b2714cb111
This is make ceph configmap and admin keyring secret names using in storage init scripts to be read from chart values as we may have two ceph clusters gets activated in one namespace and each ceph clsuter will have its own configmap and admin secret names. Change-Id: I84d94f3ac21e602c50619e456ff327ae1da53622
2289 lines
73 KiB
YAML
2289 lines
73 KiB
YAML
# Copyright 2017 The Openstack-Helm Authors.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Default values for nova.
|
|
# This is a YAML-formatted file.
|
|
# Declare name/value pairs to be passed into your templates.
|
|
# name: value
|
|
|
|
release_group: null
|
|
|
|
labels:
|
|
agent:
|
|
compute:
|
|
node_selector_key: openstack-compute-node
|
|
node_selector_value: enabled
|
|
compute_ironic:
|
|
node_selector_key: openstack-compute-node
|
|
node_selector_value: enabled
|
|
api_metadata:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
conductor:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
consoleauth:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
job:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
novncproxy:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
osapi:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
placement:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
scheduler:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
spiceproxy:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
test:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
|
|
images:
|
|
pull_policy: IfNotPresent
|
|
tags:
|
|
bootstrap: docker.io/openstackhelm/heat:newton
|
|
db_drop: docker.io/openstackhelm/heat:newton
|
|
db_init: docker.io/openstackhelm/heat:newton
|
|
dep_check: 'quay.io/stackanetes/kubernetes-entrypoint:v0.3.1'
|
|
rabbit_init: docker.io/rabbitmq:3.7-management
|
|
ks_user: docker.io/openstackhelm/heat:newton
|
|
ks_service: docker.io/openstackhelm/heat:newton
|
|
ks_endpoints: docker.io/openstackhelm/heat:newton
|
|
nova_api: docker.io/openstackhelm/nova:newton
|
|
nova_cell_setup: docker.io/openstackhelm/nova:newton
|
|
nova_cell_setup_init: docker.io/openstackhelm/heat:newton
|
|
nova_compute: docker.io/openstackhelm/nova:newton
|
|
nova_compute_ironic: 'docker.io/kolla/ubuntu-source-nova-compute-ironic:3.0.3'
|
|
nova_compute_ssh: docker.io/openstackhelm/nova:newton
|
|
nova_conductor: docker.io/openstackhelm/nova:newton
|
|
nova_consoleauth: docker.io/openstackhelm/nova:newton
|
|
nova_db_sync: docker.io/openstackhelm/nova:newton
|
|
nova_novncproxy: docker.io/openstackhelm/nova:newton
|
|
nova_novncproxy_assets: 'docker.io/kolla/ubuntu-source-nova-novncproxy:3.0.3'
|
|
nova_placement: docker.io/openstackhelm/nova:newton
|
|
nova_scheduler: docker.io/openstackhelm/nova:newton
|
|
# NOTE(portdirect): we simply use the ceph config helper here,
|
|
# as it has both oscli and jq.
|
|
nova_service_cleaner: 'docker.io/port/ceph-config-helper:v1.10.3'
|
|
nova_spiceproxy: docker.io/openstackhelm/nova:newton
|
|
nova_spiceproxy_assets: 'docker.io/kolla/ubuntu-source-nova-spicehtml5proxy:3.0.3'
|
|
test: 'docker.io/kolla/ubuntu-source-rally:4.0.0'
|
|
image_repo_sync: docker.io/docker:17.07.0
|
|
local_registry:
|
|
active: false
|
|
exclude:
|
|
- dep_check
|
|
- image_repo_sync
|
|
|
|
jobs:
|
|
# NOTE(portdirect): When using cells new nodes will be added to the cell on the hour by default.
|
|
# TODO(portdirect): Add a post-start action to nova compute pods that registers themselves.
|
|
cell_setup:
|
|
cron: "0 */1 * * *"
|
|
history:
|
|
success: 3
|
|
failed: 1
|
|
service_cleaner:
|
|
cron: "0 */1 * * *"
|
|
history:
|
|
success: 3
|
|
failed: 1
|
|
|
|
bootstrap:
|
|
enabled: true
|
|
ks_user: admin
|
|
script: null
|
|
structured:
|
|
flavors:
|
|
enabled: true
|
|
options:
|
|
m1_tiny:
|
|
name: "m1.tiny"
|
|
id: "auto"
|
|
ram: 512
|
|
disk: 1
|
|
vcpus: 1
|
|
m1_small:
|
|
name: "m1.small"
|
|
id: "auto"
|
|
ram: 2048
|
|
disk: 20
|
|
vcpus: 1
|
|
m1_medium:
|
|
name: "m1.medium"
|
|
id: "auto"
|
|
ram: 4096
|
|
disk: 40
|
|
vcpus: 2
|
|
m1_large:
|
|
name: "m1.large"
|
|
id: "auto"
|
|
ram: 8192
|
|
disk: 80
|
|
vcpus: 4
|
|
m1_xlarge:
|
|
name: "m1.xlarge"
|
|
id: "auto"
|
|
ram: 16384
|
|
disk: 160
|
|
vcpus: 8
|
|
|
|
network:
|
|
# provide what type of network wiring will be used
|
|
# possible options: openvswitch, linuxbridge, sriov
|
|
backend:
|
|
- openvswitch
|
|
osapi:
|
|
port: 8774
|
|
ingress:
|
|
public: true
|
|
classes:
|
|
namespace: "nginx"
|
|
cluster: "nginx-cluster"
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
|
external_policy_local: false
|
|
node_port:
|
|
enabled: false
|
|
port: 30774
|
|
metadata:
|
|
port: 8775
|
|
ingress:
|
|
public: true
|
|
classes:
|
|
namespace: "nginx"
|
|
cluster: "nginx-cluster"
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
|
external_policy_local: false
|
|
node_port:
|
|
enabled: false
|
|
port: 30775
|
|
placement:
|
|
port: 8778
|
|
ingress:
|
|
public: true
|
|
classes:
|
|
namespace: "nginx"
|
|
cluster: "nginx-cluster"
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
|
node_port:
|
|
enabled: false
|
|
port: 30778
|
|
novncproxy:
|
|
ingress:
|
|
public: true
|
|
classes:
|
|
namespace: "nginx"
|
|
cluster: "nginx-cluster"
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
|
node_port:
|
|
enabled: false
|
|
port: 30680
|
|
spiceproxy:
|
|
node_port:
|
|
enabled: false
|
|
port: 30682
|
|
ssh:
|
|
name: "nova-ssh"
|
|
port: 8022
|
|
|
|
dependencies:
|
|
dynamic:
|
|
common:
|
|
local_image_registry:
|
|
jobs:
|
|
- nova-image-repo-sync
|
|
services:
|
|
- endpoint: node
|
|
service: local_image_registry
|
|
targeted:
|
|
openvswitch:
|
|
compute:
|
|
pod:
|
|
- requireSameNode: true
|
|
labels:
|
|
application: neutron
|
|
component: neutron-ovs-agent
|
|
linuxbridge:
|
|
compute:
|
|
pod:
|
|
- requireSameNode: true
|
|
labels:
|
|
application: neutron
|
|
component: neutron-lb-agent
|
|
sriov:
|
|
compute:
|
|
pod:
|
|
- requireSameNode: true
|
|
labels:
|
|
application: neutron
|
|
component: neutron-sriov-agent
|
|
static:
|
|
api:
|
|
jobs:
|
|
- nova-db-sync
|
|
- nova-ks-user
|
|
- nova-ks-endpoints
|
|
- nova-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
- endpoint: internal
|
|
service: identity
|
|
- endpoint: public
|
|
service: compute_metadata
|
|
bootstrap:
|
|
services:
|
|
- endpoint: internal
|
|
service: identity
|
|
- endpoint: internal
|
|
service: compute
|
|
cell_setup:
|
|
jobs:
|
|
- nova-db-sync
|
|
- nova-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
- endpoint: internal
|
|
service: identity
|
|
- endpoint: internal
|
|
service: compute
|
|
pod:
|
|
- requireSameNode: false
|
|
labels:
|
|
application: nova
|
|
component: compute
|
|
service_cleaner:
|
|
jobs:
|
|
- nova-db-sync
|
|
- nova-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
- endpoint: internal
|
|
service: identity
|
|
- endpoint: internal
|
|
service: compute
|
|
compute:
|
|
pod:
|
|
- requireSameNode: true
|
|
labels:
|
|
application: libvirt
|
|
component: libvirt
|
|
jobs:
|
|
- nova-db-sync
|
|
- nova-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: image
|
|
- endpoint: internal
|
|
service: compute
|
|
- endpoint: internal
|
|
service: network
|
|
compute_ironic:
|
|
jobs:
|
|
- nova-db-sync
|
|
- nova-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: image
|
|
- endpoint: internal
|
|
service: compute
|
|
- endpoint: internal
|
|
service: network
|
|
- endpoint: internal
|
|
service: baremetal
|
|
conductor:
|
|
jobs:
|
|
- nova-db-sync
|
|
- nova-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
- endpoint: internal
|
|
service: identity
|
|
- endpoint: internal
|
|
service: compute
|
|
consoleauth:
|
|
jobs:
|
|
- nova-db-sync
|
|
- nova-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
- endpoint: internal
|
|
service: identity
|
|
- endpoint: internal
|
|
service: compute
|
|
db_drop:
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
db_init:
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
db_sync:
|
|
jobs:
|
|
- nova-db-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
ks_endpoints:
|
|
jobs:
|
|
- nova-ks-service
|
|
services:
|
|
- endpoint: internal
|
|
service: identity
|
|
ks_service:
|
|
services:
|
|
- endpoint: internal
|
|
service: identity
|
|
ks_user:
|
|
services:
|
|
- endpoint: internal
|
|
service: identity
|
|
rabbit_init:
|
|
services:
|
|
- service: oslo_messaging
|
|
endpoint: internal
|
|
novncproxy:
|
|
jobs:
|
|
- nova-db-sync
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
scheduler:
|
|
jobs:
|
|
- nova-db-sync
|
|
- nova-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
- endpoint: internal
|
|
service: identity
|
|
- endpoint: internal
|
|
service: compute
|
|
tests:
|
|
services:
|
|
- endpoint: internal
|
|
service: image
|
|
- endpoint: internal
|
|
service: compute
|
|
- endpoint: internal
|
|
service: network
|
|
image_repo_sync:
|
|
services:
|
|
- endpoint: internal
|
|
service: local_image_registry
|
|
|
|
console:
|
|
# serial | spice | novnc | none
|
|
console_kind: novnc
|
|
serial:
|
|
spice:
|
|
compute:
|
|
# IF blank, search default routing interface
|
|
server_proxyclient_interface:
|
|
proxy:
|
|
# IF blank, search default routing interface
|
|
server_proxyclient_interface:
|
|
novnc:
|
|
compute:
|
|
# IF blank, search default routing interface
|
|
vncserver_proxyclient_interface:
|
|
vncproxy:
|
|
# IF blank, search default routing interface
|
|
vncserver_proxyclient_interface:
|
|
|
|
ssh:
|
|
key_types:
|
|
- rsa
|
|
- dsa
|
|
- ecdsa
|
|
- ed25519
|
|
|
|
ceph_client:
|
|
configmap: ceph-etc
|
|
user_secret_name: pvc-ceph-client-key
|
|
|
|
conf:
|
|
ceph:
|
|
enabled: true
|
|
admin_keyring: null
|
|
cinder:
|
|
user: "cinder"
|
|
keyring: null
|
|
secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
|
|
ssh: |
|
|
Host *
|
|
StrictHostKeyChecking no
|
|
UserKnownHostsFile /dev/null
|
|
Port {{ .Values.network.ssh.port }}
|
|
rally_tests:
|
|
run_tempest: false
|
|
tests:
|
|
NovaAgents.list_agents:
|
|
- runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaAggregates.create_and_get_aggregate_details:
|
|
- args:
|
|
availability_zone: nova
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaAggregates.create_and_update_aggregate:
|
|
- args:
|
|
availability_zone: nova
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaAggregates.list_aggregates:
|
|
- runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaAvailabilityZones.list_availability_zones:
|
|
- args:
|
|
detailed: true
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaFlavors.create_and_delete_flavor:
|
|
- args:
|
|
disk: 1
|
|
ram: 500
|
|
vcpus: 1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaFlavors.create_and_list_flavor_access:
|
|
- args:
|
|
disk: 1
|
|
ram: 500
|
|
vcpus: 1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaFlavors.create_flavor:
|
|
- args:
|
|
disk: 1
|
|
ram: 500
|
|
vcpus: 1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaFlavors.create_flavor_and_add_tenant_access:
|
|
- args:
|
|
disk: 1
|
|
ram: 500
|
|
vcpus: 1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaFlavors.create_flavor_and_set_keys:
|
|
- args:
|
|
disk: 1
|
|
extra_specs:
|
|
'quota:disk_read_bytes_sec': 10240
|
|
ram: 500
|
|
vcpus: 1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaFlavors.list_flavors:
|
|
- args:
|
|
detailed: true
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaHosts.list_hosts:
|
|
- runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaHypervisors.list_and_get_hypervisors:
|
|
- args:
|
|
detailed: true
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaHypervisors.list_and_get_uptime_hypervisors:
|
|
- args:
|
|
detailed: true
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaHypervisors.list_and_search_hypervisors:
|
|
- args:
|
|
detailed: true
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaHypervisors.list_hypervisors:
|
|
- args:
|
|
detailed: true
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaHypervisors.statistics_hypervisors:
|
|
- args: {}
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaImages.list_images:
|
|
- args:
|
|
detailed: true
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaKeypair.create_and_delete_keypair:
|
|
- runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaKeypair.create_and_list_keypairs:
|
|
- runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaSecGroup.create_and_delete_secgroups:
|
|
- args:
|
|
rules_per_security_group: 1
|
|
security_group_count: 1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaSecGroup.create_and_list_secgroups:
|
|
- args:
|
|
rules_per_security_group: 1
|
|
security_group_count: 1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaSecGroup.create_and_update_secgroups:
|
|
- args:
|
|
security_group_count: 1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaServerGroups.create_and_list_server_groups:
|
|
- args:
|
|
all_projects: false
|
|
kwargs:
|
|
policies:
|
|
- affinity
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaServices.list_services:
|
|
- runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
paste:
|
|
composite:metadata:
|
|
use: egg:Paste#urlmap
|
|
/: meta
|
|
pipeline:meta:
|
|
pipeline: cors metaapp
|
|
app:metaapp:
|
|
paste.app_factory: nova.api.metadata.handler:MetadataRequestHandler.factory
|
|
composite:osapi_compute:
|
|
use: call:nova.api.openstack.urlmap:urlmap_factory
|
|
/: oscomputeversions
|
|
/v2: openstack_compute_api_v21_legacy_v2_compatible
|
|
/v2.1: openstack_compute_api_v21
|
|
composite:openstack_compute_api_v21:
|
|
use: call:nova.api.auth:pipeline_factory_v21
|
|
noauth2: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21
|
|
keystone: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v21
|
|
composite:openstack_compute_api_v21_legacy_v2_compatible:
|
|
use: call:nova.api.auth:pipeline_factory_v21
|
|
noauth2: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21
|
|
keystone: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21
|
|
filter:request_id:
|
|
paste.filter_factory: oslo_middleware:RequestId.factory
|
|
filter:compute_req_id:
|
|
paste.filter_factory: nova.api.compute_req_id:ComputeReqIdMiddleware.factory
|
|
filter:faultwrap:
|
|
paste.filter_factory: nova.api.openstack:FaultWrapper.factory
|
|
filter:noauth2:
|
|
paste.filter_factory: nova.api.openstack.auth:NoAuthMiddleware.factory
|
|
filter:sizelimit:
|
|
paste.filter_factory: oslo_middleware:RequestBodySizeLimiter.factory
|
|
filter:http_proxy_to_wsgi:
|
|
paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
|
|
filter:legacy_v2_compatible:
|
|
paste.filter_factory: nova.api.openstack:LegacyV2CompatibleWrapper.factory
|
|
app:osapi_compute_app_v21:
|
|
paste.app_factory: nova.api.openstack.compute:APIRouterV21.factory
|
|
pipeline:oscomputeversions:
|
|
pipeline: faultwrap http_proxy_to_wsgi oscomputeversionapp
|
|
app:oscomputeversionapp:
|
|
paste.app_factory: nova.api.openstack.compute.versions:Versions.factory
|
|
filter:cors:
|
|
paste.filter_factory: oslo_middleware.cors:filter_factory
|
|
oslo_config_project: nova
|
|
filter:keystonecontext:
|
|
paste.filter_factory: nova.api.auth:NovaKeystoneContext.factory
|
|
filter:authtoken:
|
|
paste.filter_factory: keystonemiddleware.auth_token:filter_factory
|
|
policy:
|
|
os_compute_api:os-admin-actions:discoverable: "@"
|
|
os_compute_api:os-admin-actions:reset_state: rule:admin_api
|
|
os_compute_api:os-admin-actions:inject_network_info: rule:admin_api
|
|
os_compute_api:os-admin-actions: rule:admin_api
|
|
os_compute_api:os-admin-actions:reset_network: rule:admin_api
|
|
os_compute_api:os-admin-password:discoverable: "@"
|
|
os_compute_api:os-admin-password: rule:admin_or_owner
|
|
os_compute_api:os-agents: rule:admin_api
|
|
os_compute_api:os-agents:discoverable: "@"
|
|
os_compute_api:os-aggregates:set_metadata: rule:admin_api
|
|
os_compute_api:os-aggregates:add_host: rule:admin_api
|
|
os_compute_api:os-aggregates:discoverable: "@"
|
|
os_compute_api:os-aggregates:create: rule:admin_api
|
|
os_compute_api:os-aggregates:remove_host: rule:admin_api
|
|
os_compute_api:os-aggregates:update: rule:admin_api
|
|
os_compute_api:os-aggregates:index: rule:admin_api
|
|
os_compute_api:os-aggregates:delete: rule:admin_api
|
|
os_compute_api:os-aggregates:show: rule:admin_api
|
|
os_compute_api:os-assisted-volume-snapshots:create: rule:admin_api
|
|
os_compute_api:os-assisted-volume-snapshots:delete: rule:admin_api
|
|
os_compute_api:os-assisted-volume-snapshots:discoverable: "@"
|
|
os_compute_api:os-attach-interfaces: rule:admin_or_owner
|
|
os_compute_api:os-attach-interfaces:discoverable: "@"
|
|
os_compute_api:os-attach-interfaces:create: rule:admin_or_owner
|
|
os_compute_api:os-attach-interfaces:delete: rule:admin_or_owner
|
|
os_compute_api:os-availability-zone:list: rule:admin_or_owner
|
|
os_compute_api:os-availability-zone:discoverable: "@"
|
|
os_compute_api:os-availability-zone:detail: rule:admin_api
|
|
os_compute_api:os-baremetal-nodes:discoverable: "@"
|
|
os_compute_api:os-baremetal-nodes: rule:admin_api
|
|
context_is_admin: role:admin
|
|
admin_or_owner: is_admin:True or project_id:%(project_id)s
|
|
admin_api: is_admin:True
|
|
network:attach_external_network: is_admin:True
|
|
os_compute_api:os-block-device-mapping:discoverable: "@"
|
|
os_compute_api:os-block-device-mapping-v1:discoverable: "@"
|
|
os_compute_api:os-cells:discoverable: "@"
|
|
os_compute_api:os-cells:update: rule:admin_api
|
|
os_compute_api:os-cells:create: rule:admin_api
|
|
os_compute_api:os-cells: rule:admin_api
|
|
os_compute_api:os-cells:sync_instances: rule:admin_api
|
|
os_compute_api:os-cells:delete: rule:admin_api
|
|
cells_scheduler_filter:DifferentCellFilter: is_admin:True
|
|
cells_scheduler_filter:TargetCellFilter: is_admin:True
|
|
os_compute_api:os-certificates:discoverable: "@"
|
|
os_compute_api:os-certificates:create: rule:admin_or_owner
|
|
os_compute_api:os-certificates:show: rule:admin_or_owner
|
|
os_compute_api:os-cloudpipe: rule:admin_api
|
|
os_compute_api:os-cloudpipe:discoverable: "@"
|
|
os_compute_api:os-config-drive:discoverable: "@"
|
|
os_compute_api:os-config-drive: rule:admin_or_owner
|
|
os_compute_api:os-console-auth-tokens:discoverable: "@"
|
|
os_compute_api:os-console-auth-tokens: rule:admin_api
|
|
os_compute_api:os-console-output:discoverable: "@"
|
|
os_compute_api:os-console-output: rule:admin_or_owner
|
|
os_compute_api:os-consoles:create: rule:admin_or_owner
|
|
os_compute_api:os-consoles:show: rule:admin_or_owner
|
|
os_compute_api:os-consoles:delete: rule:admin_or_owner
|
|
os_compute_api:os-consoles:discoverable: "@"
|
|
os_compute_api:os-consoles:index: rule:admin_or_owner
|
|
os_compute_api:os-create-backup:discoverable: "@"
|
|
os_compute_api:os-create-backup: rule:admin_or_owner
|
|
os_compute_api:os-deferred-delete:discoverable: "@"
|
|
os_compute_api:os-deferred-delete: rule:admin_or_owner
|
|
os_compute_api:os-evacuate:discoverable: "@"
|
|
os_compute_api:os-evacuate: rule:admin_api
|
|
os_compute_api:os-extended-availability-zone: rule:admin_or_owner
|
|
os_compute_api:os-extended-availability-zone:discoverable: "@"
|
|
os_compute_api:os-extended-server-attributes: rule:admin_api
|
|
os_compute_api:os-extended-server-attributes:discoverable: "@"
|
|
os_compute_api:os-extended-status:discoverable: "@"
|
|
os_compute_api:os-extended-status: rule:admin_or_owner
|
|
os_compute_api:os-extended-volumes: rule:admin_or_owner
|
|
os_compute_api:os-extended-volumes:discoverable: "@"
|
|
os_compute_api:extension_info:discoverable: "@"
|
|
os_compute_api:extensions: rule:admin_or_owner
|
|
os_compute_api:extensions:discoverable: "@"
|
|
os_compute_api:os-fixed-ips:discoverable: "@"
|
|
os_compute_api:os-fixed-ips: rule:admin_api
|
|
os_compute_api:os-flavor-access:add_tenant_access: rule:admin_api
|
|
os_compute_api:os-flavor-access:discoverable: "@"
|
|
os_compute_api:os-flavor-access:remove_tenant_access: rule:admin_api
|
|
os_compute_api:os-flavor-access: rule:admin_or_owner
|
|
os_compute_api:os-flavor-extra-specs:show: rule:admin_or_owner
|
|
os_compute_api:os-flavor-extra-specs:create: rule:admin_api
|
|
os_compute_api:os-flavor-extra-specs:discoverable: "@"
|
|
os_compute_api:os-flavor-extra-specs:update: rule:admin_api
|
|
os_compute_api:os-flavor-extra-specs:delete: rule:admin_api
|
|
os_compute_api:os-flavor-extra-specs:index: rule:admin_or_owner
|
|
os_compute_api:os-flavor-manage: rule:admin_api
|
|
os_compute_api:os-flavor-manage:discoverable: "@"
|
|
os_compute_api:os-flavor-rxtx: rule:admin_or_owner
|
|
os_compute_api:os-flavor-rxtx:discoverable: "@"
|
|
os_compute_api:flavors:discoverable: "@"
|
|
os_compute_api:flavors: rule:admin_or_owner
|
|
os_compute_api:os-floating-ip-dns: rule:admin_or_owner
|
|
os_compute_api:os-floating-ip-dns:domain:update: rule:admin_api
|
|
os_compute_api:os-floating-ip-dns:discoverable: "@"
|
|
os_compute_api:os-floating-ip-dns:domain:delete: rule:admin_api
|
|
os_compute_api:os-floating-ip-pools:discoverable: "@"
|
|
os_compute_api:os-floating-ip-pools: rule:admin_or_owner
|
|
os_compute_api:os-floating-ips: rule:admin_or_owner
|
|
os_compute_api:os-floating-ips:discoverable: "@"
|
|
os_compute_api:os-floating-ips-bulk:discoverable: "@"
|
|
os_compute_api:os-floating-ips-bulk: rule:admin_api
|
|
os_compute_api:os-fping:all_tenants: rule:admin_api
|
|
os_compute_api:os-fping:discoverable: "@"
|
|
os_compute_api:os-fping: rule:admin_or_owner
|
|
os_compute_api:os-hide-server-addresses:discoverable: "@"
|
|
os_compute_api:os-hide-server-addresses: is_admin:False
|
|
os_compute_api:os-hosts:discoverable: "@"
|
|
os_compute_api:os-hosts: rule:admin_api
|
|
os_compute_api:os-hypervisors:discoverable: "@"
|
|
os_compute_api:os-hypervisors: rule:admin_api
|
|
os_compute_api:image-metadata:discoverable: "@"
|
|
os_compute_api:image-size:discoverable: "@"
|
|
os_compute_api:image-size: rule:admin_or_owner
|
|
os_compute_api:images:discoverable: "@"
|
|
os_compute_api:os-instance-actions:events: rule:admin_api
|
|
os_compute_api:os-instance-actions: rule:admin_or_owner
|
|
os_compute_api:os-instance-actions:discoverable: "@"
|
|
os_compute_api:os-instance-usage-audit-log: rule:admin_api
|
|
os_compute_api:os-instance-usage-audit-log:discoverable: "@"
|
|
os_compute_api:ips:discoverable: "@"
|
|
os_compute_api:ips:show: rule:admin_or_owner
|
|
os_compute_api:ips:index: rule:admin_or_owner
|
|
os_compute_api:os-keypairs:discoverable: "@"
|
|
os_compute_api:os-keypairs:index: rule:admin_api or user_id:%(user_id)s
|
|
os_compute_api:os-keypairs:create: rule:admin_api or user_id:%(user_id)s
|
|
os_compute_api:os-keypairs:delete: rule:admin_api or user_id:%(user_id)s
|
|
os_compute_api:os-keypairs:show: rule:admin_api or user_id:%(user_id)s
|
|
os_compute_api:os-keypairs: rule:admin_or_owner
|
|
os_compute_api:limits:discoverable: "@"
|
|
os_compute_api:limits: rule:admin_or_owner
|
|
os_compute_api:os-lock-server:discoverable: "@"
|
|
os_compute_api:os-lock-server:lock: rule:admin_or_owner
|
|
os_compute_api:os-lock-server:unlock:unlock_override: rule:admin_api
|
|
os_compute_api:os-lock-server:unlock: rule:admin_or_owner
|
|
os_compute_api:os-migrate-server:migrate: rule:admin_api
|
|
os_compute_api:os-migrate-server:discoverable: "@"
|
|
os_compute_api:os-migrate-server:migrate_live: rule:admin_api
|
|
os_compute_api:os-migrations:index: rule:admin_api
|
|
os_compute_api:os-migrations:discoverable: "@"
|
|
os_compute_api:os-multinic: rule:admin_or_owner
|
|
os_compute_api:os-multinic:discoverable: "@"
|
|
os_compute_api:os-multiple-create:discoverable: "@"
|
|
os_compute_api:os-networks:discoverable: "@"
|
|
os_compute_api:os-networks: rule:admin_api
|
|
os_compute_api:os-networks:view: rule:admin_or_owner
|
|
os_compute_api:os-networks-associate: rule:admin_api
|
|
os_compute_api:os-networks-associate:discoverable: "@"
|
|
os_compute_api:os-pause-server:unpause: rule:admin_or_owner
|
|
os_compute_api:os-pause-server:discoverable: "@"
|
|
os_compute_api:os-pause-server:pause: rule:admin_or_owner
|
|
os_compute_api:os-pci:index: rule:admin_api
|
|
os_compute_api:os-pci:detail: rule:admin_api
|
|
os_compute_api:os-pci:pci_servers: rule:admin_or_owner
|
|
os_compute_api:os-pci:show: rule:admin_api
|
|
os_compute_api:os-pci:discoverable: "@"
|
|
os_compute_api:os-quota-class-sets:show: is_admin:True or quota_class:%(quota_class)s
|
|
os_compute_api:os-quota-class-sets:discoverable: "@"
|
|
os_compute_api:os-quota-class-sets:update: rule:admin_api
|
|
os_compute_api:os-quota-sets:update: rule:admin_api
|
|
os_compute_api:os-quota-sets:defaults: "@"
|
|
os_compute_api:os-quota-sets:show: rule:admin_or_owner
|
|
os_compute_api:os-quota-sets:delete: rule:admin_api
|
|
os_compute_api:os-quota-sets:discoverable: "@"
|
|
os_compute_api:os-quota-sets:detail: rule:admin_api
|
|
os_compute_api:os-remote-consoles: rule:admin_or_owner
|
|
os_compute_api:os-remote-consoles:discoverable: "@"
|
|
os_compute_api:os-rescue:discoverable: "@"
|
|
os_compute_api:os-rescue: rule:admin_or_owner
|
|
os_compute_api:os-scheduler-hints:discoverable: "@"
|
|
os_compute_api:os-security-group-default-rules:discoverable: "@"
|
|
os_compute_api:os-security-group-default-rules: rule:admin_api
|
|
os_compute_api:os-security-groups: rule:admin_or_owner
|
|
os_compute_api:os-security-groups:discoverable: "@"
|
|
os_compute_api:os-server-diagnostics: rule:admin_api
|
|
os_compute_api:os-server-diagnostics:discoverable: "@"
|
|
os_compute_api:os-server-external-events:create: rule:admin_api
|
|
os_compute_api:os-server-external-events:discoverable: "@"
|
|
os_compute_api:os-server-groups:discoverable: "@"
|
|
os_compute_api:os-server-groups: rule:admin_or_owner
|
|
os_compute_api:server-metadata:index: rule:admin_or_owner
|
|
os_compute_api:server-metadata:show: rule:admin_or_owner
|
|
os_compute_api:server-metadata:create: rule:admin_or_owner
|
|
os_compute_api:server-metadata:discoverable: "@"
|
|
os_compute_api:server-metadata:update_all: rule:admin_or_owner
|
|
os_compute_api:server-metadata:delete: rule:admin_or_owner
|
|
os_compute_api:server-metadata:update: rule:admin_or_owner
|
|
os_compute_api:os-server-password: rule:admin_or_owner
|
|
os_compute_api:os-server-password:discoverable: "@"
|
|
os_compute_api:os-server-tags:delete_all: "@"
|
|
os_compute_api:os-server-tags:index: "@"
|
|
os_compute_api:os-server-tags:update_all: "@"
|
|
os_compute_api:os-server-tags:delete: "@"
|
|
os_compute_api:os-server-tags:update: "@"
|
|
os_compute_api:os-server-tags:show: "@"
|
|
os_compute_api:os-server-tags:discoverable: "@"
|
|
os_compute_api:os-server-usage: rule:admin_or_owner
|
|
os_compute_api:os-server-usage:discoverable: "@"
|
|
os_compute_api:servers:index: rule:admin_or_owner
|
|
os_compute_api:servers:detail: rule:admin_or_owner
|
|
os_compute_api:servers:detail:get_all_tenants: rule:admin_api
|
|
os_compute_api:servers:index:get_all_tenants: rule:admin_api
|
|
os_compute_api:servers:show: rule:admin_or_owner
|
|
os_compute_api:servers:show:host_status: rule:admin_api
|
|
os_compute_api:servers:create: rule:admin_or_owner
|
|
os_compute_api:servers:create:forced_host: rule:admin_api
|
|
os_compute_api:servers:create:attach_volume: rule:admin_or_owner
|
|
os_compute_api:servers:create:attach_network: rule:admin_or_owner
|
|
os_compute_api:servers:delete: rule:admin_or_owner
|
|
os_compute_api:servers:update: rule:admin_or_owner
|
|
os_compute_api:servers:confirm_resize: rule:admin_or_owner
|
|
os_compute_api:servers:revert_resize: rule:admin_or_owner
|
|
os_compute_api:servers:reboot: rule:admin_or_owner
|
|
os_compute_api:servers:resize: rule:admin_or_owner
|
|
os_compute_api:servers:rebuild: rule:admin_or_owner
|
|
os_compute_api:servers:create_image: rule:admin_or_owner
|
|
os_compute_api:servers:create_image:allow_volume_backed: rule:admin_or_owner
|
|
os_compute_api:servers:start: rule:admin_or_owner
|
|
os_compute_api:servers:stop: rule:admin_or_owner
|
|
os_compute_api:servers:trigger_crash_dump: rule:admin_or_owner
|
|
os_compute_api:servers:discoverable: "@"
|
|
os_compute_api:servers:migrations:show: rule:admin_api
|
|
os_compute_api:servers:migrations:force_complete: rule:admin_api
|
|
os_compute_api:servers:migrations:delete: rule:admin_api
|
|
os_compute_api:servers:migrations:index: rule:admin_api
|
|
os_compute_api:server-migrations:discoverable: "@"
|
|
os_compute_api:os-services: rule:admin_api
|
|
os_compute_api:os-services:discoverable: "@"
|
|
os_compute_api:os-shelve:shelve: rule:admin_or_owner
|
|
os_compute_api:os-shelve:unshelve: rule:admin_or_owner
|
|
os_compute_api:os-shelve:shelve_offload: rule:admin_api
|
|
os_compute_api:os-shelve:discoverable: "@"
|
|
os_compute_api:os-simple-tenant-usage:show: rule:admin_or_owner
|
|
os_compute_api:os-simple-tenant-usage:list: rule:admin_api
|
|
os_compute_api:os-simple-tenant-usage:discoverable: "@"
|
|
os_compute_api:os-suspend-server:resume: rule:admin_or_owner
|
|
os_compute_api:os-suspend-server:suspend: rule:admin_or_owner
|
|
os_compute_api:os-suspend-server:discoverable: "@"
|
|
os_compute_api:os-tenant-networks: rule:admin_or_owner
|
|
os_compute_api:os-tenant-networks:discoverable: "@"
|
|
os_compute_api:os-used-limits:discoverable: "@"
|
|
os_compute_api:os-used-limits: rule:admin_api
|
|
os_compute_api:os-user-data:discoverable: "@"
|
|
os_compute_api:versions:discoverable: "@"
|
|
os_compute_api:os-virtual-interfaces:discoverable: "@"
|
|
os_compute_api:os-virtual-interfaces: rule:admin_or_owner
|
|
os_compute_api:os-volumes:discoverable: "@"
|
|
os_compute_api:os-volumes: rule:admin_or_owner
|
|
os_compute_api:os-volumes-attachments:index: rule:admin_or_owner
|
|
os_compute_api:os-volumes-attachments:create: rule:admin_or_owner
|
|
os_compute_api:os-volumes-attachments:show: rule:admin_or_owner
|
|
os_compute_api:os-volumes-attachments:discoverable: "@"
|
|
os_compute_api:os-volumes-attachments:update: rule:admin_api
|
|
os_compute_api:os-volumes-attachments:delete: rule:admin_or_owner
|
|
nova_sudoers: |
|
|
# This sudoers file supports rootwrap for both Kolla and LOCI Images.
|
|
Defaults !requiretty
|
|
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
|
|
nova ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/nova-rootwrap /etc/nova/rootwrap.conf *, /var/lib/openstack/bin/nova-rootwrap /etc/nova/rootwrap.conf *
|
|
rootwrap: |
|
|
# Configuration for nova-rootwrap
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
[DEFAULT]
|
|
# List of directories to load filter definitions from (separated by ',').
|
|
# These directories MUST all be only writeable by root !
|
|
filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
|
|
|
|
# List of directories to search executables in, in case filters do not
|
|
# explicitely specify a full path (separated by ',')
|
|
# If not specified, defaults to system PATH environment variable.
|
|
# These directories MUST all be only writeable by root !
|
|
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
|
|
|
|
# Enable logging to syslog
|
|
# Default value is False
|
|
use_syslog=False
|
|
|
|
# Which syslog facility to use.
|
|
# Valid values include auth, authpriv, syslog, local0, local1...
|
|
# Default value is 'syslog'
|
|
syslog_log_facility=syslog
|
|
|
|
# Which messages to log.
|
|
# INFO means log all usage
|
|
# ERROR means only log unsuccessful attempts
|
|
syslog_log_level=ERROR
|
|
wsgi_placement: |
|
|
Listen 0.0.0.0:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
|
|
|
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
|
|
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
|
|
|
|
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
|
|
CustomLog /dev/stdout combined env=!forwarded
|
|
CustomLog /dev/stdout proxy env=forwarded
|
|
|
|
<VirtualHost *:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
|
|
WSGIDaemonProcess placement-api processes=1 threads=4 user=nova group=nova display-name=%{GROUP}
|
|
WSGIProcessGroup placement-api
|
|
WSGIScriptAlias / /var/www/cgi-bin/nova/nova-placement-api
|
|
WSGIApplicationGroup %{GLOBAL}
|
|
WSGIPassAuthorization On
|
|
<IfVersion >= 2.4>
|
|
ErrorLogFormat "%{cu}t %M"
|
|
</IfVersion>
|
|
ErrorLog /dev/stdout
|
|
|
|
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
|
|
CustomLog /dev/stdout combined env=!forwarded
|
|
CustomLog /dev/stdout proxy env=forwarded
|
|
</VirtualHost>
|
|
|
|
Alias /placement /var/www/cgi-bin/nova/nova-placement-api
|
|
<Location /placement>
|
|
SetHandler wsgi-script
|
|
Options +ExecCGI
|
|
|
|
WSGIProcessGroup placement-api
|
|
WSGIApplicationGroup %{GLOBAL}
|
|
WSGIPassAuthorization On
|
|
</Location>
|
|
rootwrap_filters:
|
|
api_metadata:
|
|
pods:
|
|
- metadata
|
|
content: |
|
|
# nova-rootwrap command filters for api-metadata nodes
|
|
# This is needed on nova-api hosts running with "metadata" in enabled_apis
|
|
# or when running nova-api-metadata
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
[Filters]
|
|
# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
|
|
iptables-save: CommandFilter, iptables-save, root
|
|
ip6tables-save: CommandFilter, ip6tables-save, root
|
|
|
|
# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
|
|
iptables-restore: CommandFilter, iptables-restore, root
|
|
ip6tables-restore: CommandFilter, ip6tables-restore, root
|
|
compute:
|
|
pods:
|
|
- compute
|
|
content: |
|
|
# nova-rootwrap command filters for compute nodes
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
[Filters]
|
|
# nova/virt/disk/mount/api.py: 'kpartx', '-a', device
|
|
# nova/virt/disk/mount/api.py: 'kpartx', '-d', device
|
|
kpartx: CommandFilter, kpartx, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py: tune2fs, -O ^has_journal, part_path
|
|
# nova/virt/xenapi/vm_utils.py: tune2fs, -j, partition_path
|
|
tune2fs: CommandFilter, tune2fs, root
|
|
|
|
# nova/virt/disk/mount/api.py: 'mount', mapped_device
|
|
# nova/virt/disk/api.py: 'mount', '-o', 'bind', src, target
|
|
# nova/virt/xenapi/vm_utils.py: 'mount', '-t', 'ext2,ext3,ext4,reiserfs'..
|
|
# nova/virt/configdrive.py: 'mount', device, mountdir
|
|
# nova/virt/libvirt/volume.py: 'mount', '-t', 'sofs' ...
|
|
mount: CommandFilter, mount, root
|
|
|
|
# nova/virt/disk/mount/api.py: 'umount', mapped_device
|
|
# nova/virt/disk/api.py: 'umount' target
|
|
# nova/virt/xenapi/vm_utils.py: 'umount', dev_path
|
|
# nova/virt/configdrive.py: 'umount', mountdir
|
|
umount: CommandFilter, umount, root
|
|
|
|
# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-c', device, image
|
|
# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-d', device
|
|
qemu-nbd: CommandFilter, qemu-nbd, root
|
|
|
|
# nova/virt/disk/mount/loop.py: 'losetup', '--find', '--show', image
|
|
# nova/virt/disk/mount/loop.py: 'losetup', '--detach', device
|
|
losetup: CommandFilter, losetup, root
|
|
|
|
# nova/virt/disk/vfs/localfs.py: 'blkid', '-o', 'value', '-s', 'TYPE', device
|
|
blkid: CommandFilter, blkid, root
|
|
|
|
# nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path
|
|
# nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device
|
|
blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.*
|
|
|
|
# nova/virt/disk/vfs/localfs.py: 'tee', canonpath
|
|
tee: CommandFilter, tee, root
|
|
|
|
# nova/virt/disk/vfs/localfs.py: 'mkdir', canonpath
|
|
mkdir: CommandFilter, mkdir, root
|
|
|
|
# nova/virt/disk/vfs/localfs.py: 'chown'
|
|
# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
|
|
# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
|
|
# nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk')
|
|
chown: CommandFilter, chown, root
|
|
|
|
# nova/virt/disk/vfs/localfs.py: 'chmod'
|
|
chmod: CommandFilter, chmod, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
|
|
# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
|
|
# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
|
|
# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
|
|
# nova/network/linux_net.py: 'ip', 'route', 'add', ..
|
|
# nova/network/linux_net.py: 'ip', 'route', 'del', .
|
|
# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
|
|
ip: CommandFilter, ip, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev
|
|
# nova/network/linux_net.py: 'tunctl', '-b', '-t', dev
|
|
tunctl: CommandFilter, tunctl, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
|
|
# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
|
|
# nova/network/linux_net.py: 'ovs-vsctl', ....
|
|
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'vrouter-port-control', ...
|
|
vrouter-port-control: CommandFilter, vrouter-port-control, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'ebrctl', ...
|
|
ebrctl: CommandFilter, ebrctl, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'mm-ctl', ...
|
|
mm-ctl: CommandFilter, mm-ctl, root
|
|
|
|
# nova/network/linux_net.py: 'ovs-ofctl', ....
|
|
ovs-ofctl: CommandFilter, ovs-ofctl, root
|
|
|
|
# nova/virt/libvirt/connection.py: 'dd', if=%s % virsh_output, ...
|
|
dd: CommandFilter, dd, root
|
|
|
|
# nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ...
|
|
iscsiadm: CommandFilter, iscsiadm, root
|
|
|
|
# nova/virt/libvirt/volume/aoe.py: 'aoe-revalidate', aoedev
|
|
# nova/virt/libvirt/volume/aoe.py: 'aoe-discover'
|
|
aoe-revalidate: CommandFilter, aoe-revalidate, root
|
|
aoe-discover: CommandFilter, aoe-discover, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py: parted, --script, ...
|
|
# nova/virt/xenapi/vm_utils.py: 'parted', '--script', dev_path, ..*.
|
|
parted: CommandFilter, parted, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path
|
|
pygrub: CommandFilter, pygrub, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s
|
|
fdisk: CommandFilter, fdisk, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path
|
|
# nova/virt/disk/api.py: e2fsck, -f, -p, image
|
|
e2fsck: CommandFilter, e2fsck, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py: resize2fs, partition_path
|
|
# nova/virt/disk/api.py: resize2fs, image
|
|
resize2fs: CommandFilter, resize2fs, root
|
|
|
|
# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
|
|
iptables-save: CommandFilter, iptables-save, root
|
|
ip6tables-save: CommandFilter, ip6tables-save, root
|
|
|
|
# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
|
|
iptables-restore: CommandFilter, iptables-restore, root
|
|
ip6tables-restore: CommandFilter, ip6tables-restore, root
|
|
|
|
# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
|
|
# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
|
|
arping: CommandFilter, arping, root
|
|
|
|
# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
|
|
dhcp_release: CommandFilter, dhcp_release, root
|
|
|
|
# nova/network/linux_net.py: 'kill', '-9', pid
|
|
# nova/network/linux_net.py: 'kill', '-HUP', pid
|
|
kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
|
|
|
|
# nova/network/linux_net.py: 'kill', pid
|
|
kill_radvd: KillFilter, root, /usr/sbin/radvd
|
|
|
|
# nova/network/linux_net.py: dnsmasq call
|
|
dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
|
|
|
|
# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
|
|
radvd: CommandFilter, radvd, root
|
|
|
|
# nova/network/linux_net.py: 'brctl', 'addbr', bridge
|
|
# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
|
|
# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
|
|
# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
|
|
brctl: CommandFilter, brctl, root
|
|
|
|
# nova/virt/libvirt/utils.py: 'mkswap'
|
|
# nova/virt/xenapi/vm_utils.py: 'mkswap'
|
|
mkswap: CommandFilter, mkswap, root
|
|
|
|
# nova/virt/libvirt/utils.py: 'nova-idmapshift'
|
|
nova-idmapshift: CommandFilter, nova-idmapshift, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py: 'mkfs'
|
|
# nova/utils.py: 'mkfs', fs, path, label
|
|
mkfs: CommandFilter, mkfs, root
|
|
|
|
# nova/virt/libvirt/utils.py: 'qemu-img'
|
|
qemu-img: CommandFilter, qemu-img, root
|
|
|
|
# nova/virt/disk/vfs/localfs.py: 'readlink', '-e'
|
|
readlink: CommandFilter, readlink, root
|
|
|
|
# nova/virt/disk/api.py:
|
|
mkfs.ext3: CommandFilter, mkfs.ext3, root
|
|
mkfs.ext4: CommandFilter, mkfs.ext4, root
|
|
mkfs.ntfs: CommandFilter, mkfs.ntfs, root
|
|
|
|
# nova/virt/libvirt/connection.py:
|
|
lvremove: CommandFilter, lvremove, root
|
|
|
|
# nova/virt/libvirt/utils.py:
|
|
lvcreate: CommandFilter, lvcreate, root
|
|
|
|
# nova/virt/libvirt/utils.py:
|
|
lvs: CommandFilter, lvs, root
|
|
|
|
# nova/virt/libvirt/utils.py:
|
|
vgs: CommandFilter, vgs, root
|
|
|
|
# nova/utils.py:read_file_as_root: 'cat', file_path
|
|
# (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file)
|
|
read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd
|
|
read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow
|
|
|
|
# os-brick needed commands
|
|
read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
|
|
multipath: CommandFilter, multipath, root
|
|
# multipathd show status
|
|
multipathd: CommandFilter, multipathd, root
|
|
systool: CommandFilter, systool, root
|
|
vgc-cluster: CommandFilter, vgc-cluster, root
|
|
# os_brick/initiator/connector.py
|
|
drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
|
|
|
|
# TODO(smcginnis) Temporary fix.
|
|
# Need to pull in os-brick os-brick.filters file instead and clean
|
|
# out stale brick values from this file.
|
|
scsi_id: CommandFilter, /lib/udev/scsi_id, root
|
|
# os_brick.privileged.default oslo.privsep context
|
|
# This line ties the superuser privs with the config files, context name,
|
|
# and (implicitly) the actual python code invoked.
|
|
privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
|
|
|
|
# nova/storage/linuxscsi.py: sg_scan device
|
|
sg_scan: CommandFilter, sg_scan, root
|
|
|
|
# nova/volume/encryptors/cryptsetup.py:
|
|
# nova/volume/encryptors/luks.py:
|
|
ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/crypt-.+, .+
|
|
|
|
# nova/volume/encryptors.py:
|
|
# nova/virt/libvirt/dmcrypt.py:
|
|
cryptsetup: CommandFilter, cryptsetup, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py:
|
|
xenstore-read: CommandFilter, xenstore-read, root
|
|
|
|
# nova/virt/libvirt/utils.py:
|
|
rbd: CommandFilter, rbd, root
|
|
|
|
# nova/virt/libvirt/utils.py: 'shred', '-n3', '-s%d' % volume_size, path
|
|
shred: CommandFilter, shred, root
|
|
|
|
# nova/virt/libvirt/volume.py: 'cp', '/dev/stdin', delete_control..
|
|
cp: CommandFilter, cp, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py:
|
|
sync: CommandFilter, sync, root
|
|
|
|
# nova/virt/libvirt/imagebackend.py:
|
|
ploop: RegExpFilter, ploop, root, ploop, restore-descriptor, .*
|
|
prl_disk_tool: RegExpFilter, prl_disk_tool, root, prl_disk_tool, resize, --size, .*M$, --resize_partition, --hdd, .*
|
|
|
|
# nova/virt/libvirt/utils.py: 'xend', 'status'
|
|
xend: CommandFilter, xend, root
|
|
|
|
# nova/virt/libvirt/utils.py:
|
|
touch: CommandFilter, touch, root
|
|
|
|
# nova/virt/libvirt/volume/vzstorage.py
|
|
pstorage-mount: CommandFilter, pstorage-mount, root
|
|
network:
|
|
pods:
|
|
- compute
|
|
content: |
|
|
# nova-rootwrap command filters for network nodes
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
[Filters]
|
|
# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
|
|
# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
|
|
# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
|
|
# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
|
|
# nova/network/linux_net.py: 'ip', 'route', 'add', ..
|
|
# nova/network/linux_net.py: 'ip', 'route', 'del', .
|
|
# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
|
|
ip: CommandFilter, ip, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
|
|
# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
|
|
# nova/network/linux_net.py: 'ovs-vsctl', ....
|
|
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
|
|
|
# nova/network/linux_net.py: 'ovs-ofctl', ....
|
|
ovs-ofctl: CommandFilter, ovs-ofctl, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'ivs-ctl', ...
|
|
# nova/virt/libvirt/vif.py: 'ivs-ctl', 'del-port', ...
|
|
# nova/network/linux_net.py: 'ivs-ctl', ....
|
|
ivs-ctl: CommandFilter, ivs-ctl, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'ifc_ctl', ...
|
|
ifc_ctl: CommandFilter, /opt/pg/bin/ifc_ctl, root
|
|
|
|
# nova/network/linux_net.py: 'ebtables', '-D' ...
|
|
# nova/network/linux_net.py: 'ebtables', '-I' ...
|
|
ebtables: CommandFilter, ebtables, root
|
|
ebtables_usr: CommandFilter, ebtables, root
|
|
|
|
# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
|
|
iptables-save: CommandFilter, iptables-save, root
|
|
ip6tables-save: CommandFilter, ip6tables-save, root
|
|
|
|
# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
|
|
iptables-restore: CommandFilter, iptables-restore, root
|
|
ip6tables-restore: CommandFilter, ip6tables-restore, root
|
|
|
|
# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
|
|
# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
|
|
arping: CommandFilter, arping, root
|
|
|
|
# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
|
|
dhcp_release: CommandFilter, dhcp_release, root
|
|
|
|
# nova/network/linux_net.py: 'kill', '-9', pid
|
|
# nova/network/linux_net.py: 'kill', '-HUP', pid
|
|
kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
|
|
|
|
# nova/network/linux_net.py: 'kill', pid
|
|
kill_radvd: KillFilter, root, /usr/sbin/radvd
|
|
|
|
# nova/network/linux_net.py: dnsmasq call
|
|
dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
|
|
|
|
# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
|
|
radvd: CommandFilter, radvd, root
|
|
|
|
# nova/network/linux_net.py: 'brctl', 'addbr', bridge
|
|
# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
|
|
# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
|
|
# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
|
|
brctl: CommandFilter, brctl, root
|
|
|
|
# nova/network/linux_net.py: 'sysctl', ....
|
|
sysctl: CommandFilter, sysctl, root
|
|
|
|
# nova/network/linux_net.py: 'conntrack'
|
|
conntrack: CommandFilter, conntrack, root
|
|
|
|
# nova/network/linux_net.py: 'fp-vdev'
|
|
fp-vdev: CommandFilter, fp-vdev, root
|
|
nova_ironic:
|
|
DEFAULT:
|
|
scheduler_host_manager: ironic_host_manager
|
|
compute_driver: ironic.IronicDriver
|
|
libvirt:
|
|
# Get the IP address to be used as the target for live migration traffic using interface name.
|
|
# If this option is set to None, the hostname of the migration target compute node will be used.
|
|
live_migration_interface:
|
|
nova:
|
|
DEFAULT:
|
|
log_config_append: /etc/nova/logging.conf
|
|
default_ephemeral_format: ext4
|
|
ram_allocation_ratio: 1.0
|
|
disk_allocation_ratio: 1.0
|
|
cpu_allocation_ratio: 3.0
|
|
state_path: /var/lib/nova
|
|
osapi_compute_listen: 0.0.0.0
|
|
# NOTE(portdirect): the bind port should not be defined, and is manipulated
|
|
# via the endpoints section.
|
|
osapi_compute_listen_port: null
|
|
osapi_compute_workers: 1
|
|
metadata_workers: 1
|
|
use_neutron: true
|
|
firewall_driver: nova.virt.firewall.NoopFirewallDriver
|
|
linuxnet_interface_driver: openvswitch
|
|
allow_resize_to_same_host: true
|
|
compute_driver: libvirt.LibvirtDriver
|
|
my_ip: 0.0.0.0
|
|
instance_usage_audit: True
|
|
instance_usage_audit_period: hour
|
|
notify_on_state_change: vm_and_task_state
|
|
resume_guests_state_on_host_boot: True
|
|
vnc:
|
|
novncproxy_host: 0.0.0.0
|
|
vncserver_listen: 0.0.0.0
|
|
# This would be set by each compute nodes's ip
|
|
# vncserver_proxyclient_address: 127.0.0.1
|
|
spice:
|
|
html5proxy_host: 0.0.0.0
|
|
server_listen: 0.0.0.0
|
|
# This would be set by each compute nodes's ip
|
|
# server_proxyclient_address: 127.0.0.1
|
|
conductor:
|
|
workers: 1
|
|
oslo_policy:
|
|
policy_file: /etc/nova/policy.yaml
|
|
oslo_concurrency:
|
|
lock_path: /var/lib/nova/tmp
|
|
oslo_middleware:
|
|
enable_proxy_headers_parsing: true
|
|
glance:
|
|
num_retries: 3
|
|
ironic:
|
|
api_endpoint: null
|
|
auth_url: null
|
|
neutron:
|
|
metadata_proxy_shared_secret: "password"
|
|
service_metadata_proxy: True
|
|
auth_type: password
|
|
auth_version: v3
|
|
database:
|
|
max_retries: -1
|
|
api_database:
|
|
max_retries: -1
|
|
cell0_database:
|
|
max_retries: -1
|
|
keystone_authtoken:
|
|
auth_type: password
|
|
auth_version: v3
|
|
memcache_security_strategy: ENCRYPT
|
|
libvirt:
|
|
connection_uri: "qemu+tcp://127.0.0.1/system"
|
|
images_type: qcow2
|
|
images_rbd_pool: vms
|
|
images_rbd_ceph_conf: /etc/ceph/ceph.conf
|
|
rbd_user: cinder
|
|
rbd_secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
|
|
disk_cachemodes: "network=writeback"
|
|
hw_disk_discard: unmap
|
|
upgrade_levels:
|
|
compute: auto
|
|
cache:
|
|
enabled: true
|
|
backend: oslo_cache.memcache_pool
|
|
wsgi:
|
|
api_paste_config: /etc/nova/api-paste.ini
|
|
oslo_messaging_notifications:
|
|
driver: messagingv2
|
|
placement:
|
|
auth_type: password
|
|
auth_version: v3
|
|
logging:
|
|
loggers:
|
|
keys:
|
|
- root
|
|
- nova
|
|
handlers:
|
|
keys:
|
|
- stdout
|
|
- stderr
|
|
- "null"
|
|
formatters:
|
|
keys:
|
|
- context
|
|
- default
|
|
logger_root:
|
|
level: WARNING
|
|
handlers: 'null'
|
|
logger_nova:
|
|
level: INFO
|
|
handlers:
|
|
- stdout
|
|
qualname: nova
|
|
logger_amqp:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: amqp
|
|
logger_amqplib:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: amqplib
|
|
logger_eventletwsgi:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: eventlet.wsgi.server
|
|
logger_sqlalchemy:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: sqlalchemy
|
|
logger_boto:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: boto
|
|
handler_null:
|
|
class: logging.NullHandler
|
|
formatter: default
|
|
args: ()
|
|
handler_stdout:
|
|
class: StreamHandler
|
|
args: (sys.stdout,)
|
|
formatter: context
|
|
handler_stderr:
|
|
class: StreamHandler
|
|
args: (sys.stderr,)
|
|
formatter: context
|
|
formatter_context:
|
|
class: oslo_log.formatters.ContextFormatter
|
|
formatter_default:
|
|
format: "%(message)s"
|
|
rabbitmq:
|
|
#NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
|
|
policies:
|
|
- vhost: "nova"
|
|
name: "ha_ttl_nova"
|
|
definition:
|
|
#mirror messges to other nodes in rmq cluster
|
|
ha-mode: "all"
|
|
ha-sync-mode: "automatic"
|
|
#70s
|
|
message-ttl: 70000
|
|
priority: 0
|
|
apply-to: all
|
|
pattern: '(notifications)\.'
|
|
|
|
# Names of secrets used by bootstrap and environmental checks
|
|
secrets:
|
|
identity:
|
|
admin: nova-keystone-admin
|
|
nova: nova-keystone-user
|
|
placement: nova-keystone-placement
|
|
test: nova-keystone-test
|
|
oslo_db:
|
|
admin: nova-db-admin
|
|
nova: nova-db-user
|
|
oslo_db_api:
|
|
admin: nova-db-api-admin
|
|
nova: nova-db-api-user
|
|
oslo_db_cell0:
|
|
admin: nova-db-api-admin
|
|
nova: nova-db-api-user
|
|
oslo_messaging:
|
|
admin: nova-rabbitmq-admin
|
|
nova: nova-rabbitmq-user
|
|
tls:
|
|
compute:
|
|
osapi:
|
|
public: nova-tls-public
|
|
compute_novnc_proxy:
|
|
novncproxy:
|
|
public: nova-novncproxy-tls-public
|
|
placement:
|
|
placement:
|
|
public: placement-tls-public
|
|
|
|
# typically overridden by environmental
|
|
# values, but should include all endpoints
|
|
# required by this chart
|
|
endpoints:
|
|
cluster_domain_suffix: cluster.local
|
|
local_image_registry:
|
|
name: docker-registry
|
|
namespace: docker-registry
|
|
hosts:
|
|
default: localhost
|
|
internal: docker-registry
|
|
node: localhost
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
registry:
|
|
node: 5000
|
|
oslo_db:
|
|
auth:
|
|
admin:
|
|
username: root
|
|
password: password
|
|
nova:
|
|
username: nova
|
|
password: password
|
|
hosts:
|
|
default: mariadb
|
|
host_fqdn_override:
|
|
default: null
|
|
path: /nova
|
|
scheme: mysql+pymysql
|
|
port:
|
|
mysql:
|
|
default: 3306
|
|
oslo_db_api:
|
|
auth:
|
|
admin:
|
|
username: root
|
|
password: password
|
|
nova:
|
|
username: nova
|
|
password: password
|
|
hosts:
|
|
default: mariadb
|
|
host_fqdn_override:
|
|
default: null
|
|
path: /nova_api
|
|
scheme: mysql+pymysql
|
|
port:
|
|
mysql:
|
|
default: 3306
|
|
oslo_db_cell0:
|
|
auth:
|
|
admin:
|
|
username: root
|
|
password: password
|
|
nova:
|
|
username: nova
|
|
password: password
|
|
hosts:
|
|
default: mariadb
|
|
host_fqdn_override:
|
|
default: null
|
|
path: /nova_cell0
|
|
scheme: mysql+pymysql
|
|
port:
|
|
mysql:
|
|
default: 3306
|
|
oslo_messaging:
|
|
auth:
|
|
admin:
|
|
username: rabbitmq
|
|
password: password
|
|
nova:
|
|
username: nova
|
|
password: password
|
|
hosts:
|
|
default: rabbitmq
|
|
host_fqdn_override:
|
|
default: null
|
|
path: /nova
|
|
scheme: rabbit
|
|
port:
|
|
amqp:
|
|
default: 5672
|
|
http:
|
|
default: 15672
|
|
oslo_cache:
|
|
auth:
|
|
# NOTE(portdirect): this is used to define the value for keystone
|
|
# authtoken cache encryption key, if not set it will be populated
|
|
# automatically with a random value, but to take advantage of
|
|
# this feature all services should be set to use the same key,
|
|
# and memcache service.
|
|
memcache_secret_key: null
|
|
hosts:
|
|
default: memcached
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
memcache:
|
|
default: 11211
|
|
identity:
|
|
name: keystone
|
|
auth:
|
|
admin:
|
|
region_name: RegionOne
|
|
username: admin
|
|
password: password
|
|
project_name: admin
|
|
user_domain_name: default
|
|
project_domain_name: default
|
|
nova:
|
|
role: admin
|
|
region_name: RegionOne
|
|
username: nova
|
|
password: password
|
|
project_name: service
|
|
user_domain_name: service
|
|
project_domain_name: service
|
|
# NOTE(portdirect): the neutron user is not managed by the nova chart
|
|
# these values should match those set in the neutron chart.
|
|
neutron:
|
|
region_name: RegionOne
|
|
project_name: service
|
|
user_domain_name: service
|
|
project_domain_name: service
|
|
username: neutron
|
|
password: password
|
|
# NOTE(portdirect): the ironic user is not managed by the nova chart
|
|
# these values should match those set in the ironic chart.
|
|
ironic:
|
|
auth_type: password
|
|
auth_version: v3
|
|
region_name: RegionOne
|
|
project_name: service
|
|
user_domain_name: service
|
|
project_domain_name: service
|
|
username: ironic
|
|
password: password
|
|
placement:
|
|
role: admin
|
|
region_name: RegionOne
|
|
username: placement
|
|
password: password
|
|
project_name: service
|
|
user_domain_name: service
|
|
project_domain_name: service
|
|
test:
|
|
role: admin
|
|
region_name: RegionOne
|
|
username: test
|
|
password: password
|
|
project_name: test
|
|
user_domain_name: service
|
|
project_domain_name: service
|
|
hosts:
|
|
default: keystone
|
|
internal: keystone-api
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: /v3
|
|
scheme:
|
|
default: http
|
|
port:
|
|
api:
|
|
default: 80
|
|
internal: 5000
|
|
image:
|
|
name: glance
|
|
hosts:
|
|
default: glance-api
|
|
public: glance
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: null
|
|
scheme:
|
|
default: http
|
|
port:
|
|
api:
|
|
default: 9292
|
|
public: 80
|
|
compute:
|
|
name: nova
|
|
hosts:
|
|
default: nova-api
|
|
public: nova
|
|
host_fqdn_override:
|
|
default: null
|
|
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
|
|
# endpoints using the following format:
|
|
# public:
|
|
# host: null
|
|
# tls:
|
|
# crt: null
|
|
# key: null
|
|
path:
|
|
default: "/v2.1/%(tenant_id)s"
|
|
scheme:
|
|
default: 'http'
|
|
port:
|
|
api:
|
|
default: 8774
|
|
public: 80
|
|
novncproxy:
|
|
default: 6080
|
|
compute_metadata:
|
|
name: nova
|
|
ip:
|
|
# IF blank, set clusterIP and metadata_host dynamically
|
|
ingress: null
|
|
hosts:
|
|
default: nova-metadata
|
|
public: metadata
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: /
|
|
scheme:
|
|
default: 'http'
|
|
port:
|
|
metadata:
|
|
default: 8775
|
|
public: 80
|
|
compute_novnc_proxy:
|
|
name: nova
|
|
hosts:
|
|
default: nova-novncproxy
|
|
public: novncproxy
|
|
host_fqdn_override:
|
|
default: null
|
|
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
|
|
# endpoints using the following format:
|
|
# public:
|
|
# host: null
|
|
# tls:
|
|
# crt: null
|
|
# key: null
|
|
path:
|
|
default: /vnc_auto.html
|
|
scheme:
|
|
default: 'http'
|
|
port:
|
|
novnc_proxy:
|
|
default: 6080
|
|
public: 80
|
|
compute_spice_proxy:
|
|
name: nova
|
|
hosts:
|
|
default: nova-spiceproxy
|
|
public: placement
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: /spice_auto.html
|
|
scheme:
|
|
default: 'http'
|
|
port:
|
|
spice_proxy:
|
|
default: 6082
|
|
placement:
|
|
name: placement
|
|
hosts:
|
|
default: placement-api
|
|
public: placement
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: /
|
|
scheme:
|
|
default: 'http'
|
|
port:
|
|
api:
|
|
default: 8778
|
|
public: 80
|
|
network:
|
|
name: neutron
|
|
hosts:
|
|
default: neutron-server
|
|
public: neutron
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: null
|
|
scheme:
|
|
default: 'http'
|
|
port:
|
|
api:
|
|
default: 9696
|
|
public: 80
|
|
baremetal:
|
|
name: ironic
|
|
hosts:
|
|
default: ironic-api
|
|
public: ironic
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: null
|
|
scheme:
|
|
default: http
|
|
port:
|
|
api:
|
|
default: 6385
|
|
public: 80
|
|
fluentd:
|
|
namespace: null
|
|
name: fluentd
|
|
hosts:
|
|
default: fluentd-logging
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: null
|
|
scheme: 'http'
|
|
port:
|
|
service:
|
|
default: 24224
|
|
metrics:
|
|
default: 24220
|
|
|
|
pod:
|
|
user:
|
|
nova:
|
|
uid: 42424
|
|
affinity:
|
|
anti:
|
|
type:
|
|
default: preferredDuringSchedulingIgnoredDuringExecution
|
|
topologyKey:
|
|
default: kubernetes.io/hostname
|
|
mounts:
|
|
nova_compute:
|
|
init_container: null
|
|
nova_compute:
|
|
nova_compute_ironic:
|
|
init_container: null
|
|
nova_compute_ironic:
|
|
nova_api_metadata:
|
|
init_container: null
|
|
nova_api_metadata:
|
|
nova_placement:
|
|
init_container: null
|
|
nova_placement:
|
|
nova_api_osapi:
|
|
init_container: null
|
|
nova_api_osapi:
|
|
nova_consoleauth:
|
|
init_container: null
|
|
nova_consoleauth:
|
|
nova_conductor:
|
|
init_container: null
|
|
nova_conductor:
|
|
nova_scheduler:
|
|
init_container: null
|
|
nova_scheduler:
|
|
nova_bootstrap:
|
|
init_container: null
|
|
nova_bootstrap:
|
|
nova_tests:
|
|
init_container: null
|
|
nova_tests:
|
|
nova_novncproxy:
|
|
init_novncproxy: null
|
|
nova_novncproxy:
|
|
nova_spiceproxy:
|
|
init_spiceproxy: null
|
|
nova_spiceproxy:
|
|
replicas:
|
|
api_metadata: 1
|
|
compute_ironic: 1
|
|
placement: 1
|
|
osapi: 1
|
|
conductor: 1
|
|
consoleauth: 1
|
|
scheduler: 1
|
|
novncproxy: 1
|
|
spiceproxy: 1
|
|
lifecycle:
|
|
upgrades:
|
|
deployments:
|
|
revision_history: 3
|
|
pod_replacement_strategy: RollingUpdate
|
|
rolling_update:
|
|
max_unavailable: 1
|
|
max_surge: 3
|
|
daemonsets:
|
|
pod_replacement_strategy: RollingUpdate
|
|
compute:
|
|
enabled: true
|
|
min_ready_seconds: 0
|
|
max_unavailable: 1
|
|
disruption_budget:
|
|
metadata:
|
|
min_available: 0
|
|
placement:
|
|
min_available: 0
|
|
osapi:
|
|
min_available: 0
|
|
termination_grace_period:
|
|
metadata:
|
|
timeout: 30
|
|
placement:
|
|
timeout: 30
|
|
osapi:
|
|
timeout: 30
|
|
resources:
|
|
enabled: false
|
|
compute:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
compute_ironic:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
api_metadata:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
placement:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
api:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
conductor:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
consoleauth:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
scheduler:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ssh:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
novncproxy:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
spiceproxy:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
jobs:
|
|
bootstrap:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_init:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
rabbit_init:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_sync:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_drop:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ks_endpoints:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ks_service:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ks_user:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
tests:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
cell_setup:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
service_cleaner:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
image_repo_sync:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
|
|
manifests:
|
|
configmap_bin: true
|
|
configmap_etc: true
|
|
cron_job_cell_setup: true
|
|
cron_job_service_cleaner: true
|
|
daemonset_compute: true
|
|
deployment_api_metadata: true
|
|
deployment_api_osapi: true
|
|
deployment_placement: true
|
|
deployment_conductor: true
|
|
deployment_consoleauth: true
|
|
deployment_novncproxy: true
|
|
deployment_spiceproxy: true
|
|
deployment_scheduler: true
|
|
ingress_metadata: true
|
|
ingress_novncproxy: true
|
|
ingress_placement: true
|
|
ingress_osapi: true
|
|
job_bootstrap: true
|
|
job_db_init: true
|
|
job_db_init_placement: true
|
|
job_db_sync: true
|
|
job_db_drop: false
|
|
job_image_repo_sync: true
|
|
job_rabbit_init: true
|
|
job_ks_endpoints: true
|
|
job_ks_service: true
|
|
job_ks_user: true
|
|
job_ks_placement_endpoints: true
|
|
job_ks_placement_service: true
|
|
job_ks_placement_user: true
|
|
job_cell_setup: true
|
|
pdb_metadata: true
|
|
pdb_placement: true
|
|
pdb_osapi: true
|
|
pod_rally_test: true
|
|
secret_db_api: true
|
|
secret_db: true
|
|
secret_ingress_tls: true
|
|
secret_keystone: true
|
|
secret_keystone_placement: true
|
|
secret_rabbitmq: true
|
|
service_ingress_metadata: true
|
|
service_ingress_novncproxy: true
|
|
service_ingress_placement: true
|
|
service_ingress_osapi: true
|
|
service_metadata: true
|
|
service_placement: true
|
|
service_novncproxy: true
|
|
service_spiceproxy: true
|
|
service_osapi: true
|
|
statefulset_compute_ironic: false
|