702c17eb78
Depends-on: https://review.opendev.org/#/c/741037/ Change-Id: I21f4ede3bd18c0af8da1eba60cd0b7b932a31410
2519 lines
75 KiB
YAML
2519 lines
75 KiB
YAML
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Default values for neutron.
|
|
# This is a YAML-formatted file.
|
|
# Declare name/value pairs to be passed into your templates.
|
|
# name: value
|
|
|
|
---
|
|
release_group: null
|
|
|
|
images:
|
|
tags:
|
|
bootstrap: docker.io/openstackhelm/heat:stein-ubuntu_bionic
|
|
test: docker.io/xrally/xrally-openstack:1.3.0
|
|
purge_test: docker.io/openstackhelm/ospurge:latest
|
|
db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
|
|
neutron_db_sync: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
|
|
db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
|
|
rabbit_init: docker.io/rabbitmq:3.7-management
|
|
ks_user: docker.io/openstackhelm/heat:stein-ubuntu_bionic
|
|
ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
|
|
ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
|
|
neutron_server: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
|
|
neutron_rpc_server: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
|
|
neutron_dhcp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
|
|
neutron_metadata: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
|
|
neutron_l3: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
|
|
neutron_l2gw: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
|
|
neutron_openvswitch_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
|
|
neutron_linuxbridge_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
|
|
neutron_sriov_agent: docker.io/openstackhelm/neutron:stein-18.04-sriov
|
|
neutron_sriov_agent_init: docker.io/openstackhelm/neutron:stein-18.04-sriov
|
|
neutron_bagpipe_bgp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
|
|
neutron_ironic_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
|
|
neutron_netns_cleanup_cron: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
|
|
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
|
|
image_repo_sync: docker.io/docker:17.07.0
|
|
pull_policy: "IfNotPresent"
|
|
local_registry:
|
|
active: false
|
|
exclude:
|
|
- dep_check
|
|
- image_repo_sync
|
|
|
|
labels:
|
|
agent:
|
|
dhcp:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
l3:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
metadata:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
l2gw:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
job:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
lb:
|
|
node_selector_key: linuxbridge
|
|
node_selector_value: enabled
|
|
# openvswitch is a special case, requiring a special
|
|
# label that can apply to both control hosts
|
|
# and compute hosts, until we get more sophisticated
|
|
# with our daemonset scheduling
|
|
ovs:
|
|
node_selector_key: openvswitch
|
|
node_selector_value: enabled
|
|
sriov:
|
|
node_selector_key: sriov
|
|
node_selector_value: enabled
|
|
bagpipe_bgp:
|
|
node_selector_key: openstack-compute-node
|
|
node_selector_value: enabled
|
|
server:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
ironic_agent:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
netns_cleanup_cron:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
test:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
|
|
network:
|
|
# provide what type of network wiring will be used
|
|
backend:
|
|
- openvswitch
|
|
# NOTE(Portdirect): Share network namespaces with the host,
|
|
# allowing agents to be restarted without packet loss and simpler
|
|
# debugging. This feature requires mount propagation support.
|
|
share_namespaces: true
|
|
interface:
|
|
# Tunnel interface will be used for VXLAN tunneling.
|
|
tunnel: null
|
|
# If tunnel is null there is a fallback mechanism to search
|
|
# for interface with routing using tunnel network cidr.
|
|
tunnel_network_cidr: "0/0"
|
|
# To perform setup of network interfaces using the SR-IOV init
|
|
# container you can use a section similar to:
|
|
# sriov:
|
|
# - device: ${DEV}
|
|
# num_vfs: 8
|
|
# mtu: 9214
|
|
# promisc: false
|
|
# qos:
|
|
# - vf_num: 0
|
|
# share: 10
|
|
# queues_per_vf:
|
|
# - num_queues: 16
|
|
# exclude_vf: 0,11,21
|
|
server:
|
|
ingress:
|
|
public: true
|
|
classes:
|
|
namespace: "nginx"
|
|
cluster: "nginx-cluster"
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
|
external_policy_local: false
|
|
node_port:
|
|
enabled: false
|
|
port: 30096
|
|
|
|
bootstrap:
|
|
enabled: false
|
|
ks_user: neutron
|
|
script: |
|
|
openstack token issue
|
|
|
|
dependencies:
|
|
dynamic:
|
|
common:
|
|
local_image_registry:
|
|
jobs:
|
|
- neutron-image-repo-sync
|
|
services:
|
|
- endpoint: node
|
|
service: local_image_registry
|
|
targeted:
|
|
sriov: {}
|
|
l2gateway: {}
|
|
bagpipe_bgp: {}
|
|
openvswitch:
|
|
dhcp:
|
|
pod:
|
|
- requireSameNode: true
|
|
labels:
|
|
application: neutron
|
|
component: neutron-ovs-agent
|
|
l3:
|
|
pod:
|
|
- requireSameNode: true
|
|
labels:
|
|
application: neutron
|
|
component: neutron-ovs-agent
|
|
metadata:
|
|
pod:
|
|
- requireSameNode: true
|
|
labels:
|
|
application: neutron
|
|
component: neutron-ovs-agent
|
|
linuxbridge:
|
|
dhcp:
|
|
pod:
|
|
- requireSameNode: true
|
|
labels:
|
|
application: neutron
|
|
component: neutron-lb-agent
|
|
l3:
|
|
pod:
|
|
- requireSameNode: true
|
|
labels:
|
|
application: neutron
|
|
component: neutron-lb-agent
|
|
metadata:
|
|
pod:
|
|
- requireSameNode: true
|
|
labels:
|
|
application: neutron
|
|
component: neutron-lb-agent
|
|
lb_agent:
|
|
pod: null
|
|
static:
|
|
bootstrap:
|
|
services:
|
|
- endpoint: internal
|
|
service: network
|
|
- endpoint: internal
|
|
service: compute
|
|
db_drop:
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
db_init:
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
db_sync:
|
|
jobs:
|
|
- neutron-db-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
dhcp:
|
|
pod: null
|
|
jobs:
|
|
- neutron-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: network
|
|
- endpoint: internal
|
|
service: compute
|
|
ks_endpoints:
|
|
jobs:
|
|
- neutron-ks-service
|
|
services:
|
|
- endpoint: internal
|
|
service: identity
|
|
ks_service:
|
|
services:
|
|
- endpoint: internal
|
|
service: identity
|
|
ks_user:
|
|
services:
|
|
- endpoint: internal
|
|
service: identity
|
|
rabbit_init:
|
|
services:
|
|
- service: oslo_messaging
|
|
endpoint: internal
|
|
l3:
|
|
pod: null
|
|
jobs:
|
|
- neutron-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: network
|
|
- endpoint: internal
|
|
service: compute
|
|
lb_agent:
|
|
pod: null
|
|
jobs:
|
|
- neutron-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: network
|
|
metadata:
|
|
pod: null
|
|
jobs:
|
|
- neutron-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: network
|
|
- endpoint: internal
|
|
service: compute
|
|
- endpoint: public
|
|
service: compute_metadata
|
|
ovs_agent:
|
|
jobs:
|
|
- neutron-rabbit-init
|
|
pod:
|
|
- requireSameNode: true
|
|
labels:
|
|
application: openvswitch
|
|
component: openvswitch-vswitchd
|
|
- requireSameNode: true
|
|
labels:
|
|
application: openvswitch
|
|
component: openvswitch-vswitchd-db
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: network
|
|
server:
|
|
jobs:
|
|
- neutron-db-sync
|
|
- neutron-ks-user
|
|
- neutron-ks-endpoints
|
|
- neutron-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: oslo_cache
|
|
- endpoint: internal
|
|
service: identity
|
|
ironic_agent:
|
|
jobs:
|
|
- neutron-db-sync
|
|
- neutron-ks-user
|
|
- neutron-ks-endpoints
|
|
- neutron-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: oslo_cache
|
|
- endpoint: internal
|
|
service: identity
|
|
tests:
|
|
services:
|
|
- endpoint: internal
|
|
service: network
|
|
- endpoint: internal
|
|
service: compute
|
|
image_repo_sync:
|
|
services:
|
|
- endpoint: internal
|
|
service: local_image_registry
|
|
|
|
pod:
|
|
use_fqdn:
|
|
neutron_agent: true
|
|
probes:
|
|
rpc_timeout: 60
|
|
rpc_retries: 2
|
|
dhcp_agent:
|
|
dhcp_agent:
|
|
readiness:
|
|
enabled: true
|
|
params:
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 190
|
|
timeoutSeconds: 185
|
|
liveness:
|
|
enabled: true
|
|
params:
|
|
initialDelaySeconds: 120
|
|
periodSeconds: 600
|
|
timeoutSeconds: 580
|
|
l3_agent:
|
|
l3_agent:
|
|
readiness:
|
|
enabled: true
|
|
params:
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 190
|
|
timeoutSeconds: 185
|
|
liveness:
|
|
enabled: true
|
|
params:
|
|
initialDelaySeconds: 120
|
|
periodSeconds: 600
|
|
timeoutSeconds: 580
|
|
lb_agent:
|
|
lb_agent:
|
|
readiness:
|
|
enabled: true
|
|
metadata_agent:
|
|
metadata_agent:
|
|
readiness:
|
|
enabled: true
|
|
params:
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 190
|
|
timeoutSeconds: 185
|
|
liveness:
|
|
enabled: true
|
|
params:
|
|
initialDelaySeconds: 120
|
|
periodSeconds: 600
|
|
timeoutSeconds: 580
|
|
ovs_agent:
|
|
ovs_agent:
|
|
readiness:
|
|
enabled: true
|
|
params:
|
|
liveness:
|
|
enabled: true
|
|
params:
|
|
initialDelaySeconds: 120
|
|
periodSeconds: 600
|
|
timeoutSeconds: 580
|
|
sriov_agent:
|
|
sriov_agent:
|
|
readiness:
|
|
enabled: true
|
|
params:
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 190
|
|
timeoutSeconds: 185
|
|
bagpipe_bgp:
|
|
bagpipe_bgp:
|
|
readiness:
|
|
enabled: true
|
|
params:
|
|
liveness:
|
|
enabled: true
|
|
params:
|
|
initialDelaySeconds: 60
|
|
l2gw_agent:
|
|
l2gw_agent:
|
|
readiness:
|
|
enabled: true
|
|
params:
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 15
|
|
timeoutSeconds: 65
|
|
liveness:
|
|
enabled: true
|
|
params:
|
|
initialDelaySeconds: 120
|
|
periodSeconds: 90
|
|
timeoutSeconds: 70
|
|
server:
|
|
server:
|
|
readiness:
|
|
enabled: true
|
|
params:
|
|
liveness:
|
|
enabled: true
|
|
params:
|
|
initialDelaySeconds: 60
|
|
security_context:
|
|
neutron_dhcp_agent:
|
|
pod:
|
|
runAsUser: 42424
|
|
container:
|
|
neutron_dhcp_agent:
|
|
readOnlyRootFilesystem: true
|
|
privileged: true
|
|
neutron_l2gw_agent:
|
|
pod:
|
|
runAsUser: 42424
|
|
container:
|
|
neutron_l2gw_agent:
|
|
readOnlyRootFilesystem: true
|
|
privileged: true
|
|
neutron_bagpipe_bgp:
|
|
pod:
|
|
runAsUser: 42424
|
|
container:
|
|
neutron_bagpipe_bgp:
|
|
readOnlyRootFilesystem: true
|
|
privileged: true
|
|
neutron_l3_agent:
|
|
pod:
|
|
runAsUser: 42424
|
|
container:
|
|
neutron_l3_agent:
|
|
readOnlyRootFilesystem: true
|
|
privileged: true
|
|
neutron_lb_agent:
|
|
pod:
|
|
runAsUser: 42424
|
|
container:
|
|
neutron_lb_agent_kernel_modules:
|
|
capabilities:
|
|
add:
|
|
- SYS_MODULE
|
|
- SYS_CHROOT
|
|
runAsUser: 0
|
|
readOnlyRootFilesystem: true
|
|
neutron_lb_agent_init:
|
|
privileged: true
|
|
runAsUser: 0
|
|
readOnlyRootFilesystem: true
|
|
neutron_lb_agent:
|
|
readOnlyRootFilesystem: true
|
|
privileged: true
|
|
neutron_metadata_agent:
|
|
pod:
|
|
runAsUser: 42424
|
|
container:
|
|
neutron_metadata_agent_init:
|
|
runAsUser: 0
|
|
readOnlyRootFilesystem: true
|
|
neutron_ovs_agent:
|
|
pod:
|
|
runAsUser: 42424
|
|
container:
|
|
neutron_openvswitch_agent_kernel_modules:
|
|
capabilities:
|
|
add:
|
|
- SYS_MODULE
|
|
- SYS_CHROOT
|
|
runAsUser: 0
|
|
readOnlyRootFilesystem: true
|
|
neutron_ovs_agent_init:
|
|
privileged: true
|
|
runAsUser: 0
|
|
readOnlyRootFilesystem: true
|
|
neutron_ovs_agent:
|
|
readOnlyRootFilesystem: true
|
|
privileged: true
|
|
neutron_server:
|
|
pod:
|
|
runAsUser: 42424
|
|
container:
|
|
neutron_server:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
neutron_sriov_agent:
|
|
pod:
|
|
runAsUser: 42424
|
|
container:
|
|
neutron_sriov_agent_init:
|
|
privileged: true
|
|
runAsUser: 0
|
|
readOnlyRootFilesystem: false
|
|
neutron_sriov_agent:
|
|
readOnlyRootFilesystem: true
|
|
privileged: true
|
|
neutron_ironic_agent:
|
|
pod:
|
|
runAsUser: 42424
|
|
neutron_netns_cleanup_cron:
|
|
pod:
|
|
runAsUser: 42424
|
|
container:
|
|
neutron_netns_cleanup_cron:
|
|
readOnlyRootFilesystem: true
|
|
privileged: true
|
|
affinity:
|
|
anti:
|
|
type:
|
|
default: preferredDuringSchedulingIgnoredDuringExecution
|
|
topologyKey:
|
|
default: kubernetes.io/hostname
|
|
weight:
|
|
default: 10
|
|
mounts:
|
|
neutron_server:
|
|
init_container: null
|
|
neutron_server:
|
|
volumeMounts:
|
|
volumes:
|
|
neutron_dhcp_agent:
|
|
init_container: null
|
|
neutron_dhcp_agent:
|
|
volumeMounts:
|
|
volumes:
|
|
neutron_l3_agent:
|
|
init_container: null
|
|
neutron_l3_agent:
|
|
volumeMounts:
|
|
volumes:
|
|
neutron_lb_agent:
|
|
init_container: null
|
|
neutron_lb_agent:
|
|
volumeMounts:
|
|
volumes:
|
|
neutron_metadata_agent:
|
|
init_container: null
|
|
neutron_metadata_agent:
|
|
volumeMounts:
|
|
volumes:
|
|
neutron_ovs_agent:
|
|
init_container: null
|
|
neutron_ovs_agent:
|
|
volumeMounts:
|
|
volumes:
|
|
neutron_sriov_agent:
|
|
init_container: null
|
|
neutron_sriov_agent:
|
|
volumeMounts:
|
|
volumes:
|
|
neutron_l2gw_agent:
|
|
init_container: null
|
|
neutron_l2gw_agent:
|
|
volumeMounts:
|
|
volumes:
|
|
bagpipe_bgp:
|
|
init_container: null
|
|
bagpipe_bgp:
|
|
volumeMounts:
|
|
volumes:
|
|
neutron_ironic_agent:
|
|
init_container: null
|
|
neutron_ironic_agent:
|
|
volumeMounts:
|
|
volumes:
|
|
neutron_netns_cleanup_cron:
|
|
init_container: null
|
|
neutron_netns_cleanup_cron:
|
|
volumeMounts:
|
|
volumes:
|
|
neutron_tests:
|
|
init_container: null
|
|
neutron_tests:
|
|
volumeMounts:
|
|
volumes:
|
|
neutron_bootstrap:
|
|
init_container: null
|
|
neutron_bootstrap:
|
|
volumeMounts:
|
|
volumes:
|
|
neutron_db_sync:
|
|
neutron_db_sync:
|
|
volumeMounts:
|
|
- name: db-sync-conf
|
|
mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
|
|
subPath: ml2_conf.ini
|
|
readOnly: true
|
|
volumes:
|
|
replicas:
|
|
server: 1
|
|
ironic_agent: 1
|
|
lifecycle:
|
|
upgrades:
|
|
deployments:
|
|
revision_history: 3
|
|
pod_replacement_strategy: RollingUpdate
|
|
rolling_update:
|
|
max_unavailable: 1
|
|
max_surge: 3
|
|
daemonsets:
|
|
pod_replacement_strategy: RollingUpdate
|
|
dhcp_agent:
|
|
enabled: true
|
|
min_ready_seconds: 0
|
|
max_unavailable: 1
|
|
l3_agent:
|
|
enabled: true
|
|
min_ready_seconds: 0
|
|
max_unavailable: 1
|
|
lb_agent:
|
|
enabled: true
|
|
min_ready_seconds: 0
|
|
max_unavailable: 1
|
|
metadata_agent:
|
|
enabled: true
|
|
min_ready_seconds: 0
|
|
max_unavailable: 1
|
|
ovs_agent:
|
|
enabled: true
|
|
min_ready_seconds: 0
|
|
max_unavailable: 1
|
|
sriov_agent:
|
|
enabled: true
|
|
min_ready_seconds: 0
|
|
max_unavailable: 1
|
|
netns_cleanup_cron:
|
|
enabled: true
|
|
min_ready_seconds: 0
|
|
max_unavailable: 1
|
|
disruption_budget:
|
|
server:
|
|
min_available: 0
|
|
termination_grace_period:
|
|
server:
|
|
timeout: 30
|
|
ironic_agent:
|
|
timeout: 30
|
|
resources:
|
|
enabled: false
|
|
agent:
|
|
dhcp:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
l3:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
lb:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
metadata:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ovs:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
sriov:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
l2gw:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
bagpipe_bgp:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
server:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ironic_agent:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
netns_cleanup_cron:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
jobs:
|
|
bootstrap:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_init:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
rabbit_init:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_sync:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_drop:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ks_endpoints:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ks_service:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ks_user:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
tests:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
image_repo_sync:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
|
|
conf:
|
|
rally_tests:
|
|
force_project_purge: false
|
|
run_tempest: false
|
|
clean_up: |
|
|
# NOTE: We will make the best effort to clean up rally generated networks and routers,
|
|
# but should not block further automated deployment.
|
|
set +e
|
|
PATTERN="^[sc]_rally_"
|
|
|
|
ROUTERS=$(openstack router list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')
|
|
NETWORKS=$(openstack network list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')
|
|
|
|
for ROUTER in $ROUTERS
|
|
do
|
|
openstack router unset --external-gateway $ROUTER
|
|
openstack router set --disable --no-ha $ROUTER
|
|
|
|
SUBNS=$(openstack router show $ROUTER -c interfaces_info --format=value | jq .[].subnet_id | tr -d '\r\"')
|
|
for SUBN in $SUBNS
|
|
do
|
|
openstack router remove subnet $ROUTER $SUBN
|
|
done
|
|
|
|
for PORT in $(openstack port list --router $ROUTER --format=value -c ID | tr -d '\r')
|
|
do
|
|
openstack router remove port $ROUTER $PORT
|
|
done
|
|
|
|
openstack router delete $ROUTER
|
|
done
|
|
|
|
for NETWORK in $NETWORKS
|
|
do
|
|
for PORT in $(openstack port list --network $NETWORK --format=value -c ID | tr -d '\r')
|
|
do
|
|
openstack port delete $PORT
|
|
done
|
|
openstack network delete $NETWORK
|
|
done
|
|
set -e
|
|
tests:
|
|
NeutronNetworks.create_and_delete_networks:
|
|
- args:
|
|
network_create_args: {}
|
|
context:
|
|
quotas:
|
|
neutron:
|
|
network: -1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NeutronNetworks.create_and_delete_ports:
|
|
- args:
|
|
network_create_args: {}
|
|
port_create_args: {}
|
|
ports_per_network: 10
|
|
context:
|
|
network: {}
|
|
quotas:
|
|
neutron:
|
|
network: -1
|
|
port: -1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NeutronNetworks.create_and_delete_routers:
|
|
- args:
|
|
network_create_args: {}
|
|
router_create_args: {}
|
|
subnet_cidr_start: 1.1.0.0/30
|
|
subnet_create_args: {}
|
|
subnets_per_network: 2
|
|
context:
|
|
network: {}
|
|
quotas:
|
|
neutron:
|
|
network: -1
|
|
router: -1
|
|
subnet: -1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NeutronNetworks.create_and_delete_subnets:
|
|
- args:
|
|
network_create_args: {}
|
|
subnet_cidr_start: 1.1.0.0/30
|
|
subnet_create_args: {}
|
|
subnets_per_network: 2
|
|
context:
|
|
network: {}
|
|
quotas:
|
|
neutron:
|
|
network: -1
|
|
subnet: -1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NeutronNetworks.create_and_list_routers:
|
|
- args:
|
|
network_create_args: {}
|
|
router_create_args: {}
|
|
subnet_cidr_start: 1.1.0.0/30
|
|
subnet_create_args: {}
|
|
subnets_per_network: 2
|
|
context:
|
|
network: {}
|
|
quotas:
|
|
neutron:
|
|
network: -1
|
|
router: -1
|
|
subnet: -1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NeutronNetworks.create_and_list_subnets:
|
|
- args:
|
|
network_create_args: {}
|
|
subnet_cidr_start: 1.1.0.0/30
|
|
subnet_create_args: {}
|
|
subnets_per_network: 2
|
|
context:
|
|
network: {}
|
|
quotas:
|
|
neutron:
|
|
network: -1
|
|
subnet: -1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NeutronNetworks.create_and_show_network:
|
|
- args:
|
|
network_create_args: {}
|
|
context:
|
|
quotas:
|
|
neutron:
|
|
network: -1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NeutronNetworks.create_and_update_networks:
|
|
- args:
|
|
network_create_args: {}
|
|
network_update_args:
|
|
admin_state_up: false
|
|
name: _updated
|
|
context:
|
|
quotas:
|
|
neutron:
|
|
network: -1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NeutronNetworks.create_and_update_ports:
|
|
- args:
|
|
network_create_args: {}
|
|
port_create_args: {}
|
|
port_update_args:
|
|
admin_state_up: false
|
|
device_id: dummy_id
|
|
device_owner: dummy_owner
|
|
name: _port_updated
|
|
ports_per_network: 5
|
|
context:
|
|
network: {}
|
|
quotas:
|
|
neutron:
|
|
network: -1
|
|
port: -1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NeutronNetworks.create_and_update_routers:
|
|
- args:
|
|
network_create_args: {}
|
|
router_create_args: {}
|
|
router_update_args:
|
|
admin_state_up: false
|
|
name: _router_updated
|
|
subnet_cidr_start: 1.1.0.0/30
|
|
subnet_create_args: {}
|
|
subnets_per_network: 2
|
|
context:
|
|
network: {}
|
|
quotas:
|
|
neutron:
|
|
network: -1
|
|
router: -1
|
|
subnet: -1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NeutronNetworks.create_and_update_subnets:
|
|
- args:
|
|
network_create_args: {}
|
|
subnet_cidr_start: 1.4.0.0/16
|
|
subnet_create_args: {}
|
|
subnet_update_args:
|
|
enable_dhcp: false
|
|
name: _subnet_updated
|
|
subnets_per_network: 2
|
|
context:
|
|
network: {}
|
|
quotas:
|
|
neutron:
|
|
network: -1
|
|
subnet: -1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NeutronNetworks.list_agents:
|
|
- args:
|
|
agent_args: {}
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NeutronSecurityGroup.create_and_list_security_groups:
|
|
- args:
|
|
security_group_create_args: {}
|
|
context:
|
|
quotas:
|
|
neutron:
|
|
security_group: -1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NeutronSecurityGroup.create_and_update_security_groups:
|
|
- args:
|
|
security_group_create_args: {}
|
|
security_group_update_args: {}
|
|
context:
|
|
quotas:
|
|
neutron:
|
|
security_group: -1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
paste:
|
|
composite:neutron:
|
|
use: egg:Paste#urlmap
|
|
/: neutronversions_composite
|
|
/v2.0: neutronapi_v2_0
|
|
composite:neutronapi_v2_0:
|
|
use: call:neutron.auth:pipeline_factory
|
|
noauth: cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
|
|
keystone: cors http_proxy_to_wsgi request_id catch_errors authtoken audit keystonecontext extensions neutronapiapp_v2_0
|
|
composite:neutronversions_composite:
|
|
use: call:neutron.auth:pipeline_factory
|
|
noauth: cors http_proxy_to_wsgi neutronversions
|
|
keystone: cors http_proxy_to_wsgi neutronversions
|
|
filter:request_id:
|
|
paste.filter_factory: oslo_middleware:RequestId.factory
|
|
filter:catch_errors:
|
|
paste.filter_factory: oslo_middleware:CatchErrors.factory
|
|
filter:cors:
|
|
paste.filter_factory: oslo_middleware.cors:filter_factory
|
|
oslo_config_project: neutron
|
|
filter:http_proxy_to_wsgi:
|
|
paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
|
|
filter:keystonecontext:
|
|
paste.filter_factory: neutron.auth:NeutronKeystoneContext.factory
|
|
filter:authtoken:
|
|
paste.filter_factory: keystonemiddleware.auth_token:filter_factory
|
|
filter:audit:
|
|
paste.filter_factory: keystonemiddleware.audit:filter_factory
|
|
audit_map_file: /etc/neutron/api_audit_map.conf
|
|
filter:extensions:
|
|
paste.filter_factory: neutron.api.extensions:plugin_aware_extension_middleware_factory
|
|
app:neutronversions:
|
|
paste.app_factory: neutron.pecan_wsgi.app:versions_factory
|
|
app:neutronapiapp_v2_0:
|
|
paste.app_factory: neutron.api.v2.router:APIRouter.factory
|
|
filter:osprofiler:
|
|
paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
|
|
policy:
|
|
context_is_admin: role:admin
|
|
owner: tenant_id:%(tenant_id)s
|
|
admin_or_owner: rule:context_is_admin or rule:owner
|
|
context_is_advsvc: role:advsvc
|
|
admin_or_network_owner: rule:context_is_admin or tenant_id:%(network:tenant_id)s
|
|
admin_owner_or_network_owner: rule:owner or rule:admin_or_network_owner
|
|
admin_only: rule:context_is_admin
|
|
regular_user: ''
|
|
shared: field:networks:shared=True
|
|
shared_subnetpools: field:subnetpools:shared=True
|
|
shared_address_scopes: field:address_scopes:shared=True
|
|
external: field:networks:router:external=True
|
|
default: rule:admin_or_owner
|
|
create_subnet: rule:admin_or_network_owner
|
|
create_subnet:segment_id: rule:admin_only
|
|
create_subnet:service_types: rule:admin_only
|
|
get_subnet: rule:admin_or_owner or rule:shared
|
|
get_subnet:segment_id: rule:admin_only
|
|
update_subnet: rule:admin_or_network_owner
|
|
update_subnet:service_types: rule:admin_only
|
|
delete_subnet: rule:admin_or_network_owner
|
|
create_subnetpool: ''
|
|
create_subnetpool:shared: rule:admin_only
|
|
create_subnetpool:is_default: rule:admin_only
|
|
get_subnetpool: rule:admin_or_owner or rule:shared_subnetpools
|
|
update_subnetpool: rule:admin_or_owner
|
|
update_subnetpool:is_default: rule:admin_only
|
|
delete_subnetpool: rule:admin_or_owner
|
|
create_address_scope: ''
|
|
create_address_scope:shared: rule:admin_only
|
|
get_address_scope: rule:admin_or_owner or rule:shared_address_scopes
|
|
update_address_scope: rule:admin_or_owner
|
|
update_address_scope:shared: rule:admin_only
|
|
delete_address_scope: rule:admin_or_owner
|
|
create_network: ''
|
|
get_network: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc
|
|
get_network:router:external: rule:regular_user
|
|
get_network:segments: rule:admin_only
|
|
get_network:provider:network_type: rule:admin_only
|
|
get_network:provider:physical_network: rule:admin_only
|
|
get_network:provider:segmentation_id: rule:admin_only
|
|
get_network:queue_id: rule:admin_only
|
|
get_network_ip_availabilities: rule:admin_only
|
|
get_network_ip_availability: rule:admin_only
|
|
create_network:shared: rule:admin_only
|
|
create_network:router:external: rule:admin_only
|
|
create_network:is_default: rule:admin_only
|
|
create_network:segments: rule:admin_only
|
|
create_network:provider:network_type: rule:admin_only
|
|
create_network:provider:physical_network: rule:admin_only
|
|
create_network:provider:segmentation_id: rule:admin_only
|
|
update_network: rule:admin_or_owner
|
|
update_network:segments: rule:admin_only
|
|
update_network:shared: rule:admin_only
|
|
update_network:provider:network_type: rule:admin_only
|
|
update_network:provider:physical_network: rule:admin_only
|
|
update_network:provider:segmentation_id: rule:admin_only
|
|
update_network:router:external: rule:admin_only
|
|
delete_network: rule:admin_or_owner
|
|
create_segment: rule:admin_only
|
|
get_segment: rule:admin_only
|
|
update_segment: rule:admin_only
|
|
delete_segment: rule:admin_only
|
|
network_device: 'field:port:device_owner=~^network:'
|
|
create_port: ''
|
|
create_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
|
|
create_port:mac_address: rule:context_is_advsvc or rule:admin_or_network_owner
|
|
create_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
|
|
create_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
|
|
create_port:binding:host_id: rule:admin_only
|
|
create_port:binding:profile: rule:admin_only
|
|
create_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
|
|
create_port:allowed_address_pairs: rule:admin_or_network_owner
|
|
get_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
|
|
get_port:queue_id: rule:admin_only
|
|
get_port:binding:vif_type: rule:admin_only
|
|
get_port:binding:vif_details: rule:admin_only
|
|
get_port:binding:host_id: rule:admin_only
|
|
get_port:binding:profile: rule:admin_only
|
|
update_port: rule:admin_or_owner or rule:context_is_advsvc
|
|
update_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
|
|
update_port:mac_address: rule:admin_only or rule:context_is_advsvc
|
|
update_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
|
|
update_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
|
|
update_port:binding:host_id: rule:admin_only
|
|
update_port:binding:profile: rule:admin_only
|
|
update_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
|
|
update_port:allowed_address_pairs: rule:admin_or_network_owner
|
|
delete_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
|
|
get_router:ha: rule:admin_only
|
|
create_router: rule:regular_user
|
|
create_router:external_gateway_info:enable_snat: rule:admin_only
|
|
create_router:distributed: rule:admin_only
|
|
create_router:ha: rule:admin_only
|
|
get_router: rule:admin_or_owner
|
|
get_router:distributed: rule:admin_only
|
|
update_router:external_gateway_info:enable_snat: rule:admin_only
|
|
update_router:distributed: rule:admin_only
|
|
update_router:ha: rule:admin_only
|
|
delete_router: rule:admin_or_owner
|
|
add_router_interface: rule:admin_or_owner
|
|
remove_router_interface: rule:admin_or_owner
|
|
create_router:external_gateway_info:external_fixed_ips: rule:admin_only
|
|
update_router:external_gateway_info:external_fixed_ips: rule:admin_only
|
|
insert_rule: rule:admin_or_owner
|
|
remove_rule: rule:admin_or_owner
|
|
create_qos_queue: rule:admin_only
|
|
get_qos_queue: rule:admin_only
|
|
update_agent: rule:admin_only
|
|
delete_agent: rule:admin_only
|
|
get_agent: rule:admin_only
|
|
create_dhcp-network: rule:admin_only
|
|
delete_dhcp-network: rule:admin_only
|
|
get_dhcp-networks: rule:admin_only
|
|
create_l3-router: rule:admin_only
|
|
delete_l3-router: rule:admin_only
|
|
get_l3-routers: rule:admin_only
|
|
get_dhcp-agents: rule:admin_only
|
|
get_l3-agents: rule:admin_only
|
|
get_loadbalancer-agent: rule:admin_only
|
|
get_loadbalancer-pools: rule:admin_only
|
|
get_agent-loadbalancers: rule:admin_only
|
|
get_loadbalancer-hosting-agent: rule:admin_only
|
|
create_floatingip: rule:regular_user
|
|
create_floatingip:floating_ip_address: rule:admin_only
|
|
update_floatingip: rule:admin_or_owner
|
|
delete_floatingip: rule:admin_or_owner
|
|
get_floatingip: rule:admin_or_owner
|
|
create_network_profile: rule:admin_only
|
|
update_network_profile: rule:admin_only
|
|
delete_network_profile: rule:admin_only
|
|
get_network_profiles: ''
|
|
get_network_profile: ''
|
|
update_policy_profiles: rule:admin_only
|
|
get_policy_profiles: ''
|
|
get_policy_profile: ''
|
|
create_metering_label: rule:admin_only
|
|
delete_metering_label: rule:admin_only
|
|
get_metering_label: rule:admin_only
|
|
create_metering_label_rule: rule:admin_only
|
|
delete_metering_label_rule: rule:admin_only
|
|
get_metering_label_rule: rule:admin_only
|
|
get_service_provider: rule:regular_user
|
|
get_lsn: rule:admin_only
|
|
create_lsn: rule:admin_only
|
|
create_flavor: rule:admin_only
|
|
update_flavor: rule:admin_only
|
|
delete_flavor: rule:admin_only
|
|
get_flavors: rule:regular_user
|
|
get_flavor: rule:regular_user
|
|
create_service_profile: rule:admin_only
|
|
update_service_profile: rule:admin_only
|
|
delete_service_profile: rule:admin_only
|
|
get_service_profiles: rule:admin_only
|
|
get_service_profile: rule:admin_only
|
|
get_policy: rule:regular_user
|
|
create_policy: rule:admin_only
|
|
update_policy: rule:admin_only
|
|
delete_policy: rule:admin_only
|
|
get_policy_bandwidth_limit_rule: rule:regular_user
|
|
create_policy_bandwidth_limit_rule: rule:admin_only
|
|
delete_policy_bandwidth_limit_rule: rule:admin_only
|
|
update_policy_bandwidth_limit_rule: rule:admin_only
|
|
get_policy_dscp_marking_rule: rule:regular_user
|
|
create_policy_dscp_marking_rule: rule:admin_only
|
|
delete_policy_dscp_marking_rule: rule:admin_only
|
|
update_policy_dscp_marking_rule: rule:admin_only
|
|
get_rule_type: rule:regular_user
|
|
get_policy_minimum_bandwidth_rule: rule:regular_user
|
|
create_policy_minimum_bandwidth_rule: rule:admin_only
|
|
delete_policy_minimum_bandwidth_rule: rule:admin_only
|
|
update_policy_minimum_bandwidth_rule: rule:admin_only
|
|
restrict_wildcard: "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
|
|
create_rbac_policy: ''
|
|
create_rbac_policy:target_tenant: rule:restrict_wildcard
|
|
update_rbac_policy: rule:admin_or_owner
|
|
update_rbac_policy:target_tenant: rule:restrict_wildcard and rule:admin_or_owner
|
|
get_rbac_policy: rule:admin_or_owner
|
|
delete_rbac_policy: rule:admin_or_owner
|
|
create_flavor_service_profile: rule:admin_only
|
|
delete_flavor_service_profile: rule:admin_only
|
|
get_flavor_service_profile: rule:regular_user
|
|
get_auto_allocated_topology: rule:admin_or_owner
|
|
create_trunk: rule:regular_user
|
|
get_trunk: rule:admin_or_owner
|
|
delete_trunk: rule:admin_or_owner
|
|
get_subports: ''
|
|
add_subports: rule:admin_or_owner
|
|
remove_subports: rule:admin_or_owner
|
|
api_audit_map:
|
|
DEFAULT:
|
|
target_endpoint_type: None
|
|
custom_actions:
|
|
add_router_interface: update/add
|
|
remove_router_interface: update/remove
|
|
path_keywords:
|
|
floatingips: ip
|
|
healthmonitors: healthmonitor
|
|
health_monitors: health_monitor
|
|
lb: None
|
|
members: member
|
|
metering-labels: label
|
|
metering-label-rules: rule
|
|
networks: network
|
|
pools: pool
|
|
ports: port
|
|
routers: router
|
|
quotas: quota
|
|
security-groups: security-group
|
|
security-group-rules: rule
|
|
subnets: subnet
|
|
vips: vip
|
|
service_endpoints:
|
|
network: service/network
|
|
neutron_sudoers: |
|
|
# This sudoers file supports rootwrap for both Kolla and LOCI Images.
|
|
Defaults !requiretty
|
|
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
|
|
neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
|
|
rootwrap: |
|
|
# Configuration for neutron-rootwrap
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
[DEFAULT]
|
|
# List of directories to load filter definitions from (separated by ',').
|
|
# These directories MUST all be only writeable by root !
|
|
filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap,/var/lib/openstack/etc/neutron/rootwrap.d
|
|
|
|
# List of directories to search executables in, in case filters do not
|
|
# explicitely specify a full path (separated by ',')
|
|
# If not specified, defaults to system PATH environment variable.
|
|
# These directories MUST all be only writeable by root !
|
|
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
|
|
|
|
# Enable logging to syslog
|
|
# Default value is False
|
|
use_syslog=False
|
|
|
|
# Which syslog facility to use.
|
|
# Valid values include auth, authpriv, syslog, local0, local1...
|
|
# Default value is 'syslog'
|
|
syslog_log_facility=syslog
|
|
|
|
# Which messages to log.
|
|
# INFO means log all usage
|
|
# ERROR means only log unsuccessful attempts
|
|
syslog_log_level=ERROR
|
|
|
|
[xenapi]
|
|
# XenAPI configuration is only required by the L2 agent if it is to
|
|
# target a XenServer/XCP compute host's dom0.
|
|
xenapi_connection_url=<None>
|
|
xenapi_connection_username=root
|
|
xenapi_connection_password=<None>
|
|
rootwrap_filters:
|
|
debug:
|
|
pods:
|
|
- dhcp_agent
|
|
- l3_agent
|
|
- lb_agent
|
|
- metadata_agent
|
|
- ovs_agent
|
|
- sriov_agent
|
|
content: |
|
|
# neutron-rootwrap command filters for nodes on which neutron is
|
|
# expected to control network
|
|
#
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
# format seems to be
|
|
# cmd-name: filter-name, raw-command, user, args
|
|
|
|
[Filters]
|
|
|
|
# This is needed because we should ping
|
|
# from inside a namespace which requires root
|
|
# _alt variants allow to match -c and -w in any order
|
|
# (used by NeutronDebugAgent.ping_all)
|
|
ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
|
|
ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
|
|
ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
|
|
ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
|
|
dibbler:
|
|
pods:
|
|
- dhcp_agent
|
|
- l3_agent
|
|
- lb_agent
|
|
- metadata_agent
|
|
- ovs_agent
|
|
- sriov_agent
|
|
content: |
|
|
# neutron-rootwrap command filters for nodes on which neutron is
|
|
# expected to control network
|
|
#
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
# format seems to be
|
|
# cmd-name: filter-name, raw-command, user, args
|
|
|
|
[Filters]
|
|
|
|
# Filters for the dibbler-based reference implementation of the pluggable
|
|
# Prefix Delegation driver. Other implementations using an alternative agent
|
|
# should include a similar filter in this folder.
|
|
|
|
# prefix_delegation_agent
|
|
dibbler-client: CommandFilter, dibbler-client, root
|
|
ipset_firewall:
|
|
pods:
|
|
- dhcp_agent
|
|
- l3_agent
|
|
- lb_agent
|
|
- metadata_agent
|
|
- ovs_agent
|
|
- sriov_agent
|
|
content: |
|
|
# neutron-rootwrap command filters for nodes on which neutron is
|
|
# expected to control network
|
|
#
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
# format seems to be
|
|
# cmd-name: filter-name, raw-command, user, args
|
|
|
|
[Filters]
|
|
# neutron/agent/linux/iptables_firewall.py
|
|
# "ipset", "-A", ...
|
|
ipset: CommandFilter, ipset, root
|
|
l3:
|
|
pods:
|
|
- dhcp_agent
|
|
- l3_agent
|
|
- lb_agent
|
|
- metadata_agent
|
|
- ovs_agent
|
|
- sriov_agent
|
|
content: |
|
|
# neutron-rootwrap command filters for nodes on which neutron is
|
|
# expected to control network
|
|
#
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
# format seems to be
|
|
# cmd-name: filter-name, raw-command, user, args
|
|
|
|
[Filters]
|
|
|
|
# arping
|
|
arping: CommandFilter, arping, root
|
|
|
|
# l3_agent
|
|
sysctl: CommandFilter, sysctl, root
|
|
route: CommandFilter, route, root
|
|
radvd: CommandFilter, radvd, root
|
|
|
|
# haproxy
|
|
haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
|
|
kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP
|
|
|
|
# metadata proxy
|
|
metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
|
|
# RHEL invocation of the metadata proxy will report /usr/bin/python
|
|
kill_metadata: KillFilter, root, python, -15, -9
|
|
kill_metadata2: KillFilter, root, python2, -15, -9
|
|
kill_metadata7: KillFilter, root, python2.7, -15, -9
|
|
kill_metadata3: KillFilter, root, python3, -15, -9
|
|
kill_metadata35: KillFilter, root, python3.5, -15, -9
|
|
kill_metadata36: KillFilter, root, python3.6, -15, -9
|
|
kill_metadata37: KillFilter, root, python3.7, -15, -9
|
|
kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
|
|
kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
|
|
|
|
# ip_lib
|
|
ip: IpFilter, ip, root
|
|
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
|
|
ip_exec: IpNetnsExecFilter, ip, root
|
|
|
|
# l3_tc_lib
|
|
l3_tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
|
|
l3_tc_add_qdisc_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress
|
|
l3_tc_add_qdisc_egress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, root, handle, 1:, htb
|
|
l3_tc_show_filters: RegExpFilter, tc, root, tc, -p, -s, -d, filter, show, dev, .+, parent, .+, prio, 1
|
|
l3_tc_delete_filters: RegExpFilter, tc, root, tc, filter, del, dev, .+, parent, .+, prio, 1, handle, .+, u32
|
|
l3_tc_add_filter_ingress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, dst, .+, police, rate, .+, burst, .+, drop, flowid, :1
|
|
l3_tc_add_filter_egress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, src, .+, police, rate, .+, burst, .+, drop, flowid, :1
|
|
|
|
# For ip monitor
|
|
kill_ip_monitor: KillFilter, root, ip, -9
|
|
|
|
# ovs_lib (if OVSInterfaceDriver is used)
|
|
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
|
|
|
# iptables_manager
|
|
iptables-save: CommandFilter, iptables-save, root
|
|
iptables-restore: CommandFilter, iptables-restore, root
|
|
ip6tables-save: CommandFilter, ip6tables-save, root
|
|
ip6tables-restore: CommandFilter, ip6tables-restore, root
|
|
|
|
# Keepalived
|
|
keepalived: CommandFilter, keepalived, root
|
|
kill_keepalived: KillFilter, root, keepalived, -HUP, -15, -9
|
|
|
|
# l3 agent to delete floatingip's conntrack state
|
|
conntrack: CommandFilter, conntrack, root
|
|
|
|
# keepalived state change monitor
|
|
keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
|
|
# The following filters are used to kill the keepalived state change monitor.
|
|
# Since the monitor runs as a Python script, the system reports that the
|
|
# command of the process to be killed is python.
|
|
# TODO(mlavalle) These kill filters will be updated once we come up with a
|
|
# mechanism to kill using the name of the script being executed by Python
|
|
kill_keepalived_monitor_py: KillFilter, root, python, -15
|
|
kill_keepalived_monitor_py27: KillFilter, root, python2.7, -15
|
|
kill_keepalived_monitor_py3: KillFilter, root, python3, -15
|
|
kill_keepalived_monitor_py35: KillFilter, root, python3.5, -15
|
|
kill_keepalived_monitor_py36: KillFilter, root, python3.6, -15
|
|
kill_keepalived_monitor_py37: KillFilter, root, python3.7, -15
|
|
netns_cleanup:
|
|
pods:
|
|
- dhcp_agent
|
|
- l3_agent
|
|
- lb_agent
|
|
- metadata_agent
|
|
- ovs_agent
|
|
- sriov_agent
|
|
- netns_cleanup_cron
|
|
content: |
|
|
# neutron-rootwrap command filters for nodes on which neutron is
|
|
# expected to control network
|
|
#
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
# format seems to be
|
|
# cmd-name: filter-name, raw-command, user, args
|
|
|
|
[Filters]
|
|
|
|
# netns-cleanup
|
|
netstat: CommandFilter, netstat, root
|
|
dhcp:
|
|
pods:
|
|
- dhcp_agent
|
|
- l3_agent
|
|
- lb_agent
|
|
- metadata_agent
|
|
- ovs_agent
|
|
- sriov_agent
|
|
- netns_cleanup_cron
|
|
content: |
|
|
# neutron-rootwrap command filters for nodes on which neutron is
|
|
# expected to control network
|
|
#
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
# format seems to be
|
|
# cmd-name: filter-name, raw-command, user, args
|
|
|
|
[Filters]
|
|
|
|
# dhcp-agent
|
|
dnsmasq: CommandFilter, dnsmasq, root
|
|
# dhcp-agent uses kill as well, that's handled by the generic KillFilter
|
|
# it looks like these are the only signals needed, per
|
|
# neutron/agent/linux/dhcp.py
|
|
kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
|
|
kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
|
|
|
|
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
|
ivs-ctl: CommandFilter, ivs-ctl, root
|
|
mm-ctl: CommandFilter, mm-ctl, root
|
|
dhcp_release: CommandFilter, dhcp_release, root
|
|
dhcp_release6: CommandFilter, dhcp_release6, root
|
|
|
|
# metadata proxy
|
|
metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
|
|
# RHEL invocation of the metadata proxy will report /usr/bin/python
|
|
kill_metadata: KillFilter, root, python, -9
|
|
kill_metadata2: KillFilter, root, python2, -9
|
|
kill_metadata7: KillFilter, root, python2.7, -9
|
|
kill_metadata3: KillFilter, root, python3, -9
|
|
kill_metadata35: KillFilter, root, python3.5, -9
|
|
kill_metadata36: KillFilter, root, python3.6, -9
|
|
kill_metadata37: KillFilter, root, python3.7, -9
|
|
|
|
# ip_lib
|
|
ip: IpFilter, ip, root
|
|
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
|
|
ip_exec: IpNetnsExecFilter, ip, root
|
|
ebtables:
|
|
pods:
|
|
- dhcp_agent
|
|
- l3_agent
|
|
- lb_agent
|
|
- metadata_agent
|
|
- ovs_agent
|
|
- sriov_agent
|
|
content: |
|
|
# neutron-rootwrap command filters for nodes on which neutron is
|
|
# expected to control network
|
|
#
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
# format seems to be
|
|
# cmd-name: filter-name, raw-command, user, args
|
|
|
|
[Filters]
|
|
|
|
ebtables: CommandFilter, ebtables, root
|
|
iptables_firewall:
|
|
pods:
|
|
- dhcp_agent
|
|
- l3_agent
|
|
- lb_agent
|
|
- metadata_agent
|
|
- ovs_agent
|
|
- sriov_agent
|
|
content: |
|
|
# neutron-rootwrap command filters for nodes on which neutron is
|
|
# expected to control network
|
|
#
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
# format seems to be
|
|
# cmd-name: filter-name, raw-command, user, args
|
|
|
|
[Filters]
|
|
|
|
# neutron/agent/linux/iptables_firewall.py
|
|
# "iptables-save", ...
|
|
iptables-save: CommandFilter, iptables-save, root
|
|
iptables-restore: CommandFilter, iptables-restore, root
|
|
ip6tables-save: CommandFilter, ip6tables-save, root
|
|
ip6tables-restore: CommandFilter, ip6tables-restore, root
|
|
|
|
# neutron/agent/linux/iptables_firewall.py
|
|
# "iptables", "-A", ...
|
|
iptables: CommandFilter, iptables, root
|
|
ip6tables: CommandFilter, ip6tables, root
|
|
|
|
# neutron/agent/linux/iptables_firewall.py
|
|
sysctl: CommandFilter, sysctl, root
|
|
|
|
# neutron/agent/linux/ip_conntrack.py
|
|
conntrack: CommandFilter, conntrack, root
|
|
linuxbridge_plugin:
|
|
pods:
|
|
- dhcp_agent
|
|
- l3_agent
|
|
- lb_agent
|
|
- metadata_agent
|
|
- ovs_agent
|
|
- sriov_agent
|
|
content: |
|
|
# neutron-rootwrap command filters for nodes on which neutron is
|
|
# expected to control network
|
|
#
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
# format seems to be
|
|
# cmd-name: filter-name, raw-command, user, args
|
|
|
|
[Filters]
|
|
|
|
# linuxbridge-agent
|
|
# unclear whether both variants are necessary, but I'm transliterating
|
|
# from the old mechanism
|
|
brctl: CommandFilter, brctl, root
|
|
bridge: CommandFilter, bridge, root
|
|
|
|
# ip_lib
|
|
ip: IpFilter, ip, root
|
|
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
|
|
ip_exec: IpNetnsExecFilter, ip, root
|
|
|
|
# tc commands needed for QoS support
|
|
tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
|
|
tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
|
|
tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
|
|
tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
|
|
tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
|
|
tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop
|
|
openvswitch_plugin:
|
|
pods:
|
|
- dhcp_agent
|
|
- l3_agent
|
|
- lb_agent
|
|
- metadata_agent
|
|
- ovs_agent
|
|
- sriov_agent
|
|
content: |
|
|
# neutron-rootwrap command filters for nodes on which neutron is
|
|
# expected to control network
|
|
#
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
# format seems to be
|
|
# cmd-name: filter-name, raw-command, user, args
|
|
|
|
[Filters]
|
|
|
|
# openvswitch-agent
|
|
# unclear whether both variants are necessary, but I'm transliterating
|
|
# from the old mechanism
|
|
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
|
# NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
|
|
ovs-ofctl: CommandFilter, ovs-ofctl, root
|
|
ovs-appctl: CommandFilter, ovs-appctl, root
|
|
kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
|
|
ovsdb-client: CommandFilter, ovsdb-client, root
|
|
xe: CommandFilter, xe, root
|
|
|
|
# ip_lib
|
|
ip: IpFilter, ip, root
|
|
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
|
|
ip_exec: IpNetnsExecFilter, ip, root
|
|
|
|
# needed for FDB extension
|
|
bridge: CommandFilter, bridge, root
|
|
privsep:
|
|
pods:
|
|
- dhcp_agent
|
|
- l3_agent
|
|
- lb_agent
|
|
- metadata_agent
|
|
- ovs_agent
|
|
- sriov_agent
|
|
- netns_cleanup_cron
|
|
content: |
|
|
# Command filters to allow privsep daemon to be started via rootwrap.
|
|
#
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
[Filters]
|
|
|
|
# By installing the following, the local admin is asserting that:
|
|
#
|
|
# 1. The python module load path used by privsep-helper
|
|
# command as root (as started by sudo/rootwrap) is trusted.
|
|
# 2. Any oslo.config files matching the --config-file
|
|
# arguments below are trusted.
|
|
# 3. Users allowed to run sudo/rootwrap with this configuration(*) are
|
|
# also allowed to invoke python "entrypoint" functions from
|
|
# --privsep_context with the additional (possibly root) privileges
|
|
# configured for that context.
|
|
#
|
|
# (*) ie: the user is allowed by /etc/sudoers to run rootwrap as root
|
|
#
|
|
# In particular, the oslo.config and python module path must not
|
|
# be writeable by the unprivileged user.
|
|
|
|
# oslo.privsep default neutron context
|
|
privsep: PathFilter, privsep-helper, root,
|
|
--config-file, /etc,
|
|
--privsep_context, neutron.privileged.default,
|
|
--privsep_sock_path, /
|
|
|
|
# NOTE: A second `--config-file` arg can also be added above. Since
|
|
# many neutron components are installed like that (eg: by devstack).
|
|
# Adjust to suit local requirements.
|
|
linux_vxlan:
|
|
pods:
|
|
- bagpipe_bgp
|
|
content: |
|
|
# bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
|
|
# expected to control VXLAN Linux Bridge dataplane
|
|
#
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
# format seems to be
|
|
# cmd-name: filter-name, raw-command, user, args
|
|
|
|
[Filters]
|
|
|
|
#
|
|
modprobe: CommandFilter, modprobe, root
|
|
|
|
#
|
|
brctl: CommandFilter, brctl, root
|
|
bridge: CommandFilter, bridge, root
|
|
|
|
# ip_lib
|
|
ip: IpFilter, ip, root
|
|
ip_exec: IpNetnsExecFilter, ip, root
|
|
|
|
# shell (for piped commands)
|
|
sh: CommandFilter, sh, root
|
|
mpls_ovs_dataplane:
|
|
pods:
|
|
- bagpipe_bgp
|
|
content: |
|
|
# bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
|
|
# expected to control MPLS OpenVSwitch dataplane
|
|
#
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
# format seems to be
|
|
# cmd-name: filter-name, raw-command, user, args
|
|
|
|
[Filters]
|
|
|
|
# openvswitch
|
|
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
|
ovs-ofctl: CommandFilter, ovs-ofctl, root
|
|
|
|
# ip_lib
|
|
ip: IpFilter, ip, root
|
|
ip_exec: IpNetnsExecFilter, ip, root
|
|
|
|
# shell (for piped commands)
|
|
sh: CommandFilter, sh, root
|
|
neutron:
|
|
DEFAULT:
|
|
log_config_append: /etc/neutron/logging.conf
|
|
# NOTE(portdirect): the bind port should not be defined, and is manipulated
|
|
# via the endpoints section.
|
|
bind_port: null
|
|
default_availability_zones: nova
|
|
api_workers: 1
|
|
rpc_workers: 4
|
|
allow_overlapping_ips: True
|
|
state_path: /var/lib/neutron
|
|
# core_plugin can be: ml2, calico
|
|
core_plugin: ml2
|
|
# service_plugin can be: router, odl-router, empty for calico,
|
|
# networking_ovn.l3.l3_ovn.OVNL3RouterPlugin for OVN
|
|
service_plugins: router
|
|
allow_automatic_l3agent_failover: True
|
|
l3_ha: True
|
|
max_l3_agents_per_router: 2
|
|
l3_ha_network_type: vxlan
|
|
network_auto_schedule: True
|
|
router_auto_schedule: True
|
|
# (NOTE)portdirect: if unset this is populated dynamically from the value in
|
|
# 'network.backend' to sane defaults.
|
|
interface_driver: null
|
|
oslo_concurrency:
|
|
lock_path: /var/lib/neutron/tmp
|
|
database:
|
|
max_retries: -1
|
|
agent:
|
|
root_helper: sudo /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
|
|
oslo_messaging_notifications:
|
|
driver: messagingv2
|
|
oslo_messaging_rabbit:
|
|
rabbit_ha_queues: true
|
|
oslo_middleware:
|
|
enable_proxy_headers_parsing: true
|
|
nova:
|
|
auth_type: password
|
|
auth_version: v3
|
|
endpoint_type: internal
|
|
designate:
|
|
auth_type: password
|
|
auth_version: v3
|
|
endpoint_type: internal
|
|
allow_reverse_dns_lookup: true
|
|
ironic:
|
|
endpoint_type: internal
|
|
keystone_authtoken:
|
|
memcache_security_strategy: ENCRYPT
|
|
auth_type: password
|
|
auth_version: v3
|
|
octavia:
|
|
request_poll_timeout: 3000
|
|
logging:
|
|
loggers:
|
|
keys:
|
|
- root
|
|
- neutron
|
|
- neutron_taas
|
|
handlers:
|
|
keys:
|
|
- stdout
|
|
- stderr
|
|
- "null"
|
|
formatters:
|
|
keys:
|
|
- context
|
|
- default
|
|
logger_root:
|
|
level: WARNING
|
|
handlers: stdout
|
|
logger_neutron:
|
|
level: INFO
|
|
handlers:
|
|
- stdout
|
|
qualname: neutron
|
|
logger_neutron_taas:
|
|
level: INFO
|
|
handlers:
|
|
- stdout
|
|
qualname: neutron_taas
|
|
logger_amqp:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: amqp
|
|
logger_amqplib:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: amqplib
|
|
logger_eventletwsgi:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: eventlet.wsgi.server
|
|
logger_sqlalchemy:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: sqlalchemy
|
|
logger_boto:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: boto
|
|
handler_null:
|
|
class: logging.NullHandler
|
|
formatter: default
|
|
args: ()
|
|
handler_stdout:
|
|
class: StreamHandler
|
|
args: (sys.stdout,)
|
|
formatter: context
|
|
handler_stderr:
|
|
class: StreamHandler
|
|
args: (sys.stderr,)
|
|
formatter: context
|
|
formatter_context:
|
|
class: oslo_log.formatters.ContextFormatter
|
|
datefmt: "%Y-%m-%d %H:%M:%S"
|
|
formatter_default:
|
|
format: "%(message)s"
|
|
datefmt: "%Y-%m-%d %H:%M:%S"
|
|
plugins:
|
|
ml2_conf:
|
|
ml2:
|
|
extension_drivers: port_security
|
|
# (NOTE)portdirect: if unset this is populated dyanmicly from the value
|
|
# in 'network.backend' to sane defaults.
|
|
mechanism_drivers: null
|
|
type_drivers: flat,vlan,vxlan
|
|
tenant_network_types: vxlan
|
|
ml2_type_vxlan:
|
|
vni_ranges: 1:1000
|
|
vxlan_group: 239.1.1.1
|
|
ml2_type_flat:
|
|
flat_networks: "*"
|
|
# If you want to use the external network as a tagged provider network,
|
|
# a range should be specified including the intended VLAN target
|
|
# using ml2_type_vlan.network_vlan_ranges:
|
|
# ml2_type_vlan:
|
|
# network_vlan_ranges: "external:1100:1110"
|
|
agent:
|
|
extensions: ""
|
|
ml2_conf_sriov: null
|
|
taas:
|
|
taas:
|
|
enabled: False
|
|
openvswitch_agent:
|
|
agent:
|
|
tunnel_types: vxlan
|
|
l2_population: True
|
|
arp_responder: True
|
|
ovs:
|
|
bridge_mappings: "external:br-ex"
|
|
securitygroup:
|
|
firewall_driver: neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
|
|
linuxbridge_agent:
|
|
linux_bridge:
|
|
# To define Flat and VLAN connections, in LB we can assign
|
|
# specific interface to the flat/vlan network name using:
|
|
# physical_interface_mappings: "external:eth3"
|
|
# Or we can set the mapping between the network and bridge:
|
|
bridge_mappings: "external:br-ex"
|
|
# The two above options are exclusive, do not use both of them at once
|
|
securitygroup:
|
|
firewall_driver: iptables
|
|
vxlan:
|
|
l2_population: True
|
|
arp_responder: True
|
|
macvtap_agent: null
|
|
sriov_agent:
|
|
securitygroup:
|
|
firewall_driver: neutron.agent.firewall.NoopFirewallDriver
|
|
sriov_nic:
|
|
physical_device_mappings: physnet2:enp3s0f1
|
|
# NOTE: do not use null here, use an empty string
|
|
exclude_devices: ""
|
|
dhcp_agent:
|
|
DEFAULT:
|
|
# (NOTE)portdirect: if unset this is populated dyanmicly from the value in
|
|
# 'network.backend' to sane defaults.
|
|
interface_driver: null
|
|
dnsmasq_config_file: /etc/neutron/dnsmasq.conf
|
|
force_metadata: True
|
|
l3_agent:
|
|
DEFAULT:
|
|
# (NOTE)portdirect: if unset this is populated dyanmicly from the value in
|
|
# 'network.backend' to sane defaults.
|
|
interface_driver: null
|
|
agent_mode: legacy
|
|
metering_agent: null
|
|
metadata_agent:
|
|
DEFAULT:
|
|
# we cannot change the proxy socket path as it is declared
|
|
# as a hostPath volume from agent daemonsets
|
|
metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
|
|
metadata_proxy_shared_secret: "password"
|
|
cache:
|
|
enabled: true
|
|
backend: dogpile.cache.memcached
|
|
bagpipe_bgp: {}
|
|
|
|
rabbitmq:
|
|
# NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
|
|
policies:
|
|
- vhost: "neutron"
|
|
name: "ha_ttl_neutron"
|
|
definition:
|
|
# mirror messges to other nodes in rmq cluster
|
|
ha-mode: "all"
|
|
ha-sync-mode: "automatic"
|
|
# 70s
|
|
message-ttl: 70000
|
|
priority: 0
|
|
apply-to: all
|
|
pattern: '^(?!(amq\.|reply_)).*'
|
|
## NOTE: "besteffort" is meant for dev env with mixed compute type only.
|
|
## This helps prevent sriov init script from failing due to mis-matched NIC
|
|
## For prod env, target NIC should match and init script should fail otherwise.
|
|
## sriov_init:
|
|
## - besteffort
|
|
sriov_init:
|
|
-
|
|
# auto_bridge_add is a table of "bridge: interface" pairs
|
|
# To automatically add a physical interfaces to a specific bridges,
|
|
# for example eth3 to bridge br-physnet1, if0 to br0 and iface_two
|
|
# to br1 do something like:
|
|
#
|
|
# auto_bridge_add:
|
|
# br-physnet1: eth3
|
|
# br0: if0
|
|
# br1: iface_two
|
|
# br-ex will be added by default
|
|
auto_bridge_add:
|
|
br-ex: null
|
|
|
|
# configuration of OVS DPDK bridges and NICs
|
|
# this is a separate section and not part of the auto_bridge_add section
|
|
# because additional parameters are needed
|
|
ovs_dpdk:
|
|
enabled: false
|
|
driver: uio_pci_generic
|
|
# In case bonds are configured, the nics which are part of those bonds
|
|
# must NOT be provided here.
|
|
nics:
|
|
- name: dpdk0
|
|
pci_id: '0000:05:00.0'
|
|
# Set VF Index in case some particular VF(s) need to be
|
|
# used with ovs-dpdk.
|
|
# vf_index: 0
|
|
bridge: br-phy
|
|
migrate_ip: true
|
|
n_rxq: 2
|
|
n_txq: 2
|
|
pmd_rxq_affinity: "0:3,1:27"
|
|
ofport_request: 1
|
|
# optional parameters for tuning the OVS DPDK config
|
|
# in alignment with the available hardware resources
|
|
# mtu: 2000
|
|
# n_rxq_size: 1024
|
|
# n_txq_size: 1024
|
|
# vhost-iommu-support: true
|
|
bridges:
|
|
- name: br-phy
|
|
# optional parameter, in case tunnel traffic needs to be transported over a vlan underlay
|
|
# - tunnel_underlay_vlan: 45
|
|
# Optional parameter for configuring bonding in OVS-DPDK
|
|
# - name: br-phy-bond0
|
|
# bonds:
|
|
# - name: dpdkbond0
|
|
# bridge: br-phy-bond0
|
|
# # The IP from the first nic in nics list shall be used
|
|
# migrate_ip: true
|
|
# mtu: 2000
|
|
# # Please note that n_rxq is set for each NIC individually
|
|
# # rather than denoting the total number of rx queues for
|
|
# # the bond as a whole. So setting n_rxq = 2 below for ex.
|
|
# # would be 4 rx queues in total for the bond.
|
|
# # Same for n_txq
|
|
# n_rxq: 2
|
|
# n_txq: 2
|
|
# ofport_request: 1
|
|
# n_rxq_size: 1024
|
|
# n_txq_size: 1024
|
|
# vhost-iommu-support: true
|
|
# ovs_options: "bond_mode=active-backup"
|
|
# nics:
|
|
# - name: dpdk_b0s0
|
|
# pci_id: '0000:06:00.0'
|
|
# pmd_rxq_affinity: "0:3,1:27"
|
|
# # Set VF Index in case some particular VF(s) need to be
|
|
# # used with ovs-dpdk. In which case pci_id of PF must be
|
|
# # provided above.
|
|
# # vf_index: 0
|
|
# - name: dpdk_b0s1
|
|
# pci_id: '0000:07:00.0'
|
|
# pmd_rxq_affinity: "0:3,1:27"
|
|
# # Set VF Index in case some particular VF(s) need to be
|
|
# # used with ovs-dpdk. In which case pci_id of PF must be
|
|
# # provided above.
|
|
# # vf_index: 0
|
|
#
|
|
# Set the log level for each target module (default level is always dbg)
|
|
# Supported log levels are: off, emer, err, warn, info, dbg
|
|
#
|
|
# modules:
|
|
# - name: dpdk
|
|
# log_level: info
|
|
|
|
# Names of secrets used by bootstrap and environmental checks
|
|
secrets:
|
|
identity:
|
|
admin: neutron-keystone-admin
|
|
neutron: neutron-keystone-user
|
|
test: neutron-keystone-test
|
|
oslo_db:
|
|
admin: neutron-db-admin
|
|
neutron: neutron-db-user
|
|
oslo_messaging:
|
|
admin: neutron-rabbitmq-admin
|
|
neutron: neutron-rabbitmq-user
|
|
tls:
|
|
compute_metadata:
|
|
metadata:
|
|
internal: metadata-tls-metadata
|
|
network:
|
|
server:
|
|
public: neutron-tls-public
|
|
internal: neutron-tls-server
|
|
|
|
# typically overridden by environmental
|
|
# values, but should include all endpoints
|
|
# required by this chart
|
|
endpoints:
|
|
cluster_domain_suffix: cluster.local
|
|
local_image_registry:
|
|
name: docker-registry
|
|
namespace: docker-registry
|
|
hosts:
|
|
default: localhost
|
|
internal: docker-registry
|
|
node: localhost
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
registry:
|
|
node: 5000
|
|
oslo_db:
|
|
auth:
|
|
admin:
|
|
username: root
|
|
password: password
|
|
secret:
|
|
tls:
|
|
internal: mariadb-tls-direct
|
|
neutron:
|
|
username: neutron
|
|
password: password
|
|
hosts:
|
|
default: mariadb
|
|
host_fqdn_override:
|
|
default: null
|
|
path: /neutron
|
|
scheme: mysql+pymysql
|
|
port:
|
|
mysql:
|
|
default: 3306
|
|
oslo_messaging:
|
|
auth:
|
|
admin:
|
|
username: rabbitmq
|
|
password: password
|
|
neutron:
|
|
username: neutron
|
|
password: password
|
|
statefulset:
|
|
replicas: 2
|
|
name: rabbitmq-rabbitmq
|
|
hosts:
|
|
default: rabbitmq
|
|
host_fqdn_override:
|
|
default: null
|
|
path: /neutron
|
|
scheme: rabbit
|
|
port:
|
|
amqp:
|
|
default: 5672
|
|
http:
|
|
default: 15672
|
|
oslo_cache:
|
|
auth:
|
|
# NOTE(portdirect): this is used to define the value for keystone
|
|
# authtoken cache encryption key, if not set it will be populated
|
|
# automatically with a random value, but to take advantage of
|
|
# this feature all services should be set to use the same key,
|
|
# and memcache service.
|
|
memcache_secret_key: null
|
|
hosts:
|
|
default: memcached
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
memcache:
|
|
default: 11211
|
|
compute:
|
|
name: nova
|
|
hosts:
|
|
default: nova-api
|
|
public: nova
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: "/v2.1/%(tenant_id)s"
|
|
scheme:
|
|
default: 'http'
|
|
port:
|
|
api:
|
|
default: 8774
|
|
public: 80
|
|
novncproxy:
|
|
default: 6080
|
|
compute_metadata:
|
|
name: nova
|
|
hosts:
|
|
default: nova-metadata
|
|
public: metadata
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: /
|
|
scheme:
|
|
default: 'http'
|
|
port:
|
|
metadata:
|
|
default: 8775
|
|
public: 80
|
|
identity:
|
|
name: keystone
|
|
auth:
|
|
admin:
|
|
region_name: RegionOne
|
|
username: admin
|
|
password: password
|
|
project_name: admin
|
|
user_domain_name: default
|
|
project_domain_name: default
|
|
neutron:
|
|
role: admin
|
|
region_name: RegionOne
|
|
username: neutron
|
|
password: password
|
|
project_name: service
|
|
user_domain_name: service
|
|
project_domain_name: service
|
|
nova:
|
|
region_name: RegionOne
|
|
project_name: service
|
|
username: nova
|
|
password: password
|
|
user_domain_name: service
|
|
project_domain_name: service
|
|
designate:
|
|
region_name: RegionOne
|
|
project_name: service
|
|
username: designate
|
|
password: password
|
|
user_domain_name: service
|
|
project_domain_name: service
|
|
ironic:
|
|
region_name: RegionOne
|
|
project_name: service
|
|
username: ironic
|
|
password: password
|
|
user_domain_name: service
|
|
project_domain_name: service
|
|
test:
|
|
role: admin
|
|
region_name: RegionOne
|
|
username: neutron-test
|
|
password: password
|
|
# NOTE: this project will be purged and reset if
|
|
# conf.rally_tests.force_project_purge is set to true
|
|
# which may be required upon test failure, but be aware that this will
|
|
# expunge all openstack objects, so if this is used a seperate project
|
|
# should be used for each helm test, and also it should be ensured
|
|
# that this project is not in use by other tenants
|
|
project_name: test
|
|
user_domain_name: service
|
|
project_domain_name: service
|
|
hosts:
|
|
default: keystone
|
|
internal: keystone-api
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: /v3
|
|
scheme:
|
|
default: http
|
|
port:
|
|
api:
|
|
default: 80
|
|
internal: 5000
|
|
network:
|
|
name: neutron
|
|
hosts:
|
|
default: neutron-server
|
|
public: neutron
|
|
host_fqdn_override:
|
|
default: null
|
|
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
|
|
# endpoints using the following format:
|
|
# public:
|
|
# host: null
|
|
# tls:
|
|
# crt: null
|
|
# key: null
|
|
path:
|
|
default: null
|
|
scheme:
|
|
default: 'http'
|
|
port:
|
|
api:
|
|
default: 9696
|
|
public: 80
|
|
load_balancer:
|
|
name: octavia
|
|
hosts:
|
|
default: octavia-api
|
|
public: octavia
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: null
|
|
scheme:
|
|
default: http
|
|
port:
|
|
api:
|
|
default: 9876
|
|
public: 80
|
|
fluentd:
|
|
namespace: osh-infra
|
|
name: fluentd
|
|
hosts:
|
|
default: fluentd-logging
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: null
|
|
scheme: 'http'
|
|
port:
|
|
service:
|
|
default: 24224
|
|
metrics:
|
|
default: 24220
|
|
dns:
|
|
name: designate
|
|
hosts:
|
|
default: designate-api
|
|
public: designate
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: /
|
|
scheme:
|
|
default: 'http'
|
|
port:
|
|
api:
|
|
default: 9001
|
|
public: 80
|
|
baremetal:
|
|
name: ironic
|
|
hosts:
|
|
default: ironic-api
|
|
public: ironic
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: null
|
|
scheme:
|
|
default: 'http'
|
|
port:
|
|
api:
|
|
default: 6385
|
|
public: 80
|
|
# NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
|
|
# They are using to enable the Egress K8s network policy.
|
|
kube_dns:
|
|
namespace: kube-system
|
|
name: kubernetes-dns
|
|
hosts:
|
|
default: kube-dns
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: null
|
|
scheme: http
|
|
port:
|
|
dns:
|
|
default: 53
|
|
protocol: UDP
|
|
ingress:
|
|
namespace: null
|
|
name: ingress
|
|
hosts:
|
|
default: ingress
|
|
port:
|
|
ingress:
|
|
default: 80
|
|
|
|
network_policy:
|
|
neutron:
|
|
# TODO(lamt): Need to tighten this ingress for security.
|
|
ingress:
|
|
- {}
|
|
egress:
|
|
- {}
|
|
|
|
manifests:
|
|
certificates: false
|
|
configmap_bin: true
|
|
configmap_etc: true
|
|
daemonset_dhcp_agent: true
|
|
daemonset_l3_agent: true
|
|
daemonset_lb_agent: true
|
|
daemonset_metadata_agent: true
|
|
daemonset_ovs_agent: true
|
|
daemonset_sriov_agent: true
|
|
daemonset_l2gw_agent: false
|
|
daemonset_bagpipe_bgp: false
|
|
daemonset_netns_cleanup_cron: true
|
|
deployment_ironic_agent: false
|
|
deployment_server: true
|
|
ingress_server: true
|
|
job_bootstrap: true
|
|
job_db_init: true
|
|
job_db_sync: true
|
|
job_db_drop: false
|
|
job_image_repo_sync: true
|
|
job_ks_endpoints: true
|
|
job_ks_service: true
|
|
job_ks_user: true
|
|
job_rabbit_init: true
|
|
pdb_server: true
|
|
pod_rally_test: true
|
|
network_policy: false
|
|
secret_db: true
|
|
secret_ingress_tls: true
|
|
secret_keystone: true
|
|
secret_rabbitmq: true
|
|
service_ingress_server: true
|
|
service_server: true
|
|
...
|