fdd11b54a5
This patch adds standard SSL options to IPA config and makes use of them when making HTTP requests. For now, a single set of certificates is used when needed. In the future configuration can be expanded to allow per-service certificates. Besides, the 'insecure' option (defaults to False) can be overridden through kernel command line parameter 'ipa-insecure'. This will allow running IPA in CI-like environments with self-signed SSL certificates. Change-Id: I259d9b3caa9ba1dc3d7382f375b8e086a5348d80 Closes-Bug: #1642515
267 lines
10 KiB
Plaintext
267 lines
10 KiB
Plaintext
[DEFAULT]
|
|
|
|
#
|
|
# From ironic-python-agent
|
|
#
|
|
|
|
# URL of the Ironic API. Can be supplied as "ipa-api-url"
|
|
# kernel parameter.The value must start with either http:// or
|
|
# https://. (string value)
|
|
# Deprecated group/name - [DEFAULT]/api_url
|
|
#api_url = <None>
|
|
|
|
# The IP address to listen on. Can be supplied as "ipa-listen-
|
|
# host" kernel parameter. (string value)
|
|
# Deprecated group/name - [DEFAULT]/listen_host
|
|
#listen_host = 0.0.0.0
|
|
|
|
# The port to listen on. Can be supplied as "ipa-listen-port"
|
|
# kernel parameter. (integer value)
|
|
# Deprecated group/name - [DEFAULT]/listen_port
|
|
#listen_port = 9999
|
|
|
|
# The host to tell Ironic to reply and send commands to. Can
|
|
# be supplied as "ipa-advertise-host" kernel parameter.
|
|
# (string value)
|
|
# Deprecated group/name - [DEFAULT]/advertise_host
|
|
#advertise_host = <None>
|
|
|
|
# The port to tell Ironic to reply and send commands to. Can
|
|
# be supplied as "ipa-advertise-port" kernel parameter.
|
|
# (integer value)
|
|
# Deprecated group/name - [DEFAULT]/advertise_port
|
|
#advertise_port = 9999
|
|
|
|
# The number of times to try and automatically determine the
|
|
# agent IPv4 address. Can be supplied as "ipa-ip-lookup-
|
|
# attempts" kernel parameter. (integer value)
|
|
# Deprecated group/name - [DEFAULT]/ip_lookup_attempts
|
|
#ip_lookup_attempts = 3
|
|
|
|
# The amount of time to sleep between attempts to determine IP
|
|
# address. Can be supplied as "ipa-ip-lookup-timeout" kernel
|
|
# parameter. (integer value)
|
|
# Deprecated group/name - [DEFAULT]/ip_lookup_sleep
|
|
#ip_lookup_sleep = 10
|
|
|
|
# The interface to use when looking for an IP address. Can be
|
|
# supplied as "ipa-network-interface" kernel parameter.
|
|
# (string value)
|
|
# Deprecated group/name - [DEFAULT]/network_interface
|
|
#network_interface = <None>
|
|
|
|
# The amount of time to retry the initial lookup call to
|
|
# Ironic. After the timeout, the agent will exit with a non-
|
|
# zero exit code. Can be supplied as "ipa-lookup-timeout"
|
|
# kernel parameter. (integer value)
|
|
# Deprecated group/name - [DEFAULT]/lookup_timeout
|
|
#lookup_timeout = 300
|
|
|
|
# The initial interval for retries on the initial lookup call
|
|
# to Ironic. The interval will be doubled after each failure
|
|
# until timeout is exceeded. Can be supplied as "ipa-lookup-
|
|
# interval" kernel parameter. (integer value)
|
|
# Deprecated group/name - [DEFAULT]/lookup_interval
|
|
#lookup_interval = 1
|
|
|
|
# The amount of seconds to wait for LLDP packets. Can be
|
|
# supplied as "ipa-lldp-timeout" kernel parameter. (floating
|
|
# point value)
|
|
#lldp_timeout = 30.0
|
|
|
|
# Whether IPA should attempt to receive LLDP packets for each
|
|
# network interface it discovers in the inventory. Can be
|
|
# supplied as "ipa-collect-lldp" kernel parameter. (boolean
|
|
# value)
|
|
#collect_lldp = false
|
|
|
|
# Note: for debugging only. Start the Agent but suppress any
|
|
# calls to Ironic API. Can be supplied as "ipa-standalone"
|
|
# kernel parameter. (boolean value)
|
|
#standalone = false
|
|
|
|
# Endpoint of ironic-inspector. If set, hardware inventory
|
|
# will be collected and sent to ironic-inspector on start up.
|
|
# Can be supplied as "ipa-inspection-callback-url" kernel
|
|
# parameter. (string value)
|
|
#inspection_callback_url = <None>
|
|
|
|
# Comma-separated list of plugins providing additional
|
|
# hardware data for inspection, empty value gives a minimum
|
|
# required set of plugins. Can be supplied as "ipa-inspection-
|
|
# collectors" kernel parameter. (string value)
|
|
#inspection_collectors = default
|
|
|
|
# Maximum time (in seconds) to wait for the PXE NIC (or all
|
|
# NICs if inspection_dhcp_all_interfaces is True) to get its
|
|
# IP address via DHCP before inspection. Set to 0 to disable
|
|
# waiting completely. Can be supplied as "ipa-inspection-dhcp-
|
|
# wait-timeout" kernel parameter. (integer value)
|
|
#inspection_dhcp_wait_timeout = 60
|
|
|
|
# Whether to wait for all interfaces to get their IP addresses
|
|
# before inspection. If set to false (the default), only waits
|
|
# for the PXE interface. Can be supplied as "ipa-inspection-
|
|
# dhcp-all-interfaces" kernel parameter. (boolean value)
|
|
#inspection_dhcp_all_interfaces = false
|
|
|
|
# How much time (in seconds) to wait for hardware to
|
|
# initialize before proceeding with any actions. Can be
|
|
# supplied as "ipa-hardware-initialization-delay" kernel
|
|
# parameter. (integer value)
|
|
#hardware_initialization_delay = 0
|
|
|
|
# The number of times to try and check to see if at least one
|
|
# suitable disk has appeared in inventory before proceeding
|
|
# with any actions. Can be supplied as "ipa-disk-wait-
|
|
# attempts" kernel parameter. (integer value)
|
|
#disk_wait_attempts = 10
|
|
|
|
# How much time (in seconds) to wait between attempts to check
|
|
# if at least one suitable disk has appeared in inventory. Can
|
|
# be supplied as "ipa-disk-wait-delay" kernel parameter.
|
|
# (integer value)
|
|
#disk_wait_delay = 3
|
|
|
|
# Verify HTTPS connections. Can be supplied as "ipa-insecure"
|
|
# kernel parameter. (boolean value)
|
|
#insecure = false
|
|
|
|
# Path to PEM encoded Certificate Authority file to use when
|
|
# verifying HTTPS connections. Default is to use available
|
|
# system-wide configured CAs. (string value)
|
|
#cafile = <None>
|
|
|
|
# Path to PEM encoded client certificate cert file. Must be
|
|
# provided together with "keyfile" option. Default is to not
|
|
# present any client certificates to the server. (string
|
|
# value)
|
|
#certfile = <None>
|
|
|
|
# Path to PEM encoded client certificate key file. Must be
|
|
# provided together with "certfile" option. Default is to not
|
|
# present any client certificates to the server. (string
|
|
# value)
|
|
#keyfile = <None>
|
|
|
|
#
|
|
# From oslo.log
|
|
#
|
|
|
|
# If set to true, the logging level will be set to DEBUG
|
|
# instead of the default INFO level. (boolean value)
|
|
# Note: This option can be changed without restarting.
|
|
#debug = false
|
|
|
|
# DEPRECATED: If set to false, the logging level will be set
|
|
# to WARNING instead of the default INFO level. (boolean
|
|
# value)
|
|
# This option is deprecated for removal.
|
|
# Its value may be silently ignored in the future.
|
|
#verbose = true
|
|
|
|
# The name of a logging configuration file. This file is
|
|
# appended to any existing logging configuration files. For
|
|
# details about logging configuration files, see the Python
|
|
# logging module documentation. Note that when logging
|
|
# configuration files are used then all logging configuration
|
|
# is set in the configuration file and other logging
|
|
# configuration options are ignored (for example,
|
|
# logging_context_format_string). (string value)
|
|
# Note: This option can be changed without restarting.
|
|
# Deprecated group/name - [DEFAULT]/log_config
|
|
#log_config_append = <None>
|
|
|
|
# Defines the format string for %%(asctime)s in log records.
|
|
# Default: %(default)s . This option is ignored if
|
|
# log_config_append is set. (string value)
|
|
#log_date_format = %Y-%m-%d %H:%M:%S
|
|
|
|
# (Optional) Name of log file to send logging output to. If no
|
|
# default is set, logging will go to stderr as defined by
|
|
# use_stderr. This option is ignored if log_config_append is
|
|
# set. (string value)
|
|
# Deprecated group/name - [DEFAULT]/logfile
|
|
#log_file = <None>
|
|
|
|
# (Optional) The base directory used for relative log_file
|
|
# paths. This option is ignored if log_config_append is set.
|
|
# (string value)
|
|
# Deprecated group/name - [DEFAULT]/logdir
|
|
#log_dir = <None>
|
|
|
|
# Uses logging handler designed to watch file system. When log
|
|
# file is moved or removed this handler will open a new log
|
|
# file with specified path instantaneously. It makes sense
|
|
# only if log_file option is specified and Linux platform is
|
|
# used. This option is ignored if log_config_append is set.
|
|
# (boolean value)
|
|
#watch_log_file = false
|
|
|
|
# Use syslog for logging. Existing syslog format is DEPRECATED
|
|
# and will be changed later to honor RFC5424. This option is
|
|
# ignored if log_config_append is set. (boolean value)
|
|
#use_syslog = false
|
|
|
|
# Syslog facility to receive log lines. This option is ignored
|
|
# if log_config_append is set. (string value)
|
|
#syslog_log_facility = LOG_USER
|
|
|
|
# Log output to standard error. This option is ignored if
|
|
# log_config_append is set. (boolean value)
|
|
#use_stderr = false
|
|
|
|
# Format string to use for log messages with context. (string
|
|
# value)
|
|
#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
|
|
|
|
# Format string to use for log messages when context is
|
|
# undefined. (string value)
|
|
#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
|
|
|
|
# Additional data to append to log message when logging level
|
|
# for the message is DEBUG. (string value)
|
|
#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
|
|
|
|
# Prefix each line of exception output with this format.
|
|
# (string value)
|
|
#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
|
|
|
|
# Defines the format string for %(user_identity)s that is used
|
|
# in logging_context_format_string. (string value)
|
|
#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s
|
|
|
|
# List of package logging levels in logger=LEVEL pairs. This
|
|
# option is ignored if log_config_append is set. (list value)
|
|
#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO
|
|
|
|
# Enables or disables publication of error events. (boolean
|
|
# value)
|
|
#publish_errors = false
|
|
|
|
# The format for an instance that is passed with the log
|
|
# message. (string value)
|
|
#instance_format = "[instance: %(uuid)s] "
|
|
|
|
# The format for an instance UUID that is passed with the log
|
|
# message. (string value)
|
|
#instance_uuid_format = "[instance: %(uuid)s] "
|
|
|
|
# Interval, number of seconds, of log rate limiting. (integer
|
|
# value)
|
|
#rate_limit_interval = 0
|
|
|
|
# Maximum number of logged messages per rate_limit_interval.
|
|
# (integer value)
|
|
#rate_limit_burst = 0
|
|
|
|
# Log level name used by rate limiting: CRITICAL, ERROR, INFO,
|
|
# WARNING, DEBUG or empty string. Logs with level greater or
|
|
# equal to rate_limit_except_level are not filtered. An empty
|
|
# string means that all levels are filtered. (string value)
|
|
#rate_limit_except_level = CRITICAL
|
|
|
|
# Enables or disables fatal status of deprecations. (boolean
|
|
# value)
|
|
#fatal_deprecations = false
|