1568 lines
46 KiB
XML
1568 lines
46 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<chapter version="5.0" xml:id="ch_configuring-openstack-compute"
|
|
xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:ns5="http://www.w3.org/1999/xhtml"
|
|
xmlns:ns4="http://www.w3.org/2000/svg"
|
|
xmlns:ns3="http://www.w3.org/1998/Math/MathML"
|
|
xmlns:ns="http://docbook.org/ns/docbook">
|
|
<title>Configuring OpenStack Compute</title>
|
|
|
|
<para>The OpenStack system has several key projects that are separate
|
|
installations but can work together depending on your cloud needs: OpenStack
|
|
Compute, OpenStack Object Storage, and OpenStack Image Store. You can
|
|
install any of these projects separately and then configure them either as
|
|
standalone or connected entities.</para>
|
|
|
|
<section xml:id="general-compute-configuration-overview">
|
|
<title>General Compute Configuration Overview</title>
|
|
|
|
<para>Most configuration information is available in the nova.conf flag
|
|
file. Here are some general purpose flags that you can use to learn more
|
|
about the flag file and the node. The configuration file nova.conf is
|
|
typically stored in /etc/nova/nova.conf. </para>
|
|
|
|
<para>You can use a particular flag file by using the --flagfile
|
|
(nova.conf) parameter when running one of the nova- services. This inserts
|
|
flag definitions from the given configuration file name, which may be
|
|
useful for debugging or performance tuning. Here are some general purpose
|
|
flags.</para>
|
|
|
|
<table rules="all">
|
|
<caption>Description of general purpose nova.conf flags</caption>
|
|
|
|
<thead>
|
|
<tr>
|
|
<td>Flag</td>
|
|
|
|
<td>Default</td>
|
|
|
|
<td>Description</td>
|
|
</tr>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<tr>
|
|
<td>--my_ip</td>
|
|
|
|
<td>None</td>
|
|
|
|
<td>IP address; Calculated to contain the host IP address.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--host</td>
|
|
|
|
<td>None</td>
|
|
|
|
<td>String value; Calculated to contain the name of the node where
|
|
the cloud controller is hosted</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>-?, --[no]help</td>
|
|
|
|
<td>None</td>
|
|
|
|
<td>Show this help.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--[no]helpshort</td>
|
|
|
|
<td>None</td>
|
|
|
|
<td>Show usage only for this module.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--[no]helpxml</td>
|
|
|
|
<td>None</td>
|
|
|
|
<td>Show this help, but with XML output instead of text</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
|
|
<para>If you want to maintain the state of all the services, you can use
|
|
the --state_path flag to indicate a top-level directory for storing data
|
|
related to the state of Compute including images if you are using the
|
|
Compute object store. Here are additional flags that apply to all nova-
|
|
services.</para>
|
|
|
|
<table rules="all">
|
|
<caption>Description of nova.conf flags for all services</caption>
|
|
|
|
<thead>
|
|
<tr>
|
|
<td>Flag</td>
|
|
|
|
<td>Default</td>
|
|
|
|
<td>Description</td>
|
|
</tr>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<tr>
|
|
<td>--state_path</td>
|
|
|
|
<td>'/Users/username/p/nova/nova/../'</td>
|
|
|
|
<td>Directory path; Top-level directory for maintaining nova's
|
|
state.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--periodic_interval</td>
|
|
|
|
<td>default: '60'</td>
|
|
|
|
<td>Integer value; Seconds between running periodic tasks.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--report_interval</td>
|
|
|
|
<td>default: '10'</td>
|
|
|
|
<td>Integer value; Seconds between nodes reporting state to the data
|
|
store.</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
|
|
<section xml:id="sample-nova-configuration-files">
|
|
<title>Example nova.conf Configuration Files</title>
|
|
|
|
<para>The following sections describe many of the flag settings that can
|
|
go into the nova.conf files. These need to be copied to each compute node.
|
|
Here are some sample nova.conf files that offer examples of specific
|
|
configurations.</para>
|
|
|
|
<simplesect>
|
|
<title>Configuration using KVM, FlatDHCP, MySQL, Glance, LDAP, and
|
|
optionally sheepdog, API is EC2</title>
|
|
|
|
<para>From <link
|
|
xlink:href="http://wikitech.wikimedia.org/view/OpenStack#On_the_controller_and_all_compute_nodes.2C_configure_.2Fetc.2Fnova.2Fnova.conf">wikimedia.org</link>,
|
|
used with permission. Where you see parameters passed in, it's likely an
|
|
IP address you need.</para>
|
|
|
|
<programlisting>
|
|
# configured using KVM, FlatDHCP, MySQL, Glance, LDAP, and optionally sheepdog, API is EC2
|
|
--verbose
|
|
--daemonize=1
|
|
--logdir=/var/log/nova
|
|
--state_path=/var/lib/nova
|
|
--lock_path=/var/lock/nova
|
|
--sql_connection=mysql://$nova_db_user:$nova_db_pass@$nova_db_host/$nova_db_name
|
|
--image_service=nova.image.glance.GlanceImageService
|
|
--s3_host=$nova_glance_host
|
|
--glance_api_servers=$nova_glance_host
|
|
--rabbit_host=$nova_rabbit_host
|
|
--network_host=$nova_network_host
|
|
--ec2_url=http://$nova_api_host:8773/services/Cloud
|
|
--libvirt_type=kvm
|
|
--dhcpbridge=/usr/bin/nova-dhcpbridge
|
|
--flat_network_bridge=br100
|
|
--network_manager=nova.network.manager.FlatDHCPManager
|
|
--flat_interface=$nova_network_flat_interface
|
|
--public_interface=$nova_network_public_interface
|
|
--routing_source_ip=$nova_network_public_ip
|
|
--ajax_console_proxy_url=$nova_ajax_proxy_url
|
|
--volume_driver=nova.volume.driver.SheepdogDriver
|
|
--auth_driver=nova.auth.ldapdriver.LdapDriver
|
|
--ldap_url=ldap://$nova_ldap_host
|
|
--ldap_password=$nova_ldap_user_pass
|
|
--ldap_user_dn=$nova_ldap_user_dn
|
|
--ldap_user_unit=people
|
|
--ldap_user_subtree=ou=people,$nova_ldap_base_dn
|
|
--ldap_project_subtree=ou=groups,$nova_ldap_base_dn
|
|
--role_project_subtree=ou=groups,$nova_ldap_base_dn
|
|
--ldap_cloudadmin=cn=cloudadmins,ou=groups,$nova_ldap_base_dn
|
|
--ldap_itsec=cn=itsec,ou=groups,$nova_ldap_base_dn
|
|
--ldap_sysadmin=cn=sysadmins,$nova_ldap_base_dn
|
|
--ldap_netadmin=cn=netadmins,$nova_ldap_base_dn
|
|
--ldap_developer=cn=developers,$nova_ldap_base_dn
|
|
</programlisting>
|
|
|
|
<figure xml:id="Nova_conf_KVM_LDAP">
|
|
<title>KVM, FlatDHCP, MySQL, Glance, LDAP, and optionally
|
|
sheepdog</title>
|
|
|
|
<mediaobject>
|
|
<imageobject role="html">
|
|
<imagedata fileref="figures/SCH_5003_V00_NUAC-Network_mode_KVM_LDAP_OpenStack.png"
|
|
scale="60"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</figure>
|
|
</simplesect>
|
|
|
|
<simplesect>
|
|
<title>KVM, Flat, MySQL, and Glance, OpenStack or EC2 API</title>
|
|
|
|
<para>This example nova.conf file is from an internal Rackspace test
|
|
system used for demonstrations.</para>
|
|
|
|
<programlisting>
|
|
# configured using KVM, Flat, MySQL, and Glance, API is OpenStack (or EC2)
|
|
--daemonize=1
|
|
--dhcpbridge_flagfile=/etc/nova/nova.conf
|
|
--dhcpbridge=/usr/bin/nova-dhcpbridge
|
|
--flat_network_bridge=br100
|
|
--lock_path=/var/lock/nova
|
|
--logdir=/var/log/nova
|
|
--state_path=/var/lib/nova
|
|
--verbose
|
|
--network_manager=nova.network.manager.FlatManager
|
|
--sql_connection=mysql://$nova_db_user:$nova_db_pass@$nova_db_host/$nova_db_name
|
|
--osapi_host=$nova_api_host
|
|
--rabbit_host=$rabbit_api_host
|
|
--ec2_host=$nova_api_host
|
|
--image_service=nova.image.glance.GlanceImageService
|
|
--glance_api_servers=$nova_glance_host
|
|
|
|
# first 3 octets of the network your volume service is on, substitute with real numbers
|
|
--iscsi_ip_prefix=nnn.nnn.nnn
|
|
</programlisting>
|
|
|
|
<figure xml:id="Nova_conf_KVM_Flat">
|
|
<title>KVM, Flat, MySQL, and Glance, OpenStack or EC2 API</title>
|
|
|
|
<mediaobject>
|
|
<imageobject role="html">
|
|
<imagedata fileref="figures/SCH_5004_V00_NUAC-Network_mode_KVM_Flat_OpenStack.png"
|
|
scale="60"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</figure>
|
|
</simplesect>
|
|
|
|
<simplesect>
|
|
<title>XenServer 5.6, Flat networking, MySQL, and Glance, OpenStack
|
|
API</title>
|
|
|
|
<para>This example nova.conf file is from an internal Rackspace test
|
|
system.</para>
|
|
|
|
<programlisting>
|
|
--verbose
|
|
--nodaemon
|
|
--sql_connection=mysql://root:<password>@127.0.0.1/nova
|
|
--network_manager=nova.network.manager.FlatManager
|
|
--image_service=nova.image.glance.GlanceImageService
|
|
--flat_network_bridge=xenbr0
|
|
--connection_type=xenapi
|
|
--xenapi_connection_url=https://<XenServer IP>
|
|
--xenapi_connection_username=root
|
|
--xenapi_connection_password=supersecret
|
|
--rescue_timeout=86400
|
|
--allow_admin_api=true
|
|
--xenapi_inject_image=false
|
|
--use_ipv6=true
|
|
|
|
# To enable flat_injected, currently only works on Debian-based systems
|
|
--flat_injected=true
|
|
--ipv6_backend=account_identifier
|
|
--ca_path=./nova/CA
|
|
|
|
# Add the following to your flagfile if you're running on Ubuntu Maverick
|
|
--xenapi_remap_vbd_dev=true
|
|
</programlisting>
|
|
|
|
<figure xml:id="Nova_conf_XEN_Flat">
|
|
<title>KVM, Flat, MySQL, and Glance, OpenStack or EC2 API</title>
|
|
|
|
<mediaobject>
|
|
<imageobject role="html">
|
|
<imagedata fileref="figures/SCH_5005_V00_NUAC-Network_mode_XEN_Flat_OpenStack.png"
|
|
scale="60"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</figure>
|
|
</simplesect>
|
|
</section>
|
|
|
|
<section xml:id="configuring-logging">
|
|
<title>Configuring Logging</title>
|
|
|
|
<para>You can use nova.conf flags to indicate where Compute will log
|
|
events, the level of logging, and customize log formats.</para>
|
|
|
|
<table rules="all">
|
|
<caption>Description of nova.conf flags for logging</caption>
|
|
|
|
<thead>
|
|
<tr>
|
|
<td>Flag</td>
|
|
|
|
<td>Default</td>
|
|
|
|
<td>Description</td>
|
|
</tr>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<tr>
|
|
<td>--logdir</td>
|
|
|
|
<td>'/var/logs/nova'</td>
|
|
|
|
<td>Directory path; Output to a per-service log file in the named
|
|
directory.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--logfile</td>
|
|
|
|
<td>default: ''</td>
|
|
|
|
<td>File name; Output to named file.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--[no]use_syslog</td>
|
|
|
|
<td>default: 'false'</td>
|
|
|
|
<td>Output to syslog using their file naming system.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--default_log_levels</td>
|
|
|
|
<td>default:
|
|
'amqplib=WARN,sqlalchemy=WARN,eventlet.wsgi.server=WARN'</td>
|
|
|
|
<td>Pair of named loggers and level of message to be logged; List of
|
|
logger=LEVEL pairs</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--verbose</td>
|
|
|
|
<td>default: 'false'</td>
|
|
|
|
<td>Set to 1 or true to turn on; Shows debug output - optional but
|
|
helpful during initial setup.</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
|
|
<para>To customize log formats for OpenStack Compute, use these flag
|
|
settings.</para>
|
|
|
|
<table rules="all">
|
|
<caption>Description of nova.conf flags for customized log
|
|
formats</caption>
|
|
|
|
<thead>
|
|
<tr>
|
|
<td>Flag</td>
|
|
|
|
<td>Default</td>
|
|
|
|
<td>Description</td>
|
|
</tr>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<tr>
|
|
<td>--logging_context_format_string</td>
|
|
|
|
<td>default: '%(asctime)s %(levelname)s %(name)s [%(request_id)s
|
|
%(user)s %(project)s] %(message)s'</td>
|
|
|
|
<td>The format string to use for log messages with additional
|
|
context.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--logging_debug_format_suffix</td>
|
|
|
|
<td>default: 'from %(processName)s (pid=%(process)d) %(funcName)s
|
|
%(pathname)s:%(lineno)d'</td>
|
|
|
|
<td>The data to append to the log format when level is DEBUG</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--logging_default_format_string</td>
|
|
|
|
<td>default: '%(asctime)s %(levelname)s %(name)s [-]
|
|
%(message)s'</td>
|
|
|
|
<td>The format string to use for log messages without context.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--logging_exception_prefix</td>
|
|
|
|
<td>default: '(%(name)s): TRACE: '</td>
|
|
|
|
<td>String value; Prefix each line of exception output with this
|
|
format.</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
|
|
<section xml:id="configuring-hypervisors">
|
|
<title>Configuring Hypervisors</title>
|
|
|
|
<para>OpenStack Compute requires a hypervisor and supports several
|
|
hypervisors and virtualization standards. Configuring and running
|
|
OpenStack Compute to use a particular hypervisor takes several
|
|
installation and configuration steps. The --libvirt_type flag indicates
|
|
which hypervisor will be used. Refer <xref
|
|
linkend="hypervisor-configuration-basics">
|
|
Hypervisor configuration basics
|
|
</xref> for more details.</para>
|
|
</section>
|
|
|
|
<section xml:id="configuring-authentication-authorization">
|
|
<title>Configuring Authentication and Authorization</title>
|
|
|
|
<para>There are different methods of authentication for the OpenStack
|
|
Compute project. The default setting is to use the novarc file that
|
|
contains credentials. To do so, set the --use_deprecated-auth flag in your
|
|
nova.conf, which is True by default. For no auth, modify the paste.ini
|
|
that is included in the etc/nova directory. With additional configuration,
|
|
you can use the OpenStack Identity Service, code-named Keystone. In
|
|
Compute, the settings for using Keystone are commented lines in
|
|
etc/nova/api-paste.ini, and Keystone also provides an example file in
|
|
keystone/examples/paste/nova-api-paste.ini. Restart the nova-api service
|
|
for these settings to be configured. Refer to the Identity Service Starter
|
|
Guide for additional information.</para>
|
|
|
|
<para>OpenStack Compute uses an implementation of an authentication system
|
|
structured with an Active Directory or other federated LDAP user store
|
|
that backends to an identity manager or other SAML Policy Controller that
|
|
then maps to groups. Credentials for API calls are stored in the project
|
|
zip file when using this auth system. Certificate authority is also
|
|
customized in nova.conf for the this built-in auth system.</para>
|
|
|
|
<para>If you see errors such as "EC2ResponseError: 403 Forbidden" it is
|
|
likely you are trying to use euca commands without the auth system
|
|
properly configured. Either install and use the default auth setting, or
|
|
change out the default paste.ini file to use no auth, or configure the
|
|
Identity Service.</para>
|
|
|
|
<table rules="all">
|
|
<caption>Description of nova.conf flags for Authentication</caption>
|
|
|
|
<thead>
|
|
<tr>
|
|
<td>Flag</td>
|
|
|
|
<td>Default</td>
|
|
|
|
<td>Description</td>
|
|
</tr>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<tr>
|
|
<td>--auth_driver</td>
|
|
|
|
<td>default:'nova.auth.dbdriver.DbDriver'</td>
|
|
|
|
<td><para>String value; Name of the driver for authentication</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>nova.auth.dbdriver.DbDriver - Default setting, uses
|
|
credentials stored in zip file, one per project.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>nova.auth.ldapdriver.FakeLdapDriver - create a
|
|
replacement for this driver supporting other backends by
|
|
creating another class that exposes the same public
|
|
methods.</para>
|
|
</listitem>
|
|
</itemizedlist></td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--use_deprecated_auth</td>
|
|
|
|
<td>default:'False'</td>
|
|
|
|
<td><para>True or false; Sets the auth system to use the zip file
|
|
provided with the project files to store all credentials</para></td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
|
|
<table rules="all">
|
|
<caption>Description of nova.conf flags for customizing roles in
|
|
deprecated auth</caption>
|
|
|
|
<thead>
|
|
<tr>
|
|
<td>Flag</td>
|
|
|
|
<td>Default</td>
|
|
|
|
<td>Description</td>
|
|
</tr>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<tr>
|
|
<td>--allowed_roles</td>
|
|
|
|
<td>default: 'cloudadmin,itsec,sysadmin,netadmin,developer')</td>
|
|
|
|
<td>Comma separated list; Allowed roles for project</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--global_roles</td>
|
|
|
|
<td>default: 'cloudadmin,itsec')</td>
|
|
|
|
<td>Comma separated list; Roles that apply to all projects</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--superuser_roles</td>
|
|
|
|
<td>default: 'cloudadmin')</td>
|
|
|
|
<td>Comma separated list; Roles that ignore authorization checking
|
|
completely</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
|
|
<table rules="all">
|
|
<caption>Description of nova.conf flags for credentials in deprecated
|
|
auth</caption>
|
|
|
|
<thead>
|
|
<tr>
|
|
<td>Flag</td>
|
|
|
|
<td>Default</td>
|
|
|
|
<td>Description</td>
|
|
</tr>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<tr>
|
|
<td>--credentials_template</td>
|
|
|
|
<td>default: '')</td>
|
|
|
|
<td>Directory; Template for creating users' RC file</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--credential_rc_file</td>
|
|
|
|
<td>default: '%src')</td>
|
|
|
|
<td>File name; File name of rc in credentials zip</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--credential_cert_file</td>
|
|
|
|
<td>default: 'cert.pem')</td>
|
|
|
|
<td>File name; File name of certificate in credentials zip</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--credential_key_file</td>
|
|
|
|
<td>default: 'pk.pem')</td>
|
|
|
|
<td>File name; File name of rc in credentials zip</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--vpn_client_template</td>
|
|
|
|
<td>default: 'nova/cloudpipe/client/ovpn.template')</td>
|
|
|
|
<td>Directory; Refers to where the template lives for creating users
|
|
vpn file</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--credential_vpn_file</td>
|
|
|
|
<td>default: 'nova-vpn.conf')</td>
|
|
|
|
<td>File name; Filename of certificate in credentials.zip</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
|
|
<table rules="all">
|
|
<caption>Description of nova.conf flags for CA (Certificate
|
|
Authority)</caption>
|
|
|
|
<thead>
|
|
<tr>
|
|
<td>Flag</td>
|
|
|
|
<td>Default</td>
|
|
|
|
<td>Description</td>
|
|
</tr>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<tr>
|
|
<td>--keys_path</td>
|
|
|
|
<td>default: '$state_path/keys')</td>
|
|
|
|
<td>Directory; Where Nova keeps the keys</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--ca_file</td>
|
|
|
|
<td>default: 'cacert.pem')</td>
|
|
|
|
<td>File name; File name of root CA</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--crl_file</td>
|
|
|
|
<td>default: 'crl.pem')</td>
|
|
|
|
<td>File name; File name of Certificate Revocation List</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--key_file</td>
|
|
|
|
<td>default: 'private/cakey.pem')</td>
|
|
|
|
<td>File name; File name of private key</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--use_project_ca</td>
|
|
|
|
<td>default: 'false')</td>
|
|
|
|
<td>True or false; Indicates whether to use a CA for each project;
|
|
false means CA is not used for each project</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--project_cert_subject</td>
|
|
|
|
<td>default:
|
|
'/C=US/ST=California/L=MountainView/O=AnsoLabs/OU=NovaDev/CN=proje
|
|
ct-ca-%s-%s')</td>
|
|
|
|
<td>String; Subject for certificate for projects, %s for project,
|
|
timestamp</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--user_cert_subject</td>
|
|
|
|
<td>default:
|
|
'/C=US/ST=California/L=MountainView/O=AnsoLabs/OU=NovaDev/CN=%s-%s-%s')</td>
|
|
|
|
<td>String; Subject for certificate for users, %s for project,
|
|
users, timestamp</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--vpn_cert_subject</td>
|
|
|
|
<td>default:
|
|
'/C=US/ST=California/L=MountainView/O=AnsoLabs/OU=NovaDev/CN=project-vpn-%s-%s')</td>
|
|
|
|
<td>String; Subject for certificate for vpns, %s for project,
|
|
timestamp</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
|
|
<section xml:id="configuring-compute-to-use-ipv6-addresses">
|
|
<title>Configuring Compute to use IPv6 Addresses</title>
|
|
|
|
<para>You can configure Compute to use both IPv4 and IPv6 addresses for
|
|
communication by putting it into a IPv4/IPv6 dual stack mode. In IPv4/IPv6
|
|
dual stack mode, instances can acquire their IPv6 global unicast address
|
|
by stateless address autoconfiguration mechanism [RFC 4862/2462].
|
|
IPv4/IPv6 dual stack mode works with VlanManager and FlatDHCPManager
|
|
networking modes, though floating IPs are not supported in the Bexar
|
|
release. In VlanManager, different 64bit global routing prefix is used for
|
|
each project. In FlatDHCPManager, one 64bit global routing prefix is used
|
|
for all instances. The Cactus release includes support for the FlatManager
|
|
networking mode with a required database migration.</para>
|
|
|
|
<para>This configuration has been tested on Ubuntu 10.04 with VM images
|
|
that have IPv6 stateless address autoconfiguration capability (must use
|
|
EUI-64 address for stateless address autoconfiguration), a requirement for
|
|
any VM you want to run with an IPv6 address. Each node that executes a
|
|
nova- service must have python-netaddr and radvd installed.</para>
|
|
|
|
<para>On all nova-nodes, install python-netaddr:</para>
|
|
|
|
<para><literallayout class="monospaced">sudo apt-get install -y python-netaddr</literallayout></para>
|
|
|
|
<para>On all nova-network nodes install radvd and configure IPv6
|
|
networking:</para>
|
|
|
|
<literallayout class="monospaced">sudo apt-get install -y radvd
|
|
sudo bash -c "echo 1 > /proc/sys/net/ipv6/conf/all/forwarding"
|
|
sudo bash -c "echo 0 > /proc/sys/net/ipv6/conf/all/accept_ra"</literallayout>
|
|
|
|
<para>Edit the nova.conf file on all nodes to set the --use_ipv6 flag to
|
|
True. Restart all nova- services.</para>
|
|
|
|
<para>When using the command 'nova-manage network create' you can add a
|
|
fixed range for IPv6 addresses. You must specify public or private after
|
|
the create parameter.</para>
|
|
|
|
<para><literallayout class="monospaced">nova-manage network create public fixed_range num_networks network_size [vlan_start] [vpn_start] [fixed_range_v6]</literallayout></para>
|
|
|
|
<para>You can set IPv6 global routing prefix by using the fixed_range_v6
|
|
parameter. The default is: fd00::/48. When you use FlatDHCPManager, the
|
|
command uses the original value of fixed_range_v6. When you use
|
|
VlanManager, the command creates prefixes of subnet by incrementing subnet
|
|
id. Guest VMs uses this prefix for generating their IPv6 global unicast
|
|
address.</para>
|
|
|
|
<para>Here is a usage example for VlanManager:</para>
|
|
|
|
<para><literallayout class="monospaced">nova-manage network create public 10.0.1.0/24 3 32 100 1000 fd00:1::/48 </literallayout></para>
|
|
|
|
<para>Here is a usage example for FlatDHCPManager:</para>
|
|
|
|
<para><literallayout class="monospaced">nova-manage network create public 10.0.2.0/24 3 32 0 0 fd00:1::/48 </literallayout></para>
|
|
|
|
<para>Note that [vlan_start] and [vpn_start] parameters are not used by
|
|
FlatDHCPManager.</para>
|
|
|
|
<table rules="all">
|
|
<caption>Description of nova.conf flags for configuring IPv6</caption>
|
|
|
|
<thead>
|
|
<tr>
|
|
<td>Flag</td>
|
|
|
|
<td>Default</td>
|
|
|
|
<td>Description</td>
|
|
</tr>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<tr>
|
|
<td>--use_ipv6</td>
|
|
|
|
<td>default: 'false'</td>
|
|
|
|
<td>Set to 1 or true to turn on; Determines whether to use IPv6
|
|
network addresses</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--flat_injected</td>
|
|
|
|
<td>default: 'false'</td>
|
|
|
|
<td>Cactus only:Indicates whether Compute (Nova) should use attempt
|
|
to inject IPv6 network configuration information into the guest. It
|
|
attempts to modify /etc/network/interfaces and currently only works
|
|
on Debian-based systems.</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
|
|
<section xml:id="configuring-compute-to-use-the-image-service">
|
|
<title>Configuring Image Service and Storage for Compute</title>
|
|
|
|
<para>Diablo uses Glance for storing and retrieving images. After you have
|
|
installed a Glance server, you can configure nova-compute to use Glance
|
|
for image storage and retrieval. You must ensure the --image_service flag
|
|
is defined with the Glance service :
|
|
'nova.image.glance.GlanceImageService' uses Glance to store and retrieve
|
|
images for OpenStack Compute.</para>
|
|
|
|
<table rules="all">
|
|
<caption>Description of nova.conf flags for the Glance image service and
|
|
storage</caption>
|
|
|
|
<thead>
|
|
<tr>
|
|
<td>Flag</td>
|
|
|
|
<td>Default</td>
|
|
|
|
<td>Description</td>
|
|
</tr>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<tr>
|
|
<td>--image_service</td>
|
|
|
|
<td>default: 'nova.image.local.GlanceImageService'</td>
|
|
|
|
<td><para>The service to use for retrieving and searching for
|
|
images. Images must be registered using euca2ools. Options:
|
|
</para><itemizedlist>
|
|
<listitem>
|
|
<para>nova.image.s3.S3ImageService</para>
|
|
|
|
<para>S3 backend for the Image Service.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis
|
|
role="bold">nova.image.glance.GlanceImageService</emphasis></para>
|
|
|
|
<para>Glance back end for storing and retrieving images; See
|
|
<link
|
|
xlink:href="http://glance.openstack.org">http://glance.openstack.org</link>
|
|
for more info.</para>
|
|
</listitem>
|
|
</itemizedlist></td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--glance_api_servers</td>
|
|
|
|
<td>default: '$my_ip:9292'</td>
|
|
|
|
<td>List of Glance API hosts. Each item may contain a host (or IP
|
|
address) and port of an OpenStack Compute Image Service server
|
|
(project's name is Glance)</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--s3_dmz</td>
|
|
|
|
<td>default: '$my_ip'</td>
|
|
|
|
<td>IP address; For instances internal IP (a DMZ is shorthand for a
|
|
demilitarized zone)</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--s3_host</td>
|
|
|
|
<td>default: '$my_ip'</td>
|
|
|
|
<td>IP address: IP address of the S3 host for infrastructure.
|
|
Location where OpenStack Compute is hosting the objectstore service,
|
|
which will contain the virtual machine images and buckets.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--s3_port</td>
|
|
|
|
<td>default: '3333'</td>
|
|
|
|
<td>Integer value; Port where S3 host is running</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--use_s3</td>
|
|
|
|
<td>default: 'true'</td>
|
|
|
|
<td>Set to 1 or true to turn on; Determines whether to get images
|
|
from s3 or use a local copy</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
|
|
<section xml:id="configuring-live-migrations">
|
|
<title>Configuring Live Migrations</title>
|
|
|
|
<para>The live migration feature is useful when you need to upgrade or
|
|
installing patches to hypervisors/BIOS and you need the machines to keep
|
|
running. For example, when one of HDD volumes RAID or one of bonded NICs
|
|
is out of order. Also for regular periodic maintenance, you may need to
|
|
migrate VM instances. When many VM instances are running on a specific
|
|
physical machine, you can redistribute the high load. Sometimes when VM
|
|
instances are scattered, you can move VM instances to a physical machine
|
|
to arrange them more logically.</para>
|
|
|
|
<para><emphasis role="bold">Environments</emphasis> <itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">OS:</emphasis> Ubuntu 10.04/10.10 for
|
|
both instances and host.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Shared storage:</emphasis>
|
|
NOVA-INST-DIR/instances/ has to be mounted by shared storage (tested
|
|
using NFS).</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Instances:</emphasis> Instance can be
|
|
migrated with ISCSI based volumes</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Hypervisor:</emphasis> KVM with
|
|
libvirt</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">(NOTE1)</emphasis>
|
|
"NOVA-INST-DIR/instance" is expected that vm image is put on to. see
|
|
"flags.instances_path" in nova.compute.manager for the default
|
|
value</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">(NOTE2)</emphasis> This feature is admin
|
|
only, since nova-manage is necessary.</para>
|
|
</listitem>
|
|
</itemizedlist></para>
|
|
|
|
<para><emphasis role="bold">Sample Nova Installation before
|
|
starting</emphasis> <itemizedlist>
|
|
<listitem>
|
|
<para>Prepare 3 servers at least, lets say, HostA, HostB and
|
|
HostC</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>nova-api/nova-network/nova-volume/nova-objectstore/
|
|
nova-scheduler(and other daemon) are running on HostA.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>nova-compute is running on both HostB and HostC.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>HostA export NOVA-INST-DIR/instances, HostB and HostC mount
|
|
it.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>To avoid any confusion, NOVA-INST-DIR is same at
|
|
HostA/HostB/HostC("NOVA-INST-DIR" shows top of install dir).</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>HostA export NOVA-INST-DIR/instances, HostB and HostC mount
|
|
it.</para>
|
|
</listitem>
|
|
</itemizedlist></para>
|
|
|
|
<para><emphasis role="bold">Pre-requisite configurations</emphasis></para>
|
|
|
|
<para><orderedlist>
|
|
<listitem>
|
|
<para>Configure /etc/hosts, Make sure 3 Hosts can do name-resolution
|
|
with each other. Ping with each other is better way to test.</para>
|
|
|
|
<literallayout class="monospaced">
|
|
ping HostA
|
|
ping HostB
|
|
ping HostC
|
|
</literallayout>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Configure NFS at HostA by adding below to /etc/exports</para>
|
|
|
|
<literallayout class="monospaced">NOVA-INST-DIR/instances HostA/255.255.0.0(rw,sync,fsid=0,no_root_squash</literallayout>
|
|
|
|
<para>Change "255.255.0.0" appropriate netmask, which should include
|
|
HostB/HostC. Then restart nfs server.</para>
|
|
|
|
<literallayout class="monospaced">
|
|
/etc/init.d/nfs-kernel-server restart
|
|
/etc/init.d/idmapd restart
|
|
</literallayout>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Configure NFS at HostB and HostC by adding below to
|
|
/etc/fstab</para>
|
|
|
|
<literallayout class="monospaced">HostA:/ DIR nfs4 defaults 0 0</literallayout>
|
|
|
|
<para>Then mount, check exported directory can be mounted.</para>
|
|
|
|
<literallayout class="monospaced">mount -a -v</literallayout>
|
|
|
|
<para>If fail, try this at any hosts.</para>
|
|
|
|
<literallayout class="monospaced">iptables -F</literallayout>
|
|
|
|
<para>Also, check file/daemon permissions. We expect any nova
|
|
daemons are running as root.</para>
|
|
|
|
<literallayout class="monospaced">ps -ef | grep nova </literallayout>
|
|
|
|
<programlisting>root 5948 5904 9 11:29 pts/4 00:00:00 python /opt/nova-2010.4//bin/nova-api
|
|
root 5952 5908 6 11:29 pts/5 00:00:00 python /opt/nova-2010.4//bin/nova-objectstore
|
|
... (snip) </programlisting>
|
|
|
|
<para>"NOVA-INST-DIR/instances/" directory can be seen at
|
|
HostA</para>
|
|
|
|
<literallayout class="monospaced">ls -ld NOVA-INST-DIR/instances/</literallayout>
|
|
|
|
<programlisting>drwxr-xr-x 2 root root 4096 2010-12-07 14:34 nova-install-dir/instances/ </programlisting>
|
|
|
|
<para>Same check at HostB and HostC</para>
|
|
|
|
<literallayout>ls -ld NOVA-INST-DIR/instances/</literallayout>
|
|
|
|
<programlisting>drwxr-xr-x 2 root root 4096 2010-12-07 14:34 nova-install-dir/instances/</programlisting>
|
|
|
|
<literallayout class="monospaced">df -k</literallayout>
|
|
|
|
<programlisting>Filesystem 1K-blocks Used Available Use% Mounted on
|
|
/dev/sda1 921514972 4180880 870523828 1% /
|
|
none 16498340 1228 16497112 1% /dev
|
|
none 16502856 0 16502856 0% /dev/shm
|
|
none 16502856 368 16502488 1% /var/run
|
|
none 16502856 0 16502856 0% /var/lock
|
|
none 16502856 0 16502856 0% /lib/init/rw
|
|
HostA: 921515008 101921792 772783104 12% /opt ( <--- this line is important.)
|
|
</programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Libvirt configurations. Modify
|
|
/etc/libvirt/libvirt.conf:</para>
|
|
|
|
<programlisting>
|
|
before : #listen_tls = 0
|
|
after : listen_tls = 0
|
|
|
|
before : #listen_tcp = 1
|
|
after : listen_tcp = 1
|
|
|
|
add: auth_tcp = "none"
|
|
</programlisting>
|
|
|
|
<para>Modify /etc/init/libvirt-bin.conf</para>
|
|
|
|
<programlisting>
|
|
before : exec /usr/sbin/libvirtd -d
|
|
after : exec /usr/sbin/libvirtd -d -l
|
|
</programlisting>
|
|
|
|
<para>Modify /etc/default/libvirt-bin</para>
|
|
|
|
<programlisting>
|
|
before :libvirtd_opts=" -d"
|
|
after :libvirtd_opts=" -d -l"
|
|
</programlisting>
|
|
|
|
<para>then, restart libvirt. Make sure libvirt is restarted.</para>
|
|
|
|
<literallayout class="monospaced">
|
|
stop libvirt-bin && start libvirt-bin
|
|
|
|
ps -ef | grep libvirt</literallayout>
|
|
|
|
<programlisting>root 1145 1 0 Nov27 ? 00:00:03 /usr/sbin/libvirtd -d -l </programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Flag configuration. usually, you do not have to configure any
|
|
flags. Below chart is only for advanced usage.</para>
|
|
</listitem>
|
|
</orderedlist></para>
|
|
|
|
<table rules="all">
|
|
<caption>Description of nova.conf flags for live migration</caption>
|
|
|
|
<thead>
|
|
<tr>
|
|
<td>Flag</td>
|
|
|
|
<td>Default</td>
|
|
|
|
<td>Description</td>
|
|
</tr>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<tr>
|
|
<td>--live_migration_retry_count</td>
|
|
|
|
<td>default: 30</td>
|
|
|
|
<td>Retry count needed in live_migration. Sleep 1sec for each
|
|
retry</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--live_migration_uri</td>
|
|
|
|
<td>default: 'qemu+tcp://%s/system'</td>
|
|
|
|
<td>Define protocol used by live_migration feature. If you would
|
|
like to use qemu+ssh, change this as described at
|
|
http://libvirt.org/.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--live_migration_bandwidth</td>
|
|
|
|
<td>default: 0</td>
|
|
|
|
<td>Define bandwidth used by live migration.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--live_migration_flag</td>
|
|
|
|
<td>default: 'VIR_MIGRATE_UNDEFINE_SOURCE,
|
|
VIR_MIGRATE_PEER2PEER'</td>
|
|
|
|
<td>Define libvirt flag for live migration.</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
|
|
<section xml:id="configuring-database-connections">
|
|
<title>Configuring Database Connections</title>
|
|
|
|
<para>You can configure OpenStack Compute to use any SQLAlchemy-compatible
|
|
database. The database name is 'nova' and entries to it are mostly written
|
|
by the nova-scheduler service, although all the services need to be able
|
|
to update entries in the database. Use these settings to configure the
|
|
connection string for the nova database.</para>
|
|
|
|
<table rules="all">
|
|
<caption>Description of nova.conf flags for database access</caption>
|
|
|
|
<thead>
|
|
<tr>
|
|
<td>Flag</td>
|
|
|
|
<td>Default</td>
|
|
|
|
<td>Description</td>
|
|
</tr>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<tr>
|
|
<td>--sql_connection</td>
|
|
|
|
<td>default: 'sqlite:///$state_path/nova.sqlite'</td>
|
|
|
|
<td>IP address; Location of OpenStack Compute SQL database</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--sql_idle_timeout</td>
|
|
|
|
<td>default: '3600'</td>
|
|
|
|
<td>Integer value; Number of seconds to wait for a database
|
|
connection</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--sql_max_retries</td>
|
|
|
|
<td>default: '12'</td>
|
|
|
|
<td>Integer value; Number of attempts on the SQL connection</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--sql_retry_interval</td>
|
|
|
|
<td>default: '10'</td>
|
|
|
|
<td>Integer value; Retry interval for SQL connections</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--db_backend</td>
|
|
|
|
<td>default: 'sqlalchemy'</td>
|
|
|
|
<td>The backend selected for the database connection</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--db_driver</td>
|
|
|
|
<td>default: 'nova.db.api'</td>
|
|
|
|
<td>The drive to use for database access</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
|
|
<section xml:id="configuring-compute-messaging">
|
|
<title>Configuring the Compute Messaging System</title>
|
|
|
|
<para>OpenStack Compute uses an open standard for messaging middleware
|
|
known as AMQP. RabbitMQ enables this messaging system so that nova-
|
|
services can talk to each other. You can configure the messaging
|
|
communication for different installation scenarios as well as tune
|
|
RabbitMQ's retries and the size of the RPC thread pool.</para>
|
|
|
|
<table rules="all">
|
|
<caption>Description of nova.conf flags for Remote Procedure Calls and
|
|
RabbitMQ Messaging</caption>
|
|
|
|
<thead>
|
|
<tr>
|
|
<td>Flag</td>
|
|
|
|
<td>Default</td>
|
|
|
|
<td>Description</td>
|
|
</tr>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<tr>
|
|
<td>--rabbit_host</td>
|
|
|
|
<td>default: 'localhost'</td>
|
|
|
|
<td>IP address; Location of RabbitMQ installation.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--rabbit_password</td>
|
|
|
|
<td>default: 'guest'</td>
|
|
|
|
<td>String value; Password for the RabbitMQ server.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--rabbit_port</td>
|
|
|
|
<td>default: '5672'</td>
|
|
|
|
<td>Integer value; Port where RabbitMQ server is
|
|
running/listening.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--rabbit_userid</td>
|
|
|
|
<td>default: 'guest'</td>
|
|
|
|
<td>String value; User ID used for Rabbit connections.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--rabbit_virtual_host</td>
|
|
|
|
<td>default: '/'</td>
|
|
|
|
<td>Location of a virtual RabbitMQ installation.</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
|
|
<table rules="all">
|
|
<caption>Description of nova.conf flags for Tuning RabbitMQ
|
|
Messaging</caption>
|
|
|
|
<thead>
|
|
<tr>
|
|
<td>Flag</td>
|
|
|
|
<td>Default</td>
|
|
|
|
<td>Description</td>
|
|
</tr>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<tr>
|
|
<td>--rabbit_max_retries</td>
|
|
|
|
<td>default: '12'</td>
|
|
|
|
<td>Integer value; RabbitMQ connection attempts.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--rabbit-retry-interval</td>
|
|
|
|
<td>default: '10'</td>
|
|
|
|
<td>Integer value: RabbitMQ connection retry interval.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--rpc_thread_pool_size</td>
|
|
|
|
<td>default: '1024'</td>
|
|
|
|
<td>Integer value: Size of Remote Procedure Call thread pool.</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
|
|
<table rules="all">
|
|
<caption>Description of nova.conf flags for Customizing Exchange or
|
|
Topic Names</caption>
|
|
|
|
<thead>
|
|
<tr>
|
|
<td>Flag</td>
|
|
|
|
<td>Default</td>
|
|
|
|
<td>Description</td>
|
|
</tr>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<tr>
|
|
<td>--control_exchange</td>
|
|
|
|
<td>default:nova</td>
|
|
|
|
<td>String value; Name of the main exchange to connect to</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--ajax_console_proxy_topic</td>
|
|
|
|
<td>default: 'ajax_proxy'</td>
|
|
|
|
<td>String value; Topic that the ajax proxy nodes listen on</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--console_topic</td>
|
|
|
|
<td>default: 'console'</td>
|
|
|
|
<td>String value; The topic console proxy nodes listen on</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--network_topic</td>
|
|
|
|
<td>default: 'network'</td>
|
|
|
|
<td>String value; The topic network nodes listen on.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--scheduler_topic</td>
|
|
|
|
<td>default: 'scheduler'</td>
|
|
|
|
<td>String value; The topic scheduler nodes listen on.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>--volume_topic</td>
|
|
|
|
<td>default: 'volume'</td>
|
|
|
|
<td>String value; Name of the topic that volume nodes listen on</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
|
|
<section xml:id="configuring-compute-rate-limiting">
|
|
<title>Configuring Compute API Rate Limiting</title>
|
|
|
|
<para>OpenStack Compute supports API rate limiting for the OpenStack API.
|
|
The rate limiting allows an administrator to configure limits on the type
|
|
and number of API calls that can be made in a specific time
|
|
interval.</para>
|
|
|
|
<para>When API rate limits are exceeded, HTTP requests will return a error
|
|
with a status code of 413 "Request entity too large", and will also
|
|
include a 'Retry-After' HTTP header. The response body will include the
|
|
error details, and the delay before the request should be retried.</para>
|
|
|
|
<para>Rate limiting is not available for the EC2 API.</para>
|
|
|
|
<simplesect>
|
|
<title>Specifying Limits</title>
|
|
|
|
<para>Limits are specified using five values:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>The <emphasis role="bold">HTTP method</emphasis> used in the
|
|
API call, typically one of GET, PUT, POST, or DELETE.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>A <emphasis role="bold">human readable URI</emphasis> that is
|
|
used as a friendly description of where the limit is applied.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>A <emphasis role="bold">regular expression</emphasis>. The
|
|
limit will be applied to all URI's that match the regular expression
|
|
and HTTP Method.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>A <emphasis role="bold">limit value </emphasis> that specifies
|
|
the maximum count of units before the limit takes effect.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>An <emphasis role="bold">interval</emphasis> that specifies
|
|
time frame the limit is applied to. The interval can be SECOND,
|
|
MINUTE, HOUR, or DAY.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Rate limits are applied in order, relative to the HTTP method,
|
|
going from least to most specific. For example, although the default
|
|
threshold for POST to */servers is 50 per day, one cannot POST to
|
|
*/servers more than 10 times within a single minute because the rate
|
|
limits for any POST is 10/min.</para>
|
|
</simplesect>
|
|
|
|
<simplesect>
|
|
<title>Default Limits</title>
|
|
|
|
<para>OpenStack compute is normally installed with the following limits
|
|
enabled:</para>
|
|
|
|
<table rules="all">
|
|
<caption>Default API Rate Limits</caption>
|
|
|
|
<thead>
|
|
<tr>
|
|
<td>HTTP method</td>
|
|
|
|
<td>API URI</td>
|
|
|
|
<td>API regular expression</td>
|
|
|
|
<td>Limit</td>
|
|
</tr>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<tr>
|
|
<td>POST</td>
|
|
|
|
<td>any URI (*)</td>
|
|
|
|
<td>.*</td>
|
|
|
|
<td>10 per minute</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>POST</td>
|
|
|
|
<td>/servers</td>
|
|
|
|
<td>^/servers</td>
|
|
|
|
<td>50 per day</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>PUT</td>
|
|
|
|
<td>any URI (*)</td>
|
|
|
|
<td>.*</td>
|
|
|
|
<td>10 per minute</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>GET</td>
|
|
|
|
<td>*changes-since*</td>
|
|
|
|
<td>.*changes-since.*</td>
|
|
|
|
<td>3 per minute</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>DELETE</td>
|
|
|
|
<td>any URI (*)</td>
|
|
|
|
<td>.*</td>
|
|
|
|
<td>100 per minute</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</simplesect>
|
|
|
|
<simplesect>
|
|
<title>Configuring and Changing Limits</title>
|
|
|
|
<para>The actual limits are specified in the file
|
|
etc/nova/api-paste.ini, as part of the WSGI pipeline.</para>
|
|
|
|
<para>To enable limits, ensure the 'ratelimit' filter is included in the
|
|
API pipeline specification. If the 'ratelimit' filter is removed from
|
|
the pipeline, limiting will be disabled. There should also be a
|
|
definition for the ratelimit filter. The lines will appear as
|
|
follows:</para>
|
|
|
|
<programlisting>
|
|
|
|
[pipeline:openstack_compute_api_v2]
|
|
pipeline = faultwrap authtoken keystonecontext ratelimit osapi_compute_app_v2
|
|
|
|
[pipeline:openstack_volume_api_v1]
|
|
pipeline = faultwrap authtoken keystonecontext ratelimit osapi_volume_app_v1
|
|
|
|
[filter:ratelimit]
|
|
paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory
|
|
|
|
</programlisting>
|
|
|
|
<para>To modify the limits, add a 'limits' specification to the
|
|
[filter:ratelimit] section of the file. The limits are specified in the
|
|
order HTTP method, friendly URI, regex, limit, and interval. The
|
|
following example specifies the default rate limiting values:</para>
|
|
|
|
<programlisting>
|
|
|
|
[filter:ratelimit]
|
|
paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory
|
|
limits =("POST", "*", ".*", 10, MINUTE);("POST", "*/servers", "^/servers", 50, DAY);("PUT", "*", ".*", 10, MINUTE);("GET", "*changes-since*", ".*changes-since.*", 3, MINUTE);("DELETE", "*", ".*", 100, MINUTE)
|
|
|
|
</programlisting>
|
|
</simplesect>
|
|
</section>
|
|
</chapter>
|