[DEFAULT]
# Print debugging output (set logging level to DEBUG instead of default WARNING level).
# debug = False
# bind_host = 127.0.0.1
# bind_port = 9876
# api_handler = queue_producer
#
# How should authentication be handled (keystone, noauth). noauth disables
# API request authentication and is intended for test environments only.
# auth_strategy = noauth
#
# Plugin options are hot_plug_plugin (Hot-pluggable controller plugin)
#
# octavia_plugins = hot_plug_plugin
# Hostname to be used by the host machine for services running on it.
# The default value is the hostname of the host machine.
# host =
# AMQP Transport URL
# For Single Host, specify one full transport URL:
# transport_url = rabbit://<user>:<pass>@127.0.0.1:5672/<vhost>
# For HA, specify queue nodes in cluster, comma delimited:
# transport_url = rabbit://<user>:<pass>@server01,<user>:<pass>@server02/<vhost>
# transport_url =
[database]
# This line MUST be changed to actually run the plugin.
# Example:
# connection = mysql+pymysql://root:pass@127.0.0.1:3306/octavia
# Replace 127.0.0.1 above with the IP address of the database used by the
# main octavia server. (Leave it as is if the database runs on this host.)
# connection = mysql+pymysql://
# NOTE: In deployment the [database] section and its connection attribute may
# be set in the corresponding core plugin '.ini' file. However, it is suggested
# to put the [database] section and its connection attribute in this
# configuration file.
[health_manager]
# bind_ip = 127.0.0.1
# bind_port = 5555
# controller_ip_port_list example: 127.0.0.1:5555, 127.0.0.1:5555
# controller_ip_port_list =
# failover_threads = 10
# status_update_threads = 50
# heartbeat_interval = 10
# heartbeat_key =
# heartbeat_timeout = 60
# health_check_interval = 3
# sock_rlimit = 0
# EventStreamer options are
# queue_event_streamer,
# noop_event_streamer
# event_streamer_driver = noop_event_streamer
[keystone_authtoken]
# This group of config options is imported from keystone middleware. Thus the
# option names should match the names declared in the middleware.
# auth_uri = https://localhost:5000/v3
# admin_user = octavia
# admin_password = password
# admin_tenant_name = service
# insecure = False
# cafile =
[certificates]
# Certificate Generator options are local_cert_generator
# anchor_cert_generator
# cert_generator = local_cert_generator
# For local certificate signing (development only):
# ca_certificate = /etc/ssl/certs/ssl-cert-snakeoil.pem
# ca_private_key = /etc/ssl/private/ssl-cert-snakeoil.key
# ca_private_key_passphrase =
# signing_digest = sha256
# storage_path = /var/lib/octavia/certificates/
# For the TLS management
# Certificate Manager options are local_cert_manager
# barbican_cert_manager
# cert_manager = barbican_cert_manager
# For Barbican authentication (if using any Barbican based cert class)
# barbican_auth = barbican_acl_auth
#
# Region in Identity service catalog to use for communication with the Barbican service.
# region_name =
#
# Endpoint type to use for communication with the Barbican service.
# endpoint_type = publicURL
[anchor]
# Use OpenStack anchor to sign the amphora REST API certificates
# url = http://localhost:9999/v1/sign/default
# username =
# password =
[networking]
# Network to communicate with amphora
# lb_network_name =
# The maximum attempts to retry an action with the networking service.
# max_retries = 15
# Seconds to wait before retrying an action with the networking service.
# retry_interval = 1
# The maximum time to wait, in seconds, for a port to detach from an amphora
# port_detach_timeout = 300
[haproxy_amphora]
# base_path = /var/lib/octavia
# base_cert_dir = /var/lib/octavia/certs
# Absolute path to a custom HAProxy template file
# haproxy_template =
# connection_max_retries = 300
# connection_retry_interval = 5
# build_rate_limit = -1
# build_active_retries = 300
# build_retry_interval = 5
# This setting is deprecated. It is now automatically discovered.
# user_group =
# Maximum number of entries that can fit in the stick table.
# The size supports "k", "m", "g" suffixes.
# haproxy_stick_size = 10k
# REST Driver specific
# bind_host = 0.0.0.0
# bind_port = 9443
#
# This setting is only needed when IPv6 link-local addresses (fe80::/64) are
# used for communication between Octavia and its Amphora, if IPv4 or other IPv6
# addresses are used it can be ignored.
# lb_network_interface = o-hm0
#
# haproxy_cmd = /usr/sbin/haproxy
# respawn_count = 2
# respawn_interval = 2
# client_cert = /etc/octavia/certs/client.pem
# server_ca = /etc/octavia/certs/server_ca.pem
#
# This setting is deprecated. It is now automatically discovered.
# use_upstart = True
#
# rest_request_conn_timeout = 10
# rest_request_read_timeout = 60
[controller_worker]
# workers = 1
# amp_active_retries = 10
# amp_active_wait_sec = 10
# Glance parameters to extract image ID to use for amphora. Only one of the
# parameters is needed. Using tags is the recommended way to refer to images.
# amp_image_id =
# amp_image_tag =
# Optional owner ID used to restrict glance images to one owner ID.
# This is a recommended security setting.
# amp_image_owner_id =
# Nova parameters to use when booting amphora
# amp_flavor_id =
# amp_ssh_key_name =
# amp_ssh_access_allowed = True
# Networks to attach to the Amphorae. Examples:
# - One primary network
# - - amp_boot_network_list = 22222222-3333-4444-5555-666666666666
# - Multiple networks
# - - amp_boot_network_list = 11111111-2222-3333-4444-555555555555, 22222222-3333-4444-5555-666666666666
# - All networks defined in the list will be attached to each amphora
# amp_boot_network_list =
# amp_secgroup_list =
# client_ca = /etc/octavia/certs/ca_01.pem
# Amphora driver options are amphora_noop_driver,
# amphora_haproxy_rest_driver
#
# amphora_driver = amphora_noop_driver
#
# Compute driver options are compute_noop_driver
# compute_nova_driver
#
# compute_driver = compute_noop_driver
#
# Network driver options are network_noop_driver
# allowed_address_pairs_driver
#
# network_driver = network_noop_driver
#
# Load balancer topology options are SINGLE, ACTIVE_STANDBY
# loadbalancer_topology = SINGLE
# user_data_config_drive = False
[task_flow]
# engine = serial
# max_workers = 5
[oslo_messaging]
# Queue Consumer Thread Pool Size
# rpc_thread_pool_size = 2
# Topic (i.e. Queue) Name
# topic = octavia_prov
# Topic for octavia's events sent to a queue
# event_stream_topic = neutron_lbaas_event
[house_keeping]
# Interval in seconds to initiate spare amphora checks
# spare_check_interval = 30
# spare_amphora_pool_size = 0
# Cleanup interval for Deleted amphora
# cleanup_interval = 30
# Amphora expiry age in seconds. Default is 1 week
# amphora_expiry_age = 604800
# Load balancer expiry age in seconds. Default is 1 week
# load_balancer_expiry_age = 604800
[amphora_agent]
# agent_server_ca = /etc/octavia/certs/client_ca.pem
# agent_server_cert = /etc/octavia/certs/server.pem
# Defaults for agent_server_network_dir when not specified here are:
# Ubuntu: /etc/netns/amphora-haproxy/network/interfaces.d/
# Centos/fedora/rhel: /etc/netns/amphora-haproxy/sysconfig/network-scripts/
#
# agent_server_network_dir =
# agent_server_network_file =
# agent_request_read_timeout = 120
[keepalived_vrrp]
# Amphora Role/Priority advertisement interval in seconds
# vrrp_advert_int = 1
# Service health check interval and success/fail count
# vrrp_check_interval = 5
# vrrp_fail_count = 2
# vrrp_success_count = 2
# Amphora MASTER gratuitous ARP refresh settings
# vrrp_garp_refresh_interval = 5
# vrrp_garp_refresh_count = 2
[service_auth]
# memcached_servers =
# signing_dir =
# cafile = /opt/stack/data/ca-bundle.pem
# project_domain_name = Default
# project_name = admin
# user_domain_name = Default
# password = password
# username = admin
# auth_type = password
# auth_url = http://localhost:5555/
[nova]
# The name of the nova service in the keystone catalog
# service_name =
# Custom nova endpoint if override is necessary
# endpoint =
# Region in Identity service catalog to use for communication with the
# OpenStack services.
# region_name =
# Endpoint type in Identity service catalog to use for communication with
# the OpenStack services.
# endpoint_type = publicURL
# CA certificates file to verify nova connections when TLS is enabled
# ca_certificates_file =
# Disable certificate validation on SSL connections. Leave this False outside
# of testing: True means the server certificate is not verified.
# insecure = False
# If non-zero, generate a random name of the length provided for each amphora,
# in the format "a[A-Z0-9]*".
# Otherwise, the default name format will be used: "amphora-{UUID}".
# random_amphora_name_length = 0
#
# Availability zone to use for creating Amphorae
# availability_zone =
# Enable anti-affinity in nova
# enable_anti_affinity = False
# Set the anti-affinity policy to what is suitable.
# Nova supports: anti-affinity and soft-anti-affinity
# anti_affinity_policy = anti-affinity
[glance]
# The name of the glance service in the keystone catalog
# service_name =
# Custom glance endpoint if override is necessary
# endpoint =
# Region in Identity service catalog to use for communication with the
# OpenStack services.
# region_name =
# Endpoint type in Identity service catalog to use for communication with
# the OpenStack services.
# endpoint_type = publicURL
# CA certificates file to verify glance connections when TLS is enabled
# insecure = False
# ca_certificates_file =
[neutron]
# The name of the neutron service in the keystone catalog
# service_name =
# Custom neutron endpoint if override is necessary
# endpoint =
# Region in Identity service catalog to use for communication with the
# OpenStack services.
# region_name =
# Endpoint type in Identity service catalog to use for communication with
# the OpenStack services.
# endpoint_type = publicURL
# CA certificates file to verify neutron connections when TLS is enabled
# insecure = False
# ca_certificates_file =
[quotas]
# default_load_balancer_quota = -1
# default_listener_quota = -1
# default_member_quota = -1
# default_pool_quota = -1
# default_health_monitor_quota = -1