c43d69c5d8
The setting vm.unprivileged_userfaultfd = 1 is required to make post-copy working for containerised libvirt. Related: rhbz#2110556 Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com> Change-Id: I40cf17a971e5c52e145fc7b760fd64c086284a03
209 lines
7.7 KiB
YAML
209 lines
7.7 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
Load kernel modules with kmod and configure kernel options with sysctl.
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
KernelPidMax:
|
|
default: 1048576
|
|
description: Configures sysctl kernel.pid_max key
|
|
type: number
|
|
KernelDisableIPv6:
|
|
default: 0
|
|
description: Configures sysctl net.ipv6.{default/all}.disable_ipv6 keys
|
|
type: number
|
|
KernelIpForward:
|
|
default: 1
|
|
description: Configures net.ipv4.ip_forward key
|
|
type: number
|
|
KernelIpv6ConfAllForwarding:
|
|
default: 0
|
|
description: Configures the net.ipv6.conf.all.forwarding key
|
|
type: number
|
|
KernelIpv4ConfAllRpFilter:
|
|
default: 1
|
|
description: Configures the net.ipv4.conf.all.rp_filter key
|
|
type: number
|
|
KernelIpNonLocalBind:
|
|
default: 1
|
|
description: Configures net.ipv{4,6}.ip_nonlocal_bind key
|
|
type: number
|
|
NeighbourGcThreshold1:
|
|
default: 1024
|
|
description: Configures sysctl net.ipv4.neigh.default.gc_thresh1 value.
|
|
This is the minimum number of entries to keep in the ARP
|
|
cache. The garbage collector will not run if there are
|
|
fewer than this number of entries in the cache.
|
|
type: number
|
|
NeighbourGcThreshold2:
|
|
default: 2048
|
|
description: Configures sysctl net.ipv4.neigh.default.gc_thresh2 value.
|
|
This is the soft maximum number of entries to keep in the
|
|
ARP cache. The garbage collector will allow the number of
|
|
entries to exceed this for 5 seconds before collection will
|
|
be performed.
|
|
type: number
|
|
NeighbourGcThreshold3:
|
|
default: 4096
|
|
description: Configures sysctl net.ipv4.neigh.default.gc_thresh3 value.
|
|
This is the hard maximum number of entries to keep in the
|
|
ARP cache. The garbage collector will always run if there
|
|
are more than this number of entries in the cache.
|
|
type: number
|
|
InotifyInstancesMax:
|
|
default: 1024
|
|
description: Configures sysctl fs.inotify.max_user_instances key
|
|
type: number
|
|
BridgeNfCallArpTables:
|
|
default: 1
|
|
description: Configures sysctl net.bridge.bridge-nf-call-arptables key
|
|
type: number
|
|
BridgeNfCallIpTables:
|
|
default: 1
|
|
description: Configures sysctl net.bridge.bridge-nf-call-iptables key
|
|
type: number
|
|
BridgeNfCallIp6Tables:
|
|
default: 1
|
|
description: Configures sysctl net.bridge.bridge-nf-call-ip6tables key
|
|
type: number
|
|
ExtraKernelModules:
|
|
default: {}
|
|
description: Hash of extra Kernel modules to load.
|
|
type: json
|
|
tags:
|
|
- role_specific
|
|
ExtraKernelPackages:
|
|
default: {}
|
|
description: List of extra kernel related packages to install.
|
|
type: json
|
|
tags:
|
|
- role_specific
|
|
ExtraSysctlSettings:
|
|
default: {}
|
|
description: Hash of extra sysctl settings to apply.
|
|
type: json
|
|
tags:
|
|
- role_specific
|
|
FsAioMaxNumber:
|
|
default: 0
|
|
description: >
|
|
The kernel allocates aio memory on demand, and this number limits the
|
|
number of parallel aio requests; the only drawback of a larger limit is
|
|
that a malicious guest could issue parallel requests to cause the kernel
|
|
to set aside memory. Set this number at least as large as
|
|
128 * (number of virtual disks on the host)
|
|
Libvirt uses a default of 1M requests to allow 8k disks, with at most
|
|
64M of kernel memory if all disks hit an aio request at the same time.
|
|
type: number
|
|
tags:
|
|
- role_specific
|
|
|
|
conditions:
|
|
ipv6_disabled: {equals: [{get_param: KernelDisableIPv6}, 1]}
|
|
fs_aio_max_number_set:
|
|
and:
|
|
- not: {equals: [{get_param: [RoleParameters, FsAioMaxNumber]}, 0]}
|
|
- not: {equals: [{get_param: [RoleParameters, FsAioMaxNumber]}, '']}
|
|
|
|
resources:
|
|
# Merging role-specific parameters (RoleParameters) with the default parameters.
|
|
# RoleParameters will have the precedence over the default parameters.
|
|
RoleParametersValue:
|
|
type: OS::Heat::Value
|
|
properties:
|
|
type: json
|
|
value:
|
|
map_replace:
|
|
- map_replace:
|
|
- extra_kernel_modules: ExtraKernelModules
|
|
extra_kernel_packages: ExtraKernelPackages
|
|
extra_sysctl_settings: ExtraSysctlSettings
|
|
- values: {get_param: [RoleParameters]}
|
|
- values:
|
|
ExtraKernelModules: {get_param: ExtraKernelModules}
|
|
ExtraKernelPackages: {get_param: ExtraKernelPackages}
|
|
ExtraSysctlSettings: {get_param: ExtraSysctlSettings}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Kernel modules
|
|
value:
|
|
service_name: kernel
|
|
host_prep_tasks:
|
|
- include_role:
|
|
name: tripleo_kernel
|
|
ansible_group_vars:
|
|
hieradata_localhost_address:
|
|
if:
|
|
- ipv6_disabled
|
|
- '127.0.0.1'
|
|
- 'localhost'
|
|
tripleo_kernel_extra_modules: {get_attr: [RoleParametersValue, value, extra_kernel_modules]}
|
|
tripleo_kernel_extra_packages: {get_attr: [RoleParametersValue, value, extra_kernel_packages]}
|
|
tripleo_kernel_sysctl_extra_settings:
|
|
map_merge:
|
|
- net.ipv6.conf.default.disable_ipv6:
|
|
value: {get_param: KernelDisableIPv6}
|
|
net.ipv4.ip_local_reserved_ports:
|
|
value: "35357,49000-49001"
|
|
net.ipv6.conf.all.disable_ipv6:
|
|
value: {get_param: KernelDisableIPv6}
|
|
net.ipv6.conf.lo.disable_ipv6:
|
|
value: 0
|
|
net.ipv4.ip_forward:
|
|
value: {get_param: KernelIpForward}
|
|
net.ipv4.conf.all.rp_filter:
|
|
value: {get_param: KernelIpv4ConfAllRpFilter}
|
|
net.ipv6.conf.all.forwarding:
|
|
value: {get_param: KernelIpv6ConfAllForwarding}
|
|
net.ipv4.ip_nonlocal_bind:
|
|
value: {get_param: KernelIpNonLocalBind}
|
|
net.ipv6.ip_nonlocal_bind:
|
|
value: {get_param: KernelIpNonLocalBind}
|
|
kernel.pid_max:
|
|
value: {get_param: KernelPidMax}
|
|
net.ipv4.neigh.default.gc_thresh1:
|
|
value: {get_param: NeighbourGcThreshold1}
|
|
net.ipv4.neigh.default.gc_thresh2:
|
|
value: {get_param: NeighbourGcThreshold2}
|
|
net.ipv4.neigh.default.gc_thresh3:
|
|
value: {get_param: NeighbourGcThreshold3}
|
|
net.bridge.bridge-nf-call-arptables:
|
|
value: {get_param: BridgeNfCallArpTables}
|
|
net.bridge.bridge-nf-call-iptables:
|
|
value: {get_param: BridgeNfCallIpTables}
|
|
net.bridge.bridge-nf-call-ip6tables:
|
|
value: {get_param: BridgeNfCallIp6Tables}
|
|
fs.inotify.max_user_instances:
|
|
value: {get_param: InotifyInstancesMax}
|
|
vm.unprivileged_userfaultfd:
|
|
value: 1
|
|
- if:
|
|
- fs_aio_max_number_set
|
|
- fs.aio-max-nr:
|
|
value: {get_param: [RoleParameters, FsAioMaxNumber]}
|
|
- {get_attr: [RoleParametersValue, value, extra_sysctl_settings]}
|