charm-glance/config.yaml
Alex Kavanagh 97152f55a1 Policyd override implementation
This patchset implements policy overrides for glance.  It uses the
code in charmhelpers.

Change-Id: I0586326ff87fdf03f2c88e4c459627f4085c3367
Closed-Bug: #1741723
2019-10-07 22:04:00 +01:00

359 lines
13 KiB
YAML

options:
  debug:
    type: boolean
    default: False
    description: Enable debug logging.
  verbose:
    type: boolean
    default: False
    description: Enable verbose logging.
  use-syslog:
    type: boolean
    default: False
    description: |
      Setting this to True will allow supporting services to log to syslog.
  openstack-origin:
    type: string
    default: distro
    description: |
      Repository from which to install. May be one of the following:
      distro (default), ppa:somecustom/ppa, a deb url sources entry,
      or a supported Ubuntu Cloud Archive e.g.
      .
      cloud:<series>-<openstack-release>
      cloud:<series>-<openstack-release>/updates
      cloud:<series>-<openstack-release>/staging
      cloud:<series>-<openstack-release>/proposed
      .
      See https://wiki.ubuntu.com/OpenStack/CloudArchive for info on which
      cloud archives are available and supported.
      .
      NOTE: updating this setting to a source that is known to provide
      a later version of OpenStack will trigger a software upgrade unless
      action-managed-upgrade is set to True.
  action-managed-upgrade:
    type: boolean
    default: False
    description: |
      If True enables openstack upgrades for this charm via juju actions.
      You will still need to set openstack-origin to the new repository but
      instead of an upgrade running automatically across all units, it will
      wait for you to execute the openstack-upgrade action for this charm on
      each unit. If False it will revert to existing behavior of upgrading
      all units on config change.
  harden:
    type: string
    default:
    description: |
      Apply system hardening. Supports a space-delimited list of modules
      to run. Supported modules currently include os, ssh, apache and mysql.
  database-user:
    type: string
    default: glance
    description: Database username
  database:
    type: string
    default: glance
    description: Glance database name.
  api-config-flags:
    type: string
    default:
    description: |
      Comma-separated list of key=value pairs to be added to glance-api.conf
      where 'value' may itself be a comma-separated list of values to be
      assigned to the 'key'.
  registry-config-flags:
    type: string
    default:
    description: |
      Comma-separated list of key=value pairs to be added to
      glance-registry.conf where 'value' may itself be a comma-separated list
      of values to be assigned to the 'key'.
  region:
    type: string
    default: RegionOne
    description: OpenStack Region
  use-internal-endpoints:
    type: boolean
    default: False
    description: |
      Openstack mostly defaults to using public endpoints for
      internal communication between services. If set to True this option will
      configure services to use internal endpoints where possible.
  ceph-osd-replication-count:
    type: int
    default: 3
    description: |
      This value dictates the number of replicas ceph must make of any
      object it stores within the images rbd pool. Of course, this only
      applies if using Ceph as a backend store. Note that once the images
      rbd pool has been created, changing this value will not have any
      effect (although it can be changed in ceph by manually configuring
      your ceph cluster).
  ceph-pool-weight:
    type: int
    default: 5
    description: |
      Defines a relative weighting of the pool as a percentage of the total
      amount of data in the Ceph cluster. This effectively weights the number
      of placement groups for the pool created to be appropriately portioned
      to the amount of data expected. For example, if the compute images
      for the OpenStack compute instances are expected to take up 20% of the
      overall configuration then this value would be specified as 20. Note -
      it is important to choose an appropriate value for the pool weight as
      this directly affects the number of placement groups which will be
      created for the pool. The number of placement groups for a pool can
      only be increased, never decreased - so it is important to identify the
      percent of data that will likely reside in the pool.
  restrict-ceph-pools:
    type: boolean
    default: False
    description: |
      Optionally restrict Ceph key permissions to access pools as required.
  worker-multiplier:
    type: float
    default:
    description: |
      The CPU core multiplier to use when configuring worker processes for
      Glance. By default, the number of workers for each daemon is set to
      twice the number of CPU cores a service unit has. When deployed in
      a LXD container, this default value will be capped to 4 workers
      unless this configuration option is set.
  expose-image-locations:
    type: boolean
    default: True
    description: |
      Expose underlying image locations via the API when using Ceph for image
      storage. Only disable this option if you do not wish to use
      copy-on-write clones of RAW format images with Ceph in Cinder and Nova.
  restrict-image-location-operations:
    type: boolean
    default: False
    description: |
      If this is set to True, all *_image_location operations in the Glance api
      will be restricted to role:admin which will result in non-admin users no
      longer being able to view the "locations" information for an image.
      This only affects environments that have expose-image-locations set to
      True.
      WARNING: enabling this restriction will cause Nova to no longer be able
      to create COW clones or snapshots for non-admin users when using the
      RBDImageBackend in the nova-compute charm.
  rabbit-user:
    type: string
    default: glance
    description: Username to request access on rabbitmq-server.
  rabbit-vhost:
    type: string
    default: openstack
    description: RabbitMQ virtual host to request access on rabbitmq-server.
  container-formats:
    type: string
    default:
    description: |
      Comma separated list of container formats that Glance will support.
  disk-formats:
    type: string
    default: ami,ari,aki,vhd,vmdk,raw,qcow2,vdi,iso,root-tar
    description: |
      Comma separated list of disk formats that Glance will support.
  image-size-cap:
    type: string
    default: 1TB
    description: |
      Maximum size of image a user can upload. Defaults to 1TB
      (1099511627776 bytes). Example values: 500M, 500MB, 5G, 5TB.
      Valid units: K, KB, M, MB, G, GB, T, TB, P, PB. If no units provided,
      bytes are assumed.
      .
      WARNING: this value should only be increased after careful consideration
      and must be set to a value under 8EB (9223372036854775808 bytes).
  # HA configuration settings
  dns-ha:
    type: boolean
    default: False
    description: |
      Use DNS HA with MAAS 2.0. Note if this is set do not set vip
      settings below.
  vip:
    type: string
    default:
    description: |
      Virtual IP(s) to use to front API services in HA configuration.
      .
      If multiple networks are being used, a VIP should be provided for each
      network, separated by spaces.
  vip_iface:
    type: string
    default: eth0
    description: |
      Default network interface to use for HA vip when it cannot be
      automatically determined.
  vip_cidr:
    type: int
    default: 24
    description: |
      Default CIDR netmask to use for HA vip when it cannot be automatically
      determined.
  ha-bindiface:
    type: string
    default: eth0
    description: |
      Default network interface on which HA cluster will bind to communication
      with the other members of the HA Cluster.
  ha-mcastport:
    type: int
    default: 5444
    description: |
      Default multicast port number that will be used to communicate between
      HA Cluster nodes.
  haproxy-server-timeout:
    type: int
    default:
    description: |
      Server timeout configuration in ms for haproxy, used in HA
      configurations. If not provided, default value of 90000ms is used.
  haproxy-client-timeout:
    type: int
    default:
    description: |
      Client timeout configuration in ms for haproxy, used in HA
      configurations. If not provided, default value of 90000ms is used.
  haproxy-queue-timeout:
    type: int
    default:
    description: |
      Queue timeout configuration in ms for haproxy, used in HA
      configurations. If not provided, default value of 9000ms is used.
  haproxy-connect-timeout:
    type: int
    default:
    description: |
      Connect timeout configuration in ms for haproxy, used in HA
      configurations. If not provided, default value of 9000ms is used.
  ssl_cert:
    type: string
    default:
    description: |
      SSL certificate to install and use for API ports. Setting this value
      and ssl_key will enable reverse proxying, point Glance's entry in the
      Keystone catalog to use https, and override any certificate and key
      issued by Keystone (if it is configured to do so).
  ssl_key:
    type: string
    default:
    description: SSL key to use with certificate specified as ssl_cert.
  ssl_ca:
    type: string
    default:
    description: |
      SSL CA to use with the certificate and key provided - this is only
      required if you are providing a privately signed ssl_cert and ssl_key.
  # Network config (by default all access is over 'private-address')
  os-admin-network:
    type: string
    default:
    description: |
      The IP address and netmask of the OpenStack Admin network (e.g.
      192.168.0.0/24)
      .
      This network will be used for admin endpoints.
  os-internal-network:
    type: string
    default:
    description: |
      The IP address and netmask of the OpenStack Internal network (e.g.
      192.168.0.0/24)
      .
      This network will be used for internal endpoints.
  os-public-network:
    type: string
    default:
    description: |
      The IP address and netmask of the OpenStack Public network (e.g.
      192.168.0.0/24)
      .
      This network will be used for public endpoints.
  os-public-hostname:
    type: string
    default:
    description: |
      The hostname or address of the public endpoints created for glance
      in the keystone identity provider.
      .
      This value will be used for public endpoints. For example, an
      os-public-hostname set to 'glance.example.com' with ssl enabled will
      create a public endpoint for glance of:
      .
      https://glance.example.com:9292/
  os-internal-hostname:
    type: string
    default:
    description: |
      The hostname or address of the internal endpoints created for glance
      in the keystone identity provider.
      .
      This value will be used for internal endpoints. For example, an
      os-internal-hostname set to 'glance.internal.example.com' with ssl
      enabled will create a internal endpoint for glance of:
      .
      https://glance.internal.example.com:9292/
  os-admin-hostname:
    type: string
    default:
    description: |
      The hostname or address of the admin endpoints created for glance
      in the keystone identity provider.
      .
      This value will be used for admin endpoints. For example, an
      os-admin-hostname set to 'glance.admin.example.com' with ssl enabled will
      create a admin endpoint for glance of:
      .
      https://glance.admin.example.com:9292/
  prefer-ipv6:
    type: boolean
    default: False
    description: |
      If True enables IPv6 support. The charm will expect network interfaces
      to be configured with an IPv6 address. If set to False (default) IPv4
      is expected.
      .
      NOTE: these charms do not currently support IPv6 privacy extension. In
      order for this charm to function correctly, the privacy extension must be
      disabled and a non-temporary address must be configured/available on
      your network interface.
  # Monitoring config
  nagios_context:
    type: string
    default: "juju"
    description: |
      Used by the nrpe-external-master subordinate charm. A string that will
      be prepended to instance name to set the host name in nagios. So for
      instance the hostname would be something like 'juju-myservice-0'. If
      you are running multiple environments with the same services in them
      this allows you to differentiate between them.
  nagios_servicegroups:
    type: string
    default: ""
    description: |
      A comma-separated list of nagios service groups.
      If left empty, the nagios_context will be used as the servicegroup
  filesystem-store-datadir:
    type: string
    default: "/var/lib/glance/images/"
    description: |
      Directory to which the filesystem backend store writes images.
      Upon start up, Glance creates the directory if it doesn't already exist
      and verifies write access to the user under which glance-api runs. If
      the write access isn't available, a BadStoreConfiguration exception is
      raised and the filesystem store may not be available for adding new
      images. NOTE: This directory is used only when filesystem store is used
      as a storage backend.
  use-policyd-override:
    type: boolean
    default: False
    description: |
      If True then use the resource file named 'policyd-override' to install
      override YAML files in the service's policy.d directory. The resource
      file should be a ZIP file containing at least one yaml file with a .yaml
      or .yml extension. If False then remove the overrides.
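
The `use-policyd-override` description above requires the `policyd-override` resource to be a ZIP file holding at least one `.yaml` or `.yml` file. The Python check below is an added example for vetting such an archive before attaching it; it is not code from this charm or from charmhelpers. The names `check_policyd_zip` and `make_zip`, the sample member names, and the rejection of absolute or `..` member names are assumptions introduced here.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions named in the use-policyd-override option description.
ALLOWED_SUFFIXES = (".yaml", ".yml")


def check_policyd_zip(data: bytes) -> list:
    """Return the sorted policy file names a resource ZIP would contribute.

    Raises ValueError when the archive does not meet the description.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ValueError("resource is not a ZIP file") from exc

    accepted = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            # Assumption (not stated on the page): refuse member names that
            # could land outside policy.d if extracted as-is.
            if path.is_absolute() or ".." in path.parts:
                raise ValueError(f"unsafe member name: {info.filename!r}")
            if path.suffix in ALLOWED_SUFFIXES:
                accepted.append(path.name)
    if not accepted:
        raise ValueError("ZIP contains no .yaml or .yml file")
    return sorted(accepted)


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: text} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one override file plus a non-YAML file that is ignored.
    sample = make_zip({"locations.yaml": '"get_image_location": "role:admin"\n',
                       "README": "constructed sample\n"})
    print(check_policyd_zip(sample))
```
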