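# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for nova.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
---
release_group: null

# Node-selector label pairs; each component is scheduled only onto nodes
# carrying `node_selector_key: node_selector_value`.
labels:
  agent:
    compute:
      node_selector_key: openstack-compute-node
      node_selector_value: enabled
    compute_ironic:
      node_selector_key: openstack-compute-node
      node_selector_value: enabled
  api_metadata:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  conductor:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  consoleauth:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  job:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  novncproxy:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  osapi:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  placement:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  scheduler:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  spiceproxy:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  test:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled

# Container images, keyed by the job or service that runs them. All tags are
# mutable references; pin by digest if an immutable supply chain is required.
images:
  pull_policy: IfNotPresent
  tags:
    bootstrap: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
    db_drop: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
    db_init: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
    dep_check: 'quay.io/stackanetes/kubernetes-entrypoint:v0.3.1'
    rabbit_init: docker.io/rabbitmq:3.7-management
    ks_user: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
    ks_service: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
    ks_endpoints: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
    nova_api: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
    nova_cell_setup: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
    nova_cell_setup_init: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
    nova_compute: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
    nova_compute_ironic: 'docker.io/kolla/ubuntu-source-nova-compute-ironic:ocata'
    nova_compute_ssh: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
    nova_conductor: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
    nova_consoleauth: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
    nova_db_sync: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
    nova_novncproxy: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
    nova_novncproxy_assets: 'docker.io/kolla/ubuntu-source-nova-novncproxy:ocata'
    nova_placement: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
    nova_scheduler: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
    # NOTE(portdirect): we simply use the ceph config helper here,
    # as it has both oscli and jq.
    nova_service_cleaner: 'docker.io/port/ceph-config-helper:v1.10.3'
    nova_spiceproxy: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
    nova_spiceproxy_assets: 'docker.io/kolla/ubuntu-source-nova-spicehtml5proxy:ocata'
    test: docker.io/xrally/xrally-openstack:1.3.0
    image_repo_sync: docker.io/docker:17.07.0
  # When active, images are mirrored into a local registry; the listed tags
  # are excluded from that sync.
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync

# Cron-driven jobs. `cron` is a standard five-field schedule; `history`
# bounds how many finished runs of each outcome are retained.
jobs:
  # NOTE(portdirect): When using cells new nodes will be added to the cell on the hour by default.
  # TODO(portdirect): Add a post-start action to nova compute pods that registers themselves.
  cell_setup:
    cron: "0 */1 * * *"
    starting_deadline: 600
    history:
      success: 3
      failed: 1
  service_cleaner:
    cron: "0 */1 * * *"
    starting_deadline: 600
    history:
      success: 3
      failed: 1

# Post-install bootstrap. `script` may hold a custom script (null = none);
# `structured.flavors` declares the flavors created when enabled.
bootstrap:
  enabled: true
  # Keystone user the bootstrap job authenticates as — confirm against the
  # bootstrap template before relying on this.
  ks_user: admin
  script: null
  structured:
    flavors:
      enabled: true
      options:
        m1_tiny:
          name: "m1.tiny"
          id: "auto"
          ram: 512
          disk: 1
          vcpus: 1
        m1_small:
          name: "m1.small"
          id: "auto"
          ram: 2048
          disk: 20
          vcpus: 1
        m1_medium:
          name: "m1.medium"
          id: "auto"
          ram: 4096
          disk: 40
          vcpus: 2
        m1_large:
          name: "m1.large"
          id: "auto"
          ram: 8192
          disk: 80
          vcpus: 4
        m1_xlarge:
          name: "m1.xlarge"
          id: "auto"
          ram: 16384
          disk: 160
          vcpus: 8

# Service exposure. NodePorts are disabled by default; enabling one exposes
# the API on every node's address, not just through the ingress.
network:
  # provide what type of network wiring will be used
  # possible options: openvswitch, linuxbridge, sriov
  backend:
    - openvswitch
  osapi:
    port: 8774
    ingress:
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    node_port:
      enabled: false
      port: 30774
  metadata:
    port: 8775
    ingress:
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    node_port:
      enabled: false
      port: 30775
  placement:
    port: 8778
    ingress:
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    node_port:
      enabled: false
      port: 30778
  novncproxy:
    ingress:
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    node_port:
      enabled: false
      port: 30680
  spiceproxy:
    node_port:
      enabled: false
      port: 30682
  ssh:
    name: "nova-ssh"
    port: 8022
    # NOTE(review): nesting of `from_subnet` under `sshd` was reconstructed
    # from a flattened source — confirm against the sshd template.
    sshd:
      enabled: false
      # NOTE(review): 0.0.0.0/24 is the range 0.0.0.0-0.0.0.255, not "any
      # address"; confirm this is the intended source subnet for sshd.
      from_subnet: 0.0.0.0/24

# Startup dependencies per component: jobs that must have completed,
# services whose endpoint must resolve, and pods that must be running
# (`requireSameNode` restricts the pod check to the local node).
dependencies:
  dynamic:
    common:
      local_image_registry:
        jobs:
          - nova-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
    # Selected by `network.backend`: the compute pod waits for the matching
    # neutron agent on the same node.
    targeted:
      openvswitch:
        compute:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-ovs-agent
      linuxbridge:
        compute:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-lb-agent
      sriov:
        compute:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-sriov-agent
  static:
    api:
      jobs:
        - nova-db-sync
        - nova-ks-user
        - nova-ks-endpoints
        - nova-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: identity
    api_metadata:
      jobs:
        - nova-db-sync
        - nova-ks-user
        - nova-ks-endpoints
        - nova-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: identity
    bootstrap:
      services:
        - endpoint: internal
          service: identity
        - endpoint: internal
          service: compute
    cell_setup:
      jobs:
        - nova-db-sync
        - nova-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: identity
        - endpoint: internal
          service: compute
      pod:
        - requireSameNode: false
          labels:
            application: nova
            component: compute
    service_cleaner:
      jobs:
        - nova-db-sync
        - nova-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: identity
        - endpoint: internal
          service: compute
    compute:
      pod:
        - requireSameNode: true
          labels:
            application: libvirt
            component: libvirt
      jobs:
        - nova-db-sync
        - nova-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: image
        - endpoint: internal
          service: compute
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute_metadata
    compute_ironic:
      jobs:
        - nova-db-sync
        - nova-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: image
        - endpoint: internal
          service: compute
        - endpoint: internal
          service: network
        - endpoint: internal
          service: baremetal
    conductor:
      jobs:
        - nova-db-sync
        - nova-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: identity
        - endpoint: internal
          service: compute
    consoleauth:
      jobs:
        - nova-db-sync
        - nova-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: identity
        - endpoint: internal
          service: compute
    db_drop:
      services:
        - endpoint: internal
          service: oslo_db
    db_init:
      services:
        - endpoint: internal
          service: oslo_db
    db_sync:
      jobs:
        - nova-db-init
      services:
        - endpoint: internal
          service: oslo_db
    ks_endpoints:
      jobs:
        - nova-ks-service
      services:
        - endpoint: internal
          service: identity
    ks_service:
      services:
        - endpoint: internal
          service: identity
    ks_user:
      services:
        - endpoint: internal
          service: identity
    rabbit_init:
      services:
        - service: oslo_messaging
          endpoint: internal
    novncproxy:
      jobs:
        - nova-db-sync
      services:
        - endpoint: internal
          service: oslo_db
    spiceproxy:
      jobs:
        - nova-db-sync
      services:
        - endpoint: internal
          service: oslo_db
    scheduler:
      jobs:
        - nova-db-sync
        - nova-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: identity
        - endpoint: internal
          service: compute
    tests:
      services:
        - endpoint: internal
          service: image
        - endpoint: internal
          service: compute
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute_metadata
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry

# Remote console selection. The interface keys are deliberately left blank
# (they parse as null) so the default routing interface is searched.
console:
  # serial | spice | novnc | none
  console_kind: novnc
  serial:
  spice:
    compute:
      # IF blank, search default routing interface
      server_proxyclient_interface:
    proxy:
      # IF blank, search default routing interface
      server_proxyclient_interface:
  novnc:
    compute:
      # IF blank, search default routing interface
      vncserver_proxyclient_interface:
    vncproxy:
      # IF blank, search default routing interface
      vncserver_proxyclient_interface:

# Host key types generated for the nova ssh service.
# NOTE(review): ssh-dss keys are 1024-bit and have been disabled by default
# in OpenSSH since 7.0; consider dropping `dsa` unless a peer still needs it.
ssh:
  key_types:
    - rsa
    - dsa
    - ecdsa
    - ed25519

ceph_client:
  configmap: ceph-etc
  user_secret_name: pvc-ceph-client-key

# Rendered configuration files. Each `|` block scalar is written out
# verbatim, so its content must stay indented under its key.
conf:
  security: |
    #
    # Disable access to the entire file system except for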
the directories that # are explicitly allowed later. # # This currently breaks the configurations that come with some web application # Debian packages. # # # AllowOverride None # Require all denied # # Changing the following options will not really affect the security of the # server, but might make attacks slightly more difficult in some cases. # # ServerTokens # This directive configures what you return as the Server HTTP response # Header. The default is 'Full' which sends information about the OS-Type # and compiled in modules. # Set to one of: Full | OS | Minimal | Minor | Major | Prod # where Full conveys the most information, and Prod the least. ServerTokens Prod # # Optionally add a line containing the server version and virtual host # name to server-generated pages (internal error documents, FTP directory # listings, mod_status and mod_info output etc., but not CGI generated # documents or custom error documents). # Set to "EMail" to also include a mailto: link to the ServerAdmin. # Set to one of: On | Off | EMail ServerSignature Off # # Allow TRACE method # # Set to "extended" to also reflect the request body (only for testing and # diagnostic purposes). # # Set to one of: On | Off | extended TraceEnable Off # # Forbid access to version control directories # # If you use version control systems in your document root, you should # probably deny access to their directories. For example, for subversion: # # # Require all denied # # # Setting this header will prevent MSIE from interpreting files as something # else than declared by the content type in the HTTP headers. # Requires mod_headers to be enabled. # #Header set X-Content-Type-Options: "nosniff" # # Setting this header will prevent other sites from embedding pages from this # site as frames. This defends against clickjacking attacks. # Requires mod_headers to be enabled. 
# #Header set X-Frame-Options: "sameorigin" software: apache2: binary: apache2 start_parameters: -DFOREGROUND conf_dir: /etc/apache2/conf-enabled site_dir: /etc/apache2/sites-enable mods_dir: /etc/apache2/mods-available a2enmod: null a2dismod: null ceph: enabled: true admin_keyring: null cinder: user: "cinder" keyring: null secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337 ssh: | Host * StrictHostKeyChecking no UserKnownHostsFile /dev/null Port {{ .Values.network.ssh.port }} ssh_private: 'null' ssh_public: 'null' rally_tests: run_tempest: false tests: NovaAgents.list_agents: - runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 NovaAggregates.create_and_get_aggregate_details: - args: availability_zone: nova runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 NovaAggregates.create_and_update_aggregate: - args: availability_zone: nova runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 NovaAggregates.list_aggregates: - runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 NovaAvailabilityZones.list_availability_zones: - args: detailed: true runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 NovaFlavors.create_and_delete_flavor: - args: disk: 1 ram: 500 vcpus: 1 runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 NovaFlavors.create_and_list_flavor_access: - args: disk: 1 ram: 500 vcpus: 1 runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 NovaFlavors.create_flavor: - args: disk: 1 ram: 500 vcpus: 1 runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 NovaFlavors.create_flavor_and_add_tenant_access: - args: disk: 1 ram: 500 vcpus: 1 runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 NovaFlavors.create_flavor_and_set_keys: - args: disk: 1 extra_specs: 'quota:disk_read_bytes_sec': 10240 ram: 500 vcpus: 1 runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 
NovaFlavors.list_flavors: - args: detailed: true runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 NovaHypervisors.list_and_get_hypervisors: - args: detailed: true runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 NovaHypervisors.list_and_get_uptime_hypervisors: - args: detailed: true runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 NovaHypervisors.list_and_search_hypervisors: - args: detailed: true runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 NovaHypervisors.list_hypervisors: - args: detailed: true runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 NovaHypervisors.statistics_hypervisors: - args: {} runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 NovaKeypair.create_and_delete_keypair: - runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 NovaKeypair.create_and_list_keypairs: - runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 NovaServerGroups.create_and_list_server_groups: - args: all_projects: false kwargs: policies: - affinity runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 NovaServices.list_services: - runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 paste: composite:metadata: use: egg:Paste#urlmap /: meta pipeline:meta: pipeline: cors metaapp app:metaapp: paste.app_factory: nova.api.metadata.handler:MetadataRequestHandler.factory composite:osapi_compute: use: call:nova.api.openstack.urlmap:urlmap_factory /: oscomputeversions /v2: openstack_compute_api_v21_legacy_v2_compatible /v2.1: openstack_compute_api_v21 composite:openstack_compute_api_v21: use: call:nova.api.auth:pipeline_factory_v21 noauth2: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21 keystone: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit authtoken audit keystonecontext osapi_compute_app_v21 
composite:openstack_compute_api_v21_legacy_v2_compatible: use: call:nova.api.auth:pipeline_factory_v21 noauth2: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21 keystone: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit authtoken audit keystonecontext legacy_v2_compatible osapi_compute_app_v21 filter:request_id: paste.filter_factory: oslo_middleware:RequestId.factory filter:compute_req_id: paste.filter_factory: nova.api.compute_req_id:ComputeReqIdMiddleware.factory filter:faultwrap: paste.filter_factory: nova.api.openstack:FaultWrapper.factory filter:noauth2: paste.filter_factory: nova.api.openstack.auth:NoAuthMiddleware.factory filter:sizelimit: paste.filter_factory: oslo_middleware:RequestBodySizeLimiter.factory filter:http_proxy_to_wsgi: paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory filter:legacy_v2_compatible: paste.filter_factory: nova.api.openstack:LegacyV2CompatibleWrapper.factory app:osapi_compute_app_v21: paste.app_factory: nova.api.openstack.compute:APIRouterV21.factory pipeline:oscomputeversions: pipeline: faultwrap http_proxy_to_wsgi oscomputeversionapp app:oscomputeversionapp: paste.app_factory: nova.api.openstack.compute.versions:Versions.factory filter:cors: paste.filter_factory: oslo_middleware.cors:filter_factory oslo_config_project: nova filter:keystonecontext: paste.filter_factory: nova.api.auth:NovaKeystoneContext.factory filter:authtoken: paste.filter_factory: keystonemiddleware.auth_token:filter_factory filter:audit: paste.filter_factory: keystonemiddleware.audit:filter_factory audit_map_file: /etc/nova/api_audit_map.conf policy: os_compute_api:os-admin-actions:discoverable: "@" os_compute_api:os-admin-actions:reset_state: rule:admin_api os_compute_api:os-admin-actions:inject_network_info: rule:admin_api os_compute_api:os-admin-actions: rule:admin_api os_compute_api:os-admin-actions:reset_network: rule:admin_api 
os_compute_api:os-admin-password:discoverable: "@" os_compute_api:os-admin-password: rule:admin_or_owner os_compute_api:os-agents: rule:admin_api os_compute_api:os-agents:discoverable: "@" os_compute_api:os-aggregates:set_metadata: rule:admin_api os_compute_api:os-aggregates:add_host: rule:admin_api os_compute_api:os-aggregates:discoverable: "@" os_compute_api:os-aggregates:create: rule:admin_api os_compute_api:os-aggregates:remove_host: rule:admin_api os_compute_api:os-aggregates:update: rule:admin_api os_compute_api:os-aggregates:index: rule:admin_api os_compute_api:os-aggregates:delete: rule:admin_api os_compute_api:os-aggregates:show: rule:admin_api os_compute_api:os-assisted-volume-snapshots:create: rule:admin_api os_compute_api:os-assisted-volume-snapshots:delete: rule:admin_api os_compute_api:os-assisted-volume-snapshots:discoverable: "@" os_compute_api:os-attach-interfaces: rule:admin_or_owner os_compute_api:os-attach-interfaces:discoverable: "@" os_compute_api:os-attach-interfaces:create: rule:admin_or_owner os_compute_api:os-attach-interfaces:delete: rule:admin_or_owner os_compute_api:os-availability-zone:list: rule:admin_or_owner os_compute_api:os-availability-zone:discoverable: "@" os_compute_api:os-availability-zone:detail: rule:admin_api os_compute_api:os-baremetal-nodes:discoverable: "@" os_compute_api:os-baremetal-nodes: rule:admin_api context_is_admin: role:admin admin_or_owner: is_admin:True or project_id:%(project_id)s admin_api: is_admin:True network:attach_external_network: is_admin:True os_compute_api:os-block-device-mapping:discoverable: "@" os_compute_api:os-block-device-mapping-v1:discoverable: "@" os_compute_api:os-cells:discoverable: "@" os_compute_api:os-cells:update: rule:admin_api os_compute_api:os-cells:create: rule:admin_api os_compute_api:os-cells: rule:admin_api os_compute_api:os-cells:sync_instances: rule:admin_api os_compute_api:os-cells:delete: rule:admin_api cells_scheduler_filter:DifferentCellFilter: is_admin:True 
cells_scheduler_filter:TargetCellFilter: is_admin:True os_compute_api:os-certificates:discoverable: "@" os_compute_api:os-certificates:create: rule:admin_or_owner os_compute_api:os-certificates:show: rule:admin_or_owner os_compute_api:os-cloudpipe: rule:admin_api os_compute_api:os-cloudpipe:discoverable: "@" os_compute_api:os-config-drive:discoverable: "@" os_compute_api:os-config-drive: rule:admin_or_owner os_compute_api:os-console-auth-tokens:discoverable: "@" os_compute_api:os-console-auth-tokens: rule:admin_api os_compute_api:os-console-output:discoverable: "@" os_compute_api:os-console-output: rule:admin_or_owner os_compute_api:os-consoles:create: rule:admin_or_owner os_compute_api:os-consoles:show: rule:admin_or_owner os_compute_api:os-consoles:delete: rule:admin_or_owner os_compute_api:os-consoles:discoverable: "@" os_compute_api:os-consoles:index: rule:admin_or_owner os_compute_api:os-create-backup:discoverable: "@" os_compute_api:os-create-backup: rule:admin_or_owner os_compute_api:os-deferred-delete:discoverable: "@" os_compute_api:os-deferred-delete: rule:admin_or_owner os_compute_api:os-evacuate:discoverable: "@" os_compute_api:os-evacuate: rule:admin_api os_compute_api:os-extended-availability-zone: rule:admin_or_owner os_compute_api:os-extended-availability-zone:discoverable: "@" os_compute_api:os-extended-server-attributes: rule:admin_api os_compute_api:os-extended-server-attributes:discoverable: "@" os_compute_api:os-extended-status:discoverable: "@" os_compute_api:os-extended-status: rule:admin_or_owner os_compute_api:os-extended-volumes: rule:admin_or_owner os_compute_api:os-extended-volumes:discoverable: "@" os_compute_api:extension_info:discoverable: "@" os_compute_api:extensions: rule:admin_or_owner os_compute_api:extensions:discoverable: "@" os_compute_api:os-fixed-ips:discoverable: "@" os_compute_api:os-fixed-ips: rule:admin_api os_compute_api:os-flavor-access:add_tenant_access: rule:admin_api os_compute_api:os-flavor-access:discoverable: "@" 
os_compute_api:os-flavor-access:remove_tenant_access: rule:admin_api os_compute_api:os-flavor-access: rule:admin_or_owner os_compute_api:os-flavor-extra-specs:show: rule:admin_or_owner os_compute_api:os-flavor-extra-specs:create: rule:admin_api os_compute_api:os-flavor-extra-specs:discoverable: "@" os_compute_api:os-flavor-extra-specs:update: rule:admin_api os_compute_api:os-flavor-extra-specs:delete: rule:admin_api os_compute_api:os-flavor-extra-specs:index: rule:admin_or_owner os_compute_api:os-flavor-manage: rule:admin_api os_compute_api:os-flavor-manage:discoverable: "@" os_compute_api:os-flavor-rxtx: rule:admin_or_owner os_compute_api:os-flavor-rxtx:discoverable: "@" os_compute_api:flavors:discoverable: "@" os_compute_api:flavors: rule:admin_or_owner os_compute_api:os-floating-ip-dns: rule:admin_or_owner os_compute_api:os-floating-ip-dns:domain:update: rule:admin_api os_compute_api:os-floating-ip-dns:discoverable: "@" os_compute_api:os-floating-ip-dns:domain:delete: rule:admin_api os_compute_api:os-floating-ip-pools:discoverable: "@" os_compute_api:os-floating-ip-pools: rule:admin_or_owner os_compute_api:os-floating-ips: rule:admin_or_owner os_compute_api:os-floating-ips:discoverable: "@" os_compute_api:os-floating-ips-bulk:discoverable: "@" os_compute_api:os-floating-ips-bulk: rule:admin_api os_compute_api:os-fping:all_tenants: rule:admin_api os_compute_api:os-fping:discoverable: "@" os_compute_api:os-fping: rule:admin_or_owner os_compute_api:os-hide-server-addresses:discoverable: "@" os_compute_api:os-hide-server-addresses: is_admin:False os_compute_api:os-hosts:discoverable: "@" os_compute_api:os-hosts: rule:admin_api os_compute_api:os-hypervisors:discoverable: "@" os_compute_api:os-hypervisors: rule:admin_api os_compute_api:image-metadata:discoverable: "@" os_compute_api:image-size:discoverable: "@" os_compute_api:image-size: rule:admin_or_owner os_compute_api:images:discoverable: "@" os_compute_api:os-instance-actions:events: rule:admin_api 
os_compute_api:os-instance-actions: rule:admin_or_owner os_compute_api:os-instance-actions:discoverable: "@" os_compute_api:os-instance-usage-audit-log: rule:admin_api os_compute_api:os-instance-usage-audit-log:discoverable: "@" os_compute_api:ips:discoverable: "@" os_compute_api:ips:show: rule:admin_or_owner os_compute_api:ips:index: rule:admin_or_owner os_compute_api:os-keypairs:discoverable: "@" os_compute_api:os-keypairs:index: rule:admin_api or user_id:%(user_id)s os_compute_api:os-keypairs:create: rule:admin_api or user_id:%(user_id)s os_compute_api:os-keypairs:delete: rule:admin_api or user_id:%(user_id)s os_compute_api:os-keypairs:show: rule:admin_api or user_id:%(user_id)s os_compute_api:os-keypairs: rule:admin_or_owner os_compute_api:limits:discoverable: "@" os_compute_api:limits: rule:admin_or_owner os_compute_api:os-lock-server:discoverable: "@" os_compute_api:os-lock-server:lock: rule:admin_or_owner os_compute_api:os-lock-server:unlock:unlock_override: rule:admin_api os_compute_api:os-lock-server:unlock: rule:admin_or_owner os_compute_api:os-migrate-server:migrate: rule:admin_api os_compute_api:os-migrate-server:discoverable: "@" os_compute_api:os-migrate-server:migrate_live: rule:admin_api os_compute_api:os-migrations:index: rule:admin_api os_compute_api:os-migrations:discoverable: "@" os_compute_api:os-multinic: rule:admin_or_owner os_compute_api:os-multinic:discoverable: "@" os_compute_api:os-multiple-create:discoverable: "@" os_compute_api:os-networks:discoverable: "@" os_compute_api:os-networks: rule:admin_api os_compute_api:os-networks:view: rule:admin_or_owner os_compute_api:os-networks-associate: rule:admin_api os_compute_api:os-networks-associate:discoverable: "@" os_compute_api:os-pause-server:unpause: rule:admin_or_owner os_compute_api:os-pause-server:discoverable: "@" os_compute_api:os-pause-server:pause: rule:admin_or_owner os_compute_api:os-pci:index: rule:admin_api os_compute_api:os-pci:detail: rule:admin_api 
os_compute_api:os-pci:pci_servers: rule:admin_or_owner os_compute_api:os-pci:show: rule:admin_api os_compute_api:os-pci:discoverable: "@" os_compute_api:os-quota-class-sets:show: is_admin:True or quota_class:%(quota_class)s os_compute_api:os-quota-class-sets:discoverable: "@" os_compute_api:os-quota-class-sets:update: rule:admin_api os_compute_api:os-quota-sets:update: rule:admin_api os_compute_api:os-quota-sets:defaults: "@" os_compute_api:os-quota-sets:show: rule:admin_or_owner os_compute_api:os-quota-sets:delete: rule:admin_api os_compute_api:os-quota-sets:discoverable: "@" os_compute_api:os-quota-sets:detail: rule:admin_api os_compute_api:os-remote-consoles: rule:admin_or_owner os_compute_api:os-remote-consoles:discoverable: "@" os_compute_api:os-rescue:discoverable: "@" os_compute_api:os-rescue: rule:admin_or_owner os_compute_api:os-scheduler-hints:discoverable: "@" os_compute_api:os-security-group-default-rules:discoverable: "@" os_compute_api:os-security-group-default-rules: rule:admin_api os_compute_api:os-security-groups: rule:admin_or_owner os_compute_api:os-security-groups:discoverable: "@" os_compute_api:os-server-diagnostics: rule:admin_api os_compute_api:os-server-diagnostics:discoverable: "@" os_compute_api:os-server-external-events:create: rule:admin_api os_compute_api:os-server-external-events:discoverable: "@" os_compute_api:os-server-groups:discoverable: "@" os_compute_api:os-server-groups: rule:admin_or_owner os_compute_api:server-metadata:index: rule:admin_or_owner os_compute_api:server-metadata:show: rule:admin_or_owner os_compute_api:server-metadata:create: rule:admin_or_owner os_compute_api:server-metadata:discoverable: "@" os_compute_api:server-metadata:update_all: rule:admin_or_owner os_compute_api:server-metadata:delete: rule:admin_or_owner os_compute_api:server-metadata:update: rule:admin_or_owner os_compute_api:os-server-password: rule:admin_or_owner os_compute_api:os-server-password:discoverable: "@" 
os_compute_api:os-server-tags:delete_all: "@" os_compute_api:os-server-tags:index: "@" os_compute_api:os-server-tags:update_all: "@" os_compute_api:os-server-tags:delete: "@" os_compute_api:os-server-tags:update: "@" os_compute_api:os-server-tags:show: "@" os_compute_api:os-server-tags:discoverable: "@" os_compute_api:os-server-usage: rule:admin_or_owner os_compute_api:os-server-usage:discoverable: "@" os_compute_api:servers:index: rule:admin_or_owner os_compute_api:servers:detail: rule:admin_or_owner os_compute_api:servers:detail:get_all_tenants: rule:admin_api os_compute_api:servers:index:get_all_tenants: rule:admin_api os_compute_api:servers:show: rule:admin_or_owner os_compute_api:servers:show:host_status: rule:admin_api os_compute_api:servers:create: rule:admin_or_owner os_compute_api:servers:create:forced_host: rule:admin_api os_compute_api:servers:create:attach_volume: rule:admin_or_owner os_compute_api:servers:create:attach_network: rule:admin_or_owner os_compute_api:servers:delete: rule:admin_or_owner os_compute_api:servers:update: rule:admin_or_owner os_compute_api:servers:confirm_resize: rule:admin_or_owner os_compute_api:servers:revert_resize: rule:admin_or_owner os_compute_api:servers:reboot: rule:admin_or_owner os_compute_api:servers:resize: rule:admin_or_owner os_compute_api:servers:rebuild: rule:admin_or_owner os_compute_api:servers:create_image: rule:admin_or_owner os_compute_api:servers:create_image:allow_volume_backed: rule:admin_or_owner os_compute_api:servers:start: rule:admin_or_owner os_compute_api:servers:stop: rule:admin_or_owner os_compute_api:servers:trigger_crash_dump: rule:admin_or_owner os_compute_api:servers:discoverable: "@" os_compute_api:servers:migrations:show: rule:admin_api os_compute_api:servers:migrations:force_complete: rule:admin_api os_compute_api:servers:migrations:delete: rule:admin_api os_compute_api:servers:migrations:index: rule:admin_api os_compute_api:server-migrations:discoverable: "@" os_compute_api:os-services: 
rule:admin_api os_compute_api:os-services:discoverable: "@" os_compute_api:os-shelve:shelve: rule:admin_or_owner os_compute_api:os-shelve:unshelve: rule:admin_or_owner os_compute_api:os-shelve:shelve_offload: rule:admin_api os_compute_api:os-shelve:discoverable: "@" os_compute_api:os-simple-tenant-usage:show: rule:admin_or_owner os_compute_api:os-simple-tenant-usage:list: rule:admin_api os_compute_api:os-simple-tenant-usage:discoverable: "@" os_compute_api:os-suspend-server:resume: rule:admin_or_owner os_compute_api:os-suspend-server:suspend: rule:admin_or_owner os_compute_api:os-suspend-server:discoverable: "@" os_compute_api:os-tenant-networks: rule:admin_or_owner os_compute_api:os-tenant-networks:discoverable: "@" os_compute_api:os-used-limits:discoverable: "@" os_compute_api:os-used-limits: rule:admin_api os_compute_api:os-user-data:discoverable: "@" os_compute_api:versions:discoverable: "@" os_compute_api:os-virtual-interfaces:discoverable: "@" os_compute_api:os-virtual-interfaces: rule:admin_or_owner os_compute_api:os-volumes:discoverable: "@" os_compute_api:os-volumes: rule:admin_or_owner os_compute_api:os-volumes-attachments:index: rule:admin_or_owner os_compute_api:os-volumes-attachments:create: rule:admin_or_owner os_compute_api:os-volumes-attachments:show: rule:admin_or_owner os_compute_api:os-volumes-attachments:discoverable: "@" os_compute_api:os-volumes-attachments:update: rule:admin_api os_compute_api:os-volumes-attachments:delete: rule:admin_or_owner nova_sudoers: | # This sudoers file supports rootwrap for both Kolla and LOCI Images. 
Defaults !requiretty Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin" nova ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/nova-rootwrap /etc/nova/rootwrap.conf *, /var/lib/openstack/bin/nova-rootwrap /etc/nova/rootwrap.conf * api_audit_map: DEFAULT: target_endpoint_type: None custom_actions: enable: enable disable: disable delete: delete startup: start/startup shutdown: stop/shutdown reboot: start/reboot os-migrations/get: read os-server-password/post: update path_keywords: add: None action: None enable: None disable: None configure-project: None defaults: None delete: None detail: None diagnostics: None entries: entry extensions: alias flavors: flavor images: image ips: label limits: None metadata: key os-agents: os-agent os-aggregates: os-aggregate os-availability-zone: None os-certificates: None os-cloudpipe: None os-fixed-ips: ip os-extra_specs: key os-flavor-access: None os-floating-ip-dns: domain os-floating-ips-bulk: host os-floating-ip-pools: None os-floating-ips: floating-ip os-hosts: host os-hypervisors: hypervisor os-instance-actions: instance-action os-keypairs: keypair os-migrations: None os-networks: network os-quota-sets: tenant os-security-groups: security_group os-security-group-rules: rule os-server-password: None os-services: None os-simple-tenant-usage: tenant os-virtual-interfaces: None os-volume_attachments: attachment os-volumes_boot: None os-volumes: volume os-volume-types: volume-type os-snapshots: snapshot reboot: None servers: server shutdown: None startup: None statistics: None service_endpoints: compute: service/compute rootwrap: | # Configuration for nova-rootwrap # This file should be owned by (and only-writeable by) the root user [DEFAULT] # List of directories to load filter definitions from (separated by ','). # These directories MUST all be only writeable by root ! 
filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap # List of directories to search executables in, in case filters do not # explicitely specify a full path (separated by ',') # If not specified, defaults to system PATH environment variable. # These directories MUST all be only writeable by root ! exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin # Enable logging to syslog # Default value is False use_syslog=False # Which syslog facility to use. # Valid values include auth, authpriv, syslog, local0, local1... # Default value is 'syslog' syslog_log_facility=syslog # Which messages to log. # INFO means log all usage # ERROR means only log unsuccessful attempts syslog_log_level=ERROR wsgi_placement: | Listen 0.0.0.0:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded CustomLog /dev/stdout combined env=!forwarded CustomLog /dev/stdout proxy env=forwarded WSGIDaemonProcess placement-api processes=1 threads=4 user=nova group=nova display-name=%{GROUP} WSGIProcessGroup placement-api WSGIScriptAlias / /var/www/cgi-bin/nova/nova-placement-api WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On = 2.4> ErrorLogFormat "%{cu}t %M" ErrorLog /dev/stdout SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded CustomLog /dev/stdout combined env=!forwarded CustomLog /dev/stdout proxy env=forwarded Alias /placement /var/www/cgi-bin/nova/nova-placement-api SetHandler wsgi-script Options +ExecCGI WSGIProcessGroup placement-api WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On rootwrap_filters: api_metadata: pods: - metadata content: | # nova-rootwrap command filters for api-metadata nodes # This is needed on nova-api hosts running 
with "metadata" in enabled_apis # or when running nova-api-metadata # This file should be owned by (and only-writeable by) the root user [Filters] # nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ... iptables-save: CommandFilter, iptables-save, root ip6tables-save: CommandFilter, ip6tables-save, root # nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,) iptables-restore: CommandFilter, iptables-restore, root ip6tables-restore: CommandFilter, ip6tables-restore, root compute: pods: - compute content: | # nova-rootwrap command filters for compute nodes # This file should be owned by (and only-writeable by) the root user [Filters] # nova/virt/disk/mount/api.py: 'kpartx', '-a', device # nova/virt/disk/mount/api.py: 'kpartx', '-d', device kpartx: CommandFilter, kpartx, root # nova/virt/xenapi/vm_utils.py: tune2fs, -O ^has_journal, part_path # nova/virt/xenapi/vm_utils.py: tune2fs, -j, partition_path tune2fs: CommandFilter, tune2fs, root # nova/virt/disk/mount/api.py: 'mount', mapped_device # nova/virt/disk/api.py: 'mount', '-o', 'bind', src, target # nova/virt/xenapi/vm_utils.py: 'mount', '-t', 'ext2,ext3,ext4,reiserfs'.. # nova/virt/configdrive.py: 'mount', device, mountdir # nova/virt/libvirt/volume.py: 'mount', '-t', 'sofs' ... 
mount: CommandFilter, mount, root # nova/virt/disk/mount/api.py: 'umount', mapped_device # nova/virt/disk/api.py: 'umount' target # nova/virt/xenapi/vm_utils.py: 'umount', dev_path # nova/virt/configdrive.py: 'umount', mountdir umount: CommandFilter, umount, root # nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-c', device, image # nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-d', device qemu-nbd: CommandFilter, qemu-nbd, root # nova/virt/disk/mount/loop.py: 'losetup', '--find', '--show', image # nova/virt/disk/mount/loop.py: 'losetup', '--detach', device losetup: CommandFilter, losetup, root # nova/virt/disk/vfs/localfs.py: 'blkid', '-o', 'value', '-s', 'TYPE', device blkid: CommandFilter, blkid, root # nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path # nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.* # nova/virt/disk/vfs/localfs.py: 'tee', canonpath tee: CommandFilter, tee, root # nova/virt/disk/vfs/localfs.py: 'mkdir', canonpath mkdir: CommandFilter, mkdir, root # nova/virt/disk/vfs/localfs.py: 'chown' # nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log # nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log # nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk') chown: CommandFilter, chown, root # nova/virt/disk/vfs/localfs.py: 'chmod' chmod: CommandFilter, chmod, root # nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap' # nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up' # nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev # nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i.. # nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'.. # nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',.. # nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',.. 
# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev) # nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1] # nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge # nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', .. # nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',.. # nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ... # nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,.. # nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up' # nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up' # nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, .. # nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, .. # nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up' # nova/network/linux_net.py: 'ip', 'route', 'add', .. # nova/network/linux_net.py: 'ip', 'route', 'del', . # nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev ip: CommandFilter, ip, root # nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev # nova/network/linux_net.py: 'tunctl', '-b', '-t', dev tunctl: CommandFilter, tunctl, root # nova/virt/libvirt/vif.py: 'ovs-vsctl', ... # nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ... # nova/network/linux_net.py: 'ovs-vsctl', .... ovs-vsctl: CommandFilter, ovs-vsctl, root # nova/virt/libvirt/vif.py: 'vrouter-port-control', ... vrouter-port-control: CommandFilter, vrouter-port-control, root # nova/virt/libvirt/vif.py: 'ebrctl', ... ebrctl: CommandFilter, ebrctl, root # nova/virt/libvirt/vif.py: 'mm-ctl', ... mm-ctl: CommandFilter, mm-ctl, root # nova/network/linux_net.py: 'ovs-ofctl', .... ovs-ofctl: CommandFilter, ovs-ofctl, root # nova/virt/libvirt/connection.py: 'dd', if=%s % virsh_output, ... dd: CommandFilter, dd, root # nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ... 
iscsiadm: CommandFilter, iscsiadm, root # nova/virt/libvirt/volume/aoe.py: 'aoe-revalidate', aoedev # nova/virt/libvirt/volume/aoe.py: 'aoe-discover' aoe-revalidate: CommandFilter, aoe-revalidate, root aoe-discover: CommandFilter, aoe-discover, root # nova/virt/xenapi/vm_utils.py: parted, --script, ... # nova/virt/xenapi/vm_utils.py: 'parted', '--script', dev_path, ..*. parted: CommandFilter, parted, root # nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path pygrub: CommandFilter, pygrub, root # nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s fdisk: CommandFilter, fdisk, root # nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path # nova/virt/disk/api.py: e2fsck, -f, -p, image e2fsck: CommandFilter, e2fsck, root # nova/virt/xenapi/vm_utils.py: resize2fs, partition_path # nova/virt/disk/api.py: resize2fs, image resize2fs: CommandFilter, resize2fs, root # nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ... iptables-save: CommandFilter, iptables-save, root ip6tables-save: CommandFilter, ip6tables-save, root # nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,) iptables-restore: CommandFilter, iptables-restore, root ip6tables-restore: CommandFilter, ip6tables-restore, root # nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ... # nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],.. arping: CommandFilter, arping, root # nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address dhcp_release: CommandFilter, dhcp_release, root # nova/network/linux_net.py: 'kill', '-9', pid # nova/network/linux_net.py: 'kill', '-HUP', pid kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP # nova/network/linux_net.py: 'kill', pid kill_radvd: KillFilter, root, /usr/sbin/radvd # nova/network/linux_net.py: dnsmasq call dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq # nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'.. 
radvd: CommandFilter, radvd, root # nova/network/linux_net.py: 'brctl', 'addbr', bridge # nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0 # nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off' # nova/network/linux_net.py: 'brctl', 'addif', bridge, interface brctl: CommandFilter, brctl, root # nova/virt/libvirt/utils.py: 'mkswap' # nova/virt/xenapi/vm_utils.py: 'mkswap' mkswap: CommandFilter, mkswap, root # nova/virt/libvirt/utils.py: 'nova-idmapshift' nova-idmapshift: CommandFilter, nova-idmapshift, root # nova/virt/xenapi/vm_utils.py: 'mkfs' # nova/utils.py: 'mkfs', fs, path, label mkfs: CommandFilter, mkfs, root # nova/virt/libvirt/utils.py: 'qemu-img' qemu-img: CommandFilter, qemu-img, root # nova/virt/disk/vfs/localfs.py: 'readlink', '-e' readlink: CommandFilter, readlink, root # nova/virt/disk/api.py: mkfs.ext3: CommandFilter, mkfs.ext3, root mkfs.ext4: CommandFilter, mkfs.ext4, root mkfs.ntfs: CommandFilter, mkfs.ntfs, root # nova/virt/libvirt/connection.py: lvremove: CommandFilter, lvremove, root # nova/virt/libvirt/utils.py: lvcreate: CommandFilter, lvcreate, root # nova/virt/libvirt/utils.py: lvs: CommandFilter, lvs, root # nova/virt/libvirt/utils.py: vgs: CommandFilter, vgs, root # nova/utils.py:read_file_as_root: 'cat', file_path # (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file) read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow # os-brick needed commands read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi multipath: CommandFilter, multipath, root # multipathd show status multipathd: CommandFilter, multipathd, root systool: CommandFilter, systool, root vgc-cluster: CommandFilter, vgc-cluster, root # os_brick/initiator/connector.py drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid # TODO(smcginnis) Temporary fix. 
# Need to pull in os-brick os-brick.filters file instead and clean # out stale brick values from this file. scsi_id: CommandFilter, /lib/udev/scsi_id, root # os_brick.privileged.default oslo.privsep context # This line ties the superuser privs with the config files, context name, # and (implicitly) the actual python code invoked. privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.* # nova/storage/linuxscsi.py: sg_scan device sg_scan: CommandFilter, sg_scan, root # nova/volume/encryptors/cryptsetup.py: # nova/volume/encryptors/luks.py: ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/crypt-.+, .+ # nova/volume/encryptors.py: # nova/virt/libvirt/dmcrypt.py: cryptsetup: CommandFilter, cryptsetup, root # nova/virt/xenapi/vm_utils.py: xenstore-read: CommandFilter, xenstore-read, root # nova/virt/libvirt/utils.py: rbd: CommandFilter, rbd, root # nova/virt/libvirt/utils.py: 'shred', '-n3', '-s%d' % volume_size, path shred: CommandFilter, shred, root # nova/virt/libvirt/volume.py: 'cp', '/dev/stdin', delete_control.. 
cp: CommandFilter, cp, root # nova/virt/xenapi/vm_utils.py: sync: CommandFilter, sync, root # nova/virt/libvirt/imagebackend.py: ploop: RegExpFilter, ploop, root, ploop, restore-descriptor, .* prl_disk_tool: RegExpFilter, prl_disk_tool, root, prl_disk_tool, resize, --size, .*M$, --resize_partition, --hdd, .* # nova/virt/libvirt/utils.py: 'xend', 'status' xend: CommandFilter, xend, root # nova/virt/libvirt/utils.py: touch: CommandFilter, touch, root # nova/virt/libvirt/volume/vzstorage.py pstorage-mount: CommandFilter, pstorage-mount, root network: pods: - compute content: | # nova-rootwrap command filters for network nodes # This file should be owned by (and only-writeable by) the root user [Filters] # nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap' # nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up' # nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev # nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i.. # nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'.. # nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',.. # nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',.. # nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev) # nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1] # nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge # nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', .. # nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',.. # nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ... # nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,.. # nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up' # nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up' # nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, .. # nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, .. 
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up' # nova/network/linux_net.py: 'ip', 'route', 'add', .. # nova/network/linux_net.py: 'ip', 'route', 'del', . # nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev ip: CommandFilter, ip, root # nova/virt/libvirt/vif.py: 'ovs-vsctl', ... # nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ... # nova/network/linux_net.py: 'ovs-vsctl', .... ovs-vsctl: CommandFilter, ovs-vsctl, root # nova/network/linux_net.py: 'ovs-ofctl', .... ovs-ofctl: CommandFilter, ovs-ofctl, root # nova/virt/libvirt/vif.py: 'ivs-ctl', ... # nova/virt/libvirt/vif.py: 'ivs-ctl', 'del-port', ... # nova/network/linux_net.py: 'ivs-ctl', .... ivs-ctl: CommandFilter, ivs-ctl, root # nova/virt/libvirt/vif.py: 'ifc_ctl', ... ifc_ctl: CommandFilter, /opt/pg/bin/ifc_ctl, root # nova/network/linux_net.py: 'ebtables', '-D' ... # nova/network/linux_net.py: 'ebtables', '-I' ... ebtables: CommandFilter, ebtables, root ebtables_usr: CommandFilter, ebtables, root # nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ... iptables-save: CommandFilter, iptables-save, root ip6tables-save: CommandFilter, ip6tables-save, root # nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,) iptables-restore: CommandFilter, iptables-restore, root ip6tables-restore: CommandFilter, ip6tables-restore, root # nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ... # nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],.. 
arping: CommandFilter, arping, root # nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address dhcp_release: CommandFilter, dhcp_release, root # nova/network/linux_net.py: 'kill', '-9', pid # nova/network/linux_net.py: 'kill', '-HUP', pid kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP # nova/network/linux_net.py: 'kill', pid kill_radvd: KillFilter, root, /usr/sbin/radvd # nova/network/linux_net.py: dnsmasq call dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq # nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'.. radvd: CommandFilter, radvd, root # nova/network/linux_net.py: 'brctl', 'addbr', bridge # nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0 # nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off' # nova/network/linux_net.py: 'brctl', 'addif', bridge, interface brctl: CommandFilter, brctl, root # nova/network/linux_net.py: 'sysctl', .... sysctl: CommandFilter, sysctl, root # nova/network/linux_net.py: 'conntrack' conntrack: CommandFilter, conntrack, root # nova/network/linux_net.py: 'fp-vdev' fp-vdev: CommandFilter, fp-vdev, root nova_ironic: DEFAULT: scheduler_host_manager: ironic_host_manager compute_driver: ironic.IronicDriver libvirt: # Get the IP address to be used as the target for live migration traffic using interface name. # If this option is set to None, the hostname of the migration target compute node will be used. live_migration_interface: hypervisor: # my_ip can be set automatically through this interface name. host_interface: nova: DEFAULT: log_config_append: /etc/nova/logging.conf default_ephemeral_format: ext4 ram_allocation_ratio: 1.0 disk_allocation_ratio: 1.0 cpu_allocation_ratio: 3.0 state_path: /var/lib/nova osapi_compute_listen: 0.0.0.0 # NOTE(portdirect): the bind port should not be defined, and is manipulated # via the endpoints section. 
      osapi_compute_listen_port: null
      osapi_compute_workers: 1
      metadata_workers: 1
      use_neutron: true
      # NOTE(review): the noop driver means nova itself does no instance
      # firewalling here; security groups are expected to be enforced by
      # neutron (use_neutron: true).  Do not change one without the other.
      firewall_driver: nova.virt.firewall.NoopFirewallDriver
      linuxnet_interface_driver: openvswitch
      compute_driver: libvirt.LibvirtDriver
      # Placeholder only; the per-node value is derived from
      # conf.hypervisor.host_interface (see above).
      my_ip: 0.0.0.0
      instance_usage_audit: True
      instance_usage_audit_period: hour
      notify_on_state_change: vm_and_task_state
      resume_guests_state_on_host_boot: True
    vnc:
      # NOTE(review): vncserver_listen 0.0.0.0 exposes each guest's VNC socket
      # on every hypervisor interface; as far as this chart configures it, the
      # only gate in front of that socket is the novnc proxy's console token,
      # so the hypervisor network must not be reachable by tenants.
      novncproxy_host: 0.0.0.0
      vncserver_listen: 0.0.0.0
      # This would be set by each compute nodes's ip
      # vncserver_proxyclient_address: 127.0.0.1
    spice:
      # Same exposure considerations as the vnc section above.
      html5proxy_host: 0.0.0.0
      server_listen: 0.0.0.0
      # This would be set by each compute nodes's ip
      # server_proxyclient_address: 127.0.0.1
    conductor:
      workers: 1
    oslo_policy:
      # Rendered from conf.policy (the os_compute_api:* rules above).
      policy_file: /etc/nova/policy.yaml
    oslo_concurrency:
      lock_path: /var/lib/nova/tmp
    oslo_middleware:
      # NOTE(review): makes the API trust X-Forwarded-* headers.  That is only
      # safe while the service is reachable solely through the chart's ingress;
      # a client that can reach the pod port directly can spoof them.
      enable_proxy_headers_parsing: true
    glance:
      num_retries: 3
    ironic:
      api_endpoint: null
      auth_url: null
    neutron:
      # NOTE(review): placeholder, not a deployable default.  This is the secret
      # shared with the neutron metadata proxy: override it with a random
      # per-deployment value and keep it identical to the value given to the
      # neutron chart.  With a guessable secret, a client that can reach the
      # metadata API can impersonate another instance's metadata requests.
      metadata_proxy_shared_secret: "password"
      service_metadata_proxy: True
      auth_type: password
      auth_version: v3
    database:
      max_retries: -1
    api_database:
      max_retries: -1
    cell0_database:
      max_retries: -1
    keystone_authtoken:
      auth_type: password
      auth_version: v3
      # Validated tokens cached in memcached are encrypted; the key comes from
      # endpoints.oslo_cache.auth.memcache_secret_key (see below).
      memcache_security_strategy: ENCRYPT
    libvirt:
      # NOTE(review): qemu+tcp is an unauthenticated, unencrypted transport.
      # This default is only acceptable because it targets the node loopback;
      # any process on the node that can reach that socket has full control of
      # every guest.  Anything other than 127.0.0.1 needs qemu+tls (or the
      # local unix socket) -- never plain tcp across a network.
      connection_uri: "qemu+tcp://127.0.0.1/system"
      images_type: qcow2
      images_rbd_pool: vms
      images_rbd_ceph_conf: /etc/ceph/ceph.conf
      rbd_user: cinder
      # Identifies the libvirt secret holding the Ceph key for rbd_user;
      # presumably has to match the UUID registered by the libvirt/ceph charts
      # (confirm).  The UUID is not itself sensitive, the keyring it names is.
      rbd_secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
      disk_cachemodes: "network=writeback"
      hw_disk_discard: unmap
    upgrade_levels:
      compute: auto
    cache:
      enabled: true
      backend: dogpile.cache.memcached
    wsgi:
      api_paste_config: /etc/nova/api-paste.ini
    oslo_messaging_notifications:
      driver: messagingv2
    oslo_messaging_rabbit:
      rabbit_ha_queues: true
    placement:
      auth_type: password
      auth_version: v3
  # oslo.log logging configuration, presumably rendered to the path given by
  # log_config_append above.
  logging:
    loggers:
      keys:
        - root
        - nova
    handlers:
      keys:
        - stdout
        - stderr
        - "null"
    formatters:
      keys:
        - context
        - default
    logger_root:
      level: WARNING
      handlers: stdout
    logger_nova:
      level: INFO
      handlers:
        - stdout
      qualname: nova
    logger_amqp:
      level: WARNING
handlers: stderr qualname: amqp logger_amqplib: level: WARNING handlers: stderr qualname: amqplib logger_eventletwsgi: level: WARNING handlers: stderr qualname: eventlet.wsgi.server logger_sqlalchemy: level: WARNING handlers: stderr qualname: sqlalchemy logger_boto: level: WARNING handlers: stderr qualname: boto handler_null: class: logging.NullHandler formatter: default args: () handler_stdout: class: StreamHandler args: (sys.stdout,) formatter: context handler_stderr: class: StreamHandler args: (sys.stderr,) formatter: context formatter_context: class: oslo_log.formatters.ContextFormatter datefmt: "%Y-%m-%d %H:%M:%S" formatter_default: format: "%(message)s" datefmt: "%Y-%m-%d %H:%M:%S" rabbitmq: #NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones policies: - vhost: "nova" name: "ha_ttl_nova" definition: #mirror messges to other nodes in rmq cluster ha-mode: "all" ha-sync-mode: "automatic" #70s message-ttl: 70000 priority: 0 apply-to: all pattern: '^(?!amq\.).*' # Names of secrets used by bootstrap and environmental checks secrets: identity: admin: nova-keystone-admin nova: nova-keystone-user placement: nova-keystone-placement test: nova-keystone-test oslo_db: admin: nova-db-admin nova: nova-db-user oslo_db_api: admin: nova-db-api-admin nova: nova-db-api-user oslo_db_cell0: admin: nova-db-api-admin nova: nova-db-api-user oslo_messaging: admin: nova-rabbitmq-admin nova: nova-rabbitmq-user tls: compute: osapi: public: nova-tls-public compute_novnc_proxy: novncproxy: public: nova-novncproxy-tls-public placement: placement: public: placement-tls-public # typically overridden by environmental # values, but should include all endpoints # required by this chart endpoints: cluster_domain_suffix: cluster.local local_image_registry: name: docker-registry namespace: docker-registry hosts: default: localhost internal: docker-registry node: localhost host_fqdn_override: default: null port: registry: node: 5000 
  # NOTE(review): every auth.*.password below is the literal string "password".
  # These are placeholders consumed by the bootstrap / db_init / ks_user jobs,
  # not deployable defaults: override all of them per environment (db root, the
  # db service users, rabbitmq, the keystone admin and every service user),
  # ideally from an external secret store rather than a committed values file.
  oslo_db:
    auth:
      admin:
        username: root
        password: password
      nova:
        username: nova
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /nova
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  oslo_db_api:
    auth:
      admin:
        username: root
        password: password
      nova:
        username: nova
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /nova_api
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  oslo_db_cell0:
    auth:
      admin:
        username: root
        password: password
      nova:
        username: nova
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /nova_cell0
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  oslo_messaging:
    auth:
      admin:
        username: rabbitmq
        password: password
      nova:
        username: nova
        password: password
    statefulset:
      replicas: 2
      name: rabbitmq-rabbitmq
    hosts:
      default: rabbitmq
    host_fqdn_override:
      default: null
    path: /nova
    scheme: rabbit
    port:
      amqp:
        default: 5672
      http:
        default: 15672
  oslo_cache:
    auth:
      # NOTE(portdirect): this is used to define the value for keystone
      # authtoken cache encryption key, if not set it will be populated
      # automatically with a random value, but to take advantage of
      # this feature all services should be set to use the same key,
      # and memcache service.
      # NOTE(review): this key is what memcache_security_strategy: ENCRYPT in
      # conf.nova.keystone_authtoken relies on; a per-release random value is
      # fine for a single chart, a shared memcached needs an explicit value.
      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
      default: null
    port:
      memcache:
        default: 11211
  identity:
    name: keystone
    auth:
      admin:
        region_name: RegionOne
        username: admin
        password: password
        project_name: admin
        user_domain_name: default
        project_domain_name: default
      nova:
        role: admin
        region_name: RegionOne
        username: nova
        password: password
        project_name: service
        user_domain_name: service
        project_domain_name: service
      # NOTE(portdirect): the neutron user is not managed by the nova chart
      # these values should match those set in the neutron chart.
      # NOTE(review): the same coupling applies to
      # conf.nova.neutron.metadata_proxy_shared_secret above, which must be set
      # to the same (non-default) value on both charts.
neutron: region_name: RegionOne project_name: service user_domain_name: service project_domain_name: service username: neutron password: password # NOTE(portdirect): the ironic user is not managed by the nova chart # these values should match those set in the ironic chart. ironic: auth_type: password auth_version: v3 region_name: RegionOne project_name: service user_domain_name: service project_domain_name: service username: ironic password: password placement: role: admin region_name: RegionOne username: placement password: password project_name: service user_domain_name: service project_domain_name: service test: role: admin region_name: RegionOne username: nova-test password: password project_name: test user_domain_name: service project_domain_name: service hosts: default: keystone internal: keystone-api host_fqdn_override: default: null path: default: /v3 scheme: default: http port: api: default: 80 internal: 5000 image: name: glance hosts: default: glance-api public: glance host_fqdn_override: default: null path: default: null scheme: default: http port: api: default: 9292 public: 80 compute: name: nova hosts: default: nova-api public: nova host_fqdn_override: default: null # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public # endpoints using the following format: # public: # host: null # tls: # crt: null # key: null path: default: "/v2.1/%(tenant_id)s" scheme: default: 'http' port: api: default: 8774 public: 80 novncproxy: default: 6080 compute_metadata: name: nova ip: # IF blank, set clusterIP and metadata_host dynamically ingress: null hosts: default: nova-metadata public: metadata host_fqdn_override: default: null path: default: / scheme: default: 'http' port: metadata: default: 8775 public: 80 compute_novnc_proxy: name: nova hosts: default: nova-novncproxy public: novncproxy host_fqdn_override: default: null # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public # endpoints using the following format: # public: # host: 
null # tls: # crt: null # key: null path: default: /vnc_auto.html scheme: default: 'http' port: novnc_proxy: default: 6080 public: 80 compute_spice_proxy: name: nova hosts: default: nova-spiceproxy public: placement host_fqdn_override: default: null path: default: /spice_auto.html scheme: default: 'http' port: spice_proxy: default: 6082 placement: name: placement hosts: default: placement-api public: placement host_fqdn_override: default: null path: default: / scheme: default: 'http' port: api: default: 8778 public: 80 network: name: neutron hosts: default: neutron-server public: neutron host_fqdn_override: default: null path: default: null scheme: default: 'http' port: api: default: 9696 public: 80 baremetal: name: ironic hosts: default: ironic-api public: ironic host_fqdn_override: default: null path: default: null scheme: default: http port: api: default: 6385 public: 80 fluentd: namespace: null name: fluentd hosts: default: fluentd-logging host_fqdn_override: default: null path: default: null scheme: 'http' port: service: default: 24224 metrics: default: 24220 #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. # They are using to enable the Egress K8s network policy. 
  k8s:
    port:
      api:
        default: 6443
        internal: 5000
  default:
    namespace: default
  kube_system:
    namespace: kube-system
  kube_public:
    namespace: kube-public
pod:
  user:
    nova:
      uid: 42424
  security_context:
    nova:
      pod:
        # Every nova container drops to the nova uid unless a container entry
        # below overrides it.
        runAsUser: 42424
      container:
        # These two init containers run as root (presumably to fix up host and
        # ceph paths -- confirm in the templates).
        nova_compute_init:
          readOnlyRootFilesystem: true
          runAsUser: 0
        ceph_perms:
          readOnlyRootFilesystem: true
          runAsUser: 0
        # NOTE(review): unlike its sibling ceph_keyring_placement this entry
        # does not set allowPrivilegeEscalation: false.  Confirm whether the
        # admin-keyring init container really needs setuid/capabilities;
        # otherwise align it with the sibling.
        ceph_admin_keyring_placement:
          readOnlyRootFilesystem: true
        ceph_keyring_placement:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        nova_compute_vnc_init:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        nova_compute_spice_init:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        # NOTE(review): privileged means root on the node.  readOnlyRootFilesystem
        # offers little containment for a privileged container, and the rootwrap
        # filters in conf are not a boundary for it either.  Keep the compute
        # daemonset on dedicated nodes and treat a compromise of either of these
        # containers as a hypervisor compromise.
        nova_compute:
          readOnlyRootFilesystem: true
          privileged: true
        nova_compute_ssh:
          readOnlyRootFilesystem: true
          privileged: true
        nova_api_metadata_init:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        nova_api:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        nova_osapi:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        nova_conductor:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        nova_consoleauth:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        nova_novncproxy_init:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        # NOTE(review): the key is misspelled ("assests") but the chart template
        # presumably looks it up by this exact name; renaming it here alone would
        # silently drop the security context for that init container.
        nova_novncproxy_init_assests:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        nova_novncproxy:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        nova_scheduler:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        nova_spiceproxy_init:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        nova_spiceproxy_init_assets:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        nova_spiceproxy:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
  affinity:
    anti:
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
      weight:
        default: 10
  mounts:
    nova_compute:
      init_container: null
      nova_compute:
        volumeMounts:
        volumes:
    nova_compute_ironic:
init_container: null nova_compute_ironic: volumeMounts: volumes: nova_api_metadata: init_container: null nova_api_metadata: volumeMounts: volumes: nova_placement: init_container: null nova_placement: volumeMounts: volumes: nova_api_osapi: init_container: null nova_api_osapi: volumeMounts: volumes: nova_consoleauth: init_container: null nova_consoleauth: volumeMounts: volumes: nova_conductor: init_container: null nova_conductor: volumeMounts: volumes: nova_scheduler: init_container: null nova_scheduler: volumeMounts: volumes: nova_bootstrap: init_container: null nova_bootstrap: volumeMounts: volumes: nova_tests: init_container: null nova_tests: volumeMounts: volumes: nova_novncproxy: init_novncproxy: null nova_novncproxy: volumeMounts: volumes: nova_spiceproxy: init_spiceproxy: null nova_spiceproxy: volumeMounts: volumes: nova_db_sync: nova_db_sync: volumeMounts: volumes: replicas: api_metadata: 1 compute_ironic: 1 placement: 1 osapi: 1 conductor: 1 consoleauth: 1 scheduler: 1 novncproxy: 1 spiceproxy: 1 lifecycle: upgrades: deployments: revision_history: 3 pod_replacement_strategy: RollingUpdate rolling_update: max_unavailable: 1 max_surge: 3 daemonsets: pod_replacement_strategy: RollingUpdate compute: enabled: true min_ready_seconds: 0 max_unavailable: 1 disruption_budget: metadata: min_available: 0 placement: min_available: 0 osapi: min_available: 0 termination_grace_period: metadata: timeout: 30 placement: timeout: 30 osapi: timeout: 30 resources: enabled: false compute: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" compute_ironic: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" api_metadata: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" placement: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" api: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" conductor: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" 
cpu: "2000m" consoleauth: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" scheduler: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" ssh: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" novncproxy: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" spiceproxy: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" jobs: bootstrap: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" db_init: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" rabbit_init: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" db_sync: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" db_drop: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" ks_endpoints: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" ks_service: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" ks_user: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" tests: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" cell_setup: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" service_cleaner: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" image_repo_sync: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" network_policy: nova: # TODO(lamt): Need to tighten this ingress for security. ingress: - {} egress: - {} - to: - podSelector: matchLabels: application: ceph - podSelector: matchLabels: application: ingress - podSelector: matchLabels: application: openvswitch - podSelector: matchLabels: application: libvirt - podSelector: matchLabels: application: cinder placement: # TODO(lamt): Need to tighten this ingress for security. 
ingress: - {} egress: - {} manifests: configmap_bin: true configmap_etc: true cron_job_cell_setup: true cron_job_service_cleaner: true daemonset_compute: true deployment_api_metadata: true deployment_api_osapi: true deployment_placement: true deployment_conductor: true deployment_consoleauth: true deployment_novncproxy: true deployment_spiceproxy: true deployment_scheduler: true ingress_metadata: true ingress_novncproxy: true ingress_placement: true ingress_osapi: true job_bootstrap: true job_db_init: true job_db_init_placement: true job_db_sync: true job_db_drop: false job_image_repo_sync: true job_rabbit_init: true job_ks_endpoints: true job_ks_service: true job_ks_user: true job_ks_placement_endpoints: true job_ks_placement_service: true job_ks_placement_user: true job_cell_setup: true pdb_metadata: true pdb_placement: true pdb_osapi: true pod_rally_test: true network_policy: false secret_db_api: true secret_db: true secret_ingress_tls: true secret_keystone: true secret_keystone_placement: true secret_rabbitmq: true service_ingress_metadata: true service_ingress_novncproxy: true service_ingress_placement: true service_ingress_osapi: true service_metadata: true service_placement: true service_novncproxy: true service_spiceproxy: true service_osapi: true statefulset_compute_ironic: false