openstack/openstack-ansible
Code Issues Proposed changes
openstack-ansible/playbooks/roles/os_nova/templates/nova.conf.j2
kevin b2624d4a26
Compartmentalizing RabbitMQ 
Presently all services use the single root virtual host within RabbitMQ
and while this is “OK” for small to mid sized deployments however it
would be better to divide services into logical resource groups within
RabbitMQ which will bring with it additional security. This change set
provides OSAD better compartmentalization of consumer services that use
RabbitMQ.

UpgradeImpact
DocImpact
Change-Id: I6f9d07522faf133f3c1c84a5b9046a55d5789e52
Implements: blueprint compartmentalize-rabbitmq
2015-09-11 11:08:50 -05:00

260 lines
8.8 KiB
Django/Jinja
Raw Blame History

# {{ ansible_managed }}
{% set _api_threads = ansible_processor_vcpus|default(2) // 2 %}
{% set api_threads = _api_threads if _api_threads > 0 else 1 %}
[DEFAULT]
# Logs / State
debug = {{ debug }}
verbose = {{ verbose }}
fatal_deprecations = {{ nova_fatal_deprecations }}
log_dir = /var/log/nova
state_path = {{ nova_system_home_folder }}
rootwrap_config = /etc/nova/rootwrap.conf
service_down_time = 120
# Quota
quota_cores = {{ nova_quota_cores }}
quota_fixed_ips = {{ nova_quota_fixed_ips }}
quota_floating_ips = {{ nova_quota_floating_ips }}
quota_injected_file_content_bytes = {{ nova_quota_injected_file_content_bytes }}
quota_injected_file_path_length = {{ nova_quota_injected_file_path_length }}
quota_injected_files = {{ nova_quota_injected_files }}
quota_instances = {{ nova_quota_instances }}
quota_key_pairs = {{ nova_quota_key_pairs }}
quota_metadata_items = {{ nova_quota_metadata_items }}
quota_networks = {{ nova_quota_networks }}
quota_ram = {{ nova_quota_ram }}
quota_security_group_rules = {{ nova_quota_security_group_rules }}
quota_security_groups = {{ nova_quota_security_groups }}
quota_server_group_members = {{ nova_quota_server_group_members }}
quota_server_groups = {{ nova_quota_server_groups }}
# Scheduler
cpu_allocation_ratio = {{ nova_cpu_allocation_ratio }}
disk_allocation_ratio = {{ nova_disk_allocation_ratio }}
max_instances_per_host = {{ nova_max_instances_per_host }}
max_io_ops_per_host = {{ nova_max_io_ops_per_host }}
ram_allocation_ratio = {{ nova_ram_allocation_ratio }}
ram_weight_multiplier = {{ nova_ram_weight_multiplier }}
reserved_host_disk_mb = {{ nova_reserved_host_disk_mb }}
reserved_host_memory_mb = {{ nova_reserved_host_memory_mb }}
scheduler_driver = {{ nova_scheduler_driver }}
scheduler_available_filters = {{ nova_scheduler_available_filters }}
scheduler_default_filters = {{ nova_scheduler_default_filters }}
scheduler_driver_task_period = {{ nova_scheduler_driver_task_period }}
scheduler_host_manager = {{ nova_scheduler_host_manager }}
scheduler_host_subset_size = {{ nova_scheduler_host_subset_size }}
scheduler_manager = {{ nova_scheduler_manager }}
scheduler_max_attempts = {{ nova_scheduler_max_attempts }}
scheduler_weight_classes = {{ nova_scheduler_weight_classes }}
# Compute
enable_instance_password = {{ nova_enable_instance_password }}
compute_driver = {{ nova_compute_driver }}
instance_name_template = instance-%08x
instances_path = {{ nova_system_home_folder }}/instances
api_paste_config = /etc/nova/api-paste.ini
allow_resize_to_same_host = True
image_cache_manager_interval = {{ nova_image_cache_manager_interval }}
resume_guests_state_on_host_boot = {{ nova_resume_guests_state_on_host_boot }}
# Api's
enabled_apis = {{ nova_enabled_apis }}
osapi_compute_workers = {{ nova_osapi_compute_workers | default(api_threads) }}
{% if nova_ec2_deprecated_but_enabled == true or nova_ec2_deprecated_but_enabled == 'True' %}
ec2_workers = {{ nova_ec2_workers | default(api_threads) }}
ec2_dmz_host = {{ external_lb_vip_address }}
{% endif %}
{% if nova_s3_deprecated_but_enabled == true or nova_s3_deprecated_but_enabled == 'True' %}
s3_port = {{ nova_s3_service_port }}
s3_host = {{ ansible_ssh_host }}
{% endif %}
# Rpc all
rpc_backend = {{ nova_rpc_backend }}
rpc_thread_pool_size = {{ nova_rpc_thread_pool_size }}
rpc_conn_pool_size = {{ nova_rpc_conn_pool_size }}
rpc_response_timeout = {{ nova_rpc_response_timeout }}
# Metadata
metadata_host = {{ internal_lb_vip_address }}
metadata_port = {{ nova_metadata_port }}
metadata_workers = {{ nova_metadata_workers | default(api_threads) }}
# Network
dhcp_domain = {{ nova_dhcp_domain }}
force_dhcp_release = True
dhcpbridge_flagfile = /etc/nova/nova.conf
firewall_driver = {{ nova_firewall_driver }}
my_ip = {{ ansible_ssh_host }}
default_floating_pool = public
security_group_api = neutron
network_api_class = nova.network.neutronv2.api.API
# VNC disabled, see spice section
vnc_enabled = False
# Authentication
auth_strategy = keystone
## Vif
linuxnet_interface_driver = {{ nova_linuxnet_interface_driver }}
libvirt_vif_driver = {{ nova_libvirt_vif_driver }}
libvirt_vif_type = ethernet
vif_plugging_timeout = 10
vif_plugging_is_fatal = False
# Hypervisor
default_ephemeral_format = ext4
# Configdrive
force_config_drive = {{ nova_force_config_drive }}
# Policy
max_age = {{ nova_max_age }}
# Common
memcached_servers = {{ memcached_servers }}
# Ceilometer notification configurations
{% if nova_ceilometer_enabled %}
instance_usage_audit = True
instance_usage_audit_period = hour
notify_on_state_change = vm_and_task_state
notification_driver = messagingv2
{% endif %}
# Cinder
[cinder]
catalog_info = volumev2:cinderv2:internalURL
cross_az_attach = {{ nova_cross_az_attach }}
{% if nova_spice_html5proxy_base_url is defined and nova_console_type == "spice" %}
[spice]
agent_enabled = {{ nova_console_agent_enabled }}
enabled = {{ nova_console_agent_enabled }}
keymap = {{ nova_console_keymap }}
# Console Url and binds
html5proxy_base_url = {{ nova_spice_html5proxy_base_url }}
server_listen = {{ ansible_ssh_host }}
server_proxyclient_address = {{ ansible_ssh_host }}
{% endif %}
# Glance
[glance]
{% if glance_api_servers is defined %}
api_servers = {{ glance_api_servers }}
{% else %}
host = {{ glance_host }}
port = {{ glance_service_port }}
{% endif %}
# Neutron
[neutron]
url = {{ neutron_service_adminurl }}
region_name = {{ neutron_service_region }}
auth_plugin = password
auth_strategy = keystone
# Keystone client plugin password option
password = {{ neutron_service_password }}
# Keystone client plugin username option
username = {{ neutron_service_user_name }}
project_name = {{ neutron_service_project_name }}
user_domain_name = {{ neutron_service_domain_name |default("Default") }}
project_domain_name = {{ neutron_service_domain_name |default("Default") }}
# Keystone client plugin authentication URL option
auth_url = {{ keystone_service_adminurl }}
metadata_proxy_shared_secret = {{ nova_metadata_proxy_secret }}
service_metadata_proxy = {{ nova_metadata_proxy_enabled }}
[conductor]
use_local = false
topic = conductor
manager = nova.conductor.manager.ConductorManager
workers = {{ nova_conductor_workers | default(api_threads) }}
[osapi_v3]
# note that this setting enables both the v3 and v2.1 APIs in kilo
{% if nova_v3_deprecated_but_enabled == true or nova_v3_deprecated_but_enabled == 'True' or nova_v21_enabled == true or nova_v21_enabled == 'True' %}
enabled = true
{% else %}
enabled = false
{% endif %}
[keystone_authtoken]
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_plugin = {{ nova_keystone_auth_plugin }}
signing_dir = {{ nova_system_home_folder }}/cache/api
auth_url = {{ keystone_service_adminuri }}
auth_uri = {{ keystone_service_internaluri }}
project_domain_id = {{ nova_service_project_domain_id }}
user_domain_id = {{ nova_service_user_domain_id }}
project_name = {{ nova_service_project_name }}
username = {{ nova_service_user_name }}
password = {{ nova_service_password }}
memcached_servers = {{ memcached_servers }}
token_cache_time = 300
revocation_cache_time = 60
# if your memcached server is shared, use these settings to avoid cache poisoning
memcache_security_strategy = ENCRYPT
memcache_secret_key = {{ memcached_encryption_key }}
# if your keystone deployment uses PKI, and you value security over performance:
check_revocations_for_cached = False
{% if inventory_hostname not in groups['nova_compute'] %}
[database]
connection = mysql://{{ nova_galera_user }}:{{ nova_container_mysql_password }}@{{ nova_galera_address }}/{{ nova_galera_database }}?charset=utf8
max_overflow = {{ nova_db_max_overflow }}
max_pool_size = {{ nova_db_max_pool_size }}
pool_timeout = {{ nova_db_pool_timeout }}
{% endif %}
[oslo_concurrency]
lock_path = /var/lock/nova
[oslo_messaging_rabbit]
rabbit_port = {{ rabbitmq_port }}
rabbit_userid = {{ nova_rabbitmq_userid }}
rabbit_password = {{ nova_rabbitmq_password }}
rabbit_virtual_host = {{ nova_rabbitmq_vhost }}
rabbit_hosts = {{ rabbitmq_servers }}
[libvirt]
vif_driver = {{ nova_libvirt_vif_driver }}
inject_partition = {{ nova_libvirt_inject_partition }}
inject_password = {{ nova_libvirt_inject_password }}
inject_key = {{ nova_libvirt_inject_key }}
use_usb_tablet = False
use_virtio_for_bridges = True
cpu_mode = {{ nova_cpu_mode }}
virt_type = {{ nova_virt_type }}
remove_unused_resized_minimum_age_seconds = {{ nova_remove_unused_resized_minimum_age_seconds }}
{% if cinder_backends_rbd_inuse|bool or nova_libvirt_images_rbd_pool is defined %}
rbd_user = {{ nova_ceph_client }}
rbd_secret_uuid = {{ nova_ceph_client_uuid }}
{% endif %}
{% if nova_libvirt_images_rbd_pool is defined %}
# ceph rbd support
images_type = rbd
images_rbd_pool = {{ nova_libvirt_images_rbd_pool }}
images_rbd_ceph_conf = /etc/ceph/ceph.conf
{% endif %}
live_migration_flag = "{{ nova_libvirt_live_migration_flag }}"
hw_disk_discard = {{ nova_libvirt_hw_disk_discard }}
disk_cachemodes = {{ nova_libvirt_disk_cachemodes }}
View Git Blame Copy Permalink