openstack-helm/nova/values.yaml
Chinasubbareddy M b2714cb111 Ceph-storage-init : make configmap and secret names to be driven via chart values
This is make ceph configmap and admin keyring secret names using
in storage init scripts to be read  from chart values as we may
have two ceph clusters  gets activated in one namespace and
each ceph clsuter will have its own configmap and admin secret names.

Change-Id: I84d94f3ac21e602c50619e456ff327ae1da53622
2018-09-05 14:56:00 +00:00

2289 lines
73 KiB
YAML

# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for nova.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
release_group: null
labels:
agent:
compute:
node_selector_key: openstack-compute-node
node_selector_value: enabled
compute_ironic:
node_selector_key: openstack-compute-node
node_selector_value: enabled
api_metadata:
node_selector_key: openstack-control-plane
node_selector_value: enabled
conductor:
node_selector_key: openstack-control-plane
node_selector_value: enabled
consoleauth:
node_selector_key: openstack-control-plane
node_selector_value: enabled
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
novncproxy:
node_selector_key: openstack-control-plane
node_selector_value: enabled
osapi:
node_selector_key: openstack-control-plane
node_selector_value: enabled
placement:
node_selector_key: openstack-control-plane
node_selector_value: enabled
scheduler:
node_selector_key: openstack-control-plane
node_selector_value: enabled
spiceproxy:
node_selector_key: openstack-control-plane
node_selector_value: enabled
test:
node_selector_key: openstack-control-plane
node_selector_value: enabled
images:
pull_policy: IfNotPresent
tags:
bootstrap: docker.io/openstackhelm/heat:newton
db_drop: docker.io/openstackhelm/heat:newton
db_init: docker.io/openstackhelm/heat:newton
dep_check: 'quay.io/stackanetes/kubernetes-entrypoint:v0.3.1'
rabbit_init: docker.io/rabbitmq:3.7-management
ks_user: docker.io/openstackhelm/heat:newton
ks_service: docker.io/openstackhelm/heat:newton
ks_endpoints: docker.io/openstackhelm/heat:newton
nova_api: docker.io/openstackhelm/nova:newton
nova_cell_setup: docker.io/openstackhelm/nova:newton
nova_cell_setup_init: docker.io/openstackhelm/heat:newton
nova_compute: docker.io/openstackhelm/nova:newton
nova_compute_ironic: 'docker.io/kolla/ubuntu-source-nova-compute-ironic:3.0.3'
nova_compute_ssh: docker.io/openstackhelm/nova:newton
nova_conductor: docker.io/openstackhelm/nova:newton
nova_consoleauth: docker.io/openstackhelm/nova:newton
nova_db_sync: docker.io/openstackhelm/nova:newton
nova_novncproxy: docker.io/openstackhelm/nova:newton
nova_novncproxy_assets: 'docker.io/kolla/ubuntu-source-nova-novncproxy:3.0.3'
nova_placement: docker.io/openstackhelm/nova:newton
nova_scheduler: docker.io/openstackhelm/nova:newton
# NOTE(portdirect): we simply use the ceph config helper here,
# as it has both oscli and jq.
nova_service_cleaner: 'docker.io/port/ceph-config-helper:v1.10.3'
nova_spiceproxy: docker.io/openstackhelm/nova:newton
nova_spiceproxy_assets: 'docker.io/kolla/ubuntu-source-nova-spicehtml5proxy:3.0.3'
test: 'docker.io/kolla/ubuntu-source-rally:4.0.0'
image_repo_sync: docker.io/docker:17.07.0
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
jobs:
# NOTE(portdirect): When using cells new nodes will be added to the cell on the hour by default.
# TODO(portdirect): Add a post-start action to nova compute pods that registers themselves.
cell_setup:
cron: "0 */1 * * *"
history:
success: 3
failed: 1
service_cleaner:
cron: "0 */1 * * *"
history:
success: 3
failed: 1
bootstrap:
enabled: true
ks_user: admin
script: null
structured:
flavors:
enabled: true
options:
m1_tiny:
name: "m1.tiny"
id: "auto"
ram: 512
disk: 1
vcpus: 1
m1_small:
name: "m1.small"
id: "auto"
ram: 2048
disk: 20
vcpus: 1
m1_medium:
name: "m1.medium"
id: "auto"
ram: 4096
disk: 40
vcpus: 2
m1_large:
name: "m1.large"
id: "auto"
ram: 8192
disk: 80
vcpus: 4
m1_xlarge:
name: "m1.xlarge"
id: "auto"
ram: 16384
disk: 160
vcpus: 8
network:
# provide what type of network wiring will be used
# possible options: openvswitch, linuxbridge, sriov
backend:
- openvswitch
osapi:
port: 8774
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
external_policy_local: false
node_port:
enabled: false
port: 30774
metadata:
port: 8775
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
external_policy_local: false
node_port:
enabled: false
port: 30775
placement:
port: 8778
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
node_port:
enabled: false
port: 30778
novncproxy:
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
node_port:
enabled: false
port: 30680
spiceproxy:
node_port:
enabled: false
port: 30682
ssh:
name: "nova-ssh"
port: 8022
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- nova-image-repo-sync
services:
- endpoint: node
service: local_image_registry
targeted:
openvswitch:
compute:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-ovs-agent
linuxbridge:
compute:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-lb-agent
sriov:
compute:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-sriov-agent
static:
api:
jobs:
- nova-db-sync
- nova-ks-user
- nova-ks-endpoints
- nova-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
- endpoint: public
service: compute_metadata
bootstrap:
services:
- endpoint: internal
service: identity
- endpoint: internal
service: compute
cell_setup:
jobs:
- nova-db-sync
- nova-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
- endpoint: internal
service: compute
pod:
- requireSameNode: false
labels:
application: nova
component: compute
service_cleaner:
jobs:
- nova-db-sync
- nova-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
- endpoint: internal
service: compute
compute:
pod:
- requireSameNode: true
labels:
application: libvirt
component: libvirt
jobs:
- nova-db-sync
- nova-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: image
- endpoint: internal
service: compute
- endpoint: internal
service: network
compute_ironic:
jobs:
- nova-db-sync
- nova-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: image
- endpoint: internal
service: compute
- endpoint: internal
service: network
- endpoint: internal
service: baremetal
conductor:
jobs:
- nova-db-sync
- nova-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
- endpoint: internal
service: compute
consoleauth:
jobs:
- nova-db-sync
- nova-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
- endpoint: internal
service: compute
db_drop:
services:
- endpoint: internal
service: oslo_db
db_init:
services:
- endpoint: internal
service: oslo_db
db_sync:
jobs:
- nova-db-init
services:
- endpoint: internal
service: oslo_db
ks_endpoints:
jobs:
- nova-ks-service
services:
- endpoint: internal
service: identity
ks_service:
services:
- endpoint: internal
service: identity
ks_user:
services:
- endpoint: internal
service: identity
rabbit_init:
services:
- service: oslo_messaging
endpoint: internal
novncproxy:
jobs:
- nova-db-sync
services:
- endpoint: internal
service: oslo_db
scheduler:
jobs:
- nova-db-sync
- nova-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
- endpoint: internal
service: compute
tests:
services:
- endpoint: internal
service: image
- endpoint: internal
service: compute
- endpoint: internal
service: network
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
console:
# serial | spice | novnc | none
console_kind: novnc
serial:
spice:
compute:
# IF blank, search default routing interface
server_proxyclient_interface:
proxy:
# IF blank, search default routing interface
server_proxyclient_interface:
novnc:
compute:
# IF blank, search default routing interface
vncserver_proxyclient_interface:
vncproxy:
# IF blank, search default routing interface
vncserver_proxyclient_interface:
ssh:
key_types:
- rsa
- dsa
- ecdsa
- ed25519
ceph_client:
configmap: ceph-etc
user_secret_name: pvc-ceph-client-key
conf:
ceph:
enabled: true
admin_keyring: null
cinder:
user: "cinder"
keyring: null
secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
ssh: |
Host *
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
Port {{ .Values.network.ssh.port }}
rally_tests:
run_tempest: false
tests:
NovaAgents.list_agents:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaAggregates.create_and_get_aggregate_details:
- args:
availability_zone: nova
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaAggregates.create_and_update_aggregate:
- args:
availability_zone: nova
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaAggregates.list_aggregates:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaAvailabilityZones.list_availability_zones:
- args:
detailed: true
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaFlavors.create_and_delete_flavor:
- args:
disk: 1
ram: 500
vcpus: 1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaFlavors.create_and_list_flavor_access:
- args:
disk: 1
ram: 500
vcpus: 1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaFlavors.create_flavor:
- args:
disk: 1
ram: 500
vcpus: 1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaFlavors.create_flavor_and_add_tenant_access:
- args:
disk: 1
ram: 500
vcpus: 1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaFlavors.create_flavor_and_set_keys:
- args:
disk: 1
extra_specs:
'quota:disk_read_bytes_sec': 10240
ram: 500
vcpus: 1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaFlavors.list_flavors:
- args:
detailed: true
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaHosts.list_hosts:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaHypervisors.list_and_get_hypervisors:
- args:
detailed: true
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaHypervisors.list_and_get_uptime_hypervisors:
- args:
detailed: true
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaHypervisors.list_and_search_hypervisors:
- args:
detailed: true
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaHypervisors.list_hypervisors:
- args:
detailed: true
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaHypervisors.statistics_hypervisors:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaImages.list_images:
- args:
detailed: true
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaKeypair.create_and_delete_keypair:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaKeypair.create_and_list_keypairs:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaSecGroup.create_and_delete_secgroups:
- args:
rules_per_security_group: 1
security_group_count: 1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaSecGroup.create_and_list_secgroups:
- args:
rules_per_security_group: 1
security_group_count: 1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaSecGroup.create_and_update_secgroups:
- args:
security_group_count: 1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaServerGroups.create_and_list_server_groups:
- args:
all_projects: false
kwargs:
policies:
- affinity
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaServices.list_services:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
paste:
composite:metadata:
use: egg:Paste#urlmap
/: meta
pipeline:meta:
pipeline: cors metaapp
app:metaapp:
paste.app_factory: nova.api.metadata.handler:MetadataRequestHandler.factory
composite:osapi_compute:
use: call:nova.api.openstack.urlmap:urlmap_factory
/: oscomputeversions
/v2: openstack_compute_api_v21_legacy_v2_compatible
/v2.1: openstack_compute_api_v21
composite:openstack_compute_api_v21:
use: call:nova.api.auth:pipeline_factory_v21
noauth2: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21
keystone: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v21
composite:openstack_compute_api_v21_legacy_v2_compatible:
use: call:nova.api.auth:pipeline_factory_v21
noauth2: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21
keystone: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21
filter:request_id:
paste.filter_factory: oslo_middleware:RequestId.factory
filter:compute_req_id:
paste.filter_factory: nova.api.compute_req_id:ComputeReqIdMiddleware.factory
filter:faultwrap:
paste.filter_factory: nova.api.openstack:FaultWrapper.factory
filter:noauth2:
paste.filter_factory: nova.api.openstack.auth:NoAuthMiddleware.factory
filter:sizelimit:
paste.filter_factory: oslo_middleware:RequestBodySizeLimiter.factory
filter:http_proxy_to_wsgi:
paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
filter:legacy_v2_compatible:
paste.filter_factory: nova.api.openstack:LegacyV2CompatibleWrapper.factory
app:osapi_compute_app_v21:
paste.app_factory: nova.api.openstack.compute:APIRouterV21.factory
pipeline:oscomputeversions:
pipeline: faultwrap http_proxy_to_wsgi oscomputeversionapp
app:oscomputeversionapp:
paste.app_factory: nova.api.openstack.compute.versions:Versions.factory
filter:cors:
paste.filter_factory: oslo_middleware.cors:filter_factory
oslo_config_project: nova
filter:keystonecontext:
paste.filter_factory: nova.api.auth:NovaKeystoneContext.factory
filter:authtoken:
paste.filter_factory: keystonemiddleware.auth_token:filter_factory
policy:
os_compute_api:os-admin-actions:discoverable: "@"
os_compute_api:os-admin-actions:reset_state: rule:admin_api
os_compute_api:os-admin-actions:inject_network_info: rule:admin_api
os_compute_api:os-admin-actions: rule:admin_api
os_compute_api:os-admin-actions:reset_network: rule:admin_api
os_compute_api:os-admin-password:discoverable: "@"
os_compute_api:os-admin-password: rule:admin_or_owner
os_compute_api:os-agents: rule:admin_api
os_compute_api:os-agents:discoverable: "@"
os_compute_api:os-aggregates:set_metadata: rule:admin_api
os_compute_api:os-aggregates:add_host: rule:admin_api
os_compute_api:os-aggregates:discoverable: "@"
os_compute_api:os-aggregates:create: rule:admin_api
os_compute_api:os-aggregates:remove_host: rule:admin_api
os_compute_api:os-aggregates:update: rule:admin_api
os_compute_api:os-aggregates:index: rule:admin_api
os_compute_api:os-aggregates:delete: rule:admin_api
os_compute_api:os-aggregates:show: rule:admin_api
os_compute_api:os-assisted-volume-snapshots:create: rule:admin_api
os_compute_api:os-assisted-volume-snapshots:delete: rule:admin_api
os_compute_api:os-assisted-volume-snapshots:discoverable: "@"
os_compute_api:os-attach-interfaces: rule:admin_or_owner
os_compute_api:os-attach-interfaces:discoverable: "@"
os_compute_api:os-attach-interfaces:create: rule:admin_or_owner
os_compute_api:os-attach-interfaces:delete: rule:admin_or_owner
os_compute_api:os-availability-zone:list: rule:admin_or_owner
os_compute_api:os-availability-zone:discoverable: "@"
os_compute_api:os-availability-zone:detail: rule:admin_api
os_compute_api:os-baremetal-nodes:discoverable: "@"
os_compute_api:os-baremetal-nodes: rule:admin_api
context_is_admin: role:admin
admin_or_owner: is_admin:True or project_id:%(project_id)s
admin_api: is_admin:True
network:attach_external_network: is_admin:True
os_compute_api:os-block-device-mapping:discoverable: "@"
os_compute_api:os-block-device-mapping-v1:discoverable: "@"
os_compute_api:os-cells:discoverable: "@"
os_compute_api:os-cells:update: rule:admin_api
os_compute_api:os-cells:create: rule:admin_api
os_compute_api:os-cells: rule:admin_api
os_compute_api:os-cells:sync_instances: rule:admin_api
os_compute_api:os-cells:delete: rule:admin_api
cells_scheduler_filter:DifferentCellFilter: is_admin:True
cells_scheduler_filter:TargetCellFilter: is_admin:True
os_compute_api:os-certificates:discoverable: "@"
os_compute_api:os-certificates:create: rule:admin_or_owner
os_compute_api:os-certificates:show: rule:admin_or_owner
os_compute_api:os-cloudpipe: rule:admin_api
os_compute_api:os-cloudpipe:discoverable: "@"
os_compute_api:os-config-drive:discoverable: "@"
os_compute_api:os-config-drive: rule:admin_or_owner
os_compute_api:os-console-auth-tokens:discoverable: "@"
os_compute_api:os-console-auth-tokens: rule:admin_api
os_compute_api:os-console-output:discoverable: "@"
os_compute_api:os-console-output: rule:admin_or_owner
os_compute_api:os-consoles:create: rule:admin_or_owner
os_compute_api:os-consoles:show: rule:admin_or_owner
os_compute_api:os-consoles:delete: rule:admin_or_owner
os_compute_api:os-consoles:discoverable: "@"
os_compute_api:os-consoles:index: rule:admin_or_owner
os_compute_api:os-create-backup:discoverable: "@"
os_compute_api:os-create-backup: rule:admin_or_owner
os_compute_api:os-deferred-delete:discoverable: "@"
os_compute_api:os-deferred-delete: rule:admin_or_owner
os_compute_api:os-evacuate:discoverable: "@"
os_compute_api:os-evacuate: rule:admin_api
os_compute_api:os-extended-availability-zone: rule:admin_or_owner
os_compute_api:os-extended-availability-zone:discoverable: "@"
os_compute_api:os-extended-server-attributes: rule:admin_api
os_compute_api:os-extended-server-attributes:discoverable: "@"
os_compute_api:os-extended-status:discoverable: "@"
os_compute_api:os-extended-status: rule:admin_or_owner
os_compute_api:os-extended-volumes: rule:admin_or_owner
os_compute_api:os-extended-volumes:discoverable: "@"
os_compute_api:extension_info:discoverable: "@"
os_compute_api:extensions: rule:admin_or_owner
os_compute_api:extensions:discoverable: "@"
os_compute_api:os-fixed-ips:discoverable: "@"
os_compute_api:os-fixed-ips: rule:admin_api
os_compute_api:os-flavor-access:add_tenant_access: rule:admin_api
os_compute_api:os-flavor-access:discoverable: "@"
os_compute_api:os-flavor-access:remove_tenant_access: rule:admin_api
os_compute_api:os-flavor-access: rule:admin_or_owner
os_compute_api:os-flavor-extra-specs:show: rule:admin_or_owner
os_compute_api:os-flavor-extra-specs:create: rule:admin_api
os_compute_api:os-flavor-extra-specs:discoverable: "@"
os_compute_api:os-flavor-extra-specs:update: rule:admin_api
os_compute_api:os-flavor-extra-specs:delete: rule:admin_api
os_compute_api:os-flavor-extra-specs:index: rule:admin_or_owner
os_compute_api:os-flavor-manage: rule:admin_api
os_compute_api:os-flavor-manage:discoverable: "@"
os_compute_api:os-flavor-rxtx: rule:admin_or_owner
os_compute_api:os-flavor-rxtx:discoverable: "@"
os_compute_api:flavors:discoverable: "@"
os_compute_api:flavors: rule:admin_or_owner
os_compute_api:os-floating-ip-dns: rule:admin_or_owner
os_compute_api:os-floating-ip-dns:domain:update: rule:admin_api
os_compute_api:os-floating-ip-dns:discoverable: "@"
os_compute_api:os-floating-ip-dns:domain:delete: rule:admin_api
os_compute_api:os-floating-ip-pools:discoverable: "@"
os_compute_api:os-floating-ip-pools: rule:admin_or_owner
os_compute_api:os-floating-ips: rule:admin_or_owner
os_compute_api:os-floating-ips:discoverable: "@"
os_compute_api:os-floating-ips-bulk:discoverable: "@"
os_compute_api:os-floating-ips-bulk: rule:admin_api
os_compute_api:os-fping:all_tenants: rule:admin_api
os_compute_api:os-fping:discoverable: "@"
os_compute_api:os-fping: rule:admin_or_owner
os_compute_api:os-hide-server-addresses:discoverable: "@"
os_compute_api:os-hide-server-addresses: is_admin:False
os_compute_api:os-hosts:discoverable: "@"
os_compute_api:os-hosts: rule:admin_api
os_compute_api:os-hypervisors:discoverable: "@"
os_compute_api:os-hypervisors: rule:admin_api
os_compute_api:image-metadata:discoverable: "@"
os_compute_api:image-size:discoverable: "@"
os_compute_api:image-size: rule:admin_or_owner
os_compute_api:images:discoverable: "@"
os_compute_api:os-instance-actions:events: rule:admin_api
os_compute_api:os-instance-actions: rule:admin_or_owner
os_compute_api:os-instance-actions:discoverable: "@"
os_compute_api:os-instance-usage-audit-log: rule:admin_api
os_compute_api:os-instance-usage-audit-log:discoverable: "@"
os_compute_api:ips:discoverable: "@"
os_compute_api:ips:show: rule:admin_or_owner
os_compute_api:ips:index: rule:admin_or_owner
os_compute_api:os-keypairs:discoverable: "@"
os_compute_api:os-keypairs:index: rule:admin_api or user_id:%(user_id)s
os_compute_api:os-keypairs:create: rule:admin_api or user_id:%(user_id)s
os_compute_api:os-keypairs:delete: rule:admin_api or user_id:%(user_id)s
os_compute_api:os-keypairs:show: rule:admin_api or user_id:%(user_id)s
os_compute_api:os-keypairs: rule:admin_or_owner
os_compute_api:limits:discoverable: "@"
os_compute_api:limits: rule:admin_or_owner
os_compute_api:os-lock-server:discoverable: "@"
os_compute_api:os-lock-server:lock: rule:admin_or_owner
os_compute_api:os-lock-server:unlock:unlock_override: rule:admin_api
os_compute_api:os-lock-server:unlock: rule:admin_or_owner
os_compute_api:os-migrate-server:migrate: rule:admin_api
os_compute_api:os-migrate-server:discoverable: "@"
os_compute_api:os-migrate-server:migrate_live: rule:admin_api
os_compute_api:os-migrations:index: rule:admin_api
os_compute_api:os-migrations:discoverable: "@"
os_compute_api:os-multinic: rule:admin_or_owner
os_compute_api:os-multinic:discoverable: "@"
os_compute_api:os-multiple-create:discoverable: "@"
os_compute_api:os-networks:discoverable: "@"
os_compute_api:os-networks: rule:admin_api
os_compute_api:os-networks:view: rule:admin_or_owner
os_compute_api:os-networks-associate: rule:admin_api
os_compute_api:os-networks-associate:discoverable: "@"
os_compute_api:os-pause-server:unpause: rule:admin_or_owner
os_compute_api:os-pause-server:discoverable: "@"
os_compute_api:os-pause-server:pause: rule:admin_or_owner
os_compute_api:os-pci:index: rule:admin_api
os_compute_api:os-pci:detail: rule:admin_api
os_compute_api:os-pci:pci_servers: rule:admin_or_owner
os_compute_api:os-pci:show: rule:admin_api
os_compute_api:os-pci:discoverable: "@"
os_compute_api:os-quota-class-sets:show: is_admin:True or quota_class:%(quota_class)s
os_compute_api:os-quota-class-sets:discoverable: "@"
os_compute_api:os-quota-class-sets:update: rule:admin_api
os_compute_api:os-quota-sets:update: rule:admin_api
os_compute_api:os-quota-sets:defaults: "@"
os_compute_api:os-quota-sets:show: rule:admin_or_owner
os_compute_api:os-quota-sets:delete: rule:admin_api
os_compute_api:os-quota-sets:discoverable: "@"
os_compute_api:os-quota-sets:detail: rule:admin_api
os_compute_api:os-remote-consoles: rule:admin_or_owner
os_compute_api:os-remote-consoles:discoverable: "@"
os_compute_api:os-rescue:discoverable: "@"
os_compute_api:os-rescue: rule:admin_or_owner
os_compute_api:os-scheduler-hints:discoverable: "@"
os_compute_api:os-security-group-default-rules:discoverable: "@"
os_compute_api:os-security-group-default-rules: rule:admin_api
os_compute_api:os-security-groups: rule:admin_or_owner
os_compute_api:os-security-groups:discoverable: "@"
os_compute_api:os-server-diagnostics: rule:admin_api
os_compute_api:os-server-diagnostics:discoverable: "@"
os_compute_api:os-server-external-events:create: rule:admin_api
os_compute_api:os-server-external-events:discoverable: "@"
os_compute_api:os-server-groups:discoverable: "@"
os_compute_api:os-server-groups: rule:admin_or_owner
os_compute_api:server-metadata:index: rule:admin_or_owner
os_compute_api:server-metadata:show: rule:admin_or_owner
os_compute_api:server-metadata:create: rule:admin_or_owner
os_compute_api:server-metadata:discoverable: "@"
os_compute_api:server-metadata:update_all: rule:admin_or_owner
os_compute_api:server-metadata:delete: rule:admin_or_owner
os_compute_api:server-metadata:update: rule:admin_or_owner
os_compute_api:os-server-password: rule:admin_or_owner
os_compute_api:os-server-password:discoverable: "@"
os_compute_api:os-server-tags:delete_all: "@"
os_compute_api:os-server-tags:index: "@"
os_compute_api:os-server-tags:update_all: "@"
os_compute_api:os-server-tags:delete: "@"
os_compute_api:os-server-tags:update: "@"
os_compute_api:os-server-tags:show: "@"
os_compute_api:os-server-tags:discoverable: "@"
os_compute_api:os-server-usage: rule:admin_or_owner
os_compute_api:os-server-usage:discoverable: "@"
os_compute_api:servers:index: rule:admin_or_owner
os_compute_api:servers:detail: rule:admin_or_owner
os_compute_api:servers:detail:get_all_tenants: rule:admin_api
os_compute_api:servers:index:get_all_tenants: rule:admin_api
os_compute_api:servers:show: rule:admin_or_owner
os_compute_api:servers:show:host_status: rule:admin_api
os_compute_api:servers:create: rule:admin_or_owner
os_compute_api:servers:create:forced_host: rule:admin_api
os_compute_api:servers:create:attach_volume: rule:admin_or_owner
os_compute_api:servers:create:attach_network: rule:admin_or_owner
os_compute_api:servers:delete: rule:admin_or_owner
os_compute_api:servers:update: rule:admin_or_owner
os_compute_api:servers:confirm_resize: rule:admin_or_owner
os_compute_api:servers:revert_resize: rule:admin_or_owner
os_compute_api:servers:reboot: rule:admin_or_owner
os_compute_api:servers:resize: rule:admin_or_owner
os_compute_api:servers:rebuild: rule:admin_or_owner
os_compute_api:servers:create_image: rule:admin_or_owner
os_compute_api:servers:create_image:allow_volume_backed: rule:admin_or_owner
os_compute_api:servers:start: rule:admin_or_owner
os_compute_api:servers:stop: rule:admin_or_owner
os_compute_api:servers:trigger_crash_dump: rule:admin_or_owner
os_compute_api:servers:discoverable: "@"
os_compute_api:servers:migrations:show: rule:admin_api
os_compute_api:servers:migrations:force_complete: rule:admin_api
os_compute_api:servers:migrations:delete: rule:admin_api
os_compute_api:servers:migrations:index: rule:admin_api
os_compute_api:server-migrations:discoverable: "@"
os_compute_api:os-services: rule:admin_api
os_compute_api:os-services:discoverable: "@"
os_compute_api:os-shelve:shelve: rule:admin_or_owner
os_compute_api:os-shelve:unshelve: rule:admin_or_owner
os_compute_api:os-shelve:shelve_offload: rule:admin_api
os_compute_api:os-shelve:discoverable: "@"
os_compute_api:os-simple-tenant-usage:show: rule:admin_or_owner
os_compute_api:os-simple-tenant-usage:list: rule:admin_api
os_compute_api:os-simple-tenant-usage:discoverable: "@"
os_compute_api:os-suspend-server:resume: rule:admin_or_owner
os_compute_api:os-suspend-server:suspend: rule:admin_or_owner
os_compute_api:os-suspend-server:discoverable: "@"
os_compute_api:os-tenant-networks: rule:admin_or_owner
os_compute_api:os-tenant-networks:discoverable: "@"
os_compute_api:os-used-limits:discoverable: "@"
os_compute_api:os-used-limits: rule:admin_api
os_compute_api:os-user-data:discoverable: "@"
os_compute_api:versions:discoverable: "@"
os_compute_api:os-virtual-interfaces:discoverable: "@"
os_compute_api:os-virtual-interfaces: rule:admin_or_owner
os_compute_api:os-volumes:discoverable: "@"
os_compute_api:os-volumes: rule:admin_or_owner
os_compute_api:os-volumes-attachments:index: rule:admin_or_owner
os_compute_api:os-volumes-attachments:create: rule:admin_or_owner
os_compute_api:os-volumes-attachments:show: rule:admin_or_owner
os_compute_api:os-volumes-attachments:discoverable: "@"
os_compute_api:os-volumes-attachments:update: rule:admin_api
os_compute_api:os-volumes-attachments:delete: rule:admin_or_owner
nova_sudoers: |
# This sudoers file supports rootwrap for both Kolla and LOCI Images.
Defaults !requiretty
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
nova ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/nova-rootwrap /etc/nova/rootwrap.conf *, /var/lib/openstack/bin/nova-rootwrap /etc/nova/rootwrap.conf *
rootwrap: |
# Configuration for nova-rootwrap
# This file should be owned by (and only-writeable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
# Enable logging to syslog
# Default value is False
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR
wsgi_placement: |
Listen 0.0.0.0:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
<VirtualHost *:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
WSGIDaemonProcess placement-api processes=1 threads=4 user=nova group=nova display-name=%{GROUP}
WSGIProcessGroup placement-api
WSGIScriptAlias / /var/www/cgi-bin/nova/nova-placement-api
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /dev/stdout
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
</VirtualHost>
Alias /placement /var/www/cgi-bin/nova/nova-placement-api
<Location /placement>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup placement-api
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
rootwrap_filters:
api_metadata:
pods:
- metadata
content: |
# nova-rootwrap command filters for api-metadata nodes
# This is needed on nova-api hosts running with "metadata" in enabled_apis
# or when running nova-api-metadata
# This file should be owned by (and only-writeable by) the root user
[Filters]
# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
iptables-save: CommandFilter, iptables-save, root
ip6tables-save: CommandFilter, ip6tables-save, root
# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
iptables-restore: CommandFilter, iptables-restore, root
ip6tables-restore: CommandFilter, ip6tables-restore, root
compute:
pods:
- compute
content: |
# nova-rootwrap command filters for compute nodes
# This file should be owned by (and only-writeable by) the root user
[Filters]
# nova/virt/disk/mount/api.py: 'kpartx', '-a', device
# nova/virt/disk/mount/api.py: 'kpartx', '-d', device
kpartx: CommandFilter, kpartx, root
# nova/virt/xenapi/vm_utils.py: tune2fs, -O ^has_journal, part_path
# nova/virt/xenapi/vm_utils.py: tune2fs, -j, partition_path
tune2fs: CommandFilter, tune2fs, root
# nova/virt/disk/mount/api.py: 'mount', mapped_device
# nova/virt/disk/api.py: 'mount', '-o', 'bind', src, target
# nova/virt/xenapi/vm_utils.py: 'mount', '-t', 'ext2,ext3,ext4,reiserfs'..
# nova/virt/configdrive.py: 'mount', device, mountdir
# nova/virt/libvirt/volume.py: 'mount', '-t', 'sofs' ...
mount: CommandFilter, mount, root
# nova/virt/disk/mount/api.py: 'umount', mapped_device
# nova/virt/disk/api.py: 'umount' target
# nova/virt/xenapi/vm_utils.py: 'umount', dev_path
# nova/virt/configdrive.py: 'umount', mountdir
umount: CommandFilter, umount, root
# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-c', device, image
# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-d', device
qemu-nbd: CommandFilter, qemu-nbd, root
# nova/virt/disk/mount/loop.py: 'losetup', '--find', '--show', image
# nova/virt/disk/mount/loop.py: 'losetup', '--detach', device
losetup: CommandFilter, losetup, root
# nova/virt/disk/vfs/localfs.py: 'blkid', '-o', 'value', '-s', 'TYPE', device
blkid: CommandFilter, blkid, root
# nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path
# nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device
blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.*
# nova/virt/disk/vfs/localfs.py: 'tee', canonpath
tee: CommandFilter, tee, root
# nova/virt/disk/vfs/localfs.py: 'mkdir', canonpath
mkdir: CommandFilter, mkdir, root
# nova/virt/disk/vfs/localfs.py: 'chown'
# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
# nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk')
chown: CommandFilter, chown, root
# nova/virt/disk/vfs/localfs.py: 'chmod'
chmod: CommandFilter, chmod, root
# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
# nova/network/linux_net.py: 'ip', 'route', 'add', ..
# nova/network/linux_net.py: 'ip', 'route', 'del', .
# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
ip: CommandFilter, ip, root
# nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev
# nova/network/linux_net.py: 'tunctl', '-b', '-t', dev
tunctl: CommandFilter, tunctl, root
# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
# nova/network/linux_net.py: 'ovs-vsctl', ....
ovs-vsctl: CommandFilter, ovs-vsctl, root
# nova/virt/libvirt/vif.py: 'vrouter-port-control', ...
vrouter-port-control: CommandFilter, vrouter-port-control, root
# nova/virt/libvirt/vif.py: 'ebrctl', ...
ebrctl: CommandFilter, ebrctl, root
# nova/virt/libvirt/vif.py: 'mm-ctl', ...
mm-ctl: CommandFilter, mm-ctl, root
# nova/network/linux_net.py: 'ovs-ofctl', ....
ovs-ofctl: CommandFilter, ovs-ofctl, root
# nova/virt/libvirt/connection.py: 'dd', if=%s % virsh_output, ...
dd: CommandFilter, dd, root
# nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ...
iscsiadm: CommandFilter, iscsiadm, root
# nova/virt/libvirt/volume/aoe.py: 'aoe-revalidate', aoedev
# nova/virt/libvirt/volume/aoe.py: 'aoe-discover'
aoe-revalidate: CommandFilter, aoe-revalidate, root
aoe-discover: CommandFilter, aoe-discover, root
# nova/virt/xenapi/vm_utils.py: parted, --script, ...
# nova/virt/xenapi/vm_utils.py: 'parted', '--script', dev_path, ..*.
parted: CommandFilter, parted, root
# nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path
pygrub: CommandFilter, pygrub, root
# nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s
fdisk: CommandFilter, fdisk, root
# nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path
# nova/virt/disk/api.py: e2fsck, -f, -p, image
e2fsck: CommandFilter, e2fsck, root
# nova/virt/xenapi/vm_utils.py: resize2fs, partition_path
# nova/virt/disk/api.py: resize2fs, image
resize2fs: CommandFilter, resize2fs, root
# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
iptables-save: CommandFilter, iptables-save, root
ip6tables-save: CommandFilter, ip6tables-save, root
# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
iptables-restore: CommandFilter, iptables-restore, root
ip6tables-restore: CommandFilter, ip6tables-restore, root
# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
arping: CommandFilter, arping, root
# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
dhcp_release: CommandFilter, dhcp_release, root
# nova/network/linux_net.py: 'kill', '-9', pid
# nova/network/linux_net.py: 'kill', '-HUP', pid
kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
# nova/network/linux_net.py: 'kill', pid
kill_radvd: KillFilter, root, /usr/sbin/radvd
# nova/network/linux_net.py: dnsmasq call
dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
radvd: CommandFilter, radvd, root
# nova/network/linux_net.py: 'brctl', 'addbr', bridge
# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
brctl: CommandFilter, brctl, root
# nova/virt/libvirt/utils.py: 'mkswap'
# nova/virt/xenapi/vm_utils.py: 'mkswap'
mkswap: CommandFilter, mkswap, root
# nova/virt/libvirt/utils.py: 'nova-idmapshift'
nova-idmapshift: CommandFilter, nova-idmapshift, root
# nova/virt/xenapi/vm_utils.py: 'mkfs'
# nova/utils.py: 'mkfs', fs, path, label
mkfs: CommandFilter, mkfs, root
# nova/virt/libvirt/utils.py: 'qemu-img'
qemu-img: CommandFilter, qemu-img, root
# nova/virt/disk/vfs/localfs.py: 'readlink', '-e'
readlink: CommandFilter, readlink, root
# nova/virt/disk/api.py:
mkfs.ext3: CommandFilter, mkfs.ext3, root
mkfs.ext4: CommandFilter, mkfs.ext4, root
mkfs.ntfs: CommandFilter, mkfs.ntfs, root
# nova/virt/libvirt/connection.py:
lvremove: CommandFilter, lvremove, root
# nova/virt/libvirt/utils.py:
lvcreate: CommandFilter, lvcreate, root
# nova/virt/libvirt/utils.py:
lvs: CommandFilter, lvs, root
# nova/virt/libvirt/utils.py:
vgs: CommandFilter, vgs, root
# nova/utils.py:read_file_as_root: 'cat', file_path
# (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file)
read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd
read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow
# os-brick needed commands
read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
multipath: CommandFilter, multipath, root
# multipathd show status
multipathd: CommandFilter, multipathd, root
systool: CommandFilter, systool, root
vgc-cluster: CommandFilter, vgc-cluster, root
# os_brick/initiator/connector.py
drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
# TODO(smcginnis) Temporary fix.
# Need to pull in os-brick os-brick.filters file instead and clean
# out stale brick values from this file.
scsi_id: CommandFilter, /lib/udev/scsi_id, root
# os_brick.privileged.default oslo.privsep context
# This line ties the superuser privs with the config files, context name,
# and (implicitly) the actual python code invoked.
privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
# nova/storage/linuxscsi.py: sg_scan device
sg_scan: CommandFilter, sg_scan, root
# nova/volume/encryptors/cryptsetup.py:
# nova/volume/encryptors/luks.py:
ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/crypt-.+, .+
# nova/volume/encryptors.py:
# nova/virt/libvirt/dmcrypt.py:
cryptsetup: CommandFilter, cryptsetup, root
# nova/virt/xenapi/vm_utils.py:
xenstore-read: CommandFilter, xenstore-read, root
# nova/virt/libvirt/utils.py:
rbd: CommandFilter, rbd, root
# nova/virt/libvirt/utils.py: 'shred', '-n3', '-s%d' % volume_size, path
shred: CommandFilter, shred, root
# nova/virt/libvirt/volume.py: 'cp', '/dev/stdin', delete_control..
cp: CommandFilter, cp, root
# nova/virt/xenapi/vm_utils.py:
sync: CommandFilter, sync, root
# nova/virt/libvirt/imagebackend.py:
ploop: RegExpFilter, ploop, root, ploop, restore-descriptor, .*
prl_disk_tool: RegExpFilter, prl_disk_tool, root, prl_disk_tool, resize, --size, .*M$, --resize_partition, --hdd, .*
# nova/virt/libvirt/utils.py: 'xend', 'status'
xend: CommandFilter, xend, root
# nova/virt/libvirt/utils.py:
touch: CommandFilter, touch, root
# nova/virt/libvirt/volume/vzstorage.py
pstorage-mount: CommandFilter, pstorage-mount, root
network:
pods:
- compute
content: |
# nova-rootwrap command filters for network nodes
# This file should be owned by (and only-writeable by) the root user
[Filters]
# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
# nova/network/linux_net.py: 'ip', 'route', 'add', ..
# nova/network/linux_net.py: 'ip', 'route', 'del', .
# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
ip: CommandFilter, ip, root
# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
# nova/network/linux_net.py: 'ovs-vsctl', ....
ovs-vsctl: CommandFilter, ovs-vsctl, root
# nova/network/linux_net.py: 'ovs-ofctl', ....
ovs-ofctl: CommandFilter, ovs-ofctl, root
# nova/virt/libvirt/vif.py: 'ivs-ctl', ...
# nova/virt/libvirt/vif.py: 'ivs-ctl', 'del-port', ...
# nova/network/linux_net.py: 'ivs-ctl', ....
ivs-ctl: CommandFilter, ivs-ctl, root
# nova/virt/libvirt/vif.py: 'ifc_ctl', ...
ifc_ctl: CommandFilter, /opt/pg/bin/ifc_ctl, root
# nova/network/linux_net.py: 'ebtables', '-D' ...
# nova/network/linux_net.py: 'ebtables', '-I' ...
ebtables: CommandFilter, ebtables, root
ebtables_usr: CommandFilter, ebtables, root
# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
iptables-save: CommandFilter, iptables-save, root
ip6tables-save: CommandFilter, ip6tables-save, root
# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
iptables-restore: CommandFilter, iptables-restore, root
ip6tables-restore: CommandFilter, ip6tables-restore, root
# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
arping: CommandFilter, arping, root
# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
dhcp_release: CommandFilter, dhcp_release, root
# nova/network/linux_net.py: 'kill', '-9', pid
# nova/network/linux_net.py: 'kill', '-HUP', pid
kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
# nova/network/linux_net.py: 'kill', pid
kill_radvd: KillFilter, root, /usr/sbin/radvd
# nova/network/linux_net.py: dnsmasq call
dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
radvd: CommandFilter, radvd, root
# nova/network/linux_net.py: 'brctl', 'addbr', bridge
# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
brctl: CommandFilter, brctl, root
# nova/network/linux_net.py: 'sysctl', ....
sysctl: CommandFilter, sysctl, root
# nova/network/linux_net.py: 'conntrack'
conntrack: CommandFilter, conntrack, root
# nova/network/linux_net.py: 'fp-vdev'
fp-vdev: CommandFilter, fp-vdev, root
nova_ironic:
DEFAULT:
scheduler_host_manager: ironic_host_manager
compute_driver: ironic.IronicDriver
libvirt:
# Get the IP address to be used as the target for live migration traffic using interface name.
# If this option is set to None, the hostname of the migration target compute node will be used.
live_migration_interface:
nova:
DEFAULT:
log_config_append: /etc/nova/logging.conf
default_ephemeral_format: ext4
ram_allocation_ratio: 1.0
disk_allocation_ratio: 1.0
cpu_allocation_ratio: 3.0
state_path: /var/lib/nova
osapi_compute_listen: 0.0.0.0
# NOTE(portdirect): the bind port should not be defined, and is manipulated
# via the endpoints section.
osapi_compute_listen_port: null
osapi_compute_workers: 1
metadata_workers: 1
use_neutron: true
firewall_driver: nova.virt.firewall.NoopFirewallDriver
linuxnet_interface_driver: openvswitch
allow_resize_to_same_host: true
compute_driver: libvirt.LibvirtDriver
my_ip: 0.0.0.0
instance_usage_audit: True
instance_usage_audit_period: hour
notify_on_state_change: vm_and_task_state
resume_guests_state_on_host_boot: True
vnc:
novncproxy_host: 0.0.0.0
vncserver_listen: 0.0.0.0
# This would be set by each compute nodes's ip
# vncserver_proxyclient_address: 127.0.0.1
spice:
html5proxy_host: 0.0.0.0
server_listen: 0.0.0.0
# This would be set by each compute nodes's ip
# server_proxyclient_address: 127.0.0.1
conductor:
workers: 1
oslo_policy:
policy_file: /etc/nova/policy.yaml
oslo_concurrency:
lock_path: /var/lib/nova/tmp
oslo_middleware:
enable_proxy_headers_parsing: true
glance:
num_retries: 3
ironic:
api_endpoint: null
auth_url: null
neutron:
metadata_proxy_shared_secret: "password"
service_metadata_proxy: True
auth_type: password
auth_version: v3
database:
max_retries: -1
api_database:
max_retries: -1
cell0_database:
max_retries: -1
keystone_authtoken:
auth_type: password
auth_version: v3
memcache_security_strategy: ENCRYPT
libvirt:
connection_uri: "qemu+tcp://127.0.0.1/system"
images_type: qcow2
images_rbd_pool: vms
images_rbd_ceph_conf: /etc/ceph/ceph.conf
rbd_user: cinder
rbd_secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
disk_cachemodes: "network=writeback"
hw_disk_discard: unmap
upgrade_levels:
compute: auto
cache:
enabled: true
backend: oslo_cache.memcache_pool
wsgi:
api_paste_config: /etc/nova/api-paste.ini
oslo_messaging_notifications:
driver: messagingv2
placement:
auth_type: password
auth_version: v3
logging:
loggers:
keys:
- root
- nova
handlers:
keys:
- stdout
- stderr
- "null"
formatters:
keys:
- context
- default
logger_root:
level: WARNING
handlers: 'null'
logger_nova:
level: INFO
handlers:
- stdout
qualname: nova
logger_amqp:
level: WARNING
handlers: stderr
qualname: amqp
logger_amqplib:
level: WARNING
handlers: stderr
qualname: amqplib
logger_eventletwsgi:
level: WARNING
handlers: stderr
qualname: eventlet.wsgi.server
logger_sqlalchemy:
level: WARNING
handlers: stderr
qualname: sqlalchemy
logger_boto:
level: WARNING
handlers: stderr
qualname: boto
handler_null:
class: logging.NullHandler
formatter: default
args: ()
handler_stdout:
class: StreamHandler
args: (sys.stdout,)
formatter: context
handler_stderr:
class: StreamHandler
args: (sys.stderr,)
formatter: context
formatter_context:
class: oslo_log.formatters.ContextFormatter
formatter_default:
format: "%(message)s"
rabbitmq:
#NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
policies:
- vhost: "nova"
name: "ha_ttl_nova"
definition:
#mirror messges to other nodes in rmq cluster
ha-mode: "all"
ha-sync-mode: "automatic"
#70s
message-ttl: 70000
priority: 0
apply-to: all
pattern: '(notifications)\.'
# Names of secrets used by bootstrap and environmental checks
secrets:
identity:
admin: nova-keystone-admin
nova: nova-keystone-user
placement: nova-keystone-placement
test: nova-keystone-test
oslo_db:
admin: nova-db-admin
nova: nova-db-user
oslo_db_api:
admin: nova-db-api-admin
nova: nova-db-api-user
oslo_db_cell0:
admin: nova-db-api-admin
nova: nova-db-api-user
oslo_messaging:
admin: nova-rabbitmq-admin
nova: nova-rabbitmq-user
tls:
compute:
osapi:
public: nova-tls-public
compute_novnc_proxy:
novncproxy:
public: nova-novncproxy-tls-public
placement:
placement:
public: placement-tls-public
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
oslo_db:
auth:
admin:
username: root
password: password
nova:
username: nova
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /nova
scheme: mysql+pymysql
port:
mysql:
default: 3306
oslo_db_api:
auth:
admin:
username: root
password: password
nova:
username: nova
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /nova_api
scheme: mysql+pymysql
port:
mysql:
default: 3306
oslo_db_cell0:
auth:
admin:
username: root
password: password
nova:
username: nova
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /nova_cell0
scheme: mysql+pymysql
port:
mysql:
default: 3306
oslo_messaging:
auth:
admin:
username: rabbitmq
password: password
nova:
username: nova
password: password
hosts:
default: rabbitmq
host_fqdn_override:
default: null
path: /nova
scheme: rabbit
port:
amqp:
default: 5672
http:
default: 15672
oslo_cache:
auth:
# NOTE(portdirect): this is used to define the value for keystone
# authtoken cache encryption key, if not set it will be populated
# automatically with a random value, but to take advantage of
# this feature all services should be set to use the same key,
# and memcache service.
memcache_secret_key: null
hosts:
default: memcached
host_fqdn_override:
default: null
port:
memcache:
default: 11211
identity:
name: keystone
auth:
admin:
region_name: RegionOne
username: admin
password: password
project_name: admin
user_domain_name: default
project_domain_name: default
nova:
role: admin
region_name: RegionOne
username: nova
password: password
project_name: service
user_domain_name: service
project_domain_name: service
# NOTE(portdirect): the neutron user is not managed by the nova chart
# these values should match those set in the neutron chart.
neutron:
region_name: RegionOne
project_name: service
user_domain_name: service
project_domain_name: service
username: neutron
password: password
# NOTE(portdirect): the ironic user is not managed by the nova chart
# these values should match those set in the ironic chart.
ironic:
auth_type: password
auth_version: v3
region_name: RegionOne
project_name: service
user_domain_name: service
project_domain_name: service
username: ironic
password: password
placement:
role: admin
region_name: RegionOne
username: placement
password: password
project_name: service
user_domain_name: service
project_domain_name: service
test:
role: admin
region_name: RegionOne
username: test
password: password
project_name: test
user_domain_name: service
project_domain_name: service
hosts:
default: keystone
internal: keystone-api
host_fqdn_override:
default: null
path:
default: /v3
scheme:
default: http
port:
api:
default: 80
internal: 5000
image:
name: glance
hosts:
default: glance-api
public: glance
host_fqdn_override:
default: null
path:
default: null
scheme:
default: http
port:
api:
default: 9292
public: 80
compute:
name: nova
hosts:
default: nova-api
public: nova
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: "/v2.1/%(tenant_id)s"
scheme:
default: 'http'
port:
api:
default: 8774
public: 80
novncproxy:
default: 6080
compute_metadata:
name: nova
ip:
# IF blank, set clusterIP and metadata_host dynamically
ingress: null
hosts:
default: nova-metadata
public: metadata
host_fqdn_override:
default: null
path:
default: /
scheme:
default: 'http'
port:
metadata:
default: 8775
public: 80
compute_novnc_proxy:
name: nova
hosts:
default: nova-novncproxy
public: novncproxy
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: /vnc_auto.html
scheme:
default: 'http'
port:
novnc_proxy:
default: 6080
public: 80
compute_spice_proxy:
name: nova
hosts:
default: nova-spiceproxy
public: placement
host_fqdn_override:
default: null
path:
default: /spice_auto.html
scheme:
default: 'http'
port:
spice_proxy:
default: 6082
placement:
name: placement
hosts:
default: placement-api
public: placement
host_fqdn_override:
default: null
path:
default: /
scheme:
default: 'http'
port:
api:
default: 8778
public: 80
network:
name: neutron
hosts:
default: neutron-server
public: neutron
host_fqdn_override:
default: null
path:
default: null
scheme:
default: 'http'
port:
api:
default: 9696
public: 80
baremetal:
name: ironic
hosts:
default: ironic-api
public: ironic
host_fqdn_override:
default: null
path:
default: null
scheme:
default: http
port:
api:
default: 6385
public: 80
fluentd:
namespace: null
name: fluentd
hosts:
default: fluentd-logging
host_fqdn_override:
default: null
path:
default: null
scheme: 'http'
port:
service:
default: 24224
metrics:
default: 24220
pod:
user:
nova:
uid: 42424
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
mounts:
nova_compute:
init_container: null
nova_compute:
nova_compute_ironic:
init_container: null
nova_compute_ironic:
nova_api_metadata:
init_container: null
nova_api_metadata:
nova_placement:
init_container: null
nova_placement:
nova_api_osapi:
init_container: null
nova_api_osapi:
nova_consoleauth:
init_container: null
nova_consoleauth:
nova_conductor:
init_container: null
nova_conductor:
nova_scheduler:
init_container: null
nova_scheduler:
nova_bootstrap:
init_container: null
nova_bootstrap:
nova_tests:
init_container: null
nova_tests:
nova_novncproxy:
init_novncproxy: null
nova_novncproxy:
nova_spiceproxy:
init_spiceproxy: null
nova_spiceproxy:
replicas:
api_metadata: 1
compute_ironic: 1
placement: 1
osapi: 1
conductor: 1
consoleauth: 1
scheduler: 1
novncproxy: 1
spiceproxy: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
daemonsets:
pod_replacement_strategy: RollingUpdate
compute:
enabled: true
min_ready_seconds: 0
max_unavailable: 1
disruption_budget:
metadata:
min_available: 0
placement:
min_available: 0
osapi:
min_available: 0
termination_grace_period:
metadata:
timeout: 30
placement:
timeout: 30
osapi:
timeout: 30
resources:
enabled: false
compute:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
compute_ironic:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
api_metadata:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
placement:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
api:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
conductor:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
consoleauth:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
scheduler:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ssh:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
novncproxy:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
spiceproxy:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
bootstrap:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
rabbit_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_drop:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_endpoints:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_service:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_user:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
tests:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
cell_setup:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
service_cleaner:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
manifests:
configmap_bin: true
configmap_etc: true
cron_job_cell_setup: true
cron_job_service_cleaner: true
daemonset_compute: true
deployment_api_metadata: true
deployment_api_osapi: true
deployment_placement: true
deployment_conductor: true
deployment_consoleauth: true
deployment_novncproxy: true
deployment_spiceproxy: true
deployment_scheduler: true
ingress_metadata: true
ingress_novncproxy: true
ingress_placement: true
ingress_osapi: true
job_bootstrap: true
job_db_init: true
job_db_init_placement: true
job_db_sync: true
job_db_drop: false
job_image_repo_sync: true
job_rabbit_init: true
job_ks_endpoints: true
job_ks_service: true
job_ks_user: true
job_ks_placement_endpoints: true
job_ks_placement_service: true
job_ks_placement_user: true
job_cell_setup: true
pdb_metadata: true
pdb_placement: true
pdb_osapi: true
pod_rally_test: true
secret_db_api: true
secret_db: true
secret_ingress_tls: true
secret_keystone: true
secret_keystone_placement: true
secret_rabbitmq: true
service_ingress_metadata: true
service_ingress_novncproxy: true
service_ingress_placement: true
service_ingress_osapi: true
service_metadata: true
service_placement: true
service_novncproxy: true
service_spiceproxy: true
service_osapi: true
statefulset_compute_ironic: false