# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for nova.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
release_group: null
labels:
agent:
compute:
node_selector_key: openstack-compute-node
node_selector_value: enabled
compute_ironic:
node_selector_key: openstack-compute-node
node_selector_value: enabled
api_metadata:
node_selector_key: openstack-control-plane
node_selector_value: enabled
conductor:
node_selector_key: openstack-control-plane
node_selector_value: enabled
consoleauth:
node_selector_key: openstack-control-plane
node_selector_value: enabled
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
novncproxy:
node_selector_key: openstack-control-plane
node_selector_value: enabled
osapi:
node_selector_key: openstack-control-plane
node_selector_value: enabled
placement:
node_selector_key: openstack-control-plane
node_selector_value: enabled
scheduler:
node_selector_key: openstack-control-plane
node_selector_value: enabled
spiceproxy:
node_selector_key: openstack-control-plane
node_selector_value: enabled
test:
node_selector_key: openstack-control-plane
node_selector_value: enabled
images:
pull_policy: IfNotPresent
tags:
bootstrap: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
db_drop: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
db_init: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
dep_check: 'quay.io/stackanetes/kubernetes-entrypoint:v0.3.1'
rabbit_init: docker.io/rabbitmq:3.7-management
ks_user: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
ks_service: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
ks_endpoints: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
nova_api: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
nova_cell_setup: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
nova_cell_setup_init: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
nova_compute: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
nova_compute_ironic: 'docker.io/kolla/ubuntu-source-nova-compute-ironic:ocata'
nova_compute_ssh: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
nova_conductor: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
nova_consoleauth: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
nova_db_sync: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
nova_novncproxy: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
nova_novncproxy_assets: 'docker.io/kolla/ubuntu-source-nova-novncproxy:ocata'
nova_placement: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
nova_scheduler: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
# NOTE(portdirect): we simply use the ceph config helper here,
# as it has both oscli and jq.
nova_service_cleaner: 'docker.io/port/ceph-config-helper:v1.10.3'
nova_spiceproxy: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
nova_spiceproxy_assets: 'docker.io/kolla/ubuntu-source-nova-spicehtml5proxy:ocata'
test: docker.io/xrally/xrally-openstack:1.3.0
image_repo_sync: docker.io/docker:17.07.0
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
jobs:
# NOTE(portdirect): When using cells new nodes will be added to the cell on the hour by default.
# TODO(portdirect): Add a post-start action to nova compute pods that registers themselves.
cell_setup:
cron: "0 */1 * * *"
starting_deadline: 600
history:
success: 3
failed: 1
service_cleaner:
cron: "0 */1 * * *"
starting_deadline: 600
history:
success: 3
failed: 1
bootstrap:
enabled: true
ks_user: admin
script: null
structured:
flavors:
enabled: true
options:
m1_tiny:
name: "m1.tiny"
id: "auto"
ram: 512
disk: 1
vcpus: 1
m1_small:
name: "m1.small"
id: "auto"
ram: 2048
disk: 20
vcpus: 1
m1_medium:
name: "m1.medium"
id: "auto"
ram: 4096
disk: 40
vcpus: 2
m1_large:
name: "m1.large"
id: "auto"
ram: 8192
disk: 80
vcpus: 4
m1_xlarge:
name: "m1.xlarge"
id: "auto"
ram: 16384
disk: 160
vcpus: 8
network:
# provide what type of network wiring will be used
# possible options: openvswitch, linuxbridge, sriov
backend:
- openvswitch
osapi:
port: 8774
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
external_policy_local: false
node_port:
enabled: false
port: 30774
metadata:
port: 8775
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
external_policy_local: false
node_port:
enabled: false
port: 30775
placement:
port: 8778
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
node_port:
enabled: false
port: 30778
novncproxy:
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
node_port:
enabled: false
port: 30680
spiceproxy:
node_port:
enabled: false
port: 30682
ssh:
name: "nova-ssh"
port: 8022
sshd:
enabled: false
from_subnet: 0.0.0.0/24
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- nova-image-repo-sync
services:
- endpoint: node
service: local_image_registry
targeted:
openvswitch:
compute:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-ovs-agent
linuxbridge:
compute:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-lb-agent
sriov:
compute:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-sriov-agent
static:
api:
jobs:
- nova-db-sync
- nova-ks-user
- nova-ks-endpoints
- nova-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
api_metadata:
jobs:
- nova-db-sync
- nova-ks-user
- nova-ks-endpoints
- nova-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
bootstrap:
services:
- endpoint: internal
service: identity
- endpoint: internal
service: compute
cell_setup:
jobs:
- nova-db-sync
- nova-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
- endpoint: internal
service: compute
pod:
- requireSameNode: false
labels:
application: nova
component: compute
service_cleaner:
jobs:
- nova-db-sync
- nova-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
- endpoint: internal
service: compute
compute:
pod:
- requireSameNode: true
labels:
application: libvirt
component: libvirt
jobs:
- nova-db-sync
- nova-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: image
- endpoint: internal
service: compute
- endpoint: internal
service: network
- endpoint: internal
service: compute_metadata
compute_ironic:
jobs:
- nova-db-sync
- nova-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: image
- endpoint: internal
service: compute
- endpoint: internal
service: network
- endpoint: internal
service: baremetal
conductor:
jobs:
- nova-db-sync
- nova-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
- endpoint: internal
service: compute
consoleauth:
jobs:
- nova-db-sync
- nova-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
- endpoint: internal
service: compute
db_drop:
services:
- endpoint: internal
service: oslo_db
db_init:
services:
- endpoint: internal
service: oslo_db
db_sync:
jobs:
- nova-db-init
services:
- endpoint: internal
service: oslo_db
ks_endpoints:
jobs:
- nova-ks-service
services:
- endpoint: internal
service: identity
ks_service:
services:
- endpoint: internal
service: identity
ks_user:
services:
- endpoint: internal
service: identity
rabbit_init:
services:
- service: oslo_messaging
endpoint: internal
novncproxy:
jobs:
- nova-db-sync
services:
- endpoint: internal
service: oslo_db
spiceproxy:
jobs:
- nova-db-sync
services:
- endpoint: internal
service: oslo_db
scheduler:
jobs:
- nova-db-sync
- nova-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
- endpoint: internal
service: compute
tests:
services:
- endpoint: internal
service: image
- endpoint: internal
service: compute
- endpoint: internal
service: network
- endpoint: internal
service: compute_metadata
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
console:
# serial | spice | novnc | none
console_kind: novnc
serial:
spice:
compute:
# IF blank, search default routing interface
server_proxyclient_interface:
proxy:
# IF blank, search default routing interface
server_proxyclient_interface:
novnc:
compute:
# IF blank, search default routing interface
vncserver_proxyclient_interface:
vncproxy:
# IF blank, search default routing interface
vncserver_proxyclient_interface:
ssh:
key_types:
- rsa
- dsa
- ecdsa
- ed25519
ceph_client:
configmap: ceph-etc
user_secret_name: pvc-ceph-client-key
conf:
security: |
#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages.
#
#
# AllowOverride None
# Require all denied
#
# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens Prod
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
ServerSignature Off
#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of: On | Off | extended
TraceEnable Off
#
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for subversion:
#
#
# Require all denied
#
#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
#Header set X-Content-Type-Options: "nosniff"
#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
#Header set X-Frame-Options: "sameorigin"
software:
apache2:
binary: apache2
start_parameters: -DFOREGROUND
conf_dir: /etc/apache2/conf-enabled
site_dir: /etc/apache2/sites-enable
mods_dir: /etc/apache2/mods-available
a2enmod: null
a2dismod: null
ceph:
enabled: true
admin_keyring: null
cinder:
user: "cinder"
keyring: null
secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
ssh: |
Host *
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
Port {{ .Values.network.ssh.port }}
ssh_private: 'null'
ssh_public: 'null'
rally_tests:
run_tempest: false
tests:
NovaAgents.list_agents:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaAggregates.create_and_get_aggregate_details:
- args:
availability_zone: nova
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaAggregates.create_and_update_aggregate:
- args:
availability_zone: nova
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaAggregates.list_aggregates:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaAvailabilityZones.list_availability_zones:
- args:
detailed: true
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaFlavors.create_and_delete_flavor:
- args:
disk: 1
ram: 500
vcpus: 1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaFlavors.create_and_list_flavor_access:
- args:
disk: 1
ram: 500
vcpus: 1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaFlavors.create_flavor:
- args:
disk: 1
ram: 500
vcpus: 1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaFlavors.create_flavor_and_add_tenant_access:
- args:
disk: 1
ram: 500
vcpus: 1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaFlavors.create_flavor_and_set_keys:
- args:
disk: 1
extra_specs:
'quota:disk_read_bytes_sec': 10240
ram: 500
vcpus: 1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaFlavors.list_flavors:
- args:
detailed: true
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaHypervisors.list_and_get_hypervisors:
- args:
detailed: true
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaHypervisors.list_and_get_uptime_hypervisors:
- args:
detailed: true
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaHypervisors.list_and_search_hypervisors:
- args:
detailed: true
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaHypervisors.list_hypervisors:
- args:
detailed: true
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaHypervisors.statistics_hypervisors:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaKeypair.create_and_delete_keypair:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaKeypair.create_and_list_keypairs:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaServerGroups.create_and_list_server_groups:
- args:
all_projects: false
kwargs:
policies:
- affinity
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NovaServices.list_services:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
paste:
composite:metadata:
use: egg:Paste#urlmap
/: meta
pipeline:meta:
pipeline: cors metaapp
app:metaapp:
paste.app_factory: nova.api.metadata.handler:MetadataRequestHandler.factory
composite:osapi_compute:
use: call:nova.api.openstack.urlmap:urlmap_factory
/: oscomputeversions
/v2: openstack_compute_api_v21_legacy_v2_compatible
/v2.1: openstack_compute_api_v21
composite:openstack_compute_api_v21:
use: call:nova.api.auth:pipeline_factory_v21
noauth2: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21
keystone: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit authtoken audit keystonecontext osapi_compute_app_v21
composite:openstack_compute_api_v21_legacy_v2_compatible:
use: call:nova.api.auth:pipeline_factory_v21
noauth2: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21
keystone: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit authtoken audit keystonecontext legacy_v2_compatible osapi_compute_app_v21
filter:request_id:
paste.filter_factory: oslo_middleware:RequestId.factory
filter:compute_req_id:
paste.filter_factory: nova.api.compute_req_id:ComputeReqIdMiddleware.factory
filter:faultwrap:
paste.filter_factory: nova.api.openstack:FaultWrapper.factory
filter:noauth2:
paste.filter_factory: nova.api.openstack.auth:NoAuthMiddleware.factory
filter:sizelimit:
paste.filter_factory: oslo_middleware:RequestBodySizeLimiter.factory
filter:http_proxy_to_wsgi:
paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
filter:legacy_v2_compatible:
paste.filter_factory: nova.api.openstack:LegacyV2CompatibleWrapper.factory
app:osapi_compute_app_v21:
paste.app_factory: nova.api.openstack.compute:APIRouterV21.factory
pipeline:oscomputeversions:
pipeline: faultwrap http_proxy_to_wsgi oscomputeversionapp
app:oscomputeversionapp:
paste.app_factory: nova.api.openstack.compute.versions:Versions.factory
filter:cors:
paste.filter_factory: oslo_middleware.cors:filter_factory
oslo_config_project: nova
filter:keystonecontext:
paste.filter_factory: nova.api.auth:NovaKeystoneContext.factory
filter:authtoken:
paste.filter_factory: keystonemiddleware.auth_token:filter_factory
filter:audit:
paste.filter_factory: keystonemiddleware.audit:filter_factory
audit_map_file: /etc/nova/api_audit_map.conf
policy:
os_compute_api:os-admin-actions:discoverable: "@"
os_compute_api:os-admin-actions:reset_state: rule:admin_api
os_compute_api:os-admin-actions:inject_network_info: rule:admin_api
os_compute_api:os-admin-actions: rule:admin_api
os_compute_api:os-admin-actions:reset_network: rule:admin_api
os_compute_api:os-admin-password:discoverable: "@"
os_compute_api:os-admin-password: rule:admin_or_owner
os_compute_api:os-agents: rule:admin_api
os_compute_api:os-agents:discoverable: "@"
os_compute_api:os-aggregates:set_metadata: rule:admin_api
os_compute_api:os-aggregates:add_host: rule:admin_api
os_compute_api:os-aggregates:discoverable: "@"
os_compute_api:os-aggregates:create: rule:admin_api
os_compute_api:os-aggregates:remove_host: rule:admin_api
os_compute_api:os-aggregates:update: rule:admin_api
os_compute_api:os-aggregates:index: rule:admin_api
os_compute_api:os-aggregates:delete: rule:admin_api
os_compute_api:os-aggregates:show: rule:admin_api
os_compute_api:os-assisted-volume-snapshots:create: rule:admin_api
os_compute_api:os-assisted-volume-snapshots:delete: rule:admin_api
os_compute_api:os-assisted-volume-snapshots:discoverable: "@"
os_compute_api:os-attach-interfaces: rule:admin_or_owner
os_compute_api:os-attach-interfaces:discoverable: "@"
os_compute_api:os-attach-interfaces:create: rule:admin_or_owner
os_compute_api:os-attach-interfaces:delete: rule:admin_or_owner
os_compute_api:os-availability-zone:list: rule:admin_or_owner
os_compute_api:os-availability-zone:discoverable: "@"
os_compute_api:os-availability-zone:detail: rule:admin_api
os_compute_api:os-baremetal-nodes:discoverable: "@"
os_compute_api:os-baremetal-nodes: rule:admin_api
context_is_admin: role:admin
admin_or_owner: is_admin:True or project_id:%(project_id)s
admin_api: is_admin:True
network:attach_external_network: is_admin:True
os_compute_api:os-block-device-mapping:discoverable: "@"
os_compute_api:os-block-device-mapping-v1:discoverable: "@"
os_compute_api:os-cells:discoverable: "@"
os_compute_api:os-cells:update: rule:admin_api
os_compute_api:os-cells:create: rule:admin_api
os_compute_api:os-cells: rule:admin_api
os_compute_api:os-cells:sync_instances: rule:admin_api
os_compute_api:os-cells:delete: rule:admin_api
cells_scheduler_filter:DifferentCellFilter: is_admin:True
cells_scheduler_filter:TargetCellFilter: is_admin:True
os_compute_api:os-certificates:discoverable: "@"
os_compute_api:os-certificates:create: rule:admin_or_owner
os_compute_api:os-certificates:show: rule:admin_or_owner
os_compute_api:os-cloudpipe: rule:admin_api
os_compute_api:os-cloudpipe:discoverable: "@"
os_compute_api:os-config-drive:discoverable: "@"
os_compute_api:os-config-drive: rule:admin_or_owner
os_compute_api:os-console-auth-tokens:discoverable: "@"
os_compute_api:os-console-auth-tokens: rule:admin_api
os_compute_api:os-console-output:discoverable: "@"
os_compute_api:os-console-output: rule:admin_or_owner
os_compute_api:os-consoles:create: rule:admin_or_owner
os_compute_api:os-consoles:show: rule:admin_or_owner
os_compute_api:os-consoles:delete: rule:admin_or_owner
os_compute_api:os-consoles:discoverable: "@"
os_compute_api:os-consoles:index: rule:admin_or_owner
os_compute_api:os-create-backup:discoverable: "@"
os_compute_api:os-create-backup: rule:admin_or_owner
os_compute_api:os-deferred-delete:discoverable: "@"
os_compute_api:os-deferred-delete: rule:admin_or_owner
os_compute_api:os-evacuate:discoverable: "@"
os_compute_api:os-evacuate: rule:admin_api
os_compute_api:os-extended-availability-zone: rule:admin_or_owner
os_compute_api:os-extended-availability-zone:discoverable: "@"
os_compute_api:os-extended-server-attributes: rule:admin_api
os_compute_api:os-extended-server-attributes:discoverable: "@"
os_compute_api:os-extended-status:discoverable: "@"
os_compute_api:os-extended-status: rule:admin_or_owner
os_compute_api:os-extended-volumes: rule:admin_or_owner
os_compute_api:os-extended-volumes:discoverable: "@"
os_compute_api:extension_info:discoverable: "@"
os_compute_api:extensions: rule:admin_or_owner
os_compute_api:extensions:discoverable: "@"
os_compute_api:os-fixed-ips:discoverable: "@"
os_compute_api:os-fixed-ips: rule:admin_api
os_compute_api:os-flavor-access:add_tenant_access: rule:admin_api
os_compute_api:os-flavor-access:discoverable: "@"
os_compute_api:os-flavor-access:remove_tenant_access: rule:admin_api
os_compute_api:os-flavor-access: rule:admin_or_owner
os_compute_api:os-flavor-extra-specs:show: rule:admin_or_owner
os_compute_api:os-flavor-extra-specs:create: rule:admin_api
os_compute_api:os-flavor-extra-specs:discoverable: "@"
os_compute_api:os-flavor-extra-specs:update: rule:admin_api
os_compute_api:os-flavor-extra-specs:delete: rule:admin_api
os_compute_api:os-flavor-extra-specs:index: rule:admin_or_owner
os_compute_api:os-flavor-manage: rule:admin_api
os_compute_api:os-flavor-manage:discoverable: "@"
os_compute_api:os-flavor-rxtx: rule:admin_or_owner
os_compute_api:os-flavor-rxtx:discoverable: "@"
os_compute_api:flavors:discoverable: "@"
os_compute_api:flavors: rule:admin_or_owner
os_compute_api:os-floating-ip-dns: rule:admin_or_owner
os_compute_api:os-floating-ip-dns:domain:update: rule:admin_api
os_compute_api:os-floating-ip-dns:discoverable: "@"
os_compute_api:os-floating-ip-dns:domain:delete: rule:admin_api
os_compute_api:os-floating-ip-pools:discoverable: "@"
os_compute_api:os-floating-ip-pools: rule:admin_or_owner
os_compute_api:os-floating-ips: rule:admin_or_owner
os_compute_api:os-floating-ips:discoverable: "@"
os_compute_api:os-floating-ips-bulk:discoverable: "@"
os_compute_api:os-floating-ips-bulk: rule:admin_api
os_compute_api:os-fping:all_tenants: rule:admin_api
os_compute_api:os-fping:discoverable: "@"
os_compute_api:os-fping: rule:admin_or_owner
os_compute_api:os-hide-server-addresses:discoverable: "@"
os_compute_api:os-hide-server-addresses: is_admin:False
os_compute_api:os-hosts:discoverable: "@"
os_compute_api:os-hosts: rule:admin_api
os_compute_api:os-hypervisors:discoverable: "@"
os_compute_api:os-hypervisors: rule:admin_api
os_compute_api:image-metadata:discoverable: "@"
os_compute_api:image-size:discoverable: "@"
os_compute_api:image-size: rule:admin_or_owner
os_compute_api:images:discoverable: "@"
os_compute_api:os-instance-actions:events: rule:admin_api
os_compute_api:os-instance-actions: rule:admin_or_owner
os_compute_api:os-instance-actions:discoverable: "@"
os_compute_api:os-instance-usage-audit-log: rule:admin_api
os_compute_api:os-instance-usage-audit-log:discoverable: "@"
os_compute_api:ips:discoverable: "@"
os_compute_api:ips:show: rule:admin_or_owner
os_compute_api:ips:index: rule:admin_or_owner
os_compute_api:os-keypairs:discoverable: "@"
os_compute_api:os-keypairs:index: rule:admin_api or user_id:%(user_id)s
os_compute_api:os-keypairs:create: rule:admin_api or user_id:%(user_id)s
os_compute_api:os-keypairs:delete: rule:admin_api or user_id:%(user_id)s
os_compute_api:os-keypairs:show: rule:admin_api or user_id:%(user_id)s
os_compute_api:os-keypairs: rule:admin_or_owner
os_compute_api:limits:discoverable: "@"
os_compute_api:limits: rule:admin_or_owner
os_compute_api:os-lock-server:discoverable: "@"
os_compute_api:os-lock-server:lock: rule:admin_or_owner
os_compute_api:os-lock-server:unlock:unlock_override: rule:admin_api
os_compute_api:os-lock-server:unlock: rule:admin_or_owner
os_compute_api:os-migrate-server:migrate: rule:admin_api
os_compute_api:os-migrate-server:discoverable: "@"
os_compute_api:os-migrate-server:migrate_live: rule:admin_api
os_compute_api:os-migrations:index: rule:admin_api
os_compute_api:os-migrations:discoverable: "@"
os_compute_api:os-multinic: rule:admin_or_owner
os_compute_api:os-multinic:discoverable: "@"
os_compute_api:os-multiple-create:discoverable: "@"
os_compute_api:os-networks:discoverable: "@"
os_compute_api:os-networks: rule:admin_api
os_compute_api:os-networks:view: rule:admin_or_owner
os_compute_api:os-networks-associate: rule:admin_api
os_compute_api:os-networks-associate:discoverable: "@"
os_compute_api:os-pause-server:unpause: rule:admin_or_owner
os_compute_api:os-pause-server:discoverable: "@"
os_compute_api:os-pause-server:pause: rule:admin_or_owner
os_compute_api:os-pci:index: rule:admin_api
os_compute_api:os-pci:detail: rule:admin_api
os_compute_api:os-pci:pci_servers: rule:admin_or_owner
os_compute_api:os-pci:show: rule:admin_api
os_compute_api:os-pci:discoverable: "@"
os_compute_api:os-quota-class-sets:show: is_admin:True or quota_class:%(quota_class)s
os_compute_api:os-quota-class-sets:discoverable: "@"
os_compute_api:os-quota-class-sets:update: rule:admin_api
os_compute_api:os-quota-sets:update: rule:admin_api
os_compute_api:os-quota-sets:defaults: "@"
os_compute_api:os-quota-sets:show: rule:admin_or_owner
os_compute_api:os-quota-sets:delete: rule:admin_api
os_compute_api:os-quota-sets:discoverable: "@"
os_compute_api:os-quota-sets:detail: rule:admin_api
os_compute_api:os-remote-consoles: rule:admin_or_owner
os_compute_api:os-remote-consoles:discoverable: "@"
os_compute_api:os-rescue:discoverable: "@"
os_compute_api:os-rescue: rule:admin_or_owner
os_compute_api:os-scheduler-hints:discoverable: "@"
os_compute_api:os-security-group-default-rules:discoverable: "@"
os_compute_api:os-security-group-default-rules: rule:admin_api
os_compute_api:os-security-groups: rule:admin_or_owner
os_compute_api:os-security-groups:discoverable: "@"
os_compute_api:os-server-diagnostics: rule:admin_api
os_compute_api:os-server-diagnostics:discoverable: "@"
os_compute_api:os-server-external-events:create: rule:admin_api
os_compute_api:os-server-external-events:discoverable: "@"
os_compute_api:os-server-groups:discoverable: "@"
os_compute_api:os-server-groups: rule:admin_or_owner
os_compute_api:server-metadata:index: rule:admin_or_owner
os_compute_api:server-metadata:show: rule:admin_or_owner
os_compute_api:server-metadata:create: rule:admin_or_owner
os_compute_api:server-metadata:discoverable: "@"
os_compute_api:server-metadata:update_all: rule:admin_or_owner
os_compute_api:server-metadata:delete: rule:admin_or_owner
os_compute_api:server-metadata:update: rule:admin_or_owner
os_compute_api:os-server-password: rule:admin_or_owner
os_compute_api:os-server-password:discoverable: "@"
os_compute_api:os-server-tags:delete_all: "@"
os_compute_api:os-server-tags:index: "@"
os_compute_api:os-server-tags:update_all: "@"
os_compute_api:os-server-tags:delete: "@"
os_compute_api:os-server-tags:update: "@"
os_compute_api:os-server-tags:show: "@"
os_compute_api:os-server-tags:discoverable: "@"
os_compute_api:os-server-usage: rule:admin_or_owner
os_compute_api:os-server-usage:discoverable: "@"
os_compute_api:servers:index: rule:admin_or_owner
os_compute_api:servers:detail: rule:admin_or_owner
os_compute_api:servers:detail:get_all_tenants: rule:admin_api
os_compute_api:servers:index:get_all_tenants: rule:admin_api
os_compute_api:servers:show: rule:admin_or_owner
os_compute_api:servers:show:host_status: rule:admin_api
os_compute_api:servers:create: rule:admin_or_owner
os_compute_api:servers:create:forced_host: rule:admin_api
os_compute_api:servers:create:attach_volume: rule:admin_or_owner
os_compute_api:servers:create:attach_network: rule:admin_or_owner
os_compute_api:servers:delete: rule:admin_or_owner
os_compute_api:servers:update: rule:admin_or_owner
os_compute_api:servers:confirm_resize: rule:admin_or_owner
os_compute_api:servers:revert_resize: rule:admin_or_owner
os_compute_api:servers:reboot: rule:admin_or_owner
os_compute_api:servers:resize: rule:admin_or_owner
os_compute_api:servers:rebuild: rule:admin_or_owner
os_compute_api:servers:create_image: rule:admin_or_owner
os_compute_api:servers:create_image:allow_volume_backed: rule:admin_or_owner
os_compute_api:servers:start: rule:admin_or_owner
os_compute_api:servers:stop: rule:admin_or_owner
os_compute_api:servers:trigger_crash_dump: rule:admin_or_owner
os_compute_api:servers:discoverable: "@"
os_compute_api:servers:migrations:show: rule:admin_api
os_compute_api:servers:migrations:force_complete: rule:admin_api
os_compute_api:servers:migrations:delete: rule:admin_api
os_compute_api:servers:migrations:index: rule:admin_api
os_compute_api:server-migrations:discoverable: "@"
os_compute_api:os-services: rule:admin_api
os_compute_api:os-services:discoverable: "@"
os_compute_api:os-shelve:shelve: rule:admin_or_owner
os_compute_api:os-shelve:unshelve: rule:admin_or_owner
os_compute_api:os-shelve:shelve_offload: rule:admin_api
os_compute_api:os-shelve:discoverable: "@"
os_compute_api:os-simple-tenant-usage:show: rule:admin_or_owner
os_compute_api:os-simple-tenant-usage:list: rule:admin_api
os_compute_api:os-simple-tenant-usage:discoverable: "@"
os_compute_api:os-suspend-server:resume: rule:admin_or_owner
os_compute_api:os-suspend-server:suspend: rule:admin_or_owner
os_compute_api:os-suspend-server:discoverable: "@"
os_compute_api:os-tenant-networks: rule:admin_or_owner
os_compute_api:os-tenant-networks:discoverable: "@"
os_compute_api:os-used-limits:discoverable: "@"
os_compute_api:os-used-limits: rule:admin_api
os_compute_api:os-user-data:discoverable: "@"
os_compute_api:versions:discoverable: "@"
os_compute_api:os-virtual-interfaces:discoverable: "@"
os_compute_api:os-virtual-interfaces: rule:admin_or_owner
os_compute_api:os-volumes:discoverable: "@"
os_compute_api:os-volumes: rule:admin_or_owner
os_compute_api:os-volumes-attachments:index: rule:admin_or_owner
os_compute_api:os-volumes-attachments:create: rule:admin_or_owner
os_compute_api:os-volumes-attachments:show: rule:admin_or_owner
os_compute_api:os-volumes-attachments:discoverable: "@"
os_compute_api:os-volumes-attachments:update: rule:admin_api
os_compute_api:os-volumes-attachments:delete: rule:admin_or_owner
nova_sudoers: |
# This sudoers file supports rootwrap for both Kolla and LOCI Images.
Defaults !requiretty
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
nova ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/nova-rootwrap /etc/nova/rootwrap.conf *, /var/lib/openstack/bin/nova-rootwrap /etc/nova/rootwrap.conf *
api_audit_map:
DEFAULT:
target_endpoint_type: None
custom_actions:
enable: enable
disable: disable
delete: delete
startup: start/startup
shutdown: stop/shutdown
reboot: start/reboot
os-migrations/get: read
os-server-password/post: update
path_keywords:
add: None
action: None
enable: None
disable: None
configure-project: None
defaults: None
delete: None
detail: None
diagnostics: None
entries: entry
extensions: alias
flavors: flavor
images: image
ips: label
limits: None
metadata: key
os-agents: os-agent
os-aggregates: os-aggregate
os-availability-zone: None
os-certificates: None
os-cloudpipe: None
os-fixed-ips: ip
os-extra_specs: key
os-flavor-access: None
os-floating-ip-dns: domain
os-floating-ips-bulk: host
os-floating-ip-pools: None
os-floating-ips: floating-ip
os-hosts: host
os-hypervisors: hypervisor
os-instance-actions: instance-action
os-keypairs: keypair
os-migrations: None
os-networks: network
os-quota-sets: tenant
os-security-groups: security_group
os-security-group-rules: rule
os-server-password: None
os-services: None
os-simple-tenant-usage: tenant
os-virtual-interfaces: None
os-volume_attachments: attachment
os-volumes_boot: None
os-volumes: volume
os-volume-types: volume-type
os-snapshots: snapshot
reboot: None
servers: server
shutdown: None
startup: None
statistics: None
service_endpoints:
compute: service/compute
rootwrap: |
# Configuration for nova-rootwrap
# This file should be owned by (and only-writeable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
# Enable logging to syslog
# Default value is False
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR
wsgi_placement: |
Listen 0.0.0.0:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
WSGIDaemonProcess placement-api processes=1 threads=4 user=nova group=nova display-name=%{GROUP}
WSGIProcessGroup placement-api
WSGIScriptAlias / /var/www/cgi-bin/nova/nova-placement-api
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
= 2.4>
ErrorLogFormat "%{cu}t %M"
ErrorLog /dev/stdout
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
Alias /placement /var/www/cgi-bin/nova/nova-placement-api
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup placement-api
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
rootwrap_filters:
api_metadata:
pods:
- metadata
content: |
# nova-rootwrap command filters for api-metadata nodes
# This is needed on nova-api hosts running with "metadata" in enabled_apis
# or when running nova-api-metadata
# This file should be owned by (and only-writeable by) the root user
[Filters]
# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
iptables-save: CommandFilter, iptables-save, root
ip6tables-save: CommandFilter, ip6tables-save, root
# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
iptables-restore: CommandFilter, iptables-restore, root
ip6tables-restore: CommandFilter, ip6tables-restore, root
compute:
pods:
- compute
content: |
# nova-rootwrap command filters for compute nodes
# This file should be owned by (and only-writeable by) the root user
[Filters]
# nova/virt/disk/mount/api.py: 'kpartx', '-a', device
# nova/virt/disk/mount/api.py: 'kpartx', '-d', device
kpartx: CommandFilter, kpartx, root
# nova/virt/xenapi/vm_utils.py: tune2fs, -O ^has_journal, part_path
# nova/virt/xenapi/vm_utils.py: tune2fs, -j, partition_path
tune2fs: CommandFilter, tune2fs, root
# nova/virt/disk/mount/api.py: 'mount', mapped_device
# nova/virt/disk/api.py: 'mount', '-o', 'bind', src, target
# nova/virt/xenapi/vm_utils.py: 'mount', '-t', 'ext2,ext3,ext4,reiserfs'..
# nova/virt/configdrive.py: 'mount', device, mountdir
# nova/virt/libvirt/volume.py: 'mount', '-t', 'sofs' ...
mount: CommandFilter, mount, root
# nova/virt/disk/mount/api.py: 'umount', mapped_device
# nova/virt/disk/api.py: 'umount' target
# nova/virt/xenapi/vm_utils.py: 'umount', dev_path
# nova/virt/configdrive.py: 'umount', mountdir
umount: CommandFilter, umount, root
# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-c', device, image
# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-d', device
qemu-nbd: CommandFilter, qemu-nbd, root
# nova/virt/disk/mount/loop.py: 'losetup', '--find', '--show', image
# nova/virt/disk/mount/loop.py: 'losetup', '--detach', device
losetup: CommandFilter, losetup, root
# nova/virt/disk/vfs/localfs.py: 'blkid', '-o', 'value', '-s', 'TYPE', device
blkid: CommandFilter, blkid, root
# nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path
# nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device
blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.*
# nova/virt/disk/vfs/localfs.py: 'tee', canonpath
tee: CommandFilter, tee, root
# nova/virt/disk/vfs/localfs.py: 'mkdir', canonpath
mkdir: CommandFilter, mkdir, root
# nova/virt/disk/vfs/localfs.py: 'chown'
# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
# nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk')
chown: CommandFilter, chown, root
# nova/virt/disk/vfs/localfs.py: 'chmod'
chmod: CommandFilter, chmod, root
# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
# nova/network/linux_net.py: 'ip', 'route', 'add', ..
# nova/network/linux_net.py: 'ip', 'route', 'del', .
# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
ip: CommandFilter, ip, root
# nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev
# nova/network/linux_net.py: 'tunctl', '-b', '-t', dev
tunctl: CommandFilter, tunctl, root
# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
# nova/network/linux_net.py: 'ovs-vsctl', ....
ovs-vsctl: CommandFilter, ovs-vsctl, root
# nova/virt/libvirt/vif.py: 'vrouter-port-control', ...
vrouter-port-control: CommandFilter, vrouter-port-control, root
# nova/virt/libvirt/vif.py: 'ebrctl', ...
ebrctl: CommandFilter, ebrctl, root
# nova/virt/libvirt/vif.py: 'mm-ctl', ...
mm-ctl: CommandFilter, mm-ctl, root
# nova/network/linux_net.py: 'ovs-ofctl', ....
ovs-ofctl: CommandFilter, ovs-ofctl, root
# nova/virt/libvirt/connection.py: 'dd', if=%s % virsh_output, ...
dd: CommandFilter, dd, root
# nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ...
iscsiadm: CommandFilter, iscsiadm, root
# nova/virt/libvirt/volume/aoe.py: 'aoe-revalidate', aoedev
# nova/virt/libvirt/volume/aoe.py: 'aoe-discover'
aoe-revalidate: CommandFilter, aoe-revalidate, root
aoe-discover: CommandFilter, aoe-discover, root
# nova/virt/xenapi/vm_utils.py: parted, --script, ...
# nova/virt/xenapi/vm_utils.py: 'parted', '--script', dev_path, ..*.
parted: CommandFilter, parted, root
# nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path
pygrub: CommandFilter, pygrub, root
# nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s
fdisk: CommandFilter, fdisk, root
# nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path
# nova/virt/disk/api.py: e2fsck, -f, -p, image
e2fsck: CommandFilter, e2fsck, root
# nova/virt/xenapi/vm_utils.py: resize2fs, partition_path
# nova/virt/disk/api.py: resize2fs, image
resize2fs: CommandFilter, resize2fs, root
# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
iptables-save: CommandFilter, iptables-save, root
ip6tables-save: CommandFilter, ip6tables-save, root
# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
iptables-restore: CommandFilter, iptables-restore, root
ip6tables-restore: CommandFilter, ip6tables-restore, root
# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
arping: CommandFilter, arping, root
# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
dhcp_release: CommandFilter, dhcp_release, root
# nova/network/linux_net.py: 'kill', '-9', pid
# nova/network/linux_net.py: 'kill', '-HUP', pid
kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
# nova/network/linux_net.py: 'kill', pid
kill_radvd: KillFilter, root, /usr/sbin/radvd
# nova/network/linux_net.py: dnsmasq call
dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
radvd: CommandFilter, radvd, root
# nova/network/linux_net.py: 'brctl', 'addbr', bridge
# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
brctl: CommandFilter, brctl, root
# nova/virt/libvirt/utils.py: 'mkswap'
# nova/virt/xenapi/vm_utils.py: 'mkswap'
mkswap: CommandFilter, mkswap, root
# nova/virt/libvirt/utils.py: 'nova-idmapshift'
nova-idmapshift: CommandFilter, nova-idmapshift, root
# nova/virt/xenapi/vm_utils.py: 'mkfs'
# nova/utils.py: 'mkfs', fs, path, label
mkfs: CommandFilter, mkfs, root
# nova/virt/libvirt/utils.py: 'qemu-img'
qemu-img: CommandFilter, qemu-img, root
# nova/virt/disk/vfs/localfs.py: 'readlink', '-e'
readlink: CommandFilter, readlink, root
# nova/virt/disk/api.py:
mkfs.ext3: CommandFilter, mkfs.ext3, root
mkfs.ext4: CommandFilter, mkfs.ext4, root
mkfs.ntfs: CommandFilter, mkfs.ntfs, root
# nova/virt/libvirt/connection.py:
lvremove: CommandFilter, lvremove, root
# nova/virt/libvirt/utils.py:
lvcreate: CommandFilter, lvcreate, root
# nova/virt/libvirt/utils.py:
lvs: CommandFilter, lvs, root
# nova/virt/libvirt/utils.py:
vgs: CommandFilter, vgs, root
# nova/utils.py:read_file_as_root: 'cat', file_path
# (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file)
read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd
read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow
# os-brick needed commands
read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
multipath: CommandFilter, multipath, root
# multipathd show status
multipathd: CommandFilter, multipathd, root
systool: CommandFilter, systool, root
vgc-cluster: CommandFilter, vgc-cluster, root
# os_brick/initiator/connector.py
drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
# TODO(smcginnis) Temporary fix.
# Need to pull in os-brick os-brick.filters file instead and clean
# out stale brick values from this file.
scsi_id: CommandFilter, /lib/udev/scsi_id, root
# os_brick.privileged.default oslo.privsep context
# This line ties the superuser privs with the config files, context name,
# and (implicitly) the actual python code invoked.
privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
# nova/storage/linuxscsi.py: sg_scan device
sg_scan: CommandFilter, sg_scan, root
# nova/volume/encryptors/cryptsetup.py:
# nova/volume/encryptors/luks.py:
ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/crypt-.+, .+
# nova/volume/encryptors.py:
# nova/virt/libvirt/dmcrypt.py:
cryptsetup: CommandFilter, cryptsetup, root
# nova/virt/xenapi/vm_utils.py:
xenstore-read: CommandFilter, xenstore-read, root
# nova/virt/libvirt/utils.py:
rbd: CommandFilter, rbd, root
# nova/virt/libvirt/utils.py: 'shred', '-n3', '-s%d' % volume_size, path
shred: CommandFilter, shred, root
# nova/virt/libvirt/volume.py: 'cp', '/dev/stdin', delete_control..
cp: CommandFilter, cp, root
# nova/virt/xenapi/vm_utils.py:
sync: CommandFilter, sync, root
# nova/virt/libvirt/imagebackend.py:
ploop: RegExpFilter, ploop, root, ploop, restore-descriptor, .*
prl_disk_tool: RegExpFilter, prl_disk_tool, root, prl_disk_tool, resize, --size, .*M$, --resize_partition, --hdd, .*
# nova/virt/libvirt/utils.py: 'xend', 'status'
xend: CommandFilter, xend, root
# nova/virt/libvirt/utils.py:
touch: CommandFilter, touch, root
# nova/virt/libvirt/volume/vzstorage.py
pstorage-mount: CommandFilter, pstorage-mount, root
network:
pods:
- compute
content: |
# nova-rootwrap command filters for network nodes
# This file should be owned by (and only-writeable by) the root user
[Filters]
# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
# nova/network/linux_net.py: 'ip', 'route', 'add', ..
# nova/network/linux_net.py: 'ip', 'route', 'del', .
# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
ip: CommandFilter, ip, root
# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
# nova/network/linux_net.py: 'ovs-vsctl', ....
ovs-vsctl: CommandFilter, ovs-vsctl, root
# nova/network/linux_net.py: 'ovs-ofctl', ....
ovs-ofctl: CommandFilter, ovs-ofctl, root
# nova/virt/libvirt/vif.py: 'ivs-ctl', ...
# nova/virt/libvirt/vif.py: 'ivs-ctl', 'del-port', ...
# nova/network/linux_net.py: 'ivs-ctl', ....
ivs-ctl: CommandFilter, ivs-ctl, root
# nova/virt/libvirt/vif.py: 'ifc_ctl', ...
ifc_ctl: CommandFilter, /opt/pg/bin/ifc_ctl, root
# nova/network/linux_net.py: 'ebtables', '-D' ...
# nova/network/linux_net.py: 'ebtables', '-I' ...
ebtables: CommandFilter, ebtables, root
ebtables_usr: CommandFilter, ebtables, root
# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
iptables-save: CommandFilter, iptables-save, root
ip6tables-save: CommandFilter, ip6tables-save, root
# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
iptables-restore: CommandFilter, iptables-restore, root
ip6tables-restore: CommandFilter, ip6tables-restore, root
# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
arping: CommandFilter, arping, root
# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
dhcp_release: CommandFilter, dhcp_release, root
# nova/network/linux_net.py: 'kill', '-9', pid
# nova/network/linux_net.py: 'kill', '-HUP', pid
kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
# nova/network/linux_net.py: 'kill', pid
kill_radvd: KillFilter, root, /usr/sbin/radvd
# nova/network/linux_net.py: dnsmasq call
dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
radvd: CommandFilter, radvd, root
# nova/network/linux_net.py: 'brctl', 'addbr', bridge
# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
brctl: CommandFilter, brctl, root
# nova/network/linux_net.py: 'sysctl', ....
sysctl: CommandFilter, sysctl, root
# nova/network/linux_net.py: 'conntrack'
conntrack: CommandFilter, conntrack, root
# nova/network/linux_net.py: 'fp-vdev'
fp-vdev: CommandFilter, fp-vdev, root
nova_ironic:
DEFAULT:
scheduler_host_manager: ironic_host_manager
compute_driver: ironic.IronicDriver
libvirt:
# Get the IP address to be used as the target for live migration traffic using interface name.
# If this option is set to None, the hostname of the migration target compute node will be used.
live_migration_interface:
hypervisor:
# my_ip can be set automatically through this interface name.
host_interface:
nova:
DEFAULT:
log_config_append: /etc/nova/logging.conf
default_ephemeral_format: ext4
ram_allocation_ratio: 1.0
disk_allocation_ratio: 1.0
cpu_allocation_ratio: 3.0
state_path: /var/lib/nova
osapi_compute_listen: 0.0.0.0
# NOTE(portdirect): the bind port should not be defined, and is manipulated
# via the endpoints section.
osapi_compute_listen_port: null
osapi_compute_workers: 1
metadata_workers: 1
use_neutron: true
firewall_driver: nova.virt.firewall.NoopFirewallDriver
linuxnet_interface_driver: openvswitch
compute_driver: libvirt.LibvirtDriver
my_ip: 0.0.0.0
instance_usage_audit: True
instance_usage_audit_period: hour
notify_on_state_change: vm_and_task_state
resume_guests_state_on_host_boot: True
vnc:
novncproxy_host: 0.0.0.0
vncserver_listen: 0.0.0.0
# This would be set by each compute nodes's ip
# vncserver_proxyclient_address: 127.0.0.1
spice:
html5proxy_host: 0.0.0.0
server_listen: 0.0.0.0
# This would be set by each compute nodes's ip
# server_proxyclient_address: 127.0.0.1
conductor:
workers: 1
oslo_policy:
policy_file: /etc/nova/policy.yaml
oslo_concurrency:
lock_path: /var/lib/nova/tmp
oslo_middleware:
enable_proxy_headers_parsing: true
glance:
num_retries: 3
ironic:
api_endpoint: null
auth_url: null
neutron:
metadata_proxy_shared_secret: "password"
service_metadata_proxy: True
auth_type: password
auth_version: v3
database:
max_retries: -1
api_database:
max_retries: -1
cell0_database:
max_retries: -1
keystone_authtoken:
auth_type: password
auth_version: v3
memcache_security_strategy: ENCRYPT
libvirt:
connection_uri: "qemu+tcp://127.0.0.1/system"
images_type: qcow2
images_rbd_pool: vms
images_rbd_ceph_conf: /etc/ceph/ceph.conf
rbd_user: cinder
rbd_secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
disk_cachemodes: "network=writeback"
hw_disk_discard: unmap
upgrade_levels:
compute: auto
cache:
enabled: true
backend: dogpile.cache.memcached
wsgi:
api_paste_config: /etc/nova/api-paste.ini
oslo_messaging_notifications:
driver: messagingv2
oslo_messaging_rabbit:
rabbit_ha_queues: true
placement:
auth_type: password
auth_version: v3
logging:
loggers:
keys:
- root
- nova
handlers:
keys:
- stdout
- stderr
- "null"
formatters:
keys:
- context
- default
logger_root:
level: WARNING
handlers: stdout
logger_nova:
level: INFO
handlers:
- stdout
qualname: nova
logger_amqp:
level: WARNING
handlers: stderr
qualname: amqp
logger_amqplib:
level: WARNING
handlers: stderr
qualname: amqplib
logger_eventletwsgi:
level: WARNING
handlers: stderr
qualname: eventlet.wsgi.server
logger_sqlalchemy:
level: WARNING
handlers: stderr
qualname: sqlalchemy
logger_boto:
level: WARNING
handlers: stderr
qualname: boto
handler_null:
class: logging.NullHandler
formatter: default
args: ()
handler_stdout:
class: StreamHandler
args: (sys.stdout,)
formatter: context
handler_stderr:
class: StreamHandler
args: (sys.stderr,)
formatter: context
formatter_context:
class: oslo_log.formatters.ContextFormatter
datefmt: "%Y-%m-%d %H:%M:%S"
formatter_default:
format: "%(message)s"
datefmt: "%Y-%m-%d %H:%M:%S"
rabbitmq:
#NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
policies:
- vhost: "nova"
name: "ha_ttl_nova"
definition:
#mirror messges to other nodes in rmq cluster
ha-mode: "all"
ha-sync-mode: "automatic"
#70s
message-ttl: 70000
priority: 0
apply-to: all
pattern: '^(?!amq\.).*'
# Names of secrets used by bootstrap and environmental checks
secrets:
identity:
admin: nova-keystone-admin
nova: nova-keystone-user
placement: nova-keystone-placement
test: nova-keystone-test
oslo_db:
admin: nova-db-admin
nova: nova-db-user
oslo_db_api:
admin: nova-db-api-admin
nova: nova-db-api-user
oslo_db_cell0:
admin: nova-db-api-admin
nova: nova-db-api-user
oslo_messaging:
admin: nova-rabbitmq-admin
nova: nova-rabbitmq-user
tls:
compute:
osapi:
public: nova-tls-public
compute_novnc_proxy:
novncproxy:
public: nova-novncproxy-tls-public
placement:
placement:
public: placement-tls-public
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
oslo_db:
auth:
admin:
username: root
password: password
nova:
username: nova
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /nova
scheme: mysql+pymysql
port:
mysql:
default: 3306
oslo_db_api:
auth:
admin:
username: root
password: password
nova:
username: nova
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /nova_api
scheme: mysql+pymysql
port:
mysql:
default: 3306
oslo_db_cell0:
auth:
admin:
username: root
password: password
nova:
username: nova
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /nova_cell0
scheme: mysql+pymysql
port:
mysql:
default: 3306
oslo_messaging:
auth:
admin:
username: rabbitmq
password: password
nova:
username: nova
password: password
statefulset:
replicas: 2
name: rabbitmq-rabbitmq
hosts:
default: rabbitmq
host_fqdn_override:
default: null
path: /nova
scheme: rabbit
port:
amqp:
default: 5672
http:
default: 15672
oslo_cache:
auth:
# NOTE(portdirect): this is used to define the value for keystone
# authtoken cache encryption key, if not set it will be populated
# automatically with a random value, but to take advantage of
# this feature all services should be set to use the same key,
# and memcache service.
memcache_secret_key: null
hosts:
default: memcached
host_fqdn_override:
default: null
port:
memcache:
default: 11211
identity:
name: keystone
auth:
admin:
region_name: RegionOne
username: admin
password: password
project_name: admin
user_domain_name: default
project_domain_name: default
nova:
role: admin
region_name: RegionOne
username: nova
password: password
project_name: service
user_domain_name: service
project_domain_name: service
# NOTE(portdirect): the neutron user is not managed by the nova chart
# these values should match those set in the neutron chart.
neutron:
region_name: RegionOne
project_name: service
user_domain_name: service
project_domain_name: service
username: neutron
password: password
# NOTE(portdirect): the ironic user is not managed by the nova chart
# these values should match those set in the ironic chart.
ironic:
auth_type: password
auth_version: v3
region_name: RegionOne
project_name: service
user_domain_name: service
project_domain_name: service
username: ironic
password: password
placement:
role: admin
region_name: RegionOne
username: placement
password: password
project_name: service
user_domain_name: service
project_domain_name: service
test:
role: admin
region_name: RegionOne
username: nova-test
password: password
project_name: test
user_domain_name: service
project_domain_name: service
hosts:
default: keystone
internal: keystone-api
host_fqdn_override:
default: null
path:
default: /v3
scheme:
default: http
port:
api:
default: 80
internal: 5000
image:
name: glance
hosts:
default: glance-api
public: glance
host_fqdn_override:
default: null
path:
default: null
scheme:
default: http
port:
api:
default: 9292
public: 80
compute:
name: nova
hosts:
default: nova-api
public: nova
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: "/v2.1/%(tenant_id)s"
scheme:
default: 'http'
port:
api:
default: 8774
public: 80
novncproxy:
default: 6080
compute_metadata:
name: nova
ip:
# IF blank, set clusterIP and metadata_host dynamically
ingress: null
hosts:
default: nova-metadata
public: metadata
host_fqdn_override:
default: null
path:
default: /
scheme:
default: 'http'
port:
metadata:
default: 8775
public: 80
compute_novnc_proxy:
name: nova
hosts:
default: nova-novncproxy
public: novncproxy
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: /vnc_auto.html
scheme:
default: 'http'
port:
novnc_proxy:
default: 6080
public: 80
compute_spice_proxy:
name: nova
hosts:
default: nova-spiceproxy
public: placement
host_fqdn_override:
default: null
path:
default: /spice_auto.html
scheme:
default: 'http'
port:
spice_proxy:
default: 6082
placement:
name: placement
hosts:
default: placement-api
public: placement
host_fqdn_override:
default: null
path:
default: /
scheme:
default: 'http'
port:
api:
default: 8778
public: 80
network:
name: neutron
hosts:
default: neutron-server
public: neutron
host_fqdn_override:
default: null
path:
default: null
scheme:
default: 'http'
port:
api:
default: 9696
public: 80
baremetal:
name: ironic
hosts:
default: ironic-api
public: ironic
host_fqdn_override:
default: null
path:
default: null
scheme:
default: http
port:
api:
default: 6385
public: 80
fluentd:
namespace: null
name: fluentd
hosts:
default: fluentd-logging
host_fqdn_override:
default: null
path:
default: null
scheme: 'http'
port:
service:
default: 24224
metrics:
default: 24220
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
# They are using to enable the Egress K8s network policy.
k8s:
port:
api:
default: 6443
internal: 5000
default:
namespace: default
kube_system:
namespace: kube-system
kube_public:
namespace: kube-public
pod:
user:
nova:
uid: 42424
security_context:
nova:
pod:
runAsUser: 42424
container:
nova_compute_init:
readOnlyRootFilesystem: true
runAsUser: 0
ceph_perms:
readOnlyRootFilesystem: true
runAsUser: 0
ceph_admin_keyring_placement:
readOnlyRootFilesystem: true
ceph_keyring_placement:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_compute_vnc_init:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_compute_spice_init:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_compute:
readOnlyRootFilesystem: true
privileged: true
nova_compute_ssh:
readOnlyRootFilesystem: true
privileged: true
nova_api_metadata_init:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_api:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_osapi:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_conductor:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_consoleauth:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_novncproxy_init:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_novncproxy_init_assests:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_novncproxy:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_scheduler:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_spiceproxy_init:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_spiceproxy_init_assets:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_spiceproxy:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
weight:
default: 10
mounts:
nova_compute:
init_container: null
nova_compute:
volumeMounts:
volumes:
nova_compute_ironic:
init_container: null
nova_compute_ironic:
volumeMounts:
volumes:
nova_api_metadata:
init_container: null
nova_api_metadata:
volumeMounts:
volumes:
nova_placement:
init_container: null
nova_placement:
volumeMounts:
volumes:
nova_api_osapi:
init_container: null
nova_api_osapi:
volumeMounts:
volumes:
nova_consoleauth:
init_container: null
nova_consoleauth:
volumeMounts:
volumes:
nova_conductor:
init_container: null
nova_conductor:
volumeMounts:
volumes:
nova_scheduler:
init_container: null
nova_scheduler:
volumeMounts:
volumes:
nova_bootstrap:
init_container: null
nova_bootstrap:
volumeMounts:
volumes:
nova_tests:
init_container: null
nova_tests:
volumeMounts:
volumes:
nova_novncproxy:
init_novncproxy: null
nova_novncproxy:
volumeMounts:
volumes:
nova_spiceproxy:
init_spiceproxy: null
nova_spiceproxy:
volumeMounts:
volumes:
nova_db_sync:
nova_db_sync:
volumeMounts:
volumes:
replicas:
api_metadata: 1
compute_ironic: 1
placement: 1
osapi: 1
conductor: 1
consoleauth: 1
scheduler: 1
novncproxy: 1
spiceproxy: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
daemonsets:
pod_replacement_strategy: RollingUpdate
compute:
enabled: true
min_ready_seconds: 0
max_unavailable: 1
disruption_budget:
metadata:
min_available: 0
placement:
min_available: 0
osapi:
min_available: 0
termination_grace_period:
metadata:
timeout: 30
placement:
timeout: 30
osapi:
timeout: 30
resources:
enabled: false
compute:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
compute_ironic:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
api_metadata:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
placement:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
api:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
conductor:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
consoleauth:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
scheduler:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ssh:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
novncproxy:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
spiceproxy:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
bootstrap:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
rabbit_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_drop:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_endpoints:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_service:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_user:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
tests:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
cell_setup:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
service_cleaner:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
network_policy:
nova:
# TODO(lamt): Need to tighten this ingress for security.
ingress:
- {}
egress:
- {}
- to:
- podSelector:
matchLabels:
application: ceph
- podSelector:
matchLabels:
application: ingress
- podSelector:
matchLabels:
application: openvswitch
- podSelector:
matchLabels:
application: libvirt
- podSelector:
matchLabels:
application: cinder
placement:
# TODO(lamt): Need to tighten this ingress for security.
ingress:
- {}
egress:
- {}
manifests:
configmap_bin: true
configmap_etc: true
cron_job_cell_setup: true
cron_job_service_cleaner: true
daemonset_compute: true
deployment_api_metadata: true
deployment_api_osapi: true
deployment_placement: true
deployment_conductor: true
deployment_consoleauth: true
deployment_novncproxy: true
deployment_spiceproxy: true
deployment_scheduler: true
ingress_metadata: true
ingress_novncproxy: true
ingress_placement: true
ingress_osapi: true
job_bootstrap: true
job_db_init: true
job_db_init_placement: true
job_db_sync: true
job_db_drop: false
job_image_repo_sync: true
job_rabbit_init: true
job_ks_endpoints: true
job_ks_service: true
job_ks_user: true
job_ks_placement_endpoints: true
job_ks_placement_service: true
job_ks_placement_user: true
job_cell_setup: true
pdb_metadata: true
pdb_placement: true
pdb_osapi: true
pod_rally_test: true
network_policy: false
secret_db_api: true
secret_db: true
secret_ingress_tls: true
secret_keystone: true
secret_keystone_placement: true
secret_rabbitmq: true
service_ingress_metadata: true
service_ingress_novncproxy: true
service_ingress_placement: true
service_ingress_osapi: true
service_metadata: true
service_placement: true
service_novncproxy: true
service_spiceproxy: true
service_osapi: true
statefulset_compute_ironic: false