bfcb74f83c
Presently all services use the single root virtual host within RabbitMQ and while this is “OK” for small to mid sized deployments however it would be better to divide services into logical resource groups within RabbitMQ which will bring with it additional security. This change set provides OSAD better compartmentalization of consumer services that use RabbitMQ. UpgradeImpact DocImpact Change-Id: I6f9d07522faf133f3c1c84a5b9046a55d5789e52 Implements: blueprint compartmentalize-rabbitmq
160 lines
5.1 KiB
Django/Jinja
160 lines
5.1 KiB
Django/Jinja
# {{ ansible_managed }}
|
|
|
|
{% set _api_threads = ansible_processor_vcpus|default(2) // 2 %}
|
|
{% set api_threads = _api_threads if _api_threads > 0 else 1 %}
|
|
|
|
# General, applies to all host groups
|
|
[DEFAULT]
|
|
verbose = {{ verbose }}
|
|
debug = {{ debug }}
|
|
fatal_deprecations = {{ neutron_fatal_deprecations }}
|
|
use_syslog = False
|
|
log_file = /var/log/neutron/neutron.log
|
|
|
|
{% if inventory_hostname in groups['neutron_server'] %}
|
|
|
|
# General, only applies to neutron server host group
|
|
network_device_mtu = {{ neutron_network_device_mtu }}
|
|
allow_overlapping_ips = True
|
|
vlan_transparent = False
|
|
|
|
# Plugins
|
|
core_plugin = {{ neutron_plugin_core }}
|
|
service_plugins = {{ neutron_plugin_loaded_base }}
|
|
|
|
# MAC address generation for VIFs
|
|
base_mac = fa:16:3e:00:00:00
|
|
mac_generation_retries = 16
|
|
|
|
# Authentication method
|
|
auth_strategy = keystone
|
|
|
|
# Drivers
|
|
network_scheduler_driver = {{ neutron_driver_network_scheduler }}
|
|
router_scheduler_driver = {{ neutron_driver_router_scheduler }}
|
|
loadbalancer_pool_scheduler_driver = {{ neutron_driver_loadbalancer_pool_scheduler }}
|
|
notification_driver = {{ neutron_driver_notification }}
|
|
|
|
# Schedulers
|
|
network_auto_schedule = True
|
|
router_auto_schedule = True
|
|
|
|
# Distributed virtual routing (disable by default)
|
|
router_distributed = False
|
|
|
|
# Agents
|
|
agent_down_time = {{ neutron_agent_down_time }}
|
|
|
|
# API
|
|
bind_port = 9696
|
|
bind_host = 0.0.0.0
|
|
|
|
# Workers
|
|
api_workers = {{ neutron_api_workers | default(api_threads) }}
|
|
rpc_workers = {{ neutron_rpc_workers }}
|
|
|
|
# DHCP
|
|
dhcp_agent_notification = True
|
|
dhcp_agents_per_network = {{ groups['neutron_agent'] | length }}
|
|
dhcp_lease_duration = 86400
|
|
advertise_mtu = False
|
|
|
|
# Nova notifications
|
|
notify_nova_on_port_status_changes = True
|
|
notify_nova_on_port_data_changes = True
|
|
send_events_interval = 2
|
|
nova_url = {{ nova_service_adminurl|replace('/%(tenant_id)s', '') }}
|
|
|
|
## Rpc all
|
|
rpc_backend = {{ neutron_rpc_backend }}
|
|
rpc_thread_pool_size = {{ neutron_rpc_thread_pool_size }}
|
|
rpc_conn_pool_size = {{ neutron_rpc_conn_pool_size }}
|
|
rpc_response_timeout = {{ neutron_rpc_response_timeout }}
|
|
|
|
[nova]
|
|
auth_plugin = {{ nova_keystone_auth_plugin }}
|
|
auth_url = {{ keystone_service_adminuri }}
|
|
region_name = {{ nova_service_region }}
|
|
project_domain_id = {{ nova_service_project_domain_id }}
|
|
user_domain_id = {{ nova_service_user_domain_id }}
|
|
project_name = {{ nova_service_project_name }}
|
|
username = {{ nova_service_user_name }}
|
|
password = {{ nova_service_password }}
|
|
|
|
# Quotas
|
|
[quotas]
|
|
quota_driver = {{ neutron_driver_quota }}
|
|
quota_items = network,subnet,port
|
|
default_quota = {{ neutron_default_quota }}
|
|
quota_floatingip = {{ neutron_quota_floatingip }}
|
|
quota_health_monitor = {{ neutron_quota_health_monitor }}
|
|
quota_member = {{ neutron_quota_member }}
|
|
quota_network = {{ neutron_quota_network }}
|
|
quota_network_gateway = {{ neutron_quota_network_gateway }}
|
|
quota_packet_filter = {{ neutron_quota_packet_filter }}
|
|
quota_pool = {{ neutron_quota_pool }}
|
|
quota_port = {{ neutron_quota_port }}
|
|
quota_router = {{ neutron_quota_router }}
|
|
quota_security_group = {{ neutron_quota_security_group }}
|
|
quota_security_group_rule = {{ neutron_quota_security_group_rule }}
|
|
quota_subnet = {{ neutron_quota_subnet }}
|
|
quota_vip = {{ neutron_quota_vip }}
|
|
|
|
# Keystone authentication
|
|
[keystone_authtoken]
|
|
insecure = {{ keystone_service_internaluri_insecure | bool }}
|
|
auth_plugin = {{ neutron_keystone_auth_plugin }}
|
|
signing_dir = /var/cache/neutron
|
|
auth_url = {{ keystone_service_adminuri }}
|
|
auth_uri = {{ keystone_service_internaluri }}
|
|
project_domain_id = {{ neutron_service_project_domain_id }}
|
|
user_domain_id = {{ neutron_service_user_domain_id }}
|
|
project_name = {{ neutron_service_project_name }}
|
|
username = {{ neutron_service_user_name }}
|
|
password = {{ neutron_service_password }}
|
|
|
|
memcached_servers = {{ memcached_servers }}
|
|
|
|
token_cache_time = 300
|
|
revocation_cache_time = 60
|
|
|
|
# Prevent cache poisoning if sharing a memcached server
|
|
memcache_security_strategy = ENCRYPT
|
|
memcache_secret_key = {{ memcached_encryption_key }}
|
|
|
|
# Enable if your keystone deployment uses PKI and you prefer security over
|
|
# performance (disable by default)
|
|
check_revocations_for_cached = False
|
|
|
|
# Database
|
|
[database]
|
|
connection = mysql://{{ neutron_galera_user }}:{{ neutron_container_mysql_password }}@{{ neutron_galera_address }}/{{ neutron_galera_database }}?charset=utf8
|
|
max_overflow = {{ neutron_db_max_overflow }}
|
|
max_pool_size = {{ neutron_db_pool_size }}
|
|
pool_timeout = {{ neutron_db_pool_timeout }}
|
|
|
|
# Service providers
|
|
[service_providers]
|
|
service_provider = LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
|
|
service_provider = VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
|
|
|
|
{% endif %}
|
|
|
|
# Agent
|
|
[agent]
|
|
polling_interval = {{ neutron_agent_polling_interval|default(5) }}
|
|
report_interval = {{ neutron_report_interval|int }}
|
|
root_helper = sudo /usr/local/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
|
|
|
|
# Messaging service
|
|
[oslo_messaging_rabbit]
|
|
rabbit_port = {{ rabbitmq_port }}
|
|
rabbit_userid = {{ neutron_rabbitmq_userid }}
|
|
rabbit_password = {{ neutron_rabbitmq_password }}
|
|
rabbit_virtual_host = {{ neutron_rabbitmq_vhost }}
|
|
rabbit_hosts = {{ rabbitmq_servers }}
|
|
|
|
# Concurrency (locking mechanisms)
|
|
[oslo_concurrency]
|
|
lock_path = /var/lock/neutron
|