openstack/charm-nova-compute
Code Issues Proposed changes
99a9cf63ba
charm-nova-compute/templates/juno/nova.conf
Chris MacNaughton 82c5027814 Ensure that VNC only binds on the internal network 
When the VNC server is set to bind to 0.0.0.0,
unauthenticated console access is possible to any
VM via any of the compute host's interfaces. This
access should be restricted to an internal network.

Change-Id: Ibbc12ae282320f966eec90e9116388233e65eb9a
Closes-Bug: #1843004
2019-09-06 11:55:44 +02:00

183 lines
5.0 KiB
Plaintext
Raw Blame History

# juno
###############################################################################
# [ WARNING ]
# Configuration file maintained by Juju. Local changes may be overwritten.
{% if restart_trigger -%}
# restart trigger: {{ restart_trigger }}
{% endif -%}
###############################################################################
[DEFAULT]
verbose={{ verbose }}
debug={{ debug }}
dhcpbridge_flagfile=/etc/nova/nova.conf
dhcpbridge=/usr/bin/nova-dhcpbridge
logdir=/var/log/nova
state_path=/var/lib/nova
lock_path=/var/lock/nova
force_dhcp_release=True
{% if arch == 'aarch64' -%}
libvirt_use_virtio_for_bridges=False
libvirt_disk_prefix=vd
{% else -%}
libvirt_use_virtio_for_bridges=True
{% endif -%}
use_syslog = {{ use_syslog }}
ec2_private_dns_show_ip=True
api_paste_config=/etc/nova/api-paste.ini
enabled_apis=osapi_compute,metadata
auth_strategy=keystone
compute_driver=libvirt.LibvirtDriver
my_ip = {{ host_ip }}
{% include "parts/rabbitmq" %}
{% if glance_api_servers -%}
glance_api_servers = {{ glance_api_servers }}
{% endif -%}
{% if metadata_shared_secret -%}
neutron_metadata_proxy_shared_secret = {{ metadata_shared_secret }}
service_neutron_metadata_proxy=True
{% endif -%}
{% if console_vnc_type -%}
vnc_enabled = True
novnc_enabled = True
vnc_keymap = {{ console_keymap }}
vncserver_listen = {{ console_listen_addr }}
vncserver_proxyclient_address = {{ console_listen_addr }}
{% if console_access_protocol == 'novnc' or console_access_protocol == 'vnc' -%}
novncproxy_base_url = {{ novnc_proxy_address }}
{% endif -%}
{% if console_access_protocol == 'xvpvnc' or console_access_protocol == 'vnc' -%}
xvpvncproxy_port = {{ xvpvnc_proxy_port }}
xvpvncproxy_host = {{ xvpvnc_proxy_host }}
xvpvncproxy_base_url = {{ xvpvnc_proxy_address }}
{% endif -%}
{% else -%}
vnc_enabled = False
novnc_enabled = False
{% endif -%}
{% if neutron_plugin and neutron_plugin in ('ovs', 'midonet') -%}
libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtGenericVIFDriver
{% if neutron_security_groups -%}
security_group_api = neutron
firewall_driver = nova.virt.firewall.NoopFirewallDriver
{% endif -%}
{% endif -%}
{% if neutron_plugin and neutron_plugin == 'vsp' -%}
network_api_class=nova.network.neutronv2.api.API
libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtGenericVIFDriver
neutron_ovs_bridge=alubr0
security_group_api=nova
firewall_driver = nova.virt.firewall.NoopFirewallDriver
{% endif -%}
{% if neutron_plugin and (neutron_plugin == 'nvp' or neutron_plugin == 'nsx') -%}
libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtOpenVswitchVirtualPortDriver
security_group_api = neutron
firewall_driver = nova.virt.firewall.NoopFirewallDriver
{% endif -%}
{% if neutron_plugin and neutron_plugin == 'Calico' -%}
security_group_api = neutron
firewall_driver = nova.virt.firewall.NoopFirewallDriver
{% endif -%}
{% if neutron_plugin and neutron_plugin == 'plumgrid' -%}
security_group_api=neutron
firewall_driver = nova.virt.firewall.NoopFirewallDriver
{% endif -%}
{% if network_manager_config -%}
{% for key, value in network_manager_config.items() -%}
{{ key }} = {{ value }}
{% endfor -%}
{% endif -%}
{% if network_manager == 'neutron' -%}
network_api_class = nova.network.neutronv2.api.API
{% else -%}
network_manager = nova.network.manager.FlatDHCPManager
{% endif -%}
{% if network_device_mtu -%}
network_device_mtu = {{ network_device_mtu }}
{% endif -%}
{% if volume_service -%}
volume_api_class = nova.volume.cinder.API
{% endif -%}
{% if user_config_flags -%}
{% for key, value in user_config_flags.items() -%}
{{ key }} = {{ value }}
{% endfor -%}
{% endif -%}
{% if instances_path -%}
instances_path = {{ instances_path }}
{% endif -%}
{% if sections and 'DEFAULT' in sections -%}
{% for key, value in sections['DEFAULT'] -%}
{{ key }} = {{ value }}
{% endfor -%}
{% endif -%}
{% if default_availability_zone -%}
default_availability_zone = {{ default_availability_zone }}
{% endif -%}
{% if console_access_protocol == 'spice' -%}
[spice]
agent_enabled = True
enabled = True
html5proxy_base_url = {{ spice_proxy_address }}
keymap = {{ console_keymap }}
server_listen = {{ console_listen_addr }}
server_proxyclient_address = {{ console_listen_addr }}
{% endif -%}
[libvirt]
{% if cpu_mode -%}
cpu_mode = {{ cpu_mode }}
{% endif -%}
{% if cpu_model -%}
cpu_model = {{ cpu_model }}
{% endif -%}
{% if libvirt_images_type -%}
images_type = {{ libvirt_images_type }}
{% endif -%}
{% if libvirt_images_type and rbd_pool -%}
images_rbd_pool = {{ rbd_pool }}
images_rbd_ceph_conf = {{ libvirt_rbd_images_ceph_conf }}
inject_password = false
inject_key = false
inject_partition = -2
{% endif -%}
rbd_user = {{ rbd_user }}
rbd_secret_uuid = {{ rbd_secret_uuid }}
{% if live_migration_uri -%}
live_migration_uri = {{ live_migration_uri }}
{% endif -%}
{% if disk_cachemodes -%}
disk_cachemodes = {{ disk_cachemodes }}
{% endif %}
{% if use_multipath -%}
iscsi_use_multipath = {{ use_multipath }}
{% endif %}
{% if default_ephemeral_format -%}
default_ephemeral_format = {{ default_ephemeral_format }}
{% endif %}
{% include "parts/section-cinder" %}
{% include "parts/section-ephemeral" %}
{% include "parts/section-serial-console" %}
View Git Blame Copy Permalink