openstack/openstack-ansible
Code Issues Proposed changes
Files
f5388b61e4c41c071f3935066b1150f1a6cffe01
openstack-ansible/playbooks/roles/os_neutron/templates/neutron.conf.j2
Jesse Pretorius 4341b79b3a Enable all services to use Keystone 'insecurely' 
This patch introduces an insecure flag for the Keystone internal
 and admin endpoints:

* keystone_service_adminuri_insecure
* keystone_service_internaluri_insecure

Both values default to false. If you have setup SSL endpoints
for Keystone using an untrusted certificate then you should
set the appropriate flag to true in your user_variables.

This patch is used to enable testing and development with
Keystone SSL endpoints without having to make use of SSL
certificates signed by a trusted, public CA.

The patch introduces a new optional argument (insecure) to the
keystone, glance and neutron Ansible libraries. This is a
boolean value which, when true, enables these libraries to
access Keystone endpoints 'insecurely'. When these libraries
are used in plays, the appropriate value is set automatically
as per the above conditions.

Implements: blueprint keystone-federation
Change-Id: Ia07e7e201f901042dd06a86efe5c6f6725e9ce13
2015-07-10 14:06:25 +01:00

144 lines
4.0 KiB
Django/Jinja
Raw Blame History

# {{ ansible_managed }}
{% set _api_threads = ansible_processor_vcpus|default(2) // 2 %}
{% set api_threads = _api_threads if _api_threads > 0 else 1 %}
[DEFAULT]
verbose = {{ verbose }}
debug = {{ debug }}
fatal_deprecations = {{ neutron_fatal_deprecations }}
use_syslog = False
log_file = /var/log/neutron/neutron.log
auth_strategy = keystone
network_device_mtu = {{ neutron_network_device_mtu }}
allow_overlapping_ips = True
vlan_transparent = False
## Drivers
network_scheduler_driver = {{ neutron_driver_network_scheduler }}
router_scheduler_driver = {{ neutron_driver_router_scheduler }}
loadbalancer_pool_scheduler_driver = {{ neutron_driver_loadbalancer_pool_scheduler }}
dhcp_driver = {{ neutron_driver_dhcp }}
notification_driver = {{ neutron_driver_notification }}
## Schedulers
router_distributed = False
network_auto_schedule = True
router_auto_schedule = True
## Agents
agent_down_time = {{ neutron_agent_down_time }}
## API
bind_port = 9696
bind_host = 0.0.0.0
## Workers
api_workers = {{ neutron_api_workers | default(api_threads) }}
rpc_workers = {{ neutron_rpc_workers }}
## Plugins
core_plugin = {{ neutron_plugin_core }}
service_plugins = {{ neutron_plugin_loaded_base }}
## MAC Address
base_mac = fa:16:3e:00:00:00
mac_generation_retries = 16
## DHCP
dhcp_agent_notification = True
dhcp_agents_per_network = {{ groups['neutron_agent'] | length }}
dhcp_delete_namespaces = True
dhcp_lease_duration = 86400
advertise_mtu = False
## Notifications
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
send_events_interval = 2
## Nova
nova_url = {{ nova_service_adminurl|replace('/%(tenant_id)s', '') }}
[nova]
auth_plugin = {{ nova_keystone_auth_plugin }}
auth_url = {{ keystone_service_adminuri }}
region_name = {{ nova_service_region }}
project_domain_id = {{ nova_service_project_domain_id }}
user_domain_id = {{ nova_service_user_domain_id }}
project_name = {{ nova_service_project_name }}
username = {{ nova_service_user_name }}
password = {{ nova_service_password }}
[quotas]
quota_driver = {{ neutron_driver_quota }}
quota_items = network,subnet,port
[agent]
polling_interval = {{ neutron_agent_polling_interval|default(5) }}
report_interval = {{ neutron_report_interval|int }}
root_helper = sudo /usr/local/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
[keystone_authtoken]
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_plugin = {{ neutron_keystone_auth_plugin }}
signing_dir = /var/cache/neutron
auth_url = {{ keystone_service_adminuri }}
auth_uri = {{ keystone_service_internaluri }}
project_domain_id = {{ neutron_service_project_domain_id }}
user_domain_id = {{ neutron_service_user_domain_id }}
project_name = {{ neutron_service_project_name }}
username = {{ neutron_service_user_name }}
password = {{ neutron_service_password }}
memcached_servers = {{ memcached_servers }}
token_cache_time = 300
revocation_cache_time = 60
# if your memcached server is shared, use these settings to avoid cache poisoning
memcache_security_strategy = ENCRYPT
memcache_secret_key = {{ memcached_encryption_key }}
# if your keystone deployment uses PKI, and you value security over performance:
check_revocations_for_cached = False
{% if inventory_hostname in groups['neutron_server'] %}
[database]
connection = mysql://{{ neutron_galera_user }}:{{ neutron_container_mysql_password }}@{{ neutron_galera_address }}/{{ neutron_galera_database }}?charset=utf8
max_overflow = {{ neutron_db_max_overflow }}
max_pool_size = {{ neutron_db_pool_size }}
pool_timeout = {{ neutron_db_pool_timeout }}
{% endif %}
[oslo_messaging_rabbit]
rabbit_port = {{ rabbitmq_port }}
rabbit_userid = {{ rabbitmq_userid }}
rabbit_password = {{ rabbitmq_password }}
rabbit_hosts = {{ rabbitmq_servers }}
[oslo_concurrency]
lock_path = /var/lock/neutron
[service_providers]
service_provider = LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
service_provider = VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
View Git Blame Copy Permalink