openstack-helm/neutron/values.yaml
Thiago Brito 8ab6013409 Changing all policies to yaml format
In the Victoria cycle oslo.policy decided to change all default policies
to yaml format. Today on openstack-helm we have a mix of json and yaml
on projects and, after having a bad time debugging policies that should
have beeing mounted somewhere but was being mounted elsewhere, I'm
proposing this change so we can unify the delivery method for all
policies across components on yaml (that is supported for quite some
time). This will also avoid having problems in the future as the
services move from json to yaml.

[1] https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html

Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Id170bf184e44fd77cd53929d474582022a5b6d4f
2021-05-26 18:15:41 -03:00

2533 lines
76 KiB
YAML

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for neutron.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
---
release_group: null
images:
tags:
bootstrap: docker.io/openstackhelm/heat:stein-ubuntu_bionic
test: docker.io/xrally/xrally-openstack:2.0.0
purge_test: docker.io/openstackhelm/ospurge:latest
db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
neutron_db_sync: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
rabbit_init: docker.io/rabbitmq:3.7-management
ks_user: docker.io/openstackhelm/heat:stein-ubuntu_bionic
ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
neutron_server: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_dhcp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_metadata: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_l3: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_l2gw: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_openvswitch_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_linuxbridge_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_sriov_agent: docker.io/openstackhelm/neutron:stein-18.04-sriov
neutron_sriov_agent_init: docker.io/openstackhelm/neutron:stein-18.04-sriov
neutron_bagpipe_bgp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_ironic_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_netns_cleanup_cron: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/docker:17.07.0
pull_policy: "IfNotPresent"
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
labels:
agent:
dhcp:
node_selector_key: openstack-control-plane
node_selector_value: enabled
l3:
node_selector_key: openstack-control-plane
node_selector_value: enabled
metadata:
node_selector_key: openstack-control-plane
node_selector_value: enabled
l2gw:
node_selector_key: openstack-control-plane
node_selector_value: enabled
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
lb:
node_selector_key: linuxbridge
node_selector_value: enabled
# openvswitch is a special case, requiring a special
# label that can apply to both control hosts
# and compute hosts, until we get more sophisticated
# with our daemonset scheduling
ovs:
node_selector_key: openvswitch
node_selector_value: enabled
sriov:
node_selector_key: sriov
node_selector_value: enabled
bagpipe_bgp:
node_selector_key: openstack-compute-node
node_selector_value: enabled
server:
node_selector_key: openstack-control-plane
node_selector_value: enabled
ironic_agent:
node_selector_key: openstack-control-plane
node_selector_value: enabled
netns_cleanup_cron:
node_selector_key: openstack-control-plane
node_selector_value: enabled
test:
node_selector_key: openstack-control-plane
node_selector_value: enabled
network:
# provide what type of network wiring will be used
backend:
- openvswitch
# NOTE(Portdirect): Share network namespaces with the host,
# allowing agents to be restarted without packet loss and simpler
# debugging. This feature requires mount propagation support.
share_namespaces: true
interface:
# Tunnel interface will be used for VXLAN tunneling.
tunnel: null
# If tunnel is null there is a fallback mechanism to search
# for interface with routing using tunnel network cidr.
tunnel_network_cidr: "0/0"
# To perform setup of network interfaces using the SR-IOV init
# container you can use a section similar to:
# sriov:
# - device: ${DEV}
# num_vfs: 8
# mtu: 9214
# promisc: false
# qos:
# - vf_num: 0
# share: 10
# queues_per_vf:
# - num_queues: 16
# exclude_vf: 0,11,21
server:
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
external_policy_local: false
node_port:
enabled: false
port: 30096
bootstrap:
enabled: false
ks_user: neutron
script: |
openstack token issue
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- neutron-image-repo-sync
services:
- endpoint: node
service: local_image_registry
targeted:
sriov: {}
l2gateway: {}
bagpipe_bgp: {}
openvswitch:
dhcp:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-ovs-agent
l3:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-ovs-agent
metadata:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-ovs-agent
linuxbridge:
dhcp:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-lb-agent
l3:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-lb-agent
metadata:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-lb-agent
lb_agent:
pod: null
static:
bootstrap:
services:
- endpoint: internal
service: network
- endpoint: internal
service: compute
db_drop:
services:
- endpoint: internal
service: oslo_db
db_init:
services:
- endpoint: internal
service: oslo_db
db_sync:
jobs:
- neutron-db-init
services:
- endpoint: internal
service: oslo_db
dhcp:
pod: null
jobs:
- neutron-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: network
- endpoint: internal
service: compute
ks_endpoints:
jobs:
- neutron-ks-service
services:
- endpoint: internal
service: identity
ks_service:
services:
- endpoint: internal
service: identity
ks_user:
services:
- endpoint: internal
service: identity
rabbit_init:
services:
- service: oslo_messaging
endpoint: internal
l3:
pod: null
jobs:
- neutron-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: network
- endpoint: internal
service: compute
lb_agent:
pod: null
jobs:
- neutron-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: network
metadata:
pod: null
jobs:
- neutron-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: network
- endpoint: internal
service: compute
- endpoint: public
service: compute_metadata
ovs_agent:
jobs:
- neutron-rabbit-init
pod:
- requireSameNode: true
labels:
application: openvswitch
component: openvswitch-vswitchd
- requireSameNode: true
labels:
application: openvswitch
component: openvswitch-vswitchd-db
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: network
server:
jobs:
- neutron-db-sync
- neutron-ks-user
- neutron-ks-endpoints
- neutron-rabbit-init
services:
- endpoint: internal
service: oslo_db
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: oslo_cache
- endpoint: internal
service: identity
ironic_agent:
jobs:
- neutron-db-sync
- neutron-ks-user
- neutron-ks-endpoints
- neutron-rabbit-init
services:
- endpoint: internal
service: oslo_db
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: oslo_cache
- endpoint: internal
service: identity
tests:
services:
- endpoint: internal
service: network
- endpoint: internal
service: compute
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
pod:
use_fqdn:
neutron_agent: true
probes:
rpc_timeout: 60
rpc_retries: 2
dhcp_agent:
dhcp_agent:
readiness:
enabled: true
params:
initialDelaySeconds: 30
periodSeconds: 190
timeoutSeconds: 185
liveness:
enabled: true
params:
initialDelaySeconds: 120
periodSeconds: 600
timeoutSeconds: 580
l3_agent:
l3_agent:
readiness:
enabled: true
params:
initialDelaySeconds: 30
periodSeconds: 190
timeoutSeconds: 185
liveness:
enabled: true
params:
initialDelaySeconds: 120
periodSeconds: 600
timeoutSeconds: 580
lb_agent:
lb_agent:
readiness:
enabled: true
metadata_agent:
metadata_agent:
readiness:
enabled: true
params:
initialDelaySeconds: 30
periodSeconds: 190
timeoutSeconds: 185
liveness:
enabled: true
params:
initialDelaySeconds: 120
periodSeconds: 600
timeoutSeconds: 580
ovs_agent:
ovs_agent:
readiness:
enabled: true
params:
liveness:
enabled: true
params:
initialDelaySeconds: 120
periodSeconds: 600
timeoutSeconds: 580
sriov_agent:
sriov_agent:
readiness:
enabled: true
params:
initialDelaySeconds: 30
periodSeconds: 190
timeoutSeconds: 185
bagpipe_bgp:
bagpipe_bgp:
readiness:
enabled: true
params:
liveness:
enabled: true
params:
initialDelaySeconds: 60
l2gw_agent:
l2gw_agent:
readiness:
enabled: true
params:
initialDelaySeconds: 30
periodSeconds: 15
timeoutSeconds: 65
liveness:
enabled: true
params:
initialDelaySeconds: 120
periodSeconds: 90
timeoutSeconds: 70
server:
server:
readiness:
enabled: true
params:
liveness:
enabled: true
params:
initialDelaySeconds: 60
security_context:
neutron_dhcp_agent:
pod:
runAsUser: 42424
container:
neutron_dhcp_agent:
readOnlyRootFilesystem: true
privileged: true
neutron_l2gw_agent:
pod:
runAsUser: 42424
container:
neutron_l2gw_agent:
readOnlyRootFilesystem: true
privileged: true
neutron_bagpipe_bgp:
pod:
runAsUser: 42424
container:
neutron_bagpipe_bgp:
readOnlyRootFilesystem: true
privileged: true
neutron_l3_agent:
pod:
runAsUser: 42424
container:
neutron_l3_agent:
readOnlyRootFilesystem: true
privileged: true
neutron_lb_agent:
pod:
runAsUser: 42424
container:
neutron_lb_agent_kernel_modules:
capabilities:
add:
- SYS_MODULE
- SYS_CHROOT
runAsUser: 0
readOnlyRootFilesystem: true
neutron_lb_agent_init:
privileged: true
runAsUser: 0
readOnlyRootFilesystem: true
neutron_lb_agent:
readOnlyRootFilesystem: true
privileged: true
neutron_metadata_agent:
pod:
runAsUser: 42424
container:
neutron_metadata_agent_init:
runAsUser: 0
readOnlyRootFilesystem: true
neutron_ovs_agent:
pod:
runAsUser: 42424
container:
neutron_openvswitch_agent_kernel_modules:
capabilities:
add:
- SYS_MODULE
- SYS_CHROOT
runAsUser: 0
readOnlyRootFilesystem: true
neutron_ovs_agent_init:
privileged: true
runAsUser: 0
readOnlyRootFilesystem: true
neutron_ovs_agent:
readOnlyRootFilesystem: true
privileged: true
neutron_server:
pod:
runAsUser: 42424
container:
nginx:
runAsUser: 0
readOnlyRootFilesystem: false
neutron_server:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
neutron_sriov_agent:
pod:
runAsUser: 42424
container:
neutron_sriov_agent_init:
privileged: true
runAsUser: 0
readOnlyRootFilesystem: false
neutron_sriov_agent:
readOnlyRootFilesystem: true
privileged: true
neutron_ironic_agent:
pod:
runAsUser: 42424
container:
neutron_ironic_agent:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
neutron_netns_cleanup_cron:
pod:
runAsUser: 42424
container:
neutron_netns_cleanup_cron:
readOnlyRootFilesystem: true
privileged: true
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
weight:
default: 10
mounts:
neutron_server:
init_container: null
neutron_server:
volumeMounts:
volumes:
neutron_dhcp_agent:
init_container: null
neutron_dhcp_agent:
volumeMounts:
volumes:
neutron_l3_agent:
init_container: null
neutron_l3_agent:
volumeMounts:
volumes:
neutron_lb_agent:
init_container: null
neutron_lb_agent:
volumeMounts:
volumes:
neutron_metadata_agent:
init_container: null
neutron_metadata_agent:
volumeMounts:
volumes:
neutron_ovs_agent:
init_container: null
neutron_ovs_agent:
volumeMounts:
volumes:
neutron_sriov_agent:
init_container: null
neutron_sriov_agent:
volumeMounts:
volumes:
neutron_l2gw_agent:
init_container: null
neutron_l2gw_agent:
volumeMounts:
volumes:
bagpipe_bgp:
init_container: null
bagpipe_bgp:
volumeMounts:
volumes:
neutron_ironic_agent:
init_container: null
neutron_ironic_agent:
volumeMounts:
volumes:
neutron_netns_cleanup_cron:
init_container: null
neutron_netns_cleanup_cron:
volumeMounts:
volumes:
neutron_tests:
init_container: null
neutron_tests:
volumeMounts:
volumes:
neutron_bootstrap:
init_container: null
neutron_bootstrap:
volumeMounts:
volumes:
neutron_db_sync:
neutron_db_sync:
volumeMounts:
- name: db-sync-conf
mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
subPath: ml2_conf.ini
readOnly: true
volumes:
replicas:
server: 1
ironic_agent: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
daemonsets:
pod_replacement_strategy: RollingUpdate
dhcp_agent:
enabled: true
min_ready_seconds: 0
max_unavailable: 1
l3_agent:
enabled: true
min_ready_seconds: 0
max_unavailable: 1
lb_agent:
enabled: true
min_ready_seconds: 0
max_unavailable: 1
metadata_agent:
enabled: true
min_ready_seconds: 0
max_unavailable: 1
ovs_agent:
enabled: true
min_ready_seconds: 0
max_unavailable: 1
sriov_agent:
enabled: true
min_ready_seconds: 0
max_unavailable: 1
netns_cleanup_cron:
enabled: true
min_ready_seconds: 0
max_unavailable: 1
disruption_budget:
server:
min_available: 0
termination_grace_period:
server:
timeout: 30
ironic_agent:
timeout: 30
resources:
enabled: false
agent:
dhcp:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
l3:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
lb:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
metadata:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ovs:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
sriov:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
l2gw:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
bagpipe_bgp:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
server:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ironic_agent:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
netns_cleanup_cron:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
bootstrap:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
rabbit_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_drop:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_endpoints:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_service:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_user:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
tests:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
conf:
rally_tests:
force_project_purge: false
run_tempest: false
clean_up: |
# NOTE: We will make the best effort to clean up rally generated networks and routers,
# but should not block further automated deployment.
set +e
PATTERN="^[sc]_rally_"
ROUTERS=$(openstack router list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')
NETWORKS=$(openstack network list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')
for ROUTER in $ROUTERS
do
openstack router unset --external-gateway $ROUTER
openstack router set --disable --no-ha $ROUTER
SUBNS=$(openstack router show $ROUTER -c interfaces_info --format=value | python -m json.tool | grep -oP '(?<="subnet_id": ")[a-f0-9\-]{36}(?=")' | sort | uniq)
for SUBN in $SUBNS
do
openstack router remove subnet $ROUTER $SUBN
done
for PORT in $(openstack port list --router $ROUTER --format=value -c ID | tr -d '\r')
do
openstack router remove port $ROUTER $PORT
done
openstack router delete $ROUTER
done
for NETWORK in $NETWORKS
do
for PORT in $(openstack port list --network $NETWORK --format=value -c ID | tr -d '\r')
do
openstack port delete $PORT
done
openstack network delete $NETWORK
done
set -e
tests:
NeutronNetworks.create_and_delete_networks:
- args:
network_create_args: {}
context:
quotas:
neutron:
network: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.create_and_delete_ports:
- args:
network_create_args: {}
port_create_args: {}
ports_per_network: 10
context:
network: {}
quotas:
neutron:
network: -1
port: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.create_and_delete_routers:
- args:
network_create_args: {}
router_create_args: {}
subnet_cidr_start: 1.1.0.0/30
subnet_create_args: {}
subnets_per_network: 2
context:
network: {}
quotas:
neutron:
network: -1
router: -1
subnet: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.create_and_delete_subnets:
- args:
network_create_args: {}
subnet_cidr_start: 1.1.0.0/30
subnet_create_args: {}
subnets_per_network: 2
context:
network: {}
quotas:
neutron:
network: -1
subnet: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.create_and_list_routers:
- args:
network_create_args: {}
router_create_args: {}
subnet_cidr_start: 1.1.0.0/30
subnet_create_args: {}
subnets_per_network: 2
context:
network: {}
quotas:
neutron:
network: -1
router: -1
subnet: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.create_and_list_subnets:
- args:
network_create_args: {}
subnet_cidr_start: 1.1.0.0/30
subnet_create_args: {}
subnets_per_network: 2
context:
network: {}
quotas:
neutron:
network: -1
subnet: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.create_and_show_network:
- args:
network_create_args: {}
context:
quotas:
neutron:
network: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.create_and_update_networks:
- args:
network_create_args: {}
network_update_args:
admin_state_up: false
context:
quotas:
neutron:
network: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.create_and_update_ports:
- args:
network_create_args: {}
port_create_args: {}
port_update_args:
admin_state_up: false
device_id: dummy_id
device_owner: dummy_owner
ports_per_network: 5
context:
network: {}
quotas:
neutron:
network: -1
port: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.create_and_update_routers:
- args:
network_create_args: {}
router_create_args: {}
router_update_args:
admin_state_up: false
subnet_cidr_start: 1.1.0.0/30
subnet_create_args: {}
subnets_per_network: 2
context:
network: {}
quotas:
neutron:
network: -1
router: -1
subnet: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.create_and_update_subnets:
- args:
network_create_args: {}
subnet_cidr_start: 1.4.0.0/16
subnet_create_args: {}
subnet_update_args:
enable_dhcp: false
subnets_per_network: 2
context:
network: {}
quotas:
neutron:
network: -1
subnet: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.list_agents:
- args:
agent_args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronSecurityGroup.create_and_list_security_groups:
- args:
security_group_create_args: {}
context:
quotas:
neutron:
security_group: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronSecurityGroup.create_and_update_security_groups:
- args:
security_group_create_args: {}
security_group_update_args: {}
context:
quotas:
neutron:
security_group: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
paste:
composite:neutron:
use: egg:Paste#urlmap
/: neutronversions_composite
/v2.0: neutronapi_v2_0
composite:neutronapi_v2_0:
use: call:neutron.auth:pipeline_factory
noauth: cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
keystone: cors http_proxy_to_wsgi request_id catch_errors authtoken audit keystonecontext extensions neutronapiapp_v2_0
composite:neutronversions_composite:
use: call:neutron.auth:pipeline_factory
noauth: cors http_proxy_to_wsgi neutronversions
keystone: cors http_proxy_to_wsgi neutronversions
filter:request_id:
paste.filter_factory: oslo_middleware:RequestId.factory
filter:catch_errors:
paste.filter_factory: oslo_middleware:CatchErrors.factory
filter:cors:
paste.filter_factory: oslo_middleware.cors:filter_factory
oslo_config_project: neutron
filter:http_proxy_to_wsgi:
paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
filter:keystonecontext:
paste.filter_factory: neutron.auth:NeutronKeystoneContext.factory
filter:authtoken:
paste.filter_factory: keystonemiddleware.auth_token:filter_factory
filter:audit:
paste.filter_factory: keystonemiddleware.audit:filter_factory
audit_map_file: /etc/neutron/api_audit_map.conf
filter:extensions:
paste.filter_factory: neutron.api.extensions:plugin_aware_extension_middleware_factory
app:neutronversions:
paste.app_factory: neutron.pecan_wsgi.app:versions_factory
app:neutronapiapp_v2_0:
paste.app_factory: neutron.api.v2.router:APIRouter.factory
filter:osprofiler:
paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
policy:
context_is_admin: role:admin
owner: tenant_id:%(tenant_id)s
admin_or_owner: rule:context_is_admin or rule:owner
context_is_advsvc: role:advsvc
admin_or_network_owner: rule:context_is_admin or tenant_id:%(network:tenant_id)s
admin_owner_or_network_owner: rule:owner or rule:admin_or_network_owner
admin_only: rule:context_is_admin
regular_user: ''
shared: field:networks:shared=True
shared_subnetpools: field:subnetpools:shared=True
shared_address_scopes: field:address_scopes:shared=True
external: field:networks:router:external=True
default: rule:admin_or_owner
create_subnet: rule:admin_or_network_owner
create_subnet:segment_id: rule:admin_only
create_subnet:service_types: rule:admin_only
get_subnet: rule:admin_or_owner or rule:shared
get_subnet:segment_id: rule:admin_only
update_subnet: rule:admin_or_network_owner
update_subnet:service_types: rule:admin_only
delete_subnet: rule:admin_or_network_owner
create_subnetpool: ''
create_subnetpool:shared: rule:admin_only
create_subnetpool:is_default: rule:admin_only
get_subnetpool: rule:admin_or_owner or rule:shared_subnetpools
update_subnetpool: rule:admin_or_owner
update_subnetpool:is_default: rule:admin_only
delete_subnetpool: rule:admin_or_owner
create_address_scope: ''
create_address_scope:shared: rule:admin_only
get_address_scope: rule:admin_or_owner or rule:shared_address_scopes
update_address_scope: rule:admin_or_owner
update_address_scope:shared: rule:admin_only
delete_address_scope: rule:admin_or_owner
create_network: ''
get_network: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc
get_network:router:external: rule:regular_user
get_network:segments: rule:admin_only
get_network:provider:network_type: rule:admin_only
get_network:provider:physical_network: rule:admin_only
get_network:provider:segmentation_id: rule:admin_only
get_network:queue_id: rule:admin_only
get_network_ip_availabilities: rule:admin_only
get_network_ip_availability: rule:admin_only
create_network:shared: rule:admin_only
create_network:router:external: rule:admin_only
create_network:is_default: rule:admin_only
create_network:segments: rule:admin_only
create_network:provider:network_type: rule:admin_only
create_network:provider:physical_network: rule:admin_only
create_network:provider:segmentation_id: rule:admin_only
update_network: rule:admin_or_owner
update_network:segments: rule:admin_only
update_network:shared: rule:admin_only
update_network:provider:network_type: rule:admin_only
update_network:provider:physical_network: rule:admin_only
update_network:provider:segmentation_id: rule:admin_only
update_network:router:external: rule:admin_only
delete_network: rule:admin_or_owner
create_segment: rule:admin_only
get_segment: rule:admin_only
update_segment: rule:admin_only
delete_segment: rule:admin_only
network_device: 'field:port:device_owner=~^network:'
create_port: ''
create_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
create_port:mac_address: rule:context_is_advsvc or rule:admin_or_network_owner
create_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
create_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
create_port:binding:host_id: rule:admin_only
create_port:binding:profile: rule:admin_only
create_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
create_port:allowed_address_pairs: rule:admin_or_network_owner
get_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
get_port:queue_id: rule:admin_only
get_port:binding:vif_type: rule:admin_only
get_port:binding:vif_details: rule:admin_only
get_port:binding:host_id: rule:admin_only
get_port:binding:profile: rule:admin_only
update_port: rule:admin_or_owner or rule:context_is_advsvc
update_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
update_port:mac_address: rule:admin_only or rule:context_is_advsvc
update_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
update_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
update_port:binding:host_id: rule:admin_only
update_port:binding:profile: rule:admin_only
update_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
update_port:allowed_address_pairs: rule:admin_or_network_owner
delete_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
get_router:ha: rule:admin_only
create_router: rule:regular_user
create_router:external_gateway_info:enable_snat: rule:admin_only
create_router:distributed: rule:admin_only
create_router:ha: rule:admin_only
get_router: rule:admin_or_owner
get_router:distributed: rule:admin_only
update_router:external_gateway_info:enable_snat: rule:admin_only
update_router:distributed: rule:admin_only
update_router:ha: rule:admin_only
delete_router: rule:admin_or_owner
add_router_interface: rule:admin_or_owner
remove_router_interface: rule:admin_or_owner
create_router:external_gateway_info:external_fixed_ips: rule:admin_only
update_router:external_gateway_info:external_fixed_ips: rule:admin_only
insert_rule: rule:admin_or_owner
remove_rule: rule:admin_or_owner
create_qos_queue: rule:admin_only
get_qos_queue: rule:admin_only
update_agent: rule:admin_only
delete_agent: rule:admin_only
get_agent: rule:admin_only
create_dhcp-network: rule:admin_only
delete_dhcp-network: rule:admin_only
get_dhcp-networks: rule:admin_only
create_l3-router: rule:admin_only
delete_l3-router: rule:admin_only
get_l3-routers: rule:admin_only
get_dhcp-agents: rule:admin_only
get_l3-agents: rule:admin_only
get_loadbalancer-agent: rule:admin_only
get_loadbalancer-pools: rule:admin_only
get_agent-loadbalancers: rule:admin_only
get_loadbalancer-hosting-agent: rule:admin_only
create_floatingip: rule:regular_user
create_floatingip:floating_ip_address: rule:admin_only
update_floatingip: rule:admin_or_owner
delete_floatingip: rule:admin_or_owner
get_floatingip: rule:admin_or_owner
create_network_profile: rule:admin_only
update_network_profile: rule:admin_only
delete_network_profile: rule:admin_only
get_network_profiles: ''
get_network_profile: ''
update_policy_profiles: rule:admin_only
get_policy_profiles: ''
get_policy_profile: ''
create_metering_label: rule:admin_only
delete_metering_label: rule:admin_only
get_metering_label: rule:admin_only
create_metering_label_rule: rule:admin_only
delete_metering_label_rule: rule:admin_only
get_metering_label_rule: rule:admin_only
get_service_provider: rule:regular_user
get_lsn: rule:admin_only
create_lsn: rule:admin_only
create_flavor: rule:admin_only
update_flavor: rule:admin_only
delete_flavor: rule:admin_only
get_flavors: rule:regular_user
get_flavor: rule:regular_user
create_service_profile: rule:admin_only
update_service_profile: rule:admin_only
delete_service_profile: rule:admin_only
get_service_profiles: rule:admin_only
get_service_profile: rule:admin_only
get_policy: rule:regular_user
create_policy: rule:admin_only
update_policy: rule:admin_only
delete_policy: rule:admin_only
get_policy_bandwidth_limit_rule: rule:regular_user
create_policy_bandwidth_limit_rule: rule:admin_only
delete_policy_bandwidth_limit_rule: rule:admin_only
update_policy_bandwidth_limit_rule: rule:admin_only
get_policy_dscp_marking_rule: rule:regular_user
create_policy_dscp_marking_rule: rule:admin_only
delete_policy_dscp_marking_rule: rule:admin_only
update_policy_dscp_marking_rule: rule:admin_only
get_rule_type: rule:regular_user
get_policy_minimum_bandwidth_rule: rule:regular_user
create_policy_minimum_bandwidth_rule: rule:admin_only
delete_policy_minimum_bandwidth_rule: rule:admin_only
update_policy_minimum_bandwidth_rule: rule:admin_only
restrict_wildcard: "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
create_rbac_policy: ''
create_rbac_policy:target_tenant: rule:restrict_wildcard
update_rbac_policy: rule:admin_or_owner
update_rbac_policy:target_tenant: rule:restrict_wildcard and rule:admin_or_owner
get_rbac_policy: rule:admin_or_owner
delete_rbac_policy: rule:admin_or_owner
create_flavor_service_profile: rule:admin_only
delete_flavor_service_profile: rule:admin_only
get_flavor_service_profile: rule:regular_user
get_auto_allocated_topology: rule:admin_or_owner
create_trunk: rule:regular_user
get_trunk: rule:admin_or_owner
delete_trunk: rule:admin_or_owner
get_subports: ''
add_subports: rule:admin_or_owner
remove_subports: rule:admin_or_owner
api_audit_map:
DEFAULT:
target_endpoint_type: None
custom_actions:
add_router_interface: update/add
remove_router_interface: update/remove
path_keywords:
floatingips: ip
healthmonitors: healthmonitor
health_monitors: health_monitor
lb: None
members: member
metering-labels: label
metering-label-rules: rule
networks: network
pools: pool
ports: port
routers: router
quotas: quota
security-groups: security-group
security-group-rules: rule
subnets: subnet
vips: vip
service_endpoints:
network: service/network
neutron_sudoers: |
# This sudoers file supports rootwrap for both Kolla and LOCI Images.
Defaults !requiretty
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
rootwrap: |
# Configuration for neutron-rootwrap
# This file should be owned by (and only-writeable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap,/var/lib/openstack/etc/neutron/rootwrap.d
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
# Enable logging to syslog
# Default value is False
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR
[xenapi]
# XenAPI configuration is only required by the L2 agent if it is to
# target a XenServer/XCP compute host's dom0.
xenapi_connection_url=<None>
xenapi_connection_username=root
xenapi_connection_password=<None>
rootwrap_filters:
debug:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# This is needed because we should ping
# from inside a namespace which requires root
# _alt variants allow to match -c and -w in any order
# (used by NeutronDebugAgent.ping_all)
ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
dibbler:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# Filters for the dibbler-based reference implementation of the pluggable
# Prefix Delegation driver. Other implementations using an alternative agent
# should include a similar filter in this folder.
# prefix_delegation_agent
dibbler-client: CommandFilter, dibbler-client, root
ipset_firewall:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# neutron/agent/linux/iptables_firewall.py
# "ipset", "-A", ...
ipset: CommandFilter, ipset, root
l3:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# arping
arping: CommandFilter, arping, root
# l3_agent
sysctl: CommandFilter, sysctl, root
route: CommandFilter, route, root
radvd: CommandFilter, radvd, root
# haproxy
haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP
# metadata proxy
metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
# RHEL invocation of the metadata proxy will report /usr/bin/python
kill_metadata: KillFilter, root, python, -15, -9
kill_metadata2: KillFilter, root, python2, -15, -9
kill_metadata7: KillFilter, root, python2.7, -15, -9
kill_metadata3: KillFilter, root, python3, -15, -9
kill_metadata35: KillFilter, root, python3.5, -15, -9
kill_metadata36: KillFilter, root, python3.6, -15, -9
kill_metadata37: KillFilter, root, python3.7, -15, -9
kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
# ip_lib
ip: IpFilter, ip, root
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
ip_exec: IpNetnsExecFilter, ip, root
# l3_tc_lib
l3_tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
l3_tc_add_qdisc_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress
l3_tc_add_qdisc_egress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, root, handle, 1:, htb
l3_tc_show_filters: RegExpFilter, tc, root, tc, -p, -s, -d, filter, show, dev, .+, parent, .+, prio, 1
l3_tc_delete_filters: RegExpFilter, tc, root, tc, filter, del, dev, .+, parent, .+, prio, 1, handle, .+, u32
l3_tc_add_filter_ingress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, dst, .+, police, rate, .+, burst, .+, drop, flowid, :1
l3_tc_add_filter_egress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, src, .+, police, rate, .+, burst, .+, drop, flowid, :1
# For ip monitor
kill_ip_monitor: KillFilter, root, ip, -9
# ovs_lib (if OVSInterfaceDriver is used)
ovs-vsctl: CommandFilter, ovs-vsctl, root
# iptables_manager
iptables-save: CommandFilter, iptables-save, root
iptables-restore: CommandFilter, iptables-restore, root
ip6tables-save: CommandFilter, ip6tables-save, root
ip6tables-restore: CommandFilter, ip6tables-restore, root
# Keepalived
keepalived: CommandFilter, keepalived, root
kill_keepalived: KillFilter, root, keepalived, -HUP, -15, -9
# l3 agent to delete floatingip's conntrack state
conntrack: CommandFilter, conntrack, root
# keepalived state change monitor
keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
# The following filters are used to kill the keepalived state change monitor.
# Since the monitor runs as a Python script, the system reports that the
# command of the process to be killed is python.
# TODO(mlavalle) These kill filters will be updated once we come up with a
# mechanism to kill using the name of the script being executed by Python
kill_keepalived_monitor_py: KillFilter, root, python, -15
kill_keepalived_monitor_py27: KillFilter, root, python2.7, -15
kill_keepalived_monitor_py3: KillFilter, root, python3, -15
kill_keepalived_monitor_py35: KillFilter, root, python3.5, -15
kill_keepalived_monitor_py36: KillFilter, root, python3.6, -15
kill_keepalived_monitor_py37: KillFilter, root, python3.7, -15
netns_cleanup:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
- netns_cleanup_cron
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# netns-cleanup
netstat: CommandFilter, netstat, root
dhcp:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
- netns_cleanup_cron
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# dhcp-agent
dnsmasq: CommandFilter, dnsmasq, root
# dhcp-agent uses kill as well, that's handled by the generic KillFilter
# it looks like these are the only signals needed, per
# neutron/agent/linux/dhcp.py
kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
ovs-vsctl: CommandFilter, ovs-vsctl, root
ivs-ctl: CommandFilter, ivs-ctl, root
mm-ctl: CommandFilter, mm-ctl, root
dhcp_release: CommandFilter, dhcp_release, root
dhcp_release6: CommandFilter, dhcp_release6, root
# metadata proxy
metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
# RHEL invocation of the metadata proxy will report /usr/bin/python
kill_metadata: KillFilter, root, python, -9
kill_metadata2: KillFilter, root, python2, -9
kill_metadata7: KillFilter, root, python2.7, -9
kill_metadata3: KillFilter, root, python3, -9
kill_metadata35: KillFilter, root, python3.5, -9
kill_metadata36: KillFilter, root, python3.6, -9
kill_metadata37: KillFilter, root, python3.7, -9
# ip_lib
ip: IpFilter, ip, root
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
ip_exec: IpNetnsExecFilter, ip, root
ebtables:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
ebtables: CommandFilter, ebtables, root
iptables_firewall:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# neutron/agent/linux/iptables_firewall.py
# "iptables-save", ...
iptables-save: CommandFilter, iptables-save, root
iptables-restore: CommandFilter, iptables-restore, root
ip6tables-save: CommandFilter, ip6tables-save, root
ip6tables-restore: CommandFilter, ip6tables-restore, root
# neutron/agent/linux/iptables_firewall.py
# "iptables", "-A", ...
iptables: CommandFilter, iptables, root
ip6tables: CommandFilter, ip6tables, root
# neutron/agent/linux/iptables_firewall.py
sysctl: CommandFilter, sysctl, root
# neutron/agent/linux/ip_conntrack.py
conntrack: CommandFilter, conntrack, root
linuxbridge_plugin:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# linuxbridge-agent
# unclear whether both variants are necessary, but I'm transliterating
# from the old mechanism
brctl: CommandFilter, brctl, root
bridge: CommandFilter, bridge, root
# ip_lib
ip: IpFilter, ip, root
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
ip_exec: IpNetnsExecFilter, ip, root
# tc commands needed for QoS support
tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop
openvswitch_plugin:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# openvswitch-agent
# unclear whether both variants are necessary, but I'm transliterating
# from the old mechanism
ovs-vsctl: CommandFilter, ovs-vsctl, root
# NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
ovs-ofctl: CommandFilter, ovs-ofctl, root
ovs-appctl: CommandFilter, ovs-appctl, root
kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
ovsdb-client: CommandFilter, ovsdb-client, root
xe: CommandFilter, xe, root
# ip_lib
ip: IpFilter, ip, root
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
ip_exec: IpNetnsExecFilter, ip, root
# needed for FDB extension
bridge: CommandFilter, bridge, root
privsep:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
- netns_cleanup_cron
content: |
# Command filters to allow privsep daemon to be started via rootwrap.
#
# This file should be owned by (and only-writeable by) the root user
[Filters]
# By installing the following, the local admin is asserting that:
#
# 1. The python module load path used by privsep-helper
# command as root (as started by sudo/rootwrap) is trusted.
# 2. Any oslo.config files matching the --config-file
# arguments below are trusted.
# 3. Users allowed to run sudo/rootwrap with this configuration(*) are
# also allowed to invoke python "entrypoint" functions from
# --privsep_context with the additional (possibly root) privileges
# configured for that context.
#
# (*) ie: the user is allowed by /etc/sudoers to run rootwrap as root
#
# In particular, the oslo.config and python module path must not
# be writeable by the unprivileged user.
# oslo.privsep default neutron context
privsep: PathFilter, privsep-helper, root,
--config-file, /etc,
--privsep_context, neutron.privileged.default,
--privsep_sock_path, /
# NOTE: A second `--config-file` arg can also be added above. Since
# many neutron components are installed like that (eg: by devstack).
# Adjust to suit local requirements.
linux_vxlan:
pods:
- bagpipe_bgp
content: |
# bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
# expected to control VXLAN Linux Bridge dataplane
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
#
modprobe: CommandFilter, modprobe, root
#
brctl: CommandFilter, brctl, root
bridge: CommandFilter, bridge, root
# ip_lib
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
# shell (for piped commands)
sh: CommandFilter, sh, root
mpls_ovs_dataplane:
pods:
- bagpipe_bgp
content: |
# bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
# expected to control MPLS OpenVSwitch dataplane
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# openvswitch
ovs-vsctl: CommandFilter, ovs-vsctl, root
ovs-ofctl: CommandFilter, ovs-ofctl, root
# ip_lib
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
# shell (for piped commands)
sh: CommandFilter, sh, root
neutron:
DEFAULT:
metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
log_config_append: /etc/neutron/logging.conf
# NOTE(portdirect): the bind port should not be defined, and is manipulated
# via the endpoints section.
bind_port: null
default_availability_zones: nova
api_workers: 1
rpc_workers: 4
allow_overlapping_ips: True
state_path: /var/lib/neutron
# core_plugin can be: ml2, calico
core_plugin: ml2
# service_plugin can be: router, odl-router, empty for calico,
# networking_ovn.l3.l3_ovn.OVNL3RouterPlugin for OVN
service_plugins: router
allow_automatic_l3agent_failover: True
l3_ha: True
max_l3_agents_per_router: 2
l3_ha_network_type: vxlan
network_auto_schedule: True
router_auto_schedule: True
# (NOTE)portdirect: if unset this is populated dynamically from the value in
# 'network.backend' to sane defaults.
interface_driver: null
oslo_concurrency:
lock_path: /var/lib/neutron/tmp
database:
max_retries: -1
agent:
root_helper: sudo /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
oslo_messaging_notifications:
driver: messagingv2
oslo_messaging_rabbit:
rabbit_ha_queues: true
oslo_middleware:
enable_proxy_headers_parsing: true
oslo_policy:
policy_file: /etc/neutron/policy.yaml
nova:
auth_type: password
auth_version: v3
endpoint_type: internal
designate:
auth_type: password
auth_version: v3
endpoint_type: internal
allow_reverse_dns_lookup: true
ironic:
endpoint_type: internal
keystone_authtoken:
memcache_security_strategy: ENCRYPT
auth_type: password
auth_version: v3
octavia:
request_poll_timeout: 3000
logging:
loggers:
keys:
- root
- neutron
- neutron_taas
handlers:
keys:
- stdout
- stderr
- "null"
formatters:
keys:
- context
- default
logger_root:
level: WARNING
handlers: 'null'
logger_neutron:
level: INFO
handlers:
- stdout
qualname: neutron
logger_neutron_taas:
level: INFO
handlers:
- stdout
qualname: neutron_taas
logger_amqp:
level: WARNING
handlers: stderr
qualname: amqp
logger_amqplib:
level: WARNING
handlers: stderr
qualname: amqplib
logger_eventletwsgi:
level: WARNING
handlers: stderr
qualname: eventlet.wsgi.server
logger_sqlalchemy:
level: WARNING
handlers: stderr
qualname: sqlalchemy
logger_boto:
level: WARNING
handlers: stderr
qualname: boto
handler_null:
class: logging.NullHandler
formatter: default
args: ()
handler_stdout:
class: StreamHandler
args: (sys.stdout,)
formatter: context
handler_stderr:
class: StreamHandler
args: (sys.stderr,)
formatter: context
formatter_context:
class: oslo_log.formatters.ContextFormatter
datefmt: "%Y-%m-%d %H:%M:%S"
formatter_default:
format: "%(message)s"
datefmt: "%Y-%m-%d %H:%M:%S"
plugins:
ml2_conf:
ml2:
extension_drivers: port_security
# (NOTE)portdirect: if unset this is populated dyanmicly from the value
# in 'network.backend' to sane defaults.
mechanism_drivers: null
type_drivers: flat,vlan,vxlan
tenant_network_types: vxlan
ml2_type_vxlan:
vni_ranges: 1:1000
vxlan_group: 239.1.1.1
ml2_type_flat:
flat_networks: "*"
# If you want to use the external network as a tagged provider network,
# a range should be specified including the intended VLAN target
# using ml2_type_vlan.network_vlan_ranges:
# ml2_type_vlan:
# network_vlan_ranges: "external:1100:1110"
agent:
extensions: ""
ml2_conf_sriov: null
taas:
taas:
enabled: False
openvswitch_agent:
agent:
tunnel_types: vxlan
l2_population: True
arp_responder: True
ovs:
bridge_mappings: "external:br-ex"
securitygroup:
firewall_driver: neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
linuxbridge_agent:
linux_bridge:
# To define Flat and VLAN connections, in LB we can assign
# specific interface to the flat/vlan network name using:
# physical_interface_mappings: "external:eth3"
# Or we can set the mapping between the network and bridge:
bridge_mappings: "external:br-ex"
# The two above options are exclusive, do not use both of them at once
securitygroup:
firewall_driver: iptables
vxlan:
l2_population: True
arp_responder: True
macvtap_agent: null
sriov_agent:
securitygroup:
firewall_driver: neutron.agent.firewall.NoopFirewallDriver
sriov_nic:
physical_device_mappings: physnet2:enp3s0f1
# NOTE: do not use null here, use an empty string
exclude_devices: ""
dhcp_agent:
DEFAULT:
# (NOTE)portdirect: if unset this is populated dyanmicly from the value in
# 'network.backend' to sane defaults.
interface_driver: null
dnsmasq_config_file: /etc/neutron/dnsmasq.conf
force_metadata: True
l3_agent:
DEFAULT:
# (NOTE)portdirect: if unset this is populated dyanmicly from the value in
# 'network.backend' to sane defaults.
interface_driver: null
agent_mode: legacy
metering_agent: null
metadata_agent:
DEFAULT:
# we cannot change the proxy socket path as it is declared
# as a hostPath volume from agent daemonsets
metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
metadata_proxy_shared_secret: "password"
cache:
enabled: true
backend: dogpile.cache.memcached
bagpipe_bgp: {}
rabbitmq:
# NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
policies:
- vhost: "neutron"
name: "ha_ttl_neutron"
definition:
# mirror messges to other nodes in rmq cluster
ha-mode: "all"
ha-sync-mode: "automatic"
# 70s
message-ttl: 70000
priority: 0
apply-to: all
pattern: '^(?!(amq\.|reply_)).*'
## NOTE: "besteffort" is meant for dev env with mixed compute type only.
## This helps prevent sriov init script from failing due to mis-matched NIC
## For prod env, target NIC should match and init script should fail otherwise.
## sriov_init:
## - besteffort
sriov_init:
-
# auto_bridge_add is a table of "bridge: interface" pairs
# To automatically add a physical interfaces to a specific bridges,
# for example eth3 to bridge br-physnet1, if0 to br0 and iface_two
# to br1 do something like:
#
# auto_bridge_add:
# br-physnet1: eth3
# br0: if0
# br1: iface_two
# br-ex will be added by default
auto_bridge_add:
br-ex: null
# configuration of OVS DPDK bridges and NICs
# this is a separate section and not part of the auto_bridge_add section
# because additional parameters are needed
ovs_dpdk:
enabled: false
# setting update_dpdk_bond_config to true will have default behavior,
# which may cause disruptions in ovs dpdk traffic in case of neutron
# ovs agent restart or when dpdk nic/bond configurations are changed.
# Setting this to false will configure dpdk in the first run and
# disable nic/bond config on event of restart or config update.
update_dpdk_bond_config: true
driver: uio_pci_generic
# In case bonds are configured, the nics which are part of those bonds
# must NOT be provided here.
nics:
- name: dpdk0
pci_id: '0000:05:00.0'
# Set VF Index in case some particular VF(s) need to be
# used with ovs-dpdk.
# vf_index: 0
bridge: br-phy
migrate_ip: true
n_rxq: 2
n_txq: 2
pmd_rxq_affinity: "0:3,1:27"
ofport_request: 1
# optional parameters for tuning the OVS DPDK config
# in alignment with the available hardware resources
# mtu: 2000
# n_rxq_size: 1024
# n_txq_size: 1024
# vhost-iommu-support: true
bridges:
- name: br-phy
# optional parameter, in case tunnel traffic needs to be transported over a vlan underlay
# - tunnel_underlay_vlan: 45
# Optional parameter for configuring bonding in OVS-DPDK
# - name: br-phy-bond0
# bonds:
# - name: dpdkbond0
# bridge: br-phy-bond0
# # The IP from the first nic in nics list shall be used
# migrate_ip: true
# mtu: 2000
# # Please note that n_rxq is set for each NIC individually
# # rather than denoting the total number of rx queues for
# # the bond as a whole. So setting n_rxq = 2 below for ex.
# # would be 4 rx queues in total for the bond.
# # Same for n_txq
# n_rxq: 2
# n_txq: 2
# ofport_request: 1
# n_rxq_size: 1024
# n_txq_size: 1024
# vhost-iommu-support: true
# ovs_options: "bond_mode=active-backup"
# nics:
# - name: dpdk_b0s0
# pci_id: '0000:06:00.0'
# pmd_rxq_affinity: "0:3,1:27"
# # Set VF Index in case some particular VF(s) need to be
# # used with ovs-dpdk. In which case pci_id of PF must be
# # provided above.
# # vf_index: 0
# - name: dpdk_b0s1
# pci_id: '0000:07:00.0'
# pmd_rxq_affinity: "0:3,1:27"
# # Set VF Index in case some particular VF(s) need to be
# # used with ovs-dpdk. In which case pci_id of PF must be
# # provided above.
# # vf_index: 0
#
# Set the log level for each target module (default level is always dbg)
# Supported log levels are: off, emer, err, warn, info, dbg
#
# modules:
# - name: dpdk
# log_level: info
# Names of secrets used by bootstrap and environmental checks
secrets:
identity:
admin: neutron-keystone-admin
neutron: neutron-keystone-user
test: neutron-keystone-test
oslo_db:
admin: neutron-db-admin
neutron: neutron-db-user
oslo_messaging:
admin: neutron-rabbitmq-admin
neutron: neutron-rabbitmq-user
tls:
compute_metadata:
metadata:
internal: metadata-tls-metadata
network:
server:
public: neutron-tls-public
internal: neutron-tls-server
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
oslo_db:
auth:
admin:
username: root
password: password
secret:
tls:
internal: mariadb-tls-direct
neutron:
username: neutron
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /neutron
scheme: mysql+pymysql
port:
mysql:
default: 3306
oslo_messaging:
auth:
admin:
username: rabbitmq
password: password
secret:
tls:
internal: rabbitmq-tls-direct
neutron:
username: neutron
password: password
statefulset:
replicas: 2
name: rabbitmq-rabbitmq
hosts:
default: rabbitmq
host_fqdn_override:
default: null
path: /neutron
scheme: rabbit
port:
amqp:
default: 5672
http:
default: 15672
oslo_cache:
auth:
# NOTE(portdirect): this is used to define the value for keystone
# authtoken cache encryption key, if not set it will be populated
# automatically with a random value, but to take advantage of
# this feature all services should be set to use the same key,
# and memcache service.
memcache_secret_key: null
hosts:
default: memcached
host_fqdn_override:
default: null
port:
memcache:
default: 11211
compute:
name: nova
hosts:
default: nova-api
public: nova
host_fqdn_override:
default: null
path:
default: "/v2.1/%(tenant_id)s"
scheme:
default: 'http'
port:
api:
default: 8774
public: 80
novncproxy:
default: 6080
compute_metadata:
name: nova
hosts:
default: nova-metadata
public: metadata
host_fqdn_override:
default: null
path:
default: /
scheme:
default: 'http'
port:
metadata:
default: 8775
public: 80
identity:
name: keystone
auth:
admin:
region_name: RegionOne
username: admin
password: password
project_name: admin
user_domain_name: default
project_domain_name: default
neutron:
role: admin
region_name: RegionOne
username: neutron
password: password
project_name: service
user_domain_name: service
project_domain_name: service
nova:
region_name: RegionOne
project_name: service
username: nova
password: password
user_domain_name: service
project_domain_name: service
designate:
region_name: RegionOne
project_name: service
username: designate
password: password
user_domain_name: service
project_domain_name: service
ironic:
region_name: RegionOne
project_name: service
username: ironic
password: password
user_domain_name: service
project_domain_name: service
test:
role: admin
region_name: RegionOne
username: neutron-test
password: password
# NOTE: this project will be purged and reset if
# conf.rally_tests.force_project_purge is set to true
# which may be required upon test failure, but be aware that this will
# expunge all openstack objects, so if this is used a seperate project
# should be used for each helm test, and also it should be ensured
# that this project is not in use by other tenants
project_name: test
user_domain_name: service
project_domain_name: service
hosts:
default: keystone
internal: keystone-api
host_fqdn_override:
default: null
path:
default: /v3
scheme:
default: http
port:
api:
default: 80
internal: 5000
network:
name: neutron
hosts:
default: neutron-server
public: neutron
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: null
scheme:
default: 'http'
port:
api:
default: 9696
public: 80
load_balancer:
name: octavia
hosts:
default: octavia-api
public: octavia
host_fqdn_override:
default: null
path:
default: null
scheme:
default: http
port:
api:
default: 9876
public: 80
fluentd:
namespace: osh-infra
name: fluentd
hosts:
default: fluentd-logging
host_fqdn_override:
default: null
path:
default: null
scheme: 'http'
port:
service:
default: 24224
metrics:
default: 24220
dns:
name: designate
hosts:
default: designate-api
public: designate
host_fqdn_override:
default: null
path:
default: /
scheme:
default: 'http'
port:
api:
default: 9001
public: 80
baremetal:
name: ironic
hosts:
default: ironic-api
public: ironic
host_fqdn_override:
default: null
path:
default: null
scheme:
default: 'http'
port:
api:
default: 6385
public: 80
# NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
# They are using to enable the Egress K8s network policy.
kube_dns:
namespace: kube-system
name: kubernetes-dns
hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns:
default: 53
protocol: UDP
ingress:
namespace: null
name: ingress
hosts:
default: ingress
port:
ingress:
default: 80
network_policy:
neutron:
# TODO(lamt): Need to tighten this ingress for security.
ingress:
- {}
egress:
- {}
manifests:
certificates: false
configmap_bin: true
configmap_etc: true
daemonset_dhcp_agent: true
daemonset_l3_agent: true
daemonset_lb_agent: true
daemonset_metadata_agent: true
daemonset_ovs_agent: true
daemonset_sriov_agent: true
daemonset_l2gw_agent: false
daemonset_bagpipe_bgp: false
daemonset_netns_cleanup_cron: true
deployment_ironic_agent: false
deployment_server: true
ingress_server: true
job_bootstrap: true
job_db_init: true
job_db_sync: true
job_db_drop: false
job_image_repo_sync: true
job_ks_endpoints: true
job_ks_service: true
job_ks_user: true
job_rabbit_init: true
pdb_server: true
pod_rally_test: true
network_policy: false
secret_db: true
secret_ingress_tls: true
secret_keystone: true
secret_rabbitmq: true
service_ingress_server: true
service_server: true
...