what was
+# originally used by impl_qpid. Version 2 includes some
+# backwards-incompatible changes that allow broker federation
+# to work. Users should update to version 2 when they are
+# able to take everything down, as it requires a clean break.
+# (integer value)
+# SSL version to use (valid only if SSL enabled). valid values
+# are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some
+# distributions. (string value)
+# SSL key file (valid only if SSL enabled). (string value)
+# SSL cert file (valid only if SSL enabled). (string value)
+# SSL certification authority file (valid only if SSL
+# enabled). (string value)
+# How long to wait before reconnecting in response to an AMQP
+# consumer cancel notification. (floating point value)
+# The RabbitMQ broker address where a single node is used.
+# (string value)
+# The RabbitMQ broker port where a single node is used.
+# (integer value)
+# RabbitMQ HA cluster host:port pairs. (list value)
+# Connect over SSL for RabbitMQ. (boolean value)
+# The RabbitMQ userid. (string value)
+# The RabbitMQ password. (string value)
+# the RabbitMQ login method (string value)
+# The RabbitMQ virtual host. (string value)
+# How frequently to retry connecting with RabbitMQ. (integer
+# value)
+# How long to backoff for between retries when connecting to
+# RabbitMQ. (integer value)
+# Maximum number of RabbitMQ connection retries. Default is 0
+# (infinite retry count). (integer value)
+# Use HA queues in RabbitMQ (x-ha-policy: all). If you change
+# this option, you must wipe the RabbitMQ database. (boolean
+# value)
+# If passed, use a fake RabbitMQ provider. (boolean value)
+# ZeroMQ bind address. Should be a wildcard (*), an ethernet
+# interface, or IP. The "host" option should point or resolve
+# to this address. (string value)
+# MatchMaker driver. (string value)
+# ZeroMQ receiver listening port. (integer value)
+# Number of ZeroMQ contexts, defaults to 1. (integer value)
+# Maximum number of ingress messages to locally buffer per
+# topic. Default is unlimited. (integer value)
+# Directory for holding IPC sockets. (string value)
+# Name of this node. Must be a valid hostname, FQDN, or IP
+# address. Must match "host" option, if running Nova. (string
+# value)
+# Seconds to wait before a cast expires (TTL). Only supported
+# by impl_zmq. (integer value)
+# Heartbeat frequency. (integer value)
+# Heartbeat time-to-live. (integer value)
+# Size of RPC greenthread pool. (integer value)
+# Driver or drivers to handle sending notifications. (multi
+# valued)
+# AMQP topic used for OpenStack notifications. (list value)
+# Deprecated group/name - [rpc_notifier2]/topics
+# Seconds to wait for a response from a call. (integer value)
+# A URL representing the messaging driver to use and its full
+# configuration. If not set, we fall back to the rpc_backend
+# option and driver specific configuration. (string value)
+# The messaging driver to use, defaults to rabbit. Other
+# drivers include qpid and zmq. (string value)
+# The default exchange under which topics are scoped. May be
+# overridden by an exchange name specified in the
+# transport_url option. (string value)
+# Options defined in oslo.messaging
+# Host to locate redis. (string value)
+# Use this port to connect to redis host. (integer value)
+# Password for Redis server (optional). (string value)
+# Options defined in oslo.messaging
+# Matchmaker ring file (JSON). (string value)
+# Deprecated group/name - [DEFAULT]/matchmaker_ringfile
+# Default driver to use for quota checks
+# quota_driver = neutron.db.quota_db.DbQuotaDriver
+# Resource name(s) that are supported in quota features
+# quota_items = network,subnet,port
+# Default number of resource allowed per tenant. A negative value means
+# unlimited.
+# default_quota = -1
+# Number of networks allowed per tenant. A negative value means unlimited.
+# quota_network = 10
+# Number of subnets allowed per tenant. A negative value means unlimited.
+# quota_subnet = 10
+# Number of ports allowed per tenant. A negative value means unlimited.
+# quota_port = 50
+# Number of security groups allowed per tenant. A negative value means
+# unlimited.
+# quota_security_group = 10
+# Number of security group rules allowed per tenant. A negative value means
+# unlimited.
+# quota_security_group_rule = 100
+# Number of vips allowed per tenant. A negative value means unlimited.
+# quota_vip = 10
+# Number of pools allowed per tenant. A negative value means unlimited.
+# quota_pool = 10
+# Number of pool members allowed per tenant. A negative value means unlimited.
+# The default is unlimited because a member is not a real resource consumer
+# on Openstack. However, on back-end, a member is a resource consumer
+# and that is the reason why quota is possible.
+# quota_member = -1
+# Number of health monitors allowed per tenant. A negative value means
+# unlimited.
+# The default is unlimited because a health monitor is not a real resource
+# consumer on Openstack. However, on back-end, a member is a resource consumer
+# and that is the reason why quota is possible.
+# quota_health_monitor = -1
+# Number of routers allowed per tenant. A negative value means unlimited.
+# quota_router = 10
+# Number of floating IPs allowed per tenant. A negative value means unlimited.
+# quota_floatingip = 50
+# Number of firewalls allowed per tenant. A negative value means unlimited.
+# quota_firewall = 1
+# Number of firewall policies allowed per tenant. A negative value means
+# unlimited.
+# quota_firewall_policy = 1
+# Number of firewall rules allowed per tenant. A negative value means
+# unlimited.
+# quota_firewall_rule = 100
+# Use "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" to use the real
+# root filter facility.
+# Change to "sudo" to skip the filtering and just run the comand directly
+# root_helper = sudo
+root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
+# =========== items for agent management extension =============
+# seconds between nodes reporting state to server; should be less than
+# agent_down_time, best if it is half or less than agent_down_time
+# report_interval = 30
+# =========== end of items for agent management extension =====
+auth_uri = ##KEYSTONE_PUBLIC_URL##
+identity_uri = ##IDENTITY_URI##
+admin_tenant_name = service
+admin_user = ##NEUTRON_SERVICE_USER##
+admin_password = ##NEUTRON_SERVICE_PASSWORD##
+# This line MUST be changed to actually run the plugin.
+# Example:
+# connection = mysql://root:pass@localhost:3306/neutron
+# Replace localhost above with the IP address of the database used by the
+# main neutron server. (Leave it as is if the database runs on this host.)
+# connection = sqlite://
+# NOTE: In deployment the [database] section and its connection attribute may
+# be set in the corresponding core plugin '.ini' file. However, it is suggested
+# to put the [database] section and its connection attribute in this
+# configuration file.
+# Database engine for which script will be generated when using offline
+# migration
+# engine =
+# The SQLAlchemy connection string used to connect to the slave database
+# slave_connection =
+# Database reconnection retry times - in event connectivity is lost
+# set to -1 implies an infinite retry count
+# max_retries = 10
+# Database reconnection interval in seconds - if the initial connection to the
+# database fails
+# retry_interval = 10
+# Minimum number of SQL connections to keep open in a pool
+# min_pool_size = 1
+# Maximum number of SQL connections to keep open in a pool
+# max_pool_size = 10
+# Timeout in seconds before idle sql connections are reaped
+# idle_timeout = 3600
+# If set, use this value for max_overflow with sqlalchemy
+# max_overflow = 20
+# Verbosity of SQL debugging information. 0=None, 100=Everything
+# connection_debug = 0
+# Add python stack traces to SQL as comment strings
+# connection_trace = False
+# If set, use this value for pool_timeout with sqlalchemy
+# pool_timeout = 10
+# Specify service providers (drivers) for advanced services like loadbalancer, VPN, Firewall.
+# Must be in form:
+# service_provider=<service_type>:<name>:<driver>[:default]
+# List of allowed service types includes LOADBALANCER, FIREWALL, VPN
+# Combination of <service type> and <name> must be unique; <driver> must also be unique
+# This is multiline option, example for default provider:
+# service_provider=LOADBALANCER:name:lbaas_plugin_driver_path:default
+# example of non-default provider:
+# service_provider=FIREWALL:name2:firewall_driver_path
+# --- Reference implementations ---
+# In order to activate Radware's lbaas driver you need to uncomment the next line.
+# If you want to keep the HA Proxy as the default lbaas driver, remove the attribute default from the line below.
+# Otherwise comment the HA Proxy line
+# service_provider =
+# uncomment the following line to make the 'netscaler' LBaaS provider available.
+# Uncomment the following line (and comment out the OpenSwan VPN line) to enable Cisco's VPN driver.
+# Uncomment the line below to use Embrane heleos as Load Balancer service provider.
+# Uncomment the line below to use the A10 Networks LBaaS driver. Requires 'pip install a10-neutron-lbaas'.
+#service_provider =
+# Uncomment the following line to test the LBaaS v2 API _WITHOUT_ a real backend
+# service_provider =
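Review bot: `nova_url = http://onenode:8774/v2` hard-codes a hostname, while the other endpoints here and the nova host in metadata_agent.ini are `##...##` placeholders, so the value is wrong on any deployment whose controller is not named `onenode`. It is also plain http with `nova_api_insecure` and `nova_ca_certificates_file` left commented, so the notifications sent to nova are not protected in transit. I would template it, for example `nova_url = http://##NOVA_HOST##:8774/v2`, reusing the token already used for `nova_metadata_ip`. A comment should state that https plus `nova_ca_certificates_file` is expected outside a single-node test setup.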
diff --git a/openstack/etc/neutron/plugins/bigswitch/restproxy.ini b/openstack/etc/neutron/plugins/bigswitch/restproxy.ini
new file mode 100644
index 00000000..36e99bd7
--- /dev/null
+++ b/openstack/etc/neutron/plugins/bigswitch/restproxy.ini
@@ -0,0 +1,114 @@
+# Config file for neutron-proxy-plugin.
+# All configuration for this plugin is in section '[restproxy]'
+# The following parameters are supported:
+# servers : <host:port>[,<host:port>]* (Error if not set)
+# server_auth : <username:password> (default: no auth)
+# server_ssl : True | False (default: True)
+# ssl_cert_directory : <path> (default: /etc/neutron/plugins/bigswitch/ssl)
+# no_ssl_validation : True | False (default: False)
+# ssl_sticky : True | False (default: True)
+# sync_data : True | False (default: False)
+# auto_sync_on_failure : True | False (default: True)
+# consistency_interval : <integer> (default: 60 seconds)
+# server_timeout : <integer> (default: 10 seconds)
+# neutron_id : <string> (default: neutron-<hostname>)
+# add_meta_server_route : True | False (default: True)
+# thread_pool_size : <int> (default: 4)
+# A comma separated list of BigSwitch or Floodlight servers and port numbers. The plugin proxies the requests to the BigSwitch/Floodlight server, which performs the networking configuration. Note that only one server is needed per deployment, but you may wish to deploy multiple servers to support failover.
+# The username and password for authenticating against the BigSwitch or Floodlight controller.
+# server_auth=username:password
+# Use SSL when connecting to the BigSwitch or Floodlight controller.
+# server_ssl=True
+# Directory which contains the ca_certs and host_certs to be used to validate
+# controller certificates.
+# ssl_cert_directory=/etc/neutron/plugins/bigswitch/ssl/
+# If a certificate does not exist for a controller, trust and store the first
+# certificate received for that controller and use it to validate future
+# connections to that controller.
+# ssl_sticky=True
+# Do not validate the controller certificates for SSL
+# Warning: This will not provide protection against man-in-the-middle attacks
+# no_ssl_validation=False
+# Sync data on connect
+# sync_data=False
+# If neutron fails to create a resource because the backend controller
+# doesn't know of a dependency, automatically trigger a full data
+# synchronization to the controller.
+# auto_sync_on_failure=True
+# Time between verifications that the backend controller
+# database is consistent with Neutron. (0 to disable)
+# consistency_interval = 60
+# Maximum number of seconds to wait for proxy request to connect and complete.
+# server_timeout=10
+# User defined identifier for this Neutron deployment
+# neutron_id =
+# Flag to decide if a route to the metadata server should be injected into the VM
+# add_meta_server_route = True
+# Number of threads to use to handle large volumes of port creation requests
+# thread_pool_size = 4
+# Specify the VIF_TYPE that will be controlled on the Nova compute instances
+# options: ivs or ovs
+# default: ovs
+# vif_type = ovs
+# Overrides for vif types based on nova compute node host IDs
+# Comma separated list of host IDs to fix to a specific VIF type
+# The VIF type is taken from the end of the configuration item
+# node_override_vif_<vif_type>
+# For example, the following would set the VIF type to IVS for
+# host-id1 and host-id2
+# node_overrride_vif_ivs=host-id1,host-id2
+# Specify the default router rules installed in newly created tenant routers
+# Specify multiple times for multiple rules
+# Format is <tenant>:<source>:<destination>:<action>
+# Optionally, a comma-separated list of nexthops may be included after <action>
+# Use an * to specify default for all tenants
+# Default is any any allow for all tenants
+# tenant_default_router_rule=*:any:any:permit
+# Maximum number of rules that a single router may have
+# Default is 200
+# max_router_rules=200
+# Specify the name of the bridge used on compute nodes
+# for attachment.
+# Default: br-int
+# integration_bridge=br-int
+# Change the frequency of polling by the restproxy agent.
+# Value is seconds
+# Default: 5
+# polling_interval=5
+# Virtual switch type on the compute node.
+# Options: ovs or ivs
+# Default: ovs
+# virtual_switch_type = ovs
+# Controls if neutron security group is enabled or not.
+# It should be false when you use nova security group.
+# enable_security_group = True
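Review bot: The `ssl_sticky` comment documents a default of True, under which the plugin trusts and stores the first certificate a controller presents when none exists for it, so that first connection is accepted without prior verification. The comment should say this and point operators to provisioning certificates first, for example `# Trust-on-first-use: place controller certificates under ssl_cert_directory before first start and set ssl_sticky=False where possible`. Separately, the override example spells the key `node_overrride_vif_ivs` while the line above documents `node_override_vif_<vif_type>`. The example should read `# node_override_vif_ivs=host-id1,host-id2`.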
diff --git a/openstack/etc/neutron/plugins/bigswitch/ssl/ca_certs/README b/openstack/etc/neutron/plugins/bigswitch/ssl/ca_certs/README
new file mode 100644
index 00000000..e7e47a27
--- /dev/null
+++ b/openstack/etc/neutron/plugins/bigswitch/ssl/ca_certs/README
@@ -0,0 +1,3 @@
+Certificates in this folder will be used to
+verify signatures for any controllers the plugin
+connects to.
diff --git a/openstack/etc/neutron/plugins/bigswitch/ssl/host_certs/README b/openstack/etc/neutron/plugins/bigswitch/ssl/host_certs/README
new file mode 100644
index 00000000..8f5f5e77
--- /dev/null
+++ b/openstack/etc/neutron/plugins/bigswitch/ssl/host_certs/README
@@ -0,0 +1,6 @@
+Certificates in this folder must match the name
+of the controller they should be used to authenticate
+with a .pem extension.
+For example, the certificate for the controller
+"" should be named "".
diff --git a/openstack/etc/neutron/plugins/brocade/brocade.ini b/openstack/etc/neutron/plugins/brocade/brocade.ini
new file mode 100644
index 00000000..916e9e5d
--- /dev/null
+++ b/openstack/etc/neutron/plugins/brocade/brocade.ini
@@ -0,0 +1,29 @@
+# username = The SSH username to use
+# password = The SSH password to use
+# address = The address of the host to SSH to
+# ostype = Should be NOS, but is unused otherwise
+# Example:
+# username = admin
+# password = password
+# address =
+# ostype = NOS
+# physical_interface = The network interface to use when creating a port
+# Example:
+# physical_interface = physnet1
+# network_vlan_ranges = <physical network name>:nnnn:mmmm
+# Example:
+# network_vlan_ranges = physnet1:1000:2999
+# physical_interface_mappings = <physical network name>:<local interface>
+# Example:
+# physical_interface_mappings = physnet1:em1
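Review bot: This template documents an SSH `password` key that is stored in clear text, and nothing in the file says how the file itself should be protected. A header comment such as `# Contains switch credentials: restrict read access to the neutron service account` would cover it. The example `password = password` would be better as a placeholder like `password = <ssh password>`, so it is not copied as a working value. The same applies to the credential keys documented in restproxy.ini (`server_auth`), cisco_plugins.ini, cisco_vpn_agent.ini, ml2_conf_arista.ini and ml2_conf_brocade.ini in this commit.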
diff --git a/openstack/etc/neutron/plugins/cisco/cisco_cfg_agent.ini b/openstack/etc/neutron/plugins/cisco/cisco_cfg_agent.ini
new file mode 100644
index 00000000..d99e8382
--- /dev/null
+++ b/openstack/etc/neutron/plugins/cisco/cisco_cfg_agent.ini
@@ -0,0 +1,15 @@
+# (IntOpt) Interval in seconds for processing of service updates.
+# That is when the config agent's process_services() loop executes
+# and it lets each service helper to process its service resources.
+# rpc_loop_interval = 10
+# (StrOpt) Period-separated module path to the routing service helper class.
+# routing_svc_helper_class =
+# (IntOpt) Timeout value in seconds for connecting to a hosting device.
+# device_connection_timeout = 30
+# (IntOpt) The time in seconds until a backlogged hosting device is
+# presumed dead or booted to an error state.
+# hosting_device_dead_timeout = 300
diff --git a/openstack/etc/neutron/plugins/cisco/cisco_plugins.ini b/openstack/etc/neutron/plugins/cisco/cisco_plugins.ini
new file mode 100644
index 00000000..a93bc7f1
--- /dev/null
+++ b/openstack/etc/neutron/plugins/cisco/cisco_plugins.ini
@@ -0,0 +1,107 @@
+# (StrOpt) A short prefix to prepend to the VLAN number when creating a
+# VLAN interface. For example, if an interface is being created for
+# VLAN 2001 it will be named 'q-2001' using the default prefix.
+# vlan_name_prefix = q-
+# Example: vlan_name_prefix = vnet-
+# (StrOpt) A short prefix to prepend to the VLAN number when creating a
+# provider VLAN interface. For example, if an interface is being created
+# for provider VLAN 3003 it will be named 'p-3003' using the default prefix.
+# provider_vlan_name_prefix = p-
+# Example: provider_vlan_name_prefix = PV-
+# (BoolOpt) A flag indicating whether Openstack networking should manage the
+# creation and removal of VLAN interfaces for provider networks on the Nexus
+# switches. If the flag is set to False then Openstack will not create or
+# remove VLAN interfaces for provider networks, and the administrator needs
+# to manage these interfaces manually or by external orchestration.
+# provider_vlan_auto_create = True
+# (BoolOpt) A flag indicating whether Openstack networking should manage
+# the adding and removing of provider VLANs from trunk ports on the Nexus
+# switches. If the flag is set to False then Openstack will not add or
+# remove provider VLANs from trunk ports, and the administrator needs to
+# manage these operations manually or by external orchestration.
+# provider_vlan_auto_trunk = True
+# (StrOpt) Period-separated module path to the model class to use for
+# the Cisco neutron plugin.
+# model_class =
+# (BoolOpt) A flag to enable Layer 3 support on the Nexus switches.
+# Note: This feature is not supported on all models/versions of Cisco
+# Nexus switches. To use this feature, all of the Nexus switches in the
+# deployment must support it.
+# nexus_l3_enable = False
+# (BoolOpt) A flag to enable round robin scheduling of routers for SVI.
+# svi_round_robin = False
+# Cisco Nexus Switch configurations.
+# Each switch to be managed by Openstack Neutron must be configured here.
+# N1KV Format.
+# [N1KV:<IP address of VSM>]
+# username=<credential username>
+# password=<credential password>
+# Example:
+# [N1KV:]
+# username=admin
+# password=mySecretPassword
+# (StrOpt) Specify the name of the integration bridge to which the VIFs are
+# attached.
+# Default value: br-int
+# integration_bridge = br-int
+# (StrOpt) Name of the policy profile to be associated with a port when no
+# policy profile is specified during port creates.
+# Default value: service_profile
+# default_policy_profile = service_profile
+# (StrOpt) Name of the policy profile to be associated with a port owned by
+# network node (dhcp, router).
+# Default value: dhcp_pp
+# network_node_policy_profile = dhcp_pp
+# (StrOpt) Name of the network profile to be associated with a network when no
+# network profile is specified during network creates. Admin should pre-create
+# a network profile with this name.
+# Default value: default_network_profile
+# default_network_profile = network_pool
+# (IntOpt) Time in seconds for which the plugin polls the VSM for updates in
+# policy profiles.
+# Default value: 60
+# poll_duration = 60
+# (BoolOpt) Specify whether tenants are restricted from accessing all the
+# policy profiles.
+# Default value: False, indicating all tenants can access all policy profiles.
+# restrict_policy_profiles = False
+# (IntOpt) Number of threads to use to make HTTP requests to the VSM.
+# Default value: 4
+# http_pool_size = 4
+# (IntOpt) Timeout duration in seconds for the http request
+# Default value: 15
+# http_timeout = 15
+# (BoolOpt) Specify whether tenants are restricted from accessing network
+# profiles belonging to other tenants.
+# Default value: True, indicating other tenants cannot access network
+# profiles belonging to a tenant.
+# restrict_network_profiles = True
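Review bot: `restrict_policy_profiles` is documented with a default of False, which the comment itself describes as all tenants being able to access all policy profiles, with no hint that a multi-tenant deployment may want the restriction on. I would add a line above it such as `# Consider True in multi-tenant deployments; confirm the exact scoping against the plugin`. Also, the `default_network_profile` comment states `Default value: default_network_profile` while the sample line below it shows `network_pool`. One of the two is wrong and should be corrected against the plugin's registered default, which this diff does not show.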
diff --git a/openstack/etc/neutron/plugins/cisco/cisco_router_plugin.ini b/openstack/etc/neutron/plugins/cisco/cisco_router_plugin.ini
new file mode 100644
index 00000000..3ef271d2
--- /dev/null
+++ b/openstack/etc/neutron/plugins/cisco/cisco_router_plugin.ini
@@ -0,0 +1,76 @@
+#(IntOpt) Time in seconds between renewed scheduling attempts of non-scheduled routers
+# backlog_processing_interval = 10
+#(StrOpt) Name of the L3 admin tenant
+# l3_admin_tenant = L3AdminTenant
+#(StrOpt) Name of management network for hosting device configuration
+# management_network = osn_mgmt_nw
+#(StrOpt) Default security group applied on management port
+# default_security_group = mgmt_sec_grp
+#(IntOpt) Seconds of no status update until a cfg agent is considered down
+# cfg_agent_down_time = 60
+#(StrOpt) Path to templates for hosting devices
+# templates_path = /opt/stack/data/neutron/cisco/templates
+#(StrOpt) Path to config drive files for service VM instances
+# service_vm_config_path = /opt/stack/data/neutron/cisco/config_drive
+#(BoolOpt) Ensure that Nova is running before attempting to create any VM
+# ensure_nova_running = True
+# Settings coupled to CSR1kv VM devices
+# -------------------------------------
+#(StrOpt) Name of Glance image for CSR1kv
+# csr1kv_image = csr1kv_openstack_img
+#(StrOpt) UUID of Nova flavor for CSR1kv
+# csr1kv_flavor = 621
+#(StrOpt) Plugging driver for CSR1kv
+# csr1kv_plugging_driver =
+#(StrOpt) Hosting device driver for CSR1kv
+# csr1kv_device_driver =
+#(StrOpt) Config agent router service driver for CSR1kv
+# csr1kv_cfgagent_router_driver =
+#(StrOpt) Configdrive template file for CSR1kv
+# csr1kv_configdrive_template = csr1kv_cfg_template
+#(IntOpt) Booting time in seconds before a CSR1kv becomes operational
+# csr1kv_booting_time = 420
+#(StrOpt) Username to use for CSR1kv configurations
+# csr1kv_username = stack
+#(StrOpt) Password to use for CSR1kv configurations
+# csr1kv_password = cisco
+# Settings coupled to inter-working with N1kv plugin
+# --------------------------------------------------
+#(StrOpt) Name of N1kv port profile for management ports
+# management_port_profile = osn_mgmt_pp
+#(StrOpt) Name of N1kv port profile for T1 ports (i.e., ports carrying traffic
+# from VXLAN segmented networks).
+# t1_port_profile = osn_t1_pp
+#(StrOpt) Name of N1kv port profile for T2 ports (i.e., ports carrying traffic
+# from VLAN segmented networks).
+# t2_port_profile = osn_t2_pp
+#(StrOpt) Name of N1kv network profile for T1 networks (i.e., trunk networks
+# for VXLAN segmented traffic).
+# t1_network_profile = osn_t1_np
+#(StrOpt) Name of N1kv network profile for T2 networks (i.e., trunk networks
+# for VLAN segmented traffic).
+# t2_network_profile = osn_t2_np
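Review bot: The CSR1kv block documents `csr1kv_username = stack` and `csr1kv_password = cisco` with no note that they must be changed. If these commented lines mirror the code defaults, a deployment that leaves them unset would manage its routers with a well-known password. A comment above `csr1kv_password` such as `# Default is a well-known value; set a deployment-specific password before use` would make that explicit. The same pattern appears in sdnve_neutron_plugin.ini (`userid` and `password` both defaulting to `admin`) and midonet.ini (`password = passw0rd`) in this commit.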
diff --git a/openstack/etc/neutron/plugins/cisco/cisco_vpn_agent.ini b/openstack/etc/neutron/plugins/cisco/cisco_vpn_agent.ini
new file mode 100644
index 00000000..0aee17eb
--- /dev/null
+++ b/openstack/etc/neutron/plugins/cisco/cisco_vpn_agent.ini
@@ -0,0 +1,26 @@
+# Status check interval in seconds, for VPNaaS IPSec connections used on CSR
+# status_check_interval = 60
+# Cisco CSR management port information for REST access used by VPNaaS
+# TODO(pcm): Remove once CSR is integrated in as a Neutron router.
+# Format is:
+# [cisco_csr_rest:<public IP>]
+# rest_mgmt = <mgmt port IP>
+# tunnel_ip = <tunnel IP>
+# username = <user>
+# password = <password>
+# timeout = <timeout>
+# host = <hostname>
+# tunnel_if = <tunnel I/F>
+# where:
+# public IP ----- Public IP address of router used with a VPN service (1:1 with CSR)
+# tunnel IP ----- Public IP address of the CSR used for the IPSec tunnel
+# mgmt port IP -- IP address of CSR for REST API access
+# user ---------- Username for REST management port access to Cisco CSR
+# password ------ Password for REST management port access to Cisco CSR
+# timeout ------- REST request timeout to Cisco CSR (optional)
+# hostname ------ Name of host where CSR is running as a VM
+# tunnel I/F ---- CSR port name used for tunnels' IP address
diff --git a/openstack/etc/neutron/plugins/embrane/heleos_conf.ini b/openstack/etc/neutron/plugins/embrane/heleos_conf.ini
new file mode 100644
index 00000000..0ca9b46f
--- /dev/null
+++ b/openstack/etc/neutron/plugins/embrane/heleos_conf.ini
@@ -0,0 +1,41 @@
+#configure the ESM management address
+#in the first version of this plugin, only one ESM can be specified
+#configure admin username and password
+#router image id
+#mgmt shared security zone id
+#defines the shared management security zone. Each tenant can have a private one configured through the ESM
+#in-band shared security zone id
+#defines the shared in-band security zone. Each tenant can have a private one configured through the ESM
+#oob-band shared security zone id
+#defines the shared out-of-band security zone. Each tenant can have a private one configured through the ESM
+#dummy security zone id
+#defines the dummy security zone ID. this security zone will be used by the DVAs with no neutron interfaces
+#resource pool id
+#define the shared resource pool. Each tenant can have a private one configured through the ESM
+#define if the requests have to be executed asynchronously by the plugin or not
diff --git a/openstack/etc/neutron/plugins/hyperv/hyperv_neutron_plugin.ini b/openstack/etc/neutron/plugins/hyperv/hyperv_neutron_plugin.ini
new file mode 100644
index 00000000..5eeec570
--- /dev/null
+++ b/openstack/etc/neutron/plugins/hyperv/hyperv_neutron_plugin.ini
@@ -0,0 +1,63 @@
+# (StrOpt) Type of network to allocate for tenant networks. The
+# default value 'local' is useful only for single-box testing and
+# provides no connectivity between hosts. You MUST either change this
+# to 'vlan' and configure network_vlan_ranges below or to 'flat'.
+# Set to 'none' to disable creation of tenant networks.
+# tenant_network_type = local
+# Example: tenant_network_type = vlan
+# (ListOpt) Comma-separated list of
+# <physical_network>[:<vlan_min>:<vlan_max>] tuples enumerating ranges
+# of VLAN IDs on named physical networks that are available for
+# allocation. All physical networks listed are available for flat and
+# VLAN provider network creation. Specified ranges of VLAN IDs are
+# available for tenant network allocation if tenant_network_type is
+# 'vlan'. If empty, only gre and local networks may be created.
+# network_vlan_ranges =
+# Example: network_vlan_ranges = physnet1:1000:2999
+# Agent's polling interval in seconds
+# polling_interval = 2
+# (ListOpt) Comma separated list of <physical_network>:<vswitch>
+# where the physical networks can be expressed with wildcards,
+# e.g.: ."*:external".
+# The referred external virtual switches need to be already present on
+# the Hyper-V server.
+# If a given physical network name will not match any value in the list
+# the plugin will look for a virtual switch with the same name.
+# physical_network_vswitch_mappings = *:external
+# Example: physical_network_vswitch_mappings = net1:external1,net2:external2
+# (StrOpt) Private virtual switch name used for local networking.
+# local_network_vswitch = private
+# Example: local_network_vswitch = custom_vswitch
+# (BoolOpt) Enables metrics collections for switch ports by using Hyper-V's
+# metric APIs. Collected data can by retrieved by other apps and services,
+# e.g.: Ceilometer. Requires Hyper-V / Windows Server 2012 and above.
+# enable_metrics_collection = False
+# Sample Configurations.
+# Neutron server:
+# tenant_network_type = vlan
+# network_vlan_ranges = default:2000:3999
+# Agent running on Hyper-V node:
+# [AGENT]
+# polling_interval = 2
+# physical_network_vswitch_mappings = *:external
+# local_network_vswitch = private
diff --git a/openstack/etc/neutron/plugins/ibm/sdnve_neutron_plugin.ini b/openstack/etc/neutron/plugins/ibm/sdnve_neutron_plugin.ini
new file mode 100644
index 00000000..0fab5070
--- /dev/null
+++ b/openstack/etc/neutron/plugins/ibm/sdnve_neutron_plugin.ini
@@ -0,0 +1,50 @@
+# (ListOpt) The IP address of one (or more) SDN-VE controllers
+# Default value is: controller_ips =
+# Example: controller_ips =,
+# (StrOpt) The integration bridge for OF based implementation
+# The default value for integration_bridge is None
+# Example: integration_bridge = br-int
+# (ListOpt) The interface mapping connecting the integration
+# bridge to external network as a list of physical network names and
+# interfaces: <physical_network_name>:<interface_name>
+# Example: interface_mappings = default:eth2
+# (BoolOpt) Used to reset the integration bridge, if exists
+# The default value for reset_bridge is True
+# Example: reset_bridge = False
+# (BoolOpt) Used to set the OVS controller as out-of-band
+# The default value for out_of_band is True
+# Example: out_of_band = False
+# (BoolOpt) The fake controller for testing purposes
+# Default value is: use_fake_controller = False
+# (StrOpt) The port number for use with controller
+# The default value for the port is 8443
+# Example: port = 8443
+# (StrOpt) The userid for use with controller
+# The default value for the userid is admin
+# Example: userid = sdnve_user
+# (StrOpt) The password for use with controller
+# The default value for the password is admin
+# Example: password = sdnve_password
+# (StrOpt) The default type of tenants (and associated resources)
+# Available choices are: OVERLAY or OF
+# The default value for tenant type is OVERLAY
+# Example: default_tenant_type = OVERLAY
+# (StrOpt) The string in tenant description that indicates
+# Default value for OF tenants: of_signature = SDNVE-OF
+# (StrOpt) The string in tenant description that indicates
+# Default value for OVERLAY tenants: overlay_signature = SDNVE-OVERLAY
+# (IntOpt) Agent's polling interval in seconds
+# polling_interval = 2
+# (StrOpt) What to use for root helper
+# The default value: root_helper = 'sudo'
+# (BoolOpt) Whether to use rpc or not
+# The default value: rpc = True
+# The security group is not supported:
+# firewall_driver = neutron.agent.firewall.NoopFirewallDriver
diff --git a/openstack/etc/neutron/plugins/linuxbridge/linuxbridge_conf.ini b/openstack/etc/neutron/plugins/linuxbridge/linuxbridge_conf.ini
new file mode 100644
index 00000000..94fe9803
--- /dev/null
+++ b/openstack/etc/neutron/plugins/linuxbridge/linuxbridge_conf.ini
@@ -0,0 +1,78 @@
+# (StrOpt) Type of network to allocate for tenant networks. The
+# default value 'local' is useful only for single-box testing and
+# provides no connectivity between hosts. You MUST change this to
+# 'vlan' and configure network_vlan_ranges below in order for tenant
+# networks to provide connectivity between hosts. Set to 'none' to
+# disable creation of tenant networks.
+# tenant_network_type = local
+# Example: tenant_network_type = vlan
+# (ListOpt) Comma-separated list of
+# <physical_network>[:<vlan_min>:<vlan_max>] tuples enumerating ranges
+# of VLAN IDs on named physical networks that are available for
+# allocation. All physical networks listed are available for flat and
+# VLAN provider network creation. Specified ranges of VLAN IDs are
+# available for tenant network allocation if tenant_network_type is
+# 'vlan'. If empty, only local networks may be created.
+# network_vlan_ranges =
+# Example: network_vlan_ranges = physnet1:1000:2999
+# (ListOpt) Comma-separated list of
+# <physical_network>:<physical_interface> tuples mapping physical
+# network names to the agent's node-specific physical network
+# interfaces to be used for flat and VLAN networks. All physical
+# networks listed in network_vlan_ranges on the server should have
+# mappings to appropriate interfaces on each agent.
+# physical_interface_mappings =
+# Example: physical_interface_mappings = physnet1:eth1
+# (BoolOpt) enable VXLAN on the agent
+# VXLAN support can be enabled when agent is managed by ml2 plugin using
+# linuxbridge mechanism driver. Useless if set while using linuxbridge plugin.
+# enable_vxlan = False
+# (IntOpt) use specific TTL for vxlan interface protocol packets
+# ttl =
+# (IntOpt) use specific TOS for vxlan interface protocol packets
+# tos =
+# (StrOpt) multicast group to use for broadcast emulation.
+# This group must be the same on all the agents.
+# vxlan_group =
+# (StrOpt) Local IP address to use for VXLAN endpoints (required)
+# local_ip =
+# (BoolOpt) Flag to enable l2population extension. This option should be used
+# in conjunction with ml2 plugin l2population mechanism driver (in that case,
+# both linuxbridge and l2population mechanism drivers should be loaded).
+# It enables plugin to populate VXLAN forwarding table, in order to limit
+# the use of broadcast emulation (multicast will be turned off if kernel and
+# iproute2 supports unicast flooding - requires 3.11 kernel and iproute2 3.10)
+# l2_population = False
+# Agent's polling interval in seconds
+# polling_interval = 2
+# (BoolOpt) Enable server RPC compatibility with old (pre-havana)
+# agents.
+# rpc_support_old_agents = False
+# Example: rpc_support_old_agents = True
+# Firewall driver for realizing neutron security group function
+# firewall_driver = neutron.agent.firewall.NoopFirewallDriver
+# Example: firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
+# Controls if neutron security group is enabled or not.
+# It should be false when you use nova security group.
+# enable_security_group = True
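Review bot: The last lines of this file document `firewall_driver = neutron.agent.firewall.NoopFirewallDriver` together with `enable_security_group = True`. If those commented values are the effective defaults, the security group feature is switched on while the agent's driver is a no-op, so rules that tenants create would presumably not be enforced on the host. The comment above `firewall_driver` should say so, e.g. `# NoopFirewallDriver applies no filtering; use the iptables driver shown below when enable_security_group is True`.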
diff --git a/openstack/etc/neutron/plugins/metaplugin/metaplugin.ini b/openstack/etc/neutron/plugins/metaplugin/metaplugin.ini
new file mode 100644
index 00000000..2b9bfa5e
--- /dev/null
+++ b/openstack/etc/neutron/plugins/metaplugin/metaplugin.ini
@@ -0,0 +1,31 @@
+# Config file for Metaplugin
+# Comma separated list of flavor:neutron_plugin for plugins to load.
+# Extension method is searched in the list order and the first one is used.
+plugin_list = 'ml2:neutron.plugins.ml2.plugin.Ml2Plugin,nvp:neutron.plugins.vmware.plugin.NsxPluginV2'
+# Comma separated list of flavor:neutron_plugin for L3 service plugins
+# to load.
+# This is intended for specifying L2 plugins which support L3 functions.
+# If you use a router service plugin, set this blank.
+l3_plugin_list =
+# Default flavor to use, when flavor:network is not specified at network
+# creation.
+default_flavor = 'nvp'
+# Default L3 flavor to use, when flavor:router is not specified at router
+# creation.
+# Ignored if 'l3_plugin_list' is blank.
+default_l3_flavor =
+# Comma separated list of supported extension aliases.
+supported_extension_aliases = 'provider,binding,agent,dhcp_agent_scheduler'
+# Comma separated list of method:flavor to select specific plugin for a method.
+# This has priority over method search order based on 'plugin_list'.
+extension_map = 'get_port_stats:nvp'
+# Specifies flavor for plugin to handle 'q-plugin' RPC requests.
+rpc_flavor = 'ml2'
diff --git a/openstack/etc/neutron/plugins/midonet/midonet.ini b/openstack/etc/neutron/plugins/midonet/midonet.ini
new file mode 100644
index 00000000..6cc02117
--- /dev/null
+++ b/openstack/etc/neutron/plugins/midonet/midonet.ini
@@ -0,0 +1,19 @@
+# MidoNet API server URI
+# midonet_uri =
+# MidoNet admin username
+# username = admin
+# MidoNet admin password
+# password = passw0rd
+# ID of the project that MidoNet admin user belongs to
+# project_id = 77777777-7777-7777-7777-777777777777
+# Virtual provider router ID
+# provider_router_id = 00112233-0011-0011-0011-001122334455
+# Path to midonet host uuid file
+# midonet_host_uuid_path = /etc/midolman/
diff --git a/openstack/etc/neutron/plugins/ml2/ml2_conf.ini b/openstack/etc/neutron/plugins/ml2/ml2_conf.ini
new file mode 100644
index 00000000..58e5fe21
--- /dev/null
+++ b/openstack/etc/neutron/plugins/ml2/ml2_conf.ini
@@ -0,0 +1,85 @@
+# (ListOpt) List of network type driver entrypoints to be loaded from
+# the neutron.ml2.type_drivers namespace.
+# type_drivers = local,flat,vlan,gre,vxlan
+# Example: type_drivers = flat,vlan,gre,vxlan
+type_drivers = flat,gre
+# (ListOpt) Ordered list of network_types to allocate as tenant
+# networks. The default value 'local' is useful for single-box testing
+# but provides no connectivity between hosts.
+# tenant_network_types = local
+# Example: tenant_network_types = vlan,gre,vxlan
+tenant_network_types = gre
+# (ListOpt) Ordered list of networking mechanism driver entrypoints
+# to be loaded from the neutron.ml2.mechanism_drivers namespace.
+# mechanism_drivers =
+# Example: mechanism_drivers = openvswitch,mlnx
+# Example: mechanism_drivers = arista
+# Example: mechanism_drivers = cisco,logger
+# Example: mechanism_drivers = openvswitch,brocade
+# Example: mechanism_drivers = linuxbridge,brocade
+mechanism_drivers = openvswitch
+# (ListOpt) Ordered list of extension driver entrypoints
+# to be loaded from the neutron.ml2.extension_drivers namespace.
+# extension_drivers =
+# Example: extension_drivers = anewextensiondriver
+# (ListOpt) List of physical_network names with which flat networks
+# can be created. Use * to allow flat networks with arbitrary
+# physical_network names.
+# flat_networks =
+# Example:flat_networks = physnet1,physnet2
+# Example:flat_networks = *
+flat_networks = External
+# (ListOpt) List of <physical_network>[:<vlan_min>:<vlan_max>] tuples
+# specifying physical_network names usable for VLAN provider and
+# tenant networks, as well as ranges of VLAN tags on each
+# physical_network available for allocation as tenant networks.
+# network_vlan_ranges =
+# Example: network_vlan_ranges = physnet1:1000:2999,physnet2
+#network_vlan_ranges = Physnet1:100:200
+# (ListOpt) Comma-separated list of <tun_min>:<tun_max> tuples enumerating ranges of GRE tunnel IDs that are available for tenant network allocation
+tunnel_id_ranges = 1:1000
+# (ListOpt) Comma-separated list of <vni_min>:<vni_max> tuples enumerating
+# ranges of VXLAN VNI IDs that are available for tenant network allocation.
+# vni_ranges =
+# (StrOpt) Multicast group for the VXLAN interface. When configured, will
+# enable sending all broadcast traffic to this multicast group. When left
+# unconfigured, will disable multicast VXLAN mode.
+# vxlan_group =
+# Example: vxlan_group =
+firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+# Controls if neutron security group is enabled or not.
+# It should be false when you use nova security group.
+enable_security_group = True
+# Use ipset to speed-up the iptables security groups. Enabling ipset support
+# requires that ipset is installed on L2 agent node.
+enable_ipset = True
+local_ip = onenode
+enable_tunneling = True
+tunnel_types = gre
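Review bot: The three settings at the end, `local_ip = onenode`, `enable_tunneling = True` and `tunnel_types = gre`, have no comments, unlike most other active values in this file, and `local_ip` hard-codes one host's name into a shipped default. linuxbridge_conf.ini in this same commit describes `local_ip` as a local IP address, so a reader cannot tell that a resolvable hostname is intended here or which interface it must map to. I would add `# Tunnel endpoint for this node; 'onenode' must resolve to this host's address on the tunnel network` above it. A second comment should note that GRE tenant traffic between nodes is not encrypted, so the tunnel network should be isolated.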
diff --git a/openstack/etc/neutron/plugins/ml2/ml2_conf_arista.ini b/openstack/etc/neutron/plugins/ml2/ml2_conf_arista.ini
new file mode 100644
index 00000000..abaf5bc7
--- /dev/null
+++ b/openstack/etc/neutron/plugins/ml2/ml2_conf_arista.ini
@@ -0,0 +1,100 @@
+# Defines configuration options specific for Arista ML2 Mechanism driver
+# (StrOpt) EOS IP address. This is required field. If not set, all
+# communications to Arista EOS will fail
+# eapi_host =
+# Example: eapi_host =
+# (StrOpt) EOS command API username. This is required field.
+# if not set, all communications to Arista EOS will fail.
+# eapi_username =
+# Example: arista_eapi_username = admin
+# (StrOpt) EOS command API password. This is required field.
+# if not set, all communications to Arista EOS will fail.
+# eapi_password =
+# Example: eapi_password = my_password
+# (StrOpt) Defines if hostnames are sent to Arista EOS as FQDNs
+# ("") or as short names ("node1"). This is
+# optional. If not set, a value of "True" is assumed.
+# use_fqdn =
+# Example: use_fqdn = True
+# (IntOpt) Sync interval in seconds between Neutron plugin and EOS.
+# This field defines how often the synchronization is performed.
+# This is an optional field. If not set, a value of 180 seconds
+# is assumed.
+# sync_interval =
+# Example: sync_interval = 60
+# (StrOpt) Defines Region Name that is assigned to this OpenStack Controller.
+# This is useful when multiple OpenStack/Neutron controllers are
+# managing the same Arista HW clusters. Note that this name must
+# match with the region name registered (or known) to keystone
+# service. Authentication with Keysotne is performed by EOS.
+# This is optional. If not set, a value of "RegionOne" is assumed.
+# region_name =
+# Example: region_name = RegionOne
+# (StrOpt) primary host IP address. This is required field. If not set, all
+# communications to Arista EOS will fail. This is the host where
+# primary router is created.
+# primary_l3_host =
+# Example: primary_l3_host =
+# (StrOpt) Primary host username. This is required field.
+# if not set, all communications to Arista EOS will fail.
+# primary_l3_host_username =
+# Example: arista_primary_l3_username = admin
+# (StrOpt) Primary host password. This is required field.
+# if not set, all communications to Arista EOS will fail.
+# primary_l3_host_password =
+# Example: primary_l3_password = my_password
+# (StrOpt) IP address of the second Arista switch paired as
+# MLAG (Multi-chassis Link Aggregation) with the first.
+# This is optional field, however, if mlag_config flag is set,
+# then this is a required field. If not set, all
+# communications to Arista EOS will fail. If mlag_config is set
+# to False, then this field is ignored
+# seconadary_l3_host =
+# Example: seconadary_l3_host =
+# (BoolOpt) Defines if Arista switches are configured in MLAG mode
+# If yes, all L3 configuration is pushed to both switches
+# automatically. If this flag is set, ensure that secondary_l3_host
+# is set to the second switch's IP.
+# This flag is Optional. If not set, a value of "False" is assumed.
+# mlag_config =
+# Example: mlag_config = True
+# (BoolOpt) Defines if the router is created in default VRF or a
+# a specific VRF. This is optional.
+# If not set, a value of "False" is assumed.
+# Example: use_vrf = True
+# (IntOpt) Sync interval in seconds between Neutron plugin and EOS.
+# This field defines how often the synchronization is performed.
+# This is an optional field. If not set, a value of 180 seconds
+# is assumed.
+# l3_sync_interval =
+# Example: l3_sync_interval = 60
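Review bot: Several key names in this template disagree with each other, so an operator copying an example may set a key the driver never reads and be left with missing credentials or a missing MLAG peer. `seconadary_l3_host` (setting and example) is spelled `secondary_l3_host` in the `mlag_config` comment. The examples `arista_eapi_username`, `arista_primary_l3_username` and `primary_l3_password` do not match the documented keys `eapi_username`, `primary_l3_host_username` and `primary_l3_host_password`, and the `use_vrf` block has an example but no `# use_vrf =` line. Each should be aligned with the option names the driver registers, which this diff does not show. `Keysotne` in the `region_name` comment is a typo for Keystone.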
diff --git a/openstack/etc/neutron/plugins/ml2/ml2_conf_brocade.ini b/openstack/etc/neutron/plugins/ml2/ml2_conf_brocade.ini
new file mode 100644
index 00000000..67574110
--- /dev/null
+++ b/openstack/etc/neutron/plugins/ml2/ml2_conf_brocade.ini
@@ -0,0 +1,15 @@
+# username = <mgmt admin username>
+# password = <mgmt admin password>
+# address = <switch mgmt ip address>
+# ostype = NOS
+# osversion = autodetect | n.n.n
+# physical_networks = physnet1,physnet2
+# Example:
+# username = admin
+# password = password
+# address =
+# ostype = NOS
+# osversion = 4.1.1
+# physical_networks = physnet1,physnet2
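Review bot: The credential keys in this sample (`username`, `password`) are cleartext INI values, and nothing in the file says who may read it. The same applies to the Cisco, FSL SDN, NCS, ODL, Nuage, NVSD, PLUMgrid and NSX samples later in this commit. Since these land under etc/neutron as initial configuration, I would add a header comment such as `# This file holds device credentials in cleartext; keep it readable only by the neutron service user.` and have the install step set a restrictive file mode. The example `password = password` would also be safer as a placeholder, as in the `<mgmt admin password>` line above it.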
diff --git a/openstack/etc/neutron/plugins/ml2/ml2_conf_cisco.ini b/openstack/etc/neutron/plugins/ml2/ml2_conf_cisco.ini
new file mode 100644
index 00000000..1b69100e
--- /dev/null
+++ b/openstack/etc/neutron/plugins/ml2/ml2_conf_cisco.ini
@@ -0,0 +1,118 @@
+# (StrOpt) A short prefix to prepend to the VLAN number when creating a
+# VLAN interface. For example, if an interface is being created for
+# VLAN 2001 it will be named 'q-2001' using the default prefix.
+# vlan_name_prefix = q-
+# Example: vlan_name_prefix = vnet-
+# (BoolOpt) A flag to enable round robin scheduling of routers for SVI.
+# svi_round_robin = False
+# (StrOpt) The name of the physical_network managed via the Cisco Nexus Switch.
+# This string value must be present in the ml2_conf.ini network_vlan_ranges
+# variable.
+# managed_physical_network =
+# Example: managed_physical_network = physnet1
+# Cisco Nexus Switch configurations.
+# Each switch to be managed by Openstack Neutron must be configured here.
+# Cisco Nexus Switch Format.
+# [ml2_mech_cisco_nexus:<IP address of switch>]
+# <hostname>=<intf_type:port> (1)
+# ssh_port=<ssh port> (2)
+# username=<credential username> (3)
+# password=<credential password> (4)
+# (1) For each host connected to a port on the switch, specify the hostname
+# and the Nexus physical port (interface) it is connected to.
+# Valid intf_type's are 'ethernet' and 'port-channel'.
+# The default setting for <intf_type:> is 'ethernet' and need not be
+# added to this setting.
+# (2) The TCP port for connecting via SSH to manage the switch. This is
+# port number 22 unless the switch has been configured otherwise.
+# (3) The username for logging into the switch to manage it.
+# (4) The password for logging into the switch to manage it.
+# Example:
+# [ml2_mech_cisco_nexus:]
+# compute1=1/1
+# compute2=ethernet:1/2
+# compute3=port-channel:1
+# ssh_port=22
+# username=admin
+# password=mySecretPassword
+# Hostname:port list of APIC controllers
+# apic_hosts =,,
+# Username for the APIC controller
+# apic_username = user
+# Password for the APIC controller
+# apic_password = password
+# Whether use SSl for connecting to the APIC controller or not
+# apic_use_ssl = True
+# How to map names to APIC: use_uuid or use_name
+# apic_name_mapping = use_name
+# Names for APIC objects used by Neutron
+# Note: When deploying multiple clouds against one APIC,
+# these names must be unique between the clouds.
+# apic_vmm_domain = openstack
+# apic_vlan_ns_name = openstack_ns
+# apic_node_profile = openstack_profile
+# apic_entity_profile = openstack_entity
+# apic_function_profile = openstack_function
+# apic_app_profile_name = openstack_app
+# Agent timers for State reporting and topology discovery
+# apic_sync_interval = 30
+# apic_agent_report_interval = 30
+# apic_agent_poll_interval = 2
+# Specify your network topology.
+# This section indicates how your compute nodes are connected to the fabric's
+# switches and ports. The format is as follows:
+# [apic_switch:<swich_id_from_the_apic>]
+# <compute_host>,<compute_host> = <switchport_the_host(s)_are_connected_to>
+# You can have multiple sections, one for each switch in your fabric that is
+# participating in Openstack. e.g.
+# [apic_switch:17]
+# ubuntu,ubuntu1 = 1/10
+# ubuntu2,ubuntu3 = 1/11
+# [apic_switch:18]
+# ubuntu5,ubuntu6 = 1/1
+# ubuntu7,ubuntu8 = 1/2
+# Describe external connectivity.
+# In this section you can specify the external network configuration in order
+# for the plugin to be able to teach the fabric how to route the internal
+# traffic to the outside world. The external connectivity configuration
+# format is as follows:
+# [apic_external_network:<externalNetworkName>]
+# switch = <switch_id_from_the_apic>
+# port = <switchport_the_external_router_is_connected_to>
+# encap = <encapsulation>
+# cidr_exposed = <cidr_exposed_to_the_external_router>
+# gateway_ip = <ip_of_the_external_gateway>
+# An example follows:
+# [apic_external_network:network_ext]
+# switch=203
+# port=1/34
+# encap=vlan-100
+# cidr_exposed=
+# gateway_ip=
diff --git a/openstack/etc/neutron/plugins/ml2/ml2_conf_fslsdn.ini b/openstack/etc/neutron/plugins/ml2/ml2_conf_fslsdn.ini
new file mode 100644
index 00000000..6ee4a4e0
--- /dev/null
+++ b/openstack/etc/neutron/plugins/ml2/ml2_conf_fslsdn.ini
@@ -0,0 +1,52 @@
+# Defines Configuration options for FSL SDN OS Mechanism Driver
+# Cloud Resource Discovery (CRD) authorization credentials
+#(StrOpt) User name for authentication to CRD.
+# e.g.: user12
+# crd_user_name =
+#(StrOpt) Password for authentication to CRD.
+# e.g.: secret
+# crd_password =
+#(StrOpt) Tenant name for CRD service.
+# e.g.: service
+# crd_tenant_name =
+#(StrOpt) CRD auth URL.
+# e.g.:
+# crd_auth_url =
+#(StrOpt) URL for connecting to CRD Service.
+# e.g.:
+# crd_url=
+#(IntOpt) Timeout value for connecting to CRD service
+# in seconds, e.g.: 30
+# crd_url_timeout=
+#(StrOpt) Region name for connecting to CRD in
+# admin context, e.g.: RegionOne
+# crd_region_name=
+#(BoolOpt)If set, ignore any SSL validation issues (boolean value)
+# e.g.: False
+# crd_api_insecure=
+#(StrOpt)Authorization strategy for connecting to CRD in admin
+# context, e.g.: keystone
+# crd_auth_strategy=
+#(StrOpt)Location of CA certificates file to use for CRD client
+# requests.
+# crd_ca_certificates_file=
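Review bot: The comment on `crd_api_insecure` describes the option but does not warn against enabling it. Setting it makes the CRD client ignore certificate validation problems, so an impersonated CRD endpoint would not be detected. I would extend the comment with `# Leave False outside test setups; point crd_ca_certificates_file at the CA bundle instead.` The same wording would help `insecure_ssl` in plugins/nec/nec.ini further down.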
diff --git a/openstack/etc/neutron/plugins/ml2/ml2_conf_mlnx.ini b/openstack/etc/neutron/plugins/ml2/ml2_conf_mlnx.ini
new file mode 100644
index 00000000..46139aed
--- /dev/null
+++ b/openstack/etc/neutron/plugins/ml2/ml2_conf_mlnx.ini
@@ -0,0 +1,4 @@
+# (StrOpt) Type of Network Interface to allocate for VM:
+# mlnx_direct or hostdev according to libvirt terminology
+# vnic_type = mlnx_direct
diff --git a/openstack/etc/neutron/plugins/ml2/ml2_conf_ncs.ini b/openstack/etc/neutron/plugins/ml2/ml2_conf_ncs.ini
new file mode 100644
index 00000000..dbbfcbd2
--- /dev/null
+++ b/openstack/etc/neutron/plugins/ml2/ml2_conf_ncs.ini
@@ -0,0 +1,28 @@
+# Defines configuration options specific to the Tail-f NCS Mechanism Driver
+# (StrOpt) Tail-f NCS HTTP endpoint for REST access to the OpenStack
+# subtree.
+# If this is not set then no HTTP requests will be made.
+# url =
+# Example: url = http://ncs/api/running/services/openstack
+# (StrOpt) Username for HTTP basic authentication to NCS.
+# This is an optional parameter. If unspecified then no authentication is used.
+# username =
+# Example: username = admin
+# (StrOpt) Password for HTTP basic authentication to NCS.
+# This is an optional parameter. If unspecified then no authentication is used.
+# password =
+# Example: password = admin
+# (IntOpt) Timeout in seconds to wait for NCS HTTP request completion.
+# This is an optional parameter, default value is 10 seconds.
+# timeout =
+# Example: timeout = 15
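Review bot: The example `url = http://ncs/api/running/services/openstack` pairs plain HTTP with the HTTP basic authentication options below it, so the documented setup would send the NCS username and password unencrypted. If the NCS endpoint can serve TLS (not visible from this hunk), the example should read `# Example: url = https://ncs/api/running/services/openstack`. The `username = admin` and `password = admin` examples are better written as placeholders such as `<ncs username>` so they are not deployed verbatim.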
diff --git a/openstack/etc/neutron/plugins/ml2/ml2_conf_odl.ini b/openstack/etc/neutron/plugins/ml2/ml2_conf_odl.ini
new file mode 100644
index 00000000..9e88c1bb
--- /dev/null
+++ b/openstack/etc/neutron/plugins/ml2/ml2_conf_odl.ini
@@ -0,0 +1,30 @@
+# Configuration for the OpenDaylight MechanismDriver
+# (StrOpt) OpenDaylight REST URL
+# If this is not set then no HTTP requests will be made.
+# url =
+# Example: url =
+# (StrOpt) Username for HTTP basic authentication to ODL.
+# username =
+# Example: username = admin
+# (StrOpt) Password for HTTP basic authentication to ODL.
+# password =
+# Example: password = admin
+# (IntOpt) Timeout in seconds to wait for ODL HTTP request completion.
+# This is an optional parameter, default value is 10 seconds.
+# timeout = 10
+# Example: timeout = 15
+# (IntOpt) Timeout in minutes to wait for a Tomcat session timeout.
+# This is an optional parameter, default value is 30 minutes.
+# session_timeout = 30
+# Example: session_timeout = 60
diff --git a/openstack/etc/neutron/plugins/ml2/ml2_conf_ofa.ini b/openstack/etc/neutron/plugins/ml2/ml2_conf_ofa.ini
new file mode 100644
index 00000000..4a94b987
--- /dev/null
+++ b/openstack/etc/neutron/plugins/ml2/ml2_conf_ofa.ini
@@ -0,0 +1,13 @@
+# Defines configuration options specific to the OpenFlow Agent Mechanism Driver
+# Please refer to configuration options to the OpenvSwitch
+# (IntOpt) Number of seconds to retry acquiring an Open vSwitch datapath.
+# This is an optional parameter, default value is 60 seconds.
+# get_datapath_retry_times =
+# Example: get_datapath_retry_times = 30
+# Please refer to configuration options to the OpenvSwitch else the above.
diff --git a/openstack/etc/neutron/plugins/ml2/ml2_conf_sriov.ini b/openstack/etc/neutron/plugins/ml2/ml2_conf_sriov.ini
new file mode 100644
index 00000000..f9522e7f
--- /dev/null
+++ b/openstack/etc/neutron/plugins/ml2/ml2_conf_sriov.ini
@@ -0,0 +1,31 @@
+# Defines configuration options for SRIOV NIC Switch MechanismDriver
+# and Agent
+# (ListOpt) Comma-separated list of
+# supported Vendor PCI Devices, in format vendor_id:product_id
+# supported_pci_vendor_devs = 15b3:1004, 8086:10ca
+# Example: supported_pci_vendor_devs = 15b3:1004
+# (BoolOpt) Requires running SRIOV neutron agent for port binding
+# agent_required = False
+# (ListOpt) Comma-separated list of <physical_network>:<network_device>
+# tuples mapping physical network names to the agent's node-specific
+# physical network device interfaces of SR-IOV physical function to be used
+# for VLAN networks. All physical networks listed in network_vlan_ranges on
+# the server should have mappings to appropriate interfaces on each agent.
+# physical_device_mappings =
+# Example: physical_device_mappings = physnet1:eth1
+# (ListOpt) Comma-separated list of <network_device>:<vfs__to_exclude>
+# tuples, mapping network_device to the agent's node-specific list of virtual
+# functions that should not be used for virtual networking.
+# vfs_to_exclude is a semicolon-separated list of virtual
+# functions to exclude from network_device. The network_device in the
+# mapping should appear in the physical_device_mappings list.
+# exclude_devices =
+# Example: exclude_devices = eth1:0000:07:00.2; 0000:07:00.3
diff --git a/openstack/etc/neutron/plugins/mlnx/mlnx_conf.ini b/openstack/etc/neutron/plugins/mlnx/mlnx_conf.ini
new file mode 100644
index 00000000..b1225111
--- /dev/null
+++ b/openstack/etc/neutron/plugins/mlnx/mlnx_conf.ini
@@ -0,0 +1,79 @@
+# (StrOpt) Type of network to allocate for tenant networks. The
+# default value is 'vlan' You MUST configure network_vlan_ranges below
+# in order for tenant networks to provide connectivity between hosts.
+# Set to 'none' to disable creation of tenant networks.
+# tenant_network_type = vlan
+# Example: tenant_network_type = vlan
+# (ListOpt) Comma-separated list of
+# <physical_network>[:<vlan_min>:<vlan_max>] tuples enumerating ranges
+# of VLAN IDs on named physical networks that are available for
+# allocation. All physical networks listed are available for flat and
+# VLAN provider network creation. Specified ranges of VLAN IDs are
+# available for tenant network allocation if tenant_network_type is
+# 'vlan'. If empty, only local networks may be created.
+# network_vlan_ranges =
+# Example: network_vlan_ranges = default:1:100
+# (ListOpt) Comma-separated list of
+# <physical_network>:<physical_network_type> tuples mapping physical
+# network names to physical network types. All physical
+# networks listed in network_vlan_ranges should have
+# mappings to appropriate physical network type.
+# Type of the physical network can be either eth (Ethernet) or
+# ib (InfiniBand). If empty, physical network eth type is assumed.
+# physical_network_type_mappings =
+# Example: physical_network_type_mappings = default:eth
+# (StrOpt) Type of the physical network, can be either 'eth' or 'ib'
+# The default value is 'eth'
+# physical_network_type = eth
+# (ListOpt) Comma-separated list of
+# <physical_network>:<physical_interface> tuples mapping physical
+# network names to the agent's node-specific physical network
+# interfaces to be used for flat and VLAN networks. All physical
+# networks listed in network_vlan_ranges on the server should have
+# mappings to appropriate interfaces on each agent.
+# physical_interface_mappings =
+# Example: physical_interface_mappings = default:eth2
+# (StrOpt) Type of Network Interface to allocate for VM:
+# direct or hosdev according to libvirt terminology
+# vnic_type = mlnx_direct
+# (StrOpt) Eswitch daemon end point connection url
+# daemon_endpoint = 'tcp://'
+# The number of milliseconds the agent will wait for
+# response on request to daemon
+# request_timeout = 3000
+# The number of retries the agent will send request
+# to daemon before giving up
+# retries = 3
+# The backoff rate multiplier for waiting period between retries
+# on request to daemon, i.e. value of 2 will double
+# the request timeout each retry
+# backoff_rate = 2
+# Agent's polling interval in seconds
+# polling_interval = 2
+# (BoolOpt) Enable server RPC compatibility with old (pre-havana)
+# agents.
+# rpc_support_old_agents = False
+# Controls if neutron security group is enabled or not.
+# It should be false when you use nova security group.
+# enable_security_group = True
diff --git a/openstack/etc/neutron/plugins/nec/nec.ini b/openstack/etc/neutron/plugins/nec/nec.ini
new file mode 100644
index 00000000..798a5a61
--- /dev/null
+++ b/openstack/etc/neutron/plugins/nec/nec.ini
@@ -0,0 +1,63 @@
+# Sample Configurations
+# Do not change this parameter unless you have a good reason to.
+# This is the name of the OVS integration bridge. There is one per hypervisor.
+# The integration bridge acts as a virtual "patch port". All VM VIFs are
+# attached to this bridge and then "patched" according to their network
+# connectivity.
+# integration_bridge = br-int
+# Agent's polling interval in seconds
+# polling_interval = 2
+# Firewall driver for realizing neutron security group function
+firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+# Controls if neutron security group is enabled or not.
+# It should be false when you use nova security group.
+# enable_security_group = True
+# Specify OpenFlow Controller Host, Port and Driver to connect.
+# host =
+# port = 8888
+# Base URL of OpenFlow Controller REST API.
+# It is prepended to a path of each API request.
+# path_prefix =
+# Drivers are in neutron/plugins/nec/drivers/ .
+# driver = trema
+# PacketFilter is available when it's enabled in this configuration
+# and supported by the driver.
+# enable_packet_filter = true
+# Support PacketFilter on OFC router interface
+# support_packet_filter_on_ofc_router = true
+# Use SSL to connect
+# use_ssl = false
+# Key file
+# key_file =
+# Certificate file
+# cert_file =
+# Disable SSL certificate verification
+# insecure_ssl = false
+# Maximum attempts per OFC API request. NEC plugin retries
+# API request to OFC when OFC returns ServiceUnavailable (503).
+# The value must be greater than 0.
+# api_max_attempts = 3
+# Default router provider to use.
+# default_router_provider = l3-agent
+# List of enabled router providers.
+# router_providers = l3-agent,openflow
diff --git a/openstack/etc/neutron/plugins/nuage/nuage_plugin.ini b/openstack/etc/neutron/plugins/nuage/nuage_plugin.ini
new file mode 100644
index 00000000..aad37bd5
--- /dev/null
+++ b/openstack/etc/neutron/plugins/nuage/nuage_plugin.ini
@@ -0,0 +1,41 @@
+# Please fill in the correct data for all the keys below and uncomment key-value pairs
+# (StrOpt) Default Network partition in which VSD will
+# orchestrate network resources using openstack
+#default_net_partition_name = <default-net-partition-name>
+# (StrOpt) Nuage provided uri for initial authorization to
+# access VSD
+#auth_resource = /auth
+# (StrOpt) IP Address and Port of VSD
+#server = ip:port
+# (StrOpt) Organization name in which VSD will orchestrate
+# network resources using openstack
+#organization = org
+# (StrOpt) Username and password of VSD for authentication
+#serverauth = uname:pass
+# (BoolOpt) Boolean for SSL connection with VSD server
+#serverssl = True
+# (StrOpt) Nuage provided base uri to reach out to VSD
+#base_uri = /base
+# (BoolOpt) Boolean to enable sync between openstack and VSD
+#enable_sync = False
+# (IntOpt) Sync interval in seconds between openstack and VSD
+#sync_interval = 0
\ No newline at end of file
diff --git a/openstack/etc/neutron/plugins/oneconvergence/nvsdplugin.ini b/openstack/etc/neutron/plugins/oneconvergence/nvsdplugin.ini
new file mode 100644
index 00000000..a1c05d97
--- /dev/null
+++ b/openstack/etc/neutron/plugins/oneconvergence/nvsdplugin.ini
@@ -0,0 +1,35 @@
+# Configure the NVSD controller. The plugin proxies the api calls using
+# to NVSD controller which implements the required functionality.
+# IP address of NVSD controller api server
+# nvsd_ip = <ip address of nvsd controller>
+# Port number of NVSD controller api server
+# nvsd_port = 8082
+# Authentication credentials to access the api server
+# nvsd_user = <nvsd controller username>
+# nvsd_passwd = <password>
+# API request timeout in seconds
+# request_timeout = <default request timeout>
+# Maximum number of retry attempts to login to the NVSD controller
+# Specify 0 to retry until success (default)
+# nvsd_retries = 0
+# Specify firewall_driver option, if neutron security groups are disabled,
+# then NoopFirewallDriver otherwise OVSHybridIptablesFirewallDriver.
+# firewall_driver = neutron.agent.firewall.NoopFirewallDriver
+# Controls if neutron security group is enabled or not.
+# It should be false when you use nova security group.
+# enable_security_group = True
+# root_helper = sudo /usr/local/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
+# connection = mysql://root:<passwd>@<neutron_db>?charset=utf8
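Review bot: The sample `connection = mysql://root:<passwd>@<neutron_db>?charset=utf8` on the last line suggests connecting the plugin to MySQL as the database superuser. A dedicated account limited to the Neutron schema reduces the impact if this file or the service is compromised. I would change the sample to `# connection = mysql://neutron:<passwd>@<neutron_db>?charset=utf8`. The `root_helper` line above it also has no explanatory comment; one line saying it runs commands through neutron-rootwrap with its filter configuration would help.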
diff --git a/openstack/etc/neutron/plugins/opencontrail/contrailplugin.ini b/openstack/etc/neutron/plugins/opencontrail/contrailplugin.ini
new file mode 100644
index 00000000..629f1fc4
--- /dev/null
+++ b/openstack/etc/neutron/plugins/opencontrail/contrailplugin.ini
@@ -0,0 +1,26 @@
+# OpenContrail is an Apache 2.0-licensed project that is built using
+# standards-based protocols and provides all the necessary components for
+# network virtualization–SDN controller, virtual router, analytics engine,
+# and published northbound APIs
+# For more information visit:
+# Opencontrail plugin specific configuration
+# (StrOpt) IP address to connect to opencontrail controller.
+# Uncomment this line for specifying the IP address of the opencontrail
+# Api-Server.
+# Default value is local host(
+# api_server_ip=''
+# (IntOpt) port to connect to opencontrail controller.
+# Uncomment this line for the specifying the Port of the opencontrail
+# Api-Server.
+# Default value is 8082
+# api_server_port=8082
+# (DictOpt) enable opencontrail extensions
+# Opencontrail in future would support extension such as ipam, policy,
+# these extensions can be configured as shown below. Plugin will then
+# load the specified extensions.
+# Default value is None, it wont load any extension
+# contrail_extensions=ipam:<classpath>,policy:<classpath>
diff --git a/openstack/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini b/openstack/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
new file mode 100644
index 00000000..232ca71d
--- /dev/null
+++ b/openstack/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
@@ -0,0 +1,141 @@
+# (BoolOpt) Set to True in the server and the agents to enable support
+# for GRE or VXLAN networks. Requires kernel support for OVS patch ports and
+# GRE or VXLAN tunneling.
+# WARNING: This option will be deprecated in the Icehouse release, at which
+# point setting tunnel_types will be required to enable tunneling.
+# enable_tunneling = False
+# Do not change this parameter unless you have a good reason to.
+# This is the name of the OVS integration bridge. There is one per hypervisor.
+# The integration bridge acts as a virtual "patch bay". All VM VIFs are
+# attached to this bridge and then "patched" according to their network
+# connectivity.
+# integration_bridge = br-int
+# Only used for the agent if tunnel_id_ranges is not empty for
+# the server. In most cases, the default value should be fine.
+# tunnel_bridge = br-tun
+# Peer patch port in integration bridge for tunnel bridge
+# int_peer_patch_port = patch-tun
+# Peer patch port in tunnel bridge for integration bridge
+# tun_peer_patch_port = patch-int
+# Uncomment this line for the agent if tunnel_id_ranges is not
+# empty for the server. Set local-ip to be the local IP address of
+# this hypervisor.
+# local_ip =
+# (ListOpt) Comma-separated list of <physical_network>:<bridge> tuples
+# mapping physical network names to the agent's node-specific OVS
+# bridge names to be used for flat and VLAN networks. The length of
+# bridge names should be no more than 11. Each bridge must
+# exist, and should have a physical network interface configured as a
+# port. All physical networks configured on the server should have
+# mappings to appropriate bridges on each agent.
+# bridge_mappings =
+# Example: bridge_mappings = physnet1:br-eth1
+# (BoolOpt) Use veths instead of patch ports to interconnect the integration
+# bridge to physical networks. Support kernel without ovs patch port support
+# so long as it is set to True.
+# use_veth_interconnection = False
+# Agent's polling interval in seconds
+# polling_interval = 2
+# Minimize polling by monitoring ovsdb for interface changes
+# minimize_polling = True
+# When minimize_polling = True, the number of seconds to wait before
+# respawning the ovsdb monitor after losing communication with it
+# ovsdb_monitor_respawn_interval = 30
+# (ListOpt) The types of tenant network tunnels supported by the agent.
+# Setting this will enable tunneling support in the agent. This can be set to
+# either 'gre' or 'vxlan'. If this is unset, it will default to [] and
+# disable tunneling support in the agent.
+# You can specify as many values here as your compute hosts supports.
+# tunnel_types =
+# Example: tunnel_types = gre
+# Example: tunnel_types = vxlan
+# Example: tunnel_types = vxlan, gre
+# (IntOpt) The port number to utilize if tunnel_types includes 'vxlan'. By
+# default, this will make use of the Open vSwitch default value of '4789' if
+# not specified.
+# vxlan_udp_port =
+# Example: vxlan_udp_port = 8472
+# (IntOpt) This is the MTU size of veth interfaces.
+# Do not change unless you have a good reason to.
+# The default MTU size of veth interfaces is 1500.
+# This option has no effect if use_veth_interconnection is False
+# veth_mtu =
+# Example: veth_mtu = 1504
+# (BoolOpt) Flag to enable l2-population extension. This option should only be
+# used in conjunction with ml2 plugin and l2population mechanism driver. It'll
+# enable plugin to populate remote ports macs and IPs (using fdb_add/remove
+# RPC calbbacks instead of tunnel_sync/update) on OVS agents in order to
+# optimize tunnel management.
+# l2_population = False
+# Enable local ARP responder. Requires OVS 2.1. This is only used by the l2
+# population ML2 MechanismDriver.
+# arp_responder = False
+# (BoolOpt) Set or un-set the don't fragment (DF) bit on outgoing IP packet
+# carrying GRE/VXLAN tunnel. The default value is True.
+# dont_fragment = True
+# (BoolOpt) Set to True on L2 agents to enable support
+# for distributed virtual routing.
+# enable_distributed_routing = False
+# Firewall driver for realizing neutron security group function.
+# firewall_driver = neutron.agent.firewall.NoopFirewallDriver
+# Example: firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+# Controls if neutron security group is enabled or not.
+# It should be false when you use nova security group.
+# enable_security_group = True
+# Sample Configurations.
+# 1. With VLANs on eth1.
+# [ovs]
+# integration_bridge = br-int
+# bridge_mappings = default:br-eth1
+# 2. With GRE tunneling.
+# [ovs]
+# integration_bridge = br-int
+# tunnel_bridge = br-tun
+# local_ip =
+# 3. With VXLAN tunneling.
+# [ovs]
+# integration_bridge = br-int
+# tunnel_bridge = br-tun
+# local_ip =
+# [agent]
+# tunnel_types = vxlan
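Review bot: The documented default `firewall_driver = neutron.agent.firewall.NoopFirewallDriver` sits next to `enable_security_group = True` with no comment explaining the combination. As far as I know the Noop driver applies no packet filtering, so a deployment that keeps this default would accept security group rules through the API without enforcing them on the agent. That is worth confirming against the Neutron release being packaged. I would add `# NoopFirewallDriver performs no filtering; use OVSHybridIptablesFirewallDriver to enforce security groups.` above the key, which also matches the driver that plugins/nec/nec.ini sets in this commit.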
diff --git a/openstack/etc/neutron/plugins/plumgrid/plumgrid.ini b/openstack/etc/neutron/plugins/plumgrid/plumgrid.ini
new file mode 100644
index 00000000..bfe8062a
--- /dev/null
+++ b/openstack/etc/neutron/plugins/plumgrid/plumgrid.ini
@@ -0,0 +1,14 @@
+# Config file for Neutron PLUMgrid Plugin
+# This line should be pointing to the PLUMgrid Director,
+# for the PLUMgrid platform.
+# director_server=<director-ip-address>
+# director_server_port=<director-port>
+# Authentification parameters for the Director.
+# These are the admin credentials to manage and control
+# the PLUMgrid Director server.
+# username=<director-admin-username>
+# password=<director-admin-password>
+# servertimeout=5
+# driver=<plugin-driver>
diff --git a/openstack/etc/neutron/plugins/vmware/nsx.ini b/openstack/etc/neutron/plugins/vmware/nsx.ini
new file mode 100644
index 00000000..a9bf5c5e
--- /dev/null
+++ b/openstack/etc/neutron/plugins/vmware/nsx.ini
@@ -0,0 +1,203 @@
+# User name for NSX controller
+# nsx_user = admin
+# Password for NSX controller
+# nsx_password = admin
+# Time before aborting a request on an unresponsive controller (Seconds)
+# http_timeout = 75
+# Maximum number of times a particular request should be retried
+# retries = 2
+# Maximum number of times a redirect response should be followed
+# redirects = 2
+# Comma-separated list of NSX controller endpoints (<ip>:<port>). When port
+# is omitted, 443 is assumed. This option MUST be specified, e.g.:
+# nsx_controllers = xx.yy.zz.ww:443,,
+# UUID of the pre-existing default NSX Transport zone to be used for creating
+# tunneled isolated "Neutron" networks. This option MUST be specified, e.g.:
+# default_tz_uuid = 1e8e52cf-fa7f-46b0-a14a-f99835a9cb53
+# (Optional) UUID for the default l3 gateway service to use with this cluster.
+# To be specified if planning to use logical routers with external gateways.
+# default_l3_gw_service_uuid =
+# (Optional) UUID for the default l2 gateway service to use with this cluster.
+# To be specified for providing a predefined gateway tenant for connecting their networks.
+# default_l2_gw_service_uuid =
+# (Optional) UUID for the default service cluster. A service cluster is introduced to
+# represent a group of gateways and it is needed in order to use Logical Services like
+# dhcp and metadata in the logical space. NOTE: If agent_mode is set to 'agentless' this
+# config parameter *MUST BE* set to a valid pre-existent service cluster uuid.
+# default_service_cluster_uuid =
+# Name of the default interface name to be used on network-gateway. This value
+# will be used for any device associated with a network gateway for which an
+# interface name was not specified
+# default_interface_name = breth0
+# Reconnect connection to nsx if not used within this amount of time.
+# conn_idle_timeout = 900
+# number of network gateways allowed per tenant, -1 means unlimited
+# quota_network_gateway = 5
+# URL for VCNS manager
+# manager_uri = https://management_ip
+# User name for VCNS manager
+# user = admin
+# Password for VCNS manager
+# password = default
+# (Optional) Datacenter ID for Edge deployment
+# datacenter_moid =
+# (Optional) Deployment Container ID for NSX Edge deployment
+# If not specified, either a default global container will be used, or
+# the resource pool and datastore specified below will be used
+# deployment_container_id =
+# (Optional) Resource pool ID for NSX Edge deployment
+# resource_pool_id =
+# (Optional) Datastore ID for NSX Edge deployment
+# datastore_id =
+# (Required) UUID of logic switch for physical network connectivity
+# external_network =
+# (Optional) Asynchronous task status check interval
+# default is 2000 (millisecond)
+# task_status_check_interval = 2000
+# Maximum number of ports for each bridged logical switch
+# The recommended value for this parameter varies with NSX version
+# Please use:
+# NSX 2.x -> 64
+# NSX 3.0, 3.1 -> 5000
+# NSX 3.2 -> 10000
+# max_lp_per_bridged_ls = 5000
+# Maximum number of ports for each overlay (stt, gre) logical switch
+# max_lp_per_overlay_ls = 256
+# Number of connections to each controller node.
+# default is 10
+# concurrent_connections = 10
+# Number of seconds a generation id should be valid for (default -1 meaning do not time out)
+# nsx_gen_timeout = -1
+# Acceptable values for 'metadata_mode' are:
+# - 'access_network': this enables a dedicated connection to the metadata
+# proxy for metadata server access via Neutron router.
+# - 'dhcp_host_route': this enables host route injection via the dhcp agent.
+# This option is only useful if running on a host that does not support
+# namespaces otherwise access_network should be used.
+# metadata_mode = access_network
+# The default network transport type to use (stt, gre, bridge, ipsec_gre, or ipsec_stt)
+# default_transport_type = stt
+# Specifies in which mode the plugin needs to operate in order to provide DHCP and
+# metadata proxy services to tenant instances. If 'agent' is chosen (default)
+# the NSX plugin relies on external RPC agents (i.e. dhcp and metadata agents) to
+# provide such services. In this mode, the plugin supports API extensions 'agent'
+# and 'dhcp_agent_scheduler'. If 'agentless' is chosen (experimental in Icehouse),
+# the plugin will use NSX logical services for DHCP and metadata proxy. This
+# simplifies the deployment model for Neutron, in that the plugin no longer requires
+# the RPC agents to operate. When 'agentless' is chosen, the config option metadata_mode
+# becomes ineffective. The 'agentless' mode is supported from NSX 4.2 or above.
+# Furthermore, a 'combined' mode is also provided and is used to support existing
+# deployments that want to adopt the agentless mode going forward. With this mode,
+# existing networks keep being served by the existing infrastructure (thus preserving
+# backward compatibility, whereas new networks will be served by the new infrastructure.
+# Migration tools are provided to 'move' one network from one model to another; with
+# agent_mode set to 'combined', option 'network_auto_schedule' in neutron.conf is
+# ignored, as new networks will no longer be scheduled to existing dhcp agents.
+# agent_mode = agent
+# Specifies which mode packet replication should be done in. If set to service
+# a service node is required in order to perform packet replication. This can
+# also be set to source if one wants replication to be performed locally (NOTE:
+# usually only useful for testing if one does not want to deploy a service node).
+# In order to leverage distributed routers, replication_mode should be set to
+# "service".
+# replication_mode = service
+# Interval in seconds between runs of the status synchronization task.
+# The plugin will aim at resynchronizing operational status for all
+# resources in this interval, and it should be therefore large enough
+# to ensure the task is feasible. Otherwise the plugin will be
+# constantly synchronizing resource status, ie: a new task is started
+# as soon as the previous is completed.
+# If this value is set to 0, the state synchronization thread for this
+# Neutron instance will be disabled.
+# state_sync_interval = 10
+# Random additional delay between two runs of the state synchronization task.
+# An additional wait time between 0 and max_random_sync_delay seconds
+# will be added on top of state_sync_interval.
+# max_random_sync_delay = 0
+# Minimum delay, in seconds, between two status synchronization requests for NSX.
+# Depending on chunk size, controller load, and other factors, state
+# synchronization requests might be pretty heavy. This means the
+# controller might take time to respond, and its load might be quite
+# increased by them. This parameter allows to specify a minimum
+# interval between two subsequent requests.
+# The value for this parameter must never exceed state_sync_interval.
+# If this does, an error will be raised at startup.
+# min_sync_req_delay = 1
+# Minimum number of resources to be retrieved from NSX in a single status
+# synchronization request.
+# The actual size of the chunk will increase if the number of resources is such
+# that using the minimum chunk size will cause the interval between two
+# requests to be less than min_sync_req_delay
+# min_chunk_size = 500
+# Enable this option to allow punctual state synchronization on show
+# operations. In this way, show operations will always fetch the operational
+# status of the resource from the NSX backend, and this might have
+# a considerable impact on overall performance.
+# always_read_status = False
+# Pull LSN information from NSX in case it is missing from the local
+# data store. This is useful to rebuild the local store in case of
+# server recovery
+# sync_on_missing_data = False
+# (Optional) Comma separated list of additional dns servers. Default is an empty list
+# extra_domain_name_servers =
+# Domain to use for building the hostnames
+# domain_name = openstacklocal
+# Default DHCP lease time
+# default_lease_time = 43200
+# IP address used by Metadata server
+# metadata_server_address =
+# TCP Port used by Metadata server
+# metadata_server_port = 8775
+# When proxying metadata requests, Neutron signs the Instance-ID header with a
+# shared secret to prevent spoofing. You may select any string for a secret,
+# but it MUST match with the configuration used by the Metadata server
+# metadata_shared_secret =
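Review bot: The `metadata_shared_secret` comment at the end of the hunk says any string may be chosen, but the key is left empty and nothing says what an empty value means. Presumably an empty secret gives the Instance-ID signature no protective value, so I would add `# Set to a long random string; do not leave empty when the metadata proxy is in use.` The commented defaults `nsx_password = admin` and `password = default` higher up look like vendor defaults and deserve a `# change before use` remark.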
diff --git a/openstack/etc/neutron/policy.json b/openstack/etc/neutron/policy.json
new file mode 100644
index 00000000..3f692281
--- /dev/null
+++ b/openstack/etc/neutron/policy.json
@@ -0,0 +1,138 @@
+ "context_is_admin": "role:admin",
+ "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
+ "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
+ "admin_only": "rule:context_is_admin",
+ "regular_user": "",
+ "shared": "field:networks:shared=True",
+ "shared_firewalls": "field:firewalls:shared=True",
+ "external": "field:networks:router:external=True",
+ "default": "rule:admin_or_owner",
+ "create_subnet": "rule:admin_or_network_owner",
+ "get_subnet": "rule:admin_or_owner or rule:shared",
+ "update_subnet": "rule:admin_or_network_owner",
+ "delete_subnet": "rule:admin_or_network_owner",
+ "create_network": "",
+ "get_network": "rule:admin_or_owner or rule:shared or rule:external",
+ "get_network:router:external": "rule:regular_user",
+ "get_network:segments": "rule:admin_only",
+ "get_network:provider:network_type": "rule:admin_only",
+ "get_network:provider:physical_network": "rule:admin_only",
+ "get_network:provider:segmentation_id": "rule:admin_only",
+ "get_network:queue_id": "rule:admin_only",
+ "create_network:shared": "rule:admin_only",
+ "create_network:router:external": "rule:admin_only",
+ "create_network:segments": "rule:admin_only",
+ "create_network:provider:network_type": "rule:admin_only",
+ "create_network:provider:physical_network": "rule:admin_only",
+ "create_network:provider:segmentation_id": "rule:admin_only",
+ "update_network": "rule:admin_or_owner",
+ "update_network:segments": "rule:admin_only",
+ "update_network:shared": "rule:admin_only",
+ "update_network:provider:network_type": "rule:admin_only",
+ "update_network:provider:physical_network": "rule:admin_only",
+ "update_network:provider:segmentation_id": "rule:admin_only",
+ "update_network:router:external": "rule:admin_only",
+ "delete_network": "rule:admin_or_owner",
+ "create_port": "",
+ "create_port:mac_address": "rule:admin_or_network_owner",
+ "create_port:fixed_ips": "rule:admin_or_network_owner",
+ "create_port:port_security_enabled": "rule:admin_or_network_owner",
+ "create_port:binding:host_id": "rule:admin_only",
+ "create_port:binding:profile": "rule:admin_only",
+ "create_port:mac_learning_enabled": "rule:admin_or_network_owner",
+ "get_port": "rule:admin_or_owner",
+ "get_port:queue_id": "rule:admin_only",
+ "get_port:binding:vif_type": "rule:admin_only",
+ "get_port:binding:vif_details": "rule:admin_only",
+ "get_port:binding:host_id": "rule:admin_only",
+ "get_port:binding:profile": "rule:admin_only",
+ "update_port": "rule:admin_or_owner",
+ "update_port:fixed_ips": "rule:admin_or_network_owner",
+ "update_port:port_security_enabled": "rule:admin_or_network_owner",
+ "update_port:binding:host_id": "rule:admin_only",
+ "update_port:binding:profile": "rule:admin_only",
+ "update_port:mac_learning_enabled": "rule:admin_or_network_owner",
+ "delete_port": "rule:admin_or_owner",
+ "get_router:ha": "rule:admin_only",
+ "create_router": "rule:regular_user",
+ "create_router:external_gateway_info:enable_snat": "rule:admin_only",
+ "create_router:distributed": "rule:admin_only",
+ "create_router:ha": "rule:admin_only",
+ "get_router": "rule:admin_or_owner",
+ "get_router:distributed": "rule:admin_only",
+ "update_router:external_gateway_info:enable_snat": "rule:admin_only",
+ "update_router:distributed": "rule:admin_only",
+ "update_router:ha": "rule:admin_only",
+ "delete_router": "rule:admin_or_owner",
+ "add_router_interface": "rule:admin_or_owner",
+ "remove_router_interface": "rule:admin_or_owner",
+ "create_firewall": "",
+ "get_firewall": "rule:admin_or_owner",
+ "create_firewall:shared": "rule:admin_only",
+ "get_firewall:shared": "rule:admin_only",
+ "update_firewall": "rule:admin_or_owner",
+ "update_firewall:shared": "rule:admin_only",
+ "delete_firewall": "rule:admin_or_owner",
+ "create_firewall_policy": "",
+ "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewalls",
+ "create_firewall_policy:shared": "rule:admin_or_owner",
+ "update_firewall_policy": "rule:admin_or_owner",
+ "delete_firewall_policy": "rule:admin_or_owner",
+ "create_firewall_rule": "",
+ "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
+ "update_firewall_rule": "rule:admin_or_owner",
+ "delete_firewall_rule": "rule:admin_or_owner",
+ "create_qos_queue": "rule:admin_only",
+ "get_qos_queue": "rule:admin_only",
+ "update_agent": "rule:admin_only",
+ "delete_agent": "rule:admin_only",
+ "get_agent": "rule:admin_only",
+ "create_dhcp-network": "rule:admin_only",
+ "delete_dhcp-network": "rule:admin_only",
+ "get_dhcp-networks": "rule:admin_only",
+ "create_l3-router": "rule:admin_only",
+ "delete_l3-router": "rule:admin_only",
+ "get_l3-routers": "rule:admin_only",
+ "get_dhcp-agents": "rule:admin_only",
+ "get_l3-agents": "rule:admin_only",
+ "get_loadbalancer-agent": "rule:admin_only",
+ "get_loadbalancer-pools": "rule:admin_only",
+ "create_floatingip": "rule:regular_user",
+ "update_floatingip": "rule:admin_or_owner",
+ "delete_floatingip": "rule:admin_or_owner",
+ "get_floatingip": "rule:admin_or_owner",
+ "create_network_profile": "rule:admin_only",
+ "update_network_profile": "rule:admin_only",
+ "delete_network_profile": "rule:admin_only",
+ "get_network_profiles": "",
+ "get_network_profile": "",
+ "update_policy_profiles": "rule:admin_only",
+ "get_policy_profiles": "",
+ "get_policy_profile": "",
+ "create_metering_label": "rule:admin_only",
+ "delete_metering_label": "rule:admin_only",
+ "get_metering_label": "rule:admin_only",
+ "create_metering_label_rule": "rule:admin_only",
+ "delete_metering_label_rule": "rule:admin_only",
+ "get_metering_label_rule": "rule:admin_only",
+ "get_service_provider": "rule:regular_user",
+ "get_lsn": "rule:admin_only",
+ "create_lsn": "rule:admin_only"
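Review bot: `create_firewall_policy:shared` is granted to `rule:admin_or_owner`, while `create_firewall:shared`, `create_network:shared` and `update_network:shared` in the same file are `rule:admin_only`. As written, a tenant can presumably mark its own firewall policy as shared, and `get_firewall_policy` then exposes it to other tenants through `rule:shared_firewalls`. If that is not intended, change the line to `"create_firewall_policy:shared": "rule:admin_only",`. Separately, the rules mapped to the empty string (`create_network`, `create_port`, `create_firewall`, `get_network_profiles`, `get_policy_profiles` and others) accept any authenticated caller, so each one should be a deliberate choice rather than an inherited default.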
diff --git a/openstack/etc/neutron/rootwrap.conf b/openstack/etc/neutron/rootwrap.conf
new file mode 100644
index 00000000..ab5f4393
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.conf
@@ -0,0 +1,34 @@
+# Configuration for neutron-rootwrap
+# This file should be owned by (and only-writeable by) the root user
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+# Enable logging to syslog
+# Default value is False
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, local0, local1...
+# Default value is 'syslog'
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+# XenAPI configuration is only required by the L2 agent if it is to
+# target a XenServer/XCP compute host's dom0.
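Review bot: The comments say syslog logging defaults to False, and no setting line is visible in this hunk as shown, so it cannot be confirmed from here that privileged command use is recorded. Every filter under rootwrap.d runs its command as root, so consider setting `use_syslog=True` with `syslog_log_level=INFO` to leave an audit trail of both accepted and rejected invocations. The "only-writeable by root" requirement on this file and on the filter directories is stated only in comments. The step that installs these files should set owner and mode explicitly rather than rely on the build's defaults.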
diff --git a/openstack/etc/neutron/rootwrap.d/cisco-apic.filters b/openstack/etc/neutron/rootwrap.d/cisco-apic.filters
new file mode 100644
index 00000000..69e4afcc
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/cisco-apic.filters
@@ -0,0 +1,16 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+# This file should be owned by (and only-writeable by) the root user
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+# cisco-apic filters
+lldpctl: CommandFilter, lldpctl, root
+# ip_lib filters
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
diff --git a/openstack/etc/neutron/rootwrap.d/debug.filters b/openstack/etc/neutron/rootwrap.d/debug.filters
new file mode 100644
index 00000000..b61d9601
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/debug.filters
@@ -0,0 +1,14 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+# This file should be owned by (and only-writeable by) the root user
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+# This is needed because we should ping
+# from inside a namespace which requires root
+ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
+ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
diff --git a/openstack/etc/neutron/rootwrap.d/dhcp.filters b/openstack/etc/neutron/rootwrap.d/dhcp.filters
new file mode 100644
index 00000000..0712ec13
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/dhcp.filters
@@ -0,0 +1,35 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+# This file should be owned by (and only-writeable by) the root user
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+# dhcp-agent
+dnsmasq: EnvFilter, dnsmasq, root, NEUTRON_NETWORK_ID=
+# dhcp-agent uses kill as well, that's handled by the generic KillFilter
+# it looks like these are the only signals needed, per
+# neutron/agent/linux/
+kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP
+kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+ivs-ctl: CommandFilter, ivs-ctl, root
+mm-ctl: CommandFilter, mm-ctl, root
+dhcp_release: CommandFilter, dhcp_release, root
+# metadata proxy
+metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
+# If installed from source (say, by devstack), the prefix will be
+# /usr/local instead of /usr/bin.
+metadata_proxy_local: CommandFilter, /usr/local/bin/neutron-ns-metadata-proxy, root
+# RHEL invocation of the metadata proxy will report /usr/bin/python
+kill_metadata: KillFilter, root, python, -9
+kill_metadata7: KillFilter, root, python2.7, -9
+# ip_lib
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
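Review bot: `kill_metadata: KillFilter, root, python, -9` and `kill_metadata7: KillFilter, root, python2.7, -9` match on the interpreter, not on the metadata proxy. The neutron service account can therefore presumably send SIGKILL to any process on the host whose executable is python. The same two lines appear in l3.filters. If the filter cannot be narrowed, add a comment above them such as `# NOTE: matches every python process, not only neutron-ns-metadata-proxy`, and avoid co-locating the agents with unrelated Python services.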
diff --git a/openstack/etc/neutron/rootwrap.d/ipset-firewall.filters b/openstack/etc/neutron/rootwrap.d/ipset-firewall.filters
new file mode 100644
index 00000000..52c66373
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/ipset-firewall.filters
@@ -0,0 +1,12 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+# This file should be owned by (and only-writeable by) the root user
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+# neutron/agent/linux/
+# "ipset", "-A", ...
+ipset: CommandFilter, ipset, root
diff --git a/openstack/etc/neutron/rootwrap.d/iptables-firewall.filters b/openstack/etc/neutron/rootwrap.d/iptables-firewall.filters
new file mode 100644
index 00000000..b8a6ab5b
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/iptables-firewall.filters
@@ -0,0 +1,21 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+# This file should be owned by (and only-writeable by) the root user
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+# neutron/agent/linux/
+# "iptables-save", ...
+iptables-save: CommandFilter, iptables-save, root
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
+# neutron/agent/linux/
+# "iptables", "-A", ...
+iptables: CommandFilter, iptables, root
+ip6tables: CommandFilter, ip6tables, root
diff --git a/openstack/etc/neutron/rootwrap.d/l3.filters b/openstack/etc/neutron/rootwrap.d/l3.filters
new file mode 100644
index 00000000..be69b32c
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/l3.filters
@@ -0,0 +1,48 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+# This file should be owned by (and only-writeable by) the root user
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+# arping
+arping: CommandFilter, arping, root
+# l3_agent
+sysctl: CommandFilter, sysctl, root
+route: CommandFilter, route, root
+radvd: CommandFilter, radvd, root
+# metadata proxy
+metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
+# If installed from source (say, by devstack), the prefix will be
+# /usr/local instead of /usr/bin.
+metadata_proxy_local: CommandFilter, /usr/local/bin/neutron-ns-metadata-proxy, root
+# RHEL invocation of the metadata proxy will report /usr/bin/python
+kill_metadata: KillFilter, root, python, -9
+kill_metadata7: KillFilter, root, python2.7, -9
+kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -9, -HUP
+kill_radvd: KillFilter, root, /sbin/radvd, -9, -HUP
+# ip_lib
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
+# ovs_lib (if OVSInterfaceDriver is used)
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+# iptables_manager
+iptables-save: CommandFilter, iptables-save, root
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
+# Keepalived
+keepalived: CommandFilter, keepalived, root
+kill_keepalived: KillFilter, root, /usr/sbin/keepalived, -HUP, -15, -9
+# l3 agent to delete floatingip's conntrack state
+conntrack: CommandFilter, conntrack, root
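Review bot: `sysctl`, `route`, `radvd`, `keepalived` and `conntrack` are plain `CommandFilter` entries, which constrain the executable name but not its arguments, so the agent account may run them as root with any parameters. Where the agent's invocations have a fixed shape, a `RegExpFilter` in the style of the `ping` entry in debug.filters would limit the grant to what is actually used. The exact patterns have to come from the agent code, which is not part of this diff, so at minimum mark the entries, e.g. `# TODO: restrict arguments with RegExpFilter`. The unrestricted `CommandFilter` entries in the other rootwrap.d files (`haproxy`, `iptables`, `ipset`, `ovs-vsctl`, `xe`, `ipsec`) raise the same question.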
diff --git a/openstack/etc/neutron/rootwrap.d/lbaas-haproxy.filters b/openstack/etc/neutron/rootwrap.d/lbaas-haproxy.filters
new file mode 100644
index 00000000..b4e1ecba
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/lbaas-haproxy.filters
@@ -0,0 +1,26 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+# This file should be owned by (and only-writeable by) the root user
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+# haproxy
+haproxy: CommandFilter, haproxy, root
+# lbaas-agent uses kill as well, that's handled by the generic KillFilter
+kill_haproxy_usr: KillFilter, root, /usr/sbin/haproxy, -9, -HUP
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+mm-ctl: CommandFilter, mm-ctl, root
+# ip_lib
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
+route: CommandFilter, route, root
+# arping
+arping: CommandFilter, arping, root
diff --git a/openstack/etc/neutron/rootwrap.d/linuxbridge-plugin.filters b/openstack/etc/neutron/rootwrap.d/linuxbridge-plugin.filters
new file mode 100644
index 00000000..03df3959
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/linuxbridge-plugin.filters
@@ -0,0 +1,19 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+# This file should be owned by (and only-writeable by) the root user
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+# linuxbridge-agent
+# unclear whether both variants are necessary, but I'm transliterating
+# from the old mechanism
+brctl: CommandFilter, brctl, root
+bridge: CommandFilter, bridge, root
+# ip_lib
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
diff --git a/openstack/etc/neutron/rootwrap.d/nec-plugin.filters b/openstack/etc/neutron/rootwrap.d/nec-plugin.filters
new file mode 100644
index 00000000..89c4cfe3
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/nec-plugin.filters
@@ -0,0 +1,12 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+# This file should be owned by (and only-writeable by) the root user
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+# nec_neutron_agent
+ovs-vsctl: CommandFilter, ovs-vsctl, root
diff --git a/openstack/etc/neutron/rootwrap.d/ofagent.filters b/openstack/etc/neutron/rootwrap.d/ofagent.filters
new file mode 100644
index 00000000..11e42564
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/ofagent.filters
@@ -0,0 +1,16 @@
+# neutron-rootwrap command filters for nodes on which
+# neutron-ofagent-agent is expected to control network
+# This file should be owned by (and only-writeable by) the root user
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+# ovs_lib
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+# ip_lib
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
diff --git a/openstack/etc/neutron/rootwrap.d/openvswitch-plugin.filters b/openstack/etc/neutron/rootwrap.d/openvswitch-plugin.filters
new file mode 100644
index 00000000..b63a83b9
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/openvswitch-plugin.filters
@@ -0,0 +1,22 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+# This file should be owned by (and only-writeable by) the root user
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+# openvswitch-agent
+# unclear whether both variants are necessary, but I'm transliterating
+# from the old mechanism
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+ovs-ofctl: CommandFilter, ovs-ofctl, root
+kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
+ovsdb-client: CommandFilter, ovsdb-client, root
+xe: CommandFilter, xe, root
+# ip_lib
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
diff --git a/openstack/etc/neutron/rootwrap.d/vpnaas.filters b/openstack/etc/neutron/rootwrap.d/vpnaas.filters
new file mode 100644
index 00000000..7848136b
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/vpnaas.filters
@@ -0,0 +1,13 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+# This file should be owned by (and only-writeable by) the root user
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
+openswan: CommandFilter, ipsec, root
diff --git a/openstack/etc/neutron/vpn_agent.ini b/openstack/etc/neutron/vpn_agent.ini
new file mode 100644
index 00000000..c3089df9
--- /dev/null
+++ b/openstack/etc/neutron/vpn_agent.ini
@@ -0,0 +1,14 @@
+# VPN-Agent configuration file
+# Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also
+# vpn device drivers which vpn agent will use
+# If we want to use multiple drivers, we need to define this option multiple times.
+# vpn_device_driver=another_driver
+# Status check interval
+# ipsec_status_check_interval=60