40701500b5
Add support to enabling logging of security groups for OpenStack Queens or later; this feature is enabled via the neutron-api charm, with local charm configuration options to allow control of rate and burst limits and to set a local log output directory if require (allowing log data to be written to a separate partition for example). The feature is only compatible with the openvswitch firewall driver and will not be enabled if this configuration option is not set. Basic deployment tests changes is included here since nova-cloud-controller unit and relation was missing before, and it leads to CI constantly failing. Corresponding charm-helpers change: https://github.com/juju/charm-helpers/pull/228 Change-Id: Id6ed09f714981e87838186d51a4f5e693bedb1d3 Closes-Bug: #1787397 Depends-On: https://review.openstack.org/602355
280 lines
11 KiB
YAML
280 lines
11 KiB
YAML
options:
|
|
debug:
|
|
type: boolean
|
|
default: False
|
|
description: Enable debug logging.
|
|
verbose:
|
|
type: boolean
|
|
default: False
|
|
description: Enable verbose logging.
|
|
use-syslog:
|
|
type: boolean
|
|
default: False
|
|
description: |
|
|
Setting this to True will allow supporting services to log to syslog.
|
|
rabbit-user:
|
|
type: string
|
|
default: neutron
|
|
description: Username used to access RabbitMQ queue
|
|
rabbit-vhost:
|
|
type: string
|
|
default: openstack
|
|
description: RabbitMQ vhost
|
|
data-port:
|
|
type: string
|
|
default:
|
|
description: |
|
|
Space-delimited list of bridge:port mappings. Ports will be added to
|
|
their corresponding bridge. The bridges will allow usage of flat or
|
|
VLAN network types with Neutron and should match this defined in
|
|
bridge-mappings.
|
|
.
|
|
Ports provided can be the name or MAC address of the interface to be
|
|
added to the bridge. If MAC addresses are used, you may provide multiple
|
|
bridge:mac for the same bridge so as to be able to configure multiple
|
|
units. In this case the charm will run through the provided MAC addresses
|
|
for each bridge until it finds one it can resolve to an interface name.
|
|
Port can also be a linuxbridge bridge. In this case a veth pair will be
|
|
created, the ovs bridge and the linuxbridge bridge will be connected. It
|
|
can be useful to connect the ovs bridge to juju bridge.
|
|
dpdk-bond-mappings:
|
|
type: string
|
|
default:
|
|
description: |
|
|
Space-delimited list of bond:port mappings. The DPDK assigned ports will
|
|
be added to their corresponding bond, which in turn will be put into the
|
|
bridge as specified in data-port.
|
|
.
|
|
This option is supported only when enable-dpdk is true.
|
|
dpdk-bond-config:
|
|
type: string
|
|
default: ":balance-tcp:active:fast"
|
|
description: |
|
|
Space delimited list of bond:mode:lacp:lacp-time, where the arguments meaning is:
|
|
.
|
|
* bond - the bond name. If not specified the configuration applies to all bonds
|
|
* mode - the bond mode of operation. Possible values are:
|
|
- active-backup - No load balancing is offered in this mode and only one of
|
|
the member ports is active/used at a time.
|
|
- balance-slb - Considered as a static load-balancing mode. Traffic is load
|
|
balanced between member ports based on the source MAC and VLAN.
|
|
- balance-tcp - This is the preferred bonding mode. It offers traffic load
|
|
balancing based on 5-tuple header fields. LACP must be enabled
|
|
at both endpoints to use this mode. The aggregate link will
|
|
fall back to default mode (active-passive) in the event of LACP
|
|
negotiation failure.
|
|
* lacp - active, passive or off
|
|
* lacp-time - fast or slow. LACP negotiation time interval - 30 ms or 1 second
|
|
disable-security-groups:
|
|
type: boolean
|
|
default: false
|
|
description: |
|
|
Disable neutron based security groups - setting this configuration option
|
|
will override any settings configured via the neutron-api charm.
|
|
.
|
|
BE CAREFUL - this option allows you to disable all port level security
|
|
within an OpenStack cloud.
|
|
bridge-mappings:
|
|
type: string
|
|
default: 'physnet1:br-data'
|
|
description: |
|
|
Space-delimited list of ML2 data bridge mappings with format
|
|
<provider>:<bridge>.
|
|
flat-network-providers:
|
|
type: string
|
|
default:
|
|
description: |
|
|
Space-delimited list of Neutron flat network providers.
|
|
vlan-ranges:
|
|
type: string
|
|
default: "physnet1:1000:2000"
|
|
description: |
|
|
Space-delimited list of <physical_network>:<vlan_min>:<vlan_max> or
|
|
<physical_network> specifying physical_network names usable for VLAN
|
|
provider and tenant networks, as well as ranges of VLAN tags on each
|
|
available for allocation to tenant networks.
|
|
firewall-driver:
|
|
type: string
|
|
default:
|
|
description: |
|
|
Firewall driver to use to support use of security groups with
|
|
instances; valid values include iptables_hybrid (default) and
|
|
openvswitch (>= Mitaka on Ubuntu 16.04 or later).
|
|
ext-port:
|
|
type: string
|
|
default:
|
|
description: |
|
|
Deprecated: Use bridge-mappings and data-port to create a network
|
|
which can be used for external connectivity. You can call the network
|
|
external and the bridge br-ex by convention, but neither is required
|
|
|
|
A space-separated list of external ports to use for routing of instance
|
|
traffic to the external public network. Valid values are either MAC
|
|
addresses (in which case only MAC addresses for interfaces without an IP
|
|
address already assigned will be used), or interfaces (eth0)
|
|
enable-local-dhcp-and-metadata:
|
|
type: boolean
|
|
default: false
|
|
description: |
|
|
Enable local Neutron DHCP and Metadata Agents. This is useful for
|
|
deployments which do not include a neutron-gateway (do not require l3,
|
|
lbaas or vpnaas services) and should only be used in-conjunction with
|
|
flat or VLAN provider networks configurations.
|
|
dnsmasq-flags:
|
|
type: string
|
|
default:
|
|
description: |
|
|
Comma-separated list of key=value config flags with the additional dhcp
|
|
options for neutron dnsmasq. Note, this option is only valid when
|
|
enable-local-dhcp-and-metadata option is set to True.
|
|
instance-mtu:
|
|
type: int
|
|
default:
|
|
description: |
|
|
Configure DHCP services to provide MTU configuration to instances
|
|
within the cloud. This is useful in deployments where its not
|
|
possible to increase MTU on switches and physical servers to
|
|
accommodate the packet overhead of using GRE tunnels.
|
|
dns-servers:
|
|
type: string
|
|
default:
|
|
description: |
|
|
A comma-separated list of DNS servers which will be used by dnsmasq as
|
|
forwarders. This option only applies when the enable-local-dhcp-and-metadata
|
|
options is set to True.
|
|
prevent-arp-spoofing:
|
|
type: boolean
|
|
default: true
|
|
description: |
|
|
Enable suppression of ARP responses that don't match an IP address that
|
|
belongs to the port from which they originate.
|
|
.
|
|
Only supported in OpenStack Liberty or newer, which has the required
|
|
minimum version of Open vSwitch.
|
|
.
|
|
NOTE: this feature is deprecated and removed in Openstack >= Ocata. As of
|
|
that point the only way to disable protection will be via the port
|
|
security extension (see LP 1691080 for info).
|
|
enable-dpdk:
|
|
type: boolean
|
|
default: false
|
|
description: |
|
|
Enable DPDK fast userspace networking; this requires use of DPDK
|
|
supported network interface drivers and must be used in conjunction with
|
|
the data-port configuration option to configure each bridge with an
|
|
appropriate DPDK enabled network device.
|
|
dpdk-socket-memory:
|
|
type: int
|
|
default: 1024
|
|
description: |
|
|
Amount of hugepage memory in MB to allocate per NUMA socket in deployed
|
|
systems.
|
|
.
|
|
Only used when DPDK is enabled.
|
|
dpdk-socket-cores:
|
|
type: int
|
|
default: 1
|
|
description: |
|
|
Number of cores to allocate to DPDK per NUMA socket in deployed systems.
|
|
.
|
|
Only used when DPDK is enabled.
|
|
dpdk-driver:
|
|
type: string
|
|
default:
|
|
description: |
|
|
Kernel userspace device driver to use for DPDK devices, valid values
|
|
include:
|
|
.
|
|
vfio-pci
|
|
uio_pci_generic
|
|
.
|
|
Only used when DPDK is enabled.
|
|
enable-sriov:
|
|
type: boolean
|
|
default: false
|
|
description: |
|
|
Enable SR-IOV NIC agent on deployed units; use with sriov-device-mappings
|
|
to map SR-IOV devices to underlying provider networks. Enabling this
|
|
option allows instances to be plugged into directly into SR-IOV VF
|
|
devices connected to underlying provider networks alongside the default
|
|
Open vSwitch networking options.
|
|
sriov-device-mappings:
|
|
type: string
|
|
default:
|
|
description: |
|
|
Space-delimited list of SR-IOV device mappings with format
|
|
.
|
|
<provider>:<interface>
|
|
.
|
|
Multiple mappings can be provided, delimited by spaces.
|
|
sriov-numvfs:
|
|
type: string
|
|
default: auto
|
|
description: |
|
|
Number of VF's to configure each PF with; by default, each SR-IOV PF will
|
|
be configured with the maximum number of VF's it can support. Either use
|
|
a single integer to apply the same VF configuration to all detected
|
|
SR-IOV devices or use a per-device configuration in the following format
|
|
.
|
|
<device>:<numvfs>
|
|
.
|
|
Multiple devices can be configured by providing multi values delimited by
|
|
spaces.
|
|
.
|
|
NOTE: Changing this value will disrupt networking on all SR-IOV capable
|
|
interfaces for blanket configuration or listed interfaces when per-device
|
|
configuration is used.
|
|
worker-multiplier:
|
|
type: float
|
|
default:
|
|
description: |
|
|
The CPU core multiplier to use when configuring worker processes for
|
|
this services e.g. metadata-agent. By default, the number of workers for
|
|
each daemon is set to twice the number of CPU cores a service unit has.
|
|
When deployed in a LXD container, this default value will be capped to 4
|
|
workers unless this configuration option is set.
|
|
# Network config (by default all access is over 'private-address')
|
|
os-data-network:
|
|
type: string
|
|
default: ""
|
|
description: |
|
|
The IP address and netmask of the OpenStack Data network (e.g.,
|
|
192.168.0.0/24)
|
|
.
|
|
This network will be used for tenant network traffic in overlay
|
|
networks.
|
|
.
|
|
In order to support service zones spanning multiple network
|
|
segments, a space-delimited list of a.b.c.d/x can be provided
|
|
The address of the first network found to have an address
|
|
configured will be used.
|
|
ipfix-target:
|
|
type: string
|
|
default:
|
|
description: |
|
|
IPFIX target wit the format "IP_Address:Port". This will enable IPFIX
|
|
exporting on all OVS bridges to the target, including br-int and br-ext.
|
|
security-group-log-output-base:
|
|
type: string
|
|
default:
|
|
description: |
|
|
This option allows setting a path for Network Security Group logs.
|
|
A valid file system path must be provided. If this option is not
|
|
provided Neutron will use syslog as a destination.
|
|
(Available from Queens)
|
|
security-group-log-rate-limit:
|
|
type: int
|
|
default:
|
|
description: |
|
|
Log entries are queued for writing to a log file when a packet rate
|
|
exceeds the limit set by this option.
|
|
Possible values: null (no rate limitation), integer values greater than 100.
|
|
WARNING: Should be NOT LESS than 100, if set
|
|
(or, if null, logging will log unlimited.)
|
|
security-group-log-burst-limit:
|
|
type: int
|
|
default: 25
|
|
description: |
|
|
This option sets the maximum queue size for log entries.
|
|
Can be used to avoid excessive memory consumption.
|
|
WARNING: Should be NOT LESS than 25. |