ced30abead
Based on spec support-OCI-image-registry-with-authentication-turned-on.rst Each Helm chart can configure an OCI image registry and credentials to use. A Kubernetes secret is then created with this info. Service Accounts then specify an imagePullSecret specifying the Secret with creds for the registry. Then any pod using one of these ServiceAccounts may pull images from an authenticated container registry. Related OSH-infra change: https://review.opendev.org/c/openstack/openstack-helm-infra/+/848142 Change-Id: I54540f14fed29622bc5af8d18939afd06d65e2d8
2488 lines
72 KiB
YAML
2488 lines
72 KiB
YAML
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Default values for nova.
|
|
# This is a YAML-formatted file.
|
|
# Declare name/value pairs to be passed into your templates.
|
|
# name: value
|
|
|
|
---
|
|
release_group: null
|
|
|
|
labels:
|
|
agent:
|
|
compute:
|
|
node_selector_key: openstack-compute-node
|
|
node_selector_value: enabled
|
|
compute_ironic:
|
|
node_selector_key: openstack-compute-node
|
|
node_selector_value: enabled
|
|
api_metadata:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
conductor:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
job:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
novncproxy:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
osapi:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
scheduler:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
spiceproxy:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
test:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
|
|
images:
|
|
pull_policy: IfNotPresent
|
|
tags:
|
|
bootstrap: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
|
|
db_drop: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
|
|
db_init: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
|
|
dep_check: 'quay.io/airshipit/kubernetes-entrypoint:v1.0.0'
|
|
rabbit_init: docker.io/rabbitmq:3.7-management
|
|
ks_user: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
|
|
ks_service: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
|
|
nova_archive_deleted_rows: docker.io/openstackhelm/nova:ussuri-ubuntu_bionic
|
|
ks_endpoints: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
|
|
nova_api: docker.io/openstackhelm/nova:ussuri-ubuntu_bionic
|
|
nova_cell_setup: docker.io/openstackhelm/nova:ussuri-ubuntu_bionic
|
|
nova_cell_setup_init: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
|
|
nova_compute: docker.io/openstackhelm/nova:ussuri-ubuntu_bionic
|
|
nova_compute_ironic: 'docker.io/kolla/ubuntu-source-nova-compute-ironic:ussuri'
|
|
nova_compute_ssh: docker.io/openstackhelm/nova:ussuri-ubuntu_bionic
|
|
nova_conductor: docker.io/openstackhelm/nova:ussuri-ubuntu_bionic
|
|
nova_db_sync: docker.io/openstackhelm/nova:ussuri-ubuntu_bionic
|
|
nova_novncproxy: docker.io/openstackhelm/nova:ussuri-ubuntu_bionic
|
|
nova_novncproxy_assets: 'docker.io/kolla/ubuntu-source-nova-novncproxy:ussuri'
|
|
nova_scheduler: docker.io/openstackhelm/nova:ussuri-ubuntu_bionic
|
|
# NOTE(portdirect): we simply use the ceph config helper here,
|
|
# as it has both oscli and jq.
|
|
nova_service_cleaner: 'docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic'
|
|
nova_spiceproxy: docker.io/openstackhelm/nova:ussuri-ubuntu_bionic
|
|
nova_spiceproxy_assets: docker.io/openstackhelm/nova:ussuri-ubuntu_bionic
|
|
test: docker.io/xrally/xrally-openstack:2.0.0
|
|
image_repo_sync: docker.io/docker:17.07.0
|
|
nova_wait_for_computes_init: gcr.io/google_containers/hyperkube-amd64:v1.11.6
|
|
local_registry:
|
|
active: false
|
|
exclude:
|
|
- dep_check
|
|
- image_repo_sync
|
|
|
|
jobs:
|
|
# NOTE(portdirect): When using cells new nodes will be added to the cell on the hour by default.
|
|
# TODO(portdirect): Add a post-start action to nova compute pods that registers themselves.
|
|
cell_setup:
|
|
cron: "0 */1 * * *"
|
|
starting_deadline: 600
|
|
history:
|
|
success: 3
|
|
failed: 1
|
|
extended_wait:
|
|
enabled: false
|
|
iteration: 3
|
|
duration: 5
|
|
service_cleaner:
|
|
cron: "0 */1 * * *"
|
|
starting_deadline: 600
|
|
history:
|
|
success: 3
|
|
failed: 1
|
|
sleep_time: 60
|
|
archive_deleted_rows:
|
|
cron: "0 */1 * * *"
|
|
starting_deadline: 600
|
|
history:
|
|
success: 3
|
|
failed: 1
|
|
|
|
bootstrap:
|
|
enabled: true
|
|
ks_user: admin
|
|
script: null
|
|
structured:
|
|
flavors:
|
|
enabled: true
|
|
options:
|
|
m1_tiny:
|
|
name: "m1.tiny"
|
|
ram: 512
|
|
disk: 1
|
|
vcpus: 1
|
|
m1_small:
|
|
name: "m1.small"
|
|
ram: 2048
|
|
disk: 20
|
|
vcpus: 1
|
|
m1_medium:
|
|
name: "m1.medium"
|
|
ram: 4096
|
|
disk: 40
|
|
vcpus: 2
|
|
m1_large:
|
|
name: "m1.large"
|
|
ram: 8192
|
|
disk: 80
|
|
vcpus: 4
|
|
m1_xlarge:
|
|
name: "m1.xlarge"
|
|
ram: 16384
|
|
disk: 160
|
|
vcpus: 8
|
|
wait_for_computes:
|
|
enabled: false
|
|
# Wait percentage is the minimum percentage of compute hypervisors which
|
|
# must be available before the remainder of the bootstrap script can be run.
|
|
wait_percentage: 70
|
|
# Once the wait_percentage above is achieved, the remaining_wait is the
|
|
# amount of time in seconds to wait before executing the remainder of the
|
|
# boostrap script.
|
|
remaining_wait: 300
|
|
scripts:
|
|
init_script: |
|
|
# This runs in a bootstrap init container. It counts the number of compute nodes.
|
|
COMPUTE_NODES=$(kubectl get nodes -o custom-columns=NAME:.metadata.name -l openstack-compute-node=enabled --no-headers | sort)
|
|
/bin/echo $COMPUTE_NODES > /tmp/compute_nodes.txt
|
|
wait_script: |
|
|
# This script runs in the main bootstrap container just before the
|
|
# bootstrap.script is called.
|
|
COMPUTE_HOSTS=`cat /tmp/compute_nodes.txt | wc -w`
|
|
if [[ $COMPUTE_HOSTS == 0 ]]; then
|
|
echo "There are no compute hosts found!"
|
|
exit 1
|
|
fi
|
|
|
|
# Wait for all hypervisors to come up before moving on with the deployment
|
|
HYPERVISOR_WAIT=true
|
|
WAIT_AFTER_READY=0
|
|
SLEEP=5
|
|
while [[ $HYPERVISOR_WAIT == true ]]; do
|
|
# Its possible that openstack command may fail due to not being able to
|
|
# reach the compute service
|
|
set +e
|
|
HYPERVISORS=$(openstack hypervisor list -f value -c 'Hypervisor Hostname' | wc -w)
|
|
set -e
|
|
|
|
PERCENT_READY=$(( $HYPERVISORS * 100 / $COMPUTE_HOSTS ))
|
|
if [[ $PERCENT_READY -ge $WAIT_PERCENTAGE ]]; then
|
|
echo "Hypervisor ready percentage is $PERCENT_READY"
|
|
if [[ $PERCENT_READY == 100 ]]; then
|
|
HYPERVISOR_WAIT=false
|
|
echo "All hypervisors are ready."
|
|
elif [[ WAIT_AFTER_READY -ge $REMAINING_WAIT ]]; then
|
|
HYPERVISOR_WAIT=false
|
|
echo "Waited the configured time -- $HYPERVISORS out of $COMPUTE_HOSTS hypervisor(s) ready -- proceeding with the bootstrap."
|
|
else
|
|
sleep $SLEEP
|
|
WAIT_AFTER_READY=$(( $WAIT_AFTER_READY + $SLEEP ))
|
|
fi
|
|
else
|
|
echo "Waiting $SLEEP seconds for enough hypervisors to be discovered..."
|
|
sleep $SLEEP
|
|
fi
|
|
done
|
|
|
|
network:
|
|
# provide what type of network wiring will be used
|
|
# possible options: openvswitch, linuxbridge, sriov
|
|
backend:
|
|
- openvswitch
|
|
osapi:
|
|
port: 8774
|
|
ingress:
|
|
public: true
|
|
classes:
|
|
namespace: "nginx"
|
|
cluster: "nginx-cluster"
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
|
external_policy_local: false
|
|
node_port:
|
|
enabled: false
|
|
port: 30774
|
|
metadata:
|
|
port: 8775
|
|
ingress:
|
|
public: true
|
|
classes:
|
|
namespace: "nginx"
|
|
cluster: "nginx-cluster"
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
|
external_policy_local: false
|
|
node_port:
|
|
enabled: false
|
|
port: 30775
|
|
novncproxy:
|
|
ingress:
|
|
public: true
|
|
classes:
|
|
namespace: "nginx"
|
|
cluster: "nginx-cluster"
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
|
node_port:
|
|
enabled: false
|
|
port: 30680
|
|
spiceproxy:
|
|
node_port:
|
|
enabled: false
|
|
port: 30682
|
|
ssh:
|
|
enabled: false
|
|
port: 8022
|
|
from_subnet: 0.0.0.0/0
|
|
key_types:
|
|
- rsa
|
|
- dsa
|
|
- ecdsa
|
|
- ed25519
|
|
private_key: 'null'
|
|
public_key: 'null'
|
|
|
|
dependencies:
|
|
dynamic:
|
|
common:
|
|
local_image_registry:
|
|
jobs:
|
|
- nova-image-repo-sync
|
|
services:
|
|
- endpoint: node
|
|
service: local_image_registry
|
|
targeted:
|
|
openvswitch:
|
|
compute:
|
|
pod:
|
|
- requireSameNode: true
|
|
labels:
|
|
application: neutron
|
|
component: neutron-ovs-agent
|
|
linuxbridge:
|
|
compute:
|
|
pod:
|
|
- requireSameNode: true
|
|
labels:
|
|
application: neutron
|
|
component: neutron-lb-agent
|
|
sriov:
|
|
compute:
|
|
pod:
|
|
- requireSameNode: true
|
|
labels:
|
|
application: neutron
|
|
component: neutron-sriov-agent
|
|
static:
|
|
api:
|
|
jobs:
|
|
- nova-db-sync
|
|
- nova-ks-user
|
|
- nova-ks-endpoints
|
|
- nova-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
- endpoint: internal
|
|
service: identity
|
|
api_metadata:
|
|
jobs:
|
|
- nova-db-sync
|
|
- nova-ks-user
|
|
- nova-ks-endpoints
|
|
- nova-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
- endpoint: internal
|
|
service: identity
|
|
bootstrap:
|
|
services:
|
|
- endpoint: internal
|
|
service: identity
|
|
- endpoint: internal
|
|
service: compute
|
|
cell_setup:
|
|
jobs:
|
|
- nova-db-sync
|
|
- nova-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
- endpoint: internal
|
|
service: identity
|
|
- endpoint: internal
|
|
service: compute
|
|
pod:
|
|
- requireSameNode: false
|
|
labels:
|
|
application: nova
|
|
component: compute
|
|
service_cleaner:
|
|
jobs:
|
|
- nova-db-sync
|
|
- nova-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
- endpoint: internal
|
|
service: identity
|
|
- endpoint: internal
|
|
service: compute
|
|
compute:
|
|
pod:
|
|
- requireSameNode: true
|
|
labels:
|
|
application: libvirt
|
|
component: libvirt
|
|
jobs:
|
|
- nova-db-sync
|
|
- nova-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: image
|
|
- endpoint: internal
|
|
service: compute
|
|
- endpoint: internal
|
|
service: network
|
|
- endpoint: internal
|
|
service: compute_metadata
|
|
compute_ironic:
|
|
jobs:
|
|
- nova-db-sync
|
|
- nova-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: image
|
|
- endpoint: internal
|
|
service: compute
|
|
- endpoint: internal
|
|
service: network
|
|
- endpoint: internal
|
|
service: baremetal
|
|
conductor:
|
|
jobs:
|
|
- nova-db-sync
|
|
- nova-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
- endpoint: internal
|
|
service: identity
|
|
- endpoint: internal
|
|
service: compute
|
|
db_drop:
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
archive_deleted_rows:
|
|
jobs:
|
|
- nova-db-init
|
|
- nova-db-sync
|
|
db_init:
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
db_sync:
|
|
jobs:
|
|
- nova-db-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
ks_endpoints:
|
|
jobs:
|
|
- nova-ks-service
|
|
services:
|
|
- endpoint: internal
|
|
service: identity
|
|
ks_service:
|
|
services:
|
|
- endpoint: internal
|
|
service: identity
|
|
ks_user:
|
|
services:
|
|
- endpoint: internal
|
|
service: identity
|
|
rabbit_init:
|
|
services:
|
|
- service: oslo_messaging
|
|
endpoint: internal
|
|
novncproxy:
|
|
jobs:
|
|
- nova-db-sync
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
spiceproxy:
|
|
jobs:
|
|
- nova-db-sync
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
scheduler:
|
|
jobs:
|
|
- nova-db-sync
|
|
- nova-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
- endpoint: internal
|
|
service: identity
|
|
- endpoint: internal
|
|
service: compute
|
|
tests:
|
|
services:
|
|
- endpoint: internal
|
|
service: image
|
|
- endpoint: internal
|
|
service: compute
|
|
- endpoint: internal
|
|
service: network
|
|
- endpoint: internal
|
|
service: compute_metadata
|
|
image_repo_sync:
|
|
services:
|
|
- endpoint: internal
|
|
service: local_image_registry
|
|
|
|
console:
|
|
# serial | spice | novnc | none
|
|
console_kind: novnc
|
|
serial:
|
|
spice:
|
|
compute:
|
|
# IF blank, search default routing interface
|
|
server_proxyclient_interface:
|
|
proxy:
|
|
# IF blank, search default routing interface
|
|
server_proxyclient_interface:
|
|
novnc:
|
|
compute:
|
|
# IF blank, search default routing interface
|
|
vncserver_proxyclient_interface:
|
|
vncproxy:
|
|
# IF blank, search default routing interface
|
|
vncserver_proxyclient_interface:
|
|
|
|
ceph_client:
|
|
configmap: ceph-etc
|
|
user_secret_name: pvc-ceph-client-key
|
|
|
|
conf:
|
|
security: |
|
|
#
|
|
# Disable access to the entire file system except for the directories that
|
|
# are explicitly allowed later.
|
|
#
|
|
# This currently breaks the configurations that come with some web application
|
|
# Debian packages.
|
|
#
|
|
#<Directory />
|
|
# AllowOverride None
|
|
# Require all denied
|
|
#</Directory>
|
|
|
|
# Changing the following options will not really affect the security of the
|
|
# server, but might make attacks slightly more difficult in some cases.
|
|
|
|
#
|
|
# ServerTokens
|
|
# This directive configures what you return as the Server HTTP response
|
|
# Header. The default is 'Full' which sends information about the OS-Type
|
|
# and compiled in modules.
|
|
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
|
|
# where Full conveys the most information, and Prod the least.
|
|
ServerTokens Prod
|
|
|
|
#
|
|
# Optionally add a line containing the server version and virtual host
|
|
# name to server-generated pages (internal error documents, FTP directory
|
|
# listings, mod_status and mod_info output etc., but not CGI generated
|
|
# documents or custom error documents).
|
|
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
|
|
# Set to one of: On | Off | EMail
|
|
ServerSignature Off
|
|
|
|
#
|
|
# Allow TRACE method
|
|
#
|
|
# Set to "extended" to also reflect the request body (only for testing and
|
|
# diagnostic purposes).
|
|
#
|
|
# Set to one of: On | Off | extended
|
|
TraceEnable Off
|
|
|
|
#
|
|
# Forbid access to version control directories
|
|
#
|
|
# If you use version control systems in your document root, you should
|
|
# probably deny access to their directories. For example, for subversion:
|
|
#
|
|
#<DirectoryMatch "/\.svn">
|
|
# Require all denied
|
|
#</DirectoryMatch>
|
|
|
|
#
|
|
# Setting this header will prevent MSIE from interpreting files as something
|
|
# else than declared by the content type in the HTTP headers.
|
|
# Requires mod_headers to be enabled.
|
|
#
|
|
#Header set X-Content-Type-Options: "nosniff"
|
|
|
|
#
|
|
# Setting this header will prevent other sites from embedding pages from this
|
|
# site as frames. This defends against clickjacking attacks.
|
|
# Requires mod_headers to be enabled.
|
|
#
|
|
#Header set X-Frame-Options: "sameorigin"
|
|
software:
|
|
apache2:
|
|
binary: apache2
|
|
start_parameters: -DFOREGROUND
|
|
conf_dir: /etc/apache2/conf-enabled
|
|
site_dir: /etc/apache2/sites-enable
|
|
mods_dir: /etc/apache2/mods-available
|
|
a2enmod: null
|
|
a2dismod: null
|
|
ceph:
|
|
enabled: true
|
|
admin_keyring: null
|
|
cinder:
|
|
user: "cinder"
|
|
keyring: null
|
|
secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
|
|
rally_tests:
|
|
run_tempest: false
|
|
clean_up: |
|
|
FLAVORS=$(openstack flavor list -f value --all | awk '$2 ~ /^s_rally_/ { print $1 }')
|
|
if [ -n "$FLAVORS" ]; then
|
|
echo $FLAVORS | xargs openstack flavor delete
|
|
fi
|
|
SERVERS=$(openstack server list -f value --all | awk '$2 ~ /^s_rally_/ { print $1 }')
|
|
if [ -n "$SERVERS" ]; then
|
|
echo $SERVERS | xargs openstack server delete
|
|
fi
|
|
IMAGES=$(openstack image list -f value | awk '$2 ~ /^c_rally_/ { print $1 }')
|
|
if [ -n "$IMAGES" ]; then
|
|
echo $IMAGES | xargs openstack image delete
|
|
fi
|
|
tests:
|
|
NovaAgents.list_agents:
|
|
- runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaAggregates.create_and_get_aggregate_details:
|
|
- args:
|
|
availability_zone: nova
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaAggregates.create_and_update_aggregate:
|
|
- args:
|
|
availability_zone: nova
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaAggregates.list_aggregates:
|
|
- runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaAvailabilityZones.list_availability_zones:
|
|
- args:
|
|
detailed: true
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaFlavors.create_and_delete_flavor:
|
|
- args:
|
|
disk: 1
|
|
ram: 500
|
|
vcpus: 1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaFlavors.create_and_list_flavor_access:
|
|
- args:
|
|
disk: 1
|
|
ram: 500
|
|
vcpus: 1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaFlavors.create_flavor:
|
|
- args:
|
|
disk: 1
|
|
ram: 500
|
|
vcpus: 1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaFlavors.create_flavor_and_add_tenant_access:
|
|
- args:
|
|
disk: 1
|
|
ram: 500
|
|
vcpus: 1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaFlavors.create_flavor_and_set_keys:
|
|
- args:
|
|
disk: 1
|
|
extra_specs:
|
|
'quota:disk_read_bytes_sec': 10240
|
|
ram: 500
|
|
vcpus: 1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaFlavors.list_flavors:
|
|
- args:
|
|
detailed: true
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaHypervisors.list_and_get_hypervisors:
|
|
- args:
|
|
detailed: true
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaHypervisors.list_and_get_uptime_hypervisors:
|
|
- args:
|
|
detailed: true
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaHypervisors.list_and_search_hypervisors:
|
|
- args:
|
|
detailed: true
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaHypervisors.list_hypervisors:
|
|
- args:
|
|
detailed: true
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaHypervisors.statistics_hypervisors:
|
|
- args: {}
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaKeypair.create_and_delete_keypair:
|
|
- runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaKeypair.create_and_list_keypairs:
|
|
- runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaServerGroups.create_and_list_server_groups:
|
|
- args:
|
|
all_projects: false
|
|
kwargs:
|
|
policies:
|
|
- affinity
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
NovaServices.list_services:
|
|
- runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
paste:
|
|
composite:metadata:
|
|
use: egg:Paste#urlmap
|
|
/: meta
|
|
pipeline:meta:
|
|
pipeline: cors metaapp
|
|
app:metaapp:
|
|
paste.app_factory: nova.api.metadata.handler:MetadataRequestHandler.factory
|
|
composite:osapi_compute:
|
|
use: call:nova.api.openstack.urlmap:urlmap_factory
|
|
/: oscomputeversions
|
|
/v2: openstack_compute_api_v21_legacy_v2_compatible
|
|
/v2.1: openstack_compute_api_v21
|
|
composite:openstack_compute_api_v21:
|
|
use: call:nova.api.auth:pipeline_factory_v21
|
|
noauth2: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21
|
|
keystone: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit authtoken audit keystonecontext osapi_compute_app_v21
|
|
composite:openstack_compute_api_v21_legacy_v2_compatible:
|
|
use: call:nova.api.auth:pipeline_factory_v21
|
|
noauth2: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21
|
|
keystone: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit authtoken audit keystonecontext legacy_v2_compatible osapi_compute_app_v21
|
|
filter:request_id:
|
|
paste.filter_factory: oslo_middleware:RequestId.factory
|
|
filter:compute_req_id:
|
|
paste.filter_factory: nova.api.compute_req_id:ComputeReqIdMiddleware.factory
|
|
filter:faultwrap:
|
|
paste.filter_factory: nova.api.openstack:FaultWrapper.factory
|
|
filter:noauth2:
|
|
paste.filter_factory: nova.api.openstack.auth:NoAuthMiddleware.factory
|
|
filter:sizelimit:
|
|
paste.filter_factory: oslo_middleware:RequestBodySizeLimiter.factory
|
|
filter:http_proxy_to_wsgi:
|
|
paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
|
|
filter:legacy_v2_compatible:
|
|
paste.filter_factory: nova.api.openstack:LegacyV2CompatibleWrapper.factory
|
|
app:osapi_compute_app_v21:
|
|
paste.app_factory: nova.api.openstack.compute:APIRouterV21.factory
|
|
pipeline:oscomputeversions:
|
|
pipeline: faultwrap http_proxy_to_wsgi oscomputeversionapp
|
|
app:oscomputeversionapp:
|
|
paste.app_factory: nova.api.openstack.compute.versions:Versions.factory
|
|
filter:cors:
|
|
paste.filter_factory: oslo_middleware.cors:filter_factory
|
|
oslo_config_project: nova
|
|
filter:keystonecontext:
|
|
paste.filter_factory: nova.api.auth:NovaKeystoneContext.factory
|
|
filter:authtoken:
|
|
paste.filter_factory: keystonemiddleware.auth_token:filter_factory
|
|
filter:audit:
|
|
paste.filter_factory: keystonemiddleware.audit:filter_factory
|
|
audit_map_file: /etc/nova/api_audit_map.conf
|
|
policy: {}
|
|
nova_sudoers: |
|
|
# This sudoers file supports rootwrap for both Kolla and LOCI Images.
|
|
Defaults !requiretty
|
|
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
|
|
nova ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/nova-rootwrap /etc/nova/rootwrap.conf *, /var/lib/openstack/bin/nova-rootwrap /etc/nova/rootwrap.conf *
|
|
api_audit_map:
|
|
DEFAULT:
|
|
target_endpoint_type: None
|
|
custom_actions:
|
|
enable: enable
|
|
disable: disable
|
|
delete: delete
|
|
startup: start/startup
|
|
shutdown: stop/shutdown
|
|
reboot: start/reboot
|
|
os-migrations/get: read
|
|
os-server-password/post: update
|
|
path_keywords:
|
|
add: None
|
|
action: None
|
|
enable: None
|
|
disable: None
|
|
configure-project: None
|
|
defaults: None
|
|
delete: None
|
|
detail: None
|
|
diagnostics: None
|
|
entries: entry
|
|
extensions: alias
|
|
flavors: flavor
|
|
images: image
|
|
ips: label
|
|
limits: None
|
|
metadata: key
|
|
os-agents: os-agent
|
|
os-aggregates: os-aggregate
|
|
os-availability-zone: None
|
|
os-certificates: None
|
|
os-cloudpipe: None
|
|
os-fixed-ips: ip
|
|
os-extra_specs: key
|
|
os-flavor-access: None
|
|
os-floating-ip-dns: domain
|
|
os-floating-ips-bulk: host
|
|
os-floating-ip-pools: None
|
|
os-floating-ips: floating-ip
|
|
os-hosts: host
|
|
os-hypervisors: hypervisor
|
|
os-instance-actions: instance-action
|
|
os-keypairs: keypair
|
|
os-migrations: None
|
|
os-networks: network
|
|
os-quota-sets: tenant
|
|
os-security-groups: security_group
|
|
os-security-group-rules: rule
|
|
os-server-password: None
|
|
os-services: None
|
|
os-simple-tenant-usage: tenant
|
|
os-virtual-interfaces: None
|
|
os-volume_attachments: attachment
|
|
os-volumes_boot: None
|
|
os-volumes: volume
|
|
os-volume-types: volume-type
|
|
os-snapshots: snapshot
|
|
reboot: None
|
|
servers: server
|
|
shutdown: None
|
|
startup: None
|
|
statistics: None
|
|
service_endpoints:
|
|
compute: service/compute
|
|
rootwrap: |
|
|
# Configuration for nova-rootwrap
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
[DEFAULT]
|
|
# List of directories to load filter definitions from (separated by ',').
|
|
# These directories MUST all be only writeable by root !
|
|
filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
|
|
|
|
# List of directories to search executables in, in case filters do not
|
|
# explicitely specify a full path (separated by ',')
|
|
# If not specified, defaults to system PATH environment variable.
|
|
# These directories MUST all be only writeable by root !
|
|
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
|
|
|
|
# Enable logging to syslog
|
|
# Default value is False
|
|
use_syslog=False
|
|
|
|
# Which syslog facility to use.
|
|
# Valid values include auth, authpriv, syslog, local0, local1...
|
|
# Default value is 'syslog'
|
|
syslog_log_facility=syslog
|
|
|
|
# Which messages to log.
|
|
# INFO means log all usage
|
|
# ERROR means only log unsuccessful attempts
|
|
syslog_log_level=ERROR
|
|
rootwrap_filters:
|
|
api_metadata:
|
|
pods:
|
|
- metadata
|
|
content: |
|
|
# nova-rootwrap command filters for api-metadata nodes
|
|
# This is needed on nova-api hosts running with "metadata" in enabled_apis
|
|
# or when running nova-api-metadata
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
[Filters]
|
|
# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
|
|
iptables-save: CommandFilter, iptables-save, root
|
|
ip6tables-save: CommandFilter, ip6tables-save, root
|
|
|
|
# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
|
|
iptables-restore: CommandFilter, iptables-restore, root
|
|
ip6tables-restore: CommandFilter, ip6tables-restore, root
|
|
compute:
|
|
pods:
|
|
- compute
|
|
content: |
|
|
# nova-rootwrap command filters for compute nodes
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
[Filters]
|
|
# nova/virt/disk/mount/api.py: 'kpartx', '-a', device
|
|
# nova/virt/disk/mount/api.py: 'kpartx', '-d', device
|
|
kpartx: CommandFilter, kpartx, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py: tune2fs, -O ^has_journal, part_path
|
|
# nova/virt/xenapi/vm_utils.py: tune2fs, -j, partition_path
|
|
tune2fs: CommandFilter, tune2fs, root
|
|
|
|
# nova/virt/disk/mount/api.py: 'mount', mapped_device
|
|
# nova/virt/disk/api.py: 'mount', '-o', 'bind', src, target
|
|
# nova/virt/xenapi/vm_utils.py: 'mount', '-t', 'ext2,ext3,ext4,reiserfs'..
|
|
# nova/virt/configdrive.py: 'mount', device, mountdir
|
|
# nova/virt/libvirt/volume.py: 'mount', '-t', 'sofs' ...
|
|
mount: CommandFilter, mount, root
|
|
|
|
# nova/virt/disk/mount/api.py: 'umount', mapped_device
|
|
# nova/virt/disk/api.py: 'umount' target
|
|
# nova/virt/xenapi/vm_utils.py: 'umount', dev_path
|
|
# nova/virt/configdrive.py: 'umount', mountdir
|
|
umount: CommandFilter, umount, root
|
|
|
|
# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-c', device, image
|
|
# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-d', device
|
|
qemu-nbd: CommandFilter, qemu-nbd, root
|
|
|
|
# nova/virt/disk/mount/loop.py: 'losetup', '--find', '--show', image
|
|
# nova/virt/disk/mount/loop.py: 'losetup', '--detach', device
|
|
losetup: CommandFilter, losetup, root
|
|
|
|
# nova/virt/disk/vfs/localfs.py: 'blkid', '-o', 'value', '-s', 'TYPE', device
|
|
blkid: CommandFilter, blkid, root
|
|
|
|
# nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path
|
|
# nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device
|
|
blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.*
|
|
|
|
# nova/virt/disk/vfs/localfs.py: 'tee', canonpath
|
|
tee: CommandFilter, tee, root
|
|
|
|
# nova/virt/disk/vfs/localfs.py: 'mkdir', canonpath
|
|
mkdir: CommandFilter, mkdir, root
|
|
|
|
# nova/virt/disk/vfs/localfs.py: 'chown'
|
|
# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
|
|
# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
|
|
# nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk')
|
|
chown: CommandFilter, chown, root
|
|
|
|
# nova/virt/disk/vfs/localfs.py: 'chmod'
|
|
chmod: CommandFilter, chmod, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
|
|
# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
|
|
# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
|
|
# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
|
|
# nova/network/linux_net.py: 'ip', 'route', 'add', ..
|
|
# nova/network/linux_net.py: 'ip', 'route', 'del', .
|
|
# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
|
|
ip: CommandFilter, ip, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev
|
|
# nova/network/linux_net.py: 'tunctl', '-b', '-t', dev
|
|
tunctl: CommandFilter, tunctl, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
|
|
# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
|
|
# nova/network/linux_net.py: 'ovs-vsctl', ....
|
|
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'vrouter-port-control', ...
|
|
vrouter-port-control: CommandFilter, vrouter-port-control, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'ebrctl', ...
|
|
ebrctl: CommandFilter, ebrctl, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'mm-ctl', ...
|
|
mm-ctl: CommandFilter, mm-ctl, root
|
|
|
|
# nova/network/linux_net.py: 'ovs-ofctl', ....
|
|
ovs-ofctl: CommandFilter, ovs-ofctl, root
|
|
|
|
# nova/virt/libvirt/connection.py: 'dd', if=%s % virsh_output, ...
|
|
dd: CommandFilter, dd, root
|
|
|
|
# nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ...
|
|
iscsiadm: CommandFilter, iscsiadm, root
|
|
|
|
# nova/virt/libvirt/volume/aoe.py: 'aoe-revalidate', aoedev
|
|
# nova/virt/libvirt/volume/aoe.py: 'aoe-discover'
|
|
aoe-revalidate: CommandFilter, aoe-revalidate, root
|
|
aoe-discover: CommandFilter, aoe-discover, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py: parted, --script, ...
|
|
# nova/virt/xenapi/vm_utils.py: 'parted', '--script', dev_path, ..*.
|
|
parted: CommandFilter, parted, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path
|
|
pygrub: CommandFilter, pygrub, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s
|
|
fdisk: CommandFilter, fdisk, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path
|
|
# nova/virt/disk/api.py: e2fsck, -f, -p, image
|
|
e2fsck: CommandFilter, e2fsck, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py: resize2fs, partition_path
|
|
# nova/virt/disk/api.py: resize2fs, image
|
|
resize2fs: CommandFilter, resize2fs, root
|
|
|
|
# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
|
|
iptables-save: CommandFilter, iptables-save, root
|
|
ip6tables-save: CommandFilter, ip6tables-save, root
|
|
|
|
# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
|
|
iptables-restore: CommandFilter, iptables-restore, root
|
|
ip6tables-restore: CommandFilter, ip6tables-restore, root
|
|
|
|
# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
|
|
# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
|
|
arping: CommandFilter, arping, root
|
|
|
|
# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
|
|
dhcp_release: CommandFilter, dhcp_release, root
|
|
|
|
# nova/network/linux_net.py: 'kill', '-9', pid
|
|
# nova/network/linux_net.py: 'kill', '-HUP', pid
|
|
kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
|
|
|
|
# nova/network/linux_net.py: 'kill', pid
|
|
kill_radvd: KillFilter, root, /usr/sbin/radvd
|
|
|
|
# nova/network/linux_net.py: dnsmasq call
|
|
dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
|
|
|
|
# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
|
|
radvd: CommandFilter, radvd, root
|
|
|
|
# nova/network/linux_net.py: 'brctl', 'addbr', bridge
|
|
# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
|
|
# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
|
|
# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
|
|
brctl: CommandFilter, brctl, root
|
|
|
|
# nova/virt/libvirt/utils.py: 'mkswap'
|
|
# nova/virt/xenapi/vm_utils.py: 'mkswap'
|
|
mkswap: CommandFilter, mkswap, root
|
|
|
|
# nova/virt/libvirt/utils.py: 'nova-idmapshift'
|
|
nova-idmapshift: CommandFilter, nova-idmapshift, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py: 'mkfs'
|
|
# nova/utils.py: 'mkfs', fs, path, label
|
|
mkfs: CommandFilter, mkfs, root
|
|
|
|
# nova/virt/libvirt/utils.py: 'qemu-img'
|
|
qemu-img: CommandFilter, qemu-img, root
|
|
|
|
# nova/virt/disk/vfs/localfs.py: 'readlink', '-e'
|
|
readlink: CommandFilter, readlink, root
|
|
|
|
# nova/virt/disk/api.py:
|
|
mkfs.ext3: CommandFilter, mkfs.ext3, root
|
|
mkfs.ext4: CommandFilter, mkfs.ext4, root
|
|
mkfs.ntfs: CommandFilter, mkfs.ntfs, root
|
|
|
|
# nova/virt/libvirt/connection.py:
|
|
lvremove: CommandFilter, lvremove, root
|
|
|
|
# nova/virt/libvirt/utils.py:
|
|
lvcreate: CommandFilter, lvcreate, root
|
|
|
|
# nova/virt/libvirt/utils.py:
|
|
lvs: CommandFilter, lvs, root
|
|
|
|
# nova/virt/libvirt/utils.py:
|
|
vgs: CommandFilter, vgs, root
|
|
|
|
# nova/utils.py:read_file_as_root: 'cat', file_path
|
|
# (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file)
|
|
read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd
|
|
read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow
|
|
|
|
# os-brick needed commands
|
|
read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
|
|
multipath: CommandFilter, multipath, root
|
|
# multipathd show status
|
|
multipathd: CommandFilter, multipathd, root
|
|
systool: CommandFilter, systool, root
|
|
vgc-cluster: CommandFilter, vgc-cluster, root
|
|
# os_brick/initiator/connector.py
|
|
drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
|
|
|
|
# TODO(smcginnis) Temporary fix.
|
|
# Need to pull in os-brick os-brick.filters file instead and clean
|
|
# out stale brick values from this file.
|
|
scsi_id: CommandFilter, /lib/udev/scsi_id, root
|
|
# os_brick.privileged.default oslo.privsep context
|
|
# This line ties the superuser privs with the config files, context name,
|
|
# and (implicitly) the actual python code invoked.
|
|
privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
|
|
|
|
# nova/storage/linuxscsi.py: sg_scan device
|
|
sg_scan: CommandFilter, sg_scan, root
|
|
|
|
# nova/volume/encryptors/cryptsetup.py:
|
|
# nova/volume/encryptors/luks.py:
|
|
ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/crypt-.+, .+
|
|
|
|
# nova/volume/encryptors.py:
|
|
# nova/virt/libvirt/dmcrypt.py:
|
|
cryptsetup: CommandFilter, cryptsetup, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py:
|
|
xenstore-read: CommandFilter, xenstore-read, root
|
|
|
|
# nova/virt/libvirt/utils.py:
|
|
rbd: CommandFilter, rbd, root
|
|
|
|
# nova/virt/libvirt/utils.py: 'shred', '-n3', '-s%d' % volume_size, path
|
|
shred: CommandFilter, shred, root
|
|
|
|
# nova/virt/libvirt/volume.py: 'cp', '/dev/stdin', delete_control..
|
|
cp: CommandFilter, cp, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py:
|
|
sync: CommandFilter, sync, root
|
|
|
|
# nova/virt/libvirt/imagebackend.py:
|
|
ploop: RegExpFilter, ploop, root, ploop, restore-descriptor, .*
|
|
prl_disk_tool: RegExpFilter, prl_disk_tool, root, prl_disk_tool, resize, --size, .*M$, --resize_partition, --hdd, .*
|
|
|
|
# nova/virt/libvirt/utils.py: 'xend', 'status'
|
|
xend: CommandFilter, xend, root
|
|
|
|
# nova/virt/libvirt/utils.py:
|
|
touch: CommandFilter, touch, root
|
|
|
|
# nova/virt/libvirt/volume/vzstorage.py
|
|
pstorage-mount: CommandFilter, pstorage-mount, root
|
|
network:
|
|
pods:
|
|
- compute
|
|
content: |
|
|
# nova-rootwrap command filters for network nodes
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
[Filters]
|
|
# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
|
|
# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
|
|
# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
|
|
# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
|
|
# nova/network/linux_net.py: 'ip', 'route', 'add', ..
|
|
# nova/network/linux_net.py: 'ip', 'route', 'del', .
|
|
# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
|
|
ip: CommandFilter, ip, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
|
|
# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
|
|
# nova/network/linux_net.py: 'ovs-vsctl', ....
|
|
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
|
|
|
# nova/network/linux_net.py: 'ovs-ofctl', ....
|
|
ovs-ofctl: CommandFilter, ovs-ofctl, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'ivs-ctl', ...
|
|
# nova/virt/libvirt/vif.py: 'ivs-ctl', 'del-port', ...
|
|
# nova/network/linux_net.py: 'ivs-ctl', ....
|
|
ivs-ctl: CommandFilter, ivs-ctl, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'ifc_ctl', ...
|
|
ifc_ctl: CommandFilter, /opt/pg/bin/ifc_ctl, root
|
|
|
|
# nova/network/linux_net.py: 'ebtables', '-D' ...
|
|
# nova/network/linux_net.py: 'ebtables', '-I' ...
|
|
ebtables: CommandFilter, ebtables, root
|
|
ebtables_usr: CommandFilter, ebtables, root
|
|
|
|
# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
|
|
iptables-save: CommandFilter, iptables-save, root
|
|
ip6tables-save: CommandFilter, ip6tables-save, root
|
|
|
|
# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
|
|
iptables-restore: CommandFilter, iptables-restore, root
|
|
ip6tables-restore: CommandFilter, ip6tables-restore, root
|
|
|
|
# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
|
|
# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
|
|
arping: CommandFilter, arping, root
|
|
|
|
# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
|
|
dhcp_release: CommandFilter, dhcp_release, root
|
|
|
|
# nova/network/linux_net.py: 'kill', '-9', pid
|
|
# nova/network/linux_net.py: 'kill', '-HUP', pid
|
|
kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
|
|
|
|
# nova/network/linux_net.py: 'kill', pid
|
|
kill_radvd: KillFilter, root, /usr/sbin/radvd
|
|
|
|
# nova/network/linux_net.py: dnsmasq call
|
|
dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
|
|
|
|
# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
|
|
radvd: CommandFilter, radvd, root
|
|
|
|
# nova/network/linux_net.py: 'brctl', 'addbr', bridge
|
|
# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
|
|
# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
|
|
# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
|
|
brctl: CommandFilter, brctl, root
|
|
|
|
# nova/network/linux_net.py: 'sysctl', ....
|
|
sysctl: CommandFilter, sysctl, root
|
|
|
|
# nova/network/linux_net.py: 'conntrack'
|
|
conntrack: CommandFilter, conntrack, root
|
|
|
|
# nova/network/linux_net.py: 'fp-vdev'
|
|
fp-vdev: CommandFilter, fp-vdev, root
|
|
nova_ironic:
|
|
DEFAULT:
|
|
scheduler_host_manager: ironic_host_manager
|
|
compute_driver: ironic.IronicDriver
|
|
ram_allocation_ratio: 1.0
|
|
cpu_allocation_ratio: 1.0
|
|
reserved_host_memory_mb: 0
|
|
libvirt:
|
|
# Get the IP address to be used as the target for live migration traffic using interface name.
|
|
# If this option is set to None, the hostname of the migration target compute node will be used.
|
|
live_migration_interface:
|
|
hypervisor:
|
|
# my_ip can be set automatically through this interface name.
|
|
host_interface:
|
|
# This list is the keys to exclude from the config file ingested by nova-compute
|
|
nova_compute_redactions:
|
|
- database
|
|
- api_database
|
|
- cell0_database
|
|
nova:
|
|
DEFAULT:
|
|
log_config_append: /etc/nova/logging.conf
|
|
default_ephemeral_format: ext4
|
|
ram_allocation_ratio: 1.0
|
|
disk_allocation_ratio: 1.0
|
|
cpu_allocation_ratio: 3.0
|
|
state_path: /var/lib/nova
|
|
osapi_compute_listen: 0.0.0.0
|
|
# NOTE(portdirect): the bind port should not be defined, and is manipulated
|
|
# via the endpoints section.
|
|
osapi_compute_listen_port: null
|
|
osapi_compute_workers: 1
|
|
metadata_workers: 1
|
|
use_neutron: true
|
|
firewall_driver: nova.virt.firewall.NoopFirewallDriver
|
|
linuxnet_interface_driver: openvswitch
|
|
compute_driver: libvirt.LibvirtDriver
|
|
my_ip: 0.0.0.0
|
|
instance_usage_audit: True
|
|
instance_usage_audit_period: hour
|
|
notify_on_state_change: vm_and_task_state
|
|
resume_guests_state_on_host_boot: True
|
|
vnc:
|
|
novncproxy_host: 0.0.0.0
|
|
vncserver_listen: 0.0.0.0
|
|
# This would be set by each compute nodes's ip
|
|
# server_proxyclient_address: 127.0.0.1
|
|
spice:
|
|
html5proxy_host: 0.0.0.0
|
|
server_listen: 0.0.0.0
|
|
# This would be set by each compute nodes's ip
|
|
# server_proxyclient_address: 127.0.0.1
|
|
conductor:
|
|
workers: 1
|
|
oslo_policy:
|
|
policy_file: /etc/nova/policy.yaml
|
|
oslo_concurrency:
|
|
lock_path: /var/lib/nova/tmp
|
|
oslo_middleware:
|
|
enable_proxy_headers_parsing: true
|
|
glance:
|
|
num_retries: 3
|
|
ironic:
|
|
api_endpoint: null
|
|
auth_url: null
|
|
neutron:
|
|
metadata_proxy_shared_secret: "password"
|
|
service_metadata_proxy: True
|
|
auth_type: password
|
|
auth_version: v3
|
|
database:
|
|
max_retries: -1
|
|
api_database:
|
|
max_retries: -1
|
|
cell0_database:
|
|
max_retries: -1
|
|
keystone_authtoken:
|
|
auth_type: password
|
|
auth_version: v3
|
|
memcache_security_strategy: ENCRYPT
|
|
service_user:
|
|
auth_type: password
|
|
send_service_user_token: false
|
|
libvirt:
|
|
connection_uri: "qemu+unix:///system?socket=/run/libvirt/libvirt-sock"
|
|
images_type: qcow2
|
|
images_rbd_pool: vms
|
|
images_rbd_ceph_conf: /etc/ceph/ceph.conf
|
|
rbd_user: cinder
|
|
rbd_secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
|
|
disk_cachemodes: "network=writeback"
|
|
hw_disk_discard: unmap
|
|
upgrade_levels:
|
|
compute: auto
|
|
cache:
|
|
enabled: true
|
|
backend: dogpile.cache.memcached
|
|
wsgi:
|
|
api_paste_config: /etc/nova/api-paste.ini
|
|
oslo_messaging_notifications:
|
|
driver: messagingv2
|
|
oslo_messaging_rabbit:
|
|
rabbit_ha_queues: true
|
|
placement:
|
|
auth_type: password
|
|
auth_version: v3
|
|
logging:
|
|
loggers:
|
|
keys:
|
|
- root
|
|
- nova
|
|
- os.brick
|
|
handlers:
|
|
keys:
|
|
- stdout
|
|
- stderr
|
|
- "null"
|
|
formatters:
|
|
keys:
|
|
- context
|
|
- default
|
|
logger_root:
|
|
level: WARNING
|
|
handlers: 'null'
|
|
logger_nova:
|
|
level: INFO
|
|
handlers:
|
|
- stdout
|
|
qualname: nova
|
|
logger_os.brick:
|
|
level: INFO
|
|
handlers:
|
|
- stdout
|
|
qualname: os.brick
|
|
logger_amqp:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: amqp
|
|
logger_amqplib:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: amqplib
|
|
logger_eventletwsgi:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: eventlet.wsgi.server
|
|
logger_sqlalchemy:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: sqlalchemy
|
|
logger_boto:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: boto
|
|
handler_null:
|
|
class: logging.NullHandler
|
|
formatter: default
|
|
args: ()
|
|
handler_stdout:
|
|
class: StreamHandler
|
|
args: (sys.stdout,)
|
|
formatter: context
|
|
handler_stderr:
|
|
class: StreamHandler
|
|
args: (sys.stderr,)
|
|
formatter: context
|
|
formatter_context:
|
|
class: oslo_log.formatters.ContextFormatter
|
|
datefmt: "%Y-%m-%d %H:%M:%S"
|
|
formatter_default:
|
|
format: "%(message)s"
|
|
datefmt: "%Y-%m-%d %H:%M:%S"
|
|
rabbitmq:
|
|
# NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
|
|
policies:
|
|
- vhost: "nova"
|
|
name: "ha_ttl_nova"
|
|
definition:
|
|
# mirror messges to other nodes in rmq cluster
|
|
ha-mode: "all"
|
|
ha-sync-mode: "automatic"
|
|
# 70s
|
|
message-ttl: 70000
|
|
priority: 0
|
|
apply-to: all
|
|
pattern: '^(?!(amq\.|reply_)).*'
|
|
enable_iscsi: false
|
|
archive_deleted_rows:
|
|
purge_deleted_rows: false
|
|
until_completion: true
|
|
all_cells: false
|
|
max_rows:
|
|
enabled: False
|
|
rows: 1000
|
|
before:
|
|
enabled: false
|
|
date: 'nil'
|
|
|
|
# Names of secrets used by bootstrap and environmental checks
|
|
secrets:
|
|
identity:
|
|
admin: nova-keystone-admin
|
|
nova: nova-keystone-user
|
|
test: nova-keystone-test
|
|
oslo_db:
|
|
admin: nova-db-admin
|
|
nova: nova-db-user
|
|
oslo_db_api:
|
|
admin: nova-db-api-admin
|
|
nova: nova-db-api-user
|
|
oslo_db_cell0:
|
|
admin: nova-db-cell0-admin
|
|
nova: nova-db-cell0-user
|
|
oslo_messaging:
|
|
admin: nova-rabbitmq-admin
|
|
nova: nova-rabbitmq-user
|
|
tls:
|
|
compute:
|
|
osapi:
|
|
public: nova-tls-public
|
|
internal: nova-tls-api
|
|
compute_novnc_proxy:
|
|
novncproxy:
|
|
public: nova-novncproxy-tls-public
|
|
internal: nova-novncproxy-tls-proxy
|
|
compute_metadata:
|
|
metadata:
|
|
public: metadata-tls-public
|
|
internal: metadata-tls-metadata
|
|
compute_spice_proxy:
|
|
spiceproxy:
|
|
internal: nova-tls-spiceproxy
|
|
oci_image_registry:
|
|
nova: nova-oci-image-registry
|
|
|
|
# typically overridden by environmental
|
|
# values, but should include all endpoints
|
|
# required by this chart
|
|
endpoints:
|
|
cluster_domain_suffix: cluster.local
|
|
local_image_registry:
|
|
name: docker-registry
|
|
namespace: docker-registry
|
|
hosts:
|
|
default: localhost
|
|
internal: docker-registry
|
|
node: localhost
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
registry:
|
|
node: 5000
|
|
oci_image_registry:
|
|
name: oci-image-registry
|
|
namespace: oci-image-registry
|
|
auth:
|
|
enabled: false
|
|
nova:
|
|
username: nova
|
|
password: password
|
|
hosts:
|
|
default: localhost
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
registry:
|
|
default: null
|
|
oslo_db:
|
|
auth:
|
|
admin:
|
|
username: root
|
|
password: password
|
|
secret:
|
|
tls:
|
|
internal: mariadb-tls-direct
|
|
nova:
|
|
username: nova
|
|
password: password
|
|
hosts:
|
|
default: mariadb
|
|
host_fqdn_override:
|
|
default: null
|
|
path: /nova
|
|
scheme: mysql+pymysql
|
|
port:
|
|
mysql:
|
|
default: 3306
|
|
oslo_db_api:
|
|
auth:
|
|
admin:
|
|
username: root
|
|
password: password
|
|
nova:
|
|
username: nova
|
|
password: password
|
|
hosts:
|
|
default: mariadb
|
|
host_fqdn_override:
|
|
default: null
|
|
path: /nova_api
|
|
scheme: mysql+pymysql
|
|
port:
|
|
mysql:
|
|
default: 3306
|
|
oslo_db_cell0:
|
|
auth:
|
|
admin:
|
|
username: root
|
|
password: password
|
|
nova:
|
|
username: nova
|
|
password: password
|
|
hosts:
|
|
default: mariadb
|
|
host_fqdn_override:
|
|
default: null
|
|
path: /nova_cell0
|
|
scheme: mysql+pymysql
|
|
port:
|
|
mysql:
|
|
default: 3306
|
|
oslo_messaging:
|
|
auth:
|
|
admin:
|
|
username: rabbitmq
|
|
password: password
|
|
secret:
|
|
tls:
|
|
internal: rabbitmq-tls-direct
|
|
nova:
|
|
username: nova
|
|
password: password
|
|
statefulset:
|
|
replicas: 2
|
|
name: rabbitmq-rabbitmq
|
|
hosts:
|
|
default: rabbitmq
|
|
host_fqdn_override:
|
|
default: null
|
|
path: /nova
|
|
scheme: rabbit
|
|
port:
|
|
amqp:
|
|
default: 5672
|
|
http:
|
|
default: 15672
|
|
oslo_cache:
|
|
auth:
|
|
# NOTE(portdirect): this is used to define the value for keystone
|
|
# authtoken cache encryption key, if not set it will be populated
|
|
# automatically with a random value, but to take advantage of
|
|
# this feature all services should be set to use the same key,
|
|
# and memcache service.
|
|
memcache_secret_key: null
|
|
hosts:
|
|
default: memcached
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
memcache:
|
|
default: 11211
|
|
identity:
|
|
name: keystone
|
|
auth:
|
|
admin:
|
|
region_name: RegionOne
|
|
username: admin
|
|
password: password
|
|
project_name: admin
|
|
user_domain_name: default
|
|
project_domain_name: default
|
|
nova:
|
|
role: admin
|
|
region_name: RegionOne
|
|
username: nova
|
|
password: password
|
|
project_name: service
|
|
user_domain_name: service
|
|
project_domain_name: service
|
|
# NOTE(portdirect): the neutron user is not managed by the nova chart
|
|
# these values should match those set in the neutron chart.
|
|
neutron:
|
|
region_name: RegionOne
|
|
project_name: service
|
|
user_domain_name: service
|
|
project_domain_name: service
|
|
username: neutron
|
|
password: password
|
|
# NOTE(portdirect): the ironic user is not managed by the nova chart
|
|
# these values should match those set in the ironic chart.
|
|
ironic:
|
|
auth_type: password
|
|
auth_version: v3
|
|
region_name: RegionOne
|
|
project_name: service
|
|
user_domain_name: service
|
|
project_domain_name: service
|
|
username: ironic
|
|
password: password
|
|
placement:
|
|
role: admin
|
|
region_name: RegionOne
|
|
username: placement
|
|
password: password
|
|
project_name: service
|
|
user_domain_name: service
|
|
project_domain_name: service
|
|
test:
|
|
role: admin
|
|
region_name: RegionOne
|
|
username: nova-test
|
|
password: password
|
|
project_name: test
|
|
user_domain_name: service
|
|
project_domain_name: service
|
|
hosts:
|
|
default: keystone
|
|
internal: keystone-api
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: /v3
|
|
scheme:
|
|
default: http
|
|
port:
|
|
api:
|
|
default: 80
|
|
internal: 5000
|
|
image:
|
|
name: glance
|
|
hosts:
|
|
default: glance-api
|
|
public: glance
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: null
|
|
scheme:
|
|
default: http
|
|
port:
|
|
api:
|
|
default: 9292
|
|
public: 80
|
|
compute:
|
|
name: nova
|
|
hosts:
|
|
default: nova-api
|
|
public: nova
|
|
host_fqdn_override:
|
|
default: null
|
|
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
|
|
# endpoints using the following format:
|
|
# public:
|
|
# host: null
|
|
# tls:
|
|
# crt: null
|
|
# key: null
|
|
path:
|
|
default: "/v2.1/%(tenant_id)s"
|
|
scheme:
|
|
default: 'http'
|
|
port:
|
|
api:
|
|
default: 8774
|
|
public: 80
|
|
novncproxy:
|
|
default: 6080
|
|
compute_metadata:
|
|
name: nova
|
|
ip:
|
|
# IF blank, set clusterIP and metadata_host dynamically
|
|
ingress: null
|
|
hosts:
|
|
default: nova-metadata
|
|
public: metadata
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: /
|
|
scheme:
|
|
default: 'http'
|
|
port:
|
|
metadata:
|
|
default: 8775
|
|
public: 80
|
|
compute_novnc_proxy:
|
|
name: nova
|
|
hosts:
|
|
default: nova-novncproxy
|
|
public: novncproxy
|
|
host_fqdn_override:
|
|
default: null
|
|
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
|
|
# endpoints using the following format:
|
|
# public:
|
|
# host: null
|
|
# tls:
|
|
# crt: null
|
|
# key: null
|
|
path:
|
|
default: /vnc_auto.html
|
|
scheme:
|
|
default: 'http'
|
|
port:
|
|
novnc_proxy:
|
|
default: 6080
|
|
public: 80
|
|
compute_spice_proxy:
|
|
name: nova
|
|
hosts:
|
|
default: nova-spiceproxy
|
|
public: placement
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: /spice_auto.html
|
|
scheme:
|
|
default: 'http'
|
|
port:
|
|
spice_proxy:
|
|
default: 6082
|
|
placement:
|
|
name: placement
|
|
hosts:
|
|
default: placement-api
|
|
public: placement
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: /
|
|
scheme:
|
|
default: 'http'
|
|
port:
|
|
api:
|
|
default: 8778
|
|
public: 80
|
|
network:
|
|
name: neutron
|
|
hosts:
|
|
default: neutron-server
|
|
public: neutron
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: null
|
|
scheme:
|
|
default: 'http'
|
|
port:
|
|
api:
|
|
default: 9696
|
|
public: 80
|
|
baremetal:
|
|
name: ironic
|
|
hosts:
|
|
default: ironic-api
|
|
public: ironic
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: null
|
|
scheme:
|
|
default: http
|
|
port:
|
|
api:
|
|
default: 6385
|
|
public: 80
|
|
fluentd:
|
|
namespace: null
|
|
name: fluentd
|
|
hosts:
|
|
default: fluentd-logging
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: null
|
|
scheme: 'http'
|
|
port:
|
|
service:
|
|
default: 24224
|
|
metrics:
|
|
default: 24220
|
|
# NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
|
|
# They are using to enable the Egress K8s network policy.
|
|
kube_dns:
|
|
namespace: kube-system
|
|
name: kubernetes-dns
|
|
hosts:
|
|
default: kube-dns
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: null
|
|
scheme: http
|
|
port:
|
|
dns:
|
|
default: 53
|
|
protocol: UDP
|
|
ingress:
|
|
namespace: null
|
|
name: ingress
|
|
hosts:
|
|
default: ingress
|
|
port:
|
|
ingress:
|
|
default: 80
|
|
|
|
pod:
|
|
probes:
|
|
rpc_timeout: 60
|
|
rpc_retries: 2
|
|
compute:
|
|
default:
|
|
liveness:
|
|
enabled: True
|
|
params:
|
|
initialDelaySeconds: 120
|
|
periodSeconds: 90
|
|
timeoutSeconds: 70
|
|
readiness:
|
|
enabled: True
|
|
params:
|
|
initialDelaySeconds: 80
|
|
periodSeconds: 90
|
|
timeoutSeconds: 70
|
|
api-metadata:
|
|
default:
|
|
liveness:
|
|
enabled: True
|
|
params:
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 60
|
|
timeoutSeconds: 15
|
|
readiness:
|
|
enabled: True
|
|
params:
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 60
|
|
timeoutSeconds: 15
|
|
api-osapi:
|
|
default:
|
|
liveness:
|
|
enabled: True
|
|
params:
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 60
|
|
timeoutSeconds: 15
|
|
readiness:
|
|
enabled: True
|
|
params:
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 60
|
|
timeoutSeconds: 15
|
|
conductor:
|
|
default:
|
|
liveness:
|
|
enabled: True
|
|
params:
|
|
initialDelaySeconds: 120
|
|
periodSeconds: 90
|
|
timeoutSeconds: 70
|
|
readiness:
|
|
enabled: True
|
|
params:
|
|
initialDelaySeconds: 80
|
|
periodSeconds: 90
|
|
timeoutSeconds: 70
|
|
novncproxy:
|
|
default:
|
|
liveness:
|
|
enabled: True
|
|
params:
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 60
|
|
timeoutSeconds: 15
|
|
readiness:
|
|
enabled: True
|
|
params:
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 60
|
|
timeoutSeconds: 15
|
|
scheduler:
|
|
default:
|
|
liveness:
|
|
enabled: True
|
|
params:
|
|
initialDelaySeconds: 120
|
|
periodSeconds: 90
|
|
timeoutSeconds: 70
|
|
readiness:
|
|
enabled: True
|
|
params:
|
|
initialDelaySeconds: 80
|
|
periodSeconds: 90
|
|
timeoutSeconds: 70
|
|
compute-spice-proxy:
|
|
default:
|
|
liveness:
|
|
enabled: True
|
|
params:
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 60
|
|
timeoutSeconds: 15
|
|
readiness:
|
|
enabled: True
|
|
params:
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 60
|
|
timeoutSeconds: 15
|
|
security_context:
|
|
nova:
|
|
pod:
|
|
runAsUser: 42424
|
|
container:
|
|
nova_compute_init:
|
|
readOnlyRootFilesystem: true
|
|
runAsUser: 0
|
|
tungstenfabric_compute_init:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
ceph_perms:
|
|
readOnlyRootFilesystem: true
|
|
runAsUser: 0
|
|
nova_compute_vnc_init:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
nova_compute_spice_init:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
nova_compute:
|
|
readOnlyRootFilesystem: true
|
|
privileged: true
|
|
nova_compute_ssh:
|
|
privileged: true
|
|
runAsUser: 0
|
|
nova_compute_ssh_init:
|
|
runAsUser: 0
|
|
nova_api_metadata_init:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
nova_api:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
nova_osapi:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
nova_conductor:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
nova_novncproxy_init:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
nova_novncproxy_init_assests:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
nova_novncproxy:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
nova_scheduler:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
nova_spiceproxy_init:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
nova_spiceproxy_init_assets:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
nova_spiceproxy:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
bootstrap:
|
|
pod:
|
|
runAsUser: 42424
|
|
container:
|
|
nova_wait_for_computes_init:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
bootstrap:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
nova_cell_setup:
|
|
pod:
|
|
runAsUser: 42424
|
|
container:
|
|
nova_wait_for_computes_init:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
nova_cell_setup_init:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
nova_cell_setup:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
archive_deleted_rows:
|
|
pod:
|
|
runAsUser: 42424
|
|
container:
|
|
nova_archive_deleted_rows_init:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
nova_archive_deleted_rows:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
cell_setup:
|
|
pod:
|
|
runAsUser: 42424
|
|
container:
|
|
nova_cell_setup:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
service_cleaner:
|
|
pod:
|
|
runAsUser: 42424
|
|
container:
|
|
nova_service_cleaner:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
use_fqdn:
|
|
# NOTE: If the option "host" is not specified in nova.conf, the host name
|
|
# shown in the hypervisor host is defaulted to the short name of the host.
|
|
# Setting the option here to true will cause use $(hostname --fqdn) as the
|
|
# host name by default. If the short name is desired $(hostname --short),
|
|
# set the option to false. Specifying a host in the nova.conf via the conf:
|
|
# section will supersede the value of this option.
|
|
compute: true
|
|
affinity:
|
|
anti:
|
|
type:
|
|
default: preferredDuringSchedulingIgnoredDuringExecution
|
|
topologyKey:
|
|
default: kubernetes.io/hostname
|
|
weight:
|
|
default: 10
|
|
tolerations:
|
|
nova:
|
|
enabled: false
|
|
tolerations:
|
|
- key: node-role.kubernetes.io/master
|
|
operator: Exists
|
|
effect: NoSchedule
|
|
mounts:
|
|
nova_compute:
|
|
init_container: null
|
|
nova_compute:
|
|
volumeMounts:
|
|
volumes:
|
|
nova_compute_ironic:
|
|
init_container: null
|
|
nova_compute_ironic:
|
|
volumeMounts:
|
|
volumes:
|
|
nova_api_metadata:
|
|
init_container: null
|
|
nova_api_metadata:
|
|
volumeMounts:
|
|
volumes:
|
|
nova_api_osapi:
|
|
init_container: null
|
|
nova_api_osapi:
|
|
volumeMounts:
|
|
volumes:
|
|
nova_conductor:
|
|
init_container: null
|
|
nova_conductor:
|
|
volumeMounts:
|
|
volumes:
|
|
nova_scheduler:
|
|
init_container: null
|
|
nova_scheduler:
|
|
volumeMounts:
|
|
volumes:
|
|
nova_bootstrap:
|
|
init_container: null
|
|
nova_bootstrap:
|
|
volumeMounts:
|
|
volumes:
|
|
nova_tests:
|
|
init_container: null
|
|
nova_tests:
|
|
volumeMounts:
|
|
volumes:
|
|
nova_novncproxy:
|
|
init_novncproxy: null
|
|
nova_novncproxy:
|
|
volumeMounts:
|
|
volumes:
|
|
nova_spiceproxy:
|
|
init_spiceproxy: null
|
|
nova_spiceproxy:
|
|
volumeMounts:
|
|
volumes:
|
|
nova_db_sync:
|
|
nova_db_sync:
|
|
volumeMounts:
|
|
volumes:
|
|
useHostNetwork:
|
|
novncproxy: true
|
|
replicas:
|
|
api_metadata: 1
|
|
compute_ironic: 1
|
|
osapi: 1
|
|
conductor: 1
|
|
scheduler: 1
|
|
novncproxy: 1
|
|
spiceproxy: 1
|
|
lifecycle:
|
|
upgrades:
|
|
deployments:
|
|
revision_history: 3
|
|
pod_replacement_strategy: RollingUpdate
|
|
rolling_update:
|
|
max_unavailable: 1
|
|
max_surge: 3
|
|
daemonsets:
|
|
pod_replacement_strategy: RollingUpdate
|
|
compute:
|
|
enabled: true
|
|
min_ready_seconds: 0
|
|
max_unavailable: 1
|
|
disruption_budget:
|
|
metadata:
|
|
min_available: 0
|
|
osapi:
|
|
min_available: 0
|
|
termination_grace_period:
|
|
metadata:
|
|
timeout: 30
|
|
osapi:
|
|
timeout: 30
|
|
resources:
|
|
enabled: false
|
|
compute:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
compute_ironic:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
api_metadata:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
api:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
conductor:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
scheduler:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ssh:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
novncproxy:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
spiceproxy:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
jobs:
|
|
bootstrap:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_init:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
rabbit_init:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_sync:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
archive_deleted_rows:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_drop:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ks_endpoints:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ks_service:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ks_user:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
tests:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
cell_setup:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
service_cleaner:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
image_repo_sync:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
|
|
network_policy:
|
|
nova:
|
|
# TODO(lamt): Need to tighten this ingress for security.
|
|
ingress:
|
|
- {}
|
|
egress:
|
|
- {}
|
|
|
|
# NOTE(helm_hook): helm_hook might break for helm2 binary.
|
|
# set helm3_hook: false when using the helm2 binary.
|
|
helm3_hook: true
|
|
|
|
health_probe:
|
|
logging:
|
|
level: ERROR
|
|
|
|
tls:
|
|
identity: false
|
|
oslo_messaging: false
|
|
oslo_db: false
|
|
|
|
manifests:
|
|
certificates: false
|
|
configmap_bin: true
|
|
configmap_etc: true
|
|
cron_job_cell_setup: true
|
|
cron_job_service_cleaner: true
|
|
cron_job_archive_deleted_rows: false
|
|
daemonset_compute: true
|
|
deployment_api_metadata: true
|
|
deployment_api_osapi: true
|
|
deployment_conductor: true
|
|
deployment_novncproxy: true
|
|
deployment_spiceproxy: true
|
|
deployment_scheduler: true
|
|
ingress_metadata: true
|
|
ingress_novncproxy: true
|
|
ingress_osapi: true
|
|
job_bootstrap: true
|
|
job_db_init: true
|
|
job_db_sync: true
|
|
job_db_drop: false
|
|
job_image_repo_sync: true
|
|
job_rabbit_init: true
|
|
job_ks_endpoints: true
|
|
job_ks_service: true
|
|
job_ks_user: true
|
|
job_cell_setup: true
|
|
pdb_metadata: true
|
|
pdb_osapi: true
|
|
pod_rally_test: true
|
|
network_policy: false
|
|
secret_db_api: true
|
|
secret_db_cell0: true
|
|
secret_db: true
|
|
secret_ingress_tls: true
|
|
secret_keystone: true
|
|
secret_rabbitmq: true
|
|
secret_registry: true
|
|
service_ingress_metadata: true
|
|
service_ingress_novncproxy: true
|
|
service_ingress_osapi: true
|
|
service_metadata: true
|
|
service_novncproxy: true
|
|
service_spiceproxy: true
|
|
service_osapi: true
|
|
statefulset_compute_ironic: false
|
|
...
|