diff options
Diffstat (limited to 'old/install-files/openstack/usr')
96 files changed, 16632 insertions, 0 deletions
diff --git a/old/install-files/openstack/usr/lib/sysctl.d/neutron.conf b/old/install-files/openstack/usr/lib/sysctl.d/neutron.conf new file mode 100644 index 00000000..644ca116 --- /dev/null +++ b/old/install-files/openstack/usr/lib/sysctl.d/neutron.conf @@ -0,0 +1,3 @@ +# Disable rp filtering, enabling forwarding is handled by networkd +net.ipv4.conf.all.rp_filter=0 +net.ipv4.conf.default.rp_filter=0 diff --git a/old/install-files/openstack/usr/lib/systemd/system/apache-httpd.service b/old/install-files/openstack/usr/lib/systemd/system/apache-httpd.service new file mode 100644 index 00000000..e2a840c6 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/apache-httpd.service @@ -0,0 +1,16 @@ +[Unit] +Description=Apache Web Server +After=network.target remote-fs.target nss-lookup.target +Wants=network.target + +[Service] +Type=forking +PIDFile=/var/run/httpd.pid +ExecStart=/usr/sbin/apachectl start +ExecStop=/usr/sbin/apachectl graceful-stop +ExecReload=/usr/sbin/apachectl graceful +PrivateTmp=true +LimitNOFILE=infinity + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/iscsi-setup.service b/old/install-files/openstack/usr/lib/systemd/system/iscsi-setup.service new file mode 100644 index 00000000..4cb10045 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/iscsi-setup.service @@ -0,0 +1,12 @@ +[Unit] +Description=Run iscsi-setup Ansible scripts +Before=iscsid.service target.service +Wants=iscsid.service target.service + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/bin/ansible-playbook -v -M /usr/share/ansible/ansible-openstack-modules -i /usr/share/openstack/hosts /usr/share/openstack/iscsi.yml + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-alarm-evaluator.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-alarm-evaluator.service new file mode 100644 index 00000000..6e3ada59 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-alarm-evaluator.service @@ -0,0 +1,15 @@ +[Unit] +Description=OpenStack ceilometer alarm evaluation service +ConditionPathExists=/etc/ceilometer/ceilometer.conf +After=network-online.target openstack-ceilometer-config-setup.service openstack-ceilometer-db-setup.service +Wants=network-online.target + +[Service] +Type=simple +User=ceilometer +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/ceilometer-alarm-evaluator --config-file /etc/ceilometer/ceilometer.conf + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-alarm-notifier.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-alarm-notifier.service new file mode 100644 index 00000000..7a3e1c91 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-alarm-notifier.service @@ -0,0 +1,15 @@ +[Unit] +Description=OpenStack ceilometer alarm notification service +ConditionPathExists=/etc/ceilometer/ceilometer.conf +After=network-online.target openstack-ceilometer-config-setup.service openstack-ceilometer-db-setup.service +Wants=network-online.target + +[Service] +Type=simple +User=ceilometer +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/ceilometer-alarm-notifier --config-file /etc/ceilometer/ceilometer.conf + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-api.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-api.service new file mode 100644 index 00000000..eb0293bf --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-api.service @@ -0,0 +1,15 @@ +[Unit] +Description=OpenStack ceilometer API service +ConditionPathExists=/etc/ceilometer/ceilometer.conf +After=network-online.target openstack-ceilometer-config-setup.service openstack-ceilometer-db-setup.service +Wants=network-online.target + +[Service] +Type=simple +User=ceilometer +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/ceilometer-api --config-file /etc/ceilometer/ceilometer.conf + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-central.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-central.service new file mode 100644 index 00000000..a1bc11ee --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-central.service @@ -0,0 +1,15 @@ +[Unit] +Description=OpenStack ceilometer central agent +ConditionPathExists=/etc/ceilometer/ceilometer.conf +After=network-online.target openstack-ceilometer-config-setup.service openstack-ceilometer-db-setup.service openstack-ceilometer-collector.service +Wants=network-online.target + +[Service] +Type=simple +User=ceilometer +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/ceilometer-agent-central --config-file /etc/ceilometer/ceilometer.conf + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-collector.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-collector.service new file mode 100644 index 00000000..dafc3ac7 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-collector.service @@ -0,0 +1,15 @@ +[Unit] +Description=OpenStack ceilometer collection service +ConditionPathExists=/etc/ceilometer/ceilometer.conf +After=network-online.target openstack-ceilometer-config-setup.service openstack-ceilometer-db-setup.service +Wants=network-online.target + +[Service] +Type=simple +User=ceilometer +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/ceilometer-collector --config-file /etc/ceilometer/ceilometer.conf + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-compute.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-compute.service new file mode 100644 index 00000000..9fe8a1e6 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-compute.service @@ -0,0 +1,15 @@ +[Unit] +Description=OpenStack ceilometer compute agent +ConditionPathExists=/etc/ceilometer/ceilometer.conf +After=network-online.target openstack-ceilometer-config-setup.service openstack-ceilometer-db-setup.service +Wants=network-online.target + +[Service] +Type=simple +User=ceilometer +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/ceilometer-agent-compute --config-file /etc/ceilometer/ceilometer.conf + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-config-setup.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-config-setup.service new file mode 100644 index 00000000..c3e809d7 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-config-setup.service @@ -0,0 +1,11 @@ +[Unit] +Description=Run ceilometer-config-setup Ansible scripts +ConditionPathExists=/etc/openstack/ceilometer.conf + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/bin/ansible-playbook -v -M /usr/share/ansible/ansible-openstack-modules -i /usr/share/openstack/hosts /usr/share/openstack/ceilometer-config.yml + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-db-setup.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-db-setup.service new file mode 100644 index 00000000..7a785227 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-db-setup.service @@ -0,0 +1,13 @@ +[Unit] +Description=Run ceilometer-db-setup Ansible scripts +ConditionPathExists=/etc/openstack/ceilometer.conf +After=network-online.target postgres-server-setup.service openstack-keystone-setup.service openstack-ceilometer-config-setup.service +Wants=network-online.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/bin/ansible-playbook -v -M /usr/share/ansible/ansible-openstack-modules -i /usr/share/openstack/hosts /usr/share/openstack/ceilometer-db.yml + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-notification.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-notification.service new file mode 100644 index 00000000..6696116e --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-ceilometer-notification.service @@ -0,0 +1,15 @@ +[Unit] +Description=OpenStack ceilometer notification agent +ConditionPathExists=/etc/ceilometer/ceilometer.conf +After=network-online.target openstack-ceilometer-config-setup.service openstack-ceilometer-db-setup.service openstack-ceilometer-collector.service +Wants=network-online.target + +[Service] +Type=simple +User=ceilometer +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/ceilometer-agent-notification --config-file /etc/ceilometer/ceilometer.conf + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-cinder-api.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-cinder-api.service new file mode 100644 index 00000000..a284f31d --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-cinder-api.service @@ -0,0 +1,15 @@ +[Unit] +Description=OpenStack Volume Service (code-named Cinder) API server +ConditionPathExists=/etc/cinder/cinder.conf +After=network-online.target openstack-cinder-config-setup.service openstack-cinder-db-setup.service +Wants=network-online.target + +[Service] +Type=simple +User=cinder +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/cinder-api --config-file /etc/cinder/cinder.conf + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-cinder-backup.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-cinder-backup.service new file mode 100644 index 00000000..c14e13aa --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-cinder-backup.service @@ -0,0 +1,15 @@ +[Unit] +Description=OpenStack Cinder backup server +ConditionPathExists=/etc/cinder/cinder.conf +After=network-online.target openstack-cinder-config-setup.service openstack-cinder-db-setup.service openstack-cinder-volume.service +Wants=network-online.target + +[Service] +Type=simple +User=cinder +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/cinder-backup --config-file /etc/cinder/cinder.conf + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-cinder-config-setup.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-cinder-config-setup.service new file mode 100644 index 00000000..1c966933 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-cinder-config-setup.service @@ -0,0 +1,11 @@ +[Unit] +Description=Run cinder-config-setup Ansible scripts +ConditionPathExists=/etc/openstack/cinder.conf + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/bin/ansible-playbook -v -M /usr/share/ansible/ansible-openstack-modules -i /usr/share/openstack/hosts /usr/share/openstack/cinder-config.yml + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-cinder-db-setup.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-cinder-db-setup.service new file mode 100644 index 00000000..a3c66d67 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-cinder-db-setup.service @@ -0,0 +1,13 @@ +[Unit] +Description=Run cinder-db-setup Ansible scripts +ConditionPathExists=/etc/openstack/cinder.conf +After=network-online.target postgres-server-setup.service openstack-keystone-setup.service openstack-cinder-config-setup.service +Wants=network-online.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/bin/ansible-playbook -v -M /usr/share/ansible/ansible-openstack-modules -i /usr/share/openstack/hosts /usr/share/openstack/cinder-db.yml + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-cinder-lv-setup.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-cinder-lv-setup.service new file mode 100644 index 00000000..82e9b08d --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-cinder-lv-setup.service @@ -0,0 +1,12 @@ +[Unit] +Description=Run cinder-lvs-setup Ansible scripts +ConditionPathExists=/etc/openstack/cinder.conf +Wants=lvm2-lvmetad.service + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/bin/ansible-playbook -v -M /usr/share/ansible/ansible-openstack-modules -i /usr/share/openstack/hosts /usr/share/openstack/cinder-lvs.yml + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-cinder-scheduler.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-cinder-scheduler.service new file mode 100644 index 00000000..f205aaff --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-cinder-scheduler.service @@ -0,0 +1,15 @@ +[Unit] +Description=OpenStack Cinder scheduler server +ConditionPathExists=/etc/cinder/cinder.conf +After=network-online.target openstack-cinder-config-setup.service openstack-cinder-db-setup.service openstack-cinder-volume.service +Wants=network-online.target + +[Service] +Type=simple +User=cinder +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/cinder-scheduler --config-file /etc/cinder/cinder.conf + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-cinder-volume.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-cinder-volume.service new file mode 100644 index 00000000..a5b7fe85 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-cinder-volume.service @@ -0,0 +1,16 @@ +[Unit] +Description=OpenStack Cinder volume server +ConditionPathExists=/etc/cinder/cinder.conf +After=network-online.target openstack-cinder-config-setup.service openstack-cinder-db-setup.service openstack-cinder-lv-setup.service lvm2-lvmetad.service iscsid.service target.service +Requisite=openstack-cinder-lv-setup.service +Wants=network-online.target + +[Service] +Type=simple +User=cinder +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/cinder-volume --config-file /etc/cinder/cinder.conf + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-glance-api.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-glance-api.service new file mode 100644 index 00000000..4c34ff10 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-glance-api.service @@ -0,0 +1,16 @@ +[Unit] +Description=OpenStack Image Service (code-named Glance) API server +ConditionPathExists=/etc/glance/glance-api.conf +After=network-online.target +Wants=network-online.target + +[Service] +Type=simple +User=glance +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/glance-api --config-file /etc/glance/glance-api.conf + +[Install] +WantedBy=multi-user.target + diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-glance-registry.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-glance-registry.service new file mode 100644 index 00000000..d53c8b33 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-glance-registry.service @@ -0,0 +1,16 @@ +[Unit] +Description=OpenStack Image Service (code-named Glance) Registry server +ConditionPathExists=/etc/glance/glance-registry.conf +After=network-online.target +Wants=network-online.target + +[Service] +Type=simple +User=glance +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/glance-registry --config-file /etc/glance/glance-registry.conf + +[Install] +WantedBy=multi-user.target + diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-glance-setup.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-glance-setup.service new file mode 100644 index 00000000..43810797 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-glance-setup.service @@ -0,0 +1,11 @@ +[Unit] +Description=Run glance-setup Ansible scripts +ConditionPathExists=/etc/openstack/glance.conf +After=local-fs.target network-online.target postgres-server-setup.service openstack-keystone-setup.service +Wants=network-online.target + +[Service] +ExecStart=/usr/bin/ansible-playbook -v -M /usr/share/ansible/ansible-openstack-modules -i /usr/share/openstack/hosts /usr/share/openstack/glance.yml + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-horizon-setup.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-horizon-setup.service new file mode 100644 index 00000000..9ec3197a --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-horizon-setup.service @@ -0,0 +1,10 @@ +[Unit] +Description=Run horizon-setup Ansible scripts +After=local-fs.target +Before=apache-httpd.service + +[Service] +ExecStart=/usr/bin/ansible-playbook -v -M /usr/share/ansible/ansible-openstack-modules -i /usr/share/openstack/hosts /usr/share/openstack/horizon.yml + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-ironic-api.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-ironic-api.service new file mode 100644 index 00000000..5a286a95 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-ironic-api.service @@ -0,0 +1,16 @@ +[Unit] +Description=OpenStack Bare Metal Provisioning Service (code-named Ironic) API server +ConditionPathExists=/etc/ironic/ironic.conf +After=network-online.target +Wants=network-online.target + +[Service] +Type=simple +User=ironic +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/ironic-api --config-file /etc/ironic/ironic.conf + +[Install] +WantedBy=multi-user.target + diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-ironic-conductor.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-ironic-conductor.service new file mode 100644 index 00000000..b3b226e0 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-ironic-conductor.service @@ -0,0 +1,16 @@ +[Unit] +Description=OpenStack Bare Metal Provisioning Service (code-named Ironic) Conductor server +ConditionPathExists=/etc/ironic/ironic.conf +After=network-online.target +Wants=network-online.target + +[Service] +Type=simple +User=ironic +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/ironic-conductor --config-file /etc/ironic/ironic.conf + +[Install] +WantedBy=multi-user.target + diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-ironic-setup.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-ironic-setup.service new file mode 100644 index 00000000..e3a58eb5 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-ironic-setup.service @@ -0,0 +1,12 @@ +[Unit] +Description=Run ironic-setup Ansible scripts +ConditionPathExists=/etc/openstack/ironic.conf +After=local-fs.target network-online.target postgres-server-setup.service openstack-keystone-setup.service +Wants=network-online.target + +[Service] +ExecStart=/usr/bin/ansible-playbook -v -M /usr/share/ansible/ansible-openstack-modules -i /usr/share/openstack/hosts /usr/share/openstack/ironic.yml + +[Install] +WantedBy=multi-user.target + diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-keystone-setup.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-keystone-setup.service new file mode 100644 index 00000000..db9d0b2b --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-keystone-setup.service @@ -0,0 +1,14 @@ +[Unit] +Description=Run keystone-setup Ansible scripts +ConditionPathExists=/etc/openstack/keystone.conf +After=local-fs.target network-online.target postgres-server-setup.service +Wants=network-online.target + +[Service] +# Oneshot, since others setup have to wait until this service finishes +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/bin/ansible-playbook -v -M /usr/share/ansible/ansible-openstack-modules -i /usr/share/openstack/hosts /usr/share/openstack/keystone.yml + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-keystone.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-keystone.service new file mode 100644 index 00000000..6f6ff644 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-keystone.service @@ -0,0 +1,16 @@ +[Unit] +Description=OpenStack Identity Service (code-named Keystone) +ConditionPathExists=/etc/keystone/keystone.conf +After=network-online.target +Wants=network-online.target + +[Service] +Type=notify +Restart=always +User=keystone +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/keystone-all --config-file /etc/keystone/keystone.conf + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-network-setup.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-network-setup.service new file mode 100644 index 00000000..021370d9 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-network-setup.service @@ -0,0 +1,12 @@ +[Unit] +Description=Run Ansible scripts to configure internal network for OpenStack +After=openvswitch-setup.service openvswitch.service +Before=systemd-networkd.service + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/bin/ansible-playbook -v -M /usr/share/ansible/ansible-openstack-modules -i /usr/share/openstack/hosts /usr/share/openstack/network.yml + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-config-setup.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-config-setup.service new file mode 100644 index 00000000..b74f44ab --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-config-setup.service @@ -0,0 +1,13 @@ +[Unit] +Description=Run neutron-config-setup Ansible scripts +ConditionPathExists=/etc/openstack/neutron.conf +After=network-online.target openstack-keystone-setup.service +Wants=network-online.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/bin/ansible-playbook -v -M /usr/share/ansible/ansible-openstack-modules -i /usr/share/openstack/hosts /usr/share/openstack/neutron-config.yml + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-db-setup.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-db-setup.service new file mode 100644 index 00000000..5d07da2e --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-db-setup.service @@ -0,0 +1,13 @@ +[Unit] +Description=Run neutron-db-setup Ansible scripts +ConditionPathExists=/etc/openstack/neutron.conf +After=network-online.target postgres-server-setup.service openstack-keystone-setup.service openstack-neutron-config-setup.service +Wants=network-online.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/bin/ansible-playbook -v -M /usr/share/ansible/ansible-openstack-modules -i /usr/share/openstack/hosts /usr/share/openstack/neutron-db.yml + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-dhcp-agent.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-dhcp-agent.service new file mode 100644 index 00000000..9080f3c1 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-dhcp-agent.service @@ -0,0 +1,17 @@ +[Unit] +Description=Neutron DHCP Agent +ConditionPathExists=/etc/neutron/neutron.conf +After=network-online.target openstack-neutron-config-setup.service openstack-neutron-db-setup.service openstack-neutron-ovs-cleanup.service +Wants=network-online.target + +[Service] +Type=simple +User=neutron +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/neutron-dhcp-agent \ + --config-file=/etc/neutron/neutron.conf \ + --config-file=/etc/neutron/dhcp_agent.ini + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-l3-agent.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-l3-agent.service new file mode 100644 index 00000000..72cd1651 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-l3-agent.service @@ -0,0 +1,17 @@ +[Unit] +Description=Neutron Layer 3 Agent +ConditionPathExists=/etc/neutron/neutron.conf +After=network-online.target openstack-neutron-config-setup.service openstack-neutron-db-setup.service openstack-neutron-ovs-cleanup.service +Wants=network-online.target + +[Service] +Type=simple +User=neutron +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/neutron-l3-agent \ + --config-file=/etc/neutron/neutron.conf \ + --config-file=/etc/neutron/l3_agent.ini + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-metadata-agent.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-metadata-agent.service new file mode 100644 index 00000000..20540e4c --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-metadata-agent.service @@ -0,0 +1,17 @@ +[Unit] +Description=Neutron Metadata Plugin Agent +ConditionPathExists=/etc/neutron/neutron.conf +After=network-online.target openstack-neutron-config-setup.service openstack-neutron-db-setup.service +Wants=network-online.target + +[Service] +Type=simple +User=neutron +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/neutron-metadata-agent \ + --config-file=/etc/neutron/neutron.conf \ + --config-file=/etc/neutron/metadata_agent.ini + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-ovs-cleanup.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-ovs-cleanup.service new file mode 100644 index 00000000..f5709028 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-ovs-cleanup.service @@ -0,0 +1,18 @@ +[Unit] +Description=Neutron OVS cleanup +ConditionPathExists=/etc/neutron/neutron.conf +ConditionFileIsExecutable=/usr/bin/neutron-ovs-cleanup +After=network-online.target openstack-neutron-config-setup.service openstack-neutron-db-setup.service openvswitch.service +Before=openstack-neutron-plugin-openvswitch-agent.service +Wants=network-online.target + +[Service] +Type=oneshot +RemainAfterExit=yes +StandardOutput=null +StandardError=null +User=neutron +ExecStart=/usr/bin/neutron-ovs-cleanup --config-file /etc/neutron/neutron.conf + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-plugin-openvswitch-agent.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-plugin-openvswitch-agent.service new file mode 100644 index 00000000..6c579a62 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-plugin-openvswitch-agent.service @@ -0,0 +1,17 @@ +[Unit] +Description=Neutron OpenvSwitch Plugin Agent +ConditionPathExists=/etc/neutron/neutron.conf +After=network-online.target openstack-neutron-config-setup.service openstack-neutron-db-setup.service +Wants=network-online.target + +[Service] +Type=simple +User=neutron +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/neutron-openvswitch-agent \ + --config-file=/etc/neutron/neutron.conf \ + --config-file=/etc/neutron/plugins/ml2/ml2_conf.ini + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-server.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-server.service new file mode 100644 index 00000000..6376c3d8 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-neutron-server.service @@ -0,0 +1,17 @@ +[Unit] +Description=Neutron Api Server +ConditionPathExists=/etc/neutron/neutron.conf +After=network-online.target openstack-neutron-config-setup.service openstack-neutron-db-setup.service +Wants=network-online.target + +[Service] +Type=simple +User=neutron +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/neutron-server \ + --config-file=/etc/neutron/neutron.conf \ + --config-file=/etc/neutron/plugins/ml2/ml2_conf.ini + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-api.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-api.service new file mode 100644 index 00000000..521353db --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-api.service @@ -0,0 +1,15 @@ +[Unit] +Description=OpenStack Compute Service (code-named Nova) API server +ConditionPathExists=/etc/nova/nova.conf +After=network-online.target openstack-nova-config-setup.service openstack-nova-db-setup.service +Wants=network-online.target + +[Service] +Type=simple +User=nova +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/nova-api --config-file /etc/nova/nova.conf + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-cert.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-cert.service new file mode 100644 index 00000000..b3733816 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-cert.service @@ -0,0 +1,15 @@ +[Unit] +Description=OpenStack Nova Cert +ConditionPathExists=/etc/nova/nova.conf +After=network-online.target openstack-nova-config-setup.service openstack-nova-db-setup.service +Wants=network-online.target + +[Service] +Type=simple +User=nova +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/nova-cert --config-file /etc/nova/nova.conf + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-compute.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-compute.service new file mode 100644 index 00000000..4f9b8196 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-compute.service @@ -0,0 +1,16 @@ +[Unit] +Description=OpenStack Compute Service (code-named Nova) compute server +ConditionPathExists=/etc/nova/nova.conf +After=network-online.target openstack-nova-config-setup.service openstack-nova-db-setup.service libvirtd.service +Wants=network-online.target +Requires=libvirtd.service + +[Service] +Type=simple +User=nova +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/nova-compute --config-file /etc/nova/nova.conf --config-file /etc/nova/nova-compute.conf + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-conductor.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-conductor.service new file mode 100644 index 00000000..4c0d7d43 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-conductor.service @@ -0,0 +1,16 @@ +[Unit] +Description=Database-access support for Compute nodes (nova-conductor) +ConditionPathExists=/etc/nova/nova.conf +After=network-online.target openstack-nova-config-setup.service openstack-nova-db-setup.service libvirtd.service +Wants=network-online.target +Requires=libvirtd.service + +[Service] +Type=simple +User=nova +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/nova-conductor --config-file /etc/nova/nova.conf + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-config-setup.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-config-setup.service new file mode 100644 index 00000000..df669aa9 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-config-setup.service @@ -0,0 +1,11 @@ +[Unit] +Description=Run nova-config-setup Ansible scripts +ConditionPathExists=/etc/openstack/nova.conf + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/bin/ansible-playbook -v -M /usr/share/ansible/ansible-openstack-modules -i /usr/share/openstack/hosts /usr/share/openstack/nova-config.yml + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-consoleauth.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-consoleauth.service new file mode 100644 index 00000000..e22780a9 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-consoleauth.service @@ -0,0 +1,15 @@ +[Unit] +Description=Openstack Console Auth (nova-consoleauth) +ConditionPathExists=/etc/nova/nova.conf +After=network-online.target openstack-nova-config-setup.service openstack-nova-db-setup.service +Wants=network-online.target + +[Service] +Type=simple +User=nova +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/nova-consoleauth --config-file /etc/nova/nova.conf + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-db-setup.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-db-setup.service new file mode 100644 index 00000000..8e004327 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-db-setup.service @@ -0,0 +1,13 @@ +[Unit] +Description=Run nova-db-setup Ansible scripts +ConditionPathExists=/etc/openstack/nova.conf +After=network-online.target postgres-server-setup.service openstack-keystone-setup.service openstack-nova-config-setup.service +Wants=network-online.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/bin/ansible-playbook -v -M /usr/share/ansible/ansible-openstack-modules -i /usr/share/openstack/hosts /usr/share/openstack/nova-db.yml + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-novncproxy.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-novncproxy.service new file mode 100644 index 00000000..8cbb20fd --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-novncproxy.service @@ -0,0 +1,15 @@ +[Unit] +Description=OpenStack Nova NoVNC proxy +ConditionPathExists=/etc/nova/nova.conf +After=network-online.target openstack-nova-config-setup.service openstack-nova-db-setup.service +Wants=network-online.target + +[Service] +Type=simple +User=nova +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/nova-novncproxy --config-file /etc/nova/nova.conf --web /usr/share/novnc + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-scheduler.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-scheduler.service new file mode 100644 index 00000000..e89f0d3e --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-scheduler.service @@ -0,0 +1,15 @@ +[Unit] +Description=OpenStack Nova Scheduler +ConditionPathExists=/etc/nova/nova.conf +After=network-online.target openstack-nova-config-setup.service openstack-nova-db-setup.service +Wants=network-online.target + +[Service] +Type=simple +User=nova +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/nova-scheduler --config-file /etc/nova/nova.conf + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-serialproxy.service b/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-serialproxy.service new file mode 100644 index 00000000..30af8305 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openstack-nova-serialproxy.service @@ -0,0 +1,15 @@ +[Unit] +Description=OpenStack Nova Serial Proxy +ConditionPathExists=/etc/nova/nova.conf +After=network-online.target openstack-nova-config-setup.service openstack-nova-db-setup.service +Wants=network-online.target + +[Service] +Type=simple +User=nova +StandardOutput=null +StandardError=null +ExecStart=/usr/bin/nova-serialproxy --config-file /etc/nova/nova.conf + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openvswitch-db-server.service b/old/install-files/openstack/usr/lib/systemd/system/openvswitch-db-server.service new file mode 100644 index 00000000..34a7c812 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openvswitch-db-server.service @@ -0,0 +1,12 @@ +[Unit] +Description=Open vSwitch Database Server Daemon +After=local-fs.target + +[Service] +Type=forking +ExecStartPre=-/usr/bin/mkdir -p /var/run/openvswitch +ExecStart=/usr/sbin/ovsdb-server --remote=punix:/var/run/openvswitch/db.sock --remote=db:Open_vSwitch,Open_vSwitch,manager_options --private-key=db:Open_vSwitch,SSL,private_key --certificate=db:Open_vSwitch,SSL,certificate --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --pidfile --detach + +[Install] +WantedBy=multi-user.target + diff --git a/old/install-files/openstack/usr/lib/systemd/system/openvswitch-setup.service b/old/install-files/openstack/usr/lib/systemd/system/openvswitch-setup.service new file mode 100644 index 00000000..8393ebbc --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openvswitch-setup.service @@ -0,0 +1,11 @@ +[Unit] +Description=Run openvswitch-setup Ansible scripts +After=local-fs.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/bin/ansible-playbook -v -i /usr/share/openstack/hosts /usr/share/openstack/openvswitch.yml + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/openvswitch.service b/old/install-files/openstack/usr/lib/systemd/system/openvswitch.service new file mode 100644 index 00000000..113911f6 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/openvswitch.service @@ -0,0 +1,12 @@ +[Unit] +Description=Open vSwitch Daemon +Before=network-pre.target +Wants=network-pre.target + +[Service] +Type=forking +ExecStartPre=-/usr/bin/mkdir -p /var/run/openvswitch +ExecStart=/usr/sbin/ovs-vswitchd --pidfile --detach + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/postgres-server-setup.service b/old/install-files/openstack/usr/lib/systemd/system/postgres-server-setup.service new file mode 100644 index 00000000..202c0636 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/postgres-server-setup.service @@ -0,0 +1,12 @@ +[Unit] +Description=Run postgres-setup Ansible scripts +ConditionPathExists=/etc/openstack/postgres.conf +After=local-fs.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/bin/ansible-playbook -v -i /usr/share/openstack/hosts /usr/share/openstack/postgres.yml + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/postgres-server.service b/old/install-files/openstack/usr/lib/systemd/system/postgres-server.service new file mode 100644 index 00000000..9e11f26d --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/postgres-server.service @@ -0,0 +1,26 @@ +[Unit] +Description=PostgreSQL database server +After=network-online.target +Wants=network-online.target + +[Service] +Type=forking +TimeoutSec=120 +User=postgres +Group=postgres + +Environment=PGROOT=/var/lib/pgsql + +SyslogIdentifier=postgres +PIDFile=/var/lib/pgsql/data/postmaster.pid + +ExecStart=/usr/bin/pg_ctl -s -D ${PGROOT}/data start -w -t 120 +ExecReload=/usr/bin/pg_ctl -s -D ${PGROOT}/data reload +ExecStop=/usr/bin/pg_ctl -s -D ${PGROOT}/data stop -m fast + +# Due to PostgreSQL's use of shared memory, OOM killer is often overzealous in +# killing Postgres, so adjust it downward +OOMScoreAdjust=-200 + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/rabbitmq-server.service b/old/install-files/openstack/usr/lib/systemd/system/rabbitmq-server.service new file mode 100644 index 00000000..1a20f3e4 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/rabbitmq-server.service @@ -0,0 +1,16 @@ +[Unit] +Description=RabbitMQ broker +After=network-online.target +Wants=network-online.target + +[Service] +Type=notify +User=rabbitmq +Group=rabbitmq +Environment=HOME=/var/lib/rabbitmq +WorkingDirectory=/var/lib/rabbitmq +ExecStart=/usr/sbin/rabbitmq-server +ExecStop=/usr/sbin/rabbitmqctl stop + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/swift-controller-setup.service b/old/install-files/openstack/usr/lib/systemd/system/swift-controller-setup.service new file mode 100644 index 00000000..ccfbcbe6 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/swift-controller-setup.service @@ -0,0 +1,13 @@ +[Unit] +Description=Run swift-controller-setup (once) +After=local-fs.target network-online.target postgres-server-setup.service openstack-keystone-setup.service +Wants=network-online.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/bin/ansible-playbook -v -M /usr/share/ansible/ansible-openstack-modules -i /usr/share/openstack/hosts /usr/share/openstack/swift-controller.yml +Restart=no + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/lib/systemd/system/swift-proxy.service b/old/install-files/openstack/usr/lib/systemd/system/swift-proxy.service new file mode 100644 index 00000000..7b0a2e17 --- /dev/null +++ b/old/install-files/openstack/usr/lib/systemd/system/swift-proxy.service @@ -0,0 +1,14 @@ +[Unit] +Description=OpenStack Swift Proxy Server +After=network-online.target swift-controller-setup.service memcached.service +Wants=network-online.target + +[Service] +Type=forking +PIDFile=/var/run/swift/proxy-server.pid +Restart=on-failure +ExecStart=/usr/bin/swift-init proxy-server start +ExecStop=/usr/bin/swift-init proxy-server stop + +[Install] +WantedBy=multi-user.target diff --git a/old/install-files/openstack/usr/share/openstack/ceilometer-config.yml b/old/install-files/openstack/usr/share/openstack/ceilometer-config.yml new file mode 100644 index 00000000..9850d84d --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/ceilometer-config.yml @@ -0,0 +1,36 @@ +--- +- hosts: localhost + vars_files: + - "/etc/openstack/ceilometer.conf" + tasks: +# Configure ceilometer + - name: Create the ceilometer user. + user: + name: ceilometer + comment: Openstack Ceilometer Daemons + shell: /sbin/nologin + home: /var/lib/ceilometer + + - name: Create the /var folders for ceilometer + file: + path: "{{ item }}" + state: directory + owner: ceilometer + group: ceilometer + with_items: + - /var/run/ceilometer + - /var/lock/ceilometer + - /var/log/ceilometer + - /var/lib/ceilometer + + - name: Create /etc/ceilometer directory + file: + path: /etc/ceilometer + state: directory + + - name: Add the configuration needed for ceilometer in /etc/ceilometer using templates + template: + src: /usr/share/openstack/ceilometer/{{ item }} + dest: /etc/ceilometer/{{ item }} + with_lines: + - cd /usr/share/openstack/ceilometer && find -type f diff --git a/old/install-files/openstack/usr/share/openstack/ceilometer-db.yml b/old/install-files/openstack/usr/share/openstack/ceilometer-db.yml new file mode 100644 index 00000000..46a929bc --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/ceilometer-db.yml @@ -0,0 +1,50 @@ +--- +- hosts: localhost + vars_files: + - "/etc/openstack/ceilometer.conf" + tasks: + - name: Create ceilometer service user in service tenant + keystone_user: + user: "{{ CEILOMETER_SERVICE_USER }}" + password: "{{ CEILOMETER_SERVICE_PASSWORD }}" + tenant: service + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + + - name: Assign admin role to ceilometers service user in the service tenant + keystone_user: + role: admin + user: "{{ CEILOMETER_SERVICE_USER }}" + tenant: service + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + + - name: Add ceilometer endpoint + keystone_service: + name: ceilometer + type: metering + description: Openstack Metering Service + publicurl: http://{{ ansible_hostname }}:8777 + internalurl: http://{{ CONTROLLER_HOST_ADDRESS }}:8777 + adminurl: http://{{ CONTROLLER_HOST_ADDRESS }}:8777 + region: regionOne + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + + - name: Create postgresql user for ceilometer + postgresql_user: + name: "{{ CEILOMETER_DB_USER }}" + login_host: "{{ CONTROLLER_HOST_ADDRESS }}" + password: "{{ CEILOMETER_DB_PASSWORD }}" + sudo: yes + sudo_user: ceilometer + + - name: Create database for ceilometer services + postgresql_db: + name: ceilometer + owner: "{{ CEILOMETER_DB_USER }}" + login_host: "{{ CONTROLLER_HOST_ADDRESS }}" + sudo: yes + sudo_user: ceilometer + + - name: Initiate ceilometer database + command: ceilometer-dbsync + sudo: yes + sudo_user: ceilometer diff --git a/old/install-files/openstack/usr/share/openstack/ceilometer/ceilometer.conf b/old/install-files/openstack/usr/share/openstack/ceilometer/ceilometer.conf new file mode 100644 index 00000000..b1ad2f47 --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/ceilometer/ceilometer.conf @@ -0,0 +1,1330 @@ +[DEFAULT] + +# +# From ceilometer +# + +auth_strategy = keystone + +# To reduce large requests at same time to Nova or other components +# from different compute agents, shuffle start time of polling task. +# (integer value) +#shuffle_time_before_polling_task = 0 + +# Configuration file for WSGI definition of API. (string value) +api_paste_config = api_paste.ini + +# Number of workers for Ceilometer API server. (integer value) +#api_workers = 1 + +# Polling namespace(s) to be used while resource polling (unknown +# type) +#polling_namespaces = ['compute', 'central'] + +# List of pollsters (or wildcard templates) to be used while polling +# (unknown type) +#pollster_list = [] + +# Exchange name for Nova notifications. (string value) +nova_control_exchange = nova + +# List of metadata prefixes reserved for metering use. (list value) +reserved_metadata_namespace = metering. + +# Limit on length of reserved metadata values. (integer value) +#reserved_metadata_length = 256 + +# List of metadata keys reserved for metering use. And these keys are +# additional to the ones included in the namespace. (list value) +#reserved_metadata_keys = + +# Inspector to use for inspecting the hypervisor layer. (string value) +hypervisor_inspector = libvirt + +# Libvirt domain type. (string value) +# Allowed values: kvm, lxc, qemu, uml, xen +libvirt_type = {{ NOVA_VIRT_TYPE }} + +# Override the default libvirt URI (which is dependent on +# libvirt_type). (string value) +#libvirt_uri = + +# Exchange name for Data Processing notifications. (string value) +#sahara_control_exchange = sahara + +# Dispatcher to process data. (multi valued) +# Deprecated group/name - [collector]/dispatcher +#dispatcher = database + +# Exchange name for Keystone notifications. (string value) +keystone_control_exchange = keystone + +# Number of items to request in each paginated Glance API request +# (parameter used by glancecelient). If this is less than or equal to +# 0, page size is not specified (default value in glanceclient is +# used). (integer value) +#glance_page_size = 0 + +# Exchange name for Glance notifications. (string value) +glance_control_exchange = glance + +# Exchange name for Ironic notifications. (string value) +ironic_exchange = ironic + +# Exchanges name to listen for notifications. (multi valued) +#http_control_exchanges = nova +#http_control_exchanges = glance +#http_control_exchanges = neutron +#http_control_exchanges = cinder + +# Exchange name for Neutron notifications. (string value) +# Deprecated group/name - [DEFAULT]/quantum_control_exchange +neutron_control_exchange = neutron + +# Allow novaclient's debug log output. (boolean value) +#nova_http_log_debug = false + +# Swift reseller prefix. Must be on par with reseller_prefix in proxy- +# server.conf. (string value) +#reseller_prefix = AUTH_ + +# Enable eventlet backdoor. Acceptable values are 0, <port>, and +# <start>:<end>, where 0 results in listening on a random tcp port +# number; <port> results in listening on the specified port number +# (and not enabling backdoor if that port is in use); and +# <start>:<end> results in listening on the smallest unused port +# number within the specified range of port numbers. The chosen port +# is displayed in the service's log file. (string value) +#backdoor_port = <None> + +# Print debugging output (set logging level to DEBUG instead of +# default WARNING level). (boolean value) +#debug = false + +# Print more verbose output (set logging level to INFO instead of +# default WARNING level). (boolean value) +#verbose = false + +# Log output to standard error. (boolean value) +#use_stderr = true + +# The name of a logging configuration file. This file is appended to +# any existing logging configuration files. For details about logging +# configuration files, see the Python logging module documentation. +# (string value) +# Deprecated group/name - [DEFAULT]/log_config +#log_config_append = <None> + +# DEPRECATED. A logging.Formatter log message format string which may +# use any of the available logging.LogRecord attributes. This option +# is deprecated. Please use logging_context_format_string and +# logging_default_format_string instead. (string value) +#log_format = <None> + +# Format string for %%(asctime)s in log records. Default: %(default)s +# . (string value) +#log_date_format = %Y-%m-%d %H:%M:%S + +# (Optional) Name of log file to output to. If no default is set, +# logging will go to stdout. (string value) +# Deprecated group/name - [DEFAULT]/logfile +#log_file = <None> + +# (Optional) The base directory used for relative --log-file paths. +# (string value) +# Deprecated group/name - [DEFAULT]/logdir +#log_dir = <None> + +# Use syslog for logging. Existing syslog format is DEPRECATED during +# I, and will change in J to honor RFC5424. (boolean value) +use_syslog = True + +# (Optional) Enables or disables syslog rfc5424 format for logging. If +# enabled, prefixes the MSG part of the syslog message with APP-NAME +# (RFC5424). The format without the APP-NAME is deprecated in I, and +# will be removed in J. (boolean value) +#use_syslog_rfc_format = false + +# Syslog facility to receive log lines. (string value) +#syslog_log_facility = LOG_USER + +# Format string to use for log messages with context. (string value) +#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s + +# Format string to use for log messages without context. (string +# value) +#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s + +# Data to append to log format when level is DEBUG. (string value) +#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d + +# Prefix each line of exception output with this format. (string +# value) +#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s + +# List of logger=LEVEL pairs. (list value) +#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN + +# Enables or disables publication of error events. (boolean value) +#publish_errors = false + +# Enables or disables fatal status of deprecations. (boolean value) +#fatal_deprecations = false + +# The format for an instance that is passed with the log message. +# (string value) +#instance_format = "[instance: %(uuid)s] " + +# The format for an instance UUID that is passed with the log message. +# (string value) +#instance_uuid_format = "[instance: %(uuid)s] " + +# Exchange name for Heat notifications (string value) +#heat_control_exchange = heat + +# Configuration file for pipeline definition. (string value) +pipeline_cfg_file = pipeline.yaml + +# Configuration file for event pipeline definition. (string value) +event_pipeline_cfg_file = event_pipeline.yaml + +# Exchange name for DBaaS notifications. (string value) +#trove_control_exchange = trove + +# Exchange name for Messaging service notifications. (string value) +#zaqar_control_exchange = zaqar + +# Source for samples emitted on this instance. (string value) +# Deprecated group/name - [DEFAULT]/counter_source +#sample_source = openstack + +# Name of this node, which must be valid in an AMQP key. Can be an +# opaque identifier. For ZeroMQ only, must be a valid host name, FQDN, +# or IP address. (string value) +#host = noisecell + +# Number of workers for collector service. A single collector is +# enabled by default. (integer value) +#collector_workers = 1 + +# Number of workers for notification service. A single notification +# agent is enabled by default. (integer value) +#notification_workers = 1 + +# Timeout seconds for HTTP requests. Set it to None to disable +# timeout. (integer value) +#http_timeout = 600 + +# DEPRECATED - Database connection string. (string value) +#database_connection = <None> + +# Path to the rootwrap configuration file touse for running commands +# as root (string value) +rootwrap_config = /etc/ceilometer/rootwrap.conf + +# Exchange name for Cinder notifications. (string value) +cinder_control_exchange = cinder + +# +# From oslo.messaging +# + +# ZeroMQ bind address. Should be a wildcard (*), an ethernet +# interface, or IP. The "host" option should point or resolve to this +# address. (string value) +#rpc_zmq_bind_address = * + +# MatchMaker driver. (string value) +#rpc_zmq_matchmaker = local + +# ZeroMQ receiver listening port. (integer value) +#rpc_zmq_port = 9501 + +# Number of ZeroMQ contexts, defaults to 1. (integer value) +#rpc_zmq_contexts = 1 + +# Maximum number of ingress messages to locally buffer per topic. +# Default is unlimited. (integer value) +#rpc_zmq_topic_backlog = <None> + +# Directory for holding IPC sockets. (string value) +#rpc_zmq_ipc_dir = /var/run/openstack + +# Name of this node. Must be a valid hostname, FQDN, or IP address. +# Must match "host" option, if running Nova. (string value) +#rpc_zmq_host = localhost + +# Seconds to wait before a cast expires (TTL). Only supported by +# impl_zmq. (integer value) +#rpc_cast_timeout = 30 + +# Heartbeat frequency. (integer value) +#matchmaker_heartbeat_freq = 300 + +# Heartbeat time-to-live. (integer value) +#matchmaker_heartbeat_ttl = 600 + +# Size of RPC thread pool. (integer value) +#rpc_thread_pool_size = 64 + +# Driver or drivers to handle sending notifications. (multi valued) +#notification_driver = + +# AMQP topic used for OpenStack notifications. (list value) +# Deprecated group/name - [rpc_notifier2]/topics +#notification_topics = notifications + +# Seconds to wait for a response from a call. (integer value) +#rpc_response_timeout = 60 + +# A URL representing the messaging driver to use and its full +# configuration. If not set, we fall back to the rpc_backend option +# and driver specific configuration. (string value) +#transport_url = <None> + +# The messaging driver to use, defaults to rabbit. Other drivers +# include qpid and zmq. (string value) +rpc_backend = rabbit + +# The default exchange under which topics are scoped. May be +# overridden by an exchange name specified in the transport_url +# option. (string value) +#control_exchange = openstack + + +[alarm] + +# +# From ceilometer +# + +# SSL Client certificate for REST notifier. (string value) +#rest_notifier_certificate_file = + +# SSL Client private key for REST notifier. (string value) +#rest_notifier_certificate_key = + +# Whether to verify the SSL Server certificate when calling alarm +# action. (boolean value) +#rest_notifier_ssl_verify = true + +# Number of retries for REST notifier (integer value) +#rest_notifier_max_retries = 0 + +# Period of evaluation cycle, should be >= than configured pipeline +# interval for collection of underlying metrics. (integer value) +# Deprecated group/name - [alarm]/threshold_evaluation_interval +#evaluation_interval = 60 + +# The topic that ceilometer uses for alarm notifier messages. (string +# value) +notifier_rpc_topic = alarm_notifier + +# The topic that ceilometer uses for alarm partition coordination +# messages. DEPRECATED: RPC-based partitionedalarm evaluation service +# will be removed in Kilo in favour of the default alarm evaluation +# service using tooz for partitioning. (string value) +#partition_rpc_topic = alarm_partition_coordination + +# URL to Gnocchi. (string value) +#gnocchi_url = http://localhost:8041 + +# Record alarm change events. (boolean value) +#record_history = true + +# Maximum number of alarms defined for a user. (integer value) +#user_alarm_quota = <None> + +# Maximum number of alarms defined for a project. (integer value) +#project_alarm_quota = <None> + +# Driver to use for alarm evaluation service. DEPRECATED: "singleton" +# and "partitioned" alarm evaluator services will be removed in Kilo +# in favour of the default alarm evaluation service using tooz for +# partitioning. (string value) +#evaluation_service = default + + +[api] + +# +# From ceilometer +# + +# The port for the ceilometer API server. (integer value) +# Deprecated group/name - [DEFAULT]/metering_api_port +port = 8777 + +# The listen IP for the ceilometer API server. (string value) +host = {{ MANAGEMENT_INTERFACE_IP_ADDRESS }} + +# Toggle Pecan Debug Middleware. (boolean value) +#pecan_debug = false + + +[central] + +# +# From ceilometer +# + +# Work-load partitioning group prefix. Use only if you want to run +# multiple polling agents with different config files. For each sub- +# group of the agent pool with the same partitioning_group_prefix a +# disjoint subset of pollsters should be loaded. (string value) +# Deprecated group/name - [central]/partitioning_group_prefix +#partitioning_group_prefix = <None> + + +[collector] + +# +# From ceilometer +# + +# Address to which the UDP socket is bound. Set to an empty string to +# disable. (string value) +#udp_address = 0.0.0.0 + +# Port to which the UDP socket is bound. (integer value) +#udp_port = 4952 + +# Requeue the sample on the collector sample queue when the collector +# fails to dispatch it. This is only valid if the sample come from the +# notifier publisher. (boolean value) +#requeue_sample_on_dispatcher_error = false + +# Requeue the event on the collector event queue when the collector +# fails to dispatch it. (boolean value) +#requeue_event_on_dispatcher_error = false + + +[compute] + +# +# From ceilometer +# + +# Enable work-load partitioning, allowing multiple compute agents to +# be run simultaneously. (boolean value) +#workload_partitioning = false + + +[coordination] + +# +# From ceilometer +# + +# The backend URL to use for distributed coordination. If left empty, +# per-deployment central agent and per-host compute agent won't do +# workload partitioning and will only function correctly if a single +# instance of that service is running. (string value) +#backend_url = <None> + +# Number of seconds between heartbeats for distributed coordination. +# (floating point value) +#heartbeat = 1.0 + +# Number of seconds between checks to see if group membership has +# changed (floating point value) +#check_watchers = 10.0 + + +[database] + +# +# From ceilometer +# + +# Number of seconds that samples are kept in the database for (<= 0 +# means forever). (integer value) +# Deprecated group/name - [database]/time_to_live +#metering_time_to_live = -1 + +# Number of seconds that events are kept in the database for (<= 0 +# means forever). (integer value) +#event_time_to_live = -1 + +# The connection string used to connect to the metering database. (if +# unset, connection is used) (string value) +#metering_connection = <None> + +# The connection string used to connect to the alarm database. (if +# unset, connection is used) (string value) +#alarm_connection = <None> + +# The connection string used to connect to the event database. (if +# unset, connection is used) (string value) +#event_connection = <None> + +# The name of the replica set which is used to connect to MongoDB +# database. If it is set, MongoReplicaSetClient will be used instead +# of MongoClient. (string value) +#mongodb_replica_set = + +# The max length of resources id in DB2 nosql, the value should be +# larger than len(hostname) * 2 as compute node's resource id is +# <hostname>_<nodename>. (integer value) +#db2nosql_resource_id_maxlen = 512 + +# +# From oslo.db +# + +# The file name to use with SQLite. (string value) +# Deprecated group/name - [DEFAULT]/sqlite_db +#sqlite_db = oslo.sqlite + +# If True, SQLite uses synchronous mode. (boolean value) +# Deprecated group/name - [DEFAULT]/sqlite_synchronous +#sqlite_synchronous = true + +# The back end to use for the database. (string value) +# Deprecated group/name - [DEFAULT]/db_backend +#backend = sqlalchemy + +# The SQLAlchemy connection string to use to connect to the database. +# (string value) +# Deprecated group/name - [DEFAULT]/sql_connection +# Deprecated group/name - [DATABASE]/sql_connection +# Deprecated group/name - [sql]/connection +#connection = <None> +connection=postgresql://{{ CEILOMETER_DB_USER }}:{{ CEILOMETER_DB_PASSWORD }}@{{ CONTROLLER_HOST_ADDRESS }}/ceilometer + +# The SQLAlchemy connection string to use to connect to the slave +# database. (string value) +#slave_connection = <None> + +# The SQL mode to be used for MySQL sessions. This option, including +# the default, overrides any server-set SQL mode. To use whatever SQL +# mode is set by the server configuration, set this to no value. +# Example: mysql_sql_mode= (string value) +#mysql_sql_mode = TRADITIONAL + +# Timeout before idle SQL connections are reaped. (integer value) +# Deprecated group/name - [DEFAULT]/sql_idle_timeout +# Deprecated group/name - [DATABASE]/sql_idle_timeout +# Deprecated group/name - [sql]/idle_timeout +#idle_timeout = 3600 + +# Minimum number of SQL connections to keep open in a pool. (integer +# value) +# Deprecated group/name - [DEFAULT]/sql_min_pool_size +# Deprecated group/name - [DATABASE]/sql_min_pool_size +#min_pool_size = 1 + +# Maximum number of SQL connections to keep open in a pool. (integer +# value) +# Deprecated group/name - [DEFAULT]/sql_max_pool_size +# Deprecated group/name - [DATABASE]/sql_max_pool_size +#max_pool_size = <None> + +# Maximum number of database connection retries during startup. Set to +# -1 to specify an infinite retry count. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_retries +# Deprecated group/name - [DATABASE]/sql_max_retries +#max_retries = 10 + +# Interval between retries of opening a SQL connection. (integer +# value) +# Deprecated group/name - [DEFAULT]/sql_retry_interval +# Deprecated group/name - [DATABASE]/reconnect_interval +#retry_interval = 10 + +# If set, use this value for max_overflow with SQLAlchemy. (integer +# value) +# Deprecated group/name - [DEFAULT]/sql_max_overflow +# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow +#max_overflow = <None> + +# Verbosity of SQL debugging information: 0=None, 100=Everything. +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_connection_debug +#connection_debug = 0 + +# Add Python stack traces to SQL as comment strings. (boolean value) +# Deprecated group/name - [DEFAULT]/sql_connection_trace +#connection_trace = false + +# If set, use this value for pool_timeout with SQLAlchemy. (integer +# value) +# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout +#pool_timeout = <None> + +# Enable the experimental use of database reconnect on connection +# lost. (boolean value) +#use_db_reconnect = false + +# Seconds between retries of a database transaction. (integer value) +#db_retry_interval = 1 + +# If True, increases the interval between retries of a database +# operation up to db_max_retry_interval. (boolean value) +#db_inc_retry_interval = true + +# If db_inc_retry_interval is set, the maximum seconds between retries +# of a database operation. (integer value) +#db_max_retry_interval = 10 + +# Maximum retries in case of connection error or deadlock error before +# error is raised. Set to -1 to specify an infinite retry count. +# (integer value) +#db_max_retries = 20 + + +[dispatcher_file] + +# +# From ceilometer +# + +# Name and the location of the file to record meters. (string value) +#file_path = <None> + +# The max size of the file. (integer value) +#max_bytes = 0 + +# The max number of the files to keep. (integer value) +#backup_count = 0 + + +[event] + +# +# From ceilometer +# + +# Configuration file for event definitions. (string value) +definitions_cfg_file = event_definitions.yaml + +# Drop notifications if no event definition matches. (Otherwise, we +# convert them with just the default traits) (boolean value) +#drop_unmatched_notifications = false + +# Store the raw notification for select priority levels (info and/or +# error). By default, raw details are not captured. (multi valued) +#store_raw = + + +[hardware] + +# +# From ceilometer +# + +# URL scheme to use for hardware nodes. (string value) +#url_scheme = snmp:// + +# SNMPd user name of all nodes running in the cloud. (string value) +#readonly_user_name = ro_snmp_user + +# SNMPd password of all the nodes running in the cloud. (string value) +#readonly_user_password = password + + +[ipmi] + +# +# From ceilometer +# + +# Number of retries upon Intel Node Manager initialization failure +# (integer value) +#node_manager_init_retry = 3 + +# Tolerance of IPMI/NM polling failures before disable this pollster. +# Negative indicates retrying forever. (integer value) +#polling_retry = 3 + + +[keystone_authtoken] + +# +# From keystonemiddleware.auth_token +# + +# Complete public Identity API endpoint. (string value) +auth_uri = http://{{ CONTROLLER_HOST_ADDRESS }}:5000/v2.0 + +# API version of the admin Identity API endpoint. (string value) +#auth_version = <None> + +# Do not handle authorization requests within the middleware, but +# delegate the authorization decision to downstream WSGI components. +# (boolean value) +#delay_auth_decision = false + +# Request timeout value for communicating with Identity API server. +# (integer value) +#http_connect_timeout = <None> + +# How many times are we trying to reconnect when communicating with +# Identity API Server. (integer value) +#http_request_max_retries = 3 + +# Env key for the swift cache. (string value) +#cache = <None> + +# Required if identity server requires client certificate (string +# value) +#certfile = <None> + +# Required if identity server requires client certificate (string +# value) +#keyfile = <None> + +# A PEM encoded Certificate Authority to use when verifying HTTPs +# connections. Defaults to system CAs. (string value) +#cafile = <None> + +# Verify HTTPS connections. (boolean value) +#insecure = false + +# Directory used to cache files related to PKI tokens. (string value) +#signing_dir = <None> + +# Optionally specify a list of memcached server(s) to use for caching. +# If left undefined, tokens will instead be cached in-process. (list +# value) +# Deprecated group/name - [DEFAULT]/memcache_servers +#memcached_servers = <None> + +# In order to prevent excessive effort spent validating tokens, the +# middleware caches previously-seen tokens for a configurable duration +# (in seconds). Set to -1 to disable caching completely. (integer +# value) +#token_cache_time = 300 + +# Determines the frequency at which the list of revoked tokens is +# retrieved from the Identity service (in seconds). A high number of +# revocation events combined with a low cache duration may +# significantly reduce performance. (integer value) +#revocation_cache_time = 10 + +# (Optional) If defined, indicate whether token data should be +# authenticated or authenticated and encrypted. Acceptable values are +# MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in +# the cache. If ENCRYPT, token data is encrypted and authenticated in +# the cache. If the value is not one of these options or empty, +# auth_token will raise an exception on initialization. (string value) +#memcache_security_strategy = <None> + +# (Optional, mandatory if memcache_security_strategy is defined) This +# string is used for key derivation. (string value) +#memcache_secret_key = <None> + +# (Optional) Number of seconds memcached server is considered dead +# before it is tried again. (integer value) +#memcache_pool_dead_retry = 300 + +# (Optional) Maximum total number of open connections to every +# memcached server. (integer value) +#memcache_pool_maxsize = 10 + +# (Optional) Socket timeout in seconds for communicating with a +# memcache server. (integer value) +#memcache_pool_socket_timeout = 3 + +# (Optional) Number of seconds a connection to memcached is held +# unused in the pool before it is closed. (integer value) +#memcache_pool_unused_timeout = 60 + +# (Optional) Number of seconds that an operation will wait to get a +# memcache client connection from the pool. (integer value) +#memcache_pool_conn_get_timeout = 10 + +# (Optional) Use the advanced (eventlet safe) memcache client pool. +# The advanced pool will only work under python 2.x. (boolean value) +#memcache_use_advanced_pool = false + +# (Optional) Indicate whether to set the X-Service-Catalog header. If +# False, middleware will not ask for service catalog on token +# validation and will not set the X-Service-Catalog header. (boolean +# value) +#include_service_catalog = true + +# Used to control the use and type of token binding. Can be set to: +# "disabled" to not check token binding. "permissive" (default) to +# validate binding information if the bind type is of a form known to +# the server and ignore it if not. "strict" like "permissive" but if +# the bind type is unknown the token will be rejected. "required" any +# form of token binding is needed to be allowed. Finally the name of a +# binding method that must be present in tokens. (string value) +#enforce_token_bind = permissive + +# If true, the revocation list will be checked for cached tokens. This +# requires that PKI tokens are configured on the identity server. +# (boolean value) +#check_revocations_for_cached = false + +# Hash algorithms to use for hashing PKI tokens. This may be a single +# algorithm or multiple. The algorithms are those supported by Python +# standard hashlib.new(). The hashes will be tried in the order given, +# so put the preferred one first for performance. The result of the +# first hash will be stored in the cache. This will typically be set +# to multiple values only while migrating from a less secure algorithm +# to a more secure one. Once all the old tokens are expired this +# option should be set to a single value for better performance. (list +# value) +#hash_algorithms = md5 + +# Prefix to prepend at the beginning of the path. Deprecated, use +# identity_uri. (string value) +#auth_admin_prefix = + +# Host providing the admin Identity API endpoint. Deprecated, use +# identity_uri. (string value) +#auth_host = 127.0.0.1 + +# Port of the admin Identity API endpoint. Deprecated, use +# identity_uri. (integer value) +#auth_port = 35357 + +# Protocol of the admin Identity API endpoint (http or https). +# Deprecated, use identity_uri. (string value) +#auth_protocol = https + +# Complete admin Identity API endpoint. This should specify the +# unversioned root endpoint e.g. https://localhost:35357/ (string +# value) +identity_uri = http://{{ CONTROLLER_HOST_ADDRESS }}:35357 + +# This option is deprecated and may be removed in a future release. +# Single shared secret with the Keystone configuration used for +# bootstrapping a Keystone installation, or otherwise bypassing the +# normal authentication process. This option should not be used, use +# `admin_user` and `admin_password` instead. (string value) +#admin_token = <None> + +# Service username. (string value) +admin_user = {{ CEILOMETER_SERVICE_USER }} + +# Service user password. (string value) +admin_password = {{ CEILOMETER_SERVICE_PASSWORD }} + +# Service tenant name. (string value) +admin_tenant_name = service + + +[matchmaker_redis] + +# +# From oslo.messaging +# + +# Host to locate redis. (string value) +#host = 127.0.0.1 + +# Use this port to connect to redis host. (integer value) +#port = 6379 + +# Password for Redis server (optional). (string value) +#password = <None> + + +[matchmaker_ring] + +# +# From oslo.messaging +# + +# Matchmaker ring file (JSON). (string value) +# Deprecated group/name - [DEFAULT]/matchmaker_ringfile +#ringfile = /etc/oslo/matchmaker_ring.json + + +[notification] + +# +# From ceilometer +# + +# Acknowledge message when event persistence fails. (boolean value) +# Deprecated group/name - [collector]/ack_on_event_error +#ack_on_event_error = true + +# Save event details. (boolean value) +# Deprecated group/name - [collector]/store_events +#store_events = false + +# WARNING: Ceilometer historically offered the ability to store events +# as meters. This usage is NOT advised as it can flood the metering +# database and cause performance degradation. This option disables the +# collection of non-metric meters and will be the default behavior in +# Liberty. (boolean value) +#disable_non_metric_meters = false + +# Enable workload partitioning, allowing multiple notification agents +# to be run simultaneously. (boolean value) +#workload_partitioning = false + +# Messaging URLs to listen for notifications. Example: +# transport://user:pass@host1:port[,hostN:portN]/virtual_host +# (DEFAULT/transport_url is used if empty) (multi valued) +#messaging_urls = + + +[oslo_concurrency] + +# +# From oslo.concurrency +# + +# Enables or disables inter-process locks. (boolean value) +# Deprecated group/name - [DEFAULT]/disable_process_locking +#disable_process_locking = false + +# Directory to use for lock files. For security, the specified +# directory should only be writable by the user running the processes +# that need locking. Defaults to environment variable OSLO_LOCK_PATH. +# If external locks are used, a lock path must be set. (string value) +# Deprecated group/name - [DEFAULT]/lock_path +#lock_path = <None> + + +[oslo_messaging_amqp] + +# +# From oslo.messaging +# + +# address prefix used when sending to a specific server (string value) +# Deprecated group/name - [amqp1]/server_request_prefix +#server_request_prefix = exclusive + +# address prefix used when broadcasting to all servers (string value) +# Deprecated group/name - [amqp1]/broadcast_prefix +#broadcast_prefix = broadcast + +# address prefix when sending to any server in group (string value) +# Deprecated group/name - [amqp1]/group_request_prefix +#group_request_prefix = unicast + +# Name for the AMQP container (string value) +# Deprecated group/name - [amqp1]/container_name +#container_name = <None> + +# Timeout for inactive connections (in seconds) (integer value) +# Deprecated group/name - [amqp1]/idle_timeout +#idle_timeout = 0 + +# Debug: dump AMQP frames to stdout (boolean value) +# Deprecated group/name - [amqp1]/trace +#trace = false + +# CA certificate PEM file for verifing server certificate (string +# value) +# Deprecated group/name - [amqp1]/ssl_ca_file +#ssl_ca_file = + +# Identifying certificate PEM file to present to clients (string +# value) +# Deprecated group/name - [amqp1]/ssl_cert_file +#ssl_cert_file = + +# Private key PEM file used to sign cert_file certificate (string +# value) +# Deprecated group/name - [amqp1]/ssl_key_file +#ssl_key_file = + +# Password for decrypting ssl_key_file (if encrypted) (string value) +# Deprecated group/name - [amqp1]/ssl_key_password +#ssl_key_password = <None> + +# Accept clients using either SSL or plain TCP (boolean value) +# Deprecated group/name - [amqp1]/allow_insecure_clients +#allow_insecure_clients = false + + +[oslo_messaging_qpid] + +# +# From oslo.messaging +# + +# Use durable queues in AMQP. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_durable_queues +#amqp_durable_queues = false + +# Auto-delete queues in AMQP. (boolean value) +# Deprecated group/name - [DEFAULT]/amqp_auto_delete +#amqp_auto_delete = false + +# Size of RPC connection pool. (integer value) +# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size +#rpc_conn_pool_size = 30 + +# Qpid broker hostname. (string value) +# Deprecated group/name - [DEFAULT]/qpid_hostname +#qpid_hostname = localhost + +# Qpid broker port. (integer value) +# Deprecated group/name - [DEFAULT]/qpid_port +#qpid_port = 5672 + +# Qpid HA cluster host:port pairs. (list value) +# Deprecated group/name - [DEFAULT]/qpid_hosts +#qpid_hosts = $qpid_hostname:$qpid_port + +# Username for Qpid connection. (string value) +# Deprecated group/name - [DEFAULT]/qpid_username +#qpid_username = + +# Password for Qpid connection. (string value) +# Deprecated group/name - [DEFAULT]/qpid_password +#qpid_password = + +# Space separated list of SASL mechanisms to use for auth. (string +# value) +# Deprecated group/name - [DEFAULT]/qpid_sasl_mechanisms +#qpid_sasl_mechanisms = + +# Seconds between connection keepalive heartbeats. (integer value) +# Deprecated group/name - [DEFAULT]/qpid_heartbeat +#qpid_heartbeat = 60 + +# Transport to use, either 'tcp' or 'ssl'. (string value) +# Deprecated group/name - [DEFAULT]/qpid_protocol +#qpid_protocol = tcp + +# Whether to disable the Nagle algorithm. (boolean value) +# Deprecated group/name - [DEFAULT]/qpid_tcp_nodelay +#qpid_tcp_nodelay = true + +# The number of prefetched messages held by receiver. (integer value) +# Deprecated group/name - [DEFAULT]/qpid_receiver_capacity +#qpid_receiver_capacity = 1 + +# The qpid topology version to use. Version 1 is what was originally +# used by impl_qpid. Version 2 includes some backwards-incompatible +# changes that allow broker federation to work. Users should update +# to version 2 when they are able to take everything down, as it +# requires a clean break. (integer value) +# Deprecated group/name - [DEFAULT]/qpid_topology_version +#qpid_topology_version = 1 + + +[oslo_messaging_rabbit] + +# +# From oslo.messaging +# + +# Use durable queues in AMQP. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_durable_queues +#amqp_durable_queues = false + +# Auto-delete queues in AMQP. (boolean value) +# Deprecated group/name - [DEFAULT]/amqp_auto_delete +#amqp_auto_delete = false + +# Size of RPC connection pool. (integer value) +# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size +#rpc_conn_pool_size = 30 + +# SSL version to use (valid only if SSL enabled). Valid values are +# TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be +# available on some distributions. (string value) +# Deprecated group/name - [DEFAULT]/kombu_ssl_version +#kombu_ssl_version = + +# SSL key file (valid only if SSL enabled). (string value) +# Deprecated group/name - [DEFAULT]/kombu_ssl_keyfile +#kombu_ssl_keyfile = + +# SSL cert file (valid only if SSL enabled). (string value) +# Deprecated group/name - [DEFAULT]/kombu_ssl_certfile +#kombu_ssl_certfile = + +# SSL certification authority file (valid only if SSL enabled). +# (string value) +# Deprecated group/name - [DEFAULT]/kombu_ssl_ca_certs +#kombu_ssl_ca_certs = + +# How long to wait before reconnecting in response to an AMQP consumer +# cancel notification. (floating point value) +# Deprecated group/name - [DEFAULT]/kombu_reconnect_delay +#kombu_reconnect_delay = 1.0 + +# The RabbitMQ broker address where a single node is used. (string +# value) +# Deprecated group/name - [DEFAULT]/rabbit_host +rabbit_host = {{ RABBITMQ_HOST }} + +# The RabbitMQ broker port where a single node is used. (integer +# value) +# Deprecated group/name - [DEFAULT]/rabbit_port +rabbit_port = {{ RABBITMQ_PORT }} + +# RabbitMQ HA cluster host:port pairs. (list value) +# Deprecated group/name - [DEFAULT]/rabbit_hosts +#rabbit_hosts = $rabbit_host:$rabbit_port + +# Connect over SSL for RabbitMQ. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_use_ssl +rabbit_use_ssl = false + +# The RabbitMQ userid. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_userid +rabbit_userid = {{ RABBITMQ_USER }} + +# The RabbitMQ password. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_password +rabbit_password = {{ RABBITMQ_PASSWORD }} + +# The RabbitMQ login method. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_login_method +#rabbit_login_method = AMQPLAIN + +# The RabbitMQ virtual host. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_virtual_host +rabbit_virtual_host = / + +# How frequently to retry connecting with RabbitMQ. (integer value) +#rabbit_retry_interval = 1 + +# How long to backoff for between retries when connecting to RabbitMQ. +# (integer value) +# Deprecated group/name - [DEFAULT]/rabbit_retry_backoff +#rabbit_retry_backoff = 2 + +# Maximum number of RabbitMQ connection retries. Default is 0 +# (infinite retry count). (integer value) +# Deprecated group/name - [DEFAULT]/rabbit_max_retries +#rabbit_max_retries = 0 + +# Use HA queues in RabbitMQ (x-ha-policy: all). If you change this +# option, you must wipe the RabbitMQ database. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_ha_queues +#rabbit_ha_queues = false + +# Number of seconds after which the Rabbit broker is considered down +# if heartbeat's keep-alive fails (0 disables the heartbeat, >0 +# enables it. Enabling heartbeats requires kombu>=3.0.7 and +# amqp>=1.4.0). EXPERIMENTAL (integer value) +#heartbeat_timeout_threshold = 0 + +# How often times during the heartbeat_timeout_threshold we check the +# heartbeat. (integer value) +#heartbeat_rate = 2 + +# Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake +# (boolean value) +# Deprecated group/name - [DEFAULT]/fake_rabbit +#fake_rabbit = false + + +[oslo_policy] + +# +# From oslo.policy +# + +# The JSON file that defines policies. (string value) +# Deprecated group/name - [DEFAULT]/policy_file +policy_file = policy.json + +# Default rule. Enforced when a requested rule is not found. (string +# value) +# Deprecated group/name - [DEFAULT]/policy_default_rule +policy_default_rule = default + +# Directories where policy configuration files are stored. They can be +# relative to any directory in the search path defined by the +# config_dir option, or absolute paths. The file defined by +# policy_file must exist for these directories to be searched. +# Missing or empty directories are ignored. (multi valued) +# Deprecated group/name - [DEFAULT]/policy_dirs +#policy_dirs = policy.d + + +[polling] + +# +# From ceilometer +# + +# Work-load partitioning group prefix. Use only if you want to run +# multiple polling agents with different config files. For each sub- +# group of the agent pool with the same partitioning_group_prefix a +# disjoint subset of pollsters should be loaded. (string value) +# Deprecated group/name - [central]/partitioning_group_prefix +#partitioning_group_prefix = <None> + + +[publisher] + +# +# From ceilometer +# + +# Secret value for signing messages. Set value empty if signing is not +# required to avoid computational overhead. (string value) +# Deprecated group/name - [DEFAULT]/metering_secret +# Deprecated group/name - [publisher_rpc]/metering_secret +# Deprecated group/name - [publisher]/metering_secret +#telemetry_secret = change this for valid signing + + +[publisher_notifier] + +# +# From ceilometer +# + +# The topic that ceilometer uses for metering notifications. (string +# value) +#metering_topic = metering + +# The topic that ceilometer uses for event notifications. (string +# value) +#event_topic = event + +# The driver that ceilometer uses for metering notifications. (string +# value) +# Deprecated group/name - [DEFAULT]/metering_driver +#telemetry_driver = messagingv2 + + +[publisher_rpc] + +# +# From ceilometer +# + +# The topic that ceilometer uses for metering messages. (string value) +# Deprecated group/name - [DEFAULT]/metering_topic +#metering_topic = metering + + +[rgw_admin_credentials] + +# +# From ceilometer +# + +# Access key for Radosgw Admin. (string value) +#access_key = <None> + +# Secret key for Radosgw Admin. (string value) +#secret_key = <None> + + +[service_credentials] + +# +# From ceilometer +# + +# User name to use for OpenStack service access. (string value) +# Deprecated group/name - [DEFAULT]/os_username +os_username = {{ CEILOMETER_SERVICE_USER }} + +# Password to use for OpenStack service access. (string value) +# Deprecated group/name - [DEFAULT]/os_password +os_password = {{ CEILOMETER_SERVICE_PASSWORD }} + +# Tenant ID to use for OpenStack service access. (string value) +# Deprecated group/name - [DEFAULT]/os_tenant_id +#os_tenant_id = + +# Tenant name to use for OpenStack service access. (string value) +# Deprecated group/name - [DEFAULT]/os_tenant_name +os_tenant_name = service + +# Certificate chain for SSL validation. (string value) +#os_cacert = <None> + +# Auth URL to use for OpenStack service access. (string value) +# Deprecated group/name - [DEFAULT]/os_auth_url +os_auth_url = http://{{ CONTROLLER_HOST_ADDRESS }}:5000/v2.0 + +# Region name to use for OpenStack service endpoints. (string value) +# Deprecated group/name - [DEFAULT]/os_region_name +os_region_name = regionOne + +# Type of endpoint in Identity service catalog to use for +# communication with OpenStack services. (string value) +os_endpoint_type = internalURL + +# Disables X.509 certificate validation when an SSL connection to +# Identity Service is established. (boolean value) +#insecure = false + + +[service_types] + +# +# From ceilometer +# + +# Kwapi service type. (string value) +#kwapi = energy + +# Glance service type. (string value) +glance = image + +# Neutron service type. (string value) +neutron = network + +# Nova service type. (string value) +nova = compute + +# Radosgw service type. (string value) +#radosgw = object-store + +# Swift service type. (string value) +#swift = object-store + + +[vmware] + +# +# From ceilometer +# + +# IP address of the VMware Vsphere host. (string value) +#host_ip = + +# Port of the VMware Vsphere host. (integer value) +#host_port = 443 + +# Username of VMware Vsphere. (string value) +#host_username = + +# Password of VMware Vsphere. (string value) +#host_password = + +# Number of times a VMware Vsphere API may be retried. (integer value) +#api_retry_count = 10 + +# Sleep time in seconds for polling an ongoing async task. (floating +# point value) +#task_poll_interval = 0.5 + +# Optional vim service WSDL location e.g +# http://<server>/vimService.wsdl. Optional over-ride to default +# location for bug work-arounds. (string value) +#wsdl_location = <None> + + +[xenapi] + +# +# From ceilometer +# + +# URL for connection to XenServer/Xen Cloud Platform. (string value) +#connection_url = <None> + +# Username for connection to XenServer/Xen Cloud Platform. (string +# value) +#connection_username = root + +# Password for connection to XenServer/Xen Cloud Platform. (string +# value) +#connection_password = <None> + +# Timeout in seconds for XenAPI login. (integer value) +#login_timeout = 10 diff --git a/old/install-files/openstack/usr/share/openstack/cinder-config.yml b/old/install-files/openstack/usr/share/openstack/cinder-config.yml new file mode 100644 index 00000000..fd3e2cd0 --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/cinder-config.yml @@ -0,0 +1,37 @@ +--- +- hosts: localhost + vars_files: + - "/etc/openstack/cinder.conf" + tasks: +# Configure cinder + - name: Create the cinder user. + user: + name: cinder + comment: Openstack Cinder Daemons + shell: /sbin/nologin + home: /var/lib/cinder + + - name: Create the /var folders for cinder + file: + path: "{{ item }}" + state: directory + owner: cinder + group: cinder + with_items: + - /var/run/cinder + - /var/lock/cinder + - /var/log/cinder + - /var/lib/cinder + - /var/lib/cinder/volumes + + - name: Create /etc/cinder directory + file: + path: /etc/cinder + state: directory + + - name: Add the configuration needed for cinder in /etc/cinder using templates + template: + src: /usr/share/openstack/cinder/{{ item }} + dest: /etc/cinder/{{ item }} + with_lines: + - cd /usr/share/openstack/cinder && find -type f diff --git a/old/install-files/openstack/usr/share/openstack/cinder-db.yml b/old/install-files/openstack/usr/share/openstack/cinder-db.yml new file mode 100644 index 00000000..24e4980f --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/cinder-db.yml @@ -0,0 +1,59 @@ +--- +- hosts: localhost + vars_files: + - "/etc/openstack/cinder.conf" + tasks: + - name: Create cinder service user in service tenant + keystone_user: + user: "{{ CINDER_SERVICE_USER }}" + password: "{{ CINDER_SERVICE_PASSWORD }}" + tenant: service + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + + - name: Assign admin role to cinder service user in the service tenant + keystone_user: + role: admin + user: "{{ CINDER_SERVICE_USER }}" + tenant: service + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + + - name: Add cinder endpoint + keystone_service: + name: cinder + type: volume + description: Openstack Block Storage + publicurl: 'http://{{ ansible_hostname }}:8776/v1/%(tenant_id)s' + internalurl: 'http://{{ CONTROLLER_HOST_ADDRESS }}:8776/v1/%(tenant_id)s' + adminurl: 'http://{{ CONTROLLER_HOST_ADDRESS }}:8776/v1/%(tenant_id)s' + region: regionOne + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + + - name: Add cinderv2 endpoint + keystone_service: + name: cinderv2 + type: volumev2 + description: Openstack Block Storage + publicurl: 'http://{{ ansible_hostname }}:8776/v2/%(tenant_id)s' + internalurl: 'http://{{ CONTROLLER_HOST_ADDRESS }}:8776/v2/%(tenant_id)s' + adminurl: 'http://{{ CONTROLLER_HOST_ADDRESS }}:8776/v2/%(tenant_id)s' + region: regionOne + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + + - name: Create postgresql user for cinder + postgresql_user: + name: "{{ CINDER_DB_USER }}" + password: "{{ CINDER_DB_PASSWORD }}" + sudo: yes + sudo_user: cinder + + - name: Create database for cinder services + postgresql_db: + name: cinder + owner: "{{ CINDER_DB_USER }}" + sudo: yes + sudo_user: cinder + + - name: Initiate cinder database + command: cinder-manage db sync + sudo: yes + sudo_user: cinder diff --git a/old/install-files/openstack/usr/share/openstack/cinder-lvs.yml b/old/install-files/openstack/usr/share/openstack/cinder-lvs.yml new file mode 100644 index 00000000..7a91a306 --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/cinder-lvs.yml @@ -0,0 +1,21 @@ +--- +- hosts: localhost + vars_files: + - "/etc/openstack/cinder.conf" + tasks: + - name: Check that CINDER_DEVICE exists + stat: + path: "{{ CINDER_DEVICE }}" + register: cinder_device_stats + failed_when: cinder_device_stats.stat.exists == false + + - name: Configure LVM group for cinder + lvg: + vg: cinder-volumes + pvs: "{{ CINDER_DEVICE }}" + + - lineinfile: + dest: /etc/lvm/lvm.conf + regexp: '# filter = \[ \"a\/\.\*/\" \]' + line: ' filter = [ "a|{{ CINDER_DEVICE }}|", "r/.*/" ]' + backrefs: yes diff --git a/old/install-files/openstack/usr/share/openstack/cinder/cinder.conf b/old/install-files/openstack/usr/share/openstack/cinder/cinder.conf new file mode 100644 index 00000000..f3e4f11c --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/cinder/cinder.conf @@ -0,0 +1,2991 @@ +[DEFAULT] + +use_syslog = True + +# +# Options defined in oslo.messaging +# + +# ZeroMQ bind address. Should be a wildcard (*), an ethernet +# interface, or IP. The "host" option should point or resolve +# to this address. (string value) +#rpc_zmq_bind_address=* + +# MatchMaker driver. (string value) +#rpc_zmq_matchmaker=local + +# ZeroMQ receiver listening port. (integer value) +#rpc_zmq_port=9501 + +# Number of ZeroMQ contexts, defaults to 1. (integer value) +#rpc_zmq_contexts=1 + +# Maximum number of ingress messages to locally buffer per +# topic. Default is unlimited. (integer value) +#rpc_zmq_topic_backlog=<None> + +# Directory for holding IPC sockets. (string value) +#rpc_zmq_ipc_dir=/var/run/openstack + +# Name of this node. Must be a valid hostname, FQDN, or IP +# address. Must match "host" option, if running Nova. (string +# value) +#rpc_zmq_host=cinder + +# Seconds to wait before a cast expires (TTL). Only supported +# by impl_zmq. (integer value) +#rpc_cast_timeout=30 + +# Heartbeat frequency. (integer value) +#matchmaker_heartbeat_freq=300 + +# Heartbeat time-to-live. (integer value) +#matchmaker_heartbeat_ttl=600 + +# Size of RPC thread pool. (integer value) +#rpc_thread_pool_size=64 + +# Driver or drivers to handle sending notifications. (multi +# valued) +notification_driver=messagingv2 + +# AMQP topic used for OpenStack notifications. (list value) +# Deprecated group/name - [rpc_notifier2]/topics +#notification_topics=notifications + +# Seconds to wait for a response from a call. (integer value) +#rpc_response_timeout=60 + +# A URL representing the messaging driver to use and its full +# configuration. If not set, we fall back to the rpc_backend +# option and driver specific configuration. (string value) +#transport_url=<None> + +# The messaging driver to use, defaults to rabbit. Other +# drivers include qpid and zmq. (string value) +rpc_backend=rabbit + +# The default exchange under which topics are scoped. May be +# overridden by an exchange name specified in the +# transport_url option. (string value) +control_exchange=cinder + + +# +# Options defined in cinder.exception +# + +# Make exception message format errors fatal. (boolean value) +#fatal_exception_format_errors=false + + +# +# Options defined in cinder.quota +# + +# Number of volumes allowed per project (integer value) +#quota_volumes=10 + +# Number of volume snapshots allowed per project (integer +# value) +#quota_snapshots=10 + +# Number of consistencygroups allowed per project (integer +# value) +#quota_consistencygroups=10 + +# Total amount of storage, in gigabytes, allowed for volumes +# and snapshots per project (integer value) +#quota_gigabytes=1000 + +# Number of volume backups allowed per project (integer value) +#quota_backups=10 + +# Total amount of storage, in gigabytes, allowed for backups +# per project (integer value) +#quota_backup_gigabytes=1000 + +# Number of seconds until a reservation expires (integer +# value) +#reservation_expire=86400 + +# Count of reservations until usage is refreshed (integer +# value) +#until_refresh=0 + +# Number of seconds between subsequent usage refreshes +# (integer value) +#max_age=0 + +# Default driver to use for quota checks (string value) +#quota_driver=cinder.quota.DbQuotaDriver + +# Enables or disables use of default quota class with default +# quota. (boolean value) +#use_default_quota_class=true + + +# +# Options defined in cinder.service +# + +# Interval, in seconds, between nodes reporting state to +# datastore (integer value) +#report_interval=10 + +# Interval, in seconds, between running periodic tasks +# (integer value) +#periodic_interval=60 + +# Range, in seconds, to randomly delay when starting the +# periodic task scheduler to reduce stampeding. (Disable by +# setting to 0) (integer value) +#periodic_fuzzy_delay=60 + +# IP address on which OpenStack Volume API listens (string +# value) +#osapi_volume_listen=0.0.0.0 + +# Port on which OpenStack Volume API listens (integer value) +#osapi_volume_listen_port=8776 + +# Number of workers for OpenStack Volume API service. The +# default is equal to the number of CPUs available. (integer +# value) +#osapi_volume_workers=<None> + + +# +# Options defined in cinder.ssh_utils +# + +# Option to enable strict host key checking. When set to +# "True" Cinder will only connect to systems with a host key +# present in the configured "ssh_hosts_key_file". When set to +# "False" the host key will be saved upon first connection and +# used for subsequent connections. Default=False (boolean +# value) +#strict_ssh_host_key_policy=false + +# File containing SSH host keys for the systems with which +# Cinder needs to communicate. OPTIONAL: +# Default=$state_path/ssh_known_hosts (string value) +#ssh_hosts_key_file=$state_path/ssh_known_hosts + + +# +# Options defined in cinder.test +# + +# File name of clean sqlite db (string value) +#sqlite_clean_db=clean.sqlite + + +# +# Options defined in cinder.wsgi +# + +# Maximum line size of message headers to be accepted. +# max_header_line may need to be increased when using large +# tokens (typically those generated by the Keystone v3 API +# with big service catalogs). (integer value) +#max_header_line=16384 + +# Timeout for client connections' socket operations. If an +# incoming connection is idle for this number of seconds it +# will be closed. A value of '0' means wait forever. (integer +# value) +#client_socket_timeout=900 + +# If False, closes the client socket connection explicitly. +# Setting it to True to maintain backward compatibility. +# Recommended setting is set it to False. (boolean value) +#wsgi_keep_alive=true + +# Sets the value of TCP_KEEPALIVE (True/False) for each server +# socket. (boolean value) +#tcp_keepalive=true + +# Sets the value of TCP_KEEPIDLE in seconds for each server +# socket. Not supported on OS X. (integer value) +#tcp_keepidle=600 + +# Sets the value of TCP_KEEPINTVL in seconds for each server +# socket. Not supported on OS X. (integer value) +#tcp_keepalive_interval=<None> + +# Sets the value of TCP_KEEPCNT for each server socket. Not +# supported on OS X. (integer value) +#tcp_keepalive_count=<None> + +# CA certificate file to use to verify connecting clients +# (string value) +#ssl_ca_file=<None> + +# Certificate file to use when starting the server securely +# (string value) +#ssl_cert_file=<None> + +# Private key file to use when starting the server securely +# (string value) +#ssl_key_file=<None> + + +# +# Options defined in cinder.api.common +# + +# The maximum number of items that a collection resource +# returns in a single response (integer value) +#osapi_max_limit=1000 + +# Base URL that will be presented to users in links to the +# OpenStack Volume API (string value) +# Deprecated group/name - [DEFAULT]/osapi_compute_link_prefix +#osapi_volume_base_URL=<None> + + +# +# Options defined in cinder.api.middleware.auth +# + +# Treat X-Forwarded-For as the canonical remote address. Only +# enable this if you have a sanitizing proxy. (boolean value) +#use_forwarded_for=false + + +# +# Options defined in cinder.api.middleware.sizelimit +# + +# Max size for body of a request (integer value) +#osapi_max_request_body_size=114688 + + +# +# Options defined in cinder.api.views.versions +# + +# Public url to use for versions endpoint. The default is +# None, which will use the request's host_url attribute to +# populate the URL base. If Cinder is operating behind a +# proxy, you will want to change this to represent the proxy's +# URL. (string value) +#public_endpoint=<None> + + +# +# Options defined in cinder.backup.chunkeddriver +# + +# Compression algorithm (None to disable) (string value) +#backup_compression_algorithm=zlib + + +# +# Options defined in cinder.backup.driver +# + +# Backup metadata version to be used when backing up volume +# metadata. If this number is bumped, make sure the service +# doing the restore supports the new version. (integer value) +#backup_metadata_version=2 + +# The number of chunks or objects, for which one Ceilometer +# notification will be sent (integer value) +#backup_object_number_per_notification=10 + +# Interval, in seconds, between two progress notifications +# reporting the backup status (integer value) +#backup_timer_interval=120 + + +# +# Options defined in cinder.backup.drivers.ceph +# + +# Ceph configuration file to use. (string value) +#backup_ceph_conf=/etc/ceph/ceph.conf + +# The Ceph user to connect with. Default here is to use the +# same user as for Cinder volumes. If not using cephx this +# should be set to None. (string value) +#backup_ceph_user=cinder + +# The chunk size, in bytes, that a backup is broken into +# before transfer to the Ceph object store. (integer value) +#backup_ceph_chunk_size=134217728 + +# The Ceph pool where volume backups are stored. (string +# value) +#backup_ceph_pool=backups + +# RBD stripe unit to use when creating a backup image. +# (integer value) +#backup_ceph_stripe_unit=0 + +# RBD stripe count to use when creating a backup image. +# (integer value) +#backup_ceph_stripe_count=0 + +# If True, always discard excess bytes when restoring volumes +# i.e. pad with zeroes. (boolean value) +#restore_discard_excess_bytes=true + + +# +# Options defined in cinder.backup.drivers.nfs +# + +# The maximum size in bytes of the files used to hold backups. +# If the volume being backed up exceeds this size, then it +# will be backed up into multiple files. (integer value) +#backup_file_size=1999994880 + +# The size in bytes that changes are tracked for incremental +# backups. backup_swift_object_size has to be multiple of +# backup_swift_block_size. (integer value) +#backup_sha_block_size_bytes=32768 + +# Enable or Disable the timer to send the periodic progress +# notifications to Ceilometer when backing up the volume to +# the backend storage. The default value is True to enable the +# timer. (boolean value) +#backup_enable_progress_timer=true + +# Base dir containing mount point for NFS share. (string +# value) +#backup_mount_point_base=$state_path/backup_mount + +# NFS share in fqdn:path, ipv4addr:path, or "[ipv6addr]:path" +# format. (string value) +#backup_share=<None> + +# Mount options passed to the NFS client. See NFS man page for +# details. (string value) +#backup_mount_options=<None> + +# Custom container to use for backups. (string value) +#backup_container=<None> + + +# +# Options defined in cinder.backup.drivers.swift +# + +# The URL of the Swift endpoint (string value) +#backup_swift_url=<None> + +# Info to match when looking for swift in the service catalog. +# Format is: separated values of the form: +# <service_type>:<service_name>:<endpoint_type> - Only used if +# backup_swift_url is unset (string value) +#swift_catalog_info=object-store:swift:publicURL + +# Swift authentication mechanism (string value) +#backup_swift_auth=per_user + +# Swift authentication version. Specify "1" for auth 1.0, or +# "2" for auth 2.0 (string value) +#backup_swift_auth_version=1 + +# Swift tenant/account name. Required when connecting to an +# auth 2.0 system (string value) +#backup_swift_tenant=<None> + +# Swift user name (string value) +#backup_swift_user=<None> + +# Swift key for authentication (string value) +#backup_swift_key=<None> + +# The default Swift container to use (string value) +#backup_swift_container=volumebackups + +# The size in bytes of Swift backup objects (integer value) +#backup_swift_object_size=52428800 + +# The size in bytes that changes are tracked for incremental +# backups. backup_swift_object_size has to be multiple of +# backup_swift_block_size. (integer value) +#backup_swift_block_size=32768 + +# The number of retries to make for Swift operations (integer +# value) +#backup_swift_retry_attempts=3 + +# The backoff time in seconds between Swift retries (integer +# value) +#backup_swift_retry_backoff=2 + +# Enable or Disable the timer to send the periodic progress +# notifications to Ceilometer when backing up the volume to +# the Swift backend storage. The default value is True to +# enable the timer. (boolean value) +#backup_swift_enable_progress_timer=true + + +# +# Options defined in cinder.backup.drivers.tsm +# + +# Volume prefix for the backup id when backing up to TSM +# (string value) +#backup_tsm_volume_prefix=backup + +# TSM password for the running username (string value) +#backup_tsm_password=password + +# Enable or Disable compression for backups (boolean value) +#backup_tsm_compression=true + + +# +# Options defined in cinder.backup.manager +# + +# Driver to use for backups. (string value) +# Deprecated group/name - [DEFAULT]/backup_service +#backup_driver=cinder.backup.drivers.swift + + +# +# Options defined in cinder.cmd.volume +# + +# Backend override of host value. (string value) +# Deprecated group/name - [DEFAULT]/host +#backend_host=<None> + + +# +# Options defined in cinder.cmd.volume_usage_audit +# + +# If this option is specified then the start time specified is +# used instead of the start time of the last completed audit +# period. (string value) +#start_time=<None> + +# If this option is specified then the end time specified is +# used instead of the end time of the last completed audit +# period. (string value) +#end_time=<None> + +# Send the volume and snapshot create and delete notifications +# generated in the specified period. (boolean value) +#send_actions=false + + +# +# Options defined in cinder.common.config +# + +# File name for the paste.deploy config for cinder-api (string +# value) +api_paste_config=api-paste.ini + +# Top-level directory for maintaining cinder's state (string +# value) +# Deprecated group/name - [DEFAULT]/pybasedir +state_path=/var/lib/cinder + +# IP address of this host (string value) +my_ip={{ MANAGEMENT_INTERFACE_IP_ADDRESS }} + +# Default glance host name or IP (string value) +glance_host={{ CONTROLLER_HOST_ADDRESS }} + +# Default glance port (integer value) +#glance_port=9292 + +# A list of the glance API servers available to cinder +# ([hostname|ip]:port) (list value) +#glance_api_servers=$glance_host:$glance_port + +# Version of the glance API to use (integer value) +#glance_api_version=1 + +# Number retries when downloading an image from glance +# (integer value) +#glance_num_retries=0 + +# Allow to perform insecure SSL (https) requests to glance +# (boolean value) +#glance_api_insecure=false + +# Enables or disables negotiation of SSL layer compression. In +# some cases disabling compression can improve data +# throughput, such as when high network bandwidth is available +# and you use compressed image formats like qcow2. (boolean +# value) +#glance_api_ssl_compression=false + +# Location of ca certificates file to use for glance client +# requests. (string value) +#glance_ca_certificates_file=<None> + +# http/https timeout value for glance operations. If no value +# (None) is supplied here, the glanceclient default value is +# used. (integer value) +#glance_request_timeout=<None> + +# The topic that scheduler nodes listen on (string value) +#scheduler_topic=cinder-scheduler + +# The topic that volume nodes listen on (string value) +#volume_topic=cinder-volume + +# The topic that volume backup nodes listen on (string value) +#backup_topic=cinder-backup + +# DEPRECATED: Deploy v1 of the Cinder API. (boolean value) +#enable_v1_api=true + +# Deploy v2 of the Cinder API. (boolean value) +#enable_v2_api=true + +# Enables or disables rate limit of the API. (boolean value) +#api_rate_limit=true + +# Specify list of extensions to load when using +# osapi_volume_extension option with +# cinder.api.contrib.select_extensions (list value) +#osapi_volume_ext_list= + +# osapi volume extension to load (multi valued) +#osapi_volume_extension=cinder.api.contrib.standard_extensions + +# Full class name for the Manager for volume (string value) +#volume_manager=cinder.volume.manager.VolumeManager + +# Full class name for the Manager for volume backup (string +# value) +#backup_manager=cinder.backup.manager.BackupManager + +# Full class name for the Manager for scheduler (string value) +#scheduler_manager=cinder.scheduler.manager.SchedulerManager + +# Name of this node. This can be an opaque identifier. It is +# not necessarily a host name, FQDN, or IP address. (string +# value) +#host=cinder + +# Availability zone of this node (string value) +#storage_availability_zone=nova + +# Default availability zone for new volumes. If not set, the +# storage_availability_zone option value is used as the +# default for new volumes. (string value) +#default_availability_zone=<None> + +# Default volume type to use (string value) +#default_volume_type=<None> + +# Time period for which to generate volume usages. The options +# are hour, day, month, or year. (string value) +#volume_usage_audit_period=month + +# Path to the rootwrap configuration file to use for running +# commands as root (string value) +rootwrap_config=/etc/cinder/rootwrap.conf + +# Enable monkey patching (boolean value) +#monkey_patch=false + +# List of modules/decorators to monkey patch (list value) +#monkey_patch_modules= + +# Maximum time since last check-in for a service to be +# considered up (integer value) +#service_down_time=60 + +# The full class name of the volume API class to use (string +# value) +#volume_api_class=cinder.volume.api.API + +# The full class name of the volume backup API class (string +# value) +#backup_api_class=cinder.backup.api.API + +# The strategy to use for auth. Supports noauth, keystone, and +# deprecated. (string value) +auth_strategy=keystone + +# A list of backend names to use. These backend names should +# be backed by a unique [CONFIG] group with its options (list +# value) +#enabled_backends=<None> + +# Whether snapshots count against gigabyte quota (boolean +# value) +#no_snapshot_gb_quota=false + +# The full class name of the volume transfer API class (string +# value) +#transfer_api_class=cinder.transfer.api.API + +# The full class name of the volume replication API class +# (string value) +#replication_api_class=cinder.replication.api.API + +# The full class name of the consistencygroup API class +# (string value) +#consistencygroup_api_class=cinder.consistencygroup.api.API + +# OpenStack privileged account username. Used for requests to +# other services (such as Nova) that require an account with +# special rights. (string value) +#os_privileged_user_name=<None> + +# Password associated with the OpenStack privileged account. +# (string value) +#os_privileged_user_password=<None> + +# Tenant name associated with the OpenStack privileged +# account. (string value) +#os_privileged_user_tenant=<None> + + +# +# Options defined in cinder.compute +# + +# The full class name of the compute API class to use (string +# value) +#compute_api_class=cinder.compute.nova.API + + +# +# Options defined in cinder.compute.nova +# + +# Match this value when searching for nova in the service +# catalog. Format is: separated values of the form: +# <service_type>:<service_name>:<endpoint_type> (string value) +#nova_catalog_info=compute:Compute Service:publicURL + +# Same as nova_catalog_info, but for admin endpoint. (string +# value) +#nova_catalog_admin_info=compute:Compute Service:adminURL + +# Override service catalog lookup with template for nova +# endpoint e.g. http://localhost:8774/v2/%(project_id)s +# (string value) +#nova_endpoint_template=<None> + +# Same as nova_endpoint_template, but for admin endpoint. +# (string value) +#nova_endpoint_admin_template=<None> + +# Region name of this node (string value) +#os_region_name=<None> + +# Location of ca certificates file to use for nova client +# requests. (string value) +#nova_ca_certificates_file=<None> + +# Allow to perform insecure SSL requests to nova (boolean +# value) +#nova_api_insecure=false + + +# +# Options defined in cinder.db.api +# + +# Services to be added to the available pool on create +# (boolean value) +#enable_new_services=true + +# Template string to be used to generate volume names (string +# value) +volume_name_template=volume-%s + +# Template string to be used to generate snapshot names +# (string value) +snapshot_name_template=snapshot-%s + +# Template string to be used to generate backup names (string +# value) +backup_name_template=backup-%s + + +# +# Options defined in cinder.db.base +# + +# Driver to use for database access (string value) +#db_driver=cinder.db + + +# +# Options defined in cinder.image.glance +# + +# Default core properties of image (list value) +#glance_core_properties=checksum,container_format,disk_format,image_name,image_id,min_disk,min_ram,name,size + +# A list of url schemes that can be downloaded directly via +# the direct_url. Currently supported schemes: [file]. (list +# value) +#allowed_direct_url_schemes= + + +# +# Options defined in cinder.image.image_utils +# + +# Directory used for temporary storage during image conversion +# (string value) +#image_conversion_dir=$state_path/conversion + + +# +# Options defined in cinder.openstack.common.eventlet_backdoor +# + +# Enable eventlet backdoor. Acceptable values are 0, <port>, +# and <start>:<end>, where 0 results in listening on a random +# tcp port number; <port> results in listening on the +# specified port number (and not enabling backdoor if that +# port is in use); and <start>:<end> results in listening on +# the smallest unused port number within the specified range +# of port numbers. The chosen port is displayed in the +# service's log file. (string value) +#backdoor_port=<None> + + +# +# Options defined in cinder.openstack.common.periodic_task +# + +# Some periodic tasks can be run in a separate process. Should +# we run them here? (boolean value) +#run_external_periodic_tasks=true + + +# +# Options defined in cinder.openstack.common.policy +# + +# The JSON file that defines policies. (string value) +#policy_file=policy.json + +# Default rule. Enforced when a requested rule is not found. +# (string value) +#policy_default_rule=default + +# Directories where policy configuration files are stored. +# They can be relative to any directory in the search path +# defined by the config_dir option, or absolute paths. The +# file defined by policy_file must exist for these directories +# to be searched. Missing or empty directories are ignored. +# (multi valued) +#policy_dirs=policy.d + + +# +# Options defined in cinder.openstack.common.versionutils +# + +# Enables or disables fatal status of deprecations. (boolean +# value) +#fatal_deprecations=false + + +# +# Options defined in cinder.scheduler.driver +# + +# The scheduler host manager class to use (string value) +#scheduler_host_manager=cinder.scheduler.host_manager.HostManager + +# Maximum number of attempts to schedule an volume (integer +# value) +#scheduler_max_attempts=3 + + +# +# Options defined in cinder.scheduler.host_manager +# + +# Which filter class names to use for filtering hosts when not +# specified in the request. (list value) +#scheduler_default_filters=AvailabilityZoneFilter,CapacityFilter,CapabilitiesFilter + +# Which weigher class names to use for weighing hosts. (list +# value) +#scheduler_default_weighers=CapacityWeigher + + +# +# Options defined in cinder.scheduler.manager +# + +# Default scheduler driver to use (string value) +#scheduler_driver=cinder.scheduler.filter_scheduler.FilterScheduler + + +# +# Options defined in cinder.scheduler.scheduler_options +# + +# Absolute path to scheduler configuration JSON file. (string +# value) +#scheduler_json_config_location= + + +# +# Options defined in cinder.scheduler.simple +# + +# This configure option has been deprecated along with the +# SimpleScheduler. New scheduler is able to gather capacity +# information for each host, thus setting the maximum number +# of volume gigabytes for host is no longer needed. It's safe +# to remove this configure from cinder.conf. (integer value) +#max_gigabytes=10000 + + +# +# Options defined in cinder.scheduler.weights.capacity +# + +# Multiplier used for weighing volume capacity. Negative +# numbers mean to stack vs spread. (floating point value) +#capacity_weight_multiplier=1.0 + +# Multiplier used for weighing volume capacity. Negative +# numbers mean to stack vs spread. (floating point value) +#allocated_capacity_weight_multiplier=-1.0 + + +# +# Options defined in cinder.scheduler.weights.volume_number +# + +# Multiplier used for weighing volume number. Negative numbers +# mean to spread vs stack. (floating point value) +#volume_number_multiplier=-1.0 + + +# +# Options defined in cinder.transfer.api +# + +# The number of characters in the salt. (integer value) +#volume_transfer_salt_length=8 + +# The number of characters in the autogenerated auth key. +# (integer value) +#volume_transfer_key_length=16 + + +# +# Options defined in cinder.volume.api +# + +# Cache volume availability zones in memory for the provided +# duration in seconds (integer value) +#az_cache_duration=3600 + +# Create volume from snapshot at the host where snapshot +# resides (boolean value) +#snapshot_same_host=true + +# Ensure that the new volumes are the same AZ as snapshot or +# source volume (boolean value) +#cloned_volume_same_az=true + + +# +# Options defined in cinder.volume.driver +# + +# The maximum number of times to rescan iSER targetto find +# volume (integer value) +#num_iser_scan_tries=3 + +# This option is deprecated and unused. It will be removed in +# the Liberty release. (integer value) +#iser_num_targets=<None> + +# Prefix for iSER volumes (string value) +#iser_target_prefix=iqn.2010-10.org.openstack: + +# The IP address that the iSER daemon is listening on (string +# value) +#iser_ip_address=$my_ip + +# The port that the iSER daemon is listening on (integer +# value) +#iser_port=3260 + +# The name of the iSER target user-land tool to use (string +# value) +#iser_helper=tgtadm + +# Number of times to attempt to run flakey shell commands +# (integer value) +#num_shell_tries=3 + +# The percentage of backend capacity is reserved (integer +# value) +#reserved_percentage=0 + +# This option is deprecated and unused. It will be removed in +# the Liberty release. (integer value) +#iscsi_num_targets=<None> + +# Prefix for iSCSI volumes (string value) +#iscsi_target_prefix=iqn.2010-10.org.openstack: + +# The IP address that the iSCSI daemon is listening on (string +# value) +iscsi_ip_address={{ MANAGEMENT_INTERFACE_IP_ADDRESS }} + +# The list of secondary IP addresses of the iSCSI daemon (list +# value) +#iscsi_secondary_ip_addresses= + +# The port that the iSCSI daemon is listening on (integer +# value) +iscsi_port=3260 + +# The maximum number of times to rescan targets to find volume +# (integer value) +# Deprecated group/name - [DEFAULT]/num_iscsi_scan_tries +#num_volume_device_scan_tries=3 + +# The backend name for a given driver implementation (string +# value) +volume_backend_name=LVM_iSCSI + +# Do we attach/detach volumes in cinder using multipath for +# volume to image and image to volume transfers? (boolean +# value) +#use_multipath_for_image_xfer=false + +# If this is set to True, attachment of volumes for image +# transfer will be aborted when multipathd is not running. +# Otherwise, it will fallback to single path. (boolean value) +#enforce_multipath_for_image_xfer=false + +# Method used to wipe old volumes (string value) +volume_clear=zero + +# Size in MiB to wipe at start of old volumes. 0 => all +# (integer value) +volume_clear_size=50 + +# The flag to pass to ionice to alter the i/o priority of the +# process used to zero a volume after deletion, for example +# "-c3" for idle only priority. (string value) +#volume_clear_ionice=<None> + +# iSCSI target user-land tool to use. tgtadm is default, use +# lioadm for LIO iSCSI support, scstadmin for SCST target +# support, iseradm for the ISER protocol, ietadm for iSCSI +# Enterprise Target, iscsictl for Chelsio iSCSI Target or fake +# for testing. (string value) +iscsi_helper=lioadm + +# Volume configuration file storage directory (string value) +volumes_dir=$state_path/volumes + +# IET configuration file (string value) +#iet_conf=/etc/iet/ietd.conf + +# Chiscsi (CXT) global defaults configuration file (string +# value) +#chiscsi_conf=/etc/chelsio-iscsi/chiscsi.conf + +# This option is deprecated and unused. It will be removed in +# the next release. (string value) +#lio_initiator_iqns= + +# Sets the behavior of the iSCSI target to either perform +# blockio or fileio optionally, auto can be set and Cinder +# will autodetect type of backing device (string value) +#iscsi_iotype=fileio + +# The default block size used when copying/clearing volumes +# (string value) +#volume_dd_blocksize=1M + +# The blkio cgroup name to be used to limit bandwidth of +# volume copy (string value) +#volume_copy_blkio_cgroup_name=cinder-volume-copy + +# The upper limit of bandwidth of volume copy. 0 => unlimited +# (integer value) +#volume_copy_bps_limit=0 + +# Sets the behavior of the iSCSI target to either perform +# write-back(on) or write-through(off). This parameter is +# valid if iscsi_helper is set to tgtadm or iseradm. (string +# value) +#iscsi_write_cache=on + +# Determines the iSCSI protocol for new iSCSI volumes, created +# with tgtadm or lioadm target helpers. In order to enable +# RDMA, this parameter should be set with the value "iser". +# The supported iSCSI protocol values are "iscsi" and "iser". +# (string value) +#iscsi_protocol=iscsi + +# The path to the client certificate key for verification, if +# the driver supports it. (string value) +#driver_client_cert_key=<None> + +# The path to the client certificate for verification, if the +# driver supports it. (string value) +#driver_client_cert=<None> + +# Tell driver to use SSL for connection to backend storage if +# the driver supports it. (boolean value) +#driver_use_ssl=false + +# Float representation of the over subscription ratio when +# thin provisioning is involved. Default ratio is 20.0, +# meaning provisioned capacity can be 20 times of the total +# physical capacity. If the ratio is 10.5, it means +# provisioned capacity can be 10.5 times of the total physical +# capacity. A ratio of 1.0 means provisioned capacity cannot +# exceed the total physical capacity. A ratio lower than 1.0 +# will be ignored and the default value will be used instead. +# (floating point value) +#max_over_subscription_ratio=20.0 + +# Certain ISCSI targets have predefined target names, SCST +# target driver uses this name. (string value) +#scst_target_iqn_name=<None> + +# SCST target implementation can choose from multiple SCST +# target drivers. (string value) +#scst_target_driver=iscsi + +# Option to enable/disable CHAP authentication for targets. +# (boolean value) +# Deprecated group/name - [DEFAULT]/eqlx_use_chap +#use_chap_auth=false + +# CHAP user name. (string value) +# Deprecated group/name - [DEFAULT]/eqlx_chap_login +#chap_username= + +# Password for specified CHAP account name. (string value) +# Deprecated group/name - [DEFAULT]/eqlx_chap_password +#chap_password= + +# Namespace for driver private data values to be saved in. +# (string value) +#driver_data_namespace=<None> + +# String representation for an equation that will be used to +# filter hosts. Only used when the driver filter is set to be +# used by the Cinder scheduler. (string value) +#filter_function=<None> + +# String representation for an equation that will be used to +# determine the goodness of a host. Only used when using the +# goodness weigher is set to be used by the Cinder scheduler. +# (string value) +#goodness_function=<None> + + +# +# Options defined in cinder.volume.drivers.block_device +# + +# List of all available devices (list value) +#available_devices= + + +# +# Options defined in cinder.volume.drivers.cloudbyte.options +# + +# These values will be used for CloudByte storage's addQos API +# call. (dict value) +#cb_add_qosgroup=latency:15,iops:10,graceallowed:false,iopscontrol:true,memlimit:0,throughput:0,tpcontrol:false,networkspeed:0 + +# Driver will use this API key to authenticate against the +# CloudByte storage's management interface. (string value) +#cb_apikey=None + +# CloudByte storage specific account name. This maps to a +# project name in OpenStack. (string value) +#cb_account_name=None + +# This corresponds to the name of Tenant Storage Machine (TSM) +# in CloudByte storage. A volume will be created in this TSM. +# (string value) +#cb_tsm_name=None + +# A retry value in seconds. Will be used by the driver to +# check if volume creation was successful in CloudByte +# storage. (integer value) +#cb_confirm_volume_create_retry_interval=5 + +# Will confirm a successful volume creation in CloudByte +# storage by making this many number of attempts. (integer +# value) +#cb_confirm_volume_create_retries=3 + +# These values will be used for CloudByte storage's +# createVolume API call. (dict value) +#cb_create_volume=compression:off,deduplication:off,blocklength:512B,sync:always,protocoltype:ISCSI,recordsize:16k + + +# +# Options defined in cinder.volume.drivers.datera +# + +# DEPRECATED: This will be removed in the Liberty release. Use +# san_login and san_password instead. This directly sets the +# Datera API token. (string value) +#datera_api_token=<None> + +# Datera API port. (string value) +#datera_api_port=7717 + +# Datera API version. (string value) +#datera_api_version=1 + +# Number of replicas to create of an inode. (string value) +#datera_num_replicas=3 + + +# +# Options defined in cinder.volume.drivers.dell.dell_storagecenter_common +# + +# Storage Center System Serial Number (integer value) +#dell_sc_ssn=64702 + +# Dell API port (integer value) +#dell_sc_api_port=3033 + +# Name of the server folder to use on the Storage Center +# (string value) +#dell_sc_server_folder=openstack + +# Name of the volume folder to use on the Storage Center +# (string value) +#dell_sc_volume_folder=openstack + + +# +# Options defined in cinder.volume.drivers.emc.emc_vmax_common +# + +# use this file for cinder emc plugin config data (string +# value) +#cinder_emc_config_file=/etc/cinder/cinder_emc_config.xml + + +# +# Options defined in cinder.volume.drivers.emc.emc_vnx_cli +# + +# VNX authentication scope type. (string value) +#storage_vnx_authentication_type=global + +# Directory path that contains the VNX security file. Make +# sure the security file is generated first. (string value) +#storage_vnx_security_file_dir=<None> + +# Naviseccli Path. (string value) +#naviseccli_path= + +# Storage pool name. (string value) +#storage_vnx_pool_name=<None> + +# VNX secondary SP IP Address. (string value) +#san_secondary_ip=<None> + +# Default timeout for CLI operations in minutes. For example, +# LUN migration is a typical long running operation, which +# depends on the LUN size and the load of the array. An upper +# bound in the specific deployment can be set to avoid +# unnecessary long wait. By default, it is 365 days long. +# (integer value) +#default_timeout=525600 + +# Default max number of LUNs in a storage group. By default, +# the value is 255. (integer value) +#max_luns_per_storage_group=255 + +# To destroy storage group when the last LUN is removed from +# it. By default, the value is False. (boolean value) +#destroy_empty_storage_group=false + +# Mapping between hostname and its iSCSI initiator IP +# addresses. (string value) +#iscsi_initiators= + +# Automatically register initiators. By default, the value is +# False. (boolean value) +#initiator_auto_registration=false + +# Automatically deregister initiators after the related +# storage group is destroyed. By default, the value is False. +# (boolean value) +#initiator_auto_deregistration=false + +# Report free_capacity_gb as 0 when the limit to maximum +# number of pool LUNs is reached. By default, the value is +# False. (boolean value) +#check_max_pool_luns_threshold=false + +# Delete a LUN even if it is in Storage Groups. (boolean +# value) +#force_delete_lun_in_storagegroup=false + + +# +# Options defined in cinder.volume.drivers.emc.xtremio +# + +# XMS cluster id in multi-cluster environment (string value) +#xtremio_cluster_name= + + +# +# Options defined in cinder.volume.drivers.eqlx +# + +# Group name to use for creating volumes. Defaults to +# "group-0". (string value) +#eqlx_group_name=group-0 + +# Timeout for the Group Manager cli command execution. Default +# is 30. (integer value) +#eqlx_cli_timeout=30 + +# Maximum retry count for reconnection. Default is 5. (integer +# value) +#eqlx_cli_max_retries=5 + +# Use CHAP authentication for targets. Note that this option +# is deprecated in favour of "use_chap_auth" as specified in +# cinder/volume/driver.py and will be removed in next release. +# (boolean value) +#eqlx_use_chap=false + +# Existing CHAP account name. Note that this option is +# deprecated in favour of "chap_username" as specified in +# cinder/volume/driver.py and will be removed in next release. +# (string value) +#eqlx_chap_login=admin + +# Password for specified CHAP account name. Note that this +# option is deprecated in favour of "chap_password" as +# specified in cinder/volume/driver.py and will be removed in +# the next release (string value) +#eqlx_chap_password=password + +# Pool in which volumes will be created. Defaults to +# "default". (string value) +#eqlx_pool=default + + +# +# Options defined in cinder.volume.drivers.glusterfs +# + +# File with the list of available gluster shares (string +# value) +#glusterfs_shares_config=/etc/cinder/glusterfs_shares + +# Create volumes as sparsed files which take no space.If set +# to False volume is created as regular file.In such case +# volume creation takes a lot of time. (boolean value) +#glusterfs_sparsed_volumes=true + +# Create volumes as QCOW2 files rather than raw files. +# (boolean value) +#glusterfs_qcow2_volumes=false + +# Base dir containing mount points for gluster shares. (string +# value) +#glusterfs_mount_point_base=$state_path/mnt + + +# +# Options defined in cinder.volume.drivers.hds.hds +# + +# The configuration file for the Cinder HDS driver for HUS +# (string value) +#hds_cinder_config_file=/opt/hds/hus/cinder_hus_conf.xml + + +# +# Options defined in cinder.volume.drivers.hds.iscsi +# + +# Configuration file for HDS iSCSI cinder plugin (string +# value) +#hds_hnas_iscsi_config_file=/opt/hds/hnas/cinder_iscsi_conf.xml + + +# +# Options defined in cinder.volume.drivers.hds.nfs +# + +# Configuration file for HDS NFS cinder plugin (string value) +#hds_hnas_nfs_config_file=/opt/hds/hnas/cinder_nfs_conf.xml + + +# +# Options defined in cinder.volume.drivers.hitachi.hbsd_common +# + +# Serial number of storage system (string value) +#hitachi_serial_number=<None> + +# Name of an array unit (string value) +#hitachi_unit_name=<None> + +# Pool ID of storage system (integer value) +#hitachi_pool_id=<None> + +# Thin pool ID of storage system (integer value) +#hitachi_thin_pool_id=<None> + +# Range of logical device of storage system (string value) +#hitachi_ldev_range=<None> + +# Default copy method of storage system (string value) +#hitachi_default_copy_method=FULL + +# Copy speed of storage system (integer value) +#hitachi_copy_speed=3 + +# Interval to check copy (integer value) +#hitachi_copy_check_interval=3 + +# Interval to check copy asynchronously (integer value) +#hitachi_async_copy_check_interval=10 + +# Control port names for HostGroup or iSCSI Target (string +# value) +#hitachi_target_ports=<None> + +# Range of group number (string value) +#hitachi_group_range=<None> + +# Request for creating HostGroup or iSCSI Target (boolean +# value) +#hitachi_group_request=false + + +# +# Options defined in cinder.volume.drivers.hitachi.hbsd_fc +# + +# Request for FC Zone creating HostGroup (boolean value) +#hitachi_zoning_request=false + + +# +# Options defined in cinder.volume.drivers.hitachi.hbsd_horcm +# + +# Instance numbers for HORCM (string value) +#hitachi_horcm_numbers=200,201 + +# Username of storage system for HORCM (string value) +#hitachi_horcm_user=<None> + +# Password of storage system for HORCM (string value) +#hitachi_horcm_password=<None> + +# Add to HORCM configuration (boolean value) +#hitachi_horcm_add_conf=true + + +# +# Options defined in cinder.volume.drivers.hitachi.hbsd_iscsi +# + +# Add CHAP user (boolean value) +#hitachi_add_chap_user=false + +# iSCSI authentication method (string value) +#hitachi_auth_method=<None> + +# iSCSI authentication username (string value) +#hitachi_auth_user=HBSD-CHAP-user + +# iSCSI authentication password (string value) +#hitachi_auth_password=HBSD-CHAP-password + + +# +# Options defined in cinder.volume.drivers.huawei +# + +# The configuration file for the Cinder Huawei driver (string +# value) +#cinder_huawei_conf_file=/etc/cinder/cinder_huawei_conf.xml + + +# +# Options defined in cinder.volume.drivers.ibm.flashsystem +# + +# Connection protocol should be FC. (string value) +#flashsystem_connection_protocol=FC + +# Connect with multipath (FC only). (boolean value) +#flashsystem_multipath_enabled=false + +# Allows vdisk to multi host mapping. (boolean value) +#flashsystem_multihostmap_enabled=true + + +# +# Options defined in cinder.volume.drivers.ibm.gpfs +# + +# Specifies the path of the GPFS directory where Block Storage +# volume and snapshot files are stored. (string value) +#gpfs_mount_point_base=<None> + +# Specifies the path of the Image service repository in GPFS. +# Leave undefined if not storing images in GPFS. (string +# value) +#gpfs_images_dir=<None> + +# Specifies the type of image copy to be used. Set this when +# the Image service repository also uses GPFS so that image +# files can be transferred efficiently from the Image service +# to the Block Storage service. There are two valid values: +# "copy" specifies that a full copy of the image is made; +# "copy_on_write" specifies that copy-on-write optimization +# strategy is used and unmodified blocks of the image file are +# shared efficiently. (string value) +#gpfs_images_share_mode=<None> + +# Specifies an upper limit on the number of indirections +# required to reach a specific block due to snapshots or +# clones. A lengthy chain of copy-on-write snapshots or +# clones can have a negative impact on performance, but +# improves space utilization. 0 indicates unlimited clone +# depth. (integer value) +#gpfs_max_clone_depth=0 + +# Specifies that volumes are created as sparse files which +# initially consume no space. If set to False, the volume is +# created as a fully allocated file, in which case, creation +# may take a significantly longer time. (boolean value) +#gpfs_sparse_volumes=true + +# Specifies the storage pool that volumes are assigned to. By +# default, the system storage pool is used. (string value) +#gpfs_storage_pool=system + + +# +# Options defined in cinder.volume.drivers.ibm.ibmnas +# + +# IBMNAS platform type to be used as backend storage; valid +# values are - v7ku : for using IBM Storwize V7000 Unified, +# sonas : for using IBM Scale Out NAS, gpfs-nas : for using +# NFS based IBM GPFS deployments. (string value) +#ibmnas_platform_type=v7ku + + +# +# Options defined in cinder.volume.drivers.ibm.storwize_svc +# + +# Storage system storage pool for volumes (string value) +#storwize_svc_volpool_name=volpool + +# Storage system space-efficiency parameter for volumes +# (percentage) (integer value) +#storwize_svc_vol_rsize=2 + +# Storage system threshold for volume capacity warnings +# (percentage) (integer value) +#storwize_svc_vol_warning=0 + +# Storage system autoexpand parameter for volumes (True/False) +# (boolean value) +#storwize_svc_vol_autoexpand=true + +# Storage system grain size parameter for volumes +# (32/64/128/256) (integer value) +#storwize_svc_vol_grainsize=256 + +# Storage system compression option for volumes (boolean +# value) +#storwize_svc_vol_compression=false + +# Enable Easy Tier for volumes (boolean value) +#storwize_svc_vol_easytier=true + +# The I/O group in which to allocate volumes (integer value) +#storwize_svc_vol_iogrp=0 + +# Maximum number of seconds to wait for FlashCopy to be +# prepared. Maximum value is 600 seconds (10 minutes) (integer +# value) +#storwize_svc_flashcopy_timeout=120 + +# Connection protocol (iSCSI/FC) (string value) +#storwize_svc_connection_protocol=iSCSI + +# Configure CHAP authentication for iSCSI connections +# (Default: Enabled) (boolean value) +#storwize_svc_iscsi_chap_enabled=true + +# Connect with multipath (FC only; iSCSI multipath is +# controlled by Nova) (boolean value) +#storwize_svc_multipath_enabled=false + +# Allows vdisk to multi host mapping (boolean value) +#storwize_svc_multihostmap_enabled=true + +# Indicate whether svc driver is compatible for NPIV setup. If +# it is compatible, it will allow no wwpns being returned on +# get_conn_fc_wwpns during initialize_connection (boolean +# value) +#storwize_svc_npiv_compatibility_mode=false + +# Allow tenants to specify QOS on create (boolean value) +#storwize_svc_allow_tenant_qos=false + +# If operating in stretched cluster mode, specify the name of +# the pool in which mirrored copies are stored.Example: +# "pool2" (string value) +#storwize_svc_stretched_cluster_partner=<None> + + +# +# Options defined in cinder.volume.drivers.ibm.xiv_ds8k +# + +# Proxy driver that connects to the IBM Storage Array (string +# value) +#xiv_ds8k_proxy=xiv_ds8k_openstack.nova_proxy.XIVDS8KNovaProxy + +# Connection type to the IBM Storage Array (string value) +#xiv_ds8k_connection_type=iscsi + +# CHAP authentication mode, effective only for iscsi +# (disabled|enabled) (string value) +#xiv_chap=disabled + + +# +# Options defined in cinder.volume.drivers.lvm +# + +# Name for the VG that will contain exported volumes (string +# value) +volume_group=cinder-volumes + +# If >0, create LVs with multiple mirrors. Note that this +# requires lvm_mirrors + 2 PVs with available space (integer +# value) +#lvm_mirrors=0 + +# Type of LVM volumes to deploy (string value) +#lvm_type=default + +# LVM conf file to use for the LVM driver in Cinder; this +# setting is ignored if the specified file does not exist (You +# can also specify 'None' to not use a conf file even if one +# exists). (string value) +#lvm_conf_file=/etc/cinder/lvm.conf + + +# +# Options defined in cinder.volume.drivers.netapp.options +# + +# The vFiler unit on which provisioning of block storage +# volumes will be done. This option is only used by the driver +# when connecting to an instance with a storage family of Data +# ONTAP operating in 7-Mode. Only use this option when +# utilizing the MultiStore feature on the NetApp storage +# system. (string value) +#netapp_vfiler=<None> + +# The name of the config.conf stanza for a Data ONTAP (7-mode) +# HA partner. This option is only used by the driver when +# connecting to an instance with a storage family of Data +# ONTAP operating in 7-Mode, and it is required if the storage +# protocol selected is FC. (string value) +#netapp_partner_backend_name=<None> + +# Administrative user account name used to access the storage +# system or proxy server. (string value) +#netapp_login=<None> + +# Password for the administrative user account specified in +# the netapp_login option. (string value) +#netapp_password=<None> + +# This option specifies the virtual storage server (Vserver) +# name on the storage cluster on which provisioning of block +# storage volumes should occur. (string value) +#netapp_vserver=<None> + +# The hostname (or IP address) for the storage system or proxy +# server. (string value) +#netapp_server_hostname=<None> + +# The TCP port to use for communication with the storage +# system or proxy server. If not specified, Data ONTAP drivers +# will use 80 for HTTP and 443 for HTTPS; E-Series will use +# 8080 for HTTP and 8443 for HTTPS. (integer value) +#netapp_server_port=<None> + +# This option is used to specify the path to the E-Series +# proxy application on a proxy server. The value is combined +# with the value of the netapp_transport_type, +# netapp_server_hostname, and netapp_server_port options to +# create the URL used by the driver to connect to the proxy +# application. (string value) +#netapp_webservice_path=/devmgr/v2 + +# This option is only utilized when the storage family is +# configured to eseries. This option is used to restrict +# provisioning to the specified controllers. Specify the value +# of this option to be a comma separated list of controller +# hostnames or IP addresses to be used for provisioning. +# (string value) +#netapp_controller_ips=<None> + +# Password for the NetApp E-Series storage array. (string +# value) +#netapp_sa_password=<None> + +# This option is used to restrict provisioning to the +# specified storage pools. Only dynamic disk pools are +# currently supported. Specify the value of this option to be +# a comma separated list of disk pool names to be used for +# provisioning. (string value) +#netapp_storage_pools=<None> + +# This option is used to define how the controllers in the +# E-Series storage array will work with the particular +# operating system on the hosts that are connected to it. +# (string value) +#netapp_eseries_host_type=linux_dm_mp + +# If the percentage of available space for an NFS share has +# dropped below the value specified by this option, the NFS +# image cache will be cleaned. (integer value) +#thres_avl_size_perc_start=20 + +# When the percentage of available space on an NFS share has +# reached the percentage specified by this option, the driver +# will stop clearing files from the NFS image cache that have +# not been accessed in the last M minutes, where M is the +# value of the expiry_thres_minutes configuration option. +# (integer value) +#thres_avl_size_perc_stop=60 + +# This option specifies the threshold for last access time for +# images in the NFS image cache. When a cache cleaning cycle +# begins, images in the cache that have not been accessed in +# the last M minutes, where M is the value of this parameter, +# will be deleted from the cache to create free space on the +# NFS share. (integer value) +#expiry_thres_minutes=720 + +# This option specifies the path of the NetApp copy offload +# tool binary. Ensure that the binary has execute permissions +# set which allow the effective user of the cinder-volume +# process to execute the file. (string value) +#netapp_copyoffload_tool_path=<None> + +# The quantity to be multiplied by the requested volume size +# to ensure enough space is available on the virtual storage +# server (Vserver) to fulfill the volume creation request. +# (floating point value) +#netapp_size_multiplier=1.2 + +# This option is only utilized when the storage protocol is +# configured to use iSCSI or FC. This option is used to +# restrict provisioning to the specified controller volumes. +# Specify the value of this option to be a comma separated +# list of NetApp controller volume names to be used for +# provisioning. (string value) +#netapp_volume_list=<None> + +# The storage family type used on the storage system; valid +# values are ontap_7mode for using Data ONTAP operating in +# 7-Mode, ontap_cluster for using clustered Data ONTAP, or +# eseries for using E-Series. (string value) +#netapp_storage_family=ontap_cluster + +# The storage protocol to be used on the data path with the +# storage system. (string value) +#netapp_storage_protocol=<None> + +# The transport protocol used when communicating with the +# storage system or proxy server. (string value) +#netapp_transport_type=http + + +# +# Options defined in cinder.volume.drivers.nfs +# + +# File with the list of available nfs shares (string value) +#nfs_shares_config=/etc/cinder/nfs_shares + +# Create volumes as sparsed files which take no space.If set +# to False volume is created as regular file.In such case +# volume creation takes a lot of time. (boolean value) +#nfs_sparsed_volumes=true + +# Percent of ACTUAL usage of the underlying volume before no +# new volumes can be allocated to the volume destination. +# (floating point value) +#nfs_used_ratio=0.95 + +# This will compare the allocated to available space on the +# volume destination. If the ratio exceeds this number, the +# destination will no longer be valid. (floating point value) +#nfs_oversub_ratio=1.0 + +# Base dir containing mount points for nfs shares. (string +# value) +#nfs_mount_point_base=$state_path/mnt + +# Mount options passed to the nfs client. See section of the +# nfs man page for details. (string value) +#nfs_mount_options=<None> + +# The number of attempts to mount nfs shares before raising an +# error. At least one attempt will be made to mount an nfs +# share, regardless of the value specified. (integer value) +#nfs_mount_attempts=3 + + +# +# Options defined in cinder.volume.drivers.nimble +# + +# Nimble Controller pool name (string value) +#nimble_pool_name=default + +# Nimble Subnet Label (string value) +#nimble_subnet_label=* + + +# +# Options defined in cinder.volume.drivers.openvstorage +# + +# Vpool to use for volumes - backend is defined by vpool not +# by us. (string value) +#vpool_name= + + +# +# Options defined in cinder.volume.drivers.prophetstor.options +# + +# DPL pool uuid in which DPL volumes are stored. (string +# value) +#dpl_pool= + +# DPL port number. (integer value) +#dpl_port=8357 + + +# +# Options defined in cinder.volume.drivers.pure +# + +# REST API authorization token. (string value) +#pure_api_token=<None> + + +# +# Options defined in cinder.volume.drivers.quobyte +# + +# URL to the Quobyte volume e.g., quobyte://<DIR host>/<volume +# name> (string value) +#quobyte_volume_url=<None> + +# Path to a Quobyte Client configuration file. (string value) +#quobyte_client_cfg=<None> + +# Create volumes as sparse files which take no space. If set +# to False, volume is created as regular file.In such case +# volume creation takes a lot of time. (boolean value) +#quobyte_sparsed_volumes=true + +# Create volumes as QCOW2 files rather than raw files. +# (boolean value) +#quobyte_qcow2_volumes=true + +# Base dir containing the mount point for the Quobyte volume. +# (string value) +#quobyte_mount_point_base=$state_path/mnt + + +# +# Options defined in cinder.volume.drivers.rbd +# + +# The RADOS pool where rbd volumes are stored (string value) +#rbd_pool=rbd + +# The RADOS client name for accessing rbd volumes - only set +# when using cephx authentication (string value) +#rbd_user=<None> + +# Path to the ceph configuration file (string value) +#rbd_ceph_conf= + +# Flatten volumes created from snapshots to remove dependency +# from volume to snapshot (boolean value) +#rbd_flatten_volume_from_snapshot=false + +# The libvirt uuid of the secret for the rbd_user volumes +# (string value) +#rbd_secret_uuid=<None> + +# Directory where temporary image files are stored when the +# volume driver does not write them directly to the volume. +# Warning: this option is now deprecated, please use +# image_conversion_dir instead. (string value) +#volume_tmp_dir=<None> + +# Maximum number of nested volume clones that are taken before +# a flatten occurs. Set to 0 to disable cloning. (integer +# value) +#rbd_max_clone_depth=5 + +# Volumes will be chunked into objects of this size (in +# megabytes). (integer value) +#rbd_store_chunk_size=4 + +# Timeout value (in seconds) used when connecting to ceph +# cluster. If value < 0, no timeout is set and default +# librados value is used. (integer value) +#rados_connect_timeout=-1 + + +# +# Options defined in cinder.volume.drivers.remotefs +# + +# IP address or Hostname of NAS system. (string value) +#nas_ip= + +# User name to connect to NAS system. (string value) +#nas_login=admin + +# Password to connect to NAS system. (string value) +#nas_password= + +# SSH port to use to connect to NAS system. (integer value) +#nas_ssh_port=22 + +# Filename of private key to use for SSH authentication. +# (string value) +#nas_private_key= + +# Allow network-attached storage systems to operate in a +# secure environment where root level access is not permitted. +# If set to False, access is as the root user and insecure. If +# set to True, access is not as root. If set to auto, a check +# is done to determine if this is a new installation: True is +# used if so, otherwise False. Default is auto. (string value) +#nas_secure_file_operations=auto + +# Set more secure file permissions on network-attached storage +# volume files to restrict broad other/world access. If set to +# False, volumes are created with open permissions. If set to +# True, volumes are created with permissions for the cinder +# user and group (660). If set to auto, a check is done to +# determine if this is a new installation: True is used if so, +# otherwise False. Default is auto. (string value) +#nas_secure_file_permissions=auto + +# Path to the share to use for storing Cinder volumes. For +# example: "/srv/export1" for an NFS server export available +# at 10.0.5.10:/srv/export1 . (string value) +#nas_share_path= + +# Options used to mount the storage backend file system where +# Cinder volumes are stored. (string value) +#nas_mount_options=<None> + + +# +# Options defined in cinder.volume.drivers.san.hp.hp_3par_common +# + +# 3PAR WSAPI Server Url like https://<3par ip>:8080/api/v1 +# (string value) +#hp3par_api_url= + +# 3PAR Super user username (string value) +#hp3par_username= + +# 3PAR Super user password (string value) +#hp3par_password= + +# List of the CPG(s) to use for volume creation (list value) +#hp3par_cpg=OpenStack + +# The CPG to use for Snapshots for volumes. If empty the +# userCPG will be used. (string value) +#hp3par_cpg_snap= + +# The time in hours to retain a snapshot. You can't delete it +# before this expires. (string value) +#hp3par_snapshot_retention= + +# The time in hours when a snapshot expires and is deleted. +# This must be larger than expiration (string value) +#hp3par_snapshot_expiration= + +# Enable HTTP debugging to 3PAR (boolean value) +#hp3par_debug=false + +# List of target iSCSI addresses to use. (list value) +#hp3par_iscsi_ips= + +# Enable CHAP authentication for iSCSI connections. (boolean +# value) +#hp3par_iscsi_chap_enabled=false + + +# +# Options defined in cinder.volume.drivers.san.hp.hp_lefthand_rest_proxy +# + +# HP LeftHand WSAPI Server Url like https://<LeftHand +# ip>:8081/lhos (string value) +#hplefthand_api_url=<None> + +# HP LeftHand Super user username (string value) +#hplefthand_username=<None> + +# HP LeftHand Super user password (string value) +#hplefthand_password=<None> + +# HP LeftHand cluster name (string value) +#hplefthand_clustername=<None> + +# Configure CHAP authentication for iSCSI connections +# (Default: Disabled) (boolean value) +#hplefthand_iscsi_chap_enabled=false + +# Enable HTTP debugging to LeftHand (boolean value) +#hplefthand_debug=false + + +# +# Options defined in cinder.volume.drivers.san.san +# + +# Use thin provisioning for SAN volumes? (boolean value) +#san_thin_provision=true + +# IP address of SAN controller (string value) +#san_ip= + +# Username for SAN controller (string value) +#san_login=admin + +# Password for SAN controller (string value) +#san_password= + +# Filename of private key to use for SSH authentication +# (string value) +#san_private_key= + +# Cluster name to use for creating volumes (string value) +#san_clustername= + +# SSH port to use with SAN (integer value) +#san_ssh_port=22 + +# Execute commands locally instead of over SSH; use if the +# volume service is running on the SAN device (boolean value) +#san_is_local=false + +# SSH connection timeout in seconds (integer value) +#ssh_conn_timeout=30 + +# Minimum ssh connections in the pool (integer value) +#ssh_min_pool_conn=1 + +# Maximum ssh connections in the pool (integer value) +#ssh_max_pool_conn=5 + + +# +# Options defined in cinder.volume.drivers.scality +# + +# Path or URL to Scality SOFS configuration file (string +# value) +#scality_sofs_config=<None> + +# Base dir where Scality SOFS shall be mounted (string value) +#scality_sofs_mount_point=$state_path/scality + +# Path from Scality SOFS root to volume dir (string value) +#scality_sofs_volume_dir=cinder/volumes + + +# +# Options defined in cinder.volume.drivers.smbfs +# + +# File with the list of available smbfs shares. (string value) +#smbfs_shares_config=/etc/cinder/smbfs_shares + +# Default format that will be used when creating volumes if no +# volume format is specified. (string value) +#smbfs_default_volume_format=qcow2 + +# Create volumes as sparsed files which take no space rather +# than regular files when using raw format, in which case +# volume creation takes lot of time. (boolean value) +#smbfs_sparsed_volumes=true + +# Percent of ACTUAL usage of the underlying volume before no +# new volumes can be allocated to the volume destination. +# (floating point value) +#smbfs_used_ratio=0.95 + +# This will compare the allocated to available space on the +# volume destination. If the ratio exceeds this number, the +# destination will no longer be valid. (floating point value) +#smbfs_oversub_ratio=1.0 + +# Base dir containing mount points for smbfs shares. (string +# value) +#smbfs_mount_point_base=$state_path/mnt + +# Mount options passed to the smbfs client. See mount.cifs man +# page for details. (string value) +#smbfs_mount_options=noperm,file_mode=0775,dir_mode=0775 + + +# +# Options defined in cinder.volume.drivers.solidfire +# + +# Set 512 byte emulation on volume creation; (boolean value) +#sf_emulate_512=true + +# Allow tenants to specify QOS on create (boolean value) +#sf_allow_tenant_qos=false + +# Create SolidFire accounts with this prefix. Any string can +# be used here, but the string "hostname" is special and will +# create a prefix using the cinder node hostsname (previous +# default behavior). The default is NO prefix. (string value) +#sf_account_prefix=<None> + +# Account name on the SolidFire Cluster to use as owner of +# template/cache volumes (created if does not exist). (string +# value) +#sf_template_account_name=openstack-vtemplate + +# Create an internal cache of copy of images when a bootable +# volume is created to eliminate fetch from glance and qemu- +# conversion on subsequent calls. (boolean value) +#sf_allow_template_caching=true + +# SolidFire API port. Useful if the device api is behind a +# proxy on a different port. (integer value) +#sf_api_port=443 + + +# +# Options defined in cinder.volume.drivers.srb +# + +# Comma-separated list of REST servers IP to connect to. (eg +# http://IP1/,http://IP2:81/path (string value) +#srb_base_urls=<None> + + +# +# Options defined in cinder.volume.drivers.violin.v6000_common +# + +# IP address or hostname of mg-a (string value) +#gateway_mga=<None> + +# IP address or hostname of mg-b (string value) +#gateway_mgb=<None> + +# Use igroups to manage targets and initiators (boolean value) +#use_igroups=false + +# Global backend request timeout, in seconds (integer value) +#request_timeout=300 + + +# +# Options defined in cinder.volume.drivers.vmware.vmdk +# + +# IP address for connecting to VMware ESX/VC server. (string +# value) +#vmware_host_ip=<None> + +# Username for authenticating with VMware ESX/VC server. +# (string value) +#vmware_host_username=<None> + +# Password for authenticating with VMware ESX/VC server. +# (string value) +#vmware_host_password=<None> + +# Optional VIM service WSDL Location e.g +# http://<server>/vimService.wsdl. Optional over-ride to +# default location for bug work-arounds. (string value) +#vmware_wsdl_location=<None> + +# Number of times VMware ESX/VC server API must be retried +# upon connection related issues. (integer value) +#vmware_api_retry_count=10 + +# The interval (in seconds) for polling remote tasks invoked +# on VMware ESX/VC server. (floating point value) +#vmware_task_poll_interval=0.5 + +# Name for the folder in the VC datacenter that will contain +# cinder volumes. (string value) +#vmware_volume_folder=cinder-volumes + +# Timeout in seconds for VMDK volume transfer between Cinder +# and Glance. (integer value) +#vmware_image_transfer_timeout_secs=7200 + +# Max number of objects to be retrieved per batch. Query +# results will be obtained in batches from the server and not +# in one shot. Server may still limit the count to something +# less than the configured value. (integer value) +#vmware_max_objects_retrieval=100 + +# Optional string specifying the VMware VC server version. The +# driver attempts to retrieve the version from VMware VC +# server. Set this configuration only if you want to override +# the VC server version. (string value) +#vmware_host_version=<None> + +# Directory where virtual disks are stored during volume +# backup and restore. (string value) +#vmware_tmp_dir=/tmp + + +# +# Options defined in cinder.volume.drivers.windows.windows +# + +# Path to store VHD backed volumes (string value) +#windows_iscsi_lun_path=C:\iSCSIVirtualDisks + + +# +# Options defined in cinder.volume.drivers.xio +# + +# Default storage pool for volumes. (integer value) +#ise_storage_pool=1 + +# Raid level for ISE volumes. (integer value) +#ise_raid=1 + +# Number of retries (per port) when establishing connection to +# ISE management port. (integer value) +#ise_connection_retries=5 + +# Interval (secs) between retries. (integer value) +#ise_retry_interval=1 + +# Number on retries to get completion status after issuing a +# command to ISE. (integer value) +#ise_completion_retries=30 + + +# +# Options defined in cinder.volume.drivers.zfssa.zfssanfs +# + +# Data path IP address (string value) +#zfssa_data_ip=<None> + +# HTTPS port number (string value) +#zfssa_https_port=443 + +# Options to be passed while mounting share over nfs (string +# value) +#zfssa_nfs_mount_options= + +# Storage pool name. (string value) +#zfssa_nfs_pool= + +# Project name. (string value) +#zfssa_nfs_project=NFSProject + +# Share name. (string value) +#zfssa_nfs_share=nfs_share + +# Data compression. (string value) +#zfssa_nfs_share_compression=off + +# Synchronous write bias-latency, throughput. (string value) +#zfssa_nfs_share_logbias=latency + +# REST connection timeout. (seconds) (integer value) +#zfssa_rest_timeout=<None> + + +# +# Options defined in cinder.volume.manager +# + +# Driver to use for volume creation (string value) +volume_driver=cinder.volume.drivers.lvm.LVMISCSIDriver + +# Timeout for creating the volume to migrate to when +# performing volume migration (seconds) (integer value) +#migration_create_volume_timeout_secs=300 + +# Offload pending volume delete during volume service startup +# (boolean value) +#volume_service_inithost_offload=false + +# FC Zoning mode configured (string value) +#zoning_mode=none + +# User defined capabilities, a JSON formatted string +# specifying key/value pairs. The key/value pairs can be used +# by the CapabilitiesFilter to select between backends when +# requests specify volume types. For example, specifying a +# service level or the geographical location of a backend, +# then creating a volume type to allow the user to select by +# these different properties. (string value) +#extra_capabilities={} + + +[BRCD_FABRIC_EXAMPLE] + +# +# Options defined in cinder.zonemanager.drivers.brocade.brcd_fabric_opts +# + +# Management IP of fabric (string value) +#fc_fabric_address= + +# Fabric user ID (string value) +#fc_fabric_user= + +# Password for user (string value) +#fc_fabric_password= + +# Connecting port (integer value) +#fc_fabric_port=22 + +# overridden zoning policy (string value) +#zoning_policy=initiator-target + +# overridden zoning activation state (boolean value) +#zone_activate=true + +# overridden zone name prefix (string value) +#zone_name_prefix=<None> + +# Principal switch WWN of the fabric (string value) +#principal_switch_wwn=<None> + + +[CISCO_FABRIC_EXAMPLE] + +# +# Options defined in cinder.zonemanager.drivers.cisco.cisco_fabric_opts +# + +# Management IP of fabric (string value) +#cisco_fc_fabric_address= + +# Fabric user ID (string value) +#cisco_fc_fabric_user= + +# Password for user (string value) +#cisco_fc_fabric_password= + +# Connecting port (integer value) +#cisco_fc_fabric_port=22 + +# overridden zoning policy (string value) +#cisco_zoning_policy=initiator-target + +# overridden zoning activation state (boolean value) +#cisco_zone_activate=true + +# overridden zone name prefix (string value) +#cisco_zone_name_prefix=<None> + +# VSAN of the Fabric (string value) +#cisco_zoning_vsan=<None> + + +[database] + +# +# Options defined in oslo.db.concurrency +# + +# Enable the experimental use of thread pooling for all DB API +# calls (boolean value) +# Deprecated group/name - [DEFAULT]/dbapi_use_tpool +#use_tpool=false + +# The SQLAlchemy connection string to use to connect to the +# database. (string value) +connection=postgresql://{{ CINDER_DB_USER }}:{{ CINDER_DB_PASSWORD }}@{{ CONTROLLER_HOST_ADDRESS }}/cinder + + +[fc-zone-manager] + +# +# Options defined in cinder.zonemanager.drivers.brocade.brcd_fc_zone_driver +# + +# Southbound connector for zoning operation (string value) +#brcd_sb_connector=cinder.zonemanager.drivers.brocade.brcd_fc_zone_client_cli.BrcdFCZoneClientCLI + + +# +# Options defined in cinder.zonemanager.drivers.cisco.cisco_fc_zone_driver +# + +# Southbound connector for zoning operation (string value) +#cisco_sb_connector=cinder.zonemanager.drivers.cisco.cisco_fc_zone_client_cli.CiscoFCZoneClientCLI + + +# +# Options defined in cinder.zonemanager.fc_zone_manager +# + +# FC Zone Driver responsible for zone management (string +# value) +#zone_driver=cinder.zonemanager.drivers.brocade.brcd_fc_zone_driver.BrcdFCZoneDriver + +# Zoning policy configured by user; valid values include +# "initiator-target" or "initiator" (string value) +#zoning_policy=initiator-target + +# Comma separated list of Fibre Channel fabric names. This +# list of names is used to retrieve other SAN credentials for +# connecting to each SAN fabric (string value) +#fc_fabric_names=<None> + +# FC SAN Lookup Service (string value) +#fc_san_lookup_service=cinder.zonemanager.drivers.brocade.brcd_fc_san_lookup_service.BrcdFCSanLookupService + + +[keymgr] + +# +# Options defined in cinder.keymgr +# + +# The full class name of the key manager API class (string +# value) +#api_class=cinder.keymgr.conf_key_mgr.ConfKeyManager + + +# +# Options defined in cinder.keymgr.conf_key_mgr +# + +# Fixed key returned by key manager, specified in hex (string +# value) +#fixed_key=<None> + + +# +# Options defined in cinder.keymgr.key_mgr +# + +# Authentication url for encryption service. (string value) +#encryption_auth_url=http://localhost:5000/v3 + +# Url for encryption service. (string value) +#encryption_api_url=http://localhost:9311/v1 + + +[oslo_concurrency] + +lock_path = /var/lock/cinder + +[keystone_authtoken] + +# +# Options defined in keystonemiddleware.auth_token +# + +# Complete public Identity API endpoint. (string value) +auth_uri=http://{{ CONTROLLER_HOST_ADDRESS }}:5000/v2.0 + +# API version of the admin Identity API endpoint. (string +# value) +#auth_version=<None> + +# Do not handle authorization requests within the middleware, +# but delegate the authorization decision to downstream WSGI +# components. (boolean value) +#delay_auth_decision=false + +# Request timeout value for communicating with Identity API +# server. (integer value) +#http_connect_timeout=<None> + +# How many times are we trying to reconnect when communicating +# with Identity API Server. (integer value) +#http_request_max_retries=3 + +# Env key for the swift cache. (string value) +#cache=<None> + +# Required if identity server requires client certificate +# (string value) +#certfile=<None> + +# Required if identity server requires client certificate +# (string value) +#keyfile=<None> + +# A PEM encoded Certificate Authority to use when verifying +# HTTPs connections. Defaults to system CAs. (string value) +#cafile=<None> + +# Verify HTTPS connections. (boolean value) +#insecure=false + +# Directory used to cache files related to PKI tokens. (string +# value) +#signing_dir=<None> + +# Optionally specify a list of memcached server(s) to use for +# caching. If left undefined, tokens will instead be cached +# in-process. (list value) +# Deprecated group/name - [DEFAULT]/memcache_servers +#memcached_servers=<None> + +# In order to prevent excessive effort spent validating +# tokens, the middleware caches previously-seen tokens for a +# configurable duration (in seconds). Set to -1 to disable +# caching completely. (integer value) +#token_cache_time=300 + +# Determines the frequency at which the list of revoked tokens +# is retrieved from the Identity service (in seconds). A high +# number of revocation events combined with a low cache +# duration may significantly reduce performance. (integer +# value) +#revocation_cache_time=10 + +# (Optional) If defined, indicate whether token data should be +# authenticated or authenticated and encrypted. Acceptable +# values are MAC or ENCRYPT. If MAC, token data is +# authenticated (with HMAC) in the cache. If ENCRYPT, token +# data is encrypted and authenticated in the cache. If the +# value is not one of these options or empty, auth_token will +# raise an exception on initialization. (string value) +#memcache_security_strategy=<None> + +# (Optional, mandatory if memcache_security_strategy is +# defined) This string is used for key derivation. (string +# value) +#memcache_secret_key=<None> + +# (Optional) Number of seconds memcached server is considered +# dead before it is tried again. (integer value) +#memcache_pool_dead_retry=300 + +# (Optional) Maximum total number of open connections to every +# memcached server. (integer value) +#memcache_pool_maxsize=10 + +# (Optional) Socket timeout in seconds for communicating with +# a memcache server. (integer value) +#memcache_pool_socket_timeout=3 + +# (Optional) Number of seconds a connection to memcached is +# held unused in the pool before it is closed. (integer value) +#memcache_pool_unused_timeout=60 + +# (Optional) Number of seconds that an operation will wait to +# get a memcache client connection from the pool. (integer +# value) +#memcache_pool_conn_get_timeout=10 + +# (Optional) Use the advanced (eventlet safe) memcache client +# pool. The advanced pool will only work under python 2.x. +# (boolean value) +#memcache_use_advanced_pool=false + +# (Optional) Indicate whether to set the X-Service-Catalog +# header. If False, middleware will not ask for service +# catalog on token validation and will not set the X-Service- +# Catalog header. (boolean value) +#include_service_catalog=true + +# Used to control the use and type of token binding. Can be +# set to: "disabled" to not check token binding. "permissive" +# (default) to validate binding information if the bind type +# is of a form known to the server and ignore it if not. +# "strict" like "permissive" but if the bind type is unknown +# the token will be rejected. "required" any form of token +# binding is needed to be allowed. Finally the name of a +# binding method that must be present in tokens. (string +# value) +#enforce_token_bind=permissive + +# If true, the revocation list will be checked for cached +# tokens. This requires that PKI tokens are configured on the +# identity server. (boolean value) +#check_revocations_for_cached=false + +# Hash algorithms to use for hashing PKI tokens. This may be a +# single algorithm or multiple. The algorithms are those +# supported by Python standard hashlib.new(). The hashes will +# be tried in the order given, so put the preferred one first +# for performance. The result of the first hash will be stored +# in the cache. This will typically be set to multiple values +# only while migrating from a less secure algorithm to a more +# secure one. Once all the old tokens are expired this option +# should be set to a single value for better performance. +# (list value) +#hash_algorithms=md5 + + +[matchmaker_redis] + +# +# Options defined in oslo.messaging +# + +# Host to locate redis. (string value) +#host=127.0.0.1 + +# Use this port to connect to redis host. (integer value) +#port=6379 + +# Password for Redis server (optional). (string value) +#password=<None> + + +[matchmaker_ring] + +# +# Options defined in oslo.messaging +# + +# Matchmaker ring file (JSON). (string value) +# Deprecated group/name - [DEFAULT]/matchmaker_ringfile +#ringfile=/etc/oslo/matchmaker_ring.json + + +[oslo_messaging_amqp] + +# +# Options defined in oslo.messaging +# + +# address prefix used when sending to a specific server +# (string value) +#server_request_prefix=exclusive + +# address prefix used when broadcasting to all servers (string +# value) +#broadcast_prefix=broadcast + +# address prefix when sending to any server in group (string +# value) +#group_request_prefix=unicast + +# Name for the AMQP container (string value) +#container_name=<None> + +# Timeout for inactive connections (in seconds) (integer +# value) +#idle_timeout=0 + +# Debug: dump AMQP frames to stdout (boolean value) +#trace=false + +# CA certificate PEM file for verifing server certificate +# (string value) +#ssl_ca_file= + +# Identifying certificate PEM file to present to clients +# (string value) +#ssl_cert_file= + +# Private key PEM file used to sign cert_file certificate +# (string value) +#ssl_key_file= + +# Password for decrypting ssl_key_file (if encrypted) (string +# value) +#ssl_key_password=<None> + +# Accept clients using either SSL or plain TCP (boolean value) +#allow_insecure_clients=false + + +[oslo_messaging_qpid] + +# +# Options defined in oslo.messaging +# + +# Use durable queues in AMQP. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_durable_queues +#amqp_durable_queues=false + +# Auto-delete queues in AMQP. (boolean value) +#amqp_auto_delete=false + +# Size of RPC connection pool. (integer value) +#rpc_conn_pool_size=30 + +# Qpid broker hostname. (string value) +#qpid_hostname=localhost + +# Qpid broker port. (integer value) +#qpid_port=5672 + +# Qpid HA cluster host:port pairs. (list value) +#qpid_hosts=$qpid_hostname:$qpid_port + +# Username for Qpid connection. (string value) +#qpid_username= + +# Password for Qpid connection. (string value) +#qpid_password= + +# Space separated list of SASL mechanisms to use for auth. +# (string value) +#qpid_sasl_mechanisms= + +# Seconds between connection keepalive heartbeats. (integer +# value) +#qpid_heartbeat=60 + +# Transport to use, either 'tcp' or 'ssl'. (string value) +#qpid_protocol=tcp + +# Whether to disable the Nagle algorithm. (boolean value) +#qpid_tcp_nodelay=true + +# The number of prefetched messages held by receiver. (integer +# value) +#qpid_receiver_capacity=1 + +# The qpid topology version to use. Version 1 is what was +# originally used by impl_qpid. Version 2 includes some +# backwards-incompatible changes that allow broker federation +# to work. Users should update to version 2 when they are +# able to take everything down, as it requires a clean break. +# (integer value) +#qpid_topology_version=1 + + +[oslo_messaging_rabbit] + +# +# Options defined in oslo.messaging +# + +# Use durable queues in AMQP. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_durable_queues +#amqp_durable_queues=false + +# Auto-delete queues in AMQP. (boolean value) +#amqp_auto_delete=false + +# Size of RPC connection pool. (integer value) +#rpc_conn_pool_size=30 + +# SSL version to use (valid only if SSL enabled). Valid values +# are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may +# be available on some distributions. (string value) +#kombu_ssl_version= + +# SSL key file (valid only if SSL enabled). (string value) +#kombu_ssl_keyfile= + +# SSL cert file (valid only if SSL enabled). (string value) +#kombu_ssl_certfile= + +# SSL certification authority file (valid only if SSL +# enabled). (string value) +#kombu_ssl_ca_certs= + +# How long to wait before reconnecting in response to an AMQP +# consumer cancel notification. (floating point value) +#kombu_reconnect_delay=1.0 + +# The RabbitMQ broker address where a single node is used. +# (string value) +rabbit_host={{ RABBITMQ_HOST }} + +# The RabbitMQ broker port where a single node is used. +# (integer value) +rabbit_port={{ RABBITMQ_PORT }} + +# RabbitMQ HA cluster host:port pairs. (list value) +rabbit_hosts=$rabbit_host:$rabbit_port + +# Connect over SSL for RabbitMQ. (boolean value) +#rabbit_use_ssl=false + +# The RabbitMQ userid. (string value) +rabbit_userid={{ RABBITMQ_USER }} + +# The RabbitMQ password. (string value) +rabbit_password={{ RABBITMQ_PASSWORD }} + +# The RabbitMQ login method. (string value) +#rabbit_login_method=AMQPLAIN + +# The RabbitMQ virtual host. (string value) +#rabbit_virtual_host=/ + +# How frequently to retry connecting with RabbitMQ. (integer +# value) +#rabbit_retry_interval=1 + +# How long to backoff for between retries when connecting to +# RabbitMQ. (integer value) +#rabbit_retry_backoff=2 + +# Maximum number of RabbitMQ connection retries. Default is 0 +# (infinite retry count). (integer value) +#rabbit_max_retries=0 + +# Use HA queues in RabbitMQ (x-ha-policy: all). If you change +# this option, you must wipe the RabbitMQ database. (boolean +# value) +#rabbit_ha_queues=false + +# Number of seconds after which the Rabbit broker is +# considered down if heartbeat's keep-alive fails (0 disables +# the heartbeat, >0 enables it. Enabling heartbeats requires +# kombu>=3.0.7 and amqp>=1.4.0). EXPERIMENTAL (integer value) +#heartbeat_timeout_threshold=0 + +# How often times during the heartbeat_timeout_threshold we +# check the heartbeat. (integer value) +#heartbeat_rate=2 + +# Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake +# (boolean value) +#fake_rabbit=false + + +[profiler] + +# +# Options defined in cinder.service +# + +# If False fully disable profiling feature. (boolean value) +#profiler_enabled=false + +# If False doesn't trace SQL requests. (boolean value) +#trace_sqlalchemy=false + + +[DEFAULT] + + +[keystone_authtoken] + +# +# From keystonemiddleware.auth_token +# + +# Complete public Identity API endpoint. (string value) +#auth_uri = <None> + +# API version of the admin Identity API endpoint. (string value) +#auth_version = <None> + +# Do not handle authorization requests within the middleware, but +# delegate the authorization decision to downstream WSGI components. +# (boolean value) +#delay_auth_decision = false + +# Request timeout value for communicating with Identity API server. +# (integer value) +#http_connect_timeout = <None> + +# How many times are we trying to reconnect when communicating with +# Identity API Server. (integer value) +#http_request_max_retries = 3 + +# Env key for the swift cache. (string value) +#cache = <None> + +# Required if identity server requires client certificate (string +# value) +#certfile = <None> + +# Required if identity server requires client certificate (string +# value) +#keyfile = <None> + +# A PEM encoded Certificate Authority to use when verifying HTTPs +# connections. Defaults to system CAs. (string value) +#cafile = <None> + +# Verify HTTPS connections. (boolean value) +#insecure = false + +# Directory used to cache files related to PKI tokens. (string value) +#signing_dir = <None> + +# Optionally specify a list of memcached server(s) to use for caching. +# If left undefined, tokens will instead be cached in-process. (list +# value) +# Deprecated group/name - [DEFAULT]/memcache_servers +#memcached_servers = <None> + +# In order to prevent excessive effort spent validating tokens, the +# middleware caches previously-seen tokens for a configurable duration +# (in seconds). Set to -1 to disable caching completely. (integer +# value) +#token_cache_time = 300 + +# Determines the frequency at which the list of revoked tokens is +# retrieved from the Identity service (in seconds). A high number of +# revocation events combined with a low cache duration may +# significantly reduce performance. (integer value) +#revocation_cache_time = 10 + +# (Optional) If defined, indicate whether token data should be +# authenticated or authenticated and encrypted. Acceptable values are +# MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in +# the cache. If ENCRYPT, token data is encrypted and authenticated in +# the cache. If the value is not one of these options or empty, +# auth_token will raise an exception on initialization. (string value) +#memcache_security_strategy = <None> + +# (Optional, mandatory if memcache_security_strategy is defined) This +# string is used for key derivation. (string value) +#memcache_secret_key = <None> + +# (Optional) Number of seconds memcached server is considered dead +# before it is tried again. (integer value) +#memcache_pool_dead_retry = 300 + +# (Optional) Maximum total number of open connections to every +# memcached server. (integer value) +#memcache_pool_maxsize = 10 + +# (Optional) Socket timeout in seconds for communicating with a +# memcache server. (integer value) +#memcache_pool_socket_timeout = 3 + +# (Optional) Number of seconds a connection to memcached is held +# unused in the pool before it is closed. (integer value) +#memcache_pool_unused_timeout = 60 + +# (Optional) Number of seconds that an operation will wait to get a +# memcache client connection from the pool. (integer value) +#memcache_pool_conn_get_timeout = 10 + +# (Optional) Use the advanced (eventlet safe) memcache client pool. +# The advanced pool will only work under python 2.x. (boolean value) +#memcache_use_advanced_pool = false + +# (Optional) Indicate whether to set the X-Service-Catalog header. If +# False, middleware will not ask for service catalog on token +# validation and will not set the X-Service-Catalog header. (boolean +# value) +#include_service_catalog = true + +# Used to control the use and type of token binding. Can be set to: +# "disabled" to not check token binding. "permissive" (default) to +# validate binding information if the bind type is of a form known to +# the server and ignore it if not. "strict" like "permissive" but if +# the bind type is unknown the token will be rejected. "required" any +# form of token binding is needed to be allowed. Finally the name of a +# binding method that must be present in tokens. (string value) +#enforce_token_bind = permissive + +# If true, the revocation list will be checked for cached tokens. This +# requires that PKI tokens are configured on the identity server. +# (boolean value) +#check_revocations_for_cached = false + +# Hash algorithms to use for hashing PKI tokens. This may be a single +# algorithm or multiple. The algorithms are those supported by Python +# standard hashlib.new(). The hashes will be tried in the order given, +# so put the preferred one first for performance. The result of the +# first hash will be stored in the cache. This will typically be set +# to multiple values only while migrating from a less secure algorithm +# to a more secure one. Once all the old tokens are expired this +# option should be set to a single value for better performance. (list +# value) +#hash_algorithms = md5 + +# Prefix to prepend at the beginning of the path. Deprecated, use +# identity_uri. (string value) +#auth_admin_prefix = + +# Host providing the admin Identity API endpoint. Deprecated, use +# identity_uri. (string value) +#auth_host = 127.0.0.1 + +# Port of the admin Identity API endpoint. Deprecated, use +# identity_uri. (integer value) +#auth_port = 35357 + +# Protocol of the admin Identity API endpoint (http or https). +# Deprecated, use identity_uri. (string value) +#auth_protocol = https + +# Complete admin Identity API endpoint. This should specify the +# unversioned root endpoint e.g. https://localhost:35357/ (string +# value) +identity_uri = http://{{ CONTROLLER_HOST_ADDRESS }}:35357 + +# This option is deprecated and may be removed in a future release. +# Single shared secret with the Keystone configuration used for +# bootstrapping a Keystone installation, or otherwise bypassing the +# normal authentication process. This option should not be used, use +# `admin_user` and `admin_password` instead. (string value) +#admin_token = <None> + +# Service username. (string value) +admin_user = {{ CINDER_SERVICE_USER }} + +# Service user password. (string value) +admin_password = {{ CINDER_SERVICE_PASSWORD }} + +# Service tenant name. (string value) +admin_tenant_name = service diff --git a/old/install-files/openstack/usr/share/openstack/extras/00-disable-device.network b/old/install-files/openstack/usr/share/openstack/extras/00-disable-device.network new file mode 100644 index 00000000..8e2532d0 --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/extras/00-disable-device.network @@ -0,0 +1,2 @@ +[Match] +Name={{ item }} diff --git a/old/install-files/openstack/usr/share/openstack/extras/60-device-dhcp.network b/old/install-files/openstack/usr/share/openstack/extras/60-device-dhcp.network new file mode 100644 index 00000000..6fdbfd8d --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/extras/60-device-dhcp.network @@ -0,0 +1,5 @@ +[Match] +Name={{ item }} + +[Network] +DHCP=yes diff --git a/old/install-files/openstack/usr/share/openstack/glance.yml b/old/install-files/openstack/usr/share/openstack/glance.yml new file mode 100644 index 00000000..4d642b6c --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/glance.yml @@ -0,0 +1,92 @@ +--- +- hosts: localhost + vars_files: + - "/etc/openstack/glance.conf" + tasks: + - name: Create the glance user. + user: + name: glance + comment: Openstack Glance Daemons + shell: /sbin/nologin + home: /var/lib/glance + + - name: Create the /var folders for glance + file: + path: "{{ item }}" + state: directory + owner: glance + group: glance + with_items: + - /var/run/glance + - /var/lock/glance + - /var/log/glance + - /var/lib/glance + - /var/lib/glance/images + - /var/lib/glance/image-cache + + - name: Create /etc/glance directory + file: + path: /etc/glance + state: directory + + - name: Add the configuration needed for glance in /etc/glance using templates + template: + src: /usr/share/openstack/glance/{{ item }} + dest: /etc/glance/{{ item }} + with_lines: + - cd /usr/share/openstack/glance && find -type f + + - name: Create glance service user in service tenant + keystone_user: + user: "{{ GLANCE_SERVICE_USER }}" + password: "{{ GLANCE_SERVICE_PASSWORD }}" + tenant: service + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + + - name: Assign admin role to glances service user in the service tenant + keystone_user: + role: admin + user: "{{ GLANCE_SERVICE_USER }}" + tenant: service + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + + - name: Add glance endpoint + keystone_service: + name: glance + type: image + description: Openstack Image Service + publicurl: http://{{ ansible_hostname }}:9292 + internalurl: http://{{ CONTROLLER_HOST_ADDRESS }}:9292 + adminurl: http://{{ CONTROLLER_HOST_ADDRESS }}:9292 + region: regionOne + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + + - name: Create postgresql user for glance + postgresql_user: + name: "{{ GLANCE_DB_USER }}" + login_host: "{{ CONTROLLER_HOST_ADDRESS }}" + password: "{{ GLANCE_DB_PASSWORD }}" + sudo: yes + sudo_user: glance + + - name: Create database for glance services + postgresql_db: + name: glance + owner: "{{ GLANCE_DB_USER }}" + login_host: "{{ CONTROLLER_HOST_ADDRESS }}" + sudo: yes + sudo_user: glance + + - name: Initiate glance database + command: glance-manage db_sync + sudo: yes + sudo_user: glance + + - name: Enable and start openstack-glance services + service: + name: "{{ item }}" + enabled: yes + state: started + with_items: + - openstack-glance-api.service + - openstack-glance-registry.service diff --git a/old/install-files/openstack/usr/share/openstack/glance/glance-api.conf b/old/install-files/openstack/usr/share/openstack/glance/glance-api.conf new file mode 100644 index 00000000..b6a4723d --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/glance/glance-api.conf @@ -0,0 +1,813 @@ +[DEFAULT] +# Show more verbose log output (sets INFO log level output) +#verbose = False + +# Show debugging output in logs (sets DEBUG log level output) +#debug = False + +# Maximum image size (in bytes) that may be uploaded through the +# Glance API server. Defaults to 1 TB. +# WARNING: this value should only be increased after careful consideration +# and must be set to a value under 8 EB (9223372036854775808). +#image_size_cap = 1099511627776 + +# Address to bind the API server +bind_host = 0.0.0.0 + +# Port the bind the API server to +bind_port = 9292 + +# Log to this file. Make sure you do not set the same log file for both the API +# and registry servers! +# +# If `log_file` is omitted and `use_syslog` is false, then log messages are +# sent to stdout as a fallback. +# log_file = /var/log/glance/api.log + +# Backlog requests when creating socket +backlog = 4096 + +# TCP_KEEPIDLE value in seconds when creating socket. +# Not supported on OS X. +#tcp_keepidle = 600 + +# API to use for accessing data. Default value points to sqlalchemy +# package, it is also possible to use: glance.db.registry.api +# data_api = glance.db.sqlalchemy.api + +# The number of child process workers that will be +# created to service API requests. The default will be +# equal to the number of CPUs available. (integer value) +#workers = 4 + +# Maximum line size of message headers to be accepted. +# max_header_line may need to be increased when using large tokens +# (typically those generated by the Keystone v3 API with big service +# catalogs) +# max_header_line = 16384 + +# Role used to identify an authenticated user as administrator +#admin_role = admin + +# Allow unauthenticated users to access the API with read-only +# privileges. This only applies when using ContextMiddleware. +#allow_anonymous_access = False + +# Allow access to version 1 of glance api +#enable_v1_api = True + +# Allow access to version 2 of glance api +#enable_v2_api = True + +# Return the URL that references where the data is stored on +# the backend storage system. For example, if using the +# file system store a URL of 'file:///path/to/image' will +# be returned to the user in the 'direct_url' meta-data field. +# The default value is false. +#show_image_direct_url = False + +# Send headers containing user and tenant information when making requests to +# the v1 glance registry. This allows the registry to function as if a user is +# authenticated without the need to authenticate a user itself using the +# auth_token middleware. +# The default value is false. +#send_identity_headers = False + +# Supported values for the 'container_format' image attribute +#container_formats=ami,ari,aki,bare,ovf,ova + +# Supported values for the 'disk_format' image attribute +#disk_formats=ami,ari,aki,vhd,vmdk,raw,qcow2,vdi,iso + +# Property Protections config file +# This file contains the rules for property protections and the roles/policies +# associated with it. +# If this config value is not specified, by default, property protections +# won't be enforced. +# If a value is specified and the file is not found, then the glance-api +# service will not start. +#property_protection_file = + +# Specify whether 'roles' or 'policies' are used in the +# property_protection_file. +# The default value for property_protection_rule_format is 'roles'. +#property_protection_rule_format = roles + +# This value sets what strategy will be used to determine the image location +# order. Currently two strategies are packaged with Glance 'location_order' +# and 'store_type'. +#location_strategy = location_order + + +# Public url to use for versions endpoint. The default is None, +# which will use the request's host_url attribute to populate the URL base. +# If Glance is operating behind a proxy, you will want to change this to +# represent the proxy's URL. +#public_endpoint=<None> + +# http_keepalive option. If False, server will return the header +# "Connection: close", If True, server will return "Connection: Keep-Alive" +# in its responses. In order to close the client socket connection +# explicitly after the response is sent and read successfully by the client, +# you simply have to set this option to False when you create a wsgi server. +#http_keepalive = True + +# ================= Syslog Options ============================ + +# Send logs to syslog (/dev/log) instead of to file specified +# by `log_file` +use_syslog = True + +# Facility to use. If unset defaults to LOG_USER. +#syslog_log_facility = LOG_LOCAL0 + +# ================= SSL Options =============================== + +# Certificate file to use when starting API server securely +#cert_file = /path/to/certfile + +# Private key file to use when starting API server securely +#key_file = /path/to/keyfile + +# CA certificate file to use to verify connecting clients +#ca_file = /path/to/cafile + +# ================= Security Options ========================== + +# AES key for encrypting store 'location' metadata, including +# -- if used -- Swift or S3 credentials +# Should be set to a random string of length 16, 24 or 32 bytes +#metadata_encryption_key = <16, 24 or 32 char registry metadata key> + + +# Digest algorithm which will be used for digital signature, the default is +# sha1 in Kilo for a smooth upgrade process, and it will be updated with +# sha256 in next release(L). Use command +# "openssl list-message-digest-algorithms" to get the available algorithms +# supported by the version of OpenSSL on the platform. Examples are 'sha1', +# 'sha256', 'sha512', etc. +#digest_algorithm = sha1 + +# ============ Registry Options =============================== + +# Address to find the registry server +registry_host = {{ MANAGEMENT_INTERFACE_IP_ADDRESS }} + +# Port the registry server is listening on +registry_port = 9191 + +# What protocol to use when connecting to the registry server? +# Set to https for secure HTTP communication +registry_client_protocol = http + +# The path to the key file to use in SSL connections to the +# registry server, if any. Alternately, you may set the +# GLANCE_CLIENT_KEY_FILE environ variable to a filepath of the key file +#registry_client_key_file = /path/to/key/file + +# The path to the cert file to use in SSL connections to the +# registry server, if any. Alternately, you may set the +# GLANCE_CLIENT_CERT_FILE environ variable to a filepath of the cert file +#registry_client_cert_file = /path/to/cert/file + +# The path to the certifying authority cert file to use in SSL connections +# to the registry server, if any. Alternately, you may set the +# GLANCE_CLIENT_CA_FILE environ variable to a filepath of the CA cert file +#registry_client_ca_file = /path/to/ca/file + +# When using SSL in connections to the registry server, do not require +# validation via a certifying authority. This is the registry's equivalent of +# specifying --insecure on the command line using glanceclient for the API +# Default: False +#registry_client_insecure = False + +# The period of time, in seconds, that the API server will wait for a registry +# request to complete. A value of '0' implies no timeout. +# Default: 600 +#registry_client_timeout = 600 + +# Enable DEBUG log messages from sqlalchemy which prints every database +# query and response. +# Default: False +#sqlalchemy_debug = True + +# Pass the user's token through for API requests to the registry. +# Default: True +#use_user_token = True + +# If 'use_user_token' is not in effect then admin credentials +# can be specified. Requests to the registry on behalf of +# the API will use these credentials. +# Admin user name +#admin_user = None +# Admin password +#admin_password = None +# Admin tenant name +#admin_tenant_name = None +# Keystone endpoint +#auth_url = None +# Keystone region +#auth_region = None +# Auth strategy +#auth_strategy = keystone + +# ============ Notification System Options ===================== + +# Driver or drivers to handle sending notifications. Set to +# 'messaging' to send notifications to a message queue. +notification_driver = messagingv2 + +# Default publisher_id for outgoing notifications. +# default_publisher_id = image.localhost + +# List of disabled notifications. A notification can be given either as a +# notification type to disable a single event, or as a notification group +# prefix to disable all events within a group. +# Example: if this config option is set to +# ["image.create", "metadef_namespace"], then "image.create" notification will +# not be sent after image is created and none of the notifications for +# metadefinition namespaces will be sent. +# disabled_notifications = [] + +# Messaging driver used for 'messaging' notifications driver +rpc_backend = 'rabbit' + +# Configuration options if sending notifications via rabbitmq (these are +# the defaults) +rabbit_host = {{ RABBITMQ_HOST }} +rabbit_port = {{ RABBITMQ_PORT }} +rabbit_use_ssl = false +rabbit_userid = {{ RABBITMQ_USER }} +rabbit_password = {{ RABBITMQ_PASSWORD }} +rabbit_virtual_host = / +rabbit_notification_exchange = glance +rabbit_notification_topic = notifications +rabbit_durable_queues = False + +# Configuration options if sending notifications via Qpid (these are +# the defaults) +#qpid_notification_exchange = glance +#qpid_notification_topic = notifications +#qpid_hostname = localhost +#qpid_port = 5672 +#qpid_username = +#qpid_password = +#qpid_sasl_mechanisms = +#qpid_reconnect_timeout = 0 +#qpid_reconnect_limit = 0 +#qpid_reconnect_interval_min = 0 +#qpid_reconnect_interval_max = 0 +#qpid_reconnect_interval = 0 +#qpid_heartbeat = 5 +# Set to 'ssl' to enable SSL +#qpid_protocol = tcp +#qpid_tcp_nodelay = True + +# ============ Delayed Delete Options ============================= + +# Turn on/off delayed delete +delayed_delete = False + +# Delayed delete time in seconds +scrub_time = 43200 + +# Directory that the scrubber will use to remind itself of what to delete +# Make sure this is also set in glance-scrubber.conf +scrubber_datadir = /var/lib/glance/scrubber + +# =============== Quota Options ================================== + +# The maximum number of image members allowed per image +#image_member_quota = 128 + +# The maximum number of image properties allowed per image +#image_property_quota = 128 + +# The maximum number of tags allowed per image +#image_tag_quota = 128 + +# The maximum number of locations allowed per image +#image_location_quota = 10 + +# Set a system wide quota for every user. This value is the total number +# of bytes that a user can use across all storage systems. A value of +# 0 means unlimited. +#user_storage_quota = 0 + +# =============== Image Cache Options ============================= + +# Base directory that the Image Cache uses +image_cache_dir = /var/lib/glance/image-cache/ + +# =============== Policy Options ================================== + +[oslo_policy] +# The JSON file that defines policies. +# Deprecated group/name - [DEFAULT]/policy_file +#policy_file = policy.json + +# Default rule. Enforced when a requested rule is not found. +# Deprecated group/name - [DEFAULT]/policy_default_rule +#policy_default_rule = default + +# Directories where policy configuration files are stored. +# They can be relative to any directory in the search path +# defined by the config_dir option, or absolute paths. +# The file defined by policy_file must exist for these +# directories to be searched. +# Deprecated group/name - [DEFAULT]/policy_dirs +#policy_dirs = policy.d + +# =============== Database Options ================================= + +[database] +# The file name to use with SQLite (string value) +#sqlite_db = oslo.sqlite + +# If True, SQLite uses synchronous mode (boolean value) +#sqlite_synchronous = True + +# The backend to use for db (string value) +# Deprecated group/name - [DEFAULT]/db_backend +#backend = sqlalchemy + +# The SQLAlchemy connection string used to connect to the +# database (string value) +# Deprecated group/name - [DEFAULT]/sql_connection +# Deprecated group/name - [DATABASE]/sql_connection +# Deprecated group/name - [sql]/connection +#connection = <None> +connection=postgresql://{{ GLANCE_DB_USER }}:{{ GLANCE_DB_PASSWORD }}@{{ CONTROLLER_HOST_ADDRESS }}/glance + +# The SQL mode to be used for MySQL sessions. This option, +# including the default, overrides any server-set SQL mode. To +# use whatever SQL mode is set by the server configuration, +# set this to no value. Example: mysql_sql_mode= (string +# value) +#mysql_sql_mode = TRADITIONAL + +# Timeout before idle sql connections are reaped (integer +# value) +# Deprecated group/name - [DEFAULT]/sql_idle_timeout +# Deprecated group/name - [DATABASE]/sql_idle_timeout +# Deprecated group/name - [sql]/idle_timeout +#idle_timeout = 3600 + +# Minimum number of SQL connections to keep open in a pool +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_min_pool_size +# Deprecated group/name - [DATABASE]/sql_min_pool_size +#min_pool_size = 1 + +# Maximum number of SQL connections to keep open in a pool +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_pool_size +# Deprecated group/name - [DATABASE]/sql_max_pool_size +#max_pool_size = <None> + +# Maximum db connection retries during startup. (setting -1 +# implies an infinite retry count) (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_retries +# Deprecated group/name - [DATABASE]/sql_max_retries +#max_retries = 10 + +# Interval between retries of opening a sql connection +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_retry_interval +# Deprecated group/name - [DATABASE]/reconnect_interval +#retry_interval = 10 + +# If set, use this value for max_overflow with sqlalchemy +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_overflow +# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow +#max_overflow = <None> + +# Verbosity of SQL debugging information. 0=None, +# 100=Everything (integer value) +# Deprecated group/name - [DEFAULT]/sql_connection_debug +#connection_debug = 0 + +# Add python stack traces to SQL as comment strings (boolean +# value) +# Deprecated group/name - [DEFAULT]/sql_connection_trace +#connection_trace = False + +# If set, use this value for pool_timeout with sqlalchemy +# (integer value) +# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout +#pool_timeout = <None> + +# Enable the experimental use of database reconnect on +# connection lost (boolean value) +#use_db_reconnect = False + +# seconds between db connection retries (integer value) +#db_retry_interval = 1 + +# Whether to increase interval between db connection retries, +# up to db_max_retry_interval (boolean value) +#db_inc_retry_interval = True + +# max seconds between db connection retries, if +# db_inc_retry_interval is enabled (integer value) +#db_max_retry_interval = 10 + +# maximum db connection retries before error is raised. +# (setting -1 implies an infinite retry count) (integer value) +#db_max_retries = 20 + +[oslo_concurrency] + +# Enables or disables inter-process locks. (boolean value) +# Deprecated group/name - [DEFAULT]/disable_process_locking +#disable_process_locking = false + +# Directory to use for lock files. For security, the specified +# directory should only be writable by the user running the processes +# that need locking. It could be read from environment variable +# OSLO_LOCK_PATH. This setting needs to be the same for both +# glance-scrubber and glance-api service. Default to a temp directory. +# Deprecated group/name - [DEFAULT]/lock_path (string value) +#lock_path = /tmp + +[keystone_authtoken] +auth_uri = http://{{ CONTROLLER_HOST_ADDRESS }}:5000/v2.0 +identity_uri = http://{{ CONTROLLER_HOST_ADDRESS }}:35357 +admin_tenant_name = service +admin_user = {{ GLANCE_SERVICE_USER }} +admin_password = {{ GLANCE_SERVICE_PASSWORD }} +revocation_cache_time = 10 + +[paste_deploy] +# Name of the paste configuration file that defines the available pipelines +#config_file = glance-api-paste.ini + +# Partial name of a pipeline in your paste configuration file with the +# service name removed. For example, if your paste section name is +# [pipeline:glance-api-keystone], you would configure the flavor below +# as 'keystone'. +flavor=keystone + +[store_type_location_strategy] +# The scheme list to use to get store preference order. The scheme must be +# registered by one of the stores defined by the 'stores' config option. +# This option will be applied when you using 'store_type' option as image +# location strategy defined by the 'location_strategy' config option. +#store_type_preference = + +[profiler] +# If False fully disable profiling feature. +#enabled = False + +# If False doesn't trace SQL requests. +#trace_sqlalchemy = False + +[task] +# ================= Glance Tasks Options ============================ + +# Specifies how long (in hours) a task is supposed to live in the tasks DB +# after succeeding or failing before getting soft-deleted. +# The default value for task_time_to_live is 48 hours. +# task_time_to_live = 48 + +# Specifies which task executor to be used to run the task scripts. +# The default value for task_executor is taskflow. +# task_executor = taskflow + +# Work dir for asynchronous task operations. The directory set here +# will be used to operate over images - normally before they are +# imported in the destination store. When providing work dir, make sure +# enough space is provided for concurrent tasks to run efficiently +# without running out of space. A rough estimation can be done by +# multiplying the number of `max_workers` - or the N of workers running +# - by an average image size (e.g 500MB). The image size estimation +# should be done based on the average size in your deployment. Note that +# depending on the tasks running you may need to multiply this number by +# some factor depending on what the task does. For example, you may want +# to double the available size if image conversion is enabled. All this +# being said, remember these are just estimations and you should do them +# based on the worst case scenario and be prepared to act in case they +# were wrong. +# work_dir=None + +# Specifies the maximum number of eventlet threads which can be spun up by +# the eventlet based task executor to perform execution of Glance tasks. +# DEPRECATED: Use [taskflow_executor]/max_workers instead. +# eventlet_executor_pool_size = 1000 + +[taskflow_executor] +# The mode in which the engine will run. Can be 'default', 'serial', +# 'parallel' or 'worker-based' +#engine_mode = serial + +# The number of parallel activities executed at the same time by +# the engine. The value can be greater than one when the engine mode is +# 'parallel' or 'worker-based', otherwise this value will be ignored. +#max_workers = 10 + +[glance_store] +# List of which store classes and store class locations are +# currently known to glance at startup. +# Deprecated group/name - [DEFAULT]/known_stores +# Existing but disabled stores: +# glance.store.rbd.Store, +# glance.store.s3.Store, +# glance.store.swift.Store, +# glance.store.sheepdog.Store, +# glance.store.cinder.Store, +# glance.store.gridfs.Store, +# glance.store.vmware_datastore.Store, +#stores = glance.store.filesystem.Store, +# glance.store.http.Store + +# Which backend scheme should Glance use by default is not specified +# in a request to add a new image to Glance? Known schemes are determined +# by the stores option. +# Deprecated group/name - [DEFAULT]/default_store +# Default: 'file' +default_store = file + +# ============ Filesystem Store Options ======================== + +# Directory that the Filesystem backend store +# writes image data to +filesystem_store_datadir = /var/lib/glance/images/ + +# A list of directories where image data can be stored. +# This option may be specified multiple times for specifying multiple store +# directories. Either one of filesystem_store_datadirs or +# filesystem_store_datadir option is required. A priority number may be given +# after each directory entry, separated by a ":". +# When adding an image, the highest priority directory will be selected, unless +# there is not enough space available in cases where the image size is already +# known. If no priority is given, it is assumed to be zero and the directory +# will be considered for selection last. If multiple directories have the same +# priority, then the one with the most free space available is selected. +# If same store is specified multiple times then BadStoreConfiguration +# exception will be raised. +#filesystem_store_datadirs = /var/lib/glance/images/:1 + +# A path to a JSON file that contains metadata describing the storage +# system. When show_multiple_locations is True the information in this +# file will be returned with any location that is contained in this +# store. +#filesystem_store_metadata_file = None + +# ============ Swift Store Options ============================= + +# Version of the authentication service to use +# Valid versions are '2' for keystone and '1' for swauth and rackspace +swift_store_auth_version = 2 + +# Address where the Swift authentication service lives +# Valid schemes are 'http://' and 'https://' +# If no scheme specified, default to 'https://' +# For swauth, use something like '127.0.0.1:8080/v1.0/' +swift_store_auth_address = 127.0.0.1:5000/v2.0/ + +# User to authenticate against the Swift authentication service +# If you use Swift authentication service, set it to 'account':'user' +# where 'account' is a Swift storage account and 'user' +# is a user in that account +swift_store_user = jdoe:jdoe + +# Auth key for the user authenticating against the +# Swift authentication service +swift_store_key = a86850deb2742ec3cb41518e26aa2d89 + +# Container within the account that the account should use +# for storing images in Swift +swift_store_container = glance + +# Do we create the container if it does not exist? +swift_store_create_container_on_put = False + +# What size, in MB, should Glance start chunking image files +# and do a large object manifest in Swift? By default, this is +# the maximum object size in Swift, which is 5GB +swift_store_large_object_size = 5120 + +# swift_store_config_file = glance-swift.conf +# This file contains references for each of the configured +# Swift accounts/backing stores. If used, this option can prevent +# credentials being stored in the database. Using Swift references +# is disabled if this config is left blank. + +# The reference to the default Swift parameters to use for adding new images. +# default_swift_reference = 'ref1' + +# When doing a large object manifest, what size, in MB, should +# Glance write chunks to Swift? This amount of data is written +# to a temporary disk buffer during the process of chunking +# the image file, and the default is 200MB +swift_store_large_object_chunk_size = 200 + +# If set, the configured endpoint will be used. If None, the storage URL +# from the auth response will be used. The location of an object is +# obtained by appending the container and object to the configured URL. +# +# swift_store_endpoint = https://www.example.com/v1/not_a_container +#swift_store_endpoint = + +# If set to True enables multi-tenant storage mode which causes Glance images +# to be stored in tenant specific Swift accounts. +#swift_store_multi_tenant = False + +# If set to an integer value between 1 and 32, a single-tenant store will +# use multiple containers to store images. If set to the default value of 0, +# only a single container will be used. Multi-tenant stores are not affected +# by this option. The max number of containers that will be used to store +# images is approximately 16^N where N is the value of this option. Discuss +# the impact of this with your swift deployment team, as this option is only +# beneficial in the largest of deployments where swift rate limiting can lead +# to unwanted throttling on a single container. +#swift_store_multiple_containers_seed = 0 + +# A list of swift ACL strings that will be applied as both read and +# write ACLs to the containers created by Glance in multi-tenant +# mode. This grants the specified tenants/users read and write access +# to all newly created image objects. The standard swift ACL string +# formats are allowed, including: +# <tenant_id>:<username> +# <tenant_name>:<username> +# *:<username> +# Multiple ACLs can be combined using a comma separated list, for +# example: swift_store_admin_tenants = service:glance,*:admin +#swift_store_admin_tenants = + +# The region of the swift endpoint to be used for single tenant. This setting +# is only necessary if the tenant has multiple swift endpoints. +#swift_store_region = + +# If set to False, disables SSL layer compression of https swift requests. +# Setting to 'False' may improve performance for images which are already +# in a compressed format, eg qcow2. If set to True, enables SSL layer +# compression (provided it is supported by the target swift proxy). +#swift_store_ssl_compression = True + +# The number of times a Swift download will be retried before the +# request fails +#swift_store_retry_get_count = 0 + +# Bypass SSL verification for Swift +#swift_store_auth_insecure = False + +# The path to a CA certificate bundle file to use for SSL verification when +# communicating with Swift. +#swift_store_cacert = + +# ============ S3 Store Options ============================= + +# Address where the S3 authentication service lives +# Valid schemes are 'http://' and 'https://' +# If no scheme specified, default to 'http://' +s3_store_host = s3.amazonaws.com + +# User to authenticate against the S3 authentication service +s3_store_access_key = <20-char AWS access key> + +# Auth key for the user authenticating against the +# S3 authentication service +s3_store_secret_key = <40-char AWS secret key> + +# Container within the account that the account should use +# for storing images in S3. Note that S3 has a flat namespace, +# so you need a unique bucket name for your glance images. An +# easy way to do this is append your AWS access key to "glance". +# S3 buckets in AWS *must* be lowercased, so remember to lowercase +# your AWS access key if you use it in your bucket name below! +s3_store_bucket = <lowercased 20-char aws access key>glance + +# Do we create the bucket if it does not exist? +s3_store_create_bucket_on_put = False + +# When sending images to S3, the data will first be written to a +# temporary buffer on disk. By default the platform's temporary directory +# will be used. If required, an alternative directory can be specified here. +#s3_store_object_buffer_dir = /path/to/dir + +# When forming a bucket url, boto will either set the bucket name as the +# subdomain or as the first token of the path. Amazon's S3 service will +# accept it as the subdomain, but Swift's S3 middleware requires it be +# in the path. Set this to 'path' or 'subdomain' - defaults to 'subdomain'. +#s3_store_bucket_url_format = subdomain + +# Size, in MB, should S3 start chunking image files +# and do a multipart upload in S3. The default is 100MB. +#s3_store_large_object_size = 100 + +# Multipart upload part size, in MB, should S3 use when uploading +# parts. The size must be greater than or equal to +# 5MB. The default is 10MB. +#s3_store_large_object_chunk_size = 10 + +# The number of thread pools to perform a multipart upload +# in S3. The default is 10. +#s3_store_thread_pools = 10 + +# ============ RBD Store Options ============================= + +# Ceph configuration file path +# If using cephx authentication, this file should +# include a reference to the right keyring +# in a client.<USER> section +#rbd_store_ceph_conf = /etc/ceph/ceph.conf + +# RADOS user to authenticate as (only applicable if using cephx) +# If <None>, a default will be chosen based on the client. section +# in rbd_store_ceph_conf +#rbd_store_user = <None> + +# RADOS pool in which images are stored +#rbd_store_pool = images + +# RADOS images will be chunked into objects of this size (in megabytes). +# For best performance, this should be a power of two +#rbd_store_chunk_size = 8 + +# ============ Sheepdog Store Options ============================= + +sheepdog_store_address = localhost + +sheepdog_store_port = 7000 + +# Images will be chunked into objects of this size (in megabytes). +# For best performance, this should be a power of two +sheepdog_store_chunk_size = 64 + +# ============ Cinder Store Options =============================== + +# Info to match when looking for cinder in the service catalog +# Format is : separated values of the form: +# <service_type>:<service_name>:<endpoint_type> (string value) +#cinder_catalog_info = volume:cinder:publicURL + +# Override service catalog lookup with template for cinder endpoint +# e.g. http://localhost:8776/v1/%(project_id)s (string value) +#cinder_endpoint_template = <None> + +# Region name of this node (string value) +#os_region_name = <None> + +# Location of ca certicates file to use for cinder client requests +# (string value) +#cinder_ca_certificates_file = <None> + +# Number of cinderclient retries on failed http calls (integer value) +#cinder_http_retries = 3 + +# Allow to perform insecure SSL requests to cinder (boolean value) +#cinder_api_insecure = False + +# ============ VMware Datastore Store Options ===================== + +# ESX/ESXi or vCenter Server target system. +# The server value can be an IP address or a DNS name +# e.g. 127.0.0.1, 127.0.0.1:443, www.vmware-infra.com +#vmware_server_host = <None> + +# Server username (string value) +#vmware_server_username = <None> + +# Server password (string value) +#vmware_server_password = <None> + +# Inventory path to a datacenter (string value) +# Value optional when vmware_server_ip is an ESX/ESXi host: if specified +# should be `ha-datacenter`. +# Deprecated in favor of vmware_datastores. +#vmware_datacenter_path = <None> + +# Datastore associated with the datacenter (string value) +# Deprecated in favor of vmware_datastores. +#vmware_datastore_name = <None> + +# A list of datastores where the image can be stored. +# This option may be specified multiple times for specifying multiple +# datastores. Either one of vmware_datastore_name or vmware_datastores is +# required. The datastore name should be specified after its datacenter +# path, separated by ":". An optional weight may be given after the datastore +# name, separated again by ":". Thus, the required format becomes +# <datacenter_path>:<datastore_name>:<optional_weight>. +# When adding an image, the datastore with highest weight will be selected, +# unless there is not enough free space available in cases where the image size +# is already known. If no weight is given, it is assumed to be zero and the +# directory will be considered for selection last. If multiple datastores have +# the same weight, then the one with the most free space available is selected. +#vmware_datastores = <None> + +# The number of times we retry on failures +# e.g., socket error, etc (integer value) +#vmware_api_retry_count = 10 + +# The interval used for polling remote tasks +# invoked on VMware ESX/VC server in seconds (integer value) +#vmware_task_poll_interval = 5 + +# Absolute path of the folder containing the images in the datastore +# (string value) +#vmware_store_image_dir = /openstack_glance + +# Allow to perform insecure SSL requests to the target system (boolean value) +#vmware_api_insecure = False diff --git a/old/install-files/openstack/usr/share/openstack/glance/glance-registry.conf b/old/install-files/openstack/usr/share/openstack/glance/glance-registry.conf new file mode 100644 index 00000000..40993d8d --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/glance/glance-registry.conf @@ -0,0 +1,268 @@ +[DEFAULT] +# Show more verbose log output (sets INFO log level output) +#verbose = False + +# Show debugging output in logs (sets DEBUG log level output) +#debug = False + +# Address to bind the registry server +bind_host = {{ MANAGEMENT_INTERFACE_IP_ADDRESS }} + +# Port the bind the registry server to +bind_port = 9191 + +# Log to this file. Make sure you do not set the same log file for both the API +# and registry servers! +# +# If `log_file` is omitted and `use_syslog` is false, then log messages are +# sent to stdout as a fallback. +# log_file = /var/log/glance/registry.log + +# Backlog requests when creating socket +backlog = 4096 + +# TCP_KEEPIDLE value in seconds when creating socket. +# Not supported on OS X. +#tcp_keepidle = 600 + +# API to use for accessing data. Default value points to sqlalchemy +# package. +#data_api = glance.db.sqlalchemy.api + +# The number of child process workers that will be +# created to service Registry requests. The default will be +# equal to the number of CPUs available. (integer value) +#workers = None + +# Enable Registry API versions individually or simultaneously +#enable_v1_registry = True +#enable_v2_registry = True + +# Limit the api to return `param_limit_max` items in a call to a container. If +# a larger `limit` query param is provided, it will be reduced to this value. +api_limit_max = 1000 + +# If a `limit` query param is not provided in an api request, it will +# default to `limit_param_default` +limit_param_default = 25 + +# Role used to identify an authenticated user as administrator +#admin_role = admin + +# Enable DEBUG log messages from sqlalchemy which prints every database +# query and response. +# Default: False +#sqlalchemy_debug = True + +# http_keepalive option. If False, server will return the header +# "Connection: close", If True, server will return "Connection: Keep-Alive" +# in its responses. In order to close the client socket connection +# explicitly after the response is sent and read successfully by the client, +# you simply have to set this option to False when you create a wsgi server. +#http_keepalive = True + +# ================= Syslog Options ============================ + +# Send logs to syslog (/dev/log) instead of to file specified +# by `log_file` +use_syslog = True + +# Facility to use. If unset defaults to LOG_USER. +#syslog_log_facility = LOG_LOCAL1 + +# ================= SSL Options =============================== + +# Certificate file to use when starting registry server securely +#cert_file = /path/to/certfile + +# Private key file to use when starting registry server securely +#key_file = /path/to/keyfile + +# CA certificate file to use to verify connecting clients +#ca_file = /path/to/cafile + +# ============ Notification System Options ===================== + +# Driver or drivers to handle sending notifications. Set to +# 'messaging' to send notifications to a message queue. +notification_driver = messagingv2 + +# Default publisher_id for outgoing notifications. +# default_publisher_id = image.localhost + +# Messaging driver used for 'messaging' notifications driver +rpc_backend = 'rabbit' + +# Configuration options if sending notifications via rabbitmq (these are +# the defaults) +rabbit_host = {{ RABBITMQ_HOST }} +rabbit_port = {{ RABBITMQ_PORT }} +rabbit_use_ssl = false +rabbit_userid = {{ RABBITMQ_USER }} +rabbit_password = {{ RABBITMQ_PASSWORD }} +rabbit_virtual_host = / +rabbit_notification_exchange = glance +rabbit_notification_topic = notifications +rabbit_durable_queues = False + +# Configuration options if sending notifications via Qpid (these are +# the defaults) +#qpid_notification_exchange = glance +#qpid_notification_topic = notifications +#qpid_hostname = localhost +#qpid_port = 5672 +#qpid_username = +#qpid_password = +#qpid_sasl_mechanisms = +#qpid_reconnect_timeout = 0 +#qpid_reconnect_limit = 0 +#qpid_reconnect_interval_min = 0 +#qpid_reconnect_interval_max = 0 +#qpid_reconnect_interval = 0 +#qpid_heartbeat = 5 +# Set to 'ssl' to enable SSL +#qpid_protocol = tcp +#qpid_tcp_nodelay = True + + +# =============== Policy Options ============================== + +[oslo_policy] +# The JSON file that defines policies. +# Deprecated group/name - [DEFAULT]/policy_file +#policy_file = policy.json + +# Default rule. Enforced when a requested rule is not found. +# Deprecated group/name - [DEFAULT]/policy_default_rule +#policy_default_rule = default + +# Directories where policy configuration files are stored. +# They can be relative to any directory in the search path +# defined by the config_dir option, or absolute paths. +# The file defined by policy_file must exist for these +# directories to be searched. +# Deprecated group/name - [DEFAULT]/policy_dirs +#policy_dirs = policy.d + +# ================= Database Options ========================== + +[database] +# The file name to use with SQLite (string value) +#sqlite_db = glance.sqlite + +# If True, SQLite uses synchronous mode (boolean value) +#sqlite_synchronous = True + +# The backend to use for db (string value) +# Deprecated group/name - [DEFAULT]/db_backend +#backend = sqlalchemy + +# The SQLAlchemy connection string used to connect to the +# database (string value) +# Deprecated group/name - [DEFAULT]/sql_connection +# Deprecated group/name - [DATABASE]/sql_connection +# Deprecated group/name - [sql]/connection +#connection = <None> +connection=postgresql://{{ GLANCE_DB_USER }}:{{ GLANCE_DB_PASSWORD }}@{{ CONTROLLER_HOST_ADDRESS }}/glance + +# The SQL mode to be used for MySQL sessions. This option, +# including the default, overrides any server-set SQL mode. To +# use whatever SQL mode is set by the server configuration, +# set this to no value. Example: mysql_sql_mode= (string +# value) +#mysql_sql_mode = TRADITIONAL + +# Timeout before idle sql connections are reaped (integer +# value) +# Deprecated group/name - [DEFAULT]/sql_idle_timeout +# Deprecated group/name - [DATABASE]/sql_idle_timeout +# Deprecated group/name - [sql]/idle_timeout +#idle_timeout = 3600 + +# Minimum number of SQL connections to keep open in a pool +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_min_pool_size +# Deprecated group/name - [DATABASE]/sql_min_pool_size +#min_pool_size = 1 + +# Maximum number of SQL connections to keep open in a pool +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_pool_size +# Deprecated group/name - [DATABASE]/sql_max_pool_size +#max_pool_size = <None> + +# Maximum db connection retries during startup. (setting -1 +# implies an infinite retry count) (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_retries +# Deprecated group/name - [DATABASE]/sql_max_retries +#max_retries = 10 + +# Interval between retries of opening a sql connection +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_retry_interval +# Deprecated group/name - [DATABASE]/reconnect_interval +#retry_interval = 10 + +# If set, use this value for max_overflow with sqlalchemy +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_overflow +# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow +#max_overflow = <None> + +# Verbosity of SQL debugging information. 0=None, +# 100=Everything (integer value) +# Deprecated group/name - [DEFAULT]/sql_connection_debug +#connection_debug = 0 + +# Add python stack traces to SQL as comment strings (boolean +# value) +# Deprecated group/name - [DEFAULT]/sql_connection_trace +#connection_trace = False + +# If set, use this value for pool_timeout with sqlalchemy +# (integer value) +# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout +#pool_timeout = <None> + +# Enable the experimental use of database reconnect on +# connection lost (boolean value) +#use_db_reconnect = False + +# seconds between db connection retries (integer value) +#db_retry_interval = 1 + +# Whether to increase interval between db connection retries, +# up to db_max_retry_interval (boolean value) +#db_inc_retry_interval = True + +# max seconds between db connection retries, if +# db_inc_retry_interval is enabled (integer value) +#db_max_retry_interval = 10 + +# maximum db connection retries before error is raised. +# (setting -1 implies an infinite retry count) (integer value) +#db_max_retries = 20 + +[keystone_authtoken] +auth_uri = http://{{ CONTROLLER_HOST_ADDRESS }}:5000/v2.0 +identity_uri = http://{{ CONTROLLER_HOST_ADDRESS }}:35357 +admin_tenant_name = service +admin_user = {{ GLANCE_SERVICE_USER }} +admin_password = {{ GLANCE_SERVICE_PASSWORD }} + +[paste_deploy] +# Name of the paste configuration file that defines the available pipelines +#config_file = glance-registry-paste.ini + +# Partial name of a pipeline in your paste configuration file with the +# service name removed. For example, if your paste section name is +# [pipeline:glance-registry-keystone], you would configure the flavor below +# as 'keystone'. +flavor=keystone + +[profiler] +# If False fully disable profiling feature. +#enabled = False + +# If False doesn't trace SQL requests. +#trace_sqlalchemy = False diff --git a/old/install-files/openstack/usr/share/openstack/horizon.yml b/old/install-files/openstack/usr/share/openstack/horizon.yml new file mode 100644 index 00000000..1fec4ab0 --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/horizon.yml @@ -0,0 +1,46 @@ +--- +- hosts: localhost + tasks: + +# Setup apache, this may end up in apache.yml + - name: Create the apache user. + user: + name: apache + comment: Apache Server + shell: /sbin/nologin + home: /var/www + + - file: + path: /usr/sbin/suexec + group: apache + mode: 4750 + +# Setup horizon + - name: Create the horizon user. + user: + name: horizon + comment: Openstack Horizon User + shell: /sbin/nologin + home: /var/lib/horizon + + - name: Fix permissions in /var/lib/horizon + file: + path: /var/lib/horizon + state: directory + owner: horizon + group: horizon + recurse: yes + + - name: Link horizon apache configuration + file: + src: /etc/horizon/apache-horizon.conf + dest: /etc/httpd/conf.d/apache-horizon.conf + state: link + + - name: Enable and start apache services needed by horizon + service: + name: "{{ item }}" + enabled: yes + state: started + with_items: + - apache-httpd.service diff --git a/old/install-files/openstack/usr/share/openstack/hosts b/old/install-files/openstack/usr/share/openstack/hosts new file mode 100644 index 00000000..5b97818d --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/hosts @@ -0,0 +1 @@ +localhost ansible_connection=local diff --git a/old/install-files/openstack/usr/share/openstack/ironic.yml b/old/install-files/openstack/usr/share/openstack/ironic.yml new file mode 100644 index 00000000..19906b04 --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/ironic.yml @@ -0,0 +1,104 @@ +--- +- hosts: localhost + vars_files: + - "/etc/openstack/ironic.conf" + tasks: + - name: Create the ironic user + user: + name: ironic + comment: Openstack Ironic Daemons + shell: /sbin/nologin + home: /var/lib/ironic + + - name: Create the /var folders for Ironic + file: + path: "{{ item }}" + state: directory + owner: ironic + group: ironic + with_items: + - /var/run/ironic + - /var/lock/ironic + - /var/log/ironic + - /var/lib/ironic + + - file: path=/etc/ironic state=directory + - name: Add the configuration needed for ironic in /etc/ironic using templates + template: + src: /usr/share/openstack/ironic/{{ item }} + dest: /etc/ironic/{{ item }} + with_lines: + - cd /usr/share/openstack/ironic && find -type f + + - name: Create Ironic service user in service tenant + keystone_user: + user: "{{ IRONIC_SERVICE_USER }}" + password: "{{ IRONIC_SERVICE_PASSWORD }}" + tenant: service + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + + - name: Assign admin role to Ironic service user in the service tenant + keystone_user: + role: admin + user: "{{ IRONIC_SERVICE_USER }}" + tenant: service + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + + - name: Add Ironic endpoint + keystone_service: + name: ironic + type: baremetal + description: Openstack Ironic Service + publicurl: 'http://{{ ansible_hostname }}:6385' + internalurl: 'http://{{ CONTROLLER_HOST_ADDRESS }}:6385' + adminurl: 'http://{{ CONTROLLER_HOST_ADDRESS }}:6385' + region: 'regionOne' + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + + - name: Create postgresql user for Ironic + postgresql_user: + name: "{{ IRONIC_DB_USER }}" + login_host: "{{ CONTROLLER_HOST_ADDRESS }}" + password: "{{ IRONIC_DB_PASSWORD }}" + sudo: yes + sudo_user: ironic + + - name: Create database for Ironic services + postgresql_db: + name: ironic + owner: "{{ IRONIC_DB_USER }}" + login_host: "{{ CONTROLLER_HOST_ADDRESS }}" + sudo: yes + sudo_user: ironic + + - name: Initiate Ironic database + # Use 'upgrade' instead of 'create_schema' to make the operation + # idempotent + shell: | + ironic-dbsync \ + --config-file /etc/ironic/ironic.conf upgrade + sudo: yes + sudo_user: ironic + + - name: Enable and start openstack-ironic services + service: + name: "{{ item }}" + enabled: yes + state: started + with_items: + - openstack-ironic-conductor.service + - openstack-ironic-api.service + + - name: Set owner and group for the tftp root directory + file: + path: "/srv/tftp_root/" + state: directory + owner: ironic + group: ironic + recurse: yes + + - name: Enable and start tftp-hpa + service: + name: tftp-hpa.socket + enabled: yes + state: started diff --git a/old/install-files/openstack/usr/share/openstack/ironic/ironic.conf b/old/install-files/openstack/usr/share/openstack/ironic/ironic.conf new file mode 100644 index 00000000..a5b5d2e3 --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/ironic/ironic.conf @@ -0,0 +1,1568 @@ +[DEFAULT] + +# +# Options defined in oslo.messaging +# + +# ZeroMQ bind address. Should be a wildcard (*), an ethernet +# interface, or IP. The "host" option should point or resolve +# to this address. (string value) +#rpc_zmq_bind_address=* + +# MatchMaker driver. (string value) +#rpc_zmq_matchmaker=oslo_messaging._drivers.matchmaker.MatchMakerLocalhost + +# ZeroMQ receiver listening port. (integer value) +#rpc_zmq_port=9501 + +# Number of ZeroMQ contexts, defaults to 1. (integer value) +#rpc_zmq_contexts=1 + +# Maximum number of ingress messages to locally buffer per +# topic. Default is unlimited. (integer value) +#rpc_zmq_topic_backlog=<None> + +# Directory for holding IPC sockets. (string value) +#rpc_zmq_ipc_dir=/var/run/openstack + +# Name of this node. Must be a valid hostname, FQDN, or IP +# address. Must match "host" option, if running Nova. (string +# value) +#rpc_zmq_host=ironic + +# Seconds to wait before a cast expires (TTL). Only supported +# by impl_zmq. (integer value) +#rpc_cast_timeout=30 + +# Heartbeat frequency. (integer value) +#matchmaker_heartbeat_freq=300 + +# Heartbeat time-to-live. (integer value) +#matchmaker_heartbeat_ttl=600 + +# Size of RPC thread pool. (integer value) +#rpc_thread_pool_size=64 + +# Driver or drivers to handle sending notifications. (multi +# valued) +#notification_driver= + +# AMQP topic used for OpenStack notifications. (list value) +# Deprecated group/name - [rpc_notifier2]/topics +#notification_topics=notifications + +# Seconds to wait for a response from a call. (integer value) +#rpc_response_timeout=60 + +# A URL representing the messaging driver to use and its full +# configuration. If not set, we fall back to the rpc_backend +# option and driver specific configuration. (string value) +#transport_url=<None> + +# The messaging driver to use, defaults to rabbit. Other +# drivers include qpid and zmq. (string value) +#rpc_backend=rabbit + +# The default exchange under which topics are scoped. May be +# overridden by an exchange name specified in the +# transport_url option. (string value) +#control_exchange=openstack + + +# +# Options defined in ironic.netconf +# + +# IP address of this host. (string value) +my_ip = {{ MANAGEMENT_INTERFACE_IP_ADDRESS }} + + +# +# Options defined in ironic.api.app +# + +# Method to use for authentication: noauth or keystone. +# (string value) +#auth_strategy=keystone + +# Enable pecan debug mode. WARNING: this is insecure and +# should not be used in production. (boolean value) +#pecan_debug=false + + +# +# Options defined in ironic.common.driver_factory +# + +# Specify the list of drivers to load during service +# initialization. Missing drivers, or drivers which fail to +# initialize, will prevent the conductor service from +# starting. The option default is a recommended set of +# production-oriented drivers. A complete list of drivers +# present on your system may be found by enumerating the +# "ironic.drivers" entrypoint. An example may be found in the +# developer documentation online. (list value) +enabled_drivers=pxe_ipmitool,pxe_ssh + + +# +# Options defined in ironic.common.exception +# + +# Make exception message format errors fatal. (boolean value) +#fatal_exception_format_errors=false + + +# +# Options defined in ironic.common.hash_ring +# + +# Exponent to determine number of hash partitions to use when +# distributing load across conductors. Larger values will +# result in more even distribution of load and less load when +# rebalancing the ring, but more memory usage. Number of +# partitions per conductor is (2^hash_partition_exponent). +# This determines the granularity of rebalancing: given 10 +# hosts, and an exponent of the 2, there are 40 partitions in +# the ring.A few thousand partitions should make rebalancing +# smooth in most cases. The default is suitable for up to a +# few hundred conductors. Too many partitions has a CPU +# impact. (integer value) +#hash_partition_exponent=5 + +# [Experimental Feature] Number of hosts to map onto each hash +# partition. Setting this to more than one will cause +# additional conductor services to prepare deployment +# environments and potentially allow the Ironic cluster to +# recover more quickly if a conductor instance is terminated. +# (integer value) +#hash_distribution_replicas=1 + + +# +# Options defined in ironic.common.images +# + +# Force backing images to raw format. (boolean value) +#force_raw_images=true + +# Path to isolinux binary file. (string value) +#isolinux_bin=/usr/lib/syslinux/isolinux.bin + +# Template file for isolinux configuration file. (string +# value) +#isolinux_config_template=$pybasedir/common/isolinux_config.template + +# Template file for grub configuration file. (string value) +#grub_config_template=$pybasedir/common/grub_conf.template + + +# +# Options defined in ironic.common.paths +# + +# Directory where the ironic python module is installed. +# (string value) +#pybasedir=/usr/lib/python/site-packages/ironic + +# Directory where ironic binaries are installed. (string +# value) +#bindir=$pybasedir/bin + +# Top-level directory for maintaining ironic's state. (string +# value) +#state_path=$pybasedir + + +# +# Options defined in ironic.common.service +# + +# Seconds between running periodic tasks. (integer value) +#periodic_interval=60 + +# Name of this node. This can be an opaque identifier. It is +# not necessarily a hostname, FQDN, or IP address. However, +# the node name must be valid within an AMQP key, and if using +# ZeroMQ, a valid hostname, FQDN, or IP address. (string +# value) +#host=ironic + + +# +# Options defined in ironic.common.utils +# + +# Path to the rootwrap configuration file to use for running +# commands as root. (string value) +#rootwrap_config=/etc/ironic/rootwrap.conf + +# Explicitly specify the temporary working directory. (string +# value) +#tempdir=<None> + + +# +# Options defined in ironic.drivers.modules.image_cache +# + +# Run image downloads and raw format conversions in parallel. +# (boolean value) +#parallel_image_downloads=false + + +# +# Options defined in ironic.openstack.common.eventlet_backdoor +# + +# Enable eventlet backdoor. Acceptable values are 0, <port>, +# and <start>:<end>, where 0 results in listening on a random +# tcp port number; <port> results in listening on the +# specified port number (and not enabling backdoor if that +# port is in use); and <start>:<end> results in listening on +# the smallest unused port number within the specified range +# of port numbers. The chosen port is displayed in the +# service's log file. (string value) +#backdoor_port=<None> + + +# +# Options defined in ironic.openstack.common.log +# + +# Print debugging output (set logging level to DEBUG instead +# of default WARNING level). (boolean value) +#debug=false + +# Print more verbose output (set logging level to INFO instead +# of default WARNING level). (boolean value) +#verbose=false + +# Log output to standard error. (boolean value) +#use_stderr=true + +# Format string to use for log messages with context. (string +# value) +#logging_context_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s + +# Format string to use for log messages without context. +# (string value) +#logging_default_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s + +# Data to append to log format when level is DEBUG. (string +# value) +#logging_debug_format_suffix=%(funcName)s %(pathname)s:%(lineno)d + +# Prefix each line of exception output with this format. +# (string value) +#logging_exception_prefix=%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s + +# List of logger=LEVEL pairs. (list value) +#default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN + +# Enables or disables publication of error events. (boolean +# value) +#publish_errors=false + +# Enables or disables fatal status of deprecations. (boolean +# value) +#fatal_deprecations=false + +# The format for an instance that is passed with the log +# message. (string value) +#instance_format="[instance: %(uuid)s] " + +# The format for an instance UUID that is passed with the log +# message. (string value) +#instance_uuid_format="[instance: %(uuid)s] " + +# The name of a logging configuration file. This file is +# appended to any existing logging configuration files. For +# details about logging configuration files, see the Python +# logging module documentation. (string value) +# Deprecated group/name - [DEFAULT]/log_config +#log_config_append=<None> + +# DEPRECATED. A logging.Formatter log message format string +# which may use any of the available logging.LogRecord +# attributes. This option is deprecated. Please use +# logging_context_format_string and +# logging_default_format_string instead. (string value) +#log_format=<None> + +# Format string for %%(asctime)s in log records. Default: +# %(default)s . (string value) +#log_date_format=%Y-%m-%d %H:%M:%S + +# (Optional) Name of log file to output to. If no default is +# set, logging will go to stdout. (string value) +# Deprecated group/name - [DEFAULT]/logfile +#log_file=<None> + +# (Optional) The base directory used for relative --log-file +# paths. (string value) +# Deprecated group/name - [DEFAULT]/logdir +#log_dir=<None> + +# Use syslog for logging. Existing syslog format is DEPRECATED +# during I, and will change in J to honor RFC5424. (boolean +# value) +use_syslog=true + +# (Optional) Enables or disables syslog rfc5424 format for +# logging. If enabled, prefixes the MSG part of the syslog +# message with APP-NAME (RFC5424). The format without the APP- +# NAME is deprecated in I, and will be removed in J. (boolean +# value) +#use_syslog_rfc_format=false + +# Syslog facility to receive log lines. (string value) +#syslog_log_facility=LOG_USER + + +# +# Options defined in ironic.openstack.common.periodic_task +# + +# Some periodic tasks can be run in a separate process. Should +# we run them here? (boolean value) +#run_external_periodic_tasks=true + + +# +# Options defined in ironic.openstack.common.versionutils +# + +# Enables or disables fatal status of deprecations. (boolean +# value) +#fatal_deprecations=false + + +[agent] + +# +# Options defined in ironic.drivers.modules.agent +# + +# Additional append parameters for baremetal PXE boot. (string +# value) +#agent_pxe_append_params=nofb nomodeset vga=normal + +# Template file for PXE configuration. (string value) +#agent_pxe_config_template=$pybasedir/drivers/modules/agent_config.template + +# Neutron bootfile DHCP parameter. (string value) +#agent_pxe_bootfile_name=pxelinux.0 + +# Priority to run in-band erase devices via the Ironic Python +# Agent ramdisk. If unset, will use the priority set in the +# ramdisk (defaults to 10 for the GenericHardwareManager). If +# set to 0, will not run during cleaning. (integer value) +#agent_erase_devices_priority=<None> + +# Whether Ironic will manage TFTP files for the deploy +# ramdisks. If set to False, you will need to configure your +# own TFTP server that allows booting the deploy ramdisks. +# (boolean value) +#manage_tftp=true + +# +# Options defined in ironic.drivers.modules.agent_base_vendor +# + +# Maximum interval (in seconds) for agent heartbeats. (integer +# value) +#heartbeat_timeout=300 + + +# +# Options defined in ironic.drivers.modules.agent_client +# + +# API version to use for communicating with the ramdisk agent. +# (string value) +#agent_api_version=v1 + + +[amt] + +# +# Options defined in ironic.drivers.modules.amt.common +# + +# Protocol used for AMT endpoint, support http/https (string +# value) +#protocol=http + + +# +# Options defined in ironic.drivers.modules.amt.power +# + +# Maximum number of times to attempt an AMT operation, before +# failing (integer value) +#max_attempts=3 + +# Amount of time (in seconds) to wait, before retrying an AMT +# operation (integer value) +#action_wait=10 + + +[api] + +# +# Options defined in ironic.api +# + +# The listen IP for the Ironic API server. (string value) +#host_ip=0.0.0.0 + +# The port for the Ironic API server. (integer value) +#port=6385 + +# The maximum number of items returned in a single response +# from a collection resource. (integer value) +#max_limit=1000 + + +[conductor] + +# +# Options defined in ironic.conductor.manager +# + +# URL of Ironic API service. If not set ironic can get the +# current value from the keystone service catalog. (string +# value) +api_url = http://{{ MANAGEMENT_INTERFACE_IP_ADDRESS }}:6385 + +# Seconds between conductor heart beats. (integer value) +#heartbeat_interval=10 + +# Maximum time (in seconds) since the last check-in of a +# conductor. (integer value) +#heartbeat_timeout=60 + +# Interval between syncing the node power state to the +# database, in seconds. (integer value) +#sync_power_state_interval=60 + +# Interval between checks of provision timeouts, in seconds. +# (integer value) +#check_provision_state_interval=60 + +# Timeout (seconds) for waiting callback from deploy ramdisk. +# 0 - unlimited. (integer value) +#deploy_callback_timeout=1800 + +# During sync_power_state, should the hardware power state be +# set to the state recorded in the database (True) or should +# the database be updated based on the hardware state (False). +# (boolean value) +#force_power_state_during_sync=true + +# During sync_power_state failures, limit the number of times +# Ironic should try syncing the hardware node power state with +# the node power state in DB (integer value) +#power_state_sync_max_retries=3 + +# Maximum number of worker threads that can be started +# simultaneously by a periodic task. Should be less than RPC +# thread pool size. (integer value) +#periodic_max_workers=8 + +# The size of the workers greenthread pool. (integer value) +#workers_pool_size=100 + +# Number of attempts to grab a node lock. (integer value) +#node_locked_retry_attempts=3 + +# Seconds to sleep between node lock attempts. (integer value) +#node_locked_retry_interval=1 + +# Enable sending sensor data message via the notification bus +# (boolean value) +#send_sensor_data=false + +# Seconds between conductor sending sensor data message to +# ceilometer via the notification bus. (integer value) +#send_sensor_data_interval=600 + +# List of comma separated metric types which need to be sent +# to Ceilometer. The default value, "ALL", is a special value +# meaning send all the sensor data. (list value) +#send_sensor_data_types=ALL + +# When conductors join or leave the cluster, existing +# conductors may need to update any persistent local state as +# nodes are moved around the cluster. This option controls how +# often, in seconds, each conductor will check for nodes that +# it should "take over". Set it to a negative value to disable +# the check entirely. (integer value) +#sync_local_state_interval=180 + +# Whether to upload the config drive to Swift. (boolean value) +#configdrive_use_swift=false + +# Name of the Swift container to store config drive data. Used +# when configdrive_use_swift is True. (string value) +#configdrive_swift_container=ironic_configdrive_container + +# Timeout (seconds) for waiting for node inspection. 0 - +# unlimited. (integer value) +#inspect_timeout=1800 + +# Cleaning is a configurable set of steps, such as erasing +# disk drives, that are performed on the node to ensure it is +# in a baseline state and ready to be deployed to. This is +# done after instance deletion, and during the transition from +# a "managed" to "available" state. When enabled, the +# particular steps performed to clean a node depend on which +# driver that node is managed by; see the individual driver's +# documentation for details. NOTE: The introduction of the +# cleaning operation causes instance deletion to take +# significantly longer. In an environment where all tenants +# are trusted (eg, because there is only one tenant), this +# option could be safely disabled. (boolean value) +#clean_nodes=true + + +[console] + +# +# Options defined in ironic.drivers.modules.console_utils +# + +# Path to serial console terminal program (string value) +#terminal=shellinaboxd + +# Directory containing the terminal SSL cert(PEM) for serial +# console access (string value) +#terminal_cert_dir=<None> + +# Directory for holding terminal pid files. If not specified, +# the temporary directory will be used. (string value) +#terminal_pid_dir=<None> + +# Time interval (in seconds) for checking the status of +# console subprocess. (integer value) +#subprocess_checking_interval=1 + +# Time (in seconds) to wait for the console subprocess to +# start. (integer value) +#subprocess_timeout=10 + + +[database] + +# +# Options defined in oslo.db +# + +# The file name to use with SQLite. (string value) +#sqlite_db=oslo.sqlite + +# If True, SQLite uses synchronous mode. (boolean value) +#sqlite_synchronous=true + +# The back end to use for the database. (string value) +# Deprecated group/name - [DEFAULT]/db_backend +#backend=sqlalchemy + +# The SQLAlchemy connection string to use to connect to the +# database. (string value) +# Deprecated group/name - [DEFAULT]/sql_connection +# Deprecated group/name - [DATABASE]/sql_connection +# Deprecated group/name - [sql]/connection +connection = postgresql://{{ IRONIC_DB_USER}}:{{ IRONIC_DB_PASSWORD }}@{{ CONTROLLER_HOST_ADDRESS }}/ironic + +# The SQLAlchemy connection string to use to connect to the +# slave database. (string value) +#slave_connection=<None> + +# The SQL mode to be used for MySQL sessions. This option, +# including the default, overrides any server-set SQL mode. To +# use whatever SQL mode is set by the server configuration, +# set this to no value. Example: mysql_sql_mode= (string +# value) +#mysql_sql_mode=TRADITIONAL + +# Timeout before idle SQL connections are reaped. (integer +# value) +# Deprecated group/name - [DEFAULT]/sql_idle_timeout +# Deprecated group/name - [DATABASE]/sql_idle_timeout +# Deprecated group/name - [sql]/idle_timeout +#idle_timeout=3600 + +# Minimum number of SQL connections to keep open in a pool. +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_min_pool_size +# Deprecated group/name - [DATABASE]/sql_min_pool_size +#min_pool_size=1 + +# Maximum number of SQL connections to keep open in a pool. +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_pool_size +# Deprecated group/name - [DATABASE]/sql_max_pool_size +#max_pool_size=<None> + +# Maximum number of database connection retries during +# startup. Set to -1 to specify an infinite retry count. +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_retries +# Deprecated group/name - [DATABASE]/sql_max_retries +#max_retries=10 + +# Interval between retries of opening a SQL connection. +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_retry_interval +# Deprecated group/name - [DATABASE]/reconnect_interval +#retry_interval=10 + +# If set, use this value for max_overflow with SQLAlchemy. +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_overflow +# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow +#max_overflow=<None> + +# Verbosity of SQL debugging information: 0=None, +# 100=Everything. (integer value) +# Deprecated group/name - [DEFAULT]/sql_connection_debug +#connection_debug=0 + +# Add Python stack traces to SQL as comment strings. (boolean +# value) +# Deprecated group/name - [DEFAULT]/sql_connection_trace +#connection_trace=false + +# If set, use this value for pool_timeout with SQLAlchemy. +# (integer value) +# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout +#pool_timeout=<None> + +# Enable the experimental use of database reconnect on +# connection lost. (boolean value) +#use_db_reconnect=false + +# Seconds between retries of a database transaction. (integer +# value) +#db_retry_interval=1 + +# If True, increases the interval between retries of a +# database operation up to db_max_retry_interval. (boolean +# value) +#db_inc_retry_interval=true + +# If db_inc_retry_interval is set, the maximum seconds between +# retries of a database operation. (integer value) +#db_max_retry_interval=10 + +# Maximum retries in case of connection error or deadlock +# error before error is raised. Set to -1 to specify an +# infinite retry count. (integer value) +#db_max_retries=20 + + +# +# Options defined in ironic.db.sqlalchemy.models +# + +# MySQL engine to use. (string value) +#mysql_engine=InnoDB + + +[deploy] + +# +# Options defined in ironic.drivers.modules.deploy_utils +# + +# Size of EFI system partition in MiB when configuring UEFI +# systems for local boot. (integer value) +#efi_system_partition_size=200 + +# Block size to use when writing to the nodes disk. (string +# value) +#dd_block_size=1M + +# Maximum attempts to verify an iSCSI connection is active, +# sleeping 1 second between attempts. (integer value) +#iscsi_verify_attempts=3 + + +[dhcp] + +# +# Options defined in ironic.common.dhcp_factory +# + +# DHCP provider to use. "neutron" uses Neutron, and "none" +# uses a no-op provider. (string value) +#dhcp_provider=neutron + + +[discoverd] + +# +# Options defined in ironic.drivers.modules.discoverd +# + +# whether to enable inspection using ironic-discoverd (boolean +# value) +#enabled=false + +# ironic-discoverd HTTP endpoint. If this is not set, the +# ironic-discoverd client default (http://127.0.0.1:5050) will +# be used. (string value) +#service_url=<None> + +# period (in seconds) to check status of nodes on inspection +# (integer value) +#status_check_period=60 + + +[disk_partitioner] + +# +# Options defined in ironic.common.disk_partitioner +# + +# After Ironic has completed creating the partition table, it +# continues to check for activity on the attached iSCSI device +# status at this interval prior to copying the image to the +# node, in seconds (integer value) +#check_device_interval=1 + +# The maximum number of times to check that the device is not +# accessed by another process. If the device is still busy +# after that, the disk partitioning will be treated as having +# failed. (integer value) +#check_device_max_retries=20 + + +[glance] + +# +# Options defined in ironic.common.glance_service.v2.image_service +# + +# A list of URL schemes that can be downloaded directly via +# the direct_url. Currently supported schemes: [file]. (list +# value) +#allowed_direct_url_schemes= + +# The secret token given to Swift to allow temporary URL +# downloads. Required for temporary URLs. (string value) +#swift_temp_url_key=<None> + +# The length of time in seconds that the temporary URL will be +# valid for. Defaults to 20 minutes. If some deploys get a 401 +# response code when trying to download from the temporary +# URL, try raising this duration. (integer value) +#swift_temp_url_duration=1200 + +# The "endpoint" (scheme, hostname, optional port) for the +# Swift URL of the form +# "endpoint_url/api_version/account/container/object_id". Do +# not include trailing "/". For example, use +# "https://swift.example.com". Required for temporary URLs. +# (string value) +#swift_endpoint_url=<None> + +# The Swift API version to create a temporary URL for. +# Defaults to "v1". Swift temporary URL format: +# "endpoint_url/api_version/account/container/object_id" +# (string value) +#swift_api_version=v1 + +# The account that Glance uses to communicate with Swift. The +# format is "AUTH_uuid". "uuid" is the UUID for the account +# configured in the glance-api.conf. Required for temporary +# URLs. For example: +# "AUTH_a422b2-91f3-2f46-74b7-d7c9e8958f5d30". Swift temporary +# URL format: +# "endpoint_url/api_version/account/container/object_id" +# (string value) +#swift_account=<None> + +# The Swift container Glance is configured to store its images +# in. Defaults to "glance", which is the default in glance- +# api.conf. Swift temporary URL format: +# "endpoint_url/api_version/account/container/object_id" +# (string value) +#swift_container=glance + +# This should match a config by the same name in the Glance +# configuration file. When set to 0, a single-tenant store +# will only use one container to store all images. When set to +# an integer value between 1 and 32, a single-tenant store +# will use multiple containers to store images, and this value +# will determine how many containers are created. (integer +# value) +#swift_store_multiple_containers_seed=0 + + +# +# Options defined in ironic.common.image_service +# + +# Default glance hostname or IP address. (string value) +glance_host = {{ CONTROLLER_HOST_ADDRESS }} + +# Default glance port. (integer value) +#glance_port=9292 + +# Default protocol to use when connecting to glance. Set to +# https for SSL. (string value) +#glance_protocol=http + +# A list of the glance api servers available to ironic. Prefix +# with https:// for SSL-based glance API servers. Format is +# [hostname|IP]:port. (list value) +#glance_api_servers=<None> + +# Allow to perform insecure SSL (https) requests to glance. +# (boolean value) +#glance_api_insecure=false + +# Number of retries when downloading an image from glance. +# (integer value) +#glance_num_retries=0 + +# Authentication strategy to use when connecting to glance. +# Only "keystone" and "noauth" are currently supported by +# ironic. (string value) +#auth_strategy=keystone + + +[ilo] + +# +# Options defined in ironic.drivers.modules.ilo.common +# + +# Timeout (in seconds) for iLO operations (integer value) +#client_timeout=60 + +# Port to be used for iLO operations (integer value) +#client_port=443 + +# The Swift iLO container to store data. (string value) +#swift_ilo_container=ironic_ilo_container + +# Amount of time in seconds for Swift objects to auto-expire. +# (integer value) +#swift_object_expiry_timeout=900 + + +# +# Options defined in ironic.drivers.modules.ilo.deploy +# + +# Priority for erase devices clean step. If unset, it defaults +# to 10. If set to 0, the step will be disabled and will not +# run during cleaning. (integer value) +#clean_priority_erase_devices=<None> + + +# +# Options defined in ironic.drivers.modules.ilo.management +# + +# Priority for reset_ilo clean step. (integer value) +#clean_priority_reset_ilo=1 + +# Priority for reset_bios_to_default clean step. (integer +# value) +#clean_priority_reset_bios_to_default=10 + +# Priority for reset_secure_boot_keys clean step. This step +# will reset the secure boot keys to manufacturing defaults. +# (integer value) +#clean_priority_reset_secure_boot_keys_to_default=20 + +# Priority for clear_secure_boot_keys clean step. This step is +# not enabled by default. It can be enabled to to clear all +# secure boot keys enrolled with iLO. (integer value) +#clean_priority_clear_secure_boot_keys=0 + +# Priority for reset_ilo_credential clean step. This step +# requires "ilo_change_password" parameter to be updated in +# nodes's driver_info with the new password. (integer value) +#clean_priority_reset_ilo_credential=30 + + +# +# Options defined in ironic.drivers.modules.ilo.power +# + +# Number of times a power operation needs to be retried +# (integer value) +#power_retry=6 + +# Amount of time in seconds to wait in between power +# operations (integer value) +#power_wait=2 + + +[ipmi] + +# +# Options defined in ironic.drivers.modules.ipminative +# + +# Maximum time in seconds to retry IPMI operations. There is a +# tradeoff when setting this value. Setting this too low may +# cause older BMCs to crash and require a hard reset. However, +# setting too high can cause the sync power state periodic +# task to hang when there are slow or unresponsive BMCs. +# (integer value) +#retry_timeout=60 + +# Minimum time, in seconds, between IPMI operations sent to a +# server. There is a risk with some hardware that setting this +# too low may cause the BMC to crash. Recommended setting is 5 +# seconds. (integer value) +#min_command_interval=5 + + +[irmc] + +# +# Options defined in ironic.drivers.modules.irmc.common +# + +# Port to be used for iRMC operations, either 80 or 443 +# (integer value) +#port=443 + +# Authentication method to be used for iRMC operations, either +# "basic" or "digest" (string value) +#auth_method=basic + +# Timeout (in seconds) for iRMC operations (integer value) +#client_timeout=60 + +# Sensor data retrieval method, either "ipmitool" or "scci" +# (string value) +#sensor_method=ipmitool + + +[keystone] + +# +# Options defined in ironic.common.keystone +# + +# The region used for getting endpoints of OpenStackservices. +# (string value) +#region_name=<None> + + +[keystone_authtoken] + +# +# Options defined in keystonemiddleware.auth_token +# + +# Complete public Identity API endpoint. (string value) +auth_uri = http://{{ CONTROLLER_HOST_ADDRESS }}:5000/v2.0 + +# API version of the admin Identity API endpoint. (string +# value) +#auth_version=<None> + +# Do not handle authorization requests within the middleware, +# but delegate the authorization decision to downstream WSGI +# components. (boolean value) +#delay_auth_decision=false + +# Request timeout value for communicating with Identity API +# server. (integer value) +#http_connect_timeout=<None> + +# How many times are we trying to reconnect when communicating +# with Identity API Server. (integer value) +#http_request_max_retries=3 + +# Env key for the swift cache. (string value) +#cache=<None> + +# Required if identity server requires client certificate +# (string value) +#certfile=<None> + +# Required if identity server requires client certificate +# (string value) +#keyfile=<None> + +# A PEM encoded Certificate Authority to use when verifying +# HTTPs connections. Defaults to system CAs. (string value) +#cafile=<None> + +# Verify HTTPS connections. (boolean value) +#insecure=false + +# Directory used to cache files related to PKI tokens. (string +# value) +#signing_dir=<None> + +# Optionally specify a list of memcached server(s) to use for +# caching. If left undefined, tokens will instead be cached +# in-process. (list value) +# Deprecated group/name - [DEFAULT]/memcache_servers +#memcached_servers=<None> + +# In order to prevent excessive effort spent validating +# tokens, the middleware caches previously-seen tokens for a +# configurable duration (in seconds). Set to -1 to disable +# caching completely. (integer value) +#token_cache_time=300 + +# Determines the frequency at which the list of revoked tokens +# is retrieved from the Identity service (in seconds). A high +# number of revocation events combined with a low cache +# duration may significantly reduce performance. (integer +# value) +#revocation_cache_time=10 + +# (Optional) If defined, indicate whether token data should be +# authenticated or authenticated and encrypted. Acceptable +# values are MAC or ENCRYPT. If MAC, token data is +# authenticated (with HMAC) in the cache. If ENCRYPT, token +# data is encrypted and authenticated in the cache. If the +# value is not one of these options or empty, auth_token will +# raise an exception on initialization. (string value) +#memcache_security_strategy=<None> + +# (Optional, mandatory if memcache_security_strategy is +# defined) This string is used for key derivation. (string +# value) +#memcache_secret_key=<None> + +# (Optional) Number of seconds memcached server is considered +# dead before it is tried again. (integer value) +#memcache_pool_dead_retry=300 + +# (Optional) Maximum total number of open connections to every +# memcached server. (integer value) +#memcache_pool_maxsize=10 + +# (Optional) Socket timeout in seconds for communicating with +# a memcache server. (integer value) +#memcache_pool_socket_timeout=3 + +# (Optional) Number of seconds a connection to memcached is +# held unused in the pool before it is closed. (integer value) +#memcache_pool_unused_timeout=60 + +# (Optional) Number of seconds that an operation will wait to +# get a memcache client connection from the pool. (integer +# value) +#memcache_pool_conn_get_timeout=10 + +# (Optional) Use the advanced (eventlet safe) memcache client +# pool. The advanced pool will only work under python 2.x. +# (boolean value) +#memcache_use_advanced_pool=false + +# (Optional) Indicate whether to set the X-Service-Catalog +# header. If False, middleware will not ask for service +# catalog on token validation and will not set the X-Service- +# Catalog header. (boolean value) +#include_service_catalog=true + +# Used to control the use and type of token binding. Can be +# set to: "disabled" to not check token binding. "permissive" +# (default) to validate binding information if the bind type +# is of a form known to the server and ignore it if not. +# "strict" like "permissive" but if the bind type is unknown +# the token will be rejected. "required" any form of token +# binding is needed to be allowed. Finally the name of a +# binding method that must be present in tokens. (string +# value) +#enforce_token_bind=permissive + +# If true, the revocation list will be checked for cached +# tokens. This requires that PKI tokens are configured on the +# identity server. (boolean value) +#check_revocations_for_cached=false + +# Hash algorithms to use for hashing PKI tokens. This may be a +# single algorithm or multiple. The algorithms are those +# supported by Python standard hashlib.new(). The hashes will +# be tried in the order given, so put the preferred one first +# for performance. The result of the first hash will be stored +# in the cache. This will typically be set to multiple values +# only while migrating from a less secure algorithm to a more +# secure one. Once all the old tokens are expired this option +# should be set to a single value for better performance. +# (list value) +#hash_algorithms=md5 + +# Prefix to prepend at the beginning of the path. Deprecated, +# use identity_uri. (string value) +#auth_admin_prefix= + +# Host providing the admin Identity API endpoint. Deprecated, +# use identity_uri. (string value) +#auth_host=127.0.0.1 + +# Port of the admin Identity API endpoint. Deprecated, use +# identity_uri. (integer value) +#auth_port=35357 + +# Protocol of the admin Identity API endpoint (http or https). +# Deprecated, use identity_uri. (string value) +#auth_protocol=https + +# Complete admin Identity API endpoint. This should specify +# the unversioned root endpoint e.g. https://localhost:35357/ +# (string value) +identity_uri = http://{{ CONTROLLER_HOST_ADDRESS }}:35357 + +# This option is deprecated and may be removed in a future +# release. Single shared secret with the Keystone +# configuration used for bootstrapping a Keystone +# installation, or otherwise bypassing the normal +# authentication process. This option should not be used, use +# `admin_user` and `admin_password` instead. (string value) +#admin_token=<None> + +# Service username. (string value) +admin_user = {{ IRONIC_SERVICE_USER }} + +# Service user password. (string value) +admin_password = {{ IRONIC_SERVICE_PASSWORD }} + +# Service tenant name. (string value) +admin_tenant_name=service + + +[matchmaker_redis] + +# +# Options defined in oslo.messaging +# + +# Host to locate redis. (string value) +#host=127.0.0.1 + +# Use this port to connect to redis host. (integer value) +#port=6379 + +# Password for Redis server (optional). (string value) +#password=<None> + + +[matchmaker_ring] + +# +# Options defined in oslo.messaging +# + +# Matchmaker ring file (JSON). (string value) +# Deprecated group/name - [DEFAULT]/matchmaker_ringfile +#ringfile=/etc/oslo/matchmaker_ring.json + + +[neutron] + +# +# Options defined in ironic.dhcp.neutron +# + +# URL for connecting to neutron. (string value) +url = http://{{ CONTROLLER_HOST_ADDRESS }}:9696 + +# Timeout value for connecting to neutron in seconds. (integer +# value) +#url_timeout=30 + +# Client retries in the case of a failed request. (integer +# value) +#retries=3 + +# Default authentication strategy to use when connecting to +# neutron. Can be either "keystone" or "noauth". Running +# neutron in noauth mode (related to but not affected by this +# setting) is insecure and should only be used for testing. +# (string value) +#auth_strategy=keystone + +# UUID of the network to create Neutron ports on when booting +# to a ramdisk for cleaning/zapping using Neutron DHCP (string +# value) +#cleaning_network_uuid=<None> + + +[oslo_concurrency] + +# +# Options defined in oslo.concurrency +# + +# Enables or disables inter-process locks. (boolean value) +#disable_process_locking=false + +# Directory to use for lock files. For security, the +# specified directory should only be writable by the user +# running the processes that need locking. Defaults to +# environment variable OSLO_LOCK_PATH. If external locks are +# used, a lock path must be set. (string value) +#lock_path=<None> + + +[oslo_messaging_amqp] + +# +# Options defined in oslo.messaging +# + +# address prefix used when sending to a specific server +# (string value) +#server_request_prefix=exclusive + +# address prefix used when broadcasting to all servers (string +# value) +#broadcast_prefix=broadcast + +# address prefix when sending to any server in group (string +# value) +#group_request_prefix=unicast + +# Name for the AMQP container (string value) +#container_name=<None> + +# Timeout for inactive connections (in seconds) (integer +# value) +#idle_timeout=0 + +# Debug: dump AMQP frames to stdout (boolean value) +#trace=false + +# CA certificate PEM file for verifing server certificate +# (string value) +#ssl_ca_file= + +# Identifying certificate PEM file to present to clients +# (string value) +#ssl_cert_file= + +# Private key PEM file used to sign cert_file certificate +# (string value) +#ssl_key_file= + +# Password for decrypting ssl_key_file (if encrypted) (string +# value) +#ssl_key_password=<None> + +# Accept clients using either SSL or plain TCP (boolean value) +#allow_insecure_clients=false + + +[oslo_messaging_qpid] + +# +# Options defined in oslo.messaging +# + +# Use durable queues in AMQP. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_durable_queues +#amqp_durable_queues=false + +# Auto-delete queues in AMQP. (boolean value) +#amqp_auto_delete=false + +# Size of RPC connection pool. (integer value) +#rpc_conn_pool_size=30 + +# Qpid broker hostname. (string value) +#qpid_hostname=localhost + +# Qpid broker port. (integer value) +#qpid_port=5672 + +# Qpid HA cluster host:port pairs. (list value) +#qpid_hosts=$qpid_hostname:$qpid_port + +# Username for Qpid connection. (string value) +#qpid_username= + +# Password for Qpid connection. (string value) +#qpid_password= + +# Space separated list of SASL mechanisms to use for auth. +# (string value) +#qpid_sasl_mechanisms= + +# Seconds between connection keepalive heartbeats. (integer +# value) +#qpid_heartbeat=60 + +# Transport to use, either 'tcp' or 'ssl'. (string value) +#qpid_protocol=tcp + +# Whether to disable the Nagle algorithm. (boolean value) +#qpid_tcp_nodelay=true + +# The number of prefetched messages held by receiver. (integer +# value) +#qpid_receiver_capacity=1 + +# The qpid topology version to use. Version 1 is what was +# originally used by impl_qpid. Version 2 includes some +# backwards-incompatible changes that allow broker federation +# to work. Users should update to version 2 when they are +# able to take everything down, as it requires a clean break. +# (integer value) +#qpid_topology_version=1 + + +[oslo_messaging_rabbit] + +# +# Options defined in oslo.messaging +# + +# Use durable queues in AMQP. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_durable_queues +#amqp_durable_queues=false + +# Auto-delete queues in AMQP. (boolean value) +#amqp_auto_delete=false + +# Size of RPC connection pool. (integer value) +#rpc_conn_pool_size=30 + +# SSL version to use (valid only if SSL enabled). Valid values +# are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may +# be available on some distributions. (string value) +#kombu_ssl_version= + +# SSL key file (valid only if SSL enabled). (string value) +#kombu_ssl_keyfile= + +# SSL cert file (valid only if SSL enabled). (string value) +#kombu_ssl_certfile= + +# SSL certification authority file (valid only if SSL +# enabled). (string value) +#kombu_ssl_ca_certs= + +# How long to wait before reconnecting in response to an AMQP +# consumer cancel notification. (floating point value) +#kombu_reconnect_delay=1.0 + +# The RabbitMQ broker address where a single node is used. +# (string value) +rabbit_host = {{ RABBITMQ_HOST }} + +# The RabbitMQ broker port where a single node is used. +# (integer value) +rabbit_port = {{ RABBITMQ_PORT }} + +# RabbitMQ HA cluster host:port pairs. (list value) +#rabbit_hosts=$rabbit_host:$rabbit_port + +# Connect over SSL for RabbitMQ. (boolean value) +#rabbit_use_ssl=false + +# The RabbitMQ userid. (string value) +rabbit_userid = {{ RABBITMQ_USER }} + +# The RabbitMQ password. (string value) +rabbit_password = {{ RABBITMQ_PASSWORD }} + +# The RabbitMQ login method. (string value) +#rabbit_login_method=AMQPLAIN + +# The RabbitMQ virtual host. (string value) +#rabbit_virtual_host=/ + +# How frequently to retry connecting with RabbitMQ. (integer +# value) +#rabbit_retry_interval=1 + +# How long to backoff for between retries when connecting to +# RabbitMQ. (integer value) +#rabbit_retry_backoff=2 + +# Maximum number of RabbitMQ connection retries. Default is 0 +# (infinite retry count). (integer value) +#rabbit_max_retries=0 + +# Use HA queues in RabbitMQ (x-ha-policy: all). If you change +# this option, you must wipe the RabbitMQ database. (boolean +# value) +#rabbit_ha_queues=false + +# Number of seconds after which the Rabbit broker is +# considered down if heartbeat's keep-alive fails (0 disable +# the heartbeat). (integer value) +#heartbeat_timeout_threshold=60 + +# How often times during the heartbeat_timeout_threshold we +# check the heartbeat. (integer value) +#heartbeat_rate=2 + +# Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake +# (boolean value) +#fake_rabbit=false + + +[oslo_policy] + +# +# Options defined in oslo.policy +# + +# The JSON file that defines policies. (string value) +#policy_file=policy.json + +# Default rule. Enforced when a requested rule is not found. +# (string value) +#policy_default_rule=default + +# Directories where policy configuration files are stored. +# They can be relative to any directory in the search path +# defined by the config_dir option, or absolute paths. The +# file defined by policy_file must exist for these directories +# to be searched. Missing or empty directories are ignored. +# (multi valued) +#policy_dirs=policy.d + + +[pxe] + +# +# Options defined in ironic.drivers.modules.iscsi_deploy +# + +# Additional append parameters for baremetal PXE boot. (string +# value) +#pxe_append_params=nofb nomodeset vga=normal + +# Default file system format for ephemeral partition, if one +# is created. (string value) +#default_ephemeral_format=ext4 + +# Directory where images are stored on disk. (string value) +#images_path=/var/lib/ironic/images/ + +# Directory where master instance images are stored on disk. +# (string value) +#instance_master_path=/var/lib/ironic/master_images + +# Maximum size (in MiB) of cache for master images, including +# those in use. (integer value) +#image_cache_size=20480 + +# Maximum TTL (in minutes) for old master images in cache. +# (integer value) +#image_cache_ttl=10080 + +# The disk devices to scan while doing the deploy. (string +# value) +#disk_devices=cciss/c0d0,sda,hda,vda + + +# +# Options defined in ironic.drivers.modules.pxe +# + +# Template file for PXE configuration. (string value) +#pxe_config_template=$pybasedir/drivers/modules/pxe_config.template + +# Template file for PXE configuration for UEFI boot loader. +# (string value) +#uefi_pxe_config_template=$pybasedir/drivers/modules/elilo_efi_pxe_config.template + +# IP address of Ironic compute node's tftp server. (string +# value) +#tftp_server=$my_ip + +# Ironic compute node's tftp root path. (string value) +tftp_root=/srv/tftp_root/ + +# Directory where master tftp images are stored on disk. +# (string value) +tftp_master_path=/srv/tftp_root/master_images + +# Bootfile DHCP parameter. (string value) +#pxe_bootfile_name=pxelinux.0 + +# Bootfile DHCP parameter for UEFI boot mode. (string value) +#uefi_pxe_bootfile_name=elilo.efi + +# Ironic compute node's HTTP server URL. Example: +# http://192.1.2.3:8080 (string value) +#http_url=<None> + +# Ironic compute node's HTTP root path. (string value) +#http_root=/httpboot + +# Enable iPXE boot. (boolean value) +#ipxe_enabled=false + +# The path to the main iPXE script file. (string value) +#ipxe_boot_script=$pybasedir/drivers/modules/boot.ipxe + + +[seamicro] + +# +# Options defined in ironic.drivers.modules.seamicro +# + +# Maximum retries for SeaMicro operations (integer value) +#max_retry=3 + +# Seconds to wait for power action to be completed (integer +# value) +#action_timeout=10 + + +[snmp] + +# +# Options defined in ironic.drivers.modules.snmp +# + +# Seconds to wait for power action to be completed (integer +# value) +#power_timeout=10 + + +[ssh] + +# +# Options defined in ironic.drivers.modules.ssh +# + +# libvirt uri (string value) +#libvirt_uri=qemu:///system + + +[swift] + +# +# Options defined in ironic.common.swift +# + +# Maximum number of times to retry a Swift request, before +# failing. (integer value) +#swift_max_retries=2 + + +[virtualbox] + +# +# Options defined in ironic.drivers.modules.virtualbox +# + +# Port on which VirtualBox web service is listening. (integer +# value) +#port=18083 + + diff --git a/old/install-files/openstack/usr/share/openstack/iscsi.yml b/old/install-files/openstack/usr/share/openstack/iscsi.yml new file mode 100644 index 00000000..b80377ae --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/iscsi.yml @@ -0,0 +1,15 @@ +--- +- hosts: localhost + tasks: + - name: Update kernel module dependencies + command: depmod -a + + - name: generate InitiatorName for iscsi + shell: iscsi-iname + register: initiator_name + + - lineinfile: + dest: /etc/iscsi/initiatorname.iscsi + regexp: '^InitiatorName=$' + line: 'InitiatorName={{ initiator_name.stdout }}' + backrefs: yes diff --git a/old/install-files/openstack/usr/share/openstack/keystone.yml b/old/install-files/openstack/usr/share/openstack/keystone.yml new file mode 100644 index 00000000..2fae4e98 --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/keystone.yml @@ -0,0 +1,142 @@ +--- +- hosts: localhost + vars_files: + - "/etc/openstack/keystone.conf" + tasks: + + # RabbitMQ configuration, this may end up in a different playbook + - name: Create rabbitmq user + user: + name: rabbitmq + comment: Rabbitmq server daemon + shell: /sbin/nologin + home: /var/lib/rabbitmq + + - name: Create the rabbitmq directories + file: + path: "{{ item }}" + state: directory + owner: rabbitmq + group: rabbitmq + with_items: + - /var/run/rabbitmq + - /var/log/rabbitmq + - /etc/rabbitmq + + - name: Add the configuration needed for rabbitmq in /etc/rabbitmq using templates + template: + src: /usr/share/openstack/rabbitmq/{{ item }} + dest: /etc/rabbitmq/{{ item }} + owner: rabbitmq + group: rabbitmq + mode: 0644 + with_items: + - rabbitmq.config + - rabbitmq-env.conf + + - name: Enable and start rabbitmq services + service: + name: "{{ item }}" + enabled: yes + state: started + with_items: + - rabbitmq-server + + # Keystone configuration + - name: Create the keystone user. + user: + name: keystone + comment: Openstack Keystone Daemons + shell: /sbin/nologin + home: /var/lib/keystone + + - name: Create the /var folders for keystone + file: + path: "{{ item }}" + state: directory + owner: keystone + group: keystone + with_items: + - /var/run/keystone + - /var/lock/keystone + - /var/log/keystone + - /var/lib/keystone + + - name: Create /etc/keystone directory + file: + path: /etc/keystone + state: directory + + - name: Add the configuration needed for keystone in /etc using templates + template: + src: /usr/share/openstack/keystone/{{ item }} + dest: /etc/keystone/{{ item }} + with_lines: + - cd /usr/share/openstack/keystone && find -type f + + - name: Create postgresql user for keystone + postgresql_user: + name: "{{ KEYSTONE_DB_USER }}" + password: "{{ KEYSTONE_DB_PASSWORD }}" + sudo: yes + sudo_user: keystone + + - name: Create database for keystone services + postgresql_db: + name: keystone + owner: "{{ KEYSTONE_DB_USER }}" + sudo: yes + sudo_user: keystone + + - name: Initiate keystone database + command: keystone-manage db_sync + sudo: yes + sudo_user: keystone + + - name: Enable and start openstack-keystone service + service: + name: openstack-keystone.service + enabled: yes + state: started + + - name: Create admin tenant + keystone_user: + tenant: admin + tenant_description: Admin Tenant + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + endpoint: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 + + - name: Create admin user for the admin tenant + keystone_user: + user: admin + tenant: admin + password: "{{ KEYSTONE_ADMIN_PASSWORD }}" + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + endpoint: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 + + - name: Create admin role for admin user in the admin tenant + keystone_user: + role: admin + user: admin + tenant: admin + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + endpoint: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 + + - name: Create service tenant + keystone_user: + tenant: service + tenant_description: Service Tenant + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + endpoint: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 + + - name: Add keystone endpoint + keystone_service: + name: keystone + type: identity + description: Keystone Identity Service + publicurl: http://{{ ansible_hostname }}:5000/v2.0 + internalurl: http://{{ CONTROLLER_HOST_ADDRESS }}:5000/v2.0 + adminurl: http://{{ ansible_hostname }}:35357/v2.0 + region: regionOne + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + endpoint: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 diff --git a/old/install-files/openstack/usr/share/openstack/keystone/keystone.conf b/old/install-files/openstack/usr/share/openstack/keystone/keystone.conf new file mode 100644 index 00000000..1a082601 --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/keystone/keystone.conf @@ -0,0 +1,1733 @@ +[DEFAULT] + +# +# From keystone +# + +# A "shared secret" that can be used to bootstrap Keystone. This "token" does +# not represent a user, and carries no explicit authorization. To disable in +# production (highly recommended), remove AdminTokenAuthMiddleware from your +# paste application pipelines (for example, in keystone-paste.ini). (string +# value) +admin_token = {{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }} + +# (Deprecated) The port which the OpenStack Compute service listens on. This +# option was only used for string replacement in the templated catalog backend. +# Templated catalogs should replace the "$(compute_port)s" substitution with +# the static port of the compute service. As of Juno, this option is deprecated +# and will be removed in the L release. (integer value) +#compute_port = 8774 + +# The base public endpoint URL for Keystone that is advertised to clients +# (NOTE: this does NOT affect how Keystone listens for connections). Defaults +# to the base host URL of the request. E.g. a request to +# http://server:5000/v3/users will default to http://server:5000. You should +# only need to set this value if the base URL contains a path (e.g. /prefix/v3) +# or the endpoint should be found on a different server. (string value) +#public_endpoint = <None> + +# The base admin endpoint URL for Keystone that is advertised to clients (NOTE: +# this does NOT affect how Keystone listens for connections). Defaults to the +# base host URL of the request. E.g. a request to http://server:35357/v3/users +# will default to http://server:35357. You should only need to set this value +# if the base URL contains a path (e.g. /prefix/v3) or the endpoint should be +# found on a different server. (string value) +#admin_endpoint = <None> + +# Maximum depth of the project hierarchy. WARNING: setting it to a large value +# may adversely impact performance. (integer value) +#max_project_tree_depth = 5 + +# Limit the sizes of user & project ID/names. (integer value) +#max_param_size = 64 + +# Similar to max_param_size, but provides an exception for token values. +# (integer value) +#max_token_size = 8192 + +# Similar to the member_role_name option, this represents the default role ID +# used to associate users with their default projects in the v2 API. This will +# be used as the explicit role where one is not specified by the v2 API. +# (string value) +#member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab + +# This is the role name used in combination with the member_role_id option; see +# that option for more detail. (string value) +#member_role_name = _member_ + +# The value passed as the keyword "rounds" to passlib's encrypt method. +# (integer value) +#crypt_strength = 40000 + +# The maximum number of entities that will be returned in a collection, with no +# limit set by default. This global limit may be then overridden for a specific +# driver, by specifying a list_limit in the appropriate section (e.g. +# [assignment]). (integer value) +#list_limit = <None> + +# Set this to false if you want to enable the ability for user, group and +# project entities to be moved between domains by updating their domain_id. +# Allowing such movement is not recommended if the scope of a domain admin is +# being restricted by use of an appropriate policy file (see +# policy.v3cloudsample as an example). (boolean value) +#domain_id_immutable = true + +# If set to true, strict password length checking is performed for password +# manipulation. If a password exceeds the maximum length, the operation will +# fail with an HTTP 403 Forbidden error. If set to false, passwords are +# automatically truncated to the maximum length. (boolean value) +#strict_password_check = false + +# The HTTP header used to determine the scheme for the original request, even +# if it was removed by an SSL terminating proxy. Typical value is +# "HTTP_X_FORWARDED_PROTO". (string value) +#secure_proxy_ssl_header = <None> + +# +# From keystone.notifications +# + +# Default publisher_id for outgoing notifications (string value) +#default_publisher_id = <None> + +# Define the notification format for Identity Service events. A "basic" +# notification has information about the resource being operated on. A "cadf" +# notification has the same information, as well as information about the +# initiator of the event. Valid options are: basic and cadf (string value) +#notification_format = basic + +# +# From keystone.openstack.common.eventlet_backdoor +# + +# Enable eventlet backdoor. Acceptable values are 0, <port>, and +# <start>:<end>, where 0 results in listening on a random tcp port number; +# <port> results in listening on the specified port number (and not enabling +# backdoor if that port is in use); and <start>:<end> results in listening on +# the smallest unused port number within the specified range of port numbers. +# The chosen port is displayed in the service's log file. (string value) +#backdoor_port = <None> + +# +# From oslo.log +# + +# Print debugging output (set logging level to DEBUG instead of default WARNING +# level). (boolean value) +#debug = false + +# Print more verbose output (set logging level to INFO instead of default +# WARNING level). (boolean value) +#verbose = false + +# The name of a logging configuration file. This file is appended to any +# existing logging configuration files. For details about logging configuration +# files, see the Python logging module documentation. (string value) +# Deprecated group/name - [DEFAULT]/log_config +#log_config_append = <None> + +# DEPRECATED. A logging.Formatter log message format string which may use any +# of the available logging.LogRecord attributes. This option is deprecated. +# Please use logging_context_format_string and logging_default_format_string +# instead. (string value) +#log_format = <None> + +# Format string for %%(asctime)s in log records. Default: %(default)s . (string +# value) +#log_date_format = %Y-%m-%d %H:%M:%S + +# (Optional) Name of log file to output to. If no default is set, logging will +# go to stdout. (string value) +# Deprecated group/name - [DEFAULT]/logfile +#log_file = <None> + +# (Optional) The base directory used for relative --log-file paths. (string +# value) +# Deprecated group/name - [DEFAULT]/logdir +#log_dir = <None> + +# Use syslog for logging. Existing syslog format is DEPRECATED during I, and +# will change in J to honor RFC5424. (boolean value) +#use_syslog = false + +# (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, +# prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The +# format without the APP-NAME is deprecated in I, and will be removed in J. +# (boolean value) +#use_syslog_rfc_format = false + +# Syslog facility to receive log lines. (string value) +#syslog_log_facility = LOG_USER + +# Log output to standard error. (boolean value) +#use_stderr = true + +# Format string to use for log messages with context. (string value) +#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s + +# Format string to use for log messages without context. (string value) +#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s + +# Data to append to log format when level is DEBUG. (string value) +#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d + +# Prefix each line of exception output with this format. (string value) +#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s + +# List of logger=LEVEL pairs. (list value) +#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN + +# Enables or disables publication of error events. (boolean value) +#publish_errors = false + +# Enables or disables fatal status of deprecations. (boolean value) +#fatal_deprecations = false + +# The format for an instance that is passed with the log message. (string +# value) +#instance_format = "[instance: %(uuid)s] " + +# The format for an instance UUID that is passed with the log message. (string +# value) +#instance_uuid_format = "[instance: %(uuid)s] " + +# +# From oslo.messaging +# + +# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. +# The "host" option should point or resolve to this address. (string value) +#rpc_zmq_bind_address = * + +# MatchMaker driver. (string value) +#rpc_zmq_matchmaker = oslo_messaging._drivers.matchmaker.MatchMakerLocalhost + +# ZeroMQ receiver listening port. (integer value) +#rpc_zmq_port = 9501 + +# Number of ZeroMQ contexts, defaults to 1. (integer value) +#rpc_zmq_contexts = 1 + +# Maximum number of ingress messages to locally buffer per topic. Default is +# unlimited. (integer value) +#rpc_zmq_topic_backlog = <None> + +# Directory for holding IPC sockets. (string value) +#rpc_zmq_ipc_dir = /var/run/openstack + +# Name of this node. Must be a valid hostname, FQDN, or IP address. Must match +# "host" option, if running Nova. (string value) +#rpc_zmq_host = localhost + +# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq. +# (integer value) +#rpc_cast_timeout = 30 + +# Heartbeat frequency. (integer value) +#matchmaker_heartbeat_freq = 300 + +# Heartbeat time-to-live. (integer value) +#matchmaker_heartbeat_ttl = 600 + +# Size of RPC thread pool. (integer value) +#rpc_thread_pool_size = 64 + +# Driver or drivers to handle sending notifications. (multi valued) +#notification_driver = + +# AMQP topic used for OpenStack notifications. (list value) +# Deprecated group/name - [rpc_notifier2]/topics +#notification_topics = notifications + +# Seconds to wait for a response from a call. (integer value) +#rpc_response_timeout = 60 + +# A URL representing the messaging driver to use and its full configuration. If +# not set, we fall back to the rpc_backend option and driver specific +# configuration. (string value) +#transport_url = <None> + +# The messaging driver to use, defaults to rabbit. Other drivers include qpid +# and zmq. (string value) +rpc_backend = rabbit + +# The default exchange under which topics are scoped. May be overridden by an +# exchange name specified in the transport_url option. (string value) +#control_exchange = keystone + + +[assignment] + +# +# From keystone +# + +# Assignment backend driver. (string value) +#driver = <None> + + +[auth] + +# +# From keystone +# + +# Default auth methods. (list value) +#methods = external,password,token,oauth1 + +# The password auth plugin module. (string value) +#password = keystone.auth.plugins.password.Password + +# The token auth plugin module. (string value) +#token = keystone.auth.plugins.token.Token + +# The external (REMOTE_USER) auth plugin module. (string value) +#external = keystone.auth.plugins.external.DefaultDomain + +# The oAuth1.0 auth plugin module. (string value) +#oauth1 = keystone.auth.plugins.oauth1.OAuth + + +[cache] + +# +# From keystone +# + +# Prefix for building the configuration dictionary for the cache region. This +# should not need to be changed unless there is another dogpile.cache region +# with the same configuration name. (string value) +#config_prefix = cache.keystone + +# Default TTL, in seconds, for any cached item in the dogpile.cache region. +# This applies to any cached method that doesn't have an explicit cache +# expiration time defined for it. (integer value) +#expiration_time = 600 + +# Dogpile.cache backend module. It is recommended that Memcache with pooling +# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in +# production deployments. Small workloads (single process) like devstack can +# use the dogpile.cache.memory backend. (string value) +#backend = keystone.common.cache.noop + +# Arguments supplied to the backend module. Specify this option once per +# argument to be passed to the dogpile.cache backend. Example format: +# "<argname>:<value>". (multi valued) +#backend_argument = + +# Proxy classes to import that will affect the way the dogpile.cache backend +# functions. See the dogpile.cache documentation on changing-backend-behavior. +# (list value) +#proxies = + +# Global toggle for all caching using the should_cache_fn mechanism. (boolean +# value) +#enabled = false + +# Extra debugging from the cache backend (cache keys, get/set/delete/etc +# calls). This is only really useful if you need to see the specific cache- +# backend get/set/delete calls with the keys/values. Typically this should be +# left set to false. (boolean value) +#debug_cache_backend = false + +# Memcache servers in the format of "host:port". (dogpile.cache.memcache and +# keystone.cache.memcache_pool backends only). (list value) +#memcache_servers = localhost:11211 + +# Number of seconds memcached server is considered dead before it is tried +# again. (dogpile.cache.memcache and keystone.cache.memcache_pool backends +# only). (integer value) +#memcache_dead_retry = 300 + +# Timeout in seconds for every call to a server. (dogpile.cache.memcache and +# keystone.cache.memcache_pool backends only). (integer value) +#memcache_socket_timeout = 3 + +# Max total number of open connections to every memcached server. +# (keystone.cache.memcache_pool backend only). (integer value) +#memcache_pool_maxsize = 10 + +# Number of seconds a connection to memcached is held unused in the pool before +# it is closed. (keystone.cache.memcache_pool backend only). (integer value) +#memcache_pool_unused_timeout = 60 + +# Number of seconds that an operation will wait to get a memcache client +# connection. (integer value) +#memcache_pool_connection_get_timeout = 10 + + +[catalog] + +# +# From keystone +# + +# Catalog template file name for use with the template catalog backend. (string +# value) +#template_file = default_catalog.templates + +# Catalog backend driver. (string value) +#driver = keystone.catalog.backends.sql.Catalog + +# Toggle for catalog caching. This has no effect unless global caching is +# enabled. (boolean value) +#caching = true + +# Time to cache catalog data (in seconds). This has no effect unless global and +# catalog caching are enabled. (integer value) +#cache_time = <None> + +# Maximum number of entities that will be returned in a catalog collection. +# (integer value) +#list_limit = <None> + + +[credential] + +# +# From keystone +# + +# Credential backend driver. (string value) +#driver = keystone.credential.backends.sql.Credential + + +[database] + +# +# From oslo.db +# + +# The file name to use with SQLite. (string value) +# Deprecated group/name - [DEFAULT]/sqlite_db +#sqlite_db = oslo.sqlite + +# If True, SQLite uses synchronous mode. (boolean value) +# Deprecated group/name - [DEFAULT]/sqlite_synchronous +#sqlite_synchronous = true + +# The back end to use for the database. (string value) +# Deprecated group/name - [DEFAULT]/db_backend +#backend = sqlalchemy + +# The SQLAlchemy connection string to use to connect to the database. (string +# value) +# Deprecated group/name - [DEFAULT]/sql_connection +# Deprecated group/name - [DATABASE]/sql_connection +# Deprecated group/name - [sql]/connection +connection=postgresql://{{ KEYSTONE_DB_USER }}:{{ KEYSTONE_DB_PASSWORD }}@{{ CONTROLLER_HOST_ADDRESS }}/keystone + +# The SQLAlchemy connection string to use to connect to the slave database. +# (string value) +#slave_connection = <None> + +# The SQL mode to be used for MySQL sessions. This option, including the +# default, overrides any server-set SQL mode. To use whatever SQL mode is set +# by the server configuration, set this to no value. Example: mysql_sql_mode= +# (string value) +#mysql_sql_mode = TRADITIONAL + +# Timeout before idle SQL connections are reaped. (integer value) +# Deprecated group/name - [DEFAULT]/sql_idle_timeout +# Deprecated group/name - [DATABASE]/sql_idle_timeout +# Deprecated group/name - [sql]/idle_timeout +#idle_timeout = 3600 + +# Minimum number of SQL connections to keep open in a pool. (integer value) +# Deprecated group/name - [DEFAULT]/sql_min_pool_size +# Deprecated group/name - [DATABASE]/sql_min_pool_size +#min_pool_size = 1 + +# Maximum number of SQL connections to keep open in a pool. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_pool_size +# Deprecated group/name - [DATABASE]/sql_max_pool_size +#max_pool_size = <None> + +# Maximum number of database connection retries during startup. Set to -1 to +# specify an infinite retry count. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_retries +# Deprecated group/name - [DATABASE]/sql_max_retries +#max_retries = 10 + +# Interval between retries of opening a SQL connection. (integer value) +# Deprecated group/name - [DEFAULT]/sql_retry_interval +# Deprecated group/name - [DATABASE]/reconnect_interval +#retry_interval = 10 + +# If set, use this value for max_overflow with SQLAlchemy. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_overflow +# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow +#max_overflow = <None> + +# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer +# value) +# Deprecated group/name - [DEFAULT]/sql_connection_debug +#connection_debug = 0 + +# Add Python stack traces to SQL as comment strings. (boolean value) +# Deprecated group/name - [DEFAULT]/sql_connection_trace +#connection_trace = false + +# If set, use this value for pool_timeout with SQLAlchemy. (integer value) +# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout +#pool_timeout = <None> + +# Enable the experimental use of database reconnect on connection lost. +# (boolean value) +#use_db_reconnect = false + +# Seconds between retries of a database transaction. (integer value) +#db_retry_interval = 1 + +# If True, increases the interval between retries of a database operation up to +# db_max_retry_interval. (boolean value) +#db_inc_retry_interval = true + +# If db_inc_retry_interval is set, the maximum seconds between retries of a +# database operation. (integer value) +#db_max_retry_interval = 10 + +# Maximum retries in case of connection error or deadlock error before error is +# raised. Set to -1 to specify an infinite retry count. (integer value) +#db_max_retries = 20 + + +[domain_config] + +# +# From keystone +# + +# Domain config backend driver. (string value) +#driver = keystone.resource.config_backends.sql.DomainConfig + +# Toggle for domain config caching. This has no effect unless global caching is +# enabled. (boolean value) +#caching = true + +# TTL (in seconds) to cache domain config data. This has no effect unless +# domain config caching is enabled. (integer value) +#cache_time = 300 + + +[endpoint_filter] + +# +# From keystone +# + +# Endpoint Filter backend driver (string value) +#driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter + +# Toggle to return all active endpoints if no filter exists. (boolean value) +#return_all_endpoints_if_no_filter = true + + +[endpoint_policy] + +# +# From keystone +# + +# Endpoint policy backend driver (string value) +#driver = keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy + + +[eventlet_server] + +# +# From keystone +# + +# The number of worker processes to serve the public eventlet application. +# Defaults to number of CPUs (minimum of 2). (integer value) +# Deprecated group/name - [DEFAULT]/public_workers +#public_workers = <None> + +# The number of worker processes to serve the admin eventlet application. +# Defaults to number of CPUs (minimum of 2). (integer value) +# Deprecated group/name - [DEFAULT]/admin_workers +#admin_workers = <None> + +# The IP address of the network interface for the public service to listen on. +# (string value) +# Deprecated group/name - [DEFAULT]/bind_host +# Deprecated group/name - [DEFAULT]/public_bind_host +#public_bind_host = 0.0.0.0 + +# The port number which the public service listens on. (integer value) +# Deprecated group/name - [DEFAULT]/public_port +public_port = 5000 + +# The IP address of the network interface for the admin service to listen on. +# (string value) +# Deprecated group/name - [DEFAULT]/bind_host +# Deprecated group/name - [DEFAULT]/admin_bind_host +#admin_bind_host = 0.0.0.0 + +# The port number which the admin service listens on. (integer value) +# Deprecated group/name - [DEFAULT]/admin_port +admin_port = 35357 + +# Set this to true if you want to enable TCP_KEEPALIVE on server sockets, i.e. +# sockets used by the Keystone wsgi server for client connections. (boolean +# value) +# Deprecated group/name - [DEFAULT]/tcp_keepalive +#tcp_keepalive = false + +# Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only +# applies if tcp_keepalive is true. (integer value) +# Deprecated group/name - [DEFAULT]/tcp_keepidle +#tcp_keepidle = 600 + + +[eventlet_server_ssl] + +# +# From keystone +# + +# Toggle for SSL support on the Keystone eventlet servers. (boolean value) +# Deprecated group/name - [ssl]/enable +#enable = false + +# Path of the certfile for SSL. For non-production environments, you may be +# interested in using `keystone-manage ssl_setup` to generate self-signed +# certificates. (string value) +# Deprecated group/name - [ssl]/certfile +#certfile = /etc/keystone/ssl/certs/keystone.pem + +# Path of the keyfile for SSL. (string value) +# Deprecated group/name - [ssl]/keyfile +#keyfile = /etc/keystone/ssl/private/keystonekey.pem + +# Path of the CA cert file for SSL. (string value) +# Deprecated group/name - [ssl]/ca_certs +#ca_certs = /etc/keystone/ssl/certs/ca.pem + +# Require client certificate. (boolean value) +# Deprecated group/name - [ssl]/cert_required +#cert_required = false + + +[federation] + +# +# From keystone +# + +# Federation backend driver. (string value) +#driver = keystone.contrib.federation.backends.sql.Federation + +# Value to be used when filtering assertion parameters from the environment. +# (string value) +#assertion_prefix = + +# Value to be used to obtain the entity ID of the Identity Provider from the +# environment (e.g. if using the mod_shib plugin this value is `Shib-Identity- +# Provider`). (string value) +#remote_id_attribute = <None> + +# A domain name that is reserved to allow federated ephemeral users to have a +# domain concept. Note that an admin will not be able to create a domain with +# this name or update an existing domain to this name. You are not advised to +# change this value unless you really have to. Changing this option to empty +# string or None will not have any impact and default name will be used. +# (string value) +#federated_domain_name = Federated + +# A list of trusted dashboard hosts. Before accepting a Single Sign-On request +# to return a token, the origin host must be a member of the trusted_dashboard +# list. This configuration option may be repeated for multiple values. For +# example: trusted_dashboard=http://acme.com trusted_dashboard=http://beta.com +# (multi valued) +#trusted_dashboard = + +# Location of Single Sign-On callback handler, will return a token to a trusted +# dashboard host. (string value) +#sso_callback_template = /etc/keystone/sso_callback_template.html + + +[fernet_tokens] + +# +# From keystone +# + +# Directory containing Fernet token keys. (string value) +#key_repository = /etc/keystone/fernet-keys/ + +# This controls how many keys are held in rotation by keystone-manage +# fernet_rotate before they are discarded. The default value of 3 means that +# keystone will maintain one staged key, one primary key, and one secondary +# key. Increasing this value means that additional secondary keys will be kept +# in the rotation. (integer value) +#max_active_keys = 3 + + +[identity] + +# +# From keystone +# + +# This references the domain to use for all Identity API v2 requests (which are +# not aware of domains). A domain with this ID will be created for you by +# keystone-manage db_sync in migration 008. The domain referenced by this ID +# cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API. +# There is nothing special about this domain, other than the fact that it must +# exist to order to maintain support for your v2 clients. (string value) +#default_domain_id = default + +# A subset (or all) of domains can have their own identity driver, each with +# their own partial configuration options, stored in either the resource +# backend or in a file in a domain configuration directory (depending on the +# setting of domain_configurations_from_database). Only values specific to the +# domain need to be specified in this manner. This feature is disabled by +# default; set to true to enable. (boolean value) +#domain_specific_drivers_enabled = false + +# Extract the domain specific configuration options from the resource backend +# where they have been stored with the domain data. This feature is disabled by +# default (in which case the domain specific options will be loaded from files +# in the domain configuration directory); set to true to enable. (boolean +# value) +#domain_configurations_from_database = false + +# Path for Keystone to locate the domain specific identity configuration files +# if domain_specific_drivers_enabled is set to true. (string value) +#domain_config_dir = /etc/keystone/domains + +# Identity backend driver. (string value) +#driver = keystone.identity.backends.sql.Identity + +# Toggle for identity caching. This has no effect unless global caching is +# enabled. (boolean value) +#caching = true + +# Time to cache identity data (in seconds). This has no effect unless global +# and identity caching are enabled. (integer value) +#cache_time = 600 + +# Maximum supported length for user passwords; decrease to improve performance. +# (integer value) +#max_password_length = 4096 + +# Maximum number of entities that will be returned in an identity collection. +# (integer value) +#list_limit = <None> + + +[identity_mapping] + +# +# From keystone +# + +# Keystone Identity Mapping backend driver. (string value) +#driver = keystone.identity.mapping_backends.sql.Mapping + +# Public ID generator for user and group entities. The Keystone identity mapper +# only supports generators that produce no more than 64 characters. (string +# value) +#generator = keystone.identity.id_generators.sha256.Generator + +# The format of user and group IDs changed in Juno for backends that do not +# generate UUIDs (e.g. LDAP), with keystone providing a hash mapping to the +# underlying attribute in LDAP. By default this mapping is disabled, which +# ensures that existing IDs will not change. Even when the mapping is enabled +# by using domain specific drivers, any users and groups from the default +# domain being handled by LDAP will still not be mapped to ensure their IDs +# remain backward compatible. Setting this value to False will enable the +# mapping for even the default LDAP driver. It is only safe to do this if you +# do not already have assignments for users and groups from the default LDAP +# domain, and it is acceptable for Keystone to provide the different IDs to +# clients than it did previously. Typically this means that the only time you +# can set this value to False is when configuring a fresh installation. +# (boolean value) +#backward_compatible_ids = true + + +[kvs] + +# +# From keystone +# + +# Extra dogpile.cache backend modules to register with the dogpile.cache +# library. (list value) +#backends = + +# Prefix for building the configuration dictionary for the KVS region. This +# should not need to be changed unless there is another dogpile.cache region +# with the same configuration name. (string value) +#config_prefix = keystone.kvs + +# Toggle to disable using a key-mangling function to ensure fixed length keys. +# This is toggle-able for debugging purposes, it is highly recommended to +# always leave this set to true. (boolean value) +#enable_key_mangler = true + +# Default lock timeout (in seconds) for distributed locking. (integer value) +#default_lock_timeout = 5 + + +[ldap] + +# +# From keystone +# + +# URL for connecting to the LDAP server. (string value) +#url = ldap://localhost + +# User BindDN to query the LDAP server. (string value) +#user = <None> + +# Password for the BindDN to query the LDAP server. (string value) +#password = <None> + +# LDAP server suffix (string value) +#suffix = cn=example,cn=com + +# If true, will add a dummy member to groups. This is required if the +# objectclass for groups requires the "member" attribute. (boolean value) +#use_dumb_member = false + +# DN of the "dummy member" to use when "use_dumb_member" is enabled. (string +# value) +#dumb_member = cn=dumb,dc=nonexistent + +# Delete subtrees using the subtree delete control. Only enable this option if +# your LDAP server supports subtree deletion. (boolean value) +#allow_subtree_delete = false + +# The LDAP scope for queries, this can be either "one" (onelevel/singleLevel) +# or "sub" (subtree/wholeSubtree). (string value) +#query_scope = one + +# Maximum results per page; a value of zero ("0") disables paging. (integer +# value) +#page_size = 0 + +# The LDAP dereferencing option for queries. This can be either "never", +# "searching", "always", "finding" or "default". The "default" option falls +# back to using default dereferencing configured by your ldap.conf. (string +# value) +#alias_dereferencing = default + +# Sets the LDAP debugging level for LDAP calls. A value of 0 means that +# debugging is not enabled. This value is a bitmask, consult your LDAP +# documentation for possible values. (integer value) +#debug_level = <None> + +# Override the system's default referral chasing behavior for queries. (boolean +# value) +#chase_referrals = <None> + +# Search base for users. (string value) +#user_tree_dn = <None> + +# LDAP search filter for users. (string value) +#user_filter = <None> + +# LDAP objectclass for users. (string value) +#user_objectclass = inetOrgPerson + +# LDAP attribute mapped to user id. WARNING: must not be a multivalued +# attribute. (string value) +#user_id_attribute = cn + +# LDAP attribute mapped to user name. (string value) +#user_name_attribute = sn + +# LDAP attribute mapped to user email. (string value) +#user_mail_attribute = mail + +# LDAP attribute mapped to password. (string value) +#user_pass_attribute = userPassword + +# LDAP attribute mapped to user enabled flag. (string value) +#user_enabled_attribute = enabled + +# Invert the meaning of the boolean enabled values. Some LDAP servers use a +# boolean lock attribute where "true" means an account is disabled. Setting +# "user_enabled_invert = true" will allow these lock attributes to be used. +# This setting will have no effect if "user_enabled_mask" or +# "user_enabled_emulation" settings are in use. (boolean value) +#user_enabled_invert = false + +# Bitmask integer to indicate the bit that the enabled value is stored in if +# the LDAP server represents "enabled" as a bit on an integer rather than a +# boolean. A value of "0" indicates the mask is not used. If this is not set to +# "0" the typical value is "2". This is typically used when +# "user_enabled_attribute = userAccountControl". (integer value) +#user_enabled_mask = 0 + +# Default value to enable users. This should match an appropriate int value if +# the LDAP server uses non-boolean (bitmask) values to indicate if a user is +# enabled or disabled. If this is not set to "True" the typical value is "512". +# This is typically used when "user_enabled_attribute = userAccountControl". +# (string value) +#user_enabled_default = True + +# List of attributes stripped off the user on update. (list value) +#user_attribute_ignore = default_project_id,tenants + +# LDAP attribute mapped to default_project_id for users. (string value) +#user_default_project_id_attribute = <None> + +# Allow user creation in LDAP backend. (boolean value) +#user_allow_create = true + +# Allow user updates in LDAP backend. (boolean value) +#user_allow_update = true + +# Allow user deletion in LDAP backend. (boolean value) +#user_allow_delete = true + +# If true, Keystone uses an alternative method to determine if a user is +# enabled or not by checking if they are a member of the +# "user_enabled_emulation_dn" group. (boolean value) +#user_enabled_emulation = false + +# DN of the group entry to hold enabled users when using enabled emulation. +# (string value) +#user_enabled_emulation_dn = <None> + +# List of additional LDAP attributes used for mapping additional attribute +# mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>, +# where ldap_attr is the attribute in the LDAP entry and user_attr is the +# Identity API attribute. (list value) +#user_additional_attribute_mapping = + +# Search base for projects (string value) +# Deprecated group/name - [ldap]/tenant_tree_dn +#project_tree_dn = <None> + +# LDAP search filter for projects. (string value) +# Deprecated group/name - [ldap]/tenant_filter +#project_filter = <None> + +# LDAP objectclass for projects. (string value) +# Deprecated group/name - [ldap]/tenant_objectclass +#project_objectclass = groupOfNames + +# LDAP attribute mapped to project id. (string value) +# Deprecated group/name - [ldap]/tenant_id_attribute +#project_id_attribute = cn + +# LDAP attribute mapped to project membership for user. (string value) +# Deprecated group/name - [ldap]/tenant_member_attribute +#project_member_attribute = member + +# LDAP attribute mapped to project name. (string value) +# Deprecated group/name - [ldap]/tenant_name_attribute +#project_name_attribute = ou + +# LDAP attribute mapped to project description. (string value) +# Deprecated group/name - [ldap]/tenant_desc_attribute +#project_desc_attribute = description + +# LDAP attribute mapped to project enabled. (string value) +# Deprecated group/name - [ldap]/tenant_enabled_attribute +#project_enabled_attribute = enabled + +# LDAP attribute mapped to project domain_id. (string value) +# Deprecated group/name - [ldap]/tenant_domain_id_attribute +#project_domain_id_attribute = businessCategory + +# List of attributes stripped off the project on update. (list value) +# Deprecated group/name - [ldap]/tenant_attribute_ignore +#project_attribute_ignore = + +# Allow project creation in LDAP backend. (boolean value) +# Deprecated group/name - [ldap]/tenant_allow_create +#project_allow_create = true + +# Allow project update in LDAP backend. (boolean value) +# Deprecated group/name - [ldap]/tenant_allow_update +#project_allow_update = true + +# Allow project deletion in LDAP backend. (boolean value) +# Deprecated group/name - [ldap]/tenant_allow_delete +#project_allow_delete = true + +# If true, Keystone uses an alternative method to determine if a project is +# enabled or not by checking if they are a member of the +# "project_enabled_emulation_dn" group. (boolean value) +# Deprecated group/name - [ldap]/tenant_enabled_emulation +#project_enabled_emulation = false + +# DN of the group entry to hold enabled projects when using enabled emulation. +# (string value) +# Deprecated group/name - [ldap]/tenant_enabled_emulation_dn +#project_enabled_emulation_dn = <None> + +# Additional attribute mappings for projects. Attribute mapping format is +# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry +# and user_attr is the Identity API attribute. (list value) +# Deprecated group/name - [ldap]/tenant_additional_attribute_mapping +#project_additional_attribute_mapping = + +# Search base for roles. (string value) +#role_tree_dn = <None> + +# LDAP search filter for roles. (string value) +#role_filter = <None> + +# LDAP objectclass for roles. (string value) +#role_objectclass = organizationalRole + +# LDAP attribute mapped to role id. (string value) +#role_id_attribute = cn + +# LDAP attribute mapped to role name. (string value) +#role_name_attribute = ou + +# LDAP attribute mapped to role membership. (string value) +#role_member_attribute = roleOccupant + +# List of attributes stripped off the role on update. (list value) +#role_attribute_ignore = + +# Allow role creation in LDAP backend. (boolean value) +#role_allow_create = true + +# Allow role update in LDAP backend. (boolean value) +#role_allow_update = true + +# Allow role deletion in LDAP backend. (boolean value) +#role_allow_delete = true + +# Additional attribute mappings for roles. Attribute mapping format is +# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry +# and user_attr is the Identity API attribute. (list value) +#role_additional_attribute_mapping = + +# Search base for groups. (string value) +#group_tree_dn = <None> + +# LDAP search filter for groups. (string value) +#group_filter = <None> + +# LDAP objectclass for groups. (string value) +#group_objectclass = groupOfNames + +# LDAP attribute mapped to group id. (string value) +#group_id_attribute = cn + +# LDAP attribute mapped to group name. (string value) +#group_name_attribute = ou + +# LDAP attribute mapped to show group membership. (string value) +#group_member_attribute = member + +# LDAP attribute mapped to group description. (string value) +#group_desc_attribute = description + +# List of attributes stripped off the group on update. (list value) +#group_attribute_ignore = + +# Allow group creation in LDAP backend. (boolean value) +#group_allow_create = true + +# Allow group update in LDAP backend. (boolean value) +#group_allow_update = true + +# Allow group deletion in LDAP backend. (boolean value) +#group_allow_delete = true + +# Additional attribute mappings for groups. Attribute mapping format is +# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry +# and user_attr is the Identity API attribute. (list value) +#group_additional_attribute_mapping = + +# CA certificate file path for communicating with LDAP servers. (string value) +#tls_cacertfile = <None> + +# CA certificate directory path for communicating with LDAP servers. (string +# value) +#tls_cacertdir = <None> + +# Enable TLS for communicating with LDAP servers. (boolean value) +#use_tls = false + +# Valid options for tls_req_cert are demand, never, and allow. (string value) +#tls_req_cert = demand + +# Enable LDAP connection pooling. (boolean value) +#use_pool = false + +# Connection pool size. (integer value) +#pool_size = 10 + +# Maximum count of reconnect trials. (integer value) +#pool_retry_max = 3 + +# Time span in seconds to wait between two reconnect trials. (floating point +# value) +#pool_retry_delay = 0.1 + +# Connector timeout in seconds. Value -1 indicates indefinite wait for +# response. (integer value) +#pool_connection_timeout = -1 + +# Connection lifetime in seconds. (integer value) +#pool_connection_lifetime = 600 + +# Enable LDAP connection pooling for end user authentication. If use_pool is +# disabled, then this setting is meaningless and is not used at all. (boolean +# value) +#use_auth_pool = false + +# End user auth connection pool size. (integer value) +#auth_pool_size = 100 + +# End user auth connection lifetime in seconds. (integer value) +#auth_pool_connection_lifetime = 60 + + +[matchmaker_redis] + +# +# From oslo.messaging +# + +# Host to locate redis. (string value) +#host = 127.0.0.1 + +# Use this port to connect to redis host. (integer value) +#port = 6379 + +# Password for Redis server (optional). (string value) +#password = <None> + + +[matchmaker_ring] + +# +# From oslo.messaging +# + +# Matchmaker ring file (JSON). (string value) +# Deprecated group/name - [DEFAULT]/matchmaker_ringfile +#ringfile = /etc/oslo/matchmaker_ring.json + + +[memcache] + +# +# From keystone +# + +# Memcache servers in the format of "host:port". (list value) +#servers = localhost:11211 + +# Number of seconds memcached server is considered dead before it is tried +# again. This is used by the key value store system (e.g. token pooled +# memcached persistence backend). (integer value) +#dead_retry = 300 + +# Timeout in seconds for every call to a server. This is used by the key value +# store system (e.g. token pooled memcached persistence backend). (integer +# value) +#socket_timeout = 3 + +# Max total number of open connections to every memcached server. This is used +# by the key value store system (e.g. token pooled memcached persistence +# backend). (integer value) +#pool_maxsize = 10 + +# Number of seconds a connection to memcached is held unused in the pool before +# it is closed. This is used by the key value store system (e.g. token pooled +# memcached persistence backend). (integer value) +#pool_unused_timeout = 60 + +# Number of seconds that an operation will wait to get a memcache client +# connection. This is used by the key value store system (e.g. token pooled +# memcached persistence backend). (integer value) +#pool_connection_get_timeout = 10 + + +[oauth1] + +# +# From keystone +# + +# Credential backend driver. (string value) +#driver = keystone.contrib.oauth1.backends.sql.OAuth1 + +# Duration (in seconds) for the OAuth Request Token. (integer value) +#request_token_duration = 28800 + +# Duration (in seconds) for the OAuth Access Token. (integer value) +#access_token_duration = 86400 + + +[os_inherit] + +# +# From keystone +# + +# role-assignment inheritance to projects from owning domain or from projects +# higher in the hierarchy can be optionally enabled. (boolean value) +#enabled = false + + +[oslo_messaging_amqp] + +# +# From oslo.messaging +# + +# address prefix used when sending to a specific server (string value) +# Deprecated group/name - [amqp1]/server_request_prefix +#server_request_prefix = exclusive + +# address prefix used when broadcasting to all servers (string value) +# Deprecated group/name - [amqp1]/broadcast_prefix +#broadcast_prefix = broadcast + +# address prefix when sending to any server in group (string value) +# Deprecated group/name - [amqp1]/group_request_prefix +#group_request_prefix = unicast + +# Name for the AMQP container (string value) +# Deprecated group/name - [amqp1]/container_name +#container_name = <None> + +# Timeout for inactive connections (in seconds) (integer value) +# Deprecated group/name - [amqp1]/idle_timeout +#idle_timeout = 0 + +# Debug: dump AMQP frames to stdout (boolean value) +# Deprecated group/name - [amqp1]/trace +#trace = false + +# CA certificate PEM file for verifing server certificate (string value) +# Deprecated group/name - [amqp1]/ssl_ca_file +#ssl_ca_file = + +# Identifying certificate PEM file to present to clients (string value) +# Deprecated group/name - [amqp1]/ssl_cert_file +#ssl_cert_file = + +# Private key PEM file used to sign cert_file certificate (string value) +# Deprecated group/name - [amqp1]/ssl_key_file +#ssl_key_file = + +# Password for decrypting ssl_key_file (if encrypted) (string value) +# Deprecated group/name - [amqp1]/ssl_key_password +#ssl_key_password = <None> + +# Accept clients using either SSL or plain TCP (boolean value) +# Deprecated group/name - [amqp1]/allow_insecure_clients +#allow_insecure_clients = false + + +[oslo_messaging_qpid] + +# +# From oslo.messaging +# + +# Use durable queues in AMQP. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_durable_queues +#amqp_durable_queues = false + +# Auto-delete queues in AMQP. (boolean value) +# Deprecated group/name - [DEFAULT]/amqp_auto_delete +#amqp_auto_delete = false + +# Size of RPC connection pool. (integer value) +# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size +#rpc_conn_pool_size = 30 + +# Qpid broker hostname. (string value) +# Deprecated group/name - [DEFAULT]/qpid_hostname +#qpid_hostname = localhost + +# Qpid broker port. (integer value) +# Deprecated group/name - [DEFAULT]/qpid_port +#qpid_port = 5672 + +# Qpid HA cluster host:port pairs. (list value) +# Deprecated group/name - [DEFAULT]/qpid_hosts +#qpid_hosts = $qpid_hostname:$qpid_port + +# Username for Qpid connection. (string value) +# Deprecated group/name - [DEFAULT]/qpid_username +#qpid_username = + +# Password for Qpid connection. (string value) +# Deprecated group/name - [DEFAULT]/qpid_password +#qpid_password = + +# Space separated list of SASL mechanisms to use for auth. (string value) +# Deprecated group/name - [DEFAULT]/qpid_sasl_mechanisms +#qpid_sasl_mechanisms = + +# Seconds between connection keepalive heartbeats. (integer value) +# Deprecated group/name - [DEFAULT]/qpid_heartbeat +#qpid_heartbeat = 60 + +# Transport to use, either 'tcp' or 'ssl'. (string value) +# Deprecated group/name - [DEFAULT]/qpid_protocol +#qpid_protocol = tcp + +# Whether to disable the Nagle algorithm. (boolean value) +# Deprecated group/name - [DEFAULT]/qpid_tcp_nodelay +#qpid_tcp_nodelay = true + +# The number of prefetched messages held by receiver. (integer value) +# Deprecated group/name - [DEFAULT]/qpid_receiver_capacity +#qpid_receiver_capacity = 1 + +# The qpid topology version to use. Version 1 is what was originally used by +# impl_qpid. Version 2 includes some backwards-incompatible changes that allow +# broker federation to work. Users should update to version 2 when they are +# able to take everything down, as it requires a clean break. (integer value) +# Deprecated group/name - [DEFAULT]/qpid_topology_version +#qpid_topology_version = 1 + + +[oslo_messaging_rabbit] + +# +# From oslo.messaging +# + +# Use durable queues in AMQP. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_durable_queues +#amqp_durable_queues = false + +# Auto-delete queues in AMQP. (boolean value) +# Deprecated group/name - [DEFAULT]/amqp_auto_delete +#amqp_auto_delete = false + +# Size of RPC connection pool. (integer value) +# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size +#rpc_conn_pool_size = 30 + +# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and +# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some +# distributions. (string value) +# Deprecated group/name - [DEFAULT]/kombu_ssl_version +#kombu_ssl_version = + +# SSL key file (valid only if SSL enabled). (string value) +# Deprecated group/name - [DEFAULT]/kombu_ssl_keyfile +#kombu_ssl_keyfile = + +# SSL cert file (valid only if SSL enabled). (string value) +# Deprecated group/name - [DEFAULT]/kombu_ssl_certfile +#kombu_ssl_certfile = + +# SSL certification authority file (valid only if SSL enabled). (string value) +# Deprecated group/name - [DEFAULT]/kombu_ssl_ca_certs +#kombu_ssl_ca_certs = + +# How long to wait before reconnecting in response to an AMQP consumer cancel +# notification. (floating point value) +# Deprecated group/name - [DEFAULT]/kombu_reconnect_delay +#kombu_reconnect_delay = 1.0 + +# The RabbitMQ broker address where a single node is used. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_host +rabbit_host = {{ RABBITMQ_HOST }} + +# The RabbitMQ broker port where a single node is used. (integer value) +# Deprecated group/name - [DEFAULT]/rabbit_port +rabbit_port = {{ RABBITMQ_PORT }} + +# RabbitMQ HA cluster host:port pairs. (list value) +# Deprecated group/name - [DEFAULT]/rabbit_hosts +rabbit_hosts = $rabbit_host:$rabbit_port + +# Connect over SSL for RabbitMQ. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_use_ssl +rabbit_use_ssl = false + +# The RabbitMQ userid. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_userid +rabbit_userid = {{ RABBITMQ_USER }} + +# The RabbitMQ password. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_password +rabbit_password = {{ RABBITMQ_PASSWORD }} + +# The RabbitMQ login method. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_login_method +#rabbit_login_method = AMQPLAIN + +# The RabbitMQ virtual host. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_virtual_host +#rabbit_virtual_host = / + +# How frequently to retry connecting with RabbitMQ. (integer value) +#rabbit_retry_interval = 1 + +# How long to backoff for between retries when connecting to RabbitMQ. (integer +# value) +# Deprecated group/name - [DEFAULT]/rabbit_retry_backoff +#rabbit_retry_backoff = 2 + +# Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry +# count). (integer value) +# Deprecated group/name - [DEFAULT]/rabbit_max_retries +#rabbit_max_retries = 0 + +# Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you +# must wipe the RabbitMQ database. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_ha_queues +#rabbit_ha_queues = false + +# Number of seconds after which the Rabbit broker is considered down if +# heartbeat's keep-alive fails (0 disable the heartbeat). (integer value) +#heartbeat_timeout_threshold = 60 + +# How often times during the heartbeat_timeout_threshold we check the +# heartbeat. (integer value) +#heartbeat_rate = 2 + +# Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake (boolean value) +# Deprecated group/name - [DEFAULT]/fake_rabbit +#fake_rabbit = false + + +[oslo_middleware] + +# +# From oslo.middleware +# + +# The maximum body size for each request, in bytes. (integer value) +# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size +# Deprecated group/name - [DEFAULT]/max_request_body_size +#max_request_body_size = 114688 + + +[oslo_policy] + +# +# From oslo.policy +# + +# The JSON file that defines policies. (string value) +# Deprecated group/name - [DEFAULT]/policy_file +#policy_file = policy.json + +# Default rule. Enforced when a requested rule is not found. (string value) +# Deprecated group/name - [DEFAULT]/policy_default_rule +#policy_default_rule = default + +# Directories where policy configuration files are stored. They can be relative +# to any directory in the search path defined by the config_dir option, or +# absolute paths. The file defined by policy_file must exist for these +# directories to be searched. Missing or empty directories are ignored. (multi +# valued) +# Deprecated group/name - [DEFAULT]/policy_dirs +#policy_dirs = policy.d + + +[paste_deploy] + +# +# From keystone +# + +# Name of the paste configuration file that defines the available pipelines. +# (string value) +#config_file = keystone-paste.ini + + +[policy] + +# +# From keystone +# + +# Policy backend driver. (string value) +#driver = keystone.policy.backends.sql.Policy + +# Maximum number of entities that will be returned in a policy collection. +# (integer value) +#list_limit = <None> + + +[resource] + +# +# From keystone +# + +# Resource backend driver. If a resource driver is not specified, the +# assignment driver will choose the resource driver. (string value) +#driver = <None> + +# Toggle for resource caching. This has no effect unless global caching is +# enabled. (boolean value) +# Deprecated group/name - [assignment]/caching +#caching = true + +# TTL (in seconds) to cache resource data. This has no effect unless global +# caching is enabled. (integer value) +# Deprecated group/name - [assignment]/cache_time +#cache_time = <None> + +# Maximum number of entities that will be returned in a resource collection. +# (integer value) +# Deprecated group/name - [assignment]/list_limit +#list_limit = <None> + + +[revoke] + +# +# From keystone +# + +# An implementation of the backend for persisting revocation events. (string +# value) +#driver = keystone.contrib.revoke.backends.sql.Revoke + +# This value (calculated in seconds) is added to token expiration before a +# revocation event may be removed from the backend. (integer value) +#expiration_buffer = 1800 + +# Toggle for revocation event caching. This has no effect unless global caching +# is enabled. (boolean value) +#caching = true + +# Time to cache the revocation list and the revocation events (in seconds). +# This has no effect unless global and token caching are enabled. (integer +# value) +# Deprecated group/name - [token]/revocation_cache_time +#cache_time = 3600 + + +[role] + +# +# From keystone +# + +# Role backend driver. (string value) +#driver = <None> + +# Toggle for role caching. This has no effect unless global caching is enabled. +# (boolean value) +#caching = true + +# TTL (in seconds) to cache role data. This has no effect unless global caching +# is enabled. (integer value) +#cache_time = <None> + +# Maximum number of entities that will be returned in a role collection. +# (integer value) +#list_limit = <None> + + +[saml] + +# +# From keystone +# + +# Default TTL, in seconds, for any generated SAML assertion created by +# Keystone. (integer value) +#assertion_expiration_time = 3600 + +# Binary to be called for XML signing. Install the appropriate package, specify +# absolute path or adjust your PATH environment variable if the binary cannot +# be found. (string value) +#xmlsec1_binary = xmlsec1 + +# Path of the certfile for SAML signing. For non-production environments, you +# may be interested in using `keystone-manage pki_setup` to generate self- +# signed certificates. Note, the path cannot contain a comma. (string value) +#certfile = /etc/keystone/ssl/certs/signing_cert.pem + +# Path of the keyfile for SAML signing. Note, the path cannot contain a comma. +# (string value) +#keyfile = /etc/keystone/ssl/private/signing_key.pem + +# Entity ID value for unique Identity Provider identification. Usually FQDN is +# set with a suffix. A value is required to generate IDP Metadata. For example: +# https://keystone.example.com/v3/OS-FEDERATION/saml2/idp (string value) +#idp_entity_id = <None> + +# Identity Provider Single-Sign-On service value, required in the Identity +# Provider's metadata. A value is required to generate IDP Metadata. For +# example: https://keystone.example.com/v3/OS-FEDERATION/saml2/sso (string +# value) +#idp_sso_endpoint = <None> + +# Language used by the organization. (string value) +#idp_lang = en + +# Organization name the installation belongs to. (string value) +#idp_organization_name = <None> + +# Organization name to be displayed. (string value) +#idp_organization_display_name = <None> + +# URL of the organization. (string value) +#idp_organization_url = <None> + +# Company of contact person. (string value) +#idp_contact_company = <None> + +# Given name of contact person (string value) +#idp_contact_name = <None> + +# Surname of contact person. (string value) +#idp_contact_surname = <None> + +# Email address of contact person. (string value) +#idp_contact_email = <None> + +# Telephone number of contact person. (string value) +#idp_contact_telephone = <None> + +# Contact type. Allowed values are: technical, support, administrative billing, +# and other (string value) +#idp_contact_type = other + +# Path to the Identity Provider Metadata file. This file should be generated +# with the keystone-manage saml_idp_metadata command. (string value) +#idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml + +# The prefix to use for the RelayState SAML attribute, used when generating ECP +# wrapped assertions. (string value) +#relay_state_prefix = ss:mem: + + +[signing] + +# +# From keystone +# + +# Path of the certfile for token signing. For non-production environments, you +# may be interested in using `keystone-manage pki_setup` to generate self- +# signed certificates. (string value) +#certfile = /etc/keystone/ssl/certs/signing_cert.pem + +# Path of the keyfile for token signing. (string value) +#keyfile = /etc/keystone/ssl/private/signing_key.pem + +# Path of the CA for token signing. (string value) +#ca_certs = /etc/keystone/ssl/certs/ca.pem + +# Path of the CA key for token signing. (string value) +#ca_key = /etc/keystone/ssl/private/cakey.pem + +# Key size (in bits) for token signing cert (auto generated certificate). +# (integer value) +#key_size = 2048 + +# Days the token signing cert is valid for (auto generated certificate). +# (integer value) +#valid_days = 3650 + +# Certificate subject (auto generated certificate) for token signing. (string +# value) +#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com + + +[ssl] + +# +# From keystone +# + +# Path of the CA key file for SSL. (string value) +#ca_key = /etc/keystone/ssl/private/cakey.pem + +# SSL key length (in bits) (auto generated certificate). (integer value) +#key_size = 1024 + +# Days the certificate is valid for once signed (auto generated certificate). +# (integer value) +#valid_days = 3650 + +# SSL certificate subject (auto generated certificate). (string value) +#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost + + +[token] + +# +# From keystone +# + +# External auth mechanisms that should add bind information to token, e.g., +# kerberos,x509. (list value) +#bind = + +# Enforcement policy on tokens presented to Keystone with bind information. One +# of disabled, permissive, strict, required or a specifically required bind +# mode, e.g., kerberos or x509 to require binding to that authentication. +# (string value) +#enforce_token_bind = permissive + +# Amount of time a token should remain valid (in seconds). (integer value) +#expiration = 3600 + +# Controls the token construction, validation, and revocation operations. Core +# providers are "keystone.token.providers.[fernet|pkiz|pki|uuid].Provider". +# (string value) +provider = keystone.token.providers.uuid.Provider + +# Token persistence backend driver. (string value) +driver = keystone.token.persistence.backends.sql.Token + +# Toggle for token system caching. This has no effect unless global caching is +# enabled. (boolean value) +#caching = true + +# Time to cache tokens (in seconds). This has no effect unless global and token +# caching are enabled. (integer value) +#cache_time = <None> + +# Revoke token by token identifier. Setting revoke_by_id to true enables +# various forms of enumerating tokens, e.g. `list tokens for user`. These +# enumerations are processed to determine the list of tokens to revoke. Only +# disable if you are switching to using the Revoke extension with a backend +# other than KVS, which stores events in memory. (boolean value) +#revoke_by_id = true + +# Allow rescoping of scoped token. Setting allow_rescoped_scoped_token to false +# prevents a user from exchanging a scoped token for any other token. (boolean +# value) +#allow_rescope_scoped_token = true + +# The hash algorithm to use for PKI tokens. This can be set to any algorithm +# that hashlib supports. WARNING: Before changing this value, the auth_token +# middleware must be configured with the hash_algorithms, otherwise token +# revocation will not be processed correctly. (string value) +#hash_algorithm = md5 + + +[trust] + +# +# From keystone +# + +# Delegation and impersonation features can be optionally disabled. (boolean +# value) +#enabled = true + +# Enable redelegation feature. (boolean value) +#allow_redelegation = false + +# Maximum depth of trust redelegation. (integer value) +#max_redelegation_count = 3 + +# Trust backend driver. (string value) +#driver = keystone.trust.backends.sql.Trust diff --git a/old/install-files/openstack/usr/share/openstack/network.yml b/old/install-files/openstack/usr/share/openstack/network.yml new file mode 100644 index 00000000..f99f7f1a --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/network.yml @@ -0,0 +1,67 @@ +--- +- hosts: localhost + vars_files: + - /etc/openstack/network.conf + tasks: +# Create the bridges to use the External network mapped + +# Count number of network interfaces (interfaces starting with 'e') + - shell: ls /sys/class/net | grep ^e.* | wc -l + register: number_interfaces + +# Abort if there number of interfaces != 1 + - fail: + msg: More than one, or none network interfaces found. + when: EXTERNAL_INTERFACE is not defined and number_interfaces.stdout != "1" + + - shell: ls /sys/class/net | grep ^e.* + register: interface_name + when: EXTERNAL_INTERFACE is not defined + + - set_fact: + ETH_INTERFACE: "{{ interface_name.stdout }}" + when: EXTERNAL_INTERFACE is not defined + + - set_fact: + ETH_INTERFACE: "{{ EXTERNAL_INTERFACE }}" + when: EXTERNAL_INTERFACE is defined + + - set_fact: + ETH_MAC_ADDRESS: "{{ hostvars['localhost']['ansible_' + ETH_INTERFACE]['macaddress'] }}" + + - name: Create the /run/systemd/network + file: + path: /run/systemd/network + state: directory + + - name: Disable dhcp on the bound physical interface + template: + src: /usr/share/openstack/extras/00-disable-device.network + dest: /run/systemd/network/00-disable-{{ item }}-config.network + with_items: + - "{{ ETH_INTERFACE }}" + + - name: Disable dhcp on all the internal interfaces + template: + src: /usr/share/openstack/extras/00-disable-device.network + dest: /run/systemd/network/00-disable-{{ item }}-config.network + with_items: + - ovs-system + + - openvswitch_bridge: + bridge: br-ex + state: present + + - openvswitch_port: + bridge: br-ex + port: "{{ ETH_INTERFACE }}" + state: present + + - shell: ovs-vsctl set bridge br-ex other-config:hwaddr={{ ETH_MAC_ADDRESS }} + + - name: Enable dhcp on the Open vSwitch device that replaces our external interface + template: + src: /usr/share/openstack/extras/60-device-dhcp.network + dest: /run/systemd/network/60-{{ item }}-dhcp.network + with_items: + - br-ex diff --git a/old/install-files/openstack/usr/share/openstack/neutron-config.yml b/old/install-files/openstack/usr/share/openstack/neutron-config.yml new file mode 100644 index 00000000..5d594353 --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/neutron-config.yml @@ -0,0 +1,37 @@ +--- +- hosts: localhost + vars_files: + - "/etc/openstack/neutron.conf" + tasks: + + - name: Create the neutron user. + user: + name: neutron + comment: Openstack Neutron Daemons + shell: /sbin/nologin + home: /var/lib/neutron + + - name: Create the /var folders for neutron + file: + path: "{{ item }}" + state: directory + owner: neutron + group: neutron + with_items: + - /var/run/neutron + - /var/lock/neutron + - /var/log/neutron + + - name: Create the directories needed for Neutron configuration files. + file: + path: /etc/{{ item }} + state: directory + with_lines: + - cd /usr/share/openstack && find neutron -type d + + - name: Add configuration needed for neutron using templates + template: + src: /usr/share/openstack/{{ item }} + dest: /etc/{{ item }} + with_lines: + - cd /usr/share/openstack && find neutron -type f diff --git a/old/install-files/openstack/usr/share/openstack/neutron-db.yml b/old/install-files/openstack/usr/share/openstack/neutron-db.yml new file mode 100644 index 00000000..fee53315 --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/neutron-db.yml @@ -0,0 +1,51 @@ +--- +- hosts: localhost + vars_files: + - "/etc/openstack/neutron.conf" + tasks: + - name: Create neutron service user in service tenant + keystone_user: + user: "{{ NEUTRON_SERVICE_USER }}" + password: "{{ NEUTRON_SERVICE_PASSWORD }}" + tenant: service + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + + - name: Add admin role to neutron service user in service tenant + keystone_user: + role: admin + user: "{{ NEUTRON_SERVICE_USER }}" + tenant: service + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + + - keystone_service: + name: neutron + type: network + description: Openstack Compute Networking + publicurl: http://{{ ansible_hostname }}:9696 + internalurl: http://{{ CONTROLLER_HOST_ADDRESS }}:9696 + adminurl: http://{{ CONTROLLER_HOST_ADDRESS }}:9696 + region: regionOne + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + + - name: Create postgresql user for neutron + postgresql_user: + name: "{{ NEUTRON_DB_USER }}" + password: "{{ NEUTRON_DB_PASSWORD }}" + sudo: yes + sudo_user: neutron + + - name: Create database for neutron services + postgresql_db: + name: neutron + owner: "{{ NEUTRON_DB_USER }}" + sudo: yes + sudo_user: neutron + + - name: Initiate neutron database + shell: | + neutron-db-manage \ + --config-file /etc/neutron/neutron.conf \ + --config-file /etc/neutron/plugins/ml2/ml2_conf.ini \ + upgrade head + sudo: yes + sudo_user: neutron diff --git a/old/install-files/openstack/usr/share/openstack/neutron/dhcp_agent.ini b/old/install-files/openstack/usr/share/openstack/neutron/dhcp_agent.ini new file mode 100644 index 00000000..1ab4c806 --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/neutron/dhcp_agent.ini @@ -0,0 +1,89 @@ +[DEFAULT] +# Show debugging output in log (sets DEBUG log level output) +# debug = False + +# The DHCP agent will resync its state with Neutron to recover from any +# transient notification or rpc errors. The interval is number of +# seconds between attempts. +# resync_interval = 5 + +# The DHCP agent requires an interface driver be set. Choose the one that best +# matches your plugin. +# interface_driver = + +# Example of interface_driver option for OVS based plugins(OVS, Ryu, NEC, NVP, +# BigSwitch/Floodlight) +interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver + +# Name of Open vSwitch bridge to use +# ovs_integration_bridge = br-int + +# Use veth for an OVS interface or not. +# Support kernels with limited namespace support +# (e.g. RHEL 6.5) so long as ovs_use_veth is set to True. +# ovs_use_veth = False + +# Example of interface_driver option for LinuxBridge +# interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver + +# The agent can use other DHCP drivers. Dnsmasq is the simplest and requires +# no additional setup of the DHCP server. +dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq + +# Allow overlapping IP (Must have kernel build with CONFIG_NET_NS=y and +# iproute2 package that supports namespaces). This option is deprecated and +# will be removed in a future release, at which point the old behavior of +# use_namespaces = True will be enforced. +# use_namespaces = True + +# The DHCP server can assist with providing metadata support on isolated +# networks. Setting this value to True will cause the DHCP server to append +# specific host routes to the DHCP request. The metadata service will only +# be activated when the subnet does not contain any router port. The guest +# instance must be configured to request host routes via DHCP (Option 121). +enable_isolated_metadata = True + +# Allows for serving metadata requests coming from a dedicated metadata +# access network whose cidr is 169.254.169.254/16 (or larger prefix), and +# is connected to a Neutron router from which the VMs send metadata +# request. In this case DHCP Option 121 will not be injected in VMs, as +# they will be able to reach 169.254.169.254 through a router. +# This option requires enable_isolated_metadata = True +# enable_metadata_network = False + +# Number of threads to use during sync process. Should not exceed connection +# pool size configured on server. +# num_sync_threads = 4 + +# Location to store DHCP server config files +# dhcp_confs = $state_path/dhcp + +# Domain to use for building the hostnames +# dhcp_domain = openstacklocal + +# Override the default dnsmasq settings with this file +dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf + +# Comma-separated list of DNS servers which will be used by dnsmasq +# as forwarders. +# dnsmasq_dns_servers = + +# Limit number of leases to prevent a denial-of-service. +# dnsmasq_lease_max = 16777216 + +# Location to DHCP lease relay UNIX domain socket +# dhcp_lease_relay_socket = $state_path/dhcp/lease_relay + +# Use broadcast in DHCP replies +# dhcp_broadcast_reply = False + +# dhcp_delete_namespaces, which is True by default, can be set to False if +# namespaces can't be deleted cleanly on the host running the DHCP agent. +# Disable this if you hit the issue in +# https://bugs.launchpad.net/neutron/+bug/1052535 or if +# you are sure that your version of iproute suffers from the problem. +# dhcp_delete_namespaces = True + +# Timeout for ovs-vsctl commands. +# If the timeout expires, ovs commands will fail with ALARMCLOCK error. +# ovs_vsctl_timeout = 10 diff --git a/old/install-files/openstack/usr/share/openstack/neutron/l3_agent.ini b/old/install-files/openstack/usr/share/openstack/neutron/l3_agent.ini new file mode 100644 index 00000000..bc1321e4 --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/neutron/l3_agent.ini @@ -0,0 +1,121 @@ +[DEFAULT] +# Show debugging output in log (sets DEBUG log level output) +# debug = False + +# L3 requires that an interface driver be set. Choose the one that best +# matches your plugin. +interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver + +# Example of interface_driver option for OVS based plugins (OVS, Ryu, NEC) +# that supports L3 agent +# interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver + +# Use veth for an OVS interface or not. +# Support kernels with limited namespace support +# (e.g. RHEL 6.5) so long as ovs_use_veth is set to True. +# ovs_use_veth = False + +# Example of interface_driver option for LinuxBridge +# interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver + +# Allow overlapping IP (Must have kernel build with CONFIG_NET_NS=y and +# iproute2 package that supports namespaces). This option is deprecated and +# will be removed in a future release, at which point the old behavior of +# use_namespaces = True will be enforced. +# use_namespaces = True + +# If use_namespaces is set as False then the agent can only configure one router. + +# This is done by setting the specific router_id. +# router_id = + +# When external_network_bridge is set, each L3 agent can be associated +# with no more than one external network. This value should be set to the UUID +# of that external network. To allow L3 agent support multiple external +# networks, both the external_network_bridge and gateway_external_network_id +# must be left empty. +# gateway_external_network_id = + +# With IPv6, the network used for the external gateway does not need +# to have an associated subnet, since the automatically assigned +# link-local address (LLA) can be used. However, an IPv6 gateway address +# is needed for use as the next-hop for the default route. If no IPv6 +# gateway address is configured here, (and only then) the neutron router +# will be configured to get its default route from router advertisements (RAs) +# from the upstream router; in which case the upstream router must also be +# configured to send these RAs. +# The ipv6_gateway, when configured, should be the LLA of the interface +# on the upstream router. If a next-hop using a global unique address (GUA) +# is desired, it needs to be done via a subnet allocated to the network +# and not through this parameter. +# ipv6_gateway = + +# Indicates that this L3 agent should also handle routers that do not have +# an external network gateway configured. This option should be True only +# for a single agent in a Neutron deployment, and may be False for all agents +# if all routers must have an external network gateway +# handle_internal_only_routers = True + +# Name of bridge used for external network traffic. This should be set to +# empty value for the linux bridge. when this parameter is set, each L3 agent +# can be associated with no more than one external network. +external_network_bridge = br-ex + +# TCP Port used by Neutron metadata server +# metadata_port = 9697 + +# Send this many gratuitous ARPs for HA setup. Set it below or equal to 0 +# to disable this feature. +# send_arp_for_ha = 3 + +# seconds between re-sync routers' data if needed +# periodic_interval = 40 + +# seconds to start to sync routers' data after +# starting agent +# periodic_fuzzy_delay = 5 + +# enable_metadata_proxy, which is true by default, can be set to False +# if the Nova metadata server is not available +# enable_metadata_proxy = True + +# Iptables mangle mark used to mark metadata valid requests +# metadata_access_mark = 0x1 + +# Iptables mangle mark used to mark ingress from external network +# external_ingress_mark = 0x2 + +# router_delete_namespaces, which is True by default, can be set to False if +# namespaces can't be deleted cleanly on the host running the L3 agent. +# Disable this if you hit the issue in +# https://bugs.launchpad.net/neutron/+bug/1052535 or if +# you are sure that your version of iproute suffers from the problem. +# If True, namespaces will be deleted when a router is destroyed. +# router_delete_namespaces = True + +# Timeout for ovs-vsctl commands. +# If the timeout expires, ovs commands will fail with ALARMCLOCK error. +# ovs_vsctl_timeout = 10 + +# The working mode for the agent. Allowed values are: +# - legacy: this preserves the existing behavior where the L3 agent is +# deployed on a centralized networking node to provide L3 services +# like DNAT, and SNAT. Use this mode if you do not want to adopt DVR. +# - dvr: this mode enables DVR functionality, and must be used for an L3 +# agent that runs on a compute host. +# - dvr_snat: this enables centralized SNAT support in conjunction with +# DVR. This mode must be used for an L3 agent running on a centralized +# node (or in single-host deployments, e.g. devstack). +# agent_mode = legacy + +# Location to store keepalived and all HA configurations +# ha_confs_path = $state_path/ha_confs + +# VRRP authentication type AH/PASS +# ha_vrrp_auth_type = PASS + +# VRRP authentication password +# ha_vrrp_auth_password = + +# The advertisement interval in seconds +# ha_vrrp_advert_int = 2 diff --git a/old/install-files/openstack/usr/share/openstack/neutron/metadata_agent.ini b/old/install-files/openstack/usr/share/openstack/neutron/metadata_agent.ini new file mode 100644 index 00000000..ee89c943 --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/neutron/metadata_agent.ini @@ -0,0 +1,68 @@ +[DEFAULT] +# Show debugging output in log (sets DEBUG log level output) +# debug = True + +# The Neutron user information for accessing the Neutron API. +auth_url = http://{{ CONTROLLER_HOST_ADDRESS }}:5000/v2.0 +auth_region = regionOne +# Turn off verification of the certificate for ssl +# auth_insecure = False +# Certificate Authority public key (CA cert) file for ssl +# auth_ca_cert = +admin_tenant_name = service +admin_user = {{ NEUTRON_SERVICE_USER }} +admin_password = {{ NEUTRON_SERVICE_PASSWORD }} + +# Network service endpoint type to pull from the keystone catalog +# endpoint_type = adminURL + +# IP address used by Nova metadata server +nova_metadata_ip = {{ CONTROLLER_HOST_ADDRESS }} + +# TCP Port used by Nova metadata server +# nova_metadata_port = 8775 + +# Which protocol to use for requests to Nova metadata server, http or https +# nova_metadata_protocol = http + +# Whether insecure SSL connection should be accepted for Nova metadata server +# requests +# nova_metadata_insecure = False + +# Client certificate for nova api, needed when nova api requires client +# certificates +# nova_client_cert = + +# Private key for nova client certificate +# nova_client_priv_key = + +# When proxying metadata requests, Neutron signs the Instance-ID header with a +# shared secret to prevent spoofing. You may select any string for a secret, +# but it must match here and in the configuration used by the Nova Metadata +# Server. NOTE: Nova uses the same config key, but in [neutron] section. +metadata_proxy_shared_secret = {{ METADATA_PROXY_SHARED_SECRET }} + +# Location of Metadata Proxy UNIX domain socket +# metadata_proxy_socket = $state_path/metadata_proxy + +# Metadata Proxy UNIX domain socket mode, 3 values allowed: +# 'deduce': deduce mode from metadata_proxy_user/group values, +# 'user': set metadata proxy socket mode to 0o644, to use when +# metadata_proxy_user is agent effective user or root, +# 'group': set metadata proxy socket mode to 0o664, to use when +# metadata_proxy_group is agent effective group, +# 'all': set metadata proxy socket mode to 0o666, to use otherwise. +# metadata_proxy_socket_mode = deduce + +# Number of separate worker processes for metadata server. Defaults to +# half the number of CPU cores +# metadata_workers = + +# Number of backlog requests to configure the metadata server socket with +# metadata_backlog = 4096 + +# URL to connect to the cache backend. +# default_ttl=0 parameter will cause cache entries to never expire. +# Otherwise default_ttl specifies time in seconds a cache entry is valid for. +# No cache is used in case no value is passed. +# cache_url = memory://?default_ttl=5 diff --git a/old/install-files/openstack/usr/share/openstack/neutron/neutron.conf b/old/install-files/openstack/usr/share/openstack/neutron/neutron.conf new file mode 100644 index 00000000..33c6398a --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/neutron/neutron.conf @@ -0,0 +1,1027 @@ +[DEFAULT] +# Print more verbose output (set logging level to INFO instead of default WARNING level). +# verbose = False + +# =========Start Global Config Option for Distributed L3 Router=============== +# Setting the "router_distributed" flag to "True" will default to the creation +# of distributed tenant routers. The admin can override this flag by specifying +# the type of the router on the create request (admin-only attribute). Default +# value is "False" to support legacy mode (centralized) routers. +# +# router_distributed = False +# +# ===========End Global Config Option for Distributed L3 Router=============== + +# Print debugging output (set logging level to DEBUG instead of default WARNING level). +# debug = False + +# Where to store Neutron state files. This directory must be writable by the +# user executing the agent. +# state_path = /var/lib/neutron + +# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s +# log_date_format = %Y-%m-%d %H:%M:%S + +# use_syslog -> syslog +# log_file and log_dir -> log_dir/log_file +# (not log_file) and log_dir -> log_dir/{binary_name}.log +# use_stderr -> stderr +# (not user_stderr) and (not log_file) -> stdout +# publish_errors -> notification system + +use_syslog = True +# syslog_log_facility = LOG_USER + +# use_stderr = True +# log_file = +# log_dir = + +# publish_errors = False + +# Address to bind the API server to +# bind_host = 0.0.0.0 + +# Port the bind the API server to +# bind_port = 9696 + +# Path to the extensions. Note that this can be a colon-separated list of +# paths. For example: +# api_extensions_path = extensions:/path/to/more/extensions:/even/more/extensions +# The __path__ of neutron.extensions is appended to this, so if your +# extensions are in there you don't need to specify them here +# api_extensions_path = + +# (StrOpt) Neutron core plugin entrypoint to be loaded from the +# neutron.core_plugins namespace. See setup.cfg for the entrypoint names of the +# plugins included in the neutron source distribution. For compatibility with +# previous versions, the class name of a plugin can be specified instead of its +# entrypoint name. +# +core_plugin = ml2 +# Example: core_plugin = ml2 + +# (ListOpt) List of service plugin entrypoints to be loaded from the +# neutron.service_plugins namespace. See setup.cfg for the entrypoint names of +# the plugins included in the neutron source distribution. For compatibility +# with previous versions, the class name of a plugin can be specified instead +# of its entrypoint name. +# +service_plugins = router +# Example: service_plugins = router,firewall,lbaas,vpnaas,metering + +# Paste configuration file +# api_paste_config = api-paste.ini + +# (StrOpt) Hostname to be used by the neutron server, agents and services +# running on this machine. All the agents and services running on this machine +# must use the same host value. +# The default value is hostname of the machine. +# +# host = + +# The strategy to be used for auth. +# Supported values are 'keystone'(default), 'noauth'. +auth_strategy = keystone + +# Base MAC address. The first 3 octets will remain unchanged. If the +# 4h octet is not 00, it will also be used. The others will be +# randomly generated. +# 3 octet +# base_mac = fa:16:3e:00:00:00 +# 4 octet +# base_mac = fa:16:3e:4f:00:00 + +# DVR Base MAC address. The first 3 octets will remain unchanged. If the +# 4th octet is not 00, it will also be used. The others will be randomly +# generated. The 'dvr_base_mac' *must* be different from 'base_mac' to +# avoid mixing them up with MAC's allocated for tenant ports. +# A 4 octet example would be dvr_base_mac = fa:16:3f:4f:00:00 +# The default is 3 octet +# dvr_base_mac = fa:16:3f:00:00:00 + +# Maximum amount of retries to generate a unique MAC address +# mac_generation_retries = 16 + +# DHCP Lease duration (in seconds). Use -1 to +# tell dnsmasq to use infinite lease times. +# dhcp_lease_duration = 86400 + +# Allow sending resource operation notification to DHCP agent +# dhcp_agent_notification = True + +# Enable or disable bulk create/update/delete operations +# allow_bulk = True +# Enable or disable pagination +# allow_pagination = False +# Enable or disable sorting +# allow_sorting = False +# Enable or disable overlapping IPs for subnets +# Attention: the following parameter MUST be set to False if Neutron is +# being used in conjunction with nova security groups +allow_overlapping_ips = True +# Ensure that configured gateway is on subnet. For IPv6, validate only if +# gateway is not a link local address. Deprecated, to be removed during the +# K release, at which point the check will be mandatory. +# force_gateway_on_subnet = True + +# Default maximum number of items returned in a single response, +# value == infinite and value < 0 means no max limit, and value must +# be greater than 0. If the number of items requested is greater than +# pagination_max_limit, server will just return pagination_max_limit +# of number of items. +# pagination_max_limit = -1 + +# Maximum number of DNS nameservers per subnet +# max_dns_nameservers = 5 + +# Maximum number of host routes per subnet +# max_subnet_host_routes = 20 + +# Maximum number of fixed ips per port +# max_fixed_ips_per_port = 5 + +# Maximum number of routes per router +# max_routes = 30 + +# Default Subnet Pool to be used for IPv4 subnet-allocation. +# Specifies by UUID the pool to be used in case of subnet-create being called +# without a subnet-pool ID. The default of None means that no pool will be +# used unless passed explicitly to subnet create. If no pool is used, then a +# CIDR must be passed to create a subnet and that subnet will not be allocated +# from any pool; it will be considered part of the tenant's private address +# space. +# default_ipv4_subnet_pool = + +# Default Subnet Pool to be used for IPv6 subnet-allocation. +# Specifies by UUID the pool to be used in case of subnet-create being +# called without a subnet-pool ID. Set to "prefix_delegation" +# to enable IPv6 Prefix Delegation in a PD-capable environment. +# See the description for default_ipv4_subnet_pool for more information. +# default_ipv6_subnet_pool = + +# =========== items for MTU selection and advertisement ============= +# Advertise MTU. If True, effort is made to advertise MTU +# settings to VMs via network methods (ie. DHCP and RA MTU options) +# when the network's preferred MTU is known. +# advertise_mtu = False +# ======== end of items for MTU selection and advertisement ========= + +# =========== items for agent management extension ============= +# Seconds to regard the agent as down; should be at least twice +# report_interval, to be sure the agent is down for good +# agent_down_time = 75 +# =========== end of items for agent management extension ===== + +# =========== items for agent scheduler extension ============= +# Driver to use for scheduling network to DHCP agent +# network_scheduler_driver = neutron.scheduler.dhcp_agent_scheduler.ChanceScheduler +# Driver to use for scheduling router to a default L3 agent +# router_scheduler_driver = neutron.scheduler.l3_agent_scheduler.ChanceScheduler +# Driver to use for scheduling a loadbalancer pool to an lbaas agent +# loadbalancer_pool_scheduler_driver = neutron.services.loadbalancer.agent_scheduler.ChanceScheduler + +# (StrOpt) Representing the resource type whose load is being reported by +# the agent. +# This can be 'networks','subnets' or 'ports'. When specified (Default is networks), +# the server will extract particular load sent as part of its agent configuration object +# from the agent report state, which is the number of resources being consumed, at +# every report_interval. +# dhcp_load_type can be used in combination with network_scheduler_driver = +# neutron.scheduler.dhcp_agent_scheduler.WeightScheduler +# When the network_scheduler_driver is WeightScheduler, dhcp_load_type can +# be configured to represent the choice for the resource being balanced. +# Example: dhcp_load_type = networks +# Values: +# networks - number of networks hosted on the agent +# subnets - number of subnets associated with the networks hosted on the agent +# ports - number of ports associated with the networks hosted on the agent +# dhcp_load_type = networks + +# Allow auto scheduling networks to DHCP agent. It will schedule non-hosted +# networks to first DHCP agent which sends get_active_networks message to +# neutron server +# network_auto_schedule = True + +# Allow auto scheduling routers to L3 agent. It will schedule non-hosted +# routers to first L3 agent which sends sync_routers message to neutron server +# router_auto_schedule = True + +# Allow automatic rescheduling of routers from dead L3 agents with +# admin_state_up set to True to alive agents. +# allow_automatic_l3agent_failover = False + +# Allow automatic removal of networks from dead DHCP agents with +# admin_state_up set to True. +# Networks could then be rescheduled if network_auto_schedule is True +# allow_automatic_dhcp_failover = True + +# Number of DHCP agents scheduled to host a tenant network. +# If this number is greater than 1, the scheduler automatically +# assigns multiple DHCP agents for a given tenant network, +# providing high availability for DHCP service. +# dhcp_agents_per_network = 1 + +# Enable services on agents with admin_state_up False. +# If this option is False, when admin_state_up of an agent is turned to +# False, services on it will be disabled. If this option is True, services +# on agents with admin_state_up False keep available and manual scheduling +# to such agents is available. Agents with admin_state_up False are not +# selected for automatic scheduling regardless of this option. +# enable_services_on_agents_with_admin_state_down = False + +# =========== end of items for agent scheduler extension ===== + +# =========== items for l3 extension ============== +# Enable high availability for virtual routers. +# l3_ha = False +# +# Maximum number of l3 agents which a HA router will be scheduled on. If it +# is set to 0 the router will be scheduled on every agent. +# max_l3_agents_per_router = 3 +# +# Minimum number of l3 agents which a HA router will be scheduled on. The +# default value is 2. +# min_l3_agents_per_router = 2 +# +# CIDR of the administrative network if HA mode is enabled +# l3_ha_net_cidr = 169.254.192.0/18 +# +# Enable snat by default on external gateway when available +# enable_snat_by_default = True +# =========== end of items for l3 extension ======= + +# =========== items for metadata proxy configuration ============== +# User (uid or name) running metadata proxy after its initialization +# (if empty: agent effective user) +# metadata_proxy_user = + +# Group (gid or name) running metadata proxy after its initialization +# (if empty: agent effective group) +# metadata_proxy_group = + +# Enable/Disable log watch by metadata proxy, it should be disabled when +# metadata_proxy_user/group is not allowed to read/write its log file and +# 'copytruncate' logrotate option must be used if logrotate is enabled on +# metadata proxy log files. Option default value is deduced from +# metadata_proxy_user: watch log is enabled if metadata_proxy_user is agent +# effective user id/name. +# metadata_proxy_watch_log = + +# Location of Metadata Proxy UNIX domain socket +# metadata_proxy_socket = $state_path/metadata_proxy +# =========== end of items for metadata proxy configuration ============== + +# ========== items for VLAN trunking networks ========== +# Setting this flag to True will allow plugins that support it to +# create VLAN transparent networks. This flag has no effect for +# plugins that do not support VLAN transparent networks. +# vlan_transparent = False +# ========== end of items for VLAN trunking networks ========== + +# =========== WSGI parameters related to the API server ============== +# Number of separate worker processes to spawn. The default, 0, runs the +# worker thread in the current process. Greater than 0 launches that number of +# child processes as workers. The parent process manages them. +# api_workers = 0 + +# Number of separate RPC worker processes to spawn. The default, 0, runs the +# worker thread in the current process. Greater than 0 launches that number of +# child processes as RPC workers. The parent process manages them. +# This feature is experimental until issues are addressed and testing has been +# enabled for various plugins for compatibility. +# rpc_workers = 0 + +# Timeout for client connections socket operations. If an +# incoming connection is idle for this number of seconds it +# will be closed. A value of '0' means wait forever. (integer +# value) +# client_socket_timeout = 900 + +# wsgi keepalive option. Determines if connections are allowed to be held open +# by clients after a request is fulfilled. A value of False will ensure that +# the socket connection will be explicitly closed once a response has been +# sent to the client. +# wsgi_keep_alive = True + +# Sets the value of TCP_KEEPIDLE in seconds to use for each server socket when +# starting API server. Not supported on OS X. +# tcp_keepidle = 600 + +# Number of seconds to keep retrying to listen +# retry_until_window = 30 + +# Number of backlog requests to configure the socket with. +# backlog = 4096 + +# Max header line to accommodate large tokens +# max_header_line = 16384 + +# Enable SSL on the API server +# use_ssl = False + +# Certificate file to use when starting API server securely +# ssl_cert_file = /path/to/certfile + +# Private key file to use when starting API server securely +# ssl_key_file = /path/to/keyfile + +# CA certificate file to use when starting API server securely to +# verify connecting clients. This is an optional parameter only required if +# API clients need to authenticate to the API server using SSL certificates +# signed by a trusted CA +# ssl_ca_file = /path/to/cafile +# ======== end of WSGI parameters related to the API server ========== + +# ======== neutron nova interactions ========== +# Send notification to nova when port status is active. +notify_nova_on_port_status_changes = True + +# Send notifications to nova when port data (fixed_ips/floatingips) change +# so nova can update it's cache. +notify_nova_on_port_data_changes = True + +# URL for connection to nova (Only supports one nova region currently). +nova_url = http://{{ CONTROLLER_HOST_ADDRESS }}:8774/v2 + +# Name of nova region to use. Useful if keystone manages more than one region +# nova_region_name = + +# Username for connection to nova in admin context +# nova_admin_username = + +# The uuid of the admin nova tenant +# nova_admin_tenant_id = + +# The name of the admin nova tenant. If the uuid of the admin nova tenant +# is set, this is optional. Useful for cases where the uuid of the admin +# nova tenant is not available when configuration is being done. +# nova_admin_tenant_name = + +# Password for connection to nova in admin context. +# nova_admin_password = + +# Authorization URL for connection to nova in admin context. +# nova_admin_auth_url = + +# CA file for novaclient to verify server certificates +# nova_ca_certificates_file = + +# Boolean to control ignoring SSL errors on the nova url +# nova_api_insecure = False + +# Number of seconds between sending events to nova if there are any events to send +# send_events_interval = 2 + +# ======== end of neutron nova interactions ========== + +# +# Options defined in oslo.messaging +# + +# Use durable queues in amqp. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_durable_queues +# amqp_durable_queues=false + +# Auto-delete queues in amqp. (boolean value) +# amqp_auto_delete=false + +# Size of RPC connection pool. (integer value) +# rpc_conn_pool_size=30 + +# Qpid broker hostname. (string value) +# qpid_hostname=localhost + +# Qpid broker port. (integer value) +# qpid_port=5672 + +# Qpid HA cluster host:port pairs. (list value) +# qpid_hosts=$qpid_hostname:$qpid_port + +# Username for Qpid connection. (string value) +# qpid_username= + +# Password for Qpid connection. (string value) +# qpid_password= + +# Space separated list of SASL mechanisms to use for auth. +# (string value) +# qpid_sasl_mechanisms= + +# Seconds between connection keepalive heartbeats. (integer +# value) +# qpid_heartbeat=60 + +# Transport to use, either 'tcp' or 'ssl'. (string value) +# qpid_protocol=tcp + +# Whether to disable the Nagle algorithm. (boolean value) +# qpid_tcp_nodelay=true + +# The qpid topology version to use. Version 1 is what was +# originally used by impl_qpid. Version 2 includes some +# backwards-incompatible changes that allow broker federation +# to work. Users should update to version 2 when they are +# able to take everything down, as it requires a clean break. +# (integer value) +# qpid_topology_version=1 + +# SSL version to use (valid only if SSL enabled). valid values +# are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some +# distributions. (string value) +# kombu_ssl_version= + +# SSL key file (valid only if SSL enabled). (string value) +# kombu_ssl_keyfile= + +# SSL cert file (valid only if SSL enabled). (string value) +# kombu_ssl_certfile= + +# SSL certification authority file (valid only if SSL +# enabled). (string value) +# kombu_ssl_ca_certs= + +# How long to wait before reconnecting in response to an AMQP +# consumer cancel notification. (floating point value) +# kombu_reconnect_delay=1.0 + +# The RabbitMQ broker address where a single node is used. +# (string value) +# rabbit_host=localhost + +# The RabbitMQ broker port where a single node is used. +# (integer value) +# rabbit_port =5672 + +# RabbitMQ HA cluster host:port pairs. (list value) +# rabbit_hosts=$rabbit_host:$rabbit_port + +# Connect over SSL for RabbitMQ. (boolean value) +# rabbit_use_ssl=false + +# The RabbitMQ userid. (string value) +# rabbit_userid=guest + +# The RabbitMQ password. (string value) +# rabbit_password=guest + +# the RabbitMQ login method (string value) +# rabbit_login_method=AMQPLAIN + +# The RabbitMQ virtual host. (string value) +# rabbit_virtual_host=/ + +# How frequently to retry connecting with RabbitMQ. (integer +# value) +# rabbit_retry_interval=1 + +# How long to backoff for between retries when connecting to +# RabbitMQ. (integer value) +# rabbit_retry_backoff=2 + +# Maximum number of RabbitMQ connection retries. Default is 0 +# (infinite retry count). (integer value) +# rabbit_max_retries=0 + +# Use HA queues in RabbitMQ (x-ha-policy: all). If you change +# this option, you must wipe the RabbitMQ database. (boolean +# value) +# rabbit_ha_queues=false + +# If passed, use a fake RabbitMQ provider. (boolean value) +# fake_rabbit=false + +# ZeroMQ bind address. Should be a wildcard (*), an ethernet +# interface, or IP. The "host" option should point or resolve +# to this address. (string value) +# rpc_zmq_bind_address=* + +# MatchMaker driver. (string value) +# rpc_zmq_matchmaker=oslo.messaging._drivers.matchmaker.MatchMakerLocalhost + +# ZeroMQ receiver listening port. (integer value) +# rpc_zmq_port=9501 + +# Number of ZeroMQ contexts, defaults to 1. (integer value) +# rpc_zmq_contexts=1 + +# Maximum number of ingress messages to locally buffer per +# topic. Default is unlimited. (integer value) +# rpc_zmq_topic_backlog= + +# Directory for holding IPC sockets. (string value) +# rpc_zmq_ipc_dir=/var/run/openstack + +# Name of this node. Must be a valid hostname, FQDN, or IP +# address. Must match "host" option, if running Nova. (string +# value) +# rpc_zmq_host=oslo + +# Seconds to wait before a cast expires (TTL). Only supported +# by impl_zmq. (integer value) +# rpc_cast_timeout=30 + +# Heartbeat frequency. (integer value) +# matchmaker_heartbeat_freq=300 + +# Heartbeat time-to-live. (integer value) +# matchmaker_heartbeat_ttl=600 + +# Size of RPC greenthread pool. (integer value) +# rpc_thread_pool_size=64 + +# Driver or drivers to handle sending notifications. (multi +# valued) +notification_driver = neutron.openstack.common.notifier.rpc_notifier + +# AMQP topic used for OpenStack notifications. (list value) +# Deprecated group/name - [rpc_notifier2]/topics +# notification_topics=notifications + +# Seconds to wait for a response from a call. (integer value) +# rpc_response_timeout=60 + +# A URL representing the messaging driver to use and its full +# configuration. If not set, we fall back to the rpc_backend +# option and driver specific configuration. (string value) +# transport_url= + +# The messaging driver to use, defaults to rabbit. Other +# drivers include qpid and zmq. (string value) +rpc_backend = rabbit + +# The default exchange under which topics are scoped. May be +# overridden by an exchange name specified in the +# transport_url option. (string value) +# control_exchange=openstack + + +[matchmaker_redis] + +# +# Options defined in oslo.messaging +# + +# Host to locate redis. (string value) +# host=127.0.0.1 + +# Use this port to connect to redis host. (integer value) +# port=6379 + +# Password for Redis server (optional). (string value) +# password= + + +[matchmaker_ring] + +# +# Options defined in oslo.messaging +# + +# Matchmaker ring file (JSON). (string value) +# Deprecated group/name - [DEFAULT]/matchmaker_ringfile +# ringfile=/etc/oslo/matchmaker_ring.json + +[quotas] +# Default driver to use for quota checks +# quota_driver = neutron.db.quota_db.DbQuotaDriver + +# Resource name(s) that are supported in quota features +# This option is deprecated for removal in the M release, please refrain from using it +# quota_items = network,subnet,port + +# Default number of resource allowed per tenant. A negative value means +# unlimited. +# default_quota = -1 + +# Number of networks allowed per tenant. A negative value means unlimited. +# quota_network = 10 + +# Number of subnets allowed per tenant. A negative value means unlimited. +# quota_subnet = 10 + +# Number of ports allowed per tenant. A negative value means unlimited. +# quota_port = 50 + +# Number of security groups allowed per tenant. A negative value means +# unlimited. +# quota_security_group = 10 + +# Number of security group rules allowed per tenant. A negative value means +# unlimited. +# quota_security_group_rule = 100 + +# Number of vips allowed per tenant. A negative value means unlimited. +# quota_vip = 10 + +# Number of pools allowed per tenant. A negative value means unlimited. +# quota_pool = 10 + +# Number of pool members allowed per tenant. A negative value means unlimited. +# The default is unlimited because a member is not a real resource consumer +# on Openstack. However, on back-end, a member is a resource consumer +# and that is the reason why quota is possible. +# quota_member = -1 + +# Number of health monitors allowed per tenant. A negative value means +# unlimited. +# The default is unlimited because a health monitor is not a real resource +# consumer on Openstack. However, on back-end, a member is a resource consumer +# and that is the reason why quota is possible. +# quota_health_monitor = -1 + +# Number of loadbalancers allowed per tenant. A negative value means unlimited. +# quota_loadbalancer = 10 + +# Number of listeners allowed per tenant. A negative value means unlimited. +# quota_listener = -1 + +# Number of v2 health monitors allowed per tenant. A negative value means +# unlimited. These health monitors exist under the lbaas v2 API +# quota_healthmonitor = -1 + +# Number of routers allowed per tenant. A negative value means unlimited. +# quota_router = 10 + +# Number of floating IPs allowed per tenant. A negative value means unlimited. +# quota_floatingip = 50 + +# Number of firewalls allowed per tenant. A negative value means unlimited. +# quota_firewall = 1 + +# Number of firewall policies allowed per tenant. A negative value means +# unlimited. +# quota_firewall_policy = 1 + +# Number of firewall rules allowed per tenant. A negative value means +# unlimited. +# quota_firewall_rule = 100 + +[agent] +# Use "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" to use the real +# root filter facility. +# Change to "sudo" to skip the filtering and just run the command directly +root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf + +# Set to true to add comments to generated iptables rules that describe +# each rule's purpose. (System must support the iptables comments module.) +# comment_iptables_rules = True + +# Root helper daemon application to use when possible. +# root_helper_daemon = + +# Use the root helper when listing the namespaces on a system. This may not +# be required depending on the security configuration. If the root helper is +# not required, set this to False for a performance improvement. +# use_helper_for_ns_read = True + +# The interval to check external processes for failure in seconds (0=disabled) +# check_child_processes_interval = 60 + +# Action to take when an external process spawned by an agent dies +# Values: +# respawn - Respawns the external process +# exit - Exits the agent +# check_child_processes_action = respawn + +# =========== items for agent management extension ============= +# seconds between nodes reporting state to server; should be less than +# agent_down_time, best if it is half or less than agent_down_time +# report_interval = 30 + +# =========== end of items for agent management extension ===== + +[keystone_authtoken] +auth_uri = http://{{ CONTROLLER_HOST_ADDRESS }}:5000/v2.0 +identity_uri = http://{{ CONTROLLER_HOST_ADDRESS }}:35357 +admin_tenant_name = service +admin_user = {{ NEUTRON_SERVICE_USER }} +admin_password = {{ NEUTRON_SERVICE_PASSWORD }} + +[database] +# This line MUST be changed to actually run the plugin. +# Example: +# connection = mysql://root:pass@127.0.0.1:3306/neutron +# Replace 127.0.0.1 above with the IP address of the database used by the +# main neutron server. (Leave it as is if the database runs on this host.) +connection=postgresql://{{ NEUTRON_DB_USER }}:{{ NEUTRON_DB_PASSWORD }}@{{ CONTROLLER_HOST_ADDRESS }}/neutron + +# NOTE: In deployment the [database] section and its connection attribute may +# be set in the corresponding core plugin '.ini' file. However, it is suggested +# to put the [database] section and its connection attribute in this +# configuration file. + +# Database engine for which script will be generated when using offline +# migration +# engine = + +# The SQLAlchemy connection string used to connect to the slave database +# slave_connection = + +# Database reconnection retry times - in event connectivity is lost +# set to -1 implies an infinite retry count +# max_retries = 10 + +# Database reconnection interval in seconds - if the initial connection to the +# database fails +# retry_interval = 10 + +# Minimum number of SQL connections to keep open in a pool +# min_pool_size = 1 + +# Maximum number of SQL connections to keep open in a pool +# max_pool_size = 10 + +# Timeout in seconds before idle sql connections are reaped +# idle_timeout = 3600 + +# If set, use this value for max_overflow with sqlalchemy +# max_overflow = 20 + +# Verbosity of SQL debugging information. 0=None, 100=Everything +# connection_debug = 0 + +# Add python stack traces to SQL as comment strings +# connection_trace = False + +# If set, use this value for pool_timeout with sqlalchemy +# pool_timeout = 10 + +[nova] +# Name of the plugin to load +auth_plugin = password + +# Config Section from which to load plugin specific options +# auth_section = + +# PEM encoded Certificate Authority to use when verifying HTTPs connections. +# cafile = + +# PEM encoded client certificate cert file +# certfile = + +# Verify HTTPS connections. +# insecure = False + +# PEM encoded client certificate key file +# keyfile = + +# Name of nova region to use. Useful if keystone manages more than one region. +region_name = regionOne + +# Timeout value for http requests +# timeout = + +# Authorization URL for connection to nova in admin context. +auth_url = http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 + +# Username for connection to nova in admin context +username = {{ NOVA_SERVICE_USER }} + +# Password for connection to nova in admin context. +password = {{ NOVA_SERVICE_PASSWORD }} + +# The uuid of the admin nova tenant +# tenant_id = + +# The name of the admin nova tenant. If the uuid of the admin nova tenant +# is set, this is optional. Useful for cases where the uuid of the admin +# nova tenant is not available when configuration is being done. +tenant_name = service + +[oslo_concurrency] + +# Directory to use for lock files. For security, the specified directory should +# only be writable by the user running the processes that need locking. +# Defaults to environment variable OSLO_LOCK_PATH. If external locks are used, +# a lock path must be set. +lock_path = $state_path/lock + +# Enables or disables inter-process locks. +# disable_process_locking = False + +[oslo_policy] + +# The JSON file that defines policies. +# policy_file = policy.json + +# Default rule. Enforced when a requested rule is not found. +# policy_default_rule = default + +# Directories where policy configuration files are stored. +# They can be relative to any directory in the search path defined by the +# config_dir option, or absolute paths. The file defined by policy_file +# must exist for these directories to be searched. Missing or empty +# directories are ignored. +# policy_dirs = policy.d + +[oslo_messaging_amqp] + +# +# From oslo.messaging +# + +# Address prefix used when sending to a specific server (string value) +# Deprecated group/name - [amqp1]/server_request_prefix +# server_request_prefix = exclusive + +# Address prefix used when broadcasting to all servers (string value) +# Deprecated group/name - [amqp1]/broadcast_prefix +# broadcast_prefix = broadcast + +# Address prefix when sending to any server in group (string value) +# Deprecated group/name - [amqp1]/group_request_prefix +# group_request_prefix = unicast + +# Name for the AMQP container (string value) +# Deprecated group/name - [amqp1]/container_name +# container_name = + +# Timeout for inactive connections (in seconds) (integer value) +# Deprecated group/name - [amqp1]/idle_timeout +# idle_timeout = 0 + +# Debug: dump AMQP frames to stdout (boolean value) +# Deprecated group/name - [amqp1]/trace +# trace = false + +# CA certificate PEM file for verifing server certificate (string value) +# Deprecated group/name - [amqp1]/ssl_ca_file +# ssl_ca_file = + +# Identifying certificate PEM file to present to clients (string value) +# Deprecated group/name - [amqp1]/ssl_cert_file +# ssl_cert_file = + +# Private key PEM file used to sign cert_file certificate (string value) +# Deprecated group/name - [amqp1]/ssl_key_file +# ssl_key_file = + +# Password for decrypting ssl_key_file (if encrypted) (string value) +# Deprecated group/name - [amqp1]/ssl_key_password +# ssl_key_password = + +# Accept clients using either SSL or plain TCP (boolean value) +# Deprecated group/name - [amqp1]/allow_insecure_clients +# allow_insecure_clients = false + + +[oslo_messaging_qpid] + +# +# From oslo.messaging +# + +# Use durable queues in AMQP. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_durable_queues +# amqp_durable_queues = false + +# Auto-delete queues in AMQP. (boolean value) +# Deprecated group/name - [DEFAULT]/amqp_auto_delete +# amqp_auto_delete = false + +# Size of RPC connection pool. (integer value) +# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size +# rpc_conn_pool_size = 30 + +# Qpid broker hostname. (string value) +# Deprecated group/name - [DEFAULT]/qpid_hostname +# qpid_hostname = localhost + +# Qpid broker port. (integer value) +# Deprecated group/name - [DEFAULT]/qpid_port +# qpid_port = 5672 + +# Qpid HA cluster host:port pairs. (list value) +# Deprecated group/name - [DEFAULT]/qpid_hosts +# qpid_hosts = $qpid_hostname:$qpid_port + +# Username for Qpid connection. (string value) +# Deprecated group/name - [DEFAULT]/qpid_username +# qpid_username = + +# Password for Qpid connection. (string value) +# Deprecated group/name - [DEFAULT]/qpid_password +# qpid_password = + +# Space separated list of SASL mechanisms to use for auth. (string value) +# Deprecated group/name - [DEFAULT]/qpid_sasl_mechanisms +# qpid_sasl_mechanisms = + +# Seconds between connection keepalive heartbeats. (integer value) +# Deprecated group/name - [DEFAULT]/qpid_heartbeat +# qpid_heartbeat = 60 + +# Transport to use, either 'tcp' or 'ssl'. (string value) +# Deprecated group/name - [DEFAULT]/qpid_protocol +# qpid_protocol = tcp + +# Whether to disable the Nagle algorithm. (boolean value) +# Deprecated group/name - [DEFAULT]/qpid_tcp_nodelay +# qpid_tcp_nodelay = true + +# The number of prefetched messages held by receiver. (integer value) +# Deprecated group/name - [DEFAULT]/qpid_receiver_capacity +# qpid_receiver_capacity = 1 + +# The qpid topology version to use. Version 1 is what was originally used by +# impl_qpid. Version 2 includes some backwards-incompatible changes that allow +# broker federation to work. Users should update to version 2 when they are +# able to take everything down, as it requires a clean break. (integer value) +# Deprecated group/name - [DEFAULT]/qpid_topology_version +# qpid_topology_version = 1 + + +[oslo_messaging_rabbit] + +# +# From oslo.messaging +# + +# Use durable queues in AMQP. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_durable_queues +# amqp_durable_queues = false + +# Auto-delete queues in AMQP. (boolean value) +# Deprecated group/name - [DEFAULT]/amqp_auto_delete +# amqp_auto_delete = false + +# Size of RPC connection pool. (integer value) +# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size +# rpc_conn_pool_size = 30 + +# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and +# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some +# distributions. (string value) +# Deprecated group/name - [DEFAULT]/kombu_ssl_version +# kombu_ssl_version = + +# SSL key file (valid only if SSL enabled). (string value) +# Deprecated group/name - [DEFAULT]/kombu_ssl_keyfile +# kombu_ssl_keyfile = + +# SSL cert file (valid only if SSL enabled). (string value) +# Deprecated group/name - [DEFAULT]/kombu_ssl_certfile +# kombu_ssl_certfile = + +# SSL certification authority file (valid only if SSL enabled). (string value) +# Deprecated group/name - [DEFAULT]/kombu_ssl_ca_certs +# kombu_ssl_ca_certs = + +# How long to wait before reconnecting in response to an AMQP consumer cancel +# notification. (floating point value) +# Deprecated group/name - [DEFAULT]/kombu_reconnect_delay +# kombu_reconnect_delay = 1.0 + +# The RabbitMQ broker address where a single node is used. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_host +rabbit_host = {{ RABBITMQ_HOST }} + +# The RabbitMQ broker port where a single node is used. (integer value) +# Deprecated group/name - [DEFAULT]/rabbit_port +rabbit_port = {{ RABBITMQ_PORT }} + +# RabbitMQ HA cluster host:port pairs. (list value) +# Deprecated group/name - [DEFAULT]/rabbit_hosts +# rabbit_hosts = $rabbit_host:$rabbit_port + +# Connect over SSL for RabbitMQ. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_use_ssl +# rabbit_use_ssl = false + +# The RabbitMQ userid. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_userid +rabbit_userid = {{ RABBITMQ_USER }} + +# The RabbitMQ password. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_password +rabbit_password = {{ RABBITMQ_PASSWORD }} + +# The RabbitMQ login method. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_login_method +# rabbit_login_method = AMQPLAIN + +# The RabbitMQ virtual host. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_virtual_host +# rabbit_virtual_host = / + +# How frequently to retry connecting with RabbitMQ. (integer value) +# rabbit_retry_interval = 1 + +# How long to backoff for between retries when connecting to RabbitMQ. (integer +# value) +# Deprecated group/name - [DEFAULT]/rabbit_retry_backoff +# rabbit_retry_backoff = 2 + +# Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry +# count). (integer value) +# Deprecated group/name - [DEFAULT]/rabbit_max_retries +# rabbit_max_retries = 0 + +# Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you +# must wipe the RabbitMQ database. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_ha_queues +# rabbit_ha_queues = false + +# Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake (boolean value) +# Deprecated group/name - [DEFAULT]/fake_rabbit +# fake_rabbit = false diff --git a/old/install-files/openstack/usr/share/openstack/neutron/plugins/ml2/ml2_conf.ini b/old/install-files/openstack/usr/share/openstack/neutron/plugins/ml2/ml2_conf.ini new file mode 100644 index 00000000..3258a40f --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/neutron/plugins/ml2/ml2_conf.ini @@ -0,0 +1,113 @@ +[ml2] +# (ListOpt) List of network type driver entrypoints to be loaded from +# the neutron.ml2.type_drivers namespace. +# +type_drivers = flat,gre +# Example: type_drivers = flat,vlan,gre,vxlan + +# (ListOpt) Ordered list of network_types to allocate as tenant +# networks. The default value 'local' is useful for single-box testing +# but provides no connectivity between hosts. +# +tenant_network_types = gre +# Example: tenant_network_types = vlan,gre,vxlan + +# (ListOpt) Ordered list of networking mechanism driver entrypoints +# to be loaded from the neutron.ml2.mechanism_drivers namespace. +mechanism_drivers = openvswitch +# Example: mechanism_drivers = openvswitch,mlnx +# Example: mechanism_drivers = arista +# Example: mechanism_drivers = cisco,logger +# Example: mechanism_drivers = openvswitch,brocade +# Example: mechanism_drivers = linuxbridge,brocade + +# (ListOpt) Ordered list of extension driver entrypoints +# to be loaded from the neutron.ml2.extension_drivers namespace. +# extension_drivers = +# Example: extension_drivers = anewextensiondriver + +# =========== items for MTU selection and advertisement ============= +# (IntOpt) Path MTU. The maximum permissible size of an unfragmented +# packet travelling from and to addresses where encapsulated Neutron +# traffic is sent. Drivers calculate maximum viable MTU for +# validating tenant requests based on this value (typically, +# path_mtu - max encap header size). If <=0, the path MTU is +# indeterminate and no calculation takes place. +# path_mtu = 0 + +# (IntOpt) Segment MTU. The maximum permissible size of an +# unfragmented packet travelling a L2 network segment. If <=0, +# the segment MTU is indeterminate and no calculation takes place. +# segment_mtu = 0 + +# (ListOpt) Physical network MTUs. List of mappings of physical +# network to MTU value. The format of the mapping is +# <physnet>:<mtu val>. This mapping allows specifying a +# physical network MTU value that differs from the default +# segment_mtu value. +# physical_network_mtus = +# Example: physical_network_mtus = physnet1:1550, physnet2:1500 +# ======== end of items for MTU selection and advertisement ========= + +# (StrOpt) Default network type for external networks when no provider +# attributes are specified. By default it is None, which means that if +# provider attributes are not specified while creating external networks +# then they will have the same type as tenant networks. +# Allowed values for external_network_type config option depend on the +# network type values configured in type_drivers config option. +# external_network_type = +# Example: external_network_type = local + +[ml2_type_flat] +# (ListOpt) List of physical_network names with which flat networks +# can be created. Use * to allow flat networks with arbitrary +# physical_network names. +# +flat_networks = External +# Example:flat_networks = physnet1,physnet2 +# Example:flat_networks = * + +[ml2_type_vlan] +# (ListOpt) List of <physical_network>[:<vlan_min>:<vlan_max>] tuples +# specifying physical_network names usable for VLAN provider and +# tenant networks, as well as ranges of VLAN tags on each +# physical_network available for allocation as tenant networks. +# +# network_vlan_ranges = +# Example: network_vlan_ranges = physnet1:1000:2999,physnet2 + +[ml2_type_gre] +# (ListOpt) Comma-separated list of <tun_min>:<tun_max> tuples enumerating ranges of GRE tunnel IDs that are available for tenant network allocation +tunnel_id_ranges = 1:1000 + +[ml2_type_vxlan] +# (ListOpt) Comma-separated list of <vni_min>:<vni_max> tuples enumerating +# ranges of VXLAN VNI IDs that are available for tenant network allocation. +# +# vni_ranges = + +# (StrOpt) Multicast group for the VXLAN interface. When configured, will +# enable sending all broadcast traffic to this multicast group. When left +# unconfigured, will disable multicast VXLAN mode. +# +# vxlan_group = +# Example: vxlan_group = 239.1.1.1 + +[securitygroup] +# Controls if neutron security group is enabled or not. +# It should be false when you use nova security group. +enable_security_group = True + +# Use ipset to speed-up the iptables security groups. Enabling ipset support +# requires that ipset is installed on L2 agent node. +enable_ipset = True + +firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver + +[ovs] +local_ip = {{ MANAGEMENT_INTERFACE_IP_ADDRESS }} +enable_tunneling = True +bridge_mappings=External:br-ex + +[agent] +tunnel_types = gre diff --git a/old/install-files/openstack/usr/share/openstack/neutron/plugins/ryu/ryu.ini b/old/install-files/openstack/usr/share/openstack/neutron/plugins/ryu/ryu.ini new file mode 100644 index 00000000..9d9cfa25 --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/neutron/plugins/ryu/ryu.ini @@ -0,0 +1,44 @@ +[ovs] +# integration_bridge = br-int + +# openflow_rest_api = <host IP address of ofp rest api service>:<port: 8080> +# openflow_rest_api = 127.0.0.1:8080 + +# tunnel key range: 0 < tunnel_key_min < tunnel_key_max +# VLAN: 12bits, GRE, VXLAN: 24bits +# tunnel_key_min = 1 +# tunnel_key_max = 0xffffff + +# tunnel_ip = <ip address for tunneling> +# tunnel_interface = interface for tunneling +# when tunnel_ip is NOT specified, ip address is read +# from this interface +# tunnel_ip = +# tunnel_interface = +tunnel_interface = eth0 + +# ovsdb_port = port number on which ovsdb is listening +# ryu-agent uses this parameter to setup ovsdb. +# ovs-vsctl set-manager ptcp:<ovsdb_port> +# See set-manager section of man ovs-vsctl for details. +# currently ptcp is only supported. +# ovsdb_ip = <host IP address on which ovsdb is listening> +# ovsdb_interface = interface for ovsdb +# when ovsdb_addr NOT specifiied, ip address is gotten +# from this interface +# ovsdb_port = 6634 +# ovsdb_ip = +# ovsdb_interface = +ovsdb_interface = eth0 + +[securitygroup] +# Firewall driver for realizing neutron security group function +# firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver + +# Controls if neutron security group is enabled or not. +# It should be false when you use nova security group. +# enable_security_group = True + +[agent] +# Agent's polling interval in seconds +# polling_interval = 2 diff --git a/old/install-files/openstack/usr/share/openstack/nova-config.yml b/old/install-files/openstack/usr/share/openstack/nova-config.yml new file mode 100644 index 00000000..4f43db39 --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/nova-config.yml @@ -0,0 +1,34 @@ +--- +- hosts: localhost + vars_files: + - "/etc/openstack/nova.conf" + tasks: + - name: Create the nova user. + user: + name: nova + comment: Openstack Nova Daemons + shell: /sbin/nologin + home: /var/lib/nova + groups: libvirt + append: yes + + - name: Create the /var folders for nova + file: + path: "{{ item }}" + state: directory + owner: nova + group: nova + with_items: + - /var/run/nova + - /var/lock/nova + - /var/log/nova + - /var/lib/nova + - /var/lib/nova/instances + + - file: path=/etc/nova state=directory + - name: Add the configuration needed for nova in /etc/nova using templates + template: + src: /usr/share/openstack/nova/{{ item }} + dest: /etc/nova/{{ item }} + with_lines: + - cd /usr/share/openstack/nova && find -type f diff --git a/old/install-files/openstack/usr/share/openstack/nova-db.yml b/old/install-files/openstack/usr/share/openstack/nova-db.yml new file mode 100644 index 00000000..0e933ba8 --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/nova-db.yml @@ -0,0 +1,50 @@ +--- +- hosts: localhost + vars_files: + - "/etc/openstack/nova.conf" + tasks: + - name: Create nova service user in service tenant + keystone_user: + user: "{{ NOVA_SERVICE_USER }}" + password: "{{ NOVA_SERVICE_PASSWORD }}" + tenant: service + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + + - name: Assign admin role to nova service user in the service tenant + keystone_user: + role: admin + user: "{{ NOVA_SERVICE_USER }}" + tenant: service + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + + - name: Add nova endpoint + keystone_service: + name: nova + type: compute + description: Openstack Compute Service + publicurl: 'http://{{ ansible_hostname }}:8774/v2/%(tenant_id)s' + internalurl: 'http://{{ CONTROLLER_HOST_ADDRESS }}:8774/v2/%(tenant_id)s' + adminurl: 'http://{{ CONTROLLER_HOST_ADDRESS }}:8774/v2/%(tenant_id)s' + region: 'regionOne' + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + + - name: Create postgresql user for nova + postgresql_user: + name: "{{ NOVA_DB_USER }}" + login_host: "{{ CONTROLLER_HOST_ADDRESS }}" + password: "{{ NOVA_DB_PASSWORD }}" + sudo: yes + sudo_user: nova + + - name: Create database for nova services + postgresql_db: + name: nova + owner: "{{ NOVA_DB_USER }}" + login_host: "{{ CONTROLLER_HOST_ADDRESS }}" + sudo: yes + sudo_user: nova + + - name: Initiate nova database + command: nova-manage db sync + sudo: yes + sudo_user: nova diff --git a/old/install-files/openstack/usr/share/openstack/nova/nova-compute.conf b/old/install-files/openstack/usr/share/openstack/nova/nova-compute.conf new file mode 100644 index 00000000..8d186211 --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/nova/nova-compute.conf @@ -0,0 +1,4 @@ +[DEFAULT] +compute_driver={{ COMPUTE_DRIVER }} +[libvirt] +virt_type={{ NOVA_VIRT_TYPE }} diff --git a/old/install-files/openstack/usr/share/openstack/nova/nova.conf b/old/install-files/openstack/usr/share/openstack/nova/nova.conf new file mode 100644 index 00000000..f2db93fc --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/nova/nova.conf @@ -0,0 +1,4008 @@ +[DEFAULT] + +# +# From oslo.messaging +# + +# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. +# The "host" option should point or resolve to this address. (string value) +#rpc_zmq_bind_address = * + +# MatchMaker driver. (string value) +#rpc_zmq_matchmaker = oslo_messaging._drivers.matchmaker.MatchMakerLocalhost + +# ZeroMQ receiver listening port. (integer value) +#rpc_zmq_port = 9501 + +# Number of ZeroMQ contexts, defaults to 1. (integer value) +#rpc_zmq_contexts = 1 + +# Maximum number of ingress messages to locally buffer per topic. Default is +# unlimited. (integer value) +#rpc_zmq_topic_backlog = <None> + +# Directory for holding IPC sockets. (string value) +#rpc_zmq_ipc_dir = /var/run/openstack + +# Name of this node. Must be a valid hostname, FQDN, or IP address. Must match +# "host" option, if running Nova. (string value) +#rpc_zmq_host = localhost + +# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq. +# (integer value) +#rpc_cast_timeout = 30 + +# Heartbeat frequency. (integer value) +#matchmaker_heartbeat_freq = 300 + +# Heartbeat time-to-live. (integer value) +#matchmaker_heartbeat_ttl = 600 + +# Size of RPC thread pool. (integer value) +#rpc_thread_pool_size = 64 + +# Driver or drivers to handle sending notifications. (multi valued) +notification_driver = messagingv2 + +# AMQP topic used for OpenStack notifications. (list value) +# Deprecated group/name - [rpc_notifier2]/topics +#notification_topics = notifications + +# Seconds to wait for a response from a call. (integer value) +#rpc_response_timeout = 60 + +# A URL representing the messaging driver to use and its full configuration. If +# not set, we fall back to the rpc_backend option and driver specific +# configuration. (string value) +#transport_url = <None> + +# The messaging driver to use, defaults to rabbit. Other drivers include qpid +# and zmq. (string value) +rpc_backend = rabbit + +# The default exchange under which topics are scoped. May be overridden by an +# exchange name specified in the transport_url option. (string value) +#control_exchange = openstack + + +# +# Options defined in nova.availability_zones +# + +# The availability_zone to show internal services under +# (string value) +#internal_service_availability_zone=internal + +# Default compute node availability_zone (string value) +#default_availability_zone=nova + + +# +# Options defined in nova.crypto +# + +# Filename of root CA (string value) +#ca_file=cacert.pem + +# Filename of private key (string value) +#key_file=private/cakey.pem + +# Filename of root Certificate Revocation List (string value) +#crl_file=crl.pem + +# Where we keep our keys (string value) +#keys_path=$state_path/keys + +# Where we keep our root CA (string value) +#ca_path=$state_path/CA + +# Should we use a CA for each project? (boolean value) +#use_project_ca=false + +# Subject for certificate for users, %s for project, user, +# timestamp (string value) +#user_cert_subject=/C=US/ST=California/O=OpenStack/OU=NovaDev/CN=%.16s-%.16s-%s + +# Subject for certificate for projects, %s for project, +# timestamp (string value) +#project_cert_subject=/C=US/ST=California/O=OpenStack/OU=NovaDev/CN=project-ca-%.16s-%s + + +# +# Options defined in nova.exception +# + +# Make exception message format errors fatal (boolean value) +#fatal_exception_format_errors=false + + +# +# Options defined in nova.netconf +# + +# IP address of this host (string value) +my_ip={{ MANAGEMENT_INTERFACE_IP_ADDRESS }} + +# Block storage IP address of this host (string value) +#my_block_storage_ip=$my_ip + +# Name of this node. This can be an opaque identifier. It is +# not necessarily a hostname, FQDN, or IP address. However, +# the node name must be valid within an AMQP key, and if using +# ZeroMQ, a valid hostname, FQDN, or IP address (string value) +#host=nova + +# Use IPv6 (boolean value) +#use_ipv6=false + + +# +# Options defined in nova.notifications +# + +# If set, send compute.instance.update notifications on +# instance state changes. Valid values are None for no +# notifications, "vm_state" for notifications on VM state +# changes, or "vm_and_task_state" for notifications on VM and +# task state changes. (string value) +notify_on_state_change=vm_and_task_state + +# If set, send api.fault notifications on caught exceptions in +# the API service. (boolean value) +#notify_api_faults=false + +# Default notification level for outgoing notifications +# (string value) +#default_notification_level=INFO + +# Default publisher_id for outgoing notifications (string +# value) +#default_publisher_id=<None> + + +# +# Options defined in nova.paths +# + +# Directory where the nova python module is installed (string +# value) +#pybasedir=/usr/lib/python/site-packages + +# Directory where nova binaries are installed (string value) +#bindir=/usr/local/bin + +# Top-level directory for maintaining nova's state (string +# value) +state_path=/var/lib/nova + + +# +# Options defined in nova.quota +# + +# Number of instances allowed per project (integer value) +#quota_instances=10 + +# Number of instance cores allowed per project (integer value) +#quota_cores=20 + +# Megabytes of instance RAM allowed per project (integer +# value) +#quota_ram=51200 + +# Number of floating IPs allowed per project (integer value) +#quota_floating_ips=10 + +# Number of fixed IPs allowed per project (this should be at +# least the number of instances allowed) (integer value) +#quota_fixed_ips=-1 + +# Number of metadata items allowed per instance (integer +# value) +#quota_metadata_items=128 + +# Number of injected files allowed (integer value) +#quota_injected_files=5 + +# Number of bytes allowed per injected file (integer value) +#quota_injected_file_content_bytes=10240 + +# Length of injected file path (integer value) +#quota_injected_file_path_length=255 + +# Number of security groups per project (integer value) +#quota_security_groups=10 + +# Number of security rules per security group (integer value) +#quota_security_group_rules=20 + +# Number of key pairs per user (integer value) +#quota_key_pairs=100 + +# Number of server groups per project (integer value) +#quota_server_groups=10 + +# Number of servers per server group (integer value) +#quota_server_group_members=10 + +# Number of seconds until a reservation expires (integer +# value) +#reservation_expire=86400 + +# Count of reservations until usage is refreshed. This +# defaults to 0(off) to avoid additional load but it is useful +# to turn on to help keep quota usage up to date and reduce +# the impact of out of sync usage issues. (integer value) +#until_refresh=0 + +# Number of seconds between subsequent usage refreshes. This +# defaults to 0(off) to avoid additional load but it is useful +# to turn on to help keep quota usage up to date and reduce +# the impact of out of sync usage issues. Note that quotas are +# not updated on a periodic task, they will update on a new +# reservation if max_age has passed since the last reservation +# (integer value) +#max_age=0 + +# Default driver to use for quota checks (string value) +#quota_driver=nova.quota.DbQuotaDriver + + +# +# Options defined in nova.service +# + +# Seconds between nodes reporting state to datastore (integer +# value) +#report_interval=10 + +# Enable periodic tasks (boolean value) +#periodic_enable=true + +# Range of seconds to randomly delay when starting the +# periodic task scheduler to reduce stampeding. (Disable by +# setting to 0) (integer value) +#periodic_fuzzy_delay=60 + +# A list of APIs to enable by default (list value) +enabled_apis=ec2,osapi_compute,metadata + +# A list of APIs with enabled SSL (list value) +#enabled_ssl_apis= + +# The IP address on which the EC2 API will listen. (string +# value) +#ec2_listen=0.0.0.0 + +# The port on which the EC2 API will listen. (integer value) +#ec2_listen_port=8773 + +# Number of workers for EC2 API service. The default will be +# equal to the number of CPUs available. (integer value) +#ec2_workers=<None> + +# The IP address on which the OpenStack API will listen. +# (string value) +#osapi_compute_listen=0.0.0.0 + +# The port on which the OpenStack API will listen. (integer +# value) +#osapi_compute_listen_port=8774 + +# Number of workers for OpenStack API service. The default +# will be the number of CPUs available. (integer value) +#osapi_compute_workers=<None> + +# OpenStack metadata service manager (string value) +#metadata_manager=nova.api.manager.MetadataManager + +# The IP address on which the metadata API will listen. +# (string value) +#metadata_listen=0.0.0.0 + +# The port on which the metadata API will listen. (integer +# value) +#metadata_listen_port=8775 + +# Number of workers for metadata service. The default will be +# the number of CPUs available. (integer value) +#metadata_workers=<None> + +# Full class name for the Manager for compute (string value) +compute_manager={{ COMPUTE_MANAGER }} + +# Full class name for the Manager for console proxy (string +# value) +#console_manager=nova.console.manager.ConsoleProxyManager + +# Manager for console auth (string value) +#consoleauth_manager=nova.consoleauth.manager.ConsoleAuthManager + +# Full class name for the Manager for cert (string value) +#cert_manager=nova.cert.manager.CertManager + +# Full class name for the Manager for network (string value) +#network_manager=nova.network.manager.VlanManager + +# Full class name for the Manager for scheduler (string value) +#scheduler_manager=nova.scheduler.manager.SchedulerManager + +# Maximum time since last check-in for up service (integer +# value) +#service_down_time=60 + + +# +# Options defined in nova.utils +# + +# Whether to log monkey patching (boolean value) +#monkey_patch=false + +# List of modules/decorators to monkey patch (list value) +#monkey_patch_modules=nova.api.ec2.cloud:nova.notifications.notify_decorator,nova.compute.api:nova.notifications.notify_decorator + +# Length of generated instance admin passwords (integer value) +#password_length=12 + +# Time period to generate instance usages for. Time period +# must be hour, day, month or year (string value) +instance_usage_audit_period=hour + +# Path to the rootwrap configuration file to use for running +# commands as root (string value) +rootwrap_config=/etc/nova/rootwrap.conf + +# Explicitly specify the temporary working directory (string +# value) +#tempdir=<None> + + +# +# Options defined in nova.wsgi +# + +# File name for the paste.deploy config for nova-api (string +# value) +api_paste_config=api-paste.ini + +# A python format string that is used as the template to +# generate log lines. The following values can be formatted +# into it: client_ip, date_time, request_line, status_code, +# body_length, wall_seconds. (string value) +#wsgi_log_format=%(client_ip)s "%(request_line)s" status: %(status_code)s len: %(body_length)s time: %(wall_seconds).7f + +# CA certificate file to use to verify connecting clients +# (string value) +#ssl_ca_file=<None> + +# SSL certificate of API server (string value) +#ssl_cert_file=<None> + +# SSL private key of API server (string value) +#ssl_key_file=<None> + +# Sets the value of TCP_KEEPIDLE in seconds for each server +# socket. Not supported on OS X. (integer value) +#tcp_keepidle=600 + +# Size of the pool of greenthreads used by wsgi (integer +# value) +#wsgi_default_pool_size=1000 + +# Maximum line size of message headers to be accepted. +# max_header_line may need to be increased when using large +# tokens (typically those generated by the Keystone v3 API +# with big service catalogs). (integer value) +#max_header_line=16384 + +# If False, closes the client socket connection explicitly. +# (boolean value) +#wsgi_keep_alive=true + +# Timeout for client connections' socket operations. If an +# incoming connection is idle for this number of seconds it +# will be closed. A value of '0' means wait forever. (integer +# value) +#client_socket_timeout=900 + + +# +# Options defined in nova.api.auth +# + +# Whether to use per-user rate limiting for the api. This +# option is only used by v2 api. Rate limiting is removed from +# v3 api. (boolean value) +#api_rate_limit=false + +# The strategy to use for auth: keystone, noauth +# (deprecated), or noauth2. Both noauth and noauth2 are +# designed for testing only, as they do no actual credential +# checking. noauth provides administrative credentials +# regardless of the passed in user, noauth2 only does if +# 'admin' is specified as the username. (string value) +auth_strategy=keystone + +# Treat X-Forwarded-For as the canonical remote address. Only +# enable this if you have a sanitizing proxy. (boolean value) +#use_forwarded_for=false + + +# +# Options defined in nova.api.ec2 +# + +# Number of failed auths before lockout. (integer value) +#lockout_attempts=5 + +# Number of minutes to lockout if triggered. (integer value) +#lockout_minutes=15 + +# Number of minutes for lockout window. (integer value) +#lockout_window=15 + +# URL to get token from ec2 request. (string value) +#keystone_ec2_url=http://localhost:5000/v2.0/ec2tokens + +# Return the IP address as private dns hostname in describe +# instances (boolean value) +#ec2_private_dns_show_ip=false + +# Validate security group names according to EC2 specification +# (boolean value) +#ec2_strict_validation=true + +# Time in seconds before ec2 timestamp expires (integer value) +#ec2_timestamp_expiry=300 + +# Disable SSL certificate verification. (boolean value) +#keystone_ec2_insecure=false + + +# +# Options defined in nova.api.ec2.cloud +# + +# The IP address of the EC2 API server (string value) +#ec2_host=$my_ip + +# The internal IP address of the EC2 API server (string value) +#ec2_dmz_host=$my_ip + +# The port of the EC2 API server (integer value) +#ec2_port=8773 + +# The protocol to use when connecting to the EC2 API server +# (http, https) (string value) +#ec2_scheme=http + +# The path prefix used to call the ec2 API server (string +# value) +#ec2_path=/ + +# List of region=fqdn pairs separated by commas (list value) +#region_list= + + +# +# Options defined in nova.api.metadata.base +# + +# List of metadata versions to skip placing into the config +# drive (string value) +#config_drive_skip_versions=1.0 2007-01-19 2007-03-01 2007-08-29 2007-10-10 2007-12-15 2008-02-01 2008-09-01 + +# Driver to use for vendor data (string value) +#vendordata_driver=nova.api.metadata.vendordata_json.JsonFileVendorData + + +# +# Options defined in nova.api.metadata.handler +# + +# Time in seconds to cache metadata; 0 to disable metadata +# caching entirely (not recommended). Increasingthis should +# improve response times of the metadata API when under heavy +# load. Higher values may increase memoryusage and result in +# longer times for host metadata changes to take effect. +# (integer value) +#metadata_cache_expiration=15 + + +# +# Options defined in nova.api.metadata.vendordata_json +# + +# File to load JSON formatted vendor data from (string value) +#vendordata_jsonfile_path=<None> + + +# +# Options defined in nova.api.openstack.common +# + +# The maximum number of items returned in a single response +# from a collection resource (integer value) +#osapi_max_limit=1000 + +# Base URL that will be presented to users in links to the +# OpenStack Compute API (string value) +#osapi_compute_link_prefix=<None> + +# Base URL that will be presented to users in links to glance +# resources (string value) +#osapi_glance_link_prefix=<None> + + +# +# Options defined in nova.api.openstack.compute +# + +# Permit instance snapshot operations. (boolean value) +#allow_instance_snapshots=true + + +# +# Options defined in nova.api.openstack.compute.contrib +# + +# Specify list of extensions to load when using +# osapi_compute_extension option with +# nova.api.openstack.compute.contrib.select_extensions (list +# value) +#osapi_compute_ext_list= + + +# +# Options defined in nova.api.openstack.compute.contrib.fping +# + +# Full path to fping. (string value) +#fping_path=/usr/sbin/fping + + +# +# Options defined in nova.api.openstack.compute.contrib.os_tenant_networks +# + +# Enables or disables quota checking for tenant networks +# (boolean value) +#enable_network_quota=false + +# Control for checking for default networks (string value) +#use_neutron_default_nets=False + +# Default tenant id when creating neutron networks (string +# value) +#neutron_default_tenant_id=default + +# Number of private networks allowed per project (integer +# value) +#quota_networks=3 + + +# +# Options defined in nova.api.openstack.compute.extensions +# + +# osapi compute extension to load (multi valued) +osapi_compute_extension=nova.api.openstack.compute.contrib.standard_extensions + + +# +# Options defined in nova.api.openstack.compute.plugins.v3.hide_server_addresses +# + +# List of instance states that should hide network info (list +# value) +#osapi_hide_server_address_states=building + + +# +# Options defined in nova.api.openstack.compute.servers +# + +# Enables returning of the instance password by the relevant +# server API calls such as create, rebuild or rescue, If the +# hypervisor does not support password injection then the +# password returned will not be correct (boolean value) +#enable_instance_password=true + + +# +# Options defined in nova.cert.rpcapi +# + +# The topic cert nodes listen on (string value) +#cert_topic=cert + + +# +# Options defined in nova.cloudpipe.pipelib +# + +# Image ID used when starting up a cloudpipe vpn server +# (string value) +#vpn_image_id=0 + +# Flavor for vpn instances (string value) +#vpn_flavor=m1.tiny + +# Template for cloudpipe instance boot script (string value) +#boot_script_template=$pybasedir/nova/cloudpipe/bootscript.template + +# Network to push into openvpn config (string value) +#dmz_net=10.0.0.0 + +# Netmask to push into openvpn config (string value) +#dmz_mask=255.255.255.0 + +# Suffix to add to project name for vpn key and secgroups +# (string value) +#vpn_key_suffix=-vpn + + +# +# Options defined in nova.cmd.novnc +# + +# Record sessions to FILE.[session_number] (boolean value) +#record=false + +# Become a daemon (background process) (boolean value) +#daemon=false + +# Disallow non-encrypted connections (boolean value) +#ssl_only=false + +# Source is ipv6 (boolean value) +#source_is_ipv6=false + +# SSL certificate file (string value) +#cert=self.pem + +# SSL key file (if separate from cert) (string value) +#key=<None> + +# Run webserver on same port. Serve files from DIR. (string +# value) +#web=/usr/share/spice-html5 + + +# +# Options defined in nova.cmd.novncproxy +# + +# Host on which to listen for incoming requests (string value) +#novncproxy_host=0.0.0.0 + +# Port on which to listen for incoming requests (integer +# value) +#novncproxy_port=6080 + + +# +# Options defined in nova.compute.api +# + +# Allow destination machine to match source for resize. Useful +# when testing in single-host environments. (boolean value) +#allow_resize_to_same_host=false + +# Allow migrate machine to the same host. Useful when testing +# in single-host environments. (boolean value) +#allow_migrate_to_same_host=false + +# Availability zone to use when user doesn't specify one +# (string value) +#default_schedule_zone=<None> + +# These are image properties which a snapshot should not +# inherit from an instance (list value) +#non_inheritable_image_properties=cache_in_nova,bittorrent + +# Kernel image that indicates not to use a kernel, but to use +# a raw disk image instead (string value) +#null_kernel=nokernel + +# When creating multiple instances with a single request using +# the os-multiple-create API extension, this template will be +# used to build the display name for each instance. The +# benefit is that the instances end up with different +# hostnames. To restore legacy behavior of every instance +# having the same name, set this option to "%(name)s". Valid +# keys for the template are: name, uuid, count. (string value) +#multi_instance_display_name_template=%(name)s-%(count)d + +# Maximum number of devices that will result in a local image +# being created on the hypervisor node. Setting this to 0 +# means nova will allow only boot from volume. A negative +# number means unlimited. (integer value) +#max_local_block_devices=3 + + +# +# Options defined in nova.compute.flavors +# + +# Default flavor to use for the EC2 API only. The Nova API +# does not support a default flavor. (string value) +#default_flavor=m1.small + + +# +# Options defined in nova.compute.manager +# + +# Console proxy host to use to connect to instances on this +# host. (string value) +#console_host=nova + +# Name of network to use to set access IPs for instances +# (string value) +#default_access_ip_network_name=<None> + +# Whether to batch up the application of IPTables rules during +# a host restart and apply all at the end of the init phase +# (boolean value) +#defer_iptables_apply=false + +# Where instances are stored on disk (string value) +#instances_path=$state_path/instances + +# Generate periodic compute.instance.exists notifications +# (boolean value) +instance_usage_audit= True + +# Number of 1 second retries needed in live_migration (integer +# value) +#live_migration_retry_count=30 + +# Whether to start guests that were running before the host +# rebooted (boolean value) +#resume_guests_state_on_host_boot=false + +# Number of times to retry network allocation on failures +# (integer value) +#network_allocate_retries=0 + +# Maximum number of instance builds to run concurrently +# (integer value) +#max_concurrent_builds=10 + +# Number of times to retry block device allocation on failures +# (integer value) +#block_device_allocate_retries=60 + +# The number of times to attempt to reap an instance's files. +# (integer value) +#maximum_instance_delete_attempts=5 + +# Interval to pull network bandwidth usage info. Not supported +# on all hypervisors. Set to -1 to disable. Setting this to 0 +# will run at the default rate. (integer value) +#bandwidth_poll_interval=600 + +# Interval to sync power states between the database and the +# hypervisor. Set to -1 to disable. Setting this to 0 will run +# at the default rate. (integer value) +#sync_power_state_interval=600 + +# Number of seconds between instance network information cache +# updates (integer value) +#heal_instance_info_cache_interval=60 + +# Interval in seconds for reclaiming deleted instances +# (integer value) +#reclaim_instance_interval=0 + +# Interval in seconds for gathering volume usages (integer +# value) +#volume_usage_poll_interval=0 + +# Interval in seconds for polling shelved instances to +# offload. Set to -1 to disable.Setting this to 0 will run at +# the default rate. (integer value) +#shelved_poll_interval=3600 + +# Time in seconds before a shelved instance is eligible for +# removing from a host. -1 never offload, 0 offload when +# shelved (integer value) +#shelved_offload_time=0 + +# Interval in seconds for retrying failed instance file +# deletes. Set to -1 to disable. Setting this to 0 will run at +# the default rate. (integer value) +#instance_delete_interval=300 + +# Waiting time interval (seconds) between block device +# allocation retries on failures (integer value) +#block_device_allocate_retries_interval=3 + +# Waiting time interval (seconds) between sending the +# scheduler a list of current instance UUIDs to verify that +# its view of instances is in sync with nova. If the CONF +# option `scheduler_tracks_instance_changes` is False, +# changing this option will have no effect. (integer value) +#scheduler_instance_sync_interval=120 + +# Action to take if a running deleted instance is detected. +# Valid options are 'noop', 'log', 'shutdown', or 'reap'. Set +# to 'noop' to take no action. (string value) +#running_deleted_instance_action=reap + +# Number of seconds to wait between runs of the cleanup task. +# (integer value) +#running_deleted_instance_poll_interval=1800 + +# Number of seconds after being deleted when a running +# instance should be considered eligible for cleanup. (integer +# value) +#running_deleted_instance_timeout=0 + +# Automatically hard reboot an instance if it has been stuck +# in a rebooting state longer than N seconds. Set to 0 to +# disable. (integer value) +#reboot_timeout=0 + +# Amount of time in seconds an instance can be in BUILD before +# going into ERROR status. Set to 0 to disable. (integer +# value) +#instance_build_timeout=0 + +# Automatically unrescue an instance after N seconds. Set to 0 +# to disable. (integer value) +#rescue_timeout=0 + +# Automatically confirm resizes after N seconds. Set to 0 to +# disable. (integer value) +#resize_confirm_window=0 + +# Total amount of time to wait in seconds for an instance to +# perform a clean shutdown. (integer value) +#shutdown_timeout=60 + + +# +# Options defined in nova.compute.monitors +# + +# Monitor classes available to the compute which may be +# specified more than once. (multi valued) +#compute_available_monitors=nova.compute.monitors.all_monitors + +# A list of monitors that can be used for getting compute +# metrics. (list value) +#compute_monitors= + + +# +# Options defined in nova.compute.resource_tracker +# + +# Amount of disk in MB to reserve for the host (integer value) +#reserved_host_disk_mb=0 + +# Amount of memory in MB to reserve for the host (integer +# value) +reserved_host_memory_mb={{ RESERVED_HOST_MEMORY_MB }} + +# Class that will manage stats for the local compute host +# (string value) +#compute_stats_class=nova.compute.stats.Stats + +# The names of the extra resources to track. (list value) +#compute_resources=vcpu + + +# +# Options defined in nova.compute.rpcapi +# + +# The topic compute nodes listen on (string value) +#compute_topic=compute + + +# +# Options defined in nova.conductor.tasks.live_migrate +# + +# Number of times to retry live-migration before failing. If +# == -1, try until out of hosts. If == 0, only try once, no +# retries. (integer value) +#migrate_max_retries=-1 + + +# +# Options defined in nova.console.manager +# + +# Driver to use for the console proxy (string value) +#console_driver=nova.console.xvp.XVPConsoleProxy + +# Stub calls to compute worker for tests (boolean value) +#stub_compute=false + +# Publicly visible name for this console host (string value) +#console_public_hostname=nova + + +# +# Options defined in nova.console.rpcapi +# + +# The topic console proxy nodes listen on (string value) +#console_topic=console + + +# +# Options defined in nova.console.xvp +# + +# XVP conf template (string value) +#console_xvp_conf_template=$pybasedir/nova/console/xvp.conf.template + +# Generated XVP conf file (string value) +#console_xvp_conf=/etc/xvp.conf + +# XVP master process pid file (string value) +#console_xvp_pid=/var/run/xvp.pid + +# XVP log file (string value) +#console_xvp_log=/var/log/xvp.log + +# Port for XVP to multiplex VNC connections on (integer value) +#console_xvp_multiplex_port=5900 + + +# +# Options defined in nova.consoleauth +# + +# The topic console auth proxy nodes listen on (string value) +#consoleauth_topic=consoleauth + + +# +# Options defined in nova.consoleauth.manager +# + +# How many seconds before deleting tokens (integer value) +#console_token_ttl=600 + + +# +# Options defined in nova.db.api +# + +# Services to be added to the available pool on create +# (boolean value) +#enable_new_services=true + +# Template string to be used to generate instance names +# (string value) +instance_name_template=instance-%08x + +# Template string to be used to generate snapshot names +# (string value) +snapshot_name_template=snapshot-%s + + +# +# Options defined in nova.db.base +# + +# The driver to use for database access (string value) +#db_driver=nova.db + + +# +# Options defined in nova.db.sqlalchemy.api +# + +# When set, compute API will consider duplicate hostnames +# invalid within the specified scope, regardless of case. +# Should be empty, "project" or "global". (string value) +#osapi_compute_unique_server_name_scope= + + +# +# Options defined in nova.image.s3 +# + +# Parent directory for tempdir used for image decryption +# (string value) +#image_decryption_dir=/tmp + +# Hostname or IP for OpenStack to use when accessing the S3 +# api (string value) +#s3_host=$my_ip + +# Port used when accessing the S3 api (integer value) +#s3_port=3333 + +# Access key to use for S3 server for images (string value) +#s3_access_key=notchecked + +# Secret key to use for S3 server for images (string value) +#s3_secret_key=notchecked + +# Whether to use SSL when talking to S3 (boolean value) +#s3_use_ssl=false + +# Whether to affix the tenant id to the access key when +# downloading from S3 (boolean value) +#s3_affix_tenant=false + + +# +# Options defined in nova.ipv6.api +# + +# Backend to use for IPv6 generation (string value) +#ipv6_backend=rfc2462 + + +# +# Options defined in nova.network +# + +# The full class name of the network API class to use (string +# value) +network_api_class=nova.network.neutronv2.api.API + + +# +# Options defined in nova.network.driver +# + +# Driver to use for network creation (string value) +#network_driver=nova.network.linux_net + + +# +# Options defined in nova.network.floating_ips +# + +# Default pool for floating IPs (string value) +#default_floating_pool=nova + +# Autoassigning floating IP to VM (boolean value) +#auto_assign_floating_ip=false + +# Full class name for the DNS Manager for floating IPs (string +# value) +#floating_ip_dns_manager=nova.network.noop_dns_driver.NoopDNSDriver + +# Full class name for the DNS Manager for instance IPs (string +# value) +#instance_dns_manager=nova.network.noop_dns_driver.NoopDNSDriver + +# Full class name for the DNS Zone for instance IPs (string +# value) +#instance_dns_domain= + + +# +# Options defined in nova.network.ldapdns +# + +# URL for LDAP server which will store DNS entries (string +# value) +#ldap_dns_url=ldap://ldap.example.com:389 + +# User for LDAP DNS (string value) +#ldap_dns_user=uid=admin,ou=people,dc=example,dc=org + +# Password for LDAP DNS (string value) +#ldap_dns_password=password + +# Hostmaster for LDAP DNS driver Statement of Authority +# (string value) +#ldap_dns_soa_hostmaster=hostmaster@example.org + +# DNS Servers for LDAP DNS driver (multi valued) +#ldap_dns_servers=dns.example.org + +# Base DN for DNS entries in LDAP (string value) +#ldap_dns_base_dn=ou=hosts,dc=example,dc=org + +# Refresh interval (in seconds) for LDAP DNS driver Statement +# of Authority (string value) +#ldap_dns_soa_refresh=1800 + +# Retry interval (in seconds) for LDAP DNS driver Statement of +# Authority (string value) +#ldap_dns_soa_retry=3600 + +# Expiry interval (in seconds) for LDAP DNS driver Statement +# of Authority (string value) +#ldap_dns_soa_expiry=86400 + +# Minimum interval (in seconds) for LDAP DNS driver Statement +# of Authority (string value) +#ldap_dns_soa_minimum=7200 + + +# +# Options defined in nova.network.linux_net +# + +# Location of flagfiles for dhcpbridge (multi valued) +#dhcpbridge_flagfile=/etc/nova/nova-dhcpbridge.conf + +# Location to keep network config files (string value) +#networks_path=$state_path/networks + +# Interface for public IP addresses (string value) +#public_interface=eth0 + +# Location of nova-dhcpbridge (string value) +#dhcpbridge=$bindir/nova-dhcpbridge + +# Public IP of network host (string value) +#routing_source_ip=$my_ip + +# Lifetime of a DHCP lease in seconds (integer value) +#dhcp_lease_time=86400 + +# If set, uses specific DNS server for dnsmasq. Can be +# specified multiple times. (multi valued) +#dns_server= + +# If set, uses the dns1 and dns2 from the network ref. as dns +# servers. (boolean value) +#use_network_dns_servers=false + +# A list of dmz ranges that should be accepted (list value) +#dmz_cidr= + +# Traffic to this range will always be snatted to the fallback +# ip, even if it would normally be bridged out of the node. +# Can be specified multiple times. (multi valued) +#force_snat_range= + +# Override the default dnsmasq settings with this file (string +# value) +#dnsmasq_config_file= + +# Driver used to create ethernet devices. (string value) +linuxnet_interface_driver=nova.network.linux_net.LinuxOVSInterfaceDriver + +# Name of Open vSwitch bridge used with linuxnet (string +# value) +#linuxnet_ovs_integration_bridge=br-int + +# Send gratuitous ARPs for HA setup (boolean value) +#send_arp_for_ha=false + +# Send this many gratuitous ARPs for HA setup (integer value) +#send_arp_for_ha_count=3 + +# Use single default gateway. Only first nic of vm will get +# default gateway from dhcp server (boolean value) +#use_single_default_gateway=false + +# An interface that bridges can forward to. If this is set to +# all then all traffic will be forwarded. Can be specified +# multiple times. (multi valued) +#forward_bridge_interface=all + +# The IP address for the metadata API server (string value) +#metadata_host=$my_ip + +# The port for the metadata API port (integer value) +#metadata_port=8775 + +# Regular expression to match the iptables rule that should +# always be on the top. (string value) +#iptables_top_regex= + +# Regular expression to match the iptables rule that should +# always be on the bottom. (string value) +#iptables_bottom_regex= + +# The table that iptables to jump to when a packet is to be +# dropped. (string value) +#iptables_drop_action=DROP + +# Amount of time, in seconds, that ovs_vsctl should wait for a +# response from the database. 0 is to wait forever. (integer +# value) +#ovs_vsctl_timeout=120 + +# If passed, use fake network devices and addresses (boolean +# value) +#fake_network=false + +# Number of times to retry ebtables commands on failure. +# (integer value) +#ebtables_exec_attempts=3 + +# Number of seconds to wait between ebtables retries. +# (floating point value) +#ebtables_retry_interval=1.0 + + +# +# Options defined in nova.network.manager +# + +# Bridge for simple network instances (string value) +#flat_network_bridge=<None> + +# DNS server for simple network (string value) +#flat_network_dns=8.8.4.4 + +# Whether to attempt to inject network setup into guest +# (boolean value) +#flat_injected=false + +# FlatDhcp will bridge into this interface if set (string +# value) +#flat_interface=<None> + +# First VLAN for private networks (integer value) +#vlan_start=100 + +# VLANs will bridge into this interface if set (string value) +#vlan_interface=<None> + +# Number of networks to support (integer value) +#num_networks=1 + +# Public IP for the cloudpipe VPN servers (string value) +#vpn_ip=$my_ip + +# First Vpn port for private networks (integer value) +#vpn_start=1000 + +# Number of addresses in each private subnet (integer value) +#network_size=256 + +# Fixed IPv6 address block (string value) +#fixed_range_v6=fd00::/48 + +# Default IPv4 gateway (string value) +#gateway=<None> + +# Default IPv6 gateway (string value) +#gateway_v6=<None> + +# Number of addresses reserved for vpn clients (integer value) +#cnt_vpn_clients=0 + +# Seconds after which a deallocated IP is disassociated +# (integer value) +#fixed_ip_disassociate_timeout=600 + +# Number of attempts to create unique mac address (integer +# value) +#create_unique_mac_address_attempts=5 + +# If True, skip using the queue and make local calls (boolean +# value) +#fake_call=false + +# If True, unused gateway devices (VLAN and bridge) are +# deleted in VLAN network mode with multi hosted networks +# (boolean value) +#teardown_unused_network_gateway=false + +# If True, send a dhcp release on instance termination +# (boolean value) +#force_dhcp_release=true + +# If True, when a DNS entry must be updated, it sends a fanout +# cast to all network hosts to update their DNS entries in +# multi host mode (boolean value) +#update_dns_entries=false + +# Number of seconds to wait between runs of updates to DNS +# entries. (integer value) +#dns_update_periodic_interval=-1 + +# Domain to use for building the hostnames (string value) +#dhcp_domain=novalocal + +# Indicates underlying L3 management library (string value) +#l3_lib=nova.network.l3.LinuxNetL3 + + +# +# Options defined in nova.network.rpcapi +# + +# The topic network nodes listen on (string value) +#network_topic=network + +# Default value for multi_host in networks. Also, if set, some +# rpc network calls will be sent directly to host. (boolean +# value) +#multi_host=false + + +# +# Options defined in nova.network.security_group.openstack_driver +# + +# The full class name of the security API class (string value) +security_group_api=neutron + + +# +# Options defined in nova.objects.network +# + +# DEPRECATED: THIS VALUE SHOULD BE SET WHEN CREATING THE +# NETWORK. If True in multi_host mode, all compute hosts share +# the same dhcp address. The same IP address used for DHCP +# will be added on each nova-network node which is only +# visible to the vms on the same host. (boolean value) +#share_dhcp_address=false + +# DEPRECATED: THIS VALUE SHOULD BE SET WHEN CREATING THE +# NETWORK. MTU setting for network interface. (integer value) +#network_device_mtu=<None> + + +# +# Options defined in nova.objectstore.s3server +# + +# Path to S3 buckets (string value) +#buckets_path=$state_path/buckets + +# IP address for S3 API to listen (string value) +#s3_listen=0.0.0.0 + +# Port for S3 API to listen (integer value) +#s3_listen_port=3333 + + +# +# From oslo.log +# + +# Print debugging output (set logging level to DEBUG instead of default WARNING +# level). (boolean value) +#debug = false + +# Print more verbose output (set logging level to INFO instead of default +# WARNING level). (boolean value) +#verbose = false + +# The name of a logging configuration file. This file is appended to any +# existing logging configuration files. For details about logging configuration +# files, see the Python logging module documentation. (string value) +# Deprecated group/name - [DEFAULT]/log_config +#log_config_append = <None> + +# DEPRECATED. A logging.Formatter log message format string which may use any +# of the available logging.LogRecord attributes. This option is deprecated. +# Please use logging_context_format_string and logging_default_format_string +# instead. (string value) +#log_format = <None> + +# Format string for %%(asctime)s in log records. Default: %(default)s . (string +# value) +#log_date_format = %Y-%m-%d %H:%M:%S + +# (Optional) Name of log file to output to. If no default is set, logging will +# go to stdout. (string value) +# Deprecated group/name - [DEFAULT]/logfile +#log_file = <None> + +# (Optional) The base directory used for relative --log-file paths. (string +# value) +# Deprecated group/name - [DEFAULT]/logdir +#log_dir = <None> + +# Use syslog for logging. Existing syslog format is DEPRECATED during I, and +# will change in J to honor RFC5424. (boolean value) +use_syslog = True + +# (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, +# prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The +# format without the APP-NAME is deprecated in I, and will be removed in J. +# (boolean value) +#use_syslog_rfc_format = false + +# Syslog facility to receive log lines. (string value) +#syslog_log_facility = LOG_USER + +# Log output to standard error. (boolean value) +#use_stderr = true + +# Format string to use for log messages with context. (string value) +#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s + +# Format string to use for log messages without context. (string value) +#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s + +# Data to append to log format when level is DEBUG. (string value) +#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d + +# Prefix each line of exception output with this format. (string value) +#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s + +# List of logger=LEVEL pairs. (list value) +#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN + +# Enables or disables publication of error events. (boolean value) +#publish_errors = false + +# Enables or disables fatal status of deprecations. (boolean value) +#fatal_deprecations = false + +# The format for an instance that is passed with the log message. (string +# value) +#instance_format = "[instance: %(uuid)s] " + +# The format for an instance UUID that is passed with the log message. (string +# value) +#instance_uuid_format = "[instance: %(uuid)s] " + + +# +# Options defined in nova.pci.request +# + +# An alias for a PCI passthrough device requirement. This +# allows users to specify the alias in the extra_spec for a +# flavor, without needing to repeat all the PCI property +# requirements. For example: pci_alias = { "name": +# "QuicAssist", "product_id": "0443", "vendor_id": "8086", +# "device_type": "ACCEL" } defines an alias for the Intel +# QuickAssist card. (multi valued) (multi valued) +#pci_alias= + + +# +# Options defined in nova.pci.whitelist +# + +# White list of PCI devices available to VMs. For example: +# pci_passthrough_whitelist = [{"vendor_id": "8086", +# "product_id": "0443"}] (multi valued) +#pci_passthrough_whitelist= + + +# +# Options defined in nova.scheduler.driver +# + +# The scheduler host manager class to use (string value) +scheduler_host_manager={{ SCHEDULER_HOST_MANAGER }} + + +# +# Options defined in nova.scheduler.filter_scheduler +# + +# New instances will be scheduled on a host chosen randomly +# from a subset of the N best hosts. This property defines the +# subset size that a host is chosen from. A value of 1 chooses +# the first host returned by the weighing functions. This +# value must be at least 1. Any value less than 1 will be +# ignored, and 1 will be used instead (integer value) +#scheduler_host_subset_size=1 + + +# +# Options defined in nova.scheduler.filters.aggregate_image_properties_isolation +# + +# Force the filter to consider only keys matching the given +# namespace. (string value) +#aggregate_image_properties_isolation_namespace=<None> + +# The separator used between the namespace and keys (string +# value) +#aggregate_image_properties_isolation_separator=. + + +# +# Options defined in nova.scheduler.filters.core_filter +# + +# Virtual CPU to physical CPU allocation ratio which affects +# all CPU filters. This configuration specifies a global ratio +# for CoreFilter. For AggregateCoreFilter, it will fall back +# to this configuration value if no per-aggregate setting +# found. (floating point value) +#cpu_allocation_ratio=16.0 + + +# +# Options defined in nova.scheduler.filters.disk_filter +# + +# Virtual disk to physical disk allocation ratio (floating +# point value) +#disk_allocation_ratio=1.0 + + +# +# Options defined in nova.scheduler.filters.io_ops_filter +# + +# Tells filters to ignore hosts that have this many or more +# instances currently in build, resize, snapshot, migrate, +# rescue or unshelve task states (integer value) +#max_io_ops_per_host=8 + + +# +# Options defined in nova.scheduler.filters.isolated_hosts_filter +# + +# Images to run on isolated host (list value) +#isolated_images= + +# Host reserved for specific images (list value) +#isolated_hosts= + +# Whether to force isolated hosts to run only isolated images +# (boolean value) +#restrict_isolated_hosts_to_isolated_images=true + + +# +# Options defined in nova.scheduler.filters.num_instances_filter +# + +# Ignore hosts that have too many instances (integer value) +#max_instances_per_host=50 + + +# +# Options defined in nova.scheduler.filters.ram_filter +# + +# Virtual ram to physical ram allocation ratio which affects +# all ram filters. This configuration specifies a global ratio +# for RamFilter. For AggregateRamFilter, it will fall back to +# this configuration value if no per-aggregate setting found. +# (floating point value) +ram_allocation_ratio={{ RAM_ALLOCATION_RATIO }} + + +# +# Options defined in nova.scheduler.host_manager +# + +# Filter classes available to the scheduler which may be +# specified more than once. An entry of +# "nova.scheduler.filters.all_filters" maps to all filters +# included with nova. (multi valued) +#scheduler_available_filters=nova.scheduler.filters.all_filters + +# Which filter class names to use for filtering hosts when not +# specified in the request. (list value) +scheduler_default_filters=RetryFilter,AvailabilityZoneFilter,RamFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter + +# Which weight class names to use for weighing hosts (list +# value) +#scheduler_weight_classes=nova.scheduler.weights.all_weighers + +# Determines if the Scheduler tracks changes to instances to +# help with its filtering decisions. (boolean value) +#scheduler_tracks_instance_changes=true + + +# +# Options defined in nova.scheduler.ironic_host_manager +# + +# Which filter class names to use for filtering baremetal +# hosts when not specified in the request. (list value) +#baremetal_scheduler_default_filters=RetryFilter,AvailabilityZoneFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ExactRamFilter,ExactDiskFilter,ExactCoreFilter + +# Flag to decide whether to use +# baremetal_scheduler_default_filters or not. (boolean value) +scheduler_use_baremetal_filters={{ SCHEDULER_USE_BAREMETAL_FILTERS }} + + +# +# Options defined in nova.scheduler.manager +# + +# Default driver to use for the scheduler (string value) +scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler + +# How often (in seconds) to run periodic tasks in the +# scheduler driver of your choice. Please note this is likely +# to interact with the value of service_down_time, but exactly +# how they interact will depend on your choice of scheduler +# driver. (integer value) +#scheduler_driver_task_period=60 + + +# +# Options defined in nova.scheduler.rpcapi +# + +# The topic scheduler nodes listen on (string value) +#scheduler_topic=scheduler + + +# +# Options defined in nova.scheduler.scheduler_options +# + +# Absolute path to scheduler configuration JSON file. (string +# value) +#scheduler_json_config_location= + + +# +# Options defined in nova.scheduler.utils +# + +# Maximum number of attempts to schedule an instance (integer +# value) +#scheduler_max_attempts=3 + + +# +# Options defined in nova.scheduler.weights.io_ops +# + +# Multiplier used for weighing host io ops. Negative numbers +# mean a preference to choose light workload compute hosts. +# (floating point value) +#io_ops_weight_multiplier=-1.0 + + +# +# Options defined in nova.scheduler.weights.ram +# + +# Multiplier used for weighing ram. Negative numbers mean to +# stack vs spread. (floating point value) +#ram_weight_multiplier=1.0 + + +# +# Options defined in nova.servicegroup.api +# + +# The driver for servicegroup service (valid options are: db, +# zk, mc) (string value) +#servicegroup_driver=db + + +# +# Options defined in nova.virt.configdrive +# + +# Config drive format. One of iso9660 (default) or vfat +# (string value) +#config_drive_format=iso9660 + +# Set to "always" to force injection to take place on a config +# drive. NOTE: The "always" will be deprecated in the Liberty +# release cycle. (string value) +#force_config_drive=<None> + +# Name and optionally path of the tool used for ISO image +# creation (string value) +#mkisofs_cmd=genisoimage + + +# +# Options defined in nova.virt.disk.api +# + +# Name of the mkfs commands for ephemeral device. The format +# is <os_type>=<mkfs command> (multi valued) +#virt_mkfs= + +# Attempt to resize the filesystem by accessing the image over +# a block device. This is done by the host and may not be +# necessary if the image contains a recent version of cloud- +# init. Possible mechanisms require the nbd driver (for qcow +# and raw), or loop (for raw). (boolean value) +#resize_fs_using_block_device=false + + +# +# Options defined in nova.virt.disk.mount.nbd +# + +# Amount of time, in seconds, to wait for NBD device start up. +# (integer value) +#timeout_nbd=10 + + +# +# Options defined in nova.virt.driver +# + +# Driver to use for controlling virtualization. Options +# include: libvirt.LibvirtDriver, xenapi.XenAPIDriver, +# fake.FakeDriver, baremetal.BareMetalDriver, +# vmwareapi.VMwareVCDriver, hyperv.HyperVDriver (string value) +compute_driver={{ COMPUTE_DRIVER }} + +# The default format an ephemeral_volume will be formatted +# with on creation. (string value) +#default_ephemeral_format=<None> + +# VM image preallocation mode: "none" => no storage +# provisioning is done up front, "space" => storage is fully +# allocated at instance start (string value) +#preallocate_images=none + +# Whether to use cow images (boolean value) +#use_cow_images=true + +# Fail instance boot if vif plugging fails (boolean value) +#vif_plugging_is_fatal=true + +# Number of seconds to wait for neutron vif plugging events to +# arrive before continuing or failing (see +# vif_plugging_is_fatal). If this is set to zero and +# vif_plugging_is_fatal is False, events should not be +# expected to arrive at all. (integer value) +#vif_plugging_timeout=300 + + +# +# Options defined in nova.virt.firewall +# + +# Firewall driver (defaults to hypervisor specific iptables +# driver) (string value) +firewall_driver=nova.virt.firewall.NoopFirewallDriver + +# Whether to allow network traffic from same network (boolean +# value) +#allow_same_net_traffic=true + + +# +# Options defined in nova.virt.hardware +# + +# Defines which pcpus that instance vcpus can use. For +# example, "4-12,^8,15" (string value) +#vcpu_pin_set=<None> + + +# +# Options defined in nova.virt.imagecache +# + +# Number of seconds to wait between runs of the image cache +# manager. Set to -1 to disable. Setting this to 0 will run at +# the default rate. (integer value) +#image_cache_manager_interval=2400 + +# Where cached images are stored under $instances_path. This +# is NOT the full path - just a folder name. For per-compute- +# host cached images, set to _base_$my_ip (string value) +#image_cache_subdirectory_name=_base + +# Should unused base images be removed? (boolean value) +#remove_unused_base_images=true + +# Unused unresized base images younger than this will not be +# removed (integer value) +#remove_unused_original_minimum_age_seconds=86400 + + +# +# Options defined in nova.virt.images +# + +# Force backing images to raw format (boolean value) +#force_raw_images=true + + +# +# Options defined in nova.virt.netutils +# + +# Template file for injected network (string value) +#injected_network_template=$pybasedir/nova/virt/interfaces.template + + +# +# Options defined in nova.vnc +# + +# Location of VNC console proxy, in the form +# "http://127.0.0.1:6080/vnc_auto.html" (string value) +novncproxy_base_url=http://{{ MANAGEMENT_INTERFACE_IP_ADDRESS }}:6080/vnc_auto.html + +# Location of nova xvp VNC console proxy, in the form +# "http://127.0.0.1:6081/console" (string value) +#xvpvncproxy_base_url=http://127.0.0.1:6081/console + +# IP address on which instance vncservers should listen +# (string value) +vncserver_listen=0.0.0.0 + +# The address to which proxy clients (like nova-xvpvncproxy) +# should connect (string value) +vncserver_proxyclient_address={{ MANAGEMENT_INTERFACE_IP_ADDRESS }} + +# Enable VNC related features (boolean value) +vnc_enabled=true + +# Keymap for VNC (string value) +vnc_keymap=en-us + + +# +# Options defined in nova.vnc.xvp_proxy +# + +# Port that the XCP VNC proxy should bind to (integer value) +#xvpvncproxy_port=6081 + +# Address that the XCP VNC proxy should bind to (string value) +#xvpvncproxy_host=0.0.0.0 + + +# +# Options defined in nova.volume +# + +# The full class name of the volume API class to use (string +# value) +#volume_api_class=nova.volume.cinder.API + + +# +# Options defined in nova.openstack.common.eventlet_backdoor +# + +# Enable eventlet backdoor. Acceptable values are 0, <port>, +# and <start>:<end>, where 0 results in listening on a random +# tcp port number; <port> results in listening on the +# specified port number (and not enabling backdoor if that +# port is in use); and <start>:<end> results in listening on +# the smallest unused port number within the specified range +# of port numbers. The chosen port is displayed in the +# service's log file. (string value) +#backdoor_port=<None> + + +# +# Options defined in nova.openstack.common.memorycache +# + +# Memcached servers or None for in process cache. (list value) +#memcached_servers=<None> + + +# +# Options defined in nova.openstack.common.periodic_task +# + +# Some periodic tasks can be run in a separate process. Should +# we run them here? (boolean value) +#run_external_periodic_tasks=true + + +# +# Options defined in nova.openstack.common.policy +# + +# The JSON file that defines policies. (string value) +#policy_file=policy.json + +# Default rule. Enforced when a requested rule is not found. +# (string value) +#policy_default_rule=default + +# Directories where policy configuration files are stored. +# They can be relative to any directory in the search path +# defined by the config_dir option, or absolute paths. The +# file defined by policy_file must exist for these directories +# to be searched. Missing or empty directories are ignored. +# (multi valued) +#policy_dirs=policy.d + + +# +# Options defined in nova.openstack.common.versionutils +# + +# Enables or disables fatal status of deprecations. (boolean +# value) +#fatal_deprecations=false + + +[api_database] + +# +# Options defined in nova.db.sqlalchemy.api +# + +# The SQLAlchemy connection string to use to connect to the +# Nova API database. (string value) +#connection=postgresql://{{ NOVA_DB_USER }}:{{ NOVA_DB_PASSWORD }}@{{ CONTROLLER_HOST_ADDRESS }}/nova + +# If True, SQLite uses synchronous mode. (boolean value) +#sqlite_synchronous=true + +# Timeout before idle SQL connections are reaped. (integer +# value) +#idle_timeout=3600 + +# Maximum number of SQL connections to keep open in a pool. +# (integer value) +#max_pool_size=<None> + +# Maximum number of database connection retries during +# startup. Set to -1 to specify an infinite retry count. +# (integer value) +#max_retries=10 + +# Interval between retries of opening a SQL connection. +# (integer value) +#retry_interval=10 + +# If set, use this value for max_overflow with SQLAlchemy. +# (integer value) +#max_overflow=<None> + +# Verbosity of SQL debugging information: 0=None, +# 100=Everything. (integer value) +#connection_debug=0 + +# Add Python stack traces to SQL as comment strings. (boolean +# value) +#connection_trace=false + +# If set, use this value for pool_timeout with SQLAlchemy. +# (integer value) +#pool_timeout=<None> + + +[barbican] + +# +# Options defined in nova.keymgr.barbican +# + +# Info to match when looking for barbican in the service +# catalog. Format is: separated values of the form: +# <service_type>:<service_name>:<endpoint_type> (string value) +#catalog_info=key-manager:barbican:public + +# Override service catalog lookup with template for barbican +# endpoint e.g. http://localhost:9311/v1/%(project_id)s +# (string value) +#endpoint_template=<None> + +# Region name of this node (string value) +#os_region_name=<None> + + +# +# Options defined in nova.volume.cinder +# + +# Region name of this node (string value) +#os_region_name=<None> + + +[cells] + +# +# Options defined in nova.cells.manager +# + +# Cells communication driver to use (string value) +#driver=nova.cells.rpc_driver.CellsRPCDriver + +# Number of seconds after an instance was updated or deleted +# to continue to update cells (integer value) +#instance_updated_at_threshold=3600 + +# Number of instances to update per periodic task run (integer +# value) +#instance_update_num_instances=1 + + +# +# Options defined in nova.cells.messaging +# + +# Maximum number of hops for cells routing. (integer value) +#max_hop_count=10 + +# Cells scheduler to use (string value) +#scheduler=nova.cells.scheduler.CellsScheduler + + +# +# Options defined in nova.cells.opts +# + +# Enable cell functionality (boolean value) +#enable=false + +# The topic cells nodes listen on (string value) +#topic=cells + +# Manager for cells (string value) +#manager=nova.cells.manager.CellsManager + +# Name of this cell (string value) +#name=nova + +# Key/Multi-value list with the capabilities of the cell (list +# value) +#capabilities=hypervisor=xenserver;kvm,os=linux;windows + +# Seconds to wait for response from a call to a cell. (integer +# value) +#call_timeout=60 + +# Percentage of cell capacity to hold in reserve. Affects both +# memory and disk utilization (floating point value) +#reserve_percent=10.0 + +# Type of cell: api or compute (string value) +#cell_type=compute + +# Number of seconds after which a lack of capability and +# capacity updates signals the child cell is to be treated as +# a mute. (integer value) +#mute_child_interval=300 + +# Seconds between bandwidth updates for cells. (integer value) +#bandwidth_update_interval=600 + + +# +# Options defined in nova.cells.rpc_driver +# + +# Base queue name to use when communicating between cells. +# Various topics by message type will be appended to this. +# (string value) +#rpc_driver_queue_base=cells.intercell + + +# +# Options defined in nova.cells.scheduler +# + +# Filter classes the cells scheduler should use. An entry of +# "nova.cells.filters.all_filters" maps to all cells filters +# included with nova. (list value) +#scheduler_filter_classes=nova.cells.filters.all_filters + +# Weigher classes the cells scheduler should use. An entry of +# "nova.cells.weights.all_weighers" maps to all cell weighers +# included with nova. (list value) +#scheduler_weight_classes=nova.cells.weights.all_weighers + +# How many retries when no cells are available. (integer +# value) +#scheduler_retries=10 + +# How often to retry in seconds when no cells are available. +# (integer value) +#scheduler_retry_delay=2 + + +# +# Options defined in nova.cells.state +# + +# Interval, in seconds, for getting fresh cell information +# from the database. (integer value) +#db_check_interval=60 + +# Configuration file from which to read cells configuration. +# If given, overrides reading cells from the database. (string +# value) +#cells_config=<None> + + +# +# Options defined in nova.cells.weights.mute_child +# + +# Multiplier used to weigh mute children. (The value should be +# negative.) (floating point value) +#mute_weight_multiplier=-10.0 + +# Weight value assigned to mute children. (The value should be +# positive.) (floating point value) +#mute_weight_value=1000.0 + + +# +# Options defined in nova.cells.weights.ram_by_instance_type +# + +# Multiplier used for weighing ram. Negative numbers mean to +# stack vs spread. (floating point value) +#ram_weight_multiplier=10.0 + + +# +# Options defined in nova.cells.weights.weight_offset +# + +# Multiplier used to weigh offset weigher. (floating point +# value) +#offset_weight_multiplier=1.0 + + +[cinder] + +# +# Options defined in nova.volume.cinder +# + +# Info to match when looking for cinder in the service +# catalog. Format is: separated values of the form: +# <service_type>:<service_name>:<endpoint_type> (string value) +#catalog_info=volumev2:cinderv2:publicURL + +# Override service catalog lookup with template for cinder +# endpoint e.g. http://localhost:8776/v1/%(project_id)s +# (string value) +#endpoint_template=<None> + +# Number of cinderclient retries on failed http calls (integer +# value) +#http_retries=3 + +# Allow attach between instance and volume in different +# availability zones. (boolean value) +#cross_az_attach=true + + +[conductor] + +# +# Options defined in nova.conductor.api +# + +# Perform nova-conductor operations locally (boolean value) +use_local=true + +# The topic on which conductor nodes listen (string value) +#topic=conductor + +# Full class name for the Manager for conductor (string value) +#manager=nova.conductor.manager.ConductorManager + +# Number of workers for OpenStack Conductor service. The +# default will be the number of CPUs available. (integer +# value) +#workers=<None> + + +[database] + +# +# From oslo.db +# + +# The file name to use with SQLite. (string value) +# Deprecated group/name - [DEFAULT]/sqlite_db +#sqlite_db = oslo.sqlite + +# If True, SQLite uses synchronous mode. (boolean value) +# Deprecated group/name - [DEFAULT]/sqlite_synchronous +#sqlite_synchronous = true + +# The back end to use for the database. (string value) +# Deprecated group/name - [DEFAULT]/db_backend +#backend = sqlalchemy + +# The SQLAlchemy connection string to use to connect to the database. (string +# value) +# Deprecated group/name - [DEFAULT]/sql_connection +# Deprecated group/name - [DATABASE]/sql_connection +# Deprecated group/name - [sql]/connection +#connection = <None> +connection=postgresql://{{ NOVA_DB_USER }}:{{ NOVA_DB_PASSWORD }}@{{ CONTROLLER_HOST_ADDRESS }}/nova + +# The SQLAlchemy connection string to use to connect to the slave database. +# (string value) +#slave_connection = <None> + +# The SQL mode to be used for MySQL sessions. This option, including the +# default, overrides any server-set SQL mode. To use whatever SQL mode is set +# by the server configuration, set this to no value. Example: mysql_sql_mode= +# (string value) +#mysql_sql_mode = TRADITIONAL + +# Timeout before idle SQL connections are reaped. (integer value) +# Deprecated group/name - [DEFAULT]/sql_idle_timeout +# Deprecated group/name - [DATABASE]/sql_idle_timeout +# Deprecated group/name - [sql]/idle_timeout +#idle_timeout = 3600 + +# Minimum number of SQL connections to keep open in a pool. (integer value) +# Deprecated group/name - [DEFAULT]/sql_min_pool_size +# Deprecated group/name - [DATABASE]/sql_min_pool_size +#min_pool_size = 1 + +# Maximum number of SQL connections to keep open in a pool. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_pool_size +# Deprecated group/name - [DATABASE]/sql_max_pool_size +#max_pool_size = <None> + +# Maximum number of database connection retries during startup. Set to -1 to +# specify an infinite retry count. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_retries +# Deprecated group/name - [DATABASE]/sql_max_retries +#max_retries = 10 + +# Interval between retries of opening a SQL connection. (integer value) +# Deprecated group/name - [DEFAULT]/sql_retry_interval +# Deprecated group/name - [DATABASE]/reconnect_interval +#retry_interval = 10 + +# If set, use this value for max_overflow with SQLAlchemy. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_overflow +# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow +#max_overflow = <None> + +# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer +# value) +# Deprecated group/name - [DEFAULT]/sql_connection_debug +#connection_debug = 0 + +# Add Python stack traces to SQL as comment strings. (boolean value) +# Deprecated group/name - [DEFAULT]/sql_connection_trace +#connection_trace = false + +# If set, use this value for pool_timeout with SQLAlchemy. (integer value) +# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout +#pool_timeout = <None> + +# Enable the experimental use of database reconnect on connection lost. +# (boolean value) +#use_db_reconnect = false + +# Seconds between retries of a database transaction. (integer value) +#db_retry_interval = 1 + +# If True, increases the interval between retries of a database operation up to +# db_max_retry_interval. (boolean value) +#db_inc_retry_interval = true + +# If db_inc_retry_interval is set, the maximum seconds between retries of a +# database operation. (integer value) +#db_max_retry_interval = 10 + +# Maximum retries in case of connection error or deadlock error before error is +# raised. Set to -1 to specify an infinite retry count. (integer value) +#db_max_retries = 20 + + +# +# Options defined in nova.db.sqlalchemy.api +# + +# The SQLAlchemy connection string to use to connect to the +# slave database. (string value) +#slave_connection=<None> + +# The SQL mode to be used for MySQL sessions. This option, +# including the default, overrides any server-set SQL mode. To +# use whatever SQL mode is set by the server configuration, +# set this to no value. Example: mysql_sql_mode= (string +# value) +#mysql_sql_mode=TRADITIONAL + + +[ephemeral_storage_encryption] + +# +# Options defined in nova.compute.api +# + +# Whether to encrypt ephemeral storage (boolean value) +#enabled=false + +# The cipher and mode to be used to encrypt ephemeral storage. +# Which ciphers are available ciphers depends on kernel +# support. See /proc/crypto for the list of available options. +# (string value) +#cipher=aes-xts-plain64 + +# The bit length of the encryption key to be used to encrypt +# ephemeral storage (in XTS mode only half of the bits are +# used for encryption key) (integer value) +#key_size=512 + + +[glance] + +# +# Options defined in nova.image.glance +# + +# Default glance hostname or IP address (string value) +host={{ CONTROLLER_HOST_ADDRESS }} + +# Default glance port (integer value) +port=9292 + +# Default protocol to use when connecting to glance. Set to +# https for SSL. (string value) +protocol=http + +# A list of the glance api servers available to nova. Prefix +# with https:// for ssl-based glance api servers. +# ([hostname|ip]:port) (list value) +api_servers=$host:$port + +# Allow to perform insecure SSL (https) requests to glance +# (boolean value) +#api_insecure=false + +# Number of retries when uploading / downloading an image to / +# from glance. (integer value) +#num_retries=0 + +# A list of url scheme that can be downloaded directly via the +# direct_url. Currently supported schemes: [file]. (list +# value) +#allowed_direct_url_schemes= + + +[guestfs] + +# +# Options defined in nova.virt.disk.vfs.guestfs +# + +# Enable guestfs debug (boolean value) +#debug=false + + +[hyperv] + +# +# Options defined in nova.virt.hyperv.pathutils +# + +# The name of a Windows share name mapped to the +# "instances_path" dir and used by the resize feature to copy +# files to the target host. If left blank, an administrative +# share will be used, looking for the same "instances_path" +# used locally (string value) +#instances_path_share= + + +# +# Options defined in nova.virt.hyperv.utilsfactory +# + +# Force V1 WMI utility classes (boolean value) +#force_hyperv_utils_v1=false + +# Force V1 volume utility class (boolean value) +#force_volumeutils_v1=false + + +# +# Options defined in nova.virt.hyperv.vif +# + +# External virtual switch Name, if not provided, the first +# external virtual switch is used (string value) +#vswitch_name=<None> + + +# +# Options defined in nova.virt.hyperv.vmops +# + +# Required for live migration among hosts with different CPU +# features (boolean value) +#limit_cpu_features=false + +# Sets the admin password in the config drive image (boolean +# value) +#config_drive_inject_password=false + +# Path of qemu-img command which is used to convert between +# different image types (string value) +#qemu_img_cmd=qemu-img.exe + +# Attaches the Config Drive image as a cdrom drive instead of +# a disk drive (boolean value) +#config_drive_cdrom=false + +# Enables metrics collections for an instance by using +# Hyper-V's metric APIs. Collected data can by retrieved by +# other apps and services, e.g.: Ceilometer. Requires Hyper-V +# / Windows Server 2012 and above (boolean value) +#enable_instance_metrics_collection=false + +# Enables dynamic memory allocation (ballooning) when set to a +# value greater than 1. The value expresses the ratio between +# the total RAM assigned to an instance and its startup RAM +# amount. For example a ratio of 2.0 for an instance with +# 1024MB of RAM implies 512MB of RAM allocated at startup +# (floating point value) +#dynamic_memory_ratio=1.0 + +# Number of seconds to wait for instance to shut down after +# soft reboot request is made. We fall back to hard reboot if +# instance does not shutdown within this window. (integer +# value) +#wait_soft_reboot_seconds=60 + + +# +# Options defined in nova.virt.hyperv.volumeops +# + +# The number of times to retry to attach a volume (integer +# value) +#volume_attach_retry_count=10 + +# Interval between volume attachment attempts, in seconds +# (integer value) +#volume_attach_retry_interval=5 + +# The number of times to retry checking for a disk mounted via +# iSCSI. (integer value) +#mounted_disk_query_retry_count=10 + +# Interval between checks for a mounted iSCSI disk, in +# seconds. (integer value) +#mounted_disk_query_retry_interval=5 + + +[image_file_url] + +# +# Options defined in nova.image.download.file +# + +# List of file systems that are configured in this file in the +# image_file_url:<list entry name> sections (list value) +#filesystems= + + +[ironic] + +# +# Options defined in nova.virt.ironic.driver +# + +# Version of Ironic API service endpoint. (integer value) +#api_version=1 + +# URL for Ironic API endpoint. (string value) +api_endpoint=http://{{ CONTROLLER_HOST_ADDRESS }}:6385/v1 + +# Ironic keystone admin name (string value) +admin_username={{ IRONIC_SERVICE_USER }} + +# Ironic keystone admin password. (string value) +admin_password={{ IRONIC_SERVICE_PASSWORD }} + +# Ironic keystone auth token. (string value) +#admin_auth_token=<None> + +# Keystone public API endpoint. (string value) +admin_url=http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 + +# Log level override for ironicclient. Set this in order to +# override the global "default_log_levels", "verbose", and +# "debug" settings. DEPRECATED: use standard logging +# configuration. (string value) +#client_log_level=<None> + +# Ironic keystone tenant name. (string value) +admin_tenant_name=service + +# How many retries when a request does conflict. (integer +# value) +#api_max_retries=60 + +# How often to retry in seconds when a request does conflict +# (integer value) +#api_retry_interval=2 + + +[keymgr] + +# +# Options defined in nova.keymgr +# + +# The full class name of the key manager API class (string +# value) +#api_class=nova.keymgr.conf_key_mgr.ConfKeyManager + + +# +# Options defined in nova.keymgr.conf_key_mgr +# + +# Fixed key returned by key manager, specified in hex (string +# value) +#fixed_key=<None> + + +[keystone_authtoken] + +# +# From keystonemiddleware.auth_token +# + +# Complete public Identity API endpoint. (string value) +auth_uri = http://{{ CONTROLLER_HOST_ADDRESS }}:5000/v2.0 + +# API version of the admin Identity API endpoint. (string value) +auth_version = v2.0 + +# Do not handle authorization requests within the middleware, but delegate the +# authorization decision to downstream WSGI components. (boolean value) +#delay_auth_decision = false + +# Request timeout value for communicating with Identity API server. (integer +# value) +#http_connect_timeout = <None> + +# How many times are we trying to reconnect when communicating with Identity +# API Server. (integer value) +#http_request_max_retries = 3 + +# Env key for the swift cache. (string value) +#cache = <None> + +# Required if identity server requires client certificate (string value) +#certfile = <None> + +# Required if identity server requires client certificate (string value) +#keyfile = <None> + +# A PEM encoded Certificate Authority to use when verifying HTTPs connections. +# Defaults to system CAs. (string value) +#cafile = <None> + +# Verify HTTPS connections. (boolean value) +#insecure = false + +# Directory used to cache files related to PKI tokens. (string value) +#signing_dir = <None> + +# Optionally specify a list of memcached server(s) to use for caching. If left +# undefined, tokens will instead be cached in-process. (list value) +# Deprecated group/name - [DEFAULT]/memcache_servers +#memcached_servers = <None> + +# In order to prevent excessive effort spent validating tokens, the middleware +# caches previously-seen tokens for a configurable duration (in seconds). Set +# to -1 to disable caching completely. (integer value) +#token_cache_time = 300 + +# Determines the frequency at which the list of revoked tokens is retrieved +# from the Identity service (in seconds). A high number of revocation events +# combined with a low cache duration may significantly reduce performance. +# (integer value) +#revocation_cache_time = 10 + +# (Optional) If defined, indicate whether token data should be authenticated or +# authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, +# token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data +# is encrypted and authenticated in the cache. If the value is not one of these +# options or empty, auth_token will raise an exception on initialization. +# (string value) +#memcache_security_strategy = <None> + +# (Optional, mandatory if memcache_security_strategy is defined) This string is +# used for key derivation. (string value) +#memcache_secret_key = <None> + +# (Optional) Number of seconds memcached server is considered dead before it is +# tried again. (integer value) +#memcache_pool_dead_retry = 300 + +# (Optional) Maximum total number of open connections to every memcached +# server. (integer value) +#memcache_pool_maxsize = 10 + +# (Optional) Socket timeout in seconds for communicating with a memcache +# server. (integer value) +#memcache_pool_socket_timeout = 3 + +# (Optional) Number of seconds a connection to memcached is held unused in the +# pool before it is closed. (integer value) +#memcache_pool_unused_timeout = 60 + +# (Optional) Number of seconds that an operation will wait to get a memcache +# client connection from the pool. (integer value) +#memcache_pool_conn_get_timeout = 10 + +# (Optional) Use the advanced (eventlet safe) memcache client pool. The +# advanced pool will only work under python 2.x. (boolean value) +#memcache_use_advanced_pool = false + +# (Optional) Indicate whether to set the X-Service-Catalog header. If False, +# middleware will not ask for service catalog on token validation and will not +# set the X-Service-Catalog header. (boolean value) +#include_service_catalog = true + +# Used to control the use and type of token binding. Can be set to: "disabled" +# to not check token binding. "permissive" (default) to validate binding +# information if the bind type is of a form known to the server and ignore it +# if not. "strict" like "permissive" but if the bind type is unknown the token +# will be rejected. "required" any form of token binding is needed to be +# allowed. Finally the name of a binding method that must be present in tokens. +# (string value) +#enforce_token_bind = permissive + +# If true, the revocation list will be checked for cached tokens. This requires +# that PKI tokens are configured on the identity server. (boolean value) +#check_revocations_for_cached = false + +# Hash algorithms to use for hashing PKI tokens. This may be a single algorithm +# or multiple. The algorithms are those supported by Python standard +# hashlib.new(). The hashes will be tried in the order given, so put the +# preferred one first for performance. The result of the first hash will be +# stored in the cache. This will typically be set to multiple values only while +# migrating from a less secure algorithm to a more secure one. Once all the old +# tokens are expired this option should be set to a single value for better +# performance. (list value) +#hash_algorithms = md5 + +# Prefix to prepend at the beginning of the path. Deprecated, use identity_uri. +# (string value) +#auth_admin_prefix = + +# Host providing the admin Identity API endpoint. Deprecated, use identity_uri. +# (string value) +#auth_host = 127.0.0.1 + +# Port of the admin Identity API endpoint. Deprecated, use identity_uri. +# (integer value) +#auth_port = 35357 + +# Protocol of the admin Identity API endpoint (http or https). Deprecated, use +# identity_uri. (string value) +#auth_protocol = https + +# Complete admin Identity API endpoint. This should specify the unversioned +# root endpoint e.g. https://localhost:35357/ (string value) +identity_uri = http://{{ CONTROLLER_HOST_ADDRESS }}:35357 + +# This option is deprecated and may be removed in a future release. Single +# shared secret with the Keystone configuration used for bootstrapping a +# Keystone installation, or otherwise bypassing the normal authentication +# process. This option should not be used, use `admin_user` and +# `admin_password` instead. (string value) +#admin_token = <None> + +# Service username. (string value) +admin_user = {{ NOVA_SERVICE_USER }} + +# Service user password. (string value) +admin_password = {{ NOVA_SERVICE_PASSWORD }} + +# Service tenant name. (string value) +admin_tenant_name = service + + +[libvirt] + +# +# Options defined in nova.virt.libvirt.driver +# + +# Rescue ami image. This will not be used if an image id is +# provided by the user. (string value) +#rescue_image_id=<None> + +# Rescue aki image (string value) +#rescue_kernel_id=<None> + +# Rescue ari image (string value) +#rescue_ramdisk_id=<None> + +# Libvirt domain type (valid options are: kvm, lxc, qemu, uml, +# xen and parallels) (string value) +virt_type={{ NOVA_VIRT_TYPE }} + +# Override the default libvirt URI (which is dependent on +# virt_type) (string value) +#connection_uri= + +# Inject the admin password at boot time, without an agent. +# (boolean value) +#inject_password=false + +# Inject the ssh public key at boot time (boolean value) +#inject_key=false + +# The partition to inject to : -2 => disable, -1 => inspect +# (libguestfs only), 0 => not partitioned, >0 => partition +# number (integer value) +#inject_partition=-2 + +# Sync virtual and real mouse cursors in Windows VMs (boolean +# value) +#use_usb_tablet=true + +# Migration target URI (any included "%s" is replaced with the +# migration target hostname) (string value) +#live_migration_uri=qemu+tcp://%s/system + +# Migration flags to be set for live migration (string value) +#live_migration_flag=VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE, VIR_MIGRATE_TUNNELLED + +# Migration flags to be set for block migration (string value) +#block_migration_flag=VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE, VIR_MIGRATE_TUNNELLED, VIR_MIGRATE_NON_SHARED_INC + +# Maximum bandwidth to be used during migration, in Mbps +# (integer value) +#live_migration_bandwidth=0 + +# Snapshot image format (valid options are : raw, qcow2, vmdk, +# vdi). Defaults to same as source image (string value) +#snapshot_image_format=<None> + +# Override the default disk prefix for the devices attached to +# a server, which is dependent on virt_type. (valid options +# are: sd, xvd, uvd, vd) (string value) +#disk_prefix=<None> + +# Number of seconds to wait for instance to shut down after +# soft reboot request is made. We fall back to hard reboot if +# instance does not shutdown within this window. (integer +# value) +#wait_soft_reboot_seconds=120 + +# Set to "host-model" to clone the host CPU feature flags; to +# "host-passthrough" to use the host CPU model exactly; to +# "custom" to use a named CPU model; to "none" to not set any +# CPU model. If virt_type="kvm|qemu", it will default to +# "host-model", otherwise it will default to "none" (string +# value) +#cpu_mode=<None> + +# Set to a named libvirt CPU model (see names listed in +# /usr/share/libvirt/cpu_map.xml). Only has effect if +# cpu_mode="custom" and virt_type="kvm|qemu" (string value) +#cpu_model=<None> + +# Location where libvirt driver will store snapshots before +# uploading them to image service (string value) +#snapshots_directory=$instances_path/snapshots + +# Location where the Xen hvmloader is kept (string value) +#xen_hvmloader_path=/usr/lib/xen/boot/hvmloader + +# Specific cachemodes to use for different disk types e.g: +# file=directsync,block=none (list value) +#disk_cachemodes= + +# A path to a device that will be used as source of entropy on +# the host. Permitted options are: /dev/random or /dev/hwrng +# (string value) +#rng_dev_path=<None> + +# For qemu or KVM guests, set this option to specify a default +# machine type per host architecture. You can find a list of +# supported machine types in your environment by checking the +# output of the "virsh capabilities"command. The format of the +# value for this config option is host-arch=machine-type. For +# example: x86_64=machinetype1,armv7l=machinetype2 (list +# value) +#hw_machine_type=<None> + +# The data source used to the populate the host "serial" UUID +# exposed to guest in the virtual BIOS. Permitted options are +# "hardware", "os", "none" or "auto" (default). (string value) +#sysinfo_serial=auto + +# A number of seconds to memory usage statistics period. Zero +# or negative value mean to disable memory usage statistics. +# (integer value) +#mem_stats_period_seconds=10 + +# List of uid targets and ranges.Syntax is guest-uid:host- +# uid:countMaximum of 5 allowed. (list value) +#uid_maps= + +# List of guid targets and ranges.Syntax is guest-gid:host- +# gid:countMaximum of 5 allowed. (list value) +#gid_maps= + + +# +# Options defined in nova.virt.libvirt.imagebackend +# + +# VM Images format. Acceptable values are: raw, qcow2, lvm, +# rbd, default. If default is specified, then use_cow_images +# flag is used instead of this one. (string value) +#images_type=default + +# LVM Volume Group that is used for VM images, when you +# specify images_type=lvm. (string value) +#images_volume_group=<None> + +# Create sparse logical volumes (with virtualsize) if this +# flag is set to True. (boolean value) +#sparse_logical_volumes=false + +# The RADOS pool in which rbd volumes are stored (string +# value) +#images_rbd_pool=rbd + +# Path to the ceph configuration file to use (string value) +#images_rbd_ceph_conf= + +# Discard option for nova managed disks (valid options are: +# ignore, unmap). Need Libvirt(1.0.6) Qemu1.5 (raw format) +# Qemu1.6(qcow2 format) (string value) +#hw_disk_discard=<None> + + +# +# Options defined in nova.virt.libvirt.imagecache +# + +# Allows image information files to be stored in non-standard +# locations (string value) +#image_info_filename_pattern=$instances_path/$image_cache_subdirectory_name/%(image)s.info + +# Should unused kernel images be removed? This is only safe to +# enable if all compute nodes have been updated to support +# this option. This will be enabled by default in future. +# (boolean value) +#remove_unused_kernels=false + +# Unused resized base images younger than this will not be +# removed (integer value) +#remove_unused_resized_minimum_age_seconds=3600 + +# Write a checksum for files in _base to disk (boolean value) +#checksum_base_images=false + +# How frequently to checksum base images (integer value) +#checksum_interval_seconds=3600 + + +# +# Options defined in nova.virt.libvirt.lvm +# + +# Method used to wipe old volumes (valid options are: none, +# zero, shred) (string value) +#volume_clear=zero + +# Size in MiB to wipe at start of old volumes. 0 => all +# (integer value) +#volume_clear_size=0 + + +# +# Options defined in nova.virt.libvirt.utils +# + +# Compress snapshot images when possible. This currently +# applies exclusively to qcow2 images (boolean value) +#snapshot_compression=false + + +# +# Options defined in nova.virt.libvirt.vif +# + +# Use virtio for bridge interfaces with KVM/QEMU (boolean +# value) +#use_virtio_for_bridges=true + + +# +# Options defined in nova.virt.libvirt.volume +# + +# Number of times to rescan iSCSI target to find volume +# (integer value) +#num_iscsi_scan_tries=5 + +# Number of times to rescan iSER target to find volume +# (integer value) +#num_iser_scan_tries=5 + +# The RADOS client name for accessing rbd volumes (string +# value) +#rbd_user=<None> + +# The libvirt UUID of the secret for the rbd_uservolumes +# (string value) +#rbd_secret_uuid=<None> + +# Directory where the NFS volume is mounted on the compute +# node (string value) +#nfs_mount_point_base=$state_path/mnt + +# Mount options passed to the NFS client. See section of the +# nfs man page for details (string value) +#nfs_mount_options=<None> + +# Directory where the SMBFS shares are mounted on the compute +# node (string value) +#smbfs_mount_point_base=$state_path/mnt + +# Mount options passed to the SMBFS client. See mount.cifs man +# page for details. Note that the libvirt-qemu uid and gid +# must be specified. (string value) +#smbfs_mount_options= + +# Number of times to rediscover AoE target to find volume +# (integer value) +#num_aoe_discover_tries=3 + +# Directory where the glusterfs volume is mounted on the +# compute node (string value) +#glusterfs_mount_point_base=$state_path/mnt + +# Use multipath connection of the iSCSI volume (boolean value) +#iscsi_use_multipath=false + +# Use multipath connection of the iSER volume (boolean value) +#iser_use_multipath=false + +# Path or URL to Scality SOFS configuration file (string +# value) +#scality_sofs_config=<None> + +# Base dir where Scality SOFS shall be mounted (string value) +#scality_sofs_mount_point=$state_path/scality + +# Protocols listed here will be accessed directly from QEMU. +# Currently supported protocols: [gluster] (list value) +#qemu_allowed_storage_drivers= + +# Directory where the Quobyte volume is mounted on the compute +# node (string value) +#quobyte_mount_point_base=$state_path/mnt + +# Path to a Quobyte Client configuration file. (string value) +#quobyte_client_cfg=<None> + +# The iSCSI transport iface to use to connect to target in +# case offload support is desired. Supported transports are +# be2iscsi, bnx2i, cxgb3i, cxgb4i, qla4xxx and ocs. Default +# format is transport_name.hwaddress and can be generated +# manually or via iscsiadm -m iface (string value) +# Deprecated group/name - [DEFAULT]/iscsi_transport +#iscsi_iface=<None> + + +[metrics] + +# +# Options defined in nova.scheduler.weights.metrics +# + +# Multiplier used for weighing metrics. (floating point value) +#weight_multiplier=1.0 + +# How the metrics are going to be weighed. This should be in +# the form of "<name1>=<ratio1>, <name2>=<ratio2>, ...", where +# <nameX> is one of the metrics to be weighed, and <ratioX> is +# the corresponding ratio. So for "name1=1.0, name2=-1.0" The +# final weight would be name1.value * 1.0 + name2.value * +# -1.0. (list value) +#weight_setting= + +# How to treat the unavailable metrics. When a metric is NOT +# available for a host, if it is set to be True, it would +# raise an exception, so it is recommended to use the +# scheduler filter MetricFilter to filter out those hosts. If +# it is set to be False, the unavailable metric would be +# treated as a negative factor in weighing process, the +# returned value would be set by the option +# weight_of_unavailable. (boolean value) +#required=true + +# The final weight value to be returned if required is set to +# False and any one of the metrics set by weight_setting is +# unavailable. (floating point value) +#weight_of_unavailable=-10000.0 + + +[neutron] + +# +# Options defined in nova.api.metadata.handler +# + +# Set flag to indicate Neutron will proxy metadata requests +# and resolve instance ids. (boolean value) +service_metadata_proxy=True + +# Shared secret to validate proxies Neutron metadata requests +# (string value) +metadata_proxy_shared_secret={{ METADATA_PROXY_SHARED_SECRET }} + + +# +# Options defined in nova.network.neutronv2.api +# + +# URL for connecting to neutron (string value) +url=http://{{ CONTROLLER_HOST_ADDRESS }}:9696 + +# User id for connecting to neutron in admin context. +# DEPRECATED: specify an auth_plugin and appropriate +# credentials instead. (string value) +#admin_user_id=<None> + +# Username for connecting to neutron in admin context +# DEPRECATED: specify an auth_plugin and appropriate +# credentials instead. (string value) +admin_username={{ NEUTRON_SERVICE_USER }} + +# Password for connecting to neutron in admin context +# DEPRECATED: specify an auth_plugin and appropriate +# credentials instead. (string value) +admin_password={{ NEUTRON_SERVICE_PASSWORD }} + +# Tenant id for connecting to neutron in admin context +# DEPRECATED: specify an auth_plugin and appropriate +# credentials instead. (string value) +#admin_tenant_id=<None> + +# Tenant name for connecting to neutron in admin context. This +# option will be ignored if neutron_admin_tenant_id is set. +# Note that with Keystone V3 tenant names are only unique +# within a domain. DEPRECATED: specify an auth_plugin and +# appropriate credentials instead. (string value) +admin_tenant_name=service + +# Region name for connecting to neutron in admin context +# (string value) +#region_name=<None> + +# Authorization URL for connecting to neutron in admin +# context. DEPRECATED: specify an auth_plugin and appropriate +# credentials instead. (string value) +admin_auth_url=http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 + +# Authorization strategy for connecting to neutron in admin +# context. DEPRECATED: specify an auth_plugin and appropriate +# credentials instead. If an auth_plugin is specified strategy +# will be ignored. (string value) +auth_strategy=keystone + +# Name of Integration Bridge used by Open vSwitch (string +# value) +#ovs_bridge=br-int + +# Number of seconds before querying neutron for extensions +# (integer value) +#extension_sync_interval=600 + +# DEPRECATED: Allow an instance to have multiple vNICs +# attached to the same Neutron network. This option is +# deprecated in the 2015.1 release and will be removed in the +# 2015.2 release where the default behavior will be to always +# allow multiple ports from the same network to be attached to +# an instance. (boolean value) +#allow_duplicate_networks=false + + +[osapi_v3] + +# +# Options defined in nova.api.openstack +# + +# Whether the V3 API is enabled or not (boolean value) +#enabled=false + +# A list of v3 API extensions to never load. Specify the +# extension aliases here. (list value) +#extensions_blacklist= + +# If the list is not empty then a v3 API extension will only +# be loaded if it exists in this list. Specify the extension +# aliases here. (list value) +#extensions_whitelist= + + +[rdp] + +# +# Options defined in nova.rdp +# + +# Location of RDP html5 console proxy, in the form +# "http://127.0.0.1:6083/" (string value) +#html5_proxy_base_url=http://127.0.0.1:6083/ + +# Enable RDP related features (boolean value) +#enabled=false + + +[serial_console] + +# +# Options defined in nova.cmd.serialproxy +# + +# Host on which to listen for incoming requests (string value) +serialproxy_host=127.0.0.1 + +# Port on which to listen for incoming requests (integer +# value) +#serialproxy_port=6083 + + +# +# Options defined in nova.console.serial +# + +# Enable serial console related features (boolean value) +enabled=false + +# Range of TCP ports to use for serial ports on compute hosts +# (string value) +#port_range=10000:20000 + +# Location of serial console proxy. (string value) +#base_url=ws://127.0.0.1:6083/ + +# IP address on which instance serial console should listen +# (string value) +#listen=127.0.0.1 + +# The address to which proxy clients (like nova-serialproxy) +# should connect (string value) +#proxyclient_address=127.0.0.1 + + +[spice] + +# +# Options defined in nova.cmd.spicehtml5proxy +# + +# Host on which to listen for incoming requests (string value) +#html5proxy_host=0.0.0.0 + +# Port on which to listen for incoming requests (integer +# value) +#html5proxy_port=6082 + + +# +# Options defined in nova.spice +# + +# Location of spice HTML5 console proxy, in the form +# "http://127.0.0.1:6082/spice_auto.html" (string value) +#html5proxy_base_url=http://127.0.0.1:6082/spice_auto.html + +# IP address on which instance spice server should listen +# (string value) +#server_listen=127.0.0.1 + +# The address to which proxy clients (like nova- +# spicehtml5proxy) should connect (string value) +#server_proxyclient_address=127.0.0.1 + +# Enable spice related features (boolean value) +enabled=false + +# Enable spice guest agent support (boolean value) +#agent_enabled=true + +# Keymap for spice (string value) +#keymap=en-us + + +[ssl] + +# +# Options defined in nova.openstack.common.sslutils +# + +# CA certificate file to use to verify connecting clients. +# (string value) +#ca_file=<None> + +# Certificate file to use when starting the server securely. +# (string value) +#cert_file=<None> + +# Private key file to use when starting the server securely. +# (string value) +#key_file=<None> + + +[trusted_computing] + +# +# Options defined in nova.scheduler.filters.trusted_filter +# + +# Attestation server HTTP (string value) +#attestation_server=<None> + +# Attestation server Cert file for Identity verification +# (string value) +#attestation_server_ca_file=<None> + +# Attestation server port (string value) +#attestation_port=8443 + +# Attestation web API URL (string value) +#attestation_api_url=/OpenAttestationWebServices/V1.0 + +# Attestation authorization blob - must change (string value) +#attestation_auth_blob=<None> + +# Attestation status cache valid period length (integer value) +#attestation_auth_timeout=60 + +# Disable SSL cert verification for Attestation service +# (boolean value) +#attestation_insecure_ssl=false + + +[upgrade_levels] + +# +# Options defined in nova.baserpc +# + +# Set a version cap for messages sent to the base api in any +# service (string value) +#baseapi=<None> + + +# +# Options defined in nova.cells.rpc_driver +# + +# Set a version cap for messages sent between cells services +# (string value) +#intercell=<None> + + +# +# Options defined in nova.cells.rpcapi +# + +# Set a version cap for messages sent to local cells services +# (string value) +#cells=<None> + + +# +# Options defined in nova.cert.rpcapi +# + +# Set a version cap for messages sent to cert services (string +# value) +#cert=<None> + + +# +# Options defined in nova.compute.rpcapi +# + +# Set a version cap for messages sent to compute services. If +# you plan to do a live upgrade from havana to icehouse, you +# should set this option to "icehouse-compat" before beginning +# the live upgrade procedure. (string value) +#compute=<None> + + +# +# Options defined in nova.conductor.rpcapi +# + +# Set a version cap for messages sent to conductor services +# (string value) +#conductor=<None> + + +# +# Options defined in nova.console.rpcapi +# + +# Set a version cap for messages sent to console services +# (string value) +#console=<None> + + +# +# Options defined in nova.consoleauth.rpcapi +# + +# Set a version cap for messages sent to consoleauth services +# (string value) +#consoleauth=<None> + + +# +# Options defined in nova.network.rpcapi +# + +# Set a version cap for messages sent to network services +# (string value) +#network=<None> + + +# +# Options defined in nova.scheduler.rpcapi +# + +# Set a version cap for messages sent to scheduler services +# (string value) +#scheduler=<None> + + +[vmware] + +# +# Options defined in nova.virt.vmwareapi.driver +# + +# The PBM status. (boolean value) +#pbm_enabled=false + +# PBM service WSDL file location URL. e.g. +# file:///opt/SDK/spbm/wsdl/pbmService.wsdl Not setting this +# will disable storage policy based placement of instances. +# (string value) +#pbm_wsdl_location=<None> + +# The PBM default policy. If pbm_wsdl_location is set and +# there is no defined storage policy for the specific request +# then this policy will be used. (string value) +#pbm_default_policy=<None> + +# Hostname or IP address for connection to VMware VC host. +# (string value) +#host_ip=<None> + +# Port for connection to VMware VC host. (integer value) +#host_port=443 + +# Username for connection to VMware VC host. (string value) +#host_username=<None> + +# Password for connection to VMware VC host. (string value) +#host_password=<None> + +# Name of a VMware Cluster ComputeResource. (multi valued) +#cluster_name=<None> + +# Regex to match the name of a datastore. (string value) +#datastore_regex=<None> + +# The interval used for polling of remote tasks. (floating +# point value) +#task_poll_interval=0.5 + +# The number of times we retry on failures, e.g., socket +# error, etc. (integer value) +#api_retry_count=10 + +# VNC starting port (integer value) +#vnc_port=5900 + +# Total number of VNC ports (integer value) +#vnc_port_total=10000 + +# Whether to use linked clone (boolean value) +#use_linked_clone=true + +# Optional VIM Service WSDL Location e.g +# http://<server>/vimService.wsdl. Optional over-ride to +# default location for bug work-arounds (string value) +#wsdl_location=<None> + + +# +# Options defined in nova.virt.vmwareapi.vif +# + +# Physical ethernet adapter name for vlan networking (string +# value) +#vlan_interface=vmnic0 + +# Name of Integration Bridge (string value) +#integration_bridge=br-int + + +# +# Options defined in nova.virt.vmwareapi.vim_util +# + +# The maximum number of ObjectContent data objects that should +# be returned in a single result. A positive value will cause +# the operation to suspend the retrieval when the count of +# objects reaches the specified maximum. The server may still +# limit the count to something less than the configured value. +# Any remaining objects may be retrieved with additional +# requests. (integer value) +#maximum_objects=100 + + +# +# Options defined in nova.virt.vmwareapi.vmops +# + +# The prefix for Where cached images are stored. This is NOT +# the full path - just a folder prefix. This should only be +# used when a datastore cache should be shared between compute +# nodes. Note: this should only be used when the compute nodes +# have a shared file system. (string value) +#cache_prefix=<None> + + +[workarounds] + +# +# Options defined in nova.utils +# + +# This option allows a fallback to sudo for performance +# reasons. For example see +# https://bugs.launchpad.net/nova/+bug/1415106 (boolean value) +#disable_rootwrap=false + +# When using libvirt 1.2.2 fails live snapshots intermittently +# under load. This config option provides mechanism to +# disable livesnapshot while this is resolved. See +# https://bugs.launchpad.net/nova/+bug/1334398 (boolean value) +#disable_libvirt_livesnapshot=true + +# Whether to destroy instances on startup when we suspect they +# have previously been evacuated. This can result in data loss +# if undesired. See https://launchpad.net/bugs/1419785 +# (boolean value) +#destroy_after_evacuate=true + + +[xenserver] + +# +# Options defined in nova.virt.xenapi.agent +# + +# Number of seconds to wait for agent reply (integer value) +#agent_timeout=30 + +# Number of seconds to wait for agent to be fully operational +# (integer value) +#agent_version_timeout=300 + +# Number of seconds to wait for agent reply to resetnetwork +# request (integer value) +#agent_resetnetwork_timeout=60 + +# Specifies the path in which the XenAPI guest agent should be +# located. If the agent is present, network configuration is +# not injected into the image. Used if +# compute_driver=xenapi.XenAPIDriver and flat_injected=True +# (string value) +#agent_path=usr/sbin/xe-update-networking + +# Disables the use of the XenAPI agent in any image regardless +# of what image properties are present. (boolean value) +#disable_agent=false + +# Determines if the XenAPI agent should be used when the image +# used does not contain a hint to declare if the agent is +# present or not. The hint is a glance property +# "xenapi_use_agent" that has the value "True" or "False". +# Note that waiting for the agent when it is not present will +# significantly increase server boot times. (boolean value) +#use_agent_default=false + + +# +# Options defined in nova.virt.xenapi.client.session +# + +# Timeout in seconds for XenAPI login. (integer value) +#login_timeout=10 + +# Maximum number of concurrent XenAPI connections. Used only +# if compute_driver=xenapi.XenAPIDriver (integer value) +#connection_concurrent=5 + + +# +# Options defined in nova.virt.xenapi.driver +# + +# URL for connection to XenServer/Xen Cloud Platform. A +# special value of unix://local can be used to connect to the +# local unix socket. Required if +# compute_driver=xenapi.XenAPIDriver (string value) +#connection_url=<None> + +# Username for connection to XenServer/Xen Cloud Platform. +# Used only if compute_driver=xenapi.XenAPIDriver (string +# value) +#connection_username=root + +# Password for connection to XenServer/Xen Cloud Platform. +# Used only if compute_driver=xenapi.XenAPIDriver (string +# value) +#connection_password=<None> + +# The interval used for polling of coalescing vhds. Used only +# if compute_driver=xenapi.XenAPIDriver (floating point value) +#vhd_coalesce_poll_interval=5.0 + +# Ensure compute service is running on host XenAPI connects +# to. (boolean value) +#check_host=true + +# Max number of times to poll for VHD to coalesce. Used only +# if compute_driver=xenapi.XenAPIDriver (integer value) +#vhd_coalesce_max_attempts=20 + +# Base path to the storage repository (string value) +#sr_base_path=/var/run/sr-mount + +# The iSCSI Target Host (string value) +#target_host=<None> + +# The iSCSI Target Port, default is port 3260 (string value) +#target_port=3260 + +# IQN Prefix (string value) +#iqn_prefix=iqn.2010-10.org.openstack + +# Used to enable the remapping of VBD dev (Works around an +# issue in Ubuntu Maverick) (boolean value) +#remap_vbd_dev=false + +# Specify prefix to remap VBD dev to (ex. /dev/xvdb -> +# /dev/sdb) (string value) +#remap_vbd_dev_prefix=sd + + +# +# Options defined in nova.virt.xenapi.image.bittorrent +# + +# Base URL for torrent files. (string value) +#torrent_base_url=<None> + +# Probability that peer will become a seeder. (1.0 = 100%) +# (floating point value) +#torrent_seed_chance=1.0 + +# Number of seconds after downloading an image via BitTorrent +# that it should be seeded for other peers. (integer value) +#torrent_seed_duration=3600 + +# Cached torrent files not accessed within this number of +# seconds can be reaped (integer value) +#torrent_max_last_accessed=86400 + +# Beginning of port range to listen on (integer value) +#torrent_listen_port_start=6881 + +# End of port range to listen on (integer value) +#torrent_listen_port_end=6891 + +# Number of seconds a download can remain at the same progress +# percentage w/o being considered a stall (integer value) +#torrent_download_stall_cutoff=600 + +# Maximum number of seeder processes to run concurrently +# within a given dom0. (-1 = no limit) (integer value) +#torrent_max_seeder_processes_per_host=1 + + +# +# Options defined in nova.virt.xenapi.pool +# + +# To use for hosts with different CPUs (boolean value) +#use_join_force=true + + +# +# Options defined in nova.virt.xenapi.vif +# + +# Name of Integration Bridge used by Open vSwitch (string +# value) +#ovs_integration_bridge=xapi1 + + +# +# Options defined in nova.virt.xenapi.vm_utils +# + +# Cache glance images locally. `all` will cache all images, +# `some` will only cache images that have the image_property +# `cache_in_nova=True`, and `none` turns off caching entirely +# (string value) +#cache_images=all + +# Compression level for images, e.g., 9 for gzip -9. Range is +# 1-9, 9 being most compressed but most CPU intensive on dom0. +# (integer value) +#image_compression_level=<None> + +# Default OS type (string value) +#default_os_type=linux + +# Time to wait for a block device to be created (integer +# value) +#block_device_creation_timeout=10 + +# Maximum size in bytes of kernel or ramdisk images (integer +# value) +#max_kernel_ramdisk_size=16777216 + +# Filter for finding the SR to be used to install guest +# instances on. To use the Local Storage in default +# XenServer/XCP installations set this flag to other-config +# :i18n-key=local-storage. To select an SR with a different +# matching criteria, you could set it to other- +# config:my_favorite_sr=true. On the other hand, to fall back +# on the Default SR, as displayed by XenCenter, set this flag +# to: default-sr:true (string value) +#sr_matching_filter=default-sr:true + +# Whether to use sparse_copy for copying data on a resize down +# (False will use standard dd). This speeds up resizes down +# considerably since large runs of zeros won't have to be +# rsynced (boolean value) +#sparse_copy=true + +# Maximum number of retries to unplug VBD. if <=0, should try +# once and no retry (integer value) +#num_vbd_unplug_retries=10 + +# Whether or not to download images via Bit Torrent +# (all|some|none). (string value) +#torrent_images=none + +# Name of network to use for booting iPXE ISOs (string value) +#ipxe_network_name=<None> + +# URL to the iPXE boot menu (string value) +#ipxe_boot_menu_url=<None> + +# Name and optionally path of the tool used for ISO image +# creation (string value) +#ipxe_mkisofs_cmd=mkisofs + + +# +# Options defined in nova.virt.xenapi.vmops +# + +# Number of seconds to wait for instance to go to running +# state (integer value) +#running_timeout=60 + +# The XenAPI VIF driver using XenServer Network APIs. (string +# value) +#vif_driver=nova.virt.xenapi.vif.XenAPIBridgeDriver + +# Dom0 plugin driver used to handle image uploads. (string +# value) +#image_upload_handler=nova.virt.xenapi.image.glance.GlanceStore + + +# +# Options defined in nova.virt.xenapi.volume_utils +# + +# Number of seconds to wait for an SR to settle if the VDI +# does not exist when first introduced (integer value) +#introduce_vdi_retry_wait=20 + + +[zookeeper] + +# +# Options defined in nova.servicegroup.drivers.zk +# + +# The ZooKeeper addresses for servicegroup service in the +# format of host1:port,host2:port,host3:port (string value) +#address=<None> + +# The recv_timeout parameter for the zk session (integer +# value) +#recv_timeout=4000 + +# The prefix used in ZooKeeper to store ephemeral nodes +# (string value) +#sg_prefix=/servicegroups + +# Number of seconds to wait until retrying to join the session +# (integer value) +#sg_retry_interval=5 + + +[matchmaker_redis] + +# +# From oslo.messaging +# + +# Host to locate redis. (string value) +#host = 127.0.0.1 + +# Use this port to connect to redis host. (integer value) +#port = 6379 + +# Password for Redis server (optional). (string value) +#password = <None> + + +[matchmaker_ring] + +# +# From oslo.messaging +# + +# Matchmaker ring file (JSON). (string value) +# Deprecated group/name - [DEFAULT]/matchmaker_ringfile +#ringfile = /etc/oslo/matchmaker_ring.json + + +[oslo_concurrency] + +# +# From oslo.concurrency +# + +# Enables or disables inter-process locks. (boolean value) +# Deprecated group/name - [DEFAULT]/disable_process_locking +#disable_process_locking = false + +# Directory to use for lock files. For security, the specified directory +# should only be writable by the user running the processes that need locking. +# Defaults to environment variable OSLO_LOCK_PATH. If external locks are used, +# a lock path must be set. (string value) +# Deprecated group/name - [DEFAULT]/lock_path +lock_path = /var/lock/nova + + +[oslo_messaging_amqp] + +# +# From oslo.messaging +# + +# address prefix used when sending to a specific server (string value) +# Deprecated group/name - [amqp1]/server_request_prefix +#server_request_prefix = exclusive + +# address prefix used when broadcasting to all servers (string value) +# Deprecated group/name - [amqp1]/broadcast_prefix +#broadcast_prefix = broadcast + +# address prefix when sending to any server in group (string value) +# Deprecated group/name - [amqp1]/group_request_prefix +#group_request_prefix = unicast + +# Name for the AMQP container (string value) +# Deprecated group/name - [amqp1]/container_name +#container_name = <None> + +# Timeout for inactive connections (in seconds) (integer value) +# Deprecated group/name - [amqp1]/idle_timeout +#idle_timeout = 0 + +# Debug: dump AMQP frames to stdout (boolean value) +# Deprecated group/name - [amqp1]/trace +#trace = false + +# CA certificate PEM file for verifing server certificate (string value) +# Deprecated group/name - [amqp1]/ssl_ca_file +#ssl_ca_file = + +# Identifying certificate PEM file to present to clients (string value) +# Deprecated group/name - [amqp1]/ssl_cert_file +#ssl_cert_file = + +# Private key PEM file used to sign cert_file certificate (string value) +# Deprecated group/name - [amqp1]/ssl_key_file +#ssl_key_file = + +# Password for decrypting ssl_key_file (if encrypted) (string value) +# Deprecated group/name - [amqp1]/ssl_key_password +#ssl_key_password = <None> + +# Accept clients using either SSL or plain TCP (boolean value) +# Deprecated group/name - [amqp1]/allow_insecure_clients +#allow_insecure_clients = false + + +[oslo_messaging_qpid] + +# +# From oslo.messaging +# + +# Use durable queues in AMQP. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_durable_queues +#amqp_durable_queues = false + +# Auto-delete queues in AMQP. (boolean value) +# Deprecated group/name - [DEFAULT]/amqp_auto_delete +#amqp_auto_delete = false + +# Size of RPC connection pool. (integer value) +# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size +#rpc_conn_pool_size = 30 + +# Qpid broker hostname. (string value) +# Deprecated group/name - [DEFAULT]/qpid_hostname +#qpid_hostname = localhost + +# Qpid broker port. (integer value) +# Deprecated group/name - [DEFAULT]/qpid_port +#qpid_port = 5672 + +# Qpid HA cluster host:port pairs. (list value) +# Deprecated group/name - [DEFAULT]/qpid_hosts +#qpid_hosts = $qpid_hostname:$qpid_port + +# Username for Qpid connection. (string value) +# Deprecated group/name - [DEFAULT]/qpid_username +#qpid_username = + +# Password for Qpid connection. (string value) +# Deprecated group/name - [DEFAULT]/qpid_password +#qpid_password = + +# Space separated list of SASL mechanisms to use for auth. (string value) +# Deprecated group/name - [DEFAULT]/qpid_sasl_mechanisms +#qpid_sasl_mechanisms = + +# Seconds between connection keepalive heartbeats. (integer value) +# Deprecated group/name - [DEFAULT]/qpid_heartbeat +#qpid_heartbeat = 60 + +# Transport to use, either 'tcp' or 'ssl'. (string value) +# Deprecated group/name - [DEFAULT]/qpid_protocol +#qpid_protocol = tcp + +# Whether to disable the Nagle algorithm. (boolean value) +# Deprecated group/name - [DEFAULT]/qpid_tcp_nodelay +#qpid_tcp_nodelay = true + +# The number of prefetched messages held by receiver. (integer value) +# Deprecated group/name - [DEFAULT]/qpid_receiver_capacity +#qpid_receiver_capacity = 1 + +# The qpid topology version to use. Version 1 is what was originally used by +# impl_qpid. Version 2 includes some backwards-incompatible changes that allow +# broker federation to work. Users should update to version 2 when they are +# able to take everything down, as it requires a clean break. (integer value) +# Deprecated group/name - [DEFAULT]/qpid_topology_version +#qpid_topology_version = 1 + + +[oslo_messaging_rabbit] + +# +# From oslo.messaging +# + +# Use durable queues in AMQP. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_durable_queues +#amqp_durable_queues = false + +# Auto-delete queues in AMQP. (boolean value) +# Deprecated group/name - [DEFAULT]/amqp_auto_delete +#amqp_auto_delete = false + +# Size of RPC connection pool. (integer value) +# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size +#rpc_conn_pool_size = 30 + +# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and +# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some +# distributions. (string value) +# Deprecated group/name - [DEFAULT]/kombu_ssl_version +#kombu_ssl_version = + +# SSL key file (valid only if SSL enabled). (string value) +# Deprecated group/name - [DEFAULT]/kombu_ssl_keyfile +#kombu_ssl_keyfile = + +# SSL cert file (valid only if SSL enabled). (string value) +# Deprecated group/name - [DEFAULT]/kombu_ssl_certfile +#kombu_ssl_certfile = + +# SSL certification authority file (valid only if SSL enabled). (string value) +# Deprecated group/name - [DEFAULT]/kombu_ssl_ca_certs +#kombu_ssl_ca_certs = + +# How long to wait before reconnecting in response to an AMQP consumer cancel +# notification. (floating point value) +# Deprecated group/name - [DEFAULT]/kombu_reconnect_delay +#kombu_reconnect_delay = 1.0 + +# The RabbitMQ broker address where a single node is used. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_host +rabbit_host = {{ RABBITMQ_HOST }} + +# The RabbitMQ broker port where a single node is used. (integer value) +# Deprecated group/name - [DEFAULT]/rabbit_port +rabbit_port = {{ RABBITMQ_PORT }} + +# RabbitMQ HA cluster host:port pairs. (list value) +# Deprecated group/name - [DEFAULT]/rabbit_hosts +#rabbit_hosts = $rabbit_host:$rabbit_port + +# Connect over SSL for RabbitMQ. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_use_ssl +rabbit_use_ssl = false + +# The RabbitMQ userid. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_userid +rabbit_userid = {{ RABBITMQ_USER }} + +# The RabbitMQ password. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_password +rabbit_password = {{ RABBITMQ_PASSWORD }} + +# The RabbitMQ login method. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_login_method +#rabbit_login_method = AMQPLAIN + +# The RabbitMQ virtual host. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_virtual_host +#rabbit_virtual_host = / + +# How frequently to retry connecting with RabbitMQ. (integer value) +#rabbit_retry_interval = 1 + +# How long to backoff for between retries when connecting to RabbitMQ. (integer +# value) +# Deprecated group/name - [DEFAULT]/rabbit_retry_backoff +#rabbit_retry_backoff = 2 + +# Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry +# count). (integer value) +# Deprecated group/name - [DEFAULT]/rabbit_max_retries +#rabbit_max_retries = 0 + +# Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you +# must wipe the RabbitMQ database. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_ha_queues +#rabbit_ha_queues = false + +# Number of seconds after which the Rabbit broker is considered down if +# heartbeat's keep-alive fails (0 disable the heartbeat). (integer value) +#heartbeat_timeout_threshold = 60 + +# How often times during the heartbeat_timeout_threshold we check the +# heartbeat. (integer value) +#heartbeat_rate = 2 + +# Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake (boolean value) +# Deprecated group/name - [DEFAULT]/fake_rabbit +#fake_rabbit = false diff --git a/old/install-files/openstack/usr/share/openstack/openvswitch.yml b/old/install-files/openstack/usr/share/openstack/openvswitch.yml new file mode 100644 index 00000000..47257f7f --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/openvswitch.yml @@ -0,0 +1,38 @@ +--- +- hosts: localhost + tasks: + + - name: Create openvswitch directories + file: path={{ item }} state=directory + with_items: + - /etc/openvswitch + - /var/run/openvswitch + + - shell: > + ovsdb-tool create /etc/openvswitch/conf.db /usr/share/openvswitch/vswitch.ovsschema + creates=/etc/openvswitch/conf.db + + # We enable the openvswitch-db-server in a different task to identify + # the first time we run this script by identifying when we enable the + # unit. + # + # We need to identify this to initialise the database. + - name: Enable openvswitch database service + service: name={{ item }} enabled=yes + with_items: + - openvswitch-db-server.service + register: openvswitch_db_enable + + - name: Start openvswitch database service + service: name={{ item }} state=started + with_items: + - openvswitch-db-server.service + + - name: initialise openvswitch-db + shell: ovs-vsctl --no-wait init + when: openvswitch_db_enable|changed + + - name: Enable and start Open vSwitch service + service: name={{ item }} enabled=yes state=started + with_items: + - openvswitch.service diff --git a/old/install-files/openstack/usr/share/openstack/postgres.yml b/old/install-files/openstack/usr/share/openstack/postgres.yml new file mode 100644 index 00000000..5ff9355e --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/postgres.yml @@ -0,0 +1,48 @@ +--- +- hosts: localhost + vars_files: + - "/etc/openstack/postgres.conf" + tasks: + + - name: Create postgres user + user: + name: postgres + comment: PostgreSQL Server + shell: /sbin/nologin + home: /var/lib/pgsql + + - name: Create the postgres directories + file: + path: "{{ item }}" + state: directory + owner: postgres + group: postgres + with_items: + - /var/run/postgresql + - /var/lib/pgsql/data + + - name: Initialise postgres database + command: pg_ctl -D /var/lib/pgsql/data initdb + args: + creates: /var/lib/pgsql/data/base + sudo: yes + sudo_user: postgres + + - name: Add the configuration needed for postgres for Openstack + template: + src: /usr/share/openstack/postgres/{{ item }} + dest: /var/lib/pgsql/data/{{ item }} + owner: postgres + group: postgres + mode: 0600 + with_items: + - postgresql.conf + - pg_hba.conf + + - name: Enable and start postgres services + service: + name: "{{ item }}" + enabled: yes + state: started + with_items: + - postgres-server diff --git a/old/install-files/openstack/usr/share/openstack/postgres/pg_hba.conf b/old/install-files/openstack/usr/share/openstack/postgres/pg_hba.conf new file mode 100644 index 00000000..78186924 --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/postgres/pg_hba.conf @@ -0,0 +1,5 @@ +local all all trust +host all all 127.0.0.0/8 trust +host all all ::1/128 trust +host all all {{ MANAGEMENT_INTERFACE_IP_ADDRESS }}/32 trust +host all all 0.0.0.0/0 md5 diff --git a/old/install-files/openstack/usr/share/openstack/postgres/postgresql.conf b/old/install-files/openstack/usr/share/openstack/postgres/postgresql.conf new file mode 100644 index 00000000..9c8094ea --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/postgres/postgresql.conf @@ -0,0 +1,11 @@ +listen_addresses = '{{ MANAGEMENT_INTERFACE_IP_ADDRESS }}' +max_connections = 300 +shared_buffers = 128MB +log_timezone = 'UTC' +datestyle = 'iso, mdy' +timezone = 'UTC' +lc_messages = 'C' +lc_monetary = 'C' +lc_numeric = 'C' +lc_time = 'C' +default_text_search_config = 'pg_catalog.english' diff --git a/old/install-files/openstack/usr/share/openstack/rabbitmq/rabbitmq-env.conf b/old/install-files/openstack/usr/share/openstack/rabbitmq/rabbitmq-env.conf new file mode 100644 index 00000000..d4c58dae --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/rabbitmq/rabbitmq-env.conf @@ -0,0 +1,3 @@ +# Configure port node where rabbitmq-server will listen from. +NODE_PORT={{ RABBITMQ_PORT }} +CONFIG_FILE=/etc/rabbitmq/rabbitmq diff --git a/old/install-files/openstack/usr/share/openstack/rabbitmq/rabbitmq.config b/old/install-files/openstack/usr/share/openstack/rabbitmq/rabbitmq.config new file mode 100644 index 00000000..9b93881e --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/rabbitmq/rabbitmq.config @@ -0,0 +1,9 @@ +%% -*- Rabbit configuration for Openstack in Baserock +[ + {rabbit, + [ + {default_user, <<"{{ RABBITMQ_USER }}">>}, + {default_pass, <<"{{ RABBITMQ_PASSWORD }}">>}, + {tcp_listeners, [{{ RABBITMQ_PORT }}]} + ]} +]. diff --git a/old/install-files/openstack/usr/share/openstack/swift-controller.yml b/old/install-files/openstack/usr/share/openstack/swift-controller.yml new file mode 100644 index 00000000..690de087 --- /dev/null +++ b/old/install-files/openstack/usr/share/openstack/swift-controller.yml @@ -0,0 +1,52 @@ +--- +- hosts: localhost + vars_files: + - swift-controller-vars.yml + vars: + - ring_name_port_map: + account: + port: 6002 + container: + port: 6001 + object: + port: 6000 + remote_user: root + tasks: + - user: + name: swift + comment: Swift user + + - file: + path: /etc/swift + owner: swift + group: swift + state: directory + + - template: + src: /usr/share/swift/etc/swift/proxy-server.j2 + dest: /etc/swift/proxy-server.conf + mode: 0644 + owner: swift + group: swift + + - keystone_user: + user: swift + password: "{{ SWIFT_ADMIN_PASSWORD }}" + tenant: service + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + + - keystone_user: + role: admin + user: swift + tenant: service + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + + - keystone_service: + name: swift + type: object-store + description: OpenStack Object Storage + publicurl: http://{{ MANAGEMENT_INTERFACE_IP_ADDRESS }}:8080/v1/AUTH_%(tenant_id)s + internalurl: http://{{ MANAGEMENT_INTERFACE_IP_ADDRESS }}:8080/v1/AUTH_%(tenant_id)s + adminurl: http://{{ MANAGEMENT_INTERFACE_IP_ADDRESS }}:8080 + region: regionOne + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" diff --git a/old/install-files/openstack/usr/share/swift/etc/rsyncd.j2 b/old/install-files/openstack/usr/share/swift/etc/rsyncd.j2 new file mode 100644 index 00000000..c0657665 --- /dev/null +++ b/old/install-files/openstack/usr/share/swift/etc/rsyncd.j2 @@ -0,0 +1,23 @@ +uid = swift +gid = swift +log file = /var/log/rsyncd.log +pid file = /var/run/rsyncd.pid +address = {{ MANAGEMENT_INTERFACE_IP_ADDRESS }} + +[account] +max connections = 2 +path = /srv/node/ +read only = false +lock file = /var/lock/account.lock + +[container] +max connections = 2 +path = /srv/node/ +read only = false +lock file = /var/lock/container.lock + +[object] +max connections = 2 +path = /srv/node/ +read only = false +lock file = /var/lock/object.lock diff --git a/old/install-files/openstack/usr/share/swift/etc/swift/proxy-server.j2 b/old/install-files/openstack/usr/share/swift/etc/swift/proxy-server.j2 new file mode 100644 index 00000000..dda82d5a --- /dev/null +++ b/old/install-files/openstack/usr/share/swift/etc/swift/proxy-server.j2 @@ -0,0 +1,630 @@ +[DEFAULT] +# bind_ip = 0.0.0.0 +bind_port = 8080 +# bind_timeout = 30 +# backlog = 4096 +swift_dir = /etc/swift +user = swift + +# Enables exposing configuration settings via HTTP GET /info. +# expose_info = true + +# Key to use for admin calls that are HMAC signed. Default is empty, +# which will disable admin calls to /info. +# admin_key = secret_admin_key +# +# Allows the ability to withhold sections from showing up in the public calls +# to /info. You can withhold subsections by separating the dict level with a +# ".". The following would cause the sections 'container_quotas' and 'tempurl' +# to not be listed, and the key max_failed_deletes would be removed from +# bulk_delete. Default is empty, allowing all registered fetures to be listed +# via HTTP GET /info. +# disallowed_sections = container_quotas, tempurl, bulk_delete.max_failed_deletes + +# Use an integer to override the number of pre-forked processes that will +# accept connections. Should default to the number of effective cpu +# cores in the system. It's worth noting that individual workers will +# use many eventlet co-routines to service multiple concurrent requests. +# workers = auto +# +# Maximum concurrent requests per worker +# max_clients = 1024 +# +# Set the following two lines to enable SSL. This is for testing only. +# cert_file = /etc/swift/proxy.crt +# key_file = /etc/swift/proxy.key +# +# expiring_objects_container_divisor = 86400 +# expiring_objects_account_name = expiring_objects +# +# You can specify default log routing here if you want: +# log_name = swift +# log_facility = LOG_LOCAL0 +# log_level = INFO +# log_headers = false +# log_address = /dev/log +# The following caps the length of log lines to the value given; no limit if +# set to 0, the default. +# log_max_line_length = 0 +# +# This optional suffix (default is empty) that would be appended to the swift transaction +# id allows one to easily figure out from which cluster that X-Trans-Id belongs to. +# This is very useful when one is managing more than one swift cluster. +# trans_id_suffix = +# +# comma separated list of functions to call to setup custom log handlers. +# functions get passed: conf, name, log_to_console, log_route, fmt, logger, +# adapted_logger +# log_custom_handlers = +# +# If set, log_udp_host will override log_address +# log_udp_host = +# log_udp_port = 514 +# +# You can enable StatsD logging here: +# log_statsd_host = localhost +# log_statsd_port = 8125 +# log_statsd_default_sample_rate = 1.0 +# log_statsd_sample_rate_factor = 1.0 +# log_statsd_metric_prefix = +# +# Use a comma separated list of full url (http://foo.bar:1234,https://foo.bar) +# cors_allow_origin = +# strict_cors_mode = True +# +# client_timeout = 60 +# eventlet_debug = false + +[pipeline:main] +#pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl ratelimit tempauth container-quotas account-quotas slo dlo proxy-logging proxy-server +pipeline = authtoken cache healthcheck keystoneauth proxy-logging proxy-server + +[app:proxy-server] +use = egg:swift#proxy +# You can override the default log routing for this app here: +# set log_name = proxy-server +# set log_facility = LOG_LOCAL0 +# set log_level = INFO +# set log_address = /dev/log +# +# log_handoffs = true +# recheck_account_existence = 60 +# recheck_container_existence = 60 +# object_chunk_size = 65536 +# client_chunk_size = 65536 +# +# How long the proxy server will wait on responses from the a/c/o servers. +# node_timeout = 10 +# +# How long the proxy server will wait for an initial response and to read a +# chunk of data from the object servers while serving GET / HEAD requests. +# Timeouts from these requests can be recovered from so setting this to +# something lower than node_timeout would provide quicker error recovery +# while allowing for a longer timeout for non-recoverable requests (PUTs). +# Defaults to node_timeout, should be overriden if node_timeout is set to a +# high number to prevent client timeouts from firing before the proxy server +# has a chance to retry. +# recoverable_node_timeout = node_timeout +# +# conn_timeout = 0.5 +# +# How long to wait for requests to finish after a quorum has been established. +# post_quorum_timeout = 0.5 +# +# How long without an error before a node's error count is reset. This will +# also be how long before a node is reenabled after suppression is triggered. +# error_suppression_interval = 60 +# +# How many errors can accumulate before a node is temporarily ignored. +# error_suppression_limit = 10 +# +# If set to 'true' any authorized user may create and delete accounts; if +# 'false' no one, even authorized, can. +allow_account_management = true +# +# Set object_post_as_copy = false to turn on fast posts where only the metadata +# changes are stored anew and the original data file is kept in place. This +# makes for quicker posts; but since the container metadata isn't updated in +# this mode, features like container sync won't be able to sync posts. +# object_post_as_copy = true +# +# If set to 'true' authorized accounts that do not yet exist within the Swift +# cluster will be automatically created. +account_autocreate = true +# +# If set to a positive value, trying to create a container when the account +# already has at least this maximum containers will result in a 403 Forbidden. +# Note: This is a soft limit, meaning a user might exceed the cap for +# recheck_account_existence before the 403s kick in. +# max_containers_per_account = 0 +# +# This is a comma separated list of account hashes that ignore the +# max_containers_per_account cap. +# max_containers_whitelist = +# +# Comma separated list of Host headers to which the proxy will deny requests. +# deny_host_headers = +# +# Prefix used when automatically creating accounts. +# auto_create_account_prefix = . +# +# Depth of the proxy put queue. +# put_queue_depth = 10 +# +# Storage nodes can be chosen at random (shuffle), by using timing +# measurements (timing), or by using an explicit match (affinity). +# Using timing measurements may allow for lower overall latency, while +# using affinity allows for finer control. In both the timing and +# affinity cases, equally-sorting nodes are still randomly chosen to +# spread load. +# The valid values for sorting_method are "affinity", "shuffle", and "timing". +# sorting_method = shuffle +# +# If the "timing" sorting_method is used, the timings will only be valid for +# the number of seconds configured by timing_expiry. +# timing_expiry = 300 +# +# The maximum time (seconds) that a large object connection is allowed to last. +# max_large_object_get_time = 86400 +# +# Set to the number of nodes to contact for a normal request. You can use +# '* replicas' at the end to have it use the number given times the number of +# replicas for the ring being used for the request. +# request_node_count = 2 * replicas +# +# Which backend servers to prefer on reads. Format is r<N> for region +# N or r<N>z<M> for region N, zone M. The value after the equals is +# the priority; lower numbers are higher priority. +# +# Example: first read from region 1 zone 1, then region 1 zone 2, then +# anything in region 2, then everything else: +# read_affinity = r1z1=100, r1z2=200, r2=300 +# Default is empty, meaning no preference. +# read_affinity = +# +# Which backend servers to prefer on writes. Format is r<N> for region +# N or r<N>z<M> for region N, zone M. If this is set, then when +# handling an object PUT request, some number (see setting +# write_affinity_node_count) of local backend servers will be tried +# before any nonlocal ones. +# +# Example: try to write to regions 1 and 2 before writing to any other +# nodes: +# write_affinity = r1, r2 +# Default is empty, meaning no preference. +# write_affinity = +# +# The number of local (as governed by the write_affinity setting) +# nodes to attempt to contact first, before any non-local ones. You +# can use '* replicas' at the end to have it use the number given +# times the number of replicas for the ring being used for the +# request. +# write_affinity_node_count = 2 * replicas +# +# These are the headers whose values will only be shown to swift_owners. The +# exact definition of a swift_owner is up to the auth system in use, but +# usually indicates administrative responsibilities. +# swift_owner_headers = x-container-read, x-container-write, x-container-sync-key, x-container-sync-to, x-account-meta-temp-url-key, x-account-meta-temp-url-key-2, x-account-access-control + +[filter:tempauth] +use = egg:swift#tempauth +# You can override the default log routing for this filter here: +# set log_name = tempauth +# set log_facility = LOG_LOCAL0 +# set log_level = INFO +# set log_headers = false +# set log_address = /dev/log +# +# The reseller prefix will verify a token begins with this prefix before even +# attempting to validate it. Also, with authorization, only Swift storage +# accounts with this prefix will be authorized by this middleware. Useful if +# multiple auth systems are in use for one Swift cluster. +# reseller_prefix = AUTH +# +# The auth prefix will cause requests beginning with this prefix to be routed +# to the auth subsystem, for granting tokens, etc. +# auth_prefix = /auth/ +# token_life = 86400 +# +# This allows middleware higher in the WSGI pipeline to override auth +# processing, useful for middleware such as tempurl and formpost. If you know +# you're not going to use such middleware and you want a bit of extra security, +# you can set this to false. +# allow_overrides = true +# +# This specifies what scheme to return with storage urls: +# http, https, or default (chooses based on what the server is running as) +# This can be useful with an SSL load balancer in front of a non-SSL server. +# storage_url_scheme = default +# +# Lastly, you need to list all the accounts/users you want here. The format is: +# user_<account>_<user> = <key> [group] [group] [...] [storage_url] +# or if you want underscores in <account> or <user>, you can base64 encode them +# (with no equal signs) and use this format: +# user64_<account_b64>_<user_b64> = <key> [group] [group] [...] [storage_url] +# There are special groups of: +# .reseller_admin = can do anything to any account for this auth +# .admin = can do anything within the account +# If neither of these groups are specified, the user can only access containers +# that have been explicitly allowed for them by a .admin or .reseller_admin. +# The trailing optional storage_url allows you to specify an alternate url to +# hand back to the user upon authentication. If not specified, this defaults to +# $HOST/v1/<reseller_prefix>_<account> where $HOST will do its best to resolve +# to what the requester would need to use to reach this host. +# Here are example entries, required for running the tests: +user_admin_admin = admin .admin .reseller_admin +user_test_tester = testing .admin +user_test2_tester2 = testing2 .admin +user_test_tester3 = testing3 + +# To enable Keystone authentication you need to have the auth token +# middleware first to be configured. Here is an example below, please +# refer to the keystone's documentation for details about the +# different settings. +# +# You'll need to have as well the keystoneauth middleware enabled +# and have it in your main pipeline so instead of having tempauth in +# there you can change it to: authtoken keystoneauth +# +[filter:authtoken] +paste.filter_factory = keystonemiddleware.auth_token:filter_factory +# auth_host = keystonehost +# auth_port = 35357 +# auth_protocol = http +# auth_uri = http://keystonehost:5000/ +#auth_uri = http://controller:5000/v2.0 +auth_uri = http://127.0.0.1:5000/v2.0 +identity_uri = http://127.0.0.1:35357 +admin_tenant_name = service +admin_user = swift +admin_password = {{ SWIFT_ADMIN_PASSWORD }} +delay_auth_decision = 1 +# cache = swift.cache +# include_service_catalog = False +# +[filter:keystoneauth] +use = egg:swift#keystoneauth +# Operator roles is the role which user would be allowed to manage a +# tenant and be able to create container or give ACL to others. +# operator_roles = admin, swiftoperator +operator_roles = admin, _member_ +# The reseller admin role has the ability to create and delete accounts +# reseller_admin_role = ResellerAdmin +# For backwards compatibility, keystoneauth will match names in cross-tenant +# access control lists (ACLs) when both the requesting user and the tenant +# are in the default domain i.e the domain to which existing tenants are +# migrated. The default_domain_id value configured here should be the same as +# the value used during migration of tenants to keystone domains. +# default_domain_id = default +# For a new installation, or an installation in which keystone projects may +# move between domains, you should disable backwards compatible name matching +# in ACLs by setting allow_names_in_acls to false: +# allow_names_in_acls = true + +[filter:healthcheck] +use = egg:swift#healthcheck +# An optional filesystem path, which if present, will cause the healthcheck +# URL to return "503 Service Unavailable" with a body of "DISABLED BY FILE". +# This facility may be used to temporarily remove a Swift node from a load +# balancer pool during maintenance or upgrade (remove the file to allow the +# node back into the load balancer pool). +# disable_path = + +[filter:cache] +use = egg:swift#memcache +# You can override the default log routing for this filter here: +# set log_name = cache +# set log_facility = LOG_LOCAL0 +# set log_level = INFO +# set log_headers = false +# set log_address = /dev/log +# +# If not set here, the value for memcache_servers will be read from +# memcache.conf (see memcache.conf-sample) or lacking that file, it will +# default to the value below. You can specify multiple servers separated with +# commas, as in: 10.1.2.3:11211,10.1.2.4:11211 +memcache_servers = 127.0.0.1:11211 +# +# Sets how memcache values are serialized and deserialized: +# 0 = older, insecure pickle serialization +# 1 = json serialization but pickles can still be read (still insecure) +# 2 = json serialization only (secure and the default) +# If not set here, the value for memcache_serialization_support will be read +# from /etc/swift/memcache.conf (see memcache.conf-sample). +# To avoid an instant full cache flush, existing installations should +# upgrade with 0, then set to 1 and reload, then after some time (24 hours) +# set to 2 and reload. +# In the future, the ability to use pickle serialization will be removed. +# memcache_serialization_support = 2 +# +# Sets the maximum number of connections to each memcached server per worker +# memcache_max_connections = 2 + +[filter:ratelimit] +use = egg:swift#ratelimit +# You can override the default log routing for this filter here: +# set log_name = ratelimit +# set log_facility = LOG_LOCAL0 +# set log_level = INFO +# set log_headers = false +# set log_address = /dev/log +# +# clock_accuracy should represent how accurate the proxy servers' system clocks +# are with each other. 1000 means that all the proxies' clock are accurate to +# each other within 1 millisecond. No ratelimit should be higher than the +# clock accuracy. +# clock_accuracy = 1000 +# +# max_sleep_time_seconds = 60 +# +# log_sleep_time_seconds of 0 means disabled +# log_sleep_time_seconds = 0 +# +# allows for slow rates (e.g. running up to 5 sec's behind) to catch up. +# rate_buffer_seconds = 5 +# +# account_ratelimit of 0 means disabled +# account_ratelimit = 0 + +# these are comma separated lists of account names +# account_whitelist = a,b +# account_blacklist = c,d + +# with container_limit_x = r +# for containers of size x limit write requests per second to r. The container +# rate will be linearly interpolated from the values given. With the values +# below, a container of size 5 will get a rate of 75. +# container_ratelimit_0 = 100 +# container_ratelimit_10 = 50 +# container_ratelimit_50 = 20 + +# Similarly to the above container-level write limits, the following will limit +# container GET (listing) requests. +# container_listing_ratelimit_0 = 100 +# container_listing_ratelimit_10 = 50 +# container_listing_ratelimit_50 = 20 + +[filter:domain_remap] +use = egg:swift#domain_remap +# You can override the default log routing for this filter here: +# set log_name = domain_remap +# set log_facility = LOG_LOCAL0 +# set log_level = INFO +# set log_headers = false +# set log_address = /dev/log +# +# storage_domain = example.com +# path_root = v1 +# reseller_prefixes = AUTH + +[filter:catch_errors] +use = egg:swift#catch_errors +# You can override the default log routing for this filter here: +# set log_name = catch_errors +# set log_facility = LOG_LOCAL0 +# set log_level = INFO +# set log_headers = false +# set log_address = /dev/log + +[filter:cname_lookup] +# Note: this middleware requires python-dnspython +use = egg:swift#cname_lookup +# You can override the default log routing for this filter here: +# set log_name = cname_lookup +# set log_facility = LOG_LOCAL0 +# set log_level = INFO +# set log_headers = false +# set log_address = /dev/log +# +# Specify the storage_domain that match your cloud, multiple domains +# can be specified separated by a comma +# storage_domain = example.com +# +# lookup_depth = 1 + +# Note: Put staticweb just after your auth filter(s) in the pipeline +[filter:staticweb] +use = egg:swift#staticweb + +# Note: Put tempurl before dlo, slo and your auth filter(s) in the pipeline +[filter:tempurl] +use = egg:swift#tempurl +# The methods allowed with Temp URLs. +# methods = GET HEAD PUT POST DELETE +# +# The headers to remove from incoming requests. Simply a whitespace delimited +# list of header names and names can optionally end with '*' to indicate a +# prefix match. incoming_allow_headers is a list of exceptions to these +# removals. +# incoming_remove_headers = x-timestamp +# +# The headers allowed as exceptions to incoming_remove_headers. Simply a +# whitespace delimited list of header names and names can optionally end with +# '*' to indicate a prefix match. +# incoming_allow_headers = +# +# The headers to remove from outgoing responses. Simply a whitespace delimited +# list of header names and names can optionally end with '*' to indicate a +# prefix match. outgoing_allow_headers is a list of exceptions to these +# removals. +# outgoing_remove_headers = x-object-meta-* +# +# The headers allowed as exceptions to outgoing_remove_headers. Simply a +# whitespace delimited list of header names and names can optionally end with +# '*' to indicate a prefix match. +# outgoing_allow_headers = x-object-meta-public-* + +# Note: Put formpost just before your auth filter(s) in the pipeline +[filter:formpost] +use = egg:swift#formpost + +# Note: Just needs to be placed before the proxy-server in the pipeline. +[filter:name_check] +use = egg:swift#name_check +# forbidden_chars = '"`<> +# maximum_length = 255 +# forbidden_regexp = /\./|/\.\./|/\.$|/\.\.$ + +[filter:list-endpoints] +use = egg:swift#list_endpoints +# list_endpoints_path = /endpoints/ + +[filter:proxy-logging] +use = egg:swift#proxy_logging +# If not set, logging directives from [DEFAULT] without "access_" will be used +# access_log_name = swift +# access_log_facility = LOG_LOCAL0 +# access_log_level = INFO +# access_log_address = /dev/log +# +# If set, access_log_udp_host will override access_log_address +# access_log_udp_host = +# access_log_udp_port = 514 +# +# You can use log_statsd_* from [DEFAULT] or override them here: +# access_log_statsd_host = localhost +# access_log_statsd_port = 8125 +# access_log_statsd_default_sample_rate = 1.0 +# access_log_statsd_sample_rate_factor = 1.0 +# access_log_statsd_metric_prefix = +# access_log_headers = false +# +# If access_log_headers is True and access_log_headers_only is set only +# these headers are logged. Multiple headers can be defined as comma separated +# list like this: access_log_headers_only = Host, X-Object-Meta-Mtime +# access_log_headers_only = +# +# By default, the X-Auth-Token is logged. To obscure the value, +# set reveal_sensitive_prefix to the number of characters to log. +# For example, if set to 12, only the first 12 characters of the +# token appear in the log. An unauthorized access of the log file +# won't allow unauthorized usage of the token. However, the first +# 12 or so characters is unique enough that you can trace/debug +# token usage. Set to 0 to suppress the token completely (replaced +# by '...' in the log). +# Note: reveal_sensitive_prefix will not affect the value +# logged with access_log_headers=True. +# reveal_sensitive_prefix = 16 +# +# What HTTP methods are allowed for StatsD logging (comma-sep); request methods +# not in this list will have "BAD_METHOD" for the <verb> portion of the metric. +# log_statsd_valid_http_methods = GET,HEAD,POST,PUT,DELETE,COPY,OPTIONS +# +# Note: The double proxy-logging in the pipeline is not a mistake. The +# left-most proxy-logging is there to log requests that were handled in +# middleware and never made it through to the right-most middleware (and +# proxy server). Double logging is prevented for normal requests. See +# proxy-logging docs. + +# Note: Put before both ratelimit and auth in the pipeline. +[filter:bulk] +use = egg:swift#bulk +# max_containers_per_extraction = 10000 +# max_failed_extractions = 1000 +# max_deletes_per_request = 10000 +# max_failed_deletes = 1000 + +# In order to keep a connection active during a potentially long bulk request, +# Swift may return whitespace prepended to the actual response body. This +# whitespace will be yielded no more than every yield_frequency seconds. +# yield_frequency = 10 + +# Note: The following parameter is used during a bulk delete of objects and +# their container. This would frequently fail because it is very likely +# that all replicated objects have not been deleted by the time the middleware got a +# successful response. It can be configured the number of retries. And the +# number of seconds to wait between each retry will be 1.5**retry + +# delete_container_retry_count = 0 + +# Note: Put after auth in the pipeline. +[filter:container-quotas] +use = egg:swift#container_quotas + +# Note: Put after auth and staticweb in the pipeline. +[filter:slo] +use = egg:swift#slo +# max_manifest_segments = 1000 +# max_manifest_size = 2097152 +# min_segment_size = 1048576 +# Start rate-limiting SLO segment serving after the Nth segment of a +# segmented object. +# rate_limit_after_segment = 10 +# +# Once segment rate-limiting kicks in for an object, limit segments served +# to N per second. 0 means no rate-limiting. +# rate_limit_segments_per_sec = 0 +# +# Time limit on GET requests (seconds) +# max_get_time = 86400 + +# Note: Put after auth and staticweb in the pipeline. +# If you don't put it in the pipeline, it will be inserted for you. +[filter:dlo] +use = egg:swift#dlo +# Start rate-limiting DLO segment serving after the Nth segment of a +# segmented object. +# rate_limit_after_segment = 10 +# +# Once segment rate-limiting kicks in for an object, limit segments served +# to N per second. 0 means no rate-limiting. +# rate_limit_segments_per_sec = 1 +# +# Time limit on GET requests (seconds) +# max_get_time = 86400 + +[filter:account-quotas] +use = egg:swift#account_quotas + +[filter:gatekeeper] +use = egg:swift#gatekeeper +# You can override the default log routing for this filter here: +# set log_name = gatekeeper +# set log_facility = LOG_LOCAL0 +# set log_level = INFO +# set log_headers = false +# set log_address = /dev/log + +[filter:container_sync] +use = egg:swift#container_sync +# Set this to false if you want to disallow any full url values to be set for +# any new X-Container-Sync-To headers. This will keep any new full urls from +# coming in, but won't change any existing values already in the cluster. +# Updating those will have to be done manually, as knowing what the true realm +# endpoint should be cannot always be guessed. +# allow_full_urls = true +# Set this to specify this clusters //realm/cluster as "current" in /info +# current = //REALM/CLUSTER + +# Note: Put it at the beginning of the pipleline to profile all middleware. But +# it is safer to put this after catch_errors, gatekeeper and healthcheck. +[filter:xprofile] +use = egg:swift#xprofile +# This option enable you to switch profilers which should inherit from python +# standard profiler. Currently the supported value can be 'cProfile', +# 'eventlet.green.profile' etc. +# profile_module = eventlet.green.profile +# +# This prefix will be used to combine process ID and timestamp to name the +# profile data file. Make sure the executing user has permission to write +# into this path (missing path segments will be created, if necessary). +# If you enable profiling in more than one type of daemon, you must override +# it with an unique value like: /var/log/swift/profile/proxy.profile +# log_filename_prefix = /tmp/log/swift/profile/default.profile +# +# the profile data will be dumped to local disk based on above naming rule +# in this interval. +# dump_interval = 5.0 +# +# Be careful, this option will enable profiler to dump data into the file with +# time stamp which means there will be lots of files piled up in the directory. +# dump_timestamp = false +# +# This is the path of the URL to access the mini web UI. +# path = /__profile__ +# +# Clear the data when the wsgi server shutdown. +# flush_at_shutdown = false +# +# unwind the iterator of applications +# unwind = false |