b2624d4a26
Presently all services use the single root virtual host within RabbitMQ. While this is “OK” for small to mid-sized deployments, it would be better to divide services into logical resource groups within RabbitMQ, which brings additional security. This change set gives OSAD better compartmentalization of consumer services that use RabbitMQ. UpgradeImpact DocImpact Change-Id: I6f9d07522faf133f3c1c84a5b9046a55d5789e52 Implements: blueprint compartmentalize-rabbitmq
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Marks this role as one that is deployed directly on a host machine.
is_metal: true

## Logging verbosity
# NOTE(review): debug logging may record request details; keep `debug` off
# outside of troubleshooting -- confirm what the rendered config logs.
debug: false
verbose: true
neutron_fatal_deprecations: false

## neutron system user and group
# The login shell is /bin/false, so the account has no interactive shell.
neutron_system_user_name: 'neutron'
neutron_system_group_name: 'neutron'
neutron_system_comment: 'neutron system user'
neutron_system_shell: '/bin/false'
# Home directory is derived from the user name above.
neutron_system_home_folder: "/var/lib/{{ neutron_system_user_name }}"

## Database (Galera)
# The password is not defined in this file; it is read from
# ``neutron_container_mysql_password``.
# NOTE(review): presumably that variable lives in a secrets file -- confirm it
# is generated per deployment and kept out of version control.
neutron_galera_user: 'neutron'
neutron_galera_password: "{{ neutron_container_mysql_password }}"
neutron_galera_database: 'neutron'
neutron_db_revision: 'heads'
neutron_db_config: '/etc/neutron/neutron.conf'
neutron_db_plugin: '/etc/neutron/plugins/ml2/ml2_conf.ini'
# Connection pool sizing.
# NOTE(review): presumably applied per worker process -- check the total
# against the database connection limit.
neutron_db_max_overflow: 20
neutron_db_pool_size: 120
neutron_db_pool_timeout: 30

## RabbitMQ account and virtual host used by neutron
# neutron gets its own user and its own vhost rather than the root vhost.
# NOTE(review): the separation only helps if this user's permissions are
# limited to this vhost and its password is not shared with other services;
# neither is set in this file -- confirm in the RabbitMQ tasks.
neutron_rabbitmq_userid: 'neutron'
neutron_rabbitmq_vhost: '/neutron'

## Plugins
neutron_plugin_core: 'neutron.plugins.ml2.plugin.Ml2Plugin'
# Extend the ``neutron_plugin_base`` list to load further service plugins,
# for example:
# neutron_plugin_base:
#   - neutron.services.l3_router.l3_router_plugin.L3RouterPlugin
#   - neutron.services.metering.metering_plugin.MeteringPlugin
#   - neutron.services.loadbalancer.plugin.LoadBalancerPlugin
#   - neutron.services.vpn.plugin.VPNDriverPlugin
neutron_plugin_base:
  - neutron.services.l3_router.l3_router_plugin.L3RouterPlugin
  - neutron.services.metering.metering_plugin.MeteringPlugin
# Comma-separated form of the list above, with no trailing comma.
neutron_plugin_loaded_base: "{{ neutron_plugin_base | join(',') }}"

## Drivers
# Each value is the dotted Python path of the class neutron should load.
neutron_driver_network_scheduler: 'neutron.scheduler.dhcp_agent_scheduler.ChanceScheduler'
neutron_driver_router_scheduler: 'neutron.scheduler.l3_agent_scheduler.LeastRoutersScheduler'
neutron_driver_loadbalancer_pool_scheduler: 'neutron.services.loadbalancer.agent_scheduler.ChanceScheduler'
neutron_driver_interface: 'neutron.agent.linux.interface.BridgeInterfaceDriver'
neutron_driver_metering: 'neutron.services.metering.drivers.iptables.iptables_driver.IptablesMeteringDriver'
neutron_driver_dhcp: 'neutron.agent.linux.dhcp.Dnsmasq'
neutron_driver_notification: 'neutron.openstack.common.notifier.rpc_notifier'
neutron_driver_quota: 'neutron.db.quota_db.DbQuotaDriver'
# iptables-based driver used to enforce security groups on the agent.
neutron_driver_firewall: 'neutron.agent.linux.iptables_firewall.IptablesFirewallDriver'

## Quotas
# NOTE(review): presumably -1 means "unlimited", following neutron's quota
# convention -- confirm. If so, the default quota, health monitors and pool
# members are uncapped per tenant; set finite values where resource
# exhaustion by a single tenant is a concern.
neutron_default_quota: -1
neutron_quota_floatingip: 50
neutron_quota_health_monitor: -1
neutron_quota_member: -1
neutron_quota_network: 10
neutron_quota_network_gateway: 5
neutron_quota_packet_filter: 100
neutron_quota_pool: 10
neutron_quota_port: 50
neutron_quota_router: 10
neutron_quota_security_group: 10
neutron_quota_security_group_rule: 100
neutron_quota_subnet: 10
neutron_quota_vip: 10

## General Neutron configuration
# When ``neutron_api_workers`` is left unset, the number of api workers is
# computed as half of the available VCPUs.
# neutron_api_workers: 16

# ``neutron_rpc_workers`` is an experimental feature in neutron master
# (as of 03/2015); it defaults to 0.
neutron_rpc_workers: 0

# When ``neutron_metadata_workers`` is left unset, the worker count is
# computed as half of the available VCPUs.
# neutron_metadata_workers: 16
neutron_metadata_backlog: 128

## Auth: service user and endpoints
neutron_service_project_name: 'service'
neutron_service_project_domain_id: 'default'
neutron_service_user_domain_id: 'default'
# NOTE(review): the service user is given the `admin` role by default --
# presumably inside the service project; confirm the scope in the keystone
# tasks that consume this variable.
neutron_service_role_name: 'admin'
neutron_service_user_name: 'neutron'
neutron_service_name: 'neutron'
neutron_service_type: 'network'
neutron_service_description: "OpenStack Networking"
neutron_service_port: 9696
# Default endpoint scheme is plain HTTP. Each *_proto variable below takes the
# matching ``openstack_service_*uri_proto`` value when it is defined and falls
# back to this one otherwise.
# NOTE(review): with the default, API traffic (tokens included) is not
# encrypted unless TLS is terminated in front of the service -- confirm.
neutron_service_proto: 'http'
neutron_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(neutron_service_proto) }}"
neutron_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(neutron_service_proto) }}"
neutron_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(neutron_service_proto) }}"
# The public endpoint is built on the external VIP; the admin and internal
# endpoints are both built on the internal VIP.
neutron_service_publicuri: "{{ neutron_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ neutron_service_port }}"
neutron_service_publicurl: "{{ neutron_service_publicuri }}"
neutron_service_adminuri: "{{ neutron_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ neutron_service_port }}"
neutron_service_adminurl: "{{ neutron_service_adminuri }}"
neutron_service_internaluri: "{{ neutron_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ neutron_service_port }}"
neutron_service_internalurl: "{{ neutron_service_internaluri }}"
neutron_service_region: 'RegionOne'

## Keystone authentication middleware
neutron_keystone_auth_plugin: 'password'

# Per-program settings: process name, the config files passed on its command
# line, and whether it is enabled. Every program is disabled by default.
# NOTE(review): presumably each one is switched on per host group elsewhere
# -- confirm.
neutron_service_program_name: 'neutron-server'
neutron_service_program_config_options: '--config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini'
neutron_service_program_enabled: false

neutron_service_dhcp_program_name: 'neutron-dhcp-agent'
neutron_service_dhcp_program_config_options: '--config-file /etc/neutron/neutron.conf --config-file /etc/neutron/dhcp_agent.ini'
neutron_service_dhcp_program_enabled: false

neutron_service_l3_program_name: 'neutron-l3-agent'
neutron_service_l3_program_config_options: '--config-file /etc/neutron/neutron.conf --config-file /etc/neutron/l3_agent.ini'
neutron_service_l3_program_enabled: false

neutron_service_linuxbridge_program_name: 'neutron-linuxbridge-agent'
neutron_service_linuxbridge_program_config_options: '--config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini'
neutron_service_linuxbridge_program_enabled: false

neutron_service_metadata_program_name: 'neutron-metadata-agent'
neutron_service_metadata_program_config_options: '--config-file /etc/neutron/neutron.conf --config-file /etc/neutron/metadata_agent.ini'
neutron_service_metadata_program_enabled: false

neutron_service_metering_program_name: 'neutron-metering-agent'
neutron_service_metering_program_config_options: '--config-file /etc/neutron/neutron.conf --config-file /etc/neutron/metering_agent.ini'
neutron_service_metering_program_enabled: false

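## Agent
neutron_external_network_bridge: ""
neutron_gateway_external_network_id: ""

# Enable l2 population
neutron_l2_population: true

neutron_agent_mode: legacy
neutron_agent_down_time: 120
neutron_agent_polling_interval: 5
# Agents report at half of the agent down time. The division is parenthesised
# so the final `int` filter applies to the quotient: Jinja binds filters
# tighter than `/`, so without the parentheses only the literal 2 is cast and
# the value renders as a float (60.0 for a down time of 120).
neutron_report_interval: "{{ (neutron_agent_down_time | int / 2) | int }}"
# Device MTU; the same 1450 is forced to instances through DHCP option 26 in
# ``neutron_dhcp_config``.
neutron_network_device_mtu: 1450
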
# L3 agent options
neutron_l3_router_delete_namespaces: true

# L3 HA (VRRP) options
neutron_ha_vrrp_advert_int: 2
# The default password is the literal four-character string 'None', not a
# YAML null.
# NOTE(review): confirm how the template consumes it; if it is rendered
# verbatim, every deployment that enables L3 HA without overriding it shares
# the same VRRP password. VRRP `PASS` authentication is carried in cleartext,
# so treat it as a guard against misconfiguration rather than a security
# boundary, and still set a per-deployment value.
neutron_ha_vrrp_auth_password: 'None'
neutron_ha_vrrp_auth_type: 'PASS'
neutron_handle_internal_only_routers: true
neutron_l3_ha_enabled: false
neutron_l3_ha_net_cidr: '169.254.192.0/18'

# When ``neutron_min_l3_agents_per_router`` is left unset, half the number of
# hosts in the "neutron_agent" group is used as the minimum agents per router.
# neutron_min_l3_agents_per_router: 3

# When ``neutron_max_l3_agents_per_router`` is left unset, the number of hosts
# in the "neutron_agent" group is used as the maximum agents per router.
# neutron_max_l3_agents_per_router: 3

# dnsmasq options for the DHCP agent
# DHCP option 26 is the interface MTU; 1450 is the same value as the
# ``neutron_network_device_mtu`` default.
neutron_dhcp_config:
  dhcp-option-force: "26,1450"
  log-facility: "/var/log/neutron/neutron-dnsmasq.log"

# Network types and mechanism drivers enabled for the ml2 plugin
neutron_ml2_drivers_type: "flat,vlan,vxlan,local"
neutron_ml2_mechanism_drivers: "linuxbridge,l2population"

## Overlay network configuration. Defaults to an empty hash; example:
# neutron_overlay_network:
#   address: "172.29.241.248"
#   bridge: "br-vxlan"
#   interface: "eth10"
#   netmask: "255.255.252.0"
#   type: "veth"
neutron_overlay_network: {}

## neutron multicast group address. Set it as a host variable when used.
## Defaults to an empty string.
# neutron_vxlan_group: 239.1.1.100
neutron_vxlan_group: ""

## Provider networks made available when rendering network configuration such
## as ml2_conf.ini. This is normally defined as a host variable, because the
## network configuration is likely to differ between hosts.
# neutron_provider_networks:
#   network_flat_networks: "flat"
#   network_mappings: "flat:eth12,vlan:eth11"
#   network_types: "vxlan,flat,vlan"
#   network_vlan_ranges: "vlan:1:1,vlan:1024:1025"
#   network_vxlan_ranges: "1:1000"

neutron_dhcp_domain: 'openstacklocal'
neutron_dhcp_delete_namespaces: true
# Comma-separated DNS servers that dnsmasq uses as forwarders.
neutron_dnsmasq_dns_servers: ""
# Upper bound on the number of leases, intended as a denial-of-service guard.
# NOTE(review): 16777216 is 2**24 (the address count of a /8), so this is a
# very loose ceiling; consider a value sized to the largest subnet in use.
neutron_dnsmasq_lease_max: 16777216
# When ``neutron_num_sync_threads`` is left unset, num_sync_threads takes the
# api_workers value calculated in templates/dhcp_agent.ini.j2.
# neutron_num_sync_threads: 4

## RPC
neutron_rpc_backend: 'rabbit'
neutron_rpc_thread_pool_size: 64
neutron_rpc_conn_pool_size: 30
neutron_rpc_response_timeout: 60

## Policy vars
# Access controls listed here are merged into the default policy.json.
# NOTE(review): an override changes who is authorized to call the API, so
# review each rule for the access it grants before deploying. Example:
# neutron_policy_overrides:
#   "create_subnet": "rule:admin_or_network_owner"
#   "get_subnet": "rule:admin_or_owner or rule:shared"

# Distribution packages installed for neutron.
neutron_apt_packages:
  - conntrack
  - dnsmasq-base
  - dnsmasq-utils
  - ipset
  - iputils-arping
  - keepalived
  - libpq-dev
  - ebtables

# Distribution packages removed from the host.
neutron_apt_remove_packages:
  - conntrackd

# Python packages installed for neutron. No versions are pinned in this list.
# NOTE(review): presumably versions are constrained elsewhere (for example by
# the package index the deployment installs from) -- confirm, since unpinned
# installs pick up whatever the index serves.
# NOTE(review): pycrypto is no longer maintained upstream; check whether the
# deployed neutron release can use a maintained replacement.
neutron_pip_packages:
  - configobj
  - cliff
  - keystonemiddleware
  - MySQL-python
  - neutron
  - pycrypto
  - python-glanceclient
  - python-keystoneclient
  - python-memcached
  - python-neutronclient
  - python-novaclient
  - repoze.lru

## Names of the neutron services
neutron_service_names:
  - neutron-agent
  - neutron-dhcp-agent
  - neutron-linuxbridge-agent
  - neutron-l3-agent
  - neutron-metadata-agent
  - neutron-metering-agent
  - neutron-server