[DEFAULT] # Print debugging output (set logging level to DEBUG instead of default WARNING level). debug = {{ debug }} {% if not octavia_v2|bool %} bind_host = 0.0.0.0 bind_port = {{ octavia_service_port }} # api_handler = queue_producer # # How should authentication be handled (keystone, noauth) auth_strategy = {{ octavia_auth_strategy }} # {% endif %} # Plugin options are hot_plug_plugin (Hot-pluggable controller plugin) # # octavia_plugins = hot_plug_plugin # Hostname to be used by the host machine for services running on it. # The default value is the hostname of the host machine. # host = # AMQP Transport URL # For Single Host, specify one full transport URL: # transport_url = rabbit://:@127.0.0.1:5672/ # For HA, specify queue nodes in cluster, comma delimited: # transport_url = rabbit://:@server01,:@server02/ transport_url = rabbit://{% for host in octavia_rabbitmq_servers.split(',') %}{{ octavia_rabbitmq_userid }}:{{ octavia_rabbitmq_password }}@{{ host }}:{{ octavia_rabbitmq_port }}{% if not loop.last %},{% else %}/{{ octavia_rabbitmq_vhost }}{% endif %}{% endfor %} [api_settings] bind_host = 0.0.0.0 bind_port = {{ octavia_service_port }} # api_handler = queue_producer # # How should authentication be handled (keystone, noauth) # Note: remove "noauth" once LP bug is fixed auth_strategy = {{ octavia_auth_strategy }} # api_v1_enabled = {{ octavia_v1 }} api_v2_enabled = {{ octavia_v2 }} # Allow users to create TLS Terminated listeners? allow_tls_terminated_listeners = {{ octavia_tls_listener_enabled }} # pre Ocata [oslo_messaging_rabbit] ssl = {{ octavia_rabbitmq_use_ssl }} rpc_conn_pool_size = {{ octavia_rpc_conn_pool_size }} [database] connection = mysql+pymysql://{{ octavia_galera_user }}:{{ octavia_container_mysql_password }}@{{ octavia_galera_address }}/{{ octavia_galera_database }}?charset=utf8 max_overflow = {{ octavia_db_max_overflow }} max_pool_size = {{ octavia_db_pool_size }} pool_timeout = {{ octavia_db_pool_timeout }} [health_manager] bind_ip = 0.0.0.0 bind_port = {{ octavia_health_manager_port }} # controller_ip_port_list example: 127.0.0.1:5555, 127.0.0.1:5555 controller_ip_port_list = {% for host in octavia_hm_hosts.split(',') %}{{ host }}:{{ octavia_health_manager_port }}{% if not loop.last %},{% endif %}{% endfor %} # failover_threads = 10 # status_update_threads = 50 # heartbeat_interval = 10 heartbeat_key = {{ octavia_health_hmac_key }} # heartbeat_timeout = 60 # health_check_interval = 3 # sock_rlimit = 0 # EventStreamer options are # queue_event_streamer, # noop_event_streamer event_streamer_driver = {% if octavia_event_streamer|bool %}queue_event_streamer{% else %}noop_event_streamer{% endif %} # Enable provisioning status sync with neutron db sync_provisioning_status = {{ octavia_sync_provisioning_status }} [keystone_authtoken] insecure = {{ keystone_service_internaluri_insecure | bool }} auth_type = {{ octavia_keystone_auth_plugin }} auth_url = {{ keystone_service_internaluri }}/v3 auth_uri = {{ keystone_service_internaluri }}/v3 auth_version = 3 project_domain_id = {{ octavia_service_project_domain_id }} user_domain_id = {{ octavia_service_user_domain_id }} project_name = {{ octavia_service_project_name }} username = {{ octavia_service_user_name }} password = {{ octavia_service_password }} region_name = {{ keystone_service_region }} auth_type = password endpoint_type = {{ octavia_clients_endpoint }} memcached_servers = {{ memcached_servers }} token_cache_time = 300 # if your memcached server is shared, use these settings to avoid cache poisoning memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcached_encryption_key }} [certificates] # cert_generator = local_cert_generator # For local certificate signing (development only): ca_certificate = /etc/octavia/certs/ca.pem ca_private_key = /etc/octavia/certs/ca_key.pem ca_private_key_passphrase = {{ octavia_ca_private_key_passphrase }} signing_digest = {{ octavia_signing_digest }} # storage_path = /var/lib/octavia/certificates/ # For the TLS management # Certificate Manager options are local_cert_manager # barbican_cert_manager # cert_manager = barbican_cert_manager # For Barbican authentication (if using any Barbican based cert class) # barbican_auth = barbican_acl_auth # # Region in Identity service catalog to use for communication with the Barbican service. # region_name = # # Endpoint type to use for communication with the Barbican service. # endpoint_type = publicURL [anchor] # Use OpenStack anchor to sign the amphora REST API certificates # url = http://localhost:9999/v1/sign/default # username = # password = [networking] # The maximum attempts to retry an action with the networking service. # max_retries = 15 # Seconds to wait before retrying an action with the networking service. # retry_interval = 1 # The maximum time to wait, in seconds, for a port to detach from an amphora # port_detach_timeout = 300 [haproxy_amphora] # base_path = /var/lib/octavia # base_cert_dir = /var/lib/octavia/certs # Absolute path to a custom HAProxy template file {% if octavia_haproxy_amphora_template is defined %} haproxy_template = {{ octavia_haproxy_amphora_template }} {% endif %} # connection_max_retries = 300 # connection_retry_interval = 5 # Maximum number of entries that can fit in the stick table. # The size supports "k", "m", "g" suffixes. # haproxy_stick_size = 10k # REST Driver specific # bind_host = 0.0.0.0 bind_port = {{ octavia_agent_port }} # # This setting is only needed with IPv6 link-local addresses (fe80::/64) are # used for communication between Octavia and its Amphora, if IPv4 or other IPv6 # addresses are used it can be ignored. # lb_network_interface = o-hm0 # # haproxy_cmd = /usr/sbin/haproxy # respawn_count = 2 # respawn_interval = 2 client_cert = /etc/octavia/certs/client.pem server_ca = /etc/octavia/certs/server_ca.pem # # This setting is deprecated. It is now automatically discovered. # use_upstart = True # # rest_request_conn_timeout = 10 # rest_request_read_timeout = 60 [controller_worker] # amp_active_retries = 10 # amp_active_wait_sec = 10 # Glance parameters to extract image ID to use for amphora. Only one of # parameters is needed. Using tags is the recommended way to refer to images. amp_image_id = {{ octavia_amp_image_id }} amp_image_tag = {{ octavia_glance_image_tag }} # Optional owner ID used to restrict glance images to one owner ID. # This is a recommended security setting. amp_image_owner_id = {{ octavia_amp_image_owner_id }} # octavia parameters to use when booting amphora amp_flavor_id = {{ octavia_nova_flavor_uuid }} amp_ssh_key_name = {{ octavia_ssh_key_name }} amp_ssh_access_allowed = {{ octavia_ssh_enabled }} # Networks to attach to the Amphorae examples: # - One primary network # - - amp_boot_network_list = 22222222-3333-4444-5555-666666666666 # - Multiple networks # - - amp_boot_network_list = 11111111-2222-33333-4444-555555555555, 22222222-3333-4444-5555-666666666666 # - All networks defined in the list will be attached to each amphora amp_boot_network_list = {{ octavia_neutron_management_network_uuid }} # Takes a single network id that is attached to amphorae on boot # Deprecated... # amp_network = amp_secgroup_list = {{ octavia_security_group_name }} client_ca = /etc/octavia/certs/client_ca.pem # Amphora driver options are amphora_noop_driver, # amphora_haproxy_rest_driver # amphora_driver = {{ octavia_amphora_driver }} # # Compute driver options are compute_noop_driver # compute_octavia_driver # compute_driver = {{ octavia_compute_driver }} # # Network driver options are network_noop_driver # allowed_address_pairs_driver # network_driver = {{ octavia_network_driver }} # # Certificate Generator options are local_cert_generator # barbican_cert_generator # anchor_cert_generator # cert_generator = local_cert_generator # # Load balancer topology options are SINGLE, ACTIVE_STANDBY loadbalancer_topology = {{ octavia_loadbalancer_topology }} # user_data_config_drive = False [task_flow] # engine = serial max_workers = {{ octavia_task_flow_max_workers }} [oslo_messaging] # Queue Consumer Thread Pool Size rpc_thread_pool_size = {{ octavia_rpc_thread_pool_size }} # Topic (i.e. Queue) Name topic = octavia_prov # Topic for octavia's events sent to a queue event_stream_topic = neutron_lbaas_event [house_keeping] # Interval in seconds to initiate spare amphora checks # spare_check_interval = 30 spare_amphora_pool_size = {{ octavia_spare_amphora_pool_size }} # Cleanup interval for Deleted amphora # cleanup_interval = 30 # Amphora expiry age in seconds. Default is 1 week # amphora_expiry_age = 604800 # Load balancer expiry age in seconds. Default is 1 week # load_balancer_expiry_age = 604800 [amphora_agent] # agent_server_ca = /etc/octavia/certs/client_ca.pem # agent_server_cert = /etc/octavia/certs/server.pem # agent_server_network_dir = /etc/netns/amphora-haproxy/network/interfaces.d/ # agent_server_network_file = # agent_request_read_timeout = 120 [keepalived_vrrp] # Amphora Role/Priority advertisement interval in seconds # vrrp_advert_int = 1 # Service health check interval and success/fail count # vrrp_check_interval = 5 # vrpp_fail_count = 2 # vrrp_success_count = 2 # Amphora MASTER gratuitous ARP refresh settings # vrrp_garp_refresh_interval = 5 # vrrp_garp_refresh_count = 2 [service_auth] # memcached_servers = # signing_dir = # cafile = /opt/stack/data/ca-bundle.pem # project_domain_name = Default # project_name = admin # user_domain_name = Default # password = password # username = admin # auth_type = password # auth_url = http://localhost:5555/ insecure = {{ keystone_service_internaluri_insecure | bool }} auth_plugin = {{ octavia_keystone_auth_plugin }} auth_url = {{ keystone_service_internaluri }}/v3 auth_uri = {{ keystone_service_internaluri }}/v3 auth_version = 3 project_domain_name = {{ octavia_service_project_domain_id }} user_domain_name = {{ octavia_service_user_domain_id }} project_name = {{ octavia_service_project_name }} username = {{ octavia_service_user_name }} password = {{ octavia_service_password }} region_name = {{ keystone_service_region }} auth_type = password memcached_servers = {{ memcached_servers }} endpoint_type = {{ octavia_clients_endpoint }} token_cache_time = 300 # if your memcached server is shared, use these settings to avoid cache poisoning memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcached_encryption_key }} [octavia] # The name of the octavia service in the keystone catalog # service_name = # Custom octavia endpoint if override is necessary # endpoint = # Region in Identity service catalog to use for communication with the # OpenStack services. region_name = {{ keystone_service_region }} # Endpoint type in Identity service catalog to use for communication with # the OpenStack services. endpoint_type = {{ octavia_clients_endpoint }} # CA certificates file to verify neutron connections when TLS is enabled # insecure = False # ca_certificates_file = [nova] # The name of the nova service in the keystone catalog # service_name = # Custom nova endpoint if override is necessary # endpoint = # Region in Identity service catalog to use for communication with the # OpenStack services. region_name = {{ keystone_service_region }} # Endpoint type in Identity service catalog to use for communication with # the OpenStack services. endpoint_type = {{ octavia_clients_endpoint }} # CA certificates file to verify neutron connections when TLS is enabled # insecure = False # ca_certificates_file = enable_anti_affinity = {{ octavia_enable_anti_affinity }} {% if octavia_amp_availability_zone is defined %}availability_zone={{ octavia_amp_availability_zone }}{%endif%} [glance] # The name of the glance service in the keystone catalog # service_name = # Custom glance endpoint if override is necessary # endpoint = # Region in Identity service catalog to use for communication with the # OpenStack services. region_name = {{ keystone_service_region }} # Endpoint type in Identity service catalog to use for communication with # the OpenStack services. endpoint_type = {{ octavia_clients_endpoint }} # CA certificates file to verify neutron connections when TLS is enabled # insecure = False # ca_certificates_file = [neutron] # The name of the neutron service in the keystone catalog # service_name = # Custom neutron endpoint if override is necessary # endpoint = # Region in Identity service catalog to use for communication with the # OpenStack services. region_name = {{ keystone_service_region }} # Endpoint type in Identity service catalog to use for communication with # the OpenStack services. endpoint_type = {{ octavia_clients_endpoint }} # CA certificates file to verify neutron connections when TLS is enabled # insecure = False # ca_certificates_file =