83d0ad0238
Add support for application of apparmor profiles to neutron and nova daemons that run on neutron-gateway units. By default this is disabled but may be enabled by setting the aa-profile-mode option to ether 'complain' or 'enforce'. Note that the apparmor profiles do not try to reproduce the permissions required for all operations that may be undertaken using oslo.rootwrap; daemons are granted permission to run 'sudo' without any apparmor based restrictions. Change-Id: Ibe568a46ee4c1f1148c162f0f0b2907153770efe
269 lines
9.5 KiB
YAML
269 lines
9.5 KiB
YAML
options:
|
|
debug:
|
|
default: False
|
|
type: boolean
|
|
description: Enable debug logging.
|
|
verbose:
|
|
default: False
|
|
type: boolean
|
|
description: Enable verbose logging.
|
|
use-syslog:
|
|
type: boolean
|
|
default: False
|
|
description: |
|
|
Setting this to True will allow supporting services to log to syslog.
|
|
openstack-origin:
|
|
default: distro
|
|
type: string
|
|
description: |
|
|
Repository from which to install. May be one of the following:
|
|
distro (default), ppa:somecustom/ppa, a deb url sources entry,
|
|
or a supported Cloud Archive release pocket.
|
|
|
|
Supported Cloud Archive sources include:
|
|
|
|
cloud:<series>-<openstack-release>
|
|
cloud:<series>-<openstack-release>/updates
|
|
cloud:<series>-<openstack-release>/staging
|
|
cloud:<series>-<openstack-release>/proposed
|
|
|
|
For series=Precise we support cloud archives for openstack-release:
|
|
* icehouse
|
|
|
|
For series=Trusty we support cloud archives for openstack-release:
|
|
* juno
|
|
* kilo
|
|
* liberty
|
|
* mitaka
|
|
|
|
NOTE: updating this setting to a source that is known to provide
|
|
a later version of OpenStack will trigger a software upgrade.
|
|
openstack-origin-git:
|
|
default:
|
|
type: string
|
|
description: |
|
|
Specifies a default OpenStack release name, or a YAML dictionary
|
|
listing the git repositories to install from.
|
|
|
|
The default Openstack release name may be one of the following, where
|
|
the corresponding OpenStack github branch will be used:
|
|
* liberty
|
|
* mitaka
|
|
* master
|
|
|
|
The YAML must minimally include requirements, neutron-fwaas,
|
|
neutron-lbaas, neutron-vpnaas, and neutron repositories, and may
|
|
also include repositories for other dependencies:
|
|
repositories:
|
|
- {name: requirements,
|
|
repository: 'git://github.com/openstack/requirements',
|
|
branch: master}
|
|
- {name: neutron-fwaas,
|
|
repository: 'git://github.com/openstack/neutron-fwaas',
|
|
branch: master}
|
|
- {name: neutron-lbaas,
|
|
repository: 'git://github.com/openstack/neutron-lbaas',
|
|
branch: master}
|
|
- {name: neutron-vpnaas,
|
|
repository: 'git://github.com/openstack/neutron-vpnaas',
|
|
branch: master}
|
|
- {name: neutron,
|
|
repository: 'git://github.com/openstack/neutron',
|
|
branch: master}
|
|
release: master
|
|
plugin:
|
|
default: ovs
|
|
type: string
|
|
description: |
|
|
Network configuration plugin to use for quantum.
|
|
Supported values include:
|
|
|
|
ovs - ML2 + Open vSwitch
|
|
nsx - VMware NSX
|
|
n1kv - Cisco N1kv
|
|
ovs-odl - ML2 + Open vSwitch with OpenDayLight Controller
|
|
ext-port:
|
|
type: string
|
|
default:
|
|
description: |
|
|
Deprecated: Use bridge-mappings and data-port to create a network
|
|
which can be used for external connectivity. You can call the network
|
|
external and the bridge br-ex by convention, but neither is required.
|
|
|
|
Space-delimited list of external ports to use for routing of instance
|
|
traffic to the external public network. Valid values are either MAC
|
|
addresses (in which case only MAC addresses for interfaces without an IP
|
|
address already assigned will be used), or interfaces (eth0)
|
|
data-port:
|
|
type: string
|
|
default:
|
|
description: |
|
|
Space-delimited list of bridge:port mappings. Ports will be added to
|
|
their corresponding bridge. The bridges will allow usage of flat or
|
|
VLAN network types with Neutron and should match this defined in
|
|
bridge-mappings.
|
|
.
|
|
Ports provided can be the name or MAC address of the interface to be
|
|
added to the bridge. If MAC addresses are used, you may provide multiple
|
|
bridge:mac for the same bridge so as to be able to configure multiple
|
|
units. In this case the charm will run through the provided MAC addresses
|
|
for each bridge until it finds one it can resolve to an interface name.
|
|
run-internal-router:
|
|
type: string
|
|
default: all
|
|
description: |
|
|
Optional configuration to support how the L3 agent option
|
|
handle_internal_only_routers is configured.
|
|
all => Set to be true everywhere
|
|
none => Set to be false everywhere
|
|
leader => Set to be true on one node (the leader) and false everywhere
|
|
else.
|
|
Use leader and none when configuring multiple floating pools
|
|
external-network-id:
|
|
type: string
|
|
default:
|
|
description: |
|
|
Optional configuration to set the external-network-id. Only needed when
|
|
configuring multiple external networks and should be used in conjunction
|
|
with run-internal-router.
|
|
rabbit-user:
|
|
type: string
|
|
description: RabbitMQ user
|
|
default: neutron
|
|
rabbit-vhost:
|
|
type: string
|
|
description: RabbitMQ Virtual Host
|
|
default: openstack
|
|
nova-rabbit-user:
|
|
type: string
|
|
description: RabbitMQ Nova user
|
|
default: nova
|
|
nova-rabbit-vhost:
|
|
type: string
|
|
description: RabbitMQ Nova Virtual Host
|
|
default: openstack
|
|
instance-mtu:
|
|
type: int
|
|
default:
|
|
description: |
|
|
Configure DHCP services to provide MTU configuration to instances
|
|
within the cloud. This is useful in deployments where its not
|
|
possible to increase MTU on switches and physical servers to
|
|
accommodate the packet overhead of using GRE tunnels.
|
|
dnsmasq-flags:
|
|
type: string
|
|
default:
|
|
description: |
|
|
Comma-separated list of key=value config flags with the additional
|
|
dhcp options for neutron dnsmasq.
|
|
enable-l3-agent:
|
|
type: boolean
|
|
default: True
|
|
description: |
|
|
Optional configuration to support use of linux router
|
|
Note that this is used only for Cisco n1kv plugin.
|
|
nagios_context:
|
|
default: "juju"
|
|
type: string
|
|
description: |
|
|
Used by the nrpe-external-master subordinate charm.
|
|
A string that will be prepended to instance name to set the host name
|
|
in Nagios. So for instance the hostname would be something like:
|
|
juju-myservice-0
|
|
If you're running multiple environments with the same services in them
|
|
this allows you to differentiate between them.
|
|
nagios_servicegroups:
|
|
default: ""
|
|
type: string
|
|
description: |
|
|
A comma-separated list of Nagios servicegroups.
|
|
If left empty, the nagios_context will be used as the servicegroup
|
|
bridge-mappings:
|
|
type: string
|
|
default: 'physnet1:br-data'
|
|
description: |
|
|
Space-separated list of ML2 data bridge mappings with format
|
|
<provider>:<bridge>.
|
|
flat-network-providers:
|
|
type: string
|
|
default:
|
|
description: |
|
|
Space-delimited list of Neutron flat network providers.
|
|
vlan-ranges:
|
|
type: string
|
|
default: "physnet1:1000:2000"
|
|
description: |
|
|
Space-delimited list of <physical_network>:<vlan_min>:<vlan_max> or
|
|
<physical_network> specifying physical_network names usable for VLAN
|
|
provider and tenant networks, as well as ranges of VLAN tags on each
|
|
available for allocation to tenant networks.
|
|
# Network configuration options
|
|
# by default all access is over 'private-address'
|
|
os-data-network:
|
|
type: string
|
|
default:
|
|
description: |
|
|
The IP address and netmask of the OpenStack Data network (e.g.,
|
|
192.168.0.0/24)
|
|
|
|
This network will be used for tenant network traffic in overlay
|
|
networks.
|
|
sysctl:
|
|
type: string
|
|
default:
|
|
description: |
|
|
YAML-formatted associative array of sysctl key/value pairs to be set
|
|
persistently e.g. '{ kernel.pid_max : 4194303 }'.
|
|
# Legacy (Icehouse) HA
|
|
ha-legacy-mode:
|
|
type: boolean
|
|
default: False
|
|
description: |
|
|
If True will enable Pacemaker to monitor the neutron-ha-monitor daemon
|
|
on every neutron-gateway unit, which detects neutron agents status and
|
|
reschedule resources hosting on failed agents, detects local errors and
|
|
release resources when network is unreachable or do necessary recover
|
|
tasks. This feature targets to < Juno which doesn't natively support HA
|
|
in Neutron itself.
|
|
ha-bindiface:
|
|
type: string
|
|
default: eth0
|
|
description: |
|
|
Default network interface on which HA cluster will bind to communicate
|
|
with the other members of the HA Cluster.
|
|
ha-mcastport:
|
|
type: int
|
|
default: 5409
|
|
description: |
|
|
Default multicast port number that will be used to communicate between
|
|
HA Cluster nodes.
|
|
action-managed-upgrade:
|
|
type: boolean
|
|
default: False
|
|
description: |
|
|
If True enables openstack upgrades for this charm via juju actions.
|
|
You will still need to set openstack-origin to the new repository but
|
|
instead of an upgrade running automatically across all units, it will
|
|
wait for you to execute the openstack-upgrade action for this charm on
|
|
each unit. If False it will revert to existing behavior of upgrading
|
|
all units on config change.
|
|
harden:
|
|
default:
|
|
type: string
|
|
description: |
|
|
Apply system hardening. Supports a space-delimited list of modules
|
|
to run. Supported modules currently include os, ssh, apache and mysql.
|
|
worker-multiplier:
|
|
type: float
|
|
default: 2.0
|
|
description: |
|
|
The CPU core multiplier to use when configuring worker processes for
|
|
neutron and nova-metadata-api. By default, the number of workers for
|
|
each daemon is set to twice the number of CPU cores a service unit has.
|
|
aa-profile-mode:
|
|
type: string
|
|
default: 'disable'
|
|
description: |
|
|
Experimental enable apparmor profile. Valid settings: 'complain', 'enforce' or 'disable'.
|
|
AA disabled by default.
|